Secure Sharing of UAV Operational Data Based on Broadcast Proxy Re-encryption

The low-altitude economy represents a strategic emerging industry and a crucial component of the new quality productive forces under vigorous national development. The Low-altitude Intelligent Network serves as the digital foundation for this economic growth, providing fundamental technological support for applications like Urban Air Mobility (UAM). Within this framework, Unmanned Aerial Vehicles (UAVs or drones) are the core operational platforms and have found initial applications across commercial, industrial, and public safety sectors, including logistics delivery, unmanned inspections, and emergency response. By the end of 2024, China hosted over 19,000 UAV operating enterprises with more than 2.158 million registered drones. The cumulative flight hours for 2024 exceeded 26.66 million, marking a 15% year-on-year increase. Accelerating the establishment of a robust low-altitude intelligent network system and enhancing the operational safety of UAVs are essential prerequisites for fostering this new quality productive force in low-altitude domains.

The Low-altitude Intelligent Network is a comprehensive system comprising digitalized, networked, and intelligent aircraft, cyber-physical infrastructure, data networks, and application service systems. Under the overarching “Device-Network-Cloud-Application” architecture, it achieves ubiquitous perception, wide-area interconnection, and intelligent management and service applications for low-altitude airspace, supporting the safe and efficient operation of typical scenarios. Currently, the operation of China’s low-altitude intelligent network is still in its nascent stage. UAVs are primarily controlled independently by their respective operators, and data flow methods are relatively singular, typically involving data transmission from the drone back to a ground control station. However, this isolated operational model struggles to meet the demands of future multi-agent collaborative operations in low-altitude airspace. Relevant national authorities and local governments are actively promoting UAM pilot programs and gradually constructing low-altitude traffic management platforms. This creates an urgent need for the secure and efficient sharing of critical information such as UAV flight planning, situational awareness, low-altitude weather and intelligence services, separation management, emergency response, and mission application approval.

From the perspective of air-ground collaborative sharing of UAV operational data, drone nodes share operational data (e.g., flight plans, position information) with multiple ground network nodes via air-ground and ground-ground communications. However, due to the dynamic and open nature of the network, UAV operational data faces various security threats during multi-agent sharing. For instance, attackers eavesdropping on flight data downlinked from a UAV, such as its flight path or mission objectives, can lead to confidential information leakage. Attackers replaying historical data may cause ground systems to receive incorrect operational status or environmental information, affecting flight control and potentially causing accidents. Unauthorized users might illegally access sensitive data, paving the way for deeper attacks. In January 2024, China’s Ministry of Transport issued the “Rules for the Safety Management of Civil Unmanned Aircraft Operations,” explicitly requiring effective prevention of security risks like data eavesdropping and leakage during the sharing of UAV operational data. Therefore, in-depth research into technologies for secure multi-agent sharing of UAV operational data is crucial for building a safer and more efficient low-altitude intelligent network system.

Several schemes have been proposed for point-to-point secure sharing, such as using session key negotiation or hyperelliptic curve cryptography to ensure communication security and integrity. However, these point-to-point solutions incur significant computational and communication overhead for the UAV in point-to-multipoint data sharing scenarios, limiting system scalability. To enable more efficient multi-user access control, Attribute-Based Encryption (ABE) has been widely adopted. These schemes allow data owners to define access policies based on attribute sets and encrypt data; only when a recipient user’s attributes satisfy the policy can they decrypt the data using their attribute private key, enabling flexible point-to-multipoint data sharing. Nevertheless, ABE schemes typically involve high key update and management overhead when access policies change or users dynamically join/leave, making them less suitable for the resource-constrained and dynamic UAV operational environment.

Identity-Based Broadcast Encryption (IBBE), by eliminating the need for public key certificates, significantly reduces key management costs, thus offering high practical value in multi-agent data sharing scenarios. IBBE has been integrated into session key distribution systems and combined with Identity-based Encryption (IBE) and Lagrange interpolation polynomials. Some schemes achieve constant ciphertext size, but often at the cost of linear computational overhead for the decrypting user relative to the group size. Proxy re-encryption offers a promising direction: first, an IBE ciphertext for an individual authorized user is computed; it can then be transformed via re-encryption into an IBBE ciphertext, balancing individual access control with multi-user sharing. Recent advancements include constructions using Lagrange interpolation for anonymous revocable broadcast proxy re-encryption and schemes converting IBE to IBBE ciphertexts to achieve constant computational cost for receivers. However, many existing IBBE-based sharing schemes still face limitations: the system’s public parameter size often grows linearly with the number of potential receivers, requiring a pre-set group capacity which restricts flexibility and scalability; furthermore, during decryption, a recipient frequently must perform additional mathematical operations for other group members, leading to a heavy computational burden on the receiving end.

Addressing these challenges, we propose a UAV Operational Data Secure Sharing (UODSS) scheme. This scheme integrates identity-based broadcast encryption mechanisms with efficient symmetric encryption to design a high-performance broadcast proxy re-encryption algorithm. It supports stateless group sharing where users hold only a fixed-length private key and does not require pre-setting the group capacity, thereby enhancing system scalability and flexibility. By introducing ciphertext re-encryption, the UODSS scheme implements both point-to-point and point-to-multipoint data sharing modes. It can effectively resist security threats such as eavesdropping, replay attacks, and unauthorized access, efficiently ensuring the security of operational data sharing in dynamic, open network environments.

1. System Architecture and Problem Formulation

1.1 System Model

The secure sharing system for low-altitude UAV operational data primarily involves five entities: the Low-altitude Air Traffic Management platform (LATM), the UAV, the Cloud Platform, the Proxy, and Multi-agent Sharers.

1) Low-altitude Air Traffic Management (LATM): Managed by governmental authorities, the LATM is responsible for implementing the security mechanisms for UAV operational data sharing. This includes setting the security level for the sharing system, initializing the system’s public parameters, verifying the identities of new users joining the system, and distributing corresponding identity private keys via secure channels.

2) UAV (Drone): As the data producer, the drone is responsible for initially encrypting various data generated during operation (e.g., situational awareness logs, mission logs) and uploading the initial ciphertext to the cloud. UAVs typically have limited resources such as computing power, storage, and battery life.

3) Cloud Platform: Serving as the data storage and computation center, the cloud is responsible for storing data uploaded by UAVs and providing data management, analysis, and intelligent services. Simultaneously, the cloud offers secure and efficient data access services to system users, allowing them to access cloud data anytime, anywhere via network devices.

4) Proxy: This entity, authorized by the UAV, is the initial data sharer. Typically, it could be the UAV’s ground control station or operator and can be flexibly designated based on different application scenarios. The proxy can not only access and decrypt the initial ciphertext data (point-to-point) but also, according to scenario requirements, set access control via re-encryption to achieve multi-agent data sharing (point-to-multipoint).

5) Multi-agent Sharers: This broadly refers to the multiple system users who need to access shared UAV operational data, such as UAV service providers, industry regulators, research institutions, and other entities.

In this model, the LATM initializes the entire system and distributes corresponding identity private keys to each system user via a secure channel (e.g., using the Diffie-Hellman protocol). The UAV designates a data proxy, encrypts the data using the proxy’s identity, and uploads the initial ciphertext to the cloud platform. The proxy, based on different needs, sets access policies and requests the cloud to re-encrypt the initial ciphertext. Any system user satisfying the access policy can download the re-encrypted ciphertext from the cloud platform and decrypt it using their own identity private key.

1.2 Communication Model

The communication in our system model involves two primary types: Air-Ground Communication and Ground-Ground Communication.

1) Air-Ground Communication: UAVs primarily rely on 4G/5G cellular networks to establish communication links with ground nodes (e.g., the cloud) via ground base stations for transmitting operational data. For drones in remote or special environments, satellite communication or dedicated wireless links can be incorporated to enhance communication coverage and stability.

2) Ground-Ground Communication: Communication between ground nodes such as ground control centers, LATM, and the cloud is mainly conducted via the Internet (e.g., the TCP/IP protocol suite). Compared to wireless channels, fiber-optic communication offers higher bandwidth and lower latency.

1.3 Threat Model

We assume each entity in the sharing system is equipped with a Trusted Platform Module (TPM) for securely storing secret values, such as identity private keys. Due to the dynamic and open network, the system is vulnerable to various security threats. This paper primarily considers the following:

1) Eavesdropping Attack: An attacker may intercept air-ground or ground-ground communications, attempting to acquire transmitted UAV operational data.

2) Cloud Data Leakage: Since the cloud platform stores data uploaded by UAVs, attackers might exploit cloud storage vulnerabilities or insider threats to access and leak data.

3) Access Policy Bypass: Malicious system users may attempt to access non-authorized sensitive data, illegally expanding their sharing permissions.

4) Replay Attack: An attacker may capture and re-transmit the UAV’s operational data, attempting to deceive the system and disrupt normal operations.

1.4 Design Goals

This paper aims to construct an efficient UAV Operational Data Secure Sharing (UODSS) scheme for the Low-altitude Intelligent Network. The primary design goals are:

1) Multi-agent Data Sharing: Enable the construction of sharing groups to achieve point-to-multipoint data sharing without the need to pre-determine the group’s capacity.

2) Stateless Receivers: Each system user retains only one stateless decryption (identity) key. When the sharing group changes, users within the group do not need to update their decryption keys, and decryption does not require performing mathematical operations for other members in the group.

3) Replay Attack Prevention: Prevent attackers from re-transmitting previously sent data messages.

4) Confidentiality: Ensure that UAV operational data is accessible only to authorized parties during transmission, storage, and sharing, preventing unauthorized adversaries from obtaining, stealing, or leaking sensitive data.

2. The Proposed UAV Operational Data Secure Sharing (UODSS) Scheme

This section presents an identity-based broadcast proxy re-encryption algorithm and further constructs the UODSS scheme based on it. The scheme consists of three main phases: Initialization, Initial Sharing, and Multi-agent Sharing. The Initialization phase, managed by the LATM, generates all parameters for the UODSS scheme, including the scheme’s public parameters, the master key pair, and each user’s identity private key. In the Initial Sharing phase, the UAV first selects an initial sharer (the proxy), then encrypts the operational data using that sharer’s identity to obtain the initial ciphertext, and finally uploads this ciphertext to the cloud. In the Multi-agent Sharing phase, the proxy establishes a sharing group, generates a re-encryption key for the initial ciphertext and sends it to the cloud, which then re-encrypts the initial ciphertext. Only users within the sharing group can decrypt the re-encrypted ciphertext using their own identity private keys, thereby achieving secure multi-agent sharing of UAV operational data.

2.1 Initialization Phase

The Initialization phase deploys the entire UODSS scheme with three algorithms: $PmsGen$, $MasterGen$, and $Register$.

1) $PmsGen(\kappa) \rightarrow P$: Given a security parameter $\kappa$, the algorithm randomly selects a large prime $p$ and constructs a bilinear map group system $(p, \mathbb{Z}_p, \mathbb{G}, \mathbb{G}_T, \hat{e})$, where $\mathbb{Z}_p$ denotes an integer group, $\mathbb{G}$ and $\mathbb{G}_T$ denote multiplicative cyclic groups, and $\hat{e}$ denotes a bilinear map, i.e., $\hat{e}: \mathbb{G} \times \mathbb{G} \rightarrow \mathbb{G}_T$. Then, the algorithm constructs two hash functions $\mathcal{H}_1: \{0,1\}^* \rightarrow \mathbb{Z}_p^*$ and $\mathcal{H}_2: \mathbb{G}_T \rightarrow \mathbb{G}$, and selects symmetric encryption and decryption algorithms $\mathcal{E}$ and $\mathcal{D}$, such as the AES algorithm. Finally, the algorithm randomly selects two generators $h, u \xleftarrow{\$} \mathbb{G}$ and outputs the public parameters $P = (\mathbb{Z}_p, \mathbb{G}, \mathbb{G}_T, \hat{e}, \mathcal{H}_1, \mathcal{H}_2, h, u, \mathcal{E}, \mathcal{D})$.

2) $MasterGen(P) \rightarrow (MPK, MSK)$: Given the public parameters $P$, the algorithm first randomly selects an integer $\alpha \xleftarrow{\$} \mathbb{Z}_p^*$ and a multiplicative cyclic group generator $g \xleftarrow{\$} \mathbb{G}$. Then, it computes $h^\alpha \in \mathbb{G}$, $u^\alpha \in \mathbb{G}$, and $v \leftarrow \hat{e}(g, h) \in \mathbb{G}_T$. Finally, it outputs the master public key $MPK = (h^\alpha, u^\alpha, v)$ and the master secret key $MSK = (g, \alpha)$.

3) $Register(P, MSK, id) \rightarrow sk_{id}$: Given the public parameters $P$, the master secret key $MSK = (g, \alpha)$, and an identity $id$, the algorithm computes and outputs the identity private key $sk_{id}$ as follows:
$$ sk_{id} \leftarrow g^{\frac{1}{\alpha + \mathcal{H}_1(id)}} $$

In this phase, the LATM first runs the $PmsGen$ algorithm to generate the public parameters $P$, initializing the entire sharing scheme. Then, the LATM runs the $MasterGen$ algorithm to generate the master public key $MPK$ and master secret key $MSK$, publishes $MPK$, and securely stores $MSK$. In the UODSS scheme, all system users must send their identity $id_x$ to the LATM to request authentication and registration. Upon successful identity verification, the LATM runs the $Register$ algorithm to generate the corresponding identity private key $sk_{id_x}$ for identity $id_x$ and sends it to the corresponding user via a secure channel.

2.2 Initial Sharing Phase

This phase provides two algorithms: $Enc$ and $Dec$, to achieve initial sharing of UAV operational data.

1) $Enc(P, MPK, m, id_u, id_a, id_c) \rightarrow C$: Given the public parameters $P$, the master public key $MPK = (h^\alpha, u^\alpha, v)$, a plaintext message $m$, the data owner’s identity $id_u$, the initial sharer’s (proxy’s) identity $id_a$, and the cloud platform’s identity $id_c$, the algorithm first randomly selects a random element $K \xleftarrow{\$} \mathbb{G}_T$ as the symmetric key and encrypts the plaintext $m$ to generate the ciphertext body:
$$ C_m = \mathcal{E}_K(m) $$
Then, the algorithm randomly selects a random number $r_1 \xleftarrow{\$} \mathbb{Z}_p^*$ and, based on the current timestamp $t$, computes the ciphertext header as follows:
$$
\begin{aligned}
C_0 &= t \parallel id_u \parallel id_a \parallel id_c \\
C_1 &= (h^\alpha \cdot h^{\mathcal{H}_1(id_a)})^{r_1} \\
C_2 &= v^{r_1 \cdot \mathcal{H}_1(C_0)} \cdot K \\
C_3 &= (u^\alpha \cdot u^{\mathcal{H}_1(id_a)})^{r_1}
\end{aligned}
$$
Finally, it outputs the initial ciphertext $C = (C_0, C_1, C_2, C_3, C_m)$.

2) $Dec(P, C, sk_{id_a}) \rightarrow m/\perp$: Given the public parameters $P$, the initial ciphertext $C = (C_0, C_1, C_2, C_3, C_m)$, and the initial sharer’s identity private key $sk_{id_a}$, the algorithm recovers the symmetric key $K$ as follows:
$$ \hat{e}(sk_{id_a}, C_1) = v^{r_1} $$
$$ \frac{C_2}{(v^{r_1})^{\mathcal{H}_1(C_0)}} = K $$
Then, if decryption using key $K$ is successful, it outputs $m = \mathcal{D}_K(C_m)$; otherwise, if decryption fails, it outputs an invalid plaintext $\perp$.

In this phase, the UAV designates the initial sharer (proxy) as $id_a$ (e.g., the UAV’s ground control station). This proxy’s responsibility is to further implement and manage multi-agent sharing policies for the UAV’s operational data. Given an operational data message $m$, the UAV uses the proxy’s identity $id_a$ to run the $Enc$ algorithm to encrypt the data, obtaining the initial ciphertext $C$. Then, the UAV uploads this initial ciphertext to the cloud via air-ground communication. As the initial sharer, the proxy can use its private key $sk_{id_a}$ to run the $Dec$ algorithm to decrypt the ciphertext, achieving point-to-point data sharing.

2.3 Multi-agent Sharing Phase

This phase provides three algorithms: $ReKeyGen$, $ReEnc$, and $Dec2$, to achieve multi-agent sharing of UAV operational data.

1) $ReKeyGen(P, MPK, \boldsymbol{S}, sk_{id_a}) \rightarrow rk_{id_a \rightarrow S}$: Given the public parameters $P$, the master public key $MPK = (h^\alpha, u^\alpha, v)$, the multi-agent sharing group $\boldsymbol{S} = \{id_i\}_{1 \leq i \leq n}$, and the proxy’s identity private key $sk_{id_a}$, the algorithm first randomly selects a random number $r_2 \xleftarrow{\$} \mathbb{Z}_p^*$ and computes $\boldsymbol{A} = \{a_i\}_{1 \leq i \leq n}$, where for each identity $id_i$ in the group:
$$ a_i = \mathcal{H}_1(id_i) \parallel (h^\alpha)^{r_2} (h)^{r_2 \mathcal{H}_1(id_i)} $$
Finally, the algorithm selects another random number $r_3 \xleftarrow{\$} \mathbb{Z}_p^*$, computes and outputs the re-encryption key $rk_{id_a \rightarrow S} = (rk_1, rk_2, rk_3)$, where:
$$
\begin{aligned}
rk_1 &= \mathcal{H}_2(v^{r_2}) \cdot h^{r_3} \\
rk_2 &= sk_{id_a} \times u^{r_3} \\
rk_3 &= \boldsymbol{A}
\end{aligned}
$$

2) $ReEnc(P, C, rk_{id_a \rightarrow S}) \rightarrow C_r$: Given the public parameters $P$, the initial ciphertext $C = (C_0, C_1, C_2, C_3, C_m)$, and the re-encryption key $rk_{id_a \rightarrow S} = (rk_1, rk_2, rk_3)$, it recomputes the initial ciphertext header to obtain $C_r = (C_{r0}, C_{r1}, C_{r2}, C_{r3}, C_{r4}, C_m)$, where:
$$
\begin{aligned}
C_{r0} &= C_0 \\
C_{r1} &= rk_1 \\
C_{r2} &= C_2^{1 / \mathcal{H}_1(C_0)} \cdot \hat{e}(rk_2, C_1^{-1}) \\
C_{r3} &= C_3 \\
C_{r4} &= rk_3
\end{aligned}
$$
Finally, the algorithm outputs the re-encrypted ciphertext $C_r$.

3) $Dec2(P, C_r, id_x, sk_{id_x}) \rightarrow m/\perp$: Given the public parameters $P$, the re-encrypted ciphertext $C_r$, a sharer’s identity $id_x$, and the corresponding identity private key $sk_{id_x}$, the algorithm first computes $\mathcal{H}_1(id_x)$ and locates $\mathcal{H}_1(id_x) \parallel h^{r_2(\alpha + \mathcal{H}_1(id_x))}$ within $rk_3$ (i.e., $C_{r4}$). If $id_x \in \boldsymbol{S}$, then let $y_{id_x} = h^{r_2(\alpha + \mathcal{H}_1(id_x))}$. The algorithm further recovers the symmetric key $K$ as follows:
$$ \hat{e}(sk_{id_x}, y_{id_x}) = v^{r_2} $$
$$ \frac{C_{r1}}{\mathcal{H}_2(v^{r_2})} = h^{r_3} $$
$$ (C_{r2} \times \hat{e}(C_{r3}, h^{r_3}))^{\mathcal{H}_1(C_{r0})} = K $$
Finally, if decryption using key $K$ is successful, it outputs $m = \mathcal{D}_K(C_m)$; otherwise, it outputs $\perp$.

In this phase, assume the proxy designates $n$ users who can access the UAV operational data, forming a multi-agent sharing group $\boldsymbol{S} = \{id_i\}_{1 \leq i \leq n}$. The proxy $id_a$ then runs the $ReKeyGen$ algorithm to generate the re-encryption key $rk_{id_a \rightarrow S}$ and sends this key to the cloud. Upon receiving $rk_{id_a \rightarrow S}$, the cloud runs the $ReEnc$ algorithm to re-encrypt the initial ciphertext $C$, generating the re-encrypted ciphertext $C_r$. Now, any legitimate identity within the sharing group, i.e., $id_x \in \boldsymbol{S$, can use its identity private key to run the $Dec2$ algorithm and decrypt the re-encrypted ciphertext. The update policy for group membership changes is as follows:
1) New member $id^*$ joins: The proxy simply computes the parameter $a_{id^*}$ for the new member and adds it to $rk_3 = \boldsymbol{A}$. The cloud then updates $C_{r4}$ to grant the new member sharing permission.
2) Old member leaves: The proxy needs to regenerate a re-encryption key $rk_{id_a \rightarrow S’}$ for the new sharing group $\boldsymbol{S’}$ and send it to the cloud to update the ciphertext, thereby updating the access control policy.

In our proposed scheme, every user’s identity private key is stateless. Therefore, when the sharing group changes, users within the group do not need to update their identity keys. If a user’s identity private key is compromised, the user must select and publish a new identity, apply for a new identity private key for it, and notify the proxy to update the ciphertext.

2.4 Scheme Discussion

In the UODSS scheme, the ciphertext body employs symmetric encryption, while the ciphertext header uses the proposed identity-based broadcast proxy re-encryption technology to encrypt the symmetric key $K$. This hybrid encryption mechanism requires managing only a small number of asymmetric keys while dynamically generating symmetric keys, significantly reducing key management burden. Simultaneously, it leverages efficient symmetric encryption to process the data body, accelerating the encryption and decryption process for the main data payload. This is particularly effective in reducing computational overhead when the data volume is large. Based on actual operational scenarios, this mechanism allows the UAV to either use a different symmetric key for each ciphertext to enhance data security or update the symmetric key at fixed intervals, balancing security and further reducing the computational overhead of the ciphertext header.

To address future complex application scenarios, the UODSS scheme provides two sharing modes: point-to-point sharing (Initial Sharing phase) and point-to-multipoint sharing (Multi-agent Sharing phase). These two modes can be executed in parallel to reduce latency in multi-agent data sharing. For example, the proxy can pre-generate re-encryption keys based on access policies and store them in the cloud. Upon receiving a ciphertext uploaded by the UAV, the cloud can immediately perform re-encryption, enabling low-latency multi-agent data sharing. Furthermore, the UODSS scheme can flexibly adapt its sharing service based on different UAV scenarios (e.g., communication conditions, sharing requirements) to further reduce data sharing latency: 1) The UAV directly sends the initial ciphertext to the initial sharer (proxy), who then performs re-encryption and shares it with multi-agent users. 2) The UAV itself acts as the initial sharer, directly receiving data from other UAVs or performing re-encryption to achieve multi-UAV collaboration or multi-agent sharing without relying on an intermediate proxy.

3. Security Analysis

3.1 Correctness

The correctness of our proposed low-altitude UAV operational data secure sharing scheme can be proven by the following theorems.

Theorem 1: Given the public parameters $P$, master public key $MPK$, and master secret key $MSK$, if an initial ciphertext $C = (C_0, C_1, C_2, C_3, C_m)$ is generated by algorithm $Enc(P, MPK, m, id_u, id_a, id_c)$ and the identity private key $sk_{id_a}$ is generated by algorithm $Register(P, MSK, id_a)$, then the initial ciphertext decryption algorithm $Dec(P, C, sk_{id_a})$ will always output the correct plaintext data $m$.

Proof: The first step of $Dec(P, C, sk_{id_a})$ is to compute $\hat{e}(sk_{id_a}, C_1) = v^{r_1}$, whose correctness is derived as follows:
$$
\hat{e}(sk_{id_a}, C_1) = \hat{e}\left(g^{\frac{1}{\alpha + \mathcal{H}_1(id_a)}}, h^{r_1(\alpha + \mathcal{H}_1(id_a))}\right) = v^{r_1}
$$
The second step is to compute $\frac{C_2}{(v^{r_1})^{\mathcal{H}_1(C_0)}} = K$, whose correctness is derived as follows:
$$
\frac{C_2}{(v^{r_1})^{\mathcal{H}_1(C_0)}} = \frac{v^{r_1 \cdot \mathcal{H}_1(C_0)} \cdot K}{(v^{r_1})^{\mathcal{H}_1(C_0)}} = K
$$
Therefore, using the symmetric key $K$, $m = \mathcal{D}_K(C_m)$ can be successfully decrypted. $\blacksquare$

Theorem 2: Given the public parameters $P$, master public key $MPK$, sharing group $\boldsymbol{S} = \{id_i\}_{1 \leq i \leq n}$, and initial ciphertext $C$, if the re-encryption key $rk_{id_a \rightarrow S}$ is generated by $ReKeyGen(P, MPK, \boldsymbol{S}, id_a)$, the re-encrypted ciphertext $C_r$ is generated by $ReEnc(P, C, rk_{id_a \rightarrow S})$, the identity private key $sk_{id_x}$ is generated by $Register(P, MSK, id_x)$, and $id_x \in \boldsymbol{S}$, then the decryption algorithm $Dec2(P, C_r, id_x, sk_{id_x})$ will always output the correct plaintext data $m$.

Proof: The algorithm $Dec2(P, C_r, id_x, sk_{id_x})$ first obtains $y_{id_x} = h^{r_2(\alpha + \mathcal{H}_1(id_x))}$ and computes $\hat{e}(sk_{id_x}, y_{id_x}) = v^{r_2}$ (similar to Theorem 1). Then, it computes:
$$
\frac{C_{r1}}{\mathcal{H}_2(v^{r_2})} = \frac{\mathcal{H}_2(v^{r_2}) \cdot h^{r_3}}{\mathcal{H}_2(v^{r_2})} = h^{r_3}
$$
Next, it computes:
$$
(C_{r2} \times \hat{e}(C_{r3}, h^{r_3}))^{\mathcal{H}_1(C_{r0})} = \left(C_2^{1 / \mathcal{H}_1(C_0)} \cdot \hat{e}(rk_2, C_1^{-1}) \cdot \hat{e}(C_{r3}, h^{r_3})\right)^{\mathcal{H}_1(C_{r0})}
$$
Expanding and simplifying using the definitions of $C_2$, $rk_2$, and $C_{r3}$, and noting that $\hat{e}(rk_2, C_1^{-1}) \cdot \hat{e}(C_{r3}, h^{r_3}) = 1$ (as they cancel each other out), we get:
$$
\left(K^{1 / \mathcal{H}_1(C_0)}\right)^{\mathcal{H}_1(C_{r0})} = K \quad \text{(since } C_{r0} = C_0\text{)}
$$
Therefore, using the symmetric key $K$, $m = \mathcal{D}_K(C_m)$ can be successfully decrypted. $\blacksquare$

Theorem 3: When every system entity executes the UODSS scheme according to the public parameters $P$, the scheme can correctly achieve multi-agent data sharing, stateless receivers, and replay attack prevention mechanisms.

Proof: According to Theorem 2, the proxy can effectively construct a sharing group $\boldsymbol{S} = \{id_i\}_{1 \leq i \leq n}$, and only when $id_x \in \boldsymbol{S}$ can decryption succeed. Furthermore, the public parameters $P = (\mathbb{Z}_p, \mathbb{G}, \mathbb{G}_T, \hat{e}, \mathcal{H}_1, \mathcal{H}_2, h, u, \mathcal{E}, \mathcal{D})$ do not impose a limit on the sharing group’s capacity. Therefore, the UODSS scheme correctly achieves the property of multi-agent data sharing.

According to the $Register$ algorithm, the identity private key $sk_{id} = g^{1/{\alpha + \mathcal{H}_1(id)}}$ is independent of other users’ private keys. Thus, when the sharing group changes, members do not need to update their identity keys. In the decryption algorithm, a sharer only needs to locate their own parameter $\mathcal{H}_1(id_x) \parallel h^{r_2(\alpha + \mathcal{H}_1(id_x))}$ and does not need to perform any mathematical operations for other members in the group. Therefore, the UODSS scheme correctly achieves the property of stateless receivers.

Finally, the ciphertext header includes $C_0 = t \parallel id_u \parallel id_a \parallel id_c$, which is embedded into the $C_2$ field via a hash function. By incorporating the timestamp $t$, the UODSS scheme can effectively prevent replay attacks. Thus, the UODSS scheme correctly implements a replay prevention mechanism. $\blacksquare$

3.2 Confidentiality

Delerablée et al. proposed an identity-based broadcast encryption algorithm (denoted DIBBE) and proved its security against Chosen Plaintext Attack (CPA) under the random oracle model. We leverage this algorithm to argue for the confidentiality of our proposed UODSS scheme.

Theorem 4: If the DIBBE algorithm is secure against CPA under the random oracle model, then the initial encryption of our proposed UODSS scheme is also secure against CPA under the random oracle model.

Proof (Sketch): The security of the DIBBE ciphertext for a single identity $id^*$ hinges on the fact that only the identity private key $sk_{id^*}$ can recover the encapsulated key from the component $C_2^D = h^{r_1(\alpha + \mathcal{H}_1(id^*))}$. In our UODSS scheme’s $Enc$ algorithm, $C_1$ is exactly equivalent to $C_2^D$. While $C_2$ and $C_3$ contain additional elements, the recovery of the symmetric key $K$ from $C_2$ still fundamentally requires computing $v^{r_1}$ via $\hat{e}(sk_{id^*}, C_1)$. The other components either contain public information ($C_0$) or are independent of the core encryption security ($C_3$). Therefore, under the random oracle model, the security of the UODSS initial encryption reduces to that of the single-identity DIBBE encryption, making it CPA-secure. $\blacksquare$

Theorem 5: If the DIBBE algorithm is secure against CPA under the random oracle model, then the re-encryption key in our proposed UODSS scheme cannot decrypt the initial ciphertext.

Proof (Sketch): The re-encryption key $rk$ contains $rk_2 = sk_{id^*} \times u^{r_3}$. Attempting to use $rk_2$ directly for decryption, as in $\hat{e}(rk_2, C_1)$, results in $\hat{e}(sk_{id^*} \times u^{r_3}, h^{r_1(\alpha+\mathcal{H}_1(id^*))}) = v^{r_1} \cdot \hat{e}(u, h)^{r_1 r_3 (\alpha+\mathcal{H}_1(id^*))}$. Since $r_1$ and $r_3$ are secret random values, the term $\hat{e}(u, h)^{r_1 r_3 (\alpha+\mathcal{H}_1(id^*))}$ acts as a random blinding factor in $\mathbb{G}_T$, preventing the recovery of the correct $v^{r_1}$ needed to obtain $K$ from $C_2$. $\blacksquare$

Theorem 6: If the DIBBE algorithm is secure against CPA under the random oracle model, then the re-encryption of the initial ciphertext in our proposed UODSS scheme is secure against CPA.

Proof (Sketch): The security of the re-encrypted ciphertext $C_r$ for the group $\boldsymbol{S}$ relies on the structure of the re-encryption key component $rk_3 = \boldsymbol{A} = \{ \mathcal{H}_1(id_i) \parallel h^{r_2(\alpha + \mathcal{H}_1(id_i))} \}_{id_i \in \boldsymbol{S}}$. For a user $id_x \in \boldsymbol{S}$ to decrypt, they must first use their private key $sk_{id_x}$ on the corresponding $y_{id_x} = h^{r_2(\alpha + \mathcal{H}_1(id_x))}$ to obtain $v^{r_2}$. This step is analogous to decrypting a DIBBE ciphertext for identity $id_x$ with a different randomizer $r_2$. Obtaining $v^{r_2}$ is essential for unblinding $C_{r1}$ to get $h^{r_3}$, which is then required to cancel out the blinding factor in $C_{r2}$. An adversary not in possession of any $sk_{id_i}$ for $id_i \in \boldsymbol{S}$ cannot perform this first crucial step. Therefore, under the random oracle model, the re-encrypted ciphertext is CPA-secure. $\blacksquare$

4. Performance Analysis

4.1 Theoretical Analysis

We compare the computational complexity of our proposed scheme with existing schemes CZL, ZCD, and GLX. Let $n$ denote the number of identities in the sharing group, $t_e$ denote an exponentiation in group $\mathbb{G}$, and $t_b$ denote a bilinear pairing operation. We omit the cost of hash operations, multiplications in $\mathbb{G}$, inversions, and integer arithmetic as their overhead is significantly lower than $t_e$ and $t_b$.

Table 1: Computation Comparison of Algorithms in Initialization and Initial Sharing Phases

Scheme $MasterGen$ $Register$ $Enc$ $Dec$
CZL[21] $(2n+1)t_e + t_b$ $t_e$ $7t_e$ $t_b$
ZCD[23] $(2n+1)t_e + 3t_b$ $t_e$ $5t_e$ $t_b$
GLX[24] $2n t_e + t_b$ $t_e$ $4t_e$ $t_b$
Our Scheme $2t_e + t_b$ $t_e$ $5t_e$ $t_e + t_b$

In the Initialization phase, existing schemes often pre-set the group capacity, causing their $MasterGen$ complexity to be $\mathcal{O}(n)$. Our scheme, without this constraint, achieves $\mathcal{O}(1)$ complexity. All schemes have $\mathcal{O}(1)$ complexity for $Register$. In the Initial Sharing phase, all schemes have $\mathcal{O}(1)$ complexity for both $Enc$ and $Dec$. Our $Enc$ uses slightly more operations than GLX but fewer than CZL.

Table 2: Computation Comparison of Algorithms in Multi-agent Sharing Phase

Scheme $ReKeyGen$ $ReEnc$ $Dec2$
CZL[21] $(n^2 + n + 5)t_e$ $t_b$ $(n-1)t_e + 2t_b$
ZCD[23] $(2n + 5)t_e$ $2t_b$ $n t_e + 4t_b$
GLX[24] $(2n + 6)t_e$ $2t_b$ $n t_e + 3t_b$
Our Scheme $(n + 4)t_e$ $t_e + t_b$ $t_e + 2t_b$

In the Multi-agent Sharing phase, our scheme’s $ReKeyGen$ complexity is $\mathcal{O}(n)$, which is linear like ZCD and GLX but with a lower coefficient, and far superior to CZL’s $\mathcal{O}(n^2)$. Our $ReEnc$ has $\mathcal{O}(1)$ complexity, slightly higher than CZL’s but comparable. Crucially, our $Dec2$ algorithm achieves $\mathcal{O}(1)$ complexity, requiring only a fixed number of operations regardless of group size $n$. In contrast, all three comparison schemes have $Dec2$ complexity of $\mathcal{O}(n)$, as the decrypting user’s computational cost scales linearly with the group size.

4.2 Experimental Analysis

Experiments were conducted to evaluate the practical performance of the proposed scheme. All experiments were implemented in the Go programming language and run on a MacOS system (Ventura 13.5.2, 32GB RAM, 8-core Intel Core i9 @2.30GHz). The PBC library was used to construct the bilinear map system $(p, \mathbb{Z}_p, \mathbb{G}, \mathbb{G}_T, \hat{e})$. All test results are averaged over 10 runs.

4.2.1 Initialization Phase
The execution time of the $MasterGen$ algorithm for different schemes under varying group sizes $|S|$ (number of sharing entities $n$) is shown in the analysis. The runtimes for the three comparison schemes (CZL, ZCD, GLX) increase gradually with $|S|$, showing a clear linear growth trend. In contrast, the runtime of our scheme’s $MasterGen$ algorithm remains constant and low (approximately 4.05 ms), significantly outperforming the others. The $Register$ algorithm runtime for all schemes is constant, around 1.06 ms.

4.2.2 Initial Sharing Phase
The initial encryption $Enc$ algorithm has $\mathcal{O}(1)$ complexity in all schemes. The actual runtime comparison shows all schemes maintain small fluctuations and good performance. Our scheme exhibits a clear advantage with a shorter execution time of approximately 4.98 ms, suitable for resource-constrained UAV node encryption. The GLX scheme’s $Enc$ time is about 4.02 ms, slightly better, but its other algorithms perform less favorably compared to ours. The $Dec$ algorithm runtimes for all schemes are also $\mathcal{O}(1)$ and very close, ranging between 0.6 ms and 0.75 ms.

4.2.3 Multi-agent Sharing Phase
The runtime of the $ReKeyGen$ algorithm under different $|S|$ values shows that as the number of sharing entities increases, the runtimes for ZCD, GLX, and our scheme show clear linear growth, with our scheme having the lowest time cost. The CZL scheme’s time increases exponentially with group size, quickly reaching the order of seconds, far exceeding the other three. Compared to the next best scheme, our $ReKeyGen$ algorithm reduces computation overhead by over 40%.

The re-encryption $ReEnc$ algorithm has $\mathcal{O}(1)$ complexity in all schemes. The time comparison shows CZL and our scheme have constant average time costs at the millisecond level (601.57 µs and 747.56 µs, respectively), with negligible difference. The other two schemes have average costs of about 1.31 ms and 1.28 ms.

As the number of sharing entities increases, the runtime of the $Dec2$ algorithm is critical. The runtimes for the three comparison schemes (CZL, ZCD, GLX) show a clear linear increase with group size. In stark contrast, the time cost of our scheme does not change with the number of sharing entities, remaining constant at approximately 3.6 ms, which is far superior to the linear-scaling comparison schemes when $n$ is large.

5. Conclusion

1) The proposed scheme does not require pre-setting the sharing group capacity during initialization, and the computational overhead of the master key generation algorithm is constant, effectively enhancing the scalability of UAV operational data sharing.

2) In the Initial Sharing phase, the time overheads of the encryption and decryption algorithms are approximately fixed at 4.02 ms and 0.74 ms, respectively, effectively ensuring confidentiality and efficiency during point-to-point sharing.

3) In the Multi-agent Sharing phase, the re-encryption key generation algorithm reduces time overhead by over 40% compared to the next best scheme, and the re-encrypted ciphertext decryption algorithm costs a fixed ~3.6 ms, far superior to comparison schemes with linear overhead, effectively ensuring security and high efficiency during point-to-multipoint sharing for drone networks.

Scroll to Top