#### Abstract

The Internet of things (IoT) has emerged into a revolutionary technology that enables a wide range of features and applications given the proliferation of sensors and actuators embedded in everyday objects, as well as the ubiquitous availability of high-speed Internet. When nearly everything is connected to the Internet, security and privacy concerns will become more significant. Furthermore, owing to the resource-constrained nature of IoT devices, they are unable to perform standard cryptographic computations. As a result, there is a critical need for efficient and secure lightweight cryptographic scheme that can meet the demands of resource-constrained IoT devices. In this study, we propose a lightweight proxy in which a person/party can delegate its signing authority to a proxy agent. Existing proxy signcryption security approaches are computationally costly and rely on RSA, bilinear pairing, and elliptic curves cryptography (ECC). The hyperelliptic curve cryptosystem (HECC), on the other hand, employs a smaller key size while maintaining the same level of security. When assessed using the random oracle model (ROM), the proposed scheme provides resilience against indistinguishable under adaptive chosen ciphertext attacks (IND-CCA) and unforgeable under adaptive chosen message attacks (UU-ACMA). To demonstrate the viability of the proposed scheme, security analyses and comparisons with existing schemes are performed. The findings show that the proposed scheme provides high security while reducing computational and communication costs.

#### 1. Introduction

Modern enterprises and business organizations require the delegation of signing rights due to a lack of processing capability or the temporal absence of an agent. Similarly, it attracted e-commerce applications like signing the business contract and online proxy auction. To provide the delegation of rights, Mambo et al. [1, 2] were the first who contributed a new method called a proxy signature. This approach includes three participants: original signer, proxy signer, and a verifier/receiver. The original signer can delegate its signing rights to the delegated agent/proxy signer. Later, the delegated agent uses this sign on the behalf of its delegator and delivers it to the respective verifier/receiver. Unfortunately, the schemes in [1, 2] do not provide any solution to prevent it from misuse. Another attempt in enhancing proxy signature was made by Kim et al. [3]. They claim that the partial delegation with a warrant is more impactful and secure than full delegation in terms of computations and more processing speed. But it gives unlimited delegation resulting misuse of delegation. Another scheme proposed in [4] gives the concept of nonrepudiation by devising the threshold proxy signature scheme (TPSS). The scheme successfully preserves the nonrepudiation between the original sender and proxy groups without involving the trusted third party.

Though, the proxy signature will fail when communication includes some commercial secrets. Thus, to resolve this problem, Gamage et al. [5] designed a proxy signcryption approach by combining proxy signature and the encryption in a single logical step. The proficiency and security strength of the given approach relies upon the discrete logarithm problem which causes making it more costly in terms of both computation and communication. In addition, the proposed approach does not provide some security services like forward secrecy and public verifiability. Zhang [6] contributed publicly verifiable and forward secure proxy signcryption scheme. His proposed scheme is inefficient as it needs a secure channel between the sender and proxy. In addition, the proposed scheme creates more computational cost and requires more bandwidth for communication. Li and Chen [7] used pairing phenomena in the identity-based proxy signcryption (IDBPYS) scheme that necessarily requires a safe medium for transferring the secret key to the user. Wang et al. [8] proposed an IDBPYS scheme that satisfies the security parameters like forward secrecy and public verifiability. But their proposed approach faces the key escrow problem. Duan et al. [9] presented a secure delegation-by-warrant IDBPYS scheme which is secure under the random oracle model (ROM). In this approach, efficiency and hardiness of security are based on bilinear pairing. It requires more communication bandwidth and creates high computation cost. Elkamshouchy et al. [10] improved the proxy signcryption techniques and proposed a new publicly verifiable proxy signcryption scheme based on the discrete logarithm problem (DLP). The authors claim that the given approach achieves the security properties of confidentiality and authenticity through an unsecured channel. Since, it depends upon DLP, which consumes more computing power. Furthermore, the proxy signcryption idea was furnished by Elkamshouchy et al. [11]. They attempted to improve the security of this scheme, but the scheme is affected by high computing power and extra bandwidth due to utilizing hard problems, i.e., integer factorization problem (IF), DLP, Diffie–Hellman problem (DHP), and DSA problem. So, IF, DHP, and DLP require more machine cycles and more computational power. Elkamchouchi and Abouslseoud [12] successfully enabled the partial delegation rights in their scheme by utilizing bilinear pairings on EC. However, in the given approach, the proxy signcrypter utilizes the signcrypting right incorrectly in light of the fact that in partial delegation, there is no limitation on proxy signcrypter. Lin et al. [13] designed a new provable secure proxy signcryption approach utilizing bilinear pairing. Unluckily, their proposed approach does not ensure the security requirement of warrant unforgeability. For further improving, Elkamchouchi et al. [14] proposed the notion of warrants-based proxy signcryption which is good for low resource devices. The security hardness and efficiency of this scheme are completely based on the elliptic curve cryptography that leads to more power consumption of the machine. Yanfeng et al. [15] presented a secure certificateless proxy identity-based signcryption scheme. They proposed elliptic curve discrete logarithm problem (ECDLP) for the efficiency and security in their scheme. But the scheme needs a secured channel for the partial private key distribution to the users. Elkamchouchi et al. [16] introduced two proxy signcryption schemes: one relies on DLP and other on ECDLP, respectively. They claim that this approach has less computational and communication costs. The scheme is still affected by more machine power consumption and extra communication bandwidth. Furthermore, the proposed scheme was not provable secured. Lo and Tsai [17] coined a provable secure proxy signcryption scheme depending on the bilinear pairings. They demonstrate better performance and secrecy in terms of in-distinguishability and unforgeability. Furthermore, they proved the security requirements of the given approach under the ROM. Then, for improving security services, Ming and Wang [18] proposed a provable secured proxy signcryption on the standard model. Because of heavy computations due to bilinear pairing, the proposed approach can still be affected by more machine control usage and extra communication of information transmission. Insafullah et al. [19] presented a lightweight proxy signcryption approach based on HECC. They claim that their newly designed scheme ensures all the security services with low computational and communication costs. Unfortunately, the scheme is affected by using more major operations over the hyperelliptic curve. Abdelfatah [20] coined a novel proxy signcryption approach and its EC variant. Hui and Lunzhia [21] coined a new proxy signcryption with EC. Waheed et al. [22] coined a new proxy signcryption with EC. Hundera et al. [23] coined a novel proxy signcryption approach with bilinear pairing for cloud data sharing. However, the designed approaches in [20–23] have been affected by more computational cost and extra communication bandwidth due to EC and bilinear pairing.

##### 1.1. Motivations and Contributions

Keeping in view all the above proxy signcryption approaches, we identified that there is still a need for improvement in computational cost and bandwidth utilization. Though the abovementioned techniques are based on some prominent security techniques, i.e., RSA, bilinear pairing, and EC, HECC provides an equal level of security with 80 bits key size as compared to the elliptic curve with 160 bits key size and RSA and bilinear pairing with 1024 bits key size, respectively. Therefore, in order to decrease computational costs and channel bandwidth consumption, we design a cost-effective proxy signcryption scheme based on HECC that perform three roles of proxy delegator/original signcrypter, proxy signcrypter, and proxy unsigncrypter. The following are the main contributions of this study:(i)We make a new proxy signcryption approach with the help of the hyperelliptic curve cryptosystem(ii)We prove that the proposed approach is resilient against indistinguishable under adaptive chosen ciphertext attacks (IND-CCA) and unforgeable under adaptive chosen message attacks (UU-ACMA), when it is tested through the random oracle model (ROM).(iii)Our approach reduces the computational cost and communication costs as compared to its counterpart schemes

##### 1.2. Organization of the Study

The organization of the study is as follows. Section 2 defines the basic preliminaries and threat model. The proposed model and the algorithm are defined in Section 3. Section 4 contains the security analysis of the proposed approach. Furthermore, in Section 5, we describe the computation and communication overheads analysis. Section 6 discusses the communication overhead, and Section 7 presents the conclusion.

#### 2. Preliminaries

This section includes some formal definitions of the hyperelliptic curve discrete logarithm problem and hyperelliptic curve Diffie–Hellman problem; furthermore, the explanation of the threat model is provided.

*Definition 1. *Suppose a devisor of order and an instance is given, so, to extract from is said to be hyperelliptic curve discrete logarithm problem (HDL).

*Definition 2. *Suppose a devisor of order and an instance is given, so, to extract and from is said to be hyperelliptic curve Diffie–Hellman problem (HDDH).

##### 2.1. Threat Model

Here, we are trying to explain the threats against our proposed scheme regarding the security requirements of indistinguishable under adaptive chosen ciphertext attacks (IND-CCA) and unforgeable under adaptive chosen message attacks (UU-ACMA) by adversary . The following Definitions 3 and 4 can be better explaining the threats against our newly proposed scheme.

*Definition 3. *The newly proposed scheme can be IND-CCA secure, if with the help of challenger cannot win with nonnegligible benefit in the following game.

Setup: executes the setup part to make the global parameter param and sends it to .

###### 2.1.1. Phase 1

Hash queries: submits these queries and can check the value for the ask queries if the value is found in the list; then, it gives the value to ; otherwise, selects a random value for each ask query and sends them to . Private key generation query: can submit queries for private key of signer and executes the key generation algorithm to produce the required private key and dispatch it to . Proxy delegation query: when this query is submitted by , responds as valid delegation for ask query to . Proxy signcryption query: when this query is submitted with message and private key of proxy and delegation by , responds as valid proxy signcryption tuple for asking query to . Proxy unsigncryption query: when this query is submitted with proxy signcryption tuple by , responds as valid plaintext which is generated through proxy unsigncryption for asking query to . Challenge: two equal lengths plaintext and will send by , and uniformly chooses a bit and computes a ununderstandable text on .

###### 2.1.2. Phase 2

In this phase, should make same queries as phase 1 with the following constraints:(i) will not send a request for any user private key(ii) never asks for proxy unsigncryption for ciphertext (iii)At the end of this phase, generates a bit and succeeds this game if .

*Definition 4. *The newly proposed scheme can be UU-ACMA secure, if with the help of challenger cannot win with nonnegligible benefit in the following game. Setup: same as above IND-CCA game. Query: same as above IND-CCA game. Forgery: finally, outputs a proxy signcryption tuple and succeeds in this game if the following events happen successful.(i)The generated proxy signcryption text is valid(ii)The private key of proxy signcrypter never been asked(iii)The proxy signcryption text is not generated using proxy signcryption query

#### 3. Proposed Model

We present here our cost-effective proxy signcryption scheme for low constraint environment. Our proposed scheme is comprised of four phases such as public key verification, proxy delegation, proxy signcryption, and proxy unsigncryption, respectively. The block diagram of our cost-effective proxy signcryption scheme is shown in Figure 1 and the symbols used in algorithm in Table 1. Four types of roles used in our scheme are public key verification, proxy delegator/original signcrypter, proxy signcrypter, and proxy unsigncrypter. First of all, each user verifies the requested user public key from certificate authority (CA). A proxy delegator first sends a warrant message with the signature to delegate the signcryption privileges to proxy signcrypter. Later, proxy signcrypter verifies the received message and computes the signcryption on behalf of the proxy delegator and then delivers it to the proxy unsigncrypter. After receiving a proxy signcryption tuple, proxy unsigncrypter verifies the authentication and performs the steps of unsigncryption.

##### 3.1. Setup

In this section, the certificate authority (CA) pick HEC with 80 bits parameter size, make a system parameter set as , where is the public key CA and made as by selecting at random, and then compute . Finally, CA makes sure the availability of in a network publicly.

##### 3.2. Key Generation

In this subsection, the participants first compute their public and private keys in the following way. The participants randomly selects a number and calculates . So, and represent the participants private and public keys.

##### 3.3. Proxy Delegation

In this subsection, the original signcrypter/proxy delegator gives the right of the sign to proxy signcrypter .(i)The original signcrypter selects (ii)Compute (iii)Compute and also compute (iv)Sends to proxy signcrypter PS

After receiving for validation, performs the following equations:

After validation, the proxy signcrypter generates the secret key and then calculates and publishes the public key .

##### 3.4. Proxy Signcryption

In this subsection, proxy signcrypter performs the following steps to generate signcryption on the message .(i)First choose a random number (ii)Compute , where is the divisor over the hyper elliptic curve(iii)Compute , where is the shared secret key between proxy and recipient(iv)Compute the ciphertext , where is the plain text(v)Compute the hash function (vi)Compute the signature , where is the proxy signcrypter secret key(vii)Then, send to the proxy unsigncrypter

##### 3.5. Proxy Verification and Unsigncryption

In this subsection, receiving the tuple proxy unsigncrypter carry out the subsequent steps for verification and decryption of the proxy signcrypted text.(i)First recover and (ii)After this, verify the signature and accept if (iii)Compute and decrypt

#### 4. Security Analysis

Our scheme meets the security requirements of indistinguishable under adaptive chosen ciphertext attacks (IND-CCA) and unforgeable under adaptive chosen message attacks (UU-ACMA) by adversary . The following Theorems 1 and 2 can be better explaining the threats against our newly proposed scheme.

Theorem 1. *The newly proposed scheme can be IND-CCA secure, if with the help of challenger cannot win with nonnegligible benefit in the following steps.*

*Proof. *The instance of the hyperelliptic curve is given to and the task of to compute .

Setup: executes the setup part for to make the global parameter param and sends it to .

##### 4.1. Phase 1

Hash queries: if submits query and can check the value for a query if the value found in the list is , then it gives the values () to ; otherwise, selects randomly and send them to . Hash queries: if submits a query and can check the value for a query if the value found in the list is (), then it gives the values () to ; otherwise, selects randomly and send them to . Hash () queries: if submits a query and can check the value for a query if the value found in the list is (), then it gives the values () to ; otherwise, selects randomly and send them to . Private key generation query: if submits query for private key and public key of signer and randomly select , calculate , and dispatch () to . Proxy delegation query: when this query is submitted by , responds as valid delegation to in the following way.(i) randomly selects and form and compute (ii)Compute , set , and respond to as a delegation Proxy signcryption query: when this query is submitted with message () and private key of proxy () and delegation by , responds as valid proxy signcryption *ψ* to in the following way.(i) chooses random numbers (ii)Computes the ciphertext (iii)Computes the signature (iv)Set and respond to as a proxy signcryption Proxy unsigncryption query: when this query is submitted to *ψ* by , if this query is not for target participant, responds as valid plaintext which is generated through proxy unsigncryption to . Otherwise, outputs *ψ* as an invalid proxy signcryption tuple. Challenge: two equal lengths plaintext and will send by , uniformly chooses a bit , and computes an un-understandable text on as follows.(i) choose random numbers (ii)Compute , , and (iii)Compute the signature , set , and respond to as a proxy signcryption on to .

##### 4.2. Phase 2

Just like phase 1, can submit the identical queries, but it does not make a query for receiver private key and a massage corresponding to the .

After that, results , and if , then results 1. Otherwise, results . If , is valid signcrypted text, and for this reason can extricate by utilized advantage Accordingly, .

If , cannot extricate without advantages. Accordingly, . Probability analysis: suppose the queries (), , and represent hash queries, private key queries, proxy delegation queries, and proxy signcryption queries, separately. Thus, we signify some measures as follows:(i) output is positive in private key queries, and the probability is .(ii) output is positive in proxy unsigncryption queries, and the probability is .(iii) output is positive in challenge part, and the probability is .

So, the total probability will be as follows:

Theorem 2. *The newly proposed scheme can be UU-ACMA secure, if with the help of challenger cannot win with nonnegligible benefit in the following steps.*

*Proof. *The instance of the hyperelliptic curve is given to and the task of to compute . Setup: execute the setup part for to make the global parameter param and sends it to . Phase 1 Queries: same like Theorem 1. Forgery: according to forking lemma [24], can get two valid proxy signcryption text that and . Then, for the verification, we get two equations that are and . So, after subtraction, we can get the following results. ; hence, this is the solution for solving the hyperelliptic curve discrete logarithm problem. Probability analysis: suppose the queries (), , and represent the hash queries, private key queries, proxy delegation queries, and proxy signcryption queries, separately. Thus, we signify some measures as follows:(i) output is positive in private key queries, and the probability is .(ii) output is positive in proxy unsigncryption queries, and the probability is .(iii) output is positive in challenge part, and the probability is .So, the total probability will be as follows:

#### 5. Computational Cost

The comparisons of the proposed and existing proxy signcryption schemes in terms of major operations are offered in table. In Table 2, computational cost in ms is provided. The symbols , and represent the exponential computations, elliptic curve multiplications, pairing operations, and hyperelliptic curve devisor multiplication, respectively. The other operations such as addition, subtraction, hash, and division are ignored because they require fewer computations time.

To show more clearly the comparisons between the proposed scheme and existing schemes, it has been observed from [25], by using the Multiprecision Integer and Rational Arithmetic C Library (MIRACL) and test the run time of the basic cryptographic operations. The running time for basic cryptographic operations is given in Table 3 (tested it 100 of times), an experiment donned through:(i)Raspberry PI 3 B + Rev 1.3(ii)OS: Ubuntu 20.04 LTS, 64-bit(iii)with CPU: 64-bit, processor: 1.4 GHz Quad-Core(iv)With 1 GB of memory

Also, we assume the half-time elliptic curve for the hyperelliptic curve because it is the generalized form of elliptic curve [26–30]. So, Table 3 provides details about the average time. Table 4 and Figure 2 show that our proposed scheme is computationally efficient from existing schemes. In Table 2, we provide the computational cost comparisons in milliseconds.

#### 6. Communication Overhead

To design a cryptographic protocol for wireless communication, media is an important element because wireless protocols need lower communication overhead. Selecting a larger size of parameters can greatly affect the efficiency. In this section, we compare our newly designed scheme with previous schemes in terms of communication overhead. For generalization, we suppose that(i) is a prime number (ii) is a prime number (iii) where be a group (iv) is a hash with bits

Table 5 represents the communication cost of the designed and previous schemes; furthermore, Table 6 and Figure 3 show that when we consider 1 kb message or warrant, then our scheme is best from existing schemes.

#### 7. Conclusion

In this article, we proposed a cost-effective proxy signcryption scheme for IoT devices. The proposed approach ensures the security properties such as unforgeability and confidentiality when it is tested through the ROM. The proposed scheme is lightweight due to the usage of HECC, which provides the same level of security with a lower-key size. A detailed security as well as performance analysis is conducted with the relevant existing schemes. The results demonstrate that the proposed scheme improves the overall computational cost and communication overhead, these being 5.7 ms and 2800 bits, respectively, which authenticates the superiority of our scheme from the existing schemes. Finally, we concluded that the proposed scheme could be of prime importance for the Internet of things devices.

In the future, we are intended to implement the same scheme on multimessage multireceiver environment using genus 3 of HECC.

#### Data Availability

The data generated or analyzed during this study are included within this article.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.