Secure and Efficient Identity-based Batch Verification Signature Scheme for ADS-B System

Abstract

As a foundation of next-generation air transportation systems, automatic dependent surveillance-broadcast (ADS-B) helps pilots and air traffic controllers create a safer and more efficient national airspace system. Owing to the open communication environment, it is easy to insert fake aircraft into the system via spoofing or the insertion of false messages. Efforts have thus been made in academic research and practice in the aviation industry to ensure the security of transmission of messages of the ADS-B system. An identity-based batch verification (IBV) scheme was recently proposed to enhance the security and efficiency of the ADS-B system, but current IBV schemes are often too resource intensive because of the application of complex hash-to-point operations or bilinear pairing operations. In this paper, we propose a lightweight IBV signature scheme for the ADS-B system that is robust against adaptive chosen message attacks in the random oracle model, and ensures the security of batch message verification and against the replaying attack. The proposed IBV scheme needs only a small and constant number of point multiplication and point addition computations instead of hash-to-point or pairing operations. Detailed performance analyses were conducted to show that the proposed IBV scheme has clear advantages over prevalent schemes in terms of computational cost and transmission overhead.

1. Introduction

 Civil aviation systems are continually being modernized through advanced technologies. Automatic dependent surveillance–broadcast (ADS-B) is one of the most important technologies in aviation systems. Aircraft can periodically broadcast information about themselves through ADS-B systems, such as location and identification information. Two types of information are broadcast. Information broadcasted by a subsystem to other aircraft and ground stations is called ADS-B Out, whereas that processed by the subsystem from the ADS-B of other aircraft is called ADS-B In [1]. Both subsystems combine to create situational awareness, which provides pilots with complete knowledge of the scenario and helps them make decisions. This makes air traffic management much easier.

 ADS-B systems have been deployed widely across the globe, and are expected to replace radars and become the mainstay of air traffic management systems. In recent years, international organizations have made strenuous efforts to standardize ADS-B. ADS-B systems will be operational in most airspaces by 2020 to support next-generation air transportation systems. For instance, the Federal Aviation Administration requires that aircraft in the US be prepared for ADS-B by 2020 [2], and China’s civil aviation plans to implement a fully operational ADS-B system on July 1, 2019 [3].

 From the perspective of security, messages in the ADS-B system are transmitted through wireless channels without being encrypted [4]. Therefore, adversaries can mount a series of attacks by intercepting, modifying, injecting, and replaying a message at will. A large number of attacks against ADS-B systems have featured the use of low-cost and simple tools (e.g., aircraft spoofing attacks) in recent years [5]. These attacks can cause significant damage, such as hijacking an aircraft. Thus, it is important to address security risks in ADS-B systems to ensure aviation safety.

 Message authenticity and integrity need to be solved for first in ADS-B applications. Message integrity means that the information has not been falsified and message authenticity means that the messages were broadcasted by the indicated aircraft. They can prevent adversaries from falsifying or implanting messages to attack the system—for example, through spoofing attacks and virtual trajectory modification attacks [6]. Several studies have been conducted on ensuring ADS-B messages’ authenticity and integrity. Methods of implementing secure authentication in the ADS-B system can be roughly divided into non-cryptographic approaches [7], [8] and cryptographic approaches [9], [10]. In this paper, cryptographic approaches are considered in detail.

 Although these approaches can address some security problems in ADS-B systems, the relevant schemes suffer from weaknesses. First, complex computation operations are used to guarantee security, such as the hash-to-point operation [10], bilinear pairing operation [6], and expensive certification management [10]. When signatures arrive frequently, the recipient does not have enough time to verify each received signature, especially where the verification of the signature scheme involves costly pairing operations. This can be avoided by using pairing to enhance efficiency. Second, in some studies on the IBV scheme, the security of the protocol itself has not been fully considered. For example, in the security problem in Yang’s YKLY scheme [6], some signatures cannot pass signatures verification separately but can pass batch verification by themselves.

 The main contributions of this study are as follows: First, an IBV signature scheme is proposed to guarantee the security of ADS-B messages, and it is shown to be provably secure. Second, compared with previously proposed schemes in the area, the computational cost of the verification algorithm in the proposed signature scheme is reduced by half as it uses fewer point multiplication calculations.

 The remainder of this paper is organized as follows: The status of research in the area is described in Section 2. Some preliminaries were introduced in Section 3. In Section 4, we explain the nomenclature used in this paper, and the proposed IBV signature scheme is described in detail in Section 5. The security analysis and calculation evaluation are given in Sections 6 and 7, respectively. In Section 8, we state the conclusions of the paper.

 

2. Related Work

 By using cryptographic approaches, a number of achievements to guarantee the security of ADS-B messages [6], [9], [10], [11]. They can be divided into two types: symmetric key-based authentication methods, like Message Authentication Code (MAC), and asymmetric key-based authentication solutions, such as digital certificate. Important studies in the area as follows: Samuelson et al. [12] considered a method that uses the MAC. Pan et al. [11] offered an encryption algorithm that uses elliptic curve cryptography as a public key. Baek et al. proposed a staged identity-based encryption (SIBE) method that can solve the confidentiality of ADS-B [4]. SIBE provides high efficiency by classifying “key encryption” and “data encryption.” But these methods are impractical because every aircraft should pre-load the same key [13].

 Digital signatures are a good means of optimizing symmetric cryptography, but some requirements need to be met when using ADS-B. The signatures should be short as the payload of the ADS-B message is usually no more than 1000 bits. Signatures should be verified quickly as each aircraft broadcasts and receives a large number of ADS-B messages from surrounding aircraft. A number of identity-based batch verification (IBV) signatures have been proposed to address these challenges. Yang et al. [6] proposed an IBV signature method for ADS-B systems, but it is unsecure because some signatures cannot pass single signature verification but can pass batch verification. Anjia Yang et al. [10] defined three levels of the ADS-B system and proposed two identity-based signature (YTBW1 and YTBW2) schemes accordingly. He et al. [9] described three weaknesses of the YTBW1 and YTBW2 schemes. First, the performance of YTBW1 is impractical as the hash-to-point operations increase in number when the number of signatures increases. Second, the YTBW1 scheme supports only partial batch verification. Third, the YTBW2 scheme is impractical as it demands an authority to ensure identities and public keys. He et al. concluded that neither the YTBW1 nor the YTBW2 scheme can be used in ADS-B systems, and offered an improved scheme (HKCW) to enforce security.

 Recently, the IBV protocol was put forward to ensure vehicular ad-hoc networks (VANETs) more secure and efficient. Zhang et al. [14], [15] developed an IBV method (ZLLHS-IBV) for VANET communication using an identity-based one-time signature to eliminate the use of certificates for public keys. Lee and Lai [16] found two weaknesses in the ZLLHS-IBV [15] scheme: It is not secure against replaying attack, and it can’t provide non-repudiation. For these two weaknesses, an improved method [16] was proposed to improve security and maintain the efficiency of ZLLHS-IBV. Recently, Tzeng et al. noted that the improved scheme [16] suffers from the infringement of privacy and forgery attacks [17]. They introduced a new modified proposal to meet the demands of security wanted in vehicles.

 However, ZLLHS-IBV schemes and the HKCW scheme require bilinear pairing operations. In modern cryptography, they are the costliest calculation. Our proposed IBV signature avoids bilinear pairing, which reduces the cost of calculation. It can thus be deployed in ADS-B systems. 

 

3. Preliminaries

 In this section, we describe the ADS-B system model, threat model, and design goals.

 

3.1 ADS-B System Model

 As shown in Fig. 1, each aircraft comes fitted with a global positioning system (GPS) as the primary source of information for navigation. The aircraft flies according to messages from other aircraft and the ADS-B ground stations. Moreover, it broadcasts traffic beacons by using the ADS-B Out capability once or twice per second. ADS-B data link standards include the universal access transceiver (UAT) and 1090 MHz Extended Squitters (1090 ES) [18, 19]. As the 1090 ES is highly congested owing to its current use by the air traffic control radar beacon system [20], this paper considers only the authentication of ADS-B messages in the UAT data link. Each aircraft also has a universally unique permanent identifier that can be considered its unique identity in the identity-based setting of our broadcast message signature scheme.

Fig. 1. System model

 

3.2 ADS-B System Threat Model

 As the ADS-B data link is a broadcast-type shared link and messages are broadcast in the form of plaintext, they are vulnerable to attacks. In [21], the authors claimed that ADS-B can easily suffer from cyberattacks, such as message injection, modification, and deletion, ranging from comparatively easy discontinues using interference device to the more harder target ghost inject to denial of service. Costin et al. [22] showed that both active and passive attacks are practical in ADS-B. Tampering information can be realized by bit-flipping and overshadowing [23].

 This paper focuses on ensuring the authenticity of ADS-B information. We thus assume only that the adversary can carry out active attacks, by spoofing false target aircraft or destroying transfer data for example. Passive eavesdropping and recording broadcasts are not considered here. Jamming threats that do not influence the authenticity of the message are studied. 

 

3.3 Design Goals

 To ensure the authentication of the broadcasted information in ADS-B system, the following features are needed.

 • Authenticity and integrity: To solve such a problem as the insertion of fake targets or damage to traffic data [5], ADS-B broadcast messages should be authentic and complete. For example, messages should be transmitted by legitimate aircrafts that have the ADS-B system such that they have not been counterfeited or tampered.

 • Scalability: It becomes increasingly challenging to administer the ADS-B system because of the increase in the number of aircraft. Thus, the IBV signature scheme requires a reasonable interaction mechanism that can easily increase or reduce the number of aircraft.

 • Low cost of communication: The cost of communication should be low because the data space of ADS-B Out is finite in the UAT data link.

 • Low cost of computation: The computational cost should be low because participants are usually avionics devices with limited resources.

 

3.4 Security Requirements 

 It is essential to guarantee the safety and privacy of ADS-B systems. A safe signature should meet the following demands:

 1) Message authentication. Ground stations and aircraft should be capable of confirming that the message has been transmitted by a legitimate aircraft, and has not been tampered with or counterfeited by an attacker.

 2) Non-repudiation. A spiteful aircraft cannot to broadcast messages to misguide ground stations or other aircraft and deny behaviors when the ATC traces it by its digital signatures.

 3) Replaying resistance. A spiteful aircraft cannot collect and store a signed message, and attempt to deliver it at a later time when the original message is invalid.

 

4. Definitions

4.1 System Notations

 This subsection introduces the notations used in this paper (Table 1). Note in particular that all arithmetic operations in this paper are based on the modular operation of finite fields F_q .

Table 1. Notations

 

4.2 Harness Problem

 The security of our signature protocol is based on the elliptic curve discrete logarithm problem (ECDLP):

 Definition 1. ECDLP: Let G  be an elliptic curve of order q. P be a generator of group G . For element \(E \in G\) , the problem of ECDL is to compute  \(e \in Z_{q}^{*}\) to cause the equation E=eP  mod q  to hold.

 

4.3 Bilinear Map

 Let  and G₂ be cyclic groups of prime order q . Let  P denote a generator of group G₁. \(e: G_{1} \times G_{1} \rightarrow G_{2}\) is a bilinear map when the three conditions hold listed below:

 • Bilinearity: \(e(x M, y N)=e(M, N)^{x}\) for all \(M, N \in G_{1}\) and  \(x, y \in Z_{q}^{*}\).

 • Non-degeneracy:\(e(P, P) \neq 1\).

 • Computability: For all \(M, N \in G_{1}, e(M, N)\) can be computed efficiently.

 

4.4 The IBV Signature Scheme Framework

 The IBV signature scheme contains the following five algorithms: System initialization, Registration, Sign, Verify, and BVerify.

 • System initialization: This algorithm takes as input a security parameter k  to generate the master secret key s  and the public parameters  .

 • Registration: Let ID_AL be airline AL ’s identity and ID_AC be aircraft AC’s identity. This algorithm inputs ID_AL, ID_AC, s , and   to generate AC’s private key sk_AC  and its public key PK_AC .

 • Sign: Let sk_AC  be AC’s private key. This algorithm takes as inputs message m ,sk_AC  , and params  to generate a signature \(\sigma\) .

 • Verify: This algorithm takes as inputs message \(\left\{m_{1}, m_{2}, \cdots, m_{n}\right\}\), signature \(\left\{\sigma_{m_{1}}, \sigma_{m_{2}}, \cdots, \sigma_{m_{n}}\right\}\) ,   identity \(\left\{I D_{A C_{1}}, I D_{A C_{2}}, \cdots, I D_{A C_{n}}\right\}\) ,   public key  , and   to determine whether  is legitimate.

 • BVerify: This algorithm takes as inputs a group of messages  , group of digital signatures  , group of identities  , group of public keys \(\left\{P K_{A C_{1}}, P K_{A C_{2}}, \cdots, P K_{A C_{n}}\right\}\) , and   to simultaneously determine whether \(\left\{\sigma_{m_{1}}, \sigma_{m_{2}}, \cdots, \sigma_{m_{e}}\right\}\) are legitimate.

 

5. Proposed ADS-B Signature Scheme

5.1 Scheme Description

 The scheme contains the following five algorithms: system initialization, registration, sign, signature verification, and batch verification.

 (1) System initialization

 In this phase, air traffic controllers act as   to set-up all parameters as follows:

 1) Choose a large prime number q  and a cyclic groups G  of order q  randomly.

 2)P  is a generator of GW  chosen at random.

 3) Randomly pick an element \(s \in Z_{q}^{*}\)  and compute \(P_{p u b}=s P\) .

 4) Select three hash functions \(H_{i}:\{0,1\}^{*} \rightarrow Z_{q}^{*}(i=1,3), H_{2}: G \rightarrow\{0,1\}\), publish \(\text {params}=\left\{q, G, P, P_{p u b}, H_{2}, H_{3}\right\}\), and keep \(s, H_{1}\)  secret.

 (2) Registration

 In this phase, RPKC  generates an identity ID_AL  for each airline, and an identity ID_AC and a secret key sk_AC  for each aircraft.

 1) Generate identity ID_AL  for each airline.

 2) Generate identity ID_AL for each aircraft.

 3) Compute \(s k_{A C}=s H_{1}\left(I D_{A L}\left\|I D_{A C}\right\| s\right), P K_{A C}=H_{1}\left(I D_{A L}\left\|I D_{A C}\right\| s\right)^{-1} P\)

 (3) Sign

 In this phase, AC  generates a signature for message m .

 1) Generate current time stamp T .

 2) Randomly produce  \(r_{m} \in Z_{q}^{*}\) and compute \(R_{m}=r_{m} P K_{A C}\) , \(\alpha_{m}=I D_{A C} \oplus H_{2}\left(s k_{A C} P_{p u b}\right) \text { and } S_{m}=r_{m}+s k_{A C} H_{3}\left(R_{m}\|m\| \alpha_{m} \| T\right)\)  and \(S_{m}=r_{m}+s k_{A C} H_{3}\left(R_{m}\|m\| \alpha_{m} \| T\right)\) .

 3) Output a signature  \(\sigma=\left\{R_{m}, \alpha_{m}, S_{m}, T\right\}\) on message  .

 Finally, AC  broadcasts signature \(\left\{R_{m}, \alpha_{m}, S_{m}, T\right\}\)  through the ADS-B data link to the ground stations and neighboring aircraft.

 (4) Signature verification

 Upon the receipt of signature \(\sigma_{m}=\left\{R_{m}, \alpha_{m}, S_{m}, T\right\}\)  of message AC from broadcaster  , each recipient verifies it as follows:

 1) Let the receipt time be ; the verifier computes  \(\Delta T \geq T_{v}-T\) to determine whether it is correct.  If it is correct, go to step 2; otherwise, reject the message.

 2) If

\(S_{m} P K_{A C}=R_{m}+H_{3}\left(R_{m}\|m\| \alpha_{m} \| T\right) P_{p u b}\)       (1)

 holds, output 1; otherwise, output 0. 

 (5) Batch verification

 When a recipient receives ADS-B broadcast messages from different aircraft at the same time, it can verify the signatures of the messages in a batch-wise manner. Assume that the verifier receives l  signatures \(\sigma_{m_{i}}=\left\{R_{m_{i}}, \alpha_{m_{i}}, S_{m_{i}}, T_{m_{i}}\right\}_{i=1}^{l}\) concerning messages \(\left\{m_{i}\right\}_{i=1}^{l}\) .

 1) Let the time of receipt be  T_v. The verifier determines whether  \(\Delta T \geq T_{v}-T_{m_{i}}(1 \leq i \leq l)\) is correct. If it is correct, the verifier goes to the next step. Otherwise, it rejects the signature.

 2) Pick a group of numbers \(\left\{t_{1}, t_{2}, \cdots, t_{l}\right\}\)  with a small number of bits  l_s (e.g., 80).

 3) If the following equation

\(\sum_{i=1}^{l} t_{i} S_{m_{i}} P K_{A C_{i}}=\sum_{i=1}^{l} t_{i} R_{m_{i}}+\sum_{i=1}^{l} t_{i} H_{3}\left(R_{m_{i}}\left\|m_{i}\right\| \alpha_{m_{i}} \| T_{m_{i}}\right) P_{p u b}\)       (2)

 holds, output 1; otherwise, output 0.

Note: Note that a spiteful verifier can choose t₁=1 . This contributes to a BVerify vulnerability, also called the false acceptance problem, and has been described in [25]. We thus assume that the verifier is honest in the proposed scheme.

 

5.2 Correctness of Verification and Batch Verification

 The correctness of verification and batch verification can be illustrated in the following two theorems, respectively:

 Theorem  1: Verification of the broadcasted message is correct.

 Proof: The correctness of the verification in Eq. (1) is justified as below. For simplicity, we denote \(H_{1}\left(I D_{A L}\left\|I D_{A C}\right\| s\right)^{-1} P\)  by PKAC .

 We have

\(\begin{array}{l}S_{m} P K_{A C}=\left(r_{m}+s k_{A C} H_{3}\left(R_{m}\|m\| \alpha_{m} \| T\right)\right) P K_{A C} \\=r_{m} P K_{A C}+s k_{A C} H_{3}\left(R_{m}\|m\| \alpha_{m} \| T\right) P K_{A C} \\=R_{m}+s H_{1}\left(I D_{A L}\left\|I D_{A C}\right\| s\right) H_{3}\left(R_{m}\|m\| \alpha_{m} \| T\right) P K_{A C} \\=R_{m}+s H_{1}\left(I D_{A L}\left\|I D_{A C}\right\| s\right) H_{3}\left(R_{m}\|m\| \alpha_{m} \| T\right) H_{1}\left(I D_{A L}\left\|I D_{A C}\right\| s\right)^{-1} P \\=R_{m}+H_{3}\left(R_{m}\|m\| \alpha_{m} \| T\right) s P \\=R_{m}+H_{3}\left(R_{m}\|m\| \alpha_{m} \| T\right) P_{p u b}\end{array}\)

 Theorem 2: Batch verification for the broadcasted message is correct.

 Proof: The correctness of the batch verification in Eq. (2) is justified as follows:

\(\begin{array}{lc}\sum_{i=1}^{l} t_{i} S_{m_{i}} P K_{A C_{i}}==\sum_{i=1}^{l} t_{i}\left(r_{m_{i}}+s k_{A C_{i}} H_{3}\left(R_{m_{i}}\left\|m_{i}\right\| \alpha_{m_{i}} \| T_{m_{i}}\right)\right) P K_{A C_{i}}\\=\sum_{i=1}^{l} t_{i}\left(r_{m_{i}} P K_{A C_{i}}+s k_{A C_{i}} H_{3}\left(R_{m_{i}}\left\|m_{i}\right\| \alpha_{m_{i}} \| T_{m_{i}}\right) P K_{A C_{i}}\right)\\=\sum_{i=1}^{l} t_{i} r_{m_{i}} P K_{A C_{i}}+\sum_{i=1}^{l} t_{i} s k_{AC_{i}} H_{3}\left(R_{m_{i}}\left\|m_{i}\right\| \alpha_{m_{i}} \| T_{m_{i}}\right) P K_{A C_i }\\=\sum_{i=1}^{l} t_{i} R_{m_{i}}+\sum_{i=1}^{l} t_{i} H_{3}\left(R_{m_{i}}\left\|m_{i}\right\| \alpha_{m_{i}} \| T_{m_{i}}\right) s k_{AC_{i}} P K_{A C_{i}}\\=\sum_{i=1}^{l} t_{i} R_{m_{i}}+\sum_{i=1}^{l} t_{i} H_{3}\left(R_{m_{i}}\left\|m_{i}\right\| \alpha_{m_{i}} \| T_{m_{i}}\right)s H_{1}\left(I D_{A L}\left\|I D_{A C}\right\| s\right) H_{1}\left(I D_{A L}\left\|I D_{A C}\right\| s\right)^{-1} P\\=\sum_{i=1}^{l} t_{i} R_{m_{i}}+\sum_{i=1}^{l} t_{i} H_{3}\left(R_{m_{i}}\left\|m_{i}\right\| \alpha_{m_{i}} \| T_{m_{i}}\right)s H_{1}\left(I D_{A L}\left\|I D_{A C}\right\| s\right) H_{1}\left(I D_{A L}\left\|I D_{A C}\right\| s\right)^{-1} P\\=\sum_{i=1}^{l} t_{i} R_{m_{i}}+\sum_{i=1}^{l} t_{i} H_{3}\left(R_{m_{i}}\left\|m_{i}\right\| \alpha_{m_{i}} \| T_{m_{i}}\right)sP\\=\sum_{i=1}^{l} t_{i} R_{m_{i}}+\sum_{i=1}^{l} t_{i} H_{3}\left(R_{m_{i}}\left\|m_{i}\right\| \alpha_{m_{i}} \| T_{m_{i}}\right)P_{p u b}\end{array}\)

 

5.3 Discussion

5.3.1 Replay attack

 Eavesdroppers can block and resend both information and their signatures. To deal with the replay attack, this method utilizes the current timestamp   to get the signature, and makes sure that the ground station and the aircraft receive the latest messages. In this way, even if the attackers have monitored the signatures, they still cannot counterfeit the new signatures.

5.3.2 Identification of invalid signatures

 The ADS-B receiver can obtain a large amount of ADS-B information and signatures transmitted by aircraft or stations. If a message has an invalid signature, there is no need to determine the information as new information with a valid signature will arrive shortly (information on position and speed are included, and these values change a little from previously reported ones, which can thus be ignored). However, a large number of invalid signatures means a high likelihood of being attacked. To identify false signatures, a recursive divide-and-conquer method is feasible. In particular, when verification fails, the signatures can be separated into two parts and verified again. If a group of the signatures is verified as valid by the algorithm, we can be sure that the false signatures are in the other part. This process can be repeated until the false signatures have been found [10].

 

6. Security Analysis

 In this section, we give a formal proof of the security of the proposed IBV signature scheme.

 

6.1 Security Model

 An IBV signature scheme should be secure against existential forgery under an adaptively chosen message attack in the random oracle model. For a formal definition of existential unforgeability, an adversary \(\mathcal{A}\)  and a challenger \(\mathcal{B}\)  should interact through a game. The game consists of three phases as follows:

 Setup phase. \(\mathcal{B}\)  executes an initialization algorithm to generate the master secret key  and the public parameters params, and returns params  to  \(\mathcal{A}\).

 Oracle simulation phase.  \mathcal{B} adaptively \(\)issues  H₂ oracle, H₃  oracle, and a sign oracle.  \(\mathcal{B}\)  provides respective responses as follows:

H₂ -oracle: After receiving AC ’s identity ID_AC , \left(R_{m}, m, \alpha_{m}, T\right)  selects an element \(r \in\{0,1\}^{*}\)  randomly. It then  sends r  to  \(\mathcal{A}\) and stores  \(\left(P_{p u b}, I D_{A C}, r\right)\) in the list  \(H_{2}^{l i s t}\).

 H₃-oracle: After receiving a signature  \(\left(R_{m}, m, \alpha_{m}, T\right)\), , \(\mathcal{B}\)  selects an element  \( t \in Z_{q}^{*}\) , randomly. It sends t  to \(\mathcal{A}\) and stores \(\left(R_{m}, m, \alpha_{m}, T, t\right)\)  in the list  \(H_{3}^{l i s t}\).

 Signing query. After receiving message m  and  ID_AC,  \(\mathcal{B}\) generates a signature  \(\sigma\) for message m , and sends \(\sigma\)  to  \(\mathcal{A}\).

 Output phase. In this phase, \(\mathcal{A}\) forges message m* ’s signature \(\sigma\) * corresponding to ID_AC  and a current time stamp T^* .

 We say that   wins in the above game if  \(\text {Verify }\left(m^{*}, I D_{A C^{*}}, T^{*}, \sigma^{*}\right)=1\)  holds.

 Definition 2. We say that an IBV signature scheme is existentially unforgeable against a selective chosen message attack in the random oracle model if there is no polynomial-time adversary   that can win the above game with a non-gligible advantage.

 

6.2 Proof of Security

 Theorem 3: The proposed IBV signature scheme is provably secure against forgeability attacks in the random oracle model if the ECDL problem is hard.

 Proof: Assuming that \(\mathcal{A}\) is an adversary, we build an adversary \(\mathcal{B}\)  to solve the ECDLP. \(\mathcal{B}\)  takes an ECDLP challenge \((P, x P)\)  for \(x \in Z_{q}^{*}\)  and \(P \in G\) . To use  \(\mathcal{A}\) to solve x , \(\mathcal{B}\)  needs to simulate the oracles and a challenger for \(\mathcal{A}\) .\(\mathcal{B}\)   runs \(\mathcal{A}\)  by carrying out the steps below.

 Setup:   sets common parameters \(\text {params}=\left\{q, G, P, P_{p u b}, H_{2}, H_{3}\right\}\) , where   H₂, H₃are random oracles controlled by \(\mathcal{A}\) , and transmits them to the attacker. Note that the master key is the value of s , which is unknown to algorithm \(\mathcal{B}\) .

 Oracle simulation: \(\mathcal{B}\)  simulates the oracles as follows:

  H₂-oracle: Suppose \(\mathcal{A}\)  does not know how to compute the hash function \(H_{2}(\cdot) \cdot \mathcal{B}\) .   maintains a list \(H_{2}^{l i s t}\)  to respond to  H₂ queries, where  \(H_{2}^{l i s t}\) is originally empty. \(\mathcal{B}\)  returns the query made by \(\mathcal{A}\)  makes with message \(\left(P_{p u b}, I D_{A C_{i}}\right)\) , as follows: When the query  \(\left(P_{p u b}, I D_{A C_{i}}\right)\) appears in  \(H_{2}^{l i s t}\) already in a tuple \(\left(P_{p u b}, I D_{A C_{i}}, H_{2_{i}}\right)\) ,  \(\mathcal{B}\) outputs \(H_{2_{1}}\)  to \(\mathcal{A}\)  immediately. If not, it outputs a random value \(H_{2_{1}} \in Z_{q}^{*}\)  to \(\mathcal{A}\) , and inserts a new tuple \(\left(P_{p u b}, I D_{A C_{i}}, H_{2_{i}}\right)\)  into \(H_{2}^{l i s t}\) .

 H₃ -oracle: Suppose A does not know how to compute the hash function  \(H_{3}(\cdot) \cdot \mathcal{B}\).   maintains a list \(H_{3}^{l i s t}\)  to respond to H₃  queries, where \(H_{3}^{l i s t}\)  is originally empty. When \(\mathcal{A}\) makes a query through message \(\left(R_{m_{i}}, m_{i}, \alpha_{m_{i}}, T_{m_{i}}\right)\) ,  \(\mathcal{B}\)  returns it, at which \(\mathcal{A}\)  queries with message \(\left(R_{m_{i}}, m_{i}, \alpha_{m_{i}}, T_{m_{i}}\right)\)  as follows: When the query \(\left(R_{m_{i}}, m_{i}, \alpha_{m_{i}}, T_{m_{i}}\right)\)  is already  in \(H_{3}^{l i s t}\)  in a tuple \(\left(R_{m_{i}}, m_{i}, \alpha_{m_{i}}, T_{m_{i}}, H_{3_{i}}\right)\) , \(\mathcal{B}\)  outputs \(H_{3_{i}}\) to  \(\mathcal{A}\) directly. Otherwise, it outputs a random value \(H_{3_{1}} \in Z_{q}^{*}\)  to  and inserts a new tuple \(\left(R_{m_{i}}, m_{i}, \alpha_{m_{i}}, T_{m_{i}}, H_{3_{i}}\right)\)  into \(H_{3}^{l i s t}\) .

 Sign oracle: When a signing query for a message is received, B can build the signature without the private key. It chooses \(S_{m_{1}}, H_{2_{2}}, H_{3_{3}} \in Z_{q}^{*}\)  at random. Then, it calculates \(R_{m_{i}}=S_{m_{i}} P K_{A C}-H_{3_{i}} P_{p u b} \cdot\left(R_{m_{i}}, S_{m_{i}}, \alpha_{m_{i}}, T_{m_{i}}\right)\)   can be checked to be a valid signature as follows: \(S_{m_{i}} P K_{A C}=R_{m_{i}}+H_{3} P_{p u b}\) .

 If tuple \(\left(R_{m_{i}}=r_{m_{i}} P, m_{i}, \alpha_{m_{i}}, T_{m_{i}}, H_{3_{j}}\right)\)  already appears in \(H_{3}^{l i s t}\) , \(\mathcal{B}\)  selects another \(S_{m}, H_{2_{2}}, H_{3_{1}} \in Z_{q}^{*}\)  and tries again. Then, \(\mathcal{B}\)  returns  \(\left(R_{m_{i}}, S_{m_{i}}, \alpha_{m_{i}}, T_{m_{i}}\right)\) to \(\mathcal{A}\)  and stores \(\left(R_{m_{i}}=r_{m_{i}} P, m_{i}, \alpha_{m_{i}}, T_{m_{i}}, H_{3_{j}}\right)\)  in \(H_{3}^{l i s t}\) . It is difficult for the adversary to distinguish all signatures produced by \(H_{3}^{l i s t}\)  from signatures provided by the legitimate aircraft.

 Output: By the forking lemma [26], after replaying \(\mathcal{A}\)  with the same random tape, \(H_{3}^{l i s t}\)  receives two valid signatures  \(\left(R_{m_{i}}=r_{m_{i}} P, S_{m_{i}}, \alpha_{m_{i}}, T_{m_{i}}\right)\) and  \(\left(R_{m_{i}}^{*}=r_{m_{i}}^{*} P, S_{m_{i}}, \alpha_{m_{i}}, T_{m_{i}}^{*}\right)\)  in a polynomial time, where

\(\begin{aligned}&S_{m_{i}}=r_{m_{i}}+s k_{A C} H_{3_{1}}\\&S_{m_{i}}=r_{m_{i}}^{*}+s k_{A C} H_{3_{i}}^{*}\end{aligned}\)

 Then, \(\mathcal{B}\)  calculates  \(s k_{A C}=\left(H_{3_{j}}-H_{3_{j}}^{*}\right)^{-1}\left(r_{m_{i}}^{*}-r_{m_{i}}\right)\). Finally, \(\mathcal{B}\)  outputs \(s k_{A C}\)  according to \(\left(P_{p u b}, P K_{A C}=s k_{A C} P_{p u b}\right)\)  for \(s k_{A C} \in Z_{q}^{*}\)  and \(P_{p u b} \in G\) , which can solve the ECDLP instance.

 We cannot show that \(\mathcal{B}\)  solves the given instance of the ECDLP to complete the proof because this contradicts the assumption that the ECDLP is difficult. This means that ground stations or other aircraft cannot be cheated by a signature of a message forged by an attacker. Therefore, integrity, message authentication, and non-repudiation are ensured.

 Similar to the approach proposed by Camenisch et al. [27], we demonstrate that the new BVerifity algorithm is secure by the following theorem:

Theorem 4: The proposed batch verification scheme for the ADS-B system is provably secure in the random oracle model if the ECDL problem is hard.

 

6.3 Security Comparison

 We compare the proposed IBV signature scheme with prevalent schemes, i.e., the YKLY scheme [6], the HKCW scheme [9], and the YTBW2 scheme [10], in terms of the security properties listed in Section 3.4. The YKLY scheme [6] is vulnerable to non-repudiation and forgery attacks as any malicious aircraft or outside attacker can generate two valid signatures for any message. Moreover, the YKLY scheme [6], HKCW scheme [9], and YTBW2 scheme [10] all fail to prevent the replay attack because any malicious attacker can implement reply attacks. The proposed scheme uses the current timestamp to ensure that the ground station and aircraft receive the latest messages and generate the signature to avoid the replay attack.

Table 2. Security comparison

 Table 2 lists a comparison of the security functions in the ADS-B system. The results show that our scheme is more advantageous than prevalent schemes.

 

7. Performance Evaluation

 As shown in Fig. 1, the ADS-B messages broadcasted by an aircraft are received either by ground stations or other aircraft. In general, the ground stations have powerful processing capacity and large storage capability, but aircraft have limited computation power and small storage space owing to the size-related limitation in avionics. Hence, the low computational cost of the signature is important for an aircraft with limited resources. As a result, in the following, the performance evaluation focuses on cases involving aircraft.

 We evaluated the proposed signature scheme in terms of computational, verification-related, and communication overhead. In our experiments, we used the Ate pairing \(e: G_{1} \times G_{1} \rightarrow G_{2}\), where G₁ was generated by a point on a super-singular elliptic curve \(E\left(F_{p}\right): y^{2}=x^{3}+1\) defined on the finite field F_p . The order q  was 160 bits and p  was 512 bits. We defined the time cost of these operations as follows:

 \(T_{bp}\) : The time to calculate one pairing operation \(e: G_{1} \times G_{1} \rightarrow G_{2}\).

 \(T_{mtp}\) : The time to calculate a map-to-point hash function \(H:\{0,1\}^* \rightarrow G\).

 \(T_{pm}\) : The time to perform a general point multiplication operation \(s.P\) , where \(s\)  is represented by160 bits.

 \(T_{spm}\) : The time to calculate a short point multiplication operation \(s.P\) , where \(s\)  is represented by 80 bits.

 \(T_{pa}\) : The time to calculate a point addition operation.

 \(T_{exp}\) : The time to execute an exponentiation operation  \(g^r\).

 \(T_{mul}\) : The time to perform a multiplication operation.

 \(T_{h}\) : The time to calculate a general hash operation.

 We implemented the above operations on a 3.2 GHz Intel I5-3470 machine for fair comparison [9]. The running results are shown in Table 3.

Table 3. Runtimes of related operations (in ms)

 

7.1 Computational Cost

 We compared the proposed signature scheme with the YKLY scheme [6], HKCW scheme [9], and YTBW2 scheme [10] in computational complexity. Table 4 shows the operational costs of the four schemes.

 In the YKLY scheme, the times needed to generate aircraft AC ’s private key were\(T_{h}+T_{p m}+T_{i v}\) =0.053+3.740+2.892=6.685 ms , \(T_{b p}+3 \times T_{p m}+2 \times T_{p a}+T_{e x p}+2 \times T_{h}=\) 11.515 + 3×3.740 + 2×0.022 + 0.591 + 2×0.053 =23.476 ms for the signature generation, and  \(T_{b p}+T_{p m}+T_{e x p}+T_{p a}+2 \times T_{h}\)  = 11.515 + 3.740 + 0.591 + 0.022 + 2×0.053 = 15.974 ms for verifying the legitimacy of the signature. To verify n  signatures \(\sigma_{i}=\left\{I D_{i}, m_{i}, r_{i}, S_{i}\right\}_{i=1}^{n}\)  from the batch verification equation, the verifier in the YKLY scheme needed to calculate  ,  \(2 T_{b p},n T_{p m}, n T_{m d l}, \quad(2 n-2) T_{p a}, \quad 2 n T_{h}\) and \(T_{e x p}\) . Hence, the verifier’s runtime was \(3.893 n+23.577 \mathrm{ms}\left(=2 \times T_{b p}+n \times T_{p m}+n \times T_{m u l}+(2 n-2) \times T_{p a}+2 n \times T_{h}+T_{ex p}\right.\) = 2×11.515 +  n×3.740 + n ×0.003 + (2n-2) ×0.022 +2n ×0.053 + 0.591).

 In the YTBW2 scheme, the times needed to generate airline AL ’s private key were  \(T_{m p t}+T_{p m}\) = 9.773+3.740 =13.513 ms, \(2 \times T_{m p t}+3 \times T_{p m}+T_{p a}\)  = 2×9.773+3×3.740+0.022 = 30.788 ms for aircraft  AC’s private key, \(2 \times T_{s m}+T_{p a}+T_{h}\)= 2×3.740+0.022+0.053 =7.555 ms for the signature generation, and  \(3 \times T_{b p}+T_{p m}+T_{p a}+T_{h}\)= 3 × 11.515 + 3.740 + 0.022 +0.053 = 38.360 ms for verifying the legitimacy of the signature. To verify n  signatures \(\sigma_{m_{i}}=\left\{R_{A L}, R_{A C_{i}}, R_{m_{i}}, S_{m_{i}}\right\}_{i=1}^{n}\)  from the batch verification equation, the verifier in the YTBW2 scheme needed to execute \(3 T_{b p}, n T_{p m}, 3 T_{s p m},(4 n-3) T_{p a}\)  and \(n T_{h}\) . Hence, the verifier’s runtime was 10.148 +34.479 ms \(\left(=3 \times T_{b p}+n \times T_{p m}+3 n \times T_{s p m}+(4 n-3) \times T_{p q}+n \times T_{h}\right. =3 \times 11.515+n \times 3.740+3 n \times 2.089+(4 n-3) \times 0.022+n \times 0.053)\)

 In the HKCW scheme, the needed to generate airline AL ’s private key was \(2 \times T_{p m}+T_{h}\)   = 2 × 3.740 +0.053 = 7.533 ms, \(2 \times T_{p m}+T_{p a}+T_{h}\)= 2 × 3.740 + 0.022 +0.053 = 7.555 ms for generating aircraft AC ’s private key, \(2 \times T_{p m}+T_{p a}+T_{h}\)=2 × 3.740 + 0.022 + 0.053 = 7.555 ms for the signature generation, and  \(2 \times T_{b p}+3 \times T_{p m}+3 \times T_{p a}+3 \times T_{h}\) =2 × 11.515 + 3 × 3.740 + 3 × 0.022 + 3 × 0.053 = 34.475 ms for verifying the legitimacy of the signature. To verify  n signatures \(\sigma_{m_{i}}=\left\{R_{A L}, R_{A C_{i}}, R_{m_{i}}, S_{m_{i}}\right\}_{i=1}^{n}\)  simultaneously, the verifier in the HKCW scheme needed to execute \(2 T_{b p}, T_{p m}, n T_{m p m}, n T_{p a} \text { and } 3 n T_{h}\). Hence, the verifier’s runtime was 8.005n  + 26.77 ms \(\left(=2 \times T_{b p}+T_{p m}+n \times T_{s p m}+n \times T_{m p n}+n \times T_{p a}+3 n \times T_{h}\right.\)= 2×11.515 + 3.740 +n  ×2.089+ n × 5.735 +  n × 0.022 + 3n  × 0.053 ).

 For the proposed IBV signature scheme,  the runtimes were \(2 \times T_{h}+T_{w}+T_{p m}+T_{m d}\)= 2 × 0.053 + 2.892+3.740 +0.003 = 6.741 ms for generating aircraft  ’s private key, \(T_{m u l}+T_{p m}+2 \times T_{h}\)   = 0.003 + 3.740 +2 × 0.053 = 3.849 ms for signature generation, and\(2 \times T_{p m}+ T_{p a}+T_{h}\)  =2 ×3.740 +  0.022  +  0.053 = 7.555 ms for verifying the legitimacy of the signature. To verify n  signatures  \(\sigma_{m_{i}}=\left\{R_{m_{i}}, \alpha_{m_{i}}, S_{m_{i}}, T_{m_{i}}\right\}_{i=1}^{n}\) simultaneously, the verifier in the proposed scheme needed to execute  \((n+1) T_{p m}, 2(n-1) T_{p a}, n T_{s p m}\) and \(n T_{h}\) . Hence, the verifier’s runtime was 5.926  + 3.696 ms \(\left(=(n+1) \times T_{p m}+2(n-1) \times T_{p a}+n \times T_{s p m}+n \times T_{h}\right.\)  =   (n+1)× 3.740 +  (2n-2) × 0.022 + n × 2.089 +n  × 0.053 ).

Table 4. Comparative summary: Computational costs (in ms)

 We compared our proposed IBV signature scheme with those of the YKLY scheme, HKCW scheme, and YTBW2 scheme (see Table 4) in terms of the computational cost. Obviously, our signature scheme had lower computation complexity in the Registration (Extract AL, Extract AC), Sign, Verify, and BVerify algorithms than the YKLY, HKCW, and YTBW2 schemes.

 In the Registration (Extract AL, Extract AC) algorithm, our IBV signature scheme recorded improvements of 123.82% and 557.19% over the HKCW scheme and the YTBW2 scheme, respectively. On the Sign algorithm, the proposed scheme improved by 509.92%, 96.28%, and 96.28% over the YKLY, HKCW, and YTBW2 schemes, respectively.

 It is thus clear that our scheme outperformed the YKLY, HKCW, and YTBW2 schemes.

 

7.2. Transmission Overhead

 The transmission cost of the IBV signature method was analyzed and compared with those of the YKLY [6], HKCW [9], and YTBW2 schemes [10]. The transmission overhead was that generated by transmitting data from an aircraft to a ground station, and by communication between aircraft. The evaluation focused on the communication cost of the signature and timestamp but the information was considered. Table 5 shows the communication costs of all schemes.

Table 5. Comparative summary: Communication costs (in bits)

 According to the results, p was 512 bits and T was 96 bits. Thus, an element in  G was 512+512=1024 bits. The signature produced by the YKLY scheme was {r,S} , where \(S \in G\), \(|s|=512\) Therefore, the transmission cost of the YKLY method was 1024+512=1536 bits. The signature produced by the HKCW method was \(\left\{R_{A L}, R_{A C}, R_{m}, S_{m}\right\}\) , where \(R_{A L}, R_{A C}, R_{m}, S_{m} \in G\) . The transmission cost of He et al.’s second method was 1024 4=4096 bits. The signature produced by the YTBW2 scheme was \(\{U, V, P, R\}\) , where \(U, V, P, R \in G\) ,  Hence, the transmission cost of He et al.’s scheme was 1024 4=4096 bits. The signature produced by our method was \(\left\{R_{m}, \alpha_{m}, S_{m}, T\right\}\) , where  \(R_{m}, S_{m} \in G\), \(\left|\alpha_{m}\right|=512\) . Hence, the transmission cost of our method was 1024 2+512+96= 2656 bits.

 

8. Conclusion

 In recently developed e-enabled aircraft, advanced network technologies make an important contribution to improving safety and efficiency. The ADS-B system is among the important parts of e-enabled aircraft, and its security is thus important when communicating, especially given that the airspace is now considered cyberspace and aircraft act as intelligent nodes that are vulnerable to cyberattacks.

 In this paper, we propose an identity-based batch verification signature scheme of the ADS-B system while dealing with the intractability of the ECDL. A comparative analysis showed that the proposed scheme better than the YKLY scheme [6], HKCW scheme [9], and YTBW2 scheme [10]. Its outstanding security and lightweight computation show that this method can be deployed in the ADS-B. The next step in this research is to evaluate this method in a practical environment, improve it, and design a scheme secure in the post-quantum epoch.