Privacy-Preserving Mutual Heterogeneous Signcryption Schemes Based on 5G Network Slicing

With the wide application of 5G network, much research has been carried out in recent years toward the 5G network slicing technology in order to save 5G network resources and satisfy the service requirements of different users. Different public key cryptosystems may be deployed in different 5G network slicings. Therefore, heterogeneous signcryption is required to achieve secure communications between different 5G network slices. The existing scheme is a one-to-one communication between 5G network slicings. To obtain one-to-many and many-to-one secure communications, two new privacy-preserving heterogeneous signcryption schemes have been proposed in this article based on 5G network slicings, which can accomplish mutual communications between the public key infrastructure (PKI) and the certificateless public-key cryptography. In this work, we present PKI $\to $ CLC completely anonymous multireceiver signcryption (PMRCHS) and CLC $\to $ PKI heterogeneous aggregate signcryption (CPHAS) schemes based on the 5G Internet of Things (IoT) slicing and the 5G Internet of Vehicle (IoV) slicing. Under the random oracle model (ROM), the proposed schemes have proved to satisfy confidentiality and unforgeability under the computational Diffie–Hellman problem and discrete logarithm problem (DLP). Furthermore, we make comparisons of the proposed work with the existing works in terms of computational cost, communication cost, anonymity, and communication direction. The results show that the proposed schemes are more secure and effective.

healthcare, and smart cities. In 2012, the European Union officially launched METIS (Mobile and Wireless Communications Enables for the 2020 Information Society) [1]. In 2015, the International Telecommunication Union (ITU) [2] designated 5G as "IMT-2020" and defined its three communication features: 1) enhanced mobile broadband (eMBB); 2) ultrareliable and low latency communications (uRLLC); and 3) massive machine-type communications (mMTC). There are great differences in the serviceability requirements of the network in the three application scenarios of eMBB, uRLLC, and mMTC [3]. The main applications of the three application scenarios of 5G in real life are shown in Fig. 1. Compared with previous communication technologies, 5G technological innovations include 5G network slicing, edge computing, massive MIMO, device to device (D2D), and so on [4] and [5].
While 5G brings convenience and an entirely new service experience to users, 5G applications are also facing broader and more complex security threats, which have become the focus of attention for researchers, enterprises, and users around the world. Cao et al. [5] focused on the new capabilities and technologies introduced by 5G, which pose significant challenges for the mobile Internet, such as the Internet of Things (IoT), direct-to-device (D2D), vehicle-to-everything (V2X), and 5G network slicing. Moreover, 5G security features, security requirements, and security vulnerabilities are discussed in detail. As different 5G application scenarios require different service requirements, the problem of constrained 5G network resources and network security in the new 5G application are all urgent issues to be addressed. Therefore, 5G network resources are divided into different network slicings to solve resource constraints and different service needs of users, reduce network operation costs, and improve network efficiency [6]. 5G network slicings under different cryptosystems can communicate securely through heterogeneous signcryption.
In the public key infrastructure (PKI), the certificate authority (CA) issues public key certificates for each user and binds those certificates with the identity of the user. However, as the number of users grows, this method takes a lot of time and storage space to manage certificates in PKI. To solve this dilemma, Shamir [7] introduced the identity-based cryptosystem (IBC) in 1984. In IBC, public keys are the identities of users whose private keys are generated by the private key generator (PKG). However, it leads to the problem of key escrow in IBC. In order to solve the issue of certificate management and key escrow in IBC, Al-Riyami and Paterson [8] proposed certificateless cryptosystems (CLC), in which the private key consists of two parts. One is the secret value chosen by the user, and the other is calculated and issued to the user by KGC, taking advantage of the master key and the user's identity information. Therefore, KGC cannot obtain a complete private key, which effectively solves the existing problems.
To achieve confidentiality, integrity, authentication, and unforgeability at the same time, the traditional approach is to sign before encrypting or encrypt before signing. In order to optimize the algorithm and improve the efficiency while implementing digital signatures and public-key encryption in one logical step, Zheng [9] first proposed the concept of signcryption in 1997 and first put forward the formal security model of signcryption in 2002 [10]. Some signcryption schemes based on PKI, IBC, or CLC [11]- [13] have been proposed for practical application scenarios, such as wireless body area networks, wireless sensor networks, Industrial IoT (IIoT), Internet of Vehicles (IoVs), smart healthcare, and so on. In 2018, Karati et al. [14] introduced a new identity-based signcryption scheme using the bilinear pairing for IIoT crowdsourcing environments, and also applicable for low-bandwidth communications. In the edge computing environment, to facilitate lightweight deployment and reduce the system operation, Peng et al. [15] designed a certificateless multimessage and multireceiver signcryption scheme by using the elliptic curve cryptography in 2020. However, they are only applicable to homogeneous cryptosystems. Since different 5G network slicings and communication systems may adopt different cryptosystems, it is necessary to support and research heterogeneous communications if the secure communications between different cryptosystems has been considered [6].
In 2010, a multirecipient PKI→IBC heterogeneous signcryption scheme was introduced by Sun and Hui [16], but could only satisfy external security. In 2011, Huang et al. [17] proposed a heterogeneous signcryption scheme that could implement IBC→PKI communications and resist internal attacks, but not carry out mutual communications. Although Li et al. [18] discussed that the scheme could accomplish PKI↔IBC mutual communications in 2013, the work relied on tedious pairing operations, which result in poor efficiency.
In recent years, more heterogeneous signcryptions have been proposed to achieve secure and efficient communications between different cryptosystems. In 2016, Li et al. [19] proposed a multireceiver heterogeneous signcryption scheme from CLC→IBC for the first time, and realized the anonymity of all receivers, which is very attractive for wireless network applications. However, this scheme could not guarantee the anonymity of the sender, and a large number of pairing operations were utilized, leading to increased computational costs and unable to proceed with mutual communications. In 2019, Zhou et al. [20] proposed a specific heterogeneous signcryption of vehicle-to-infrastructure (V2I) communications. There were four schemes to achieve one-to-many and many-to-one communications between PKI and IBC. But the overall algorithms utilized a great deal of pairing and exponentiation operations, which led to inefficiency. In order to satisfy the main security requirements of the NDN-based IoT, Rehman et al. [21] proposed a heterogeneous signcryption scheme from CLC to IBC in 2020, which could only fulfill one-to-one communications in one direction. The work proposed by Ali et al. [22] could accomplish the communications between vehicles under CLC and vehicles under PKI in a vehicular ad hoc network, which supports batch verification and helps vehicles send multiple messages. However, the algorithms frequently used pairing and exponentiation operations, which had deficiencies. In 2021, Xiong et al. [23] proposed a heterogeneous signcryption scheme with equality test (HSC-ET) for IIoT. HSC-ET could determine whether the same underlying plaintext exists between two ciphertexts and achieve a flexible search to the ciphertext.
Nowadays, security breach and privacy leakage severely threat the development of all walks of life. Consequently, privacy-preserving has increasingly become the focus of everyone's attention. In 2021, to guarantee both the security and privacy of users behavior features, Wei et al. [24] presented an implicit authentication framework for the intelligent network and also designed a privacy-preserving implicit authentication protocol using the cosine similarity. In 2022, Zhou et al. [25] focused on designing a human-in-the-loop-aided scheme to preserve privacy in smart healthcare. To achieve privacypreserving and secure communications in 5G network slicings, Liu et al. [6] proposed secure communications between PKI and CLC without bilinear pairings in 2018. However, this method could only fulfill one-to-one communications between users of different 5G network slicings, which had limited applications in real life. In 2021, Luo et al. [26] proposed oneto-one communications between PKI and CLC with different system parameters for different 5G network slicings, which did not utilize pairing operation and has high computational efficiency. However, it had limitations in practical application and could not perform one-to-many and many-to-one communications. In this article, we develop two new schemes to achieve one-to-many and many-to-one secure communications for different 5G network slicings.

A. Our Contribution
The contributions of this work are listed as follows. 1) This work presents the one-to-many and many-toone communication between 5G IoVs slicing deployed in PKI and 5G IoT slicing deployed in CLC. We proposed two privacy-preserving mutual heterogeneous signcryption schemes: a) the PMRCHS scheme and b) the CLC→PKI heterogeneous aggregate signcryption (CPHAS) scheme, which can realize identity and data privacy. 2) Under the random oracle model (ROM), our proposed are proved that have the indistinguishability against adaptive chosen ciphertext attack under the computational Diffie-Hellman problem (CDHP) and the existential unforgeability against adaptive chosen message attack under the discrete logarithm problem (DLP). Namely, that satisfies confidentiality and unforgeability. In addition, our work also provides a public verification method to verify the validity of the ciphertext. 3) The PMRCHS scheme achieves anonymity for the sender and receivers at the same time. Each authorized receiver can easily judge whether the received ciphertext is from an authorized sender. Any unauthorized receiver cannot obtain the sender's identity. What's more, the Lagrange interpolation formula is employed to prevent the leakage of the identities of authorized receivers. Each receiver can quickly tell whether he/she is an authorized receiver, but cannot determine the identity of any other authorized receiver. The CPHAS scheme can also ensure that only authorized participants can obtain identities. Meanwhile, the CPHAS scheme can achieve batch verification for aggregated ciphertext. 4) The two proposed schemes both require less computational overhead than other works through experiment and performance analyses because they do not require bilinear pairing operations. Our proposals are more suitable for the practical application scenarios of 5G network slicings. For example, when a user in a 5G IoV slicing deployed in PKI tries to communicate with multiple users in a 5G IoT slicing deployed in CLC, a secure communication can be established using the PMRCHS scheme. We assume that numerous users in a 5G IoT slicing deployed in CLC intend to communicate with a user in a 5G IoV slicing deployed in PKI, and that CPHAS will be a better choice for secure communication.

B. Organization
The remainder of this article is organized as follows. Section II describes the preliminaries, which includes 5G network slicing, bilinear mapping, and complexity assumptions. Section III discusses the algorithm model and security model. Section IV introduces the proposed PMRCHS and CHAPS schemes. Sections V and VI provide the security and performance analysis respectively. Finally, we conclude the work and present an outlook for this work in Section VII.

A. 5G Network Slicing
In 2015 Ericsson [6] announced that the 5G system would be built with logical network slicings that would enable operators to satisfy the wide range of user demands. The network slicings are also known as the "5G network slicings." A 5G network slicing is composed of various functions and specific radio access technology (RAT) sets [27]. The definition of a network slicing is to partition and optimize the calculation and communication resources of physical infrastructure into several independent logical networks so that virtualization technology can be utilized to provide various application services, such as software-defined networks (SDNs) or network functions virtualization (NFV), which can be determined as the key enabling technology for realizing network slicing in 5G networks [28], [29]. This means that network operators will be able to quickly create and deploy different network slicings. 5G network slicings can customize network functionality and manage network resources according to different service scenarios [30]. Each network slicing can be abstracted as a logical network composed of a set of network functions and their corresponding configurations [31], thus providing more flexible and diverse services.
The lifecycle of a 5G network slice consists of three steps, namely, creation, management, and revocation, as shown in Fig. 2 [32]. The business requirement operators make requests to network operators, and upon receiving these requests, the network operator matches the network slice template in accordance with the business scenario demands. The slicing template consists of the required network function components, the component interaction interfaces, and the instructions for network resources. When the template is imported, the service engine can request network resources from the resource platform. After obtaining the resources, the service engine can adopt them to implement virtual network functions and make them enterprise entitative [32], [33]. The 5G network slice shown in Fig. 2 can be a smart healthcare, a mobile network, the IoVs, an industrial automation, the IoT, etc.
Recently, 5G network slicing has become one of the most essential hot topics of research. In [32] we can find that the utilization of network slicing in the IoT has been comprehensively analyzed, discussing the usage of network slicing in different IoT application scenarios. Furthermore, the technical challenges that can be addressed by network slicings are considered. Noticeably, 5G network slicings play an important role in the future of communication networks. However, it is assumed that the secure communication between different network slicings cannot be guaranteed, the application of 5G network slicings will be limited [34].

B. Bilinear Pairing
Let G 1 denotes a q order cyclic addition group, and G 2 denotes a q order cyclic multiplicative group, where q is a prime. A bilinear pairing e : G 1 × G 1 → G 2 is defined as a function with the following properties [30]. 1) Bilinearity: For any P, Q ∈ G 1 and a, b ∈ Z * p , e(aP, bQ) = e(P, Q) ab . 2) Nondegeneracy: There exists a point P ∈ G 1 so that e(P, P) = 1 G 2 . 3) Computability: For any P, Q ∈ G 1 , there exists an efficient algorithm to compute e(P, Q).

C. Complexity Assumptions
To prove the security of our proposed PMRCHS and CPHAS, we recall the following complexity problems: G 1 is a q order cyclic addition group and P is a generator of group G 1 .

A. Algorithm Model
In this section, we present the algorithm model for the proposed PMRCHS and CPHAS schemes.
Setup: This algorithm is implemented by CA and KGC. The CA generates digital certificates for the user in PKI, KGC inputs a security parameters l and outputs system parameters params and system master key s. KGC publishes system parameters params while secretly preserving master key s. PKI-KG: This algorithm generates keys for PKI users. In the PKI cryptosystem, a user ID p selects a private key sk p at random and publishes public key pk p .
CLC-KG: This algorithm generates keys for users in CLC, which needs four steps.
1) Partial Private Key Extract: The KGC performs this operation using identities ID i (i = 1, 2, . . . , n), system parameters params, and the master key s as input. The KGC generates a partial private key d i and sends it to users via a secure channel. 2) Set Secret Value: The user ID i randomly selects the secret value x ci . 3) Private Key Extract: Taking partial private d i and secret value x ci as input, and then outputing the private key sk ci .

4) Public Key Extract:
The user ID i inputs partial public key B i and secret value x ci , and outputs the public key pk ci . Signcrypt: Given a message m, an authorized senders identity ID p , a private key sk p , the authorized receiver's identity set L = {ID i , i = 1, 2, . . . , n}, and the corresponding public key pk ci , a sender runs this signcryption algorithm to output ciptertext σ .
Unsigncrypt: Given the ciphertext σ , the authorized receiver's private key sk ci , and a sender public key pk p . If the ciptertext σ is valid, then output m. Otherwise, it returns ⊥.
Signcrypt: Given messages m i (i = 1, 2, . . . , n), the authorized senders' identities ID i (i = 1, 2, . . . , n) and the corresponding private key sk ci , the authorized receiver's identity ID p , and the corresponding public key pk p . The signcryption algorithm is executed by senders to output ciphertext σ i .
Unsigncrypt: The receiver uses the ciphertext σ i , the authorized receiver's private key sk p , and the authorized sender's public key pk ci to perform the unsigncryption algorithm. If the ciphertext σ i is valid, it returns m i . Otherwise, it returns ⊥.
Aggregate Signcrypt: The authorized receiver inputs multiple ciphertexts σ i , and outputs aggregate ciphertext σ .
Aggregate Unsigncrypt: The authorized receiver inputs system parameters params, sender's public key sets pk ci (1 ≤ i ≤ n), the authorized receiver's private key sk p , and aggregate ciphertext σ , and returns plaintext message sets {m 1 , m 2 , . . . , m n } or ⊥.

B. Security Model
Since the PMRCHS and CPHAS schemes both contain two cryptosystems, the schemes need to satisfy the confidentiality of message and the unforgeability of ciphertext. That is the indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2) under the CDHP and the existential unforgeability against chosen messages attacks (EUF-CMAs) under the DLP under the ROM [6].
Assuming that the PMRCHS and CPHAS schemes have two adversaries, the adversary A 1 is a user in the system who does not know the master key s but can replace the user's public key. The adversary A 2 is an honest but curious KGC, who knows the master key s, but cannot replace the public key of the user. An adversary and a challenger can perform a query response of the game. If an adversary has a nonnegligible advantage ξ against a challenger C in the game, the PMRCHS and CPHAS schemes are proved to be safe.
Game 1: A 1 interacts with C in the following ways. Initialization: C generates the master key s and the system parameters params using the Setup algorithm, and then returns params to A 1 and secretly keeps s. Otherwise, it executes the private key extraction algorithm, resulting in the complete private key d i and x ci as a response to A 1 . 6) CLC-Public-Key-Queries: When A 1 requests the CLC public key from identity ID i , C first checks to see if its public key value exists in the list. If it does, it selects the value as the response to A 1 . Otherwise, C executes the public key extraction algorithm, outputs B i and pk c1i , and returns the complete public key pk ci in response to A 1 . 7) Request-Public-Key-Queries: When A 1 wants to replace the public key pk ci of identity ID i as a pk * ci queries, C replaces pk ci in the corresponding list with pk * ci . 8) Signcryption Queries: C, utilizing a sender's sk p and pk ci of receivers, runs the signcryption algorithm and returns the result σ to A 1 . 9) UnSigncryption Queries: C, using a sender's pk p and sk ci of receivers, runs the unsigncryption algorithm and returns the result m to A 1 . Challenge Phase: A 1 generates equal length plaintexts m 0 and m 1 , while also generating the sender's identity ID * send , and the identity receiver ID * receive who wish to challenge. In this phase, the public key of ID * receive cannot be replaced, and d i and x ci cannot be queried either. C chooses μ ∈ {0, 1} at random, computes σ * = (c μ , u * , R * 2 , T * ) and returns it to A 1 . Phase 2: A 1 executes queries similar to those in Phase 1, but without the ability to perform private key queries for ID * receive and unsigncryption queries for the tuple (σ * , ID * send , ID * receive ). Guess: A 1 generates a guess value ι * , and if ι * ← A 1 : ι * = ι, it wins IND-CCA2-1. We define the advantage of A 1 being successful as

Definition 4 (IND-CCA2-2):
The PMRCHS scheme has IND-CCA2-2. If an adversary A 2 has a nonnegligible advantage ξ against a challenger C in the game, which indicates that the PMRCHS scheme satisfies IND-CCA2-2 security.
Game 2: A 2 interacts with challenger C in the following ways.
Initialization: Using the Setup algorithm, C generates the master key s and the system parameters params. C then returns params to A 2 while keeping s secretly.
Phase 1: C interacts with A 2 . A 2 carries out adaptive queries, and C tracks hash predictor and key extraction predictor. At this stage, A 2 performs subsequent challenges via inquiries similar to those in Game 1, but A 2 is unable to perform public-key replacement queries.
Challenge Phase: A 2 generates equal length plaintexts m 0 and m 1 , while also generating the identity ID * send of the sender and the receiver's ID * receive who wish to challenge. In this phase, the public key of ID * receive cannot be replaced, and d i and x ci cannot be queried either. C randomly selects μ ∈ {0, 1}, computes σ * = (c μ , u * , R * 2 , T * ) and returns it to A 2 . Phase 2: A 2 executes queries similar to those Phase 1, but cannot perform private key queries for ID * receive and unsigncryption queries for the tuple (σ * , ID * send , ID * receive ). Guess: A 2 outputs a guess value ι * . If ι * ← A 2 : ι * = ι, it wins IND-CCA2-2. We define the advantage of A 2 being successful as

2) Unforgeability: Definition 5 (EUF-CMA):
The PMRCHS scheme is said to be EUF-CMA. If an adversary F has a nonnegligible advantage ξ against a challenger C in the game, which indicates that the PMRCHS scheme satisfies EUF-CMA security.
Game 3: F interacts with challenger C in the following ways.
Initialization: C generates the master key s , and the system parameters params using the Setup algorithm and then return params to F while secretly keeping s.
Training: C interacts with F, F carries out adaptive queries, and C tracks hash and key extraction oracles. In this phase, F carries out subsequent challenges through inquiries similar to those in Game 1.
Forgery: After training, F returns forgery (σ * , ID * send , ID * receive ). F cannot make private key queries, public key replacement queries, and signcryption queries for ID * send during the training period. That is, the F signcryption that responds to a message m under ID * send and ID * receive cannot be σ * . C then performs the unsigncryption algorithm to get m * . Otherwise, it returns ⊥, and F wins the game. We define the advantage of F being successful as The security model of our proposed CPHAS scheme is similar to that of the PMRCHS scheme.

IV. PROPOSED SCHEMES
In this section, we assume that 5G IoV slicings are deployed in PKI cryptosystems and 5G IoT slicings are deployed in CLC cryptosystems. We propose two effective heterogeneous signcryption schemes to achieve secure communication and authentication between two heterogeneous 5G slicings. The first scheme is the PMRCHS based on 5G network slicings, which allows any user in the IoV slicing to signcrypt a message and send ciphertext to authorized users in the IoT slicing. After receiving the ciphertext, the authorized users in the IoT slicing have the ability to unsigncrypt and acquire the message. The second scheme is CPHAS, which is the inverse of the PMRCHS scheme. The system model of the proposed scheme is shown in Fig. 3. It comprises of four entities, including the CA, KGC, 5G IoT, and the 5G IoV slicings. The CA and 5G IoT slicings belong to the PKI cryptosystem, whereas the KGC and the 5G IoV slicings belong to the CLC cryptosystem.
Setup: Given a security parameter l, CA and KGC choose a cyclic additive group G 1 of a large prime order q(q ≥ 2 l ). The generator of G 1 is P. m = {0, 1} is a message space, field Z * q = {1, 2, . . . , q − 1}. KGC then defines four different crypotographic hash functions: It then randomly selects a number s ∈ Z * q as the master key and computes the public key P pub = sP. Finally, KGC keeps safe the master key s and publishes system parameters PKI-KG: This algorithm generates keys for PKI users. A user ID p in the PKI cryptosystem chooses a random number x p ∈ Z * q as a private key sk p and publishes public key pk p = (1/x p )P.
CLC-KG: This algorithm generates keys for users in CLC cryptosystems, which executes the following four steps.
1) Partial Private Key Extraction: Authorized user ID i in CLC sends a request to KGC. After receiving the user's request, KGC randomly selects b i ∈ Z * q and computes q . Then, KGC sends (d i , B i ) to the user through a secure channel. d i is the user's partial private key. 2) Set Secret Value: Authorized user ID i randomly selects x ci ∈ Z * q as a secret value. 3) Private Key Extract: Authorized user ID i receives d i and generates x ci as a private key. 4) Public Key Extract: Authorized user ID i computes pk c1i = x ci P according to the secret value x ci , and then sets the public key pk ci = (B i , pk c1i ). Signcrypt: Inputting the plaintext message m, the sender's private key sk p , the authorized receivers' identity sets L = (ID 1 , ID 2 , . . . , ID n ), and the corresponding public key pk ci in the CLC cryptosystem, the sender in the PKI cryptosystem executes the following signcryption algorithm.

B. CPHAS Scheme
In this section, the CPHAS scheme is constructed by seven algorithms. The Setup, PKI-KG, and CLC-KG are similar to those of PMRCHS. Signcrypt, unsigncrypt, aggregate signcrypt, and aggregate unsigncrypt are described below. The difference is that this work requires the hash function Signcrypt: This signcryption algorithm is performed by authorized senders ID i (i = 1, 2, . . . , n) in the 5G IoT slicing to output ciptertext σ i using message m i , private key sk ci , and the public key pk p of a receiver in the 5G IoV slicing.
Unsigncrypt: In 5G IoV slicings, the authorized receiver ID p uses the system parameter params, private key sk p , and the sender's public key sets (pk c1 , pk c2 , . . . , pk cn ) to unsigncrypt the message after receiving the ciphertext If it is vaild, do the following computation. Otherwise, return ⊥.

4) Compute
, and accept messages m i . Aggregate Signcrypt: In order to verify the correctness of the aggregate message and save on verification costs, the receiver can aggregate multiple the received messages. Because S = i=1 n S i is computed by the receiver, the aggregate signcryption ciphertext is , S). Aggregate Unsigncrypt: In 5G IoV slicings, the receiver ID p uses the system parameter params, private key sk p , and the sender's public key sets (pk c1 , pk c2 , . . . , pk cn ) to validate the If the equation holds, the receiver obtains the message m i through the unsigncryption steps. Otherwise it will return ⊥. Correctness: The correctness of the CPHAS scheme can be verified. First Third

V. SECURITY ANALYSES
In this section, based on CDHP and DLP in ROM, our PMRCHS and CPHAS schemes proved to be confidential and unforgeable. The security proof of the CPHAS scheme is similar to that of the PMRCHS scheme. Hence, we only proved the security of the proposed PMRCHS by the following theorems.

Theorem 1 (IND-CCA2-1):
Assuming that there is an IND-CCA2-1 adversary A 1 for q i (i = 1, 2, 3, 4) hash queries under the ROM [36] with q puk public key queries, q ppk partial private key queries of the CLC cryptosystem, q sv secret value queries in the CLC cryptosystem, q pk private key queries in the CLC cryptosystem, q pkr public key replacement queries, q sc signcryption queries, q dsc unsigncryption queries in polynomial time, as well as win the game with a nonnegligible advantage ξ against the IND-CCA2-1 security of the PMRCHS scheme, there is a challenger C that can solve the CDHP problem with probability ξ * . This advantage [6] is Proof: To solve a random CDHP instance (P, aP, bP), C as the challenger interacts with A 1 as a subprogram in the game. A 1 queries H 1 using ID i , i ∈ {1, 2, . . . , n} before making other queries.
Initialization: The challenger C executes the initialization algorithm and returns to the adversary A 1 the system parameters params = {G 1 , P, P pub , H 1 , H 2 , H 3 , H 4 , n,  is queried, C queries LK p for tuples (ID i , x pi , pk pi ), and returns x pi and pk pi as a response to A 1 . 6) CLC-Partial-Private-Key-Queries: When the partial private key of the identity ID i is queried, C responds as follows.
pk cli ) by querying LK c , and returns the partial private key d i as a response to A 1 . 7) CLC-Private-Key-Queries: When the private key of identity ID i is queried, C responds as follows. b) If the public key of ID i does not exist and ID i = ID * i , C randomly selects x ci ∈ Z * q and γ * i ∈ Z * q , and an unknown number b to calculate bP ∈ G 1 . C then computes pk * c1i = bP, . c) If the public key of ID i does not exist and ID i = returning the generated (γ i , B i , pk c1i ). 9) CLC-Public-Key-Replacement-Queries: A 1 selects the identity ID i for public key replacement and replaces pk cli to pk * cli . Then, C updates list LK c by adding (ID * i , ⊥, ⊥, γ i , B i , pk * cli ). 10) Signcrypt-Queries: Assuming that ID S and ID R i are sender and receiver identities, respectively. Then, when (σ, ID S , ID R i ) signcryption is received, challenger C returns the following response. a) If ID S = ID * i , C executes the signcryption algorithm normally and returns the result to p ) from LK p and LK c lists, and performs the following steps to generate ciphertext. i) Select a number randomly 2 x + · · · + a i,n x n−1 , i = 1, 2, . . . , n; a i,1 , . . . , a i,n ∈ Z q . vii) Compute T i = n j=1 a j,i v j , i = 1, 2, . . . , n; T = {T 1 , T 2 , . . . , T n }. The ciphertext is σ = (c, u, R 2 , T). 11) Unsigncrypt-Queries: When receiving an unsigncryption query about (σ, ID S , ID R i ), challenger C returns the following response. a) If ID S = ID * i , C executes the signcryption algorithm normally and returns the result to A 1 . b) If ID S = ID * i , C queries h 3i and h 4i from L 3 and L 4 lists, respectively, and then performs the following steps.
Otherwise, return ⊥. Challenge Phase: First, adversary A 1 generates two plaintexts m 0 and m 1 of equal length, and challenges the target identities ID * S and ID * R i . At this stage, the adversary A 1 cannot replace the public key of ID * R i and query d * i and x * ci . C aborts the game if ID * R i = ID * i . Otherwise, it obtains the public key of ID * S , sets the receiver's public key to bP, and selects R ∈ G 1 , B i ∈ G 1 , and pk c1i ∈ G 1 at random. Second, C randomly selects k * ∈ Z * q and u * ∈ Z * q , and sets R * 1 = aP and pk * c1i = bP. Then it randomly selects γ * i ∈ {0, 1} n , h * 3 ∈ {0, 1} n and u ∈ {0, 1}, and sets c * = (ID * S ||m u ) ⊕ H * 3 . Subsequently, C computes the following.
. Phase 2: The A 1 queries in this phase are similar to those in Phase 1 with the exception that they require consideration of adversary A 1 's features. The private key of the receiver ID * R i cannot be accessed by A 1 . If the receiver's public key ID * R i is replaced before the challenger, A 1 can not perform partial private key queries on ID * R i or unsigncryption queries on (σ * , ID * S , ID * R i ). Guess: Given (P, aP, bP), depending on the results of the challenge phase, get R * 1 = aP, pk * c1i = bP, v * i = k * P 1 + k * pk * c1i + B i + γ * i P pub . As a response to the CDHP instance, Probability Analysis: According to the above discussion, there are following four cases that C will abort the game. E 1 : The probability of A 1 asking the partial private key of ID * i is (q ppk /2 l ). E 2 : The probability of A 1 asking the private key of ID * i is (q pk /q 1 ). E 3 : During the challenge phase, the probability that A 1 does not choose ID * i as the receiver's identity is (1 − [1/q 1 ]). E 4 : The maximum probability of the aborts of the unsigncryption query is (q dsc /2 l ) because C rejects a valid cipher-text at some point. Only when C does not abort the game can CDHP be solved. Therefore, the probability of C dealing with a CDHP instance is Pr The probability that C randomly selects B i from L 1 is (1/q 1 ).
In summary, the probability of C solving CDHP is

Theorem 2 (IND-CCA2-2):
Under the ROM, assuming that there is an IND-CCA2-2 adversary A 2 conducting a query similar to that in Theorem 1 in polynomial time and winning the game with a nonnegligible probability ξ , then there is a challenger C that can solve the CDHP problem with probability ξ * calculated as Phase 1: In this phase, the hash oracles H 1 , H 2 , H 3 , and H 4 and the key extraction oracles are similar to Theorem 1. Also, the security proof is similar to those of Theorem 1. A 2 can obtain the master key s, but cannot replace the public key of the user.
Phase 2: In this phase, A 2 carries out queries similar to those Phase 1. However, it is necessary to consider the adversary's features, which is that A 2 cannot query the private key of the receiver ID * R i and (σ * , ID * S , ID * R i ) for unsigncryption. Guess: This guess phase is similar to that of Theorem 1. Probability Analysis: According to the above discussion, there are the following three cases where C will abort the game. E 1 : The probability of A 2 querying the private key of ID * i is (q pk /q 1 ). E 2 : During the challenge phase, the probability that A 2 does not choose ID * i as the receiver's identity is (1 − 1 q 1 ). E 3 : Because C rejects a valid ciphertext at a certain time, the maximum probability of the aborts for unsigncryption query is (q dsc /2 l ). Only when C does not abort the game can CDHP be solved. Therefore, the probability of C dealing with a CDHP instance is Pr Overall, the probability of C solving CDHP is

B. Unforgeability
Theorem 3 (EUF-CMA): Assuming that an adversary F can attack the EUF-CMA of the PMRCHS scheme with a nonnegligible advantage ξ after q i (i = 1, 2, 3, 4) times of hash queries, q puk times of PKI public key queries, and q sc times of signcryption queries under the ROM, then there exists a challenger C who can solve the DLP problem with advantage ξ * , calculated as ξ * = (ξ/q 2 1 )(1 − [q puk /q 1 ])(1 − [q sc /2 l ]). Proof: Suppose a challenger C receives a DLP random instance (P, aP), the purpose of which is to compute a, C as a challenger in the game regards F as a subroutine in the game to interact with. Before querying other oracles, F uses ID i to perform H 1 queries.
Initialization: C executes the initialization algorithm and returns to F the system parameters {G 1 , P, P pub , n, l, H 1 , H 2 , H 3 , H 4 }. The challenger identity ID * i , i ∈ {1, 2, . . . , q 1 } is selected by C from the challenger (ID * 1 , ID * 2 , . . . , ID * q1 ), but ID * i is not leaked to F. To avoid discontinuous responses to F queries, C keeps an initially empty list set {L 1 , L 2 , L 3 , L 4 , LK p , LK c }, which are used to track the H 1 , H 2 , H 3 , and H 4 hash oracles and key extraction oracles, respectively.
Training: F performs adaptive queries in this phase as in Theorem 1.
Forgery: F generates a forgery (σ * , ID * S , ID * R i ) after the training. However, F cannot perform private key queries for ID * S , public key replacement queries, partial private key queries, or signcryption queries for ID * R i during the training period.
1) If ID * S = ID * i , C aborts the game. 2) If ID * S = ID * i , C queries γ * i , B * i , pk * c1i and R through lists L 1 and LK c to obtain apk c1i  Probability Analyses: The probability of C successfully solving the DLP problem can be obtained through probability analysis. In summary, C will abort the game given the probabilities of the following three cases. E 1 : The probability of F asking private key of ID * i is (q pk /q 1 ). E 2 : In the forgery phase, F does not select ID * i as a sender with the probability (1 − [1/q 1 ]). E 3 : C aborts the game due to hash collision and the maximum probability is (q sc /2 l ). Only if C does not abort the game can the DLP be solved. The probability that C does not aborts the game is Pr ). In addition, the probability that C correctly guesses the hash value is (1/q 1 ). In conclusion, the probability of C solving the DLP is

A. Performance Evaluation
In this section, we evaluate the performance of the proposed PMRCHS and CPHAS in terms of computational efficiency, communication overhead, and anonymity. We compare the proposed work with previous methods in [6], [19], and [20] to assess its accuracy, validity, and reliability. In the table, n denotes the number of user identities in the systems. For the purposes of calculating computation costs, the following four time-related metrics have been considered as follows.  Table I shows the results of the computation cost comparison between the PMRCHS work and other existing works. The multireceiver heterogeneous signcryption methods are described in [19] and [20]. Liu et al. [6] is a one-to-one heterogeneous signcryption scheme. In the signcryption and unsigncryption algorithms, [19], [20] utilizes the bilinear pairings in Table I. Furthermore, [19] adopts the exponentiation operation, significantly increasing the computation time. The scheme in [6] has high computation efficiency in the oneto-one communication of a single message. However, during the one-to-many communication of a single message, its computation cost surges remarkablely with increasing number of receivers. As seen from Table I, the paring and exponentiation operations have not been utilized in the overall algorithm of our proposed work. Therefore, the proposed PMRCHS requires less computation overhead. Table II shows the comparison results of performance in terms of communication overhead, anonymity, and communication direction. Because [19] and [20] schemes in Table II both contain ciphertext elements in group G 2 , which significantly increases communication overhead, our proposed PMRCHS has less communication overhead. Our proposed PMRCHS and the scheme in [19] adopt the Lagrange interpolation formula to achieve the anonymity of the receiver, but in [19] and [20] cannot realize the anonymity of the sender. The PMRCHS algorithm simultaneously achieves the anonymity of the sender and the receiver. Hence, the PMRCHS work not only improves the computation efficiency but also provides a better privacy-preserving mechanism, which is able to realize secure communication in different 5G network slicings.
We compare the proposed CPHAS to previous works in terms of their computation cost, communication overhead, anonymity, and communication direction in Tables III and IV. Liu et al. [6] implemented one-to-one heterogeneous signcryption, and other schemes achieve many-to-one heterogeneous signcryption. The two aggregate signcryption schemes in [20] utilize more bilinear pairing and exponentiation during the algorithm process, which significantly increased the computational complexity. The protocol in [6] has high computational efficiency in the one-to-one communication of a single a message. Whereas, during the many-to-one communication  of a single message, its computation overhead dramatically increases with increasing number of receivers. Table III shows that the proposed CPHAS has a greater advantage in computation cost during the signcryption and unsigncryption phases. It is obvious from Table IV that the CPHAS has minimum communication overhead and can guarantee the anonymity of both participants. In short, our proposed methods outperform all the existing methods, which are effective for the practical application of 5G network slicings.

B. Experimental Analysis
We performed a simulation for the quantitative analysis of our proposed work. This was carried out using the pairingbased cryptography (PBC) library in Ubuntu10, with the Linux operating system of a Lenovo laptop equipped with an Intel  The computation overhead is analyzed by varying the number of receivers to 10, 20, 30, 40, 50, 60, 70, 80, 90, and 100, respectively. All results are based on the average running time of 100 trials. A comparison between PMRCHS and other previous schemes in terms of key generation, signcryption, and unsigncryption is shown in Figs. 4-6. It is can be seen from Fig. 4 that the schemes in [6], [19], and [20] spend much more time on key generation algorithms than the PMRCHS. It can also be seen from Figs. 5 and 6 that PMRCHS has the least computation overhead during signcryption and unsigncryption. For example, during the signcryption phase, when the number of receivers is 30, the running time of the proposed PMRCHS is 48.271 ms. However, [6], [19], [20] take 589.693,  336.454, 314.750 ms, respectively. Therefore, we conclude that the proposed PMRCHS has more advantages.
The computation time is compared by varying the number of senders. The number of senders as 10, 20, 30, 40, 50, 60, 70, 80, 90, and 100, respectively. The experimental results are based on the average running time of 100 trials. We compare CPHAS and other preexisting schemes in terms of key generation, aggregate signcryption, and aggregate unsigncryption in Figs. 7-9. It can be seen from Fig. 7 that the computation time of the key generation algorithm in [6] is far higher than that of our proposed CPHAS. In addition, since the scheme in [20] realizes the communication between PKI and IBC. However, more parameters are required to be generated when the proposed CPHAS scheme implements communication between PKI and CLC. Consequently, that takes less time than our proposed scheme. Figs. 8 and 9 show that the proposed CPHAS requires less computational time than the other algorithms in [6] and [20] during both the signcryption and unsigncryption phases. For example, during the aggregate signcryption phase, when the number of senders is 50 [6], the MOHSC-I in [20], and the MOHSC-II in [20]  From all the above-mentioned schemes, we conclude that both the proposed PMRCHS and CPHAS have outstanding performance. Meanwhile, a lot of new features are added compared with the existing heterogeneous signcryption based on 5G network slices.

VII. CONCLUSION
In this article, we propose two schemes for heterogeneous signcryption between different 5G network slicings under PKI and CLC, which present PKI→CLC completely anonymous multireceiver signcryption (PMRCHS) and CPHAS schemes, proving that our proposed scheme satisfies confidentiality, unforgeability, and anonymity. Through performance analysis, we can draw a conclusion that our proposed scheme is more reliable, efficient, and secure. In summary, it is obvious that our proposal is more suitable for 5G network slicings. In a future work, our proposed scheme will be applied to secure communications between various 5G network slicings and more practical application scenarios.
Ying Hu was born in Baiyin, Gansu, China, in 1998. She received the bachelor's degree from the School of Computer Science and Engineering, Northwest Normal University, Lanzhou, China, in 2020, where she is currently pursuing the master's degree.
Her research interests include searchable encryption and edge computing.
Siwei Zhou was born in Hanzhong, Shanxi, China, in 1997. She received the bachelor's degree from the School of Computer Science and Technology, Xi'an University of Finance and Economics, Xi'an, China, in 2020. She is currently pursuing the master's degree with the College of Computer Science and Engineering, Northwest Normal University, Lanzhou, China.
Her research interests include Internet of Vehicles and privacy protection.
Caifen Wang received the Ph.D. degree in cryptography from Xidian University, Xi'an, China, in 2003.
She is currently a Professor of Computer Science with Shenzhen Technology University, Shenzhen, China. Her current research interests include network security, cryptographic protocols, and security engineering.
Prof. Wang is a member of the Chinese Cryptology and Information Security Association.