
A Novel Certificateless Signature Scheme for Smart Objects in the Internet-of-Things.

Kuo-Hui Yeh, Chunhua Su, Kim-Kwang Raymond Choo, Wayne Chiu

Abstract

Rapid advances in wireless communications and pervasive computing technologies have resulted in increasing interest in and popularity of the Internet-of-Things (IoT) architecture, ubiquitously providing intelligence and convenience to our daily life. In IoT-based network environments, smart objects are embedded everywhere as ubiquitous things connected in a pervasive manner. Ensuring security for interactions between these smart things is significantly more important, and a topic of ongoing interest. In this paper, we present a certificateless signature scheme for smart objects in IoT-based pervasive computing environments. We evaluate the utility of the proposed scheme on IoT-oriented testbeds, i.e., Arduino Uno and Raspberry PI 2. Experiment results demonstrate the practicability of the proposed scheme. Moreover, we revisit the scheme of Wang et al. (2015) and reveal that a malicious super type I adversary can easily forge a legitimate signature to cheat any receiver as he/she wishes in that scheme. The superiority of the proposed certificateless signature scheme over relevant studies is demonstrated in terms of the summarized security and performance comparisons.


Keywords:  Internet-of-things (IoT); certificateless signature; security; sensors

Year: 2017    PMID: 28468313    PMCID: PMC5469524    DOI: 10.3390/s17051001

Source DB: PubMed    Journal: Sensors (Basel)    ISSN: 1424-8220    Impact factor: 3.576


1. Introduction

Rapid advances in wireless communication and sensing technologies bring universal Internet connectivity, and a more ubiquitous and pervasive computing environment is thus created, called the Internet-of-Things (IoT). Plenty of novel smart objects with specific purposes emerge in IoT to support various innovative applications providing higher intelligence and more convenience to our daily life. Since IoT has attracted significant attention as a key step in furthering intelligent human life in the future, IoT is definitely one of the most promising network paradigms of the current computing generation. In an IoT environment, numerous smart objects, such as customized sensors or wearable intelligent devices, can be used to sense, collect, transmit, and disseminate data from the field to a server or other smart things. Unsurprisingly, IoT has wide industrial and individual applications. However, due to the amount and nature of the data and the potential for exploitation, it is essential to ensure the security of both data-in-transit and data-at-rest [1,2,3,4]. In addition, the heterogeneous nature of the IoT network and the presence of (a large number of) specific-purpose sensors embedded within the smart objects complicate efforts to offer effective security. One particular research challenge is to balance the tradeoff between performance efficiency and system security when designing security solutions for smart objects in IoT-based networks. In the literature, researchers have dedicated significant effort to refining traditional security techniques as system security solutions for IoT-based network architectures, such as authentication [5,6,7,8,9], signcryption [10,11,12,13], and certificateless digital signature [14,15]. First of all, due to the limited processing capability of smart objects, the design of lightweight authentication has been thoroughly investigated as a critical security component in IoT-based network systems.

In this category of study, lightweight but robust crypto-modules, such as one-way hash functions, are embedded into the operation and communication of resource-constrained IoT-based objects to support the security of applications operated by objects and backend servers (from service providers). This line of work simultaneously focuses on the computation efficiency and communication robustness of object-to-object and object-to-server data exchange procedures. Secondly, the signcryption technique combines the merits of encryption and digital signature. Most critical security requirements, such as confidentiality, integrity, unforgeability, and non-repudiation, can be guaranteed in a single logical step. It enjoys better security robustness than other kinds of single-crypto-based security mechanisms. Thirdly, the refinement of certificateless digital signatures for protecting IoT-based networks has been studied because it relieves the difficult certificate management of traditional public key infrastructure. Relying on a trusted third party, certificateless public key cryptography lets users establish a private key and the corresponding public key. It is, thus, more suitable for IoT-based network architectures since there is no need to maintain a centralized server for key/certificate management. In addition, with this decentralized structure, it is believed that higher efficiency can be achieved, since there are fewer limitations on implementing security mechanisms in IoT. Existing certificateless signature schemes can be broadly categorized into schemes with and without bilinear pairing. It has been proven that bilinear pairing is less efficient than ECC (elliptic curve cryptography) point-based crypto-operations in terms of computation cost [16], although the use of bilinear pairing results in shorter signatures.

The latter property makes the bilinear pairing-based approach particularly suitable for bandwidth-limited networks, such as traditional wireless sensor networks. Nevertheless, owing to the recent advancements in communication technologies, including those for sensors, the communication environment for existing IoT-based sensors is not as limited by bandwidth restrictions as before. Various techniques, such as Bluetooth Low Energy, LoRa, and Zigbee, have been leveraged to build IoT-based communication networks which are bandwidth-guaranteed during sensor-to-server message transmission. Hence, in the design of an efficient and secure certificateless signature scheme for IoT-based smart objects, we argue that computation efficiency takes priority over communication efficiency. Based on the above observations, in this paper we focus on the design of a certificateless signature scheme with ECC point-based crypto-operations for IoT-based network environments. The rest of the paper is organized as follows. Section 2 presents relevant background materials. In Section 3, we present the proposed certificateless signature scheme for IoT-based smart objects. We then provide the security analysis and the system implementation of our proposed scheme in Section 4 and Section 5, respectively. In Section 6, we review related work and present a comparative summary, in terms of security and performance. Finally, we conclude the paper in Section 7.

2. Preliminary

The objective of this study is to propose a robust and efficient certificateless signature scheme with ECC point-based crypto-operations. ECC is one kind of public key cryptography (PKC)-based technique, based on the algebraic structure of elliptic curves over finite fields. Normally, ECC requires a smaller key size than other PKC-oriented approaches to provide an equivalent security level. For example, it is generally thought that the same security is delivered by a 256-bit elliptic curve and 3072-bit RSA. Hence, to enjoy higher computation efficiency, we integrate the ECC crypto-technique into our proposed certificateless signature scheme. Furthermore, since the robustness of the proposed scheme is based on the hardness of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP), we present the definition of ECDLP in the following. Let the notation denote an elliptic curve over a prime finite field , defined by an equation: , where are constants such that . All points P = (x, y) on E and the infinity point O form a cyclic group G under the operation of point addition R = P + Q defined by the chord-and-tangent rule. In addition, t · P = P + P + … + P (t times) is defined as scalar multiplication, where P is a generator of G with order n. The ECDLP is: given a group G of elliptic curve points with prime order n, a generator P of G and a point x · P, it is computationally infeasible to derive x, where . The robustness of the proposed certificateless signature scheme is based on the intractability of ECDLP.

Next, for a better understanding of our proposed scheme, we present the general concepts of certificateless signature. A certificateless signature scheme generally consists of six phases, i.e., Setup, PartialPrivateKeyExtract, SetSecretValue, SetPublicKey, Sign, and Verify [17]. Note that the four phases Setup, PartialPrivateKeyExtract, SetSecretValue, and SetPublicKey can be treated as a pre-processing stage. In the following, we briefly review the normal process of a general certificateless signature scheme (Figure 1).

Figure 1. The normal process of a general certificateless signature scheme.

Step 1 (Setup phase): A trusted KGC (key generation center) generates a master secret key , a corresponding master public key and a set of public parameters, i.e., .
Step 2 (PartialPrivateKeyExtract phase): With the master secret key , and the user i's identity , KGC generates a partial secret key for the user i.
Step 3: KGC sends to the user i.
Step 4 (SetSecretValue phase): Upon receiving , the user i examines the correctness of . If it holds, the user i randomly selects a value as his/her secret. Otherwise, the session is terminated.
Step 5 (SetPublicKey phase): With and , the user i generates and outputs his/her public key .
Step 6 (Sign phase): With the message m, this phase outputs a signature which is based on m, and .
Step 7: The user i sends to the verifier.
Step 8 (Verify phase): With the signature of the message m, the verifier examines the correctness of . If the examination holds, the signature is valid. Otherwise, the session is terminated.

3. The Proposed Certificateless Signature Scheme for IoT-Based Smart Objects

In this section, we propose a new certificateless signature scheme with ECC point-based crypto-operations. The security of the scheme assumes the intractability of ECDLP. In the following, we present the proposed scheme consisting of two phases, i.e., the Pre-processing phase and Sign/Verify phase. Note that three entities, i.e., KGC, the signer and the verifier, are involved. Pre-processing phase (Figure 2):
Figure 2. Pre-processing phase of the proposed certificateless signature scheme.

Steps 1–4: KGC generates a group G of elliptic curve points with prime order n and determines a generator P of G. Then, KGC chooses a master key and a secure hash function . Next, KGC calculates a master public key . Eventually, KGC publishes and keeps securely. Next, given , and the identity of user i, KGC generates a random number , and calculates , and mod n.
Steps 5–6: KGC returns a partial private key to the user i, who checks the validity of via whether the equation mod n holds or not. The correctness of is presented as follows:
Steps 7–8: If it holds, the user i picks a random number as his/her own secret value. Otherwise, the session is terminated. Then, given and , the user i computes as his/her public key.

Sign/Verify phase (Figure 3):
Figure 3. Sign/Verify phase of the proposed certificateless signature scheme.

Steps 1–3 (Sign): Given , , and a message m, the user i first chooses a random number . Then, the user i computes , and mod n. Note that the computation of is performed in the Pre-processing phase and thus its cost can be removed. Finally, the user i outputs as the signature of the message m.
Steps 4–5 (Verify): Given , , , and , the verifier first computes and . Next, the verifier examines if holds. The signature is accepted if the equation holds. The correctness of the signature is presented as follows:
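The following is an added worked example, not code from the paper or its authors, that puts the six-phase structure of Section 2 and the Pre-processing and Sign/Verify phases above into runnable form. It is reconstructed from the three relations that appear in Table 2, namely the partial-key check s_i·P = R_i + h_i·PK_KGC, the signing equation τ_i = t_i + k_i(x_i + s_i) mod n, and the verification equation τ_i·P = T_i + k_i(PK_i + h_i·PK_KGC). Everything else is an assumption and is marked as such in the code: the public key is taken as PK_i = x_i·P + R_i (the form under which the verification equation holds), the hash inputs h_i = H(ID_i ‖ R_i) and k_i = H(m ‖ ID_i ‖ T_i ‖ PK_i) are chosen here, and the curve is secp256k1 rather than the 192/384-bit NIST curves used on the testbeds. SHA-3-512 is used as in the paper.

```python
import hashlib
import secrets

# Curve parameters. ASSUMPTION: the paper's testbeds use 192/384-bit NIST prime
# curves; secp256k1 (y^2 = x^3 + 7 over F_p) is used here only because its
# parameters are widely known, which keeps the example self-contained.
# P is the field prime, N the prime order of generator G; O (infinity) is None.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Chord-and-tangent point addition in affine coordinates (Section 2)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 = -p2, result is O
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent rule (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord rule
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Scalar multiplication k*pt by left-to-right double-and-add."""
    acc = None
    for bit in bin(k % N)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc


def encode(pt):
    """Fixed-width encoding of a point (x || y) for hashing."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def hash_to_scalar(*parts):
    """SHA-3-512 (the paper's hash) over the concatenated parts, reduced mod n."""
    return int.from_bytes(hashlib.sha3_512(b"".join(parts)).digest(), "big") % N


def h_of(ident, R):
    # ASSUMPTION: h_i = H(ID_i || R_i); the paper's exact hash input is not given here.
    return hash_to_scalar(b"h", ident, encode(R))


def k_of(msg, ident, T, pk_i):
    # ASSUMPTION: k_i = H(m || ID_i || T_i || PK_i), binding the signature to the signer.
    return hash_to_scalar(b"k", msg, ident, encode(T), encode(pk_i))


def rand_scalar():
    return secrets.randbelow(N - 1) + 1               # uniform in [1, n-1]


# Pre-processing phase (Figure 2)
def kgc_setup():
    """Steps 1-4: master key s and master public key PK_KGC = s*P."""
    s = rand_scalar()
    return s, ec_mul(s, G)


def kgc_partial_key(s, ident):
    """Steps 1-4: R_i = r_i*P, h_i = H(ID_i, R_i), s_i = r_i + h_i*s mod n."""
    r = rand_scalar()
    R = ec_mul(r, G)
    return R, (r + h_of(ident, R) * s) % N


def check_partial_key(ident, R, s_i, pk_kgc):
    """Steps 5-6: the user accepts s_i only if s_i*P = R_i + h_i*PK_KGC (Table 2)."""
    return ec_mul(s_i, G) == ec_add(R, ec_mul(h_of(ident, R), pk_kgc))


def set_keys(R):
    """Steps 7-8: secret value x_i and public key PK_i = x_i*P + R_i (assumed form)."""
    x = rand_scalar()
    return x, ec_add(ec_mul(x, G), R)


# Sign/Verify phase (Figure 3)
def sign(msg, ident, x, s_i, pk_i):
    """Steps 1-3: T_i = t_i*P, tau_i = t_i + k_i*(x_i + s_i) mod n (Table 2)."""
    t = rand_scalar()
    T = ec_mul(t, G)
    tau = (t + k_of(msg, ident, T, pk_i) * (x + s_i)) % N
    return T, tau


def verify(msg, ident, R, pk_i, pk_kgc, sig):
    """Steps 4-5: accept iff tau_i*P = T_i + k_i*(PK_i + h_i*PK_KGC) (Table 2)."""
    T, tau = sig
    rhs = ec_add(T, ec_mul(k_of(msg, ident, T, pk_i),
                           ec_add(pk_i, ec_mul(h_of(ident, R), pk_kgc))))
    return ec_mul(tau, G) == rhs


if __name__ == "__main__":
    ident = b"sensor-0001"                            # constructed sample identity
    s, pk_kgc = kgc_setup()
    R, s_i = kgc_partial_key(s, ident)
    assert check_partial_key(ident, R, s_i, pk_kgc)   # Steps 5-6 must pass
    x, pk_i = set_keys(R)
    sig = sign(b"temp=21.5C", ident, x, s_i, pk_i)    # constructed sample reading
    print(verify(b"temp=21.5C", ident, R, pk_i, pk_kgc, sig))   # True
    print(verify(b"temp=99.9C", ident, R, pk_i, pk_kgc, sig))   # False
```

Two points worth noting from running it: the verifier recomputes h_i from (ID_i, R_i), so R_i has to be published alongside PK_i and PK_KGC (matching the inputs listed for Steps 4–5), and the Steps 5–6 check is what stops a signer from silently accepting a corrupted or substituted partial key, since a wrong s_i fails s_i·P = R_i + h_i·PK_KGC before any signature is produced with it.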

4. Security Analysis

We will now define the adversary model we used to prove the security of our scheme, prior to presenting the security analysis.

4.1. Adversary Model for Certificateless Signature

In the proposed certificateless signature scheme, we consider type I and type II adversaries as defined in [18]. Due to the lack of certificate verification, it is possible for adversaries to replace an entity's public key with one of their choice. Therefore, the type I adversary models an external adversary capable of replacing any entity's public key with specific values chosen by the adversary itself. Nevertheless, the type I adversary does not know the private key of KGC. On the other hand, the type II adversary models a malicious KGC who is able to access the master key, but cannot replace the public keys of other entities. In addition, type I and II adversaries can be further classified into three categories of power levels [17,19], i.e., normal adversary, strong adversary, and super adversary. A normal-level adversary only has the ability to learn a valid verification message. A strong-level adversary is able to replace a public key in order to forge a valid verification message when the adversary possesses a corresponding private value. A super-level adversary is able to learn valid verification messages for a replaced public key without any submission. Normally, the super adversary may issue the following queries.

: The oracle takes as input a query , where is the party 's identity, and then runs the algorithms PartialPrivateKeyExtract, SetSecretValue, and SetPublicKey to obtain the partial private key , the secret value , and the public key .
: The oracle takes as input a query . It browses the list and returns the party 's public key .
: The oracle takes as input a query . This oracle replaces the party 's public key with and updates the corresponding information in the list .
: The oracle takes as input a query . It browses the list and returns the secret value . However, if the party has been asked the query, it returns .
: The oracle takes as input a query . It then browses the list L and returns the partial private key .
: The oracle takes as input a query , where denotes the message to be signed. This oracle outputs a signature such that . If the public key has not been replaced, i.e., , is the public key returned from the oracle . Otherwise, , where is the latest public key value submitted to the oracle .

The following two games, i.e., Games 1 and 2, are against super type I and type II adversaries, respectively. The type I adversary models an external adversary who is able to replace any entity's public key with specific values chosen by the adversary itself. On the other hand, the type II adversary simulates a malicious KGC who holds the master key and might engage in adversarial activities, such as eavesdropping on signatures and asking signing queries.

Game 1. This game is performed between a challenger C and a super type I adversary interacting within the proposed certificateless signature scheme. First, in the "Initialization" stage, the challenger C runs the Setup algorithm and generates a private key , and public system parameters . Next, C keeps , but gives to the adversary . Second, in the "Query" phase, can adaptively access the oracle queries , , , , and of C, where t may be the user i. After all necessary queries have been asked, outputs a forged signature . wins in Game 1 if the following three conditions hold:
(1) has never queried the oracle .
(2) has never queried the oracle .
(3) true ← Verify(m, σ, params, ID, PK), where PK is the current public key of party t and it may have been replaced by SA.
The proposed certificateless signature scheme is existentially unforgeable against a super type I adversary if runs in polynomial time , makes at most queries to the oracle , queries to the oracle , queries to the oracle , queries to the oracle , queries to the oracle , queries to the oracle and queries to the oracle , and is negligible, where is the success probability that wins in Game 1.

Game 2. This game is performed between a challenger C and a super type II adversary interacting within the proposed certificateless signature scheme. First, in the "Initialization" phase, the challenger C runs the Setup algorithm and generates a private key , and public system parameters . Then, C keeps , but gives to the adversary . Second, in the "Query" phase, can adaptively access the oracle queries , , , , and of C, where t may be the user i. After all necessary queries have been asked, outputs a forged signature . wins in Game 2 if the following three conditions hold:
(1) has never queried the oracle .
(2) has never queried the oracle .
(3) true ← Verify(m, σ, params, ID, PK), where is the original public key of the party.
The proposed certificateless signature scheme is existentially unforgeable against a super type II adversary if runs in polynomial time , makes at most queries to the oracle , queries to the oracle , queries to the oracle , queries to the oracle , queries to the oracle , queries to the oracle and queries to the oracle , and is negligible, where is the success probability that wins in Game 2.

4.2. Formal Analysis

Assuming the hardness of solving ECDLP, we prove that our proposed scheme is existentially unforgeable against the super type I adversary and the super type II adversary, respectively.

Theorem 1. The proposed certificateless signature scheme is existentially unforgeable against a super type I adversary in the random oracle model, assuming the hardness of solving ECDLP. That is, if there exists a super type I adversary who can submit queries to random oracles and win in Game 1 with probability , then there is an algorithm which can solve a random instance of ECDLP in polynomial time with success probability .

Proof. Let be a super type I adversary which can compromise our proposed certificateless signature scheme with a non-negligible probability . We then construct a polynomial-time algorithm which can utilize to solve ECDLP. At first, contains a hash list and a key list , which are initially empty.

Initialization phase: picks an identity as the challenged identity in Game 1, sets and sends to .

Query phase:
: The oracle takes as input a query . If has been created, nothing happens. Otherwise, runs the algorithms PartialPrivateKeyExtract, SetSecretValue, and SetPublicKey to obtain the partial private key , the secret value and the public key . Next, returns to .
query: When accesses a hash query on , if the list contains , returns to . Otherwise, picks a random number , returns to , and adds to . When accesses a hash query on , if the list contains , returns to . Otherwise, picks a random number , returns to , and adds to .
: Upon receiving a query with an identity from , performs the following steps. If , selects three random numbers , and performs , , , and . Then, adds to list , and and to list , respectively. Finally, returns to . Otherwise, generates three random numbers , and sets , , and . Then, adds to list , and and to list , respectively. Finally, returns to .
: Upon receiving an query for an identity from , performs the following steps. If , stops the session. Otherwise, looks at for . If there exists a record of such a tuple, returns to ; otherwise, makes a query with and returns to accordingly.
: When receives an query for an identity from , looks for in the list . If there is such a tuple, returns to . Otherwise, makes a query and returns to .
: Once receives a query for some from , looks for in the list . If there exists such a record, sets and . Otherwise, makes a query with and then sets and .
: Upon receiving a query with from , looks for and in the lists . Next, generates a random number , and computes and . After that, returns to .

Finally, outputs a forged but valid signature . If , terminates the simulation. Otherwise, looks for , , , and in the lists and . On the other hand, based on the forking lemma [20], if we have the polynomial replay of with the same random tape and different choices of hash oracle, is able to output another two valid signatures. Eventually, we will have three valid signatures, with j = 1, 2, 3, satisfying the equations, i.e., = mod n, where j = 1, 2, 3. Note that winning Game 1 requires that has never queried the oracles and . Based on the above three equations, can derive the three unknown values , and , and outputs as the solution of a random instance of ECDLP. So far, we have shown that can solve the given instance of ECDLP.

Next, we analyze 's success probability of winning in Game 1. The following three events result in 's success:
: does not abort in any of the queries.
: successfully forges a valid signature .
: The forged signature satisfies .
The corresponding probabilities of the above three events are , and , where , and are the numbers of queries, queries and queries. In that case, the probability of solving the given instance of ECDLP is . Clearly, can solve ECDLP with a non-negligible probability because is non-negligible. This contradicts the hardness of ECDLP. ■

Theorem 2. The proposed certificateless signature scheme is existentially unforgeable against a super type II adversary in the random oracle model, assuming the hardness of solving ECDLP. That is, if there exists a super type II adversary who can submit queries to random oracles and win in Game 2 with probability , then there is an algorithm which can solve a random ECDLP instance in polynomial time with success probability .

Proof. We assume that there is a super type II adversary breaking our proposed scheme with a non-negligible probability . Then we want to build a polynomial-time algorithm which uses to solve ECDLP. That is, receives a random ECDLP instance , with 's goal being to derive the secret . Similarly, in the Initialization phase, picks an identity as the challenged identity in Game 2, sets and sends the master key and to . Meanwhile, maintains two lists, i.e., and . Next, in the Query phase, can issue the following oracle queries to . Here, we skip the oracle queries that are the same as those, i.e., , , and , set out in Theorem 1. In addition, simulates the other oracle queries of as follows:
: When makes this query with an identity , acts as follows. If , generates two random numbers , and computes , , mod n and . Then, adds , and to the lists and , respectively. Finally, returns to . Otherwise, selects a random value , and sets , , mod n and . Then, adds , and to the lists and , respectively. Finally, returns to .
: When makes this query with an identity , looks for in . If there exists a record of such a tuple, returns to ; otherwise, makes a query with and returns to accordingly.
: When makes this query with an identity , acts as follows. If , terminates the session. Otherwise, looks for in . If there is such a record, returns to ; otherwise, makes a query with and then returns to .

Finally, outputs a forged but valid signature . If , stops the simulation. Otherwise, looks for and in the list . Based on the forking lemma [20], if we have the polynomial replay of with the same random tape and different choices of hash oracle, can further generate another signature. Eventually, we have two valid signatures, with j = 1, 2, satisfying the equations, i.e., = mod n, where j = 1, 2. Note that winning Game 2 requires that the oracles and have never been queried by . With the above two linear and independent equations, can derive the two unknown values and , and outputs as the solution of the random ECDLP instance .

We then analyze 's success probability of winning in Game 2. We present the events which result in 's success:
: does not abort in any of the queries.
: successfully forges a valid signature .
: The forged signature satisfies .
The probabilities of the above events are , , and , where , , and are the numbers of queries, queries and queries. Hence, the probability of solving the given instance of ECDLP is . Now, is able to solve ECDLP with a non-negligible probability because is non-negligible. This contradicts the hardness of ECDLP. ■
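As an added worked illustration (not part of the paper) of the forking-lemma extraction step used in both proofs, written with the signing equation from Table 2, $\tau_i = t_i + k_i(x_i + s_i) \bmod n$: replaying the adversary with the same random tape fixes $t_i$ (and hence $T_i$), while the different hash-oracle choice yields $k^{(1)} \neq k^{(2)}$, so the two valid forgeries of Game 2 satisfy

$$\tau^{(1)} \equiv t_i + k^{(1)}(x_i + s_i) \pmod n, \qquad \tau^{(2)} \equiv t_i + k^{(2)}(x_i + s_i) \pmod n.$$

Subtracting eliminates the unknown nonce $t_i$:

$$\tau^{(1)} - \tau^{(2)} \equiv \bigl(k^{(1)} - k^{(2)}\bigr)(x_i + s_i) \pmod n,$$

and because $n$ is prime and $k^{(1)} \neq k^{(2)}$, the difference of hash values is invertible modulo $n$:

$$x_i + s_i \equiv \bigl(\tau^{(1)} - \tau^{(2)}\bigr)\bigl(k^{(1)} - k^{(2)}\bigr)^{-1} \pmod n, \qquad t_i \equiv \tau^{(1)} - k^{(1)}(x_i + s_i) \pmod n.$$

These are the "two linear and independent equations" of Game 2. The simulator generated one of the two key components itself during the simulation, so it can subtract that component from $x_i + s_i$ and output the other one, which is where it embedded the ECDLP instance (which component carries the instance is an assumption here; the proof above fixes it). Game 1 proceeds the same way with a third replay, because its simulation leaves three unknowns and therefore needs three independent equations.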

5. System Implementation and Performance Evaluation

To evaluate the performance of the proposed certificateless scheme, we adopt two IoT-based testbeds, i.e., the Arduino Uno and Raspberry PI 2 platforms, as the major evaluation platforms in the experiments. The Arduino Uno is a microcontroller board based on the ATmega328P, i.e., an 8-bit AVR RISC-based microchip with 32 KB EEPROM and 2 KB RAM. It is a tiny platform at very low cost, and thus is suitable for evaluating the performance of IoT-based schemes. On the other hand, the Raspberry PI is a card-sized single-board computer which offers an ARM GNU/Linux kernel, 1 GB RAM and 16 GB storage. Generally speaking, the Arduino Uno platform is usually treated as a resource-constrained device while the Raspberry PI platform is treated as a smart object with more computational power. Hence, in our experiment the Arduino Uno is adopted as the resource-constrained object in IoT networks and the Raspberry PI 2 platform is operated as the smart object (or the mobile IoT-based gateway associated with the resource-constrained objects). The implementation environment is outlined in Table 1. It is known that current techniques for solving ECDLP need steps, which depend on the size of the underlying field. NIST has recommended five levels of prime fields for certain primes n of sizes, i.e., 192, 224, 256, 384, and 512-bit [21], with associated recommended elliptic curves. A prime field is the field , which contains a prime number of elements, and the security strength of which depends on the length of the binary expansion of . Normally, an elliptic curve over , where , can be contrasted with finite-field cryptography (e.g., DSA) with a 3072-bit public key and a 256-bit private key, and integer factorization cryptography (e.g., RSA) with a 3072-bit value of n. Therefore, to strike the best balance between protocol efficiency, security robustness and system scalability, the following two conditions are considered in our system implementation.

Table 1. Implementation environment.

Environment          | Description
Arduino Uno          | Atmel ATmega328P 8-bit 16 MHz AVR architecture; memory 2 KB RAM / 32 KB EEPROM
Raspberry PI 2       | Broadcom BCM2836 @ 1 GHz quad-core ARM Cortex-A7 architecture with 1 GB DDR2 RAM and SanDisk 16 GB Class 10 SD card
Programming Language | (For Raspberry PI 2) Eclipse 3.8 with Oracle Java 8 ARM; (For Arduino Uno) ANSI C
Crypto API           | (For Raspberry PI 2) The Bouncy Castle Crypto APIs [23]; (For Arduino Uno) Fackelmann/SHA3 [24], Kmackay/micro-ecc [25], AESLib [26]
Condition (1). For the Arduino Uno, we adopt elliptic curve points over a prime field with a 192-bit prime , a random number generator with a 96-bit output sequence and a secure one-way hash function, i.e., SHA-3 (512-bit) [22], as the underlying crypto-modules in our proposed certificateless scheme.
Condition (2). For the Raspberry PI 2 platform, the elliptic curve is with a 384-bit prime and the random number generator has a 96-bit output sequence. In addition, SHA-3 (512-bit) is implemented as the one-way hash function.

Table 2 describes the computation cost of our proposed certificateless signature scheme implemented on the Arduino Uno with a 192-bit elliptic curve, a 96-bit random number generator and a 512-bit SHA-3, in terms of the execution time of the required computation components. In the pre-processing phase, we need 4.414 ms for generating four random numbers, 0.2 ms for computing via a SHA-3 operation with a 288-bit input sequence, 14.4 s for calculating the four values , , and via ECC scalar multiplication operations, and 8.64 s for verifying the equation . The total computation cost of the pre-processing phase is 23.044 s. Next, during each normal operation of our proposed scheme, we require 11.537 s and 14.416 s for the sign phase and the verify phase, respectively. In the sign phase, we require 1.104 ms to generate a 96-bit , and 2.88 s and 16.2 ms to compute and , respectively. Note that we assume that the size of the signed message m is 512-bit and, thus, the input sequence of is 1408-bit. Finally, 8.64 s is needed to compute the signature value . On the other hand, in the verify phase, we need 16.4 ms to complete the executions of and , and 14.4 s to verify the equation, i.e., . Thus, we require 25.953 s in total to execute the sign and verify processes of our proposed certificateless signature scheme. According to the above results, the practicability of the proposed scheme under Condition (1) is not convincing.

However, in a general IoT scenario, resource-constrained sensors usually perform a simple task (or command), such as the sensing and transmission of environmental parameters. This kind of data is usually meaningless when it is transmitted alone. Therefore, we argue that only a reasonable security density is required to guarantee basic robustness. Based on our implementation results, we find that the execution of ECC scalar multiplication operations dominates the computation cost of the proposed scheme. For better performance efficiency, we suggest that elliptic curve points with a 64/96/160-bit prime n, a 64/96-bit random number generator and SHA-3 with a 128/256-bit output can be considered in the implementation of practical applications. Table 3 shows the implementation results of the experiment with the elliptic curve with a 160-bit prime n. If we adopt the elliptic curve with a 160-bit prime n, a 96-bit random number generator and SHA-3 with a 512-bit output, around 53% of the computation cost can be removed compared with the case of the 192-bit elliptic curve. That is, as shown in Table 3, we only require 10.812 s, 5.421 s, and 6.771 s for executing the pre-processing phase, the sign phase, and the verify phase of our proposed scheme, respectively. It is believed that the best balance of system robustness and performance efficiency can be achieved by appropriately adjusting the system parameters of the adopted crypto-modules. Furthermore, when higher security robustness is needed, the proposed certificateless signature method can be adopted to support a key exchange (or key agreement) process and produce a session key for later secure communication via symmetric encryption (e.g., the performance of the AES implementation on the Arduino Uno is shown in Table 4). Both higher security and better performance can thus be delivered.

In brief, for resource-constrained devices, we suggest exploiting our proposed certificateless signature mechanism with a 160-bit elliptic curve to construct a robust key exchange (or key agreement) process, and enjoying the performance efficiency of symmetric encryption with an exchanged (or agreed) session key while preserving security. Note that the same security level can be achieved via a 160-bit elliptic curve and 1028-bit RSA, respectively [27].
Table 2. The computation cost of our proposed certificateless signature scheme implemented on the Arduino Uno with Condition (1).

Phase          | Computation Cost                                        | Execution Time | Total
Pre-processing | Generate s, r_i, x_i, ID_i (96-bit)                     | 4.414 ms       | 23.044 s
               | Compute h_i (SHA-3 with 288-bit input sequence)         | 0.2 ms         |
               | Compute PK_KGC, R_i, s_i, PK_i (ECC 192-bit)            | 14.4 s         |
               | Verify s_i P = R_i + h_i PK_KGC (ECC 192-bit)           | 8.64 s         |
Sign           | Generate t_i (96-bit)                                   | 1.104 ms       | 11.537 s
               | Compute k_i (SHA-3 with 1408-bit input sequence) (1)    | 16.2 ms        |
               | Compute T_i (ECC 192-bit)                               | 2.88 s         |
               | Compute τ_i = t_i + k_i(x_i + s_i) (ECC 192-bit)        | 8.64 s         |
Verify         | Compute h_i (SHA-3 with 288-bit input sequence)         | 0.2 ms         | 14.416 s
               | Compute k_i (SHA-3 with 1408-bit input sequence) (1)    | 16.2 ms        |
               | Verify τ_i P = T_i + k_i(PK_i + h_i PK_KGC) (ECC 192-bit) | 14.4 s       |

(1) Suppose the size of message m is 512-bit.

Table 3

The computation cost of our proposed signature scheme implemented on the Arduino Uno with a 160-bit elliptic curve, a 96-bit random number generator, and SHA-3 with 512-bit output.

Phase of the proposed scheme | Total execution time
Pre-processing phase         | 10.812 s
Sign phase                   | 5.421 s
Verify phase                 | 6.771 s
Table 4

The computation cost of AES implemented on the Arduino Uno.

Input sequence of AES                              | Encryption/decryption time
AES-128 with 32/64/128/256-byte input sequence     | 0.63 ms
AES-256 with 32/64/128/256-byte input sequence     | 0.87 ms
Similarly, Table 5 gives the computation cost of the proposed certificateless signature scheme on the Raspberry Pi 2, where the elliptic curve group has a 384-bit prime order n, the random number generator produces 96-bit outputs, and the one-way hash function is SHA-3 with 512-bit output. In the pre-processing phase, 0.276 ms is required for the four random number generations, 0.0051 ms for one SHA-3 operation over a 480-bit input sequence (i.e., h_i), 0.355 ms for computing the four values PK_KGC, R_i, s_i and PK_i via ECC scalar multiplications, and 0.213 ms for verifying the equation s_i·P = R_i + h_i·PK_KGC. In total, the pre-processing phase takes 0.895 ms. The sign and verify phases take 1.549 ms and 1.556 ms, respectively. In the sign phase, 1.336 ms is spent generating the 96-bit t_i and computing k_i and T_i (the input sequence of k_i is 1792 bits, since m is 512 bits), and a further 0.213 ms on computing τ_i = t_i + k_i(x_i + s_i). In the verify phase, 1.2011 ms is spent computing h_i and k_i, and 0.355 ms on verifying the equation τ_i·P = T_i + k_i(PK_i + h_i·PK_KGC). Altogether, the three phases of the proposed scheme take 3.105 ms.
Table 5

The computation cost of our proposed certificateless signature scheme implemented on the Raspberry Pi 2 with Condition (2).

Phase          | Computation cost                                            | Execution time | Total
Pre-processing | Generate s, r_i, x_i, ID_i (96-bit)                         | 0.276 ms       | 0.895 ms
               | Compute h_i (SHA-3, 480-bit input sequence)                 | 0.0051 ms      |
               | Compute PK_KGC, R_i, s_i, PK_i (ECC 384-bit)                | 0.355 ms       |
               | Verify s_i·P = R_i + h_i·PK_KGC (ECC 384-bit)               | 0.213 ms       |
Sign           | Generate t_i (96-bit)                                       | 0.069 ms       | 1.549 ms
               | Compute k_i (SHA-3, 1792-bit input sequence) (1)            | 1.196 ms       |
               | Compute T_i (ECC 384-bit)                                   | 0.071 ms       |
               | Compute τ_i = t_i + k_i(x_i + s_i) (ECC 384-bit)            | 0.213 ms       |
Verify         | Compute h_i (SHA-3, 480-bit input sequence)                 | 0.0051 ms      | 1.556 ms
               | Compute k_i (SHA-3, 1792-bit input sequence) (1)            | 1.196 ms       |
               | Verify τ_i·P = T_i + k_i(PK_i + h_i·PK_KGC) (ECC 384-bit)   | 0.355 ms       |

(1) Assuming the message m is 512 bits long.
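The operations counted in Tables 2 and 5 make up the whole scheme, so they can be exercised end to end. The following is an added example written for this page, not the authors' code: a pure-Python implementation of the pairing-free certificateless signature described by those tables (partial-key extraction and its check, user key setup, sign, verify) over the secp256k1 curve, which stands in for the 160/192/384-bit curves of the experiment. Two points are assumptions rather than statements from the page: the inputs fed to the two hash functions (here h_i = H1(ID_i || R_i) and k_i = H2(m || ID_i || PK_i || R_i || T_i), both SHA3-512 reduced modulo n), and the form of the user public key. The verification equation τ_i·P = T_i + k_i(PK_i + h_i·PK_KGC) can only hold for τ_i = t_i + k_i(x_i + s_i) and s_i = r_i + h_i·s if PK_i already contains R_i, i.e., PK_i = x_i·P + R_i, which the example therefore uses. The identity and message are constructed sample values.

```python
# Added example (not the authors' code): the certificateless signature of
# Tables 2 and 5 over secp256k1; hash layouts and PK_i = x_i*P + R_i are assumptions.
import hashlib
import secrets

# secp256k1 domain parameters (standard public constants)
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def _inv(a):  # modular inverse in F_p via Fermat
    return pow(a % P_MOD, P_MOD - 2, P_MOD)


def point_add(A, B):
    """Affine point addition on y^2 = x^3 + 7 over F_p; covers doubling and infinity."""
    if A is INF:
        return B
    if B is INF:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if A == B:
        lam = 3 * x1 * x1 * _inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def point_mul(k, A):
    """Double-and-add scalar multiplication: the operation that dominates Table 2."""
    R = INF
    k %= N_ORD
    while k:
        if k & 1:
            R = point_add(R, A)
        A = point_add(A, A)
        k >>= 1
    return R


def _enc(pt):  # fixed-width encoding of a point for hashing
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def _hash_to_scalar(*parts):  # SHA3-512 reduced into Z_n
    return int.from_bytes(hashlib.sha3_512(b"".join(parts)).digest(), "big") % N_ORD


def H1(ID, R_i):  # assumed layout: ID_i || R_i
    return _hash_to_scalar(ID, _enc(R_i))


def H2(m, ID, PK_i, R_i, T_i):  # assumed layout: m || ID_i || PK_i || R_i || T_i
    return _hash_to_scalar(m, ID, _enc(PK_i), _enc(R_i), _enc(T_i))


def rand_scalar():
    return secrets.randbelow(N_ORD - 1) + 1


def kgc_setup():  # Setup: master secret s, master public key PK_KGC = s*P
    s = rand_scalar()
    return s, point_mul(s, G)


def partial_private_key_extract(s, ID):  # KGC: R_i = r_i*P, s_i = r_i + h_i*s mod n
    r_i = rand_scalar()
    R_i = point_mul(r_i, G)
    return R_i, (r_i + H1(ID, R_i) * s) % N_ORD


def verify_partial_key(ID, R_i, s_i, PK_KGC):  # user-side: s_i*P == R_i + h_i*PK_KGC
    return point_mul(s_i, G) == point_add(R_i, point_mul(H1(ID, R_i), PK_KGC))


def set_user_keys(R_i):  # SetSecretValue/SetPublicKey: PK_i = x_i*P + R_i (assumed form)
    x_i = rand_scalar()
    return x_i, point_add(point_mul(x_i, G), R_i)


def sign(m, ID, x_i, s_i, PK_i, R_i):  # T_i = t_i*P, tau_i = t_i + k_i*(x_i + s_i) mod n
    t_i = rand_scalar()
    T_i = point_mul(t_i, G)
    k_i = H2(m, ID, PK_i, R_i, T_i)
    return T_i, (t_i + k_i * (x_i + s_i)) % N_ORD


def verify(m, ID, PK_i, R_i, PK_KGC, sig):  # tau_i*P == T_i + k_i*(PK_i + h_i*PK_KGC)
    T_i, tau_i = sig
    h_i = H1(ID, R_i)
    k_i = H2(m, ID, PK_i, R_i, T_i)
    rhs = point_add(T_i, point_mul(k_i, point_add(PK_i, point_mul(h_i, PK_KGC))))
    return point_mul(tau_i, G) == rhs


def demo():
    """Full flow over constructed inputs; returns the outcome of each check."""
    ID = b"sensor-node-0001"              # constructed identity
    m = b"temp=21.5C;hum=40%;seq=17"      # constructed sensor reading
    s, PK_KGC = kgc_setup()
    R_i, s_i = partial_private_key_extract(s, ID)
    x_i, PK_i = set_user_keys(R_i)
    sig = sign(m, ID, x_i, s_i, PK_i, R_i)
    _, PK_other = set_user_keys(R_i)      # a replaced public key for the same R_i
    return {
        "partial_key_ok": verify_partial_key(ID, R_i, s_i, PK_KGC),
        "valid": verify(m, ID, PK_i, R_i, PK_KGC, sig),
        "tampered_message": verify(m + b"!", ID, PK_i, R_i, PK_KGC, sig),
        "replaced_public_key": verify(m, ID, PK_other, R_i, PK_KGC, sig),
    }
```

Calling demo() runs four checks: the partial-key check, a valid signature, the same signature over a tampered message, and the same signature against a replaced public key; only the first two pass. The scalar multiplication here is textbook double-and-add in affine coordinates with a modular inversion at every step, which is exactly why it dominates the cost on a microcontroller; production libraries avoid the per-step inversion with projective coordinates.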

Based on these implementation results, the performance bottleneck is the SHA-3 hash over the 1792-bit input sequence: the two evaluations of k_i account for about 77% (2 × 1.196 ms / 3.105 ms) of the total computation cost, whereas h_i, derived from a 480-bit input, is almost negligible by comparison. This observation prompted a closer evaluation of SHA-3 on the Raspberry Pi 2. Table 6 shows that the cost grows with the number of 576-bit blocks absorbed (576 bits is the rate, i.e., the block size, of SHA-3 with 512-bit output), by roughly 0.4 to 0.5 ms per additional block; an input whose length is an exact multiple of 576 bits still costs one more block because of padding. In other words, SHA-3 favours communication protocols with short messages. In a sensor-based IoT environment the messages handled by sensors are short in any case, owing to power consumption limits, so we argue that the proposed scheme is suitable for current IoT-based communication networks.
Table 6

The computation cost of SHA-3 with different input lengths on the Raspberry Pi 2.

SHA-3 operation                  | Execution time
SHA-3 with 576-bit input sequence  | 0.412 ms
SHA-3 with 1152-bit input sequence | 0.939 ms
SHA-3 with 1728-bit input sequence | 1.194 ms
SHA-3 with 2304-bit input sequence | 1.726 ms
SHA-3 with 2880-bit input sequence | 2.260 ms
SHA-3 with 3456-bit input sequence | 2.407 ms
SHA-3 with 4032-bit input sequence | 2.807 ms
SHA-3 with 4608-bit input sequence | 3.215 ms
SHA-3 with 5184-bit input sequence | 4.084 ms
SHA-3 with 5760-bit input sequence | 4.430 ms
The above results also expose a limitation of our experiment. To examine the practicability of the proposed scheme, we adopted the Arduino Uno and the Raspberry Pi 2 as evaluation platforms, but the crypto-libraries are not consistent across them: the Bouncy Castle Crypto APIs [23] are used on the Raspberry Pi 2, whereas Fackelmann/SHA3 [24], Kmackay/micro-ecc [25] and AESLib [26] are used on the Arduino Uno. Platforms with different processors naturally yield different performance, and a crypto-library may additionally be hand-tuned for a specific processor. In our experiment the Bouncy Castle Crypto APIs are generic libraries for general-purpose processors, while the others ([24,25,26]) are configured specifically for a feasible implementation on the Arduino Uno. The two evaluations are therefore not conducted under the same criteria; they demonstrate the practicability and feasibility of the proposed certificateless signature scheme, but absolute timings should not be compared across the two platforms. Closing this gap is one direction for future research. In addition, to balance performance efficiency and security robustness, we suggest that resource-constrained objects use the proposed scheme with a 160-bit elliptic curve to construct a robust key exchange process supporting subsequent secure communication. Tuning the ECC crypto-module with a 192-bit (or 224/256/384/512-bit) elliptic curve to fit resource-constrained objects is another interesting direction for future research.

6. Related Work

In recent years, the design of certificateless signature schemes without bilinear pairings has been studied extensively: certificateless cryptography removes the key escrow problem of identity-based cryptography, and pairing-free constructions are attractive for environments of resource-limited mobile devices. In this section, we first present the state of the art in certificateless signatures, then reveal a previously unknown weakness in a recent certificateless signature scheme proposed by Wang et al. [28], and finally give a comparative summary of our proposed scheme and related schemes.

6.1. Review of Certificateless Signature Schemes

Since Al-Riyami and Paterson [18] first proposed certificateless public key cryptography in 2003 to solve the key-escrow problem of identity-based public key cryptography, certificateless cryptography has been investigated widely for different network types. In 2007, Huang et al. [17] refined the security model of Al-Riyami and Paterson and introduced type I and type II adversaries with three power levels each, namely normal, strong and super adversaries. They then presented a scheme based on bilinear pairing and proved its security against type I and II adversaries. Later, Gong and Li [29] introduced a provably secure certificateless signature scheme without bilinear pairing, claiming that it is more robust than previous schemes in terms of resilience to super type I and II adversaries. Although a security proof in the random oracle model was given, Yeh et al. [30,31] showed that the scheme is vulnerable to a super type I attacker, contrary to the claims, and proposed a countermeasure that guarantees robustness against super type I and II adversaries. In later work, Wang et al. [28] redesigned the communication procedures of the scheme of Yeh et al. [30,31] to improve computational efficiency; specifically, the costs of some ECC scalar multiplication and point addition operations are removed. However, in the next subsection we reveal that a malicious super type I adversary can easily forge a legitimate signature to cheat any receiver in this scheme.

There have been other attempts to design lightweight certificateless signcryption schemes for low-cost sensors. For example, in 2014 Shi et al. [32] proposed a certificateless signcryption scheme without bilinear pairing and proved its security against type I and II adversaries under the hardness of the discrete logarithm problem. Shingh et al. [14] and Sharma et al. [15] presented RSA-based certificateless signature schemes for wireless sensor networks, integrating RSA into the certificateless setting to secure resource-limited sensors. However, a modular exponentiation in an RSA or discrete-logarithm group is less efficient than a scalar multiplication on an elliptic curve at the same security level [27], so there is room to improve the performance of the schemes in [14,15,32] without invalidating their security claims. Pang et al. [33] presented a bilinear-pairing-based certificateless signature scheme and proved its security in the standard model, but the scheme requires significant computation owing to the pairing. In [16], Tsai proposed a certificateless short signature scheme using bilinear pairing and claimed that it suits low-bandwidth communication environments (or power-constrained devices). However, the tradeoff between communication and computation cost is not rigorously investigated in terms of the power consumption of target devices, so this claim is debatable. Moreover, as discussed earlier, current sensor-based communication environments are far less bandwidth-limited than a decade ago. We therefore posit that computational efficiency should be prioritised over communication efficiency when designing an efficient certificateless signature scheme for IoT-based smart objects.

6.2. Previously Unknown Weakness in Wang et al’s (2015) CLS Scheme

We now revisit Wang et al.'s certificateless signature scheme [28] and demonstrate that the scheme is insecure against a super type I adversary.

Revisiting the scheme. In the Setup phase, the KGC generates a group G of elliptic curve points with prime order n and determines a generator P of G, then randomly selects a master secret key and computes the master public key . The KGC then chooses two secure hash functions and , and publishes the set of system parameters . In the PartialPrivateKeyExtract phase, given , and the user i's identity , the KGC selects a random number , and computes , and mod n. Next, the KGC returns the partial private key to user i. Upon receiving , user i can verify it by checking whether the two values and are identical, since . In the SetSecretValue phase, given , user i randomly selects as his/her secret value. In the SetPublicKey phase, given and , user i computes the public key . In the Sign phase, given , , and a message m, user i selects a random value and outputs a signature consisting of the computed values , and mod n. In the Verify phase, given , , , m and , the verifier computes and , and then checks whether the equation holds; is accepted if it does, i.e., .

Cryptanalysis. Suppose there exists a malicious super type I adversary j who seeks to forge a valid signature on a message m' of j's own choosing. The adversary eavesdrops a valid signature on a message m issued by user i in any previous session, where , , , , , , mod n, and mod n. Being a super type I adversary, j can issue an ExtractSecretValue(i) oracle query and can replace any entity's public key, including the KGC's. With the eavesdropped values , and , and the public values and , the adversary chooses a random number and derives , , and mod n, where the secret is obtained via the ExtractSecretValue(i) oracle query. The adversary j has thus forged a valid signature on the chosen message m', and the verification equation clearly holds. Therefore, resistance to signature forgery cannot be guaranteed in the presence of a malicious super type I adversary.

6.3. Security and Performance Comparative Summary

We now benchmark the security and performance of the proposed certificateless signature against the schemes of Gong and Li [29], Wang et al. [28] and Tsai [16]. From Table 7, our proposed scheme and Tsai's scheme [16] offer the same security level, namely resilience to super type I and II adversaries, whereas Gong and Li's scheme [29] is vulnerable to signature forgery by a super type I adversary [30], as is Wang et al.'s scheme [28] (Section 6.2).
Table 7

A comparative summary: security.

                                      | Gong & Li's scheme [29] | Wang et al.'s scheme [28] | Tsai's scheme [16] | Our proposed scheme
Resistance to super type I adversary  | No                      | No                        | Yes                | Yes
Resistance to super type II adversary | Yes                     | Yes                       | Yes                | Yes
A comparative summary of performance efficiency is presented in Table 8, where the evaluation metrics are the modular inverse operation (T_inv), bilinear pairing operation (T_bp), ECC scalar multiplication of a point (T_em), ECC point addition (T_eadd), modular multiplication (T_m), modular addition (T_add), one-way hash function (T_h), and random number generation (T_g). Our proposed scheme outperforms Gong and Li's scheme [29] and Wang et al.'s scheme [28] by eliminating 1T_em + 1T_m + 1T_eadd + 2T_h and 1T_eadd, respectively. Compared to Tsai's scheme [16], the tradeoff is 1T_em + 1T_add + 1T_g in our scheme against 1T_inv + 2T_bp in Tsai's. Since a bilinear pairing is far more expensive than ECC point operations (scalar multiplication and addition), our proposed scheme is more efficient and practical than Tsai's scheme [16].
Table 8

A comparative summary: performance.

                          | Sign phase                               | Verify phase                       | In total
Gong & Li's scheme [29]   | 1T_em + 2T_m + 2T_add + 2T_h + 1T_g      | 4T_em + 3T_eadd + 3T_h             | 5T_em + 2T_m + 3T_eadd + 2T_add + 5T_h + 1T_g
Wang et al.'s scheme [28] | 1T_em + 1T_m + 2T_add + 1T_h + 1T_g      | 3T_em + 3T_eadd + 2T_h             | 4T_em + 1T_m + 3T_eadd + 2T_add + 3T_h + 1T_g
Tsai's scheme [16]        | 1T_inv + 1T_em + 1T_m + 1T_add + 1T_h    | 2T_bp + 2T_em + 2T_eadd + 2T_h     | 1T_inv + 2T_bp + 3T_em + 1T_m + 2T_eadd + 1T_add + 3T_h
Our proposed scheme       | 1T_em + 1T_m + 2T_add + 1T_h + 1T_g      | 3T_em + 2T_eadd + 2T_h             | 4T_em + 1T_m + 2T_eadd + 2T_add + 3T_h + 1T_g

7. Conclusions

In this paper, we presented a new certificateless signature scheme for IoT-based smart objects, proved its security against super type I and II adversaries, and demonstrated its utility on IoT-oriented testbeds. For passive objects with constrained computation ability and limited power, we argued that the proposed scheme with a 160-bit elliptic curve can be used to construct a key exchange (or key agreement) process with reasonable security robustness; the sign and verify phases then take around 5.421 s and 6.771 s, respectively. For active objects with greater computational power, we suggested using the proposed scheme with at least a 384-bit elliptic curve and SHA-3 (512-bit) to pursue the highest security, since the computation cost is affordable on the Raspberry Pi platform: the sign and verify phases take only 1.549 ms and 1.556 ms, respectively. Moreover, we compared the security and performance of our scheme with those of Gong and Li [29], Wang et al. [28] and Tsai [16], and revealed a previously unknown vulnerability in Wang et al.'s scheme [28], in which a malicious super type I adversary can forge a valid signature on any message and cheat receivers at will.