A Strongly Unforgeable Certificateless Signature Scheme and Its Application in IoT Environments.

Xiaodong Yang1, Xizhen Pei2, Guilan Chen3, Ting Li4, Meiding Wang5, Caifen Wang6.   

Abstract

With the widespread application of the Internet of Things (IoT), ensuring communication security for IoT devices is of considerable importance. Since IoT data are vulnerable to eavesdropping, tampering, forgery, and other attacks during an open network transmission, the integrity and authenticity of data are fundamental security requirements in the IoT. A certificateless signature (CLS) is a viable solution for providing data integrity, data authenticity, and identity identification in resource-constrained IoT devices. Therefore, designing a secure and efficient CLS scheme for IoT environments has become one of the main objectives of IoT security research. However, the existing CLS schemes rarely focus on strong unforgeability and replay attacks. Herein, we design a novel CLS scheme to protect the integrity and authenticity of IoT data. In addition to satisfying the strong unforgeability requirement, the proposed scheme also resists public key replacement attacks, malicious-but-passive key-generation-centre attacks, and replay attacks. Compared with other related CLS schemes without random oracles, our CLS scheme has a shorter private key, stronger security, and lower communication and computational costs.

Keywords:  certificateless signature; data authenticity; data integrity; provable security; strong unforgeability; the Internet of Things

Year:  2019        PMID: 31207962      PMCID: PMC6631681          DOI: 10.3390/s19122692

Source DB:  PubMed          Journal:  Sensors (Basel)        ISSN: 1424-8220            Impact factor:   3.576


1. Introduction

The Internet of Things (IoT) is a self-establishing network of smart devices that are equipped with electronics, sensors, software, and actuators and that are connected via the Internet to generate, collect, and exchange data [1]. Since IoT devices connect objects in different environments to the Internet for information exchange and communication to realize intelligent identification, location, tracking, monitoring, management, and other functions, IoT devices have the ability to support a wide range of services. Consequently, the IoT builds a network that covers various things throughout the world via numerous IoT devices, and it enables various human-to-human, human-to-thing, thing-to-thing, and thing-to-thing interactions. Figure 1 shows a variety of IoT applications, including intelligent transportation, military target tracking, surveillance, public safety, smart home, industrial monitoring, smart city, medical equipment, and food traceability [2]. The application of the IoT involves all economic and social aspects of daily life and fundamentally changes the way in which humans interact with the world around them. Hence, the IoT is considered to be an information technology revolution and has become a growth point for the global economy [3].
Figure 1. Internet of Things (IoT) applications.

Various IoT-enabled devices with embedded sensors collect and send IoT data to data centres over public networks; thus, the issues of security and privacy in IoT environments have become increasingly important [4,5]. Only authentic data can be stored in data centres, which requires the integrity and authenticity of the data transmitted by an IoT device to be checked before being stored. The signature-based cryptosystem is technology that provides the integrity, real source, unforgeability, and non-repudiation of the data. An IoT device signs the data using its private key during data transmission, and the data centre confirms the data authenticity and integrity by verifying the validity of the received signature. Therefore, a digital signature scheme can ensure data integrity and data authenticity in the IoT. However, the IoT differs from traditional networks. Most IoT devices have limited computational and processing capabilities, short communication ranges, and restricted storage and power resources. Conventional cryptosystems cannot run on resource-constrained IoT devices. The main reason is that conventional cryptosystems are classified into two categories: PKI-based and ID-based cryptosystems. Traditional PKI-based cryptosystems require certificates to authenticate users’ public keys, which results in a large amount of computational overhead and communication costs to manage and exchange certificates. The identity-based cryptosystem avoids the use of certificates, but there are security flaws in key escrow that make it unsuitable for large-scale network environments. Hence, designing an efficient, secure signature scheme is very important for IoT security. In a signature scheme, the private key of the signer is used to sign the message, and the validity of the corresponding signature is verified by the signer’s public key. 
The signature’s validity not only ensures that the signer with the private key can apply a valid signature to the message but also ensures the authenticity and integrity of the message. The user’s public key is generally a random string; thus, authenticating the authenticity of the user’s public key is particularly crucial. In traditional public key infrastructure (PKI) settings, a certificate issued by a fully trusted authority associates the user’s public key with the user’s real identity. The authenticity of the user’s public key can be verified by the legality of the corresponding certificate. However, the storage, distribution, verification, and revocation of certificates in PKI are resource-intensive and computationally expensive tasks [6]. Hence, PKI is unsuitable for resource-constrained IoT environments. Shamir [7] proposed identity-based cryptography (IBC) to solve the complex certificate management problems in PKI. IBC allows a key generation centre (KGC) to produce the user’s private key, but the corresponding user’s public key comes from their public identity information, such as an e-mail address or mobile phone number. However, KGC can replace the user to decrypt any ciphertext or to forge the signature of any message without being found, which results in the key escrow problem. The concept of certificateless signature (CLS) was introduced by Al-Riyami and Paterson [8]. In a CLS scheme, the user’s private key consists of two parts: One is a partial private key generated by the KGC, and the other is a secret value calculated independently by the user. The CLS scheme solves the key escrow problem because the KGC is unable to obtain the user’s final private key. In addition, the user generates the corresponding public key based on its secret value, but it is not necessary to verify the authenticity of the public key by using the certificate. 
In practical applications, the user’s public key is sent to the recipient together with the signature or is obtained from a public directory in a proper manner. Certificateless signatures have received considerable attention in recent years, and researchers have designed numerous CLS schemes [9,10,11,12]. Most existing CLS schemes [13,14,15] have been proven to be secure in the random oracle model [16], where a cryptographic hash function is modelled as an ideal random oracle. The random oracle paradigm helps construct efficient cryptographic schemes, but it has received substantial criticism. It has been shown that, when random oracles are instantiated with actual hash functions, a cryptographic scheme that is proven secure in the random oracle model may be insecure in reality [17]. To overcome this security flaw, Liu et al. [18] designed the first CLS scheme without random oracles. Later, several CLS schemes [19,20,21,22] in the standard model were proposed, but these schemes cannot resist public key replacement (PKR) attacks or malicious-but-passive KGC (MKGC) attacks. In addition, most existing CLS schemes [23,24,25] without random oracles are proven to be existentially unforgeable against adaptive chosen-message attacks. This security notion only ensures that an attacker cannot forge the signature of any new message; it does not guarantee that the attacker cannot generate a new valid signature for a message that has already been signed. However, some signature schemes are malleable [26]; thus, an attacker can generate multiple valid signatures of the same message by using the previous message–signature pair without the signer’s private key. In other words, these schemes do not satisfy strong unforgeability, which is a stronger security notion than existential unforgeability. Strong unforgeability is desirable in some applications [27,28,29] (such as electronic commerce, construction of certificateless signcryption schemes, and certificateless group signature schemes). 
If a CLS signature scheme satisfies existential unforgeability and can prevent an attacker from forging a valid signature of a previously signed message, then we say that the CLS scheme is strongly unforgeable. Strong unforgeability is an important property of the CLS scheme, but few CLS schemes [30] satisfy strong unforgeability in the standard model. Unfortunately, none of those strongly unforgeable CLS schemes considers replay attacks [31,32]. Note that the energy of the IoT device is one of the main factors that restricts improvements in network performance. However, replay attacks, which are considered to be one of the major attacks faced by IoT devices, can consume a large amount of node energy. Therefore, a CLS scheme that is applicable to IoT environments must consider replay attacks. In this paper, motivated by the above concerns, we present a new CLS scheme for IoT environments that is more secure and efficient than the previous CLS schemes. As a potential signature-based authentication technology, our proposed scheme manifests a solution to the problems of data authenticity and data integrity in the IoT. The main contributions of this paper are the following. A novel CLS scheme without random oracles is constructed. Under the collision-resistant hash function (CRHF) and computational Diffie–Hellman (CDH) assumptions, the proposed CLS scheme is proven to be strongly unforgeable against adaptive chosen-message attacks in the standard model. In our CLS scheme, the user’s public key is not only bound to the user’s partial private key but also embedded into the signature of the message. This makes the proposed CLS scheme have a higher security trust level and be capable of resisting PKR attacks and MKGC attacks. The proposed CLS scheme resists replay attacks by verifying the freshness of the timestamp and the validity of the signature. 
To the best of our knowledge, our scheme is the first CLS scheme with strong unforgeability in the standard model that can resist replay attacks. Compared to other CLS schemes in the standard model, our CLS scheme has higher security, a smaller key size, a shorter signature length, and lower computational overhead for signature generation and signature verification. Due to the aforementioned functionalities, our CLS scheme is able to be implemented and deployed in IoT environments where IoT devices have limited computing power, storage space, and communication bandwidth. The remainder of this paper is organized as follows. We present the relevant CLS works in Section 2. Then, we introduce some preliminaries and security notions of the CLS scheme in Section 3. The proposed CLS scheme and its security proof are presented in Section 4 and Section 5. Section 6 gives the CLS system model for IoT environments and performance analysis. Section 7 concludes this paper.

2. Related Work

The first CLS scheme was proposed by Al-Riyami and Paterson [8]. Later, Huang et al. [33] noted that their CLS scheme [8] was unable to resist PKR attacks and proposed security notions for CLS schemes. Since then, researchers have constructed a large number of provably secure CLS schemes [9,10,11,12,13,14,15] in the random oracle model. Aiming to eliminate the security requirements of ideal random oracles, Liu et al. [18] constructed a CLS scheme without random oracles based on the identity-based signature scheme proposed by Paterson and Schuldt [34]. However, Xiong et al. [19] and Huang et al. [35] demonstrated that Liu et al.’s CLS scheme [18] was insecure against MKGC attacks. To enhance the security of Liu et al.’s CLS scheme [18], Xiong et al. [19] presented an improved scheme, but it was still vulnerable to MKGC attacks [36]. Furthermore, Xia et al. [37] showed that several CLS schemes [18,19,20] without random oracles were susceptible to PKR attacks. Subsequently, Yu et al. [21] designed a CLS scheme and claimed that their scheme was secure in the standard model. However, Yuan et al. [23] and Pang et al. [27] independently demonstrated that Yu et al.’s CLS scheme [21] was insecure against PKR or MKGC attacks. As a countermeasure, Yuan et al. [23] designed an enhanced scheme, but it did not satisfy strong unforgeability. Based on the Boneh–Boyen signature [38] and Pointcheval–Sanders signature [39], Canard and Trinh [25] constructed a CLS scheme with a low computational cost. However, Canard and Trinh’s CLS scheme [25] was only existentially unforgeable in the standard model. Subsequently, Huang et al. [22] constructed a CLS scheme with strong unforgeability in the standard model. Unfortunately, Yang et al. [30] demonstrated that Huang et al.’s CLS scheme [22] failed to achieve strong unforgeability and was vulnerable to MKGC attacks. Furthermore, Yang et al. 
[30] presented a secure CLS scheme, but their scheme still has some drawbacks, including a longer private key size and a higher computational overhead than those of the previous schemes. Digital signatures are widely used to ensure data authenticity and integrity. Yeh et al. [4] devised a CLS scheme for IoT environments. However, Jia et al. [40] demonstrated that Yeh et al.’s scheme [4] was insecure against PKR attacks and then proposed a new CLS scheme to overcome the flaws of Yeh et al.’s scheme [4]. Based on technologies such as RSA, DSA, and Merkle tree, Li et al. [41] proposed an IoT data communication framework to provide integrity and authenticity. Frädrich et al. [42] used redactable signature [43] to design another framework for the IoT environment to allow the redaction of parts from signed data and proved its security in the random oracle model. To achieve the security requirements in IoT, Challa et al. [44] presented a new signature-based authenticated key establishment scheme for the IoT environment. Based on Nyberg’s fast one-way accumulator [45], Yao et al. [46] designed a lightweight multicast authentication mechanism for small scale IoT applications. Yang et al. [47] proposed a certificateless aggregate signature scheme for vehicular ad hoc networks to reduce transmission bandwidth and verification overhead of signatures. To protect the identity privacy of IoT devices, Yang et al. [48] constructed a strong designated-verifier proxy re-signature (SDVPRS) scheme in the standard model and applied it to the IoT environment. Unfortunately, the existing data integrity and authenticity schemes in IoT have two drawbacks. (1) Some schemes [41,42,44,46,47,48] require heavy management and communication overheads of certificates to achieve authenticity authentication of the user’s public key. (2) Most of the schemes [4,40,41,42,44,46,47] are proved to be secure in the random oracle model. To fill these gaps, Karati et al. 
[3] presented a secure CLS scheme for IoT environments in the standard model, but their scheme did not consider strong unforgeability or replay attacks. To the best of our knowledge, designing an efficient CLS scheme that both satisfies strong unforgeability in the standard model and is resistant to PKR attacks, MKGC attacks, and replay attacks remains an open issue. Therefore, in this paper, we advance such a construction for IoT environments to ensure data integrity and data authenticity.

3. Preliminaries

Here, we briefly review some preliminary knowledge, including the definition of bilinear pairings, the complexity assumptions, and the security model of the CLS schemes.

3.1. Bilinear Pairing

Assume that and are cyclic groups with the same order of prime p and that g is any generator of . A bilinear pair is a map that satisfies the following conditions [23]: Bilinearity: for all . Nondegeneracy: . Computability: There is an algorithm that can efficiently calculate for any .

3.2. Complexity Assumptions

Given two elements , the discrete logarithm (DL) problem [30] is to find an integer such that . Let denote an attacker with probabilistic polynomial time (PPT). The advantage of to solve the DL problem in is defined as We say that the DL assumption holds in Given three elements, for unknown, randomly chosen , the computational Diffie–Hellman (CDH) problem [22] is to calculate . The advantage that any PPT adversary can solve the CDH problem in is defined as The CDH assumption holds in Suppose that represents a family of hash functions , where n is the length of the output value of and k is an index. Given the index k, the collision resistance of hash function (CRHF) [30] is to find such that . The advantage of any PPT adversary in breaking the collision resistance of is defined as A hash family

3.3. Security Model of CLS

A CLS scheme consists of six algorithms, as follows: : This algorithm takes as input a security parameter , and it outputs the master secret key and system parameters . : This algorithm takes as input and an identity , and it outputs a secret value and a public key . : This algorithm takes as input , , and , and it returns a partial private key for identity . : Upon receiving , , and , this algorithm outputs a private key . : This algorithm takes as input , an identity ’s private key and public key , a timestamp T, and a message m, and it returns a signature on m. : Upon receiving , , , T, m, and , this algorithm outputs 1 if is a valid signature of on m with respect to T and , and it outputs 0 otherwise. According to the security model for CLS presented in References [15,35], a CLS scheme’s security should consider two types of adversaries: type I and type II adversaries. A type I adversary is a PKR attacker who knows the secret value of the targeted entity and who can replace any entity’s public key with its own. A type I adversary models an outside attacker who is not capable of possessing the master secret key of the KGC. In contrast, a type II adversary models an honest-but-curious KGC attacker who holds the master secret key of the KGC and generates the partial private key of any entity. However, a type II adversary can neither perform the entity’s PKR nor obtain the secret value of the targeted entity. To meet more realistic security requirements, Au et al. [49] presented an enhanced security model in which a type II adversary is viewed as an MKGC attacker. In this case, a malicious KGC can access the master secret key of the KGC and may embed extra trapdoors in the system parameters and the master secret key during the initialization phase of the system. Hence, the type II adversary that we focus on is an MKGC attacker. 
Here, the security model for a strongly secure CLS scheme is formalized via the following games (denoted Games 1 and 2) between a challenger and an adversary . Game 1: Executed between a challenger and a type I adversary . Initialization: first runs the algorithm to obtain the master secret key and system parameters . then runs the algorithm to output the secret value and corresponding public key of the targeted entity. Finally, sends and to while keeping secret. Queries: can adaptively access the following oracles with . Public Key Query: Upon receiving an identity , runs the algorithm to obtain a public key and sends it to . Public Key Replacement (PKR) Query: Upon receiving such a query, finds and replaces the original public key of identity with a new public key . Partial Private Key Query: Upon receiving an identity and a public key , runs the algorithm to generate a partial private key and sends it to . Private Key Query: When initiates a private key inquiry about an identity , executes the algorithm to produce a private key and sends it to . Note that returns the symbol ⊥ if has already appeared in PKR queries. Signing Query: Upon receiving an identity , a timestamp T, and a message m, first executes the algorithm to produce a private key and then uses , T, and the identity ’s matching public key to execute the algorithm to produce a signature on m. Finally, sends to . Forgery: eventually outputs a forged signature on a message corresponding to an identity , a timestamp , and the targeted public key . It is said that wins this game when the following conditions are fulfilled: . is not requested in and . is not an output of the oracle . Game 2: Executed between a challenger and a type II adversary . To launch malicious attacks more easily, is allowed to set some trapdoors during the initialization phase of the game. Initialization: invokes to produce the master secret key and system parameters . 
Then, runs the algorithm to produce the secret value and the corresponding public key of the targeted entity. Finally, sends to while keeping secret. Queries: can adaptively access the oracles , , and , which are defined in Game 1, and responds in the same way as it does in Game 1. Forgery: eventually outputs a forged signature on a message corresponding to an identity , a timestamp , and the targeted public key . It is said that wins this game when the following conditions are fulfilled: . is not requested in . is not an output of the oracle . denotes the advantage that wins the above games, where . A CLS scheme is said to be strongly unforgeable against adaptive chosen message attacks if the advantages

4. Proposed CLS Scheme

Based on Waters’ scheme [26] and its variants [28,34], we propose an undeniable and strongly unforgeable CLS scheme in the standard model. Our CLS scheme is described as follows. : Upon giving the security parameter as input, the KGC produces the master secret key and system parameters by performing the following steps. Select and as two cyclic groups with prime order p, a generator g of , and a bilinear pairing . Select two random values and compute and . Select two random elements and two vectors and of lengths and , respectively, where for and . Select three collision-resistant hash functions , , and . Secretly keep the master key and publicly broadcast the system parameters , . : An entity with identity randomly selects and computes Then, the entity computes as its secret value and sets its public key . : Given an identity and a public key of an entity, the KGC first computes a vector and . Then, the KGC selects at random and computes Finally, the KGC sends the partial private key to the entity via a secure channel. After receiving from the KGC, the entity can check the correctness of by verifying If this equation holds, then the entity accepts as a valid partial private key. : The entity with identity selects a random value and computes a vector and , where is ’s public key. Then, the entity uses its secret value and partial private key to compute its private key : The signer with identity generates a signature of a message m by performing the following steps. Select a random value and compute . Choose the current timestamp T and compute a vector and . Compute where and are the private and public keys of identity , respectively. Output as a signature of m. : Given the signer’s identity and public key , timestamp T, and a signature of message m, the verifier first chooses the current time . Then, the verifier verifies the legality of as follows. If , where is a threshold value, the verifier refuses to verify the validity of and exits. 
If , the verifier computes , , , and Then, the verifier checks If this equation holds, the verifier accepts and outputs 1; otherwise, the verifier rejects and outputs 0. Correctness: The correctness of a signature on a message m is presented as follows:

5. Security Proof

In our CLS scheme, the algorithm randomizes the entity’s secret value and partial private key to generate the final private key . Hence, it is not feasible for a malicious KGC to produce a valid signature without the secret value . Additionally, the KGC cannot derive the entity’s private key from the master secret key and the entity’s partial private key . To prevent PKR and MKGC attacks, a part of the entity’s public key is embedded in the signature . Only each entity can produce its legal public key ; thus, the malicious KGC can neither set the entity’s public key at will nor derive the secret value from the signature. Furthermore, it is impossible to obtain the value directly from the entity’s public key and the public value of the signature unless the adversary can solve the CDH problem. The algorithm binds each entity’s public key , identity , and partial private key , which can enhance the trust level of the proposed CLS scheme. If the KGC attempts to replace the entity’s public key , then the entity’s identity and the new public key must be re-bound to compute a new partial private key, which results in the entity’s identity corresponding to two public keys and two partial private keys. Therefore, our CLS scheme can easily determine whether the KGC replaced the entity’s public key. In addition, is a collision-resistant hash function. The hash value h combines the message m, the identity , public key , two values , and in the signature, a timestamp T, and system parameters as . Hence, an attacker cannot forge a new valid signature from an existing signature on a message; that is, an adversary cannot generate a valid signature on any previously signed/new message in our CLS scheme. In the following, we introduce two theorems to demonstrate that our CLS scheme satisfies a strong unforgeability against PKR and MKGC attacks in the standard model. 
Reduction technology is used to prove the strong unforgeability of the proposed scheme; specifically, if an attacker breaks the security of the scheme, a solver then uses the attacker’s ability to solve the underlying hard problem related to the scheme. However, this problem is intractable in reality; thus, such an attacker does not exist. Furthermore, we prove that the proposed CLS scheme can resist replay attacks. In the standard model, our CLS scheme is strongly unforgeable against PKR attacks. Specifically, there is a type I adversary is given a random instance of the CDH problem, and ’s goal is to output with the help of . The algorithm simulates the challenger in Game 1 and responds to ’s queries as follows. Initialization: first sets and such that and . Then, simulates the algorithm by performing the following steps: Randomly select and . Randomly select , , , , and , . Select three hash functions , , and . Note that the adopted hash functions are not considered to be random oracles in the following proof. Set and , where and are from the input of the instance of the CDH problem. Note that the master secret key is implicitly set to . Assign , for , , and for , and set and . Select three random integers and compute , , and . Next, set the secret value of the targeted entity to and the corresponding public key to . Send system parameters , and the targeted entity’s secret value/public key pair to . From the perspective of , the distribution of the system parameters produced by is identical to the real construction. In our CLS scheme, we have for an identity and a public key , and we have , for a message m and a timestamp T. Aiming to simplify the analysis, we define the following four functions: Hence, we have the following equations: Queries: maintains a list , , which is initially empty. constructs the following oracles to answer a series of ’s queries. 
Public Key Query: When initiates such an inquiry for an identity , looks up the corresponding entry in the list . If is found in , returns to . Otherwise, randomly selects and computes the secret value and the public key . Then, stores in and sends to . Public Key Replacement Query: If there is an entry for the identity in the list , replaces the original public key of with a new public key . Otherwise, directly sets as the public key of . Partial Private Key Query: When requests a partial private key of an identity and a public key , returns to if there is an entry for and in the list . Otherwise, computes and . If , randomly selects and calculates a partial private key where and , . Then, stores the partial private key of the corresponding entry in and sends to . If , terminates the simulation. Note that the partial private key generated by is legal. Then, we have Hence, from ’s perspective, the partial private key simulated by is computationally indistinguishable from that computed by the real KGC. Private Key Query: When requests the private key of an identity , checks for an entry of in . If it exists, returns to ; otherwise, computes and . If , terminates; otherwise, initiates a public key query about to acquire a secret value and a public key and then initiates a partial private key query with to acquire a partial private key . Next, executes the algorithm to create a private key , stores of the corresponding entry in and sends to . Signing Query: Upon receiving an identity , a timestamp T, and a message m, issues a query to acquire a public key and the triplet . Then, proceeds as follows. If , first makes a query to acquire a private key and then runs the algorithm to generate a signature of m. Finally, sends to . If , computes . If , terminates; otherwise, randomly selects and computes , , , and . Furthermore, computes Finally, sends to . 
For , we have Clearly, the signature generated by is legal because satisfies the following verification equation: From ’s perspective, the signatures simulated by are computationally indistinguishable from those produced by the real signer. Forgery: eventually outputs a signature on a message corresponding to an identity , a timestamp , and targeted public key . If or , terminates; otherwise, computes and uses to output as a solution to the CDH instance as follows: Now, we analyze the probability that can successfully solve the CDH problem. If the following conditions hold, completes the above simulation without aborting. All partial private key queries on have . All private key queries on have . All signing queries on have or . In the forgery phase, and . Here, we define four independent events , , , and as follows. for the ith query, where . . for the jth query, where . . Because the events , , , and are independent, the probability that does not terminate is From , , , , and , we have , , and . Therefore, it is easy to derive and from and , respectively. Moreover, implies that , and implies that . Since and are randomly chosen, we obtain the probabilities of the events and as follows: Furthermore, we have Since and , we write Therefore, if breaks the strong unforgeability of the proposed CLS scheme with advantage , then has an advantage to solve the given instance of the CDH problem. □ In the standard model, the proposed CLS scheme is strongly unforgeable against MKGC attacks launched by the type II adversary Supposing that a PPT adversary breaks the strong unforgeability of our CLS scheme in an adaptive chosen-message attack, we can construct an algorithm that calls as a subroutine to violate the CDH assumption. Assuming that is given a random instance , to calculate , simulates the challenger in Game 2 to answer all ’s queries. Initialization: For the given values , , , and , sets and such that and . selects a random element and calculates . 
Then, sets the targeted entity’s public key and sends parameters and to . Subsequently, performs the following steps to produce other system parameters and the master secret key. Select two random integers and , where and . Randomly select , and , , , . Select three collision-resistant hash functions , , and . Assign , for , , and for and set and . Select two random values and compute , and . Send parameters and the master secret key to . Note that the secret value of the targeted entity is , which is unknown to , and the system parameters are , . As the initialization phase in Theorem 1, we define the following four functions: Furthermore, we have the following equations: Queries: maintains an initially empty list of tuples and builds the following oracles to answer the queries initiated by . Public Key Query: When issues such a query on an identity , looks up the corresponding entry in list and sends to . Otherwise, if does not store this entry, randomly selects and computes the public key . Note that the secret value is , but a and b are unknown to . Then, stores , in and transmits to . Private Key Query: Upon receipt of a query on an identity , returns to if is found in ; otherwise, makes a query to obtain a public key and the triplet and then verifies whether . If , exits the simulation. If , selects and uses the master secret key to compute where and , . Then, stores the private key of the corresponding entry in and sends to . The correctness of simulated by is where . Hence, the above equations indicate that is a valid private key of identity . Signing Query: Upon receiving a message m, an identity , and a timestamp T, issues a query to obtain a public key and a triplet . Then, considers the following two cases: If , makes a query to obtain a private key and then runs the algorithm to generate a signature on m. Finally, sends to . If , computes . If , quits the simulation; otherwise, randomly selects and computes , , , and . 
Furthermore, computes Finally, sends to . Let ; then, we have The simulated signature satisfies the following signature verification equation; thus, is a valid signature on message m: Forgery: eventually outputs a signature on a message corresponding to an identity , a timestamp , and the targeted public key . If or , terminates; otherwise, calculates and then uses and to output the CDH value by calculating Here, we discuss the probability of outputting a correct solution for the CDH instance. completes the above simulation if all of the following events occur: during private key queries. or during signing queries. and in the forgery phase. The probability of completing the simulation is analogous to that in Theorem 1. We define four independent events, , , , and , as follows: for . . for . . Similar to the probability analysis in Theorem 1, we give the probability of not aborting as Hence, can solve the given instance of the CDH problem with advantage . □ We obtain Theorem 3 by combining Theorems 1 and 2, as follows. In the standard model, our CLS scheme is strongly unforgeable against adaptive chosen-message attacks corresponding to type I and II adversaries under the CDH and CRHF assumptions. Our CLS scheme is resistant to replay attacks. In replay attacks, the adversary generally initiates two types of attacks [31,32]. One is to directly replay the intercepted message and the corresponding signature, and the other is to modify the timestamp in the signature of the intercepted message and to create a new signature for the message. In the first type of attack, it is assumed that the adversary replays an intercepted combination of message m, timestamp T, and signature generated by an IoT device. Upon receiving this combination , the data centre compares the timestamp T in the combination with the current timestamp . If the value of exceeds the threshold , the data centre can determine that m in this combination is a replayed message and can discard m. 
Therefore, the first type of attack has no effect on our CLS scheme. □ Since our CLS scheme satisfies strong unforgeability, the attacker cannot generate a legal signature for any message. Therefore, in the second type of attack, the attacker can only use the existing combination to initiate the attack. In the proposed scheme, the timestamp T is bound to the message m, i.e., . Additionally, the timestamp T is embedded in the parameter h in the form of and is also embedded in the signature of the message m in the form of . If the attacker wants to replace T in the signature with a new timestamp , the attacker needs to calculate and . Although an attacker can calculate and , the difficulty of calculating from is equivalent to solving the DL problem. However, if the attacker does not know , then they cannot calculate the correct value . In addition, must satisfy the conditions and , which is equivalent to finding a collision of the hash functions and . Since the DL problem is computationally intractable in practice and the functions and are CRHFs, the second type of attack does not compromise the security of our CLS scheme. In summary, the proposed CLS scheme withstands replay attacks.
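The two replay strategies discussed above, run against a data-centre verifier, as an added example that is not part of the paper: the pairing-based CLS itself is not implemented, so an HMAC under a per-device key stands in for the signing step; the 30-second acceptance window, the keys and the sensor reading are all constructed values.

```python
import hashlib
import hmac

# Added example, not the paper's code. An HMAC under a per-device key stands in
# for the CLS Sign algorithm so that the timestamp-binding and freshness checks
# can be exercised without the pairing arithmetic.
THRESHOLD = 30                                # acceptance window in seconds (assumed)
DEVICE_KEY = b"constructed-device-key-0001"   # constructed stand-in for the signing key
PUBLIC_KEY = b"constructed-public-key"        # constructed stand-in for the device's PK

def bind(message: bytes, timestamp: int, public_key: bytes) -> bytes:
    """h = H(m, T, PK): the timestamp is hashed together with the message,
    so a signature is only valid for the exact (m, T) pair it was issued on."""
    return hashlib.sha256(message + timestamp.to_bytes(8, "big") + public_key).digest()

def sign(message: bytes, timestamp: int) -> bytes:
    """IoT device side: sign the bound value h (stand-in for the CLS signing step)."""
    return hmac.new(DEVICE_KEY, bind(message, timestamp, PUBLIC_KEY), hashlib.sha256).digest()

def verify(message: bytes, timestamp: int, sig: bytes, now: int) -> str:
    """Data-centre side: reject stale timestamps first, then check the signature."""
    if abs(now - timestamp) > THRESHOLD:
        return "rejected: stale timestamp"
    expected = hmac.new(DEVICE_KEY, bind(message, timestamp, PUBLIC_KEY), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "rejected: invalid signature"
    return "accepted"

def replay_scenarios() -> dict:
    """Run the two replay strategies the text describes against an intercepted
    (m, T, sigma) triple and return the data centre's verdict for each."""
    t0 = 1_700_000_000                       # constructed capture time
    m = b"temperature=21.5C;sensor=07"       # constructed IoT reading
    sigma = sign(m, t0)
    results = {"fresh": verify(m, t0, sigma, now=t0 + 5)}
    # Type 1: replay the unchanged triple after the acceptance window has passed.
    results["replay_after_window"] = verify(m, t0, sigma, now=t0 + THRESHOLD + 1)
    # Type 2: keep m and sigma but rewrite T to a current timestamp; the binding
    # h = H(m, T, PK) no longer matches, so the signature check fails.
    t_new = t0 + 3600
    results["retimestamped"] = verify(m, t_new, sigma, now=t_new + 1)
    return results

if __name__ == "__main__":
    for name, verdict in replay_scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

The threshold comparison is the check the text describes; an unchanged triple replayed inside the window still verifies, so deployments usually pair the window with a short-lived cache of accepted (m, T) pairs.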

6. Application in IoT Environments and Performance Analysis

6.1. System Model

In a CLS scheme for IoT environments, it is very important that data are not modified and that the source of the data is authentic during data transmission. Therefore, we mainly focus on the integrity and authenticity of IoT data in our system while simultaneously reducing the bandwidth, computational cost, and storage overhead for IoT devices. Figure 2 shows our CLS system model for IoT environments, which consists of three entities: PKG, data centre, and IoT device.
Figure 2

System model of the proposed certificateless signature (CLS) scheme for IoT.

PKG: This entity is primarily responsible for producing system parameters and computing partial private keys for the data centre and each IoT device. The PKG sends system parameters to all of the entities through a public channel and transmits an individual partial private key to each entity via a secure channel.

Data centre: This entity has strong computing power and ample storage space; thus, it can check the integrity and authenticity of the data by verifying the signature sent by each IoT device and can store the authentic data for other users to use. Initially, the data centre submits its identity information to the PKG to apply for the corresponding partial private key; it then saves the system parameters and partial private key sent by the PKG.

IoT device: This entity, equipped with sensors, has limited computational and memory resources and limited battery capacity. During the registration of the IoT device, the PKG generates a unique partial private key based on the physical address of each IoT device. After the IoT device is embedded with the system parameters and its private key, it signs messages collected from the physical world and sends the corresponding signatures along with the messages to the data centre.

6.2. Performance Analysis

In this subsection, we analyze the performance of the proposed CLS scheme. Compared with other cryptographic operations, bilinear pairing and exponentiation are the most time-consuming operations [22,28]; hence, our efficiency analysis mainly emphasizes the computational costs of these two operations. Table 1 and Table 2 compare the performance of our CLS scheme and other related CLS schemes [21,22,23,27,30] without random oracles in terms of private key size, signature length, computational cost, and security. In Table 1, the KeySize and SigSize columns list the sizes of the private key and signature, respectively. The Sign and Verify columns present the computational costs of the algorithms and , respectively. Let P and E represent the execution times of a bilinear pairing and an exponentiation, respectively. Let represent the length of an identity, and let and represent the lengths of an element in and , respectively. In Table 2, the columns Type I, Type II, and Replay Attacks show whether the CLS scheme can resist PKR attacks, MKGC attacks, and replay attacks, respectively. The SUF column denotes whether the CLS scheme satisfies strong unforgeability in the standard model. It should be noted that the key length affects the storage capacity of the IoT device and the data centre and that the signature length affects the communication capabilities of the IoT device and the storage capacity of the data centre. In addition, the overheads of signature generation and signature verification affect the computing power of the IoT device and the data centre, respectively.
Table 1

A comparison of the CLS scheme performance.

Scheme             KeySize             SigSize     Sign   Verify
Yu et al. [21]     |p|+2|G1|           4|G1|       7E     E+5P
Yuan et al. [23]   |p|+2|G1|           3|G1|       3E     E+6P
Pang et al. [27]   |p|+2|G1|           3|G1|       7E     4E+5P
Huang et al. [22]  3|G1|               3|G1|       5E     3E+6P
Yang et al. [30]   (4+n_u)|p|+2|G1|    |p|+4|G1|   10E    3E+7P
Our scheme         2|G1|               3|G1|       3E     E+3P
Table 2

A comparison of the security attributes.

Scheme             Type I   Type II   SUF   Replay Attacks
Yu et al. [21]     No       No        No    No
Yuan et al. [23]   Yes      Yes       No    No
Pang et al. [27]   Yes      Yes       No    No
Huang et al. [22]  Yes      No        No    No
Yang et al. [30]   Yes      Yes       Yes   No
Our scheme         Yes      Yes       Yes   Yes
From Table 1 and Table 2, the length of the private key in our CLS scheme is 2|G1|, which is the shortest among the six CLS schemes. The size of the signature in the proposed CLS scheme is 3|G1|, which is equal to that of the schemes presented in References [22,23,27] but smaller than that of the other schemes [21,30]. In the signing phase, our CLS scheme requires three exponentiations, as does Yuan et al.'s scheme [23], and is superior to the other schemes [21,22,27,30]. In the verification phase, the computational cost of the proposed CLS scheme is E+3P, which is lower than that of the five other CLS schemes.

Moreover, the efficiency of the verification process in our CLS scheme can be improved by pre-computation. Note that the verification equation for signature legitimacy is as follows: Here, and can be pre-computed; thus, the time cost of verification in our CLS scheme can be reduced to one exponentiation and three bilinear pairings. Furthermore, only our CLS scheme resists PKR attacks, MKGC attacks, and replay attacks while satisfying strong unforgeability.

We also evaluated the performance of the proposed CLS scheme via experiments conducted with the PBC-0.47-VC cryptographic library [50]. The simulation program was run on a laptop with a basic configuration of a 2.50 GHz CPU, 8 GB RAM, and the 64-bit Windows 10 operating system. To obtain faster pairing computation, we selected the Type A curve in the PBC library, which is a supersingular curve over a 512-bit base field. The results of the experiment are presented in Figure 3, Figure 4, Figure 5 and Figure 6.
Figure 3

A comparison of the private key size.

Figure 4

A comparison of the communication cost.

Figure 5

A comparison of the signature generation cost.

Figure 6

A comparison of the signature verification cost.

The IoT device must secretly store its private key; therefore, the size of the private key is important for an IoT device with limited storage capacity. As shown in Figure 3, the size of the private key in our CLS scheme is 256 bits, which is 92.8% of that in Yuan et al.'s CLS scheme [23]. In Yang et al.'s CLS scheme [30], however, the size of the private key increases linearly with the length of the entity's identity. For example, if the length of the entity's identity is 100 bits, then the private key size in our CLS scheme is approximately 11% of that in Yang et al.'s CLS scheme [30]. In other words, our CLS scheme performs better in terms of private key length.

Since IoT devices possess limited battery power and communication bandwidth, one of the goals of our CLS scheme is to reduce the communication overhead of IoT devices. The most critical factor affecting communication cost is signature size. Figure 4 shows that the signature size of our CLS scheme and that of Yuan et al. [23] is 384 bits, while the signature size of Yang et al.'s CLS scheme [30] is 532 bits. Hence, the proposed CLS scheme has a lower communication overhead.

Because IoT devices have limited computing and processing power, the computational overhead of generating signatures on IoT devices should be as small as possible. Figure 5 shows that the cost of signature generation in our CLS scheme is almost the same as that in Yuan et al.'s CLS scheme [23] but less than that in Yang et al.'s CLS scheme [30]. The data centre has strong computation and storage capability to verify the validity of signatures sent by IoT devices. Figure 6 shows that the proposed CLS scheme greatly reduces the computational overhead of signature verification and that its performance is superior to that of the other two schemes [23,30].

A scheme in the random oracle model usually has higher computational performance, but its security depends on an idealized random oracle.
Both our scheme and Yang et al.'s scheme [48] are provably secure in the standard model, and their security depends only on the difficulty of the associated mathematical problems. Therefore, these two schemes have higher security than the other schemes [4,40,41,42,44,46,47]. Our scheme and Yang et al.'s scheme [48] use CLS and SDVPRS, respectively, to guarantee the integrity and authenticity of data in the IoT. We compare the signature generation and verification overheads of the two schemes, and the corresponding results are shown in Figure 7 and Figure 8.
Figure 7

A comparison of the signature generation cost between CLS-based and SDVPRS-based authentication schemes.

Figure 8

A comparison of the signature verification cost between CLS-based and SDVPRS-based authentication schemes.

From Figure 7, we can see that the computational cost of signature generation in our scheme is lower than that in the scheme of Reference [48]. This is because signature generation in the scheme of Reference [48] requires an additional bilinear pairing operation. Figure 8 shows that the time consumption of signature verification in the scheme of Reference [48] is lower than ours, but the scheme in Reference [48] satisfies neither strong unforgeability nor replay attack resistance. As a result, our scheme offers stronger security. In summary, the results of all the above experimental analyses are consistent with the theoretical analysis in Table 1. Therefore, we conclude that our CLS scheme is applicable to IoT environments.

7. Conclusions

The IoT is profoundly changing production activities, social management, and public services, but ensuring the integrity and authenticity of data is an important issue for the IoT. To solve this problem, a new CLS scheme for IoT environments is presented in this paper. In addition to protecting data integrity and data authenticity, our CLS scheme also reduces the computational and communication costs for IoT devices. The proposed CLS scheme is proven to be strongly unforgeable against adaptive chosen-message attacks under the CDH and CRHF assumptions in the standard model. Additionally, our CLS scheme can withstand replay attacks. Furthermore, the performance comparisons demonstrate that our CLS scheme outperforms the previous CLS schemes without random oracles. The Internet of Vehicles is considered to be one of the most promising areas of the IoT and has wide application prospects in the field of intelligent transportation. Compared with ordinary sensors, vehicle terminal equipment has a more stable power supply and greater computing power and storage space. Hence, our CLS scheme is also suitable for the Internet of Vehicles.