Ad Hoc Networks 100 (2020) 102074
Journal homepage: www.elsevier.com/locate/adhoc
A new provably secure certificateless signature scheme for Internet of Things ✩

Hongzhen Du (a,*), Qiaoyan Wen (b), Shanshan Zhang (a,c), Mingchu Gao (d)

a School of Mathematics and Information Science, Baoji University of Arts and Sciences, Baoji, Shaanxi 721013, China
b State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
c School of Telecommunications Engineering, Xidian University, Xi'an, Shaanxi 710071, China
d Department of Mathematics, Louisiana College, Pineville, LA 71360, USA
Article info

Article history: Received 25 October 2019; Revised 16 December 2019; Accepted 5 January 2020; Available online 28 January 2020.

Keywords: Authentication; Certificateless public key cryptography; Certificateless signature; Internet of things; Unforgeability
Abstract

With the rapid spread of the Internet of Things (IoT) across many fields, the security of the IoT has attracted wide attention. Authentication is the foundation of IoT security. Certificateless signature, which removes both intricate certificate management and key escrow, is one practical way to provide data integrity and identity authentication for the IoT. Many certificateless signature schemes have been proposed, but few of them are both secure and suitable for the IoT. Recently, Jia et al. designed a certificateless signature scheme for IoT deployment and claimed that it withstands attacks by both types of super adversaries. We show that Jia et al.'s scheme cannot resist even a normal Type I adversary, let alone a super Type I adversary. We then propose a certificateless signature scheme based on the elliptic curve cryptosystem and prove that it is unforgeable against both types of super adversaries. Our scheme performs better than the existing certificateless signature schemes; it offers the best combination of security and efficiency so far and is therefore well suited to the resource-constrained IoT environment. © 2020 Published by Elsevier B.V.
1. Introduction

The Internet of Things (IoT) is the interconnection of thing to thing (T2T), human to thing (H2T) and human to human (H2H). Compared with other networks, the IoT has its own characteristics. First, the number of terminals accessing the network grows exponentially, and they are of many kinds: computers, mobile phones, tablets, household appliances, cameras, and even automobiles. Second, terminals communicate with each other without human operation, so they must solve their own security and communication security problems. In addition, the terminals themselves have limited resources: most IoT devices are built on small embedded chips with limited computing and communication capabilities. The security issues involved in the IoT

✩ This work was supported in part by the National Natural Science Foundation of China under Grant 61402015, in part by the MOE Layout Foundation of Humanities and Social Sciences under Grant 19YJA790007, and in part by the Project of Shaanxi Education Department under Grant 19JK0042.
∗ Corresponding author.
E-mail addresses:
[email protected] (H. Du),
[email protected] (Q. Wen),
[email protected] (S. Zhang),
[email protected] (M. Gao).
https://doi.org/10.1016/j.adhoc.2020.102074 1570-8705/© 2020 Published by Elsevier B.V.
are challenging because of heterogeneity, scalability, the openness of wireless communication and the limited resources of wireless sensors and radio frequency identification [1]. The IoT has a wide range of applications, such as transportation, health care, education, agriculture, industry, military surveillance and smart homes (see Figs. 1 and 2). The security requirements of the IoT are therefore diverse and complex. Authentication is the foundation of IoT security, so studying authentication for the IoT is of great significance. Digital signatures, which provide identity authentication, data integrity and non-repudiation, are well suited to IoT environments. In a digital signature scheme the signer's private key is needed to generate a signature and the signer's public key is needed to verify it. Only the signer holds the private key, so only the signer can produce a valid signature. In recent years, Elliptic Curve Cryptography (ECC) has attracted wide attention. At the same security level, ECC offers smaller private keys, less computation, less storage and less bandwidth; it is generally accepted that a 224-bit elliptic curve gives the same security level as 2048-bit RSA. Therefore, a signature scheme based on elliptic curves is better suited to low-power devices, and using an elliptic curve signature scheme to achieve data integrity and identity authentication in the resource-constrained IoT environment is a practical and meaningful approach. As is well known, the conventional public key cryptosystem (PKC) suffers from intricate certificate management. ID-based PKC [2] removes certificate management, but it suffers from key escrow and easily exposes users' privacy. Certificateless PKC (CLPKC) [3] combines the advantages of conventional PKC and ID-based PKC: it reduces the complexity of certificate management and has no key escrow problem. Therefore, this paper concentrates on designing digital signature schemes in CLPKC for IoT applications.

Fig. 1. Application areas of the IoT.

Fig. 2. The outline of our CLS scheme.

1.1. Related work
The first CLS scheme was designed by Al-Riyami and Paterson [3], and CLS schemes have received growing attention since. Yum and Lee [4] gave a general construction for CLS schemes. Gorantla et al. [5] put forward a novel CLS scheme, but it cannot resist the public key replacement attack of a Type I adversary [6]. Al-Riyami and Paterson's CLS scheme [3] was found to be insecure against both kinds of adversaries [7]. Next, Yap et al. [8] designed a new CLS scheme, but Park et al. [9] proved that it is forgeable under public key replacement attacks. Zhang et al. [10] then revised the security model of CLS and constructed a new CLS scheme in the random oracle model. Liu et al. [11] put forward the first CLS scheme in the standard model, but it suffers from attacks by a Type II adversary. Yuan et al. [12] also designed a CLS scheme in the standard model. Hu et al. [13] gave a simplified definition of CLS schemes. Later, several novel and efficient CLS schemes were proposed [14–17]. Short signatures are appropriate for resource-constrained wireless network applications. Du et al. [18] put forward a short CLS scheme whose verification needs only one pairing operation. Choi et al. [19] and Tso et al. [20] each put forward a short CLS scheme, but Du et al. [21] pointed out that both schemes [19,20] are vulnerable to strong Type II adversaries. Later, He et al. [22] and Chen et al. [23] each constructed a short CLS scheme. Both are secure, but their computational cost is relatively high: the former requires two pairings in verification and the latter three. Tsai et al. [24] constructed a short CLS scheme, but their construction has a defect: the signature produced by a signer on a message is not bound to the message. That is, a signer generates a signature σ on a message m, but m is not used when verifying σ, so a verifier has no reason to believe that σ is a signature on m.

All the CLS schemes mentioned above are built from bilinear pairings, but pairing computation is expensive, which makes these schemes inefficient to implement. Designing CLS schemes without bilinear pairings has therefore become a research hotspot. The first pairing-free CLS scheme was put forward by He et al. [25], but [26,27] showed that it is vulnerable to a strong Type II adversary. Next, [28] constructed a CLS scheme based on RSA. Yeh et al. [29] designed a pairing-free CLS scheme. Gong et al. [30] and Wang et al. [31] each presented a pairing-free CLS scheme; however, Yeh et al. [32,33] pointed out that both schemes [30,31] are vulnerable to super Type I adversaries. Yeh et al. also presented two pairing-free CLS schemes in [32,33]. However, Jia et al. [34] showed that the scheme of [33] has two drawbacks: any malicious adversary can simulate the KGC to produce a user's partial private key, and the scheme cannot stop the public key replacement attack of a super Type I adversary. Very recently, Karati [35] put forward a new CLS scheme without pairings.
1.2. Contributions

Our contributions are as follows:

(1) Jia et al. [34] designed a CLS scheme for IoT deployment and claimed that it is unforgeable against both kinds of super adversaries. Unfortunately, the claim does not hold. We prove that Jia et al.'s CLS scheme is forgeable by a normal Type I adversary, let alone a super Type I adversary.

(2) We construct a novel CLS scheme that attains the highest level of security: it is unforgeable under adaptive chosen message attacks by both types of super adversaries. Moreover, the scheme avoids expensive bilinear pairings and performs better than the existing CLS schemes, so it is more appropriate for the resource-constrained IoT environment.

2. Preliminaries

2.1. Elliptic curve and hardness assumption

(1) Elliptic curve. Let $q$ be a large prime and $GF(q)$ a finite field. Consider the congruence
$$y^2 = x^3 + \gamma x + \delta \pmod q,$$
where $\gamma, \delta \in GF(q)$ and $(4\gamma^3 + 27\delta^2) \bmod q \neq 0$. All solutions $(x, y) \in GF(q) \times GF(q)$ of this congruence, together with a special point $O$ (the point at infinity), form an elliptic curve $E$ over $GF(q)$. The points of $E$ together with $O$ form an additive cyclic group $G$ under point addition. Let $l$ be the order of $G$ and $R$ a generator of $G$. For $h \in Z_l$ we call $hR = R + R + \cdots + R$ ($h$ times) scalar multiplication on $G$.

(2) Hardness assumption. The Elliptic Curve Discrete Logarithm Problem (ECDLP) is stated as follows: let $G$ be an additive elliptic curve group of prime order $q$ with generator $Q \in G$. Given an arbitrary instance $\chi \in G$ with $\chi = aQ$ and $a \in Z_q^*$, it is hard to compute $a$ from $\chi$.

2.2. Definition of CLS

Definition 1. A CLS scheme involves three entities: a KGC, a signer and a verifier. It consists of the following five algorithms.
– Setup is executed by the KGC. On input a security parameter $l$, it outputs a system master key $smk$ and the public parameters $params$.
– Extract-Partial-Private-Key is performed by the KGC. Given $params$, $smk$ and a user's identity $ID$, it outputs a value $d_{ID}$ as the user's partial private key.
– Generate-User-Key is performed by the user $ID$. On input $params$ and $ID$, it returns the secret value $v_{ID}$ and the public key $PK_{ID}$.
– Sign is run by a user (signer) $ID$ with public key $PK_{ID}$. On input $params$, a message $m$, $ID$, $PK_{ID}$, $d_{ID}$ and $v_{ID}$, it returns a signature $\sigma$ on $m$.
– Verify is performed by a verifier. On input a tuple $(params, ID, PK_{ID}, m, \sigma)$, it outputs "1" if $\sigma$ is valid and "0" otherwise.
2.3. Security model for CLS

As described in [3], there are two kinds of adversaries, $A_1$ and $A_2$, against a CLS scheme. $A_1$ models an external attacker: it holds neither the system master key nor any user's partial private key, but it can replace any user's public key with a value of its choice. $A_2$ models a malicious-but-passive KGC: it holds the system master key but cannot replace the public key of the target user. Later work refined these adversary models; in particular, Huang et al. [14] revised the security model of CLS. According to the adversary's attack power, the Type I/II adversary $A_1$/$A_2$ is classified as a normal, strong or super Type I/II adversary. Through Sign queries, a normal adversary can only obtain valid signatures of a user under the original public key; once the public key has been replaced, the normal adversary obtains no valid signature. A strong adversary can obtain a valid signature under a replaced public key only after supplying the secret value corresponding to the new public key. A super adversary obtains valid signatures under a replaced public key without submitting the new secret value. A CLS scheme that resists super adversaries has the highest security and also withstands strong and normal adversaries. A CLS scheme that only resists normal adversaries is too weak for IoT environments. Next, we use the following two games to define existential unforgeability of a CLS scheme against both kinds of super adversaries.

Game I. The game is played between a challenger $C_1$ and a super Type I adversary $A_1$ as follows.

Setup: $C_1$ runs the Setup algorithm to produce the system master key $smk$ and the system parameters $params$; $C_1$ sends $params$ to $A_1$ and keeps $smk$ secret.

Query: $A_1$ may query the following oracles adaptively.
– Create-User: On a query on $ID_i$, $C_1$ checks the list $L^{list}$ for whether $ID_i$ has already been created; if so, $C_1$ returns the public key $pk_{ID_i}$ to $A_1$. Otherwise, $C_1$ runs Extract-Partial-Private-Key to produce $d_{ID_i}$, then runs Generate-User-Key to generate $v_{ID_i}$ and $pk_{ID_i}$, adds the tuple $(ID_i, d_{ID_i}, v_{ID_i}, pk_{ID_i})$ to $L^{list}$, and returns $pk_{ID_i}$ to $A_1$. (Note: we assume that a Create-User query always precedes any other oracle query on the same identity.)
– Extract-Partial-Private-Key: On a query on $ID_i$, $C_1$ searches $L^{list}$ for the item corresponding to $ID_i$. If the item $(ID_i, d_{ID_i}, v_{ID_i}, pk_{ID_i})$ does not exist, $\bot$ is returned; otherwise $d_{ID_i}$ is output.
– Extract-Secret-Value: On a query on $ID_i$, $C_1$ looks up $L^{list}$ and outputs $v_{ID_i}$.
– Replace-Public-Key: $A_1$ may replace the user's original public key $pk_{ID_i}$ with a new public key $pk_{ID_i}^*$ of its choice.
– SuperSign: On a query on a message $m_i$, an identity $ID_i$ and a public key $pk_{ID_i}$ that may have been replaced by $A_1$ (if $pk_{ID_i}$ was replaced, no new secret value need be provided), $C_1$ runs Sign to generate a valid signature $\sigma_i$ and returns it to $A_1$.

Forgery: Finally, $A_1$ outputs a tuple $(m^*, \sigma^*, ID_i^*, pk_{ID_i^*})$ and wins the game if the following three conditions hold:
– $\sigma^*$ is a valid signature on $m^*$ under $ID_i^*$ and $pk_{ID_i^*}$, where $pk_{ID_i^*}$ may have been replaced by $A_1$.
– The SuperSign oracle has never been queried on the tuple $(m^*, ID_i^*)$.
– The Extract-Partial-Private-Key oracle has never been queried on the identity $ID_i^*$.

Game II. The game is played between a challenger $C_2$ and a super Type II adversary $A_2$ as follows.

Setup: As in Game I, $C_2$ runs Setup to generate $params$ and $smk$, and gives both $params$ and $smk$ to $A_2$.

Query: As in Game I, $A_2$ may adaptively query the oracles Create-User, Extract-Partial-Private-Key, Extract-Secret-Value, Replace-Public-Key and SuperSign; $C_2$ answers exactly as in Game I.

Forgery: Finally, $A_2$ outputs a tuple $(m^*, \sigma^*, ID_i^*, pk_{ID_i^*})$ and wins Game II if the following three conditions hold:
– $\sigma^*$ is a valid signature on $(m^*, ID_i^*, pk_{ID_i^*})$, where $pk_{ID_i^*}$ is the original public key of the identity $ID_i^*$.
– The SuperSign oracle has never been queried on the tuple $(m^*, ID_i^*)$.
– The Extract-Secret-Value oracle has never been queried on the identity $ID_i^*$.

Definition 2. A CLS scheme is existentially unforgeable against adaptively chosen message and identity attacks if no polynomial-time super adversary $A_1$/$A_2$ wins Game I/II with non-negligible advantage.
3. Comments on Jia et al.'s scheme

3.1. Review of Jia et al.'s scheme

Jia et al.'s CLS scheme [34] consists of the following seven algorithms.

– Setup: $q$ is a prime of $l$ bits, where $l$ is the security parameter. The KGC proceeds as follows. (1) Generate an elliptic curve group $G$ of order $q$ with generator $P \in G$. (2) Select $x \in Z_q^*$ at random, compute $P_{pub} = xP$, and keep $x$ secret as the system master key. (3) Pick three distinct cryptographic hash functions
$$H_1 : \{0,1\}^* \times G \to Z_q^*,\quad H_2 : \{0,1\}^* \times G \times G \to Z_q^*,\quad H_3 : \{0,1\}^* \times Z_q^* \times G \times G \to Z_q^*.$$
(4) Publish the system public parameters $PP = \{G, P, P_{pub}, H_1, H_2, H_3\}$.
– Extract-Partial-Private-Key: On input $PP$ and an identity $ID$, the KGC randomly selects $\alpha \in Z_q^*$ and computes
$$R_{ID} = \alpha P,\quad h_1 = H_1(ID, R_{ID}),\quad d_{ID} = x h_1 + \alpha \pmod q,$$
and then secretly sends $D_{ID} = (R_{ID}, d_{ID})$ to the user $ID$ as his/her partial private key.
– Set-Secret-Value: The user $ID$ selects $x_{ID} \in Z_q^*$ at random as his/her secret value.
– Set-Private-Key: The user $ID$ sets $SK_{ID} = (d_{ID}, x_{ID})$ as his/her private key.
– Set-Public-Key: The user computes $P_{ID} = x_{ID}P$, $u = H_2(ID, P_{ID})$ and $Q_{ID} = R_{ID} + uP_{ID}$, and sets $PK_{ID} = (R_{ID}, Q_{ID})$ as the public key.
– CL-Sign: On input $ID$, $PP$, $SK_{ID}$, $PK_{ID}$ and a message $m$, the algorithm proceeds as follows. (1) Randomly choose $t \in Z_q^*$ and compute $T = tP = (T_x, T_y)$, where $T_x$ and $T_y$ are the x- and y-coordinates of $T$. (2) Set
$$r = T_x \bmod q,\quad u = H_2(ID, P_{ID}),\quad v = H_3(ID, m, h_1, PK_{ID}, T).$$
(3) Compute $\varepsilon = t^{-1}(v + r(d_{ID} + u x_{ID})) \bmod q$. The signature on message $m$ is $\sigma = (T, \varepsilon)$.
– Verify: On receiving a tuple $(m, ID, PK_{ID}, \sigma = (T, \varepsilon) = ((T_x, T_y), \varepsilon), PP)$ with public key $PK_{ID} = (R_{ID}, Q_{ID})$, the verifier proceeds as follows. (1) Compute
$$h_1 = H_1(ID, R_{ID}),\quad v = H_3(ID, m, h_1, PK_{ID}, T),\quad r = T_x \bmod q.$$
(2) Check whether
$$\varepsilon T \stackrel{?}{=} vP + r(Q_{ID} + h_1 P_{pub}).$$
If it holds, the verifier outputs "accept"; otherwise "reject".

3.2. Attack on Jia et al.'s scheme
Jia et al. claimed that their scheme is unforgeable against both kinds of super adversaries. However, we point out that the scheme cannot resist a super Type I adversary, or even a normal Type I adversary: it is universally forgeable under a public key replacement attack by a normal Type I adversary. We now give a concrete attack on Jia et al.'s scheme.

Assume that a normal Type I adversary $A_1$ intends to forge a signature of a user $ID$ with public key $PK_{ID} = (R_{ID}, Q_{ID})$. $A_1$ chooses a random $\xi \in Z_q^*$ and computes
$$h_1 = H_1(ID, R_{ID}),\quad Q_{ID}^* = -h_1 P_{pub} + \xi P.$$
$A_1$ substitutes the public key $PK_{ID}^* = (R_{ID}, Q_{ID}^*)$ for $PK_{ID} = (R_{ID}, Q_{ID})$. After replacing the public key of the user $ID$, $A_1$ can impersonate $ID$ and forge a signature on an arbitrary message $m^*$. The attack needs no signing queries and no knowledge of $d_{ID}$ or $x_{ID}$; only the public value $R_{ID}$ is used.

– Sign: $A_1$ proceeds as follows. (1) Select a random $t^* \in Z_q^*$ and compute
$$T^* = t^*P = (T_x^*, T_y^*),\quad r^* = T_x^* \bmod q.$$
(2) Set $v^* = H_3(ID, m^*, h_1, PK_{ID}^*, T^*)$. (3) Compute
$$\varepsilon^* = (t^*)^{-1}(v^* + r^*\xi) \bmod q.$$
The signature on message $m^*$ is $\sigma^* = (T^*, \varepsilon^*)$.

– Verify: Given a tuple $(m^*, ID, PK_{ID}^* = (R_{ID}, Q_{ID}^*), \sigma^* = (T^*, \varepsilon^*), PP)$ with $T^* = (T_x^*, T_y^*)$, a verifier proceeds as follows. (1) Compute
$$h_1 = H_1(ID, R_{ID}),\quad v^* = H_3(ID, m^*, h_1, PK_{ID}^*, T^*),\quad r^* = T_x^* \bmod q.$$
(2) Check whether
$$\varepsilon^* T^* \stackrel{?}{=} v^*P + r^*(Q_{ID}^* + h_1 P_{pub}).$$
If it holds, the verifier outputs "accept"; otherwise "reject".

The forged signature is valid, because the verification equation $\varepsilon^* T^* = v^*P + r^*(Q_{ID}^* + h_1 P_{pub})$ always holds:
$$v^*P + r^*(Q_{ID}^* + h_1 P_{pub}) = v^*P + r^*(-h_1 P_{pub} + \xi P + h_1 P_{pub}) = v^*P + r^*\xi P = (v^* + r^*\xi)P = \varepsilon^* T^*.$$
Hence, the scheme in [34] cannot resist normal Type I adversaries, let alone super Type I adversaries.

Remark. Jia et al.'s CLS scheme [34] fails against the public key replacement attack of a normal Type I adversary because both the Set-Public-Key and the CL-Sign algorithm are designed improperly: the verifier never checks that $Q_{ID}$ is well formed with respect to $R_{ID}$ and $P_{ID}$, so an adversary can fold $-h_1P_{pub}$ into $Q_{ID}$ and cancel the KGC's contribution $h_1P_{pub}$ in the verification equation. If the user's public key $PK_{ID} = (R_{ID}, Q_{ID})$ were replaced by $PK_{ID} = (R_{ID}, P_{ID})$, where $Q_{ID} = R_{ID} + uP_{ID}$, $P_{ID} = x_{ID}P$ and $u = H_2(ID, P_{ID})$, and suitable hash functions were added to the CL-Sign algorithm, this forgery attack could be prevented.

4. A provably-secure CLS scheme for IoT

4.1. The basic scheme

We present a provably-secure certificateless signature scheme for IoT in this section.

– Setup: $q$ is a large prime of $l$ bits, where $l$ is the security parameter; $G$ is an elliptic curve additive group of order $q$ with generator $P \in G$. The KGC proceeds as follows. (1) Select $x \in Z_q^*$ at random, compute $P_{pub} = xP$, and keep $x$ secret as the system master key. (2) Select three distinct secure hash functions
$$H_1 : \{0,1\}^* \to Z_q^*,\quad H_2 : \{0,1\}^* \to Z_q^*,\quad H_3 : \{0,1\}^* \to Z_q^*.$$
(3) Publish $params = \{l, G, q, P, P_{pub}, H_1, H_2, H_3\}$.
– Extract-Partial-Private-Key: On input $params$ and a user's identity $ID$, the KGC randomly picks $\alpha \in Z_q^*$ and computes
$$y_{ID} = \alpha P,\quad h_1 = H_1(ID, y_{ID}, P, P_{pub}),\quad d_{ID} = \alpha + h_1 x \pmod q,$$
and then secretly returns $D_{ID} = (y_{ID}, d_{ID})$ to the user $ID$ as his/her partial private key.
– Generate-User-Key: The user randomly selects $v_{ID} \in Z_q^*$ as the secret value and computes $g_{ID} = v_{ID}P$. $PK_{ID} = (g_{ID}, y_{ID})$ is the user $ID$'s public key.
– Sign: On input a message $m$, $D_{ID}$, $v_{ID}$ and $PK_{ID}$, the algorithm proceeds as follows. (1) Randomly pick $k \in Z_q^*$ and compute $\delta = kP$. (2) Compute
$$h_2 = H_2(m, \delta, ID, PK_{ID}, P_{pub}),\quad h_3 = H_3(m, \delta, ID, PK_{ID}, h_2).$$
(3) Compute
$$z = k^{-1}(h_2 v_{ID} + h_3 d_{ID}) \bmod q.$$
The signature on message $m$ is $\sigma = (\delta, z)$.
– Verify: Given a message/signature pair $(m, \sigma = (\delta, z))$, $params$ and $PK_{ID} = (g_{ID}, y_{ID})$, the algorithm proceeds as follows. (1) Compute
$$h_1 = H_1(ID, y_{ID}, P, P_{pub}),\quad h_2 = H_2(m, \delta, ID, PK_{ID}, P_{pub}),\quad h_3 = H_3(m, \delta, ID, PK_{ID}, h_2).$$
(2) Check whether
$$z\delta \stackrel{?}{=} h_2 g_{ID} + h_3(y_{ID} + h_1 P_{pub}).$$
If it holds, the algorithm outputs "1"; otherwise it outputs "0". Correctness follows from $z\delta = (h_2 v_{ID} + h_3 d_{ID})P = h_2 g_{ID} + h_3(\alpha + h_1 x)P = h_2 g_{ID} + h_3(y_{ID} + h_1 P_{pub})$. Note that, unlike in Jia et al.'s scheme, $h_1$ binds $y_{ID}$ together with $P_{pub}$, so replacing $y_{ID}$ changes $h_1$ and the KGC term $h_1P_{pub}$ cannot be cancelled by a key replacement.

4.2. Security analysis

Our CLS scheme is provably secure against both kinds of super adversaries.

Theorem 1. Suppose $A_1$ is a probabilistic polynomial-time super adversary. If $A_1$ has a non-negligible advantage $\varepsilon$ of forging a valid signature in Game I after at most $q_{H_1}$ queries to the hash oracle $H_1$ and $q_{ppk}$ Extract-Partial-Private-Key queries, then there exists an algorithm $C_1$ that calls $A_1$ as a subroutine and solves the ECDLP with probability
$$\varepsilon' \geq \varepsilon\,\Big(\frac{q_{H_1}-1}{q_{H_1}}\Big)^{q_{ppk}} \Big/ q_{H_1}.$$

Proof. Let $(P, xP) \in G$ be an arbitrary instance of the ECDLP. $C_1$'s goal is to obtain $x$ by interacting with $A_1$.

Setup: $C_1$ randomly selects $a \in Z_q^*$, computes $P_{pub} = aP$, and produces the system public parameters
$$params = \{l, G, q, P, P_{pub}, H_1, H_2, H_3\}.$$
Then $C_1$ selects an identity $ID_I$ at random as the challenge identity and sends $params$ to $A_1$. $C_1$ maintains three initially empty lists $L^{list}$, $H_2^{list}$ and $H_3^{list}$: $L^{list}$ records Create-User queries, and $H_2^{list}$ and $H_3^{list}$ record $H_2$ and $H_3$ queries, respectively.

Query:
– Create-User: On a query on an identity $ID_i$, $C_1$ first randomly picks $v_{ID_i} \in Z_q^*$ and computes $g_{ID_i} = v_{ID_i}P$. Then $C_1$ proceeds as follows. If $ID_i \neq ID_I$, $C_1$ selects two random elements $\alpha_i, h_{1i} \in Z_q^*$, computes $y_{ID_i} = \alpha_i P$, sets $H_1(ID_i, y_{ID_i}, P, P_{pub}) = h_{1i}$, and computes $d_{ID_i} = \alpha_i + a h_{1i} \pmod q$. If $ID_i = ID_I$, $C_1$ randomly picks $h_{1i} \in Z_q^*$, sets $y_{ID_i} = xP$, $H_1(ID_i, y_{ID_i}, P, P_{pub}) = h_{1i}$ and $d_{ID_i} = \bot$. In both cases the user $ID_i$ has been created: its partial private key is $(y_{ID_i}, d_{ID_i})$ and its secret value is $v_{ID_i}$. $C_1$ returns $PK_{ID_i} = (g_{ID_i}, y_{ID_i})$ to $A_1$ as the public key of $ID_i$ and adds the tuple $(ID_i, d_{ID_i}, y_{ID_i}, v_{ID_i}, g_{ID_i}, h_{1i})$ to $L^{list}$. (Note: we assume that a Create-User query always precedes any other oracle query on the same identity.)
– Extract-Partial-Private-Key: On a query on a created user $ID_i$: if $ID_i \neq ID_I$, $C_1$ finds the record $(ID_i, d_{ID_i}, y_{ID_i}, v_{ID_i}, g_{ID_i}, h_{1i})$ in $L^{list}$ and returns $(y_{ID_i}, d_{ID_i})$ to $A_1$; otherwise $C_1$ aborts and returns "failure".
– Extract-Secret-Value: On a query on a created user $ID_i$, $C_1$ finds the tuple $(ID_i, d_{ID_i}, y_{ID_i}, v_{ID_i}, g_{ID_i}, h_{1i})$ in $L^{list}$ and returns $v_{ID_i}$ to $A_1$.
– Replace-Public-Key: On a query on input $(ID_i, PK'_{ID_i})$, $C_1$ retrieves the item $(ID_i, d_{ID_i}, y_{ID_i}, v_{ID_i}, g_{ID_i}, h_{1i})$ from $L^{list}$, sets $PK_{ID_i} = PK'_{ID_i}$ and $v_{ID_i} = \bot$, and updates the item accordingly.
– $H_1$-queries: $A_1$ submits a tuple $(ID_i, y_{ID_i}, P, P_{pub})$. $C_1$ retrieves the record $(ID_i, d_{ID_i}, y_{ID_i}, v_{ID_i}, g_{ID_i}, h_{1i})$ from $L^{list}$ and returns $h_{1i}$ to $A_1$ if it exists. Otherwise, $C_1$ first answers a Create-User query on $ID_i$ itself, then extracts $h_{1i}$ from $L^{list}$ and returns it to $A_1$.
– $H_2$-queries: $C_1$ keeps a list $H_2^{list}$ of tuples $(m_i, \delta_i, ID_i, PK_{ID_i}, P_{pub}, h_{2i})$. When $A_1$ submits $(m_i, \delta_i, ID_i, PK_{ID_i}, P_{pub})$, $C_1$ returns $h_{2i}$ if the tuple exists in $H_2^{list}$. Otherwise, $C_1$ picks a random $h_{2i} \in Z_q^*$, sets $H_2(m_i, \delta_i, ID_i, PK_{ID_i}, P_{pub}) = h_{2i}$, returns $h_{2i}$ to $A_1$ and inserts $(m_i, \delta_i, ID_i, PK_{ID_i}, P_{pub}, h_{2i})$ into $H_2^{list}$.
– $H_3$-queries: On input $(m_i, \delta_i, ID_i, PK_{ID_i}, h_{2i})$, $C_1$ searches $H_3^{list}$. If it contains the tuple $(m_i, \delta_i, ID_i, PK_{ID_i}, h_{2i}, h_{3i})$, $C_1$ outputs $h_{3i}$. Otherwise, $C_1$ randomly selects $h_{3i} \in Z_q^*$, sets $H_3(m_i, \delta_i, ID_i, PK_{ID_i}, h_{2i}) = h_{3i}$, returns $h_{3i}$ to $A_1$ and inserts $(m_i, \delta_i, ID_i, PK_{ID_i}, h_{2i}, h_{3i})$ into $H_3^{list}$.
– SuperSign: On a query on a message $m_i$, an identity $ID_i$ and the current public key $PK_{ID_i}$ (no new secret value need be provided if $PK_{ID_i}$ has been replaced by $A_1$), $C_1$ retrieves $(ID_i, d_{ID_i}, y_{ID_i}, v_{ID_i}, g_{ID_i}, h_{1i})$ from $L^{list}$ and proceeds as follows. If $ID_i \neq ID_I$ and $PK_{ID_i}$ has not been replaced, $C_1$ randomly selects $k_i \in Z_q^*$, computes $\delta_i = k_iP$, sets $h_{2i} = H_2(m_i, \delta_i, ID_i, PK_{ID_i}, P_{pub})$ and $h_{3i} = H_3(m_i, \delta_i, ID_i, PK_{ID_i}, h_{2i})$, and computes
$$z_i = k_i^{-1}(h_{2i} v_{ID_i} + h_{3i} d_{ID_i}) \bmod q.$$
$C_1$ sends $\sigma_i = (\delta_i, z_i)$ to $A_1$, and adds $(m_i, \delta_i, ID_i, PK_{ID_i}, P_{pub}, h_{2i})$ to $H_2^{list}$ and $(m_i, \delta_i, ID_i, PK_{ID_i}, h_{2i}, h_{3i})$ to $H_3^{list}$. Otherwise, $C_1$ selects three random values $z_i, h_{2i}, h_{3i} \in Z_q^*$, computes $\delta_i = z_i^{-1}(h_{2i} g_{ID_i} + h_{3i}(y_{ID_i} + h_{1i}P_{pub}))$, and sets
$$h_{2i} = H_2(m_i, \delta_i, ID_i, PK_{ID_i}, P_{pub}),\quad h_{3i} = H_3(m_i, \delta_i, ID_i, PK_{ID_i}, h_{2i}).$$
$C_1$ returns $\sigma_i = (\delta_i, z_i)$ to $A_1$ as the signature, and inserts $(m_i, \delta_i, ID_i, PK_{ID_i}, P_{pub}, h_{2i})$ into $H_2^{list}$ and $(m_i, \delta_i, ID_i, PK_{ID_i}, h_{2i}, h_{3i})$ into $H_3^{list}$.

Forgery: Finally, $A_1$ outputs a valid message/signature pair $(m_i^*, \sigma_i^* = (\delta_i^*, z_i^*))$ for $ID_i^*$ under $PK_{ID_i^*}$, which may have been replaced by $A_1$. If $ID_i^* \neq ID_I$, $C_1$ aborts and returns "failure". Otherwise, $C_1$ retrieves the record $(ID_i^*, d_{ID_i^*}, y_{ID_i^*}, v_{ID_i^*}, g_{ID_i^*}, h_{1i}^*)$ from $L^{list}$, the record $(m_i^*, \delta_i^*, ID_i^*, PK_{ID_i^*}, P_{pub}, h_{2i}^*)$ from $H_2^{list}$ and the record $(m_i^*, \delta_i^*, ID_i^*, PK_{ID_i^*}, h_{2i}^*, h_{3i}^*)$ from $H_3^{list}$. We now apply the forking lemma [36]: $C_1$ replays $A_1$ with the same random tape but answers the $H_3$ query on the forgery with two other values, i.e.
$$h_{3i}^{*(2)} = H_3(m_i^*, \delta_i^*, ID_i^*, PK_{ID_i^*}, h_{2i}^*),\quad h_{3i}^{*(3)} = H_3(m_i^*, \delta_i^*, ID_i^*, PK_{ID_i^*}, h_{2i}^*),$$
with $h_{3i}^{*(2)}$, $h_{3i}^{*(3)}$ and $h_{3i}^*$ pairwise distinct. Then $A_1$ returns $\sigma_i^{*(2)} = (\delta_i^*, z_i^{*(2)})$ and $\sigma_i^{*(3)} = (\delta_i^*, z_i^{*(3)})$, two more valid signatures on the same message $m_i^*$. As a result, we have the following three equations (for convenience, let $h_{3i}^{*(1)} = h_{3i}^*$ and $z_i^{*(1)} = z_i^*$):
$$z_i^{*(j)}\delta_i^* = h_{2i}^* g_{ID_i^*} + h_{3i}^{*(j)}\big(y_{ID_i^*} + h_{1i}^* P_{pub}\big),\qquad j = 1, 2, 3.$$
Here $\delta_i^* = k_i^*P$, $g_{ID_i^*} = v_{ID_i^*}P$, $y_{ID_i^*} = xP$ and $P_{pub} = aP$, so we obtain
$$z_i^{*(j)} = (k_i^*)^{-1}\big(h_{2i}^* v_{ID_i^*} + h_{3i}^{*(j)}(x + a h_{1i}^*)\big) \bmod q,\qquad j = 1, 2, 3.$$
Let
$$D = \big(h_{3i}^{*(3)} - h_{3i}^{*(1)}\big)\big(z_i^{*(1)} - z_i^{*(2)}\big) - \big(h_{3i}^{*(2)} - h_{3i}^{*(1)}\big)\big(z_i^{*(1)} - z_i^{*(3)}\big).$$
If $D = 0 \pmod q$, $C_1$ provides two other distinct values for $h_{3i}^{*(2)}, h_{3i}^{*(3)}$. In the above three equations only $k_i^*$, $v_{ID_i^*}$ and $x$ are unknown to $C_1$, and $C_1$ solves them for $x$ by Cramer's rule, obtaining
$$x = \frac{-a h_{1i}^* D}{D} = -a h_{1i}^* \pmod q.$$
Note, however, that subtracting the $j = 1$ equation from the other two gives $(z_i^{*(j)} - z_i^{*(1)})\,k_i^* = (h_{3i}^{*(j)} - h_{3i}^{*(1)})(x + a h_{1i}^*)$ for $j = 2, 3$, so whenever all three forgeries are valid under the same $k_i^*$ the three equations are linearly dependent and $D = 0 \pmod q$ identically, whatever values of $h_{3i}^{*(2)}, h_{3i}^{*(3)}$ are chosen; forks on $H_3$ alone determine only the ratio $(x + a h_{1i}^*)/k_i^*$. If $PK_{ID_i^*}$ has not been replaced, $C_1$ knows $v_{ID_i^*}$ and two forks suffice:
$$k_i^* = \frac{h_{2i}^* v_{ID_i^*}\big(h_{3i}^{*(2)} - h_{3i}^{*(1)}\big)}{z_i^{*(1)} h_{3i}^{*(2)} - z_i^{*(2)} h_{3i}^{*(1)}} \pmod q,\qquad x = \frac{z_i^{*(1)} k_i^* - h_{2i}^* v_{ID_i^*}}{h_{3i}^{*(1)}} - a h_{1i}^* \pmod q.$$
If $PK_{ID_i^*}$ has been replaced ($v_{ID_i^*} = \bot$), an additional fork on the $H_2$ query is needed to obtain a third independent equation in $k_i^*$, $v_{ID_i^*}$ and $x$.

In this way $C_1$ obtains the solution $x$ to the given ECDLP instance. Next we compute $C_1$'s success probability in Game I. $C_1$ wins when events $E_1$ and $E_2$ do not occur but $E_3$ does:
– $E_1$: $A_1$ submits an Extract-Partial-Private-Key query on the challenge identity $ID_I$.
– $E_2$: In the Forgery phase, $A_1$ outputs a message/signature pair $(m_i^*, \sigma_i^*)$ on an identity $ID_i^* \neq ID_I$.
– $E_3$: $\sigma_i^*$ is a valid forgery on $(m_i^*, ID_I)$.
Clearly,
$$\Pr[\neg E_1] \geq \Big(1 - \frac{1}{q_{H_1}}\Big)^{q_{ppk}},\quad \Pr[\neg E_2 \mid \neg E_1] \geq \frac{1}{q_{H_1}},\quad \Pr[E_3 \mid \neg E_1 \wedge \neg E_2] = \varepsilon.$$
As a result, $C_1$'s success probability is
$$\varepsilon' = \Pr[\neg E_1 \wedge \neg E_2 \wedge E_3] = \Pr[\neg E_1]\,\Pr[\neg E_2 \mid \neg E_1]\,\Pr[E_3 \mid \neg E_1 \wedge \neg E_2] \geq \varepsilon\,\Big(\frac{q_{H_1}-1}{q_{H_1}}\Big)^{q_{ppk}}\Big/q_{H_1}.$$
Hence $C_1$ solves the ECDLP with probability
$$\varepsilon' \geq \varepsilon\,\Big(\frac{q_{H_1}-1}{q_{H_1}}\Big)^{q_{ppk}}\Big/q_{H_1}.$$
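To make the two constructions above concrete, the following Python model (an added example; it is not code from this paper or from Jia et al.) runs the key-replacement forgery of Section 3.2 against Jia et al.'s verifier and then signs and verifies with the scheme of Section 4.1. It assumes secp256k1 as the group $G$ (the paper fixes no curve), instantiates $H_1$, $H_2$, $H_3$ as SHA-256 over a tagged encoding reduced into $Z_q^*$, and uses a made-up identity and message; the function and variable names are this example's own.

```python
# Added example (not from Du et al.'s paper): a toy model of the key-replacement
# forgery against Jia et al.'s scheme (Section 3.2) and of sign/verify for the
# scheme of Section 4.1. Assumed: secp256k1 plays the group G (the paper fixes
# no curve), H1..H3 are SHA-256 reduced into Z_q^*, identity/message are made up.
import hashlib
import secrets

# secp256k1: y^2 = x^3 + 7 over F_p, prime order n (the paper's q), generator P.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity O."""
    if A is None or B is None:
        return A or B
    if A[0] == B[0] and (A[1] + B[1]) % p == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, p) % p
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):
    """Scalar multiplication k*A by double-and-add; k is reduced mod n."""
    R, k = None, k % n
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def rand_zq():
    return 1 + secrets.randbelow(n - 1)  # uniform in Z_q^*

def H(tag, *items):
    """H1/H2/H3: SHA-256 over a tagged, length-delimited encoding, into Z_q^*."""
    h = hashlib.sha256(tag.encode())
    for it in items:
        s = repr(it).encode()
        h.update(len(s).to_bytes(4, "big") + s)
    return 1 + int.from_bytes(h.digest(), "big") % (n - 1)

# ---- Jia et al.'s scheme (Section 3.1): its verifier and the Section 3.2 forger ----
def jia_verify(Ppub, ID, PK, m, sig):
    """Accept iff eps*T == v*P + r*(Q_ID + h1*Ppub), with PK = (R_ID, Q_ID)."""
    (R, Q), (T, eps) = PK, sig
    h1 = H("H1", ID, R)
    v, r = H("H3", ID, m, h1, PK, T), T[0] % n
    return mul(eps, T) == add(mul(v, P), mul(r, add(Q, mul(h1, Ppub))))

def jia_forge(Ppub, ID, R, m):
    """Normal Type I adversary: needs only the public R_ID and no oracle queries.
    Sets Q*_ID = -h1*Ppub + xi*P so the KGC term cancels, then signs with xi."""
    h1, xi = H("H1", ID, R), rand_zq()
    PK_star = (R, add(mul(n - h1, Ppub), mul(xi, P)))  # n - h1 acts as -h1 mod n
    T = mul(t := rand_zq(), P)
    v, r = H("H3", ID, m, h1, PK_star, T), T[0] % n
    return PK_star, (T, pow(t, -1, n) * (v + r * xi) % n)

# ---- The scheme of Section 4.1 ----
def cls_extract(x, Ppub, ID):
    """KGC: y_ID = alpha*P, h1 = H1(ID, y_ID, P, Ppub), d_ID = alpha + h1*x."""
    y = mul(alpha := rand_zq(), P)
    return y, (alpha + H("H1", ID, y, P, Ppub) * x) % n

def cls_keygen(y):
    """User: secret v_ID, g_ID = v_ID*P, PK_ID = (g_ID, y_ID)."""
    v = rand_zq()
    return v, (mul(v, P), y)

def cls_sign(Ppub, ID, PK, d, v, m):
    """sigma = (delta, z): delta = k*P, z = k^-1 (h2*v_ID + h3*d_ID) mod q."""
    delta = mul(k := rand_zq(), P)
    h2 = H("H2", m, delta, ID, PK, Ppub)
    h3 = H("H3", m, delta, ID, PK, h2)
    return delta, pow(k, -1, n) * (h2 * v + h3 * d) % n

def cls_verify(Ppub, ID, PK, m, sig):
    """Accept iff z*delta == h2*g_ID + h3*(y_ID + h1*Ppub)."""
    (g, y), (delta, z) = PK, sig
    h1 = H("H1", ID, y, P, Ppub)
    h2 = H("H2", m, delta, ID, PK, Ppub)
    h3 = H("H3", m, delta, ID, PK, h2)
    return mul(z, delta) == add(mul(h2, g), mul(h3, add(y, mul(h1, Ppub))))

def demo(ID="sensor-node-17", m="open valve"):
    """Constructed run: (forgery accepted by Jia et al.'s verifier, honest
    signature accepted by the Section 4.1 verifier, tampered message rejected)."""
    Ppub = mul(x := rand_zq(), P)
    R = mul(rand_zq(), P)  # R_ID of Jia's partial key; d_ID and x_ID never needed
    PK_star, sig = jia_forge(Ppub, ID, R, m)
    y, d = cls_extract(x, Ppub, ID)
    v, PK = cls_keygen(y)
    s = cls_sign(Ppub, ID, PK, d, v, m)
    return (jia_verify(Ppub, ID, PK_star, m, sig),
            cls_verify(Ppub, ID, PK, m, s), cls_verify(Ppub, ID, PK, m + "!", s))
```

Calling `demo()` returns `(True, True, False)`: Jia et al.'s verifier accepts a signature produced from nothing but the public $R_{ID}$, while the Section 4.1 verifier accepts the honest signature and rejects a modified message. The forgery works because $Q_{ID}$ is an unconstrained group element from the verifier's point of view; the analogous substitution $y_{ID}^* = -h_1P_{pub} + \xi P$ does not work against Section 4.1, because $h_1 = H_1(ID, y_{ID}, P, P_{pub})$ changes as soon as $y_{ID}$ does.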
Theorem 2. Suppose $A_2$ is a probabilistic polynomial-time super adversary. If $A_2$ has a non-negligible advantage $\varepsilon$ of forging a valid signature in Game II after at most $q_{H_1}$ queries to the hash oracle $H_1$, $q_{esv}$ Extract-Secret-Value queries and $q_{rpk}$ Replace-Public-Key queries, then there exists an algorithm $C_2$ that calls $A_2$ as a subroutine and solves the ECDLP with probability
$$\varepsilon' \geq \varepsilon\,\Big(\frac{q_{H_1}-1}{q_{H_1}}\Big)^{q_{esv}+q_{rpk}} \Big/ q_{H_1}.$$

Proof. We show how $C_2$ calls $A_2$ as a subroutine to solve an arbitrary ECDLP instance $(P, xP) \in G$.

Setup: $C_2$ selects $a \in Z_q^*$ at random, computes $P_{pub} = aP$, and produces $params = \{l, G, q, P, P_{pub}, H_1, H_2, H_3\}$. Then $C_2$ picks an identity $ID_I$ as the challenge identity and returns $a$ and $params$ to the adversary $A_2$. $C_2$ maintains three initially empty lists $L^{list}$, $H_2^{list}$ and $H_3^{list}$.

Query:
– Create-User: $A_2$ submits a query on $ID_i$. $C_2$ selects two random elements $\alpha_i, h_{1i} \in Z_q^*$, computes $y_{ID_i} = \alpha_i P$, sets $H_1(ID_i, y_{ID_i}, P, P_{pub}) = h_{1i}$, and computes $d_{ID_i} = \alpha_i + a h_{1i} \pmod q$. Then $C_2$ proceeds as follows:
If $ID_i \ne ID_I$, C2 picks a random $v_{ID_i} \in \mathbb{Z}_q^*$ and computes $g_{ID_i} = v_{ID_i} P$. If $ID_i = ID_I$, C2 sets $g_{ID_i} = xP$ (so the secret value is implicitly $x$, which C2 does not know) and records $v_{ID_i} = \bot$. In both cases we say that the user $ID_i$ has been created. The partial private key of $ID_i$ is $(y_{ID_i}, d_{ID_i})$ and its secret value is $v_{ID_i}$. C2 returns the public key $PK_{ID_i} = (g_{ID_i}, y_{ID_i})$ to A2 and adds the tuple $(ID_i, d_{ID_i}, y_{ID_i}, v_{ID_i}, g_{ID_i}, h_{1i})$ to $L^{list}$. (Note: a Create-User query on $ID_i$ always precedes any other oracle query on $ID_i$.)
– Extract-Partial-Private-Key: If A2 queries a created user $ID_i$, C2 looks up the item $(ID_i, d_{ID_i}, y_{ID_i}, v_{ID_i}, g_{ID_i}, h_{1i})$ in $L^{list}$ and returns $(y_{ID_i}, d_{ID_i})$ to A2.
– Extract-Secret-Value: A2 queries a created user $ID_i$. If $ID_i = ID_I$, C2 outputs "failure" and aborts; otherwise C2 looks up the item $(ID_i, d_{ID_i}, y_{ID_i}, v_{ID_i}, g_{ID_i}, h_{1i})$ in $L^{list}$ and returns $v_{ID_i}$ to A2.
– Replace-Public-Key: A2 submits a tuple $(ID_i, PK'_{ID_i})$. If $ID_i = ID_I$, C2 rejects the query and returns "failure"; otherwise C2 looks up the item $(ID_i, d_{ID_i}, y_{ID_i}, v_{ID_i}, g_{ID_i}, h_{1i})$ in $L^{list}$, sets $PK_{ID_i} = PK'_{ID_i}$ and $v_{ID_i} = \bot$, and updates the item with the new public key.
– $H_1, H_2, H_3$ queries: answered exactly as the $H_1, H_2, H_3$ queries in Theorem 1.
– SuperSign: On a query $(m_i, ID_i, PK_{ID_i})$, C2 retrieves $(ID_i, d_{ID_i}, y_{ID_i}, v_{ID_i}, g_{ID_i}, h_{1i})$ from $L^{list}$ and distinguishes two cases.
If $ID_i \ne ID_I$ and $PK_{ID_i}$ has not been replaced, C2 knows both $v_{ID_i}$ and $d_{ID_i}$ and signs honestly: it picks a random $k_i \in \mathbb{Z}_q^*$, computes $\delta_i = k_i P$, sets $h_{2i} = H_2(m_i, \delta_i, ID_i, PK_{ID_i}, P_{pub})$ and $h_{3i} = H_3(m_i, \delta_i, ID_i, PK_{ID_i}, h_{2i})$, and computes
$$z_i = k_i^{-1}\,(h_{2i} v_{ID_i} + h_{3i} d_{ID_i}) \bmod q.$$
C2 returns $\sigma_i = (\delta_i, z_i)$ to A2 and adds $(m_i, \delta_i, ID_i, PK_{ID_i}, P_{pub}, h_{2i})$ to $H_2^{list}$ and $(m_i, \delta_i, ID_i, PK_{ID_i}, h_{2i}, h_{3i})$ to $H_3^{list}$.
Otherwise (the query is on $ID_I$, or the public key has been replaced, so the secret value is unknown to C2), C2 picks three distinct random elements $z_i, h_{2i}, h_{3i} \in \mathbb{Z}_q^*$, computes
$$\delta_i = z_i^{-1}\,\big(h_{2i} g_{ID_i} + h_{3i}(y_{ID_i} + h_{1i} P_{pub})\big),$$
and programs the random oracles as $H_2(m_i, \delta_i, ID_i, PK_{ID_i}, P_{pub}) = h_{2i}$ and $H_3(m_i, \delta_i, ID_i, PK_{ID_i}, h_{2i}) = h_{3i}$ (if either input has already been queried, C2 restarts this step with fresh randomness). C2 returns $\sigma_i = (\delta_i, z_i)$ to A2 and adds $(m_i, \delta_i, ID_i, PK_{ID_i}, P_{pub}, h_{2i})$ and $(m_i, \delta_i, ID_i, PK_{ID_i}, h_{2i}, h_{3i})$ to $H_2^{list}$ and $H_3^{list}$ respectively. By construction $z_i \delta_i = h_{2i} g_{ID_i} + h_{3i}(y_{ID_i} + h_{1i} P_{pub})$, so the simulated signature passes verification.

Forgery. Finally, A2 outputs a forgery $(m_i^*, \sigma_i^* = (\delta_i^*, z_i^*))$ on $ID_i^*$ under the public key $PK_{ID_i^*}$. If $ID_i^* \ne ID_I$, C2 aborts. Otherwise C2 retrieves the entry $(ID_i^*, d_{ID_i^*}, y_{ID_i^*}, v_{ID_i^*}, g_{ID_i^*}, h_{1i}^*)$ from $L^{list}$, the entry $(m_i^*, \delta_i^*, ID_i^*, PK_{ID_i^*}, P_{pub}, h_{2i}^*)$ from $H_2^{list}$ and the entry $(m_i^*, \delta_i^*, ID_i^*, PK_{ID_i^*}, h_{2i}^*, h_{3i}^*)$ from $H_3^{list}$. We now apply the forking lemma [36]: C2 replays A2 with the same random tape but answers the $H_2$ query on $(m_i^*, \delta_i^*, ID_i^*, PK_{ID_i^*}, P_{pub})$ with a different value $h'_{2i} \ne h_{2i}^*$ (and answers the subsequent $H_3$ query with the same $h_{3i}^*$). A2 then returns a second forgery $\sigma'_i = (\delta_i^*, z'_i)$ on the same message $m_i^*$. Both forgeries satisfy the verification equation, so
$$z_i^* \delta_i^* = h_{2i}^* g_{ID_i^*} + h_{3i}^*\big(y_{ID_i^*} + h_{1i}^* P_{pub}\big), \qquad z'_i \delta_i^* = h'_{2i} g_{ID_i^*} + h_{3i}^*\big(y_{ID_i^*} + h_{1i}^* P_{pub}\big).$$
Since $\delta_i^* = k_i^* P$, $g_{ID_i^*} = xP$, $y_{ID_i^*} = \alpha_i^* P$ and $P_{pub} = aP$, these give the two scalar equations
$$z_i^* = (k_i^*)^{-1}\big(h_{2i}^* x + h_{3i}^*(\alpha_i^* + a h_{1i}^*)\big) \bmod q, \qquad z'_i = (k_i^*)^{-1}\big(h'_{2i} x + h_{3i}^*(\alpha_i^* + a h_{1i}^*)\big) \bmod q.$$
Only $k_i^*$ and $x$ are unknown to C2 (it chose $\alpha_i^*$, $h_{1i}^*$, $h_{2i}^*$, $h'_{2i}$, $h_{3i}^*$ and holds $a$). Eliminating $k_i^*$ yields
$$x = \frac{h_{3i}^*\,(z_i^* - z'_i)\,(\alpha_i^* + a h_{1i}^*)}{h_{2i}^* z'_i - z_i^* h'_{2i}} \bmod q,$$
which C2 outputs as the solution of the ECDLP. If $h_{2i}^* z'_i - z_i^* h'_{2i} \equiv 0 \pmod q$, C2 replays once more with a fresh value for $H_2$. (Substituting the two scalar equations shows that the denominator equals $(k_i^*)^{-1} h_{3i}^* (\alpha_i^* + a h_{1i}^*)(h_{2i}^* - h'_{2i}) \bmod q$, so it vanishes only when $h_{3i}^*(\alpha_i^* + a h_{1i}^*) \equiv 0 \pmod q$, which happens with negligible probability.)

Following the argument of Theorem 1, the probability that C2 solves the ECDLP is
$$\varepsilon' \ge \varepsilon \left(\frac{q_{H_1}-1}{q_{H_1}}\right)^{q_{esv}+q_{rpk}} \cdot \frac{1}{q_{H_1}}. \qquad \square$$

4.3. Performance analysis

We now evaluate the performance of our scheme and compare it with the existing representative CLS schemes. To ensure a comparable security level, widely accepted parameter sizes are used for all CLS schemes mentioned in this paper. For the computational costs, the execution times of the relevant cryptographic operations are taken from measurements with the MIRACL library [37] and from [38], as listed in Table 1. Addition and multiplication in $\mathbb{Z}_q^*$ and a general-purpose hash take negligible time (a general hash operation costs only about 0.0001 ms), so these operations are ignored in the evaluation below. For pairing-based CLS schemes we take the Tate pairing as an example: on a supersingular elliptic curve $y^2 = x^3 + x$ over a 512-bit prime field, the Tate pairing reaches the security level of 1024-bit RSA. For ECC-based CLS schemes the same security level is obtained with the group of the Koblitz curve $y^2 = x^3 + \lambda x + \eta$ over $\mathbb{F}_{2^{163}}$ with $\lambda = 1$ and a 163-bit constant $\eta$; in general, 160-bit ECC offers security comparable to 1024-bit RSA. Let $|G_{bp}|$ and $|G_{ec}|$ denote the size of a group element in the pairing-based and elliptic-curve settings respectively, and $|\mathbb{Z}_q^*|$ the size of an element of $\mathbb{Z}_q^*$, where $q$ is a 160-bit prime.

Table 1 Run time of several cryptographic operations (in milliseconds).
Symbol | Operation | Runtime (ms)
Tpr | bilinear pairing computation | 4.2110
Tpsm | pairing-based scalar multiplication | 1.7090
Tppa | pairing-based point addition | 0.0071
Tsm | scalar multiplication on elliptic curve | 0.4420
Tpa | point addition on elliptic curve | 0.0018
Tmtp | map-to-point hash function | 4.4060

Table 2 Performance comparison among different CLS schemes.
Scheme | Sign | Verify | Signature size | Security against A1 | Security against A2
Al-Riyami and Paterson [3] | 3Tpsm + 1Tpr | 4Tpr + 1Tpsm | |Gbp| + |Zq*| | Insecure | Insecure
Zhang-Wong-Xu-Feng [10] | 3Tpsm | 4Tpr | 2|Gbp| | Super A1 | Super A2
Choi-Park-Lee [19] | 3Tpsm | 3Tpr + 2Tpsm | 1|Gbp| | Normal A1 | Super A2
Chen-Tso-Horng et al. [23] | 2Tpsm | 3Tpr + 1Tpsm | 1|Gbp| | Super A1 | Super A2
He-Chen-Zhang [25] | 1Tsm | 3Tsm + 3Tpa | |Gec| + |Zq*| | Super A1 | Normal A2
Gong and Li [30] | 1Tsm | 4Tsm + 3Tpa | 2|Gec| + |Zq*| | Normal A1 | Super A2
Wang-Chen-Long-Mao [31] | 1Tsm | 3Tsm + 3Tpa | 2|Gec| + |Zq*| | Normal A1 | Super A2
Yeh-Su-Choo [33] | 1Tsm | 3Tsm + 2Tpa | |Gec| + |Zq*| | Insecure | Normal A2
Jia-He-Liu-Choo [34] | 1Tsm | 4Tsm + 2Tpa | |Gec| + |Zq*| | Insecure | Super A2
Karati-Islam-Biswas [35] | 1Tsm | 3Tsm + 3Tpa | |Gec| + |Zq*| | Super A1 | Normal A2
Our scheme | 1Tsm | 4Tsm + 2Tpa | |Gec| + |Zq*| | Super A1 | Super A2
(Note. "Insecure" means the CLS scheme is insecure even against a normal Type I/Type II adversary.)

Table 3 Efficiency comparison (times computed from Table 1; one Tsm costs 0.4420 ms).
Scheme | Sign | Verify | Computational cost | Signature size
Al-Riyami and Paterson [3] | 9.338 ms | 18.553 ms | 27.891 ms | 84 bytes
Zhang-Wong-Xu-Feng [10] | 5.127 ms | 16.844 ms | 21.971 ms | 128 bytes
Choi-Park-Lee [19] | 5.127 ms | 16.051 ms | 21.178 ms | 64 bytes
Chen-Tso-Horng et al. [23] | 3.418 ms | 14.342 ms | 17.760 ms | 64 bytes
He-Chen-Zhang [25] | 0.442 ms | 1.3314 ms | 1.7734 ms | 41 bytes
Gong and Li [30] | 0.442 ms | 1.7734 ms | 2.2154 ms | 61 bytes
Wang-Chen-Long-Mao [31] | 0.442 ms | 1.3314 ms | 1.7734 ms | 61 bytes
Yeh-Su-Choo [33] | 0.442 ms | 1.3296 ms | 1.7716 ms | 41 bytes
Jia-He-Liu-Choo [34] | 0.442 ms | 1.7716 ms | 2.2136 ms | 41 bytes
Karati-Islam-Biswas [35] | 0.442 ms | 1.3314 ms | 1.7734 ms | 41 bytes
Our scheme | 0.442 ms | 1.7716 ms | 2.2136 ms | 41 bytes

Fig. 3. Computational cost of our scheme and the other related schemes.
Fig. 4. Computational cost of the CLS schemes secure against super adversaries.
Fig. 5. Signature size of the CLS schemes secure against super adversaries.

Tables 2 and 3 compare our CLS scheme with the existing representative CLS schemes. As they show, the CLS scheme of [3] has the highest computational cost: it requires 4Tpsm + 5Tpr (27.891 ms). The Zhang-Wong-Xu-Feng scheme [10] requires 3Tpsm + 4Tpr (21.971 ms). The Yeh-Su-Choo scheme [33] needs 4Tsm + 2Tpa (1.7716 ms), the lowest computational cost of all. Our scheme needs 5Tsm + 2Tpa (2.2136 ms), slightly more than the scheme of [33]. However, our scheme is unforgeable against both types of super adversaries, whereas the scheme of [33] is vulnerable to a normal Type I adversary and resists only a normal Type II adversary.
The signature of the scheme in [3] consists of one element of the pairing group and one element of $\mathbb{Z}_q^*$, so its size is (512 + 160)/8 = 84 bytes. The signature of the CLS scheme in [10] consists of two pairing-group elements, so its size is (512 + 512)/8 = 128 bytes. The signatures of the schemes in [19,23] are 512/8 = 64 bytes long. The signatures of the schemes in [25,33,34,35] consist of one elliptic-curve group element and one element of $\mathbb{Z}_q^*$, so their size is (163 + 160)/8, rounded up to 41 bytes (a group element is counted as a single 163-bit coordinate, i.e. with point compression). Similarly, the signature size of the schemes in [30,31] is (163 + 163 + 160)/8, rounded up to 61 bytes. The signature generated by our CLS scheme is 41 bytes. Figure 3 compares the computational cost of our scheme with the schemes of [3,10,19,23,25,30,31,33–35].
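As an added worked example (this is not code from the paper or from the authors), the following Python reconstructs the signing and verification operations implied by the verification equation used in the Theorem 2 simulation, $z\delta = h_2 g + h_3 (y + h_1 P_{pub})$ with $z = k^{-1}(h_2 v + h_3 d)$ and $d = \alpha + a h_1$, and then carries out C2's forking-lemma step: from two signatures that share $\delta$ (same $k$) but were produced under two different answers $h_2^* \ne h_2'$ of the $H_2$ oracle, it recovers the secret value with the formula derived in the proof. Assumptions that are not from the paper: the group is secp256k1 rather than the 163-bit Koblitz curve, $H_1, H_2, H_3$ are instantiated as domain-separated SHA-256 reduced into $\mathbb{Z}_q^*$, identities and messages are strings, and every function name is this example's own.

```python
"""Pairing-free CLS scheme reconstructed from the Theorem 2 simulation, plus
C2's forking-lemma extraction of the secret value.  Added example, not the
authors' code.  Assumptions (not from the paper): the group is secp256k1
instead of the 163-bit Koblitz curve; H1/H2/H3 are domain-separated SHA-256
reduced into Z_q^*; identities and messages are Python strings."""
import hashlib
import secrets

# secp256k1 domain parameters: field prime, group order q, generator (the paper's P)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return None                       # A == -B
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A (k reduced mod q)."""
    R = None
    k %= Q
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def H(tag, *parts):
    """Random-oracle stand-in for H1/H2/H3: tagged SHA-256 mapped into Z_q^*."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        h.update(repr(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1

def rand_zq():
    return secrets.randbelow(Q - 1) + 1   # uniform element of Z_q^*

def kgc_setup():
    """KGC master key a and public key P_pub = aP."""
    a = rand_zq()
    return a, ec_mul(a, G)

def user_keys(a, Ppub, ID):
    """Partial private key (y, d) issued by the KGC, d = alpha + a*h1 mod q,
    plus the user's own secret value v with g = vP.  PK = (g, y), SK = (v, d)."""
    alpha = rand_zq()
    y = ec_mul(alpha, G)
    h1 = H("H1", ID, y, G, Ppub)
    d = (alpha + a * h1) % Q
    v = rand_zq()
    return (ec_mul(v, G), y), (v, d)

def sign(m, ID, PK, Ppub, SK, k=None):
    """delta = kP, z = k^-1 (h2*v + h3*d) mod q, with a fresh random k per signature."""
    v, d = SK
    k = rand_zq() if k is None else k
    delta = ec_mul(k, G)
    h2 = H("H2", m, delta, ID, PK, Ppub)
    h3 = H("H3", m, delta, ID, PK, h2)
    return delta, pow(k, -1, Q) * (h2 * v + h3 * d) % Q

def verify(m, ID, PK, Ppub, sig):
    """Accept iff z*delta == h2*g + h3*(y + h1*Ppub), the equation the simulation relies on."""
    g, y = PK
    delta, z = sig
    if delta is None or not 0 < z < Q:
        return False
    h1 = H("H1", ID, y, G, Ppub)
    h2 = H("H2", m, delta, ID, PK, Ppub)
    h3 = H("H3", m, delta, ID, PK, h2)
    rhs = ec_add(ec_mul(h2, g), ec_mul(h3, ec_add(y, ec_mul(h1, Ppub))))
    return ec_mul(z, delta) == rhs

def z_with_oracle_answers(SK, k, h2, h3):
    """z as produced when the oracles answer (h2, h3) for a fixed k: calling this
    twice with the same k and different h2 models the two forking-lemma runs."""
    v, d = SK
    return pow(k, -1, Q) * (h2 * v + h3 * d) % Q

def extract_secret_value(z1, h2_1, z2, h2_2, h3, d):
    """C2's last step: x = h3*(z1 - z2)*d / (h2_1*z2 - z1*h2_2) mod q.
    Returns None if the denominator vanishes (the proof then re-forks H2)."""
    den = (h2_1 * z2 - z1 * h2_2) % Q
    if den == 0:
        return None
    return h3 * (z1 - z2) * d * pow(den, -1, Q) % Q
```

The extraction only works because the two runs share $k$ and therefore $\delta$; in the proof that is an artifact of rewinding the adversary. In a deployed signer the same algebra is an attack: if an implementation ever reuses $k$ for two signatures (or derives it from a weak random source), anyone who sees both signatures can run the equivalent of extract_secret_value and recover the secret value $v$, so $k$ must be fresh and uniformly random for every signature, which is why sign draws it from secrets by default.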
Table 2 shows that only our scheme and the two schemes in [10,23] resist both types of super adversaries. Figures 4 and 5 compare the performance of these three schemes: our scheme is more efficient than the schemes in [10,23] in both computational cost and signature size. Our scheme therefore offers the best combination of security and efficiency among the schemes considered and is more appropriate for the IoT environment.

5. Conclusions

Security authentication is the foundation of IoT security. Digital signatures, which provide identity authentication, data integrity and non-repudiation, are well suited to the IoT environment, and designing a lightweight yet secure signature scheme for IoT applications is an active research topic. A CLS scheme combines the advantages of conventional signature schemes and ID-based signature schemes, so this paper concentrates on designing a CLS scheme for IoT applications. We construct a pairing-free CLS scheme for the IoT and prove it secure against both types of super adversaries. Our scheme performs better than the existing CLS schemes and is better suited to the resource-constrained environment of the IoT.

Declaration of Competing Interest

We declare that we have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References

[1] Q. Jing, A. Vasilakos, J. Wan, J. Lu, D. Qiu, Security of the Internet of Things: perspectives and challenges, Wirel. Netw. 20 (8) (2014) 2481–2501.
[2] A. Shamir, Identity-based cryptosystems and signature schemes, in: Advances in Cryptology, Springer, 1984, pp. 47–53.
[3] S. Al-Riyami, K.G. Paterson, Certificateless public key cryptography, in: Proceedings of ASIACRYPT 2003, LNCS 2894, Springer-Verlag, 2003, pp. 452–473.
[4] D.H. Yum, P.J. Lee, Generic construction of certificateless signature, in: ACISP 2004, LNCS 3108, Springer, 2004, pp. 200–211.
[5] M.C. Gorantla, A. Saxena, An efficient certificateless signature scheme, in: Proc. of CIS 2005, Part II, LNAI 3802, Springer-Verlag, Berlin Heidelberg, 2005, pp. 110–116.
[6] X. Cao, K.G. Paterson, W. Kou, An attack on a certificateless signature scheme and its improvement, J. Beijing Univ. Posts Telecommun. 31 (2) (2008) 64–67.
[7] X. Huang, W. Susilo, Y. Mu, F. Zhang, et al., On the security of certificateless signature schemes from Asiacrypt, in: Y.G. Desmedt, et al. (Eds.), CANS 2005, LNCS 3810, Springer, 2005, pp. 13–25.
[8] W.S. Yap, S.H. Heng, B.M. Goi, An efficient certificateless signature scheme, in: Proc. of EUC Workshops 2006, LNCS 4097, Springer, 2006, pp. 322–331.
[9] J.H. Park, B.G. Kang, Security analysis of the certificateless signature scheme proposed at SecUbiq, in: EUC Workshops 2007, LNCS 4809, Springer-Verlag, 2007, pp. 686–691.
[10] Z. Zhang, D.S. Wong, J. Xu, D. Feng, Certificateless public-key signature: security model and efficient construction, in: ACNS 2006, LNCS 3989, Springer-Verlag, Berlin Heidelberg, 2006, pp. 293–308.
[11] J.K. Liu, M.H. Au, W. Susilo, Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model, in: ACM Symposium on Information, Computer and Communications Security, 2007, pp. 273–283.
[12] Y. Yuan, C. Wang, Certificateless signature scheme with security enhanced in the standard model, Inf. Process. Lett. 114 (2014) 492–499.
[13] B.C. Hu, D.S. Wong, Z. Zhang, et al., Certificateless signature: a new security model and an improved generic construction, Des. Codes Cryptogr. 42 (2007) 109–126.
[14] X. Huang, Y. Mu, W. Susilo, et al., Certificateless signature revisited, in: ACISP 2007, LNCS 4586, Springer-Verlag, 2007, pp. 308–322.
[15] X. Yang, X. Pei, G. Chen, T. Li, M. Wang, C. Wang, A strongly unforgeable certificateless signature scheme and its application in IoT environments, Sensors 19 (12) (2019) 1–27.
[16] K.A. Shim, A new certificateless signature scheme provably secure in the standard model, IEEE Syst. J. 13 (2) (2019) 1421–1430.
[17] Y. Zhang, R. Deng, D. Zheng, J. Li, P. Wu, J. Cao, Efficient and robust certificateless signature for data crowdsensing in cloud-assisted industrial IoT, IEEE Trans. Ind. Inform., doi:10.1109/TII.2019.2894108.
[18] H. Du, Q. Wen, Efficient and provably-secure certificateless short signature scheme from bilinear pairings, Comput. Stand. Interfaces 31 (2) (2009) 390–394.
[19] K.Y. Choi, J.H. Park, D.H. Lee, A new provably secure certificateless short signature scheme, Comput. Math. Appl. 61 (7) (2011) 1760–1768.
[20] R. Tso, X. Huang, W. Susilo, Strongly secure certificateless short signatures, J. Syst. Softw. 85 (2012) 1409–1417.
[21] H. Du, Q. Wen, Security analysis of two certificateless short signature schemes, IET Inf. Secur. 8 (4) (2014) 230–233.
[22] D. He, B. Huang, J. Chen, New certificateless short signature scheme, IET Inf. Secur. 7 (2) (2013) 113–117.
[23] Y.-C. Chen, R. Tso, G. Horng, et al., Strongly secure certificateless signature: cryptanalysis and improvement of two schemes, J. Inf. Sci. Eng. 31 (2015) 297–314.
[24] J. Tsai, A new efficient certificateless short signature scheme using bilinear pairings, IEEE Syst. J. 99 (2015) 1–8.
[25] D. He, J. Chen, R. Zhang, An efficient and provably secure certificateless signature scheme without bilinear pairings, Int. J. Commun. Syst. 25 (11) (2011) 1432–1442.
[26] M. Tian, L. Huang, Cryptanalysis of a certificateless signature scheme without pairings, Int. J. Commun. Syst. 26 (11) (2013) 1375–1381.
[27] J. Tsai, N. Lo, T. Wu, Weaknesses and improvements of an efficient certificateless signature scheme without using bilinear pairings, Int. J. Commun. Syst. 27 (7) (2014) 1083–1090.
[28] J. Zhang, J. Mao, An efficient RSA-based certificateless signature scheme, J. Syst. Softw. 85 (2012) 638–642.
[29] K.H. Yeh, K.Y. Tsai, R. Kuo, T. Wu, Robust certificateless signature scheme without bilinear pairings, Multimed. Tools Appl. 74 (16) (2013) 1–4.
[30] P. Gong, P. Li, Further improvement of a certificateless signature scheme without pairing, Int. J. Commun. Syst. 27 (10) (2014) 2083–2091.
[31] L. Wang, K. Chen, Y. Long, X. Mao, A modified efficient certificateless signature scheme without bilinear pairings, in: International Conference on Intelligent Networking and Collaborative Systems, 2015, pp. 82–85.
[32] K.H. Yeh, K.Y. Tsai, C.Y. Fan, An efficient certificateless signature scheme without bilinear pairings, Multimed. Tools Appl. 74 (16) (2015) 6519–6530.
[33] K.H. Yeh, C. Su, K.-K.R. Choo, W. Chiu, A novel certificateless signature scheme for smart objects in the Internet-of-Things, Sensors 17 (5) (2017) 1–17.
[34] X. Jia, D. He, Q. Liu, K.-K.R. Choo, An efficient provably-secure certificateless signature scheme for Internet-of-Things deployment, Ad Hoc Netw. 71 (2018) 78–87.
[35] A. Karati, S.H. Islam, G.P. Biswas, A pairing-free and provably secure certificateless signature scheme, Inf. Sci. 450 (2018) 378–391.
[36] D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures, J. Cryptol. 13 (3) (2000) 361–396.
[37] Shamus Software Ltd., MIRACL library, http://www.shamus.ie/index.php?page=home.
[38] J. Cui, J. Zhang, H. Zhong, R. Shi, Y. Xu, An efficient certificateless aggregate signature without pairings for vehicular ad hoc networks, Inf. Sci. 451–452 (2018) 1–15.

Hongzhen Du received her B.S. degree in mathematics from Baoji University of Arts and Sciences in 2000, her M.S. degree in cryptography from Shaanxi Normal University in 2006, and her Ph.D. degree in cryptography from Beijing University of Posts and Telecommunications in 2009. She is a professor at Baoji University of Arts and Sciences. Her research interests include cryptology, digital signatures and IoT security.
Qiaoyan Wen received her B.S. and M.S. degrees in mathematics from Shaanxi Normal University in 1981 and 1984 respectively, and her Ph.D. degree in cryptography from Xidian University in 1997. She is a doctoral supervisor and professor at Beijing University of Posts and Telecommunications. Her research interests include cryptology and information security.
Shanshan Zhang received her B.S. degree from Baoji University of Arts and Sciences in 2004 and her M.S. degree from Huaibei Normal University in 2007. She is now a Ph.D. candidate at Xidian University. Her main research interest is lattice-based public key cryptography.
Mingchu Gao received his B.S. and M.S. degrees in mathematics from Shaanxi Normal University in 1987 and 1990 respectively, and his Ph.D. degree in applied mathematics from the University of New Hampshire in 2004. He is a professor at Louisiana College. His research interests include information security.