This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2018.2794991, IEEE Transactions on Industrial Informatics

Provably Secure and Lightweight Certificateless Signature Scheme for IIoT Environments
Arijit Karati, Member, IEEE, SK Hafizul Islam, Marimuthu Karuppiah, Member, IEEE

A. Karati is with the Area of Computer Science and Engineering, NIIT University, Neemrana, Rajasthan 301705, India. E-mail: arijit.karati@gmail.com

S. H. Islam is with the Department of Computer Science and Engineering, Indian Institute of Information Technology Kalyani, West Bengal 741235, India. E-mail: hafi786@gmail.com, hafi786@iiitkalyani.ac.in

M. Karuppiah is with the School of Computing Science and Engineering, VIT University, Vellore 632014, Tamilnadu, India. E-mail: marimuthume@gmail.com

Abstract—In recent years, two technologies, the cloud computing, and the Internet of Things (IoT) have a synergistic effect in the modern organizations as digitization is a new business trend for various industries. Therefore, many organizations outsource their crowdsourced Industrial-IoT (IIoT) data in the cloud system to reduce data management overhead. However, data authentication is one of the fundamental security/trust requirements in such IIoT network. Certificateless signature (CLS) scheme is a cryptographic primitive that provides data authenticity in IIoT systems. Recently, CLS has become a prime research focus due to its ability to solve the key-escrow problem in very recent identity-based signature technique. Many CLS schemes have already been developed using map-to-point (MTP) hash function and random oracle model (ROM). However, due to the implementation difficulty and probabilistic nature of MTP function and ROM, those CLSs are impractical. Hence, the development of a CLS for lightweight devices mounted in IIoT has become one of the most focused research trends. This paper presents a new pairing-based CLS scheme without MTP function and ROM. The new CLS is secure against both the Type-I and Type-II adversaries under the hardness of Extended Bilinear Strong Diffie-Hellman (EBSDH) and Bilinear Strong Diffie-Hellman (BSDH) assumptions, respectively. Performance evaluation and comparison proves that our scheme outperforms other CLS schemes.

Index Terms—Certificateless signature; Industrial Internet of Things; Provable security; Cryptography; Bilinear pairing.

I. INTRODUCTION

In present-day, the Internet of Things (IoT) influences the neoteric society by raising the potential migration without compromising human daily needs, improving personal security through surveillance and making physical environments more user-friendly. The idea of IoT was coined in 1999 by Ashton during his extensive research on the Radio Frequency Identification (RFID) [1]. Basically, IoT provides a self-establishing network of highly coupled heterogeneous objects, namely, different smart devices, RFID, sensors, actuators, etc. Such smart devices simplify the retrieval as well as the exchange of data in various applications [1]. The IoT brings a pervasive digital appearance by engaging society and industries, and it enables a series of interactions between human-to-human, human-to-thing, thing-to-thing or thing-to-things. Moreover, IoT is a technological marvel of imminent computer and communication systems. It is viewed as the considerable position in the growth of information technology after the computer science and the Internet. The Research findings from Gartner suggest that 8.4 billion smart devices will be utilized in 2017, and it will be 20.5 billion by 2020 worldwide. In addition, the global economic influence of IoT technology is accounted to be USD 2 trillion in this year [2], [3].

IoT has a significant demand for the technological infrastructure as the organizations today are subjected to multiple thrusts from different fields. Faster replies at considerable costs, scalable and agile operations are some of the prospective requirements from IT infrastructure leading to increased demands on the Internet. Many industries exploit the concept of IoT and use it across the various business sectors such as manufacturing, logistics, etc. This is known as Industrial IoT (IIoT) where employees use their smart devices to perform many business-related activities through an active Internet [4], [5].

The data needed in various IIoT settings are being retrieved by introducing the methodology of crowdsourcing nowadays as it reduces data management overhead by collecting the task from active users connected to the Internet. Besides, many IoT-enabled organization outsourced their workloads and retrieved the responses from crowd workers. Parallel to the most utilized communication techniques like cloud computing [6], the crowdsourced IIoT data allures the collaboration and minimizes the cost by keeping in the cloud-centric server side. Cloud technology provides an elegant computational model for data processing and facilitates users to utilize application and IIoT data globally through smart devices. Figure 1 demonstrates an architectural overview of cloud-based IIoT environment. Here, a partially trusted cloud-centric server is assumed for analyzing information collected from the IIoT network. Various IoT-enabled devices, mounted with sensors, collect information during industrial outturn, and transmit IIoT data to the cloud server over the Internet. Prior to store any sensitive IIoT data in the server, such data is required to be checked entirely so that only authentic data is to be kept in the cloud storage space. Therefore, the authenticity of IIoT data totally relies on the safety of cloud server. Since such type of server is semi-trusted, the authenticity of those IIoT data must be maintained before outsourcing to the server. To ensure authenticity, a number of public key infrastructure (PKI)-based cryptographic techniques have been proposed.

The authenticity of the users’ public key in traditional PKI is an important aspect of this modern era. Therefore, it needs to be satisfied prior to the establishment of secure communication over any public channel. The signature-based

1551-3203 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
cryptosystem is a technique to provide data authenticity. Here, signature plays an important role in authenticating various smart devices. Such devices implicitly send a signature (digest) using its physical address during the data transmission. On the other hand, the receiver confirms the authenticity if the source of data is genuine by verifying the received signature. Since the IIoT uses such types of devices, the signature can be a solution for the data authenticity issue. Besides, to achieve authenticity, it maintains certificates by ensuring that the user’s public key is not tampered by any malicious entity. Thus, a trusted third party, called certificate authority (CA) is responsible for issuing and distributing of certificates by binding users identity with the corresponding public keys. But, due to the significant management overhead for certificate storage, distribution, verification, and revocation in traditional PKI, it is assumed to be time-consuming to use and handle in different IIoT systems. Due to these certificate management overhead, a novel idea was introduced by Shamir in 1987, called identity-based cryptosystem (IBC) [7]. The idea is to choose a unique identity as public key by each party itself without being certified by any trusted entity. On the other hand, a trusted third party, called Key Generation Center (KGC), is assumed to send a private key for each public key via a secure channel. It may be noted that, as KGC generates users’ secret keys, so, KGC has all those abilities which a user can perform, e.g. decryption, signature, etc. This is known as “key-escrow problem”. To solve this type of flaw in IBC, a new cryptosystem was proposed by Al-Riyami and Paterson [8] that makes use of the concept of both PKI and IBC. The technique introduced a new concept of generating public and private key using both the user’s and KGC’s secrets. In this way, the key escrow problem is eliminated by not giving the full access to KGC from users’ private key in order to decrypt and sign any message. In the certificateless cryptography, users’ public key is determined by users’ manual computation using a secret value and a partial private key (optional). In these settings, users’ public key is being available to others by sending it along with the ciphertext/signature or by making it available in the IIoT-networked public directory in a proper way. In order to assure better security features, various certificateless cryptographic protocols [9]–[12] are used in the IoT and cloud systems.

Fig. 1. Cloud-centric IIoT data storage architecture

A. Related works

In 2003, Al-Riyami and Paterson [8] designed a novel certificateless signature scheme that eliminates the key-escrow problem for IBC. This pioneering work initiates a paradigm shift in public key cryptographic technique. Since Al-Riyami and Paterson’s work, subsequently, a number of certificateless techniques [13]–[16] were developed. Moreover, many existing schemes in this certificateless setting were proven secure in the random oracle model (ROM) which were proposed by Bellare and Rogaway [17]. Though ROM leads to efficient and provably-secure construction of such schemes, it has faced a lot of criticism. It is seen that when ROM is implemented with real cryptographic hash functions, the resulting schemes may not be secure enough [18], [19]. In 2006, [15], [16] were shown as insecure against the key-replacement attacks in [20], [21]. Zhang et al. [22] constructed a novel CLS using bilinear pairing. They proposed a security model and achieved tight security reduction under (Computational Diffie-Hellman) CDH assumption by utilizing the concept of ROM. However, their scheme is not computationally efficient. Huang et al. [23] devised a new CLS scheme using bilinear pairing, which produces enough short-size signature, but, Shim [24] demonstrated that scheme in [23] is insecure against Type-I adversary. After that, Tso et al. [25] proposed a new CLS using bilinear pairing operation. Though they have shown their scheme is semantic secure under k−CAA (Collusion Attack Algorithm with k Traitors) assumption, unfortunately, it is shown as insecure against Type-I adversary. In 2009, Du and Wen [26] proposed a new CLS scheme, which produces a short-size signature and does not use map-to-point (MTP) hash function in their implementation. However, the scheme is found to be insecure against Type-I adversary. Recently, Choi et al. [27] showed that Du and Wen’s scheme [26] is insecure against strong Type-I adversary. Subsequently, they have proposed a new CLS scheme using bilinear pairing. Their CLS supports short signature facility and secure under CDH assumption, however, Tian et al. [28] showed that the scheme in [27] is still suffering due to the attack performed by the Type-I adversary. In 2012, Tso et al. [29] proposed a new CLS scheme based on the bilinear pairing. The scheme is said to be strongly unforgeable under CDH assumption, but, later it is found to be inefficient and insecure against Type-I adversary. Since, the bilinear pairing is assumed to be the high computational cryptographic operation, so as an enhancement, He et al. [30] designed a CLS scheme without using bilinear pairing. Although, it was a good attempt to make their scheme more efficient for low bandwidth communication,

unfortunately, Tian and Huang [31] proved that the CLS scheme in [30] is insecure for Type-II adversary. Furthermore, Yu et al. [32] designed an improved CLS scheme that has several advantages including shorter system parameters and higher computational efficiency than the earlier CLS schemes. Although they showed that their CLS scheme was more secure, Yuan et al. [33] proved that the scheme in [32] is insecure against key replacement and malicious-but-passive KGC (Key Generation Center) attacks. Besides, they have devised an improved version of [32] that overcomes the security flaws. Their scheme was constructed using the bilinear pairing and is secure under CDH assumption. Similarly, Feng et al. [34] showed that the scheme in [35] cannot withstand Super type I and II adversaries. As a countermeasure, they have designed an enhanced version of [35] using bilinear pairing and showed its security under the standard model. He et al. [36] devised a novel short-CLS scheme using elliptic curve point operations. Their scheme is developed using the bilinear pairing and found to be secure against Type-I and Type-II adversaries under the hardness assumption of the CDH problem in the ROM. In 2015, Tsai [37] used the same concept to design a novel short-CLS scheme using bilinear pairing. Although they have shown that their scheme resists Type-I and Type-II attacks under k-CAA assumption, unfortunately, it is found as insecure under message-signature independency property [38]. In 2016, Jose and Martin [39] proposed a CLS scheme using bilinear pairing and hash function. The authors claimed that their scheme can be used in place of dual signature in SET Protocol. Based on the constant-size of parameters, Canard and Trinh [40] designed a CLS scheme in the standard model and with lower computation cost. Based on hash function and bilinear pairing, Li et al. [41] also proposed a provably secure CLS scheme applicable for cloud environments. The authors claimed that their scheme can easily detect the malicious behavior of the KGC. In 2017, Yeh et al. [42] proposed a new provably secure CLS scheme using elliptic curve for IoT-enabled resource-constrained smart objects. Wang et al. [43] also designed a new pairing-free CLS scheme using elliptic curve. The proposed scheme is shown to be provably secure in the ROM.

B. Contributions

The burgeoning IIoT and the rapid increase of connected devices associated with it have introduced data authenticity as a security vulnerability. Our CLS as a potential signature-based authentication technique provides a solution of data authenticity deficiency in the IIoT network. Study of the different research proposals ensures that they may be implemented and mounted in the IIoT network easily. However, many already proposed CLS schemes have failed to provide proper security (Type-I and Type-II) in the standard security models. Therefore, our motivation is to develop a CLS scheme that is secure as well as achieve lower computational cost. This paper introduces a new CLS with the following functionality.

• Our CLS scheme is implemented using bilinear pairing over prime order cyclic groups. In addition, a special type of probabilistic map-to-point (MTP) hash function is avoided during its implementation.
• In our CLS scheme, the signer needs two exponentiations during signature generation and the verifier requires two exponentiations with one pairing computation to verify a signature. Besides, the signature-size in our scheme consists of two same ordered cyclic group elements.
• Our scheme resists both the Type-I and Type-II adversaries under the hardness of EBSDH and BSDH assumptions, respectively. Besides, the scheme does not consider random oracle model during its security analysis.
• Proposed CLS scheme is compared with other related pairing-based CLSs in terms of its execution time during signature generation and verification processes, and it is found that our scheme is computationally efficient.
• Because of the above-mentioned functionalities, our CLS scheme can be implemented and mounted in the IIoT network where the smart gadgets require low computation cost, and the communication channel has limited bandwidth.

C. Organization

Rest of the article is structured as follows. Section II provides some backgrounds on the structure and security notion of CLS scheme with a few mathematical hard problems. Section III discusses our CLS construction in detail. We analyze our scheme from its security and performance aspects in Section IV. Finally, Section V concludes the paper with some remarks.

II. PRELIMINARIES

This section discusses the structure and security notion of CLS with some cryptographic definitions. In addition, a list of symbols used throughout the paper is summarized in Table I.

TABLE I
LIST OF THE NOTATIONS USED

Symbols | Meaning
$p$ | Sufficiently large prime number
$G_1, G_2$ | Cyclic groups of same order $p$
$g$ | Generator of $G_1$
$H(\cdot)$ | Cryptographic hash functions: $H : \{0,1\}^* \rightarrow Z_p^*$
$MSK$ | Private key of the KGC
$params$ | Public parameters of the KGC
$ID_i$ | $i$-th user identity
$x_i$ | Secret value selected by the user $ID_i$
$D_i$ | The partial private key of user $i$
$Y_i$ | The public key of user $i$
$m$ | The message in $Z_p^*$
$\sigma$ | Signature of message $m$
$e(\cdot, \cdot)$ | The bilinear pairing $e : G_1 \times G_1 \rightarrow G_2$

A. Mathematical definitions

This section discusses some of the hard assumptions, which are considered to be intractable by all probabilistic polynomial time (PPT) algorithms.

Definition 1 (Negligible function): A function $\epsilon(y)$ is said negligible if, $\forall\, \nu > 0$, $\exists\, y_0$ such that $\epsilon(y) \leq \frac{1}{y^{\nu}}$ holds $\forall\, y \geq y_0$.

Definition 2 (Cryptographic Hash Function): It is hard for every PPT algorithm $A$ to find out $x$ for a given value of $H(x)$. The advantage $\epsilon$ of $A$ in finding another solution $x'$ is considered as

$$\Pr\left[\begin{array}{ll} x \in_R \{0,1\}^* & x' \leftarrow A(y) \\ y \leftarrow H(x) & H(x') = y \end{array}\right] \geq \epsilon$$

Definition 3 (Computational Diffie-Hellman Assumption): Given a tuple $T = \langle g, g^x, g^y \rangle$, it is computationally hard for any PPT algorithm $A$ to compute $X = g^{xy}$ without the knowledge of $x, y \in_R Z_p^*$. The advantage $\epsilon$ of the algorithm in finding the solution is considered as

$$\Pr\left[\begin{array}{ll} g \in_R G_1,\ x, y \in_R Z_p^* & X \leftarrow A(T) \\ T = \langle g, g^x, g^y \rangle & X = g^{xy} \end{array}\right] \geq \epsilon$$

Definition 4 (Bilinear Strong Diffie-Hellman Assumption): For every PPT algorithm $A$, calculating $\Upsilon = (k, e(g, g)^{\frac{1}{x+k}})$ from known $T = \langle g, g^x, g^{x^2}, \ldots, g^{x^q} \rangle$ is very hard for known $k$, and $x, k \in_R Z_p^*$. Then, the advantage of the algorithm to solve q-BSDH is considered as

$$\Pr\left[\begin{array}{ll} k \in_R Z_p^* & \\ g \in_R G_1,\ x \in_R Z_p^* & X \leftarrow A(k, T) \\ T = \langle g, g^x, \ldots, g^{x^q} \rangle & X = e(g, g)^{\frac{1}{k+x}} \end{array}\right] \geq \epsilon$$

Definition 5 (Extended Bilinear Strong Diffie-Hellman Assumption [44]): For every PPT algorithm $A$, calculating $\Upsilon = (k, e(g, g)^{\frac{x}{x+k}})$ from known $T = \langle g, g^x, g^{x^2}, \ldots, g^{x^q} \rangle$ is very hard, for known $k$, and $x, k \in_R Z_p^*$ is chosen at random. Then, the advantage of the algorithm to solve q-EBSDH is considered as

$$\Pr\left[\begin{array}{ll} k \in_R Z_p^* & \\ g \in_R G_1,\ x \in_R Z_p^* & X \leftarrow A(k, T) \\ T = \langle g, g^x, \ldots, g^{x^q} \rangle & X = e(g, g)^{\frac{x}{k+x}} \end{array}\right] \geq \epsilon$$

B. Bilinear pairing

Let, $(G_1, G_2)$ be a prime ordered cyclic group pair. Also, $g$, $h$ be two generators of $G_1$. Then an admissible bilinear map is defined as $e : G_1 \times G_1 \rightarrow G_2$ with following three features:

• Bilinearity: For any integers $x, y \in_R Z_p$, $e$ is defined as $e(g^x, h^y) = e(g, h)^{xy}$.
• Non-degeneracy: Always, $e(g^x, h^y) \neq 1$, where 1 is the identity of $G_2$.
• Computability: There must be an efficient algorithm to calculate $e(g, h)$.

It is well-known that $e$ is symmetric by its nature because the map satisfies $e(g^x, h^y) = e(g^y, h^x) = e(g, h)^{xy}$.

C. Formal definition of a CLS scheme

The formal structure of a CLS scheme considers six different algorithms as mentioned below:

• Setup ($k$): Generates a private key $MSK$ of the KGC and public parameter $params$.
• Set-Partial-Private-Key ($params, MSK, ID_i$): Returns a partial private-key $D_i$ to $ID_i$. Now, $ID_i$ can verify $D_i$ anytime whenever it is required.
• Set-Secret-Value ($ID_i$): Sends a secret value $x_i$.
• Set-Public-Key ($x_i$): Generates its full public key $PK_i$.
• CLS-Sign ($params, m, SK_i$): Transmits signature $\sigma$ to the verifier where $SK_i$ is the signatory’s private key.
• CLS-Verify ($params, PK_i, \sigma, m$): Outputs VALID, if the signature $\sigma$ is original, otherwise, outputs INVALID. Here $PK_i$ is the signatory’s public key.

D. Network Description

Figure 2 recapitulates the network diagram of the proposed authentication technique consisting of four independent entities, namely, the cloud server, the KGC, the IIoT data owner (DO) and the data consumer (DC).

Fig. 2. Network model of the proposed CLS scheme for IIoT data authenticity

• PKG: It computes system’s public keys, and then private keys for both the data owner and the consumer.
• Cloud Server: It is assumed for information processing, like the data storing, computation, exchange, etc. for users.
• IIoT data owner: This entity requires its own secret key along with the recipient’s and the PKG’s public keys to sign IIoT data. After successful execution, signatory stores the signed data in the cloud server.
• Data consumer: It is a data receiver who takes the public parameters and performs a verification over signed information.

The proposed CLS scheme is easily implementable as a software. Therefore, it can be mounted on all the IIoT-based smart devices. During the registration of such devices, the IIoT network administrator acts as a PKG, stores the generated key for an individual physical address in the devices. Hence, it can send the signature implicitly along with the message. On the other hand, receiver smart device(s) can verify the signature using senders’ physical address.
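The six algorithms of Section II-C, instantiated with the formulas of Section III-A (Eqs. (1)–(4)) and with a device's physical address as the identity, as an added example that is not the authors' code. The pairing is replaced by an insecure toy bilinear map (G1 elements stored as exponents, G2 a subgroup of Z_Q^*), so only the algebra of key issuance, signing and verification is exercised; all function names, the parameters `P`, `Q`, `GT` and the sample address are assumptions.

```python
import hashlib
import secrets

def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.1e23 (first twelve prime bases)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Constructed toy parameters (assumptions, not taken from the paper).
P = 2**61 - 1                                    # prime order p of G1 and G2
K = next(k for k in range(2, 10**5, 2) if is_prime(k * P + 1))
Q = K * P + 1                                    # G2 = order-P subgroup of Z_Q^*
GT = next(g for g in (pow(b, K, Q) for b in range(2, 100)) if g != 1)

class G1:
    """g1^a stored as its exponent a: bilinear algebra only, NOT secure."""
    def __init__(self, a):
        self.a = a % P
    def __mul__(self, other):
        return G1(self.a + other.a)
    def __pow__(self, k):
        return G1(self.a * k)
    def __eq__(self, other):
        return self.a == other.a

def pair(u, v):
    """e(g1^a, g1^b) = GT^(ab): bilinear, non-degenerate, computable."""
    return pow(GT, u.a * v.a % P, Q)

def rand_zp():
    return secrets.randbelow(P - 1) + 1          # uniform in Z_p^*

def H(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1) + 1

def inv(a):
    return pow(a, -1, P)                         # inverse in the exponent field

def setup():
    y, g1 = rand_zp(), G1(1)
    return y, {"g1": g1, "g2": pow(pair(g1, g1), y, Q), "Y_KGC": g1 ** y}

def set_partial_private_key(params, y, ident):
    h, r = H(ident), rand_zp()
    while (h + r + y) % P == 0:                  # exponent must be invertible
        r = rand_zp()
    return params["g1"] ** (y * h * inv(h + r + y)), params["g1"] ** r

def check_partial_key(params, ident, D):
    y_i, R = D
    h = H(ident)
    lhs = pow(pair(params["g1"], params["Y_KGC"]), h, Q)
    return lhs == pair(y_i, params["g1"] ** h * R * params["Y_KGC"])

def set_keys(params, D):
    """Set-Secret-Value and Set-Public-Key in one step."""
    y_i, R = D
    x, c = rand_zp(), rand_zp()
    return (x, c, R), (y_i ** inv(x), pow(params["g2"], c, Q))

def cls_sign(params, ident, sk, msg):
    x, c, R = sk
    m, h, t = H(msg), H(ident), rand_zp()        # m = H(M) for byte messages
    base = params["g1"] ** h * R * params["Y_KGC"]
    return pow(params["g2"], t, Q), base ** ((c * inv(m) - t) * x)  # Eqs. (2), (3)

def cls_verify(params, ident, pk, msg, sig):
    (Y1, Y2), (s1, s2) = pk, sig
    m, h = H(msg), H(ident)
    lhs = pow(pow(Y2, inv(m), Q) * pow(s1, -1, Q) % Q, h, Q)
    return lhs == pair(Y1, s2)                   # Eq. (4)

if __name__ == "__main__":
    msk, params = setup()
    dev = b"00:1B:44:11:3A:B7"                   # constructed physical address
    D = set_partial_private_key(params, msk, dev)
    sk, pk = set_keys(params, D)
    sig = cls_sign(params, dev, sk, b"temp=21.5")
    print(check_partial_key(params, dev, D),
          cls_verify(params, dev, pk, b"temp=21.5", sig))
```
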

E. Security notion of a CLS

Two possible attacks are found in CLS, named as Type-I and Type-II, which are mentioned below.

i) Type-I Model:
• Setup: Challenger $C$ executes the algorithm to get the master secret key $MSK$, and public parameters $params$. After that, it keeps $MSK$ as secret and makes $params$ public.
• Queries: Forger $A_1$ adaptively asks one of the following queries one at unit time to $C$.
  – Set-Partial-Private-Key ($ID_i$): $A_1$ gains knowledge of the partial-private key $D_i$ of $ID_i$.
  – Set-Secret-Value ($ID_i$): $A_1$ receives the secret value $x_i$ of $ID_i$ from $C$.
  – Set-Public-Key ($ID_i$): $A_1$ collects public key $PK_i$ of $ID_i$ from $C$.
  – Replace-Public-Key ($ID_i, PK_i$): $A_1$ replaces $PK_i$ with a newly chosen public key $PK_i'$.
  – Sign ($ID_i, m$): $A_1$ obtains $\sigma$ for a chosen $(ID_i, m)$ where Verify($params, ID_i, PK_i, m, \sigma$) = VALID and $PK_i$ is the most recently used public key of $ID_i$.
• Output: Finally, with a chosen message $m'$ and identity $ID'$, $A_1$ produces a well-forged signature $\sigma'$ and wins the game if following two conditions are fulfilled.
  – Neither the Set-Partial-Private-Key($ID'$) nor the Sign($ID', m'$) queries have been asked by $A_1$.
  – Always Verify ($params, ID', PK_{ID'}, m', \sigma$) outputs VALID, where $A_1$ may change $PK_{ID'}$.

Definition 6: A CLS is $(T, q_E, q_S, \epsilon)$−Type-I secure under the adaptive chosen-message and -ID attack, if every $A_1$ gains a negligible amount of advantage $\epsilon$ against utmost $q_E$ number of partial private key queries and $q_S$ number of signature queries in polynomial time $T$.

Now, in this above game, if the access of KGC’s secret key is given to forger $A_2$, i.e., $A_2$ is capable to generate partial private key, then it is considered as Type-II forger. The game is defined as follows:

ii) Type-II Model:
• Setup: Challenger $C$ executes this algorithm to generate the master secret key $MSK$, and public parameters $params$. Then, it makes $s$, $params$ public to forger $A_2$.
• Queries: $A_2$ adaptively asks one of the queries below.
  – Set-Partial-Private-Key ($ID_i$), Set-Secret-Value ($ID_i$), Set-Public-Key ($ID_i$), Sign ($ID_i, m$): As it is defined in Type-I model.
• Output: Finally, with a chosen message $m'$ and identity $ID'$, $A_2$ produces a well-forged signature $\sigma'$ and wins the game if following conditions are fulfilled:
  – Neither Set-Secret-Value($ID'$) nor Sign($ID', m'$) queries are asked in this game.
  – Always Verify($params, ID', PK_{ID'}, m', \sigma$) outputs VALID.

Definition 7: A CLS is $(T, q_E, q_S, \epsilon)$−Type-II secure under the adaptive chosen-message and -ID attack, if every forger $A_2$ gains a negligible amount of advantage $\epsilon$ against utmost $q_E$ number of partial private key queries and $q_S$ number of signature queries in every polynomial time $T$.

III. PROPOSED CLS TECHNIQUE

This section discusses a new CLS scheme using bilinear pairing. After that, the correctness of the scheme is discussed.

A. Construction of our CLS Scheme for IIoT System

Our CLS scheme contains six different independent algorithms which are discussed now.

• Setup($k$): On receiving $k$ (security parameter) as input, KGC generates two groups $G_1$ and $G_2$ of prime order $p$, and an efficient bilinear pairing $e : G_1 \times G_1 \rightarrow G_2$. Now, KGC selects $g_1$ as a generator of $G_1$, a cryptographic one-way hash function $H : \{0,1\}^* \rightarrow Z_p^*$ and an integer $y \in_R Z_p^*$ as its private key. After that, KGC computes $g_2 = e(g_1, g_1)^y$ and the public key $Y_{KGC} = (g_1)^y$. Finally, KGC keeps $MSK = (y)$ safely, and publishes public parameter as

$$params = \langle G_1, G_2, p, e, g_1, g_2, Y_{KGC}, H \rangle$$

• Set-Partial-Private-Key($params, MSK, ID_i$): On receiving $params$, private key $y$ of KGC, and a user’s identity $ID_i$ as input, KGC computes

$$h_i = H(ID_i) \quad \text{and} \quad y_i = (g_1)^{\frac{y \cdot h_i}{h_i + r_i + y}}$$

where $r_i \in_R Z_p^*$ is chosen at random. Then, KGC sends the partial private key $D_i = (y_i, R_i = g_1^{r_i})$ to the user $ID_i$. After receiving $D_i$ from the KGC securely, user may check the validity of $D_i$ as

$$e(g_1, Y_{KGC})^{h_i} \stackrel{?}{=} e\left(y_i, (g_1^{h_i} \cdot R_i \cdot Y_{KGC})\right)$$

If it holds, user $i$ believes that $D_i$ is genuine.

• Set-Secret-Value($ID_i$): Given $params$, user $i$ with identity $ID_i$ chooses two random numbers $(x_i, c_i)$ and sets its secret value $SK_i = (c_i, x_i, R_i)$.

• Set-Public-Key($x_i, ID_i$): On receiving $params$ and $x_i$, user $i$ sets the public key $Y_i = (Y_{i1} = (y_i)^{\frac{1}{x_i}}, Y_{i2} = g_2^{c_i})$.

• CLS-Sign($params, SK_S, m$): On receiving $params$, signatory’s $SK_S = (x_S, c_S, R_S)$ with message $m \in Z_p^*$, this algorithm chooses $t \in_R Z_p^*$ and computes

$$h_S = H(ID_S) \qquad (1)$$
$$\sigma_1 = g_2^{t} \qquad (2)$$
$$\sigma_2 = (g_1^{h_S} \cdot R_S \cdot Y_{KGC})^{(\frac{c_S}{m} - t) x_S} \qquad (3)$$

Finally, it outputs $\sigma = (\sigma_1, \sigma_2)$ as the signature of message $m$, and sends it to the verifier $V$.

• CLS-Verify($params, ID_S, Y_S, m, \sigma$): Given $m$, signatory’s identity $ID_S$ with public key $Y_S$ and $(m, \sigma)$, this

algorithm returns VALID, if Eq. (4) holds; otherwise, $\sigma$ is considered as false signature and thus, it returns INVALID.

$$h_S = H(ID_S)$$
$$\left(\frac{Y_{S2}^{1/m}}{\sigma_1}\right)^{h_S} \stackrel{?}{=} e(Y_{S1}, \sigma_2) \qquad (4)$$

This completes the description of our scheme. It is noted that the proposed CLS scheme is also applicable for variable-length messages, i.e., $M \in_R \{0,1\}^*$. In this situation, signer and verifier need to compute $m = H(M)$ before running CLS-Sign and CLS-Verify algorithms, respectively.

Consistency: The correctness of verifying the well-formed signature $\sigma$ for message $m$ is given below:

$$\begin{aligned}
\left(\frac{Y_{S2}^{1/m}}{\sigma_1}\right)^{h_S} &\stackrel{?}{=} e(Y_{S1}, \sigma_2) \\
\left(g_2^{\frac{c_S}{m} - t}\right)^{h_S} &= e\left(g_1^{\frac{y \cdot h_S}{(r_S + h_S + y) x_S}},\ (g_1^{h_S} \cdot R_S \cdot Y_{KGC})^{(\frac{c_S}{m} - t) x_S}\right) \\
&= e\left(g_1^{\frac{y \cdot h_S}{(r_S + h_S + y) x_S}},\ g_1^{(r_S + h_S + y)(\frac{c_S}{m} - t) x_S}\right) \\
&= e(g_1, g_1)^{y \cdot (\frac{c_S}{m} - t) \cdot h_S} \\
&= g_2^{(\frac{c_S}{m} - t) \cdot h_S}
\end{aligned}$$

IV. SECURITY AND PERFORMANCE ANALYSIS

This section demonstrates that our CLS scheme is existential unforgeable against both the Type-I and Type-II attacks. Besides, a comparative study of proposed CLS scheme with other CLS schemes is given later in this section.

A. Security analysis

In this section, we discuss two different theorems which are based on the proof by reduction. More specifically, if any forger $A_1$/$A_2$ breaks any scheme, then a solver $F_1$/$F_2$ uses $A_1$/$A_2$ to solve the underlying hard assumption. However, in the reality, such problem is unbreakable, therefore, no such $A_1$/$A_2$ will exist.

Theorem 1 (Type-I security): If there exists a forger $A_1$ that breaks $(T, n_C, n_S, \epsilon)$−Type-I security of our CLS, then there exists a solver $F_1$ that breaches q−EBSDH assumption with advantage $\epsilon'$ in polynomial time $T'$ for

$$\epsilon' \geq \left(1 - \frac{n_C + n_{SV} + n_S}{n}\right) \frac{1}{n_C}\, \epsilon$$
$$T' = T + O((q n_C + n_S)\, T_E)$$

where $n_{SV}$, $n_S$ and $n_C$ represent Set-Secret-Value, CLS-Sign and Create User queries, respectively.

Proof: Here, we prove that if the proposed CLS scheme is breakable in time frame $T$, then a Type-I forger $A_1$ must exist which can break q−EBSDH assumption. Suppose that the challenger $C$ gives a challenge instance $\psi = \langle G, g, g^x, g^{x^2}, \ldots, g^{x^p} \rangle$ to $A_1$ for which $A_1$ wants to find $Z = e(g, g)^{\frac{x}{x+\alpha}}$ for some known $\alpha \in Z_p^*$, where $G$, $g$ and $q$ are the multiplicative group, its generator and the maximum number of queries, respectively. For simplicity, we have considered that $A_i = g^{x^i}$, $\forall\, i \in [1, q]$ in $\psi$.

• Setup: On receiving $\psi$, $A_1$ sets two lists $L$ and $R$ of tuples $(ID, Y_1, Y_2, x, c, r, h, y, R)$ and $(ID, x, c, Y_1, Y_2)$, respectively. Initially, $L$ and $R$ are empty. Now, $A_1$ chooses two polynomials $P(y)$ and $\Phi(y)$ of degree $q$ as

$$P(y) = \sum_{i=0}^{q-1} \alpha_i y^i \quad \text{and} \quad \Phi(y) = \sum_{i=0}^{q-1} \beta_i y^i$$

$\forall\, i \in [0, q-1]$, $(\alpha_i, \beta_i) \in_R (Z_p^*)^2$. It computes $g_1 = \prod_{i=0}^{q-1} (A_i)^{\alpha_i} = g^{P(x)}$ and $Y_{KGC} = \prod_{i=0}^{q-1} (A_{i+1})^{\alpha_i} = (g_1)^x$. Finally, it computes $g_2 = e(g_1, Y_{KGC}) = e(g_1, g_1)^x$ and sends system parameter $params = (G_1, G_2, q, e, g_1, g_2, Y_{KGC}, H)$ to $A_1$, where $H : \{0,1\}^* \rightarrow Z_p^*$. Now, $A_1$ runs an algorithm $F_1$ to solve q−EBSDH.

• Create User ($ID_i$): $A_1$ selects $r_i = \Phi(ID_i)$ and computes $R_i = g^{r_i}$. As users’ identity is publicly known to all, so $P(y)$ can be reformed as

$$P(y) = \prod_{j=0}^{q-1} (y + r_j + h_j)$$

Let, $P_i(y)$ be polynomial for $ID_i$, and it is defined for $h_i = H(ID_i)$ and coefficients $(\mu_1, \ldots, \mu_q) \in_R (Z_p^*)^q$ as

$$P_i(y) = \frac{y \cdot P(y)}{(y + r_i + h_i)} + \mu_0 = \frac{y \cdot \prod_{j=0}^{q-1} (y + r_j + h_j)}{(y + r_i + h_i)} + \mu_0 = y \cdot \prod_{j=0, j \neq i}^{q-1} (y + r_j + h_j) + \mu_0 = \sum_{j=0}^{q-1} \mu_j y^j$$

It sets $y_i = \left(\frac{\prod_{i=0}^{q-1} (A_i)^{\mu_i}}{g^{\mu_0}}\right)^{h_i} = g^{\frac{x \cdot P(x) \cdot h_i}{x + r_i + h_i}} = g_1^{\frac{x \cdot h_i}{x + r_i + h_i}}$, $\forall\, ID_i$. Finally, it stores $(ID_i, \perp, \perp, \perp, \perp, r_i, h_i, y_i, R_i)$ in $L$. It is noted that partial private key verification condition $e(g_1, Y_{KGC})^{h_i} = e(y_i, g_1^{h_i} \cdot R_i \cdot Y_{KGC})$ holds.

• Set-Partial-Private-Key ($ID_i$): $A_1$ asks the query on its selected $ID_i$ and if it is found in $L$, then $F_1$ returns $D_i = (y_i, R_i)$. Otherwise, $F_1$ calls Create User for $ID_i \neq ID^*$ and outputs $D_i = (y_i, R_i)$.

• Set-Secret-Value ($ID_i$): For $ID_i = ID^*$, $F_1$ aborts the simulation. Otherwise, it checks an entry for $ID_i$ ($\neq ID^*$) in $L$. If it exists (other than $\perp$), then $F_1$ returns $(x_i, c_i, R_i)$; otherwise, it chooses $(x_i', c_i') \in_R (Z_p^*)^2$. Now, if an entry exists for $x_i = \perp$, then updates only $x_i$ as $x_i = x_i'$ and similarly for $c_i$ with $c_i'$; otherwise, calls Create-User and updates $x_i = x_i'$, $c_i = c_i'$ in $L$.

• Set-Public-Key ($ID_i$): $A_1$ asks the query on its chosen $ID_i$ and if it is found in $L$, then $F_1$ returns $Y_i = (Y_{i1}, Y_{i2})$. Otherwise, $F_1$ calls Create User and proceeds with $ID_i \neq ID^*$ as
  – Checks an entry for $ID_i$ in $L$ where $x_i \neq \perp$ and $c_i \neq \perp$. If such $x_i$ and $c_i$ do not exist, then it chooses $(x_i, c_i) \in_R (Z_p^*)^2$. After that, it computes $Y_i = (Y_{i1}, Y_{i2})$, where $Y_{i1} = (y_i)^{\frac{1}{x_i}}$ and $Y_{i2} = (g_2)^{c_i}$.

1551-3203 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

– After that, it replaces the tuple $(\perp, \perp, \perp, \perp)$ by $(Y_{i1}, Y_{i2}, x_i, c_i)$ of the corresponding tuple in $L$, i.e., $(ID_i, Y_{i1}, Y_{i2}, x_i, c_i, r_i, h_i, y_i, R_i)$ to $L$.

Finally, $\mathcal{F}_1$ sends public key $Y_i = (Y_{i1}, Y_{i2})$ to $\mathcal{A}_1$.

• Replace-Public-Key ($ID_i, Y'_i$): Now, for invoked query $(ID_i, Y'_i = (Y'_{i1}, Y'_{i2}))$, $\mathcal{F}_1$ sets $Y_{i1} = Y'_{i1}$, $Y_{i2} = Y'_{i2}$, $x_i = x'_i$ and $c_i = c'_i$ which reflects in $L$ if the corresponding tuple is present in $L$. Finally, $\mathcal{F}_1$ inserts $(ID_i, x_i, c_i, Y_{i1}, Y_{i2})$ to list $L$.

• Sign ($ID_i, m$): On receiving query $q_s = (ID_i, m)$, $\mathcal{F}_1$ first checks an entry in list $L$, if it will not exist, then the signature generation procedure is the same as defined in original scheme. Otherwise, $\mathcal{F}_1$ considers list $R$ and proceeds as follows:

– Collects the secret key pair $(x_i, c_i)$ from list $L$.
– Selects $k \in_R Z_p^*$, and computes $\sigma_1 = (g_2)^k$.
– Computes $\sigma_2 = \{(g_1)^{h_i} \cdot R_i \cdot Y_{KGC}\}^{\left(\frac{c_i}{m} - t\right) x_i}$ for $h_i = H(ID_i)$ and returns $\sigma = (\sigma_1, \sigma_2)$ to $\mathcal{A}_1$.

• Output: $\mathcal{A}_1$ stops asking queries and outputs a forged signature $\sigma' = (\sigma'_1, \sigma'_2)$ for message $m'$ with identity $ID'$ whose public key is $Y_{ID'} = (Y'_{ID'1}, Y'_{ID'2})$ where CLS-Verify$(params, m', \sigma', ID', Y_{ID'})$ = VALID. Now, if $ID' \neq ID^*$, then $\mathcal{F}_1$ outputs INVALID and aborts simulation. Otherwise, it considers a polynomial $\psi(y) = \sum_{i=0}^{q-2} \tau_i y^{i+1}$ for some $(\tau_1, \tau_2, \cdots, \tau_{q-1}) \in (Z_p^*)^{q-1}$ and expands the polynomial $P(y)$ as

$$P(y) = y^{-1} \cdot \psi(y) \cdot [(r_i + h_i) + y] + c \qquad (5)$$

where $c$ is chosen selectively from $Z_p^*$ so that Eq. (10) holds successfully. Then, it finds $Y_{ID'1}$ from $L$ where $Y_{ID'1} = (g_1)^{\frac{x h_i}{[(r_i + h_i) + x]\,x_i}}$. After that, $\mathcal{F}_1$ computes $\Upsilon$ as

$$\Upsilon = \left[(Y_{ID'1})^{\frac{x_i}{h_i}} \cdot \prod_{i=1}^{q-1} (A_{i+1})^{-\tau_i}\right]^{\frac{1}{c}} = \left[g^{\frac{xP(x)}{[(r_i + h_i) + x]}} \cdot g^{-\psi(x)}\right]^{\frac{1}{c}}$$
$$= \left[(g)^{\psi(x) + \frac{cx}{[(r_i + h_i) + x]}} \cdot g^{-\psi(x)}\right]^{\frac{1}{c}} = \left[g^{\frac{cx}{[(r_i + h_i) + x]}}\right]^{\frac{1}{c}} = g^{\frac{x}{[(r_i + h_i) + x]}}$$

$\mathcal{F}_1$ computes $Z = e(g, \Upsilon) = e(g, g)^{\frac{x}{(r_i + h_i) + x}}$. Now, if we view $\alpha = r_i + h_i$, then $Z = e(g, g)^{\frac{x}{\alpha + x}}$. Thus, it breaks $q$-EBSDH assumption.

Probability analysis: For successful forgery, there are three events as follows:

$\Gamma_1$: $\mathcal{F}_1$ does not abort during the above simulation.
$\Gamma_2$: $\sigma^*$ is a valid forged signature on $m^*$ for $ID^*$.
$\Gamma_3$: The forged signature $\sigma^*$ allows $ID = ID^*$.

Hence, the overall advantage of breaking $q$-EBSDH assumption in Game 1 is defined as

$$\Pr[\Gamma_1 \wedge \Gamma_2 \wedge \Gamma_3] = \Pr[\Gamma_1] \cdot \Pr[\Gamma_2 | \Gamma_1] \cdot \Pr[\Gamma_3 | \Gamma_1 \wedge \Gamma_2]$$

• Simulation of Set-partial-private-key stops if Create User algorithm fails. Now, this happens with probability at most $\frac{1}{n}$, where $n$ is the total number of iteration. Hence, the simulation is successful $n_C$ times with probability at least $\left(1 - \frac{1}{n}\right)^{n_C} \geq 1 - \frac{n_C}{n}$.
• $\mathcal{F}_1$ does not abort during the simulation of Set-Secret-Value with success probability at least $1 - \frac{n_{SV}}{n}$.
• CLS-Sign successfully produces a signature to train $\mathcal{A}_1$ for $ID \neq ID^*$ with probability $1 - \frac{1}{n}$. Therefore, it does not abort for $n_S$ times with probability at least $\left(1 - \frac{1}{n}\right)^{n_S} \geq 1 - \frac{n_S}{n}$.
• It is assumed that the probability of forging a valid signature for an identity by $\mathcal{F}_1$ is $\epsilon$.
• $\mathcal{A}_1$ succeeds to forge a signature for $ID = ID^*$ with advantage $\frac{1}{n_C}$ where CLS-Sign does not abort.

Therefore, we have

$$\Pr[\Gamma_1] = \left(1 - \frac{n_C}{n}\right)\left(1 - \frac{n_{SV}}{n}\right)\left(1 - \frac{n_S}{n}\right) \geq 1 - \frac{n_C + n_{SV} + n_S}{n} \qquad (6)$$
$$\Pr[\Gamma_2 | \Gamma_1] \geq \epsilon \qquad (7)$$
$$\Pr[\Gamma_3 | \Gamma_1 \wedge \Gamma_2] \geq \frac{1}{n_C} \qquad (8)$$

Therefore, $\mathcal{A}_1$ has the overall success probability of breaking EBSDH assumption

$$\Pr[\Gamma_1 \wedge \Gamma_2 \wedge \Gamma_3] = \Pr[\Gamma_1] \cdot \Pr[\Gamma_2 | \Gamma_1] \cdot \Pr[\Gamma_3 | \Gamma_1 \wedge \Gamma_2] \geq \left(1 - \frac{n_C + n_{SV} + n_S}{n}\right)\left(\frac{1}{n_C}\right)\epsilon$$

Breaching Time estimation: Since, exponentiation cost is a dominant operation than other operations in this simulation, we mainly consider exponentiation cost ($T_E$) in Game 1. $\mathcal{F}_1$ requires $n_C(q + 3)T_E$, $2n_P T_E$ and $3n_S T_E$ during set-partial-private-key, set-public-key and signature generation queries respectively. So, the additional time required by $\mathcal{F}_1$ is $T_{add} = (n_C(q + 3) + 2n_P + 3n_S)T_E \approx O((q n_C + n_S)T_E)$. Hence, the overall time needed by $\mathcal{F}_1$ to break $q$-EBSDH is considered as $T' = T + O((q n_C + n_S)T_E)$.

As $\epsilon$ refers non-negligible advantage, so, $\mathcal{A}_1$ cannot breach $q$-EBSDH assumption. Hence, our CLS scheme resists Type-I attack due to the intractability of $q$-EBSDH. This completes the proof of Theorem 1.

Theorem 2: If there exists a forger $\mathcal{A}_2$ that breaks $(T, n_C, n_S, \epsilon)$-Type-II security of our CLS scheme, then there exists a solver $\mathcal{F}_2$ that breaches $q$-BSDH assumption with success probability $\epsilon'$ in polynomial time $T'$ for

$$\epsilon' \geq \left(1 - \frac{n_{SV} + n_S}{n}\right)\left(\frac{1}{n_C}\right)\epsilon$$
$$T' = T + O((q n_C + n_S)\,T_E)$$

where $n_{SV}$, $n_S$ and $n_C$ represent the Set-Secret-Value, CL-Sign and Create User queries, respectively.

Proof: Here we prove that if our CLS scheme is insecure in time frame $T$, then there exists a Type-II forger $\mathcal{A}_2$ that can breach the hardness of BSDH assumption. Suppose, the challenger gives the BSDH challenge instance $\psi = \langle G, g, g^x, g^{x^2}, \ldots, g^{x^q} \rangle$ to $\mathcal{A}_2$ for which $\mathcal{A}_2$ wants to find the unknown $x \in Z_p^*$ by satisfying the condition of $Z = e(g, g)^{\frac{1}{x + \alpha}}$ for some known $\alpha \in Z_p^*$, where $G$, $g$, $q$ carries

same meaning as defined in Theorem 1. For simplicity, we have considered $A_i = g^{x^i}$, $\forall\, i \in [1, q]$ in $\psi$.

• Setup: Once, $\mathcal{A}_2$ receives the challenge tuple $\psi$, it consider a list $L$ of tuple $(ID, Y_1, Y_2, x, c, r, h, y, R)$. Initially, $L$ is empty. $\mathcal{A}_2$ chooses two polynomials $P(y)$ and $\Phi(y)$ of degree $q$ as

$$P(y) = \sum_{i=0}^{q} \alpha_i y^i \quad \text{and} \quad \Phi(y) = \sum_{i=0}^{q} \beta_i y^i$$

$\forall\, i \in [1, q]$, $\alpha_i, \beta_i \in_R Z_p^*$. It selects $s \in_R Z_p^*$, computes $g_1 = \prod_{i=0}^{q} (A_i)^{\alpha_i} = g^{P(x)}$ and $Y_{KGC} = (g_1)^s$. Finally, it computes $g_2 = e(g_1, g_1)^s$ and transmits system parameter $params = (G_1, G_2, q, e, g_1, g_2, Y_{KGC}, H)$ to $\mathcal{A}_2$, where $H : \{0, 1\}^* \rightarrow Z_p^*$. Now, $\mathcal{A}_2$ runs $\mathcal{F}_2$ to solve $q$-BSDH.

• Create User($ID_i$): For $h_i = H(ID_i)$, $\mathcal{F}_2$ performs certain tasks as follows:

– If $ID_i \neq ID^*$, then computes $r_i = \Phi(ID_i)$, $R_i = (g_1)^{r_i}$ and $y_i = (g_1)^{\frac{s \cdot h_i}{h_i + r_i + s}}$.
– Else (i.e., $ID_i = ID^*$)
  1) Sets $R_i = \prod_{i=1}^{q} (A_{i+1})^{\alpha_i} = (g_1)^x$.
  2) As all IDs are known publicly, therefore $P(y)$ can also be rewritten as

$$P(y) = \prod_{j=0}^{q-1} (s + h_i + y) \qquad (9)$$

  Let $P_i(y)$ be the polynomial for $ID_i$, which can be defined as

$$P_i(y) = \frac{P(y)}{(s + h_i + x)} = \frac{\prod_{j=0}^{q-1} (s + h_j + y)}{(s + h_i + x)} = \prod_{j=0, j \neq i}^{q-1} (s + h_j + y) = \sum_{j=0}^{q-2} \mu_j y^j$$

  for $(\mu_0, \mu_1, \ldots, \mu_{q-2}) \in_R (Z_p^*)^{q-2}$. It computes

$$y_i = \left\{\prod_{i=0}^{q-2} (A_i)^{\mu_i}\right\}^{s \cdot h_i} = \left\{(g_1)^{\frac{1}{s + h_i + x}}\right\}^{s \cdot h_i}.$$

– Finally, it keeps $(ID_i, \perp, \perp, \perp, \perp, r_i, h_i, y_i, R_i)$ in $L$. It is noted that partial private key verification condition $e(g_1, Y_{KGC})^{h_i} = e(y_i, g_1^{h_i + x} \cdot Y_{KGC})$ holds.

• Set-Partial-Private-Key ($ID_i$): $\mathcal{A}_2$ asks query for $ID_i$, and if it is found in $L$, then $\mathcal{F}_2$ returns $D_i = (y_i, R_i)$; otherwise, calls Create User and outputs $D_i = (y_i, R_i)$.

• Set-Secret-Value ($ID_i$): $\mathcal{F}_2$ checks an entry for $ID_i$ in $L$. If it exists (other than $\perp$), then $\mathcal{F}_2$ returns $(x_i, c_i, R_i)$; otherwise, it chooses $(x'_i, c'_i) \in_R (Z_p^*)^2$. Now, if an entry exists for $x_i = \perp$, then updates only $x_i$ as $x_i = x'_i$, and similarly for $c_i$ with $c'_i$; otherwise, calls Create-User and then updates $x_i = x'_i$, $c_i = c'_i$ in $L$.

• Set-Public-Key ($ID_i$): $\mathcal{A}_1$ invokes the query on its chosen $ID_i$ and if it is found in $L$ then $\mathcal{F}_1$ returns $Y_i = (Y_{i1}, Y_{i2})$. Otherwise, $\mathcal{F}_1$ calls Create User and proceeds as

– Checks an entry for $ID_i$ in $L$ where $x_i \neq \perp$ and $c_i \neq \perp$. If such $x_i$ and $c_i$ do not exist, then it chooses $(x_i, c_i) \in_R (Z_p^*)^2$. After that, it computes $Y_i = (Y_{i1}, Y_{i2})$, where $Y_{i1} = (y_i)^{\frac{1}{x_i}}$ and $Y_{i2} = (g_2)^{c_i}$.
– After that, it replaces $(\perp, \perp, \perp, \perp)$ by $(Y_{i1}, Y_{i2}, x_i, c_i)$ of the corresponding tuple in $L$, i.e., $(ID_i, Y_{i1}, Y_{i2}, x_i, c_i, r_i, h_i, y_i, R_i)$ to $L$.

Finally, $\mathcal{F}_2$ sends $Y_i = (Y_{i1}, Y_{i2})$ to $\mathcal{A}_2$.

• Sign ($ID_i, m$): On receiving the query on $q_{is} = (ID_i, m)$ asked by $\mathcal{A}_2$, $\mathcal{F}_2$ proceeds as follows:

– Collects the secret key pair $(x_i, c_i)$ from $L$.
– Selects $k \in_R Z_p^*$, and computes $\sigma_1 = (g_2)^k$.
– Computes $\sigma_2 = \{(g_1)^{h_i} \cdot R_i \cdot Y_{KGC}\}^{\left(\frac{c_i}{m} - t\right) x_i}$, for $h_i = H(ID_i)$, and returns $\sigma = (\sigma_1, \sigma_2)$ to $\mathcal{A}_1$.

• Output: $\mathcal{A}_1$ stops asking queries and produces a forged signature $\sigma' = (\sigma'_1, \sigma'_2)$ for a random chosen message $m'$ with identity $ID'$ whose public key is $Y_{ID'} = (Y'_{ID'1}, Y'_{ID'2})$, where CLS-Verify$(params, m', \sigma', ID', Y_{ID'})$ = VALID holds. Now, for $ID' \neq ID^*$ $\mathcal{F}_1$ outputs INVALID and aborts the simulation. Otherwise, it considers a polynomial $\psi(y) = \sum_{i=1}^{q-2} \tau_i y^i$ for some $(\tau_1, \tau_2, \cdots, \tau_{q-2}) \in (Z_p^*)^{q-2}$ and expands the polynomial $P(y)$ as

$$P(y) = \psi(y) \cdot [(s + h_i) + y] + \delta \qquad (10)$$

where $\delta$ is some chosen integer to form Eq. (10). Then, it finds $Y_{ID'1}$ from list $L$ where $Y_{ID'1} = (g_1)^{\frac{s \cdot h_{ID'}}{[(s + h_i) + x]} \cdot \frac{1}{x_{ID'}}}$. After that, $\mathcal{F}_1$ computes $\Upsilon$ as

$$\Upsilon = \left[(Y_{ID'1})^{\frac{x_{ID'}}{s \cdot h_{ID'}}} \cdot \prod_{i=1}^{q-2} (A_{i+1})^{-\tau_i}\right]^{\frac{1}{\delta}} = \left[g^{\frac{P(x)}{[(s + h_i) + x]}} \cdot g^{-\psi(x)}\right]^{\frac{1}{\delta}}$$
$$= \left[(g)^{\psi(x) + \frac{\delta}{[(s + h_i) + x]}} \cdot g^{-\psi(x)}\right]^{\frac{1}{\delta}} = \left[g^{\frac{\delta}{[(s + h_i) + x]}}\right]^{\frac{1}{\delta}} = g^{\frac{1}{[(s + h_i) + x]}} \qquad (11)$$

$\mathcal{F}_2$ computes $Z = e(g, \Upsilon) = e(g, g)^{\frac{1}{(r_i + h_i) + x}}$. Now, if we view $\alpha = s + h_i$, then $Z = e(g, g)^{\frac{1}{\alpha + x}}$. Thus, it breaks $q$-BSDH assumption.

Probability analysis: Similar to Theorem 1, in Game 2, the overall successful probability of breaking $q$-BSDH is computed and the following situations occur.

• $\mathcal{F}_2$ does not abort during the execution of Set-Secret-Value with success probability at least $1 - \frac{n_{SV}}{n}$.
• CLS-Sign successfully produces a signature to train $\mathcal{A}_2$ for $ID \neq ID^*$ with probability $1 - \frac{1}{n}$, where $n$ is the number of iteration. So, it does not abort for $n_S$ times with probability at least $1 - \frac{n_S}{n}$.
• It is assumed that the probability of forging a valid signature for an identity by $\mathcal{F}_2$ is $\epsilon$.
• $\mathcal{A}_2$ succeeds to forge a signature for $ID = ID^*$ with probability $\frac{1}{n_C}$ where CLS-Sign does not abort.
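The extraction step in the Output phase above (Eqs. (10) and (11)) can be checked numerically. The following Python code is an added example, not code from the paper: it assumes a toy order-1019 subgroup of $Z_{2039}^*$ in place of the pairing groups (so the final pairing $Z = e(g, \Upsilon)$ is left out), and every constant and function name in it is constructed for illustration.

```python
"""Toy check of the extraction step in the proof of Theorem 2 (Eqs. (10)-(11)).

Assumptions (not from the paper): the pairing groups are replaced by the
order-1019 subgroup of Z*_2039, so the last step Z = e(g, Upsilon) is omitted;
all constants and names below are constructed for illustration.
"""

MOD = 2039     # field prime, MOD = 2 * ORDER + 1
ORDER = 1019   # prime order of the subgroup generated by G
G = 4          # 4 = 2^2 is a quadratic residue mod 2039, so its order is 1019


def challenge(x, q):
    """Challenger side: A_i = g^(x^i) for i = 0..q; x itself is never released."""
    return [pow(G, pow(x, i, ORDER), MOD) for i in range(q + 1)]


def in_exponent(A, coeffs):
    """g^(f(x)) for f with coefficients `coeffs` (low degree first), from the A_i only."""
    if len(coeffs) > len(A):
        raise ValueError("polynomial degree exceeds the challenge length")
    out = 1
    for a_i, c in zip(A, coeffs):
        out = out * pow(a_i, c, MOD) % MOD
    return out


def divide_by_linear(P, alpha):
    """Synthetic division so that P(y) = psi(y) * (y + alpha) + delta, as in Eq. (10)."""
    root = (-alpha) % ORDER
    psi = [0] * (len(P) - 1)
    carry = 0
    for k in range(len(P) - 1, 0, -1):
        carry = (P[k] + root * carry) % ORDER
        psi[k - 1] = carry
    delta = (P[0] + root * carry) % ORDER
    return psi, delta


def extract(A, P, s, h, x_id, y_id1):
    """Solver side: derive Upsilon = g^(1/(alpha + x)) with alpha = s + h, without x."""
    alpha = (s + h) % ORDER
    # Strip the known exponents: Y^(x_id/(s*h)) = g1^(1/(alpha+x)) = g^(P(x)/(alpha+x)).
    strip = x_id * pow(s * h % ORDER, -1, ORDER) % ORDER
    base = pow(y_id1, strip, MOD)
    psi, delta = divide_by_linear(P, alpha)
    if delta == 0:
        raise ValueError("-alpha is a root of P; the remainder delta must be non-zero")
    g_psi = in_exponent(A, psi)                     # g^(psi(x)), built from the challenge
    g_frac = base * pow(g_psi, -1, MOD) % MOD       # g^(delta/(alpha+x))
    return pow(g_frac, pow(delta, -1, ORDER), MOD)  # Eq. (11)


def constructed_instance():
    """Constructed inputs; x is used here only to play the challenger and key holder."""
    x, q = 777, 4
    P = [3, 1, 4, 1, 5]          # P(y) = 3 + y + 4y^2 + y^3 + 5y^4 (degree q)
    s, h, x_id = 123, 45, 321
    A = challenge(x, q)
    g1 = in_exponent(A, P)       # g1 = g^(P(x)), as computed in Setup
    alpha = (s + h) % ORDER
    # Y_ID'1 = g1^(s*h / ((alpha + x) * x_id)), the form stated before Eq. (11).
    e = s * h * pow((alpha + x) * x_id % ORDER, -1, ORDER) % ORDER
    return x, A, P, s, h, x_id, pow(g1, e, MOD)


def run():
    """Return (Upsilon from the solver, g^(1/(alpha+x)) computed with knowledge of x)."""
    x, A, P, s, h, x_id, y_id1 = constructed_instance()
    upsilon = extract(A, P, s, h, x_id, y_id1)
    expected = pow(G, pow((s + h + x) % ORDER, -1, ORDER), MOD)
    return upsilon, expected


if __name__ == "__main__":
    print(run())
```

The solver's `extract` never receives `x`; only `run` uses it, to confirm that the recovered group element equals $g^{1/(\alpha + x)}$.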


Therefore, we have

$$\Pr[\Gamma_1] \geq 1 - \frac{n_{SV} + n_S}{n} \qquad (12)$$
$$\Pr[\Gamma_2 | \Gamma_1] \geq \epsilon \qquad (13)$$
$$\Pr[\Gamma_3 | \Gamma_1 \wedge \Gamma_2] \geq \frac{1}{n_C} \qquad (14)$$

From Eqs. (12), (13) and (14), $\mathcal{F}_2$ has the overall success probability of breaking BSDH

$$\Pr[\Gamma_1 \wedge \Gamma_2 \wedge \Gamma_3] = \epsilon' \geq \left(1 - \frac{n_{SV} + n_S}{n}\right)\left(\frac{1}{n_C}\right)\epsilon$$

Breaching Time estimation: As in Theorem 1, the time needed by $\mathcal{A}_2$ to break $q$-BSDH is considered as $T' = T + O((q n_C + n_S)T_E)$.

Hence, our CLS scheme resists Type-II attack based on $q$-BSDH assumption. This completes the proof of Theorem 2.

B. Performance analysis

This section discusses the performance of our CLS scheme from the aspect of the security type, security definition, signature length with the computational complexity during signature generation and verification. In addition, we also discuss how our scheme is more efficient than others from its implementation point of view later in this section.

1) Computational time: The cost of Setup algorithm comprises the generation of a prime ordered group pair $(G_1, G_2)$, two exponentiations and a pairing computation; Set-Partial-Private-Key algorithm needs two exponentiation cost computations, and Set-Public-Key algorithm computes one exponentiation cost. In addition, the signer runs CLS-Sign algorithm, which requires two exponentiations to produce a signature $\sigma$. Also, the verifier runs CLS-Verify, which requires two exponentiations with one pairing operation to authenticate any signature $\sigma$. Based on [45]–[49], Table II is given which shows the computational cost required by each cryptographic operation. Table III shows a detailed performance comparison between the proposed CLS and other relevant CLSs where the required cost notations are given in Table II. Based on Table III, we mention that the total required time of our CLS scheme is nearly 52% of Feng et al.'s CLS [34], 53% of He et al.'s CLS [36], 30% of Zhang et al.'s CLS [22], 92% of Tsai et al.'s CLS [37], 49% of Huang et al.'s CLS [23], 33% of Choi et al.'s CLS [27], 42% of Tso et al.'s CLS [29] and 34.34% of Yuan et al.'s CLS [33].

TABLE II
COMPUTATION COST OF PRIMITIVE OPERATIONS

Operation                                        Required time (≈)
-----------------------------------------------  -----------------
Tm (Modular multiplication)                      01.00 Tm
Ti (Modular inversion)                           11.60 Tm
Ta (Two elliptic curve points addition)          00.12 Tm
Ts (Elliptic curve scalar point multiplication)  29.00 Tm
Te (Exponentiation)                              21.00 Tm
Th (Map-To-Point hash operation)                 29.00 Tm
Tp (Bilinear pairing)                            87.00 Tm

2) Signature length: To sign any message $m$, the signatory executes CLS-Sign algorithm and produces 2-tuple signature $\sigma = (\sigma_1, \sigma_2)$, where $(\sigma_1, \sigma_2) \in (G_1)^2$. Therefore, the length of signature is $2|G_q|$, which is equal to the signature proposed in [22] and little-bit larger than the schemes in [23], [26], [27], [29], [34], [36], [37]. Although signature size in our CLS scheme is larger than other CLS schemes, only our CLS scheme achieves both the Type-I and Type-II security with minimum computational overhead (requires 171.00 Tm). Now in the next section, we discuss how the actual time is computed for each mentioned operation by utilizing the PBC library.

C. Implementation issues and experimental results

The execution time of various mathematical operations on the bilinear group pair is collected from a SONY E-series laptop. The configuration is Intel(R) Core(TM) i3-2310M CPU@2.10 GHz, 4 GB RAM and Ubuntu 14.04 LTS operating system. Now, the running time of every operation is calculated by taking the mean of ten consecutive executions with various inputs based on the popular PBC library [50]. Table IV gives execution cost of such operations run over the bilinear group, where pairing computation is performed with the preprocessing functionality. To achieve faster pairing computation, the nature of curve is considered as Type-A with 512-bit group and the underlying embedding degree is considered as 2, which is equal to 1024-bit RSA security level. Basically, Type-A is a super singular curve $y^2 = x^3 + x$ built with Solinas prime ordered group, where $G_1 = G_2$. For the purpose of comparison, we consider $|G_1| = |G_2| = |Z_p^*|$, $G = G_1$, $G_T = G_2$. It is noticed that KGC requires approximately 1.458 ms to start our system and requires 0.630 ms to compute a party's private key for a chosen identity. To perform a sign operation on a randomly chosen message, signatory needs 0.370 ms, and verifier requires 1.147 ms to verify a signature. A pictorial overview as Fig. 3 based on Table IV is given where it is seen that our CLS scheme is secure as well as performs more efficiently (during signature generation and verification) than other CLSs.

V. CONCLUDING REMARKS

The IIoT with cloud technology is transforming our society and the industries into a new digital form globally by adding many extra facilities. Therefore, promising the authenticity of IIoT data is one of the important issues for any IIoT System. To address this issue, a novel CLS technique using bilinear pairing applicable for IIoT environments is presented in this paper. The proposed CLS resists both Type-I and Type-II attacks under the intractability of EBSDH and BSDH problems without considering the random oracle model respectively. In addition, our scheme takes lesser cryptographic operations and avoids probabilistic MTP hash function. Both the theoretical and practical experiments show that our CLS scheme is computationally efficient and has better security features compared to other existing CLSs. Thus, our CLS scheme is applicable in every scenario, especially where the computational cost is a major issue and the communication bandwidth, as well as storage space, is confined. Thus, our lightweight CLS is more compatible with the IIoT system than other CLS schemes.


TABLE III
PERFORMANCE COMPARISONS OF OUR CLS SCHEME AND OTHER CLS SCHEMES

                    Cost during signature                        Total cost             Secure against      Security
Scheme              Generation (G)    Verification (V)           (G + V)      |σ|       Type-I, Type-II     assumption
------------------  ----------------  -------------------------  -----------  --------  ------------------  -------------
Zhang et al. [22]   3Ts + Ta + 2Th    4Tp + 3Th                  580.12 Tm    2|Gq|     √ √                 CDHP
Huang et al. [23]   Ts + Th + Ta      3Tp + Th                   348.12 Tm    |Gq|      ×                   CDHP
Choi et al. [27]    Th + 3Ts + Ta     2Ts + Ta + 3(Tp + Th)      522.24 Tm    |Gq|      ×                   CDHP
Tso et al. [29]     Te + Ti           4Tp + Th                   409.60 Tm    |Gq|      ×                   CDHP
Yuan et al. [33]    2Te               Te + 5Tp                   498.00 Tm    3|Gq|     √ √                 CDHP
Feng et al. [34]    2Te               3Tp + Th                   332.00 Tm    |Gq|      √ √                 CDHP
He et al. [36]      Ts + Th           Th + 2(Ts + Ta + Tp)       319.24 Tm    |Gq|      √ √                 CDHP
Tsai [37]           Ts + Ti           Tp + 2(Ts + Ta)            185.84 Tm    |Gq|      × ×                 k-CAA
Ours                2Te               2Te + Tp                   171.00 Tm    2|Gq|     √ √                 EBSDH & BSDH

|σ|: Length of the signature; k-CAA: Collusion attack algorithm with k traitors; CDHP: Computational Diffie-Hellman problem; ECDLP: Elliptic curve discrete logarithm problem; BSDH: Bilinear Strong Diffie-Hellman Problem; EBSDH: Extended BSDH problem
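The totals in Table III follow from the per-operation costs in Table II. The following Python code is an added example, not code from the paper: it parses the cost expressions in the table's own notation, recomputes each total in units of Tm, and derives the ratio of the proposed scheme's cost to each other scheme's; the function names are constructed for illustration.

```python
import re
from decimal import Decimal

# Per-operation costs from Table II, in units of Tm.
UNIT_COST = {
    "Tm": Decimal("1.00"), "Ti": Decimal("11.60"), "Ta": Decimal("0.12"),
    "Ts": Decimal("29.00"), "Te": Decimal("21.00"), "Th": Decimal("29.00"),
    "Tp": Decimal("87.00"),
}

# Rows of Table III: scheme -> (generation, verification, printed total in Tm).
TABLE_III = {
    "Zhang [22]": ("3Ts + Ta + 2Th", "4Tp + 3Th", "580.12"),
    "Huang [23]": ("Ts + Th + Ta", "3Tp + Th", "348.12"),
    "Choi [27]": ("Th + 3Ts + Ta", "2Ts + Ta + 3(Tp + Th)", "522.24"),
    "Tso [29]": ("Te + Ti", "4Tp + Th", "409.60"),
    "Yuan [33]": ("2Te", "Te + 5Tp", "498.00"),
    "Feng [34]": ("2Te", "3Tp + Th", "332.00"),
    "He [36]": ("Ts + Th", "Th + 2(Ts + Ta + Tp)", "319.24"),
    "Tsai [37]": ("Ts + Ti", "Tp + 2(Ts + Ta)", "185.84"),
    "Ours": ("2Te", "2Te + Tp", "171.00"),
}


def evaluate(expr):
    """Evaluate a cost expression such as '2Ts + Ta + 3(Tp + Th)' in units of Tm."""
    tokens = re.findall(r"\d+|T[a-z]|[()+]", expr)
    pos = 0

    def parse_sum():
        nonlocal pos
        total = parse_term()
        while pos < len(tokens) and tokens[pos] == "+":
            pos += 1
            total += parse_term()
        return total

    def parse_term():
        # term := [integer multiplier] (operation symbol | '(' sum ')')
        nonlocal pos
        factor = Decimal(1)
        if tokens[pos].isdigit():
            factor = Decimal(tokens[pos])
            pos += 1
        if tokens[pos] == "(":
            pos += 1
            value = parse_sum()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parenthesis in " + expr)
            pos += 1
        else:
            value = UNIT_COST[tokens[pos]]
            pos += 1
        return factor * value

    result = parse_sum()
    if pos != len(tokens):
        raise ValueError("trailing tokens in " + expr)
    return result


def recompute_totals():
    """Return scheme -> (recomputed total, whether it equals the printed total)."""
    out = {}
    for scheme, (gen, ver, printed) in TABLE_III.items():
        total = evaluate(gen) + evaluate(ver)
        out[scheme] = (total, total == Decimal(printed))
    return out


def ratio_to_ours(scheme):
    """Cost of the proposed scheme as a percentage of `scheme`'s cost (two decimals)."""
    totals = recompute_totals()
    pct = totals["Ours"][0] / totals[scheme][0] * 100
    return pct.quantize(Decimal("0.01"))


if __name__ == "__main__":
    for name, (total, ok) in recompute_totals().items():
        print(f"{name:12s} {total:>8} Tm  matches table: {ok}  ours/this: {ratio_to_ours(name)}%")
```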

TABLE IV
COMPUTATION TIME BENCHMARK OF DIFFERENT CRYPTOGRAPHIC OPERATIONS (IN MILLISECOND)

Curve Type: A

Operations                                  Run time
------------------------------------------  ---------
Bilinear Pairing (TP), Normal               2.486 ms
Bilinear Pairing (TP), PreComp              1.088 ms
Exponentiation (TE), in G                   0.311 ms
Exponentiation (TE), in GT                  0.059 ms
Point Operation, Addition (Ta)              0.001 ms
Point Operation, Multiplication (Ts)        0.318 ms
Modular Inversion (Ti)                      0.009 ms
Map-To-Point Hash (Th)                      0.334 ms

[Figure: bar chart of Generation and Verification time in millisecond (axis from 0 to 6) for schemes [22], [23], [27], [29], [33], [34], [36], [37] and Ours]

Fig. 3. Cost comparisons between our CLS and other related schemes

Although our scheme is computationally efficient, during authenticated IIoT data creation and verification, the execution cost can be reduced by discarding the pairing computation.

REFERENCES

[1] Kevin Ashton. That 'internet of things' thing. RFiD Journal, 22(7), 2009.
[2] Gartner says 8.4 billion connected. http://www.gartner.com/newsroom/id/3598917. Accessed: 2017-02-07.
[3] Mimi Ma, Debiao He, Neeraj Kumar, Kim-Kwang Raymond Choo, and Jianhua Chen. Certificateless searchable public key encryption scheme for industrial internet of things. IEEE Transactions on Industrial Informatics, 2017.
[4] Xiong Li, Jieyao Peng, Jianwei Niu, Fan Wu, Junguo Liao, and Kim-Kwang Raymond Choo. A robust and energy efficient authentication protocol for industrial internet of things. IEEE Internet of Things Journal, 2017.
[5] Xiong Li, Jianwei Niu, Md Zakirul Alam Bhuiyan, Fan Wu, Marimuthu Karuppiah, and Saru Kumari. A robust ecc based provable secure authentication protocol with privacy preserving for industrial internet of things. IEEE Transactions on Industrial Informatics, 2017.
[6] Mohamed Almorsy, John Grundy, and Ingo Müller. An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107, 2016.
[7] Adi Shamir. Identity-based cryptosystems and signature schemes. In Advances in cryptology, pages 47–53. Springer, 1984.
[8] Sattam S Al-Riyami and Kenneth G Paterson. Certificateless public key cryptography. In Advances in cryptology-ASIACRYPT 2003, pages 452–473. Springer, 2003.
[9] Boyang Wang, Baochun Li, Hui Li, and Fenghua Li. Certificateless public auditing for data integrity in the cloud. In Communications and Network Security (CNS), 2013 IEEE Conference on, pages 136–144. IEEE, 2013.
[10] Zhe Liu, Xinyi Huang, Zhi Hu, Muhammad Khurram Khan, Hwajeong Seo, and Lu Zhou. On emerging family of elliptic curves to secure internet of things: Ecc comes of age. IEEE Transactions on Dependable and Secure Computing, 14(3):237–248, 2017.
[11] Seung-Hyun Seo, Mohamed Nabeel, Xiaoyu Ding, and Elisa Bertino. An efficient certificateless encryption for secure data sharing in public clouds. IEEE Transactions on Knowledge and Data Engineering, 26(9):2107–2119, 2014.
[12] Yuan Zhang, Chunxiang Xu, Shui Yu, Hongwei Li, and Xiaojun Zhang. Sclpv: Secure certificateless public verification for cloud-based cyber-physical-social systems against malicious auditors. IEEE Transactions on Computational Social Systems, 2(4):159–170, 2015.
[13] YinXia Sun and Hui Li. Short-ciphertext and bdh-based cca2 secure certificateless encryption. Science China Information Sciences, 53(10):2005–2015, 2010.
[14] Yin-xia Sun and Fu-tai Zhang. Secure certificateless encryption with short ciphertext. Chin. J. Electron, 19(2):313–318, 2010.
[15] M Choudary Gorantla and Ashutosh Saxena. An efficient certificateless signature scheme. In Computational Intelligence and Security, pages 110–116. Springer, 2005.
[16] Wun-She Yap, Swee-Huay Heng, and Bok-Min Goi. An efficient certificateless signature scheme. In Emerging Directions in Embedded and Ubiquitous Computing, pages 322–331. Springer, 2006.
[17] Mihir Bellare and Phillip Rogaway. The exact security of digital signatures-how to sign with rsa and rabin. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 399–416. Springer, 1996.
[18] Mihir Bellare, Alexandra Boldyreva, and Adriana Palacio. An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 171–188. Springer, 2004.
[19] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle


methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.
[20] Zhenfeng Zhang and Dengguo Feng. Key replacement attack on a certificateless signature scheme. IACR Cryptology ePrint Archive, 2006:453, 2006.
[21] Xuefei Cao, Kenneth G Paterson, and Weidong Kou. An attack on a certificateless signature scheme. IACR Cryptology ePrint Archive, 2006:367, 2006.
[22] Zhenfeng Zhang, Duncan S Wong, Jing Xu, and Dengguo Feng. Certificateless public-key signature: security model and efficient construction. In International Conference on Applied Cryptography and Network Security, pages 293–308. Springer, 2006.
[23] Xinyi Huang, Yi Mu, Willy Susilo, Duncan S Wong, and Wei Wu. Certificateless signature revisited. In Information Security and Privacy, pages 308–322. Springer, 2007.
[24] Kyung-Ah Shim. Breaking the short certificateless signature scheme. Information Sciences, 179(3):303–306, 2009.
[25] Raylin Tso, Xun Yi, and Xinyi Huang. Efficient and short certificateless signature. In Cryptology and Network Security, pages 64–79. Springer, 2008.
[26] Hongzhen Du and Qiaoyan Wen. Efficient and provably-secure certificateless short signature scheme from bilinear pairings. Computer Standards & Interfaces, 31(2):390–394, 2009.
[27] Kyu Young Choi, Jong Hwan Park, and Dong Hoon Lee. A new provably secure certificateless short signature scheme. Computers & Mathematics with Applications, 61(7):1760–1768, 2011.
[28] Miaomiao Tian, Liusheng Huang, and Wei Yang. On the security of a certificateless short signature scheme. IACR Cryptology ePrint Archive, 2011:419, 2011.
[29] Raylin Tso, Xinyi Huang, and Willy Susilo. Strongly secure certificateless short signatures. Journal of Systems and Software, 85(6):1409–1417, 2012.
[30] Debiao He, Jianhua Chen, and Rui Zhang. An efficient and provably-secure certificateless signature scheme without bilinear pairings. International Journal of Communication Systems, 25(11):1432–1442, 2012.
[31] Miaomiao Tian and Liusheng Huang. Cryptanalysis of a certificateless signature scheme without pairings. International Journal of Communication Systems, 26(11):1375–1381, 2013.
[32] Yong Yu, Yi Mu, Guilin Wang, Qi Xia, and Bo Yang. Improved certificateless signature scheme provably secure in the standard model. IET Information Security, 6(2):102–110, 2012.
[33] Yumin Yuan and Chenhui Wang. Certificateless signature scheme with security enhanced in the standard model. Information Processing Letters, 114(9):492–499, 2014.
[34] Shu Rong Feng, Jiao Mo, Hua Zhang, and Zheng Ping Jin. Certificateless short signature scheme from bilinear pairings. In Applied Mechanics and Materials, volume 380, pages 2435–2438. Trans Tech Publ, 2013.
[35] RUEI-HAU HSU CHUN-IFan and PEI-HSIU HO. Truly non-repudiation certificateless short signature scheme from bilinear pairings. Journal of information science and engineering, 27:969–982, 2011.
[36] Debiao He, Baojun Huang, and Jianhua Chen. New certificateless short signature scheme. IET Information Security, 7(2):113–117, 2013.
[37] Jia-Lun Tsai. A new efficient certificateless short signature scheme using bilinear pairings. IEEE Systems Journal, 2015.
[38] Arijit Karati and GP Biswas. Cryptanalysis of zheng et al.'s pairing-free secure IBE scheme. In 2015 International Conference on Information Technology (ICIT), pages 101–106. IEEE, 2015.
[39] G Jai Arul Jose and Adalia Martin. Efficient signature scheme for secure electronic transaction. Journal of Computing Technologies, 5(4):28–30, 2016.
[40] Sébastien Canard and Viet Cuong Trinh. An efficient certificateless signature scheme in the standard model. In International Conference on Information Systems Security, pages 175–192. Springer, 2016.
[41] Fei Li, Dongqing Xie, Wei Gao, Kefei Chen, Guilin Wang, and Roberto Metere. A certificateless signature scheme and a certificateless public auditing scheme with authority trust level 3+. Journal of Ambient Intelligence and Humanized Computing, pages 1–10, 2017.
[42] Kuo-Hui Yeh, Chunhua Su, Kim-Kwang Raymond Choo, and Wayne Chiu. A novel certificateless signature scheme for smart objects in the internet-of-things. Sensors, 17(5):1001, 2017.
[43] Liangliang Wang, Kefei Chen, Yu Long, and Huige Wang. An efficient pairing-free certificateless signature scheme for resource-limited systems. Science China Information Sciences, 60(11):119102:1–119102:3, 2017.
[44] Arijit Karati and GP Biswas. Efficient and provably secure random oracle-free adaptive identity-based encryption with short-signature scheme. Security and Communication Networks, 9(17):4060–4074, 2016.
[45] SK Hafizul Islam and GP Biswas. A pairing-free identity-based authenticated group key agreement protocol for imbalanced mobile networks. annals of telecommunications-annales des télécommunications, 67(11-12):547–558, 2012.
[46] Xuefei Cao, Weidong Kou, and Xiaoni Du. A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges. Information Sciences, 180(15):2895–2903, 2010.
[47] Marko Holbl, Tatjana Welzer, and Bovstjan Brumen. Two proposed identity-based three-party authenticated key agreement protocols from pairings. computers & security, 29(2):244–252, 2010.
[48] Paulo SLM Barreto, Hae Y Kim, Ben Lynn, and Michael Scott. Efficient algorithms for pairing-based cryptosystems. In Annual International Cryptology Conference, pages 354–369. Springer, 2002.
[49] Ai Wan Fan and Shu Xi Lu. An improved elliptic curve digital signature algorithm. In Applied Mechanics and Materials, volume 34, pages 1024–1027. Trans Tech Publ, 2010.
[50] Ben Lynn. Pbc library–the pairing-based cryptography library. http://crypto.stanford.edu/pbc/, 2007.

Arijit Karati received B.Sc. in Computer Applications from University of Calcutta, West Bengal, India in 2011 and M.Sc. in Computer Science from Pondicherry University, Puducherry, India in 2013. He has submitted his Ph.D thesis to Indian Institute of Technology (ISM) Dhanbad, India. Presently, he is working as an Assistant Professor in the area of Computer Science and Engineering, NIIT University, Neemrana, Rajasthan 301705, India. His research interest includes Cryptography and Information/Network Security.

SK Hafizul Islam received M.Sc. in Applied Mathematics from the Vidyasagar University, West Bengal, India in 2006. He also received M.Tech. degree in Computer Application in 2009, and Ph.D. degree in Computer Science and Engineering in June 2013 from the Indian Institute of Technology(ISM) Dhanbad, Jharkhand, India, under the INSPIRE Fellowship Ph.D. Program (funded by DST, Govt. of India). He is currently an Assistant Professor with the Department of Computer Science and Engineering, Indian Institute of Information Technology Kalyani (IIIT Kalyani), West Bengal India. Before joining the IIIT Kalyani, he worked as an Assistant Professor in the Department of Computer Science and Information Systems, BITS Pilani, Pilani Campus, Rajasthan, India. He received University Gold Medal, S.D. Singha Memorial Endowment Gold Medal and Sabitri Parya Memorial Endowment Gold Medal from Vidyasagar University, in 2006. He also received University Gold Medal from IIT(ISM) Dhanbad in 2009 and OPERA award from BITS Pilani in 2015. He has more than five yrs. of teaching and eight yrs. of research experiences, and published seventy research papers in Journals and Conference Proceedings of International reputes. He served as reviewer in many reputed International Journals and Conferences. He is an Associate Editor of Wiley's the International Journal of Communication Systems and Security and Privacy. His current research interest includes Cryptography, Information security, WSNs, IoT and Cloud Computing.

Marimuthu Karuppiah received his B.E. degree in Computer Science and Engineering from Madurai Kamaraj University, Madurai, India in 2003, M.E. degree in Computer Science and Engineering from Anna University, Chennai, India in 2005, Ph.D. degree in Computer Science and Engineering from VIT University, Vellore, India in 2015. He is now an Associate Professor in School of Computing Science and Engineering, VIT University, Vellore, Tamilnadu, India. He has published more than fifteen research papers in SCI indexed journals and more than twenty research papers in SCOPUS indexed journals and international conferences. He is a life member of Cryptology Research Society of India (CRSI) and Computer Society of India (CSI). His main research interests include cryptography and wireless network security, in particular, authentication and encryption schemes.
