
A Lightweight Cryptographic Protocol with Certificateless Signature for the Internet of Things

LU ZHOU and CHUNHUA SU, University of Aizu, Japan
KUO-HUI YEH, National Dong Hwa University, Taiwan

The universality of smart devices has brought rapid development and significant advancement of ubiquitous applications for the Internet of Things (IoT). Designing new types of IoT-compatible cryptographic protocols has become a more popular way to secure IoT-based applications. Significant attention has been dedicated to the challenge of implementing a lightweight and secure cryptographic protocol for IoT devices. In this study, we propose a lightweight cryptographic protocol integrating certificateless signature and bilinear pairing crypto-primitives. In the proposed protocol, we elegantly refine the processes to account for computation-limited IoT devices during security operations. Rigorous security analyses are conducted to guarantee the robustness of the proposed cryptographic protocol. In addition, we demonstrate a thorough performance evaluation, where an IoT-based test-bed, i.e., the Raspberry PI, is simulated as the underlying platform of the implementation of our proposed cryptographic protocol. The results show the practicability of the proposed protocol.
CCS Concepts: • Security and privacy → Cryptography; Public key (asymmetric) techniques; Digital signa-
tures; Security in hardware; Hardware security implementation; Hardware-based security protocols;
Additional Key Words and Phrases: Bilinear pairing, certificateless signature, cryptographic protocol, internet
of things (IoT), security
ACM Reference format:
Lu Zhou, Chunhua Su, and Kuo-Hui Yeh. 2019. A Lightweight Cryptographic Protocol with Certificateless
Signature for the Internet of Things. ACM Trans. Embed. Comput. Syst. 18, 3, Article 28 (April 2019), 10 pages.
https://doi.org/10.1145/3301306

1 INTRODUCTION
With the rapid growth and universality of information and communication technologies for IoT, numerous ubiquitous applications have found increasingly wide deployment in diverse daily-operated services, to probe for more business opportunities or higher individual benefit. For example, a smart home consisting of smart IoT devices may provide tailored and on-demand entertainment services that better satisfy individuals. Another example is individuals gradually changing their purchasing habits from classic credit cards to new approaches such as online payments via wearables. Nevertheless, IoT applications still have room for improvement from the viewpoints of standards, interoperability, and security. That is, widely accepted standards for the development and deployment of IoT applications are still lacking, which impedes interoperability among systems. Moreover, security is important and indispensable, yet it is, unfortunately, in an early stage of evolution, as the support from current hardware and software techniques is not sufficient.

Recently, the benefits of IoT have been mostly focused on industry, and numerous IoT applications have emerged as part of this trend. These techniques have provided more convenience and thoroughly changed how individuals think about their behavior in daily life. However, the convenience is accompanied by security and privacy risks with respect to the robustness of the hardware, software, and communication architecture. Hence, it is critical to provide a secure and privacy-aware scheme that protects the user's sensitive data, processed and transferred by IoT applications, from being disclosed and tampered with. In this study, we are motivated to design and implement a robust cryptographic protocol as a security guarantee for IoT applications. The proposed protocol adopts solid certificateless signature and bilinear pairing crypto-primitives to obtain high security robustness. In Section 2, we investigate the existing research and discuss the most relevant studies. Then, we introduce the detailed procedures of the proposed cryptographic protocol in Section 3. Next, Section 4 shows the security analysis and performance evaluation of the proposed protocol. Finally, the concluding remarks are presented in Section 5.

This work was supported in part by JSPS Kakenhi Kiban(B) 18H03240 and Kakenhi Kiban(C) 18K11298, and in part by the Ministry of Science and Technology (Taiwan) under grants MOST 105-2221-E-259-014-MY3, MOST 105-2221-E-011-070-MY3, MOST 105-2923-E-182-001-MY3, and MOST 107-2218-E-011-012.
Authors' addresses: L. Zhou and C. Su, University of Aizu, Aizu-Wakamatsu, Fukushima Pref. 965-8580, Japan; emails: {d8192103, chsu}@u-aizu.ac.jp; K.-H. Yeh (corresponding author), National Dong Hwa University, No. 1, Sec. 2, Da Hsueh Road, Shoufeng, Hualien 97401, Taiwan; email: khyeh@gms.ndhu.edu.tw.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
© 2019 Association for Computing Machinery.
1539-9087/2019/04-ART28 $15.00
https://doi.org/10.1145/3301306

ACM Transactions on Embedded Computing Systems, Vol. 18, No. 3, Article 28. Publication date: April 2019.

2 RELATED WORK
The first certificateless signature (CLS) scheme was proposed by Al-Riyami and Paterson (2003), in which an asymmetric key pair is established with the aid of an external trusted third party instead of centralized certificate management. With this decentralized structure, better efficiency can be obtained, because no certificate management needs to be implemented on the user's side. Nevertheless, the pioneering study leaves room for improvement. Huang et al. (2005) pointed out that Al-Riyami and Paterson's scheme is insecure against public key replacement attacks, and they presented a modified scheme as the remedy. Later, Huang et al. (2007) further refined the security model proposed by Al-Riyami and Paterson with three power levels of adversary abilities, namely normal, strong, and super adversaries. Huang et al. then demonstrated a CLS scheme with bilinear pairing that is immune against super type I and II adversaries. Note that Huang et al. have also published an extension of their study (Huang et al. 2012), with the updated version containing detailed proofs and more content. In 2004, Yum and Lee (2004) proposed a generic construction of CLS schemes based on the concept of identity-based public key cryptography. The authors further identified an extended construction in which a trusted third party (TTP) cannot know the users' private keys. However, Hu et al. (2006) found that the construction proposed by Yum and Lee (2004) is vulnerable to public key replacement attacks. Next, Gorantla and Saxena (2005) introduced a CLS protocol with bilinear pairing and claimed that it is more computationally efficient than the published certificateless signature schemes, requiring less bandwidth and power consumption. Unfortunately, its weaknesses were identified by Cao et al. (2008).

In 2011, He et al. (2011) presented an efficient CLS scheme in which no bilinear pairing is used during the protocol operation. The security robustness of the proposed CLS scheme was verified under the random oracle model. Later, Tsai et al. (2014) pointed out the insecurity of He et al.'s scheme (2011) when a strong type II adversary exists. In the same year, Gong and Li (2014) also presented a provably-secure CLS mechanism. Similarly, the proposed mechanism does not utilize bilinear pairing for efficiency reasons. Nevertheless, Yeh et al. (2015) identified a vulnerability in Gong and Li's CLS mechanism under the assumption of a super type I attacker. A remedy was then proposed with a security proof under the random oracle model. In a later work, Wang et al. (2015) further considered the design of the verification messages transmitted in the CLS scheme proposed by Yeh et al. and introduced an updated scheme with higher computation efficiency, in which some costs associated with ECC scalar multiplication and addition operations could be removed. However, Yeh et al. (2017) presented a vulnerability in Wang et al.'s scheme, where a malicious super type I adversary can easily forge a valid signature on any given message. After that, Jia et al. (2018) demonstrated that Yeh et al.'s scheme (2017) was insecure against type I and II adversaries, and a countermeasure was presented to overcome the identified security weaknesses. Beyond these scheme-level results, the applicable fields of CLS techniques are diverse. Possible applications of CLS techniques include big data with cloud (He et al. 2017) and vehicular ad hoc networks (Cui et al. 2018).

3 THE PROPOSED CRYPTOGRAPHIC PROTOCOL


In this section, we introduce the detailed procedures of the proposed cryptographic protocol for IoT devices. The proposed protocol can be used to secure real IoT application scenarios. Before introducing our protocol, we present the system parameters, including the elliptic curve and the bilinear pairing. Let $E/\mathbb{F}_p$ denote an elliptic curve $E$ over a prime finite field $\mathbb{F}_p$, defined by the equation $y^2 = x^3 + ax + b$, where $a, b \in \mathbb{F}_p$ are constants such that $\Delta = 4a^3 + 27b^2 \neq 0$. All points $P_i = (x_i, y_i)$ on $E$ together with the point at infinity $O$ form a cyclic group $G$ under the point addition $R = P + Q$ defined by the chord-and-tangent rule. In addition, $t \cdot P = P + P + \cdots + P$ ($t$ times) is the scalar multiplication, where $P$ is a generator of $G$ with order $n$. The Elliptic Curve Discrete Logarithm Problem (ECDLP) is then defined as follows: given a group $G$ of elliptic curve points with prime order $n$, a generator $P$ of $G$, and a point $x \cdot P$, it is computationally infeasible to derive $x$, where $x \in \mathbb{Z}_n^*$. Moreover, let $G_1$ and $G_2$ be cyclic groups with the same prime order $q$, where $G_1$ is an additive cyclic group and $G_2$ is a multiplicative cyclic group. Let a mapping $e : G_1 \times G_1 \rightarrow G_2$ satisfy the following conditions: (a) bilinearity: $\forall a, b \in \mathbb{Z}_q^*$, $\forall P, Q \in G_1$: $e(aP, bQ) = e(P, Q)^{ab}$; (b) non-degeneracy: $e(P, P) \neq 1$; and (c) computability: there exists an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.

The security of our proposed cryptographic protocol is based on the intractability of the ECDLP and the robustness of the bilinear pairing. During the system initialization phase, the following steps are launched. Given a security parameter $k$, a Trusted Third Party (TTP) chooses two groups $G_1$ and $G_2$ with the same prime order $q$ and a bilinear pairing $e : G_1 \times G_1 \rightarrow G_2$, where $P$ is a generator of $G_1$. Next, the TTP chooses a random number $s \in \mathbb{Z}_q^*$ as its master private key and computes the corresponding master public key $PK_{TTP} = s \cdot P$. After that, the TTP chooses three secure hash functions, i.e., $H_1 : \{0,1\}^* \times G_1 \rightarrow \mathbb{Z}_q^*$, $H_2 : \{0,1\}^* \times G_1 \times G_1 \rightarrow \mathbb{Z}_q^*$, and $H_3 : \{0,1\}^* \times G_1 \times G_1 \times G_1 \rightarrow \mathbb{Z}_q^*$. The TTP then publishes the set of public parameters $params = \{G_1, G_2, q, e, P, PK_{TTP}, H_1, H_2, H_3, e(P, P)\}$ and stores $params$ and $s$ in the secure element (SE) of the target IoT devices (as shown in Figure 1). Meanwhile, the user $U_i$ chooses a secret key $x_i$ and computes the corresponding public key $PK_i = x_i \cdot P$.
• The Procedures of a Normal Operation of our Proposed Cryptographic Protocol
When a transaction of an IoT application starts, the user $U_i$ sends the corresponding data $D$ to the IoT application via the user interface (step 1-1), where $D$ may be the information of the current transaction. Our protocol assists in producing a signature on $D$ during the operation of the IoT application.

At first, $D$ is forwarded to the SE for further processing (step 1-2). Once the SE receives $D$, it generates a random number $r_i$ and computes $R_i = r_i \cdot P$, $h_i = H_1(TID_i, R_i, PK_{TTP}, D)$, $s_i = r_i + h_i \cdot s \bmod q$, and $\sigma_{i,1} = s_i^{-1} \cdot P$. Next, the SE sends the response $(R_i, \sigma_{i,1})$ back to the IoT application (step 2).

Fig. 1. Steps 1 and 2 of the proposed cryptographic protocol.

After receiving $(R_i, \sigma_{i,1})$, the IoT application checks its validity with the following computations: (a) compute $h_i = H_1(TID_i, R_i, PK_{TTP}, D)$ and (b) check whether $e(\sigma_{i,1}, R_i + h_i \cdot PK_{TTP}) = e(P, P)$ holds. The correctness of this equation is shown as follows:

$$
\begin{aligned}
e(\sigma_{i,1},\; R_i + h_i \cdot PK_{TTP}) &= e(s_i^{-1} \cdot P,\; r_i \cdot P + h_i \cdot s \cdot P) \\
&= e(s_i^{-1} \cdot P,\; (r_i + h_i \cdot s) \cdot P) = e(s_i^{-1} \cdot P,\; s_i \cdot P) \\
&= e(P, P)^{s_i^{-1} \cdot s_i} = e(P, P).
\end{aligned}
$$

If the check holds, the IoT application confirms the validity of $(R_i, \sigma_{i,1})$. The above procedures are depicted in Figure 1.
After $(R_i, \sigma_{i,1})$ is verified, the IoT application chooses a random number $r_1 \in \mathbb{Z}_q^*$ and computes $R_1 = r_1 \cdot P$, $H_3(r_1 \cdot PK_i)$, and $ED = H_3(r_1 \cdot PK_i) \oplus D$. Next, the IoT application calculates $k_i = H_2(ID_i, PK_i, R_i, PK_{TTP}, ED)$ and $\sigma_{i,2} = (k_i \cdot s_i + x_i)^{-1} \cdot P$. These processes correspond to step 3-1 of Figure 2.

The IoT application then issues $(TID_i, r_1, ED, \sigma_{i,2})$ to the SE, as shown in step 3-2 of Figure 2. Upon receiving $(TID_i, r_1, ED, \sigma_{i,2})$, the SE computes $k_i = H_2(ID_i, PK_i, R_i, PK_{TTP}, ED)$ and checks whether $e(\sigma_{i,2}, k_i \cdot (R_i + h_i \cdot PK_{TTP}) + PK_i) = e(P, P)$ holds. If the check holds, the SE accepts $\sigma_{i,2}$ as valid. These processes correspond to step 4-1 of Figure 2. The correctness of the check is shown as follows:

$$
\begin{aligned}
e(\sigma_{i,2},\; k_i \cdot (R_i + h_i \cdot PK_{TTP}) + PK_i) &= e((k_i \cdot s_i + x_i)^{-1} \cdot P,\; k_i \cdot (r_i \cdot P + h_i \cdot s \cdot P) + x_i \cdot P) \\
&= e((k_i \cdot s_i + x_i)^{-1} \cdot P,\; (k_i \cdot (r_i + h_i \cdot s) + x_i) \cdot P) \\
&= e((k_i \cdot s_i + x_i)^{-1} \cdot P,\; (k_i \cdot s_i + x_i) \cdot P) \\
&= e(P, P)^{(k_i \cdot s_i + x_i)^{-1} \cdot (k_i \cdot s_i + x_i)} = e(P, P).
\end{aligned}
$$

If the above verification holds, the SE first chooses a random number $t_i$ and computes $T_i = t_i \cdot P$. Second, the SE calculates $Hash_i = H_3(t_i, ED)$ and $Cipher_i = t_i \oplus H_3(e(k_i, t_i \cdot PK_i))$ and sends $(T_i, Hash_i, Cipher_i)$ to the IoT application, which forwards it to external storage for audit purposes. When an audit is required, the external auditor asks the user to provide his/her secret key $x_i$, computes $k_i = H_2(ID_i, PK_i, R_i, PK_{TTP}, ED)$ and $t_i = Cipher_i \oplus H_3(e(k_i, x_i \cdot T_i))$, and then checks whether $H_3(t_i, ED) = Hash_i$ holds. These processes correspond to steps 4-2 to 4-4 of Figure 2. Note that steps 4-3 and 4-4 are optional. Finally, as shown in step 5 of Figure 2, the IoT application sends the result of the current transaction, i.e., $(D, ED, R_i, \sigma_{i,1}, \sigma_{i,2})$, back to $U_i$.

Fig. 2. Steps 3–5 of the proposed cryptographic protocol.
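As an added, constructed example (not the authors' implementation), the following Python runs steps 1 to 4 of the protocol end to end on a toy stand-in for $(G_1, G_2, e)$: $G_1$ is $\mathbb{Z}_q$ with $P = 1$, $G_2$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$, and $e(aP, bP) = g^{ab}$, which is bilinear and non-degenerate, so both pairing checks go through exactly as derived above while offering no security at all. It also shows that a signing device that does not hold the TTP's master key $s$ is rejected by check (b) and by the step 4-1 check. The identifiers, the SHA-256 stand-ins for $H_1$, $H_2$, $H_3$, and the convention that the application holds $(s_i, x_i)$ in step 3-1 (as the text states) are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy parameters (insecure by design). G1 is the additive group
# Z_q with generator P = 1, G2 is the order-q subgroup of Z_p^* generated by g,
# and e(aP, bP) = g^(ab mod q). The map is bilinear and non-degenerate, so the
# paper's verification algebra carries over unchanged, but discrete logs in
# Z_q are trivial: this models correctness of the checks, not their security.
q = 1019         # prime order shared by G1 and G2
p = 2 * q + 1    # 2039 is prime, so Z_p^* has a subgroup of order q
g = 4            # a quadratic residue mod p, hence a generator of that subgroup
P = 1            # generator of the toy G1

def smul(k, X):  # scalar multiplication k * X in the toy G1
    return (k * X) % q

def padd(X, Y):  # point addition X + Y in the toy G1
    return (X + Y) % q

def pairing(X, Y):  # e(X, Y) with X = x*P, Y = y*P; in the toy X == x, Y == y
    return pow(g, (X * Y) % q, p)

def hash_to_zq(*parts):
    """Stand-in for H1 / H2: hash length-prefixed encodings of the inputs into Z_q^*."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(2, "big") + data)
    return int.from_bytes(h.digest(), "big") % (q - 1) + 1

def h3_stream(X, length):
    """Stand-in for H3 used as a one-time key stream in ED = H3(r_1 * PK_i) xor D."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(str(X).encode() + ctr.to_bytes(2, "big")).digest()
        ctr += 1
    return out[:length]

def random_scalar():  # uniform element of Z_q^*
    return secrets.randbelow(q - 1) + 1

def ttp_setup():
    """TTP: master private key s and master public key PK_TTP = s * P."""
    s = random_scalar()
    return s, smul(s, P)

def se_sign_step2(s, tid, pk_ttp, D):
    """SE, step 2: R_i = r_i*P, h_i = H1(TID_i, R_i, PK_TTP, D), s_i = r_i + h_i*s,
    sigma_{i,1} = s_i^{-1} * P. Returns (R_i, sigma_{i,1}) plus s_i and h_i kept by the SE."""
    while True:
        r_i = random_scalar()
        R_i = smul(r_i, P)
        h_i = hash_to_zq(tid, R_i, pk_ttp, D)
        s_i = (r_i + h_i * s) % q
        if s_i:  # s_i must be invertible mod q; retry otherwise
            return R_i, smul(pow(s_i, -1, q), P), s_i, h_i

def app_verify_step2(tid, pk_ttp, D, R_i, sigma_1):
    """IoT application, check (b): e(sigma_{i,1}, R_i + h_i * PK_TTP) == e(P, P)."""
    h_i = hash_to_zq(tid, R_i, pk_ttp, D)
    return pairing(sigma_1, padd(R_i, smul(h_i, pk_ttp))) == pairing(P, P)

def app_sign_step3(uid, pk_i, x_i, s_i, R_i, pk_ttp, D):
    """IoT application, step 3-1: ED = H3(r_1 * PK_i) xor D, k_i = H2(ID_i, PK_i, R_i,
    PK_TTP, ED), sigma_{i,2} = (k_i*s_i + x_i)^{-1} * P. As in the text, the application
    is given s_i and x_i for this step."""
    while True:
        r_1 = random_scalar()
        ED = bytes(a ^ b for a, b in zip(h3_stream(smul(r_1, pk_i), len(D)), D))
        k_i = hash_to_zq(uid, pk_i, R_i, pk_ttp, ED)
        denom = (k_i * s_i + x_i) % q
        if denom:  # retry on the 1/q chance that the denominator is 0
            return r_1, ED, smul(pow(denom, -1, q), P)

def se_verify_step4(uid, pk_i, R_i, pk_ttp, h_i, ED, sigma_2):
    """SE, step 4-1: e(sigma_{i,2}, k_i * (R_i + h_i * PK_TTP) + PK_i) == e(P, P)."""
    k_i = hash_to_zq(uid, pk_i, R_i, pk_ttp, ED)
    target = padd(smul(k_i, padd(R_i, smul(h_i, pk_ttp))), pk_i)
    return pairing(sigma_2, target) == pairing(P, P)

def run_transaction(D, se_master_key=None):
    """One transaction, steps 1 to 4. se_master_key(s) optionally substitutes the key
    the signing device uses, to show that a device without the TTP's s is rejected."""
    s, pk_ttp = ttp_setup()
    x_i = random_scalar()              # user U_i's secret key
    pk_i = smul(x_i, P)                # PK_i = x_i * P
    uid, tid = b"user-1", b"tid-1"     # constructed identifiers ID_i, TID_i
    signer_key = s if se_master_key is None else se_master_key(s)
    R_i, sigma_1, s_i, h_i = se_sign_step2(signer_key, tid, pk_ttp, D)
    ok2 = app_verify_step2(tid, pk_ttp, D, R_i, sigma_1)
    _, ED, sigma_2 = app_sign_step3(uid, pk_i, x_i, s_i, R_i, pk_ttp, D)
    ok4 = se_verify_step4(uid, pk_i, R_i, pk_ttp, h_i, ED, sigma_2)
    return {"step2_ok": ok2, "step4_ok": ok4, "D": D, "ED": ED}

def rogue_key(s):  # some master key != s, i.e. a device never provisioned by the TTP
    return s % (q - 1) + 1
```

`run_transaction(D)` returns both checks as True for an honest SE; `run_transaction(D, se_master_key=rogue_key)` returns False for both, because $h_i \cdot (s - s')$ and $k_i h_i (s - s')$ are non-zero modulo the prime $q$.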

4 SECURITY ANALYSIS AND PERFORMANCE EVALUATION


In this section, we analyze the security robustness of the proposed cryptographic protocol. In light of the deployment of certificateless signature and bilinear pairing crypto-primitives, the analysis follows the adversary abilities and security models defined by Huang et al. (2012) and Al-Riyami and Paterson (2003).
• Adversaries and Oracles
In a normal transaction operation, there exist two kinds of adversaries: the type I adversary $\mathcal{A}_I$ and the type II adversary $\mathcal{A}_{II}$. Basically, adversary $\mathcal{A}_I$ (which can be anyone except the TTP) possesses the ability to replace the user's public key $PK_i$, but $\mathcal{A}_I$ is not given $(s_i, R_i)$. Adversary $\mathcal{A}_{II}$, on the other hand, holds the master private key $s$ of the TTP, but $\mathcal{A}_{II}$ cannot replace the target user's public key. In general, $\mathcal{A}_I$ and $\mathcal{A}_{II}$ are able to query the following oracles:
— CreateUser: Given a query $ID \in \{0,1\}^*$, the oracle obtains $(s_{ID}, R_{ID})$, $x_{ID}$, and $PK_{ID}$. After that, the oracle maintains a record $(ID, (s_{ID}, R_{ID}), x_{ID}, PK_{ID})$ in the list $L$. Eventually, $PK_{ID}$ is returned.
— PublicKeyReplace: Given a query $(ID, PK'_{ID})$, the oracle replaces user $ID$'s public key with $PK'_{ID}$ and updates the corresponding information in the list $L$.
— SecretValueExtract: Given a query $ID \in \{0,1\}^*$, the oracle browses the list $L$ and returns the secret value $x_{ID}$. Note that the secret value $x'_{ID}$ corresponding to a replaced public key $PK'_{ID}$ cannot be extracted.


In addition, type I and II adversaries can be further classified into three categories, i.e., normal, strong, and super adversaries. In general, a normal-level adversary has the ability to learn a valid verification message, while a strong-level adversary is able to replace a public key to forge a valid verification message. The most powerful adversary, i.e., a super-level adversary, can learn valid verification messages for a replaced public key without submitting the corresponding secret value. The highest security robustness is achieved if the proposed cryptographic protocol is secure against the super-level adversary. Therefore, in this study, we investigate the security of our proposed protocol against the super type I and II adversaries.
• Game 1: Security Against a Super type I Adversary
The certificateless signature is the core security technique in the proposed cryptographic protocol, so the robustness of our protocol rests on the existential unforgeability of the signatures generated during the operation of the protocol. The following statements are made. A super type I adversary $\mathcal{A}_I$ is able to retrieve a signature $\sigma_i$ satisfying $\mathsf{true} \leftarrow \mathsf{Verify}(m, \sigma_i, params, ID, PK_{ID})$, in which the public key $PK_{ID}$ is created by $\mathcal{A}_I$. Note that $m$ denotes the target message. We then define the existential unforgeability of the certificateless signature (in our proposed cryptographic protocol) against a super type I adversary $\mathcal{A}_I$ with the following game:
Phase 1: The challenger launches a system initialization and returns the system parameters $params$ to $\mathcal{A}_I$.
Phase 2: $\mathcal{A}_I$ is able to access the oracles CreateUser, PublicKeyReplace, SecretValueExtract, PrivateKeyExtract, and SuperSign. The PrivateKeyExtract and SuperSign oracles are defined as follows.
— PrivateKeyExtract: Given a query $ID$, the oracle looks up $(s_{ID}, R_{ID})$ in the list $L$ and returns it.
— SuperSign: Given a query $(ID, m)$, the oracle outputs a signature $\sigma_i$ such that $\mathsf{true} \leftarrow \mathsf{Verify}(m, \sigma_i, params, ID, PK_{ID})$, where $m$ denotes the message to be signed.
Phase 3: After all queries, $\mathcal{A}_I$ outputs a forgery $(m^*, \sigma_i^*, ID^*)$. $\mathcal{A}_I$ wins the game if the following requirements are satisfied:
— The SuperSign oracle has never been queried by $\mathcal{A}_I$;
— The PrivateKeyExtract oracle has never been queried by $\mathcal{A}_I$;
— $\mathsf{true} \leftarrow \mathsf{Verify}(m^*, \sigma_i^*, params, ID^*, PK_{ID^*})$ holds.
The success probability $Succ_{\mathcal{A}_I}$ of a super type I adversary $\mathcal{A}_I$ winning the above game is then defined.
Definition 1. The proposed cryptographic protocol is secure against a $(t, q_{CU}, q_{PKR}, q_{SVE}, q_{PKE}, q_{SS})$ super type I adversary $\mathcal{A}_I$ if, when $\mathcal{A}_I$ runs in polynomial time $t$ and makes at most $q_{CU}$ CreateUser queries, $q_{PKR}$ PublicKeyReplace queries, $q_{SVE}$ SecretValueExtract queries, $q_{PKE}$ PrivateKeyExtract queries, and $q_{SS}$ SuperSign queries, $Succ_{\mathcal{A}_I}$ is negligible.
• Game 2: Security Against a Super type II Adversary
The type II adversary $\mathcal{A}_{II}$ plays the role of the TTP holding the master secret key $s$ and may engage in malicious activities, such as eavesdropping on transmissions or forging valid signatures. The existential unforgeability of the certificateless signature (in the proposed cryptographic protocol) against a super type II adversary $\mathcal{A}_{II}$ is defined as follows:
Phase 1: The challenger launches a system initialization and sends the system parameters $params$ to $\mathcal{A}_{II}$.
Phase 2: $\mathcal{A}_{II}$ is able to send queries to the oracles CreateUser, PublicKeyReplace, SecretValueExtract, and SuperSign.
Phase 3: Eventually, $\mathcal{A}_{II}$ outputs a forgery $(m^*, \sigma_i^*, ID^*)$. $\mathcal{A}_{II}$ wins the game if the following requirements are satisfied:
— The SuperSign oracle has never been queried by $\mathcal{A}_{II}$;
— The SecretValueExtract oracle has never been queried by $\mathcal{A}_{II}$;
— $\mathsf{true} \leftarrow \mathsf{Verify}(m^*, \sigma_i^*, params, ID^*, PK_{ID^*})$ holds, where $PK_{ID^*}$ is the original public key returned by the oracle CreateUser.
The success probability $Succ_{\mathcal{A}_{II}}$ of a super type II adversary $\mathcal{A}_{II}$ winning the above game is defined as follows:
Definition 2. The proposed cryptographic protocol is secure against a $(t, q_{CU}, q_{PKR}, q_{SVE}, q_{SS})$ super type II adversary $\mathcal{A}_{II}$ if, when $\mathcal{A}_{II}$ runs in polynomial time $t$ and makes at most $q_{CU}$ CreateUser queries, $q_{PKR}$ PublicKeyReplace queries, $q_{SVE}$ SecretValueExtract queries, and $q_{SS}$ SuperSign queries, $Succ_{\mathcal{A}_{II}}$ is negligible.
• Security Analysis
In this subsection, we analyze the security robustness of our proposed cryptographic protocol.
Based on the hardness of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP), we prove
that the proposed cryptographic protocol is robust against the super Type I adversary and super
Type II adversary, respectively. That is, the certificateless signature deployed in the cryptographic
protocol is existentially unforgeable against a super type adversary in the random oracle model,
assuming the hardness of solving the ECDLP.
Theorem 1. If there is a $(t, q_{CU}, q_{PKR}, q_{SVE}, q_{PKE}, q_{SS})$ super type I adversary $\mathcal{A}_I$ that can submit an additional $q_H$ queries to the random oracle Hash and win game 1 with probability $Succ_{\mathcal{A}_I}$, then there exists another algorithm $\mathcal{B}$ that can solve a random instance of the ECDLP in polynomial time with success probability
$$
Succ_{\mathcal{B}} \geq \frac{1}{q_H}\left(1 - \frac{1}{q_H}\right)^{q_{PKE}} Succ_{\mathcal{A}_I}.
$$
Proof. Assume that a super type I adversary $\mathcal{A}_I$ intends to break the proposed cryptographic protocol with a non-negligible probability $Succ_{\mathcal{A}_I}$. If we can use $\mathcal{A}_I$ to build a polynomial-time algorithm $\mathcal{B}$ that solves the ECDLP, then the proof is complete. In the system initialization, $\mathcal{B}$ picks an identity $ID_\pi$ as the challenged identity in game 1. Then, $\mathcal{B}$ sets $Q = R_i$ and sends $params = \{G_1, G_2, q, e, P, PK_{TTP}, H_1, H_2, H_3, e(P, P)\}$ to $\mathcal{A}_I$. In addition, $\mathcal{B}$ simulates the oracle queries of $\mathcal{A}_I$ as follows:
— Hash query: $\mathcal{A}_I$ accesses the Hash query via $ID_j$. $\mathcal{B}$ maintains a list $L_H$ containing tuples $\langle ID_j, R_j, PK_{TTP}, h_j, k_j, NSD, EPD \rangle$. If $ID_j$ is recorded in the list $L_H$, then $\mathcal{B}$ responds with $h_j$ (or $k_j$) to $\mathcal{A}_I$. Otherwise, $\mathcal{B}$ randomly picks two numbers $h_j \in \mathbb{Z}_q^*$ and $k_j \in \mathbb{Z}_q^*$, returns $h_j$ and $k_j$ to $\mathcal{A}_I$, and adds $\langle ID_j, R_j, PK_{TTP}, h_j, k_j, NSD, EPD \rangle$ to $L_H$.
— CreateUser: $\mathcal{A}_I$ can create a user with $ID_j$. Once a query with $ID_j$ is launched, $\mathcal{B}$ first checks the maintained list $L$ and, if required, creates a tuple for the list $L$ according to the following two conditions. After that, $\mathcal{B}$ adds $\langle ID_j, (s_j, R_j), x_j, PK_{ID_j} \rangle$ to the list $L$.
  — If $ID_j \neq ID_\pi$, then $\mathcal{B}$ chooses $b_j \in \mathbb{Z}_q^*$ and a pair $(s_j, R_j)$, and sets $PK_{ID_j} = b_j \cdot P$ and $x_j = b_j$.
  — If $ID_j = ID_\pi$, then $\mathcal{B}$ chooses a value $PK_{ID_\pi}$ and sets $x_\pi = \bot$ and $(s_j, R_j) = \bot$.
— PrivateKeyExtract: $\mathcal{A}_I$ can request the private key $(s_j, R_j)$ of a user $ID_j$ that has been created. Once a query with $ID_j$ is made, $\mathcal{B}$ checks the list $L$:
  — If $(s_j, R_j) = \bot$, then the simulation is terminated by $\mathcal{B}$.
  — If $(s_j, R_j) \neq \bot$, then $\mathcal{B}$ returns $(s_j, R_j)$.


— PublicKeyReplace: $\mathcal{A}_I$ can replace the public key of user $ID_j$ with a $PK'_{ID_j}$ freely chosen by $\mathcal{A}_I$. Once a query with $ID_j$ is invoked, $\mathcal{B}$ updates the list $L$ with $\langle ID_j, (s_j, R_j), x_j, PK'_{ID_j} \rangle$.
— SecretValueExtract: $\mathcal{A}_I$ can request the secret value of the existing user $ID_j$. Once a query with $ID_j$ is delivered, $\mathcal{B}$ checks the list $L$:
  — If $x_{ID_j} = \bot$, then the simulation is terminated by $\mathcal{B}$.
  — If $x_{ID_j} \neq \bot$, then $\mathcal{B}$ returns $x_{ID_j}$.
— SuperSign: $\mathcal{A}_I$ can request a SuperSign query with $(ID_t, m_t)$. Once a query is made, $\mathcal{B}$ looks up $\langle ID_j, R_j, PK_{TTP}, h_j, k_j, NSD, EPD \rangle$ and $\langle ID_j, (s_j, R_j), x_j, PK_{ID_j} \rangle$ in the lists $L_H$ and $L$, respectively. Next, $\mathcal{B}$ generates random numbers $a_j, b_j \in \mathbb{Z}_q^*$ and computes $\sigma_{j,1} = a_j^{-1} \cdot P$ and $\sigma_{j,2} = b_j^{-1} \cdot P$. After that, $\mathcal{B}$ returns $\sigma_{j,1}$ and $\sigma_{j,2}$ to $\mathcal{A}_I$.

Finally, $\mathcal{A}_I$ outputs a forged but legitimate signature $(ID_j, m_j, \sigma_{j,1}, \sigma_{j,2})$. If $ID_j \neq ID_\pi$, then $\mathcal{B}$ terminates the simulation. Otherwise, $\mathcal{B}$ looks up $\langle ID_j, R_j, PK_{TTP}, h_j, k_j, NSD, EPD \rangle$ and $\langle ID_j, (s_j, R_j), x_j, PK_{ID_j} \rangle$ in the lists $L_H$ and $L$, respectively. Based on the forking lemma (Pointcheval and Stern 1996), if $\mathcal{B}$ is replayed polynomially many times with the same random tape and different choices of the hash oracle, then $\mathcal{A}_I$ can generate another signature. Hence, we obtain two valid signature pairs $\sigma_{j,1}^{(j)}$ and $\sigma_{j,2}^{(j)}$, where $j = 1, 2$. The two verification equations corresponding to $\sigma_{j,1}^{(j)}$ and $\sigma_{j,2}^{(j)}$ are $R_i^{(j)} + h_j \cdot PK_{TTP}$ and $k_j \cdot (R_i^{(j)} + h_j \cdot PK_{TTP}) + PK_j$, respectively. With the known values $h_j$, $k_j$, $PK_j$, and $PK_{TTP}$, we can derive $r_i$ from these two linear and independent equations. $\mathcal{B}$ then outputs $a = r_i$ as the solution of the random instance $(P, Q = a \cdot P)$ of the ECDLP.

We have shown that $\mathcal{B}$ can solve the given instance of the ECDLP. Next, we analyze $\mathcal{B}$'s success probability $Succ_{\mathcal{B}}$ of winning game 1 using the following events:
$E_1$: $\mathcal{B}$ does not abort in any of the PrivateKeyExtract queries.
$E_2$: $\mathcal{A}_I$ can forge a valid signature $(ID_j, m_j, \sigma_{j,1}, \sigma_{j,2})$.
$E_3$: The output $(ID_j, m_j, \sigma_{j,1}, \sigma_{j,2})$ satisfies $ID_j = ID_\pi$.
The probabilities $\Pr[E_1]$, $\Pr[E_2 \mid E_1]$, and $\Pr[E_3 \mid E_1 \wedge E_2]$ are bounded as follows: $\Pr[E_1] \geq \left(1 - \frac{1}{q_H}\right)^{q_{PKE}}$, $\Pr[E_2 \mid E_1] \geq Succ_{\mathcal{A}_I}$, and $\Pr[E_3 \mid E_1 \wedge E_2] \geq \frac{1}{q_H}$, where $q_H$ and $q_{PKE}$ are the numbers of Hash queries and PrivateKeyExtract queries. Then, the probability that $\mathcal{B}$ solves the given instance of the ECDLP is

$$
Succ_{\mathcal{B}} = \Pr[E_1 \wedge E_2 \wedge E_3] = \Pr[E_1]\,\Pr[E_2 \mid E_1]\,\Pr[E_3 \mid E_1 \wedge E_2] \geq \frac{1}{q_H}\left(1 - \frac{1}{q_H}\right)^{q_{PKE}} Succ_{\mathcal{A}_I}.
$$

It is obvious that $\mathcal{B}$ can solve the ECDLP with a non-negligible probability $Succ_{\mathcal{B}}$ if $Succ_{\mathcal{A}_I}$ is non-negligible. This contradicts the hardness of the ECDLP.
Theorem 2. If there exists a $(t, q_{CU}, q_{PKR}, q_{SVE}, q_{SS})$ super type II adversary $\mathcal{A}_{II}$ that can submit an additional $q_H$ queries to the random oracles and win game 2 with probability $Succ_{\mathcal{A}_{II}}$, then there is an algorithm $\mathcal{B}$ that solves a random instance of the ECDLP in polynomial time with success probability
$$
Succ_{\mathcal{B}} \geq \frac{1}{q_H}\left(1 - \frac{1}{q_H}\right)^{q_{SVE}} Succ_{\mathcal{A}_{II}}.
$$
Proof. We assume that a super type II adversary $\mathcal{A}_{II}$ intends to break the proposed cryptographic protocol with a non-negligible probability $Succ_{\mathcal{A}_{II}}$. We then want to build a polynomial-time algorithm $\mathcal{B}$ that uses $\mathcal{A}_{II}$ to solve the ECDLP. That is, given a random instance $(P, Q = a \cdot P)$ of the ECDLP, its goal is to derive the secret $a$. Similarly, in the system initialization phase, $\mathcal{B}$ picks an identity $ID_\pi$ as the challenged identity in game 2. Then, $\mathcal{B}$ sets $Q = PK_i$ and sends $params = \{G_1, G_2, q, e, P, PK_{TTP}, H_1, H_2, H_3, e(P, P)\}$ to $\mathcal{A}_{II}$. Meanwhile, $\mathcal{B}$ maintains the lists $L_H$ and $L$. Then, $\mathcal{B}$ answers the Hash, CreateUser, PublicKeyReplace, SecretValueExtract, and SuperSign queries exactly as in the proof of Theorem 1. Eventually, $\mathcal{A}_{II}$ delivers a forged but legitimate signature $(ID_j, m_j, \sigma_{j,1}, \sigma_{j,2})$. If $ID_j \neq ID_\pi$, then $\mathcal{B}$ terminates the simulation. Otherwise, $\mathcal{B}$ looks up $\langle ID_j, R_j, PK_{TTP}, h_j, k_j, NSD, EPD \rangle$ and $\langle ID_j, (s_j, R_j), x_j, PK_{ID_j} \rangle$ in the lists $L_H$ and $L$, respectively. Based on the forking lemma (Pointcheval and Stern 1996), we eventually obtain two valid signature pairs, i.e., $\sigma_{j,1}^{(j)}$ and $\sigma_{j,2}^{(j)}$, where $j = 1, 2$. The two equations corresponding to $\sigma_{j,1}^{(j)}$ and $\sigma_{j,2}^{(j)}$ are $R_i^{(j)} + h_j \cdot PK_{TTP}$ and $k_j \cdot (R_i^{(j)} + h_j \cdot PK_{TTP}) + PK_i^{(j)}$, respectively. With these two linear and independent equations, $\mathcal{B}$ is able to solve for the two unknown values $r_i$ and $x_i$. It is obvious that $x_i$ is the solution of the random instance $(P, Q = x_i \cdot P)$ of the ECDLP. Next, $\mathcal{B}$'s success probability $Succ_{\mathcal{B}}$ of winning game 2 is calculated using the following events:
$E_1$: $\mathcal{B}$ does not abort in any of the SecretValueExtract queries.
$E_2$: $\mathcal{A}_{II}$ can forge a valid signature $(ID_j, m_j, \sigma_{j,1}, \sigma_{j,2})$.
$E_3$: The output $(ID_j, m_j, \sigma_{j,1}, \sigma_{j,2})$ satisfies $ID_j = ID_\pi$.
The probabilities are bounded by $\Pr[E_1] \geq \left(1 - \frac{1}{q_H}\right)^{q_{SVE}}$, $\Pr[E_2 \mid E_1] \geq Succ_{\mathcal{A}_{II}}$, and $\Pr[E_3 \mid E_1 \wedge E_2] \geq \frac{1}{q_H}$, where $q_H$ and $q_{SVE}$ are the numbers of Hash queries and SecretValueExtract queries. Then, the probability that $\mathcal{B}$ solves the given instance of the ECDLP is

$$
Succ_{\mathcal{B}} = \Pr[E_1 \wedge E_2 \wedge E_3] = \Pr[E_1]\,\Pr[E_2 \mid E_1]\,\Pr[E_3 \mid E_1 \wedge E_2] \geq \frac{1}{q_H}\left(1 - \frac{1}{q_H}\right)^{q_{SVE}} Succ_{\mathcal{A}_{II}}.
$$

Table 1. Computation Cost of our Proposed Cryptographic Protocol

Operation                            | Times | Cost
Random number generator (96 bit)     | 3     | 0.015 s
Hash function (SHA-512)              | 9     | 0.855 s
ECC pairing                          | 6     | 3.48 s
ECC point multiplication             | 12    | 0.48 s
ECC point addition                   | 5     | 0.1 s
The proposed cryptographic protocol  |       | 4.93 s
• Performance Evaluation
To evaluate the performance of the proposed cryptographic protocol, we implement the core crypto-components of our protocol on a Raspberry Pi 3 Model B platform and then calculate the computation cost of the proposed protocol. Note that the Raspberry Pi 3 Model B is equipped with a 1 GHz 64-bit ARM Cortex-A53 processor and 1 GB DDR3 RAM. All of the experiments are programmed in Java. For the crypto-library, we adopt the Bouncy Castle Crypto APIs (2013). In total, the proposed cryptographic protocol invokes the 96-bit random number generator three times, the SHA-512 hash function nine times (with pre-defined 1,000-bit input sequences), ECC pairing six times, ECC point multiplication twelve times, and ECC point addition five times, where the ECC uses a 384-bit prime. The total computation cost of our proposed cryptographic protocol is 4.93 s, as shown in Table 1.

5 CONCLUSIONS
Aided by sturdy crypto-primitives, i.e., certificateless signature and bilinear pairing operations, the proposed lightweight cryptographic protocol has demonstrated its security guarantee and solid robustness against super-type adversaries. Applicable fields for our proposed protocol include mobile payment, ubiquitous commerce, smart home, and intelligent entertainment, in which a higher level of security is required. To examine its practicability, a single-board computing platform, i.e., the Raspberry Pi 3, is simulated in the performance evaluation as an IoT-compatible device. A user-acceptable computation cost, i.e., 4.93 s, for a regular security operation is delivered.
REFERENCES
S. S. Al-Riyami and K. G. Paterson. 2003. Certificateless public key cryptography. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT'03).
The Bouncy Castle Crypto APIs. 2013. Retrieved from https://www.bouncycastle.org/java.html.
X. F. Cao, K. G. Paterson, and W. D. Kou. 2008. Attack on a certificateless signature scheme and its improvement. J. Beijing Univ. Posts Telecommun. 31, 2 (2008), 64–67.
J. Cui, J. Zhang, H. G. Zhong, R. Shi, and Y. Xu. 2018. An efficient certificateless aggregate signature without pairings for vehicular ad hoc networks. Info. Sci. 451–452 (2018), 1–15.
P. Gong and P. Li. 2014. Further improvement of a certificateless signature scheme without pairing. Int. J. Commun. Syst. 27, 10 (2014), 2083–2091.
M. C. Gorantla and A. Saxena. 2005. An efficient certificateless signature scheme. In Proceedings of the International Conference on Computational Intelligence and Security. 110–116.
D. He, J. Chen, and R. Zhang. 2011. An efficient and provably-secure certificateless signature scheme without bilinear pairings. Int. J. Commun. Syst. 25, 11 (2011), 1432–1442.
D. He, N. Kumar, H. Wang, L. Wang, and K.-K. R. Choo. 2017. Privacy-preserving certificateless provable data possession scheme for big data storage on cloud. Appl. Math. Comput. 314 (2017), 31–43.
B. C. Hu, D. S. Wong, Z. Zhang, and X. Deng. 2006. Key replacement attack against a generic construction of certificateless signature. In Proceedings of the 11th Australasian Conference on Information Security and Privacy. 235–246.
X. Huang, W. Susilo, Y. Mu, and F. Zhang. 2005. On the security of certificateless signature schemes from Asiacrypt 2003. In Proceedings of the International Conference on Cryptology and Network Security. 13–25.
X. Huang, Y. Mu, W. Susilo, D. S. Wong, and W. Wu. 2007. Certificateless signature revisited. In Proceedings of the 12th Australasian Conference on Information Security and Privacy (ACISP'07), Lecture Notes in Computer Science, Vol. 4586, 308–322.
X. Huang, Y. Mu, W. Susilo, D. S. Wong, and W. Wu. 2012. Certificateless signature: New schemes and security models. Comput. J. 55, 4 (2012), 457–474.
X. Jia, D. He, Q. Liu, and K. R. Choo. 2018. An efficient provably-secure certificateless signature scheme for internet-of-things deployment. Ad Hoc Netw. 71 (2018), 78–87.
D. Pointcheval and J. Stern. 1996. Security proofs for signature schemes. In Proceedings of EUROCRYPT'96 (LNCS 1070). 387–398.
J. Tsai, N. Lo, and T. Wu. 2014. Weaknesses and improvements of an efficient certificateless signature scheme without using bilinear pairings. Int. J. Commun. Syst. 27, 7 (2014), 1083–1090.
L. Wang, K. Chen, Y. Long, X. Mao, and H. Wang. 2015. A modified efficient certificateless signature scheme without bilinear pairings. In Proceedings of the International Conference on Intelligent Networking and Collaborative Systems (INCOS'15).
K.-H. Yeh, K.-Y. Tsai, and C.-Y. Fan. 2015. An efficient certificateless signature scheme without bilinear pairings. Multimedia Tools Appl. 74, 16 (2015), 6519–6530.
K. Yeh, C. Su, K. Choo, and W. Chiu. 2017. A novel certificateless signature scheme for smart objects in the internet-of-things. Sensors 17, 5, Article 1001 (2017).
D. H. Yum and P. J. Lee. 2004. Generic construction of certificateless signature. In Proceedings of the 9th Australasian Conference on Information Security and Privacy. 200–211.

Received April 2018; revised October 2018; accepted December 2018
