Professional Documents
Culture Documents
A Lightweight Cryptographic Protocol With Certificateless Signature For The Internet of Things
A Lightweight Cryptographic Protocol With Certificateless Signature For The Internet of Things
The universality of smart-devices has brought rapid development and the significant advancement of ubiq-
uitous applications for the Internet of Things (IoT). Designing new types of IoT-compatible cryptographic
protocols has become a more popular way to secure IoT-based applications. Significant attention has been
dedicated to the challenge of implementing a lightweight and secure cryptographic protocol for IoT devices.
In this study, we propose a lightweight cryptographic protocol integrating certificateless signature and bi-
linear pairing crypto-primitives. In the proposed protocol, we elegantly refine the processes to account for
computation-limited IoT devices during security operations. Rigorous security analyses are conducted to
guarantee the robustness of the proposed cryptographic protocol. In addition, we demonstrate a thorough
performance evaluation, where an IoT-based test-bed, i.e., the Raspberry PI, is simulated as the underlying
platform of the implementation of our proposed cryptographic protocol. The results show the practicability
of the proposed protocol.
CCS Concepts: • Security and privacy → Cryptography; Public key (asymmetric) techniques; Digital signa-
tures; Security in hardware; Hardware security implementation; Hardware-based security protocols;
Additional Key Words and Phrases: Bilinear pairing, certificateless signature, cryptographic protocol, internet
of things (IoT), security
ACM Reference format:
Lu Zhou, Chunhua Su, and Kuo-Hui Yeh. 2019. A Lightweight Cryptographic Protocol with Certificateless
Signature for the Internet of Things. ACM Trans. Embed. Comput. Syst. 18, 3, Article 28 (April 2019), 10 pages.
https://doi.org/10.1145/3301306
1 INTRODUCTION
With the rapid growth and universality of information and communication technologies of IoT,
numerous ubiquitous applications have found an increasingly wide deployment in diverse daily-
operated services to probe for more business opportunities or higher individual benefit. For ex-
ample, a smart home consisting of smart IoT devices may provide tailored and on-demand enter-
tainment services to accomplish better satisfaction for individuals. Another example is individuals
gradually changing their purchasing styles from classic credit cards to new approaches such as
This work was supported in part by JSPS Kakenhi Kiban(B) 18H03240 and Kakenhi Kiban(C) 18K11298, and in part by the
Ministry of Science and Technology (Taiwan) under grants MOST 105-2221-E-259-014-MY3, MOST 105-2221-E-011-070-
MY3, MOST 105-2923-E-182-001-MY3, and MOST 107-2218-E-011-012.
Authors’ addresses: L. Zhou and C. Su, University of Aizu, Aizu-Wakamatsu, Fukushima Pref. 965-8580, Japan; emails:
{d8192103, chsu}@u-aizu.ac.jp; K.-H. Yeh (corresponding author), National Dong Hwa University, No. 1, Sec. 2, Da Hsueh
Road, Shoufeng, Hualien 97401, Taiwan; email: khyeh@gms.ndhu.edu.tw.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee
provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and
the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored.
Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires
prior specific permission and/or a fee. Request permissions from permissions@acm.org.
© 2019 Association for Computing Machinery.
1539-9087/2019/04-ART28 $15.00
https://doi.org/10.1145/3301306
ACM Transactions on Embedded Computing Systems, Vol. 18, No. 3, Article 28. Publication date: April 2019.
28:2 L. Zhou et al.
online payments via wearables. Nevertheless, there exists the space for the improvements of IoT
applications in terms of the viewpoints of standards, interoperability, and security. That is, it still
lacks widely accepted standards for the development and deployment of IoT applications. This
impedes the advancement of interoperability among systems. Moreover, security is important and
indispensable. It is, unfortunately, in the early stages of evolution as the support of recent hardware
and software techniques are not sufficient.
Recently, the benefits from IoT have been mostly focused on industry, and numerous IoT-
applications have emerged as part of a trend. These techniques have provided more convenience
and thoroughly changed the individuals’ thoughts about their behaviors in daily life. However,
the convenience is accompanied by security and privacy risks with respect to the robustness of
hardware, software and communication architecture. Hence, it is critical to provide a secure and
privacy-aware scheme protecting the user’s sensitive data, processed and transferred by IoT ap-
plications, from being disclosed and tampered with. In this study, we are motivated to design
and implement a robust cryptographic protocol as a security guarantee for IoT applications. The
proposed protocol adopts solid certificateless signature and bilinear pairing crypto-primitives to
obtain high security robustness. In Section 2, we investigate the existing research in which the
most relevant studies are discussed. Then, we introduce the detailed procedures of the proposed
cryptographic protocol in Section 3. Next, Section 4 shows the security analysis and performance
evaluation of the proposed protocol. Finally, the concluding remarks are presented in Section 5.
2 RELATED WORK
The first certificateless signature (CLS) scheme was proposed by Al-Riyami and Paterson (2003), in
which an asymmetric key pair was established via aid from external trusted third parties instead
of a centralized certificate management. With the decentralized and changed structure, better ef-
ficiency can be obtained, because no implementation of certificate management is required on
the user’s side. Nevertheless, the pioneer study has spaces for improvement. Huang et al. (2005)
pointed out that Al-Riyami and Paterson’s scheme is insecure against public key replacement at-
tacks, and they presented a modified scheme as the remedy. Later, Huang et al. (2007) further
refined the security model proposed by Al-Riyami and Paterson with three power levels of adver-
sary abilities, such as normal, strong, and super adversaries. Huang et al. then demonstrated a CLS
scheme, which is immune against super type I and II adversaries, with bilinear pairing. Note that
Huang et al. have also published an extension of their study (Huang et al. 2012), with the updated
version maintaining detailed proofs and more contents. In 2004, Yum and Lee (2004) proposed a
generic construction of CLS schemes with the concept of identity-based public key cryptography.
The author further identified an extended construction in which a trusted third party (TTP) cannot
know the users’ private keys. However, Hu et al. (2006) found that the construction, proposed by
Yum and Lee (2004), is vulnerable to public key replacement attacks. Next, Gorantla and Saxena
(2005), introduced a CLS protocol with bilinear pairing, and claimed that the proposed protocol
is more computationally efficient than published certificateless signature schemes. It requires less
demand of bandwidth and power consumption. Unfortunately, the weaknesses had been identified
by Cao et al. (2008).
In 2011, He et al. (2011) presented an efficient CLS scheme in which a bilinear pairing technique
is not considered during the protocol operation. The security robustness of the proposed CLS
scheme was verified under the random oracle model. Later, Tsai et al. (2014), pointed out the inse-
curity of He et al.’s scheme (2011) when a strong Type II adversary exists. In the same year, Gong
and Li (2014) also presented a provably-secure CLS mechanism. Similarly, the proposed mechanism
does not utilize bilinear pairing due to the efficiency consideration. Nevertheless, Yeh et al. (2015)
identified that a vulnerability exists in Gong and Li’s CLS mechanism under the assumption of a
ACM Transactions on Embedded Computing Systems, Vol. 18, No. 3, Article 28. Publication date: April 2019.
A Lightweight Cryptographic Protocol with Certificateless Signature 28:3
super type I attacker. A remedy was then proposed with a security proof under the random
oracle. In a later work, Wang et al. (2015), further considered the design of verification messages
transmitted in the CLS scheme proposed by Yeh et al. and introduced an updated scheme with
higher computation efficiency. Some costs associated with ECC scalar multiplication and addition
operations could be removed. However, Yeh et al. (2017), presented a vulnerability in Wang et al.’s
scheme, where a malicious super type I adversary can easily forge a valid signature on any given
message. After that, Jia et al. (2018) demonstrated that Yeh et al.’s scheme (2017) was insecure
against the Type I and II adversaries. A countermeasure was presented to conquer the identified
security weaknesses. However, the applicable fields of CLS techniques are diverse. Possible
applications with CLS techniques include big data with cloud (He et al. 2017) and vehicular ad
hoc networks (Cui et al. 2018).
ACM Transactions on Embedded Computing Systems, Vol. 18, No. 3, Article 28. Publication date: April 2019.
28:4 L. Zhou et al.
receiving (Ri , σi_1 ), IoT application checks the validity of (Ri , σi_1 ) with the following computa-
tions: (a) compute hi = H 1 (T I D i , Ri , PKT T P , D) and (b) check if e (σi_1 , Ri + hi · PKT T P ) = e (P, P )
holds. The correctness of e (σi_1 , Ri + hi · PKT T P ) = e (P, P ) is presented as follows:
e σi 1 , Ri + hi · PKT T P = e si−1 · P, r i · P + hi · s · P
= e si−1 · P, (r i + hi · s) · P = e si−1 · P, si · P
−1 ×s
= e (P, P ) si i
= e (P, P ) .
If the examination holds, then the IoT application confirms the validity of (Ri , σi_1 ). The above
procedures refer to Figure 1.
After (Ri , σi_1 ) is verified, the IoT application chooses a random number r 1 ∈ Z q∗ and com-
putes R 1 = r 1 · P, H 3 (r 1 · PKi ) and ED = H 3 (r 1 · PKi ) ⊕ D. Next, the IoT application calculates
ki = H 2 (I D i , PKi , Ri , PKT T P , ED) and σi_2 = (ki · si + x i ) −1 · P. These processes can be referred to
step 3-1 of Figure 2.
The IoT application then issues (T I D i , r 1 , ED, σi_2 ) to SE as shown in step 3-2 in Figure 2.
Upon receiving (T I D i , r 1 , ED, σi_2 ), SE computes ki = H 2 (I D i , PKi , Ri , PKT T P , ED) and checks the
correctness of e (σi_2 , ki · (Ri + hi · PKT T P ) + PKi ) = e (P, P ). If the correctness examination holds,
then SE believes the validity of σi_2 . These processes can be referred to step 4-1 of Figure 2.
e σi_2 , ki · (Ri + hi · PKT T P ) + PKi
= e (ki · si + x i ) −1 · P, ki · (r i · P + hi · s · P ) + x i · P
= e (ki · si + x i ) −1 · P, (ki · (r i + hi · s) + x i ) · P
= e (ki · si + x i ) −1 · P, (ki · si + x i ) · P
−1
= e (P, P ) (ki ·si +xi ) ×(k i ·s i +x i )
= e (P, P ) .
If the above verification holds, then SE first chooses a random number ti and computes Ti =
ti · P. Second, SE calculates Hashi = H 3 (ti , ED) and Cipher i = ti ⊕ H 3 (e (ki , ti · PKi )) and sends
(Ti , Hashi , Cipher i ) to the IoT application, which then forwards it to external storage for the
purpose of audit. Once the audit is required, the external auditor will ask the user to provide his/her
ACM Transactions on Embedded Computing Systems, Vol. 18, No. 3, Article 28. Publication date: April 2019.
A Lightweight Cryptographic Protocol with Certificateless Signature 28:5
secret key x i , and compute ki = H 2 (I D i , PKi , Ri , PKT T P , ED), ti = Cipher i ⊕ H 3 (e (ki , x i · Ti )). It
then checks the correctness of H 3 (ti , ED) = Hashi . These processes can be referred to steps 4-2
to 4-4 of Figure 2. Note that steps 4-3 and 4-4 are optional. Finally, as shown in step 5 of Figure 2,
the IoT application will send a result, i.e., (D, ED, Ri , σi_1 , σi_2 ), of the current transaction operation
back to Ui .
ACM Transactions on Embedded Computing Systems, Vol. 18, No. 3, Article 28. Publication date: April 2019.
28:6 L. Zhou et al.
In addition, Type I and II adversaries can further be classified into three categories, i.e., normal,
strong, and super adversaries. In general, a normal-level adversary has the ability to learn a
valid verification message, while a strong-level adversary is able to replace a public key to forge
a valid verification message. The most powerful adversary, i.e., a super-level adversary, can
learn valid verification messages for a replaced public key without any submission. The highest
security robustness can be achieved if the proposed cryptographic protocol is secure against
the super-level adversary. Therefore, in this study, we investigate the security of our proposed
protocol against the super type I and II adversaries.
• Game 1: Security Against a Super type I Adversary
The certificateless signature is the core security technique in the proposed cryptographic pro-
tocol, the robustness of our protocol is based on the existential unforgeability of the signa-
tures generated during the operation of the cryptographic protocol. The following statements
are made. A super type I adversary AI is able to retrieve a signature σi satisfying true ←
Verify(m, σi , params, I D, PK I D ) in which a public key PK I D is created by AI . Note that m denotes
the target message. We then define the existential unforgeability of the certificateless signature
(in our proposed cryptographic protocol) against a super type I adversary AI with the following
games:
Phase 1: The challenger launches a system initialization and then returns the system parameters
params to AI .
Phase 2: AI is able to access the oracles, i.e., CreateUser, PublicKeyReplace, SecretValueExtract,
PrivateKeyExtract, and SuperSign. Note that PrivateKeyExtract and SuperSign oracles are defined
as follows.
— PrivateKeyExtract: Given a query ID, the oracle looks for (s I D , R I D ) in the list L.
— SuperSign: Given a query (I D, m), the oracle outputs a signature σi such that true ←
Verify(m, σi , params, I D, PK I D ), where m denotes the message to be signed.
Phase 3: After all queries, AI outputs a forgery (m∗ , σi ∗ , I D ∗ ). It is claimed that AI wins the
game if the following requirements are satisfied.
— The SuperSign oracle has never been queried by AI ;
—T he PrivateKeyExtract oracle has never been queried by AI ;
—true ← Verify(m, σi , params, I D, PK I D ∗ ) holds.
The success probability, i.e., Succ AI , of a super type I adversary AI winning the above game is
then defined.
Definition 1. The proposed cryptographic protocol is secure against a (t, qCU , q P K R , q SV E ,
q P K E , q S S ) super type I adversary AI if AI runs in polynomial time t, makes at most qCU times of
the CreateUser oracle query, q P K R times of the PublicKeyReplace oracle query, q SV E times of the
SecretValueExtract oracle query, q P K E times of the PrivateKeyExtract oracle query, q S S times of
the SuperSign oracle query, and Succ AI is negligible.
• Game 2: Security Against a Super type II Adversary
The type II adversary AI I simulates the TTP holding the master secret key s and is possible to
engage in malicious activities, such as transmission eavesdropping or making a forgery as valid
signatures. The existential unforgeability of the certificateless signature (in the proposed crypto-
graphic protocol) against a super type II adversary AI I is defined as follows:
Phase 1: The challenger launches a system initialization and sends the system parameters
params to AI I .
ACM Transactions on Embedded Computing Systems, Vol. 18, No. 3, Article 28. Publication date: April 2019.
A Lightweight Cryptographic Protocol with Certificateless Signature 28:7
Phase 2: AI I is able to send queries to the oracles, i.e., CreateUser, PublicKeyReplace, Secret-
ValueExtract, and SuperSign.
Phase 3: Eventually, AI I will output a forgery (m∗ , σi ∗ , I D ∗ ). It is claimed that AI I wins the game
if the following requirements are satisfied.
— The SuperSign oracle has never been queried by AI I ;
— The SecretValueExtract oracle has never been queried by AI I ;
—true ← Verify(m, σi , params, I D ∗ , PK I D ∗ ) holds, where PK I D ∗ is the original public key re-
turned by the oracle CreateUser.
The success probability, i.e., Succ AI I , of a super type II adversary AI I winning the above game
is defined as follows:
Definition 2. The proposed cryptographic protocol is secure against a (t, qCU , q P K R , q SV E , q S S )
super type II adversary AI I if AI I runs in polynomial time t, makes at most qCU times of the
CreateUser oracle query, q P K R times of the PublicKeyReplace oracle query,q SV E times of the Se-
cretValueExtract oracle query,q S S times of the SuperSign oracle query, and Succ AI I is negligible.
• Security Analysis
In this subsection, we analyze the security robustness of our proposed cryptographic protocol.
Based on the hardness of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP), we prove
that the proposed cryptographic protocol is robust against the super Type I adversary and super
Type II adversary, respectively. That is, the certificateless signature deployed in the cryptographic
protocol is existentially unforgeable against a super type adversary in the random oracle model,
assuming the hardness of solving the ECDLP.
Theorem 1. If there is a (t, qCU , q P K R , q SV E , q P K E , q S S ) super Type I adversary AI , which can
submit additional q H queries to random oracles Hash and win game 1 with probability Succ S A1 , then
there exists another algorithm B, which can solve a random instance of the ECDLP in polynomial time
q
with a success probability Succ B ≥ q1H (1 − q1H ) P K E Succ AI .
Proof. Assume that a super type I adversary AI intends to break the proposed cryptographic
protocol with a non-negligible probability Succ AI . In that case, if we can use AI to build a
polynomial-time algorithm B to solve the ECDLP, then the proof is completed. In the system ini-
tialization, B picks an identity I D π as the challenged identity in game 1, Then, B sets Q = Ri and
sends params = {G 1 , G 2 , q, e, P, PKT T P , H 1 , H 2 , H 3 , e (P, P )} to AI . In addition, B is able to simulate
the oracle queries of AI as follows:
—Hash query: AI is able to access Hash query via I D j . That is, B maintains a list, L H , con-
taining tuples
I D j , R j , PKT T P , h j , k j , N SD, EPD. If the I D j is recorded in the list L H , then
B responds with h j (or k j ) to AI . Otherwise, B randomly picks two numbers h j ∈ Zp∗ and
k j ∈ Zp∗ , returns h j and k j to AI , and adds
I D j , R j , PKT T P , h j , k j , N SD, EPD to L H .
— CreateUser: AI is able to create a user with I D j . Once a query with I D j is launched, B first
checks the maintained list L and, if it is required, then it creates a tuple in the list L based
on the following two conditions. After that, B adds
I D j , (s j , R j ), x j , PK I D j to the list L.
— If I D j I D π , then B chooses b j ∈ Zp∗ and (s j , R j ) ∈ Zp∗ , and sets PK I D j = b j · P and x j = b j .
— If I D j = I D π , thenB chooses a value of PK I D π ∈ Zp∗ , and sets x π = ⊥ and (s j , R j ) = ⊥.
— PrivateKeyExtract: AI is able to request the private key (s j , R j ) of the user I D j , which has
been created. Once a query with I D j is made, B checks the list L:
— If (s j , R j ) = ⊥, then the simulation is terminated by B.
— If (s j , R j ) ⊥, then B returns (s j , R j ).
ACM Transactions on Embedded Computing Systems, Vol. 18, No. 3, Article 28. Publication date: April 2019.
28:8 L. Zhou et al.
— PublicKeyReplace: AI is able to replace the user I D j ’s public key with PK ID j freely chosen
by AI . Once a query with I D j is invoked, B updates the list L with
I D j , (s j , R j ), x j , PK ID j .
— SecretValueExtract: AI is able to request the secret value of the existing user I D j . Once a
query with I D j is delivered, B checks the list L:
— If x I D j = ⊥, then the simulation is terminated by B.
— If x I D j ⊥, then B returns x I D j .
— SuperSign: AI is able to request a SuperSign query with (I D t , mt ). Once a query is made, B
looks for
I D j , R j , PKT T P , h j , k j , N SD, EPD and
I D j , (s j , R j ), x j , PK I D j in the lists L H and
L, respectively. Next, B generates a random number a j , b j ∈ Z n∗ and computes σ j_1 = a −1 j ·P
and σ j_2 = b j −1 · P. After that, B returns σ j_1 and σ j_2 to AI .
Finally, AI outputs a forged but legitimate signature (I D j , m j , σ j_1 , σ j_2 ). If I D j I D π ,
thenB terminates the simulation. Otherwise, B looks for
I D j , R j , PKT T P , h j , k j , N SD, EPD and
ACM Transactions on Embedded Computing Systems, Vol. 18, No. 3, Article 28. Publication date: April 2019.
A Lightweight Cryptographic Protocol with Certificateless Signature 28:9
Times Cost
Random number generator (96bit) 3 0.015s
Hash function (SHA-512) 9 0.855s
ECC Pairing 6 3.48s
ECC point multiplication 12 0.48s
ECC point addition 5 0.1s
The proposed cryptographic protocol 4.93s
5 CONCLUSIONS
Aided by sturdy crypto-primitives, i.e., certificateless signature and bilinear pairing operations,
the proposed lightweight cryptographic protocol has demonstrated its security guarantee and
solid robustness against super-type adversaries. Applicable fields for our proposed protocol are
examples, such as mobile payment, ubiquitous commerce, smart home, and intelligent entertain-
ment, in which a higher demand of security is required. To examine the practicability, a single-
board computing platform, i.e., raspberry PI 3, is simulated in the performance evaluation as an
ACM Transactions on Embedded Computing Systems, Vol. 18, No. 3, Article 28. Publication date: April 2019.
28:10 L. Zhou et al.
IoT-compatible device. A user-acceptable computation cost, i.e., 4.93s, for a regular security oper-
ation is delivered.
REFERENCES
S. S. Al-Riyami and K. G. Paterson. 2003. Certificateless public key cryptography. In Proceedings of the International Con-
ference on the Theory and Application of Cryptology and Information Security (ASIACRYPT’03).
J. Cui, J. Zhang, H. G. Zhong, R. Shi, and Y. Xu. 2018. An efficient certificateless aggregate signature without pairings for
vehicular ad hoc networks. Info. Sci. 451–452 (2018), 1–15.
X. F. Cao, K. G. Paterson, and W. D. Kou. 2008. Attack on a certificateless signature scheme and its improvement. J. Beijing
Univ. Posts Telecommun. 31, 2 (2008), 64–67.
P. Gong and P. Li. 2014. Further improvement of a certificateless signature scheme without pairing. Int. J. Commun. Syst.
27, 10 (2014), 2083–2091.
M. C. Gorantla and A. Saxena. 2005. An efficient certificateless signature scheme. In Proceedings of the International Con-
ference on Computational Intelligence and Security. 110–116.
D. He, J. Chen, and R. Zhang. 2011. An efficient and probably secure certificateless signature scheme without bilinear
pairings. Int. J. Commun. Syst. 25, 11 (2011), 1432–1442.
D. He, N. Kumar, H. Wang, L. Wang, and K.-K. R. Choo. 2017. Privacy-preserving certificateless provable data possession
scheme for big data storage on cloud. Appl. Math. Comput. 314 (2017), 31–43.
B. C. Hu, D. S. Wong, Z. Zhang, and X. Deng. 2006. Key replacement attack against a generic construction of certificateless
signature. In Proceedings of the 11st Australasian Conference on Information Security and Privacy. 235–246.
X. Huang, W. Susilo, Y. Mu, and F. Zhang. 2005. On the security of certificateless signature schemes from Asiacrypt 2003.
In Proceedings of the International Conference on Cryptology and Network Security. 13–25.
X. Huang, Y. Mu, W. Susilo, D. S. Wong, and W. Wu. 2007. Certificateless signature revisited. In Proceedings of the 12th
Australasian Conference on Information Security and Privacy (ACISP’07), Lecture Notes in Computer Science, Vol. 4586,
308–322.
X. Huang, Y. Mu, W. Susilo, D. S. Wong, and W. Wu. 2012. Certificateless signature: New schemes and security models.
Comput. J. 55, 4 (2012), 457–474.
D. Pointcheval and J. Stern. 1996. Security Proofs for Signature Schemes. In Proceedings of the EUROCRYPT’96 (LNCS 1070).
387–398.
X. Jia, D. He, Q. Liu, and K. R. Choo. 2018. An efficient provably-secure certificateless signature scheme for internet-of-
things deployment. Ad Hoc Netw. 71 (2018), 78–87.
The Bouncy Castle Crypto APIs. 2013. Retrieved from https://www.bouncycastle.org/java.html.
J. Tsai, N. Lo, and T. Wu. 2014. Weaknesses and improvements of an efficient certificateless signature scheme without using
bilinear pairings. Int. J. Commun. Syst. 27, 7 (2014), 1083–1090.
L. Wang, K. Chen, Y. Long, X. Mao, and H. Wang. 2015. A modified efficient certificateless signature scheme without bilinear
pairings. In Proceedings of the International Conference on Intelligent Networking and Collaborative Systems (INCOS’15).
K.-H. Yeh, K.-Y. Tsai, and C.-Y. Fan. 2015. An efficient certificateless signature scheme without bilinear pairings. Multimedia
Tools Appl. 74, 16 (2015), 6519–6530.
K. Yeh, C. Su, K. Choo, and W. Chiu. 2017. A novel certificateless signature scheme for smart objects in the internet-of-
things. Sensors 17, 5, Article 1001 (2017).
D. H. Yum and P. J. Lee. 2004. Generic construction of certificateless signature. In Proceedings of the 9th Australasian Con-
ference on Information Security and Privacy. 200–211.
ACM Transactions on Embedded Computing Systems, Vol. 18, No. 3, Article 28. Publication date: April 2019.