# A Novel Certificateless Signature Scheme for Smart Objects in the Internet-of-Things

^{1}

^{2}

^{3}

^{*}

## Abstract

**:**

## 1. Introduction

## 2. Preliminary

- The ECDLP is defined as follows: Let the notation $E/{E}_{p}$ denotes an elliptic curve $E$ over a prime finite field ${E}_{p}$, defined by an equation: ${y}^{2}={x}^{3}+ax+b$, where $a,\text{}b\in {F}_{p}$ are constants such that $\mathsf{\Delta}=4{a}^{3}+27{b}^{2}\ne 0$. All points P
_{i}= (x_{i}, y_{i}) on E and the infinity point O form a cyclic group G under the operation of point addition R = P + Q defined based on the chord-and-tangent rule. In addition, t · P = P + P + … + P (t times) is defined as a scalar multiplication, where P is a generator of G with order n. The ECDLP is that given a group G of elliptic curve points with prime order n, a generator P of G and a point x · P, it is computationally infeasible to derive x, where $x\in {Z}_{n}^{*}$.

- Step 1 (Setup phase): A trusted KGC (key generation center) generates a master secret key $s\in {Z}_{n}^{*}$, a corresponding master public key $P{K}_{KGC}$ and a set of public parameters, i.e., $params$.
- Step 2 (PartialPrivateKeyExtract phase): With the master secret key $s$, $params$ and the user i’s identity $I{D}_{i}$, KGC generates a partial secret key ${D}_{i}$ for the user i.
- Step 3: KGC sends ${D}_{i}$ to the user i.
- Step 4 (SetSecretValue phase): Upon receiving ${D}_{i}$, the user i examine the correctness of ${D}_{i}$. If it holds, the user i randomly selects a value ${x}_{i}\in {Z}_{n}^{*}$ as his/her secret. Otherwise, the session is terminated.
- Step 5 (SetPublicKey phase): With $params$ and ${x}_{i}$, the user i generates and outputs his/her public key $P{K}_{i}$.
- Step 6 (Sign phase): With the message m, this phase outputs a signature ${\sigma}_{i}$ which is based on m, $s$ and ${x}_{i}$.
- Step 7: the user i sends ${\sigma}_{i}$ to the verifier.
- Step 8 (Verify phase): With the signature ${\sigma}_{i}$ of the message m, the verifier examine the correctness of ${\sigma}_{i}$. If the examination holds, the signature is valid. Otherwise, the session is terminated.

## 3. The Proposed Certificateless Signature Scheme for IoT-Based Smart Objects

- Pre-processing phase (Figure 2):
- ○
- Steps 1–4: KGC generates a group G of elliptic curve points with prime order n and determines a generator P of G. Then, KGC chooses a master key $s\in {Z}_{n}^{*}$ and a secure hash function ${H}_{1}:{\left\{0,1\right\}}^{*}\times G\to {Z}_{q}^{*}$. Next, KGC calculates a master public key $P{K}_{KGC}=s\cdot P$. Eventually, KGC publishes $params=\left(G,P,P{K}_{KGC},H\right)$ and keeps $s$ securely. Next, given $params$, $s$ and the identity $I{D}_{i}$ of user i, KGC generates a random number ${r}_{i}\in {Z}_{n}^{*}$, and calculates ${R}_{i}={r}_{i}\cdot P$, ${h}_{i}=H\left(I{D}_{i},P{K}_{KGC}\right)$ and ${s}_{i}={r}_{i}+{h}_{i}\cdot s$ mod n.
- ○
- Steps 5–6: KGC returns a partial private key ${D}_{i}=\left({s}_{i},{R}_{i}\right)$ to the user i who checks the validity of ${D}_{i}$ via whether the equation ${s}_{i}\cdot P={R}_{i}+{h}_{i}\cdot P{K}_{KGC}$ mod n holds or not. The correctness of ${D}_{i}$ is presented as follows:$${s}_{i}\cdot P=\left({r}_{i}+{h}_{i}\cdot s\right)\cdot P={r}_{i}\cdot P+{h}_{i}\cdot s\cdot P={R}_{i}+{h}_{i}\cdot P{K}_{KGC}$$
- ○
- Steps 7–8: If it holds, the user i picks a random number ${x}_{i}\in {Z}_{n}^{*}$ as his/her own secret value. Otherwise, the session is terminated. Then, given $params$ and ${x}_{i}$, the user i computes $P{K}_{i}={x}_{i}\cdot P+{R}_{i}$ as his/her public key.

- Sign/Verify phase (Figure 3):
- ○
- Steps 1–3 (Sign): Given $params$, ${D}_{i}$, ${x}_{i}$ and a message m, the user i first chooses a random number ${t}_{i}\in {Z}_{n}^{*}$. Then, the user i computes ${T}_{i}={t}_{i}\cdot P$, ${k}_{i}=H\left(m,{h}_{i},P{K}_{i},{T}_{i}\right)$ and ${\tau}_{i}={t}_{i}+{k}_{i}\cdot ({x}_{i}+{s}_{i})$ mod n. Note that the computation of ${h}_{i}$ is performed at the Pre-processing phase and thus the cost can be removed. Finally, the user i outputs ${\sigma}_{i}=\left({T}_{i},{\tau}_{i}\right)$ as the signature of the message m.
- ○
- Steps 4–5 (Verify): Given $params$, $I{D}_{i}$, $P{K}_{i}$, and ${\sigma}_{i}=\left({T}_{i},{\tau}_{i}\right)$, the verifier first computes ${h}_{i}=H\left(I{D}_{i},P{K}_{KGC}\right)$ and ${k}_{i}=H\left(m,{h}_{i},P{K}_{i},{T}_{i}\right)$. Next, the verifier examines if ${\tau}_{i}\cdot P={T}_{i}+{k}_{i}\cdot \left(P{K}_{i}+{h}_{i}\cdot P{K}_{KGC}\right)$ holds. The signature ${\sigma}_{i}$ is accepted if the equation holds. The correctness of the signature ${\sigma}_{i}=\left({T}_{i},{\tau}_{i}\right)$ is presented as follows:$${\tau}_{i}\cdot P=\left({t}_{i}+{k}_{i}\cdot ({x}_{i}+{s}_{i}\right))\cdot P$$$$={t}_{i}\cdot P+{k}_{i}\cdot ({x}_{i}+{r}_{i}+{h}_{i}\cdot s)\cdot P$$$$={T}_{i}+{k}_{i}\cdot \left({x}_{i}\cdot P+{r}_{i}\cdot P+{h}_{i}\cdot s\cdot P\right)$$$$={T}_{i}+{k}_{i}\cdot \left(\left({x}_{i}\cdot P+{R}_{i}\right)+{h}_{i}\cdot P{K}_{KGC}\right)$$$$={T}_{i}+{k}_{i}\cdot \left(P{K}_{i}+{h}_{i}\cdot P{K}_{KGC}\right)$$

## 4. Security Analysis

#### 4.1. Adversary Model for Certificateless Signature

- $CreateUser\left(I{D}_{t}\right)$: The oracle takes as input a query $\left(I{D}_{t}\right)$, where $I{D}_{t}$ is the party $t$’s identity, and then runs algorithms PartialPrivateKeyExtract, SetSecretValue, and SetPublicKey to obtain the partial private key ${D}_{t}$, the secret value ${x}_{t}$, and the public key $P{K}_{t}$.
- $RequestPublicKey\left(I{D}_{t}\right)$: The oracle takes as input a query $\left(I{D}_{t}\right)$. It browses the list $L$ and returns the party $t$’s public key $P{K}_{t}$.
- $ReplacePublicKey\left(I{D}_{t},P{K}_{t},P{K}_{t}^{\text{'}}\right)$: The oracle takes as input a query $\left(I{D}_{t},P{K}_{t},P{K}_{t}^{\text{'}}\right)$. This oracle replaces the party $t$’s public key with $P{K}_{t}^{\text{'}}$ and updates the corresponding information in the list $L$.
- $ExtractSecret\left(I{D}_{t}\right)$: The oracle takes as input a query $I{D}_{t}$. It browses the list $L$ and returns the secret values ${x}_{t}$. However, if the party $t$ has been asked the $ReplacePublicKey$ query, it returns $\perp $.
- $ExtractPartialSecret\left(I{D}_{t}\right)$: The oracle takes as input a query $I{D}_{t}$. It then browses the list L and returns the partial private key ${D}_{t}=\left({s}_{t},{R}_{t}\right)$.
- $SuperSign\left(I{D}_{t},{m}_{t}\right)$: The oracle takes as input a query $\left(I{D}_{t},{m}_{t}\right)$, where ${m}_{t}$ denotes the message to be signed. This oracle outputs a signature ${\sigma}_{t}=\left({R}_{t},{T}_{t},{\tau}_{t}\right)$ such that $true\leftarrow Verify\left({m}_{t},{\sigma}_{t},params,I{D}_{t},P{K}_{t}\right)$. If the public key has not been replaced, i.e., $P{K}_{t}=P{K}_{t}$, $P{K}_{t}$ is the public key returned from the oracle $RequestPublicKey\left(I{D}_{t}\right)$. Otherwise, $P{K}_{t}=P{K}_{t}^{\text{'}}$, where $P{K}_{t}^{\text{'}}$ is the latest public key value submitted to the oracle $ReplacePublicKey\left(I{D}_{t},P{K}_{t},P{K}_{t}^{\text{'}}\right)$.

**Game**

**1.**

- (1)
- $S{A}_{1}$ has never queried the oracle $ExtractPartialSecret\left(I{D}_{t}\right)$.
- (2)
- $S{A}_{1}$ has never queried the oracle $SuperSign\left(I{D}_{t},{m}_{t}\right)$.
- (3)
- true ← Verify(m
_{t}, σ_{t}, params, ID_{t}, PK_{t}) where PK_{t}is the current public key of party t and it may be replaced by SA_{1}.

**Definition**

**1.**

**Game**

**2.**

- (1)
- $S{A}_{2}$ has never queried the oracle $ExtractSecret\left(I{D}_{t}\right)$.
- (2)
- $S{A}_{2}$ has never queried the oracle $SuperSign\left(I{D}_{t},{m}_{t}\right)$.
- (3)
- true ← Verify(m
_{t}, σ_{t}, params, ID_{t}, PK_{t}), where $P{K}_{t}$ is the original public key of party.

**Definition**

**2.**

#### 4.2. Formal Analysis

**Theorem**

**1.**

**Proof**.

- Initialization phase: $\beta $ picks an identity $I{D}^{*}$ as the challenged identity in Game 1, sets $P{K}_{KGC}$ and sends $params=\left(G,P,P{K}_{KGC},H\right)$ to $S{A}_{1}$.
- Query phase:
- ➢
- $CreateUser\left(I{D}_{t}\right)$: The oracle takes as input a query $\left(I{D}_{t}\right)$. If $I{D}_{t}$ has been created, nothing happens. Otherwise, $\beta $ runs algorithms PartialPrivateKeyExtract, SetSecretValue, and SetPublicKey to obtain the partial private key ${D}_{t}$, the secret value ${x}_{t}$ and the public key $P{K}_{t}$. Next, $\beta $ returns $P{K}_{t}$ to $S{A}_{1}$.
- ➢
- $Hash$ query:
- (1)
- When $S{A}_{1}$ accesses a hash query on $\left(I{D}_{t},P{K}_{KGC}\right)$, if the list ${L}_{{H}_{1}}$ contains $<{h}_{t},I{D}_{t},P{K}_{KGC}>$, $\beta $ returns ${h}_{t}$ to $S{A}_{1}$. Otherwise, $\beta $ picks a random number ${h}_{t}\in {Z}_{n}^{*}$, returns ${h}_{t}$ to $S{A}_{1}$, and adds $<{h}_{t},I{D}_{t},P{K}_{KGC}>$ to ${L}_{{H}_{1}}$.
- (2)
- When $S{A}_{1}$ accesses a hash query on $\left(m,{h}_{t},P{K}_{t},{T}_{t}\right)$, if the list ${L}_{{H}_{1}}$ contains $<{k}_{t},m,{h}_{t},P{K}_{t},{T}_{t}>$, $\beta $ returns ${k}_{t}$ to $S{A}_{1}$. Otherwise, $\beta $ picks a random number ${k}_{t}\in {Z}_{n}^{*}$, returns ${k}_{t}$ to $S{A}_{1}$, and adds $<{k}_{t},m,{h}_{t},P{K}_{t},{T}_{t}>$ to ${L}_{{H}_{1}}$.

- ➢
- $RequestPublicKey\left(I{D}_{t}\right)$: Upon receiving a $RequestPublicKey$ query with an identity $I{D}_{t}$ from $S{A}_{1}$, $\beta $ performs the following steps.
- (1)
- If $I{D}_{t}\ne I{D}^{*}$, $\beta $ selects three random numbers ${a}_{t},{b}_{t},{x}_{t}\in {Z}_{n}^{*}$, and performs ${s}_{t}\leftarrow {a}_{t}$, ${h}_{t}\leftarrow {b}_{t}$, ${R}_{t}\leftarrow {a}_{t}\cdot P-{b}_{t}\cdot P{K}_{KGC}$, and $P{K}_{t}={x}_{t}\cdot P+{R}_{t}$. Then, $\beta $ adds $\langle I{D}_{t},{R}_{t},{h}_{t}\rangle $ to list ${L}_{{H}_{1}}$, and $\langle I{D}_{t},{s}_{t},{R}_{t}\rangle $ and $\langle I{D}_{t},P{K}_{t},{x}_{t}\rangle $ to list ${L}_{{K}_{1}}$, respectively. Finally, $\beta $ returns $P{K}_{t}$ to $S{A}_{1}$.
- (2)
- Otherwise, $\beta $ generates three random numbers ${a}_{t},{b}_{t},{x}_{t}\in {Z}_{n}^{*}$, and sets ${R}_{t}\leftarrow {a}_{t}\cdot P$, ${h}_{t}\leftarrow {b}_{t}$, ${s}_{t}\leftarrow \perp $ and $P{K}_{t}={x}_{t}\cdot P+{R}_{t}$. Then, $\beta $ adds $\langle I{D}_{t},{R}_{t},{h}_{t}\rangle $ to list ${L}_{{H}_{1}}$, and $\langle I{D}_{t},\perp ,{R}_{t}\rangle $ and $\langle I{D}_{t},P{K}_{t},{x}_{t}\rangle $ to list ${L}_{{K}_{1}}$, respectively. Finally, $\beta $ returns $P{K}_{t}$ to $S{A}_{1}$.

- ➢
- $ExtractPartialSecret\left(I{D}_{t}\right)$: Upon receiving an $ExtractPartialSecret$ query for an identity $I{D}_{t}$ from $S{A}_{1}$, $\beta $ performs the following steps.
- (1)
- If $I{D}_{t}=I{D}^{*}$, $\beta $ stops the session.
- (2)
- Otherwise, $\beta $ looks at ${L}_{{H}_{1}}$ for $<I{D}_{t},{s}_{t},{R}_{t}>$. If there exists a record of such a tuple, $\beta $ returns ${s}_{t}$ to $S{A}_{1}$; otherwise, $\beta $ makes a $RequestPublicKey$ query with $I{D}_{t}$ and returns ${s}_{t}$ to $S{A}_{1}$ accordingly.

- ➢
- $ExtractSecret\left(I{D}_{t}\right)$: When $\beta $ receives an $ExtractSecret$ query for an identity $I{D}_{t}$ from $S{A}_{1}$, $\beta $ looks for $\langle I{D}_{t},P{K}_{t},{x}_{t}\rangle $ in the list ${L}_{{K}_{1}}$. If there is such a tuple, $\beta $ returns ${x}_{t}$ to $S{A}_{1}$. Otherwise, $\beta $ makes a $ExtractPartialSecret\left(I{D}_{t}\right)$ query and returns ${x}_{t}$ to $S{A}_{1}$.
- ➢
- $ReplacePublicKey\left(I{D}_{t},P{K}_{t},P{K}_{t}^{\text{'}}\right)$: Once $\beta $ receives a query for some $\left(I{D}_{t},P{K}_{t},P{K}_{t}^{\text{'}}\right)$ from $S{A}_{1}$, $\beta $ looks for $\langle I{D}_{t},P{K}_{t},{x}_{t}\rangle $in the list ${L}_{{K}_{1}}$. If there exists such a record, $\beta $ sets $P{K}_{t}=P{K}_{t}^{\text{'}}$ and ${x}_{t}=\perp $. Otherwise, $\beta $ makes a $RequestPublicKey$ query with $I{D}_{t}$ and then sets $P{K}_{t}=P{K}_{t}^{\text{'}}$ and ${x}_{t}=\perp $.
- ➢
- $SuperSign\left(I{D}_{t},{m}_{t}\right)$: Upon receiving a $SuperSign$ query with $\left(I{D}_{t},{m}_{t}\right)$ from $S{A}_{1}$, $\beta $ looks for $<I{D}_{t},{s}_{t},{R}_{t}>$ and $\langle I{D}_{t},P{K}_{t},{x}_{t}\rangle $ in the lists ${L}_{{K}_{1}}$. Next, $\beta $ generates a random number ${c}_{t}\in {Z}_{n}^{*}$, and computes ${\tau}_{t}\leftarrow {c}_{t}$ and ${T}_{t}={\tau}_{t}\cdot P-{k}_{t}\cdot \left(P{K}_{t}+{h}_{t}\cdot P{K}_{KGC}\right)$. After that, $\beta $ returns ${\sigma}_{t}=\left({T}_{t},{\tau}_{t}\right)$ to $S{A}_{1}$.

- ${E}_{1}$: $\beta $ does not abort in all of the $ExtractPartialSecret$ queries.
- ${E}_{2}$: $S{A}_{1}$ successfully forges a valid signature $\left(I{D}_{t},{m}_{t},{\sigma}_{t}\right)$.
- ${E}_{3}$: The forged signature $\left(I{D}_{t},{m}_{t},{\sigma}_{t}\right)$ satisfies $I{D}_{t}=I{D}^{*}$.

**■**

**Theorem**

**2.**

**Proof.**

- ➢
- $RequestPublicKey\left(I{D}_{t}\right)$: When $S{A}_{2}$ makes this query with an identity $I{D}_{t}$, $\beta $ acts as follows:
- (1)
- If $I{D}_{t}\ne I{D}^{*}$, $\beta $ generates two random numbers ${r}_{t},{x}_{t}\in {Z}_{n}^{*}$, and computes ${R}_{t}={r}_{t}\cdot P$, ${h}_{t}=H\left(I{D}_{t},P{K}_{KGC}\right)$, ${s}_{t}={r}_{t}+{h}_{t}\cdot s$ mod n and $P{K}_{t}={x}_{t}\cdot P+{R}_{t}$. Then, $\beta $ adds $\langle I{D}_{t},{R}_{t},{h}_{t}\rangle $, $\langle I{D}_{t},{s}_{t},{R}_{t}\rangle $ and $\langle I{D}_{t},P{K}_{t},{x}_{t}\rangle $ to the lists ${L}_{{H}_{1}}$ and ${L}_{{K}_{1}}$, respectively. Finally, $\beta $ returns $P{K}_{t}$ to $S{A}_{2}$.
- (2)
- Otherwise, $\beta $ selects a random value ${r}_{t}\in {Z}_{n}^{*}$, and sets ${R}_{t}={r}_{t}\cdot P$, ${h}_{t}=H\left(I{D}_{t},P{K}_{KGC}\right)$, ${s}_{t}={r}_{t}+{h}_{t}\cdot s$ mod n and $P{K}_{t}={x}_{t}\cdot P+{R}_{t}$. Then, $\beta $ adds $\langle I{D}_{t},{R}_{t},{h}_{t}\rangle $, $\langle I{D}_{t},{s}_{t},{R}_{t}\rangle $ and $\langle I{D}_{t},P{K}_{t},\perp \rangle $ to the lists ${L}_{{H}_{1}}$ and ${L}_{{K}_{1}}$ respectively. Finally, $\beta $ returns $P{K}_{t}$ to $S{A}_{2}$.

- ➢
- $ExtractPartialSecret\left(I{D}_{t}\right)$: When $S{A}_{2}$ makes this query with an identity $I{D}_{t}$, $\beta $ looks for $\langle I{D}_{t},{s}_{t},{R}_{t}\rangle $ in ${L}_{{K}_{1}}$. If there exists a record of such a tuple, $\beta $ returns ${s}_{t}$ to $S{A}_{2}$; otherwise, $\beta $ makes a $RequestPublicKey$ query with $I{D}_{t}$ and returns ${s}_{t}$ to $S{A}_{2}$ accordingly.
- ➢
- $ExtractSecret\left(I{D}_{t}\right)$: When $S{A}_{2}$ makes this query with an identity $I{D}_{t}$, $\beta $ acts as follows:
- (1)
- If $I{D}_{t}=I{D}^{*}$, $\beta $ terminates the session.
- (2)
- Otherwise, $\beta $ looks for $\langle I{D}_{t},P{K}_{t},{x}_{t}\rangle $ in ${L}_{{K}_{1}}$. If there is such a record, $\beta $ returns ${x}_{t}$ to $S{A}_{2}$; otherwise, $\beta $ makes a $RequestPublicKey$ query with $I{D}_{t}$ and then returns ${x}_{t}$ to $S{A}_{2}$.

- ${E}_{1}$: $\beta $ does not abort in all of the $ExtractSecret$ queries.
- ${E}_{2}$: $S{A}_{2}$ successfully forges a valid signature $\left(I{D}_{t},{m}_{t},{\sigma}_{t}\right)$.
- ${E}_{3}$: The forged signature $\left(I{D}_{t},{m}_{t},{\sigma}_{t}\right)$ satisfies $I{D}_{t}=I{D}^{*}$.

**■**

## 5. System Implementation and Performance Evaluation

- (1)
- Condition (1). For the Arduino Uno, we adopt elliptic curve points over a prime field $\mathbb{G}\mathbb{F}\left(n\right)$ with a 192-bit prime $n$, a random number generator with a 96-bit output sequence and a secure one-way hash function, i.e., SHA-3 (512-bit) [22] as the underlying crypto-modules in our proposed certificateless scheme.
- (2)
- Condition (2). For the Raspberry PI 2 platform, the elliptic curve is with a 384-bit prime $n$ and the random number generator is with 96-bit output sequence. In addition, SHA-3 (512-bit) is implemented as the one-way hash function.

## 6. Related Work

#### 6.1. Review of Certificateless Signature Schemes

#### 6.2. Previously Unknown Weakness in Wang et al’s (2015) CLS Scheme

- Revisiting the scheme:
- ➢
- In the Setup phase, KGC generates a group G of elliptic curve points with prime order n and determines a generator P of G, prior to randomly selecting a master secret key $s\in {Z}_{p}^{*}$ and computing the master public key $P{K}_{KGC}=s\cdot P$. Then, KGC chooses two secure hash functions ${H}_{1}:{\left\{0,1\right\}}^{*}\times G\times G\to {Z}_{q}^{*}$ and ${H}_{1}:{\left\{0,1\right\}}^{*}\times {\left\{0,1\right\}}^{*}\times G\times G\times G\times G\to {Z}_{q}^{*}$, and publishes a set of system parameters, i.e., $params=\left(G,P,P{K}_{KGC},{H}_{1},{H}_{2}\right)$.
- ➢
- In the PartialPrivateKeyExtract phase, given $params$, $s$ and the user i’s identity $I{D}_{i}$, KGC selects a random number ${r}_{i}\in {Z}_{n}^{*}$, and computes ${R}_{i}={r}_{i}\cdot P$, ${h}_{i}={H}_{1}\left(I{D}_{i},{R}_{i},P{K}_{KGC}\right)$ and ${s}_{i}={r}_{i}+{h}_{i}\cdot s$ mod n. Next, KGC returns the partial private key ${D}_{i}=\left({s}_{i},{R}_{i}\right)$ to the user i. Upon receiving ${D}_{i}$, i is able to verify ${D}_{i}$ by examining whether two values, i.e., ${s}_{i}\cdot P$ and ${R}_{i}+{h}_{i}\cdot P{K}_{KGC}$, are identical or not since ${s}_{i}\cdot P=\left({r}_{i}+{h}_{i}\cdot s\right)\cdot P={R}_{i}+{h}_{i}\cdot P{K}_{KGC}$.
- ➢
- In the SetSecretValue phase, given $params$, the user i randomly selects ${x}_{i}\in {Z}_{n}^{*}$ as his/her secret value.
- ➢
- In the SetPublicKey phase, given $params$ and ${x}_{i}$, the user i computes his/her public key as $P{K}_{i}={x}_{i}\cdot P$.
- ➢
- In the Sign phase, given $params$, ${D}_{i}$, ${x}_{i}$ and a message m, the user i selects a random value ${t}_{i}\in {Z}_{n}^{*}$, and outputs a signature ${\sigma}_{i}=\left({R}_{i},{T}_{i},{\tau}_{i}\right)$ with a series of computed values ${T}_{i}={t}_{i}\cdot P$, ${k}_{i}={H}_{2}\left(I{D}_{i},m,{T}_{i},P{K}_{i},{R}_{i},P{K}_{KGC}\right)$ and ${\tau}_{i}={t}_{i}+{k}_{i}\cdot {x}_{i}+{s}_{i}$ mod n.
- ➢
- In the Verify phase, Given $params$, $I{D}_{i}$, $P{K}_{i}$, m and ${\sigma}_{i}=\left({R}_{i},{T}_{i},{\tau}_{i}\right)$, the verifier computes ${h}_{i}={H}_{1}\left(I{D}_{i},{R}_{i},P{K}_{KGC}\right)$ and ${k}_{i}={H}_{2}\left(I{D}_{i},m,{T}_{i},P{K}_{i},{R}_{i},P{K}_{KGC}\right)$, and then checks whether the equation ${\tau}_{i}\cdot P={T}_{i}+{k}_{i}\cdot P{K}_{i}+{R}_{i}+{h}_{i}\cdot P{K}_{KGC}$ holds. Note that ${\sigma}_{i}$ is accepted if the equation holds. That is, ${\tau}_{i}\cdot P=\left({t}_{i}+{k}_{i}\cdot {x}_{i}+{s}_{i}\right)\cdot P={t}_{i}\cdot P+{k}_{i}\cdot {x}_{i}\cdot P+{s}_{i}\cdot P={t}_{i}\cdot P+{k}_{i}\cdot {x}_{i}\cdot P+\left({r}_{i}+{h}_{i}\cdot s\right)\cdot P={T}_{i}+{k}_{i}\cdot P{K}_{i}+{R}_{i}+{h}_{i}\cdot P{K}_{KGC}$.

- Cryptanalysis
- ➢
- Suppose there exists a malicious super type I adversary j which seeks to forge a valid signature ${\sigma}_{i}=\left({R}_{i},{T}_{i}^{\text{'}},{\tau}_{i}^{\text{'}}\right)$ on a message m' chosen by the adversary j. The adversary j eavesdrops a valid signature ${\sigma}_{i}=\left({R}_{i},{T}_{i},{\tau}_{i}\right)$ with message m issued by the user i from any previous session, where ${T}_{i}={t}_{i}\cdot P$, ${R}_{i}={r}_{i}\cdot P$, $P{K}_{i}={x}_{i}\cdot P$, $P{K}_{KGC}=s\cdot P$, ${h}_{i}={H}_{1}\left(I{D}_{i},{R}_{i},P{K}_{KGC}\right)$, ${k}_{i}={H}_{2}\left(I{D}_{i},m,{T}_{i},P{K}_{i},{R}_{i},P{K}_{KGC}\right)$, ${s}_{i}={r}_{i}+{h}_{i}\cdot s$ mod n, and ${\tau}_{i}={t}_{i}+{k}_{i}\cdot {x}_{i}+{s}_{i}$ mod n.
- ➢
- Since the adversary j is a super type I adversary, j is able to issue an oracle query of ExtractSecretValue(i) and replace any entity’s public key including KGC’s public key. With the eavesdropped values, i.e., ${T}_{i}$, ${R}_{i}$ and ${\tau}_{i}$, and public values, i.e., $P{K}_{i}$ and $P{K}_{KGC}$, the adversary j chooses a random number ${t}_{a}\in {Z}_{n}^{*}$, and derives ${T}_{a}={t}_{a}\cdot P$, ${T}_{i}^{\text{'}}={T}_{a}+{T}_{i}$, ${k}_{i}^{\text{'}}={H}_{2}\left(I{D}_{i},{m}^{\prime},{T}_{i}^{\text{'}},P{K}_{i},{R}_{i},P{K}_{KGC}\right)$ and ${\tau}_{i}^{\text{'}}={\tau}_{i}-{k}_{i}\cdot {x}_{i}+{k}_{i}^{\text{'}}\cdot {x}_{i}+{t}_{a}=\left({t}_{i}+{k}_{i}\cdot {x}_{i}+{s}_{i}\right)-{k}_{i}\cdot {x}_{i}+{k}_{i}^{\text{'}}\cdot {x}_{i}+{t}_{a}=\left({t}_{i}+{t}_{a}\right)+{k}_{i}^{\text{'}}\cdot {x}_{i}+{s}_{i}$ mod n. Note that the secret ${x}_{i}$ is retrieved via ExtractSecretValue(i) oracle query.
- ➢
- So far, the adversary j can forge a valid signature ${\sigma}_{i}^{\text{'}}=({R}_{i},{T}_{i}^{\text{'}},{\tau}_{i}^{\text{'}})$ on the chosen message m'. It is obvious that the equation ${\tau}_{i}^{\text{'}}\cdot P=\left[\left({t}_{i}+{t}_{a}\right)+{k}_{i}^{\text{'}}\cdot {x}_{i}+{s}_{i}\right]\cdot P=\left({t}_{i}+{t}_{a}\right)\cdot P+{k}_{i}^{\text{'}}\cdot {x}_{i}\cdot P+\left({r}_{i}+{h}_{i}\cdot s\right)\cdot P=\left({T}_{a}+{T}_{i}\right)+{k}_{i}^{\text{'}}\cdot P{K}_{i}+{r}_{i}\cdot P+{h}_{i}\cdot s\cdot P={T}_{i}^{\text{'}}+{k}_{i}^{\text{'}}\cdot P{K}_{i}+{R}_{i}+{h}_{i}\cdot P{K}_{KGC}$ holds. Therefore, the resistance to signature forgery attack cannot be guaranteed under the assumption of existing a malicious super type I adversary.

#### 6.3. Security and Performance Comparative Summary

_{inv}), bilinear pairing operation (T

_{bp}), ECC-based scalar multiplication operation for points (T

_{em}), ECC-based addition operation for points (T

_{eadd}), multiplication operation (T

_{m}), addition operation (T

_{add}), one-way hash function (T

_{h}), and random number generator operation (T

_{g}). It is clear that our proposed scheme outperforms Gong and Li’s scheme [29] and Wang et al.’s scheme [28] by eliminating the computation costs of (1T

_{m}, 1T

_{h}, 2T

_{eadd}, 2T

_{h}) and (1T

_{eadd}), respectively. When compared to Tsai’s scheme [16], the tradeoff between the computation cost (1T

_{m}, 1T

_{add}, 1T

_{h}) and (1T

_{inv}, 2T

_{bp}) is observed. It is clear that bilinear pairing operation is more inefficient than ECC point-based operations, i.e., scalar multiplication and addition. Hence, we can claim that our proposed scheme is more efficient and practical than Tsai’s scheme [16] with a better performance efficiency.

## 7. Conclusions

## Acknowledgments

## Author Contributions

## Conflicts of Interest

## References

- Yang, Y.; Lu, J.; Choo, K.K.R.; Liu, J. On Lightweight Security Enforcement in Cyber-physical Systems. In Proceedings of the International Workshop on Lightweight Cryptography for Security & Privacy (LightSec 2015), Bochum, Germany, 10–11 September 2015. [Google Scholar]
- D'Orazio, C.; Choo, K.-K.R. Circumventing iOS Security Mechanisms for APT Forensic Investigations: A Security Taxonomy for Cloud Apps. Future Gener. Comput. Syst.
**2016**. [Google Scholar] [CrossRef] - D'Orazio, C.; Choo, K.-K.R. A Technique to Circumvent SSL/TLS Validations on iOS Devices. Future Gener. Comput. Syst.
**2016**. [Google Scholar] [CrossRef] - D'Orazio, C.; Choo, K.-K.R.; Yang, L.T. Data Exfiltration from Internet of Things Devices: iOS Devices as Case Studies. IEEE Internet Things J.
**2017**, 4, 524–535. [Google Scholar] [CrossRef] - Yao, X.; Han, X.; Du, X.; Zhou, X. A lightweight multicast authentication mechanism for small scale IoT applications. IEEE Sens. J.
**2013**, 13, 3696–3701. [Google Scholar] [CrossRef] - Kawamoto, Y.; Nishiyama, H.; Kato, N.; Shimizu, Y.; Takahara, A.; Jiang, T. Effectively collecting data for the location-based authentication in the Internet of Things. IEEE Sens. J.
**2015**. [Google Scholar] [CrossRef] - Hernandez-Ramos, J.L.; Pawlowski, M.P.; Jara, A.J.; Skarmeta, A.F.; Ladid, L. Toward a lightweight authentication and authorization framework for smart objects. IEEE J. Sel. Areas Commun.
**2015**, 33, 690–702. [Google Scholar] [CrossRef] - Gope, P.; Hwang, T. BSN-Care: A Secure IoT-based modern healthcare system using body sensor network. IEEE Sens. J.
**2016**, 16, 1368–1376. [Google Scholar] [CrossRef] - Yang, Y.; Cai, H.; Wei, Z.; Lu, H.; Choo, K.-K.R. Towards Lightweight Anonymous Entity Authentication for IoT Applications. In Proceedings of the 21st Australasian Conference on Information Security and Privacy-CISP 2016, Melbourne, Australia, 4–6 July 2016; pp. 265–280. [Google Scholar]
- Nguyen, K.; Ouahla, N.; Laurent, M. Lightweight Certificateless and Provably-Secure Signcryptosystem for the Internet of Things. In Proceedings of the 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-15), Helsinki, Finland, 20–22 August 2015. [Google Scholar]
- Toorani, M.; Beheshti, A.A. An elliptic curve-based signcryption scheme with forward secrecy. J. Appl. Sci.
**2009**, 9, 1025–1035. [Google Scholar] [CrossRef] - Dutta, M.; Singh, A.K.; Kumar, A. An Efficient Signcryption Scheme based on ECC with Forward Secrecy and Encrypted Message Authentication. In Proceedings of the IEEE 3rd International Advance Computing Conference (IACC), Ghaziabad, India, 22–23 February 2013. [Google Scholar]
- Yu, G.; Yang, H.; Fan, S.; Han, W. Efficient Certificateless Signcryption Scheme from Weil Pairing. J. Netw.
**2011**, 6, 1280–1287. [Google Scholar] [CrossRef] - Singh, J.; Kumar, V.; Kumar, R. An RSA based Certificateless Signature Scheme for Wireless Sensor Networks. In Proceedings of the 2015 International Conference on Green Computing and Internet of Things (ICGCIoT), Noida, India, 8–10 October 2016. [Google Scholar]
- Sharma, G.; Bala, S.; Verma, A.K. An improved RSA Based Certificateless Signature Scheme for Wireless Sensor Networks. Int. J. Network Secur.
**2016**, 18, 82–89. [Google Scholar] - Tsai, J.-L. A New Efficient Certificateless Short Signature Scheme Using Bilinear Pairings. IEEE Syst. J.
**2015**. [Google Scholar] [CrossRef] - Huang, X.; Mu, Y.; Susilo, W.; Wong, D.S.; Wu, W. Certificateless signature revisited. In Proceedings of the 12th Australasian Conference on Information Security and Privacy (ACISP), Townsville, Australia, 2–4 July 2007; pp. 308–322. [Google Scholar]
- Al-Riyami, S.; Paterson, K. Certificateless public key cryptography. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT), Taipei, Taiwan, 30 November–4 December 2003; pp. 452–473. [Google Scholar]
- Huang, X.; Mu, Y.; Susilo, W.; Wong, D.S.; Wu, W. Certificateless Signatures: New Schemes and Security Models. Comput. J.
**2012**, 55, 457–474. [Google Scholar] [CrossRef] - Pointcheval, D.; Stern, J. Security Proofs for Signature Schemes. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), Saragossa, Spain, 12–16 May 1996; pp. 387–398. [Google Scholar]
- FIPS PUB 186–4, Digital Signature Standard (DSS), National Institute of Standards and Technology, June 2009. Available online: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf (accessed on 1 May 2017).
- Dworkin, M.J. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, NIST FIPS-202. August 2015. Available online: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf (accessed on 24 December 2016).
- The Bouncy Castle Crypto APIs. 2016. Available online: https://www.bouncycastle.org/ (accessed on 24 December 2016).
- Fackelmann/SHA3. Available online: https://github.com/Fackelmann/SHA3 (accessed on 20 March 2017).
- Kmackay/micro-ecc. Available online: https://github.com/kmackay/micro-ecc (accessed on 20 March 2017).
- AESLib. Available online: https://github.com/DavyLandman/AESLib (accessed on 21 April 2017).
- Maletsky, K. RSA vs ECC Comparison for Embedded Systems (White Paper), Atmel. Available online: http://www.atmel.com/Images/Atmel-8951-CryptoAuth-RSA-ECC-Comparison-Embedded-Systems-WhitePaper.pdf (accessed on 18 January 2017).
- Wang, L.; Chen, K.; Long, Y.; Mao, X.; Wang, H. A Modified Efficient Certificateless Signature Scheme without Bilinear Pairings. In Proceedings of the 2015 International Conference on Intelligent Networking and Collaborative Systems (INCOS), Taipei, Taiwan, 2–4 September 2015. [Google Scholar] [CrossRef]
- Gong, P.; Li, P. Further Improvement of a Certificateless Signature Scheme without Pairing. Int. J. Commun. Syst.
**2014**, 27, 2083–2091. [Google Scholar] [CrossRef] - Yeh, K.-H.; Tsai, K.-Y.; Kuok, R.-Z.; Wu, T.-C. Robust Certificateless Signature Scheme without Bilinear Pairings. In Proceedings of the International Conference on IT Convergence and Security (ICITCS 2013), Macau, China, 16–18 December 2013. [Google Scholar]
- Yeh, K.-H.; Tsai, K.-Y.; Fan, C.-Y. An Efficient Certificateless Signature Scheme without Bilinear Pairings. Multimed. Tools Appl.
**2015**, 74, 6519–6530. [Google Scholar] [CrossRef] - Shi, W.; Kumar, N.; Gong, P.; Zhang, Z. Cryptanalysis and Improvement of a Certificateless Signcryption Scheme without Bilinear Pairing. Front. Comput. Sci.
**2014**, 8, 656–666. [Google Scholar] [CrossRef] - Pang, L.; Hu, Y.; Liu, Y.; Xu, K.; Li, H. Efficient and Secure Certificateless Signature Scheme in the Standard Model. Int. J. Commun. Syst.
**2017**, 30. [Google Scholar] [CrossRef]

Environment | Description |
---|---|

Arduino Uno | Atmel ATmega328P 8-Bit 16MHz AVR Architecture Memory 2 KB RAM/32 KB EEPROM |

Raspberry PI 2 | Broadcom BCM2836 @ 1 GHz Quad-Core ARM Cortex-A7 Architecture with 1 GB DDR2 RAM and SanDisk 16 GB Class 10 SD Card |

Programming Language | (For Raspberry PI 2) Eclipse 3.8 with Oracle Java 8 ARM (For Arduino Uno) ANSI C |

Crypto API | (For Raspberry PI 2) The Bouncy Castle Crypto APIs [23] (For Arduino Uno) Fackelmann/SHA3 [24], Kmackay/micro-ecc [25], AESLib [26] |

**Table 2.**The computation cost of our proposed certificateless signature scheme implemented on the Arduino Uno with Condition (1).

Phase | Computation Cost | Execution Time | Total |
---|---|---|---|

Pre-processing | Generate $s$, ${r}_{i}$, ${x}_{i}$, $I{D}_{i}$ (96-bit) | 4.414 ms | 23.044 s |

Compute ${h}_{i}$ (SHA-3 with 288 bit input sequence) | 0.2 ms | ||

Compute $P{K}_{KGC}$, ${R}_{i}$, ${s}_{i}$, $P{K}_{i}$ (ECC 192-bit) | 14.4 s | ||

Verify ${s}_{i}\cdot P={R}_{i}+{h}_{i}\cdot P{K}_{KGC}$ (ECC 192-bit) | 8.64 s | ||

Sign | Generate ${t}_{i}$ (96-bit) | 1.104 ms | 11.537 s |

Compute ${k}_{i}$ (SHA-3 with 1408-bit input sequence) ^{1} | 16.2 ms | ||

Compute ${T}_{i}$ (ECC with 192-bit) | 2.88 s | ||

Compute ${\tau}_{i}={t}_{i}+{k}_{i}\cdot ({x}_{i}+{s}_{i})$ (ECC 192-bit) | 8.64 s | ||

Verify | Compute ${h}_{i}$ (SHA-3 with 288-bit input sequence) | 0.2 ms | 14.416 s |

Compute ${k}_{i}$ (SHA-3 with 1408-bit input sequence) ^{1} | 16.2 ms | ||

Verify ${\tau}_{i}\cdot P={T}_{i}+{k}_{i}\cdot \left(P{K}_{i}+{h}_{i}\cdot P{K}_{KGC}\right)$ (ECC 192-bit) | 14.4 s |

^{1}Suppose the size of message m is 512-bit.

**Table 3.**The computation cost of our proposed signature scheme implemented on the Arduino Uno with a 160-bit elliptic curve, a 96-bit random number generator, and a 512-bit SHA-3.

Phases of the Proposed Scheme | Total Execution Time |
---|---|

Pre-processing phase | 10.812 s |

Sign phase | 5.421 s |

Verify phase | 6.771 s |

Input Sequence of AES | Encryption/Decryption |
---|---|

AES-128 with 32/64/128/256 Bytes Input Sequence | 0.63 ms |

AES-256 with 32/64/128/256 Bytes Input Sequence | 0.87 ms |

**Table 5.**The computation cost of our proposed certificateless signature scheme implemented on the Raspberry PI 2 with Condition (2).

Phase | Computation Cost | Execution Time | Total |
---|---|---|---|

Pre-processing | Generate $s$, ${r}_{i}$, ${x}_{i}$, $I{D}_{i}$ (96-bit) | 0.276 ms | 0.895 ms |

Compute ${h}_{i}$ (SHA-3 with 480-bit input sequence) | 0.0051 ms | ||

Compute $P{K}_{KGC}$, ${R}_{i}$, ${s}_{i}$, $P{K}_{i}$ (ECC 384-bit) | 0.355 ms | ||

Verify ${s}_{i}\cdot P={R}_{i}+{h}_{i}\cdot P{K}_{KGC}$ (ECC 384-bit) | 0.213 ms | ||

Sign | Generate ${t}_{i}$ (96-bit) | 0.069 ms | 1.549 ms |

Compute ${k}_{i}$ (SHA-3 with 1792-bit input sequence) ^{1} | 1.196 ms | ||

Compute ${T}_{i}$ (ECC with 384-bit) | 0.071 ms | ||

Compute ${\tau}_{i}={t}_{i}+{k}_{i}\cdot ({x}_{i}+{s}_{i})$ (ECC 384-bit) | 0.213 ms | ||

Verify | Compute ${h}_{i}$ (SHA-3 with 480-bit input sequence) | 0.0051 ms | 1.556 ms |

Compute ${k}_{i}$ (SHA-3 with 1792-bit input sequence) ^{1} | 1.196 ms | ||

Verify ${\tau}_{i}\cdot P={T}_{i}+{k}_{i}\cdot \left(P{K}_{i}+{h}_{i}\cdot P{K}_{KGC}\right)$ (ECC 384-bit) | 0.355 ms |

^{1}Suppose the size of message m is 512-bit.

SHA-3 Operation | Execution Time |
---|---|

SHA-3 with 576-bit input sequence | 0.412 ms |

SHA-3 with 1152-bit input sequence | 0.939 ms |

SHA-3 with 1728-bit input sequence | 1.194 ms |

SHA-3 with 2304-bit input sequence | 1.726 ms |

SHA-3 with 2880-bit input sequence | 2.260 ms |

SHA-3 with 3456-bit input sequence | 2.407 ms |

SHA-3 with 4032-bit input sequence | 2.807 ms |

SHA-3 with 4608-bit input sequence | 3.215 ms |

SHA-3 with 5184-bit input sequence | 4.084 ms |

SHA-3 with 5760-bit input sequence | 4.430 ms |

Gong & Li’s Scheme [29] | Wang et al’s Scheme [28] | Tsai’s Scheme [16] | Our proposed Scheme | |
---|---|---|---|---|

Resistance to Super Type I Adversary | No | No | Yes | Yes |

Resistance to Super Type II Adversary | Yes | Yes | Yes | Yes |

Sign Phase | Verify Phase | In Total | |
---|---|---|---|

Gong & Li’s scheme [29] | 1T_{em} + 2T_{m} + 2T_{add} + 2T_{h} + 1T_{g} | 4T_{em} + 3T_{eadd} + 3T_{h} | 5T_{em} + 2T_{m} + 3T_{eadd} + 2T_{add} + 5T_{h} + 1T_{g} |

Wang et al’s scheme [28] | 1T_{em} + 1T_{m} + 2T_{add} + 1T_{h} + 1T_{g} | 3T_{em} + 3T_{eadd} + 2T_{h} | 4T_{em} + 1T_{m} + 3T_{eadd} + 2T_{add} + 3T_{h} + 1T_{g} |

Tsai’s scheme [16] | 1T_{inv} + 1T_{em} + 1T_{m} + 1T_{add} + 1T_{h} | 2T_{bp} + 2T_{em} + 2T_{eadd} + 2T_{h} | 1T_{inv} + 2T_{bp} + 3T_{em} + 1T_{m} + 2T_{eadd} + 1T_{add} + 3T_{h} |

Our proposed scheme | 1T_{em} + 1T_{m} + 2T_{add} + 1T_{h} + 1T_{g} | 3T_{em} + 2T_{eadd} + 2T_{h} | 4T_{em} + 1T_{m} + 2T_{eadd} + 2T_{add} + 3T_{h} + 1T_{g} |

© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Yeh, K.-H.; Su, C.; Choo, K.-K.R.; Chiu, W. A Novel Certificateless Signature Scheme for Smart Objects in the Internet-of-Things. *Sensors* **2017**, *17*, 1001.
https://doi.org/10.3390/s17051001

**AMA Style**

Yeh K-H, Su C, Choo K-KR, Chiu W. A Novel Certificateless Signature Scheme for Smart Objects in the Internet-of-Things. *Sensors*. 2017; 17(5):1001.
https://doi.org/10.3390/s17051001

**Chicago/Turabian Style**

Yeh, Kuo-Hui, Chunhua Su, Kim-Kwang Raymond Choo, and Wayne Chiu. 2017. "A Novel Certificateless Signature Scheme for Smart Objects in the Internet-of-Things" *Sensors* 17, no. 5: 1001.
https://doi.org/10.3390/s17051001