A Novel Certificateless Signature Scheme for Smart Objects in the Internet-of-Things

Rapid advances in wireless communications and pervasive computing technologies have resulted in increasing interest and popularity of Internet-of-Things (IoT) architecture, ubiquitously providing intelligence and convenience to our daily life. In IoT-based network environments, smart objects are embedded everywhere as ubiquitous things connected in a pervasive manner. Ensuring security for interactions between these smart things is significantly more important, and a topic of ongoing interest. In this paper, we present a certificateless signature scheme for smart objects in IoT-based pervasive computing environments. We evaluate the utility of the proposed scheme in IoT-oriented testbeds, i.e., Arduino Uno and Raspberry PI 2. Experiment results present the practicability of the proposed scheme. Moreover, we revisit the scheme of Wang et al. (2015) and revealed that a malicious super type I adversary can easily forge a legitimate signature to cheat any receiver as he/she wishes in the scheme. The superiority of the proposed certificateless signature scheme over relevant studies is demonstrated in terms of the summarized security and performance comparisons.


Introduction
The boosting advances on wireless communication and sensing technologies bring universal Internet connectivity, and a more ubiquitous and pervasive computing environment is thus created, called Internet-of-Things (i.e., IoT). Plenty of novel smart objects with specific purposes emerge in IoT to support various innovative applications providing higher intelligence and more convenience to our daily life. Since IoT has attracted significant attention as a key step in furthering intelligent human life in the future, IoT is definitely one of the most promising network paradigms in this computer generation. In an IoT environment, numerous smart objects, such as customized sensors or wearable intelligent devices, can be used to sense, collect, transmit, disseminate, etc., data from the field to a server or other smart things. Unsurprisingly, IoT has wide industrial and individual applications. However, due to the amount and nature of data and potential for exploitation, it is essential to ensure the security of both data-in-transit and data-at-rest [1][2][3][4]. In addition, the heterogeneous nature of the IoT network and the presence of (a large number of) specific-purpose sensors embedded within the smart objects complicate efforts to offer effective security. One particular research challenge is to balance the tradeoff between performance efficiency and system security when designing security solutions for smart objects in IoT-based networks.
In the literature, researchers have dedicated significant efforts on refining traditional security techniques as system security solutions for IoT-based network architectures, such as authentication [5][6][7][8][9] signcryption [10][11][12][13], and certificateless digital signature [14,15], respectively. First of all, due to the nature of limited processing capability of smart objects, the design of lightweight authentication has been thoroughly investigated as a critical security component in IoT-based network systems. In this category of study, lightweight but robust crypto-modules, such as one way hash function, are embedded into the operation and communication of resource-constrained IoT-based objects to support the security of application operated by objects and backend servers (from service providers). It simultaneously focuses on the computation efficiency and communication robustness of object-to-object and object-to-server data exchange procedures. Secondly, the signcryption technique combines the merits from encryption and digital signature. Most of critical security requirements, such as confidentiality, integrity, unforgeability, and non-repudiation, can be guaranteed in a single logic step. It enjoys better security robustness than other kinds of single-crypto-based security mechanisms. Thirdly, the refinement of certificateless digital signature for protecting IoT-based networks has been studied because of the benefit from the relief on the difficult certificate management in traditional public key infrastructure.
Relying on a trusted third party, certificateless public key cryptography facilitates users in establishing a private key and the corresponding public key. It is, thus, more suitable to IoT-based network architecture since there is no need to maintain a centralized server for key/certificate management. In addition, with the decentralized and changed structure, it is believed that we the more efficiency will be guaranteed due to the less of limitation on implementing security mechanism on IoT. Existing certificateless signature schemes can be broadly categorized into certificateless signature schemes with and without bilinear pairing. It has been proven that bilinear pairing is less efficient than ECC (elliptic curve cryptography) point-based crypto-operations, in terms of computation costs [16], although the use of bilinear pairing results in shorter signature message. The latter property makes bilinear pairing-based approach particularly suitable for bandwidth-limited networks, such as traditional wireless sensor networks. Nevertheless, owing to the recent advancements in communication technologies, including those for sensors, the communication environment for existing IoT-based sensors is not as limited by bandwidth restriction as before. Various techniques, such as Bluetooth Low Energy, LoRa, and Zigbee, have been leveraged to build IoT-based communication networks which are bandwidth-guaranteed during sensors-to-server message transmission. Hence, during the design of an efficient and secure certificateless signature scheme for IoT-based smart objects, we argue that computation efficiency takes priority over communication efficiency. For the above observations, in this paper we focus on the design of a certificateless signature scheme with ECC point-based crypto-operations for IoT-based network environments. The rest of the paper is organized as follows. Section 2 presents relevant background materials. In Section 3, we present the proposed certificateless signature scheme for IoT-based smart objects. We then provide the security analysis and the system implementation of our proposed scheme in Sections 4 and 5, respectively. In Section 6, we review related work and present a comparative summary, in terms of security and performance. Finally, we conclude the paper in Section 7.

Preliminary
The objective of this study is to propose a robust and efficient certificateless signature scheme with ECC point-based crypto-operations. ECC is one kind of public key cryptography (PKC)-based techniques, where it is based on the algebraic structure of elliptic curves over finite fields. Normally, ECC requires a smaller key size than other PKC-oriented approaches to provide an equivalent security level. For example, it is generally thought that the same security can be delivered by 256-bit elliptic curve and 3072-bit RSA. Hence, to enjoy higher computation efficiency, we would like to integrate the ECC crypto-technique into our proposed certificateless signature scheme. Furthermore, since the robustness of the proposed scheme is based on the hardness of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP), we present the definition of ECDLP in the following.

•
The ECDLP is defined as follows: Let the notation E/E p denotes an elliptic curve E over a prime finite field E p , defined by an equation: y 2 = x 3 + ax + b, where a, b ∈ F p are constants such that ∆ = 4a 3 + 27b 2 = 0. All points P i = (x i , y i ) on E and the infinity point O form a cyclic group G under the operation of point addition R = P + Q defined based on the chord-and-tangent rule. In addition, t · P = P + P + . . . + P (t times) is defined as a scalar multiplication, where P is a generator of G with order n. The ECDLP is that given a group G of elliptic curve points with prime order n, a generator P of G and a point x · P, it is computationally infeasible to derive x, where x ∈ Z * n .
The robustness of the proposed certificateless signature scheme is based on the intractability of ECDLP. Next, for better understanding of our proposed scheme, we present the general concepts of the certificateless signature. A certificateless signature scheme generally consists of six phases, i.e., Setup, PartialPrivateKeyExtract, SetSecretValue, SetPublicKey, Sign, and Verify [17]. Note that the four phases, i.e., Setup, PartialPrivateKeyExtract, SetSecretValue, and SetPublicKey, can be treated as a pre-processing stage. In the following, we briefly review the normal process of a general certificateless signature scheme (Figure 1).

•
Step 1 (Setup phase): A trusted KGC (key generation center) generates a master secret key s ∈ Z * n , a corresponding master public key PK KGC and a set of public parameters, i.e., params.
• Step 2 (PartialPrivateKeyExtract phase): With the master secret key s, params and the user i's identity ID i , KGC generates a partial secret key D i for the user i. • Step 3: KGC sends D i to the user i. • Step 4 (SetSecretValue phase): Upon receiving D i , the user i examine the correctness of D i . If it holds, the user i randomly selects a value x i ∈ Z * n as his/her secret. Otherwise, the session is terminated. • Step 5 (SetPublicKey phase): With params and x i , the user i generates and outputs his/her public key PK i . • Step 6 (Sign phase): With the message m, this phase outputs a signature σ i which is based on m, s and x i . • Step 7: the user i sends σ i to the verifier. The ECDLP is defined as follows: Let the notation / denotes an elliptic curve over a prime finite field , defined by an equation: = + + , where , ∈ are constants such that ∆= 4 + 27 ≠ 0. All points = ( , ) on and the infinity point form a cyclic group under the operation of point addition = + defined based on the chord-and-tangent rule. In addition, ⋅ = + + ⋯ + ( times) is defined as a scalar multiplication, where is a generator of with order . The ECDLP is that given a group G of elliptic curve points with prime order , a generator P of G and a point ⋅ , it is computationally infeasible to derive , where ∈ * .
The robustness of the proposed certificateless signature scheme is based on the intractability of ECDLP. Next, for better understanding of our proposed scheme, we present the general concepts of the certificateless signature. A certificateless signature scheme generally consists of six phases, i.e., Setup, PartialPrivateKeyExtract, SetSecretValue, SetPublicKey, Sign, and Verify [17]. Note that the four phases, i.e., Setup, PartialPrivateKeyExtract, SetSecretValue, and SetPublicKey, can be treated as a pre-processing stage. In the following, we briefly review the normal process of a general certificateless signature scheme (Figure 1).


Step 1 (Setup phase): A trusted KGC (key generation center) generates a master secret key ∈ * , a corresponding master public key and a set of public parameters, i.e., .  Step 2 (PartialPrivateKeyExtract phase): With the master secret key , and the user i's identity , KGC generates a partial secret key for the user i.  Step 3: KGC sends to the user i.  Step 4 (SetSecretValue phase): Upon receiving , the user i examine the correctness of . If it holds, the user i randomly selects a value ∈ * as his/her secret. Otherwise, the session is terminated.  Step 5 (SetPublicKey phase): With and , the user i generates and outputs his/her public key .


Step 6 (Sign phase): With the message m, this phase outputs a signature which is based on m, and .  Step 7: the user i sends to the verifier.  Step 8 (Verify phase): With the signature of the message m, the verifier examine the correctness of . If the examination holds, the signature is valid. Otherwise, the session is terminated.

The Proposed Certificateless Signature Scheme for IoT-Based Smart Objects
In this section, we propose a new certificateless signature scheme with ECC point-based crypto-operations. The security of the scheme assumes the intractability of ECDLP. In the following, we present the proposed scheme consisting of two phases, i.e., the Pre-processing phase and Sign/Verify phase. Note that three entities, i.e., KGC, the signer and the verifier, are involved.
• Pre-processing phase ( Figure 2): Steps 1-4: KGC generates a group G of elliptic curve points with prime order n and determines a generator P of G. Then, KGC chooses a master key s ∈ Z * n and a secure hash function H 1 : {0, 1} * × G → Z * q . Next, KGC calculates a master public key PK KGC = s · P. Eventually, KGC publishes params = (G, P, PK KGC , H) and keeps s securely. Next, given params, s and the identity ID i of user i, KGC generates a random number r i ∈ Z * n , and calculates R i = r i · P, h i = H(ID i , PK KGC ) and s i = r i + h i · s mod n.
Steps 5-6: KGC returns a partial private key D i = (s i , R i ) to the user i who checks the validity of D i via whether the equation s i · P = R i + h i · PK KGC mod n holds or not. The correctness of D i is presented as follows: Steps 7-8: If it holds, the user i picks a random number x i ∈ Z * n as his/her own secret value. Otherwise, the session is terminated. Then, given params and x i , the user i computes PK i = x i · P + R i as his/her public key.

The Proposed Certificateless Signature Scheme for IoT-Based Smart Objects
In this section, we propose a new certificateless signature scheme with ECC point-based crypto-operations. The security of the scheme assumes the intractability of ECDLP. In the following, we present the proposed scheme consisting of two phases, i.e., the Pre-processing phase and Sign/Verify phase. Note that three entities, i.e., KGC, the signer and the verifier, are involved.


Pre-processing phase ( Figure 2): o Steps 1-4: KGC generates a group G of elliptic curve points with prime order n and determines a generator P of G. Then, KGC chooses a master key ∈ * and a secure hash function : 0,1 * × → * . Next, KGC calculates a master public key = ⋅ .
o Steps 5-6: KGC returns a partial private key = ( , ) to the user i who checks the validity of via whether the equation ⋅ = + ℎ ⋅ mod n holds or not. The correctness of is presented as follows: o Steps 7-8: If it holds, the user i picks a random number ∈ * as his/her own secret value.
Otherwise, the session is terminated. Then, given and , the user i computes = ⋅ + as his/her public key. • Sign/Verify phase ( Figure 3): Steps 1-3 (Sign): Given params, D i , x i and a message m, the user i first chooses a random number t i ∈ Z * n . Then, the user i computes Note that the computation of h i is performed at the Pre-processing phase and thus the cost can be removed. Finally, the user i outputs σ i = (T i , τ i ) as the signature of the message m.

Security Analysis
We will now define the adversary model we used to prove the security of our scheme, prior to presenting the security analysis.

Adversary Model for Certificateless Signature
In the proposed certificateless signature scheme, we considered type I adversary and type II adversaries as defined in [18]. Due to the lack of certificate verification, it is possible for adversaries to replace an entity's public key with one of its choice. Therefore, the type I adversary models an external adversary capable of replacing any entity's public key with specific values chosen by the adversary itself. Nevertheless, the type I adversary does not know the private key of KGC. On the other hand, the type II adversary models a malicious KGC who is able to access the master key, but cannot replace the public keys of other entities. In addition, type I and II adversaries can be further classified into three categories of power levels [17,19], i.e., normal adversary, strong adversary, and super adversary. A normal-level adversary only has the ability to learn a valid verification message. A strong-level adversary is able to replace a public key in order to forge a valid verification message when the adversary possesses a corresponding private value. A super-level adversary is able to learn valid verification messages for a replaced public key without any submission. Normally, the super adversary may issue the following queries.


( ): The oracle takes as input a query ( ), where is the party 's identity, and then runs algorithms PartialPrivateKeyExtract, SetSecretValue, and SetPublicKey to obtain the partial private key , the secret value , and the public key . The following two games, i.e., Games 1 and 2, are against super type I and type II adversaries, respectively. Type I adversary models an external adversary who is able to replace any entity's

Security Analysis
We will now define the adversary model we used to prove the security of our scheme, prior to presenting the security analysis.

Adversary Model for Certificateless Signature
In the proposed certificateless signature scheme, we considered type I adversary and type II adversaries as defined in [18]. Due to the lack of certificate verification, it is possible for adversaries to replace an entity's public key with one of its choice. Therefore, the type I adversary models an external adversary capable of replacing any entity's public key with specific values chosen by the adversary itself. Nevertheless, the type I adversary does not know the private key of KGC. On the other hand, the type II adversary models a malicious KGC who is able to access the master key, but cannot replace the public keys of other entities. In addition, type I and II adversaries can be further classified into three categories of power levels [17,19], i.e., normal adversary, strong adversary, and super adversary. A normal-level adversary only has the ability to learn a valid verification message. A strong-level adversary is able to replace a public key in order to forge a valid verification message when the adversary possesses a corresponding private value. A super-level adversary is able to learn valid verification messages for a replaced public key without any submission. Normally, the super adversary may issue the following queries.
• CreateUser(ID t ): The oracle takes as input a query (ID t ), where ID t is the party t's identity, and then runs algorithms PartialPrivateKeyExtract, SetSecretValue, and SetPublicKey to obtain the partial private key D t , the secret value x t , and the public key PK t . • RequestPublicKey(ID t ): The oracle takes as input a query (ID t ). It browses the list L and returns the party t's public key PK t . • ReplacePublicKey ID t , PK t , PK t : The oracle takes as input a query ID t , PK t , PK t . This oracle replaces the party t's public key with PK t and updates the corresponding information in the list L. • ExtractSecret(ID t ): The oracle takes as input a query ID t . It browses the list L and returns the secret values x t . However, if the party t has been asked the ReplacePublicKey query, it returns ⊥. • ExtractPartialSecret(ID t ): The oracle takes as input a query ID t . It then browses the list L and returns the partial private key D t = (s t , R t ).
The oracle takes as input a query (ID t , m t ), where m t denotes the message to be signed. This oracle outputs a signature σ t = (R t , T t , τ t ) such that true ← Veri f y(m t , σ t , params, ID t , PK t ) . If the public key has not been replaced, i.e., PK t = PK t , PK t is the public key returned from the oracle RequestPublicKey(ID t ). Otherwise, PK t = PK t , where PK t is the latest public key value submitted to the oracle ReplacePublicKey ID t , PK t , PK t .
The following two games, i.e., Games 1 and 2, are against super type I and type II adversaries, respectively. Type I adversary models an external adversary who is able to replace any entity's public key with specific values chosen by the adversary itself. On the other hand, type II adversary simulates a malicious KGC who holds the master key and might engage in adversarial activities, such as eavesdropping on signatures and asking signing queries. Game 1. This game is performed between a challenger C and a super type I adversary SA 1 interacting within the proposed certificateless signature scheme. First, in the "Initialization" stage, the challenger C runs the Setup algorithm and generates a private key s, and public system parameters params. Next, C keeps s, but gives params to the adversary SA 1 . Second, in the "Query" phase, SA 1 can adaptively access oracle queries CreateUser(ID t ), RequestPublicKey(ID t ), ReplacePublicKey ID t , PK t , PK t , ExtractSecret(ID t ), ExtractPartialSecret(ID t ) and SuperSign(ID t , m t ), of C, where t may be the user i. After all necessary queries have been asked, SA 1 outputs a forged signature (ID t , m t , σ t ). SA 1 wins in Game 1 if the following three conditions hold: (1) SA 1 has never queried the oracle ExtractPartialSecret(ID t ).
(3) true ← Verify(m t , σ t , params, ID t , PK t ) where PK t is the current public key of party t and it may be replaced by SA 1 .
Definition 1. The proposed certificateless signature scheme is existentially unforgeable against a super type I adversary SA 1 , if SA 1 runs in polynomial time pt, makes at most q H queries to the oracle Hash(.), q CU queries to the oracle CreateUser(ID t ), q EPS queries to the oracle ExtractPartialSecret(ID t ), q ES queries to the oracle ExtractSecret(ID t ), q PK queries to the oracle RequestPublicKey(ID t ), q RPK queries to the oracle ReplacePublicKey ID t , PK t , PK t and q SS queries to the oracle SuperSign(ID t , m t ) and Succ SA 1 is negligible, where Succ SA 1 is the success probability that SA 1 wins in Game 1.

Game 2.
This game is performed between a challenger C and a super type II adversary SA 2 interacting within the proposed certificateless signature scheme. First, in the "Initialization" phase, the challenger C runs the Setup algorithm and generates a private key s, and public system parameters params. Then, C keeps s, but gives params to the adversary SA 2 . Second, in the "Query" phase, SA 2 can adaptively access the oracle queries CreateUser(ID t ), RequestPublicKey(ID t ), ReplacePublicKey ID t , PK t , PK t , ExtractSecret(ID t ), ExtractPartialSecret(ID t ) and SuperSign(ID t , m t ), of C, where t may be the user i. After all necessary queries have been asked, SA 2 outputs a forged signature (ID t , m t , σ t ). SA 2 wins in Game 2 if the following three conditions hold: (1) SA 2 has never queried the oracle ExtractSecret(ID t ).
(3) true ← Verify(m t , σ t , params, ID t , PK t ), where PK t is the original public key of party.

Definition 2.
The proposed certificateless signature scheme is existentially unforgeable against a super type II adversary SA 2 , if SA 2 runs in polynomial time pt, makes at most q H queries to the oracle Hash(.), q CU queries to the oracle CreateUser(ID t ), q EPS queries to the oracle ExtractPartialSecret(ID t ), q ES queries to the oracle ExtractSecret(ID t ), q PK queries to the oracle RequestPublicKey(ID t ), q RPK queries to the oracle ReplacePublicKey ID t , PK t , PK t and q SS queries to the oracle SuperSign(ID t , m t ) and Succ SA 2 is negligible, where Succ SA 2 is the success probability that SA 2 wins in Game 2.

Formal Analysis
Assuming the hardness of solving ECDLP, we prove that our proposed scheme is existentially unforgeable against the super type I adversary and super type II adversary, respectively. Theorem 1. The proposed certificateless signature scheme is existentially unforgeable against a super type I adversary in the random oracle model, assuming the hardness of solving ECDLP. That is, if there exists a super type I adversary SA 1 who can submit queries to random oracles and win in Game 1 with probability Succ SA 1 , then there is an algorithm β which can solve a random instance of ECDLP in polynomial time with success Proof. Let SA 1 be a super type I adversary SA 1 which can compromise our proposed certificateless signature scheme with a non-negligible probability Succ SA 1 . We then construct a polynomial-time algorithm β which can utilize SA 1 to solve ECDLP. At first, β contains a hash list L H 1 and a key list L K 1 , which are initially empty.

•
Initialization phase: β picks an identity ID * as the challenged identity in Game 1, sets PK KGC and sends params = (G, P, PK KGC , H) to SA 1 . • Query phase: CreateUser(ID t ): The oracle takes as input a query (ID t ). If ID t has been created, nothing happens. Otherwise, β runs algorithms PartialPrivateKeyExtract, SetSecretValue, and SetPublicKey to obtain the partial private key D t , the secret value x t and the public key PK t . Next, β returns PK t to SA 1 .
Hash query: (1) When SA 1 accesses a hash query on (ID t , PK KGC ), if the list L H 1 contains < h t , ID t , PK KGC >, β returns h t to SA 1 . Otherwise, β picks a random number h t ∈ Z * n , returns h t to SA 1 , and adds < h t , ID t , PK KGC > to L H 1 .
(2) When SA 1 accesses a hash query on (m, h t , PK t , T t ), if the list L H 1 contains < k t , m, h t , PK t , T t >, β returns k t to SA 1 . Otherwise, β picks a random number k t ∈ Z * n , returns k t to SA 1 , and adds < k t , m, h t , PK t , T t > to L H 1 . RequestPublicKey(ID t ): Upon receiving a RequestPublicKey query with an identity ID t from SA 1 , β performs the following steps.
(1) If ID t = ID * , β selects three random numbers a t , b t , x t ∈ Z * n , and performs s t ← a t , h t ← b t , R t ← a t · P − b t · PK KGC , and PK t = x t · P + R t . Then, β adds ID t , R t , h t to list L H 1 , and ID t , s t , R t and ID t , PK t , x t to list L K 1 , respectively. Finally, β returns PK t to SA 1 .
(2) Otherwise, β generates three random numbers a t , b t , x t ∈ Z * n , and sets R t ← a t · P , h t ← b t , s t ← ⊥ and PK t = x t · P + R t . Then, β adds ID t , R t , h t to list L H 1 , and ID t , ⊥, R t and ID t , PK t , x t to list L K 1 , respectively. Finally, β returns PK t to SA 1 . ExtractPartialSecret(ID t ): Upon receiving an ExtractPartialSecret query for an identity ID t from SA 1 , β performs the following steps.
(2) Otherwise, β looks at L H 1 for < ID t , s t , R t >. If there exists a record of such a tuple, β returns s t to SA 1 ; otherwise, β makes a RequestPublicKey query with ID t and returns s t to SA 1 accordingly. ExtractSecret(ID t ): When β receives an ExtractSecret query for an identity ID t from SA 1 , β looks for ID t , PK t , x t in the list L K 1 . If there is such a tuple, β returns x t to SA 1 . Otherwise, β makes a ExtractPartialSecret(ID t ) query and returns x t to SA 1 . ReplacePublicKey ID t , PK t , PK t : Once β receives a query for some ID t , PK t , PK t from SA 1 , β looks for ID t , PK t , x t in the list L K 1 . If there exists such a record, β sets PK t = PK t and x t = ⊥. Otherwise, β makes a RequestPublicKey query with ID t and then sets PK t = PK t and x t = ⊥. SuperSign(ID t , m t ): Upon receiving a SuperSign query with (ID t , m t ) from SA 1 , β looks for < ID t , s t , R t > and ID t , PK t , x t in the lists L K 1 . Next, β generates a random number c t ∈ Z * n , and computes τ t ← c t and T t = τ t · P − k t · (PK t + h t · PK KGC ). After that, β returns σ t = (T t , τ t ) to SA 1 .
Finally, SA 1 outputs a forged but valid signature (ID t , m t , σ t ). If ID t = ID * , β terminates the simulation. Otherwise, β looks for < h t , ID t , PK KGC >, < k t , m, h t , PK t , T t >, ID t , s t , R t , and ID t , PK t , x t in the lists L H 1 and L K 1 . On the other hand, based on the forking lemma [20], if we have the polynomial replay of β with the same random tape and different choices of hash oracle, SA 1 is able to output another two valid signatures. Eventually, we will have three valid signatures, i.e., σ t (j) = (T t (j) , τ t (j) ) with j = 1, 2, 3, satisfying the equations, i.e., τ t (j) = t t (j) + k t (j) · (x t + s t (j) ) = t t (j) + k t (j) · (x t + r t + h t (j) · s) mod n, where j = 1, 2, 3. Note that winning Game 1 requires that SA 1 has never queried the oracles ExtractPartialSecret and SuperSign. Based on the above three equations, β can derive the three unknown values x t , r t , and s, and outputs s as the solution of a random instance (P, Q = s · P) of ECDLP. So far, we have shown that β can solve the given instance of ECDLP. Next, we analyze β's success probability Succ β of winning in Game 1.
E 1 : β does not abort in all of the ExtractPartialSecret queries. E 2 : SA 1 successfully forges a valid signature (ID t , m t , σ t ).
The corresponding probabilities of the above three events are presented.
Succ SA 1 . Clearly, β can solve ECDLP with a non-negligible probability Succ β because Succ SA 1 is non-negligible. This contradicts the hardness of ECDLP. Theorem 2. The proposed certificateless signature scheme is existentially unforgeable against a super type II adversary in the random oracle model, assuming the hardness of solving ECDLP. That is, if there exists a super type II adversary SA 2 who can submit queries to random oracles and win in Game 2 with probability Succ SA 2 , then there is an algorithm β which can solve a random ECDLP instance in polynomial time with success probability Succ β ≥ 1 q CU +q H 1 − 1 q CU +q H q es Succ SA 2 .
Proof. We assume that there is a super type II adversary SA 2 breaking our proposed scheme with a non-negligible probability Succ SA 2 . Then we want to build a polynomial-time algorithm β which uses SA 2 to solve ECDLP. That is, β receives a random ECDLP instance (P, Q = x t · P), with β's goal being to derive the secret x t . Similarly, in the Initialization phase, β picks an identity ID * as the challenged identity in Game 2, sets PK KGC and sends master key s and params = (G, P, PK KGC , H) to SA 2 . Meanwhile, β maintains two lists, i.e., L H 2 and L K 2 . Next, in the Query phase, β can issue the following oracle queries to SA 2 . Here, we skip the same oracle queries as those, i.e., CreateUser, Hash, ReplacePublicKey and SuperSign, set out in Theorem 1. In addition, β simulates other oracle queries of SA 2 as follows: RequestPublicKey(ID t ): When SA 2 makes this query with an identity ID t , β acts as follows: (1) If ID t = ID * , β generates two random numbers r t , x t ∈ Z * n , and computes R t = r t · P, h t = H(ID t , PK KGC ), s t = r t + h t · s mod n and PK t = x t · P + R t . Then, β adds ID t , R t , h t , ID t , s t , R t and ID t , PK t , x t to the lists L H 1 and L K 1 , respectively. Finally, β returns PK t to SA 2 .
Otherwise, β selects a random value r t ∈ Z * n , and sets R t = r t · P, h t = H(ID t , PK KGC ), s t = r t + h t · s mod n and PK t = x t · P + R t . Then, β adds ID t , R t , h t , ID t , s t , R t and ID t , PK t , ⊥ to the lists L H 1 and L K 1 respectively. Finally, β returns PK t to SA 2 .
ExtractPartialSecret(ID t ): When SA 2 makes this query with an identity ID t , β looks for ID t , s t , R t in L K 1 . If there exists a record of such a tuple, β returns s t to SA 2 ; otherwise, β makes a RequestPublicKey query with ID t and returns s t to SA 2 accordingly. ExtractSecret(ID t ): When SA 2 makes this query with an identity ID t , β acts as follows: (1) If ID t = ID * , β terminates the session. (2) Otherwise, β looks for ID t , PK t , x t in L K 1 . If there is such a record, β returns x t to SA 2 ; otherwise, β makes a RequestPublicKey query with ID t and then returns x t to SA 2 .
Finally, SA 2 outputs a forged but valid signature (ID t , m t , σ t ). If ID t = ID * , β stops the simulation. Otherwise, β looks for ID t , s t , R t and ID t , PK t , x t in the list L K 1 . Based on the forking lemma [20], if we have the polynomial replay of β with the same random tape and different choices of hash oracle, SA 2 can further generate another signature. Eventually, we have two valid signatures, i.e., Note that winning Game 2 requires that the oracles ExtractSecret and SuperSign had never been queried by SA 2 . With the above two linear and independent equations, β can derive the two unknown values r t and x t , and outputs x t as the solution of the random ECDLP instance (P, Q = x t · P). We then analyze β's success probability Succ β of winning in Game 2. We present the events which result in β's success: E 1 : β does not abort in all of the ExtractSecret queries. E 2 : SA 2 successfully forges a valid signature (ID t , m t , σ t ).
Succ SA 2 . Now, β is able to solve ECDLP with a non-negligible probability Succ β because Succ SA 2 is non-negligible. This contradicts the hardness of ECDLP.

System Implementation and Performance Evaluation
To evaluate the performance of the proposed certificateless scheme, we adopt two IoT-based testbeds, i.e., Arduino Uno and Raspberry PI 2 platforms, as the major evaluation platforms in the experiments. The Arduino Uno is a microcontroller board based on the ATmega328P, i.e., an 8-bit AVR RISC-based microchip with 32 KB EEPROM and 2 KB RAM. It is a tiny platform at very low cost, and thus is suitable to evaluate the performance of IoT-based schemes. On the other hand, the Raspberry PI is a card-sized single-board computer which offers an ARM GNU/Linux kernel and 1 GB RAM and 16 GB storage. Generally speaking, the Arduino Uno platform is usually simulated as a resource-constrained device while the Raspberry PI platform is simulated as a smart object which is more powerful on computation efficiency. Hence, in our experiment the Arduino Uno is adopted as resource-constrained objects in IoT networks and the Raspberry PI 2 platform is operated as smart objects (or the mobile IoT-based gateway associated with the resource-constrained objects). The implementation environment is outlined in Table 1. It is known that current techniques for solving ECDLP need O √ n steps, which depend on the size of the underlying field. NIST has recommended five levels of prime fields for certain prime n of sizes, i.e., 192, 224, 256, 384, and 512-bit [21] with associated and recommended elliptic curves. A prime field is the field GF(n), which contains a prime number n of elements, and the security strength of which is dependent on the length of the binary expansion of n. Normally, an elliptic curve over GF(n), where n ≈ 2 256 , can be contrasted with finite-field cryptography (e.g., DSA) with a 3072-bit public key and a 256-bit private key, and integer factorization cryptography (e.g., RSA) with a 3072-bit value of n. Therefore, to strike the best balance between protocol efficiency, security robustness and system scalability, the following two conditions are considered in our system implementation.
(1) Condition (1). For the Arduino Uno, we adopt elliptic curve points over a prime field GF(n) with a 192-bit prime n, a random number generator with a 96-bit output sequence and a secure one-way hash function, i.e., SHA-3 (512-bit) [22] as the underlying crypto-modules in our proposed certificateless scheme. (2) Condition (2). For the Raspberry PI 2 platform, the elliptic curve is with a 384-bit prime n and the random number generator is with 96-bit output sequence. In addition, SHA-3 (512-bit) is implemented as the one-way hash function.  [24], Kmackay/micro-ecc [25], AESLib [26] Table 2 describes the computation cost of our proposed certificateless signature scheme implemented on the Arduino Uno with a 192-bit elliptic curve, a 96-bit random number generator and a 512-bit SHA-3, in terms of execution time of required computation components. In the pre-processing phase, we need 4.414 ms for generating four random numbers, 0.2 ms for computing h i = H(ID i , PK KGC ) via a SHA-3 operation with a 288-bit input sequence, 14.4 s for calculating four values PK KGC , R i , s i and PK i via ECC scalar multiplication operations, and 8.64 s for verifying the equation s i · P = R i + h i · PK KGC . The total computation cost of the pre-processing phase is 23.044 s. Next, during each normal operation of our proposed scheme, we require 11.537 s and 14.416 s for the sign phase and the verify phase, respectively. In the sign phase, we require 1.104 ms to generate a 96-bit t i , and 2.88 s and 16.2 ms to compute T i and k i , respectively. Note that we assume that the size of the signed message m is 512-bit and, thus, the input sequence of k i is 1408-bit. Finally, 8.64 s is needed to compute the signature value τ i . On the other hand, in the verify phase, we need 16.4 ms to complete the executions of h i and k i , and 14.4 s to verify the equation, i.e., τ i · P = T i + k i · (PK i + h i · PK KGC ). Thus, we require 25.953 s in total to execute the processes of our proposed certificateless signature scheme. According to the above simulation results, we can see that the practicability of the proposed scheme is not convinced. However, in a general IoT scenario, resource-constrained sensors usually perform simple task (or command), such as the sensing and transmission of environmental parameters. This kind of data is always meaningless when it is transmitted alone. Therefore, we argue that only reasonable security density is required to guarantee basic robustness. Based on our implementation results, we find that the execution of ECC scalar multiplication operations dominates the computation cost of the proposed scheme. For better performance efficiency, we suggest that the elliptic curve points with a 64/96/160-bit prime n, the 64/96-bit random number generator and the SHA-3 128/256-bit can be considered during the implementation of practical applications. Table 3 shows the implementation results of the experiment with the elliptic curve with a 160-bit prime n. If we adopt the elliptic curve with a 160-bit prime n, a 96-bit random number generator and a SHA-3 with 512-bit output, around 53% of computation cost can be deducted from the case with the 192-bit elliptic curve. That is, as shown in Table 3, we only require 10.812 s, 5.421 s, and 6.771 s for executing the pre-processing phase, the sign phase, and the verify phase of our proposed scheme, respectively. It is believed that the best balance of system robustness and performance efficiency can be achieved by appropriately adjusting the system parameters of the adopted crypto-modules. Furthermore, when higher security robustness is needed, the proposed certificateless signature method can be adopted to support a key exchange (or key agreement) process and produce a session key for later secure communication via symmetric encryption (e.g., the performance of AES implementation on Arduino Uno is shown in Table 4). It is obvious that both higher security and better performance can, thus, be delivered. In brief, for resource-constrained devices, we suggest to exploit our proposed certificateless signature mechanism with 160-bit elliptic curve to construct a robust key exchange (or key agreement) process, and enjoy the performance efficiency from the symmetric encryption with an exchanged (or agreed) session key while preserving the security. Note that the same security level can be achieved via 160-bit elliptic curve and 1028-bit RSA, respectively [27]. Table 2. The computation cost of our proposed certificateless signature scheme implemented on the Arduino Uno with Condition (1).

Phase Computation Cost Execution Time Total
Pre-processing 14.4 s 1 Suppose the size of message m is 512-bit. Table 3. The computation cost of our proposed signature scheme implemented on the Arduino Uno with a 160-bit elliptic curve, a 96-bit random number generator, and a 512-bit SHA-3.

Phases of the Proposed Scheme Total Execution Time
Pre-processing phase 10.812 s Sign phase 5.421 s Verify phase 6.771 s Similarly, Table 5 describes the computation cost of our proposed certificateless signature scheme implemented on the Raspberry PI 2 platform in which the elliptic curve points is with a 384-bit prime n, the random number generator is a 96-bit output sequence, and the one-way hash function is SHA-3 (512-bit). In the pre-processing phase, 0.276 ms is required for four random number generations, 0.0051 ms is required for computing a SHA-3 operation with a 480-bit input sequence, i.e., h i = H(ID i , PK KGC ), 0.355 ms is required for the calculation of four values, i.e., PK KGC , R i , s i and PK i via ECC scalar multiplication operations, and 0.213 ms is required for verifying the equation s i · P = R i + h i · PK KGC . In total, we need 0.895 ms to execute the pre-processing phase. Next, 1.549 ms and 1.556 ms are required for executing the sign phase and the verify phase, respectively. In the sign phase, we require 1.336 ms to generate a 96-bit t i , and to compute T i and k i . Note that the input sequence of k i is 1792-bit. Finally, 0.213 ms is needed for computing the value τ i . In the verify phase, we need 1.2011 ms to compute h i and k i , and 0.355 ms to verify the equation, i.e., τ i · P = T i + k i · (PK i + h i · PK KGC ). In brief, we require 3.105 ms in total to execute the processes of our proposed certificateless signature scheme.
Based on our implementation results, the performance bottleneck occurs at the execution of the SHA-3 hash function with a 1792-bit input sequence, i.e., about 77% (≈ (1.196 × 2)/(1.549 + 1.556)) of total computation cost is dominated by this operation. Nevertheless, the computation cost of executing h i , derived via a SHA-3 hash function with a 480-bit input sequence, is almost negligible when compared to the total computation cost. This observation inspires us to further investigate the performance evaluation of the SHA-3 hash function on the Raspberry PI 2 platform. From Table 6, we observe that the performance of SHA-3 hash function will degrade once the input sequence exceeds multiple of 576-bit, which is one of the defaulted block sizes of the SHA-3 hash function. In other words, it appears that SHA-3 hash function is more suitable for communication protocols with short messages. Normally, in a sensor-based IoT environment, communication messages operated by sensors cannot be too long, due to power consumption limitations. We, thus, argue that the proposed scheme is suitable for current IoT-based communication networks. Table 5. The computation cost of our proposed certificateless signature scheme implemented on the Raspberry PI 2 with Condition (2).

Phase Computation Cost Execution Time Total
Pre-processing  Based on the above results, we find that there exists one limitation in our experiment. In order to examine the practicability of the proposed scheme, the experiment adopts the Arduino Uno and Raspberry PI 2 as the evaluation platforms. However, the adopted crypto-libraries are not consistent in which Bouncy Castle Crypto APIs [23] is adopted for the Raspberry PI 2, and Fackelmann/SHA3 [24], Kmackay/micro-ecc [25] and AESLib [26] are for the Arduino Uno. In general, the evaluation platforms with different processors certainly influence the performance. On the other hand, the crypto-library may also be elegantly-tuned to fit specific processors and gain better performance efficiency. In our experiment, the Bouncy Castle Crypto APIs are generic crypto-libraries for general processors and the others (i.e., Fackelmann/SHA3 [24], Kmackay/micro-ecc [25], and AESLib [26]) are well-configured for the feasible implementation on the Arduino Uno. The performance evaluation is, thus, not under the same evaluation criteria. Fortunately, the practicability and feasibility of the proposed certificateless signature scheme is demonstrated by the experiments. Nevertheless, this limitation existed. Therefore, we suggest that this limitation can be as one of the future research directions. In addition, to pursue the best balance between the performance efficiency and security robustness, we suggest that, in the resource-constrained objects, the proposed scheme with 160-bit elliptic curve can be exploited to construct a robust key exchange process and support secure communications. Tuning the ECC crypto-module with a 192-bit (or 224/256/384/512-bit) elliptic curve to fit the resource-constrained objects is suggested as another interesting future research direction.

Related Work
In recent years, designing certificateless signature schemeswithout bilinear pairings has been extensively studied due to its effectiveness in solving the key escrow problem in identity-based cryptography, and its potential for deployment in an environment comprising resource-limited mobile devices. In this section, we first present the state-of-the-art of certificateless signature before revealing a previously unknown weakness in a recent certificateless signature mechanism proposed by Wang et al. [28]. We then present a comparative summary of our proposed scheme and relevant schemes.

Review of Certificateless Signature Schemes
Since Al-Riyami and Paterson [18] first proposed certificateless public key cryptography in 2003 to solve the key-escrow problem in identity-based public key cryptography, certificateless cryptography has been widely investigated for different network types. Huang et al. [17], in 2007, refined the security model presented by Al-Riyami and Paterson, and introduced type I and type II adversaries with three different power levels, namely: a normal adversary, strong adversary, and super adversary. The authors then presented a robust scheme based on bilinear pairing, and proved the security of the scheme against type I and II adversaries. Later, Gong and Li [29] introduced a provably-secure certificateless signature scheme without the use of bilinear pairing. The authors claimed that their proposed scheme is more robust than previous schemes, in terms of resilience to super type I and II adversaries. While security proof in the random oracle was presented, Yeh et al. [30,31] pointed out that the scheme is vulnerable to super type I attacker, contrary to the claims. The authors then proposed a countermeasure for the identified attacks in which the robustness against super type I and II adversaries can be guaranteed. In a latter work, Wang et al. [28] re-designed the communication procedures of the certificateless signature mechanism proposed by Yeh et al. [30,31] to enhance the computation efficiency. Specifically, costs associated with ECC-based scalar multiplication and addition operations of points are removed. However, in the next subsection, we reveal that a malicious super type I adversary can easily forge a legitimate signature to cheat any receiver as he/she wishes in this scheme.
There have been other attempts to design lightweight certificateless signcryption schemes for low-cost sensors. For example, in a 2014 work, Shi et al. [32] proposed a certificateless signcryption scheme without bilinear pairing, and proved the security of the scheme against type I and II adversaries assuming the hardness of the discrete logarithm problem. Shingh et al. [14] and Sharma et al. [15] demonstrated a RSA-based certificateless signature scheme for wireless sensor networks, which attempted to integrate RSA cryptography in certificateless signature scheme for securing resource-limited sensors. However, an exponential multiplication operation under a discrete logarithm is less efficient than point multiplication operations on elliptic curves over GF(n) under the same security level [27]. Hence, there is potential to improve the performance in the schemes reported in [14,15,32] without invalidating the security claims. Pang et al. [33] presented a bilinear pairing-based certificateless signature scheme and proved its security in the standard model. However, the proposed scheme requires significant computation due to the inherent nature of bilinear pairing. In [16], Tsai proposed a certificateless short signature scheme using bilinear pairing. It was claimed that the proposed scheme is suitable for low-bandwidth communication environment (or power-constrained devices). However, the tradeoff between communication and computation costs is not rigorously investigated, in terms of power consumption of target devices. Hence, this claim is debatable. Moreover, the current sensor-based communication environment is not as bandwidth-limited compared to a decade ago, as we have previously discussed. Therefore, we posit that computational efficiency should be prioritized over communication efficiency when designing an efficient certificateless signature scheme for IoT-based smart objects.

Previously Unknown Weakness in Wang et al's (2015) CLS Scheme
We now revisit Wang et al.'s certificateless signature scheme [28], and demonstrate that the scheme is insecure against a super type I adversary.

•
Revisiting the scheme: In the Setup phase, KGC generates a group G of elliptic curve points with prime order n and determines a generator P of G, prior to randomly selecting a master secret key s ∈ Z * p and computing the master public key PK KGC = s · P. Then, KGC chooses two secure hash functions H 1 : {0, 1} * × G × G → Z * q and H 1 : {0, 1} * × {0, 1} * × G × G × G × G → Z * q , and publishes a set of system parameters, i.e., params = (G, P, PK KGC , H 1 , H 2 ). In the PartialPrivateKeyExtract phase, given params, s and the user i's identity ID i , KGC selects a random number r i ∈ Z * n , and computes R i = r i · P, h i = H 1 (ID i , R i , PK KGC ) and s i = r i + h i · s mod n. Next, KGC returns the partial private key D i = (s i , R i ) to the user i. Upon receiving D i , i is able to verify D i by examining whether two values, i.e., s i · P and R i + h i · PK KGC , are identical or not since s i · P = (r i + h i · s) · P = R i + h i · PK KGC . In the SetSecretValue phase, given params, the user i randomly selects x i ∈ Z * n as his/her secret value. In the SetPublicKey phase, given params and x i , the user i computes his/her public key as PK i = x i · P. In the Sign phase, given params, D i , x i and a message m, the user i selects a random value t i ∈ Z * n , and outputs a signature σ i = (R i , T i , τ i ) with a series of computed values T i = t i · P, k i = H 2 (ID i , m, T i , PK i , R i , PK KGC ) and τ i = t i + k i · x i + s i mod n. In the Verify phase, Given params, ID i , PK i , m and σ i = (R i , T i , τ i ), the verifier computes h i = H 1 (ID i , R i , PK KGC ) and k i = H 2 (ID i , m, T i , PK i , R i , PK KGC ), and then checks whether the equation τ i · P = T i + k i · PK i + R i + h i · PK KGC holds. Note that σ i is accepted if the equation holds. That is, τ i · P = (t i + k i · x i + s i ) · P = t i · P + k i · x i · P + s i · P = t i · P + k i · x i · P + (r i + h i · s) · P = T i + k i · PK i + R i + h i · PK KGC .

•
Cryptanalysis Suppose there exists a malicious super type I adversary j which seeks to forge a valid signature σ i = R i , T i , τ i on a message m' chosen by the adversary j. The adversary j eavesdrops a valid signature σ i = (R i , T i , τ i ) with message m issued by the user i from any previous session, where T i = t i · P, R i = r i · P, PK i = x i · P, PK KGC = s · P, h i = H 1 (ID i , R i , PK KGC ), k i = H 2 (ID i , m, T i , PK i , R i , PK KGC ), s i = r i + h i · s mod n, and τ i = t i + k i · x i + s i mod n.
Since the adversary j is a super type I adversary, j is able to issue an oracle query of ExtractSecretValue(i) and replace any entity's public key including KGC's public key. With the eavesdropped values, i.e., T i , R i and τ i , and public values, i.e., PK i and PK KGC , the adversary j chooses a random number t a ∈ Z * n , and derives T a = t a · P,

Conclusions
In this paper, we presented a new certificateless signature scheme for IoT-based smart objects. We proved the security of the proposed scheme against the super type I and II adversaries, as well as demonstrating the utility of the scheme in IoT-oriented testbeds. For passive objects with constrained computation ability and limited power capability, we argued that the proposed certificateless signature scheme with 160-bit elliptic curve can be exploited to construct a key exchange (or key agreement) process with a reasonable security robustness. Around 5.421 s and 6.771 s are required for performing the sign phase and the verify phase of our proposed scheme, respectively. For active objects with powerful computation efficiency, we suggested considering the proposed certificateless signature scheme with at least 384-bit elliptic curve and SHA-3 (512-bit) to pursue the highest security due the affordability of computation cost on the Raspberry PI platform. Findings from the implementation showed that low computation cost, i.e., 1.549 ms and 1.556 ms, is required to perform the execution processes of the sign phase and verify phase, respectively. Moreover, we compared the security and performance of our scheme with those of Gong and Li [29], Wang et al. [28] and Tsai [16], as well as revealing a previously unknown vulnerability in Wang et al.'s scheme [28] (where a malicious super type I adversary can easily forge a valid signature on any message and cheat receivers at will).