# A Certificateless Aggregate Arbitrated Signature Scheme for IoT Environments


## Abstract


## 1. Introduction

- We analyze the existing CL-AS schemes and construct attack scenarios for public key replacement and for a malicious KGC.
- In addition to the existing security requirements, we apply the concept of an arbitrated signature to provide non-repudiation, taking into account the security of the aggregator that combines the signatures.
- The gateway aggregates the messages and signatures of the IoT devices and folds its own arbitrated signature into that aggregate. On this basis we propose a CL-AAS scheme that is secure and efficient compared with the existing schemes.

## 2. Background and Related Work

#### 2.1. Elliptic Curve Cryptography and ECDLP

#### 2.2. Digital Signature

- Signer authentication: The signer of the electronic document must be verifiable;
- Unforgeable: The electronic document cannot be forged;
- Non-reusable: The electronic signature cannot be used as a signature for another document;
- Unmodifiable: The content of the electronic document cannot be changed; and
- Non-repudiation: The signature of the electronic document cannot be denied.

#### 2.3. Certificateless PKC (CL-PKC)

#### 2.4. Certificateless Aggregate Signature (CL-AS)

- Setup: The KGC generates public parameters and a master secret key using a security parameter as input.
- Partial-private-key-extract: The KGC generates the user’s partial private key and partial public key using the public parameters, master secret key, and the user’s personal identification information, and delivers these keys to the user.
- Set-secret-value: The user creates his own secret information and secret key by inputting public parameters and user identification information.
- Set-public-key: The user sets the public key by entering the public parameters, his partial public key, and secret information.
- CL-sign: Among the users who generated the key, the user who wants to sign the message becomes a signer, and signs the message using his private key. The message and its signature are sent to the verifier.
- CL-verify: The verifier verifies the integrity of individual messages and signatures using the signer’s public key.
- CL-aggregate: The aggregator, which receives the messages and signatures from multiple signers, aggregates these signatures into a single one for multiple messages, to reduce their overall size, and outputs this.
- CL-aggregate-verify: Upon receiving the messages and the aggregated signature, the verifier uses the signers’ public keys to verify the aggregate signature, thereby confirming which users created the constituent signatures and the integrity of each message.

#### 2.5. Security Threat of CL-AS

#### 2.6. Analysis of Existing CL-AS Schemes

## 3. Security Requirements

- Integrity: The most important requirement for digital signatures, including certificateless signatures (CLSs), is integrity. In the IoT environment in particular, data are transmitted over wireless networks, so signing important messages to guarantee their integrity is essential. In the existing CL-AS schemes the aggregator does nothing but aggregate the signatures, yet it is the first entity to handle the signers’ signatures, so it can itself become an attack point; the integrity of the aggregate signature must therefore be ensured as well.
- Prevention of key leakage: A signature is produced to guarantee the integrity of the transmitted message, so the signer’s signing key must neither leak to outsiders nor be derivable from the public parameters. An attacker who can derive or steal the signing key can forge signatures on messages of their own choosing, so that malicious messages pass verification as legitimate, undermining the reliability of the IoT service.
- Unforgeability: Attacks on CL-PKC-based signatures are signature forgery attacks. As described in Section 2.4, a forgery can arise from a public key replacement attack by adversary ${A}_{I}$ or from generating the signer’s partial key with the KGC master key as adversary ${A}_{II}$. Against ${A}_{I}$, it must be impossible to produce a valid signature even after the public key has been replaced; the attack succeeds if the replaced public key lets the verifier cancel the private-key portion of the signature. Since CL-PKC protocols use no public key certificates, the verifier has no external way to authenticate the binding between a user’s identifier and public key, so it is essential that the public key used for verification is verifiably the actual signer’s, and the non-repudiation function must be strengthened accordingly. Against ${A}_{II}$, it must be impossible to generate a signature using only the signer’s partial key: both the partial secret key (PSK) issued by the KGC and the signer-generated secret must be required. Moreover, since a signature might still be forged even when both parts are used, the verifier must not accept such a forged signature as valid.

## 4. Proposed Scheme

- $ID_{*}$: Identifier of an entity;
- $E$: Elliptic curve whose points form the group $G$ of prime order $q$;
- $P$: Generator of the cyclic group $G$;
- $pu_{*}, sv_{*}$: Verification public key and private key pair of an entity;
- $PU_{*}, PR_{*}$: Full public key and private key pair of an entity;
- $msk$: Master key of the KGC;
- $P_{Pub}$: Public key of the KGC ($P_{Pub} = msk \times P$);
- $D_{*} = (R_{*}, z_{*})$: Partial key of an entity;
- $H_{1}(\cdot)$: Cryptographic hash function $\{0,1\}^{*} \times G \times G \to Z_{q}^{*}$;
- $H_{2}(\cdot)$: Cryptographic hash function $\{0,1\}^{*} \times \{0,1\}^{*} \times G \times G \to Z_{q}^{*}$; and
- $H_{3}(\cdot)$: Cryptographic hash function $\{0,1\}^{*} \times \{0,1\}^{*} \times Z_{q}^{*} \times G \times G \to Z_{q}^{*}$.

- Setup $(k)$: The KGC creates the public parameters, $params$, and the master secret key, $msk$, with the security parameter $k$ as input.
- Set-device-key $(params, ID_{A})$: Device A generates its verification key pair, $(sv_{A}, pu_{A})$, from $params$ and its public identifier, $ID_{A}$.
- Partial-private-key-extract $(params, msk, ID_{A}, pu_{A})$: The KGC uses $params$, $msk$, $ID_{A}$, and the verification public key, $pu_{A}$, to generate the partial key, $D_{A}$, of A and transmits it to A.
- Set-full-key $(params, ID_{A}, D_{A}, pu_{A}, sv_{A})$: A sets its full key pair, $(PU_{A}, PR_{A})$, using $params$, the $D_{A}$ received from the KGC, and its verification key pair, $(sv_{A}, pu_{A})$.
- CL-sign $(m_{A}, ID_{A}, PR_{A}, PU_{A})$: A, acting as a signer, signs a single message, $m_{A}$, with its private key, $PR_{A}$, and transmits $m_{A}$ and its signature to the gateway G.
- CL-verify $(m_{A}, \sigma_{A}, ID_{A}, PU_{A})$: The signature $\sigma_{A}$ on $m_{A}$ is verified using $ID_{A}$ and the public key $PU_{A}$. In the proposed scheme the gateway performs this verification for every message it receives before aggregating.
- CL-AA-sign $(m_{1}, \dots, m_{n}, \sigma_{1}, \dots, \sigma_{n}, ID_{1}, \dots, ID_{n}, ID_{G}, PU_{1}, \dots, PU_{n})$: G, having received messages and signatures from multiple devices, aggregates the individual signatures into a single signature on all the messages and adds its own arbitrated signature to the aggregate, so that the output is one signature covering all the devices’ signatures.
- CL-AA-verify $(m_{1}, \dots, m_{n}, \sigma_{AS}, ID_{1}, \dots, ID_{n}, ID_{G}, PU_{1}, \dots, PU_{n})$: When the verifier V receives the messages and the aggregated signature $\sigma_{AS}$ from G, it uses the devices’ and the gateway’s public keys to verify the signature and, thus, the integrity of the messages.
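The algorithms above are listed without their equations on this page (Sections 4.1–4.4 are not reproduced), so the following Python program is an added illustration and not the authors' scheme. It walks the generic CL-AS flow of Section 2.4 and the gateway-arbitrated variant sketched here using the common Schnorr-style, pairing-free certificateless construction (partial key $D=(R,z)$ with $z = r + H_1(ID,R,pu)\cdot msk$, full private key $PR = sv + z$, signature $\sigma=(\tau,T)$), and it also runs the adversary $A_I$ public key replacement attack from Section 3 to show why binding the identifier and the device's own public key into $H_1$ matters (the "identifier binding" column of Table 1). All equations, the batch-transcript hash used for the gateway's arbitrated signature, the function names and the sample identifiers and messages are assumptions of this example; secp256k1 is used only as a concrete prime-order group, with the curve arithmetic written out so the code runs offline on the standard library alone.

```python
import hashlib
import secrets

# secp256k1 domain parameters: prime field P_MOD, generator G of prime order Q
P_MOD = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, A):  # double-and-add scalar multiplication (toy: not constant-time)
    R, k = None, k % Q
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def H(*parts):  # length-prefixed SHA-256 over strings/points, mapped into Z_q^*
    h = hashlib.sha256()
    for p in parts:
        b = p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big") if isinstance(p, tuple) else str(p).encode()
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1

def keypair():  # fresh scalar and its point: msk/P_pub (KGC), sv/pu (device), r/R, t/T
    k = secrets.randbelow(Q - 1) + 1
    return k, ec_mul(k, G)

def h1(ID, R, pu, bind_pu=True):  # bind_pu=False models a scheme that leaves pu out of H1
    return H("H1", ID, R, pu) if bind_pu else H("H1", ID, R)

def partial_key_extract(msk, ID, pu, bind_pu=True):  # KGC: D = (R, z) with z = r + h1 * msk
    r, R = keypair()
    return R, (r + h1(ID, R, pu, bind_pu) * msk) % Q

def set_full_key(sv, pu, D):  # PR = sv + z, PU = (pu, R); note PR*P == pu + R + h1*P_pub
    return (sv + D[1]) % Q, (pu, D[0])

def cl_sign(m, ID, PR, PU):  # Schnorr-style sigma = (tau, T) with tau = t + h2 * PR
    t, T = keypair()
    return (t + H("H2", ID, m, T, PU[0]) * PR) % Q, T

def rhs_term(m, ID, PU, T, P_pub, bind_pu=True):  # T + h2 * (pu + R + h1 * P_pub)
    pu, R = PU
    X = ec_add(ec_add(pu, R), ec_mul(h1(ID, R, pu, bind_pu), P_pub))
    return ec_add(T, ec_mul(H("H2", ID, m, T, pu), X))

def cl_verify(m, sigma, ID, PU, P_pub, bind_pu=True):
    return ec_mul(sigma[0], G) == rhs_term(m, ID, PU, sigma[1], P_pub, bind_pu)

def cl_aa_sign(msgs, sigmas, ids, PUs, P_pub, ID_G, PR_G, PU_G):
    # Gateway: verify every device signature, sum the tau values, then add its own arbitrated
    # signature over the batch transcript (assumed here) so the aggregate is attributable to G
    if not all(cl_verify(m, s, ID, PU, P_pub) for m, s, ID, PU in zip(msgs, sigmas, ids, PUs)):
        raise ValueError("invalid device signature; refusing to aggregate")
    Ts = [T for _, T in sigmas]
    tau_G, T_G = cl_sign(H("AGG", *ids, *msgs, *Ts), ID_G, PR_G, PU_G)
    return (sum(tau for tau, _ in sigmas) + tau_G) % Q, Ts, T_G

def cl_aa_verify(msgs, agg, ids, PUs, ID_G, PU_G, P_pub):
    tau_as, Ts, T_G = agg
    rhs = rhs_term(H("AGG", *ids, *msgs, *Ts), ID_G, PU_G, T_G, P_pub)
    for m, ID, PU, T in zip(msgs, ids, PUs, Ts):
        rhs = ec_add(rhs, rhs_term(m, ID, PU, T, P_pub))
    return ec_mul(tau_as, G) == rhs

def pk_replacement_attack(ID, PU, P_pub, m, bind_pu):
    # A_I: knowing no z, pick a scalar a and craft pu' = a*P - (R + h1*P_pub) so the verifier's
    # effective point collapses to a*P; this only works when h1 does not depend on pu
    pu, R = PU
    a, aP = keypair()
    pu_fake = ec_add(aP, ec_mul(Q - 1, ec_add(R, ec_mul(h1(ID, R, pu, bind_pu), P_pub))))
    PU_fake = (pu_fake, R)
    return cl_verify(m, cl_sign(m, ID, a, PU_fake), ID, PU_fake, P_pub, bind_pu)

def demo(n=3):
    msk, P_pub = keypair()
    ids, msgs = [f"dev-{i}" for i in range(n)], [f"reading {i}" for i in range(n)]  # constructed
    keys = {}
    for ID in ids + ["gw"]:
        sv, pu = keypair()
        keys[ID] = set_full_key(sv, pu, partial_key_extract(msk, ID, pu))
    PUs = [keys[ID][1] for ID in ids]
    sigmas = [cl_sign(m, ID, *keys[ID]) for m, ID in zip(msgs, ids)]
    agg = cl_aa_sign(msgs, sigmas, ids, PUs, P_pub, "gw", *keys["gw"])
    return {
        "aggregate_ok": cl_aa_verify(msgs, agg, ids, PUs, "gw", keys["gw"][1], P_pub),
        "tamper_rejected": not cl_aa_verify(["x"] + msgs[1:], agg, ids, PUs, "gw", keys["gw"][1], P_pub),
        "forge_without_pu_binding": pk_replacement_attack(ids[0], PUs[0], P_pub, "forged", False),
        "forge_with_pu_binding": pk_replacement_attack(ids[0], PUs[0], P_pub, "forged", True),
    }
```

`demo()` returns a dictionary: the aggregate verifies, a modified message is rejected, and the replacement attack succeeds when $H_1$ omits `pu` but fails when `pu` is bound in, because the forger must fix `pu'` before the verifier recomputes $H_1$ over it. The gateway refuses to aggregate anything it cannot verify, matching the CL-verify step above. This is a teaching implementation only: the scalar multiplication is not constant-time and no secret is ever erased.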

#### 4.1. Setup Phase

#### 4.2. Individual Signing and Verifying Phase

#### 4.3. Aggregated Arbitrated Signing Phase

#### 4.4. Aggregated Verifying Phase

## 5. Security Analysis

#### 5.1. Integrity

#### 5.2. Prevention of Key Leakage

#### 5.3. Unforgeability

#### 5.3.1. Unforgeability from Adversary ${\mathrm{A}}_{\mathrm{I}}$

#### 5.3.2. Unforgeability from Adversary ${\mathrm{A}}_{\mathrm{II}}$

## 6. Efficiency Analysis

## 7. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

1. Li, S.; Da Xu, L.; Zhao, S. 5G Internet of Things: A survey. J. Ind. Inf. Integr. 2018, 10, 1–9.
2. Yassein, M.B.; Aljawarneh, S.; Al-Sadi, A. Challenges and features of IoT communications in 5G networks. In Proceedings of the 2017 International Conference on Electrical and Computing Technologies and Applications (ICECTA), Ras Al Khaimah, UAE, 21–23 November 2017.
3. Griffiths, F.; Ooi, M. The fourth industrial revolution-Industry 4.0 and IoT [Trends in Future I&M]. IEEE Instrum. Meas. Mag. 2018, 21, 29–43.
4. Sadeghi, A.-R.; Wachsmann, C.; Waidner, M. Security and privacy challenges in industrial internet of things. In Proceedings of the 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC), San Francisco, CA, USA, 8–12 June 2015.
5. Khajenasiri, I.; Estebsari, A.; Verhelst, M.; Gielen, G. A review on Internet of Things solutions for intelligent energy control in buildings for smart city applications. Energy Procedia 2017, 111, 770–779.
6. Khatoun, R.; Zeadally, S. Cybersecurity and Privacy Solutions in Smart Cities. IEEE Commun. Mag. 2017, 55, 51–59.
7. Mahmoud, R.; Yousuf, T.; Aloul, F.; Zualkernan, I. Internet of things (IoT) security: Current status, challenges and prospective measures. In Proceedings of the 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), London, UK, 14–16 December 2015.
8. Zhang, Z.K.; Cho, M.C.Y.; Wang, C.W.; Hsu, C.W.; Chen, C.K.; Shieh, S. IoT security: Ongoing challenges and research opportunities. In Proceedings of the 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications, Matsue, Japan, 17–19 November 2014.
9. Diffie, W.; Hellman, M. New directions in cryptography. IEEE Trans. Inf. Theory 1976, 22, 644–654.
10. Goldwasser, S.; Micali, S.; Rivest, R.L. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput. 1988, 17, 281–308.
11. Schnorr, C.P. Efficient identification and signatures for smart cards. In Proceedings of the Conference on the Theory and Application of Cryptology, Daejeon, Korea, 6–10 December 1989.
12. Chaum, D. Blind signature system. In Proceedings of the Advances in Cryptology, Paris, France, 9–11 April 1984.
13. Chen, L.; Pedersen, T.P. New group signature schemes. In Workshop on the Theory and Application of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1994.
14. Ateniese, G.; Camenisch, J.; Joye, M.; Tsudik, G. A Practical and Provably Secure Coalition-Resistant Group Signature Scheme. In Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 2000.
15. Harn, L. Group-oriented (t, n) threshold digital signature scheme and digital multisignature. IEE Proc. Comput. Digit. Tech. 1994, 141, 307–313.
16. Perrig, A. The BiBa One-Time Signature and Broadcast Authentication Protocol. Available online: https://dl.acm.org/doi/abs/10.1145/501983.501988 (accessed on 2 May 2020).
17. Boneh, D.; Gentry, C.; Lynn, B.; Shacham, H. Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. Available online: https://link.springer.com/chapter/10.1007/3-540-39200-9_26 (accessed on 2 May 2020).
18. Zhang, L.; Zhang, F. A new certificateless aggregate signature scheme. Comput. Commun. 2009, 32, 1079–1085.
19. Shamir, A. Identity-Based Cryptosystems and Signature Schemes. Available online: https://link.springer.com/chapter/10.1007/3-540-39568-7_5 (accessed on 2 May 2020).
20. Oh, J.; Lee, K.; Moon, S. How to Solve Key Escrow and Identity Revocation in Identity-Based Encryption Schemes. Available online: https://link.springer.com/chapter/10.1007/11593980_22 (accessed on 3 May 2020).
21. Yuen, T.H.; Susilo, W.; Mu, Y. How to construct identity-based signatures without the key escrow problem. Int. J. Inf. Secur. 2010, 9, 297–311.
22. Al-Riyami, S.S.; Paterson, K.G. Certificateless Public Key Cryptography. Available online: https://link.springer.com/chapter/10.1007/978-3-540-40061-5_29 (accessed on 4 May 2020).
23. He, D.; Chen, J.; Hu, J. A pairing-free certificateless authenticated key agreement protocol. Int. J. Commun. Syst. 2012, 25, 221–230.
24. Mandt, T.K.; Tan, C.H. Certificateless Authenticated Two-Party Key Agreement Protocols. Available online: https://link.springer.com/chapter/10.1007/978-3-540-77505-8_4 (accessed on 5 May 2020).
25. Yum, D.H.; Lee, P.J. Generic Construction of Certificateless Signature. Available online: https://link.springer.com/chapter/10.1007/978-3-540-27800-9_18 (accessed on 6 May 2020).
26. Huang, X.; Mu, Y.; Susilo, W.; Wong, D.S.; Wu, W. Certificateless Signature Revisited. Available online: https://link.springer.com/chapter/10.1007/978-3-540-73458-1_23 (accessed on 6 May 2020).
27. Dent, A.W. A survey of certificateless encryption schemes and security models. Int. J. Inf. Secur. 2008, 7, 349–377.
28. Libert, B.; Quisquater, J.J. On Constructing Certificateless Cryptosystems from Identity Based Encryption. Available online: https://link.springer.com/chapter/10.1007/11745853_31 (accessed on 6 May 2020).
29. Qu, Y.; Mu, Q. An efficient certificateless aggregate signature without pairing. Int. J. Electron. Secur. Digit. Forensics 2018, 10, 188–203.
30. Deng, L.; Yang, Y.; Chen, Y.; Wang, X. Aggregate signature without pairing from certificateless cryptography. J. Internet Technol. 2018, 19, 1479–1486.
31. Cui, J.; Zhang, J.; Zhong, H.; Shi, R.; Xu, Y. An efficient certificateless aggregate signature without pairings for vehicular ad hoc networks. Inf. Sci. 2018, 451, 1–15.
32. Du, H.; Wen, Q.; Zhang, S. An Efficient Certificateless Aggregate Signature Scheme Without Pairings for Healthcare Wireless Sensor Network. IEEE Access 2019, 7, 42683–42693.
33. Gayathri, N.B.; Thumbur, G.; Rajesh Kumar, P.; Rahman, M.Z.U.; Reddy, P.V.; Lay-Ekuakille, A. Efficient and Secure Pairing-Free Certificateless Aggregate Signature Scheme for Healthcare Wireless Medical Sensor Networks. IEEE Internet Things J. 2019, 6, 9064–9075.
34. Zhao, Y.; Hou, Y.; Wang, L.; Kumari, S.; Khan, M.K.; Xiong, H. An efficient certificateless aggregate signature scheme for the Internet of Vehicles. Trans. Emerg. Telecommun. Technol. 2020, 31, e3708.
35. Seo, S.-H.; Won, J.; Bertino, E. pCLSC-TKEM: A Pairing-free Certificateless Signcryption-tag Key Encapsulation Mechanism for a Privacy-Preserving IoT. Trans. Data Priv. 2016, 9, 101–130.
36. Yang, Q.; Zhou, Y.; Yu, Y. Leakage-Resilient Certificateless Signcryption Scheme. In Proceedings of the 2019 IEEE Globecom Workshops (GC Wkshps), Waikoloa, HI, USA, 9–13 December 2019.
37. Du, H.; Wen, Q.; Zhang, S. A Provably-Secure Outsourced Revocable Certificateless Signature Scheme Without Bilinear Pairings. IEEE Access 2018, 6, 73846–73855.
38. Xiong, H.; Mei, Q.; Zhao, Y. Efficient and Provably Secure Certificateless Parallel Key-Insulated Signature Without Pairing for IIoT Environments. IEEE Syst. J. 2020, 14, 310–320.

**Figure 2.** Structure of the general certificateless aggregate signature process. KGC: key generation center.

**Figure 4.** The relationship between the phases and algorithms of the proposed scheme. CL: certificateless, AA: aggregate arbitrated.

**Table 1.** Security analysis of various certificateless aggregate signature schemes, including the proposed one (O: secure against the attack; X: vulnerable; the reason is given in each cell).

| Attack | Qu et al. [29] | Deng et al. [30] | Cui et al. [31] | Du et al. [32] | Gayathri et al. [33] | Zhao et al. [34] | Proposed scheme |
|---|---|---|---|---|---|---|---|
| Key leakage attack | O: cannot derive key | X: key derivable from public parameters | O: cannot derive key | X: key derivable from public parameters | O: cannot derive key | O: cannot derive key | O: cannot derive key |
| Forgery with public key replacement ($A_I$) | X: no identifier binding to public key | X: no identifier binding to signature | X: no identifier binding to public key | O: binds identifier to public key | X: no identifier binding to public key | X: no identifier binding to public key | O: binds identifier to public key |
| Forgery with KGC master key ($A_{II}$) | X: can forge via public key replacement | O: uses two types of signature | X: can forge via public key replacement | X: can forge via key leakage | O: uses two types of signature | O: sends signature verification tag directly | O: uses gateway-arbitrated signature |

| Notation | Description | Run time (ms) |
|---|---|---|
| $T_{EM}$ | Execution time of a scalar multiplication in ECC | 0.4420 |
| $T_{EA}$ | Execution time of a point addition in ECC | 0.0018 |
| $T_{h}$ | Execution time of a hash operation | 0.0082 |
| $T_{E}$ | Execution time of an exponentiation operation | 5.3100 |

| Operation | Qu et al. [29] | Deng et al. [30] | Cui et al. [31] | Du et al. [32] | Gayathri et al. [33] | Zhao et al. [34] | Proposed scheme |
|---|---|---|---|---|---|---|---|
| Form of signature | $\sigma_{i}=(U_{i},s_{i})$ | $\sigma_{i}=(T_{i},B_{i},r_{i},R_{i})$ | $\sigma_{i}=(R_{i},S_{i})$ | $\sigma_{i}=(S_{i},v_{i})$ | $\sigma_{i}=(Y_{1i},u_{i},w_{i})$ | $\sigma_{i}=(R_{i},\varphi_{i})$ | $\sigma_{i}=(\tau_{i},T_{i})$ |
| Signing | $1H+2EA+2EM$ | $1H+2E+1EA+3EM$ | $1H+1EA+2EM$ | $2H+2EA+3EM$ | $3H+3EA+5EM$ | $2H+2EA+2EM$ | $1H+2EA+2EM$ |
| Verifying | $2EA+3EM$ | $1E+1EA+4EM$ | $2H+2EA+3EM$ | $3H+3EA+3EM$ | $2H+3EA+5EM$ | $2H+3EA+4EM$ | $1H+2EA+2EM$ |
| Aggregating | $nEA$ | $2nEA$ | $nEA$ | $nEA$ | $3n(EA+EM)$ | $nEA$ | $1H+(2n+3)EA+2EM$ |
| Aggregated verifying | $n(1H+4EA+2EM)+1EA+1EM$ | $n(1H+2EA+2EM+1E)+1EM$ | $n(2H+2EA+1EM)+2EA+2EM$ | $n(3H+4EA+3EM)+2EA+1EM$ | $n(1H+1EA+2EM)+2EA+1EM$ | $n(2H+4EA+4EM)+3EA+2EM$ | $n(1H+2EA+1EM)+1H+3EA+1EM$ |
| Total operations | $(n+1)H+(5n+4)EA+(2n+6)EM$ | $(n+1)H+(n+2)E+(4n+2)EA+(2n+8)EM$ | $(2n+3)H+(3n+5)EA+(n+7)EM$ | $(3n+5)H+(5n+7)EA+(3n+7)EM$ | $(n+5)H+(4n+8)EA+(5n+11)EM$ | $(2n+4)H+(5n+8)EA+(4n+8)EM$ | $(n+3)H+(4n+10)EA+(n+7)EM$ |
| Total operation time (ms, $n=100$) | 92.7874 | 635.1078 | 49.5076 | 139.1076 | 227.4574 | 182.9232 | 48.8766 |

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Lee, D.-H.; Yim, K.; Lee, I.-Y.
A Certificateless Aggregate Arbitrated Signature Scheme for IoT Environments. *Sensors* **2020**, *20*, 3983.
https://doi.org/10.3390/s20143983
