Reusable Mesh Signature Scheme for Protecting Identity Privacy of IoT Devices

Abstract

The development of the Internet of Things (IoT) plays a very important role for processing data at the edge of a network. Therefore, it is very important to protect the privacy of IoT devices when these devices process and transfer data. A mesh signature (MS) is a useful cryptographic tool, which makes a signer sign any message anonymously. As a result, the signer can hide his specific identity information to the mesh signature, namely his identifying information (such as personal public key) may be hidden to a list of tuples that consist of public key and message. Therefore, we propose an improved mesh signature scheme for IoT devices in this paper. The IoT devices seen as the signers may sign their publishing data through our proposed mesh signature scheme, and their specific identities can be hidden to a list of possible signers. Additionally, mesh signature consists of some atomic signatures, where the atomic signatures can be reusable. Therefore, for a large amount of data published by the IoT devices, the atomic signatures on the same data can be reusable so as to decrease the number of signatures generated by the IoT devices in our proposed scheme. Compared with the original mesh signature scheme, the proposed scheme has less computational costs on generating final mesh signature and signature verification. Since atomic signatures are reusable, the proposed scheme has more advantages on generating final mesh signature by reconstructing atomic signatures. Furthermore, according to our experiment, when the proposed scheme generates a mesh signature on 10 MB message, the memory consumption is only about 200 KB. Therefore, it is feasible that the proposed scheme is used to protect the identity privacy of IoT devices.

1. Introduction

1.1. Background

The Internet of Things (IoT) is an important environment for processing data at the edge of a network [1], where a huge amount of data is generated in IoT. Thus, we are always surrounded by IoT data in our homes, cars and offices. IoT devices are responsible for acquiring, storing and transferring data, as shown in Figure 1. By collecting, processing and analyzing the data through IoT devices, consumers and organizations can gain valuable insights, the data can further help them make better decisions for the future. However, since data usually comes from multiple IoT devices on different formats, after sensors acquire data from IoT devices, such as smart appliances, smart TVs, and wearable health devices, data must be preprocessed. In IoT, data may be transmitted, saved and retrieved at any time. For example, we build a system to collect location data of any things, such as a things track system. In the system, location data enables you to track your packages, pallets and devices in real time, rather than directing you to specific destinations. Therefore, as IoT devices keep “connected” and communicate with each other by introducing various new ways, IoT enables us to automatically complete certain tasks through some platforms, further making our life easier. Currently many IoT devices are located on the edge of a network and lack of protection measures to resist various attacks. Therefore, these devices are more vulnerable to some attacks, such as device theft, device manipulation, identity theft, data eavesdropping and so on. Once an IoT system is invaded, it may have a serious impact on the security of personal life or enterprise. For example, attackers may track a person by attacking his/her mobile phone; further, when a physical defense system based on IoT devices was successfully attacked in a building, it leads to that the attackers can more easily access some confidential areas in the building. Obviously the current vulnerabilities of IoT system can make attackers easier to implement these attacks. Therefore, when IoT devices process their data, their privacy is easily disclosed. It is very important to protect the privacy of IoT devices when these devices process and transfer data. Thus, the privacy of IoT devices needs to be focused. The privacy protection of IoT devices refers to the privacy protection measures to prevent the unnecessary disclosure of personal information. For the privacy protection technology of IoT devices, many scholars have done a lot of research. The current privacy protection technology mainly focuses on data publishing, data mining, wireless sensor network and other fields. In data publishing field, it is mainly divided into data distortion-based technology, data encryption-based technology and restricted publishing technology, among which the restricted publishing technology is mainly realized by data anonymity. For example, when IoT devices sign and publish their data, and the data anonymity technology may prevent disclosure of their identities. Additionally, IoT devices also need to publish a large amount of data, thus it is also very important for IoT devices to decrease the number of signatures generated by them in the same data. A mesh signature (MS) [2] allows a user to hide his specific identity information in a list of tuples that consist of public key and message when the user signs any message. Thus, mesh signature can only tell us that one of potential signers signed the message. Furthermore, a mesh signature consists of some atomic signatures, where the atomic signatures may be reused. Therefore, a mesh signature is a good choice for protecting the identities of IoT devices when these devices issue their data. For example, in some IoT devices that belong to one network group sign and publish their data through mesh signatures, no one can know the specific identities of the publishing IoT devices, and further the old mesh signatures are easily modified and reconstructed by partly generating some new atomic signatures so as to decrease the number of signatures.

A mesh signature is the extension of a ring signature [3]. Compared with ring signature, mesh signature can modularize the construction of signature, namely a user first must sign or collect enough atomic signatures which are seen as the basic elements of mesh signature, then the user may construct an access structure to mesh the atomic signatures and generate the final mesh signature. Boyen first proposed the notion of mesh signature in the Cryptology-EUROCRYPT, 2007, and a revised version [4] in the Journal of Cryptology, 2015. In the notion of mesh signatures, access structure is used to construct different combinations of atomic signatures; and mesh signature does not disclose that which atomic signature was used, thus atomic signatures can be reusable when a new mesh signature needs to be generated. Compared with a ring signature, a mesh signature has the modularity, which may provide much richer predicate expression of language. In [2,4], according to the context of mesh signature, the mesh signature may use a tree as the access structure to represent the relationship of atomic signatures. In the tree, its interior nodes denote the logic relationships, such as “And”, “Or”, and “Threshold gates”, and its leaf nodes denote the specific atomic signatures. Thus, the construction of mesh signature is similar to another anonymous signature, attribute-based signature (ABS) [5]. Compared with other kind of anonymous signatures (ring signature, attribute-based signature and group signature [6]), the mesh signature consists of some atomic signatures, where the atomic signatures can be reusable. Thus, the merit is very suitable for IoT devices. As IoT devices can generate a large amount of data every day, if each IoT device both needs to sign and then publish its data, then the signing cost is very heavy for itself, which needs to consume a lot of energy. However, for many IoT devices, some publishing data are the same. Thus, if each IoT device may reuse some “old” signatures by itself on the same data, then it will save the signing cost so as to decrease the number of signatures generated by IoT devices. Therefore, for a large amount of data published by the IoT devices, mesh signature is suitably used for publishing the same data.

We have the following example to show that how the structure of mesh signature is used to protect the identities of IoT devices. For example, IoT device 1, IoT device 2 and IoT device 3 belong to a online group at the edge of the network, where the public verification key of IoT device 1 is $V{K}_{d1}$, the public verification key of IoT device 2 is $V{K}_{d2}$ and the public verification key of IoT device 3 is $V{K}_{d3}$. These devices both need to send their data to the IoT data collector, as shown in Figure 2. When the IoT device 1 issues a tuple of messages {$Msg1$, $Msg2$, $Msg3$} to the IoT data collector, it does not want to disclose that these messages are only published by itself. Therefore, this device may create such mesh signature, ${\sigma }_1=\underset{atomicsignature-1}{\underbrace{[V{K}_{d1}:Msg1]}}And\underset{atomicsignature-2}{\underbrace{[V{K}_{d2}:Msg2]}}And\underset{atomicsignature-3}{\underbrace{[V{K}_{d3}:Msg3]}}$.

Then this device issues these messages by the names of three devices, thus its specific identity can be hidden into these names. Additionally, another feature of mesh signature is that it is modularized and its atomic signatures can be reusable, which is suitable for the same data published by the IoT devices. For example, IoT device 1 may flexibly create a new mesh signature on other messages {$Msg4$,$Msg2$,$Msg5$},

$${\sigma }_2=\underset{atomicsignature-4}{\underbrace{[V{K}_{d1}:Msg4]}}And\underset{atomicsignature-2}{\underbrace{[V{K}_{d2}:Msg2]}}And\underset{atomicsignature-5}{\underbrace{[V{K}_{d3}:Msg5]}},$$

where the $atomicsignature-2$ that binds to IoT device 2 is reused. As mesh signature has perfect anonymity, it does not disclose any fact that how the two signatures ${\sigma }_1$ and ${\sigma }_2$ are made up as long as the signatures ${\sigma }_1$ and ${\sigma }_2$ are valid.

However, although mesh signatures may be used in many security fields [3,7,8,9,10,11,12,13,14,15,16,17,18,19,20], few researchers focused on the improvement of mesh signatures because of their complexity. Currently the generation of mesh signatures consists of two main steps: (1) generating some atomic signatures; (2) generating a final mesh signature based on previous atomic signatures. Because atomic signatures can be reused, randomization technology is employed so that any adversary cannot know which atomic signatures were reused. Compared with other similar anonymous signature schemes, the generation of mesh signatures is relatively complicated in the existing schemes. In this paper, we focus on improving mesh signatures, where we construct a novel mesh signature scheme for IoT devices.

1.2. Our Contributions

In this paper, we present an improved mesh signature for protecting the identities of IoT devices. Also, we give a syntax of mesh signature in IoT. In this paper, our detailed contributions are as follows:

• We present a syntax for mesh signature in IoT. Compared with the works of [2,4], we further clearly describe the frame of mesh signature in IoT. Under the proposed syntax, we present a fully anonymous mesh signature scheme for IoT devices, where the IoT devices may be seen as the signers to sign their data and their specific identities can be hidden. Additionally, the atomic signatures on the same data can be reusable so as to decrease the number of signatures generated by IoT devices.
• In our proposed scheme, we have limitedly defined the access structure of language expression by monotone-span programs, thus the proposed mesh signature can resist the collusion attacks and its access structure still support generalized monotone predicates. Also, under the security frame proposed by [2,4], our proposed scheme is secure in the standard model, where the security of our scheme can be reduced to the CDH assumption. Also, the proposed scheme has the anonymity with enough security to protecting the identities of IoT devices.
• Compared with the original mesh signature scheme [2], the proposed scheme preserves the original modularity. Although generating atomic signatures in the proposed scheme needs more computational cost, the proposed scheme has less computational costs on generating final mesh signature and signature verification. Since atomic signatures are reusable, the proposed scheme has more advantages on generating final mesh signature by reconstructing atomic signatures. According to our experiment, it is feasible that the proposed scheme is used to protect the identity privacy of IoT devices.

1.3. Organization

The rest of this paper is organized as follows. In Section 2, we discuss the related works about the privacy protection of IoT devices. In Section 3, we review the complexity assumptions and the related technologies on which we build. In Section 4, we show a syntax for MS in IoT. In Section 5, we propose an improved mesh signature scheme for protecting the identities of IoT devices. In Section 6, we analyze the efficiency and security of the proposed scheme. Finally, we draw our conclusions in Section 7.

2. Related Work

Currently, many signature schemes have been used to protect the privacy (identities) of IoT devices. Li [21] proposed an attribute-based signature to receive WiFi beacons and use Doppler Effect and multipath signal to produce signatures. In their scheme, because these generated signatures do not need sensor attachments, the related identities are still anonymous. Karati [1] proposed a secure certificateless signature scheme to protect industrial-IoT Environments. The proposed signature scheme is proved to be secure under bilinear strong Diffie–Hellman (BSDH) assumptions, which can resist the Type-I and Type-II attacks. Furthermore, they analyzed the performance of their scheme, which is superior to other similar schemes. Sun [22] proposed a decentralized multi-authority attribute-based signature scheme for IoT devices. Compared with other similar signature schemes, their proposed scheme has more perfect privacy and can resist authority corruption. Furthermore, their scheme employs an extra cloud server to sign messages so as to decrease the signing cost. Xie [23] proposed a novel group signature based on lattice for anonymous authentication in IoT. In their scheme, a user may dynamically join a network group, and their proposed scheme easily revoke a group membership when the user quits the group. Also, their scheme can effectively resist the frameability attack, where other users cannot forge any user’s signature. Furthermore, their scheme is proved to be secure under lattice problem. Mughal [24] proposed a lightweight shortened signature scheme to secure the communication between devices in human centered IoT. In their scheme, the signing and verification procedures need less costs. Also, for different document protection requirements, their scheme provides the parameter selection function to make signature/verification. Their scheme is enough secure to resist traffic analysis attacks. Additionally, compared with other similar signature schemes, their scheme provides an experimental environment to test that whether their scheme can secure the communication procedure between cell phones (or smart devices). The obtained results show their scheme is effective. Cui [25] also proposed an attribute-based signature to protect industrial-IoT Environments under constrained resources. Their scheme employs a server to decrease the signing and verification cost, where a signing procedure can be immediately ceased when a signer is revoked. Li [26] proposed an effective ring signcryption scheme to protect the data transmission procedure from sensors to servers in IoT under public key infrastructure. They proved that their scheme is indistinguishable under adaptive chosen ciphertext attacks and unforgeable under adaptive chosen message attacks, whose security can be reduced to the computational Diffie–Hellman (CDH) assumption.

Additionally, many new anonymous signature schemes were also proposed, where the group signature [27,28,29,30,31], ring signature [32,33,34] and attribute-based signature [35,36,37] all belong to anonymous signatures. Libert et al. [28] proposed an effective group signature. Their proposed scheme has linear size public keys, linear size revocation list and constant signature size. Furthermore, the verification time is constant. We [31] proposed a traceable identity-based group signature, which employs verifier-local revocation to revoke users. Under the proposed security frame, the security of our scheme can be reduced to the CDH assumption. Yuen et al. [32] proposed a linkable ring signature, which is based on the logic operations, such as “and”, “or” and “threshold”. In their scheme, a sub-linear size $O(d·\sqrt{n})$ signature can be generated, where d is a threshold and n is the number of potential signers in a ring. Liu et al. [33] also proposed a perfect anonymous linkable ring signature scheme, where the generated signature size is still linear with the number of possible signers in a ring. Au et al. [34] proposed a novel identity-based linkable ring signature scheme, which is revocable-iff-linked. Kaafarani et al. [35] proposed some traceable attribute-based signatures, which are decentralized. Their schemes provide anonymity under adaptive chosen-ciphertext attack. We [37] proposed an attribute-based signature, which supports monotone predicates. Compared with other similar schemes, our scheme is efficient by decreasing the signing and verification cost. Boyen first proposed the original mesh signature in [2], which may be seen as the extension of ring signature. Compared with other kind of anonymous signatures, the most advantage of mesh signature is that it can modularize the construction of signature and provide much richer predicate expression of language. In 2015, Boyen proposed a revised version in [4]. He considered that the construction of mesh signature is more flexible than that of ring signature, thus they proposed the notion of mesh signature, in which the access structure is used to construct different combinations of atomic signatures; and mesh signature does not disclose that which atomic signature was used, thus atomic signatures can be reusable when a new mesh signature needs to be generated. However, as the modularity of mesh signature is open to the construction of access structure of language expression, original mesh signature [2,4] has a security weakness that this scheme cannot satisfy the strict unforgeability because multiple illegal signers may collusively pool their obtained atomic signatures together and then generate final mesh signature which none of them could produce.

3. Preliminaries

3.1. Bilinear Maps

Let ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ be groups of prime order q and g be a generator of ${\mathbb{G}}_1$. We say ${\mathbb{G}}_2$ has an admissible bilinear map, $e:{{\mathbb{G}}_1\times {\mathbb{G}}_1\to \mathbb{G}}_2$ if the following two conditions hold. The map is bilinear; for all a, b, we have $e\left(g^a,g^b\right)=e{\left(g,g\right)}^{a·b}$. The map is non-degenerate; we must have that $e\left(g,g\right)\ne 1$.

3.2. Computational Diffie–Hellman Assumption

Definition 1 (Computational Diffie–Hellman (CDH) Problem).

Let ${\mathbb{G}}_1$ be a group of prime order q and g be a generator of ${\mathbb{G}}_1$; for all $(g,g^a,g^b)\in {\mathbb{G}}_1$, with $a,b\in {\mathbb{Z}}_q$, the CDH problem is to compute $g^{a·b}$.

Definition 2.

The $(\hslash ,\epsilon )$-CDH assumption holds if no ℏ-time algorithm can solve the CDH problem with probability at least ε.

3.3. Monotone-Span Programs

Let $\mathsf{{\rm Y}}:{\{0,1\}}^n\to \{0,1\}$ be a monotone boolean function. A monotone span program [5] for $\mathsf{{\rm Y}}$ over a field $\mathbb{F}$ is an $l\times t$ matrix $\mathsf{\Lambda }$ with entries in $\mathbb{F}$, along with a labeling function $\varpi :\left[l\right]\to \left[n\right]$ that associates each row of $\mathsf{\Lambda }$ with an input variable of $\mathsf{{\rm Y}}$, that, for every ($x_1$, $x_2$……$x_n$)$\in {\{0,1\}}^n$, satisfies the following:

$$\mathsf{{\rm Y}}\left(x_1,\dots \dots x_n\right)=1\iff \exists \overrightarrow{\eta }\in {\mathbb{F}}^{1\times l}:\overrightarrow{\eta }·\mathsf{\Lambda }=\left\{1,0,0\dots \dots 0\right\} and \left(\forall i:x_{\varpi \left(i\right)}=0\Rightarrow {\eta }_i=0\right);$$

in other words, $\mathsf{{\rm Y}}$($x_1$, $x_2$……$x_n$)$=1$ if and only if the rows of $\mathsf{\Lambda }$ indexed by $\{i\mid x_{\varpi \left(i\right)}=1\}$ span the vector $[1,0,0\dots \dots 0]$, where we call l the length and t the width of the span program, and $l+t$ the size of the span program.

4. A Syntax for MS in IoT

In this section, we present a syntax for mesh signature in IoT, where each IoT device is seen as a signer, they need to issue their data to the IoT data collector. Intuitively, a mesh signature is the combination of some atomic signatures, which satisfies the condition that the monotone boolean expression $\mathsf{{\rm Y}}$ over access structure (or expression structure) is true. Therefore, in our proposed syntax we set that the monotone boolean expression $\mathsf{{\rm Y}}$ is associated with a list of tuples that consist of public key and message and its value is true if one IoT device possesses some corresponding atomic signatures on the verified messages under the public verification keys, as shown in Figure 3.

In Figure 3, when one IoT device belonging to a network group needs to issue its data set to the IoT data collector, the whole language expression $Expression$ is represented by the form $Expression::=\{La{g}_1\mathbf{OP}La{g}_2\dots \dots \mathbf{OP}La{g}_l\}$, where $La{g}_i$ is sub-expression belongs to the whole expression, $\mathbf{OP}$ denotes the operation on the sub-expressions, l is the number of involved IoT devices belonging to the same network group (or the number of atomic clauses in a mesh structure). The more detailed and generalized form is as follows:

$$Expression::=\{La{g}_1\mathbf{OP}La{g}_2\dots \dots \mathbf{OP}La{g}_l\}$$

$$=\mathbf{And}\{La{g}_1,La{g}_2\dots \dots La{g}_{m_1}\}$$

$$\left|\mathbf{Or}\right\{La{g}_1,La{g}_2\dots \dots La{g}_{m_2}\}$$

$$|{\mathbf{Threshold}}_{t,m_3}\{La{g}_1,La{g}_2\dots \dots La{g}_{m_3}\},$$

where we set $l=m_1+m_2+m_3$. Then we consider the monotone boolean expression $\mathsf{{\rm Y}}$ over access structure is true only if $\mathsf{{\rm Y}}(La{g}_1,La{g}_2\dots \dots La{g}_l)=1$. Thus, for the previous-mentioned example, ${\sigma }_1=\underset{atomicsignature-1}{\underbrace{[V{K}_{d1}:Msg1]}}And\underset{atomicsignature-2}{\underbrace{[V{K}_{d2}:Msg2]}}And\underset{atomicsignature-3}{\underbrace{[V{K}_{d3}:Msg3]}}$, the form of the atomic signature $[V{K}_i:Ms{g}_i]$ is set to $La{g}_i$, which means this “$Ms{g}_i$” is signed under $V{K}_i$.

Definition 3.

Improved Mesh signature in IoT: Let MS = (System-Setup, Generate-Key, Mesh-Sign, Mesh-Verify) be a mesh signature scheme in IoT. In MS, all detailed algorithms are as follows:

(1) 

System-Setup: The authority system runs the randomized algorithm, and inputs a security parameter $1^k$. In addition, the algorithm outputs all related public system parameters $MRK$ and a master system private key $msk$ on the parameter $1^k$.

(2) 

Generate-Key: The authority system runs the randomized algorithm, and inputs ($MRK$, $msk$), and then outputs the IoT device’s private/public key pair $(s{k}_i,p{k}_i)$ to the device i, where $i\in \{1,2\dots \dots ,n\}$ (we set that n is the number of the IoT devices).

(3) 

Mesh-Sign: The randomized algorithm generates a mesh signature. The IoT device i issues its message set (data) $\mathfrak{M}\in {\{0,1\}}^{*}$ and then signs the message set, thus the device i runs the algorithm: (a) the algorithm inputs ($MRK$, $s{k}_i$, $PK\_List$, $\mathfrak{M}$), and then outputs a monotone boolean expression Υ and the atomic signatures ${\sigma }_i$; (b) the algorithm inputs ($MRK$, $s{k}_i$, ${\sigma }_i$, Υ), and then outputs a mesh signature Φ, where $PK\_List$ is a list of all the public keys of the devices involved with this signing; (c) the algorithm run by the device i sends the message set $\mathfrak{M}$, the boolean expression Υ and the mesh signature Φ to the IoT data collector.

(4) 

Mesh-Verify: The IoT data collector verifies the standard mesh signature Φ on Υ and $\mathfrak{M}$. The IoT data collector runs the deterministic algorithm, and inputs ($MRK$, $PK\_List$, $\mathfrak{M}$, Υ, Φ), and then outputs the result, $accept$ or $reject$.

5. Improved Mesh Signature Scheme for IoT Devices

In the section, we propose an improved mesh signature scheme for protecting the identities of IoT devices. Currently the generation of mesh signatures consists of two main steps: (1) generating some atomic signatures; (2) generating a final mesh signature based on previous atomic signatures. Because atomic signatures can be reused, in our construction the randomization technology is also employed so that any adversary cannot know which atomic signatures were reused. Compared with the original mesh signature [2,4], we have limitedly defined the access structure of language expression by monotone-span programs, thus improved mesh signature can still support generalized monotone predicates over access structure. Let MS = (System-Setup, Generate-Key, Mesh-Sign, Mesh-Verify) be a mesh signature scheme in IoT. In MS, all detailed algorithms are described as follows (shown in Figure 4):

(1) 

MS.System-Setup: The system runs this setup algorithm, and inputs the parameter $1^k$ (used as the security level). Also, we set that ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ are the groups of prime order q, g is a generator of ${\mathbb{G}}_1$, and that $e:{{\mathbb{G}}_1\times {\mathbb{G}}_1\to \mathbb{G}}_2$ denotes the bilinear map. In addition, we set that $H:{\{0,1\}}^{*}\to {\mathbb{Z}}_{1^k·q}$ denotes one hash function and it can be used to output integers in ${\mathbb{Z}}_{1^k·q}$. Additionally, we assume that the monotone span programs related to claim-predicates have their width at most $t_{max}$ in our construction.

Then the following parameters are outputted in the system. The algorithm randomly chooses $a\in {\mathbb{Z}}_q$ and sets $g_1=g^a$. Five group elements y, f, $\vartheta$, $\psi$ and $\varpi \in {\mathbb{G}}_1$ are randomly picked. Also, the algorithm generates a $t_{max}$-length vector $\mathsf{\Psi }=\left(u_i\right)$, whose element $u_i$ is randomly picked from ${\mathbb{G}}_1$. Finally the algorithm outputs the public parameters $MPK$ = (${\mathbb{G}}_1$, ${\mathbb{G}}_2$, e, g, $g_1$, y, f, $\vartheta$, $\psi$, $\varpi$, $\mathsf{\Psi }$), where $msk=a$ is a master private key in the system.

(2) 

MS.Generate-Key: The system runs the algorithm and then generates IoT device’s private/public key pair. For the device i, the algorithm inputs ($MRK$, $msk$), and then it randomly picks $a_{i,0},a_{i,1}\in Z_q$, sets $s{k}_{i,0}=a_{i,0}$ and computes $s{k}_{i,1}=f^{msk}·y^{a_{i,1}}=f^a·y^{a_{i,1}}$, $p{k}_{i,0}=g^{a_{i,0}}$ and $p{k}_{i,1}=g^{a_{i,1}}$, where we set $s{k}_i$ = ($s{k}_{i,0}$, $s{k}_{i,1}$) as the private key of the device i and $p{k}_i$ = ($p{k}_{i,0}$, $p{k}_{i,1}$) as the public key of the device i.

(3) 

MS.Mesh-Sign: The IoT device i signs a message set $\mathfrak{M}\in {\{0,1\}}^{*}$, where the message set $\mathfrak{M}=$$\{ms{g}_1,ms{g}_2,\dots \dots ,ms{g}_l\}$. The device i runs the algorithm, and then inputs ($MRK$, $s{k}_i$, $PK\_List$, $\mathfrak{M}$) where $PK\_List$ is a list of the public keys of the IoT devices involved with this signing, and then the following steps are finished:

• atomic signature
  The algorithm randomly chooses $z_i\in {\mathbb{Z}}_q$ and a vector ($r_{i,k}$) with $r_{i,k}\in {\mathbb{Z}}_q$ and $k\in [1,2\dots \dots l]$, and then computes the atomic signatures as follows:

  -

  Compute $x_{i,0,k}=g^{\frac{s{k}_{i,0}}{l}}·{\varpi }^{r_{i,k}}$, $x_{i,1,k}=g^{r_{i,k}}$, with $k\in [1,2,\dots \dots ,l]$;

  -

  For the messages $ms{g}_1,ms{g}_2,\dots \dots ,ms{g}_l$, the algorithm computes $v_k=H(ms{g}_k\left|\right|p{k}_k)$ with $k\in [1,2\dots \dots ,l]$, where we assume the signing needs to involve l IoT devices, $p{k}_k$ is the public key of the k-th device with $p{k}_k\in PK\_List$;

  -

  For $V=(v_1,v_2,\dots \dots ,v_l)$, generate the claim-predicate $\mathsf{{\rm Y}}$ which satisfies $\mathsf{{\rm Y}}\left(V\right)=1$, and then transform the claim-predicate $\mathsf{{\rm Y}}$ to its corresponding monotone span program $\mathsf{\Lambda }\in {\left({\mathbb{Z}}_q\right)}^{l\times t_{max}}$;

  -

  Compute $s_{k,j}={\psi }^{r_{i,k}}·{\left(u_j\right)}^{v_k·r_{i,k}}$ with $k\in [1,2\dots \dots ,l]$ and $j\in [1,2\dots \dots ,t_{max}]$;

  -

  The algorithm outputs the atomic signatures ${\sigma }_i=\left\{\left(x_{i,0,k}\right),\left(x_{i,1,k}\right),\left(s_{k,j}\right)\right\}$, where $k\in [1,2\dots \dots ,l]$ and $j\in [1,2\dots \dots ,t_{max}]$.

  Remark. 

  As one of the atomic signatures, we can denote

  $${\sigma }_{i,k}=\left\{x_{i,0,k},x_{i,1,k},(s_{k,1},s_{k,2},\dots \dots ,s_{k,t_{max}})\right\},$$

  with $k\in [1,2\dots \dots ,l]$.

• mesh signature
  The algorithm randomly chooses $b,c,t,d_0,d_1,\dots \dots ,d_l\in {\mathbb{Z}}_q$, and then computes the mesh signature as follows:

  -

  Compute $X_0={\prod }_{k=1}^l\left(x_{i,0,k}\right)·{\vartheta }^{(d_0+b)·H\left(\mathfrak{M}\right)}·{\psi }^{d_0+b}·{\varpi }^{d_0}$, $X_1=g^{d_0+b}$, $X_2=g^{d_0}·{\prod }_{k=1}^l\left(x_{i,1,k}\right)=g^{d_0+{\sum }_{k=1}^l{r}_{i,k}}$, $X_3=p{k}_{i,1}·g^c$, $X_4=y^{a_{i,0}}·y^c$, $X_{5,k}=x_{i,1,k}·g^{d_0+t}=g^{r_{i,k}+d_0+t}$ with $k\in [1,2\dots \dots ,l]$;

  -

  Compute the vector $\overrightarrow{\eta }=\left({\eta }_k\right)$ related to the satisfying assignment $V=(v_1,v_2,\dots \dots ,v_l)$, where ${\eta }_k\in {\mathbb{Z}}_q$ with $k\in [1,2\dots \dots ,l]$;

  -

  Compute $I_k=g^{d_k}·{\left(X_1\right)}^{\frac{{\eta }_k}{v_k}}$ with $k\in [1,2\dots \dots ,l]$, $Q_j=s{k}_{i,1}·y^c·g^c·X_0·{\prod }_{k=1}^l{\psi }^{(d_0+t)·{\mathsf{\Lambda }}_{k,j}}·{\prod }_{k=1}^l[{\left(s_{k,j}\right)}^{{\mathsf{\Lambda }}_{k,j}}·{\left(u_j\right)}^{(d_0+t)·{\mathsf{\Lambda }}_{k,j}·v_k}·{\left(u_j\right)}^{d_k·{\mathsf{\Lambda }}_{k,j}·v_k}]$ with $j\in [1,2\dots \dots ,t_{max}]$;

  -

  The algorithm finally generates and outputs a mesh signature

  $\mathsf{\Phi }=\{X_1,X_2,X_3,X_4,\left(X_{5,1},\dots \dots ,X_{5,l}\right),\left(I_1,\dots \dots ,I_l\right),\left(Q_1,\dots \dots ,Q_{t_{max}}\right)\}.$ Then the algorithm sends the message set $\mathfrak{M}$, the boolean expression $\mathsf{{\rm Y}}$ and the mesh signature $\mathsf{\Phi }$ to the IoT data collector.

(4) 

MS.Mesh-Verify: The IoT data collector verifies the mesh signature $\mathsf{\Phi }$ on the monotone boolean expression $\mathsf{{\rm Y}}$ and the message set $\mathfrak{M}$. The algorithm run by the IoT data collector inputs ($MRK$, $PK\_List$, $\mathfrak{M}$, $\mathsf{{\rm Y}}$, $\mathsf{\Phi }$), and then the following steps are finished (the complete computation is shown in Appendix A.3):

• For the message set $\mathfrak{M}=$$\{ms{g}_1,ms{g}_2,\dots \dots ms{g}_l\}$, the algorithm computes $v_k=H(ms{g}_k\left|\right|p{k}_k)$ with $k\in [1,2\dots \dots ,l]$, where $p{k}_k$ is the public key of the k-th device with $p{k}_k\in PK\_List$.
• For $V=(v_1,v_2,\dots \dots ,v_l)$, the algorithm transforms the claim-predicate $\mathsf{{\rm Y}}$ to the monotone span program $\mathsf{\Lambda }\in {\left({\mathbb{Z}}_q\right)}^{l\times t_{max}}$, where $\mathsf{{\rm Y}}\left(V\right)=1$.
• The algorithm computes $e\left(f,g_1\right)·e\left(y,X_3\right)·e\left(g,X_4\right)·e\left({\vartheta }^{H\left(\mathfrak{M}\right)}·\psi ,X_1\right)·e\left(\varpi ,X_2\right)·{\prod }_{k=1}^{l}e({\psi }^{{\mathsf{\Lambda }}_{k,j}}·{u_j}^{v_k·{\mathsf{\Lambda }}_{k,j}},X_{5,k})·{\prod }_{k=1}^{l}e({u_j}^{v_k·{\mathsf{\Lambda }}_{k,j}},I_k)$

  $$=\left\{\begin{array}{c}e\left(Q_j,g\right)·e\left(u_j,X_1\right),j=1\hfill \\ e\left(Q_j,g\right),j>1\hfill \end{array}\right.$$
  If the equation is correct, the algorithm outputs $accept$, otherwise it outputs $reject$.

6. Analysis of Our Scheme

6.1. Security Analysis

In our proposed mesh signature scheme, we need to consider the two notions “one-more unforgeability” and “full anonymity”. First, any IoT device cannot forge a new mesh signature on any corrupted or fresh information. Second, the anonymity of IoT device will be preserved even if some atomic signatures are reused to generate a new mesh signature, namely mesh signature and its atomic signatures must be anonymous, where we need to use the technology of randomization to randomize the generated signatures. Under the security frame proposed by [2,4], our scheme is proven to be unforgeable and anonymous.

Theorem 1.

Our proposed scheme is (ℏ, ε, $q_k$, $q_a$, $q_m$)-unforgeable, where we assume that the (${\hslash }^{\prime }$, ${\epsilon }^{\prime }$)-CDH assumption can hold in ${\mathbb{G}}_1$, and:

$$\begin{array}{c}{\epsilon }^{\prime }=(1-\frac{q_k}{q})·[1-q_a+q_a·{(1-\frac{1}{q})}^l]·(1-\frac{q_m}{q})·\epsilon ,\\ {\hslash }^{\prime }=\hslash +O(q_k·[3·C_{exp}+C_{mul}]+q_a·[(2·l·t_{max}+3)·C_{exp}+(l·t_{max}+1)·C_{mul}]+q_m·[(4·l·t_{max}+\\ 3·l+13)·C_{exp}+(4·l·t_{max}+4·l+8)·C_{mul}]),\end{array}$$

$q_k$ denotes the queries number of “Generate-Key” oracle, $q_a$ denotes the queries number of “Atomic Signature” oracle, $q_m$ denotes the queries number of “Mesh Signature” oracle, $C_{mul}$ denotes the time of a multiplication in ${\mathbb{G}}_1$, $C_{exp}$ denotes the time of an exponentiation in ${\mathbb{G}}_1$.(This proof is provided to Appendix A.1)

Theorem 2.

Our proposed scheme is (ℏ, ε, $q_k$, $q_a$, $q_m$)-anonymous, where we assume that the (${\hslash }^{\prime }$, ${\epsilon }^{\prime }$)-CDH assumption can hold in ${\mathbb{G}}_1$, and:

$$\begin{array}{c}{\epsilon }^{\prime }=(1-\frac{q_{k_1}}{q})·(1-\frac{q_{k_2}}{q})·[1-q_{a_1}+q_{a_1}·{(1-\frac{1}{q})}^l]·[1-q_{a_2}+q_{a_2}·{(1-\frac{1}{q})}^l]·(1-\frac{q_{m_1}}{q})·(1-\frac{q_{m_2}}{q})·(\epsilon -\frac{1}{2}),\\ {\hslash }^{\prime }=\hslash +O((q_{k_1}+q_{k_2})·[3·C_{exp}+C_{mul}]+(q_{a_1}+q_{a_2})·[(2·l·t_{max}+3)·C_{exp}+(l·t_{max}+1)·C_{mul}]+\\ (q_{m_1}+q_{m_2})·[(4·l·t_{max}+3·l+13)·C_{exp}+(4·l·t_{max}+4·l+8)·C_{mul}]),\end{array}$$

$q_{k_1}$ and $q_{k_2}$ denote the queries numbers of “Generate-Key” oracle in the query phases 1 and 2 respectively, $q_{a_1}$ and $q_{a_2}$ denote the queries numbers of “Atomic Signature” oracle in the query phases 1 and 2 respectively, $q_{m_1}$ and $q_{m_2}$ denote the queries numbers of “Mesh Signature” oracle in the query phases 1 and 2 respectively, $C_{mul}$ denotes the time of a multiplication in ${\mathbb{G}}_1$, $C_{exp}$ denotes the time of an exponentiation in ${\mathbb{G}}_1$.(This proof is provided to Appendix A.2)

6.2. Efficiency Analysis

In the proposed scheme, the length of the atomic signatures is $(2·l+l·t_{max})·\left|{\mathbb{G}}_1\right|$, the length of the mesh signature is $(4+2·l+t_{max})·\left|{\mathbb{G}}_1\right|$, where $|{\mathbb{G}}_1|$ is the size of element in ${\mathbb{G}}_1$. Because $x_{i,0,k}$, $x_{i,1,k}$, ${\psi }^{r_{i,k}}$ in $s_{k,j}$ may be pre-computed (To make our analysis simple, we set the time of integer and hash computations is ignored.), signing a message set for the atomic signatures only computes at most $l·t_{max}$ exponentiations in ${\mathbb{G}}_1$ and $l·t_{max}$ multiplications in ${\mathbb{G}}_1$. Also, because $X_1$, $X_2$, $X_3$, $X_4$, $X_{5,k}$, $g^{d_k}$ in $I_k$, ${\prod }_{k=1}^l\left(x_{i,0,k}\right)·{\psi }^{d_0+b}·{\varpi }^{d_0}$ in $X_0$, $s{k}_{i,1}·y^c·g^c$ in $Q_j$ may be pre-computed, signing a message set for the mesh signature only computes at most $4·l·t_{max}+l+1$ exponentiations in ${\mathbb{G}}_1$ and $4·l·t_{max}+l+1$ multiplications in ${\mathbb{G}}_1$. In the verify algorithm, because the value $e(f,g_1)$ can be pre-computed and cached, the verification needs $(2·l+1)·t_{max}+5$ pairing computations, $2·l·t_{max}$ exponentiations in ${\mathbb{G}}_1$, $2·l·t_{max}+5$ multiplications in ${\mathbb{G}}_1$. Furthermore, we compare our proposed scheme with the original mesh signature scheme [2] in detail.

Table 1. Complexity of Two Schemes.

	Atomic Signatures	Mesh Signature	Verification
Original scheme [2]	$C_{exp}$	$(6·(l+1)·t_{max})·C_{exp}+$	$((l+1)·t_{max}+1)·C_{pair}+$
		$(4·l·t_{max}+t_{max})·C_{mul}$	$3·(l+1)·t_{max}·C_{exp}+$
			$3·l·t_{max}·C_{mul}$
Our scheme	$l·t_{max}·(C_{exp}+C_{mul})$	$(4·l·t_{max}+l+1)·$	$((2·l+1)·t_{max}+5)·C_{pair}+$
		$(C_{exp}+C_{mul})$	$2·l·t_{max}·C_{exp}+$
			$(2·l·t_{max}+5)·C_{mul}$

shows the performance comparison according to our theoretical analysis (In this comparison, we assume that the order of assigned structure tree in [2] is set to $t_{max}$.), where $C_{mul}$ denotes the time of a multiplication in ${\mathbb{G}}_1$, $C_{exp}$ denotes the time of an exponentiation in ${\mathbb{G}}_1$ and $C_{pair}$ denotes the time of a pairing computation. According to Table 1, we can know although generating atomic signatures in our scheme needs more computational cost, our scheme has less computational costs on generating final mesh signature and signature verification. Since atomic signatures are reusable, our scheme has more advantages on generating final mesh signature by reconstructing atomic signatures.

Additionally, we make some experiments to test and evaluate the actual performance of our scheme. In the tests, we employ the paring based cryptography (PBC) library to simulate our scheme, where the experimental computer is under Intel Core i5 2.7 GHz and RAM 8GB. In our experiments, we use the Type A parings in PBC library to construct the parings, where the lengths of the parameters p and q are respectively set as 160 bits and 512 bits. Furthermore, the parameter l is set to {1, 10, 20, 30, 40, 50}, and then we test our scheme and the original scheme [2] 10 times on average under the different settings of l.

Table 2. Actual Performance of Two Schemes.

		Computational Costs (ms)
1		1	10	20	30	40	50
Original scheme [2]	Atomic Signatures	1.958	1.746	1.590	1.605	1.566	1.629
	Mesh Signature	91.495	583.225	1038.55	1617.78	2003.15	2270.82
	Verification	61.457	339.048	593.315	1001.73	1263.15	1473.34
Our scheme	Atomic Signatures	7.890	78.850	164.900	236.100	313.600	387.250
	Mesh Signature	37.752	353.003	881.153	981.836	1551.64	1675.29
	Verification	37.910	441.830	591.710	1000.43	1150.84	1128.29

shows the actual performance comparison of our scheme and the original scheme. Similar to our theoretical analysis, our scheme has less computational costs on generating final mesh signature and signature verification, compared with the original scheme.

Since our scheme is used to protect the identity privacy of IoT devices, we further test our memory consumption through signing different sizes of messages. Figure 5 shows the change of memory consumption by signing different sizes of messages, where the sizes of messages are set to 100 KB, 1 MB, 10 MB, 20 MB, 50 MB respectively. In Figure 5, when our scheme generates a mesh signature on 10 MB message, the memory consumption is only about 200 KB. Therefore, it is feasible that our scheme is used to protect the identity privacy of IoT devices.

7. Conclusions

IoT devices are responsible for acquiring, storing, and transferring data. Currently, many IoT devices are located on the edge of a network and lack of protection measures to resist various attacks [38,39,40,41,42,43]. Therefore, these devices are more vulnerable to some attacks, such as device theft, device manipulation, identity theft, data eavesdropping and so on. Thus, the privacy of IoT devices needs to be focused. It is very important to protect the identities of IoT devices when these devices process and transfer data [44,45,46,47,48,49,50,51,52]. Then we present a syntax about mesh signature in IoT. Under the proposed syntax, we present a fully anonymous mesh signature scheme for IoT devices, where the IoT devices may be seen as the signers to sign their data and their specific identities can be hidden. In our proposed scheme, the generation of mesh signatures consists of two main steps: (1) generating some atomic signatures; (2) generating a final mesh signature based on previous atomic signatures. Additionally, as IoT devices can generate a large amount of data every day, if each IoT device both needs to sign and then publish its data, then the signing cost is very heavy for itself. Thus, if each IoT device reuses some “old” signatures by itself on the same data, it will save the signing cost so as to decrease the number of signatures generated by IoT devices. In our proposed scheme, the atomic signatures on the same data can be reusable so as to decrease the number of signatures. Although the atomic signatures can be reused, the randomization technology is employed so that any adversary cannot know which atomic signatures were reused. Thus, the merit is very suitable for IoT devices. Furthermore, in our proposed scheme we have limitedly defined the access structure of language expression by monotone-span programs, thus the proposed mesh signature can resist the collusion attacks and its access structure still support generalized monotone predicates. Compared with the original mesh signature scheme, our proposed scheme has its advantage, which has linear size length of signature.