1. Introduction
In recent years, there has been growing interest in monitoring marine ecosystems for scientific research, military applications, and commercial exploitation [1]. The underwater wireless sensor network (UWSN) is the most effective method of monitoring the marine environment. In principle, a UWSN is a wireless communication network comprising tens or hundreds of battery-powered sensor nodes [2]. Unlike wireless links between ground sensors, the underwater channel has high latency and low bandwidth, and transmitting over it consumes a great deal of power. In addition, replacing or recharging a battery in a UWSN is far more complex than in a ground WSN. That is why current security algorithms struggle with power usage [3]. Because of these constrained resources, the sensor nodes suffer from an energy consumption problem [4]. Therefore, almost all existing research and technology on UWSNs focuses on power savings at the expense of security and capability.
Security is one of the key elements in the design of UWSN protocols and mechanisms. Because of their low cost and proximity to the events they monitor, sensor nodes are prime targets for malicious attacks of many kinds. In addition, the open communication channel makes it possible for any device to participate in the flow of information, so an attacker could easily take control of sensors and of unsecured UWSN communication links. The research available on UWSNs focuses on self-organization, communication, flexibility, low power consumption, and adaptability. Unfortunately, current studies have many limitations regarding how well UWSNs can resist security threats, because resources are very limited and security is usually server-based, relying on particular data and communication sites [5].
In the context of security, authentication is necessary. Global WSN authentication solutions, such as public-key-based RSA [6] and Blom’s symmetric matrix multiplication algorithm [7], have been proposed, but they do not work for UWSNs because of their increased computational and communication complexity. As a result, UWSNs require the development of a signature-based authentication system [8].
A digital signature is a common solution for ensuring data authenticity in UWSNs. However, traditional digital signature schemes rely on expensive ECC scalar point multiplication, hyperelliptic curve divisor multiplication, and bilinear pairing operations, which limits their use on resource-limited devices such as sensors and IoT devices. An alternative solution is the offline/online signature, where the signing process is divided into an offline phase and an online phase. The offline phase performs the computationally intensive tasks, while the online phase produces the signature on the message in real time. When deployed in UWSNs, the gateway can simplify the online signature step so that authenticated messages are generated cheaply. Reducing the communication bandwidth and computation time is the key to the practical use of an online/offline signature technique. However, ensuring both the security and the effectiveness of an online/offline approach in the real world remains a challenge, and this is the main focus of the present paper.
1.1. Motivation and Contributions
The computation time and communication overhead spent on signature formation are inversely related to the hardness of the underlying security problem. Traditional signature techniques such as RSA and bilinear pairing, both of which rely on subexponential hard problems, need a significant amount of computation time and communication overhead and are not suitable for devices with limited resources. Elliptic curve cryptography (ECC) is used instead: its underlying hard problem is fully exponential, so its signatures can be generated in a significantly shorter time.
However, it is still challenging to find a cryptographic solution that is appropriate for UWSNs. There are hardly any articles that concentrate on cryptographic security and privacy for UWSNs [9,10,11,12,13,14]. Bilinear pairing with elliptic curves has, however, been used to provide authenticity in various environments [15]. Since the HEC has higher efficiency and a shorter key length than ECC, bilinear pairing, and RSA, it is often regarded as the most compact and efficient form of cryptographic mechanism. In the proposed work, we focus on a new security solution for UWSN devices, dividing our algorithm into online and offline phases to further reduce the computational time and communication bandwidth during device operation. The contributions of this paper are as follows:
Firstly, we propose a new certificateless online/offline signature scheme based on a hyperelliptic curve cryptosystem for underwater wireless sensor networks.
Secondly, we present the generic syntax of the proposed certificateless online/offline signature scheme for underwater wireless sensor networks.
Thirdly, we provide the mathematical construction of the proposed certificateless online/offline signature scheme for underwater wireless sensor networks. The construction is an extension of the syntax. The designed approach offers the security requirement of unforgeability against both Type I and Type II adversaries, as well as resistance to replay attacks.
Finally, we compared the computational and communicational overhead of our proposed method with earlier certificateless online and offline signature solutions. According to the findings, the proposed strategy uses significantly fewer computing and communication resources than earlier solutions.
1.2. Paper Organization
In the upcoming section (i.e., Section 2), we review the existing literature. Section 3 presents our proposed network and the construction of an online/offline signature for UWSNs. Section 4 presents the deployment of the proposed scheme on UWSNs. Section 5 presents the formal security analysis, and Section 6 the performance analysis. Section 7 reviews our contributions, and Section 8 concludes the research.
2. Related Works
Related studies have been presented to secure UWSNs in recent years [9,10,11,12,13,14]. Unfortunately, the present key management and cryptographic solutions share some common problems, including computational and communication complexity and ciphertext expansion [4]. Therefore, in the proposed approach, we consider an online/offline signature with a lightweight hyperelliptic curve cryptosystem to reduce the computational and communication complexity of UWSN communications. Table 1 summarizes the related works.
Even, Goldreich, and Micali [16] proposed the online/offline signature concept in 1990. The authors divided the signing algorithm into two phases, online and offline: in the absence of a message, the heavier computations are moved to the offline phase, while only the lighter computations are performed online. The offline work can be carried out on a background computation device during manufacturing or whenever the device is connected to power. Shamir and Tauman [17] refined the trapdoor-hash-function-based online/offline signature technique in 2001. This improves online efficiency; however, the technique increases the signature cost and suffers from a trapdoor leakage issue. In 2007, Chen [18] created an online/offline signature system employing the dual trapdoor hash function. However, neither method works in normal situations.
Recently, Liu et al. [19] proposed an identity-based online/offline signature using the elliptic curve discrete logarithm problem (ECDLP). Addobea et al. [20] proposed a certificateless online/offline signature (COOS) for mobile health devices in 2020; this study aims to reduce the computational and communication resources required by mobile health devices. According to Xu and Zeng [21], the proposed scheme of Addobea et al. [20] fails to achieve correctness, a key property that any signature scheme should provide. In the same year, Khan et al. [22] provided a new COOS solution for the IoHT employing the hardness of the hyperelliptic curve discrete logarithm problem (HCDLP). According to Hussain et al. [23], the approach of Khan et al. [22] is insecure under adaptive chosen message attacks: it has been shown that an adversary can forge a valid signature on a message by substituting their own public key for the one that is supposed to be used. An attribute-based online/offline signature system for mobile crowdsourcing was presented in 2021 by Hong et al. [24]. Sadly, the authors did not present a mathematical or network model; the solution is purely theoretical.
Table 1. Summary of the literature.
Authors Name & Reference No. | Advantages | Limitations
Liu et al. [19] | |
Addobea et al. [20] | |
Khan et al. [22] | | Insecure when subject to adaptive chosen message attacks [23]
Hong et al. [24] | |
The above schemes are based on sophisticated cryptographic methods, i.e., bilinear pairing and ECC, and therefore carry a high cost of computation and communication. These approaches are thus not compatible with UWSNs equipped with minimal computation and communication resources. To construct an effective cryptographic solution for UWSNs that requires minimal computational resources, there is a critical need for a more concrete and efficient online/offline signature scheme. Our scheme is based on the hyperelliptic curve cryptosystem (HCC), which is a generalized form of the elliptic curve.
3. Construction of the Proposed Scheme
3.1. Security Threats
In certificateless public key cryptography, two types of adversaries are considered, i.e., Type I (${T}_{1}$) and Type II (${T}_{2}$).
The certificateless signature scheme has a security notion distinct from that of traditional signature schemes. According to the definitions in [25], a certificateless signature scheme ought to take into account two distinct kinds of adversaries: a Type I (${T}_{1}$) adversary and a Type II (${T}_{2}$) adversary. The adversary ${T}_{1}$ represents a typical third-party attacker against the certificateless signature scheme: ${T}_{1}$ does not have access to the master key, but it can request public keys and replace existing public keys with values of its choosing. The adversary ${T}_{2}$ represents a malicious Key Generation Center (KGC), the party responsible for generating users’ partial private keys: ${T}_{2}$ is allowed access to the master key but is not permitted to replace the target user’s public key.
3.2. Hyperelliptic Curve Cryptosystem (HEC)
Koblitz [26] first introduced the hyperelliptic curve cryptosystem (HEC), which is built on a class of algebraic curves. It can also be regarded as a generalization of the elliptic curve cryptosystem (ECC) [27]. Unlike ECC points, the points of an HEC do not form a group by themselves [28]; the HEC instead computes in the additive Abelian group generated by divisors. Compared with RSA, bilinear pairing, and ECC, the HEC’s parameter size is significantly smaller at the same security level, which makes the HEC appealing to resource-constrained devices.
A curve of genus 1 is the familiar elliptic curve used by ECC. Figure 1 [29] illustrates an HEC whose genus is greater than 1. For genus 1, the group order of the finite field ($\mathbb{F}_q$) required operands 160 bits long, which necessitated at least $g \cdot \log_{2}(q) \approx 2^{160}$, where $g$ is the genus of the curve over $\mathbb{F}_q$, the finite field of order $q$. Similarly, a curve of genus two required operands of 80 bits, and curves of genus three required operands of 54 bits [30].
Let $\mathbb{F}$ be a finite field and $\overline{\mathbb{F}}$ its algebraic closure. An HEC of genus $g \geq 1$ over $\mathbb{F}$ is the set of solutions $(x, y) \in \overline{\mathbb{F}} \times \overline{\mathbb{F}}$ of the defining curve equation, whose coefficient polynomials are $h(x) \in \mathbb{F}[x]$, of degree at most $g$, and $f(x) \in \mathbb{F}[x]$, monic of degree $2g+1$.
The curve is nonsingular if there is no pair $(x, y) \in \overline{\mathbb{F}} \times \overline{\mathbb{F}}$ that satisfies the curve equation together with both of its partial derivative equations simultaneously.
3.3. Complexity Assumptions
In the course of this work, we make the following assumptions:
$\mathbb{F}_q$ is a finite field of order $q$, where $q \approx 2^{80}$;
$D$ is a divisor of the HEC, i.e., a finite formal sum of points,
$D = \sum_{P_i \in \mathrm{HEC}} m_i P_i$, where $m_i \in \mathbb{F}_q$.
3.3.1. Definition 1. Hyperelliptic Curve Discrete Logarithm Problem (HCDLP)
We make the following supposition for the HCDLP.
Let $\eta \in \{1, 2, 3, \dots, (n-1)\}$ and $\mathcal{W} = \eta \cdot \mathcal{D}$; then, finding $\eta$ from $\mathcal{W}$ is called the HCDLP.
3.3.2. Definition 2. Hyperelliptic Curve Computational Diffie-Hellman Problem (HCCDH)
For the HCCDH, we make the following suppositions.
Let $\eta, \Upsilon \in \{1, 2, 3, \dots, (n-1)\}$ and $\mathcal{W} = \eta \cdot \mathcal{D}$, $\mathcal{T} = \Upsilon \cdot \eta \cdot \mathcal{D}$; then, finding $\eta$ from $\mathcal{W}$ and $\Upsilon$ from $\mathcal{T}$ is called the HCCDH.
3.4. Network Model
In Figure 2, we present the proposed network model for the online/offline signature scheme for the underwater wireless sensor network. The proposed network model consists of a Network Manager (NM), an Intermediate Gateway, Underwater Sensors, and Surface Users.
Network Manager (NM): The NM is a trusted third party responsible for establishing secure connections between all entities in the network.
Underwater Sensors: These sensors sense the underwater environment and transmit data to the surface.
Surface Users: A surface user is a device or client, such as an Internet of Things device, that is interested in the data from the underwater sensors.
Intermediate Gateway: The intermediate gateway is a collection of nodes that act as a conduit for data and requests between the other entities.
The NM is in charge of the registration process that takes place before communication links are created; it first registers the communicating parties in order to enable secure communication. The intermediate gateway device has abundant processing power, memory, and computational capability. Resource-limited sensors collect data and pass it to the intermediate gateway, which then processes it. Once a message is present, the intermediate gateway goes through the process of signature generation on the message.
3.5. Proposed Online/Offline Signature Algorithm for UWSNs
The symbols used in the construction of the proposed online/offline signature algorithm are listed in Table 2 of the following section. Additionally, Figure 3 presents the flowchart of the proposed algorithm.
Setup: This phase is carried out by the NM; it takes the security parameter ($\zeta$) as input. The NM then carries out the following procedures to produce the public parameter set, designated $\mathcal{W}$.
Select the genus ($g = 2$) of the HCC with a key size of 80 bits;
Select $\mathcal{N} \in \{1, 2, 3, \dots, (n-1)\}$ and compute the master public key as $\mathcal{G} = \mathcal{N} \cdot \mathcal{D}$, where $\mathcal{D}$ is a divisor of the hyperelliptic curve cryptosystem (HCC);
Choose two one-way hash functions $\mathscr{H}_a, \mathscr{H}_b$;
Finally, the NM advertises $\mathcal{W} = \{\mathrm{HCC}, \mathscr{H}_a, \mathscr{H}_b, \mathcal{G}, n, \mathcal{D}\}$ across the entire network while keeping $\mathcal{N}$ to itself.
Partial Private Key Extraction: Taking the identity ($ID$) of a user, the NM performs the following computations:
First pick $i \in \{1, 2, 3, \dots, (n-1)\}$;
Compute $\mathcal{A} = i \cdot \mathcal{D}$;
Compute $h_a = \mathscr{H}_a(ID, \mathcal{A})$;
Compute $\mathcal{U}_{ID} = i + \mathcal{N} h_a \bmod n$.
The NM then sends $\mathcal{U}_{ID}$ and $\mathcal{A}$ to the participant. Upon receiving them, the participant can check their validity with the equation $\mathcal{U}_{ID} \cdot \mathcal{D} = \mathcal{A} + h_a \mathcal{G}$.
The partial private key is legitimate if this equation holds; otherwise, it is invalid.
Secret Value and Private Key Setting: Upon receiving $\mathcal{U}_{ID}$ and $\mathcal{A}$, the participant picks $\mathcal{V}_{ID} \in \{1, 2, 3, \dots, (n-1)\}$ and sets it as the secret value.
Furthermore, the participant sets the full private key as ($\mathcal{V}_{ID}, \mathcal{U}_{ID}$).
Signature Generation: This section is divided into two phases, i.e., the offline phase and the online phase. The offline phase performs the heavy mathematical operations so as to reduce the computation in the online phase.
Offline Phase: Given ($\mathcal{V}_{ID}, \mathcal{U}_{ID}$), the sender picks $j \in \{1, 2, 3, \dots, (n-1)\}$ at random and performs the following computations.
Compute $\mathcal{J} = j \cdot \mathcal{D}$;
Compute $\mathcal{K} = \mathcal{U}_{ID} + \mathcal{V}_{ID}$;
Compute $\mathcal{L} = \mathcal{V}_{ID} \mathcal{D} + \mathcal{A}$.
The triple ($\mathcal{J}, \mathcal{K}, \mathcal{L}$) is then handed to the online phase.
Online Phase: Given the offline triple ($\mathcal{J}, \mathcal{K}, \mathcal{L}$), a fresh nonce ($\tau$), and a message ($m$), the signature generator creates the online signature by performing the following computations.
Compute $h_b = \mathscr{H}_b(ID, \mathcal{J}, \mathcal{L}, \tau, m)$;
Compute $\vartheta = j + h_b \mathcal{K} \bmod n$.
Finally, the sender outputs the triple ($\mathcal{L}, h_b, \vartheta$) as the full signature.
Signature Verification: For an identity ($ID$) and message ($m$) with the signature triple ($\mathcal{L}, h_b, \vartheta$) on $m$, the receiver verifies the signature by performing the following operations:
Compute $h_a = \mathscr{H}_a(ID, \mathcal{A})$;
Compute $\mathcal{J}^{\prime} = \vartheta \mathcal{D} - h_b\left(\mathcal{L} + h_a \mathcal{G}\right)$;
Compute $h_b^{\prime} = \mathscr{H}_b(ID, \mathcal{J}^{\prime}, \mathcal{L}, \tau, m)$.
The receiver then checks whether $h_b^{\prime} = h_b$; if it holds, the signature is valid; otherwise, it is forged.
The consistency can be proved from the following equation.
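Carrying the verification step through with the scheme’s own symbols (this derivation is added here and is not part of the original text; it substitutes $\mathcal{A} = i \cdot \mathcal{D}$, $\mathcal{U}_{ID} = i + \mathcal{N} h_a$, $\mathcal{K} = \mathcal{U}_{ID} + \mathcal{V}_{ID}$, $\mathcal{L} = \mathcal{V}_{ID} \mathcal{D} + \mathcal{A}$ and $\mathcal{G} = \mathcal{N} \cdot \mathcal{D}$):

$$
\begin{aligned}
\mathcal{J}^{\prime} &= \vartheta \mathcal{D} - h_b\left(\mathcal{L} + h_a \mathcal{G}\right) \\
&= \left(j + h_b \mathcal{K}\right)\mathcal{D} - h_b\left(\left(\mathcal{V}_{ID} + i\right)\mathcal{D} + h_a \mathcal{N} \mathcal{D}\right) \\
&= j\mathcal{D} + h_b\left(\mathcal{U}_{ID} + \mathcal{V}_{ID}\right)\mathcal{D} - h_b\left(\mathcal{V}_{ID} + i + \mathcal{N} h_a\right)\mathcal{D} \\
&= j\mathcal{D} + h_b\left(\mathcal{U}_{ID} + \mathcal{V}_{ID} - \mathcal{V}_{ID} - \mathcal{U}_{ID}\right)\mathcal{D} \\
&= j\mathcal{D} = \mathcal{J}
\end{aligned}
$$

Hence the receiver’s recomputed $h_b^{\prime} = \mathscr{H}_b(ID, \mathcal{J}^{\prime}, \mathcal{L}, \tau, m)$ equals $h_b$ for every honestly generated signature, while any change to $m$ or $\tau$ changes the hash input and fails the check.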
4. Deployment of the Proposed Scheme
For deployment, we consider underwater sensors and surface users that want to communicate in order to share data. This communication also involves other entities, namely the NM and the intermediate gateway. To establish a connection and authenticate the sources of data, each entity follows the steps of the proposed online/offline signature described below. Figure 4 shows the deployment of the proposed scheme.
4.1. Setup, Connectivity, and Keys Extraction
To connect devices, the NM takes the security parameter ($\zeta$) as input and, acting as the KGC, generates the public parameter set ($\mathcal{W}$). For this, the NM selects the genus ($g = 2$) of the HCC with a key size of 80 bits, selects $\mathcal{N} \in \{1, 2, 3, 4, 5, \dots, (n-1)\}$, computes the master public key as $\mathcal{G} = \mathcal{N} \cdot \mathcal{D}$, where $\mathcal{D}$ is a divisor of the hyperelliptic curve cryptosystem (HCC), and chooses two one-way hash functions $\mathscr{H}_a, \mathscr{H}_b$. Finally, the NM advertises $\mathcal{W} = \{\mathrm{HCC}, \mathscr{H}_a, \mathscr{H}_b, \mathcal{G}, n, \mathcal{D}\}$ across the entire network while keeping $\mathcal{N}$ to itself.
To join the network, the underwater sensors and the surface user send their identities ($\mathrm{ID}_s, \mathrm{ID}_u$) to the NM. Taking $\mathrm{ID}_s, \mathrm{ID}_u$, the NM first picks $i \in \{1, 2, 3, 4, 5, \dots, (n-1)\}$, computes $\mathcal{A} = i \cdot \mathcal{D}$ and $h_a = \mathscr{H}_a(ID, \mathcal{A})$, and computes $\mathcal{U}_i = i + \mathcal{N} h_a \bmod n$. The NM then sends $\mathcal{U}_i$ and $\mathcal{A}$ to the underwater sensors and the surface user as their partial private key. Upon receiving it, the users can check the validity of $\mathcal{U}_i$ with the equation $\mathcal{U}_i \cdot \mathcal{D} = \mathcal{A} + h_a \mathcal{G}$. If this equation holds, the partial private key is valid; otherwise, it is invalid. Upon receiving $\mathcal{U}_i$ and $\mathcal{A}$, each participant picks $\mathcal{V}_i \in \{1, 2, 3, 4, 5, \dots, (n-1)\}$ and sets it as a secret value. Furthermore, the underwater sensors and the surface user set their full private key as ($\mathcal{V}_i, \mathcal{U}_i$).
4.2. Signature Generation
In this step, the underwater sensors generate the signature on the data. As the underwater sensors have limited energy, this step is divided into two phases, i.e., the offline phase and the online phase of the signature. The offline phase performs the heavy mathematical operations to reduce the computation on the online device: here, the intermediate gateway performs the offline phase and the underwater sensors perform the online phase. The intermediate gateway picks $j \in \{1, 2, 3, 4, 5, \dots, (n-1)\}$ at random, computes $\mathcal{J} = j \cdot \mathcal{D}$, computes $\mathcal{K} = \mathcal{U}_i + \mathcal{V}_i$, and computes $\mathcal{L} = \mathcal{V}_i \mathcal{D} + \mathcal{A}$. The intermediate gateway then delivers the triple ($\mathcal{J}, \mathcal{K}, \mathcal{L}$) to the underwater sensors.
The underwater sensors take the triple ($\mathcal{J}, \mathcal{K}, \mathcal{L}$) and the data ($m$) and generate the online signature. For this, they calculate $h_b = \mathscr{H}_b(ID, \mathcal{J}, \mathcal{L}, \tau, m)$ and $\vartheta = j + h_b \mathcal{K} \bmod n$. Finally, the underwater sensors output the triple ($\mathcal{L}, h_b, \vartheta$) as the full signature and send it to the surface user.
4.3. Signature Verification
The surface user verifies the signature triple ($\mathcal{L}, h_b, \vartheta$) on $m$ by computing $h_a = \mathscr{H}_a(ID, \mathcal{A})$, computing $\mathcal{J}^{\prime} = \vartheta \mathcal{D} - h_b\left(\mathcal{L} + h_a \mathcal{G}\right)$, and computing $h_b^{\prime} = \mathscr{H}_b(ID, \mathcal{J}^{\prime}, \mathcal{L}, \tau, m)$. The surface user then checks whether $h_b^{\prime} = h_b$; if it holds, the signature is considered legitimate; if not, it is considered forged.
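The following Python program is an added example, not code from the paper: it models the scheme of Section 3.5 and its deployment in Section 4 end to end (Setup and partial private key extraction on the NM, the participant’s partial-key check, the gateway’s offline phase, the sensor’s online phase, and the surface user’s verification), and also shows that a modified reading or a different nonce $\tau$ fails verification. It assumes a prime-order subgroup of $\mathbb{Z}_p^{*}$ in place of the genus-2 Jacobian, SHA-256 in place of $\mathscr{H}_a$ and $\mathscr{H}_b$, and toy parameter sizes.

```python
"""Model of the paper's certificateless online/offline signature (added example,
not the paper's code).  A prime-order subgroup of Z_p^*, an assumption, stands in
for the genus-2 Jacobian: the paper's divisor multiplication "x . D" becomes
pow(D, x, p) and divisor addition becomes multiplication mod p.  Toy parameter
sizes are assumed so the example runs instantly; they give no real security."""
import hashlib
import random

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin bases, exact below 3.3e24


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for the parameter sizes used here."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def H(tag: bytes, *parts) -> int:
    """Length-prefixed SHA-256; H_a and H_b are this hash under different tags."""
    h = hashlib.sha256(tag)
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")


class Group:
    """Setup on the NM: public parameters W = {group, H_a, H_b, G, n, D}; N stays secret."""
    def __init__(self, bits: int = 48, seed: int = 7):
        rng = random.Random(seed)                 # constructed, reproducible toy group
        while True:                               # safe prime p = 2n + 1
            self.n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_prime(self.n) and is_prime(2 * self.n + 1):
                break
        self.p = 2 * self.n + 1
        self.D = pow(rng.randrange(2, self.p - 1), 2, self.p)  # a square: order exactly n
        self._N = rng.randrange(1, self.n)        # master secret key N, never published
        self.G = self.mul(self._N, self.D)        # master public key G = N.D

    def mul(self, x: int, X: int) -> int:         # scalar multiplication x.X
        return pow(X, x % self.n, self.p)
    def add(self, X: int, Y: int) -> int:         # group addition X + Y
        return X * Y % self.p
    def sub(self, X: int, Y: int) -> int:         # group subtraction X - Y
        return X * pow(Y, -1, self.p) % self.p
    def H_a(self, ID: bytes, A: int) -> int:      # H_a(ID, A), mapped into {1..n-1}
        return H(b"Ha", ID, A) % (self.n - 1) + 1
    def H_b(self, ID, J, L, tau, m) -> int:       # H_b(ID, J, L, tau, m)
        return H(b"Hb", ID, J, L, tau, m) % (self.n - 1) + 1
    def extract(self, ID: bytes):
        """Partial Private Key Extraction on the NM: returns (U_ID, A)."""
        i = random.SystemRandom().randrange(1, self.n)
        A = self.mul(i, self.D)                                # A = i.D
        return (i + self._N * self.H_a(ID, A)) % self.n, A     # U_ID = i + N.h_a mod n


def partial_key_is_valid(W: Group, ID: bytes, U: int, A: int) -> bool:
    """Participant's check U_ID.D == A + h_a.G before accepting the partial key."""
    return W.mul(U, W.D) == W.add(A, W.mul(W.H_a(ID, A), W.G))


def offline_phase(W: Group, V: int, U: int, A: int) -> dict:
    """Heavy step on the gateway, done with no message in hand; one token per signature."""
    j = random.SystemRandom().randrange(1, W.n)
    return {"j": j, "J": W.mul(j, W.D),          # J = j.D; the scalar j is needed online too
            "K": (U + V) % W.n,                  # K = U_ID + V_ID
            "L": W.add(W.mul(V, W.D), A)}        # L = V_ID.D + A


def online_phase(W: Group, ID: bytes, tok: dict, tau: int, m: bytes):
    """Light step on the sensor: one hash and one multiply-add mod n."""
    h_b = W.H_b(ID, tok["J"], tok["L"], tau, m)
    return tok["L"], h_b, (tok["j"] + h_b * tok["K"]) % W.n    # (L, h_b, theta)


def verify(W: Group, ID: bytes, A: int, tau: int, m: bytes, sig) -> bool:
    """Surface user: rebuild J' = theta.D - h_b(L + h_a.G) and recompute h_b."""
    L, h_b, theta = sig
    J_prime = W.sub(W.mul(theta, W.D), W.mul(h_b, W.add(L, W.mul(W.H_a(ID, A), W.G))))
    return W.H_b(ID, J_prime, L, tau, m) == h_b


def run_demo() -> dict:
    """Register one sensor, sign one reading, and exercise the failure cases."""
    W, ID = Group(), b"sensor-17"
    U, A = W.extract(ID)
    V = random.SystemRandom().randrange(1, W.n)          # sensor's secret value V_ID
    tok = offline_phase(W, V, U, A)
    tau, m = 41, b"depth=120m;temp=4.1C"                 # constructed nonce and reading
    sig = online_phase(W, ID, tok, tau, m)
    return {"partial_key_ok": partial_key_is_valid(W, ID, U, A),
            "valid": verify(W, ID, A, tau, m, sig),
            "tampered": verify(W, ID, A, tau, b"depth=12m;temp=4.1C", sig),
            "replayed": verify(W, ID, A, tau + 1, m, sig)}  # nonce tau is bound into h_b
```

Each offline token carries the per-signature scalar $j$ and must be used exactly once: signing two messages with the same token would expose $\mathcal{K}$ through the same difference the forking argument in Section 5 relies on.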
5. Security Analysis
5.1. Theorem 1
Definition 3. “Under the security assumptions of the random oracle model (ROM), the scheme is existentially unforgeable against adaptive chosen message and identity attacks by an adversary (${T}_{1}$) that has no knowledge of the partial private key and the secret value.”
Proof. Assume ($\mathcal{D}, \mathscr{o}\mathcal{D}$) is a random HCDLP instance whose solution is $\mathscr{o}$. An algorithm ($\mathcal{A}\ell$) performs the following simulation while interacting with ${T}_{1}$.
Setup: In this phase, $\mathcal{A}\ell $ performs the following steps.
$\mathcal{A}\ell$ sets the public key as $\mathcal{G} = \mathscr{o} \cdot \mathcal{D}$ and advertises $\mathcal{W} = \{\mathrm{HCC}, \mathscr{H}_a, \mathscr{H}_b, \mathcal{G}, n, \mathcal{D}\}$ across the entire network.
For $1 \le p \le Q_{\mathscr{H}_a}$, $\mathcal{A}\ell$ chooses $\mathrm{ID}_p$ at random as the challenge ID for this game, where $Q_{\mathscr{H}_a}$ is the maximum number of queries to the $\mathscr{H}_a$ oracle.
$\mathcal{A}\ell$ picks $f_p \in \{1, 2, 3, \dots, (n-1)\}$ at random, sets $\mathcal{A}_p = f_p\left(\mathscr{o} \cdot \mathcal{D}\right)$, defines $\mathcal{C}_p = \mathscr{H}_a(\mathrm{ID}_p, \mathcal{A}_p)$, and adds the triple ($\mathrm{ID}_p, \mathcal{A}_p, f_p$) to $\mathscr{H}_a^{list}$.
Finally, $\mathcal{A}\ell$ gives ${T}_{1}$ the global parameter set $\mathcal{W} = \{\mathrm{HCC}, \mathscr{H}_a, \mathscr{H}_b, \mathcal{G}, n, \mathcal{D}\}$.
After that, $\mathcal{A}\ell$ starts answering the queries from ${T}_{1}$ as follows.
$\mathscr{H}_a$ Queries: ${T}_{1}$ inputs ($\mathrm{ID}_i, \mathcal{A}_i$), and $\mathcal{A}\ell$ consults $\mathscr{H}_a^{list}$. If $\mathscr{H}_a^{list}$ contains ($\mathrm{ID}_i, \mathcal{A}_i, f_i$), $\mathcal{A}\ell$ returns it to ${T}_{1}$. If not, $\mathcal{A}\ell$ picks $f_i \in \{1, 2, 3, \dots, (n-1)\}$ at random, adds ($\mathrm{ID}_i, \mathcal{A}_i, f_i$) to $\mathscr{H}_a^{list}$, and responds with $\mathcal{C}_i$ to ${T}_{1}$.
$\mathscr{H}_b$ Queries: ${T}_{1}$ inputs ($\mathrm{ID}_i, \mathcal{J}_i, \mathcal{L}_i, \tau, m_i$), and $\mathcal{A}\ell$ consults $\mathscr{H}_b^{list}$. If $\mathscr{H}_b^{list}$ already contains the requested query, the stored value is simply returned to ${T}_{1}$. If not, $\mathcal{A}\ell$ picks $h_i \in \{1, 2, 3, \dots, (n-1)\}$ at random, adds ($\mathrm{ID}_i, \mathcal{J}_i, \mathcal{L}_i, \tau, m_i, h_i$) to $\mathscr{H}_b^{list}$, and responds with $h_i$ to ${T}_{1}$.
Partial Private Key Extraction Queries: Upon a request for the partial private key associated with $\mathrm{ID}_i$, $\mathcal{A}\ell$ first checks whether $\mathrm{ID}_i = \mathrm{ID}_p$. $\mathcal{A}\ell$ also maintains $Ext^{list}$.
If $\mathrm{ID}_i = \mathrm{ID}_p$, $\mathcal{A}\ell$ terminates the simulation and outputs an error.
If $\mathrm{ID}_i \ne \mathrm{ID}_p$, $\mathcal{A}\ell$ chooses $\mathcal{V}_{ID_i} \in \{1, 2, 3, \dots, (n-1)\}$ at random as the secret value associated with $\mathrm{ID}_i$, picks $\mathcal{U}_{ID_i} \in \{1, 2, 3, \dots, (n-1)\}$, and computes $\mathcal{L}_i = \mathcal{U}_{ID_i} \cdot \mathcal{D} + \mathcal{V}_{ID_i} \cdot \mathcal{D} - f_i \, \mathscr{o} \cdot \mathcal{D}$. If $\mathscr{H}_a(\mathrm{ID}_i, \mathcal{A}_i, f_i)$ already exists, $\mathcal{A}\ell$ terminates the simulation and outputs an error; this event is denoted $\mathrm{EVE}_1$. $\mathcal{A}\ell$ then adds ($\mathrm{ID}_i, \mathcal{A}_i, f_i$) and ($\mathrm{ID}_i, \mathcal{U}_{ID_i}, \mathcal{V}_{ID_i}$) to $Ext^{list}$. Finally, $\mathcal{A}\ell$ outputs $\mathcal{L}_i$ and $\mathcal{U}_{ID_i}$.
The probability of $\mathrm{EVE}_1$ is at most $\frac{Q_{\mathscr{H}_a} + Q_E}{2^{\lambda + 1}}$, where $Q_E$ is the number of queries to the key extraction oracle.
Secret Value Extraction Queries:
If $\mathrm{ID}_i = \mathrm{ID}_p$, $\mathcal{A}\ell$ terminates the simulation and outputs an error.
If $\mathrm{ID}_i \ne \mathrm{ID}_p$, $\mathcal{A}\ell$ looks up ($\mathrm{ID}_i, \mathcal{U}_{ID_i}, \mathcal{V}_{ID_i}$) in $Ext^{list}$ and responds with the associated secret value ($\mathcal{V}_{ID_i}$).
Signature Generation Queries: Suppose a query for a signature with identity ($ID$) and message ($m$).
If $\mathrm{ID}_i = \mathrm{ID}_p$, $\mathcal{A}\ell$ picks $\vartheta_p, h_p \in \{1, 2, 3, \dots, (n-1)\}$ at random, sets $\mathcal{L}_p = \mathscr{o} \cdot \mathcal{D} - \mathcal{C}_p\left(\mathscr{o} \cdot \mathcal{D}\right)$, computes $\mathcal{J}_p = \vartheta_p \cdot \mathcal{D} - h_p\left(\mathcal{L}_p + \mathcal{C}_p \mathcal{G}\right)$, and sets $\mathscr{H}_b(\mathrm{ID}_p, \mathcal{J}_p, \mathcal{L}_p, \tau, m_i) = h_p$. If $\mathscr{H}_b(\mathrm{ID}_p, \mathcal{J}_p, \mathcal{L}_p, \tau, m_i)$ already exists, $\mathcal{A}\ell$ terminates the simulation and outputs an error; this event is denoted $\mathrm{EVE}_2$.
Finally, $\mathcal{A}\ell$ outputs the triple ($\mathcal{L}_p, h_p, \vartheta_p$) as the signature. The probability of $\mathrm{EVE}_2$ is at most $\frac{Q_{\mathscr{H}_a} + Q_{Sig}}{2^{\lambda}}$, where $Q_{Sig}$ is the number of queries to the signature generation oracle.
If $\mathrm{ID}_i \ne \mathrm{ID}_p$, the signature is generated normally, since $\mathcal{A}\ell$ holds the partial private key and the secret value; thus, $\mathcal{A}\ell$ can perform the online signature generation as usual.
Forgery: Let ${T}_{1}$ output a forged signature ($\mathcal{L}^{*}, h^{*}, \vartheta^{*}$) on message ($m^{*}$) for identity ($\mathrm{ID}^{*}$), where $\mathrm{ID}^{*}$ was never submitted to the secret value extraction oracle or the partial private key extraction oracle, and ($m^{*}, \mathrm{ID}^{*}$) was never queried to the signature generation oracle.
If $\mathrm{ID}^{*} \ne \mathrm{ID}_p$ and $\mathcal{L}^{*} \ne \mathcal{L}_p$, $\mathcal{A}\ell$ terminates the simulation and outputs an error; this event is denoted $\mathrm{EVE}_3$. The probability of $\mathrm{EVE}_3$ is at most $\frac{1}{Q_{\mathscr{H}_a}}$, where $Q_{\mathscr{H}_a}$ is the maximum number of queries to the $\mathscr{H}_a$ oracle.
If not, then according to the forking lemma [19], another algorithm ($\mathfrak{M}$) exists that is able to produce two valid digital signatures $\left(ID_{p},{\mathcal{J}}_{p},{\mathcal{L}}_{p},\tau,𝓂^{*},𝒽_{1},{\vartheta}_{1}\right)$ and $\left(ID_{p},{\mathcal{J}}_{p},{\mathcal{L}}_{p},\tau,𝓂^{*},𝒽_{2},{\vartheta}_{2}\right)$ in probabilistic polynomial time, where $𝒽_{1}\ne 𝒽_{2}$ while ${\mathcal{L}}_{p}$ remains the same, because $𝒻_{p}={\mathscr{H}}_{a}\left(ID_{p},{\mathcal{A}}_{p}\right)$ is unchanged. Thus, the subsequent equations hold as:
After the calculations, we obtain $\left({\vartheta}_{1}-{\vartheta}_{2}\right)\mathcal{D}=\left(𝒽_{1}-𝒽_{2}\right)ℴ.\mathcal{D}$, and then $ℴ=\left({\vartheta}_{1}-{\vartheta}_{2}\right)/\left(𝒽_{1}-𝒽_{2}\right)$, which is output as the solution of the HCDLP instance.
5.2. Theorem 2
Definition 4. The proposed scheme is existentially unforgeable, in the ROM under the HCDLP assumption, against the adaptive chosen message and identity attacks of an adversary (${T}_{2}$) who knows the partial private key/master secret key but does not hold the participant’s secret value.
Proof. Assume ($\mathcal{D},ℴ\mathcal{D}$) is a random HCDLP instance whose solution is $ℴ$. An algorithm ($\mathcal{A}\ell$) performs the following simulation while interacting with ${T}_{2}$.
Setup: In this phase, $\mathcal{A}\ell$ performs the following steps.
The $\mathcal{A}\ell$ sets the public key as $\mathcal{G}=\mathcal{N}.\mathcal{D}$ and advertises $\mathcal{W}=\{\mathrm{HCC},{\mathscr{H}}_{a},{\mathscr{H}}_{b},\mathcal{G},n,\mathcal{D}\}$ in the entire network.
For $1\le 𝓅\le {Q}_{{\mathscr{H}}_{a}}$, the $\mathcal{A}\ell$ chooses ${\mathrm{ID}}_{p}$ at random as the challenge identity for this game, where ${Q}_{{\mathscr{H}}_{a}}$ denotes the maximum number of ${\mathscr{H}}_{a}$ oracle queries.
Finally, the $\mathcal{A}\ell$ gives ${T}_{2}$ the global parameter set $\mathcal{W}=\{\mathrm{HCC},{\mathscr{H}}_{a},{\mathscr{H}}_{b},\mathcal{G},n,\mathcal{D}\}$ and the master secret key ($\mathcal{N}$).
After that, the $\mathcal{A}\ell$ starts answering the queries from ${T}_{2}$ as follows:
${\mathscr{H}}_{a}$ Queries: ${T}_{2}$ inputs (${\mathrm{ID}}_{i},{\mathcal{A}}_{i}$), upon which the $\mathcal{A}\ell$ consults the ${\mathscr{H}}_{a}^{list}$. If the ${\mathscr{H}}_{a}^{list}$ already contains (${\mathrm{ID}}_{i},{\mathcal{A}}_{i},𝒻_{i}$), the $\mathcal{A}\ell$ returns it to ${T}_{2}$. If not, the $\mathcal{A}\ell$ picks $𝒻_{i}\in \{1,2,3,\dots,(n-1)\}$ at random, adds (${\mathrm{ID}}_{i},{\mathcal{A}}_{i},𝒻_{i}$) to the ${\mathscr{H}}_{a}^{list}$ and responds with $𝒻_{i}$ to ${T}_{2}$.
${\mathscr{H}}_{b}$ Queries: ${T}_{2}$ inputs $\left(ID_{i},{\mathcal{J}}_{i},{\mathcal{L}}_{i},\tau,𝓂_{i}\right)$, upon which the $\mathcal{A}\ell$ consults the ${\mathscr{H}}_{b}^{list}$. If the ${\mathscr{H}}_{b}^{list}$ already contains the requested entry, the $\mathcal{A}\ell$ simply returns it to ${T}_{2}$. If not, the $\mathcal{A}\ell$ picks $𝒽_{i}\in \{1,2,3,\dots,(n-1)\}$ at random, adds $\left(ID_{i},{\mathcal{J}}_{i},{\mathcal{L}}_{i},\tau,𝓂_{i},𝒽_{i}\right)$ to the ${\mathscr{H}}_{b}^{list}$ and responds with $𝒽_{i}$ to ${T}_{2}$.
Partial Private Key Extraction Queries: Upon a request for the partial private key associated with ${\mathrm{ID}}_{i}$, the $\mathcal{A}\ell$ first checks whether ${\mathrm{ID}}_{i}={\mathrm{ID}}_{p}$ holds. The $\mathcal{A}\ell$ also maintains the $Ext^{list}$.
If ${\mathrm{ID}}_{i}={\mathrm{ID}}_{p}$, the $\mathcal{A}\ell$ sets ${\mathcal{A}}_{i}=ℴ.\mathcal{D}$ and obtains (${\mathrm{ID}}_{i},{\mathcal{A}}_{i},𝒻_{i}$) from the ${\mathscr{H}}_{a}^{list}$. The $\mathcal{A}\ell$ then picks $𝒾_{i}$ at random, computes ${\mathcal{U}}_{ID_{i}}=𝒾_{i}+\mathcal{N}𝒻_{i}$ and adds (${\mathrm{ID}}_{i},{\mathcal{U}}_{ID_{i}},\perp$) to the $Ext^{list}$ of tuples (${\mathrm{ID}}_{i},{\mathcal{U}}_{ID_{i}},𝒾_{i}$), where $\perp$ represents the unknown secret value for the identity ${\mathrm{ID}}_{i}$. Finally, the $\mathcal{A}\ell$ returns ${\mathcal{U}}_{ID_{i}}$.
If ${\mathrm{ID}}_{i}\ne {\mathrm{ID}}_{p}$, the $\mathcal{A}\ell$ finds (${\mathrm{ID}}_{i},{\mathcal{A}}_{i},𝒻_{i}$) in the ${\mathscr{H}}_{a}^{list}$. The $\mathcal{A}\ell$ then chooses $𝒾_{i1},𝒾_{i2}\in \{1,2,3,\dots,(n-1)\}$ at random, computes ${\mathcal{U}}_{ID_{i}}=𝒾_{i2}+\mathcal{N}𝒻_{i}$ and adds (${\mathrm{ID}}_{i},{\mathcal{U}}_{ID_{i}},𝒾_{i1}$) to the list. Finally, the $\mathcal{A}\ell$ returns ${\mathcal{U}}_{ID_{i}}$.
Signature Generation Queries: Suppose ${T}_{2}$ queries a signature for an identity (${\mathrm{ID}}_{i}$) and a message ($𝓂_{i}$).
If ${\mathrm{ID}}_{i}={\mathrm{ID}}_{p}$, the $\mathcal{A}\ell$ picks ${\vartheta}_{i},𝒽_{i}\in \{1,2,3,\dots,(n-1)\}$ at random, sets ${\mathcal{A}}_{i}=ℴ.\mathcal{D}$ and finds (${\mathrm{ID}}_{i},{\mathcal{A}}_{i},𝒻_{i}$) in the ${\mathscr{H}}_{a}^{list}$. Additionally, the $\mathcal{A}\ell$ sets ${\mathcal{L}}_{i}={\mathcal{A}}_{i}=ℴ.\mathcal{D}$ and computes ${\mathcal{J}}_{i}={\vartheta}_{i}.\mathcal{D}-𝒽_{i}\left({\mathcal{L}}_{i}+𝒻_{i}\mathcal{G}\right)$, where $𝒽_{i}={\mathscr{H}}_{b}\left(ID_{i},{\mathcal{J}}_{i},{\mathcal{L}}_{i},\tau,𝓂_{i}\right)$. If ${\mathscr{H}}_{b}\left(ID_{i},{\mathcal{J}}_{i},{\mathcal{L}}_{i},\tau,𝓂_{i}\right)$ already exists, the $\mathcal{A}\ell$ terminates the simulation and outputs an error. This is termed the Event ${\mathrm{EVE}}_{2}$.
For the challenge identity, the $\mathcal{A}\ell$ likewise computes ${\mathcal{J}}_{p}={\vartheta}_{p}.\mathcal{D}-𝒽_{p}\left({\mathcal{L}}_{p}+𝒻_{p}\mathcal{G}\right)$, where $𝒽_{p}={\mathscr{H}}_{b}\left(ID_{p},{\mathcal{J}}_{p},{\mathcal{L}}_{p},\tau,𝓂_{i}\right)$. If ${\mathscr{H}}_{b}\left(ID_{p},{\mathcal{J}}_{p},{\mathcal{L}}_{p},\tau,𝓂_{i}\right)$ already exists, the $\mathcal{A}\ell$ terminates the simulation and outputs an error (again the Event ${\mathrm{EVE}}_{2}$). Finally, the $\mathcal{A}\ell$ outputs the triple $\left({\mathcal{L}}_{i},𝒽_{i},{\vartheta}_{i}\right)$ as the signature. The probability of ${\mathrm{EVE}}_{2}$ is at most $\frac{{Q}_{{\mathscr{H}}_{b}}+{Q}_{Sig}}{{2}^{⋋}}$, where ${Q}_{Sig}$ denotes the number of queries to the signature generation oracle.
If ${\mathrm{ID}}_{i}\ne {\mathrm{ID}}_{p}$, the signature is a normal one, since the $\mathcal{A}\ell$ holds the partial private key and the secret value. Thus, the $\mathcal{A}\ell$ can perform the online signature generation as usual.
Forgery: Let ${T}_{2}$ generate a forged digital signature (${\mathcal{L}}^{*},𝒽^{*},{\vartheta}^{*}$) on the message ($𝓂^{*}$) for a given identity (${\mathrm{ID}}^{*}$), such that ${\mathrm{ID}}^{*}$ was never submitted to the secret value extraction oracle, and ($𝓂^{*}$, ${\mathrm{ID}}^{*}$) was never queried to the signature generation oracle.
If ${\mathrm{ID}}^{*}\ne {\mathrm{ID}}_{p}$ and ${\mathcal{L}}^{*}\ne {\mathcal{L}}_{p}$, then the $\mathcal{A}\ell$ terminates the simulation and outputs an error. This is termed the Event ${\mathrm{EVE}}_{3}$. The probability of ${\mathrm{EVE}}_{3}$ is not less than $\frac{1}{{Q}_{{\mathscr{H}}_{a}}}$, where ${Q}_{{\mathscr{H}}_{a}}$ denotes the maximum number of ${\mathscr{H}}_{a}$ oracle queries.
If not, then according to the forking lemma [19], another algorithm ($\mathfrak{M}$) exists that is able to produce two valid digital signatures $\left(ID_{p},\mathcal{J},{\mathcal{L}}_{p},𝓂^{*},𝒽_{1},{\vartheta}_{1}\right)$ and $\left(ID_{p},\mathcal{J},{\mathcal{L}}_{p},𝓂^{*},𝒽_{2},{\vartheta}_{2}\right)$ in probabilistic polynomial time, where $𝒽_{1}\ne 𝒽_{2}$ while ${\mathcal{A}}^{\prime}={\mathcal{L}}^{\prime}\mathcal{D}$ and $𝒻_{p}$ remain the same. Thus, the subsequent equations hold as:
After the calculations, we obtain $\left({\vartheta}_{1}-{\vartheta}_{2}\right)\mathcal{D}=\left(𝒽_{1}-𝒽_{2}\right)\left(ℴ+\mathcal{N}𝒻_{p}\right)\mathcal{D}$, and then $ℴ=\frac{{\vartheta}_{1}-{\vartheta}_{2}}{𝒽_{1}-𝒽_{2}}-\mathcal{N}𝒻_{p}$, which is output as the solution of the HCDLP instance. □
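The step summarised above as "after the calculations", carried through here as an added worked derivation that is not part of the original proof. It uses only the verification relation of the simulated signatures from the Signature Generation Queries and the Theorem 2 simulation settings ${\mathcal{L}}_{p}={\mathcal{A}}_{p}=ℴ.\mathcal{D}$ and $\mathcal{G}=\mathcal{N}.\mathcal{D}$; it assumes the order $n$ of $\mathcal{D}$ is prime so that $𝒽_{1}-𝒽_{2}$ is invertible modulo $n$. The Theorem 1 extraction is the same subtraction in the case where the bracketed term equals $ℴ.\mathcal{D}$.

Both forked signatures share ${\mathcal{J}}_{p}$, so they satisfy the same relation with different $(𝒽,{\vartheta})$:

$${\mathcal{J}}_{p}={\vartheta}_{1}\mathcal{D}-𝒽_{1}\left({\mathcal{L}}_{p}+𝒻_{p}\mathcal{G}\right)={\vartheta}_{2}\mathcal{D}-𝒽_{2}\left({\mathcal{L}}_{p}+𝒻_{p}\mathcal{G}\right)$$

Subtracting the two right-hand sides:

$$\left({\vartheta}_{1}-{\vartheta}_{2}\right)\mathcal{D}=\left(𝒽_{1}-𝒽_{2}\right)\left({\mathcal{L}}_{p}+𝒻_{p}\mathcal{G}\right)$$

Substituting the values fixed by the simulator:

$${\mathcal{L}}_{p}+𝒻_{p}\mathcal{G}=ℴ.\mathcal{D}+𝒻_{p}\mathcal{N}.\mathcal{D}=\left(ℴ+\mathcal{N}𝒻_{p}\right)\mathcal{D}$$

$$\left({\vartheta}_{1}-{\vartheta}_{2}\right)\mathcal{D}=\left(𝒽_{1}-𝒽_{2}\right)\left(ℴ+\mathcal{N}𝒻_{p}\right)\mathcal{D}$$

Because $\mathcal{D}$ has order $n$, equal multiples of $\mathcal{D}$ have equal scalars modulo $n$, and since $𝒽_{1}\ne 𝒽_{2}$ the difference can be inverted:

$${\vartheta}_{1}-{\vartheta}_{2}\equiv\left(𝒽_{1}-𝒽_{2}\right)\left(ℴ+\mathcal{N}𝒻_{p}\right)\pmod{n}$$

$$ℴ\equiv\left({\vartheta}_{1}-{\vartheta}_{2}\right)\left(𝒽_{1}-𝒽_{2}\right)^{-1}-\mathcal{N}𝒻_{p}\pmod{n}$$

Every quantity on the right is known to the $\mathcal{A}\ell$: $\mathcal{N}$ is the master secret key it generated, and $𝒻_{p}$ is the entry it stored in the ${\mathscr{H}}_{a}^{list}$ for ${\mathrm{ID}}_{p}$. In the Theorem 1 simulation the bracketed term is $ℴ.\mathcal{D}$ and no $\mathcal{N}𝒻_{p}$ correction appears, giving $ℴ=\left({\vartheta}_{1}-{\vartheta}_{2}\right)/\left(𝒽_{1}-𝒽_{2}\right)$ as stated there.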
5.3. Theorem 3
Definition 5. If the NM impersonates an authentic participant in order to forge a signature, knowing the participant’s partial private key and a secret value (an alternative secret value that is not the real one), we can demonstrate to the mediator that the NM is dishonest.
Proof. According to the above two theorems, the proposed scheme is unforgeable against both malicious type-1 and type-2 adversaries. The process is split into two steps, i.e., forging the private key and signing the message.
Forging the Private Key: Let $\mathrm{ID}$ be the identity of the participant, and let (${\mathcal{V}}_{ID},{\mathcal{U}}_{ID}$) be the respective private key. The NM could simulate the participant to generate a signature in two possible ways:
By knowing the participant’s secret value ${\mathcal{V}}_{ID}$.
By replacing the participant’s secret value ${\mathcal{V}}_{ID}$. As ${\mathcal{V}}_{ID}$ is picked at random from $\{1,2,3,\dots,(n-1)\}$, it is infeasible for the NM to obtain ${\mathcal{V}}_{ID}$.
Thus, the NM has to pick a secret value ${\mathcal{V}}_{ID}{}^{\prime}$ for the participant to produce another private key for the identity ID. The procedure is as follows.
The NM picks ${\mathcal{V}}_{ID}{}^{\prime}$ as the replacement of the participant’s secret value.
The NM picks $𝒾^{\prime}\in \{1,2,3,\dots,(n-1)\}$ at random and computes ${\mathcal{A}}^{\prime}=𝒾^{\prime}.\mathcal{D}$ and ${\mathcal{U}}_{ID}{}^{\prime}=𝒾^{\prime}+\mathcal{N}𝒻_{p}{}^{\prime}\bmod n$. These ${\mathcal{A}}^{\prime}$ and ${\mathcal{U}}_{ID}{}^{\prime}$ yield the forged private key (${\mathcal{V}}_{ID}{}^{\prime},{\mathcal{U}}_{ID}{}^{\prime}$).
Signing the Message: After forging the participant’s private key (${\mathcal{V}}_{ID}{}^{\prime},{\mathcal{U}}_{ID}{}^{\prime}$), the NM executes the signature generation algorithm and obtains the triple (${\mathcal{L}}^{\prime},𝒽^{\prime},{\vartheta}^{\prime}$) on the message $𝓂$ for the given identity (ID) of the participant. The participant can run the signature generation algorithm twice to establish that (${\mathcal{L}}^{\prime},𝒽^{\prime},{\vartheta}^{\prime}$) was forged by the NM or by an adversary conspiring with the NM. Let the participant produce two signatures, ($\mathcal{L},𝒽_{1},{\vartheta}_{1}$) and ($\mathcal{L},𝒽_{2},{\vartheta}_{2}$), and submit both of them to the intermediary trusted authority.
Note: Here, ${\mathcal{L}}^{\prime}\ne \mathcal{L}$. If the NM aims to make ${\mathcal{L}}^{\prime}=\mathcal{L}$, then the NM needs to satisfy $(𝒾^{\prime}+{\mathcal{V}}_{ID}{}^{\prime})\mathcal{D}=\left(𝒾+{\mathcal{V}}_{ID}\right)\mathcal{D}$. Furthermore, the NM also needs to know the value ${\mathcal{A}}^{\prime}=\left(𝒾+{\mathcal{V}}_{ID}-{\mathcal{V}}_{ID}{}^{\prime}\right)\mathcal{D}=𝒾^{\prime}\mathcal{D}$, but the NM does not know ${\mathcal{V}}_{ID}$. Thus, by the HCDLP, it is infeasible for the NM to obtain $𝒾$, $𝒻_{p}$ and ${\mathcal{U}}_{ID}$. Hence, ${\mathcal{L}}^{\prime}\ne \mathcal{L}$.
Now, if the above three signatures are valid, then the $\mathcal{L}$ in the triples ($\mathcal{L},𝒽_{1},{\vartheta}_{1}$) and ($\mathcal{L},𝒽_{2},{\vartheta}_{2}$) is the same, whereas (${\mathcal{L}}^{\prime},𝒽^{\prime},{\vartheta}^{\prime}$) carries ${\mathcal{L}}^{\prime}\ne \mathcal{L}$. Hence, (${\mathcal{L}}^{\prime},𝒽^{\prime},{\vartheta}^{\prime}$) was definitely forged by the NM or by an adversary conspiring with the NM. □