A Strong Designated Verifier Proxy Re-Signature Scheme for IoT Environments

Abstract: With the rapid popularization of the Internet of Things (IoT) in our daily lives, the communication security and identity privacy of IoT devices must be ensured. However, the traditional authentication mechanisms used in IoT cannot fully protect a user's privacy when his/her messages are routed via an untrusted intermediate device. Strong designated-verifier proxy re-signature (SDVPRS) is a new cryptographic primitive that combines the advantages of strong designated verifier signatures and proxy re-signatures. SDVPRS is therefore a promising approach to maintaining data integrity and protecting the identity privacy of the signer on a resource-limited IoT device. Nevertheless, designing a secure SDVPRS scheme without random oracles is still a challenging task. In this paper, we focus on such a construction. We first give the formal definition of SDVPRS and its security model. Then, we present the first SDVPRS scheme, which is bidirectional, multi-use and non-transferable, and prove its security under standard complexity assumptions in the standard model. The analysis shows that our SDVPRS scheme not only protects the privacy of the signer's identity but also provides non-delegatability of signature verification. We present an example of a potential application to environmental monitoring systems using our SDVPRS scheme.


Introduction
The Internet of Things (IoT) is rapidly entering all aspects of our daily lives. IoT uses sensors, radio frequency identification (RFID), wireless data communications and other technologies to construct a network that covers all things in the world, making interactions between people and things and between things and things more intelligent and convenient [1]. IoT devices equipped with sensors have the ability to sense and process information, and they are used to collect, transmit and disseminate data from the field to a server or to other IoT devices. IoT has been deployed in many environments, such as smart transportation, smart cities, environmental surveillance, smart homes, military target tracking, biomedical health monitoring and industrial automation [2].
IoT is everywhere in our daily lives and offers great benefits for human life. However, IoT data are transmitted over public networks, and ensuring a user's privacy and data security is of particular importance [3]. In an IoT environment, most devices have limited energy capacity, storage capacity and computing power. Therefore, conventional cryptosystems with heavy computational requirements cannot be deployed directly on resource-constrained IoT devices. Digital signatures guarantee the integrity of data during transmission and also authenticate the identity of the sender. Based on various digital signature techniques, such as identity-based signatures and certificateless signatures, researchers have proposed several schemes [2][3][4][5][6] to ensure the integrity and authenticity of IoT data transmitted over public channels. However, anyone can use the signer's public key to verify such a signature, so these schemes [2][3][4][5][6] reveal private information about the signer (such as the signer's identity). Strong designated verifier proxy re-signature (SDVPRS) provides a better solution to these problems. By combining the features of strong designated verifier signatures (SDVS) and proxy re-signatures (PRS), SDVPRS not only maintains the integrity of IoT data during transmission but also protects the identity privacy of the IoT device that signs the data. In an SDVPRS scheme, only the designated verifier can verify the validity of a signature. Specifically, SDVPRS allows a signer to designate a verifier, and a semi-trusted proxy is allowed to change the signer or the designated verifier of a signature. However, designing an SDVPRS scheme without random oracles is still challenging. Hence, we focus on constructing an SDVPRS scheme in the standard model that can be applied to IoT devices.
PRS, which allows a proxy to transform Alice's signature on a message into Bob's signature on the same message, is an important primitive in cryptography [7]. The proxy by itself, however, is unable to create arbitrary signatures on behalf of Alice or Bob. If the proxy can not only convert Alice's signatures into Bob's but also Bob's into Alice's, the PRS scheme is called bidirectional. If the transformed signatures can be further transformed by the proxy, the scheme is called multi-use. Since PRS can convert signatures, it has been applied to key management, cross-domain identity authentication and other fields [7][8][9].
To let a specific party verify the validity of a signature, the designated verifier signature (DVS) was introduced by Jakobsson et al. [10]. A DVS scheme ensures that only the designated verifier can verify signatures generated by the signer. However, the designated verifier is able to produce simulated signatures that are computationally indistinguishable from the real signatures created by the signer on the same messages. Consequently, a DVS scheme provides authentication, but it does not provide the non-repudiation of ordinary signatures, since only the designated verifier can be sure that a signature was generated by the real signer. In other words, in a DVS scheme both the signer and the designated verifier can generate a valid signature on a message. To prevent an intercepting adversary from checking signatures, Jakobsson et al. [10] further proposed the strong designated verifier signature (SDVS), in which the secret key of the designated verifier is required for signature verification. Since the attacker does not know the verifier's secret key, the validity of an intercepted signature cannot be checked. SDVS has stronger security and many special applications such as voting and deniable authentication [11][12][13].
Based on the concepts of PRS and DVS, designated verifier proxy re-signature (DVPRS) was introduced by Wei et al. [14]. In a DVPRS scheme, a semi-trusted proxy can change the signer or the verifier of a DVS. Consequently, DVPRS has the properties of both PRS and DVS. DVPRS is a useful technique for deniable or anonymous authentication, and it can be applied to fields such as wireless communication networks [15][16][17].
To enhance the privacy of the signer's identity, we introduce in this paper the concept of SDVPRS, a variant of DVPRS. In SDVPRS, the designated verifier's secret key is required for signature verification; thus, the validity of a signature can be checked only by the signer or the designated verifier. An adversary who captures a signature learns only that either the signer or the designated verifier created it, but cannot infer which of them is the real generator. No third party other than the designated verifier learns the true identity of the signer; thus, SDVPRS protects the privacy of the signer's identity. Because SDVPRS combines the advantages of SDVS and PRS, the most significant security requirements, namely integrity, unforgeability, non-transferability and privacy of the signer's identity, can be guaranteed in a single logical step.
The security concepts of DVPRS were presented by Wei et al. [14], but a formal definition of SDVPRS was not considered in [14]. In addition, Wei et al. [14] designed their DVPRS scheme in the random oracle model, and it remains the only published DVPRS scheme. Unfortunately, a proof in the random oracle model does not guarantee security once the random oracles are instantiated with concrete hash functions [18]. In fact, Wei et al.'s proposal [14] is an SDVPRS scheme, since verification of a signature requires the designated verifier's secret key. Therefore, constructing a secure (S)DVPRS scheme without random oracles, i.e., in the standard model, is an open problem.

Our Contributions
In this paper, we first present the security notions of SDVPRS. In contrast to PRS, our formal definition of SDVPRS builds on the security notions of SDVS. Based on Waters' technique [19], we then present a construction of an SDVPRS scheme without random oracles and prove it existentially unforgeable in the standard model. Our SDVPRS scheme is bidirectional, multi-use, transparent and non-transferable. Furthermore, the security proof shows that our scheme ensures the integrity and authenticity of IoT data while protecting the identity privacy of the IoT device. To the best of our knowledge, our proposal is the first (strong) designated verifier PRS scheme without random oracles. Our SDVPRS scheme is thus well suited to protecting the security of IoT data and the identity privacy of the sender.

Related Work
With the substantial development of cloud computing and IoT techniques, data privacy [20][21][22][23], access control [24,25] and message authentication [26][27][28] have become important issues and the focus of many studies. According to the diverse requirements of authentication, various signature schemes, such as homomorphic signature schemes [29,30] and proxy signature schemes [31][32][33], have been proposed. However, most existing message authentication schemes do not consider the privacy of IoT devices. SDVPRS is a new cryptographic primitive with the advantages of both PRS and SDVS, so we introduce SDVPRS to solve the sender's identity privacy problem in IoT environments.
The concept of PRS was presented by Blaze et al. [7] in 1998, and the security definition of PRS was formalized by Ateniese and Hohenberger [34] in 2005. Since then, researchers have designed a large number of PRS schemes with special properties. Hu et al. [35] proposed a secure identity-based proxy re-signature scheme in the standard model, but its security relies on strong hardness assumptions. Tian [36] designed an identity-based proxy re-signature scheme over lattices, but the sizes of its signatures and secret keys are relatively large. Wang and Xia [37] presented an identity-based proxy re-signature scheme with the aggregate property; however, their scheme requires numerous system parameters. To reduce the security risk posed by a single proxy, Yang et al. [38] introduced the concept of threshold proxy re-signature, which distributes the re-signature key among multiple proxies. Yang et al. [39] introduced flexible threshold proxy re-signature, in which different thresholds can be selected according to the importance of the message to be re-signed. To improve the response time of re-signing, Yang et al. [40] proposed an on-line/off-line threshold proxy re-signature scheme, which performs most of the re-signing computation in the off-line phase. To solve the key escrow problem of identity-based proxy re-signature, certificateless proxy re-signature schemes [41,42] have been proposed; unfortunately, these schemes have security flaws [43].
The first DVS scheme was presented by Jakobsson et al. [10] in 1996. Saeednia et al. [44] gave the formal definition of SDVS. Later, further SDVS schemes were presented in [45][46][47]. Hung et al. [48] designed an SDVS scheme in the standard model, but its security additionally depends on that of a pseudo-random function; hence, their scheme carries potential security risks. Based on standard complexity assumptions, Tian et al. [49] designed two SDVS schemes without random oracles. Researchers have also proposed variants of DVS such as universal DVS [50,51] and multi-verifier DVS [52,53]. Until now, the only DVPRS scheme is that of Wei et al. [14], whose security depends on ideal random oracles.
Data security has become an important issue in IoT. When IoT data are transmitted over open and insecure channels, they are vulnerable to various attacks, such as forgery and tampering. To ensure the communication security of IoT devices, Jia et al. [3] proposed a data authentication scheme based on a certificateless signature. Combining aggregate signatures with identity-based signatures, Shen et al. [2] designed a data integrity protection scheme for wireless sensor networks. Kumar et al. [4] proposed a secure data transmission scheme for healthcare wireless sensor networks using certificateless aggregate signatures. Yeh et al. [6] proposed an efficient certificateless signature scheme for IoT devices. However, these schemes [2][3][4][5][6] were proven secure only in the random oracle model, so their proofs do not carry over to instantiations with concrete hash functions. In particular, these schemes protect the integrity of IoT data but at the same time disclose the identity of the IoT device. Motivated by this, we construct an SDVPRS scheme in the standard model to protect both the integrity of IoT data and the privacy of the sender's identity. The proxy converts the IoT device's signature into a group's signature on the same data, thereby reducing the risk that the IoT device is identified from its signature and making data transmission anonymous. No one except the designated verifier can check the validity of the final signature. That is, our scheme allows the integrity and authenticity of IoT data to be verified without revealing the user's identity.

Bilinear Pairing
Assume that p is a large prime, G_1 and G_2 are two multiplicative cyclic groups of order p and g is an arbitrary generator of G_1. A map e : G_1 × G_1 → G_2 is called a bilinear pairing if it satisfies the following conditions.
• Bilinearity: e(g^x, g^y) = e(g, g)^{xy} for all x, y ∈ Z_p.
• Non-degeneracy: e(g, g) ≠ 1.
• Computability: e(g^x, g^y) is efficiently computable for all x, y ∈ Z_p.

Complexity Assumptions
The following problems [34,54] are assumed to be intractable for polynomial-time algorithms.
Definition 1. Given four elements g, g^a, g^b, g^c ∈ G_1, where the unknown values a, b and c are randomly selected from Z_p, the bilinear Diffie-Hellman (BDH) problem in (G_1, G_2) is to compute e(g, g)^{abc} ∈ G_2.
Definition 2. Given g, g^a, g^b, g^c ∈ G_1 and Z ∈ G_2, where the unknown values a, b and c are randomly selected from Z_p, the decisional bilinear Diffie-Hellman (DBDH) problem in (G_1, G_2) is to decide whether Z = e(g, g)^{abc}.
Taking as input (g, g^a, g^b, g^c) ∈ G_1^4 and Z ∈ G_2, the DBDH oracle O_DBDH outputs one if Z = e(g, g)^{abc} and zero otherwise.
Definition 3. Given g, g^a, g^b, g^c ∈ G_1, where the unknown values a, b and c are randomly selected from Z_p, the gap bilinear Diffie-Hellman (GBDH) problem in (G_1, G_2) is to compute e(g, g)^{abc} with the help of the DBDH oracle O_DBDH. The only difference between the BDH problem and the GBDH problem is whether the DBDH oracle O_DBDH is available to the solver.

The Syntax of SDVPRS
An SDVPRS scheme consists of the following nine algorithms.
• Setup: This algorithm takes a security parameter λ ∈ Z as input and produces the system parameters sp.
• KeyGen: Upon input of sp, this algorithm outputs a secret key sk and the corresponding public key pk.
• ReSKey: Upon input of sp, a signer's key pair (pk_A, sk_A) and another signer's key pair (pk_B, sk_B), this algorithm generates a re-signing key rsk_{A→B} for the proxy.
• ReVKey: Upon input of sp and two verifiers' key pairs (pk_C, sk_C) and (pk_D, sk_D), this algorithm generates a re-designate-verifier key rvk_{C→D} for the proxy.
• Sign: This algorithm takes sp, a signer's secret key sk_S, a message m and a designated verifier's public key pk_V as input and outputs a signature σ on m.
• ReSign: This algorithm takes sp, a re-signing key rsk_{A→B} between a signer S_A and another signer S_B, and a signature σ_AC on a message m under the signer S_A and a verifier V_C as input. It outputs a re-signature σ_BC on m under S_B and V_C.
• ReVer: This algorithm takes sp, a re-designate-verifier key rvk_{C→D} between a verifier V_C and another verifier V_D, and a signature σ_AC on a message m under a signer S_A and the verifier V_C as input. It outputs a re-signature σ_AD on m under S_A and V_D.
• Verify: This algorithm takes sp, a signer's public key pk_S, a designated verifier's secret key sk_V, a message m and a signature σ on m as input. It outputs one if σ is valid and zero otherwise.
• Sim: This algorithm takes sp, a signer's public key pk_S, a designated verifier's secret key sk_V and a message m as input. It outputs a simulated signature σ that is indistinguishable from one created by the signer.

Security Model of SDVPRS
An SDVPRS scheme involves three entities: the signer, the proxy and the designated verifier. The security model of SDVPRS considers the following four notions. Two of them, unforgeability and non-delegatability of signature verification, ensure the integrity and authenticity of the IoT data in transit; the other two, non-transferability and privacy of the signer's identity (PSI), prevent any third party from learning the identity of the IoT device from a signature. As in the security model of bidirectional PRS [34], the proxy is assumed to be semi-trusted and is not allowed to collude with the signer or the designated verifier.
Unforgeability means that a valid signature can be generated only by the signer or the designated verifier. We define a game between a challenger C and an adversary A to capture the unforgeability of an SDVPRS scheme.
• Setup: C executes Setup and KeyGen to generate the system parameters sp, the key pair (pk_S, sk_S) of the target signer and the key pair (pk_V, sk_V) of the target verifier. Then, C sends (sp, pk_S, pk_V) and the public keys of the other users to A.
• Queries: A may adaptively query the following oracles built by C.
- O_Sign: Upon input of a message m_i, this oracle outputs a signature σ_i = Sign(sk_S, pk_V, m_i) on m_i.
- O_ReSKey: Upon input of two signers' public keys pk_i and pk_j, this oracle outputs a re-signing key rsk_{i→j} = ReSKey(pk_i, sk_i, pk_j, sk_j), where sk_i and sk_j are the secret keys corresponding to pk_i and pk_j, respectively.
- O_ReVKey: Upon input of two verifiers' public keys pk_i and pk_j, this oracle outputs a re-designate-verifier key rvk_{i→j} = ReVKey(pk_i, sk_i, pk_j, sk_j).
- O_Sim: Upon input of a message m_i, this oracle returns a simulated signature σ_i = Sim(sk_V, pk_S, m_i) on m_i.
- O_Verify: This oracle takes a message m_i and a signature σ_i as input and outputs the decision dec = Verify(sk_V, pk_S, m_i, σ_i), where dec ∈ {0, 1}.

Definition 4.
If no polynomial-time attacker A can win the above game with non-negligible probability, then we say that the bidirectional SDVPRS scheme is existentially unforgeable against adaptive chosen-message attacks.
Non-transferability means that no third party can tell whether the real generator of a signature is the signer or the designated verifier.
Definition 5. If the signatures created by the signer and the signatures simulated by the designated verifier are computationally indistinguishable, then we say that the SDVPRS scheme is non-transferable [14].
PSI ensures that no one other than the designated verifier can infer the signer's true identity from a signature. Specifically, two signers S_0 and S_1 produce signatures for a designated verifier V. Given a signature σ on a message m, anyone without V's secret key is unable to determine whether σ was created by S_0 or by S_1. We define PSI via a game between a distinguisher D and a challenger B.
• Setup: B runs Setup and KeyGen to generate the system parameters sp, S_0's key pair (pk_{S_0}, sk_{S_0}), S_1's key pair (pk_{S_1}, sk_{S_1}) and V's key pair (pk_V, sk_V). Then, B sends (sp, pk_{S_0}, pk_{S_1}, pk_V) to D.
• Phase 1: D may adaptively issue the following oracle queries.
- O_Sign: Upon receiving sp, a message m_i and an index d ∈ {0, 1}, this oracle returns a signature σ_i = Sign(sk_{S_d}, pk_V, m_i) on m_i.
- O_Sim: Upon receiving sp, a message m_i and an index d ∈ {0, 1}, this oracle returns a simulated signature σ_i = Sim(sk_V, pk_{S_d}, m_i) on m_i.
The advantage Adv_D of D in the game is defined as follows:
Definition 6. If the advantage Adv_D of every polynomial-time distinguisher D in the above game is negligible, then we say that the SDVPRS scheme possesses the PSI property.
Non-delegatability of signature verification requires that the validity of a signature can be correctly checked only by someone who knows the secret key of the designated verifier. We use a game between a challenger C and an adversary A to define it.
• Setup: C executes Setup and KeyGen to generate the system parameters sp, the key pair (pk_S, sk_S) of the target signer and the key pair (pk_V, sk_V) of the target verifier. Then, C sends (sp, pk_S, pk_V) to A.
• Queries: C answers A's signing and simulation queries in the same manner as in the unforgeability game of Definition 4.
• Forgery: A finally outputs a forgery (m*, σ*). A wins the game if the following conditions are satisfied.
2. A has never made a signing query or a simulation query on m*.
Definition 7. An SDVPRS scheme is said to be non-delegatable for signature verification if no polynomial-time attacker A can win the above game with non-negligible probability.

System Framework
Our system model, shown in Figure 1, contains three entities: the IoT device, the proxy and the data center. It focuses on the integrity and authenticity of IoT data during transmission while protecting the identity privacy of the IoT device. The proposed SDVPRS scheme can be implemented in software on each IoT device.

Our SDVPRS Scheme
In this section, we present a construction of an SDVPRS scheme based on Waters' signature scheme [19]. In our SDVPRS scheme, the length of a message is assumed to be n bits. A message of arbitrary length is first mapped to n bits with a hash function H : {0, 1}* → {0, 1}^n; for unforgeability on the original message to carry over, H must be collision-resistant. Our SDVPRS scheme works as follows.
• Setup: This algorithm takes a security parameter λ ∈ Z as input and produces the system parameters sp = (G_1, G_2, p, g, e, u_0, u_1, ..., u_n), where G_1 and G_2 are two cyclic groups of prime order p, g is a generator of G_1, e : G_1 × G_1 → G_2 is a bilinear pairing and the n + 1 elements u_0, u_1, ..., u_n are chosen uniformly at random from G_1.
• KeyGen: The signer S randomly selects (x_S, y_S) ∈ Z_p × Z_p, computes pk_{S,1} = g^{x_S} and pk_{S,2} = g^{y_S}, and sets its secret key sk_S = (sk_{S,1}, sk_{S,2}) = (x_S, y_S) and its public key pk_S = (pk_{S,1}, pk_{S,2}) = (g^{x_S}, g^{y_S}).
Similarly, the designated verifier V randomly selects x_V ∈ Z_p, computes pk_V = g^{x_V} and outputs its public/secret key pair (pk_V, sk_V) = (g^{x_V}, x_V).
• ReSKey: To generate a re-signing key rsk_{A→B} between two signers S_A and S_B, the proxy and the two signers proceed as follows:
1. The proxy randomly selects r_1 ∈ Z_p and sends r_1 to S_A.
2. S_A uses its secret key sk_A = (x_A, y_A) to compute r_2 = r_1 / (x_A y_A) (mod p) and forwards r_2 to S_B.
3. S_B uses its secret key sk_B = (x_B, y_B) to compute r_3 = x_B y_B r_2 (mod p) and sends r_3 to the proxy.
4. The proxy computes the re-signing key rsk_{A→B} = r_3 / r_1 = x_B y_B / (x_A y_A) (mod p).
• ReVKey: To generate a re-designate-verifier key rvk_{C→D} between two verifiers V_C and V_D, the proxy and the two verifiers proceed as follows:
1. The proxy randomly selects s_1 ∈ Z_p and sends s_1 to V_C.
2. V_C uses its secret key sk_C = x_C to compute s_2 = s_1 / x_C (mod p) and sends s_2 to V_D.
3. V_D uses its secret key sk_D = x_D to compute s_3 = x_D s_2 (mod p) and returns s_3 to the proxy.
4. The proxy computes the re-designate-verifier key rvk_{C→D} = s_3 / s_1 = x_D / x_C (mod p).
Note that rsk_{A→B} and rvk_{C→D} can be held by different proxies performing different operations, or assigned to a single proxy performing all operations. In practice, each value exchanged in ReSKey and ReVKey must be sent to its intended recipient over a confidential channel (e.g., encrypted with an RSA- or ECC-based public-key scheme): from r_1 and r_2 one recovers x_A y_A, which is all of S_A's secret that Sign uses; from r_2 and r_3 one recovers x_B y_B; and likewise s_1, s_2 and s_3 reveal x_C and x_D. The proxy itself sees only r_1 and r_3 (respectively s_1 and s_3) and therefore learns only the quotient.
• Sign: Given a message m = (m_1, ..., m_n) ∈ {0, 1}^n and the public key pk_V = g^{x_V} of a designated verifier V, the signer S performs the following steps:
1. Choose a random r ∈ Z_p and compute σ_2 = g^r.
2. Compute σ_1 = e(g^{x_S y_S} (u_0 ∏_{i=1}^n u_i^{m_i})^r, g^{x_V}), where (x_S, y_S) is the secret key of S.
3. Output σ = (σ_1, σ_2) as the signature on m.
• ReSign: For a signature σ_AC = (σ_AC,1, σ_AC,2) on a message m with respect to a signer S_A and a verifier V_C, the proxy uses the re-signing key rsk_{A→B} between S_A and S_B to compute a new signature σ_BC on m for the signer S_B and the verifier V_C as σ_BC = (σ_AC,1^{rsk_{A→B}}, σ_AC,2^{rsk_{A→B}}).
• ReVer: Given a re-designate-verifier key rvk_{C→D} between two verifiers V_C and V_D, a message m and a signature σ_AC = (σ_AC,1, σ_AC,2) on m for a signer S_A and the verifier V_C, the proxy computes a new signature σ_AD on m for S_A and V_D as σ_AD = (σ_AC,1^{rvk_{C→D}}, σ_AC,2). Only σ_1 depends on the verifier's key; σ_2 = g^r must be left unchanged, because if it were also raised to rvk_{C→D} = x_D / x_C, the factor e(u_0 ∏ u_i^{m_i}, σ_2)^{x_D} in Verify would carry the exponent r x_D^2 / x_C instead of r x_D and the re-signature would be rejected. (In ReSign, by contrast, both components scale by the same rsk_{A→B}, so the randomness simply becomes r · rsk_{A→B}.)
• Verify: Upon receiving the public key pk_S = (g^{x_S}, g^{y_S}) of a signer S, a message m and a signature σ = (σ_1, σ_2), the designated verifier V uses its secret key sk_V = x_V to check whether
σ_1 = e(pk_{S,1}, pk_{S,2})^{x_V} · e(u_0 ∏_{i=1}^n u_i^{m_i}, σ_2)^{x_V}
holds. If it holds, output one; else, output zero. For an honestly generated signature, σ_1 = e(g^{x_S y_S} (u_0 ∏ u_i^{m_i})^r, g^{x_V}) and σ_2 = g^r, so both sides equal e(g, g)^{x_S y_S x_V} · e(u_0 ∏ u_i^{m_i}, g)^{r x_V}.
• Sim: For a message m and the public key pk_S = (g^{x_S}, g^{y_S}) of a signer S, the designated verifier V with secret key sk_V = x_V randomly selects r ∈ Z_p, computes σ_2 = g^r and
σ_1 = e(g^{x_S}, g^{y_S})^{x_V} · e(u_0 ∏_{i=1}^n u_i^{m_i}, g^r)^{x_V},
and outputs σ = (σ_1, σ_2) as a simulated signature on m with respect to S and V.
Correctness. Suppose that rsk_{A→B} = x_B y_B / (x_A y_A) (mod p) is a re-signing key between S_A and S_B, that σ_AC = (e(g^{x_A y_A} (u_0 ∏_{i=1}^n u_i^{m_i})^{r_A}, g^{x_C}), g^{r_A}) is a signature on m for S_A and V_C, and that σ_BC = (σ_BC,1, σ_BC,2) is derived from σ_AC and rsk_{A→B} by ReSign.
Let r'_A = r_A · x_B y_B / (x_A y_A) (mod p); we have
σ_BC,1 = σ_AC,1^{x_B y_B / (x_A y_A)} = e(g^{x_A y_A} (u_0 ∏_{i=1}^n u_i^{m_i})^{r_A}, g^{x_C})^{x_B y_B / (x_A y_A)} = e(g^{x_B y_B} (u_0 ∏_{i=1}^n u_i^{m_i})^{r'_A}, g^{x_C})
and σ_BC,2 = σ_AC,2^{x_B y_B / (x_A y_A)} = g^{r'_A}. Then we obtain
σ_BC,1 = e(g^{x_B}, g^{y_B})^{x_C} · e(u_0 ∏_{i=1}^n u_i^{m_i}, σ_BC,2)^{x_C},
so σ_BC passes Verify under pk_B and sk_C. Similarly, for rvk_{C→D} = x_D / x_C (mod p), raising σ_AC,1 to rvk_{C→D} gives σ_AD,1 = e(g^{x_A y_A} (u_0 ∏_{i=1}^n u_i^{m_i})^{r_A}, g^{x_D}), which together with σ_AD,2 = g^{r_A} satisfies σ_AD,1 = e(g^{x_A}, g^{y_A})^{x_D} · e(u_0 ∏_{i=1}^n u_i^{m_i}, σ_AD,2)^{x_D}, so σ_AD passes Verify under pk_A and sk_D. Hence, our SDVPRS scheme is correct.
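To check the algebra of the scheme above, including the ReSKey/ReVKey exchanges, ReSign, ReVer and the multi-use chaining of a re-signature, here is an added example that is not code from the paper. It models G_1 and G_2 by discrete logarithms modulo a prime, so that e(g^a, g^b) = e(g, g)^{ab} becomes multiplication of exponents; such a model knows every secret exponent and has no cryptographic security, but it lets a practitioner confirm each verification equation before touching a real pairing library. The prime P, the message length N_BITS, the function names and the `raise_sigma2` switch (which models the variant of ReVer that also exponentiates σ_2, to show that it does not pass Verify) are assumptions of the example.

```python
"""Exponent-level model of the SDVPRS algebra (added example, not the paper's code).
G1 elements are stored as discrete logs to base g, G2 elements as discrete logs to
base e(g, g), both modulo the group order p, so e(g^a, g^b) = e(g, g)^{ab} becomes
multiplication.  The model knows every secret exponent and has no security value;
it only checks the scheme's correctness equations.
"""
import secrets

P = 2**127 - 1   # prime standing in for the group order p (constructed choice)
N_BITS = 8       # message length n (the scheme hashes longer messages to n bits)

def rand_zp():
    """Uniform non-zero element of Z_p."""
    return secrets.randbelow(P - 1) + 1

def setup(n=N_BITS):
    """System parameters: the discrete logs of u_0, u_1, ..., u_n."""
    return [rand_zp() for _ in range(n + 1)]

def waters_hash(u, m):
    """Discrete log of u_0 * prod_i u_i^{m_i} for an n-bit message m (list of 0/1)."""
    return (u[0] + sum(ui * mi for ui, mi in zip(u[1:], m))) % P

def sign(u, sk_s, pk_v, m):
    """Sign: sigma_1 = e(g^{x_S y_S} U(m)^r, g^{x_V}), sigma_2 = g^r."""
    x_s, y_s = sk_s
    r = rand_zp()
    return (x_s * y_s + waters_hash(u, m) * r) * pk_v % P, r

def verify(u, pk_s, sk_v, m, sig):
    """Verify: sigma_1 == e(pk_S1, pk_S2)^{x_V} * e(U(m), sigma_2)^{x_V}."""
    (px, py), (s1, s2) = pk_s, sig
    return s1 == (px * py + waters_hash(u, m) * s2) * sk_v % P

def sim(u, pk_s, sk_v, m):
    """Sim: the verifier forms the same distribution from pk_S and its own x_V."""
    px, py = pk_s
    r = rand_zp()
    return (px * py + waters_hash(u, m) * r) * sk_v % P, r

def reskey_protocol(sk_a, sk_b):
    """ReSKey as the three-message exchange proxy -> S_A -> S_B -> proxy."""
    (x_a, y_a), (x_b, y_b) = sk_a, sk_b
    r1 = rand_zp()                          # proxy picks r_1
    r2 = r1 * pow(x_a * y_a, -1, P) % P     # S_A: r_2 = r_1 / (x_A y_A)
    r3 = x_b * y_b * r2 % P                 # S_B: r_3 = x_B y_B r_2
    return r3 * pow(r1, -1, P) % P          # proxy: r_3 / r_1 = x_B y_B / (x_A y_A)

def revkey_protocol(sk_c, sk_d):
    """ReVKey as the three-message exchange, yielding x_D / x_C."""
    s1 = rand_zp()                          # proxy picks s_1
    s2 = s1 * pow(sk_c, -1, P) % P          # V_C: s_2 = s_1 / x_C
    s3 = sk_d * s2 % P                      # V_D: s_3 = x_D s_2
    return s3 * pow(s1, -1, P) % P          # proxy: s_3 / s_1

def resign(sig, rsk):
    """ReSign raises both components to rsk_{A->B}."""
    return sig[0] * rsk % P, sig[1] * rsk % P

def rever(sig, rvk, raise_sigma2=False):
    """ReVer raises sigma_1 to rvk_{C->D}; sigma_2 = g^r must stay as it is.
    raise_sigma2=True models the variant that also raises sigma_2 (fails Verify)."""
    return sig[0] * rvk % P, (sig[1] * rvk % P if raise_sigma2 else sig[1])

def run_checks(m=None):
    """Run one instance of the whole scheme; returns named boolean outcomes."""
    u = setup()
    m = list(m) if m is not None else [secrets.randbelow(2) for _ in range(N_BITS)]
    sk_a = pk_a = (rand_zp(), rand_zp())    # signer pk = (g^x, g^y) stored as (x, y)
    sk_b = pk_b = (rand_zp(), rand_zp())
    sk_c = pk_c = rand_zp()                 # verifier pk = g^x stored as x
    sk_d = pk_d = rand_zp()
    sig_ac = sign(u, sk_a, pk_c, m)
    rsk, rvk = reskey_protocol(sk_a, sk_b), revkey_protocol(sk_c, sk_d)
    sig_bc, sig_ad = resign(sig_ac, rsk), rever(sig_ac, rvk)
    sig_bd = rever(sig_bc, rvk)             # multi-use: re-designate a re-signature
    tampered = m[:]
    tampered[0] ^= 1
    return {
        "sign_verifies": verify(u, pk_a, sk_c, m, sig_ac),
        "sim_verifies": verify(u, pk_a, sk_c, m, sim(u, pk_a, sk_c, m)),
        "resign_verifies": verify(u, pk_b, sk_c, m, sig_bc),
        "rever_verifies": verify(u, pk_a, sk_d, m, sig_ad),
        "multi_use_verifies": verify(u, pk_b, sk_d, m, sig_bd),
        "other_verifier_rejects": not verify(u, pk_a, sk_d, m, sig_ac),
        "tampered_message_rejects": not verify(u, pk_a, sk_c, tampered, sig_ac),
        "raising_sigma2_in_rever_rejects":
            not verify(u, pk_a, sk_d, m, rever(sig_ac, rvk, raise_sigma2=True)),
        "rsk_equals_quotient": rsk == sk_b[0] * sk_b[1] * pow(sk_a[0] * sk_a[1], -1, P) % P,
        "rvk_equals_quotient": rvk == sk_d * pow(sk_c, -1, P) % P,
    }

if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:34s} {'ok' if ok else 'FAIL'}")
```

Every entry of `run_checks()` should be true. The negative checks rely on the group order being prime (so non-zero products never vanish) and on the two verifiers' keys differing, which holds except with probability about 2^-127 for the random keys drawn here.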
Remark 1. From a re-signing key rsk_{A→B} between S_A and S_B, it is easy to obtain the key rsk_{B→A} = 1 / rsk_{A→B} between S_B and S_A, which converts S_B's signatures into S_A's signatures. From a re-designate-verifier key rvk_{C→D} between V_C and V_D, we can likewise obtain the key rvk_{D→C} = 1 / rvk_{C→D}, which changes the verifier of a signature from V_D to V_C. Hence, our SDVPRS scheme is bidirectional.

Remark 2.
Since σ_BC and σ_AD are obtained from σ_AC by exponentiation with rsk_{A→B} and rvk_{C→D}, respectively, they have exactly the form of signatures output by the Sign algorithm. Hence, signatures produced by ReSign and ReVer are computationally indistinguishable from those produced by Sign (transparency), and they can themselves be re-signed or re-designated again, which shows that the proposed SDVPRS scheme possesses the multi-use property.
Remark 3.
If σ = (e(g^{x_S y_S} (u_0 ∏_{i=1}^n u_i^{m_i})^r, g^{x_V}), g^r) is a signature created by the signer S on the message m, then the designated verifier V can also output a valid signature σ' = (e(g^{x_S}, g^{y_S})^{x_V} · e(u_0 ∏_{i=1}^n u_i^{m_i}, g^{r'})^{x_V}, g^{r'}) on the same message m. Consequently, the distribution of σ' is identical to that of σ. This implies that signatures generated by the Sign algorithm are indistinguishable from those simulated by the Sim algorithm. Therefore, our SDVPRS scheme is non-transferable.

Theorem 1.
If the GBDH problem is intractable, then our proposed SDVPRS scheme is existentially unforgeable against adaptive chosen-message attacks in the standard model.

Proof of Theorem 1.
Let A be an attacker against the unforgeability of the proposed scheme with success probability ε. A is allowed to make at most q_S signing queries, q_V verification queries, q_Sim simulation queries, q_rsk re-signing key queries and q_rvk re-designate-verifier key queries. We build an algorithm C that uses A's output to solve the GBDH problem. Given an instance (g, g^a, g^b, g^c) ∈ G_1^4 of the GBDH problem, C's goal is to compute e(g, g)^{abc} with access to the oracle O_DBDH. C acts as the challenger and answers A's queries as follows.
In addition, C randomly selects x_i, y_i, z_j ∈ Z_p and sets the public key of signer i to pk_i = (g^{a x_i}, g^{b y_i}) and the public key of verifier j to pk_j = g^{c z_j}, for i = 1, ..., 2q_rsk and j = 1, ..., 2q_rvk. The public key of the target signer is set to pk_S = (pk_{S,1}, pk_{S,2}) = (g^a, g^b), and the public key of the target designated verifier to pk_V = g^c. This implicitly sets sk_S = (a, b) as the target signer's secret key and sk_V = c as the target verifier's secret key, although (a, b) and c are unknown to C. Finally, C sends (G_1, G_2, p, g, e, u_0, u_1, ..., u_n, pk_S, pk_V) and the public keys of the other users to A.
Given any n-bit message m = (m_1, ..., m_n), we define two functions F(m) and J(m) to simplify the expressions.
• Queries: C builds the following oracles to answer A's queries.
- O_Sign: Upon receiving a message m, C checks whether F(m) = 0 (mod l_m). If so, C aborts. Otherwise, C randomly selects r ∈ Z_p, computes σ_1 from F(m), J(m) and r together with σ_2 = g^r, and returns the signature σ = (σ_1, σ_2) on m to A.
Correctness: A signature σ = (σ_1, σ_2) produced by C in this way satisfies the signature verification equation, so σ is valid. Moreover, its distribution is identical to that of a signature created by the real signer, so the two are indistinguishable from A's view.
- O_ReSKey: Upon receiving two signers' public keys pk_i and pk_j, C computes rsk_{i→j} = (a x_j · b y_j) / (a x_i · b y_i) = (x_j · y_j) / (x_i · y_i) (mod p) and returns the re-signing key rsk_{i→j} to A.
- O_ReVKey: Upon receiving two verifiers' public keys pk_i and pk_j, C computes rvk_{i→j} = (c z_j) / (c z_i) = z_j / z_i (mod p) and returns the re-designate-verifier key rvk_{i→j} to A.
- O_Sim: This oracle is answered in the same way as O_Sign.
- O_Verify: Upon receiving a message m and a signature σ = (σ_1, σ_2), C responds as follows.
(1) If F(m) ≠ 0 (mod p), then C creates another signature σ~ = (σ~_1, σ~_2) on m exactly as in O_Sign. If σ is a valid signature on m, it satisfies the signature verification equation, and the valid signature σ~ computed by C satisfies the same equation; combining the two equations yields a BDH tuple, which C submits to O_DBDH, and C forwards the oracle's answer to A.
(2) If F(m) = 0 (mod p), then C queries O_DBDH on (g, g^a, g^b, g^c, σ_1 / e(g^c, σ_2)^{J(m)}). If O_DBDH returns one, C sends one to A; otherwise, C sends zero to A.
Correctness of case (2): if σ = (σ_1, σ_2) is a valid signature, then σ_1 = e(g^a, g^b)^c · e(u_0 ∏_{i=1}^n u_i^{m_i}, σ_2)^c. Since u_0 ∏_{i=1}^n u_i^{m_i} = g^{J(m)} when F(m) = 0 (mod p), this gives e(g, g)^{abc} = σ_1 / e(g^c, σ_2)^{J(m)}, so (g, g^a, g^b, g^c, σ_1 / e(g^c, σ_2)^{J(m)}) is a valid BDH tuple.
• Forgery: A outputs a message/signature pair (m*, σ*) = (m*, (σ*_1, σ*_2)), where m* has never been submitted to O_Sign or O_Sim. If F(m*) ≠ 0 (mod p), then C terminates the simulation. Otherwise, exactly as in case (2) of O_Verify, C obtains the solution of the given GBDH instance as e(g, g)^{abc} = σ*_1 / e(g^c, σ*_2)^{J(m*)}.
We now analyze the probability that C solves the GBDH instance. If C completes the entire simulation without aborting, the following events must occur.
• A_1: Every message m_j submitted to the signing, simulation and verification oracles satisfies F(m_j) ≠ 0 (mod l_m).
• A_2: The forged message m* satisfies F(m*) = 0 (mod p).
Since l_m(n + 1) < p, and since the two events A_1 and A_2 are independent, we have Pr[A_1 ∧ A_2] = Pr[A_1] · Pr[A_2], and we conclude:
The probability ε' that C solves the GBDH problem is at least ε / (4(n + 1)(q_S + q_Sim + q_V)).
Theorem 2. If the DBDH problem is intractable, then our SDVPRS scheme possesses the PSI property.
Proof of Theorem 2. Let D be a polynomial-time distinguisher against the PSI property of the proposed SDVPRS scheme. We construct an algorithm B that invokes D to solve the DBDH problem. Upon receiving a DBDH instance $(g, g^a, g^b, g^c, Z)$, where $a, b, c \in \mathbb{Z}_p$ and $Z \in G_2$, the task of B is to decide whether $Z = e(g, g)^{abc}$ holds.
• Setup: B selects $x, y, w_0, w_1, \ldots, w_n \in \mathbb{Z}_p$ at random and sets $u_0 = g^{w_0}$ and $u_i = g^{w_i}$ ($1 \le i \le n$). Then, B assigns the signer $S_0$'s public key $pk_{S_0} = (g^a, g^b)$, the signer $S_1$'s public key $pk_{S_1} = (g^x, g^y)$ and the public key $pk_V = g^c$ of the designated verifier V. B sets the common secret key between $S_0$ and V as $sk_{S_0 \leftrightarrow V} = Z$. Additionally, B sets the common secret key between $S_1$ and V as $sk_{S_1 \leftrightarrow V} = e(g^x, g^c)^y$. Finally, B sends $(G_1, G_2, p, g, e, u_0, u_1, \ldots, u_n, pk_{S_0}, pk_{S_1}, pk_V)$ to D.
Given any n-bit message $m = (m_1, \ldots, m_n)$, we define the function $K(m) = w_0 + \sum_{i=1}^{n} w_i m_i$. Thus, we have:
• Phase 1: D adaptively issues queries to the following oracles.
- $O_{Sign}$: Upon receiving an index $d \in \{0, 1\}$ and a message m, B selects $r \in \mathbb{Z}_p$ at random and uses the common secret key $sk_{S_d \leftrightarrow V}$ to compute: and $\sigma_2 = g^r$. Then, B sends the signature $\sigma = (\sigma_1, \sigma_2)$ of m to D.
- $O_{Sim}$: This oracle is the same as $O_{Sign}$.
- $O_{Verify}$: When D issues a verification query on a signature $\sigma = (\sigma_1, \sigma_2)$ of a message m and an index $d \in \{0, 1\}$, B computes $K(m)$ and uses $sk_{S_d \leftrightarrow V}$ to check whether the following equation holds: If it holds, then B sends one to D; else, B sends zero to D.
Correctness: For a signature $\sigma = (\sigma_1, \sigma_2)$ associated with the signer $S_d$ and the verifier V, we have: This shows that B can correctly verify the validity of the signature submitted by D.
Therefore, B can successfully solve the DBDH instance with probability at least $2\varepsilon$.

Theorem 3. If the BDH problem is intractable, then our SDVPRS scheme is non-delegatable for signature verification.
Proof of Theorem 3. Let A be a polynomial-time attacker against the non-delegatability of signature verification. Given a BDH tuple $(g, g^a, g^b, g^c) \in G_1^4$, we construct an algorithm C that uses A's forgery to compute $Z = e(g, g)^{abc}$.
• Setup: C sets the system parameters sp, the signer's public key $pk_S = (g^a, g^b)$ and the designated verifier's public key $pk_V = g^c$ in the same way as in the proof of Theorem 1.
• Queries: C answers A's signing and simulation queries in the same manner as in the proof of Theorem 1.
• Forgery: Eventually, A produces a message/signature pair $(m^*, \sigma^* = (\sigma^*_1, \sigma^*_2))$. If $F(m^*) \neq 0 \pmod p$, then C terminates the simulation. Otherwise, C evaluates $J(m^*)$ and outputs the BDH value: The probability analysis of C successfully solving the BDH problem is similar to that of Theorem 1.

Performance Evaluation
This section compares the performance of our SDVPRS scheme with Wei et al.'s DVPRS scheme [14] with respect to the security model, the size of the secret key, the signature length and the computational overhead. The comparison results are shown in Tables 1 and 2. We use the PBC library to evaluate the time cost of the cryptographic operations. We select the curve a.param of Type A in the PBC-0.47-VC library to perform the bilinear pairing, and p is a 512-bit prime. The simulation environment is a laptop running the Windows 10 operating system with an Intel(R) Core(TM) i7-6500 CPU @ 2.59 GHz and 8 GB of RAM. Since the computational overhead of the other cryptographic operations is relatively small, we only consider the time-consuming exponentiation and bilinear pairing operations. To simplify the description, let E denote an exponentiation, which takes 7.46 ms, and let P denote a bilinear pairing operation, which takes 14.13 ms. |p| denotes the length of an element in $\mathbb{Z}_p$, which is 20 bits, and $|G_1|$ denotes the length of an element in $G_1$, which is 128 bits. In Table 1, KeySize and SigSize denote the size of a secret key and of a signature, respectively.
Table 1 presents the comparison of the communication overhead based on the size of the secret key and the signature. In both our SDVPRS scheme and Wei et al.'s scheme [14], the size of the secret key is 2|p| (40 bits). In our SDVPRS scheme, the length of a signature is $2|G_1|$ (256 bits). The length of a signature in Wei et al.'s scheme [14] is $|G_1|$ (128 bits), but that scheme is only proven secure in the random oracle model.
Table 2 presents the comparison between our SDVPRS scheme and Wei et al.'s DVPRS scheme [14] in terms of the computational overhead of the Sign, ReSign, ReVer and Verify algorithms. Note that $g^{x_S y_S}$ and $e(g^{x_S}, g^{y_S})^{x_V}$ can be pre-computed in our scheme. To generate a signature, our scheme needs two exponentiations and one bilinear pairing operation (29.05 ms), while Wei et al.'s scheme [14] needs one exponentiation and one bilinear pairing operation (21.59 ms). For signature conversion, our scheme requires two exponentiations (14.92 ms), while Wei et al.'s scheme [14] requires one exponentiation (7.46 ms). For signature verification, our scheme needs one exponentiation and one bilinear pairing operation (21.59 ms), while Wei et al.'s scheme [14] requires one exponentiation and two bilinear pairing operations (35.72 ms).
From the above analysis, we observe that our scheme is comparable in computational performance to Wei et al.'s scheme [14]. However, our SDVPRS scheme provides a stronger security guarantee because its security does not rely on idealized random oracles.

Application for Environmental Monitoring System
We describe an environmental monitoring data transmission system built on our proposed SDVPRS scheme. This system, as shown in Figure 2, consists of three kinds of entity: an IoT device, a server node and a set of n data centers that store IoT data. The IoT device A, belonging to a group B, is mainly responsible for collecting environmental data and generating signatures on these data. Each data center $U_i$ has powerful computing and storage capabilities to store or analyze the environmental data sent by IoT devices. For example, data centers receiving environmental data are usually government agencies, universities, research institutes or various types of environmental companies. The server node S acts as a proxy with a certain amount of computing power and communication capability. It can convert the signature of the IoT device A into a signature of the group B to which the IoT device belongs, and send the environmental monitoring data and the corresponding signature anonymously to a subset of designated data centers (denoted by $\{U_1, \ldots, U_n\}$). The system consists of four phases: system setup, data acquisition, data transmission and data storage. The environmental monitoring data transmission system is described as follows.

• System setup: The system parameters $sp = (G_1, G_2, p, g, e, u_0, u_1, \ldots, u_n)$ are generated by the Setup algorithm in Section 4. Each entity in the system generates its public/secret key pair (pk, sk) by running the KeyGen algorithm in Section 4.
1. The IoT device A sets its secret key $sk_A = (sk_{A,1}, sk_{A,2}) = (x_A, y_A)$ and public key $pk_A = (pk_{A,1}, pk_{A,2}) = (g^{x_A}, g^{y_A})$. Similarly, the group B in which the IoT device A is located sets its secret key $sk_B = (sk_{B,1}, sk_{B,2}) = (x_B, y_B)$ and public key $pk_B = (pk_{B,1}, pk_{B,2}) = (g^{x_B}, g^{y_B})$.
2. Each data center $U_i$ sets its public/secret key pair $(pk_i, sk_i) = (g^{x_i}, x_i)$, $i = 1, \ldots, n$.
3. The server node S runs the ReSKey algorithm in Section 4 to generate the re-signing key $rsk_{A \to B} = \frac{x_B y_B}{x_A y_A} \pmod p$ between the IoT device A and the group B. The server node S then runs the ReVKey algorithm in Section 4 to generate the re-designate-verifier key $rvk_{1 \to i} = \frac{x_i}{x_1} \pmod p$ between the data center $U_1$ and each other data center $U_i$ ($i = 2, \ldots, n$).
Figure 3 plots the running time (ms) against the length of the data (bit).
In the data transmission phase, the server node needs two exponentiations to convert the signature $\sigma_{A1}$ of the IoT device into the signature $\sigma_{B1}$ of its group. In addition, the server node needs two exponentiations to change the data center $U_1$ in $\sigma_{B1}$ to the data center $U_i$. Figure 4 shows that when the total number of data centers is 2, 4, 6, 8 and 10, the computational overhead required by the server node is approximately 29 ms, 60 ms, 92 ms, 125 ms and 156 ms, respectively.
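The two proxy keys of step 3 are ratios in $\mathbb{Z}_p$, so they are computed with modular inverses, and the same algebra underlies the simulator's $rvk_{i \to j} = \frac{c z_j}{c z_i}$ in the proof of Theorem 1. The following added example (not code from the paper) computes ReSKey and ReVKey as given above and checks, in a constructed toy group (p = 1019, q = 2p+1 = 2039, generator 4 of the order-p subgroup of $\mathbb{Z}_q^*$, standing in for the paper's pairing groups), that one exponentiation by the proxy turns the A/$U_1$ common secret into the B/$U_1$ secret and then into the B/$U_i$ secret, that the keys are bidirectional and compose (multi-use), and that the simulator's factor c cancels. The pairing value $e(g^{x_S}, g^{y_S})^{x_V} = e(g,g)^{x_S y_S x_V}$ is modelled as $g^{x_S y_S x_V}$, which is an assumption of the toy model; the full Sign and Verify algorithms are not reproduced. All key values are constructed.

```python
# Added example (not code from the paper): the proxy-side key algebra of the
# system setup.  Secret keys are elements of Z_p, so the re-signing key
# rsk_{A->B} = x_B y_B / (x_A y_A) (mod p) and the re-designate-verifier key
# rvk_{1->i} = x_i / x_1 (mod p) are computed with modular inverses.  The
# paper's pairing groups are replaced (assumption) by a toy order-p subgroup
# of Z_q^* with q = 2p + 1, p = 1019, generated by g = 4; the pairing value
# e(g^{x_S}, g^{y_S})^{x_V} = e(g, g)^{x_S y_S x_V} is modelled as
# g^{x_S y_S x_V}, which is all the proxy's exponent arithmetic depends on.
P, Q, G = 1019, 2039, 4   # constructed toy parameters, not the paper's 512-bit curve


def inv(a: int) -> int:
    """Modular inverse in Z_p (pow with exponent -1 needs Python 3.8+)."""
    return pow(a % P, -1, P)


def re_sign_key(sk_from: tuple[int, int], sk_to: tuple[int, int]) -> int:
    """ReSKey: rsk_{from->to} = x_to y_to / (x_from y_from) (mod p)."""
    x1, y1 = sk_from
    x2, y2 = sk_to
    return x2 * y2 * inv(x1 * y1) % P


def re_verifier_key(x_from: int, x_to: int) -> int:
    """ReVKey: rvk_{from->to} = x_to / x_from (mod p)."""
    return x_to * inv(x_from) % P


def common_secret(sk_s: tuple[int, int], x_v: int) -> int:
    """Toy stand-in for sk_{S<->V} = e(g^{x_S}, g^{y_S})^{x_V}."""
    x_s, y_s = sk_s
    return pow(G, x_s * y_s * x_v % P, Q)


def convert(value: int, key: int) -> int:
    """One exponentiation by the proxy: value^key in the toy group."""
    return pow(value, key, Q)


def proxy_demo() -> dict[str, bool]:
    """Constructed keys: device A, group B, a second group C, data centers U1, U2."""
    sk_a, sk_b, sk_c = (123, 456), (789, 321), (55, 911)
    x_1, x_2 = 77, 555
    rsk_ab = re_sign_key(sk_a, sk_b)
    rvk_12 = re_verifier_key(x_1, x_2)
    return {
        # re-signing: the A/U1 secret becomes the B/U1 secret with one exponentiation
        "resign": convert(common_secret(sk_a, x_1), rsk_ab) == common_secret(sk_b, x_1),
        # re-designation: the B/U1 secret becomes the B/U2 secret
        "redesignate": convert(common_secret(sk_b, x_1), rvk_12) == common_secret(sk_b, x_2),
        # bidirectional: the reverse key is the inverse of the forward key
        "bidirectional": re_sign_key(sk_b, sk_a) == inv(rsk_ab),
        # multi-use: keys compose, A->B followed by B->C equals A->C
        "multi_use": rsk_ab * re_sign_key(sk_b, sk_c) % P == re_sign_key(sk_a, sk_c),
        # Theorem 1 simulation: the simulator's common factor c cancels in rvk
        "simulator": re_verifier_key(42 * x_1 % P, 42 * x_2 % P) == rvk_12,
        # trust caveat: rsk together with sk_A yields the product x_B y_B (mod p)
        "caveat": rsk_ab * sk_a[0] * sk_a[1] % P == sk_b[0] * sk_b[1] % P,
    }


if __name__ == "__main__":
    for name, ok in proxy_demo().items():
        print(f"{name}: {ok}")
```

The last check is the reason the server node is modelled as semi-trusted: a re-signing key is a ratio of the two parties' key products, so whoever holds $rsk_{A \to B}$ together with $sk_A$ can recover $x_B y_B \pmod p$. Deployments should therefore keep the proxy's re-signing keys separate from the devices' secret keys.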

Figure 4 plots the running time (s) against the number of data centers.
For the data storage phase, the signature verification equation of the data is: $\sigma_{Bi,1} = e(g^{x_B}, g^{y_B})^{x_i} \cdot e(u_0$ where $e(g^{x_B}, g^{y_B})^{x_i}$ can be pre-computed. When the length of the data is 100 bits, 300 bits, 500 bits, 700 bits and 900 bits, the time overhead required by each data center is as shown in Figure 5. Because the server nodes and data centers have strong computing power, our proposal is practical.
Figure 5 plots the running time (ms) against the length of the data (bit).

Conclusions
Data authenticity and identity privacy are still critical issues for IoT devices. To secure IoT devices, a new SDVPRS technique for the IoT environment is presented in this paper. First, we present the security notions of SDVPRS, and then we propose the first construction of an SDVPRS scheme without random oracles. Furthermore, we prove that the proposed scheme is secure in the standard model based on the BDH, GBDH and DBDH problems. The security proofs demonstrate that our SDVPRS scheme can protect the identity privacy of IoT devices while ensuring the authenticity and integrity of IoT data. Our SDVPRS scheme is therefore well suited to IoT-based data transmission systems.
$1\}$ and a signature σ on a message m as input, this oracle outputs a decision $dec = \mathrm{Verify}(sk_V, pk_{S_d}, m, \sigma)$, where $dec \in \{0, 1\}$.
- $O_{ReSign}$: Upon input of sp, a message $m_d$, an index $d \in \{0, 1\}$, a signature $\sigma_d$ on $m_d$ and an index $d_2 \in \{0, 1\}$, this oracle outputs a re-signature $\sigma_{d_2} = \mathrm{ReSign}(\mathrm{ReVKey}(pk_d, sk_d, pk_{d_2}, sk_{d_2}), m_d, pk_d, \sigma_d)$ on $m_d$.
• Challenge: Upon receiving a challenge message $m^*$ submitted by D, B first selects a random bit $b \in \{0, 1\}$ and runs the algorithm Sign to generate a signature $\sigma^* = \mathrm{Sign}(sk_{S_b}, pk_V, m^*)$. Then, B returns $\sigma^*$ to D.
• Phase 2: D continues to query $O_{Sign}$, $O_{Sim}$ and $O_{Verify}$ as defined in Phase 1, but D is not allowed to submit $(m^*, \sigma^*)$ to $O_{Verify}$.
• Guessing Phase: D finally outputs a guess $b' \in \{0, 1\}$. The distinguisher D wins the game if $b' = b$.

• IoT device: This entity has very limited computing and communication capabilities. Each IoT device uses its secret key to sign the data collected from the physical world and then sends the data and its signature to the proxy.
• Proxy: This entity is usually served by a semi-trusted server with a certain amount of computation and communication power. To ensure the security of data storage, IoT data are stored by multiple data centers for consumers of different security levels. The proxy uses the re-signing key $rsk_{A \to B}$ to convert the signature $\sigma_{AC}$ generated by the IoT device into the group's signature $\sigma_{BC}$ on the same message m, so that the data center only learns that $\sigma_{BC}$ is a valid signature on m but cannot infer the identity of the real signer. After receiving $(m, \sigma_{BC})$, another proxy uses the re-designate-verifier key $rvk_{C \to D_i}$ to convert the signature $\sigma_{BC}$ into the signature $\sigma_{BD_i}$ for every data center, and it sends the IoT data m and $\sigma_{BD_i}$ to the i-th data center, where $i \in \{1, \ldots, n\}$.
• Data center: This entity has high computing and storage capacities. After verifying the validity of the received signature, each data center stores the authentic IoT data.

Figure 1. System framework for IoT data authenticity.
- $O_{ReSign}$: Upon input of a message $m_d$, an index $d \in \{0, 1\}$, a signature $\sigma_d$ on $m_d$ and an index $d_2 \in \{0, 1\}$, B first performs a verification query $O_{Verify}$ with input $(m_d, d, \sigma_d)$ to obtain the corresponding decision $dec \in \{0, 1\}$. If $dec = 0$, then B returns ⊥; otherwise, B obtains a signature $\sigma_{d_2}$ related to $S_{d_2}$ and V by querying the oracle $O_{Sign}$ with input $(m_d, d_2)$. Then, B sends $\sigma_{d_2}$ to D as a re-signature on $m_d$.
• Challenge: After receiving a challenge message $m^*$ submitted by D, B first randomly selects a bit $b \in \{0, 1\}$ and queries the oracle $O_{Sign}$ on input $(m^*, b)$ to obtain the corresponding signature $\sigma^*$ of $m^*$. Then, B sends $\sigma^*$ to D. Note that if $b = 0$, then $Z = e(g, g)^{abc}$; otherwise, $Z = e(g^x, g^c)^y$ is a random element in $G_2$.
• Phase 2: B handles the subsequent queries submitted by D as in Phase 1, and D is not allowed to query $O_{Verify}$ with input $(m^*, \sigma^*, d)$, where $d \in \{0, 1\}$.
• Guessing Phase: D eventually produces a guess $b' \in \{0, 1\}$. B outputs one if $b' = b$ and zero otherwise. If D can correctly guess b such that $b' = b$, then we have:

Figure 2. Environmental monitoring data transmission based on IoT.

Figure 3. Time cost of the IoT device.

Figure 4. Time cost of the server node.

Figure 5. Time cost for verifying signature validity in each data center.

Table 2. Comparison of computational overhead.