Improving Throughput of Mobile Sensors via Certificateless Signature Supporting Batch Verification

Abstract

Mobile sensors enjoy the advantages of easy installation and low consumption, which have been widely adopted in many information systems. In those systems where data are generated rapidly, the throughput of the sensors is one of the most fundamental factors that determine the system functionality. For example, to guarantee data integrity, digital signature techniques can be applied. In many practical scenarios, such as the smart grid system, data are generated rapidly and, hence, the signature together with the data must also be transmitted and verified in time. This requires the mobile sensors to support a high-throughput data processing ability. In this setting, how to achieve efficient signature schemes supporting batch verification must be considered. Many signatures, such as the original national cryptographic standard, namely, the SM2 algorithm, do not support batch verification and are in a public-key infrastructure setting. In this paper, we propose a SM2-based certificateless signature scheme with batch verification, which is suitable for the aforementioned environment. The scheme extends the Chinese cryptographic standard SM2 algorithm to the certificateless setting and multiple signatures can be verified simultaneously. Another advantage of this scheme is that its signing phase does not involve any pairing operation. The verification phase only requires a constant pairing operation, which is not related to the number of signatures to be verified. The construction is generic and can be instantiated using any traditional signature scheme.

1. Introduction

A smart grid is a new type of network based on multiple power devices, which integrates a power data transmission function and power transmission function. These terminal devices often have limited hardware resources while generating mass data. How to increase throughput while ensuring data validation with limited hardware resources is an urgent problem that smart grids face. The validation of power data ensures, on the one hand, the integrity of data. Integrity directly affects the statistical, regulatory, and distribution of the electricity resources. In addition, considering the uncertain work environment of these devices, it is inevitable that sensor equipment malfunctions lead to data anomalies. At this point, it is necessary to quickly locate the device sending the abnormal data. Therefore, tracing the source of the error data is also a function that needs to be implemented. Digital signature technology can protect data from tampering and repudiation, which is sufficient for the data requirements of smart grids.

The earliest digital signature schemes mostly relied on the public-key infrastructure (PKI) setting, which bound user identity and public key information through the issuance of certificates by a CA (a certificate authority). However, this certificate can bring complex certificate management issues to the system and have high requirements for communication bandwidth and storage resources for devices so that it is unsuitable for grid devices. To address this issue, cryptography researchers have proposed identity-based cryptosystems (IBCs) [1,2] that directly use some identifiable information as public keys, such as phone numbers and email addresses. However, the private key comes entirely from the private key generator (PKG) in IBCs. This centralized trust dependency brings serious key escrow problems. Once the PKG center is attacked, it brings security issues to all subordinate devices. The certificateless public-key cryptosystem (CLPKC) inherits the advantages of the previous systems. In the CLPKC, there is neither certificates nor the problem of key escrow. Therefore, the CLPKC is more suitable for smart grid equipment in resource constrained scenarios.

In detail, many smart grid sensors are embedded with sequential numbers in the equipment. The sequential numbers can be treated as identities of the users in the systems and can be used to verify signatures or trace the origin of the message. On the other hand, the identity-based setting is not enough for the smart grid environment since there are large numbers of nodes in the system and it is not easy to select a widely adopted and fully trusted third party as the PKG. Therefore, certificateless cryptography is a prominent candidate for such a system. As is known to all, the pairing operations are comparatively complex and take much more time for computation than other group structures like the elliptic curve setting. However, many certificateless cryptographic schemes share similar algebraic structures to the identity-based constructions and are built upon pairing-friendly groups. Pairing-free certificateless signature schemes have not been widely developed, especially the scheme derived from the national cryptographic standard. To sum up, signature schemes that satisfy the pairing-free, certificateless setting, based on the published standard have many applications in smart grid system. Unfortunately, few constructions have been studied in the literature.

In addition, due to the high real-time requirements of data in the power system, the signature algorithm used must be able to calculate quickly [3]. The terminal node may generate electricity data at any time, and the server will receive multiple data streams from multiple nodes at the same time. The server must be able to quickly process signature verification, which requires the signature algorithm to preferably support batch verification. In these systems, both efficiency [4] and privacy-preserving properties [5] need to be taken into consideration. Signatures that support batch verification can solve this problem. Namely, the signatures on the data collected from various sensors and other equipment can be aggregated in a certain node before being transmitted to the center and can later be verified together. The framework is shown in Figure 1.

Figure 1. Framework of certificateless signature with batch verification.

1.1. Related Work

The CLPKC was first proposed by Al-Riyami and Paterson [6] to deal with the key escrow problem in the identity-based encryption (IBE) system [2]. They provided the construction of three schemes including encryption, signature, and key agreement. In addition, two basic adversary models in the certificateless cryptosystem were identified, namely, Type I adversary and Type II adversary. Due to the excellent properties of no-certificate, many researchers were attracted and many follow-up work was proposed. Yum and Lee summarized a general secure construction method of the certificateless signature (CLS) scheme [7] and certificateless encryption (CLE) scheme [8]. However, later these constructions were proved to be unsafe by Hu et al. [9] and Libert et al. [10]. In 2005, Huang et al. [11] proved that there was a security risk in the original Al-Riyami and Paterson scheme [6]. Au et al. [12] re-examined the security model of CLPKC and proposed the concept of a new adversary model called the malicious key generation center (KGC). Huang et al. [13] further subdivided each type opponent into three levels based on their attack capabilities and provided a super secure certificateless signature scheme. Among the known models, security against the super-type adversary achieves the most secure level. Nevertheless, the signature length was slightly long and contained three group elements. In recent years, many new shorter certificateless signature schemes and certificateless aggregate signatures [14,15] were proposed. There are also some schemes that have been proven to be insecure. For example, Shim [16] analyzed five recent articles and found that they can all be forged by adversaries. Therefore, how to construct secure certificateless signatures still requires a very rigorous approach. For a comparative survey of certificateless signature, ref. [17] is a good reference for the related studies until 2022. Two other related but earlier surveys can be found in [18,19].

In addition to solving the key escrow problem, compared to IBCs, another major advantage of certificateless cryptosystem is that they can be implemented without pairing. Baek et al. [20] explored the first certificateless encryption scheme without pairing using the Schnorr signature. However, Sun et al. [21] showed that the scheme in [20] did not consider public key attacks. They fixed the problem using a new scheme with a more stringent security model. The certificateless signature scheme without pairing was finished by He et al. [22] in 2010. For the IoT scenario, Gong et al. [23] and Yang et al. [24] designed a certificateless aggregation signature without pairing and Dai et al. [25] proposed a certificateless aggregation signcryption without pairing. Moreover, many certificateless schemes based on other PKI signatures have been studied. Using the RSA signature, Zhang et al. [26] also constructed a CLS scheme. Another study point is constructing CLS schemes based on already-published cryptographic standards. In 2022, Tang et al. [27] proposed a CLS scheme (in Chinese) based on the Chinese national cryptographic standard. The scheme is built upon the identity-based standard, namely, the SM9 (SM stands for the Chinese pinyi “shangmi”, which means a commercial cryptography application) algorithm. As a result, it must rely on the pairing operation. Recently, He et al. [28] proposed a new CLS scheme using the SM2 algorithm without pairing. But their scheme requires zero-knowledge proof to verify the user public keys and how to support batch verification remains unknown. For batch verification, the certificateless aggregate signature (CLAS) [15,29] technique can be considered.

1.2. Motivation and Contributions

From the above analysis, we can see the enormous advantages of the certificateless cryptosystem and the feasibility of constructing a certificateless scheme based on the traditional signature scheme. However, current research is mostly limited to the implementation of the most basic signature schemes, while some signature algorithms with special functions have not yet emerged. For example, in systems with high throughput and low latency requirements, batch verification of signatures is also a crucial attribute that directly affects the availability of the entire system. Currently, there is no batch verifiable certificateless signature algorithm based on the national security algorithm. The primary contributions of this study include:

• We propose a certificateless signature algorithm with batch verification based on the Chinese national cryptographic standards, in particular with the SM2 algorithm;
• Our scheme supports batch verification of multiple signatures, thereby accelerating the algorithm in high throughput scenarios.

1.3. Technical Overview

From the above analysis, we can see that current studies on certificateless signature (CLS) schemes encounter the limitations of either relying on pairing operations like the scheme [27] built on the SM9 algorithm, or the underlying scheme not being selected as the cryptographic standard. The scheme proposed by He et al. [28] is extended from the SM2 algorithm and does not involve any pairing operation. However, it does not support batch verification. We first review the basic idea of He et al.’s construction. The core technical transformation from a traditional signature scheme to a certificate-based signature scheme is show in Figure 2.

Figure 2. Transformation from traditional signature to certificate-based signature.

A certificateless signature is similar to a certificate-based signature. The main difference is the secret value setting phase. In the CLS scheme, it is not necessary for the user to select a secret value and compute the public key first, before transmitting the public key to the key generation center (KGC) to obtain the partial private key. This means that the user can apply the partial private key from the KGC first; then, generate the secret value and compute the public key later. During the key extraction phase, the user’s public key may not yet be generated and, hence, cannot directly use the above transformation. To solve this issue, the user’s public key contain two parts: one part is from the key extraction phase, which is similar to the certificate-based setting; the other part is generated by the user itself. These two parts are independently generated but must be used together to sign a message. This paves the way for transforming a traditional signature scheme into a CLS scheme.

As for the zero-knowledge proof part, we use the property of bilinear pairing to replace the complex proof process. Even though this brings the pairing operation into the scheme, it only appears in the verification phase and the signing phase does not involve any pairing operation. For verification, since our scheme supports batch verification, multiple signatures can be verified simultaneously and the number of pairing operations is constant. This means that the additional time cost caused by the pairing operations is a fixed value and, hence, it will not incur too much computational cost during batch verification. The details of batch verification are depicted in Section 4.2.

1.4. Organization

The structure of this article is organized as follows. In Section 2, two preliminaries will be briefly introduced, including CLS and bilinear pairing, and a SM2-based CLS scheme will be reviewed. In Section 3, a new signature scheme with batch verification will be proposed, and in Section 4, the performance of these schemes will be evaluated through simulation experiments. Finally, a conclusion of the entire article is provided in Section 5.

2. Preliminaries

We will describe the definition of two preliminaries, including bilinear pairing and the certificateless signature. We will also review a SM2-based CLS scheme.

2.1. Bilinear Pairing

For three cyclic groups $G_1,G_2,G_T$ of a prime order q, a map $e:G_1\times G_2\to G_T$ is a bilinear pairing if and only if three properties hold:

• Computable: given any $g\in G_1,h\in G_2$, calculating $e(g,h)\in G_T$ is efficient;
• Bilinear: for $x,y\in Z_q$, the equation $e(g^x,h^y)=e{(g,h)}^{xy}$ always holds;
• Nondegenerate: if g is a generator of $G_1$ and h is a generator of $G_2$, $e(g,h)$ will also be a generator of $G_T$.

2.2. Certificateless Signature

The CLS scheme usually includes six algorithms:

• Setup $\left(1^{\lambda }\right)$: The Setup algorithm is usually operated by the KGC to initialize the scheme, which receives a security parameter $1^{\lambda }$. The system master public and secret key pair $(mpk,msk)$ will be generated;
• KeyExt $(mpk,msk,\mathtt{ID})$: The KeyExt algorithm is usually operated by the KGC, which receives the master key pair $mpk,msk$ and a user identity $\mathtt{ID}$. Finally, a partial private key $d_{\mathtt{ID}}$ is generated and transmitted to the user;
• SecretValue $(mpk,\mathtt{ID})$: The SecretValue algorithm is usually completed by a user, which receives the master public key $mpk$ and a user identity $\mathtt{ID}$. Finally, a secret value $s{v}_{\mathtt{ID}}$ is generated and returned to the user;
• PublicKey $(mpk,\mathtt{ID},s{v}_{\mathtt{ID}})$: The PublicKey algorithm is usually completed by a user, which receives the master public key $mpk$, a user identity $\mathtt{ID}$, and a secret value $s{v}_{\mathtt{ID}}$. A user public key $p{k}_{\mathtt{ID}}$ will be output;
• Sign $(mpk,d_{\mathtt{ID}},s{v}_{\mathtt{ID}},m)$: The Sign algorithm is usually completed by a user signing it. They receive the master public key $mpk$, a partial private key $d_{\mathtt{ID}}$, a secret value $s{v}_{\mathtt{ID}}$, and a message m. A signature ${\sigma }_m$ on the message m will be output;
• Verify $(mpk,\mathtt{ID},m,{\sigma }_m)$: The Verify algorithm is usually completed by a user verifying it. They receive the master public key $mpk$, a user identity $\mathtt{ID}$, a public key $p{k}_{\mathtt{ID}}$, a message m, and a signature ${\sigma }_m$. If the output is “1”, it means the signature is legal; otherwise, the signature is illegal.

2.3. Review a CLS Scheme Based on SM2

The SM2-based CLS scheme designed by He et al. [28] is made up of six algorithms.

• Setup $\left(1^{\lambda }\right)$: The Setup algorithm receives the security parameter $1^{\lambda }$ as input and uses the SM2 setup algorithm. It chooses an elliptic curve group $(\mathbb{G},p,P)$ with parameters $a,b$ and coordinates $x_P,y_P$. Then, it randomly picks $\alpha \in {\mathbb{Z}}_p$ and computes $P_{pub}=\left[\alpha \right]P$. It also selects a hash function H, such as the SM3 algorithm. Finally, the algorithm returns the master public and secret key pair as

  $$mpk=(\mathbb{G},p,P,P_{pub},H),msk=\alpha .$$
• KeyExt $(mpk,msk,\mathtt{ID})$: The KeyExt algorithm receives the master key pair $(mpk,msk)$ and an identity $\mathtt{ID}$ as inputs. Firstly, it randomly selects $x\in {\mathbb{Z}}_p$ and computes $pp{k}_{\mathtt{ID}}=\left[x\right]P$. Then, it concatenates the identity $\mathtt{ID}$ and the partial public key $pp{k}_{\mathtt{ID}}$. Finally, it runs the SM2 signature algorithm to produce the partial private key.
  • Compute $e=H(\mathtt{ID}\Vert pp{k}_{\mathtt{ID}})$;
  • Pick $k\in {\mathbb{Z}}_p$ randomly and calculate $\left[k\right]P=(x_1,y_1),r=(e+x_1)modp$;
  • Compute $s=({(1+\alpha )}^{-1}·(k-r·\alpha ))modp$.
  The partial private key is $d_{\mathtt{ID}}=(r,s,x,pp{k}_{\mathtt{ID}})$;
• ScretValue $(mpk,\mathtt{ID})$: The ScretValue algorithm receives the master public key $mpk$ and an identity $\mathtt{ID}$. Then, it runs the SM2 key generation algorithm. It randomly selects a $y\in {\mathbb{Z}}_p$ and sets $s{v}_{\mathtt{ID}}=(x,y)$ with the random value x received from the KGC. Next, it outputs the secret value $s{v}_{\mathtt{ID}}$;
• PublicKey $(mpk,\mathtt{ID},s{v}_{\mathtt{ID}})$: The PublicKey algorithm receives the master public key $mpk$, an identity $\mathtt{ID}$, and a secret value $s{v}_{\mathtt{ID}}=(x,y)$. Then, it computes $\left[y\right]P$ and generates a noninteractive zero-knowledge proof (NIZKP) $\pi$ of holding the unique y with respect to $\left[y\right]P$. Next, it sets $p{k}_{\mathtt{ID}}=(pp{k}_{\mathtt{ID}},\left[y\right]P,\pi )$ and outputs $p{k}_{\mathtt{ID}}$ as the public key;
• Sign $(mpk,d_{\mathtt{ID}},s{v}_{\mathtt{ID}},m)$: The Sign algorithm receives the master public key $mpk$, a partial private key $d_{\mathtt{ID}}=(r,s,x,pp{k}_{\mathtt{ID}})$, a secret value $s{v}_{\mathtt{ID}}=(x,y)$, and a message m. It first concatenates the identity $\mathtt{ID}$ and message m. Then, it computes $(x+y)modp$ and runs the SM2 signing algorithm with $(x+y)$ to generate the part signature. In detail,
  • Compute $e=H(\mathtt{ID}\Vert m)$;
  • Pick $k\in {\mathbb{Z}}_p$ randomly and compute $\left[k\right]P=(x_1,y_1),r^{\prime }=(e+x_1)modp$;
  • Compute $s^{\prime }{=((1+(x+y))}^{-1}·(k-r^{\prime }·(x+y))modp$.
  Next, it outputs the signature ${\sigma }_m=(r,s,r^{\prime },s^{\prime })$;
• Verify $(mpk,\mathtt{ID},p{k}_{\mathtt{ID}},m,{\sigma }_m)$: The Verify algorithm receives the master public key $mpk$, an identity $\mathtt{ID}$, a public key $p{k}_{\mathtt{ID}}=(pp{k}_{\mathtt{ID}},\left[y\right]P,\pi )$, a message m, and a signature ${\sigma }_m=(r,s,r^{\prime },s^{\prime })$. Then, it runs the SM2 algorithm to verify $(r,s)$ and $(r^{\prime },s^{\prime })$ and checks whether $\pi$ is valid. In detail,
  • Compute $e_1^{\prime }=H(\mathtt{ID}\Vert pp{k}_{\mathtt{ID}}),e_2^{\prime }=H(\mathtt{ID}\Vert m)$;
  • Compute $t_1=(r+s)modp,t_2=(r^{\prime }+s^{\prime })modp$;
  • Compute $\left[s\right]P+\left[t_1\right]P_{pub}=(x_1^{\prime },y_1^{\prime }),\left[s^{\prime }\right]P+\left[t_2\right](pp{k}_{\mathtt{ID}}+\left[y\right]P)=(x_2^{\prime },y_2^{\prime })$;
  • Compute $R=(e_1^{\prime }+x_1^{\prime }),R^{\prime }=(e_2^{\prime }+x_2^{\prime })$.
  If the proof $\pi$ is valid and the equations $r=R,r^{\prime }=R^{\prime }$ hold, it outputs “1”. Otherwise, it outputs “0”.

3. A Certificateless Signature Scheme Supporting Batch Verification

3.1. Zero-Knowledge Proof with Pairing

In the above scheme, we need to provide a NIZKP of y in the user public key to avoid adversaries bypassing $\left[x\right]P$ by setting $\left[y\right]P$. However, zero-knowledge proof requires additional overhead and increases the length of the user public key. We provide an extension scheme that uses bilinear pairing tools to verify the binding relationship between $\left[x\right]P$ and $\left[y\right]P$. A user who verifies the signature can ensure that the signer knows the y corresponding to Y by calculating $e\left(\right[x]P,[y\left]P\right)=e\left(\right[xy]P,P)$. The extension scheme is depicted in the following.

3.2. Construction

Next, we describe our new certificateless signature scheme with batch verification based on SM2. Our scheme also consists of six algorithms.

• Setup $\left(1^{\lambda }\right)$: The Setup algorithm receives a security parameter $1^{\lambda }$. It generates an elliptic curve group $(\mathbb{G},p,P)$ with parameters $a,b$ and coordinates $x_P,y_P$. Then, it picks $\alpha \in {\mathbb{Z}}_p$ randomly and sets $P_{pub}=\left[\alpha \right]P$. Next, it chooses a hash function H, such as the SM3 algorithm. Finally, it outputs the master key pair as

  $$mpk=(\mathbb{G},p,P,P_{pub},H),msk=\alpha .$$
• KeyExt $(mpk,msk,\mathtt{ID})$: The KeyExt algorithm receives the master key pair $(mpk,msk)$ and an identity $\mathtt{ID}$ as inputs. It first picks $x\in {\mathbb{Z}}_p$ randomly and calculates $pp{k}_{\mathtt{ID}}=\left[x\right]P$. Then, it concatenates $\mathtt{ID}$ with $pp{k}_{\mathtt{ID}}$. Next, it runs the SM2 algorithm to generate a partial private key.
  • Compute $e=H(\mathtt{ID}\Vert pp{k}_{\mathtt{ID}})$;
  • Pick $k\in {\mathbb{Z}}_p$ randomly and compute $\left[k\right]P=(x_1,y_1),r=(e+x_1)modp$;
  • Compute $s=({(1+\alpha )}^{-1}·(k-r·\alpha ))modp$.
  It transmits the partial private key $d_{\mathtt{ID}}=(r,s,x,pp{k}_{\mathtt{ID}})$ to the user safely;
• ScretValue $(mpk,\mathtt{ID})$: The ScretValue algorithm receives the master public key $mpk$ and an identity $\mathtt{ID}$ as inputs. Then, it runs the SM2 key generation algorithm. It selects $y\in {\mathbb{Z}}_p$ randomly and sets $s{v}_{\mathtt{ID}}=(x,y)$ with the random value x received from KGC. Next, it outputs the secret value $s{v}_{\mathtt{ID}}$;
• PublicKey $(mpk,\mathtt{ID},s{v}_{\mathtt{ID}})$: The PublicKey algorithm receives the master public key $mpk$, a user identity $\mathtt{ID}$, and a secret value $s{v}_{\mathtt{ID}}=(x,y)$ of the user as inputs. Then, it computes $\left[y\right]P$ and $\left[xy\right]P$. Next, it sets $p{k}_{\mathtt{ID}}=(pp{k}_{\mathtt{ID}},\left[y\right]P,\left[xy\right]P)$ and produces the public key $p{k}_{\mathtt{ID}}$;
• Sign $(mpk,d_{\mathtt{ID}},s{v}_{\mathtt{ID}},m)$: The Sign algorithm inputs the master public key $mpk$, a user partial private key $d_{\mathtt{ID}}=(r,s,x,pp{k}_{\mathtt{ID}})$, a secret value $s{v}_{\mathtt{ID}}=(x,y)$, and a message m. It first concatenates the identity $\mathtt{ID}$ and the message m. Then, it computes $xymodp$ and runs the SM2 signing algorithm with $xy$ to generate the part signature. In detail,
  • Compute $e=H(\mathtt{ID}\Vert m)$;
  • Pick $k^{\prime }\in {\mathbb{Z}}_p$ randomly and compute $\left[k^{\prime }\right]P=(x_2,y_2),r^{\prime }=(e+x_2)modp$;
  • Compute $s^{\prime }{=((1+xy)}^{-1}·(k^{\prime }-r^{\prime }·xy)modp$.
  Next, it outputs the signature $\sigma =(r,s,r^{\prime },s^{\prime })$;
• Verify $(mpk,\mathtt{ID},p{k}_{\mathtt{ID}},m,\sigma )$: The Verify algorithm receives the master public key $mpk$, an identity $\mathtt{ID}$, public key $p{k}_{\mathtt{ID}}=(\left[x\right]P,\left[y\right]P,\left[xy\right]P)$, a message m, and a signature $\sigma =(r,s,r^{\prime },s)$. It first checks if $e\left(\right[x]P,[y\left]P\right)=e\left(\right[xy]P,P)$ holds. Then, it runs the SM2 verification algorithm to check the validity of ${\sigma }_{\mathtt{ID}}$ and ${\sigma }_m$. In detail,
  • Compute $e_1^{\prime }=H(\mathtt{ID}\Vert pp{k}_{\mathtt{ID}}),t_1=(r+s)modp,\left[s\right]P+\left[t_1\right]P_{pub}=(x_1^{\prime },y_1^{\prime }),$$R=(e_1^{\prime }+x_1^{\prime })$. Then check if the equations $R=r$ holds;
  • Compute $e_2^{\prime }=H(\mathtt{ID}\Vert m),t_2=(r^{\prime }+s^{\prime })modp,\left[s^{\prime }\right]P+\left[t_2\right]\left(\left[xy\right]P\right)=(x_2^{\prime },y_2^{\prime }),$$R^{\prime }=(e_2^{\prime }+x_2^{\prime })$.Then check if the equations $R^{\prime }=r^{\prime }$ holds;
  • Check if the equations $e\left(\right[x]P,[y\left]P\right)=e\left(\right[xy]P,P)$ holds

If all three equations hold, it outputs “1”. Otherwise, it outputs “0”.

4. Performance Analyses

4.1. Computational Costs

The efficiency performance of the scheme was evaluated by comparing it with Huang’s CLS [13] through simulation experiments. We use $T_{add},T_P,T_{mul},T_e$ to represent the time of a point addition, a pairing operation, a scalar multiplication in the elliptic curve group, and an exponential operation in the $G_T$ group. G and $Z_p$ represent the elliptic curve group and the group of integers that are modular to a prime number p without an explicit statement. The experimental environment and the results are shown as Table 1 and Table 2, respectively:

Table 1. Experimental environment.

CPU	OS	RAM	Compiler and Library
Intel i7-12700z	Ubuntu 14.04	32 GB DDR5 4800 MHz	GNU C/C++ & PBC 0.5.14

Table 2. Efficiency comparison of the CLS schemes.

Scheme	Signature Length	Sign Computation	Verify Computation	Sign Time (ms)	Verify Time (ms)
He	$4|Z_p|$	$3T_{add}+3T_{mul}$	$6T_{mul}+7T_{add}$	1.01	4.81
Huang	$1\left|G\right|+2|Z_p|$	$3T_{mul}+T_P+T_e$	$2T_{mul}+2T_P+T_e$	4.08	3.63
Our	$4|Z_p|$	$3T_{add}+3T_{mul}$	$6T_{mul}+7T_{add}$	0.99	5.26

In the above table, $|Z_p|$ and $\left|G\right|$ denote the binary length of an element in group $Z_p$ and G, respectively.

4.2. Batch Verification

This scheme requires the pairing operations in the verification algorithm, which consumes a lot of resources. To accelerate the algorithm, we can batch process a large number of signatures from the same user. For example, when multiple signatures from the same user are received consecutively, the received $r,s,X,Y$ must all be consistent. Therefore, the verification equations can be performed once. The following is a simplified validation algorithm:

Batch-Verify $(mpk,\mathtt{ID},p{k}_{\mathtt{ID}},\left\{m_1,m_2,\dots ,m_n\right\},\left\{{\sigma }_1,{\sigma }_2,\dots ,{\sigma }_n\right\})$: The verification algorithm inputs the master public key $mpk$, a user’s identity $\mathtt{ID}$, a public key $p{k}_{ID}$, n messages $\left\{m_1,m_2,\dots ,m_n\right\}$, and n signatures $\left\{{\sigma }_1,{\sigma }_2,\dots ,{\sigma }_n\right\}$. The ${\left\{{\sigma }_i\right\}}_{i\in \left\{1\dots n\right\}}$ is denoted as $\left\{r_i,s_i,r_i^{\prime },s_i^{\prime }\right\}$ and the $p{k}_{ID}$ is denoted as $\left\{\left[x\right]P,\left[y\right]P,\left[xy\right]P\right\}$.

• Compute $e_{i,1}^{\prime }=H(\mathsf{ID}\Vert pp{k}_{\mathsf{ID}})$, $t_{i,1}=(r_i+s_i)modp$, $\left[s_i\right]P+\left[t_{i,1}\right]P_{pub}=(x_{i,1}^{\prime },y_{i,1}^{\prime })$, $R_i=(e_{i,1}^{\prime }+x_{i,1}^{\prime })$. Then, check if the equations $R_i=r_i$ holds. For n signatures coming from the same user, the $\left\{r_i,s_i,\left[x\right]P\right\}$ are the same so that this step only needs to be calculated once for n signatures;
• Compute $e_{i,2}^{\prime }=H(\mathsf{ID}\Vert m_i)$, $t_{i,2}=(r_i^{\prime }+s_i^{\prime })modp$, $\left[s_i^{\prime }\right]P+\left[t_{i,2}\right]\left(\left[xy\right]P\right)=(x_{i,2}^{\prime },y_{i,2}^{\prime })$, $R_i^{\prime }=(e_{i,2}^{\prime }+x_{i,2}^{\prime })$. Then, check if the equation $R_i^{\prime }=r_i^{\prime }$ holds. This step must to be executed for each signature;
• Check if the equation $e\left(\right[x]P,[y\left]P\right)=e\left(\right[xy]P,P)$ holds. This step only needs to be calculated once for n signatures.

If all three equations hold, it outputs “1”. Otherwise, it outputs “0”.

In this way, when verifying n signatures from the same user, step 1 and 3 only need to be performed once and step 2 needs to be performed n times. Thus, the expensive pairing operation only needs to be performed twice.

Multi-User-Batch-Verify ($mpk$, $\left\{I{D}_1,I{D}_2,\dots ,I{D}_m\right\}$, $\left\{p{k}_{I{D}_1},p{k}_{I{D}_2},\dots ,p{k}_{I{D}_m}\right\}$, $\left\{m_{1,1},\right.\left.\dots ,m_{1,n},m_{1,2},\dots ,m_{m,n}\right\}$, $\left\{{\sigma }_{1,1},{\sigma }_{1,2},\dots ,{\sigma }_{1,n},\dots ,{\sigma }_{m,n}\right\}$): The verification algorithm inputs the master public key $mpk$, m identities $\left\{{\mathsf{ID}}_{\mathsf{1}},{\mathsf{ID}}_{\mathsf{2}},\dots ,{\mathsf{ID}}_{\mathsf{m}}\right\}$, and m public keys $\left\{p{k}_{{\mathsf{ID}}_{\mathsf{1}}},p{k}_{{\mathsf{ID}}_{\mathsf{2}}},\right.$$\left.\dots ,p{k}_{{\mathsf{ID}}_{\mathsf{m}}}\right\}$. The $m_{i,j}$ and ${\sigma }_{i,j}$ denote the j-th message and signature for i-th user, respectively. The ${\sigma }_{i,j}$ is denoted as $(r_{i,j},s_{i,j},r_{i,j}^{\prime },s_{i,j}^{\prime })$ and the $p{k}_{{\mathsf{ID}}_{\mathsf{i}}}$ is denoted as $(\left[x_i\right]P,\left[y_i\right]P,\left[x{y}_i\right]P)$.

• Compute $e_{i,1}^{\prime }=H({\mathsf{ID}}_{\mathsf{i}}\Vert \left[x_i\right]P)$, $t_{i,j,1}=(r_{i,j}+s_{i,j})modp$, $\left[s_{i,j}\right]P+\left[t_{i,j,1}\right]P_{pub}=(x_{i,j,1}^{\prime },y_{i,j,1}^{\prime })$, $R_{i,j}=(e_{i,1}^{\prime }+x_{i,j,1}^{\prime })$. Then, check if the equation $R_{i,j}=r_{i,j}$ holds. This step needs to be calculated once for each user;
• Compute $e_{i,j,2}^{\prime }=H({\mathsf{ID}}_{\mathsf{i}}\Vert m_{i,j})$, $t_{i,j,2}=(r_{i,j}^{\prime }+s_{i,j}^{\prime })modp$, $\left[s_{i,j}^{\prime }\right]P+\left[t_{i,j,2}\right]\left(\left[x{y}_i\right]P\right)=(x_{i,j,2}^{\prime },y_{i,j,2}^{\prime })$, $R_{i,j}^{\prime }=(e_{i,j,2}^{\prime }+x_{i,j,2}^{\prime })$. Then, check if the equation $R_{i,j}^{\prime }=r_{i,j}^{\prime }$ holds. This step must to be calculated for each signature;
• For all m public keys, calculate ${\pi }_1$ = ${\prod }_{i=1,j=1,i!=j}^{m}e(\left[x_i\right]P,\left[y_j\right]P)$=${\prod }_{i=1}^m\left({\prod }_{j=1,j!=i}^m\right(e\left(\left[x_i\right]P,\right.$
  $\left.\left[y_j\right]P\right))$. This calculation can be completed by a third-party assistant and the results can be sent to the user. Then, the user calculates ${\pi }_2=e({\sum }_{i=1}^m\left[x_i\right]P,{\sum }_{i=1}^m\left[y_i\right]P)$ and ${\pi }_3=e({\sum }_{i=1}^m\left[x{y}_i\right]P,P)$. Finally, check if the equation $\frac{{\pi }_2}{{\pi }_1}={\pi }_3$ holds.

If all equations in the three steps hold, it outputs “1”. Otherwise, it outputs “0”.

In this way, when verifying the signatures from m users, the pairing operation can be completed twice locally rather than increasing with the number of users.

5. Conclusions and Future Work

To accelerate the verification algorithm, we extended the CLS scheme proposed by He et al. [28] and accelerated the algorithm execution through batch verification. The proposed scheme is still based on the Chinese national cryptographic standard (SM2) algorithm and no pairing operation is required during the signing process. This guarantees both efficiency and the requirement of using the standard cryptographic algorithm. In addition, the noninteractive zero-knowledge proof (NIZKP) of the signature is replaced by verifying an equation. This improvement provides efficient batch verification for multiple signatures. The number of pairing operations is constant regardless of the amount of signatures.

In this paper, we propose a basic certificateless signature scheme derived from the SM2 algorithm without resorting to the use of pairing operations. Signing or verifying a single signature does not involve any pairing operation. In addition, we further show how to improve the scheme to support batch verification. Nevertheless, the verification of multiple signatures requires a constant number of pairing operations. Despite the fact that the number is constant and is independent from the number of signatures in a batch verification, how to achieve a fully pairing-free SM2-based certificateless signature scheme that supports batch verification is worth studying. In addition, the security analysis is based on the random oracle model, which treats the hash function as an oracle. How to construct schemes without random oracles would also improve the security to a greater extent.