An Efficient Certificateless Forward-Secure Signature Scheme for Secure Deployments of the Internet of Things

Abstract

As an extension of the wired network, the use of the wireless communication network has considerably boosted users’ productivity at work and in their daily lives. The most notable aspect of the wireless communication network is that it overcomes the constraints of the wired network, reduces the amount of cost spent on wire maintenance, and distributes itself in a manner that is both more extensive and flexible. Combining wireless communication with the Internet of Things (IoT) can be used in several applications, including smart cities, smart traffic, smart farming, smart drones, etc. However, when exchanging data, wireless communication networks use an open network, allowing unauthorized users to engage in communication that is seriously destructive. Therefore, authentication through a digital signature will be the best solution to tackle such problems. Several digital signatures are contributing to the authentication process in a wireless communication network; however, they are suffering from several problems, including forward security, key escrow, certificate management, revocations, and high computational and communication costs, respectively. Keeping in view the above problems, in this paper we proposed an efficient certificateless forward-secure signature scheme for secure deployments in wireless communication networks. The security analysis of the proposed scheme is carried out using the random oracle model (ROM), which shows that it is unforgeable against type 1 and type 2 adversaries. Moreover, the computational and communication cost analyses are carried out by using major operations, major operations cost in milliseconds, and extra communication bits. The comparative analysis with the existing scheme shows that the proposed scheme reduces the computational cost from 19.23% to 97.54% and the communication overhead from 11.90% to 83.48%, which means that the proposed scheme is efficient, faster, and more secure for communication in the wireless communication network.

1. Introduction

The Internet of Things (IoT) is a rapidly expanding field that involves connecting millions of physical objects (called “things”) to networked sensors and smart devices that allow them to create, collect, and share different kinds of information [1,2]. As demonstrated in Figure 1, IoT has various applications in several industries, including smart cities, smart traffic, smart farming, and smart drones. In smart cities, IoT enhances people’s lives by increasing traffic control, tracking the availability of parking places, evaluating the quality of the air, and even warning inhabitants when trash cans are full. In addition, it makes the traffic intelligent and employs sensors to collect raw traffic data, informing the driver of traffic updates to help him choose a better route while keeping his private information secure [3]. Farming is the second useful use of IoT devices, wherein data are gathered and analyzed to advise the owner of the need for water, pesticides, manure, fertilizer, or treatment for ill plants based on factors such as temperature, soil moisture, leaf wetness, and sun radiation [4]. The third application is the Internet of drones, in which smart drones could play an important role in multiple contexts, such as in smart cities, where they can be used for customer order delivery, accident surveillance and road traffic monitoring, private and police investigations, prison surveillance, drone taxis, ambulances drone, pollution control drone, surveillance and monitoring of large crowds at gatherings and protests, etc. [5].

Moreover, drones are also used by most border patrol officers that monitor criminal activity on the border, mainly smuggling of drugs. This huge variation, the increasing management and interaction of devices, and the usage of public networks for the transfer of massive volumes of data make IoT systems an ideal target for hacker attacks [6]. IoT privacy and the safety of devices are linked, e.g., producing accidents by interrupting automotive networks, placing farms in danger by tampering with a farming network, invasion of privacy, power consumption, and poor data security in smart cities, the brick-sized batteries consumed by drones being heavy and losing energy quickly, memory limitations, and chances of malware and virus threats in the information shared by drones, etc. [7]. To counter such attacks, authentication is the most effective strategy, and it allows two or more network participants to verify each other’s identity before exchanging data. In cryptography, the attractive technique for authentication is a digital signature, which is a mathematical method that is used to authenticate the identity of the sender through its private key, which it sends to the receiver, and then the receiver uses the public key of the sender and verifies the signature [8]. In a conventional digital signature technique, the signature key cannot be changed for every session, so there is a risk of exposure to the private key. The forward-secure digital signature was introduced to tackle the exposure problem of private keys where private keys are updated for every session [9]. The forward signature may be public key infrastructure-based (PKI-based) or identity-based (ID-based); however, in a PKI-based digital forward signature, there are certificate revocation and certificate management issues, and in ID-based digital forward signature schemes, there is a key escrow problem [10]. The abovementioned problems may be avoided using a forward secure certificateless digital signature, which combines the working structure of forward security with a certificateless signature. Though several forward-secure signatures are contributed, they are based on an elliptic curve, RSA, and bilinear pairing that are suffering from extra computational burdens on small IoT devices during the execution process and require more bandwidth because they need more bits to be transferred. Hyper elliptic curve cryptography (HECC) is the replacement for elliptic curve cryptography (ECC), and it uses only 80-bit keys. HECC is a subclass of algebraic curves that comprises genus g ≥ 1, and the field of the HECC is a quadratic extension of the field of rational functions, so in this sense, it is the simplest field of algebraic functions except for the field of rational functions [11]. HECC consists of the divisor D, which refers to the finite formal sum of points on a hyperelliptic curve, and the divisor D forms an Abelian group referred to as the Jacobian group $J_c\left(F_q\right)$ [12].

As a result of the above discussion, the following contributions have been made to this work:

• We propose a certificateless, forward-secure HECC-based digital signature scheme that provides privacy, gets rid of the key escrow problem, and ensures its forward security.
• A comprehensive security analysis is conducted to demonstrate that the proposed scheme is secure against various types of cyber-attacks.
• Finally, the efficiency of the proposed scheme is evaluated by comparing it to other existing schemes in terms of its computation and communication costs. The results reveal that the proposed scheme is more efficient.

2. Literature Review

In recent years, the issues of privacy protection and forward security for the IoT have drawn more and more attention, and that is why security and privacy concerns may occur at multiple levels of smart IoT systems, so it needs to settle the problems mentioned above. Therefore, many signatures and authentication schemes have been proposed; for example, Malkin et al. [13] constructed a new forward-secure digital signature for the first time in which the existing schemes were combined to form a new forward secure digital signature scheme without being aware of the total number of periods. This scheme not only can take any digital signature scheme as the underlying module, but it also does not rely on any assumptions. They proved that this scheme achieves excellent performance overall, is very competitive with previous schemes with respect to all parameters and outperforms each of the previous schemes in at least one parameter. Itkis and Reyzin [14] developed a digital signature technique with forward secrecy using four modular exponentials and proved the security of their scheme based on the random oracle model (ROM). Kozlov and Reyzin [15] constructed a system for digital signatures that requires only a single modular exponential in the key update. The Fiat–Shamir transformation and the strong Rivest–Shamir–Adleman (RSA) assumption were used to demonstrate that this technique is secure against different types of attacks. McCullagh and Barreto [16] suggested a new forward-secured, efficient digital signature technique, which is based on pairing cryptography, that is both transferable and non-transferable. They pointed out semantic security problems in previous schemes and showed that this scheme is more secure than the previously proposed schemes. Boyen et al. [17] were the first to introduce the forward security digital signature with malicious updates in 2006. They introduced the concept of forward-secure signatures with an untrusted update, where the key update can be performed on an encrypted version of the key, and they demonstrated that forward-secure signatures with an untrusted update allow us to add forward security to signatures, while keeping passwords as a second factor of security. The security analysis of their scheme proved that the scheme has better performance as compared to the existing forward-secure signature schemes. The forward-secure ring signatures scheme was proposed by Liu and Wong [18] to resolve the key exposure problem. In their scheme, they reduced the damage of exposure of any secret key of users in a ring signature; even if a secret key is compromised, previously generated ring signatures remain valid and do not need to be regenerated. They demonstrated the security of their system using the ROM. Next, Das et al. [19] presented a new user authentication scheme that supports dynamic node addition. In this scheme, the user authenticates itself at both the base station and the cluster heads inside wireless sensor networks (WSN), so after successful authentication, both the user and the cluster head from which the user wants to access real-time data in the target field will be able to establish a secret session key between them. They showed that this scheme has better security performance. Taking into consideration the restricted sensor resources and time restrictions, a forward-secure Certificateless digital signature scheme was first introduced by Xu et al. [20] based on random lattice in the standard model, and they claimed that the scheme’s strong unforgeability was based on the small integer solution problem. Kim et al. [21] constructed the Fast-Bellare–Miner (Fast-BM) and Fast-Abdalla–Reyzin (Fast-AR) fast forward-secure digital signature schemes, which allow fast signing and key updating with constant size public and secret keys and a short constant size signature. They proved that their approach is suitable for both real-time surveillance streaming applications and standard forward-secure signature systems. However, the computation cost was high because it was based on the elliptic curve. Oh et al. [22] designed an ID-based digital signature technique with a forward-secure private key generator. Based on the bilinear Diffie–Hellman inversion assumption (BDHI), they developed its concept and demonstrated its implementation by giving construction and security proof in the standard model (without random oracles). However, this scheme was based on bilinear pairing and required more computing power due to heavy pairing operations. Based on the RSA assumption, Ko et al. [23] developed a forward-secure ID-based digital signature technique with a forward-secure private key generator. They described its concept and presented practical constructions as well as its security proof in the random oracle model under the factoring assumption. Their scheme was based on RSA, which has high computation costs and communication costs. Du et al. [24] proposed a new provably secure certificateless signature scheme for IoT with perfect forward secrecy, which concentrated on designing a certificateless signature scheme (CLS) for IoT applications without pairings, which proved to be secure against different kinds of adversaries. Saqib et al. [25] proposed a three-factor authentication (password, identity, and low-cost digital signature) framework suitable for IoT-driven critical applications using ECC that provides mutual entity authentication of the gateway with both remote users (subscriber) and IoT node (publisher). The session key generation is dynamic, which could be changed in every session, which makes the scheme resistant to known session key attacks and guarantees pure forward secrecy. In 2022, based on an elliptic curve, a forward-secure digital signature scheme was proposed by Ping et al. [26] for privacy protection in wireless communication networks and proved its forward security and unforgeability in the random oracle model. However, this scheme suffers from three major flaws: (1) high computational cost, (2) more communication overhead, and (3) a key escrow problem. So, we have concluded three main limitations from the above literature survey, i.e., they are suffering from high computational cost, more communication overhead, and a key escrow problem, respectively.

To remove the above limitations, we are going to introduce a new method called the certificateless forward signature based on the hyperelliptic curve, which removes the key escrow problem, provides communication with very low bandwidth, and processes algorithms with very little time.

3. Preliminaries

This section discusses the proposed network model used in this scheme, the syntax of the proposed certificateless forward signature scheme, and the hyper elliptic curve discrete logarithm problem (HECDLP), respectively.

3.1. Network Model

This section describes the proposed network model for the proposed certificateless forward signature scheme used in the IoT environment. Figure 2 shows that our network model contains five entities: trusted authority, IoT devices, key update devices, controller, Internet, and receiver, which perform different functions during the communication process, respectively. Here, the role of a trusted third party is that when it receives the identity and request for a partial private key from IoT devices and receivers, it makes the partial key. By using their identities and delivering them on a secure network, the IoT devices receive a partial private key from a trusted third party and make their own private and public keys. After that, the key update device receives the request for signature key updating from IoT devices and sends back the updated key to the IoT devices after performing the updating process. Then, IoT devices give the updated key and generated data to the controller by using Bluetooth technology. Bluetooth technology enables wireless communication between devices without the use of wires or cables [6]. It is based on short-range radio frequency, and any device equipped with the technology can communicate if it is within a specified distance. This technology is essentially a wireless networking protocol for a broad range of devices, such as notebook computers, as well as cooking ovens, PDAs, mobile phones, and refrigerators, in the residential, workplace, and other similar aspects. After the above process, the controller generates a forward signature and sends it to the receiver using 5G communication with the open network. When the signature tuple is received by the receiver, it performs the verification process; if the verification is successful, it accepts the signature and data; otherwise, it rejects it.

3.2. Syntax of Certificateless Forward Signature

The syntax contains the subsections that are Initialization, Generate Private Number, Generate Partial Private Key, Generate Private Key, Generate Public Key, Key Update, Generate Forward Signature, and Forward Signature Verification. So, the explanations of each subsection are as follows:

• Initialization: The trusted authority (TA) generates public parameter param, his private key ($\partial$), and public key ($\Gamma$) by taking as input the security parameter of hyperelliptic curve.
• Generate Private Number: Given the security parameter and param, the user ($U_i$) selects ${\varphi }_i$ as his private number.
• Generate Partial Private Key: Given user identity ($I{D}_i$), public key of TA ($\Gamma$), and public parameter param, TA generates the tuple (${\mathcal{I}}_i$, ${\omega }_i$) as a partial private key for user with identity ($I{D}_i$).
• Generate Private Key: Given a private number (${\varphi }_i$) and the tuple (${\mathcal{I}}_i$, ${\omega }_i$), a ser ($U_i$) sets (${\omega }_i,{\varphi }_i$) as his private key.
• Key Update: In this phase, it renews the signature key pair by replacing (${\omega }_i,{\varphi }_i$) on $({\omega }_i{}^{new}$,${\varphi }_i{}^{new})$ before signature generations and also renews the verification public key as $({\mathcal{Q}}_i{}^{new}$,${\mathcal{I}}_i{}^{new})$.
• Generate Public Key: Given a private number (${\varphi }_i$) and the tuple (${\mathcal{I}}_i$, ${\omega }_i$), the user ($U_i$) sets (${\mathcal{I}}_i,{\mathcal{Q}}_i$) as his public key, where ${\mathcal{Q}}_i={\varphi }_i.\mathcal{D}$.
• Generate Forward Signature: Given a message $m$, the updated signature key pair $({\omega }_i{}^{new}$,${\varphi }_i{}^{new})$, param, signer identity ($I{D}_i$), and ${\mathcal{I}}_i$, generate and send the signature tuple ($K,\beta$) to the verifier.
• Forward Signature Verification: Given a message $m$, the public key pair $\left({\mathcal{I}}_i,{\mathcal{Q}}_i\right)$, param, signer identity ($I{D}_i$), and ($K,\beta$), the verifier verifies the received signature tuple.

3.3. Hyperelliptic Curve Discrete Logarithm Problem (HECDLP)

In place of elliptic curve cryptography (ECC), hyper elliptic curve cryptography (HECC) uses keys that are just 80 bits long. The field of the HECC is a quadratic extension of the field of rational functions, making it the simplest field of algebraic functions, except for the field of rational functions. The HECC is a subclass of algebraic curves that includes genus g 1. The Jacobian group is an Abelian group that contains the divisor D, which is the finite formal sum of points on a hyperelliptic curve.

Supposing $\mathsf{\Upsilon }=\partial .\mathcal{D}$, finding the value of $\partial$ from $\mathsf{\Upsilon }$ is called the hyper elliptic curve discrete logarithm problem.

4. Certificateless Forward-Secure Signature Scheme

The following seven sub algorithmic steps can make our proposed certificateless forward-secure signature scheme, and

Table 1. Symbols used in the proposed algorithm.

No	Symbol	Description
1	$H_{G=2}$	Represents a hyper elliptic curve with genus 2
2	$F_p$	Represents a finite field of order p, where its range is not more than 80 bits
3	$\mathcal{D}$	Represents a devisor, where its range is not more then 80 bits
4	$H_j,H_k,H_l$	Represent three irreversible, one-way, and collision-resistant hash functions from the SHA family
5	$\Gamma$	The public key of TA, and it is made from the combination of secret key and devisor
6	$\partial$	The secret key of TA, and it is randomly selected from Fp
7	$U_i$	This symbol is used to indicate user
8	${\omega }_i,{\varphi }_i$	These two symbols are used to indicate the private key of Ui
9	${\varphi }_i$	This is used to represent the private number of Ui
10	$I{D}_i$	This is used to represent the identity of Ui
11	${\omega }_i{}^{new}$$, {\varphi }_i{}^{new}$	This is used to represent the update private key pair of Ui
12	${\mathcal{I}}_i,{\mathcal{Q}}_i$	This is used to represent the public key pair of Ui
13	${\mathcal{Q}}_i{}^{new}$$, {\mathcal{I}}_i{}^{new}$	This is used to represent the update public key pair of Ui
14	$K,\beta$	This is used to represent the signature pair generated by signer
15	$\mathcal{B}\mathcal{M}$	This is used to represent bilinear pairing-based multiplication
16	Xⅇ	This is used to represent the exponential
17	$\mathcal{E}\mathcal{C}\mathcal{M}$	This is used to represent elliptic curve multiplication
18	$\mathcal{H}\mathcal{E}\mathcal{C}\mathcal{M}$	This is used to represent hyperelliptic curve multiplication
19	$\mathcal{B}𝓀$	This is used to represent the bilinear pairing operation
20	$C_n$	This is used to represent the challenger, which will support the adversary during security analysis
21	$A_n$	This is used to represent the type 1 adversary
22	$A_m$	This is used to represent the type 2 adversary
23	$\mathcal{E}$	This is used to represent the non-negligible probability type 1 and type 2 adversaries
24	$Q{H}_l$	This is used to represent the query for Hl
25	$Q_{ppt}$	This is used to represent partial private key query
26	$Q_U$	This is used to represent user creation query
27	$Q{H}_k$	This is used to denote the query for Hk
28	$Q{H}_j$	This is used to denote the query for Hj

contains the symbols that are used to make up the whole algorithm’s mathematical steps.

• Initialization: Here, the trusted authority performs the following mathematical computations:
  • Select hyper elliptic curve ($H_{G=2}$) with genus 2.
  • Suggest the finite field ($F_p$) of order $p$, where its range is not more than 80 bits.
  • Suggest the devisor $\left(\mathcal{D}\right)$ of $H_{G=2}$, where its range is not more than 80 bits.
  • Suggest three irreversible, one-way, and collision-resistant hash functions ($H_j,H_k,H_l$) from the SHA family.
  • TA computes the public key $\Gamma =\partial .\mathcal{D}$, where $\partial$ is the randomly selected private key from$F_p$.
  • TA publishes the public parameter set {$\Gamma$,$\mathcal{D}$,$F_p,H_{G=2},H_j, H_k, H_l$}.
• Generate Private Number: User ($U_i$) selects ${\varphi }_i$ from $F_p$ as a private number.
• Generate Partial Private Key: Upon the request of $U_i$ with identity $I{D}_i$, TA selects ${\gamma }_i$ from$F_p$ and computes ${\mathcal{I}}_i={\gamma }_i.\mathcal{D}$, ${\Delta }_i=H_j\left(I{D}_i,\Gamma ,{\mathcal{I}}_i\right)$, and ${\omega }_i=\partial +{\gamma }_i.{\mathcal{I}}_i$.
• Generate Private Key: The User ($U_i$) sets (${\omega }_i,{\varphi }_i$) as his private key.
• Key Update: In this phase, it renews the signature key pair by replacing (${\omega }_i,{\varphi }_i$) on $({\omega }_i{}^{new}$,${\varphi }_i{}^{new})$ before signature generations and also renews the verification public key as $({\mathcal{Q}}_i{}^{new}$,${\mathcal{I}}_i{}^{new})$.
• Generate Public Key: The user ($U_i$) sets (${\mathcal{I}}_i,{\mathcal{Q}}_i$) as his public key, where ${\mathcal{Q}}_i={\varphi }_i.\mathcal{D}$.
• Generate Forward Signature: Given a message $m$, the updated signature key pair $({\omega }_i{}^{new}$,${\varphi }_i{}^{new})$, {$\Gamma$,$\mathcal{D}$,$F_p, H_{G=2},H_j,H_k,H_l$}, signer identity ($I{D}_i$), and ${\mathcal{I}}_i$, the signer performs the following computations:
  • Signer selects $𝓀$ from $F_p$ and computes $K=𝓀.\mathcal{D}$.
  • Compute $r_1=H_k\left(m,K\right)$ and $r_2=H_l\left(m,K,\Gamma ,{\mathcal{Q}}_i\right)$.
  • Compute $\beta ={\varphi }_i{}^{new}+r_1𝓀+r_2{\omega }_i{}^{new}$ and send ($K,\beta ,r_1$) to verifier.
• Forward Signature Verification: Given a message $m$, the public key pair $\left({\mathcal{I}}_i,{\mathcal{Q}}_i\right)$, {$\Gamma$,$\mathcal{D}$,$F_p, H_{G=2},H_j,H_k,H_l$}, signer identity ($I{D}_i$), and ($K,\beta ,r_1$), the verifier performs the following computations:

Verifier computes ${\Delta }_i=H_j\left(I{D}_i,\Gamma ,{\mathcal{I}}_i\right)$, $r_1=H_k\left(m,K\right)$, and $r_2=H_l\left(m,K,\Gamma ,{\mathcal{Q}}_i\right)$.

Verifier checks the validity of the signature by computing $\beta .\mathcal{D}={\mathcal{Q}}_i+r_{1}K+r_2\left(\Gamma +{\Delta }_i{\mathcal{I}}_i{}^{new}\right)$; if it is satisfied, accept.

5. Correctness

Given a message $m$, the public key pair $\left({\mathcal{I}}_i,{\mathcal{Q}}_i\right)$, {$\Gamma$,$\mathcal{D}$,$F_p, H_{G=2},H_j,H_k,H_l$}, signer identity ($I{D}_i$), and ($K,\beta ,r_1$), the verifier computes ${\Delta }_i=H_j\left(I{D}_i,\Gamma ,{\mathcal{I}}_i\right)$, $r_1=H_k\left(m,K\right),$ and $r_2=H_l\left(m,K,\Gamma ,{\mathcal{Q}}_i\right)$. Verifier checks the validity of the signature by computing $\beta .\mathcal{D}={\mathcal{Q}}_i+r_{1}K+r_2\left(\Gamma +{\Delta }_i{\mathcal{I}}_i{}^{new}\right)$; if it is satisfied, accept.

$$\begin{array}{c}\beta .\mathcal{D}={\mathcal{Q}}_i+r_{1}K+r_2\left(\Gamma +{\Delta }_i{\mathcal{I}}_i{}^{new}\right)\\ \beta .\mathcal{D}=\left({\varphi }_i{}^{new}+r_1𝓀+r_2{\omega }_i{}^{new}\right).\mathcal{D}\\ =\left({\varphi }_i{}^{new}.\mathcal{D}+r_1𝓀.\mathcal{D}+r_2{\omega }_i{}^{new}.\mathcal{D}\right)\\ =({\mathcal{Q}}_i{}^{new}+r_{1}K+r_2\left(\partial +{\gamma }_i.{\mathcal{I}}_i{}^{new}\right).\mathcal{D})\\ =({\mathcal{Q}}_i{}^{new}+r_{1}K+r_2\left(\partial .\mathcal{D}+{\gamma }_i.\mathcal{D}.{\mathcal{I}}_i{}^{new}\right)\\ ={\mathcal{Q}}_i+r_{1}K+r_2\left(\Gamma +{\Delta }_i{\mathcal{I}}_i{}^{new}\right)\end{array}$$

is hence proved.

6. Security Analysis

Our proposed certificateless forward-secure signature scheme is analyzed for unforgeability under the process of the random oracle model against type 1 and type 2 adversaries based on the crack hyperelliptic curve discrete logarithm problem. The following two theorems (e.g., Theorems 1 and 2) are used for the provable security of the proposed scheme. Both of the theorems, i.e., Theorems 1 and 2, are based on the robustness of hard problem called the hyperelliptic curve discrete logarithm, which is not feasible for type 1 and type 2 adversaries to break its security. Therefore, the following two theorems show that our proposed scheme is unforgeable due to the hardiness of the hyperelliptic curve discrete logarithm problem.

Theorem 1.

In this theorem, we first introduce some players and symbols, $A_n$,$C_n$, and $\mathcal{E}$, denoting the type 1 adversary, challenger, and non-negligible advantages of $A_n$ in a polynomial time. Then, we explain the probability of solving the hyperelliptic curve discrete logarithm problem of $C_n$ in the following equations.

$${\mathcal{E}}^{/}={\left(1-\frac{Q{H}_j}{Q}\right)}^{Q_U}+{\left(1-\frac{1}{Q_U}\right)}^{Q_{ppt}}\left(\frac{1}{Q_U}\right)\left(1-\frac{Q{H}_k}{Q}\right)( 1-\frac{Q{H}_l}{Q})\mathcal{E}$$

Here, $Q{H}_j, Q{H}_k, Q_U, Q_{ppt},$ and $Q{H}_l$ denote the query for $H_j$,$H_k$, user creation query, partial private key query, and the query for $H_l$, respectively.

Proof. 

$A_n$ can win in Theorem 1 with $\mathcal{E}$, and the challenger ($C_n$) is needed to crack the hyperelliptic curve discrete logarithm problem in which $\mathsf{\Upsilon }=\partial .\mathcal{D}$. The challenger ($C_n$) sets $\mathsf{\Upsilon }=\Gamma$ and is required to extract $\partial$. The challenger ($C_n$) suggests some empty lists at the beginning of this process, which are $L_j,L_k,L_{l,},L_{CUQ},L_{PNQ}$, and $L_{PPKQ}$, that can store the information about $H_j$ query, $H_k$ query, $H_l$ query, and user creation query, private number query, and partial private key query, respectively.  □

Phase 1: here, first of all, the challenger ($C_n$) could suggest the target identity $I{D}^{\ast }$, generate public parameter set {$\Gamma =\mathsf{\Upsilon }$,$\mathcal{D}$,$F_p, H_{G=2},H_j,H_k,H_l$}, and send it to $A_n$.

Phase 2: keeping in view the polynomials’ bounded nature, it performs the following queries:

• $H_j$ Query: When $A_n$ submits the $H_j$ query with $\left(I{D}_i,\Gamma ,{\mathcal{I}}_i\right)$, the challenger ($C_n$) combs in $L_j$ and returns $\left(I{D}_i,\Gamma ,{\mathcal{I}}_i,{\Delta }_i\right)$, if it was available previously. Otherwise, it chooses ${\Delta }_i$ from $F_p$ and sends it to$A_n$.
• $H_k$ Query: When $A_n$ submits the $H_k$ query with $\left(m,K\right)$, the challenger ($C_n$) combs in $L_k$ and returns $\left(m,K,r_{1i}\right)$, if it was available previously. Otherwise, it chooses $r_{1i}$ from $F_p$ and sends it to$A_n$.
• $H_l$ Query: When $A_n$ submits the $H_l$ query with $\left(m,K,\Gamma ,{\mathcal{Q}}_i\right)$, the challenger ($C_n$) combs in $L_l$ and returns $\left(m,K,\Gamma ,{\mathcal{Q}}_i,r_{2i}\right)$, if it was available previously. Otherwise, it chooses $r_{2i}$ from $F_p$ and sends it to$A_n$.
• User Creation Query: When $A_n$ submits query with$I{D}_i$, the challenger ($C_n$) combs in $L_{UCQ}$ and returns $({\mathcal{Q}}_i{}^{new}$,${\mathcal{I}}_i{}^{new})$ and (${\mathcal{I}}_i,{\mathcal{Q}}_i$), if they exist. Otherwise, it goes for the following conditions:
  • If $I{D}_i\ne I{D}^{\ast }$, three variables ${\omega }_i,{\varphi }_i,{\Delta }_i$ are chosen by $C_n$, which computes ${\mathcal{I}}_i=\raisebox{1ex}{${\omega }_i. \mathcal{D}-\Gamma $}\!\left/ \!\raisebox{-1ex}{${\Delta }_i$}\right.$, and ${\mathcal{Q}}_i={\varphi }_i. \mathcal{D}$.
  • If $ID=I{D}^{\ast }$, three variables ${\omega }_i,{\varphi }_i,{\Delta }_i$ are chosen by $C_n$, which computes ${\mathcal{I}}_i={\gamma }_i. \mathcal{D}$, ${\mathcal{Q}}_i={\varphi }_i. \mathcal{D}$, and sets ${\omega }_i=null$. Then, it returns (${\mathcal{I}}_i,{\mathcal{Q}}_i$) and renews $({\mathcal{Q}}_i{}^{new}$,${\mathcal{I}}_i{}^{new})$ to $A_n$ and updates $L_{UCQ}$.

• Replace Public Key Query: When $A_n$ submits a query with$I{D}_i$, the challenger ($C_n$) replaces $({\mathcal{Q}}_i{}^{new/}$,${\mathcal{I}}_i{}^{new/})$ and $({\mathcal{Q}}_i{}^{/}$,${\mathcal{I}}_i{}^{/})$ and returns them to $A_n$.
• Private Number Query: When $A_n$ submits a query with$I{D}_i$, the challenger ($C_n$) combs in $L_{PNQ}$ and returns ${\varphi }_i$, if it exists. Otherwise, it goes for the following conditions:
  • If $I{D}_i\ne I{D}^{\ast }$, three variables ${\omega }_i,{\varphi }_i,{\Delta }_i$ are chosen by $C_n$, which computes ${\mathcal{I}}_i=\raisebox{1ex}{${\omega }_i. \mathcal{D}-\Gamma $}\!\left/ \!\raisebox{-1ex}{${\Delta }_i$}\right.$ and ${\mathcal{Q}}_i={\varphi }_i. \mathcal{D}$.
  • If $ID=I{D}^{\ast }$, three variables ${\omega }_i,{\varphi }_i,{\Delta }_i$ are chosen by $C_n$, which computes ${\mathcal{I}}_i={\gamma }_i. \mathcal{D}$, ${\mathcal{Q}}_i={\varphi }_i. \mathcal{D}$, and sets ${\omega }_i=null$. Then, it renews $({\omega }_i{}^{new}$,${\varphi }_i{}^{new})$ and returns to $A_n$ and updates $L_{PNQ}$.

• Partial Private Key Query: When $A_n$ submits a query with$I{D}_i$, the challenger ($C_n$) checks if $I{D}_i\ne I{D}^{\ast }$, and then it combs in $L_{PPKQ}$ and returns ${\omega }_i{}^{new}$, if it exists. Otherwise, it stops the further executions.
• Generate Forward Signature Query: When $A_n$ submits a query with$I{D}_i$, the challenger ($C_n$) combs in $L_j,L_k,L_{l,},L_{CUQ},L_{PNQ}$, and $L_{PPKQ}$ for the record of $(I{D}_i$,${\omega }_i{}^{new}$,${\varphi }_i{}^{new}, {\mathcal{Q}}_i{}^{new}$,${\mathcal{I}}_i{}^{new})$, $(I{D}_i$,$\Gamma , {\mathcal{I}}_i{}^{new})$,$\left(m,K\right)$, and $\left(m,K,\Gamma ,{\mathcal{Q}}_i{}^{new}\right)$. If $ID=I{D}^{\ast }$ or ${\omega }_i=null$, $C_n$ randomly chooses $K$ and $\beta$ and sends them to $A_n$. Otherwise, three variables $𝓀,r_1,r_2$ are chosen by $C_n$, which computes $K=𝓀.\mathcal{D},$ $\beta ={\varphi }_i{}^{new}+r_1𝓀+r_2{\omega }_i{}^{new}$ and returns $K,\beta$ to $A_n$.

Phase 3: $A_n$ generates a forge signature ($K^{forge}$, ${\beta }^{forge}$), $C_n$ checks if it belongs to $I{D}^{\ast }$, and if it does not, it stops further processing. Otherwise, the challenger ($C_n$) combs in $L_j,L_k,L_{l,},L_{CUQ},L_{PNQ}$, and $L_{PPKQ}$ for the record of $(I{D}_i$,${\omega }_i{}^{new}$,${\varphi }_i{}^{new}, {\mathcal{Q}}_i{}^{new}$,${\mathcal{I}}_i{}^{new})$, $(I{D}_i$,$\Gamma , {\mathcal{I}}_i{}^{new})$,$\left(m,K\right)$, and $\left(m,K,\Gamma ,{\mathcal{Q}}_i{}^{new}\right)$. If the above records are not found in $L_j,L_k,L_{l,},L_{CUQ},L_{PNQ}$, and $L_{PPKQ}$, it stops further processing. For the forge signature generation, a genuine value of $𝓀$, ${\varphi }_i{}^{new}$, and ${\omega }_i{}^{new}$ needs to be chosen, which will solve the hyperelliptic curve discrete logarithm problem. Suppose the probability of solving the hyperelliptic curve discrete logarithm problem is $Prob\left(Wins\right)$ and $rob\left(Wins\right)=$ $Prob\left(Event1\wedge Event2\right)$, where $Event1$ represents all the queries, and executions of this theorem are successful, and $Event2$ denotes that $A_n$ generates a forge signature on $I{D}^{\ast }$. Letting $A_n$ forge a forward signature with probability advantages $\mathcal{E}$, we can calculate $Prob\left(Wins\right)=Prob\left(Event1\wedge Event2\right)=Prob\left(Event1\right)Prob\left(Event1.Event2\right)=Prob\left(Event1\right)\mathcal{E}.$ We can define some of the probabilities that follow:

• If there exists no collision during the user creation query, its probability is ${\left(1-\frac{Q{H}_j}{Q}\right)}^{Q_U}$.
• When $A_n$ is not called for the partial private key query on $I{D}^{\ast }$, its probability is ${\left(1-\frac{1}{Q_U}\right)}^{Q_{ppt}}$.
• $A_n$ can send forward a signature if $ID=I{D}^{\ast }$, and its probability is $\frac{1}{Q_U}$.
• $A_n$ can find the valid value from $L_k$, and its probability is $\left(1-\frac{Q{H}_k}{Q}\right)$.
• $A_n$ can find the valid value from $L_l$, and its probability is ($1-\frac{Q{H}_l}{Q}$).
• The combined probability will be what follows:${\mathcal{E}}^{/}={\left(1-\frac{Q{H}_j}{Q}\right)}^{Q_U}+{\left(1-\frac{1}{Q_U}\right)}^{Q_{ppt}}\left(\frac{1}{Q_U}\right)\left(1-\frac{Q{H}_k}{Q}\right)$($1-\frac{Q{H}_l}{Q}$)$\mathcal{E}$.

Using the above probability analysis, we have proved that the proposed scheme resists against the type 1 adversary for forgeability attack, because the adversary is not able to find the solution for the hyperelliptic curve discrete problem.

Theorem 2.

In this theorem, we first introduce some players and symbols, $A_m$, $C_n$, and $\mathcal{E}$, denoting the type 2 adversary, challenger, and non-negligible probability of $A_m$ in a polynomial time. Then, we explain the probability of solving the hyperelliptic curve discrete logarithm problem of$C_n$ in the following equations.

$${\mathcal{E}}^{/}={\left(1-\frac{Q{H}_j}{Q}\right)}^{Q_U}+{\left(1-\frac{1}{Q_U}\right)}^{Q_{ppt}}\left(\frac{1}{Q_U}\right)\left(1-\frac{Q{H}_k}{Q}\right)$$

Here, $Q{H}_j, Q{H}_k, Q_U, Q_{ppt},$ and $Q{H}_l$ denote the query for $H_j$,$H_k$, user creation query, partial private key query, and the query for $H_l$, respectively.

Proof. 

$A_m$ can win in Theorem 2 with $\mathcal{E}$, and the challenger ($C_n$) is needed to crack the hyperelliptic curve discrete logarithm problem in which $\mathsf{\Upsilon }=\partial .\mathcal{D}$. The challenger ($C_n$) sets $\mathsf{\Upsilon }=\Gamma$ and is required to extract $\partial$. The challenger ($C_n$ suggests some empty lists at the beginning of this process, which are$L_j,L_k,L_{l,},L_{CUQ},L_{PNQ}$, and $L_{PPKQ}$, that can store the information about $H_j$ query, $H_k$ query, $H_l$ query, and user creation query, private number query, and partial private key query, respectively.  □

Phase 1: Here, first of all, the challenger ($C_n$) could suggest the target identity $I{D}^{\ast }$, generate public parameter set {$\Gamma =\mathsf{\Upsilon }$,$\mathcal{D}$, $F_p, H_{G=2},H_j,H_k,H_l$}, and send $\Gamma$ and$\partial$ to $A_m$.

Phase 2: keeping in view the polynomials’ bounded nature, it performs the following queries:

• $H_j$ Query: This query is performed as in Theorem 1.
• $H_k$ Query: This query is performed as in Theorem 1.
• $H_l$ Query: This query is performed as in Theorem 1.
• User Creation Query: When $A_n$ submits a query with$I{D}_i$, the challenger ($C_n$) combs in $L_{UCQ}$ and returns $({\mathcal{Q}}_i{}^{new}$,${\mathcal{I}}_i{}^{new})$ and (${\mathcal{I}}_i,{\mathcal{Q}}_i$), if they exist. Otherwise, it goes for the followed conditions:
  • If $I{D}_i\ne I{D}^{\ast }$, three variables ${\omega }_i,{\varphi }_i,{\Delta }_i$ are chosen by $C_n$, which computes ${\mathcal{I}}_i=\raisebox{1ex}{${\omega }_i. \mathcal{D}-\Gamma $}\!\left/ \!\raisebox{-1ex}{${\Delta }_i$}\right.$ and ${\mathcal{Q}}_i={\varphi }_i. \mathcal{D}$.
  • If $ID=I{D}^{\ast }$, three variables ${\omega }_i,{\varphi }_i,{\Delta }_i$ are chosen by $C_n$, which computes ${\mathcal{I}}_i={\gamma }_i. \mathcal{D}$, ${\mathcal{Q}}_i={\varphi }_i. \mathcal{D}$, and sets ${\omega }_i=null$. Then, it returns (${\mathcal{I}}_i,{\mathcal{Q}}_i$) and renews $({\mathcal{Q}}_i{}^{new}$,${\mathcal{I}}_i{}^{new})$ to $A_m$ and updates $L_{UCQ}$.
• Private Number Query: Here, $A_m$ is not allowed to access ${\varphi }_i$ on $I{D}^{\ast }$, and $C_n$ will not stop further executions if $I{D}_i\ne I{D}^{\ast }.$ Otherwise, the challenger ($C_n$) combs in $L_{PNQ}$ and returns ${\varphi }_i$ if it exists.
• Partial Private Key Query: When $A_m$ submits a query with$I{D}_i$, the challenger ($C_n$) combs in $L_{PPKQ}$ and returns ${\omega }_i{}^{new}$ if it exists.
• Generate Forward Signature Query: When $A_m$ submits a query with$I{D}_i$, the challenger ($C_n$) combs in $L_j,L_k,L_{l,},L_{CUQ},L_{PNQ}$, and $L_{PPKQ}$ for the record of $(I{D}_i$,${\omega }_i{}^{new}$,${\varphi }_i{}^{new}, {\mathcal{Q}}_i{}^{new}$,${\mathcal{I}}_i{}^{new})$, $(I{D}_i$,$\Gamma , {\mathcal{I}}_i{}^{new})$,$\left(m,K\right)$, and $\left(m,K,\Gamma ,{\mathcal{Q}}_i{}^{new}\right)$. If $ID=I{D}^{\ast }$ or ${\omega }_i=null$, $C_n$ randomly chooses $K$ and $\beta$, and sends them to $A_m$. Otherwise, three variables $𝓀,r_1,r_2$ are chosen by $C_n$, which computes $K=𝓀.\mathcal{D},$ $\beta ={\varphi }_i{}^{new}+r_1𝓀+r_2{\omega }_i{}^{new}$, and returns $K,\beta$ to $A_m$.

Phase 3: $A_m$ generates a forge signature ($K^{forge}$, ${\beta }^{forge}$), $C_n$ checks if it belongs to $I{D}^{\ast }$, and if it does not, it stops further processing. Otherwise, the challenger ($C_n$) combs in $L_j,L_k,L_{l,},L_{CUQ},L_{PNQ}$, and $L_{PPKQ}$ for the record of $(I{D}_i$,${\omega }_i{}^{new}$,${\varphi }_i{}^{new}, {\mathcal{Q}}_i{}^{new}$,${\mathcal{I}}_i{}^{new})$, $(I{D}_i$,$\Gamma , {\mathcal{I}}_i{}^{new})$,$\left(m,K\right)$, and $\left(m,K,\Gamma ,{\mathcal{Q}}_i{}^{new}\right)$. If the above records are not found in $L_j,L_k,L_{l,},L_{CUQ},L_{PNQ}$, and $L_{PPKQ}$, it stops further processing. For the forge signature generation, a genuine value of $𝓀$, ${\varphi }_i{}^{new}$, and ${\omega }_i{}^{new}$ needs to be chosen, which will the solve hyperelliptic curve discrete logarithm problem. Suppose the probability of solving the hyperelliptic curve discrete logarithm problem is $Prob\left(Wins\right)$ and $rob\left(Wins\right)=$ $Prob\left(Event1\wedge Event2\right)$, where $Event1$ represents all the queries, and executions of this theorem are successful, and $Event2$ denotes that $A_n$ generates a forge signature on $I{D}^{\ast }$. Letting $A_m$ forge a forward signature with probability advantages $\mathcal{E}$, we can calculate $Prob\left(Wins\right)=$ $Prob\left(Event1\wedge Event2\right)=Prob\left(Event1\right)Prob\left(Event1.Event2\right)=Prob\left(Event1\right)\mathcal{E}.$ We can define some of the probabilities that follow:

• If there exists no collision during the user creation query, its probability is ${\left(1-\frac{Q{H}_j}{Q}\right)}^{Q_U}$.
• When $A_m$ is not called for the partial private key query on $I{D}^{\ast }$, its probability is ${\left(1-\frac{1}{Q_U}\right)}^{Q_{ppt}}$.
• $A_m$ can send forward a signature if $ID=I{D}^{\ast }$, and its probability is $\frac{1}{Q_U}$.
• $A_m$ can find the valid value from $L_k$, and its probability is $\left(1-\frac{Q{H}_k}{Q}\right)$.
• $A_m$ can find the valid value from $L_l$, and its probability is ($1-\frac{Q{H}_l}{Q}$).
• The combined probability will be what follows:${\mathcal{E}}^{/}={\left(1-\frac{Q{H}_j}{Q}\right)}^{Q_U}+{\left(1-\frac{1}{Q_U}\right)}^{Q_{ppt}}\left(\frac{1}{Q_U}\right)\left(1-\frac{Q{H}_k}{Q}\right)$($1-\frac{Q{H}_l}{Q}$)$\mathcal{E}$.

Using the above probability analysis, we have proved that the proposed scheme resists against the type 2 adversary for forgeability attack, because the adversary is not able to find the solution for the hyperelliptic curve discrete problem.

Theorem 3.

In this theorem, we will first prove how our proposed scheme provides the integrity of the message [27].

Proof. 

In the proposed scheme, the sender computes $r_1=H_k\left(m,K\right)$ and sends ($r_1$) to the verifier. At the receiving side, the verifier computes $r_{11}=H_k\left(m,K\right)$ and compares if the following equation is satisfied, $r_{11}=r_1$, and then it means that our scheme provides integrity of message.  □

Theorem 4.

In this theorem, we will first prove how our proposed scheme provides authentication between the sender and verifier.

Proof. 

In the proposed scheme, the signer selects $𝓀$ from $F_p$, computes $K=𝓀.\mathcal{D}$, $r_1=H_k\left(m,K\right)$, $r_2=H_l\left(m,K,\Gamma ,{\mathcal{Q}}_i\right)$, $\beta ={\varphi }_i{}^{new}+r_1𝓀+r_2{\omega }_i{}^{new}$, and sends ($K,\beta ,r_1$) to the verifier. The verifier computes ${\Delta }_i=H_j\left(I{D}_i,\Gamma ,{\mathcal{I}}_i\right)$, $r_1=H_k\left(m,K\right)$, $r_2=H_l\left(m,K,\Gamma ,{\mathcal{Q}}_i\right)$, and checks the validity of the signature by computing $\beta .\mathcal{D}={\mathcal{Q}}_i+r_{1}K+r_2\left(\Gamma +{\Delta }_i{\mathcal{I}}_i{}^{new}\right)$; if it is satisfied, the signature is accepted. In Section 5, Correctness, we have shown equality of the followed equation: $\beta .\mathcal{D}={\mathcal{Q}}_i+r_{1}K+r_2\left(\Gamma +{\Delta }_i{\mathcal{I}}_i{}^{new}\right)$; if it is proved, that means that the proposed schemes provide authentication or authenticity security requirements.  □

7. Computational Cost

In this section, we are going to evaluate the efficiency of the proposed scheme with respect to the computational cost based on major operations. Normally, the major operations in cryptographic scheme are considered the operation, such as elliptic curve point multiplication, bilinear pairing operation, exponentiations, and hyperelliptic curve devisor multiplications, respectively. For the evaluation of the proposed scheme with respect to the computational cost, we consider major operations such as exponential $\left(\mathrm{Xe}\right),$ bilinear pairing-based multiplication $\left(\mathcal{B}\mathcal{M}\right)$, hyperelliptic curve multiplication $\left(\mathcal{H}\mathcal{E}\mathcal{C}\mathcal{M}\right),$ bilinear pairing operation $\left(\mathcal{B}𝓀\right)$, and elliptic curve multiplication $\left(\mathcal{E}\mathcal{C}\mathcal{M}\right)$ in the proposed scheme and those of Kim et al. [21], Oh et al. [22], Ko et al. [23], and Zhang et al. [26], respectively. The comparative outcomes are presented in

Table 2. Comparison of computation cost in terms of major operations between Our Scheme and those Kim et al. [21], Oh et al. [22], Ko et al. [23], and Zhang et al. [26].

Schemes	Key Update	Sender	Receiver	Total
Kim et al. [21]	$8\mathrm{Xe} +5\mathcal{B}\mathcal{M}$	$5\mathcal{B}\mathcal{M}+6\mathrm{Xe}$	$3\mathcal{B}\mathcal{M}+3\mathrm{Xe} +4\mathcal{B}𝓀$	$17\mathrm{Xe} +13\mathcal{B}\mathcal{M}+4\mathcal{B}𝓀$
Oh et al. [22]	$1\mathrm{Xe}$	$3\mathrm{Xe}$	$2\mathrm{Xe}$	$6\mathrm{Xe}$
Ko et al. [23]	1Xⅇ	2Xⅇ	$3\mathrm{Xe}$	$6\mathrm{Xe}$
Zhang et al. [26]	$1 \mathrm{Xe}$	$2\mathcal{E}\mathcal{C}\mathcal{M}$	$1\mathcal{E}\mathcal{C}\mathcal{M}$	$1\mathrm{Xe} +3\mathcal{E}\mathcal{C}\mathcal{M}$
Our Scheme	-	$3\mathcal{H}\mathcal{E}\mathcal{C}\mathcal{M}$	$4\mathcal{H}\mathcal{E}\mathcal{C}\mathcal{M}$	$7 \mathcal{H}\mathcal{E}\mathcal{C}\mathcal{M}$

, based on major operations in the proposed scheme and those of Kim et al. [21], Oh et al. [22], Ko et al. [23], and Zhang et al. [26]. The analysis based on time in milliseconds (ms) is included in

Table 3. Computation cost comparison in milliseconds between Our Scheme and those Kim et al. [21], Oh et al. [22], Ko et al. [23], and Zhang et al. [26].

Schemes	Key Update	Sender	Receiver	Total
Kim et al. [21]	8 × 1.25 + 5 × 4.31 = 31.55	5 × 4.31 + 6 × 1.25 = 29.05	3 × 4.31 + 3 × 1.25 + 4 × 14.90 = 76.28	17 × 1.25 + 13 × 4.31 + 4 × 14.90 = 136.88
Oh et al. [22]	1 × 1.25 = 1.25	3 × 1.25 = 3.75	2 × 1.25 = 2.5	6 × 1.25 = 7.5
Ko et al. [23]	1 × 1.25 = 1.25	2 × 1.25 = 2.5	3 × 1.25 = 3.75	6 × 1.25 = 7.5
Zhang et al. [26]	1 × 1.25 = 1.25	2 × 0.97 = 1.94	1 × 0.97 = 0.97	1 × 1.25 + 3 × 0.97 = 4.16
Our Scheme	-	3 × 0.48 = 1.44	4 × 0.48 = 1.92	7 × 0.48 = 3.36

, between Kim et al. [21], Oh et al. [22], Ko et al. [23], and Zhang et al. [26], and the proposed scheme. Note that we have calculated the values used in Table 3 based on the experimental setup of [28], which includes hardware and software specifications such as a PC Intel Corei7, random access memory (RAM) of 8 GB, and a multi-precision integer and rational arithmetic C library, in which $\mathrm{Xe}$ needs 1.25 ms, $\mathcal{B}\mathcal{M}$ consumes 4.31 ms, $\mathcal{H}\mathcal{E}\mathcal{C}\mathcal{M}$ requires 0.48 ms, and $\mathcal{B}𝓀$ needs 14.90 ms, respectively. By using the values contained in Table 3, we generated Figure 3, which clearly indicates that the proposed scheme is efficient as compared to Kim et al. [21], Oh et al. [22], Ko et al. [23], and Zhang et al. [26]. In comparison with the schemes of Kim et al. [21], Oh et al. [22], Ko et al. [23], and Zhang et al. [26], Table 2 and Table 3 and Figure 3 demonstrate that the new approach consumed fewer computing resources by using the hyperelliptic curve cryptography, which uses only 80 bits of key size and provides the same security level as the RSA, as well as elliptic curve cryptography.

For more details, we used the following cost reduction formula: $\frac{Existing Scheme-Newly Proposed Scheme}{Existing Scheme}\ast 100$ [29]. The following computation shows how the proposed scheme provides secure communication with a reduced amount of computation compared to the schemes that are proposed in Kim et al. [21], Oh et al. [22], Ko et al. [23], and Zhang et al. [26], respectively.

• Computational cost reduction process between the newly proposed scheme and Kim et al. [21], which is represented and processed as $\frac{\mathrm{Kim} \mathrm{et} \mathrm{al}.-Newly Proposed Scheme}{\mathrm{Kim} \mathrm{et} \mathrm{al}. }\ast 100=\frac{136.88-3.36}{136.88}\ast 100=97.54\%$.
• Computational cost reduction process between the newly proposed scheme and Oh et al. [22], which is represented and processed as $\frac{\mathrm{Oh} \mathrm{et} \mathrm{al}.-Newly Proposed Scheme}{\mathrm{Oh} \mathrm{et} \mathrm{al}. }\ast 100=\frac{7.5-3.36}{7.5}\ast 100=55.2 \%$.
• Computational cost reduction process between the newly proposed scheme and Ko et al. [23], which is represented and processed as $\frac{\mathrm{Ko} \mathrm{et} \mathrm{al}.-Newly Proposed Scheme}{\mathrm{Ko} \mathrm{et} \mathrm{al}. }\ast 100=\frac{7.5-3.36}{7.5}\ast 100=55.2 \%$.
• Computational cost reduction process between the newly proposed scheme and Ping et al. [26], which is represented and processed as $\frac{\mathrm{Zhang} \mathrm{et} \mathrm{al}. -Newly Proposed Scheme}{\mathrm{Zhang} \mathrm{et} \mathrm{al}. }\ast 100=\frac{4.16-3.36}{4.16}\ast 100=19.23 \%$.

So, we can conclude that the proposed scheme is significantly more efficient by 97.54% compared to [21], 55.2% compared to [22], 55.2% compared to [23], and 19.23% compared to [26] regarding computational cost.

8. Communication Overhead

This section compares the efficiency of the proposed scheme with the other relevant schemes of Kim et al. [21], Oh et al. [22], Ko et al. [23], and Zhang et al. [26] in term of communication overhead. This comparison is based on extra parameters being sent with the message, which include the current timestamp size, bilinear pairing (|Ꝕ|), parameter size (|𝑮|), hash value (|𝓗|), elliptic-curve point size (|𝓠|), and hyperelliptic-curve (|𝓷|) divisor size, respectively. We assume $\left|\mathcal{M}\right|=1024 bits, \left|Ꝕ\right|=1024 bits, \left|G\right|=1024 bits, \left|𝓗\right|=256 \left|𝓠\right|=160 bits, and \left|𝓷\right|=80 bits$. The comparative analysis is performed in

Table 4. Communication overhead analysis between Our Scheme and those Kim et al. [21], Oh et al. [22], Ko et al. [23], and Zhang et al. [26].

Schemes	Communication Overheads	Communication Overheads in Bits
Kim et al. [21]	$\left|\mathcal{M}\right|+6\left|G\right|$	$6\ast 1024+1024=7168 bits$
Oh et al. [22]	$\left|\mathcal{M}\right|+2\left|Ꝕ\right|+\left|\mathscr{H}\right|$	$1024+2\ast 1024+256=3328 bits$
Ko et al. [23]	$\left|\mathcal{M}\right|+3\left|Ꝕ\right|$	$1024+3\ast 1024=4096 bits$
Zhang et al. [26]	$\left|\mathcal{M}\right|+2\left|𝒬\right|$	$1024+2\ast 160=1344 bits$
Our Scheme	$\left|\mathcal{M}\right|+2\left|𝓃\right|$	$1024+2\ast 80=1184 bits$

using the above values between the proposed scheme, Kim et al. [21], Oh et al. [22], Ko et al. [23], and Zhang et al. [26]. We can conclude from Table 4 and Figure 4 that our proposed strategy clearly outperforms the [21,22,23,26] schemes in both characteristics.

For more details, we used the following overhead reduction formula: $\frac{Existing Scheme-Newly Proposed Scheme}{Existing Scheme}\ast 100$ [29]. The following computation shows how the proposed scheme provides secure communication with a reduced amount of computation compared to the schemes that are proposed in Kim et al. [21], Oh et al. [22], Ko et al. [23], and Zhang et al. [26], respectively.

• Communication overheads reduction process between the newly proposed scheme and Kim et al. [21], which is represented and processed as $\frac{\mathrm{Kim} \mathrm{et} \mathrm{al}.-Newly Proposed Scheme}{\mathrm{Kim} \mathrm{et} \mathrm{al}.}\ast 100=\frac{7168-1184}{7168}\ast 100=83.48\%$.
• Communication overheads reduction process between the newly proposed scheme and Oh et al. [22], which is represented and processed as $\frac{\mathrm{Oh} \mathrm{et} \mathrm{al} -Newly Proposed Scheme}{\mathrm{Kim} \mathrm{et} \mathrm{al}.}\ast 100=\frac{3328-1184}{3328}\ast 100=64.42\%$.
• Communication overheads reduction process between the newly proposed scheme and Ko et al. [23], which is represented and processed as $\frac{\mathrm{Ko} \mathrm{et} \mathrm{al}.-Newly Proposed Scheme}{\mathrm{Ko} \mathrm{et} \mathrm{al}. }\ast 100=\frac{4096-1184}{4096}\ast 100=71.09\%$.
• Communication overheads reduction process between the newly proposed scheme and Zhang et al. [26], which is represented and processed as $\frac{\mathrm{Zhang} \mathrm{et} \mathrm{al}. -Newly Proposed Scheme}{\mathrm{Zhang} \mathrm{et} \mathrm{al}. }\ast 100=\frac{1344-1184}{1344}\ast 100=11.90\%$.

So, we can conclude that the proposed scheme is significantly more efficient by 83.48% compared to [21], 64.42% compared to [22], 71.09% compared to [23], and 11.90% compared to [26] regarding communication overheads.

9. Conclusions

To remove the problem of key escrow in existing forward-secure signature schemes, in this paper we have proposed a certificateless forward-secure signature scheme based on the hyperelliptic curve for the Internet-of-Things environment. The security analysis of this newly designed scheme is performed under the random oracle model (ROM), in which we have shown the proposed scheme safeguarded from type 1 and type 2 adversaries regarding forgeability and forward security requirements. The computational cost and communication overheads comparisons show that the proposed scheme is significantly efficient compared to existing similar schemes. From the above discussion, we have concluded that the proposed scheme has good quality such as being key-escrow-free, unforgeable, forward-secure, and having low computational cost and low communication overheads. With these qualities, it would be a suitable approach for resource-hungry IoT devices which can communicate with each other using the open Internet.