I2PA : An Efficient ABC for IoT

Internet of Things (IoT) is very attractive because of its promises. However, it brings many challenges, mainly issues about privacy preserving and lightweight cryptography. Many schemes have been designed so far but none of them simultaneously takes into account these aspects. In this paper, we propose an efficient ABC scheme for IoT devices. We use ECC without pairing, blind signing and zero knowledge proof. Our scheme supports block signing, selective disclosure and randomization. It provides data minimization and transactions' unlinkability. Our construction is efficient since smaller key size can be used and computing time can be reduced. As a result, it is a suitable solution for IoT devices characterized by three major constraints namely low energy power, small storage capacity and low computing power.


INTRODUCTION
Internet has changed our way of living. In fact, it has become an integral part of our life. As a ubiquitous communication platform, it has undergone remarkable development in recent years. The concept of IoT has been emerged and envisages to integrate all real-world objects into the Internet. The evolution of IoT concept has given rise to others concepts such as IoE for Internet of Everything or IoV for Internet of Vulnerabilities. Some people even talk about IoP [1] for Internet of People. According to Cisco forecasts [2], there would be 50 billions connected devices by 2020.
In most cases, communications between devices require authentication itself based on authentication factors [3]. Authentication is also based on identification which makes activities of an entity traceable since each device is directly or indirectly associated with its owner. The current infrastructure is based on centralized architecture which allows no control of data by their owners; this is a threat to privacy preserving. Security in current infrastructures is guaranteed in most cases by PKIs (Public Key Infrastructures) that can guarantee that messages are not compromised and only recipients are able to open and read them (integrity, confidentiality and authenticity are guaranteed). PKIs main objective is to guarantee keys encryption authenticity. However, they cannot protect users' privacy and users cannot get a credential on a subset of their attributes without letting the CA (Certification authority) see the resulting credential. Moreover, when authenticating to a service provider, users must show their whole credential instead of just proving their eligibility for that access. We must therefore think to migrate to decentralized architectures and user-centric.
The ultimate challenges can be summarized to this fundamental question: How to minimize the amount of data disclosed about oneself and provide only the bare minimum necessary ? Nowadays, to the best of our knowledge, the most convenient way to protect users' privacy remains using anonymous credential systems also known as Attribute-Based Credentials (ABCs). ABCs are building blocks for user-centric identity management [4]. With ABCs, it is possible to get a signature on a set of attributes and then use this later to access others services. Seeing the abstractness of some attributes (nationality, age class, occupation, affiliation, profession, etc.), the entire mechanism can remain anonymous and therefore guarantees concerned entities' privacy. Authentication is carried out by revealing the bare minimum necessary. Better, it is possible, for a set of attributes, to prove their possession instead of revealing their values; from where the concept I2PA meaning "I Prove Possession of Attributes".
There are two major families of ABC systems, namely those based on blind signatures (BS) and those based on zero-knowledge proofs (ZKP). In terms of anonymous credential, there are two flagship schemes; Idemix of IBM and U-prove of Microsoft [5]. While Idemix's building block [6] is based on Camenish-Lysyanskaya signature scheme [7] (CL-Signature), U-prove is based on Stefan Brand's digital signature [8] instead. Nowadays, there are many contributions (U-prove, Idemix, IRMA of Radboud University of Nijmegen [9] based on Idemix, etc.). However, when tackling privacy concerns, none of this schemes is fully adapted in an IoT environment characterized by three major constraints namely low computing power, very limited storage capacity and low energy autonomy. In fact, these models are based either on RSA cryptosystem [10] or on Pairing-Based Cryptography [11]. Some of them are based on ECC without pairing (U-prove for instance) but do not fully take into account some fundamental features relative to privacy preserving. Indeed, Lucjan et al. [12] showed that unlinkability feature is not fully taken into account by U-prove. With reference to RSA based cryptosytems, the major problem remains keys' size which will necessarily rise problem of storage, performance in computing time and bandwidth usage. Pairing-based cryptosystems, although considered as very robust, are not applicable in an IoT context seeing that they are too greedy in term of computing time. The relative computation cost of a pairing is approximately twenty times higher than that of the scalar multiplication. The model presented by Gergely et al. [13] is very efficient in a sensor network but does not guarantee anonymity since the verifier has a database of identifiers. Fuentes et al. [14] present a very interesting result in Vehicular ad hoc network but their scheme lacks generality. Even if Idemix is the most advanced in terms of implementation, it is subject of improvement. Authors in [15] show that at equal security level, an RSA key is at least six times longer than an Elliptic Curve Cryptography (ECC) key. Further, in major cases, operations are faster on ECC than in RSA based schemes. Another important point is that, in an RSA cryptosystem, when keys' size are no longer sufficient to guarantee a secure level, it is recommended to double their size what is not necessarily the case for ECC cryptosystem. Another important contribution [16] is build on top of Idemix scheme. It has been successfully implemented, deployed, and tested. However, the criticisms of Idemix remain valid toward it. The U-prove scheme, by its generality, can be implemented either on the basis of subgroup or using ECC. However, as shown by Lucjan et al. [12], unlinkability feature is not fully taken into account. Indeed, if a token is presented twice to a verifier, then the later knows that it is the same token. This means that unlinkability in U-prove can be achieved only by using different credentials [17], what requires the client device to have additional storage space.
The relevance of our contribution lies in the fact that it offers a good level of security and drastically reduces keys' size. Credentials' randomizations, selective disclosure and unlinkability features are very interesting results that contribute in guaranteeing non traceability. Edwards curves, known as the curves in which cryptographic calculations are faster [18], are privileged. We then win in memory usage, performance in computing time and bandwidth usage. Analysis presented in section 6 show that our scheme is very efficient. Its level of abstractness makes it applicable in any IoT environment.
The rest of this paper is organized as flow. We start by reviewing some mathematic backgrounds in section 2 while definitions of some flagship concepts are presented in section 3. Section 4 presents an architecture of ABC system and in section 5, our contribution is presented. Section 6 is related to complexity analysis and this paper is ended by a conclusion and perspectives in section 7.

MATHEMATIC BACKGROUND
Elliptic Curves Cryptography (ECC) was presented independently by Koblitz [19] and Miller [20] in the 80s. Their structure of group and performance in computing time they offer make them a new direction in cryptography. The following section is a brief description on ECC.

Définition
An Elliptic Curve E over a field K can be described as the set of K × K satisfying the equation : where a i ∈ K to which we add a point at infinity O, defined as the intersection of all vertical lines. An additional requirement is that the curve must be "smooth", which means that the partial derivations ∂E ∂y and ∂E ∂x have no common zeros. Depending on the characteristic of the field K, the equation below can be simplified [3][?].
1) When char(K) = 2, 3 the equation can be simplified to y 2 = x 3 + ax + b, where a, b ∈ K. 2) When char(K) = 2 and a 1 = 0, the equation can be simplified to y 2 + xy = x 3 + ax 2 + b, where a, b ∈ K. This curve is said to be non-supersingular. If a 1 = 0, the equation can be simplified to y 2 + cy = x 3 + ax + b,where a, b, c ∈ K. This curve is said to be supersingular. 3) When char(K) = 3 and a 2 1 = −a 2 the equation can be simplified to This curve is said to be non-supersingular. If a 2 1 = −a 2 , the equation can be simplified to y 2 = x 3 +ax+ b, a, b ∈ K. This curve is said to be supersingular. The "figure 1" is an illustration of the curve y 2 = x 3 −x over R.
Theorem 2.1 (Hasse's theorem). Let E be an elliptic curve defined over a finite field K with q elements, then the result of Hasse states that :

Edwadrs' curves
Edwards, generalizing an example from Euler and Gauss, introduced an addition law for the curves x 2 + y 2 = c 2 (1 + Figure 1: An Elliptic Curve of equation x 2 y 2 ) over a non-binary field K. He showed that every elliptic curve over a non-binary field K can be expressed in the form x 2 + y 2 = c 2 (1 + x 2 y 2 ) if K is algebraically closed. Bernstein and Lange [21] generalized the addition law of the curves x 2 +y 2 = c 2 (1+dx 2 y 2 ). Let char(K) = 2, 3 and let E(K) has a unique point of order 2. Then, E can be written in Edwards form : Let P 1 (x 1 , y 1 ), P 2 (x 2 , y 2 ) and P 3 (x 3 , y 3 ) be points of the curve such that P 3 = P 1 P 2 . The Edwards addition law over E d is described as follow : This group law is complete and strongly uniform. The doubling operation is given by the following equation : 2(x, y) = ( 2xy This addition law presents interesting results : • If d is a non-square in K, the addition law is complete. This ensures that denominators are never zero. • The addition law is strongly unified, i.e., it can be also used for doubling.
Addition in Edwards curve is known to be the fastest among all families of elliptic curves used to implement Cryptography.

Elliptic Curve Discret Logarithm Problem (ECDLP)
The basic operations of ECC are point scalar computations (also known as scalar multiplication) of the form : The Elliptic Curve Discrete Logarithm Problem (ECDLP) is the problem of retrieving k given P and Q, where P and Q are points of the curve and k is an integer uniformly chosen at random in the interval [1,r-1](r denotes the order of P). The assumed difficulty of this problem is the basis of security in elliptic curve public key cryptosystems. Point scalar multiplication can be performed efficiently using algorithms such as Double-and-Add .

DEFINITION
The aim of this section is to define some leading terms in this paper namely attribute, credential, blind signing and zero-knowledge-proof.

Attribute
An attribute is a characteristic or a qualification of a person. It can either be an identifying or non-identifying property. For example, "full name", "address", "social security number", are identifying attributes. Attributes such as "is a student" and "is a teenager" are nonidentifying as they do not uniquely identify a person; such properties can belong to other people as well.

Credential
A credential is a set of attributes digitally signed by a trusted third party(issuer). In others words, a set of attributes together with the corresponding cryptographic information. A credential is similar to a certificate in terms of content but they are different in the way they are used. While certificate usage requires showing all its content, a credential can be used by showing some parts and hiding or proving knowledge of others. Credentials are important in identity management systems. They certify that an entity has certain characteristics, knowledges, skills, etc. One main point is that credentials involve attributes of an entity without including identity information which allows linking the credential to its owner. As illustrated in the "figure 2", a credential has three main parts: a secret key of its owner, a set of attributes and a signature of an issuer on that set of attributes. A credential includes others informations such as expiry date.

Zero-Knowledge Proofs
The past decades have witnessed the emergence of several new cryptographic notions. In 1985, Goldwasser, Micali and Rackoff [22] introduced the concept of zeroknowledge interactive proofs that enables an entity, a prover, to convince another entity, a verifier, of the validity of a statement without revealing anything else beyond the assertion of this statement. Zero-Knowledge Proofs are elegant techniques to limit the amount of information transferred from a prover to a verifier in a cryptographic protocol. The "table 1" describes Schnorr's proof of knowledge also known as Schnorr's Identification protocol. Given a group G of prime order q, in which the discrete logarithm problem (DLP) is hard, and a generator g ( g = G), a prover proves to a verifier that he knows a secret value x, uniformly chosen at random from Z * q , corresponding to a public value h = g x ∈ G.
There is a formal symbolic notation of ZKP as described in "equation 3".

Blind signing
In many applications involving anonymity, it is often desirable to allow a participant to sign a document without knowing its content; this is known as blind signature. It is typically used in privacy-related protocols where the signer and credential owner are different parties. It can be used in e-cash or privacy-vote.

Blindness
Let U 0 and U 1 be two honest users and A be a PPT (Probabilistic Polynomial-Time) adversary which plays the role of the signer engaged in the issuing scheme with U 0 and U 1 on messages m b and m 1−b where b is chosen uniformly at random in {0, 1}. U 0 and U 1 output the signatures σ b and σ 1−b . After that,

ARCHITECTURE
A general architecture of Privacy-ABC consists of three main entities, a User (credential owner also known as Prover), an Issuer (trusted third party or credential signer ) and a Verifier (services provider or secure resource owner). The Issuer issues credential(s) for a User, which can later be used for authentication purposes. Such an architecture may optionally include an entity that takes care of revocation of credentials (Revocation authority) and another entity (Inspector) that can revoke the anonymity of users. Inspection and revocation are beyond the scope of this paper. The main phases are described in the following section.
• Set-up : Performed to output system's parameters • Issuance : An interactive protocol between a User and an Issuer. By issuing a credential to a User, the Issuer guarantees the correctness of attributes' values contained in the credential. • Presentation : An interactive protocol in which a User reveals or proves possession of some attributes or claims about attributes. This phase is also known as verification. • Inspection : Provides conditional anonymity. It enables a trusted party, the so called Inspector, to revoke, in some conditions, anonymity of cheating provers. • Revocation : Ends the validity of credentials whenever necessary.
All those phases are illustrated in "figure 3". At the core of Privacy-ABCs systems, untraceability and unlinkability are the most important privacy-related features. Additional features are also supported [17][4], without exhaustivity, we cite.
• Authenticity : Refers to the feature that guarantees that the content of an ABC signed by the issuer cannot be modified • Non-transferability : Refers to the feature that guarantees that prevents the user from transferring her ABC to another user of the system. • Minimal information : Refers to the privacy feature that guarantees that during the verification protocols no other information is revealed to the verifier beyond the disclosed attributes, the credential names and the corresponding issuers.
• Multi-show unlinkability : Refers to the privacy feature that guarantees that different presentations of a given credential cannot be linked. • Issuance unlinkability : Refers to the privacy feature which guarantees that the presentation of a credential cannot be linked to its issuance. • Selective disclosure : Allows a user to prove only a subset of attributes to a verifier. • Carry-over attributes : Enables users to carry over some attributes from an existing credential into a new one without disclosing them to the Issuer. • Predicate proof : Allows logical operators, such as greater or smaller than, to be applied on attributes without disclosing them; • Prove of holdership : A cryptographic evidence for proving ownership or possession of a credential. • Unforgeability : Refers to the feature that guarantees that none malicious third party can forge a valid ABC. • Etc.

CONTRIBUTION
In this sections, our scheme is described. We focus on three main phases namely set-up, issuance and verification (showing, presentation). We also present a selective disclosure protocol and randomization of credential.

Set-up
The set-up is the first algorithm to be ran to extract system's parameters from a security parameter k. This algorithm is described as follows : • {p, E(F p ), P, P pub , H } ←− 1 k Where : • k : a security parameter • p : a prime number that defines the field F p . • E : an elliptic curve defined over F p . • P ∈ E(F p ) : a base point of prime order q. • x ∈ R F * q : issuer's secret key. • P pub = x.P : issuer's public key.
• H : a hash function defined as follow :

Issuance
When the set-up algorithm is successfully ran, the system's parameters are available and ready to be used. The issuer is ready to issue credentials. When a user wants to be issued a credential, he runs an interactive algorithm with the issuer at the end of which a credential should be issued for him. Issuance unlinkability property should be ensured. The way it is done is that not only the issuer can not store the issued credential but also, thanks to the blinding mechanism, he may not see the credential's content while signing. The issuing protocol on a single message is an interactive protocol of three steps between Prover and Issuer as described below : • Blinding : The issuer starts by generating a random integerk ∈ F * q , computes the resulting pointR =k.P and sendsR to the User. After receivingR, the User generates random factors α and β. He blinds his document and sends it to the Issuer. The User should prove knowledge of m 0 , this is very important to guarantee unforgeability. • Singing : After receiving the blinded document, the Issuer signs it with his secret key x by computinḡ s ≡hx +k(mod q). He sends the blinded and signed document to the User. • Unblinding : After receiving the blinded and signed document, the User unblinds it with his blind factors α and β without invalidating it. He can also verify that the signature is correctly computed.

Signature on a single message
For convenient notation, all proofs of knowledge would be noted P K. The corresponding proofs is those mentioned in the so called protocol. All the details of the issuing protocol on a single message are described in "table 2".
Outputs (R,s) the blind version of (R,s)R Theorem 5.1. The prosed scheme is fully blind.
Proof. Froms ≡hx +k(mod q), we have α ≡ hx(s − k) −1 (mod q). Thus α ∈ F * q is unique. It follows that β ≡ s − αs(mod q) is also unique. Thus, there always exist α and β, regardless of (R,h,s) and (m, R, s), such that (R,h,s) and (m, R, s) have the same relation. Therefore, an adversary A outputs a correct value b ′ with probability exactly 1 2 . As a result, the issuing protocol is fully blind.
Theorem 5.2. The proposed scheme is (ǫ ′ , t ′ , q i , q h )secure in the sense of unforgeability under chosen message attack (UE-CMA) in the random oracle model, assuming that the (ǫ, t)-ECDL assumption holds in P , where ǫ and q i , q h are the number of issue and hashing queries, respectively, the adversary is allowed to perform while T denotes the time for a scalar multiplication operation.
Proof. Assuming that there exists a forger A that can forge a credential while playing the game of chosen message attack (CMA) [23], we construct an algorithm M A that uses A to solve the discrete logarithm problem. Without losing generality, we assume that q i q h < q. The following section is adapted from the proof presented by Joseph K Lui et al [24].
• Setup: M A receives the problem P 1 : (k, p, q, E(F p ), P, P sec ) and should find x such that P sec = x.P . It chooses a hash function H which behaves like a random oracle, sets P pub = P sec and sends the public parameters (k, p, q, E(F p ), P, P pub , H) to A expecting it forges a credential. M A and A start playing the game of chosen message attack [23]. • Hashing oracle: M A starts by initializing and empty database. When A sends m i for hashing, M A checks whether or not that message has already been sent. If so, it picks h i from database and returns it as a response to that query, otherwise it picks h i uniformly at random from F * p ,stores the couple (m i , h i ) in the database and returns h i as a response to that query. • Issuing oracle: When A queries the issuing oracle for the message m i , M A first checks whether m i has already been queried for issuing. If so, it aborts and the game is stopped (Event 1) [23], otherwise, it computes h i = RO(m i )(where RO denotes the hashing oracle), picks random value s i from F * p , computes R i = s i .P − h i .P pub and sends (R i , s i ) to A as response to its issuing query. As we can see, the algorithm is valid since s i .P = h i .P pub + R i . • Forging step: Finally A outputs a forged signature σ * = (s * , R * ) on message m * with h * . It computes and extracts x as solution of the DLP. • Probability analysis: The simulation fails if A queries the same message for issuing (Event 1). This happens with probabilité at most ( q h q ). Hence, the simulation is successful with probability at least (1 − q h q ) qi ≥ (1 − q h qi q ) (provable by recurrence reasoning). The tuple (m * , R * , s * ) is a valid credential with probability at least 1 − 1 q and M A guesses it correctly with probability at least 1 q h [24]. Finally, the overall successful probability is [24]. The time complexity of the algorithm M A is t ′ = t + O(q i )T since the issuing oracle computes at most 2q i T scalar multiplications.

Verification
Once the credential is issued, the user can be authenticated by a service provider. As for the issuing algorithm, he must perform an interactive protocol with the service provider at the end of which an access to the so called service might be granted or denied. The prover must prove knowledge of his secret key. This guarantees unforgeability property. The verifying protocol is described in "table 3".

Randomized version
With rapid development of modern technologies, many digital services involved in our life emphasize user privacy. Blind signature is a well-known technique to address privacy concerns. When a user presents the same signature (R, s) multiple times, he could be traceable; R, s could be stored by the verifier even if this can not be linked to issuance. The randomized version allows a user to derive a random signature from a valid one without invalidating it. The randomization feature is fundamental because it contributes in guaranteeing multi-show unlinkability. The prover generates a random factor r from which a random signature (R,ŝ) is derived. The randomization process is described in "table 4".

Signature on a block of messages
A credential rarely contains one attribute. In this section, we consider a credential of l attributes (m 1 , ..., m l ). The issuing protocol on a block of messages is described in "table 5" . The verification protocol remains the same as in section 5.4.
Outputs (R,s) the blind version of (R,s)R

Selective disclosure
The fundamental principle of privacy master is data minimization. Selective disclosure is a way to achieve this. It is the ability of an individual to granularly decide what information to share. In our context , it is a very interesting feature that lets a user decides what attributes to disclose while being authenticated. How user and verify agreed on the attributes to disclose is beyond the scope of this paper. After convinced about hidden and revealed attributes, the verifier grants access to the prover. More concretely, in the selective disclosure protocol, the prover decides to disclose a subset of attributes, let us say m n+1 , m n+2 , ..., m n+l while m 0 , m 1 , ..., m n remain secret. The selective disclosure protocol is described in "table 6".

COMPLEXITY ANALYSIS
Design an algorithm is good, design an efficient algorithm is better. Let P be a problem, M 1 and M 2 two methods designed to solve P. Answer to the question: which of the methods M 1 and M 2 is more efficient is not trivial unless one knows their complexity. A complexity is a mathematical approximation to estimate the number of operations and/or memory required for an algorithm to solve a problem. A good algorithm must therefore use as little memory as possible and make the processor work less than possible. In the remain of this section, we adopt the following notations : • M s : Scalar multiplication over EC This section aims to compare complexities of schemes Idemix, U-prove and I2PA. While tackling IoT devices, the case of Idemix could be left behind because a basic RSA operation (inversion or elevation to power on large numbers) is more expensive than a well designed operation on an EC [15] [25]. It should be noted that basic arithmetic operations such as addition and multiplication are negligible, in terms of resource consumption, compared to operations in elliptic curves or RSA base operations (power elevation and inversion). Given that the Idemix model does not have, as far as we know, an implementation on EC, we will focus on the memory usage. In the rest of this section, we consider a credential of n attributes to sign and verify. Results presented below are based on papers [26][5] [6][10] [17] and simplified schemes presented by Alpár Gergely [27][28].

Operations over curve comparison
In this first part of comparative study, we focus on U-prove and I2PA schemes regarding operations on the elliptic curve. We do not consider the hash function because its fundamental property is that it should be very easy and quick to compute. The comparison results are recorded in "table 7".  Table 7 shows that, what should be the number of attributes to issue and verify, U-prove performs more operations in the curve than I2PA. In addition, the issuance is far more expensive in U-prove than in I2PA especially when the number of attributes grows. We can safely conclude, without going wrong, that I2PA is more efficient than Uprove in term of computing time when system's parameters are the same.

Memory usage comparison
In this second part of comparative study, we are interested in memory usage. We compare the number of bits in the issuing phase. This choice is justified by the fact that, in the verification phase, the verifier has nothing to store. We adopt the following notation : • T : Total of variables needed in this phase • P: Total of variables to be stored permanently in this phase In addition, we assume that all variables of a protocol have the same size and this size is the same that the security level. If in the Idemix model we work with 1024 bits, then in I2PA and U-prove we can work with 160 bits expecting the same security level [15]. Results obtained are recorded in "table 8". This table show that, at user side, I2PA and U-prove require around 1024(n+9) bits while Idemix requires around 1024(n+6) bits. However, at issuer side, I2PA presents interesting results (around 1600 bits independent on the number of attributes) compared to U-prove and I2PA that require respectively 160(2n+8) and 1024(n+9). We can also see that if implementation is based on RSA cryptosystem, U-prove presents less interesting results than Idemix. Finally, we can conclude that I2PA is very efficient compared to Idemix and U-prove, the two leaders in terms of anonymous credentials.

Feature comparisons
In this last part of comparative study, we focus on the number of key features that need to be carefully considered when tackling privacy concerns in an IoT context. We consider three scenarios for a feature. It can be totally, partially or not at all supported (not provided). The following legend is adopted: • : Fully supported • × : Not supported • ⊘ : Partially supported The "table 9" is a summary of features comparison.

Bandwidth saving ×
Idemix issuance is not totally blind because two of the three parts of the resulting credential are known by the issuer. These two elements are A and e of the signature (A, e, v). In addition, this model is not optimal with lowresource devices and bandwidth optimization. U-prove, meanwhile, does not support the randomization feature. Even if the signature phase is blind, the issues related to traceability are not fully taken into account. Indeed, the triple (h ′ , c ′ , r ′ ) where (c ′ , r ′ ) constitutes the signature, if presented several times, may be traceable. The problem can be seen in two angles. First h ′ constituting the user's public key, is required in the verification phase. Since the latter only depends on the signed attributes and the secret key of the user, then the probability of having two credentials with the same public key is almost zero. Secondly, lack of randomization may be a problem. To guarantee nontraceability in U-prove, one needs several credentials [12]. In our schema, the triple (h, R, c) can become (h, R ′ , c ′ ) where (R ′ , c ′ ) is a random version of (R, c) without invalidating the signature.

CONCLUSION
Until a recent period, authentication without identification was impossible. Anonymous credentials are a suitable way to do it. In this paper, we propose an efficient Attribute-Based Credentials scheme for IoT. We use Elliptic Curves, Zero Knowledge Proof, Blind Signing, Selective Disclosure and Randomization. Our scheme guarantees anonymity; a fundamental aspect for privacy preserving. As stated in section 5.2, our scheme is (ǫ ′ , t ′ , q i , q h )-secure in the sense of unforgeability under chosen message attack in the random oracle model. Complexities presented in section 6 show that our scheme is very suitable with an IoT environment with severely constrained resources. Future work would include performance study, predicate proof over attributes, inspection and revocation protocols.