A Privacy Preserving Authentication Scheme for Heterogeneous Industrial Internet of Things

Tan, Zuowen; Jiao, Jintao; Yu, Mengjiang

doi:https://doi.org/10.1155/2022/9919089

Security and Communication Networks

On this page

Abstract Introduction Preliminaries System Model Experimental Results Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2022 | Article ID 9919089 | https://doi.org/10.1155/2022/9919089

A Privacy Preserving Authentication Scheme for Heterogeneous Industrial Internet of Things

Zuowen Tan,¹Jintao Jiao,¹and Mengjiang Yu¹

Academic Editor: Kuo-Hui Yeh

Received14 Jul 2022

Revised21 Sept 2022

Accepted27 Sept 2022

Published17 Oct 2022

Abstract

Nowadays, the industrial Internet of Things (IIoT) is playing a promising role in the optimization of industrial systems. IIoT devices generate a great amount of data that could be used for different applications. Due to the untrusted nature of machine-to-machine (M2M) communication channels, data authenticity and integrity are an important issue that must be addressed. Especially, it is challenging to deal with the privacy disclosure that the heterogeneity of IIoT brings about. In this paper, we propose a privacy-preserving scheme for authenticity in heterogeneous IIoT systems. Our authentication schemes support many kinds of IIoT devices with multicryptographic configurations such as RSA-based, DL-based, ECC-based, and lattice-based cryptosystems. We provide the formalized proof of the unforgeability and privacy of the proposed schemes in the random oracle model. The experimental simulation demonstrates that the proposed schemes are feasible in the heterogeneous IIoT environment.

1. Introduction

With the great increment of smart devices, the Internet of Things (IoT) has made tremendous changes in the way people live. Smart devices in the IoT can connect with each other and exchange information with each other. Among all fields of the IoT, the industrial IoT (IIoT) is the most important one [1]. IIoT has the characteristics of real-time, automation, information interconnection, and so on. By introducing many kinds of sensors, wireless communications, artificial intelligence, and other technologies into the industrial production process, IIoT has greatly improved productivity and quality. Meanwhile, the production costs and resource consumption are reduced, and the intelligence degree of the traditional industry has been promoted to a higher level. Despite its great convenience, one of the major obstacles to widely adopting IIoT is its security risks [2]. Since the IIoT is a network with highly coupled heterogeneous devices, the industries are mostly concerned with the integrity and authenticity of the data which is generated and transmitted by the IIoT devices. In most cases, the IIoT data are transmitted via a public channel. These data are easily intercepted by the adversary. Hence, it is essential to ensure that the data are from legal devices, and the data are not tampered with by a malicious adversary.

Signature schemes are usually used to ensure integrity and authenticity. Nevertheless, since the nature of the existing signature schemes is homogeneous, most of them can only provide data authenticity in a single cryptosystem. Due to the heterogeneity of IIoT, multiple cryptographic systems are always applied for data authenticity [3, 4], and such cryptographic systems are usually based on RSA, DL, and ECC. In addition, due to the consideration of postquantum security, a cryptographic system based on lattice has already been implemented in IIoT [5]. On the other hand, the privacy of the data sender in IIoT is very important under many circumstances. If the public key is used to verify the validity of the signature, the privacy of the sender’s identity will be leaked.

1.1. Motivation

Due to the complexity of practical network architecture in the IIoT environment, it is urgent to design an authentication scheme for the heterogeneous IIoT systems with distinct cryptosystems. Li et al. [6] proposed the SAMA scheme which considers the situation that the devices in IIoT use the same cryptographic configuration. However, it is quite possible that devices in IIoT networks may use different kinds of cryptographic systems. In order to remove this limitation, Wei et al. [7] propose an improved authentication scheme with different system parameters (hereafter, called improved SAMA). However, the improved SAMA scheme only considers the RSA nodes and DL nodes. In fact, there are more devices that adopt other cryptosystems, such as the elliptical cryptosystem. In recent years, more and more attention is paid to postquantum cryptographic algorithms. The threat from quantum computers will emerge in the future, so antiquantum attack cryptographic algorithms have attracted great attention [8]. Some researchers such as Paul and Guerin [9] and Zhang et al. [10] have already conducted a lot of research on postquantum cryptography to secure IIoT. Among the existed postquantum cryptographies, lattice-based cryptography brings the advantage of high-security guarantees and performance efficiency.

In addition, privacy is another major concern in IIoT [11]. To the best of our knowledge, privacy issues in IIoT have not been treated very well in the existing literature, which is a potentially fatal threat. When the IIoT devices transmit data through communication channels, the adversaries could intercept the messages and reveal the identities of the devices.

Motived by the above limitations, we propose novel message authentication schemes with more kinds of nodes compared with the improved SAMA scheme. Our scheme allows the devices in the IIoT to use RSA-based systems, ElGamal-based systems, ECC-based systems, and quantum cryptography. We also consider the privacy preservation of the IIoT devices while the scheme can provide data authenticity. In order to achieve these two goals at the same time, we chose the ring signature to design the authentication schemes in the heterogeneous IIoT environment.

1.2. Contribution

We construct novel authentication schemes over a multicryptosystem (hereafter, called ASMC) for the heterogeneous IIoT environment. The main contributions of this paper are as follows:(1)We propose two ASMC schemes that support heterogeneous devices with multicryptographic configurations such as RSA-based, DL-based, ECC-based, and lattice-based cryptosystems. This solution brings greater flexibility to the authentication for heterogeneous IIoT. Moreover, the ASMC scheme can provide the devices with strong privacy protection.(2)Based on the hardness assumption of the complex problem, we give the proof of unforgeability against adaptive chosen-message-and-chosen-ring attacks and privacy under the random oracle model.(3)The IIoT devices only need to do lightweight signing operations online; some expensive operations can be preprocessed offline. So, even if there are lattice-based nodes that may need more computation power, our schemes are still suitable for the IIoT environment.

1.3. Related Work

In order to achieve data authenticity [12], researchers have conducted a lot of related works.

In these years, considerable efforts have been paid for the authentication scheme for the resource constrained devices. Bali and Kumar [13] proposed secure clustering for efficient data dissemination among vehicles, and a trust metric was presented by considering various transmission characteristics of vehicles. He et al. [14] proposed a privacy-preserving data aggregation scheme for the smart grid against internal attacks. Bordel et al. [15] applied watermarking and physically unclonable functions to their scheme which can authenticate data in the IoT system, and the scheme is also suitable for 5G networks. Roy et al. [16] proposed a lightweight authentication scheme based on cryptographic hash, bitwise, and fuzzy extractor functions. Peng et al. [17] proposed a mechanism called verifiable query layer (VQL) which can work effectively and guarantee data authenticity. Jain and Prabhakar [18] constructed a system to ensure authenticity and integrity of data in a dynamic database where the server could be untrusted. Challa et al. [19] designed a scheme between a smart meter and a cloud server, and they also give the security and cost analysis of the scheme.

At the same time, the digital signature schemes are usually used to ensure data authenticity for the devices that need to transmit data to each other. Ring signature is one of the important cryptographic primitives which can provide both message authentication and the anonymity of the actual signer. The first ring signature scheme was designed by Rivest et al. [20] in 2001. Any member in the ring can anonymously sign a message, and any receiver can verify the authenticity of the signature. Herranz [21] proposed a ring signature scheme based on RSA. In 2008, Ren and [22] introduced a ring signature scheme based on the ElGamal signature. Recently, some lattice-based ring signature schemes against quantum attacks have been proposed. Liu et al. [23] proposed a lattice-based ring signature that is proven secure against chosen-message attacks. Mundhe et al. [24] proposed a lattice-based ring signature that can provide identity privacy and location privacy. Ren et al. [25] proposed a lattice-based linkable ring signature scheme based on the Borromean ring signature.

1.4. Paper Organization

The remaining paper is organized as follows: in Section 2, we present some preliminaries. Section 3 introduces the threat model and security model. Section 4 constructs our ASMC schemes and gives its security analysis. In Section 5, we compare the proposed protocols with the relevant improved SAMA scheme in terms of computation cost and communication overhead. Finally, Section 6 concludes this paper.

2. Preliminaries

In this section, we will briefly review some cryptographic assumptions. Table 1 lists the notations used throughout this paper. Preliminaries.

2.1. Elliptic Curve over

Let be an odd prime with . An elliptic curve over is defined by the equation , where , and . The set consists of all points , , , which satisfy the above equation, together with an additional point called the point at infinity.

2.2. Complexity Assumptions

DLP: Given a finite cyclic group , a generator of , and an element h, the DLP is to find the integer , , such that .

ECDLP: Given an elliptic curve defined over a finite field , a point of order in , and a point that is a multiple of , the ECDLP is to find the integer , such that .

SVP (shortest vector problem): Given a monic polynomial and a lattice corresponding to an ideal in the ring , for , the is to find an element such that , where is the shortest length of a nonzero vector in [26].

Lyubashevsky and Micciancio [27] introduced a family of collision-resistant hash functions based on the worst-case hardness of standard lattice problems over ideal lattices.

For any integer and , let be the family of functions such that for any , , where , , , and all the operations are performed in the quotient polynomial ring .

Given an element , the collision problem of lattice-based hash function is to find distinct elements and in such that . The function family is collision-resistant when the input domain is suitably chosen in .

Theorem 1 (Hardness of collision-resistant hash function [27]). Let be the ring for a power of two. Define the set for some integer . Let be a hash function family as the above definition such that and . If there is a polynomial-time algorithm that solves for random with some non-negligible probability, then there is a polynomial-time algorithm that can solve for every lattice corresponding to an ideal in , where .
In this paper, we set . The setting ensures that the conditions required by the above theorem are verified, and finding collisions for implies an algorithm for breaking SVP in the case over ideal lattices for polynomial gaps.

2.3. Statistical Distance

Statistical distance is a measure of the difference between two probability distributions [28]. Let and be two random variables over a countable set . The statistical distance between and is defined by

3. System Model

This section gives a brief discussion of the network, threat, and security model of the proposed scheme. We assume that the IIoT is heterogeneous, and the devices may use different cryptographic systems, and a privacy-preserving authentication scheme (ASMC) based on ring signature over a multicryptosystem is proposed under such circumstance.

3.1. Network Model

In the proposed ASMC scheme, we consider the network model with cloud data centers for the IIoT device authenticity and privacy. The network model is shown in Figure 1. Specifically, we consider an IIoT network where the devices may be deployed by different workshops or different factories for collecting many types of data. Hence, these devices may use various system parameters. We assume that all the system parameters, public, and private keys have been stored in the devices before they are deployed. After the deployment, devices will collect data and transmit the data to the cloud data centers.

3.2. Attack Model

The IIoT devices connect with each other via an insecure channel. During the data transmitting process, an adversary can eavesdrop, intercept, and modify the transmitted data of both devices. So, the IIoT devices are vulnerable to various attacks. We apply the Dolev–Yao (DY) attack model [29] in the presented scheme, and there are two types of adversaries in the system.(1)Passive adversary can eavesdrop on the data transmitted in the public channel, such as collecting the messages sent by the IIoT devices. Then, the adversary may analyze the intercepted message and try to reveal the content of the message and identify the real data sender. Since one type of IIoT device always generates a specific kind of data, thus the kind of data implies the type of device. So, the disclosure of the message type may leak the sender’s privacy such as identity.(2)Active adversary may actively launch different attacks which include man-in-the-middle, brute force attack, data injection, and so on. can intercept and modify the messages during data transmission or inject fake messages into the data channel. An IIoT device may be corrupted and controlled by an active adversary. When an IIoT device is compromised, the adversary can access all the secret information of the device.

3.3. Security Model

In IIoT, many devices transmit data via the insecure channels. In order to mitigate the various types of attacks launched by the passive adversary and active adversary, the ASMC schemes aim at providing the message transmitted with authenticity, integrity, and privacy.

The message authenticity and integrity require that a message is sent by a legal device and has not been altered by any other devices. This security goal is guaranteed by the unforgeability of the underlying ring signature scheme in ASMC. Privacy protection requires that the identity and other private information of the message sender is well protected. The anonymity of the underlying ring signature scheme in ASCM can meet the requirement of privacy. So, the security goals of the ASMC scheme are unforgeability and anonymity.

Unforgeability. The property means that it is difficult for to forge a valid signature of an honest ring member in the ASMC scheme. The security model allows the adversary to mount the following two attacks:(1)Adaptive chosen-message attack: can acquire the signature of a message chosen by the adversary in the forge attack phase.(2)Adaptive chosen-ring attack: can choose the ring members and acquire a signature regarding the chosen ring.

In the security model, is allowed to make the following oracle queries: , , , and (for details, see the proof of Theorem 2). Now, we can define the unforgeability.

Definition 1. Existential unforgeability against adaptive chosen-message-and-ring attack (EUF-ACMRA): an ASMC scheme is said to satisfy the existential unforgeability against the adaptive chosen-message-and-ring attack if no probabilistic polynomial-time adversary has a non-negligible advantage in the experiment as defined in Table 2, where the advantage of the adversary is defined byAnonymity. This property indicates that the ASMC scheme will not reveal the identity of the real data sender.

Definition 2. Anonymity
For the ASMC scheme, we define the advantage of any probabilistic polynomial-time adversary in the experiment as defined in Table 2, and an ASMC scheme is said to provide the anonymity of the actual signer if the advantage is negligible for any with a security parameter , with querying oracles , , , , , and (for details, see the proof of Theorem 4).

4. 4. Our Authentication Scheme over Multicryptosystem

In the following section, we construct two ASMC schemes, corresponding to two situations, respectively, adjacent nodes using the same cryptographic system as shown in Figure 2 and the mixture of distinct cryptosystem nodes as shown in Figure 3.

4.1. ASMC for Adjacent Nodes Using the Same Cryptosystem

In order to provide the legitimacy of one’s identity, the signature schemes based on RSA, DL (discrete logarithm), ECC (elliptic curve), and lattice are mostly used at present. For simplicity, we make the assumptions that each node in the IIoT system can use only one type of these four schemes. For adjacent nodes using the same cryptosystem, the ASMC scheme is composed of the following phases.

For clarity, we assume that the number of each type of cryptosystem nodes in the system is n. The ring consists of RSA nodes (with indices from 1 to ), DL nodes (with indices from to ), ECC nodes (with indices from to ), and lattice nodes (with indices from to ).

. KGC generates for DL nodes, for ECC nodes, and for lattice nodes, where is a nonzero element chosen randomly from . The parameters denote the system public parameters. The hash functions are , , and .

. After the is executed, each node will be equipped with . Specially, the key pairs are generated as follows.

Each RSA node has a private key and a public key . A hash function is also generated, where .

Similarly, each DL node i has a private key and a public key , where is chosen randomly from and . Each ECC node i has a private key and a public key , where and .

For the lattice node , the system generates a vector . If none of the vector component is invertible, then it regenerates the vector. Otherwise, set as the node’s private key. Let be any of the invertible vector components. Then, the system generates and . The public key is . We have

. Suppose that the node in the ring wants to generate a ring signature. The generation of a ring signature consists of the offline-sign and online-sign phases.

Offline-Sign.

For any RSA node in R, select and compute .

For any DL node in R, select and compute .

For any ECC node in R, select and compute .

For any lattice node in R, select and compute .

Online-Sign.

According to the kind of the node, the real signer j generates the ring signature about the message m as shown in the following steps:(1)Signing by an RSA node(1)Node chooses a random number and computes .(2)For , Node i computes(3)Node computes .(4)For , Node i computes(5)Node computes(6)For , Node i computes(7)Node computes(8)For , Node i computes(9)Node computes .(10)For , Node i computes(11)Node computes .(2)Signing by a DL node(1)Node chooses randomly , and Node i computes(2)For , Node i computes(3)Node computes(4)For , Node i computes(5)Node computes(6)For , Node i computes(7)Node computes .(8)For , Node i computes(9)Node computes(10)For , Node i computes(11)Node computes .(3)Signing by an ECC node(1)Node chooses randomly , and it computes(2)For , Node computes(3)Node computes(4)For , Node computes(5)Node computes .(6)For , Node computes(7)Node computes(8)For , Node computes(9)Node computes(10)For , Node computes(11)Node computes .(4)Signing by a lattice node(1)Node chooses randomly , and it computes(2)For , computes(3)Node computes .(4)For , computes(5)Node computes(6)For , Node computes(7)Node computes(8)For , Node computes(9)Node computes(10)For , Node computes(11)Node computes .

Let . Then, the final ring signature on the message m is .

Once receiving an ASMC signature , one can check the authenticity and integrity regarding as follows:(1)For , the verifier computes(2)The verifier computes .(3)For , the verifier computes(4)The verifier computes .(5)For , the verifier computes(6)The verifier computes(7)For , the verifier computes(8)The verifier computes .

If , the signature is valid. Otherwise, it is invalid.

4.2. ASMC for the Mixture of Distinct Cryptosystem Nodes

In this case, we assume that the ring includes RSA nodes, DL nodes, ECC nodes, and lattice nodes, and they are mixed as shown in Figure 3. Now, the ASMC scheme for a mixture of distinct cryptosystems is different from the ASMC scheme for the first case, especially in the and phase.

and are the same as those ones of ASMC in the first case.

The Offline-Sign in the case is the same as the Offline-Sign in the first case. Here, we only give the description of Online-Sign.

Online-Sign.

Step 1. Initialization.
If Node is an RSA, DL, ECC, or lattice node, it randomly chooses , , or , respectively. Then, Node j computesNext, Node j computes

Step 2. Forward the sequence.
For , Node i computesNext, it computes with the same manner as above .

Step 3. Form the ring. Finally, Node computesLet . Then, the ring signature on the message m is .Upon receiving an ASMC signature , the receiver can check the authenticity and integrity regarding by verifying the signature as follows.
The verifier computes and as the same as and in the online phase. Finally, it computesIf , the verifier believes the authenticity and integrity of the received message. Otherwise, it outputs .

5. Security Analysis of Our Scheme

5.1. Message Authenticity and Integrity Analysis

The proposed ASMC scheme guarantees the message authenticity and integrity, due to the underlying ring signature being existentially unforgeable against adaptive chosen-message- and-chosen-ring attacks.

Our ring signature scheme is an extension of the 1-out-of-n signature scheme proposed by Abe et al. [30]. The theorems of Abe et al. [30] show that if all the nodes in the ring use the same type of cryptosystems such as the RSA-type, DL-type, or ECC-type, the ring signature scheme is unforgeable.

However, Abe et al. [30] did not consider the lattice-type cryptosystem. In the following section, we will show that the ring signature is existentially unforgeable if all the nodes in the ring are lattice nodes.

Theorem 2. If a -adversary exists in the ASMC scheme for all the nodes in the ring being lattice nodes, a -simulator can find two vectors and such that with the probability at least and the cost time at most for at least one node in . Here, and on the condition that and , where is the order of the quotient polynomial ring .

Proof. For simplicity, the hash function is written as . Thus, can be treated as that uses as th query and returns , where is a set of public keys. The experiment is carried out as follows.
Initialization The simulator starts the unforgeable experiment with , , and .
Setup generates for lattice nodes, where is a nonzero element chosen randomly from .
Query1 makes queries on , , , , and hash oracle with repeatedly. These oracles can make responses as follows.
If , return , otherwise generate.
, add into and return
If , return , otherwise set as the public key of signer with identity , add to and identity to , finally returns .
If , return , otherwise add identity into and return .
If , return , else uniformly choose from , add into and return .
If , return , else generate the signature as follows.
For any member in the ring R including , if , return . Otherwise, there are two cases.(1)If , call the algorithm to create a signature (2)If , do the following four steps:

Step 4. Choose .

Step 5. For , select , compute , where is part of system public parameters , and then we compute if.

Step 6. Assign to the value of and add into .

Step 7. Form the signature as .
Finally, we return signature and add into .
Challenge chooses the message and ring that he wants to challenge. For any member in the ring , if and ) or , return , otherwise continue to carry on the next phase.
Query2 queries , , , , and hash oracle the same as the phase, Query1, but he is not allowed to query with anyone in the ring and with .
Forge Finally, after those phases above, returns a forged signature for the ring .
The oracle fails if inconsistencies of emerge in Step-3. The probability is at most where is the order of the quotient polynomial ring . So, can succeed times with probability greater than .
Let be the view given to the signing oracle and . Let be a set of with which is successful in forge. For the success probability of restricted by , and , we have . Let be a forged signature that outputs. We define and for . Due to the ideal randomness of , there exist queries with probability at least , for . Let be a subset of . Then, we haveLet . Since the queries form a ring, there exists at least one such that and with . Then, is between the gap of query order. Let be a gap index. Note that happens only if . We will classify by the gap indices. Let be a class which yields gap indices . Hence, there are at most classes. By invoking with randomly chosen at most times, can find at least one for a gap index with probability .
Let and . Then, it holds that . Due to the heavy-row lemma [31], that yields the successful run of is in with probability at least . We split as where corresponds to the answers to all queries except for answered with . Due to the heavy-row lemma [31], again, with probability at least , satisfies . We assume and . It holds that .
By running up to times with obtained in the first successful run and randomly chosen , then with probability at least , finds at least one such that . Since happens before , will not change. Therefore, gets two distinct tuples and that satisfies . Then, we will have . Thus, a collision of the lattice-based hash function has been found. The overall success probability is , and the number of invocations of isBy applying the similar technique in [30], with the mixture case of multi-type cryptosystems, we have Theorem 3.

Theorem 3. With regard to the ring, consists of the public keys of nodes, if a -adversary does exist, a -simulator is allowed to interact with who can make queries on the hash oracles up to times and the signing oracle up to times, and then can compute for with probability greater than 3/5 and running time or compute the discrete-logarithm of such that with probability and running time or compute elliptic-curve-discrete-logarithm of such that with probability and running time or compute and finds two vectors and such that with probability and running time .

So, the proposed ASMC ring signature with the mixture case of multi-type cryptosystems is existentially unforgeable against adaptive chosen-message and chosen-ring attacks.

By combining the proofs of the theorems in [30] and Theorem 2, we can easily get the proof of Theorem 3. Now, we omit the detailed proof.

2. Privacy analysis. The privacy of the proposed ASMC schemes can be guaranteed by the anonymity of the ring signature scheme.

Theorem 4. (Anonymity). For , let be the signature of a member in the ring about message in the proposed ASMC schemes. With a probabilistic polynomial-time turning machine, the statistical distance (as defined in Eq. 1) between the two signatures generated by signer and signer holds for any polynomial and sufficiently large under the random oracle model.

Proof. Here, we will prove that the statistical distance between two signatures is negligible. There is a simulator and an adversary in . Assume that is granted the ability to access the security key of any member in the ring, and is allowed to query with the oracles , , , , and hash oracles. The anonymity experiment is carried out asfollows.
Initialization The anonymity experiment starts with , , , , , and .
Setup generates for DL nodes, for ECC nodes, and for lattice nodes, where is a nonzero element chosen randomly from . The generated parameters are considered as public parameters .
Query 1 makes queries on , , , , and hash oracles repeatedly. makes responses about the oracle queries as follows.
: if , return , otherwise generate , add into , and return .
: if , return , else uniformly choose from , add into , and return .
, , and are handled similarly as . is chosen randomly from the legal domain, and the pair is added into the corresponding oracle list , , or .
: If , return , else generate the signature as follows.
For any member in the ring R including , if , return . Otherwise, there are two cases.(1)If , call the algorithm to create a signature .(2)If Node 1 is an RSA, DL, ECC, or lattice node and , it randomly chooses from , , , or , respectively, and generate , , , with the same manner as the ASMC scheme.Lastly, program hash oracle asForm the signature as and add into .
Finally, return the signature. , and are handled the same as in Theorem 2.
Challenge chooses two identities , and message , the oracle is handled as follows.
- If or , return . Otherwise, we generate a ring which contains the public keys of and the public key of . If , return . Otherwise, we generate a signature by calling where . Finally return the signature . Note that the triple is also added to the list .
Query 2 The adversary queries , , , , and hash oracles in the same way as in Query 1, but he is not allowed to query about with any k in the ring or with .
Finally, returns a guess of bit according to the signature from .
Since the pair of the two signatures and are the same as each other, we will omit it when we measure the statistical distance between and . Set the as a vector of coordinates. Thus, each coordinate is independent of each other. For clarity, and are written as and . All the signature coordinates except for of are directly chosen uniformly from the domains defined in the ASMC scheme (here, we refer the domain as domain , but the meaning of domain for distinct kinds of nodes is different), while of signature is not directly chosen from the domain . We set , . The distance between and isThe variables are used in the real signer’s secure value computation, and they are generated uniformly as , , , and . So, can still be considered a uniform chosen variable. is generated by random oracles with uniform distributions as , , , . So, we have Equation (2).
If the security parameter is larger enough, for any polynomial , and will have an upper bound. Then, we have for any polynomial and sufficiently large .

6. Efficiency Analysis and Experimental Results

In this section, we will give an analysis of the computation cost and the communication overhead of the proposed schemes. To the best of our knowledge, there is no other heterogeneous IIoT authentication system in the literature that supports multiple cryptosystems except for Sun’s authentication scheme which supports two different cryptosystems. So, we just compare the scheme proposed by Wei et al. [7] with our schemes.

Table 3 gives the comparison of the computation costs of the proposed ASMC schemes and the scheme proposed by Wei et al. [7]. For the sake of fairness, we assume that the number of nodes in the two schemes is the same. Each ring has n nodes. Furthermore, we assume that the proportion of each type of node in the two schemes is the same. Specifically, there are RSA nodes and DL nodes in [7], while there are RSA nodes, DL nodes, ECC nodes, and Lattice nodes in our scheme.

Let and denote the signature generation and verification exponentiation operations carried out by an RSA node. Similarly, let and denote the signing and verification exponentiation operations carried out by a DL node. Let and represent the signing and verification elliptic curve multiplication operations carried out by an ECC node. Let and represent the signing and verification polynomial multiplication operations carried out by a lattice node.

Table 4 gives the comparison of the communication overhead between Wei et al. [7] and our ASMC scheme. is the size of a random number in the signature chosen by the RSA node, while and are the size of random numbers chosen by the DL node and ECC node, respectively. is the size of the generator of the quotient polynomial ring , and is the number of polynomials contained in one vector which is chosen by the lattice node. We set the security level as 1024-bit RSA, 1024-bit DL, 160-bit ECC. As for lattice nodes, we choose = 256, and set to a 16bit prime number, and we note that the meaning of those symbols is the same as in Theorem 1. As the size of is much bigger than the others, so the communication overhead of our ASMC scheme is higher than the scheme of Wei et al. [7], as shown in Table 4. Considering that the communication overhead of lattice-based signatures is generally larger than that of other type signatures, even the communication overhead of our ASMC scheme is several times of Wei et al. [7], it is still acceptable compared with other lattice-based ring signature schemes. When the number of signing nodes is 20, the communication overhead of our ASMC scheme is 42.5 K bytes, while the communication overhead of other lattice-based ring signature schemes is basically of the same order of magnitude as ours or even larger. For instance, the communication overhead of SALRS proposed by Liu et al. [32] is 53.6k with 16 ring members.

Table 5 gives the simulation experiments’ computation time based on different values of n on a PC. The configuration is Intel Core i7-8550 [email protected] GHz and 16 GB RAM with Window 10 operating system. The signature is generated by using the NTL [33]. The computational time of every operation is calculated as the average time of 10 executions. Our simulation is based on the architecture of adjacent nodes using the same cryptographic system. Since the actual operations remain the same in the architecture of a mixture of distinct cryptosystem nodes, so the results of the two architectures shown in Figures 2 and 3 are similar.

Figures 4–6 show the computation time of a different number of signing nodes in the phase Offline-Sign, Online-Sign, and verification, respectively. From the experiment results, we can see that the computational cost of our ASMC scheme is lower than that of [7], and the computational cost difference between the two schemes increases with the number of signing nodes.

7. Conclusion

In this paper, we proposed two novel privacy-preserving message Figure 6 authentication schemes that allow IIoT devices to use different security systems and parameters. Our AMSC schemes can support four kinds of nodes. Analysis shows that the ASMC schemes can provide the authentication and integrity of the message and the anonymity of the message senders.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest.

Acknowledgments

This work was partially supported by the National Natural Science Foundation of China under Grant no. 61862028, Graduate Innovation Foundation of Jiangxi Province No. YC2020-B123, and the Foundation of Wuyi University under Grant no. 2018L3013.

References

K. W. Rehman, H. M. Zangoti, M. K. Afzal, N. Armi, and K. Salah, “Industrial Internet of things: Industrial internet of things: Recent advances, enabling technologies and open challengesecent advances, enabling technologies and open challenges,” Computers & Electrical Engineering, vol. 81, Article ID 106522, 2020.
View at: Publisher Site | Google Scholar
A. Kaci and A. Rachedi, “Toward a Machine Learning and Software Defined Network Approaches to Manage Miners’ Reputation in Blockchain,” Journal of Network and Systems Management, vol. 28, no. 3, pp. 478–501, 2020.
View at: Publisher Site | Google Scholar
Q. Jing, A. V. Vasilakos, J. Wan, J. Lu, and D. Qiu, “Security of the internet of things: perspectives and challenges,” Wireless Networks, vol. 20, no. 8, pp. 2481–2501, 2014.
View at: Publisher Site | Google Scholar
F. Li, H. Zhang, and T. Takagi, “Efficient Efficient Signcryption for Heterogeneous Systemsigncryption for heterogeneous systems,” IEEE Systems Journal, vol. 7, no. 3, pp. 420–429, Sept. 2013.
View at: Publisher Site | Google Scholar
R. V. Begum, N. Shanmugasundaram, and N. Ganesh, “Lattice-based cryptography using internet of things,” International Journal of Information and Computing Science, vol. 6, no. 4, pp. 444–451, April 2019.
View at: Google Scholar
J. Li, Y. Li, J. Ren, and J. Wu, “Hop-by-Hop Hop-by-Hop Message Authenticationand Source Privacy in WirelessSensor Networksessage authentication and source privacy in wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 5, pp. 1223–1232, May 2014.
View at: Publisher Site | Google Scholar
J. Wei, T. V. X. Phuong, and G. Yang, “An An Efficient Privacy Preserving Message Authentication Scheme for Internet-of-Thingsfficient privacy-preserving message authentication scheme for internet-of-things,” IEEE Transactions on Industrial Informatics, vol. 17, no. 1, pp. 617–626, Jan. 2021.
View at: Publisher Site | Google Scholar
L. Wang, C. Huang, and H. Cheng, “Quantum attack-resistant signature scheme from lattice cryptography for WFH,” in Proceedings of the 2021 IEEE 2nd International Conference on Big Data Artificial Intelligence and Internet of Things Engineering (ICBAIE), pp. 868–871, Nanchang, China, March 2021.
View at: Google Scholar
S. Paul and E. Guerin, “Hybrid OPC UA: enabling post-quantum security for the industrial internet of things,” in Proceedings of the 2020 25th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA), pp. 238–245, Vienna, Austria, September 2020.
View at: Google Scholar
X. Zhang, C. Xu, H. Wang, Y. Zhang, and S. Wang, “Lattice-based forward secure public-key encryption with keyword search for cloud-assisted industrial internet of things,” IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 3, pp. 1019–1032, 2021.
View at: Google Scholar
T. Wang, M. Z. A. Bhuiyan, G. Wang, L. Qi, J. Wu, and T. Hayajneh, “Preserving Preserving Balance Between Privacy and Data Integrity in Edge-Assisted Internet of Thingsalance between privacy and data integrity in edge-assisted internet of things,” IEEE Internet of Things Journal, vol. 7, no. 4, pp. 2679–2689, 2020.
View at: Publisher Site | Google Scholar
L. Zhou, K. H. Yeh, G. Hancke, Z. Liu, and C. Su, “Security and Security and Privacy for the Industrial Internet of Things: An Overview of Approaches to Safeguarding Endpointsrivacy for the industrial internet of things: an overview of approaches to safeguarding endpoints,” IEEE Signal Processing Magazine, vol. 35, no. 5, pp. 76–87, 2018.
View at: Publisher Site | Google Scholar
R. S. Bali and N. Kumar, “Secure clustering for efficient data dissemination in vehicular cyber–physical systems,” Future Generation Computer Systems, vol. 56, pp. 476–492, 2016.
View at: Publisher Site | Google Scholar
D. He, N. Kumar, and J.-H. Lee, “Privacy-preserving data aggregation scheme against internal attackers in smart grids,” Wireless Networks, vol. 22, no. 2, pp. 491–502, 2016.
View at: Publisher Site | Google Scholar
B. Bordel, R. Alcarria, T. Robles, and M. S. Iglesias, “Data Data Authentication and Anonymization in IoT Scenarios and Future 5G Networks Using Chaotic Digital Watermarkinguthentication and anonymization in IoT scenarios and future 5G networks using chaotic digital watermarking,” IEEE Access, vol. 9, pp. 22378–22398, 2021.
View at: Publisher Site | Google Scholar
S. Roy, S. Chatterjee, A. K. Das, S. Chattopadhyay, N. Kumar, and A. V. Vasilakos, “On the On the Design of Provably Secure Lightweight Remote User Authentication Scheme for Mobile Cloud Computing Servicesesign of provably secure lightweight remote user authentication scheme for mobile cloud computing services,” IEEE Access, vol. 5, pp. 25808–25825, 2017.
View at: Publisher Site | Google Scholar
Z. Peng, H. Wu, B. Xiao, and S. Guo, “VQL: providing query efficiency and data authenticity in blockchain systems,” in Proceedings of the 2019 IEEE 35th International Conference on Data Engineering Workshops (ICDEW), pp. 1–6, Macao, China, April 2019.
View at: Google Scholar
R. Jain and S. Prabhakar, “Guaranteed Authenticity and Integrity of Data from Untrusted Servers,” in Proceedings of the 2014 IEEE 30th International Conference on Data Engineering, pp. 1282–1285, Chicago, IL, USA, April 2014.
View at: Google Scholar
S. Challa, A. K. Das, P. Gope, N. Kumar, F. Wu, and A. V. Vasilakos, “Design and analysis of authenticated key agreement scheme in cloud-assisted cyber–physical systems,” Future Generation Computer Systems, vol. 108, pp. 1267–1286, 2020.
View at: Publisher Site | Google Scholar
R. L. Rivest, A. Shamir, and Y. Tauman, “How to leak a secret,” in Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, pp. 552–565, Australia, December2001.
View at: Google Scholar
J. Herranz, “Identity-Identity-based ring signatures from RSAased ring signatures from RSA,” Theoretical Computer Science, vol. 389, no. 1-2, pp. 100–117, 2007.
View at: Publisher Site | Google Scholar
J. Ren and L. Harn, “Generalized Generalized Ring Signaturesing signatures,” IEEE Transactions on Dependable and Secure Computing, vol. 5, no. 3, pp. 155–163, 2008.
View at: Publisher Site | Google Scholar
J. Liu, Y. Yu, J. Jia et al., “Lattice-based double-authentication-preventing ring signature for security and privacy in vehicular Ad-Hoc networks,” Tsinghua Science and Technology, vol. 24, no. 5, pp. 575–584, 2019.
View at: Publisher Site | Google Scholar
P. Mundhe, V. K. Yadav, S. Verma, and S. Venkatesan, “Efficient Efficient Lattice-Based Ring Signature for Message Authentication in VANETsattice-based ring signature for message authentication in VANETs,” IEEE Systems Journal, vol. 14, no. 4, pp. 5463–5474, 2020.
View at: Publisher Site | Google Scholar
Y. Ren, H. Guan, and Q. Zhao, “An efficient lattice-based linkable ring signature scheme with scalability to multiple layer,” Journal of Ambient Intelligence and Humanized Computing, vol. 13, no. 3, pp. 1547–1556, 2021.
View at: Publisher Site | Google Scholar
V. Lyubashevsky, “Fiat-Shamir with aborts: applications to lattice and factoring-based signatures,” in Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, pp. 598–616, Tokyo, Japan, December 2009.
View at: Google Scholar
V. Lyubashevsky and D. Micciancio, “Generalized compact knapsacks are collision resistant,” in Proceedings of the 33rd International Conference on Automata Languages and Programming, pp. 144–155, Venice, Italy, July 2006.
View at: Google Scholar
C. A. Melchor, S. Bettaieb, X. Boyen, L. Fousse, and P. Gaborit, “Adapting Lyubashevsky’s signature schemes to the ring signature setting,” in Proceedings of the 6th International Conference on Cryptology in Africa (AFRICACRYPT), pp. 1–25, Cairo, Egypt, June 2013.
View at: Google Scholar
D. Dolev and A. C. Yao, “On the security of public key protocols,” IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208, 1983.
View at: Publisher Site | Google Scholar
M. Abe, M. Ohkubo, and K. Suzuki, “1-out-of-n signatures from a variety of keys,” IEICE Transactions, vol. 87, no. 1, pp. 131–140, 2004.
View at: Google Scholar
K. Ohta and T. Okamoto, “On concrete security treatment of signatures derived from identification,” in Proceedings of the Annual International Cryptology Conference, pp. 354–369, Santa Barbara CA USA, Augest1998.
View at: Google Scholar
Z. Liu, K. Nguyen, G. Yang, H. Wang, and D. S. Wong, “A Lattice-Based Linkable Ring Signature Supporting Stealth Addresses,” in Proceedings of the 24th European Symposium on Research in Computer Security, pp. 726–746, Luxembourg, September2019.
View at: Google Scholar
V. Shoup, “NTL: A Library for Doing Number Theory,” Version 11.5.0, 2021, https://www.shoup.net/ntl.
View at: Google Scholar

Copyright

Copyright © 2022 Zuowen Tan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

383

Downloads

345

Citations