#### Abstract

Nowadays, the industrial Internet of Things (IIoT) is playing a promising role in the optimization of industrial systems. IIoT devices generate a great amount of data that could be used for different applications. Due to the untrusted nature of machine-to-machine (M2M) communication channels, data authenticity and integrity are an important issue that must be addressed. Especially, it is challenging to deal with the privacy disclosure that the heterogeneity of IIoT brings about. In this paper, we propose a privacy-preserving scheme for authenticity in heterogeneous IIoT systems. Our authentication schemes support many kinds of IIoT devices with multicryptographic configurations such as RSA-based, DL-based, ECC-based, and lattice-based cryptosystems. We provide the formalized proof of the unforgeability and privacy of the proposed schemes in the random oracle model. The experimental simulation demonstrates that the proposed schemes are feasible in the heterogeneous IIoT environment.

#### 1. Introduction

With the rapid growth in the number of smart devices, the Internet of Things (IoT) has made tremendous changes in the way people live. Smart devices in the IoT can connect and exchange information with each other. Among all fields of the IoT, the industrial IoT (IIoT) is the most important one [1]. IIoT is characterized by real-time operation, automation, information interconnection, and so on. By introducing many kinds of sensors, wireless communications, artificial intelligence, and other technologies into the industrial production process, IIoT has greatly improved productivity and quality. Meanwhile, production costs and resource consumption are reduced, and the degree of intelligence of traditional industry has been raised to a higher level. Despite its great convenience, one of the major obstacles to widely adopting IIoT is its security risks [2]. Since the IIoT is a network of highly coupled heterogeneous devices, industries are mostly concerned with the integrity and authenticity of the data generated and transmitted by the IIoT devices. In most cases, the IIoT data are transmitted via a public channel, where they are easily intercepted by an adversary. Hence, it is essential to ensure that the data come from legitimate devices and have not been tampered with by a malicious adversary.

Signature schemes are usually used to ensure integrity and authenticity. Nevertheless, since the nature of the existing signature schemes is homogeneous, most of them can only provide data authenticity in a single cryptosystem. Due to the heterogeneity of IIoT, multiple cryptographic systems are always applied for data authenticity [3, 4], and such cryptographic systems are usually based on RSA, DL, and ECC. In addition, due to the consideration of postquantum security, a cryptographic system based on lattice has already been implemented in IIoT [5]. On the other hand, the privacy of the data sender in IIoT is very important under many circumstances. If the public key is used to verify the validity of the signature, the privacy of the sender's identity will be leaked.

##### 1.1. Motivation

Due to the complexity of practical network architecture in the IIoT environment, it is urgent to design an authentication scheme for heterogeneous IIoT systems with distinct cryptosystems. Li et al. [6] proposed the SAMA scheme, which considers the situation in which the devices in IIoT use the same cryptographic configuration. However, it is quite possible that devices in IIoT networks use different kinds of cryptographic systems. In order to remove this limitation, Wei et al. [7] proposed an improved authentication scheme with different system parameters (hereafter called improved SAMA). However, the improved SAMA scheme only considers RSA nodes and DL nodes. In fact, there are more devices that adopt other cryptosystems, such as elliptic curve cryptosystems. In recent years, more and more attention has been paid to postquantum cryptographic algorithms. The threat from quantum computers will emerge in the future, so quantum-resistant cryptographic algorithms have attracted great attention [8]. Some researchers such as Paul and Guerin [9] and Zhang et al. [10] have already conducted a lot of research on postquantum cryptography to secure IIoT. Among the existing postquantum cryptographic schemes, lattice-based cryptography brings the advantage of high-security guarantees and performance efficiency.

In addition, privacy is another major concern in IIoT [11]. To the best of our knowledge, privacy issues in IIoT have not been treated very well in the existing literature, which is a potentially fatal threat. When the IIoT devices transmit data through communication channels, the adversaries could intercept the messages and reveal the identities of the devices.

Motivated by the above limitations, we propose novel message authentication schemes with more kinds of nodes compared with the improved SAMA scheme. Our scheme allows the devices in the IIoT to use RSA-based systems, ElGamal-based systems, ECC-based systems, and quantum cryptography. We also consider the privacy preservation of the IIoT devices while the scheme provides data authenticity. In order to achieve these two goals at the same time, we chose the ring signature to design the authentication schemes in the heterogeneous IIoT environment.

##### 1.2. Contribution

We construct novel authentication schemes over a multicryptosystem (hereafter, called ASMC) for the heterogeneous IIoT environment. The main contributions of this paper are as follows:

(1) We propose two ASMC schemes that support heterogeneous devices with multicryptographic configurations such as RSA-based, DL-based, ECC-based, and lattice-based cryptosystems. This solution brings greater flexibility to the authentication for heterogeneous IIoT. Moreover, the ASMC scheme can provide the devices with strong privacy protection.

(2) Based on the hardness assumption of the complex problem, we give the proof of unforgeability against adaptive chosen-message-and-chosen-ring attacks and privacy under the random oracle model.

(3) The IIoT devices only need to do lightweight signing operations online; some expensive operations can be preprocessed offline. So, even if there are lattice-based nodes that may need more computation power, our schemes are still suitable for the IIoT environment.

##### 1.3. Related Work

In order to achieve data authenticity [12], researchers have conducted a lot of related works.

In recent years, considerable effort has been devoted to authentication schemes for resource-constrained devices. Bali and Kumar [13] proposed secure clustering for efficient data dissemination among vehicles, and a trust metric was presented by considering various transmission characteristics of vehicles. He et al. [14] proposed a privacy-preserving data aggregation scheme for the smart grid against internal attacks. Bordel et al. [15] applied watermarking and physically unclonable functions to their scheme which can authenticate data in the IoT system, and the scheme is also suitable for 5G networks. Roy et al. [16] proposed a lightweight authentication scheme based on cryptographic hash, bitwise, and fuzzy extractor functions. Peng et al. [17] proposed a mechanism called verifiable query layer (VQL) which can work effectively and guarantee data authenticity. Jain and Prabhakar [18] constructed a system to ensure authenticity and integrity of data in a dynamic database where the server could be untrusted. Challa et al. [19] designed a scheme between a smart meter and a cloud server, and they also gave the security and cost analysis of the scheme.

At the same time, the digital signature schemes are usually used to ensure data authenticity for the devices that need to transmit data to each other. Ring signature is one of the important cryptographic primitives which can provide both message authentication and the anonymity of the actual signer. The first ring signature scheme was designed by Rivest et al. [20] in 2001. Any member in the ring can anonymously sign a message, and any receiver can verify the authenticity of the signature. Herranz [21] proposed a ring signature scheme based on RSA. In 2008, Ren and [22] introduced a ring signature scheme based on the ElGamal signature. Recently, some lattice-based ring signature schemes against quantum attacks have been proposed. Liu et al. [23] proposed a lattice-based ring signature that is proven secure against chosen-message attacks. Mundhe et al. [24] proposed a lattice-based ring signature that can provide identity privacy and location privacy. Ren et al. [25] proposed a lattice-based linkable ring signature scheme based on the Borromean ring signature.

##### 1.4. Paper Organization

The remaining paper is organized as follows: in Section 2, we present some preliminaries. Section 3 introduces the threat model and security model. Section 4 constructs our ASMC schemes and gives its security analysis. In Section 5, we compare the proposed protocols with the relevant improved SAMA scheme in terms of computation cost and communication overhead. Finally, Section 6 concludes this paper.

#### 2. Preliminaries

In this section, we will briefly review some cryptographic assumptions. Table 1 lists the notations used throughout this paper.

##### 2.1. Elliptic Curve over

Let be an odd prime with . An elliptic curve over is defined by the equation , where , and . The set consists of all points , , , which satisfy the above equation, together with an additional point called the point at infinity.

##### 2.2. Complexity Assumptions

DLP: Given a finite cyclic group , a generator of , and an element *h*, the DLP is to find the integer , , such that .

ECDLP: Given an elliptic curve defined over a finite field , a point of order in , and a point that is a multiple of , the ECDLP is to find the integer , such that .

SVP (shortest vector problem): Given a monic polynomial and a lattice corresponding to an ideal in the ring , for , the is to find an element such that , where is the shortest length of a nonzero vector in [26].

Lyubashevsky and Micciancio [27] introduced a family of collision-resistant hash functions based on the worst-case hardness of standard lattice problems over ideal lattices.

For any integer and , let be the family of functions such that for any , , where , , , and all the operations are performed in the quotient polynomial ring .

Given an element , the collision problem of lattice-based hash function is to find distinct elements and in such that . The function family is collision-resistant when the input domain is suitably chosen in .

Theorem 1 (Hardness of collision-resistant hash function [27]). *Let be the ring for a power of two. Define the set for some integer . Let be a hash function family as the above definition such that and . If there is a polynomial-time algorithm that solves for random with some non-negligible probability, then there is a polynomial-time algorithm that can solve for every lattice corresponding to an ideal in , where .*

*In this paper, we set . The setting ensures that the conditions required by the above theorem are verified, and finding collisions for implies an algorithm for breaking SVP in the case over ideal lattices for polynomial gaps.*

##### 2.3. Statistical Distance

Statistical distance is a measure of the difference between two probability distributions [28]. Let and be two random variables over a countable set . The statistical distance between and is defined by

#### 3. System Model

This section gives a brief discussion of the network, threat, and security model of the proposed scheme. We assume that the IIoT is heterogeneous, and the devices may use different cryptographic systems, and a privacy-preserving authentication scheme (ASMC) based on ring signature over a multicryptosystem is proposed under such circumstance.

##### 3.1. Network Model

In the proposed ASMC scheme, we consider the network model with cloud data centers for the IIoT device authenticity and privacy. The network model is shown in Figure 1. Specifically, we consider an IIoT network where the devices may be deployed by different workshops or different factories for collecting many types of data. Hence, these devices may use various system parameters. We assume that all the system parameters, public, and private keys have been stored in the devices before they are deployed. After the deployment, devices will collect data and transmit the data to the cloud data centers.

##### 3.2. Attack Model

The IIoT devices connect with each other via an insecure channel. During the data transmitting process, an adversary can eavesdrop, intercept, and modify the transmitted data of both devices. So, the IIoT devices are vulnerable to various attacks. We apply the Dolev–Yao (DY) attack model [29] in the presented scheme, and there are two types of adversaries in the system.

(1) Passive adversary can eavesdrop on the data transmitted in the public channel, such as collecting the messages sent by the IIoT devices. Then, the adversary may analyze the intercepted message and try to reveal the content of the message and identify the real data sender. Since one type of IIoT device always generates a specific kind of data, the kind of data implies the type of device. So, the disclosure of the message type may leak the sender's privacy such as identity.

(2) Active adversary may actively launch different attacks which include man-in-the-middle, brute force attack, data injection, and so on. can intercept and modify the messages during data transmission or inject fake messages into the data channel. An IIoT device may be corrupted and controlled by an active adversary. When an IIoT device is compromised, the adversary can access all the secret information of the device.

##### 3.3. Security Model

In IIoT, many devices transmit data via the insecure channels. In order to mitigate the various types of attacks launched by the passive adversary and active adversary, the ASMC schemes aim at providing the message transmitted with authenticity, integrity, and privacy.

The message authenticity and integrity require that a message is sent by a legal device and has not been altered by any other devices. This security goal is guaranteed by the unforgeability of the underlying ring signature scheme in ASMC. Privacy protection requires that the identity and other private information of the message sender is well protected. The anonymity of the underlying ring signature scheme in ASMC can meet the requirement of privacy. So, the security goals of the ASMC scheme are unforgeability and anonymity.

Unforgeability. The property means that it is difficult for to forge a valid signature of an honest ring member in the ASMC scheme. The security model allows the adversary to mount the following two attacks:

(1) Adaptive chosen-message attack: can acquire the signature of a message chosen by the adversary in the forge attack phase.

(2) Adaptive chosen-ring attack: can choose the ring members and acquire a signature regarding the chosen ring.

In the security model, is allowed to make the following oracle queries: , , , and (for details, see the proof of Theorem 2). Now, we can define the unforgeability.

*Definition 1.* Existential unforgeability against adaptive chosen-message-and-ring attack (EUF-ACMRA): an ASMC scheme is said to satisfy the existential unforgeability against the adaptive chosen-message-and-ring attack if no probabilistic polynomial-time adversary has a non-negligible advantage in the experiment as defined in Table 2, where the advantage of the adversary is defined by

Anonymity. This property indicates that the ASMC scheme will not reveal the identity of the real data sender.

*Definition 2.* Anonymity

For the ASMC scheme, we define the advantage of any probabilistic polynomial-time adversary in the experiment as defined in Table 2, and an ASMC scheme is said to provide the anonymity of the actual signer if the advantage is negligible for any with a security parameter , with querying oracles , , , , , and (for details, see the proof of Theorem 4).

#### 4. Our Authentication Scheme over Multicryptosystem

In the following section, we construct two ASMC schemes, corresponding to two situations, respectively, adjacent nodes using the same cryptographic system as shown in Figure 2 and the mixture of distinct cryptosystem nodes as shown in Figure 3.

##### 4.1. ASMC for Adjacent Nodes Using the Same Cryptosystem

In order to provide the legitimacy of one's identity, the signature schemes based on RSA, DL (discrete logarithm), ECC (elliptic curve), and lattice are mostly used at present. For simplicity, we assume that each node in the IIoT system can use only one type of these four schemes. For adjacent nodes using the same cryptosystem, the ASMC scheme is composed of the following phases.

For clarity, we assume that the number of each type of cryptosystem nodes in the system is *n*. The ring consists of RSA nodes (with indices from 1 to ), DL nodes (with indices from to ), ECC nodes (with indices from to ), and lattice nodes (with indices from to ).

. KGC generates for DL nodes, for ECC nodes, and for lattice nodes, where is a nonzero element chosen randomly from . The parameters denote the system public parameters. The hash functions are , , and .

. After the is executed, each node will be equipped with . Specially, the key pairs are generated as follows.

Each RSA node has a private key and a public key . A hash function is also generated, where .

Similarly, each DL node *i* has a private key and a public key , where is chosen randomly from and . Each ECC node *i* has a private key and a public key , where and .

For the lattice node , the system generates a vector . If none of the vector components is invertible, then it regenerates the vector. Otherwise, set as the node's private key. Let be any of the invertible vector components. Then, the system generates and . The public key is . We have

. Suppose that the node in the ring wants to generate a ring signature. The generation of a ring signature consists of the offline-sign and online-sign phases.

Offline-Sign.

For any RSA node in *R*, select and compute .

For any DL node in *R*, select and compute .

For any ECC node in *R*, select and compute .

For any lattice node in *R*, select and compute .

Online-Sign.

According to the kind of the node, the real signer *j* generates the ring signature about the message *m* as shown in the following steps:

(1) Signing by an RSA node
   (1) Node chooses a random number and computes .
   (2) For , Node *i* computes
   (3) Node computes .
   (4) For , Node *i* computes
   (5) Node computes
   (6) For , Node *i* computes
   (7) Node computes
   (8) For , Node *i* computes
   (9) Node computes .
   (10) For , Node *i* computes
   (11) Node computes .

(2) Signing by a DL node
   (1) Node chooses randomly , and Node *i* computes
   (2) For , Node *i* computes
   (3) Node computes
   (4) For , Node *i* computes
   (5) Node computes
   (6) For , Node *i* computes
   (7) Node computes .
   (8) For , Node *i* computes
   (9) Node computes
   (10) For , Node *i* computes
   (11) Node computes .

(3) Signing by an ECC node
   (1) Node chooses randomly , and it computes
   (2) For , Node computes
   (3) Node computes
   (4) For , Node computes
   (5) Node computes .
   (6) For , Node computes
   (7) Node computes
   (8) For , Node computes
   (9) Node computes
   (10) For , Node computes
   (11) Node computes .

(4) Signing by a lattice node
   (1) Node chooses randomly , and it computes
   (2) For , computes
   (3) Node computes .
   (4) For , computes
   (5) Node computes
   (6) For , Node computes
   (7) Node computes
   (8) For , Node computes
   (9) Node computes
   (10) For , Node computes
   (11) Node computes .

Let . Then, the final ring signature on the message *m* is .

Once receiving an ASMC signature , one can check the authenticity and integrity regarding as follows:

(1) For , the verifier computes
(2) The verifier computes .
(3) For , the verifier computes
(4) The verifier computes .
(5) For , the verifier computes
(6) The verifier computes
(7) For , the verifier computes
(8) The verifier computes .

If , the signature is valid. Otherwise, it is invalid.

##### 4.2. ASMC for the Mixture of Distinct Cryptosystem Nodes

In this case, we assume that the ring includes RSA nodes, DL nodes, ECC nodes, and lattice nodes, and they are mixed as shown in Figure 3. Now, the ASMC scheme for a mixture of distinct cryptosystems is different from the ASMC scheme for the first case, especially in the and phase.

and are the same as those ones of ASMC in the first case.

The Offline-Sign in the case is the same as the Offline-Sign in the first case. Here, we only give the description of Online-Sign.

Online-Sign.

*Step 1.* Initialization.

If Node is an RSA, DL, ECC, or lattice node, it randomly chooses , , or , respectively. Then, Node *j* computes

Next, Node *j* computes

*Step 2.* Forward the sequence.

For , Node *i* computes

Next, it computes in the same manner as above .

*Step 3.* Form the ring. Finally, Node computes

Let . Then, the ring signature on the message *m* is .

Upon receiving an ASMC signature , the receiver can check the authenticity and integrity regarding by verifying the signature as follows.

The verifier computes and in the same way as and in the online phase. Finally, it computes

If , the verifier believes the authenticity and integrity of the received message. Otherwise, it outputs .

#### 5. Security Analysis of Our Scheme

##### 5.1. Message Authenticity and Integrity Analysis

The proposed ASMC scheme guarantees the message authenticity and integrity, due to the underlying ring signature being existentially unforgeable against adaptive chosen-message-and-chosen-ring attacks.

Our ring signature scheme is an extension of the 1-out-of-n signature scheme proposed by Abe et al. [30]. The theorems of Abe et al. [30] show that if all the nodes in the ring use the same type of cryptosystems such as the RSA-type, DL-type, or ECC-type, the ring signature scheme is unforgeable.

However, Abe et al. [30] did not consider the lattice-type cryptosystem. In the following section, we will show that the ring signature is existentially unforgeable if all the nodes in the ring are lattice nodes.
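The 1-out-of-n ring signature of Abe et al. [30] that the scheme extends, shown here for a ring of DL nodes only, as an added example (it is not the paper's ASMC algorithm or the authors' code). The function names, the `offline_sign`/`online_sign` split, SHA-256 standing in for the random oracle, the RFC 2409 768-bit group and the sample message are assumptions chosen for the demonstration; a deployment would use a group of at least 2048 bits or an elliptic-curve group.

```python
import hashlib
import secrets

# Assumption: RFC 2409 Oakley Group 1 (768-bit safe prime), demo-sized only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # prime order of the subgroup of squares mod P
G = 4             # generates that subgroup
NBYTES = 96       # fixed-width encoding of group elements for hashing


def keygen():
    """Return (private x, public y = G^x mod P) for one DL node."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(ring, msg, e):
    """Hash oracle: binds the whole ring, the message and one commitment."""
    h = hashlib.sha256()
    for y in ring:
        h.update(y.to_bytes(NBYTES, "big"))
    h.update(len(msg).to_bytes(8, "big") + msg)
    h.update(e.to_bytes(NBYTES, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def offline_sign(n):
    """Message-independent work: signer nonce, decoy responses s_i and G^s_i."""
    alpha = secrets.randbelow(Q - 1) + 1
    s = [secrets.randbelow(Q) for _ in range(n)]
    return {"alpha": alpha, "commit": pow(G, alpha, P),
            "s": s, "gs": [pow(G, si, P) for si in s]}


def online_sign(ring, j, x, msg, pre):
    """Close the ring at index j. `pre` is consumed: reusing alpha leaks x."""
    alpha = pre.pop("alpha")  # KeyError if the same precomputation is reused
    n, s = len(ring), list(pre["s"])
    c = [0] * n
    i = (j + 1) % n
    c[i] = _challenge(ring, msg, pre["commit"])
    while i != j:
        # Decoy member i: commitment G^s_i * y_i^c_i needs no private key.
        e = pre["gs"][i] * pow(ring[i], c[i], P) % P
        i = (i + 1) % n
        c[i] = _challenge(ring, msg, e)
    s[j] = (alpha - x * c[j]) % Q  # only the real signer can solve for s_j
    return c[0], s


def verify(ring, msg, sig):
    """Recompute the challenge chain; it must return to c0. No key is singled out."""
    c0, s = sig
    if len(s) != len(ring) or not all(0 <= v < Q for v in [c0, *s]):
        return False  # reject malformed or out-of-range (malleable) encodings
    c = c0
    for y, si in zip(ring, s):
        c = _challenge(ring, msg, pow(G, si, P) * pow(y, c, P) % P)
    return c == c0


def demo():
    """Every ring member can sign; a modified message fails verification."""
    keys = [keygen() for _ in range(4)]
    ring = [y for _, y in keys]
    msg = b"sensor-7 temp=71.3C"  # constructed sample reading
    results = []
    for j, (x, _) in enumerate(keys):
        sig = online_sign(ring, j, x, msg, offline_sign(len(ring)))
        results.append(verify(ring, msg, sig))
    return results, verify(ring, msg + b"!", sig)


if __name__ == "__main__":
    print(demo())
```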

Theorem 2. *If a -adversary exists in the ASMC scheme for all the nodes in the ring being lattice nodes, a -simulator can find two vectors and such that with the probability at least and the cost time at most for at least one node in . Here, and on the condition that and , where is the order of the quotient polynomial ring .*

*Proof.* For simplicity, the hash function is written as . Thus, can be treated as that uses as th query and returns , where is a set of public keys. The experiment is carried out as follows.

**Initialization** The simulator starts the unforgeable experiment with , , and .

**Setup** generates for lattice nodes, where is a nonzero element chosen randomly from .

**Query1** makes queries on , , , , and hash oracle with repeatedly. These oracles can make responses as follows.

If , return , otherwise generate.

, add into and return

If , return , otherwise set as the public key of signer with identity , add to and identity to , finally returns .

If , return , otherwise add identity into and return .

If , return , else uniformly choose from , add into and return .

If , return , else generate the signature as follows.

For any member in the ring *R* including , if , return . Otherwise, there are two cases.

(1) If , call the algorithm to create a signature

(2) If , do the following four steps:

*Step 4.* Choose .

*Step 5.* For , select , compute , where is part of system public parameters , and then we compute if.

*Step 6.* Assign to the value of and add into .

*Step 7.* Form the signature as .

Finally, we return signature and add into .

**Challenge** chooses the message and ring that he wants to challenge. For any member in the ring , if and ) or , return , otherwise continue to carry on the next phase.

**Query2** queries , , , , and hash oracle the same as the phase, Query1, but he is not allowed to query with anyone in the ring and with .

**Forge** Finally, after those phases above, returns a forged signature for the ring .

The oracle fails if inconsistencies of emerge in Step-3. The probability is at most where is the order of the quotient polynomial ring . So, can succeed times with probability greater than .

Let be the view given to the signing oracle and . Let be a set of with which is successful in forge. For the success probability of restricted by , and , we have . Let be a forged signature that outputs. We define and for . Due to the ideal randomness of , there exist queries with probability at least , for . Let be a subset of . Then, we have

Let . Since the queries form a ring, there exists at least one such that and with . Then, is between the gap of query order. Let be a gap index. Note that happens only if . We will classify by the gap indices. Let be a class which yields gap indices . Hence, there are at most classes. By invoking with randomly chosen at most times, can find at least one for a gap index with probability .

Let and . Then, it holds that . Due to the heavy-row lemma [31], that yields the successful run of is in with probability at least . We split as where corresponds to the answers to all queries except for answered with . Due to the heavy-row lemma [31], again, with probability at least , satisfies . We assume and . It holds that .

By running up to times with obtained in the first successful run and randomly chosen , then with probability at least , finds at least one such that . Since happens before , will not change. Therefore, gets two distinct tuples and that satisfy . Then, we will have . Thus, a collision of the lattice-based hash function has been found. The overall success probability is , and the number of invocations of is

By applying a technique similar to that in [30] to the mixture case of multi-type cryptosystems, we have Theorem 3.

Theorem 3. *With regard to the ring, consists of the public keys of nodes, if a -adversary does exist, a -simulator is allowed to interact with who can make queries on the hash oracles up to times and the signing oracle up to times, and then can compute for with probability greater than 3/5 and running time or compute the discrete-logarithm of such that with probability and running time or compute elliptic-curve-discrete-logarithm of such that with probability and running time or compute and finds two vectors and such that with probability and running time .*

So, the proposed ASMC ring signature with the mixture case of multi-type cryptosystems is existentially unforgeable against adaptive chosen-message and chosen-ring attacks.

By combining the proofs of the theorems in [30] and Theorem 2, we can easily get the proof of Theorem 3. Now, we omit the detailed proof.

##### 5.2. Privacy Analysis

The privacy of the proposed ASMC schemes can be guaranteed by the anonymity of the ring signature scheme.

Theorem 4. **(Anonymity).** For , let be the signature of a member in the ring about message in the proposed ASMC schemes. With a probabilistic polynomial-time Turing machine, the statistical distance (as defined in Eq. 1) between the two signatures generated by signer and signer holds for any polynomial and sufficiently large under the random oracle model.

*Proof.* Here, we will prove that the statistical distance between two signatures is negligible. There is a simulator and an adversary in . Assume that is granted the ability to access the security key of any member in the ring, and is allowed to query with the oracles , , , , and hash oracles. The anonymity experiment is carried out as follows.

**Initialization** The anonymity experiment starts with , , , , , and .

**Setup** generates for DL nodes, for ECC nodes, and for lattice nodes, where is a nonzero element chosen randomly from . The generated parameters are considered as public parameters .

**Query 1** makes queries on , , , , and hash oracles repeatedly. makes responses about the oracle queries as follows.

: if