Abstract

With the widespread adoption of wireless sensor networks (WSN), the security of the WSN has been a wide concern. Certificateless signature eliminates the certificate management problem and key escrow problem and is considered a feasible solution to solve the data integrity and authentication of WSN. Recently, Thumbur et al. proposed an efficient pairing-free certificateless signature scheme, and Xu et al. pointed out that their scheme is not resistant to signature forgery attacks and proposed an improved scheme. Based on the trust hierarchy defined by Girault, we find that Xu et al.’s scheme is still only able to achieve security under KGC trust level 2. Moreover, Thumbur et al.’s scheme uses the Schnorr signature algorithm form, which makes it favorable for scaling, while Xu et al.’s scheme breaks this advantage. Therefore, we propose a pairing-free certificateless scheme capable of reaching KGC trust level 3, still using the Schnorr signature algorithm form, and prove the security of the new scheme under the random oracle model. The final efficiency analysis shows that the new scheme has shorter public key length and higher computational efficiency.

1. Introduction

In recent years, wireless sensor network (WSN) technology has developed tremendously, which has triggered widespread interest in both academia and industry. A WSN is a self-organized multihop network of a large number of sensor nodes with features such as flexibility, fault tolerance, high perception ability, and rapid deployment. These features of WSN determine its wide range of applications, such as environmental monitoring, agriculture, military, Smart Grid [1], and medical [2, 3]. As shown in Figure 1, the WSN system consists of an aggregation node (i.e., sink node), sensor nodes, and a management node. In practice, sensor nodes are arbitrarily deployed in the monitored area by manual placement or drone dispersal, forming a WSN through wireless self-organization, in which each node has the function of a router and can locate and restore connections. When the WSN is in operation, the sensor nodes collect the required information and transmit it to the sink node in single-hop or multihop form. The sink node performs preliminary data processing and information fusion and then transmits the result to the users through satellite channels or wired network connections [4]. The wireless communication channel adopted by WSN is easily monitored by attackers, leading to information leakage or tampering. Sensor nodes in WSN are often distributed in unattended, harsh, or even hostile open environments, and the nodes are easily captured or physically controlled by attackers. Compared with traditional internet networks, WSN faces more complex and diverse security threats, so existing cybersecurity mechanisms are not fully applicable to WSN. Since most WSN devices are based on small embedded chips with limited computing and storage capabilities, and most of them adopt wireless technologies such as Bluetooth and ZigBee for communication, the communication bandwidth of WSN is limited by the spectrum resources of wireless communication. Therefore, how to ensure the communication security of WSN under limited computing, storage, and communication capabilities is a challenge.

Digital signature technology can provide the authentication, data integrity, and nonrepudiation functions required by WSN. In digital signature schemes, the problem of how to bind the user’s identity to the user’s public key needs to be solved; otherwise, the scheme is exposed to man-in-the-middle public key replacement attacks. Currently, there are three main solutions. The first is the public key infrastructure (PKI) cryptosystem, which faces complex certificate management problems. The second is the identity-based public key cryptography (IBC) system, which simplifies certificate management but has the key escrow problem. The third is the certificateless public key cryptography (CL-PKC) system, where the user’s private key consists of a partial private key (PPK) generated by the key generation center (KGC) together with a secret value generated by the user. There is no certificate in the system, so there is no certificate management problem, and the KGC cannot compute the complete private key of the user, which solves the key escrow problem. Therefore, this paper focuses on certificateless signature (CLS) schemes applied to WSN.

In 2003, Al-Riyami and Paterson [5] proposed the first CL-PKC scheme, and subsequently, Yum and Lee [6] proposed a generic construction for CLS in 2004. After that, many CLS schemes were devised [7–11]. However, these schemes were constructed based on pairing operations in ECC and map-to-point hash functions, which require high computing resources and are not suitable for implementation on resource-constrained WSN devices. In 2011, He et al. [12] proposed the first pairing-free certificateless signature (PF-CLS) scheme, which did not use pairing operations and greatly improved computational efficiency. Later, many PF-CLS schemes [13–18] were proposed for resource-constrained environments.

In the security model in [5], two types of adversaries are defined. The Type-I adversary represents a malicious signer, which does not know the system master key but can replace the signer’s public key at will, and the Type-II adversary represents a malicious KGC, which knows the system master key but cannot replace the signer’s public key. In 2006, Au et al. [19] proposed a new kind of attack: the malicious-but-passive KGC attack. This attack assumes that the KGC is already malicious at the beginning of the system setup phase. Such a KGC maliciously generates a specific system master public/secret key pair for a specific user, and then, when that user publishes his public key, the KGC is able to calculate the user’s secret value from the user’s public key. In 2007, Huang et al. [20] classified Type-I/II adversaries into three kinds: normal, strong, and super Type-I/II adversaries, but all of them were based on the capability limits of the two types of adversaries defined in [5]. Once the KGC can replace the user’s public key, it can impersonate any user, which means that the user must trust the KGC completely. According to Girault’s [21] definition of the trust hierarchy for the authority (the KGC is the authority of a CL-PKC system) in a public key cryptosystem:
(i) Trust level 1 implies that the trusted authority can compute the private keys of all the users in the system.
(ii) Trust level 2 implies that the authority cannot compute the private keys of individual users; however, it can still generate false guarantees to impersonate any user in the system without being implicated.
(iii) Trust level 3 implies that the authority cannot compute the user’s private key, and it will be implicated if it generates false guarantees.

Many CL-PKC systems only achieve trust level 2, whereas PKI technology attains trust level 3 and IBC technology only achieves trust level 1. Al-Riyami and Paterson [5] pointed out that a CL-PKC system with trust level 2 could be upgraded to trust level 3 through a binding technique, i.e., the public key corresponding to the user secret value is bound to the user ID, but the relevant security models and proofs were not further elaborated. In 2011, Yang and Tan [22] introduced a new binding technique, proposed the notion of key-dependent certificateless signature (KD-CLS), and directly defined KGC trust level 3 security in the security model described in [5]. The security definition of Yang and Tan [22] did not define a new type of adversary, but only placed different restrictions on the capabilities of the Type-I/II adversaries defined by Al-Riyami and Paterson [5]. In 2017, Li et al. [23], building on [22], further pointed out that a scheme using the binding technique described in [5] can also be proved secure. In addition, in 2007, Hu et al. [24] defined a KGC trust level 3 security model for CLS separately from the definition in [5]. In this definition, a new type of adversary is introduced, and such an adversary is required to be able to forge the user’s legitimate public-private key pair. This independent security definition has since been further elaborated and applied by Chen et al. [25] in 2015 and Tseng et al. [26] in 2019. In 2021, Rastegari and Susilo [27] updated the winning condition of this independent security definition to be that the legitimate user whose signature is forged cannot repudiate the forged signature. The security definition in this paper is mainly based on [26] and [27].

At present, many researchers on PF-CLS schemes ignore the KGC trust level issue and focus only on how to resist the attacks of Type-I/II adversaries at KGC trust level 2. For example, Yeh et al. [13] proposed a PF-CLS scheme for the IoT in 2017. In 2018, Jia et al. [14] pointed out that Yeh et al.’s scheme could not resist the public key replacement attack of a Type-I adversary. In 2020, Du et al. [15] further pointed out that Jia et al.’s scheme cannot resist the public key replacement attack of a Type-I adversary, and in 2022, Xiang et al. [18] further stated that Jia et al.’s scheme could not resist Type-II adversary attacks. In 2020, Thumbur et al. [16] proposed a PF-CLS scheme for resource-constrained devices. In 2021, Xu et al. [17] proved that Thumbur et al.’s scheme cannot resist attacks from Type-I adversaries and proposed an improved scheme. In this paper, we analyze the scheme of Xu et al. [17] as an example that cannot support KGC trust level 3; the same holds for the schemes in [13–16, 18].

In addition, most of the PF-CLS schemes mentioned above adopted custom signature algorithms, which are less scalable. The Schnorr signature algorithm [28] has been rigorously proven secure [29] and has linear characteristics that make it easy to aggregate and provide scalability guarantees, which have been accepted by applications such as Bitcoin. In Thumbur et al.’s scheme [16], the user’s complete private key is the sum of the PPK generated by the KGC and the secret value generated by the user, and the signature algorithm takes the form of the Schnorr signature algorithm, making it easier to extend to applications such as aggregate signatures and multisignatures. However, Xu et al.’s scheme [17] uses a custom signature algorithm, which fails to maintain this advantage and reduces the efficiency of the original scheme. Different from [17], we propose another improved version of Thumbur et al.’s scheme [16]. The new scheme still uses the Schnorr signature algorithm with no reduction in computational efficiency, but has a shorter public key length and supports KGC trust level 3 security.

2.1. Our Contribution

The main contributions of this paper are the following:
(i) We first analyze Xu et al.’s scheme and prove that it only achieves KGC trust level 2.
(ii) We propose a new PF-CLS scheme with KGC trust level 3 and prove the security of the scheme in the random oracle model.
(iii) Our scheme uses the Schnorr signature algorithm, which makes the scheme more scalable.
(iv) Our scheme has a shorter public key size, and the efficiency analysis shows that our scheme has a lower computational cost.

2.2. Paper Organization

The remainder of this paper is organized as follows. We present the relevant PF-CLS works in Section 1. Then, we introduce some preliminaries and security model for PF-CLS scheme in Section 2. A review of Xu et al.’s scheme and security analysis are presented in Sections 4 and 5. Section 6 proposes our PF-CLS scheme for WSN environments. Section 7 provides the correctness proof and security analysis of our scheme. Section 8 gives a comparative analysis of the proposed scheme, with Section 9 giving the paper’s conclusions.

3. Preliminaries

In this section, we briefly review some preliminary knowledge, including the definition of elliptic curve discrete logarithm problem, syntax of PF-CLS scheme, and security model for PF-CLS.

To enhance readability, the list of symbols is shown in Table 1.

3.1. Elliptic Curve Discrete Logarithm Problem

denotes a prime finite field, and is a large prime number. denotes an elliptic curve defined over the finite field by the equation , where and . All points on together with the point at infinity form a cyclic group under the point addition operation on , which is defined by the chord-and-tangent rule.

Assume is an additive cyclic group of the elliptic curve with order , where is a large prime number, and is a generator. Let ; scalar multiplication is defined by the equation . Given a point , the elliptic curve discrete logarithm problem (ECDLP) is to find an integer in polynomial time such that with nonnegligible probability.

3.2. Syntax of PF-CLS Scheme

As defined by Al-Riyami and Paterson [5], a CLS scheme consists of three entities (a KGC, a signer, and a verifier) and seven polynomial-time algorithms. On the basis of [5], He et al. [12] further gave the definition of the PF-CLS scheme. Following the works [5, 12], we present the syntax definition as follows.
(i) Setup: this algorithm is operated by the KGC. On inputting a security parameter , it outputs a master public/secret key pair (, ); the master public key together with the other elliptic curve related parameters forms the public parameter . KGC publishes and keeps secret.
(ii) Set-Secret-Value: this algorithm is operated by the user . On inputting , it returns as user ’s secret value and as user ’s public value.
(iii) Partial-Private-Key-Extract: this algorithm is performed by the KGC. On inputting , the system master key , the user’s identity , and the public value , it returns as the PPK to the user through a secure channel.
(iv) Set-Private-Key: this algorithm is performed by the user . On inputting , and , it returns the user’s private key .
(v) Set-Public-Key: this algorithm is run by the user . On inputting , , it returns the user’s public key .
(vi) Sign: this algorithm is operated by a user (the signer). On inputting , message , the user’s identity , and private key , it outputs as a signature.
(vii) Verify: this algorithm is performed by a verifier. Given , , , , and , it returns “Accept” if is valid and “Reject” otherwise.

Different from the definitions of schemes such as [16, 17], in our definition, Set-Secret-Value is executed before Partial-Private-Key-Extract. The reason is that in order to achieve KGC trust level 3, the Partial-Private-Key-Extract algorithm requires the output of the Set-Secret-Value as input. The Set-Secret-Value algorithm takes the system public parameters and the user’s identity as input and does not depend on the output of the Partial-Private-Key-Extract algorithm. Therefore, it is feasible for Set-Secret-Value to be executed before Partial-Private-Key-Extract.

3.3. Security Model for PF-CLS

Based on the definition of the security model in [27], if the KGC trust level 3 security needs to be achieved, there exist three types of adversaries: , , and . We utilize the following three games to signify that a CLS scheme is existentially unforgeable against adaptively chosen message and identity attacks (EUF-CMA) against three types of adversaries: , , and .

3.3.1. Game I

The game is executed between a challenger and a Type-I adversary , and proceeds in three phases:
(i) Setup. operates the Setup algorithm to generate a system master key and the system public parameters . sends to and keeps secret.
(ii) Query. is allowed to issue polynomially many queries to the challenger .
(a) Create-User: upon receiving such a query on , looks up a list to check whether the identity has been created. If yes, outputs as the public key to . Otherwise, executes the algorithms Set-Secret-Value, Partial-Private-Key-Extract, Set-Private-Key, and Set-Public-Key to produce , , and , respectively. Next, adds the tuple to the list and outputs to .
(Note: we suppose that the Create-User query always precedes other oracle queries.)
(b) Extract-Partial-Private-Key: upon receiving this query on , finds the relevant record from and returns to .
(c) Extract-Secret-Value: upon receiving such a query on , finds the relevant record from and returns to .
(d) Replace-Public-Key: given an identity and a public key , this oracle allows to replace the original public key with . Next, the tuple in the list is updated to .
(e) Sign: upon receiving a query on a message , an identity , and the current public key , executes the Sign algorithm to generate a valid signature and outputs it to .
(iii) Forgery. At last, outputs a rightful message/signature tuple for with . wins the game if the following three conditions are satisfied:
(1) output a rightful message-signature pair on the identity .
(2) has never made an Extract-Partial-Private-Key query on the identity .
(3) has never made a Sign query with input .

3.3.2. Game II

This game is executed between a challenger and a Type-II adversary . Similar to Game I, Game II also proceeds in three phases.
(i) Setup. Like Game I, operates the Setup algorithm to generate and . sends and to .
(ii) Query. As in Game I, adaptively makes queries to the Create-User, Extract-Partial-Private-Key, Extract-Secret-Value, Replace-Public-Key, and Sign oracles. responds to these queries similarly to Game I.
(iii) Forgery. outputs a tuple . wins the game if the following four conditions are satisfied:
(1) output a rightful message-signature pair on the identity .
(2) has never submitted an Extract-Secret-Value query on the challenged identity .
(3) has never submitted a Replace-Public-Key query on the challenged identity .
(4) has never made a Sign query with input .

3.3.3. Game III

This game is executed between a challenger and a Type-III adversary . Similar to Game I and Game II, Game III also proceeds in three phases.
(i) Setup. Like Game I, operates the Setup algorithm to generate and . sends and to .
(ii) Query. As in Game I, adaptively makes queries to the Create-User, Extract-Partial-Private-Key, Extract-Secret-Value, Replace-Public-Key, and Sign oracles. responds to these queries similarly to Game I.
(iii) Forgery. outputs a tuple . wins the game if the following four conditions are satisfied:
(1) output a rightful message-signature pair on the identity .
(2) has never submitted an Extract-Secret-Value query on the challenged identity .
(3) has never made a Sign query with input .
(4) The user with cannot repudiate .

Definition 1. A PF-CLS scheme is said to be EUF-CMA satisfying KGC trust level 3, if for any polynomial-time Type-I/Type-II/Type-III adversary //, their advantage in winning game I/II/III is negligible.

4. Revisiting Xu et al.’s Scheme

We take Xu et al.’s scheme [17] as an example to illustrate that it cannot achieve KGC trust level 3. The scheme is described as follows:
(i) Setup: input the security parameter , select a -order additive group , where is a generator of . KGC randomly selects as the master key, calculates , and defines three secure hash functions: . Finally, KGC publishes the system parameters and keeps the master key secret.
(ii) Partial Private Key Extract: KGC generates the PPK of a user with as follows:
(1) Choose a random value and compute .
(2) Compute , .
(3) KGC sends as the PPK to the user through a secure channel.
(4) The user can validate the PPK by verifying the equation .
(iii) Set-Secret-Value: the user selects the secret value randomly and keeps it secret. Also, the user computes .
(iv) Set-Public/Private-Key: the user sets his/her public key as and private key as .
(v) Sign: input , the signer’s identity , signing key pair , and message . The signer generates a signature on message as follows:
(1) Choose a random and compute .
(2) Compute , , and .
(3) Set as the signature of message .
(vi) Verify: on the input of , signature , and message , any verifier can verify the signature on as follows:
(1) Compute , , and .
(2) Verify the equation

If equation (1) holds, the verifier outputs “Accept”; else it outputs “Reject”.

5. Attack on Xu et al.’s Scheme

In Xu et al.’s scheme [17], if the KGC leaks the user’s PPK to the adversary , can successfully forge a signature by replacing the public key. The specific attack is described below:
(i) Replace Public Key: adversary completes the public key replacement by performing the following operations:
(1) Randomly choose as the secret value and compute .
(2) Replace the original public key of the user with .
(ii) Signature forgery: to forge the signature of the user on the message , performs as follows:
(1) Randomly choose and compute .
(2) Compute , , .
(3) Output the forged signature .
(iii) Verify: given the identity , , and , a verifier computes as below:
(1) Compute , , , and .
(2) Verify the equation

Obviously, the forged signature is valid because the verification equation (2) always holds, since we have

From the above process, we find that in the event of such an attack, any adversary in possession of the can forge , so the KGC can initiate the attack without being implicated. The KGC might even claim that the user has replaced its original with a new . Therefore, Xu et al.’s scheme cannot attain KGC trust level 3, and the same can be shown for the schemes in [13–16, 18] by similar methods.

6. Our Proposed PF-CLS Scheme

To address the shortcomings of Xu et al.’s scheme, we propose an improved PF-CLS scheme, which consists of seven algorithms and is described as follows. To improve readability, we provide a graphical representation of the scheme in Figure 2.
(i) Setup: input the security parameter , select a -order additive group , where is a generator of . KGC selects the value randomly, calculates , and defines three secure hash functions: . Finally, KGC publishes the system parameters and keeps the master secret key secret.
(ii) Set-Secret-Value: the user selects the secret value randomly and computes first, then sends to KGC through a secure channel and keeps secret.
(iii) Partial-Private-Key-Extract: KGC generates the PPK of a user with as follows:
(1) Choose a random value , compute and , where .
(2) Calculate and .
(3) Send as the PPK to the user through a secure channel.
(4) The user can validate the PPK by verifying the equation .
(iv) Set-Private-Key: the user sets his/her private key as , where .
(v) Set-Public-Key: the user sets his/her public key as .
(vi) Sign: the signer with identity generates a signature on message as follows:
(1) Choose a random value and compute .
(2) Compute and .
(3) Set as the signature of message .
(vii) Verify: on inputting , , , signature , and message , any verifier can verify the signature on as follows:
(1) Compute , .
(2) Verify the equation

If equation (4) holds, the verifier outputs “Accept”; else it outputs “Reject.”

As mentioned above, we set , and the full private key is computed from the PPK and the user’s secret value , unlike many PF-CLS schemes where the full private key is denoted as . Furthermore, the signature’s form is , which corresponds to the Schnorr algorithm. In the following, we briefly give the application of our scheme to aggregate signatures to show its scalability.
(i) Aggregate: on inputting signatures for users , compute . Then, the algorithm outputs the aggregate signature .
(ii) Aggregate verify: on inputting , , and the signature , any verifier can verify the signature on the messages as follows:
(1) Compute , , where .
(2) Verify the equation ; if the equation holds, the verifier outputs “Accept”; else it outputs “Reject.”
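As an added illustration (not the paper’s scheme and not the authors’ code), the following Python models the two properties this section and Section 3.1 rely on: chord-and-tangent point arithmetic on a prime-order curve, a full private key formed as the sum of a KGC-issued partial key and a user secret value, and a Schnorr-form signature whose scalar parts add, so that several signatures can be checked by one aggregate equation. It assumes secp256k1 rather than the paper’s 160-bit curve, lets the KGC hand over a random partial-key scalar instead of the paper’s Partial-Private-Key-Extract, and uses its own layout of the hash input; none of these choices come from the paper.

```python
import hashlib
import secrets

# secp256k1 parameters (assumption: the paper's own 160-bit curve is not given here)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Chord-and-tangent point addition in affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P       # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Scalar multiplication k*pt by double-and-add; recovering k from k*pt is the ECDLP."""
    result, addend = INF, pt
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def hash_to_scalar(*parts):
    """H(...) mod N; the order of the hashed fields is this example's own choice."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return int.from_bytes(h.digest(), "big") % N


def kgc_partial_key():
    """Stand-in for Partial-Private-Key-Extract: a random scalar sent over a secure channel."""
    return secrets.randbelow(N - 1) + 1


def set_private_key(ppk):
    """Full private key = PPK + user secret value (the sum form the paper keeps from [16])."""
    x = secrets.randbelow(N - 1) + 1
    d = (ppk + x) % N
    return d, ec_mul(d, G)                              # (private key, public key Y = d*G)


def sign(d, pk, identity, msg):
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    e = hash_to_scalar(identity, encode(pk), encode(R), msg)
    return R, (r + e * d) % N                           # Schnorr form: s = r + e*d


def verify(pk, identity, msg, sig):
    R, s = sig
    e = hash_to_scalar(identity, encode(pk), encode(R), msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pk))     # s*G == R + e*Y


def aggregate(sigs):
    """Keep every R_i and add the scalar parts; linearity in s is what makes this sound."""
    return [R for R, _ in sigs], sum(s for _, s in sigs) % N


def aggregate_verify(pks, identities, msgs, agg):
    Rs, s = agg
    rhs = INF
    for pk, ident, msg, R in zip(pks, identities, msgs, Rs):
        e = hash_to_scalar(ident, encode(pk), encode(R), msg)
        rhs = ec_add(rhs, ec_add(R, ec_mul(e, pk)))
    return ec_mul(s, G) == rhs                          # (sum s_i)*G == sum (R_i + e_i*Y_i)
```

The aggregate check costs one scalar multiplication per signer plus one for the combined scalar, and any tampered message, identity, or public key changes the corresponding hash value and breaks the equation.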

7. Analysis of our CLS Scheme

7.1. Correctness Proof

Suppose is the signature produced by our proposed PF-CLS scheme; it is easy to verify that equation (4) holds. The correctness of the proposed scheme can be justified by verifying the equation as follows:

7.2. Security Analysis

In this section, we demonstrate that our PF-CLS scheme is existentially unforgeable against Type-I/II/III adversaries. The security proof of our scheme is described as follows.

Theorem 2. In the random oracle model, suppose is a Type-I adversary of probabilistic polynomial time. If has a nonnegligible advantage to forge a rightful signature in Game I after querying at most times Hash oracle and times Extract-Partial-Private-Key oracle, there exists an algorithm which can call as a subprogram to figure out the solution to ECDLP with a probability .

Proof. Assume is an arbitrary instance of ECDLP. The purpose of is to get the solution to the ECDLP by interacting with .
(i) Setup. sets and produces the system public parameters . Then, randomly selects an identity as the challenged identity and sends to . keeps three lists , , and , which are utilized to record Create-User queries, queries, and queries, respectively. All lists are initially empty.
(ii) Query.
(a) Create-User: when this request is issued on an identity , calculates the following:
(1) If , selects random elements , computes , and sets , .
(2) If , selects random elements , computes , , and then sets , , .
In both cases, the user has been created. The user’s PPK is , and his/her secret value is . Next, outputs as the public key of the user to . Then, adds the tuple to the list and the tuple to the list .
(Note: we suppose that the Create-User query always precedes other oracle queries.)
(b) Extract-Partial-Private-Key: when issues this query on a created user , if , finds the relevant record from and returns to . Otherwise, aborts.
(c) Extract-Secret-Value: when issues this query on a created user , finds the relevant record from and returns to .
(d) Replace-Public-Key: when receiving a query on input , retrieves the tuple from and sets , , and then renews the abovementioned item to .
(e) Queries: submits a tuple to this oracle. recovers the corresponding record from and returns to if it exists. Otherwise, asks the Create-User query, extracts from , and returns it to .
(f) Queries: keeps a list . When submits a tuple to this oracle, recovers the corresponding record from and returns to if it exists. Otherwise, asks the Create-User query and returns to .
(g) Queries: keeps a list . On inputting an item , searches the list . If it contains the relevant tuple , outputs to . Otherwise, randomly selects an element , sets to , and inserts into .
(h) Sign: when receiving this query on inputs a message , an identity , and the current public key , recovers and calculates the following:
(1) If and has not been replaced, randomly selects and computes , sets , and computes . sends as a signature to and then inserts into .
(2) Otherwise, randomly selects and computes , and sets . returns as a signature to . Then, adds the item to .
(iii) Forgery. At last, outputs a rightful message/signature tuple for with , which may have been replaced by . If , aborts; otherwise, recovers the lists , and , respectively.
We apply the forking lemma [29] in the following simulation. replays with the same random tape but provides a different value of . That is, , and . Then, outputs another valid signature on the same message .
Hence, we have the following two equations (for convenience, we let ): In the above two equations (6), and are unknown to . Hence, can successfully obtain the value of by solving the equation system. That is, However, this contradicts the ECDLP assumption. Namely, the signature cannot be forged by .
Next, let us calculate ’s winning probability in Game I. When events , , and occur, will win this game.
: does not abort the game when queries Extract-Partial-Private-Key oracle
: in the forgery phase, outputs a message-signature pair on an identity
: is a valid forgery on
Obviously, As a result, ’s probability is Hence, handles the ECDLP with a probability .

Theorem 3. In the random oracle model, suppose is a Type-II adversary of probabilistic polynomial time. If has a nonnegligible advantage to forge a rightful signature in Game II after querying at most times Hash oracle and times Extract-Secret-Value oracle and times Replace-Public-Key oracle, there exists an algorithm which can call as a subprogram to figure out the solution to ECDLP with a probability .

Proof. Assume is an arbitrary instance of ECDLP. The purpose of is to get the solution to the ECDLP by interacting with :
(i) Setup. randomly selects , calculates , and produces the system public parameters . Then, randomly selects an identity as the challenged identity and sends to . keeps three lists , , and , which are utilized to record Create-User queries, queries, and queries, respectively. All lists are initially empty.
(ii) Query.
(a) Create-User: when this request is issued on an identity , calculates the following:
(1) If , selects random elements , computes , , and sets , , and then computes .
(2) If , selects random elements , sets , and computes , , and then sets , , .
In both cases, the user has been created. The user’s PPK is , and his/her secret value is . Next, outputs as the public key of the user to . Then, adds the tuple to the list and the tuple to the list .
(Note: we suppose that the Create-User query always precedes other oracle queries.)
(b) Extract-Partial-Private-Key: when issues this query on a created user , finds the relevant record from and returns to .
(c) Extract-Secret-Value: when issues this query on a created user , if , finds the relevant record from and returns to . Otherwise, aborts.
(d) Replace-Public-Key: when receiving a query on input , if , retrieves the tuple from and sets , , and then renews the abovementioned item to . Otherwise, aborts.
(e) , , Queries: the answers to the , , and queries are the same as in Theorem 2.
(f) Sign: when receiving this query on inputs a message , an identity , and the current public key , recovers and calculates the following:
(1) If and has not been replaced, randomly selects and computes , sets , and computes . sends as a signature to and then inserts into .
(2) Otherwise, randomly selects and computes , and sets . returns as a signature to . Then, adds the item to .
(iii) Forgery. At last, outputs a rightful message/signature tuple for with . If , aborts; otherwise, recovers the lists , , and , respectively.
We apply the forking lemma [29] in the following simulation. replays with the same random tape but provides a different value of . That is, , and . Then, outputs another valid signature on the same message .
Hence, we have the following two equations (for convenience, we let ). In the above two equations (10), and are unknown to . Hence, can successfully obtain the value of by solving the equation system. That is, However, this contradicts the ECDLP assumption. Namely, the signature cannot be forged by .
Next, let us calculate ’s winning probability in Game II. When events , , and occur, will win this game.
: does not abort the game when queries the Extract-Secret-Value and Replace-Public-Key oracles
: In the forgery phase, outputs a message-signature pair on an identity
: is a valid forgery on
Obviously, As a result, ’s probability is Hence, handles the ECDLP with a probability .

Theorem 4. In the random oracle model, suppose is a Type-III adversary of probabilistic polynomial time, ’s advantage in winning Game III is negligible.

Proof. The challenger executes Game III with as follows:
(i) Setup. The description is similar to that of Theorem 3, but is replaced with and is replaced with in the description.
(ii) Query.
(a) Create-User, Extract-Partial-Private-Key, Extract-Secret-Value, Sign, , , Queries: the answers to these queries are the same as in Theorem 3.
(b) Replace-Public-Key: when receiving a query on input , retrieves the tuple from and sets , , and then renews the abovementioned item to .
(iii) Forgery. replaces the public key of the user whose identity is , with the corresponding secret value , by a new public key with the corresponding secret value . Since knows , it can compute corresponding to . By the use of and , can output a rightful signature tuple .
Next, we show that the user is able to repudiate the signature . The user can provide a valid signature for message that can be verified with the user’s original public key . As a result, the verifier has received two valid signatures and corresponding to the different public keys and , respectively. The user denies that the signature was produced by him/her for the following reasons:
(i) According to Theorem 2, cannot be produced by any party other than the KGC and the user whose identity is .
(ii) The user is able to provide a valid signature , indicating that the user has the public key and the corresponding PPK . But the public key corresponding to the signature is .
(iii) In our proposed scheme, the PPK generation method is . If we consider as the private key and as the public key, this is a Schnorr signature form with message and signature value . According to the security of the Schnorr signature [28], it is clear that is in one-to-one correspondence with , and since the user does not know , he/she cannot get corresponding to .
Hence, ’s advantage in winning Game III is negligible.

8. Performance Evaluation

In this section, we evaluate our PF-CLS scheme from three aspects: computational efficiency, security level, and communication overhead. For this, we choose a nonsingular elliptic curve , where , are 160-bit primes and run a simulation experiment using the MIRACL library on a personal computer (Intel(R) Core (TM) i5-9300HF CPU @ 2.40GHz, 16.0 GB RAM, and Windows 10 operating system). In the comparison of computational efficiency, the running times of cryptographic operations are shown in Table 2.

8.1. Computation Costs

Due to the characteristics of WSN devices, such as limited computing and processing power, the computational overhead of generating signatures on WSN devices should be as small as possible. In the efficiency analysis of PF-CLS schemes, the computation cost depends mainly on the amount of computation in the signing algorithm and the verification algorithm. As can be seen from Table 3 and Figure 3, our scheme and Thumbur et al.’s scheme [16] have a clear advantage in signing and verification cost over the other PF-CLS schemes in [14, 15, 17]. However, Table 4 shows that the PF-CLS scheme in [16] cannot resist Type-I adversaries, whereas our scheme achieves KGC trust level 3. That is to say, our new scheme combines the better computational efficiency with higher security. To sum up, according to the experimental results and the theoretical analysis in Tables 3 and 4, we conclude that our PF-CLS scheme is both more secure and more efficient.

8.2. Communication Costs

Since WSN devices possess limited battery power and communication bandwidth, one of the goals of our PF-CLS scheme is to reduce the communication overhead of WSN devices. The communication cost depends mainly on the size of the signature and of the public key. From Table 5 and Figure 4, the signature size of our scheme is the same as that in [14–17], namely , where denotes the size of a point in the group and denotes the size of a number in . Moreover, our scheme has a shorter public key size of (320 bits), compared with 2 (640 bits) in the other schemes [14–17]. Hence, the proposed CLS scheme has a lower communication overhead.

9. Conclusions

Digital signature technology provides identity authentication, data integrity, and non-repudiation. Most WSN devices have limited computing, storage, and communication capabilities and require a “lightweight” digital signature scheme to protect data integrity and data authenticity. The PF-CLS scheme requires little computing and storage capacity as well as little communication bandwidth, making it a suitable choice for WSN devices. However, we found that once a PF-CLS scheme fails to achieve the trust level 3 defined by Girault, a malicious KGC can create false guarantees to impersonate any user in the system without being implicated, which hinders the adoption and promotion of PF-CLS schemes.

In this paper, we took Xu et al.’s scheme as an example and proved that it cannot reach KGC trust level 3. We presented a new PF-CLS scheme with KGC trust level 3: the KGC can neither compute a user’s secret keys nor generate false guarantees without being implicated. To facilitate adoption of the scheme, our signature conforms to the Schnorr signature form. The security analysis showed that the proposed scheme is existentially unforgeable against adaptive chosen-message and identity attacks. The efficiency analysis showed that our PF-CLS scheme, with stronger security, lower computational cost, and a shorter public key, can be rapidly deployed in hardware and software, and that it has broad application prospects in resource-constrained environments such as WSN and IoT.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was funded by the Higher Education Department of the Ministry of Education Industry-University Cooperative Education Project grant numbers 201802007011 and 201902169008.