This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2019.2894108, IEEE Transactions on Industrial Informatics
IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, 2019

Efficient and Robust Certificateless Signature for Data Crowdsensing in Cloud-assisted Industrial IoT

Yinghui Zhang, Member, IEEE, Robert H. Deng, Fellow, IEEE, Dong Zheng, Jin Li, Pengfei Wu, and Jin Cao

Y. Zhang is with the National Engineering Laboratory for Wireless Security, Xi'an University of Posts & Telecommunications, Xi'an 710121, China; and the School of Information Systems, Singapore Management University, Singapore (Corresponding author. E-mail: yhzhaang@163.com).
R. H. Deng is with the School of Information Systems, Singapore Management University, Singapore (E-mail: robertdeng@smu.edu.sg).
D. Zheng is with the National Engineering Laboratory for Wireless Security, Xi'an University of Posts & Telecommunications, Xi'an 710121, China; and Westone Cryptologic Research Center, Beijing 100070, China (Corresponding author. E-mail: zhengdong@xupt.edu.cn).
J. Li is with the School of Computer Science, Guangzhou University, Guangzhou 510006, China (E-mail: jinli71@gmail.com).
P. Wu is with the School of Software and Microelectronics, Peking University, Beijing 102600, China (E-mail: wpf9808@163.com).
J. Cao is with the State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University, Xi'an 710126, China (E-mail: caoj897@gmail.com).

Abstract—With the digitalization of various industries, the combination of cloud computing and the Industrial Internet of Things (IIoT) has become an attractive data processing paradigm. However, cloud-assisted IIoT still faces challenging issues, including the authenticity of data, the untrustworthiness of third parties, and system robustness and efficiency. Recently, Karati et al. [1] proposed a lightweight certificateless signature (CLS) scheme for cloud-assisted IIoT which was claimed to address both the authenticity of data and the untrustworthiness of third parties. In this paper, we demonstrate that the CLS scheme fails to achieve the claimed security properties by presenting four types of signature forgery attacks. We also propose a robust certificateless signature (RCLS) scheme to address the aforementioned challenges. Our RCLS needs only public channels and is proven secure against both public key replacement attacks and malicious-but-passive third parties in the standard model. Performance evaluation indicates that RCLS outperforms other CLS schemes and is suitable for IIoT.

Index Terms—Industrial Internet of Things; Cloud computing; Certificateless signature; Signature forgery attack; Crowdsensing; Robustness.

I. Introduction

The rapid technological advancements in the Internet of Things (IoT) and cloud computing are expected to play an important promoting role in creating a smart world. According to Gartner [2], it is estimated that by 2020 the number of worldwide connected things will amount to 20.4 billion and business IoT endpoint spending will reach almost $3 trillion. In particular, the combination of cloud computing and the industrial IoT (IIoT) has been recognized as a promising solution to transform the operation of existing industrial systems, which involve industrial production, logistics, storage and marketing [3]. The ultimate goal of cloud-assisted IIoT is to enable various industries to obtain competitive advantages.

However, cloud-assisted IIoT still has several fundamental and challenging issues, including the authenticity of data, the untrustworthiness of the involved third parties, and the robustness and efficiency of the system.1 Because essential information extracted from IIoT data usually plays an important role in improving enterprises' operation and may even be related to the lives of front-line workers, erroneous or tampered data, if used by consumers, will produce misleading information and hence may lead to disastrous results [4]. Accordingly, it is indispensable to efficiently ensure the authenticity of collected IIoT data before analyzing and processing the data. It should be noted that the dynamic deployment of the IIoT system and the massiveness and resource constraints of diverse IIoT devices render energy-intensive authentication mechanisms relying on trustworthy third parties obsolete. In particular, the property of needing no secure channel should be realized in the IIoT system, because system scalability is indispensable for practicality.

1 Robustness means that no secure channel is required in the system.

As promising cryptographic primitives, the public key cryptosystem (PKC) and the identity-based cryptosystem (IBC) [5] are two possible solutions to data authentication in IIoT. However, PKC suffers from severe performance bottlenecks due to burdensome public key certificate management. In addition, the complicated validation process of public keys could quickly drain the resources of a constrained IIoT device. In IBC, the cost and complexity of the system are drastically reduced by removing the need for users' public key certificates. To be precise, a certificate is only needed for a trusted authority called the key generation center (KGC), which is responsible for issuing private keys to users. Nevertheless, IBC is still not suitable for IIoT because of an inherent trust issue known as the "key escrow problem", which means that the private key of a user is known to the KGC. To tackle this problem, Al-Riyami and Paterson [6] proposed a new cryptosystem referred to as certificateless public key cryptography (CL-PKC). In CL-PKC, a user's private key is a combination of a contribution of the KGC and a user-chosen secret, and hence the key escrow problem is solved. Note that CL-PKC does not defend against key replacement attacks by directly proving the authenticity of a public key with a certificate. Instead, CL-PKC guarantees that even if a malicious user successfully replaces a victim's public key with one of his own choice, he still cannot forge a valid signature. As a kind of CL-PKC, certificateless signature (CLS) can be used to check data authenticity in IIoT. For one thing, the unique security and performance requirements of the IIoT system mentioned above rule out both PKC and IBC because of burdensome key management and the key escrow problem. For another, CLS-enabled systems enjoy the benefit of lightweight key management. Specifically, CLS can work just like an identity-based signature scheme by including the public key as part of a signature message, but it is free of the key-escrow problem.

Fig. 1. The system model of data crowdsensing in cloud-assisted IIoT. The figure shows the third party, the IIoT data owner (industrial devices, mounted sensors, smart things), the IIoT data consumer (verification services, industrial research, industrial applications) and the cloud service provider (storage, processing, analysis, verification); CLS joining uses a secure channel, RCLS joining uses a public channel, and (authentic) data flows over public channels.

However, very recently Karati et al. [1] pointed out that most of the existing CLS schemes are designed based on map-to-point (MTP) hash functions and the random oracle model (ROM), whose implementation difficulty and probabilistic nature make such schemes impractical. Furthermore, the authors of [1] proposed a CLS scheme without MTP and ROM to enable data authentication in IIoT. As illustrated in Figure 1, the authors of [1] considered a typical cloud-assisted IIoT-enabled data crowdsensing system. The system consists of four types of entities: a third party, IIoT data owners (DOs), IIoT data consumers (DUs) and a cloud service provider (CSP). The third party is a malicious-but-passive KGC [6], [7] and it helps DOs and DUs to join the system. DOs outsource the crowdsensing IIoT data from various industrial devices to the CSP. The CSP either stores the data for sharing among DOs and DUs or processes the data to extract valuable information for DUs. In any case, the authenticity of the collected IIoT data should be checked so that erroneous or tampered data are removed. The authors of [1] claimed that their solution efficiently addresses both the authenticity of data and the untrustworthiness of the third party in cloud-assisted IIoT. Specifically, the authors proved that the CLS scheme is secure against the Type I adversary and the Type II adversary in the standard model under the Bilinear Strong Diffie-Hellman (BSDH) assumption [8] and the Extended Bilinear Strong Diffie-Hellman (EBSDH) assumption [9], respectively.2 However, after a close look at their scheme, we find that it suffers from four types of signature forgery attacks and hence fails to achieve the claimed security properties. In addition, the CLS scheme is not robust because of the use of a secure channel between the third party and the DOs.

2 In the supplemental material, we demonstrate an inaccuracy in [1], namely that the EBSDH assumption and the BSDH assumption are equivalent.

A. Related Work

Data crowdsensing plays an essential role in the digitalization of various industries [10], [11], which makes people aware of the importance of data security in the enabling technologies such as cloud computing, IoT and IIoT [12]. Zhang et al. proposed two blockchain-based fair payment protocols called BPay [13] and BCPay [14] for outsourcing services in cloud computing. The protocol BPay [13] is compatible with the Bitcoin blockchain, but its performance remains to be improved. At the cost of losing compatibility with the Bitcoin blockchain, the protocol BCPay [14] is very efficient in terms of computation cost and the number of transactions. These two protocols can be adopted to enable trustworthy keyword search over cloud encrypted data with two-side verifiability [15]. Shu et al. [16] presented a privacy-preserving task recommendation scheme in the cloud computing environment. Zhang et al. [17] realized attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing. Since the introduction of CLS for solving the key escrow problem in the ID-based setting [6], many research efforts have focused on the design and analysis of CLS. Huang et al. [18] pointed out that the scheme of [6] is vulnerable to key replacement attacks launched by any malicious third party (i.e. a Type I adversary). They also developed an improved CLS scheme in [18], which is proven secure in the ROM. Zhang et al. [19] proposed a CLS scheme based on bilinear pairings, which achieves a tight security reduction in the ROM. Yeh et al. [20] proposed a CLS scheme for smart objects in the IoT scenario. It is claimed that the scheme is secure in the ROM against both Type I and Type II adversaries. However, Jia et al. [21] showed that in [20] an adversary can impersonate the key generation center, and that malicious users acting as Type I adversaries can successfully launch public key replacement attacks. Furthermore, Jia et al. [21] proposed an improved scheme and proved its security in the ROM. To date, numerous CLS schemes [22], [23], [24], [25], [26] have been proved secure in the ROM. However, once instantiated with concrete hash functions, random oracles may make the schemes insecure.

Yum and Lee [27] proposed a generic CLS construction by combining any standard signature scheme with any ID-based signature scheme. However, Hu et al. [28] showed that the construction of [27] is insecure against the Type I adversary. Liu et al. [29] proposed the first concrete CLS scheme in the standard model. However, the malicious-but-passive attack launched by the Type II adversary is not taken into consideration. Many other schemes in the standard model can be found in the literature [30], [31], [32], [33], [34], [35], [36], [37]. However, the schemes [29], [30], [31] are vulnerable to the Type I adversary [38]. The scheme [32] fails to resist both the Type I and the Type II adversary [37]. In [33], [34], [37], the authors did not provide a formal security proof against the Type II adversary in the standard model. The schemes [29], [35], [36] suffer from poor efficiency in terms of computation cost. To improve efficiency, Karati et al. [1] proposed a CLS scheme without MTP and ROM. However, we will show that the scheme still suffers from severe security flaws.

B. Our Contributions

Aiming to simultaneously address several fundamental and challenging issues in cloud-assisted IIoT, including the authenticity of data, the untrustworthiness of third parties, and the

1551-3203 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

robustness and efficiency of the system, we make two-fold contributions.

For one thing, we demonstrate that the most recent CLS scheme due to Karati et al. [1] fails to achieve the claimed security properties.
• We present four types of signature forgery attacks on the CLS scheme [1]. Attack I is mounted by the Type I adversary based on public key replacement. Attack II is mounted by the Type II adversary, that is, the malicious-but-passive KGC. Both attack III and attack IV can be launched by any entity without replacing public keys or accessing the master secret key.
• We also identify certain other disadvantages of the CLS scheme [1].

For another, we propose a robust certificateless signature (RCLS) scheme without MTP and ROM to address the aforementioned challenges in cloud-assisted IIoT. Our RCLS scheme is characterized by the following attractive features.
• We prove that RCLS is secure against the above four attacks in the standard model under the Strong Diffie-Hellman (SDH) assumption [39].
• Our RCLS is robust in that no secure channel is required. Performance evaluation and comparisons indicate that the RCLS scheme outperforms other CLS schemes and is suitable for IIoT.

C. Organization

The rest of the paper is organized as follows. We review Karati et al.'s CLS scheme [1] in Section II. The proposed signature forgery attacks are presented in Section III. In Section IV, we describe the proposed RCLS scheme together with its security results. Performance evaluation and comparisons are given in Section V. Finally, concluding remarks are made in Section VI. Besides, the involved complexity assumptions, the consistency analysis of attacks III and IV, an inaccuracy of [1] and the detailed security proofs of RCLS are given in the Supplemental Material.

II. Review of Karati et al.'s CLS Scheme

TABLE I
Notations used in Karati et al.'s CLS scheme.
$r \in_R S$: the element $r$ is randomly chosen from the set $S$.
$s_1 \,\|\, s_2$: the bit concatenation of two strings $s_1$ and $s_2$.
$G_1, G_2$: cyclic multiplicative groups of the same prime order $p$.
$g_1$: a generator of $G_1$.
$ID_i$: the identity of the user indexed by $i$.
$D_i = \langle y_i, R_i \rangle$: the partial private key of the user $ID_i$.
$SK_i$ (resp. $Y_i$): the private (resp. public) key of the user $ID_i$.
$\sigma = \langle \sigma_1, \sigma_2 \rangle$: a CLS signature.

A. Karati et al.'s CLS Scheme

We first summarize the involved notations in Table I, and then briefly review Karati et al.'s CLS scheme [1].
• Setup(k): Given a security parameter $k$, the system setup algorithm is performed by the KGC to generate the system public parameters $params$ and a master secret key $msk$. The details are as follows:
  – The KGC first chooses a bilinear map $\hat e : G_1 \times G_1 \to G_2$, where $G_1$ and $G_2$ are cyclic multiplicative groups of the same prime order $p$. It also picks a hash function $H : \{0,1\}^* \to \mathbb{Z}_p^*$.
  – Furthermore, the KGC chooses $y \in_R \mathbb{Z}_p^*$ as its private key and calculates the corresponding public key $Y_{KGC} = g_1^{y}$, where $g_1$ is a generator of $G_1$. It also computes $g_2 = \hat e(g_1, g_1)^{y}$.
  – Finally, the KGC keeps $msk = y$ private and publishes $params = \langle G_1, G_2, p, \hat e, g_1, g_2, Y_{KGC}, H \rangle$.
• Set-Partial-Private-Key($params$, $msk$, $ID_i$): The partial private key generation algorithm is run by the KGC to generate a partial private key $D_i$ for the user with identity $ID_i$. Given $params$, $msk$ and $ID_i$ received from the user, the KGC does the following:
  – The KGC first computes $h_i = H(ID_i)$, then chooses $r_i \in_R \mathbb{Z}_p^*$ and computes
$$y_i = g_1^{\frac{y \cdot h_i}{h_i + r_i + y}} \quad \text{and} \quad R_i = g_1^{r_i}. \qquad (1)$$
  – Furthermore, the KGC sets $D_i = \langle y_i, R_i \rangle$ and securely sends it to the user $ID_i$.
Remark 1: After receiving $D_i$ from the KGC, the user $ID_i$ accepts $D_i$ as valid if and only if Equation (2) holds.
$$\hat e(g_1, Y_{KGC})^{h_i} = \hat e\big(y_i,\; g_1^{h_i} \cdot R_i \cdot Y_{KGC}\big). \qquad (2)$$
• Set-Secret-Value($params$, $D_i$): Given $params$ and $D_i$, the secret value generation algorithm is run by the corresponding user $ID_i$ to generate its own secret value $SK_i$. Concretely, the user $ID_i$ chooses $c_i, x_i \in_R \mathbb{Z}_p^*$ and sets $SK_i = \langle c_i, x_i, R_i \rangle$.
• Set-Public-Key($params$, $SK_i$, $D_i$): Given $params$, $SK_i$ and $D_i$, the public key generation algorithm is run by the corresponding user $ID_i$ to generate its own public key $Y_i$. To be specific, the user $ID_i$ sets $Y_i = \langle Y_{i,1}, Y_{i,2} \rangle$, where $Y_{i,1} = y_i^{1/x_i}$ and $Y_{i,2} = g_2^{c_i}$.
• CLS-Sign($params$, $SK_S$, $m$): Given $params$, $SK_S$ and a message $m \in \mathbb{Z}_p^*$, the certificateless signature generation algorithm is performed by the signatory with identity $ID_S$ to generate a signature $\sigma$ on $m$. Specifically, the signatory does the following:
  – The signatory computes $h_S = H(ID_S)$.
  – It then chooses $t \in_R \mathbb{Z}_p^*$ and computes $\sigma_1 = g_2^{t}$ and $\sigma_2 = \big(g_1^{h_S} \cdot R_S \cdot Y_{KGC}\big)^{(\frac{c_S}{m} - t)\, x_S}$.
  – Finally, the signatory sets $\sigma = \langle \sigma_1, \sigma_2 \rangle$ and sends $(m, \sigma)$ together with $ID_S$ and $Y_S$ to the verifier.3
3 If the signing result is outsourced to the CSP by the signatory, the verifier can retrieve it from the CSP.
• CLS-Verify($params$, $ID_S$, $Y_S$, $m$, $\sigma$): Given $params$, $ID_S$, $Y_S$, $m$ and $\sigma$, the certificateless signature verification algorithm is performed by the verifier as follows.

  – The verifier computes $h_S = H(ID_S)$.
  – It outputs VALID to indicate that $\sigma$ is a valid signature of $m$ from $ID_S$ if and only if Equation (3) holds. Otherwise, it returns INVALID.
$$\left(\frac{Y_{S,2}^{1/m}}{\sigma_1}\right)^{h_S} = \hat e\big(Y_{S,1}, \sigma_2\big). \qquad (3)$$

B. Claimed Security Properties

In this section, we first review the adversary model used in [1] and then describe the claimed security properties.

1) Adversary Model for Certificateless Signature: In Karati et al.'s CLS scheme [1], the security proof is based on the adversary model defined in [6], [18], which is also used in our security analysis. Specifically, two types of adversary with distinct capabilities are considered.
• Type I Adversary: This type of adversary can mount public key replacement attacks even though it does not have knowledge of the master secret key.
• Type II Adversary: This type of adversary has knowledge of the master secret key but cannot mount public key replacement attacks.
Note that both Type I adversaries and Type II adversaries can mount other attacks, such as attack III and attack IV given in Section III-D and Section III-E, respectively. Therefore, in our security analysis, we need to show that RCLS can resist Type I adversaries and Type II adversaries simultaneously.

2) Security Statements: The CLS scheme in [1] is claimed to be secure against the Type I adversary (see Theorem 1 in Section IV of [1]) and the Type II adversary (see Theorem 2 in Section IV of [1]) in the standard model under the BSDH assumption and the EBSDH assumption, respectively. Due to space limitation, we present the involved assumptions in the Supplemental Material A.

III. Security Analysis of Karati et al.'s CLS Scheme

In this section, we first give an overview of the attacks on the CLS scheme, and then illustrate the details. We also identify other disadvantages of [1].

A. Overview of Attacks

According to the details of the algorithms Set-Secret-Value and Set-Public-Key, we know that for a user with identity $ID_i$, the secret value is $SK_i = \langle c_i, x_i, R_i \rangle$ and the public key is $Y_i = \langle Y_{i,1}, Y_{i,2} \rangle$. In particular, $Y_{i,2} = g_2^{c_i}$ is determined only by the secret component $c_i$, which is not involved in $Y_{i,1} = y_i^{1/x_i}$. Most importantly, for a given message $m \in \mathbb{Z}_p^*$, the corresponding signature is $\sigma = \langle \sigma_1, \sigma_2 \rangle$. Note that $\sigma_1$ is used to introduce randomization into the signature and $\sigma_2 = \Delta^{(\frac{c_i}{m} - t)\, x_i}$, where $\Delta = g_1^{h_i} \cdot R_i \cdot Y_{KGC}$ is a constant. Therefore, given a previous signature message $\langle ID_i, Y_i, m, \sigma \rangle$, it is possible for Type I adversaries to change the message $m$ arbitrarily and to make a corresponding replacement of $Y_{i,2}$ such that the quotient $c_i/m$ (and hence the value $Y_{i,2}^{1/m}$ used in verification) stays constant. In this case, a Type I adversary can forge $ID_i$'s signature on any randomly chosen message, which corresponds to the scenario of Attack I in Section III-B.

On the other hand, for Type II adversaries, public key replacement is not allowed and hence $c_i/m$ in $\sigma_2$ cannot be changed. In addition, the secret component $x_i$ is unknown to Type II adversaries. Consequently, if a Type II adversary aims to forge $ID_i$'s signature, it has to update the random value $t$ involved in $\sigma_2$. According to Equation (3), a corresponding update must be made to $\sigma_1 = g_2^{t}$. In other words, the Type II adversary has to compute $g_2^{1/x_i}$, which is used to change $\sigma_1$ to $\sigma_1^*$. Because $g_2 = \hat e(g_1, g_1)^{y}$, the adversary only needs to compute $g_1^{y/x_i}$. Note that the public component is $Y_{i,1} = y_i^{1/x_i}$ and
$$y_i = g_1^{\frac{y \cdot h_i}{h_i + r_i + y}}. \qquad (4)$$
It follows from Equation (4) that the Type II adversary is capable of computing $g_1^{y/x_i}$, in that it knows $h_i = H(ID_i)$, $r_i$ and $y$. Therefore, the Type II adversary can forge $ID_i$'s signature on a previous message, which corresponds to the scenario of Attack II in Section III-C.

Finally, because $\Delta$, $c_i$ and $x_i$ are constant, it is possible to forge $ID_i$'s signature even if public key replacement is not allowed and the master secret key cannot be accessed. Any entity can forge $ID_i$'s signature by adopting the idea of component-wise multiplication based on two or more previous signature messages of $ID_i$, which corresponds to the scenario of Attack III in Section III-D. In particular, any entity can also forge $ID_i$'s signature on any randomly chosen message by adopting the idea of exponentiation re-randomization, which corresponds to the scenario of Attack IV in Section III-E.

Remark 2: Both the Type I adversary and the Type II adversary can also launch attacks III and IV. However, to keep the cases distinct, we assume that the Type I adversary and the Type II adversary do not perform the procedures of attacks III and IV during attacks I and II. Furthermore, if a scheme is said to be secure against both the Type I adversary and the Type II adversary, it can resist all four attacks simultaneously.

B. Attack I: Forgery Attacks based on Public Key Replacement

Suppose a user (not the KGC) with identity $ID_j$ ($j \neq i$) intends to forge $ID_i$'s signature. As shown in Figure 2, given a valid signature message $\langle ID_i, Y_i, m, \sigma \rangle$ from $ID_i$, for any randomly chosen IIoT data $m^* \in_R \mathbb{Z}_p^*$ with $m^* \neq m$, $ID_j$ can forge a signature message $\langle ID_i, Y_i^*, m^*, \sigma \rangle$ by replacing the public key of $ID_i$. The details are as follows.

Forgery Attack I: $ID_j$ performs the following procedures.
1) Get a valid tuple $\langle ID_i, Y_i, m, \sigma \rangle$ by eavesdropping on the public channel between $ID_i$ and the verifier. We know $Y_i = \langle Y_{i,1}, Y_{i,2} \rangle$, $\sigma = \langle \sigma_1, \sigma_2 \rangle$ and
$$\left(\frac{Y_{i,2}^{1/m}}{\sigma_1}\right)^{h_i} = \hat e\big(Y_{i,1}, \sigma_2\big). \qquad (5)$$
2) Choose $m^* \in_R \mathbb{Z}_p^*$ as IIoT data, where $m^* \neq m$.
3) Set $Y_i^* = \langle Y_{i,1}^*, Y_{i,2}^* \rangle$, where $Y_{i,1}^* = Y_{i,1}$ and $Y_{i,2}^* = Y_{i,2}^{m^*/m}$.
4) Send $\langle ID_i, Y_i^*, m^*, \sigma \rangle$ to the verifier.

Fig. 2. The scenario of attack I: the adversary eavesdrops on the public channel between $ID_i$ and the verifier; the inputs and outputs of all algorithms travel over public channels.

Verification: The forged signature message $\langle ID_i, Y_i^*, m^*, \sigma \rangle$ can be verified by the verifier as follows.
1) Compute $h_i = H(ID_i)$.
2) Output VALID to indicate that $\sigma$ is a valid signature of $m^*$ from $ID_i$ if and only if Equation (6) holds. Otherwise, it returns INVALID.
$$\left(\frac{(Y_{i,2}^*)^{1/m^*}}{\sigma_1}\right)^{h_i} = \hat e\big(Y_{i,1}^*, \sigma_2\big). \qquad (6)$$
Correctness: It follows from Equation (5) that Equation (6) holds. In fact,
$$\left(\frac{(Y_{i,2}^*)^{1/m^*}}{\sigma_1}\right)^{h_i} = \left(\frac{Y_{i,2}^{1/m}}{\sigma_1}\right)^{h_i} = \hat e\big(Y_{i,1}, \sigma_2\big) = \hat e\big(Y_{i,1}^*, \sigma_2\big).$$

C. Attack II: Forgery Attacks from a Malicious-but-Passive KGC

In this case, the adversary is a malicious-but-passive KGC who wants to forge signatures of users. Suppose the KGC intends to forge $ID_i$'s signature and hence keeps the random value $r_i$ in preparation, where $r_i$ is chosen in the generation of the partial private key $D_i$ according to Equation (1). As shown in Figure 3, given a valid signature message $\langle ID_i, Y_i, m, \sigma \rangle$ from $ID_i$, $msk$, $r_i$ and $D_i = \langle y_i, R_i \rangle$, the adversary can forge a signature message $\langle ID_i, Y_i, m, \sigma^* \rangle$. The details are as follows.

Fig. 3. The scenario of attack II: the malicious-but-passive KGC eavesdrops on the public channel between $ID_i$ and the verifier; the inputs and outputs of all algorithms travel over public channels.

Forgery Attack II: The adversary does the following:
1) Get a valid tuple $\langle ID_i, Y_i, m, \sigma \rangle$ by eavesdropping on the public channel between $ID_i$ and the verifier. We know $Y_i = \langle Y_{i,1}, Y_{i,2} \rangle$, $\sigma = \langle \sigma_1, \sigma_2 \rangle$ and
$$\left(\frac{Y_{i,2}^{1/m}}{\sigma_1}\right)^{h_i} = \hat e\big(Y_{i,1}, \sigma_2\big). \qquad (7)$$
2) Choose $x^* \in_R \mathbb{Z}_p^*$, and compute $h_i = H(ID_i)$,
$$a_i = \frac{h_i + r_i + y}{h_i} \bmod p, \qquad \Delta_{i,1} = \hat e\big(g_1, Y_{i,1}\big)^{a_i x^*}. \qquad (8)$$
3) Set $\sigma_1^* = \sigma_1 \cdot \Delta_{i,1}^{-1}$ and $\sigma_2^* = \sigma_2 \cdot \Delta_{i,2}$, where
$$\Delta_{i,2} = \big(g_1^{h_i} \cdot R_i \cdot Y_{KGC}\big)^{x^*}. \qquad (9)$$
4) Send $\langle ID_i, Y_i, m, \sigma^* \rangle$ to the verifier, where $\sigma^* = \langle \sigma_1^*, \sigma_2^* \rangle$.

Verification: The forged signature message $\langle ID_i, Y_i, m, \sigma^* \rangle$ can be verified by the verifier as follows.
1) Compute $h_i = H(ID_i)$.
2) Output VALID to indicate that $\sigma^*$ is a valid signature of $m$ from $ID_i$ if and only if Equation (10) holds. Otherwise, it returns INVALID.
$$\left(\frac{Y_{i,2}^{1/m}}{\sigma_1^*}\right)^{h_i} = \hat e\big(Y_{i,1}, \sigma_2^*\big). \qquad (10)$$
Correctness: It follows from Equations (7)-(9) that Equation (10) holds. In fact,
$$\left(\frac{Y_{i,2}^{1/m}}{\sigma_1^*}\right)^{h_i} = \left(\frac{Y_{i,2}^{1/m}}{\sigma_1 \cdot \Delta_{i,1}^{-1}}\right)^{h_i} = \left(\frac{Y_{i,2}^{1/m}}{\sigma_1}\right)^{h_i} \cdot \Delta_{i,1}^{h_i} = \hat e\big(Y_{i,1}, \sigma_2\big) \cdot \hat e\big(g_1, Y_{i,1}\big)^{a_i x^* h_i} = \hat e\big(Y_{i,1},\; \sigma_2 \cdot g_1^{x^* (h_i + r_i + y)}\big) = \hat e\big(Y_{i,1},\; \sigma_2 \cdot \Delta_{i,2}\big) = \hat e\big(Y_{i,1}, \sigma_2^*\big).$$

D. Attack III: Forgery Attacks from Anyone (based on Two Previous Signature Messages)

In attack III, anyone, including IIoT users and the KGC, can act as an adversary to forge signatures of the CLS scheme. As shown in Figure 4, given two valid signature messages $\langle ID_i, Y_i, m^{(1)}, \sigma^{(1)} \rangle$ and $\langle ID_i, Y_i, m^{(2)}, \sigma^{(2)} \rangle$ from $ID_i$ with $m^{(1)} + m^{(2)} \neq 0$, anyone can forge a signature message $\langle ID_i, Y_i, m^*, \sigma^* \rangle$ as follows.

Forgery Attack III: The adversary does the following:
1) Get two tuples $\langle ID_i, Y_i, m^{(1)}, \sigma^{(1)} \rangle$ and $\langle ID_i, Y_i, m^{(2)}, \sigma^{(2)} \rangle$ by eavesdropping on the public channel between $ID_i$ and the verifier. We know $Y_i = \langle Y_{i,1}, Y_{i,2} \rangle$, $\sigma^{(1)} = \langle \sigma_1^{(1)}, \sigma_2^{(1)} \rangle$, $\sigma^{(2)} = \langle \sigma_1^{(2)}, \sigma_2^{(2)} \rangle$ and
$$\left(\frac{Y_{i,2}^{1/m^{(1)}}}{\sigma_1^{(1)}}\right)^{h_i} = \hat e\big(Y_{i,1}, \sigma_2^{(1)}\big), \qquad \left(\frac{Y_{i,2}^{1/m^{(2)}}}{\sigma_1^{(2)}}\right)^{h_i} = \hat e\big(Y_{i,1}, \sigma_2^{(2)}\big). \qquad (11)$$
2) Set $m^* = \dfrac{m^{(1)} m^{(2)}}{m^{(1)} + m^{(2)}}$ and $\sigma^* = \langle \sigma_1^*, \sigma_2^* \rangle$, where
$$\sigma_1^* = \sigma_1^{(1)} \cdot \sigma_1^{(2)}, \qquad \sigma_2^* = \sigma_2^{(1)} \cdot \sigma_2^{(2)}. \qquad (12)$$
3) Send $\langle ID_i, Y_i, m^*, \sigma^* \rangle$ to the verifier.
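The check that the paper defers to the supplemental material can be car­ried out directly from Equations (11) and (12). The following derivation is added here and is not part of the original text. Because $m^* = m^{(1)} m^{(2)} / (m^{(1)} + m^{(2)})$ with $m^{(1)} + m^{(2)} \neq 0$, we have $1/m^* = 1/m^{(1)} + 1/m^{(2)}$ in $\mathbb{Z}_p$, and hence

$$\left(\frac{Y_{i,2}^{1/m^*}}{\sigma_1^*}\right)^{h_i} = \left(\frac{Y_{i,2}^{1/m^{(1)}} \cdot Y_{i,2}^{1/m^{(2)}}}{\sigma_1^{(1)} \cdot \sigma_1^{(2)}}\right)^{h_i} = \left(\frac{Y_{i,2}^{1/m^{(1)}}}{\sigma_1^{(1)}}\right)^{h_i} \left(\frac{Y_{i,2}^{1/m^{(2)}}}{\sigma_1^{(2)}}\right)^{h_i} = \hat e\big(Y_{i,1}, \sigma_2^{(1)}\big)\, \hat e\big(Y_{i,1}, \sigma_2^{(2)}\big) = \hat e\big(Y_{i,1},\; \sigma_2^{(1)} \cdot \sigma_2^{(2)}\big) = \hat e\big(Y_{i,1}, \sigma_2^*\big),$$

so the combined tuple passes the verification equation for the message $m^*$. The derivation also shows why the forgery works at all: the verification equation is linear in $1/m$ and in the exponents of $\sigma_1$ and $\sigma_2$, so signatures on different messages can be multiplied component-wise without knowing $c_i$, $x_i$ or $t$.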

Fig. 4. The scenario of attack III: the adversary eavesdrops on the public channel between $ID_i$ and the verifier; the inputs and outputs of all algorithms travel over public channels.

Verification: The forged signature message $\langle ID_i, Y_i, m^*, \sigma^* \rangle$ can be verified by the verifier as follows.
1) Compute $h_i = H(ID_i)$.
2) Output VALID to indicate that $\sigma^*$ is a valid signature of $m^*$ from $ID_i$ if and only if Equation (13) holds. Otherwise, it returns INVALID.
$$\left(\frac{Y_{i,2}^{1/m^*}}{\sigma_1^*}\right)^{h_i} = \hat e\big(Y_{i,1}, \sigma_2^*\big). \qquad (13)$$
Correctness: It follows from Equation (11) and Equation (12) that Equation (13) holds. Due to space limitation, please refer to the Supplemental Material ?? for details.

E. Attack IV: Forgery Attacks from Anyone (based on Any Previous Signature Message)

As shown in Figure 5, given a valid signature message $\langle ID_i, Y_i, m, \sigma \rangle$ from $ID_i$, for any randomly chosen IIoT data $m^* \in_R \mathbb{Z}_p^*$ with $m^* \neq m$, anyone can forge a signature message $\langle ID_i, Y_i, m^*, \sigma^* \rangle$. The details are as follows.

Fig. 5. The scenario of attack IV: the adversary eavesdrops on the public channel between $ID_i$ and the verifier; the inputs and outputs of all algorithms travel over public channels.

Forgery Attack IV: The adversary does the following:
1) Get a valid tuple $\langle ID_i, Y_i, m, \sigma \rangle$ by eavesdropping on the public channel between $ID_i$ and the verifier. We know $Y_i = \langle Y_{i,1}, Y_{i,2} \rangle$, $\sigma = \langle \sigma_1, \sigma_2 \rangle$ and
$$\left(\frac{Y_{i,2}^{1/m}}{\sigma_1}\right)^{h_i} = \hat e\big(Y_{i,1}, \sigma_2\big). \qquad (14)$$
2) Choose $m^* \in_R \mathbb{Z}_p^*$ as IIoT data, where $m^* \neq m$.
3) Set $\sigma^* = \langle \sigma_1^*, \sigma_2^* \rangle$, where $\sigma_1^* = \sigma_1^{m/m^*}$ and $\sigma_2^* = \sigma_2^{m/m^*}$.
4) Send $\langle ID_i, Y_i, m^*, \sigma^* \rangle$ to the verifier.

Verification: The forged signature message $\langle ID_i, Y_i, m^*, \sigma^* \rangle$ can be verified by the verifier as follows.
1) Compute $h_i = H(ID_i)$.
2) Output VALID to indicate that $\sigma^*$ is a valid signature of $m^*$ from $ID_i$ if and only if Equation (15) holds. Otherwise, it returns INVALID.
$$\left(\frac{Y_{i,2}^{1/m^*}}{\sigma_1^*}\right)^{h_i} = \hat e\big(Y_{i,1}, \sigma_2^*\big). \qquad (15)$$
Correctness: It follows from Equation (14) that Equation (15) holds. Due to space limitation, please refer to the Supplemental Material B for details.

Remark 3 (Other Disadvantages): Due to space limitation, please refer to the Supplemental Material C for details.

IV. RCLS: Robust Certificateless Signature for IIoT

A. Challenge and Main Idea

In Karati et al.'s CLS scheme [1], for a given message $m$, the signature generated by $ID_i$ with public key $Y_i = \langle Y_{i,1}, Y_{i,2} \rangle$ is $\sigma = \langle \sigma_1, \sigma_2 \rangle$, as shown in Section II-A, where $\sigma_1 = g_2^{t}$ and $\sigma_2 = \Delta^{(\frac{c_i}{m} - t)\, x_i}$ with $\Delta = g_1^{h_i} \cdot R_i \cdot Y_{KGC}$.

Based on the analysis in Section III-A, to resist attack I we can bind $Y_{i,2}$ with $ID_i$ and $\sigma_2$ simultaneously. To defeat attack II, $ID_i$ can change $\sigma_2$ from $\Delta^{(\frac{c_i}{m} - t)\, x_i}$ to $\Delta^{(\frac{c_i}{m} - t)\, x_i / c_i}$, which makes the adversary unable to compute the corresponding $\sigma_1$. Attack III can be easily resisted by changing $\sigma_2$ from $\Delta^{(\frac{c_i}{m} - t)\, x_i}$ to $\Delta^{(\frac{c_i}{m} - m \cdot t)\, x_i / c_i}$, which makes it impossible to obtain a suitable message. However, the above improvements fail to resist attack IV, in that it can avoid the involvement of the secret $c_i$ by re-randomizing the exponentiations in $\sigma_1$ and $\sigma_2$ simultaneously.

In order to defeat attacks I, II, III and IV simultaneously, we introduce the idea of partial private key generation into the short signature scheme [39], which does not need MTP hash functions and is proven existentially unforgeable against chosen-message attacks in the standard model. On the other hand, in order to achieve robustness by eliminating secure channels, the idea of key exchange is exploited in the partial private key generation. To improve the computation and storage performance, we present our RCLS scheme based on the elliptic curve analogue of [39].

TABLE II
Notations used in our RCLS.
$G_1$ (resp. $G_2$): a cyclic additive (resp. multiplicative) group of prime order $p$.
$P$: a generator of $G_1$.
$usk_i / upk_i$: the user-side secret/public key of $ID_i$.
$psk_i / ppk_i$: the partial private/public key of $ID_i$.
$sk_i / pk_i$: the secret/public key of $ID_i$.
$\sigma = \langle t, \delta \rangle$: an RCLS signature.


B. Design Details of RCLS

For ease of reference, we first list some notations in Table II, which are used in RCLS. Then, RCLS is described in detail.

• Setup(k): As shown in Figure 6, given a security parameter k, the system setup algorithm is performed by KGC to generate system public parameters params and a master secret key msk. For simplicity, params is not reflected in Figure 6. The details are as follows:
  – KGC first chooses a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$, where $G_1$ is a cyclic additive group and $G_2$ is a cyclic multiplicative group, with the same prime order p. It also picks three collision-resistant hash functions $H_0: G_1 \to Z_p^*$, $H_1: \{0,1\}^{\ell_{ID}} \times G_1^2 \to Z_p^*$ and $H_2: \{0,1\}^* \times \{0,1\}^{\ell_{ID}} \to Z_p^*$, where $\ell_{ID}$ is the bit length of a user identity.
  – Furthermore, KGC chooses $s \in_R Z_p^*$ as its private key and calculates the corresponding public key $P_{KGC} = sP$, where P is a generator of $G_1$. It also computes $Y = \hat{e}(P, P)$.
  – Finally, KGC keeps msk = s private and publishes params = ⟨$G_1, G_2, p, \hat{e}, P, P_{KGC}, Y, H_0, H_1, H_2$⟩.

[Figure 6: the user runs (2) Set-User-Side-Secret-Key, (4) Set-Full-Secret-Key and (5) Set-Full-Public-Key; KGC runs (1) Setup and (3) Set-Partial-Private-Key; inputs and outputs are exchanged over a public channel.]
Fig. 6. The procedures of system setup and key generation.

• Set-User-Side-Secret(params): The user-side secret value generation algorithm is run by users. Given params, a user with identity ID_i chooses $x_i \in_R Z_p^*$ and computes $X_i = x_i P$. It then sets usk_i = x_i and upk_i = X_i.

• Set-Partial-Private-Key(params, msk, ID_i, upk_i): The algorithm is run by KGC to generate a partial private key psk_i and the corresponding partial public key ppk_i for users. As shown in Figure 6, given params, msk, and ID_i, upk_i received from the user, KGC does the following:
  – KGC chooses $r_i \in_R Z_p^*$, and computes $R_i = r_i P$, $h_{1,i} = H_1(ID_i \,\|\, X_i \,\|\, R_i)$ and $k_i = r_i + s \cdot h_{1,i} + H_0(sX_i) \bmod p$.
  – Then, KGC returns ppk_i = R_i and psk_i = k_i through public channels.

• Set-Full-Secret-Key(params, ID_i, usk_i, upk_i, psk_i, ppk_i): The algorithm is performed by a user to generate its full secret key sk_i. Given params, ID_i, usk_i, upk_i, psk_i and ppk_i, the corresponding user ID_i does the following:
  – ID_i computes $d_i = k_i - H_0(x_i P_{KGC}) \bmod p$.
  – It computes $h_{1,i} = H_1(ID_i \,\|\, X_i \,\|\, R_i)$ and checks if Equation (16) holds. If it holds, ID_i believes that psk_i is valid and proceeds. Otherwise, ID_i applies for a partial private key from KGC again.

$$d_i P = R_i + h_{1,i} P_{KGC}. \quad (16)$$

  – ID_i keeps sk_i = ⟨x_i, d_i⟩.

• Set-Full-Public-Key(params, upk_i, ppk_i): Upon receiving params, upk_i and ppk_i, the user runs the full public key generation algorithm to generate its own full public key pk_i. To be specific, the user ID_i outputs pk_i = ⟨X_i, R_i⟩.

• RCLS-Sign(params, ID_S, sk_S, m): As illustrated in Figure 7, given params, ID_S, sk_S and a message $m \in \{0,1\}^*$, the certificateless signature generation algorithm is performed by the signatory with identity ID_S to generate a signature σ on m. The signatory does the following:

[Figure 7: the parties Signatory, CSP and Verifier; RCLS-Sign and RCLS-Verify, with inputs and outputs exchanged over a public channel.]
Fig. 7. The procedures of signing and verification.

  – The signatory computes $h_{2,S} = H_2(m \,\|\, ID_S)$.
  – It then chooses $t \in_R Z_p^*$, and computes $\delta = \big(x_S \cdot t + d_S + h_{2,S}\big)^{-1} P$.
  – Finally, the signatory sets σ = ⟨t, δ⟩ and sends (m, σ) together with ID_S and pk_S to the verifier.

• RCLS-Verify(params, ID_S, pk_S, m, σ): As shown in Figure 7, given params, ID_S, pk_S, m and σ, the certificateless signature verification algorithm is run by the verifier.
  – The verifier computes $h_{1,S} = H_1(ID_S \,\|\, X_S \,\|\, R_S)$ and $h_{2,S} = H_2(m \,\|\, ID_S)$.
  – It outputs VALID to indicate that σ is a valid signature of m from ID_S if and only if Equation (17) holds. Otherwise, it returns INVALID.

$$\hat{e}\big(\delta,\; tX_S + R_S + h_{1,S} P_{KGC} + h_{2,S} P\big) = Y. \quad (17)$$

C. Consistency of RCLS

The proposed RCLS scheme achieves consistency because Equation (17) holds. In fact,

$$\begin{aligned}
&\hat{e}\big(\delta,\; tX_S + R_S + h_{1,S} P_{KGC} + h_{2,S} P\big) \\
&= \hat{e}\big(\delta,\; (x_S \cdot t + r_S + s \cdot h_{1,S} + h_{2,S})\, P\big) \\
&= \hat{e}\big((x_S \cdot t + d_S + h_{2,S})^{-1} P,\; (x_S \cdot t + d_S + h_{2,S})\, P\big) = Y,
\end{aligned}$$

where the second step uses $d_S = r_S + s \cdot h_{1,S}$, which holds because the two $H_0$ terms in $k_S$ and $d_S$ cancel: $sX_S = s x_S P = x_S P_{KGC}$.

D. Security Results

In this section, we show that RCLS can resist both Type I and Type II adversaries under the SDH assumption. Due to space limitation, please refer to the Supplemental Material A for the detailed SDH assumption. In addition, please refer to

the Supplemental Material D for proofs of Theorem 1 and Theorem 2.

Theorem 1: For an adversary of Type I, RCLS is existentially unforgeable against chosen-message attacks in the standard model under the $(q_s + 1)$-SDH assumption, where $q_s$ is the number of signing queries made by the adversary.

Theorem 2: For Type II adversaries, RCLS is existentially unforgeable against chosen-message attacks in the standard model under the $(q_s + 1)$-SDH assumption.

[Figure 8: computation time (ms, log scale) of CLS-YW14, CLS-CT16 and our RCLS, plotted against the number of signatures (a) and the number of verifications (b), from 1 to 100.]
Fig. 8. The computation cost comparison. (a) Signing Time. (b) Verification Time.


V. Performance Evaluation

Although substantial research has been done on the design and analysis of CLS for secure data crowdsensing in cloud and IoT enabled applications, only the schemes [1], [27], [29], [30], [31], [32], [33], [34], [35], [36], [37] are developed in the standard model. Furthermore, in [27], [29], [30], [31], [32], [33], [35], [36], both the space and time complexities are not constant and usually lead to large public parameters and heavy computation time. Therefore, as shown in Table III, we only compare the CLS schemes in [1], [34], [37] and our RCLS in terms of security properties and efficiency. In Table III, we denote by $T_p$, $T_e$, $T_{spm}$ and $T_{pm}$ the time cost of a bilinear pairing, an exponentiation, a simultaneous point multiplication, and a point multiplication, respectively. The symbol $\ell_p$ represents the bit length of the group order p. Obviously, the scheme [1] suffers from security flaws. Particularly, only RCLS realizes robustness, and it is the most efficient according to the computation cost and signature length. For convenience of observation, we implement our RCLS and the schemes [37] (CLS-YW14) and [34] (CLS-CT16) on a XiaoMi 5s mobile phone (with a 2.15 GHz Qualcomm Snapdragon 821 CPU, 4 GB RAM, and Android 7.0) based on the Java Pairing Based Cryptography Library (JPBC) 2.0.0 [40]. In our experiments, Type A1 pairings are exploited, which are constructed on the curve $y^2 = x^3 + x$ over the field $F_p$ with p having a length of 1024 bits. As shown in Figure 8, the computation cost comparison is made based on the signing time and the verification time in Figure 8(a) and Figure 8(b), respectively. To clearly present the computation cost, the vertical axis adopts the log scale. It easily follows that RCLS is very efficient in terms of the computation cost.

TABLE III
Comparisons of CLS schemes in the standard model

Schemes     Computation Cost†                 Signature   Security Against       Robustness
            Signing    Verification           Size        Type I    Type II
[1]         3T_e       T_p + 2T_e             2ℓ_p        ×         ×              ×
[37]        3T_e       6T_p + T_e             3ℓ_p        ✓         ✓              ×
[34]        6T_e       4T_p + 2T_e            4ℓ_p        ✓         ✓              ×
Our RCLS    T_pm       T_p + T_spm + T_pm     2ℓ_p        ✓         ✓              ✓
† For the sake of simplicity, pre-computation is not considered in the comparison.

VI. Conclusions and Future Work

Aiming to ensure the data crowdsensing security in cloud-assisted IIoT, we analyzed the security of a CLS scheme without MTP and ROM, and showed that four types of signature forgery attacks exist and hence the scheme fails to achieve the claimed security properties. Furthermore, we proposed a robust certificateless signature scheme without MTP and ROM to address the typical data authenticity challenges in cloud-assisted IIoT. Finally, our security and performance analysis showed that RCLS is secure and efficient. In future research, it would be interesting to design efficient and privacy-aware RCLS schemes for cloud-assisted IIoT application scenarios.

Acknowledgment

The authors would like to thank the editors and anonymous referees for their invaluable suggestions. This research is supported by the National Key R&D Program of China (No. 2017YFB0802000), the AXA Research Fund, the National Natural Science Foundation of China (No. 61772418, 61602378, 61402366), the Natural Science Basic Research Plan in Shaanxi Province of China (No. 2018JZ6001, 2015JQ6236), and the Youth Innovation Team of Shaanxi Universities. Yinghui Zhang is supported by the New Star Team of Xi'an University of Posts & Telecommunications (2016-02).

References

[1] A. Karati, S. H. Islam, and M. Karuppiah, "Provably secure and lightweight certificateless signature scheme for IIoT environments," IEEE Transactions on Industrial Informatics, vol. 14, no. 8, pp. 3701–3711, 2018.
[2] Gartner. (2017) Gartner says 8.4 billion connected "things" will be in use. [Online]. Available: https://www.gartner.com/newsroom/id/3598917
[3] L. Da Xu, W. He, and S. Li, "Internet of things in industries: A survey," IEEE Transactions on Industrial Informatics, vol. 10, no. 4, pp. 2233–2243, 2014.
[4] X. Li, J. Niu, M. Z. A. Bhuiyan, F. Wu, M. Karuppiah, and S. Kumari, "A robust ECC-based provable secure authentication protocol with privacy preserving for industrial internet of things," IEEE Transactions on Industrial Informatics, vol. 14, no. 8, pp. 3599–3609, 2018.
[5] A. Shamir, "Identity-based cryptosystems and signature schemes," in CRYPTO. Springer, 1984, pp. 47–53.
[6] S. S. Al-Riyami and K. G. Paterson, "Certificateless public key cryptography," in ASIACRYPT. Springer, 2003, pp. 452–473.
[7] M. H. Au, Y. Mu, J. Chen, D. S. Wong, J. K. Liu, and G. Yang, "Malicious KGC attacks in certificateless cryptography," in ASIACCS. ACM, 2007, pp. 302–311.
[8] V. Goyal, "Reducing trust in the PKG in identity based cryptosystems," in CRYPTO. Springer, 2007, pp. 430–447.
[9] A. Karati and G. Biswas, "Efficient and provably secure random oracle-free adaptive identity-based encryption with short-signature scheme," Security and Communication Networks, vol. 9, no. 17, pp. 4060–4074, 2016.
[10] Z. Bi, L. Da Xu, and C. Wang, "Internet of things for enterprise systems of modern manufacturing," IEEE Transactions on Industrial Informatics, vol. 10, no. 2, pp. 1537–1546, 2014.
[11] I. J. Vergara-Laurens, L. G. Jaimes, and M. A. Labrador, "Privacy-preserving mechanisms for crowdsensing: Survey and research challenges," IEEE Internet of Things Journal, vol. 4, no. 4, pp. 855–869, 2017.


[12] M. Ma, D. He, N. Kumar, K.-K. R. Choo, and J. Chen, "Certificateless searchable public key encryption scheme for industrial internet of things," IEEE Transactions on Industrial Informatics, vol. 14, no. 2, pp. 759–767, 2018.
[13] Y. Zhang, R. H. Deng, X. Liu, and D. Zheng, "Outsourcing service fair payment based on blockchain and its applications in cloud computing," IEEE Transactions on Services Computing, Online, 2018.
[14] Y. Zhang, R. H. Deng, X. Liu, and D. Zheng, "Blockchain based efficient and robust fair payment for outsourcing services in cloud computing," Information Sciences, vol. 462, pp. 262–277, 2018.
[15] Y. Zhang, R. H. Deng, J. Shu, K. Yang, and D. Zheng, "TKSE: Trustworthy keyword search over encrypted data with two-side verifiability via blockchain," IEEE Access, vol. 6, pp. 31077–31087, 2018.
[16] J. Shu, X. Jia, K. Yang, and H. Wang, "Privacy-preserving task recommendation services for crowdsourcing," IEEE Transactions on Services Computing, Online, 2018.
[17] Y. Zhang, X. Chen, J. Li, D. S. Wong, H. Li, and I. You, "Ensuring attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing," Information Sciences, vol. 379, pp. 42–61, 2017.
[18] X. Huang, W. Susilo, Y. Mu, and F. Zhang, "On the security of certificateless signature schemes from ASIACRYPT 2003," in CANS. Springer, 2005, pp. 13–25.
[19] Z. Zhang, D. S. Wong, J. Xu, and D. Feng, "Certificateless public-key signature: security model and efficient construction," in ACNS. Springer, 2006, pp. 293–308.
[20] K.-H. Yeh, C. Su, K.-K. R. Choo, and W. Chiu, "A novel certificateless signature scheme for smart objects in the internet-of-things," Sensors, vol. 17, no. 5, pp. 1–17, 2017.
[21] X. Jia, D. He, Q. Liu, and K.-K. R. Choo, "An efficient provably-secure certificateless signature scheme for internet-of-things deployment," Ad Hoc Networks, vol. 71, pp. 78–87, 2018.
[22] K. Choi, J. Park, J. Hwang, and D. Lee, "Efficient certificateless signature schemes," in ACNS. Springer, 2007, pp. 443–458.
[23] X. Huang, Y. Mu, W. Susilo, D. S. Wong, and W. Wu, "Certificateless signatures: new schemes and security models," The Computer Journal, vol. 55, no. 4, pp. 457–474, 2011.
[24] R. Tso, X. Yi, and X. Huang, "Efficient and short certificateless signature," in CANS. Springer, 2008, pp. 64–79.
[25] D. He, B. Huang, and J. Chen, "New certificateless short signature scheme," IET Information Security, vol. 7, no. 2, pp. 113–117, 2013.
[26] A. Karati, S. H. Islam, and G. Biswas, "A pairing-free and provably secure certificateless signature scheme," Information Sciences, vol. 450, pp. 378–391, 2018.
[27] D. H. Yum and P. J. Lee, "Generic construction of certificateless signature," in ACISP. Springer, 2004, pp. 200–211.
[28] B. C. Hu, D. S. Wong, Z. Zhang, and X. Deng, "Key replacement attack against a generic construction of certificateless signature," in ACISP. Springer, 2006, pp. 235–246.
[29] J. K. Liu, M. H. Au, and W. Susilo, "Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model," in ASIACCS. ACM, 2007, pp. 273–283.
[30] H. Xiong, Z. Qin, and F. Li, "An improved certificateless signature scheme secure in the standard model," Fundamenta Informaticae, vol. 88, no. 1-2, pp. 193–206, 2008.
[31] Y. Yuan, D. Li, L. Tian, and H. Zhu, "Certificateless signature scheme without random oracles," in ISA. Springer, 2009, pp. 31–40.
[32] Y. Yu, Y. Mu, G. Wang, Q. Xia, and B. Yang, "Improved certificateless signature scheme provably secure in the standard model," IET Information Security, vol. 6, no. 2, pp. 102–110, 2012.
[33] Y.-H. Hung, S.-S. Huang, Y.-M. Tseng, and T.-T. Tsai, "Certificateless signature with strong unforgeability in the standard model," Informatica, vol. 26, no. 4, pp. 663–684, 2015.
[34] S. Canard and V. C. Trinh, "An efficient certificateless signature scheme in the standard model," in ICISS. Springer, 2016, pp. 175–192.
[35] W. Yang, J. Weng, W. Luo, and A. Yang, "Strongly unforgeable certificateless signature resisting attacks from malicious-but-passive KGC," Security and Communication Networks, vol. 2017, pp. 1–8, 2017.
[36] K.-A. Shim, "A new certificateless signature scheme provably secure in the standard model," IEEE Systems Journal, 2018. Available online: http://dx.doi.org/10.1109/JSYST.2018.2844809
[37] Y. Yuan and C. Wang, "Certificateless signature scheme with security enhanced in the standard model," Information Processing Letters, vol. 114, no. 9, pp. 492–499, 2014.
[38] Q. Xia, C. X. Xu, and Y. Yu, "Key replacement attack on two certificateless signature schemes without random oracles," Key Engineering Materials, vol. 439, pp. 1606–1611, 2010.
[39] D. Boneh and X. Boyen, "Short signatures without random oracles," in EUROCRYPT. Springer, 2004, pp. 56–73.
[40] A. D. Caro and V. Iovino, "jPBC: Java pairing based cryptography," in ISCC. IEEE, 2011, pp. 850–855.

Yinghui Zhang (M'18) is a professor of NELWS, Xi'an University of Posts & Telecommunications since 2018. He got his Ph.D. degree in cryptography from Xidian University, China, in 2013. He has published over 80 research articles in ACM ASIACCS, IEEE Transactions on Services Computing, Computer Networks, IEEE Internet of Things Journal, Computers & Security, etc. His research interests include public key cryptography, cloud security, IoT security and privacy, and wireless network security.

Robert H. Deng (F'16) is AXA Chair Professor of Cybersecurity and Professor of Information Systems in the School of Information Systems, Singapore Management University since 2004. His research interests include data security and privacy, multimedia security, network and system security. He served/is serving on the editorial boards of many international journals in security, including the IEEE TIFS, IEEE TDSC, and IEEE Security and Privacy Magazine. He is a fellow of the IEEE.

Dong Zheng received his Ph.D. degree in communication engineering from Xidian University, China, in 1999. He was a Professor at the School of Information Security Engineering, Shanghai Jiao Tong University. He is currently a Professor at NELWS, Xi'an University of Posts & Telecommunications. He has published over 100 research articles including CT-RSA, IEEE Transactions on Industrial Electronics, Information Sciences. His research interests include cloud computing security, public key cryptography.

Jin Li is currently a professor of the School of Computer Science, Guangzhou University. He got his Ph.D. degree in information security from Sun Yat-sen University in 2007. He served as a senior research associate at Korea Advanced Institute of Technology (Korea) and Illinois Institute of Technology (U.S.A.) from 2008 to 2010, respectively. His research interests include secure cloud storage and outsourcing computation.

Pengfei Wu received the B.Eng. degree in software engineering from Shandong University, Jinan, China, in 2016. He is currently pursuing the Ph.D. degree in information security at Peking University, Beijing, China. His research interests include cloud security and big data security.

Jin Cao received the B.S. and Ph.D. degrees from Xidian University, in 2008 and 2015, respectively. He has been an associate professor in the School of Cyber Engineering, Xidian University, Xi'an, Shaanxi, China. His research interests include wireless network security and cloud security.
