Sage Journals: Discover world-class research

Abstract

Fog computing is viewed as an extended technique of cloud computing. In Internet of things–based collaborative fog computing systems, a fog node aggregating lots of data from Internet of things devices has to transmit the information to distributed cloud servers that will collaboratively verify it based on some predefined auditing policy. However, compromised fog nodes controlled by an adversary might inject bogus data to cheat or confuse remote servers. It also causes the waste of communication and computation resources. To further control the lifetime of signing capability for fog nodes, an appropriate mechanism is crucial. In this article, the author proposes a time-constrained strong multi-designated verifier signature scheme to meet the above requirement. In particular, a conventional non-delegatable strong multi-designated verifier signature scheme with low computation is first given. Based on its constructions, we show how to transform it into a time-constrained variant. The unforgeability of the proposed schemes is formally proved based on the famous elliptic curve discrete logarithm assumption. The security requirement of strong signer ambiguity for our substantial constructions is also analyzed by utilizing the intractable assumption of decisional Diffie–Hellman. Moreover, some comparisons in terms of the signature size and computational costs for involved entities among related mechanisms are made.

Keywords

Time-constrained strong multi-designated verifier Internet of things fog computing privacy-preserving

Introduction

Traditionally, enterprises utilize a centralized database to arrange information technology (IT) resources. Yet, with the coming of the concept of cloud computing which provides all kinds of cloud services such as software, hardware, storage, computation, and analysis via the Internet, organizations could more effectively pay their attention to required cloud services and reduce unnecessary cost expense. In 2012, Huang et al.¹ introduced a unified architecture of cloud service delivery platform which can deliver many IT resources and support dozens of software as a service (SaaS). Generally speaking, cloud computing has several advantages including cost savings, high security, dynamic expansion, improved performance, high productivity, and reliability. To ensure data security of cloud users, a provider of cloud services usually sets up relevant backup mechanisms and disaster recovery processes.

Although the concept of cloud computing services has greatly revolutionized conventional ways of data usage, store, and sharing, the high latency of network transmission and centralized processing bottlenecks of cloud servers are still critical questions of Internet of things (IoT)–based cloud service applications. For example, in an Intelligent Transportation System (ITS), the vehicle driving data collected by sensors is an important source of information to ensure traffic safety and smooth driving. An ITS has to make instant decisions and responses according to these data. When all the data are processed by clouds, it not only causes the burdens on cloud systems but also leads to the inability to effectively respond to various emergencies immediately. Due to the above concerns, the notion of fog computing is introduced. We could say that a fog is a cloud closer to the ground and is a computing mode closer to users as well. In an information-centric future Internet, the techniques of fog computing–enabled cognitive network function virtualization are also crucial. In 2019, Wu et al.² presented a virtualization scheme for on-demand caching functions and came up with a forwarding approach for future Internet nodes and fog nodes. Besides, they also addressed a cognitive resource configuration method based on their virtualization architecture. The simulation results of their scheme exhibit better performance over the original information-centric networking (ICN).

For protecting the security of diversified IoT-based fog computing applications, we usually have to adopt suitable cryptographic protocols. In modern cryptosystems,^3,4 the technique of digital signature schemes plays a crucial role in modern era. Such a scheme provides many important properties such as non-repudiation, authenticity along with data integrity. Although generic digital signature schemes have been extensively employed in many electronic commerce applications, they are not suitable for privacy-enabled services such as copyright protection, business contract signing, and electronic voting.^5,6

To additionally provide digital signatures with the property of confidentiality, we can employ the technique of designated verifier signature (DVS) schemes which only permit a designated recipient to verify a given signature. A strong multi-designated verifier signature (SMDVS) scheme is a group-oriented extension of general DVS ones. In such a scheme, a signer can produce a multi-designated verifier signature for a group of recipients who will collaborate with each other to inspect the validity of received multi-signatures. Meanwhile, a verifying group is able to generate valid transcripts which are computationally indistinguishable from an original one and are designated for themselves.

Related works

In 1990, a digital signature variant called undeniable signature is proposed by Chaum and Van Antwerpen.⁷ In this scheme, a verifier must cooperate with an original signer to verify a signature rather than solely. Namely, an original signer has the complete power to select preferred verifiers who could be granted the privilege to access given signatures. Still, a signer must participate in every signature verification procedure.

To provide digital signatures with the characteristic of confidentiality, in 1996, Jakobsson et al.⁸ introduced a system of designated verifier proof. In their mechanism, a recipient can independently run the verification procedure of signature without signer’s intervention. However, only an intended verifier would believe the identity of real signer due to the fact that the former is able to create a legitimate transcript of signature which is difficult to distinguish when compared with the one created by an original signer. This property is called non-transferability which also prevents a malicious verifier from purposely disseminating received signatures. Unfortunately, Wang⁹ showed that there are still some security flaws in their mechanism.

Since only an indicated verifier will be persuaded of the real signer’s identity in Jakobsson et al.’s system, Saeednia et al.¹⁰ incorporated the private key of verifier with the verification procedure of signatures and accordingly presented a strong designated verifier signature (SDVS) scheme in 2003. As the knowledge of verifier’s private key is necessary for running a signature verification procedure, only an intended recipient is capable of verifying a given signature. In the next year, Susilo et al.¹¹ employed the well-known bilinear Diffie–Hellman problem (BDHP) to address an SDVS method implemented on identity-based cryptosystems.

Considering the merits of message recovery signature schemes, in 2007, several researchers¹² addressed an SDVS variant enabling a specific verifier to retrieve signed messages from received signatures. In this way, a message is unnecessary to be transmitted along with its signature for reducing communication overheads. In 2009, Kang et al.¹³ also adopted ID-based systems to construct an SDVS mechanism with shorter signature length.

In 2011, Lin et al.¹⁴ employed the security assumption of discrete logarithm (DL) to propose a pairing-free SDVS approach which exhibits lower computational and communicational costs as compared with previous protocols. Later, Tian¹⁵ presented an SMDVS scheme for broadcast propagation. In his system, the simulation just needs the private key of one verifier.

In 2014, Zhang et al.¹⁶ considered the impact of rogue key attacks on multi-designated verifier signature (MDVS) and gave a new security model of unforgeability to capture such an attack. They also presented a new construction based on the DL assumption. Without using bilinear pairings, in 2016, Hu et al.¹⁷ introduced an undeniable SDVS scheme in which a judger is responsible for telling a genuine signer by simple computation. However, they failed to present reliable formal security proofs in either random oracle or standard models.

Thinking of a more flexible verification policy, in 2019, Rastegari et al.¹⁸ proposed a threshold MDVS scheme in which a threshold number of the set of designated verifiers is sufficient to inspect the validity of a given signature. They also proved the basic security requirement of their scheme in the standard model. Up to present, various DVS variants^19–39 have been proposed. Still, none of existing DVS systems deals with the issue of lifetime of signing capability.

Motivations and objectives

It is obvious that an SMDVS scheme could be applied to IoT-based collaborative fog computing systems in which a fog node would send authenticated data to multiple semi-honest cloud servers for collaborative verification and auditing procedures. In a distributed computing system, several semi-honest cloud servers must cooperatively verify a given multi-signature to prevent a sensitive message from easily obtained by a masqueraded or compromised cloud server. Moreover, existing SMDVS schemes fail to take the issue of lifetime of signing capability for fog nodes into consideration.

Motivated by the above reason, this article will propose a new SMDVS scheme supporting the functionality of time-constrained signing power. The property of time-constrained signing power for fog nodes is crucial in a fog computing system, since a few fog nodes might be compromised by attackers and used to send bogus data. It is thus obvious that the main advantage of time-constrained signing capability in a fog computing system is to prevent compromised fog nodes from persistently injecting bogus data to confuse backend cloud servers. In addition, such a functionality also makes our scheme suitable for specific IoT applications like natural resource monitoring which usually deploys non-recyclable IoT sensors and fog nodes in extreme environments.

A major challenge to design a time-constrained SMDVS scheme is how to realize the control of lifetime of signing power. Moreover, as fog nodes might only be equipped with slight processing capabilities and limited storage space, the adopted cryptographic mechanism must have low computational complexity.

Contributions

This article concentrates on the research of security protocols for IoT-based collaborative fog computing systems. Some concrete contributions are listed as follows:

A new non-delegatable SMDVS scheme and its time-constrained variant are proposed.

Both of the proposed schemes could achieve the existential unforgeable against adaptive chosen-message attack (EUF-CMA) security in the random oracle model provided that the hardness assumption of elliptic curve discrete logarithm (ECDL) holds.

The security notion of strong signer ambiguity (SSA) for the proposed schemes is fulfilled based on the well-known decisional Diffie–Hellman (DDH) assumption.

The performance evaluation demonstrates that the proposed mechanisms have lower computational complexity when compared with related systems.

The rest of this article is arranged as follows. In section “Preliminaries,” we first roughly recall some mathematical characteristics and the adopted cryptographic assumptions. We present the proposed SMDVS schemes in section “The proposed SMDVS schemes.” Some essential security proofs and the evaluation of efficiency will be demonstrated in sections “Proof of security and performance analysis” and “Efficiency analysis.” Eventually, a conclusion to highlight the significance of this article is presented in section “Conclusion.”

Preliminaries

In this section, we first review the mathematical backgrounds of elliptic curve systems, and then describe underlying security problems and their computational assumptions.

Bilinear pairings

Let G ₁ and G ₂ be two groups of prime order q. The former is additive while the latter is multiplicative. The function of bilinear pairing is defined as e: G ₁ × G ₁ → G ₂. Some characteristics of the function of bilinear pairing are described as follows:

1. Bilinearity

\begin{matrix} e (P_{x} + P_{y}, R) = e (P_{x}, R) e (P_{y}, R) \\ e (R, Q_{x} + Q_{y}) = e (R, Q_{x}) e (R, Q_{y}) \end{matrix}

2. Non-degeneracy

If there is a generator P in the group G ₁, there is also another generator e(P, P) in the group G ₂.

3. Computability

Given two values P_x, P_y ∈ G ₁², there is an efficient polynomial-time algorithm for computing the value of e(P_x, P_y).

Computational assumptions

Elliptic curve discrete logarithm problem

Let (P, aP) be a problem instance randomly chosen from the group G ₁ for some unknown integer a ∈ Z_q^*, the elliptic curve discrete logarithm problem (ECDLP) is to derive the value a ∈ Z_q^*.

ECDL assumption

The ECDL assumption states that the advantage for every probabilistic algorithm, say A, which runs in polynomial-time to solve any instance of ECDLP is negligible.

Decisional Diffie–Hellman problem

Let (P, aP, bP, C) be a problem instance randomly chosen from the group G ₁ for some unknown integers a, b ∈ Z_q^*, the decisional Diffie–Hellman problem (DDHP) is to determine whether the equality C = abP holds or not.

DDH assumption

The DDH assumption states that the advantage for every probabilistic algorithm, say A, which runs in polynomial-time to solve any instance of DDHP is negligible.

The proposed SMDVS schemes

We first describe the parties participated in the proposed system. Next, the composed algorithms and two substantial formations would be presented in the sections. The first construction is a basic SMDVS scheme while the second one is a time-constrained variant. We will show the differences of these two schemes and state the advantages of our time-constrained mechanism.

Joined entities

In the proposed basic SMDVS system as shown in Figure 1, there are two major parties including a fog node (signer) and a verifying group which is composed of n cloud servers (designated verifiers). The former acts as a data aggregator responsible for collecting various messages such as environmental data or human health data and will produce a multi-verifier signature that could only be inspected by the latter. In our system architecture, each cloud server is semi-honest, that is, they are curious about received information. Specifically, a clerk of the verifying group will assist in verifying an SMDVS and making a computationally indistinguishable transcript for the group. Note that a fog node plays an important role in the IoT-based collaborative fog computing architecture, as its data are gathered from various IoT devices or sensors. The produced SMDVS is transmitted via a public network. Although the communication security between IoT devices and fog nodes is also vital, this article does not discuss such an issue.

Figure 1.

The proposed basic SMDVS system model.

When it comes to a time-constrained SMDVS system as shown in Figure 2, there is also a trusted Key Authority Server (KAS) involved. The KAS will issue time-constrained private keys to fog nodes and maintain a revocation list to control the lifetime of signing capability for each fog node. More specifically, a revocation list contains invalid time-constrained public keys and their corresponding statuses which are either “Revoked” or “Hold.” The former means permanently revoked while the latter stands for temporarily unused. The KAS will periodically announce the updated revocation list. To verify a time-constrained SMDVS, cloud servers must make a request to the KAS for a corresponding time-constrained public key first.

Figure 2.

The proposed time-constrained SMDVS system model.

Note that in our designed systems, all cloud servers must collaboratively verify the received SMDVS. As long as there is one cloud server that is unwilling to assist, the procedure could not be proceeded. Although a threshold system would be more appealing to the practical applications, a distribution mechanism of secret shares among all cloud servers is mandatory. It also results in extra computational efforts and the security issue of secret shares.

In order to reduce the network transmission latency, a fog node will upload its data to nearby cloud servers, which means that the verifying group is composed of adjacent cloud servers close to the fog node. Figure 3 shows a conceptual model when the proposed schemes are employed in the application of Internet Protocol (IP) camera surveillance. Specifically, a fog node gathering data from several IP cameras will generate an SMDVS to all cloud servers within its communication range. The cloud servers receiving such an SMDVS would form a designated verifying group whose members must collaborate with each other to carry out the verification steps.

Figure 3.

A conceptual model of our system applied in the scenario of IP camera surveillance.

Another practical usage of the proposed schemes is the automated inventory system. In this system, fog nodes are deployed among factories and warehouses. When a fog node receives messages from sensors indicating material shortage, it will send an SMDVS to all adjacent cloud servers to apply for a reorder procedure of materials.

Algorithms

There are four algorithms in the proposed (time-constrained) SMDVS scheme. Definitions of each algorithm are stated as follows:

Setup: by inputting a security parameter to run the algorithm, some necessary parameters of the system are initialized.

SMDVS-Gen: the SMDVS-Gen algorithm is used to create a DVS δ for an intended verifying group. The essential input parameters include system public parameters, the private key SK of the fog node, and all public keys PKs of the verifying group along with a message m.

SMDVS-Verify: the SMDVS-Verify algorithm is used to verify a given DVS δ and will return a response of either True or an error symbol. The essential input parameters include public parameters of the system, a received message, a fog node’s public key PK, all private keys SKs of the verifying group, and a specific multi-verifier signature δ.

Transcript Simulation (TS): the goal of TS algorithm could be used to produce a legitimate transcript of signature, say δ^*, for a verifying group. The essential input parameters are system public values, the public key PK of original fog node, all private keys SKs of the verifying group, and a message to be signed.

Construction of a basic scheme

Using the previously defined algorithms, we give a substantial formation for the strong SMDVS scheme as follows. Some utilized symbols are listed in Table 1.

Setup: initially, by inputting a random value k as a security parameter, the algorithm selects groups G ₁ and G ₂. Both groups have the same prime order q. G ₁ is an additive group while G ₂ is a multiplicative one. The parameter P is a generator in the group G ₁. The symbols of h₀, h₁ and h₂ represent three secure one-way hash functions which should be collision-resistant. There is also a function e called bilinear pairing which satisfies that e: G ₁ × G ₁ → G ₂. The public parameters of the system consist of { G ₁, G ₂, q, P, e, h₀, h₁, h₂}.

SMDVS-Gen: without loss of generality, let U_s be a fog node and VG = {V₁, V₂, …, V_n} be a verifying group composed of n cloud servers. Each entity is equipped with a private key SK which is a random integer x_i ∈ Z_q and a public key PK computed as Y_i = x_iP. Let m be an aggregated data from several IoT-based devices or sensors, and t_s be the current timestamp. In order to sign the message m for the designated verifying group VG, U_s chooses a random value z ∈ Z_q^* and computes

Y = \sum_{i = 1}^{n} Y_{v_{i}}

(1)

W = zY

(2)

l = z + x_{s} h_{0} (m | | t_{s}, Y) \mod q

(3)

N = e (Y, x_{s} h_{2} (m | | t_{s}, W))

(4)

σ = h_{1} (m | | t_{s}, N, l)

(5)

Here, δ = (l, σ) is regarded as a multi-designated verifier signature for the message m intended for VG.

SMDVS-Verify: to check the validity of the DVS δ for the message m, each cloud server V_i of the group VG first checks whether |t_v − t_s| ≤ Δt, where t_v is the current timestamp and Δt is a predefined time period of a valid network transmission. If it holds, the clerk V_c will choose r, f ∈ Z_q^* and send R = r(lP − h₀(m || t_s, Y)Y_s) to the group VG. Next, each V_i computes

K_{i} = x_{v_{i}} R

(6)

and then returns it to V_c. When all K_is are collected, V_c could compute

W' = r^{- 1} \sum_{V_{i} \in VG} K_{i}

(7)

Z = f h_{2} (m | | t_{s}, W')

(8)

and delivers Z to all V_is ∈ VG. Then, each V_i continues to compute

Z_{i} = x_{v_{i}} Z

(9)

and sends it back to V_c. After all Z_is are gathered, V_c could compute

N' = e (Y_{s}, f^{- 1} \sum_{V_{i} \in VG} Z_{i})

(10)

and then checks the accuracy of the signature by inspecting whether

σ = h_{1} (m | | t_{s}, N', l)

(11)

We prove that the equality (11) is correct through the following derivations. According to equation (11), we get

\begin{matrix} h_{1} (m | | t_{s}, N', l) \\ = h_{1} (m | | t_{s}, e (Y_{s}, f^{- 1} \sum_{V_{i} \in VG} Z_{i}), l) \\ = h_{1} (m | | t_{s}, e (Y_{s}, \sum_{V_{i} \in VG} x_{v_{i}} h_{2} (m | | t_{s}, W')), l) \\ = h_{1} (m | | t_{s}, e (Y, x_{s} h_{2} (m | | t_{s}, W')), l) \\ = h_{1} (m | | t_{s}, e (Y, x_{s} h_{2} (m | | t_{s}, r^{- 1} \sum_{V_{i} \in VG} K_{i})), l) \\ = h_{1} (m | | t_{s}, e (Y, x_{s} h_{2} (m | | t_{s}, r^{- 1} \sum_{V_{i} \in VG} x_{v_{i}} R)), l) \\ = h_{1} (m | | t_{s}, e (Y, x_{s} h_{2} (m | | t_{s}, zY)), l) \\ = h_{1} (m | | t_{s}, e (Y, x_{s} h_{2} (m | | t_{s}, W)), l) \\ = h_{1} (m | | t_{s}, N, l) \\ = σ \end{matrix}

TS: for making a legitimate transcript δ″ of the signature in relation to the received message m, a clerk V_c of VG first randomly picks l″, r, f ∈ Z_q^*. Then, he determines a timestamp t_s′ and sends R″ = r(l″P − h₀(m || t_s, Y)Y_s) to the group VG. Next, each cloud server of VG computes

{K_{i}}^{''} = x_{v_{i}} R ″

(12)

and then returns it to V_c. When all of K_i″s is received, V_c will compute

W ″ = r^{- 1} \sum_{V_{i} \in VG} {K_{i}}^{''}

(13)

Z ″ = f h_{2} (m | | {t_{s}}^{'}, W ″)

(14)

and delivers Z″ to all V_is ∈ VG. Each cloud server of VG can therefore compute

{Z_{i}}^{''} = x_{v_{i}} Z ″

(15)

which will be sent back to V_c. After obtaining all Z_i″s, V_c could derive

N ″ = e (Y_{s}, f^{- 1} \sum_{V_{i} \in VG} {Z_{i}}^{''})

(16)

σ ″ = h_{1} (m | | t_{s}, N ″, l ″)

(17)

Table 1.

Symbol notations.

Notation	Description
k	A security parameter
q	A large prime
G ₁	An additive group of order q
G ₂	A multiplicative group of order q
P	A generator in G ₁
e	A bilinear map satisfying that G ₁ × G ₁ → G ₂
h ₀, h₁, h₂	Collision-resistant hash functions
U_s	A fog node
V_i	A cloud server
VG	A verifying group, VG = {V₁, V₂, …, V_n}
V_c	A clerk of the verifying group VG
SK	A private key
PK	A public key
x_t	A time-constrained private key
Y_t	A time-constrained public key
t_s, t_v	Timestamps
δ	An SMDVS

SMDVS: strong multi-designated verifier signature.

It is evident that the derived transcript δ″ = (l″, σ″) would be a valid signature with respect to the message m || t_s′.

Construction of a time-constrained variant

A time-constrained variant can further control the lifetime of signing capability for fog nodes in IoT environments. In particular, a fog node compromised by a malicious adversary would be unable to persuade cloud servers of bogus data. Based on our basic SMDVS construction, we could extend it into a time-constrained variant by introducing a KAS. A KAS is responsible for generating a time-constrained key-pair of fog nodes and also maintaining a revocation list. When a time-constrained private key is expired or revoked, its corresponding public key will be recorded in the revocation list. Although a fog node can still use the revoked time key to sign messages, the resulted signatures would not be regarded as legitimate by cloud servers. Consequently, when using any time-constrained public key, one should first make sure that it is still in the valid time periods by checking the revocation list of KAS. The proposed scheme did not further deal with the update issue of time-constrained key-pairs. Interested readers can refer to the key-update mechanism in Du et al.⁴⁰ The advantage of introducing an independent KAS is centralized administration of time-constrained keys. The KAS also implements the X.509 standard to generate certificates for valid time keys. Using a centralized structure could make the revocation process more efficient and simple.

Without redesigning the entire structure, the extended time-constrained SMDVS variant still enjoys the advantage of low computation complexity of our basic scheme. It also benefits those practical systems adopting our basic scheme to painlessly upgrade the time-constrained functionality. Since the Setup phase is the same as that of our basic construction, we simply present modified parts of other algorithms below. Let (x_t ∈ Z_q, Y_t = x_tP) be a time-constrained key-pair associated with a fog node, say U_s. Consequently, the private key SK of U_s would be composed of {x_s, x_t} while the public key PK is {Y_s, Y_t}. In the SMDVS-Gen algorithm, U_s will perform the same signing procedures except that equations (4) and (5) would be modified as

N_{t} = e (Y, (x_{s} + x_{t}) h_{2} (m | | t_{s}, W))

(18)

σ_{t} = h_{1} (m | | t_{s}, N_{t}, l)

(19)

Here, (l, σ_t) is regarded as a time-constrained SMDVS for the message m intended for VG. In the above equation (18), the time-constrained private key x_t is utilized to control the signing power of fog nodes. When the valid period of time-constrained private key is expired, all corresponding signatures would be viewed as illegal by cloud servers, since its corresponding public time key will be kept in the revocation list of KAS.

To accommodate the modification in the above equation, we have to replace equations (10) and (11) in the SMDVS-Verify algorithm as

{N_{t}}^{'} = e (Y_{s} + Y_{t}, f^{- 1} \sum_{V_{i} \in VG} Z_{i})

(20)

σ = h_{1} (m | | t_{s}, {N_{t}}^{'}, l)

(21)

We prove that equation (21) is correct through the following derivations. According to equation (21), we get

\begin{matrix} h_{1} (m | | t_{s}, {N_{t}}^{'}, l) \\ = h_{1} (m | | t_{s}, e (Y_{s} + Y_{t}, f^{- 1} \sum_{V_{i} \in VG} Z_{i}), l) \\ = h_{1} (m | | t_{s}, e (Y_{s} + Y_{t}, \sum_{V_{i} \in VG} x_{v_{i}} h_{2} (m | | t_{s}, W')), l) \\ = h_{1} (m | | t_{s}, e (Y, (x_{s} + x_{t}) h_{2} (m | | t_{s}, W')), l) \\ = h_{1} (m | | t_{s}, e (Y, (x_{s} + x_{t}) h_{2} (m | | t_{s}, r^{- 1} \sum_{V_{i} \in VG} {K_{i}}^{''})), l) \\ = h_{1} (m | | t_{s}, e (Y, (x_{s} + x_{t}) h_{2} (m | | t_{s}, r^{- 1} \sum_{V_{i} \in VG} x_{v_{i}} R ″)), l) \\ = h_{1} (m | | t_{s}, e (Y, (x_{s} + x_{t}) h_{2} (m | | t_{s}, zY)), l) \\ = h_{1} (m | | t_{s}, e (Y, (x_{s} + x_{t}) h_{2} (m | | t_{s}, W)), l) \\ = h_{1} (m | | t_{s}, {N_{t}}^{'}, l) \\ = σ_{t} \end{matrix}

Likewise, in the TS algorithm, equations (16) and (17) for generating a valid signature σ_t″ would be replaced by

N ″ = e (Y_{s} + Y_{t}, f^{- 1} \sum_{V_{i} \in VG} {Z_{i}}^{'})

(22)

{σ_{t}}^{''} = h_{1} (m | | {t_{s}}^{'}, {N_{t}}^{''}, l ″)

(23)

Then, the derived transcript δ″ = (l″, σ_t″) would be a valid time-constrained SMDVS in relation to the message m || t_s′.

Proof of security and performance analysis

This article proves that the proposed substantial formations fulfill essential security characteristics in this section. We will provide the security model for the proposed system and then prove its security in the following sections.

Let us first consider the following potential attacks against the proposed schemes:

Joint attacks from revoked fog nodes: if two or more revoked fog nodes cooperatively inject bogus data to fool cloud servers, it will be detected as the revoked information of their time-constrained public keys has been revealed in the revocation list of KAS. Thus, any SMDVS created by revoked fog nodes would be treated as illegal and those transmitted messages will be directly dropped by cloud servers.

Replay attacks: to prevent the replay attacks, we add a timestamp into the signature. Whenever an SMDVS is received, each cloud server will first check the freshness of received timestamps. If an adversary attempts to modify the embedded timestamp of any intercepted SMDVS, he or she will face the intractability of ECDLP and one-way hash functions and fail to make it.

Collusion attacks: consider the collusion attacks plotted by two or more malicious cloud servers. According to the proposed SMDVS-Verify algorithm, it requires the knowledge of all private keys of the group VG to inspect the validity of an SMDVS. Therefore, even if there are n − 1 cloud servers colluding with each other, they cannot successfully derive the correct value W = zY to verify a given SMDVS.

Backward security attacks: in the proposed time-constrained SMDVS scheme, a fog node will use its private key and a time key to produce a valid signature. Even if the current time private key x_t is compromised by an adversary, he or she still cannot forge any valid SMDVS without knowing the private key x_s. Hence, the backward secrecy is fulfilled in the proposed scheme.

Security model

The most important security requirement of a generic digital signature scheme is unforgeability. A commonly used security notion for unforgeability is EUF-CMAs. We adapt its definition for SMDVS schemes as follows:

Definition 1

In the security proof model of random oracles, an SMDVS scheme is said to be EUF-CMA secure if no probabilistic adversary A running in polynomial-time has the non-negligible advantage to defeat a challenger B in the following interactive game:

Setup: initially, B generates system parameters and sends public parameters to the adversary A.

Hash oracles: A could adaptively request B for the output of submitted hash oracles.

SMDVS-Gen oracles: A could adaptively request B for the output of SDMVS-Gen oracles on arbitrarily chosen messages.

SMDVS-Verify oracles: A could adaptively request B for the output of SMDVS-Verify oracles on any message m with an SMDVS δ. The return value would be a bit “0” if δ is an invalid SMDVS for m; else, a bit “1” is responded instead.

Forgery: at last, the adversary A chooses an arbitrary message m^* and then returns a forged signature δ^* = (l^*, σ^*). We say that the adversary A is the winner of this game as long as the following conditions hold:

The outputted δ^* is a valid SMDVS in relation to the message m^*.

The SMDVS δ^* is not acquired from any SMDVS-Gen oracle.

As to an SMDVS scheme, the properties of signer ambiguity and non-transferability should also be taken into account. We describe these definitions as follows.

Definition 2

In the security proof model of random oracles, an SMDVS scheme is said to fulfill the security requirement of SSA if no probabilistic SSA-distinguisher D₁ against the proposed scheme has the non-negligible advantage to defeat a DDH-distinguisher D₂ in the following interactive game:

Setup: initially, D₂ generates system parameters and sends public parameters along with a signing private key x_s to the distinguisher D₁.

Hash oracles: D₁ could adaptively request D₂ for the output of submitted hash oracles.

Challenge: at last, D₂ flips an internal coin to decide a random bit b. If b = 1, D₂ generate a message-signature pair (m || t_s, δ = (l, σ_t)) using the signing private key x_s. Otherwise, a random message-signature pair is created instead. The generated message-signature pair is the challenge for D₁ who has to guess a bit b′. When b′ = b, we say that D₁ wins this game.

Definition 3

In the security proof model of random oracles, an SMDVS scheme is said to fulfill the security requirement of unconditional non-transferability if no probabilistic distinguisher D against the proposed scheme has the non-negligible advantage to win the following game played with a challenger C:

Setup: initially, the challenger C generates system parameters and two signatures (δ, δ″) for the message m || t_s. δ is computed by running the SMDVS-Gen algorithm while δ″ is derived by executing the TS algorithm. Then, C sends public parameters, the message m || t_s and two signatures (δ, δ″) to the distinguisher D.

Hash oracles: D could adaptively request C for the output of submitted hash oracles.

Challenge: at last, C flips an internal coin to decide a random bit b. If b = 1, C generate a signature δ^* = (l^*, σ_t^*) using the SMDVS-Gen algorithm. Otherwise, C employs the TS algorithm to create δ^*. The generated signature δ^* = (l^*, σ_t^*) is the challenge for D who has to guess a bit b′. When b′ = b, we say that D wins this game.

There is an extra security requirement called non-delegatability which describes that neither a signer nor a designated verifier could delegate his or her signing power to anyone without revealing his or her own private key information. According to the literature of Tian et al.,⁴¹ a non-delegatable DVS scheme emphasizes the responsibility of a signer and hence is only desired in some special application scenarios. We will show that the proposed schemes are non-delegatable later.

Security proof

Theorem 1

In the security proof model of random oracles, the designed substantial formation of our basic SMDVS is said to be EUF-CMA secure if no probabilistic adversary A running in polynomial-time t has the non-negligible advantage ε to break the assumption of (t′, ε′)-ECDL under the attacking scenario of adaptive chosen-message attacks, where

\begin{matrix} ε' \geq \frac{10 (q_{sg} + 1) (q_{sg} + q_{f})}{2^{k}} \\ t' \leq \frac{120, 686 (q_{f}) t}{ε} \end{matrix}

Proof

We employ the technique of Forking lemma to prove this theorem. Assume that a probabilistic adversary A launches adaptive chosen-message attacks against the proposed scheme. If the success probability of A is non-negligible, say ε, within the polynomial-time t, we could exploit its advantage to solve the ECDL assumption by building a new algorithm called B. Let a random instance of ECDLPs be (P, aP) for unknown integers a ∈ Z_q^*, and the successful output of B has to be a. B runs two games with A and is also in charge of answering A’s queries as follows:

Setup: initially, B generates system parameters Ω = { G ₁, G ₂, q, P, e}, chooses $b \in {{}_{R}Z}_{q}^{*}, Y_{v_{1}}, Y_{v_{2}}, Y_{v_{3}}, . . ., Y_{v_{n - 1}} \in {{}_{R}G}_{1}$ and sets $(Y_{s}, Y_{v_{n}}) = {aP, bP - (Y_{v_{1}} + Y_{v_{2}} + . . . Y_{v_{n - 1}})}$ . Then, B sends ${Ω, Y_{s}, Y_{v_{1}}, Y_{v_{2}}, Y_{v_{3}}, \dots, Y_{v_{n}})}$ to the adversary A.

Phase 1: the challenges and responses between A and B are described as follows:

h ₀ oracle: whenever A queries the response of h₀(m || t_s, Y), B searches the stored h₀-table for a consistent value v₀ ∈ _R Z_q^* from the matched record (m || t_s, Y, v₀) and then returns it.

h ₁ oracle: whenever A queries the response of h₁(m || t_s, N, l), B searches the stored h₁-table for a consistent value v₁ ∈ _R Z_q^* from the matched record (m || t_s, N, l, v₁) and then returns it.

h ₂ oracle: whenever A queries the response of h₂(m || t_s, W), B searches the stored h₂-table for a consistent value V₂ from the matched record (m || t_s, W, v₂, V₂), where v₂ ∈ _R Z_q^* and then returns V₂.

SMDVS-Gen oracle: whenever A queries an SMDVS in relation to some message m || t_s, B will choose l, v₀, v₁, v₂ ∈ _RZ_q^* and perform the following steps:

Compute W = b(lP − v₀(aP)) = zY,

Compute N^* = e(bP, v₂(aP)),

Set σ = v₁,

Add (m || t_s, Y, v₀) into h₀-table,

Add (m || t_s, N^*, l, v₁) into h₁-table,

Add (m || t_s, W, v₂, v₂P) into h₂-table

Then. δ = (l, σ) is a simulated SMDVS on m || t_s.

SMDVS-Verify oracle: whenever A queries the validity of an SMDVS δ = (l, σ) for some message m || t_s, B will look the h₁-table for all entries containing this message m || t_s and the signature parameter l. If there is such a record, B will continue to check whether the second value N is equivalent to e(b(aP), h₂(m || t_s, b(lP − h₀(m || t_s, bP)aP))). If it holds, B returns a bit “1.” Otherwise, a bit “0” is returned.

Forgery: at last, the adversary A will choose an arbitrary message m^* || t_s and then return a forged signature δ^* = (l^*, σ^*) which is not an output of any SMDVS-Gen oracle. In the second game, A also has the non-negligible advantage ε to output another SMDVS δ^** = (l^**, σ^**) for m^* || t_s.

Analysis of the simulation: anyone can observe that based on the simulation of h₀ oracle, the challenger B will return the value v₀ in the first game and we have l^* = z + x_sh₀(m || t_s, Y) = z + av₀ mod q. In the second game, B would return a different value, say v₀′, for solving the given instance of ECDLPs. If the adversary A is provided with the same random tape to choose random bits, the forged SMDVS parameter l^* of the second game should be z′ + av₀′ mod q, where z′ = z. Consequently, with these two equations, that is

\begin{matrix} l^{*} = z + a {v_{0}}^{'} \mod q \\ l^{* *} = z + a {v_{0}}^{'} \mod q \end{matrix}

B could solve the ECDLP by computing

a = \frac{(l^{* *} - l^{*})}{({v_{0}}^{'} - v_{0})}

Let q_f and q_sg be the maximum query times of h₀ and SMDVS-Gen oracles, respectively. According to the Forking lemma, the success probability ε′ of B after running two simulation games could be expressed as ε′ ≥ 10(q_sg+1)(q_sg+q_f)/2^k and the expected running time is t′ ≤ 120,686(q_f)t/ε.

Theorem 2

In the security proof model of random oracles, the designed substantial formation of time-constrained SMDVS is said to be EUF-CMA secure if no probabilistic adversary A running in polynomial-time t has the non-negligible advantage ε to break the assumption of (t′, ε′)-ECDL under the attacking scenario of adaptive chosen-message attacks, where

\begin{matrix} ε' \geq \frac{10 (q_{sg} + 1) (q_{sg} + q_{f})}{2^{k}} \\ t' \leq \frac{120, 686 (q_{f}) t}{ε} \end{matrix}

Proof

Assume that a probabilistic adversary A attempts to plot adaptive chosen-message attacks against the proposed scheme. If the success probability of A is non-negligible, say ε, within the polynomial-time t, we are able to make good use of its advantage to solve the ECDL assumption by constructing a new algorithm named B. Given an identical ECDLP instance, that is, (P, aP) for some unknown integers a ∈ Z_q^*, B has to successfully compute a for winning this game. During each query of A, B acts as follows:

Setup: initially, B generates system parameters Ω = { G ₁, G ₂, q, P, e}, chooses $b, d \in {{}_{R}Z}_{q}^{*}, (Y_{v_{1}}, Y_{v_{2}}, Y_{v_{3}}, \dots, Y_{v_{n - 1}})_{R} \in G_{1}^{n - 1}$ and sets $(Y_{s}, Y_{t}, Y_{v_{n}}) = {aP, dP, bP - (Y_{v_{1}} + Y_{v_{2}} + \dots Y_{v_{n - 1}})}$ . Then, B sends ${Ω, Y_{s}, x_{t} = d, Y_{t}, Y_{v_{1}}, Y_{v_{2}}, Y_{v_{3}}, \dots, Y_{v_{n}}}$ to the adversary A. Note that the adversary A is allowed to learn the information of time-constrained private key d.

Phase 1: the challenges and responses between A and B are described as follows:

h ₀ oracle: every time that A submits an h₀(m || t_s, Y) oracle, and B performs the same steps as those defined in Theorem 1.

h ₁ oracle: every time that A submits an h₁(m || t_s, N, l) oracle, and B performs the same steps as those defined in Theorem 1.

h ₂ oracle: every time that A submits an h₂(m || t_s, W) oracle, and B performs the same steps as those defined in Theorem 1.

SMDVS-Gen oracle: every time that A submits an SMDVS-Gen oracle for some message m || t_s, and B executes the O_SMDVS-Gen algorithm as shown in Figure 4.

SMDVS-Verify oracle: every time that A submits an SMDVS-Verify oracle on a time-constrained SMDVS δ = (l, σ_t) for some message m || t_s, and B executes the O_SMDVS-Verify algorithm as shown in Figure 5.

Forgery: finally, the adversary A determines a chosen message m^* || t_s and then forges a time-constrained SMDVS δ^* = (l^*, σ_t^*) that could not be the answer of any SMDVS-Gen oracle. In the second game, A also has the non-negligible advantage ε to output another time-constrained SMDVS δ^** = (l^**, σ_t^**) for m^* || t_s.

Analysis of the simulation: the detailed analyses of this simulation game could be referred to those stated in Theorem 1, because the proposed time-constrained variant and its basic scheme have quite similar structures. Therefore, based on the arguments of Theorem 1, one can realize that the success probability of B to solve the given ECDLP instance could also be expressed as

ε' \geq \frac{10 (q_{sg} + 1) (q_{sg} + q_{f})}{2^{k}}

and the running time of B is t′ ≤ 120,686(q_f)t/ε.

Figure 4.

O_SMDVS-Gen algorithm.

Figure 5.

O_SMDVS-Verify algorithm.

Theorem 3

In a key-compromise attacking scenario where an adversary leans the information of original fog node’s private key, our proposed substantial formations of basic SMDVS scheme and its time-constrained variant still fulfill the security property of SSA.

Proof

We first give a heuristic argument of proofs. Assume there is a malicious adversary who has leaned the information of original fog node’s private key. Given a fresh signature which has not been received by the verifying group, the adversary might try to distinguish the fog node’s identity by checking whether equation (5) or equation (19) holds or not. However, in equation (5) or equation (19), there is a meta value N which could be rewritten as

\begin{matrix} N = e (Y, x_{s} h_{2} (m | | t_{s}, W)) \\ = e (Y, x_{s} h_{2} (m | | t_{s}, zY)) \end{matrix}

It should be noted that without knowing the random integer z chosen by the fog node, no one could derive the parameter N to perform equation (5) or equation (19) successfully. In a more formal approach of proofs, we display that if there is an SSA-distinguisher D₁ against the proposed time-constrained SMDVS variant, we could construct a DDH-distinguisher D₂ to solve a random DDH instance of (P, aP, bP, C). The DDH-distinguisher D₂ will output a bit “1” provided that C = abP; else, a bit “0” is returned instead. Likewise, the SSA-distinguisher D₁ who is given a signing private key x_s and a message-signature pair (m || t_s, δ = (l, σ_t)) would output a bit “1” on condition that the signature δ is produced using the signing private key x_s and is legitimate with respect to the message m || t_s. We exhibit the algorithm of constructed DDH-distinguisher D₂ as Figure 6.

Figure 6.

Algorithm of DDH-distinguisher D₂.

It could be deduced that if D₁ is a (t, ε)-polynomial-time SSA-distinguisher against the proposed time-constrained SMDVS variant, D₂ would be a (t′, ε′)-polynomial-time DDH-distinguisher in which ε = ε′ and t′ ≤ t + 3T_M + T_B, where T_M is the time for running a point multiplication and T_B is the time for running a bilinear map. Hence, the proposed SMDVS schemes achieve a strong notion of the security requirement for signer ambiguity even in the key-compromise attacking scenario.

Theorem 4

Our proposed substantial formation of basic SMDVS scheme fulfills the essential property of unconditional non-transferability.

Proof

Let m || t_s be a given message and (δ, δ″) be two signatures of the proposed basic SMDVS scheme. The former is generated by the fog node U_s while the latter is created by the verifying group VG. According to the algorithm of SMDVS-Gen in section “Construction of a basic scheme,”U_s will first choose a random value z ∈ Z_q^* and then compute a valid SMDVS

\begin{matrix} δ = (l, σ) \\ = (l, h_{1} (m | | t_{s}, e (Y, x_{s} h_{2} (m | | t_{s}, zY)), l)) \end{matrix}

where $Y = \sum_{i = 1}^{n} Y_{v_{i}}$ and l = z + x_sh₀(m || t_s, Y).

However, based on the algorithm of TS in section “Construction of a basic scheme,” a clerk V_c and each cloud server of VG could cooperatively derive a valid SMDVS transcript

\begin{matrix} δ ″ = (l ″, σ ″) \\ = (l ″, h_{1} (m | | t_{s}, e (Y, x_{s} h_{2} (m | | {t_{s}}^{'}, z ″ Y)), l ″)) \end{matrix}

where $Y = \sum_{i = 1}^{n} Y_{v_{i}}$ and l″ ∈ Z_q^*.

It can be seen that the distribution of (δ, δ″) is identical, and thus, they are indistinguishable. Assume that there is a challenger C and a corresponding distinguisher D who tries to distinguish the given signatures (δ, δ″). The challenger C will produce an SMDVS δ^* = (l^*, σ^*) by running the Sim_TS-I algorithm as shown in Figure 7.

Figure 7.

Sim_TS-I algorithm.

From the description of the Sim_TS-I algorithm, we know that

\begin{matrix} \Pr [δ^{*} = δ] = \Pr [z^{*} = z] = \frac{1}{q - 1} \\ \Pr [δ^{*} = δ ″] = \Pr [l^{*} = l ″] = \frac{1}{q - 1} \end{matrix}

That is, the distribution of (δ, δ″) is indistinguishable, and the distinguisher D would be unable to tell them apart.

Theorem 5

Our proposed substantial formation of time-constrained SMDVS variant fulfills the essential property of unconditional non-transferability.

Proof

Let m || t_s be a given message and (δ, δ″) be two signatures of the proposed time-constrained SMDVS variant. δ is computed by the fog node U_s and δ″ is derived by the verifying group VG. Following the algorithm of SMDVS-Gen introduced in section “Construction of a time-constrained variant,”U_s utilizes a random value z ∈ Z_q^* and then computes

\begin{matrix} δ = (l, σ_{t}) \\ = (l, h_{1} (m | | t_{s}, e (Y, (x_{s} + x_{t}) h_{2} (m | | t_{s}, zY)) l)) \end{matrix}

where $Y = \sum_{i = 1}^{n} Y_{v_{i}}$ and l = z + x_sh₀(m || t_s, Y).

However, based on the algorithm of TS introduced in section “Construction of a time-constrained variant,” a clerk V_c and each participated cloud server of VG could jointly derive

\begin{matrix} δ ″ = (l ″, {σ_{t}}^{''}) \\ = (l ″, h_{1} (m | | t_{s}, e (Y, (x_{s} + x_{t}) h_{2} (m | | {t_{s}}^{'}, z ″ Y)) l ″)) \end{matrix}

where $Y = \sum_{i = 1}^{n} Y_{v_{i}}$ and l″ ∈ Z_q^*.

It is obvious that the distribution of δ is the same as that of δ″. Let C be a challenger and D a distinguisher of (δ, δ″). The challenger C will generate an SMDVS δ^* = (l^*, σ_t^*) by executing the Sim_TS-II algorithm as demonstrated in Figure 8.

Figure 8.

Sim_TS-II algorithm.

In accordance with the steps stated in the Sim_TS-II algorithm, we also have

\begin{matrix} \Pr [δ^{*} = δ] = \Pr [z^{*} = z] = \frac{1}{q - 1} \\ \Pr [δ^{*} = δ ″] = \Pr [l^{*} = l ″] = \frac{1}{q - 1} \end{matrix}

Namely, the distribution of these two signatures (δ, δ″) is indistinguishable, and the distinguisher D would be unable to differentiate δ computed by the signer U_s from δ″ derived by the designated verifying group VG.

Theorem 6

The proposed substantial formations of basic SMDVS scheme and its time-constrained variant satisfy the security property of non-delegatability.

Proof

According to the notations utilized in section “The proposed SMDVS schemes,” we first assume that an adversary A is able to lean the shared secret key information, that is, x_sY between the fog node and the verifying group VG. Based on the basic assumption of ECDL, we know that it is computationally infeasible for A to derive the private key information x_s from the value x_sY. Next, let us consider the following cases of attacking scenarios:

Case 1: A tries to compute a valid SMDVS δ which is either (l, σ) or (l, σ_t). Without knowing the private key x_s, the first approach of A is to choose a random integer l. In this way, however, it would be difficult for him to derive a valid value W satisfying that W = zY, since A does not knowing the corresponding random number z.

Case 2: the second approach of A to forge a valid SMDVS δ = (l, σ) or (l, σ_t) is to choose an integer z first and then attempts to derive a valid N using the shared secret key x_sY. Nevertheless, A does not have the real private key x_s to compute a valid value l. Consequently, the forged signature δ will be detected during the signature verification process.

Case 3: if A tries to verify a given SMDVS δ = (l, σ) or (l, σ_t) with the shared secret key x_sY, the adversary also faces the difficulty in deriving the correct value W′ = zY without knowing either all the private keys of the verifying group VG or the random number z chosen by the signer U_s.

Due to the above analyses, this article claims that the security property of non-delegatability is fulfilled in the proposed SMDVS schemes.

Efficiency analysis

To perform an efficiency analysis on the proposed substantial formations of SMDVS framework, we consider the length of signature along with the computational complexity of every joined party. Some used symbols are first defined as follows. The approximate running time of each computation is estimated according to the experimental setting of Han et al.³¹ which defines the Tate pairing over the super singular elliptic curve E: y² = x³ + x mod p with embedding degree 2 and uses a platform of Windows 10 with Intel Core i5-4210H 2.90 GHz CPU with 4.0 GB RAM:

|x|: bit length of x;

T₁: execution time of a bilinear pairing function (≈53 ms);

T₂: execution time of an elliptic curve cryptography (ECC)–based point multiplication in the group G ₁ (≈23 ms);

T₃: execution time of a pairing-based exponentiation (≈37 ms);

T₄: execution time of a one-way hash function (≈1.4 ms).

We compare the proposed formations with previous related (S)MDVS schemes including Chow,³⁷ Laguillaumie and Vergnaud,³⁸ Tian,³⁹ and RDBS.¹⁸ Detailed analyses are demonstrated in Tables 2 and 3. It is evident that the length of signature among the proposed, Tian and RDBS schemes are fixed while that of the other two is variable depending on the group size. As to the security proof model, almost all compared mechanisms provide concrete security proofs in either random oracle or standard models except for Chow’s scheme whose computational assumption is also unknown. Although RDBS scheme could be proved secure in the standard model, each verifier of their system has to verify the shares of all joined parties, which will inevitably result in extra computation efforts.

Table 2.

Comparisons of functionality and security among our SMDVS and previous constructions.

	Type	Signature length	Security model	Security assumption
Chow	SMDVS	(n + 4)\| G ₁\|	NA	Unknown
LV	SMDVS	(n + 2)\| G ₁\|	ROM	CDH
Tian	SMDVS	(n + 3)\| G ₁\| + 2\|Z_q*\|	ROM	DDH
RDBS	(t, n)-MDVS	\| G ₁\| + \| G ₂\|	Standard	GBDH
Ours-I	SMDVS	2\|Z_q*\|	ROM	ECDL and DDH
Ours-II	Time-constrained SMDVS	2\|Z_q*\|	ROM	ECDL and DDH

SMDVS: strong multi-designated verifier signature; DDH: decisional Diffie–Hellman; ECDL: elliptic curve discrete logarithm; ROM: random oracle model; GBDH: gap bilinear Diffie-Hellman; CDH: computational Diffie-Hellman.

Table 3.

Comparisons of computational costs among our SMDVS and previous constructions.

	Cost of signer	Cost of each verifier
Chow	T₁ + (n + 5)T₂ + (2n + 3)T₄	4 T₁ + 2T₂ + (n + 3)T₄
LV	(n + 4)T₂ + T₄	(2n + 1)T₁ + T₂ + T₄
Tian	(n + 6)T₂ + 2T₄	2 T₁ + 3T₂ + 3T₄
RDBS	T₁ + 3T₂	(2t)T₁ + (t + 1)T₃
Ours-I	T₁ + 2T₂ + 3T₄	2T₂
Ours-II	T₁ + 2T₂ + 3T₄	2T₂

SMDVS: strong multi-designated verifier signature.

We summarize the approximate running time of the signer and each verifier among these systems in Figures 9 and 10. Note that since RDBS scheme is a (t, n)-MDVS, we simply let t = n for easily facilitating the estimation. As illustrated in these figures, when the group size n is set to be 10, the estimated computation time of the signer in the proposed basic or time-constrained SMDVS scheme is 103.2 ms while that of each verifier in the proposed basic or time-constrained variant is 46 ms. Nevertheless, a clerk of the verifying group has to spend additional 172.2 ms for assisting the verification procedure.

Figure 9.

Approximate computation time of the signer in different schemes.

Figure 10.

Approximate computation time of each verifier in different schemes.

To further ensure the practical feasibility of our proposed schemes, we could use a Raspberry Pi Model B device to serve as a fog node. Some research works^42,43 also adopted these tiny embedded devices in many IoT applications like motion detection and home automation. A Raspberry Pi Model B is equipped with a Quad-core ARM Cortex-A7 CPU of 900 MHz and has 512 MB memory. According to the simulation of Ting et al.,⁴⁴ it would take approximately 34 and 46 ms to carry out a 160-bit point multiplication and bilinear pairing, respectively, on a Raspberry Pi Model B machine. That is, if such a device implements the proposed schemes, it will spend about 114 ms to generate a valid SMDVS in our basic or time-constrained schemes. We believe that the above estimated running time is within an acceptable time period in most IoT-based application scenarios.

Conclusion

For facilitating the security applications in IoT-based collaborative fog computing systems, this article came up with two new non-delegatable SMDVS schemes based on bilinear pairings. The first basic scheme is a conventional SMDVS which allows all designated cloud servers to cooperatively verify a signature generated by a fog node. We show that a time-constrained SMDVS variant could be easily extended from our basic construction. Both of the proposed schemes are formally proved EUF-CMA secure in the random oracle model as long as the hardness assumption of ECDL holds. In addition, the crucial requirement of SSA for our mechanisms is satisfied based on the DDH assumption. When compared with previous approaches, ours also have lower computational complexity, which helps with an effective implementation in IoT-based collaborative fog computing environments.

The future work of this research will focus on a dynamic verification group, that is, the number of cloud servers involved in the verification group is changeable and a threshold value of verifiers is sufficient to represent the entire group. Furthermore, a concrete construction of time-constrained SMDVS scheme combined with certificateless public key systems would bring more practical benefits.

Footnotes

Handling Editor: Yanjiao Chen

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported, in part, by the Ministry of Science and Technology of Republic of China under the contract number MOST 109-2221-E-019-052.

ORCID iD

Han-Yu Lin

References

Huang

Yang

Rossi

, et al. Towards a unified architecture of cloud service delivery platform. In: Proceedings of the 2012 IEEE 2nd international conference on cloud computing and intelligence systems (CCIS’2012), Hangzhou, China, 30 October–1 November 2012, vol. 1, pp.360–364. New York: IEEE.

Dong

Ota

, et al. Fog-computing-enabled cognitive network function virtualization for an information-centric future Internet. IEEE Commun Mag 2019; 57(7): 48–54.

Agarwala

Saravanan

. A public key cryptosystem based on number theory. In: Proceedings of the 2012 international conference on recent advances in computing and software systems, Chennai, India, 25–27 April 2012, pp.238–241. New York: IEEE.

Liu

Hao

, et al. Two efficient variants of the RSA cryptosystem. In: Proceedings of the 2010 international conference on computer design and applications (ICCDA’2010), Qinhuangdao, China, 25–27 June 2010, vol. 5, pp.550–553. New York: IEEE.

Singh

Chatterjee

SecEVS: secure electronic voting system using blockchain technology. In: Proceedings of the 2018 international conference on computing, power and communication technologies (GUCON), Greater Noida, India, 28–29 September 2018, pp.863–867. New York: IEEE.

Haiyan

Chang

. Study and implementation of the electronic voting plan on blind signature. In: Proceedings of the 2011 international conference on mechatronic science, electric engineering and computer (MEC), Jilin, China, 19–22 August 2011, pp.876–879. New York: IEEE.

Chaum

Van Antwerpen

Undeniable signatures. In: Brassard

(ed.) Advances in cryptology—CRYPTO’90. New York: Springer-Verlag, 1990, pp.212–216.

Jakobsson

Sako

Impagliazzo

Designated verifier proofs and their applications. In: Maurer

(ed.) Advances in cryptology—EUROCRYPT’96. Berlin; Heidelberg: Springer-Verlag, 1996, pp.143–154.

Wang

An attack on not-interactive designated verifier proofs for undeniable signatures. Cryptology ePrint archive, 2003, http://eprint.iacr.org/2003/243

10.

Saeednia

Kremer

Markowitch

An efficient strong designated verifier signature scheme. In: Proceedings of the 6th international conference on information security and cryptology (ICISC’2003), Seoul, Korea, 27–28 November 2003, pp.40–54. Berlin; Heidelberg: Springer-Verlag.

11.

Susilo

Zhang

Identity-based strong designated verifier signature schemes. In: Proceedings of the 9th Australasian conference on information security and privacy (ACISP’2004; Lecture notes in computer science (LNCS), vol. 3108), Sydney, NSW, Australia, 13–15 July 2004, pp.313–324. Berlin; Heidelberg: Springer-Verlag.

12.

Lee

Chang

JH.

Strong designated verifier signature scheme with message recovery. In: Proceedings of the 9th international conference on advanced communication technology, Gangwon, Korea, 12–14 February 2007, vol. 1, pp.801–803. New York: IEEE.

13.

Kang

Boyd

Dawson

A novel identity-based strong designated verifier signature scheme. J Syst Software 2009; 82(2): 270–273.

14.

Lin

Yeh

YS.

A DL based short strong designated verifier signature scheme with low computation. J Inf Sci Eng 2011; 27(2): 451–463.

15.

Tian

. A new strong multiple designated verifiers signature for broadcast propagation. In: Proceedings of the 2011 3rd international conference on intelligent networking and collaborative systems, Fukuoka, Japan, 30 November–2 December 2011, pp.268–274. New York: IEEE.

16.

Zhang

Yang

, et al. (Strong) multi-designated verifiers signatures secure against rogue key attack. In: Proceedings of the international conference on network and system security (NSS’2012), Fujian, China, 21–23 November 2012, pp.334–347. Berlin; Heidelberg: Springer-Verlag.

17.

Wang

, et al. An undeniable strong DSVS scheme with no bilinear pairings. In: Proceedings of the 2016 9th international congress on image and signal processing, biomedical engineering and informatics (CISP-BMEI), Datong, China, 15–17 October 2016, pp.1944–1948. New York: IEEE.

18.

Rastegari

Dakhilalian

Berenjkoub

, et al. Multi-designated verifiers signature schemes with threshold verifiability: generic pattern and a concrete scheme in the standard model. IET Inform Secur 2019; 13(5): 459–468.

19.

Tian

. General certificateless strong designated verifier signature schemes. In: Proceedings of the 2013 5th international conference on intelligent networking and collaborative systems, Xi’an, China, 9–11 September 2013, pp.392–397. New York: IEEE.

20.

Tang

Lin

, et al. Identity-based strong designated verifier signature scheme with full non-delegatability. In: Proceedings of the 2011 IEEE 10th international conference on trust, security and privacy in computing and communications, Changsha, China, 16–18 November 2011, pp.800–805. New York: IEEE.

21.

Yang

Sun

, et al. A strong designated verifier signature scheme with secure disavowability. In: Proceedings of the 4th international conference on intelligent networking and collaborative systems (INCOS’12), Bucharest, 19–21 September 2012, pp.286–291. New York: IEEE.

22.

Fang

Provably secure and efficient ID-based strong designated verifier signature scheme with message recovery. In: Proceedings of the 2014 17th international conference on network-based information systems, Salerno, 10–12 September 2014, pp.287–293. New York: IEEE.

23.

Lin

HY.

A new certificateless strong designated verifier signature scheme: non-delegatable and SSA-KCA secure. IEEE Access 2018; 6: 50765–50775.

24.

Hsu

Lin

HY.

Universal forgery attack on a strong designated verifier signature scheme. Int Arab J Inf Techn 2014; 11(5): 425–428.

25.

Lin

HY.

Toward secure strong designated verifier signature scheme from identity-based system. Int Arab J Inf Techn 2014; 11(4): 315–321.

26.

Lin

HY.

Secure universal designated verifier signature and its variant for privacy protection. Inf Technol Control 2013; 42(3): 268–276.

27.

Islam

SKH

Biswas

. Provably secure certificateless strong designated verifier signature scheme based on elliptic curve bilinear pairings. J King Saud Univ: Comput Inform Sci 2013; 25(1): 51–61.

28.

Chen

An efficient certificateless designated verifier signature scheme. Int Arab J Inf Techn 2013; 10(4): 389–396.

29.

Chen

Zhao

Xiong

, et al. A certificateless strong designated verifier signature scheme with non-delegatability. Int J Netw Secur 2017; 19(4): 573–582.

30.

Gong

Xue

Constructing strong designated verifier signatures from key encapsulation mechanisms. In: Proceedings of the 2019 18th IEEE international conference on trust, security and privacy in computing and communications; 13th IEEE international conference on big data science and engineering (TrustCom/BigDataSE), Rotorua, New Zealand, 5–8 August 2019, pp.586–593. New York: IEEE.

31.

Han

Xie

Yang

, et al. A certificateless verifiable strong designated verifier signature scheme. IEEE Access 2019; 7: 126391–126408.

32.

Beheshti-Atashgah

Aref

Bayat

, et al. ID-based strong designated verifier signature scheme and its applications in Internet of things. In: Proceedings of the 2019 27th Iranian conference on electrical engineering (ICEE), Yazd, Iran, 30 April–2 May 2019, pp.1486–1491. New York: IEEE.

33.

Cai

Jiang

Zhang

, et al. An efficient strong designated verifier signature based on R−SIS assumption. IEEE Access 2019; 7: 3938–3947.

34.

Liu

Zhang

, et al. Efficient strong designated verifier proxy signature scheme with low cost. In: Proceedings of the 2015 17th international conference on advanced communication technology (ICACT), Pyeongchang, South Korea, 1–3 July 2015, pp.568–572. New York: IEEE.

35.

Huo

Yang

, et al. Highly efficient strong designated verifier signature schemes in the standard model. In: Proceedings of the 2014 IEEE 7th joint international information technology and artificial intelligence conference, Chongqing, China, 20–21 December 2014, pp.316–320. New York: IEEE.

36.

Tao

Yue

. Research of attack on short designated verifier signature and its new construction. In: Proceedings of the 2015 12th international computer conference on wavelet active media technology and information processing (ICCWAMTIP), Chengdu, China, 18–20 December 2015, pp.90–93. New York: IEEE.

37.

Chow

. Identity-based strong multi-designated verifiers signatures. In: Proceedings of the European public key infrastructure workshop, Turin, 19–20 June 2006, pp.257–259. New York: IEEE.

38.

Laguillaumie

Vergnaud

Multi-designated verifiers signatures: anonymity without encryption. Inform Process Lett 2007; 102(2–3): 127–132.

39.

Tian

A new strong multiple designated verifiers signature. Int J Grid Utility Comput 2012; 3(1): 1–11.

40.

Wen

Zhang

A provably-secure outsourced revocable certificateless signature scheme without bilinear pairings. IEEE Access 2018; 6: 73846–73855.

41.

Tian

Jiang

Liu

, et al. A non-delegatable strong designated verifier signature without random oracles. In: Proceedings of the 4th international conference on intelligent networking and collaborative systems (INCOS), Bucharest, 19–21 September 2012, pp.237–244. New York: IEEE.

42.

Ansari

Sedky

Sharma

, et al. An Internet of Things approach for motion detection using Raspberry Pi. In: Proceedings of the 2015 international conference on intelligent computing and Internet of Things, Harbin, China, 17–18 January 2015, pp.131–134. New York: IEEE.

43.

Vujović

Maksimović

Raspberry Pi as a Sensor Web node for home automation. Comput Electr Eng 2015; 44: 153–171.

44.

Ting

Tsai

TS.

Signcryption method suitable for low-power IoT devices in a wireless sensor network. IEEE Syst J 2018; 12(3): 2385–2394.

Time-constrained strong multi-designated verifier signature suitable for Internet of things–based collaborative fog computing systems

Abstract

Keywords

Introduction

Related works

Motivations and objectives

Contributions

Preliminaries

Bilinear pairings

Computational assumptions

Elliptic curve discrete logarithm problem

ECDL assumption

Decisional Diffie–Hellman problem

DDH assumption

The proposed SMDVS schemes

Joined entities

Algorithms

Construction of a basic scheme

Construction of a time-constrained variant

Proof of security and performance analysis

Security model

Definition 1

Definition 2

Definition 3

Security proof

Theorem 1

Proof

Theorem 2

Proof

Theorem 3

Proof

Theorem 4

Proof

Theorem 5

Proof

Theorem 6

Proof

Efficiency analysis

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References