A Practical and Efficient Node Blind SignCryption Scheme for the IoT Device Network

Abstract

In recent years, Internet of Things (IoT for short) research has become one of the top ten most popular research topics. IoT devices also embed many sensing chips for detecting physical signals from the outside environment. In the wireless sensing network (WSN for short), a human can wear several IoT devices around her/his body such as a smart watch, smart band, smart glasses, etc. These IoT devices can collect analog environment data around the user’s body and store these data into memory after data processing. Thus far, we have discovered that some IoT devices have resource limitations such as power shortages or insufficient memory for data computation and preservation. An IoT device such as a smart band attempts to upload a user’s body information to the cloud server by adopting the public-key crypto-system to generate the corresponding cipher-text and related signature for concrete data security; in this situation, the computation time increases linearly and the device can run out of memory, which is inconvenient for users. For this reason, we consider that, if the smart IoT device can perform encryption and signature simultaneously, it can save significant resources for the execution of other applications. As a result, our approach is to design an efficient, practical, and lightweight, blind sign-cryption (SC for short) scheme for IoT device usage. Not only can our methodology offer the sensed data privacy protection efficiently, but it is also fit for the above application scenario with limited resource conditions such as battery shortage or less memory space in the IoT device network.

1. Introduction

In recent years, Internet of Things(IoT for short) devices has widely applied in our daily life. From the life of human beings to industry 4.0, there are many common machines composed of several IoT devices such as the air conditioner, electronic vehicle, mobile phone, etc. These devices can collect physical signal data and transfer these data to a powerful gateway device of the IoT network through the Internet in a digital manner. When the gateway has received the sensed data from a sender node, it preserves these records in a database or cloud storage service. However, such IoT devices have limitations compared with a general gateway server, such as fewer memory space or limited computing power. This situation usually occurs in the communications between nodes of wireless sensing network(WSN for short) and IoT networks. Once an IoT device has collected physical data from a human body, it then must forward these data to the powerful gateway that can preserve the final result data into a database and perform other cryptography operations. From the above scenario, we discover that, if any IoT devices attempt to perform a heavy encryption/decryption computation such as modular exponentiation over a large prime number in a public key algorithm, then they must perform a signature operation later for concrete security protection and authentication on these sensed data. This will lead to fast power consumption and free-memory usage of these nodes.

To solve the above situation, we adopt the sign-cryption approach to let a sensing node perform the lightweight sign-cryption operation and generate the final cipher-text with its own signature simultaneously on the powerful server side. When the gateway server has received this cipher-text from a sensor node, it can decrypt this cipher-text first, then perform the validation of this plain-text with the inside signature’s help for data authentication.

We consider the following situation of an IoT device called $D{S}_i$ that attempts to transfer sensed data to a receiver called $\mathcal{R}$, where $i=1\sim l$ and l is the total number of all the sensor nodes. To keep the data confidential, $D{S}_i$ must encrypt its own data first. At this time, it can adopt an efficient encryption/decryption method to generate a cipher-text. Then, $D{S}_i$ can forward this cipher-text to a powerful base station ($BS$ for short), which it equips with more computing power than all the sensor nodes in the same IoT network. However, $D{S}_i$ must also consider its own memory limitation and remaining computing power to perform such encrypting/decryption computation in sequence. The node $D{S}_i$ may not be able to perform the signature computation after it has generated encryption if the remaining power is not enough to perform signature generation in this time; thus, it must transfer the heavy computation to a powerful node such as the base station $BS$.

Due to the mentioned situations, we concluded that, if there exists an efficient method allowing IoT devices to perform encryption and signature operations on the sensed data in one operation, it could save more computing time and energy, which can then be used for other computations. In the recent literature, sign-cryption was discussed in [1,2,3,4]. The authors claimed that the sender can transfer the data only to perform one sign-cryption time, and it can output a cipher-text with a guaranteed signature within. Then, the receiver can decrypt the received cipher-text with a secret random number inside the corresponding signature. When the signature is verified by the receiver successfully, the receiver can obtain the random secret value by applying its own secret key. Finally, the receiver $\mathcal{R}$ can obtain the final data by inputting this secret random number to decrypt the cipher-text. Unfortunately, their computation efficiency are not practical to fit above situation for IoT device network. There are some research limitations in our proposed scheme. One is that the sender device $\mathcal{S}$ is already authenticated with the receiver $\mathcal{R}$; they both inherently trust each other within the same IoT network environment. The authentication mechanism is beyond the scope of this research. Another limitation is that IoT device management is also beyond our research. We can adopt other proposed authentication mechanisms [5,6,7,8,9,10] for devices to authenticate with each other in an IoT device network and also construct an IoT devices group with other devices. Our scheme focuses on the efficient signature and encryption scheme for these power limitation IoT devices such as the Zigbee chips or IoT sensor devices embedding less memory.

To provide a mechanism to generate a signature and a cipher-text for IoT devices simultaneously, we propose an efficient and practical, fair sign-cryption scheme based on quadratic residue (QR for short) for the IoT device network. Not only does it offer an efficient and practical solution to IoT devices, but it also reduces the signature and cipher-text generation cost in our methodology. We also offer the formal security proof on our proposed scheme in the Appendix A and evaluate the efficiency of our mechanism in this research.

2. Related Work and Security Definitions

Related Work

In this section, we discuss the related research proposed in [1,2,3,4]. In [1], the authors propose a $\mathcal{CPAS}$ scheme for the vehicular sensor network and assume that there exists two TAs, where one is a tracing Authority (TRA for short) and the other is a public key generation center (PKG for short) for tracing the identity and key pairs of all vehicles, respectively. The TRA can produce a pseudo-ID for all vehicles after it has verified the real identity from them. The PKG also can generate the key-pairs for these vehicles. If there is a dispute in the protocol, the TRA can determine the real identity of the pseudo-ID key-pair through the help of the PKG. At this time, each vehicle does not show its real identity through the above scheme’s methodology. On the other hand, we can discover that the total efficiency computation of this scheme is $3Pa+1SM$ for signature verification operation and $3Pa+(n+1)SM$ for n signatures batch verification, where $Pa$ is a pairing operation and $SM$ is a symmetric encrypting operation. We consider that the pairing operation is demanding for comparing our scheme with others in

Table 1. Performance comparison.

	Sign-Cryption	Unsign-Cryption	Totally	Approx.
[1]	2$Mu$ + 1$Pa$	3$Pa$ + 1$Ad$ + 1⊕	4$Pa$ + 2$Mu$ + 1$Ad$ + 1⊕	327$Mu$ + 1⊕
[2]	4$Mu$ + 1$Ex$ + 2$Ha$ + 1⊕	1$Ex$ + 2$Pa$ + 2$Mu$ + 2$Ha$	2$Ex$ + 2$Pa$ + 6$Mu$ + 4$Ha$ + 1⊕	647$Mu$ + 1⊕
[3]	4$Ha$ + 1$Ex$ + 2⊕	3$Ha$ + 1$Pa$ + 2⊕	1$Ex$ + 1$Pa$ + 7$Ha$ + 4⊕	322.8$Mu$ + 4⊕
[4]	1$Ex$ + 2$Mu$ + 2$Ha$ + 1⊕	2$Pa$ + 3$Ha$ + 1$Ad$ +	1$Ex$ + 2$Pa$+ 2$Mu$ + 1$Ad$ + 5$Ha$ + 1⊕	409$Mu$ + 1⊕
Ours	4$Ha$ + 29 $Mu$ + 1⊕ + 1$SE$	1$SD$ + 2$Ha$ + 1⊕	33$Mu$ + 1$SE$ + 1$SD$ + 6$Ha$ + 2⊕	36.2$Mu$ + 2⊕

Ex—Modular exponentiation, Ad—Addition operation, Mu—Modular multiplication, $SE$—Symmetric Encryption operation, Ha—Hash operation, $SD$—Symmetric Decryption operation, Pa—Pairing operation, ⊕—XOR bit operation.

for Internet of Things (IoT for short) devices. From the efficiency comparison in Table 1, we can see that our approach is much more efficient than [1]. In [2], we observed that authors also claim their scheme is more efficient than those in other articles [3,4]. However, this paper [2] is still slower than our proposed approach in Table 1.

On one hand, from the data authentication aspect, the gateway is unaware of what the sensor node’s data are in our approach. The sensor node will blind the forward data first before sending these data to the gateway. On the other hand, the gateway also provides its own random parameters during the signature generation of the offline-sign-cryption phase. This means that each signature is generated by the gateway’s signing parameters and the sensor node’s parameters after the above offline-sign-cryption and online-sign-cryption phases. Meanwhile, our approach can guarantee the situation where the signer cannot fully control the signature generation and provide the unlinkability to the signature. In [3], the authors provide an efficient sign-cryption methodology between the traditional public key crypto-system to the identity-based crypto-system and vice versa. This can be applied in the multireceiver construction for the IoT device network and provides a general prototype for this crypto-system transformation. We think that this idea is effective and suitable for the IoT device to transfer sensing data to another crypto-system construction. However, the sensing node still requires great computation effort on the paring operation and can cause a performance bottleneck on these sensor nodes. We also see in [3] that its computation cost is about 3 $Pa$, where $Pa$ is a pairing operation on a large prime number q. Finally, in [4], the authors claim their approach is only about 4 $Mu$ + 2 $Pa$, where $Mu$ is the modular multiplication and $Pa$ is the paring operation. After converting to the final computation approximately, we discover that this scheme still costs 409 $Mu$ more than ours in Table 1. In this approach, our contribution is to construct an efficient methodology that can generate a signature and encryption based on the QR at the same time and also preserve a concrete security proof on well-known hard problems such as the RSA factoring problem [11].

3. The Proposed Scheme

The following is our proposed scheme, which contains four phases: the initial phase, blinding phase, offline-sign-cryption phase, and the unsign-cryption phase.

3.1. Preliminary

In this subsection, we provide some definitions used in our proposed scheme as follows:

• n: A large prime number, which it computes from two large primes $p_1$ and $p_2$ such that $n=p_1·p_2$, where $p_1\equiv p_2\equiv 3(mod4)$.
• l: The total number of all Internet of Things (IoT for short) nodes.
• $\widehat{n}$: A large prime number, which it computes from two large prime $p_3$ and $p_4$ such that $\widehat{n}=p_3·p_4$, where $p_3\equiv p_4\equiv 3(mod4)$.
• $D{S}_i$: An IoT data sender, which is a sensor node that forwards collected data to the receiver R, where $i=1\sim l$ and l is the number of all sensor nodes.
• $BS$: A base station, which helps to collect data sent from a sensor node $D{S}_i$, where $i=1\sim l$.
• R: An IoT data receiver, which receives data from the sender $D{S}_i$.
• ⊕: An exclusive-or operation for symmetric encryption/decryption usage.
• $H_1$, $H_2$: Two secure hash functions that each of them maps $Z_n^{*}\to {\{0,1\}}^n$ with collision-resistance and outputs the same n-bits hash strings.
• $E_{p{k}_j}$: A symmetric key encryption function for the party j with the public key $p{k}_j$, where $j\in \{D{S}_j,R\}$, where $j=1\sim l$.
• $D_{s{k}_j}$: A symmetric key decryption function for the party j with the private key $s{k}_j$, where $j\in \{D{S}_j,R\}$, where $j=1\sim l$.

3.2. Initial Phase

In this phase, an IoT node $D{S}_l$ acts as a data sender; it first selects two large, distinct primes, where one is $p_1$ and the other is $p_2$ such that $n=p_1·p_2$, where $l=1\sim l$ and l are totally node numbers. $D{S}_i$ also publishes this n and we could know that given a QR in $Z_n^{*}$; there are four different square roots (or 2 roots) of the QR in $Z_n^{*}$. From this property, we could derive the $2^i$th roots of the QR in $Z_n^{*}$, where i must be larger than 1 in $Z_n^{*}$. On one hand, we assume that there exists a powerful base station as a signer $BS$, which also selects two large primes, where one is $p_3$ and the other is $p_4$ in the same IoT network environment. It also computes $\widehat{n}=p_3·p_4$ and sets up to let $n<\widehat{n}$. Then, it publishes $\widehat{n}$ and its prefix string $\mathsf{\Omega }$. In the following, we take Fan and Lei’s Scheme [12] as our reference. Nevertheless, the data receiver (R for short) sets up its own private/public key pair as ($s{k}_R$, $p{k}_R$). When the set-up is finished, it publishes its own public key to the IoT network.

• First, a node $D{S}_i$ randomly chooses its own QR numbers ($z_1$, $z_2$, $z_3$) from $Z_n^{*}$ similar with $y_1$, $y_2$ and $y_3$, where each of them is computed from $y_i=(z_i^{2}modn)$ and $i=1\sim 3$, respectively. Then, base station $BS$ also selects two random QR numbers $\alpha$ and $\beta$ such that they allow $({\beta }^2/{\alpha }^{2}modn)$ to belong to QR in $Z_n^{*}$. $D{S}_i$ also publishes (n, $y_1$, $y_2$, $y_3$) to the signer $BS$. Once the signer $BS$ has received them from $D{S}_i$, $D{S}_i$ computes $\gamma =({\kappa }^{2}mod\widehat{n})$ with a random number $\kappa$ and the identifier $\widehat{z}=H_1\left(z\right)mod\widehat{n}$ with an identifier number z. After setting up these random numbers, $BS$ forwards ($\gamma$, $\widehat{n},z,\widehat{z}$) to $D{S}_i$ and enters the offline-signing phase.

3.3. Offline-Signing Phase

• When $D{S}_i$ has received ($\gamma ,\widehat{n},z,\widehat{z}$) from the $BS$, $D{S}_i$ also computes the following messages if the checking of z is valid, where $\widehat{z}=H_1\left(z\right)mod\widehat{n}$. $D{S}_i$ selects a random number $r\in Z_n^{*}$ and computes the following:

  $$\begin{array}{ccc}\hfill C_1& =E_{p{k}_R}\left(r\right)\hfill & \\ \hfill C_2& =H_1\left(r\right)\oplus m\hfill & \\ \hfill C_3& =H_1(C_1,C_2,r,\widehat{z},m)\hfill & \end{array}$$

  (1)
• After computing the above equations, $D{S}_i$ also allows ${\beta }^2/{\alpha }^2$ as $\tau$ and performs the following:

  $$\begin{array}{ccc}\hfill C_1^{\prime }& =C_1*{\tau }^2*\gamma \hfill & \\ \hfill C_2^{\prime }& =C_2*\gamma \hfill & \\ \hfill C_3^{\prime }& =C_3*\gamma \hfill & \\ \hfill h& =H_1(C_1^{\prime },C_2^{\prime },C_3^{\prime })\hfill & \end{array}$$

  (2)
• From the above equations, we know that $D{S}_i$ blinds the sensor data and computes a cipher-text $(C_1^{\prime },C_2^{\prime },C_3^{\prime })$. Then, $D{S}_i$ forwards ($C_1^{\prime },C_2^{\prime },C_3^{\prime },h,z,\widehat{z}$) to $BS$. When $BS$ has received these messages from $D{S}_i^{\prime }$, it verifies above them with z, checks the h from $(C_1^{\prime },C_2^{\prime },C_3^{\prime })$, and enters the online-signing phase.

3.4. Online-Signing Phase

• When $BS$ obtains ($C_1^{\prime },C_2^{\prime },C_3^{\prime },h,z,\widehat{z}$) from $D{S}_i$, it could perform verification of these cipher-texts. If they are valid, then $BS$ decrypts them with ${\gamma }^{-1}$ as follows:

  $$\begin{array}{ccc}\hfill C_1& =C_1^{\prime }*{\tau }^2*{\gamma }^{-1}\hfill & \\ \hfill C_2& =C_2^{\prime }*{\gamma }^{-1}\hfill & \\ \hfill C_3& =C_3^{\prime }*{\gamma }^{-1}\hfill & \end{array}$$

  (3)
• After decrypting the above cipher-texts successfully, $BS$ computes the signature as follows with a QR number $\lambda$:

  $$\begin{array}{ccc}\hfill C_3^{\prime }& =C_3^{-2}*{\left(\frac{\beta }{\alpha }\right)}^{-2}*{\left(\lambda \right)}^2\hfill & \\ \hfill C_3^{\prime \prime }& =C_3^{\prime }*y_1(modn)\hfill & \\ \hfill C_2^{\prime \prime }& =C_2^{\prime }*y_2(modn)\hfill & \\ \hfill C_1^{\prime \prime }& =C_1^{\prime }*y_3(modn)\hfill & \end{array}$$

  (4)
• The signer $BS$ finishes the signing operation and generates the signature ($C_1^{″},C_2^{″},C_3^{″}$) to the data sender $D{S}_i$. When the node $D{S}_i$ has received this signature, it could unblind the signature by computing the following operations:

  $$\begin{array}{ccc}\hfill C_1^{\prime }& =C_1^{″}*y_3^{-1}\hfill & \\ \hfill C_2^{\prime }& =C_2^{″}*y_2^{-1}\hfill & \\ \hfill C_3^{\prime }& =C_3^{″}*y_1^{-1}\hfill & \\ \hfill C_3^{*}& =C_3^{\prime }*{\left(\frac{1}{\alpha }\right)}^2\hfill & \\ \hfill & =C_3^{-2}*{\beta }^{-2}*{\left(\lambda \right)}^2\hfill & \end{array}$$

  (5)
• Then, the $D{S}_i$ computes the final encrypted cipher-text messages $(C_1^{‴},C_2^{‴},C_3^{‴})$ to the $BS$ in the following and enters the unsign-cryption phase:

  $$\begin{array}{ccc}\hfill C_1^{‴}& =C_1^{″}*\gamma \hfill & \\ \hfill C_2^{‴}& =C_2^{″}*\gamma \hfill & \\ \hfill C_3^{‴}& =C_3^{*}*\gamma \hfill & \end{array}$$

  (6)

3.5. Unsign-Cryption Phase

• When $BS$ received these cipher-text messages from $D{S}_i$, it can decrypt by the following operations:

  $$\begin{array}{ccc}\hfill C_3^{*}& =C_3^{‴}*{\gamma }^{-1}\hfill & \\ \hfill t& ={\left(C_3^{*}\right)}^2*{\left(\lambda \right)}^{-4}\hfill & \\ \hfill & =C_3^{-4}*{\beta }^{-4}\hfill & \\ \hfill t^{*}& =t*y_1\hfill & \end{array}$$

  (7)
• After $BS$ has computed this signature t from the above equation, it forwards $(t^{*},z,\widehat{z})$ to the node $D{S}_i$ and allows the $D{S}_i$ to decrypt $t^{*}$ and un-blinds this signature t as follows:

  $$\begin{array}{ccc}\hfill t& =t^{*}*y_1^{-1}\hfill & \\ \hfill S_R& =t*{\beta }^4\hfill & \\ \hfill & =C_3^{-4}*{\beta }^{-4}*{\beta }^4\hfill & \\ \hfill & =C_3^{-4}modn\hfill & \end{array}$$

  (8)
• After $D{S}_i$ summarizes the above equation, we conclude that the node $D{S}_i$ has the final signature ${\sigma }_R=(S_R,C_1,C_2,C_3)$, where $S_R^4=C_3=H_1(C_1,C_2,\gamma ,\tau ,\widehat{z},m)$. Then, the node $D{S}_i$ can forward the sign-cryption signature ${\sigma }_R$ and cipher-text messages $(C_1,C_2,C_3)$ to the receiver R of the Internet host.
• Once the receiver R has obtained this sign-cryption signature ${\sigma }_R$ and cipher-text messages $(C_1,C_2,C_3)$ from $D{S}_i$, it can perform the following steps:

  $$\begin{array}{ccc}\hfill r^{*}& =D_{s{k}_R}\left(C_1\right)\hfill & \\ \hfill m& \stackrel{?}{=}{C}_2\oplus H_1\left(r^{*}\right)\hfill & \\ \hfill C_3& \stackrel{?}{=}{H}_1(C_1,C_2,r,\widehat{z},m)\hfill & \\ \hfill S_R^4& \stackrel{?}{=}{C}_3\hfill & \end{array}$$

  (9)

4. Functionality Comparisons and Security Analysis

In this section, we could provide functionality comparisons with other schemes and security analysis about our proposed scheme.

4.1. Fast Sign-Cryption Operation

The proposed scheme only needs three hash operations, one ⊕ operations, five multiplication operations, and one symmetric encryption in the offline-signing phase. In this situation, our proposed scheme is more efficient than [2]. In addition, the sensor node $D{S}_i$ can blind the sensed data to the base station efficiently and with data confidence. The base station $BS$ cannot be aware of the sensed data content. If the base station is compromised by a malicious attacker, $D{S}_i$ can also protect this data to prevent its exposure outside the IoT network. At the same time, it also guarantees the protection of user’s personal information.

4.2. Signer Fair Signature Operation

Our proposed scheme can offer the signature of sensed data after the base station $BS$ has received the encrypted sensed data from the user. In this time, $BS$ only can apply the square root operation on these sensed data to generate the corresponding signature under these blind and encrypted data. In the online-signing operation, the IoT device can perform lightweight operations on the user’s sensed data and obtain the signing result after the offline-signing phase performed by the signer $BS$. From the two signing phases above, we know that the IoT device and the base station can present some random numbers in these phases to prevent the unfair situation that the signature generation is controlled by a certain party.

4.3. User Data Protection

In our proposed scheme, we use the sign-cryption method to generate the encryption data with the corresponding signature within. In this time, the signer cannot know what the plain-text is without the corresponding decryption key. Only the receiver is aware of the corresponding decryption key to decrypt this cipher-text. Thus, our sign-cryption scheme could offer privacy protection of the user’s personal sensed information.

4.4. Efficiency Comparisons

In this section, we evaluate the efficiency of our approach in the following. First, there is an assumption that the prime numbers $p_1$, $p_2$, $p_3$ and $p_4$ are 1024 bits in length; $Ha$ is computation time for one hash computation; $SE$ is the time for a symmetric encryption operation, and $SD$ is time for a symmetric decryption operation. Meanwhile, we also define that $Ex$ is the computation time for one modular exponential operation in a 1024-bit module, $Mu$ is the time for one modular multiplication in a 1024-bit module, $M_{ecc}$ is the time for a number performing another point addition over an elliptic curve [13], and $Pa$ is the time for the computation time of a bilinear pairing operation of two elements over an elliptic curve. Then, we assume that $Ex\approx 8.24M_{ecc}$ for the ARM CPU to process at 200 Mhz in [14]. From the above assumption, we can discover that there exists some relation in the following, where $Ex\approx 240Mu=600Ha\approx 3Pa$ and $Ad\approx 5Mu$ in [15,16,17,18,19,20,21]. From the above computation time evaluation, we can see that our approach total computation time is $33Mu+6Ha+2\oplus +1SE+1SD$. Then, the result is approximate to 36 $Mu$ modular multiplication operations. Comparing with [2], we can see that our approach is much faster under the 1024-bit prime numbers. In the following two simulation results shown in Figure 1 and Figure 2, our approach provides the QR-signature simulation and RSA signature simulation, respectively. On the other hand, we implemented our approach on a Ubuntu 20.04 operating system with Intel Core i5-1135G7 CPU @ Base 2.4 GHz up to 4.2 GHz CPU and 8 GB memory. This simulation is carried out by using GO language and python language with “crypto/encoding/Matplotlib” library on the 10 nodes to 50 nodes, where are shown in Figure 1 and Figure 2, respectively.

4.5. Security Definitions

4.5.1. QR Signature Security

We provide the definition on the digital signature’s security as follows: In the initial phase, we assume that there exists some functions used in our proposed scheme; one is the signature generating function $Sig(·)$ and the other is the verification function $Ver(·)$, where the signer S can input her/his signing key $s{k}_S$ into this signing function with the message m. Then, we can claim that $\sigma$ is the resulting output from the signing function by S and the receiver R can verify $\sigma$ by the verification function $Ver(·)$ with the message m and the signer’s public key $p{k}_S$. The above scheme is based on well-known hard problems such as the RSA factoring problem. If there exists an attacker $\mathcal{F}$ whose goal is to forge a valid signature $S^{\prime }$ on the message m and pass the verification, i.e., $Ver(S^{\prime },m,p{k}_S)=1$, then $\mathcal{F}$ outputs it successfully with non-negligible probability larger than $\epsilon$, we can use $\mathcal{F}$’s ability to factor the RSA factoring problem. However, in fact, the attacker $\mathcal{F}$’s advantage is less than $\epsilon$. This means that the probability of $\mathcal{F}$ to output a forged signature and for this signature to pass the verification function with non-negligible probability is less than $\epsilon$.

$$Adv[S_i^{\prime }⟵{\mathcal{F}}^{Sig(s{k}_S,m)}|Ver(S_i^{\prime },m,p{k}_S)=1]<\epsilon .$$

4.5.2. Unforgeability

In this proposed scheme, we provide the signature definition of our sign-cryption scheme. From the above digital signature definition, we discuss the case where there exists a forger $\mathcal{F}$ with the ability to forge a valid QR-signature on our scheme. We assume that there are some functions such that $\mathcal{F}$ can make the hash query to the hash functions $H_1(·)$ and $H_2(·)$, symmetric encryption $En{c}_{p{k}_R}(·)$ function and the signing function $Sig(·)$. After preparing these functions, $\mathcal{F}$ can make its own query on these functions. $\mathcal{F}$ can ask i times query, where $i=1\sim l$ and l is the total number of IoT nodes. After the above $q_s$ times query, if $\mathcal{F}$ can output $q_s+1$ signatures on our proposed scheme, we can use $\mathcal{F}$ to break the RSA factoring problem.

$$Ad{v}_{{\mathcal{F}}^{Sig(·),H_1(·),H_2(·),R{O}_1,E_{p{k}_R}(·)}}^{Unf}(\theta ,t^{\prime })\le \frac{1}{2^l·q_s·q_e·q_d}+{\epsilon }^{\prime }.$$

Lemma 1.

First, we assume that there exists a secure digital signature function $Sig(·)$ and a secure hash function $H_1(·)$, which could be replaced with a random oracle $R{O}_1$ and a secure hash function $H_2$ in our proposed scheme. We also claim that our proposed scheme with the above unforgeability (Unf for short) satisfies the following situations. In other words, if our scheme is $(t^{\prime },{\epsilon }^{\prime })$ unforgeable, then

$$Ad{v}_{{\mathcal{F}}^{Sig(·),H_1(·),H_2(·),R{O}_1,E_{p{k}_R}(·)}}^{Unf}(\theta ,t^{\prime })\le \frac{1}{2^l·q_s·q_e·q_d}+{\epsilon }^{\prime }.$$

where $t^{\prime }$ is total experiment simulation time, including simulating l as an upper bound on the number of IoT devices, at most signature oracle $q_s$ times query, at most encryption oracle $q_e$ times query, at most decryption oracle $q_d$ times query, and ${\epsilon }^{\prime }$ has taken over the coin toss of our scheme.

4.5.3. Indistinguishability

In this definition, we assume the Indistinguishable (Ind for short) game where there exists an attacker $\mathcal{A}$ in the following simulation, which is controlled by a simulator $\mathcal{S}$. First, we defined that there is a symmetric encryption/decryption function $E_{p{k}_i}(·)$/$D_{s{k}_i}(·)$, where $i\in \{D{S}_j,BS,R\},j=1\sim l$, in which $D{S}_j$ is one of the l IoT devices; $BS$ is the base station, and R is the receiver of the outside network. The simulator $\mathcal{S}$ will prepare all set-up parameters including key pairs for the above parties. After set-up is complete, $\mathcal{S}$ will launch the proposed scheme simulation with $\mathcal{A}$. $\mathcal{A}$ can perform the encryption/decryption on the chosen message m. $\mathcal{S}$ also can reply the cipher-text $C=E_{p{k}_i}\left(m\right)$ and the original message m to $\mathcal{A}$. After the above game simulation, $\mathcal{S}$ can replace the encryption/decryption functions to an encryption/decryption oracle ($\tau$, ${\tau }^{-1}$), which performs the same action as our above symmetric encryption/decryption function. Through the above training phase, $\mathcal{A}$ sends a chosen target message ($M_0,M_1$) to $\mathcal{S}$; $\mathcal{S}$ will perform a coin flip b on the message ($M_b,M_{1-b}$). Then, $\mathcal{S}$ inputs the $M_b$ to the encryption oracle $E_{p{k}_i}$ to obtain the final result $C_b$. $\mathcal{S}$ forwards $C_b$ to $\mathcal{A}$ to guess whether $M_b$ is $M_0$ or $M_1$ on its coin flip $b^{\prime }$—that is,

$$Pr[b^{\prime }⟵{\mathcal{A}}^{(E_{p{k}_i}(·),D_{s{k}_i}(·),\tau ,{\tau }^{-1})}|b=b^{\prime }]<\frac{1}{2}+{\epsilon }^{\prime }.$$

4.5.4. Indistinguishable-Chosen Cipher-Text Attack (Ind-CCA for Short)

In this proposed scheme, we continue to define the chosen cipher-text attack security of our SC approach. There also exists an attacker $\mathcal{A}$, whose goal is to distinguish the cipher-text of our sign-cryption scheme. First, we assume that there is a simulator $\mathcal{A}$ to control the environment situational parameters including key pairs, security parameters, and hash length. After setting up, $\mathcal{S}$ defines the experiment in which $\mathcal{A}$ can make a query as follows.

• Phase 1: In this phase, the attacker $\mathcal{A}$ could make the encryption/decryption query on the chosen message m. If $\mathcal{A}$ makes the encryption query on the m of the IoT device i, where $i=1\sim l$, then $\mathcal{S}$ inputs the m into $C_{i,1}=E_{p{k}_i}\left({\gamma }_i\right)$, $C_{i,2}=m\oplus H_1\left({\gamma }_i\right)$ and $C_{i,3}=H_1(C_1,C_2,{\gamma }_i,m)$, where $i=1\sim l$. Here, $\mathcal{S}$ will preserve these parameters into the encryption oracle list ${\mathcal{E}}_i$ entry. On the other hand, $\mathcal{A}$ asks the decryption query on the cipher-text ($C_{i,1},C_{i,2},C_{i,3}$), $\mathcal{S}$ will check if there are any parameters matching this cipher-text in the ${\mathcal{E}}_i$ entry. If the answer is yes, $\mathcal{S}$ forwards the original message back to $\mathcal{A}$ and keeps this query in the decryption oracle ${\mathcal{D}}_i$ entry.
• Challenge: In this phase, if $\mathcal{A}$ chooses a target IoT device $j^{*}$ and a message pair ($M_0^{*},M_1^{*}$), where $M_0^{*}$ and $M_1^{*}$ are never asked the encryption query and decryption query before, $j^{*}\ne i$ and $i=1\sim l$. In this time, $\mathcal{S}$ will toss the coin flip b and inputs the $M_b^{*}$ into the encryption oracle $E_{p{k}_j^{*}}(·)$. Finally, $\mathcal{S}$ returns the target cipher-text ($C_{1,j^{*}},C_{2,j^{*}},C_{3,j^{*}}$) to $\mathcal{A}$. When $\mathcal{A}$ has received this target cipher-text, it still can make the decryption query on other cipher-texts except ($C_{1,j^{*}},C_{2,j^{*}},C_{3,j^{*}}$).

In the following, we model above the actions as game simulation steps that we played with the attacker $\mathcal{A}$.

$$\begin{array}{c}Ex{p}_{\mathcal{A},SC}^{Ind-CCA-b}\left(\theta \right)\hfill \\ \mathbf{Phase}\mathbf{1}\hfill \\ i\in \{1,\cdots ,l\},M_i⟵{\mathcal{A}}^{E_{p{k}_i}(·,\theta ),D_{s{k}_i}(·,\theta ),H_1(·)}\hfill \\ {\gamma }_i⟵{\{0,1\}}^{*}\hfill \\ C_{1,i}⟵E_{p{k}_i}\left({\gamma }_i\right)\hfill \\ C_{2,i}⟵M_i\oplus H_1\left({\gamma }_i\right)\hfill \\ C_{3,i}⟵H_1(C_{1,i},C_{2,i},{\gamma }_i,M_i)\hfill \\ \mathbf{Challenge}\mathbf{Phase}\hfill \\ b\in \{0,1\},j^{*}\ne i,(M_b^{*},M_{1-b}^{*})⟵\mathcal{A}\hfill \\ M_{b,j^{*}}\stackrel{b}{⟵}\mathcal{S}\hfill \\ C_{1,j^{*}}⟵E_{p{k}_{j^{*}}}\left({\gamma }_{j^{*}}\right)\hfill \\ C_{2,j^{*}}⟵M_i\oplus H_1\left({\gamma }_{j^{*}}\right)\hfill \\ C_{3,j^{*}}⟵H_1(C_{1,j^{*}},C_{2.j^{*}},{\gamma }_{j^{*}},M_{b,j^{*}})\hfill \\ b^{\prime }⟵{\mathcal{A}}^{(E_{p{k}_{j^{*}}}(·,\theta ),D_{p{k}_{j^{*}}}(·,\theta ),\tau ,{\tau }^{-1})}(C_{1,j^{*}},C_{2,j^{*}},C_{3,j^{*}},M_b^{*},\hfill \\ M_{1-b}^{*})\hfill \\ \mathrm{Return}{b}^{\prime }.\hfill \end{array}$$

The advantage ok function of the adversary $\mathcal{A}$ where it is defined as $Ad{v}_{\mathcal{A},SC}^{Ind-CCA}\left(\theta \right)=|Pr[Ex{p}_{\mathcal{A},SC}^{Ind-CCA-1}\left(\theta \right)=1]-Pr[Ex{p}_{\mathcal{A},SC}^{Ind-CCA-0}\left(\theta \right)=1]|<{\epsilon }^{\prime }.$

Lemma 2.

We defined that our sign-cryption SC scheme can withstand Ind-CCA attacks if there exists no such attacker $\mathcal{A}$ that could guess the cipher-text during above experiment $Exp$ with non-negligible probability than ${\epsilon }^{\prime }$, i.e.,

$$Ad{v}_{\mathcal{A},SC}^{Ind-CCA}(\theta ,t)<\frac{1+{\epsilon }^{\prime }}{2·q_e·q_d},$$

where at most t time bound, at most $q_e$ times encryption query, at most $q_d$ times decryption query under the θ security parameter.

Theorem 1.

First, we assume that our sign-cryption $SC$ scheme is an Ind-CCA secure symmetric encryption/decryption scheme with a secure hash random oracle $H_1$ and also satisfied with the unforgeability (Unf) in the following. Then, we can say that, if $SC$ is $(t^{\prime },{\epsilon }^{\prime })$ Ind-CCA secure and unforgeable, then

$$Ad{v}_{\mathcal{F},\mathcal{A},SC}^{Unf,Ind-CCA}(\theta ,t)\le (\frac{1}{2^l·q_s·q_e·q_d}·\epsilon +\frac{1+{\epsilon }^{\prime }}{2·q_e·q_d}),$$

where t is the maximum total experiment time including adversary execution time, l is an upper bound on the number of all IoT devices of at most $q_s$ times signing query, at most encryption oracle $q_e$ times query, and at most decryption oracle $q_d$ times query under the security parameter θ in the experiment.

5. Conclusions

In the final result, we can see that our approach is suitable for an IoT device to compute the QR signature and encryption simultaneously. From Table 1, we also can see that our approach is more efficient than other schemes [1,2,3,4]. Our methodology not only efficiently computes the encryption and signature simultaneously, but can also support the fair protocol of two parties during communication between these IoT devices. This point also prevents allowing a single device such as the powerful gateway being compromised by attackers when IoT devices attempt to perform a signature operation or data exchange with this gateway. At the same time, this approach also provides data privacy protection for users. On one hand, our future goal is to develop a lightweight hierarchical sign-cryption scheme for IoT devices, and it can offer the authentication functionality between different levels of IoT devices with data privacy protection simultaneously. On the other hand, our approach can extend to develop a novel and real practical IoT data migration methodology for the IoT network in the future.