Blockchain-enhanced certificateless signature scheme in the standard model

Abstract

The Internet of Things (IoT), driven by wireless communication and other technologies, is gradually entering our lives and promoting the transformation of society from "informatization" to "intelligence". Certificateless signature (CLS) eliminates certificate management, making it an effective method for verifying large-scale data in the IoT environment. Nevertheless, hash functions are modeled as ideal random oracles in the security proofs of most CLS schemes, which cannot guarantee the security of those schemes in practice. In response to this problem, Shim devised a CLS scheme in the standard model, without random oracles, and declared it provably secure. Unfortunately, in this paper we cryptanalyze Shim's CLS scheme and demonstrate that it does not resist public key replacement attacks from a Type I attacker. Furthermore, to improve the security of Shim's CLS scheme and to avoid both the single point of failure at the KGC and signature forgery mounted with the help of the public parameters, we propose a blockchain-based CLS scheme without random oracles. Finally, we evaluate the overall performance: while maintaining the computational and communication performance of Shim's scheme, our scheme resists both Type I and Type II attackers, as well as signature forgery mounted against the public parameters.


Introduction
The Internet of Things (IoT) connects items through sensors, controllers, and other devices to facilitate information exchange and communication in various application areas [1], such as environmental protection, intelligent transportation, public safety, food traceability, industrial monitoring, personal health, and intelligence collection. For example, smart transportation closely matches people, vehicles, and roads to improve traffic efficiency, ensure traffic safety, improve the traffic environment, and increase energy efficiency [2]. In environmental protection, it improves resource utilization and achieves energy saving and emission reduction [3]. However, with the increasing number of devices in the IoT, ensuring integrity verification and identity authentication among a large number of devices has become a critical and realistic issue [4].
To achieve effective authentication of the large amount of data transmitted in the IoT, ensuring data integrity, non-repudiation, and source identity authentication [5], certificateless signatures (CLS) are a commonly used solution that avoids the efficiency loss of implementing multiple algorithms in parallel [6]. In CLS, the user's signing key is created by combining a partial private key generated by the Key Generation Center (KGC) with the user's own secret value. Because the KGC and the user operate independently, the CLS scheme avoids both the public key management problem and the key escrow problem. However, this design exposes CLS to two types of attackers [7].
1). Type I attacker A_1: an attacker who impersonates a dishonest user. Specifically, A_1 may hold the user's secret value and mount a public key replacement (PKR) attack, but the user's private key is kept secret from A_1.
2). Type II attacker A_2: a malicious KGC. Specifically, A_2 has all the capabilities of the KGC and launches a malicious-but-passive KGC (MBPK) attack. However, A_2 is prohibited from holding the user's secret value or replacing the user's public key.
To ensure the security of IoT devices, it is necessary to prevent these two types of attacks in the IoT environment.
IoT has gradually been combined with blockchain to address IoT security issues [8,9]. The distributed nature of blockchain ensures that the data stored on the chain cannot be tampered with, thus solving trust issues and ensuring data security [10]. Therefore, in our CLS scheme, the user's partial private key is created through a blockchain smart contract, which prevents forgery attacks launched by attackers with the help of the public parameters.
The remainder of this paper is arranged as follows. Some preliminary knowledge related to our CLS scheme is presented in Section 3. Section 4 describes and cryptographically analyzes Shim's scheme [11]. Section 5 depicts the improved CLS scheme, and Section 6 analyzes its safety and effectiveness. Section 7 performs an analysis and comparison of the performance of the proposed scheme. Finally, the conclusion of this paper is summarized in Section 8.

Related work
Since the introduction of the concept of CLS by Al-Riyami and Paterson [12], plenty of CLS schemes [13,14,15] have been designed. Existing CLS schemes can be broadly categorized into two types: those proven secure in the random oracle model and those proven secure in the standard model, without random oracles. While it is common and convenient to use the random oracle model to establish security proofs, it does not guarantee that the scheme will remain secure in the real world [16]. Hence, proving security in the standard model has become necessary. Most CLS schemes abstract cryptographic hash functions as ideal random oracles, and such schemes may have security vulnerabilities in practice. Therefore, designing a CLS scheme that does not rely on random oracles is more practical for authenticating IoT data integrity [17].
In recent years, CLS schemes without random oracles have attracted a great deal of attention from researchers. The first CLS scheme without random oracles was proposed by Liu et al. [18], but it was found to be vulnerable to MBPK attacks [19]. Subsequently, Yuan et al. [20] designed a CLS scheme that addressed MBPK attacks, but it was found to be vulnerable to PKR attacks [21]. Yu et al. [22] proposed another efficient CLS scheme, but it still could not resist MBPK and PKR attacks. To address the security issues in the Yu scheme [22], Yuan and Wang [23] proposed an improved scheme, but it is still not secure and is vulnerable to MBPK attacks. Also, Shim [11] devised a CLS scheme that does not require random oracles and proved that its security depends only on the hardness of the computational Diffie-Hellman (CDH) problem. Nevertheless, in this paper we demonstrate that it is insecure against PKR attacks. A summary of our main work is given below.
1). We present an attack against Shim's scheme [11]. Specifically, by substituting the user's public key, A_1 can generate a legitimate signature on any message of its choice.
2). To remedy the security flaws of Shim's scheme [11], we present a blockchain-based CLS scheme without random oracles. In particular, our enhanced scheme uses a blockchain smart contract in place of the traditional KGC, which avoids both the single point of failure at the KGC and signature forgery mounted by an attacker with the help of the public parameters.
3). We formally analyze the security of the improved scheme to show that it resists MBPK and PKR attacks.
4). We compare the performance of the improved scheme with that of Shim's scheme [11] to illustrate the practical feasibility of our scheme.

Table 1. Symbols used in this article.

Symbol | Description
ID | The identity of the user
m | The message to be signed
H_u, H_m | Two secure hash functions
msk | The system master key
(psk^{(1)}, psk^{(2)}) | The private key
(pk^{(1)}, pk^{(2)}) | The public key
σ | The signature on m

Table 1 shows the symbols used in this article. We choose two cyclic groups G_1 and G_2 and require their orders to be the same prime p. Next, we pick a generator g of G_1 and a bilinear map e : G_1 × G_1 → G_2 satisfying the following conditions.
In addition, (p, G_1, G_2, g, e) is commonly referred to as a bilinear group. Several mathematical problems used in this article are described below; each is assumed to be hard to solve in polynomial time.
• CDH problem: Given a triple (g, g^a, g^b) with unknown a, b ∈ Z_p^*, compute g^{ab}.
• Inverse-CDH problem: Given a tuple (g, g^a) with a ∈ Z_p^*, compute g^{-a}.
• Discrete logarithm (DL) problem: Given a tuple (g, g^a), compute a ∈ Z_p^*.

Review of Shim's CLS scheme
The construction of Shim's CLS scheme [11] is briefly described below.
• Setup: The KGC executes the following to produce the system parameters.
1). Select the bilinear group (p, G_1, G_2, g, e) according to the chosen security parameter ϑ.
• Partial-Private-Key-Extract: Based on the user's identity ID, the user's partial private key parkey_ID is produced by the KGC.
• User-Key-Generation: Assuming that ID is the identity of the user, the user performs the following actions.
• CL-Sign: For a message m, the user whose identity is ID performs the following signature steps.
1). Calculate \bar{m} = H_m(m, ID, upk_ID).
2). Define the i-th bit of \bar{m} to be \bar{m}[i], and collect the set of indices i that satisfy \bar{m}[i] = 1.
• CL-Vfy: For a signature σ = (σ_1, σ_2, σ_3) on m from a user with identity ID, the verifier checks as follows.

Weakness of Shim's CLS scheme
Shim [11] claims that the CLS scheme is secure against MBPK and PKR attacks. Nevertheless, we show that the scheme is not resistant to PKR attacks launched by Type I attackers. The Type I attacker A_1 represents a malicious signer. Let the identity of the attacked user be ID^*. Although A_1 does not know the partial private key of ID^*, it can forge a valid signature on any message m^* of its choice by replacing ID^*'s public key, so that the forged signature passes verification. The forgery attack launched by A_1 is described in detail as follows.

Blockchain-based CLS scheme without random oracles
Based on Shim's CLS scheme [11], we construct an improved CLS scheme using blockchain technology.

System model
The system model of our CLS scheme is depicted in Figure 1 and involves four entities: the administrator, the smart contract-based KGC (SC-KGC), the user and the verifier.
• Administrator: The administrator is primarily responsible for maintaining the blockchain network and initializing the system parameters.
• SC-KGC: This smart contract, deployed on the blockchain, issues the user's partial private key and stores the system parameters on the blockchain.
• User: Each user generates its own public and private key and produces the certificateless signature on the message.
• Verifier: The verifier checks the validity of the signature generated by the user on the basis of the system parameters.

Improved CLS scheme
The proposed scheme is described in detail below.
• Partial-Private-Key-Extract: For the identity ID submitted by the user, the SC-KGC executes as follows.
• User-Key-Generation: Assuming that ID is the identity of the user, the user performs the following actions.
• CL-Sign: For a message m, the user whose identity is ID performs the following steps. Pick k, r ∈ Z_p^* at random, then calculate σ_2 = g^r · psk^{(2)} = g^{r + r_u} and σ_3 = g^k.

Security proof
Similar to Shim's CLS scheme [11], the improved CLS is proven to be secure by exploiting the security game between the attacker and the challenger. If the CDH problem is intractable in polynomial time, our improved CLS scheme is resistant to PKR attacks from Type I attackers.
Let A_1 be a Type I attacker who forges a legitimate signature of our CLS scheme with probability ε_1. Then a challenger C_1 can solve the CDH problem using A_1's forged signature. C_1 is given a CDH instance (g, g^a, g^b) and interacts with A_1 as follows in order to compute g^{ab}.
System initialization: Let C_par be the number of partial private key queries and C_s the number of signature queries issued by A_1. C_1 initializes the following system parameters.
1). Set l_u = 2(C_par + C_s) such that l_u(n_u + 1) ≤ p.
2). Set l_m = 2C_s such that l_m(n_m + 1) ≤ p.
Create-User-Queries: C_1 creates a list L_U, initially empty. When A_1 requests ID_i's public key, C_1 returns upk_{ID_i} to A_1 if L_U already contains a tuple for ID_i. Otherwise, C_1 executes as follows.
1). Pick τ_i ∈ Z_p^* at random and set ID_i's secret value usk_{ID_i} = τ_i.
2). Calculate u_i = H_u(ID_i).
3). Define the set of indices j that satisfy u_i[j] = 1 to be U_i ⊂ {1, ..., n_u}.
4). Define Ũ_i = u' · ∏_{j ∈ U_i} û_j.
5). Calculate pk_i^{(1)} = g^{τ_i} and pk_i^{(2)} = Ũ_i^{τ_i}.
6). Set ID_i's public key upk_{ID_i} = (pk_i^{(1)}, pk_i^{(2)}).
7). If F(u_i) = 0 mod p, set parkey_{ID_i} = (psk_i^{(1)}, psk_i^{(2)}) = (⊥, ⊥); otherwise, select r_{u_i} ∈ Z_p^* and then calculate psk_i^{(1)} and psk_i^{(2)}. The tuple (ID_i, usk_{ID_i}, upk_{ID_i}, psk_i^{(1)}, psk_i^{(2)}) is stored in L_U.
Partial-private-key-Queries: When A_1 asks for ID_i's partial private key, C_1 looks up the tuple (ID_i, usk_{ID_i}, upk_{ID_i}, psk_i^{(1)}, psk_i^{(2)}) in L_U and returns parkey_{ID_i} = (psk_i^{(1)}, psk_i^{(2)}) to A_1.
Secret-value-Queries: When A_1 asks for ID_i's secret value, C_1 looks up the tuple (ID_i, usk_{ID_i}, upk_{ID_i}, psk_i^{(1)}, psk_i^{(2)}) in L_U and returns usk_{ID_i} to A_1.
Replace-public-key-Queries: When A_1 wants to replace ID_i's public key with upk*_{ID_i}, C_1 replaces upk_{ID_i} with upk*_{ID_i} in the list L_U.
Signature-Queries: When A_1 requests a signature on message m_j under identity ID_i, C_1 looks up the tuple (ID_i, usk_{ID_i}, upk_{ID_i}, psk_i^{(1)}, psk_i^{(2)}) in L_U and calculates \bar{m}_j = H_m(m_j, ID_i, upk_{ID_i}).
1). If F(u_i) ≠ 0 mod p, C_1 invokes the CL-Sign algorithm and returns the resulting signature to A_1.
2). If F(u_i) = 0 mod p and K(\bar{m}_j) ≠ 0 mod p, C_1 picks k, r ∈ Z_p^* at random, then calculates σ_{i2} = g^r and σ_{i3} = g_1^{-1/K(\bar{m}_j)} · g^k. Next, C_1 calculates σ_{i1}. Finally, C_1 returns (σ_{i1}, σ_{i2}, σ_{i3}) to A_1.
3). Otherwise, C_1 terminates the game.
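To make the Waters-style key material of Create-User-Queries (steps 2 to 6) and the message-independent pairing values of CL-Vfy concrete, the following Python example is added here; it is not code from the paper or from Shim's implementation. It assumes a toy group, the order-509 subgroup of Z_1019^* (1019 is a safe prime; there is no pairing and no security in this group, it only lets the arithmetic run), instantiates H_u as SHA-256 truncated to n_u = 8 bits, and the helper names waters_setup, waters_hash, waters_log, user_key_generation and well_formed are ours. By bilinearity, e(g, pk^{(2)}) = e(Ũ, pk^{(1)}) holds exactly when pk^{(2)} = (pk^{(1)})^{log_g Ũ}, so well_formed evaluates that relation with the setup exponents x', x_j, which is the knowledge the challenger C_1 has in the proof; a verifier without those exponents needs the pairing to perform the same check.

```python
import hashlib
import secrets

# Toy group (constructed for this example): the order-Q subgroup of Z_P^* with
# P = 2Q + 1 a safe prime. A real deployment uses a pairing-friendly curve
# (the paper benchmarks PBC type-A parameters); this group has no security.
P = 1019            # safe prime, P = 2*Q + 1
Q = 509             # prime group order (the paper's p)
G = 4               # generator of the order-Q subgroup (4 is a square mod P)
N_U = 8             # n_u: output bit length of H_u (toy size, an assumption)


def h_u(identity):
    """H_u: identity -> n_u-bit string, returned as bits u[1..n_u] (leftmost first).
    Assumed here to be SHA-256 truncated to n_u bits; the paper only asks for a
    secure hash function."""
    digest = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    top = digest >> (256 - N_U)
    return [(top >> (N_U - 1 - j)) & 1 for j in range(N_U)]


def index_set(u_bits):
    """U = { j : u[j] = 1 } as a subset of {1, ..., n_u} (step 3, 1-based as in the paper)."""
    return {j + 1 for j, bit in enumerate(u_bits) if bit == 1}


def waters_setup(rng=secrets.randbelow):
    """Public parameters u', û_1..û_{n_u} in G_1. The exponents x', x_j stay with
    whoever ran setup; in the security proof the challenger C_1 knows them."""
    x_prime = rng(Q - 1) + 1                      # x' in Z_Q^*
    x = [rng(Q - 1) + 1 for _ in range(N_U)]      # x_j in Z_Q^*
    return {
        "u_prime": pow(G, x_prime, P),
        "u_hat": [pow(G, xj, P) for xj in x],
        "x_prime": x_prime,
        "x": x,
    }


def waters_hash(params, identity):
    """Ũ = u' · ∏_{j in U} û_j (step 4), computed from public parameters only."""
    acc = params["u_prime"]
    for j in index_set(h_u(identity)):
        acc = (acc * params["u_hat"][j - 1]) % P
    return acc


def waters_log(params, identity):
    """log_g Ũ = x' + Σ_{j in U} x_j mod Q; needs the setup exponents."""
    total = params["x_prime"] + sum(params["x"][j - 1] for j in index_set(h_u(identity)))
    return total % Q


def user_key_generation(params, identity, tau=None):
    """User-Key-Generation (steps 1, 5, 6): secret value usk = τ in Z_Q^* and
    public key upk = (pk1, pk2) = (g^τ, Ũ^τ)."""
    if tau is None:
        tau = secrets.randbelow(Q - 1) + 1
    u_tilde = waters_hash(params, identity)
    return tau, (pow(G, tau, P), pow(u_tilde, tau, P))


def well_formed(params, identity, upk):
    """Message-independent public-key check. The verifier's pairing equation
    e(g, pk2) = e(Ũ, pk1) holds iff pk2 = pk1^{log_g Ũ}; here the relation is
    evaluated directly with the setup exponents, so a replaced key whose second
    component is not Ũ^τ for the same τ as the first component is rejected."""
    pk1, pk2 = upk
    return pow(pk1, waters_log(params, identity), P) == pk2


if __name__ == "__main__":
    params = waters_setup()
    ident = "device-0042"                          # constructed sample identity
    tau, upk = user_key_generation(params, ident)
    print("index set U:", sorted(index_set(h_u(ident))))
    print("honest key accepted:", well_formed(params, ident, upk))
    tampered = (upk[0], (upk[1] * G) % P)          # second component no longer Ũ^τ
    print("tampered key accepted:", well_formed(params, ident, tampered))
```

Running the script prints the index set derived from H_u(ID), shows that an honestly generated (g^τ, Ũ^τ) passes the check, and that a key whose second component was altered fails it; in the pairing-based scheme the verifier obtains the same accept/reject decision from the two precomputed pairings without ever learning the exponents.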
If the CDH problem is intractable in polynomial time, our improved CLS scheme is resistant to MBPK attacks from Type II attackers. Table 2 shows the security analysis comparison with similar CLS schemes [11,18,19,22] without random oracles, where the symbols ✓ and × represent the scheme's ability or inability to resist such attackers. Obviously, the improved CLS scheme can resist Type I and Type II attackers, making it more suitable for the IoT environment.

Scheme | Type I attacker | Type II attacker
Scheme [11] | × | ✓
Scheme [18] | ✓ | ×
Scheme [19] | × | ✓
Scheme [22] | × | ×
Our scheme | ✓ | ✓

In the CL-Vfy algorithm of the improved scheme, e(g, pk^{(2)}), Z and e(Ũ, pk^{(1)}) can be pre-computed since they are independent of the signed message. Hence, our enhanced scheme inherits the computation and communication performance of Shim's scheme [11]. Table 3 shows the computational and communication costs of Shim's scheme [11] and of our improved scheme, where T_p and T_m denote one bilinear pairing and one point-scalar multiplication, respectively, and |G_1| denotes the byte length of an element of G_1. Table 3. Comparison of communication and computational costs.

Scheme | CL-Sign | CL-Vfy | Signature length
Scheme [11] | 5T_m | 3T_p | 3|G_1|
Our scheme | 5T_m | 3T_p | 3|G_1|

We used the pbc 0.5.14 library [24] with type A elliptic curve parameters for the computations and measured the average execution time of the cryptographic operations. The experimental environment was Ubuntu 22.04.2 LTS on an Intel(R) Xeon(R) Gold 6133 CPU @ 2.50GHz. The measured times for a bilinear pairing and a point-scalar multiplication were 3.21 milliseconds and 1.15 milliseconds, respectively. Figure 2 shows the resulting running times for the signer and the verifier, which are acceptable for device time budgets in the IoT environment.

Conclusions
To address the issues of data integrity verification and identity authentication in the IoT environment, we chose the CLS approach. Shim [11] designed a CLS scheme without random oracles and claimed its security in the standard model. In this article, we presented an attack against Shim's scheme [11] and showed it to be vulnerable to PKR attacks. In addition, we proposed an improved scheme that fixes the security flaw of their scheme and combined it with blockchain to further enhance security. Finally, the analysis results show that our enhanced scheme achieves stronger security while preserving the performance of the original scheme. Although bilinear pairing operations consume relatively more time than other operations, the improved scheme still relies on them. In future work, we plan to reduce the number of bilinear pairing operations for higher efficiency while preserving security.