Open Access

ARTICLE

A Linear Homomorphic Proxy Signature Scheme Based on Blockchain for Internet of Things

Caifen Wang1,*, Bin Wu2

1 College of Big Data and Internet, Shenzhen Technology University, Shenzhen, 518118, China
2 School of Electronic and Information Engineering, Lanzhou Jiaotong University, Lanzhou, 730070, China

* Corresponding Author: Caifen Wang. Email:

(This article belongs to this Special Issue: Emerging Trends on Blockchain: Architecture and Dapp Ecosystem)

Computer Modeling in Engineering & Sciences 2023, 136(2), 1857-1878. https://doi.org/10.32604/cmes.2023.026153

Abstract

The mushroom growth of IoT has been accompanied by the generation of massive amounts of data. Subject to the limited storage and computing capabilities of most IoT devices, a growing number of institutions and organizations outsource their data computing tasks to cloud servers to obtain efficient and accurate computation while avoiding the cost of local data computing. One of the most important challenges facing outsourcing computing is how to ensure the correctness of computation results. Linearly homomorphic proxy signature (LHPS) is a desirable solution to ensure the reliability of outsourcing computing in the case of authorized signing right. Blockchain has the characteristics of tamper-proof and traceability, and is a new technology to solve data security. However, as far as we know, constructions of LHPS have been few and far between. In addition, the existing LHPS scheme does not focus on homomorphic unforgeability and does not use blockchain technology. Herein, we improve the security model of the LHPS scheme, and the usual existential forgery and homomorphic existential forgery of two types of adversaries are considered. Under the new model, we present a blockchain-based LHPS scheme. The security analysis shows that under the adaptive chosen message attack, the unforgeability of the proposed scheme can be reduced to the CDH hard assumption, while achieving the usual and homomorphic existential unforgeability. Moreover, compared with the previous LHPS scheme, the performance analysis shows that our scheme has the same key size and comparable computational overhead, but has higher security.

Keywords


1  Introduction

In the past decade, the way of data collection and dissemination have inspired the rapid development of the Internet of Things (IoT) [1,2]. The IoT has opened up new avenues for technical support and business upgrades in the fields of industry, healthcare, transportation, military target tracking, smart homes and food traceability, among which mobile healthcare systems (MHSs) and the industrial Internet of Things (IIoT) are the most successful applications.

The IIoT continuously integrates all kinds of acquisition, sensors or controllers with sensing abilities, as well as mobile communication technology, into all aspects of industrial production, to improve production efficiency, reduce costs, and ultimately realize the conversion of traditional industry to smart industry [3]. MHSs provide services and applications [4,5], including mobile telemedicine and electronic monitoring systems based on wireless sensors. In this system, sensors (wearable or implanted) are connected to the bodies of remote patients to collect medical data, including body temperature, blood pressure, pH-value etc., and transmit these data through nodes to a medical server, which distributes the relevant data to professional medical personnel.

The rapid development of IIoT and MHSs, along with the generation of massive medical and industrial data, has led to increasing computing overhead and resource consumption, which makes traditional local computing model (most IoT devices have limited processing and computing power and are not economical to calculate) unable to meet the application requirements. Fortunately, due to the convenience and rapidity of cloud computing, many users migrate local data to cloud servers to meet the above challenge. Fig. 1 shows a typical cloud-based network architecture. Outsourcing data to cloud servers to obtain and accurate computation or analysis results have become preferential.

images

Figure 1: A typical architecture of cloud-based network

However, as an unsecure third party, cloud servers may return incomplete or wrong calculation results due to software and hardware errors and commercial interest inducement. Homomorphic signature (HS) provides a natural method for verifying outsourced computing, which can effectively solve the above problems. HS can enable untrusted servers to run calculations on outsourced data and generate a short signature to ensure the integrity and correctness of the calculation results. In recent years, HS has been extensively studied and developed [610].

Furthermore, consider such an application scenario: a hospital authorizes a sensor to sign data and communicate with the cloud server. The cloud server first confirms the authenticity of the sender (i.e., the sensor connected to the bodies of remote patients) and then sends the data calculation result and the derived signature to the hospital or research institution to verify its correctness. In an IIoT environment, an executive officer issues instructions to subordinates (such as the plant manager) to perform communication tasks. Thus, the data signature was often carried out by the subordinate on behalf of the superior organization. To realize this kind of authentication mechanism, it is necessary to authorize the signing right. In order to implement such kind of authentication mechanism, signature rights need to be authorized. Mambo et al. [11] realized this delegation authorization relationship with the concept of proxy signature (PS). In the PS scheme, the original signer (all represented by Alice) delegates its signing power to the proxy signer (all represented by Bob). Bob can generate valid proxy signatures in the name of Alice, and the verifier accepts the authorization protocol.

Naturally, to ensure the reliability of outsourced computing in the case of authorized signing rights, constructing a PS scheme with the homomorphism is interesting, which combines the delegation characteristics and homomorphism in the authentication method. In this type of scheme, Alice can authorize Bob, and Bob can create a proxy signature with homomorphic properties. However, as far as we know, constructions of linearly homomorphic proxy signature (LHPS) have been few and far between; in addition, the existing LHPS scheme [12] is only proven to be usually existential unforgeable (EUF) against adaptive chosen-message attacks (CMA). This security concept only guarantees that an adversary cannot forge a signature of any new message under the unqueried data identifier; it does not ensures that the adversary generates a valid signature for the data sets that have been queried for signatures (i.e., homomorphic existential forgery). In detail, for the security of a signature with homomorphic properties, there are two meanings of existential unforgeability, a verifiable forgery (f,y,σ) where f is an admissible function on messages x and yy(y=f(x)) characterizes two facts: First, if f(x)=πi(x)=xi is a special projection function, then σ is a usual existential forgery (UEF), corresponding to the general concept of signature forgery. Another is that if f is a generally admissible function, then σ is a homomorphic existential forgery (HEF), that is, forgery σ authenticates y as f(x), which is not the case. Homomorphic unforgeability is an important property of the LHPS scheme, which can prevent untrusted cloud servers from authenticating the wrong computing or analysis results and returning them to the receiver. Unfortunately, for the two types of adversaries, the existing homomorphic proxy signature security model does not consider the situation in which adversaries output homomorphic existential forgeries; thus, the proposed scheme does not satisfy homomorphic unforgeability in the sense of provable security.

To overcome this security flaw, we improve the security definition for LHPS and construct a new LHPS scheme for IoT environments, and makes the following main contributions in this paper:

1.    The security model for LHPS is improved. For the two types of adversaries, considering the situation of an adversary’s output of a homomorphic existential forgery, the types of forgeries are more comprehensive, so the model security standard is higher.

2.    We construct a blockchain-based LHPS scheme and prove that this scheme is secure against existentially forgery (including the usual existential forgery and homomorphic existential forgery) on adaptive CMA based on the CDH assumption under two types of adversaries.

3.    The performance of the new LHPS is analyzed in detail. The discussion shows that our scheme has the same key size and comparable computational overhead as Lin et al.’s LHPS scheme [12], but it has higher security. Therefore, it is feasible to deploy and implement our LHPS scheme in cloud-based IoT environments.

2  Related Works

The concept of HS scheme was first proposed by Goldwasser et al. [13] in 2000. Johnson et al. [14] first introduced the formal definition and overall framework of HS. Until 2009, Boneh et al. [15] proposed the first secure and practical LHS scheme, which can be regarded as a milestone of LHS scheme. Utilizing the k-SIS hardness assumption, reference [9] proposed the first scheme that can against quantum attacks. In order to be independent of certificate management, scholars proposed identity-based LHS schemes [1619]. Although certificate management is simplified, key escrow issues are introduced. In response to this problem, researchers have successively proposed certificateless LHS [20,21]. Recently, multi-key HS has attracted attention [2229]. For datasets involving inputs authenticated by different clients, multiple-key support is required, Chen et al. [27,28] successively proposed two multi-key LHS schemes, supporting three-layer and multi-layer routing networks respectively. Lai et al. [29] proposed an unforgeable multi-key HS under internal corruption based on adaptive zero-knowledge non-interactive knowledge demonstration. The public verifiability of HS makes them studied in other application scenarios. For example, the verifiable encryption HS scheme proposed by Seo et al. [30] has been successfully applied to cumulative optimistic fair exchange, and the homomorphic signcryption scheme proposed by Fan et al. [31] has been successfully applied to electronic voting, for voters, the use of homomorphic signcryption can complete the encryption and signature of votes in one step. In 2021, Li et al. [32] proposed a homomorphic signcryption scheme with verifiable public plaintext results, allowing the evaluation of arbitrary functions on signcrypted data, and allowing anyone to publicly test whether a given ciphertext is a signcrypted file for a message under a key.

Since Mambo et al. [11] proposed the concept of PS in 1996, many variants of PS have been proposed by other researchers successively, including proxy multi-signatur, multi-PS, proxy blind signature, certificate-based proxy signature and designated verifier proxy signature [3338]. In 2003, Lee et al. [39] believed that proxy signature does not necessarily require a secure channel. In terms of the security model, Cao et al. [40] and Wang et al. [41] presented the model of a multi-proxy signature scheme. However, as Schuldt et al. [42] pointed out, the structure of the model is complex and incomplete. In 2012, Boldyreva et al. [43] improved its early security model by clearly defining the security attributes of proxy signatures and formalizing the definition of adversary behavior.

Blockchain is a new type of decentralized protocol that can securely store Bitcoin transactions or other data. The information cannot be forged or tampered with, and smart contracts can be automatically executed without the audit of any centralized organization [44,45]. Transactions can be digital currencies such as Bitcoin or digital assets such as debt, equity, copyright, etc. Blockchain technology solves the Byzantine general problem, greatly reduces the cost of trust and accounting in the real economy, and redefines the property right system in the Internet era. The introduction of blockchain technology in the proxy signature mechanism can realize the delegation of digital signature rights under the premise of safety and reliability, and support traceability and tamper-proof modification [46]. Additionally, blockchain-based proxy signatures enable anonymity of authentication while ensuring traceability of misconduct [47].

3  Architecture of Sign Delegation and Authentication Computing in a Cloud-Based IoT Environment

In the architecture of a cloud-based IoT environment using delegation and authentication computing, five entities are involved: CA, data owner, cloud server, end user and blockchain, as shown in Fig. 2. The specific functions are as follows (In this paper, Alice/Bob always represents the original/proxy signer):

•   CA: It generates system parameters and generates certificates for users according to the identity and public key provided by each user.

•   Data owner: It is composed of industry officials (e.g., system administrators, executive officers, etc.) and intelligent devices (embedded sensors). In our LHPS scheme, the superior is the Alice, and the subordinate is the Bob. For smart machines, the deployment agency/supervisor acts as the Alice, and the sensor will act as the Bob. Therefore, the superior (or supervisor) delegates its signature right to the subordinate (or smart machine).

•   Cloud server: The cloud server can use the homomorphic signature to perform various calculations on the authentication data, and then sends the calculation results and the derived signatures to the end user, which can be done with minimal interaction and communication.

•   End user: The end user may be a hospital, a research institution, or an intelligent machine (depending on the scenario). It receives the calculation result and the corresponding signature and uses the public key of the two signers for verification.

•   Blockchain: The blockchain mainly stores the warrant from the original signer to the proxy signer so that other entities can download and verify the validity of the warrant.

images

Figure 2: Architecture for IoT environment based on LHPS, blockchain and cloud computing

4  Definitions and Security Model

4.1 Linearly Homomorphic Proxy Signature

A LHPS scheme proposed in this paper includes seven polynomial-time algorithms (Setup, UserKGen, Delegation, DeleVerify, LHP-Sign, LHP-Combine, LHP-Verify):

•   Setup: On input a security parameter λ and a integers l (the maximum data-size) as input, it outputs the system parameters params.

•   UserKGen: On input params, it output a public/private key pair (pku,sku) for a user.

•   Delegation: Given params, the private key skA of Alice, the warrant wB of Bob (it records the identity information of the Alice and Bob, the type of authorization message, and the validity period of the proxy signer), it output delegation information SwB.

•   DeleVerify: For the input params, public key of Alice, delegation and warrant, it outputs 0 or 1 according to reject or accept.

•   LHP-Sign: Bob greats a proxy signature σ on a message vector v, after using params, the private key skB of Bob, a warrant wB, delegation information SwB and a file identifier τ{0,1}λ.

•   LHP-Combine: Takes a file identifier τ, public keys of both signer, a warrant wB, and a set of tuples {(ci,σi)}i=1l, where ciFq, σi LHP-Sign (params,τ,skB,SwB,vi), and outputs a signature σ on v=i[l]civi.

•   LHP-Verify: Takes as input public keys of both signer, wB, a file identifier τ, and message/signature pair, outputs either 1 or 0.

Correctness. The requirement is that for any output (pkA,skA), (pkB,skB) of the algorithm UserKGen, the following conditions are true:

(1)   For any τ{0,1}λ and message vector v, if σ LHP-Sign (skB,wB,SwB,τ,v), then LHP-Verify (τ,pkA,pkB,wB,v,σ) = 1.

(2)   For all τ and sets of tuples {(ci,σi,vi)}i=1l, if LHP-Verify (τ,pkA,pkB,wB,vi,σi) = 1, then LHP-Verify (τ,pkA,pkB,wB,i=1lcivi, LHP-Combine {τ,pkA,pkB,wB,(ci,σi)}i=1l) = 1.

4.2 Security Models

We consider two type of adversaries, and denoted by 𝒜, 𝒜, respectively.

Type-I adversary (𝒜): 𝒜 consists of system parameters, Alice’s public-private key pair, and Bob’s public key. In fact, 𝒜 is a malicious original signer.

Type II adversary (𝒜): 𝒜 consists of system parameters, Bob’s public-private key pair, and Alice’s public key. In fact, 𝒜 is a malicious proxy signer.

We use the following game between challenger 𝒞 and 𝒜, 𝒜 to describe the security of the LHPS scheme.

Game 1. (Security against adversary 𝒜) 𝒜 attempts to outputs a forged proxy signature while having no private key of the Bob. The following formalized security models are designed for 𝒜 and 𝒞.

•   Setup: 𝒞 performs Setup and UserKGen oracles, and obtain the system parameters params, the key pair (pkA,skA) of Alice as well as key pair (pkB,skB) of the targeted proxy signer. 𝒞 then gives params and (pkA,skA,pkB) to 𝒜.

•   Queries: Adversary 𝒜 can performs the following polynomial number of oracle queries.

    – Key Registration Queries: Given a key pair (pki,ski), 𝒞 first checks whether (pki,ski) is valid. If so, 𝒞 stores it in a list. Otherwise, 𝒞 rejects.

    – Signing Queries: Given a tuple (τ,pkA, pkB,wB,v), 𝒞 outputs a signature σ on v.

Output: 𝒜 outputs a forgery tuple (pkA,pkB,wB,τ,v,σ). The adversary wins if LHP-Verify (τ, pkA,pkB,wB,v,σ) = 1, the message vector v does not appear in signing queries, and one of the following conditions is satisfied:

(1)   For any τi appearing in the signing queries, ττi holds (usual existential-forgery–Type 1 forgery).

(2)   For a τi appearing in the signing queries, there is τ=τi, but vVi, where Vi represents the subspace spanned by the vectors {vi}i[l] that have been queried by the identifier τi (homomorphic existential-forgery–Type 2 forgery).

Game 2. (Security against adversary 𝒜) 𝒜 attempts to output a forged proxy signature while having no private key of Alice. Now, the following formal model with respect to 𝒜 and challenger 𝒞 is designed.

•   Setup: 𝒞 performs Setup and UserKGen oracles, and obtains the parameters params, the public/private key pair (pkA,skA) of Alice. 𝒞 then gives params and pkA to 𝒜.

•   Queries: Adversary 𝒜 can performs the following polynomial number of oracle queries.

    – Key Registration Queries: Given a key pair (pki,ski), 𝒞 first checks whether (pki,ski) is valid. If so, 𝒞 stores it in a list. Otherwise, 𝒞 rejects.

    – Delegate Queries: Given public key pkA and registered pki, 𝒞 returns a warrant wi and a delegation Swi.

    – Signing Queries: Given public key pkA and registered public key pki, wi, τ, and a vector v, 𝒞 returns a signature σ on the message v.

•    Output: 𝒜 outputs a forgery tuple (τ,pkA,pki,wBi,v,σ). 𝒜 wins if LHP-Verify (τ,pkA,pki,wi,v,σ) = 1, and public key pki and message vector v do not appear in delegate queries and signing queries, respectively, and one of the following conditions is satisfied:

(1)   For any τi appearing in the signing queries, ττi holds (usual existential-forgery–Type 1 forgery).

(2)   For a τi appearing in the signing queries, there is τ=τi, but vVi, where Vi represents the subspace spanned by the vectors {vi}i[l] that have been queried by the identifier τi (homomorphic existential-forgery–Type 2 forgery).

The advantage of adversary 𝒜 (𝒜) is the probability of winning Game 1 (Game 2), which is recorded as Adv𝒜LHPS(λ) (Adv𝒜LHPS(λ)).

Definition 4.1. Our proposed LHPS scheme is said to be unforgeable against the adversaries 𝒜I and 𝒜II in the above games, if Adv𝒜iLHPS(λ)(i=I,II) is negligible.

5  Proposed LHPS Scheme

Our proposed LHPS scheme is described in detail as follows:

•   Setup: Takes a security parameter λ and two positive integers l, n as inputs, CA generates params as follows:

(1) Choose two groups G1, G2 of the same prime order q, with g as the generator of G1, and select a bilinear pairing e:G1×G1G2.

(2) Selects different hash functions H,H1,H2, each of which maps {0,1} to G1.

•   UserKGen: Each user chooses xuZq at random as his private key and computes pku=gxu as public key. Then, the public/private key pair of original signer Alice and proxy signer Bob are (pkA=gxA,xA) and (pkB=gxB,xB), respectively. Subsequently, each user provides its identity and public key to the CA to obtain the corresponding certificate.

•   Delegation: Alice generates a warrant wB related to Bob, and computes delegation SwB=H(wB)xA, then returns SwB to Bob. After that, Alice uploads wB to the blockchain so that other users can query and verify the validity of wB.

•   DeleVerify: Bob checks e(SwB,g)=e(H(wB),pkA) and accepts delegation. Then, Bob sets proxy signing key as Sp=(SwB,xB).

•   LHP-Sign: Suppose that this algorithm has stored an initially empty list L containing information about all identifiers τ that have been used. Given a tuple (Sp,wB,τ{0,1}λ,v), here the message vector v=(v1,,vn)Zqn, it performs the following steps:

   (1)   Retrieve the relevant (U,r) from L, if τ appears in the list L.

   (2)   Otherwise, it chooses a random number rZq, lets U=gr, then stores (U,r) into L.

   (3)   Calculate hash values Qi=H1(pkA,wB,τ,U,i),i[n], Q=H2(pkB,wB).

   (4)   Choose a random number sZq, and computes

W=(SwB)i[n]vi(H(wB)si[n]Qivi)r(Qi[n]vi)xB.

(5)   Output σ=(U,W,s) as signature.

LHP-Combine: On input pkA, pkB, τ, wB, and a set of tuple {(ci,σi)}i=1l with ciZq, where σi=(U,Wi,si) (note that the data signatures under the same identifier have the same U), this algorithm computes W=i[l]Wici, s=i[l]cisi. Then, it outputs (U,W,s).

LHP-Verify: Given a tuple (τ,pkA,pkB,wB,v,σ), where vector v=(v1,,vn)Zqn, σ=(U,W,s), the algorithm considers the proxy signature to be valid by verifying the following equation:

e(W,g)=e((H(wB)i[n]vi,pkA)e(H(wB)si[n]Qivi,U)e(Qi[n]vi,pkB).

Correctness

(1)   Given a tuple (τ,pkA,pkB,v=(v1,,vn)Zqn,σ), if σ LHP-Sign (Sp,wB,τ,v), then the correctness of proxy signature verification can be obtained by the following derivation:

e(W,g)=e((SwB)i[n]vi,g)e(H(wB)si[n]Qivi)r,g)e((Qi[n]vi)xB,g)=e((H(wB)i[n]vi,pkA)e((H(wB)si[n]Qivi,U)e(Qi[n]vi,pkB).

(2)   Given a tuple (τ,wB,{(ci,σi,vi)}i=1l), where σi=(U,Wi,si) and vi=(vi1,,vin), if σi LHP-Sign (Sp,wB,τ,vi), we have to prove that σ=(U,W=i[l]Wici,s=i[l]cisi) is a signature on y=i[l]civi=(y1,,yn). Since for each i[l], σi is the correct signature of vi, we have

e(Wi,g)=e(H(wB)j[n]vij,pkA)e(H(wB)sij[n]Qjvij,U)e(Qj[n]vij,pkB),

and further we have

e(W,g)=i[l]e(Wi,g)ci=e(H(wB)i[l]j[n]civij,pkA)e(H(wB)i[l]cisij[n]Qji[l]civij,U)e(Qi[l]j[n]civij,pkB)=e(H(wB)j[n]yj,pkA)e(H(wB)sj[n]Qjyj,U)e(Qj[n]yj,pkB).

Therefore, for the LHP-Combine algorithm, the LHP-Verify algorithm is correct.

6  Security Analysis

This section presents the security analysis of our LHPS scheme. In this section, (g,ga,gb) always represents a random instance of the CDH problem.

Theorem 6.1. If there is an adversary 𝒜 that can forge a valid message/signature pair with an advantage ε within time t, then there is an algorithm 𝒞 that can solve the CDH problem with probability ε within time t′. Among them, qH refers to the number of querying H oracle, qHi(i=1,2) refers to the number of querying Hi oracles, qS refers to the number of querying signing oracle.

Proof. For any PPT adversary 𝒜, we construct a simulator 𝒞, which can call 𝒜 to solve the CDH problem. Since 𝒜 finally outputs one of the two forgery types, it is obvious that the probability of 𝒞 guessing the forgery type outputed eventually by 𝒜 is 12.

Case 1 (usual existential-forgery.) 𝒞 guesses that adversary 𝒜 will output a Type 1 forgery. 𝒞 is invoked on (g,ga,gb), and 𝒞’ goal is to compute gab. 𝒞 interacts with 𝒜 in this way.

•   Setup: 𝒞 randomly selects xAZq, computes Alice’s public key as pkA=gxA, and sets Bob’s public key as pkB=ga (note that in the proof of Theorem 1, Bob represents the target proxy signer). 𝒞 sets the system parameter params = (G1,G2,e,g,H,H1,H2,q). Then, 𝒞 sends params and (xA,pkA,pkB) to 𝒜.

•   Queries: 𝒜 can issue queries to the following oracles simulated by 𝒞. 𝒞 maintains an initially empty list for each type of query, recording all responses to 𝒜.

    – Key Registration Queries: When 𝒜 requests to register a new user i by outputting a key pair (pki,xi), 𝒞 verifies if it is valid, and then adds (pki,xi) to the list LK.

    – H Queries: On a requested wi, 𝒞 selects a random ziZq and sets H(wi)=gzi. Then, 𝒞 updates list LHLH<wi,gzi,zi> and responds gzi to 𝒜.

–   H1 Queries: For a requested (PkA,wB,τ,U,i), 𝒞 first searches LH1 and if an required entry is found, 𝒞 returns it. Otherwise, 𝒞 selects a random tiZq and computes Qi=gti, then updates LH1LH1<(pkA,wB,τ,U,i),Qi,ti> and sends Qi to 𝒜 as response.

–   H2 Queries: On a requested (wB,pkB), 𝒞 checks the list LH2 to determine whether there is a corresponding hash value, and if so, 𝒞 returns it to 𝒜; otherwise, 𝒞 chooses a random number tZq and sets Q=(gb)t, then updates list LH2LH2<(wB,pkB),Q,t> and sends Q to 𝒜 as response.

– Signing Queries: Given τ, pkA,pkB, a warrant wB, and a vector v=(v1,,vn)Zqn, 𝒞 generates the signature as follows:

(1)   Randomly choose numbers s,r,uiZq(i[n]), and set U=pkBr=(ga)r.

(2)   Define the hash values of H1(pkA,wB,τ,U,i) as Qi=(guiQ)r1G1, where Q=H2(wB,pkB)=(gb)t. If for some i[n], (pkA,wB,τ,U,i) has already been queried in the H1 queries phase, then 𝒞 terminates and gives up.

(3)   Recover H(wB)=gzB from LH.

(4)   Finally, 𝒞 computes

W=(H(wB))xAi[n]vi(pkB)i[n]uivi+srzB.

𝒞 returns the signature σ=(U,W,s) to 𝒜. From the following derivation process, it can be known that σ is a valid signature.

e(H(wB)i[n]vi,pkA)e(H(wB)si[n]Qivi,U)e(Qi[n]vi,pkB)=e(H(wB)xAi[n]vi,g)e(H(wB)si[n](guiQ)r1vi,pkBr)e(Qi[n]vi,pkB)=e(H(wB)xAi[n]vi,g)e(H(wB)s,pkBr)e(gi[n]uivi,pkB)e(Qi[n]vi,pkB)e(Qi[n]vi,pkB)=e(H(wB)xAi[n]vi,g)e(H(wB)s,pkBr)e(gi[n]uivi,pkB)=e(H(wB)xAi[n]vi(pkB)i[n]uivi+srzB,g)=e(W,g).

•   Output: Finally, 𝒜 outputs (pkA,pkB,wB,τ,v,σ), where v=(v1,,vn), i[n]vi0 and σ=(U,W,s). 𝒞 retrieves the items H(wB) from LH, the items Qi from LH1, and the item Q from LH2; Note that H(wB)=gzB,Qi=gti,Q=(gb)t. If the 𝒜 successfully outputs a Type 1 forgery, then ττi, i.e., none of the message vectors identified by τ have been queried during the Signing Queries phase, and there is a verification equation.

e(W,g)=e(H(wB)i[n]vi,pkA)e(H(wB)si[n](Qi)vi,U)e((Q)i[n]vi,pkB)=e(H(wB)xAi[n]vi(U)szB+i[n]tivi(gab)i[n]tvi,g).

Therefore, we have

W=H(wB)xAi[n]vi(U)szB+i[n]tivi(gab)i[n]tvi.

The CDH problem can be solved by calculating the following equation:

gab=(WH(wB)xAi[n]vi(U)szB+i[n]tivi)1i[n]tvi.

Next we calculate the probability of 𝒞 success.

We only need to analyze the probability of 𝒞 aborting the simulation during the signing query phase. When the hash value conflicts on H1, that is, the same hash object appears in H1 hash query and signing query, 𝒞 aborts. Since the entry in LH1 is not more than qH1+qS, it is easy to know that the probability of 𝒞 aborting in signing query is at most qS(qH1+qS)2λ. Therefore, if the advantage of 𝒜 forging a signature in Game 1 is ε, 𝒞 can solve the CDH problem with a probability of at least ε=12ε(qS)2+qH1qS2λ, within time t=t+O(qH+qH1+qH2+qS)×texp+qS×Tmul, where Tmul and texp represent the multiplication and exponential operation time of group elements, respectively.

Case 2 (homomorphic existential-forgery): 𝒞 guesses that adversary 𝒜 will output a Type 2 forgery. 𝒞 is invoked on a tuple (g,ga,gb), and is asked to compute value of gab by using 𝒜 as a subroutine.

•   Setup: 𝒞 randomly selects xAZq and lets pkA=gxA, and runs 𝒜 on input pkB=ga as the public key of Bob. 𝒞 sets the system parameter params = (G1,G2,e,g,H,H1,H2,q). Then, 𝒞 sends params and (xA,pkA,pkB) to 𝒜, and responds to 𝒜 as follows.

•   Queries: 𝒞 maintains a corresponding list in both the key registration queries and the hash queries, recording all responses to the 𝒜.

–   Key Registration Queries: When 𝒜 outputs the key pair (pki,xi) and requests to register a new user i, if 𝒞 verifies that it is a valid key pair, it will add (pki,xi) to the list LK; otherwise, (pki,xi) can be refused by 𝒜.

–   H Queries: On a requested wi=wB, 𝒞 sets H(wB)=gb; otherwise, wiwB. 𝒞 chooses a number ziZq randomly, and lets H(wi)=gzi. Then, 𝒞 updates list LHLH<wi,gb,> or LHLH<wi,gzi,zi>, and responds H(wi) to 𝒜.

–   H1 Queries: For a requested (pkA,wB,τ,U,i), 𝒞 first searches LH1 and if an entry is found, 𝒞 returns it. Otherwise, 𝒞 chooses randomly αi,βiZq and sets Qi=(gb)αigβi, then updates list LH1LH1<(pkA,wB,τ,U,i),Qi,αi,βi>, and returns Qi to 𝒜.

–   H2 Queries: 𝒜 submits (wi,pki), if wi=wB, 𝒞 sets Q=(gb)t with random tZq. Otherwise, 𝒞 selects a number tZq randomly and lets Q=(gb)t, then updates list LH2LH2<(wB,pkB),Q,t> or LH2LH2<(wi,pki),Q,t>, and sends Q to 𝒜 as response.

–   Signing Queries: Given τ, pkA,pkB, a warrant wB, and a vector v=(v1,,vn)Zqn, 𝒞 generates the signature as follows:

(1)   If list L does not contain τ, 𝒞 choose numbers rZq randomly, set U=pkBr=(ga)r, and stores (wB,τ,U,r) in L. Otherwise, it recovers the required items from L.

(2)   𝒞 computes

W=(gb)xAi[n]vi(ga)ri[n]βivi,s=i[n](tr+αi)vi.

and returns the signature σ=(U,W,s) to 𝒜. The following analysis shows that σ is valid since s=i[n](tr+αi)vi, so rs+ri[n]αivi+ti[n]vi=0. Hence,

(SwB)i[n]vi(H(wB)si[n]Qivi)ra(Qi[n]vi)xB=(gb)xAi[n]vi(gbsgbi[n]αivigi[n]βivi)ra(gab)ti[n]vi=(gb)xAi[n]vigab(rs+ri[n]αivi+ti[n]vi)grai[n]βivi=(gb)xAi[n]vi(ga)ri[n]βivi=W.

•   Output: Finally, 𝒜 outputs (pkA,pkB,wB,τ,v,σ), where v=(v1,,vn), i[n]vi0 and σ=(U,W,s). 𝒞 retrieves the items H(wB), Ti and T from LH, LH1, and LH2, respectively. Note that H(wB)=gb,Qi=(gb)αigβi,Q=(gb)t. If 𝒜 successfully outputs a Type 2 forgery, it is not hard to see that U=pkBr=(ga)r, and the following equation holds:

e(W,g)=e(H(wB)i[n]vi,pkA)e(H(wB)si[n](Qi)vi,U)e((Q)i[n]vi,pkB)=e((gb)xAi[n]vi,g)e(gbs+bi[n]αivigi[n]βivi,gar)e(gbti[n]vi,ga)=e(gbxAi[n]vigab(rs+ri[n]αivi+ti[n]vi)gari[n]βivi,g).

Therefore, we have

W=(gb)xAi[n]vi(gab)rs+i[n](t+rαi)vigari[n]βivi.

If si[n](tr+αi)vi, then it holds that rs+i[n](t+rαi)vi0. So 𝒞 can compute

gab=(WgbxAi[n]vigari[n]βivi)1rs+i[n](t+rαi)vi.

Now, we show that s=i[n](tr+αi)vi with probability 1q. Since for each τ, 𝒜 queries signatures on independent vectors, and all signed messages are n-dimensional vectors, we can assume without loss of generality that 𝒜 performs at most signing queries for the file identifier τ and obtains σi=(U,Wi,si) for vi=(vi1,,vin),i[n1]. 𝒞 recovers the corresponding r,t from L and LH2 respectively. From the above simulation process, we can see that the n1 value si satisfies the equation si=j[n](tr+αj)vij for i[n1]. So we have

{s1=(tr+α1)v11++(tr+αn)v1n,sn1=(tr+α1)vn1,1++(tr+αn)vn1,n.

Moreover, according to the definition of type 2 forgery, vSpan(v1,,vn1). Therefore, the vectors v1,,vn1,v identified by τ are linearly independent vectors.

Assume 𝒜 outputs a forgery σ=(U,W,s) with respect to v such that s=i[n](tr+αi)vi, then combined with the above equations, we have

{s1=(tr+α1)v11++(tr+αn)v1n,sn1=(tr+α1)vn1,1++(tr+αn)vn1,n,s=(tr+α1)v1++(tr+αn)vn.

Note that v1,,vn1,v are linearly independent vectors, so

|v11v1nvn1,1vn1,nv1vn|0.

From Gramer criterion, 𝒜 can obtain {tr+αi}i[n] and further obtain the random numbers {αi}i[n]. However, as {αi}i[n] are independent of 𝒜’s view, it can be concluded that s=i[n](tr+αi)vi holds randomly with a probability of 1q. Therefore, if the advantage of 𝒜 forging a signature in Game 1 is ε, 𝒞 can solve the CDH problem with a probability of at least 12ε(11q) within time t=t+O(qH+qH1+qH2+qS)×texp+2qS×Tmul.

Theorem 6.2. If there is an adversary 𝒜 that can forge a valid message/signature pair with an advantage ε within time t, then there is an algorithm 𝒞 that can solve the CDH problem with probability ε within time t′. Among them, qH refers to the number of querying H oracle, qHi(i=1,2) refers to the number of querying Hi oracles, qD refers to the number of querying delegation oracle, qS refers to the number of querying signing oracle.

Proof. For any PPT adversary 𝒜, which represents a malicious proxy signer, we construct a simulator 𝒞, which can call 𝒜 to solve the CDH problem. As in Theorem 1, the probability of 𝒞 guessing the forgery type outputed eventually by 𝒜 is 12.

Case 1 (usual existential-forgery): 𝒞 is invoked on a triple (g,ga,gb) of the CDH problem, and 𝒞' goal is to compute gab.

•   Setup: 𝒞 set Alice’s public key pkA=ga, and returns pkA and systems params = (G1,G2,e,g,H,H1,H2,q) to 𝒜, then responds to 𝒜 as follows:

•   Queries: 𝒞 maintains an initially empty list for each type of query, recording all responses to 𝒜.

– Key Registration Queries: As in the query/response in the proof of case 1 in Theorem 1, it is omitted here.

Suppose that 𝒜 gets the warrants wi(i[qH]) from 𝒞 before this queries. 𝒞 randomly selects k{1,,qH}, and guesses that the k-th warrant wk submitted by 𝒜 is the targeted warrant. On a requested wi, if i=k, 𝒞 outputs the value H(wk)=gb and adds <wk,gb,> to list LH. Otherwise, 𝒞 randomly chooses ziZq and returns the value H(wi)=gzi, and adds <wi,gzi,zi> to LH.

–   H1 Queries: For a requested (PkA,wB,τ,U,i), 𝒞 first searches LH1 and if an entry is found, 𝒞 returns it. Otherwise, 𝒞 selects a random tiZq and lets Qi=gti, then updates list LH1LH1<(pkA,wB,τ,U,i),Qi,ti> and sends Qi to 𝒜 as response.

–   H2 Queries: On a requested (wB,pkB), 𝒞 checks the list LH2 to determine whether there is a corresponding hash value, if so, return it to 𝒜; Otherwise, 𝒞 chooses a random number tZq and sets Q=gt, then updates list LH2LH2<(wB,pkB),Q,t> and sends Q to 𝒜 as response.

– Delegation Queries: Given a warrant wi, if wiwk, 𝒞 recovers the tuple <wi,gzi,zi> from LH, and returns the delegation Swi=(pkA)zi to 𝒜 and adds <wi,Swi> to list LD. Otherwise, 𝒞 aborts.

– Signing Queries: Given τ, pkA,pki, a warrant wi, and a vector v=(v1,,vn)Zqn, 𝒞 checks the lists defined above and responses as follows:

(1)

If wiwk, 𝒞 chooses random numbers s,rZqn, sets U=gr, and computes the signature

W=(Swi)i[n]vi(H(wi)si[n]Qivi)r(Qi[n]vi)xi=(pkA)zii[n]vi(gzisgi[n]tivi)rgtxii[n]vi.

(2)

Otherwise, 𝒞 aborts.

Output: 𝒜 outputs a tuple (pkA,pkB,wB,τ,v,σ), where v=(v1,,vn), i[n]vi0 and σ=(U,W,s). If wBwk, 𝒞 aborts. Otherwise, 𝒞 retrieves the required hash values H(wB), Qi and Q from the lists LH, LH1 and LH2, respectively, note that H(wB)=gb,Qi=gti,Q=gt. If the 𝒜 successfully outputs a Type 1 forgery, then ττi, i.e., none of the message vectors identified by τ have been queried during the Signing Queries phase, and there is a verification equation.

e(W,g)=e(H(wB)i[n]vi,pkA)e(H(wB)si[n](Qi)vi,U)e((Q)i[n]vi,pkB)=e(gab,g)i[n]vie((gb)rs(U)i[n]tivi,g)e(pkBti[n]vi,g).

Further, we have

W=(gab)i[n]vi(gb)rs(U)i[n]tivi(pkB)ti[n]vi.

Next, 𝒞 solves the CDH problem by calculating the following equation:

gab=(W(gb)rs(U)i[n]tivi(pkB)ti[n]vi)1i[n]vi.

Then the CDH problem has been solved.

It is not difficult to see that the probability of not aborting in delegation queries, signing queries and forgery stage is at least 1qDqH, 1qSqH, and 1qH. Thus, if the advantage of 𝒜 forging a signature is ε, 𝒞 can solve the CDH problem with a probability of at least 12(1qDqH)(1qSqH)1qHε within time t=t+O(qH+qH1+qH2+qD+qS)×texp+qS×Tmul.

Case 2 (homomorphic existential-forgery): 𝒞 guesses that adversary 𝒜 will output a Type 2 forgery. 𝒞 is invoked on a triple (g,ga,gb), and is asked to compute value of gab by using 𝒜 as a subroutine.

•   Setup: 𝒞 invokes 𝒜 on input pkA=ga as the public key of Alice, and returns pkA and systems params = (G1,G2,e,g,H,H1,H2,q) to 𝒜. Then, 𝒞 responds to 𝒜 as follows:

•   Queries: 𝒞 maintains an initially empty list for each type of query, recording all responses to 𝒜.

  – Key Registration Queries, H (H2) Queries: As in the query/response in the proof of case 1 in Theorem 2, it is omitted here.

H1 Queries: 𝒜 submits (pkA,wB,τ,U,i). 𝒞 checks LH1 to find out whether the required hash value exists, If so, 𝒞 sends it to 𝒜; otherwise, 𝒞 selects randomly αi,βiZq, let Qi=(gb)αigβi, then updates list LH1LH1<(pkA,wB,τ,U,i),Qi,αi,βi>, and sends Qi to 𝒜.

– Delegation Queries: Given a warrant wi, if wiwk, 𝒞 recovers the tuple <wi,gzi,zi> from LH, and returns the delegation Swi=(pkA)zi=(ga)zi to 𝒜 and adds <wi,Swi> to LD. Otherwise, 𝒞 aborts.

– Signing Queries: Given pkA,pkB, τ, a warrant wB, and a vector v=(v1,,vn)Zqn. Assuming w.l.o.g 𝒜 has inquired the corresponding hash queries and delegation queries, and retrieve the required items by searching the list LH,LH1,LH2, LD, then 𝒞 performs the following steps:

(1)

If wBwk, 𝒞 can sign the message vector in the same way as the real LHP-Sign algorithm, which is omitted here.

(2)

If wB=wk, 𝒞 first checks whether there is a record (wB,τ,U,r) in list L, if it exists, 𝒞 restores (U,R), otherwise, it selects rZq randomly, sets U=(pkA)r=(ga)r, and stores (wB,τ,U,r) in L. Then, 𝒞 compute

W=(ga)ri[n]βivigtxki[n]vi,s=i[n](1r+αi)vi.

𝒞 returns the signature σ=(U,W,s) to 𝒜. The following analysis shows that σ is valid since s=i[n](1r+αi)vi, so rs+i[n]vi+ri[n]αivi=rs+i[n](1+rαi)vi=0. Hence,

(Swk)i[n]vi(H(wk)si[n]Qivi)ar(Qi[n]vi)xk=(gab)i[n]vi(gbsgbi[n]αivigi[n]βivi)ar(gti[n]vi)xk=(gab)(rs+i[n]vi+ri[n]αivi)gari[n]βivigtxki[n]vi=(ga)ri[n]βivigtxki[n]vi=W.

•   Output: Finally, 𝒜 outputs (pkA,pkB,wB,τ,v,σ), where v=(v1,,vn), i[n]vi0 and σ=(U,W,s). If wBwk, 𝒞 aborts. Otherwise, it retrieves the items H(wB), Qi and Q from LH, LH1, and LH2, respectively. Note that H(wB)=gb,Qi=(gb)αigβi,Q=gt. If 𝒜 outputs Type 2 forgery signatures successlly, it is not hard to see that U=pkAr=(ga)r, and there are the following series of equations:

e(W,g)=e(H(wB)i[n]vi,pkA)e(H(wB)si[n](Qi)vi,U)e(Qi[n]vi,pkB)=e((gab)i[n]vi,g)e(gbs+bi[n]αivigi[n]βivi,gar)e((pkB)ti[n]vi,g)=e(gab(rs+i[n](1+rαi)vi)(U)i[n]βivi(pkB)ti[n]vi,g).

Therefore, we have

W=gab(rs+i[n](1+rαi)vi)(U)i[n]βivi(pkB)ti[n]vi.

If si[n](1r+αi)vi, then it holds that rs+i[n](1+rαi)vi0. So 𝒞 can compute the value of gab as follows:

gab=(W(U)i[n]βivi(pkB)ti[n]vi)1rs+i[n](1+rαi)vi.

Now, we need to show that s=i[n](1r+αi)vi with probability 1q, the proof method is the same as in case 2 of Theorem 1, so it is omitted here. Therefore, if the advantage of 𝒜 forging a signature is ε, 𝒞 can solve the CDH problem with a probability of at least 12ε(11q)1qH within time t=t+O(qH+qH1+qH2+qS)×texp+2qS×Tmul.

7  Analysis of Security and Efficiency

We compare our scheme with the only LHPS scheme proposed by Lin et al. [12]. For convenience, we abbreviate this scheme as Lin-LHPS. Specifically, Tables 1 and 2 compare the proposed LHPS scheme with the Lin-LHPS scheme in terms of security, communication overhead and delegation overhead. Two main operations are listed: “E” represents the exponential operation on G1, and “P” represents bilinear pairing operation. |G1| and |q| represent the bit length of the elements in a group G1 and a field Fq, respectively.

images

images

As seen in Table 1, our scheme satisfies both the usual and homomorphic existential unforgeability, while the Lin-LHPS scheme only satisfies the usual existential unforgeability. In the outsourced computation of authentication data, homomorphic existential unforgeability can prevent untrusted cloud servers from authenticating the wrong computing or analysis results and returning them to the receiver. In Table 2, DeleSize and SigSize represent the size of the delegation and the proxy signature, respectively. The two columns, DeleGen and DeleVer, show the computational cost of generating the delegation signature and delegation verification, respectively. Table 2 shows that the signature size of the proposed scheme is larger than that of the Lin-LHPS scheme; whereas the size of delegation, the computational cost of generating the delegation signature and delegation verification in our scheme are the same as those in the Lin-LHPS scheme. However, our scheme provides stronger security. We implement our LHPS scheme and Lin-LHPS in the experiments. The experiment was run on a laptop equipped with a 3.10-GHz Intel i5 CPU, 128 GB memory, and the Ubuntu Linux operating system.

As shown in Figs. 3 and 4, the computational cost of signature generation and signature verification in our scheme is slightly higher than that in the Lin-LHPS. It is a natural result because our scheme provides provably secure homomorphic existential unforgeability.

images

Figure 3: A comparison of the signature generation cost

images

Figure 4: A comparison of the signature verification cost

8  Conclusions

In this paper, we improve the security model of the LHPS for the two types of adversaries, considering the situation in which adversaries output homomorphic existential forgeries. Under the new model, we present a blockchain-based LHPS scheme and prove that this scheme is secure against existential forgery (including the usual existential forgery and homomorphic existential forgery) under adaptive CMA based on the CDH assumption. The tamper-proof modification of the blockchain ensures the validity of the original signer’s warrant, which prevents problems such as the abuse of proxy signing rights. Moreover, the performance analysis shows that this new scheme has the same key size and comparable computing cost as Lin et al.’s LHPS scheme [12], and it has higher security. Therefore, our LHPS scheme is suitable for deployment and implementation in cloud-based IoT environments. However, the proposed scheme cannot resist quantum computing attacks. The next task is to design a secure and efficient LHPS scheme on lattice.

Funding Statement: This research is funded by the Special Innovation Project for General Colleges and Universities in Guangdong Province (Grant No. 2020KTSCX126).

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.

References

  1. Atzori, L., Iera, A., & Morabito, G. (2010). The Internet of Things: A survey. Computer Networks, 54, 2787-2805. [Google Scholar] [CrossRef]
  2. Ray, P. P. (2018). A survey on Internet of Things architectures. Journal of King Saud University-Computer and Information Sciences, 30(3), 291-319. [Google Scholar] [CrossRef]
  3. Xu, L., He, W., & Li, S. (2014). Internet of Things in industries: A survey. IEEE Transactions on Industrial Informatics, 10(4), 2233-2243. [Google Scholar] [CrossRef]
  4. Doukas, C., Pliakas, T., Maglogiannis, I. (2010). Mobile healthcare information management utilizing cloud computing and android OS. Proceedings of the 2010 Annual International Conference of the IEEE Engineering in Medicine and Biology, Buenos, Aires, Argentina. DOI 10.1109/IEMBS.2010.5628061. [CrossRef]
  5. Li, X., Huang, X., Li, C., Yu, R., & Shu, L. (2019). EdgeCare: Leveraging edge computing for collaborative data management in mobile healthcare systems. IEEE Access, 7, 22011-22025. [Google Scholar] [CrossRef]
  6. Hu, X., Zheng, S., Gong, J., Cheng, G., Zhang, G. et al. (2019). Enabling linearly homomorphic signatures in network coding-based named data networking. Proceedings of the 14th International Conference on Future Internet Technologies, New York, USA. DOI 10.1145/3341188.3341191. [CrossRef]
  7. Schabhüser, L., Buchmann, J., Struck, P. (2017). A linearly homomorphic signature scheme from weaker assumptions. IMA International Conference on Cryptography and Coding, Oxford, UK. DOI 10.1007/978-3-319-71045-7_14. [CrossRef]
  8. Luo, F., Wang, F., Wang, K., & Chen, K. (2019). A more efficient leveled strongly-unforgeable fully homomorphic signature scheme. Information Sciences, 480, 70-89. [Google Scholar] [CrossRef]
  9. Boneh, D., Freeman, D. M. (2011). Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. International Workshop on Public Key Cryptography, Taormina, Italy. DOI 10.1007/978-3-642-19379-8_1. [CrossRef]
  10. Wang, F., Shi, S., Wang, C. (2019). Leveled lattice-based linearly homomorphic signature scheme in the standard model for network coding. International Conference on Frontiers in Cyber Security, Xi’an, China. DOI 10.1007/978-981-15-0818-9_6. [CrossRef]
  11. Mambo, M., Usuda, K., & Okamoto, E. (1996). Proxy signatures: Delegation of the power to sign messages. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 79(9), 1338-1354. [Google Scholar]
  12. Lin, Q., Li, J., Huang, Z., Chen, W., & Shen, J. (2018). A short linearly homomorphic proxy signature scheme. IEEE Access, 6, 12966-12972. [Google Scholar] [CrossRef]
  13. Goldwasser, S., Micali, S., & Rivest, R. L. (1988). A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2), 281-308. [Google Scholar] [CrossRef]
  14. Johnson, R., Molnar, D., Song, D., Wagner, D. (2002). Homomorphic signature schemes. Cryptographersa^ Track at the RSA Conference, San Jose, CA, USA. DOI 10.1007/3-540-45760-7_17. [CrossRef]
  15. Boneh, D., Freeman, D., Katz, J., Waters, B. (2009). Signing a linear subspace: Signature schemes for network coding. Proceedings of International Workshop on Public Key Cryptography, Irvine, CA, USA. DOI 10.1007/978-3-642-00468-1_5. [CrossRef]
  16. Zhang, Y., Jiang, Y., Li, B., Zhang, M. (2017). An efficient identity-based homomorphic signature scheme for network coding. International Conference on Emerging Internetworking, Data and Web Technologies, Wuhan, China. DOI 10.1007/978-3-319-59463-7_52. [CrossRef]
  17. SadrHaghighi, S., Khorsandi, S. (2016). An identity-based digital signature scheme to detect pollution attacks in intra-session network coding. 2016 13th International Iranian Society of Cryptology Conference on Information Security and Cryptology, Tehran, Iran. DOI 10.1109/iscisc.2016.7736444. [CrossRef]
  18. Lin, Q., Yan, H., Huang, Z., Chen, W., & Shen, J. (2018). An ID-based linearly homomorphic signature scheme and its application in blockchain. IEEE Access, 6, 20632-20640. [Google Scholar] [CrossRef]
  19. Chang, J., Ma, H., Zhang, A., Xu, M., & Xue, R. (2019). RKA security of identity-based homomorphic signature scheme. IEEE Access, 7, 50858-50868. [Google Scholar] [CrossRef]
  20. Chang, J., Ji, Y., Shao, B., Xu, M., & Xue, R. (2020). Certificateless homomorphic signature scheme for network coding. IEEE/ACM Transactions on Networking, 28(6), 2615-2628. [Google Scholar] [CrossRef]
  21. Li, Y., Zhang, F., & Sun, Y. (2021). Lightweight certificateless linearly homomorphic network coding signature scheme for electronic health system. IET Information Security, 15(1), 131-146. [Google Scholar] [CrossRef]
  22. Wang, F., Wang, K., Li, B., Gao, Y. (2015). Leveled strongly-unforgeable identity-based fully homomorphic signatures. International Conference on Information Security, Trondheim, Norway. DOI 10.1007/978-3-319-23318-5_3. [CrossRef]
  23. Fiore, D., Mitrokotsa, A., Nizzardo, L., Pagnin, E. (2016). Multi-key homomorphic authenticators. International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam. DOI 10.1007/978-3-662-53890-6_17. [CrossRef]
  24. Samarin, S. D., Fiore, D., Venturi, D., & Amini, M. (2021). A compiler for multi-key homomorphic signatures for turing machines. Theoretical Computer Science, 889, 145-170. [Google Scholar] [CrossRef]
  25. Aranha, D. F., Pagnin, E. (2019). The simplest multi-key linearly homomorphic signature scheme. International Conference on Cryptology and Information Security in Latin America, Bogota, Colombia. DOI 10.1007/978-3-030-30530-7_114. [CrossRef]
  26. Schabhüser, L., Butin, D., Buchmann, J. (2019). Context hiding multi-key linearly homomorphic authenticators. Cryptographersa^ Track at the RSA Conference, San Francisco, CA, USA. DOI 10.1007/978-3-030-12612-4_25. [CrossRef]
  27. Chen, W., Lei, H., Li, J., Gao, C., Li, F. et al. (2017). A multi-source homomorphic network coding signature in the standard model. International Conference on Green, Pervasive, and Cloud Computing, Xi’an, China. DOI 10.1007/978-3-319-57186-7_6. [CrossRef]
  28. Li, T., Chen, W., Tang, Y., & Yan, H. (2018). A homomorphic network coding signature scheme for multiple sources and its application in IoT. Security and Communication Networks, 2018, 9641273. [Google Scholar] [CrossRef]
  29. Lai, R. W., Tai, R. K., Wong, H. W., Chow, S. S. (2018). Multi-key homomorphic signatures unforgeable under insider corruption. International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia. DOI 10.1007/978-3-030-03329-3_16. [CrossRef]
  30. Seo, J. H., Emura, K., Xagawa, K., & Yoneyama, K. (2018). Accumulable optimistic fair exchange from verifiably encrypted homomorphic signatures. International Journal of Information Security, 17(2), 193-220. [Google Scholar] [CrossRef]
  31. Fan, X., Wu, T., Zheng, Q., Chen, Y., & Alam, M. (2020). HSE-voting: A secure high-efficiency electronic voting scheme based on homomorphic signcryption. Future Generation Computer Systems, 111, 754-762. [Google Scholar] [CrossRef]
  32. Li, S., Liang, B., Mitrokotsa, A., & Xue, R. (2021). Homomorphic signcryption with public plaintext-result checkability. IET Information Security, 15(5), 333-350. [Google Scholar] [CrossRef]
  33. Gu, K., Jia, W., Li, C., & Chen, R. (2013). Identity-based group proxy signature scheme in the standard model. Journal of Computer Research and Development, 40(7), 1370-1386. [Google Scholar] [CrossRef]
  34. Chen, M., & Yuan, S. (2016). Provably secure identity-based multi-proxy signature scheme in standard model. Journal of Computer Research and Development, 54(8), 1879-1892. [Google Scholar] [CrossRef]
  35. Verma, G. K., & Singh, B. B. (2017). Efficient message recovery proxy blind signature scheme from pairings. Transaction on Emerging Telecommunication Technologies, 28(11), e3167. [Google Scholar] [CrossRef]
  36. Verma, G. K., Singh, B. B., & Singh, H. (2018). Bandwidth efficient designated verifier proxy signature scheme for healthcare wireless sensor networks. Ad Hoc Networks, 81, 100-108. [Google Scholar] [CrossRef]
  37. Verma, G. K., Singh, B. B., & Singh, H. (2018). Provably secure certificate-based proxy blind signature scheme from pairings. Information Sciences, 468, 1-13. [Google Scholar] [CrossRef]
  38. Verma, G. K., Singh, B. B., Kumar, N., Obaidat, M. S., & He, D. (2020). An efficient and provable certificate-based proxy signature scheme for IIoT environment. Information Sciences, 518, 142-156. [Google Scholar] [CrossRef]
  39. Lee, J. Y., Cheon, J. H., Kim, S. (2003). An analysis of proxy signatures: Is a secure channel necessary? Cryptographersa^ Track at the RSA Conference, San Francisco, CA, USA. DOI 10.1007/3-540-36563-X_5. [CrossRef]
  40. Cao, F., & Cao, Z. (2009). A secure identity-based multi-proxy signature scheme. Computers and Electrical Engineering, 35(1), 86-95. [Google Scholar] [CrossRef]
  41. Wang, Q., Cao, Z., Wang, S. (2005). Formalized security model of multi-proxy signature schemes. The Fifth International Conference on Computer and Information Technology, Shanghai, China. DOI 10.1109/CIT.2005.119. [CrossRef]
  42. Schuldt, J. C., Matsuura, K., Paterson, K. G. (2008). Proxy signatures secure against proxy key exposure. International Workshop on Public Key Cryptography, Barcelona, Spain. DOI 10.1007/978-3-540-78440-1_9. [CrossRef]
  43. Boldyreva, A., Palacio, A., & Warinschi, B. (2012). Secure proxy signature schemes for delegation of signing rights. Journal of Cryptology, 25(1), 57-115. [Google Scholar] [CrossRef]
  44. Han, D., Chen, J., Zhang, L., Shen, Y., & Gao, Y. (2021). A deletable and modifiable blockchain scheme based on record verification trees and the multisignature mechanism. Computer Modeling in Engineering & Sciences, 128(1), 223-245. [Google Scholar] [CrossRef]
  45. Hu, N., Teng, Y., Zhao, Y., Yin, S., & Zhao, Y. (2021). IDV: Internet domain name verification based on blockchain. Computer Modeling in Engineering & Sciences, 129(1), 299-322. [Google Scholar] [CrossRef]
  46. Wang, Y., Qiu, W., Dong, L., Zhou, W., & Pei, Y. (2020). Proxy signature-based management model of sharing energy storage in blockchain environment. Applied Sciences, 10(21), 7502. [Google Scholar] [CrossRef]
  47. Zou, H., Liu, X., Ren, W., & Zhu, T. (2022). A decentralized electronic reporting scheme with privacy protection based on proxy signature and blockchain. Security and Communication Networks, 2022, [Google Scholar] [CrossRef]

Cite This Article

Wang, C., Wu, B. (2023). A Linear Homomorphic Proxy Signature Scheme Based on Blockchain for Internet of Things. CMES-Computer Modeling in Engineering & Sciences, 136(2), 1857–1878.


This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
  • 492

    View

  • 268

    Download

  • 0

    Like

Share Link