An Efficient Proxy Blind Signcryption Scheme for IoT

Abstract: Recent years have witnessed growing scientific research interest in Internet of Things (IoT) technologies, which support the development of a variety of applications such as health care, Industry 4.0, agriculture, ecological data management, and other domains. IoT utilizes the Internet as the prime medium of communication for both single documents and multi-digital messages. However, due to the wide-open nature of the Internet, it is important to ensure the anonymity, untraceability, confidentiality, and unforgeability of communication with low computational complexity and low bandwidth. We designed a lightweight and secure proxy blind signcryption scheme for multi-digital messages based on a hyperelliptic curve (HEC). Our results outperform the available schemes in terms of computational cost and communication bandwidth. The designed scheme also provides the desired authentication, unforgeability of warrants and/or plaintext, confidentiality, integrity, and blindness. Further, our scheme is well suited to devices with low computation power such as mobiles and tablets.


Introduction
In recent years, there has been extensive research on IoT technologies, which cover various applications such as healthcare (HC), Industry 4.0, agriculture, and ecological data management, to name a few. The IoT comprises devices that have the capability of sending, receiving, and storing data, in addition to being able to communicate through the Internet. Once these devices are connected to the Internet, communication can take place for single documents as well as multi-digital messages. Thus, the security services of blindness and untraceability are required. Chaum was the first author to coin the term blind signature for the protection of digital information privacy. The blind signature mechanism provides resistance to forgery, indisputability and anonymity [1,2]. Blindness and untraceability are the core properties which must be fulfilled by any blind signature scheme [1][2][3][4]. The blindness property allows the transmission of signed messages between the user and the signer in an interactive signature protocol, while untraceability ensures that the signer cannot link back any message-signature pair, even if the signature is revealed to the public. A blind signature scheme based on the integer factorization problem (IFP), initially proposed by Chaum [2], relies on the hardness of the Rivest, Shamir, and Adleman (RSA) cryptosystem assumptions. The security of this scheme depends on the appropriate selection of the underlying hash function. Several investigations have examined the efficiency and security of improved blind signature techniques [3][4][5][6][7][8][9][10][11]. ECC-based blind signatures have been introduced in several variations; these schemes are highly beneficial in practice because they balance security and performance [12][13][14][15][16][17][18][19]. Lin et al. [20] proposed a new scheme, named the proxy blind signature, which combines proxy and blind signatures.
The proxy signer is permitted to create blind signatures on behalf of the original signer, similar to the traditional digital signature procedure but with some unique differences. Several studies have proposed numerous variations of this scheme to improve the desired unforgeability, untraceability, non-repudiation and efficiency [21][22][23][24][25][26][27][28][29].
Gamage et al. [30] provided a new approach called proxy signcryption by merging a proxy signature and encryption in a single logical step. Their approach was more secure and efficient due to its reliance on the discrete logarithm problem (DLP). However, it lacked forward secrecy and public verifiability. Zhang et al. [31] then introduced a new proxy signcryption scheme which provides public verifiability and forward secrecy; their scheme suffered from higher computational and communication costs, which were later addressed by Li et al. [32]. Wang et al. [33] addressed the security requirements of forward secrecy and public verifiability with an approach called efficient identity-based proxy signcryption. Duan et al. [34] introduced another proxy signcryption scheme, secure in the random oracle model (ROM), which is a delegation-by-warrant ID-based proxy signcryption scheme. However, this scheme was burdened by extra computations and limited communication bandwidth. More recent and improved proxy signcryption schemes were provided by Elkamchouchi et al. [35][36][37]. The authors asserted that their techniques are publicly verifiable while achieving confidentiality, higher security levels, and authenticity over an insecure channel.
Partial delegation rights were also provided in their technique by using bilinear pairings on elliptic curves. Their techniques suffered from a misuse of authority in the case of partial delegation. A new provably secure proxy signcryption scheme was designed by Lin et al. [38] by utilizing bilinear pairing. Despite the advantages of these techniques, another main drawback is their inability to ensure the warrant unforgeability requirement. Elkamchouchi et al. [39] introduced a proxy signcryption scheme based on the notion of warrants. Their scheme was based on elliptic curve cryptography to ensure efficiency and security; however, it suffers from extra power consumption. Yanfeng et al. proposed proxy identity-based signcryption based on the elliptic curve discrete logarithm problem (ECDLP) [40]. Another proxy signcryption scheme using DLP and ECDLP was introduced by Elkamchouchi et al. [41]. Despite their claim that the proposed scheme incurs lower communication and computational costs, a major issue is that its security is not sufficiently proven. More recently, a new provably secure proxy signcryption scheme was introduced by Lo et al. [42] based on bilinear pairing. The study addressed performance and secrecy effectively in terms of unforgeability and indistinguishability. Ming et al. [43] developed a provably secure proxy signcryption scheme in the standard model to broaden the security services offered. This approach was relatively narrow, being primarily focused on heavy bilinear pairing computations, and it also suffered from additional communication and machine control costs.
In our previous work [44], we proposed a lightweight proxy signcryption scheme using hyperelliptic curve cryptography. Owing to its low computational and communication costs, this scheme provides all the security services commonly needed for proxy signcryption in resource-constrained environments. However, it required additional major operations over the hyperelliptic curve. A novel proxy signcryption scheme and its elliptic curve variant were recently proposed by Abdelfatah [45]. The author claimed that the developed technique was more secure and efficient; however, the study fails to provide security requirements such as warrant non-repudiation and message non-repudiation. The technique also incurred higher computational and communication costs. In addition, the above proxy signcryption schemes only provide a delegation of rights with authenticity and confidentiality. Therefore, they fall short in applications that require anonymity.
Sadat et al. [46] proposed another proxy blind signcryption technique to provide the anonymity property together with a delegation of rights. It combines the properties of proxy signcryption with those of blind signcryption [47][48][49][50]. More recently, Su et al. [51] proposed a new proxy blind signcryption scheme for multiple digital documents based on elliptic curve cryptography. The scheme allows the sender to simultaneously produce a proxy blind signcryption of multiple digital documents. To the best of our knowledge, all the proxy blind signature and proxy blind signcryption approaches available in the literature are affected by higher computational cost due to RSA, bilinear pairing and EC. A major reason for this is that the underlying frameworks have larger key sizes, such as 1024 bits for RSA and bilinear pairing, and 160 bits for EC.
In this paper, we propose a new provably secure proxy blind signcryption scheme for multi-digital messages based on hyperelliptic curves, which provides a similar level of security with lower communication and computational costs. The rest of the paper is organized as follows: Section 2 discusses the prerequisites for understanding the formalization of our scheme, which is followed by a discussion of our methodology in Section 3. Sections 4 and 5 cover the results and discussion. Finally, the conclusion is presented in Section 6.

Preliminaries of Formalisms
In 1988, Koblitz generalized the elliptic curve to curves of higher genus, giving the hyperelliptic curve cryptosystem, which performs significantly better than the elliptic curve cryptosystem. Let g be the genus of the curve over F_q (a finite field of order q). For a group order of about 2^160 one needs g·log_2 q ≈ 160: for genus one the field F_q itself must have order about 2^160, whereas for genus two |F_q| ≈ 2^80, i.e., 80-bit operands, and for genus three roughly 54-bit operands suffice [52].
Let F_0 be the finite field of the hyperelliptic curve cryptosystem and F̄_0 the algebraic closure of that field. A curve of genus g > 1 over F_0 is the solution set (x, y) ∈ F_0 × F_0 of the hyperelliptic curve equation, Eq. (1), in which one polynomial is of degree g and f(x) ∈ F_0[x] is a monic polynomial of degree 2g + 1; furthermore, no (x, y) ∈ F_0 × F_0 satisfies Eq. (1) together with its partial derivatives, the first of which is 2y + …. The elliptic curve is the particular case of a hyperelliptic curve with g = 1.
The group structure used for the hyperelliptic curve is the Jacobian J of the curve C. Each element of J is an equivalence class of divisors, where a divisor is a formal sum of finitely many points ρ_i ∈ C, as in Eq. (2),
where Σ m_i = 0, and each element of J can be represented by a unique reduced divisor.
The reduced divisor is given by Eq. (3); it contains at most one point of each pair of opposite points, i.e., a point and its opposite do not both occur. Polynomial expressions can be used to represent the divisor [53]. All arithmetic on C is carried out in this Abelian group, in which the DLP is defined.
The group operations of addition and doubling of divisors are combined into scalar multiplication of a divisor (SMD). These operations replace elliptic curve point multiplication by multiplication of divisors in the Jacobian of a hyperelliptic curve [53][54][55].

Proposed Model in a Nutshell
Our scheme consists of five participants:
• Original user: The original signer delegates the signing capabilities to a proxy signcrypter.
• Proxy signcrypter: The proxy signcrypter verifies the delegation, blinds a message for signing and then delivers it to the anonymous signer.
• Anonymous signer: The signer generates a blind signature on the blinded message and sends it back to the proxy signcrypter. The proxy signcrypter combines the blind signature with the encrypted message and hands it over to the receiver.
• Receiver/Un-signcrypter: At the end, the receiver verifies the blind signcrypted message and then decrypts it.
• The authentication server: This acts as a certificate authority which publishes all the public parameters and generates the certificates for each user.
The communication in the above scheme is completed in the following steps (the sequence of these steps is demonstrated in Fig. 1):
Key Generation: The prerequisite of our model (not shown in Fig. 1) is the generation of keys (public and private) by each participant of our scheme. All participants (Alice, the proxy, the signer and Bob) first generate their private and public keys from the given security parameter σ of size 80 bits as follows: Alice randomly takes a number X_a from {0, 1, 2, …
Suppose the proxy wants to send a vector of messages m_j ∈ M blindly over a public network to Bob while maintaining privacy.

IV Bob/Blind Unsigncryption
After receiving (C_j, r, S, Z), Bob verifies the multi-document signcrypted text and accepts it if it is valid, otherwise he rejects it. He recomputes r′ = H(m_j ∥ N_a) and (v) accepts m_j as the valid original message if r = r′, otherwise rejects it.

Security Analysis
In this section, we divide the security analysis of our scheme into two parts: the first shows the correctness of the scheme and the second shows the security services, namely warrant authentication, unforgeability of warrants, confidentiality, integrity, and blindness. We consider the popular Dolev-Yao (DY) threat model and suppose the adversary may attempt to defeat warrant authentication, forge the warrant signature, read the exchanged messages, break the blindness, modify the message contents, and generate a forged signature.

Correctness
Theorem 1: In this theorem, we show how the blind unsigncrypter derives the secret key with which it decrypts the ciphertext. The unsigncrypter performs the following process.

Theorem 2:
In Theorem 2, we show how the proxy signcrypter validates whether the warrant message comes from the sender. The proxy signcrypter performs the following process.

Warrant Authentications
Warrant authentication is another security attribute of our approach. When the sender delegates signing rights by sending a warrant message m_w to the proxy, the original user first generates the digital signature on m_w as T = (L − X_a·h(U, m_w)). An attacker who wants to break this authenticity must obtain the secret number L from A = L·D and the private key of the original user X_a from Y_a = X_a·D, i.e., solve two elliptic curve discrete logarithm problems, which is infeasible for the attacker. Thus, our designed scheme ensures strong authenticity of a warrant.

Unforgeability of Warrant
Our scheme also meets the property of warrant unforgeability. To generate a forged signature T′ for a warrant m_w, an attacker would first have to compute L from Eq. (3) and the private key of the original user X_a from Y_a = X_a·D, which is equivalent to solving two elliptic curve discrete logarithm problems. Thus, finding two unknown variables from the same equation is not feasible for an attacker.
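The warrant signing and checking argued in the two subsections above, as an added example that is not the paper's own code: it replaces the hyperelliptic-curve Jacobian with a prime-order subgroup of Z_p* (an assumption made for illustration), takes the hashed value U to be the commitment A, and realises h as SHA-256 reduced mod n; the verification equation T·D + h(A, m_w)·Y_a = A is derived from the page's definition of T and is not stated there.

```python
# Added example (not the authors' code): the warrant signature T = L - X_a.h(U, m_w)
# from the security analysis, worked in a prime-order subgroup of Z_p* instead of the
# paper's hyperelliptic-curve Jacobian: k.D becomes pow(D, k, p), group addition
# becomes multiplication of residues, and U is taken to be the commitment A (assumption).
import hashlib
import random

def is_probable_prime(n, rounds=24, rng=random.Random(1)):
    # Miller-Rabin; fixed-seed rng so the example reproduces run to run.
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64, seed=7):
    # Constructed toy group (not the paper's 80-bit HEC parameters): safe prime p = 2n + 1,
    # and D = 4 = 2^2, which lies in the subgroup of prime order n.
    rng = random.Random(seed)
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n) and is_probable_prime(2 * n + 1):
            return 2 * n + 1, n, 4

def h(U, m_w, n):
    # h(U, m_w): SHA-256 over the commitment and the warrant, reduced mod n (assumed encoding).
    digest = hashlib.sha256(U.to_bytes(32, "big") + m_w).digest()
    return int.from_bytes(digest, "big") % n

def delegate(X_a, m_w, p, n, D, rng=random.Random(11)):
    # Original user: secret L, commitment A = L.D, signature T = L - X_a.h(A, m_w) mod n.
    L = rng.randrange(1, n)
    A = pow(D, L, p)
    T = (L - X_a * h(A, m_w, n)) % n
    return m_w, A, T

def verify_warrant(Y_a, m_w, A, T, p, n, D):
    # Proxy side: T.D + h(A, m_w).Y_a must reconstruct A (here D^T * Y_a^h == A mod p).
    # Forging T without L (from A = L.D) or X_a (from Y_a = X_a.D) means solving two DLPs.
    return (pow(D, T, p) * pow(Y_a, h(A, m_w, n), p)) % p == A

if __name__ == "__main__":
    p, n, D = make_group()
    X_a = random.Random(3).randrange(1, n)
    Y_a = pow(D, X_a, p)
    m_w, A, T = delegate(X_a, b"proxy may signcrypt for Alice", p, n, D)
    print(verify_warrant(Y_a, m_w, A, T, p, n, D))  # True
```

Changing a single byte of the warrant, or the value T, makes the check fail, which is the unforgeability property the text argues for.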

Confidentiality
In our scheme, the encrypted multi-documents are sent to the legitimate recipient (Bob) using the shared secret key K. An intruder who wants to access the original contents of an encrypted multi-document must first obtain K, which involves the following steps.
Step 1: An intruder can get the shared secret key only by solving Eq. (1). To do so, the intruder must first obtain the blind random number O, which is private to the proxy signer. Hence, it is hard for an intruder to solve K = (O·Y_b mod n), which is equivalent to solving the hyperelliptic curve discrete logarithm problem.
Step 2: Alternatively, an intruder can obtain the secret key from G = X_b·S. However, this requires Bob's private key X_b from Y_b = X_b·D, and finding X_b from Y_b = X_b·D is equivalent to solving the hyperelliptic curve discrete logarithm problem.

Integrity
We use a collision-resistant hash function in our proposed scheme to ensure the integrity of multi-digital documents as r = H(m_j ∥ N_a). Therefore, if an intruder alters the multi-digital ciphertext contents Cip_j to Cip′_j, the multi-documents m_j recovered from them will change to m′_j. By the collision resistance property of the one-way hash function, r = H(m_j ∥ N_a) ≠ r′ = H(m′_j ∥ N_a), so the alteration is detected and our proposed scheme meets the integrity property.

Unforgeability
In our designed scheme, before the multi-document ciphertext is sent to the recipient (Bob), the signer computes a blind digital signature on the multi-document ciphertext as S = (X_s + Ω·d). This signature involves two private parameters: the private key X_s of the signer and the private randomly generated number d. Thus, finding the signer's private key from Y_s = X_s·D and the private number from V = d·D mod n is equivalent to solving two hyperelliptic curve discrete logarithm problems, which is infeasible for intruders.

Blindness
Our scheme enables the proxy signer to select three blind numbers O, P, and Q ∈ {0, 1, 2, …, n − 1} to blind a multi-document. The signer does not know the blind numbers because they are private to the proxy signer, so the signer cannot derive the original contents of the multi-document. Hence, our designed scheme provides the security property of blindness.

Computational Efficiency
This section elaborates on the computational cost of the proposed multi-document proxy blind signcryption scheme and of the existing proxy blind signature [28,29] and proxy blind signcryption schemes [46,47]. We compare our strategy with the state-of-the-art approaches by computing the time taken for proxy delegation, proxy blind signcryption and proxy blind unsigncryption. As shown in Tab. 1, we write PM for an elliptic curve point multiplication and HM for a hyperelliptic curve divisor multiplication. Tab. 1 lists the major operations of the existing and proposed proxy blind signcryption schemes. Additions, subtractions, divisions and hash computations are ignored because they require few computations and short execution times. For a more detailed account of the difference between the proposed and existing schemes, the reader is referred to Ullah et al. [55], who tested the runtime of the basic cryptographic operations. According to Ullah et al. [55], one PM and one HM take 0.97 and 0.48 milliseconds, respectively. Tab. 2 and Fig. 2 compare our scheme with the existing ones proposed in [28,29,46,47] in milliseconds for a single message. Our results show that our scheme remains more computationally efficient even for a larger number of messages.

Conclusions
In this paper, we have developed a lightweight and secure proxy blind signcryption scheme for multi-digital messages based on a hyperelliptic curve. Our scheme consists of five participants, namely the authentication server, original user, proxy signcrypter, anonymous signer and receiver/unsigncrypter. The authentication server performs the role of a certificate authority, which publishes all public parameters and issues certificates to each user. The original signer simply delegates the signing capabilities to the proxy signcrypter. The proxy signcrypter verifies the delegation and blinds a message for signing, then delivers it to the anonymous signer. The signer only generates a blind signature on the blinded message and then sends it back to the proxy signcrypter. Finally, the proxy signcrypter combines the blind signature with the encrypted message and hands it over to the receiver. In the final step, the receiver verifies the blind signcrypted message and then decrypts it. Further, the developed scheme provides all the security services of proxy and blind signcryption, namely warrant authentication, unforgeability of warrants and/or plaintext, confidentiality, integrity, and blindness. Compared to the existing schemes, our scheme reduces the computational costs by about 33.28% to 64.07% in terms of milliseconds. Additionally, due to the smaller parameters and the standard size of the hyperelliptic curve, our scheme is attractive for limited-resource devices such as those used in IoT environments.
Future studies are required to shed light on the development of such a scheme with different functionalities. These functionalities will be combined into a single scheme, such as encryption only, signature only, and signcryption, so that they can be utilized whenever they are required. It is also important to consider developing more efficient techniques that focus on lowering computational and communication costs.

Funding Statement:
The authors received no specific funding for this study.

Conflicts of Interest:
The authors declare that they have no conflicts of interest to report regarding the present study.