A New Efficient and Provably Secure Certificateless Signature Scheme Without Bilinear Pairings for the Internet of Things

Highlights

What are the main findings?

• A new attack method, the Common Factor Substitution Attack, is introduced, showing that a broad class of existing pairing-free certificateless signature (PF-CLS) schemes share a common vulnerability and cannot resist Type I adversary forgeries—even after certain prior improvements.
• A new PF-CLS scheme is proposed that securely binds both parts of a user’s public key to the system public key via a hash function, eliminating the Type II attack vulnerability in Ma et al.’s scheme, and is proven secure against both Type I and Type II adversaries under the Random Oracle Model while offering higher computational efficiency than comparable schemes.

What is the implication of the main finding?

• The results underscore that many PF-CLS schemes in current use for resource-constrained environments like IoT remain insecure against forged signature attacks unless both Type I and Type II threats are systematically addressed in their design.
• The proposed scheme’s combined security and efficiency make it a strong candidate for real-world IoT deployments, improving trust in data integrity and identity authentication without imposing heavy computational or communication costs.

Abstract

Pairing-free certificateless signature (PF-CLS) schemes are ideal authentication solutions for resource-constrained environments like the Internet of Things (IoT) due to their low computational, storage, and communication resource requirements. However, it has come to light that many PF-CLS schemes are vulnerable to forged signature attacks. In this paper, we use a novel attack method to prove that a class of PF-CLS schemes with the same security vulnerabilities cannot resist Type I adversary attacks, and we find that, even if some schemes are improved to invalidate existing attack methods, they still cannot defend against the new attack method proposed in this paper. Subsequently, we introduce an enhanced scheme proven to be resilient against both types of adversary attacks under the random oracle model (ROM). Performance analysis shows that, compared with several existing PF-CLS schemes, our scheme offers higher computational efficiency.

1. Introduction

The IoT is used broadly and, because of its openness, transmits most data over the public Internet, exposing it to eavesdropping, tampering, forgery, and other attacks. Consequently, data security is paramount for IoT. Digital signature technology, ensuring the authentication, unforgeability, and non-repudiation of messages, is ideal for IoT environments.

In a traditional public key cryptosystem, an entity’s public key’s authenticity and validity require a digital certificate from a trusted third-party, the Certificate Authority (CA). Managing certificates in IoT environments is challenging because of the substantial overhead for storing, distributing, verifying, and revoking them. In Identity-Based Cryptography (IBC), a user’s public key is generated based on identifiable public information, like a phone number, email address, or IP address. A trusted third-party Private Key Generator (PKG) creates the user’s Private Key, eliminating the need for CAs and digital certificates and addressing the certificate management issue. However, since the PKG fully generates the user’s private key, this raises concerns over potential signature forgeries, undermining the unforgeability of the system. Certificateless Public Key Cryptography (CL-PKC) solves the key escrow issue in IBC by having a Key Generation Center (KGC) create a partial private key for the user. The user then combines this with their own data to generate a full private key.

Consequently, CLS amalgamates the strengths of traditional public key cryptosystem and IBC, addressing their respective drawbacks and proving more effective for ensuring data integrity and identity authentication in IoT’s distributed, flexible, and resource-limited environments.

1.1. Related Work

In 2003, AI-Riyami and Paterson proposed the first certificateless signature scheme [1]. This scheme, which does not require digital certificates, allows the user and the KGC to jointly generate both public and private keys. The KGC only holds a portion of the user’s private keys, effectively solving the key escrow problem inherent in IBC. In 2004, Yum et al. proposed a general construction for CLS schemes [2]. This led to the development of numerous CLS schemes [3,4]. However, these schemes all relied on bilinear pairings, which are known for their high computational complexity and low efficiency. In 2011, He et al. introduced the first CLS scheme that does not use bilinear pairings [5]. However, Tian and Tsai later pointed out that He’s scheme was vulnerable to Type II adversary attacks [6,7]. In 2013, Gong et al. proposed a pairing-free CLS scheme [8], but Yeh et al. pointed out that it could not resist Type I adversary attacks and proposed an improved version [9]. In 2015, Wang et al. introduced a more efficient variant of Yeh et al.’s scheme [10]. In 2017, Yeh et al. discovered vulnerabilities in Wang’s improved scheme regarding forged signatures and subsequently developed a new scheme [11]. However, Jia et al. later revealed that Yeh’s new scheme was still vulnerable to Type II adversary attacks involving public key replacement [12]. In 2018, Karati et al. independently proposed a new scheme that does not use bilinear pairings and claimed that it can resist both Type I and Type II adversary attacks under the ROM [13]. Later, Pakniat et al. successfully demonstrated that Karati et al.’s scheme can be attacked by Type I adversaries, and they improved the scheme [14]. Shim et al. found that Karati et al.’s scheme allows for forging arbitrary message signatures without obtaining any secret information, and that Pakniat et al.’s scheme still cannot resist Type I adversary attacks [15]. In the same year, Du et al. pointed out that Jia et al.’s improved scheme cannot resist Type I adversary attacks and subsequently developed an enhanced version [16]. Thumbur et al. independently proposed a new pairing-free certificateless signature scheme [17], but it was later pointed out by Xu et al. [18] that it cannot resist Type I adversary public key replacement attacks. By 2022, Xiang et al. successfully demonstrated a specific Type II adversary attack method targeting Jia et al.’s scheme and improved it based on identified vulnerabilities [19]. In 2023, Ma et al. pointed out that both Du et al.’s and Xiang et al.’s schemes are susceptible to Type I adversary attacks, and proposed new attack methods and improvements [20]. However, Feng et al. [21] found that Ma et al.’s scheme still could not resist Type II adversary attacks the following year.

1.2. Our Contributions

This paper’s primary contributions are as follows:

1. We analyze a class of PF-CLS schemes with the same security vulnerabilities and use a new attack method to show that all schemes in this class cannot resist Type I adversary attacks.

2. We introduce a new pairing-free certificateless signature scheme, which tightly binds the two parts of the user’s public key ($X_{ID}$ and $R_{ID}$) to the system’s public key ($P_{pub}$) via a hash function, avoiding the vulnerability of Type II adversary attack due to independent generation of public keys in the scheme of Ma et al. [20]. Moreover, our scheme proves its security against both Type I and Type II adversary attacks under the Random Oracle Model (ROM).

3. Performance evaluations demonstrate that our scheme has higher computational efficiency compared to other people’s schemes, making it more suitable for IoT environments.

2. Preliminaries

2.1. Complexity Assumption

Consider q as a large prime number, with $\mathbb{G}$ representing an additive group of order q over the elliptic curve $E/F_q$, where P is a generator of $\mathbb{G}$. The Elliptic Curve Discrete Logarithm Problem (ECDLP) means that, for any instance $Q = aP, a\in {\mathbb{Z}}_q^{*},Q\in \mathbb{G}$, if $P,Q$ are known, finding the solution yields a.

The difficult hypothesis for the Elliptic Curve Discrete Logarithm Problem is that there is no probabilistic polynomial algorithm A that can solve ECDLP with a non-negligible probability in polynomial time.

2.2. Security Model

Certificateless signature schemes face two types of attacks from adversaries. An adversary of Type I ($A_I$) has the capability to substitute the user’s public key without requiring access to the system master key. On the other hand, an adversary of Type II ($A_{II}$) holds possession of the system master key but does not possess authority to alter or replace the user’s public key. The security model is represented as a gaming scenario involving both challengers $C_1\left(C_2\right)$ and their respective adaptive adversaries $A_I\left(A_{II}\right)$

Game 1: This game is played between an adaptive adversary $A_I$ and the challenger $C_1$. $C_1$ maintains a list $L_1$ that stores information about users. The game consists of the following phases:

Initialization: Challenger $C_1$ enters a security parameter k, generates system parameters $params$, and sends them to $A_I$, while $C_1$ saves the system master key s itself.

Query phase: In this phase, the following queries can be submitted adaptively by $A_I$. That is, the adversary will issue a new query based on the received response.

1. $CreateUser$ $query$: Enter user identity ($ID$); $C_1$ queries list $L_1$. If the user has been created, $C_1$ returns its corresponding user public key ($P{K}_{ID}$); otherwise, $C_1$ performs three algorithms, $ExtractPartialPrivateKey$, $ExtractSecretValue$, and $SetPublicKey$, to create a user and returns the $P{K}_{ID}$. It then adds the $ID$, partial private key ($d_{ID}$), secret value ($x_{ID}$), and $P{K}_{ID}$ to list $L_1$ for maintenance.

2. $ReplacePublicKey query$: Enter $(ID,P{K}_{ID}^{\prime })$; $C_1$ queries table $L_1$. If the user exists, then $C_1$ updates the corresponding public key $P{K}_{ID}$ in the record table $L_1$ as $P{K}_{ID}^{\prime }$, and records the secret value $x_{ID}$ as ⊥; otherwise, $C_1$ executes the $CreateUser query$ first, and then performs the update.

3. $ExtractSecretValue query$: Enter $ID$; $C_1$ first queries table $L_1$. If the user does not exist, then $C_1$ executes $CreateUser query$ and returns the corresponding secret value $x_{ID}$; if the user exists and the public key $P{K}_{ID}$ is not replaced, $C_1$ outputs the corresponding secret value $x_{ID}$. Otherwise, output ⊥.

4. $ExtractPartialPrivateKey query$: Enter $ID$; $C_1$ queries table $L_1$. If the user is present, $C_1$ returns the corresponding partial private key $d_{ID}$. Otherwise, $C_1$ first executes the $CreateUser query$ and then returns $d_{ID}$.

5. $SuperSign query$: Input $(ID,m)$; $C_1$ outputs a signature $\tau$. The signature can be verified by the corresponding message plaintext m, system parameter $params$, and user public key $P{K}_{ID}$. The $P{K}_{ID}$ is the last updated public key corresponding to the $ID$ in list $L_1$, that is, the public key may not be original.

Forgery: After successfully executing all queries, adversary $A_I$ generates a counterfeit signature $(I{D}^{*},m^{*},{\tau }^{*})$. The victory condition for $A_I$ is as follows: 1. $A_I$ has never queried the super signature for $(I{D}^{*},m^{*})$; 2. $A_I$ has never performed an $ExtractPartialPrivateKey query$ for $I{D}^{*}$; 3. ${\tau }^{*}$ for $(I{D}^{*},m^{*},P{K}^{*})$ is a verifiable valid signature, and the public key $P{K}^{*}$ may not be original.

Game 2: This game is played between an adaptive adversary $A_{II}$ and the challenger $C_2$.$C_2$ maintains a list $L_2$ that stores information about users. The game consists of the following phases:

Initialization: Challenger $C_2$ enters a security parameter k, generates system parameters $params$, and sends them to $A_{II}$, while $C_2$ sends the system master key s to $A_{II}$.

Query phase: In this phase, the following queries can be submitted adaptively by $A_{II}$.

1. $CreateUser query$: Enter user identity ($ID$); $C_2$ queries list $L_2$. If the user has been created, $C_2$ returns its corresponding user public key ($P{K}_{ID}$); otherwise, $C_2$ performs three algorithms, $ExtractPartialPrivateKey$, $ExtractSecretValue$, and $SetPublicKey$, to create a user and returns the $P{K}_{ID}$, and then adds the $ID$, partial private key ($d_{ID}$), secret value ($x_{ID}$), and $P{K}_{ID}$ to list $L_2$ for maintenance.

2. $ExtractSecretValue query$: Enter $ID$; $C_2$ first queries table $L_2$. If the user does not exist, then $C_2$ executes $CreateUser query$ and returns the corresponding secret value $x_{ID}$; if the user exists and the public key $P{K}_{ID}$ is not replaced, $C_2$ outputs the corresponding secret value $x_{ID}$. Otherwise, output ⊥.

3. $ExtractPartialPrivateKey query$: Enter $ID$; $C_2$ queries table $L_2$. If the user is present, $C_2$ returns the corresponding partial private key $d_{ID}$. Otherwise, $C_2$ first executes the $CreateUser query$ and then returns $d_{ID}$.

4. $SuperSign query$: Input $(ID,m)$; $C_2$ outputs a signature $\tau$. The signature can be verified by the corresponding message plaintext m, system parameter $params$, and user public key $P{K}_{ID}$. The $P{K}_{ID}$ is the last updated public key corresponding to the $ID$ in list $L_2$, that is, the public key may not be original.

Forgery: After successfully executing all queries, adversary $A_{II}$ generates a counterfeit signature $(I{D}^{*},m^{*},{\tau }^{*})$. The victory condition for $A_{II}$ is as follows: 1. $A_{II}$ has never queried the super signature for $(I{D}^{*},m^{*})$; 2. $A_{II}$ never performs an $ExtractSecretValue query$ on $I{D}^{*}$; 3. ${\tau }^{*}$ is a verifiable valid signature for $(I{D}^{*},m^{*},P{K}^{*})$, and the public key $P{K}^{*}$ remains intact.

For a CLS scheme, if the super Type I or Type II adversary cannot win Game 1 or Game 2 by a significant advantage in polynomial time, we say that the scheme is unfalsifiable against adaptive chosen plaintext attacks and identity attacks.

3. Review of Four PF-CLS Schemes

In this section, we review the four PF-CLS schemes [13,14,16,19]. The four PF-CLS schemes contain six basic process algorithms: $Setup$, $Partial Private Key Extract$, $Set Secret Value$, $Set Public/Private Key$, $Signature$, and $Verification$.

3.1. Xiang et al.’s Scheme

Xiang et al.’s scheme [19] contains the following six algorithms:

1. $Setup$: The KGC generates an elliptic curve additive group $\mathbb{G}$ of order q and selects $P\in \mathbb{G}$ as the generator of group $\mathbb{G}$. The KGC randomly chooses $s\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$ as the system master key, computes $P_{pub} = sP$, and selects three $Hash$ functions: $H_{i(i = 1,2,3)}:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$. Subsequently, the KGC publishes the system parameters $params = \{q,G,P,P_{pub},H_1,H_2,H_3\}$ and keeps the master key s secret.

2. $Partial Private Key Extract$: The KGC takes the system parameters $params$ and identity $ID$ as input. Then, it randomly selects $r_{ID}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, computes $R_{ID} = r_{ID}P$, $h_1 = H_1(ID,R_{ID},P_{pub})$, and $d_{ID} = r_{ID} + h_{1}smodq$. KGC sends the partial private key $D_{ID} = (R_{ID},d_{ID})$ to the user over a secure channel.

3. $Set Secret Value$: The user randomly picks $x_{ID}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$ as his/her secret value and calculates $X_{ID} = x_{ID}P$.

4. $Set Public/Private Key$: The user sets $P{K}_{ID} = (R_{ID},X_{ID})$ as the public key and $s{k}_{ID} = (d_{ID},x_{ID})$ as the private key.

5. $Signature$: The signer takes the message m, $params$, $ID$, $P{K}_{ID}$, and $s{k}_{ID} = (d_{ID},x_{ID})$ as input, then generates a signature $\sigma$ on message m as follows:

(i) Randomly select a value $t\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, and compute $T = tP$;

(ii) Compute $h_2 = H_2(ID,T,P{K}_{ID})$, $h_3 = H_3(ID,m,T,P{K}_{ID},P_{pub})$, and $\tau = x_{ID}^{-1}(h_{2}t + h_3{d}_{ID})modq$;

(iii) Output $\sigma = (T,\tau )$ as a signature.

6. $Verification$: The verifier takes the message–signature tuple $(m,\sigma = (T,\tau \left)\right)$, $params$, $ID$, and $P{K}_{ID} = (R_{ID},X_{ID})$ as input, then verifies the signature $\sigma$ as follows:

(i) Compute $h_1 = H_1(ID,R_{ID},P_{pub})$, $h_2 = H_2(ID,T,P{K}_{ID})$, $h_3 = H_3(ID,m,T,P{K}_{ID},P_{pub})$;

(ii) Output “Accept” if $\tau X_{ID} = h_{2}T + h_3(R_{ID} + h_1{P}_{pub})$ holds, and “Reject” otherwise.

3.2. Du et al.’s Scheme

The $Setup$, $Partial Private Key Extract$, $Set Secret Value$, and $Set Public/Private Key$ algorithms in Du et al.’s scheme [16] are basically the same as those in Xiang et al.’s scheme [19], with the only difference being the value of $h_1 = H_1(ID,R_{ID},P,P_{pub})$.

$Signature$: Given the message m, $params$, $ID$, $P{K}_{ID}$, and $s{k}_{ID} = (d_{ID},x_{ID})$ as input, the signature generation process is as follows:

1. Randomly select a value $t\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, and compute $T = tP$.

2. Compute $h_2 = H_2(m,T,ID,P{K}_{ID},P_{pub})$, $h_3 = H_3(m,T,ID,P{K}_{ID},h_2)$, and $\tau = t^{-1}(h_2{x}_{ID} + h_3{d}_{ID})modq$.

3. Output $\sigma = (T,\tau )$ as the signature.

$Verification$: Given m, $\sigma$, $params$, $ID$, and $P{K}_{ID}$ as input, the verification process is as follows:

1. Compute $h_1 = H_1(ID,R_{ID},P,P_{pub})$, $h_2 = H_2(m,T,ID,P{K}_{ID},P_{pub})$, $h_3 = H_3(m,T,ID,P{K}_{ID},h_2)$.

2. Output "Accept" if $\tau T = h_2{X}_{ID} + h_3(R_{ID} + h_1{P}_{pub})$ holds, and "Reject" otherwise.

3.3. Karati et al.’s Scheme

Karati et al.’s scheme [13] contains the following six algorithms:

1. $Setup$: The KGC generates an elliptic curve additive group $\mathbb{G}$ of order q and selects $P\in \mathbb{G}$ as the generator of group $\mathbb{G}$. The KGC randomly chooses $s\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$ as the master key, computes $P_{pub} = \{P_{pub1},P_{pub2}\} = \{sP,s^{-1}P\}$, and selects two $Hash$ functions: $H_{i(i = 1,2)}:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$. Subsequently, the KGC publishes the system parameters $\mathrm{params} = (q,G,P,P_{pub},H_1,H_2)$ and keeps the master key s secretly.

2. $Partial Private Key Extract$: The KGC takes $params$ and identity $ID$ as input, randomly selects $r_{ID}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, computes $R_{ID} = r_{ID}P$, $h_1 = H_1(ID,R_{ID},P)$, $d_{ID} = (s^{-1} + r_{ID}^{-1}s{h}_1)modq$, and $Q_{ID} = r_{ID}{s}^{-1}P$. KGC sends the partial private key $D_{ID} = (R_{ID},d_{ID},Q_{ID})$ to the user over a secure channel.

3. $Set Secret Value$: The user randomly selects $x_{ID}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$ as his/her secret value.

4. $Set Public/Private Key$: The user computes $X_{ID} = x_{ID}{R}_{ID}$, then sets $P{K}_{ID} = (R_{ID},Q_{ID},X_{ID})$ as the public key and $s{k}_{ID} = (d_{ID},x_{ID})$ as the private key.

5. $Signature$: The signer inputs m, $params$, $ID$, $P{K}_{ID}$, and $s{k}_{ID}$, then generates signature $\sigma$ for m as follows:

(i) Randomly select a value $t\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, and compute $T = t{R}_{ID}$;

(ii) Compute $h_2 = H_2(m\oplus ID,T,Q_{ID})$, and $\tau = x_{ID}{(t + h_2{x}_{ID} + d_{ID})}^{-1}modq$;

(iii) Output $\sigma = (T,\tau )$ as a signature.

6. $Verification$: The verifier inputs $(m,\sigma = (T,\tau \left)\right)$, $params$, $ID$, and $P{K}_{ID} = (R_{ID},Q_{ID},X_{ID})$, then verifies the signature $\sigma$ as follows:

(i) Compute $h_1 = H_1(ID,R_{ID},P)$, $h_2 = H_2(m\oplus ID,T,Q_{ID})$, and $R^{\prime } = T + h_2{X}_{ID} + Q_{ID} + h_1{P}_{pub1}$;

(ii) Output “Accept” if $X_{ID} = \tau R^{\prime }$ holds, and “Reject” otherwise.

3.4. Pakniat and Vanda’s Scheme

The $Setup$, $Partial Private Key Extract$, $Set Secret Value$, and $Set Public/Private Key$ algorithms in Pakniat and Vanda’s scheme [14] are basically the same as those in Karati et al.’s scheme [13], except that Pakniat and Vanda’s scheme additionally defines an extra $Hash$ function $H_3:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$.

$Signature$: Given m, $params$, $ID$, $P{K}_{ID}$, and $s{k}_{ID}$ as input, the signature generation process is as follows:

1. Randomly select a value $t\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$ and compute $T = t{R}_{ID}$.

2. Compute $h_2 = H_2(H_3\left(m\right)\oplus H_3\left(ID\right),T,Q_{ID},0)$, $h_3 = H_2(H_3\left(m\right)\oplus H_3\left(ID\right),T,Q_{ID},1)$, and $\tau = x_{ID}{(h_{2}t + h_3{x}_{ID} + d_{ID})}^{-1}modq$.

3. Output $\sigma = (T,\tau )$ as a signature.

$Verification$: Given m, $\sigma$, $params$, $ID$, and $P{K}_{ID}$ as input, the verification process is as follows:

1. Compute $h_1 = H_1(ID,R_{ID},P)$, $h_2 = H_2(H_3\left(m\right)\oplus H_3\left(ID\right),T,Q_{ID},0)$, $h_3 = H_2(H_3\left(m\right)\oplus H_3\left(ID\right),T,Q_{ID},1)$, and $R^{\prime } = h_{2}T + h_3{X}_{ID} + Q_{ID} + h_1{P}_{pub1}$.

2. Output “Accept” if $X_{ID} = \tau R^{\prime }$ holds, and “Reject” otherwise.

4. Novel Attacks on Four Schemes

In this section, we use a novel attack method on the four schemes presented in Section 3 and prove that all four schemes cannot resist Type I adversary attacks.

4.1. Cryptanalysis of Xiang et al.’s and Du et al.’s Schemes

Ma et al. [20] have pointed out that Xiang et al.’s scheme [19] cannot resist Type I adversary attacks, and the specific attack method will not be elaborated here. In this section, we use a new attack method different from Ma et al. to prove that Xiang et al.’s scheme cannot resist Type I adversary attacks. Suppose that there exists a Type I adversary $A_I$ attempting to forge the signature of a user with identity $ID$ and public key $P{K}_{ID} = (R_{ID},X_{ID})$. The process of forging the signature is as follows:

1. $A_I$ selects two random values $x_{ID}^{*}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, $r_{ID}^{*}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, computes $X_{ID}^{*} = x_{ID}^{*}{P}_{pub}$, $R_{ID}^{*} = r_{ID}^{*}{P}_{pub}$, and replaces the original public key $P{K}_{ID} = (R_{ID},X_{ID})$ with $P{K}_{ID}^{*} = (R_{ID}^{*},X_{ID}^{*})$.

2. Assuming that the message is $m^{*}$, $A_I$ randomly selects $t^{*}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, and computes $T^{*} = t^{*}{P}_{pub}$, $h_1^{*} = H_1(ID,R_{ID}^{*},P_{pub})$, $h_2^{*} = H_2(ID,T^{*},P{K}_{ID}^{*})$, $h_3^{*} = H_3(ID,m^{*},T^{*},P{K}_{ID}^{*},P_{pub})$, and ${\tau }^{*} = {\left(x_{ID}^{*}\right)}^{-1}(h_2^{*}{t}^{*} + h_3^{*}(r_{ID}^{*} + h_1^{*}))$. Then, $A_I$ outputs the forged signature ${\sigma }^{*} = (T^{*},{\tau }^{*})$.

3. Upon receiving the message–signature tuple $(m^{*},{\sigma }^{*} = (T^{*},{\tau }^{*}))$, $params$, and $P{K}_{ID}^{*} = (R_{ID}^{*},X_{ID}^{*})$, the verifier first computes $h_1^{*} = H_1(ID,R_{ID}^{*},P_{pub})$, $h_2^{*} = H_2(ID,T^{*},P{K}_{ID}^{*})$, $h_3^{*} = H_3(ID,m^{*},T^{*},P{K}_{ID}^{*},P_{pub})$, and then verifies the equation ${\tau }^{*}{X}_{ID}^{*} = h_2^{*}{T}^{*} + h_3^{*}(R_{ID}^{*} + h_1^{*}{P}_{pub})$.

We can observe that the forged signature can easily pass the verification equation:

$$\begin{array}{cc}\hfill {\tau }^{*}{X}_{ID}^{*}& = {\left(x_{ID}^{*}\right)}^{-1}(h_2^{*}{t}^{*} + h_3^{*}(r_{ID}^{*} + h_1^{*}))x_{ID}^{*}{P}_{pub}\hfill \\ & = h_2^{*}{t}^{*}{P}_{pub} + h_3^{*}(r_{ID}^{*} + h_1^{*})P_{pub}\hfill \\ & = h_2^{*}{T}^{*} + h_3^{*}(R_{ID}^{*} + h_1^{*}{P}_{pub})\hfill \end{array}$$

Through the above attack method, the attacker can forge a valid signature for any user on any message. Therefore, Xiang et al.’s scheme cannot resist Type I adversary attacks. Moreover, the attack on Du et al.’s scheme [16] is similar to the attack on Xiang et al.’s scheme, and will not be elaborated here.

4.2. Cryptanalysis of Pakniat and Vanda’s and Karati et al.’s Schemes

Shim [15] pointed out that Pakniat and Vanda’s scheme [14] cannot resist Type I adversary attacks, and the specific attack method will not be elaborated here. In this section, we first improve Pakniat and Vanda’s scheme to make Shim’s attack method ineffective. Then, we use the same attack method as in Section 4.1 to demonstrate that the improved Pakniat and Vanda’s scheme still cannot resist Type I adversary attacks.

The method for improving Pakniat and Vanda’s scheme is relatively simple, requiring only a change in the calculation of $h_1$ from $h_1 = H_1(ID,R_{ID},P)$ to $h_1 = H_1(ID,R_{ID},P,Q_{ID},P_{pub1})$. The improved scheme will not be described in detail here. After this improvement, if we still want to forge $Q_{ID}^{*} = -h_1{P}_{pub1}$, we need to provide the value of $h_1$ to obtain $Q_{ID}^{*}$, and, in order to obtain the value of $h_1$,we need to first provide the value of $Q_{ID}^{*}$. This is contradictory, so we cannot forge and Shim’s attack cannot succeed.

Next, we prove that the improved Pakniat and Vanda’s scheme still cannot resist Type I adversary attacks. Suppose that a Type I adversary $A_1$ attempts to forge the signature of a user with identity $ID$ and public key $P{K}_{ID} = (R_{ID},Q_{ID},X_{ID})$. The detailed process is as follows:

1. $A_1$ selects three random values $x_{ID}^{*}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, $r_{ID}^{*}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, $q_{ID}^{*}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, computes $X_{ID}^{*} = x_{ID}^{*}{P}_{pub1}$, $R_{ID}^{*} = r_{ID}^{*}{P}_{pub1}$, $Q_{ID}^{*} = q_{ID}^{*}{P}_{pub1}$, and replaces the original public key $P{K}_{ID} = (R_{ID},Q_{ID},X_{ID})$ with $P{K}_{ID}^{*} = (R_{ID}^{*},Q_{ID}^{*},X_{ID}^{*})$.

2. Supposing that the message is $m^{*}$, $A_1$ randomly selects $t^{*}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, and computes $T^{*} = t^{*}{P}_{pub1}$, $h_1^{*} = H_1(ID,R_{ID}^{*},P,Q_{ID}^{*},P_{pub1})$, $h_2^{*} = H_2(H_3\left(m^{*}\right)\oplus H_3\left(ID\right),T^{*},Q_{ID}^{*},0)$, $h_3^{*} = H_2(H_3\left(m^{*}\right)\oplus H_3\left(ID\right),T^{*},Q_{ID}^{*},1)$, ${\tau }^{*} = x_{ID}^{*}{(h_2^{*}{t}^{*} + h_3^{*}{x}_{ID}^{*} + q_{ID}^{*} + h_1^{*})}^{-1}modq$. Then, $A_1$ outputs the forged signature ${\sigma }^{*} = (T^{*},{\tau }^{*})$.

3. After receiving the message–signature pair $(m^{*},{\sigma }^{*} = (T^{*},{\tau }^{*}))$, $params$, and $P{K}_{ID}^{*} = (R_{ID}^{*},Q_{ID}^{*},X_{ID}^{*})$, the verifier first computes $h_1^{*} = H_1(ID,R_{ID}^{*},P,Q_{ID}^{*},P_{pub1})$, $h_2^{*} = H_2(H_3\left(m^{*}\right)\oplus H_3\left(ID\right),T^{*},Q_{ID}^{*},0)$, $h_3^{*} = H_2(H_3\left(m^{*}\right)\oplus H_3\left(ID\right),T^{*},Q_{ID}^{*},1)$, and then verifies the equation ${\tau }^{*}(h_2^{*}{T}^{*} + h_3^{*}{X}_{ID}^{*} + Q_{ID}^{*} + h_1^{*}{P}_{pub1}) = X_{ID}^{*}$.

We can observe that the forged signature can easily pass the verification equation:

$$\begin{array}{cc}\hfill {\tau }^{*}(& h_2^{*}{T}^{*} + h_3^{*}{X}_{ID}^{*} + Q_{ID}^{*} + h_1^{*}{P}_{pub1})\hfill \\ \hfill = & x_{ID}^{*}{(h_2^{*}{t}^{*} + h_3^{*}{x}_{ID}^{*} + q_{ID}^{*} + h_1^{*})}^{-1}(h_2^{*}{t}^{*} + h_3^{*}{x}_{ID}^{*} + q_{ID}^{*} + h_1^{*})P_{pub1}\hfill \\ \hfill = & x_{ID}^{*}{P}_{pub1}\hfill \\ \hfill = & X_{ID}^{*}\hfill \end{array}$$

Through the above attack method, the attacker can forge a valid signature for any user on any message. Therefore, Pakniat and Vanda’s scheme cannot resist Type I adversary attacks. Moreover, we can use the same attack method to prove that Karati et al.’s scheme [13] cannot resist Type I adversary attacks, and the detailed process can be referred to above, which will not be repeated here.

Definition 1. 

In our attack, $X_{ID}^{*}$, $R_{ID}^{*}$, $T^{*}$ are generated by random values $x_{ID}^{*}$, $r_{ID}^{*}$, $t^{*}$, which do not have a relationship with each other, and therefore the verifier cannot detect the forgery of the public key and signature. Compared with the attack method of Ma et al., our attack method is practical. We call this novel attack the Common Factor Substitution Attack.

5. The Proposed CLS Scheme

In this section, we introduce a novel CLS scheme that offers enhanced security and efficiency (Figure 1).

1. $Setup$: KGC takes the security parameter k as input and selects the elliptic curve addition group $\mathbb{G}$, where q and P are the order and generator of the group $\mathbb{G}$, respectively. KGC chooses two secure hash function $H_1:{\{0,1\}}^{*} \times {\mathbb{G}}^3\to {\mathbb{Z}}_q^{*}$, $H_2:{{\{0,1\}}^{*}}^2 \times {\mathbb{G}}^3\to {\mathbb{Z}}_q^{*}$. Then, KGC randomly selects the system master key $s\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, and calculates the system public key $P_{pub} = sP$. $params = (\mathbb{G},q,P,P_{pub},H_1,H_2)$ will be outputted as the public system parameters.

2. $SetSecretValue$: User identified by $ID$ randomly chooses the secret value $x_{ID}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$, then computes $X_{ID} = x_{ID}P$ and transmits it to KGC.

3. $PartialPrivateKeyExtract$: After receiving $(ID,X_{ID})$ submitted by the user, KGC randomly selects $r_{ID}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$ and calculates $R_{ID} = r_{ID}P$ as part of the public key, then calculates $h_1 = H_1(ID,X_{ID},R_{ID},P_{pub})$. Finally, KGC calculates $d_{ID} = r_{ID} + h_{1}s$ as the partial private key and transmits $(d_{ID},R_{ID})$ to the user via a secure communication channel.

4. $SetPrivateKey$: The user generates the complete private key $S{K}_{ID} = (x_{ID},d_{ID})$.

5. $SetPublicKey$: The user generates the complete public key $P{K}_{ID} = (X_{ID},R_{ID})$.

6. $Sign$: The signer signs the message m. The signer randomly picks $t\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$ and calculates $T = tP$. And then the signer calculates $h_2 = H_2(m,ID,X_{ID},R_{ID},T),$$v = t + h_2(x_{ID} + d_{ID}) mod q$ to obtain signature $\tau = (T,v)$

7. $Verify$: The verifier receives signature $\tau$ and message m for verification. First, the verifier calculates $h_1 = H_1(ID,X_{ID},R_{ID},P_{pub}),$$h_2 = H_2(m,ID,X_{ID},R_{ID},T)$, and then determines whether the verification equation $vP = T + h_2(X_{ID} + R_{ID} + h_1{P}_{pub})$ is valid. It accepts if true, and rejects the signature otherwise.

6. Security Proof

Forking Lemma: In cryptography, the forking lemma is a crucial tool for proving the security of digital signature schemes. Its core idea is as follows: if there exists an adversary capable of successfully forging a valid signature triple $\delta = (m,\sigma ,h)$ (where m denotes the message, $\sigma$ denotes the signature value, h denotes the hash value generated by the random oracle H, and it contains a publicly accessible value z), then, by replaying the interaction process between the adversary and the random oracle, the adversary can be forced to generate a different hash output $\left(h^{*}\right)$ for the same input, thereby obtaining another valid signature ${\delta }^{*} = (m,{\sigma }^{*},h^{*})$.

Specifically, by fixing the adversary’s random tape and resetting the random oracle, the adversary can be compelled to generate two distinct yet valid signatures during repeated executions. These two signatures satisfy $h \ne h^{*}$, and their existence can be used to construct an algorithm to solve the underlying cryptographic hard problem (such as the discrete logarithm problem) with a non-negligible probability. The advantage probability of the forking lemma is $\left(1 - {\displaystyle \frac{1}{e}}\right)·{\displaystyle \frac{\epsilon }{q_h}}$, where $\epsilon$ denotes the original forgery probability of the adversary, $q_h$ denotes the number of oracle queries, and e denotes the natural constant.

Theorem 1. 

Suppose that the probability that a super Type I adversary $A_I$, being able to produce a valid forged signature in polynomial time, is ε, the maximum number of times that an adversary $A_I$ can query $CreateUser query$ is $q_{H_1}$, and the maximum number of times that an adversary $A_I$ can query the $ExtractPartialPrivateKey query$ is $q_{eppk}$. The polynomial time algorithm $C_1$ has the advantage of ${\epsilon }_1 \ge {(1 - {\displaystyle \frac{1}{q_{H_1}}})}^{q_{eppk}}{\displaystyle \frac{1}{q_{H_1}}}\epsilon$ to solve difficult ECDLP problems.

Proof. 

Suppose that the super Type I adversary can win Game 1 by a non-negligible advantage in polynomial time. For a given ECDLP hard problem instance $(P,aP)$, we can construct the algorithm $C_1$ to call $A_I$ as a subroutine and use the power of $A_I$ to solve it. $H_1$ and $H_2$ are two random oracle models. $C_1$ maintains two lists, $L_1$ and $L_2$, for recording $A_I$’s query of $H_1$ and $H_2$, respectively. $L_1$, $L_2$ are initially empty. The interaction between $A_I$ and $C_1$ is as follows:

Initialization phase: $C_1$ inputs security parameter k to generate system parameters and sets $P_{pub} = aP$ (a is unknown to $C_1$). Then, $C_1$ selects the challenge user $I{D}^{*}$ and sends the system parameters $(\mathbb{G},q,P,P_{pub},H_1,H_2)$ to the adversary $A_I$.

Query phase:

1. $CreateUser query$: $A_I$ enters $I{D}_i$; $C_1$ first looks up list $L_1$. If $(I{D}_i, x_i,d_i,X_i,R_i,h_{1i})\in L_1$ already exists, $C_1$ returns $P{K}_i = (Q_i,R_i)$; otherwise, carry out the following: (1) If the $I{D}_i \ne I{D}^{*}$, $C_1$ randomly selects $x_i,d_i,h_{1i}\in {\mathbb{Z}}_q^{*}$, calculates $X_i = x_{i}P,$$R_i = d_{i}P - h_{1i}{P}_{pub}$, sets $h_{1i} = H_1(I{D}_i,X_i,R_i,P_{pub})$, and returns $P{K}_i = (X_i,R_i)$. $C_1$ adds $(I{D}_i,x_i,d_i,X_i,R_i,h_{1i})$ to table $L_1$. (2) If the $I{D}_i = I{D}^{*}$, $C_1$ randomly selects $x_i,r_i,h_{1i}\in {\mathbb{Z}}_q^{*}$, calculates $X_i = x_{i}P,$$R_i = r_{i}P$, sets $h_{1i} = H_1(I{D}_i,X_i,R_i,P_{pub})$, and returns $P{K}_i = (X_i,R_i)$. $C_1$ adds $(I{D}_i,x_i,\perp ,X_i,R_i,h_{1i})$ to list $L_1$.

2. $H_1 query$: $A_I$ inputs $(I{D}_i,X_i,R_i,P_{pub})$. $C_1$ first queries list $L_1$. If $(I{D}_i,x_i,d_i,X_i,R_i,h_{1i})\in L_1$ already exists, then $C_1$ returns $h_{1i}$ to $A_I$; otherwise, $C_1$ performs the $CreateUser query$ and then returns $h_{1i}$.

3. $H_2 query$: $A_I$ inputs $(m_i,I{D}_i,X_i,R_i,T_i)$; $C_1$ first inquires about $L_2$. If $(m_i,I{D}_i,X_i,R_i,T_i,h_{2i})\in L_2$ already exists, then $C_1$ returns $h_{2i}$; otherwise, $C_1$ randomly selects $h_{2i}\in {\mathbb{Z}}_q^{*},(\ast ,\ast ,\ast ,\ast ,\ast ,h_{2i})\notin L_2$ and returns $h_{2i}$ to $A_I$. Then, $C_1$ updates $(m_i,I{D}_i,X_i,R_i,T_i,h_{2i})$ to list $L_2$.

4. $ExtractPartialPrivateKey query$: $A_I$ inputs $I{D}_i$. If $I{D}_i = I{D}^{*}$, $C_1$ aborts the program and outputs ⊥; otherwise, $C_1$ checks list $L_1$ and returns $d_i$. If $I{D}_i$ does not exist in table $L_1$, the $CreateUser query$ will be executed first and then $d_i$ will be returned.

5. $ExtractSecretValue query$: $A_I$ enters $I{D}_i$. $C_1$ queries list $L_1$ and returns $x_i$. If $I{D}_i$ does not exist in list $L_1$, $C_1$ executes $CreateUser query$ and then returns $x_i$. In addition, if the public key is not the original one, then $C_1$ outputs ⊥.

6. $ReplacePublicKey query$: $A_I$ inputs $(I{D}_i,P{K}_i^{\prime })$. $C_1$ looks up list $L_1$ and updates in the table corresponding to the content as $(I{D}_i,x_i,d_i,X_i,R_i,h_{1i})\to (I{D}_i,\perp ,d_i,X_i^{\prime },R_i^{\prime },h_{1i})$.

7. $SuperSign query$: $A_I$ inputs $(I{D}_i,m_i)$. $C_1$ checks whether $(I{D}_i,X_i,R_i,P_{pub},h_{1i})$ is contained in list $L_1$. If not, $C_1$ executes $H_1 query$ first and then performs the following: (1) if the $I{D}_i \ne I{D}^{*}$ and $x_i \ne \perp$ (the public key has not been replaced), $C_1$ randomly selects $t_i,h_{2i}\in {\mathbb{Z}}_q^{*}$, calculates $T_i = t_{i}P,v_i = t_i + h_{2i}(x_i + d_i)$, and outputs signature ${\tau }_i = (T_i,v_i)$; (2) if $I{D}_i = I{D}^{*}$ or $x_i = \perp$ (the public key is replaced), $C_1$ randomly selects $t_i,v_i\in {\mathbb{Z}}_q^{*}$, calculates $T_i = v_{i}P - h_{2i}(X_i + R_i + h_{1i}{P}_{pub})$, and outputs signature ${\tau }_i = (T_i,v_i)$. Then, $C_1$ updates $(m_i,I{D}_i,X_i,R_i,T_i,h_{2i})$ to list $L_2$.

Forgery: Upon completing all queries, adversary $A_I$ outputs a forged signature ${\tau }^{*} = (T^{*},v^{*})$ for $(I{D}^{*},m^{*})$. If $I{D}_i \ne I{D}^{*}$, $C_1$ will abort and output ⊥. In line with the forking lemma, when $C_1$ replays $h_1$, $A_I$ produces another forged signature ${{\tau }^{*}}^{\left(2\right)} = (T^{*},{v^{*}}^{\left(2\right)})$, resulting in two signatures sharing $T^{*} = t^{*}P$. According to the signature calculation, there are two equations:

$$\left\{\begin{array}{c}{v}^{*\left(1\right)} = t^{*} + h_2^{*}(x^{*} + r^{*} + h_1^{*\left(1\right)}a)\hfill \\ v^{*\left(2\right)} = t^{*} + h_2^{*}(x^{*} + r^{*} + h_1^{*\left(2\right)}a)\hfill \end{array}\right.$$

Considering the potential for public key replacement, $x^{*}$ remains unknown to $C_1$. The equation involves three unknown variables: $x^{*},t^{*},a$. The value of a can be determined using simultaneous equations as $a = {\displaystyle \frac{v^{*\left(1\right)} - v^{*\left(2\right)}}{h_1^{*\left(1\right)} - h_1^{*\left(2\right)}}}$. This approach enables $C_1$ to successfully employ $A_I$ as a subroutine to solve the ECDLP.

Next, we calculate the probability that $C_1$ will win Game 1. First, we define three events: ${\Delta }_1$ indicates that $A_I$ does not exit during the query phase; ${\Delta }_2$ indicates that $A_I$ does not exit during the forgery; ${\Delta }_3$ indicates that $A_I$ successfully forges a valid signature. Therefore, the following are true:

1. The probability that $A_I$ does not perform the $ExtractPartialPrivateKey query$ for $I{D}^{*}$ during the query phase is $Pr\left[{\Delta }_1\right] = {(1 - {\displaystyle \frac{1}{q_{H_1}}})}^{q_{eppk}}$;

2. The probability that $A_I$ does not exit in the forgery stage is the probability that $a_i$ outputs the signature corresponding to $I{D}^{*}$ in the forgery stage: $Pr\left[{\Delta }_2\right|{\Delta }_1] = {\displaystyle \frac{1}{q_{H_1}}}$;

3. The probability of forging one valid signature is $\epsilon$, and the probability of forging two valid signatures is $Pr\left[{\Delta }_3\right|{\Delta }_2{\Delta }_1] = \epsilon$. Thus, $Pr\left[{\Delta }_1{\Delta }_2{\Delta }_3\right]\ge {(1 - {\displaystyle \frac{1}{q_{H_1}}})}^{q_{eppk}}{\displaystyle \frac{1}{q_{H_1}}}\epsilon$, and challenger $C_1$ can solve an ECDLP hard problem with non-negligible probability. And because the difficult problem is actually unsolvable, the adversary $A_I$ cannot forge the signature. □

Theorem 2. 

If the ECDLP hardness assumption cannot be solved in polynomial time, then our proposed enhanced scheme can effectively resist Type II attackers $A_{II}$. Specifically, suppose that the probability that a super Type II adversary $A_{II}$, being able to produce a valid forged signature in polynomial time, is ε. The maximum number of times that an adversary $A_{II}$ can query $CreateUser query$ is $q_{H_1}$, the maximum number that an adversary $A_{II}$ can query $ExtractSecretValue query$ is $q_{esv}$, and the maximum number that an adversary $A_{II}$ can query $ExtractPartialPrivateKey query$ is $q_{rpk}$. The polynomial time algorithm $C_2$ has the advantage of ${\epsilon }_2 \ge {(1 - {\displaystyle \frac{1}{q_{H_1}}})}^{q_{esv} + q_{rpk}}{\displaystyle \frac{1}{q_{H_1}}}\epsilon$ to solve difficult ECDLP problems.

The proof steps of Theorems 2 and 1 are similar. However, it is necessary to mention that, in the proof of Theorem 2, $ExtractPartialPrivateKey query$ and $ReplacePublicKey query$ will not be initiated by $A_{II}$.

7. Performance Evaluation

In the previous section, we established the complete security and unforgeability of our proposed new scheme. We now turn our attention to the performance analysis of this new solution. To match the security level of the 1024-bit RSA algorithm, we employ the elliptic curve $y^2 = x^3 + \beta x + \gamma mod q,$$\beta ,\gamma \in {\mathbb{Z}}_q^{*}$, with $\mathbb{G}$ being the order-q additive cyclic group on $E\left(Fp\right)$. Here, p is a 512-bit prime, q is a 160-bit prime, and P serves as the generator of $\mathbb{G}$. The implementation utilizes the open-source cryptography library MIRACL, running on a device equipped with an Intel(R) Core(TM) i5-3470 CPU @ 3.20 GHz x4 processor, 4GB of memory, and the 64-bit Ubuntu 22.04.3 LTS operating system.

Table 1. Running time of cryptographic operations.

Notation	Operation	Time (ms)
$T_{sm}$	A scalar multiplication operation on elliptic curve	0.334273
$T_{pa}$	A point addition operation on elliptic curve	0.002042
$T_m$	A modular multiplication operation	0.000864
$T_a$	A modular addition operation	0.000455
$T_{inv}$	A modular inversion operation	0.002742
$T_h$	A general hash operation	0.002440

presents the average running time of each basic cryptographic operation, measured over 1000 repeated experiments.

In the IoT environment, where device resources are limited and computing capacities are modest, there are stringent requirements for both computational efficiency and communication efficiency. In CLS schemes, computational efficiency is primarily determined by the computational load during the signing and verification phases, whereas communication efficiency largely depends on the size of the signature.

As illustrated in

Table 2. Comparative analysis of performance.

Scheme	Sign	Verify	Signature Size	Against ${\mathit{A}}_{\mathit{I}}$	Against ${\mathit{A}}_{\mathit{I}\mathit{I}}$
Karati [13]	$T_{sm} + T_{inv}$	$3T_{sm} + 3T_{pa}$	$\mid \mathbb{G}\mid + \mid {\mathbb{Z}}_q^{*}\mid$	Insecure	Normal
Pakniat [14]	$T_{sm} + T_{inv}$	$4T_{sm} + 3T_{pa}$	$2\mid \mathbb{G}\mid + \mid {\mathbb{Z}}_q^{*}\mid$	Insecure	Normal
Du [16]	$T_{sm} + T_{inv}$	$4T_{sm} + 2T_{pa}$	$\mid \mathbb{G}\mid + \mid {\mathbb{Z}}_q^{*}\mid$	Insecure	Super
Xiang [19]	$T_{sm} + T_{inv}$	$4T_{sm} + 2T_{pa}$	$\mid \mathbb{G}\mid + \mid {\mathbb{Z}}_q^{*}\mid$	Insecure	Super
Ma [20]	$T_{sm}$	$4T_{sm} + 3T_{pa}$	$\mid \mathbb{G}\mid + \mid {\mathbb{Z}}_q^{*}\mid$	Super	Insecure
Feng [21]	$T_{sm}$	$4T_{sm} + 3T_{pa}$	$\mid \mathbb{G}\mid + \mid {\mathbb{Z}}_q^{*}\mid$	Super	Super
Our	$T_{sm}$	$3T_{sm} + 3T_{pa}$	$\mid \mathbb{G}\mid + \mid {\mathbb{Z}}_q^{*}\mid$	Super	Super

and Figure 2, in terms of computational efficiency, during the signature phase, our scheme has a calculation time comparable to those of Feng, Ma et al.’s scheme, and is slightly lower than those of Karati, Pakniat, Du, Xiang, and other schemes. However, in the verification phase, our scheme has a calculation time of $3T_{sm} + 3T_{pa} = 1.008945\mathrm{ms}$, which is lower than Feng, Ma et al.’s calculation time of $4T_{sm} + 3T_{pa} = 1.343218\mathrm{ms}$, and Du, Xiang et al.’s calculation time of $4T_{sm} + 2T_{pa} = 1.341176\mathrm{ms}$, and is comparable to Karati et al.’s scheme. The total calculation time of our scheme is slightly lower than that of Karati et al.’s scheme, about 19.76% lower than Feng et al. and Ma et al.’s scheme, about 19.80% lower than Du et al. and Xiang et al.’s schemes, and about 20.05% lower than Pakniat et al.’s scheme, marking a significant improvement in computational efficiency.

Regarding communication efficiency, our scheme’s output signature size, $\mid \mathbb{G}\mid + \mid {\mathbb{Z}}_q^{*}\mid (360 + 120 = 480 bits)$, is comparable to Feng, Ma, Karati, Du, and Xiang et al. Compared to Pakniat et al.’s scheme’s output signature size, $2\mid \mathbb{G}\mid + \mid {\mathbb{Z}}_q^{*}\mid (720 + 120 = 840 bits)$, our scheme is more efficient in communication efficiency.

Our performance analysis shows that our scheme offers higher security and computational efficiency compared to Ma, Karati, Pakniat, Du, and Xiang et al.’s schemes. Compared with Feng et al.’s scheme, our scheme has improved computational efficiency while maintaining the original security level. Therefore, our scheme is a more suitable solution for the IoT environment.

8. Conclusions

The design of lightweight, secure, efficient, and reliable signature schemes for the IoT has become a hot research topic. Certificateless signature schemes have become an important solution for providing security services such as identity authentication, data integrity protection, and non-repudiation for the IoT due to their advantages of not requiring certificates and avoiding the key escrow problem. We review four PF-CLS schemes and use a novel attack method to attack the existing ones on four PF-CLS schemes with the same security vulnerabilities to prove that none of the four schemes can protect against Type I adversary forgery attacks. Subsequently, we propose an improved scheme, which is proven to be secure, reliable, and unforgeable under the ROM. Finally, the performance analysis of the new scheme shows that our scheme offers higher computational efficiency compared to the other PF-CLS schemes, making it more suitable for resource-constrained IoT environments.

Future research will focus on the following directions: (1) Existing schemes may expose user identities, and anonymous signatures can instead be realized by combining zero-knowledge proof (ZKP) or ring signature technologies. (2) Deploy the new scheme in practical resource-constrained IoT environment applications, and evaluate its feasibility during actual deployment, as well as its resistance to side-channel attacks such as timing attacks and power analysis.