Self-C2AD: Enhancing CA Auditing in IoT with Self-Enforcement Based on an SM2 Signature Algorithm

Abstract

Malicious certificate authorities (CAs) pose a significant threat to the security of the Internet of Things (IoT). Existing CA auditing schemes primarily rely on passive detection and public data collection, lacking real-time and comprehensive monitoring. In this paper, we propose a novel double-authentication preventing signature scheme based on an SM2 algorithm, referred to as Dap-SM2. We further enhance its functionality by introducing Self-C2AD, a CA auditing mechanism with self-enforcement. In our proposed mechanism, any malicious CA that generates two certificates with different descriptions (such as public key and basic information) for the same IoT device will immediately lose its private key. To ensure the security of our proposed scheme, we provide a detailed security analysis of Dap-SM2. The analysis demonstrates that our Self-C2AD mechanism meets the necessary security requirements, offering robust protection against malicious CAs. Additionally, we conduct an efficiency evaluation and present experimental data to illustrate the promising potential of our construction for future IoT applications. By introducing the Dap-SM2 scheme and the Self-C2AD mechanism, we address the critical issue of malicious CAs in the IoT domain. Our approach provides real-time and comprehensive auditing capabilities, surpassing the limitations of existing schemes. The security analysis confirms the effectiveness of Dap-SM2, while the efficiency evaluation and experimental data demonstrate its suitability for practical IoT applications. In summary, our work presents a novel solution to combat the threat of malicious CAs in the IoT context. The Dap-SM2 scheme, coupled with the Self-C2AD mechanism, offers enhanced security and real-time auditing capabilities. The security analysis validates the robustness of our approach, while the efficiency evaluation and experimental data showcase its potential for future IoT deployments.

1. Introduction

With the advent of the 6G era, the Internet of Things (IoT) has been applied in diverse fields, such as healthcare, agriculture, smart homes, etc., connecting large numbers of devices like mobile phones, wearables and even household appliances [1,2]. In this context, it is vital to ensure the validity of accessing devices. Most existing IoT authentication schemes depend on certificates in the public key infrastructure (PKI) system [3,4], which mainly consists of three components: a certification authority (CA), a registration authority (RA), and a database (DB). In this system, the RA functions as the verifier of the devices’ identities, the CA is responsible for the issue of certificates for valid devices, and the DB acts as a manager to save additional items about certificates.

Therefore, the CA serves as the access controller on the IoT. As shown in Figure 1, when a smart device (SDV) wants to join in the IoT, it first sends an application to the RA and CA, then the RA verifies its validity and gives feedback to the CA; the CA confirms the feedback and generates a certificate for this SDV. In this case, the certificate is the unique credential to access the IoT. When a user wants to use an SDV, they will first check its certificate to confirm its validity before proceeding. Thus, malicious or incorrect CA behaviours will seriously damage the security of the IoT, which mislead users to trust invalid devices, eventually causing leakage of personal privacy. In this context, it is necessary to construct an appropriate mechanism to avoid the above problems.

Existing countermeasures such as certificate transparency [5,6] and others audit CAs by collecting and reporting in public to establish a trust-friendly ecosystem. However, these mechanisms do not operate in real-time and are not comprehensive. On the one hand, the presence of a neglected malicious CA poses a significant latent threat. On the other hand, incorrect CA behaviours cannot be detected immediately, which can also cause privacy leakage in a small range even they will be punished eventually.

Double-authentication preventing signatures (DAPS) [7] are a special type of digital signature scheme for detecting ambiguous signer behaviours; any signers producing signatures on the same address with different domains will face confidence loss. Moreover, this process is incontrovertible, immediate and irreversible. This “self-enforcement” encourages signers to comply with the correct behaviours spontaneously and, at the same time, provides no room for flaws. Combined with the practical context of IoT [8], DAPS represent a good potential choice for the construction of a real-time CA auditing mechanism.

We build upon the foundation of the double-authentication preventing signatures (DAPS) scheme proposed by Poettering et al. [7] and leverage the Chinese SM2 signature algorithm [9] as a key component in our research. Furthermore, we extend the capabilities of the SM2 signature algorithm to develop a real-time CA auditing mechanism specifically designed for the IoT context. The SM2 signature algorithm is a prominent branch of the Chinese SM2 public key cryptographic standard, widely applied in various domains, such as key management systems [10], electronic authentication systems [11], and confidential systems [12,13]. It was initially published by the Chinese State Cryptography Administration Office of the Security Commercial Code Administration in 2010 and later standardized in ISO/IEC 14888-3:2016/DAMD 1 [14] in 2016. Due to its high efficiency and robust security, the SM2 signature algorithm naturally emerges as an excellent choice to serve as the fundamental building block for our CA auditing mechanism.

1.1. Our Contributions

In this paper, we present Dap-SM2, a DAPS derived from the SM2 signature algorithm. Building upon the framework introduced in [15], our proposed scheme offers the advantage of shorter signature lengths. Additionally, leveraging the efficiency of the SM2 signature algorithm, Dap-SM2 exhibits low time consumption in each stage. Moreover, we transform the Dap-SM2 into a CA auditing mechanism with self-enforcement named Self-C2AD. Inherited from the Dap-SM2, it has high efficiency with relatively small address space and provides the security of a certificate of unforgeability and timely key-extractability. Our contributions mainly relate to the following three points:

• We propose Dap-SM2, a short efficient double-authentication preventing signature based on an SM2 signature algorithm.
• We provide a security analysis of Dap-SM2, which satisfies the property of existential unforgeability and key-extractability. We also implement it on a PC and provide a detailed efficiency evaluation, whose performance demonstrates that our scheme has good potential for usability.
• We transform Dap-SM2 into Self-C2AD, a real-time CA auditing mechanism with self-enforcement designed to cope with the complex IoT context. Inherited from the Dap-SM2, our Self-C2AD can provide certificate unforgeability and timely key-extractability.

1.2. Organization of This Paper

Our paper includes seven sections. The rest of this paper is organized as follows: We review the development of double-authentication preventing signatures and some CA auditing schemes in Section 2. In Section 3, we define some notations that will be used later and review understanding of elliptic curves cryptography and the Chinese SM2 signature algorithm. The system model, scheme framework and security definition are described in Section 4. In Section 5, we describe our Dap-SM2 and Self-C2AD in detail, as well as providing details of the correctness and security analysis at the same time. We present the performance analysis in Section 6. Finally, we conclude our work in Section 7.

2. Related Work

As previously mentioned, the double-authentication preventing signatures (DAPS) scheme has significant potential as a solution for CA auditing in the IoT context as it can reveal a signer’s secret key to the public [16,17,18,19]. The concept of DAPS was initially introduced by Poettering and Stebila in the factoring-based setting [7]. They presented a generic construction based on a novel type of trapdoor function with extractability. In a related but weaker primitive approach called accountable assertions (AS), Ruffing, Kate, and Schröder presented a DAPS variant (referred to as RKS) that utilized Merkle trees [20] and chameleon hash functions [21] from the discrete logarithm setting [22]. Bellare, Poettering, and Stebila then proposed an efficient form of DAPS in the factoring-based setting, combining trapdoor identification schemes with an adapted and extended transformation [23,24]. Concurrently, Boneh et al. constructed the first DAPS in a lattice-based setting, extending it to a more general concept called predicate-authentication-preventing signatures (PAPS) [18]. Derler, Ramacher, and Slamanig introduced the first black-box version of DAPS, demonstrating its transformation into N-times-authentication-preventing signatures (NAPS) [25]. Poettering further contributed to this work by constructing a shorter DAPS for small addresses using the Fiat–Shamir transformation [15]. Moreover, the authors proposed a lattice-based double-authentication-preventing ring signature and adapted it to a novel privacy-preserving authentication scheme, creating the potential for security against selected message attacks [26]. Additionally, Derler, Ramacher, and Slamanig overcame the limitation of address space and presented a generic construction of DAPS with constant key and signature sizes, without relying on structured hardness assumptions [27].

Regarding CA auditing mechanisms, previous works, such as [28,29], have been associated with trust decisions from CAs, providing assertions to users about whether a CA can be trusted or not. Safdar, et al. proposed a randomly shifted CA authentication protocol, which employed a trusted third party with public key certificates as a CA for authentication purposes [30]. A public auditing system based on distributed ledgers was proposed in [31] to store the interactions between IoT entities as evidence for investigation when under attack. Projects like certificate transparency and others focus on collecting and auditing public certificates to identify malicious CAs and maintain the integrity of the Internet ecosystem. However, these mechanisms often rely on third-party supervision, which lacks real-time and comprehensive monitoring capabilities. By drawing upon these related works and addressing their limitations, our proposed scheme combines the strengths of DAPS and the SM2 signature algorithm to develop an innovative and real-time CA auditing mechanism specifically tailored for the IoT context.

3. Preliminaries

3.1. Notations

Definitions of notations used in this paper are presented in

Table 1. Notations and Definitions.

Notations	Definitions
E	The elliptic curve equation $y^2\equiv x^3+ax+b$
${\mathcal{F}}_q$	The finite field contained q elements
$\mathbb{G}$	An elliptic curve group of order q
G	A generator of group $\mathbb{G}$
$\left[K\right]P$	The k times of the point P on E
$a\left|\right|b$	The concatenation of two strings a and b
$1^{\lambda }$	The security parameter
$ID$	The identity of the user
$ENTL$	The length of the user’s identity
$vk(·)$	The function of generating user’s public key
$K(·)$	The function of generating user’s partial public key used to extract private key
$F(k,a)\to (x,y)$	The pseudorandom function takes k as evaluation key
$f_x\left(R\right)=r$	The X-axis extraction function takes point R as input and returns its X-axis
SOT	The abbreviation of the One-time signatures
ROM	The abbreviation of the Random Oracle model
$\mathcal{A}$	The set of addresses
$\mathcal{PPT}$	The abbreviation of probabilistic polynomial time
$negl(·)$	The negligible function
$A\Rightarrow B$	The event A can deduce to event B

.

3.2. Elliptic Curves Cryptography

Neal Koblitz and Victor Miller proposed elliptic curves public-key cryptosystems (ECCs) independently in 1985 [32], which mainly depend on the hardness of the elliptic curve discrete logarithm problem (ECDLP). Compared to the general discrete logarithm problem (DLP) and RSA, it is more difficult to solve the ECDLP. Thus, under the same security level requirements, the ECC has a significantly smaller key than other public-key cryptosystems, which leads it to be more efficient and lightweight.

Here, we give the definition of ECDLP [32].

Definition 1. 

The Elliptic Curve Discrete Logarithm Problem. Given two points Q and P on the group $G_1$, to find an integer $k\in {\mathbb{Z}}_q^{*}$ s.t. $Q=\left[k\right]P$. The advantage of any $\mathcal{PPT}$ adversary $\mathcal{A}$ to solve this problem is defined as:

$$\mathrm{Pr}[\mathcal{A}(P,Q)=k:k\in {\mathbb{Z}}_q^{*},Q=\left[k\right]P]$$

(1)

If the ECDLP assumption holds, the advantage above is negligible.

3.3. Review of Chinese SM2 Signature Algorithm

We build our scheme based on the Chinese SM2 signature algorithm, which consists of four sub-algorithms: Setup, KeyGen, Sign and Verify. We describe the details below:

Definition 2. 

(The Chinese SM2 Signature Algorithm.)

• Setup$\left(1^{\lambda }\right)$$\to PP$: takes $1^{\lambda }$ as input and outputs the set of public parameters $PP$.

  (1) 

  Choose a finite field ${\mathcal{F}}_q$ and generate the elliptic curve equation $E:y^2=x^3+ax+bmodq$ satisfies $a,b\in {\mathcal{F}}_q$.

  (2) 

  Randomly choose $G\in \mathbb{G}$ as a generator, where the order of it is q.

  (3) 

  Output the public parameters set $PP=\{{\mathcal{F}}_q,a,b,q,G\}$.

• KeyGen$\left(PP\right)\to (pk,sk)$: takes $PP$ as input and outputs the key pair $(pk,sk)$.

  (1) 

  Randomly choose $d\leftarrow {\mathbb{Z}}_n^{*}$ as the private key.

  (2) 

  Compute $P=\left[d\right]G$ as the public key.

  (3) 

  Output the key pair $(P,d)$.

• Sign$(d,P,m,PP)\to \sigma$: takes $sk,m$ as input and out put the signature σ.

  (1) 

  Compute hash value $Z=H\left(ENTL\right|\left|ID\right|\left|a\right|\left|b\right|\left|x_G\right|\left|y_G\right|\left|x_P\right|\left|y_P\right)$, where $P=(x_P,y_P)$.

  (2) 

  Set $M=Z\left|\right|m$ and compute $e=H_v\left(M\right)$.

  (3) 

  Randomly choose $k\in [1,q-1]$, and compute $R=\left[k\right]G=(r_x,r_y)$.

  (4) 

  Compute $r=(e+r_x)modq$. If $r=0\vee r+k=q$, then return to Sign.3).

  (5) 

  Compute $s=({(1+d)}^{-1}·(k-r·d))modq$. If $s=0$, then return to Sign.3).

  (6) 

  Output the signature as $\sigma =(r,s)$.

• Verify$(\sigma ,m,P,PP)\to 1/0$: takes the signature, $m,P,PP$ as input and output $1/0$ which represents “accept” or “invalid”.

  (1) 

  Compute hash value $Z=H\left(ENTL\right|\left|ID\right|\left|a\right|\left|b\right|\left|x_G\right|\left|y_G\right|\left|x_P\right|\left|y_P\right)$, where $P=(x_P,y_P)$.

  (2) 

  If $r\notin {\mathbb{Z}}_q^{*}\vee s\notin {\mathbb{Z}}_q^{*}$, then output 0 and end the algorithm.

  (3) 

  Set $M=Z\left|\right|m$ and compute $e=H_v\left(M\right)$.

  (4) 

  Compute $t=(r+s)modq$. If $t=0$, output 0 and end the algorithm.

  (5) 

  Compute $(r_x,r_y)=\left[s\right]G+\left[t\right]P$.

  (6) 

  Compute $R=(e+r_x)modq$. If $R=r$, output 1. Otherwise, output 0.

4. Scheme Framework and Security Definitions

4.1. System Model

We illustrate the IoT authentication system model (Figure 2) in detail. In this model, there are mainly three roles we consider (to simplify the model, we ignore the control centre in the initialization stage). We give definitions below.

• CA: The CA functions as the authentication centre which is mainly responsible for checking the identity validity of the SDV and issues certificates for it if its identity is valid to access the Internet.
• SDV: The SDV plays the role of an interface to IoT users. It provides specific functions for users in different scenarios, meeting a variety of needs. There are usually plenty of SDVs in the IoT.
• User: The user is the one who enjoys the services of the IoT. At the same time, the user verifies the certificates of SDVs before using devices.

4.2. Double-Authentication Preventing Signature

A double-authentication preventing signature (DAPS) scheme consists of four $\mathcal{PPT}$ algorithms: ($\mathsf{Setup}$, $\mathsf{KeyGen}$, $\mathsf{Sign}$, $\mathsf{Verify}$, $\mathsf{Extract}$). Our Self-C2AD follows this framework [27].

• $pp\leftarrow$$\mathsf{Setup}$$\left(1^{\lambda }\right)$: is a $\mathcal{PPT}$ algorithm, which takes the security parameter $\lambda \in \mathbb{N}$ as input, and outputs a set of public parameters $pp$.
• $(vk,sk)\leftarrow$$\mathsf{KeyGen}$$(pp,\mathcal{A})$: is a $\mathcal{PPT}$ algorithm, which takes the public parameters $pp$ and the addresses set as input and outputs key pairs for signers.
• $\sigma \leftarrow$$\mathsf{Sign}$$(pp,sk,M)$: takes input of the public parameters $pp$, the signer’s private key $sk$, and a message M (where $M=a\left|\right|p$, $a,p$ represents the address and content respectively). It returns a signature $\sigma$ as output.
• $1/0\leftarrow$$\mathsf{Verify}$$(pp,\sigma ,M,vk)$: takes input of the public parameters $pp$, the received signature from signer $\sigma$, the signed message M and the public key $vk$. The algorithm outputs 1 if the $\sigma$ is valid, otherwise it outputs 0.
• $\perp /sk\leftarrow \mathsf{Extract}$$(vk,M_1,M_2,{\sigma }_1.{\sigma }_2)$: takes input of the public key $vk$, two messages $M_1$ and $M_2$, and the corresponding signatures ${\sigma }_1$ and ${\sigma }_2$. The algorithm outputs $sk$ if the $m_1$ and $m_2$ have the same address, otherwise it returns “⊥”.

A DAPS scheme is correct if it satisfies verification correctness and key-extractability. Here, key-extractability means that there is no way that any malicious signer can prevent revelation of its private key if it produces a compromising pair of signatures (${\sigma }_1\leftarrow \mathsf{Sign}(pp,sk,a_1\left|\right|p_1)$,${\sigma }_2\leftarrow \mathsf{Sign}(pp,sk,a_2\left|\right|p_2)$, where $a_1=a_2\wedge p_1\ne p_2$).

4.3. Security Definitions

Our Dap-SM2 scheme follows the security definitions of DAPS in [33]. Since it is a subclass of a standard signature scheme, it naturally has the notion of existential unforgeability. At the same time, it has the special security property called key-extractability. We give the details as follows.

First, we define the concept of $\mathcal{SO}$:

• Sign Oracle ($\mathcal{SO}$): returns $\sigma \leftarrow$Sign$(pp,sk,a|\left|p\right)$, $Q\leftarrow Q\bigcup \left\{a\right|\left|p\right\}$ with input of $pp\leftarrow \mathsf{Setup}\left(1^{\lambda }\right)$. If $\exists p^{\prime }\ne p:\left\{a\right||p^{\prime }\}\in Q$, then it returns ⊥.

Existential Unforgeability. This is a basic requirement for any variant of signatures. DAPS schemes inherit this property from the standard signature scheme.

Definition 3. 

Dap-SM2 is existentially unforgeable under adaptive chosen-message attacks(EUF-CMA), if, for all $\mathcal{PPT}$ adversaries $\mathcal{A}$, we define its success advantage:

$${\mathbf{Adv}}_{\mathcal{A}}^{Unf}\left(\lambda \right):=\mathrm{Pr}\left[\begin{array}{c}pp\leftarrow \mathsf{Setup}\left(\lambda \right);\\ \left({\sigma }^{*}\right)\leftarrow {\mathcal{A}}^{\mathcal{SO}}\left(pp\right);\\ \mathsf{Verify}({\sigma }^{*},a^{*}||p^{*},vk,pp)=1;\\ \left\{a^{*}\right|\left|p^{*}\right\}\notin Q\end{array}\right]$$

(2)

is negligible with overwhelming probability.

Key-extractability. This is the special property of DAPS schemes. It means that there is no way that any malicious signer can prevent revelation of its private key when it produces a compromising pair of signatures. In order to capture this property, we define the predicate Comp before giving the formal definition of key-extractability.

• $1/0\leftarrow$Comp${}_{vk}\left(s{k}^{\prime }\right)$: this requires that producing $s{k}^{\prime }$ such that $1\leftarrow$Comp${}_{vk}\left(s{k}^{\prime }\right)$ if there is truly no compromising pair of signed messages.

Now, we give the formal definition of key-extractability as follows:

Definition 4. 

Self-C2AD is key-extractability, if, for all $\mathcal{PPT}$ adversaries $\mathcal{A}$, we define its success advantage:

$${\mathbf{Adv}}_{\mathcal{A}}^{Ket}\left(\lambda \right):=\mathrm{Pr}\left[\begin{array}{c}(sk,vk)\leftarrow \mathsf{KeyGen}\left(1^{\lambda }\right);\\ ({\sigma }_1,{\sigma }_2)\leftarrow \mathcal{A}(sk,vk);\\ M_1=a_1\left|\right|p_1,M_2=a_2\left|\right|p_2;\\ s{k}^{\prime }\leftarrow \mathsf{Extract}(vk,M_1,M_2,{\sigma }_1,{\sigma }_2);\\ a_1=a_2\wedge p_1\ne p_2;\\ 0\leftarrow {\mathsf{Comp}}_{vk}\left(s{k}^{\prime }\right)\end{array}\right]$$

(3)

is negligible with overwhelming probability.

5. Dap-SM2 and Self-C2AD

5.1. The Double-Authentication Preventing Signature from SM2

Based on the framework of the double-authentication preventing signature we mentioned before, we propose an efficient scheme (Dap-SM2) using an SM2 signature algorithm and describe it below. There are five algorithms included.

• Setup($1^{\lambda }$): takes $1^{\lambda }$ as input and outputs the set of public parameters $PP$.

  (1)

  Choose a finite field ${\mathcal{F}}_q$ and generate the elliptic curve equation $E:y^2=x^3+ax+bmodq$ satisfies $a,b\in {\mathcal{F}}_q$.

  (2)

  Randomly choose a generator $G(x_G,y_G)\in \mathbb{G}$ with order q.

  (3)

  Choose hash functions $H_1:\{{\mathbb{Z}}_q^{*}\times {\mathbb{Z}}_q^{*}\times {\mathbb{Z}}_q^{*}\}\to {\mathbb{Z}}_q^{*},H_2:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$.

  (4)

  Choose pseudorandom function $F(k,a)\to (x,y)$ and the X-axis extraction function $f_x\left(R\right)\to y$.

  (5)

  Output public parameters set $PP=\{{\mathcal{F}}_q,p,a,b,G,\mathbb{G},q,H_1,H_2,F,f_x\}$.

• KeyGen($PP,\mathcal{A}$): takes $PP$ and $\mathcal{A}$ as input and performs the following steps.

  (1)

  Initialize functions $vk[·]\leftarrow \perp$, $K[·]\leftarrow \perp$.

  (2)

  Randomly choose $k\leftarrow {\{0,1\}}^{\kappa }$ as SOT private key.

  (3)

  For all addresses $\alpha \in \mathcal{A}$:

  (a)

  $(d,u)\leftarrow F(k,\alpha )$.

  (b)

  Compute $v=d·{(1+d)}^{-1}$.

  (c)

  Compute $t=u·{(1+d)}^{-1}$.

  (d)

  For address as $\alpha$, compute partial public key $P=\left[d\right]G$, random element $R=\left[u\right]G$.

  (e)

  Let $vk\left[\alpha \right]\leftarrow (P,R)$.

  (f)

  Let $K\left[\alpha \right]\leftarrow k+H_1(\alpha ,v,t)$

  (4)

  Let $sk\leftarrow k$, $vk\leftarrow \left(vk\right[·],K[·\left]\right)$.

  (5)

  Return key pair $(vk,sk)$.

• Sign($PP,m,sk$): here, the signed message $m=(\alpha ,p)$.

  (1)

  Phase the message $m=(\alpha ,p)$.

  (2)

  Compute $(d,u)\leftarrow F(k,\alpha )$.

  (3)

  Compute the point $R=\left[u\right]G$.

  (4)

  Compute $r=f_x\left(R\right)$, $c=(H_2\left(p\right)+rmodq$ and $s=({(1+d)}^{-1}·(u-c·d))modq$.

  (5)

  Output the signature s.

• Verify($PP,m,s,vk$): verifier performs the following steps.

  (1)

  Phase the message $m=(\alpha ,p)$.

  (2)

  Compute $vk[·]\leftarrow vk$.

  (3)

  Compute $r=f_x\left(R\right)$, $c=(H_2\left(p\right)+rmodq$ and $(x_1,y_1)=\left[s\right]G+\left[(s+c)\right]P$.

  (4)

  Check if $x_1=r$, output 1 represents “valid” or 0 represents “invalid”.

• Extract($vk,m_1,m_2,s_1,s_2$): anyone can perform the following steps.

  (1)

  Phase the messages $m_1=({\alpha }_1,p_1)$, $m_2=({\alpha }_2,p_2)$.

  (2)

  Compute $vk[·]\leftarrow vk$.

  (3)

  If ${\alpha }_1={\alpha }_2\wedge p_1\ne p_2$, then continue. Otherwise, output “⊥”.

  (4)

  Compute $R\leftarrow vk\left[\alpha \right]$, $r=f_x\left(R\right)$, $c_1=(H_2\left(p_1\right)+rmodq$ and $c_2=(H_2\left(p_2\right)+rmodq$.

  (5)

  Compute $v=\frac{s_1-s_2}{c_2-c_1}$.

  (6)

  Compute $t=s_1+c_1·v$.

  (7)

  Compute $k\leftarrow K\left[{\alpha }_1\right]-H_1({\alpha }_1,v,t)$.

  (8)

  Return the private key of malicious user $sk\leftarrow k$.

5.2. Correctness Analysis

Definition 5. 

Dap-SM2 is correct if it satisfies verification correctness and key-extractability.

Verification Correctness. The verification correctness of our Self-C2AD follows the SM2 signature algorithm. Notice that the signature $s={(1+d)}^{-1}·(u-c·d)$; we have the following equations:

$$\begin{array}{cc}\hfill \left[s\right]G+\left[\right(s+c\left)\right]P& =\left[s\right]G+\left[\right(s+c)·d]G\hfill \\ \hfill & =\left[s\right]G+[sd+cd]G\hfill \\ \hfill & =\left[\right(s+sd+cd\left)\right]G\hfill \\ \hfill & =\left[\right(1+d)·s+cd]G\hfill \\ \hfill & =[(1+d)·{(1+d)}^{-1}·(u-cd+cd)]G\hfill \\ \hfill & =\left[u\right]G=R\hfill \end{array}$$

(4)

Since $f_x\left(R\right)=r$, the verification correctness of our proposed scheme is demonstrated.

Key-Extractability. Since the signature $s={(1+d)}^{-1}·(u-c·d)$, for the condition ${\alpha }_1={\alpha }_2\wedge p_1\ne p_2$, we have the following equations:

$$\begin{array}{cc}\hfill F(k,\alpha )& \to (d,u),c=(H_2\left(p\right)+r)modq\Rightarrow \hfill \\ \hfill d_1& =d_2,u_1=u_2,c_1\ne c_2,\hfill \\ \hfill \frac{s_1-s_2}{c_2-c_1}& =\frac{{(1+d_1)}^{-1}(c_2-c_1)d_1}{c_2-c_1}\hfill \\ \hfill & =d_1·{(1+d_1)}^{-1}=v,\hfill \\ \hfill s_1+c_1·v_1& ={(1+d_1)}^{-1}(u_1-c_1·d_1)+c_1·d_1·{(1+d_1)}^{-1}\hfill \\ \hfill & =u_1{(1+d_1)}^{-1}=t,\hfill \\ \hfill k& \leftarrow K\left[{\alpha }_1\right]-H_1({\alpha }_1,v,t)\hfill \\ \hfill sk& \leftarrow k.\hfill \end{array}$$

(5)

Therefore, the key-extractability of our proposed scheme is demonstrated.

5.3. Security Analysis

Theorem 1. 

Existential Unforgeability. Dap-SM2 satisfies existential unforgeability in ROM, if the standard SM2 signature scheme satisfies EUF-CMA.

Proof. 

In our Dap-SM2 scheme, the equations of signing and verifying are the same as the standard ones in the SM2 signature scheme. If there is a $\mathcal{PPT}$ adversary, $\mathcal{A}$ can successfully forge a signature $s^{\prime }$, which can pass the verification of Verify, and $\mathcal{A}$ can forge a valid double-authentication preventing signature on the message m based on the SM2 signature scheme.

The SM2 signature scheme is EUF-CMA in ROM. Thus, our Dap-SM2 satisfies existential unforgeability. □

Theorem 2. 

Key-Extractability. Dap-SM2 satisfies key-extractability if the generating signatures are well-formed, the hash function is collision resistant, and the correctness of key-extractability holds.

Proof. 

In our Dap-SM2 scheme, having a pair of signatures on different messages implies that there are two transcripts with the same commitment but different challenges. If the hash function is collision resistant, for two messages with different content $p_1\ne p_2$, we have $c_1\ne c_2$. If the signatures are well-formed and the correctness of key-extractability holds, there is naturally a solution which has been set to compute the private key in KeyGen which can be extracted.

Therefore, our Dap-SM2 satisfies key-extractability. □

5.4. The Self-C2AD Mechanism

Now we are ready to illustrate our Self-C2AD mechanism, the correctness and security of which follows the above Dap-SM2 scheme. First, we provide an overview of our mechanism.

As we mentioned before, there are three parties in our IoT authentication system model. When an SDV wants to access the IoT, it applies its own device ID (DID) and description ($dsp$) and chooses a CA to request. After the CA receives the request, it checks the validity of the SDV, generating its key pairs according to the CA’s DID and producing a signature on the CA’s DID and $dsp$ as a certificate if possible. When an IoT user Alice wants to use an SDV, she would first check the validity of its certificate. Notice that the main function of our mechanism is CA auditing with self-enforcement, which means that if a CA issues certificates for the ones having the same DID and different $sdp$s, its private key will inevitably be revealed. Therefore, the malicious CA can be punished immediately with self-enforcement. This process is shown in Figure 3.

We give the details of our Self-C2AD below. There are five algorithms: Initialization, KeyGen, Certificate Issue, Certificate Check and Self-Auditing.

• Initialization$\left(1^{\lambda }\right)$: this algorithm is performed by the control centre. It performs Dap-SM2.setup to generate the system parameters $PP$.
• KeyGen$(PP,\mathcal{A})$: this algorithm is performed by the CA. When a CA receives a set of applications from SDVs, it gathers DIDs into a set $\mathcal{A}$ and runs DAP-SM2. KeyGen to generate key pairs $(vk,sk)$.
• Certificate Issue$(PP,\mathrm{DID}||dsp,sk)$: this algorithm is performed by the CA. For an SDV, CA checks its validity and issues a certificate $ctf$ by generating a signature on the message $\mathrm{DID}\left|\right|dsp$ by the corresponding partial private key if possible.
• Certificate Check$(PP,\mathrm{DID}||dsp,ctf,vk)$: this algorithm is performed by the IoT user. Assuming that there is a user Alice who wants to use a SDV, she first runs Dap-SM2.Verify to check the validity of the SDV certificate. If the outcome is 1, she can use it safely, otherwise, she would give it up.
• Self-Auditing$(vk,{\mathrm{DID}}_1||ds{p}_1,{\mathrm{DID}}_2||ds{p}_2,ct{f}_1,ct{f}_2)$: this algorithm is performed automatically by the IoT system. It detects in a timely way whether there is a malicious CA issuing two $ctf$s for the same DID by performing DAP-SM2.Extract, where ${\mathrm{DID}}_1={\mathrm{DID}}_2\wedge ds{p}_1\ne ds{p}_2$. The private key of the malicious CA will be extracted in public.

Our Self-C2AD mechanism satisfies the security properties of certificate unforgeability and key-extractability, which are inherited from the existentially unforgeability under adaptive chosen-message attacks and key-extractability of Dap-SM2. We illustrate these as follows:

• Certificate Unforgeability: this means that there is no way that any $\mathcal{PPT}$ adversary can successfully forge a certificate for an SDV without obtaining the corresponding partial private key.
• Timely Key-Extractability: this means that there is no way that any malicious CA can prevent being punished if it produces a compromising pair of $ctf$s; moreover, this process is performed in a timely way.

6. Efficiency Evaluation

In this section, we benchmark our Dap-SM2 scheme and compare it with relevant schemes based on the MIRACL Cryptographic SDK (https://github.com/miracl/MIRACL, accessed on 21 August 2019) to analyse its performance and further illustrate the reference efficiency of Self-C2AD. The experiment relies on the platform Intel(R)Core(TM)i7-8700 CPU @3.20 GHz, 16.0 GM RAM and Windows 10 for a 64-bit operating system, with compiler Visual Studio 2019 in release mode. Additionally, we choose the elliptic curve and official parameters in the SM2 cryptographic standard [9] document, using the standard test data to implement and benchmark.

Here, we mainly focus on the time consumption of the four sub-algorithms, KeyGen, Sign, Verify and Extract. The experimental data show that the time consumption of these are 23.43 ms, 2.03 ms, 5.94 ms and 1.88 ms, respectively. We illustrate the results in Figure 4. Here, we set the size of the address space as 10.

More directly, we perform a comparison between the original SM2 signature and Dap-SM2, where the main focus point is still the time consumption of the sub-algorithms with the address space as 10 in Dap-SM2. Here, we neglect the Extract because it has no meaning in the original SM2. The results are shown in

Table 2. Comparison of time consumption with the original SM2 signature algorithm [9].

Scheme	Sub-Algorithm
	KeyGen (ms)	Sign (ms)	Verify (ms)
Original SM2	5.94	2.03	6.09
Dap-SM2	23.43	2.03	5.94

and Figure 5. We observe that the time consumption of the Sign and the Verify operations in our proposed Dap-SM2 scheme is comparable to that of the original SM2 signature algorithm [9]. However, it is important to emphasize that the most time-consuming part of our Dap-SM2 scheme is the KeyGen process. This is primarily due to the necessity of generating multiple keys for each address. In our CA auditing mechanism, the KeyGen operation is of significant importance as it generates the cryptographic keys required for address-specific authentication. Given that our scheme involves addressing and auditing a large number of IoT devices, the KeyGen process needs to be executed for each individual address. Consequently, this results in a considerable increase in the overall time consumption compared to the original SM2 signature algorithm. We would like to underscore the significance of this time-consuming aspect, as it directly impacts the practical feasibility and scalability of our Dap-SM2 scheme. While the Sign and Verify operations themselves demonstrate efficient performance, the extensive key generation process is an essential trade-off required to ensure the robustness and security of our CA auditing mechanism in the IoT context.

Thus, the stage of KeyGen is an important study point. In particular, we benchmark the KeyGen in our Dap-SM2 with different sizes of address space (ranging from 10 to 50). The results are shown in the following

Table 3. Time consumption of KeyGen in Dap-SM2 with different sizes of address space.

Size	Time Consuming (ms)
10	23.43
20	42.66
30	61.87
40	82.18
50	109.81

.

In order to illustrate the relationship between the time consumption and the address space size, we depict the above results in Figure 6. Here, we can easily see that there is a linear relationship between the time consumption and the address space size. We note that, in the practical IoT context, the number of authentication requests for the CA in the same period will not be very large. Even in extreme cases, the time consumption of KeyGen can still be acceptable, by inference from the above results.

Finally, we perform a comparison with the DAPS scheme in [15] (called Dap-ECDSA here), which depends on the ECDSA signature [34] with a 571-bit security level. The results are given in

Table 4. Comparison of time consumption with the scheme in [15].

Scheme	Sub-Algorithm
	KeyGen (ms)	Sign (ms)	Verify (ms)	Extract (ms)
Dap-SM2	23.43	2.03	5.94	1.88
[15]	17.71	1.21	6.65	1.13

and Figure 7.

We appreciate the opportunity to provide further clarification on this aspect of our proposed scheme and to emphasize the rationale behind the substantial time consumption during key generation. By addressing this crucial step, our Dap-SM2 scheme offers the necessary security and accountability required for effective CA auditing in the IoT landscape.

7. Conclusions

In this paper, we propose the Dap-SM2, a short and efficient double-authentication preventing signatures (DAPS) scheme derived from the SM2 signature algorithm. Our scheme addresses the crucial challenge of double-authentication in signature schemes. Moreover, we leverage the practical context of IoT to transform Dap-SM2 into a CA auditing mechanism with self-enforcement, named Self-C2AD. Through a comprehensive security analysis, we demonstrate that our proposed scheme satisfies the properties of existential unforgeability and key-extractability within the random oracle model (ROM). These properties ensure that our scheme provides strong security guarantees, protecting against various forging attempts and enabling key extraction when necessary. Furthermore, our proposed scheme underwent an efficiency evaluation, which revealed its excellent performance in terms of computation time and resource utilization. These favorable efficiency characteristics make our scheme highly suitable for real-world IoT applications, where computational constraints and resource limitations are prevalent. Overall, our contributions in this paper, including the Dap-SM2 scheme and its integration into the Self-C2AD mechanism, provide a practical solution to the challenge of double-authentication in the context of IoT. The security analysis confirms the effectiveness of our scheme, while the efficiency evaluation highlights its strong performance. We believe that our proposed scheme has great potential for a wide range of real-world IoT applications, ensuring secure and efficient operations in IoT environments. In summary, our work introduces the Dap-SM2 scheme as a robust solution to double-authentication and extends its functionality through the Self-C2AD mechanism tailored for IoT. The security analysis demonstrates its effectiveness, and the efficiency evaluation confirms its strong performance. We envision widespread adoption of our scheme in practical IoT scenarios, enhancing security and authentication mechanisms in IoT deployments.