5.3.2. Unforgeability from Adversary AII

The adversary *AII* is a malicious KGC. Because it knows *msk*, it can learn the partial keys of all participating devices. To forge A's signature, *AII* must try to generate one from the partial key, since it lacks the ability to replace the public key.

The partial key of A is *DA* = (*RA*, *zA*), where *RA* is a partial public key and *zA* is a PSK. The signature generation for the message, *mA*, is via Equation (8) and, since the full private key, *PRA*, generated by the signer, A, is used for this, the KGC cannot forge a signature using only *zA*. It should be impossible to forge the signer's signature using only external public parameters, including in this *AII* scenario.
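The argument above can be seen in a small added example, which is not the paper's code and does not reproduce its Equation (8): a generic Schnorr-style certificateless signature in which signing needs both the signer's secret value and *zA*. As assumptions, the elliptic curve is replaced by a toy group modulo the Mersenne prime 2^127 − 1, and the names `kgc_partial_key`, `user_keygen`, `sign` and `verify` are illustrative.

```python
# Added example: generic Schnorr-style certificateless signature (NOT the paper's Eq. (8)).
# Assumption: integers mod the Mersenne prime 2^127-1 stand in for the elliptic curve.
import hashlib
import secrets

P = 2**127 - 1   # toy modulus, far too small for real use
N = P - 1        # exponents are reduced mod P-1 (Fermat's little theorem)
G = 3            # base element (assumed)

def H(*parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def kgc_setup():
    msk = secrets.randbelow(N - 1) + 1
    return msk, pow(G, msk, P)                    # (msk, P_pub)

def kgc_partial_key(msk, ident):
    k = secrets.randbelow(N - 1) + 1
    R = pow(G, k, P)
    z = (k + H(ident, R) * msk) % N               # partial private key z_A
    return R, z                                   # D_A = (R_A, z_A)

def user_keygen():
    x = secrets.randbelow(N - 1) + 1              # secret value known only to the signer
    return x, pow(G, x, P)                        # (x_A, X_A)

def sign(msg, ident, X, x, z):
    r = secrets.randbelow(N - 1) + 1
    U = pow(G, r, P)
    h = H(msg, U, ident, X)
    return U, (r + h * (x + z)) % N               # needs the full key (x_A, z_A)

def verify(msg, ident, X, R, P_pub, sig):
    U, s = sig
    h = H(msg, U, ident, X)
    Z = (R * pow(P_pub, H(ident, R), P)) % P      # g^{z_A} rebuilt from public values
    return pow(G, s, P) == (U * pow((X * Z) % P, h, P)) % P

def demo():
    msk, P_pub = kgc_setup()
    R, z = kgc_partial_key(msk, "device-A")       # constructed identity
    x, X = user_keygen()
    honest = sign("m_A", "device-A", X, x, z)
    # A_II knows msk and z_A but not x_A, and cannot replace X_A:
    x_guess, _ = user_keygen()
    forged = sign("m_A", "device-A", X, x_guess, z)
    public = ("m_A", "device-A", X, R, P_pub)
    return verify(*public, honest), verify(*public, forged)
```

`demo()` returns `(True, False)`: the signature made with the full key verifies, while the one built from *zA* and a guessed secret value is rejected against A's real public key.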



O (X): scheme is strong (weak) in this category, KGC: key generation center.

In particular, because the arbitrated signature in the proposed scheme is performed through a gateway called the arbitrator, non-repudiation can be strengthened. The arbitrator sits between the signer and the verifier to protect the validity of the signature and to prevent repudiation by the signer; if the gateway performs its arbitrated signature properly, it can prevent forgery of the signature.

#### **6. Efficiency Analysis**

Another important requirement in the IoT environment is efficiency. In this environment, in which a large number of heterogeneous devices participate in communication, efficiency of the protocol is required so that it can operate even for devices with low computational performance. This includes reducing the amount of computation, and this section compares the existing schemes with the execution time of the proposed CL-AAS.

The simulation environment constructed in this paper is an Intel i5-4690 processor at 3.50 GHz, 16 GB of memory, and the Windows 10 operating system. Additionally, to provide security strength like 1024-bit RSA and ECC group, it uses the Koblitz elliptic curve *y*<sup>2</sup> = *x*<sup>3</sup> + *ax* + *b* (mod *p*), where *a* = 1 and *b* is a 163-bit random prime defined on *F*<sub>2<sup>163</sup></sub>. Table 2 compares the execution times of the cryptographic operations. The proposed CL-AAS scheme is computationally efficient compared with the existing schemes [29–34], as shown in Table 3 and in Figure 9, which plots the total execution time against the number of signatures being aggregated. As the number of messages and signatures being aggregated increases, the total times for the aggregated signature and for the verification process increase in direct proportion.


**Table 2.** Comparison of execution times with cryptographic operation.

**Figure 9.** Comparison of execution time between proposed and existing schemes.


**Table 3.** Efficiency analysis of the proposed scheme.

H: One-way hash function, E: Modular exponential operation. EA: Elliptic curve addition operation, EM: Elliptic curve scalar multiple operation. See references for definitions of variables in the forms of the signatures.

**Total operation time (ms, n = 100):** 92.7874, 635.1078, 49.5076, 139.1076, 227.4574, 182.9232, 48.8766

The proposed scheme uses no pairing operation and, compared with other pairing-free schemes, applies elliptic-curve addition and multiplication operations efficiently to reduce the total operation time. In addition, since the tag, *T*, for verification is also aggregated for all the messages together, only the part of the public key that the verifier actually acquires and directly calculates is included. As a result, storage, such as that of a gateway or server, can save space, and the verification overhead for the verifier is reduced.
