Senshan Ouyang, Xiang Liu, Lei Liu, Shangchao Wang, Baichuan Shao and Yang Zhao★
1 School of Mechanical Engineering, Northwestern Polytechnical University, Xi'an, China
2 Department of Process and Information Technology, Chengdu Aircraft Industrial (Group) Co., Ltd., Chengdu, China
3 School of Information and Software Engineering, The Network and Data Security Key Laboratory of Sichuan Province, University of Electronic Science and Technology of China, Chengdu, China
ABSTRACT
With the continuous expansion of the Industrial Internet of Things (IIoT), more and more organisations are placing large amounts of data in the cloud to reduce overheads. However, the channel between cloud servers and smart equipment is not trustworthy, so the issue of data authenticity needs to be addressed. The SM2 digital signature algorithm can provide an authentication mechanism for data to solve such problems. Unfortunately, it still suffers from the problem of key exposure. In order to address this concern, this study first introduces a key-insulated scheme, SM2-KI-SIGN, based on the SM2 algorithm. This scheme boasts strong key insulation and secure key updates. Our scheme uses the elliptic curve algorithm, which is not only more efficient but also more suitable for IIoT-cloud environments. Finally, the security proof of SM2-KI-SIGN is given under the Elliptic Curve Discrete Logarithm (ECDL) assumption in the random oracle model.
KEYWORDS
Key-insulated; SM2 algorithm; digital signature; Industrial Internet of Things (IIoT); provable security
In recent years, the Industrial Internet of Things (IIoT), a core subset of the Internet of Things (IoT) [1,2], has seen rapid development and has brought substantial and sustainable advancement to industries [3]. The IIoT connects sensors, smart devices and actuators to the existing Internet through Wireless Sensor Networks (WSNs) [4]. In an IIoT environment, all smart devices can monitor, transmit, collect, and analyze information automatically. Compared to traditional industries, IIoT achieves more efficient and sustainable production, significantly reducing operating costs and resource consumption [5]. Consequently, the implementation of IIoT-centered smart industry plays a significant role in promoting the development of the traditional manufacturing industry into a smart manufacturing industry [6]. However, although IIoT brings plenty of benefits, it also faces thorny data processing issues. Of particular concern is the huge amount of data that is monitored and collected by IIoT smart devices; how to store and process this big data raises serious challenges [7]. Fortunately, cloud computing provides a solution to the aforementioned problems [8]. Cloud computing offers broad network access and resource pooling, as well as formidable processing power at low cost [9]. In an IIoT-cloud computing environment, the challenges of big data collection, storage and processing can be properly solved [10].
Although the IIoT-cloud computing environment brings new ideas for solving the aforementioned problems, the authenticity and integrity of the data still need to be addressed urgently [5]. Generally, the channel between the cloud server and the smart device is considered undependable [11]. Therefore, ensuring that data is not maliciously intercepted and modified during transmission, and that its authenticity can be checked on arrival, is a very difficult challenge. Digital signatures are a promising cryptographic primitive to address these challenges [12] (we give an example of a digital signature in Fig. 1). The data can be signed with the signer's private key before it is sent from the smart device to the cloud server. The recipient, in turn, can verify the integrity and origin of the message by verifying the signature [4]. Consequently, a series of public key infrastructure (PKI) signature protocols were progressively presented [13].
Figure 1 :Digital signature
In a PKI-based digital signature system, a trusted certification authority (CA) binds a user's identity to the corresponding public key by issuing a certificate. In 1976, the concept of the digital signature was first proposed by Diffie et al. [14]; it is through that paper that the foundation of Public Key Cryptography (PKC) was established. In the following decades, Public Key Infrastructure (PKI) became the most widely applied authentication architecture for traditional PKC-based schemes. Based on this work, the U.S. government released a Federal Information Processing Standard, the Digital Signature Standard (DSS), and the Chinese government adopted the RSA digital signature scheme.
With the development of cryptography and computing technology, the commonly used 1024-bit RSA algorithm is facing serious security threats. In 1987, Elliptic Curve Cryptography (ECC), which outperforms traditional cryptosystems (such as RSA and DSA) in security and efficiency at a given key size, was first proposed [15]. On December 17, 2010, the public key cryptographic algorithm SM2 was published by the Chinese State Cryptography Administration [16]; it is also based on ECC. Notably, it has been standardized by ISO/IEC in ISO/IEC 14888-3:2016/DAMD 1 [17]. Since the algorithm is based on ECC, its signing speed and key generation speed are faster than RSA's, and the security strength of 256-bit SM2 already exceeds that of 2048-bit RSA. To demonstrate the advantages of SM2 over RSA more intuitively, we compare the two along the dimensions of security and speed; the results are listed in Tables 1 and 2. Thus, SM2 offers better performance and security: high cryptographic strength, fast processing speed, and lower machine resource consumption. The SM2 algorithm is now widely deployed in many fields, such as electronic authentication systems, e-commerce systems and e-government systems.
Table 1 : The comparison of security between SM2 and RSA
Table 2 : The comparison of speed between SM2 and RSA
Another inevitable thorny problem is key exposure, since signing operations are often executed frequently on insecure smart devices, and key exposure leads to disastrous consequences. The key-insulated primitive was first given by Dodis et al. in 2002 [18]. This cryptographic primitive effectively deals with the problem of catastrophic key exposure. The signer's temporary signing key evolves with the assistance of a helper: without an update message from the helper, the signer's key cannot be updated from the last time period to the current one. As long as the helper's key stays secure, an adversary who compromises the signer can only forge signatures for the current time period rather than for the next one. After that, a strong key-insulated signature scheme was proposed by Dodis et al. [19]. Then a number of well-designed key-insulated schemes were gradually constructed based on the work of Hanaoka et al. [20–22]. It is worth noting that the scheme proposed by Zhou et al. [22] does not have the strong key-insulated property, which means that an adversary can forge signatures as a legitimate user if the helper's key is compromised. Therefore, Weng et al. [23] proposed a promising idea, namely secure key-updates, which has since been widely applied.
Given the above analysis, the SM2 digital signature algorithm faces the key exposure issue when it is integrated into the IIoT-cloud computing environment. This problem has attracted widespread attention from domestic and international authors [24,25]. To address it, we propose an efficient and provably secure key-insulated signature scheme based on SM2 (SM2-KI-SIGN) for the IIoT-cloud environment. Our scheme is inspired by the idea of secure key-updates [23] and has both the strong key-insulated and the secure key-updates properties. However, it is more efficient than the scheme of Weng et al. [23] due to the use of Elliptic Curve Cryptography (ECC).
Our core contributions in this paper are as follows:
1) Introduction of an efficient and secure key-insulated signature scheme based on the SM2 cryptosystem, termed SM2-KI-SIGN;
2) Demonstration that SM2-KI-SIGN achieves EUF-CMA (existential unforgeability under chosen message attacks) and has the key-insulated property, thereby efficiently mitigating the key exposure issue;
3) Empirical validation of the efficiency and applicability of SM2-KI-SIGN through experimental simulations and performance assessments.
The rest of this paper is organized as follows. In Section 2, we give the corresponding preliminaries, such as elliptic curves, the security assumption, and the system framework. In Section 3, the concrete construction of SM2-KI-SIGN is provided. In Section 4, the associated security proof and the theoretical and experimental evaluation are given. Finally, Section 5 summarizes this paper.
Let $E(\mathbb{F}_p)$ be an elliptic curve over $\mathbb{F}_p$ with $G \in E(\mathbb{F}_p)$, and let $P, Q \in E(\mathbb{F}_p)$ be two points of prime order $q$, with $Q$ a multiple of $P$. If there exists an integer $l \in [0, q-1]$ such that $Q = l \cdot P$, then recovering $l$ from $P$ and $Q$ is the ECDL problem.
A P.P.T. algorithm $\mathcal{A}$ has advantage at least $\varepsilon$ in solving the ECDL problem in $E(\mathbb{F}_p)$ if
$\Pr[\mathcal{A}(P, Q) = l \mid Q = l \cdot P,\ l \in \mathbb{Z}_q^*] \geq \varepsilon .$
The ECDL assumption states that $\varepsilon$ is negligible for every such $\mathcal{A}$.
Let $\mathbb{G}$ be an additive group and $\mathbb{G}_T$ a multiplicative group, both of the same prime order $q$, and let $P$ be a generator of $\mathbb{G}$. A bilinear map $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ satisfies the following properties:
1) Bilinearity: $\forall m, n \in \mathbb{Z}_q^*$, $e(mP, nP) = e(P, P)^{mn}$.
2) Non-degeneracy: $e(P, P) \neq 1$.
3) Computability: there exists an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in \mathbb{G}$.
In recent decades, Elliptic Curve Cryptography (ECC) has been widely studied and applied. In 1985, the mathematician Victor Miller studied elliptic curves in cryptography and conjectured that it was highly unlikely that index calculus methods would work for elliptic curves. ECC is a public key cryptography method based on the algebraic structure of elliptic curves over a finite field, allowing the use of smaller keys to provide equivalent security. Elliptic curves are now applied to tasks such as key agreement, digital signatures and pseudo-random generation. Because ECC uses smaller keys, it reduces storage and transmission costs, and thus adapts well to the IIoT-cloud environment.
The notations presented in the SM2-KI-SIGN scheme are defined in Table 3.
Table 3 : Notations
The SM2-KI-SIGN scheme consists of the six algorithms described below:
1) Setup: On input the security parameter $k$, the KGC produces the public parameters params.
2) KeyGen: Given params, the user generates his/her own key pair $(d, P)$ as well as the helper's key pair $(hk, HK)$, and the helper derives the initial temporary key $T_0$ for time period $t_0$.
3) Upd*: On input params and two time period indices $t_i$ and $t_j$, the helper outputs the partial temporary key $PSK_{i,j}$.
4) Upd: On input params, $t_i$, $T_j$ and $PSK_{i,j}$, the signer outputs the temporary key $T_i$.
5) Sign: On input params, $t_i$, $T_i$ and a message $m$, the signer generates a signature $\sigma$ on $m$.
6) Verify: On input params, $P$, $HK$ and a message-signature pair $(m, \sigma)$, the verifier outputs 1 when the signature is valid.
In this section, we elaborate the detailed construction of the proposed SM2-KI-SIGN digital signature scheme. It consists of the six algorithms listed below; among them, Upd* and Upd are designed to address the problem of key exposure. The flow of interaction between the entities in SM2-KI-SIGN is illustrated in Fig. 2.
1. Setup: On input the security parameter $k$, the administrator operates as follows:
· Generate an elliptic curve $E: y^2 = x^3 + ax + b$ over a finite field $\mathbb{F}_p$ with non-zero discriminant, i.e. $4a^3 + 27b^2 \neq 0 \pmod p$. Here $p$ and $q$ are two large primes, $p$ is the size of $\mathbb{F}_p$, and $(p, a, b, q)$ are the parameters of the curve.
· Select $G \in_R E(\mathbb{F}_p)$ as a generator and let $q$ be the order of $G$.
· Select three cryptographic hash functions $H_1: \{0,1\}^* \to E(\mathbb{F}_p)$, $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_3: \{0,1\}^* \to \{0,1\}^{256}$.
· Set the public parameters params $= (p, a, b, q, G)$ and output them together with $H_1$, $H_2$ and $H_3$.
2. KeyGen: On input params, the user operates as follows:
· Select $d \in_R \mathbb{Z}_q^*$ as the private key.
· Calculate $P = d \cdot G$ and set $P$ as the public key.
· Output the key pair $(d, P)$.
Given the initial time period $t_0$, the helper for the user executes as follows:
· Select $hk \in_R \mathbb{Z}_q^*$ as the helper's private key.
· Calculate the helper's public key $HK = hk \cdot G$.
· Output $(hk, HK)$.
· Calculate the time period point $X_0 = H_1(t_0)$ and the initial temporary key $T_0 = hk \cdot X_0$.
3. Upd*: On input two time period indices $t_i$ and $t_j$, the helper for the user executes as follows:
· Calculate $X_{i,j} = H_1(t_i) - H_1(t_j)$.
· Calculate the partial temporary key $PSK_{i,j} = hk \cdot X_{i,j}$.
· Return $PSK_{i,j}$.
4. Upd: On input a time period index $t_i$, the partial temporary key $PSK_{i,j}$ and the temporary key $T_j$, the signer obtains the temporary key for time period $t_i$ as follows:
· Set $T_i = T_j + PSK_{i,j}$.
· Return the temporary key $T_i$.
5. Sign: On input params, the message $m$ to be signed, the time period index $t_i$, the temporary key $T_i$ and the private key $d$, the signer operates as follows:
· Calculate $Z = H_3(\mathrm{ENTL}_{ID} \,\|\, ID \,\|\, a \,\|\, b \,\|\, G \,\|\, x \,\|\, y)$, where $\mathrm{ENTL}_{ID}$ denotes the bit length of the signer's $ID$ and $(x, y)$ are the coordinates of the public key $P$ (as in SM2).
· Calculate $\bar{M} = Z \,\|\, m$ and $e = H_2(\bar{M})$.
· Select $k \in_R \mathbb{Z}_q^*$ and calculate $K = k \cdot G$.
· Calculate $K' = K + k \cdot T_i = (x_1, y_1)$ and $r = (x_1 + e) \bmod q$.
· Calculate $s = (1 + d)^{-1} \cdot (k - r \cdot d) \bmod q$.
· Calculate $\varphi = (1 + hk)^{-1} \cdot (k - r \cdot hk) \bmod q$.
· Output the signature $\sigma = (r, s, \varphi)$.
6. Verify: On input params, the public key $P = d \cdot G$, the helper's public key $HK = hk \cdot G$, the time period index $t_i$ with its period point $X_i = H_1(t_i)$ and temporary key $T_i$, the message $m$ and the signature $\sigma = (r, s, \varphi)$, the verifier operates as follows:
· Calculate $Z = H_3(\mathrm{ENTL}_{ID} \,\|\, ID \,\|\, a \,\|\, b \,\|\, G \,\|\, x \,\|\, y)$, with $\mathrm{ENTL}_{ID}$ and $(x, y)$ defined as in Sign, and then $e = H_2(Z \,\|\, m)$.
· If $r \notin [1, q-1]$, the verification fails; terminate the algorithm.
· If $s \notin [1, q-1]$, the verification fails; terminate the algorithm.
· Calculate $t = (r + s) \bmod q$. If $t = 0$, the verification fails; terminate the algorithm.
· Calculate $\psi = (r + \varphi) \bmod q$. If $\psi = 0$, the verification fails; terminate the algorithm.
· Calculate $(x_1, y_1) = s \cdot G + t \cdot P + \varphi \cdot X_i + \psi \cdot T_i$.
· Calculate $R = (e + x_1) \bmod q$. If $R = r$, the signature is valid and the verification passes; otherwise the verification fails.
7. Correctness
$$\begin{aligned}
(x_1, y_1) &= s \cdot G + t \cdot P + \varphi \cdot X_i + \psi \cdot T_i \\
&= s \cdot G + (r + s) \cdot P + \varphi \cdot X_i + (r + \varphi) \cdot T_i \\
&= s \cdot G + (r + s) \cdot d \cdot G + \varphi \cdot X_i + (r + \varphi) \cdot hk \cdot X_i \\
&= (1 + d) \cdot s \cdot G + r \cdot d \cdot G + (1 + hk) \cdot \varphi \cdot X_i + r \cdot hk \cdot X_i \\
&= (1 + d)(1 + d)^{-1}(k - r \cdot d) \cdot G + r \cdot d \cdot G + (1 + hk)(1 + hk)^{-1}(k - r \cdot hk) \cdot X_i + r \cdot hk \cdot X_i \\
&= (k - r \cdot d) \cdot G + r \cdot d \cdot G + (k - r \cdot hk) \cdot X_i + r \cdot hk \cdot X_i \\
&= k \cdot G + k \cdot X_i
\end{aligned}$$
Hence the verifier recomputes the point $k \cdot G + k \cdot X_i$, and $R = (e + x_1) \bmod q = r$ holds whenever the signer computed $(x_1, y_1)$ as this same point.
Figure 2 :Process of SM2-KI-SIGN scheme
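The six algorithms above, worked end to end in Python as an added example (this is not the paper's code). The block uses the SM2 recommended curve parameters, with SHA-256 standing in for SM3 and a try-and-increment hash-to-curve for $H_1$; both are assumptions, since the page fixes neither. Two further points follow the equations rather than the prose: the signer's combined point is formed as $k \cdot G + k \cdot X_i$, which is the value the correctness derivation reduces to (the Sign step as printed writes $T_i$ in that position), and the verifier is handed $X_i$ and $T_i$ for the period because the verification equation uses both ($HK$ is listed as a verifier input but does not appear in the equation, so it is not passed). The identity, period labels and message are constructed sample data.

```python
"""SM2-KI-SIGN walk-through (added example, not the paper's code). SHA-256 stands in
for SM3 and H1 is a try-and-increment hash-to-curve (both assumptions); the signer's
combined point is k*G + k*X_i, the value the correctness derivation reduces to."""
import hashlib
import secrets

# SM2 recommended curve (GM/T 0003-2012): y^2 = x^3 + A*x + B over F_p, G of prime order N
P_MOD = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def ec_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if x1 == x2:  # doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, p):  # double-and-add scalar multiplication
    acc = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, p)
        p, k = ec_add(p, p), k >> 1
    return acc

def h3(data):  # H3: {0,1}* -> {0,1}^256 (SHA-256 in place of SM3)
    return hashlib.sha256(data).digest()

def h2(data):  # H2: {0,1}* -> Z_q^*
    return int.from_bytes(h3(data), "big") % (N - 1) + 1

def h1(data):  # H1: {0,1}* -> E(F_p) by try-and-increment; the sqrt is valid since p = 3 mod 4
    for ctr in range(2 ** 32):
        x = int.from_bytes(h3(data + ctr.to_bytes(4, "big")), "big") % P_MOD
        rhs = (pow(x, 3, P_MOD) + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
        if y * y % P_MOD == rhs:
            return (x, y)

def z_value(ident, pub):  # Z = H3(ENTL_ID || ID || a || b || x_G || y_G || x_P || y_P), as in SM2
    entl = (8 * len(ident)).to_bytes(2, "big")
    return h3(entl + ident + b"".join(v.to_bytes(32, "big") for v in (A, B, *G, *pub)))

def keygen():  # KeyGen: user key pair (d, P) and helper key pair (hk, HK)
    d, hk = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G), hk, ec_mul(hk, G)

def upd_star(hk, t_i, t_j):  # Upd* (helper): PSK_{i,j} = hk * (H1(t_i) - H1(t_j))
    xj = h1(t_j)
    return ec_mul(hk, ec_add(h1(t_i), (xj[0], -xj[1] % P_MOD)))

def upd(t_key_j, psk_ij):  # Upd (signer): T_i = T_j + PSK_{i,j}
    return ec_add(t_key_j, psk_ij)

def sign(d, hk, pub, ident, t_i, msg):  # Sign: sigma = (r, s, phi)
    x_i, e = h1(t_i), h2(z_value(ident, pub) + msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        kp = ec_add(ec_mul(k, G), ec_mul(k, x_i))  # K' = k*G + k*X_i = (x1, y1)
        r = (kp[0] + e) % N if kp else 0
        if r == 0 or r + k == N:  # SM2 rejection rule; it also keeps r+s and r+phi nonzero
            continue
        s = pow(1 + d, -1, N) * (k - r * d) % N
        phi = pow(1 + hk, -1, N) * (k - r * hk) % N
        if s and phi:
            return (r, s, phi)

def verify(pub, ident, x_i, t_key_i, msg, sig):
    """Verify: (x1, y1) = s*G + (r+s)*P + phi*X_i + (r+phi)*T_i; accept iff (e + x1) mod q == r."""
    r, s, phi = sig
    t, psi = (r + s) % N, (r + phi) % N
    if not all(1 <= v < N for v in (r, s, phi)) or t == 0 or psi == 0:
        return False
    pt = ec_add(ec_add(ec_mul(s, G), ec_mul(t, pub)),
                ec_add(ec_mul(phi, x_i), ec_mul(psi, t_key_i)))
    return pt is not None and (h2(z_value(ident, pub) + msg) + pt[0]) % N == r

def demo():  # evolve T_0 -> T_1 via the helper, sign in period 1, verify three cases
    d, pub, hk, _hk_pub = keygen()
    ident, msg = b"sensor-0042@plant", b"temperature=71.3C"  # constructed sample data
    t0, t1 = b"2024-01", b"2024-02"                           # constructed period labels
    t_key_0 = ec_mul(hk, h1(t0))                   # T_0 = hk * X_0 (KeyGen)
    t_key_1 = upd(t_key_0, upd_star(hk, t1, t0))   # Upd*/Upd: T_1 = T_0 + PSK_{1,0}
    evolved_ok = t_key_1 == ec_mul(hk, h1(t1))     # equals hk * X_1 computed directly
    sig = sign(d, hk, pub, ident, t1, msg)
    return (evolved_ok,
            verify(pub, ident, h1(t1), t_key_1, msg, sig),         # genuine
            verify(pub, ident, h1(t1), t_key_1, msg + b"!", sig),  # tampered message
            verify(pub, ident, h1(t0), t_key_0, msg, sig))         # wrong period
```

Calling demo() returns (True, True, False, False): the temporary key evolved through Upd* and Upd equals $hk \cdot X_1$ computed directly, the genuine signature verifies, a modified message is rejected, and verifying against the previous period's $X_0$ and $T_0$ fails because $r$ is bound to the period point through $x_1$.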
1) Theorem 1. The SM2-KI-SIGN scheme we propose is perfectly key-insulated against a P.P.T. adversary $\mathcal{A}$ in the game.
Proof: Given an ECDL problem instance $(P, P_0)$ with $P_0 = a \cdot P$ for an unknown $a \in_R \mathbb{Z}_q^*$, where $P$ is $G$, the simulator $\mathcal{B}$ aims to compute $a$; $\mathcal{B}$ controls the random oracles.
Setup: First, $\mathcal{B}$ initializes $\mathcal{A}$ with $P_{KGC} = P_0$, then sends the public parameters params $= (p, a, b, q, G)$ and $(P, P_{KGC})$ to $\mathcal{A}$.
Query: The interaction between the adversary $\mathcal{A}$ and $\mathcal{B}$ proceeds as follows; $\mathcal{A}$ may issue queries adaptively.
1) $H_1$ query: $\mathcal{B}$ maintains a list $L_1$ of tuples $(t_i, X_i)$. When $\mathcal{A}$ queries the $H_1$ oracle on $t_i$, $\mathcal{B}$ first searches $L_1$. If $L_1$ contains $(t_i, X_i)$, $\mathcal{B}$ answers $\mathcal{A}$ with $X_i$. Otherwise, $\mathcal{B}$ selects $X_i \in_R E(\mathbb{F}_p)$, returns $X_i$ to $\mathcal{A}$ and inserts $(t_i, X_i)$ into $L_1$.
2) $H_2$ query: $\mathcal{B}$ maintains a list $L_2$ of tuples $(\bar{M}, e)$. When $\mathcal{A}$ queries the $H_2$ oracle on $\bar{M}$, $\mathcal{B}$ first searches $L_2$. If $L_2$ contains $(\bar{M}, e)$, $\mathcal{B}$ answers with $e$. Otherwise, $\mathcal{B}$ selects $e \in_R \mathbb{Z}_q^*$, returns $e$ to $\mathcal{A}$ and inserts $(\bar{M}, e)$ into $L_2$.
3) $H_3$ query: $\mathcal{B}$ maintains a list $L_3$ of tuples $(ID, Z)$. When $\mathcal{A}$ queries the $H_3$ oracle on $ID$, $\mathcal{B}$ first searches $L_3$. If $L_3$ contains $(ID, Z)$, $\mathcal{B}$ answers with $Z$. Otherwise, $\mathcal{B}$ selects $Z \in_R \{0,1\}^{256}$, returns $Z$ to $\mathcal{A}$ and inserts $(ID, Z)$ into $L_3$.
4) Extract-Private-Key: $\mathcal{B}$ maintains a list $L_{pri}$ of tuples $(ID, d, hk, PSK_{i,j})$. When the identity $ID$ is submitted to this oracle, $\mathcal{B}$ searches $L_{pri}$. If $ID = ID_I$ (the target identity), $\mathcal{B}$ aborts the simulation (event $E_1$). Otherwise, if $L_{pri}$ contains $(ID, d, hk, PSK_{i,j})$, $\mathcal{B}$ answers $\mathcal{A}$ with $(d, hk, PSK_{i,j})$; if it does not, $\mathcal{B}$ chooses $d_i, hk_i \in_R \mathbb{Z}_q^*$, computes $PSK_{i,j} = hk_i \cdot X_{i,j}$, inserts $(ID, d_i, hk_i, PSK_{i,j})$ into $L_{pri}$ and answers $\mathcal{A}$ with $(d_i, hk_i, PSK_{i,j})$.
5) Extract-Public-Key: $\mathcal{B}$ maintains a list $L_{pub}$ of tuples $(ID, P, HK)$. When the identity $ID$ is submitted to this oracle, $\mathcal{B}$ searches $L_{pub}$. If $L_{pub}$ contains $(ID, P, HK)$, $\mathcal{B}$ answers with $(ID, P, HK)$. Otherwise, $\mathcal{B}$ queries $L_{par}$ and $L_{pri}$, computes $P = d \cdot G$ and $HK = hk \cdot G$, inserts $(ID, P, HK)$ into $L_{pub}$, and answers $\mathcal{A}$ with $(ID, P, HK)$.
6) Public-Key-Replace: When $\mathcal{A}$ submits $(ID, P', HK')$, $\mathcal{B}$ searches $L_{pub}$. If $L_{pub}$ does not contain an entry for $ID$, $\mathcal{B}$ first performs an Extract-Public-Key query on $ID$; it then sets $P = P'$, $HK = HK'$ and updates $L_{pub}$ with $(ID, P, HK)$.
7) Signature query: When $\mathcal{A}$ submits $(ID, M')$, $\mathcal{B}$ picks $a \in_R \mathbb{Z}_q^*$, sets $hk = a$ and $\varphi = (1 + hk)^{-1} \cdot (k - r \cdot hk) \bmod q$, and returns a valid signature $\sigma$ to $\mathcal{A}$.
Forgery: After polynomially many queries, $\mathcal{A}$ forges a signature $\sigma = (r_1, s_1, \varphi_1)$ on $(ID^*, M)$ with non-negligible probability $\varepsilon$. If $ID^* \neq ID_I$, the challenge of $\mathcal{B}$ fails and it stops (event $E_2$); otherwise the forgery is useful. Then, by the forking lemma, $\mathcal{A}$ is replayed with different hash values and two more signatures $(r_2, s_2, \varphi_2)$ and $(r_3, s_3, \varphi_3)$ are generated, satisfying
$(x_1, y_1) = s_j \cdot G + t_j \cdot P + \varphi_j \cdot X_I + \psi_j \cdot T_I, \quad j = 1, 2, 3.$
Set $(x_1, y_1) = c \cdot G + c \cdot T_i$. Because $P_0 = a \cdot P \cdot G$ and $T_i' = v \cdot P \cdot X_i$, we obtain $c = s_j + a \cdot P \cdot G + \varphi_j + v \cdot P \cdot X_i$.
The three unknowns $c$, $a$ and $v$ appear in three linearly independent equations, so combining them yields the value of $a$, and $\mathcal{B}$ solves the ECDLP instance using the capabilities of $\mathcal{A}$. For the forgery to succeed, the following three events must occur:
1) $\pi_1$: no partial private key query has been made on the target identity, i.e. event $E_1$ does not occur;
2) $\pi_2$: the forged signature on message $M^*$ is valid;
3) $\pi_3$: the forged signature is ID-consistent, i.e. event $E_2$ does not occur, with probability $\Pr[\pi_3 \mid \pi_1 \wedge \pi_2]$.
Thus, using the ability of $\mathcal{A}$, $\mathcal{B}$ solves the ECDLP instance in polynomial time with non-negligible probability $\varepsilon' = \Pr[\pi_1 \wedge \pi_2 \wedge \pi_3] = \Pr[\pi_1] \cdot \Pr[\pi_2 \mid \pi_1] \cdot \Pr[\pi_3 \mid \pi_1 \wedge \pi_2]$, which contradicts the hardness of the ECDLP. Hence the scheme resists existential forgery by an adaptive chosen message attacker $\mathcal{A}$.
2) Theorem 2. The proposed SM2-KI-SIGN is strong key-insulated secure against the adversary $\mathcal{B}$.
Proof: The adversary $\mathcal{B}$ has non-negligible probability $\varepsilon'$. The proof is the same as that of Theorem 1, so we omit it here.
3) Theorem 3. The SM2-KI-SIGN scheme we propose in this paper has secure key updates.
Proof: For any period indices $t_i$ and $t_j$, the update key $PSK_{i,j}$ can be derived from $T_i$ and $T_j$ (by Upd, $PSK_{i,j} = T_i - T_j$).
4) Theorem 4. The proposed SM2-KI-SIGN is secure against EUF-CMA.
Proof: Assume first that a P.P.T. adversary $\mathcal{A}$ can exchange information with the signer. Then $K'$, $r$, $s$ and $\varphi$ can be viewed by $\mathcal{A}$ during the key-insulated signature generation, where $s = (1 + d)^{-1} \cdot (k - r \cdot d) \bmod q$ and $\varphi = (1 + hk)^{-1} \cdot (k - r \cdot hk) \bmod q$. If $\mathcal{A}$ wants to recover $d$ and $hk$ from $s$ and $\varphi$, he/she must first obtain $k$. Although $\mathcal{A}$ knows $K' = k \cdot G + k \cdot T_i$, computing $k$ from it (or from $K = k \cdot G$) is an ECDLP. If the ECDLP is hard, then the private keys cannot be recovered by $\mathcal{A}$ from the exchanged information. In our SM2-KI-SIGN scheme, the signing and verification equations are consistent with those of the SM2 digital signature scheme, so SM2-KI-SIGN is unforgeable under EUF-CMA since the SM2 signature scheme itself satisfies EUF-CMA.
To certify the efficiency and feasibility of the proposed SM2-KI-SIGN scheme, we compare it with existing works in this subsection. The comparison results are presented in figures and tables.
In Table 4, we summarise and compare the properties of the SM2-KI-SIGN scheme and other relevant schemes along three dimensions: strong key-insulation, secure key-updates and security assumption. The symbol "√" indicates that the scheme satisfies the corresponding property, and the symbol "×" means that it does not. Our proposed SM2-KI-SIGN scheme satisfies all properties and is proven secure under the standard ECDLP assumption, which is weaker than the security assumptions of the other schemes.
Table 4 : The comparison of properties
A simulation experiment run on a Windows 10 computer with an Intel Core i7-6700 @ 2.60 GHz processor and 8 GB of RAM is given in this section. The schemes are implemented in IntelliJ IDEA with the Java Pairing-Based Cryptography (JPBC) library. To achieve the same security level as 1024-bit RSA, the pairing-based schemes use the supersingular curve $y^2 = x^3 + x \pmod p$ with embedding degree 2, where $q = 2^{159} + 2^{17} + 1$ is a 160-bit Solinas prime and $p = 12qr - 1$ is a 512-bit prime. For the ECC-based scheme, to offer an equivalent security level, we use the Koblitz elliptic curve $y^2 = x^3 + a \cdot x + b$ defined over $\mathbb{F}_{2^{163}}$ to provide the ECC group. In Table 5, a theoretical evaluation of the signature length, signing cost and verification cost is given; the notation for signature length and for the signing and verification costs is listed in the footnote of Table 5.
Table 5 : The performance comparison of different schemes
Compared with the existing schemes, especially those listed here, our scheme has a clear advantage in cost. This advantage makes the SM2-KI-S IGN scheme more suitable for untrusted channels in the IIoT-cloud computing environment. We also show a cost comparison of SM2-KI-SIGN with other schemes [26–29] in Fig. 3.
This paper presented the first key-insulated digital signature scheme based on the SM2 algorithm, SM2-KI-SIGN. The proposed scheme can effectively reduce the risk of key exposure over untrusted channels in the IIoT-cloud computing environment. We first gave a formal outline of the scheme. Following this, a concrete scheme and a formal security proof under the ECDLP assumption in the random oracle model were given. Finally, according to the theoretical analysis and simulation experiments, the SM2-KI-SIGN scheme is more efficient and practical than related key-insulated works. SM2-KI-SIGN introduces a method to make up for the key exposure defects of the existing SM2 signature algorithm, and our work can provide a new idea for future commercial digital signature schemes.
Funding Statement: This work was supported in part by the National Natural Science Foundation of China (Nos. 62072074, 62076054, 62027827, 62002047), the Sichuan Science and Technology Innovation Platform and Talent Plan (Nos. 2020JDJQ0020, 2022JDJQ0039), the Sichuan Science and Technology Support Plan (Nos. 2020YFSY0010, 2022YFQ0045, 2022YFS0220, 2023YFG0148, 2021YFG0131), the YIBIN Science and Technology Support Plan (No. 2021CG003), and the Medico-Engineering Cooperation Funds from University of Electronic Science and Technology of China (Nos. ZYGX2021YGLH212, ZYGX2022YGRH012).
Author Contributions: Study conception and design: Senshan Ouyang, Baichuan Shao and Yang Zhao; analysis and interpretation of results: Xiang Liu, Lei Liu, Shangchao Wang; draft manuscript preparation: Senshan Ouyang and Baichuan Shao; figures and tables production: Baichuan Shao.
Availability of Data and Materials: Our current research is limited to algorithm design and analysis and has not yet been applied to practical scenarios, so we have not yet addressed the source and use of data and materials.
Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.
Computer Modeling in Engineering & Sciences, 2024, Issue 1