IEEE TRANSACTIONS ON COMPUTATIONAL SOCIAL SYSTEMS
IdenMultiSig: Identity-Based Decentralized Multi-Signature in Internet of Things
Han Liu, Dezhi Han, Senior Member, IEEE, Mingming Cui, Kuan-Ching Li, Senior Member, IEEE, Alireza Souri, Senior Member, IEEE, and Mohammad Shojafar, Senior Member, IEEE
Abstract—Most devices in the Internet of Things (IoT) work on unsafe networks and are constrained by limited computing, power, and storage resources. Since the existing centralized signature schemes cannot address the challenges to security and efficiency in IoT identification, this article proposes IdenMultiSig, a decentralized multi-signature protocol that combines identity-based signature (IBS) with the Schnorr scheme under discrete logarithms on elliptic curves. First, to solve the problem of offline or faulty devices under unstable networks, we introduce a novel improvement of the existing Schnorr scheme by introducing a threshold Merkle tree for the verification with only m valid signatures among n participants (m–n tree), while hiding the real identity to protect the data security and privacy of IoT nodes. Furthermore, to prevent dishonest or malicious behavior of the private key generator (PKG), a consortium blockchain is innovatively applied to replace the traditional PKG as a decentralized and trusted private key issuer. Finally, the proposed scheme is proven to be unforgeable against forgery signature attacks in the random oracle model (ROM) under the elliptic curve discrete logarithm (ECDL) assumption. Theoretical analysis and experimental results show that our scheme matches or outperforms existing research studies in privacy protection, offline device support, decentralized PKG, and provable security.
Index Terms—Blockchain, identity-based signature (IBS), Internet of Things (IoT), Merkle tree, multi-signature.
NOMENCLATURE
C        Challenger.
A        Adversary.
P_x, p   Probability.
F_x(y)   Algorithm.
Manuscript received 30 June 2022; revised 21 September 2022, 4 December
2022, and 13 December 2022; accepted 22 December 2022. This work was
supported in part by the National Key Research and Development Program
of China under Grant 2021YFC2801001, in part by the Natural Science
Foundation of Shanghai under Grant 21ZR1426500, and in part by the Top-
Notch Innovative Talent Training Program for Graduate students of Shanghai
Maritime University under Grant 2021YBR008. (Han Liu, Dezhi Han, and
Mingming Cui are co-first authors.) (Corresponding author: Kuan-Ching Li.)
Han Liu, Dezhi Han, and Mingming Cui are with the College of Information
Engineering, Shanghai Maritime University, Shanghai 201308, China (e-mail:
dzhan@shmtu.edu.cn).
Kuan-Ching Li is with the Department of Computer Science and
Information Engineering, Providence University, Taichung 43301, Taiwan
(e-mail: kuancli@pu.edu.tw).
Alireza Souri is with the Department of Software Engineering, Haliç
University, 34060 Istanbul, Turkey (e-mail: alirezasouri@halic.edu.tr).
Mohammad Shojafar is with the 5G/6G Innovation Centre (5G/6GIC),
Institute for Communications Systems (ICS), University of Surrey, GU2 7XH
Guildford, U.K. (e-mail: m.shojafar@surrey.ac.uk).
Digital Object Identifier 10.1109/TCSS.2022.3232173
Q_x      Random oracle query.
T_h      Hash function time cost.
T_Em     Time cost of aP in G, P ∈ G, a ∈ Z_q^*.
T_Ea     Time cost of P + Q in G, P, Q ∈ G.
|G|      Storage cost in G.
T_bp     Time cost of the pairing e(P, Q) in G_1.
T_pm     Time cost of aP in G_1, P ∈ G_1, a ∈ Z_q^*.
T_pa     Time cost of P + Q in G_1, P, Q ∈ G_1.
|G_1|    Storage cost in G_1.
I. INTRODUCTION
WITH the development of cloud computing and 5G
network, the Internet of Things (IoT) transmits and
stores the collected data to the cloud server for users to access
and process anytime and anywhere. This kind of collection
and sharing will inevitably put forward the requirements
for authentication and security access [1], [2]. On the other
hand, the open environment where the IoT devices are
located is vulnerable to illegal attacks and hijackings [3], [4],
leading to many risks such as weak privacy protection and
data leakage, among other issues [5], [6], [7], [8]. Digital
signatures are generally regarded as the digital replacement
of handwritten signatures and can provide three kinds of
services: 1) integrity checking (ensuring the information
without tampered with during transmission); 2) authentication
(determining the identity of the sender); and 3) nonrepudiation
(the sender cannot deny generating the message). The primary digital signature scheme involves two parties. When the number of participants (n) increases from 2 to n, each party must verify the signatures of the other n−1 parties, so the overall number of verifications can be up to n(n−1). In this case, the standard signatures can be converted to an aggregate signature by splicing each signature to generate an independent signature. However, its length grows linearly with the number of members. In addition, broadcasting authentication standards are highly vulnerable to attacks such as signature verification abuse, which can further drain nodes' computing resources, making the already strict power limitations even more challenging.
Multi-signature [9], [10] is a digital signature scheme that can effectively improve throughput. It allows n users to generate a fixed-length, aggregated signature representing the identities of all signers for a general message M with their respective n public key pairs. Given the message M
and the public key sets (PKs) of all signers, the validity of
the aggregated signature can be publicly verified by a simple
checksum calculation. Compared with the traditional 1-to-
1 digital signature, multi-signature can significantly reduce
computation and communication costs. It has the advantages
of high throughput, small storage space occupation, and fast
verification, which are suitable for communication environments with low bandwidth and less storage capacity [11].
In addition, the combination of multiple signatures and the
IoT enables nodes in the cluster to be cosigned by neighbors
when releasing sensitive data, which not only ensures data
permissions and transmission security, but also hides the
sender’s identity to protect the privacy of the IoT nodes
further [12].
Nowadays, digital signatures have been widely used in
modern society, especially in computer network communication [13], [14], [15], [16]. In practice, to prove the public
key’s authenticity, a certificate authority (CA) is responsible
for issuing a certificate for the public key. However, this
model incurs high costs in licensing and managing certificates,
and CAs are vulnerable to attacks and single points of
failure.
To solve the abovementioned challenges, Shamir proposed an identity-based encryption (IBE) and identity-based signature (IBS) system that allows a user to select a token related to its identity as the public key [17]. The IoT devices can be quickly authorized through IBS to verify their identity [18]. They generally have unique identities (IDs) such as the MAC address (MAC), factory number, and chip firmware code, which are well suited to identity-based cryptosystems [19], [20]. Although IBE eliminates the reliance on a CA for verifying the public key, it introduces another centralized entity, the private key generator (PKG), responsible for generating public–private key pairs for the entities.
Notwithstanding, the shortcomings of this solution are threefold. First, once the PKG is hacked, the secrets of all members are also leaked, causing incalculable losses. Second, the PKG is a centralized institution with a single-point-of-failure problem. Third, a dishonest third-party PKG risks illegally storing and misusing private keys.
Blockchain is a decentralized, tamper-proof, shared,
immutable ledger that facilitates the process of recording
transactions and tracking assets [21]. With the introduction
of Blockchain V3.0, a consortium chain has come into being
based on features such as granting nodes to join and supporting
smart contracts that are not bound by domain-specific
languages (DSLs). Inspired by the chain code programming
(smart contract) function [22], this article innovatively applies
the hyperledger fabric enterprise-level consortium chain to
the proposed multi-signature scheme to realize decentralized
PKGs.
The main contributions of this research are summarized as
follows.
1) Privacy protection: IdenMultiSig is an identity-based
multi-signature (IBMS) scheme that, while combining
IBS with Schnorr multi-signature scheme, is based on
the elliptic curve discrete logarithm (ECDL) problem.
IdenMultiSig solution binds the device’s unique ID to
the private key and supports the nodes in the IoT cluster
signed by multiple users before publishing sensitive data.
The device is identified, while its real identity is hidden
to ensure the privacy and security of the IoT nodes to
the greatest extent.
2) Offline device support: The current Schnorr scheme employed in IdenMultiSig is improved by introducing a public key verification Merkle tree that supports m–n thresholds. This data structure uses the IDs and public keys of the n signature participants as leaf nodes and the (m, n) threshold as an additional branch. In IdenMultiSig, the validation of n signature participants can be performed using m (m ≠ n) valid signatures, a novelty that effectively solves the problem of multiple signatures in IoT clusters with limited resources and networks, offline or faulty devices, and heterogeneous nodes.
3) Decentralized PKG: The innovative use of consortium
blockchain instead of the traditional PKG is responsible
for the decentralized key generation, distribution, and
verification, guaranteeing that all key privacy data will
not be tampered with. Moreover, all its operations
are irreversibly recorded in the block for traceability
and accountability, preventing dishonest or malicious
behaviors caused by the traditional PKG.
4) Provable security: A detailed security proof is
given for the proposed multi-signature algorithm
based on the framework of general fork priming,
and the performance and feasibility of the proposed
scheme are further verified by theoretical analysis and
experiments.
The remainder of this article is organized as follows.
Section II covers the related work, Section III introduces the
background, Section IV presents the IdenMultiSig algorithm,
and the security proof is shown in Section V. Experimental
results and analysis are depicted in Section VI, and finally,
concluding remarks and future works in Section VII.
II. RELATED WORK
Multi-signature allows n participants to generate a fixed-length, aggregated signature. Compared with the traditional 1-to-1 digital signature, it has the advantages of high throughput, small storage space occupation, and fast verification, which are suitable for IoT environments. Multi-signature algorithms based on classical cryptography have achieved representative research results.
Schnorr signature is an efficient multi-signature scheme,
which provides higher security with the same key length under
the discrete logarithm problem (DLP). Bellare and Neven [9]
proposed a multi-signature scheme based on the discrete
logarithmic difficulty assumption and showed the scheme’s
security under the established general forking lemma model.
Micali et al. [23] proposed a subgroup scheme that calculates
and verifies members’ public keys by constructing a Merkle
spanning tree. Syta et al. [24] proposed an improved scheme
named CoSi. Its most significant innovation is to assign the
computation of constructing multiple signatures to nodes in
the Merkle spanning tree, speeding up the signing process and
reducing the bandwidth overhead.
TABLE I. Comparisons with existing relevant schemes.
Taking the advantage of multi-signature in efficiency and
storage, blockchains use this technology to generate a fixed-
length signature for all transactions in a block, which greatly
reduces the storage space (up to 80%) occupied by signa-
tures and improves the efficiency of signature verification.
A simpler and efficient Schnorr-based multi-signature scheme
is proposed by Maxwell et al. [25], which has the same
key and signature size as the standard Schnorr signature
and is easily scalable to general public-key cryptosystems.
In addition, they also applied it to the verification of multiple
transactions in Bitcoin. Nick et al. [26] proposed a simple and
practical two-round multi-signature scheme, MuSig2, whose
output signature has a complexity similar to ordinary Schnorr
signatures. Boneh et al. [27] constructed a multi-signature
scheme derived from the Schnorr signature and Boneh–Lynn–Shacham (BLS) signature that achieves signature compression
and public key aggregation, aiming to reduce the size of
Bitcoin blocks by aggregating transactions.
However, the above-mentioned schemes are based on
traditional asymmetric cryptosystems, which often require
an authoritative CA to provide digital certificate services
for public keys to meet the basic requirements of secure
communication. Nevertheless, a CA brings extra complexity to the computation, transmission, management, and verification of certificates, and this extra complexity means additional costs that will significantly impact the limited IoT bandwidth and processing power budget. IBS provides a new solution to
this problem, where the participant uses the ID as the public
key. In contrast, the private key is generated by a trusted
PKG, thus eliminating the reliance on CA. Some research
studies focus on how to combine IBS with multi-signature
and propose improvements for multi-signature. The direction
of improvement mainly includes optimizing the signature
algorithm and reducing interaction rounds.
Bellare and Neven [28] proposed an RSA-based IBMS
scheme and proved its security under the random oracle model
(ROM), which does not rely on assumptions related to bilinear
mapping. Gentry and Ramzan [29] proposed an unpaired identity-based digital signature (PF-IBS) algorithm for message authentication in wireless sensor networks (WSNs), showing that it is secure in a random prediction model against adaptive selection message attacks (UF-PF-IBS-ACMA). Ali et al. [30] proposed an identity-based conditional privacy-preserving authentication (IBS-CPPA) signature scheme to improve the authentication efficiency in high-density vehicle ad-hoc networks (VANETs) based on elliptic curve cryptography (ECC) and a one-way hash algorithm (HASH).
IBS also has an apparent drawback: a participant's ciphertext is not private from a dishonest or malicious PKG, which is a significant security risk. Al-Riyami and Paterson [31]
proposed a certificateless public-key cryptosystem that can
overcome the trust problem in key escrow. Baek et al. [32]
proposed a scheme named certificateless public key encryption
(CPLKE) that is independent of bilinear pairings and
demonstrated its security in the face of public key substitution
attacks and selective ciphertext attacks in a ROM. Li et al. [33]
implemented a remote desktop connection protocol (RDPC).
It uses certificateless signature technology in cloud storage
services to check the integrity of intergroup data and to solve
the key escrow problem. Fan et al. [34] and Cui et al. [35]
proposed a certificateless signature method combined with
fog for key management and vehicle revocation in VANETs,
reducing time-consuming calculation and improving the
efficiency of authentication and revocation. To ensure the
privacy of decentralized energy transactions, a method
combining Blockchain and multi-signature is proposed by
Aitzhan and Svetinovic [36]. Yu et al. [12] also proposed
the application of multi-signature and Blockchain in the
IoT, ensuring the security and privacy of each node and
the transmitted data. However, the schemes mentioned above do not achieve high efficiency while ensuring privacy and security.
The above research studies provide effective solutions
and references for multiparameter identification in a large-
scale cluster environment (IoT). However, some of their
shortcomings still deserve attention and discussion. First of
all, most of these studies only focus on one or several
issues, which cannot well cover the requirements of IoT
applications on efficiency, security, and privacy protection of
identity recognition. Second, most of these systems adopt the
centralized design, which has significant defects in reliability
and throughput performance. As we all know, large-scale
information exchanges of devices in IoTs bring big data,
which put forward higher requirements for the timeliness of
identification.
Through the analysis of the above research, we summarized the key issues and research directions they focused on, including multi-signature, Merkle tree, certificate-freeness, IBS, key escrow resilience, and blockchain support. As shown in Table I, compared with other relevant schemes, our work has more support for key issues.
III. BACKGROUND
A. Identity-Based Signature
IBS scheme was proposed initially by Shamir [17] and
includes the following four algorithms.
Fig. 1. Schnorr signature process.
Setup(1^λ). Using a security parameter λ as input, IBS generates the parameters params and a master key msk. All other algorithms take params as an implicit input, omitted from the algorithms described below for simplicity.
1) Extract(msk, ID). On input {ID, msk}, it outputs the private key d.
2) Sign(d, M). On input d and message M, it outputs the signature σ.
3) Verify(ID, M, σ). On input {ID, M, σ}, it outputs 1 when σ is valid, and 0 otherwise.
B. Schnorr Multi-Signature
A Schnorr signature scheme consists of an abelian group G of prime order q (with DLP) and generator g, a hash function H: {0,1}^* → Z_q (which maps bytecode of any length to a bounded set of integers to reduce the communication overhead for authentication), a public–private key pair (x, X), and a message M ∈ {0,1}^*.
One round of the noninteractive Schnorr signature process is illustrated in Fig. 1. If A initiates signature verification to B, it is assumed that an adversary C intends to pretend to be A. The primary attack method of C is to constantly guess x and calculate s during the execution of the protocol, expecting B to verify successfully after the calculation. However, since x ∈ Z_q^* is large enough, the search range of C increases. As x is a private key, it is not public in any phase. Under the constraint of the DLP hypothesis, given the public keys X and G provided in the verification phase, x cannot be obtained from X = g^x or X = x·g in polynomial time.
C. Analysis of Existing Issues
The Schnorr multi-signature scheme is vulnerable to the
following attacks.
1) Key-replace attack: Since the identity of the signing party is determined (or proved) by its key pair, it is impossible to guarantee that the signing party will not modify or replace its key pair without authorization during the signing process. In case of a key-replace attack, the identity of the signing party will be impersonated or disguised:
$$P=\prod_{i=1}^{n}P_i = P_x\prod_{i\neq x}P_i=\Big(pk_x\Big(\prod_{i\neq x}P_i\Big)^{-1}\Big)\prod_{i\neq x}P_i = pk_x.$$
2) Rogue-key attack: A special type of key-replace attack. Consider that the key pair of player x (the attacker) is (pk_x, sk_x) with pk_x = g^{sk_x}. In the signature stage, after attacker x collects the commitment set {R_1, R_2, …, R_n} of the other participants, the rogue public key P_x = pk_x(∏_{i≠x} P_i)^{-1} is maliciously generated. In this case, the generated multi-signature is bound only to the private key of attacker x, degenerating into a single standard signature. In the verification stage, attacker x only needs to provide its own single signature, commitment σ_i = (R_i, s_i = r_i + e·sk_i), and public key pk_i to pass the verification:
$$g^{s_i}=g^{(r_i+e\cdot sk_i)}=g^{r_i}g^{e\cdot sk_i}=g^{r_i}\big(g^{sk_i}\big)^{e}=R_i\,pk_i^{\,e}.$$
3) Limitations of n–n signatures: In the general Schnorr multi-signature scheme, n participants sign a message together. However, due to the uncertain network and environment in which the IoT devices are located, it is difficult to ensure that all n nodes can successfully participate in each signature process.
IV. IDENMULTISIG:PROPOSED RESEARCH
In Section III, the principles and flow of the basic Schnorr
multi-signature scheme are introduced in detail, and some
of the challenges it faces are analyzed. In this section, the
elliptic curve cyclic group in a finite field is used as the
problematic assumption for multi-signature implementation,
improving computational efficiency and security. Then, with
the combination of IBS and Schnorr multi-signature, the
key generation algorithm is adopted in IdenMultiSig to prevent key replacement attacks, eliminate the dependence on a CA, and perform certificateless multi-signature. In addition, a Merkle tree supporting the m–n threshold is designed to solve the limitation of the traditional n–n mode in IdenMultiSig. The additional computing overhead and storage brought by the proposed threshold Merkle tree will be analyzed in the section on theoretical analysis.
A. Cryptography Definition
The proposed multi-signature scheme includes: n (n > 1) signers, an identity set IDs = {ID_1, ID_2, …, ID_n}, a message
Fig. 2. Merkel tree with (m,n) threshold.
to be signed M ∈ {0,1}^*, a threshold (m, n) (indicating that m (1 < m ≤ n) of the n members need to join the signing process), and a set of hash functions {H0, H1, H2}.
1) Setup: The PKG chooses three hash functions H0, H1, H2: {0,1}^* → Z_q^* and an elliptic curve cyclic group G = E(Z_q^*, a, b) with generator g, and publishes the parameters paras = {G, g, q, H0, H1, H2, mpk}.
2) KenGen: The PKG randomly picks a big integer msk ∈ Z_q^* as the master private key, keeps it secret, generates the master public key mpk = msk·g, and publishes it.
3) KeyExtract: On input msk and ID_i (i ≤ n), the PKG randomly picks a big integer k_i ∈ Z_q^* and calculates pk_i = k_i·g, v_i = H0(ID_i, pk_i), and sk_i = k_i + v_i·msk. (sk_i, pk_i) is the key pair, v_i is the intermediate parameter for Merkle tree building in the ThresholdGen algorithm, and (sk_i, pk_i) is sent via a secure channel to the authenticated member with ID_i.
4) ThresholdGen: After assigning a key pair to all members, the PKG takes PK = {pk_1, pk_2, …, pk_n} as the leaf nodes (the parent of leaf i is v_i) and the threshold (m, n) as an additional branch leaf to build the Merkle tree T.
Since the threshold is located at a leaf node directly under the root, each time the value of the root is computed, only two hash values need to be recalculated. The computational cost is negligible. The root of T is TROOT = h_T; (T, h_T) is public, as shown in Fig. 2.
5) MSign: The n original signers together generate a signature for message M by the following protocol. The protocol contains several rounds of interaction. In each round, every signer collects m−1 messages from the other signers, performs local calculations according to the message content, and sends the results to the others. Finally, only m signers participate in the subsequent calculation.
- Round 1
The signature initiator SIP_i chooses r_i ∈ Z_q^*, calculates R_i = r_i·g and t_i = H1(r_i), and sends (R_i, t_i) to the other n−1 signing participants as a commitment.
- Round 2
SIP_i collects the set {R_{t1}, R_{t2}, …, R_{tm}} (t_m ∈ [1, n]) from m participants. Then SIP_i calculates a1, the hash value e_i = H2(pk_i, h_T, R, M), and the sign s_i = r_i + e_i·sk_i. The other m−1 participants repeat the above steps and send s_j (j ≠ i) to SIP_i.
- Round 3
After receiving the m signatures {s_1, s_2, …, s_m}, SIP_i calculates a2 and outputs σ_m = (R, s) as the multi-signature.
6) MVerify: After receiving σ_m = (R, s), the verifier checks the signature using the following steps.
- Merkle tree check
It checks whether the public keys of the m participants match the root by a hash proof on the threshold Merkle tree T. An example of verifying the public key pk_3 of ID = 3 on the tree T built by eight participants:
H_{1–8} = Hash(Hash(Hash(Hash(ID_3, pk_3), H_4), H_{1|2}), H_{5–8}).
- Verify
It determines whether s·g = R + Σ_{i=1}^{m} e_i·(pk_i + v_i·mpk) holds, with e_i = H2(pk_i, h_T, R, M) ← {e_1, e_2, …, e_m} and v_i = H0(ID_i, pk_i). If the equation holds, it outputs 1 (success); otherwise, it outputs 0 (failure). The validity is proven as follows:
$$\begin{aligned}
s\cdot g &= \Big(\sum_{i=1}^{m} s_i\Big)\cdot g
= \Big(\sum_{i=1}^{m}(r_i+e_i\cdot sk_i)\Big)\cdot g \\
&= \sum_{i=1}^{m} r_i\cdot g+\sum_{i=1}^{m} e_i\cdot sk_i\cdot g
= \sum_{i=1}^{m}(r_i\cdot g)+\sum_{i=1}^{m} e_i\big((k_i+v_i\cdot msk)\cdot g\big) \\
&= \sum_{i=1}^{m} R_i+\sum_{i=1}^{m} e_i\cdot(k_i\cdot g+v_i\cdot msk\cdot g)
= R+\sum_{i=1}^{m} e_i\cdot(pk_i+v_i\cdot mpk).
\end{aligned}$$
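The KeyExtract, ThresholdGen, MSign and MVerify steps of Section IV-A in one runnable piece, as an added example (not code from the paper or its authors). Assumptions: secp256k1 stands in for the curve group G, SHA-256 with a domain tag stands in for H0/H1/H2, the Merkle tree is a plain binary hash tree whose root the verifier recomputes from the public tree T instead of following a hash path, the three signing rounds run inside one function, and the device IDs are constructed.

```python
import hashlib
import secrets

# secp256k1 parameters (assumption: the paper only needs a prime-order EC group).
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
g = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(P1, P2):
    """Affine addition on y^2 = x^3 + 7 over F_p; None is the point at infinity."""
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):
    """Double-and-add scalar multiplication, the paper's k·g."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def H(tag, *parts):
    """H0/H1/H2 of the paper: domain-separated SHA-256 mapped into Z_q."""
    data = tag.encode() + b"".join(b"|" + str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def setup():
    """KenGen: master secret msk and master public key mpk = msk·g."""
    msk = secrets.randbelow(q - 1) + 1
    return msk, ec_mul(msk, g)

def key_extract(msk, ID):
    """KeyExtract: pk_i = k_i·g, v_i = H0(ID_i, pk_i), sk_i = k_i + v_i·msk."""
    k = secrets.randbelow(q - 1) + 1
    pk = ec_mul(k, g)
    return (k + H("H0", ID, pk) * msk) % q, pk

def merkle_root(leaves):
    """Plain binary hash tree; an odd last node is duplicated (assumption)."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [H("node", level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def threshold_gen(ids, pks, m):
    """ThresholdGen: leaves v_i plus one leaf carrying the (m, n) threshold."""
    leaves = [H("H0", i, pk) for i, pk in zip(ids, pks)] + [H("thr", m, len(ids))]
    return (leaves, m, len(ids)), merkle_root(leaves)   # public tree T and root h_T

def msign(signers, h_T, M):
    """MSign by the m available signers, signers = [(ID, sk, pk), ...]."""
    rs = [secrets.randbelow(q - 1) + 1 for _ in signers]      # round 1: r_i
    R = None
    for r in rs:
        R = ec_add(R, ec_mul(r, g))                             # R = sum of R_i
    s = 0
    for r, (ID, sk, pk) in zip(rs, signers):                    # rounds 2-3
        s = (s + r + H("H2", pk, h_T, R, M) * sk) % q           # s = sum of s_i
    return R, s

def mverify(sig, participants, T, h_T, mpk, M):
    """MVerify: Merkle check, then s·g == R + sum e_i·(pk_i + v_i·mpk)."""
    (R, s), (leaves, m, n) = sig, T
    if merkle_root(leaves) != h_T or leaves[-1] != H("thr", m, n) or len(participants) < m:
        return False                   # wrong tree/threshold, or fewer than m signers
    rhs = R
    for ID, pk in participants:
        v = H("H0", ID, pk)
        if v not in leaves[:-1]:
            return False               # (ID, pk) was never issued by the PKG
        rhs = ec_add(rhs, ec_mul(H("H2", pk, h_T, R, M), ec_add(pk, ec_mul(v, mpk))))
    return ec_mul(s, g) == rhs

def demo(M="temp=21.5C"):
    """3-of-5 cluster with constructed device IDs; returns (valid, tampered, too_few)."""
    msk, mpk = setup()
    ids = [f"DEV-{i}" for i in range(5)]
    keys = [key_extract(msk, ID) for ID in ids]
    T, h_T = threshold_gen(ids, [pk for _, pk in keys], 3)
    online = [(ids[i], *keys[i]) for i in (0, 2, 4)]           # devices 1 and 3 offline
    parts = [(ID, pk) for ID, _, pk in online]
    sig = msign(online, h_T, M)
    return (mverify(sig, parts, T, h_T, mpk, M),
            mverify(sig, parts, T, h_T, mpk, M + "!"),
            mverify(msign(online[:2], h_T, M), parts[:2], T, h_T, mpk, M))
```

The third result shows the (m, n) leaf doing its job: two honest signatures verify algebraically but are rejected because the committed threshold is three.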
B. Improved Decentralized PKG
To perform certificateless signature in the IdenMultiSig
scheme, we introduce a novel entity PKG that generates a
public–private key pair on input IDiand distributes it to
the member through a secure channel. Inspired by existing
blockchain-related applications [37], this section considers
applying the hyperledger fabric alliance chain to improve the
scheme.
In hyperledger fabric, assets are represented as key–value
pairs, and their state and ownership are recorded in a
ledger. In our improved decentralized PKG, the key (K) is the public key of a key pair, and the value (V) is the encrypted private key (real data). The ledger consists of
the world state and blockchain. World state is a database
(leveldb and couchdb) that stores the current values of
assets. In blockchain, the transactions log the change of the
current world state. By applying blockchain, the improved
decentralized PKG can ensure that all private data will
not be tampered with and that operations for keys are
irreversibly recorded in the block. It has the function of
traceability and accountability and can effectively prevent
possible dishonesty or malicious acts of traditional PKG,
Fig. 3. Decentralized PKG based on blockchain.
as shown in Fig. 3. The decentralized private key generation service based on hyperledger fabric mainly implements the methods Setup, KenGen, KeyExtract, and ThresholdGen with the following chain codes.
1) Initchaincode: On input (a,b,q), the smart contract
(chain code programming) outputs a set of public parameters
(G,g,q,H0,H1,H2), the master public key mpk, and saves
the master private key msk secretly. Moreover, it implements
the functions of Setup and KenGen as shown in Algorithm 1.
Initchaincode() only implements the init interface of a fabric.
Therefore, it is called only once when the chain code is
packaged to the peer node for initialization, ensuring the
uniqueness of public parameters and master key.
Algorithm 1 InitChainCode
Input: a, b, q
Output: G, g, H0, H1, H2, mpk
    @implement ChainCodeInterface.init
    ECC G = E(Z_q^*, a, b): y^2 ≡ x^3 + ax + b (mod q), (x, y) ∈ Z_q^*
    g = (x0, y0) ∈ E(Z_q^*, a, b)
    H0, H1, H2 ← SHA256
    x ← random.int(q)
    mpk ← x·g
    WorldState@PutState(MPK, x·g)
    WorldState@PutState(msk, DES.encrypt(x, node.SK))
    Ledger@Record(ACTION = Init)
    return ECC(G, g), H0, H1, H2, mpk
2) KeyChainCode: On inputs mpk, IDi,and(m,n),
it outputs a key pair (ski,pki). The Merkel tree is generated
according to (m,n), as shown in Algorithm 2.
V. SECURITY PROOF
A feasible digital signature scheme should satisfy at least
two properties: 1) correctness and 2) unforgeability. The
concise proof of completeness has been given in Section IV
and will not be repeated here.
To prove that the multi-signature scheme proposed in this article is unforgeable, we introduce the general forking lemma [9]. Based on the ROM, the security of the ElGamal digital signature is regulated by the DLP and is proven using
Algorithm 2 KeyExtractChainCode
Input: mpk, ID_i, (m, n)
Output: sk_i, pk_i
    k_i ← random.int(q), k_i ∈ Z_q^*
    if (mpk == NULL) then
        mpk = @GetState(MPK)
    end if
    pk_i ← k_i·g
    sk_i ← x_i, where v_i = H0(ID_i, pk_i), x_i = k_i + v_i·x, x = msk
    MemoryCache(v_i)
    Ledger@Record(ACTION = KeyExtract)
    if (i == n) then
        T = new MerkleTree
        for (i in n) do
            T.addLeaf(v_i)
        end for
        T.addLeaf((m, n))
        WorldState@PutState(MT, T)
        Ledger@Record(ACTION = GenMTree)
    end if
    return sk_i, pk_i
the question–answer forking theory. The symbols used in this
section are shown in Nomenclature.
Challenger C can simulate an adversary A to solve a complex problem containing two challenges. The output of the second challenge is the same as that of the first challenge before the input index i ≤ I, but it changes when i > I. Applying the forking lemma for the security proof can be understood as follows: if algorithm S is a signature forgery algorithm, A uses S to output two signatures through continuous random oracle queries, and P_a is the probability that A forges a signature. P_S stands for the probability that F_S(x) outputs two signatures that are different ({u_I, …, u_q} ≠ {u'_I, …, u'_q}) but both correct (G = G'). P_S ≥ P_a·(P_a/q − 1/2^l) states that if A can forge an effective signature with probability P_a, then F_S(x) can solve a difficult problem with probability P_S ≥ P_a·(P_a/q − 1/2^l).
3) Attack Model: Set e_i = H(pk_i, h_T, R, M) as a random oracle query. The target of challenger C simulating the attack of A is: S uses the ID set IDs = {ID_1, ID_2, …, ID_n}, PK = {pk_1, pk_2, …, pk_n}, the Merkle tree (T, h_T), and the commitment set {R_1, R_2, …, R_n} provided by C, continues to launch random oracle queries until forking, e_i ≠ e'_i, and successfully generates a forged signature.
4) Theorem 1: It is assumed that the proposed multi-signature scheme is secure under the DLP $(Q_h, Q_s, n_{\max}, p)$, where $Q_h$ is the number of random oracle queries, $Q_s$ is the number of signing queries, and $n_{\max}$ is the maximum number of participating signers; here $q = Q_h + Q_s + 1$. There is an algorithm $S$ that takes random elements $pk'_i$ and random $l$-bit string groups $u_{0,1}, \ldots, u_{0,q}$ and $u_{1,1}, \ldots, u_{1,q}$ as input and outputs a forged signature with probability at least
$$p' \ge \frac{p^2}{q} - \frac{2 n_{\max}^2 \cdot q}{2^{k_0}} - \frac{4 n_{\max}}{2^{k_1}} - \frac{1}{2}.$$
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
Authorized licensed use limited to: Shanghai Maritime University. Downloaded on January 07,2023 at 08:51:47 UTC from IEEE Xplore. Restrictions apply.
LIU et al.: IdenMultiSig: IDENTITY-BASED DECENTRALIZED MULTI-SIGNATURE IN INTERNET OF THINGS 7
Proof: Challenger $C$ uses the general forking lemma to make $A$ output two signatures, a real one $(R, S)$ and a forged one $(R, S')$, satisfying
$$s \cdot g = R + \sum_{i=1}^{m} e_i \cdot (pk_i + v_i \cdot mpk)$$
$$s' \cdot g = R + \sum_{i=1}^{m} e'_i \cdot (pk_i + v_i \cdot mpk).$$
$C$ constructs a three-stage game between algorithm $S$ and $A(t, Q_h, Q_s, n_{\max}, p)$, as follows.
- Init Stage
$C$ executes KeyGen and KeyExtract to obtain the public parameters $paras = (G, g, q, H_0, H_1, H_2, mpk)$ and a public key list $L = \{pk_1, pk_2, \ldots, pk_n\}$. Then $S$ initializes three counters $CT_1, CT_2, CT_3 = 0$, four tables $AT_0[\cdot], AT_1[\cdot], AT_2[\cdot], AT_3[\cdot]$, and four flag bits $fb_0, fb_1, fb_2, fb_3$. $AT_0[\cdot], AT_1[\cdot], AT_2[\cdot]$ store the outputs of the random oracle queries $H_0, H_1, H_2$; $AT_3$ stores each public key $pk_i$, $i \in [1, Q_h + n_{\max} \cdot Q_s]$.
- Query Stage
$H_0(ID_i, pk_i)$ query: If $AT_0[ID_i, pk_i] = $ NULL, then $S$ sets $CT_1 = CT_1 + 1$, $AT_0[ID_i, pk_i] \leftarrow CT_1$. It then picks $AT_0[ID_i, pk_i] \leftarrow \{0,1\}^{k_0}$ at random and returns $AT_0[ID_i, pk_i]$ to $A$.
$H_1(R_i)$ query: If $AT_1[R_i] = $ NULL, then $S$ picks $AT_1[R_i] \leftarrow \{0,1\}^{k_0}$ at random and returns $AT_1[R_i]$ to $A$.
$H_2(pk_i, h_T, R, M)$ query: If $AT_3[pk_i] = $ NULL, then $S$ sets $CT_2 = CT_2 + 1$, $AT_3[pk_i] \leftarrow CT_2$. If $AT_2[i, h_T, R, M] = $ NULL, $S$ picks random values for all entries of $AT_2[i, h_T, R, M]$, sets $CT_3 = CT_3 + 1$, and $AT_2[0, h_T, R, M] \leftarrow CT_3$.
- Signing Query
On input $PK$ and a message $M$, if $pk \notin PK$, $S$ returns $\bot$ to $A$. Otherwise, $S$ first sets $PK = \{pk_1 = pk, pk_2, \ldots, pk_n\}$ and checks all $AT_3[pk_i]$ ($2 \le i \le n$). If $AT_3[pk_i] = $ NULL, then $CT_2$ is incremented by 1 and $AT_3[pk_i] \leftarrow CT_2$. Next, $CT_3$ is incremented by 1 and $e_1 \leftarrow CT_3$. Finally, $r_1 \in \mathbb{Z}_q$ is selected at random, and $R_1 = r_1 \cdot g$, $t_1 = H_1(R_1)$ are calculated. $A$ sends $(R_1, t_1)$ to the other $n-1$ participants. If more than one $R_i$ meets the conditions, $S$ sets $fb_1 \leftarrow$ true to interrupt the query and outputs $(0, p)$. Otherwise, $S$ calculates $R = \sum_{i=1}^{m} R_i$ and checks $AT_2[0, h_T, R, M]$.
If $AT_2[0, h_T, R, M] = $ NULL, $S$ sets $AT_2[0, h_T, R, M] \leftarrow e_1$, generates random values $AT_2[i, h_T, R, M] \leftarrow \{0,1\}^l$, and then sends $R_1$ to the other participants. Otherwise, $S$ sets the flag bit $fb_2 \leftarrow$ true to interrupt the query and outputs $(0, p)$.
Consider another case: when some $t_i \ne H_1(R_i)$ exists in the received $n-1$ commitments, $S$ interrupts the signing query and returns $\bot$. Then, if some $t_i = H_1(R_i)$ exists while $fb_0 = $ true, $S$ sets $fb_3 \leftarrow$ true, interrupts the query and outputs $(0, p)$. Otherwise, $S$ sends $s_1$ to the other participants. After the above query process, $S$ collects the commitments and signatures of the others, then calculates and outputs the multi-signature $(R, S)$.
- Output
$A$ outputs a forged signature $(R, S')$ matching $PK, M$. Algorithm $S$ executes the random oracle query $H_2(pk_i, h_T, R, M)$ to ensure that $AT_3[pk_i]$ has been generated. If the forged signature $(R, s')$ is valid, $S$ stops and returns it. Otherwise, $S$ returns $(0, p)$.
To make $fb_2 \leftarrow$ true in the $i$-th signing query, we distinguish between the case where $H_1(R_1)$ was already queried by $A$ and the case where it was not. In case 1, $A$ may have obtained $R_1$, but since $R_1$ was chosen at random by $S$ without interference from $A$, the probability of $A$ finding $H_1(R_1)$ is at most $(Q_h + n_{\max} \cdot Q_s)/p \le (Q_h + n_{\max} \cdot Q_s)/2^{k_1}$. In case 2, $R_1$ is completely unknown to $A$, and the probability that $H_1$ was set by $S$ in the previous $i-1$ signature simulations is at most $(Q_h + Q_s)/p \le (Q_h + Q_s)/2^{k_1}$. In order to make $fb_3 \leftarrow$ true, $A$ must successfully guess the value of $H_1(R_i)$, with probability not exceeding $n_{\max}/2^{k_0}$.
For a forking algorithm $F_S(pk)$, on input $pk$ it returns forged signatures with probability $P_S$. The probability of $A$ successfully outputting forged signatures, $P_a$, and the probability of $F_S(pk)$ solving the hard problem, $p'$, can be calculated as
$$\begin{aligned}
P_a &\ge p - \Pr[fb_1 = \text{true}] - \big(\Pr[fb_2 = \text{true}] + \Pr[fb_3 = \text{true}]\big) \\
&\ge p - \frac{(Q_h + n_{\max} \cdot Q_s + 1)^2}{2^{k_0}} - \frac{2 Q_s \cdot (Q_h + n_{\max} \cdot Q_s)}{2^{k_1}}
\end{aligned}$$
$$\begin{aligned}
p' &\ge P_S \ge P_a \cdot \frac{P_a}{q} - \frac{1}{2} \ge \frac{P_a^2}{Q_h + Q_s + 1} - \frac{1}{2} \\
&\ge \frac{1}{Q_h + Q_s + 1}\left(p^2 - \frac{2p \cdot (Q_h + n_{\max} \cdot Q_s + 1)^2}{2^{k_0}} - \frac{4p \cdot Q_s \cdot (Q_h + n_{\max} \cdot Q_s)}{2^{k_1}}\right) - \frac{1}{2} \\
&\ge \frac{p^2}{Q_h + Q_s + 1} - \frac{2 (Q_h + n_{\max} \cdot Q_s + 1)^2}{(Q_h + Q_s + 1) \cdot 2^{k_0}} - \frac{4 Q_s \cdot (Q_h + n_{\max} \cdot Q_s)}{(Q_h + Q_s + 1) \cdot 2^{k_1}} - \frac{1}{2} \\
&\ge \frac{p^2}{Q_h + Q_s + 1} - \frac{2 n_{\max}^2 \cdot (Q_h + Q_s + 1)^2}{(Q_h + Q_s + 1) \cdot 2^{k_0}} - \frac{4 n_{\max} \cdot Q_s \cdot (Q_h + Q_s + 1)}{(Q_h + Q_s + 1) \cdot 2^{k_1}} - \frac{1}{2} \\
&\ge \frac{p^2}{Q_h + Q_s + 1} - \frac{2 n_{\max}^2 \cdot (Q_h + Q_s + 1)}{2^{k_0}} - \frac{4 n_{\max}}{2^{k_1}} - \frac{1}{2} \\
&= \frac{p^2}{q} - \frac{2 n_{\max}^2 \cdot q}{2^{k_0}} - \frac{4 n_{\max}}{2^{k_1}} - \frac{1}{2}.
\end{aligned}$$
VI. PERFORMANCE ANALYSIS
This section shows the performance and practical availability of the proposed multi-signature scheme in two parts: 1) theoretical analysis and 2) experimentation. The symbols used are described in Nomenclature.
A. Theoretical Analysis
To verify the performance of our work, several classical
and recently developed multi-signature schemes that include
BN06 [9], CoSi16 [24], MPSW18 [25], and ASM18 [27] are
compared. BN06 first proposed to apply the Schnorr protocol
TABLE II FUNCTIONAL COMPARISON
to multi-signature and created the general forking lemma.
CoSi16 used four communication phases for the scalable
construction of a Schnorr multi-signature over a spanning tree.
In recent years, MPSW18 and ASM18 are proposed to solve
the transaction multi-signature in the blockchain.
The above algorithms are mainly designed on two kinds of hard problems: the elliptic curve discrete logarithm problem (ECDL) and the computational Diffie–Hellman problem (CDH). The comparison covers three aspects. The first compares functionality, including the type of hardness assumption, provable security, resistance to key replacement attacks, support for $(m,n)$ multi-signature, and support for identity-based keys. The second compares the computational cost of the signing and verification stages, while the third compares the storage overhead, mainly the space complexity of the public key, the private key, and the multi-signature itself. The functional comparison is shown in Table II.
As seen from Table II, BN06, CoSi16, MPSW18, ASM18,
and the proposed scheme are based on the Schnorr signature
scheme, which can be shown to be unforgeable in the
framework of the general forking lemma. ASM18 is a
new structure derived from the Schnorr prototype and BLS
signature. However, it does not change the interactive logic of
multi-signature at all and is consistent with the above three
in terms of provable security. CoSi16 proposes a spanning
tree structure to organize and manage the commitment values
randomly generated by each participant in the process of
aggregate signature generation. This tree structure supporting
efficient communication can be extended to thousands of
participants.
The proposed scheme combines blockchain and IBS. The private keys of the $n$ multi-signature participants can be distributed automatically through smart contracts according to their unique IDs (such as MAC, IMEI, etc.), eliminating the dependence on a CA. The other four schemes are based on the traditional public-key cryptosystem and do not consider the need to verify public key authenticity or the disadvantages of introducing a CA. In addition, we propose a Merkle tree supporting the $(m,n)$ threshold as a public key verification tool to support $(m,n)$ multi-signature verification. That is, the proposed scheme offers a combination of features that none of the other schemes provides in full.
TABLE III COMPARISON OF THEORETICAL CALCULATION COST OF SINGLE SIGNATURE
Table III lists the computational cost of the scheme proposed in this article and the other four schemes in the case of a single signature. The computational complexity of each scheme for one signature is thereby made explicit, which provides the theoretical basis for further analyzing the computational cost when $n$ members participate in a multi-signature.
Table III shows that BN06, CoSi16, MPSW18, and the proposed scheme are based on the Schnorr scheme. Therefore, their cost in the signing and verification stages is the same as that of a single Schnorr signature. Notably, in the signing stage $H(R)$ and $H(M, L, px|v)$ take $2T_h$, and generating the commitment $R$ takes $T_{Em}$. In the verification phase, calculating $e$ takes $T_h$, calculating $sg$ and $eX$ takes $2T_{Em}$, and verifying $sg = R + eX$ takes $T_{Ea}$. In particular, MPSW18 introduces a new commitment variable $a$ that takes an additional $T_h$, and ASM18 is based on BLS, whose hardness assumption relies on bilinear mapping. In its signing stage, mapping the message $M$ to $G_1$ takes $T_h$, and computing the signature takes $T_{pm}$. In the verification phase, the message $M$ is first mapped to $G_1$, taking $T_h$; then two pairing operations are evaluated, taking $2T_{bp}$.
By analyzing the single-signature costs in Table III and the flows of BN06, CoSi16, MPSW18, and ASM18, we derived the theoretical computation cost of the five schemes when $n$ participants take part in a multi-signature, as shown in Table IV. In particular, CoSi16 uses a spanning tree (binary tree) as the data structure built during signing, so the computational cost of constructing this tree is $\log n$. However, CoSi16 does not provide a detailed proof of security and key ownership, which leaves it vulnerable to rogue key attacks. Moreover, since the order of the spanning tree's leaf nodes directly determines the value of the root, a multiparty consistency problem may arise when $n$ parties participate in constructing the spanning tree. In the proposed scheme, the $(m,n)$ threshold Merkle tree is introduced to solve this problem, at the cost of an additional $\log n \cdot T_h$ overhead in the verification stage.
It can be seen from Table V that the proposed IdenMultiSig scheme occupies the same space for the public key, private key, single signature, and multi-signature as the BN06 and MPSW18 schemes. Since CoSi16 constructs a spanning tree, the space occupied by the tree must be included in the multi-signature so that it can be checked. Because ASM18 is based on the BLS protocol, the generated signature is only one point on $G_1$, so the space occupied by ASM18 is the smallest. However, considering that BLS relies on pairing operations over $G_1$ in the verification stage, its computational efficiency
TABLE IV COMPARISON OF COMPUTATION COST OF MULTI-SIGNATURE COMPOSED OF $n$ PARTICIPANTS
TABLE V STORAGE OCCUPATION COMPARISON
Fig. 4. Time cost comparison at different numbers $n$ of participants in the signing and verification stages. (a) $n=10$. (b) $n=20$. (c) $n=50$. (d) $n=100$. (e) Summary.
TABLE VI AVERAGE TIME PER BASIC OPERATION
is much lower than that of ECDSA. On the other hand, the
security of BLS-dependent pairing is not easy to demonstrate,
as it is necessary to choose elliptic curves that are easy to pair
and safe enough.
B. Experiments
The theoretical analysis indicates that the scheme proposed in this investigation keeps the computational overhead and space occupation similar to those of existing schemes while adding several new functions. To further evaluate the performance, simulation experiments are carried out on a computing server with one Intel i7 7500u 3.5 GHz CPU, 16 GB of memory, and a 256 GB SSD.
First, the average time of several basic operations is measured. For the schemes based on ECDL, an additive cyclic group $G$ with generator $g$ of prime order $q$ (256-bit) on a supersingular elliptic curve $E$ is selected. For the bilinear pairing scheme $e: G_1 \times G_1 \to G_2$, the supersingular elliptic curve cyclic group $G_1$ with generator $g_1$ of prime order $q_1$ is selected. To ensure the same security strength, $q_1$ is set to a 512-bit prime. Taking the mean of 100 runs, the final results are shown in Table VI.
Fig. 4 shows the time consumption comparison between the proposed scheme and the other four schemes for different numbers of signature participants $n$ ($n \in \{10, 20, 50, 100\}$) in the signing and verification stages. As can be seen from Fig. 4, the results are consistent with the expectation of the theoretical
analysis: the time cost of our work is very close to BN06 and MPSW18 and better than the ASM18 scheme (at the millisecond level). CoSi16 is slightly better than the other four schemes. According to the theoretical analysis in Section VI-A, CoSi16 adopts a spanning tree to construct the group signature, and the time complexity of binary tree construction is only $\log n$, which is better than other, linear structures. However, when $n > 20$, the time consumption of ASM18 in the verification phase is significantly higher than that of the other schemes. It can be inferred from the theoretical analysis that ASM18 needs pairing operations over $G_1$, which cost more computation time than scalar multiplication on $G$. Therefore, when the number $n$ of participants increases, its time cost rises more rapidly. From the theoretical analysis and the comparative results, IdenMultiSig matches or surpasses existing state-of-the-art research in terms of hardness assumption, provable security, resistance to key replacement attacks, identity-based keys, the $(m,n)$ threshold, and the absence of a CA.
VII. CONCLUSION AND FUTURE WORK
To meet the urgent needs for identity recognition and privacy protection in IoT environments, an IBMS scheme named IdenMultiSig is proposed. By combining IBS with the Schnorr multi-signature scheme under the ECDL problem, the device's unique ID is bound to its private key, and multiple users sign the nodes before publishing sensitive data; as a result, the device's real identity is hidden when it is identified, and the node's privacy is guaranteed. Furthermore, the current Schnorr scheme is improved, and a Merkle tree with an $(m,n)$ threshold is introduced to verify $m$ valid signatures among $n$ participants, supporting offline devices in IoT. Finally, we replace the traditional PKG with a consortium blockchain as the decentralized service provider to ensure that all key-related private data cannot be tampered with, effectively preventing the dishonest or malicious behavior that a traditional PKG may cause.
Theoretical analysis and experimental results show that
IdenMultiSig has more advantages than the existing related
work in privacy protection, offline device support, decen-
tralized PKG, and provable security. However, the multi-
signature method under the Schnorr framework is an
interactive scheme that requires nparticipants to carry out
multiple rounds of communication to deliver commitments
and subsignatures, which undoubtedly increases the bandwidth
overhead. In addition, blockchain technology is developing
rapidly, and the architecture of decentralized applications is
constantly updating and iterating. These problems need to be
improved in future work as follows.
1) In the signature phase, the proposed protocol requires
participating devices to exchange commitments through
multiple rounds, which will consume a certain amount of
bandwidth. Therefore, congested network environments may
bring negative effects. How to further improve or optimize
the existing protocols to reduce bandwidth costs is a direction
to be tackled as further research.
2) How to improve the structure of the Merkle tree and reduce the computational complexity is a problem worth further work.
3) The development of Blockchain architecture and the
progress of the consensus mechanism will have positive effects
on this work. How to design a decentralized PKG topology for
the latest blockchain technologies is also worth further study.
4) At present, the experiments of this work are mainly
through simulation, which can further test the performance
in the actual environment in future work.
5) At present, our method can be used for the unlinkability
of sensor clusters and identity hiding of smart home gateways
and devices. More application scenarios [38] need to be tested
in practice, which is also one of the future works.
REFERENCES
[1] B. O. Soufiene, A. A. Bahattab, A. Trad, and H. Youssef, “PEERP:
An priority-based energy-efficient routing protocol for reliable data
transmission in healthcare using the IoT,” Proc. Comput. Sci., vol. 175,
pp. 373–378, Jan. 2020. [Online]. Available: https://www.sciencedirect.
com/science/article/pii/S1877050920317348
[2] S. B. Othman, F. A. Almalki, C. Chakraborty, and H. Sakli, “Privacy-
preserving aware data aggregation for IoT-based healthcare with green
computing technologies,” Comput. Electr. Eng., vol. 101, Jul. 2022,
Art. no. 108025. [Online]. Available: https://www.sciencedirect.com/
science/article/pii/S0045790622002890
[3] Q. Tian, D. Han, K.-C. Li, X. Liu, L. Duan, and A. Castiglione,
“An intrusion detection approach based on improved deep belief
network,” Int. J. Speech Technol., vol. 50, no. 10, pp. 3162–3178,
Oct. 2020, doi: 10.1007/S10489-020-01694-4.
[4] C. Diao et al., “A novel spatial–temporal multi-scale alignment
graph neural network security model for vehicles prediction,” IEEE
Trans. Intell. Transp. Syst., early access, Jan. 19, 2022, doi:
10.1109/TITS.2022.3140229.
[5] D. Han et al., “A blockchain-based auditable access control system
for private data in service-centric IoT environments,” IEEE Trans. Ind.
Informat., vol. 18, no. 5, pp. 3530–3540, May 2022.
[6] A. Lakhan et al., “Delay optimal schemes for Internet of Things
applications in heterogeneous edge cloud computing networks,” Sensors,
vol. 22, no. 16, p. 5937, 2022.
[7] K. Kumar et al., “Dimensions of Internet of Things: Technological
taxonomy architecture applications and open challenges—A systematic
review,” Wireless Commun. Mobile Comput., vol. 2022, May 2022,
Art. no. 9148373.
[8] A. Lakhan, M. A. Mohammed, S. N. Kadry, K. H. Abdulkareem,
F. T. Al-Dhief, and C.-H. Hsu, “Federated learning enables intelligent
reflecting surface in fog-cloud enabled cellular network,” PeerJ Comput.
Sci., vol. 7, p. e758, Nov. 2021.
[9] M. Bellare and G. Neven, “Multi-signatures in the plain public-key
model and a general forking lemma,” in Proc. CCS, 2006, pp. 390–399.
[10] V. Srivastava, S. K. Debnath, B. Bera, A. K. Das, Y. Park, and
P. Lorenz, “Blockchain-envisioned provably secure multivariate identity-
based multi-signature scheme for Internet of Vehicles environment,”
IEEE Trans. Veh. Technol., vol. 71, no. 9, pp. 9853–9867, Sep. 2022,
doi: 10.1109/TVT.2022.3176755.
[11] A. Lakhan et al., “Cost-efficient mobility offloading and task scheduling
for microservices IoVT applications in container-based fog cloud
network,” Cluster Comput., vol. 25, pp. 2061–2083, Jun. 2022.
[12] M. Yu et al., “Internet of Things security and privacy-preserving method
through nodes differentiation, concrete cluster centers, multi-signature,
and blockchain,” Int. J. Distrib. Sensor Netw., vol. 14, Dec. 2018,
Art. no. 1550147718815842.
[13] Z. Xu et al., “A time-sensitive token-based anonymous authentication
and dynamic group key agreement scheme for industry 5.0,” IEEE
Trans. Ind. Informat., vol. 18, no. 10, pp. 7118–7127, Oct. 2022, doi:
10.1109/TII.2021.3129631.
[14] W. Liang et al., “A fast defogging image recognition algorithm based on
bilateral hybrid filtering,” ACM Trans. Multimedia Comput., Commun.,
Appl., vol. 17, no. 2, p. 42, 2021.
[15] W. Liang et al., “Spatial–temporal aware inductive graph neural network
for C-ITS data recovery,” IEEE Trans. Intell. Transp. Syst., early access,
Mar. 14, 2022, doi: 10.1109/TITS.2022.3156266.
[16] Z. Guo et al., “Double-layer affective visual question answering
network,” Comput. Sci. Inf. Syst., vol. 18, no. 1, pp. 155–168, 2021,
doi: 10.2298/CSIS200515038G.
[17] A. Shamir, “Identity-based cryptosystems and signature schemes,” in
Proc. CRYPTO, 1984, pp. 47–53.
[18] M. Miao, J. Wei, J. Wu, K. Li, and W. Susilo, “Verifiable data streaming
with efficient update for intelligent automation systems,” Int. J. Intell.
Syst., vol. 37, no. 2, pp. 1322–1338, Feb. 2022.
[19] D. Han, N. Pan, and K.-C. Li, “A traceable and revocable ciphertext-
policy attribute-based encryption scheme based on privacy protection,”
IEEE Trans. Dependable Secure Comput., vol. 19, no. 1, pp. 316–327,
Jan. 2022, doi: 10.1109/TDSC.2020.2977646.
[20] T. Xiao, D. Han, J. He, K.-C. Li, and R. F. de Mello, “Multi-keyword
ranked search based on mapping set matching in cloud ciphertext storage
system,” Connection Sci., vol. 33, no. 1, pp. 95–112, Jan. 2021.
[21] D. Li et al., “Blockchain for federated learning toward secure distributed
machine learning systems: A systemic survey,” Soft Comput., vol. 26,
pp. 4423–4440, Nov. 2021, doi: 10.1007/S00500-021-06496-5.
[22] A. Lakhan, M. A. Mohammed, S. Kadry, S. A. Alqahtani, M. S. Maashi,
and K. H. Abdulkareem, “Federated learning-aware multi-objective
modeling and blockchain-enable system for IIoT applications,” Comput.
Electr. Eng., vol. 100, May 2022, Art. no. 107839.
[23] S. Micali, K. Ohta, and L. Reyzin, “Accountable-subgroup multi
signatures: Extended abstract,” in Proc. CCS, 2001, pp. 245–254.
[24] E. Syta et al., “Keeping authorities ‘honest or bust’ with decentralized
witness cosigning,” in Proc. IEEE Symp. Secur. Privacy (SP), May 2016,
pp. 526–545.
[25] G. Maxwell, A. Poelstra, Y. Seurin, and P. Wuille, “Simple Schnorr
multi-signatures with applications to Bitcoin,” Des., Codes Cryptogr.,
vol. 87, no. 9, pp. 1–26, 2018.
[26] J. Nick, T. Ruffing, and Y. Seurin, “MuSig2: Simple two-round Schnorr
multi-signatures,” in Advances in Cryptology—CRYPTO 2021, T. Malkin
and C. Peikert, Eds. Cham, Switzerland: Springer, 2021, pp. 189–221.
[27] D. Boneh, M. Drijvers, and G. Neven, “Compact multi-signatures for
smaller blockchains,” in Advances in Cryptology—ASIACRYPT 2018,
T. Peyrin and S. Galbraith, Eds. Cham, Switzerland: Springer, 2018,
pp. 435–464.
[28] M. Bellare and G. Neven, “Identity-based multi-signatures from RSA,”
in Proc. CT-RSA, 2007, pp. 145–162.
[29] C. Gentry and Z. Ramzan, “Identity-based aggregate signatures,” in
Public Key Cryptography—PKC 2006, M. Yung, Y. Dodis, A. Kiayias,
and T. Malkin, Eds. Berlin, Germany: Springer, 2006, pp. 257–273.
[30] I. Ali, T. Lawrence, and F. Li, “An efficient identity-based signature
scheme without bilinear pairing for vehicle-to-vehicle communication
in VANETs,” J. Syst. Archit., vol. 103, Feb. 2020, Art. no. 101692.
[31] S. S. Al-Riyami and K. G. Paterson, “Certificateless public key
cryptography,” IACR Cryptol. ePrint Arch., vol. 2003, p. 126, Jan. 2003.
[32] J. Baek, R. Safavi-Naini, and W. Susilo, “Certificateless public key
encryption without pairing,” in Proc. ISC, 2005, pp. 134–148.
[33] J. Li, H. Yan, and Y. Zhang, “Certificateless public integrity checking
of group shared data on cloud storage,” IEEE Trans. Services Comput.,
vol. 14, no. 1, pp. 71–81, Feb. 2021.
[34] Y. Fan et al., “SBBS: A secure blockchain-based scheme for IoT data
credibility in fog environment,” IEEE Internet Things J., vol. 8, no. 11,
pp. 9268–9277, Jun. 2021, doi: 10.1109/JIOT.2021.3057045.
[35] M. Cui, D. Han, J. Wang, K.-C. Li, and C.-C. Chang, “ARFV:
An efficient shared data auditing scheme supporting revocation for fog-
assisted vehicular ad-hoc networks,” IEEE Trans. Veh. Technol., vol. 69,
no. 12, pp. 15815–15827, Dec. 2020, doi: 10.1109/TVT.2020.3036631.
[36] N. Z. Aitzhan and D. Svetinovic, “Security and privacy in decentralized
energy trading through multi-signatures, blockchain and anonymous
messaging streams,” IEEE Trans. Dependable Secure Comput., vol. 15,
no. 5, pp. 840–852, Sep./Oct. 2018.
[37] N. Gao et al., “Modeling and analysis of port supply chain system
based on fabric blockchain,” Comput. Ind. Eng., vol. 172, Oct. 2022,
Art. no. 108527, doi: 10.1016/J.CIE.2022.108527.
[38] N. Sakli et al., “ResNet-50 for 12-lead electrocardiogram auto-
mated diagnosis,” Comput. Intell. Neurosci., vol. 2022, Apr. 2022,
Art. no. 7617551.
Han Liu received the Ph.D. degree from Shanghai
Maritime University, Shanghai, China, in 2022.
His main research interests include blockchain, the
IoT, cloud security, and machine learning.
Dezhi Han (Senior Member, IEEE) received the
Ph.D. degree from the Huazhong University of
Science and Technology, Wuhan, China, in 2005.
He is currently a Professor of computer science
and engineering at Shanghai Maritime University,
Shanghai, China. His research interests include
cloud computing, mobile networking, wireless
communication, and cloud security.
Mingming Cui is currently pursuing the Ph.D.
degree with the School of Information Engineering,
Shanghai Maritime University, Shanghai, China.
Her current research interests include cryptology,
cloud computing security, and vehicle ad-hoc
networks (VANETs) security.
Kuan-Ching Li (Senior Member, IEEE) received
the Ph.D. degree from the University of São Paulo,
São Paulo, Brazil, in 2001.
He is currently a Professor at the Department
of Computer Science and Information Engineering,
Providence University, Taichung, Taiwan, where he
is also the Director of the High-Performance Computing and Networking Center, established through
collaborations with industry. Besides publishing
articles in renowned journals and conferences,
he is a coauthor/coeditor of more than 40 books
published by Taylor & Francis, Springer, and McGraw-Hill. His research
interests include big data, parallel and distributed computing, and emerging
technologies.
Dr. Li is a fellow of the Institution of Engineering and Technology (IET)
and a member of the American Association for the Advancement of Science
(AAAS).
Alireza Souri (Senior Member, IEEE) is currently
an Associate Professor at the Department of
Software Engineering, Haliç University, Istanbul,
Turkey. He has coauthored more than 80 scientific
articles and conference papers in high-ranked
journals. His research interests include formal verification, model checking, fog and cloud computing,
the IoT, data mining, and wireless networks.
Dr. Souri is an associate and a guest editor for
several high-ranked scientific journals.
Mohammad Shojafar (Senior Member, IEEE)
received the Ph.D. degree (Hons.) from the Sapienza
University of Rome, Rome, Italy, in 2016.
He has published more than 100 papers in
top-ranked journals and conferences. His research
interests are in the area of security and privacy.
Dr. Shojafar is an associate editor and a guest editor for several high-ranked scientific journals.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
Authorized licensed use limited to: Shanghai Maritime University. Downloaded on January 07,2023 at 08:51:47 UTC from IEEE Xplore. Restrictions apply.
... Limited Coverage on Thresholding Approaches and Their Comparison. : The custom-design of distributed signatures such as multi-signatures [179], group signatures [45], and some custom-design threshold signatures [166] received attention in the literature. Yet, another angle to threshold digital signature is the use of MPC [76]. ...
... Threshold BLS can be applied in vehicular networks [257] and communication spectrum [135]. Other distributed signatures find application in various contexts, such as identity-based ring signatures for general IoT [179], threshold EC-based signatures in wireless sensor networks [240], threshold blind signatures for data deduplication [194], and battlefield intelligent use cases [132]. Moreover, distributed signature verification can be used in embedded medical devices [215], and distributed public key computation can transform a one-time signature to many-time for better performance [22]. ...
... Tools: Threshold ECDSA Signature[40][121] [128][129][170] Multi-signature Bitcoin wallets Tools: Schnorr Multi-signature[158][190] [205] Tools: Multi-signatures[38] Tools: Threshold BLS Signature[180][233][250] Tools: Threshold Multivariate Signatures[264] Tools: EC-based Threshold Signature[265] Tools: Multi-signatures[94] Tools: Multi-signature ECDSA[216] Tools: EC Threshold Signature[265] Tools: Threshold BLS Signature[142][274] Tools: Threshold ECDSA[80] Tools: Threshold Ring Signature[253] Tools: ID-based Ring Signature[149] Tools: ID-based Ring Signature[139] Tools: Ring Signatures[131][169] Tools: Threshold Ring Signature[172] Tools: Threshold BLS Signature[257] IoT Tools: ID-based Multi-signature[179] Wireless Sensor NetworksTools: EC Threshold Digital Signature[240] Secure Data DeduplicationTools: Threshold Blind Signature[194] Tools: Threshold BLS[135] Tools: Group Signatures[132] Tools: Threshold ECDSA[223] ...
... In the field of data storage, event logs are used to record important events that occur in the storage system, such as accesses, modifications, deletions, etc., for the purpose of auditing. Integrity monitoring is employed to prevent and detect data tampering, verifying the integrity of data through techniques like digital signatures [13]. Real-time monitoring involves ongoing checks on the storage system to promptly identify anomalies. ...
... end if 10: end for 11: if f ! = Null then 12: return Error("The f th subnetwork record has been tampered with!") 13 response ← DownloadFromIPFS(SNCID) 6: if response == Null then 7: break; 8: end if 9: end for 10: if response == Null then 11: return Error("The subnetwork with the SNCID has been tampered with in the IPFS!") 12: end if 13: return OK ...
Article
Full-text available
In the era of deep learning as a service, ensuring that model services are sustainable is a key challenge. To achieve sustainability, the model services, including but not limited to storage and inference, must maintain model security while preserving system efficiency, and be applicable to all deep models. To address these issues, we propose a sub-network-based model storage and inference solution that integrates blockchain and IPFS, which includes a highly distributed storage method, a tamper-proof checking method, a double-attribute-based permission management method, and an automatic inference method. We also design a smart contract to deploy these methods in the blockchain. The storage method divides a deep model into intra-sub-network and inter-sub-network information. Sub-network files are stored in the IPFS, while their records in the blockchain are designed as a chained structure based on their encrypted address. Connections between sub-networks are represented as attributes of their records. This method enhances model security and improves storage and computational efficiency of the blockchain. The tamper-proof checking method is designed based on the chained structure of sub-network records and includes on-chain checking and IPFS-based checking stages. It efficiently and dynamically monitors model correctness. The permission management method restricts user permission based on the user role and the expiration time, further reducing the risk of model attacks and controlling system efficiency. The automatic inference method is designed based on the idea of preceding sub-network encrypted address lookup. It can distribute trusted off-chain computing resources to perform sub-network inference and use the IPFS to store model inputs and sub-network outputs, further alleviating the on-chain storage burden and computational load. 
This solution is not restricted to model architectures and division methods, or sub-network recording orders, making it highly applicable. In experiments and analyses, we present a use case in intelligent transportation and analyze the security, applicability, and system efficiency of the proposed solution, particularly focusing on the on-chain efficiency. The experimental results indicate that the proposed solution can balance security and system efficiency by controlling the number of sub-networks, thus it is a step towards sustainable model services for deep learning.
... Blockchain is a widely applied distributed database based on cryptography, with advantages such as immutability and decentralization [1,2]. Smart contracts are self-executing codes or protocols deployed on the blockchain [3]. Access control technology is one of the core techniques in information security. ...
... The decentralization of the blockchain ensures that smart contracts can be executed transparently and securely, and also makes the execution of smart contracts independent of any central authority or server. Smart contracts can also be used to flexibly embed various data and digital assets, thus achieving secure and decentralized on-chain information exchange and management [3]. ...
Article
Full-text available
Model evaluation is critical in deep learning. However, the traditional model evaluation approach is susceptible to issues of untrustworthiness, including insecure data and model sharing, insecure model training, incorrect model evaluation, centralized model evaluation, and evaluation results that can be tampered easily. To minimize these untrustworthiness issues, this paper proposes a blockchain-based model evaluation framework. The framework consists of an access control layer, a storage layer, a model training layer, and a model evaluation layer. The access control layer facilitates secure resource sharing. To achieve fine-grained and flexible access control, an attribute-based access control model combining the idea of a role-based access control model is adopted. A smart contract is designed to manage the access control policies stored in the blockchain ledger. The storage layer ensures efficient and secure storage of resources. Resource files are stored in the IPFS, with the encrypted results of their index addresses recorded in the blockchain ledger. Another smart contract is designed to achieve decentralized and efficient management of resource records. The model training layer performs training on users' servers, and, to ensure security, the training data must have records in the blockchain. The model evaluation layer utilizes the recorded data to evaluate the recorded models. A method in the smart contract of the storage layer is designed to enable evaluation, with scores automatically uploaded as a resource attribute. The proposed framework is applied to deep learning-based motion object segmentation, demonstrating its key functionalities. Furthermore, we validated the storage strategy adopted by the framework, and the trustworthiness of the framework is also analyzed.
... In particular, the identity-based signature (IDS) has widespread application due to its identification mechanisms and traceability. Liu et al. [26] designed a distributed multi-signature scheme with discrete logarithms to improve the security and efficiency of IoT identification with centralized signature schemes. Jia et al. [27] designed a certificateless signature protocol with an ECC-based discrete logarithm problem, and stated that it was more suitable for resource-limited IoT devices. ...
Article
Full-text available
The Internet of Things (IoT) plays an essential role in people’s daily lives, such as healthcare, home, traffic, industry, and so on. With the increase in IoT devices, there emerge many security issues of data loss, privacy leakage, and information tampering in IoT network applications. Even with the development of quantum computing, most current information systems are weak to quantum attacks with traditional cryptographic algorithms. This paper first establishes a general security model for these IoT network applications, which comprises the blockchain and a post-quantum secure identity-based signature (PQ-IDS) scheme. This model divides these IoT networks into three layers: perceptual, network, and application, which can protect data security and user privacy in the whole data-sharing process. The proposed PQ-IDS scheme is based on lattice cryptography. Bimodal Gaussian distribution and the discrete Gaussian sample algorithm are applied to construct the fundamental difficulty problem of lattice assumption. This assumption can help resist the quantum attack for information exchange among IoT devices. Meanwhile, the signature mechanism with IoT devices’ identity can guarantee non-repudiation of information signatures. Then, the security proof shows that the proposed PQ-IDS can obtain the security properties of unforgeability, non-repudiation, and non-transferability. The efficiency comparisons and performance evaluations show that the proposed PQ-IDS has good efficiency and practice in IoT network applications.
... Conventional lightweight signatures: They can offer efficient signature generation and small key sizes, along with additional security guarantees (e.g., [73,50,68,18]). The signature schemes based on the seminal elliptic-curve (EC) Schnorr [21] are notable for their efficiency compared to other conventional signature categories, such as pairing-based [41] and factorization-based [76]. For example, a recent EC-based signature scheme [50] is signer-efficient and provides single-signer signature aggregation. ...
Preprint
Full-text available
The Medical Internet of Things (MIoT) harbors resource-limited medical embedded devices that collect security-sensitive data from users for analysis, monitoring, and diagnosis, often involving cloud services. Digital signatures play a foundational role in ensuring the authentication and integrity of this sensitive medical information, critical for the trustworthiness of large-scale MIoT applications. However, traditional signatures used in current IoT systems may lack the necessary long-term security and are vulnerable to emerging quantum computer threats. NIST’s post-quantum cryptography (PQC) standards, though promising, impose heavy overhead unsuitable for battery-limited MIoT devices. Efforts to design more computationally efficient post-quantum (PQ) signatures have faced challenges, either introducing significant memory overhead and potential vulnerabilities (e.g., side-channel) or relying on strong assumptions (e.g., central trusted servers or semi-honest non-colluding servers), which may not align well with highly regulated healthcare applications. Hence, there is a need for highly lightweight PQ secure signatures that prioritize the strict resource limitations of embedded MIoT devices without imposing strong security assumptions or extra architectural requirements. This paper introduces INFinity-HORS (INF-HORS), a lightweight PQ digital signature. To the best of our knowledge, INF-HORS is the first signer-optimal hash-based signature offering polynomial unbounded signing capabilities under minimal architectural assumptions. Unlike other PQ signatures, INF-HORS does not require hyper-tree structures or incur the high memory usage seen in multivariate counterparts. Our performance analysis confirms that INF-HORS is significantly more computationally efficient than NIST PQC standards like Dilithium and SPHINCS+, while maintaining a compact memory and signature footprint. 
We prove INF-HORS’s security in the random oracle model and show through experiments that it achieves 20× faster signature generation and smaller signature and private key sizes compared to BLISS-I on an 8-bit ATxmega128A1 microcontroller. INF-HORS does not rely on non-colluding verification servers, secure enclaves, or trusted verification assisting entities, minimizing security risks and making it ideal for extending battery life in MIoT with minimal cryptographic overhead and strong security assumptions.
... Nevertheless, it also requires longer training time, which signifies higher energy consumption. In future work, the combination of MSSM and blockchain will guarantee a high level of real-time efficiency and data security [43][44][45][46][47]. It can also improve the scalability of the proposed model [48][49][50]. ...
Article
Full-text available
Time series data sensed by underwater wireless sensor networks (UWSNs) play a crucial role in prediction and decision-making in marine applications. Unfortunately, equipment and environmental precision and interference problems in UWSNs may lead to a large amount of missing data in a specific time period. In this work, we propose a multi-head attention-based sequence-to-sequence model (MSSM) for reconstructing continuous missing data. It can reduce the negative impact of missing data due to the harsh underwater communication environment. MSSM has a dual encoder architecture that can process known data on both sides of missing values. Multi-head self-attention mechanism and bidirectional gate recurrent unit (Bi-GRU) can thoroughly learn the temporal patterns and the inter-sequence dependencies; moreover, soft thresholding can also reduce noise interference. Datasets are used to test the performance, and experimental results show that metrics are lower than other relevant alternatives, demonstrating that MSSM is an effective model with solid generalization ability.
Article
The metaverse has dramatically transformed the traditional online realm and garnered significant interest from researchers and industry experts. By integrating with consumer electronics such as wearables and smart devices, it presents an immersive virtual world where individuals can engage in diverse activities. As this integration accelerates, there is an increasing need for robust and efficient methods to secure digital communications and transactions. The distributed Identity-Based Digital Signature (IBS) scheme has emerged as a promising solution to address the challenges of authenticity and integrity. However, most distributed IBS schemes are designed to rely on a trusted Key Generation Center (KGC), which introduces security risks of key escrow and a single point of failure. Meanwhile, the extensive use of cryptographic primitives such as homomorphic encryption and zero-knowledge proofs leads to the inefficiency of most schemes. Therefore, this paper proposes a blockchain-assisted fully distributed IBS scheme for integrating consumer electronics in the metaverse that complies with the IEEE P1363 Standard. In detail, our proposal completely eliminates the need for the trusted KGC and the signing key generation process is distributed among multiple users. In addition, we utilize oblivious transfer instead of homomorphic encryption to construct the signature’s additive share, making our scheme more efficient. Under the discrete logarithm assumption, it has been demonstrated that our scheme possesses existential unforgeability. Finally, based on the theoretical and experimental simulation analyses, our work shows outstanding effectiveness and practicality.
Article
The current advances in wearable sensors show the shining future of socially implemented Internet-of-Medical-Things (IoMT) devices (e.g., smartwatches). However, the recent machine learning approaches cannot be applied well in these devices, because almost all the processing in the IoMT devices is now being performed in classic forms (mainly as centralized computing) or based on cloud services. This topical collection has tried to extend our knowledge about how to apply collaborative learning to IoMT considering social edge/fog nodes’ facilities.
Article
Full-text available
Over the last decade, the usage of Internet of Things (IoT) enabled applications, such as healthcare, intelligent vehicles, and smart homes, has increased progressively. These IoT applications generate delay-sensitive data and require quick resources for execution. Recently, software-defined networks (SDN) offer an edge computing paradigm (e.g., fog computing) to run these applications with minimum end-to-end delays. Offloading and scheduling are promising schemes of edge computing to run delay-sensitive IoT applications while satisfying their requirements. However, in the dynamic environment, existing offloading and scheduling techniques are not ideal and decrease the performance of such applications. This article formulates joint and scheduling problems into combinatorial integer linear programming (CILP). We propose a joint task offloading and scheduling (JTOS) framework based on the problem. JTOS consists of task offloading, sequencing, scheduling, searching, and failure components. The study’s goal is to minimize the hybrid delay of all applications. The performance evaluation shows that JTOS outperforms all existing baseline methods in hybrid delay for all applications in the dynamic environment. The performance evaluation shows that JTOS reduces the processing delay by 39% and the communication delay by 35% for IoT applications compared to existing schemes.
Article
Full-text available
We are traversing the growing emerging technology paradigms in today’s advanced technological world. In this present era, the Internet of Things (IoT) is extensively used in all sectors. IoT is the ecosystem of smart devices which contains sensors, smart objects, networking, and processing units. These integrated devices provide better services to the end user. IoT is impacting our environment and is becoming one of the most popular technologies. The leading use of IoT in human life is to track activities anywhere at any time. The utmost utilities achieved by IoT applications are decision-making and monitoring for efficient and effective management. In this paper, an extensive literature review on IoT has been done using the systematic literature review (SLR) technique. The main focus areas include commercial, environmental, healthcare, industrial, and smart cities. The issues related to the IoT are also discussed in detail. The purpose of this review is to identify the major areas of applications, different popular architectures, and their challenges. The various IoT applications are compared in accordance with technical features such as quality of service and environmental evaluation. This study can be utilized by the researchers to understand the concept of IoT and provides a roadmap to develop strategies for their future research work.
Article
Full-text available
Nowadays, the implementation of Artificial Intelligence (AI) in medical diagnosis has attracted major attention within both the academic literature and industrial sector. AI would include deep learning (DL) models, where these models have been achieving a spectacular performance in healthcare applications. According to the World Health Organization (WHO), in 2020 there were around 25.6 million people who died from cardiovascular diseases (CVD). Thus, this paper aims to shed light on cardiology since it is widely considered as one of the most important fields in medicine. The paper develops an efficient DL model for automatic diagnosis of 12-lead electrocardiogram (ECG) signals with 27 classes, including 26 types of CVD and a normal sinus rhythm. The proposed model consists of Residual Neural Network (ResNet-50). An experimental work has been conducted using combined public databases from the USA, China, and Germany as a proof-of-concept. Simulation results of the proposed model have achieved an accuracy of 97.63% and a precision of 89.67%. The achieved results are validated against the actual values in the recent literature.
Article
With the development of international trade, the core position of port transportation progressively emerges. However, most current port supply chain systems adopt a centralized data management mode. Each operator in the supply chain has its platform and data set, which is prone to form information islands and can create trust issues, resulting in the inefficient overall operation of the supply chain. To improve the efficiency of the supply chain, a port supply chain system based on Fabric blockchain (Fabric-PSChain) is designed and implemented. In the proposed system, four smart contracts are developed by taking advantage of the blockchain’s decentralized, tamper-free, distributed consensus, combined with the Role-Based Access Control Policy (RBACP), realizing the functions of access control policy formulation, enterprise list query, cargo order uploading, and order query. At the same time, the regulator node is added to the Fabric-PSChain system to enhance the credibility and security of data and meet regulatory compliance requirements. Experimental results show that the Fabric-PSChain system has vital confidentiality and data sharing that can speed up the operation of the port supply chain business and has significant application value for the shipping logistics industry.
Article
The deployed vehicles in an Internet of Vehicles (IoV) can take intelligent decisions by means of exchanging the real-time traffic-related information between the vehicles and IoV infrastructures. This further reduces the probability of traffic jams and accidents. However, the insecure (public) communication among the various entities in IoV makes possible various security threats and attacks that can be launched by passive/active adversaries present in the network. In view of this context, there is a need for an efficient cryptographic primitive which can produce a single compact signature. A multi-signature scheme (MSS) empowers a collection of signers to conjointly sign a given message using a single compact signature that can be verified by any verifier. Herein, we put forward a new identity-based multivariate MSS, namely MV-MSS, which is built on top of the intractability of the multivariate-quadratic (MQ) problem. The fact is that the multivariate public key cryptosystem provides fast, post-quantum safe and efficient primitives, which makes it the front runner candidate among the post-quantum cryptographic candidates. MV-MSS is proven to be secure in the existential unforgeability under chosen-message and chosen-identity attack model if solving the MQ problem is NP-hard. We then incorporate the designed MV-MSS in an IoV application where the leader (cluster head) selected from a group of vehicles in a dynamic cluster forms the multi-signatures on the messages securely received from its member vehicles. Later, the messages along with their multi-signatures are forwarded to the nearby road-side unit (RSU) of the cluster head, which are then forwarded to a cloud server in the blockchain center maintained by a Peer-to-Peer (P2P) cloud servers network. In this way, the messages and their signatures considered as transactions are put in blocks and added into a public blockchain with the help of a consensus algorithm. 
A comparative study among the proposed MV-MSS and other existing schemes shows that MV-MSS is efficient and secure as compared to other schemes. Finally, a blockchain implementation through simulation study has been performed to show its practical use in IoV application.
Article
Despite the rapid development of Internet of Things technologies, where more and more medical sensors and gadgets are connected to the Internet, limited energy resources due to transmission, and security, are still the main challenges. In most cases, patients wear multiple medical devices that transmit sensed medical data wirelessly to servers, which might cause big traffic on the communication networks, which in turn causes high energy consumption. Therefore, using data aggregation, we can considerably reduce the energy consumption by eliminating redundant data; yet collected data must be fully protected. Secure data collection and transfer to centralized servers in healthcare applications employing IoT is quite challenging to protect against several attacks for illegal data access. For this reason, massive security measures should be taken to ensure that patients’ data can only be accessed by legitimate users. This paper proposes EPPADA: Efficient Privacy‑Preserving Authentication and Data Aggregation scheme in conjunction with Homomorphic Encryption concepts to meet requirements of healthcare using IoT with green computing technologies. The main objective of this proposed scheme is to decrease the communication overhead and energy consumption while maintaining safe and secure aggregation of the healthcare data between medical sensors and cloud servers. The proposed system is experimentally developed using the E-health sensor shield V2.0 platform. Based on security analysis that has the most extensive set of security features, our multi-objective approach enhances the End-to-End Delay, Computational Cost, Communication Overhead, besides maintaining security features.
Article
The work devises the Blockchain-Enabled Federated Learning Algorithm Framework (DLEBAF) with different strategies. The first strategy is deadline-efficient task sequencing and scheduling (DETS), which allocates all applications (workloads) according to their deadline. The second strategy is latency-efficient task scheduling (LETS) to minimize the latency of workloads. The third strategy is energy-efficient task scheduling (EETS), which reduces the energy of fog nodes. The blockchain-enabled fog-cloud (BEFC) scheme ensures the blockchain validation, hashing, previous hash, and time of applications in the system. The results will compare the optimal energy results and delay existing studies with the proposed work. Results showed that the proposed method improves by 30% energy and 50% training delay of all applications.
Article
With the prevalence of Intelligent Transportation Systems (ITS), massive sensors are deployed on roadside, vehicles, and infrastructures. One key challenge is imputing several different types of missing entries in spatial-temporal traffic data to meet the high-quality demand of data science applied in Cooperative-ITS (C-ITS), since accurate data recovery is critical to many downstream tasks in ITSs, such as traffic monitoring and decision making. For this, this article proposes solutions to three kinds of data recovery tasks in a unified model via spatial-temporal aware Graph Neural Networks (GNNs), named Spatial-Temporal Aware Data Recovery Network (STAR), enabling real-time and inductive inference. A residual gated temporal convolution network is designed to permit the proposed model to learn the temporal pattern from long sequences with masks, and an adaptive memory-based attention model for utilizing implicit spatial correlation. To further exploit the generalization power of GNNs, a sampling-based method is adopted to train the proposed model to be robust and inductive for online servicing. Extensive numerical experiments on two real-world spatial-temporal traffic datasets are performed, and results show that the proposed STAR model consistently outperforms other baselines at 1.5-2.5 times on all kinds of imputation tasks. Moreover, STAR can support recovery data for 2 to 5 hours, with its performance almost unchanged, and has comparable performance in transfer learning and time-series forecast. Experimental results demonstrate that STAR provides adequate performance and rich features for multiple data recovery tasks under the C-ITS scenario.
Article
Traffic flow forecasting is indispensable in today's society and regarded as a key problem for Intelligent Transportation Systems (ITS), as emergency delays in vehicles can cause serious traffic security accidents. However, the complex dynamic spatial-temporal dependency and correlation between different locations on the road make it a challenging task for security in transportation. To date, most existing forecasting frames make use of graph convolution to model the dynamic spatial-temporal correlation of vehicle transportation data, ignoring semantic similarity between nodes and thus resulting in accuracy degradation. In addition, traffic data does not strictly follow periodicity and is hard to capture. To solve the aforementioned challenging issues, we propose in this article CRFAST-GCN, a multi-branch spatial-temporal attention graph convolution network. First, we capture the multi-scale (e.g., hour, day, and week) long-/short-term dependencies through three identical branches, then introduce a conditional random field (CRF) enhanced graph convolution network to capture the semantic similarity globally, and then we exploit the attention mechanism to capture the periodicity. For model evaluation using two real-world datasets, performance analysis shows that the proposed CRFAST-GCN successfully handles the complex spatial-temporal dynamics effectively and achieves improvement over the baselines at 50% (maximum), outperforming other advanced existing methods.
Article
In Industry 5.0, the massive number of Internet of Things (IoT) devices have increasing demands for group communication with high communication efficiency and low energy consumption. However, group communication meets continuously increasing security risk challenges. Existing authentication and group key agreement schemes have encountered many problems, such as lack of anonymity and untraceability. In this investigation, we propose an anonymous authentication and dynamic group key agreement scheme based on the Blockchain and token mechanism, where each group member can apply for a time-sensitive token during the first authentication and only needs to check the validity of the token in the subsequent authentication, reducing the computational and transmission costs considerably. The verification on the security of the proposed scheme is tackled through mathematical analysis and validated using ProVerif, and comparisons with existing schemes demonstrate that the proposed scheme reduces the security risks and each group member's energy consumption.