An Efficient and Provably Secure SM2 Key-Insulated Signature Scheme for Industrial Internet of Things

With the continuous expansion of the Industrial Internet of Things (IIoT), more and more organisations place large amounts of data in the cloud to reduce overheads. However, the channel between cloud servers and smart equipment is not trustworthy, so the authenticity of the data must be protected. The SM2 digital signature algorithm provides such an authentication mechanism, but, like any signature scheme whose long-term key lives on a frequently used device, it still suffers from the problem of key exposure. To address this concern, this study introduces a key-insulated signature scheme, SM2-KI-SIGN, based on the SM2 algorithm. The scheme achieves strong key insulation and secure key-updates. It relies only on elliptic curve arithmetic, which makes it efficient and well suited to IIoT-cloud environments. Finally, a security proof of SM2-KI-SIGN is given under the Elliptic Curve Discrete Logarithm (ECDL) assumption in the random oracle model.


Introduction
In recent years, the Industrial Internet of Things (IIoT), a core subset of the Internet of Things (IoT) [1,2], has developed rapidly and has brought substantial and sustainable advances to industry [3]. The IIoT connects sensors, smart devices and actuators to the existing Internet through Wireless Sensor Networks (WSNs) [4]. In an IIoT environment, smart devices monitor, transmit, collect and analyze information automatically. Compared with traditional industry, the IIoT therefore achieves more efficient and sustainable production and significantly reduces operating costs and resource consumption [5]. Consequently, IIoT-centered smart industry plays a significant role in moving traditional manufacturing towards smart manufacturing [6]. Despite these benefits, the IIoT also faces thorny data processing issues, above all the huge volume of data monitored and collected by IIoT smart devices; storing and processing this big data raises serious challenges [7]. Cloud computing offers a solution to these problems [8]: it provides broad network access, resource pooling, formidable processing power and low cost [9], so in an IIoT-cloud computing environment the challenges of big data collection, storage and processing can be properly addressed [10].
Although the IIoT-cloud computing environment offers a way to solve the problems above, the authenticity and integrity of the data still need to be addressed [5]. The channel between the cloud server and the smart device is generally considered untrustworthy [11], so ensuring that data is not intercepted and modified in transit, and that the receiver can tell genuine data from forged data, is a difficult challenge. Digital signatures are a promising cryptographic primitive for this purpose [12] (an example of a digital signature is given in Fig. 1). Data is signed with the signer's private key before it is sent from the smart device to the cloud server, and the recipient verifies the origin and integrity of the message by verifying the signature [4]. A series of public key infrastructure (PKI) signature protocols has been presented on this basis [13]. In a PKI-based digital signature system, a trusted certification authority (CA) binds a user's identity to the corresponding public key by issuing a certificate. The concept of a digital signature was first proposed by Diffie et al. in 1976 [14], the paper that established the foundation of Public Key Cryptography (PKC). In the decades since, PKI has been the most widely applied authentication architecture for traditional PKC-based schemes. Building on this work, the U.S. government released a federal information processing standard, the Digital Signature Standard (DSS), while China adopted the RSA digital signature scheme.
With the development of cryptography and computing technology, the commonly used 1024-bit RSA algorithm faces serious security threats. Elliptic Curve Cryptography (ECC), which offers better security and efficiency than traditional cryptosystems such as RSA and DSA, was first proposed in the 1980s [15] (by Miller in 1985, as recalled in Section 2, and independently by Koblitz in 1987). The public key cryptographic algorithm SM2, published by the Chinese State Cryptography Administration Office on December 17, 2010 [16], is also an ECC scheme; it has since been standardized by ISO/IEC in ISO/IEC 14888-3:2016/DAMD 1 [17]. Because the algorithm is based on ECC, its signing and key generation are faster than RSA's, and a 256-bit SM2 key already offers a higher security strength than a 2048-bit RSA key. To show the advantages of SM2 over RSA more intuitively, we compare the two algorithms along the dimensions of security and speed; the results are listed in Tables 1 and 2. SM2 thus offers better performance and security: higher security strength per key bit, fast processing and lower demands on the machine. SM2 is already widely deployed in fields such as electronic authentication, e-commerce and e-government systems. Another unavoidable problem is key exposure, since signing operations are executed frequently on insecure smart devices, and exposure of a long-term signing key has disastrous consequences: every signature ever produced under it becomes untrustworthy. The key-insulated primitive was introduced by Dodis et al. in 2002 [18] to contain exactly this damage. The signer's temporary signing key evolves from period to period with the assistance of a physically separate helper; without the helper's update message, the signer's key cannot be updated from the last time period to the current one. As long as the helper's key remains secure, an adversary who obtains a period key can forge signatures only for the current time period rather than for the next one. Dodis et al. later proposed a strong key-insulated signature scheme [19], and a number of well-designed key-insulated schemes were subsequently constructed on the basis of the work of Hanaoka et al. [20-22]. It is worth noting that the scheme of Zhou et al. [22] is not strongly key-insulated: if the helper's key is compromised, an adversary can forge signatures as a legitimate user. Weng et al. [23] therefore proposed the notion of secure key-updates, which is now widely applied.
Given the above analysis, the SM2 digital signature algorithm faces the key exposure problem when it is integrated into the IIoT-cloud computing environment, a problem that has attracted widespread attention from domestic and international authors [24,25]. To address it, we propose an efficient and provably secure key-insulated signature scheme based on SM2 (SM2-KI-SIGN) for the IIoT-cloud environment. Our scheme is inspired by the idea of secure key-updates [23] and has both the strong key-insulated and the secure key-updates properties. It is more efficient than the scheme of Weng et al. [23] because it relies on elliptic curve arithmetic alone.
Our core contributions in this paper are as follows: 1) Introduction of an efficient and secure key-insulated signature scheme based on the SM2 cryptosystem, termed SM2-KI-SIGN; 2) Demonstration that SM2-KI-SIGN achieves EUF-CMA (existential unforgeability under chosen message attacks) and has the key-insulated property, thereby efficiently mitigating the key exposure issue; 3) Empirical validation of the efficiency and applicability of SM2-KI-SIGN through specific experimental simulations and performance assessments.
The rest of this paper is organized as follows. Section 2 recalls the preliminaries: elliptic curves, the security assumption and the system framework. Section 3 gives the concrete construction of SM2-KI-SIGN. Section 4 presents the security proof together with the theoretical and experimental evaluation. Section 5 concludes the paper.

Preliminaries

Elliptic Curve Discrete Logarithm (ECDL) Problem
Let E(F_p) be an elliptic curve over the finite field F_p and let P ∈ E(F_p) be a point of prime order q (this matches the parameters (p, a, b, q, G) of the Setup algorithm in Section 3). For any Q ∈ ⟨P⟩, i.e. any point that is a multiple of P, there exists an integer l ∈ [0, q − 1] such that Q = l · P. Computing l from P and Q is the ECDL problem.

ECDLP Assumption
No probabilistic polynomial-time (P.P.T.) algorithm A solves the ECDL problem in E(F_p) with advantage at least ε for a non-negligible ε; in other words, every P.P.T. algorithm A has only negligible advantage in the security parameter.

Bilinear Pairings
Let G be an additive group and G_T a multiplicative group, both of the same prime order q, and let P be a generator of G. A bilinear map e : G × G → G_T satisfies the following properties:
1) Bilinearity: for all m, n ∈ Z_q*, e(mP, nP) = e(P, P)^{mn}.
2) Non-degeneracy: e(P, P) ≠ 1.
3) Computability: there exists an efficient algorithm to compute e(P, Q) for all P, Q ∈ G.
SM2-KI-SIGN itself uses no pairing; the definition is recalled because the related key-insulated schemes it is compared with in Section 4 are pairing-based, which is where its efficiency advantage comes from.

Elliptic Curve Cryptography
In recent decades, Elliptic Curve Cryptography (ECC) has been widely studied and applied. In 1985, the mathematician Victor Miller studied elliptic curves in cryptography and conjectured that index-calculus methods, which give sub-exponential attacks on the discrete logarithm in finite fields, are unlikely to carry over to elliptic curve groups. ECC is a public key cryptography method based on the algebraic structure of elliptic curves over a finite field, and it provides equivalent security with smaller keys. Elliptic curves are now applied to tasks such as key agreement, digital signatures and pseudo-random generation. Because ECC uses smaller keys, it reduces storage and transmission costs, and it is therefore well suited to the IIoT-cloud environment.

Notations
The notations used in the SM2-KI-SIGN scheme are defined in Table 3; for example, ENTL_ID denotes the length of a signer's ID.

Outline of SM2-KI-SIGN
The SM2-KI-SIGN scheme consists of the six algorithms described below:
1) Setup: On input the security parameter k, the KGC produces the public parameters params.
2) KeyGen: Given params and the time period t, the user generates his or her own key pair (d, P) (private key d, public key P) and the helper's key pair (hk, HK).
3) Upd*: On input params and two time period indices t_i and t_j, the helper outputs the partial temporary key PSK_{i,j}.
4) Upd: On input params, t_i, T_j and PSK_{i,j}, the signer outputs the temporary key T_i for period t_i.
5) Sign: On input params, t_i, T_i and the message m, the signer generates a signature φ on m.
6) Verify: On input params, P, HK and a message-signature pair (m, φ), the verifier outputs 1 if the signature is valid and 0 otherwise.

Our Proposed SM2-KI-SIGN Scheme
In this section, we elaborate the construction of the SM2-KI-SIGN digital signature scheme. It consists of the six algorithms listed below; Upd* and Upd are the algorithms that address key exposure. The interaction between the entities of SM2-KI-SIGN is illustrated in Fig. 2.
1. Setup: On input the security parameter k, the administrator (the KGC of the outline above) operates as follows:
• Generate an elliptic curve y^2 = x^3 + ax + b over a finite field F_p with discriminant Δ = 4a^3 + 27b^2 ≠ 0 (mod p). (p, a, b, q) are the parameters of the curve, where p and q are two large primes and p is the size of F_p.
• Select a generator G ∈_R E(F_p) and let q be the order of G.
• Select three cryptographic hash functions H_1 : {0, 1}* → Z_q*, H_2 : {0, 1}* → Z_q* and H_3 : {0, 1}* → {0, 1}^256 (the ranges of H_1 and H_2 are those used by the random oracle simulation in Section 4).
• Set the public parameters params = (p, a, b, q, G) and output them.
2. KeyGen: On input params, the user operates as follows:
• Select d ∈_R Z_q* as the private key.
• Calculate P = d · G and set P as the public key.
• Output the key pair (d, P).
Given the initial time period t_0, the helper for the user executes as follows:
• Select hk ∈_R Z_q* as the helper's private key.
• Calculate the helper's public key HK = hk · G.
• Calculate the time period function X_0 = H_1(t_0) and then the initial time period key T_0 = hk · X_0.
3. Upd*: On input two time period indices t_i and t_j, the helper for the user executes as follows:
• Calculate the partial temporary key PSK_{i,j} = hk · L_{i,j}.
4. Upd: On input a time period index t_i, the partial temporary key PSK_{i,j} and the temporary key T_j, the signer derives the temporary key for the time period t_i as follows:
• Return the temporary key T_i.
5. Sign: On input params, the message m to be signed, the time period index t_i and the private key d, the signer operates as follows:
• Calculate Z = H_3(ENTL_ID ∥ ID ∥ a ∥ b ∥ G ∥ x ∥ y), where ENTL_ID denotes the length of the signer's ID. This is the user hash of the SM2 standard, which binds the signer's identity and public key into the value that is signed.
• Complete the SM2 signing equations on Z ∥ m and output the signature σ on m (written as the triple (r, s, φ) in Section 4).
6. Verify: On input params, the public key P = d · G, the helper's public key HK = hk · G, the message m and the signature σ, the verifier operates as follows (ENTL_ID is defined as above):
• If r ∉ Z_q*, the verification fails; terminate the algorithm.
• If s ∉ Z_q*, the verification fails; terminate the algorithm.
• Set m̄ = Z ∥ m and calculate e = H_2(m̄).
• Calculate t = (r + s) mod q. If t = 0, the verification fails; terminate the algorithm.
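The Sign and Verify steps above are the SM2 signature equations (Section 4 states that the equations of SM2-KI-SIGN are consistent with the SM2 standard), and the scalar multiplication Q = l · P of Section 2 is the operation every step rests on. The following Python block is an added example written for this page, not code from the paper: it implements the group law and the SM2 sign/verify equations over the standard sm2p256v1 parameters, including the Z user hash, the range checks and the t ≠ 0 check of the Verify steps, and it adds recover_d_from_k, which makes concrete the remark in Section 4 that an adversary who learns the nonce k recovers d. Assumptions: SHA-256 stands in for H_2 and for the 256-bit H_3 (the SM2 standard uses SM3); the helper key hk, the value φ and the period keys of SM2-KI-SIGN are not modelled, since the page gives only the SM2 component's equations; the arithmetic is textbook and not constant-time, so it is for study, not deployment.

```python
# Added example for this page (not the paper's code): SM2 signing/verification
# over sm2p256v1 (GB/T 32918) plus nonce-leak recovery of d. Assumptions:
# SHA-256 replaces SM3 for H_2/H_3; hk, phi and period keys are not modelled.
import hashlib
import secrets

# sm2p256v1 domain parameters: y^2 = x^3 + A x + B over F_P, base point G of order N
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
G = (GX, GY)
INF = None  # point at infinity

def on_curve(pt):
    return pt is INF or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def add(p1, p2):
    """Affine group law on E(F_P), including doubling and Q + (-Q) = INF."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """k*pt by double-and-add; inverting pt -> k*pt is the ECDL problem of Section 2."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

assert on_curve(G), "domain parameters are corrupted"

def keygen(d=None):
    """Private key d in [1, N-2] (the standard excludes N-1); public key P = d*G."""
    if d is None:
        d = secrets.randbelow(N - 2) + 1
    return d, mul(d, G)

def z_value(ident, pub):
    """Z = H_3(ENTL_ID || ID || a || b || x_G || y_G || x_P || y_P): the SM2 user hash
    that ties the signer's identity and public key into every signature."""
    fe = lambda v: v.to_bytes(32, "big")
    entl = (len(ident) * 8).to_bytes(2, "big")  # ID length in bits, 2 bytes
    pre = entl + ident + fe(A) + fe(B) + fe(GX) + fe(GY) + fe(pub[0]) + fe(pub[1])
    return hashlib.sha256(pre).digest()  # assumption: SHA-256 in place of SM3

def msg_hash(z, msg):
    """e = H_2(m_bar) with m_bar = Z || m, read as an integer."""
    return int.from_bytes(hashlib.sha256(z + msg).digest(), "big")

def sign(d, pub, ident, msg, k=None):
    """r = (e + x1) mod N, s = (1+d)^-1 (k - r d) mod N; k is fresh unless supplied."""
    e = msg_hash(z_value(ident, pub), msg)
    while True:
        if k is None:
            k = secrets.randbelow(N - 1) + 1
        x1, _ = mul(k, G)
        r = (e + x1) % N
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if r == 0 or r + k == N or s == 0:  # rejection rules of the standard
            k = None
            continue
        return r, s

def verify(pub, ident, msg, sig):
    """Range checks, t = (r+s) mod N != 0, then s*G + t*P and (e + x1') mod N == r."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):  # r, s must lie in Z_N^*
        return False
    t = (r + s) % N
    if t == 0:
        return False
    e = msg_hash(z_value(ident, pub), msg)
    pt = add(mul(s, G), mul(t, pub))
    return pt is not INF and (e + pt[0]) % N == r

def recover_d_from_k(r, s, k):
    """Section 4's point made concrete: s = (1+d)^-1 (k - r d) rearranges to
    d = (k - s)(s + r)^-1 mod N, so a leaked or reused nonce exposes d (and,
    identically, hk from phi = (1+hk)^-1 (k - r hk))."""
    return (k - s) * pow(s + r, -1, N) % N
```

The verify function mirrors the bullet list above: a signature whose r or s falls outside Z_q*, or whose t = (r + s) mod q is 0, is rejected before any curve arithmetic runs. recover_d_from_k is the reason the proof of Theorem 4 insists that the adversary cannot learn k: per-signature nonces must be fresh and secret, for the helper's φ exactly as for s.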
• If the remaining verification equation holds, the signature is valid and the verification passes; otherwise the verification fails.

Correctness
The signing and verification equations of SM2-KI-SIGN are those of the SM2 digital signature (see Theorem 4 below), so correctness follows the standard SM2 argument. With s = (1 + d)^{-1} · (k − r · d) mod q and t = (r + s) mod q,
s · G + t · P = (s + (r + s) · d) · G = ((1 + d) · s + r · d) · G = k · G,
so the x-coordinate the verifier recovers is the one the signer used to form r, and the check on r succeeds. The analogous identity with hk and HK in place of d and P holds for φ = (1 + hk)^{-1} · (k − r · hk) mod q.

Analysis

Security Proof
1) Theorem 1. The proposed SM2-KI-SIGN scheme is perfectly key-insulated against a P.P.T. adversary A in the game.
Proof: Given an ECDL problem instance (P, P_0) with P = G, the goal of B is to compute a ∈ Z_q* such that P_0 = a · P; B controls the random oracles.
Setup: B initializes A with P_KGC = P_0, then sends the public parameters params = (p, a, b, q, G) and (P, P_KGC) to A.
Query: The interaction between the adversary A and B is as follows; A may issue its queries adaptively.
1) H_1 query: B maintains a list L_1 of tuples (t_i, X_i). When A submits t_i to the H_1(·) oracle, B first searches L_1. If L_1 contains (t_i, X_i), B answers A with X_i. Otherwise B selects X_i ∈_R Z_q*, returns X_i to A and inserts (t_i, X_i) into L_1.
2) H_2 query: B maintains a list L_2 of tuples (e, m̄). When A submits m̄ to the H_2(·) oracle, B first searches L_2. If L_2 contains (e, m̄), B answers A with e. Otherwise B selects e ∈_R Z_q*, returns e to A and inserts (e, m̄) into L_2.
3) H_3 query: B maintains a list L_3 of tuples (ID, Z). When A submits ID to the H_3(·) oracle, B first searches L_3. If L_3 contains (ID, Z), B answers A with Z. Otherwise B selects Z ∈_R Z_q*, returns Z to A and inserts (ID, Z) into L_3.
4) Extract-Private-Key: B maintains a list L_pri of tuples (ID, d, hk, PSK_{i,j}). When an identity ID is submitted to this oracle, B searches L_pri. If ID_i = ID_I, B terminates the simulation (event E_1). Otherwise, if L_pri contains (ID, d, hk, PSK_{i,j}), B answers A with (d, hk, PSK_{i,j}); if it does not, B chooses d_i, hk_i ∈ Z_q* at random, computes PSK_{i,j} = hk_i · H_{i,j}, inserts (ID, d_i, hk_i, PSK_{i,j}) into L_pri and answers A with (d_i, hk_i, PSK_{i,j}).
5) Extract-Public-Key: B maintains a list L_pub of tuples (ID, P, HK). When an identity ID is submitted to this oracle, B searches L_pub. If L_pub contains (ID, P, HK), B answers A with it. Otherwise B consults L_par and L_pri, computes P = d · G and HK = hk · G, inserts (ID, P, HK) into L_pub and answers A with (ID, P, HK).
6) Public-Key-Replace: When A submits (ID, P', HK'), B searches L_pub. If L_pub contains no entry for ID, B first performs an Extract-Public-Key query on ID. B then sets P = P' and HK = HK' and updates L_pub accordingly.
7) Signature query: When A submits (ID, M), B picks a ∈ Z_q* at random, sets hk = a and φ = (1 + hk)^{-1} · (k − r · hk) mod q, and returns a valid signature θ to A.
Forgery: After polynomially many queries, A outputs a forged signature σ = (r_1, s_1, φ_1) on (ID*, M) with non-negligible probability ε. If ID* ≠ ID_I, B fails and stops (event E_2); otherwise the forgery is useful to B. By the forking lemma, replaying A with different hash values yields two further signatures (r_2, s_2, φ_2) and (r_3, s_3, φ_3).
The three resulting equations in the three unknowns c, a, v are linearly independent, so combining them yields the value of a, and B solves the ECDLP instance using the capabilities of A. For the forgery to be useful, the following three events must occur: 1) π_1: no partial private key query has been made on the target identity, i.e. event E_1 does not occur; 2) π_2: the forged signature on the message M* is valid; 3) π_3: the forged signature is ID-consistent, i.e. event E_2 does not occur. Thus B uses the ability of A to solve an ECDLP instance in polynomial time with non-negligible probability, which contradicts the hardness of ECDLP; the scheme therefore resists existential forgery by A under adaptive chosen message attack.
2) Theorem 2. The proposed SM2-KI-SIGN scheme is strongly key-insulated against an adversary B.
Proof: The adversary B has non-negligible probability ε; the proof is the same as that of Theorem 1 and is omitted here.
3) Theorem 3. The SM2-KI-SIGN scheme proposed in this paper has secure key-updates.
Proof: For any period indices t_i and t_j, the update key PSK_{i,j} can be derived from T_i and T_j, so an adversary who already holds T_i and T_j learns nothing new from intercepting PSK_{i,j}.
4) Theorem 4. The proposed SM2-KI-SIGN scheme is secure against EUF-CMA.
Proof: Assume first that a P.P.T. adversary A can exchange information with the signer. Then L, r, s and φ are visible to A during key-insulated signature generation, and because s = (1 + d)^{-1} · (k − r · d) mod q, A obtains the value of r. To obtain d and hk from s and φ, however, A must obtain the value of k. If ECDLP is hard, A cannot obtain k from its interaction with the signer, so the private keys remain hidden. This argument relies on k being fresh and secret for every signature: a leaked or reused nonce gives d = (k − s) · (s + r)^{-1} mod q directly, exactly as for standard SM2. The signing and verification equations of SM2-KI-SIGN are consistent with the SM2 digital signature scheme, so SM2-KI-SIGN is unforgeable under EUF-CMA because the SM2 signature scheme satisfies EUF-CMA.

Performance Comparison
To demonstrate the efficiency and feasibility of the proposed SM2-KI-SIGN scheme, we compare it with existing works in this subsection. The comparison results are presented in figures and tables.
Table 4 summarises and compares the properties of SM2-KI-SIGN and other relevant schemes along three dimensions: strong key insulation, secure key-updates and security assumption. The symbol "✓" indicates that a scheme satisfies the corresponding property and the symbol "×" that it does not. Our SM2-KI-SIGN scheme satisfies all properties, and it is proven secure under the standard ECDLP assumption, which is weaker than the assumptions the other schemes rely on. The simulation experiment was run on a Windows 10 computer with an Intel Core i7-6700 @ 2.60 GHz processor and 8 GB of RAM, implemented in IntelliJ IDEA with the Java Pairing-Based Cryptography (JPBC) library. To match the security level of 1024-bit RSA, the pairing-based schemes use the super-singular curve y^2 = x^3 + x (mod p) with embedding degree 2, where q = 2^159 + 2^17 + 1 is a 160-bit Solinas prime and p = 12q · r − 1 is a 512-bit prime. For the ECC-based scheme, to offer the equivalent security level, we use the Koblitz elliptic curve y^2 = x^3 + a · x + b over F_{2^163} as the ECC group. Note that both parameter sets correspond to roughly 80-bit security, whereas a deployment of SM2 uses the 256-bit curve specified in the standard; the timings therefore indicate the relative cost of the schemes rather than the cost of a production configuration. Table 5 gives a theoretical evaluation of signature length, signing cost and verification cost; the notation for these quantities is explained in the footnote of Table 5. Compared with the existing schemes, in particular those listed here, our scheme has a clear cost advantage, which makes SM2-KI-SIGN more suitable for untrusted channels in the IIoT-cloud computing environment. A cost comparison of SM2-KI-SIGN with the schemes of [26-29] is shown in Fig. 3.

Conclusion
This paper presented SM2-KI-SIGN, the first key-insulated digital signature scheme based on the SM2 algorithm. The proposed scheme effectively reduces the risk of key exposure over untrusted channels in the IIoT-cloud computing environment. We first gave a formal outline of the scheme, then a concrete construction and a formal security proof under the ECDLP assumption in the random oracle model. Finally, theoretical analysis and simulation experiments showed that SM2-KI-SIGN is more efficient and practical than related key-insulated works. SM2-KI-SIGN thus offers a way to remedy the key exposure weakness of existing SM2 signature deployments, and our work may provide a new direction for future commercial digital signature schemes.

Figure 2: Process of SM2-KI-SIGN scheme

Figure 3: Comparison of cost

Table 1: The comparison of security between SM2 and RSA

Table 2: The comparison of speed between SM2 and RSA

Table 3: Notations

Table 4: The comparison of properties