According to Gartner Inc. gartner , more than 11 billion IoT devices were deployed and connected to the Internet in 2018. IoT and its applications have pervaded our daily lives, from the smart home and the smart city to smart everything. However, most of these IoT devices are not secure by design: they ship with security weaknesses or vulnerabilities and are easy to compromise with a variety of cyber attacks. In September 2018, ZeroDayLab zero reported a high-severity vulnerability in the 4G-based wireless 4GEE Mini modem. The vulnerability could allow an attacker to run a malicious program on a targeted computer with the highest level of privileges in the system. Mobile operator EE later acknowledged the issue and rolled out a firmware patch to address it. By exploiting a previously disclosed vulnerability revealed in the CIA Vault 7 leaks, attackers compromised more than 210,000 routers from the Latvian network hardware provider MikroTik across the world, with the number still increasing mikrotik , mikrotik1 . With the continuing growth of IoT devices, it is essential to update these devices securely, patching their vulnerabilities and protecting the safety of the involved users.
Traditional software updates are mainly based on the client-server architecture shown in Figure 1, which creates a single point of failure that denial of service (DoS) attacks can target. Delivering secure and reliable updates has therefore become a challenging issue for vendors.
Building on the concept of decentralization, blockchain technology may provide a solution for IoT khan . A blockchain is a hash-based data structure: a linked list of blocks chained together by hash pointers. Each block stores the transactions of the peer-to-peer network. Some nodes, known as miners, run a consensus algorithm such as proof of work (PoW) Nakamoto to mine and generate new blocks. Bitcoin-style blockchains employ elliptic curve cryptography (ECDSA) and the SHA-256 hash function to provide data authentication and integrity. As a publicly verifiable ledger, the blockchain holds the full history of transactions and provides globally distributed trust. Blockchain technology has been widely applied to healthcare elb , IoT su , zhao , financial transactions and2014a - chiesa2016 , etc. There are several blockchain-based solutions for IoT software and/or firmware updates. Several papers Du1 ; Du2 ; Du3 ; Du4 ; Du5 ; Du6 ; Du7 ; Du8 ; Du9 have studied related security issues.
Related Work. Lee and Lee lee proposed a secure firmware update scheme for embedded devices in IoT environments. They perform firmware checking and validation using a blockchain with a new block structure, and use BitTorrent as the firmware sharing network for downloads, to enhance the availability and integrity of updates. Boudguiga et al. boudguiga used blockchain technology to ensure the availability and innocuousness of software updates; they add trusted innocuousness nodes that check the integrity of updates, and only approved updates can be downloaded. Yohan et al. yohan proposed a firmware update framework built on PUSH-based firmware updates, using smart contracts and the consensus mechanism of the blockchain to preserve the integrity of updates. Recently, Leiba et al. leiba proposed a decentralized incentivized delivery network for IoT software updates: the participating nodes of the delivery network deliver updates to IoT devices and receive a financial incentive from the vendors. However, none of these mechanisms protects the privacy of the involved users during the update process. In certain circumstances, when a consumer buys an IoT device, his personal information can be automatically linked to the device. In a vehicular system, for instance, an on-board unit (OBU) embedded in the vehicle acts as a sensing-layer node that communicates with the roadside infrastructure and with peer vehicles. Leakage of the user information linked to such devices leads to privacy threats.
Contributions. In this paper, we propose a new blockchain based privacy-preserving IoT software updates protocol. It not only protects the privacy of the updated IoT devices, but also delivers secure and reliable updates with an incentive mechanism. The proposed protocol combines blockchain, smart contracts, double authentication preventing signatures (DAPS) and outsourced attribute-based signatures (OABS) to deliver secure and reliable updates. The vendor publishes updates through a smart contract that pays a financial incentive to the transmission node that provides a proof-of-delivery showing that a single update was delivered to an IoT device. A transmission node obtains the proof-of-delivery through a fair exchange built on DAPS: it exchanges a DAPS for an OABS of the IoT device, and then submits the OABS as the proof-of-delivery to receive the financial incentive. The main contributions of the proposed protocol are as follows:
We propose a new concrete OABS scheme and prove its existential unforgeability under chosen message attacks.
We give the system model and system components of a blockchain-based privacy-preserving IoT software updates protocol.
We propose a concrete blockchain-based privacy-preserving IoT software updates protocol by integrating blockchain, smart contracts, DAPS and our proposed OABS; it satisfies anonymity, proof-of-delivery unforgeability, fairness, authentication and integrity.
We analyze the security requirements of a blockchain-based privacy-preserving IoT software updates protocol and provide a security analysis of the proposed protocol.
We implement the smart contract of the proposed blockchain-based privacy-preserving IoT software updates protocol to demonstrate the validity of the proposed protocol.
The remainder of this paper is organized as follows. The model of the blockchain based privacy-preserving software updates protocol is given in Section 2. The building blocks are introduced in Section 3. The details of the blockchain based privacy-preserving software updates protocol, its security analysis and its evaluation are described in Sections 4 and 5. Finally, we conclude the paper in Section 6.
2 Blockchain based privacy-preserving software updates model
In this section, we introduce the blockchain based privacy-preserving software updates model and the relevant security requirements.
2.1 Blockchain based privacy-preserving software update model
As shown in Figure 2, there are four participants: vendors, transmission nodes, IoT gateways and IoT devices.
Vendors: In the blockchain network, the vendor, as the provider of IoT devices, publishes secure and reliable updates. It deploys a smart contract to the blockchain network to provide a financial incentive to the transmission node that delivers a single update to IoT devices. It also acts as a miner and verifies all transactions in the blockchain network. A set of vendors is denoted as , where .
Transmission nodes: The transmission node, acting as a broker or service provider, competitively finds targets and delivers updates to IoT devices to obtain the financial incentive. It acts as a miner to maintain the blockchain network. The set of transmission nodes is denoted by , where .
IoT gateways: The IoT gateway, acting as a routing node such as a WiFi router, connects the IoT devices and relays updates to them. It assists the IoT devices with updating and computation. A set of IoT gateways is denoted as , where .
IoT devices: IoT devices are physical devices such as embedded devices and smartphones. The IoT devices connected to an IoT gateway are denoted as a set , where .
Definition 1. (Blockchain based privacy-preserving software updates model). The model consists of a tuple (, , , , , , , , ) of polynomial-time algorithms, defined as follows:
: This algorithm takes a security parameter as input and it outputs the public parameters .
: This algorithm takes as input and it outputs a public key and a secret key .
: This algorithm takes and public key as input and it outputs a register list .
: This algorithm takes , and as input and it outputs the transaction .
: This algorithm takes and as input and it outputs a bit .
: This algorithm takes and as input and it outputs a bit .
: This algorithm takes and as input and it outputs a signature .
: This algorithm takes and as input and it outputs a signature .
: This algorithm takes and as input and it generates a signature . Then, it outputs a transaction .
2.2 Security requirements
The blockchain based privacy-preserving software updates model should satisfy the following security requirements.
Completeness: If the protocol is properly executed at all epochs, then an honest transmission node obtains the financial incentive and an honest vendor distributes the update to its IoT devices.
Anonymity: The protocol protects the privacy of the IoT devices. An IoT device executes the update protocol without revealing the real identity of its user.
Proof-of-delivery unforgeability: A transmission node cannot claim possession of a proof-of-delivery that it has not been given by an IoT device.
Fairness: At the end of the protocol, either the transmission node obtains the financial incentive and the vendor's update is delivered to the IoT device, or neither party gets anything.
Authentication and integrity: A new version of an update must carry a valid signature of the vendor, which guarantees the authentication and integrity of the update.
3 Building blocks
In this section, we review the smart contract and the cryptography algorithms used in the protocol.
3.1 Smart contract
3.2 Double authentication preventing signatures
In 2014, Poettering and Stebila poe1 , poe proposed the concept of double authentication preventing signatures (DAPS): a signer who signs two different payloads under the same address (subject) leaks its secret key. Their construction is in the factoring-based setting and is intended to deter compelled certificate creation. Later, Ruffing et al. ruffing gave a construction of DAPS in the discrete logarithm setting, based on Merkle trees and chameleon hash functions, and used it to penalize the double spending of transactions. We adopt DAPS in the blockchain based privacy-preserving software updates protocol to realize fair exchange. We use the practical instantiation of DAPS in the discrete logarithm setting of derler ; let denote this DAPS scheme. It is existentially unforgeable under chosen message attacks in the random oracle model derler . As a building block, it can be replaced by another double authentication preventing signature, such as the post-quantum instantiation derler1 that resists quantum attacks.
3.3 Outsourced Attribute-based Signatures
The concept of ABS was introduced by Maji et al. maji , maji1 . In an ABS, a signer signs a message with respect to a predicate satisfied by its attributes, without revealing the signer's identity. ABS mainly applies to fine-grained access control such as anonymous authentication systems. To reduce bandwidth and computational overhead on the signer side, Chen et al. chen proposed outsourced ABS (OABS), in which a signing-cloud service provider (S-CSP) assists the signer with the computation. An OABS scheme consists of five polynomial-time algorithms: , .
OABS.Setup: This algorithm takes security parameter and the attribute universe as inputs. It outputs the public parameter and the master key .
OABS.KeyGen: This algorithm takes the public parameter , the master key and an access structure as input and it outputs the outsourcing key and the signing key .
This algorithm takes the outsourcing key and the authorized signing attribute set as input and it outputs the outsourced signature .
OABS.Sign: This algorithm takes a message , the signing key and the outsourced signature as input and outputs a signature .
OABS.Ver: This algorithm takes the message , the signature and the attribute set as inputs and it outputs a bit .
4 Blockchain based privacy-preserving IoT software updates protocol
The privacy-preserving IoT software updates protocol works as follows. The vendor, as a provider of IoT devices, initializes the system parameters. It maintains a list of its IoT devices and burns each device's secret key into the device at manufacturing time. A transmission node registers with the vendor in order to deliver updates to IoT devices and obtain the financial incentive. The vendor then publishes updates through a smart contract, committing to pay the financial incentive to any transmission node that provides a proof-of-delivery. The transmission node queries and downloads the update, which is encrypted under the transmission node's public key, and sends a notification to the IoT gateways. The IoT gateway checks its connected IoT devices to match the update. The transmission node sends the ciphertext of the update together with a DAPS to the IoT gateway, which verifies the DAPS and forwards the ciphertext to the IoT device. The IoT device generates an OABS for the transmission node. On receiving the OABS, the transmission node generates a second DAPS and posts the DAPS and the OABS to the blockchain network as its proof-of-delivery to receive the incentive. The IoT gateway then extracts the transmission node's secret key for the corresponding public key using the extract algorithm of DAPS, and sends it to the IoT device, which decrypts the ciphertext of the update. We assume the IoT gateway is honest towards the IoT device and does not collude with the transmission node. In the blockchain network, each entity has an ECDSA key pair , where denotes the ECDSA signature on message .
4.2 The details of protocol
Figure 3 sketches the privacy-preserving IoT software update protocol.
Our OABS scheme is based on the ABS scheme of Rao and Dutta rao . For the computational -Diffie-Hellman exponent problem, access structures and linear secret sharing schemes, we refer to rao , waters . We adopt the ElGamal elgamal public key encryption algorithm to encrypt data ( denotes the ElGamal encryption algorithm and denotes the ElGamal decryption algorithm on data ). The concrete construction of the protocol is as follows.
: The vendor runs OABS.Setup: it takes a security parameter as input and outputs the bilinear pairing , where are cyclic multiplicative groups of order . Let be the message space. The attribute universe is and there is one default attribute . Let be the maximum size of an attribute set. It selects , a generator , and sets . is a collision resistant hash function. Then it picks . The master key is . Finally, it calls DAPS.Setup to generate the common reference string .
: The vendor generates an ECDSA key pair . Then, it runs OABS.KeyGen to generate the secret key of the IoT devices for LSSS access structures . Each row of the matrix of size is associated with an attribute . Then, it randomly chooses such that and computes the sharing , where is the th row of and the such that is
length vector. For each, the vendor chooses and computes ,,. For default attribute , the vendor chooses and computes , , . Finally, the vendor returns the outsourcing key , and the private key of IoT device . Then, it burns and into the manufactured IoT device. The transmission node calls DAPS.Kgen to generate its key pair , as well as generates an ECDSA key pair and the IoT gateway generates an ECDSA key pair .
: The transmission node registers with the vendor and it sends to the vendor. Then the vendor maintains a list which records the public key of the transmission node. The IoT device sends to the IoT gateway and the IoT gateway maintains a list which records the public key .
: The vendor generates an update denoted as and sets . It publishes a smart contract to the blockchain network to provide the financial incentive to transmission nodes. Table 1 gives the pseudocode of the smart contract. The vendor sets the limitation time as the time epoch.
Table 1: The pseudocode of the smart contract

contract ProofOfDelivery
    function ProofOfDelivery(v, t, , n, W, L, x)
        owner := v
        limitationTime := t
        update :=
        publicKeyList := L
        attributeSet := W
        counterUpdatedDevice := n - 1
        incentive := x
        balance := value            (the ether deposited with the contract)

    function FinancialIncentive(OABS.Sign, DAPS.Sign, , )
        assert current time <= limitationTime
        if OABS.Ver(attributeSet, OABS.Sign, update)
            if DAPS.Ver(, DAPS.Sign)
                transfer(balance - incentive * counterUpdatedDevice, )
                counterUpdatedDevice := counterUpdatedDevice - 1

    function Withdraw()
        assert current time > limitationTime
        transfer(balance, owner)
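The escrow logic of Table 1, as an added Python model written for this page (it is not the paper's Solidity contract). OABS.Ver and DAPS.Ver are injected as callables, because Ethereum offers no precompile for either (Section 5.2 makes the same point), so the model only exercises the deadline, the payout arithmetic and the withdraw path. The three guards marked "added" (registered nodes only, one payout per proof, owner-only withdraw) are checks this example adds that Table 1 does not contain; the field names and the scenario data in demo() are constructed.

```python
"""Off-chain model of the ProofOfDelivery contract sketched in Table 1.

Added example, not the paper's Solidity. Ethereum has no precompile for
OABS.Ver or DAPS.Ver (Section 5.2), so both are injected as callables.
Names, the extra guards and the scenario data are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple


@dataclass
class ProofOfDelivery:
    owner: str                       # v, the vendor
    limitation_time: int             # t, deadline (block timestamp)
    update: bytes                    # the published update (or its hash)
    public_key_list: Set[str]        # L, registered transmission nodes
    attribute_set: frozenset         # W, attributes the OABS must satisfy
    n: int                           # number of devices to update
    incentive: int                   # x, payout per delivered update (wei)
    balance: int                     # value deposited by the vendor (wei)
    oabs_ver: Callable[[frozenset, bytes, bytes], bool]
    daps_ver: Callable[[str, bytes], bool]
    counter_updated_device: int = field(init=False)
    paid: Dict[str, int] = field(default_factory=dict)
    redeemed: Set[Tuple[bytes, bytes]] = field(default_factory=set)  # added guard

    def __post_init__(self):
        if self.balance != self.n * self.incentive:
            raise ValueError("vendor must deposit exactly n * x")
        self.counter_updated_device = self.n - 1          # Table 1: n - 1

    def financial_incentive(self, now, node, oabs_sig, daps_sig):
        """Pay `node` for one proof-of-delivery; returns the amount paid (0 if rejected)."""
        if now > self.limitation_time:
            raise ValueError("deadline passed")
        if node not in self.public_key_list:              # added: only registered nodes
            raise ValueError("unregistered transmission node")
        if (oabs_sig, daps_sig) in self.redeemed:         # added: one payout per proof
            raise ValueError("proof already redeemed")
        if not self.oabs_ver(self.attribute_set, oabs_sig, self.update):
            return 0
        if not self.daps_ver(node, daps_sig):
            return 0
        # Table 1 pays balance - x * counter; with balance == n * x that is exactly x.
        amount = self.balance - self.incentive * self.counter_updated_device
        if amount <= 0 or amount > self.balance:          # all n devices already paid
            raise ValueError("no incentive left")
        self.balance -= amount
        self.paid[node] = self.paid.get(node, 0) + amount
        self.counter_updated_device -= 1
        self.redeemed.add((oabs_sig, daps_sig))
        return amount

    def withdraw(self, now, caller):
        """After the deadline the vendor reclaims whatever was not paid out."""
        if caller != self.owner:                          # added: owner only
            raise ValueError("not the owner")
        if now <= self.limitation_time:
            raise ValueError("deadline not reached")
        refund, self.balance = self.balance, 0
        return refund


def demo():
    """Constructed scenario: two devices, one delivery claimed before the deadline."""
    c = ProofOfDelivery(
        owner="vendor", limitation_time=1000, update=b"fw-1.2",
        public_key_list={"nodeA"}, attribute_set=frozenset({"model:X"}),
        n=2, incentive=10, balance=20,
        oabs_ver=lambda attrs, sig, upd: sig.startswith(b"oabs:"),  # stand-in verifier
        daps_ver=lambda node, sig: sig.startswith(b"daps:"),        # stand-in verifier
    )
    paid = c.financial_incentive(500, "nodeA", b"oabs:dev1", b"daps:1")
    refund = c.withdraw(1001, "vendor")
    return paid, refund, c.counter_updated_device          # (10, 10, 0)
```

The payout expression mirrors Table 1: with the vendor depositing exactly n·x and the counter starting at n-1, every accepted proof pays x, and the (n+1)-th claim fails because the remaining balance is zero. The replay guard matters in practice: without it, the same (OABS, DAPS) pair could be resubmitted until the escrow is drained, since nothing in the verification itself ties a proof to a single payout.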
: The transmission node queries the binary files of the update and the vendor responds with the corresponding data. The vendor encrypts the update with to generate and . Then it sends to the transmission node. The transmission node verifies the signature and stores the encrypted update .
: The transmission node sends a notification of the new update to the IoT gateway. The IoT gateway then checks its connected IoT devices and requests the update by sending a random message to the transmission node.
: The transmission node calls DAPS.Sign to generate a signature on . It sends to the IoT gateway. The IoT gateway calls DAPS.Ver to verify the signature and forwards to the IoT device.
: The IoT device verifies the signature . Then it generates an OABS for the transmission node. First, it sends the outsourcing key to the IoT gateway and requests a partial signature. The IoT gateway runs with the outsourcing key as follows.
It obtains , where such that . Then, computes the coefficients of the polynomial below.
Set . It picks and computes
Then it outputs the partial signature to the IoT device. After receiving the partial signature , the IoT device uses to run the OABS.Sign algorithm. First, it computes and . It chooses and computes . Then the IoT device computes the coefficients of the polynomial as in the outsourced signing algorithm. It computes . Finally, it outputs the signature . The IoT device then sends to the transmission node.
: The transmission node runs the OABS.Ver algorithm. It computes the coefficients of the polynomial as in the outsourced signing algorithm and computes . It verifies the equation
Then the transmission node calls DAPS.Sign to generate a new DAPS . It calls the smart contract, which produces the transaction . Once the transaction is included in the blockchain, the IoT gateway uses and to extract the secret key corresponding to the public key and sends to the IoT device. The IoT device then uses to decrypt the ciphertext and obtain the update .
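The exchange of steps 4 to 9, as an added example written for this page (it is neither the paper's code nor the DAPS construction of derler ). It runs a toy ECDSA-style DAPS on secp256k1 together with hashed ElGamal in the same group; the curve, the nonce derivation k = H(sk, address), the payload labels "offer" and "proof-of-delivery", and the sample update are this example's assumptions. It shows the mechanism the fair exchange depends on: the first DAPS on the gateway's random message reveals nothing, but the second DAPS on the same message, which the transmission node must post to claim the incentive, lets the gateway run DAPS.Ext, recover the node's secret key and decrypt the update for the IoT device.

```python
"""Fair-exchange core of Section 4: hashed ElGamal plus an ECDSA-style DAPS.

Added example, not the paper's code. secp256k1 is an assumed group (the paper
fixes none); the nonce derivation and the payload labels are assumptions.
"""
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, p):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p = ec_add(p, p)
        k >>= 1
    return r

def h_int(*parts):
    """SHA-256 over the concatenated parts, reduced mod N."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)

# DAPS in the spirit of the ECDSA-based scheme of Derler et al.: the nonce depends
# only on (sk, address), so two signatures on one address with different payloads
# share r, and DAPS.Ext recovers sk from them (standard ECDSA nonce-reuse algebra).
def daps_sign(sk, address, payload):
    k = h_int(sk.to_bytes(32, "big"), address)
    r = ec_mul(k, G)[0] % N
    e = h_int(address, payload)
    s = pow(k, -1, N) * (e + r * sk) % N
    return r, s

def daps_verify(pk, address, payload, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    e = h_int(address, payload)
    point = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, pk))
    return point is not None and point[0] % N == r

def daps_extract(address, payload1, sig1, payload2, sig2):
    """DAPS.Ext: same address, two distinct payloads -> the signer's secret key."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or payload1 == payload2 or s1 == s2:
        return None                       # not a double authentication: nothing leaks
    e1, e2 = h_int(address, payload1), h_int(address, payload2)
    k = (e1 - e2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - e1) * pow(r1, -1, N) % N

# Hashed ElGamal on the same group: the ciphertext only opens with the DAPS secret key.
def keystream(shared_x, length):
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(shared_x.to_bytes(32, "big") + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def elgamal_encrypt(pk, update):
    y = secrets.randbelow(N - 1) + 1
    shared = ec_mul(y, pk)
    return ec_mul(y, G), bytes(a ^ b for a, b in zip(update, keystream(shared[0], len(update))))

def elgamal_decrypt(sk, ct):
    c1, c2 = ct
    shared = ec_mul(sk, c1)
    return bytes(a ^ b for a, b in zip(c2, keystream(shared[0], len(c2))))

def run_exchange(update=b"firmware v1.2 (constructed sample)"):
    """Steps 4 to 9 of the protocol; returns (key recovered?, update decrypted?)."""
    sk_t, pk_t = keygen()                              # transmission node's DAPS key pair
    ct = elgamal_encrypt(pk_t, update)                 # vendor: Enc under pk_T
    m = secrets.token_bytes(16)                        # gateway's random message = DAPS address
    sig1 = daps_sign(sk_t, m, b"offer")                # first DAPS, sent with the ciphertext
    assert daps_verify(pk_t, m, b"offer", sig1)        # gateway runs DAPS.Ver
    # ... the IoT device answers with its OABS; to claim the incentive the node signs m again ...
    sig2 = daps_sign(sk_t, m, b"proof-of-delivery")    # second DAPS, posted to the chain
    sk_ext = daps_extract(m, b"offer", sig1, b"proof-of-delivery", sig2)  # gateway: DAPS.Ext
    return sk_ext == sk_t, elgamal_decrypt(sk_ext, ct) == update
```

Note the guards in daps_extract: a single signature, or two signatures on different addresses (different r), yield no key, which is what keeps the transmission node's key safe until it chooses to double-sign. This is also why the gateway must not collude with the transmission node: once it holds the extracted key it can decrypt every update ever encrypted under that node's public key.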
5 Security and implementation
In this section, we analyze the security of the blockchain based privacy-preserving IoT software update protocol, then report the performance of the protocol.
5.1 Security analysis
The security of the proposed protocol is guaranteed by the following lemmas.
Lemma 1. The proposed blockchain based privacy-preserving IoT software updates protocol satisfies completeness.
Proof. Suppose the protocol is properly executed at all epochs. The vendor initializes the system parameters and publishes a smart contract to the blockchain network for a new update. An honest transmission node obtains the financial incentive by publishing a proof-of-delivery to the blockchain. By the proof-of-delivery, the honest vendor can be sure that the update has been distributed to its IoT devices, and an honest IoT device obtains the update. In the OABS scheme, for the attribute , hence . We have . The same holds for the default attribute . Since , we have . Now
If and are valid DAPS, the IoT gateway can extract the secret key corresponding to the public key by running the DAPS.Ext algorithm. It then sends the secret key to the IoT device, which decrypts the ciphertexts and obtains the update by .
Lemma 2. The proposed blockchain based privacy-preserving software update protocol satisfies anonymity.
Proof. In the blockchain based privacy-preserving software update protocol, the anonymity of the IoT device is derived from the OABS scheme. Here, we prove that the OABS scheme satisfies signer privacy. For an OABS signature on message with attribute set , the signature has the form , where
Let , where The . is a random generator of and are public parameters. The is master key, are random exponents and is the coefficients of the polynomial. Thus, the distribution of OABS is independent of the signing key, so the OABS scheme satisfies signer privacy.
Lemma 3. The proposed blockchain based privacy-preserving software update protocol satisfies proof-of-delivery unforgeability.
Proof. In the protocol, proof-of-delivery unforgeability is derived from the OABS scheme. We prove that the OABS scheme is existentially unforgeable under selective-attribute and chosen message attacks. The proof follows that of the ABS scheme of Rao and Dutta rao ; we give the description in Appendix A.
Lemma 4. The proposed blockchain based privacy-preserving software update protocol satisfies fairness.
Proof. First, consider a malicious vendor and a malicious IoT device: the vendor wants its update distributed to the IoT device without paying, and the IoT device wants the update data without providing an OABS. Following the protocol, the vendor encrypts the update with to generate and , and sends to the transmission node. The transmission node delivers the ciphertext to the IoT device. Without the OABS of the IoT device, the transmission node never submits its second DAPS to the blockchain, so the IoT device cannot obtain the secret key needed to decrypt the ciphertext. Only once the IoT device sends its OABS to the transmission node does it obtain the secret key . The transmission node then posts the DAPS and the OABS as proof-of-delivery to the blockchain and obtains the financial incentive from the vendor. This contradicts the assumption that the vendor distributes the update without payment and that the IoT device obtains the update without providing an OABS. Thus, the success probability of a malicious vendor and IoT device is negligible.
The other case is a malicious transmission node with an honest vendor and an honest IoT device. The transmission node would like to be paid without submitting the DAPS. According to the smart contract, the miners cannot verify the transaction without the DAPS, so the transmission node is unable to obtain the financial incentive. After the limitation time , the vendor can withdraw the payment. Hence a malicious transmission node reaches a contradiction, and its success probability is negligible. Therefore, the proposed blockchain based privacy-preserving software update protocol achieves fairness.
Lemma 5. The proposed blockchain based privacy-preserving software update protocol satisfies authentication and integrity.
Proof. A new update of the vendor includes a valid ECDSA signature of the vendor under . The unforgeability of ECDSA guarantees the authentication and integrity of the update.
5.2 Performance evaluation.
In this section, we implement our protocol to evaluate its performance. The smart contract is written in Solidity and runs on Ethereum. Since Ethereum does not provide an application programming interface (API) for OABS and DAPS, we quantify the computation cost of the cryptographic algorithms and the gas cost of the smart contract separately. We run the cryptographic algorithms with the MIRACL library (https://certivox.org/display/EXT/MIRACL), selecting a CP elliptic curve at the AES-80 security level. The experimental platform is a Dell machine running Windows 7 with an Intel(R) Core(TM) i5-2450M CPU at 2.50 GHz and 4.00 GB RAM. The average time cost of the cryptographic algorithms over 1000 runs is shown in Table 2.
Since the dominant computation of the IoT device is the OABS signature, we evaluate the time cost of the OABS signing algorithm. When an IoT device owns 50 attributes, the time cost is almost 155 ms. In the protocol, the total time cost for an IoT device is 168 ms, including the OABS.Sign, ECDSA.Sign and ElGamal.Dec algorithms. This is an acceptable result for a resource-limited device.
We implement the smart contract in Solidity with Web3j and deploy it to run the different functions of the blockchain based privacy-preserving software updates protocol. Deploying and running the smart contract needs a small amount of ether; the gas cost estimates are given in Table 3.
Function | Transaction Gas | Execute Gas | Gas cost (ether)
6 Conclusion
We have described a new blockchain based privacy-preserving IoT software update protocol with proof-of-delivery, which combines blockchain, smart contracts, double authentication preventing signatures (DAPS) and outsourced attribute-based signatures (OABS) to deliver secure and reliable updates. It protects the privacy of IoT devices and delivers secure and reliable updates with an incentive mechanism. In this protocol, the vendor delivers updates to its IoT devices by means of a smart contract, and a transmission node obtains the financial incentive by providing a proof-of-delivery. We implemented the smart contract in Solidity to demonstrate the validity of the proposed blockchain based privacy-preserving software update protocol.
Acknowledgement: This work was supported by National Key R&D Program of China (2017YFB0802000), National Natural Science Foundation of China (61872229, 61802239), National Cryptography Development Fund during the 13th Five-year Plan Period (MMJJ20170216), Fundamental Research Funds for the Central Universities(GK201702004, GK201803061, 2018CBLY006) and China Postdoctoral Science Foundation (2018M631121).
- (1) http://www.gartner.com/newsroom/id/3598917.
- (2) http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html
- (3) https://thehackernews.com/2018/08/mikrotik-router-hacking.html
- (4) https://thehackernews.com/2018/09/mikrotik-router-hacking.html
- (5) Khan M A, Salah K. IoT security: review, blockchain solutions, and open challenges[J]. Future Generation Computer Systems, 2018, 82: 395-411.
- (6) Nakamoto S. Bitcoin: A peer-to-peer electronic cash system[J]. 2008.
- (7) Ekblaw A, Azaria A. MedRec: medical data management on the blockchain[J]. Viral Communications, 2016.
- (8) Cha S C, Chen J F, Su C, et al. A blockchain connected gateway for BLE-based devices in the internet of things[J]. IEEE Access, 2018, 6: 24639-24649.
- (9) Zhao Y, Li Y, Mu Q, et al. Secure pub-sub: blockchain-based fair payment with reputation for reliable cyber physical systems[J]. IEEE Access, 2018, 6: 12295-12303.
- (10) Andrychowicz M, Dziembowski S, Malinowski D, et al., Secure multiparty computations on bitcoin. Security and Privacy (SP), 2014 IEEE Symposium on. IEEE, 2014: 443-458.
- (11) Andrychowicz M, Dziembowski S, Malinowski D, et al., Fair two-party computations via bitcoin deposits. In: International Conference on Financial Cryptography and Data Security. Springer, 2014: 105-121.
- (12) Chiesa A, Green M, Liu J, et al. Decentralized anonymous micropayments[C]. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Cham, 2017: 609-642.
- (13) Y. Xiao, et al., Internet Protocol Television (IPTV): the Killer Application for the Next Generation Internet, IEEE Communications Magazine, Vol. 45, No. 11, pp. 126-134, Nov. 2007.
- (14) X. Du and H. H. Chen, Security in Wireless Sensor Networks, IEEE Wireless Communications Magazine, Vol. 15, Issue 4, pp. 60-66, Aug. 2008.
- (15) X. Du, M. Guizani, Y. Xiao and H. H. Chen, A Routing-Driven Elliptic Curve Cryptography based Key Management Scheme for Heterogeneous Sensor Networks, IEEE Transactions on Wireless Communications, Vol. 8, No. 3, pp. 1223-1229, March 2009.
- (16) Y. Xiao, et al., A Survey of Key Management Schemes in Wireless Sensor Networks, Journal of Computer Communications, Vol. 30, Issue 11-12, pp. 2314-2341, Sept. 2007.
- (17) X. Du, Y. Xiao, M. Guizani, and H. H. Chen, An Effective Key Management Scheme for Heterogeneous Sensor Networks, Ad Hoc Networks, Elsevier, Vol. 5, Issue 1, pp. 24-34, Jan. 2007.
- (18) X. Du and F. Lin, Designing efficient routing protocol for heterogeneous sensor networks, Conference Proceedings of the 2005 IEEE International Performance, Computing and Communications Conference(PCCC), Phoenix, AZ, USA, pp. 51-58.
- (19) X. Du and D. Wu, Adaptive Cell-Relay Routing Protocol for Mobile Ad Hoc Networks, IEEE Transactions on Vehicular Technology, Vol. 55, Issue 1, pp. 270-277, Jan. 2006.
- (20) X. Du, QoS Routing Based on Multi-Class Nodes for Mobile Ad Hoc Networks, Ad Hoc Networks, Elsevier, Vol. 2, Issue 3, pp. 241-254, July 2004.
- (21) D. Mandala, F. Dai, X. Du, and C. You, Load Balance and Energy Efficient Data Gathering in Wireless Sensor Networks, MASS 2006, Vancouver, BC, Canada, 586-591.
- (22) Lee B, Lee J H. Blockchain-based secure firmware update for embedded devices in an Internet of Things environment[J]. The Journal of Supercomputing, 2017, 73(3): 1152-1167.
- (23) Boudguiga A, Bouzerna N, Granboulan L, et al. Towards better availability and accountability for iot updates by means of a blockchain[C]. In: Security and Privacy Workshops (EuroS&PW), 2017 IEEE European Symposium on. IEEE, 2017: 50-58.
- (24) Yohan A, Lo N W, Achawapong S. Blockchain-based firmware update framework for internet-of-things environment. https://csce.ucmss.com/cr/books/2018/LFS/CSREA2018/IKE9004.pdf.
- (25) Leiba O, Yitzchak Y, Bitton R, et al. Incentivized delivery network of ioT software updates based on trustless proof-of-distribution[J]. arXiv preprint arXiv:1805.04282, 2018.
- (26) https://en.wikipedia.org/wiki/Smart_contract
- (27) http://www.fon.hum.uva.nl/rob/Courses/InformationInSpeech/CDROM/Literature/LOTwinterschool2006/szabo.best.vwh.net/smart.contracts.html
- (28) Wood G. Ethereum: A secure decentralised generalised transaction ledger[J]. Ethereum Project Yellow Paper, 2014, 151.
- (29) Poettering B and Stebila D. Double-authentication-preventing signatures[C]. In: ESORICS 2014, Part I, volume 8712, pages 436-453. Springer, Berlin, Heidelberg, 2014.
- (30) Poettering B, Stebila D. Double-authentication-preventing signatures[J]. International Journal of Information Security, 2017, 16(1): 1-22.
- (31) Ruffing T, Kate A, Schröder D. Liar, liar, coins on fire!: Penalizing equivocation by loss of bitcoins[C]. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015: 219-230.
- (32) Derler D, Ramacher S, Slamanig D. Short double- and N-times-authentication-preventing signatures from ECDSA and more[R]. Cryptology ePrint Archive, Report 2017/1203, 2017.
- (33) Derler D, Ramacher S, Slamanig D. Generic double-authentication preventing signatures and a post-quantum instantiation[R]. Cryptology ePrint Archive, Report 2018/790, 2018. https://eprint.iacr.org/2018/790.pdf
- (34) Maji H K, Prabhakaran M, Rosulek M. Attribute-based signatures: achieving attribute-privacy and collusion-resistance[J]. IACR Cryptology ePrint Archive, 2008, 2008: 328.
- (35) Maji H K, Prabhakaran M, Rosulek M. Attribute-based signatures[C]. In: Cryptographers Track at the RSA Conference. Springer, Berlin, Heidelberg, 2011: 376-392.
- (36) Chen X, Li J, Huang X, et al. Secure outsourced attribute-based signatures[J]. IEEE Transactions on Parallel and Distributed Systems, 2014, 25(12): 3285-3294.
- (37) Rao Y S, Dutta R. Efficient attribute-based signature and signcryption realizing expressive access structures[J]. International Journal of Information Security, 2016, 15(1): 81-109.
- (38) ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. In: CRYPTO 1984. LNCS, vol. 196, pp. 10-18.
- (39) Waters B. Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization, Public Key Cryptography, pp.53-70, 2011.
Appendix A Unforgeability
Theorem 1. (Unforgeability) Assume the problem is hard in . Then our OABS scheme is -EUF-sAtt-CMA secure.
Proof. Suppose an adversary can break the -EUF-sAtt-CMA security of our scheme. Then there exists a simulator that solves the problem with non-negligible probability by using 's forgery.
The simulator is given an instance of the hard problem: the parameters and , , where and is a generator of . Let and denote .
Init. The simulator specifies one default attribute and the attribute universe , where is a bound on the size of attribute set. Then, the adversary sends the challenge attribute set to .
Setup. The simulator selects a collision resistant hash function and picks . sets implicitly and sets . It picks and sets for each . Then, it computes the coefficients of the polynomial below.
selects and sets . Then prepares . It picks an integer such that . It selects , and , where ( is the number of signing queries). Then it defines for each and . Then it defines two functions and for , where and Finally, sends the public parameters to .
KeyGen Query. The adversary makes outsourcing key query and signing key query as follows.
-Outsourcing key query. Upon receiving an outsourcing key request, the simulator performs the simulation as follows. constructs the outsourcing key for the LSSS access structure with the does not satisfy . Each row of the matrix of size denoted is associated with an attribute . Since does not satisfy , there is a vector for and for , and is a length vector. selects a vector such that . Then it sets implicitly. Here . simulates the outsourcing key as follows. For each , there are two cases.
1). If , then . . picks and computes ,,.
2). If , then . , So , where . We have . picks and it sets implicitly, where . Then, it computes , , . The simulator returns the outsourcing key to the adversary .
-Sign key query. Upon receiving a signing key request, performs simulation as follows. chooses an attribute and . Then it uses to compute ,