A Novel Message Authentication Scheme With Absolute Privacy for the Internet of Things Networks

With the rapid development and massive deployment of Internet of Things (IoT) networks, security-related issues in IoT networks have received more and more attention. Among all the security concerns, message authentication is critical in preventing unauthorized messages from being transmitted in IoT networks. Many message authentication schemes have been proposed based on the public-key cryptosystem, where key management is simple and scalable. The identity based cryptosystem is a special type of public-key cryptosystem and can further ease key management, since public keys can be obtained easily. In this paper, we devise an efficient message authentication with enhanced privacy (IMAEP) scheme using the identity based signature. Our proposed scheme provides both unconditional privacy and the enhanced privacy under the full key exposure attack. It also provides existential unforgeability under the adaptive chosen-message-and-identity attack. Compared with the scheme that has the same level of anonymity and security, our proposed scheme has much lower computational overhead and provides extra unconditional privacy. We then propose an extended IMAEP (EIMAEP) scheme for general access structures, where the message is signed by a group of users instead of one user. We also conduct a comprehensive analysis and demonstrate that the EIMAEP scheme achieves the same level of privacy and unforgeability as the IMAEP scheme.


I. INTRODUCTION
Compared to the early stages of the Internet of Things, which utilized computation-limited devices and simple sensor networks [2], today's next-generation Internet of Things (IoT) networks such as those in [3] are equipped with advanced communication and computation technologies and have become more and more intelligent. These systems can automatically sense physical data and react to the physical world accordingly without any human intervention. Thus correct message exchange within the IoT networks is critical for the system to function properly [4]. Unauthorized messages must be filtered out, for instance to recognize harmful ''fake'' critical messages or to save the precious energy of sensor nodes. Message authentication plays a key role in thwarting unauthorized messages from being forwarded in IoT networks. Many authentication schemes have been proposed to provide message authenticity and integrity verification for IoT networks. These schemes can largely be divided into two categories: symmetric-key based approaches and public-key based approaches.
The associate editor coordinating the review of this manuscript and approving it for publication was Ilsun You.
For the symmetric-key based approaches [5], [6], the sender uses a shared secret key to generate a message authentication code (MAC) for the transmitted message, and the verifier checks the authenticity of the message using the same shared key. However, the key management is very complex: since each pair of sender and receiver has to share a distinct secret key, the scalability of symmetric-key based approaches is very poor as the network size grows. Moreover, only the group of participating nodes that know the secret key can verify message authenticity, so the usage of this method is limited in multi-hop networks, which are a major form of network in the Internet of Things. If even a single node in a group is compromised, the security of the symmetric-key based approach is infringed. In [7]-[9], the authors propose public-key based approaches to authenticate messages. The sender generates a digital signature for each message and transmits the message with the signature. Using the sender's public key [10], intermediate forwarders and the receiver can check the authenticity of the message. Compared with the symmetric-key based approaches, key management for the public-key based approaches is simple and clean. However, in the traditional public key cryptosystem [10], a trusted third-party agent is needed to create and distribute the public/private key pairs. In the identity based cryptosystem [11], [12], the public key of any receiver can be generated by the sender locally without contacting the trusted agent, so key management and distribution are further simplified. Thus in [1], [13]-[17] several authentication schemes built upon the identity based cryptosystem are proposed.
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/
During the authentication of messages transmitted in IoT networks, source privacy should be preserved as well. Take the remote metering system of the smart grid as an example, where meter readings are transmitted through wireless sensor networks: the household that generates specific power statistic messages should not be identifiable from these transmitted messages. There are two types of privacy in message authentication: conditional and unconditional. In conditional privacy, the true message sender can be identified by group managers or some trusted third party. Many works such as [13]-[16] study conditional privacy through pseudonym-based or group signature-based approaches. In unconditional privacy, nobody can identify the true message sender. It is a desirable feature in some application scenarios such as witness protection. In this paper, we study the ID-based ring signature problem through the identity based ring signature scheme in [17], aiming at both unconditional privacy and enhanced privacy. The major contributions of this paper are:
1) We propose an efficient message authentication with enhanced privacy (IMAEP) scheme. The scheme provides unconditional privacy as well as the enhanced privacy defined in [18] under the full key exposure attack.
2) We formally prove that the proposed IMAEP scheme achieves the claimed privacy and unforgeability against the adaptive chosen-message-and-identity attack.
3) Compared with the scheme in [1] that has the same level of anonymity and security, our proposed scheme has much lower computational overhead and provides extra unconditional privacy.
4) We propose an EIMAEP scheme for general access structures, where the message is signed by a group of users instead of one user. We demonstrate through comprehensive analysis that the EIMAEP scheme achieves the same level of privacy and unforgeability as the IMAEP scheme.
The rest of this paper is organized as follows: Section II discusses the related work. Section III presents the system settings, design goals and the cryptographic tools we use. The proposed IMAEP scheme and its security/performance analysis are presented in Sections IV and V respectively. In Sections VI and VII we propose the EIMAEP scheme for general access structures and analyze its security and applications. We conclude in Section VIII.

II. RELATED WORK
According to the cryptosystem used, message authentication schemes can be classified into symmetric-key based approaches and public-key based approaches. In the former category, symmetric cryptography is used. The authors in [5] study message authentication in wireless sensor networks, where the correctness of the MAC is checked probabilistically on each sensor node and messages with invalid MACs are dropped. In [6], the authors propose performing only the symmetric MAC operation for privacy-preserving communications in the vehicular ad-hoc networks of the Internet of Things. The advantage of symmetric-key based schemes is low computational overhead. However, when the scale of the network becomes large, managing the huge number of keys becomes infeasible.
For the latter category, public key infrastructure (PKI) based authentication is adopted. In [7], the authors propose a secure privacy-preserving framework based on group signatures for vehicular communication. In [8], the authors apply ring signatures on elliptic curves in an anonymous authentication scheme for wireless sensor networks, which achieves unconditional source privacy with low computational overhead. In [9], the authors combine pseudonyms with group signatures and propose an efficient privacy-preserving authentication scheme for the Internet of Things. In [19], the authors propose an improved lightweight authentication protocol for the Internet of Vehicles. In [20], the authors propose a four-party authentication protocol for smart vehicular communication. In [21], the authors make use of the El-Gamal cryptosystem and construct a privacy-preserving RFID authentication protocol.
Among all the public-key based approaches, the identity based cryptosystem has the distinct advantage of further simplifying key management and has been widely studied recently. In [13], the authors propose an identity based group signature scheme to provide privacy protection for users in cloud computing. In [15], the authors propose a privacy-preserving authentication scheme for vehicular sensor networks based on an identity based signature scheme that needs no pairing. In [16], the authors propose an efficient anonymous authentication scheme for the Internet of Things by leveraging both pseudonyms and identity based signatures. In [22], the authors study the privacy-aware authentication problem in mobile cloud computing environments. In [23], the authors propose an identity-based data sharing scheme that checks data integrity while preserving privacy; the scheme introduces an extra data sanitizer to sanitize users' files. In [24], the authors propose a secure file storage and sharing scheme based on identity-based authentication. In [17], the authors propose an efficient ring signature scheme using identity based cryptography and conclude that it has the property of unconditional source anonymity. However, under the full key exposure attack [18] and other similar advanced attacks, the privacy of their scheme is no longer preserved. The authors in [1] improve the work of [17] and propose a scheme that preserves privacy under such advanced attacks, but unconditional privacy is not preserved in their scheme. In this paper we propose the IMAEP and EIMAEP schemes, which have the same level of enhanced privacy as [1]. Moreover, we demonstrate that our schemes achieve unconditional privacy with much lower computational overhead.

A. SYSTEM MODEL AND ASSUMPTIONS
We assume that the wireless ad-hoc network consists of a number of users, each with a unique identity that can be used in the ID-based cryptographic operations. The network is fully connected and any two users can communicate directly or through relays of intermediate users. There is a trusted key generation center (KGC) in charge of security parameter and private key generation.
In the paper we consider the following types of attacks against the proposed schemes:
• Adversaries, who cannot get access to the private keys of the users involved in the ring signature, try to identify the true signer or signer group.
• Adversaries, who know all the private keys of the users involved in the ring signature, try to identify the true signer or signer group.
• Adversaries, who can make a polynomial number of queries to the algorithms in the proposed schemes, try to forge a valid signature which has not been queried before.

B. DESIGN GOALS
Our proposed authentication schemes aim at achieving the following goals:
• Message authentication: When receiving a message, the receiver should be able to check whether the message is sent by some user in a particular group or by a group of users. In other words, the adversaries cannot forge valid signatures, with which the fake message injected into the network will be detected.
• Message integrity: When receiving a message, the receiver should be able to check whether the message has been modified in the intermediate relay nodes by the adversaries. If the message content is modified, it will be detected.
• Hop-by-hop message authentication: When receiving a message, every intermediate relay node on the routing path should be able to check the message's authenticity and integrity.
• Identity privacy: When obtaining a message, the adversaries cannot determine the ID of the true message sender, even in the case where all the users' private keys involved in the ring signature are known by the adversaries.
• Efficiency: The authentication scheme should be efficient: it should have low computational overhead and communication overhead.

C. BILINEAR MAP
Let $q$ be a large prime, $G_1$ an additive cyclic group of order $q$ and $G_2$ a multiplicative group of order $q$. A bilinear map [12] is a map $\hat{e}: G_1 \times G_1 \to G_2$ with the following properties:
1) Bilinear: for $P, Q, R \in G_1$, $\hat{e}(P+Q, R) = \hat{e}(P,R)\,\hat{e}(Q,R)$ and $\hat{e}(P, Q+R) = \hat{e}(P,Q)\,\hat{e}(P,R)$; for $P, Q \in G_1$ and $a, b \in Z_q^*$, $\hat{e}(aP, bQ) = \hat{e}(P,Q)^{ab}$.
2) Non-degenerate: there exist $P, Q \in G_1$ such that $\hat{e}(P,Q) \neq 1$, i.e. the map does not send every pair in $G_1 \times G_1$ to the identity of $G_2$.
3) Computable: for $P, Q \in G_1$, $\hat{e}(P,Q)$ can be computed efficiently.
The Computational Diffie-Hellman problem is defined for the group $G_1$ as follows:
Definition 1 (Computational Diffie-Hellman Problem): Let $P$ be a generator of $G_1$. Given two points $aP, bP$ generated from $P$ with $a, b \in Z_q^*$, compute $abP$.
The proposed IMAEP/EIMAEP schemes are secure under the following assumption:
Definition 2 (Computational Diffie-Hellman Assumption): No polynomial-time algorithm $\mathcal{B}$ solves the Computational Diffie-Hellman problem with non-negligible probability.

D. NOTATIONS
The notations used in this paper are listed in Table 1.

IV. EFFICIENT MESSAGE AUTHENTICATION WITH ENHANCED PRIVACY (IMAEP) SCHEME
A. SCHEME FRAMEWORK
Similar to the framework defined in [1], the proposed IMAEP scheme consists of four algorithms:
1) Setup: Given a security parameter $k$ as input, the trusted key generation center (KGC) generates a set of system parameters params and a master secret key $x$. The system parameters params define a finite message space and a finite signature space and are made publicly available. The master secret key $x$ is stored privately by the KGC.
2) KeyGen: Given the master secret key $x$ and a signer's identity $ID \in \{0,1\}^*$, the KGC computes the signer's secret signing key $S_{ID}$. For the identity based signature, the participating members can compute the public key $Q_{ID}$ efficiently.
3) Sign: Let $\{ID_1, ID_2, \dots, ID_n\}$ be the identities of $n$ users in a group. To sign a message $m$, a user $s$ ($1 \le s \le n$) uses its secret signing key $S_{ID_s}$ and the group identities $\{ID_1, ID_2, \dots, ID_n\}$ to compute the corresponding ring signature $\sigma$.
4) Verify: Given a message $m$, the identities of the signer's group $\{ID_1, ID_2, \dots, ID_n\}$ and aiding information $f(x, \sigma)$ computed by the KGC, a verifier checks the validity of a ring signature $\sigma$ on the message. The verifier accepts the signature if it is valid and declines it otherwise.
The IMAEP scheme achieves message authentication for the signer $s$, while the true signer cannot be identified within the group of users: the only way to find the message sender is to pick one member of the group at random.

B. SCHEME SECURITY DEFINITION
The security of the IMAEP scheme is defined from two aspects: anonymity and unforgeability. For anonymity, we study the privacy property of the scheme; for unforgeability, we study the signature's authenticity.

1) ANONYMITY
We define anonymity using the following statement:
Definition 3 (Unconditional source anonymity): Given a message $m$ and a group of identities $\{ID_1, ID_2, \dots, ID_n\}$, if an adversary who does not belong to the group cannot identify the true signer $s$ with probability larger than $1/n$ from a valid signature $\sigma$, the signature scheme has the property of unconditional source anonymity.
In this paper we also study the enhanced privacy, which has stronger security definitions [18] than unconditional source anonymity. The enhanced privacy consists of two extensions: anonymity with regard to adversarially-chosen keys and anonymity against the full key exposure.
For the first extension, the adversary may inject ''fake'' IDs into the signer group, which decreases the number of legitimate signers in the group. These ''fake'' IDs will never be used to sign messages, so the adversary increases its probability of finding the true signer of a message. To defend against the adversarially-chosen-keys attack on anonymity, the validity of the identities in the group can be verified first to detect the ''fake'' IDs. Verification algorithms can be devised for this, but that is a research area independent of the message authentication studied in this paper. We mainly focus on the second security extension. In the full key exposure attack, adversaries can reveal all the private keys in the signing group $L$ and analyze the keys to isolate the real signer. In this attack, the adversaries obtain almost all the sensitive information and can manipulate the private keys to break the privacy.

2) UNFORGEABILITY
Similar to [17], we first define the EUF-IDRS-CMIA2 game and then the existential unforgeability under the adaptive chosen-message-and-identity attack, which is modeled by that game.
Definition 4 (The EUF-IDRS-CMIA2 game [17]): There are three phases in the game:
• Setup: A challenger C first runs the Setup algorithm in Section IV-A. It then sends the public parameters params to a polynomial-time adversary A. The hash functions used in the scheme are not sent.
Definition 5 [17]: If no adversary has a non-negligible advantage in the EUF-IDRS-CMIA2 game for an identity based message authentication scheme, we say that the scheme is existentially unforgeable against the adaptive chosen-message-and-identity attack.

C. SCHEME CONSTRUCTION
In this section, we show the construction of our proposed IMAEP scheme based on the simple signature scheme in [17]. There are four algorithms.
Setup: The KGC generates the system parameters for a given security parameter $k$:
1) Generate a large prime $q = \Omega(2^k)$, where $\Omega(\cdot)$ denotes an asymptotic lower bound. Generate $G_1$, an additive cyclic group of order $q$, and $G_2$, a multiplicative cyclic group of order $q$. Then generate a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$.
2) Let $P$ be a generator of $G_1$. Generate the master secret key, a random number $x \in Z_q^*$, and compute $P_{pub} = xP$, which is the public key of the KGC.
3) Choose two cryptographic hash functions $H(\cdot)$ and $H_0(\cdot)$, where $H(\cdot)$ maps $\{0,1\}^*$ to $G_1$ and $H_0(\cdot)$ maps $\{0,1\}^*$ to $Z_q^*$.
After these computations, the KGC makes params $= \{q, G_1, G_2, \hat{e}(\cdot,\cdot), P, P_{pub}, H(\cdot), H_0(\cdot)\}$ publicly available as the system parameters.
KeyGen: For a user with identity $ID \in \{0,1\}^*$, the KGC computes the corresponding private key $S_{ID} = xH(ID) \in G_1$ and sends it to the user through a secret channel. Other users can efficiently compute the user's public key $Q_{ID}$ from its identity.
Sign: To sign a message $m$, a user $s$ executes the following steps with its private key $S_{ID_s}$ and the public parameters params:
1) Form a signing group by choosing a set of $n$ identities $L = \{ID_1, ID_2, \dots, ID_n\}$ that includes the user $s$.
2) Compute the public keys of all the users in the group. In the following steps, $||$ denotes concatenation and $i = 1, \dots, n$, $i \neq s$.

4) Compute $U_s$ and $W$ (equations (1) and (2)), where $r_s \in Z_q^*$ and $\alpha \in Z_q^*$ are two random numbers.
5) Calculate $h_s = H_0(m||L||U_s)$ and $V$ (equation (3)).
6) Export the signature for $m$.
Verify: To check the validity of a signature $\sigma = \{U_1, \dots, U_n, V, W, L\}$ on $m$, a verifier takes the following steps:
1) Request $T_1, T_2 \in G_2$ from the KGC, which are computed by the KGC and used in the verification.
3) Check whether equation (7) holds.
4) The signature $\sigma$ is valid if equation (7) holds. In all other cases, the signature is viewed as invalid and rejected.
To show that the IMAEP scheme is correct, we have the following theorem:
Theorem 1: The IMAEP scheme is correct if a signature $\sigma$ is valid.
Proof: If a signature $\sigma$ is valid, the left hand side of equation (7) can be written as

V. SECURITY AND PERFORMANCE ANALYSIS FOR IMAEP SCHEME
A. SECURITY ANALYSIS
In this section, we analyze the security of the proposed IMAEP scheme, including unconditional source anonymity, anonymity under the full key exposure attack, and existential unforgeability under the adaptive chosen-message-and-identity attack.

1) UNCONDITIONAL SOURCE ANONYMITY
Theorem 2: The proposed IMAEP scheme can provide unconditional source anonymity.
Proof: (Sketch) At best, an adversary outside the signing group $L$ can obtain the information in (9) for each $j \in \{1, \dots, n\}$.
Since the adversary cannot obtain the values of $r_s$, $h_s$, $Q_{ID_s}$ and $\alpha$, the only way to infer the real signer is to guess, and a guess succeeds with probability $1/n$.

2) ANONYMITY AGAINST THE FULL KEY EXPOSURE ATTACK
Theorem 3: The proposed IMAEP scheme can provide anonymity against the full key exposure attack.
Proof: (Sketch) An adversary can obtain all the private keys $S_{ID_j}$ ($1 \le j \le n$) of the signing group $L$, including the real signer's private key $S_{ID_s}$. In addition to the information in (9), the adversary can obtain further information for each $j \in \{1, \dots, n\}$ and can then compute the bilinear pairings (11) and (12). The only way for the adversary to find the real signer is to compare (11) and (12):
• For $j \neq s$, (11) and (12) are obviously not equal.
• For $j = s$, equation (11) can be written as $\hat{e}(S_{ID_s}, r_s Q_{ID_s})\,\hat{e}(S_{ID_s}, \alpha P_{pub})$ and equation (12) as $\hat{e}(r_s S_{ID_s}, Q_{ID_s})\,\hat{e}(\alpha P_{pub}, Q_{ID_s})$. These are not equal because $\hat{e}(S_{ID_s}, \alpha P_{pub}) \neq \hat{e}(\alpha P_{pub}, Q_{ID_s})$.
Whether $j \neq s$ or $j = s$, equations (11) and (12) are not equal, so the adversary cannot spot the true signer.
It should be noted that the adversary could identify the real signer using the approach in the proof of Theorem 3 if $\hat{e}(S_{ID_j}, \alpha P_{pub})$ did not appear in equation (11) and $\hat{e}(\alpha P_{pub}, Q_{ID_j})$ did not appear in equation (12):
• For $j \neq s$, (11) and (12) are obviously not equal.
• For $j = s$, equation (11) would reduce to $\hat{e}(S_{ID_s}, r_s Q_{ID_s})$ and equation (12) to $\hat{e}(r_s S_{ID_s}, Q_{ID_s})$, which are equal.
This is the case for the scheme in [17], where $\alpha P_{pub}$ does not appear in $U_s$ or $V$. Introducing $\alpha P_{pub}$ in the signing algorithm ensures that the adversary cannot identify the real signer even with access to all the private keys in the signing group.
Theorem 4: For the IMAEP scheme, if an adversary has a non-negligible advantage in the EUF-IDRS-CMIA2 game, the probability of solving the Computational Diffie-Hellman problem is non-negligible.

Lemma 1 (The Forking Lemma): Let A be a Probabilistic Polynomial Time (PPT) Turing machine. If the following two conditions are met: 1) A can only access the public data and use the public data as input; 2) with non-negligible probability and within a bounded polynomial time $T$, for a message $m$
Proof: To prove the theorem, we will construct a challenger C to solve the Computational Diffie-Hellman problem with non-negligible probability, employing an adversary that has a non-negligible advantage in the EUF-IDRS-CMIA2 game (assume the probability is ε A ). The proof is completed in four steps.
Step 1. Challenger C setup: Let $P$ be a generator of $G_1$ and $(P, aP, bP)$ be the Computational Diffie-Hellman problem to be solved, where $a, b \in Z_q^*$ are randomly selected and not known to C. Assume there is an adversary A that has a non-negligible advantage in the EUF-IDRS-CMIA2 game; C answers all of A's queries in the game. Similar to the setup in [25], the KGC public key of the ring signature is defined to be $P_{pub} = aP$ and is sent to A. C maintains two lists LIST and LIST$_0$ to save the inputs and outputs of previously queried hash functions $H(\cdot)$ and $H_0(\cdot)$.
Step 2. A attacks the KGC and the signer of the IMAEP scheme emulated by the challenger C.
C answers the hash function $H(\cdot)$ queries as follows:
1) For an $ID_i$ submitted by A, C first checks LIST. If $ID_i$ exists in LIST, C returns the value $H(ID_i)$ already saved in LIST.
2) If $ID_i$ does not exist in LIST, i.e. it is queried for the first time, C generates a random number $x_i$ that does not already exist in LIST. Next C tosses a random coin $\beta_i$ with $\Pr(\beta_i = 0) = \mu$ and $\Pr(\beta_i = 1) = 1 - \mu$, where $\mu$ is determined later. If $\beta_i = 0$, C sets $H(ID_i) = x_i P$; if $\beta_i = 1$, C sets $H(ID_i) = x_i bP$. C then saves the tuple $(ID_i, x_i, \beta_i, H(ID_i))$ in LIST. In this way, C emulates the random oracle $H(\cdot)$ and keeps the hash function consistent.
C answers the hash function $H_0(\cdot)$ queries as follows:
1) Similar to the $H(\cdot)$ queries, for a query $Y_i$ submitted by A, C first checks LIST$_0$. If $Y_i$ exists in LIST$_0$, C returns the value $H_0(Y_i)$ already saved there.
2) If $Y_i$ does not exist in LIST$_0$, C generates a random number $y_i$ that does not already exist in LIST$_0$ and returns $y_i$ as the result. C then saves the pair $(Y_i, y_i)$ in LIST$_0$.
C answers the KeyGen queries as follows:
1) If the $ID_i$ submitted by A has not been queried before, C first runs the $H(\cdot)$ query to get $H(ID_i)$.
2) C looks up $(ID_i, x_i, \beta_i, H(ID_i))$ in LIST. If $\beta_i = 0$, C returns the private key $S_{ID_i} = x_i aP$. If $\beta_i = 1$, C halts and this attempt at solving the Computational Diffie-Hellman problem fails.
C answers the Sign queries as follows:
1) C randomly chooses an index $s$, $1 \le s \le n$, as the index of the signer. Unlike the standard Sign algorithm, where $\alpha \in Z_q^*$ is chosen at random, here $\alpha$ is fixed to a constant that is the same for all Sign queries.
2) If $ID_i$ has not been queried before, C first runs the $H(\cdot)$ query to get $H(ID_i)$. If $\beta_s = 1$ for $ID_s$, C halts and this attempt at solving the Computational Diffie-Hellman problem fails.
3) For the users in $L$, compute the corresponding public keys, with $i \neq s$.
4) If $m||L||U_i$ does not exist in LIST$_0$ ($||$ is the concatenation operation), C first runs the $H_0(\cdot)$ query. Next C calculates $h_i = H_0(m||L||U_i)$, where $H_0(m||L||U_i)$ is looked up from LIST$_0$.
5) Choose a random number $r_s \in Z_q^*$ and calculate $U_s$, $W$ and $V$ using steps 4) and 5) of the Sign algorithm of the IMAEP scheme in Section IV-C.
6) Return the signature $\sigma = \{U_1, \dots, U_n, V, W, L\}$.
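As an added example (not code from the paper), the following Python models the challenger C of Step 2 over a toy group: $G_1$ is taken to be the additive group $Z_q$ with generator $P = 1$, so a point $aP$ is simply the scalar $a \bmod q$. This is an assumption that makes the discrete logarithm trivial; the aim is only to show how C programs $H(\cdot)$ and $H_0(\cdot)$ with the coin $\beta_i$ and answers KeyGen queries without ever learning $a$, halting exactly when $\beta_i = 1$. The identities and the constants $a$, $b$ and $q$ are constructed.

```python
"""Toy model of the challenger C from the proof of Theorem 4 (Step 2).

Added example, not code from the paper. G1 is modelled as the additive
group Z_q with generator P = 1, so a "point" aP is the scalar a mod q
(assumption: the discrete log is trivial here; the point is only to show
how C programs the random oracles H(.) and H0(.) and answers KeyGen
queries without knowing the master key a).
"""
import random

Q_MOD = 2**31 - 1   # constructed: prime order q of the toy group Z_q (Mersenne prime)


class Abort(Exception):
    """C halts: the KeyGen query hit an identity with beta_i = 1."""


class Challenger:
    def __init__(self, aP, bP, mu, seed=0):
        # (P, aP, bP) is the CDH instance handed to C; a and b stay unknown to C.
        self.P_pub = aP % Q_MOD          # KGC public key is defined as aP
        self.bP = bP % Q_MOD
        self.mu = mu                     # Pr[beta_i = 0]
        self.rng = random.Random(seed)   # seeded so the walk-through is repeatable
        self.LIST = {}                   # ID -> (x_i, beta_i, H(ID_i))
        self.LIST0 = {}                  # Y  -> y_i
        self._used_x = set()
        self._used_y = set()

    def _fresh(self, used):
        # "a random number which does not exist in LIST": draw until unused
        while True:
            v = self.rng.randrange(1, Q_MOD)
            if v not in used:
                used.add(v)
                return v

    def H(self, ID):
        """Random oracle H(.): {0,1}* -> G1, programmed with the coin beta_i."""
        if ID in self.LIST:                       # 1) consistent answer if seen before
            return self.LIST[ID][2]
        x_i = self._fresh(self._used_x)           # 2) first query: fresh x_i, toss coin
        beta_i = 0 if self.rng.random() < self.mu else 1
        if beta_i == 0:
            h = x_i % Q_MOD                       # H(ID_i) = x_i P       (P = 1)
        else:
            h = (x_i * self.bP) % Q_MOD           # H(ID_i) = x_i bP, challenge embedded
        self.LIST[ID] = (x_i, beta_i, h)
        return h

    def H0(self, Y):
        """Random oracle H0(.): {0,1}* -> Z_q*, a lazily sampled table."""
        if Y in self.LIST0:
            return self.LIST0[Y]
        y_i = self._fresh(self._used_y)
        self.LIST0[Y] = y_i
        return y_i

    def KeyGen(self, ID):
        """Answer a KeyGen query, or abort when the key would require abP."""
        self.H(ID)                                # 1) make sure H(ID_i) is defined
        x_i, beta_i, _ = self.LIST[ID]            # 2) look the tuple up in LIST
        if beta_i == 1:
            raise Abort(f"beta = 1 for {ID}: S_ID = a * x_i bP would need abP")
        return (x_i * self.P_pub) % Q_MOD         # S_ID_i = x_i aP = a * H(ID_i)


def real_keygen(a, H_ID):
    """What the genuine KGC computes: S_ID = x H(ID) with master key x = a."""
    return (a * H_ID) % Q_MOD


def run_walkthrough(a, b, ids, mu=0.5, seed=7):
    """Query KeyGen for each ID; return {ID: (answered?, matches real KGC?)}."""
    c = Challenger(a % Q_MOD, b % Q_MOD, mu, seed)
    out = {}
    for ID in ids:
        try:
            s = c.KeyGen(ID)
            out[ID] = (True, s == real_keygen(a, c.H(ID)))
        except Abort:
            out[ID] = (False, None)
    return out


if __name__ == "__main__":
    a, b = 123456789, 987654321                   # constructed CDH secrets (unknown to C)
    ids = [f"user{i}@example.org" for i in range(8)]
    for ID, (answered, ok) in run_walkthrough(a, b, ids).items():
        status = ("answered, consistent with the real KGC" if answered and ok
                  else "answered but inconsistent" if answered
                  else "C halted (beta = 1)")
        print(ID, status)
```

Every key C does answer equals the one the real KGC would issue, so A cannot tell the simulation from the real game; the walk-through also shows how often C has to halt at the chosen $\mu$.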
Step 3. A forges a valid signature: Since we assume that A has non-negligible probability in winning the EUF-IDRS-CMIA2 game, A can produce a valid signature σ = {U 1 , . . . , U n , V , W , L} with non-negligible probability.
Step 4. C solves the Computational Diffie-Hellman problem: Assume that in the EUF-IDRS-CMIA2 game A issues $Q_K$ KeyGen queries and $Q_S$ Sign queries. If C does not halt during the KeyGen or Sign queries, C can produce a valid signature $\{U_1, \dots, U_n, h_1, \dots, h_n, V, W, L\}$ on message $m$ with non-negligible probability. If for each $ID_i$ in $L$ the corresponding $\beta_i$ in LIST equals 1, which means C does not know the private key of any $ID_i \in L$, the probability of this event is $(1-\mu)^n$. In this case, according to the Forking Lemma 1, a replay of C could produce another valid signature $\{U_1, \dots, U_n, h'_1, \dots, h'_n, V', W, L\}$ on message $m$ with non-negligible probability $\varepsilon_F$, such that $h'_j \neq h_j$ for some $j \in \{1, \dots, n\}$ and $h'_i = h_i$ for $1 \le i \le n$, $i \neq j$. Thus the conditional probability $\Pr(\text{C can produce two valid signatures} \mid \text{C can produce a valid signature})$ equals $(1-\mu)^n \varepsilon_F$. The two signatures give two verification equations; dividing one by the other, and since $\hat{e}$ is non-degenerate, C solves the Computational Diffie-Hellman problem with the probability in equation (18). When $\mu = (Q_K+Q_S)/(Q_K+Q_S+n)$, the first half of equation (18) is maximized with the value
$$\Big(\frac{Q_K+Q_S}{Q_K+Q_S+n}\Big)^{Q_K+Q_S}\Big(\frac{n}{Q_K+Q_S+n}\Big)^{n},$$
which can be further reduced to $\big(n/(e(Q_K+Q_S))\big)^n$ for large $Q_K+Q_S$, where $e$ is the base of the natural logarithm. Equation (18) can then be rewritten accordingly.
Theorem 5: The IMAEP scheme is existentially unforgeable against the adaptive chosen-message-and-identity attack.
Based on Definition 5 and Theorem 4, Theorem 5 follows directly. We can also prove the unforgeability along the following lines: according to the Forking Lemma, a polynomial-time adversary that is capable of generating a valid IMAEP signature with non-negligible probability can output two valid IMAEP signatures $\{U_1, \dots, U_n, h_1, \dots, h_n, V, W, L\}$ and $\{U_1, \dots, U_n, h'_1, \dots, h'_n, V', W, L\}$ such that $h'_i = h_i$ for $1 \le i \le n$, $i \neq j$, and $h'_j \neq h_j$. By equation (8), the adversary can then recover the private key $S_{ID_j}$, since the bilinear map $\hat{e}$ is non-degenerate. This contradicts the setting of the KeyGen algorithm in the IMAEP scheme, where the KGC sends the private key to the user through a secret channel and the user keeps it secret. Moreover, obtaining the private key $S_{ID_j}$ makes the forgery of a valid signature trivial.
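The choice of $\mu$ in Step 4, carried through as an added worked derivation that is not part of the paper. It assumes, as the stated optimum implies, that the first half of equation (18) is the factor $\mu^{Q_K+Q_S}(1-\mu)^n$: C must survive all $Q_K+Q_S$ KeyGen and Sign queries (probability $\mu$ each) and all $n$ identities in $L$ must carry $\beta_i = 1$ (probability $1-\mu$ each). Write $Q = Q_K + Q_S$.

```latex
\begin{aligned}
f(\mu) &= \mu^{Q}(1-\mu)^{n}, \qquad 0 < \mu < 1,\\[2pt]
\frac{d}{d\mu}\ln f(\mu) &= \frac{Q}{\mu} - \frac{n}{1-\mu} = 0
  \;\Longrightarrow\; \mu^{\ast} = \frac{Q}{Q+n} = \frac{Q_K+Q_S}{Q_K+Q_S+n},\\[2pt]
\frac{d^2}{d\mu^2}\ln f(\mu) &= -\frac{Q}{\mu^{2}} - \frac{n}{(1-\mu)^{2}} < 0
  \quad\text{(so } \mu^{\ast} \text{ is the maximum)},\\[2pt]
f(\mu^{\ast}) &= \Big(\frac{Q}{Q+n}\Big)^{Q}\Big(\frac{n}{Q+n}\Big)^{n}
  = \Big(1+\frac{n}{Q}\Big)^{-Q}\Big(\frac{n}{Q+n}\Big)^{n}
  \;\ge\; e^{-n}\Big(\frac{n}{Q+n}\Big)^{n},\\[2pt]
f(\mu^{\ast}) &\sim \Big(\frac{n}{e\,Q}\Big)^{n}
  = \Big(\frac{n}{e\,(Q_K+Q_S)}\Big)^{n} \qquad (Q \to \infty).
\end{aligned}
```

The inequality uses $(1+n/Q)^{Q} \le e^{n}$ for every $Q > 0$, so $e^{-n}(n/(Q+n))^n$ is a valid lower bound for any number of queries, while the paper's $(n/(e(Q_K+Q_S)))^n$ is its large-$Q$ form.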

B. PERFORMANCE ANALYSIS
In this section, the computational overhead and communication overhead of the IMAEP scheme will be evaluated. The performance of the scheme in [1] is also analyzed for comparison since it can provide the same anonymity against the full key exposure attack and defines the enhanced privacy.
In Table 2 we show the computational overhead in terms of the major mathematical operations for signature generation and verification. The number of major operations is counted according to the specific steps in the algorithms. As an example, for the IMAEP scheme, in step 4) of the signing phase, $n+1$ multiplications between elements of $Z_q^*$ and $G_1$ are performed in equation (1) and one more such multiplication is carried out in equation (2). In step 5) one more multiplication is performed in equation (3). In total, there are $n+3$ multiplications in $G_1$ during signing in the IMAEP scheme. The counts of the other operations are obtained similarly. For the signature verification in [1], a verifier has to check $n$ identities of the signing group $L$ in the worst case. To make the comparison fair, we assume that during the verification phase a verifier checks an average number of IDs, which is $\lfloor n/2 \rfloor$, where $\lfloor x \rfloor$ denotes the largest integer smaller than or equal to $x$.
During the signing phase, IMAEP does not need the pairing operation, which is computationally intensive, while the scheme in [1] involves pairing. During the verification phase, the IMAEP scheme needs far fewer operations. It is worth noting that the IMAEP scheme only needs a constant number of pairing operations, while in the scheme of [1] the number of pairing operations grows linearly with the group size.
Although during the verification phase, the verifier has to receive some aiding information from the KGC in the IMAEP scheme, considering its low computational cost, the small communication overhead is negligible. Moreover, the KGC and the verifier can be placed in the same node in practical implementations. In this case, there is no need to transfer the aiding information.
For the scheme proposed in [1], during message signing the calculation of $h_s$ is different from the calculation of $h_i$, $i \neq s$. Thus, to verify a valid signature, the verifier has to assume in turn that $ID_i$ is the signer and check the signature for every $i$ from 1 to $n$ until the verification equation holds for some $i = s$. Once the signature is accepted, the identity $ID_s$ of the true signer is therefore known to the verifier, so this scheme loses the property of unconditional privacy. Moreover, in the scheme of [1] the authenticity of a message can only be verified by the designated verifier. In networks where packets are forwarded by intermediate relay nodes, fake messages will therefore be forwarded to the destination without being detected, which wastes precious energy and bandwidth in the Internet of Things.

VI. EIMAEP SCHEME FOR GENERAL AD-HOC ACCESS STRUCTURES
In the previous section, we studied the ring signature scheme for a group of identities $L = \{ID_1, ID_2, \ldots, ID_n\}$ with one group member $ID_s$ as the signer of the message to be authenticated. In this section, we extend the discussion to general ad-hoc access structures as in [25] and propose an extended IMAEP (EIMAEP) scheme with the same level of anonymity as the IMAEP scheme.

A. RING SIGNATURE IN GENERAL AD-HOC ACCESS STRUCTURES
In general ad-hoc access structures, a single member with identity $ID_i$ is extended to a subset $L_i$ of $d_i$ members with identities $ID_{i,j}$, $1 \le j \le d_i$. The general access structure is defined as $L = \{L_1, L_2, \ldots, L_n\}$ with $n$ subsets. To sign a message, all the members of a subset $L_s$ collaborate to calculate a valid signature. A verifier can check whether the signature is produced by some subset in $L$; however, anyone outside the subset $L_s$ is unable to tell which subset in $L$ is the actual signer.

B. EIMAEP SCHEME
For the EIMAEP scheme, the KGC will run the same Setup and KeyGen algorithms as the IMAEP scheme described in section IV-C.
Sign: To sign a message $m$, the users with identities $ID_{s,j}$, $1 \le j \le d_s$, that belong to subset $L_s$ collaborate and execute the following steps with their private keys $S_{s,j}$ and the public parameters params:
1) Choose one user in $L_s$ as the agent user, which collects the partial signatures from the other users in $L_s$ and completes the rest of the signing process. Without loss of generality, we assume the identity of the agent user to be $ID_{s,1}$.
2) The agent user selects a set of $n$ subsets $L = \{L_1, L_2, \ldots, L_n\}$ with $L_s$ as one of the subsets.
3) For $i = 1, \ldots, n$, the agent user computes the public keys $Q_{i,j}$ of all the users in $L$. Then for each $i = 1, \ldots, n$ it calculates $PK_i = \sum_{j=1}^{d_i} Q_{i,j}$, which can be thought of as the public key of the subset $L_i$.
4) For each subset $L_i$, $i = 1, \ldots, n$, $i \neq s$, the agent user generates a random point $U_i \in G_1$ and calculates $h_i = H_0(m \| L \| U_i)$, where $\|$ denotes concatenation.
5) Each user of $L_s$ chooses a random number $r_{s,j} \in Z_q^*$ and calculates $U_{s,j} = r_{s,j} Q_{s,j}$. The values $U_{s,j}$, $2 \le j \le d_s$, are sent to the agent user.
6) The agent user chooses a random number $\alpha \in Z_q^*$ and calculates $h_s$, which it then sends to all the other users in $L_s$.
7) Each user of $L_s$ calculates $V_{s,j} = (r_{s,j} + h_s) S_{s,j}$. The values $V_{s,j}$, $2 \le j \le d_s$, are sent to the agent user.
8) The agent user calculates $V$ and $W$.
9) Output the signature $\sigma = \{U_1, \ldots, U_n, V, W, L\}$ on message $m$.
Verify: To check the validity of a signature $\sigma = \{U_1, \ldots, U_n, V, W, L\}$ on $m$, a verifier takes the following steps:
1) Request $T_1, T_2 \in G_2$ from the KGC in the same way as in the Verify algorithm of the IMAEP scheme in section IV-C.
2) For $i = 1, \ldots, n$, calculate $h_i = H_0(m \| L \| U_i)$ and evaluate the verification equation (26).
3) The signature $\sigma$ is accepted as valid if equation (26) holds. In all other cases, the signature is viewed as invalid and rejected.
Similar to the IMAEP scheme, a corresponding theorem shows that the EIMAEP scheme is correct. Since the EIMAEP scheme is an extension of the IMAEP scheme, the analysis of its performance is similar to that of the IMAEP scheme: the EIMAEP scheme is computationally efficient considering the major mathematical operations needed in the corresponding algorithms.

VII. SECURITY AND APPLICATION ANALYSIS FOR EIMAEP SCHEME
A. SECURITY ANALYSIS
1) UNCONDITIONAL SOURCE ANONYMITY
Theorem 7: The EIMAEP scheme can provide unconditional source anonymity.
Similar to the proof of Theorem 2, for an adversary outside the access structure $L$, the only way to infer the real signing subset $L_s$ is to guess. The probability of a successful guess is $1/n$.

2) ANONYMITY AGAINST THE FULL KEY EXPOSURE ATTACK
For the EIMAEP scheme, the adversary can obtain all the private keys in the access structure $L$ and try to identify the true signing subset $L_s$.
Theorem 8: The EIMAEP scheme can provide anonymity against the full key exposure attack.
Similar to the proof of Theorem 3, for each candidate subset $L_j$ the adversary can compute two bilinear pairings, (28) and (29); (28) contains the pairing $\hat{e}\big(\sum_{k=1}^{d_s}(r_{s,k}+h_s)S_{s,k} - h_j SK_j,\ PK_j\big)$ and (29) the factor $\hat{e}(\alpha P_{pub}, PK_j)$, where $SK_j = \sum_{k=1}^{d_j} S_{j,k}$. The only way for the adversary to find the real signer is to compare (28) with (29):
• It is obvious that (28) and (29) are not equal for $j \neq s$.
• For $j = s$, equation (28) can be written as $\hat{e}\big(SK_s, \sum_{k=1}^{d_s} r_{s,k} Q_{s,k}\big)\,\hat{e}(SK_s, \alpha P_{pub})$ and equation (29) as $\hat{e}\big(\sum_{k=1}^{d_s} r_{s,k} S_{s,k}, PK_s\big)\,\hat{e}(\alpha P_{pub}, PK_s)$. The first factors coincide by bilinearity, but the two products are not equal because $\hat{e}(SK_s, \alpha P_{pub}) \neq \hat{e}(\alpha P_{pub}, PK_s)$.
Thus, whether $j \neq s$ or $j = s$, equations (28) and (29) are not equal, and the adversary cannot spot the true signer.
It should be noted that the adversary could successfully identify the real signer by the above approach if $\hat{e}(SK_j, \alpha P_{pub})$ did not appear in equation (28) and $\hat{e}(\alpha P_{pub}, PK_j)$ did not appear in equation (29). This is the case for the scheme in [17], where $\alpha P_{pub}$ appears in neither $U_s$ nor $V$. Introducing $\alpha P_{pub}$ is what ensures the anonymity of the EIMAEP scheme for general access structures.
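To make the $j = s$ comparison above concrete, the following is an added toy model and not code from the paper. It represents the symmetric bilinear map as exponent arithmetic, $\hat{e}(aP, bP) = g^{ab} \bmod p$ over a prime-order subgroup, and assumes private keys of the form $S_{i,k} = x\,Q_{i,k}$ for a KGC master secret $x$ with $P_{pub} = xP$; the group parameters, this key derivation and the sample values are assumptions made for illustration, and the map is trivially insecure (discrete logarithms are read off directly). It demonstrates only the algebra of the argument: the first factors of (28) and (29) agree by bilinearity, the $\alpha$-dependent factors do not, and dropping $\alpha$ (as in [17]) makes the two pairings equal for $j = s$, which is exactly how the signing subset would be exposed.

```python
"""Toy model of the full-key-exposure comparison in Theorem 8 (j = s case).

Added illustration, not code from the paper. G_1 is modelled as Z_q: the
point aP is stored as the scalar a, point addition is addition mod q and
scalar multiplication is multiplication mod q. The symmetric bilinear map
is modelled as e(aP, bP) = g^(ab) mod p with p = 2q + 1 and g of order q.
This map is NOT a secure pairing (discrete logs are trivial); it only
reproduces the two identities the argument relies on:
    e(aP, bP) = e(bP, aP)   and   e(x*Q, R) = e(Q, R)^x.
Private keys are assumed to be S_{i,k} = x * Q_{i,k} for master secret x.
"""

Q = 1019          # prime group order (assumed toy parameter)
P = 2 * Q + 1     # 2039 is prime, so Z_p^* contains a subgroup of order Q
G = pow(2, 2, P)  # 4 is a quadratic residue mod P, hence has order Q


def pairing(a: int, b: int) -> int:
    """e(aP, bP) = g^(ab) mod p, bilinear and symmetric by construction."""
    return pow(G, (a * b) % Q, P)


def sum_mod(values) -> int:
    """Point addition in the toy G_1 (sum of scalars mod Q)."""
    return sum(values) % Q


def adversary_pairings(x, q_pts, r_vals, alpha):
    """Factors of (28) and (29) that an adversary holding every private key
    in L can compute for the candidate j = s.

    x      : KGC master secret, so P_pub = xP
    q_pts  : public keys Q_{s,1..d_s} of the signing subset L_s
    r_vals : random r_{s,k} chosen by the members of L_s during signing
    alpha  : the agent user's random alpha
    Returns ((f1_28, f2_28), (f1_29, f2_29)) with
      f1_28 = e(SK_s, sum_k r_{s,k} Q_{s,k}),  f2_28 = e(SK_s, alpha P_pub)
      f1_29 = e(sum_k r_{s,k} S_{s,k}, PK_s),  f2_29 = e(alpha P_pub, PK_s)
    """
    p_pub = x % Q
    s_pts = [(x * q) % Q for q in q_pts]            # S_{s,k} = x Q_{s,k}
    pk_s = sum_mod(q_pts)                            # PK_s = sum Q_{s,k}
    sk_s = sum_mod(s_pts)                            # SK_s = sum S_{s,k}
    sum_rq = sum_mod(r * q for r, q in zip(r_vals, q_pts))
    sum_rs = sum_mod(r * s for r, s in zip(r_vals, s_pts))
    a_ppub = (alpha * p_pub) % Q                     # alpha P_pub
    return ((pairing(sk_s, sum_rq), pairing(sk_s, a_ppub)),
            (pairing(sum_rs, pk_s), pairing(a_ppub, pk_s)))


def signer_identified(x, q_pts, r_vals, alpha, use_alpha=True) -> bool:
    """True if the adversary's test (28) == (29) succeeds for j = s.

    use_alpha=False models the scheme in [17], where alpha P_pub appears in
    neither U_s nor V, so only the first factors are compared.
    """
    (f1_28, f2_28), (f1_29, f2_29) = adversary_pairings(x, q_pts, r_vals, alpha)
    if not use_alpha:
        return f1_28 == f1_29
    return (f1_28 * f2_28) % P == (f1_29 * f2_29) % P


if __name__ == "__main__":
    # Constructed sample: d_s = 3 members in L_s, master secret x != 1.
    x, q_pts, r_vals, alpha = 7, [3, 5, 11], [2, 9, 4], 13
    (f1_28, f2_28), (f1_29, f2_29) = adversary_pairings(x, q_pts, r_vals, alpha)
    print("first factors equal :", f1_28 == f1_29)   # True  (bilinearity)
    print("alpha factors equal :", f2_28 == f2_29)   # False (x != 1)
    print("EIMAEP, j = s found :", signer_identified(x, q_pts, r_vals, alpha))
    print("[17],   j = s found :", signer_identified(x, q_pts, r_vals, alpha, False))
```

In the toy map the inequality $\hat{e}(SK_s, \alpha P_{pub}) \neq \hat{e}(\alpha P_{pub}, PK_s)$ reduces to $x^2 \alpha PK_s \not\equiv x \alpha PK_s \pmod q$, so the sample deliberately uses $x \neq 1$ and $\alpha PK_s \not\equiv 0$; in the real scheme the adversary cannot even evaluate these exponents, and the anonymity rests on the two products being distinct group elements, not on this toy arithmetic.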

3) EXISTENTIAL UNFORGEABILITY AGAINST THE ADAPTIVE CHOSEN-MESSAGE-AND-IDENTITY ATTACK
Theorem 9: The EIMAEP scheme is existential unforgeable against the adaptive chosen-message-and-identity attack.
The theorem can be formally proved in the same way as the unforgeability of the IMAEP scheme. The corresponding EUF-IDRS-CMIA2 game is modified as follows:
1) The Sign queries for identity sets $L = \{ID_1, ID_2, \ldots, ID_n\}$ become queries for general access structures $L = \{L_1, L_2, \ldots, L_n\}$.
2) The adversary $\mathcal{A}$ forges a signature for $L$ with the restriction that $\mathcal{A}$ did not query all of the private keys of any subset in $L$.
Similarly, the unforgeability can also be proved in another way. Then we obtain $\hat{e}\big(P_{pub}, (h_j - h'_j)PK_j\big) = \hat{e}(P, V - V')$, from which the adversary would obtain the summation of the private keys of the subset $L_j$. In the KeyGen algorithm, however, the KGC sends each private key to its user over a secret channel and the user keeps the private key secret, so the adversary cannot obtain the summation of the private keys of any subset either. Even if we loosen the condition and let the adversary access at most $d_i - 1$ private keys in subset $L_i$, it still cannot forge a valid signature.

B. A POSSIBLE APPLICATION IN THRESHOLD SIGNATURES
The EIMAEP scheme for general access structures can also be used for threshold signatures, where $t$ users in a group of $N$ users collaborate to produce a signature on a message $m$ and a verifier is convinced that at least $t$ users have signed $m$. As an example, assume there are $N$ members in an Internet of Things application and the application requires that a valid announcement be signed by at least $t$ members. Then a group of members $L_1$ with $d_1 \ge t$ can publish an announcement as follows: 1) Randomly choose members of the application and form another $n - 1$ groups $L_2, \ldots, L_n$, each with at least $t$ members. In practice, the group of true signers $L_1$ can swap its index with another subset $L_i$ to hide its position in $L$. 2) Generate the ring signature for the general access structure $L = \{L_1, L_2, \ldots, L_n\}$ using the EIMAEP scheme and publish the announcement. In this way the authenticity of the announcement can be verified while the group of true signers is not identified, since every subset in $L$ has at least $t$ members: we obtain an anonymous threshold ring signature with enhanced privacy using the EIMAEP scheme.

VIII. CONCLUSION
In this paper, we propose an efficient message authentication with enhanced privacy (IMAEP) scheme using identity based cryptography for the IoT networks. The IMAEP scheme can provide unconditional privacy as well as the enhanced privacy defined in [18] under the full key exposure attack. The proposed scheme can also achieve unforgeability under the adaptive chosen-message-and-identity attack. For all the statements and theorems, we conduct detailed analysis and provide formal proofs. Compared with the scheme in [1], which has the same level of anonymity and security, our proposed scheme has much lower computational overhead and additionally provides unconditional privacy. For a general access structure $L$ consisting of $n$ subsets, we propose the EIMAEP scheme to support a group of users $L_s$ in $L$ in anonymously signing a message. Comprehensive analysis shows that the EIMAEP scheme achieves the same level of privacy and unforgeability as the IMAEP scheme.

LIN HUI received the B.S. degree in mathematics from Tunghai University, the M.S. degree in mathematics from Fu Jen Catholic University, Taiwan, and the Ph.D. degree in computer science and information engineering from Tamkang University, Taiwan, in 2006. She was supported by the Chungshan Institute of Science and Technology as a Special Student with the Department of Computer Science, University of Wisconsin-Madison, USA, in 1993. She is currently an Associate Professor with the Department of Innovation Information and Technology, Tamkang University. Her current research interests include operations research, data mining, and multimedia applications. She has published more than 80 journal articles, book chapters, and conference papers related to these fields.

ZHANGBING ZHOU is currently a Professor with the China University of Geosciences, Beijing, China, and an Adjunct Associate Professor with Telecom SudParis, France. His research interests include wireless sensor networks, services computing, and business process management.
VOLUME 8, 2020