A remote attestation mechanism using group signature for the perception layer in centralized networking

As perception layer nodes are an important transmission path for perception data, their security and privacy have received more and more attention. To evaluate the credibility of the perception nodes and protect their own identity privacy, a remote attestation mechanism using group signature (GS-RAM) for the perception layer of centralized networking is proposed in this paper. First, a RAM, based on the computational Diffie–Hellman (CDH) problem and GS, is established for the data source of the perception nodes. Second, the specific construction of the proposed GS-RAM is given to identify the trusted state of data sources without exposing the privacy of the perception nodes. Then, a strict security certification is carried out to verify the correctness, unforgeability, anonymity, traceability, unrelatedness, non-framing, anti-joint aggression and forward security of the proposed GS-RAM. Finally, simulation experiments are carried out to verify that the proposed scheme has better security and dynamic adaptability.

As for the perception layer of the IoT, due to its heterogeneity and complexity, it is very vulnerable to attack by criminals, resulting in security threats to the source of the perceptual data [4,5]. Ensuring the credibility of the perception nodes and the source of perception data is the cornerstone of ensuring the safe operation of the perception layer. It is also one of the key issues that need to be solved at present. Therefore, the analysis and research on the security mechanism of the perception layer of the Internet of Things is crucial to the development of the ecology of the Internet of Things.
In order to verify whether the terminal is in a safe state, it is necessary to ensure the integrity of its underlying devices. Remote attestation enables remote verification devices to verify the credibility of data source nodes. This technology is a key security mechanism after the extension of trusted computing technology to the Internet of Things. However, the current security mechanism for perceptual nodes is neither universal nor efficient. Meanwhile, it is unable to guarantee the reliability of perceptual nodes.
Current models lack objectivity and dynamics and therefore cannot cope with the current situation of the Internet of Things. To solve this issue, this paper uses the measurement results of perceptual nodes to estimate their trust status and, on the basis of trusted logical grouping, builds trusted groups with different trust levels. Based on the trusted logical grouping of the perception layer [6], a remote attestation mechanism using group signature (GS-RAM) for the perception nodes of centralized networking is proposed to ensure credibility and protect privacy. The experimental simulation shows that this mechanism has high operation efficiency and low computational performance consumption, and that it can effectively verify the state of the sensing data source. The main contributions of this paper are as follows.

1. A remote attestation mechanism (RAM), based on the CDH problem, is established for the data source of the perception nodes of centralized networking.
2. The specific construction of the proposed RAM is given to identify the trusted state of data sources and guard against privacy exposure of the perception nodes.
3. The security properties of the proposed GS-RAM, including the correctness, unforgeability, anonymity, traceability, unrelatedness, non-framing, anti-joint aggression and forward security, are testified.
The remaining parts of this paper are organized as follows. Section 2 is concerned with the related work. Section 3 introduces the preliminary knowledge about GS, bilinear mapping and the CDH problem. Section 4 describes the GS-RAM in detail. Then, the various security property certifications of the proposed GS-RAM are given to demonstrate the effectiveness of GS-RAM in Section 5. Simulation experiments are carried out to verify that the proposed scheme has better security and dynamic adaptability in Sect. 6. Section 7 concludes this paper.

Related work
Terminals in the Internet of Things usually sense, process and transmit perceptual information, which often contains sensitive data and is vulnerable to malicious attacks. Remote attestation is a key security mechanism after the extension of trusted computing technology to the Internet of Things, and it has many advantages over the present authentication mechanisms. For example, the present identity authentication mechanisms can only provide simple authentication and have no way to attest the trustworthiness of the properties and performance of the entire computing platform. Moreover, they cannot resist platform identity attacks, forgery attacks, conspiracy attacks, etc. Through remote attestation, by contrast, the correctness and integrity of information can be checked. Besides, the remote verifier can complete the authentication of the whole platform in the process of interaction, and can verify the trusted state [7]. D. Boneh et al. proposed a short local verifier group signature based on the strong Diffie-Hellman hypothesis and the decision linearity hypothesis in bilinear groups, but it did not have backward irrelevance [8]. Brickell et al. were the first to propose a direct anonymous remote attestation scheme to protect the privacy of platform configuration, in 2004. The scheme can be extended in many forms [9]. The scheme proposed by Brickell et al. protected the privacy of signers through direct anonymous authentication, which solved some limitations. However, the scheme cannot revoke the identity of malicious nodes and does not protect platform configuration information [10]. Literature [11] proposed an attestation mechanism based on TPM to confirm platform identity by providing TPM data verification to users. It authenticates itself by using a certificate to accomplish remote attestation. The remote attestation selection platform uses the AIK key to sign the PCR value of the environment state to complete the integrity measurement.
The scheme proposed by Sailer et al. described the brief process of TCG for remote attestation. The prover sends the identity information and configuration information of the computing platform to the interrogator, and the interrogator checks the credibility and integrity of the prover according to the configuration information [12]. Literature [13] pointed out that in the process of remote attestation of the TCG remote proof protocol, the prover would realize the attestation of the interrogator by signing its own configuration information. Awad et al. proposed an attestation mechanism based on TCG to ensure the integrity of the system by using TPM. The solution provided both hardware and software attestation. Software attestation verified system software and data, while hardware attestation detected tampering at the system level [14].
The simple remote attestation schemes described above use metrics as a state indicator of the system. However, these mechanisms have some issues, such as management problems caused by the complexity and variability of the system, security problems caused by digital signature using AIK as a measure, etc. The remote attestation mechanisms based on TCG still have some shortcomings, such as being unable to perform attestation dynamically and being unable to resist replay attacks.
In order to solve these problems in the TCG remote proof mechanism, scholars at home and abroad have carried out further research on remote attestation. Zhao et al. proposed a credential attestation scheme based on attribute certificates. By abstracting the attributes of the computing platform into certificates, privacy exposure was avoided and the efficiency of the attestation process was improved [15]. Awad proposed an attribute-based attestation scheme, which was easier to manage than the hashing attestation scheme in the TCG specification. The solution also provided platform-specific integrity and identity authentication technology. However, the scheme is not perfect because it cannot be fully applied to the current situation of the perception layer [16]. Zhu et al. proposed a semantics-based remote attestation model, which combined semantics-based virtual machine technology with remote attestation. This model was independent and dynamic based on the platform [17]. Liu et al. proposed a remote automatic anonymous attestation scheme based on trusted computing, which achieved the purpose of anonymous attestation and privacy protection through ring signature. However, the scheme cannot accurately abstract the external platform attribute value and external attribute certificate [18].
In conclusion, the Internet of Things is being applied more and more widely. In particular, IoT perceptual technology has become increasingly complex and the perceptual data have increased explosively. However, the present remote attestation mechanisms that are applicable to the perception layer have not fundamentally solved issues such as how to effectively protect the privacy of authentication nodes' information. Therefore, we need to study a remote attestation scheme for data sources that is applicable to the perception layer of the Internet of Things.

Group signature (GS)
As shown in Fig. 1, the scheme of GS consists of four roles: group manager, group member, verifier and opener [19][20][21][22]. The group manager is responsible for dispensing the signature key and member certificate to each group member. Group members with certificates can generate group signatures while maintaining their own anonymity. The verifier can judge the legality of a signature, but cannot identify the signer. The opener can use the initial key to identify the signer of the corresponding signature when the behavior of a member is abnormal. The detailed procedures include:
1. Initialization: the security parameters are the input, and the public/private key pairs of the group manager and the opener are the output;
2. Join: the group public key, the private key of the group manager and the public key of the group member are the input, and the group certificate corresponding to the public key of the group member is the output;
3. Signature: the group public key, a message to be signed, the signature key of the signer and the member certificate are the input, and the signature of the message is the output;
4. Verification: the group public key, a message and the group signature of the message are the input, and the verification result of the signature is the output;
5. Open: the group signature and the initial key are the input, and the identity result confirmed by the opener is the output.
Fig. 1 The scheme of group signature, which consists of four roles: group manager, group member, verifier and opener [18][19][20][21]

Bilinear mapping
$G_1 = \langle g_1 \rangle$ and $G_2 = \langle g_2 \rangle$ are defined as multiplicative cyclic groups of order $p$, where $p$ is a prime number and $g_1$ and $g_2$ are the generators of $G_1$ and $G_2$ respectively. $e: G_1 \times G_1 \to G_2$ is a computable mapping [23,24] if it satisfies the following properties.
1. Bilinear: There is a mapping e: there is an effective algorithm to calculate $e(g_1, g_2)$. 4. $G_1 \times G_1 \to G_2$ are the bilinear mapping.

The CDH problem
Given the group $G = \langle g \rangle$, if $g$, $g^a$, $g^b$ are known and $a, b \in Z_p$, it is difficult to calculate $g^{ab}$ when $a$ and $b$ are unknown [25,26].

Remote attestation mechanism using group signature
The perception nodes should be credible when transmitting data in a perceptual node group of centralized networking. In the proposed GS-RAM, to prove the credibility of a node, the trusted value and relevant data are transmitted to the remote verification node, which uses the received information to determine the confidence of the data source node. When the data source node is in an untrusted state, the remote verification node can trace back to the superior node (management node) of the data source node to further evaluate its credibility. Based on the final evaluation results, the remote verification node determines whether or not to interact (shown in Fig. 2). The detailed processes are as follows:
1. In the perception layer of centralized networking mode, the superior node in a perception node group performs a real-time trust measurement of the data source node. Then, the data source node formalizes the measurement value, timestamp and some other related attributes into a remote proof vector.
2. When a member node in the node group is verified by the remote verification node, the data source node only needs to prove that it belongs to the trusted group, which avoids the disclosure of node identity.
3. According to the security strategy of the remote verification node, the credibility of the source node can be evaluated. If the source node is in doubt, its group signature can be unfolded to examine the corresponding information, or a query can be made to the superior node of the source node. If the result is unreliable, the data transmission of the source node can be refused.
Remark 1 Compared with some security mechanisms, the proposed GS-RAM can efficiently evaluate the credibility of the data source node to make data transfer between the source node and the remote node more secure. Moreover, this GS-RAM has the characteristics of being measurable, traceable, monitored and extensible.

Construction of GS-RAM
This part describes the signing, verification and signature opening process of the GS-RAM scheme. The symbols and their meanings are summarized in Table 1. Given the collision-free hash function $H: \{0,1\}^* \to G_1$, GM randomly selects $\alpha \in Z_q^*$ and sets $g_s = \alpha$ as the private key of the group; thus the public key of the group is $g_x = \alpha G \in G_1$. Finally, $g_s$ is kept as the private parameter and the public parameters $(G_1, G_2, e, Q, G, H, g_x)$ are released.

(2) The registration of group member
The perception node needs to conduct an identity interactive authentication protocol with GM when it wants to join the group. The participant node randomly selects $s_i \in Z_q^*$ as its private key and takes $S_i = s_i G$ as the public key. Then, the participant node transmits the public key $S_i$ to GM and requests registration. GM authenticates the participant node and arbitrarily selects $\alpha^c_i \in Z_q^*$. If $\alpha^g_i = (\alpha - \alpha^c_i) \pmod{Q}$, the verification is successful and GM will transmit $\alpha^c_i$ to this participant node. The participant node becomes a new $CIN_i$ and GM will record $(\alpha^g_i, S_i)$ in the set $L_1$ of legal information of group members.

(3) The key update of GS-RAM
$CIN_i$ selects $r^c_0 \in Z_q^*$, and obtains k c Thus, it can be seen that the key of $CIN_i$ at time $t$ is $k^c_t$, $r^c_t$ and $k^c_{t-1}$ will be discarded.
(1)     H(m)). If the formula is equal, GM can obtain $\sigma_{i,t} = \alpha^c_{i,t} + \alpha^g_{i,t}$ and $T_{i,t} = T^c_{i,t} + T^g_{i,t} + S_i$, and meanwhile record $(S_i, T^c_{i,t}, T^g_{i,t}, H(m))$ to the signature information set $L_2$ of group member. In addition, the group signature of message $m$ is recorded as $\Delta = (\sigma_{i,t}, T_{i,t})$.

(5) The verification of GS-RAM
When receiving the GS $\Delta = (\sigma_{i,t}, T_{i,t})$, the remote verification node V calculates $\mu = H(m)$ and checks whether $e(G, \sigma_{i,t}) = e(g_x + T_{i,t}, \mu)$. The perception data can be transmitted after the remote verification node V has finished validation. If signature verification is unsuccessful, V can immediately stop receiving the GS and data of the source node.

(6) The open of GS-RAM
When GS is questioned by the remote verifier V, the group member generating GS can be traced with the help of GM. GM can open $\Delta = (\sigma_{i,t}, T_{i,t})$, and then verify the signature node using the information set $L_1$ of legal group member and the information set $L_2$ of group member signature recorded by the GM.
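
The algebra of registration (2), verification (5) and opening (6) can be traced in the following added example, which is not code from the paper. The pairing is a toy exponent-domain stand-in with no security, all class and function names are hypothetical, and the partial-signature formulas in `partial` and `cosign` are assumptions (the signing equations did not survive on this page) chosen so that the check $e(G, \sigma_{i,t}) = e(g_x + T_{i,t}, \mu)$ holds.

```python
import hashlib
import secrets

# Toy stand-in for the pairing group (NOT secure): the element x*G of G1 is stored
# as the integer x mod Q, so e(xG, yG) = x*y mod Q stands for g_T^(xy). Discrete
# logs are exposed; this only lets us check the algebra of the scheme.
Q = 2**61 - 1   # prime group order (constructed value)
G = 1           # generator of G1 in the toy representation

def pairing(a, b):
    return (a * b) % Q

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1          # element of Z_Q^*

def hash_to_g1(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (Q - 1) + 1

class GroupManager:
    def __init__(self):
        self.alpha = rand_scalar()               # group private key g_s = alpha
        self.g_x = self.alpha * G % Q            # group public key g_x = alpha*G
        self.L1 = {}                             # S_i -> alpha_g_i (legal members)
        self.L2 = []                             # (S_i, T_c, T_g, H(m)) per signature

    def join(self, S_i):
        alpha_c = rand_scalar()
        while alpha_c == self.alpha:             # keep GM's share non-zero
            alpha_c = rand_scalar()
        self.L1[S_i] = (self.alpha - alpha_c) % Q    # alpha_g = alpha - alpha_c mod Q
        return alpha_c

    def cosign(self, S_i, sigma_c, T_c, mu):
        alpha_g = self.L1[S_i]                   # KeyError for an unregistered node
        alpha_c = (self.alpha - alpha_g) % Q
        # Assumed check of the member's share before GM contributes its own.
        if pairing(G, sigma_c) != pairing((alpha_c * G + T_c + S_i) % Q, mu):
            raise ValueError("member share rejected")
        r_g = rand_scalar()
        T_g = r_g * G % Q
        sigma_g = (alpha_g + r_g) * mu % Q       # assumed form of GM's share
        self.L2.append((S_i, T_c, T_g, mu))
        return (sigma_c + sigma_g) % Q, (T_c + T_g + S_i) % Q   # Delta = (sigma, T)

    def open(self, signature):
        _, T = signature
        for S_i, T_c, T_g, _mu in self.L2:
            if (T_c + T_g + S_i) % Q == T and S_i in self.L1:
                return S_i                       # public key of the signing member
        return None

class Member:
    def __init__(self, gm):
        self.s = rand_scalar()                   # private key s_i
        self.S = self.s * G % Q                  # public key S_i = s_i*G
        self.alpha_c = gm.join(self.S)

    def partial(self, message):
        mu = hash_to_g1(message)
        r_c = rand_scalar()                      # fresh per-signature randomness
        T_c = r_c * G % Q
        sigma_c = (self.alpha_c + r_c + self.s) * mu % Q   # assumed member share
        return sigma_c, T_c, mu

def verify(g_x, message, signature):
    sigma, T = signature
    mu = hash_to_g1(message)
    return pairing(G, sigma) == pairing((g_x + T) % Q, mu)

def demo():
    gm = GroupManager()
    node = Member(gm)
    proof = b"trust=0.93;ts=1700000000"          # constructed remote proof vector
    sigma_c, T_c, mu = node.partial(proof)
    delta = gm.cosign(node.S, sigma_c, T_c, mu)
    solo = (sigma_c, (T_c + node.S) % Q)         # member signing without GM's share
    return verify(gm.g_x, proof, delta), gm.open(delta) == node.S, verify(gm.g_x, proof, solo)

if __name__ == "__main__":
    print(demo())
```

The verifier only ever sees `g_x` and `(sigma, T)`, while the mapping from `T` back to `S_i` exists only in GM's set `L2`; the third result shows that a member's share alone does not satisfy the verification equation.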

Results and discussion
To ensure the security of the proposed GS-RAM, the correctness, unforgeability, anonymity, traceability, non-relatedness, non-frameability, anti-joint aggression and forward security of GS-RAM can be verified. According to Eq. (6), $\sigma_{i,t}$ must be generated by the group manager GM and the group member $CIN_i$.

(2) Unforgeability
If $(\sigma_{i,t}, T_{i,t})$ is the signature of message $m$ by $CIN_i$, then it can calculate where $\theta_1$ is the signature of the group member $CIN_i$ and the group manager GM, $\theta_2$ is the BLS signature of the group member $CIN_i$ on message $m$, and $\theta_3$ is the BLS signature of the group manager GM and the group member $CIN_i$ on message $m$. $\theta_1$, $\theta_2$ and $\theta_3$ satisfy unforgeability, thus $\Delta = (\sigma_{i,t}, T_{i,t})$ meets unforgeability.
Based on Eq. (8), $v_i$ is equal to $abG$, which means that although an attacker can solve a difficult CDH problem, this problem cannot be calculated on $G_1$. Therefore, the attacker cannot successfully attack. The anonymity of GS-RAM has been proved.

(4) Traceability
According to the proposed GS-RAM, $\Delta = (\sigma_{i,t}, T_{i,t})$ is produced by the collaboration of GM and $CIN_i$. If $CIN_i$ wants to provide a legal group signature, it must cooperate with GM. In addition, the identity and public key ($S_i$, T
Proof Suppose $(\sigma_{i,t}, T_{i,t})$ is the GS of $CIN_i$ at time $t$ for the information $m_t$ and $(\sigma_{i,t+\Delta t}, T_{i,t+\Delta t})$ is the GS of $CIN_i$ at time $(t + \Delta t)$ for the information $m_{t+\Delta t}$, the attacker can distinguish $(\sigma_{i,t}, T_{i,t})$ and $(\sigma_{i,t+\Delta t}, T_{i,t+\Delta t})$. Moreover, the attacker can also obtain the signature $(\sigma_{i,t}, T_{i,t})$ for the information $m_t$ and the private key of GM and $CIN_i$. To ensure the security of GM, thus $\omega = \alpha H(m_t)$, is the CDH problem of group $G_1$. Therefore, it is impossible to judge the relevance of $(\sigma_{i,t}, T_{i,t})$ and $(\sigma_{i,t+\Delta t}, T_{i,t+\Delta t})$ without unfolding them, because the CDH problem of group $G_1$ is intractable.

(6) Non-frameability
Based on the above analysis, the proposed GS-RAM is unforgeable. Therefore, it is impossible to forge a legal signature node for signature under the premise that no other node except the signature node has the key of the group member. Therefore, this GS-RAM cannot be framed.

(7) Anti-joint attack
This GS-RAM is unforgeable. Therefore, GM can verify the legality of $CIN_i$ when GM wants to cooperate with the signature node $CIN_i$ to generate an effective GS. If some nodes in the group want to jointly forge a legal signature, it is impossible for them to construct a legal group signature if GM does not cooperate with them.

(8) Forward safety
Assuming that $CIN_i$ can change the key $k^c_t$ using an arbitrary $r^c_t$, the change of the time period cannot affect the selection of the random number, and the signature key can be updated without restriction. If an attacker knows that the key of $CIN_i$ at time $t$ is $k^c_t$ and wants to get the key before time $t$, the attacker must obtain $r^c_k$ of $CIN_i$ before the $(t-1)$ time period. However, every $r^c_k$ used to get the key at time $t$ will be destroyed. Therefore, if the attacker wants to obtain $r^c_{t-1}$ at time $(t-1)$ by computing $T^c_{i,t-1} - T^c_{i,t-2} = r^c_{t-1} G$, this process can be considered as solving the discrete logarithm problem on group $G_1$. The proposed GS-RAM scheme therefore has forward security.

Remark 2
Based on the above analysis, for the centralized networking mode of the perception layer, the proposed GS-RAM can realize the credibility attestation of the data source. Moreover, the security analysis of GS-RAM shows that it can effectively conceal the group member's identity and has correctness, unforgeability, anonymity, traceability, non-relatedness, non-frameability, anti-joint aggression and forward security.
The group signature length of GS-RAM is short, which can effectively reduce the computational cost and is more practical.
The communication cost and efficiency of the proposed remote attestation scheme are compared with those proposed in other published literature. Table 2 shows the comparison results of communication efficiency in the attestation process with those proposed in references [27][28][29]. Here, PA represents the number of bilinear pair operations required in the scheme, MUL represents the number of dot product operations required in the scheme, and EXP represents the number of power exponential operations required in the scheme. SIG indicates the signcryption phase, and UNSIG indicates the unsigncryption phase. As can be seen from Table 2, the remote attestation scheme implemented in this paper has one advantage in power exponent calculation. It is very important to reduce the number of bilinear pair operations, dot product operations and power index operations in the attestation scheme to improve the communication efficiency and the use value of the scheme. The remote attestation scheme in this paper has more advantages, which can reduce the communication cost and improve the efficiency.

The simulation experiment
In this section, the remote attestation process between nodes in the perception layer is simulated. Simultaneously, the malicious nodes attack method described in the literature [7] is adopted to test the correctness and effectiveness as well as the dynamic adaptability of the proposed scheme. Figures 3 and 4 respectively show the comparison results of the rate of receiving trusted data at points when malicious nodes account for 5% and 15% of all nodes. Scheme 1 represents the conventional perceptual nodes authentication scheme [30], and scheme 2 represents the interactive scheme without remote attestation.
As can be seen from Figs. 3 and 4, when malicious nodes account for 5% and 15% of the perception layer, the remote attestation scheme proposed in this paper can effectively ensure the trusted data rate of data received by remote nodes. The reason why this scheme is superior to scheme 1 and 2 is that the remote attestation scheme proposed in this paper can guarantee the security and credibility of the nodes before the data source nodes transmit data.
As can be seen from Fig. 5, the energy consumption of the scheme proposed in this paper is slightly higher than that of scheme 1 and scheme 2. The reason is that the computational complexity is higher than those of scheme 1 and scheme 2. Therefore, the rate of energy consumption per unit time must be higher than those of scheme 1 and scheme 2. However, this will not affect the service life of the perceptual nodes significantly, and it can be seen from the above that the security of this scheme is far superior to scheme 1 and 2. By comprehensively weighing the comparison of security and energy consumption, the remote attestation scheme in this paper achieves better security through less energy consumption and it is more suitable for the perception layer of IoT. Due to the existence of many unstable factors, the perception layer may change at any time. Therefore, the ability of the perception layer to operate credibly despite the influence of external factors is called dynamic adaptability. If a trust model is not affected by external complex and dynamic factors, and can still accurately and continuously measure the perception nodes, it can be considered that the trust model is effective and has strong dynamic adaptability.
In the different perception layer of the Internet of Things, due to different deployment environments, there will be great differences in the interaction between nodes. For example, due to limited computing resources in the perception layer, some nodes will not interact with each other continually. Another example is in the environment of Internet of vehicles, where frequent interaction between nodes may be required. Therefore, the dynamic adaptability of the proposed scheme is verified by comparing with scheme 1 and scheme 2.
The simulation experiment in this paper reflects the perceptual network environment of different situations through two indicators SRF and TDF.
1. SRF represents the communication frequency between nodes. The value can be used to represent the busy state of the perception network. The variation range of this value is [0,1]. The larger the value is, the more frequent the communication between nodes will be. This value is generally set to a constant depending on the development environment of the perceptual network deployed.
2. TDF represents the dynamic change frequency of the whole perceptual network. Since the perception nodes may join or quit at any time, this value can represent the dynamic change of the perceptual network. The change range of this value is [0,1]. This value is generally set to a constant depending on the development environment of the perceptual network deployed.
In this simulation experiment, the success rate of node trusted interaction TSSP represents the dynamic adaptability of the remote attestation model. The larger TSSP becomes, the stronger dynamic adaptability the model has. It is stipulated that $ST(\Delta T)$ is the record of successful communication between nodes. $GT(\Delta T)$ is all times of communication between nodes including communication failure. Therefore TSSP can be expressed as:
$TSSP = \frac{ST(\Delta T)}{GT(\Delta T)}$, where $\Delta T$ is the communication time window.
Figures 6 and 7 show the comparison of dynamic adaptability between the remote attestation scheme in this paper and other schemes in different perceptual network environments.
In Fig. 6, SRF = 0.3, TDF = 0.2. It indicates that the perceptual network does not change frequently and the communication frequency between nodes is not frequent in this scenario.
In Fig. 7, SRF = 0.9, TDF = 0.8. It indicates that the perceptual network changes frequently and the communication between nodes is frequent in this scenario.
In conclusion, compared with scheme 1 and 2, the scheme proposed in this paper is more suitable for the perception layer of IoT. Because the remote attestation scheme for the node is based on comprehensive real-time trusted measurement, it fully considers the characteristics of the perception of different networking nodes. Meanwhile, it can more accurately and objectively describe the safety of the node. Therefore, this scheme has better network dynamic adaptability.

Conclusions
In this paper, a GS-RAM was designed to evaluate the credibility of the perception nodes and protect their own identity privacy. Then, the specific construction of the proposed GS-RAM is given, with which GS-RAM can query the credibility of the perception nodes and trace suspicious nodes. Finally, the correctness, unforgeability, anonymity, traceability, unrelatedness, non-framing, anti-joint aggression and forward security of the proposed GS-RAM were verified. The analysis results demonstrated that the proposed GS-RAM is safe and efficient to apply to the perception layer of centralized networking. Finally, simulation experiments were conducted to compare the proposed scheme with other remote attestation schemes, which verify the correctness and effectiveness of the proposed scheme, which has better security and dynamic adaptability. However, this scheme only applies to centralized networking. Besides, with the rise of quantum cryptography, some new attacks have emerged. The scheme proposed in this paper is still a little weak in resisting quantum