Light-Weight and Privacy-Preserving Authentication Protocol for Mobile Payments in the Context of IoT

The widespread use of smart devices attracts much attention on the research for a mobile payment protocol in the context of the Internet of Things (IoT). However, payment trust and user privacy still raise critical concerns to the application of mobile payments since existing authentication protocols for mobile payments either suffer from the heavy workload on a resource-limited smart device or cannot provide user anonymity in the mobile payment. To address these challenges elegantly, this paper presents a lightweight and privacy-preserving authentication protocol for mobile payment in the context of IoT. First, we put forward a unidirectional certificateless proxy re-signature scheme, which is of independent interest. Based on this signature scheme, this paper, then, gives a new mobile payment protocol that for the first time not only achieves anonymity and unforgeability but also leaves low resource consumption on smart devices. In the proposed protocol, the efficiency is notably improved by placing the most computational cost on Pay Platform (usually with abundant computational power) instead of lightweight mobile devices. Moreover, by considering that the Pay Platform and Merchant Server needs to perform computation for each transaction, the idea of batch-verification has been adopted to mitigate the overhead for millions of users at the Pay Platform and Merchant Server to address the scalability issue. Through the formal security analysis presented in this paper, the proposed protocol is proved to be secure under the extended CDH problem. In addition, the performance evaluation shows that the proposed protocol is feasible and efficient for the resource-limited smart devices in the IoT.

[1]  Zhiguang Qin,et al.  A secure and privacy-preserving mobile wallet with outsourced verification in cloud computing , 2017, Comput. Stand. Interfaces.

[2]  Hu Xiong,et al.  Comments on “Verifiable and Exculpable Outsourced Attribute-Based Encryption for Access Control in Cloud Computing” , 2017, IEEE Transactions on Dependable and Secure Computing.

[3]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[4]  Kenneth G. Paterson,et al.  Certificateless Public Key Cryptography , 2003 .

[5]  Yang Xiaoyuan,et al.  A certificateless proxy re-signature scheme , 2010, 2010 3rd International Conference on Computer Science and Information Technology.

[6]  Jan Camenisch,et al.  Batch Verification of Short Signatures , 2007, Journal of Cryptology.

[7]  Matt Blaze,et al.  Divertible Protocols and Atomic Proxy Cryptography , 1998, EUROCRYPT.

[8]  B.K. Yi,et al.  Digital signatures , 2006, IEEE Potentials.

[9]  A. Shamm Identity-based cryptosystems and signature schemes , 1985 .

[10]  Zhiguang Qin,et al.  Revocable and Scalable Certificateless Remote Authentication Protocol With Anonymity for Wireless Body Area Networks , 2015, IEEE Transactions on Information Forensics and Security.

[11]  Toru Aihara,et al.  Anonymity-Aware Face-to-Face Mobile Payment , 2010, MobiQuitous.

[12]  Yi Mu,et al.  On the Security of Certificateless Signature Schemes from Asiacrypt 2003 , 2005, CANS.

[13]  Benoît Libert,et al.  Multi-use unidirectional proxy re-signatures , 2008, CCS.

[14]  Ruhul Amin,et al.  A lightweight two-gateway based payment protocol ensuring accountability and unlinkable anonymity with dynamic identity , 2017, Comput. Electr. Eng..

[15]  Jean-Sébastien Coron,et al.  On the Exact Security of Full Domain Hash , 2000, CRYPTO.

[16]  Hao Zhang,et al.  Attribute-Based Privacy-Preserving Data Sharing for Dynamic Groups in Cloud Computing , 2019, IEEE Systems Journal.

[17]  Victor C. M. Leung,et al.  Demographic Information Prediction: A Portrait of Smartphone Application Users , 2018, IEEE Transactions on Emerging Topics in Computing.

[18]  Fagen Li,et al.  Analysis of a mobile payment protocol with outsourced verification in cloud server and the improvement , 2018, Comput. Stand. Interfaces.

[19]  Susan Hohenberger,et al.  Proxy re-signatures: new definitions, algorithms, and applications , 2005, CCS '05.

[20]  Yanan Zhao,et al.  Efficient and Provably Secure Certificateless Parallel Key-Insulated Signature Without Pairing for IIoT Environments , 2020, IEEE Systems Journal.

[21]  Yun Ling,et al.  Unidirectional Identity-Based Proxy Re-Signature , 2011, 2011 IEEE International Conference on Communications (ICC).

[22]  Hu Xiong,et al.  Cost-Effective Scalable and Anonymous Certificateless Remote Authentication Protocol , 2014, IEEE Transactions on Information Forensics and Security.

[23]  Jacques Stern,et al.  Security Arguments for Digital Signatures and Blind Signatures , 2015, Journal of Cryptology.

[24]  Jen-Ho Yang,et al.  A mobile payment mechanism with anonymity for cloud computing , 2016, J. Syst. Softw..

[25]  Kuo-Hui Yeh,et al.  A Secure Transaction Scheme With Certificateless Cryptographic Primitives for IoT-Based Mobile Payments , 2018, IEEE Systems Journal.

[26]  Duncan S. Wong,et al.  Certificateless Public-Key Signature: Security Model and Efficient Construction , 2006, ACNS.

[27]  Lida Xu,et al.  The internet of things: a survey , 2014, Information Systems Frontiers.

[28]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[29]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[30]  Yining Liu,et al.  A Secure Authentication Protocol for Internet of Vehicles , 2019, IEEE Access.

[31]  Robert Kohl,et al.  Handbook Of Mobile Communication Studies , 2016 .

[32]  Xiaotie Deng,et al.  Key Replacement Attack Against a Generic Construction of Certificateless Signature , 2006, ACISP.