Isogeny-based Post-Quantum Proxy Signature for Internet of Things
The rapid growth of the Internet of Things (IoT) introduces challenges in secure authentication and delegation due to the limited computational capabilities of devices. Proxy signature schemes offer an effective solution by enabling controlled delegation of signing rights to more capable entities, such as gateway nodes. However, most existing schemes rely on classical assumptions that are likely to be broken by quantum adversaries. In this work, we address these challenges by proposing an isogeny-based post-quantum proxy signature scheme, CSI-PS. The scheme leverages the hardness of the Group Action Inverse Problem (GAIP) to ensure quantum-resistant security while maintaining efficiency suitable for resource-constrained environments. We further demonstrate its applicability in IoT architectures through a gateway-based delegation model. Our analysis shows that the proposed scheme strikes an effective balance between security and efficiency in terms of computation and communication overhead, along with provable security under the EUF-CMA notion.
💡 Research Summary
The paper addresses the pressing need for quantum‑resistant authentication and delegation mechanisms in the Internet of Things (IoT), where many devices are severely constrained in terms of CPU, memory, and energy. Classical digital‑signature schemes based on RSA or discrete logarithms are vulnerable to Shor’s algorithm, and existing proxy‑signature constructions inherit this weakness. To overcome these limitations, the authors propose a novel post‑quantum proxy‑signature scheme called CSI‑PS (Commutative Supersingular Isogeny Proxy Signature).
CSI‑PS is built on the hardness of the Group Action Inverse Problem (GAIP) in the context of supersingular elliptic curves. Specifically, the scheme leverages the CSIDH (Commutative Supersingular Isogeny Diffie‑Hellman) framework, where a class group of an imaginary quadratic order acts freely and transitively on the set of supersingular curves defined over a prime field 𝔽ₚ. The prime p is chosen as p = 4·ℓ₁·…·ℓₙ − 1 with small odd primes ℓᵢ, guaranteeing that the base curve E₀ : y² = x³ + x is supersingular and that each ℓᵢ splits in the endomorphism ring. The security assumption is that, given a curve E and its image under an unknown class‑group element, it is computationally infeasible (even for a quantum adversary) to recover the acting element.
The system model consists of three parties: an authority (original signer), a gateway (proxy), and numerous resource‑limited sensors. The authority generates a public/secret key pair (PK_A, SK_A) and a delegation token (proxy share) that is securely transmitted to the gateway. The gateway, holding its own key pair (PK_G, SK_G) and the proxy share, can produce proxy signatures on behalf of the authority for data collected by the sensors. Sensors simply forward their measurements to the gateway; they never perform any public‑key operation. The gateway’s proxy signature includes enough information for any verifier to confirm that (i) the signature is valid with respect to the authority’s public key, (ii) the signature was generated by an authorized proxy, and (iii) the delegation was not forged.
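As an added illustration of the group-action signature and the authority/gateway/verifier delegation model described above (example code written for this page, not the paper's or any CSIDH library's code), the following toy Python model stands in CSIDH's class-group action with the action a * E = E^a mod p on a prime-order subgroup, whose inverse problem is a discrete log rather than GAIP, and uses a generic signed-warrant delegation rather than the paper's own CSI-PS equations. The parameters p, q, E0 and the round count are constructed for the demo and carry no real security.

```python
# Toy model of the authority -> gateway -> verifier proxy-signature flow.
# ASSUMPTION: CSIDH's class-group action is replaced by the stand-in action
# a * E = E^a mod p (inverse problem: discrete log, not GAIP), and delegation
# by signed warrant is a generic construction, not the paper's CSI-PS equations.
import hashlib
import secrets

P, Q, E0 = 2039, 1019, 4   # constructed toy params: p = 2q + 1, E0 of order q
T = 32                     # Fiat-Shamir rounds, one challenge bit per round

def act(a, E):             # commutative group action  a * E
    return pow(E, a, P)

def keygen():
    sk = 2 + secrets.randbelow(Q - 2)    # secret acting element in [2, q-1]
    return sk, act(sk, E0)               # public curve E_A = sk * E0

def _challenge(commits, msg):
    h = hashlib.sha256(b"|".join(str(c).encode() for c in commits) + msg).digest()
    return [(h[i // 8] >> (i % 8)) & 1 for i in range(T)]

def sign(sk, msg):
    bs = [2 + secrets.randbelow(Q - 2) for _ in range(T)]
    commits = [act(b, E0) for b in bs]
    bits = _challenge(commits, msg)
    # bit 0: reveal b; bit 1: reveal b * sk^-1 so that r * E_A = b * E0
    resp = [b if c == 0 else b * pow(sk, -1, Q) % Q for b, c in zip(bs, bits)]
    return commits, resp

def verify(pk, msg, sig):
    commits, resp = sig
    bits = _challenge(commits, msg)
    return all(act(r, E0 if c == 0 else pk) == e
               for e, r, c in zip(commits, resp, bits))

def delegate(sk_a, pk_g, policy):
    # authority issues the proxy share: a warrant naming the gateway's key
    warrant = f"proxy={pk_g};{policy}".encode()
    return warrant, sign(sk_a, warrant)

def proxy_sign(sk_g, token, msg):
    warrant, sig_w = token      # gateway signs sensor data under its warrant
    return warrant, sig_w, sign(sk_g, warrant + b"|" + msg)

def proxy_verify(pk_a, pk_g, msg, psig):
    warrant, sig_w, sig_m = psig
    ok_delegation = verify(pk_a, warrant, sig_w)                  # (i), (iii)
    ok_identity = warrant.startswith(f"proxy={pk_g};".encode())   # (ii)
    ok_message = verify(pk_g, warrant + b"|" + msg, sig_m)
    return ok_delegation and ok_identity and ok_message
```

A verifier holding only the two public curves can check all three properties from the summary; a tampered measurement or a warrant re-bound to another gateway fails verification.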
Security is proved in the Random Oracle Model under the EUF‑CMA (Existential Unforgeability under Adaptive Chosen‑Message Attack) notion. The proof proceeds by a sequence of games: (1) replacing the hash function with a random oracle, (2) embedding a GAIP challenge into the public key of the authority, and (3) showing that any successful forgery would yield a solution to GAIP. The authors also argue that the scheme satisfies the standard proxy‑signature properties of verifiability, identifiability, undeniability, and delegation verification.
Efficiency is a central contribution. The authors provide concrete parameter choices, e.g., (n=16, ℓ₁=8, …, ℓₙ=255), resulting in a public‑key size of roughly L₀·⌈log p⌉ bits (≈256 bits) and a secret‑key size of L₀·⌈n·log(2I₀+1)⌉ bits (≈512 bits). A proxy signature occupies 3052 bytes, which includes the public curve representation, the class‑group element encoding, and the hash‑derived challenge. Computationally, the dominant cost is the class‑group action, which consists of a sequence of small‑degree isogeny evaluations. Benchmarks on a Cortex‑M4 microcontroller show that a full proxy‑signature generation takes about 150 ms, while verification takes roughly 80 ms. Communication overhead is modest: the delegation token (proxy share) is about 200 bytes, and each sensor‑to‑gateway transmission carries only the raw measurement data.
The paper includes a comparative analysis with lattice‑based and hash‑based post‑quantum proxy signatures. While lattice schemes often have larger key sizes (kilobytes) and higher computational cost, hash‑based constructions can suffer from stateful signing and large signature sizes. CSI‑PS offers a favorable trade‑off: small keys, moderate signature size, and acceptable runtime on constrained hardware, all while relying on a distinct quantum‑resistant assumption.
Limitations are acknowledged. The GAIP assumption, though widely believed to be hard, has not been as extensively studied as lattice or code‑based problems; future quantum algorithms could affect its security margin. The security proof assumes an ideal random oracle, and concrete instantiations of the hash function may introduce subtleties. Side‑channel resistance is not addressed; isogeny computations involve branching on field operations that could leak information on constrained devices. Moreover, the experimental evaluation is limited to synthetic benchmarks; real‑world deployment would need to consider network latency, packet loss, and integration with existing IoT middleware.
In conclusion, the authors present a well‑structured, theoretically sound, and practically oriented post‑quantum proxy‑signature scheme tailored for IoT. By combining the compactness of supersingular isogeny cryptography with a clear delegation model, CSI‑PS advances the state of the art in quantum‑resistant authentication for large‑scale, resource‑constrained networks. Future work should focus on hardened implementations, side‑channel mitigation, and standardization pathways to bring such schemes into production IoT ecosystems.