Tesia: A trusted efficient service evaluation model in Internet of things based on improved aggregation signature

The service evaluation model is an essential ingredient in service‐oriented Internet of things (IoT) architecture. Generally, traditional models allow each user to submit their comments with respect to IoT services individually. However, these kinds of models are vulnerable to various attacks, such as comment denial attacks and Sybil attacks, which may decrease the comment submission rate. In this article, we propose a new aggregation digital signature scheme to resolve the problem of comment aggregation, which can aggregate different comments into one with high efficiency and security level. Based on the new aggregation digital signature scheme, we further put forward a new service evaluation model named Tesia, which allows specific users to submit their comments as a group in IoT networks. More specifically, they aggregate comments and assign one user as a submitter to submit these comments. In addition, we introduce the synchronization token mechanism into the new service evaluation model to ensure that all users in the group sign their comments one by one, and the last one who receives the token is assigned as the final submitter. Tesia has more acceptable robustness and can greatly improve the comment submission rate with a rather lower submission delay time.

unscrupulous users. A trusted third authority frequently maintains the trust service evaluation system. However, the IoT systems may collude with the trusted third authority and arbitrarily modify unwanted comments. For example, they may delete or modify complaints, which correspond to comment deletion attacks and comment modification attacks, respectively. These attacks can dramatically decrease the comment submission rate and delay the submission time, which paralyzes the whole system. Therefore, the designer of a trust service evaluation system should consider how to resist such attacks so that other users trust that the model works well.
The existing works indicate that it is hard to establish a perfect trust mechanism in service evaluation systems. One important reason is that comments submitted by individuals can be easily manipulated by some IoT systems or the trusted authority. Second, malicious users have incentives to attack the systems to gain some advantage. Therefore, it is essential to propose a new credible and efficient service evaluation model, which allows more users to cooperatively submit comments while resisting most service evaluation attacks from malicious IoT systems and malicious users.
A new service evaluation model named Tesia is proposed in this article. In the new model, users participate in trusted service evaluation in a cooperative manner. Without the need of a trusted third party, the service provider can maintain a credible and efficient service evaluation, which can effectively resist the comment rejection attack and comment modification attack. It improves the success rate (SR) of comment submission while ensuring security, and reduces the delay time (DT) of comment submission. Specifically, the main contributions of this article are as follows.
We propose a new aggregation digital signature scheme to resolve the problem of comment aggregation, which can aggregate different comments into a whole with high efficiency and security level. Furthermore, under the security assumption of the difficulty of the discrete logarithm problem, we have proved the security of the signature scheme in the existential unforgeability against chosen message attacks (EU-CMA) security model.
Tesia is proposed as a new trusted efficient service evaluation model, which allows multiple users to form a team and aggregate their comments as a whole by utilizing the newly proposed aggregation digital signature scheme. Moreover, Tesia introduces a synchronization token mechanism to guarantee sequential signing inside the team and finally assign a submitter.
We analyze the security of Tesia under current service comment attacks, such as linkability attacks, rejection attacks, modification attacks, and Sybil attacks. Tesia performs well in resisting these attacks. Furthermore, we also evaluate the SR and DT by comparing with traditional models without trust mechanisms.
The rest of this article is organized as follows. Section 2 presents the general trusted service evaluation, consisting of the network structure and potential attacks. Section 3 proposes a new model called Tesia, which means a trusted efficient service evaluation model. The building blocks in Tesia include a new aggregation digital signature scheme and a synchronization token mechanism. Then we present the workflow of Tesia based on these building blocks. Finally, we give a security analysis with respect to various attacks. Section 4 compares the comment SR and DT between Tesia and traditional models without considering attacks. Section 5 summarizes this article and discusses future work.

RELATED WORK
Rajan and Hosamani 19 used additional monitors deployed at the untrusted vendor's site, which can ensure the accuracy of the evaluation results. A two-dimensional trust rating aggregation method was put forward by Wang and Li, 20 which enables a small group of trust vectors to indicate a large group of trust ratings. Trust management as a reasoning problem and a faith propagation algorithm were proposed by Aydey and Fekri. 21 26 In sensor networks, the theory that Sybil attacks can impair routing efficiency was put forward by Karlof and Wagner. 27 Many defence mechanisms were put forward by Newsome et al. 28 Wei et al 29 discovered that the presence of a trusted third institution in a social network may ease various attacks such as Sybil attacks. However, they hold that this is not acceptable since it brings extra burdens on users.
Figure 1: The framework of the trusted service evaluation model

Network structure
The network structure of a general trusted service evaluation model is composed of diverse vendors that offer different or similar services to users. For simplicity, a single vendor offering a single service is considered in this article. More specifically, the vendor is equipped with a wireless communication device with sufficient storage space, and each user is equipped with a handheld communication device. We also assume that the transmission range of the equipment is the same for all users, but smaller than the vendor's transmission range.
The framework of the trusted service evaluation model is shown in Figure 1. The key distribution center (KGC) is an infrastructure trusted by each user. Each user $u_j$ ($j = 1, 2, \ldots, n$) has a private unique identity $id_j$. KGC verifies the unique $id_j$ of each user $u_j$. Then KGC generates some pseudonyms $pid_{j;1}$, $pid_{j;2}$, $pid_{j;3}$ ($j = 1, 2, \ldots, n$) for each user $u_j$, each of which corresponds to a private key $psk_{j;*}$.

Potential attacks on the network
There are some service comment attacks on service evaluation models. Four major comment attacks are listed below. One of the main tasks is to resist these attacks.
2. Comment rejection attacks: When a user submits negative comments, the vendor performs a comment rejection attack. In this type of attack, the vendor quietly strikes out negative comments without replying to user submissions. Users will not be able to see these negative comments, and the incompleteness of the comments will mislead users.
3. Comment modification attacks: The vendor initiates a comment modification attack on the locally stored comment collection. The vendor inserts counterfeit comments, or edits or strikes out negative comments in the comment collection. These attacks are designed to undermine the integrity of the comments and influence the users' right service choices.
4. Sybil attacks: A legitimate user performs a Sybil attack by leaving multiple false valid comments to the vendor within one time interval.
Sybil attacks destroy the normal operation of the system through a large number of malicious bad comments or deliberate praises. Sybil attacks can be divided into two categories:
-Sybil attack 1. Malicious users launch this Sybil attack. A registered user leaves diverse comments to the same vendor within one time interval. The comments received by the vendor are fake and negative to it.
-Sybil attack 2. Malicious vendors launch this Sybil attack. A malicious vendor requires one colluding registered user to provide diverse valid comments to itself within one time interval, among which the comments are positive to the service vendor.
The above two Sybil attacks undermine the validity of the trusted service evaluation model by generating false comment messages, which is unfair to users or vendors. The linkability of comments ensures that a comment is associated with the user's true identity. Therefore, the trusted service evaluation model effectively resists Sybil attacks by limiting users to generating one valid comment to the vendor at predefined intervals. If it is detected that any user produces two or more comments with different pseudonyms to the same vendor within one time interval, the real identity of the user will be disclosed. Limiting the number of comments in a time interval does not completely avoid the Sybil attack. Any user can still generate incorrect comments at different time intervals using multiple different pseudonyms, and the model cannot immediately find the user who generated the malicious comment. The trusted service evaluation model can resist most Sybil attacks and ensure the true reliability of the users' comments on the vendors.

TESIA: A NEW TRUSTED SERVICE EVALUATION MODEL
In this section we propose Tesia, a new trusted service evaluation model, comprising a new aggregation digital signature scheme and a synchronization token mechanism. The former is applied to the generation and aggregation process of the vendor's service comments, and the latter is utilized to sequentially sign the comments. Tesia is capable of overcoming the four typical comment attacks defined in Section 3.2. In Tesia, there is no dedicated trusted third party to manage and maintain the comments, and the vendor can independently maintain the comments left by the users.

A new aggregation digital signature scheme
This section proposes an aggregation digital signature scheme, which is described as follows:

Setup
KGC chooses a prime $q$ and the primitive root , and chooses a cryptographic hash function $H_1 : \{0, 1\}^* \to Z_q^*$ to get the system parameters of the digital signature scheme: params = {$q$, , $H_1$}.

Key generation
-User $u_i$ generates a random integer $X_i$ as $u_i$'s private key, where $1 < X_i < q - 1$.
-Calculate Y i = X i mod q as the public key of u i .
-User $u_i$'s private key $X_i$ is kept confidential and the public key $Y_i$ is public.

Signature
-User u i performs the following steps to sign comment content m i , ∀k i Zq * .
-Get signature i =(K i , S i ).

Verification
The verifier verifies the validity of the signature i =(K i , S i ) on the comments m i with Equation (1).
In case Equation (1) holds, the signature i is effective; otherwise, the signature i fails.

Aggregation
Multiple users' comments on the same vendor can be aggregated. Without loss of generality, this article considers three users in the comment submission process. For the same vendor, $u_1$, $u_2$, and $u_3$ and their connections are shown in Figure 2. These users respectively obtained their comments $m_1$, $m_2$, and $m_3$, and the corresponding comment signatures are 1 =($K_1$, $S_1$), 2 =($K_2$, $S_2$), and 3 =($K_3$, $S_3$). The signatures of the three users are aggregated as follows: . Verify the validity of the aggregation signature with Equation (2): In case Equation (2) holds, the aggregation signature is effective; otherwise, the aggregation signature fails.
6. Proof of correctness of the aggregation signature scheme
For a hash query on $m_i$, if $m_i$ is already in the hash list, B responds to this query following the hash list. Otherwise, let $m_i$ be the $i$th new queried message. B randomly chooses $w_i \in Z_q$ and sets otherwise Then, B responds to this query with $H_1(m_i)$ and adds $(m_i, H_1(m_i))$ to the hash list.
Signature Query. In this phase the adversary makes signature queries on message m i . B prepares a signature list to record all signature queries and responses as follows, where the signature list is empty at the beginning.
If m i is the i * th queried message in the hash list, abort. Otherwise, B computes signature m i as follows.
to the hash list. B computes the signature of m i as follows.
which is a valid signature of m i .

Signature Forgery. The adversary returns a forged signature
as the solution to the DL problem instance. This completes the simulation and the solution. Indistinguishable simulation. The correctness of the simulation has been explained above. The randomness of the simulation includes all random numbers in the key generation and the responses to hash queries. They are According to the setting of the simulation, where a, x, y, w i are all randomly chosen, it is easy to see that they are random and independent from the point of view of the adversary. Therefore, the simulation is indistinguishable from the real attack.
Probability of successful simulation and useful attack. If the simulator successfully guesses i * , the queried signature on the message m = m * i is simulatable and the forged signature is reducible because the message chosen for signature query must be different from m * i . Therefore, the probability of successful simulation and useful attack is 1∕q H .
Advantage and time cost. Suppose the adversary breaks the scheme with (t, q H , ) after making q H hash queries. The advantage of solving the DL problem is therefore ∕q H . Let T s denote the time cost of the simulation. We have T s = O(1). B will solve the DL problem with This completes the proof of the theorem.

Synchronization token working mechanism in Tesia
Tesia borrows token technology to synchronize the submission process of comments sequentially. The delivery order of tokens is determined by the token distribution situation, and the submission of comments is implemented by following the steps below (see Figure 2).

Token delivery and confirmation mechanism
Users can submit their comments only when they have a legal token. The user sends a token request message when a comment needs to be submitted. After receiving the request, a nearby user or the vendor who currently holds a token can transmit the token to the requesting user.
Only the first valid token received is accepted by the requesting user, and the user then replies with an ACK message. A token whose forwarding has been confirmed by an ACK reply is not forwarded again, and each token is forwarded to only one user at a time.
Tokens may be lost due to user mobility or malicious discard. The token-pseudonym (TP) list is maintained by the vendor. From the TP list, the vendor can see the comments submitted with each token, find out specifically which token is lost, and trigger new token distribution. If no comment associated with a token is received within the predefined maximum duration, the vendor will consider the token lost. If the token is lost, the vendor will distribute a new token in place of the lost token in order to preserve a constant number of active tokens and ensure the stability of the comment system. Each token forms an independent comment chain.
In order to prevent some users from failing to submit comments due to a lack of tokens, the system should allocate enough tokens to avoid token starvation. The number of comment chains is directly proportional to the vendor's comment modification ability. The more comment chains there are, the lower the credibility of users' comments. To make comments more credible, the vendor should keep the number of tokens as small as possible. However, there should be enough tokens to prevent token starvation; otherwise some users will never get a token and cannot submit their comments.

TP list of synchronization token
The TP list reflects the dynamic delivery process of the token and assists the successful submission of the aggregated comments. The data structure of the TP list is {(token public key, token, user pseudonym, comment signature)}, that is, ($pk_t$, $tok_i$, $pid_{1;*}$, j ). In the TP list, each token is linked to a given pseudonym, which pertains to the single user who most recently submitted a comment using this token. Whenever a vendor receives a new comment, it updates the TP list and periodically broadcasts it to all users within the vendor's transmission range. After publishing the token message, if the vendor deletes any token from the TP list, this behavior will be noticed by the public, because any modification to the list will result in an inconsistency with the previously published message. After using the token, the user with the token will forward it to the randomly selected adjacent user requesting the comment.

Example of token working mechanism
Without loss of generality, this article explains the token structure and the token delivery process taking three users as an example.
Three users $u_1$, $u_2$ and $u_3$ are considered, with $u_1$ neighboring $u_2$, and $u_2$ neighboring $u_3$. These three users respectively obtained the pseudonyms $pid_{1;*}$, $pid_{2;*}$, $pid_{3;*}$ from KGC. The identifier $tok$ represents the initial token. The vendor produces a public/private key pair $(pk_t, sk_t)$ for $tok$ and releases the public key $pk_t$.
The vendor sends the initial token to $u_1$, which is the first user to submit a comment in the comment chain. Then the vendor signs the pseudonym $pid_{1;*}$ and timestamp $T$ of $u_1$ with the token private key $sk_t$, and gets $tok_1 = Sign_{sk_t}(pid_{1;*} \| T_1)$ as the initial version of the token.
As the first user to submit a comment, $u_1$ must submit a comment using the pseudonym $pid_{1;*}$, which is disclosed to it by the vendor. After submitting a comment using $tok_1$ and $pid_{1;*}$, $u_1$ updates $tok_1$ to $tok_2$ and delivers $tok_2$ to $u_2$ as a response to $u_2$'s token request. $tok_2 = (PF_1; Sign_{psk_{1;*}}(pid_{2;*} \| T_2))$, where $PF_1 = (pid_{1;*}, T_1, Sign_{sk_t}(pid_{1;*} \| T_1))$ is the token forwarding proof for $u_1$.
After successful comment submission, the token public key, the current token version, and the corresponding pseudonym of the user who generated the current token version, $(pk_t, tok, pid_{1;*})$, are appended to the current TP list.
Assume that the first token received by $u_2$ is $tok_2$. $u_2$ does the following operations:
-Check the authenticity and validity of the token by verifying the validity of $(pk_t, tok, pid_{1;*})$ and $Sign_{psk_{1;*}}(pid_{2;*} \| T_2)$;
-Check whether the pseudonym of the user who last successfully forwarded the token is $pid_{1;*}$ by viewing the TP list;
-Send an ACK response to $u_1$;
-Generate local comments and submit comments using $tok_2$ and $pid_{2;*}$.
After receiving the token $tok_3$, $u_3$ performs an operation similar to $u_2$ to submit the comment and update the token.
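The token chain from the three-user example above, as an added example (not code from the paper). The signing equations of the paper's scheme are not reproduced on this page, so textbook ElGamal signatures over toy parameters stand in for Sign; the list encoding of the token, the pseudonym-to-public-key table, the extension of the forwarding proof to later hops and all function names are assumptions.

```python
import hashlib
from math import gcd

# Toy parameters (assumption, NOT secure): 127-bit Mersenne prime, base 3.
P = 2**127 - 1
G = 3


def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen(seed: bytes):
    """Private X with 1 < X < P-1, public Y = G^X mod P (seeded for reproducibility)."""
    x = 2 + _h(b"key|" + seed) % (P - 3)
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    """Textbook ElGamal signature (K, S); the nonce k is derived deterministically."""
    ctr = 0
    while True:
        k = 1 + _h(b"nonce|%d|%d|" % (x, ctr) + msg) % (P - 2)
        if gcd(k, P - 1) == 1:  # k must be invertible modulo P-1
            break
        ctr += 1
    K = pow(G, k, P)
    S = (_h(msg) - x * K) * pow(k, -1, P - 1) % (P - 1)
    return K, S


def verify(y: int, msg: bytes, sig) -> bool:
    K, S = sig
    if not (0 < K < P and 0 <= S < P - 1):
        return False
    return pow(G, _h(msg), P) == pow(y, K, P) * pow(K, S, P) % P


def hop_message(pid: str, t: int) -> bytes:
    return f"{pid}||{t}".encode()  # pid || T


def issue_token(sk_t: int, first_pid: str, t: int):
    """Vendor: tok_1 = Sign_sk_t(pid_1 || T_1), kept as the first forwarding proof."""
    return [(first_pid, t, sign(sk_t, hop_message(first_pid, t)))]


def forward_token(token, holder_psk: int, next_pid: str, t: int):
    """Current holder appends Sign_psk(pid_next || T_next) for the next user."""
    return token + [(next_pid, t, sign(holder_psk, hop_message(next_pid, t)))]


def verify_token(token, pk_t: int, pseudonym_keys: dict) -> bool:
    """Hop 1 must verify under pk_t, hop i+1 under the public key of the
    pseudonym named in hop i; timestamps must strictly increase."""
    if not token:
        return False
    signer_pk, last_t = pk_t, None
    for pid, t, sig in token:
        if pid not in pseudonym_keys:
            return False
        if last_t is not None and t <= last_t:
            return False
        if not verify(signer_pk, hop_message(pid, t), sig):
            return False
        signer_pk, last_t = pseudonym_keys[pid], t
    return True


def demo():
    """Constructed three-user run plus three vendor-side manipulations."""
    sk_t, pk_t = keygen(b"token")
    keys = {pid: keygen(pid.encode()) for pid in ("pid1", "pid2", "pid3", "pidM")}
    pubs = {pid: pair[1] for pid, pair in keys.items()}
    tok1 = issue_token(sk_t, "pid1", 100)
    tok2 = forward_token(tok1, keys["pid1"][0], "pid2", 110)
    tok3 = forward_token(tok2, keys["pid2"][0], "pid3", 120)
    # The vendor holds sk_t but not psk_1, so a hop inserted after pid1 can
    # only be signed with the wrong key.
    fake_hop = ("pidM", 105, sign(sk_t, hop_message("pidM", 105)))
    inserted = [tok3[0], fake_hop] + tok3[1:]
    middle_dropped = [tok3[0], tok3[2]]
    return {
        "tok3_valid": verify_token(tok3, pk_t, pubs),
        "inserted_valid": verify_token(inserted, pk_t, pubs),
        "middle_dropped_valid": verify_token(middle_dropped, pk_t, pubs),
        "tail_truncated_valid": verify_token(tok3[:2], pk_t, pubs),
    }


if __name__ == "__main__":
    print(demo())
```

A chain truncated at its tail still verifies on its own, which is why the vendor's broadcast TP list is needed in addition to the forwarding proofs.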

The work flow of Tesia
The generation of the comment does not depend on tokens. The user can flexibly generate local comments. But when users want to submit comments, they must hold a valid token. In the process of submitting a comment, the user aggregates the received comments and its local comments, and submits the aggregated comments to the vendor.

Users' network structure
Suppose the vendor receives $n$ comments. Tesia defines four basic comment structures and gives the vendor's corresponding comment modification capability for each of them.
1. Discrete structure. In this structure, the comments are discretely distributed points, which means each user can submit comments separately and independently. This independence enables the vendor to control the $n$ comments. So the vendor's modification capability is $O(n)$.
Figure 3: User's network structure model
2. Tree-like structure. In this structure, the vendor can delete any single comment corresponding to a leaf node. That is, the vendor's modification capability is $O(\log n)$.
3. Chain structure. The vendor's modification capability in this scenario is $O(1)$.
4. Ring structure. The vendor's modification capability in this scenario is zero.
Obviously, the vendor's modification capability for the above four structures follows the order: Discrete structure > Tree-like structure > Chain structure > Ring structure.
Therefore, with zero modification capability, the ring structure has the best security performance. That is, no modification or deletion of any comments can be performed in the ring structure. Forming a ring structure demands extensive cooperation among users. That is, the first user that submitted a comment must know the pseudonyms of the subsequent users submitting comments. This assumption is not realistic in a service-oriented social network. Therefore, a hybrid structure (ring and chain) is adopted to restrict the vendor's modification capability to no more than $O(1)$ in the service-oriented social network, as shown in Figure 3.

Generation of comments
Based on the comment content j and the comment value cv j ∈ [0, 1] for the vendor v, the user u j , who uses the pseudonym pid j; * , generates a local comment rev j in the current time T j (this time must be greater than all the timestamps embedded in the tok) as follows: 1. Generate a comment message: m j = ( j ||cv j ||v||T j ).
Get the local comment rev j of user u j .

Aggregation of comments
The aggregation of comment has two benefits: 30 effectively resisting the comment attacks and reducing the communication overhead. The user u j locally generates the comment rev j . Based on the local comment rev j and the received aggregation comment REV w , u j generates an aggregation comment REV j (REV j = rev j , if REV w =null) using the aggregation algorithm. Then, u j submits the aggregated comment REV j to the vendor along with the local token. The vendor examines the validity of the REV j and the local token, appends the aggregation comment REV j to the TP list and broadcasts the updated TP list. The specific process of comments aggregation is described as follows: Define three users u 1 , u 2 , and u 3 , who respectively, obtained the pseudonym pid 1; * , pid 2; * , pid 3; * , the local comment generated by u 1 : rev 1 = ⟨pid 1; * , 1 , cv 1 , v, T 1 , 1 ⟩, user u 1 has received the initial token tok 1 from the vendor.
The process of passing tokens between these three users is described in Figure 2. Since u 1 is the first user, REV 1 = rev 1 , u 1 passes REV 1 and token tok 2 to u 2 . After a series of security verification, user u 2 aggregates its local comment rev 2 with REV 1 into REV 2 , as follows: The same as before, u 2 passes REV 2 and token tok 3 to u 3 . After a series of security verification, u 3 aggregates its local comment rev 3 and REV 2 into REV 3 , as follows: In the collaborative submission of comments, the next user who receives REV i also follows the comment aggregation operations above to aggregate the comments, and then complete the collaborative submission of the comments.

Submission of comments
The user $u_j$ submits the aggregation comment $REV_j$ and the token $tok_{j+1}$ to the vendor. After receiving the aggregation comments, the vendor updates and broadcasts the TP list. After a given time interval, user $u_j$ checks which pseudonym is associated with the current token in the TP list.
1. If the current token is related to $pid_{j;*}$, it means that $u_j$ has successfully submitted $REV_j$. Then $u_j$ forwards the token to a nearby user, and the user who receives the token can submit his local comments.
2. If the current $tok$ is still related to $pid_{w;*}$, it means that the submission of $u_j$ has failed. Then $u_j$ resorts to cooperative submission by transmitting the token and $REV_j$ to nearby users requesting tokens.
3. If the current $tok$ is related to another pseudonym $pid_{x;*}$, it means that $u_w$ has sent the token to multiple users including $u_x$ and $u_j$, and $u_x$ has submitted the comment successfully. That is, the submission of $u_j$ has failed. At this point, $u_j$ will attempt to request a new token to complete the submission of the local comment $REV_j$.

Verification of comments
The recipient of the comment (the vendor or the next user) needs to verify that $rev_j$ was indeed generated by user $u_j$ at time $T_j$, not forged by the vendor or any other illegal user. The correctness of the signature j can be assured by the signature scheme in Section 3.1.
The specific verification method is described as follows: If the comment is a separate submission, the recipient of the comment verifies the signature j = (K j , S j ) of the user u j by the following equation.
In case the equation holds, the signature j is effective; otherwise, the signature fails.
If the comment is an aggregation comment, the recipient of the comment verifies the signature j = (K j , S j ) of the user u j by the following equation.
If the equation holds, the signature j of the comment is valid; otherwise, the signature is invalid.
Note that $u_j$ cannot forge a comment of $u_w$ because it cannot get the key for the pseudonym $pid_{w;*}$, and $u_j$ cannot replace the received comment with any other comment because a timestamp prevents the comment from being replayed.
In addition, the token records the forwarding history, so $u_j$ or replaced cannot forward a token without submitting $REV_w$ or $rev_j$. When the vendor later receives a comment submitted by another user, the missing comment can be detected.

Comment linkability attacks
In the comment linkability attacks, if users are allowed to submit unlinked comments to vendors, malicious users may abuse the identity of legitimate users to produce false comments, which can compromise system performance.
The pseudonym $pid_{j;*}$ of $u_j$ and the comment message $m_j$ are associated with the unforgeable comment signature j , and they constitute a triplet ⟨$pid_{j;*}$, $m_j$, j ⟩. Any user who does not have the private key associated with the pseudonym $pid_{j;*}$ cannot forge this triplet. The comment $rev_j$ is valid if and only if the vendor confirms that the triplet is valid.
In addition, when KGC generates the pseudonym $pid_{j;*}$ and the corresponding private key $psk_{j;*}$ for the user $u_j$, KGC confirms the validity of the unique ID of $u_j$ and always keeps an association between $pid_{j;*}$ and $id_j$. Therefore, if a user submits a malicious comment with no linkability, KGC can link the malicious comment to the unique identity of the user who generated it. Thereby, Tesia can effectively resist comment linkability attacks.

Comment rejection attacks
In the comment rejection attacks, the vendor rejects all real but unwelcome comments. During the submission of the comments, user $u_j$ tries to directly submit his comment $rev_j$ to the vendor using $tok_j$ multiple times. If all the trials fail due to the comment rejection attack or communication failure, $u_j$ will pass the local $tok_j$ and $rev_j$ to a nearby user, say $u_k$, for cooperative submission. The user $u_k$ needs to submit $u_j$'s comment $rev_j$ and its own comment $rev_k$ to the same vendor. The user $u_k$ first checks the validity of the received $tok_j$ and $rev_j$. Then he aggregates $rev_j$ and $rev_k$ into the aggregation comment $REV_k$. Finally, he submits the aggregation comment $REV_k$ to the vendor together with $tok_j$ for cooperative submission.
The vendor either accepts $REV_k$ (which contains the previously rejected comment $rev_j$) or refuses it (which also contains the new $rev_k$). As comments are aggregated, the loss incurred by launching the comment rejection attack increases (a large number of useful comments are rejected). If the vendor eventually accepts the entire aggregated comment, it in fact accepts all the comments rejected before. Therefore, cooperative submission and the aggregation of comments can effectively counter comment rejection attacks.

Comment modification attacks
In the comment modification attacks, by inserting false positives, or modifying or deleting existing undesired true comments, the vendor can control its locally stored comments. In this article, digital signature technology is used to guarantee the integrity of the comment content. The comments are linked in the comment chain, and the number of comment chains depends on the number of tokens. Users can submit comments directly or cooperatively.
Cooperative submission allows indirect submission of a comment in the event of failure of direct submission. Since comments are submitted indirectly, the comments submitted by different users are aggregated to form a comment chain.
As shown in Figure 3, users can submit comments directly or indirectly. In Figure 3, the blank nodes indicate users who submitted comments individually. The nodes (eg, $U_1$, $U_2$, $U_3$, $U_4$) inside the dotted circle submit their comments cooperatively, and all the users who submitted the comment form a group according to the cooperation relationship. The dotted arrow represents the delivery process of the token when the group submits the comment in cooperation, and the solid arrow represents the delivery process of the token when the comment is submitted directly.
This article indexes the users in each cluster. The smallest indexed user in the group is called the starting user, and the largest indexed user is called the end user. A smaller index shows that the user gets the token earlier and submits its comments earlier. The larger indexed user can aggregate the formerly failed comments with its own comments and submit the aggregation comments to the vendor. Outside these clusters, the arrowed line indicates the direction in which the token is forwarded.
The following theorems show that the comment modification attack can be resisted.

Theorem 2. If the vendor wants to insert comments into the comment chain, it must compromise the start user.
Proof. Assume that the vendor has cracked the starting user $u_s$ and gained all the signed private keys. Let $u_j$ correspond to the end user $u_v$.
The token forwarding proof list is $(PF_s, \ldots, PF_j, PF_v)$. If inserting a fake comment with the pseudonym $u_m$, then the token must be changed to It is easy to verify the invalidity of the modified token because the end user with the maximum index outputs an unforgeable aggregation signature, which can detect forged comments, thus effectively defeating the comment modification attack. ▪
Even if the vendor has successfully inserted a fake comment, the vendor must insert a false token forwarding certificate into the token, which means that the vendor must compromise the users who have used the token. This contradicts the assumptions of the security model of this article, so comment insertion cannot succeed. This completes the security proof.

Theorem 3. If the vendor wants to delete the subchain of comments from the comment chain, it must compromise the current user and span all users later than the current user.
Proof. A group of aggregation comments is considered as a whole since the vendor cannot separate them, and they can only be retained or deleted altogether. Vendors can only delete comments from given users and must delete all subsequent comments. The comment chain will be destroyed after deleting all subsequent comments. The invalidity of the comment chain can be detected unless subsequent comments are removed. ▪
If the vendor compromises the initiating user (gets the signature keys of all subsequent users), the vendor will be able to strike out any number of consecutive comments from the initial user, even the whole comment cluster. The break of the comment chain can be detected. Under the current security model assumptions, the probability of a vendor compromising all users' keys is negligible.

Sybil attack
In a particular single-vendor and service-oriented social network, KGC verifies the identity of each user u j and generates a series of pseudonyms for it. The series of pseudonyms of the user u j uniquely corresponds to the same identity id j . We limit that different pseudonyms can only submit one valid comment at the same time interval. If the same pseudonym submits multiple comments within the same time interval, KGC will track to and punish the user according to the unique identity id j which corresponds to the pseudonym. This can effectively resist Sybil attacks.
Although this article cannot avoid malicious users who use different pseudonyms to launch Sybil attacks at different time intervals, it can still resist Sybil attacks to a large extent and improve the security of Tesia.
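The check described above, as an added example that is not code from the paper: it flags a pseudonym that submits more than once in a time interval and traces it to the identity held by the KGC. The registry, interval length, function names and submissions are all constructed assumptions.

```python
from collections import defaultdict

INTERVAL = 3600  # assumed length of one time interval, in seconds

# Constructed KGC registry: pseudonym -> real identity (hypothetical names).
PSEUDONYM_TO_ID = {
    "p1a": "id_1", "p1b": "id_1",
    "p2a": "id_2",
    "p3a": "id_3", "p3b": "id_3",
}

# Constructed submissions: (pseudonym, time in seconds).
SUBMISSIONS = [
    ("p1a", 100), ("p2a", 200), ("p1a", 900),   # p1a twice in interval 0
    ("p3a", 3700), ("p2a", 4000),               # interval 1, all distinct
    ("p3b", 7300), ("p2a", 7400), ("p2a", 7500),  # p2a twice in interval 2
]

def check_submissions(submissions, registry, interval=INTERVAL):
    """Keep the first comment per pseudonym per interval; trace repeats.

    Returns (accepted, traced): accepted is a list of (pseudonym, time),
    traced maps an identity to the (pseudonym, interval index) it reused.
    """
    seen = set()
    accepted = []
    traced = defaultdict(list)
    for pseudonym, ts in sorted(submissions, key=lambda s: s[1]):
        if pseudonym not in registry:
            continue  # pseudonym was never issued by the KGC
        slot = ts // interval
        if (pseudonym, slot) in seen:
            traced[registry[pseudonym]].append((pseudonym, slot))
        else:
            seen.add((pseudonym, slot))
            accepted.append((pseudonym, ts))
    return accepted, dict(traced)

def comments_per_identity(accepted, registry):
    """Count accepted comments per real identity (only the KGC can do this)."""
    counts = defaultdict(int)
    for pseudonym, _ in accepted:
        counts[registry[pseudonym]] += 1
    return dict(counts)
```

In the constructed data, id_3 uses two different pseudonyms in two different intervals and is not flagged, which is the residual case the text acknowledges.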

PERFORMANCE EVALUATION
In this section, we analyze the performance and security of Tesia by comparing Tesia with three other traditional evaluation models, that is, the NCP model, bTSE model, and SEER model.
Before the simulation, we first define the following two indexes to measure the performance of the different models.

Comment SR
SR denotes the ratio of the number of successfully submitted comments to the total number of comments generated in the network.

Comment submission SD
SD denotes the average DT between the comment generating time and the comment receiving time.

Simulation setup
Based on the new aggregation digital signature scheme and the cooperation submission policy, Tesia in this article can effectively resist the comment linkability attacks and the comment modification attacks. Furthermore, the new model can effectively mitigate comment rejection attacks.
The comment linkability attacks and comment modification attacks have no effect on the submission process of comments. In our emulation, we examine only the impact of the comment rejection attack on the model performance. The vendor executes the comment rejection attack by refusing all negative comments while accepting all positive comments.
The number of tokens in the analysis is set in [1,10], and each comment value lies in [0,1]. If the comment value is less than 0.5, it is considered negative; otherwise it is positive. When multiple comments are aggregated and submitted together, the vendor accepts all of them if their average value is not less than 0.5; otherwise it rejects them all. In this emulation, 100 authenticated legitimate users are selected to submit comments to the same vendor. For a given token number in [1,10], 50 comment submissions are performed, and the average SR and the average SD are calculated. The curves of the SR and SD values against the number of tokens are analyzed separately for the cases with and without a comment rejection attack. In Tesia, the average delayed submission time for each comment in the submitted aggregated comment is taken as SD. In both models, SD only considers the case where the final submission is successful.
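The vendor's acceptance rule from this setup, as an added example that is not the paper's simulation code: it applies the rule to comments submitted individually and in aggregated groups and counts how many negative comments reach the record. The comment values, group sizes and function names are constructed assumptions; tokens and delay are not modeled.

```python
THRESHOLD = 0.5  # from the setup: a value below 0.5 is a negative comment

# Constructed comment values in [0,1], in submission order.
COMMENTS = [0.9, 0.2, 0.8, 0.7, 0.1, 0.3, 0.6, 0.4, 0.95, 0.45, 0.15, 0.85]

def vendor_accepts(batch):
    """Rejection attack: a batch is accepted only if its average is >= 0.5."""
    return sum(batch) / len(batch) >= THRESHOLD

def submit(comments, group_size):
    """Submit comments in consecutive groups (group_size 1 = individually).

    An aggregated group is accepted or rejected as a whole, so the vendor
    cannot drop single comments out of it. Returns the accepted values.
    """
    accepted = []
    for i in range(0, len(comments), group_size):
        batch = comments[i:i + group_size]
        if vendor_accepts(batch):
            accepted.extend(batch)
    return accepted

def outcome(comments, group_size):
    """Count accepted comments and how many of them are negative."""
    accepted = submit(comments, group_size)
    return {
        "accepted": len(accepted),
        "negative_accepted": sum(1 for c in accepted if c < THRESHOLD),
    }

if __name__ == "__main__":
    for size in (1, 3, 4):
        print(size, outcome(COMMENTS, size))
```

Submitted individually, none of the six negative comments survives; in groups of three or four, some of them are recorded because they travel with an accepted group.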

Under no comment rejection attack
This section analyzes the results of the Tesia model proposed in this article in the case of no comment rejection attack. In an NCP system, since each user submits their comments separately, the SR and SD have no relationship with the number of tokens in the system, that is, the SR and SD are fixed values.
In Tesia, the submission process of comments is limited by the token possession. Moreover, when a user is unable to submit a comment directly, the collaborative comment submission process will be triggered. We then simulate how the number of tokens impacts Tesia performance. Intuitively, when the number of tokens rises, users have more opportunities to submit comments, which improves model performance. In the bTSE model, the submission process of reviews is limited by token possession. Intuitively, when the number of tokens increases, users have more opportunities to submit evaluations, and the overall performance of the bTSE model will be correspondingly improved. a comment when there are more tokens in the network. After a user's comment is submitted to a vendor or forwarded to another user, the user no longer participates in the comment submission process. The participating users' network becomes sparse, and as the network density decreases, the chances of the current users receiving tokens also increase. When all token requirements are met, the SR gradually stabilizes at a fixed value. As shown in Figure 5, under no comment rejection attack, the SD of Tesia is much lower than that of the NCP system, which is approximately doubled.
This is because the comment cooperation submission in Tesia can effectively reduce SD. Figures 4 and 5 show that Tesia has better overall performance than the bTSE model without the comment rejection attack, in which the SR value is increased by 15% to 20%, and the SD value is reduced by about 30%. Tesia is more stable than the SEER model because Tesia cooperates with users to submit aggregated comments in a special network structure, whereas the SEER model submits and evaluates in a distributed manner in the form of integrated chains, which does not guarantee the performance and stability of the entire model.

Simulation results under comment rejection attack
In the case of the comment rejection attack, Figures 6 and 7 indicate the performance contrast of Tesia and the NCP system. It can be observed from the experimental data that the SR of the NCP system drops by about 15% when there is a comment rejection attack. This is because the NCP system is not equipped with any security mechanism to resist the comment rejection attack, and it will definitely cause a decrease in SR under the refusal of comments. Since users in the NCP system submitted their comments directly and only the DT of successfully submitted comments was calculated, the SD of the NCP system did not show any significant changes. Tesia's SR is higher than that of the NCP system, which is approximately twice as large as the NCP system. Under the comment rejection attack, the SR of the bTSE model decreased by about 20%, and the SD value increased by 20% to 25%. Because the security mechanism of the bTSE model is not enough to resist the comment rejection attack, the loss of comments during the comment submission process will cause the SR to decrease.
rejection attack. The SR still fluctuated greatly with the increase of the number of tokens. The SD increased irregularly with the increase of the number of tokens.
Comparing Figures 4 and 6, it can be seen that the SR of Tesia has dropped only about 10% due to the comment rejection attack. This result is thanks to the cooperation submission and comment aggregation mechanisms. In the NCP system, without any security policy, the SR has dropped about 30% due to the comment rejection attack. Comparing Figures 5 and 7, and only considering successful comment submission, the SD of Tesia is almost unchanged. Tesia's SR is higher than that of the NCP system, which is approximately twice as large as the NCP system.
Tesia has a higher SR than the bTSE model, which is about 33% better than the bTSE model. Tesia's SD is approximately 55% lower than the bTSE model. At the same time, Tesia has a more stable and higher SR than the SEER model, which is about 41% higher than the bTSE model. Tesia's SD is reduced by about 60% compared with the bTSE model. The above emulation results show that Tesia can maintain good performance under the comment rejection attack.

Cost analysis
In this section, the security and efficiency of Tesia and the NCP model, bTSE model, and SEER model are compared and analyzed. The attack analysis compares their ability to resist the linkability attack, the rejection attack, the modification attack, and the Sybil attack proposed in Section 3.2. The analysis results are shown in Table 1. The efficiency analysis compares the performance of the four trusted service evaluation models in terms of communication overhead.
The communication overhead can be obtained from the average comment submission SD value in the simulation experiment. The SD value can represent the communication overhead of the entire model. The optimal SD values of these four models without evaluation attacks are as shown in Table 2.
From Table 2, we can see that the optimal SD cost of Tesia is significantly lower than the other three models in the case of no comment attack.
In the computation overhead analysis of the model, we do not count the comment content and the size of the public string, because their size is negligible compared with the signature. Since each user in the NCP model submits their evaluation independently, there is no synchronization token mechanism or digital signature to ensure the credibility of the evaluation, so we carry out the analysis only on the other three models. The computation cost of the model is reflected by the following four indicators: the size of signature on one token (S-one token), the size of signature on one comment (S-one comment), the size of n-aggregated signatures on tokens (S-n token), the size of k-aggregated signatures on comments (S-n comment). Here |G| represents a bilinear mapping; $Z_p^*$ represents a multiplication operation on $Z_p^*$; H represents a hash operation. The computational overhead of a |G| bilinear mapping is about 10 times that of a multiplication on $Z_p^*$, and the computational overhead of the H hash operation is negligible. From Table 3, the computation cost of Tesia based on the multiplication operations is significantly lower than the other two models using bilinear mapping. The computation cost of SEER will linearly increase with the number of comments and lead to low efficiency of the model. Therefore, Tesia's computation overhead is better than the other two models.

CONCLUSIONS
This article proposes a new aggregation digital signature scheme, and then designs a trusted effective service evaluation model named Tesia. In Tesia, users submit comments in a distributed manner in the form of a chain, which improves the comment SR and reduces the comment DT. By ensuring the integrity of the comments, the ability of IoT systems to arbitrarily modify comments is reduced, and the security of the user's comments is guaranteed. Security analysis shows that the trusted efficient service evaluation model can effectively resist the current mainstream service comment attacks without relying on any trusted third party. The experimental results show that in the case of comment rejection, Tesia is significantly better than the NCP comment system in terms of the SR and DT of comments. However, the mechanism in this article focuses only on the centralized architecture, and how to apply this mechanism to a distributed architecture is the key point of our future work.