A short certificateless aggregate signature against coalition attacks

Xiaodong Yang; Jinli Wang; Tingchun Ma; Yutong Li; Caifen Wang

doi:10.1371/journal.pone.0205453

Abstract

Certificateless aggregate signature (CLAS) is a crucial cryptosystem. It can not only compress multiple signatures into a short signature, but also ensure the validity of each signature participating in the aggregation by verifying the validity of an resulting aggregate signature. Therefore, a secure and efficient CLAS scheme is very useful for resource-constrained environments because it greatly reduces the overall length of the signature and the verifier’s computational overhead. Cheng et al. presented an efficient CLAS scheme and proved its security in the random oracle model. However, we find that their scheme has security flaws. In this paper, we demonstrate that Cheng et al.’s CLAS scheme is vulnerable to coalition attacks from internal signers. To overcome these attacks, we present an improved CLAS scheme and prove that it is existentially unforgeable under the computational Diffie-Hellman assumption. In addition, our CLAS scheme can not only resist coalition attacks but also generate a very short aggregate signature. The performance analysis results show that our improved CLAS scheme is lower than the related CLAS schemes in terms of communication overhead and computation cost.

Citation: Yang X, Wang J, Ma T, Li Y, Wang C (2018) A short certificateless aggregate signature against coalition attacks. PLoS ONE 13(12): e0205453. https://doi.org/10.1371/journal.pone.0205453

Editor: Hua Wang, Victoria University, AUSTRALIA

Received: June 19, 2018; Accepted: September 24, 2018; Published: December 12, 2018

Copyright: © 2018 Yang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper and its Supporting Information files (data.xlsx).

Funding: This work was partially supported by the National Natural Science Foundation of China (No. 61662069, www.nsfc.gov.cn), China Postdoctoral Science Foundation (No. 2017M610817, jj.chinapostdoctor.org.cn), Science and Technology Project of Lanzhou City of China (No. 2013-4-22, kjj.lanzhou.gov.cn) and Foundation for Excellent Young Teachers by Northwest Normal University (No. NWNU-LKQN-14-7, www.nwnu.edu.cn). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript. We also declare that all the funds or support sources are received during the study.

Competing interests: The authors have declared that no competing interests exist.

1 Introduction

Digital signature is one of the major cryptosystems in modern cryptography, which can authenticate the user’s identity, protect the integrity of the data and achieve the non-repudiation of the user’s behavior. Hence, digital signature is one of the important security technologies in open network environments [1–3], which can ensure data security and identity authentication in new network forms and services [4–6]. In a digital signature scheme, the user uses his/her private key to sign the message, while the corresponding public key is used to verify the legality of the signature generated by the user. However, in a traditional public key cryptosystem, the user’s public key is a random string that cannot be associated with the user’s identity. To authenticate the authenticity of the user’s public key, the user’s identity and public key are usually bound by a public key certificate issued by a certificate authority [7–9]. That is, the validity of the user’s public key is determined by the legitimacy of the corresponding certificate. Unfortunately, the storage and management of numerous public key certificates require huge computational and storage overheads when deployed in the real world, which greatly increases the burden of the system.

To eliminate the problem of certificate management in public key cryptosystems, the concept of identity-based cryptography was proposed by Shamir [10]. In an identity-based signature (IBS) scheme, each user selects a unique identity as his/her public key, such as email address, telephone number, etc., and the user’s private key is computed by a trusted private key generator (PKG). Because the user’s public key is a public identity information, it does not need a certificate to verify the validity of the user’s public key. So, the identity-based signature scheme implements the binding of the public key and the entity identity in another way, and greatly simplifies key management. Boneh and Franklin [11] used bilinear pairing to design the first practical identity-based encryption scheme. Later, many efficient IBS schemes have also been presented [12–14]. However, the PKG can generate each user’s private key, which makes the PKG impersonate the user to sign arbitrary message without being discovered. Hence, key escrow is the main security flaw in identity-based cryptography.

Al-Riyami and Paterson [15] introduced the notion of certificateless signature (CLS) to solve the inherent key escrow problem in identity-based cryptosystems. In a CLS scheme, the user’s private key is composed of the secret value and the partial private key. The secret value is selected by the user himself, and the partial private key is generated by a third party called key generation center (KGC). Since the KGC does not know the secret value of the user, PKG cannot obtain the user’s full private key. In this way, the security threats posed by key escrow are resolved. In addition, the user’s public key is derived from the secret value but no longer requires a certificate for authentication. That is, the CLS scheme can basically solve the problems of both the traditional signature scheme and the IBS scheme. Therefore, CLS has become one of the most important research hotspots in public key cryptography. The first CLS scheme was designed by Al-Riyami and Paterson [15], but Huang et al. [16] found that their scheme [15] was insecure under public key replacement attacks. Subsequently, several efforts have been made to construct more secure CLS schemes [17–21].

Certificateless aggregate signature (CLAS) has the advantages of CLS and aggregate signature, which has attracted great attention from researchers. CLAS can compress n individual signatures of n different messages into a short signature. The verifier only needs to verify the final aggregate signature to determine whether n individual signatures involved in the aggregation are valid. As a result, CLAS not only reduces the signature length and the verifier’s computation costs, but also enhances the security of aggregate signature. CLAS is a very useful technique for reducing communication bandwidth and storage overhead, and it is very suitable for environments with limited computing resources and high-efficiency requirements, such as vehicular ad-hoc networks [22–24], wireless sensor networks [25, 26], the Internet of things [27], and so on [28, 29].

In recent years, researchers have proposed many CLAS schemes [30–32]. Yum and Lee [33] presented a CLAS scheme in the random oracle model. However, Hu et al. [34] found that their CLAS scheme [33] was unable to resist public key replacement attacks. Chen et al. [35] presented another CLAS scheme, but was vulnerable to public key replacement attacks and honest-but-curious KGC attacks [36, 37]. Deng et al. [38] constructed an efficient CLAS scheme and demonstrated its security, but Kumar and Sharma [39] showed that this scheme [38] could not provide unforgeability. Zhang et al. [40] also proposed an efficient CLAS scheme and proved its security in the random oracle model. However, Shim [41] pointed out that their CLAS scheme could not resist collusion attacks from internal users and KGC. Xiong et al. [42] designed a CLS scheme with lower signature verification overhead and further constructed a CLAS scheme with higher performance. However, Zhang et al. [43] pointed out that the CLS and CLAS schemes of Xiong et al. [42] could not withstand attacks from a malicious-but-passive KGC. In addition, Cheng et al. [44] and He et al. [45] noted that the CLS and CLAS schemes of Xiong et al. [42] were also insecure against honest-but-curious KGC attacks, respectively. An improved CLAS scheme was proposed by He et al. [45], but Li et al. [46] demonstrated that this modified scheme was still insecure under malicious-but-passive KGC attacks. Cheng et al. [44] also designed an improved version of Xiong et al.’s CLAS scheme, which was proved to be existentially unforgeable in the random oracle model. Unfortunately, we find that Cheng et al.’s CLAS scheme [44] is also insecure against coalition attacks from the collusion of insider signers. That is, the signers generate multiple invalid individual signatures, but the resulting aggregate signature is valid.

To the best of our knowledge, it is still open and challenging to design a secure and efficient CLAS scheme. In this paper, we focus on this issue, providing a new method for addressing it. We first present a coalition attack of insider signers to show the security flaws of Cheng et al.’s CLAS scheme [44]. Such attacks indicate that the validity of an aggregate signature does not guarantee the legitimacy of each individual signatures participating in the aggregation. However, this result has violated the security objectives of the CLAS scheme. To withstand this kind of practical and powerful attack, we further propose an improved CLAS scheme on the basis of Wang et al.’s CLS scheme [47]. In the random oracle model, we prove that the improved CLAS scheme satisfies existential unforgeability under the computational Diffie-Hellman (CDH) assumption. We also demonstrate that our CLAS scheme is secure against coalition attacks. In our CLAS scheme, an aggregate signature is only a group element, so the length of an aggregate signature is independent of the number of signers involved in the aggregation. Additionally, the analysis results indicate that the improved CLAS scheme has lower computational overhead and communication costs.

The remainder of this paper is organized as follows. Section 2 introduces some preliminaries. Section 3 reviews Cheng et al.’s CLAS scheme [44] and gives the corresponding cryptanalysis. Our improved CLAS scheme is presented in Section 4. Section 5 gives the conclusions.

2 Preliminaries

The following are some preliminaries related to this paper, including the security notions of CLAS, bilinear paring and complexity assumption.

2.1 Formal security model of CLAS

A CLAS scheme mainly includes three entities: KGC, n users and an aggregator, as formally defined in the following seven algorithms [32–34].

Setup(λ) → (pp, msk): Given a security parameter λ, the KGC executes this algorithm to produce the master secret key msk and public parameters pp.
PartialKeyGen(pp, msk, ID_i) → psk_i: Upon input of pp, msk and a user ’s identity ID_i, the KGC executes this algorithm to produce a partial private key psk_i for .
UserKeyGen(pp, ID_i) → (usk_i, pk_i): Upon input of pp and ID_i, the user creates its secret value usk_i and public key pk_i. Note that the private key of is sk_i = (usk_i, psk_i).
Sign(pp, sk_i, m_i) → σ_i: Upon input of pp, sk_i and message m_i, the user generates an individual signature σ_i on m_i.
Verify(pp, ID_i, pk_i, m_i, σ_i) → {0, 1}: Upon input of pp, ID_i, pk_i and a signature σ_i on a message m_i, this algorithm outputs 1 if σ_i is valid; else, it outputs 0.
Aggregate : Upon input of n message/signature pairs (m_i, σ_i) from n users (i = 1, …, n), the aggregator runs this algorithm to generate an aggregate signature σ on {m₁, …, m_n}.
AggVerify : Given pp and an aggregate signature σ of n messages {m₁, …, m_n} on {ID₁, …, ID_n} and {pk₁, …, pk_n}, this algorithm outputs 1 if σ is valid; else, it outputs 0.

The security model of a CLAS scheme mainly considers two types of attackers [42, 44, 48], named Type I adversary and Type II adversary .

represents a dishonest user (i.e., an external attacker). can know the secret value of each user and replace any user’s public key, but does not know the master secret key msk.
represents a malicious KGC. A honest-but-curious KGC knows msk and generates the user’s private key, but is unable to perform public key replacement. In addition to having the ability of a honest-but-curious KGC, a malicious-but-passive KGC is also allowed to embed trapdoors in msk and public parameters pp during the system initialization phase.

The following uses two security games between an attacker and a challenger to define the unforgeability of a CLAS scheme.

Game 1: The first game is played by and .

Initialization: sends public parameters pp generated by the algorithm Setup(λ) to , and then secretly stores the master secret key msk.
Partial-private-key-query: If asks for a partial private key of an identity ID_i, then executes the algorithm PartialKeyGen(pp, msk, ID_i) to produce psk_i and returns it to .
Public-key-query: If requests a public key of ID_i, then performs the algorithm UserKeyGen(pp, ID_i) to produce pk_i and returns it to .
Secret-value-query: If receives an identity ID_i sent by , then responds to with a secret value usk_i output by the algorithm UserKeyGen(pp, ID_i).
Public-key-replacement-query: If receives ID_i and sent by , then the public key of ID_i is replaced by .
Sign-query: When asks for a signature of a message m_i and an identity ID_i, runs the algorithm Sign(pp, sk_i, m_i) to produce an individual signature σ_i of m_i and sends it to .
Forgery: finally produces a forgery , where at least one of n identities is the identity ID* of the target user. Assumed that the t-th signer’s identity and that is an individual signature of on message , where t ∈ {1, …, n}. If the following three conditions are satisfied, then wins the game.
1. Partial-private-key-query has never received an inquiry about .
2. Sign-query has never received an inquiry about .
3. σ* is a valid aggregate signature of on messages .

Game 2: The second game is played by and . We consider that the second type of attacker is a malicious-but-passive KGC, which is a strengthened security model.

Initialization: sends the master secret key msk and public parameters pp generated by the algorithm Setup(λ) to .
Queries: In addition to Partial-private-key-query and Public-key-replacement-query, may initiate other queries defined in Game 1.
Forgery: finally produces a forgery . Assume that the target user’s identity and that is an individual signature of (ID*, pk*) on message , where t ∈ {1, …, n}. If the following three conditions are satisfied, then wins the game.
1. Secret-value-query has never received an inquiry about .
2. Sign-query has never received an inquiry about .
3. σ* is a valid aggregate signature of on messages .

Definition 1. If there is no polynomial-time attacker who can win in the above two games with a non-negligible probability, then a CLAS scheme is said to be existentially unforgeable under adaptive chosen-message attacks [42, 44, 48].

2.2 Bilinear pairing and complexity assumption

Assume that p is a prime number, G₁ and G₂ are two cyclic groups with order p, and g is a generator of G₁. If a map e: G₁ × G₁ → G₂ satisfies the following conditions, then e is called a bilinear pairing [43]:

Bilinearity: For all γ₁, γ₂ ∈ Z_p, .
Non-degeneracy:e(g, g) is not an identity element in G₂. That is, .
Computability: For any γ₁, γ₂ ∈ Z_p, an algorithm for efficiently calculating exists.

Given three elements , the CDH problem is to calculate g^ab ∈ G₁, where the unknown values a and b are randomly chosen from .

Definition 2 (CDH assumption). If the probability of any polynomial-time attacker to solve the CDH problem is negligible, then the CDH problem is called intractable [47, 49].

3 Cryptanalysis of Cheng et al.’s CLAS scheme

3.1 Review of Cheng et al.’s CLAS scheme

To overcome the security flaws in Xiong et al.’s CLAS scheme [42], Cheng et al. [44] presented an improved CLAS scheme that is described as follows.

Setup: Given a security parameter λ, the KGC selects two multiplicative cyclic groups G₁ and G₂ with prime order p, a bit string Q of length l, a generator g in G₁ and a bilinear pairing e: G₁ × G₁ → G₂. Then, the KGC randomly selects and computes P_pub = g^s. The KGC also picks three hash functions H₀: {0, 1}^l → G₁, H₁: {0, 1}* → G₁ and . Finally, the KGC secretly stores the master secret key msk = s and publishes public parameters pp = {G₁, G₂, p, g, e, Q, P_pub, H₀, H₁, H₂}.
PartialKeyGen: After receiving an identity ID_i submitted by a user , the KGC computes psk_i = H₁(ID_i)^s and sends ID_i’s partial private key psk_i to through a secure channel.
UserKeyGen: The user with identity ID_i randomly selects and computes public key . Then, sets its secret value usk_i = x_i and private key sk_i = (usk_i, psk_i) = (x_i, H₁(ID_i)^s).
Sign: For a message m_i, the signer selects a random value and computes , h_i = H₂(m_i, ID_i, pk_i, R_i) and . Then, outputs σ_i = (R_i, V_i) as an individual signature of m_i.
Verify: Given ID_i, pk_i and an individual signature σ_i = (R_i, V_i) on message m_i, a verifier computes H₀(Q), H₁(ID_i) and h_i = H₂(m_i, ID_i, pk_i, R_i) and then verifies the following equation: If this equation holds, output 1; otherwise, output 0.
Aggregate: After receiving the message-signature pair (m_i, σ_i = (R_i, V_i)) from user for i = 1, …, n, the aggregator calculates and outputs an aggregate signature σ = (R₁, …, R_n, V).
AggVerify: Given n identities {ID₁, …, ID_n}, n public keys {pk₁, …, pk_n}, n messages {m₁, …, m_n} and an aggregate signature σ = (R₁, …, R_n, V), a verifier first computes H₀(Q), H₁(ID_i) and h_i = H₂(m_i, ID_i, pk_i, R_i) for i = 1, …, n. Then, the verifier verifies the following equation: If this equation holds, output 1; otherwise, output 0.

3.2 Attack on Cheng et al.’s CLAS scheme

In the random oracle model, Cheng et al.’s CLAS scheme [44] was proved to satisfy the security requirement of existential unforgeability. Unfortunately, in this subsection, we demonstrate that Cheng et al.’s CLAS scheme [44] cannot resist coalition attacks from internal signers. Without loss of generality, suppose that {ID₁, pk₁} and {ID₂, pk₂} are the identity/public key pairs of the signers , respectively. As a result, we show that cooperates with to generate invalid individual signature σ_i on message m_i for i = 1, 2, whereas the resulting aggregate signature σ on {m₁, m₂} is valid.

randomly selects and computes and . Then, sends to .
randomly selects and computes and . Then, sends to .
computes and sets as a signature on m₁.
computes and sets as a signature on m₂.
cooperates with to produce an aggregate signature on messages {m₁, m₂}, where .

Clearly, are invalid individual signatures of on {m₁, m₂}, respectively. However, the forged aggregate signature is valid since

Therefore, dishonest signers can jointly forge a valid aggregate signature for arbitrary messages. This shows that even if some individual signatures participating in the aggregation are invalid, the resulting aggregate signature is also valid. That is, the validity of every individual signature involved in the aggregation cannot be guaranteed by the legitimacy of the corresponding aggregate signature. So, Cheng et al.’s CLAS scheme [44] is insecure under coalition attacks.

4 Our improved CLAS scheme

In Cheng et al.’s CLAS scheme [44], dishonest signers can use some invalid individual signatures to jointly generate a valid aggregate signature. However, the main reason for the success of such attacks is due to the fact that signers can exchange their individual signature values with each other during the generation of an aggregate signature.

4.1 Construction

In this subsection, we design an enhanced CLAS scheme for preventing the above coalition attack. The following is the description of our CLAS schem.

Setup: The KGC selects two groups G₁ and G₂, which have the same prime order p. The KGC randomly selects a generator g in G₁ and a bilinear pairing e: G₁ × G₁ → G₂. The KGC picks hash functions H: {0, 1}* → {0, 1}^l and H₁, H₃: {0,1}* → G₁. The KCG also chooses a random value and calculates P_pub = g^s. Finally, the KGC publishes public parameters pp = {G₁, G₂, p, g, e, P_pub, H, H₁, H₃} and secretly stores the master secret key msk = s.
The algorithms PartialKeyGen and UserKeyGen are the same as those in the CLAS scheme of Cheng et al.
Sign: For a message m_i, the user uses its secret value usk_i = x_i and partial private key psk_i = H₁(ID_i)^s to calculate V_i = H₃(m_i, ID_i, pk_i) and Then, outputs σ_i as an individual signature of m_i.
Verify: Given ID_i, pk_i and an individual signature σ_i on message m_i, a verifier computes H₁(ID_i) and V_i = H₃(m_i, ID_i, pk_i), and then checks the following equation: If it holds, accept σ_i and output 1; else, reject σ_i and output 0.
Aggregate: Given the message-signature pair (m_i, σ_i) from user for i = 1, …, n, the aggregator calculates and outputs an aggregate signature σ on {m₁, …, m_n}.
AggVerify: Given n identities {ID₁, …, ID_n}, n public keys {pk₁, …, pk_n}, n messages {m₁, …, m_n} and an aggregate signature σ, a verifier computes H₁(ID_i) and V_i = H₃(m_i, ID_i, pk_i) for i = 1, …, n. Then, the verifier checks the following equation: If the above equation holds, accept σ as a valid aggregate signature and output 1; else, reject it and output 0.

4.2 Correctness

The correctness of verifying an individual signature σ_i on message m_i is given below:

The correctness of verifying an aggregate signature σ on messages {m₁, …, m_n} is given below:

From the above analysis, we can see that our CLAS scheme is correct.

4.3 Security analysis

We prove that the improved CLAS scheme is existentially unforgeable under Type I and Type II adversaries. Also, we demonstrate that our CLAS scheme can withstand coalition attacks.

Theorem 1. If the security of our CLAS scheme is broken by a polynomial-time Type I adversary , then the CDH problem can be solved.

Proof. Suppose that forges a valid aggregate signature with probability ε₁ after making at most q_i random oracle queries to H_i(i = 1, 3), q_psk partial private key queries, q_pk public key queries, q_rep public key replacement queries, q_usk secret value queries and q_s signing queries, then we can construct an algorithm to solve the CDH problem. After receiving a random CDH instance , will utilize ’s forgery to calculate the CDH value g^ab.

Initialization: sets P_pub = g^a and runs the algorithm Setup(λ) to produce other parameters. Then, sends public parameters pp to . Note that the master secret key msk = a is unknown to . Moreover, controls two random oracles to simulate hash functions H₁ and H₃. To simplify the description, it is assumed that has performed related hash queries before making other inquiries. To avoid collisions and consistently respond to all kinds of queries initiated by , maintains a list and two other lists that are all initially empty. picks a random integer d ∈ [1, q₁] and responds to all queries initiated by in the following way.
H₁ queries: Upon receiving the i-th H₁ inquiry about an identity ID_i, first checks whether an entry for ID_i exists in . If yes, sends the corresponding value H₁(ID_i) to . Otherwise, randomly selects and sets If i ≠ d, adds (ID_i, y_i, H₁(ID_i)) to ; otherwise, sets the target user’s identity ID* = ID_d and y* = y_d, and then adds (ID*, y*, H₁(ID*)) to . Finally, sends H₁(ID_i) to .
H₃ queries: issues an H₃ query for (m_i, ID_i, pk_i). If it is found in , then sends the corresponding value V_i to . Otherwise, randomly selects and sets . Next, sends V_i to and adds (m_i, ID_i, pk_i, z_i, V_i) to .
Partial-private-key-query: After receiving an identity ID_i submitted by , considers the following two cases.
- If ID_i = ID*, terminates the game.
- If ID_i ≠ ID*, checks whether contains an entry for ID_i.
  1. If it exists, sends psk_i to .
  2. Else, finds the tuple (ID_i, y_i, H₁(ID_i)) in and returns a partial private key to . Then, adds (ID_i, psk_i, ⊥, ⊥) to .
Public-key-query: On receiving an identity ID_i, checks if an entry for ID_i exists in , where pk_i ≠ ⊥. If yes, sends pk_i to . Otherwise, randomly selects and sets usk_i = x_i and . If ID_i = ID*, sets the target user’s public key pk* = pk_i and secret value usk* = usk_i. Then, adds the corresponding tuple to and returns a public key pk_i to .
Secret-value-query: If issues a query for an identity ID_i, first initiates a public key query about ID_i and then returns the corresponding secret value usk_i to .
Public-key-replacement-query: If submits an identity ID_i and a public key , first checks whether there is an entry for ID_i in . If yes, replaces ID_i’s public key with ; otherwise, sets ID_i’s public key to and then adds a new tuple (ID_i, ⊥, ⊥, pk_i) in .
Sign-query: asks a signature query on its selected identity ID_i and message m_i. If ID_i = ID*, terminates the game. Else, searches the lists and to find the corresponding tuples (psk_i, usk_i, pk_i) and V_i = H₃(m_i, ID_i, pk_i), respectively. Then, returns to as a signature on m_i.
Forgery: eventually produces a valid forgery . Suppose that the individual signature is not returned by Sign-query on the target identity and message , where t ∈ {1, …, n}. If or is not found in , aborts. Else, finds (usk* = x*, pk*) corresponding to in . Then, obtains the tuples (ID*, y*, H₁(ID*)) and from and , respectively. Since is valid, the following equation must hold: From the above equation, calculates g^ab as Hence, solves the CDH problem.

Next, we analyze the successful probability that can solve the CDH problem instance. If the following events occur, will not quit during the entire simulation game.

During the simulation of Partial-private-key-query, each identity ID_i queried by is not equal to ID*. The probability is at least .
During the simulation of Sign-query, each identity ID_i queried by is not equal to ID*. The probability is at least .
In the forgery phase, at least one of n identities is the target user’s identity ID*. The probability of , where t ∈ {1, …, n}, is at least .
V* can be found in . The probability is at least .

Hence, the overall success probability of solving the CDH problem is

Theorem 2. If the security of our CLAS scheme is broken by a polynomial-time Type II adversary , then the CDH problem can be solved.

Proof. Let be a malicious-but-passive KGC. Suppose that forges a valid aggregate signature with probability ε₂ after making at most q_i random oracle queries to H_i(i = 1, 3), q_pk public key queries, q_s signing queries and q_usk secret value queries, then there exists a solver that invokes to violate the CDH assumption. Given a CDH instance , the goal of is to calculate g^ab by interacting with .

Initialization: picks a random value as the master secret key msk and calculates P_pub = g^s. Then, runs Setup(λ) to produce other parameters and sends (pp, msk) to . After that, picks a random integer d ∈ [1, q₃] and maintains three initially empty lists , and .
H₁ queries: Upon receiving an H₁ query on an identity ID_i, returns the corresponding value H₁(ID_i) to if contains an entry for ID_i. Otherwise, selects at random and sets . Then, sends to and adds (ID_i, y_i, H₁(ID_i)) to .
H₃ queries: Upon receiving the i-th H₃ query on (m_i, ID_i, pk_i), sends the corresponding V_i to if an entry for (m_i, ID_i, pk_i) exists in . Otherwise, selects a random value and sets If i ≠ d, adds (m_i, ID_i, pk_i, z_i, V_i) to ; otherwise, sets the target user’s identity ID* = ID_i and pk* = pk_i and then adds (m_i, ID*, pk*, z_i, V_i) to . Finally, sends V_i to .
Public-key-query: asks a public key query for ID_i and if it is found in , then returns pk_i to . Otherwise, selects a random value and sets If ID_i ≠ ID*, sets usk_i = x_i and adds (ID_i, x_i, pk_i) to . Otherwise, sets the public key pk* = pk_i of the target user, and adds (ID*, ⊥, pk*) to . Finally, returns pk_i to . Note that the target user’s secret value usk* = a, while a is unknown to .
Secret-value-query: On receiving the query on ID_i, aborts if ID_i = ID*; otherwise, first initiates a public key query about ID_i and then returns the corresponding secret value usk_i to .
Sign-query: Upon receiving an identity ID_i and a message m_i, proceeds as follows:
- If ID_i = ID*, aborts.
- Else, searches the lists and to find (ID_i, x_i, pk_i) and (ID_i, y_i, H₁(ID_i)), respectively. Next, makes an H₃ query on (m_i, ID_i, pk_i) to obtain V_i = H₃(m_i, ID_i, pk_i). Finally, computes and returns a signature σ_i on m_i to .
Forgery: eventually produces a valid forgery . Suppose that the individual signature is not returned by Sign-query on identity and message , where t ∈ {1, …, n}. If or is not found in , aborts. Otherwise, looks up the lists and to obtain the tuples (ID*, y*, H₁(ID*)) and , respectively. Since is valid, the following equation must hold: Thus, can use the master key msk = s to calculate the CDH value

Here, we also analyse the probability of using ’s forgery to successfully solve the CDH instance. completes the entire simulation if the following events occur.

ID* has never appeared during secret value queries. The probability is at least .
ID* has never appeared during signing queries. The probability is at least .
In the forgery phase, at least one of n identities is the target user’s identity ID*. The probability of , where t ∈ {1, …, n}, is at least .
V* can be found in . The probability is at least .

Therefore, the overall success probability of solving the CDH problem is

Since the CDH problem is intractable, the success probability of or attacking our CLAS scheme is negligible. According to Theorem 1 and Theorem 2, the following theorem is easily obtained.

Theorem 3. If the CDH assumption holds, then our improved CLAS scheme satisfies existential unforgeability in the random oracle model.

Theorem 4. Our CLAS scheme is secure under coalition attacks.

Proof. If an aggregate signature σ is valid, then the following equation must hold:

Since the hash function H satisfies collision resistance, we conclude that It shows that each individual signature σ_i participating in the aggregation is valid.

Meanwhile, if every individual signature σ_i is valid, the following equations hold: Hence, we have This shows that the resulting aggregate signature σ generated by σ_i(i = 1, …, n) is also valid.

The above analysis indicates that if the internal signers exchange each other’s individual signature value during aggregate signature generation, the collision resistance of H ensures that the final aggregate signature could not pass the signature verification equation. In other words, an aggregate signature is valid in our CLAS scheme if and only if each individual signature used to generate the aggregate signature is also valid. Hence, our CLAS scheme can resist coalition attacks.

4.4 Performance analysis

We compare our CLAS scheme with other similar schemes [27, 30, 31, 35, 39, 42–46] in terms of performance and security properties. In Table 1, we give the description of some symbols that need to be used in this subsection.

Download:

Table 1. Definition of some notations.

https://doi.org/10.1371/journal.pone.0205453.t001

4.4.1 Performance comparison.

Because the computational costs of multiplication, hash function and other cryptographic operations are relatively small, we focus on the time-consuming bilinear pairing and exponentiation operations when analysing the performance. Table 2 shows a detailed performance comparison between our CLAS scheme and the related CLAS schemes, where the required symbols are given in Table 1.

Download:

Table 2. Performance comparison of some CLAS schemes.

https://doi.org/10.1371/journal.pone.0205453.t002

From Table 2, for the computational cost of an individual signature generation, our CLAS scheme needs to perform only one exponentiation operation. Zhang et al.’s scheme [43] needs to perform 2 exponentiations. Cheng et al.’s scheme [44] requires 3 exponentiations, as do the schemes of Liu et al. [27], Xiong et al. [42] and He et al. [45]. The other five CLAS schemes [30, 31, 35, 39, 46] need to perform 4 exponentiations.

In our CLAS scheme, the verification equation for an aggregate signature where e(H₁(ID_i), P_pub)(i = 1, …, n), can be pre-computed. During the aggregate signature verification, our CLAS scheme requires n bilinear pairings. The scheme of Chen et al. [35] requires 4 bilinear pairings and 2n exponentiations, as do Du et al.’s scheme [30] and Chen et al.’s scheme [31]. The CLAS scheme in [27, 39, 42, 44–46] requires 3 bilinear pairings and 2n exponentiations, while Zhang et al.’s scheme [43] requires 2n bilinear pairings and 2n exponentiations.

An aggregate signature is only one element of G₁ in our CLAS scheme and Zhang et al.’s scheme [43]. In Liu et al.’s CLAS scheme [27], an aggregate signature is 2 elements in G₁, which is the same as in Du et al.’s scheme [30] and Chen et al.’s scheme [35]. In the other six CLAS scenarios [31, 39, 42, 44–46], an aggregate signature consists of (n + 1) elements in G₁.

Except for our CLAS scheme and Zhang et al.’s scheme [43], all other CLAS schemes [27, 30, 31, 35, 39, 42, 44–46] are insecure against coalition attacks. However, our CLAS scheme is superior to Zhang et al.’s scheme [43] in terms of computational performance.

4.4.2 Experimental evaluation.

We also conduct performance evaluation experiments on the proposed CLAS scheme and other CLAS schemes [43, 44, 46]. The simulated environment is set up on a laptop with the Windows 10 operating system, and the main configuration is Intel(R) Core(TM) i7-6500 CPU @ 2.59 GHz and 8 GB RAM. To execute the bilinear pairing operation quickly, we choose the curve a.param of type A in the PBC-0.47-VC library. The detailed simulation results are shown in Figs 1, 2 and 3.

Download:

Fig 1. Time cost of individual signature generation.

https://doi.org/10.1371/journal.pone.0205453.g001

Download:

Fig 2. Comparison of communication cost.

https://doi.org/10.1371/journal.pone.0205453.g002

Download:

Fig 3. Time cost of aggregate signature verification.

https://doi.org/10.1371/journal.pone.0205453.g003

Fig 1 shows that each signer needs approximately 26 ms to generate an individual signature in our CLAS scheme. The scheme of Zhang et al. [43] needs approximately 49 ms. Cheng et al.’s scheme [44] requires approximately 52 ms, and Li et al.’s scheme [46] requires approximately 91 ms. Therefore, our CLAS scheme requires the least computational cost when generating an individual signature.

The communication overhead of a CLAS scheme mainly relies on the size of the aggregate signature. Table 2 shows that our CLAS scheme and Zhang et al.’s scheme [43] have the same aggregate signature length, and Cheng et al.’s scheme [44] and Li et al.’s scheme [46] also have the same aggregate signature length. Fig 2 shows that the size of an aggregate signature in our CLAS scheme is fixed at 128 bits, while the length of an aggregate signature in Cheng et al.’s scheme [44] increases linearly with the number of signers. Hence, our CLAS scheme greatly reduces the communication cost.

Fig 3 shows that the computational cost of verifying an aggregated signature is linearly increasing with the total number of signatories. Notably, the verification cost of an aggregate signature is less than the total cost of n individual signature verifications participating in the aggregation. Compared with other CLAS schemes [43, 44, 46], Fig 3 shows that our CLAS scheme has lower computational overhead when verifying aggregate signatures.

In summary, the results of the performance evaluations performed in the above experiments are consistent with the theoretical analysis results in Table 2. From the above analysis, we can see that our improved CLAS scheme has lower computational overhead, shorter signature length and higher security.

5 Conclusions

Cheng et al. [44] proposed an efficient CLAS scheme and proved its security. In this paper, we demonstrate that their CLAS scheme [44] cannot resist coalition attacks from internal signers. To prevent these attacks, we design an enhanced CLAS scheme that is secure under coalition attacks. Under the CDH assumption, our improved scheme is proved to satisfy existential unforgeability in the random oracle model. In addition, our CLAS scheme can aggregate n individual signatures into a short signature which is only an element in G₁. More importantly, the length of an aggregate signature is fixed and has nothing to do with the total number of signers participating in the aggregation. Therefore, our CLAS scheme is very suitable for network environments with limited resources, such as the Internet of vehicles, and wireless communication networks [50–52].

Supporting information

S1 Data. Time cost of individual signature generation.

https://doi.org/10.1371/journal.pone.0205453.s001

(XLSX)

S2 Data. Comparison of communication cost.

https://doi.org/10.1371/journal.pone.0205453.s002

(XLSX)

S3 Data. Time cost of aggregate signature verification.

https://doi.org/10.1371/journal.pone.0205453.s003

(XLSX)

References

1. Sun X, Wang H, Li J, Zhang Y (2011) Injecting purpose and trust into data anonymisation. Computers & security, 30(5): 332–345.
- View Article
- Google Scholar
2. Wang H, Cao J, Zhang Y (2002) Ticket-based service access scheme for mobile users. In: Proc. Australian Computer Science Communications. pp. 285-292.
3. Sun X, Wang H, Li J, Zhang Y (2012) Satisfying privacy requirements before data anonymization. The Computer Journal, 55(4): 422–437.
- View Article
- Google Scholar
4. Shen Y, Zhang T, Wang Y, Wang H, Jiang X (2017) MicroThings: A generic IoT Architecture for flexible data aggregation and scalable service cooperation. IEEE Communications Magazine 55(9): 86–93.
- View Article
- Google Scholar
5. Sun X, Li M, Wang H, Plank A (2008) An efficient hash-based algorithm for minimal k-anonymity. In: Proc. the Thirty-First Australasian Conference on Computer Science. pp. 101-107.
6. Zhang Y, Shen Y, Wang H, Zhang Y, Jiang X (2018). On secure wireless communications for service oriented computing. IEEE Transactions on Services Computing 11(2): 318–328.
- View Article
- Google Scholar
7. Szepieniec A, Beullens W, Preneel B (2017) MQ signatures for PKI. In: Proc. International Workshop on Post-Quantum Cryptography. pp. 224-240.
8. Al-Bassam M (2017) SCPKI: a smart contract-based PKI and identity system. In: Proc. the ACM Workshop on Blockchain, Cryptocurrencies and Contracts. pp. 35-40.
9. Li X, Niu J, Kumari S, Wu F, Sangaiah AK, Choo KKR (2018) A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments. Journal of Network and Computer Applications 103: 194–204.
- View Article
- Google Scholar
10. Shamir A (1984) Identity-based cryptosystems and signature schemes. In: Proc. Workshop on the Theory and Application of Cryptographic Techniques. pp. 47-53.
11. Boneh D and Franklin M (2003) Identity-based encryption from the Weil pairing. SIAM Journal on Computing, 32(3): 586–615.
- View Article
- Google Scholar
12. Wei J, Liu W, Hu X (2017) Forward-secure identity-based signature with efficient revocation. International Journal of Computer Mathematics, 94(7): 1390–1411.
- View Article
- Google Scholar
13. Shen L, Ma J, Liu X, Wei F, Miao M (2017) A secure and efficient id-based aggregate signature scheme for wireless sensor networks. IEEE Internet of Things Journal 4(2): 546–554.
- View Article
- Google Scholar
14. Jia X, He D, Zeadally S, Li L (2017) Efficient revocable id-based signature with cloud revocation server. IEEE Access, 5: 2945–2954.
- View Article
- Google Scholar
15. Al-Riyami SS, Paterson KG (2003) Certificateless public key cryptography. In: Proc. International Conference on the Theory and Application of Cryptology and Information Security. pp. 452-473.
16. Huang X, Susilo W, Mu Y, Zhang F (2005) On the security of certificateless signature schemes from Asiacrypt 2003. In: Proc. International Conference on Cryptology and Network Security. pp. 13-25.
17. Wang L, Chen K, Long Y, Wang H (2017) An efficient pairing-free certificateless signature scheme for resource-limited systems. Science China Information Sciences 60(11): 1–3.
- View Article
- Google Scholar
18. Yuan Y, Wang C (2014) Certificateless signature scheme with security enhanced in the standard model. Information Processing Letters 114(9): 492–499.
- View Article
- Google Scholar
19. Hung YH, Huang SS, Tseng YM, Tsai TT (2015) Certificateless signature with strong unforgeability in the standard model. Informatica 26(4): 663–684.
- View Article
- Google Scholar
20. Canard S, Trinh VC (2016) An Efficient certificateless signature scheme in the standard model. In: Proc. International Conference on Information Systems Security. pp. 175-192.
21. Hung YH, Tseng YM, Huang SS (2017) Lattice-based revocable certificateless signature. Symmetry 9(10): 1–17.
- View Article
- Google Scholar
22. Cui J, Zhang J, Zhong H, Shi R, Xu Y (2018) An efficient certificateless aggregate signature without pairings for vehicular ad hoc networks. Information Sciences 451: 1–15.
- View Article
- Google Scholar
23. Malhi AK, Batra S (2015) An efficient certificateless aggregate signature scheme for vehicular ad-hoc networks. Discrete Mathematics and Theoretical Computer Science 17(1): 317–338.
- View Article
- Google Scholar
24. Jin C, Zhao J (2018) Certificateless aggregate deniable authentication protocol for ad hoc networks. International Journal of Electronic Security and Digital Forensics 10(2): 168–187.
- View Article
- Google Scholar
25. Kumar P, Kumari S, Sharma V, Sangaiah AK, Wei J, Li X (2017) A certificateless aggregate signature scheme for healthcare wireless sensor network. Sustainable Computing: Informatics and Systems.
- View Article
- Google Scholar
26. Shen L, Ma J, Liu X, Miao M (2016) A provably secure aggregate signature scheme for healthcare wireless sensor networks. Journal of medical systems 40(11): 1–10.
- View Article
- Google Scholar
27. Liu J, Han J, Wu L, Sun R, Du X (2017) VDAS: verifiable data aggregation scheme for Internet of Things. In: Proc. 2017 IEEE International Conference on Communications. pp. 1-6.
28. Deng J, Xu C, Wu H, Dong L (2016) A new certificateless signature with enhanced security and aggregation version. Concurrency and Computation: Practice and Experience 28(4): 1124–1133.
- View Article
- Google Scholar
29. Zhang L, Qin B, Wu Q, Zhang F (2010) Efficient many-to-one authentication with certificateless aggregate signatures. Computer Networks 54(14): 2482–2491.
- View Article
- Google Scholar
30. Du HZ, Huang MJ, Wen QY (2013) Efficient and provably-secure certificateless aggregate signature scheme. Dianzi Xuebao(Acta Electronica Sinica) 41(1): 72–76.
- View Article
- Google Scholar
31. Chen H, Wei S, Zhu C, Yang Y (2015) Secure certificateless aggregate signature scheme. Journal of Software 26(5): 1173–1180.
- View Article
- Google Scholar
32. Liu H, Liang M, Sun H (2014) A secure and efficient certificateless aggregate signature scheme. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 97(4): 991–995.
- View Article
- Google Scholar
33. Yum DH, Lee PJ (2004) Generic construction of certificateless signature. In: Proc. Australasian Conference on Information Security and Privacy. pp. 200-211.
34. Hu BC, Wong DS, Zhang Z, Deng X (2006) Key replacement attack against a generic construction of certificateless signature. In: Proc. In Australasian Conference on Information Security and Privacy. pp. 235-246.
35. Chen YC, Tso R, Mambo M, Huang K, Horng G (2015) Certificateless aggregate signature with efficient verification. Security and Communication Networks 8(13): 2232–2243.
- View Article
- Google Scholar
36. Zhang H (2016) Insecurity of a certificateless aggregate signature scheme. Security and Communication Networks 9(11): 1547–1552.
- View Article
- Google Scholar
37. Shen H, Chen J, Shen J, He D (2016) Cryptanalysis of a certificateless aggregate signature scheme with efficient verification. Security and Communication Networks 9(13): 2217–2221.
- View Article
- Google Scholar
38. Deng J, Xu C, Wu H, Dong L (2016) A new certificateless signature with enhanced security and aggregation version. Concurrency and Computation: Practice and Experience 28(4): 1124–1133.
- View Article
- Google Scholar
39. Kumar P, Sharma V (2017) A comment on efficient certificateless aggregate signature scheme. In: Proc. 2017 IEEE Computing, Communication and Automation. pp. 515-519.
40. Zhang L, Zhang F (2009) A new certificateless aggregate signature scheme. Computer Communications 32(6): 1079–1085.
- View Article
- Google Scholar
41. Shim KA (2011) On the security of a certificateless aggregate signature scheme. IEEE Communications Letters 15(10): 1136–1138.
- View Article
- Google Scholar
42. Xiong H, Guan Z, Chen Z, Li F (2013) An efficient certificateless aggregate signature with constant pairing computations. Information Sciences 219: 225–235.
- View Article
- Google Scholar
43. Zhang F, Shen L, Wu G (2014) Notes on the security of certificateless aggregate signature schemes. Information Sciences 287: 32–37.
- View Article
- Google Scholar
44. Cheng L, Wen Q, Jin Z, Zhang H, Zhou L (2015) Cryptanalysis and improvement of a certificateless aggregate signature scheme. Information Sciences 295: 337–346.
- View Article
- Google Scholar
45. He D, Tian M, Chen J (2014) Insecurity of an efficient certificateless aggregate signature with constant pairing computations. Information Sciences 268: 458–462.
- View Article
- Google Scholar
46. Li J, Yuan H, Zhang Y (2018) Cryptanalysis and improvement for certificateless aggregate signature. Fundamenta Informaticae 157(2): 111–123.
- View Article
- Google Scholar
47. Wang ZHH, Han ZH, Liu J, Zhang DW, Chang L (2016) ID authentication scheme based on PTPM and certificateless public key cryptography in cloud environment. Journal of Software 27(6): 1523–1537.
- View Article
- Google Scholar
48. Au MH, Mu Y, Chen J, Wong DS, Liu JK, Yang G (2007) Malicious KGC attacks in certificateless cryptography. In: Proc. the 2nd ACM Symposium on Information, Computer and Communications Ssecurity. pp. 302-311.
49. Yang X, Chen C, Ma T, Wang J, Wang C (2018) Revocable identity-based proxy re-signature against signing key exposure. PLoS ONE 13(3): e0194783. https://doi.org/10.1371/journal.pone.0194783. pmid:29579125
- View Article
- PubMed/NCBI
- Google Scholar
50. Ogundoyin SO, Awoyemi SO (2018) EDAS: efficient data aggregation scheme for Internet of things. Journal of Applied Security Research 13(3): 347–375.
- View Article
- Google Scholar
51. Kumar P, Kumari S, Sharma V, Li X, Sangaiah AK, Islam SKH (2018) Secure CLS and CL-AS schemes designed for VANETs. The Journal of Supercomputing, 2018: 1–23. https://doi.org/10.1007/s11227-018-2312-y.
- View Article
- Google Scholar
52. Tian M, Huang L (2013) Cryptanalysis of a certificateless signature scheme without pairings. International Journal of Communication Systems, 26(11): 1375–1381.
- View Article
- Google Scholar

[ref1] 1. Sun X, Wang H, Li J, Zhang Y (2011) Injecting purpose and trust into data anonymisation. Computers & security, 30(5): 332–345.
View Article
Google Scholar

[2] View Article

[3] Google Scholar

[ref2] 2. Wang H, Cao J, Zhang Y (2002) Ticket-based service access scheme for mobile users. In: Proc. Australian Computer Science Communications. pp. 285-292.

[ref3] 3. Sun X, Wang H, Li J, Zhang Y (2012) Satisfying privacy requirements before data anonymization. The Computer Journal, 55(4): 422–437.
View Article
Google Scholar

[6] View Article

[7] Google Scholar

[ref4] 4. Shen Y, Zhang T, Wang Y, Wang H, Jiang X (2017) MicroThings: A generic IoT Architecture for flexible data aggregation and scalable service cooperation. IEEE Communications Magazine 55(9): 86–93.
View Article
Google Scholar

[9] View Article

[10] Google Scholar

[ref5] 5. Sun X, Li M, Wang H, Plank A (2008) An efficient hash-based algorithm for minimal k-anonymity. In: Proc. the Thirty-First Australasian Conference on Computer Science. pp. 101-107.

[ref6] 6. Zhang Y, Shen Y, Wang H, Zhang Y, Jiang X (2018). On secure wireless communications for service oriented computing. IEEE Transactions on Services Computing 11(2): 318–328.
View Article
Google Scholar

[13] View Article

[14] Google Scholar

[ref7] 7. Szepieniec A, Beullens W, Preneel B (2017) MQ signatures for PKI. In: Proc. International Workshop on Post-Quantum Cryptography. pp. 224-240.

[ref8] 8. Al-Bassam M (2017) SCPKI: a smart contract-based PKI and identity system. In: Proc. the ACM Workshop on Blockchain, Cryptocurrencies and Contracts. pp. 35-40.

[ref9] 9. Li X, Niu J, Kumari S, Wu F, Sangaiah AK, Choo KKR (2018) A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments. Journal of Network and Computer Applications 103: 194–204.
View Article
Google Scholar

[18] View Article

[19] Google Scholar

[ref10] 10. Shamir A (1984) Identity-based cryptosystems and signature schemes. In: Proc. Workshop on the Theory and Application of Cryptographic Techniques. pp. 47-53.

[ref11] 11. Boneh D and Franklin M (2003) Identity-based encryption from the Weil pairing. SIAM Journal on Computing, 32(3): 586–615.
View Article
Google Scholar

[22] View Article

[23] Google Scholar

[ref12] 12. Wei J, Liu W, Hu X (2017) Forward-secure identity-based signature with efficient revocation. International Journal of Computer Mathematics, 94(7): 1390–1411.
View Article
Google Scholar

[25] View Article

[26] Google Scholar

[ref13] 13. Shen L, Ma J, Liu X, Wei F, Miao M (2017) A secure and efficient id-based aggregate signature scheme for wireless sensor networks. IEEE Internet of Things Journal 4(2): 546–554.
View Article
Google Scholar

[28] View Article

[29] Google Scholar

[ref14] 14. Jia X, He D, Zeadally S, Li L (2017) Efficient revocable id-based signature with cloud revocation server. IEEE Access, 5: 2945–2954.
View Article
Google Scholar

[31] View Article

[32] Google Scholar

[ref15] 15. Al-Riyami SS, Paterson KG (2003) Certificateless public key cryptography. In: Proc. International Conference on the Theory and Application of Cryptology and Information Security. pp. 452-473.

[ref16] 16. Huang X, Susilo W, Mu Y, Zhang F (2005) On the security of certificateless signature schemes from Asiacrypt 2003. In: Proc. International Conference on Cryptology and Network Security. pp. 13-25.

[ref17] 17. Wang L, Chen K, Long Y, Wang H (2017) An efficient pairing-free certificateless signature scheme for resource-limited systems. Science China Information Sciences 60(11): 1–3.
View Article
Google Scholar

[36] View Article

[37] Google Scholar

[ref18] 18. Yuan Y, Wang C (2014) Certificateless signature scheme with security enhanced in the standard model. Information Processing Letters 114(9): 492–499.
View Article
Google Scholar

[39] View Article

[40] Google Scholar

[ref19] 19. Hung YH, Huang SS, Tseng YM, Tsai TT (2015) Certificateless signature with strong unforgeability in the standard model. Informatica 26(4): 663–684.
View Article
Google Scholar

[42] View Article

[43] Google Scholar

[ref20] 20. Canard S, Trinh VC (2016) An Efficient certificateless signature scheme in the standard model. In: Proc. International Conference on Information Systems Security. pp. 175-192.

[ref21] 21. Hung YH, Tseng YM, Huang SS (2017) Lattice-based revocable certificateless signature. Symmetry 9(10): 1–17.
View Article
Google Scholar

[46] View Article

[47] Google Scholar

[ref22] 22. Cui J, Zhang J, Zhong H, Shi R, Xu Y (2018) An efficient certificateless aggregate signature without pairings for vehicular ad hoc networks. Information Sciences 451: 1–15.
View Article
Google Scholar

[49] View Article

[50] Google Scholar

[ref23] 23. Malhi AK, Batra S (2015) An efficient certificateless aggregate signature scheme for vehicular ad-hoc networks. Discrete Mathematics and Theoretical Computer Science 17(1): 317–338.
View Article
Google Scholar

[52] View Article

[53] Google Scholar

[ref24] 24. Jin C, Zhao J (2018) Certificateless aggregate deniable authentication protocol for ad hoc networks. International Journal of Electronic Security and Digital Forensics 10(2): 168–187.
View Article
Google Scholar

[55] View Article

[56] Google Scholar

[ref25] 25. Kumar P, Kumari S, Sharma V, Sangaiah AK, Wei J, Li X (2017) A certificateless aggregate signature scheme for healthcare wireless sensor network. Sustainable Computing: Informatics and Systems.
View Article
Google Scholar

[58] View Article

[59] Google Scholar

[ref26] 26. Shen L, Ma J, Liu X, Miao M (2016) A provably secure aggregate signature scheme for healthcare wireless sensor networks. Journal of medical systems 40(11): 1–10.
View Article
Google Scholar

[61] View Article

[62] Google Scholar

[ref27] 27. Liu J, Han J, Wu L, Sun R, Du X (2017) VDAS: verifiable data aggregation scheme for Internet of Things. In: Proc. 2017 IEEE International Conference on Communications. pp. 1-6.

[ref28] 28. Deng J, Xu C, Wu H, Dong L (2016) A new certificateless signature with enhanced security and aggregation version. Concurrency and Computation: Practice and Experience 28(4): 1124–1133.
View Article
Google Scholar

[65] View Article

[66] Google Scholar

[ref29] 29. Zhang L, Qin B, Wu Q, Zhang F (2010) Efficient many-to-one authentication with certificateless aggregate signatures. Computer Networks 54(14): 2482–2491.
View Article
Google Scholar

[68] View Article

[69] Google Scholar

[ref30] 30. Du HZ, Huang MJ, Wen QY (2013) Efficient and provably-secure certificateless aggregate signature scheme. Dianzi Xuebao(Acta Electronica Sinica) 41(1): 72–76.
View Article
Google Scholar

[71] View Article

[72] Google Scholar

[ref31] 31. Chen H, Wei S, Zhu C, Yang Y (2015) Secure certificateless aggregate signature scheme. Journal of Software 26(5): 1173–1180.
View Article
Google Scholar

[74] View Article

[75] Google Scholar

[ref32] 32. Liu H, Liang M, Sun H (2014) A secure and efficient certificateless aggregate signature scheme. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 97(4): 991–995.
View Article
Google Scholar

[77] View Article

[78] Google Scholar

[ref33] 33. Yum DH, Lee PJ (2004) Generic construction of certificateless signature. In: Proc. Australasian Conference on Information Security and Privacy. pp. 200-211.

[ref34] 34. Hu BC, Wong DS, Zhang Z, Deng X (2006) Key replacement attack against a generic construction of certificateless signature. In: Proc. In Australasian Conference on Information Security and Privacy. pp. 235-246.

[ref35] 35. Chen YC, Tso R, Mambo M, Huang K, Horng G (2015) Certificateless aggregate signature with efficient verification. Security and Communication Networks 8(13): 2232–2243.
View Article
Google Scholar

[82] View Article

[83] Google Scholar

[ref36] 36. Zhang H (2016) Insecurity of a certificateless aggregate signature scheme. Security and Communication Networks 9(11): 1547–1552.
View Article
Google Scholar

[85] View Article

[86] Google Scholar

[ref37] 37. Shen H, Chen J, Shen J, He D (2016) Cryptanalysis of a certificateless aggregate signature scheme with efficient verification. Security and Communication Networks 9(13): 2217–2221.
View Article
Google Scholar

[88] View Article

[89] Google Scholar

[ref38] 38. Deng J, Xu C, Wu H, Dong L (2016) A new certificateless signature with enhanced security and aggregation version. Concurrency and Computation: Practice and Experience 28(4): 1124–1133.
View Article
Google Scholar

[91] View Article

[92] Google Scholar

[ref39] 39. Kumar P, Sharma V (2017) A comment on efficient certificateless aggregate signature scheme. In: Proc. 2017 IEEE Computing, Communication and Automation. pp. 515-519.

[ref40] 40. Zhang L, Zhang F (2009) A new certificateless aggregate signature scheme. Computer Communications 32(6): 1079–1085.
View Article
Google Scholar

[95] View Article

[96] Google Scholar

[ref41] 41. Shim KA (2011) On the security of a certificateless aggregate signature scheme. IEEE Communications Letters 15(10): 1136–1138.
View Article
Google Scholar

[98] View Article

[99] Google Scholar

[ref42] 42. Xiong H, Guan Z, Chen Z, Li F (2013) An efficient certificateless aggregate signature with constant pairing computations. Information Sciences 219: 225–235.
View Article
Google Scholar

[101] View Article

[102] Google Scholar

[ref43] 43. Zhang F, Shen L, Wu G (2014) Notes on the security of certificateless aggregate signature schemes. Information Sciences 287: 32–37.
View Article
Google Scholar

[104] View Article

[105] Google Scholar

[ref44] 44. Cheng L, Wen Q, Jin Z, Zhang H, Zhou L (2015) Cryptanalysis and improvement of a certificateless aggregate signature scheme. Information Sciences 295: 337–346.
View Article
Google Scholar

[107] View Article

[108] Google Scholar

[ref45] 45. He D, Tian M, Chen J (2014) Insecurity of an efficient certificateless aggregate signature with constant pairing computations. Information Sciences 268: 458–462.
View Article
Google Scholar

[110] View Article

[111] Google Scholar

[ref46] 46. Li J, Yuan H, Zhang Y (2018) Cryptanalysis and improvement for certificateless aggregate signature. Fundamenta Informaticae 157(2): 111–123.
View Article
Google Scholar

[113] View Article

[114] Google Scholar

[ref47] 47. Wang ZHH, Han ZH, Liu J, Zhang DW, Chang L (2016) ID authentication scheme based on PTPM and certificateless public key cryptography in cloud environment. Journal of Software 27(6): 1523–1537.
View Article
Google Scholar

[116] View Article

[117] Google Scholar

[ref48] 48. Au MH, Mu Y, Chen J, Wong DS, Liu JK, Yang G (2007) Malicious KGC attacks in certificateless cryptography. In: Proc. the 2nd ACM Symposium on Information, Computer and Communications Ssecurity. pp. 302-311.

[ref49] 49. Yang X, Chen C, Ma T, Wang J, Wang C (2018) Revocable identity-based proxy re-signature against signing key exposure. PLoS ONE 13(3): e0194783. https://doi.org/10.1371/journal.pone.0194783. pmid:29579125
View Article
PubMed/NCBI
Google Scholar

[120] View Article

[121] PubMed/NCBI

[122] Google Scholar

[ref50] 50. Ogundoyin SO, Awoyemi SO (2018) EDAS: efficient data aggregation scheme for Internet of things. Journal of Applied Security Research 13(3): 347–375.
View Article
Google Scholar

[124] View Article

[125] Google Scholar

[ref51] 51. Kumar P, Kumari S, Sharma V, Li X, Sangaiah AK, Islam SKH (2018) Secure CLS and CL-AS schemes designed for VANETs. The Journal of Supercomputing, 2018: 1–23. https://doi.org/10.1007/s11227-018-2312-y.
View Article
Google Scholar

[127] View Article

[128] Google Scholar

[ref52] 52. Tian M, Huang L (2013) Cryptanalysis of a certificateless signature scheme without pairings. International Journal of Communication Systems, 26(11): 1375–1381.
View Article
Google Scholar

[130] View Article

[131] Google Scholar

Figures

Abstract

1 Introduction

2 Preliminaries

2.1 Formal security model of CLAS

2.2 Bilinear pairing and complexity assumption

3 Cryptanalysis of Cheng et al.’s CLAS scheme

3.1 Review of Cheng et al.’s CLAS scheme

3.2 Attack on Cheng et al.’s CLAS scheme

4 Our improved CLAS scheme

4.1 Construction

4.2 Correctness

4.3 Security analysis

4.4 Performance analysis

4.4.1 Performance comparison.

4.4.2 Experimental evaluation.

5 Conclusions

Supporting information

S1 Data. Time cost of individual signature generation.

S2 Data. Comparison of communication cost.

S3 Data. Time cost of aggregate signature verification.

References