## Figures

## Abstract

Identity-based proxy re-signature (IDPRS) is a novel cryptographic primitive that allows a semi-trusted proxy to convert a signature under one identity into another signature under another identity on the same message by using a re-signature key. Due to this transformation function, IDPRS is very useful in constructing privacy-preserving schemes for various information systems. Key revocation functionality is important in practical IDPRS for managing users dynamically; however, the existing IDPRS schemes do not provide revocation mechanisms that allow the removal of misbehaving or compromised users from the system. In this paper, we first introduce a notion called revocable identity-based proxy re-signature (RIDPRS) to achieve the revocation functionality. We provide a formal definition of RIDPRS as well as its security model. Then, we present a concrete RIDPRS scheme that can resist signing key exposure and prove that the proposed scheme is existentially unforgeable against adaptive chosen identity and message attacks in the standard model. To further improve the performance of signature verification in RIDPRS, we introduce a notion called server-aided revocable identity-based proxy re-signature (SA-RIDPRS). Moreover, we extend the proposed RIDPRS scheme to the SA-RIDPRS scheme and prove that this extended scheme is secure against adaptive chosen message and collusion attacks. The analysis results show that our two schemes remain efficient in terms of computational complexity when implementing user revocation procedures. In particular, in the SA-RIDPRS scheme, the verifier needs to perform only a bilinear pairing and four exponentiation operations to verify the validity of the signature. Compared with other IDPRS schemes in the standard model, our SA-RIDPRS scheme greatly reduces the computation overhead of verification.

**Citation: **Yang X, Chen C, Ma T, Wang J, Wang C (2018) Revocable identity-based proxy re-signature against signing key exposure. PLoS ONE 13(3):
e0194783.
https://doi.org/10.1371/journal.pone.0194783

**Editor: **Muhammad Khurram Khan,
King Saud University, SAUDI ARABIA

**Received: **January 13, 2018; **Accepted: **March 11, 2018; **Published: ** March 26, 2018

**Copyright: ** © 2018 Yang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

**Data Availability: **All relevant data are within the paper and its Supporting Information files.

**Funding: **This work was partially supported by the National Natural Science Foundation of China (No. 61662069, www.nsfc.gov.cn), China Postdoctoral Science Foundation (No. 2017M610817, jj.chinapostdoctor.org.cn), Natural Science Foundation of Gansu Province of China (No. 1506RJZA130, www.gsstc.gov.cn), Science and Technology Project of Lanzhou City of China (No. 2013-4-22, kjj.lanzhou.gov.cn) and Foundation for Excellent Young Teachers by Northwest Normal University (No. NWNU-LKQN-14-7, www.nwnu.edu.cn). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

**Competing interests: ** The authors have declared that no competing interests exist.

## Introduction

A digital signature provides security services such as data integrity, authentication and non-repudiation; therefore, it is one a key technology to ensure information security. In particular, digital signatures can be combined with passwords [1, 2], smart cards [3], biometrics [4], chaotic parallel keyed hash functions [5] and other technologies to achieve identity authentication of parties in communication. Consequently, they have practical applications in systems such as smart cities [6], body area networks [7], the Internet of Things [8] and ubiquitous networks [9]. To meet the security needs of different practical scenarios, researchers have proposed a series of digital signature variants. For instance, a blind signature can effectively protect the content of signed messages; therefore, it is applied to e-commerce, e-voting, e-currency and other systems to protect participants’ interests [10, 11]. A group signature allows any member of a group to sign messages on behalf of the entire group anonymously; therefore, group signatures have been used to protect the privacy and authenticate the identity of vehicles in vehicular ad-hoc networks [12]. A ring signature is a type of group signature with no administrator that can be used in cloud computing and block-chains to achieve unconditional anonymity to protect a user’s privacy [13, 14]. In many scenarios, we need, for example, to verify Alice’s signature, but we do not know her public key or her public key has expired. We want to transform Alice’s signature into Bob’s signature, because Bob’s public key is available. To achieve this transformation, Blaze et al. [15] introduced the concept of a proxy re-signature (PRS). In a PRS scheme, a semi-trusted proxy is allowed to transform Alice’s signature on a message into Bob’s signature on that same message. However, the proxy cannot independently generate a valid signature on any message on behalf of Alice or Bob. Instead, the proxy re-signature functions as a signature conversion method; consequently, it has been widely used in areas such as cross-domain authentication, digital rights management, privacy preservation and auditing in cloud computing environments.

Ateniese and Hohenberger [16] provided a security model for PRS and presented two concrete schemes in 2005: one is multi-use and the other is single-use. Generally speaking, in a multi-use PRS scheme, a proxy can transform a signature from Alice to Bob into a signature from Bob to Carol, but a proxy cannot further convert a transformed signature in a single-use PRS scheme. In the proxy re-signature field, a multi-use PRS is more useful than is a single-use PRS. After Ateniese and Hohenberger’s seminal work [16], other PRS schemes with special properties were proposed, including the universally composable secure PRS [17], the certificateless PRS [18] and the threshold PRS [19]. In particular, Shao et al. [20] proposed an identity-based proxy re-signature (IDPRS) scheme to address the problem of certificate management in traditional PRS schemes. In IDPRS, the user’s email address or other unique identifying information is used as the public key, and the user’s private key is generated by a trusted private key generator (PKG). IDPRS allows a semi-trusted proxy to convert a signature under one identity to another signature under another identity on the same message, but the proxy is unable to produce any signature on behalf of any of these two identities. As a result, IDPRS eliminates the requirement for certificates and simplifies key management, but challenges still remain to be addressed in practical applications.

Shao et al. [20] proposed the first IDPRS scheme in the standard model. Later, Feng et al. [21] proposed a secure IDPRS scheme, but it was not multi-use. Hu et al. also [22] presented an IDPRS scheme without random oracles, but its security relies on a strong difficult problem assumption. Tian [23] proposed an IDPRS scheme from lattices in the random oracle model, but the size of the signature was relatively large and its practicality was poor. In addition, Wang et al. [24] constructed two server-aided proxy re-signature schemes that were provably secure in the random oracle model, but the second scheme cannot resist a collusion attack from the server and a malicious proxy. Moreover, Canetti et al. [25] found that the provably secure scheme in the random oracle model might be insecure in reality when the random oracle is instantiated by a specific hash function. Therefore, it is of practical significance to construct secure RIDPRS schemes in the standard model.

The existing IDPRS schemes do not consider the problem of user revocation [20–23]. A revocation mechanism is essential for practical identity-based cryptosystem [26]. If a user’s key is compromised or a user’s authorization expires, that user needs to be revoked from the system. When users have been revoked, they should no longer be able to use their previous private keys to gain access to sensitive data or to generate valid digital signatures. Researchers have designed a series of revocable cryptographic schemes to achieve user revocation in identity-based settings [27–29]. The main idea behind these schemes is that the PKG periodically updates the private keys of non-revoked users. Tsai et al. [30] proposed a revocable identity-based signature scheme in the standard model, in which a user’s signing key consists of a long-term secret key and a periodically changed update key. However, Tsai et al.’s scheme [30] is insecure against a signing key exposure attack: an adversary can obtain a fixed secret key from a compromised signature key and then combine it with subsequent update keys to forge the signature of any message. Lian et al. [31] proposed a revocable attribute-based signature scheme, but Wei et al. [32] revealed that Lian et al.’s scheme is vulnerable to signing key exposure. If a signature scheme can resist the signing key exposure attack, then the users store their secret keys on physical devices with relatively high security levels, while the update keys can be stored on devices with relatively low security levels (such as mobile phones, smart cards, etc.). However, to the best of our knowledge, no identity-based proxy re-signature scheme with a user revocation mechanism is available. Therefore, how to design a revocable identity-based proxy re-signature (RIDPRS) scheme is an open and interesting question.

In this paper, we formally define the syntax of RIDPRS and present a security model for RIDPRS against signing key exposure. Based on Shao et al.’s IDPRS scheme [20], we design a bidirectional and multi-use RIDPRS scheme. In the proposed scheme, the PKG’s master secret key is divided into two parts: one part is used to construct the user’s fixed secret key, and the other part is used to generate periodically changed update keys for the user. Only a non-revoked user can re-randomize their secret key and update key to generate a corresponding signing key. Consequently, our scheme can not only effectively revoke a user from the system, but also resist signing key exposure attacks. Furthermore, we introduce a new cryptographic primitive called server-aided revocable identity-based proxy re-signature (SA-RIDPRS), which is particularly suitable for verifiers with limited computing power. SA-RIDPRS allows the verifier to delegate most of the computational work involved in signature verification to a server with powerful computing capabilities; the verifier needs to perform only a small number of computational operations to verify the legitimacy of the signature. In addition, we formalize the security model for SA-RIDPRS. Based on our RIDPRS scheme, we also construct an SA-RIDPRS scheme and prove that the proposed scheme is secure against adaptive chosen message and collusion attacks. The results of our analysis show that our two schemes are bidirectional and multi-use, and they achieve user revocation functionality while maintaining efficiency in terms of computational complexity and storage overhead. In our SA-RIDPRS scheme, the verifier verifies the validity of the signature with minimal computational cost by executing the server-aided verification algorithm in conjunction with a server, which efficiently reduces the computational cost of the verifier.

The rest of this paper is organized as follows. Section 2 reviews some preliminaries used in our schemes. Section 3 presents security notions for RIDPRS and SA-RIDPRS. Section 4 constructs an IDPRS scheme and an SA-RIDPRS scheme and gives their security proof and performance analysis. Finally, Section 5 concludes the paper.

## Preliminaries

In this section, we briefly review bilinear parings and the computational Diffie-Hellman (CDH) assumption.

### Bilinear parings

Let *p* be a prime, *G*_{1} and *G*_{2} be two multiplicative cyclic groups of order *p*, and *g* be a generator of *G*_{1}. An efficiently computable bilinear paring *e*: *G*_{1} × *G*_{1} → *G*_{2} is a map with the following properties [16]:

*Bilinear:**e*(*g*^{a},*g*^{b}) =*e*(*g*,*g*)^{ab}=*e*(*g*^{b},*g*^{a}) for any*a*,*b*∈*Z*_{p}.*Non-degenerate:**e*(*g*,*g*) ≠ 1.

### Complexity assumption

The security of our scheme depends on the hardness of the CDH problem. Let *G*_{1} be a cyclic group of prime order *p*, and *g* be a generator of *G*_{1}. Given , where *a*, *b* ∈ *Z*_{p}, the CDH problem is to compute *g*^{ab} ∈ *G*_{1}.

**Definition 1.** We say that the CDH assumption holds if no probabilistic polynomial-time (PPT) algorithm can solve the CDH problem in *G*_{1} with a non-negligible probability [20].

## Formal definition and security model

### Security notions of RIDPRS

An RIDPRS scheme consists of the following eight algorithms (**Setup**, **Extract**, **KeyUp**, **SKGen**, **ReKey**, **Sign**, **ReSign**, **Verify**):

**Setup**(*λ*) → (*pp*,*msk*): Given a security parameter*λ*, this algorithm outputs public parameters*pp*and a master secret key*msk*of the PKG.**Extract**(*pp*,*msk*,*ID*) →*sk*_{ID}: Given*pp*,*msk*and a user’s identity*ID*, this algorithm outputs a secret key*sk*_{ID}of the identity*ID*.**KeyUp**(*pp*,*msk*,*ID*,*t*) →*vk*_{ID,t}: Given*pp*,*msk*, an identity*ID*and a time period*t*, this algorithm outputs an update key*vk*_{ID,t}with respect to identity*ID*and time period*t*.**SKGen**(*pp*,*sk*_{ID},*vk*_{ID,t}) →*dk*_{ID,t}: Given*pp*, a secret key*sk*_{ID}and an update key*vk*_{ID,t}, this algorithm outputs an error symbol ⊥ if the identity*ID*has been revoked during the time period*t*; otherwise, it outputs a signing key*dk*_{ID,t}on (*ID*,*t*).**ReKey**(*pp*,*dk*_{A,t},*dk*_{B,t}) →*rk*_{A→B,t}: Given*pp*and two signing keys (*dk*_{A,t},*dk*_{B,t}) corresponding to identities (*ID*_{A},*ID*_{B}) at time period*t*, this algorithm outputs a re-signing key*rk*_{A→B,t}of the proxy.**Sign**(*pp*,*dk*_{ID,t},*M*) →*σ*: Given*pp*, a signing key*dk*_{ID,t}and a message*M*, this algorithm generates a signature*σ*on*M*.**ReSign**(*pp*,*rk*_{A→B},*ID*_{A},*t*,*M*,*σ*_{A}) →*σ*_{B}: Given*pp*, a re-signing key*rk*_{A→B}and a signature*σ*_{A}on a message*M*with respect to identity*ID*_{A}and time period*t*, this algorithm outputs ⊥ if**Verify**(*pp*,*ID*_{A},*t*,*M*,*σ*_{A}) = 0; otherwise, it outputs a signature*σ*_{B}on*M*with respect to identity*ID*_{B}and time period*t*.**Verify**(*pp*,*ID*,*t*,*M*,*σ*) → {0, 1}: Given*pp*, an identity*ID*, a time period*t*, a message*M*and a signature*σ*, this algorithm outputs 1 if*σ*is a valid signature of*M*on (*ID*,*t*); otherwise, it outputs 0.

**Correctness.** Let (*pp*, *msk*) be the output of the algorithm **Setup**(*λ*). For any message *M* and any identities (*ID*_{A}, *ID*_{B}), if *σ*_{A} = **Sign**(*pp*, *t*, *dk*_{A,t}, *M*) and *σ*_{B} = **ReSign**(*pp*,*rk*_{A→B}, *ID*_{A}, *t*, *M*, *σ*_{A}), then the conditions **Verify**(*pp*, *ID*_{A}, *t*, *M*, *σ*_{A}) = 1 and **Verify**(*pp*, *ID*_{B}, *t*, *M*, *σ*_{B}) = 1 must both hold.

The security of an RIDPRS scheme should be existentially unforgeable under adaptive chosen identity and message attacks. Based on the security model of IDPRS in [20] and the security definition of revocable identity-based signature schemes in [30–32], the existential unforgeability of a bidirectional RIDPRS scheme that captures signing key exposure is formally defined by using the following security game between a challenger and an adversary :

**Setup:**
executes the algorithm **Setup**(*λ*) to generate public parameters *pp* and the PKG’s master secret key *msk*. Then, sends *pp* to .

**Queries:** The adversary adaptively makes the following queries:

*Extract-query:*When asks for a secret key of an identity*ID*, executes the algorithm**Extract**(*pp*,*msk*,*ID*) and returns the corresponding output*sk*_{ID}to .*KeyUp-query:*When inquires about an update key with respect to an identity*ID*and a time period*t*, executes the algorithm**KeyUp**(*pp*,*msk*,*ID*,*t*) and returns an update key*vk*_{ID,t}to .*SKGen-query:*When asks for a signing key with respect to an identity*ID*and a time period*t*, first makes an*Extract-query*for*ID*and a*KeyUp-query*for the tuple (*ID*,*t*) to obtain a secret key*sk*_{ID}and an update key*vk*_{ID,t}, respectively. Then, runs the algorithm**SKGen**(*pp*,*sk*_{ID},*vk*_{ID,t}) to generate a signing key*dk*_{ID,t}, and sends it to .*ReKey-query:*When requests a re-signing key of two identities (*ID*_{A},*ID*_{B}) at time period*t*, first makes the*SKGen-query*on tuples (*ID*_{A},*t*) and (*ID*_{B},*t*) to obtain the corresponding signing keys*dk*_{A,t}and*dk*_{B,t}, respectively. Afterwards, runs the algorithm**ReKey**(*pp*,*dk*_{A,t},*dk*_{B,t}) to output a re-signing key*rk*_{A→B,t}, and then sends it to .*Sign-query:*When requests a signature on a message*M*with respect to an identity*ID*and a time period*t*, first makes a*SKGen-query*on tuple (*ID*,*t*) to obtain a signing key*dk*_{ID,t}. Then, runs the algorithm**Sign**(*pp*,*dk*_{ID,t},*M*) and returns a signature*σ*on*M*to .

**Forgery:** The adversary finally outputs a forged signature *σ** on a message *M** with respect to an identity *ID** and a time period *t**. We say that wins in the above game if the following conditions hold.

**Verify**(*pp*,*ID**,*t**,*M**,*σ**) = 1.- (
*ID**,*t**) has never been queried of the*SKGen-query*. *ID** has never been submitted to the*Extract-query*, and (*ID**,*t**) has never been submitted to the*KeyUp-query*.*ID** has never been submitted to the*ReKey-query*.- (
*ID**,*t**,*M**) has never been queried of the*Sign-query*.

**Definition 2.** A bidirectional RIDPRS scheme is said to be existentially unforgeable against adaptive chosen identity and message attacks if for any polynomial-time adversary the probability of winning in the above game is negligible.

### Security notions of SA-RIDPRS

An SA-RIDPRS scheme consists of an RIDPRS scheme and a server-aided verification protocol. Due to the weaker computing power, the verifier is unable to perform complicated cryptographic operations. Therefore, the verifier needs to execute an interactive verification protocol to verify the validity of the signature with the help of a server. Specifically, a bidirectional SA-RIDPRS scheme is a tuple of the following ten algorithms (**Setup**, **Extract**, **KeyUp**, **SKGen**, **ReKey**, **Sign**, **ReSign**, **Verify**, **SA-Setup**, **SA-Verify**):

- The
**Setup**,**Extract**,**KeyUp**,**SKGen**,**ReKey**,**Sign**,**ReSign**and**Verify**algorithms are the same as those in the RIDPRS scheme described in Section 3.1. **SA-Setup**(*pp*) →*V String*: On input public parameters*pp*, this algorithm generates a secret string*V String*that contains the pre-computed information of the verifier.**SA-Verify**(*pp*,*V String*,*ID*,*t*,*M*,*σ*) → {0, 1}: On input*pp*,*V String*and a signature*σ*on a message*M*with respect to an identity*ID*and a time period*t*, this algorithm outputs 1 if the server convinces the verifier that*σ*is valid; otherwise, it outputs 0.

The security of an SA-RIDPRS scheme includes both the existential unforgeability of RIDPRS and the soundness of the algorithm **SA-Verify**. Existential unforgeability ensures that an attacker cannot generate a valid signature on a new message, whereas soundness ensures that the server cannot convince a verifier that an invalid signature is valid. The unforgeability of a bidirectional SA-RIDPRS scheme is the same as that of the RIDPRS scheme defined in Section 3.1. Based on the soundness of server-aided verification PRS [24], the soundness of the algorithm **SA-Verify** under adaptive chosen message and collusion attacks is defined by the following security game between a challenger and an adversary . In this game, the challenger acts as a verifier while the adversary acts as the server. is allowed to collude with the signer or the proxy; therefore, can generate or transform the signature of any message. The goal of is to convince that an invalid signature is valid. and interact as follows:

**Setup:**
executes the **Setup** and **SA-Setup** algorithms to generate the public parameters *pp* and the string *V String*, respectively. Then, sends *pp* to .

**Queries:**
can adaptively make a number of server-aided verification queries to . For each query on (*ID*_{i}, *t*_{i}, *M*_{i}, *σ*_{i}), runs the algorithm **SA-Verify** with and then returns the corresponding output to as a response.

**Forgery:** The adversary eventually outputs an identity *ID**, a time period *t**, a message *M** and a string *σ**. Let *Ω*_{M*} be the set of all valid signatures on *M**, where *σ** ∉ *Ω*_{M*}. If **Verify**(*pp*, *ID**, *t**, *M**, *σ**) = 0 and **SA-Verify**(*pp*, *V String*, *ID**, *t**, *M**, *σ**) = 1, which means that has convinced that *σ** is a valid signature on *M** with respect to the tuple (*ID**, *t**), then the adversary wins the game.

**Definition 3.** The algorithm **SA-Verify** is soundness if the probability that any polynomial-time adversary wins in the above game is negligible.

**Definition 4.** If an RIDPRS scheme is existentially unforgeable against adaptive chosen identity and message attacks, and the algorithm **SA-Verify** is soundness, then the resulting SA-RIDPRS scheme is said to be secure against adaptive chosen message and collusion attacks.

## Our constructions

In this section, we first construct a bidirectional RIDPRS scheme based on the IDPRS scheme of Shao et al. [20]. Then, we extend it to the SA-RIDPRS scheme. Moreover, we provide security proofs and performance analyses for the proposed schemes.

### Bidirectional and revocable ID-based proxy re-signature scheme

#### Description.

In our RIDPRS scheme, we assume that the length of the identity and the length of the message are *n*_{u}-bit and *n*_{m}-bit strings, respectively. We can achieve these by two collision-resistant hash functions and . The details of our RIDPRS scheme are described as follows:

**Setup**: Given a security parameter*λ*, the PKG does the following:- Choose two multiplicative cyclic groups
*G*_{1}and*G*_{2}of prime order*p*, a generator*g*of*G*_{1}and a bilinear pairing*e*:*G*_{1}×*G*_{1}→*G*_{2}. - Select a collision-resistant hash function , where
*n*_{v}is the fixed length of the output of*H*. - Pick four random elements
*g*_{2},*u*_{0},*v*_{0},*w*_{0}∈*G*_{1}and three random vectors , and from*G*_{1}, where 1 ≤*i*≤*n*_{u}, 1 ≤*j*≤*n*_{v}and 1 ≤*k*≤*n*_{m}. - Choose two random integers and compute .
- Store the master secret key secretly and publish the public parameters .

To simplify the expression, for any identity*ID*= (, any string*T*= (*T*_{1}, …, and any message*M*= (*M*_{1}, …,*M*_{nm}) , we define the following three functions

, and , respectively.- Choose two multiplicative cyclic groups
**Extract**: Given a user’s identity*ID*, the PKG first chooses a random integer*r*_{ID}∈*Z*_{p}and computes a secret key , . Then, the PKG sends*sk*_{ID}to the user via a secure channel.**KeyUp**: Given an identity*ID*and a time period*t*, the PKG randomly chooses*s*_{ID}∈*Z*_{p}, and computes*T*_{ID}=*H*(*ID*,*t*) and*vk*_{ID,t}= (*vk*_{ID,t,1},*vk*_{ID,t,2}) = . Then, the PKG sends an update key*vk*_{ID,t}to the user via a public channel.**SKGen**: On input (*ID*,*t*), if identity*ID*has been revoked within time period*t*, the user is unable to generate a valid signing key because he cannot obtain valid update keys. Otherwise, the user with identity*ID*uses his secret key*sk*_{ID}= (*sk*_{ID,1},*sk*_{ID,2}) and update key*vk*_{ID,t}= (*vk*_{ID,t,1},*vk*_{ID,t,2}) to generate a signing key using the following steps:**ReKey**: On input two signing keys*dk*_{A,t}= (*dk*_{A,t,1},*dk*_{A,t,2},*dk*_{A,t,3}) and*dk*_{B,t}= (*dk*_{B,t,1},*dk*_{B,t,2},*dk*_{B,t,3}) corresponding to two identities*ID*_{A}and*ID*_{B}, the proxy outputs a re-signing key**Sign**: Given a message*M*, a signer randomly chooses*r*_{m}∈*Z*_{p}and uses the signing key*dk*_{ID,t}= (*dk*_{ID,t,1},*dk*_{ID,t,2},*dk*_{ID,t,3}) to compute ,*σ*_{ID,2}=*dk*_{ID,t,2},*σ*_{ID,3}=*dk*_{ID,t,3}and . Then, the signer outputs a signature*σ*_{ID}= (*σ*_{ID,1},*σ*_{ID,2},*σ*_{ID,3},*σ*_{ID,4}) on*M*.**ReSign**: Given a re-signing key*rk*_{A→B,t}= (*rk*_{A→B,t,1},*rk*_{A→B,t,2},*rk*_{A→B,t,3}) and a signature*σ*_{A}= (*σ*_{A,1},*σ*_{A,2},*σ*_{A,3},*σ*_{A,4}) on a message*M*with respect to an identity*ID*_{A}and a time period*t*, the proxy outputs ⊥ if**Verify**(*pp*,*ID*_{A},*t*,*M*,*σ*_{A}) = 0; otherwise, the proxy randomly chooses , and computes ,*σ*_{B,2}=*σ*_{A,2}⋅*rk*_{A→B,t,2},*σ*_{B,3}=*σ*_{A,3}⋅*rk*_{A→B,t,3}and . Then, the proxy outputs a signature*σ*_{B}= (*σ*_{B,1},*σ*_{B,2},*σ*_{B,3},*σ*_{B,4}) for*M*with respect to the identity*ID*_{B}and the time period*t*.**Verify**: Given an identity*ID*, a time period*t*and a signature*σ*_{ID}= (*σ*_{ID,1},*σ*_{ID,2},*σ*_{ID,3},*σ*_{ID,4}) on a message*M*, the verifier first computes*T*_{ID}=*H*(*ID*,*t*). Then, the verifier checks whether the following equation holds: If the above equation holds, the verifier accepts that*σ*_{ID}is valid and outputs 1; otherwise, the verifier outputs 0.

#### Correctness.

For any signature *σ*_{A} = (*σ*_{A,1}, *σ*_{A,2}, *σ*_{A,3}, *σ*_{A,4}) of message *M* on (*ID*_{A}, *t*), any re-signing key *rk*_{A→B,t} = (*rk*_{A→B,t,1}, *rk*_{A→B,t,2}, *rk*_{A→B,t,3}) = (*dk*_{B,t,1}/*dk*_{A,t,1}, *dk*_{B,t,2}/*dk*_{A,t,2}, *dk*_{B,t,3}/*dk*_{A,t,3}) and *ID*_{B}’s signing key *dk*_{B,t} = (*dk*_{B,t,1}, *dk*_{B,t,2}, *dk*_{B,t,3}), where , and . Then, we have a re-signature *σ*_{B} = (*σ*_{B,1}, *σ*_{B,2}, *σ*_{B,3}, *σ*_{B,4}) of *M* with respect to identity *ID*_{B} and time period *t*, where

The following equation shows that our RIDPRS scheme satisfies correctness:

From the above equation, we can see that *σ*_{B} satisfies the condition **Verify**(*pp*, *ID*_{B}, *t*, *M*, *σ*_{B}) = 1, so our RIDPRS scheme is correct. The distribution of the re-signature *σ*_{B} generated by the algorithm **ReSign** is the same as that of the signature generated by *ID*_{B} himself using the algorithm **Sign**, which demonstrates that our RIDPRS scheme is multi-use. By using the re-signing key *rk*_{A→B,t} between *ID*_{A} and *ID*_{B}, it is easy to compute the re-signing key *rk*_{B→A,t} = 1/*rk*_{A→B,t} between *ID*_{B} and *ID*_{A}, which implies that our RIDPRS scheme is bidirectional.

#### Security analysis.

In our RIDPRS scheme, the algorithm **SKGen** re-randomizes a secret key *sk*_{ID} and an update key *vk*_{ID,t} to generate a corresponding signing key for an identity *ID* and time period *t*. Even if an adversary obtains the signing key *dk*_{ID,t}, it is difficult to extract *ID*’s secret key *sk*_{ID} from *dk*_{ID,t}. Moreover, the exposure of *dk*_{ID,t} at time period *t* does not reveal any information concerning other signing keys for identity *ID* at other time periods. Therefore, our RIDPRS scheme can resist signing key exposure attacks.

To simplify the security analysis of our RIDPRS scheme, we classify adversaries into two types: external and internal. The main difference between these two types of attackers is that an external adversary is not allowed to make queries about the secret key of the challenged identity *ID** whereas an internal adversary is not allowed to make queries about the update key of the challenged identity *ID** or the challenged time period *t**. The following two lemmas prove that our RIDPRS scheme is existentially unforgeable against adaptive chosen identity and message attacks.

**Lemma 1.** If a polynomial-time external adversary breaks our RIDPRS scheme with non-negligible probability, then there exists an algorithm that can solve the CDH problem with non-negligible probability.

**Proof.** Assume that an adversary breaks the existential unforgeability of our RIDPRS scheme with the probability *ε* after making at most *q*_{sk} secret key queries, *q*_{vk} update key queries, *q*_{dk} signing key queries, *q*_{rk} re-signing key queries and *q*_{s} signing queries. We will construct an algorithm to solve the CDH problem in *G*_{1} with the probability at least *ε*_{1} by using ’s forgery. Given a random instance of the CDH problem, the goal of is to compute *g*^{ab}. The algorithm interacts with as follows.

**Setup:**
randomly chooses two integers *k*_{u}(0 ≤ *k*_{u} ≤ *n*_{u}) and *k*_{m}(0 ≤ *k*_{m} ≤ *n*_{m}), and sets *g*_{2} = *g*^{b}, *l*_{u} = 2(*q*_{sk} + *q*_{dk} + *q*_{rk} + *q*_{s}) and *l*_{m} = 2*q*_{s} such that *l*_{u}(*n*_{u} + 1)<*p* and *l*_{m}(*n*_{m} + 1)<*p*. To generate the public parameters *pp*, executes the following operations:

- Randomly choose
*x*_{0},*x*_{1}, …,*x*_{nu}∈*Z*_{lu}and*y*_{0},*y*_{1}, …,*y*_{nu}∈*Z*_{p}, then compute and a vector , where for 1 ≤*i*≤*n*_{u}. - Randomly choose
*z*_{0},*z*_{1}, …,*z*_{nv}∈*Z*_{p}and then compute and a vector , where for 1 ≤*j*≤*n*_{v}. - Randomly choose
*c*_{0},*c*_{1}, …,*c*_{nm}∈*Z*_{lm}and*d*_{0},*d*_{1}, …,*y*_{nm}∈*Z*_{p}and then compute and a vector , where for 1 ≤*k*≤*n*_{m}. - Select a collision-resistant hash function .
- Choose a random integer and compute . This calculation implies that the master secret key is but
*a*is unknown to . - Send the public parameters (
*G*_{1},*G*_{2},*e*,*p*,*g*,*g*_{1},*g*_{2},*H*,*u*_{0},*v*_{0}, to .

For any identity , any string and any message , we define the following five functions:

, , , , .

**Queries:** The adversary can issue the following types of queries adaptively:

*Extract-query:*When asks for a secret key query on an identity*ID*, first computes*F*(*ID*). We note that implies (and thus implies ). If , aborts; otherwise, randomly chooses*r*_{ID}∈*Z*_{p}computes and then sends the secret key*sk*_{ID}to .*KeyUp-query:*When issues an update key query on an identity*ID*and a time period*t*, randomly chooses*s*_{ID}∈*Z*_{p}and computes*T*_{ID}=*H*(*ID*,*t*). Then, uses the secret value*β*to compute and returns an update key*vk*_{ID,t}to .*SKGen-query:*For a signing key query on (*ID*,*t*), if identity*ID*has been revoked at time period*t*, outputs ⊥. Otherwise, randomly chooses , and performs an*Extract-query*on*ID*and a*KeyUp-query*on (*ID*,*t*) to obtain a secret key*sk*_{ID}= (*sk*_{ID,1},*sk*_{ID,2}) and an update key*vk*_{ID,t}= (*vk*_{ID,t,1},*vk*_{ID,t,2}), respectively. Then, computes*T*_{ID}=*H*(*ID*,*t*), and returns a signing key*dk*_{ID,t}= (*dk*_{ID,t,1},*dk*_{ID,t,2},*dk*_{ID,t,3}) to .*ReKey-query:*When issues a re-signing key query on two identities (*ID*_{A},*ID*_{B}) and a time period*t*, first makes*SKGen-query*on (*ID*_{A},*t*) and (*ID*_{B},*t*) to obtain the corresponding signing keys*dk*_{A,t}and*dk*_{B,t}, respectively. Then, executes the algorithm**ReKey**(*pp*,*dk*_{A,t},*dk*_{B,t}) to produce a re-signing key*rk*_{A→B,t}and sends it to .*Sign-query:*When issues a signature query on a message*M*with respect to an identity*ID*and a time period*t*, considers the following two cases:- – Case 1: If , makes a
*SKGen-query*on (*ID*,*t*) to obtain a signing key*dk*_{ID,t}. Then, executes the algorithm**Sign**(*pp*,*dk*_{ID,t},*M*) to produce a signature*σ*on*M*and returns it to . - – Case 2: If , further considers the following two subcases:

- – Case 1: If , makes a

**Forgery:** The adversary finally outputs a signature on a message *M** with respect to an identity *ID** and a time period *t**. If or , aborts. Otherwise, to solve the instance of the CDH problem, computes *T*_{ID*} = *H*(*ID**, *t**) and outputs *g*^{ab} as follows:

Now, we analyse the probability that does not abort in the above simulation. If completes the simulation without aborting, then the following events must have occurred:

- In the
*Extract-query*,*SKGen-query*and*ReKey-query*phases, the condition must be satisfied for any queried identity*ID*. - In the
*Sign-query*phase, or must be satisfied for any queried identity*ID*and message*M*. - In the forgery phase, and must be satisfied for the challenged identity
*ID** and message*M**.

Similar to the probability analysis described in [20, 33], we define the following events:

- for
*i*= 1, …,*q*_{sk}+*q*_{dk}+*q*_{rk}+*q*_{s}. - .
- for
*i*= 1, …,*q*_{s}. - .

Hence, the probability that will not abort in the above simulation is
Because *l*_{u}(*n*_{u} + 1) < *p*, we can find that
and
Since *l*_{m}(*n*_{m} + 1) < *p*, we have that
As *l*_{u} = 2(*q*_{sk} + *q*_{dk} + *q*_{rk} + *q*_{s}) and *l*_{m} = 2*q*_{s}, we can obtain the resulting probability
Therefore, can successfully solve the CDH problem in *G*_{1} with a probability of .

**Lemma 2.** If a polynomial-time internal adversary breaks our RIDPRS scheme with a non-negligible probability, then there exists an algorithm that can solve the CDH problem with non-negligible probability.

**Proof.** Assume that an adversary breaks the existential unforgeability of our RIDPRS scheme with the probability *ε* after making at most *q*_{sk} secret key queries, *q*_{vk} update key queries, *q*_{dk} signing key queries, *q*_{rk} re-signing key queries and *q*_{s} signing queries. We can construct an algorithm that solves the CDH problem in *G*_{1} with a probability *ε*_{2} using the adversary’s forgery . is given a random instance of the CDH problem. To calculate *g*^{ab}, interacts with as follows.

**Setup:**
randomly chooses two integers *k*_{v}(0 ≤ *k*_{v} ≤ *n*_{v}) and *k*_{m}(0 ≤ *k*_{m} ≤ *n*_{m}), and sets *g*_{2} = *g*^{b}, *l*_{v} = 2(*q*_{vk} + *q*_{dk} + *q*_{rk} + *q*_{s}) and *l*_{m} = 2*q*_{s} such that *l*_{v}(*n*_{v} + 1) < *p* and *l*_{m}(*n*_{m} + 1) < *p*. Then, generate public parameters *pp* according to the following steps:

- Randomly choose
*x*_{0},*x*_{1}, …,*x*_{nv}∈*Z*_{lv}and*y*_{0},*y*_{1}, …,*y*_{nv}∈*Z*_{p}; then, compute and a vector , where for 1 ≤*j*≤*n*_{v}. - Randomly choose
*z*_{0},*z*_{1}, …,*z*_{nu}∈*Z*_{p}; then, compute and a vector , where for 1 ≤*i*≤*n*_{u}. - Set parameter
*w*_{0}and vector in the same way as is done in Lemma 1. - Select a collision-resistant hash function .
- Choose a random integer and compute , which implies that the master secret key is , but
*a*is unknown to . - Send the public parameters (
*G*_{1},*G*_{2},*e*,*p*,*g*,*g*_{1},*g*_{2},*H*,*u*_{0},*v*_{0}, to .

For an identity , a string and a message , we define five functions:

, , , , .

**Queries:**
answers ’s queries as follows.

*Extract-query:*Upon receiving a secret key query for identity*ID*, randomly chooses*r*_{ID}∈*Z*_{p}and computes Then, sends a secret key*sk*_{ID}to .*KeyUp-query:*Upon receiving an update key query on an identity*ID*and a time period*t*, first computes*T*_{ID}=*H*(*ID*,*t*). If , aborts. Otherwise, randomly chooses*s*_{ID}∈*Z*_{p}and outputs an update key*vk*_{ID,t}= (*vk*_{ID,t,1},*vk*_{ID,t,2}) in response, where*SKGen-query:*answers a signing key query in the same way as it does the*SKGen-query*in Lemma 1.*ReKey-query:*answers a re-signing key query in the same way as it does the*ReKey-query*in Lemma 1.*Sign-query:*Upon receiving a signature query on a message*M*with respect to an identity*ID*and a time period*t*, computes*T*_{ID}=*H*(*ID*,*t*) and considers the following two cases:

**Forgery:** The adversary finally outputs a signature on a message *M** with respect to an identity *ID** and a time period *t**. first computes *T*_{ID*} = *H*(*ID**, *t**). If or , aborts. Otherwise, computes *g*^{ab} as follows:

Similar to the probabilistic analysis for Lemma 1, the probability that algorithm successfully solves the CDH problem in *G*_{1} is at least .

Combining Lemma 1 and Lemma 2, we obtain the following theorem.

**Theorem 1.** Our RIDPRS scheme is existentially unforgeable against adaptive chosen identity and message attacks in the standard model under the CDH assumption.

### Server-aided revocable identity-based proxy re-signature scheme

#### Description.

Based on our RIDPRS scheme, we construct a bidirectional SA-RIDPRS scheme in which the verifier can verify the legality of a signature at relatively low computational cost with the help of a server. Our SA-RIDPRS scheme is described as follows:

- The
**Setup**,**Extract**,**KeyUp**,**SKGen**,**ReKey**,**Sign**,**ReSign**and**Verify**algorithms are the same as those in our RIDPRS scheme described in Section 4.1.1. **SA-Setup:**Given the public parameters*pp*, the verifier chooses a random integer , computes*K*_{0}=*e*(*g*_{2},*g*_{1})^{x}and sets a string .**SA-Verify:**Given a signature*σ*= (*σ*_{1},*σ*_{2},*σ*_{3},*σ*_{4}) on a message*M*with respect to an identity*ID*and a time period*t*, the verifier interacts with a server through the following protocol:- The verifier computes and sends the tuple to the server.
- The server computes
*T*_{ID}=*H*(*ID*,*t*), , and . Then, the server sends (*K*_{2},*K*_{3},*K*_{4}) to the verifier. - The verifier first computes and checks whether the equation
*K*_{1}=*K*_{0}⋅*K*_{2}⋅*K*_{3}⋅*K*_{4}holds. If the equation holds, the verifier accepts that*σ*is valid and outputs 1; otherwise, the verifier outputs 0.

#### Correctness.

For any signature *σ* = (*σ*_{1}, *σ*_{2}, *σ*_{3}, *σ*_{4}) , and a string , we have

Thus, the above equation shows that our SA-RIDPRS scheme satisfies the correctness.

#### Security analysis.

In Section 4.1.3, we demonstrated that our RIDPRS scheme is existentially unforgeable in the standard model. According to Definition 4, our SA-RIDPRS scheme is secure if we prove that the algorithm **SA-Verify** has the soundness property.

**Lemma 3.** The algorithm **SA-Verify** in our SA-RIDPRS scheme has soundness against adaptive chosen message and collusion attacks.

**Proof.** Assume that the adversary is acting as a server with powerful computational capabilities, and the challenger is acting as a verifier. Because is allowed to collude with the signer or the proxy, has access to the signing or re-signing key to generate a valid signature for any message. First, sends an invalid message-signature pair (*M**, *σ**) to . Then, ’s task is to convince that *σ** is a valid signature on a message *M** with respect to an identity *ID** and a time period *t**.

**Setup:**
first runs the algorithm **Setup** to generate public parameters *pp*, and runs the **Extract**, **KeyUp** and **SKGen** algorithms to generate a signing key with respect to the tuple (*ID**, *t**). Then, randomly chooses , computes and secretly stores the string . Finally, sends to the adversary .

**Queries:**
can adaptively make at most *q*_{sv} sever-aided verification queries to . For each query on the tuple (*ID*_{i}, *t*_{i}, *M*_{i}, *σ*_{i}), runs the algorithm **SA-Verify** with and returns the resulting output to .

**Forgery:** The adversary eventually sends a message-signature pair (*M**, *σ** = to , where *σ** is not a valid signature on message *M** with respect to identity *ID** and time period *t**, which means that **Verify**(*pp*, *ID**, *t**, *M**, *σ**) = 0. Subsequently, interacts with as follows.

- uses the secret string to compute Then, sends to .
- computes
*T*_{ID*}=*H*(*ID**,*t**), , , and , and returns to . - computes and verifies whether holds. If this equation holds, then
**SA-Verify**(*pp*,*V String*,*ID**,*t**,*M**,*σ**) = 1.

In the following, we analyse the probability that the invalid message-signature pair satisfies the condition . Since (*σ**)′ = (*σ**)^{x*} and *x** is randomly chosen by from , the probability that can derive *x** from (*σ**)′ is . As , the probability of finding an integer *x** that satisfies the condition is also . Moreover, because *p* is a large prime, can convince that *σ** is a valid signature for message *M** on (*ID**, *t**) with a negligible probability (). Therefore, the algorithm **SA-Verify** in our SA-RIDPRS scheme satisfies the soundness requirement.

By combining Theorem 1, Lemma 3 and Definition 4, the following theorem can be deduced.

**Theorem 2.** In the standard model, our SA-RIDPRS scheme is secure against adaptive chosen message and collusion attacks.

### Performance analysis

In this section, we discuss the performance of our schemes and other IDPRS schemes in the standard model in terms of their computational cost and security properties. Because multiplication and hash function operations have relatively low computational costs, we consider only bilinear pairing and exponentiation operations, which have relatively high computational costs. In Table 1, “*Size*” denotes the size of a signature; “*Sign*”, “*Verify*” and “*ReSign*” denote the computational cost of the **Sign**, **Verify** and **ReSign** algorithms, respectively; and “*Revocation*” denotes whether the scheme includes a user revocation function. *E* represents the time to execute an exponentiation operation; *P* represents the time to execute a bilinear pairing operation; |*p*| represents the length of an element in *Z*_{p}; and |*G*_{1}| represents the length of an element in group *G*_{1}.

As shown in Table 1, in our SA-RIDPRS scheme, the verifier must perform one pairing operation and 4 exponentiations to verify the validity of a signature. In contrast, the verifier must compute 4 pairings in our RIDPRS scheme. Based on the results reported in [34], the computational overhead of a bilinear pair is, at minimum, more than five exponentiations in *G*_{1}. Obviously, our SA-RIDPRS scheme is considerably less computationally intensive than is our RIDPRS scheme; therefore, it substantially reduces the verifier’s computational overhead, making it suitable for limited-resource devices.

In terms of signature size, the signature in our SA-RIDPRS scheme contains 4 elements in *G*_{1}. The signatures in Shao et al.’s scheme [20] and Feng et al.’s scheme [21] contain 3 elements in *G*_{1}, while the signature in Hu et al.’s scheme [22] contains 4 elements in *G*_{1} and one element in *Z*_{p}. However, our two schemes are the only ones that provide user revocation functionality and can withstand signing key exposure attacks.

In the signing phase, our SA-RIDPRS scheme and Shao et al.’s scheme [20] require 2 exponentiations to generate a signature on a message, whereas the schemes of Feng et al. [21] and Hu et al. [22] require 3 and 6 exponentiations respectively.

In the re-signing phase, our SA-RIDPRS scheme performs one pairing operation and 6 exponentiations to create a valid re-signature, while the scheme of Shao et al. [20] requires 3 pairing operations and 2 exponentiations, and that of Feng et al. [21] must perform 4 pairing operations and 5 exponentiations. Hu et al.’s scheme [22] requires 3 pairing operations and 6 exponentiations.

During signature verification, the computational cost in our SA-RIDPRS scheme involves one pairing operation and 4 exponentiations. The schemes of Shao et al. [20] requires 3 pairings, and that of Feng et al. [21] requires 5 pairings and 3 exponentiations. Hu et al.’s scheme [22] requires 3 pairings and 4 exponentiations. In summary, our SA-RIDPRS scheme has considerably less computational overhead than do the other schemes.

We evaluate the performance of our SA-RIDPRS scheme and the three other IDPRS schemes [20–22]. The experiments are implemented in a hardware environment consisting of an Intel Core i7-6500 CPU 2.5 GHz with 8 GB of RAM. The corresponding simulation algorithms are implemented in the C language using the PBC-0.47-VC library and executed on a Windows 10 operating system. We chose the standard parameter *a*.*param* in the PBC library and set the group order *p* = 160 bits. The performance comparison results for all the schemes are shown in Figs 1, 2, 3 and 4.

In Fig 1, we can see that the length of the signature and re-signature in Shao et al.’s scheme [20] are both 532 bits. The length of the signature in Feng et al.’s scheme [21] is 384 bits, but the length of the re-signature is 512 bits. The length of the signature and re-signature in Hu et al.’s scheme [22] are both 532 bits. The length of the signature and re-signature in our SA-RIDPRS scheme are both 512 bits. However, Feng et al.’s scheme [21] is not multi-use because the lengths of signatures and re-signatures are different. While our SA-RIDPRS scheme includes one more element in *G*_{1} than the scheme of Shao et al. [20] does, it also effectively solves the user revocation problem. Therefore, compared with the other three schemes, our SA-RIDPRS scheme has comparable efficiency in terms of signature size. This is consistent with the above theoretical analysis.

According to Table 1, the cost of generating a signature in our SA-RIDPRS scheme is equivalent to that of Shao et al.’s scheme [20]. The experimental results shown in Fig 2 indicate that our SA-RIDPRS scheme has lower computational overhead for signature generation than do the other two schemes [21, 22]. Fig 3 demonstrates that our SA-RIDPRS scheme improves on the other three schemes [20–22] in terms of the computational overhead for re-signature generation. From Fig 4, we can observe that the computational cost of the verifier is not related to the size of the message in our SA-RIDPRS scheme. Because the verifier in our SA-RIDPRS scheme offloads most of the time-consuming bilinear pairing computations to the server via the server-aided verification algorithm, it can perform signature verification at a relatively low computational cost. Thus, our SA-RIDPRS scheme greatly reduces the cost of the verifier. Moreover, our SA-RIDPRS scheme is more efficient than are the other schemes [20–22] in terms of the verifier’s computational overhead. Clearly, the results of these experiments are consistent with the results of the theoretical analysis in Table 1.

## Conclusions

In this paper, we present two IDPRS schemes that include a user revocation mechanism. In our schemes, the PKG constructs an identity-dependent long-term key for all users and periodically generates update keys related to their identities and time periods for non-revoked users. Only non-revoked users can re-randomize the secret key and the update key to generate a corresponding signing key; therefore, our schemes are resistant to signing key exposure attacks. In the standard model, we prove that our schemes are secure under the CDH assumption. In particular, our SA-RIDPRS scheme substantially reduces the verifier’s computational burden. However, the security of our schemes relies on the hardness assumption of the CDH problem, which can be easily solved by quantum algorithms. In the future, we plan to construct a post-quantum secure RIDPRS scheme.

## Acknowledgments

The authors would like to thank anonymous reviewers for their constructive suggestions.

## References

- 1. Kumari S, Chaudhry SA, Wu F, Li X, Farash MS, Khan M.K (2017) An improved smart card based authentication scheme for session initiation protocol. Peer-to-Peer Networking and Applications 10(1): 92–105.
- 2. Li X, Niu J, Liao J, Liang W (2015) Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update. International Journal of Communication Systems 28(2): 374–382.
- 3. Kumari S, Khan MK (2014) More secure smart card-based remote user password authentication scheme with user anonymity. Security and Communication Networks 7(11): 2039–2053.
- 4. Li F, Khan MK (2012) A biometric identity-based signcryption scheme. Future Generation Computer Systems 28(1): 306–310.
- 5. Wang X, Guo W, Zhang W, Khan MK, Alghathbar K (2013) Cryptanalysis and improvement on a parallel keyed hash function based on chaotic neural network. Telecommunication Systems 52(2): 515–524.
- 6.
Li X, Niu J, Kumari S, Wu F, Choo KKR (2017) A robust biometrics based three-factor authentication scheme for global mobility networks in smart city. Future Generation Computer Systems. Available from: https://doi.org/10.1016/j.future.2017.04.012.
- 7. Li X, Ibrahim MH, Kumari S, Sangaiah AK, Gupta V, Choo KKR (2017) Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks. Computer Networks 129: 429–443.
- 8. Li X, Niu J, Kumari S, Wu F, Sangaiah AK, Choo KKR (2018) A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments. Journal of Network and Computer Applications 103: 194–204.
- 9. Farash MS, Chaudhry SA, Heydari M, Sadough S, Mohammad S, Kumari S, Khan MK (2017) A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security. International Journal of Communication Systems.
- 10. Kutubi MAAR, Alam KMR, Tahsin R, Ali GMN, Chong PHJ, Morimoto Y (2017) An off-line electronic payment system based on an untraceable blind signature scheme. KSII Transactions on Internet and Information Systems 11(5): 2628–2645.
- 11.
Kumar M, Katti CP, Saxena PC (2017) A secure anonymous e-voting system using identity-based blind signature scheme. In: Proc. International Conference on Information Systems Security. pp. 29–49.
- 12.
Zhang L, Li C, Li Y, Luo Q, Zhu R (2017) Group signature based privacy protection algorithm for mobile ad hoc network. In: Proc. IEEE Information and Automation. pp. 947–952.
- 13. Annamalai R, Srikanth J, Prakash M (2015) Integrity and privacy sustenance of shared large scale images in the cloud by ring signature. International Journal of Computer Applications 114(12): 13–18.
- 14.
Sun SF, Au MH, Liu JK, Yuen TH (2017) RingCT 2.0: a compact accumulator-based (linkable ring signature) protocol for blockchain cryptocurrency monero. In: Proc. European Symposium on Research in Computer Security. pp. 456–474.
- 15.
Blaze M, Bleumer G, Strauss M (1998) Divertible protocols and atomic proxy cryptography. In: Proc. Advances in Cryptology-Eurocrypt’98. pp. 127–144.
- 16.
Ateniese G, Hohenberger S (2005) Proxy re-signatures: new definitions, algorithms, and applications. In: Proc. the 12th ACM conference on Computer and Communications Security. pp. 310–319.
- 17. Hong X, Gao J, Pan J, Zhang B (2017) Universally composable secure proxy re-signature scheme with effective calculation. Cluster Computing 78(20): 1–10.
- 18.
Hu X, Liu Y, Xu H, Wang J, Zhang X (2015) Analysis and improvement of certificateless signature and proxy re-signature schemes. In: Proc. Advanced Information Technology, Electronic and Automation Control Conference. pp. 166–170.
- 19. Yang X, Gao G, Li Y, Li Y, Wang C (2015) On-line/off-line threshold proxy re-signature scheme through the simulation approach. Applied Mathematics and Information Sciences 9(6): 3251–3261.
- 20.
Shao J, Cao Z, Wang L, Liang X (2007) Proxy re-signature schemes without random oracles. In: Proc. International Conference on Cryptology in India. pp. 197–209.
- 21. Feng J, Lan C, Jia B (2014) ID-based proxy re-signature scheme with strong unforgeability. Journal of Computer Applications 34(11): 3291–3294.
- 22.
Hu X, Zhang Z, Yang Y (2009) Identity based proxy re-signature schemes without random oracle. In: Proc. International Conference on Computational Intelligence and Security, pp. 256–259.
- 23. Tian M (2015) Identity-based proxy re-signatures from lattices. Information Processing Letters 115(4): 462–467.
- 24.
Wang Z, Lv W (2013) Server-aided verification proxy re-signature. In: Proc. 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications. pp. 1704–1707.
- 25. Canetti R, Goldreich O, Halevi S (2014) The random oracle methodology, revisited. Journal of the ACM (JACM) 51(4): 557–594.
- 26. Jia X, He D, Zeadally S, Li L (2017) Efficient revocable ID-based signature with cloud revocation server. IEEE Access 5: 2945–2954.
- 27. Lee K, Lee DH, Park JH (2017) Efficient revocable identity-based encryption via subset difference methods. Designs, Codes and Cryptography 85(1): 39–76.
- 28.
Ishida Y, Shikata J, Watanabe Y (2017) CCA-secure revocable identity-based encryption schemes with decryption key exposure resistance. International Journal of Applied Cryptography 3: 288–311. https://doi.org/10.1504/IJACT.2017.086229
- 29. Shen L, Zhang F, Sun Y, Ma J (2017) An efficient revocable ID-based encryption scheme in the standard model. International Journal of Embedded Systems 9(2): 168–176.
- 30. Tsai TT, Tseng YM, Wu TY (2013) Provably secure revocable ID-based signature in the standard model. Security and Communication Networks 6(10): 1250–1260.
- 31.
Lian Y, Xu L, Huang X (2013) Attribute-based signatures with efficient revocation In: Proc. Intelligent Networking and Collaborative Systems. pp. 573–577.
- 32.
Wei J, Huang X, Hu X, Liu W (2015) Revocable threshold attribute-based signature against signing key kxposure. In: Proc. Information Security Practice and Experience. pp. 316–330.
- 33.
Waters B (2005) Efficient identity-based encryption without random oracles. In: Proc. Eurocrypt 2005. pp. 114–127.
- 34. Fan CI, Sun WZ, Huang VSM (2010) Provably secure randomized blind signature scheme based on bilinear pairing. Computers and Mathematics with Applications 60(2): 285–293.