New Certificateless Aggregate Signature Scheme for ...downloads.hindawi.com/journals/scn/2018/2595273.pdf · ResearchArticle New Certificateless Aggregate Signature Scheme for Healthcare

Research ArticleNew Certificateless Aggregate Signature Scheme for HealthcareMultimedia Social Network on Cloud Environment

Libing Wu12 Zhiyan Xu 13 Debiao He 14 and Xianmin Wang 5

1The Computer School Wuhan University Wuhan China2The Co-Innovation Center for Information Supply amp Assurance Technology Anhui University Hefei China3The College of Computer Hubei University of Education Wuhan China4The State Key Laboratory of Cryptology Beijing China5The School of Computer Science and Educational Software Guangzhou University Guangzhou China

Correspondence should be addressed to Zhiyan Xu csxzywhueducn

Received 2 March 2018 Accepted 29 April 2018 Published 13 June 2018

Academic Editor Ilsun You

Copyright copy 2018 Libing Wu et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

With the application of sensor technology in the field of healthcare online data sharing in healthcare industry attracts moreand more attention since it has many advantages such as high efficiency low latency breaking the geographical location andtime constraints However due to the direct involvement of patient health information the privacy and integrity of medicaldata have become a matter of much concern to the healthcare industry To retain data privacy and integrity a number of digitalsignature schemes have been introduced in recent years Unfortunately most of them suffer serious security attacks and do notperform well in terms of computation overhead and communication overhead Very recently Pankaj Kumar et al proposed acertificateless aggregate signature scheme for healthcare wireless sensor networkThey claimed that their signature schemewas ableto withstand a variety of attacks However in this paper we find that their scheme fails to achieve its purpose since it is vulnerableto signature forgery attack and give the detailed attack process Then we propose a new certificateless aggregate signature schemeto fix the security flaws and formally prove that our proposed scheme is secure under the computationally hard Diffie-Hellmanassumption Security analysis and performance evaluation demonstrate that the security of our proposal is improvedwhile reducingthe computation cost Compared with Pankaj Kumar et als scheme our proposed scheme is more efficient and suitable for thehealthcare wireless sensor networks (HWSNs) to maintain security at various levels

1 Introduction

Wireless sensor network (WSN) has been widely used inmany fields such as retail entertainment medicine tourismindustry and emergency management [1] and it providesmany newopportunities for traditional applications of whichhealthcare is one of them Researchers have invented manysensor-based miniature medical devices to replace the tradi-tional thousands of wires connected to hospital equipmentand to increase the mobility of devices The combination ofcomputer network technology and medical field makes thehealthcare industry have more broad prospects for develop-ment [2]

The application of wireless sensor network technologyis mainly divided into two categories medical applications

and nonmedical applications [3] There are two main typesof devices used in medical applications wearable devices andimplanted devicesThe first category refers tomedical devicesthat are used on or near the surface of a human body and thehuman body canmove with the wearable devicesThe secondcategory refers tomedical devices injected inwith the humanbody

As shown in Figure 1 there is a general healthcarewirelesssensor network (HWSN) architecture which consists of thefollowing five components [4] sensor central control unitpatient cloud based network and healthcare professionalThe medical sensor node implanted on the patientrsquos bodyusing air as a transmission medium can transmit patientrsquoshealth data to a remote central control unit (CCU) for furtherprocessing then the health data is sent to the healthcare

HindawiSecurity and Communication NetworksVolume 2018 Article ID 2595273 13 pageshttpsdoiorg10115520182595273

2 Security and Communication Networks

WD

Sensor

CCU

Perso

nal H

ealth

Data

Personal Health Data

Report

Cloud Based Network

Healthcare ProfessionalPatient

Figure 1 A general healthcare wireless sensor network architecture

professional by CCU via Internet and the patientrsquos medicalreport is further generated

In the HWSN information is transmitted from medicalsensor devices to the healthcare professional who analyzes themedical information and further provides a suitable solutionIf the attacker modifies the medical message halfway thehealthcare professional could make a wrong diagnosis basedon the modified message which can be very dangerous tohuman life Because of the direct involvement of patienthealth information it is of crucial importance to address theissue of privacy and integrity of personal health data [5ndash7]

Motivatedwith the above scenariomany digital signatureschemes are proposed for healthcare wireless sensor network(HWSN) to protect the privacy and integrity of patient medi-cal information In this paper we first review Pankaj Kumaretalrsquos certificateless aggregate signature (CL-AS) scheme [8]and point out a previously undiscovered security flaw in thescheme that is we reveal that their proposed scheme suffersthe signature forgery attack We then propose a new CL-ASscheme for the issues of security and privacy in HWSN

11 Our Research Contributions In this paper we propose anew CL-AS scheme which could better protect the integrityand privacy of data in HMSNThemain contributions of thispaper are summarized as below

(i) Firstly we identify a security weakness against PankajKumar et alrsquos CL-AS scheme for HWSN

(ii) Secondly we redefine the architecture of a HWSNwhich is more close to the actual application environ-ment

(iii) Thirdly we propose a CL-AS scheme for HWSN tomend this security flaw and our new scheme cansatisfy the security requirements

(iv) Finally we prove the security of our proposed CL-AS scheme and show that it can improve the security

while reducing the computation cost compared withPankaj Kumar et alrsquos CL-AS scheme

12 Organization of the Paper The remainder of this paperis organized as below Section 2 introduces the related workSection 3 presents the problem statements associated withthis paper and then briefly reviews the CL-AS scheme forHWSN in Section 4 In Section 5 we demonstrate an attackagainst Pankaj Kumar et alrsquos CL-AS scheme for the HWSNFurthermore we present details of the proposed CL-ASscheme in Section 6 In Sections 7 and 8 the security proofand performance analysis of our scheme are described laterFinally we give a summary of this paper in the last section

2 Related Work

In the traditional PKI-based public key cryptography (PKC)as the number of users increases PKC will face a varietyof certificate management issues such as certificate distri-bution storage revocation and high computational cost[11]

Although identity-based public key cryptography (IBC)[12 13] can solve the problem of certificate managementexisting in PKC it has inherent key escrow issue Thisis because the userrsquos private key is generated by the keygeneration center (KGC) based on the userrsquos identity that isKGC can access any userrsquos private key in IBC

To solve the above problems Al-Riyami et al pro-posed certificateless public key cryptosystem (CL-PKC) [14]Because it does not use certificates and the private key isgenerated both by KGC and by the user himself it can solvecertificate management issue in PKC and the key escrowissue in IBC Since Al-Riyami et al introduced the notionof CL-PKC [14] it has attracted more and more researchattention and many certificateless signature (CLS) schemes[15ndash21] have been introduced by researchers

Security and Communication Networks 3

Huang et al [15] proved that the CLS scheme proposedin [14] is vulnerable to the public key replacement attackand further proposed an improved certificateless signaturescheme to solve this weakness Similarly Li et al [16] alsoproposed a new CLS scheme to improve the security of thescheme proposed in [17] which is subject to the public keyreplacement attack as well For a malicious KGC attack thatexists in some certificateless signature schemes Au et al [18]proposed an enhanced security model that allows maliciousKGC to generate key pairs in any way Nevertheless thecertificateless encryption and signature schemes proposed in[19ndash21] have been found to be insecure against maliciousKGC attack

Boneh et al proposed the concept of aggregate signature[22] in Eurocrypt 2003 The aggregator can aggregate 119899 dif-ferent signatures with respect to 119899 messages from 119899 users intoa single short signature which can reduce the bandwidthand computational effort of tiny devices used in HWSNTherefore the aggregate signature is a more suitable choice inresource-constrained HWSN

Combining certificateless public key cryptography withaggregate signature Gong et al [9] proposed the first CL-ASscheme but they did not give a formal security proof to thescheme After pioneer work [9] many CL-AS schemes [1023ndash28] have been proposed for various practical applicationsZhang and Zhang [23] redefined the concept and securitymodel for CL-AS Furthermore they put forward a new CL-AS scheme but their scheme need clock synchronized whilegenerating the aggregate signature and more seriously thescheme has been proved that it cannot resist malicious KGCattack Xiong et al [24] presented a CL-AS scheme butHe et al [25] showed that their scheme was forgeable andfurther proposed a new CL-AS scheme The CL-AS schemeproposed in [10] has been found to be insecure againstthe malicious-but-passive KGC attack by the researchers in[26ndash28]

Recently He and Zeadally [29] present an authenticationscheme for the Ambient Assisted Living (AAL) systemwhich provides technical support for medical monitoringand telehealth services He et al [30] put forward an effi-cient certificateless public auditing scheme for cloud-assistedwireless body area networks Very recently Pankaj Kumar etal proposed a CL-AS scheme for secure communication inHWSN [8] which is claimed to be able to achieve the mes-sage authentication and integrity audit functions while alsoachieving nonrepudiation and confidentiality Unfortunatelywe find that their CL-AS scheme is insecure and vulnerableto signature forgery attack from a malicious-but-passiveKGC

3 Problem Statement

Bilinear map and related hard problems are first describedand then system model of our proposed CL-AS scheme ispresented in this section After that system components ofCL-AS scheme are also described

31 Bilinear Map Suppose that 1198661 and 1198662 are two cyclicgroups with the same prime order 119902 where 1198661 is an additive

cyclic group with a generator 119875 and 1198662 is a multiplicativecyclic group 119890 1198661 times 1198661 rarr 1198662 is a bilinear map For all119875 119876 119879 isin 1198661 119886 119887 isin 119885lowast119902 and 119890 should satisfy the properties asfollows

(1) Bilinearity 119890(119875 119876 + 119879) = 119890(119875 119876)119890(119875 119879) and 119890(119886119875119887119876) = 119890(119886119887119875 119876) = 119890(119875 119886119887119876)(2) Nondegeneracy there exists 119875 isin 1198661 such that 119890(119875119875) = 1(3) Computability there exists efficient algorithm to

calculate 119890(119875 119876)32 Complexity Assumption

(1) Computational Diffie-Hellman (CDH) ProblemGivena generator 119875 of an additive cyclic group 1198661 with theorder 119902 and a random instance (119886119875 119887119875) it is difficultto compute 119886119887119875 where 119886 and 119887 are unknown

(2) Computational Diffie-Hellman (CDH) AssumptionThere does not exist adversary 119860 can solve the119862119863119867 problem in probabilistic polynomial time witha nonnegligible probability 120598 where 120598 gt 0 is a verysmall number

33 SystemModel Thearchitecture of our healthcarewirelesssensor network is shown in Figure 2 There are five entitiesin the framework of a healthcare wireless sensor networkmedical sensor node (MSN)medical server (MS) authorizedhealthcare professional (AHP) signature aggregator (SA)and aggregate signature verifier (ASV) Each entity is specif-ically defined as follows

(1) Medical sensor node Medical sensor node is aresource-limited medical small device on patientrsquosbody belonging to the Care-District Let 119868119863119894 denotethe identity and (119904119896119894 119901119896119894) denote the key pair of thesensor node Each sensor node can use its private keyto generate a signature for the relevant message andsend the signature to the signature aggregator

(2) Medical serverMedical server is a device with strongcomputing power and plenty of storage space whichcan handle a large amount of data received fromsensors It transmits the processed patientrsquos medicalinformation to the AHP In addition it is responsiblefor generating systemparameters119901119886119903119886119898119904 its ownkeypair (119904 119872119878119901119906119887) and the partial private key 119901119901119896119894 foreach sensor node corresponding to its identity andthen secretly sends 119901119901119896119894 to the sensor node

(3) Healthcare professionalHealthcare professional refersto an authorized medical personnel who providespatients with appropriate prescriptions by analyzingthe data information sensed by the sensors

(4) Aggregator Aggregator refers to a certain computingpower of device It is responsible for collecting a singlesignature from Care-District and then generating anaggregate signature and sending it to theMS Supposethat each Care-District contains one aggregator andmany sensors


Figure 2 The architecture of our healthcare wireless sensor network

(5) Aggregate signature verifier Aggregate signature veri-fier refers to a certain computing power of equipmentIt is responsible for verifying an aggregate signaturefrom different Care-District and then outputting averification result

34 System Components Our CL-AS scheme is a collectionof the following seven polynomial time algorithms as below

(1) Setup(1119896) rarr (119901119886119903119886119898119904 119904 119872119878119901119906119887) is a probabilisticalgorithm executed by the MS where 119896 is a securityparameter 119901119886119903119886119898119904 is the system parameters (119904119872119878119901119906119887) is the key pair of MS that is 119904 is the mastersecret key and 119872119878119901119906119887 is the master public key

(2) Partial-Private-Key-Gen (119901119886119903119886119898119904 119904 119872119878119901119906119887119868119863119894) rarr119901119901119896119894 is a probabilistic algorithm executed by the MSwhere 119901119886119903119886119898119904 is the system parameters (119904 119872119878119901119906119887)is the key pair of MS 119868119863119894 isin 0 1lowast is a MSNrsquos identityand 119901119901119896119894 is the partial private key corresponding tothe identity 119868119863119894 of the MSN

(3) User-Key-pair-Gen(119901119886119903119886119898119904 119901119901119896119894) rarr (119904119896119894 119901119896119894) is arandomized algorithm executed by the MSN withidentity 119868119863119894 where 119901119886119903119886119898119904 is the system parameters(119904 119872119878119901119906119887) is the key pair of MS and (119904119896119894 119901119896119894) is thekey pair of the MSN with the identity 119868119863119894

(4) Sign(119901119886119903119886119898119904 (119904119896119894 119901119896119894) Δ 119868119863119894 119898119894) rarr 120590119894 is a random-ized algorithm executed by the signer where 119901119886119903119886119898119904is the system parameters (119904119896119894 119901119896119894) is the key pair ofthe signerΔ is the state information 119868119863119894 is the signerrsquosidentity 119898119894 is the message and 120590119894 is the signature onthe message 119898119894

(5) Verify(119901119886119903119886119898119904 Δ 119868119863119894 119898119894 119901119896119894 120590119894) rarr ldquo0rdquo ldquo1rdquo is aprobabilistic algorithm executed by the verifier where119901119886119903119886119898119904 is the system parameters 119868119863119894 is the signerrsquosidentity 119901119896119894 is the public key of the signer 119898119894 is themessage and 120590119894 is the signature on the message 119898119894 1or 0 as outputs to indicate whether the signature 120590119894 isvalidated

(6) Aggregate(119901119886119903119886119898119904 119868119863119894 119898119894 119901119896119894 120590119894)1le119894le119899 rarr 120590 is adeterministic algorithm executed by the aggregatorwhere 119901119886119903119886119898119904 is the system parameters 119868119863119894 is thesignerrsquos identity 119901119896119894 is the public key of the signer 119898119894is the message 120590119894 is the signature on the message 119898119894and 120590119894 is the signature on the message 119898119894

(7) Aggregate-Verify (119901119886119903119886119898119904 Δ 119868119863119894 119898119894 119901119896119894 120590)1le119894le119899 rarrldquo0rdquo ldquo1rdquo is a deterministic algorithm executed bythe aggregate verifier where 119901119886119903119886119898119904 is the systemparameters and 120590 is the aggregate signature of themessage 119898119894 on the identity 119868119863119894 with public key 1199011198961198941 or 0 act as outputs to indicate whether aggregatesignature 120590 is validated

35 Attack Model In the attack model we introduce anadversary 119860 isin 1198601 1198602 in our model Arsquos ultimate goal isto successfully forge the userrsquos signature on the message 119860possesses with the following capabilities

(1) 119860 can access any hash oracle and correspondingqueries in the security model

(2) 1198601 simulates an outsider attacker who cannot obtainthe master key but can replace any userrsquos public keywith a value of his choice

(3) 1198602 simulates an honest-but-curious MS who is aninsider attacker and has no power to replace any userrsquospublic key but can access the system master key

4 Review of Pankaj Kumar et alrsquos Scheme

Pankaj Kumar et alrsquos CL-AS scheme is composed of sevenalgorithms ie 119878119890119905119906119901119875119886119903119905119894119886119897minus119875119903119894V119886119905119890minus119870119890119910minus119866119890119899119875119903119894V119886119905119890minus119870119890119910minus119866119890119899 119878119894119892119899119881119890119903119894119891119910119860119892119892119903119890119892119886119905119890 and119860119892119892119903119890119892119886119905119890minus119881119890119903119894119891119910The scheme details are described as below

41 Setup By executing the following operations after enter-ing the security parameter 119896 the MS generates the systemparameter 119901119886119903119886119898119904


(1) Generates two cyclic groups 1198661 and 1198662 with the sameorder 119902 where 119902 is a prime 119875 being a generator of 1198661119890 1198661 times 1198661 rarr 1198662 being a bilinear pairing

(2) Randomly selects a number 120572 isin 119885lowast119902 computes119872119878119901119906119887 = 120572119875 and sets 120572 as the master key and 119872119878119901119906119887as the public key of 119872119878

(3) Defines three hash functions 1198671 0 1 rarr 1198661 1198672 0 1 rarr 1198661 1198673 0 1 rarr 119885lowast119902(4) Keeps 120572 secret and 119901119886119903119886119898119904 = (1198661 1198662 119875 119902 119890 1198721198781199011199061198871198671 1198672 1198673) public

42 Partial-Private-Key-Gen By executing the followingoperations MS generates the userrsquos partial private key

(1) Given 119868119863119894 as the identity of a MS it computes 119876119868119863119894 =119867(119868119863119894) and 119901119901119896119868119863119894 = 120572119876119868119863119894 and sets 119901119901119896119868119863119894 as theuserrsquos partial private key

(2) It secretly sends 119901119901119896119868119863119894 to the corresponding MSN

43 Private-Key-Gen By executing the following operationsa sensor with the identity 119868119863119894 generates its private key andpublic key

(1) Selects a random number 119909119894 as the secret value(2) Sets 119901119901119896119868119863119894 119909119894 as its private key(3) Computes 119875119870119868119863119894 = 119909119894119875 as its public key

44 Sign By executing the following operations a signerwith the identity 119868119863119894 generates a signature 120590119894 on the message119898119894

(1) Inputs system parameters 119901119886119903119886119898119904 private key119901119901119896119868119863119894 secret key 119909119894 state information Δ andprivate-public key pair (119909119894 119875119870119868119863119894)

(2) Selects 119903119894 isin 119885lowast119902 randomly and then computes 119877119894 = 119903119894119875(3) Computes 119882 = 1198672(Δ) and ℎ119894 = 1198673(119898119894 119868119863119894 119875119870119868119863119894 119877119894)(4) Computes 119881119894 = 119901119901119896119868119863119894 + 119903119894119882 + ℎ119894119909119894119872119878119901119906119887(5) Outputs (119877119894 119881119894) as the signature of message 119898119894

45 Verify By executing the following operations the verifierverifies the signature 120590119894 = (119877119894 119881119894) of message 119898119894 on identity119868119863119894

(1) Inputs the state information Δ(2) Computes 119876119868119863119894 = 1198671(119868119863119894) 119882 = 1198672(Δ) and ℎ119894 =1198673(119898119894 119868119863119894 119875119870119868119863119894 119877119894)(3) Verifies

119890 (119881119894 119875) = 119890 (119876119868119863119894 + ℎ119894119875119870119868119863119894 119872119878119901119906119887) 119890 (119877119894 119882) (1)

(4) If (1) holds emits 1 and the verifier accepts thesignature 120590119894 otherwise emits 0 and rejects

46 Aggregate By executing the following operations anaggregator generates the aggregate signature 120590 from user-message-public key-signature pairs (119868119863119894 119898119894 119875119870119894 120590119894)1le119894le119899

(1) Inputs 119899 tuples (119868119863119894 119898119894 119875119870119894 120590119894) where 1 le 119894 le 119899(2) Computes 119881 = sum119899119894=1 119881119894(3) Outputs 120590 = (119877 119881) as the aggregate signature where119877 = 1198771 1198771 119877119899

47 Aggregate-Verify By executing the following operationsthe aggregate verifier verifies the validity of the aggregatesignature 120590 = (119877 119881)

(1) Inputs the state information Δ the tuples (119868119863119894119898119894 119875119870119894 120590119894)1le119894le119899 and the aggregate signature 120590 = (119877119881)(2) For 1 le 119894 le 119899 computes 119876119868119863119894 = 1198671(119868119863119894) 119882 = 1198672(Δ)

and ℎ119894 = 1198673(119898119894 119868119863119894 119875119870119868119863119894 119877119894)(3) Verifies

119890 (119881 119875)= 119890 ( 119899sum119894=1

(119876119868119863119894 + ℎ119894119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119894=1

119877119894 119882) (2)

(4) If (2) holds emits 1 and the verifier accepts theaggregate signature 120590 otherwise emits 0 and rejects

5 Attack on Pankaj Kumar et alrsquosCL-AS Scheme

As we know that the signature of 120590119894 = (119877119894 119881119894) of message 119898119894on identity 119868119863119894 should be unforgeable However a maliciousMS or an outside attacker may try to forge the signatureOnce the MS or the outside attacker successfully forges thesignature directly or indirectly heshe finishes the signatureforgery attack

In this section we mainly consider the type 2 adversary1198602 and first make a security analysis for Pankaj Kumar et alrsquosCL-AS scheme and then we demonstrate that it is vulnerableto the signature forgery attack the attack details are describedas follows

Setup The challenger executes the 119878119890119905119906119901 algorithm to gen-erate system parameters 119901119886119903119886119898119904 and master key 120572 Then itreturns 119901119886119903119886119898119904 and 120572 to the adversary 1198602Queries The adversary 1198602 could get the signature 120590119895 on themessage 119898119895 signed by 119878119894 with the identity 119868119863119894 via signaturequeries where

120590119895 = 119877119895 = 119903119895119875119881119895 = 119901119901119896119868119863119894 + 119903119895119882 + ℎ119895119909119894119872119878119901119906119887 (3)

Forgery In order to forge the signature 120590lowast119896 on119898119896 signed by 119878119894with the identity 119868119863119894 the adversary 1198602 implements its attackas follows


(1) Lets 119877lowast119896 = 119903lowast119896119875 = 119877119895 = 119903119895119875(2) Computes ℎlowast119896 = 1198673(119898119896 119868119863119894 119875119870119868119863119894 119877lowast119896 )

Verify It is easy to verify the validity of the forged signature120590lowast119896 The verifier calculates 119876119868119863119894 = 1198671(119868119863119894) and 119882 =1198672(Δ) Furthermore the verifier calculates ℎlowast119896 = 1198673(119898119896119868119863119894 119875119870119868119863119894 119877lowast119896 ) Then we use the forged signature 120590lowast119896 to verify(1) and the concrete process is as follows

119890 (119881lowast119896 119875) = 119890 (119901119901119896119868119863119894 + 119903119895119882 + ℎlowast119896120572119875119870119868119863119894 119875)= 119890 (120572119876119868119863119894 119875) 119890 (119903119895119882 119875) 119890 (ℎlowast119896120572119875K119868119863119894 119875)= 119890 (119876119868119863119894 119872119878119901119906119887) 119890 (119903119895119875 119882) 119890 (ℎlowast119896119875119870119868119863119894 119872119878119901119906119887)= 119890 (119876119868119863119894 + ℎlowast119896119875119870119868119863119894 119872119878119901119906119887) 119890 (119877lowast119896 119882)

(4)

Aggregate-Verify It is easy to verify the validity of the forgedsignature 120590lowast For 1 le 119894 le 119899 the verifier calculates 119876119868119863119894 =1198671(119868119863119894) and ℎlowast119896 = 1198673(119898119896 119868119863119894 119875119870119868119863119894 119877lowast119896 ) Furthermore theverifier calculates 119882 = 1198672(Δ) Then we use the forgedsignature to verify (2) the concrete process is as follows

119890 (119881lowast 119875) = 119890 ( 119899sum119896=1

(119901119901119896119868119863119894 + 119903lowast119896119882 + ℎlowast119896120572119875119870119868119863119894) 119875)

= 119890 ( 119899sum119896=1

(120572119876119868119863119894 + ℎlowast119896120572119875119870119868119863119894) 119875) 119890 ( 119899sum119896=1

119903119895119882 119875)

= 119890 ( 119899sum119896=1

(119868119863119894 + ℎlowast119896119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119896=1

119903119895119882 119875)

= 119890 ( 119899sum119896=1

(119876119868119863119894 + ℎlowast119896119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119896=1

119877lowast119896 119882)

(5)

We can find that the signature verifications (1) and (2)hold That is the forged signature pass verification and themalicious KGC can forge the signature successfully PankajKumar et alrsquos CL-AS scheme is insecure

6 Our Proposed CL-AS Scheme

To overcome the security flaw of the original scheme wepropose a new CL-AS scheme Our CL-AS scheme includesseven phases 119878119890119905119906119901 119875119886119903119905119894119886119897minus119875119903119894V119886119905119890minus119870119890119910minus119866119890119899 119875119903119894V119886119905119890minus119870119890119910minus119866119890119899 119878119894119892119899119881119890119903119894119891119910119860119892119892119903119890119892119886119905119890 and119860119892119892119903119890119892119886t119890minus119881119890119903119894119891119910The scheme details are described as below

61 Setup By executing the following operations MS gener-ates the system parameters after taking a security parameter119896


(2) Randomly selects a number 119904 isin 119885lowast119902 as the master keyof MS and calculates 119872119878119901119906119887 = 119904119875 as the public key of119872119878

(3) Chooses four hash functions 1198671 0 1 rarr 1198661 1198672 0 1 rarr 1198661 ℎ1 0 1 rarr 119885lowast119902 and ℎ2 0 1 rarr 119885lowast119902(4) Keeps the master key 119904 secret and the system param-

eters 119901119886119903119886119898119904 = (1198661 1198662 119875 119890 119902 119872119878119901119906119887 1198671 1198672 ℎ1 ℎ2)public

62 Partial-Private-Key-Gen By executing the followingoperations MS generates the MSNrsquos partial private key

(1) Given 119868119863119894 as aMSNrsquos identity MS first computes119876119894 =1198671(119868119863119894) and then computes the MSNrsquos partial privatekey 119901119901119896119894 = 119904119876119894


63 Private-Key-Gen By executing the following operationsa MSN with the identity 119868119863119894 generates its private key andpublic key

(1) Selects a random number 119909119894 as the secret value(2) Sets 119904119896119894 = 119901119901119896119894 119909119894 as its private key(3) Computes 119901119896119894 = 119909119894119875 as its public key


(1) Inputs system parameters 119901119886119903119886119898119904 state informationΔ and private-public key pair (119904119896119894 119901119896119894)(2) Selects 119903119894 isin 119885lowast119902 randomly and then calculates 119877119894 = 119903119894119875(3) Computes 120572119894 = ℎ1(119868119863119894 119901119896119894 119877119894) 120573119894 = ℎ2(119898119894 119868119863119894 119901119896119894119877119894) and 119880 = 1198672(Δ)(4) Computes 119881119894 = 120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880(5) Outputs 120590119894 = (119877119894 119881119894) as the signature of message 119898119894


(1) Inputs the state information Δ(2) Computes 120572119894 = ℎ1(119868119863119894 119901119896119894 119877119894) 120573119894 = ℎ2(119898119894 119868119863119894 119901119896119894119877119894) 119876119894 = 1198671(119868119863119894) and 119880 = 1198672(Δ)(3) Verifies

119890 (119881119894 119875) = 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880) (6)






(1) Inputs the state information Δ the tuples (119868119863119894119898119894 119901119896119894 120590119894)1le119894le119899 and the aggregate signature 120590 =(119877 119881)(2) Computes 119880 = 1198672(Δ) furthermore for 1 le 119894 le 119899

computes 119876119894 = 1198671(119868119863119894) 120572119894 = ℎ1(119868119863119894 119901119896119894 119877119894) and120573119894 = ℎ2(119898119894 119868119863119894 119901119896119894 119877119894)(3) Verifies

119890 (119881 119875)= 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119901119896119894 119880) (7)


7 Security Analysis

A certificateless aggregate signature scheme should satisfy thefollowing requirements correctness and unforgeability

71 Correctness

Theorem 1 The proposed certificateless aggregate scheme iscorrect if and only if the single signature and aggregatesignature generated by our scheme make (1) and (2) hold Thecorrectness of the protocol is elaborated as follows

119890 (119881119894 119875) = 119890 (120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)= 119890 (120572119894119901119901119896119894 119875) 119890 (119903119894119872119878119901119906119887 119875) 119890 (120573119894119909119894119880 119875)= 119890 (120572119894119876119894 119904119875) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 119872119878119901119906119887) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880)

(8)

and

119890 (119881 119875) = 119890 ( 119899sum119894=1

120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)

= 119890 ( 119899sum119894=1

120572119894119901119901119896119894 119875) 119890 ( 119899sum119894=1

119903119894119872119878119901119906119887 119875)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119880 119875) = 119890 ( 119899sum119894=1

120572119894119876119894 119904119875)

sdot 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119909119894119875 119880)

= 119890 ( 119899sum119894=1

120572119894119876119894 119872119878119901119906119887) 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119875 119880) = 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119901119896119894 119880)(9)

72 Unforgeability In this subsection we first give the secu-rity model of CL-AS scheme and then give the security proofto show that the proposal is secure under the security model

Security Model There are two types of adversaries in theCL-AS security model 1198601 and 1198602 1198601 simulates an outsiderattacker who cannot obtain the master key but can replaceany userrsquos public key with a value of his choice while 1198602simulates an honest-but-curious KGC who is an insiderattacker and has no power to replace any userrsquos public key butcan access the system master key

Definition 2 The security model of a CL-AS scheme isdefined by two games (denoted by Game1 and Game2)played between an adversary 119860 isin 1198601 1198602 and a challenger119862 more details are defined below

The adversary 119860 can access the following random oraclemachines in the scheme

Hashqueries119860 can access any hash oracle in the schemeincluding 1198671 1198672 ℎ1 and ℎ2

Setup 119862 performs the 119878119890119905119906119901 algorithm to generate themaster key 119904 and the system parameter list 119901119886119903119886119898119904 Then119862 gives the corresponding response for different types ofadversary

Reveal-Partial-private-key While 119860 submits a partialprivate key query on the identity 119868119863119894 to challenger119862 it checksif there is a record that corresponds to the identity 119868119863119894 inthe 119871119901119901119896 list and if found sends 119901119901119896119894 to 119860 otherwise if119868119863119894 = 119868119863119905119904 it aborts otherwise it generates the partial privatekey 119901119901119896119894 sends it to 119860 and stores it in the list 119871119901119901119896

Reveal-Secret-keyWhile 119860 submits a secret value queryon the identity 119868119863119894 to challenger119862 it checks if there is a recordthat corresponds to the identity 119868119863119894 in the list119871119909 and if foundsends 119909119894 to 119860 otherwise if 119868119863119894 = 119868119863119905119904 it aborts otherwise itgenerates the secret value 119909119894 and sends it to 119860 and stores it inthe list 119871119909

Reveal-Public-KeyWhen adversary 119860 submits a publickey query on the identity 119868119863119894 to challenger119862 it checks if thereis a record that corresponds to the identity 119868119863119894 in the list 119871119901119896if found sends 119901119896119894 to 119860 otherwise it generates the public key119901119896119894 sends it to 119860 and stores it in the list 119871119901119896

Replace-Public-key While 119860 submits a query thatreplaces the public key on the identity 119868119863119894 with 1198601015840119904 choiceof public key 119901119896lowast119894 to challenger 119862 119862 checks if there isa record that corresponds to the identity 119868119863119894 in the list119871119901119896 and if found then it updates the corresponding item


(119868119863119894 119909119894 119901119896119894 119901119901119896119894) to (119868119863119894 119909119894 119901119896lowast119894 119901119901119896119894) in the list 119871119901119896otherwise it aborts

SignWhile 119860 submits a signature query on the message119898119894 with the signerrsquos identity 119868119863119894 to challenger 119862 119862 executesone of the following operations

(1) If the target user 119868119863119894 has not been created it aborts(2) If the target user 119868119863119894 has been created and the related

user public key 119901119896119894 has not been replaced then itreturns a valid signature 120590119894

(3) If the target user 119868119863119894 has been created and thecorresponding user public key 119901119896119894 has been replacedwith 119901119896lowast119894 then it returns a signature 120590lowast119894

We respectively define two games to describe two differenttypes of attackers in the CLS as shown below

Game1 The challenger 119862 interacts with adversary 1198601 asfollows

(1) Inputting 119896 as a security parameter 119862 performs the119878119890119905119906119901 algorithm to generate the master key 119904 and thesystem parameter list 119901119886119903119886119898119904 Then 119862 sends 119901119886119903119886119898119904to 1198601 and keeps 119904 secret

(2) 1198601 is capable of accessing any hash oracle in thescheme and119877119890V119890119886119897minus119875119886119903119905119894119886119897minus119875119903119894V119886119905119890minus119870119890119910119877119890V119890119886119897minus119878119890119888119903119890119905 minus 119870119890119910 119877119890V119890119886119897 minus 119875119906119887119897119894119888 minus 119870119890119910 119877119890119901119897119886119888119890 minus119875119906119887119897119894119888 minus 119870119890119910 and 119878119894119892119899 queries at any stage duringthe simulation in polynomial bound

Forgery 1198601 outputs an aggregate signature 120590lowast withrespect to 119899 user-message-public key-signature pairs (119868119863lowast119894 119898lowast119894 119901119896lowast119894 120590lowast119894 ) where 1 le 119894 le 119899 We say that 1198601 wins 1198661198861198981198901 ifand only if the following conditions are met

(1) 120590lowast is a valid aggregate signature with respect touser-message-public key-signature pairs (119868119863lowast119894 119898lowast119894 119901119896lowast119894 120590lowast119894 ) where 1 le 119894 le 119899

(2) The targeted identity 119868119863lowast119894 has not been submittedduring the 119877119890V119890119886119897 minus 119875119886119903119905119894119886119897 minus 119875119903119894V119886119905119890 minus 119870119890119910 query

(3) (119868119863lowast119894 119898lowast119894 ) has not been submitted during the 119878119894119892119899query


(1) Inputting 119896 as a security parameter 119862 performs the119878119890119905119906119901 algorithm to generate the master key 119904 and thesystem parameter list 119901119886119903119886119898119904 Then 119862 sends 119901119886119903119886119898119904and 119904 to 1198602

(2) 1198602 is capable of accessing any hash oracle in thescheme and119877119890V119890119886119897minus119875119886119903119905119894119886119897minus119875119903119894V119886119905119890minus119870119890119910119877119890V119890119886119897minus119875119906119887119897119894119888minus119870119890119910 and 119878119894119892119899 queries at any stage during thesimulation in polynomial bound



(2) The targeted identity 119868119863lowast119894 has not been submittedduring the 119877119890V119890119886119897 minus 119878119890119888119903119890119905 minus 119870119890119910 query


Provable Security In this section we demonstrate that thenew CL-AS scheme is secure under the security modeldescribed in the previous subsection Our security proofconsists of two parts

In this section we prove that our proposedCL-AS schemeis secure under the security model present in the previoussection and the specific process is described in the followingtwo parts (1) the CL-AS is unforgeable to type 1 adversary1198601and (2) the CL-AS scheme is unforgeable to type 2 adversary1198602Theorem 3 The proposed CL-AS scheme is existentiallyunforgeable against type 1 adversary 1198601 if the CDH problem isdifficult to solve in 1198661Proof We can prove the unforgeability of our CL-AS schemeagainst type 1 adversary with Game1 that involves 1198601 and analgorithm called simulator 119862

Given a random instance of the CDH problem (119875 1198761 =119886119875 1198762 = 119887119875) where 119875 is a generator of 1198661 our ultimate goalis to find the result of 119886119887119875 by solving the CDH problem

(i) Setup 119862 randomly chooses 119868119863119905119904 as the target identityof sensor challenged sets119872119878119901119906119887 = 1198761 = 119886119875 and gen-erates and returns system parameter 119901119886119903119886119898119904 = 11986611198662 119875 119890 119902 119872119878119901119906119887 1198671 1198672 ℎ1 ℎ2 to 1198601 1198601 performsthe inquiries as follows

(ii) 1198671 query 119862 maintains a list denoted 1198711198671 and thestructure of 1198711198671 is (119868119863119894 120575119894 120576119894 119876119894) all the elementsin 1198711198671 are initialized to null When 1198601 performs thequery with the identity 119868119863119894 119862 checks whether a tuple(119868119863119894 120575119894 120576119894 119876119894) exists in 1198711198671 if it exists it returns 119876119894to 1198601 otherwise 119862 randomly selects 120576119894 isin 0 1 and120575119894 isin 119885lowast119902 If 120576119894 = 0 set 119876119894 = 120575119894119875 otherwise if 120576119894 = 1 set119876119894 = 1205751198941198762 = 120575119894119887119875 It returns119876119894 to1198601 and stores (119868119863119894120575119894 120576119894 119876119894) to 1198711198671

(iii) 1198672 query 119862 maintains a list denoted 1198711198672 and thestructure of 1198711198672 is (119872119878119901119906119887 120599 119880) all the elementsin 1198711198672 are initialized to null When 1198601 executes thequery with 119872119878119901119906119887 119862 checks if a tuple (119872119878119901119906119887 120599 119880)exists in 1198711198672 if it exists it returns 119880 to 1198601 otherwise119862 randomly selects 120599 isin 119885lowast119902 and computes 119880 = 120599119875 Itreturns 119880 to 1198601 and stores (119872119878119901119906119887 120599 119880) to 1198711198672

(iv) ℎ1 query 119862 maintains a list denoted 119871ℎ1 and thestructure of 119871ℎ1 is (119868119863119894 119901119896119894 119877119894 120572119894) all the elements in119871ℎ1 are initialized to nullWhen1198601 executes the querywith the tuple (119868119863119894 119901119896119894 119877119894) 119862 check whether a tuple


(119868119863119894 119901119896119894 119877119894 120572119894) exists in 119871ℎ1 if it exists it returns 120572119894to 1198601 otherwise 119862 randomly selects 120572119894 It returns 120572119894to 1198601 and stores (119868119863119894 119901119896119894 119877119894 120572119894) to 119871ℎ1

(v) ℎ2 query119862maintains a list denoted119871ℎ2 and the struc-ture of 119871ℎ2 is (119898119894 119868119863119894 119901119896119894 119877119894 120573119894) all the elements in119871ℎ2 are initialized to nullWhen1198601 executes the querywith the tuple (119898119894 119868119863119894 119901119896119894 119877119894) 119862 checks if a tuple(119898119894 119868119863119894 119901119896119894 119877119894 120573119894) exists in 119871ℎ2 if it exists it returns120573119894 to 1198601 otherwise 119862 randomly selects 120573119894 It returns120573119894 to 1198601 and stores (119898119894 119868119863119894 119901119896119894 119877119894 120573119894) to 119871ℎ2

(vi) Reveal-Partial-Private-Key queries 119862 maintains a listdenoted 119871119901119901119896 and the structure of 119871119901119901119896 is (119868119863119894 119901119901119896119894)all the elements in 119871119901119901119896 are initialized to null When1198601 executes the querywith 119868119863119894119862first checkswhether119868119863119894 = 119868119863119905119904 if it holds output perp otherwise 119862checks whether a tuple (119868119863119894 119901119901119896119894) exists in 119871119901119901119896 ifit exists it returns 119901119901119896119894 to 1198601 otherwise 119862 recalls thecorresponding tuple (119868119863119894 120575119894 120576119894 119876119894) from the list 1198711198671and computes119901119901119896119894 = 120575119894119872119878119901119906119887 = 119886120575119894119875 It returns119901119901119896119894to 1198601 and stores (119868119863119894 119901119901119896119894) to 119871119901119901119896

(vii) Reveal-Secret-Key-queries 119862 maintains a list denoted119871119909 and the structure of 119871119909 is (119868119863119894 119909119894) all the ele-ments in 119871119909 are initialized to null When1198601 performsthe query with the identity 119868119863119894 119862 first checks if119868119863119894 = 119868119863119905119904 if it holds output perp otherwise 119862 checkswhether a tuple exists in (119868119863119894 119909119894) if it exists it returns119909119894 to 1198601 otherwise 119862 randomly selects 119909119894 It returns119909119894 to 1198601 and stores 119909119894 to (119868119863119894 119909119894)

(viii) Reveal-Public-Key queries 119862 maintains a list denoted119871119901119896 and the structure of 119871119901119896 is (119868119863119894 119901119896119894) all theelements in 119871119901119896 are initialized to null When 1198601performs the query with the identity 119868119863119894 119862 checkswhether a tuple (119868119863119894 119901119896119894) exists in 119871119901119896 if it exists119901119896119894it returns 119901119896119894 to 1198601 otherwise it accesses 119871119909 to get119909119894 and computes 119901119896119894 = 119909119894119875 It returns 119901119896119894 to 1198601 andstores (119868119863119894 119901119896119894) to 119871119901119896

(ix) Replace-Public-Key queries When 1198601 executes thequery with the identity (119868119863119894 119901119896lowast119894 ) in response 119862replaces the real public key119901119896119894 of 119868119863119894 with119901119896lowast119894 chosenby 1198601 in the list 119871119901119896

(x) Sign queries When 1198601 performs the query with theuser identity 119868119863119894 and public key 119901119896119894 message 119898119894 119862accesses 1198711198671 1198711198672 119871ℎ1 and 119871ℎ2 to get 120576119894 119876119894 119880 120572119894and 120573119894 respectively Furthermore 119862 randomly selects119903119894 and computes 119877119894 = 119903119894119875 if 120576119894 = 0 119862 computes119881119894 = 120575119894120572119894119872119878119901119906119887+119903119894119872119878119901119906119887+120573119894120599119901119896119894 otherwise if 120576119894 = 1119862 computes 119881119894 = 120575119894120572119894119887119872119878119901119906119887 + 119903119894119872119878119901119906119887 + 120573119894120599119901119896119894It returns 120590119894 = (119877119894 119881119894) to 1198601 as the signature of themessage 119898119894 on the user identity 119868119863119894 with the publickey 119901119896119894

(xi) Forgery Finally1198601 outputs a forged aggregate signa-ture 120590lowast = (119877lowast 119881lowast) from message-identity-public keypairs (119898lowast119894 119868119863lowast119894 119901119896lowast119894 ) where 1 le 119894 le 119899 If all 120576119894 = 0hold 1198601 aborts otherwise without loss of generality

let 119868119863119905119904 = 1198681198631 that is 1205761 = 1 120576119894 = 0 (2 le 119894 le 119899) andthen the forged signature should make the followinghold

119890 (119881lowast 119875)= 119890 ( 119899sum119894=1

(120572lowast119894 119876lowast119894 + 119877lowast119894 ) 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880) (10)

where 119876lowast119894 = 120575lowast119894 119875 (2 le 119894 le 119899) 119876lowast1 = 120575lowast1 119887119875 119880 = 120599119875119881lowast = sum119899119894=1 119881lowast119894 and 119877lowast = 119877lowast1 119877lowast2 119877lowast119899 Furthermore the derivation process is shown as follows

119890 (119881lowast 119875) = 119890 ( 119899sum119894=1

(120572lowast119894 119876lowast119894 + 119877lowast119894 ) 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)

997904rArr 119890 (119881lowast 119875) = 119890 (119877lowast1 + 119899sum119894=2


sdot 119890 (120572lowast1119876lowast1 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 120599119875)997904rArr 119890 (120572lowast1119876lowast1 119872119878119901119906119887) = 119890 (119881lowast 119875)

sdot [119890 (119877lowast1 + 119899sum119894=2


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 120599119875)]minus1

997904rArr 119890 (120575lowast1120572lowast1 119886119887119875 119875) = 119890 (119881lowast 119875)sdot [119890 (119877lowast1 + 119899sum

119894=2


sdot 119890 ( 119899sum119894=1


997904rArr 120575lowast1120572lowast1 119886119887119875 = 119881lowast minus [(119903lowast1 + 119899sum119894=2

(120575lowast119894 + 119903lowast119894 )) 119872119878119901119906119887+ 119899sum119894=1

120573lowast119894 119909lowast119894 120599]

997904rArr 119886119887119875 = (119881lowast minus (119903lowast1 + 119899sum119894=2

(120575lowast119894 + 119903lowast119894 )) 119872119878119901119906119887minus 119899sum119894=1

120573lowast119894 119909lowast119894 120599) (120575lowast1120572lowast1 )minus1

(11)

However this contradicts the CDH assumption thus thesingle signature and aggregate signature generated by the newscheme are unforgeable


Theorem 4 The proposed certificateless aggregate scheme isexistentially unforgeable against type 2 adversary 1198602 if theCDH problem is difficult to solve in 1198661Proof We can prove the unforgeability of our CL-AS schemeagainst type 2 adversary withGame2 that involves 1198602 and analgorithm called simulator 119862


(i) Setup 119862 randomly chooses 119868119863119905119904 as the target identityof sensor challenged sets 119872119878119901119906119887 = 120582119875 and returnsmaster key 120582 and system parameter 119901119886119903119886119898119904 =1198661 1198662 119875 119890 119902 119872119878119901119906119887 1198671 1198672 ℎ1 ℎ2 to 1198602 1198602 per-forms the inquiries as follows

(ii) ℎ1 ℎ2 and Reveal-Secret-Value queries are the sameas the corresponding queries in Theorem 3 Since1198602 can access the master key there is no need tothe Reveal-Partial-Private-Key queries and Replace-Public-Key queries

(iii) 1198671 query 119862 maintains a list denoted 1198711198671 and thestructure of1198711198671 is (119868119863119894 120575119894 119876119894) all the elements in1198711198671are initialized to null When 1198602 performs the querywith the identity 119868119863119894 119862 checks whether a tuple 1198711198671is (119868119863119894 120575119894 119876119894) exists in 1198711198671 if it exists it returns 119876119894to1198602 otherwise119862 randomly selects 120575119894 and computes119876119894 = 120575119894119875 It returns 119876119894 to 1198602 and stores (119868119863119894 120575119894 119876119894)to 1198711198671

(iv) 1198672 query 119862 maintains a list denoted 1198711198672 and thestructure of 1198711198672 is (119872119878119901119906119887 120599 119885) all the elementsin 1198711198672 are initialized to null When 1198602 executes thequery with 119872119878119901119906119887 119862 checks whether a tuple (119872119878119901119906119887120599 119885) exists in 1198711198672 if it exists it returns 119880 to 1198602 oth-erwise 119862 randomly selects 120599 isin 119885lowast119902 and computes 119880 =1205991198761 = 120599119886119875 It returns 119880 to 1198602 and stores (119872119878119901119906119887120599 119880) to 1198711198672

(v) Reveal-Public-Key queries 119862 maintains a list denoted119871119901119896 and the structure of 119871119901119896 is (119868119863119894 120596119894 119901119896119894) allthe elements in 119871119901119896 are initialized to null When 1198602performs the query with the identity 119868119863119894 119862 checkswhether a tuple (119868119863119894 120596119894 119901119896119894) exists in 119871119901119896 if it exists119901119896119894 it returns 119901119896119894 to 1198602 otherwise 119862 randomlyselects120596119894 isin 0 1 if120596119894 = 0119862 accesses 119871119909 to get 119909119894 andcomputes 119901119896119894 = 119909119894119875 otherwise if120596119894 = 1119862 randomlyselects 119909119894 isin 119885lowast119902 and computes 119901119896119894 = 1199091198941198762 = 119909119894119887119875 Itreturns 119901119896119894 to 1198602 and stores (119868119863119894 120596119894 119901119896119894) to 119871119901119896

(vi) Sign queries When 1198602 performs the query withuserrsquos identity 119868119863119894 and public key 119901119896119894 message 119898119894 119862accesses 1198711198671 1198711198672 119871ℎ1 119871ℎ2 and 119871119901119896 to get 119876119894 119880 120572119894 120573119894and120596119894 respectively Furthermore119862 randomly selects119903119894 and computes 119877119894 = 119903119894119875 if 120596119894 = 0 119862 computes 119881119894 =120575119894120572119894119872119878119901119906119887 + 119903119894119872119878119901119906119887 + 120573119894120599119901119896119894 otherwise if 120596119894 = 1119862 computes 119881119894 = 120575119894120572119894119872119878119901119906119887 + 119903119894119872119878119901119906119887 + 120573119894120599119886119901119896119894It returns 120590119894 = (119877119894 119881119894) to 1198602 as the signature of the

message 119898119894 on userrsquos identity 119868119863119894 with the public key119901119896119894(vii) Forgery Finally1198602 outputs a forged aggregate signa-

ture 120590lowast = (119877lowast 119881lowast) from message-identity-public keypairs (119898lowast119894 119868119863lowast119894 119901119896lowast119894 ) where 1 le 119894 le 119899 If all 120596119894 = 0hold 1198602 aborts otherwise without loss of generalitylet 119868119863119905119904 = 1198681198631 that is 1205961 = 1 120596119894 = 0 (2 le 119894 le 119899) andthen the forged aggregate signature should satisfy

119890 (119881lowast 119875)= 119890 ( 119899sum119894=1

120572lowast119894 119876lowast119894 + 119877lowast119894 ) 119872119878119901119906119887)119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880) (12)

where 119876lowast119894 = 120575lowast119894 119875 119901119896lowast1 = 119909lowast1 119887119875 119901119896lowast119894 = 119909lowast119894 119875 (2 le119894 le 119899) 119880 = 120599119886119875 119881lowast = sum119899119894=1 119881lowast119894 and 119877lowast = 119877lowast1 119877lowast2 119877lowast119899 Furthermore the derivation process is shown as below

119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)

997904rArr 119890 (119881lowast 119875) = 119890 ( 119899sum119894=1




sdot [119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=2


997904rArr 119890 (120573lowast1 120599119886119887119875 119875) = 119890 (119881lowast 119875)sdot [119890 ( 119899sum

119894=1


sdot 119890 ( 119899sum119894=2


(13)

997904rArr 120573lowast1 120599119886119887119875 = 119881lowast minus [( 119899sum119894=1

(120575lowast119894 120572lowast119894 + 119903lowast119894 )) 119872119878119901119906119887

+ 119899sum119894=1

120573lowast119894 119909lowast119894 120599]


Table 1 Security comparisons

11986111 11986112 11986113 119878119875 11986121 11986122 11986123 119878119875Gongrsquos Scheme [9] 119873119900 119884119890119904 119873119900 119871 119884119890119904 119873119900 119873119900 119871liursquos Scheme [10] 119884119890119904 119884119890119904 119884119890119904 119867 119873119900 119873119900 119873119900 119871kumarrsquos Scheme [8] 119884119890119904 119884119890119904 119884119890119904 119867 119873119900 119873119900 119873119900 119871Our proposed Scheme 119884119890119904 119884119890119904 119884119890119904 119867 119884119890119904 119884119890119904 119884119890119904 119867

Table 2 symbol-operation-execution time

Symbol Operation Time (119898119904)119879119898119905119904 The time of performing a general hash operation in 119885lowast119902 00002119879119898119905119901 The time of performing a map-to-point operation in 1198661 9773119879119890119888119888minus119901119886 The time of performing a point addition operation in 1198661 0022119879119890119888119888minus119901119898 The time of performing a point multiplication operation in 1198661 3740119879119887119901 The time of performing a bilinear pairing operation 11515

997904rArr 119886119887119875 = (119881lowast minus ( 119899sum119894=1

(120575lowast119894 120572lowast119894 + 119903lowast119894 )) 119872119878119901119906119887minus 119899sum119894=1

120573lowast119894 119909lowast119894 120599) (120573lowast1 120599)minus1(14)


8 Security Comparisons andPerformance Analysis

In this section we first compare the security of the newlyproposed CL-AS schemewith the other three CL-AS schemesand further analyze the performance of the new CL-ASscheme by evaluating the computation overhead

81 Security Comparisons In this subsection we comparethe security of the newly proposed CL-AS scheme withthe other three CL-AS schemes [8ndash10] For the convenienceof description let 1198601 and 1198602 denote the type1 and thetype2 adversaries respectively Furthermore the two typesof adversaries are divided into three levels [31] where 1198611198941denotes general adversary 1198611198942 denotes strong adversary 1198611198943denotes super adversary respectively and 119894 isin 1 2 thevalue of 119894 corresponds to the type 119894 adversary 119884119890119904 denotesthat it can satisfy the corresponding security requirementand 119873119900 denotes that it cannot satisfy the correspondingsecurity requirement 119871 denotes the weaker security and 119867denotes the stronger security under the corresponding attacktypes 119878119875 denotes the security performance The securitycomparisons of the various schemes are listed in Table 1

As shown in Table 1 we can find that the first threeschemes (ie Gongrsquos scheme [9] liursquos scheme [10] andkumarrsquos scheme [8]) cannot satisfy all the security require-ments Especially for Gongrsquos two CL-AS schemes [9] underthe attacks of the type1 and the type2 adversaries none of

them can meet the security levels of 1198613 liu and kumarrsquosschemes cannot resist the malicious KGC attack (1198613 level)In contrast our CL-AS scheme can meet all the securityrequirements Hence our proposed CL-AS scheme has bettersecurity than that of the other three schemes

82 Performance Analysis In this section we analyze theperformance of our CL-AS scheme by evaluating the compu-tation overhead Comparedwith that of kumar et alrsquos schemeour implementation shows that the new proposal can satisfythe security requirement and provide an improved securitywhile reducing the computation cost

In order to achieve a credible security level we choose 119902and 119901 as 160-bits prime number and 512-bits prime numberrespectively A ate pairing 119890 1198661 times 1198661 rarr 1198662 is used in ourexperiments where1198661 and1198662 are cyclic groupswith the sameorder 119902 defined on the super singular elliptic curve 119864(119865119901) 1199102 = 1199093 + 1

We have implemented kumar et alrsquos scheme and thenewly proposed scheme with the MIRACL library [32]on a personal computer (Lenovo with Intel I5-3470 320GHz processor 4G bytes memory and Window 7 operatingsystem) For the sake of simplicity we firstly define thecorresponding relations related symbol-operation-executiontime as shown in Table 2

Because Setup Partial-Private-Key-Gen and Private-Key-Gen phases are executed by MS or user and all of them areone-time operation we laid stress on the comparisons of thecomputation cost in Sign Verify Aggregate and Aggregate-Verify phases

In 119878119894119892n phase the user in kumar et alrsquos scheme needs toperform one general hash operation in119885lowast119902 one map-to-pointhash operation in 1198661 two-point addition operations in 1198661and three-point multiplication operations in 1198661 Thereforethe running time of the 119878119894119892119899 phase is 119879119898119905119904 + 119879119898119905119901 + 2119879119890119888119888minus119901119886 +3119879119890119888119888minus119901119898 whereas the user in the new proposal needs toperform two general hash operations in 119885lowast119902 one map-to-point hash operation in 1198661 two-point addition operations in1198661 and four-pointmultiplication operations in1198661Therefore


Table 3 Computation cost comparisons (millisecond)

kumarrsquos Scheme [8] Our Proposed Scheme119878119894119892119899 119879119898119905119904 + 119879119898119905119901 + 2119879119890119888119888minus119901119886 + 3119879119890119888119888minus119901119898 asymp 210372 2119879119898119905119904 + 119879119898119905119901 + 2119879119890119888119888minus119901119886 + 4119879119890119888119888minus119901119898 asymp 247774119881119890119903119894119891119910 119879119898119905119904 + 119879119898119905119901 + 119879119890119888119888minus119901119886 + 119879119890119888119888minus119901119898 + 3119879119887119901 asymp 480802 2119879119898119905119904 + 119879119898119905119901 + 119879119890119888119888minus119901119886 + 2119879119890119888119888minus119901119898 + 3119879119887119901 asymp 518204119860119892119903119903119890119892119886119905119890 99119879119890119888119888minus119901119886 asymp 2178 99119879119890119888119888minus119901119886 asymp 2178119860119892119892119903119890119892119886119905119890minus119881119890119903119894119891119910 100119879119898119905119904 + 200119879119898119905119901 + 298119879119890119888119888minus119901119886 + 100119879119890119888119888minus119901119898 + 3119879119887119901 asymp2369721 200119879119898119905119904 + 101119879119898119905119901 + 298119879119890119888119888minus119901119886 + 200119879119890119888119888minus119901119898 + 3119879119887119901 asymp1776214

the running time of the 119878119894119892119899 phase in our proposed schemeis 2119879119898119905119904 + 119879119898119905119901 + 2119879119890119888119888minus119901119886 + 4119879119890119888119888minus119901119898 milliseconds

In 119881119890119903119894119891119910 phase the verifier in kumar et alrsquos schemeneeds to perform one general hash operation in119885lowast119902 onemap-to-point hash operation in 1198661 one-point addition operationin 1198661 one-point multiplication operation in 1198661 and three-bilinear pairing operations Therefore the running time ofthe 119881119890119903119894119891119910 phase is 119879119898119905119904 + 119879119898119905119901 + 119879119890119888119888minus119901119886 + 119879119890119888119888minus119901119898 + 3119879119887119901whereas the verifier in the new proposal needs to performtwo general hash operations in 119885lowast119902 one map-to-point hashoperation in 1198661 one-point addition operation in 1198661 two-point multiplication operation in 1198661 and three-bilinearpairing operationsTherefore the running time of the 119881119890119903119894119891119910phase in our proposed scheme is 2119879119898119905119904 + 119879119898119905119901 + 119879119890119888119888minus119901119886 +2119879119890119888119888minus119901119898 + 3119879119887119901 milliseconds

In 119860119892119892119903119890119892119886119905119890 phase the aggregator in kumar et alrsquosscheme needs to perform 119899 minus 1 point addition operationsin 1198661 whereas the aggregator in the new proposal needs toperform 119899 minus 1 point addition operations in 1198661 We can findthat the running time of the 119860119892119892119903119890119892119886119905119890 phase in the twoschemes is equal to (119899 minus 1)119879119890119888119888minus119901119886 milliseconds

In 119860119892119892119903119890119892119886119905119890 minus 119881119890119903119894119891119910 phase the aggregate verifier inkumar et alrsquos scheme needs to perform 119899 general hashoperations in 119885lowast119902 2119899 map-to-point hash operations in 11986613119899 minus 2 point addition operations in 1198661 119899 point multiplicationoperations in 1198661 and three-bilinear pairing operationsTherefore the running time of the 119860119892119892119903119890119892119886119905119890 minus 119881119890119903119894119891119910phase is 119899119879119898119905119904 + 2119899119879119898119905119901 + (3119899 minus 2)119879119890119888119888minus119901119886 + 119899119879119890119888119888minus119901119898 + 3119879119887119901milliseconds whereas the verifier in the new proposal needsto perform 2119899 general hash operations in 119885lowast119902 119899 + 1 map-to-point hash operations in 1198661 3119899 minus 2 point addition operationsin 1198661 2119899 point multiplication operations in 1198661 and three-bilinear pairing operations Therefore the running time ofthe 119860119892119892119903119890119892119886119905119890 minus 119881119890119903119894119891119910 phase in our proposed scheme is2119899119879119898119905119904 + (119899 + 1)119879119898119905119901 + (3119899 minus 2)119879119890119888119888minus119901119886 + 2119899119879119890119888119888minus119901119898 + 3119879119887119901milliseconds

Assuming that 119899 = 100 in the119860119892119892119903119890119892119886119905119890 and119860119892119892119903119890119892119886119905119890minus119881119890119903119894119891119910 phases the computation overhead comparisons areshown in Table 3 and Figure 3 As can be seen from theresults in Table 3 and Figure 3 the computation overheadof our proposed CL-AS scheme is slightly higher than thatof kumar et alrsquos scheme for 119878119894119892119899 and 119881119890119903119894119891119910 phases In119860119892119892119903119890119892119886119905119890 phase the computation overheads of the twoschemes are equal whereas in the 119860119892119903119903119890119892119886119905119890 minus 119881119890119903119894119891119910 phasethe computation overhead of our scheme is much lowerthan that of kumar et alrsquos scheme However compared withthe total computation overheads of these four phases ourschemersquos computation overhead is reduced by 24 percentage

Figure 3 Computation cost comparisons

points compared with the that of kumar et alrsquos scheme [8]That is we enforce the security in a large extent with theefficiency increased by 24 in computation overhead

9 Conclusion

To ensure the privacy and integrity of patients medicalinformation several CL-AS schemes have been put forwardrecently In this paper we first investigate the techniquesof the data signature Then we show that Pankaj Kumar etalrsquos scheme is vulnerable against the malicious attack Thisattack is a serious threat from the inside attacker acting asa MS because it allows the adversary to forge a signature ofmessage 119898119895 using the signature of the message 119898119894 on signer119868119863119894

To overcome this security flaw we put forward a new CL-AS scheme for the issues of integrity and privacy in HMSNThe security analysis shows that our proposed CL-AS schemeis provably secure and can meet the security requirements inHMSN In addition the detailed performance analysis andevaluation demonstrate that our CL-AS scheme can achieve anovel security level while reducing the computation cost OurCL-AS scheme is robust against all types of attacks makingit more useful for protecting the integrity and privacy ofpatients medical information

Data Availability

The data used to support the findings of this study areavailable from the corresponding author upon request


Conflicts of Interest

The authors declare that they have no conflicts of interest

References

[1] D J Cook J C Augusto and V R Jakkula ldquoAmbient intelli-gence Technologies applications and opportunitiesrdquo Pervasiveand Mobile Computing vol 5 no 4 pp 277ndash298 2009

[2] Z Zhang and K Wang ldquoA trust model for multimedia socialnetworksrdquo Social Network Analysis and Mining vol 3 no 4 pp969ndash979 2013

[3] M Al Ameen J Liu and K Kwak ldquoSecurity and privacy issuesin wireless sensor networks for healthcare applicationsrdquo Journalof Medical Systems vol 36 no 1 pp 93ndash101 2012

[4] M R Yuce S W P Ng N L Myo J Y Khan and W LiuldquoWireless body sensor network using medical implant bandrdquoJournal of Medical Systems vol 31 no 6 pp 467ndash474 2007

[5] C Gao Q Cheng X Li and S Xia ldquoCloud-assisted privacy-preserving profile-matching scheme under multiple keys inmobile social networkrdquo Cluster Computing pp 1ndash9 2018

[6] Z Huang S Liu X Mao K Chen and J Li ldquoInsight of theprotection for data security under selective opening attacksrdquoInformation Sciences vol 412-413 pp 223ndash241 2017

[7] P Li J Li Z Huang C-Z Gao W-B Chen and K ChenldquoPrivacy-preserving outsourced classification in cloud comput-ingrdquo Cluster Computing pp 1ndash10 2017

[8] P Kumar S Kumari V Sharma A K Sangaiah J Wei and XLi ldquoA certificateless aggregate signature scheme for healthcarewireless sensor networkrdquo Sustainable Computing 2017

[9] G Zheng L Yu H Xuan and C Kefei ldquoTwo certificatelessaggregate signatures from bilinear mapsrdquo in Proceedings ofthe SNPD 2007 8th ACIS International Conference on Soft-ware Engineering Artificial Intelligence Networking and Paral-lelDistributed Computing pp 188ndash193 chn August 2007

[10] H Liu S Wang M Liang and Y Chen ldquoNew construction ofefficient certificateless aggregate signaturesrdquo International Jour-nal of Security and Its Applications vol 8 no 1 pp 411ndash422 2014

[11] W Diffie W Diffie and M E Hellman ldquoNew Directions inCryptographyrdquo IEEE Transactions on Information Theory vol22 no 6 pp 644ndash654 1976

[12] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in cryptology (Santa Barbara Calif1984) vol 196 of Lecture Notes in Comput Sci pp 47ndash53Springer Berlin 1985

[13] J Li J Li X Chen C Jia and W Lou ldquoIdentity-based encryp-tion with outsourced revocation in cloud computingrdquo Instituteof Electrical and Electronics Engineers Transactions on Comput-ers vol 64 no 2 pp 425ndash437 2015

[14] S S Al-Riyami and K G Paterson ldquoCertificateless public keycryptographyrdquo Asiacrypt vol 2894 pp 452ndash473 2003

[15] X Huang W Susilo Y Mu and F Zhang ldquoOn the security ofcertificateless signature schemes from Asiacrypt 2003rdquo LectureNotes in Computer Science (including subseries Lecture Notesin Artificial Intelligence and Lecture Notes in Bioinformatics)Preface vol 3810 pp 13ndash25 2005

[16] J Li X Huang YMu andWWu ldquoCryptanalysis and improve-ment of an efficient certificateless signature schemerdquo Journalof Communications and Networks vol 10 no 1 pp 10ndash17 2008

[17] W Yap S Heng and B Goi ldquoAn Efficient CertificatelessSignature Schemerdquo in Emerging Directions in Embedded and

Ubiquitous Computing vol 4097 of Lecture Notes in ComputerScience pp 322ndash331 2006

[18] M H Au J Chen J K Liu Y Mu D S Wong and G YangldquoMalicious KGC attacks in certificateless cryptographyrdquo inProceedings of the 2nd ACM Symposium on Information Com-puter and Communications Security ASIACCS rsquo07 pp 302ndash311March 2007

[19] A W Dent B t Libert and K Paterson ldquoCertificatelessencryption schemes strongly secure in the standard modelrdquo inPublic key cryptography vol 4939 of Lecture Notes in ComputSci pp 344ndash359 Springer Berlin 2008

[20] X Li K Chen and L Sun ldquoCertificateless signature andproxy signature schemes from bilinear pairingsrdquo LithuanianMathematical Journal vol 45 no 1 pp 95ndash103 2005

[21] J K Liu M H Au and W Susilo ldquoSelf-generated-certificatepublic key cryptography and certificateless signatureencryp-tion scheme in the standard modelrdquo in Proceedings of the 2ndACM Symposium on Information Computer and Communica-tions Security (ASIACCS rsquo07) pp 273ndash283 March 2007

[22] D Boneh C Gentry B Lynn and H Shacham ldquoAggregate andverifiably encrypted signatures from bilinear mapsrdquo in LectureNotes in Computer Science vol 2656 of Lecture Notes in ComputSci pp 416ndash432 Springer Berlin 2003

[23] L Zhang and F Zhang ldquoA new certificateless aggregate sig-nature schemerdquo Computer Communications vol 32 no 6 pp1079ndash1085 2009

[24] H Xiong Z Guan Z Chen and F Li ldquoAn efficient certificate-less aggregate signature with constant pairing computationsrdquoInformation Sciences vol 219 pp 225ndash235 2013

[25] D He M Tian and J Chen ldquoInsecurity of an efficient certif-icateless aggregate signature with constant pairing computa-tionsrdquo Information Sciences vol 268 pp 458ndash462 2014

[26] L Cheng Q Wen Z Jin H Zhang and L Zhou ldquoCryptanal-ysis and improvement of a certificateless aggregate signatureschemerdquo Information Sciences vol 295 pp 337ndash346 2015

[27] F Zhang L Shen and G Wu ldquoNotes on the security of certifi-cateless aggregate signature schemesrdquo Information Sciences vol287 pp 32ndash37 2014

[28] Y Zhang and C Wang ldquoComment on new construction ofefficient certificateless aggregate signaturesrdquo International Jour-nal of Security and Its Applications vol 9 no 1 pp 147ndash154 2015

[29] D He and S Zeadally ldquoAuthentication protocol for an ambientassisted living systemrdquo IEEECommunicationsMagazine vol 53no 1 pp 71ndash77 2015

[30] D He S Zeadally and L Wu ldquoCertificateless public auditingscheme for cloud-assisted wireless body area networksrdquo IEEESystems Journal no 99 pp 1ndash10 2015

[31] D He S Zeadally B Xu and X Huang ldquoAn Efficient Identity-Based Conditional Privacy-Preserving Authentication SchemeforVehicularAdHocNetworksrdquo IEEETransactions on Informa-tion Forensics and Security vol 10 no 12 pp 2681ndash2691 2015

[32] M Scott Miracla multiprecision integer and rational arith-metic cc++ library shamus software ltd Dublin Ireland 2003httpindigoiemscott

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


WD

Sensor

CCU

Perso

nal H

ealth

Data

Personal Health Data

Report

Cloud Based Network

Healthcare ProfessionalPatient

Figure 1 A general healthcare wireless sensor network architecture

professional by CCU via Internet and the patientrsquos medicalreport is further generated

In the HWSN information is transmitted from medicalsensor devices to the healthcare professional who analyzes themedical information and further provides a suitable solutionIf the attacker modifies the medical message halfway thehealthcare professional could make a wrong diagnosis basedon the modified message which can be very dangerous tohuman life Because of the direct involvement of patienthealth information it is of crucial importance to address theissue of privacy and integrity of personal health data [5ndash7]

Motivatedwith the above scenariomany digital signatureschemes are proposed for healthcare wireless sensor network(HWSN) to protect the privacy and integrity of patient medi-cal information In this paper we first review Pankaj Kumaretalrsquos certificateless aggregate signature (CL-AS) scheme [8]and point out a previously undiscovered security flaw in thescheme that is we reveal that their proposed scheme suffersthe signature forgery attack We then propose a new CL-ASscheme for the issues of security and privacy in HWSN

11 Our Research Contributions In this paper we propose anew CL-AS scheme which could better protect the integrityand privacy of data in HMSNThemain contributions of thispaper are summarized as below

(i) Firstly we identify a security weakness against PankajKumar et alrsquos CL-AS scheme for HWSN

(ii) Secondly we redefine the architecture of a HWSNwhich is more close to the actual application environ-ment

(iii) Thirdly we propose a CL-AS scheme for HWSN tomend this security flaw and our new scheme cansatisfy the security requirements

(iv) Finally we prove the security of our proposed CL-AS scheme and show that it can improve the security

while reducing the computation cost compared withPankaj Kumar et alrsquos CL-AS scheme

12 Organization of the Paper The remainder of this paperis organized as below Section 2 introduces the related workSection 3 presents the problem statements associated withthis paper and then briefly reviews the CL-AS scheme forHWSN in Section 4 In Section 5 we demonstrate an attackagainst Pankaj Kumar et alrsquos CL-AS scheme for the HWSNFurthermore we present details of the proposed CL-ASscheme in Section 6 In Sections 7 and 8 the security proofand performance analysis of our scheme are described laterFinally we give a summary of this paper in the last section

2 Related Work

In the traditional PKI-based public key cryptography (PKC)as the number of users increases PKC will face a varietyof certificate management issues such as certificate distri-bution storage revocation and high computational cost[11]

Although identity-based public key cryptography (IBC)[12 13] can solve the problem of certificate managementexisting in PKC it has inherent key escrow issue Thisis because the userrsquos private key is generated by the keygeneration center (KGC) based on the userrsquos identity that isKGC can access any userrsquos private key in IBC

To solve the above problems Al-Riyami et al pro-posed certificateless public key cryptosystem (CL-PKC) [14]Because it does not use certificates and the private key isgenerated both by KGC and by the user himself it can solvecertificate management issue in PKC and the key escrowissue in IBC Since Al-Riyami et al introduced the notionof CL-PKC [14] it has attracted more and more researchattention and many certificateless signature (CLS) schemes[15ndash21] have been introduced by researchers






3 Problem Statement













































119890 (119881119894 119875) = 119890 (119876119868119863119894 + ℎ119894119875119870119868119863119894 119872119878119901119906119887) 119890 (119877119894 119882) (1)






and ℎ119894 = 1198673(119898119894 119868119863119894 119875119870119868119863119894 119877119894)(3) Verifies

119890 (119881 119875)= 119890 ( 119899sum119894=1

(119876119868119863119894 + ℎ119894119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119894=1

119877119894 119882) (2)






120590119895 = 119877119895 = 119903119895119875119881119895 = 119901119901119896119868119863119894 + 119903119895119882 + ℎ119895119909119894119872119878119901119906119887 (3)






(4)


119890 (119881lowast 119875) = 119890 ( 119899sum119896=1

(119901119901119896119868119863119894 + 119903lowast119896119882 + ℎlowast119896120572119875119870119868119863119894) 119875)

= 119890 ( 119899sum119896=1

(120572119876119868119863119894 + ℎlowast119896120572119875119870119868119863119894) 119875) 119890 ( 119899sum119896=1

119903119895119882 119875)

= 119890 ( 119899sum119896=1

(119868119863119894 + ℎlowast119896119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119896=1

119903119895119882 119875)

= 119890 ( 119899sum119896=1

(119876119868119863119894 + ℎlowast119896119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119896=1

119877lowast119896 119882)

(5)








eters 119901119886119903119886119898119904 = (1198661 1198662 119875 119890 119902 119872119878119901119906119887 1198671 1198672 ℎ1 ℎ2)public










119890 (119881119894 119875) = 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880) (6)








119890 (119881 119875)= 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119901119896119894 119880) (7)


7 Security Analysis


71 Correctness


119890 (119881119894 119875) = 119890 (120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)= 119890 (120572119894119901119901119896119894 119875) 119890 (119903119894119872119878119901119906119887 119875) 119890 (120573119894119909119894119880 119875)= 119890 (120572119894119876119894 119904119875) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 119872119878119901119906119887) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880)

(8)

and

119890 (119881 119875) = 119890 ( 119899sum119894=1

120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)

= 119890 ( 119899sum119894=1

120572119894119901119901119896119894 119875) 119890 ( 119899sum119894=1

119903119894119872119878119901119906119887 119875)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119880 119875) = 119890 ( 119899sum119894=1

120572119894119876119894 119904119875)

sdot 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119909119894119875 119880)

= 119890 ( 119899sum119894=1

120572119894119876119894 119872119878119901119906119887) 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119875 119880) = 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119901119896119894 119880)(9)

















































119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (10)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)





sdot [119890 (119877lowast1 + 119899sum119894=2


sdot 119890 ( 119899sum119894=1



119894=2


sdot 119890 ( 119899sum119894=1




120573lowast119894 119909lowast119894 120599]




(11)













119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (12)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)

997904rArr 119890 (119881lowast 119875) = 119890 ( 119899sum119894=1




sdot [119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=2



119894=1


sdot 119890 ( 119899sum119894=2


(13)



+ 119899sum119894=1

120573lowast119894 119909lowast119894 120599]






























9 Conclusion



Data Availability





References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia







3 Problem Statement













































119890 (119881119894 119875) = 119890 (119876119868119863119894 + ℎ119894119875119870119868119863119894 119872119878119901119906119887) 119890 (119877119894 119882) (1)






and ℎ119894 = 1198673(119898119894 119868119863119894 119875119870119868119863119894 119877119894)(3) Verifies

119890 (119881 119875)= 119890 ( 119899sum119894=1

(119876119868119863119894 + ℎ119894119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119894=1

119877119894 119882) (2)






120590119895 = 119877119895 = 119903119895119875119881119895 = 119901119901119896119868119863119894 + 119903119895119882 + ℎ119895119909119894119872119878119901119906119887 (3)






(4)


119890 (119881lowast 119875) = 119890 ( 119899sum119896=1

(119901119901119896119868119863119894 + 119903lowast119896119882 + ℎlowast119896120572119875119870119868119863119894) 119875)

= 119890 ( 119899sum119896=1

(120572119876119868119863119894 + ℎlowast119896120572119875119870119868119863119894) 119875) 119890 ( 119899sum119896=1

119903119895119882 119875)

= 119890 ( 119899sum119896=1

(119868119863119894 + ℎlowast119896119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119896=1

119903119895119882 119875)

= 119890 ( 119899sum119896=1

(119876119868119863119894 + ℎlowast119896119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119896=1

119877lowast119896 119882)

(5)








eters 119901119886119903119886119898119904 = (1198661 1198662 119875 119890 119902 119872119878119901119906119887 1198671 1198672 ℎ1 ℎ2)public










119890 (119881119894 119875) = 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880) (6)








119890 (119881 119875)= 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119901119896119894 119880) (7)


7 Security Analysis


71 Correctness


119890 (119881119894 119875) = 119890 (120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)= 119890 (120572119894119901119901119896119894 119875) 119890 (119903119894119872119878119901119906119887 119875) 119890 (120573119894119909119894119880 119875)= 119890 (120572119894119876119894 119904119875) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 119872119878119901119906119887) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880)

(8)

and

119890 (119881 119875) = 119890 ( 119899sum119894=1

120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)

= 119890 ( 119899sum119894=1

120572119894119901119901119896119894 119875) 119890 ( 119899sum119894=1

119903119894119872119878119901119906119887 119875)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119880 119875) = 119890 ( 119899sum119894=1

120572119894119876119894 119904119875)

sdot 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119909119894119875 119880)

= 119890 ( 119899sum119894=1

120572119894119876119894 119872119878119901119906119887) 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119875 119880) = 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119901119896119894 119880)(9)

















































119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (10)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)





sdot [119890 (119877lowast1 + 119899sum119894=2


sdot 119890 ( 119899sum119894=1



119894=2


sdot 119890 ( 119899sum119894=1




120573lowast119894 119909lowast119894 120599]




(11)













119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (12)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)

997904rArr 119890 (119881lowast 119875) = 119890 ( 119899sum119894=1




sdot [119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=2



119894=1


sdot 119890 ( 119899sum119894=2


(13)



+ 119899sum119894=1

120573lowast119894 119909lowast119894 120599]






























9 Conclusion



Data Availability





References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


































119890 (119881119894 119875) = 119890 (119876119868119863119894 + ℎ119894119875119870119868119863119894 119872119878119901119906119887) 119890 (119877119894 119882) (1)






and ℎ119894 = 1198673(119898119894 119868119863119894 119875119870119868119863119894 119877119894)(3) Verifies

119890 (119881 119875)= 119890 ( 119899sum119894=1

(119876119868119863119894 + ℎ119894119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119894=1

119877119894 119882) (2)






120590119895 = 119877119895 = 119903119895119875119881119895 = 119901119901119896119868119863119894 + 119903119895119882 + ℎ119895119909119894119872119878119901119906119887 (3)






(4)


119890 (119881lowast 119875) = 119890 ( 119899sum119896=1

(119901119901119896119868119863119894 + 119903lowast119896119882 + ℎlowast119896120572119875119870119868119863119894) 119875)

= 119890 ( 119899sum119896=1

(120572119876119868119863119894 + ℎlowast119896120572119875119870119868119863119894) 119875) 119890 ( 119899sum119896=1

119903119895119882 119875)

= 119890 ( 119899sum119896=1

(119868119863119894 + ℎlowast119896119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119896=1

119903119895119882 119875)

= 119890 ( 119899sum119896=1

(119876119868119863119894 + ℎlowast119896119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119896=1

119877lowast119896 119882)

(5)








eters 119901119886119903119886119898119904 = (1198661 1198662 119875 119890 119902 119872119878119901119906119887 1198671 1198672 ℎ1 ℎ2)public










119890 (119881119894 119875) = 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880) (6)








119890 (119881 119875)= 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119901119896119894 119880) (7)


7 Security Analysis


71 Correctness


119890 (119881119894 119875) = 119890 (120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)= 119890 (120572119894119901119901119896119894 119875) 119890 (119903119894119872119878119901119906119887 119875) 119890 (120573119894119909119894119880 119875)= 119890 (120572119894119876119894 119904119875) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 119872119878119901119906119887) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880)

(8)

and

119890 (119881 119875) = 119890 ( 119899sum119894=1

120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)

= 119890 ( 119899sum119894=1

120572119894119901119901119896119894 119875) 119890 ( 119899sum119894=1

119903119894119872119878119901119906119887 119875)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119880 119875) = 119890 ( 119899sum119894=1

120572119894119876119894 119904119875)

sdot 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119909119894119875 119880)

= 119890 ( 119899sum119894=1

120572119894119876119894 119872119878119901119906119887) 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119875 119880) = 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119901119896119894 119880)(9)

















































119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (10)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)





sdot [119890 (119877lowast1 + 119899sum119894=2


sdot 119890 ( 119899sum119894=1



119894=2


sdot 119890 ( 119899sum119894=1




120573lowast119894 119909lowast119894 120599]




(11)













119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (12)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)

997904rArr 119890 (119881lowast 119875) = 119890 ( 119899sum119894=1




sdot [119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=2



119894=1


sdot 119890 ( 119899sum119894=2


(13)



+ 119899sum119894=1

120573lowast119894 119909lowast119894 120599]






























9 Conclusion



Data Availability





References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia
















119890 (119881119894 119875) = 119890 (119876119868119863119894 + ℎ119894119875119870119868119863119894 119872119878119901119906119887) 119890 (119877119894 119882) (1)






and ℎ119894 = 1198673(119898119894 119868119863119894 119875119870119868119863119894 119877119894)(3) Verifies

119890 (119881 119875)= 119890 ( 119899sum119894=1

(119876119868119863119894 + ℎ119894119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119894=1

119877119894 119882) (2)






120590119895 = 119877119895 = 119903119895119875119881119895 = 119901119901119896119868119863119894 + 119903119895119882 + ℎ119895119909119894119872119878119901119906119887 (3)






(4)


119890 (119881lowast 119875) = 119890 ( 119899sum119896=1

(119901119901119896119868119863119894 + 119903lowast119896119882 + ℎlowast119896120572119875119870119868119863119894) 119875)

= 119890 ( 119899sum119896=1

(120572119876119868119863119894 + ℎlowast119896120572119875119870119868119863119894) 119875) 119890 ( 119899sum119896=1

119903119895119882 119875)

= 119890 ( 119899sum119896=1

(119868119863119894 + ℎlowast119896119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119896=1

119903119895119882 119875)

= 119890 ( 119899sum119896=1

(119876119868119863119894 + ℎlowast119896119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119896=1

119877lowast119896 119882)

(5)








eters 119901119886119903119886119898119904 = (1198661 1198662 119875 119890 119902 119872119878119901119906119887 1198671 1198672 ℎ1 ℎ2)public










119890 (119881119894 119875) = 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880) (6)








119890 (119881 119875)= 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119901119896119894 119880) (7)


7 Security Analysis


71 Correctness


119890 (119881119894 119875) = 119890 (120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)= 119890 (120572119894119901119901119896119894 119875) 119890 (119903119894119872119878119901119906119887 119875) 119890 (120573119894119909119894119880 119875)= 119890 (120572119894119876119894 119904119875) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 119872119878119901119906119887) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880)

(8)

and

119890 (119881 119875) = 119890 ( 119899sum119894=1

120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)

= 119890 ( 119899sum119894=1

120572119894119901119901119896119894 119875) 119890 ( 119899sum119894=1

119903119894119872119878119901119906119887 119875)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119880 119875) = 119890 ( 119899sum119894=1

120572119894119876119894 119904119875)

sdot 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119909119894119875 119880)

= 119890 ( 119899sum119894=1

120572119894119876119894 119872119878119901119906119887) 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119875 119880) = 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119901119896119894 119880)(9)

















































119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (10)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)





sdot [119890 (119877lowast1 + 119899sum119894=2


sdot 119890 ( 119899sum119894=1



119894=2


sdot 119890 ( 119899sum119894=1




120573lowast119894 119909lowast119894 120599]




(11)













119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (12)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)

997904rArr 119890 (119881lowast 119875) = 119890 ( 119899sum119894=1




sdot [119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=2



119894=1


sdot 119890 ( 119899sum119894=2


(13)



+ 119899sum119894=1

120573lowast119894 119909lowast119894 120599]






























9 Conclusion



Data Availability





References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






(4)


119890 (119881lowast 119875) = 119890 ( 119899sum119896=1

(119901119901119896119868119863119894 + 119903lowast119896119882 + ℎlowast119896120572119875119870119868119863119894) 119875)

= 119890 ( 119899sum119896=1

(120572119876119868119863119894 + ℎlowast119896120572119875119870119868119863119894) 119875) 119890 ( 119899sum119896=1

119903119895119882 119875)

= 119890 ( 119899sum119896=1

(119868119863119894 + ℎlowast119896119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119896=1

119903119895119882 119875)

= 119890 ( 119899sum119896=1

(119876119868119863119894 + ℎlowast119896119875119870119868119863119894) 119872119878119901119906119887) 119890 ( 119899sum119896=1

119877lowast119896 119882)

(5)








eters 119901119886119903119886119898119904 = (1198661 1198662 119875 119890 119902 119872119878119901119906119887 1198671 1198672 ℎ1 ℎ2)public










119890 (119881119894 119875) = 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880) (6)








119890 (119881 119875)= 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119901119896119894 119880) (7)


7 Security Analysis


71 Correctness


119890 (119881119894 119875) = 119890 (120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)= 119890 (120572119894119901119901119896119894 119875) 119890 (119903119894119872119878119901119906119887 119875) 119890 (120573119894119909119894119880 119875)= 119890 (120572119894119876119894 119904119875) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 119872119878119901119906119887) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880)

(8)

and

119890 (119881 119875) = 119890 ( 119899sum119894=1

120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)

= 119890 ( 119899sum119894=1

120572119894119901119901119896119894 119875) 119890 ( 119899sum119894=1

119903119894119872119878119901119906119887 119875)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119880 119875) = 119890 ( 119899sum119894=1

120572119894119876119894 119904119875)

sdot 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119909119894119875 119880)

= 119890 ( 119899sum119894=1

120572119894119876119894 119872119878119901119906119887) 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119875 119880) = 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119901119896119894 119880)(9)

















































119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (10)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)





sdot [119890 (119877lowast1 + 119899sum119894=2


sdot 119890 ( 119899sum119894=1



119894=2


sdot 119890 ( 119899sum119894=1




120573lowast119894 119909lowast119894 120599]




(11)













119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (12)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)

997904rArr 119890 (119881lowast 119875) = 119890 ( 119899sum119894=1




sdot [119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=2



119894=1


sdot 119890 ( 119899sum119894=2


(13)



+ 119899sum119894=1

120573lowast119894 119909lowast119894 120599]






























9 Conclusion



Data Availability





References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






119890 (119881 119875)= 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119901119896119894 119880) (7)


7 Security Analysis


71 Correctness


119890 (119881119894 119875) = 119890 (120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)= 119890 (120572119894119901119901119896119894 119875) 119890 (119903119894119872119878119901119906119887 119875) 119890 (120573119894119909119894119880 119875)= 119890 (120572119894119876119894 119904119875) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 119872119878119901119906119887) 119890 (119903119894119875 119872119878119901119906119887) 119890 (120573119894119909119894119875 119880)= 119890 (120572119894119876119894 + 119877119894 119872119878119901119906119887) 119890 (120573119894119901119896119894 119880)

(8)

and

119890 (119881 119875) = 119890 ( 119899sum119894=1

120572119894119901119901119896119894 + 119903119894119872119878119901119906119887 + 120573119894119909119894119880 119875)

= 119890 ( 119899sum119894=1

120572119894119901119901119896119894 119875) 119890 ( 119899sum119894=1

119903119894119872119878119901119906119887 119875)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119880 119875) = 119890 ( 119899sum119894=1

120572119894119876119894 119904119875)

sdot 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887) 119890 ( 119899sum119894=1

120573119894119909119894119875 119880)

= 119890 ( 119899sum119894=1

120572119894119876119894 119872119878119901119906119887) 119890 ( 119899sum119894=1

119903119894119875 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119909119894119875 119880) = 119890 ( 119899sum119894=1

(120572119894119876119894 + 119877119894) 119872119878119901119906119887)

sdot 119890 ( 119899sum119894=1

120573119894119901119896119894 119880)(9)

















































119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (10)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)





sdot [119890 (119877lowast1 + 119899sum119894=2


sdot 119890 ( 119899sum119894=1



119894=2


sdot 119890 ( 119899sum119894=1




120573lowast119894 119909lowast119894 120599]




(11)













119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (12)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)

997904rArr 119890 (119881lowast 119875) = 119890 ( 119899sum119894=1




sdot [119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=2



119894=1


sdot 119890 ( 119899sum119894=2


(13)



+ 119899sum119894=1

120573lowast119894 119909lowast119894 120599]






























9 Conclusion



Data Availability





References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








































119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (10)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)





sdot [119890 (119877lowast1 + 119899sum119894=2


sdot 119890 ( 119899sum119894=1



119894=2


sdot 119890 ( 119899sum119894=1




120573lowast119894 119909lowast119894 120599]




(11)













119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (12)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)

997904rArr 119890 (119881lowast 119875) = 119890 ( 119899sum119894=1




sdot [119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=2



119894=1


sdot 119890 ( 119899sum119894=2


(13)



+ 119899sum119894=1

120573lowast119894 119909lowast119894 120599]






























9 Conclusion



Data Availability





References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia












119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (10)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)





sdot [119890 (119877lowast1 + 119899sum119894=2


sdot 119890 ( 119899sum119894=1



119894=2


sdot 119890 ( 119899sum119894=1




120573lowast119894 119909lowast119894 120599]




(11)













119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (12)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)

997904rArr 119890 (119881lowast 119875) = 119890 ( 119899sum119894=1




sdot [119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=2



119894=1


sdot 119890 ( 119899sum119894=2


(13)



+ 119899sum119894=1

120573lowast119894 119909lowast119894 120599]






























9 Conclusion



Data Availability





References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia













119890 (119881lowast 119875)= 119890 ( 119899sum119894=1


120573lowast119894 119901119896lowast119894 119880) (12)


119890 (119881lowast 119875) = 119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=1

120573lowast119894 119901119896lowast119894 119880)

997904rArr 119890 (119881lowast 119875) = 119890 ( 119899sum119894=1




sdot [119890 ( 119899sum119894=1


sdot 119890 ( 119899sum119894=2



119894=1


sdot 119890 ( 119899sum119894=2


(13)



+ 119899sum119894=1

120573lowast119894 119909lowast119894 120599]






























9 Conclusion



Data Availability





References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia































9 Conclusion



Data Availability





References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia












9 Conclusion



Data Availability





References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





References




































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


New Certificateless Aggregate Signature Scheme for ...downloads.hindawi.com/journals/scn/2018/2595273.pdf · ResearchArticle New Certificateless Aggregate Signature Scheme for Healthcare

Documents