Table of Contents Author Guidelines Submit a Manuscript
Mobile Information Systems
Volume 2015, Article ID 827320, 11 pages
http://dx.doi.org/10.1155/2015/827320
Research Article

Attribute Based Multisignature Scheme for Wireless Communications

1School of Telecommunications Engineering, Xidian University, Xi’an, Shaanxi 710071, China
2School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore 639798
3School of Computer Science and Technology, Xidian University, Xi’an, Shaanxi 710071, China
4Faculty of Software, Fujian Normal University, Fuzhou, Fujian 350108, China

Received 29 August 2014; Accepted 1 September 2014

Academic Editor: David Taniar

Copyright © 2015 Ximeng Liu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

With rapidly development of wireless communication, more mobile devices are used in our daily life. Although the need for accessing a wireless network is evident, new problems, such as keeping and preserving user identity’s privacy, should be greatly concerned. Attribute based signature scheme is an important cryptographic primitive which provides a powerful way for user to control their privacy. In wireless environment, the capacity of wireless channel is also valuable resources which is limited. More information can be transmitted through the wireless channel when the cost of using signature to verify the message becomes less. In order to reduce the bandwidth needed to transmit attribute based signatures and keep signer’s privacy, attribute based multisignature scheme (ABMS) was proposed in this paper. Moreover, we formalize and construct the ABMS. Our scheme is existentially unforgeable against chosen message attack on Computational Diffie-Hellman (CDH) assumption in the standard model. The simulation shows that our ABMS scheme is more appropriate for wireless communication to guarantee integrity of the data.

1. Introduction

With the increasing availability of mobile devices, it is convenient for people to make a phone call and surf the internet through the wireless channel. With features of convenient, fast, and easy-to-use, there is a growing demand for consumer to transmit data through the wireless channel. Due to the character of the wireless channel, the data can be easily changed which is affected by transmission channel noise or modified by the malicious attacker. The security and privacy protection of the data collected from wireless devices, either while stored in the data server or during their transmission through the wireless network, is a major concern. Also, preserving identity privacy becomes an increasingly important concern. In Oct. 2013, the attackers are believed to have stolen information on 2.9 million Adobe account holders. That data includes customer names, encrypted credit and debit card numbers, expiration dates, and other customer order information [1]. How to efficiently verify the data integrity and preserve identity privacy is important problem in the wireless environment.

Attribute based signatures (ABS) [2] scheme has attracted much attention as a new public key primitive in the recent years because it provides a powerful way for user to control their privacy and keep the integrity of the data, and it also helps to provide fine-grained access control in anonymous authentication systems. The ABS scheme is analogue of attribute based encryption (ABE) [3, 4] which is an important application of the fuzzy identity-based encryption (FIBE) scheme [3]. A user encrypts a message with a set of attributes such that users whose decryption key has at least common attributes with the ciphertext attribute set can decrypt the message. We call this scheme threshold attribute based encryption (-ABE) to describe simplicity. Wang et al. [5] proposed a new fully secure FIBE scheme based on the FIBE [3] scheme and prove its security by using the “dual system encryption” technique. The ABS scheme extends identity-based signature where the signer is associated with a set of attributes instead of a single identity string. It provides a powerful way for users to control their privacy: the user can choose the subset of their attributes relevant to the specific scenario in signing a document. Considering the following scenario, an institution will release a technical report that may involve a professor at age 45 in the computer science department. Any user who has attributes sets that contain all the above attributes could issue the signature. Because ABS scheme has these advantages, different user wants to sign the same document by using ABS scheme. Yang et al. [6] introduced a new cryptographic primitive called fuzzy identity-based signature (FIBS) which the signature analogue of FIBE scheme and Shahandashti and Safavi-Naini [7] proposed a threshold attribute based signature construction for small attribute universe and large attribute universe. Since FIBS scheme lacks controlling the signer’s privacy, Maji et al. [8] introduced ABE scheme which can provide strong privacy guarantee for the signer and strong unforgeability guarantee for the verifier. In order to sign messages with any subset of their attributes issued from an attribute center, Li and Kim [9] gave hidden attribute based signatures without anonymity revocation scheme which can reach anonymity and unforgeability. Li et al. [10] proposed a new construction of ABS supporting flexible threshold predicate which could compact the signature size and improve the verification time. Later, Cao et al. [11] give multiauthority attribute based signature schemes for expressive policy. In their scheme, they use both AND, OR, threshold, and disjunctive normal form to express a policy. Consider the following case; users often use wireless channel to upload file to the data center. Unfortunately, these communication mechanisms are rather expensive for mobile devices in energy consumption and the capacity of wireless channel is limited. In order to increase throughput of message sent to the data center and increase the battery life of the energy-restricted devices, it is better to exploit fewer bits of transmission in wireless communication to data center. Therefore, it is a challenge to design cryptographic primitives to reduce the communication and storage overhead.

Multisignatures allow multiple signers to jointly authenticate a message using a single compact signature which was first introduced by [12]. It allows a group of players to sign the same message by generating a short signature which can be verified against the set of these players’ public keys. After that, lots of multisignature schemes were proposed in [1315]. But these schemes lacked formal security notions for multisignatures. Micali et al. [16] first formalized the strong notion of security for multisignatures and [17] gave a more general construct in random oracle model where their construction did not restrict the subset of signers. The security is based on random oracles. Lu et al. [18] first proposed sequential aggregate signature and multisignature scheme in the standard model. Because the verification information of identity-based signature (IBS) scheme does not include any certificate or any individual public key for the signer, identity-based multisignature (IDMS) scheme was presented by Cheon et al. [19]. This scheme could reduce the signature size into almost a half and efficiently verify multiple signatures. Gentry and Ramzan [20] designed the efficient identity-based (Multi-/Aggregate) signatures. Their schemes employ a group with a bilinear map in the random oracle model. Later, there are several RSA-based IBMS schemes proposed whose security is based on RSA assumption. The computational costs of RSA-based IBMS scheme are slightly lower in signing and verification because RSA exponentiation is less expensive than bilinear map operations. Recently, Liu et al. [21] proposed an attribute based multisignature scheme in the standard model with can reduce the length of signature. However, the performance of this ABMS scheme is not good. Later, Liu et al. [22] proposed another ABMS scheme for the wireless environment. But the authors do not give performance measurement to show their scheme is efficient.

In this paper, we first propose a scheme called attribute based multisignature (ABMS) scheme to solve problem mentioned above. The ABMS scheme allows a set of signatures (sign on the same message) to be compressed into a single signature. This kind of signature has less signature length than the original one and less computational cost which is more appropriate for the wireless nature where bandwidth is a bottleneck.

Our Contributions. In this work, we make following contributions: (1) We define attribute based multisignature scheme (ABMS), formalize the model, and give security model for ABMS scheme. (2) We give overview of ABMS scheme for wireless communication and a concrete construction of ABMS scheme. (3) We prove that our ABMS scheme is existential unforgeability in the standard model by using the computational Diffie-Hellman problem. (4) We make simulation on a workstation to show that ABMS scheme can greatly decrease the storage overhead in the data center and computational overhead for verifier.

Organization. The rest of paper is organized as follows. In Section 2, we review some concept about bilinear pairing, complexity assumption, flexible threshold predicate, and Lagrange interpolation. In Section 3, we give the formal models and its security model of ABMS scheme. In Section 4, we give the specific construction about the ABMS scheme. In Section 5, we give security proof in the standard model for ABMS scheme. In Section 6, we give performance analysis on ABMS scheme, use the workstation to test the performance of ABMS scheme, and analyze the efficiency of the ABMS scheme. And we conclude this paper in Section 7.

2. Preliminaries

In this section, we introduce the notions which are used to construct ABMS scheme and prove the security of ABMS scheme.

2.1. Bilinear Maps

Let and be two cyclic groups of prime order with the multiplication. Let be a generator of and a bilinear map. Let be a bilinear map having the following properties:(1)bilinearity: For all and , we have ;(2)nondegeneracy: ;(3)computability: There is efficient algorithm to compute bilinear map .

Notice that the map is symmetric since .

2.2. Complexity Assumptions

Definition 1. The challenger chooses at random and outputs . The computational Diffie-Hellman (CDH) problem is to compute . An adversary has at least an if The computational -DH assumption holds if no -time adversary has at least advantage in solving the above game.

2.3. Flexible Threshold Predicate

In this paper, we use predicates consisting of thresholds gates. All predicates for with threshold value . If the number of attribute in exceeds threshold , it outputs 1. Otherwise, it outputs 0. Consider

2.4. Lagrange Interpolation

In this section, we describe Lagrange interpolation which is used in the ABMS schemes. Given points on a degree polynomial, we can use Lagrange interpolation to compute for any . Let be a -element set. We define the Lagrange coefficient of in the computation of as

2.5. Symbols & Notations

The following list shows the symbols and notations used in this work:: bilinear maps,: threshold gate,: predicates consisting of threshold gate ,: Lagrange coefficient with set ,: public parameters,: private key,: original signature,: multisignature,: attribute set.

3. Formal Models and Its Security Model

3.1. Formal Models of ABMS Scheme

The attribute based multisignature scheme has six algorithms called Setup, Extract, StandardSign, StandardVerify, MComb, and MultiVerify. In this section, we describe the six algorithms as follows.

Setup. This algorithm is run by the master entity which inputs the security parameter and generates the public parameters of the scheme and the master secret key MSK. The master entity publishes and keeps the MSK to itself.

Extract. Given an attribute set , the master key MSK and , the master entity will use this algorithm to generate private keys of for all entities participating in the scheme and distribute the private keys to their respective owner through a secure channel.

StandardSign. Given a message , an attribute set , a private key , , and predicate , this algorithm generates the signature of on . The entity with attribute set will use this algorithm for signing.

StandardVerify. Given a signature , a message , attribute set , and , this algorithm outputs accept if a valid signature on message for attribute set and outputs reject otherwise.

MComb. The algorithm is given a signature-public key pair and a message . The is the number of user’s signing the message . It generates and outputs a multisignature .

MultiVerify. The algorithm is given the public parameters , a message , and multisignature . The algorithm outputs accept if it is a valid multisignature and outputs reject otherwise.

3.2. Existential Unforgeability of ABMS Scheme

We define security model for attribute based multisignature scheme between a challenger and an adversary.

Setup. The challenger runs the Setup algorithm and obtains both the public parameters and the master secret key. The challenger gives the to adversary and keeps the master secret key by itself.

Queries. The adversary adaptively makes a polynomial bounded number of queries to the challenger. Each query can be one of the following.(i)Extract Query. The adversary can ask for the private key of any attribute set . The challenger responds by running the Extract algorithm and gives the private key to adversary.(ii)Sign Query. The adversary can ask for the signature of attribute set on message . The challenger responds by first running Extract algorithm to obtain the private key and running the Sign algorithm to obtain a signature which is given to the adversary.

Output. Eventually, it will output a forgery on messages under public parameters . The challenger key must appear in , without loss of generality; we assume that the challenge key appears at index 1. If the condition holds, it outputs 1. Otherwise, it outputs 0.

Definition 2. The attribute based multisignature scheme is -secure against existential forgery in an adaptive chosen-message attack, if no -time adversary makes Extract queries, Sign queries and wins the above game with advantage more than .

4. Our Constructions

In this section, we first give the overview of the whole wireless communication system and then give a concrete construction of the ABMS scheme.

4.1. Overview of Privacy-Preserving Data Integrity Verification Method for Wireless Communication

Bandwidth is scarce resources in the wireless communication. In order to verify the data integrity, the signature method will be brought into the system. But it will greatly increase the communication cost especially when the number of users involved in the system is huge. Meanwhile, the mobile devices are always energy-restricted, such as mobile phone and wireless sensor nodes. More extra computation will increase the consumption of battery power. The main goal of our attribute based multisignature scheme is to reduce both communication overhead and verification cost in order to keep data integrity in the process of wireless communication. Also, it could allow user to control their identity’s privacy. The whole system model can be showed in Figure 1. As Figure 1 shows, there are message provider , a group of signers , verifier , and authority involved in the system. The authority first generates the master key and defines a common universe of attributes, such as “headmaster,” “professor,” “age 45,” and “computer science department.” Then the authority uses master key and attribute sets to construct ’s private key and send it to the corresponding users involved in the system, respectively. Because the message needs to be signed by message provider and a group of signers, the provider first generates the message and the signature associated with the message and then sends it to the group of users. All the users in the same BSS need to sign the message. When signers receive the message-signature pair , they should first verify whether or not the is sent by message provider . If   passed the verification, it is considered that the message is sent by and used to generate his own message and signature pair , to . Then the message and signature pair and ,   to should be compressed into a single message-multisignature pair and it is sent to data center to store. When another user needs to use message , she/he first retrieves the message from the data center and uses signature to verify the message. If the verification holds, we say this message is integrated which is signed by the user to . Otherwise, it shows that the message is modified by the third party servers. If we use traditional methods, we need to transmit    pairs to the verifier. When we use ABMS scheme, the only thing is to create one message-signature pair to transmit in the network which can greatly decrease the transmitting overhead through the network and reduce the storage cost in the data center. The concrete construction of ABMS scheme will be presented in the next section.

Figure 1: ABMS scheme for wireless network.
4.2. Attribute Based Multisignature Scheme

In this section, we give a concrete construction of the ABMS scheme which contains six algorithms: Setup, Extract, StandardSign, StandardVerify, MComb, MultiVerify.

Setup. This algorithm first defines the attributes in the universe as the element in . A default attribute set from is given as . It selects a random generator and a random and compute . Next, it picks a random element and computes . For every user , select a random vector from and then compute . Finally, the algorithm selects random values from and a random vector from and computes . The public parameters are Here, for different users, the public keys are denoted as The master keys are

Extract. This algorithm generates a private key for an attribute set related with users involved in the system. It takes the following steps.(1)Firstly, it chooses a degree polynomial at random with .(2)It then generates a new attribute set . For each , the algorithm chooses and computes ,  .(3)Finally, it outputs as the private key.

StandardSign. This algorithm inputs a private key for the attribute set , message , and predicate . In order to sign message with predicate , that is, to prove the signer owning at least attribute among the -elements attribute set . It selects a -element from the subset and works as follows.(1)First, it selects a default attribute subset with and chooses random values for .(2)It then computes (3)Finally, the algorithm outputs the signature:

StandardVerify. In order to verify the correctness of the signature on with threshold for attributes set , it checks if the following equation holds: If the equation holds, it indicates that the signature is indeed from some users with attributes among . Otherwise, it denotes the signature is not valid.

MComb. For each user in the multisignature, the algorithm inputs a public parameters , public key , and a signature . All the signatures are signed on a single message . Let be an -bit message to be signed by the original signers and denote the th bit of , and let be the set of all for which . Denote as user ’s public keys and its corresponding signature as . Verify that is valid by calling the StandardVerify algorithm. If not, its outputs fail and halt. Otherwise, the algorithm takes following steps.

For each user in the multisignature the algorithm inputs a public parameters , public key , and a signature . All the signatures are signed on a single message . Let be an -bit message to be signed by the original signers and denote the th bit of , and let be the set of all for which . Denote as user ’s public keys and its corresponding signature as . Verify that is valid by calling the StandardVerify algorithm. If not, its outputs fail and halt. Otherwise, the algorithm takes following steps.

This algorithm first initializes , and sets and . For every belong to and , sets . Also, the algorithm initializes and .

For , it calculates Then for every , if    does not exist in , it adds attribute    to the attribute set and sets . If    exists in , it sets and calculates .

For every , if does not exist in , it adds attribute to the attribute set and sets . If exists in , it sets and computes .

The algorithm finally computes:

MultiVerify. Given the public parameters, public keys, a message , and a signature , a verifier accept if the following equality holds:

Otherwise, it outputs reject.

5. Security of ABMS Scheme

In this section, we first show the correctness of our ABMS scheme. Then we prove that our ABMS scheme is existential unforgeability by using hard problem introduced in Section 2.2.

5.1. Correctness

The signature generated from MComb algorithm can be easily checked by verifier:

5.2. Existential Unforgeability

In this section, we show our ABMS scheme which is existential unforgeability by giving the following theorem.

Theorem 3. The attribute based multisignature scheme is -unforgeable if the -CDH assumption holds where and and are the time for a multiplication and an exponentiation in , respectively.

Proof. We will assume that adversary has advantage in attacking the scheme. We will construct the algorithm that solve the CDH with probability at least . The algorithm will be given a group , a generator , and the elements and . In order to use to compute the , must simulate a challenger for . Such a simulation can be created in the following way.
Setup. We assume . Let the default attribute set be for some predefined integer . first define as where is randomly chosen from . Then it chooses a random , and random numbers . It also chooses additional random exponents . Consider
To make the notion easy to follow, we define two functions , The master secret key will be and the following equations holds:
Extract Query. can make requests for private key on such that . We first define three subsets in the following manner: and and . Let . For , compute where are randomly chosen in . For , it could also simulate as
Sign Query. Consider the query for a signature of attribute set on . If  , the simulation aborts. Otherwise, selects a random set such that and . Define where is chosen randomly in . Then it computes for . randomly picks and computes the signature as where
Output. Finally, outputs a signature on some message with public keys for some , where is equal to as the challenge key. Attribute set contains the attribute from user 2 to . Attribute set contains the attribute from user 1 to . It outputs the private key for all keys except the challenge key. Algorithm sets Then we have
If the equation holds and and , computes and outputs: where This is the solution to the given CDH problem.
We will analyze the probability of without aborting to complete the description of the simulation. We require that the following cases happen.
We define the events without abort during Extract queries, Sign queries, From the analysis above, the probability of not aborting is The assumption implies that if , then . Consider We also have that Since the output of and will differ at least one random chosen value, the event and are independent. The event and are independent for any . Hence, we have
Let and we get
If the simulation does not abort, the probability for correct guess of elements subset from element set is . Therefore, the advantage for solving CDH problem is
Algorithm ’s running time is of plus the overhead in handling ’s Sign queries. The time complexity of is where and are the time for a multiplication and an exponentiation in , respectively.

6. Performance Analysis

To analyze the performance of our proposed cryptosystem, we compare our ABMS scheme with Li et al.’s scheme in terms of storage, communication, and computational overheads. We define each type of overheads as follows.

Storage Overhead. The number of key materials holds by each entity and the size of signatures which are stored in the data center.

Computation Overhead. The computation resources which are occupied by the verifier and the total system.

6.1. Storage Overhead

Storage overheads are categorized into following types: the number of public parameters (), private key available in the system, the number of private key which is held by each signing owner, and the size of signature storage in the data center. The total length of public parameters is smaller than Li’s scheme. The length of private key held by each signer is the same as Li’s scheme. The signature size stored in the data center is greatly decreased by using ABMS scheme than Li’s scheme. The signature length of Li’s scheme increases linear growth along with the number of users. While in our ABMS scheme, the lower bound of signature size is associated with the signer who have the maximum number of the attributes compared with other signers. The upper bound of the signature is associated with the number of universal attributes involved in the system. We can aggregate users signature into one short signature which can greatly decrease the storage overhead in the data center, especially when the number of uses involved in the system is huge. Here we compare our scheme with other schemes [23]. We let be the number of signer, the size of the attribute set , and the size of the universal of attribute set. is pairing running time in the MultiVerify algorithm. We make the comparison to list in Table 1. In the next section, we use a real workstation to simulate the ABMS scheme.

Table 1: Performance analysis.

6.2. Computation Overhead

Li’s scheme uses hash function to calculate the attribute. While in our ABMS scheme, we use to construct ABMS scheme which can be proved in the standard model. The number of exponentiation to calculate is associated with the security parameter. When two signers have the same attribute, MComb algorithm increases one more multiplication but decreases one pairing computation for the verifier by running MultiVerify algorithm. The computation cost of multiplication operation is greatly lower than the pairing operation. The computation cost for verification node to verify the signature can be greatly decreased because of the less pairing operations. The total computation cost of the whole system is also decreased because the multiplication operation cost is lower than the pairing operation.

6.3. The Performance Measurements

We now provide some information on the performance achieved by PBC (Pairing-Based Cryptography) library underlying pairing-based cryptosystems. In our experiment, the process is implemented on a workstation with an Inter Pentium CPU running at 2.40 GHz, 6 GB of RAM, and a 5400 RPM 320 GB Serial ATA drive. The OS on the test machine is Ubuntu 12.04 LTS 64-bits with kernel version 3.2.0-23-generic. We use type A pairings which are constructed on the 160-bits elliptic curve group based on the supersingular curve over a 512-bits finite field. On the test machine, we begin by estimating the cost in terms of basic cryptographic operations. The compute pairings in approximately 1.389 ms and exponentiations in and take about 1.994 ms and 0.187 ms, and multiplication in and takes about 0.005 ms and 0.002 ms. All of the computation is running by 10000 times for average. In our simulation system, there are 100 signers involved in the system and the total number of the attributes initialized by the Setup algorithm is 70. The maximum number of attributes belonging to individual signer is 7. We test the total running time and verification time between our ABMS scheme and Li’s scheme [10] and we make the comparison in Figure 2. In Figure 2(a), we show the ABMS scheme’s upper and lower bound of verification time and Li’s ABS verification time. If all the users in the system share the same attribute set, the black line can be achieved which indicate the lower bound verification time of our ABMS scheme. If the attributes associated with users are all different, the blue line can be achieved which indicate the upper bound verification time of our ABMS scheme. When we run the Mcomb algorithm, it will introduce some multiplication in . Because the cost of multiplication in is greatly smaller than the exponentiation and pairing operations, it will not bring much computation cost to the system. When total numbers of attributes belonging to different users do not reach the number of universe attribute set, the verification time of ABMS scheme is almost similar to the original Li’s scheme. If the number of attribute belonging to a group of signers reached the number of universe attributes set, the verification time can be greatly decreased due to the less pairing computation. In Figure 2(b), we test the total running time between ABMS scheme and Li’s scheme. The analysis is similar to the verification time analytic. From both verification and total running time, this algorithm can greatly decrease the computation cost as it can be showed in our simulation.

Figure 2: The simulation results.

7. Conclusion

In this paper, we propose a scheme called attribute based multisignature in order to verify integrity of data efficiently. The ABMS scheme can compress multiple signatures into a single one in order to reduce the bandwidth needed to transmit signatures and the space needed to storage them. It can also provide signer’s anonymity in which we use attributes set instead of identity. Our ABMS scheme is secure against existential unforgeability in an adaptive chosen-message attack under CDH problem. Even more important, ABMS scheme is more appropriate for wireless network communication than traditional ABS scheme.

Disclosure

A preliminary version of this paper has been presented in the 5th International Conference on Intelligent Networking and Collaborative Systems, INCoS 2013, pp. 173–180 [22].

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research is supported by Changjiang Scholars and Innovative Research Team in University (IRT1078); the Key Program of NSFC-Guangdong Union Foundation under Grant no. U1135002; Major National S&T Program (2011ZX03005002, 2012ZX03001009); the Fundamental Research Funds for the Central Universities (JY10000903001, K5051301017); the National Natural Science Foundation of China (61303218, 61370078, 61402109). The authors thank the sponsors for their support and the reviewers for helpful comments.

References

  1. T. Week, “Adobe says 2.9 m customers at risk after hacking,” 2013, http://www.theweek.co.uk/technology/55448/adobe-says-29m-customers-risk-after-hacking.
  2. S. Shahandashti and R. Safavi-Naini, “Threshold attribute-based signatures and their application to anonymous credential systems,” in Progress in Cryptology—AFRICACRYPT 2009, pp. 198–216, 2009. View at Publisher · View at Google Scholar
  3. A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Advances in Cryptology—EUROCRYPT 2005: Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 457–473, Springer, Berlin, Germany, 2005. View at Publisher · View at Google Scholar
  4. V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, ACM, November 2006. View at Publisher · View at Google Scholar · View at Scopus
  5. X. A. Wang, X. Yang, M. Zhang, and Y. Yu, “Cryptanalysis of a fuzzy identity based encryption scheme in the standard model,” Informatica, vol. 23, no. 2, pp. 299–314, 2012. View at Google Scholar · View at MathSciNet
  6. P. Yang, Z. Cao, and X. Dong, “Fuzzy identity based signature,” IACR Cryptology ePrint Archive Report 2008/002, 2008. View at Google Scholar
  7. S. F. Shahandashti and R. Safavi-Naini, “Threshold attribute-based signatures and their application to anonymous credential systems,” Report 2009/126, ACR Cryptology ePrint Archive, 2009. View at Google Scholar
  8. H. K. Maji, M. Prabhakaran, and M. Rosulek, “Attribute-based signatures: achieving attribute-privacy and collusionresistance,” in IACR Cryptology ePrint Archive, p. 328, 2008. View at Google Scholar
  9. J. Li and K. Kim, “Hidden attribute-based signatures without anonymity revocation,” Information Sciences, vol. 180, no. 9, pp. 1681–1689, 2010. View at Google Scholar · View at MathSciNet · View at Scopus
  10. J. Li, M. H. Au, W. Susilo, D. Xie, and K. Ren, “Attribute-based signature and its applications,” in Proceedings of the 5th ACM Symposium on Information, Computer and Communication Security (ASIACCS '10), pp. 60–69, ACM, April 2010. View at Publisher · View at Google Scholar · View at Scopus
  11. D. Cao, B. Zhao, X. Wang, and J. Su, “Flexible multi-authority attribute-based signature schemes for expressive policy,” Mobile Information Systems, vol. 8, no. 3, pp. 255–274, 2012. View at Publisher · View at Google Scholar · View at Scopus
  12. K. Itakura and K. Nakamura, “A public-key cryptosystem suitable for digital multisignatures,” NEC Research and Development, vol. 71, pp. 1–8, 1983. View at Google Scholar · View at Scopus
  13. T. Okamoto, “A digital multisignature scheme using bijective public-key cryptosystems,” ACM Transactions on Computer Systems, vol. 6, no. 4, pp. 432–441, 1988. View at Publisher · View at Google Scholar · View at Scopus
  14. K. Ohta and T. Okamoto, “A digital multisignature scheme based on the Fiat-Shamir scheme,” in Advances in Cryptology—ASIACRYPT '91, vol. 739 of Lecture Notes in Computer Science, pp. 139–148, Springer, Berlin, Germany, 1993. View at Publisher · View at Google Scholar
  15. T. Okamoto, “Multi-signature schemes secure against active insider attacks,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 82, no. 1, pp. 21–31, 1999. View at Google Scholar · View at Scopus
  16. S. Micali, K. Ohta, and L. Reyzin, “Accountable-subgroup multisignatures,” in Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS ’01), pp. 245–254, Philadelphia, Pa, USA, November 2001. View at Publisher · View at Google Scholar · View at Scopus
  17. A. Boldyreva, “Threshold signatures, multisignatures and blind signatures based on the gap-diffie-hellman-group signature scheme,” in Public Key Cryptography—PKC 2003: Proceedings of the 6th International Workshop on Practice and Theory in Public Key Cryptography Miami, FL, USA, January 6–8, 2003, vol. 2567 of Lecture Notes in Computer Science, pp. 31–46, Springer, Berlin, Germany, 2002. View at Publisher · View at Google Scholar
  18. S. Lu, R. Ostrovsky, A. Sahai, H. Shacham, and B. Waters, “Sequential aggregate signatures and multisignatures without random oracles,” in Advances in Cryptology-EUROCRYPT, pp. 465–485, 2006. View at Google Scholar
  19. J. H. Cheon, Y. Kim, and H. Yoon, “A new id-based signature with batch verification,” in IACR Cryptology ePrint Archive, p. 131, 2004. View at Google Scholar
  20. C. Gentry and Z. Ramzan, “Identity-based aggregate signatures,” in Public Key Cryptography, vol. 3958 of Lecture Notes in Computer Science, pp. 257–273, Springer, Berlin, Germany, 2006. View at Publisher · View at Google Scholar
  21. X. Liu, J. Ma, Q. Li, J. Xiong, and F. Huang, “Attribute based multi-signature scheme in the standard model,” in Proceedings of the 9th International Conference on Computational Intelligence and Security (CIS '13), pp. 738–742, IEEE, December 2013. View at Publisher · View at Google Scholar · View at Scopus
  22. X. Liu, T. Zhang, J. Ma, H. Zhu, and F. Cai, “Efficient data integrity verification using attribute based multi-signature scheme in wireless network,” in Proceedings of the 5th IEEE International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 173–180, IEEE, September 2013. View at Publisher · View at Google Scholar · View at Scopus
  23. J. Li, Q. Wang, C. Wang, and K. Ren, “Enhancing attribute-based encryption with attribute hierarchy,” Mobile Networks and Applications, vol. 16, no. 5, pp. 553–561, 2011. View at Publisher · View at Google Scholar · View at Scopus