Table of Contents Author Guidelines Submit a Manuscript
Security and Communication Networks
Volume 2018, Article ID 2595273, 13 pages
https://doi.org/10.1155/2018/2595273
Research Article

New Certificateless Aggregate Signature Scheme for Healthcare Multimedia Social Network on Cloud Environment

1The Computer School, Wuhan University, Wuhan, China
2The Co-Innovation Center for Information Supply & Assurance Technology, Anhui University, Hefei, China
3The College of Computer, Hubei University of Education, Wuhan, China
4The State Key Laboratory of Cryptology, Beijing, China
5The School of Computer Science and Educational Software, Guangzhou University, Guangzhou, China

Correspondence should be addressed to Zhiyan Xu; nc.ude.uhw@yzxsc

Received 2 March 2018; Accepted 29 April 2018; Published 13 June 2018

Academic Editor: Ilsun You

Copyright © 2018 Libing Wu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

With the application of sensor technology in the field of healthcare, online data sharing in healthcare industry attracts more and more attention since it has many advantages, such as high efficiency, low latency, breaking the geographical location, and time constraints. However, due to the direct involvement of patient health information, the privacy and integrity of medical data have become a matter of much concern to the healthcare industry. To retain data privacy and integrity, a number of digital signature schemes have been introduced in recent years. Unfortunately, most of them suffer serious security attacks and do not perform well in terms of computation overhead and communication overhead. Very recently, Pankaj Kumar et al. proposed a certificateless aggregate signature scheme for healthcare wireless sensor network. They claimed that their signature scheme was able to withstand a variety of attacks. However, in this paper, we find that their scheme fails to achieve its purpose since it is vulnerable to signature forgery attack and give the detailed attack process. Then, we propose a new certificateless aggregate signature scheme to fix the security flaws and formally prove that our proposed scheme is secure under the computationally hard Diffie-Hellman assumption. Security analysis and performance evaluation demonstrate that the security of our proposal is improved while reducing the computation cost. Compared with Pankaj Kumar et al.'s scheme, our proposed scheme is more efficient and suitable for the healthcare wireless sensor networks (HWSNs) to maintain security at various levels.

1. Introduction

Wireless sensor network (WSN) has been widely used in many fields such as retail, entertainment, medicine, tourism, industry, and emergency management [1], and it provides many new opportunities for traditional applications, of which healthcare is one of them. Researchers have invented many sensor-based miniature medical devices to replace the traditional thousands of wires connected to hospital equipment and to increase the mobility of devices. The combination of computer network technology and medical field makes the healthcare industry have more broad prospects for development [2].

The application of wireless sensor network technology is mainly divided into two categories: medical applications and nonmedical applications [3]. There are two main types of devices used in medical applications: wearable devices and implanted devices. The first category refers to medical devices that are used on or near the surface of a human body, and the human body can move with the wearable devices. The second category refers to medical devices injected in/with the human body.

As shown in Figure 1, there is a general healthcare wireless sensor network (HWSN) architecture, which consists of the following five components [4]: sensor, central control unit, patient, cloud based network, and healthcare professional. The medical sensor node implanted on the patient’s body, using air as a transmission medium, can transmit patient’s health data to a remote central control unit (CCU) for further processing, then the health data is sent to the healthcare professional by CCU via Internet, and the patient’s medical report is further generated.

Figure 1: A general healthcare wireless sensor network architecture.

In the HWSN, information is transmitted from medical sensor devices to the healthcare professional who analyzes the medical information and further provides a suitable solution. If the attacker modifies the medical message halfway, the healthcare professional could make a wrong diagnosis based on the modified message, which can be very dangerous to human life. Because of the direct involvement of patient health information, it is of crucial importance to address the issue of privacy and integrity of personal health data [57].

Motivated with the above scenario, many digital signature schemes are proposed for healthcare wireless sensor network (HWSN) to protect the privacy and integrity of patient medical information. In this paper, we first review Pankaj Kumaret al.'s certificateless aggregate signature (CL-AS) scheme [8] and point out a previously undiscovered security flaw in the scheme; that is, we reveal that their proposed scheme suffers the signature forgery attack. We then propose a new CL-AS scheme for the issues of security and privacy in HWSN.

1.1. Our Research Contributions

In this paper, we propose a new CL-AS scheme which could better protect the integrity and privacy of data in HMSN. The main contributions of this paper are summarized as below:(i)Firstly, we identify a security weakness against Pankaj Kumar et al.'s CL-AS scheme for HWSN.(ii)Secondly, we redefine the architecture of a HWSN, which is more close to the actual application environment.(iii)Thirdly, we propose a CL-AS scheme for HWSN to mend this security flaw, and our new scheme can satisfy the security requirements.(iv)Finally, we prove the security of our proposed CL-AS scheme and show that it can improve the security while reducing the computation cost compared with Pankaj Kumar et al.'s CL-AS scheme.

1.2. Organization of the Paper

The remainder of this paper is organized as below. Section 2 introduces the related work. Section 3 presents the problem statements associated with this paper and then briefly reviews the CL-AS scheme for HWSN in Section 4. In Section 5, we demonstrate an attack against Pankaj Kumar et al.'s CL-AS scheme for the HWSN. Furthermore, we present details of the proposed CL-AS scheme in Section 6. In Sections 7 and 8, the security proof and performance analysis of our scheme are described later. Finally, we give a summary of this paper in the last section.

2. Related Work

In the traditional PKI-based public key cryptography (PKC), as the number of users increases, PKC will face a variety of certificate management issues such as certificate distribution, storage, revocation, and high computational cost [11].

Although identity-based public key cryptography (IBC) [12, 13] can solve the problem of certificate management existing in PKC, it has inherent key escrow issue. This is because the user’s private key is generated by the key generation center (KGC) based on the user’s identity; that is, KGC can access any user’s private key in IBC.

To solve the above problems, Al-Riyami et al. proposed certificateless public key cryptosystem (CL-PKC) [14]. Because it does not use certificates and the private key is generated both by KGC and by the user himself, it can solve certificate management issue in PKC and the key escrow issue in IBC. Since Al-Riyami et al. introduced the notion of CL-PKC [14], it has attracted more and more research attention, and many certificateless signature (CLS) schemes [1521] have been introduced by researchers.

Huang et al. [15] proved that the CLS scheme proposed in [14] is vulnerable to the public key replacement attack and further proposed an improved certificateless signature scheme to solve this weakness. Similarly, Li et al. [16] also proposed a new CLS scheme to improve the security of the scheme proposed in [17], which is subject to the public key replacement attack as well. For a malicious KGC attack that exists in some certificateless signature schemes, Au et al. [18] proposed an enhanced security model that allows malicious KGC to generate key pairs in any way. Nevertheless, the certificateless encryption and signature schemes proposed in [1921] have been found to be insecure against malicious KGC attack.

Boneh et al. proposed the concept of aggregate signature [22] in Eurocrypt 2003. The aggregator can aggregate different signatures with respect to messages from users into a single short signature, which can reduce the bandwidth and computational effort of tiny devices used in HWSN. Therefore, the aggregate signature is a more suitable choice in resource-constrained HWSN.

Combining certificateless public key cryptography with aggregate signature, Gong et al. [9] proposed the first CL-AS scheme, but they did not give a formal security proof to the scheme. After pioneer work [9], many CL-AS schemes [10, 2328] have been proposed for various practical applications. Zhang and Zhang [23] redefined the concept and security model for CL-AS. Furthermore, they put forward a new CL-AS scheme, but their scheme need clock synchronized while generating the aggregate signature, and, more seriously, the scheme has been proved that it cannot resist malicious KGC attack. Xiong et al. [24] presented a CL-AS scheme, but He et al. [25] showed that their scheme was forgeable and further proposed a new CL-AS scheme. The CL-AS scheme proposed in [10] has been found to be insecure against the malicious-but-passive KGC attack by the researchers in [2628].

Recently, He and Zeadally [29] present an authentication scheme for the Ambient Assisted Living (AAL) system, which provides technical support for medical monitoring and telehealth services. He et al. [30] put forward an efficient certificateless public auditing scheme for cloud-assisted wireless body area networks. Very recently, Pankaj Kumar et al. proposed a CL-AS scheme for secure communication in HWSN [8], which is claimed to be able to achieve the message authentication and integrity audit functions while also achieving nonrepudiation and confidentiality. Unfortunately, we find that their CL-AS scheme is insecure and vulnerable to signature forgery attack from a malicious-but-passive KGC.

3. Problem Statement

Bilinear map and related hard problems are first described and then system model of our proposed CL-AS scheme is presented in this section. After that, system components of CL-AS scheme are also described.

3.1. Bilinear Map

Suppose that and are two cyclic groups with the same prime order , where is an additive cyclic group with a generator and is a multiplicative cyclic group. is a bilinear map. For all , , and should satisfy the properties as follows:(1)Bilinearity: and .(2)Nondegeneracy: there exists such that .(3)Computability: there exists efficient algorithm to calculate .

3.2. Complexity Assumption

(1)Computational Diffie-Hellman (CDH) Problem: Given a generator of an additive cyclic group with the order and a random instance , it is difficult to compute , where and are unknown.(2)Computational Diffie-Hellman (CDH) Assumption: There does not exist adversary , can solve the problem in probabilistic polynomial time with a nonnegligible probability , where is a very small number.

3.3. System Model

The architecture of our healthcare wireless sensor network is shown in Figure 2. There are five entities in the framework of a healthcare wireless sensor network: medical sensor node (MSN), medical server (MS), authorized healthcare professional (AHP), signature aggregator (SA), and aggregate signature verifier (ASV). Each entity is specifically defined as follows:(1)Medical sensor node. Medical sensor node is a resource-limited medical small device on patient’s body belonging to the Care-District. Let denote the identity and denote the key pair of the sensor node. Each sensor node can use its private key to generate a signature for the relevant message and send the signature to the signature aggregator.(2)Medical server. Medical server is a device with strong computing power and plenty of storage space, which can handle a large amount of data received from sensors. It transmits the processed patient’s medical information to the AHP. In addition, it is responsible for generating system parameters , its own key pair , and the partial private key for each sensor node corresponding to its identity and then secretly sends to the sensor node.(3)Healthcare professional. Healthcare professional refers to an authorized medical personnel who provides patients with appropriate prescriptions by analyzing the data information sensed by the sensors.(4)Aggregator. Aggregator refers to a certain computing power of device. It is responsible for collecting a single signature from Care-District and then generating an aggregate signature and sending it to the MS. Suppose that each Care-District contains one aggregator and many sensors.(5)Aggregate signature verifier. Aggregate signature verifier refers to a certain computing power of equipment. It is responsible for verifying an aggregate signature from different Care-District and then outputting a verification result.

Figure 2: The architecture of our healthcare wireless sensor network.
3.4. System Components

Our CL-AS scheme is a collection of the following seven polynomial time algorithms as below:(1)Setup is a probabilistic algorithm executed by the MS, where is a security parameter, is the system parameters, is the key pair of MS, that is, is the master secret key, and is the master public key.(2)Partial-Private-Key-Gen is a probabilistic algorithm executed by the MS, where is the system parameters, is the key pair of MS, is a MSN’s identity, and is the partial private key corresponding to the identity of the MSN.(3)User-Key-pair-Gen is a randomized algorithm executed by the MSN with identity , where is the system parameters, is the key pair of MS, and is the key pair of the MSN with the identity .(4)Sign is a randomized algorithm executed by the signer, where is the system parameters, is the key pair of the signer, is the state information, is the signer’s identity, is the message, and is the signature on the message .(5)Verify is a probabilistic algorithm executed by the verifier, where is the system parameters, is the signer’s identity, is the public key of the signer, is the message, and is the signature on the message , 1 or 0 as outputs to indicate whether the signature is validated.(6)Aggregate is a deterministic algorithm executed by the aggregator, where is the system parameters, is the signer’s identity, is the public key of the signer, is the message, is the signature on the message , and is the signature on the message .(7)Aggregate-Verify is a deterministic algorithm executed by the aggregate verifier, where is the system parameters and is the aggregate signature of the message on the identity with public key . 1 or 0 act as outputs to indicate whether aggregate signature is validated.

3.5. Attack Model

In the attack model, we introduce an adversary in our model. A’s ultimate goal is to successfully forge the user’s signature on the message. possesses with the following capabilities:(1) can access any hash oracle and corresponding queries in the security model.(2) simulates an outsider attacker, who cannot obtain the master key but can replace any user’s public key with a value of his choice.(3) simulates an honest-but-curious MS, who is an insider attacker and has no power to replace any user’s public key but can access the system master key.

4. Review of Pankaj Kumar et al.'s Scheme

Pankaj Kumar et al.'s CL-AS scheme is composed of seven algorithms, i.e., , , , , , , and . The scheme details are described as below.

4.1. Setup

By executing the following operations, after entering the security parameter , the MS generates the system parameter .(1)Generates two cyclic groups and with the same order , where is a prime. being a generator of . being a bilinear pairing.(2)Randomly selects a number , computes , and sets as the master key and as the public key of (3)Defines three hash functions: , , (4)Keeps secret and public.

4.2. Partial-Private-Key-Gen

By executing the following operations, MS generates the user’s partial private key:(1)Given as the identity of a MS, it computes and and sets as the user’s partial private key.(2)It secretly sends to the corresponding MSN.

4.3. Private-Key-Gen

By executing the following operations, a sensor with the identity generates its private key and public key:(1)Selects a random number as the secret value.(2)Sets as its private key.(3)Computes as its public key.

4.4. Sign

By executing the following operations, a signer with the identity generates a signature on the message :(1)Inputs system parameters , private key , secret key , state information , and private-public key pair (2)Selects randomly and then computes (3)Computes and (4)Computes (5)Outputs as the signature of message .

4.5. Verify

By executing the following operations, the verifier verifies the signature of message on identity :(1)Inputs the state information (2)Computes , and (3)Verifies(4)If (1) holds, emits 1 and the verifier accepts the signature ; otherwise emits 0 and rejects.

4.6. Aggregate

By executing the following operations, an aggregator generates the aggregate signature from user-message-public key-signature pairs :(1)Inputs tuples , where (2)Computes (3)Outputs as the aggregate signature, where .

4.7. Aggregate-Verify

By executing the following operations, the aggregate verifier verifies the validity of the aggregate signature :(1)Inputs the state information , the tuples , and the aggregate signature (2)For , computes , , and (3)Verifies(4)If (2) holds, emits 1 and the verifier accepts the aggregate signature ; otherwise emits 0 and rejects.

5. Attack on Pankaj Kumar et al.'s CL-AS Scheme

As we know that the signature of of message on identity should be unforgeable. However, a malicious MS or an outside attacker may try to forge the signature. Once the MS or the outside attacker successfully forges the signature directly or indirectly, he/she finishes the signature forgery attack.

In this section, we mainly consider the type 2 adversary and first make a security analysis for Pankaj Kumar et al.'s CL-AS scheme, and then we demonstrate that it is vulnerable to the signature forgery attack, the attack details are described as follows.

Setup. The challenger executes the algorithm to generate system parameters and master key . Then it returns and to the adversary .

Queries. The adversary could get the signature on the message signed by with the identity via signature queries, where

Forgery. In order to forge the signature on signed by with the identity , the adversary implements its attack as follows:(1)Lets (2)Computes

Verify. It is easy to verify the validity of the forged signature . The verifier calculates and . Furthermore, the verifier calculates . Then we use the forged signature to verify (1) and the concrete process is as follows:

Aggregate-Verify. It is easy to verify the validity of the forged signature . For , the verifier calculates and . Furthermore, the verifier calculates . Then we use the forged signature to verify (2); the concrete process is as follows:

We can find that the signature verifications (1) and (2) hold. That is, the forged signature pass verification and the malicious KGC can forge the signature successfully; Pankaj Kumar et al.'s CL-AS scheme is insecure.

6. Our Proposed CL-AS Scheme

To overcome the security flaw of the original scheme, we propose a new CL-AS scheme. Our CL-AS scheme includes seven phases: , , , , , , and . The scheme details are described as below.

6.1. Setup

By executing the following operations, MS generates the system parameters after taking a security parameter :(1)Generates two cyclic groups and with the same order , where is a prime. being a generator of . being a bilinear pairing.(2)Randomly selects a number as the master key of MS and calculates as the public key of (3)Chooses four hash functions: , , , and (4)Keeps the master key secret and the system parameters public.

6.2. Partial-Private-Key-Gen

By executing the following operations, MS generates the MSN’s partial private key:(1)Given as a MSN’s identity, MS first computes and then computes the MSN’s partial private key .(2)It secretly sends to the corresponding MSN.

6.3. Private-Key-Gen

By executing the following operations, a MSN with the identity generates its private key and public key:(1)Selects a random number as the secret value.(2)Sets as its private key.(3)Computes as its public key.

6.4. Sign

By executing the following operations, a signer with the identity generates a signature on the message :(1)Inputs system parameters , state information , and private-public key pair (2)Selects randomly and then calculates (3)Computes , , and (4)Computes (5)Outputs as the signature of message .

6.5. Verify

By executing the following operations, the verifier verifies the signature of message on identity :(1)Inputs the state information .(2)Computes , , , and (3)Verifies(4)If (6) holds, emits 1 and the verifier accepts the signature ; otherwise emits 0 and rejects.

6.6. Aggregate

By executing the following operations, an aggregator generates the aggregate signature from user-message-public key-signature pairs :(1)Inputs tuples , where (2)Computes (3)Outputs as the aggregate signature, where .

6.7. Aggregate-Verify

By executing the following operations, the aggregate verifier verifies the validity of the aggregate signature :(1)Inputs the state information , the tuples , and the aggregate signature (2)Computes , furthermore, for , computes , and (3)Verifies(4)If (7) holds, emits 1 and the verifier accepts the aggregate signature ; otherwise emits 0 and rejects.

7. Security Analysis

A certificateless aggregate signature scheme should satisfy the following requirements: correctness and unforgeability.

7.1. Correctness

Theorem 1. The proposed certificateless aggregate scheme is correct, if and only if the single signature and aggregate signature generated by our scheme make (1) and (2) hold. The correctness of the protocol is elaborated as follows: and

7.2. Unforgeability

In this subsection, we first give the security model of CL-AS scheme and then give the security proof to show that the proposal is secure under the security model.

Security Model. There are two types of adversaries in the CL-AS security model: and . simulates an outsider attacker, who cannot obtain the master key but can replace any user’s public key with a value of his choice, while simulates an honest-but-curious KGC, who is an insider attacker and has no power to replace any user’s public key but can access the system master key.

Definition 2. The security model of a CL-AS scheme is defined by two games (denoted by Game1 and Game2) played between an adversary and a challenger ; more details are defined below.

The adversary can access the following random oracle machines in the scheme:

Hash queries: can access any hash oracle in the scheme, including , , , and .

Setup: performs the algorithm to generate the master key and the system parameter list . Then gives the corresponding response for different types of adversary.

Reveal-Partial-private-key: While submits a partial private key query on the identity to challenger , it checks if there is a record that corresponds to the identity in the list and, if found, sends to ; otherwise, if it aborts; otherwise, it generates the partial private key , sends it to , and stores it in the list .

Reveal-Secret-key: While submits a secret value query on the identity to challenger , it checks if there is a record that corresponds to the identity in the list and, if found, sends to ; otherwise, if it aborts; otherwise, it generates the secret value and sends it to and stores it in the list .

Reveal-Public-Key: When adversary submits a public key query on the identity to challenger , it checks if there is a record that corresponds to the identity in the list , if found, sends to ; otherwise it generates the public key , sends it to and stores it in the list .

Replace-Public-key: While submits a query that replaces the public key on the identity with choice of public key to challenger , checks if there is a record that corresponds to the identity in the list and, if found, then it updates the corresponding item to in the list ; otherwise it aborts.

Sign: While submits a signature query on the message with the signer’s identity to challenger , executes one of the following operations:(1)If the target user has not been created, it aborts.(2)If the target user has been created and the related user public key has not been replaced, then it returns a valid signature .(3)If the target user has been created and the corresponding user public key has been replaced with , then it returns a signature .

We, respectively, define two games to describe two different types of attackers in the CLS, as shown below.

Game1: The challenger interacts with adversary as follows:(1)Inputting as a security parameter, performs the algorithm to generate the master key and the system parameter list . Then sends to and keeps secret.(2) is capable of accessing any hash oracle in the scheme and , , , , and queries at any stage during the simulation in polynomial bound.

Forgery: outputs an aggregate signature with respect to user-message-public key-signature pairs , where . We say that wins if and only if the following conditions are met:(1) is a valid aggregate signature with respect to user-message-public key-signature pairs , where .(2)The targeted identity has not been submitted during the query.(3) has not been submitted during the query.

Game2: The challenger interacts with adversary as follows:(1)Inputting as a security parameter, performs the algorithm to generate the master key and the system parameter list . Then sends and to .(2) is capable of accessing any hash oracle in the scheme and , , and queries at any stage during the simulation in polynomial bound.

Forgery: outputs an aggregate signature with respect to user-message-public key-signature pairs , where . We say that wins if and only if the following conditions are met:(1) is a valid aggregate signature with respect to user-message-public key-signature pairs , where .(2)The targeted identity has not been submitted during the query.(3) has not been submitted during the query.

Provable Security. In this section, we demonstrate that the new CL-AS scheme is secure under the security model described in the previous subsection. Our security proof consists of two parts.

In this section, we prove that our proposed CL-AS scheme is secure under the security model present in the previous section, and the specific process is described in the following two parts: the CL-AS is unforgeable to type 1 adversary and the CL-AS scheme is unforgeable to type 2 adversary .

Theorem 3. The proposed CL-AS scheme is existentially unforgeable against type 1 adversary , if the CDH problem is difficult to solve in .

Proof. We can prove the unforgeability of our CL-AS scheme against type 1 adversary with Game1 that involves and an algorithm called simulator .

Given a random instance of the CDH problem , where is a generator of , our ultimate goal is to find the result of by solving the CDH problem.(i) Setup: randomly chooses as the target identity of sensor challenged, sets , and generates and returns system parameter to . performs the inquiries as follows:(ii) query: maintains a list denoted , and the structure of is ; all the elements in are initialized to null. When performs the query with the identity , checks whether a tuple exists in ; if it exists, it returns to ; otherwise, randomly selects and . If , set ; otherwise, if , set . It returns to and stores to .(iii) query: maintains a list denoted , and the structure of is , all the elements in are initialized to null. When executes the query with , checks if a tuple exists in ; if it exists, it returns to ; otherwise, randomly selects and computes . It returns to and stores to .(iv) query: maintains a list denoted , and the structure of is , all the elements in are initialized to null. When executes the query with the tuple , check whether a tuple exists in ; if it exists, it returns to ; otherwise, randomly selects . It returns to and stores to .(v) query: maintains a list denoted , and the structure of is , all the elements in are initialized to null. When executes the query with the tuple , checks if a tuple exists in ; if it exists, it returns to ; otherwise, randomly selects . It returns to and stores to .(vi) Reveal-Partial-Private-Key queries: maintains a list denoted , and the structure of is , all the elements in are initialized to null. When executes the query with , first checks whether ; if it holds, output ; otherwise, checks whether a tuple exists in ; if it exists, it returns to ; otherwise, recalls the corresponding tuple from the list and computes . It returns to and stores to .(vii) Reveal-Secret-Key-queries: maintains a list denoted , and the structure of is , all the elements in are initialized to null. When performs the query with the identity , first checks if ; if it holds, output ; otherwise, checks whether a tuple exists in ; if it exists, it returns to ; otherwise, randomly selects . It returns to and stores to .(viii) Reveal-Public-Key queries: maintains a list denoted , and the structure of is , all the elements in are initialized to null. When performs the query with the identity , checks whether a tuple exists in ; if it exists , it returns to ; otherwise, it accesses to get and computes . It returns to and stores to .(ix) Replace-Public-Key queries: When executes the query with the identity , in response, replaces the real public key of with chosen by in the list .(x) Sign queries: When performs the query with the user identity and public key , message , accesses , , , and to get , , , , and , respectively. Furthermore, randomly selects and computes ; if , computes ; otherwise, if , computes . It returns to as the signature of the message on the user identity with the public key .(xi) Forgery: Finally, outputs a forged aggregate signature from message-identity-public key pairs , where . If all hold, aborts; otherwise, without loss of generality, let ; that is, , , and then the forged signature should make the following hold:where , , , , and .

Furthermore, the derivation process is shown as follows:

However, this contradicts the CDH assumption; thus the single signature and aggregate signature generated by the new scheme are unforgeable.

Theorem 4. The proposed certificateless aggregate scheme is existentially unforgeable against type 2 adversary , if the CDH problem is difficult to solve in .

Proof. We can prove the unforgeability of our CL-AS scheme against type 2 adversary with Game2 that involves and an algorithm called simulator .

Given a random instance of the CDH problem , where is a generator of , our ultimate goal is to find the result of by solving the CDH problem.(i) Setup: randomly chooses as the target identity of sensor challenged, sets , and returns master key and system parameter to . performs the inquiries as follows.(ii), , and Reveal-Secret-Value queries are the same as the corresponding queries in Theorem 3. Since can access the master key, there is no need to the Reveal-Partial-Private-Key queries and Replace-Public-Key queries.(iii) query: maintains a list denoted , and the structure of is , all the elements in are initialized to null. When performs the query with the identity , checks whether a tuple is exists in ; if it exists, it returns to ; otherwise, randomly selects and computes . It returns to and stores to .(iv) query: maintains a list denoted , and the structure of is , all the elements in are initialized to null. When executes the query with , checks whether a tuple exists in ; if it exists, it returns to ; otherwise, randomly selects and computes . It returns to and stores to .(v) Reveal-Public-Key queries: maintains a list denoted , and the structure of is , all the elements in are initialized to null. When performs the query with the identity , checks whether a tuple exists in ; if it exists , it returns to ; otherwise, randomly selects ; if , accesses to get and computes ; otherwise, if , randomly selects and computes . It returns to and stores to .(vi) Sign queries: When performs the query with user’s identity and public key , message , accesses , , , , and to get , , , , and , respectively. Furthermore, randomly selects and computes ; if , computes ; otherwise, if , computes . It returns to as the signature of the message on user’s identity with the public key .(vii) Forgery: Finally, outputs a forged aggregate signature from message-identity-public key pairs , where . If all hold, aborts; otherwise, without loss of generality, let ; that is, , , and then the forged aggregate signature should satisfy:where , , , , , and .

Furthermore, the derivation process is shown as below:

However, this contradicts the CDH assumption; thus the single signature and aggregate signature generated by the new scheme are unforgeable.

8. Security Comparisons and Performance Analysis

In this section, we first compare the security of the newly proposed CL-AS scheme with the other three CL-AS schemes and further analyze the performance of the new CL-AS scheme by evaluating the computation overhead.

8.1. Security Comparisons

In this subsection, we compare the security of the newly proposed CL-AS scheme with the other three CL-AS schemes [810]. For the convenience of description, let and denote the type1 and the type2 adversaries, respectively. Furthermore, the two types of adversaries are divided into three levels [31], where denotes general adversary, denotes strong adversary, denotes super adversary, respectively, and ; the value of corresponds to the type adversary. denotes that it can satisfy the corresponding security requirement and denotes that it cannot satisfy the corresponding security requirement. denotes the weaker security and denotes the stronger security under the corresponding attack types. denotes the security performance. The security comparisons of the various schemes are listed in Table 1.

Table 1: Security comparisons.

As shown in Table 1, we can find that the first three schemes (i.e., Gong’s scheme [9], liu’s scheme [10], and kumar’s scheme [8]) cannot satisfy all the security requirements. Especially for Gong’s two CL-AS schemes [9], under the attacks of the type1 and the type2 adversaries, none of them can meet the security levels of . liu and kumar’s schemes cannot resist the malicious KGC attack ( level). In contrast, our CL-AS scheme can meet all the security requirements. Hence, our proposed CL-AS scheme has better security than that of the other three schemes.

8.2. Performance Analysis

In this section, we analyze the performance of our CL-AS scheme by evaluating the computation overhead. Compared with that of kumar et al.'s scheme, our implementation shows that the new proposal can satisfy the security requirement and provide an improved security while reducing the computation cost.

In order to achieve a credible security level, we choose and as 160-bits prime number and 512-bits prime number, respectively. A ate pairing is used in our experiments, where and are cyclic groups with the same order , defined on the super singular elliptic curve .

We have implemented kumar et al.'s scheme and the newly proposed scheme with the MIRACL library [32] on a personal computer (Lenovo with Intel I5-3470 3.20G Hz processor, 4G bytes memory and Window 7 operating system). For the sake of simplicity, we firstly define the corresponding relations related symbol-operation-execution time as shown in Table 2.

Table 2: symbol-operation-execution time.

Because Setup, Partial-Private-Key-Gen, and Private-Key-Gen phases are executed by MS or user and all of them are one-time operation, we laid stress on the comparisons of the computation cost in Sign, Verify, Aggregate, and Aggregate-Verify phases.

In phase, the user in kumar et al.'s scheme needs to perform one general hash operation in , one map-to-point hash operation in , two-point addition operations in and three-point multiplication operations in . Therefore, the running time of the phase is , whereas the user in the new proposal needs to perform two general hash operations in , one map-to-point hash operation in , two-point addition operations in , and four-point multiplication operations in . Therefore, the running time of the phase in our proposed scheme is milliseconds.

In phase, the verifier in kumar et al.'s scheme needs to perform one general hash operation in , one map-to-point hash operation in , one-point addition operation in , one-point multiplication operation in , and three-bilinear pairing operations. Therefore, the running time of the phase is , whereas the verifier in the new proposal needs to perform two general hash operations in , one map-to-point hash operation in , one-point addition operation in , two-point multiplication operation in , and three-bilinear pairing operations. Therefore, the running time of the phase in our proposed scheme is milliseconds.

In phase, the aggregator in kumar et al.'s scheme needs to perform point addition operations in , whereas the aggregator in the new proposal needs to perform point addition operations in . We can find that the running time of the phase in the two schemes is equal to milliseconds.

In phase, the aggregate verifier in kumar et al.'s scheme needs to perform general hash operations in , map-to-point hash operations in , point addition operations in , point multiplication operations in , and three-bilinear pairing operations. Therefore, the running time of the phase is milliseconds, whereas the verifier in the new proposal needs to perform general hash operations in , map-to-point hash operations in , point addition operations in , point multiplication operations in , and three-bilinear pairing operations. Therefore, the running time of the phase in our proposed scheme is milliseconds.

Assuming that in the and <