The vehicular sensor network (VSN) is an important part of intelligent transportation; it is used for real-time detection and operation control of vehicles and for real-time transmission of data and information. In a VSN, massive amounts of private data generated by vehicles are transmitted over open channels and used by other vehicle users, so it is crucial to maintain both high transmission efficiency and high confidentiality of the data. To address this problem, in this paper we propose a heterogeneous fault-tolerant aggregate signcryption scheme with an equality test (HFTAS-ET). The scheme combines fault tolerance with aggregate signcryption, which makes up both for the low confidentiality of aggregate signatures and for the inability of aggregate signcryption to tolerate invalid signatures. The scheme supports a single verification pass when all signcryptions are valid, and it supports unbounded aggregation when the total number of signcryptions grows dynamically. In addition, the scheme supports a heterogeneous equality test, which realizes access control of private data across different cryptographic environments, so that the scheme can be applied flexibly and plaintexts or ciphertexts can be searched quickly. The security of HFTAS-ET is then demonstrated by rigorous theoretical analysis. Finally, we carry out standardized experiments and a performance evaluation, which show that the scheme has better performance.
In the past few years, the application of Internet of Things (IoT) devices has grown rapidly, including the Industrial Internet of Things (IIoT), intelligent supply chains, electronic medical systems, smart homes and other areas [1]. Among them, the Internet of Vehicles is one of the most important applications, and the VSN is one of the key research directions in academia. Through wireless communication technology, vehicle equipment makes effective use of all the dynamic data and information of vehicles in the information network platform, and diverse functional services are provided by vehicle equipment in the operation control of vehicles.
In a VSN, massive amounts of private data generated by vehicles are transmitted over open channels, such as driving operations inside vehicles and information transmitted between vehicles and between vehicles and the Internet. In this case, data confidentiality and transmission efficiency are crucial. At the same time, most IoT systems rely on cloud computing [2] for massive data processing and services, and strict authentication is required before data can be used, so data confidentiality and user access control are both necessary. Therefore, maintaining high transmission efficiency and high confidentiality of data is a very important challenge.
In 1976, Diffie [3] researched public key cryptography and then proposed the concept of the digital signature. Digital signature technology binds the identity information of the signer to the signed message, indicating that the signer has signed the message; the verifier can check that the message was really signed by the signer, and forging a signature by impersonating the signer is difficult. Later, certificate-based signature [4], identity-based signature [5–7] and certificateless signature (CLS) schemes [8–10] emerged successively. However, a traditional digital signature has higher computational overhead and lower efficiency, so it is not suitable for massive data.
Boneh et al. [11] conducted several studies to raise verification efficiency and reduce storage, and proposed an aggregate signature scheme in 2003. This scheme uses the properties of bilinear pairings to generate a short signature, which is more flexible, but it requires the signed messages and the participants to be distinct, which imposes too many restrictions, a higher resource cost and lower availability. Cheon et al. [12] proposed an identity-based aggregate signature (IBAS) in 2004. Two certificateless aggregate signature schemes (CLAS) were proposed by Gong et al. [13]. After that, improved schemes were put forward in abundance. For example, PFCBAS and CL-DVAAS were proposed respectively by Verma et al. [14] and Deng et al. [15]; these two schemes need no pairing operation, which further improves verification efficiency. In 2021, Han et al. [16] further improved the existing schemes and proposed an efficient pairing-free CLAS (eCLAS), which reduced the signature length and the computation cost of verification. The aggregate signature algorithm is convenient: it greatly improves the efficiency of verification and effectively reduces storage. However, aggregate signatures still have two problems: first, the confidentiality of aggregate signatures is low; second, the invalidity of an aggregate signature leads to the rejection of all the signatures in it.
To address the first problem of aggregate signatures, Selvi et al. [17] first gave an aggregate signcryption scheme in 2009. Aggregate signcryption aggregates multiple signcrypted ciphertexts into a single aggregate signcryption, and the recipient only needs to verify the aggregate signcryption. This increases the confidentiality of aggregate signatures and effectively controls the computation and communication costs [18–21]. In 2011, Lu et al. [22] presented certificateless aggregate signcryption (CLAS), which is based on bilinear mapping and provably meets confidentiality and unforgeability. Later, Ren et al. [23] gave a provably secure identity-based aggregate signcryption scheme, which greatly reduced communication overhead but did not achieve complete aggregation. In 2020, Kim et al. [24] presented a certificateless aggregate signcryption scheme; according to the security requirements and computing resource constraints of the IoT, it reduces the computation overhead, communication overhead and storage space, and solves the key aging problem. However, the majority of existing aggregate signcryption schemes do not support fault tolerance, and an invalid signature causes all of the aggregated signcrypted ciphertexts to fail verification.
To address the second problem of aggregate signatures, Hartung et al. [25] first presented the concept of fault-tolerant aggregate signatures in 2016, emphasizing fault tolerance without saying much about aggregate signatures, but the scheme was not flexible enough to be applied in practice. In 2019, Wang et al. [26] proposed an improved fault-tolerant aggregate signature scheme with better flexibility, but a defect remains: all signatures may still be rejected because of one or very few invalid signatures. Xiong et al. [27] proposed SECLS, a secure certificateless signature scheme that supports invalid signature identification and batch verification. Zhao et al. [28] gave CLFTAS, a certificateless fault-tolerant aggregate signature. These two schemes further made up for the defects of fault-tolerant aggregate signatures, but when all signatures are valid they have higher computation overhead and lower verification efficiency. Xiong et al. [29] proposed an efficient batch verification scheme that also focuses on invalid signature identification. In addition, most aggregate signature schemes do not consider the unbounded setting and do not support dynamic growth of the total number of signatures.
To ensure the availability and searchability of data, Boneh et al. [30] combined keyword search with public key encryption and presented PKE-KS. This scheme ensures both data confidentiality and data searchability. However, there is a problem: data can be searched only when the keyword and the data are encrypted under the same public key. Xiong et al. [31], Huang et al. [32] and Chen et al. [33] respectively gave solutions to the privacy problems caused by cloud servers (CSs) in order to achieve access control. Xiong et al. [34] and Mei et al. [35] respectively proposed solutions to the privacy problems of the Internet of Vehicles and of blockchain. In 2010, Yang et al. [36] combined the equality test with public key encryption and presented PKE-ET. This scheme is not restricted by the public key used in the encryption process and can carry out an equality test between arbitrary ciphertexts. Since then, many scholars have conducted in-depth studies in this field [37–39]. In 2020, Xiong et al. [40] improved this method and applied it to the IIoT environment, realizing data access control in a heterogeneous environment and further improving data security and confidentiality. After that, Xiong et al. [41] improved the scheme further. The revocable scheme of Xiong et al. [42] and the key agreement scheme of Wu et al. [43] focus on key security.
To resolve the above problems, and considering that in an actual IoT environment different entities may use different cryptographic environments, it is necessary to design a fault-tolerant aggregate signcryption scheme that supports a heterogeneous environment.
As shown in Fig. 1, a vehicle in the PKI system (the vehicle carries an on-board unit with computing and communication capability, so the vehicle can be referred to as the on-board unit (OBU)) signcrypts a message using the administrator's ID and its own private key to form an individual signcryption, then sends it to the roadside unit (RSU). The RSU performs fault-tolerant aggregation of multiple signcryptions and sends the aggregate signcryption to the CS. At the same time, the CS receives a trapdoor generated by the administrator in the IBC system. When a user in the IBC system wants to use some data, he encrypts the keywords with his own ID and the corresponding trapdoor, and then sends the encrypted messages to the CS. The CS determines the user's access rights by executing an equality test on the encrypted messages. If the user has the right to access the data, the CS returns the corresponding data to him.
Fig. 1. System model
The detailed contributions of our paper are given below:
The paper constructs a heterogeneous fault-tolerant aggregate signcryption scheme with an equality test (HFTAS-ET). The aggregate signcryption function improves the confidentiality of communicated data and reduces communication overhead. The fault-tolerant function not only tolerates invalid signatures and reduces the verification cost, but also achieves a single verification pass when all signcryptions are valid. At the same time, the scheme is unbounded: it remains usable when the number of signcryptions grows dynamically. The scheme supports a heterogeneous environment, which ensures its flexibility, and provides an equality test to control access rights to data in a heterogeneous environment, ensuring the confidentiality and availability of data.
The security of the scheme is verified by rigorous theoretical analysis. Through detailed functional and performance comparisons, we conclude that our scheme has better performance and higher efficiency than existing schemes.
This scheme is applicable to the VSN.
Preliminaries
Bilinear Pairing
Suppose G and GT are two cyclic groups whose prime order is p, and P is a generator of G. A map e:G×G→GT is a bilinear pairing if it satisfies the following three conditions:
Bilinearity: ∀m,n∈G and ∀x,y∈Zp∗, there exists e(xm,yn)=e(m,n)xy.
Nondegeneracy: ∃m,n∈G, such that e(m,n)≠1.
Computability: ∀m,n∈G, there is a viable calculation to compute e(m,n).
Mathematical Assumption
G and GT are two cyclic groups whose prime order is p, P is a generator of G, and e:G×G→GT is a bilinear map. For a random x∈Zp∗, computing $e(P,P)^{1/x}$ given (P,xP) is called the Bilinear Diffie-Hellman Inversion Problem (BDHIP).
The Bilinear Diffie-Hellman Inversion Assumption (BDHIA) holds if no probabilistic polynomial-time adversary 𝒜 solves BDHIP with probability at least ε.
G is a cyclic group whose prime order is p, and P is a generator of G. For a random x∈Zp∗, computing (1/x)P given (P,xP) is called the Computational Diffie-Hellman Inversion Problem (CDHIP).
The Computational Diffie-Hellman Inversion Assumption (CDHIA) holds if no probabilistic polynomial-time adversary 𝒜 solves CDHIP with probability at least ε.
Cover-Free Families
In our scheme, d-cover-free families (d-CFFs) are the basis of fault tolerance.
d-Cover-Free Family: Consider two sets, 𝒳={x1,…,xm} with ∣𝒳∣=m and 𝒟={D1,…,Dn} with Di⊆𝒳 for 1≤i≤n and ∣𝒟∣=n. Together they form a set system ℱ=(𝒳,𝒟). ℱ is a d-cover-free family (d-CFF(m, n)) if for every Di0∈𝒟 and any d other subsets Di1,…,Did∈𝒟, Eq. (1) holds.
$$D_{i_0} \not\subseteq \bigcup_{k=1}^{d} D_{i_k} \qquad (1)$$
If the characteristic vectors of the subsets in 𝒟 are regarded as the columns of ℳ, then ℱ can be represented as a binary incidence matrix ℳ with m rows and n columns: ℳi,k=1 if xi∈Dk, and ℳi,k=0 otherwise. ℳ is d-CFF when the corresponding set system is d-CFF.
Nested Family: Let (ℳ(λ))λ be a sequence of incidence matrices of d-CFFs (ℱλ)λ=((𝒳λ,𝒟λ))λ, where ℳ(λ) has r(λ) rows and c(λ) columns.
If 𝒳λ⊆𝒳λ+1, r(λ)≤r(λ+1) and c(λ)≤c(λ+1), and $\mathcal{M}^{(\lambda+1)}=\begin{pmatrix}\mathcal{M}^{(\lambda)} & \mathcal{Y}\\ \mathcal{Z} & \mathcal{W}\end{pmatrix}$, where 𝒴, 𝒵 and 𝒲 are 0–1 matrices of the appropriate sizes and 𝒵 consists of some rows of ℳ(λ), several rows of all ones and several rows of all zeros, then (ℳ(λ))λ is called a nested family of d-CFF incidence matrices.
System Model
Formal Definition
Our scheme contains eight algorithms:
Setup: Executed by the private key generator (PKG). On input a security parameter k, it generates the system public parameters and the master secret key MSK.
PKI-Gen: Executed by PKG. On input a random number chosen by a sender si in the PKI system, it produces the corresponding secret key SKsi and public key PKsi.
IBC-Gen: Executed by PKG. On input the ID of a receiver in the IBC system, it produces the corresponding secret key SKr.
Trapdoor: Given the secret key SKr as input, the receiver generates the corresponding trapdoor tpd.
Signcrypt: Executed by the OBUs. Using the sender's secret key SKsi, a message Mi and the receiver's identity ID, the sender generates a signcryption σi.
Aggregate: After receiving the n signcryptions {σi}i=1n of n senders, the RSU aggregates all individual signcryptions into a single aggregate signcryption φ using the fault-tolerant aggregation algorithm based on a d-CFF.
Unaggregate: Given the fault-tolerant aggregate signcryption φ, the secret key SKr of a receiver and the public keys of the n senders {SKsi}i=1n, PKG verifies the signcryption and outputs the messages.
Test: After receiving the signcryption σA and trapdoor tpdA of receiver A and the signcryption σB and trapdoor tpdB of receiver B, the CS executes an equality test and produces the corresponding result.
In this scheme, the identity of the administrator is exclusively denoted by IDadmin. The scheme is performed as a signcryption scheme and the Signcrypt algorithm produces a signcryption of the message M, when ID=IDadmin. Otherwise, the scheme is performed as a general IBE scheme, the Signcrypt algorithm does not run digital signature and only produces encrypted ciphertext of M.
Security Model
Setup: After obtaining a security parameter k, the challenger 𝒞 produces the system parameters by executing the Setup algorithm. Then 𝒞 runs the PKI-Gen algorithm to obtain the public/secret key pairs of n senders, {(PKsi#,SKsi#)}i=1n, and delivers them to the adversary 𝒜1.
Phase I: 𝒜1 performs the following queries.
Key Generation Queries: After receiving the queried ID from 𝒜1, 𝒞 executes the IBC-Gen algorithm to obtain SKr and sends it to 𝒜1.
Aggregate Queries: After receiving the queried {σi}i=1n from 𝒜1, 𝒞 executes the Aggregate algorithm to obtain φ and sends it to 𝒜1.
Unaggregate Queries: After receiving the queried signcryption φ and receiver's ID from 𝒜1, 𝒞 executes the Unsigncrypt algorithm to obtain the result and sends it to 𝒜1.
Challenge: 𝒜1 sends a receiver's identity ID# and messages M1,0#,M1,1#,{Mi}i=2n∈{0,1}∗ to 𝒞. 𝒜1 is not allowed to have queried the secret key of ID# in Phase I. Then 𝒞 chooses b∈{0,1}∗ at random and sends φ# to 𝒜1, obtained by executing the Signcrypt and Aggregate algorithms.
Phase II: 𝒜1 is permitted to make additional queries as in Phase I, with the restriction that neither the secret key of ID# nor the plaintext of φ# may be queried during this phase.
Guess: 𝒜1 outputs its guess b′.
Definition 1: If the advantage Adv(𝒜1)=|2Pr[b′=b]−1| of every IND-CCA2 adversary 𝒜1 is negligible, then our HFTAS-ET scheme is IND-CCA2 secure.
Setup: After obtaining a security parameter k, the challenger 𝒞 produces the system parameters by executing the Setup algorithm. Then 𝒞 runs the PKI-Gen algorithm to obtain the public/secret key pairs of n senders, {(PKsi#,SKsi#)}i=1n, and delivers them to the adversary 𝒜2.
Phase I: 𝒜2 performs the following queries.
Key Generation Queries: After receiving the queried ID from 𝒜2, 𝒞 executes the IBC-Gen algorithm to obtain SKr and sends it to 𝒜2.
Trapdoor Queries: After receiving the query from 𝒜2, 𝒞 executes the Trapdoor algorithm to obtain tpd and sends it to 𝒜2.
Aggregate Queries: After receiving the queried {σi}i=1n from 𝒜2, 𝒞 executes the Aggregate algorithm to obtain φ and sends it to 𝒜2.
Unaggregate Queries: After receiving the queried signcryption φ and receiver's ID from 𝒜2, 𝒞 executes the Unsigncrypt algorithm to obtain the result and sends it to 𝒜2.
Challenge: 𝒜2 sends a receiver's identity ID# and messages M1#,{Mi}i=2n∈{0,1}∗ to 𝒞. 𝒜2 is not allowed to have queried the secret key of ID# in Phase I. Then 𝒞 chooses b∈{0,1}∗ at random and sends φ# to 𝒜2, obtained by executing the Signcrypt and Aggregate algorithms.
Phase II: 𝒜2 is permitted to make additional queries as in Phase I, with the restriction that neither the secret key of ID# nor the plaintext of φ# may be queried during this phase.
Guess: 𝒜2 outputs its guess M1′.
Definition 2: If the advantage Adv(𝒜2)=|Pr[M1′=M1#]| of every OW-CCA2 adversary 𝒜2 is negligible, then our HFTAS-ET scheme is OW-CCA2 secure.
Setup: After obtaining a security parameter k, the challenger 𝒞 produces the system parameters by executing the Setup algorithm. Then 𝒞 runs the PKI-Gen algorithm to obtain the public key PKs# of a sender and delivers it to the adversary 𝒜3.
Queries: 𝒜3 performs the following queries:
Key Generation Queries: After receiving the queried ID from 𝒜3, 𝒞 executes the IBC-Gen algorithm to obtain SKr and sends it to 𝒜3.
Signcryption Queries: After receiving the queried plaintext M and receiver's ID from 𝒜3, 𝒞 executes the Signcryption algorithm to obtain σ and sends it to 𝒜3.
Forgery: 𝒜3 outputs a receiver's ID# and a ciphertext σ# that was not generated by the Signcryption oracle. 𝒜3 wins if σ# is valid.
Definition 3: If the advantage Adv(𝒜3)=|Pr[𝒜3 wins]| of every EUF-CMA adversary 𝒜3 is negligible, then our HFTAS-ET scheme is EUF-CMA secure.
Construction
The Construction
Setup: Given a security parameter k, PKG produces cyclic groups G and GT of prime order p with a bilinear map e:G×G→GT, and a generator P of G. Compute E=e(P,P). Choose the system master secret key MSK=(m1,m2), where m1,m2∈Zp∗, and compute P1=m1P, P2=m2P. Pick the hash functions H1:{0,1}∗→Zp∗, H2:GT×{0,1}∗→Zp∗, H3:GT→{0,1}∗, H4:GT→Zp∗, H5:{0,1}∗×Zp∗×GT3→{0,1}∗. The system parameters are <G,GT,e,P,P1,P2,E,H1,H2,H3,H4,H5>. Define the special function F(ID) by F(ID)=1 if ID=IDadmin and F(ID)=0 otherwise.
PKI-Gen: PKG takes as input a number asi∈Zp∗ chosen at random by the sender si in the PKI system and produces the corresponding secret key SKsi=(1/asi)P and public key PKsi=asiP.
IBC-Gen: PKG takes as input the ID of a receiver in the IBC system and produces the corresponding secret key SKr=(SKr1,SKr2), where SKr1=(1/[H1(ID)+m1])P and SKr2=(1/[H1(ID)+m2])P.
Trapdoor: On input the secret key SKr of a receiver, output the corresponding trapdoor tpd=SKr2.
Signcrypt: Given the sender's SKsi, the plaintext Mi and the ID of a receiver, the sender computes the signcryption as follows:
Randomly pick (u1i,u2i)∈Zp∗.
Set $k_{1i}=E^{u_{1i}}$ and $k_{2i}=E^{u_{2i}}$.
Compute ti=H2(Mi,k1i⋅k2i).
Output the ciphertext σi=(α1i, α2i, α3i, α4i, α5i), where α1i=(Mi||u2i)⊕H3(k1i), α2i=(u2i⋅H1(Mi))⊕H4(k2i), α3i=u1i(H1(ID)P+P1), α4i=u2i(H1(ID)P+P2) and α5i=F(ID)(u1i+ti)SKsi.
Aggregate: On receiving the n signcryptions N={σi=(α1i,α2i,α3i,α4i,α5i)}i=1n from the n senders {si}i=1n within its coverage, the RSU aggregates all individual signcryptions into a single aggregate signcryption by the following fault-tolerant aggregation algorithm:
Extract the α5i part of each ciphertext and collect them in Q={α51,…,α5n}. Construct the corresponding binary incidence matrix ℳ with r rows and n columns that satisfies the d-CFF property.
In the matrix ℳ, every column represents a signcryption and every row represents a sub-validation. If ℳi,j=1, the i-th sub-validation (i.e., ε[i]) contains the information α5j of the j-th signcryption. If the j-th sub-validation is composed of the ω signcryptions {σi}i=1ω, then ε[j]=∑i=1ωα5i for 1≤j≤r.
Create an additional position ε[0] that fully aggregates the α5i parts of all n signcryptions, i.e., ε[0]=∑i=1nα5i.
The core of the aggregate signcryption is ε=(ε[0],ε[1],…,ε[r]).
The fault-tolerant aggregate signcryption is φ=(α11,…,α1n,α21,…,α2n,α31,…,α3n,α41,…,α4n, ε[0], ε[1],…,ε[r]).
Unbounded fault-tolerant aggregate (N1, N2)
Let N1 and N2 be two disjoint, mergeable sets of α5i parts. Let the dimension of Nk be nk, where k=1,2 and n1≤n2. Let Q1={α51,…,α5n1} and Q2={α51,…,α5n2}, with corresponding cores ε1=(ε1[0],ε1[1],…,ε1[r]) and ε2=(ε2[0],ε2[1],…,ε2[r]).
Let λk satisfy c(ℳ(λk−1))<nk≤c(ℳ(λk)) and rk=r(ℳ(λk)), where k∈{1,2} and λ1≤λ2. ℳ is the submatrix of ℳ(λ2) made up of its first n2 columns. Note that $\mathcal{M}=\begin{pmatrix}\mathcal{M}^{(\lambda_1)} & \mathcal{Y}\\ \mathcal{Z} & \mathcal{W}\end{pmatrix}$ for matrices 𝒴, 𝒵, 𝒲 satisfying the nesting property.
If one or both of the sets Nk contain only one individual signcryption, so that εk is a single α5k, then εk is expanded into a vector as in Eq. (2), where j is the column index of that individual signcryption in Qk.
$$\varepsilon_k[i]=\begin{cases}\alpha_{5k} & i=0 \ \text{or}\ (\mathcal{M}[i,j]=1 \ \text{and}\ 1\le i\le r_k)\\ \bot & \text{otherwise}\end{cases} \qquad (2)$$
If ε1 and ε2 are both vectors, aggregate their corresponding positions according to ℳ. Depending on the row of 𝒵 involved, a row index i is of one of three types: Type0 (a row of zeros), Type1 (a row of ones) or Type2 (a repeated row r of ℳ(λ1)). First expand ε1 to the dimension of ε2: ε1[i] is unchanged for 1≤i≤n1 and ε1[i]=⊥ for n1+1≤i≤n2. Then proceed as follows.
For i=0, aggregate the α5i parts of all signcryptions, so that a single verification pass suffices when all signcryptions are valid, as in Eq. (3).
$$\varepsilon[0]=\varepsilon_1[0]+\varepsilon_2[0] \qquad (3)$$
For i=1,…,r1, aggregate the corresponding signcryptions, as in Eq. (4).
$$\varepsilon[i]=\varepsilon_1[i]+\varepsilon_2[i] \qquad (4)$$
For i=r1+1,…,r2, proceed as in Eq. (5).
$$\varepsilon[i]=\begin{cases}\varepsilon_2[i] & \text{Type0}\\ \varepsilon_1[0]+\varepsilon_2[i] & \text{Type1}\\ \varepsilon_1[r]+\varepsilon_2[i] & \text{Type2}\end{cases} \qquad (5)$$
Combine {α1i,N1,α2i,N1,α3i,N1,α4i,N1}i=1n1 of N1 and {α1i,N2,α2i,N2,α3i,N2,α4i,N2}i=1n2 of N2 to form the unbounded fault-tolerant aggregate signcryption: φ=(α11,N1,…,α1n1,N1,α11,N2,…,α1n1,N2, α21,N1,…,α2n1,N1,α21,N2,…,α2n1,N2, α31,N1,…,α3n1,N1,α31,N2,…,α3n1,N2, α41,N1,…,α4n1,N1,α41,N2,…,α4n1,N2, ε[0],ε[1],…,ε[r2]).
Output φ.
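The merge step of Eqs. (2)–(5) is easiest to see on a concrete nested family. The following Python is an added illustration, not code from the paper: it replaces the group G by the integers modulo a constructed prime (so adding α5 parts is modular addition), builds a 1-CFF incidence matrix ℳ(1) whose columns are the 2-subsets of four points, extends it to ℳ(2) over five points plus two extra rows whose 𝒵-part is a row of ones and a repeated row of ℳ(1) (so all three row types occur), and merges the cores of two disjoint aggregates N1 and N2 exactly as Eqs. (3)–(5) prescribe. The column positions of N1 and N2, the α5 values, the modulus and the matrix construction are all assumptions of the example; the consistency check at the end (merged core equals the core of one aggregation over all columns) is what the nesting property is meant to guarantee.

```python
# Added example (not the paper's code): a toy model of the unbounded
# fault-tolerant aggregation of Eqs. (2)-(5). The group G is replaced by the
# integers modulo a constructed prime, so adding alpha5 parts is modular
# addition; matrices, column positions and alpha5 values are constructed.
from itertools import combinations

P_MOD = 1_000_003   # constructed toy modulus standing in for the group order p
BOT = None          # the symbol "bottom": position not covered by this aggregate

def two_subset_cff(points, first_points):
    """1-CFF incidence matrix whose columns are the 2-subsets of `points`
    (distinct 2-subsets never contain one another). Columns lying inside the
    first `first_points` points come first, so the smaller family is the
    top-left block of the larger one, as the nested-family definition needs."""
    inside = [c for c in combinations(points, 2) if max(c) < first_points]
    outside = [c for c in combinations(points, 2) if max(c) >= first_points]
    cols = inside + outside
    return [[1 if pt in c else 0 for c in cols] for pt in points]

M1 = two_subset_cff(range(4), 4)          # M(lambda1): 4 rows x 6 columns
M2 = two_subset_cff(range(5), 4)          # M(lambda2): 5 rows x 10 columns, M1 top-left
M2.append([1] * 10)                       # extra row: Z-part is a row of ones (Type1)
M2.append(M1[0] + [0] * 4)                # extra row: Z-part repeats row 1 of M1 (Type2)
# Row 5 of M2 (point "4") is zero on M1's six columns: Type0. Rows are 1-based
# here because eps[0] is the full sum and eps[i] belongs to matrix row i.
Z_TYPES = {5: ("Type0", None), 6: ("Type1", None), 7: ("Type2", 1)}

def core(alpha5_by_col, matrix):
    """Core (eps[0], eps[1], ..., eps[r]) of alpha5 parts placed at the given
    columns: eps[0] is the full sum, eps[i] the sum over row i of the matrix."""
    eps = [sum(alpha5_by_col.values()) % P_MOD]
    for row in matrix:
        eps.append(sum(v for j, v in alpha5_by_col.items() if row[j]) % P_MOD)
    return eps

def expand_individual(alpha5, j, matrix):
    """Eq. (2): one signcryption in column j written as a core vector."""
    return [alpha5] + [alpha5 if row[j] else BOT for row in matrix]

def add(x, y):
    """Group addition where "bottom" contributes nothing."""
    if x is BOT:
        return y
    if y is BOT:
        return x
    return (x + y) % P_MOD

def merge_cores(eps1, eps2, z_types):
    """Eqs. (3)-(5): merge the core of N1 (r1 rows, on M(lambda1)) with the core
    of N2 (r2 >= r1 rows, on M(lambda2)). z_types gives, for each row index
    r1+1..r2, the type of that row of Z and, for Type2, the repeated row r."""
    r1, r2 = len(eps1) - 1, len(eps2) - 1
    merged = [add(eps1[0], eps2[0])]                 # Eq. (3)
    for i in range(1, r1 + 1):
        merged.append(add(eps1[i], eps2[i]))         # Eq. (4)
    for i in range(r1 + 1, r2 + 1):                  # Eq. (5)
        kind, r = z_types[i]
        if kind == "Type0":
            merged.append(eps2[i])
        elif kind == "Type1":
            merged.append(add(eps1[0], eps2[i]))
        else:
            merged.append(add(eps1[r], eps2[i]))
    return merged

def demo():
    """N1 occupies columns 0..2 (inside M1), N2 columns 3..9 of M2 (constructed).
    The merged core must equal the core of one aggregation over all ten columns."""
    n1 = {0: 11, 1: 22, 2: 33}
    n2 = {j: 100 * (j + 1) for j in range(3, 10)}
    merged = merge_cores(core(n1, M1), core(n2, M2), Z_TYPES)
    direct = core({**n1, **n2}, M2)
    return merged, direct

if __name__ == "__main__":
    merged, direct = demo()
    print("merged core :", merged)
    print("direct core :", direct)
    print("consistent  :", merged == direct)
```

The Type2 branch is the one that depends on nesting: because row 7 of ℳ(2) repeats row 1 of ℳ(1) on N1's columns, N1's contribution to ε[7] is exactly ε1[1], which the RSU already holds, so no individual α5 part of N1 has to be kept after the first aggregation.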
Unaggregate: After receiving the fault-tolerant aggregate signcryption φ, the secret key SKr of a receiver and the public keys of the n senders {SKsi}i=1n, let ε[j] be one of the values of ε, where 0≤j≤r and ε[j]=∑i=1ωα5i. The algorithm executes as follows:
For 1≤i≤ω:
k1i=e(α3i,SKr1), k2i=e(α4i,SKr2).
Mi||u2i=α1i⊕H3(k1i).
ti=H2(Mi,k1i⋅k2i).
When F(ID)=1, verify that α2i⊕(u2i⋅H2(Mi))=H4(k2i) and that $e\big(\sum_{i=1}^{\omega}\alpha_{3i},SK_{r1}\big)=e\big(\varepsilon[0],\sum_{i=1}^{\omega}PK_{s_i}\big)\,E^{-\sum_{i=1}^{\omega}t_i}$. If both hold, all the signcryptions are valid; create a new set called "The Valid Set", add all the signcryptions to it, and output {Mi}i=1n. Otherwise, at least one signcryption is invalid.
When F(ID)=0, verify that α2i⊕(u2i⋅H2(Mi))=H4(k2i). If it holds, output Mi; otherwise output ⊥.
Sign: After receiving a sender's signcryption σA=(α1A,α2A,α3A,α4A,α5A) and a receiver's signcryption σB=(α1B,α2B,α3B,α4B,α5B), the signer calculates the following:
Test: After receiving a sender's ciphertext σA=(α1A,α2A,α3A,α4A,α5A) with its signature σA′ and the corresponding tpdA, and a receiver's ciphertext σB=(α1B,α2B,α3B,α4B,α5B) with its signature σB′ and the corresponding tpdB, the algorithm executes as follows:
Verify that $k'_{1A}=e(\sigma'_A,PK_{s_i})E^{-t_A}$ and $k'_{1B}=e(\sigma'_B,PK_{s_i})E^{-t_B}$. If both hold, continue with the procedure below.
k2A=e(α4A,tpdA), k2B=e(α4B,tpdB).
ZA=α2A⊕H4(k2A), ZB=α2B⊕H4(k2B).
Check whether $k_{2A}^{Z_B}=k_{2B}^{Z_A}$. If it holds, then MA=MB.
The Identification of Invalid Signcryptions
Given the fault-tolerant aggregate signcryption φ=(α11,…,α1n,α21,…,α2n,α31,…,α3n,α41,…,α4n,ε[0],ε[1],…,ε[r]), the secret key SKr of a receiver and the public keys of the n senders {SKsi}i=1n, suppose the one-pass verification fails, i.e., $e\big(\sum_{i=1}^{\omega}\alpha_{3i},SK_{r1}\big)\neq e\big(\varepsilon[0],\sum_{i=1}^{\omega}PK_{s_i}\big)\,E^{-\sum_{i=1}^{\omega}t_i}$.
For each 1≤j≤r, verify whether $e\big(\sum_{i=1}^{\omega}\alpha_{3i},SK_{r1}\big)=e\big(\varepsilon[j],\sum_{i=1}^{\omega}PK_{s_i}\big)\,E^{-\sum_{i=1}^{\omega}t_i}$.
Let inve denote the number of these equations that do not hold, 1≤inve≤r.
Let invs denote the number of invalid signcryptions, 1≤invs≤n.
For each of the ω signcryptions in a failing ε[x], 1≤x≤inve, verify whether α2y⊕(u2y⋅H2(My))=H4(k2y) for 1≤y≤ω.
If it does not hold, that signcryption is invalid; create a new set called "The Invalid Set" and add the invalid signcryption to it, then output Miinvs. Otherwise, the signcryption is considered valid and appended to "The Valid Set".
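To make the fault-tolerant Aggregate step and this identification procedure concrete, the following Python is an added example (not code from the paper). It models the group G as the integers modulo a constructed prime, an α5 part as one integer, and "the pairing equation for a sub-validation holds" as "the sum of the α5 parts in that row equals the sum the verifier expects from the messages"; the per-signcryption check on α2 is likewise modelled as a direct comparison of one α5 part with its expected value. It builds a 1-CFF(4, 6) from the 2-subsets of four points, verifies Eq. (1) by brute force, aggregates six constructed signcryptions, and runs the three-step unaggregation: one pass over ε[0], then the sub-validations ε[j], then individual checks of the members of failing rows. One assumption of the example goes slightly beyond the text: a member already cleared by a passing row is not re-checked individually, which the cover-free property justifies while at most d signcryptions are invalid; the run with two invalid signcryptions on a 1-CFF shows how the cost degrades when that bound is exceeded.

```python
# Added example (not the paper's code): toy model of fault-tolerant aggregation
# and of the identification of invalid signcryptions. The group G is replaced by
# the integers modulo a constructed prime; messages and alpha5 parts are constructed.
import hashlib
from itertools import combinations

P_MOD = 1_000_003   # constructed toy modulus standing in for the group order p

def build_1cff(n):
    """Incidence matrix of a 1-CFF with n columns: column j is the j-th 2-subset
    of a small point set. Distinct 2-subsets never contain one another, so no
    column is covered by any other single column (Eq. (1) with d = 1)."""
    m = 2
    while m * (m - 1) // 2 < n:
        m += 1
    cols = list(combinations(range(m), 2))[:n]
    return [[1 if pt in cols[j] else 0 for j in range(n)] for pt in range(m)]

def is_d_cover_free(matrix, d):
    """Brute-force check of Eq. (1): no column lies in the union of d other columns."""
    n = len(matrix[0])
    col = [{i for i in range(len(matrix)) if matrix[i][j]} for j in range(n)]
    for j0 in range(n):
        others = [j for j in range(n) if j != j0]
        for combo in combinations(others, min(d, len(others))):
            if col[j0] <= set().union(*(col[k] for k in combo)):
                return False
    return True

def expected_alpha5(msg):
    """Toy stand-in for what a valid alpha5 part must contribute; derived from the
    message so that the verifier can recompute it from the public data it holds."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % P_MOD

def aggregate(alpha5s, matrix):
    """Core eps = (eps[0], eps[1], ..., eps[r]) of the fault-tolerant aggregate."""
    eps0 = sum(alpha5s) % P_MOD
    rows = [sum(a for a, bit in zip(alpha5s, row) if bit) % P_MOD for row in matrix]
    return [eps0] + rows

def unaggregate(eps, alpha5s, msgs, matrix):
    """Returns (valid set, invalid set, number of individual checks).
    Step 1: one pass over eps[0]. Step 2: check each sub-validation eps[j].
    Step 3: check the members of failing rows individually; members already
    cleared by a passing row are skipped (the cover-free property guarantees
    such a row exists for every valid signcryption while at most d are invalid)."""
    n = len(msgs)
    exp = [expected_alpha5(m) for m in msgs]
    if eps[0] == sum(exp) % P_MOD:                     # all valid: one verification pass
        return set(range(n)), set(), 0
    valid, invalid, failing, checks = set(), set(), [], 0
    for r, row in enumerate(matrix):
        members = [j for j in range(n) if row[j]]
        if eps[r + 1] == sum(exp[j] for j in members) % P_MOD:
            valid.update(members)                       # "The Valid Set"
        else:
            failing.append(members)
    for members in failing:
        for j in members:
            if j in valid or j in invalid:
                continue
            checks += 1                                 # individual verification of one member
            (valid if alpha5s[j] == exp[j] else invalid).add(j)   # "The Invalid Set"
    return valid, invalid, checks

def demo():
    """Six constructed signcryptions on a 1-CFF(4, 6); corrupt none, one, then two."""
    msgs = [f"speed report {i}".encode() for i in range(6)]
    matrix = build_1cff(len(msgs))
    results = {}
    for name, corrupt in (("all_valid", ()), ("one_invalid", (3,)), ("two_invalid", (0, 5))):
        alpha5s = [expected_alpha5(m) for m in msgs]
        for j in corrupt:
            alpha5s[j] = (alpha5s[j] + 1) % P_MOD      # a forged/invalid alpha5 part
        eps = aggregate(alpha5s, matrix)
        results[name] = unaggregate(eps, alpha5s, msgs, matrix)
    return results

if __name__ == "__main__":
    print("1-CFF:", is_d_cover_free(build_1cff(6), 1), " 2-CFF:", is_d_cover_free(build_1cff(6), 2))
    for name, (valid, invalid, checks) in demo().items():
        print(f"{name}: valid={sorted(valid)} invalid={sorted(invalid)} individual checks={checks}")
```

With all six valid the receiver performs the single ε[0] check and no individual work; with one invalid signcryption only the invalid one is checked individually and the other five are cleared by passing rows; with two invalid signcryptions every row of the 1-CFF fails and all six must be checked one by one, which is why the parameter d must be chosen for the number of faults actually expected.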
Security Analysis
Theorem 1: Suppose that BDHIA holds. Then our scheme HFTAS-ET is IND-CCA2 secure.
Proof. Suppose there is a challenger 𝒞 that can solve the BDHIP with advantage at least ε. The goal of 𝒞 is to compute $e(P,P)^{1/a}$, where a∈Zp∗, from a BDHIP instance (P,aP). Suppose 𝒜1 can successfully break the HFTAS-ET scheme. A game is played between the challenger 𝒞 and the adversary 𝒜1, as follows:
Setup: 𝒞 chooses θ∈{1,…,ρH1}, Lθ∈Zp∗ and λ1,…,λθ−1,λθ+1,…,λρ∈Zp∗ at random, where ρH1 is the number of ℋ1 queries. Compute Li=Lθ−λi for i=1,…,θ−1,θ+1,…,ρ. Using its input, 𝒞 computes the generator P∈G1 and the two parameters F=aP, G=a′P, where a,a′∈Zp∗, and thus knows the ρ−1 pairs (λi,Ui=(1/(a+λi))P) and (λi,Vi=(1/(a′+λi))P) for i∈{1,…,ρ}∖θ. Choose P1=−F−LθP=(−a−Lθ)P and P2=−G−LθP=(−a′−Lθ)P, so that s1 and s2 are implicitly set to s1=−a−Lθ∈Zp∗ and s2=−a′−Lθ∈Zp∗. Then (Li,−Ui)=(Li,(1/(Li+s1))P) and (Li,−Vi)=(Li,(1/(Li+s2))P) for i∈{1,…,ρ}∖θ.
𝒞 sends the system parameters, P1=−F−LθP=(−a−Lθ)P and P2=−G−LθP=(−a′−Lθ)P, as well as g=e(P,P), to 𝒜1. Afterward, 𝒞 returns {(PKsi#,SKsi#)}i=1n, the public/secret key pairs of the n senders generated by the PKI-Gen algorithm.
Phase I: 𝒞 simulates the initially empty oracles ℋ1, ℋ2, ℋ3 and ℋ4 by maintaining the lists LH1, LH2, LH3 and LH4. Assume that each ℋ1 query is distinct and that the identity ID# is submitted to ℋ1 at some point. Before any other query uses an ID, 𝒜1 queries ℋ1(ID) first. 𝒞 responds to 𝒜1 as follows:
ℋ1-Queries: π indexes these queries and is initially set to 1. After receiving a query IDπ, 𝒞 gives Lπ and π to 𝒜1 and appends (IDπ,Lπ) to LH1.
ℋ2-Queries: After receiving a query (Mi,ki), 𝒞 checks whether (Mi,ki) exists in LH2. If so, 𝒞 delivers h2i to 𝒜1. Otherwise, 𝒞 selects h2i at random in Zp∗ and sends it to 𝒜1. In addition, 𝒞 gets h3i=ℋ(k1i) and h4i=ℋ(k2i) by simulating the random oracle, where k1i⋅k2i=ki. Finally, 𝒞 computes $\delta_i=k_{1i}\cdot e(P,P)^{h_{2i}}$ and adds (Mi,ki,k1i,k2i,δi,h2i) to LH2.
ℋ3-Queries: After receiving a query k1i, 𝒞 checks whether k1i exists in LH3. If so, 𝒞 delivers h3i to 𝒜1. Otherwise, 𝒞 selects h3i at random in Zp∗, sends it to 𝒜1 and appends (k1i,h3i) to LH3.
ℋ4-Queries: After receiving a query k2i, 𝒞 checks whether k2i exists in LH4. If so, 𝒞 delivers h4i to 𝒜1. Otherwise, 𝒞 selects h4i at random in Zp∗, sends it to 𝒜1 and appends (k2i,h4i) to LH4.
Key Generation Queries: After receiving a query IDπ, 𝒞 searches the list LH1. If π=θ, 𝒞 aborts. Otherwise, 𝒞 knows ℋ1(IDπ)=Lπ and delivers SKr1=[1/(Lπ+s1)]P and SKr2=[1/(Lπ+s2)]P to 𝒜1.
Aggregate Queries: After receiving a query {σi=(α1i,α2i,α3i,α4i,α5i)}i=1n, 𝒞 follows the Aggregate step to obtain ε[0]=∑i=1nα5i and ε[j]=∑i=1ωα5i for 1≤j≤r, and returns φ=(α11,…,α1n,α21,…,α2n,α31,…,α3n,α41,…,α4n,ε[0],ε[1],…,ε[r]).
Unaggregate Queries: On receiving a query φ=(α11,…,α1n,α21,…,α2n,α31,…,α3n,α41,…,α4n,ε[0],ε[1],…,ε[r]) with the receiver's IDi, 𝒞 checks whether i equals θ. If not, 𝒞 returns {Mi}i=1n according to Unaggregate. Otherwise, Eq. (6) holds.
Then 𝒞 computes δ=e(ε[0],LiP+P1) and searches LH2. If it is not found, φ is rejected. Otherwise, 𝒞 checks Eq. (7).
$$e\Big(\sum_{i=1}^{n}\alpha_{3i},\ \sum_{i=1}^{n}SK^{\#}_{s_i}\Big)\,e\big(L_iP+P_1,\ \varepsilon[0]\big)=e\Big(L_iP+P_1,\ \sum_{i=1}^{n}h_{2i}\cdot SK^{\#}_{s_i}\Big) \qquad (7)$$
If it holds, return {Mi}i=1n; otherwise, for 1≤j≤r, 𝒞 verifies Eq. (8)
$$e\Big(\sum_{i=1}^{\omega}\alpha_{3i},\ \sum_{i=1}^{\omega}SK^{\#}_{s_i}\Big)\,e\big(L_iP+P_1,\ \varepsilon[j]\big)=e\Big(L_iP+P_1,\ \sum_{i=1}^{\omega}h_{2i}\cdot SK^{\#}_{s_i}\Big) \qquad (8)$$
and returns the valid set to 𝒜1.
Challenge: After receiving the receiver's ID# and M1,0#,M1,1#,{Mi}i=2n∈{0,1}∗, 𝒞 proceeds as follows:
If IDi≠ID#, 𝒞 aborts.
Otherwise, 𝒞 selects b in {0,1}∗ and μ in Zp∗ at random. The challenge ciphertext is φ#=(α11,…,α1n,α21,…,α2n,α31,…,α3n,α41,…,α4n, ε[0],ε[1],…,ε[r]), where α1i,α2i∈{0,1}∗, α3i=−μP and α4i∈G1 for 1≤i≤n, and ε[j]∈G1 for 1≤j≤r; 𝒞 gives σ# to 𝒜1. Let κ=μ/a and s1=−a−Lθ, so that for 1≤i≤n we have Eq. (9).
$$\alpha_{3i}=-\mu P=-\kappa aP=(L_\theta+s_1)\kappa P=\kappa L_\theta P+\kappa P_1 \qquad (9)$$
Phase II: 𝒜1 is permitted to make additional queries as in Phase I, with the restriction that neither the secret key of ID# nor the plaintext of φ# may be queried during this phase.
Guess: 𝒜1 outputs its guess b′∈{0,1}∗. 𝒞 randomly chooses a tuple (Mi,ki,k1i,k2i,δi,h2i) from LH2 or (k1i,h3i) from LH3 and obtains the polynomial $f(y)=\sum_{i=1}^{\rho-1}c_i y^i$ with $P=f(a)\hat{P}$. It then outputs $k_{1i}=e(P,P)^{\kappa}=e(\hat{P},\hat{P})^{f(a)^{2}\mu/a}$. If $\delta^{\#}=e(\hat{P},\hat{P})^{1/a}$, the BDHIP solution can be derived via Eq. (10).
$$e(P,P)^{1/a}=(\delta^{\#})^{c_0^{2}}\,e\Big(\sum_{t=0}^{\rho-2}c_{t+1}(a^{t}\hat{P}),\ c_0\hat{P}\Big)\,e\Big(P,\ \sum_{t=0}^{\rho-2}c_{t+1}(a^{t}\hat{P})\Big) \qquad (10)$$
Theorem 2: Suppose that BDHIA holds. Then our scheme HFTAS-ET is OW-CCA2 secure.
Proof. Suppose there is a challenger 𝒞 that can solve the BDHIP with advantage at least ε. The goal of 𝒞 is to compute $e(P,P)^{1/a}$, where a∈Zp∗, from a BDHIP instance (P,aP). Suppose 𝒜2 can successfully break the HFTAS-ET scheme. A game is played between the challenger 𝒞 and the adversary 𝒜2, as follows:
Setup: 𝒞 chooses θ∈{1,…,ρH1}, Lθ∈Zp∗ and λ1,…,λθ−1,λθ+1,…,λρ∈Zp∗ at random, where ρH1 is the number of ℋ1 queries. Compute Li=Lθ−λi for i=1,…,θ−1,θ+1,…,ρ. Using its input, 𝒞 computes the generator P∈G1 and the two parameters F=aP, G=a′P, where a,a′∈Zp∗, and thus knows the ρ−1 pairs (λi,Ui=(1/(a+λi))P) and (λi,Vi=(1/(a′+λi))P) for i∈{1,…,ρ}∖θ. Choose P1=−F−LθP=(−a−Lθ)P and P2=−G−LθP=(−a′−Lθ)P, so that s1 and s2 are implicitly set to s1=−a−Lθ∈Zp∗ and s2=−a′−Lθ∈Zp∗. Then (Li,−Ui)=(Li,(1/(Li+s1))P) and (Li,−Vi)=(Li,(1/(Li+s2))P) for i∈{1,…,ρ}∖θ.
𝒞 sends the system parameters, P1=−F−LθP=(−a−Lθ)P and P2=−G−LθP=(−a′−Lθ)P, as well as g=e(P,P), to 𝒜2. Afterward, 𝒞 returns {(PKsi#,SKsi#)}i=1n, the public/secret key pairs of the n senders generated by the PKI-Gen algorithm.
Phase I: 𝒞 simulates the initially empty oracles ℋ1, ℋ2, ℋ3 and ℋ4 by maintaining the lists LH1, LH2, LH3 and LH4. Assume that each ℋ1 query is distinct and that the identity ID# is submitted to ℋ1 at some point. Before any other query uses an ID, 𝒜2 queries ℋ1(ID) first. 𝒞 responds to 𝒜2 as follows:
ℋ1-Queries:π indexes these queries, and it is originally set to 1. After receiving a query with IDπ, 𝒞 gives Lπ and π to 𝒜2.
Meanwhile, (IDπ,Lπ)
is appended to LH1.
ℋ2
-Queries: After receiving a query with (Mi,ki),
𝒞
judges whether (Mi,ki) exists in
LH2.
If so, 𝒞 delivers h2i to 𝒜2.
Otherwise, 𝒞 selects h2i at random in Zp∗ and sends it to 𝒜2. In addition, 𝒞 get h3i=ℋ(k1i) and h4i=ℋ(k2i) by simulating the random oracle, where k1i⋅k2i=ki. Finally, 𝒞 calculates δi=k1i⋅e(P,P)h2i and adds (Mi,ki,k1i,k2i,δi,h2i) into LH2.
ℋ3-Queries: After receiving a query with k1i, 𝒞 judges whether k1i exists in LH3. If so, 𝒞 delivers h3i to 𝒜2. Otherwise, 𝒞 selects h3i at random in Zp∗ and sends it to 𝒜2. Meanwhile, (k1i,h3i) is appended to LH3.
ℋ4-Queries: After receiving a query with k2i, 𝒞 judges whether k2i exists in LH4. If so, 𝒞 delivers h4i to 𝒜2. Otherwise, 𝒞 selects h4i at random in Zp∗ and sends it to 𝒜2. Meanwhile, (k2i,h4i) is appended to LH4.
Key Generation Queries: on a query $ID_\pi$, $\mathcal{C}$ looks up $L_{H_1}$. If $\pi=\theta$, $\mathcal{C}$ aborts. Otherwise it knows $\mathcal{H}_1(ID_\pi)=L_\pi$ and returns $SK_{r1}=\frac{1}{L_\pi+s_1}P$ and $SK_{r2}=\frac{1}{L_\pi+s_2}P$ to $\mathcal{A}_2$.
Trapdoor Queries: on a query for $ID_\pi$, $\mathcal{C}$ checks whether $\pi=\theta$. If so, it aborts. Otherwise it returns $SK_{r2}=\frac{1}{L_\pi+s_2}P$ to $\mathcal{A}_2$.
Aggregate Queries: on a query $\{\sigma_i=(\alpha_{1i},\alpha_{2i},\alpha_{3i},\alpha_{4i},\alpha_{5i})\}_{i=1}^n$, $\mathcal{C}$ follows the Aggregate step, computing $\varepsilon[0]=\sum_{i=1}^{n}\alpha_{5i}$ and the partial sums $\varepsilon[j]=\sum_{i=1}^{\omega}\alpha_{5i}$ for $1\le j\le r$, and returns $\varphi=(\alpha_{11},\dots,\alpha_{1n},\alpha_{21},\dots,\alpha_{2n},\alpha_{31},\dots,\alpha_{3n},\alpha_{41},\dots,\alpha_{4n},\varepsilon[0],\varepsilon[1],\dots,\varepsilon[r])$.
Unaggregate Queries: on a query consisting of $\varphi=(\alpha_{11},\dots,\alpha_{1n},\alpha_{21},\dots,\alpha_{2n},\alpha_{31},\dots,\alpha_{3n},\alpha_{41},\dots,\alpha_{4n},\varepsilon[0],\varepsilon[1],\dots,\varepsilon[r])$ and a receiver identity $ID_i$, $\mathcal{C}$ checks whether $i=\theta$. If not, it runs Unaggregate and returns $\{M_i\}_{i=1}^n$. Otherwise Eq. (11) holds,

$$\log_{\sum_{i=1}^{n}SK_{s_i}^{\#}}\Bigl(\varepsilon[0]-\sum_{i=1}^{n}h_{2i}\,SK_{s_i}^{\#}\Bigr)=\log_{(L_iP+P_1)}\sum_{i=1}^{n}\alpha_{3i}\qquad(11)$$

where $h_{2i}=\mathcal{H}_2(M_i,k_{1i}\cdot k_{2i})$. $\mathcal{C}$ then computes $\delta=e(\varepsilon[0],L_iP+P_1)$ and searches $L_{H_2}$ for it; if no entry matches, $\varphi$ is rejected. Otherwise $\mathcal{C}$ checks Eq. (12):

$$e\Bigl(\sum_{i=1}^{n}\alpha_{3i},\;\sum_{i=1}^{n}SK_{s_i}^{\#}\Bigr)\cdot e\bigl(L_iP+P_1,\;\varepsilon[0]\bigr)=e\Bigl(L_iP+P_1,\;\sum_{i=1}^{n}h_{2i}\,SK_{s_i}^{\#}\Bigr)\qquad(12)$$

If it holds, $\mathcal{C}$ returns $\{M_i\}_{i=1}^n$. Otherwise, for $1\le j\le r$, it verifies Eq. (13) on each block of $\omega$ signcryptions,

$$e\Bigl(\sum_{i=1}^{\omega}\alpha_{3i},\;\sum_{i=1}^{\omega}SK_{s_i}^{\#}\Bigr)\cdot e\bigl(L_iP+P_1,\;\varepsilon[j]\bigr)=e\Bigl(L_iP+P_1,\;\sum_{i=1}^{\omega}h_{2i}\,SK_{s_i}^{\#}\Bigr)\qquad(13)$$

and returns the set of messages whose blocks verify to $\mathcal{A}_2$.
Challenge: $\mathcal{A}_2$ submits a receiver identity $ID^{\#}$ and messages $M_1^{\#},\{M_i\}_{i=2}^n\in\{0,1\}^*$. $\mathcal{C}$ proceeds as follows:
If $ID^{\#}\ne ID_\theta$, $\mathcal{C}$ aborts.
Otherwise $\mathcal{C}$ picks $b\in\{0,1\}^*$ and $\mu\in\mathbb{Z}_p^*$ at random and forms the challenge ciphertext $\varphi^{\#}=(\alpha_{11},\dots,\alpha_{1n},\alpha_{21},\dots,\alpha_{2n},\alpha_{31},\dots,\alpha_{3n},\alpha_{41},\dots,\alpha_{4n},\varepsilon[0],\varepsilon[1],\dots,\varepsilon[r])$ with $\alpha_{1i},\alpha_{2i}\in\{0,1\}^*$, $\alpha_{3i}=-\mu P$ and $\alpha_{4i}\in G_1$ for $1\le i\le n$, and $\varepsilon[j]\in G_1$ for $1\le j\le r$; it gives $\varphi^{\#}$ to $\mathcal{A}_2$. Writing $\kappa=\mu/a$ and recalling $s_1=-a-L_\theta$, we have for $1\le i\le n$ Eq. (14):

$$\alpha_{3i}=-\mu P=-\kappa aP=(L_\theta+s_1)\kappa P=\kappa L_\theta P+\kappa P_1\qquad(14)$$
Phase II: $\mathcal{A}_2$ may issue further queries as in Phase I, with the restriction that it must not ask for the secret key of $ID^{\#}$ or for the plaintext of $\varphi^{\#}$.
Guess: $\mathcal{A}_2$ outputs its guess $M_1'$ for $M_1^{\#}$. $\mathcal{C}$ picks at random a tuple $(M_i,k_i,k_{1i},k_{2i},\delta_i,h_{2i})$ from $L_{H_2}$ or $(k_{1i},h_{3i})$ from $L_{H_3}$ and uses the polynomial $f(y)=\sum_{i=0}^{\rho-1}c_iy^i$ for which $P=f(a)\hat{P}$. It then holds $k_{1i}=e(P,P)^{\kappa}=e(\hat{P},\hat{P})^{f(a)^2\mu/a}$. If $\delta^{\#}=e(\hat{P},\hat{P})^{1/a}$, the BDHIP solution follows from Eq. (15):

$$e(P,P)^{1/a}=(\delta^{\#})^{c_0^2}\cdot e\Bigl(\sum_{t=0}^{\rho-2}c_{t+1}\,(a^t\hat{P}),\;c_0\hat{P}\Bigr)\cdot e\Bigl(P,\;\sum_{t=0}^{\rho-2}c_{t+1}\,(a^t\hat{P})\Bigr)\qquad(15)$$
Theorem 3: Suppose that CDHIA holds. Then our scheme HFTAS-ET is secure against EUF-CMA adversaries.
Proof. Suppose an adversary $\mathcal{A}_3$ forges a valid signcryption of HFTAS-ET with advantage at least $\varepsilon$. We build a challenger $\mathcal{C}$ that uses $\mathcal{A}_3$ to solve the CDHIP: given an instance $(P,aP)$ with $a\in\mathbb{Z}_p^*$ unknown, $\mathcal{C}$ must compute $\frac{1}{a}P$. The game between $\mathcal{C}$ and $\mathcal{A}_3$ proceeds as follows:
Setup: $\mathcal{C}$ runs Setup to obtain the system parameters and $MSK$ and sends the corresponding results to $\mathcal{A}_3$. It also sets the target sender's public key to $PK_s^{\#}=aP$ and sends it to $\mathcal{A}_3$. $\mathcal{C}$ simulates the initially empty random oracles $\mathcal{H}_1$, $\mathcal{H}_2$, $\mathcal{H}_3$ and $\mathcal{H}_4$ by maintaining the lists $L_{H_1}$, $L_{H_2}$, $L_{H_3}$ and $L_{H_4}$.
Queries: $\mathcal{C}$ answers $\mathcal{A}_3$ as follows:
$\mathcal{H}_1$-Queries: on a query $ID_i$, $\mathcal{C}$ checks whether $ID_i$ is already in $L_{H_1}$. If so, it returns the stored $h_{1i}$; otherwise it picks $h_{1i}\in\mathbb{Z}_p^*$ at random, returns it, and appends $(ID_i,h_{1i})$ to $L_{H_1}$.
$\mathcal{H}_2$-Queries: on a query $(M_i,k_i)$, $\mathcal{C}$ checks whether $(M_i,k_i)$ is already in $L_{H_2}$. If so, it returns the stored $h_{2i}$; otherwise it picks $h_{2i}\in\mathbb{Z}_p^*$ at random, returns it, and appends $((M_i,k_i),h_{2i})$ to $L_{H_2}$.
$\mathcal{H}_3$-Queries: on a query $k_{1i}$, $\mathcal{C}$ checks whether $k_{1i}$ is already in $L_{H_3}$. If so, it returns the stored $h_{3i}$; otherwise it picks $h_{3i}\in\mathbb{Z}_p^*$ at random, returns it, and appends $(k_{1i},h_{3i})$ to $L_{H_3}$.
$\mathcal{H}_4$-Queries: on a query $k_{2i}$, $\mathcal{C}$ checks whether $k_{2i}$ is already in $L_{H_4}$. If so, it returns the stored $h_{4i}$; otherwise it picks $h_{4i}\in\mathbb{Z}_p^*$ at random, returns it, and appends $(k_{2i},h_{4i})$ to $L_{H_4}$.
Key Generation Queries: on a query $ID_\pi$, $\mathcal{C}$ looks up $L_{H_1}$. If $\pi=\theta$, $\mathcal{C}$ aborts. Otherwise it knows $\mathcal{H}_1(ID_\pi)=L_\pi$ and returns $SK_{r1}=\frac{1}{L_\pi+s_1}P$ and $SK_{r2}=\frac{1}{L_\pi+s_2}P$ to $\mathcal{A}_3$.
Signcryption Queries: on a query consisting of a receiver identity $ID_i$ and a message $M$, $\mathcal{C}$ proceeds as follows:
It patches the hash value $\mathcal{H}_2(k_{1i}\cdot k_{2i})$ to $\delta$; $\mathcal{C}$ fails if $\mathcal{H}_2$ is already defined at that point.
It computes $\alpha_1=(M\|u_2)\oplus\mathcal{H}_3(k_{1i})$.
It returns $\sigma=(\alpha_1,\alpha_2,\alpha_3,\alpha_4,\alpha_5)$ to $\mathcal{A}_3$.
Forgery: by the forking lemma, $\mathcal{A}_3$ can be rewound into a second run $\mathcal{A}_3'$, and the two runs output two signatures $(M,\delta,\alpha_{5i})$ and $(M,\delta',\alpha_{5i}')$ on the same message with $\delta\ne\delta'$ and the same $k_{1i}$. From these $\mathcal{C}$ computes the CDHIP solution $\frac{1}{a}P=(\delta_i-\delta_i')^{-1}(\alpha_{5i}-\alpha_{5i}')$.
Performance Evaluation
In this section we compare our scheme with several existing schemes in terms of functionality, communication overhead and computation cost.
Features
Table 1 lists the functionalities of our scheme next to those of the previous similar schemes. Only scheme [40] and ours support a heterogeneous signcryption network and provide an equality test. Among the schemes that support aggregation [14–16,28], only ours supports both fault-tolerant aggregation and aggregate signcryption. Compared with scheme [28], which supports fault-tolerant aggregate signature, ours is an unbounded fault-tolerant aggregate signcryption scheme, which improves efficiency. In addition, our scheme needs only one verification pass when all signcryptions are valid, which improves efficiency further.
Table 1: Comparison of functionality

| Scheme         | PFCBAS [14] | CL-DVAAS [15] | eCLAS [16] | SECLS [27] | CLFTAS [28] | HSC-ET [40] | Ours |
|----------------|-------------|---------------|------------|------------|-------------|-------------|------|
| Heterogeneous  | ×           | ×             | ×          | ×          | ×           | √           | √    |
| Equality test  | ×           | ×             | ×          | ×          | ×           | √           | √    |
| Signcrypt      | ×           | ×             | ×          | ×          | ×           | √           | √    |
| Aggregation    | √           | √             | √          | ×          | √           | ×           | √    |
| Fault-tolerant | ×           | ×             | ×          | √          | √           | ×           | √    |
| Unbounded      | ×           | ×             | ×          | ×          | ×           | ×           | √    |
| OVS            | ×           | ×             | ×          | ×          | ×           | ×           | √    |

Note: OVS: one verification pass.
Communication Overhead and Computation Cost
To evaluate and analyze the efficiency of our scheme and the existing schemes, we run the experiments with the JPBC library on a machine with Windows 10 and an Intel Core i7-11700 CPU at 2.50 GHz.
The compared schemes include both pairing-based and ECC-based constructions, so the two settings must be chosen at the same security level. We therefore select two groups. The first is a bilinear pairing $e:G\times G\to G_T$, where $G$ has order $q$ on a supersingular curve $E:y^2=x^3+ax+b \bmod p$ with $p$ a 512-bit prime. The second is an additive group $G'$ of order $q'$ on the supersingular elliptic curve $E/\mathbb{F}_{p'}:y^2=x^3+x \bmod p'$, where $p'$ and $q'$ are 160-bit primes.
The notation used in this section is listed in Table 2.
Table 2: The list of notations and descriptions

| Symbol       | Meaning                                                        |
|--------------|----------------------------------------------------------------|
| $\|G\|$      | The size of an element of group $G$                            |
| $\|Z_p\|$    | The size of an element of $Z_p$                                |
| $T_{sm-ecc}$ | Scalar multiplication on an elliptic curve (ECC setting)       |
| $T_{pa-ecc}$ | Point addition on an elliptic curve (ECC setting)              |
| $T_p$        | Bilinear pairing                                               |
| $T_{sm}$     | Scalar multiplication in the pairing setting                   |
| $T_{pa}$     | Point addition in the pairing setting                          |
| $T_h$        | Hash function evaluation                                       |
| $T_e$        | Exponentiation in $G$                                          |
| $T_{mi}$     | Modular inverse in $Z_p$                                       |
| $T_{mm}$     | Modular multiplication in $Z_p$                                |
We first compare our scheme with the previous similar schemes in terms of communication overhead. As Table 3 shows, key and single-signature sizes do not differ much across the schemes. The aggregate signcryption of our scheme, however, is significantly shorter than the aggregates of schemes [14–16] and almost the same as that of scheme [28]; since our aggregation is unbounded, that small gap is acceptable. Overall, our scheme performs better in terms of communication overhead.
Table 3: Communication overhead comparison

| Scheme        | Secret key length | Public key length | Single signature  | Aggregate signature       |
|---------------|-------------------|-------------------|-------------------|---------------------------|
| PFCBAS [14]   | $\|Z_p\|$         | $\|G\|$           | $2\|G\|+4\|Z_p\|$ | $2n\|G\|+4\|Z_p\|$        |
| CL-DVAAS [15] | $\|G\|$           | $2\|G\|$          | $\|G\|+2\|Z_p\|$  | $(n+1)\|G\|+n\|Z_p\|$     |
| eCLAS [16]    | $\|Z_p\|$         | $\|G\|$           | $\|G\|+2\|Z_p\|$  | $n\|G\|+2\|Z_p\|$         |
| SECLS [27]    | $2\|Z_p\|$        | $2\|G\|$          | $\|G\|+\|Z_p\|$   | –                         |
| CLFTAS [28]   | $\|Z_p\|$         | $\|G\|$           | $\|G\|+4\|Z_p\|$  | $\log_2 n(\|G\|+4\|Z_p\|)$ |
| HSC-ET [40]   | $\|G\|$           | $\|G\|$           | $2\|G\|$          | –                         |
| Ours          | $\|G\|$           | $\|G\|$           | $2\|G\|$          | $2\log_2 n\|G\|$          |
Table 4 gives a detailed comparison of the computation cost of each phase; the corresponding experiments are reported below.
Table 4: Computation cost comparison

| Scheme        | Message signature                          | Signature aggregation | Aggregate verification                              |
|---------------|--------------------------------------------|-----------------------|-----------------------------------------------------|
| PFCBAS [14]   | $T_{sm-ecc}$                               | $(n-1)T_{pa-ecc}$     | $(2n+2)T_{sm-ecc}$                                  |
| CL-DVAAS [15] | $3T_{sm-ecc}+2T_{pa-ecc}+2T_h$             | $(n+3)T_{sm-ecc}$     | $(3n+1)T_{sm-ecc}$                                  |
| eCLAS [16]    | $T_{sm-ecc}+T_h$                           | $nT_{pa-ecc}$         | $(n+1)T_{sm-ecc}+(2n-1)T_{pa-ecc}+nT_h$             |
| SECLS [27]    | $T_{sm-ecc}+T_{mi}+2T_{mm}+T_{pa-ecc}$     | –                     | $(3n+1)T_{sm-ecc}+nT_{mm}+2nT_h+2nT_{pa-ecc}$       |
| CLFTAS [28]   | $2T_{sm-ecc}+2T_h+2T_{pa-ecc}$             | $2nT_{pa-ecc}$        | $\log_2 n\,(4T_{sm-ecc}+5nT_{pa-ecc})$              |
| HSC-ET [40]   | $2T_e+2T_h$                                | –                     | –                                                   |
| Ours          | $2T_e+2T_h$                                | $nT_{pa}$             | $(2n+2)T_p+3nT_h+T_e$                               |
Fig. 2 shows the encryption/signcryption time of the existing schemes [14–16,27,28,40] and of our scheme. Our signcryption time is slightly higher than that of schemes [14,16] but clearly lower than that of [15,27,28]. Since schemes [14,16] do not have to account for fault tolerance at the signing stage, our scheme offers the better signcryption efficiency overall.
Comparison of encryption (signcryption) cost
Fig. 3 shows the time taken to aggregate signatures/signcryptions in the existing schemes [14–16,28] and in ours. At this stage our time is similar to that of [14–16]. Moreover, only scheme [28] and ours are fault-tolerant aggregate schemes, and our aggregation time is far lower than that of scheme [28].
Comparison of signatures (signcryptions) aggregation cost
Fig. 4 shows the average time taken to verify an aggregate signature/signcryption in the existing schemes [14–16,28] and in ours. Our verification time grows as $\log n$ in the number of signatures. Although our scheme takes slightly longer when there are few signatures, it becomes faster than the other schemes as the number of signatures increases.
Comparison of aggregate signature (signcryption) verification cost
Finally, we measure the cost of identifying invalid signatures/signcryptions, as shown in Fig. 5. We assume that one of n = 100 signatures/signcryptions is invalid, and for scheme [16] we locate it by binary search. Our scheme both identifies the invalid signcryptions and tolerates them, whereas scheme [16] can only detect that an invalid signature exists and cannot tolerate it. Our scheme therefore gives up a little verification efficiency: in the best case scheme [16] is faster than ours, but in the worst case our scheme takes less time than scheme [16].
Comparison of identifying invalid signatures (signcryptions)
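The Unaggregate procedure (one verification pass when every signcryption is valid, then a descent over the partial sums $\varepsilon[1],\dots,\varepsilon[r]$ to isolate the faulty one) and the best/worst-case behaviour compared in Fig. 5 can be exercised in code. The following is an added example written for this page, not the paper's implementation: it replaces the pairing-based signcryption with a deliberately insecure additively homomorphic toy signature (the secret key is recoverable from any signature), so only the aggregation and identification structure is demonstrated, and it assumes one particular arrangement of the $r=\lceil\log_2 n\rceil$ partial sums (each $\varepsilon[j]$ covers the signers whose index has bit $j-1$ clear), which the page does not spell out. The group parameters, key seeds and messages are constructed sample values.

```python
import hashlib

# Toy group parameters (assumption; the paper's curves are not used here).
P = (1 << 61) - 1   # Mersenne prime, multiplicative group Z_P^*
Q = P - 1           # exponents live mod Q because G**Q == 1 (mod P)
G = 3


def H(msg: bytes) -> int:
    """Hash a message to an exponent; stands in for H2 on the page."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen(seed: int):
    sk = seed % Q or 1
    return sk, pow(G, sk, P)


def sign(sk: int, msg: bytes) -> int:
    """sigma = sk*H(msg). Additively homomorphic but INSECURE (leaks sk); toy only."""
    return (sk * H(msg)) % Q


def verify_subset(pks, msgs, idx, agg) -> bool:
    """G**agg == prod_{i in idx} pk_i**H(m_i): one equation checks a whole subset."""
    rhs = 1
    for i in idx:
        rhs = rhs * pow(pks[i], H(msgs[i]), P) % P
    return pow(G, agg, P) == rhs


def aggregate(sigs):
    """Return [eps0, eps1, ..., eps_r]: the full sum plus one partial sum per index bit."""
    n = len(sigs)
    r = (n - 1).bit_length()   # ceil(log2 n); 0 when n == 1
    eps = [sum(sigs) % Q]
    for j in range(1, r + 1):
        # eps[j] covers the signers whose index has bit (j-1) clear ("left half").
        eps.append(sum(s for i, s in enumerate(sigs) if not (i >> (j - 1)) & 1) % Q)
    return eps


def unaggregate(pks, msgs, eps):
    """Return (valid_indices, invalid_indices) using at most 1 + 2r subset checks."""
    n = len(msgs)
    everything = list(range(n))
    if verify_subset(pks, msgs, everything, eps[0]):
        return everything, []                    # single verification pass
    r = len(eps) - 1
    bad, certified = 0, set()
    for j in range(1, r + 1):
        left = [i for i in everything if not (i >> (j - 1)) & 1]
        right = [i for i in everything if (i >> (j - 1)) & 1]
        left_ok = verify_subset(pks, msgs, left, eps[j])
        right_ok = verify_subset(pks, msgs, right, (eps[0] - eps[j]) % Q)
        if left_ok == right_ok:                  # both halves fail: more than one fault
            raise ValueError("more than one invalid signature; cannot isolate")
        if left_ok:
            bad |= 1 << (j - 1)                  # the fault sits in the right half
            certified.update(left)
        else:
            certified.update(right)
    # Every index other than `bad` differs from it in some bit, so it lies in a
    # half that verified; anything else means the partial sums are inconsistent.
    if certified != set(everything) - {bad}:
        raise ValueError("inconsistent partial sums; more than one invalid signature")
    return sorted(certified), [bad]


def make_example(n: int, corrupt=()):
    """Constructed sample input: n signers, optional indices whose signature is tampered."""
    keys = [keygen(1000 + i) for i in range(n)]
    pks = [pk for _, pk in keys]
    msgs = [f"vehicle-{i}:speed={40 + i}".encode() for i in range(n)]
    sigs = [sign(sk, m) for (sk, _), m in zip(keys, msgs)]
    for i in corrupt:
        sigs[i] = (sigs[i] + 1) % Q              # tamper with the signature, not the message
    return pks, msgs, aggregate(sigs)


def run_demo():
    """Exercise the fast path, single-fault isolation and the two-fault failure mode."""
    out = {
        "all_valid": unaggregate(*make_example(5)),
        "one_invalid": unaggregate(*make_example(5, corrupt=(3,))),
        "last_of_8": unaggregate(*make_example(8, corrupt=(7,))),
    }
    try:
        unaggregate(*make_example(6, corrupt=(1, 4)))
        out["two_invalid_isolated"] = True
    except ValueError:
        out["two_invalid_isolated"] = False
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

With all signatures valid the receiver performs a single check on $\varepsilon[0]$; with one invalid signature it performs $2r$ further subset checks, recovers the faulty index bit by bit, and still accepts the other $n-1$ messages, which is the best-case/worst-case spread measured in Fig. 5. The toy deliberately refuses when two signatures are invalid, since $\log_2 n$ partial sums carry only enough information to locate one fault.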
The analysis above shows that our scheme performs well in message signature/signcryption, aggregation, aggregate verification and invalid signature/signcryption identification.
Conclusion
In this paper we present a heterogeneous fault-tolerant aggregate signcryption scheme with equality test and apply it to the VSN. The scheme adds unbounded fault tolerance on top of aggregate signcryption, which strengthens data confidentiality and improves the efficiency of signcryption verification. At the same time, the equality test provides access control over the data while preserving its confidentiality. We also define a security model for the scheme and prove its security. Finally, the experiments and performance evaluation show that the scheme performs better than the compared schemes.
Funding Statement
This work was supported in part by the Open Fund of Advanced Cryptography and System Security Key Laboratory of Sichuan Province under Grant SKLACSS-202102, in part by the Intelligent Terminal Key Laboratory of Sichuan Province under Grant SCITLAB-1019.
Conflicts of Interest
The authors declare that they have no conflicts of interest to report regarding the present study.
References
[1] Asghari, P., Rahmani, A. M., Javadi, H. H. S. (2019). Internet of Things applications: A systematic review.
[2] Esposito, C., Castiglione, A., Martini, B., Choo, K. K. R. (2016). Cloud manufacturing: Security, privacy, and forensic concerns.
[3] Diffie, W., Hellman, M. E. (1976). New directions in cryptography.
[4] Thompson, M. R., Essiari, A., Mudumbai, S. (2003). Certificate-based authorization policy in a PKI environment.
[5] Shamir, A. (1984). Identity-based cryptosystems and signature schemes. Workshop on the Theory and Application of Cryptographic Techniques, pp. 47–53. Springer, Berlin, Heidelberg.
[6] Hess, F. (2002). Efficient identity based signature schemes based on pairings. International Workshop on Selected Areas in Cryptography, pp. 310–324. St. John's, Canada.
[7] Paterson, K. G., Schuldt, J. C. N. (2006). Efficient identity-based signatures secure in the standard model.
[8] Al-Riyami, S. S., Paterson, K. G. (2003). Certificateless public key cryptography. International Conference on the Theory and Application of Cryptology and Information Security, pp. 452–473. Taipei, Taiwan.
[9] Huang, X., Susilo, W., Mu, Y., Zhang, F. (2005). On the security of certificateless signature schemes from Asiacrypt 2003. International Conference on Cryptology and Network Security, pp. 13–25. Berlin, Germany.
[10] Harn, L., Ren, J., Lin, C. (2009). Design of DL-based certificateless digital signatures.
[11] Boneh, D., Gentry, C., Lynn, B., Shacham, H. (2003). Aggregate and verifiably encrypted signatures from bilinear maps. International Conference on the Theory and Applications of Cryptographic Techniques, pp. 416–432. Warsaw, Poland.
[12] Cheon, J. H., Kim, Y., Yoon, H. J. (2004). A new ID-based signature with batch verification. Cryptology ePrint Archive.
[13] Gong, Z., Long, Y., Hong, X., Chen, K. (2007). Two certificateless aggregate signatures from bilinear maps. Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007), vol. 3, pp. 188–193. Qingdao, China.
[14] Verma, G. K., Singh, B., Kumar, N., Kaiwartya, O., Obaidat, M. S. (2019). PFCBAS: Pairing free and provable certificate-based aggregate signature scheme for the e-healthcare monitoring system.
[15] Deng, L., Yang, Y., Gao, R. (2021). Certificateless designated verifier anonymous aggregate signature scheme for healthcare wireless sensor networks.
[16] Han, Y., Song, W., Zhou, Z., Wang, H., Yuan, B. (2022). eCLAS: An efficient pairing-free certificateless aggregate signature for secure VANET communication.
[17] Selvi, S., Vivek, S. S., Shriram, J., Kalaivani, S., Rangan, C. P. (2009). Identity based aggregate signcryption schemes. International Conference on Cryptology in India, pp. 378–397. New Delhi, India.
[18] Wang, H., Liu, Z., Liu, Z., Wong, D. S. (2016). Identity-based aggregate signcryption in the standard model from multilinear maps.
[19] Yiliang, H., Fei, C. (2015). The multilinear maps based certificateless aggregate signcryption scheme. 2015 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, pp. 92–99. Shanghai, China.
[20] Eslami, Z., Pakniat, N. (2014). Certificateless aggregate signcryption: Security model and a concrete construction secure in the random oracle model.
[21] Chen, J., Ren, X. (2016). A privacy protection scheme based on certificateless aggregate signcryption and masking random number in smart grid. International Conference on Mechanical Materials and Manufacturing Engineering, pp. 10–13. Wuhan, China.
[22] Lu, H., Xie, Q. (2011). An efficient certificateless aggregate signcryption scheme from pairings. 2011 International Conference on Electronics, Communications and Control (ICECC), pp. 132–135. Ningbo, China.
[23] Ren, X. Y., Qi, Z. H., Geng, Y. (2012). Provably secure aggregate signcryption scheme.
[24] Kim, T. H., Kumar, G., Saha, R., Alazab, M., Buchanan, W. J. et al. (2020). CASCF: Certificateless aggregated signcryption framework for internet-of-things infrastructure.
[25] Hartung, G., Kaidel, B., Koch, A., Koch, J., Rupp, A. et al. (2016). Fault-tolerant aggregate signatures.
[26] Wang, G., Cao, Z., Dong, X., Liu, J. (2019). Improved fault-tolerant aggregate signatures.
[27] Xiong, H., Wu, Y., Su, C., Yeh, K.-H. (2020). A secure and efficient certificateless batch verification scheme with invalid signature identification for the internet of things.
[28] Zhao, Y., Dan, G., Ruan, A., Huang, J., Xiong, H. (2021). A certificateless and privacy-preserving authentication with fault-tolerance for vehicular sensor networks. 2021 IEEE Conference on Dependable and Secure Computing (DSC), pp. 1–7. Aizuwakamatsu, Japan.
[29] Xiong, H., Jin, C., Alazab, M., Yeh, K. H., Wang, H. et al. (2022). On the design of blockchain-based ECDSA with fault-tolerant batch verification protocol for blockchain-enabled IoMT.
[30] Boneh, D., Crescenzo, G. D., Ostrovsky, R., Persiano, G. (2004). Public key encryption with keyword search. International Conference on the Theory and Applications of Cryptographic Techniques, pp. 506–522. Interlaken, Switzerland.
[31] Xiong, H., Yang, M., Yao, T., Chen, J., Kumari, S. (2021). Efficient unbounded fully attribute hiding inner product encryption in cloud-aided WBANs.
[32] Huang, X., Xiong, H., Chen, J., Yang, M. (2021). Efficient revocable storage attribute-based encryption with arithmetic span programs in cloud-assisted Internet of Things.
[33] Chen, C. M., Tie, Z., Wang, E. K., Khan, M. K., Kumar, S. et al. (2021). Verifiable dynamic ranked search with forward privacy over encrypted cloud data.
[34] Xiong, H., Chen, J., Mei, Q., Zhao, Y. (2022). Conditional privacy-preserving authentication protocol with dynamic membership updating for VANETs.
[35] Mei, Q., Xiong, H., Chen, Y. C., Chen, C. M. (2022). Blockchain-enabled privacy-preserving authentication mechanism for transportation CPS with cloud-edge computing.
[36] Yang, G., Tan, C. H., Huang, Q., Wong, D. S. (2010). Probabilistic public key encryption with equality test. Cryptographers' Track at the RSA Conference, pp. 119–131. San Francisco, CA.
[37] Lee, H. T., Ling, S., Seo, J. H., Wang, H. (2016). Semi-generic construction of public key encryption and identity-based encryption with equality test.
[38] Wu, T., Ma, S., Mu, Y., Zeng, S. (2017). ID-based encryption with equality test against insider attack. Australasian Conference on Information Security and Privacy, pp. 168–183. Auckland, New Zealand.
[39] Qu, H., Yan, Z., Lin, X. J., Zhang, Q., Sun, L. (2018). Certificateless public key encryption with equality test.
[40] Xiong, H., Zhao, Y., Hou, Y., Huang, X., Jin, C. et al. (2020). Heterogeneous signcryption with equality test for IIoT environment.
[41] Xiong, H., Hou, Y., Huang, X., Zhao, Y., Chen, C. M. (2022). Heterogeneous signcryption scheme from IBC to PKI with equality test for WBANs.
[42] Xiong, H., Zhou, Z. D., Wang, L. L., Zhao, Z. T., Huang, X. et al. (2022). An anonymous authentication protocol with delegation and revocation for content delivery networks.
[43] Wu, T. Y., Wang, T., Lee, Y. Q., Zheng, W., Kumari, S. et al. (2021). Improved authenticated key agreement scheme for fog-driven IoT healthcare system.