A short certificateless aggregate signature against coalition attacks.

Certificateless aggregate signature (CLAS) is a crucial cryptosystem. It can not only compress multiple signatures into a short signature, but also ensure the validity of each signature participating in the aggregation by verifying the validity of an resulting aggregate signature. Therefore, a secure and efficient CLAS scheme is very useful for resource-constrained environments because it greatly reduces the overall length of the signature and the verifier's computational overhead. Cheng et al. presented an efficient CLAS scheme and proved its security in the random oracle model. However, we find that their scheme has security flaws. In this paper, we demonstrate that Cheng et al.'s CLAS scheme is vulnerable to coalition attacks from internal signers. To overcome these attacks, we present an improved CLAS scheme and prove that it is existentially unforgeable under the computational Diffie-Hellman assumption. In addition, our CLAS scheme can not only resist coalition attacks but also generate a very short aggregate signature. The performance analysis results show that our improved CLAS scheme is lower than the related CLAS schemes in terms of communication overhead and computation cost.

1 Introduction

Digital signature is one of the major cryptosystems in modern cryptography, which can authenticate the user’s identity, protect the integrity of the data and achieve the non-repudiation of the user’s behavior. Hence, digital signature is one of the important security technologies in open network environments [1-3], which can ensure data security and identity authentication in new network forms and services [4-6]. In a digital signature scheme, the user uses his/her private key to sign the message, while the corresponding public key is used to verify the legality of the signature generated by the user. However, in a traditional public key cryptosystem, the user’s public key is a random string that cannot be associated with the user’s identity. To authenticate the authenticity of the user’s public key, the user’s identity and public key are usually bound by a public key certificate issued by a certificate authority [7-9]. That is, the validity of the user’s public key is determined by the legitimacy of the corresponding certificate. Unfortunately, the storage and management of numerous public key certificates require huge computational and storage overheads when deployed in the real world, which greatly increases the burden of the system.

To eliminate the problem of certificate management in public key cryptosystems, the concept of identity-based cryptography was proposed by Shamir [10]. In an identity-based signature (IBS) scheme, each user selects a unique identity as his/her public key, such as email address, telephone number, etc., and the user’s private key is computed by a trusted private key generator (PKG). Because the user’s public key is a public identity information, it does not need a certificate to verify the validity of the user’s public key. So, the identity-based signature scheme implements the binding of the public key and the entity identity in another way, and greatly simplifies key management. Boneh and Franklin [11] used bilinear pairing to design the first practical identity-based encryption scheme. Later, many efficient IBS schemes have also been presented [12-14]. However, the PKG can generate each user’s private key, which makes the PKG impersonate the user to sign arbitrary message without being discovered. Hence, key escrow is the main security flaw in identity-based cryptography.

Al-Riyami and Paterson [15] introduced the notion of certificateless signature (CLS) to solve the inherent key escrow problem in identity-based cryptosystems. In a CLS scheme, the user’s private key is composed of the secret value and the partial private key. The secret value is selected by the user himself, and the partial private key is generated by a third party called key generation center (KGC). Since the KGC does not know the secret value of the user, PKG cannot obtain the user’s full private key. In this way, the security threats posed by key escrow are resolved. In addition, the user’s public key is derived from the secret value but no longer requires a certificate for authentication. That is, the CLS scheme can basically solve the problems of both the traditional signature scheme and the IBS scheme. Therefore, CLS has become one of the most important research hotspots in public key cryptography. The first CLS scheme was designed by Al-Riyami and Paterson [15], but Huang et al. [16] found that their scheme [15] was insecure under public key replacement attacks. Subsequently, several efforts have been made to construct more secure CLS schemes [17-21].

Certificateless aggregate signature (CLAS) has the advantages of CLS and aggregate signature, which has attracted great attention from researchers. CLAS can compress n individual signatures of n different messages into a short signature. The verifier only needs to verify the final aggregate signature to determine whether n individual signatures involved in the aggregation are valid. As a result, CLAS not only reduces the signature length and the verifier’s computation costs, but also enhances the security of aggregate signature. CLAS is a very useful technique for reducing communication bandwidth and storage overhead, and it is very suitable for environments with limited computing resources and high-efficiency requirements, such as vehicular ad-hoc networks [22-24], wireless sensor networks [25, 26], the Internet of things [27], and so on [28, 29].

In recent years, researchers have proposed many CLAS schemes [30-32]. Yum and Lee [33] presented a CLAS scheme in the random oracle model. However, Hu et al. [34] found that their CLAS scheme [33] was unable to resist public key replacement attacks. Chen et al. [35] presented another CLAS scheme, but was vulnerable to public key replacement attacks and honest-but-curious KGC attacks [36, 37]. Deng et al. [38] constructed an efficient CLAS scheme and demonstrated its security, but Kumar and Sharma [39] showed that this scheme [38] could not provide unforgeability. Zhang et al. [40] also proposed an efficient CLAS scheme and proved its security in the random oracle model. However, Shim [41] pointed out that their CLAS scheme could not resist collusion attacks from internal users and KGC. Xiong et al. [42] designed a CLS scheme with lower signature verification overhead and further constructed a CLAS scheme with higher performance. However, Zhang et al. [43] pointed out that the CLS and CLAS schemes of Xiong et al. [42] could not withstand attacks from a malicious-but-passive KGC. In addition, Cheng et al. [44] and He et al. [45] noted that the CLS and CLAS schemes of Xiong et al. [42] were also insecure against honest-but-curious KGC attacks, respectively. An improved CLAS scheme was proposed by He et al. [45], but Li et al. [46] demonstrated that this modified scheme was still insecure under malicious-but-passive KGC attacks. Cheng et al. [44] also designed an improved version of Xiong et al.’s CLAS scheme, which was proved to be existentially unforgeable in the random oracle model. Unfortunately, we find that Cheng et al.’s CLAS scheme [44] is also insecure against coalition attacks from the collusion of insider signers. That is, the signers generate multiple invalid individual signatures, but the resulting aggregate signature is valid.

To the best of our knowledge, it is still open and challenging to design a secure and efficient CLAS scheme. In this paper, we focus on this issue, providing a new method for addressing it. We first present a coalition attack of insider signers to show the security flaws of Cheng et al.’s CLAS scheme [44]. Such attacks indicate that the validity of an aggregate signature does not guarantee the legitimacy of each individual signatures participating in the aggregation. However, this result has violated the security objectives of the CLAS scheme. To withstand this kind of practical and powerful attack, we further propose an improved CLAS scheme on the basis of Wang et al.’s CLS scheme [47]. In the random oracle model, we prove that the improved CLAS scheme satisfies existential unforgeability under the computational Diffie-Hellman (CDH) assumption. We also demonstrate that our CLAS scheme is secure against coalition attacks. In our CLAS scheme, an aggregate signature is only a group element, so the length of an aggregate signature is independent of the number of signers involved in the aggregation. Additionally, the analysis results indicate that the improved CLAS scheme has lower computational overhead and communication costs.

The remainder of this paper is organized as follows. Section 2 introduces some preliminaries. Section 3 reviews Cheng et al.’s CLAS scheme [44] and gives the corresponding cryptanalysis. Our improved CLAS scheme is presented in Section 4. Section 5 gives the conclusions.

2 Preliminaries

The following are some preliminaries related to this paper, including the security notions of CLAS, bilinear paring and complexity assumption.

2.1 Formal security model of CLAS

A CLAS scheme mainly includes three entities: KGC, n users and an aggregator, as formally defined in the following seven algorithms [32-34].

Setup(λ) → (pp, msk): Given a security parameter λ, the KGC executes this algorithm to produce the master secret key msk and public parameters pp.

PartialKeyGen(pp, msk, ID) → psk: Upon input of pp, msk and a user ’s identity ID, the KGC executes this algorithm to produce a partial private key psk for .

UserKeyGen(pp, ID) → (usk, pk): Upon input of pp and ID, the user creates its secret value usk and public key pk. Note that the private key of is sk = (usk, psk).

Sign(pp, sk, m) → σ: Upon input of pp, sk and message m, the user generates an individual signature σ on m.

Verify(pp, ID, pk, m, σ) → {0, 1}: Upon input of pp, ID, pk and a signature σ on a message m, this algorithm outputs 1 if σ is valid; else, it outputs 0.

Aggregate : Upon input of n message/signature pairs (m, σ) from n users (i = 1, …, n), the aggregator runs this algorithm to generate an aggregate signature σ on {m1, …, m}.

AggVerify : Given pp and an aggregate signature σ of n messages {m1, …, m} on {ID1, …, ID} and {pk1, …, pk}, this algorithm outputs 1 if σ is valid; else, it outputs 0.

The security model of a CLAS scheme mainly considers two types of attackers [42, 44, 48], named Type I adversary and Type II adversary .

represents a dishonest user (i.e., an external attacker). can know the secret value of each user and replace any user’s public key, but does not know the master secret key msk.

represents a malicious KGC. A honest-but-curious KGC knows msk and generates the user’s private key, but is unable to perform public key replacement. In addition to having the ability of a honest-but-curious KGC, a malicious-but-passive KGC is also allowed to embed trapdoors in msk and public parameters pp during the system initialization phase.

The following uses two security games between an attacker and a challenger to define the unforgeability of a CLAS scheme.

Game 1: The first game is played by and .

Initialization: sends public parameters pp generated by the algorithm Setup(λ) to , and then secretly stores the master secret key msk.

Partial-private-key-query: If asks for a partial private key of an identity ID, then executes the algorithm PartialKeyGen(pp, msk, ID) to produce psk and returns it to .

Public-key-query: If requests a public key of ID, then performs the algorithm UserKeyGen(pp, ID) to produce pk and returns it to .

Secret-value-query: If receives an identity ID sent by , then responds to with a secret value usk output by the algorithm UserKeyGen(pp, ID).

Public-key-replacement-query: If receives ID and sent by , then the public key of ID is replaced by .

Sign-query: When asks for a signature of a message m and an identity ID, runs the algorithm Sign(pp, sk, m) to produce an individual signature σ of m and sends it to .

Forgery: finally produces a forgery , where at least one of n identities is the identity ID* of the target user. Assumed that the t-th signer’s identity and that is an individual signature of on message , where t ∈ {1, …, n}. If the following three conditions are satisfied, then wins the game.

Partial-private-key-query has never received an inquiry about .

Sign-query has never received an inquiry about .

σ* is a valid aggregate signature of on messages .

Game 2: The second game is played by and . We consider that the second type of attacker is a malicious-but-passive KGC, which is a strengthened security model.

Initialization: sends the master secret key msk and public parameters pp generated by the algorithm Setup(λ) to .

Queries: In addition to Partial-private-key-query and Public-key-replacement-query, may initiate other queries defined in Game 1.

Forgery: finally produces a forgery . Assume that the target user’s identity and that is an individual signature of (ID*, pk*) on message , where t ∈ {1, …, n}. If the following three conditions are satisfied, then wins the game.

Secret-value-query has never received an inquiry about .

Sign-query has never received an inquiry about .

σ* is a valid aggregate signature of on messages .

Definition 1. If there is no polynomial-time attacker who can win in the above two games with a non-negligible probability, then a CLAS scheme is said to be existentially unforgeable under adaptive chosen-message attacks [42, 44, 48].

2.2 Bilinear pairing and complexity assumption

Assume that p is a prime number, G1 and G2 are two cyclic groups with order p, and g is a generator of G1. If a map e: G1 × G1 → G2 satisfies the following conditions, then e is called a bilinear pairing [43]:

Bilinearity: For all γ1, γ2 ∈ Z, .

Non-degeneracy:e(g, g) is not an identity element in G2. That is, .

Computability: For any γ1, γ2 ∈ Z, an algorithm for efficiently calculating exists.

Given three elements , the CDH problem is to calculate g ∈ G1, where the unknown values a and b are randomly chosen from .

Definition 2 (CDH assumption). If the probability of any polynomial-time attacker to solve the CDH problem is negligible, then the CDH problem is called intractable [47, 49].

3 Cryptanalysis of Cheng et al.’s CLAS scheme

3.1 Review of Cheng et al.’s CLAS scheme

To overcome the security flaws in Xiong et al.’s CLAS scheme [42], Cheng et al. [44] presented an improved CLAS scheme that is described as follows.

Setup: Given a security parameter λ, the KGC selects two multiplicative cyclic groups G1 and G2 with prime order p, a bit string Q of length l, a generator g in G1 and a bilinear pairing e: G1 × G1 → G2. Then, the KGC randomly selects and computes P = g. The KGC also picks three hash functions H0: {0, 1} → G1, H1: {0, 1}* → G1 and . Finally, the KGC secretly stores the master secret key msk = s and publishes public parameters pp = {G1, G2, p, g, e, Q, P, H0, H1, H2}.

PartialKeyGen: After receiving an identity ID submitted by a user , the KGC computes psk = H1(ID) and sends ID’s partial private key psk to through a secure channel.

UserKeyGen: The user with identity ID randomly selects and computes public key . Then, sets its secret value usk = x and private key sk = (usk, psk) = (x, H1(ID)).

Sign: For a message m, the signer selects a random value and computes , h = H2(m, ID, pk, R) and . Then, outputs σ = (R, V) as an individual signature of m.

Verify: Given ID, pk and an individual signature σ = (R, V) on message m, a verifier computes H0(Q), H1(ID) and h = H2(m, ID, pk, R) and then verifies the following equation: If this equation holds, output 1; otherwise, output 0.

Aggregate: After receiving the message-signature pair (m, σ = (R, V)) from user for i = 1, …, n, the aggregator calculates and outputs an aggregate signature σ = (R1, …, R, V).

AggVerify: Given n identities {ID1, …, ID}, n public keys {pk1, …, pk}, n messages {m1, …, m} and an aggregate signature σ = (R1, …, R, V), a verifier first computes H0(Q), H1(ID) and h = H2(m, ID, pk, R) for i = 1, …, n. Then, the verifier verifies the following equation: If this equation holds, output 1; otherwise, output 0.

3.2 Attack on Cheng et al.’s CLAS scheme

In the random oracle model, Cheng et al.’s CLAS scheme [44] was proved to satisfy the security requirement of existential unforgeability. Unfortunately, in this subsection, we demonstrate that Cheng et al.’s CLAS scheme [44] cannot resist coalition attacks from internal signers. Without loss of generality, suppose that {ID1, pk1} and {ID2, pk2} are the identity/public key pairs of the signers , respectively. As a result, we show that cooperates with to generate invalid individual signature σ on message m for i = 1, 2, whereas the resulting aggregate signature σ on {m1, m2} is valid.

randomly selects and computes and . Then, sends to .

randomly selects and computes and . Then, sends to .

computes and sets as a signature on m1.

computes and sets as a signature on m2.

cooperates with to produce an aggregate signature on messages {m1, m2}, where .

Clearly, are invalid individual signatures of on {m1, m2}, respectively. However, the forged aggregate signature is valid since

Therefore, dishonest signers can jointly forge a valid aggregate signature for arbitrary messages. This shows that even if some individual signatures participating in the aggregation are invalid, the resulting aggregate signature is also valid. That is, the validity of every individual signature involved in the aggregation cannot be guaranteed by the legitimacy of the corresponding aggregate signature. So, Cheng et al.’s CLAS scheme [44] is insecure under coalition attacks.

4 Our improved CLAS scheme

In Cheng et al.’s CLAS scheme [44], dishonest signers can use some invalid individual signatures to jointly generate a valid aggregate signature. However, the main reason for the success of such attacks is due to the fact that signers can exchange their individual signature values with each other during the generation of an aggregate signature.

4.1 Construction

In this subsection, we design an enhanced CLAS scheme for preventing the above coalition attack. The following is the description of our CLAS schem.

Setup: The KGC selects two groups G1 and G2, which have the same prime order p. The KGC randomly selects a generator g in G1 and a bilinear pairing e: G1 × G1 → G2. The KGC picks hash functions H: {0, 1}* → {0, 1} and H1, H3: {0,1}* → G1. The KCG also chooses a random value and calculates P = g. Finally, the KGC publishes public parameters pp = {G1, G2, p, g, e, P, H, H1, H3} and secretly stores the master secret key msk = s.

The algorithms PartialKeyGen and UserKeyGen are the same as those in the CLAS scheme of Cheng et al.

Sign: For a message m, the user uses its secret value usk = x and partial private key psk = H1(ID) to calculate V = H3(m, ID, pk) and Then, outputs σ as an individual signature of m.

Verify: Given ID, pk and an individual signature σ on message m, a verifier computes H1(ID) and V = H3(m, ID, pk), and then checks the following equation: If it holds, accept σ and output 1; else, reject σ and output 0.

Aggregate: Given the message-signature pair (m, σ) from user for i = 1, …, n, the aggregator calculates and outputs an aggregate signature σ on {m1, …, m}.

AggVerify: Given n identities {ID1, …, ID}, n public keys {pk1, …, pk}, n messages {m1, …, m} and an aggregate signature σ, a verifier computes H1(ID) and V = H3(m, ID, pk) for i = 1, …, n. Then, the verifier checks the following equation: If the above equation holds, accept σ as a valid aggregate signature and output 1; else, reject it and output 0.

4.2 Correctness

The correctness of verifying an individual signature σ on message m is given below:

The correctness of verifying an aggregate signature σ on messages {m1, …, m} is given below:

From the above analysis, we can see that our CLAS scheme is correct.

4.3 Security analysis

We prove that the improved CLAS scheme is existentially unforgeable under Type I and Type II adversaries. Also, we demonstrate that our CLAS scheme can withstand coalition attacks.

Theorem 1. If the security of our CLAS scheme is broken by a polynomial-time Type I adversary , then the CDH problem can be solved.

Proof. Suppose that forges a valid aggregate signature with probability ε1 after making at most q random oracle queries to H(i = 1, 3), q partial private key queries, q public key queries, q public key replacement queries, q secret value queries and q signing queries, then we can construct an algorithm to solve the CDH problem. After receiving a random CDH instance , will utilize ’s forgery to calculate the CDH value g.

Initialization: sets P = g and runs the algorithm Setup(λ) to produce other parameters. Then, sends public parameters pp to . Note that the master secret key msk = a is unknown to . Moreover, controls two random oracles to simulate hash functions H1 and H3. To simplify the description, it is assumed that has performed related hash queries before making other inquiries. To avoid collisions and consistently respond to all kinds of queries initiated by , maintains a list and two other lists that are all initially empty. picks a random integer d ∈ [1, q1] and responds to all queries initiated by in the following way.

H1 queries: Upon receiving the i-th H1 inquiry about an identity ID, first checks whether an entry for ID exists in . If yes, sends the corresponding value H1(ID) to . Otherwise, randomly selects and sets If i ≠ d, adds (ID, y, H1(ID)) to ; otherwise, sets the target user’s identity ID* = ID and y* = y, and then adds (ID*, y*, H1(ID*)) to . Finally, sends H1(ID) to .

H3 queries: issues an H3 query for (m, ID, pk). If it is found in , then sends the corresponding value V to . Otherwise, randomly selects and sets . Next, sends V to and adds (m, ID, pk, z, V) to .

Partial-private-key-query: After receiving an identity ID submitted by , considers the following two cases.

If ID = ID*, terminates the game.

If ID ≠ ID*, checks whether contains an entry for ID.

If it exists, sends psk to .

Else, finds the tuple (ID, y, H1(ID)) in and returns a partial private key to . Then, adds (ID, psk, ⊥, ⊥) to .

Public-key-query: On receiving an identity ID, checks if an entry for ID exists in , where pk ≠ ⊥. If yes, sends pk to . Otherwise, randomly selects and sets usk = x and . If ID = ID*, sets the target user’s public key pk* = pk and secret value usk* = usk. Then, adds the corresponding tuple to and returns a public key pk to .

Secret-value-query: If issues a query for an identity ID, first initiates a public key query about ID and then returns the corresponding secret value usk to .

Public-key-replacement-query: If submits an identity ID and a public key , first checks whether there is an entry for ID in . If yes, replaces ID’s public key with ; otherwise, sets ID’s public key to and then adds a new tuple (ID, ⊥, ⊥, pk) in .

Sign-query: asks a signature query on its selected identity ID and message m. If ID = ID*, terminates the game. Else, searches the lists and to find the corresponding tuples (psk, usk, pk) and V = H3(m, ID, pk), respectively. Then, returns to as a signature on m.

Forgery: eventually produces a valid forgery . Suppose that the individual signature is not returned by Sign-query on the target identity and message , where t ∈ {1, …, n}. If or is not found in , aborts. Else, finds (usk* = x*, pk*) corresponding to in . Then, obtains the tuples (ID*, y*, H1(ID*)) and from and , respectively. Since is valid, the following equation must hold: From the above equation, calculates g as Hence, solves the CDH problem.

Next, we analyze the successful probability that can solve the CDH problem instance. If the following events occur, will not quit during the entire simulation game.

During the simulation of Partial-private-key-query, each identity ID queried by is not equal to ID*. The probability is at least .

During the simulation of Sign-query, each identity ID queried by is not equal to ID*. The probability is at least .

In the forgery phase, at least one of n identities is the target user’s identity ID*. The probability of , where t ∈ {1, …, n}, is at least .

V* can be found in . The probability is at least .

Hence, the overall success probability of solving the CDH problem is

Theorem 2. If the security of our CLAS scheme is broken by a polynomial-time Type II adversary , then the CDH problem can be solved.

Proof. Let be a malicious-but-passive KGC. Suppose that forges a valid aggregate signature with probability ε2 after making at most q random oracle queries to H(i = 1, 3), q public key queries, q signing queries and q secret value queries, then there exists a solver that invokes to violate the CDH assumption. Given a CDH instance , the goal of is to calculate g by interacting with .

Initialization: picks a random value as the master secret key msk and calculates P = g. Then, runs Setup(λ) to produce other parameters and sends (pp, msk) to . After that, picks a random integer d ∈ [1, q3] and maintains three initially empty lists , and .

H1 queries: Upon receiving an H1 query on an identity ID, returns the corresponding value H1(ID) to if contains an entry for ID. Otherwise, selects at random and sets . Then, sends to and adds (ID, y, H1(ID)) to .

H3 queries: Upon receiving the i-th H3 query on (m, ID, pk), sends the corresponding V to if an entry for (m, ID, pk) exists in . Otherwise, selects a random value and sets If i ≠ d, adds (m, ID, pk, z, V) to ; otherwise, sets the target user’s identity ID* = ID and pk* = pk and then adds (m, ID*, pk*, z, V) to . Finally, sends V to .

Public-key-query: asks a public key query for ID and if it is found in , then returns pk to . Otherwise, selects a random value and sets If ID ≠ ID*, sets usk = x and adds (ID, x, pk) to . Otherwise, sets the public key pk* = pk of the target user, and adds (ID*, ⊥, pk*) to . Finally, returns pk to . Note that the target user’s secret value usk* = a, while a is unknown to .

Secret-value-query: On receiving the query on ID, aborts if ID = ID*; otherwise, first initiates a public key query about ID and then returns the corresponding secret value usk to .

Sign-query: Upon receiving an identity ID and a message m, proceeds as follows:

If ID = ID*, aborts.

Else, searches the lists and to find (ID, x, pk) and (ID, y, H1(ID)), respectively. Next, makes an H3 query on (m, ID, pk) to obtain V = H3(m, ID, pk). Finally, computes and returns a signature σ on m to .

Forgery: eventually produces a valid forgery . Suppose that the individual signature is not returned by Sign-query on identity and message , where t ∈ {1, …, n}. If or is not found in , aborts. Otherwise, looks up the lists and to obtain the tuples (ID*, y*, H1(ID*)) and , respectively. Since is valid, the following equation must hold: Thus, can use the master key msk = s to calculate the CDH value

Here, we also analyse the probability of using ’s forgery to successfully solve the CDH instance. completes the entire simulation if the following events occur.

ID* has never appeared during secret value queries. The probability is at least .

ID* has never appeared during signing queries. The probability is at least .

In the forgery phase, at least one of n identities is the target user’s identity ID*. The probability of , where t ∈ {1, …, n}, is at least .

V* can be found in . The probability is at least .

Therefore, the overall success probability of solving the CDH problem is

Since the CDH problem is intractable, the success probability of or attacking our CLAS scheme is negligible. According to Theorem 1 and Theorem 2, the following theorem is easily obtained.

Theorem 3. If the CDH assumption holds, then our improved CLAS scheme satisfies existential unforgeability in the random oracle model.

Theorem 4. Our CLAS scheme is secure under coalition attacks.

Proof. If an aggregate signature σ is valid, then the following equation must hold:

Since the hash function H satisfies collision resistance, we conclude that It shows that each individual signature σ participating in the aggregation is valid.

Meanwhile, if every individual signature σ is valid, the following equations hold: Hence, we have This shows that the resulting aggregate signature σ generated by σ(i = 1, …, n) is also valid.

The above analysis indicates that if the internal signers exchange each other’s individual signature value during aggregate signature generation, the collision resistance of H ensures that the final aggregate signature could not pass the signature verification equation. In other words, an aggregate signature is valid in our CLAS scheme if and only if each individual signature used to generate the aggregate signature is also valid. Hence, our CLAS scheme can resist coalition attacks.

4.4 Performance analysis

We compare our CLAS scheme with other similar schemes [27, 30, 31, 35, 39, 42–46] in terms of performance and security properties. In Table 1, we give the description of some symbols that need to be used in this subsection.

Table 1

Definition of some notations.

Symbol	Definition
Size	the overall length of an aggregate signature
Sign	the computational cost of the algorithm Sign
AggVerify	the computational cost of the algorithm AggVerify
Coalition attack	Can a scheme resist coalition attacks?
n	the overall number of signers participating in the aggregation
|G1|	the length of an element in G1
P	the computational cost of a bilinear pairing operation
E	the computational cost of an exponentiation calculation

4.4.1 Performance comparison

Because the computational costs of multiplication, hash function and other cryptographic operations are relatively small, we focus on the time-consuming bilinear pairing and exponentiation operations when analysing the performance. Table 2 shows a detailed performance comparison between our CLAS scheme and the related CLAS schemes, where the required symbols are given in Table 1.

Table 2

Performance comparison of some CLAS schemes.

Scheme	Sign	AggVerify	Size	Coalition attack
Scheme of Cheng et al. [44]	3E	3P+2nE	(n + 1)|G1|	No
Scheme of Zhang et al. [43]	2E	2nP+2nE	|G1|	Yes
Scheme of Liu et al. [27]	3E	3P+2nE	2|G1|	No
Scheme of Xiong et al. [42]	3E	3P+2nE	(n + 1)|G1|	No
Scheme of He et al. [45]	3E	3P+2nE	(n + 1)|G1|	No
Scheme of Du et al. [30]	4E	4P+2nE	2|G1|	No
Scheme of Chen et al. [31]	4E	4P+2nE	(n + 1)|G1|	No
Scheme of Chen et al. [35]	4E	4P+2nE	2|G1|	No
Scheme of Kumar et al. [39]	4E	3P+2nE	(n + 1)|G1|	No
Scheme of Li et al. [46]	4E	3P+2nE	(n + 1)|G1|	No
Our scheme	E	nP	|G1|	Yes

From Table 2, for the computational cost of an individual signature generation, our CLAS scheme needs to perform only one exponentiation operation. Zhang et al.’s scheme [43] needs to perform 2 exponentiations. Cheng et al.’s scheme [44] requires 3 exponentiations, as do the schemes of Liu et al. [27], Xiong et al. [42] and He et al. [45]. The other five CLAS schemes [30, 31, 35, 39, 46] need to perform 4 exponentiations.

In our CLAS scheme, the verification equation for an aggregate signature where e(H1(ID), P)(i = 1, …, n), can be pre-computed. During the aggregate signature verification, our CLAS scheme requires n bilinear pairings. The scheme of Chen et al. [35] requires 4 bilinear pairings and 2n exponentiations, as do Du et al.’s scheme [30] and Chen et al.’s scheme [31]. The CLAS scheme in [27, 39, 42, 44–46] requires 3 bilinear pairings and 2n exponentiations, while Zhang et al.’s scheme [43] requires 2n bilinear pairings and 2n exponentiations.

An aggregate signature is only one element of G1 in our CLAS scheme and Zhang et al.’s scheme [43]. In Liu et al.’s CLAS scheme [27], an aggregate signature is 2 elements in G1, which is the same as in Du et al.’s scheme [30] and Chen et al.’s scheme [35]. In the other six CLAS scenarios [31, 39, 42, 44–46], an aggregate signature consists of (n + 1) elements in G1.

Except for our CLAS scheme and Zhang et al.’s scheme [43], all other CLAS schemes [27, 30, 31, 35, 39, 42, 44–46] are insecure against coalition attacks. However, our CLAS scheme is superior to Zhang et al.’s scheme [43] in terms of computational performance.

4.4.2 Experimental evaluation

We also conduct performance evaluation experiments on the proposed CLAS scheme and other CLAS schemes [43, 44, 46]. The simulated environment is set up on a laptop with the Windows 10 operating system, and the main configuration is Intel(R) Core(TM) i7-6500 CPU @ 2.59 GHz and 8 GB RAM. To execute the bilinear pairing operation quickly, we choose the curve a.param of type A in the PBC-0.47-VC library. The detailed simulation results are shown in Figs 1, 2 and 3.

Fig 1

Time cost of individual signature generation.

Fig 2

Comparison of communication cost.

Fig 3

Time cost of aggregate signature verification.

Fig 1 shows that each signer needs approximately 26 ms to generate an individual signature in our CLAS scheme. The scheme of Zhang et al. [43] needs approximately 49 ms. Cheng et al.’s scheme [44] requires approximately 52 ms, and Li et al.’s scheme [46] requires approximately 91 ms. Therefore, our CLAS scheme requires the least computational cost when generating an individual signature.

The communication overhead of a CLAS scheme mainly relies on the size of the aggregate signature. Table 2 shows that our CLAS scheme and Zhang et al.’s scheme [43] have the same aggregate signature length, and Cheng et al.’s scheme [44] and Li et al.’s scheme [46] also have the same aggregate signature length. Fig 2 shows that the size of an aggregate signature in our CLAS scheme is fixed at 128 bits, while the length of an aggregate signature in Cheng et al.’s scheme [44] increases linearly with the number of signers. Hence, our CLAS scheme greatly reduces the communication cost.

Fig 3 shows that the computational cost of verifying an aggregated signature is linearly increasing with the total number of signatories. Notably, the verification cost of an aggregate signature is less than the total cost of n individual signature verifications participating in the aggregation. Compared with other CLAS schemes [43, 44, 46], Fig 3 shows that our CLAS scheme has lower computational overhead when verifying aggregate signatures.

In summary, the results of the performance evaluations performed in the above experiments are consistent with the theoretical analysis results in Table 2. From the above analysis, we can see that our improved CLAS scheme has lower computational overhead, shorter signature length and higher security.

5 Conclusions

Cheng et al. [44] proposed an efficient CLAS scheme and proved its security. In this paper, we demonstrate that their CLAS scheme [44] cannot resist coalition attacks from internal signers. To prevent these attacks, we design an enhanced CLAS scheme that is secure under coalition attacks. Under the CDH assumption, our improved scheme is proved to satisfy existential unforgeability in the random oracle model. In addition, our CLAS scheme can aggregate n individual signatures into a short signature which is only an element in G1. More importantly, the length of an aggregate signature is fixed and has nothing to do with the total number of signers participating in the aggregation. Therefore, our CLAS scheme is very suitable for network environments with limited resources, such as the Internet of vehicles, and wireless communication networks [50-52].

(XLSX)

Click here for additional data file.

(XLSX)

Click here for additional data file.

(XLSX)

Click here for additional data file.