PSDAAP: Provably Secure Data Authenticated Aggregation Protocols Using Identity-Based Multi-Signature in Marine WSNs

Abstract

Data authenticated aggregation is always a significant issue for wireless sensor networks (WSNs). The marine sensors are deployed far away from the security monitoring. Secure data aggregation for marine WSNs has emerged and attracted the interest of researchers and engineers. A multi-signature enables the data aggregation through one signature to authenticate various signers on the acknowledgement of a message, which is quite fit for data authenticated aggregation marine WSNs. However, most of the previous multi-signature schemes rely on the technique of bilinear pairing involving heavy computational overhead or the management of certificates, which cannot be afforded by the marine wireless sensors. Combined with the concept of identity-based cryptography, a few pairing-free identity-based multi-signature (IBMS) schemes have been designed on the basis of the integer factorization problem. In this paper, we propose two efficient IBMS schemes that can be used to construct provably secure data authenticated aggregation protocols under the cubic residue assumption, which is equal to integer factorization. We also employ two different methods to calculate a cubic root for the cubic residue number during the signer’s private key extraction. The algorithms are quite efficient compared to the previous work, especially for the algorithms of the multi-signature generation and its verification.

1. Introduction

In most of the wireless sensor networks (WSNs), the significant issue for data collection or data aggregation always lies in the center of data transmission, both in the academia and in the industry [1,2,3]. In most scenarios of marine WSNs, all the nearby wireless sensors send their data, such as the temperature, pressure, salinity, and potential of hydrogen (pH value) in the chemistry of the environmental monitoring ocean, to a central node, which is located at a base station or a buoy for data collection, as shown in Figure 1. The central node further sends the aggregated data through the long-distance data transmission networks, such as vessel-based or satellite-based networks [4]. However, marine sensors are always deployed far away from the security monitoring. Thus, the secure data aggregation for marine sensor networks has emerged and attracted the interest of researchers and engineers. In order to mitigate the malicious attackers injecting false data, it is quite necessary for each central node to authenticate these sensing measurements from the nearby sensors in the ocean observation system [5].

Generally, a digital signature often provides the properties of authenticity and non-repudiation through checking the signed acknowledgments from senders [6]. However, in WSNs, the international standards for broadcasting authentication are very vulnerable to signature verification flooding attacks, as the excessive requests for signature verification must run out of the computational resources of those victims [7]. The scenario seems worse, as the marine wireless sensors are powered by a limited battery and cannot afford these overloaded requests in an oceanic environment. To optimize the communication and computational overhead, a variant of digital signature, named multi-signature, permits various signers to sign on a message individually and aggregate partial signatures to a compact signature [8].

A multi-signature can play a significant role in authenticating different sensors’ data by checking a single compact signature to cut down the communication bandwidth for marine wireless devices, as the transmission of one-bit data consumes more energy than the arithmetic operations on several bits [9]. This seems a promising way to solve the data authentication in a multi-user scenario. Since the primitive has been proposed, multi-signature schemes have been paid attention to by most of the network designers and industry engineers. However, in the past years, most of the work on multi-signature schemes has been constructed by relying on the assumed existence of public key infrastructure (PKI) [10,11]; the heavy burdens of the digital public key certificate management bring high communication overhead and storage overhead when PKI is applied and implemented in the wireless networks. The cases become worse when the sensors are deployed in the marine environments (denoted as Problem 1).

To overcome the weakness brought by PKI, identity-based cryptography emerges as a novel cryptographic primitive and a powerful alternative to traditional certificate-based cryptography, which has been raised early on in [12] and is further specifically designed in [13,14]. Identity-based cryptography makes some public, known information a public key, such as the device’s number, IP address, or a username, to mitigate the management problem for the public key certificates. In the extreme case that the bandwidth is a bottleneck, the identities of the signers often appear in the head of the communication packets, instead of in the transmission of the heavy public keys. Inspired by this concept, the first identity-based multi-signature (IBMS) scheme, proposed in [15], uses a mathematical technique named “bilinear mapping”, such as is used in [13], and is proved to be secure, relying on discrete logarithm (DL) assumptions or computational Diffie–Hellman (CDH) assumptions. Because the operation of bilinear mapping involves too much computational overhead [16,17], many bilinear mapping techniques are not suitable for the battery-limited sensors in marine WSNs (denoted as Problem 2).

As a consequence, there is great interest for cryptographic researchers to design pairing-free identity-based cryptographic schemes [18]. The first non-pairing IBMS scheme was proposed in [19] with three-round interactive communications and under R. Rivest, A. Shamir, L. Adleman (RSA) assumptions. Later, a communication efficiency-improved IBMS scheme under RSA assumptions was presented in [20] with two-round interactive communications. Yang et al. [21] proposed an efficient improved IBMS scheme that aims to save the computational resources and communication bandwidth. Even if the RSA assumption approaches the integer factorization assumptions, unfortunately, the RSA assumption has not yet been proved equal to the factorization assumption (denoted as Problem 3).

To satisfy the application requirements and to avoid security concerns in cryptrography, it is common practice to construct alternative cryptographic schemes under a weaker assumption—integer factorization. Recently, cryptographic researchers have been focused on finding a new construction that is proved to be secure directly on the basis of factorization. Chai [22] gave an instance of an identity-based digital signature relying on the quadratic residue assumption. Following this, Wei et al. [6] proposed IBMS schemes using quadratic residue assumptions, under weaker assumptions and a strengthened security model, achieving advantages in the computational consumption and transmission overhead. Xing [23] and Wang [24] presented identity-based signature schemes under the cubic residue assumptions. Wang proposed several signature variants relying on cubic residues, including identity-based ring signature [25], identity-based proxy multi-signature (IBPMS) [26] and threshold ring signature [27]. Wei [28] considered an identity-based multi-proxy signature (IBMPS) scheme for use in a cloud-based data authentication protocol. Zhang [29] proposed a secure multi-entity delegated authentication protocol based on an identity-based multi-proxy multi-signature (IBMPMS) for mobile cloud computing. Unfortunately, none considered constructing IBMS schemes directly based on cubic residues (denoted as Problem 4).

Facing the above problems, this work constructs IBMS schemes relying on the cubic residue assumption equal to integer factoring. Our schemes have merits not only in the efficiency aspect, where we do not rely on the bilinear pairing maps or over exponentiations, but also in the security aspect, where we prove them to be secure under a weaker assumption of factoring to achieve stronger security. The contributions for this paper can be summarized as follows.

• We have proposed two efficient IBMS schemes, denoted as IBMS^CR−1 and IBMS^CR−2, which are suitable for data aggregation among the sensors and collectors in marine WSNs.
• We formally define the security of IBMS and prove IBMS^CR−1 to be secure, relying on the cubic residues in a random oracle model. The computational cost of IBMS^CR−1 is lower, as the exponentiations are cubic exponentials.
• To enhance efficiency, the total computational cost of IBMS^CR−2 is almost four-fifths that of IBMS^CR−1 in implementation. We also prove the security of IBMS^CR−2 on the basis of the cubic residues equalling integer factoring in the random oracle model.

The organization of this paper is as follows. Section 2 gives necessary preliminaries, and Section 3 gives the formal definition of the security model. In Section 4 and Section 5, we propose two concrete IBMS schemes, IBMS^CR−1 and IBMS^CR−2, as well as outline their correctness and full security proof. Section 6 gives the performance comparison. Section 7 gives the conclusion for the paper.

2. Preliminaries

Some fundamental concepts are introduced simply, for further explaining the construction and security proof.

2.1. Cubic Residue

We first introduce the definition of the cubic residue.

Definition 1

(Cubic residue [23]). For an integer $N\equiv 1(mod3)$, a cubic residue modulo N, $c\in {\mathbb{Z}}_N^{*}$, if $x^3\equiv c(modN)$ for some $x\in {\mathbb{Z}}_N^{*}$.

Because the module N is a product for unknown p and q, it is difficult to obtain x from a cubic residue c, that is, the difficulty of obtaining x from c is equal to the factorization of N.

2.2. Cubic Residue Symbol in Eisenstein Ring

Following the work in [23,30,31], we let $\omega$ denote a complex root of $z^2+z+1=0$, which means that $\omega$ is a cubic root of 1. We also have ${\omega }^2=-1-\omega =\overline{\omega }$, where $\overline{\omega }$ is the conjugate complex of $\omega$. The Eisenstein ring is defined as the set $\mathbb{Z}\left[\omega \right]=\{a+b\omega |a,b\in \mathbb{Z}\}$. We introduce the cubic residue symbol as follows:

$${\left(\frac{·}{·}\right)}_3:\mathbb{Z}\left[\omega \right]\times (\mathbb{Z}\left[\omega \right]-(1-\omega )\mathbb{Z}\left[\omega \right])\to \{0,1,\omega ,{\omega }^2\}$$

For a prime p in $\mathbb{Z}\left[\omega \right]$ where p is not associated to $1-\omega$, we have

$${\left(\frac{\alpha }{p}\right)}_3={\alpha }^{\left(N\right(p)-1)/3}(modp)$$

where $N\left(p\right)=p·\overline{p}$ is defined as the norm of p.

2.3. Some Useful Theorems

Theorem 1

(Factorization Theorem [23]). Let $N=pq$, where p and q are large primes. Let c be a cubic residue modulo N, and $r_1$ and $r_2$ be c’s two cubic roots modulo N; that is, $r_1^3\equiv r_2^3\equiv c(modN)$ and $r_1\ne r_2(modN)$. N can be factored by taking $gcd(r_1-r_2,N)$ in polynomial time, where $gcd(x,y)$ is the greatest common divisor of x and y.

Theorem 1 is easily validated, as if $r_1^3\equiv r_2^3\equiv c(modN)$, we have $(r_1-r_2)(r_1^2+r_1{r}_2+r_2^2)\equiv 0(modN)$. There must exist an integer k such that $(r_1-r_2)(r_1^2+r_1{r}_2+r_2^2)=kpq$. If $r_1\ne r_2(modN)$, $r_1-r_2$ cannot be a multiple of N at the same time; $r_1-r_2$ must contain a non-trivial divisor of N, which is p or q. Therefore, the integer N can be factored by Theorem 1. However, the two cubic roots satisfying $r_1\equiv r_2(modN)$ cannot lead directly to factoring the integer N.

The following theorem shows a solution to compute a $3^{\ell }$-th root of a cubic residue without factoring N.

Theorem 2.

Let $\omega \equiv 1(mod3)$, $\ell >0$, c be a cubic residue modulo N, and $X\in Z_N^{*}$ satisfy

$$c^{\omega }\equiv X^{3^{\ell }}(modN)$$

Then we can easily calculate the cubic root y; that is, $y^3\equiv c(modN)$.

Because $\omega \equiv 1(mod3)$, we can denote $\omega =3^r(3\delta +1)$; following this,

$$c^{\omega }\equiv c^{3^r(3\delta +1)}\equiv X^{3^{\ell }}(modN)$$

We take the $3^r$-th root and obtain

$$c^{3\delta +1}\equiv X^{3^{\ell }-r}(modN)$$

Because $c^{3\delta +1}=c^{3\delta }·c$, we have

$$c\equiv \frac{X^{3^{\ell }-r}}{c^{3\delta }}\equiv {\left(\frac{X^{3^{\ell }-r-1}}{c^{\delta }}\right)}^3(modN).$$

Let $y=X^{3^{\ell }-r-1}/c^{\delta }$; then we have $y^3\equiv c(modN)$

Theorem 2 can be used in the security proof for IBMS^CR−1. We introduce the following Theorem [24,29] regarding the cubic residue used in the security proof for IBMS^CR−2.

Theorem 3 

(Cubic residue construction [24,29]). If p and q are two primes with $p\equiv 2(mod3)$ and $q\equiv 4$ or $7(mod9)$, it is easy to produce a cubic residue modulo N. Let $nc$ be a non-cubic modulo q, for any $h\in {\mathbb{Z}}_N^{*}$; we can compute that $\eta =\frac{(q-1)(mod9)}{3}$ , $\lambda =\eta (mod2)+1$, $\beta =(q-1)/3$, $\xi \equiv n{c}^{\eta \beta }(modq)$, $\tau \equiv h^{\lambda \beta }(modq)$ and

$$b=\left\{\begin{array}{cc}0,\hfill & if\tau =1\hfill \\ 1,\hfill & if\tau =\xi \hfill \\ 2,\hfill & if\tau ={\xi }^2\hfill \end{array}\right.$$

We can construct a cubic residue C modulo N; that is, $C=n{c}^b·h(modN)$.

Theorem 4.

Let p, q, N, C, and η be defined as in Theorem 3; we can calculate a cubic root s of $C^{-1}$ by $s\equiv C^{[2^{\eta -1}(p-1)(q-1)-3]/9}(modN).$ Note that $s^3·C\equiv 1(modN)$.

3. Formal Definition and Security Model

3.1. Formal Definition

We assume that there exist n distinct signers, named $I{D}_1,I{D}_2,\dots ,I{D}_n$, to authenticate a message m by cooperatively generating a multi-signature $m\sigma$. The signer $I{D}_i$ is denoted as $signe{r}_i$.

Theorem 5.

A typical IBMS scheme is always made up of six algorithms, that is, Setup, Extra, Sign, Verify, MSign, and MVerify. We describe each of them as follows.

• Setup: $(mpk,msk)\leftarrow$Setup(1${}^k$). The algorithm is controlled by the key generator center (KGC). The KGC generates the system’s master public keys mpk and master secret keys msk when it is given the security parameter k.
• Extra: $s{k}_{ID}\leftarrow$ Extra (mpk, msk, ID). The algorithm is also controlled by the KGC, given msk, mpk, and a user’s identity ID, such as a string. It returns the private key $s{k}_{ID}$ through secure channels.
• Sign: $\sigma \leftarrow$ Sign (mpk, sk, m, ID): The signer uses its private key sk, the identity ID, and the message to be signed m to generate a signature σ on m.
• Verify: $\{0,1\}\leftarrow$ Verify (mpk, ID, m, σ): The algorithm takes the signer’s identity ID, the data m, and a candidate signature σ. If σ is a valid signature, it returns 1. Otherwise, it returns 0.
• MSign: $m\sigma \leftarrow$ MSign (mpk, sk, m, IDSet). The signer with the private sk joins in the multi-signing algorithm, which needs additional parameters, including a message m and an identity set $IDSet=\{I{D}_1,I{D}_2,\dots ,I{D}_n\}$ containing all the identities of the signers. After several rounds of interactive communication, MSign generates a multi-signature mσ.
• MVerify: $\{0,1\}\leftarrow$ MVerify (mpk, IDSet, m, mσ). The algorithm returns 1 if mσ is a valid multi-signature on the message m by authenticating the signers in IDSet.

Correctness. When all of the participating signers honestly and correctly execute the algorithm MSign using the private keys, derived from the algorithm Extra, each of the signers will end the algorithm by obtaining a local multi-signature $m\sigma$ such that

$$\mathbf{MVerify}(IDSet,m,m\sigma ,mpk)=1$$

where all $mpk$ and $msk$ are generated by the algorithm Setup and $IDSet$ includes n identities $I{D}_1,I{D}_2,\dots ,I{D}_n$ for any messages $m\in {\{0,1\}}^{*}$.

3.2. Security Model

This considers an extreme case: the adversary $\mathcal{A}$ compromising the $n-1$ participants and leaving only one honest user, denoted $signe{r}_1$. The $signe{r}_1$ user is controlled by the challenger $\mathcal{C}$. When the game starts, $\mathcal{C}$ gives $\mathcal{A}$ the honest identity of $signe{r}_1$ and allows $\mathcal{A}$ to compromise the other signers’ private keys. It also assume that a secure channel between the signers is not guaranteed. All of the communication among the signers can be eavesdropped upon. $\mathcal{C}$ provides $\mathcal{A}$ a hash oracle, a key extraction oracle and a multi-sign oracle. $\mathcal{A}$’s final target is to successfully forge a multi-signature.

Definition 2.

Considering the games between $\mathcal{A}$ and $\mathcal{C}$.

• Setup: $\mathcal{C}$ executes the algorithm to generate the master public keys mpk and sends mpk to $\mathcal{A}$.
• Query: : $\mathcal{A}$ is allowed to query to $\mathcal{C}$ in an adaptive way.

  -

  Extraction-query (mpk, ID). $\mathcal{C}$ executes Extra to obtain $s{k}_{ID}$ and sends to $\mathcal{A}$ when $\mathcal{A}$ asks for the private key of $signe{r}_{ID}$.

  -

  Multi-signature query (mpk, m, IDSet) $\mathcal{C}$ obtains a multi-signature $m\sigma$ and sends to $\mathcal{A}$ when $\mathcal{A}$ asks for the multi-signature $m\sigma$ on m and $IDSet$.

  -

  Hash-query. $\mathcal{C}$ chooses the returned values by itself and sends to $\mathcal{A}$ when $\mathcal{A}$ asks.

• Forgery. $\mathcal{A}$ makes a multi-signature as a forgery, that is, $m{\sigma }^{*}$ on $m^{*}$ for $IDSe{t}^{*}$, which contains at least one uncompromised user’s identity; meanwhile, $\mathcal{A}$ never sends $(mpk,IDSe{t}^{*},m^{*})$ to the multi-signature query.

Definition 3 (Attack Goals).

The advantage $Ad{v}_{\mathcal{A}}^{\mathit{IBMS}}$ in breaking the $\mathit{KG}\left(k\right)$ problems is defined as

$$\begin{array}{c}\hfill Ad{v}_{\mathcal{A}}^{\mathit{IBMS}}\left(k\right)=Pr\left[x^{3^{\ell }}\equiv y\left(\mathrm{mod}N\right)\left|\begin{array}{c}(N,p,q)\leftarrow \mathit{KG}\left(k\right)\\ y\leftarrow {\mathbb{Z}}_N^{*}\\ x\leftarrow \mathcal{A}(N,\ell ,y)\end{array}\right.\right]\end{array}$$

Definition 4 (Unforgeability).

An adversary $\mathcal{A}$$(t,q_H,q_E,q_S,n,ϵ)$ breaks the scheme if $\mathcal{A}$ executes for a time of t at most, and makes at most $q_H$ hash queries, $q_E$ extraction queries, and $q_S$ multi-signature queries with n participants, and $Ad{v}_{\mathcal{A}}$ is at least ϵ. An IBMS scheme $(t,q_E,q_S,q_H,n,ϵ)$ has unforgeability if there exists no attacker $\mathcal{A}$$(t,q_H,q_E,q_S,n,ϵ)$ that breaks it.

4. Concrete Construction of IBMS^CR-1

4.1. Construction

Inspired by the previous work [6,22,23], we propose a concrete identity-based multi-signature scheme (IBMS^CR−1) with three-round interactive communications among the marine sensors and the generation of a single multi-signature as an authenticated tag.

• Setup $(k,\ell )$: The key generator center inputs security parameters k and ℓ, and then:
  • Chooses two random primes p and q, such that $p\equiv q\equiv 1(mod3)$ and $(p-1)(q-1)/9\equiv -1(mod3)$. Without loss of generality, we assume that $(p-1)/3\equiv -1(mod3)$, $(q-1)/3\equiv 1(mod3)$.
  • Chooses two random primes ${\pi }_1$ and ${\pi }_2$ from the Eisenstein ring $\mathbb{Z}\left[\omega \right]$, s.t. the norms satisfy $N\left({\pi }_1\right)=p$ and $N\left({\pi }_2\right)=q$.
  • Computes $N=p\ast q$. We let $A+B\omega ={\pi }_1{\pi }_2$, $A,B\in \mathbb{Z}$, and then compute $C=-A{B}^{-1}(modN)$. Note that ${\left(\frac{C}{p}\right)}_3={\omega }^2$, and ${\left(\frac{C}{q}\right)}_3=\omega$.
  • Chooses a random number $a\in {\mathbb{Z}}_N^{*}$ such that ${\left(\frac{a}{N}\right)}_3=\omega$.
  • Computes $d=\frac{1}{3}[\frac{1}{9}(p-1)(q-1)+1]$.
  • Selects three hash functions $h_1(·)$, $h_2(·)$, and $h_3(·)$ such that $h_1(·):{\{0,1\}}^{*}\to {\mathbb{Z}}_N^{*}$, $h_2$ and $h_3(·):{\{0,1\}}^{*}\to {\{0,1\}}^{\ell }$.

As a result of the step Setup, the master secret key is $msk=(p,q,d)$, which is securely stored, and the public parameter is $mpk=(N,h_1,h_2,h_3,a,C,\ell )$.

• Extra (mpk, msk, ID): KGC inputs the identity $ID$, computes the hash value of $ID$ as $h_1\left(ID\right)$ and obtains a first symbol $c_{ID,1}$ such that

  $$c_{ID,1}=\left\{\begin{array}{cc}0,\hfill & \mathrm{if}{\left(\frac{h_1\left(ID\right)}{N}\right)}_3=1\hfill \\ 1,\hfill & \mathrm{if}{\left(\frac{h_1\left(ID\right)}{N}\right)}_3={\omega }^2\hfill \\ 2,\hfill & \mathrm{if}{\left(\frac{h_1\left(ID\right)}{N}\right)}_3=\omega \hfill \end{array}\right.$$

  We let $h=a^{c_{ID,1}}·h_1\left(ID\right)$ and we have ${\left(\frac{h}{N}\right)}_3=1$. Following this, KGC computes a second symbol $c_{ID,2}$ such that

  $$c_{ID,2}=\left\{\begin{array}{cc}0,\hfill & \mathrm{if}{\left(\frac{h}{p}\right)}_3={\left(\frac{h}{q}\right)}_3=1\hfill \\ 1,\hfill & \mathrm{if}{\left(\frac{h}{p}\right)}_3=\omega ,{\left(\frac{h}{q}\right)}_3={\omega }^2\hfill \\ 2,\hfill & \mathrm{if}{\left(\frac{h}{p}\right)}_3={\omega }^2,{\left(\frac{h}{q}\right)}_3=\omega \hfill \end{array}\right.$$

  We let $I_{ID}=C^{c_{ID,2}}·a^{c_{ID,1}}·h_1\left(ID\right)$. It is easy to find that $I_{ID}\in {\mathbb{CR}}_N$, as ${\left(\frac{I_{ID}}{p}\right)}_3={\left(\frac{I_{ID}}{q}\right)}_3=1.$ Finally, KGC extracts the private key $s{k}_{ID}$ as a $3^{\ell }$-th root of $I_{ID}$:

  $$s{k}_{ID}\equiv I_{ID}^{d^{\ell }}(modN)$$

  (1)

  KGC sends $s{k}_{ID}$ as well as ($c_{ID,1},c_{ID,2}$) to signer ${}_{ID}$ secretly. Note that $I_{ID}\equiv s{k}_{ID}^{3^{\ell }}(modN)$. Following this, we denote $\widetilde{ID}=\{ID,c_{ID,1},c_{ID,2}\}$.
• Sign and verify: These two algorithms can be derived from [23].
• MSign $(mpk,s{k}_1,m,IDSet)$: For simplicity, IBMS^CR−1 is described from the $M{S}_1$’s point of view. Given the $M{S}_1$’s private key $s{k}_1$, the message m and the identity set $IDSet=\{\widetilde{I{D}_1},\widetilde{I{D}_2},\dots ,\widetilde{I{D}_n}\}$, $M{S}_1$ executes the following algorithm from Algorithm 1. MSign generates $m\sigma =(w,u)$ as the multi-signature.
• MVerify (mpk, IDSet, m, mσ). The algorithm verifies by the following three steps.

  (1)

  For $i=1,2,\dots ,n$, it computes $I_i\equiv C^{c_{I{D}_i,2}}·a^{c_{I{D}_i,1}}·h_1\left(I{D}_i\right)(modN)$.

  (2)

  It computes $\widehat{R}\equiv u^{3^{\ell }}{\left({\prod }_{i=1}^n{I}_i\right)}^{-w}(modN)$.

  (3)

  It checks whether

  $$w=h_3(\widehat{R}\parallel IDSet\parallel m)$$

  (2)

  is satisfied. If Equation (2) is satisfied, MVerify returns 1. This means $m\sigma$ is valid. Otherwise MVerify returns 0.

4.2. Correctness

The correctness follows:

$$u^{3^{\ell }}\equiv \prod _{i=1}^n{u}_i^{3^{\ell }}\equiv \prod _{i=1}^n{r}_i^{3^{\ell }}s{k}_i^{w{3}^{\ell }}\equiv \prod _{i=1}^n{R}_i{I}_i^{{\left(3d\right)}^{\ell }w}\equiv R\prod _{i=1}^n{I}_i^w(modN)$$

We have $\widehat{R}\equiv R\equiv u^{3^{\ell }}{\prod }_{i=1}^n{I}_i^{-w}(modN)$.

Algorithm 1: The MSign Algorithm in IBMS CR−1.

Input: the master public key $mpk$, the private key $sk$, the identity set $IDSet$, the message to be signed m;  Output: a multi-signature $m\sigma$.   1. Each $M{S}_i$ randomly selects $r_i\in {\mathbb{Z}}_N^{*}$ and computes $R_i\equiv r_i^{3^{\ell }}(modN)$ and $t_i=h_2\left(R_i\right)$.   2. $M{S}_i$ only broadcasts $t_i$ to other signers $M{S}_j$ ($j\ne i$) in $IDSet$ and keeps $R_i$ temporarily.   3. After receiving $t_i$ from $M{S}_i$ ($2\le i\le n$), $M{S}_1$ then broadcasts $R_1$ to other $M{S}_i$.   4. After receiving $R_i$ from $M{R}_i$, $M{S}_1$ checks whether $t_i=h_2\left(R_i\right)$ for $2\le i\le n$ is satisfied.   5. If one of these fails, the algorithm stops, which means the attackers have mixed invalid partial signatures. Otherwise, $M{S}_1$ sets $R\equiv {\prod }_{i=1}^n{R}_i(modN)$, $w=h_3(R\parallel IDSet\parallel m)$, and $u_1\equiv r_1·s{k}_1^w(modN)$.   6. $M{S}_1$ broadcasts $u_1$ to other $M{S}_i$.   7. After receiving $u_i$ from $M{S}_i$, $M{S}_1$ aggregates these by $u\equiv {\prod }_{i=1}^n{u}_i(modN)$.   8. Each $M{S}_i$ locally generates a multi-signature $m\sigma =(w,u)$.  Return $m\sigma$;

4.3. Security Proof

IBMS^CR−1 is provably secure under the factorization in the random oracle model.

Theorem 6.

If the factorization problem is $(t^{\prime },{ϵ}^{\prime })$-hard, IBMS^CR−1 is $(t,q_E,q_H,q_S,n,ϵ)$-secure against existential forgery attackers under the adaptively chosen message attack and chosen identity attack. We have estimates for $t^{\prime }$ and ${ϵ}^{\prime }$ as follows:

$${ϵ}^{\prime }⩾\frac{2{ϵ}^2}{3(q_H+1)}-\left(\frac{2n{q}_S{q}_H+n^2{q}_S^2+q_H^2}{2^{{\ell }_R}·(q_H+1)}+\frac{n{q}_S}{2^{{\ell }_0-1}}\right)ϵ-\frac{1}{3·2^{\ell -1}}$$

(3)

Proof. 

We assume $\mathcal{C}$ is given a factorization instance N for a product of unknown p and q, and obtain the result of p or q with a non-negligible probability. $\mathcal{C}$ plays with $\mathcal{A}$ as follows.

Firstly, $\mathcal{C}$ selects $a\in {\mathbb{Z}}_N^{*}$, such as a non-cubic residue and a secure parameter $\ell ⩾160$ (the length of ℓ has been discussed and suggested in [22]), and sends $(N,a,\ell )$ to $\mathcal{A}$ as $mpk$. $\mathcal{C}$ manages several lists: one signature list and three hash lists.

Then, $\mathcal{C}$ starts to answer according to $\mathcal{A}$’s queries, as follows.

• $h_1$-Query $\left(ID\right)$: $\mathcal{C}$ manages a list $(ID,h_1,s,c_{ID,1},c_{ID,2})$. When $\mathcal{A}$ requests the identity $ID$, $\mathcal{C}$ answers as $h_1$. $(c_{ID,1},c_{ID,2})\in {\{0,1\}}^2$ in two bits and $s\in {\mathbb{Z}}_N^{*}$ is used as a secret key. When $\mathcal{A}$ asks on $ID$, $\mathcal{C}$ answers $h_1$ if $ID$ has existed in the $h_1$-list. Otherwise, $\mathcal{C}$ randomly selects $s\in {\mathbb{Z}}_N^{*}$ and $(c_{ID,1},c_{ID,2})\in {\{0,1\}}^2$, calculates

  $$h_1\equiv \frac{s^{3^{\ell }}}{{(-1)}^{c_{ID,2}}·{\left(a\right)}^{c_{ID,1}}}(modN)$$

  (4)

  and returns the answer $h_1$ to $\mathcal{A}$, adding $(ID,h_1,s,c_{ID,1},c_{ID,2})$ to the $h_1$-list.
• $h_2$-Query $\left(R\right)$: $\mathcal{C}$ manages a list $(R,h_2)$. When $\mathcal{A}$ asks on R, $\mathcal{C}$ answers $h_2$ if R has existed in the $h_2$-list. Otherwise, $\mathcal{C}$ randomly selects $h_2\in {\{0,1\}}^{{\ell }_0}$, adds $(R,h_2)$ into the $h_2$-list and returns $h_2$.
• $h_3$-Query $(R,m,IDSet)$: $\mathcal{C}$ manages a list $(R,m,IDSet,h_3)$. When $\mathcal{A}$ asks on $(R,m,IDSet)$, $\mathcal{C}$ returns $h_3$ if $(R,m,IDSet)$ has existed in the $h_3$-list. Otherwise, $\mathcal{C}$ randomly selects $h_3\in {\mathbb{Z}}_N^{*}$, returns $h_3$, and adds $(R,m,IDSet,h_3)$ to the $h_3$-list.
• Extraction query $\left(ID\right)$: $\mathcal{C}$ executes an additional $h_1$-query if $ID$ does not yet exist in the $h_1$-list and returns s and $(c_{ID,1},c_{ID,2})$.
• Multi-signature queries: $\mathcal{C}$ checks in the $h_1$-list for whether $I{D}_1$ exists. If $I{D}_1$ is already in the $h_1$-list, $\mathcal{C}$ has obtained the private key of $signe{r}_1$ and simulates the game as the real algorithm MSign $(s{k}_1,IDSet,m)$ using the secret key $s{k}_1=s_1$. Otherwise, $\mathcal{C}$ does not have the private key of $signe{r}_1$ and executes the following steps:

  -

  $\mathcal{C}$ plays as $signe{r}_1$, and randomly chooses $t_1\leftarrow {\{0,1\}}^{{\ell }_0}$, broadcasting $t_1$ to other signers. $\mathcal{C}$ also waits to receive $t_2,t_3,\cdots ,t_n$ from others; it randomly selects $w\leftarrow {\{0,1\}}^{\ell }$ and $u_1\leftarrow {\mathbb{Z}}_N^{*}$, and calculates

  $$R_1=u_1^{3^{\ell }}{\left({(-1)}^{c_{I{D}_1,2}}·a^{c_{I{D}_1,1}}·h_1\left(I{D}_1\right)\right)}^{-w}$$

  (5)

  If $R_1$ already exists in the $h_2$-list, $\mathcal{C}$ stops. Otherwise, $\mathcal{C}$ sets $(R_1,t_1)$ in the $h_2$-list. $\mathcal{C}$ looks up $R_i$ such that $(R_i,t_i)$ where $2⩽i⩽n$. If for some i the record is found, $\mathcal{C}$ also stops. Otherwise, $\mathcal{C}$ calculates $R={\prod }_{i=1}^n{R}_i(modN)$ and sets $h_3(R\parallel S\parallel m)=w$, or stops if the entry has already existed.

  -

  $\mathcal{C}$ sends $R_1$ to other signers. After receiving $R_2^{\prime },\cdots ,R_n^{\prime }$ from the signers, $\mathcal{C}$ verifies that $h_2\left(R_i^{\prime }\right)\stackrel{?}{=}{t}_i$. $\mathcal{C}$ ends up with the protocol if one of these does not satisfy this, which means $\mathcal{A}$ has to guess the results of the hash value. If $R_i\ne R_i^{\prime }$ for some i, $\mathcal{C}$ stops. $\mathcal{C}$ sends $u_i$ to the signers, receives $u_2,u_3,\cdots ,u_n$, and calculates $u={\prod }_{i=1}^n{u}_i(modN)$. Finally, $\mathcal{C}$ sends $m\sigma =(w,u)$ to $\mathcal{A}$.

At the end of the game, $\mathcal{A}$ generates a multi-signature $m{\sigma }^{*}=(w^{*},u^{*})$ on message $m^{*}$. $\mathcal{C}$ calculates

$$\begin{array}{c}\hfill R^{*}\leftarrow {\left(u^{*}\right)}^{3^{\ell }}\prod _{i=1}^n{\left({(-1)}^{c_{I{D}_i^{*},2}}{a}^{c_{I{D}_i^{*},1}}{h}_1\left(I{D}_i^{*}\right)\right)}^{-w^{*}}\end{array}$$

(6)

and makes an additional query $h_3(R^{*}\parallel IDSe{t}^{*}\parallel m^{*})$. We let $U\subseteq IDSe{t}^{*}=\{I{D}_1^{*},I{D}_2^{*},\dots ,I{D}_n^{*}\}$ denote the honest IDSet, that is, $\mathcal{A}$ never compromised. If $\mathcal{A}$ succeeded in forgery, that is,

• MVerify $(mpk,IDSe{t}^{*},m^{*},{\sigma }^{*})=1$
• $U\ne \varnothing$
• $\mathcal{A}$ has never queried $(IDSe{t}^{*},m^{*})$ to the signature oracle then $\mathcal{C}$ checks the $h_1$-list. If the multi-signature is valid, we can obtain

  $$\begin{array}{ccc}\hfill u{{}^{*}}^{3^{\ell }}& \equiv & R^{*}\prod _{i=1}^n{\left({(-1)}^{c_{I{D}_i,2}}{a}^{c_{I{D}_i,1}}{h}_1\left(I{D}_i^{*}\right)\right)}^{w^{*}}\hfill \\ & \equiv & R^{*}\prod _{i=1}^n{s_i^{*}}^{3^{\ell }{w}^{*}}(modN)\hfill \end{array}$$

  (7)

We let $s^{*}\leftarrow {\prod }_{i=1}^n{\left(s_i^{*}\right)}^{3^{\ell }}(modN)$ and produce $(s^{*},{\sigma }^{*})$.

To factor N by applying the rewinding technique, $\mathcal{C}$ plays with $\mathcal{A}$ once again using the random tapes, which are the same as for the first time. Because $\mathcal{C}$ previously recorded the transcripts, $\mathcal{C}$ obtains the same results for $\mathcal{A}$’s queries.

When $\mathcal{A}$ queries for $h_3$, $\mathcal{C}$ randomly selects an alternative answer $w^{\prime }$ instead of w, as, in the second run, the $h_1$- and $h_2$-query are equal to those of the first round.

$\mathcal{C}$ generates $(s,m\sigma )$ and $(s^{\prime },m{\sigma }^{\prime })$ such that

$$u^{3^{\ell }}\equiv R{s}^{w}and{u}^{\prime 3^{\ell }}\equiv R^{\prime }{s}^{\prime w^{\prime }}$$

By $R=R^{\prime }$, $m=m^{\prime }$ and $s=s^{\prime }$, we have

$$\begin{array}{c}\hfill {\left(\frac{u}{u^{\prime }}\right)}^{3^{\ell }}\equiv s^{(w-w^{\prime })}(modN)\end{array}$$

(8)

Because $w\ne w^{\prime }\in {\{0,1\}}^{{\ell }_0}$ and ${\ell }_0<\ell$, we can obtain $|w-w^{\prime }|<3^{\ell }$. According to Theorem 2, $\mathcal{C}$ can calculate a cubic root $\tilde{s}$ where ${\tilde{s}}^3=s$. Meanwhile, $\mathcal{C}$ checks the $h_1$-list to search for an entry in which $I{D}_i\in IDSet$ and calculates $\overline{s}={\prod }_{i\in IDSet}{s}_i^{3^{\ell -1}}$.

Therefore, ${\tilde{s}}^3\equiv {\overline{s}}^3\equiv s(modN)$. If $\overline{s}\ne \tilde{s}(modN)$, N can be factored by Theorem 1. Otherwise, $\mathcal{C}$ cannot factor N. The probability that $\tilde{s}\ne \overline{s}(modN)$ is 2/3.

Finally, we calculate the probability that $\mathcal{C}$ returns a valid result. Because most of the simulation game is similar to in [6], we set ${ϵ}^{\prime }$, $ϵ$ and ${ϵ}^{*}$ as the probability to factor N by $\mathcal{C}$, the probability to forge a multi-signature in practice by $\mathcal{A}$ and the probability to succeed in the first run before the rewinding technique by $\mathcal{A}$, respectively.

We have

$${ϵ}^{*}⩾ϵ-\frac{q_S(q_H+n{q}_S)}{2^{{\ell }_N}}-\frac{{(q_H+n{q}_S)}^2}{2^{{\ell }_N+1}}-\frac{2q_S(q_H+q_S)}{2^{{\ell }_N}}-\frac{n{q}_S}{2^{{\ell }_0}}$$

(9)

Furthermore, according to the forking lemma [32], we can easily obtain

$$frk⩾{ϵ}^{*}\left(\frac{{ϵ}^{*}}{q_H}-\frac{1}{2^{\ell }}\right)⩾\frac{{{ϵ}^{*}}^2}{q_H+1}-\frac{1}{2^{\ell }}$$

(10)

The probability that $\mathcal{C}$ succeeds to factor N is

$$\begin{array}{ccc}\hfill {ϵ}^{\prime }& ⩾& \frac{2}{3}·frk⩾\frac{2{{ϵ}^{*}}^2}{3(q_H+1)}-\frac{1}{3·2^{\ell -1}}\hfill \\ & ⩾& \frac{2{ϵ}^2}{3(q_H+1)}-\left(\frac{2n{q}_S{q}_H+n^2{q}_S^2+q_H^2}{2^{{\ell }_R}·(q_H+1)}+\frac{n{q}_S}{2^{{\ell }_0-1}}\right)ϵ-\frac{1}{3·2^{\ell -1}}\hfill \end{array}$$

(11)

☐

5. Concrete Construction of IBMS^CR−2

Inspired by the related work [24,26,29], we give a more efficient IBMS construction (named IBMS^CR−2), whose computational overhead in MSign and MVerify is much lower than for those in IBMS^CR−1.

5.1. Construction

• Setup $(k,\ell )$: Given the security parameters, Setup can be executed as follows.

  (1)

  KGC chooses random primes p and q where $p\equiv 2(mod3)$ and $q\equiv 4$ or $7(mod9)$, and calculates the product $N=p·q$.

  (2)

  A non-cubic residue a is selected such that $\left(\frac{a}{q}\right)=-1$.

  (3)

  Several computational parameters are computed:

  $$\begin{array}{ccc}\eta \hfill & =\hfill & [q-1(mod9\left)\right]/3\hfill \\ \lambda \hfill & =\hfill & \eta (mod2)+1\hfill \\ \beta \hfill & =\hfill & (q-1)/3\hfill \\ \xi \hfill & =\hfill & a^{\eta \beta }(modq)\hfill \end{array}$$

  (4)

  Three hash functions $h_1,h_2$ and $h_3$ are picked up, where $h_1$:${\{0,1\}}^{*}\to Z_N^{*}$, $h_2,h_3$:${\{0,1\}}^{*}\to {\{0,1\}}^{\ell }$.

Finally, the algorithm Setup outputs $msk=(p,q,\beta )$ and $mpk=(N,h_1,h_2,h_3,a,\eta ,\lambda )$. KGC keeps $msk$ secretly.

• Extra $(mpk,msk,ID$): KGC computes $sk$ as follows:

  (1)

  KGC computes $\omega =h_1{\left(ID\right)}^{\lambda \beta }(modq)$ and set sa symbol $c_{ID}$ according to $\omega$ and $\xi$:

  $$c_{ID}=\left\{\begin{array}{cc}0,\hfill & \mathrm{if}\omega =1\hfill \\ 1,\hfill & \mathrm{if}\omega =\xi \hfill \\ 2,\hfill & \mathrm{if}\omega ={\xi }^2\hfill \end{array}\right.$$

  KGC denotes $I=a^{c_{ID}}·h_1\left(ID\right)(modN)$.

  (2)

  KGC calculates

  $$sk=I^{\frac{2^{\eta }(p-1)(q-1)-3}{9}}(modN)$$

  (12)

  and securely distributes $sk$ to the signer. We have $s{k}_i^3·I_i\equiv 1(modN)$. Following this, we denote the identity by $\widetilde{I{D}_i}=\{I{D}_i,c_{I{D}_i}\}$.

• Sign and verify: These two algorithms can be derived from [29].
• MSign $(mpk,s{k}_1,m,IDSet)$: Given the $M{S}_1$’s private key $s{k}_1$, the message m and the identity set $IDSet=\{\widetilde{I{D}_1},\widetilde{I{D}_2},...,\widetilde{I{D}_n}\}$, $M{S}_1$ executes the following algorithm in Algorithm 2. MSign generates the multi-signature $m\sigma =(w,u)$.
• MVerify $(mpk,IDSet,m,m\sigma )$. The algorithm verifies by the following three steps:

  (1)

  For $i=1,2,...,n$, it computes $I_i=a^{c_{I{D}_i}}·h_1(I{D}_i)$.

  (2)

  It computes $\widehat{R}=u^3·{\left({\prod }_{i=1}^n{I}_i\right)}^w(modN)$.

  (3)

  It checks whether

  $$w=h_3(\widehat{R}\parallel IDSet\parallel m)$$

  (13)

  is satisfied. If Equation (13) is satisfied, MVerify returns 1. This means $m\sigma$ is valid. Otherwise MVerify returns 0.

Algorithm 2: The MSign algorithm in IBMSCR−2.

Input: the master public key $mpk$, the private key $sk$, the identity set $IDSet$, the message to be signed m;  Output: a multi-signature $m\sigma$.   1. Each $M{S}_i$ randomly selects $r_i\in {\mathbb{Z}}_N^{*}$ and calculates $R_i=r_i^3(modN)$ and $t_i=h_2(R_i)$.   2. Each $M{S}_i$ broadcasts $t_i$ to co-signers $M{S}_j$ ($j\ne i$).   3. After obtaining $t_i$ from $M{S}_i$, $M{S}_1$ broadcasts $R_1$ to other $M{S}_i$.   4. After receiving $R_i$ from other signers, $M{S}_1$ checks whether $t_i=h_2(R_i)$ for $2⩽i⩽n$ is satisfied.   5. If one of these fails, the algorithm stops, which means the attackers have mixed invalid partial signatures. Otherwise, $M{S}_1$ sets $R={\prod }_{i=1}^n{R}_i(modN)$, $w=h_3(R\parallel IDSet\parallel m)$, and $u_1=r_1·s{k}_1^w(modN)$.   6. $S_1$ broadcasts $u_1$ to other $M{S}_i$.   7. After receiving $u_i$ from $M{S}_i$, $M{S}_1$ aggregates these by $u={\prod }_{i=1}^n{u}_i(modN)$.   8. Each $M{S}_i$ locally generates a multi-signature $m\sigma =(w,u)$.  Return $m\sigma$;

5.2. Correctness

The correctness is as follows:

$$u^3·\prod _{i=1}^n{I}_i^w\equiv \prod _{i=1}^n{u}_i^3{I}_i^w\equiv \prod _{i=1}^n{r}_i^3·{(s{k}_i^3·I_i)}^w\equiv \prod _{i=1}^n{R}_i\equiv R(modN)$$

5.3. Security Proof

IBMS^CR−2 is secure under the factorization in the random oracle model.

Theorem 7.

If integer factorization is $(t^{\prime },{ϵ}^{\prime })$-hard, our IBMS^CR−2 scheme is $(t,q_H,q_E,q_S,n,ϵ)$-secure against existential forgery in the random oracle model.

Because most of the simulation game between $\mathcal{A}$ and $\mathcal{C}$ is the same, we give the security proof simply.

Proof. 

When it is given an integer factorization instance N, $\mathcal{C}$ returns p or q if $\mathcal{A}$ succeeds in forging a multi-signature.

$\mathcal{C}$ sends $mpk=\{N,h_1,h_2,h_3,a,\eta ,\lambda \}$ to $\mathcal{A}$. $\mathcal{C}$ maintains several lists ($lis{t}_{h_1}$, $lis{t}_{h_2}$, $lis{t}_{h_3}$, $lis{t}_S$).

• $h_1$-Query. $\mathcal{C}$ manages a list $(ID,c,h_1,s)$. $\mathcal{C}$ sends $h_1$ to $\mathcal{A}$ if $ID$ exists when $\mathcal{A}$ queries the hash value of $ID$. Otherwise, $\mathcal{C}$ randomly selects $s\in {\mathbb{Z}}_N^{*}$ and $c\in \{0,1,2\}$, sets $h_1\equiv s^3/a^c(modN)$, returns $h_1$, and adds $(ID,c,h_1,s)$ to $lis{t}_{h_1}$.
• The $h_2$-query, $h_3$-query and extraction query are similar to IBMS^CR−1.
• The multi-signature query is similar to IBMS^CR−1, except that Equation (5) changes to

  $$R_1=u_1^3\prod _{i=1}^n{\left(a^{c_{I{D}_i}}·h_1(I{D}_1)\right)}^{-w^{*}}$$

  (14)

At the end of the game, $\mathcal{A}$ forges $m{\sigma }^{*}=(w^{*},u^{*})$ with $IDSe{t}^{*}$ on $m^{*}$. $\mathcal{C}$ calculates

$$R^{*}\leftarrow {(u^{*})}^3\prod _{i=1}^n{\left(a^{c_{I{D}_i^{*}}}·h_1(I{D}_i^{*})\right)}^{-w^{*}}$$

(15)

and queries $h_3(R^{*}\parallel IDSe{t}^{*}\parallel m^{*})$ to the hash oracle. If the forgery is valid, we obtain that

$$u{{}^{*}}^3\equiv R^{*}\prod _{i=1}^n{\left(a^{c_{I{D}_i^{*}}}·h_1(I{D}_i^{*})\right)}^{w^{*}}\equiv R^{*}\prod _{i=1}^n{\left({s_i^{*}}^3\right)}^{w^{*}}\equiv R^{*}{s^{*}}^{w^{*}}(modN)$$

(16)

because $s^{*}\leftarrow {\prod }_{i=1}^n{(s_i^{*})}^3(modN)$. $\mathcal{C}$ returns $(s^{*},w^{*},u^{*})$.

We also apply the rewinding technique to factor N. At last, $\mathcal{C}$ obtains $(s,w,u)$ and $(s^{\prime },w^{\prime },u^{\prime })$ such that

$$u^3\equiv R{s}^{w}and{u}^{\prime 3}\equiv R^{\prime }{s}^{\prime w^{\prime }}$$

(17)

Because $R=R^{\prime }$, $m=m^{\prime }$, and $s=s^{\prime }$, we have

$$\begin{array}{c}\hfill {\left(\frac{u}{u^{\prime }}\right)}^3\equiv s^{(w-w^{\prime })}(modN)\end{array}$$

(18)

Because $w\ne w^{\prime }$, two cases emerge:

• If $w-w^{\prime }\equiv 1(mod3)$, we denote $w-w^{\prime }=3k+1$ for an integer k. Therefore, $s\equiv {\left(\frac{u}{u^{\prime }·s^k}\right)}^3$, that is, $\tilde{s}=\frac{u}{u^{\prime }·s^k}$ satisfies ${\tilde{s}}^3\equiv s(modN)$.
• If $w-w^{\prime }\equiv -1(mod3)$, we denote $w-w^{\prime }=3k-1$ for an integer k. Therefore, $s\equiv {(\frac{u·s^k}{u^{\prime }})}^3$, that is, $\tilde{s}=\frac{u·s^k}{u^{\prime }}$ satisfies ${\tilde{s}}^3\equiv s(modN)$.

From the discussion above, $\mathcal{C}$ calculates a cubic root $\tilde{s}$ where ${\tilde{s}}^3=s$. Meanwhile $\mathcal{C}$ searches the entries in the $h_1$-list where $I{D}_i\in IDSet$ and calculates $\overline{s}={\prod }_{i\in IDSet}{s}_i^3$. Therefore, we have ${\tilde{s}}^3\equiv {\overline{s}}^3\equiv s(modN)$. If $\overline{s}\ne \tilde{s}(modN)$, we can factor N by Theorem 1 with a probability that $\tilde{s}\ne \overline{s}(modN)$ of 2/3.

Thus, we have finished the proof. ☐

6. Performance Comparisons

The comparison of security assumptions for related works are given in

Table 1. The comparison of related work on the security assumptions.

Schemes	The Underlying Mathematical Assumptions
[15]	Computational Diffie-Hellman (CDH)
[19]	Discrete Logarithm (DL)
[20]	RSA
[6]	Quadratic Residues
IBMSCR-1	Cubic Residues
IBMSCR-2	Cubic Residues

. These schemes are provably secure on the basis of different hardness assumptions (such as CDH, DL, RSA, quadratic residues, and cubic residues). The aim of these schemes is to find new constructions under simpler hardness assumptions.

We denote $M_p$, $H_m$, $O_p$ and $E_n$ as the operation of scalar multiplication, map-to-point hash function, bilinear pairing, and modular exponentiation, respectively. We ran each of the above operations in a personal computer and used their times from [33] to calculate the total computational cost in the running time (milliseconds), as shown in the columns of

Table 2. The comparison of related work of IBMS on the computational performance.

Schemes	Extract	Sign	Verify	Total Time	Length
[15]	2$H_m$ + 2$M_p$	1$H_m$ + 4$M_p$	3$O_p$	107.52	2 $\left|g\right|$
[19]	1$E_n$	2$E_n$	2$E_n$	26.55	$\ell +\left|N\right|$
[20]	1$E_n$	2$E_n$	2$E_n$	26.55	$\ell +2\left|N\right|$
[6]	1$E_n$	2$E_n$	2$E_n$	26.55	$\ell +\left|N\right|$
IBMSCR-1	1$E_n$	2$E_n$	2$E_n$	26.55	$\ell +\left|N\right|$
IBMSCR-2	2$E_n$	1$E_n$	1$E_n$	21.24	$\ell +\left|N\right|$

.

We have also compared related works on the basis of the cubic residues for the computational performance evaluation in

Table 3. The comparison of related work on computational performance based on the cubic residues.

Schemes	Underlying Cryptographic Primitive	Sign	Verify	Total Time
[28]	IBMPS	3$E_n$	3$E_n$	6$E_n$
[26]	IBPMS	1$E_n$	3$E_n$	4$E_n$
[29]	IBMPMS	3$E_n$	3$E_n$	6$E_n$
IBMSCR-1	IBMS	2$E_n$	2$E_n$	4$E_n$
IBMSCR-2	IBMS	1$E_n$	1$E_n$	2$E_n$

. For consistency, we used the modular exponentiation times to evaluate the Sign and Verify algorithms.

7. Conclusions

Data authenticated aggregation is always a significant issue for marine WSNs. Most data authenticated aggregation is based on the multi-signature, which relies on the technique of bilinear pairing involving heavy computational overhead or the management of certificates beyond marine wireless sensors. We have constructed two efficient IBMS schemes (IBMS^CR−1 and IBMS^CR−2) based on cubic residues, which are much more suitable for data authenticated aggregation in marine WSNs. Without employing the heavy overload of a bilinear pairing technique, our schemes have been designed efficiently. Our schemes have been proven to be secure under chosen identity attacks and chosen message attacks, relying only on the hardness of the integer factorization assumptions.