PSDAAP: Provably Secure Data Authenticated Aggregation Protocols Using Identity-Based Multi-Signature in Marine WSNs

Data authenticated aggregation is a long-standing problem for wireless sensor networks (WSNs). Marine sensors are deployed far from any security monitoring, so secure data aggregation for marine WSNs has emerged as a topic of interest to researchers and engineers. A multi-signature lets many signers be authenticated on a single message with one signature, which fits data authenticated aggregation in marine WSNs well. However, most previous multi-signature schemes rely either on bilinear pairings, whose computational overhead marine wireless sensors cannot afford, or on the management of certificates. Building on identity-based cryptography, a few pairing-free identity-based multi-signature (IBMS) schemes have been designed on the basis of the integer factorization problem. In this paper, we propose two efficient IBMS schemes that can be used to construct provably secure data authenticated aggregation protocols under the cubic residue assumption, which is equivalent to integer factorization. We also employ two different methods to compute a cubic root of a cubic residue during the signer's private key extraction. The algorithms are efficient compared to previous work, especially multi-signature generation and its verification.


Introduction
In most wireless sensor networks (WSNs), data collection or data aggregation is the central issue of data transmission, both in academia and in industry [1][2][3]. In most marine WSN scenarios, all nearby wireless sensors send their readings, such as temperature, pressure, salinity and the pH value of the monitored ocean environment, to a central node located at a base station or a buoy, as shown in Figure 1. The central node forwards the aggregated data over long-distance networks such as vessel-based or satellite-based networks [4]. However, marine sensors are deployed far from any security monitoring, so secure data aggregation for marine sensor networks has emerged as a topic of interest to researchers and engineers. To mitigate false-data injection by malicious attackers, each central node must authenticate the sensing measurements from the nearby sensors in the ocean observation system [5]. mapping techniques are not suitable for the battery-limited sensors in marine WSNs (denoted as Problem 2).
As a consequence, cryptographic researchers have taken great interest in designing pairing-free identity-based schemes [18]. The first pairing-free IBMS scheme was proposed in [19], with three rounds of interaction and security under the RSA (Rivest, Shamir, Adleman) assumption. Later, an IBMS scheme with improved communication efficiency, needing only two rounds of interaction, was presented in [20], also under the RSA assumption. Yang et al. [21] proposed an improved IBMS scheme that aims to save computational resources and communication bandwidth. Although the RSA assumption is closely related to integer factorization, it has not been proved equivalent to the factorization assumption (denoted as Problem 3).
To satisfy application requirements and to avoid security concerns in cryptography, it is common practice to construct alternative schemes under the weaker assumption of integer factorization. Recently, researchers have focused on constructions proved secure directly from factoring. Chai [22] gave an identity-based signature relying on the quadratic residue assumption. Following this, Wei et al. [6] proposed IBMS schemes from quadratic residues, under weaker assumptions and a strengthened security model, with advantages in computation and transmission overhead. Xing [23] and Wang [24] presented identity-based signature schemes under cubic residue assumptions. Wang proposed several signature variants relying on cubic residues, including an identity-based ring signature [25], an identity-based proxy multi-signature (IBPMS) [26] and a threshold ring signature [27]. Wei [28] considered an identity-based multi-proxy signature (IBMPS) scheme for a cloud-based data authentication protocol. Zhang [29] proposed a secure multi-entity delegated authentication protocol based on an identity-based multi-proxy multi-signature (IBMPMS) for mobile cloud computing. None of these, however, constructs IBMS schemes directly from cubic residues (denoted as Problem 4).
Facing the above problems, this work constructs IBMS schemes relying on the cubic residue assumption, which is equivalent to integer factoring. Our schemes have merits in efficiency, as they rely neither on bilinear pairings nor on large exponentiations, and in security, as we prove them secure under the weaker factoring assumption and hence obtain a stronger guarantee. The contributions of this paper are summarized as follows.

1. We propose two efficient IBMS schemes, denoted IBMS-CR-1 and IBMS-CR-2, which are suitable for data aggregation between the sensors and collectors in marine WSNs.
2. We formally define the security of IBMS and prove IBMS-CR-1 secure under the cubic residue assumption in the random oracle model. The computational cost of IBMS-CR-1 is low, as its exponentiations are powers of three.
3. To further improve efficiency, IBMS-CR-2 has a total computational cost of roughly four-fifths that of IBMS-CR-1 in implementation. We also prove IBMS-CR-2 secure, on the basis of the equivalence between cubic residues and integer factoring, in the random oracle model.
The paper is organized as follows. Section 2 gives the necessary preliminaries, and Section 3 gives the formal definition and the security model. In Sections 4 and 5, we propose the two concrete IBMS schemes, IBMS-CR-1 and IBMS-CR-2, together with their correctness and full security proofs. Section 6 gives the performance comparison, and Section 7 concludes the paper.

Preliminaries
Some fundamental concepts are briefly introduced here to support the construction and the security proofs.

Cubic Residue
We first introduce the definition of a cubic residue. Definition 1 (Cubic residue [23]). For an integer $N \equiv 1 \pmod 3$, $c \in \mathbb{Z}_N^*$ is a cubic residue modulo $N$ if $x^3 \equiv c \pmod N$ for some $x \in \mathbb{Z}_N^*$.
Because the modulus $N$ is the product of two unknown primes $p$ and $q$, it is hard to recover $x$ from a cubic residue $c$; indeed, computing cubic roots modulo $N$ is equivalent to factoring $N$.

Cubic Residue Symbol in Eisenstein Ring
Following [23,30,31], let $\omega$ denote a complex root of $z^2 + z + 1 = 0$, i.e. a primitive cubic root of unity. Then $\omega^2 = -1 - \omega = \bar{\omega}$, where $\bar{\omega}$ is the complex conjugate of $\omega$. The Eisenstein ring is the set $\mathbb{Z}[\omega] = \{a + b\omega \mid a, b \in \mathbb{Z}\}$. The cubic residue symbol is introduced as follows: where $N(p) = p \cdot \bar{p}$ is the norm of $p$.

Some Useful Theorems
Theorem 1 (Factorization Theorem [23]). Let $N = pq$, where $p$ and $q$ are large primes. Let $c$ be a cubic residue modulo $N$, and let $r_1$ and $r_2$ be two cubic roots of $c$ modulo $N$, that is, $r_1^3 \equiv r_2^3 \equiv c \pmod N$ with $r_1 \not\equiv r_2 \pmod N$. Then $N$ can be factored in polynomial time by computing $\gcd(r_1 - r_2, N)$, where $\gcd(x, y)$ is the greatest common divisor of $x$ and $y$.
Theorem 1 is easily verified. If $r_1^3 \equiv r_2^3 \equiv c \pmod N$, then $(r_1 - r_2)(r_1^2 + r_1 r_2 + r_2^2) \equiv 0 \pmod N$, so there is an integer $k$ with $(r_1 - r_2)(r_1^2 + r_1 r_2 + r_2^2) = kpq$. Since $r_1 \not\equiv r_2 \pmod N$, $r_1 - r_2$ is not a multiple of $N$, so it can contribute at most one of the two primes; whenever it contributes exactly one, $\gcd(r_1 - r_2, N)$ is that non-trivial divisor, $p$ or $q$. This is always the case in the parameter setting of Theorem 3 below: for $p \equiv 2 \pmod 3$ cubing is a bijection on $\mathbb{Z}_p^*$, so every cubic root of $c$ is congruent modulo $p$ and two roots that differ modulo $N$ differ exactly modulo $q$. Two cubic roots with $r_1 \equiv r_2 \pmod N$, on the other hand, give no information about the factorization of $N$.
The following theorem shows a solution to compute a 3 -th root of a cubic residue without factoring N.

Theorem 2.
Let ω ≡ 1 (mod 3), > 0, c be a cubic residue modulo N, and X ∈ Z * N satisfy Then we can easily calculate the cubic root y; that is, y 3 ≡ c (mod N).
Because ω ≡ 1 (mod 3), we can write ω = 3 r (3δ + 1); following this, We take the 3 r -th root and obtain Let y = X 3 −r−1 /c δ ; then we have y 3 ≡ c (mod N). Theorem 2 is used in the security proof of IBMS-CR-1. We introduce the following theorem [24,29] on cubic residues, which is used in the security proof of IBMS-CR-2.
Theorem 3 (Cubic residue construction [24,29]). If $p$ and $q$ are two primes with $p \equiv 2 \pmod 3$ and $q \equiv 4$ or $7 \pmod 9$, it is easy to produce a cubic residue modulo $N$. Let $nc$ be a non-cubic residue modulo $q$; for any $h \in \mathbb{Z}_N^*$ we can compute η = (q−1) (mod 9) and construct a cubic residue $C$ modulo $N$; that is,
Theorem 4. Let $p$, $q$, $N$, $C$ and $\eta$ be defined as in Theorem 3; then a cubic root $s$ of $C^{-1}$ can be calculated by

Formal Definition
We assume that there are $n$ distinct signers, named $ID_1, ID_2, \dots, ID_n$, who authenticate a message $m$ by cooperatively generating a multi-signature $m\sigma$. The signer with identity $ID_i$ is denoted signer$_i$.

Theorem 5.
A typical IBMS scheme consists of six algorithms: Setup, Extra, Sign, Verify, MSign and MVerify. We describe them as follows.
• Setup: $(mpk, msk) \leftarrow \mathrm{Setup}(1^k)$. Run by the key generation center (KGC): given the security parameter $k$, it generates the system's master public key $mpk$ and master secret key $msk$.
• Extra: $sk_{ID} \leftarrow \mathrm{Extra}(mpk, msk, ID)$. Also run by the KGC: given $msk$, $mpk$ and a user's identity $ID$ (e.g. a string), it returns the private key $sk_{ID}$ over a secure channel.
• Sign: $\sigma \leftarrow \mathrm{Sign}(mpk, sk, m, ID)$. The signer uses its private key $sk$, its identity $ID$ and the message $m$ to be signed to generate a signature $\sigma$ on $m$.
Correctness. When all participating signers honestly execute MSign with private keys derived from Extra, each signer ends with the same local multi-signature $m\sigma$ such that MVerify accepts it, where $mpk$ and $msk$ are generated by Setup and $IDSet$ contains the $n$ identities $ID_1, ID_2, \dots, ID_n$, for any message $m \in \{0,1\}^*$.

Security Model
We consider the extreme case in which the adversary A compromises $n - 1$ participants, leaving a single honest user, signer$_1$, who is controlled by the challenger C. When the game starts, C gives A the identity of signer$_1$ and lets A obtain the other signers' private keys. We also do not assume a secure channel between the signers: all communication among them can be eavesdropped upon. C provides A with a hash oracle, a key extraction oracle and a multi-sign oracle. A's goal is to forge a multi-signature.

Definition 2.
Consider the following game between A and C.
• Setup: C runs the Setup algorithm to generate the master public key $mpk$ and sends $mpk$ to A.
• Query: A adaptively issues the following queries to C.
 - Extraction query $(mpk, ID)$: when A asks for the private key of signer $ID$, C runs Extra to obtain $sk_{ID}$ and sends it to A.
 - Multi-signature query $(mpk, m, IDSet)$: when A asks for a multi-signature on $m$ under $IDSet$, C obtains $m\sigma$ and sends it to A.
 - Hash query: when A queries a hash value, C chooses the returned value itself and sends it to A.
• Forgery: A outputs a forged multi-signature $m\sigma^*$ on $m^*$ for $IDSet^*$, where $IDSet^*$ contains at least one uncompromised identity and $(mpk, IDSet^*, m^*)$ was never submitted to the multi-signature query.

Definition 3 (Attack Goals). The advantage $Adv^{IBMS}_{A}$ of A in breaking the KG(k) problem is defined as its probability of winning the above game.
Definition 4 (Unforgeability). An adversary A $(t, q_H, q_E, q_S, n, \epsilon)$-breaks the scheme if A runs for time at most $t$, makes at most $q_H$ hash queries, $q_E$ extraction queries and $q_S$ multi-signature queries with $n$ participants, and $Adv_A$ is at least $\epsilon$. An IBMS scheme is $(t, q_E, q_S, q_H, n, \epsilon)$-unforgeable if no adversary A $(t, q_H, q_E, q_S, n, \epsilon)$-breaks it.

Construction
Inspired by previous work [6,22,23], we propose a concrete identity-based multi-signature scheme (IBMS-CR-1) with three rounds of interaction among the marine sensors, producing a single multi-signature as the authentication tag.
• Setup (k, ): The key generator center inputs security parameters k and , and then: 1.

4. Chooses a random number $a \in \mathbb{Z}_N^*$ such that $\left(\frac{a}{N}\right)_3 = \omega$.
As a result of the step Setup, the master secret key is msk = (p, q, d), which is securely stored, and the public parameter is mpk = (N, h 1 , h 2 , h 3 , a, C, ).
• Extra (mpk, msk, ID): The KGC takes the identity $ID$, computes its hash value $h_1(ID)$ and obtains a first symbol $c_{ID,1}$ such that $h = a^{c_{ID,1}} \cdot h_1(ID)$ satisfies $\left(\frac{h}{N}\right)_3 = 1$. Next, the KGC computes a second symbol $c_{ID,2}$ such that $I_{ID} = C^{c_{ID,2}} \cdot a^{c_{ID,1}} \cdot h_1(ID)$ is a cubic residue, $I_{ID} \in CR_N$, which is checked through the symbol $\left(\frac{I_{ID}}{p}\right)_3$. Finally, the KGC extracts the private key $sk_{ID}$ as a 3 -th root of $I_{ID}$ and sends $sk_{ID}$ together with $(c_{ID,1}, c_{ID,2})$ to signer $ID$ over a secure channel. Note that raising $sk_{ID}$ to that power gives back $I_{ID}$ modulo $N$. From here on we write $ID = \{ID, c_{ID,1}, c_{ID,2}\}$.
• Sign and Verify: These two algorithms are derived from [23].
• MVerify: (1) For $i = 1, 2, \dots, n$, it computes the identity value $I_{ID_i}$ from $h_1(ID_i)$ and the public symbols $(c_{ID_i,1}, c_{ID_i,2})$; (2) it checks whether Equation (2) is satisfied. If Equation (2) holds, MVerify returns 1, meaning that $m\sigma$ is valid; otherwise MVerify returns 0.

Correctness
The correctness follows:

Algorithm 1: The MSign algorithm in IBMS-CR-1.
Input: the master public key $mpk$, the private key $sk$, the identity set $IDSet$, the message $m$ to be signed. Output: a multi-signature $m\sigma$.
1. Each $MS_i$ randomly selects $r_i \in \mathbb{Z}_N^*$ and computes $R_i \equiv r_i^3 \pmod N$ and $t_i = h_2(R_i)$.
2. $MS_i$ broadcasts only $t_i$ to the other signers $MS_j$ ($j \neq i$) in $IDSet$ and keeps $R_i$ for now.
3. After receiving $t_i$ from every $MS_i$ ($2 \le i \le n$), $MS_1$ broadcasts $R_1$ to the other $MS_i$.
4. After receiving $R_i$ from each $MS_i$, $MS_1$ checks whether $t_i = h_2(R_i)$ holds for $2 \le i \le n$.
5. If any check fails, the algorithm stops: an attacker has mixed in invalid partial signatures. Otherwise, $MS_1$ sets $R \equiv \prod_{i=1}^{n} R_i \pmod N$, $w = h_3(R \| IDSet \| m)$ and $u_1 \equiv r_1 \cdot sk_1^{w} \pmod N$.
6. $MS_1$ broadcasts $u_1$ to the other $MS_i$.
7. After receiving $u_i$ from each $MS_i$, $MS_1$ aggregates them as $u \equiv \prod_{i=1}^{n} u_i \pmod N$.
8. Each $MS_i$ locally forms the multi-signature $m\sigma = (w, u)$. Return $m\sigma$.

Security Proof
IBMS-CR-1 is provably secure under the factorization assumption in the random oracle model.

Theorem 6.
If the factorization problem is $(t', \epsilon')$-hard, IBMS-CR-1 is $(t, q_E, q_H, q_S, n, \epsilon)$-secure against existential forgery under adaptively chosen message and chosen identity attacks, with $t$ and $\epsilon$ bounded as follows: Proof. We assume C is given a factorization instance $N$, the product of unknown primes $p$ and $q$, and must output $p$ or $q$ with non-negligible probability. C plays the game with A as follows.
First, C selects a non-cubic residue $a \in \mathbb{Z}_N^*$ and a security parameter of 160 (the choice of this length is discussed in [22]), and sends $N$, $a$ and the parameter to A as $mpk$. C maintains several lists: one signature list and three hash lists.
Then, C starts to answer according to A's queries, as follows.
• $h_1$-Query (ID): C maintains an $h_1$-list of tuples $(ID, h_1, s, c_{ID,1}, c_{ID,2})$, where $(c_{ID,1}, c_{ID,2}) \in \{0,1\}^2$ are the two symbol bits and $s \in \mathbb{Z}_N^*$ serves as the private key of $ID$. When A queries $ID$, C returns the recorded $h_1$ if $ID$ is already in the list. Otherwise, C randomly selects $s \in \mathbb{Z}_N^*$ and $(c_{ID,1}, c_{ID,2}) \in \{0,1\}^2$, computes the answer $h_1$ from them so that $s$ is a valid private key for $ID$, returns $h_1$ to A and adds $(ID, h_1, s, c_{ID,1}, c_{ID,2})$ to the $h_1$-list.
• Multi-signature query $(m, S)$ with signer$_1$ honest: C waits to receive $t_2, t_3, \dots, t_n$ from the other signers; it randomly selects a challenge $w$ and $u_1 \leftarrow \mathbb{Z}_N^*$, and computes the matching $R_1$ from them. If $R_1$ already exists in the $h_2$-list, C stops. Otherwise, C records $(R_1, t_1)$ in the $h_2$-list. C then looks up, for $2 \le i \le n$, the $R_i$ with $(R_i, t_i)$ in the $h_2$-list; if for some $i$ no such record exists, C stops (A could only have produced $t_i$ by guessing a hash value). Otherwise, C computes $R = \prod_{i=1}^{n} R_i \pmod N$ and programs $h_3(R \| S \| m) = w$, or stops if that entry already exists. C sends $R_1$ to the other signers. After receiving $R'_2, \dots, R'_n$ from the signers, C verifies that $h_2(R'_i) = t_i$; if one of these checks fails, C ends the protocol, as the real algorithm would. If $R'_i \neq R_i$ for some $i$, C stops. C sends $u_1$ to the signers, receives $u_2, u_3, \dots, u_n$, and computes $u = \prod_{i=1}^{n} u_i \pmod N$. Finally, C sends $m\sigma = (w, u)$ to A.
At the end of the game, A outputs a multi-signature $m\sigma^* = (w^*, u^*)$ on message $m^*$ for $IDSet^*$. C recomputes $R^*$ from it and makes an additional query $h_3(R^* \| IDSet^* \| m^*)$. Let $U \subseteq IDSet^* = \{ID_1^*, ID_2^*, \dots, ID_n^*\}$ denote the honest identities, i.e. those A never compromised. If A succeeded in forging, that is, A never queried $(IDSet^*, m^*)$ to the multi-signature oracle, C consults the $h_1$-list. If the multi-signature is valid, the verification relation between $u^*$, $R^*$ and $w^*$ holds. Let $s^* \leftarrow \prod_{i=1}^{n} (s_i^*)^3 \pmod N$ and output $(s^*, \sigma^*)$. To factor $N$ by the rewinding technique, C runs A once more on the same random tape as in the first run. Because C recorded the transcripts, C gives the same answers to A's queries.
When A queries $h_3$ at the forking point, C randomly selects an alternative answer $w'$ instead of $w$; the $h_1$- and $h_2$-queries of the second run are answered exactly as in the first.
C thus obtains $(s, m\sigma)$ and $(s', m\sigma')$ with $u^3 \equiv R\, s^{w}$ and $u'^3 \equiv R'\, s'^{w'} \p
mod N$. Since $R = R'$, $m = m'$ and $s = s'$, we have $(u/u')^3 \equiv s^{w - w'} \pmod N$. Because $w \neq w'$ and both are bit strings of the bounded length fixed in Setup, $|w - w'|$ is smaller than the power of 3 required by Theorem 2, so C can compute a cubic root $\tilde{s}$ with $\tilde{s}^3 = s$. Meanwhile, C checks the $h_1$-list for the entries with $ID_i \in IDSet$ and computes from the recorded $s_i$ a second value $\hat{s}$ with $\hat{s}^3 \equiv s$. Therefore $\tilde{s}^3 \equiv \hat{s}^3 \equiv s \pmod N$. If $\tilde{s} \not\equiv \hat{s} \pmod N$, $N$ can be factored by Theorem 1; otherwise C cannot factor $N$. The probability that $\tilde{s} \not\equiv \hat{s} \pmod N$ is $2/3$.
Finally, we bound the probability that C returns a valid result. Since most of the simulation is the same as in [6], let $\epsilon'$, $\epsilon$ and $\epsilon^*$ denote the probability that C factors $N$, the probability that A forges a multi-signature in practice, and the probability that A succeeds in the first run before rewinding, respectively. Applying the forking lemma [32], the relation between $\epsilon^*$ and $\epsilon$ follows directly, and the probability $\epsilon'$ that C succeeds in factoring $N$ is obtained from it.

Concrete Construction of IBMS-CR-2
Inspired by related work [24,26,29], we give a more efficient IBMS construction (named IBMS-CR-2), whose computational overhead in MSign and MVerify is much lower than that of IBMS-CR-1.

Construction
• Setup (k, ): Given the security parameters, Setup can be executed as follows.
• Extra (mpk, msk, ID): The KGC computes $sk$ as follows: (1) it computes $\omega = h_1(ID)^{\lambda\beta} \pmod q$ and sets a symbol $c_{ID}$ according to $\omega$ and $\xi$: and securely distributes $sk$ to the signer. We have $sk_i^3 \cdot I_i \equiv 1 \pmod N$. From here on we denote the identity by $ID_i = \{ID_i, c_{ID_i}\}$.
• Sign and Verify: These two algorithms are derived from [29].

Algorithm 2: The MSign algorithm in IBMS-CR-2.
Input: the master public key $mpk$, the private key $sk$, the identity set $IDSet$, the message $m$ to be signed. Output: a multi-signature $m\sigma$.
1. Each $MS_i$ randomly selects $r_i \in \mathbb{Z}_N^*$ and computes $R_i = r_i^3 \pmod N$ and $t_i = h_2(R_i)$.
2. Each $MS_i$ broadcasts $t_i$ to its co-signers $MS_j$ ($j \neq i$).
3. After obtaining $t_i$ from every $MS_i$, $MS_1$ broadcasts $R_1$ to the other $MS_i$.
4. After receiving $R_i$ from the other signers, $MS_1$ checks whether $t_i = h_2(R_i)$ holds for $2 \le i \le n$.
5. If any check fails, the algorithm stops: an attacker has mixed in invalid partial signatures. Otherwise, $MS_1$ sets $R = \prod_{i=1}^{n} R_i \pmod N$, $w = h_3(R \| IDSet \| m)$ and $u_1 = r_1 \cdot sk_1^{w} \pmod N$.
6. $MS_1$ broadcasts $u_1$ to the other $MS_i$.
7. After receiving $u_i$ from each $MS_i$, $MS_1$ aggregates them as $u = \prod_{i=1}^{n} u_i \pmod N$.
8. Each $MS_i$ locally forms the multi-signature $m\sigma = (w, u)$. Return $m\sigma$.
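The following Python simulation, added here as an illustration and not code from the paper, runs the three-round interaction of Algorithms 1 and 2 end to end from $MS_1$'s point of view, using the IBMS-CR-2 key relation $sk_i^3 \cdot I_i \equiv 1 \pmod N$ with $I_i = a^{c_i} \cdot h_1(ID_i)$ and the matching check $u^3 \cdot \prod_i I_i^{w} \equiv R \pmod N$ in MVerify. Everything concrete is assumed: the toy primes $p = 23$ and $q = 43$, the public element $a = 3$, SHA-256-based instantiations of $h_1$, $h_2$ and $h_3$, a 32-bit challenge, and a brute-force cubic root inside the KGC (a real KGC uses $p$ and $q$ as in Theorem 4). The simulation also shows that a co-signer who reveals an $R_i$ different from its commitment $t_i$ is caught in step 4.

```python
import hashlib
import random
from functools import reduce
from math import gcd

# Constructed toy parameters (far too small for real use): p = 2 (mod 3) and
# q = 7 (mod 9) as in Theorem 3; a is a non-cubic residue modulo q, which is
# what lets the KGC turn any h1(ID) into a cubic residue with one of three symbols.
P, Q = 23, 43
N = P * Q                                   # 989
A_PUB = 3
assert pow(A_PUB, (Q - 1) // 3, Q) != 1 and gcd(A_PUB, N) == 1
W_BITS = 32                                 # assumed challenge length for h3


def h1(ident):
    """Hash an identity into Z_N^* (assumed SHA-256 instantiation with a counter)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"h1|{ident}|{ctr}".encode()).digest()
        x = int.from_bytes(digest, "big") % N
        if x and gcd(x, N) == 1:
            return x
        ctr += 1


def h2(R):
    """Commitment hash t_i = h2(R_i), as a hex string."""
    return hashlib.sha256(f"h2|{R}".encode()).hexdigest()


def h3(R, ids, m):
    """Challenge w = h3(R || IDSet || m) as a W_BITS-bit integer."""
    data = f"h3|{R}|{'|'.join(ids)}|{m}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << W_BITS)


def kgc_extract(ident):
    """Extra of IBMS-CR-2: choose the symbol c in {0,1,2} that makes
    I = a^c * h1(ID) a cubic residue, take a cubic root x of I and return
    sk = x^{-1}, so that sk^3 * I = 1 (mod N).  The root is found by brute
    force, which only works for this toy N; a real KGC uses p and q (Theorem 4)."""
    for c in range(3):
        I = pow(A_PUB, c, N) * h1(ident) % N
        x = next((x for x in range(1, N) if pow(x, 3, N) == I), None)
        if x is not None:
            return pow(x, -1, N), c
    raise ValueError("no symbol works: a is not a non-cubic residue modulo q")


def prod_mod(values):
    return reduce(lambda acc, v: acc * v % N, values, 1)


class Signer:
    """One marine sensor MS_i holding an identity-based key from the KGC."""

    def __init__(self, ident, rng):
        self.ident, self.rng = ident, rng
        self.sk, self.c = kgc_extract(ident)

    def public_id(self):
        return (self.ident, self.c)           # the pair a verifier needs

    def round1_commit(self):
        while True:
            self.r = self.rng.randrange(2, N)
            if gcd(self.r, N) == 1:
                break
        self.R = pow(self.r, 3, N)
        return h2(self.R)                     # t_i

    def round2_reveal(self):
        return self.R                         # R_i

    def round3_partial(self, w):
        return self.r * pow(self.sk, w, N) % N   # u_i = r_i * sk_i^w


def msign(signers, m, tamper=None):
    """Algorithm 2 as seen by MS_1.  tamper=i makes signer i reveal 2*R_i
    instead of the R_i it committed to in round 1."""
    ids = [s.ident for s in signers]
    commits = [s.round1_commit() for s in signers]      # round 1: t_i
    reveals = [s.round2_reveal() for s in signers]      # round 2: R_i
    if tamper is not None:
        reveals[tamper] = reveals[tamper] * 2 % N
    if any(h2(R) != t for t, R in zip(commits, reveals)):
        return None                                     # step 5: abort
    R = prod_mod(reveals)
    w = h3(R, ids, m)
    u = prod_mod(s.round3_partial(w) for s in signers)  # round 3: u_i
    return (w, u)


def mverify(public_ids, m, sig):
    """MVerify: since u_i^3 = R_i * I_i^{-w}, R = u^3 * prod I_i^w; recompute
    the challenge from that R and compare it with the w in the signature."""
    w, u = sig
    I = [pow(A_PUB, c, N) * h1(ident) % N for ident, c in public_ids]
    R = pow(u, 3, N) * prod_mod(pow(Ii, w, N) for Ii in I) % N
    return h3(R, [ident for ident, _ in public_ids], m) == w


def demo():
    rng = random.Random(7)
    signers = [Signer(f"buoy-{i}", rng) for i in range(3)]
    pub = [s.public_id() for s in signers]
    m = "temp=12.5;salinity=35.1;ph=8.1"                 # constructed reading
    sig = msign(signers, m)
    return (mverify(pub, m, sig),                        # True
            mverify(pub, "temp=99.0;salinity=35.1;ph=8.1", sig),  # False
            mverify(pub[:2], m, sig),                    # False: other IDSet
            msign(signers, m, tamper=1))                 # None: caught in step 4
```

The commitment round is what makes the later reveal safe: without $t_i$, a signer who sees $R_1$ first could pick its own $R_i$ as a function of it and steer $R$, and therefore $w$. Once $t_i = h_2(R_i)$ has been broadcast, the check in step 4 rejects any substitution, which is why `msign(..., tamper=1)` returns `None` instead of a signature.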

Correctness
The correctness is as follows:

Security Proof
IBMS-CR-2 is secure under the factorization assumption in the random oracle model.

Theorem 7.
If integer factorization is $(t', \epsilon')$-hard, our IBMS-CR-2 scheme is $(t, q_H, q_E, q_S, n, \epsilon)$-secure against existential forgery in the random oracle model.
Because most of the simulation between A and C is the same as before, we give the security proof briefly.
Proof. Given an integer factorization instance $N$, C returns $p$ or $q$ if A succeeds in forging a multi-signature.
• $h_1$-Query. C maintains a list $(ID, c, h_1, s)$. If $ID$ already exists in the list, C returns the recorded $h_1$. Otherwise, C randomly selects $s \in \mathbb{Z}_N^*$ and $c \in \{0, 1, 2\}$, sets $h_1 \equiv s^3 / a^{c} \pmod N$, returns $h_1$, and adds $(ID, c, h_1, s)$ to the $h_1$-list.
• The $h_2$-query, $h_3$-query and extraction query are handled as for IBMS-CR-1.
• The multi-signature query is handled as for IBMS-CR-1, except that Equation (5) changes accordingly.
At the end of the game, A forges $m\sigma^* = (w^*, u^*)$ with $IDSet^*$ on $m^*$. C recomputes $R^*$ and queries $h_3(R^* \| IDSet^* \| m^*)$ to the hash oracle. If the forgery is valid, the verification relation holds with $s^* \leftarrow \prod_{i=1}^{n} (s_i^*)^3 \pmod N$, and C returns $(s^*, w^*, u^*)$. Applying the rewinding technique to factor $N$, C finally obtains $(s, w, u)$ and $(s', w', u')$ such that $u^3 \equiv R\, s^{w}$ and $u'^3 \equiv R'\, s'^{w'} \pmod N$. Because $R = R'$, $m = m'$ and $s = s'$, we have $(u/u')^3 \equiv s^{w - w'} \pmod N$. Because $w \neq w'$, two usable cases emerge. If $w - w' = 3k + 1$ for an integer $k$, then $(u/u')^3 \equiv s^{3k+1}$, so $\tilde{s} = u/(u'\, s^{k})$ satisfies $\tilde{s}^3 \equiv s \pmod N$. If $w - w' = 3k - 1$, then $(u'/u)^3 \equiv s^{1-3k}$, so $\tilde{s} = u'\, s^{k}/u$ satisfies $\tilde{s}^3 \equiv s \pmod N$. (When $w - w' \equiv 0 \pmod 3$ neither case applies and this pair of runs yields no cubic root.)
From the discussion above, C computes a cubic root $\tilde{s}$ with $\tilde{s}^3 = s$. Meanwhile, C searches the $h_1$-list entries with $ID_i \in IDSet$ and computes $\hat{s} = \prod_{i \in IDSet} s_i$, so that $\hat{s}^3 \equiv \tilde{s}^3 \equiv s \pmod N$. If $\tilde{s} \not\equiv \hat{s} \pmod N$, we can factor $N$ by Theorem 1, and $\tilde{s} \not\equiv \hat{s} \pmod N$ holds with probability $2/3$. This completes the proof.
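The reductions in the proofs of Theorems 6 and 7 rest on three facts from Section 2: a cubic residue modulo $N$ can be produced and recognized through a non-cubic residue modulo $q$ (Theorem 3); a cubic residue has three cubic roots that all agree modulo $p$, so Theorem 1 factors $N$ from any two distinct ones; and two forgeries on the same $R$ with different challenges yield a cubic root of $s$ (the rewinding step above). The Python block below, added as an example and not the paper's code, works all three through on constructed toy primes $p = 23$ and $q = 43$, using the relation $u^3 \equiv R\, s^{w} \pmod N$ for a secret $sk$ with $sk^3 \equiv s$ (for IBMS-CR-2's $sk_i^3 I_i \equiv 1$ read $s$ as $I^{-1}$). Its cube-root formulas (the inverse of 3 modulo $p - 1$ and modulo $(q-1)/3$) are the standard ones and are not necessarily the formula of Theorem 4, which this page does not reproduce.

```python
from math import gcd

# Constructed toy parameters: p = 2 (mod 3), q = 7 (mod 9), as required by Theorem 3.
P, Q = 23, 43
N = P * Q                             # 989


def crt(xp, xq):
    """Chinese remaindering: the x in Z_N with x = xp (mod p) and x = xq (mod q)."""
    return (xp + P * (((xq - xp) * pow(P, -1, Q)) % Q)) % N


def is_cubic_residue(c):
    """Cubing is a bijection modulo p, so c is a cubic residue modulo N
    iff c^((q-1)/3) = 1 (mod q)."""
    return pow(c % Q, (Q - 1) // 3, Q) == 1


def make_cubic_residue(h, nc):
    """Theorem 3: for a non-cubic residue nc modulo q, exactly one c in {0, 1, 2}
    makes C = nc^c * h a cubic residue modulo N.  Returns (c, C)."""
    if pow(nc % Q, (Q - 1) // 3, Q) == 1:
        raise ValueError("nc must be a non-cubic residue modulo q")
    for c in range(3):
        C = pow(nc, c, N) * h % N
        if is_cubic_residue(C):
            return c, C
    raise AssertionError("unreachable: one of the three symbols always works")


def cube_roots(C):
    """All three cubic roots of a cubic residue C modulo N, sorted.
    Modulo p the root is unique: C^(1/3) with 1/3 taken modulo p-1.
    Modulo q (9 does not divide q-1) one root is C^(1/3) with 1/3 taken
    modulo (q-1)/3; the other two differ by a primitive cube root of unity xi."""
    rp = pow(C, pow(3, -1, P - 1), P)
    rq = pow(C, pow(3, -1, (Q - 1) // 3), Q)
    xi = next(pow(g, (Q - 1) // 3, Q) for g in range(2, Q)
              if pow(g, (Q - 1) // 3, Q) != 1)
    return sorted(crt(rp, rq * pow(xi, j, Q) % Q) for j in range(3))


def factor_from_roots(r1, r2):
    """Theorem 1: two cubic roots of the same residue that differ modulo N
    agree modulo p, so gcd(r1 - r2, N) is a non-trivial factor.  None if equal."""
    g = gcd((r1 - r2) % N, N)
    return g if 1 < g < N else None


def extract_root_from_forgeries(R, s, w, u, w2, u2):
    """Rewinding step: from u^3 = R s^w and u2^3 = R s^w2 (mod N) with w != w2
    recover a cubic root of s.  Returns None when w - w2 = 0 (mod 3), the
    case the reduction cannot use."""
    assert pow(u, 3, N) == R * pow(s, w, N) % N
    assert pow(u2, 3, N) == R * pow(s, w2, N) % N
    d = w - w2
    if d % 3 == 1:                    # d = 3k + 1: (u/u2)^3 = s^(3k+1)
        k = (d - 1) // 3
        root = u * pow(u2 * pow(s, k, N) % N, -1, N) % N
    elif d % 3 == 2:                  # d = 3k - 1: (u2/u)^3 = s^(1-3k)
        k = (d + 1) // 3
        root = u2 * pow(s, k, N) % N * pow(u, -1, N) % N
    else:
        return None
    assert pow(root, 3, N) == s % N
    return root


def demo():
    """Build a residue C, list its roots, and for each root a forger might hold
    simulate the two rewound forgeries; factor N whenever the extracted root
    differs from the one the simulator planted in its h1-list."""
    h = 17 * 31 % N                   # stands in for a hashed identity h1(ID)
    c, C = make_cubic_residue(h, 3)   # 3 is a non-cubic residue modulo 43
    roots = cube_roots(C)
    planted = roots[0]                # the root C stored for this identity
    r, w, w2 = 101, 40, 21            # same nonce r in both runs; w - w2 = 19
    R = pow(r, 3, N)
    factors = []
    for sk in roots:
        u = r * pow(sk, w, N) % N
        u2 = r * pow(sk, w2, N) % N
        found = extract_root_from_forgeries(R, C, w, u, w2, u2)
        factors.append(factor_from_roots(found, planted))
    return c, C, roots, factors
```

`demo()` loops over the three roots the forger might implicitly hold. The extracted root always equals the forger's, so it differs from the root C planted in two cases out of three, and exactly in those cases `factor_from_roots` returns $p = 23$; this is the $2/3$ in both proofs. Calling `extract_root_from_forgeries` with challenges whose difference is a multiple of 3 returns `None`, which is why the proof of Theorem 7 lists only two usable cases.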

Performance Comparisons
The security assumptions of related work are compared in Table 1. These schemes are provably secure under different hardness assumptions (CDH, DL, RSA, quadratic residues and cubic residues); the aim of each is a construction under a simpler hardness assumption.

Table 1. The comparison of related work on the security assumptions.

Scheme       Underlying mathematical assumption
[15]         Computational Diffie-Hellman (CDH)
[19]         Discrete Logarithm (DL)
[20]         RSA
[6]          Quadratic residues
IBMS-CR-1    Cubic residues
IBMS-CR-2    Cubic residues

We denote by $M_p$, $H_m$, $O_p$ and $E_n$ the operations of scalar multiplication, map-to-point hashing, bilinear pairing and modular exponentiation, respectively. We ran each of these operations on a personal computer and used the timings from [33] to calculate the total computational cost as running time in milliseconds, shown in the columns of Table 2. We also compare the related cubic-residue-based schemes in Table 3. For consistency, the Sign and Verify algorithms are evaluated by counting modular exponentiations.

Conclusions
Data authenticated aggregation is a long-standing problem for marine WSNs. Most data authenticated aggregation builds on multi-signatures that rely on bilinear pairings, whose computational overhead exceeds what marine wireless sensors can afford, or on the management of certificates. We have constructed two efficient IBMS schemes (IBMS-CR-1 and IBMS-CR-2) based on cubic residues, which are better suited to data authenticated aggregation in marine WSNs. Our schemes avoid the heavy overhead of bilinear pairings and have been proven secure under chosen identity and chosen message attacks, relying only on the hardness of integer factorization.