An Aggregate Signature Scheme Based on a Trapdoor Hash Function for the Internet of Things

With the rapid development of the Internet of Things (IoT), it becomes challenging to ensure its security. Identity authentication and integrity verification can be achieved by secure hash functions and digital signature algorithms for IoT applications. In order to solve the issues of bandwidth limitation and computational efficiency of secure communication in IoT applications, an aggregate signature scheme based on multi- trapdoor hash function is proposed in this paper. Firstly, to prevent key exposition, based on the elliptic curve discrete logarithm problem (ECDLP), we constructed a double trapdoor hash function (DTH) and proved its reliability. Secondly, the multi-trapdoor hash function (MTH) based on DTH is presented. Finally, an MTH-based aggregate signature scheme (MTH-AS) with constant signature length is proposed. Based on the assumption of ECDLP, the proposed scheme is proven unforgeable against adaptive chosen message attacks with the Forking Lemma. Different from the most signature schemes with bilinear mapping, the proposed scheme has higher computational efficiency and shorter aggregate signature length. Moreover, it is independent of the number of signers. Security analysis and performance evaluation has revealed that the proposed scheme is an ideal solution for secure IoT applications with limited computing power, storage capacity, or limited bandwidth, such as wireless sensor networks, vehicular ad hoc networks, or healthcare sensor networks.


Introduction
With the development of wireless communication technology, sensor network, microchip technology, and pervasive computing, the Internet of Things (IoT) has been applied in more and more areas, including smart home, smart health, wearable equipment, vehicular ad-hoc network, environmental monitoring, and smart grids, etc. [1]. The IoT collects various information from the physical world through radio frequency identification (RFID) devices, infrared sensors, GPS, sensors, etc. It enables people-to-people, people-to-thing, thing-to-thing connection, and communication, which in turn realizes intelligent perception, recognition, decision-making, and control on the physical world [2]. For example, wearable systems can effectively provide patients with seamless monitoring, remote surgery, telemedicine, timely assistance, and turn hospital-centered medical services into The contributions of this paper are as follows: • Based on ECDLP, we constructed a double trapdoor hash function and a multi-trapdoor hash function respectively. Batch trapdoor collision computation of multi-trapdoor hash function can improve the efficiency of aggregate signature.

•
An aggregate signature scheme based on MTH is proposed. With Forking Lemma, the proposed scheme is proven to be secure against the existing unforgeability on adaptively chosen message attacks.

•
Compared with other bilinear pairings-based schemes, our ECC-based scheme is more efficient in terms of computational overhead. On the other hand, our MTH-AS scheme has the advantage in storage capacity because the length of the proposed aggregate signature is a constant. • Due to the above performance, our MTH-AS scheme is suitable for secure IoT applications with limited computing power, storage capacity, and bandwidth.
The rest of this paper is organized as follows. Section 2 discusses the relevant works. The necessary preliminaries and system model are given in Section 3. Section 4 presents the ECDLP-based double trapdoor hash scheme DTH. Section 5 describes the ECDLP-based multi-trapdoor hash function MTH. Thereafter, we demonstrate the MTH-based aggregate signature scheme for IoTs and carry out performance comparison in Section 6. Finally, the conclusion is offered in Section 7.

Related Work
Hash functions are one-way and collision resistant. Being a special type of hash function, trapdoor hash function [14] is related to the concept of trapdoor commitment [15]. The trapdoor hash function uses some special information (the trapdoor information) to produce a fixed hash value. People who know the trapdoor information open the trapdoor commitment in different ways, thus opening different collisions [15]. That means, the owner of the trapdoor can calculate the trapdoor collision.
Krawczyk et al. [14] first proposed the trapdoor hash function in order to construct chameleon signatures. Thereof, many digital signature schemes were developed based on chameleon signatures. One of the most representative schemes was a solution proposed by Shamir et al. [16] for online/offline signatures. The scheme could resist the adaptive chosen message attacks. However, it encountered key exposure problems of the chameleon hash. That is because collision calculation would lead to exposure of trapdoor information. Focusing on solving this problem, Chen et al. [17] and Atteniese et al. [18] proposed trapdoor hash schemes without key exposure. In 2008, Chen et al. [19] introduced a special double trapdoor hash scheme. This scheme features two trapdoors, long-term trapdoor and temporary trapdoor. It guarantees the safety of long-term trapdoor at the cost of temporary trapdoor leakage.

Symbolic Representation
The symbols used in the proposed scheme are shown in Table 2. Table 2. Symbol description.

Double Trapdoor Hash Function
Different from other hash functions, trapdoor hash function is a probability function with the hash key and the trapdoor key < HK, TK >. The collision resistance of the trapdoor hash functions depends on the user's knowledge state [16]. When both TK and HK are known, it is easy to calculate the trapdoor collision. That is to say, when only HK is known, it is difficult to find two different messages M and M in the message space, and two different auxiliary parameters R and R , which satisfy TH HK (M, R)= TH HK (M , R ). However, when both TK and HK are known, it is easy to calculate R based on M, M and R such that TH HK (M, R)= TH HK (M , R ).
In trapdoor hash function, the calculation of the collision causes the trapdoor key to leak, which is called key exposure. In chameleon signature, the exposure of the trapdoor key affects its transitivity. In online/offline signature scheme, key exposure will result in anyone being able to forge the signature. A hash function without key exposure usually has two trapdoors, i.e., a long-term trapdoor and a temporary trapdoor. Collision calculations only expose the temporary trapdoor, thus preventing the long-term trapdoor key from leaking. Different from the traditional trapdoor hash function family [16], the trapdoor hash function [20] proposed in this paper is a variant of the double trapdoor hash function family [21], using the temporary key pair < HK , TK > to generate trapdoor collisions. : Given the long-term hash key HK, temporary hash key HK', and (M, R), ere is no PPT algorithm to output long-term trapdoor key TK with nony.
Logarithm tic curve discrete logarithm problem (ECDLP) [37]). E(Fl) is an elliptic curve P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 so known as the onewayness of ECDLP. The probability that algorithm A P is defined as: Adv A ECDLP (φ)=Pr[A( q, P, Q)= k|0 < k ≤ q-1, Q = kP] he random selection of k ∈ R Z q * and A.
es consist of PPT algorithms: AS = < Setup, KeyGen, Sign, Verify, rify >. And the tuple < Setup, KeyGen, Sign, Verify > constructs a standard lishment, key generation, signature, verification of the short signature rd signature of aggregate signature. ty parameter k, outputs system parameter Params. ticular ID i ∈U (U is a user set), inputs system parameter Params, then and public key < y, Y >.
Mi to be signed, inputs private key y i , outputs individual signature σ i .
c key Yi , message Mi , and individual short signature σ i , if the verification ful, it outputs ACCEPT, otherwise, it outputs REJECT.

Aggregate Signature
Aggregate signatures consist of PPT algorithms: AS = < Setup, KeyGen, Sign, Verify, Aggregate, Aggregate Verify >. And the tuple < Setup, KeyGen, Sign, Verify > constructs a standard system parameter establishment, key generation, signature, verification of the short signature process, called the standard signature of aggregate signature.
• Setup: Inputs security parameter k, outputs system parameter Params. • KeyGen: For a particular ID i ∈ U (U is a user set), inputs system parameter Params, then outputs the private and public key < y, Y >.

Security Model
Assuming k is a security parameter, G MTH_AS A (1 k ) is a game between challenger

Query
V adaptively performs the following oracle query.
-Hash queries: V makes hash oracle queries to all hash functions in the proposed scheme, and challenger B returns the corresponding value.
-Trapdoor hash queries: V inputs < m, r > for trapdoor hash query and the oracle outputs TH Y (m, r).
-Key queries: V inputs the message m i of user i to make key query, and the oracle returns the trapdoor key y of user i to the adversary V.
-Signature queries: V inputs the original message/random value pair < m i , r i >, new message m i ′ and hash key TK i , the oracle outputs the signature.
The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real data from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, with the system parameter and the private key, each IoT device makes individual signature on the original data they collect. Then the IoT devices send message m i , individual signature σ i and public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures it receives. It checks the validity of the individual signatures, if they are correct, then aggregates them into a single short signature. Finally, the data aggregator sends the aggregate signature to the verifier.

Verifier
The verifier are responsible to check the correctness of the received aggregate signature. It can verify the correctness of all individual signatures by one operation. If the aggregation signature is verified correctly, all the messages and the aggregate signature are sent to the data center.

Data Center
The data center has powerful storage space and computing power, which can store and share the validated aggregate signatures and original messages safely. Query V adaptively performs the following oracle query.
-Hash queries: V makes hash oracle queries to all hash functions in the proposed scheme, and challenger B returns the corresponding value.
-Trapdoor hash queries: V inputs < m, r > for trapdoor hash query and the oracle outputs TH Y (m, r).
-Key queries: V inputs the message m i of user i to make key query, and the oracle returns the trapdoor key y of user i to the adversary V. The adversary V wins the game if σ * is a valid signature and V does not make a key query on at st one user among n users.

. System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are ited, it is important to improve computational efficiency and storage capacity. Furthermore, it is o vital to protect data from modification and repudiation. Due to its natural compression perties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As wn in Figure 2, the system model of the aggregated signature in the IoT environment proposed this paper consists of five components: the key generation center (KGC), IoT devices, data gregator, verifier and data center.
KGC The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. e KGC generates system parameters and sends them to all the entities, such as IoT devices, gregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT vice. Then these private keys are sent to each entity through a secure channel.
IoT Devices The IoT devices with limited computational and storage capacity are capable to collect real data m the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, th the system parameter and the private key, each IoT device makes individual signature on the ginal data they collect. Then the IoT devices send message m i , individual signature σ i and blic key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures eceives. It checks the validity of the individual signatures, if they are correct, then aggregates them o a single short signature. Finally, the data aggregator sends the aggregate signature to the verifier. Verifier The verifier are responsible to check the correctness of the received aggregate signature. It can ify the correctness of all individual signatures by one operation. If the aggregation signature is ified correctly, all the messages and the aggregate signature are sent to the data center.

Data Center
The data center has powerful storage space and computing power, which can store and share validated aggregate signatures and original messages safely.
adaptively performs the following oracle query.  The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real data from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, with the system parameter and the private key, each IoT device makes individual signature on the original data they collect. Then the IoT devices send message m i , individual signature σ i and public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures it receives. It checks the validity of the individual signatures, if they are correct, then aggregates them into a single short signature. Finally, the data aggregator sends the aggregate signature to the verifier.

Data Center
The data center has powerful storage space and computing power, which can store and share the validated aggregate signatures and original messages safely. makes hash oracle queries to all hash functions in the proposed scheme, and challenger (U is a user set), inputs system parameter Params, then < y, Y >. The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real data from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, with the system parameter and the private key, each IoT device makes individual signature on the original data they collect. Then the IoT devices send message m i , individual signature σ i and public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures it receives. It checks the validity of the individual signatures, if they are correct, then aggregates them into a single short signature. Finally, the data aggregator sends the aggregate signature to the verifier.

Data Center
The data center has powerful storage space and computing power, which can store and share the validated aggregate signatures and original messages safely.
inputs < m, r > for trapdoor hash query and the oracle outputs TH Y (m, r).
-Key queries: The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real data from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, with the system parameter and the private key, each IoT device makes individual signature on the original data they collect. Then the IoT devices send message m i , individual signature σ i and public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures it receives. It checks the validity of the individual signatures, if they are correct, then aggregates them into a single short signature. Finally, the data aggregator sends the aggregate signature to the verifier.

Data Center
The data center has powerful storage space and computing power, which can store and share the validated aggregate signatures and original messages safely.
inputs the message m i of user i to make key query, and the oracle returns the trapdoor key y of user i to the adversary

Forge
Finally, V outputs σ * = ( K * , C * ) as a forged aggregate signature based on new messa The adversary V wins the game if σ * is a valid signature and V does not make a k least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage limited, it is important to improve computational efficiency and storage capacity. Fur also vital to protect data from modification and repudiation. Due to its natural properties, aggregate signatures are ideal for resource-constrained many-to-one IoT ap shown in Figure 2, the system model of the aggregated signature in the IoT environm in this paper consists of five components: the key generation center (KGC), IoT aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our prop The KGC generates system parameters and sends them to all the entities, such as aggregator, verifier and data center. The private keys sk i are computed by the KGC device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to co from the physical world. In order to ensure data integrity, non-repudiation, privacy, and with the system parameter and the private key, each IoT device makes individual sig original data they collect. Then the IoT devices send message m i , individual sign public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individ it receives. It checks the validity of the individual signatures, if they are correct, then ag into a single short signature. Finally, the data aggregator sends the aggregate signature The data center has powerful storage space and computing power, which can st the validated aggregate signatures and original messages safely. The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real data from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, with the system parameter and the private key, each IoT device makes individual signature on the original data they collect. Then the IoT devices send message m i , individual signature σ i and public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures it receives. It checks the validity of the individual signatures, if they are correct, then aggregates them into a single short signature. Finally, the data aggregator sends the aggregate signature to the verifier.

Data Center
The data center has powerful storage space and computing power, which can store and share the validated aggregate signatures and original messages safely.
inputs the original message/random value pair < m i , r i >, new message m i and hash key TK i , the oracle outputs the signature. -Trapdoor hash queries: V inputs < m, r > for trapdoor hash query and the oracle outputs TH Y (m, r).
-Key queries: V inputs the message m i of user i to make key query, and the oracle returns the trapdoor key y of user i to the adversary V. The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real data from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, with the system parameter and the private key, each IoT device makes individual signature on the original data they collect. Then the IoT devices send message m i , individual signature σ i and public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures it receives. It checks the validity of the individual signatures, if they are correct, then aggregates them into a single short signature. Finally, the data aggregator sends the aggregate signature to the verifier.  -Trapdoor hash queries: V inputs < m, r > for trapdoor hash query and the oracle outputs TH Y (m, r).
-Key queries: V inputs the message m i of user i to make key query, and the oracle returns the trapdoor key y of user i to the adversary V. The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real data from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, with the system parameter and the private key, each IoT device makes individual signature on the original data they collect. Then the IoT devices send message m i , individual signature σ i and public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures it receives. It checks the validity of the individual signatures, if they are correct, then aggregates them into a single short signature. Finally, the data aggregator sends the aggregate signature to the verifier. The adversary V wins the game if σ * is a valid signature and V does not least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, an limited, it is important to improve computational efficiency and storage cap also vital to protect data from modification and repudiation. Due to it properties, aggregate signatures are ideal for resource-constrained many-to-o shown in Figure 2, the system model of the aggregated signature in the IoT in this paper consists of five components: the key generation center (KG aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in The KGC generates system parameters and sends them to all the entities aggregator, verifier and data center. The private keys sk i are computed by device. Then these private keys are sent to each entity through a secure chann 

IoT Devices
The IoT devices with limited computational and storage capacity are cap from the physical world. In order to ensure data integrity, non-repudiation, pr with the system parameter and the private key, each IoT device makes indi original data they collect. Then the IoT devices send message m i , indivi public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all th it receives. It checks the validity of the individual signatures, if they are correc into a single short signature. Finally, the data aggregator sends the aggregate s

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

• KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel.

• IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real data from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, with the system parameter and the private key, each IoT device makes individual signature on the original data they collect. Then the IoT devices send message m i , individual signature σ i and public key pk i to the data aggregator.

• Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures it receives. It checks the validity of the individual signatures, if they are correct, then aggregates them into a single short signature. Finally, the data aggregator sends the aggregate signature to the verifier.

• Verifier
The verifier are responsible to check the correctness of the received aggregate signature. It can verify the correctness of all individual signatures by one operation. If the aggregation signature is verified correctly, all the messages and the aggregate signature are sent to the data center.

• Data Center
The data center has powerful storage space and computing power, which can store and share the validated aggregate signatures and original messages safely.

Double Trapdoor Hash Scheme Based on ECDLP
In this section, a scheme of double trapdoor hash function based on ECDLP is presented, which is consisted of the tuple: DTH = < DParGen, DKeyGen, DHashGen, DTrapColGen >.
• DParGen: Select l and a big prime p, where l = p m . Let E(F l ) be an elliptic curve over finite field F l and G a cyclic subgroup of E(F l ). Let P be a generator of G with prime order q and H : {0, 1} * → Z * q , f : G × Z * q × G → Z * q , F : G → Z * q cryptographic hash functions. The system parameters are params = < G, P, q, H, F, f >.
• DKeyGen: Select randomly y ∈ Z * q and compute Y = yP. The trapdoor key is y and the hash key is Y.
• DHashGen: Select randomly t ∈ Z * q , compute A = tP and r = F(A). The trapdoor hash value is h = H(m)P + rY.
• DTrapColGen: Select randomly t ∈ Z * q , compute: The temporary trapdoor key is y = r −1 (H(m) − H(m ) + ry ) mod q and the temporary hash key is Y = y P. Compute: which then outputs < k , r , Y >. < k , r > is the signature on TH HK (m, r)= TH HK (m , r ) verifiable under Y [20]. The verification equation expands:

Security Analysis
(1) Efficiency: Given the system parameter params, the hash key Y and the message/auxiliary parameter pair < m, r >, the trapdoor hash valve h = H( m ) P + rY is computable in PPT. (2) Trapdoor collisions: Given < y, Y >, < m, r > and new message m ( m) ∈ {0, 1} * , choose randomly t ∈ Z * q . Then compute A = t P, r = F(A ).
The temporary trapdoor key is given by That is to say H(m) + ry = H(m ) + r y .
In the equation, the long-term trapdoor key y is not computable because y is unknown. That is, the computation complexity of y is equivalent to ECDLP because y is solved by Y = y P. H(m) + ry = H(m') + r'y'. In the equation, the long-term trapdoor key y is not computable because y' is unknown. That is, the computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
(4) Collision resistance: The PPT collision forger E is assumed to resist the DTH scheme with a nonnegligible probability. Given params and HK, E runs in polynomial time and outputs < m, r, m', r', HK', k' > with non-negligible probability where the following statements hold: TH HK (m, r)=TH HK (m', r') , * as the answer to E. Q continues running E until producing another collision forgery < m 2 , r 2 , m' 2 , r' 2 , Y'', k'' > . Each instance of E is randomly selected. Given TH HK (m 1 , r 1 ) , TH HK' (m 2 , r 2 ) , m 1 ≠ m 2 , r 1 ≠ r 2 , m 1 ≠ m' 1 , r 1 ≠ r' 1 , which satisfy the following equations: According to these two equations, the following can be computed: is assumed to resist the DTH scheme with a non-negligible probability. Given params and HK,

Security Analysis
(1) Efficiency: Given the system parameter params, the hash key Y and the message/auxiliary parameter pair < m, r >, the trapdoor hash valve h = H( m ) P + rY is computable in PPT.
(2) Trapdoor collisions: The temporary trapdoor key is given by That is to say H(m) + ry = H(m') + r'y'.
(3) Key exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: That is to say: In the equation, the long-term trapdoor key y is not computable because y' is unknown. That is, the computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
(4) Collision resistance: The PPT collision forger E is assumed to resist the DTH scheme with a nonnegligible probability. Given params and HK, E runs in polynomial time and outputs < m, r, m', r', HK', k' > with non-negligible probability where the following statements hold: Suppose E can construct a PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < G, P, q, Y >, Q needs to find a value z ∈ Z q * so that Z = zP. The hash function f acts as a random oracle O f that Q simulates. That means Q provides a random value for each new query to answer any hash query of O f . Then Q gives two identical answers if the same query is asked twice.
Q runs an instance of E and answers any hash query of O f until E produces collision forgery.
With the Oracle replay attack [38] , Q rewinds E to the point when E queries < TH Y (m, r), r', Y' > to O f , and select randomly a new value x'' ≠ x' ∈ R Z q * as the answer to E. Q continues running E until producing another collision forgery < m 2 , r 2 , m' 2 , r' 2 , Y'', k'' > . Each instance of E is randomly selected. Given , TH HK' (m 2 , r 2 ) , m 1 ≠ m 2 , r 1 ≠ r 2 , m 1 ≠ m' 1 , r 1 ≠ r' 1 , which satisfy the following equations: According to these two equations, the following can be computed: runs in polynomial time and outputs < m, r, m , r , HK , k > with non-negligible probability where the following statements hold: door key is given by H(m) + ry = H(m') + r'y'. s: Given two tuples < Y, m, r > and < Y', m', r' > such that: The PPT collision forger E is assumed to resist the DTH scheme with a nonlity. Given params and HK, E runs in polynomial time and outputs ' > with non-negligible probability where the following statements hold: m' ≠ m , HK' ≠ HK and r' ≠ r struct a PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < s to find a value z ∈ Z q * so that Z = zP. The hash function f acts as a random imulates. That means Q provides a random value for each new query to uery of O f . Then Q gives two identical answers if the same query is asked of E and answers any hash query of O f until E produces collision forgery.
as the answer to E. Q continues running E until producing another can construct a PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < G, P, q, Y >, Q needs to find a value z ∈ Z * q so that Z = zP. The hash function f acts as a random oracle O f that Q simulates. That means Q provides a random value for each new query to answer any hash query of O f . Then Q gives two identical answers if the same query is asked twice. Q runs an instance of

Security Analysis
(1) Efficiency: Given the system parameter params, the hash key Y and the message/auxiliary parameter pair < m, r >, the trapdoor hash valve h = H( m ) P + rY is computable in PPT.
(2) Trapdoor collisions: Given < y, Y >, < m, r > and new message m'(≠ m) ∈ {0,1} * , choose randomly t' ∈ Z q * . Then compute The temporary trapdoor key is given by Key exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: In the equation, the long-term trapdoor key y is not computable because y' is unknown. That is, the computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
(4) Collision resistance: The PPT collision forger E is assumed to resist the DTH scheme with a nonnegligible probability. Given params and HK, E runs in polynomial time and outputs < m, r, m', r', HK', k' > with non-negligible probability where the following statements hold: Suppose E can construct a PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < The hash function f acts as a random oracle O f that Q simulates. That means Q provides a random value for each new query to answer any hash query of O f . Then Q gives two identical answers if the same query is asked twice.
Q runs an instance of E and answers any hash query of O f until E produces collision forgery. The temporary trapdoor key is given by Key exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: In the equation, the long-term trapdoor key y is not computable because y' is u is, the computation complexity of y' is equivalent to ECDLP because y' is solve Suppose E can construct a PPT algorithm Q for solving ECDLP. Given an instan That means Q provides a random value for each answer any hash query of O f . Then Q gives two identical answers if the same twice.
Q runs an instance of E and answers any hash query of O f until E produces co produces collision forgery. When

A' = t' P, r' = F(A' ). temporary trapdoor key is given by
. exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: . e equation, the long-term trapdoor key y is not computable because y' is unknown. That e computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
sion resistance: The PPT collision forger E is assumed to resist the DTH scheme with a nonigible probability. Given params and HK, E runs in polynomial time and outputs r, m', r', HK', k' > with non-negligible probability where the following statements hold: The hash function f acts as a random le O f that Q simulates. That means Q provides a random value for each new query to er any hash query of O f . Then Q gives two identical answers if the same query is asked e.
queries < TH Y (m, r), r , Y > to O f , Q answers x'. With the Oracle replay attack [38], Q rewinds The temporary trapdoor key is given by . Key exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: In the equation, the long-term trapdoor key y is not computable because y' is unknown. That is, the computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
Collision resistance: The PPT collision forger E is assumed to resist the DTH scheme with a nonnegligible probability. Given params and HK, E runs in polynomial time and outputs < m, r, m', r', HK', k' > with non-negligible probability where the following statements hold:

Security Analysis
(1) Efficiency: Given the system parameter params, the hash key Y and the message/auxiliary parameter pair < m, r >, the trapdoor hash valve h = H( m ) P + rY is computable in PPT.
(2) Trapdoor collisions: Given < y, Y >, < m, r > and new message m'(≠ m) ∈ {0,1} * , choose randomly t' ∈ Z q * . Then compute The temporary trapdoor key is given by Key exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: In the equation, the long-term trapdoor key y is not computable because y' is unknown. That is, the computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
(4) Collision resistance: The PPT collision forger E is assumed to resist the DTH scheme with a nonnegligible probability. Given params and HK, E runs in polynomial time and outputs < m, r, m', r', HK', k' > with non-negligible probability where the following statements hold: The hash function f acts as a random oracle O f that Q simulates. That means Q provides a random value for each new query to answer any hash query of O f . Then Q gives two identical answers if the same query is asked queries < TH Y (m, r), r , Y > to O f , and select randomly a new value x x ∈ R Z * q as the answer to

Security Analysis
(1) Efficiency: Given the system parameter params, the hash key Y and the message/auxiliary parameter pair < m, r >, the trapdoor hash valve h = H( m ) P + rY is computable in PPT.
(2) Trapdoor collisions: Given < y, Y >, < m, r > and new message m'(≠ m) ∈ {0,1} * , choose randomly t' ∈ Z q * . Then compute The temporary trapdoor key is given by Key exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: In the equation, the long-term trapdoor key y is not computable because y' is unknown. That is, the computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
(4) Collision resistance: The PPT collision forger E is assumed to resist the DTH scheme with a nonnegligible probability. Given params and HK, E runs in polynomial time and outputs < m, r, m', r', HK', k' > with non-negligible probability where the following statements hold: The hash function f acts as a random oracle O f that Q simulates. That means Q provides a random value for each new query to . Q continues running

Security Analysis
(1) Efficiency: Given the system parameter params, the hash key Y and the parameter pair < m, r >, the trapdoor hash valve h = H( m ) P + rY is compu The temporary trapdoor key is given by In the equation, the long-term trapdoor key y is not computable because y is, the computation complexity of y' is equivalent to ECDLP because y' is (4) Collision resistance: The PPT collision forger E is assumed to resist the DTH negligible probability. Given params and HK, E runs in polynomial < m, r, m', r', HK', k' > with non-negligible probability where the following TH HK (m, That means Q provides a random value for until producing another collision forgery < m 2 , r 2 , m 2 , r 2 , Y , k >. Each instance of

Security Analysis
(1) Efficiency: Given the system parameter params, the hash key Y and the mess parameter pair < m, r >, the trapdoor hash valve h = H( m ) P + rY is computable in The temporary trapdoor key is given by (3) Key exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: In the equation, the long-term trapdoor key y is not computable because y' is un is, the computation complexity of y' is equivalent to ECDLP because y' is solved (4) The hash function f acts is randomly selected. Given TH HK (m 1 , r 1 ), TH HK (m 2 , r 2 ), m 1 m 2 , r 1 r 2 , m 1 m 1 , r 1 r 1 , which satisfy the following equations: According to these two equations, the following can be computed: This is contrary to the elliptic curve discrete logarithm hypothesis.

Multi-Trapdoor Hash functions based on ECDLP
The multi-trapdoor hash function [20] contains many participants U 1 , . . . , U n , each of them having its own trapdoor/hash key pair {TK i , HK i } n 1 and original message {m i } n 1 . It generates the objective multi-trapdoor hash value h according to {m i , r i } n 1 and { HK i } n 1 , then the participants can produce hash collisions with h based on new messages {m i } n 1 . The multi-trapdoor hash function combines multiple collisions generated by multiple participants to generate a single collision [20], thus saving storage space and bandwidth effectively.

Formal Definition
The multi-trapdoor hash function is composed of tuples < MParGen, MKeyGen, MHashGen, MTrapColGen >. and a new message m j m j , outputs collision parameter < r j , HK j > which satisfies the following equation:

The ECDLP-Based Multi-Trapdoor Hash Function
This section presents an ECDLP-based multi-trapdoor hash function MTH. The algorithm process describes as follows: • MParGen: Similar to DParGen in Section 4. • MKeyGen: For each participant U i , select randomly the long-time trapdoor key y i ∈ Z * q and compute long-time hash key: then outputs y i , Y i n 1 .
• MHashGen: For each U i , select randomly t i ∈ Z * q , compute auxiliary parameters: According to trapdoor collision, compute temporary trapdoor/hash key:

Security Analysis
Theorem 1. The proposed multi-trapdoor hash function scheme is collision resistant.
Proof. The PPT collision forger . he equation, the long-term trapdoor key y is not computable because y' is unknown. That he computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
lision resistance: The PPT collision forger E is assumed to resist the DTH scheme with a nonligible probability. Given params and HK, E runs in polynomial time and outputs , r, m', r', HK', k' > with non-negligible probability where the following statements hold: * as the answer to E. Q continues running E until producing another lision forgery < m 2 , r 2 , m' 2 , r' 2 , Y'', k'' > . Each instance of E is randomly selected. Given HK (m 1 , r 1 ) , TH HK' (m 2 , r 2 ) , m 1 ≠ m 2 , r 1 ≠ r 2 , m 1 ≠ m' 1 , r 1 ≠ r' 1 , which satisfy the following ations: ' ording to these two equations, the following can be computed: s is contrary to the elliptic curve discrete logarithm hypothesis.

-Trapdoor Hash functions based on ECDLP
multi-trapdoor hash function [20] . key is given by PT collision forger E is assumed to resist the DTH scheme with a noniven params and HK, E runs in polynomial time and outputs ith non-negligible probability where the following statements hold: quations, the following can be computed: iptic curve discrete logarithm hypothesis. can construct a PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < G, P, q, Y >, Q needs to find a value z ∈ Z * q so that Z = zP. Q runs an instance of porary trapdoor key is given by to say osure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: to say: equation, the long-term trapdoor key y is not computable because y' is unknown. That computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
n resistance: The PPT collision forger E is assumed to resist the DTH scheme with a nonible probability. Given params and HK, E runs in polynomial time and outputs m', r', HK', k' > with non-negligible probability where the following statements hold: m' ≠ m , HK' ≠ HK and r' ≠ r se E can construct a PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < , Y >, Q needs to find a value z ∈ Z q * so that Z = zP. The hash function f acts as a random O f that Q simulates. That means Q provides a random value for each new query to r any hash query of O f . Then Q gives two identical answers if the same query is asked an instance of E and answers any hash query of O f until E produces collision forgery.
With the Oracle replay attack [38] , Q s E to the point when E queries < TH Y (m, r), r', Y' > to O f , and select randomly a new * as the answer to E. Q continues running E until producing another n forgery < m 2 , ing to these two equations, the following can be computed: contrary to the elliptic curve discrete logarithm hypothesis.

Security Analysis
(1) Efficiency: Given the system parameter params, the hash key Y and the message/auxiliary parameter pair < m, r >, the trapdoor hash valve h = H( m ) P + rY is computable in PPT.
(2) Trapdoor collisions: The temporary trapdoor key is given by That is to say (3) Key exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: That is to say: In the equation, the long-term trapdoor key y is not computable because y' is unknown. That is, the computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
(4) Collision resistance: The PPT collision forger E is assumed to resist the DTH scheme with a nonnegligible probability. Given params and HK, E runs in polynomial time and outputs < m, r, m', r', HK', k' > with non-negligible probability where the following statements hold: Suppose E can construct a PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < G, P, q, Y >, Q needs to find a value z ∈ Z q * so that Z = zP. The hash function f acts as a random oracle O f that Q simulates. That means Q provides a random value for each new query to answer any hash query of O f . Then Q gives two identical answers if the same query is asked twice.
Q runs an instance of E and answers any hash query of O f until E produces collision forgery.
With the Oracle replay attack [38] , Q rewinds E to the point when E queries < TH Y (m, r), r', Y' > to O f , and select randomly a new value x'' ≠ x' ∈ R Z q * as the answer to E. Q continues running E until producing another collision forgery < m 2 , According to these two equations, the following can be computed: This is contrary to the elliptic curve discrete logarithm hypothesis.

Multi-Trapdoor Hash functions based on ECDLP
The multi-trapdoor hash function [20] contains many participants U1, … , Un, each of them having its own trapdoor/hash key pair {TK i , HK i } 1 y is given by rm trapdoor key y is not computable because y' is unknown. That xity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
collision forger E is assumed to resist the DTH scheme with a nonen params and HK, E runs in polynomial time and outputs non-negligible probability where the following statements hold: m' ≠ m , HK' ≠ HK and r' ≠ r PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < a value z ∈ Z q * so that Z = zP. The hash function f acts as a random s. That means Q provides a random value for each new query to O f . Then Q gives two identical answers if the same query is asked d answers any hash query of O f until E produces collision forgery.
With the Oracle replay attack [38] , Q en E queries < TH Y (m, r), r', Y' > to O f , and select randomly a new e answer to E. Q continues running E until producing another , ations, the following can be computed: tic curve discrete logarithm hypothesis.

ns based on ECDLP
unction [20] With the Oracle replay attack [38], Q rewinds system parameter params, the hash key Y and the message/auxiliary , the trapdoor hash valve h = H( m ) P + rY is computable in PPT.
or key is given by iven two tuples < Y, m, r > and < Y', m', r' > such that: ng-term trapdoor key y is not computable because y' is unknown. That mplexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
PPT collision forger E is assumed to resist the DTH scheme with a non-. Given params and HK, E runs in polynomial time and outputs with non-negligible probability where the following statements hold: TH HK (m, r)=TH HK (m', r') , m' ≠ m , HK' ≠ HK and r' ≠ r ct a PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < find a value z ∈ Z q * so that Z = zP. The hash function f acts as a random lates. That means Q provides a random value for each new query to y of O f . Then Q gives two identical answers if the same query is asked E and answers any hash query of O f until E produces collision forgery.
With the Oracle replay attack [38] , Q t when E queries < TH Y (m, r), r', Y' > to O f , and select randomly a new s the answer to E. Q continues running E until producing another 2 , r 2 , m' 2 , r' 2 , Y'', k'' > . Each instance of E is randomly selected. Given o equations, the following can be computed: elliptic curve discrete logarithm hypothesis. The temporary trapdoor key is given by That is to say H(m) + ry = H(m') + r'y'.
Key exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: That is to say: In the equation, the long-term trapdoor key y is not computable because y' is unknown. That is, the computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P.
Collision resistance: The PPT collision forger E is assumed to resist the DTH scheme with a nonnegligible probability. Given params and HK, E runs in polynomial time and outputs < m, r, m', r', HK', k' > with non-negligible probability where the following statements hold: TH HK (m, r)=TH HK (m', r') , m' ≠ m , HK' ≠ HK and r' ≠ r Suppose E can construct a PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < G, P, q, Y >, Q needs to find a value z ∈ Z q * so that Z = zP. The hash function f acts as a random oracle O f that Q simulates. That means Q provides a random value for each new query to answer any hash query of O f . Then Q gives two identical answers if the same query is asked twice.
Q runs an instance of E and answers any hash query of O f until E produces collision forgery. When E queries < TH Y (m, r), r', Y' > to O f , Q answers x'. With the Oracle replay attack [38] , Q rewinds E to the point when E queries < TH Y (m, r), r', Y' > to O f , and select randomly a new value x'' ≠ x' ∈ R Z q * as the answer to E. Q continues running E until producing another collision forgery < m 2 , r 2 , m' 2 , r' 2 , Y'', k'' > . Each instance of E is randomly selected. Given TH HK (m 1 , r 1 ) , TH HK' (m 2 , r 2 ) , m 1 ≠ m 2 , r 1 ≠ r 2 , m 1 ≠ m' 1 , r 1 ≠ r' 1 , which satisfy the following equations: { According to these two equations, the following can be computed: This is contrary to the elliptic curve discrete logarithm hypothesis.

lti-Trapdoor Hash functions based on ECDLP
The multi-trapdoor hash function [20]   The temporary trapdoor key is given by That is to say H(m) + ry = H(m') + r'y'.
(3) Key exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: That is to say: In the equation, the long-term trapdoor key y is not computable because y' is unknown. That is, the computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P. Suppose E can construct a PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < G, P, q, Y >, Q needs to find a value z ∈ Z q * so that Z = zP. The hash function f acts as a random oracle O f that Q simulates. That means Q provides a random value for each new query to answer any hash query of O f . Then Q gives two identical answers if the same query is asked twice.
Q runs an instance of E and answers any hash query of O f until E produces collision forgery.
With the Oracle replay attack [38] , Q rewinds E to the point when E queries < TH Y (m, r), r', Y' > to O f , and select randomly a new value x'' ≠ x' ∈ R Z q * as the answer to E. Q continues running E until producing another collision forgery < m 2 , r 2 , m' 2 , r' 2 , Y'', k'' > . Each instance of E is randomly selected. Given TH HK (m 1 , r 1 ) , TH HK' (m 2 , r 2 ) , m 1 ≠ m 2 , r 1 ≠ r 2 , m 1 ≠ m' 1 , r 1 ≠ r' 1 , which satisfy the following equations: { According to these two equations, the following can be computed: This is contrary to the elliptic curve discrete logarithm hypothesis.

Multi-Trapdoor Hash functions based on ECDLP
The multi-trapdoor hash function [20]  The temporary trapdoor key is given by That is to say H(m) + ry = H(m') + r'y'.
(3) Key exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: That is to say: In the equation, the long-term trapdoor key y is not computable because y' is unknown. That is, the computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P. Suppose E can construct a PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < G, P, q, Y >, Q needs to find a value z ∈ Z q * so that Z = zP. The hash function f acts as a random oracle O f that Q simulates. That means Q provides a random value for each new query to answer any hash query of O f . Then Q gives two identical answers if the same query is asked twice.
Q runs an instance of E and answers any hash query of O f until E produces collision forgery.
With the Oracle replay attack [38] , Q rewinds E to the point when E queries < TH Y (m, r), r', Y' > to O f , and select randomly a new value x'' ≠ x' ∈ R Z q * as the answer to E. Q continues running E until producing another collision forgery < m 2 , r 2 , m' 2 , r' 2 , Y'', k'' > . Each instance of E is randomly selected. Given TH HK (m 1 , r 1 ) , TH HK' (m 2 , r 2 ) , m 1 ≠ m 2 , r 1 ≠ r 2 , m 1 ≠ m' 1 , r 1 ≠ r' 1 , which satisfy the following equations: { According to these two equations, the following can be computed: This is contrary to the elliptic curve discrete logarithm hypothesis.

Multi-Trapdoor Hash functions based on ECDLP
The multi-trapdoor hash function [20]  The temporary trapdoor key is given by That is to say H(m) + ry = H(m') + r'y'.
(3) Key exposure freeness: Given two tuples < Y, m, r > and < Y', m', r' > such that: That is to say: In the equation, the long-term trapdoor key y is not computable because y' is unknown. That is, the computation complexity of y' is equivalent to ECDLP because y' is solved by Y' = y' P. Suppose E can construct a PPT algorithm Q for solving ECDLP. Given an instance of ECDLP < G, P, q, Y >, Q needs to find a value z ∈ Z q * so that Z = zP. The hash function f acts as a random oracle O f that Q simulates. That means Q provides a random value for each new query to answer any hash query of O f . Then Q gives two identical answers if the same query is asked twice.
Q runs an instance of E and answers any hash query of O f until E produces collision forgery.
With the Oracle replay attack [38] , Q rewinds E to the point when E queries < TH Y (m, r), r', Y' > to O f , and select randomly a new value x'' ≠ x' ∈ R Z q * as the answer to E. Q continues running E until producing another collision forgery < m 2 , r 2 , m' 2 , r' 2 , Y'', k'' > . Each instance of E is randomly selected. Given TH HK (m 1 , r 1 ) , TH HK' (m 2 , r 2 ) , m 1 ≠ m 2 , r 1 ≠ r 2 , m 1 ≠ m' 1 , r 1 ≠ r' 1 , which satisfy the following equations: { According to these two equations, the following can be computed: This is contrary to the elliptic curve discrete logarithm hypothesis.

Multi-Trapdoor Hash functions based on ECDLP
The multi-trapdoor hash function [20] According to these two equations, the following can be computed It is contrary to the elliptic curve discrete logarithm hypothesis. Thus, the proposed MTH scheme is collision resistant.

The Aggregate Signature Scheme Based on MTH
This section presents an aggregate signature scheme based on MTH, called MTH-AS. The algorithm is presented below. • AHashGen: For each U i , select randomly t i ∈ Z * q , compute auxiliary parameters: A i = t i P and r i = F( A i ).
and computes the trapdoor hash value: Finally, aggregate all the trapdoor hash values as the multi-trapdoor hash value: Then outputs h. • ATrapColGen: For each U i , select the latest timestamp t i ∈ Z * q and compute new auxiliary parameters: A i = t i P and r i = F( A i ).
According to trapdoor collision, compute temporary trapdoor/hash key: Computes: and generates U i 's individual signature: Verify: This algorithm verifies the correctness of the individual signature of U i , computing: If the equation F(B i ) = r i holds, it accepts the participant's individual signature and outputs ACCEPT, otherwise, outputs REJECT. • AggSign: For each participant U j whose individual signature is accepted, computing: outputting the aggregate signature: σ = (K, C).
• AggVerify: Let m be the number of participants in the aggregate signature, that is, the number of individual signatures accepted, computing: If the equation F (B ) = F (C ) holds, accepts the aggregate signature and outputs ACCEPT, otherwise, outputs REJECT.

The Correctness of Aggregate Verify
The aggregate verify equation expands as follows:

Security Proof
Theorem 2. Given an adversary makes at most q f f-hash queries, q H H-hash queries, q S signature queries, q F F-queries, q K key queries, q T trapdoor hash queries within a period t in the random oracle model, and wins the game G MTH_AS A (1 k ) with an non-negligible probability ε, that is, successfully forging the signature of an MTH_AS scheme. Then an algorithm tion of k ∈ R Z q * and A. can be performed in polynomial time t ≤ t + O(q k + 2q T + 2q s )T ME , and solve an instance of ECLDP with probability ε ≥ 1 10 6 q k √ q f ε. Let T ME be the run time for scalar multiplication in elliptic curve.

Proof.
Given an instance of ECLDP (P, yP) G, the goal of the algorithm ≤ k ≤ q-1).
This definition is also known as the onewayness of ECDLP. The probability that algorithm A successfully solves ECDLP is defined as: It is determined by the random selection of k ∈ R Z q * and A.

Aggregate Signature
Aggregate signatures consist of PPT algorithms: AS = < Setup, KeyGen, Sign, Verify, Aggregate, Aggregate Verify >. And the tuple < Setup, KeyGen, Sign, Verify > constructs a standard system parameter establishment, key generation, signature, verification of the short signature process, called the standard signature of aggregate signature.  Setup: Inputs security parameter k, outputs system parameter Params.  KeyGen: For a particular ID i ∈U (U is a user set), inputs system parameter Params, then outputs the private and public key < y, Y >.

Security Model
Assuming k is a security parameter, G A

MTH_AS (1 k ) is a game between challenger B and adversary
V. The attack model is shown below:

Setup
Inputs the security parameter k, B runs the Setup algorithm and returns the system parameter to V.
is to compute y. Assume the hash key of m * is yP. The following is a detailed interaction process between algorithm over the finite field Fl. And P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 ≤ k ≤ q-1).
This definition is also known as the onewayness of ECDLP. The probability that algorithm A successfully solves ECDLP is defined as: It is determined by the random selection of k ∈ R Z q * and A.

Aggregate Signature
Aggregate signatures consist of PPT algorithms: AS = < Setup, KeyGen, Sign, Verify, Aggregate, Aggregate Verify >. And the tuple < Setup, KeyGen, Sign, Verify > constructs a standard system parameter establishment, key generation, signature, verification of the short signature process, called the standard signature of aggregate signature.  Setup: Inputs security parameter k, outputs system parameter Params.  KeyGen: For a particular ID i ∈U (U is a user set), inputs system parameter Params, then outputs the private and public key < y, Y >.

Security Model
Assuming k is a security parameter, G A

MTH_AS (1 k ) is a game between challenger B and adversary
V. The attack model is shown below: The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real data from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, with the system parameter and the private key, each IoT device makes individual signature on the original data they collect. Then the IoT devices send message m i , individual signature σ i and public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures .
is a user set), inputs system parameter Params, then Y >. puts private key y i , outputs individual signature σ i . The adversary V wins the game if σ * is a valid signature and V does not make a ke least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage limited, it is important to improve computational efficiency and storage capacity. Furth also vital to protect data from modification and repudiation. Due to its natural properties, aggregate signatures are ideal for resource-constrained many-to-one IoT app shown in Figure 2, the system model of the aggregated signature in the IoT environm in this paper consists of five components: the key generation center (KGC), IoT d aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our prop The KGC generates system parameters and sends them to all the entities, such as aggregator, verifier and data center. The private keys sk i are computed by the KGC device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to col from the physical world. In order to ensure data integrity, non-repudiation, privacy, and with the system parameter and the private key, each IoT device makes individual sign original data they collect. Then the IoT devices send message m i , individual signa . tic Curve Discrete Logarithm inition 2: (Elliptic curve discrete logarithm problem (ECDLP) [37]). E(Fl) is an elliptic curve inite field Fl. And P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 . definition is also known as the onewayness of ECDLP. The probability that algorithm A lly solves ECDLP is defined as: determined by the random selection of k ∈ R Z q * and A.  The adversary V wins the game if σ * is a valid signature and V does not make a key query least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resource limited, it is important to improve computational efficiency and storage capacity. Furthermore also vital to protect data from modification and repudiation. Due to its natural compres properties, aggregate signatures are ideal for resource-constrained many-to-one IoT application shown in Figure 2, the system model of the aggregated signature in the IoT environment prop in this paper consists of five components: the key generation center (KGC), IoT devices, aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed sch The KGC generates system parameters and sends them to all the entities, such as IoT dev aggregator, verifier and data center. The private keys sk i are computed by the KGC for each device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authent . ≠ M, there is no PPT algorithm to output long-term trapdoor key TK with nonrobability.

Discrete Logarithm
2: (Elliptic curve discrete logarithm problem (ECDLP) [37]). E(Fl) is an elliptic curve Fl. And P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 ion is also known as the onewayness of ECDLP. The probability that algorithm A es ECDLP is defined as: ned by the random selection of k ∈ R Z q * and A. nature signatures consist of PPT algorithms: AS = < Setup, KeyGen, Sign, Verify, egate Verify >. And the tuple < Setup, KeyGen, Sign, Verify > constructs a standard er establishment, key generation, signature, verification of the short signature e standard signature of aggregate signature. ts security parameter k, outputs system parameter Params. r a particular ID i ∈U (U is a user set), inputs system parameter Params, then private and public key < y, Y >. message Mi to be signed, inputs private key y i , outputs individual signature σ i . The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel. The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT : Given the long-term hash key HK, temporary hash key HK', and (M, R), ere is no PPT algorithm to output long-term trapdoor key TK with nony.
Logarithm ic curve discrete logarithm problem (ECDLP) [37]). E(Fl) is an elliptic curve P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 so known as the onewayness of ECDLP. The probability that algorithm A P is defined as: he random selection of k ∈ R Z q * and A.  (4) Key exposure freeness: Given the long-term hash key HK, temporary hash key HK', and (M, R), (M', R'), M'≠ M, there is no PPT algorithm to output long-term trapdoor key TK with nonnegligible probability.

. E(Fl) is an elliptic curve over the finite field Fl. And P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 ≤ k ≤ q-1).
This definition is also known as the onewayness of ECDLP. The probability that algorithm A successfully solves ECDLP is defined as: It is determined by the random selection of k ∈ R Z q * and A.

Aggregate Signature
Aggregate signatures consist of PPT algorithms: AS = < Setup, KeyGen, Sign, Verify, Aggregate, Aggregate Verify >. And the tuple < Setup, KeyGen, Sign, Verify > constructs a standard system parameter establishment, key generation, signature, verification of the short signature process, called the standard signature of aggregate signature. The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, ven the long-term hash key HK, temporary hash key HK', and (M, R), is no PPT algorithm to output long-term trapdoor key TK with nonarithm rve discrete logarithm problem (ECDLP) [37]

Forge
Finally, V outputs σ * = ( K * , C * ) as a forged aggregate signatu The adversary V wins the game if σ * is a valid signature an least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computin limited, it is important to improve computational efficiency and also vital to protect data from modification and repudiatio properties, aggregate signatures are ideal for resource-constrain shown in Figure 2, the system model of the aggregated signatu in this paper consists of five components: the key generatio aggregator, verifier and data center. The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center. s: Given the long-term hash key HK, temporary hash key HK', and (M, R), ere is no PPT algorithm to output long-term trapdoor key TK with nonty.
e Logarithm tic curve discrete logarithm problem (ECDLP) [37]). E(Fl) is an elliptic curve P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 lso known as the onewayness of ECDLP. The probability that algorithm A LP is defined as: the random selection of k ∈ R Z q * and A.

Elliptic Curve Discrete Logarithm
Definition 2: (Elliptic curve discrete logarithm problem (ECDLP) [37]). E(Fl) is an elliptic curve over the finite field Fl. And P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 ≤ k ≤ q-1).
This definition is also known as the onewayness of ECDLP. The probability that algorithm A successfully solves ECDLP is defined as: It is determined by the random selection of k ∈ R Z q * and A.

Aggregate Signature
Aggregate signatures consist of PPT algorithms: AS = < Setup, KeyGen, Sign, Verify, Aggregate, Aggregate Verify >. And the tuple < Setup, KeyGen, Sign, Verify > constructs a standard system parameter establishment, key generation, signature, verification of the short signature process, called the standard signature of aggregate signature.  The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.
. Otherwise, selects a random F i ∈ Z * q , returns F i to The adversary V wins the game if σ * is a valid signature an least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computi limited, it is important to improve computational efficiency an also vital to protect data from modification and repudiatio properties, aggregate signatures are ideal for resource-constrain shown in Figure 2, the system model of the aggregated signatu in this paper consists of five components: the key generatio aggregator, verifier and data center. The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed

Elliptic Curve Discrete Logarithm
Definition 2: (Elliptic curve discrete logarithm problem (ECDLP) [37]). E(Fl) is an elliptic curve over the finite field Fl. And P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 ≤ k ≤ q-1).
This definition is also known as the onewayness of ECDLP. The probability that algorithm A successfully solves ECDLP is defined as: It is determined by the random selection of k ∈ R Z q * and A.

Aggregate Signature
Aggregate signatures consist of PPT algorithms: AS = < Setup, KeyGen, Sign, Verify, Aggregate, Aggregate Verify >. And the tuple < Setup, KeyGen, Sign, Verify > constructs a standard system parameter establishment, key generation, signature, verification of the short signature process, called the standard signature of aggregate signature.  ve Discrete Logarithm 2: (Elliptic curve discrete logarithm problem (ECDLP) [37]). E(Fl) is an elliptic curve ld Fl. And P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 ition is also known as the onewayness of ECDLP. The probability that algorithm A ves ECDLP is defined as: ined by the random selection of k ∈ R Z q * and A. The adversary V wins the game if σ * is a valid signature and V does n least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, limited, it is important to improve computational efficiency and storage c also vital to protect data from modification and repudiation. Due to properties, aggregate signatures are ideal for resource-constrained many-t . Otherwise, selects a random  The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is eness: Given the long-term hash key HK, temporary hash key HK', and (M, R), , there is no PPT algorithm to output long-term trapdoor key TK with nonbility.
crete Logarithm lliptic curve discrete logarithm problem (ECDLP) [37]). E(Fl) is an elliptic curve And P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 is also known as the onewayness of ECDLP. The probability that algorithm A CDLP is defined as: by the random selection of k ∈ R Z q * and A. re atures consist of PPT algorithms: AS = < Setup, KeyGen, Sign, Verify, te Verify >. And the tuple < Setup, KeyGen, Sign, Verify > constructs a standard stablishment, key generation, signature, verification of the short signature andard signature of aggregate signature. curity parameter k, outputs system parameter Params. particular ID i ∈U (U is a user set), inputs system parameter Params, then ate and public key < y, Y >. sage Mi to be signed, inputs private key y i , outputs individual signature σ i .  The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are . Otherwise, selects a random y i ∈ Z * q and computes: Given the long-term hash key HK, temporary hash key HK', and (M, R), re is no PPT algorithm to output long-term trapdoor key TK with nony.
Logarithm ic curve discrete logarithm problem (ECDLP) [37]). E(Fl) is an elliptic curve P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 o known as the onewayness of ECDLP. The probability that algorithm A P is defined as: he random selection of k ∈ R Z q * and A. arameter k, B runs the Setup algorithm and returns the system parameter to checks whether existing (m i , Y i , y i ∈ L K or not, if so,

Query
V adaptively performs the following oracle query.
-Hash queries: V makes hash oracle queries to all hash functions in the proposed scheme, and challenger B returns the corresponding value.
-Trapdoor hash queries: V inputs < m, r > for trapdoor hash query and the oracle outputs TH Y (m, r).
-Key queries: V inputs the message m i of user i to make key query, and the oracle returns the trapdoor key y of user i to the adversary V.
-Signature queries: V inputs the original message/random value pair < m i , r i >, new message m i ′ and hash key TK i , the oracle outputs the signature.
The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real data from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, with the system parameter and the private key, each IoT device makes individual signature on the original data they collect. Then the IoT devices send message m i , individual signature σ i and public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures it receives. It checks the validity of the individual signatures, if they are correct, then aggregates them into a single short signature. Finally, the data aggregator sends the aggregate signature to the verifier.

Data Center
The data center has powerful storage space and computing power, which can store and share the validated aggregate signatures and original messages safely. and saves (m i , Y i , y i into the hash list L K . If m i = m * holds, the game is over and outputs ∇. The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real data from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, with the system parameter and the private key, each IoT device makes individual signature on the original data they collect. Then the IoT devices send message m i , individual signature σ i and public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures it receives. It checks the validity of the individual signatures, if they are correct, then aggregates them into a single short signature. Finally, the data aggregator sends the aggregate signature to the verifier.

Data Center
The data center has powerful storage space and computing power, which can store and share the validated aggregate signatures and original messages safely. -Trapdoor hash queries: V inputs < m, r > for trapdoor hash query and the oracle outputs TH Y (m, r).
-Key queries: V inputs the message m i of user i to make key query, and the oracle returns the trapdoor key y of user i to the adversary V. The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are limited, it is important to improve computational efficiency and storage capacity. Furthermore, it is also vital to protect data from modification and repudiation. Due to its natural compression properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applications. As shown in Figure 2, the system model of the aggregated signature in the IoT environment proposed in this paper consists of five components: the key generation center (KGC), IoT devices, data aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed scheme. The KGC generates system parameters and sends them to all the entities, such as IoT devices, aggregator, verifier and data center. The private keys sk i are computed by the KGC for each IoT device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect real data from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authenticity, with the system parameter and the private key, each IoT device makes individual signature on the original data they collect. Then the IoT devices send message m i , individual signature σ i and public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual signatures it receives. It checks the validity of the individual signatures, if they are correct, then aggregates them into a single short signature. Finally, the data aggregator sends the aggregate signature to the verifier.

Data Center
The data center has powerful storage space and computing power, which can store and share the validated aggregate signatures and original messages safely.
, otherwise, selects a random t i ∈ Z * q and computes:

Forge
Finally, V outputs σ * = ( K * , C * ) as a forged aggregate signature based o The adversary V wins the game if σ * is a valid signature and V does n least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, limited, it is important to improve computational efficiency and storage ca also vital to protect data from modification and repudiation. Due to properties, aggregate signatures are ideal for resource-constrained many-to shown in Figure 2, the system model of the aggregated signature in the Io in this paper consists of five components: the key generation center ( aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted The KGC generates system parameters and sends them to all the entit aggregator, verifier and data center. The private keys sk i are computed device. Then these private keys are sent to each entity through a secure cha 

IoT Devices
The IoT devices with limited computational and storage capacity are c from the physical world. In order to ensure data integrity, non-repudiation, with the system parameter and the private key, each IoT device makes in original data they collect. Then the IoT devices send message m i , ind public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all it receives. It checks the validity of the individual signatures, if they are corr into a single short signature. Finally, the data aggregator sends the aggregat  The adversary V wins the game if σ * is a valid signature and V does not m least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and limited, it is important to improve computational efficiency and storage capac also vital to protect data from modification and repudiation. Due to its properties, aggregate signatures are ideal for resource-constrained many-to-on shown in Figure 2, the system model of the aggregated signature in the IoT e in this paper consists of five components: the key generation center (KG aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in o The KGC generates system parameters and sends them to all the entities, aggregator, verifier and data center. The private keys sk i are computed by t device. Then these private keys are sent to each entity through a secure channe 

IoT Devices
The IoT devices with limited computational and storage capacity are capa from the physical world. In order to ensure data integrity, non-repudiation, priv with the system parameter and the private key, each IoT device makes indivi original data they collect. Then the IoT devices send message m i , individ public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the it receives. It checks the validity of the individual signatures, if they are correct, into a single short signature. Finally, the data aggregator sends the aggregate sig

Data Center
The data center has powerful storage space and computing power, whic outputs the aggregate signature σ * = (K * , C * ) of the new message set {m i * } n 1 under the condition of the user's long-term hash key set {Y i * } n 1 and the original message/auxiliary parameter set {m i * , r i * } n 1 , and satisfies the following two conditions at the same time: There is at least a message m i (m * ) to which neither a key query nor an individual signature query is performed.
According to the Forking Lemma [31], the attacker The adversary V wins the game if σ * is a valid signature and V does not make least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and stor limited, it is important to improve computational efficiency and storage capacity. also vital to protect data from modification and repudiation. Due to its nat properties, aggregate signatures are ideal for resource-constrained many-to-one Io shown in Figure 2, the system model of the aggregated signature in the IoT envir in this paper consists of five components: the key generation center (KGC), I aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our p The KGC generates system parameters and sends them to all the entities, suc aggregator, verifier and data center. The private keys sk i are computed by the K device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable t from the physical world. In order to ensure data integrity, non-repudiation, privacy with the system parameter and the private key, each IoT device makes individua original data they collect. Then the IoT devices send message m i , individual public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the indi simply replaces the hash function f withf , a new valid forged signatureσ = (K * ,C * ) is obtained. When j ∈ {1, 2, . . . , n}\{s}, there is s ∈ {1, 2, . . . , n} such that f * j =f * j . When the following equations holds: we can obtain the following equation set: At the same time, the following calculation is available: -Key queries: V inputs the message m i of user i to make key query, and the oracle returns the trapdoor key y of user i to the adversary V. The adversary V wins the game if σ * is a valid signature and V does not make a key query on at least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resources are Curve Discrete Logarithm ition 2: (Elliptic curve discrete logarithm problem (ECDLP) [37]). E(Fl) is an elliptic curve ite field Fl. And P is a q-order generator of E(Fl), when Q∈E(F l ) and Q = kP, find the integer k (0 efinition is also known as the onewayness of ECDLP. The probability that algorithm A ly solves ECDLP is defined as: Adv s the security parameter k, B runs the Setup algorithm and returns the system parameter to is as follows: According to the Forking Lemma [31], we can obtain the following equation: The running time of inputs private key y i , outputs individual signature σ i . -Trapdoor hash queries: V inputs < m, r > for trapdoor hash query and the oracle o TH Y (m, r).
-Key queries: V inputs the message m i of user i to make key query, and the oracle r the trapdoor key y of user i to the adversary V.
-Signature queries: V inputs the original message/random value pair < m i , r i >, new m m i ′ and hash key TK i , the oracle outputs the signature.

Forge
Finally, V outputs σ * = ( K * , C * ) as a forged aggregate signature based on new message set The adversary V wins the game if σ * is a valid signature and V does not make a key quer least one user among n users.

System Model
In many-to-one IoT scenarios where bandwidth, computing power, and storage resour limited, it is important to improve computational efficiency and storage capacity. Furthermo also vital to protect data from modification and repudiation. Due to its natural compr properties, aggregate signatures are ideal for resource-constrained many-to-one IoT applicatio shown in Figure 2, the system model of the aggregated signature in the IoT environment pro in this paper consists of five components: the key generation center (KGC), IoT device aggregator, verifier and data center.

KGC
The KGC is responsible for system setup. It is regarded to be trusted in our proposed s The KGC generates system parameters and sends them to all the entities, such as IoT d aggregator, verifier and data center. The private keys sk i are computed by the KGC for ea device. Then these private keys are sent to each entity through a secure channel.

IoT Devices
The IoT devices with limited computational and storage capacity are capable to collect re from the physical world. In order to ensure data integrity, non-repudiation, privacy, and authe with the system parameter and the private key, each IoT device makes individual signature original data they collect. Then the IoT devices send message m i , individual signature public key pk i to the data aggregator.

Data aggregator
The data aggregator may be a node in the system model that verifies all the individual sign it receives. It checks the validity of the individual signatures, if they are correct, then aggregate into a single short signature. Finally, the data aggregator sends the aggregate signature to the v 

Verifier
The verifier are responsible to check the correctness of the received aggregate signature verify the correctness of all individual signatures by one operation. If the aggregation signa verified correctly, all the messages and the aggregate signature are sent to the data center.

Data Center
The data center has powerful storage space and computing power, which can store and the validated aggregate signatures and original messages safely.

Security Model
Assuming k is a security parameter, G A MTH_AS (1 k ) is a game between challenger B and adversary V. The attack model is shown below:

Setup
Inputs the security parameter k, B runs the Setup algorithm and returns the system parameter to V.
's time to successfully break the ECDLP instance with forged signatures. One key query, trapdoor hash query, and signature query respectively requires 1, 2, and 2 scalar multiplication on the group, so we can obtain: In summary, the aggregate signature scheme proposed in this paper is (t i , ε , q H , q K , q T , q S , n) existing unforgeable under adaptively chosen message attack.

Security Comparisons
As shown in Table 3, the security of our MTH-AS scheme is compared with relevant aggregate signature schemes [11,24,35]. Since our proposed scheme selects the latest timestamp t i , which is included in the messages {t i , r i , A i , Y i , σ i } n 1 . Replay attacks can be found by checking the freshness of the timestamp. Thus, our proposed scheme is resistant against replay attacks. The schemes proposed in literature [11,24,35] are proven to be secure based on the hardness of Co-CDHP, CDHP, CDHP, respectively. As mentioned above, the MTH-AS scheme proposed in this paper is proven to be secure against the existing unforgeability under adaptively chosen message attacks assuming ECDLP is hard. Our MTH-AS scheme could provide message authentication by checking whether the equations k i P + f (h, r i , Y i )Y i = A i , F( A i ) = r i hold. Due to the above security analysis, our MTH-AS scheme is suitable for secure communications in IoT applications with limited computing power, storage capacity, and bandwidth.

Scheme
Hardness Problem

Resistance to Replay Attacks
Kumar [11] CDHP Yes No Boneh [24] Co-CDHP Yes No Cheng [35] CDHP Yes No Our proposed scheme ECDLP Yes Yes

Performance Analysis
In this subsection, performance analysis is mainly carried out from two aspects: the performance comparison of related aggregate signature schemes and the performance comparison of aggregate signatures in IoTs. These schemes are measured by communication cost and computation cost, which are considered in terms of the length of the aggregate signature and the computational complexity of the aggregation verification algorithm respectively.
In this paper, we adopt the performance evaluation method in [39]. The experiments are taken on an Intel I7 3.4 GHz, 4 GB machine with Windows 7 operating system. to obtain the security level of 80 bits, the bilinear pairing e : G 1 × G 1 → G 2 is conducted, where G 1 is an additive group generated by a point P with the order q 1 on the super singular elliptic curve E 1 : y 2 = x 3 + x mod p 1 ( p 1 and q 1 are 512-bit and 160-bit prime number, respectively) [36]. Accordingly the size of the elements in group G 1 (that is L G 1 ) is 128 bytes (64 * 2 = 128). For ECC-based aggregate signature schemes, we use an additive group G generated by a point on a non-singular elliptic curve E : y 2 = x 3 + ax + b mod p 2 with the order q 2 ( p 2 , q 2 are two 160-bit prime numbers, a , b ∈ Z * q ). The size of the elements in group G (that is L G ) is 40 bytes (20 * 2 = 40). Let L q be the size of the elements in Z * q , n the number of signers. Table 4 lists the execution time of the encryption operations below [36,39]. The bilinear pair-to-midpoint addition 0.0071 T HB The hash-to-point operation in bilinear pair 4.4060 T ME The scalar multiplication in elliptic curve 0.4420 T AE The point addition operation in elliptic curve 0.0018 T H The general hash operation 0.0001 (1) The comparison of aggregate signature schemes The scheme proposed in this paper is compared with the related aggregate signature schemes from four aspects: individual signature, aggregate verify, aggregate signature length and correlation between signature length and n. The specific performance comparison results of computation cost are presented in Table 5 and Figure 3. Table 5. The comparison of computation cost.
The comparisons of communication cost are presented in Table 6 and  [34] is 128 * n + 20 bytes. The proposed scheme in this paper has the same constant aggregate signature length as CLAS-Ⅱ [34], which is 60 bytes, obviously superior to that of CAS-1 [29] and CLAS-Ⅰ [34]. The proposed scheme in this paper has great advantages in communication efficiency.   As shown in Table 5, the individual signature time of the proposed scheme is 0.8843 ms, which is longer than that of CLAS-I [34]. However, the aggregate signature overhead of our scheme is better than that of CLAS-I [34]. The proposed scheme in this paper is based on ECC which is more efficient than bilinear pairings in computation cost [39]. Figure 3 shows that the aggregate verification time of our scheme is obviously better than that of the bilinear pairings based aggregate signature schemes [29,32,35], but slightly higher than ECC based schemes [34].
The comparisons of communication cost are presented in Table 6 and Figure 4. Since the size of L G 1 , L G , L q are 128 bytes, 40 bytes, and 20 bytes, respectively, the lengths of Gong et al.'s CAS-1 and CAS-2 scheme [29] are 128 * n + 128 bytes and 2 * 128 = 256 bytes. The communication cost of Zhou et al.'s CLAS-I scheme [34] is 128 * n + 20 bytes. The proposed scheme in this paper has the same constant aggregate signature length as CLAS-II [34], which is 60 bytes, obviously superior to that of CAS-1 [29] and CLAS-I [34]. The proposed scheme in this paper has great advantages in communication efficiency.

Scheme
Aggregate Signature Length Correlation between Signature Length and n Gong-1 [29] (n + 1)L G 1 Yes Gong-2 [29] 2L G 1 No Chen [32] (n + 1)L G 1 Yes Zhou-I [34] nL G + L q Yes Zhou-II [34] L G + L q No Cheng [35] (n + 1)L G 1 Yes Our proposed scheme L G + L q No  Performance improvements are compared in Table 7. For example, compared to individual signatures of CAS-1 [29], the efficiency of performance improvement is approximately 7.8311-0.8843 7.8311 ≈ 88.70%. Other performance improvements are calculated in the same way, assuming that the number of signatures is 50. As shown in Table 7, in terms of individual signature, the computation cost of our scheme is inferior to that of Zhou et al.'s CLAS-Ⅰscheme [34]. However, in terms of aggregate verify, the computation cost of our scheme is superior to all the other schemes [29,32,34,35]. Therefore, the proposed scheme in this paper is more efficient in aggregation verification.  In IoT applications, it incurs lower computation cost and communication cost due to the limited battery capacity, computing power, bandwidth and storage capacity requirements of IoT devices. In this part, we compare the performance of the proposed scheme and other related IoT-based aggregate signature schemes. The cost of signature and verification is an important factor affecting the computing power of the IoT devices. Table 8 and Figure 5 show the comparison of computation cost in IoT-based aggregate signatures. From Figure 5, we can see that the aggregate verification delay of this proposed scheme is similar to that of Cui's scheme [36], but is obviously superior to that of the other schemes [11,12], because bilinear pairings are not used in our scheme and Cui's scheme [36]. Table 8. The comparison of computation cost in IoTs.

Scheme Individual Signature Time Aggregate Verification Time
Kumar [11] 3T MB + 2T AB + T HB + T H ≈ 9.5437ms 3T B + nT MB + 3nT AB ≈ 1.7303n + 12.633ms Horng [12] 2T MB + T AB + T HB ≈ 3.4252ms 3T B + nT MB + nT AB + nT HB + nT H ≈ 6.1222n + 12.633ms Cui [36] T ME + T AE + T H ≈ 0.4439ms (n + 2)T ME + 2nT AE + 2nT H ≈ 0.4458n + 0.884 ms Our proposed scheme 2T ME + 3T H ≈ 0.8843ms (n + 1)T ME + (n + 1)T AE + 2T H ≈ 0.4438n + 0.444 ms The signature length affects the communication capability of IoT devices, which is an important factor in IoT applications. As shown in Table 9 and Figure 6, the signature length of our scheme is a constant (60 bytes), while the signature length of other schemes [11,12,36] are correlate with the IoT devices. In other words, as the number of the signed IoT devices increases, the signature length increases too. Therefore, the scheme proposed in this paper is more suitable for the application of IoTs because it has great advantages in saving bandwidth and storage capacity. Cui [36] T ME + T AE + T H ≈ 0.4439ms (n + 2)T ME + 2nT AE + 2nT H ≈ 0.4458n + 0.884 ms Our proposed scheme 2T ME + 3T H ≈ 0.8843ms (n + 1)T ME + (n + 1)T AE + 2T H ≈ 0.4438n + 0.444 ms The signature length affects the communication capability of IoT devices, which is an important factor in IoT applications. As shown in Table 9 and Figure 6, the signature length of our scheme is a constant (60 bytes), while the signature length of other schemes [11,12,36] are correlate with the IoT devices. In other words, as the number of the signed IoT devices increases, the signature length increases too. Therefore, the scheme proposed in this paper is more suitable for the application of IoTs because it has great advantages in saving bandwidth and storage capacity.

Scheme
Aggregate Signature Length Correlation between Signature Length and n Kumar [11] (n + 1)L G 1 Yes Horng [12] (n + 1)L G 1 Yes Cui [36] (n + 1)L G Yes Our proposed scheme L G + L q No

Scheme Aggregate Signature Length Correlation between Signature Length and n
Kumar [11] (n + 1)L G 1 Yes Horng [12] (n + 1)L G 1 Yes Cui [36] (n + 1)L G Yes Our proposed scheme L G + L q No Sensors 2019, 19, x FOR PEER REVIEW 19 of 21

Conclusions
In this paper, an aggregate signature scheme is proposed based on ECDLP and MTH, which could be used for secure communication in many-to-one IoT applications. In the random oracle model, the proposed scheme is proven to be secure against the existing unforgeability under adaptively chosen message attacks. The proposed scheme has the characteristics of batch trapdoor collision calculation with multi-trapdoor hash functions and does not use bilinear pair operations. Therefore, it is more efficient than other schemes in terms of computation cost. On the other hand, the length of aggregate signature in this proposed scheme does not depend on the number of the signed IoT devices. Thus, the storage space and bandwidth are greatly saved. In summary, the scheme proposed in this paper is suitable for IoT applications with limited computing speed, storage capacity and bandwidth, such as wireless sensor networks, vehicular ad hoc networks, and healthcare sensor networks, etc.

Conclusions
In this paper, an aggregate signature scheme is proposed based on ECDLP and MTH, which could be used for secure communication in many-to-one IoT applications. In the random oracle model, the proposed scheme is proven to be secure against the existing unforgeability under adaptively chosen message attacks. The proposed scheme has the characteristics of batch trapdoor collision calculation with multi-trapdoor hash functions and does not use bilinear pair operations. Therefore, it is more efficient than other schemes in terms of computation cost. On the other hand, the length of aggregate signature in this proposed scheme does not depend on the number of the signed IoT devices. Thus, the storage space and bandwidth are greatly saved. In summary, the scheme proposed in this paper is suitable for IoT applications with limited computing speed, storage capacity and bandwidth, such as wireless sensor networks, vehicular ad hoc networks, and healthcare sensor networks, etc.