An Efficient Certificateless Aggregate Signature Scheme for Blockchain-Based Medical Cyber Physical Systems

Different from the traditional healthcare field, Medical Cyber Physical Systems (MCPS) rely more on wireless wearable devices and medical applications to provide better medical services. The secure storage and sharing of medical data face great challenges. Blockchain technology, with its decentralization, security, credibility, and tamper-proof properties, is an effective way to solve this problem. However, capacity limitation is one of the main factors limiting the improvement of blockchain performance. Certificateless aggregate signature schemes can greatly ease the difficulty of blockchain expansion. In this paper, we describe a two-layer system model in which medical records are stored off-blockchain and shared on-blockchain. Furthermore, a multi-trapdoor hash function is proposed. Based on the proposed multi-trapdoor hash function, we present a certificateless aggregate signature scheme for blockchain-based MCPS. The purpose is to authenticate the related medical staff, medical equipment, and medical apps, ensure the integrity of medical records, and support the secure storage and sharing of medical information. The proposed scheme is highly computationally efficient because it does not use bilinear maps or exponential operations. Many certificateless aggregate signature schemes without bilinear maps have been proposed for the Internet of Things (IoT) in recent years, but they are not applied to the medical field and do not consider the security requirements of medical data. The scheme proposed in this paper has high computing and storage efficiency while meeting the security requirements of MCPS.


Introduction
In the big data era, with the development of Internet of Things, smart healthcare provides people with more convenient and high-quality healthcare services [1]. The Medical Cyber Physical System (MCPS) [2] is a special type of Cyber Physical System (CPS) based on the application background of the smart healthcare field, which consists of physical space and cyber space. Physical space includes wearable devices, medical diagnostic equipment, and user space consisting of doctors, nurses, etc. Cyber space is the nerve center of MCPS. It receives sensing information from physical space through a network transmission system. Then cyber space identifies, stores, analyzes, processes, and generates feedback control information. Finally, it sends control information to physical space through a network transmission system. MCPS continuously collects the patient's physical signs data through various wearable devices and medical devices, so that the patient's physical condition can be better detected [3]. In order to provide patients with a more accurate and timely diagnosis, different medical institutions need to share a large amount of physical data collected by the sensors and healthcare staff [4]. At the same time, patient privacy should be protected. Thus, blockchain is needed to utilize peer-to-peer network and cryptography technology to achieve tamper proof, unforgeable, non-repudiation, and verifiable medical records. The combination of MCPS and blockchain [5] promotes the sharing of medical services and resources [6]. However, the block capacity limit is one of the main factors that affects the performance improvement of blockchain.
MCPS controls the embedded medical equipment through a wireless network, which senses and monitors the patient's physical data in real time. When the patient has an abnormal situation, the medical equipment sends the early warning information to the medical institution in time. Once MCPS is under cyberattacks, such as data inconsistency, unauthorized access, and data breaches [7], patients' lives and health will be seriously threatened. In practice, medical institutions need to check the accuracy and integrity of shared and sensed medical data before making medical diagnoses. The medical data, which is collected from wearable devices, medical equipment, medical apps, and healthcare staff needs the responsible healthcare provider to sign on it. A large number of signatures and verifications result in high time and space overheads. At the same time, considering the capacity limitation of the blockchain, the certificateless aggregate signature is an effective method because of its compression characteristics. In recent years, some certificateless aggregate signature schemes [8][9][10] have been proposed. However, the performance of these schemes is not ideal because they use more time-consuming bilinear maps. At the same security level, the Elliptic Curve Cryptography (ECC) is more efficient than bilinear maps [11]. Therefore, with the characteristics of low computation, low storage, high reliability, privacy protection, and timeliness, the certificateless aggregate signature scheme based on ECC is suitable for blockchain-based MCPS.
The contributions of this paper are as follows:
• A two-layer storage model in which medical data is stored off-blockchain and shared on-blockchain is proposed. The model meets the security and privacy requirements of MCPS.
• Based on ECC, we present a multi-trapdoor hash function, which is secure and efficient for constructing the certificateless aggregate signature scheme.
• A certificateless aggregate signature scheme based on the multi-trapdoor hash function is proposed. It can reduce the computation cost of wearable medical devices and miners.
The rest of this paper is organized as follows. Related works are discussed in Section 2. The necessary preliminaries are presented in Section 3. Section 4 presents a multi-trapdoor hash function. In Section 5, we describe the certificateless aggregate signature scheme. A security discussion of the proposed scheme is given in Section 6. Then, we make an efficiency analysis in Section 7. Finally, the conclusion is offered in Section 8.

Blockchain
Blockchain is a decentralized, anonymous, trustless, tamper-proof, and traceable distributed data storage technology [5]. With the development of the medical industry, health data is growing exponentially. How to effectively store, share, and manage medical data involving a large amount of patients' private information has become an obstacle to the development of the healthcare industry. Due to the characteristics of blockchain [12], such as non-tamperability, traceability, and multi-private-key authorization management, it is possible to share medical data securely among different institutions [13].
According to who is allowed to participate, blockchains can be divided into Public Blockchain, Private Blockchain, and Consortium Blockchain. These three types of blockchains are compared in Table 1.
In the special field of MCPS, medical data contains both a large amount of private information and has the need to be shared between different institutions, therefore the Consortium Blockchain is more suitable for the secure storage and sharing of medical data. Xue et al. [14] divided the existing medical institutions into medical institution federate servers (MIPS) and audit federate servers (AFS) according to their credit scores. Through the improved consensus mechanism, the medical data sharing model based on blockchain was realized. In the untrusted environment, Xia et al. [15] designed a sensitive medical data sharing model between cloud service providers based on blockchain through a smart contract and access control mechanism. The security requirements of medical records on integrity, confidentiality, and traceability can be realized by digital signature technology in the blockchain-based medical data sharing system.
In recent years, researchers have conducted in-depth research around blockchain-based multi-signatures [16], aggregate signatures [17,18], ring signatures [19], and homomorphic signatures [20]. Among them, aggregate signatures are favored for their advantages, such as fast computing speed, small storage space, and bandwidth saving. Moreover, some scholars have carried out in-depth research on the combination of quantum computing and the security of blockchain [21]. Gao et al. [21] proposed a lattice-based signature scheme and presented a cryptocurrency scheme based on post-quantum blockchain, which could resist quantum computing attacks.

Certificateless Aggregate Signature
In order to solve the management problems of certificate distribution and storage in the traditional PKI-based (Public Key Infrastructure) public key cryptosystem, Shamir proposed the identity-based public key cryptosystem (ID-PKC) in 1984 [22]. In ID-PKC, the public key is denoted by user information, such as mailbox, address, telephone number, etc. The private key is provided by the key generation center (KGC), a third-party trusted organization. Different from traditional public key cryptosystems, users cannot generate their own private key. For KGC, the user's private key is known, and KGC can decrypt ciphertext and forge identity at will. Therefore, ID-PKC has the defect of key escrow [23], which is only applicable to the environment with low security requirements.
To solve this problem, Al-Riyami and Paterson proposed the notion of certificateless public key cryptography (CL-PKC) in 2003 [24]. Unlike ID-PKC, the private key in CL-PKC consists of a partial private key generated by KGC and the secret value selected by the user. KGC only knows partial private key but cannot get the secret key. It can effectively solve the key escrow problem [25]. Moreover, the public key in CL-PKC does not need certificate verification, so the problem of public key authentication is solved. CL-PKC has neither the certificate management problem nor the key escrow problem. Its calculation efficiency is higher than traditional public key cryptosystems, and its security is higher than ID-PKC. Therefore, it is suitable for application scenarios with higher requirements for computing, storage efficiency, and security.
Boneh et al. first proposed the concept of aggregate signature [26] at EUROCRYPT 2003, which greatly promoted the development of digital signature cryptography. An aggregate signature [26] compresses many signatures, generated by many different users on many different messages, into one short signature, and reduces the verification of multiple signatures to one verification. Aggregate signatures greatly improve storage efficiency and verification time.
In recent years, certificateless aggregate signatures (CLAS) have attracted many scholars' research interest because they combine the advantages of certificateless public key cryptosystems and aggregate signatures. Based on different theoretical foundations, scholars have proposed corresponding certificateless aggregate signature schemes. For example, most researchers proposed certificateless aggregate signature schemes based on bilinear maps [8][9][10]. Gong et al. [9] were the first to propose two certificateless identity-based aggregate signature schemes (denoted CAS-1 and CAS-2 in [9]). The aggregate verification of CAS-1 used 2n + 1 pairing operations on an elliptic curve, while CAS-2 used n + 2 pairing operations and n scalar point multiplications. Clearly, the verification efficiency was very low. Xiong et al. designed a more efficient certificateless aggregate signature scheme [8], whose verification used only three pairing operations and 2n scalar multiplications. The efficiency of the scheme was not related to the number of signers, and it did not require a synchronized clock, so it was more efficient than Gong's scheme [9]. However, He et al. [27] and Zhang [10] [28]. Based on the Elliptic Curve Discrete Logarithm Problem (ECDLP), both schemes used 2n + 1 scalar multiplications; the difference is that CLAS-2 provides a shorter, constant-length signature than CLAS-1. Cui et al. [29] proposed a certificateless aggregate signature scheme based on ECC and applied it to vehicular ad hoc network (VANET) communication; its verification used n scalar multiplications. Since the computational overhead of bilinear pairings is significantly higher than that of scalar multiplication on ECC [11], Zhou's scheme and Cui's scheme had higher computational efficiency.
In recent years, with the development of blockchain technology, more and more scholars have focused on aggregate signature algorithms based on blockchain [17,18,30]. Gao et al. [18] designed a fair and efficient multi-party contract signing scheme based on blockchain by constructing a certificateless aggregate verifiably encrypted signature scheme. Wang et al. [30] realized a fully anonymous blockchain by homomorphic encryption and aggregate signature technology, which effectively protected the privacy of the user's identity and the transaction amount. Neither of these schemes [18,30] is computationally efficient, because both use bilinear maps. Based on the gamma signature proposed by Yao et al. [31], Zhao [17] constructed an aggregate signature scheme without bilinear maps. By applying Zhao's scheme [17] to Bitcoin, both the computation and storage overhead decreased to some extent; however, the length of this aggregate signature grows with the number of signers. Due to their low computing or communication efficiency, these schemes [17,18,30] are not suitable for wearable medical devices with limited computing and storage resources. On the other hand, these schemes [17,18,30] did not address the security requirements of MCPS, such as timeliness and privacy protection.
Some scholars have focused on digital signatures in blockchain-based Internet of Things (IoT) applications [32,33]. In order to reduce the time cost of transmitting authentication information from blockchain nodes to IoT devices, Danzi et al. [32] proposed a repeat-authenticate scheme, in which blockchain information consisting of a copy of the block header and the signatures of blockchain nodes is multicast. Kaga et al. [33] proposed a biometrics-based fuzzy signature scheme and applied it to an IoT blockchain system; this scheme achieves verification of the creator of a transaction. These two schemes paid more attention to the authentication of transaction creators or blocks in the IoT scenario. However, they did not address the efficient storage of a large number of digital signatures or the privacy protection of medical data in the MCPS scenario. When a patient goes to the hospital, a great many medical records are generated. The digital signatures of these medical records occupy a large amount of block space, which seriously affects the performance of the blockchain. At the same time, medical data involves personal privacy, and it is necessary to protect the private data.
The blockchain-based schemes mentioned above are compared in Table 2. From Table 2, we can conclude that none of these solutions [17,18,30,32,33] provide both high computing and communication efficiency. Furthermore, nowadays, certificateless aggregate signatures based on blockchain have not been widely used in MCPS. In this paper, we combine ECC and the multi-trapdoor hash function to propose a certificateless aggregate signature scheme and apply it to secure storage and sharing of MCPS. The proposed scheme provides high computing efficiency and low space occupation, which is suitable for blockchain-based MCPS scenario with limited blockchain capacity and low computing power wearable devices.

Elliptic Curve Discrete Logarithm
Let $p, q$ be two large prime numbers, $F_p$ be the finite field determined by $p$, and $E(F_p)$ be an elliptic curve over $F_p$ defined by the equation $y^2 = x^3 + ax + b \pmod p$, where $a, b \in F_p$ and $4a^3 + 27b^2 \neq 0 \pmod p$. If the additive group $G$ consists of the point at infinity $O$ and all points on $E(F_p)$, and $P$ is a generator of $G$ with order $q$, we have the following definition.

Trapdoor Hash Function
The trapdoor hash function is also called the chameleon hash function [35]. Different from general hash functions, it has a hash/trapdoor key pair (HaK, TrK). The hash key (HaK) is public, while the trapdoor key (TrK) is private. The trapdoor hash function uses some special information to generate a fixed hash value, and its collision resistance depends on whether the user knows the trapdoor information (TrK) [36]. That is, without knowing the trapdoor key TrK, the trapdoor hash function is collision resistant; however, when the hash/trapdoor key pair is known, a trapdoor collision can be computed [37]. This property of the trapdoor hash function is suitable for constructing various digital signature schemes [36][37][38][39].
The trapdoor hash function consists of the following four algorithms [37]:
• ParG: Inputs the security parameter k, outputs the system parameter params;
According to the number of trapdoor keys (TrK), trapdoor hash functions include the single-trapdoor hash function [35], the double-trapdoor hash function [39], and the multi-trapdoor hash function [37,38]. A double-trapdoor hash function usually has two pairs of hash/trapdoor keys, named the long-term hash/trapdoor key and the temporary hash/trapdoor key. The double-trapdoor hash function protects the long-term trapdoor key from being leaked by sacrificing the temporary trapdoor key. The multi-trapdoor hash function has multiple hash/trapdoor keys and combines multiple collisions generated by multiple entities into a single collision. As a result, the multi-trapdoor hash function has the advantages of computing efficiency as well as storage space and bandwidth saving. In this paper, we build a certificateless aggregate signature scheme based on the multi-trapdoor hash function, with which a blockchain-based MCPS data storage and sharing model is proposed.

Definition of Certificateless Aggregate Signature
A certificateless aggregate signature consists of the following six algorithms [40]:
• Setup: Inputs the security parameter k; KGC outputs the system public parameter K_pub and the system master key λ.
• Partial-Private-Key-Gen: Inputs k, K_pub, λ, and the user's identity ID_i; KGC outputs the partial private key θ_i and sends it to the user ID_i through a secure channel.
• User-Key-Gen: Inputs k; the user ID_i outputs the secret/public key pair (α_i, X_i).
If the verification is correct, the verifier outputs 1; otherwise, the verifier outputs 0.

Security Models of Certificateless Aggregate Signature
According to their capabilities, two types of adversaries are considered in certificateless aggregate signature schemes [9], and such schemes should be existentially unforgeable under both adversaries, A_I and A_II.
An A_I adversary cannot obtain the system master key, but can replace the public keys of legitimate users. Usually, the A_I adversary acts as a malicious KGC.
An A_II adversary can obtain the system master key, but cannot replace the public keys of legitimate users. The A_II adversary is often regarded as a malicious inside signer.
For these two types of adversaries, we define the following two games.
(1) Game I:
Setup: Challenger Z inputs the security parameter k, generates the system parameter pars and the system master key λ, sends pars to adversary A_I, and keeps λ secret.
Query: A_I adaptively performs the following oracle queries:
• Hash queries: A_I sends hash oracle queries for all hash values in the scheme, and challenger Z returns the corresponding values.
• Partial-Key-Gen query: When A_I makes a partial private key query on the user ID_i, the challenger Z runs the partial private key generation algorithm to generate the corresponding partial private key θ_i and returns it to A_I.
• Secret-Key-Gen query: When A_I makes a secret key query on the user ID_i, the challenger Z runs the secret key generation algorithm to generate the corresponding secret key α_i and returns it to A_I.
• Public-Key-Gen query: When A_I makes a public key query on the user ID_i, the challenger Z runs the public key generation algorithm to generate the corresponding public key (X_i, V_i) and returns it to A_I.
• Public-Key-Replacement query: When A_I queries user ID_i for public key replacement, Z replaces the corresponding public key of user ID_i with a randomly selected PK*_{DAU_i} = (X_i*, V_i*) and saves it.
• Signature queries: Inputs the message s_i, the user ID_i with the corresponding private key (α_i, θ_i), and the status information Ω_i; Z runs the signature algorithm to generate the corresponding signature σ_i and returns it to A_I.
Forge: After the above polynomially bounded queries, A_I outputs a forged aggregate signature σ* = (ω*, D*). The adversary wins the game if and only if:
• the forged signature σ* is a valid signature;
• A_I has not queried the partial private key of at least one of the n users.
(2) Game II:
Setup: Challenger Z inputs the security parameter k, generates the system parameter pars and the system master key λ, and sends both pars and λ to adversary A_II.
Query: In this stage, adversary A_II adaptively performs polynomially bounded oracle queries similar to those of Game I. The difference is that A_II does not perform the public key replacement query or the partial private key query.
Forge: A_II outputs a forged aggregate signature σ* = (ω*, D*). The adversary A_II wins the game if and only if A_II has not queried the secret value of at least one of the n users.

System Model
In this paper, a two-layer system model is used to describe the secure storage and sharing of medical records in MCPS. As shown in Figure 1, the off-blockchain layer completes the acquisition, aggregation, and storage of medical data. In our proposed system model, every doctor, nurse, medical device, and medical app has a pseudonym, a partial private key, a secret value, and a public key. The pseudonym is distributed by the Registry Center, and partial private keys are allocated by the KGC. Doctors, nurses, medical equipment, and medical apps are denoted data acquisition units (DAU). The medical record of a patient consists of several medical record items (MRI). Each MRI is signed by the DAU responsible for it. A patient's diagnosis and treatment process corresponds to one Central Hospital; when a patient goes to different Central Hospitals, this corresponds to different treatment processes. Each DAU encrypts the collected MRIs with the public key of the Central Hospital and calculates the hash value of the MRIs it is responsible for as a digital digest. The DAU's private key is used to individually sign the digest. Then the encrypted MRIs, the digest, and the individual signature are sent to the Central Hospital. The Central Hospital verifies the correctness of the individual signature; if it is correct, the encrypted original medical data is stored in the Medical Cloud. Finally, the Central Hospital combines the individual signatures into an aggregate signature and sends the digest, aggregate signature, access control, and location index of the original MRIs to the Medical Blockchain.
The on-blockchain layer completes the sharing of medical data. Figure 2 shows that each transaction of the Medical Chain contains a digest of patient P_i's MRIs, an aggregate signature, access control, and the specific location index of the original medical data stored in the Medical Cloud. Each block contains a hash value linked to the previous block; this hash value can be used to retrieve the block. The Medical Chain uses time stamps to ensure that the blocks are linked in time. The latest generated blocks are broadcast to the entire network. The nodes receiving the information verify its correctness according to the consensus algorithm; if it is correct, they pass the information on to other nodes. After most nodes have verified the correctness, the miner adds the block to the main chain, forming the permanent storage and sharing of medical records. The patient is the owner of the medical data and grants an entity (doctor, institution, researcher, etc.) access to the original medical records through the access control protocol. When an entity gains access, it looks up the Medical Chain, obtains the position index of the medical data in the cloud, and can then access the original medical records.
In the above model, one block contains multiple transactions, and one transaction relates to all medical records of one medical treatment process of a patient. By using blockchain to store the digest and aggregate signature, the unforgeability of DAU's service and the integrity of medical data can be guaranteed. Meanwhile, the block capacity limitation can be greatly eased. On the other hand, the encrypted original medical data is stored in the cloud, which is retrieved through the data location index on the blockchain. The access rights of entities are managed through the access control on the blockchain. Therefore, the secure storage and sharing of medical data in MCPS is realized.

Security Requirements
The following security requirements are important for medical data in MCPS:
• Non-repudiation: Medical data is the record of the treatment process and serves as legal evidence. Any modification of a medical record should be non-repudiable;
• Integrity: As an important record of the patient's treatment, medical data should be guaranteed to be accurate, which means it cannot be tampered with by anyone in any way. In other words, any data tampering can be detected;
• Privacy: Medical data involves the patient's personal privacy and should be kept confidential. It must not be disclosed at will; only authorized users can access it;
• Traceability: When medical disputes occur between doctors and patients, medical data should be traceable as legal evidence;
• Timeliness: The time factor is one of the key points in the whole treatment process. It is necessary to make effective time judgments on each sensitive link in the treatment process, so as to ensure the authenticity and validity of medical data.
Among these security requirements, tamper-proofing, data integrity, and privacy protection are crucial issues in MCPS [4]. It is necessary to use relevant technical means, such as identity authentication, blockchain technology, and digital signatures, to achieve secure storage and sharing of medical information.

System Framework
The certificateless aggregate signature scheme based on the trapdoor hash function proposed in this paper consists of the following algorithms:
• Setup: The algorithm is run by KGC. Inputs the security parameter k; outputs the master key λ and the system parameter pars.
• Pseudonym-Gen: The algorithm is run by the Registry Center to generate a pseudonym for each entity. Inputs the real identity of each DAU_i or patient P_j (denoted RID_{DAU_i} and RID_{P_j}); outputs its pseudonym PID_{DAU_i} or PID_{P_j}.
• DAU_i Key-Gen: DAU_i generates its secret value/public key pair (α_i, X_i) and sends X_i to KGC through the secure channel. After receiving DAU_i's pseudonym PID_{DAU_i}, the system parameter pars, the public key X_i, and the master key λ, KGC outputs DAU_i's partial private key θ_i. The public key (long-term hash key) of DAU_i is X_i, the long-term trapdoor key is α_i, and the private key is θ_i.
• Hash-Gen: In this algorithm, the trapdoor hash value of DAU_i is generated. Inputs the system parameter pars, the original message s_i, DAU_i's hash key X_i, and the auxiliary parameter u_i; outputs DAU_i's trapdoor hash value TH_{X_i}(s_i, u_i).

The Proposed Multi-Trapdoor Hash Function
The proposed multi-trapdoor hash function based on ECC is presented in this section.
• ParG: Given the security parameter k, KGC selects large prime numbers p, q and an elliptic curve over the finite field F_p, y^2 = x^3 + ax + b mod p, a, b ∈ F_p. Given that G is a cyclic subgroup of E(F_p) and P is a generator of G of order q, KGC chooses a secure hash function W: G → Z_q^*. KGC outputs the system parameter pars = (G, P, q, W).
• KeyG: Each DAU_i randomly selects a trapdoor key α_i ∈ Z_q^* and computes its hash key X_i.
• HashG: Each DAU_i randomly selects an auxiliary parameter u_i and computes its trapdoor hash value TH_{X_i}(s_i, u_i). Finally, the Central Hospital calculates the multi-trapdoor hash value from the individual trapdoor hash values.
• Collision: Each DAU_i randomly selects a temporary trapdoor key β_i ∈ Z_q^* and computes the temporary hash key Y_i = β_i P, from which the collision parameter is derived.
Trapdoor collision is one of the properties of trapdoor hash functions [37]. Given the hash keys (X_i, Y_i), the trapdoor keys (α_i, β_i), the message/auxiliary parameter pair (s_i, u_i), and a new message s_i', the owner of the trapdoor keys computes a collision parameter such that the trapdoor hash value of the new message equals TH_{X_i}(s_i, u_i). From this collision derivation, we can conclude that the owner of the trapdoor key can compute the trapdoor collision from the given input. The proposed multi-trapdoor hash function aggregates multiple trapdoor collisions into one trapdoor collision, which improves the calculation efficiency. On the other hand, anyone who does not know the trapdoor key cannot compute the trapdoor collision. Therefore, the proposed multi-trapdoor hash function is secure and efficient for constructing the certificateless aggregate signature scheme.

The Proposed Certificateless Aggregate Signature Scheme
The proposed certificateless aggregate signature scheme based on the multi-trapdoor hash function is presented in this section. We introduce attribute-based signing [41] and state information, so that the requirements for medical data in blockchain-based MCPS can be better satisfied.

Setup
In this subsection, the KGC generates the system parameters and sends them to the data acquisition units DAU i , the patients P j and the Central Hospitals. Given the security parameter k, the KGC selects large primes p, q and an elliptic curve y 2 = x 3 + ax + b mod p over the finite field F p , with a, b ∈ F p . Let G be a cyclic subgroup of E(F p ) and P a generator of G of order q. The KGC chooses seven secure hash functions:
The KGC randomly selects λ ∈ Z * q as the system master key. Then, the public key is K pub = λP. Finally, the KGC outputs the system parameters pars = (G, P, q, K pub , W 1 , W 2 , W 3 , W 4 , W 5 , W 6 , H).

Pseudonym-Gen
In this phase, the Registry Center calculates the pseudonyms for DAU i and P j according to their real identities. The pseudonym system [42] is used to provide conditional privacy protection for doctors, nurses, patients, medical devices, etc. When relevant organizations need to know their real identity, the Registry Center can index their real identity. The Registry Center performs the following procedure to generate pseudonyms for DAU i and P j .

• The Registry Center accepts DAU i 's real identity RID DAU i and calculates its pseudo identity ID DAU i = W 1 (RID DAU i ). After selecting a random a i ∈ Z * q , DAU i calculates F i = a i P, PID DAU i ,1 = λW 2 ( F i ), and sends PID DAU i ,1 to the Registry Center through the secure channel. The Registry Center calculates PID DAU i ,2 = W 3 ( ID DAU i , PID DAU i ,1 ), and outputs the pseudonym PID DAU i = (PID DAU i ,1 , PID DAU i ,2 ).
• The Registry Center accepts P j 's real identity RID P j and calculates its pseudo identity ID P j = W 1 (RID P j ). After selecting a random b j ∈ Z * q , P j calculates E j = b j P, PID P j ,1 = λW 2 (E j ), and sends PID P j ,1 to the Registry Center through the secure channel. The Registry Center calculates PID P j ,2 = W 3 ( ID P j , PID P j ,1 ), and outputs the pseudonym PID P j = (PID P j ,1 , PID P j ,2 ).
At the same time, the Registry Center builds an index table between the real identities of DAU i (P j ) and their pseudonyms, such as (RID DAU i , PID DAU i ), (RID P j , PID P j ), so that when relevant organizations need to know the real identities of DAU i or P j , the Registry Center could return their real identities.

DAU i Key-Gen
In this stage, DAU i generates its secret value/public parameter pair and sends the public parameter to the KGC. With the received public parameter, the KGC computes the partial private key/partial public key pair. These two key pairs together constitute the public and private keys of DAU i . Because DAU i 's keys are contributed by two entities (the KGC and the DAU), the security of the keys is effectively protected.
DAU i randomly selects the secret value α i ∈ Z * q , calculates X i = α i P as the public parameter. Then, DAU i sends the public parameter X i to the KGC and the Central Hospital.
Given the pseudonym PID DAU i and the public parameter X i of DAU i , the KGC randomly selects γ i ∈ Z * q as its secret value, calculates V i = γ i P and DAU i 's partial private key θ i = γ i + λW 4 ( PID DAU i , X i , V i ), and then sends V i and θ i to DAU i through the secure channel. DAU i verifies the correctness of the partial private key θ i by checking whether the following equation holds:
DAU i 's public and private keys are:
The partial private key and the pseudonym effectively protect DAU i 's identity information and thus serve privacy protection.

Hash-Gen
In this section, each DAU i generates its own trapdoor hash value and sends it to the Central Hospital. Then, the Central Hospital combines all verified trapdoor hash values into a single value. Based on the trapdoor hash value, the trapdoor collision can be calculated, which can be used to achieve the individual signature.
First, given the system parameters pars, the original message s i and DAU i 's hash key (public parameter) X i , DAU i randomly selects an auxiliary parameter u i and calculates the trapdoor hash value
where the original message s i depends on the attribute values of DAU i . That is, if DAU i is a doctor or a nurse, then s i is composed of the ID of the hospital where he or she works, his or her department, position title, etc.; if DAU i is a medical device or app, then s i is composed of DAU i 's pseudonym PID DAU i , its manufacturer, category, affiliated institutions (hospitals, communities, scientific research institutions, etc.), etc. Determining the signer's identity from a set of attributes related to the signer, rather than from personal details such as phone number, home address or email, effectively protects the signer's privacy.
When a patient P j starts data interaction with a DAU i , the trapdoor hash value T i of DAU i is calculated in advance and sent to the Central Hospital. When the treatment of P j is completed (assuming that P j generates n MRIs with n DAU i s), the Central Hospital aggregates the trapdoor hash values of all the DAU i s responsible for P j 's MRIs as T = Σ_{i=1}^{n} T i , and sends T to each DAU i that interacts with P j .

Individual-Sign
In this subsection, each DAU i that provides medical services to the patient P j completes an individual signature on the medical data for which it is responsible. We define the state information of DAU i as Ω i , that is, the pseudonym of P j associated with this DAU i . Only the individual signatures with the same Ω i (that is, for the same patient) can be aggregated.
DAU i selects the latest timestamp t i and calculates θ i = W 6 ( t i , V i , Ω i ), y i = θ i P. The latest timestamp ensures the timeliness of data collection and resists replay attacks. DAU i randomly selects a temporary trapdoor key β i ∈ Z * q , and calculates the temporary hash key Y i = β i P and the trapdoor hash value TH Y i (s i , u i ) = W 5 (s i , Y i )Y i + u i P. Here s i represents the digest of P j 's MRI for which DAU i is responsible during this treatment. According to trapdoor collision (that is

Individual-Verify
In this stage, the Central Hospital achieves the verification of DAU i 's individual signature. When the Central Hospital receives DAU i 's individual signature σ i = (y i , d i ) and new auxiliary parameter u i , the Central Hospital performs the following steps: Check whether d i P + (X i + V i + K pub W * 4 )H * = y i holds or not. If it holds, the Central Hospital accepts σ i and then stores the encrypted original medical data in the Medical Cloud.

Aggregate-Sign
In this phase, the Central Hospital aggregates the accepted individual signatures on medical data of the same patient. The Central Hospital checks the state information Ω i of each DAU i whose individual signature σ i has been accepted. For individual signatures with the same Ω i , the Central Hospital calculates ω = Σ_{i=1}^{n} y i , D = Σ_{i=1}^{n} d i , and the aggregate signature σ = (ω, D). Then, the Central Hospital forms a transaction from P j 's MRI digest, the aggregate signature, the access control information, and the location of the original medical data in the Medical Cloud. Finally, a transaction request is sent to the Medical Chain.

Aggregate-Verify
After the miner receives the message, the aggregate signature is verified through the consensus mechanism. If the equation DP + Σ_{i=1}^{n} (X i + V i + K pub W * 4 ) H * = ω holds, the information is broadcast to other nodes in the network. The other nodes start consensus verification of the transaction and broadcast it on the network. After the verification succeeds, the transaction is added to the block.
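As an added, self-contained example (not code from the paper or its authors) covering both the multi-trapdoor hash function above and the Setup, Key-Gen, Hash-Gen, Individual-Sign, Individual-Verify, Aggregate-Sign and Aggregate-Verify steps, the Python block below implements the trapdoor hash TH X (s, u) = W 5 (s, X)X + uP from the Individual-Sign step, the collision that only the holder of the trapdoor key can compute, the Central Hospital's sum of the T i , and a signature round trip checked with the verification equations d i P + (X i + V i + K pub W * 4 )H * = y i and DP + Σ(X i + V i + K pub W * 4 )H * = ω. Everything not taken from the paper is an assumption: secp256k1 replaces the unspecified 160-bit curve, one labelled SHA-256 hash plays the roles of W 4 , W 5 , W 6 and H, the signer's d i uses a fresh random commitment because the paper's own definition of d i is truncated in the text, the verifier additionally checks that the signed (s i , u i ) still hashes to the pre-committed T i (the collision property in use), and all identifiers and digests are constructed sample values.

```python
# Added example (not the paper's code): ECC trapdoor hash + collision, multi-trapdoor
# aggregation, and a certificateless aggregate signature round trip that satisfies the
# verification equations stated in the paper. secp256k1 stands in for the paper's
# unspecified 160-bit curve; one labelled SHA-256 hash stands in for W4, W5, W6 and H.
import hashlib
import secrets

_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # q, order of P
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,   # the generator P
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def add(A, B):  # affine point addition on y^2 = x^3 + 7 mod _P
    if A is INF or B is INF:
        return B if A is INF else A
    if A[0] == B[0] and (A[1] + B[1]) % _P == 0:
        return INF
    num, den = (3 * A[0] * A[0], 2 * A[1]) if A == B else (B[1] - A[1], B[0] - A[0])
    lam = num * pow(den, -1, _P) % _P
    x = (lam * lam - A[0] - B[0]) % _P
    return (x, (lam * (A[0] - x) - A[1]) % _P)

def mul(k, A):  # double-and-add scalar multiplication k*A
    R, k = INF, k % _N
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def rnd():  # uniform element of Z_q^*
    return secrets.randbelow(_N - 1) + 1

def h(label, *parts):  # hash to Z_q^*; the label separates the roles W4, W5, W6 and H
    data = "|".join([label] + [str(p) for p in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (_N - 1) + 1

def trapdoor_hash(s, X, u):  # TH_X(s, u) = W5(s, X)*X + u*P (the paper's Individual-Sign step)
    return add(mul(h("W5", s, X), X), mul(u, G))

def trapdoor_collision(alpha, s, u, s_new):  # holder of alpha (X = alpha*P) keeps TH_X unchanged
    X = mul(alpha, G)  # u_new = u + alpha*(W5(s,X) - W5(s_new,X)) mod q, derived from the formula
    return (u + alpha * (h("W5", s, X) - h("W5", s_new, X))) % _N

def multi_trapdoor_hash(T_list):  # Central Hospital: T = sum of the T_i of one patient's DAUs
    T = INF
    for T_i in T_list:
        T = add(T, T_i)
    return T

def dau_keygen(pid, lam, K_pub):  # DAU_i picks alpha_i; KGC adds (V_i, theta_i) under lambda
    alpha, gamma = rnd(), rnd()
    X, V = mul(alpha, G), mul(gamma, G)
    w4 = h("W4", pid, X, V)
    theta = (gamma + lam * w4) % _N  # partial private key theta_i = gamma_i + lambda*W4(...)
    if mul(theta, G) != add(V, mul(w4, K_pub)):  # DAU_i's check of theta_i (derived form)
        raise ValueError("partial private key rejected")
    return {"pid": pid, "alpha": alpha, "theta": theta, "X": X, "V": V}

def full_pk(pid, X, V, K_pub):  # X_i + V_i + K_pub*W4, the term in the verification equation
    return add(add(X, V), mul(h("W4", pid, X, V), K_pub))

def individual_sign(key, omega, s_new, T, u_new):
    # Schnorr-style (y_i, d_i) under alpha_i + theta_i with fresh randomness k (assumption:
    # the paper's own definition of d_i is truncated in the extracted text).
    k = rnd()
    d = (k - (key["alpha"] + key["theta"]) * h("H", key["pid"], T, u_new)) % _N
    return {"pid": key["pid"], "X": key["X"], "V": key["V"], "omega": omega,
            "s": s_new, "u": u_new, "y": mul(k, G), "d": d}

def individual_verify(sig, K_pub, T, T_i):  # Central Hospital's check of one signature
    if trapdoor_hash(sig["s"], sig["X"], sig["u"]) != T_i:  # (s_i, u_i) must still give T_i
        return False
    pk = full_pk(sig["pid"], sig["X"], sig["V"], K_pub)      # d_i P + pk*H* == y_i
    return add(mul(sig["d"], G), mul(h("H", sig["pid"], T, sig["u"]), pk)) == sig["y"]

def aggregate_sign(sigs):  # omega = sum y_i, D = sum d_i, only for one Omega_i (one patient)
    if len({s["omega"] for s in sigs}) != 1:
        raise ValueError("individual signatures with different Omega_i")
    omega, D = INF, 0
    for s in sigs:
        omega, D = add(omega, s["y"]), (D + s["d"]) % _N
    return omega, D

def aggregate_verify(sigs, K_pub, omega, D, T):  # D*P + sum_i pk_i*H*_i == omega
    lhs = mul(D, G)
    for s in sigs:
        lhs = add(lhs, mul(h("H", s["pid"], T, s["u"]), full_pk(s["pid"], s["X"], s["V"], K_pub)))
    return lhs == omega

def demo():  # one patient, three DAUs; identifiers and digests are constructed sample values
    lam = rnd()                      # Setup: KGC master key lambda and K_pub = lambda*P
    K_pub = mul(lam, G)
    keys = [dau_keygen("PID_DAU_%d" % i, lam, K_pub) for i in range(3)]
    attrs = ["hospital=H1;dept=cardiology;title=doctor", "device=ecg;maker=M1", "app=vitals"]
    us = [rnd() for _ in keys]       # Hash-Gen: commit to the attribute string s_i in advance
    Ts = [trapdoor_hash(a, k["X"], u) for a, k, u in zip(attrs, keys, us)]
    T = multi_trapdoor_hash(Ts)
    digests = ["digest-%d" % i for i in range(3)]  # Individual-Sign: digest replaces s_i via a collision
    sigs = [individual_sign(k, "PID_P_1", d, T, trapdoor_collision(k["alpha"], a, u, d))
            for k, a, u, d in zip(keys, attrs, us, digests)]
    omega, D = aggregate_sign(sigs)
    return (all(individual_verify(s, K_pub, T, t) for s, t in zip(sigs, Ts)),
            aggregate_verify(sigs, K_pub, omega, D, T),
            individual_verify(dict(sigs[0], s="digest-altered"), K_pub, T, Ts[0]))
```

Running demo() returns (True, True, False): every individual signature verifies, the aggregate (ω, D) verifies with the miner's equation, and a signature whose record digest was altered is rejected because the altered digest no longer collides to the pre-committed T i . The trapdoor collision is what lets the DAU publish T i before the record exists and still bind the final digest to it; without α i an attacker cannot produce a second (s, u) pair hashing to the same T i .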

Correctness Proof
The correctness of the aggregate verification is shown as follows:
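As an added derivation in the paper's own symbols (the paper's proof itself is not reproduced in the extracted text), the aggregate verification equation follows from summing the individual verification equations d i P + (X i + V i + K pub W * 4 )H * = y i over the n accepted signatures, with D = Σ d i and ω = Σ y i :

$$
DP + \sum_{i=1}^{n}\bigl(X_i + V_i + K_{pub} W_4^{*}\bigr)H^{*}
= \sum_{i=1}^{n} d_i P + \sum_{i=1}^{n}\bigl(X_i + V_i + K_{pub} W_4^{*}\bigr)H^{*}
= \sum_{i=1}^{n}\Bigl(d_i P + \bigl(X_i + V_i + K_{pub} W_4^{*}\bigr)H^{*}\Bigr)
= \sum_{i=1}^{n} y_i = \omega .
$$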

Theorem 1.
In the random oracle model, the proposed certificateless aggregate signature scheme is existentially unforgeable against adaptive chosen-message attacks under the assumption that the ECDLP problem is hard. This theorem is obtained by combining Lemmas 1 and 2.

Lemma 1.
Suppose an A I type adversary C 1 makes at most q S Sign queries, q K Partial-Key-Gen queries and q SK Secret-Key-Gen queries within a period t in the random oracle model, and wins the game with a non-negligible probability ε, that is, successfully forges a signature of the proposed scheme. Then an algorithm T 1 can run in polynomial time and solve an instance of ECDLP with probability (supposing the number of aggregate signatures is n) ε ≥

Proof. Suppose T 1 is an ECDLP solver and (P, xP) ∈ G is an instance of ECDLP; the goal of T 1 is to compute x. Suppose T 1 makes q S Sign queries on q S identities and generates n aggregate signatures at the challenge stage. T 1 selects PID DAU k as the target victim, with selection probability µ ∈ [1/(q S + n), 1/(q S + 1)]. We set up a game between the adversary C 1 and the challenger Z 1 ; the detailed interaction is as follows.
Setup: Given K pub = xP, the challenger Z 1 takes the security parameter k as input, generates the system parameters pars = (G, P, q, K pub , W 1 , W 2 , W 3 , W 4 , W 5 , W 6 , H), and sends pars to the adversary C 1 . Z 1 maintains nine lists ( L W 4 , L W 5 , L W 6 , L H , L P , L PK , L SK , L T , L S ), all initially empty.
Query: C 1 adaptively performs the following oracle queries.
• W 4 hash query: When C 1 makes a W 4 hash query with parameter (PID DAU i , X i , V i ), Z 1 checks whether a tuple (PID DAU i , X i , V i , δ W 4 ) ∈ L W 4 exists; if so, Z 1 sends δ W 4 to C 1 . Otherwise, Z 1 selects a random δ W 4 ∈ Z * q . If the list L W 4 does not include a tuple (*, *, *, δ W 4 ), Z 1 sends δ W 4 to C 1 and saves (PID DAU i , X i , V i , δ W 4 ) into the hash list L W 4 .
• W 5 hash query: When C 1 makes a W 5 hash query with parameter (s i , X i ), Z 1 checks whether a tuple (s i , X i , δ W 5 ) ∈ L W 5 exists; if so, Z 1 sends δ W 5 to C 1 . Otherwise, Z 1 selects a random δ W 5 ∈ Z * q . If the list L W 5 does not include a tuple (*, *, δ W 5 ), Z 1 sends δ W 5 to C 1 and saves (s i , X i , δ W 5 ) into the hash list L W 5 .
• W 6 hash query: When C 1 makes a W 6 hash query with parameter (t i , V i , Ω i ), Z 1 checks whether a tuple (t i , V i , Ω i , δ W 6 ) ∈ L W 6 exists; if so, Z 1 sends δ W 6 to C 1 . Otherwise, Z 1 selects a random δ W 6 ∈ Z * q . If the list L W 6 does not include a tuple (*, *, *, δ W 6 ), Z 1 sends δ W 6 to C 1 and saves (t i , V i , Ω i , δ W 6 ) into the hash list L W 6 .
• H hash query: When C 1 makes an H hash query with parameter (PID DAU i , T, u i ), Z 1 checks whether a tuple (PID DAU i , T, u i , δ H ) ∈ L H exists; if so, Z 1 sends δ H to C 1 . Otherwise, Z 1 selects a random δ H ∈ Z * q . If the list L H does not include a tuple (*, *, *, δ H ), Z 1 sends δ H to C 1 and saves (PID DAU i , T, u i , δ H ) into the hash list L H .

• Partial-Key-Gen query: When C 1 makes a Partial-Key-Gen query with parameter (PID DAU i , X i ), Z 1 checks whether a tuple ( PID DAU i , θ i , V i ) ∈ L P exists.
- If L P does not include the tuple ( PID DAU i , θ i , V i ) and PID DAU i ≠ PID DAU k , Z 1 selects random θ i , δ W 4 ∈ Z * q , computes V i = θ i P − K pub δ W 4 , sends ( θ i , V i ) to C 1 and saves ( PID DAU i , θ i , V i ) into the list L P . If the list L W 4 does not include the corresponding tuple, then Z 1 adds the tuple (PID DAU i , X i , V i , δ W 4 ) into L W 4 .
- If L P does not include the tuple ( PID DAU i , θ i , V i ) and PID DAU i = PID DAU k , Z 1 randomly selects θ k , δ W 4 ∈ Z * q , lets V k = γ r P (γ r ∈ Z * q is a random number known to Z 1 ), then saves ( PID DAU k , θ k , V k ) into the list L P and sends ( θ k , V k ) to C 1 . If the list L W 4 does not include the corresponding tuple, then Z 1 adds the tuple (PID DAU k , X k , V k , δ W 4 ) into L W 4 .

• Secret-Key-Gen query: Suppose that the query is on a pseudo identity PID DAU i . If the list L SK includes (PID DAU i , α i , θ i ), Z 1 sends (α i , θ i ) to C 1 . Otherwise, Z 1 selects a random α i ∈ Z * q and computes X i = α i P. Then Z 1 makes a Partial-Key-Gen query with (PID DAU i , X i ) and adds (PID DAU i , α i , θ i ) into the list L SK .
• Public-Key-Gen query: Suppose that the query is on a pseudo identity PID DAU i . If the list L PK includes (PID DAU i , X i , V i ), Z 1 sends ( X i , V i ) to C 1 . Otherwise, Z 1 selects a random α i ∈ Z * q and computes X i = α i P. Then Z 1 makes a Partial-Key-Gen query with (PID DAU i , X i ) and adds (PID DAU i , X i , V i ) into the list L PK . Z 1 sends ( X i , V i ) to C 1 .
• Public-Key-Replacement query: C 1 can select a new public key PK * DAU i = ( X * i , V * i ) to replace the original public key PK DAU i of any legitimate DAU i .

• Hash-Gen query: When C 1 makes a Hash-Gen query with parameter (s i , u i ), Z 1 checks whether a tuple (s i , u i , T i ) ∈ L T exists; if so, Z 1 returns T i to C 1 . Otherwise, Z 1 selects a random α i ∈ Z * q and computes:
Z 1 sends T i to C 1 and saves (s i , u i , T i ) into the hash list L T .
• Sign query: When C 1 makes a Sign query with parameter (α i , Ω i , s i , s i ), Z 1 checks whether PID DAU i = PID DAU k or not; if so, Z 1 randomly selects t i ∈ Z * q and β i ∈ Z * q , and computes:
Then, Z 1 generates the individual signature (y i , d i ) and sends it to C 1 . Otherwise, Z 1 outputs failure and halts.

• Aggregate-Sign query: When all of the PID DAU i (1 ≤ i ≤ n) satisfy PID DAU i ≠ PID DAU k , Z 1 randomly selects t i ∈ Z * q and β i ∈ Z * q for every DAU i (1 ≤ i ≤ n). Then Z 1 calculates
Then, Z 1 generates the aggregate signature (ω, D) and sends it to C 1 . Otherwise, if some PID DAU i = PID DAU k , Z 1 outputs failure and halts.
• Individual-Verify query: When C 1 makes an Individual-Verify query, Z 1 checks whether the corresponding tuple of PID DAU i is included in the list L PK .
- If the corresponding tuple of PID DAU i is included in the list L PK and PID DAU i ≠ PID DAU k , Z 1 takes H * = δ H from the tuple (PID DAU i , T, u i , δ H ) in L H and verifies whether the equation d i P = y i + (X i + V i + K pub W * 4 )H * holds; if so, Z 1 returns 1 to C 1 , otherwise it returns 0 to C 1 .
- If the corresponding tuple of PID DAU i is included in the list L PK and PID DAU i = PID DAU k , Z 1 returns 1 to C 1 when the list L H includes the tuple (PID DAU i , T, u i , δ H ); otherwise, Z 1 returns 0 to C 1 .
- If the corresponding tuple of PID DAU i is not included in the list L PK , Z 1 returns 1 to C 1 when the list L H includes the tuple (PID DAU i , T, u i , δ H ); otherwise, Z 1 returns 0 to C 1 .
Forge: After the above polynomially bounded queries, Z 1 outputs the aggregate signature σ * = (ω * , D * ) of PID DAU i (1 ≤ i ≤ n), in which at least one PID DAU i (i ∈ [1, n]) has not been the subject of a Partial-Key-Gen query or a Secret-Key-Gen query, and at least one message s i (i ∈ [1, n]) has not been the subject of a Sign query.
If all the PID DAU i (1 ≤ i ≤ n) satisfy PID DAU i ≠ PID DAU k , then Z 1 outputs failure and halts. Otherwise, if one PID DAU i (1 ≤ i ≤ n) satisfies PID DAU i = PID DAU k , then Z 1 queries the corresponding tuples of PID DAU i (1 ≤ i ≤ n) in the lists L PK , L SK , L H and checks whether the following equation holds:
Otherwise, Z 1 cannot solve the discrete logarithm problem, because:
With Partial-Key-Gen and Secret-Key-Gen, Z 1 will terminate the simulation. Suppose that

• Event E 1 represents that at least one PID DAU k (1 ≤ k ≤ n) has not been the subject of a Partial-Key-Gen query or a Secret-Key-Gen query.
• Event E 2 represents that Z 1 does not terminate at the Sign-query stage.
• Event E 3 represents that Z 1 does not terminate at the challenge stage.
The probability that algorithm T 1 solves the ECDLP is as follows:
The probability that Z 1 does not terminate during the whole simulation is at least
Since µ ∈ [1/(q S + n), 1/(q S + 1)], when q S is large enough, (1 − ϕ)^{q S} tends to e^{−1}, so the probability that Z 1 does not terminate during the simulation is at least
In summary, if Z 1 is not terminated during the simulation and C 1 breaks the unforgeability of the proposed scheme with a non-negligible probability ε, then T 1 can solve ECDLP with a non-negligible probability:

Lemma 2.
Suppose an A II type adversary C 2 makes at most q S Sign queries, q K Partial-Key-Gen queries and q SK Secret-Key-Gen queries within a period t in the random oracle model, and wins the game with a non-negligible probability ε, that is, successfully forges a signature of the proposed scheme. Then an algorithm T 2 can run in polynomial time and solve an instance of ECDLP with probability (supposing the number of aggregate signatures is n) ε ≥

Proof. Suppose T 2 is an ECDLP solver and (P, xP) ∈ G is an instance of ECDLP. The goal of T 2 is to compute x. T 2 selects PID DAU k as the target victim, with selection probability µ ∈ [1/(q S + n), 1/(q S + 1)]. We set up a game between the adversary C 2 and the challenger Z 2 ; the detailed interaction is as follows.
Setup: The challenger Z 2 takes the security parameter k as input, generates the system parameters pars, and sends pars = (G, P, q, K pub , W 1 , W 2 , W 3 , W 4 , W 5 , W 6 , H) to the adversary C 2 . Z 2 maintains nine lists ( L W 4 , L W 5 , L W 6 , L H , L P , L PK , L SK , L T , L S ), all initially empty.
Query: Adversary C 2 makes the same queries as that of W 4 hash, W 5 hash, W 6 hash, H hash, Secret-Key-Gen, Public-Key-Gen, Hash-Gen, Sign query, Aggregate-Sign query in Lemma 1.

• Partial-Key-Gen query: When C 2 makes a Partial-Key-Gen query with parameter (PID DAU i , X i ), Z 2 checks whether a tuple ( PID DAU i , θ i , V i ) ∈ L P exists.
• Individual-Verify query: When C 2 makes an Individual-Verify query with parameter (PID DAU i , s i ), Z 2 checks whether the corresponding tuple of PID DAU i is included in the list L PK .
- If the corresponding tuple of PID DAU i is included in the list L PK and PID DAU i ≠ PID DAU k , Z 2 verifies whether the equation d i P + (X i + V i + K pub W * 4 )H * = y i holds; if so, Z 2 returns 1 to C 2 , otherwise it returns 0 to C 2 .
- If the corresponding tuple of PID DAU i is included in the list L PK and PID DAU i = PID DAU k , Z 2 returns 1 to C 2 when the list L H includes the tuple (PID DAU i , T, u i , δ H ); otherwise, Z 2 returns 0 to C 2 .
Forge: After the above polynomially bounded queries, Z 2 outputs the aggregate signature σ * = (ω * , D * ) of PID DAU i (1 ≤ i ≤ n), in which at least one PID DAU i (i ∈ [1, n]) has not been the subject of a Partial-Key-Gen query or a Secret-Key-Gen query, and at least one message s i (i ∈ [1, n]) has not been the subject of a Sign query.
If all the PID DAU i (1 ≤ i ≤ n) satisfy PID DAU i ≠ PID DAU k , then Z 2 outputs failure and halts. Otherwise, if one PID DAU K (1 ≤ K ≤ n) satisfies PID DAU K = PID DAU k , then Z 2 queries the corresponding tuples of PID DAU i (1 ≤ i ≤ n) in the lists L PK , L SK , L H , L W 4 and checks whether the following equation holds:
Otherwise, Z 2 cannot solve the discrete logarithm problem, because:
It can be seen from the proof of Lemma 1 that the probability that Z 2 does not terminate during the simulation is at least
Therefore, if Z 2 is not terminated during the simulation and C 2 breaks the unforgeability of the proposed scheme with a non-negligible probability, then T 2 can solve ECDLP with a non-negligible probability:

Security Analysis
• Message authentication: As Theorem 1 states, no polynomial adversary can forge a valid message under the assumption that the ECDLP problem is hard. Therefore, the Central Hospital can verify the validity and integrity of the message (PID DAU i , X i , V i , t i , u i , σ i ). Thus, the proposed scheme for MCPS provides message authentication.
• Identity privacy protection: The pseudonyms proposed in this paper are of two types: the pseudonyms of DAUs (PID DAU i , 1 ≤ i ≤ n) and the pseudonyms of patients (PID P j , 1 ≤ j ≤ n). PID DAU i and PID P j are generated by combining the randomly chosen secret value a i or b j with the system master key λ. No adversary can compute the real identity from the pseudonym without knowing the secret a i or b j and λ. Thus, the pseudonyms proposed in this paper protect the identity privacy of DAUs and patients.
• Resistance to replay attack: Whenever DAU i makes an individual signature, it chooses the latest timestamp t i . The Central Hospital checks the freshness of the timestamp t i in order to detect replay attacks.
• Resistance to modification attack: According to Theorem 1, the Central Hospital can protect the integrity of the message (PID DAU i , X i , V i , t i , u i , σ i ). Therefore, any modification of the message will be detected by checking whether the equation d i P = y i + (X i + V i + K pub W * 4 )H * holds or not.
• Resistance to spam attack [17]: Because of the natural compression property of the aggregate signature, the proposed signature scheme combines n individual signatures into one short signature. The length of the aggregate signature does not increase with the number of signers. Therefore, in the blockchain-based MCPS, more transactions can be added into a block. Consequently, an attacker has to send more transactions to congest the network, which costs more in transaction fees and so raises the cost of a spam attack.

Efficiency Analysis
Certificateless aggregate signatures can be classified into pairing-based certificateless aggregate signatures and ECC-based certificateless aggregate signatures. In this paper, we adopt the same efficiency evaluation method as references [11,29], in which the simulations are conducted on an Intel i7 3.4 GHz machine with 4 GB of memory running Windows 7. Pairing-based aggregate signature schemes are simulated on the bilinear pairing e : G 1 × G 1 → G 2 , where G 1 is an additive group of order q 1 generated on the type A elliptic curve E 1 : y 2 = x 3 + x mod p 1 , and p 1 and q 1 are 512-bit and 160-bit primes, respectively [11]. For ECC-based aggregate signature schemes, the simulation is conducted over the non-singular elliptic curve E : y 2 = x 3 + ax + b mod p 2 , where G is an additive group of order q 2 generated on E, and p 2 , q 2 are both 160-bit primes. The bilinear pairing and the elliptic curve used in the experiments are at the same 80-bit security level. Tables 3 and 4 present the running time of the cryptographic operations and the group parameters.

Table 3. Running time of different cryptographic operations [11,29,37].

Operation   Description                                               Time (ms)
t p         The bilinear pairing operation                            4.2110
t mp        The scalar multiplication in the bilinear pairing group   1.7090
t ap        The point addition in the bilinear pairing group          0.0071
t hp        The hash-to-point operation in the bilinear pairing       4.4060
t mecc      The scalar multiplication on the elliptic curve           0.4420
t aecc      The point addition on the elliptic curve                  0.0018
t h         The general hash operation                                0.0001

Table 4. Group parameters [11,29,37].

Symbol   Description                             Length (bytes)
|G 1|    The size of an element of group G 1     128
|G|      The size of an element of group G       40
|q|      The size of an element of Z * q         20

The computation cost and the communication cost are two important factors for evaluating certificateless aggregate signature schemes. In this section, the efficiency analysis is divided into two parts. First, we compare the proposed scheme with related certificateless aggregate signature schemes. Second, we compare the proposed scheme with related aggregate signature schemes based on blockchains.
1. The efficiency analysis of certificateless aggregate signature schemes
Table 5 compares the computation cost of the proposed scheme and related certificateless aggregate signature schemes [9,29].
- In the individual sign algorithm, DAU i needs three scalar multiplications on the elliptic curve and two general hash operations to generate an individual signature. The computation cost of our scheme for individual signing is smaller than that of the related certificateless aggregate signature schemes [9,29].
- In the individual-verify algorithm, the Central Hospital needs three scalar multiplications, three point additions on the elliptic curve, and two general hash operations to verify DAU i 's individual signature. The computation cost of our scheme for individual verification is smaller than that of Gong et al.'s scheme [9], but slightly higher than that of Cui et al.'s scheme [29].
- As shown in Figure 3, in the aggregate verify algorithm, the Central Hospital needs (2n + 1) scalar multiplications, (2n + 1) point additions on the elliptic curve, and 2n general hash operations to verify the aggregate signature, that is, (2n + 1)t mecc + (2n + 1)t aecc + 2n t h ≈ 0.8878n + 0.4438 ms. The computation cost of our scheme for aggregate verification is smaller than that of Gong et al.'s scheme [9], but slightly higher than that of Cui et al.'s scheme [29].
Table 6 shows the communication cost of our scheme and related certificateless aggregate signature schemes. In the proposed scheme, the aggregate signature length, like that of CAS-2 in [9], is a constant, which does not increase with the number of individual signatures.

Table 6. Communication cost of certificateless aggregate signature schemes [9,29].

Scheme            Aggregate signature length   Length grows with n
Cui et al. [29]   (n + 1)|G|                   Yes
Our scheme        |G| + |q|                    No

From Figure 4, we can see that the communication cost of the proposed scheme is clearly smaller than that of CAS-1 [9] and Cui et al.'s scheme [29], and slightly smaller than that of CAS-2 [9].


2. The comparison of certificateless aggregate signatures based on blockchain
In this subsection, we compare the computation cost and communication cost of the proposed scheme with the two most recently proposed certificateless aggregate signature schemes based on blockchain [17,18]. As shown in Table 7 and Figure 5, in the individual sign algorithm and the aggregate verify algorithm, the computation cost of the proposed scheme is lower than that of Gao et al.'s scheme [18] and close to that of Zhao et al.'s scheme [17]. In the individual verify algorithm, the computation cost of the proposed scheme is lower than that of Gao et al.'s scheme [18] but slightly higher than that of Zhao et al.'s scheme [17].
As shown in Table 8 and Figure 6, the aggregate signature length of the two most recently proposed blockchain-based certificateless aggregate signature schemes [17,18] grows with the number of individual signatures. In contrast, the aggregate signature length of our scheme is |G| + |q|, which is a constant and is clearly lower than that of the other two schemes [17,18]. That is, the storage required for the aggregate signature does not increase with the number of DAU i s in each transaction, which effectively improves the storage efficiency of each block.
Table 8. Communication cost of schemes based on blockchain.

Conclusions
In this paper, a certificateless aggregate signature scheme based on blockchain is proposed, which can be used for the secure storage and sharing of medical data in MCPS. To improve performance, the trapdoor collision computation of the trapdoor hash function is built into the proposed scheme. The security analysis shows that the proposed scheme is existentially unforgeable against adaptive chosen-message attacks and is resistant to replay and modification attacks. The proposed scheme provides message authentication and identity privacy protection, and thus satisfies the security requirements of MCPS. Compared with pairing-based schemes, the scheme proposed in this paper is based on ECC and has better computational efficiency, so its computational cost is lower. More importantly, the aggregate signature length of the proposed scheme is independent of the number of signers, which effectively increases the number of transactions stored in each block. Therefore, the proposed scheme can alleviate the capacity limitation of blockchain and prevent spam attacks to a certain extent.
In the future work, we will focus on the lattice-based digital signature algorithm and combine it with blockchain to improve the security of blockchain. More importantly, we will apply our research to practice and obtain measurement results from practical implementation.