A Security-Enhanced Certificateless Aggregate Authentication Protocol with Revocation for Wireless Medical Sensor Networks

Abstract

Wireless medical sensor networks (WMSNs) enable continuous patient monitoring by transmitting sensitive physiological data over open wireless links. Given the resource-constrained nature and large-scale deployment of such networks, authentication mechanisms must be both lightweight and privacy-preserving. Moreover, due to the frequent turnover of patients and devices in hospital environments, timely member revocation is crucial to prevent discharged or compromised entities from injecting forged reports that could mislead medical diagnosis. Although existing pairing-free certificateless aggregate authentication schemes are efficient, they often suffer from critical security and privacy vulnerabilities. Recently, an efficient certificateless authentication scheme with revocation has been proposed. However, our analysis reveals that the scheme presents the following security vulnerabilities: (i) member witnesses can be recovered from public information, (ii) revocation checks can be bypassed via identity grafting attack, and (iii) user identities can be linked due to the long-term use of static pseudonyms. To address these issues, we propose a security-enhanced certificateless aggregate authentication protocol with revocation for WMSNs. Our design enforces strong identity–membership binding to resist grafting attacks, employs a non-interactive zero-knowledge membership proof to preserve witness secrecy, and adopts dynamic pseudonym rotation to achieve unlinkability. We provide formal security proofs and comprehensive performance comparisons. The results indicate that, at the same security level, our protocol achieves more efficient signature verification while maintaining communication overhead comparable to existing schemes. In addition, the overhead introduced by our revocation mechanism remains constant, making it well suited for large-scale WMSNs deployments with frequent membership changes.

1. Introduction

Wireless medical sensor networks (WMSNs) are a transformative healthcare-oriented IoT paradigm that integrates wearable or implantable sensors to establish a comprehensive monitoring ecosystem [1]. The continuous collection and reporting of critical physiological signals, including heart rate, blood pressure, and blood glucose levels, has been demonstrated to facilitate chronic disease management, rehabilitation tracking, and real-time in-hospital monitoring [2]. However, such networks are inherently exposed to eavesdroppable and interference-prone wireless environments, and the system attack surface is inevitably expanded, exposing patients to the risks of privacy leakage and data tampering.

Authentication mechanisms for WMSNs must achieve a high level of security while also accommodating strict resource constraints [3]. On the one hand, the integrity and authenticity of medical data are non-negotiable; once sensitive medical data are tampered with or forged, this may directly mislead clinical decisions and even endanger patients’ lives. On the other hand, sensor nodes are typically battery-powered and have limited computation, storage, and bandwidth. Consequently, traditional public key infrastructure (PKI) becomes too heavyweight due to costly certificate management [4], while identity-based cryptography (IBC) introduces key-escrow risks [5]. Certificateless public key cryptography (CL-PKC) does not inherit intrinsic escrow concerns while eliminating certificates, and thus emerges as a balanced solution. In addition, to alleviate network congestion caused by concurrent reporting from massive nodes, researchers have proposed various “aggregation” mechanisms, which can be mainly classified into data aggregation and signature aggregation. Data aggregation aims to statistically or computationally fuse multiple sensor readings to extract meaningful information while reducing data volume [6], but it usually needs to be processed at intermediate aggregators, which may enlarge the privacy exposure surface and introduce tampering or injection risks. In contrast, signature aggregation focuses on the cryptographic scalability of authentication. Certificateless aggregate signature (CLAS) schemes allow aggregators to compress multiple signatures into a single verifiable object for batch verification, reducing the authentication communication and verification overhead [7]. However, early CLAS constructions mostly relied on expensive bilinear pairing operations, and recent research has shifted towards the design of more lightweight pairing-free aggregatable signatures.

Despite these advances, a key gap remains when deploying them to real medical environments. Hospital settings are highly dynamic: frequent events such as patient discharge, device replacement, sensor loss, or temporary device lending require the system to revoke membership promptly; otherwise, compromised or misplaced devices may continue to authenticate with still-valid credentials and inject forged data. Meanwhile, the long-term use of static pseudonyms may render messages linkable, enabling patient privacy to be continuously tracked across sessions and over time. Therefore, authentication mechanisms for practical WMSNs must not only be lightweight and efficient but also satisfy the engineering requirements of instant revocation and unlinkability.

Recently, Shen et al. [8] proposed a novel RSA-accumulator-based CLAS scheme that facilitates dynamic membership management without expensive bilinear pairings. Although their design demonstrates notable efficiency, our detailed cryptanalysis reveals several critical security flaws: (1) membership witnesses can be recovered from public information and cross-session observations; (2) insufficient binding between membership credentials and signing keys enables a revoked entity to graft another valid membership and bypass revocation checking; and (3) long-term static pseudonyms and public-key components render messages linkable, endangering patient location and behavioral privacy.

Motivated by these observations, we propose a security-enhanced revocable certificateless aggregate authentication protocol tailored for WMSNs, which patches these weaknesses while enabling more efficient authentication and revocation. Our main contributions are summarized as follows.

• We revisit Shen et al.’s [8] scheme, identify its logical flaws in membership-witness protection and identity-binding mechanisms, and provide concrete attack paths.
• We propose a security-enhanced certificateless aggregate authentication protocol. We introduce a strong identity–membership binding mechanism to prevent grafting attacks, employ a zero-knowledge membership proof to protect witness secrecy, and adopt dynamic pseudonym rotation to achieve enhanced privacy protection.
• We provide formal security proofs and verification for the proposed protocol, and conduct systematic performance analysis and comparative evaluation in terms of computation, communication, and revocation overhead. The results demonstrate that our protocol achieves stronger security guarantees while maintaining favorable efficiency, making it more suitable for resource-constrained and dynamic WMSNs.

The remainder of this paper is organized as follows. Section 2 reviews related work. Section 3 introduces preliminaries and the system model. Section 4 and Section 5 review Shen et al.’s [8] scheme and present the corresponding cryptanalysis and concrete attack scenarios. Section 6 details our proposed protocol. Section 7 and Section 8 provide the security analysis and performance evaluation. Finally, Section 9 and Section 10 discuss the feasibility, limitations and future work of the paper, and give the final conclusion.

2. Related Work

The evolution of authentication protocols in WMSNs is largely constrained by the need to balance stringent security requirements with the limited resources of sensor nodes [9]. PKI-based solutions rely on digital certificates, yet certificate issuance, storage, and validation introduce additional management and communication overheads [10]. Identity-based cryptography (IBC/IBS) derives public keys from identities to simplify certificate management [11]; however, since user private keys are generated by a key generation center (KGC), IBC inherently suffers from the key-escrow problem. Although pairing-free IBS designs can reduce computation in sensor networks, they do not fundamentally eliminate the risks associated with escrow risks [12].

To balance the certificate-management burden and the key-escrow risk, Al-Riyami and Paterson introduced certificateless public key cryptography (CL-PKC), while the original construction was later shown to be insecure against Type-II adversaries [13]. Following CL-PKC, many schemes employed bilinear pairings to realize authentication, anonymity, and aggregation [14,15,16]. For instance, Meher et al. proposed a certificateless anonymous mutual-authentication protocol for WBANs and adopted a hybrid design combining DLP, ECDLP, and bilinear pairings to ensure security [16]. Nevertheless, pairing operations are expensive and thus remain unsuitable for resource-constrained WMSNs. In contrast, recent studies have increasingly explored pairing-free (ECC-based) certificateless authentication and certificateless aggregate signature (CLAS) designs. In the domain of healthcare WMSNs, Gayathri et al. proposed an efficient pairing-free CLAS scheme [17]. Liu et al. later proved that this scheme fails against Type-I and Type-II adversaries and presented an improved construction [18]. Subsequently, Qiao et al. analyzed Liu et al.’s scheme, demonstrated that it remains insecure against Type-II adversaries, and further proposed a new pairing-free CLAS scheme [19]. However, Yan et al. demonstrated that Qiao et al.’s scheme is still vulnerable to Type-I adversaries [20]. In the field of certificateless conditional privacy-preserving authentication for highly dynamic networks, Zhu et al. devised a security-enhanced scheme [21]. Yang et al. demonstrated the scheme’s vulnerability to Type-I and Type-III adversaries and proposed an improved design [22]; subsequently, Wu et al. subsequently revealed the vulnerability of Yang et al.’s improved scheme and presented a new certificateless aggregate signature construction to enhance security [23]. Overall, many pairing-free certificateless proposals repeatedly undergo a cycle of proposal, cryptanalysis, and patching under standard certificateless threat models. Moreover, the majority of these pairing-free designs do not take member revocation into consideration, a factor which serves to limit their suitability for the highly dynamic nature of practical WMSNs.

It is evident that, in order to address the limitations in authentication that are a consequence of dynamic membership changes, a number of revocation strategies have been integrated into certificateless settings. The most straightforward approach is based on certificate revocation lists (CRLs) or blacklists. The schemes devised by Zhang et al. and Guo et al. employ CRLs or blacklists [24,25]. However, Zhang et al.’s revocation check mainly targets the validity of specific signatures rather than directly revoking the signer’s membership, which limits its effectiveness against compromised nodes. Furthermore, Guo et al.’s scheme was recently reported to be vulnerable to Type-I adversaries [26]. Furthermore, the proliferation of such lists is directly proportional to the number of revoked users, resulting in a substantial augmentation of the storage and broadcast burden. In order to reduce the financial burden associated with CRL maintenance costs, Zhou et al. adopted the utilization of periodic time keys [27]. However, the revocation process may be subject to delays, owing to the implementation of discrete update intervals. Subsequently, Li et al. proposed an immediate-update revocation mechanism [28], and Wang et al. designed a revocation method by updating an area-related private key [29]. However, these approaches typically require the recomputation and distribution of fresh credentials to legitimate users via secure point-to-point delivery, resulting in limited update efficiency. Although Liang et al.’s polynomial-broadcast revocation update [30] circumvents point-to-point communication, the broadcast polynomial must embed coefficients for all current legitimate members, which may still incur substantial computation or communication costs during updates. Consequently, this may impede scalability in WMSNs.

In order to address the issues of scalability, the use of cryptographic accumulators as a compact alternative has been explored [31]. Representative accumulator models include those based on Merkle hash trees, bilinear pairings, and the strong RSA assumption. Camacho et al. [32] proposed a Merkle-hash-tree-based scheme that defines the root as the accumulator value. However, the membership proof size is $O\left(\log N\right)$. This logarithmic growth significantly increases communication costs as the network scales. Camenisch et al. [33] proposed a pairing-based accumulator framework. This framework requires a predefined upper bound q on the number of members, features $O\left(q\right)$-size public parameters, and incurs high computational costs due to pairing operations. As a result, it is unsuitable for large-scale, resource-constrained networks. In contrast, RSA cryptographic accumulators provide $O\left(1\right)$-size public parameters and $O\left(1\right)$-size membership witnesses, while supporting unbounded dynamic additions and deletions [34], which better matches the lightweight computation and efficient communication requirements of dynamic environments such as WMSNs. In recent work, Shen et al. proposed a certificateless authentication scheme based on an RSA accumulator [8]. This scheme employs an accumulator value and a membership witness to facilitate dynamic management of membership states. It disseminates update information via broadcast, thereby achieving notable efficiency advantages. However, subsequent analysis indicates that the construction still leaves several security aspects open. This paper proposes a revocable certificateless aggregate authentication protocol that is both more secure and more efficient, together with a more rigorous security proof and performance evaluation.

3. Preliminaries

In this section, we provide a concise overview of the cryptographic primitives employed in our construction. The subsequent section will introduce the system and security models of the proposed certificateless authentication scheme. The primary notations employed in the present proposal are outlined in

Table 1. Notations in our proposal.

Symbol	Definition
$\lambda$	Security parameter
t	Private key of TA
$T_{pub}$	Public key of TA
s	Private key of KGC
$P_{pub}$	Public key of KGC
$params$	System public parameters
$I{D}_i$	Real identity of $S{N}_i$
$PI{D}_i$	Pseudonym of $S{N}_i$
$I{D}_{prime}$	Prime selected for pseudonym binding
$pp{k}_i$	Partial private key of $S{N}_i$
$s{k}_i$	Full private key of $S{N}_i$
$P{K}_i$	Public key of $S{N}_i$
$acc$	RSA accumulator value
$wi{t}_i$	Membership witness of $S{N}_i$
${\pi }_i$	NIZK membership proof
${\delta }_i$	Authentication signature of $S{N}_i$
$m_i$	Medical message
$T_i$	Timestamp
$AUX$	Accumulator update message

.

3.1. Cryptographic Preliminaries

3.1.1. Elliptic Curve Cryptography

Elliptic curve cryptography (ECC) is based on group operations over an elliptic curve defined on a finite field, and is usually modeled as an additive cyclic group $\mathbb{G}$. Let $\mathbb{G}$ be of order q with generator P. For any $x\in {\mathbb{Z}}_q^{*}$, scalar multiplication is denoted by $xP$.

3.1.2. RSA Accumulator

RSA accumulator is a cryptographic primitive that aggregates a large set of values into a constant-size digest. Let $X=\{x_1,x_2,\dots ,x_n\}$ be a set of prime numbers. The accumulator value is computed as $Acc=g^{{\prod }_{i=1}^n{x}_i}\left(\mathrm{mod}N\right)$, where N is an RSA modulus and g is a generator. For a specific element $x_k\in X$, its membership witness $w_k$ is the accumulation of all other elements: $w_k=g^{{\prod }_{x_j\in X,j\ne k}{x}_j}\left(\mathrm{mod}N\right)$. The membership of $x_k$ can be efficiently verified by checking the equation $w_k^{x_k}\equiv Acc\left(\mathrm{mod}N\right)$.

3.1.3. Non-Interactive Zero-Knowledge Proof

Non-interactive zero-knowledge (NIZK) proofs allow a prover to convince a verifier that a public statement holds with respect to a hidden witness, while revealing nothing about the witness and requiring no interaction. In this paper, we adopt a Fiat–Shamir-based NIZK membership proof [35], whose proof generation and verification typically follow a three-move structure as follows:

(1) Commitment: The prover generates a commitment based on fresh randomness.

(2) Challenge: The challenge is computed via a hash function over the statement and the commitment to bind them.

(3) Response: The prover computes a response from the witness, the randomness, and the challenge.

The construction of NIZK proofs typically requires to satisfy completeness, zero-knowledge, and soundness so that an honest prover can always generate an acceptable proof, no verifier can learn any additional secret information from the proof, and no malicious prover can convince the verifier of a false statement.

3.2. Security Assumptions

3.2.1. ECDLP Assumption

The security of our ECC-based public-key components relies on the Elliptic Curve Discrete Logarithm Problem (ECDLP). Specifically, given a pair $(P,Q)$ where $Q=xP$ for an unknown $x\in {\mathbb{Z}}_q^{*}$, no probabilistic polynomial-time (PPT) adversary can compute x with non-negligible probability.

3.2.2. Strong RSA Assumption

The security of the RSA accumulator relies on the Strong RSA assumption. Given an RSA modulus N and a random element $z\in {\mathbb{Z}}_N^{*}$, the Strong RSA assumption states that no probabilistic polynomial-time (PPT) adversary can find a pair $(u,e)$ such that $u^e\equiv z\left(\mathrm{mod}N\right)$ with non-negligible probability, where e is a prime integer greater than 1.

3.2.3. Integer Factorization Assumption

Let $N=pq$ be an RSA modulus, where p and q are large primes. The integer factorization assumption states that for any probabilistic polynomial-time (PPT) adversary, the success probability of factoring N to recover p and q is negligible, which makes such factorization computationally infeasible.

3.3. System Model

Figure 1 depicts the system model of the proposed scheme, which involves five primary entities: Trusted Authority (TA), Key Generation Center (KGC), Sensor Node (SN), Ward Node (WN), and Medical Server (MS).

• Trusted Authority (TA): The TA is a fully trusted entity with significant computational capabilities. It is responsible for system initialization, generating RSA accumulator parameters, and generating pseudonyms for users. Additionally, the TA maintains the accumulator state and manages the batch joining and revocation of members by broadcasting update parameters.
• Key Generation Center (KGC): The KGC is a semi-trusted entity responsible for generating partial private keys. It cannot access the user’s full private key, thereby avoiding the key escrow problem.
• Sensor Node (SN): The SN is a resource-constrained device that is deployed on the patient. Its role is to collect physiological data such as heart rate and body temperature, sign the data, and transmit it to the Ward Node.
• Ward Node (WN): The WN functions as a gateway for a specific medical area, typically a hospital ward. It collects data transmitted by SNs within the area, verifies their membership proofs, and aggregates multiple valid signatures into a single one to reduce transmission bandwidth consumption. It then forwards the data to the Medical Server.
• Medical Server (MS): The MS is a back-end entity responsible for storing and processing medical data. It receives aggregated data from WNs, verifies the validity of the aggregate signatures, and provides authorized medical personnel with access to patients’ health statuses.

3.4. Security Model

In CLAS schemes, we adopt the standard security model and classify adversaries into five types according to their capabilities and resources, including the conventional Type-I to Type-III adversaries [21], as well as the attack-specific adversaries for witness recovery and identity grafting.

• Type-I Adversary (${\mathcal{A}}_{\mathit{I}}$): Models an external adversary capable of replacing public keys but lacking access to the master secret key.
• Type-II Adversary (${\mathcal{A}}_{\mathit{II}}$): Models a malicious KGC possessing the master secret key but is restricted from replacing users’ public keys.
• Type-III Adversary (${\mathcal{A}}_{\mathit{III}}$): Models an adversary launching fully chosen-key attacks to compromise aggregation soundness by forging a valid aggregate signature from invalid components.
• Witness-Recovery Adversary (${\mathcal{A}}_{\mathit{WR}}$): Models a malicious insider capable of eavesdropping the public information transmitted over the open channel, aiming to recover a legitimate user’s witness $wi{t}_i$ via computation, thereby breaking witness secrecy.
• Identity-Grafting Adversary (${\mathcal{A}}_{\mathit{IG}}$): Models a revoked-but-malicious insider capable of obtaining a valid membership witness of an unrevoked user, aiming to graft legitimate identities onto its own pseudonym and generate signatures acceptable to the verifier.

To formally prove that our proposed scheme achieves Existential Unforgeability under Chosen Message Attacks (EUF-CMA) and Aggregate Soundness, we define three standard challenge-response games between a challenger $\mathcal{C}$ and three adversaries (${\mathcal{A}}_I,{\mathcal{A}}_{II},{\mathcal{A}}_{III}$).

• Game I: Against Type-I Adversary (${\mathcal{A}}_{\mathit{I}}$).

Setup Phase: $\mathcal{C}$ runs Setup to generate $params$ and the master secret key s, sends $params$ to ${\mathcal{A}}_I$, and keeps s secret.

Query Phase: ${\mathcal{A}}_I$ adaptively issues the following queries.

(1) Create-User: on input $PI{D}_i$, $\mathcal{C}$ creates the user state and returns the public key $P{K}_i$.

(2) Reveal-Partial-Private-Key: on input $PI{D}_i$, $\mathcal{C}$ returns the partial private key $pp{k}_i$.

(3) Reveal-Secret-Value: on input $PI{D}_i$, $\mathcal{C}$ returns the user’s secret value $x_i$.

(4) Reveal-Witness: on input $PI{D}_i$, $\mathcal{C}$ returns the accumulator witness $wi{t}_i$.

(5) Reveal-Public-Key: on input $PI{D}_i$, $\mathcal{C}$ returns the current $P{K}_i$.

(6) Replace-Public-Key: on input $(PI{D}_i,P{K}_i^{\prime })$, $\mathcal{C}$ replaces the current $P{K}_i$ with $P{K}_i^{\prime }$.

(7) Sign: on input $(PI{D}_i,m_i)$, $\mathcal{C}$ returns a valid authentication transcript for $m_i$ under the current key material of $PI{D}_i$.

Forgery Phase: ${\mathcal{A}}_I$ outputs a tuple $(PI{D}^{*},m^{*},{\delta }^{*},P{K}^{*},{\pi }^{*},T^{*})$ and wins if the following hold.

(1) The transcript is accepted by the verification algorithm.

(2) ${\mathcal{A}}_I$ never queried Reveal-Partial-Private-Key on $PI{D}^{*}$.

(3) ${\mathcal{A}}_I$ never queried Sign on $(PI{D}^{*},m^{*})$.

• Game II: Against Type-II Adversary (${\mathcal{A}}_{\mathit{II}}$).

Setup Phase: $\mathcal{C}$ runs Setup to obtain $(params,s)$ and sends both $(params,s)$ to ${\mathcal{A}}_{II}$.

Query Phase: ${\mathcal{A}}_{II}$ can adaptively issue Create-User, Reveal-Secret-Value, Reveal-Witness, Reveal-Public-Key, and Sign queries as defined in Game I. In this game, the Replace-Public-Key query is not allowed.

Forgery Phase: ${\mathcal{A}}_{II}$ outputs $(PI{D}^{*},m^{*},{\delta }^{*},P{K}^{*},{\pi }^{*},T^{*})$ and wins if the following hold.

(1) The transcript is accepted by the verification algorithm.

(2) ${\mathcal{A}}_{II}$ never queried Reveal-Secret-Value on $PI{D}^{*}$.

(3) ${\mathcal{A}}_{II}$ never queried Sign on $(PI{D}^{*},m^{*})$.

• Game III: Against Type-III Adversary (${\mathcal{A}}_{\mathit{III}}$).

Setup Phase: $\mathcal{C}$ runs Setup and sends $params$ to ${\mathcal{A}}_{III}$.

Query Phase: ${\mathcal{A}}_{III}$ is allowed to adaptively issue the following queries.

(1) Reveal-Full-Private-Key: on input $PI{D}_i$, $\mathcal{C}$ returns the full private key material of $PI{D}_i$ (including $x_i,pp{k}_i$).

(2) AggVerify: on input an aggregate candidate ${\delta }_{agg}$ with a set of message–identity pairs ${\left\{(m_i,PI{D}_i)\right\}}_{i=1}^n$, $\mathcal{C}$ runs AggVerify and returns the result.

Forgery Phase: ${\mathcal{A}}_{III}$ outputs aggregate transcript ${\delta }_{agg}^{*}$ on ${\left\{(m_i,PI{D}_i)\right\}}_{i=1}^n$ and wins if the following hold.

(1) $\mathsf{AggVerify}$ accepts ${\delta }_{agg}^{*}$.

(2) There exists an index i such that the individual $\mathsf{Verify}$ rejects the corresponding component transcript for $(PI{D}_i,m_i)$.

4. Review of Shen et al.’s [8] Scheme

This section provides an overview of the certificateless authentication scheme proposed by Shen et al. [8], which integrates RSA accumulators to manage member dynamics in CLAS. The scheme consists of four primary phases: Setup, Registration, Authentication, and Membership Key Update.

4.1. Setup

The system initialization is collaboratively performed by the Trusted Authority (TA) and the Key Generation Center (KGC).

The TA selects global parameters $\{\mathbb{G},q,P\}$ for the elliptic curve group and hash functions $H_0$∼$H_5$. Both authorities generate their master secret keys ($t,s\in {\mathbb{Z}}_q^{*}$) and publish the corresponding public keys $T_{pub}=t·P$ and $P_{pub}=s·P$.

To support dynamic membership, the TA initializes the RSA accumulator by determining the modulus N and the base value $Ac{c}_{init}=g$.

Then the system parameters $params=\{\mathbb{G},q,P,P_{pub},T_{pub},N,g,H_0,H_1,H_2,H_3,H_4,H_5\}$ are broadcast to all entities.

4.2. Registration

In this phase, a new entity (SN or MS) interacts with the TA and KGC to register its identity and establish a valid key pair. The detailed procedure is executed as follows:

(1) A user ${\mathrm{User}}_i$ selects a random secret $x_i\in {\mathbb{Z}}_q^{*}$ and computes $X_i=x_i·P$. Additionally, the user chooses a unique random prime number $I{D}_{prime}$ from the prime set $Z_{prime}$. The tuple $(I{D}_i,I{D}_{prime},X_i)$ is transmitted to the TA via a secure channel, where $I{D}_i$ represents the user’s real identity.

(2) Upon receiving the request, the TA sets the first part of the pseudonym as $PI{D}_{i,1}=I{D}_{prime}$. To mask the real identity, the second part is computed as $PI{D}_{i,2}=I{D}_i\oplus H_0(g·P_{pub},I{D}_{prime})$. The full pseudonym is defined as $PI{D}_i=(PI{D}_{i,1},PI{D}_{i,2})$.

(3) The TA retrieves the current accumulator value $ac{c}_{TA}$ to initialize the user’s witness $wi{t}_i=ac{c}_{TA}$. It then forwards the pseudonym $PI{D}_i$ to the KGC.

(4) The KGC selects a random $r_i\in {\mathbb{Z}}_q^{*}$ and computes $R_i=r_i·P$. It then generates the partial private key using its master secret key s via the equation $pp{k}_i=r_i+s·h_1\left(\mathrm{mod}q\right)$, where $h_1=H_1(P_{pub},X_i,R_i,PI{D}_{i,2})$. The KGC returns the tuple $(pp{k}_i,R_i,wi{t}_i)$ to the user.

(5) Upon receiving the data, ${\mathrm{User}}_i$ computes the current accumulator value locally by $ac{c}_i=wi{t}_i^{PI{D}_{i,1}}\left(\mathrm{mod}N\right)$. This value is stored for future membership verification.

(6) ${\mathrm{User}}_i$ computes a public witness $pwi{t}_i=wi{t}_i^{h_2}\left(\mathrm{mod}N\right)$, where $h_2=H_2(PI{D}_i,X_i,ac{c}_i)$. Finally, the user sets the full private key as $s{k}_i=(x_i,pp{k}_i,wi{t}_i)$ and the full public key as $P{K}_i=(X_i,R_i,pwi{t}_i)$.

4.3. Authentication

This phase involves the processes of generating and verifying individual signatures, as well as the aggregation performed by the Ward Node (WN).

4.3.1. Signature Generation

To sign a medical data message $m_i$, the entity ${\mathrm{User}}_i$ executes the following operations:

(1) ${\mathrm{User}}_i$ selects a random number $u_i\in {\mathbb{Z}}_q^{*}$ and computes $U_i=u_i·P$.

(2) ${\mathrm{User}}_i$ computes two hash values required for the signature: $h_3=H_3(PI{D}_i,R_i,U_i)$ and $h_4=H_4(PI{D}_i,m_i,U_i,P{K}_i,T_i)$, where $T_i$ is the current timestamp.

(3) The signature ${\sigma }_i$ is calculated by: ${\sigma }_i=u_i+h_3·x_i+h_4·pp{k}_i\left(\mathrm{mod}q\right)$.

(4) Finally, ${\mathrm{User}}_i$ outputs the signature tuple ${\delta }_i=({\sigma }_i,U_i)$ and transmits the packet $({\delta }_i,m_i,PI{D}_i,P{K}_i,T_i)$ to the Ward Node.

4.3.2. Signature Verification

Upon receiving the data packet, the verifier ${\mathrm{User}}_j$ performs the following checks:

(1) ${\mathrm{User}}_j$ verifies if the timestamp satisfies $|T_j-T_i| \le \Delta T$. If the delay exceeds the threshold, the message is discarded.

(2) To ensure ${\mathrm{User}}_i$ is a valid member, ${\mathrm{User}}_j$ computes $h_2^{\prime }=H_2(PI{D}_i,X_i,ac{c}_j)$ and verifies if $pwi{t}_i^{PI{D}_{i,1}}\equiv ac{c}_j^{h_2^{\prime }}\left(\mathrm{mod}N\right)$, where $ac{c}_j$ is the locally accumulator value.

(3) If the membership is valid, ${\mathrm{User}}_j$ computes $h_1^{\prime }=H_1(P_{pub},X_i,R_i,PI{D}_{i,2})$, $h_3^{\prime }=H_3(PI{D}_i,R_i,U_i)$ and $h_4^{\prime }=H_4(PI{D}_i,m_i,U_i,P{K}_i,T_i)$. The signature is accepted if the equation ${\sigma }_i·P=U_i+h_3^{\prime }·X_i+h_4^{\prime }·(R_i+h_1^{\prime }·P_{pub})$ holds.

4.3.3. Aggregate Signature Generation

To reduce verification overhead, the Ward Node (WN) aggregates valid signatures destined for the Medical Server. The procedure is as follows:

(1) Upon receiving n message tuples, the WN checks the timestamp of each message. Any tuple with a delay exceeding the threshold $\Delta T$ is discarded.

(2) The WN verifies the validity of each sender using its local accumulator $ac{c}_{WN}$. For each user ${\mathrm{User}}_i$, it computes $h_{2,i}^{\prime }=H_2(PI{D}_i,X_i,ac{c}_{WN})$ and checks if the equation $pwi{t}_i^{PI{D}_{i,1}}\equiv ac{c}_{WN}^{h_{2,i}^{\prime }}\left(\mathrm{mod}N\right)$ holds. Tuples failing this check are rejected.

(3) To resist information injection attacks, the WN generates a random vector $\eta =\{{\eta }_2,\dots ,{\eta }_n\}$, where each ${\eta }_i$ is a distinct small integer chosen from $[2,2^l]$. Note that the first signature remains unweighted.

(4) The WN computes the aggregate signature ${\sigma }_{agg}={\sigma }_1+{\sum }_{i=2}^n{\eta }_i·{\sigma }_i\left(\mathrm{mod}q\right)$. The final aggregate tuple ${\delta }_{agg}=({\sigma }_{agg},{\left\{U_i\right\}}_{i=1}^n)$ is then transmitted with the current timestamp.

4.3.4. Aggregate Signature Verification

Upon receiving the batch from the WN, the recipient ${\mathrm{User}}_k$ (Medical Server) verifies the aggregate signature as follows:

(1) ${\mathrm{User}}_k$ confirms that $|T_k-T_{agg}| \le \Delta T$.

(2) For each $i\in \{1,\dots ,n\}$, ${\mathrm{User}}_k$ computes the hash values $h_{3,i}^{\prime },h_{4,i}^{\prime }$ and $h_{1,i}^{\prime }$ based on the received public keys and messages.

(3) The aggregate signature is valid if the following equation holds: ${\sigma }_{agg}·P=U_{agg}+X_{agg}+R_{agg}+P_{pub}·\left(h_{1,1}^{\prime }{h}_{4,1}^{\prime }+{\sum }_{i=2}^n{\eta }_i{h}_{1,i}^{\prime }{h}_{4,i}^{\prime }\right)$, where the aggregated components are defined as $U_{agg}=U_1+{\sum }_{i=2}^n{\eta }_i{U}_i$, $X_{agg}=h_{3,1}^{\prime }{X}_1+{\sum }_{i=2}^n{\eta }_i{h}_{3,i}^{\prime }{X}_i$, and $R_{agg}=h_{4,1}^{\prime }{R}_1+{\sum }_{i=2}^n{\eta }_i{h}_{4,i}^{\prime }{R}_i$.

4.4. Membership Key Update

Shen et al. [8] used an RSA accumulator-based mechanism to manage dynamic membership. By broadcasting an Auxiliary Update message ($AUX$), the TA allows users to update their witnesses locally without having to reinitialize the system.

4.4.1. AUX Distribution

The TA generates and broadcasts the $AUX$ message based on the specific membership change scenario described below.

(1) When a new user with the prime identifier $PI{D}_{n,1}$ joins the system ($token=1$), the TA selects a random $\psi \in {\mathbb{Z}}_q^{*}$ to derive $\mathsf{\Psi }=\psi ·P$. It then computes the signature $Sig=\psi +{\gamma }_n·t$, where ${\gamma }_n=H_5(P_{pub},\mathsf{\Psi },PI{D}_{n,1}\left|\right|token)$. Subsequently, the TA updates the global accumulator by computing $ac{c}_{TA}^{new}=ac{c}_{TA}^{PI{D}_{n,1}}\left(\mathrm{mod}N\right)$ and broadcasts the message $AUX=\{Sig,PI{D}_{n,1},token,\mathsf{\Psi },T_m\}$.

(2) When an existing user with $PI{D}_{r,1}$ is revoked ($token=0$), the TA generates a corresponding signature using ${\gamma }_r=H_5(P_{pub},\mathsf{\Psi },PI{D}_{r,1}\left|\right|token)$. In this case, the accumulator is updated by removing the revoked user’s prime representative: $ac{c}_{TA}^{new}=ac{c}_{TA}^{PI{D}_{r,1}^{-1}\left(\mathrm{mod}\varphi \left(S\right)\right)}\left(\mathrm{mod}N\right)$. Finally, the TA broadcasts $AUX=\{Sig,PI{D}_{r,1},token,\mathsf{\Psi },T_m\}$.

4.4.2. Key Updating

Upon receiving $AUX$, a valid user ${\mathrm{User}}_u$ updates their keys as follows:

(1) ${\mathrm{User}}_u$ validates the timestamp $T_m$ and checking $Sig·P=\mathsf{\Psi }+\gamma ·T_{pub}$.

(2) If $token\ne 0$, ${\mathrm{User}}_u$ updates the witness and accumulator directly: $wi{t}_u^{\prime }=wi{t}_u^{PI{D}_{n,1}}\left(\mathrm{mod}N\right)$ and $ac{c}_u^{\prime }=ac{c}_u^{PI{D}_{n,1}}\left(\mathrm{mod}N\right)$.

(3) If $token=0$, ${\mathrm{User}}_u$ computes integers $v,w$ satisfying $v·PI{D}_{u,1}+w·PI{D}_{r,1}=1$ via the Extended Euclidean algorithm. The values are updated as $wi{t}_u^{\prime }=wi{t}_u^w·ac{c}_u^v\left(\mathrm{mod}N\right)$ and $ac{c}_u^{\prime }={\left(wi{t}_u^{\prime }\right)}^{PI{D}_{u,1}}\left(\mathrm{mod}N\right)$.

(4) ${\mathrm{User}}_u$ computes the new public witness $pwi{t}_u^{\prime }={\left(wi{t}_u^{\prime }\right)}^{H_2(PI{D}_u,X_u,ac{c}_u^{\prime })}$ to finalize the key pair.

5. Cryptanalysis of Shen et al.’s [8] Scheme

Despite the security proofs provided in the random oracle model, a detailed cryptanalytic review has revealed that there are intrinsic design flaws in the scheme proposed by Shen et al. [8]. Specifically, it fails to ensure witness secrecy, sound revocation, and message unlinkability, all of which are critical for wireless medical sensor networks.

5.1. Witness Recovery Attack

Shen et al.’s [8] scheme security relies on the secrecy of the accumulator witness $wi{t}_i$. To formalize the witness recovery attack, we consider a polynomial-time witness-recovery adversary ${\mathcal{A}}_{WR}$, which represents a legitimate-but-malicious insider. ${\mathcal{A}}_{WR}$ has the following capabilities:

(1) ${\mathcal{A}}_{WR}$ can eavesdrop on the TA update broadcast information;

(2) ${\mathcal{A}}_{WR}$ can eavesdrop on the transcripts of the same user across different sessions;

(3) ${\mathcal{A}}_{WR}$ can perform polynomial-time computations on the collected data.

We say that ${\mathcal{A}}_{WR}$ succeeds if it outputs a valid accumulator witness $wi{t}_i$ of some legitimate target user $U_i$, thereby breaking witness secrecy.

Under this adversarial model, we show that an insider can derive the witness of a newly joining user from the broadcast information, and can also recover any target user’s $wi{t}_i$ from public witnesses across multiple sessions. The concrete attacks are as follows.

5.1.1. Recovery via Member-Joining Broadcast

This attack exploits the fact that the witness of a newly joining user is initialized as the current accumulator value. Hence, any registered user who can maintain the current accumulator can immediately obtain the new user’s witness.

Attack procedure:

Let $\mathcal{A}$ be a legitimate malicious user holding a valid identity prime $PI{D}_{\mathcal{A},1}$ and witness $wi{t}_{\mathcal{A}}$. $\mathcal{A}$ can locally compute the current accumulator value as

$$ac{c}_{\mathrm{old}}=wi{t}_{\mathcal{A}}^{PI{D}_{\mathcal{A},1}}\left(\mathrm{mod}N\right).$$

When a new user ${\mathrm{User}}_n$ joins, the TA broadcasts the new accumulator element $PI{D}_{n,1}$ and initializes the new witness as the current accumulator:

$$wi{t}_n=ac{c}_{\mathrm{old}}.$$

Therefore, upon intercepting the broadcast, the malicious user $\mathcal{A}$ immediately obtains the valid components $\{PI{D}_{n,1},wi{t}_n\}$.

5.1.2. Recovery via Extended Euclidean Algorithm

In Shen et al.’s [8] scheme, user publishes $pwi{t}_i=wi{t}_i^{h_2}\left(\mathrm{mod}N\right)$, where $h_2$ is derived from the session transcript and varies with the accumulator $acc$. We show that a legitimate but malicious insider can recover the secret witness $wi{t}_i$ by collecting two $pwit$ values of the same target across different sessions and applying the Extended Euclidean Algorithm.

Attack procedure:

Let $\mathcal{A}$ be a legitimate malicious user. Following the protocol, $\mathcal{A}$ can obtain the current accumulator value $acc$ and can link two broadcasts belonging to the same target ${\mathrm{User}}_i$.

In session $t_1$, $\mathcal{A}$ captures the target’s public witness

$$pwi{t}_1=wi{t}_i^{h_2}\mathrm{mod}N,h_2=H_2(PI{D}_i,X,i,ac{c}_1),$$

After the system state is updated, the accumulator changes from $ac{c}_1$ to $ac{c}_2$. In a later session $t_2$, $\mathcal{A}$ captures another public witness from the same target:

$$pwi{t}_2=wi{t}_i^{h_2^{\prime }}\mathrm{mod}N,h_2^{\prime }=H_2(PI{D}_i,X,i,ac{c}_2).$$

Under the random oracle model, the output of $H_2(·)$ can be treated as a random integer. According to the result of Nymann et al. [36], the probability that two integers are coprime is $P=\mathrm{Pr}[\gcd (h_2,h_2^{\prime })=1]=6/{\pi }^2\approx 0.6079$. Thus, by collecting two sessions, the adversary obtains a coprime pair $(h_2,h_2^{\prime })$ with probability of about P. More generally, if the adversary collects k sessions, there are $\left({\displaystyle \genfrac{}{}{0pt}{}{k}{2}}\right)$ candidate pairs, and the probability of obtaining at least one coprime pair can be estimated as $\mathrm{Pr}(\exists i<j:\gcd (h_i,h_j)=1)\approx 1-{(1-P)}^{\left({\displaystyle \genfrac{}{}{0pt}{}{k}{2}}\right)}$. When $k=3$, this probability can be as high as $1-{(1-P)}^3\approx 0.9397$.

Once a coprime pair $(h_2,h_2^{\prime })$ is obtained, A runs the Extended Euclidean Algorithm to find integers $(a,b)$ satisfying $a{h}_2+b{h}_2^{\prime }=1$. It then computes

$$pwi{t}_1^a·pwi{t}_2^b\equiv wi{t}_i^{a{h}_2}·wi{t}_i^{b{h}_2^{\prime }}\equiv wi{t}_i^{a{h}_2+b{h}_2^{\prime }}\equiv wi{t}_i\left(\mathrm{mod}N\right),$$

Consequently, the insider adversary recovers the secret witness $wi{t}_i$ and obtains the valid components $\{PI{D}_{i,1},wi{t}_i\}$.

5.2. Identity Grafting Attack

In Shen et al.’s [8] scheme, the revocation mechanism relies solely on the invalidation of the accumulator element $PI{D}_{i,1}$. To formalize the identity grafting attack, we consider a polynomial-time identity-grafting adversary ${\mathcal{A}}_{IG}$, which represents a revoked-but-malicious insider. ${\mathcal{A}}_{IG}$ has the following capabilities:

(1) ${\mathcal{A}}_{IG}$ can retain its long-term secret and continue generating signatures;

(2) ${\mathcal{A}}_{IG}$ can eavesdrop on the public information transmitted over the open channel;

(3) ${\mathcal{A}}_{IG}$ can obtain a valid membership pair $(PI{D}_{j,1},wi{t}_j)$ of some unrevoked user $U_j$.

We say that ${\mathcal{A}}_{IG}$ succeeds if, although its own identity has already been revoked, it can still output an authentication transcript that is accepted by the verifier.

Under this adversarial model, we show that ${\mathcal{A}}_{IG}$ can graft the valid membership pair of $U_j$ into its own pseudonym and generate a valid signature, thereby bypassing the revocation check. The concrete attack procedure is given as follows.

Attack Procedure:

Let $\mathcal{A}$ be a legitimate but revoked user with identity $PI{D}_{\mathcal{A}}=(PI{D}_{\mathcal{A},1},PI{D}_{\mathcal{A},2})$, public key components $(X_{\mathcal{A}},R_{\mathcal{A}})$, and private keys $(x_{\mathcal{A}},pp{k}_{\mathcal{A}})$. Note that $pp{k}_{\mathcal{A}}$ satisfies $pp{k}_{\mathcal{A}}=r_{\mathcal{A}}+s·h_{1,\mathcal{A}}$, where $h_{1,\mathcal{A}}=H_1(P_{pub},X_{\mathcal{A}},R_{\mathcal{A}},PI{D}_{\mathcal{A},2})$. After revocation, $PI{D}_{\mathcal{A},1}$ is removed from the accumulator $acc$, invalidating $\mathcal{A}$’s witness.

Using the witness recovery methods from Section 5.1, $\mathcal{A}$ obtains a valid membership pair $\{PI{D}_{j,1},wi{t}_j\}$ belonging to an active, non-revoked user ${\mathrm{User}}_j$. $\mathcal{A}$ then constructs a grafted identity $PI{D}^{*}$ by combining the valid accumulator element of ${\mathrm{User}}_j$ with its own identity verification element:

$$PI{D}^{*}=(PI{D}_1^{*},PI{D}_2^{*}):=(PI{D}_{j,1},PI{D}_{\mathcal{A},2}).$$

To pass the membership verification, $\mathcal{A}$ computes the updated hash $h_2^{*}$ and the corresponding public witness $pwi{t}^{*}$ using the current accumulator $acc$:

$$h_2^{*}=H_2(PI{D}^{*},X_{\mathcal{A}},acc),pwi{t}^{*}=wi{t}_j^{h_2^{*}}\left(\mathrm{mod}N\right).$$

$\mathcal{A}$ generates a valid signature for a message m using its revoked (but mathematically valid) signing keys. $\mathcal{A}$ selects a random $u^{*}\in {\mathbb{Z}}_q^{*}$, computes $U^{*}=u^{*}·P$, and calculates the signature verification hashes based on the grafted identity $PI{D}^{*}$:

$$h_3^{*}=H_3(PI{D}^{*},R_{\mathcal{A}},U^{*}),h_4^{*}=H_4(PI{D}^{*},m,U^{*},P{K}_{\mathcal{A}},T).$$

Using its original private keys $x_{\mathcal{A}}$ and $pp{k}_{\mathcal{A}}$, $\mathcal{A}$ computes the signature ${\sigma }^{*}$:

$${\sigma }^{*}=u^{*}+h_3^{*}·x_{\mathcal{A}}+h_4^{*}·pp{k}_{\mathcal{A}}\left(\mathrm{mod}q\right).$$

Finally, $\mathcal{A}$ broadcasts the forged packet ${\mathcal{M}}^{*}=(PI{D}^{*},{\sigma }^{*},U^{*},X_{\mathcal{A}},R_{\mathcal{A}},pwi{t}^{*},m,T)$.

Verification Analysis:

Upon receiving ${\mathcal{M}}^{*}$, the verifier computes $h_2^{\prime }=H_2(PI{D}^{*},X_{\mathcal{A}},acc)$ and checks if

$${\left(pwi{t}^{*}\right)}^{PI{D}_1^{*}}\equiv ac{c}^{h_2^{\prime }}\left(\mathrm{mod}N\right).$$

Since $PI{D}_1^{*}=PI{D}_{j,1}$ and $pwi{t}^{*}$ is derived from the valid $wi{t}_j$, this verification holds.

The verifier calculates $h_1^{\prime }=H_1(P_{pub},X_{\mathcal{A}},R_{\mathcal{A}},PI{D}_2^{*})$, $h_3^{\prime }=H_3(PI{D}^{*},R_{\mathcal{A}},U^{*})$, and $h_4^{\prime }=H_4(PI{D}^{*},m,U^{*},P{K}_{\mathcal{A}},T)$. It then checks the equation:

$${\sigma }^{*}·P\stackrel{?}{=}{U}^{*}+h_3^{\prime }·X_{\mathcal{A}}+h_4^{\prime }·(R_{\mathcal{A}}+h_1^{\prime }·P_{pub}).$$

Because ${\sigma }^{*}$ is generated using the correct private keys corresponding to $X_{\mathcal{A}}$ and $R_{\mathcal{A}}$, and the only hash value whose input the adversary cannot tamper with, namely $h_1^{\prime }$ (which is computed by the KGC and embedded into the partial private key $ppk$), is not bound to $PI{D}_1^{*}$, the equality is fully satisfied during verification as well.

Thus, the verifier accepts ${\mathcal{M}}^{*}$ as valid, the revocation is completely bypassed.

5.3. Message Linkability Attack

In Shen et al.’s [8] scheme, the identity-related fields carried in each packet, including the pseudonym $PI{D}_i=(PI{D}_{i,1},PI{D}_{i,2})$ and the public key components $(X_i,R_i)$, remain static and repeatedly appear within a long observation window. Therefore, a passive eavesdropper can group packets by the repeated $PI{D}_i$ or $(X_i,R_i)$ and link multiple messages to the same sender. In wireless medical sensor networks, this enables the persistent tracking of a patient’s communication trace, allowing the adversary to infer healthcare-related habits and activity patterns from external features such as transmission timing and traffic direction. This violates unlinkability.

Moreover, message linkability directly enables the witness recovery attack described in Section 5.1. This attack requires linking two public witnesses of the same user across different sessions; thus, static identity fields both leak privacy and provide the necessary condition for cross-session witness recovery.

6. The Proposed Protocol

To remedy the intrinsic design flaws in Shen et al.’s [8] scheme, the main improvements of our protocol are summarized as follows (

Table 2. Summary of key improvements on Shen et al.’s [8] scheme.

Aspect	Limitations in Shen et al.’s [8]	Improvements in Ours
Security	Vulnerable to witness recovery attack.	Non-interactive zero-knowledge proof.
Revocation	Vulnerable to identity grafting attack.	Strong identity–membership binding.
Unlinkability	Static single pseudonym.	Pseudonym pool with dynamic rotation.
Complexity	Multi-hash-assisted binding structure.	Single-hash-driven signature design.

).

• In the certificateless partial private key $pp{k}_i$, we bind the prime pseudonym $PI{D}_{i,1}$ to $(PI{D}_{i,2},X_i,R_i)$ via a hash function, preventing identity grafting attacks.
• We adopt a non-interactive zero-knowledge membership proof, enabling a user to prove the relation $ac{c}_j=wi{t}_i^{PI{D}_{i,1}}\mathrm{mod}N$ while keeping $wi{t}_i$ hidden, and prevent witness recovery attacks based on extended Euclid algorithm.
• We introduce a per-user pseudonym pool with periodic switching, and TA broadcasts only a product-form update exponent E for the pool, which prevents message linkability and witness recovery attacks based on broadcast updates.
• We redesign the signature computation into a single-hash-driven linear form, improving the efficiency of signature generation and verification.

6.1. Setup

With the security parameter $\lambda$, TA and KGC initialize the algebraic environments, public key, hash interfaces, and the RSA-accumulator for the certificateless authentication system, while keeping their secret values private.

(1) TA selects a cyclic group $\mathbb{G}$ with $\left|\mathbb{G}\right|=q$ and generator P. It chooses $t\in {\mathbb{Z}}_q^{*}$ and publishes the corresponding public key $T_{pub}=t·P$.

(2) KGC chooses its master secret $s\in {\mathbb{Z}}_q^{*}$ and releases the master public key $P_{pub}=s·P$.

(3) TA instantiates the following hash functions that are used in the protocol:

$H_0:\mathbb{G}\times {\mathbb{Z}}_N^{*}\to {\{0,1\}}^{*}$,

$H_1:{\mathbb{G}}^3\times {\left({\{0,1\}}^{*}\right)}^2\to {\mathbb{Z}}_q^{*}$,

$H_2:{\mathbb{G}}^2\times {\left({\mathbb{Z}}_N^{*}\right)}^2\times {\left({\{0,1\}}^{*}\right)}^2\to {\{0,1\}}^{*}$,

$H_3:{\mathbb{G}}^3\times {\left({\mathbb{Z}}_N^{*}\right)}^3\times {\left({\{0,1\}}^{*}\right)}^4\to {\mathbb{Z}}_q^{*}$,

$H_4:{\mathbb{G}}^2\times {\mathbb{Z}}_N^{*}\times {\left({\{0,1\}}^{*}\right)}^3\to {\mathbb{Z}}_q^{*}$.

(4) TA generates the RSA modulus for the accumulator by selecting two large primes $B,D$ and setting $N=BD$. It then initializes the accumulator by choosing a random generator $g\in {\mathbb{Z}}_N^{*}$ and setting $ac{c}_{\mathrm{init}}=g$.

(5) Finally, TA publishes the system parameters as $params=\{\mathbb{G},q,P,N,T_{pub},P_{pub},H_0,H_1,H_2,H_3,H_4\}$.

6.2. Registration

Upon receiving a registration request from a user ${\mathrm{User}}_i$ with real identity $I{D}_i$, the TA allocates a pseudonym pool and accumulator-membership witnesses, while the KGC issues the corresponding certificateless partial private keys that are bound to $PI{D}_{i,1}$ to prevent Identity Grafting Attack.

(1) ${\mathrm{User}}_i$ randomly selects n secret values ${\left\{x_k\right\}}_{k=1}^n\in Z_q^{*}$ and computes the corresponding public keys $X_k=x_k·P$ for each $k\in \{1,\dots ,n\}$. It then sends $(I{D}_i,{\left\{X_k\right\}}_{k=1}^n)$ to TA through a secure channel.

(2) For the k-th public key of ${\mathrm{User}}_i$ (for $k=1,\dots ,n$), TA chooses a fresh prime representative $I{D}_{k,\mathrm{prime}}$ and sets $PI{D}_{k,1}=I{D}_{k,\mathrm{prime}}$, where $\gcd (I{D}_{k,\mathrm{prime}},N)=1$ holds. It then computes $PI{D}_{k,2}=I{D}_i\oplus H_0\left(t·X_k,I{D}_{k,\mathrm{prime}}\right)$, and stores the tracing record in its private table for future identity recovery.

(3) Then TA computes the batch exponent $E_i={\prod }_{k=1}^{n}PI{D}_{k,1}\mathrm{mod}\phi \left(N\right)$, and performs accumulator update as $ac{c}_{new}=ac{c}_{old}^{E_i}\mathrm{mod}N$. For each $k\in \{1,\dots ,n\}$, TA further computes the witness exponent $E_k={\prod }_{\ell =1,\ell \ne k}^{n}PI{D}_{\ell ,1}\mathrm{mod}\phi \left(N\right)$ and derives the corresponding membership witness as $wi{t}_k=ac{c}_{old}^{E_k}\mathrm{mod}N$. Then TA sends ${\left\{(PI{D}_{k,1},PI{D}_{k,2},wi{t}_k)\right\}}_{k=1}^n$ to ${\mathrm{User}}_i$, sends ${\left\{(PI{D}_{k,1},PI{D}_{k,2},X_k)\right\}}_{k=1}^n$ to KGC via a secure channel.

(4) Upon receiving the message from TA, for each k, KGC randomly selects $r_k\in {\mathbb{Z}}_q^{*}$ and computes $R_k=r_k·P$. It then computes $h_1=H_1(P_{pub},X_k,R_k,PI{D}_{k,1},PI{D}_{k,2})$, and outputs the certificateless partial private key $pp{k}_k=(r_k+h_1·s)\mathrm{mod}q$. KGC securely returns ${\left\{(R_k,pp{k}_k)\right\}}_{k=1}^n$ to ${\mathrm{User}}_i$, and ${\mathrm{User}}_i$ keeps ${\left\{pp{k}_k\right\}}_{k=1}^n$ secret.

(5) After receiving the messages from TA and KGC, ${\mathrm{User}}_i$ first verifies the correctness of each $pp{k}_k$ by checking whether $pp{k}_k·P\stackrel{?}{=}{R}_k+h_1·P_{pub}$, where $h_1=H_1(P_{pub},X_k,R_k,PI{D}_{k,1},PI{D}_{k,2})$. Then, ${\mathrm{User}}_i$ randomly selects an index $k^{*}\in \{1,\dots ,n\}$ and computes the latest accumulator value as $ac{c}_{\mathrm{new}}=wi{t}_{k^{*}}^{PI{D}_{k^{*},1}}\mathrm{mod}N.$ Finally, ${\mathrm{User}}_i$ stores $ac{c}_{\mathrm{new}}$ and ${\left\{(PI{D}_{k,1},PI{D}_{k,2},wi{t}_k)\right\}}_{k=1}^n$ locally for subsequent authentication.

(6) For each k, ${\mathrm{User}}_i$ sets the full private key as $s{k}_k=(x_k,pp{k}_k)$, the pseudo-identity as $PI{D}_k=(PI{D}_{k,1},PI{D}_{k,2})$, and the corresponding public key as $P{K}_k=(X_k,R_k)$.

6.3. Authentication

To prevent message linkability attacks, ${\mathrm{User}}_i$ maintains a pool of n pseudonym instances ${\left\{(PI{D}_{k,1},PI{D}_{k,2},wi{t}_k,P{K}_k)\right\}}_{k=1}^n$ and periodically switches among them, denoting the selected instance as $PI{D}_i=(PI{D}_{i,1},PI{D}_{i,2})$, $P{K}_i=(X_i,R_i)$, and $wi{t}_i$. The verifier validates the attached zero-knowledge membership proof and the signature with respect to the latest accumulator value $ac{c}_j$.

6.3.1. Zero-Knowledge Membership Proof Generation

To keep $wi{t}_i$ secret while proving valid membership, ${\mathrm{User}}_i$ generates a non-interactive zero-knowledge membership proof ${\pi }_i$ for the relation $ac{c}_j\equiv wi{t}_i^{PI{D}_{i,1}}\left(\mathrm{mod}N\right)$. Such a proof follows the standard three-move structure: (1) commitment, (2) challenge, and (3) response. In our design, non-interactivity is achieved via the Fiat–Shamir transformation [35], where the challenge is generated by a hash function. The detailed procedure is as follows.

(1) ${\mathrm{User}}_i$ picks a random $a_i\in {\mathbb{Z}}_N^{*}$ and computes the commitment $A_i=a_i^{PI{D}_{i,1}}\mathrm{mod}N$.

(2) ${\mathrm{User}}_i$ computes the challenge $c_i=H_2(X_i,R_i,A_i,ac{c}_j,PI{D}_{i,1},PI{D}_{i,2})$.

(3) ${\mathrm{User}}_i$ computes the response $C_i=a_i·wi{t}_i^{c_i}\mathrm{mod}N$.

Finally, ${\mathrm{User}}_i$ outputs the proof ${\pi }_i=(A_i,C_i)$. Since the challenge does not involve $m_i$ and $T_i$, ${\mathrm{User}}_i$ can precompute the proof during idle time, which significantly reduces the online overhead during authentication.

6.3.2. Signature Generation

${\mathrm{User}}_i$ generates a signature using the partial private key and the user secret key.

(1) ${\mathrm{User}}_i$ randomly selects $u_i\in {\mathbb{Z}}_q^{*}$ and computes $U_i=u_i·P$.

(2) ${\mathrm{User}}_i$ computes the hash $h_3=H_3(U_i,X_i,R_i,A_i,C_i,ac{c}_j,PI{D}_{i,1},PI{D}_{i,2},m_i,T_i)$.

(3) ${\mathrm{User}}_i$ computes the signature scalar ${\sigma }_i=u_i+h_3·(x_i+pp{k}_i)\mathrm{mod}q$, and outputs ${\delta }_i=({\sigma }_i,U_i)$ as the signature.

(4) Finally, ${\mathrm{User}}_i$ sends $({\delta }_i,m_i,PI{D}_i,P{K}_i,{\pi }_i,T_i)$ to the verifier.

6.3.3. Signature Verification

Upon receiving the authentication message, the verifier first checks the membership proof, and then verifies the signature.

(1) Parse the received tuple as $({\delta }_i,m_i,PI{D}_i,P{K}_i,{\pi }_i,T_i)$, where ${\delta }_i=({\sigma }_i,U_i)$, $PI{D}_i=(PI{D}_{i,1},PI{D}_{i,2})$, $P{K}_i=(X_i,R_i)$, and ${\pi }_i=(A_i,C_i)$. Use the latest accumulator value $ac{c}_j$ maintained locally.

(2) If $|T_{ver}-T_i|<\Delta T$, compute $c_i=H_2(X_i,R_i,A_i,ac{c}_j,PI{D}_{i,1},PI{D}_{i,2})$ and regard the ZKP as valid only when $C_i^{PI{D}_{i,1}}\stackrel{?}{=}{A}_i·ac{c}_j^{c_i}\mathrm{mod}N$.

(3) Compute $h_1=H_1(P_{pub},X_i,R_i,PI{D}_{i,1},PI{D}_{i,2})$.

(4) Compute $h_3=H_3(U_i,X_i,R_i,A_i,C_i,ac{c}_j,PI{D}_{i,1},PI{D}_{i,2},m_i,T_i)$.

(5) The signature is accepted only when ${\sigma }_i·P\stackrel{?}{=}{U}_i+h_3·(R_i+X_i)+(h_3·h_1)·P_{pub}$.

6.3.4. Aggregate Signature Generation

In scenarios involving high traffic, the Ward Node (WN) aggregates multiple authenticated tuples destined for the same verifier, thereby reducing the verification overhead.

(1) Upon receiving ${\left\{({\delta }_i,m_i,PI{D}_i,P{K}_i,{\pi }_i,T_i)\right\}}_{i=1}^n$ from different ${\mathrm{User}}_i$, WN first checks timestamps and discards any tuple with $|T_{WN}-T_i|>\Delta T$.

(2) For each remaining tuple, WN performs the individual checks using the locally stored latest accumulator value $ac{c}_j$: compute $c_i=H_2(X_i,R_i,A_i,ac{c}_j,PI{D}_{i,1},PI{D}_{i,2})$ and accept ${\pi }_i=(A_i,C_i)$ only when $C_i^{PI{D}_{i,1}}\stackrel{?}{=}{A}_i·ac{c}_j^{c_i}\mathrm{mod}N$.

(3) WN generates a coefficient vector $\eta =\{{\eta }_2,{\eta }_3,\dots ,{\eta }_n\}$ of random integers, where, for example, ${\eta }_i\in [2,2^{\ell }]$ and ℓ is determined by the batch size, and sets ${\eta }_1=1$ by default.

(4) WN computes the aggregate scalar as ${\sigma }_{agg}={\sigma }_1+{\sum }_{i=2}^n{\eta }_i{\sigma }_i\mathrm{mod}q$, and outputs the aggregate signature as ${\delta }_{agg}=({\sigma }_{agg},{\left\{U_i\right\}}_{i=1}^n,\eta )$, which is then delivered to the verifier together with the corresponding batch payload and the aggregation timestamp $T_{agg}$.

6.3.5. Aggregate Signature Verification

Upon receiving the aggregated packet, the verifier validates the batch using a single aggregate equation in relation to the accumulator value, $ac{c}_j$, which is maintained locally.

(1) Check the freshness of the aggregation timestamp $T_{agg}$ and abort if $|T_{ver}-T_{agg}|>\Delta T$, where $T_{ver}$ is the verifier’s current local time.

(2) For each $i\in \{1,\dots ,n\}$, compute $h_{1,i}=H_1(P_{pub},X_i,R_i,PI{D}_{i,1},PI{D}_{i,2})$ and $h_{3,i}=H_3(U_i,X_i,R_i,A_i,C_i,ac{c}_j,PI{D}_{i,1},PI{D}_{i,2},m_i,T_i)$, and set ${\eta }_1=1$.

(3) Compute the aggregate points $U_{agg}=U_1+{\sum }_{i=2}^n{\eta }_i{U}_i$, $V_{agg}=h_{3,1}(R_1+X_1)+{\sum }_{i=2}^n{\eta }_i{h}_{3,i}(R_i+X_i)$, and $W_{agg}=(h_{3,1}{h}_{1,1}+{\sum }_{i=2}^n{\eta }_i{h}_{3,i}{h}_{1,i})·P_{pub}$.

(4) The aggregate signature is regarded as valid only when the following equation holds: ${\sigma }_{agg}·P\stackrel{?}{=}{U}_{agg}+V_{agg}+W_{agg}$.

6.4. Membership Witness Update

To support dynamic membership management, the TA broadcasts an authenticated auxiliary message to synchronize the accumulator value and enable legitimate entities to update their membership witnesses after member joining or revocation events.

(1) Let the current accumulator value be $ac{c}_{old}\in Q{R}_N$, and the TA computes the updated value as $ac{c}_{new}\in Q{R}_N$ after processing the latest event.

(2) For batch joining, the TA defines the joining exponent $E_{add}={\prod }_{\ell \in \mathcal{J}}PI{D}_{\ell ,1}$, where $\mathcal{J}$ denotes the pools of newly joined pseudonym primes.

(3) For batch revocation, the TA defines the revocation exponent $E_{rev}={\prod }_{\ell \in \mathcal{R}}PI{D}_{\ell ,1}$, where $\mathcal{R}$ denotes the pools of revoked pseudonym primes.

6.4.1. AUX Distribution

According to the membership-change scenario indicated by $token$, the TA prepares the $AUX$ message. The detailed distribution process performed by the TA is as follows.

(1) Batch joining ($token=1$): when a set of new pseudonym primes ${\left\{PI{D}_{\ell ,1}\right\}}_{\ell \in \mathcal{J}}$ of ${\mathrm{User}}_i$ is admitted, TA computes the joining exponent $E_{add}={\prod }_{\ell \in \mathcal{J}}PI{D}_{\ell ,1}$ and updates the accumulator as $ac{c}_{new}=ac{c}_{old}^{E_{add}}\mathrm{mod}N$.

(2) Batch revocation ($token=0$): when a revocation report $({\delta }_i,m_i,PI{D}_i,P{K}_i,{\pi }_i,T_i)$ is submitted, the TA recovers the real identity by the inline formula $I{D}_i=PI{D}_{i,2}\oplus H_0(t·X_i,PI{D}_{i,1})$. The TA then computes the revocation exponent over all pseudonym primes of this user as $E_{rev}={\prod }_{\ell \in \mathcal{R}}PI{D}_{\ell ,1}$ and updates the accumulator as $ac{c}_{new}=ac{c}_{old}^{E_{rev}^{-1}}\mathrm{mod}N$.

(3) The TA randomly selects $\psi \in {\mathbb{Z}}_q^{*}$, $\mathsf{\Psi }=\psi ·P$, sets $E=E_{add}$ if $token=1$ and $E=E_{rev}$ if $token=0$, then it computes $h_4=H_4(P_{pub},\mathsf{\Psi },E,ac{c}_{new},token,T_m)$, $\mathrm{Sig}=\psi +h_4·t\mathrm{mod}q$, where $T_m$ is the current timestamp, finally broadcasting $AUX=\{\mathrm{Sig},E,ac{c}_{new},token,\mathsf{\Psi },T_m\}$ over the public channel.

Notably, broadcasting only the product-form exponent E for a user’s pseudonym pool makes it computationally infeasible to recover each individual $PI{D}_{(l,1)}$ from E under the large-integer factorization assumption, which prevents the eavesdropping-based witness recovery in Shen et al.’s [8] public update broadcast.

6.4.2. Witness Updating

After receiving $AUX=\{\mathrm{Sig},E,ac{c}_{new},token,\mathsf{\Psi },T_m\}$, a legitimate entity updates its locally stored accumulator value and membership witnesses under the latest system state.

(1) The receiver checks the freshness of the update by verifying $|T_n-T_m| \le \Delta T$, where $T_n$ denotes its current local timestamp. If the check fails, it discards $AUX$.

(2) The receiver computes $h_4=H_4(P_{pub},\mathsf{\Psi },E,ac{c}_{new},token,T_m)$ and checking $\mathrm{Sig}·P\stackrel{?}{=}\mathsf{\Psi }+h_4·T_{pub}$. If the equation does not hold, it discards $AUX$.

(3) Updating after joining ($token=1$): for each stored witness $wit$ bound to a pseudonym prime $PI{D}_1$ in the pseudonym pool, updates $wit\leftarrow wi{t}^{E_{add}}\mathrm{mod}N$.

(4) Updating after revocation ($token=0$): since $\gcd (PI{D}_1,E_{rev})=1$ holds for any non-revoked user, for each stored witness $wit$ bound to a pseudonym prime $PI{D}_1$, the receiver computes $(v,w)$ such that $v·PI{D}_1+w·E_{rev}=1$ and updates witness $wit\leftarrow {\left(ac{c}_{new}\right)}^v·{\left(wit\right)}^w\mathrm{mod}N$.

Above revocation updating follows from Bézout’s identity $v·PI{D}_1+w·E_{rev}=1$ and the relation $ac{c}_{old}=ac{c}_{new}^{E_{rev}}\mathrm{mod}N$. Let $wi{t}^{\prime }={\left(ac{c}_{new}\right)}^v·{\left(wit\right)}^w\mathrm{mod}N$, then

$$\begin{array}{cc}\hfill {\left(wi{t}^{\prime }\right)}^{PI{D}_1}& ={\left(ac{c}_{new}\right)}^{v·PI{D}_1}·{\left(wi{t}^{PI{D}_1}\right)}^w\mathrm{mod}N\hfill \\ & ={\left(ac{c}_{new}\right)}^{v·PI{D}_1}·{\left(ac{c}_{old}\right)}^w\mathrm{mod}N\hfill \\ & ={\left(ac{c}_{new}\right)}^{v·PI{D}_1}·{\left(ac{c}_{new}^{E_{rev}}\right)}^w\mathrm{mod}N\hfill \\ & ={\left(ac{c}_{new}\right)}^{v·PI{D}_1+w·E_{rev}}\mathrm{mod}N\hfill \\ & =ac{c}_{new}\mathrm{mod}N.\hfill \end{array}$$

which ensures the consistency of $wi{t}^{\prime }$ with $ac{c}_{new}$. For a revoked pseudonym prime, $\gcd (PI{D}_1,E_{rev})\ne 1$ holds and thus the coefficients $(v,w)$ do not exist, so the corresponding witness cannot be updated.

7. Security Analysis

7.1. Formal Security Proof

Since the successful forgery of an aggregate signature implies the forgery of at least one constituent individual signature, we prove the EUF-CMA security of our proposed scheme in Theorems 1 and 2. We also prove the aggregate soundness against fully chosen-key attacks in Theorem 3.

Theorem 1. 

If there exists a Type-I adversary ${\mathcal{A}}_I$ that can output a valid forgery with advantage ${ϵ}_I$ in Game I, then there exists a PPT simulator ${\mathcal{B}}_1$ that solves the ECDLP with non-negligible probability of at least ${ϵ}_I^2/\left(e(Q_{cu}+1)(Q_{h1}+Q_{sig}+1)\right)$, where $Q_{cu}$, $Q_{h1}$, and $Q_{sig}$ denote the maximum numbers of Create-User, $H_1$, and Sign queries, respectively.

Proof. 

Given an ECDLP instance $(P,aP)$, ${\mathcal{B}}_1$ sets $P_{pub}=aP$ and runs ${\mathcal{A}}_I$ as a subroutine in the random oracle model to extract a.

Setup: ${\mathcal{B}}_1$ selects $t\leftarrow {\mathbb{Z}}_q^{*}$ randomly and sets $T_{pub}=t·P$. It initializes the RSA-accumulator parameters exactly as in the real protocol and outputs $params$. It maintains lists $L_{ID}$, $L_{PK}$, $L_1$, $L_2$, and $L_3$ for consistency, and picks $\tau \leftarrow \{1,2,\dots ,Q_{cu}+1\}$ to guess the target identity.

Query Stage: ${\mathcal{A}}_I$ adaptively issues the following queries.

(1) $H_1$ Query: On input $(P_{pub},X_i,R_i,PI{D}_{i,1},PI{D}_{i,2})$, if there exists a record in $L_1$, ${\mathcal{B}}_1$ returns the stored $h_{1,i}$; otherwise it selects $h_{1,i}\leftarrow {\mathbb{Z}}_q^{*}$ randomly, stores the tuple into $L_1$, and returns $h_{1,i}$.

(2) $H_2$ Query: On input $(X_i,R_i,A_i,ac{c}_j,PI{D}_{i,1},PI{D}_{i,2})$, if there exists a record in $L_2$, ${\mathcal{B}}_1$ returns the stored $c_i$; otherwise it selects $c_i\leftarrow {\{0,1\}}^{*}$ randomly, stores the tuple into $L_2$, and returns $c_i$.

(3) $H_3$ Query: On input $(U_i,X_i,R_i,A_i,C_i,ac{c}_j,PI{D}_{i,1},PI{D}_{i,2},m_i,T_i)$, if there exists a record in $L_3$, ${\mathcal{B}}_1$ returns the stored $h_{3,i}$; otherwise it selects $h_{3,i}\leftarrow {\mathbb{Z}}_q^{*}$ randomly, stores the tuple into $L_3$, and returns $h_{3,i}$.

(4) Create-User Query: On input $PI{D}_i$, if $PI{D}_i\in L_{ID}$ return ⊥; otherwise ${\mathcal{B}}_1$ performs as follows.

(i) ${\mathcal{B}}_1$ selects $x_i,pp{k}_i,h_{1,i}\leftarrow {\mathbb{Z}}_q^{*}$ randomly and sets $X_i=x_i·P$.

(ii) ${\mathcal{B}}_1$ sets $R_i=pp{k}_i·P-h_{1,i}·P_{pub}$ so that $pp{k}_i·P=R_i+h_{1,i}·P_{pub}$ holds.

(iii) ${\mathcal{B}}_1$ programs $H_1(P_{pub},X_i,R_i,PI{D}_{i,1},PI{D}_{i,2})=h_{1,i}$ by inserting the tuple into $L_1$.

(iv) ${\mathcal{B}}_1$ assigns consistent pseudonym components and an accumulator witness $wi{t}_i$ as in registration, stores $(PI{D}_i,X_i,R_i,x_i,pp{k}_i,wi{t}_i)$ into $L_{ID}$ and $(PI{D}_i,P{K}_i=(X_i,R_i))$ into $L_{PK}$. If this is the $\tau$-th distinct creation, set $PI{D}^{*}\leftarrow PI{D}_i$. Finally return $P{K}_i$.

(5) Reveal Queries: If the queried $PI{D}_i$ has no record, ${\mathcal{B}}_1$ first runs Create-User on $PI{D}_i$. Then it answers the following:

(i) Reveal-Public-Key returns the current $P{K}_i$ from $L_{PK}$;

(ii) Reveal-Secret-Value returns $x_i$;

(iii) Reveal-Partial-Private-Key returns $pp{k}_i$ unless $PI{D}_i=PI{D}^{*}$, ${\mathcal{B}}_1$ aborts;

(iv) Reveal-Witness returns $wi{t}_i$.

(6) Replace-Public-Key Query: On input $(PI{D}_i,P{K}_i^{\prime })$, ${\mathcal{B}}_1$ updates $L_{PK}$ with $P{K}_i^{\prime }$ and marks the effective signing secret of $PI{D}_i$ as unknown.

(7) Sign Query: On input $(PI{D}_i,m_i)$, ${\mathcal{B}}_1$ obtains the current public key $P{K}_i=(X_i,R_i)$ from $L_{PK}$ and parses $(PI{D}_{i,1},PI{D}_{i,2},wi{t}_i)$ from $L_{ID}$, and then generates a valid membership proof ${\pi }_i=(A_i,C_i)$ under the current accumulator value as in the real protocol.

If $P{K}_i$ has not been replaced and $PI{D}_i\ne PI{D}^{*}$, ${\mathcal{B}}_1$ returns a real signature transcript as in the protocol. Otherwise, ${\mathcal{B}}_1$ simulates a valid signature transcript as follows: it queries $H_1(P_{pub},X_i,R_i,PI{D}_{i,1},PI{D}_{i,2})$ to obtain $h_{1,i}$, sets $Y_i=(X_i+R_i)+h_{1,i}·P_{pub}$, selects ${\sigma }_i,h_{3,i}\leftarrow {\mathbb{Z}}_q^{*}$ randomly, sets $U_i={\sigma }_i·P-h_{3,i}·Y_i$, programs $H_3(U_i,X_i,R_i,A_i,C_i,ac{c}_j,PI{D}_{i,1},PI{D}_{i,2},m_i,T_i)=h_{3,i}$ in $L_3$, and returns ${\delta }_i=({\sigma }_i,U_i)$ together with $(PI{D}_i,P{K}_i,{\pi }_i,T_i)$.

Forgery: After all the queries have been completed, ${\mathcal{A}}_I$ outputs a valid forgery $(PI{D}^{*},m^{*},{\delta }^{*},P{K}^{*},{\pi }^{*},T^{*})$, where ${\delta }^{*}=({\sigma }^{*},U^{*})$, $P{K}^{*}=(X^{*},R^{*})$, and ${\pi }^{*}=(A^{*},C^{*})$.

If $PI{D}^{*}\ne PI{D}_i^{*}$, then ${\mathcal{B}}_1$ outputs ⊥ and aborts.

Otherwise, let $h_1^{*}$ be the output of $H_1(P_{pub},X^{*},R^{*},PI{D}_1^{*},PI{D}_2^{*})$ and let $h_3^{*}$ be the output of $H_3(U^{*},X^{*},R^{*},A^{*},C^{*},ac{c}_j,PI{D}_1^{*},PI{D}_2^{*},m^{*},T^{*})$ recorded in $L_3$.

By the correctness of verification, the forged transcript satisfies

$$\left\{\begin{array}{cc}\hfill {\sigma }^{*}·P& =U^{*}+h_3^{*}·(X^{*}+R^{*})+h_3^{*}·h_1^{*}·P_{pub},\hfill \\ \hfill {\sigma }^{{*}^{\prime }}·P& =U^{*}+h_3^{*}·(X^{*}+R^{*})+h_3^{*}·h_1^{{*}^{\prime }}·P_{pub},\hfill \end{array}\right.$$

where ${\delta }^{{*}^{\prime }}=({\sigma }^{{*}^{\prime }},U^{*})$ is obtained by rewinding ${\mathcal{A}}_I$ and replaying the random oracle $H_1$ such that $h_1^{*}\ne h_1^{{*}^{\prime }}$ while the other transcript components remain unchanged.

Subtracting the above two equations yields

$$({\sigma }^{*}-{\sigma }^{{*}^{\prime }})·P=h_3^{*}·(h_1^{*}-h_1^{{*}^{\prime }})·P_{pub}=h_3^{*}·(h_1^{*}-h_1^{{*}^{\prime }})·aP.$$

Therefore, ${\mathcal{B}}_1$ outputs

$$a\equiv ({\sigma }^{*}-{\sigma }^{{*}^{\prime }})·{\left(h_3^{*}·(h_1^{*}-h_1^{{*}^{\prime }})\right)}^{-1}\left(\mathrm{mod}q\right)$$

as the solution to the given ECDLP instance.

Let $E_1$ denote the event that the simulation does not abort in the query stage, $E_2$ denote the event that ${\mathcal{B}}_1$ correctly guesses the target identity, and $E_3$ denote the event that ${\mathcal{B}}_1$ obtains two valid forgeries with different $H_1$ outputs by the Forking Lemma [37]. Then $\mathrm{Pr}\left[E_2\right]\ge 1/(Q_{cu}+1)$ and $\mathrm{Pr}[E_3\mid E_1\wedge E_2]\ge {ϵ}_I^2/\left(e(Q_{h1}+Q_{sig}+1)\right)$. Hence, ${\mathcal{B}}_1$ solves the ECDLP with probability of at least ${ϵ}_I^2/\left(e(Q_{cu}+1)(Q_{h1}+Q_{sig}+1)\right)$.

Therefore, the above reduction shows that if a Type-I adversary can produce a valid forgery in Game I, then one can construct a PPT algorithm to solve the ECDLP with non-negligible probability. Since the ECDLP is assumed to be hard, such a Type-I forgery is infeasible for any PPT adversary. Hence, the proposed scheme is secure against Type-I adversarial forgery attacks. □

Theorem 2. 

In the random oracle model, if there exists a Type-II adversary ${\mathcal{A}}_{II}$ that can output a valid forgery in Game II with non-negligible advantage ${ϵ}_{II}$, then one can construct a PPT algorithm that solves the ECDLP with non-negligible probability.

Proof. 

The proof is similar to that of Theorem 1 and thus is omitted for brevity. It is only necessary to mention that in Game II, ${\mathcal{A}}_{II}$ does not initiate the Replace-Public-Key query. Following the same reduction strategy as in Theorem 1, if ${\mathcal{A}}_{II}$ can produce a valid forgery with non-negligible advantage, then one can construct a PPT algorithm that solves the ECDLP with non-negligible probability.

Since the ECDLP is assumed to be hard, such a Type-II forgery is infeasible for the PPT adversary. Hence, the proposed scheme is secure against Type-II adversarial forgery attacks. □

Theorem 3. 

If there exists a Type-III adversary ${\mathcal{A}}_{III}$ that wins Game III with advantage ${ϵ}_{III}$, then there exists a PPT simulator ${\mathcal{B}}_3$ that breaks the soundness guarantee of the simplified small exponent test (SET) [38] with non-negligible probability. In particular, ${ϵ}_{III}\le (Q_{av}+1)·2^{-\ell }$, where $Q_{av}$ denotes the maximum number of AggVerify queries and ℓ is the bit-length parameter used to sample the aggregation coefficients.

Proof. 

Given a challenger that samples the aggregation coefficients as required by the simplified SET, ${\mathcal{B}}_3$ runs ${\mathcal{A}}_{III}$ as a subroutine and uses any successful information-injection forgery to violate the SET soundness bound.

Setup: ${\mathcal{B}}_3$ runs Setup to generate $params$ and provides $params$ to ${\mathcal{A}}_{III}$. It maintains a user state list $L_{ID}$ and initializes all hash-oracle lists as in the real protocol.

Query Stage: ${\mathcal{A}}_{III}$ adaptively issues the following queries.

(1) Reveal-Full-Private-Key: on input $PI{D}_i$, if $PI{D}_i$ has no record, ${\mathcal{B}}_3$ internally creates a consistent state for $PI{D}_i$ as in the registration algorithm; then it returns the full private key materials $(x_i,pp{k}_i)$ honestly from $L_{ID}$.

(2) AggVerify: on inputting an aggregate candidate consisting of an aggregate scalar ${\sigma }_{agg}$ and a batch ${\left\{(m_i,PI{D}_i,P{K}_i,{\pi }_i,T_i,U_i,{\sigma }_i)\right\}}_{i=1}^n$, ${\mathcal{B}}_3$ samples a fresh coefficient vector $\eta =\{{\eta }_2,\dots ,{\eta }_n\}$ with ${\eta }_i\in [2,2^{\ell }]$ and sets ${\eta }_1=1$. It then runs AggVerify according to the protocol using this $\eta$ and returns the decision bit. Let $Q_{av}$ denote the total number of such queries.

Forgery: After all the queries have been completed, ${\mathcal{A}}_{III}$ outputs a valid aggregate forgery ${\delta }_{agg}^{*}$ on a batch ${\left\{(m_i,PI{D}_i,P{K}_i,{\pi }_i,T_i,{\delta }_i)\right\}}_{i=1}^n$, where ${\delta }_i=({\sigma }_i,U_i)$.

By the correctness of AggVerify, the acceptance of ${\delta }_{agg}^{*}$ under the sampled coefficients ${\eta }^{*}$ implies the weighted aggregate verification equation holds.

Moreover, since ${\delta }_{agg}^{*}$ is a Type-III forgery, there exists an index k such that the individual verification equation is not satisfied for the k-th constituent transcript.

For each constituent transcript ${\delta }_i=({\sigma }_i,U_i)$, define its verification residue as

$${\Delta }_i\triangleq {\sigma }_i·P-\left(U_i+h_{3,i}·(X_i+R_i)+h_{3,i}{h}_{1,i}·P_{pub}\right),$$

Therefore, ${\Delta }_k\ne \mathcal{O}$ for some index k. On the other hand, the weighted aggregate verification equation is equivalent to

$$\sum _{i=1}^n{\eta }_i^{*}{\Delta }_i=\mathcal{O}.$$

For any fixed non-zero residue vector $({\Delta }_1,\dots ,{\Delta }_n)$ with at least one ${\Delta }_k\ne \mathcal{O}$, the simplified SET soundness guarantees that, over a uniformly sampled ${\eta }^{*}$ with ${\eta }_i^{*}\in [2,2^{\ell }]$, the probability that the above cancellation happens is at most $2^{-\ell }$. Therefore, each AggVerify attempt can succeed with probability at most $2^{-\ell }$, and by a union bound over at most $Q_{av}$ adaptive AggVerify queries and the final output, we have ${ϵ}_{III}\le (Q_{av}+1)·2^{-\ell }$, which is negligible for a proper choice of ℓ.

Therefore, the above proof shows that a successful Type-III information-injection forgery would require the invalid constituent transcripts to cancel out under the randomly sampled aggregation coefficients. By the soundness guarantee of the simplified SET, this event can occur only with negligible probability. Hence, such a Type-III forgery is infeasible for any PPT adversary, and the proposed scheme achieves aggregate soundness. □

7.2. Formal Verification by ProVerif

We use ProVerif to formally verify the protocol within the Dolev–Yao adversary model, in which the adversary controls the public channel and can eavesdrop on, replay and forge messages according to symbolic rules. Following the standard perfect-cryptography abstraction in ProVerif, the verification results complement our computational analysis, which is based on number-theoretic assumptions.

(1) We first declare the public/private constants, variables, channels, and cryptographic primitives, and introduce abstract interfaces for signature verification and RSA-accumulator membership proofs.

(2) We then model the protocol participants as processes and implement the full message flow of our scheme over a public channel, so that the adversary can intercept, modify, and forward all transmissions.

(3) Finally, we define session events and formulate secrecy and authentication queries. The secrecy targets include $ID$, $wit$, $ppk$, and x, while the authentication target is an injective correspondence between the user completion and verifier acceptance events.

As shown in Figure 2, all secrecy queries hold for $ID$, $wit$, $ppk$, and x, indicating that the network adversary cannot derive these values from protocol transcripts, thereby confirming the confidentiality of the protocol.

Moreover, ProVerif confirms the injective nature of our protocol’s authentication, ensuring that each verifier acceptance corresponds to a unique and genuine user execution. This demonstrates explicit resistance to replay attacks and provides consistent session matching for entity authentication.

7.3. Informal Security Analysis

To facilitate an intuitive understanding of the security rationale, we provide an informal analysis of the protocol construction. This explains how the desired security properties are achieved against network adversaries and malicious insiders.

(1) Message authenticity and integrity: a verifier only accepts a message if both the membership proof with respect to the latest accumulator value $ac{c}_j$ and the signature verification succeed. Any modification to $(m_i,PI{D}_i,P{K}_i,T_i)$ changes the hash challenge and breaks verification, and an adversary without the legitimate signing secret cannot forge an authentication transcript that passes verification.

(2) Anonymity and traceability: the transmitted pseudonym $PI{D}_i=(PI{D}_{i,1},PI{D}_{i,2})$ together with the attached proof and signature does not reveal the real identity $I{D}_i$ to any entity on the public channel. Except for TA, any party can only validate the authentication without being able to recover $I{D}_i$; meanwhile, TA can extract the real identity from a reported transcript via $I{D}_i=PI{D}_{i,2}\oplus H_0(t·X_i,PI{D}_{i,1})$, thereby enabling traceability.

(3) Revocability: TA enforces revocation by updating the RSA accumulator, enabling a one-shot batch removal of all pseudonyms in the revoked user’s pseudonym pool so that the corresponding pseudonym primes $PI{D}_{i,1}$ are no longer accumulated in the latest $ac{c}_j$. Consequently, any authentication attempt initiated with any pseudonym of the revoked user will be rejected, and the revoked user cannot generate a valid membership proof for the current accumulator value.

(4) Security properties of the NIZK proof: the membership proof ${\pi }_i=(A_i,C_i)$ is used to prove that the user holds a valid membership witness corresponding to the current RSA accumulator state, and it satisfies the following properties.

(i) Completeness: if ${\mathrm{User}}_i$ indeed holds a valid witness $wi{t}_i$ and correctly generates $A_i$, $c_i$, and $C_i$ according to the protocol, the verification equation always holds, because $C_i^{PI{D}_{i,1}}\equiv {(a_i·wi{t}_i^{c_i})}^{PI{D}_{i,1}}\equiv a_i^{PI{D}_{i,1}}·{\left(wi{t}_i^{PI{D}_{i,1}}\right)}^{c_i}\equiv A_i·ac{c}_j^{c_i}\left(\mathrm{mod}N\right)$.

(ii) Zero-knowledge: the publicly verifiable transcript contains only $(A_i,C_i)$ and the challenge $c_i$ computed from public information, while the fresh randomness $a_i$ is re-sampled each time; thus, even for the same witness, many different transcripts can be produced, and no useful information about $wi{t}_i$ is revealed.

(iii) Soundness: if an adversary does not hold a valid witness, producing an accepting $(A_i,C_i)$ is equivalent to forging evidence that the membership relation holds without knowing $wi{t}_i$. Under the Strong RSA assumption, such a forgery is infeasible.

(5) Resistance to replay attacks: each authentication transcript in the proposed scheme is associated with a timestamp $T_i$ and accepted only within the allowed freshness interval. Therefore, even if an adversary intercepts a valid transcript and replays it later, the verifier will reject it once the timestamp becomes outdated. In addition, the hash challenge depends on the transmitted message components and session-dependent inputs, so an old transcript cannot be reused in another authentication context without causing the verification equations to fail. Hence, the proposed scheme resists replay attacks.

(6) Resistance to witness recovery attacks: the user proves the membership relation $ac{c}_j=wi{t}_i^{PI{D}_{i,1}}\mathrm{mod}N$ through a non-interactive zero-knowledge membership proof. Based on the completeness, zero-knowledge, and soundness properties of the above NIZK membership proof, the proof reveals no information about $wi{t}_i$, and recovering $wi{t}_i$ from the publicly verifiable proof transcript can be reduced to solving the Strong RSA problem over N. In addition, during membership updates, the TA broadcasts only product-form update exponents of pseudonym primes. Under the hardness assumption of integer factorization, even an insider adversary cannot determine which new pseudonyms have been added from such public broadcasts, let alone derive the corresponding witnesses. Therefore, the proposed scheme resists witness recovery attacks.

(7) Resistance to identity grafting attacks: in the proposed scheme, $PI{D}_{i,1}$ is cryptographically bound to $PI{D}_{i,2}$, $X_i$, and $R_i$ through the hash function, and this binding is further embedded into the partial private key $pp{k}_i$. Since $pp{k}_i$ is generated and distributed by the KGC, the user cannot arbitrarily modify this binding. As a result, the identity-related membership component and the signing-related key material cannot be recombined across different users. Even if an adversary obtains a valid membership component of another non-revoked pseudonym, it still cannot graft that component onto its own public key or partial private key to produce a valid authentication transcript. Hence, the proposed scheme resists identity grafting attacks.

(8) Resistance to message linkability attacks: the proposed scheme provides unlinkability by allowing each user to maintain a pseudonym pool and periodically switch the active pseudonym. Therefore, authentication transcripts generated in different sessions are associated with different pseudonyms, making it difficult for an external adversary to link them to the same user. Moreover, the real identity is concealed in the transmitted pseudonym, and only the TA can recover it when necessary. Hence, the proposed scheme resists message-linking attacks.

8. Performance Analysis

We evaluate the proposed scheme against other relevant CLS/CLAS schemes. Our analysis begins with a Security and Functionality Comparison, followed by a thorough evaluation of computation, communication, and revocation overheads. To ensure a fair and robust comparison, we select baselines that cover a range of cryptographic settings, including schemes based on bilinear mappings [15,27] and schemes that do not use bilinear mappings [8,19,21,30]. Furthermore, we benchmark the revocation functionality of our scheme against representative state-of-the-art schemes with user revocation support [25,27,28,30].

8.1. Security and Functionality Comparison

As summarized in

Table 3. Security and functionality comparison with related schemes.

Property	[15]	[30]	[19]	[27]	[25]	[28]	[21]	[8]	Ours
Resistance to Type-I	✓	✓	×	✓	×	✓	×	✓	✓
Resistance to Type-II	✓	✓	✓	✓	✓	✓	✓	✓	✓
Resistance to Type-III	×	−	×	×	✓	✓	×	✓	✓
Without Pairing	×	✓	✓	×	✓	✓	✓	✓	✓
Unlinkability	×	✓	×	×	✓	×	×	×	✓
Revocability	×	✓	×	✓	✓	✓	×	×	✓

“−” indicates that the corresponding security notion is not explicitly defined in the original scheme.

, the compared schemes present different trade-offs in security and functionality. The schemes in [15,27] introduce heavyweight bilinear pairing operations. Moreover, several schemes do not achieve full certificateless security: refs. [19,21,25] cannot resist Type-I adversaries, and refs. [15,19,21,27] are not Type-III secure; refs. [30] is marked as “−” for Type-III since it does not explicitly define this notion. In addition, unlinkability is only supported by [25,30], while revocability is provided only by [25,27,28,30]. In contrast, our scheme is the only one that simultaneously achieves Type-I/II/III security, remains pairing-free, and supports both unlinkability and revocability, which better fits practical authentication in wireless medical sensor networks.

8.2. Computation Overhead Analysis

To provide a fair and reproducible evaluation of the performance discrepancies among different schemes under a consistent security level, we instantiate all primitives at the common 80-bit security threshold. Specifically, for ECC-based operations, we adopt a 160-bit elliptic curve, where the underlying prime field size is $\left|p\right|=160$ bits and the scalar field has $\left|q\right|=160$ bits, so elements in ${\mathbb{Z}}_q^{*}$ are 20 bytes. Under the uncompressed representation, an elliptic-curve point is encoded as $\left|\mathbb{G}\right|=40$ bytes. For pairing-based baselines, we instantiate pairing primitives on a Tate-pairing-friendly supersingular curve with embedding degree $k=2$; under the same setting, the prime field size is $\left|p\right|=512$ bits and a source-group element is encoded as $|{\mathbb{G}}_1|=128$ bytes. For RSA-accumulator-related operations, we set the RSA modulus size to $\left|N\right|=1024$ bits to match the same 80-bit security level; thus, an element in ${\mathbb{Z}}_N^{*}$ is encoded as 128 bytes.

We adopt the runtime benchmarks of basic cryptographic primitives reported in [8]. The measurements in [8] were obtained on an Intel Core i5-9500T 2.20 GHz platform with 8 GB RAM running Ubuntu 22.04, implemented in C/C++ using the MIRACL cryptographic library. Each primitive runtime is averaged over 1000 executions, as summarized in

Table 4. Execution time of cryptographic operations.

Symbol	Meaning	Time (ms)
$T_{bp}$	Bilinear Pairing	2.412
$T_{bpm}$	Pairing-based Scalar Multiplication	1.039
$T_{bpa}$	Pairing-based Point Addition	0.008
$T_{bhtp}$	Pairing-based Map-to-point Hash	2.607
$T_{em}$	Scalar Multiplication	0.772
$T_{sem}$	Small Scalar Multiplication	0.075
$T_{ea}$	Point Addition	0.007
$T_h$	General Secure Hash	0.001
$T_{me}$	Modular Exponentiation	0.175

, and these benchmarks are used to translate the operation counts of SN/WN/MS into rough computation overhead in our evaluation.

For the computation overhead, we focus on the costs of individual signing/verification and aggregate verification. The operation counts and the derived time expressions are summarized in

Table 5. Computation overhead comparison among related schemes.

Scheme	Individual Signing (ms)	Individual Verification (ms)	Aggregate Verification (ms)
[15]	$4T_{bpm}+T_{bpa}+2T_h$	$3T_{bp}+5T_{bpm}+2T_h$	$3T_{bp}+(3n+2)T_{bpm}+2n{T}_h=3.119n+9.314$
[30]	$3T_{em}+5T_h$	$6T_{em}+5T_{ea}+5T_h$	$6n{T}_{em}+5n{T}_{ea}+5n{T}_h=4.672n$
[19]	$T_{em}+T_h$	$3T_{em}+3T_{ea}+2T_h$	$(2n+1)T_{em}+(4n-1)T_{ea}+(2n+1)T_h=1.574n+0.766$
[25]	$T_{em}+T_h$	$3T_{em}+2T_h$	$(2n-1)T_{em}+2n{T}_h=1.546n-0.772$
[27]	$4T_{bpm}+T_{bpa}+4T_{bhtp}$	$4T_{bp}+T_{bpa}+4T_{bhtp}$	$4T_{bp}+(2n-1)T_{bpa}+4n{T}_{bhtp}=10.444n+9.640$
[28]	$4T_{em}+4T_{ea}+6T_h$	$7T_{em}+5T_{ea}+6T_h$	$7n{T}_{em}+5n{T}_{ea}+6n{T}_h=5.445n$
[21]	$T_{em}+2T_h$	$4T_{em}+3T_{ea}+3T_h$	$(2n+2)T_{em}+3n{T}_{ea}+(n-1)T_{sem}+3n{T}_h=1.643n+1.469$
[8]	$T_{em}+2T_h$	$4T_{em}+3T_{ea}+4T_h+2T_{me}$	$(2n+2)T_{em}+3n{T}_{ea}+(n-1)T_{sem}+3n{T}_h=1.643n+1.469$
Ours	$T_{em}+T_h$	$3T_{em}+3T_{ea}+3T_h+2T_{me}$	$(n+2)T_{em}+3n{T}_{ea}+(2n-2)T_{sem}+2n{T}_h=0.945n+1.394$

, and the results are illustrated in Figure 3.

As shown in Figure 3a,b, our scheme maintains a low individual cost. Individual signing requires $T_{em}+T_h$ and individual verification requires $3T_{em}+3T_{ea}+3T_h+2T_{me}$, resulting in a total cost of $3.463$ ms per authentication. It is clearly more efficient than pairing-based schemes [15,27] since their runtime is dominated by heavyweight pairing-related operations. Compared with pairing-free designs [19,25], our total cost per authentication is slightly higher; however, Table 3 shows that refs. [19,25] do not achieve full security and functionality simultaneously, where ref. [19] fails to resist Type-I adversaries and does not provide unlinkability or revocability, and ref. [25] cannot resist Type-I adversaries.

For aggregate verification, the overhead of all schemes increases linearly with the number of aggregated signatures n as depicted in Figure 3c. Our aggregate verification cost is $(n+2)T_{em}+3n{T}_{ea}+(2n-2)T_{sem}+2n{T}_h=0.945n+1.394$, which yields the lowest growth rate among the compared schemes; for instance, when $n=100$, our scheme requires $95.894$ ms as shown in Figure 3d.

Overall, the above results demonstrate that our scheme is computationally efficient, offering low individual authentication costs and a small, linear growth rate in aggregate verification as n increases.

8.3. Communication Overhead Analysis

For the communication overhead, we compare the related schemes in terms of the transmitted signature length. Let $|{\mathbb{G}}_1|$, $\left|\mathbb{G}\right|$, and $|{\mathbb{Z}}_q^{*}|$ denote the element sizes in ${\mathbb{G}}_1$, $\mathbb{G}$, and ${\mathbb{Z}}_q^{*}$, respectively. Under the 80-bit security setting, we set $|{\mathbb{G}}_1|=128$ bytes, $\left|\mathbb{G}\right|=40$ bytes, and $|{\mathbb{Z}}_q^{*}|=20$ bytes. The signature-size comparison results are summarized in

Table 6. Communication overhead comparison in terms of signature size ($\left|\mathsf{\Lambda }\right|$ = 80, l = 10).

Scheme	Individual Signature (Bytes)	Aggregate Signature (Bytes)
[15]	${\mathbb{G}}_1+{\mathbb{Z}}_q^{*}=148$	$n{\mathbb{G}}_1+n{\mathbb{Z}}_q^{*}=148n$
[30]	$4\mathbb{G}+3{\mathbb{Z}}_q^{*}=220$	$4n\mathbb{G}+3n{\mathbb{Z}}_q^{*}=220n$
[19]	$\mathbb{G}+{\mathbb{Z}}_q^{*}=60$	$n\mathbb{G}+{\mathbb{Z}}_q^{*}=40n+20$
[25]	$2\mathbb{G}=80$	$2\mathbb{G}=80$
[27]	$\mathbb{G}+{\mathbb{Z}}_q^{*}=60$	$\mathbb{G}+{\mathbb{Z}}_q^{*}=60$
[28]	$6\mathbb{G}+2{\mathbb{Z}}_q^{*}=280$	$6n\mathbb{G}+2n{\mathbb{Z}}_q^{*}=280n$
[21]	$\mathbb{G}+{\mathbb{Z}}_q^{*}=60$	$n\mathbb{G}+(n+1){\mathbb{Z}}_q^{*}=60n+20$
[8]	$\mathbb{G}+{\mathbb{Z}}_q^{*}=60$	$n\mathbb{G}+\left(nl/2\left|\mathsf{\Lambda }\right|+1\right){\mathbb{Z}}_q^{*}=41.25n+20$
Ours	$\mathbb{G}+{\mathbb{Z}}_q^{*}=60$	$n\mathbb{G}+\left(nl/2\left|\mathsf{\Lambda }\right|+1\right){\mathbb{Z}}_q^{*}=41.25n+20$

, and the aggregate signature size versus the number of aggregated signatures n is shown in Figure 4.

In our scheme, the size of an individual signature is 60 bytes, which is the smallest among the schemes compared in Table 6, indicating a lightweight per-message transmission cost for frequent authentications. For the aggregate signature, in addition to the n group elements, our construction introduces a compact extra term derived from the small-integer masking vector, where multiple small integers are efficiently packed into ${\mathbb{Z}}_q^{*}$ elements. Let l denote the bit-length of each small integer and let A denote the bit-length budget associated with the target security level; then the aggregate signature size is $n\left|\mathbb{G}\right|+\left(⌈nl/\left(2A\right)⌉+1\right)\left|{\mathbb{Z}}_q^{*}\right|$. As illustrated in Figure 4, the aggregate signature size grows linearly with n, and our scheme shares the same low growth rate as [8], remaining in a relatively small range even when a large number of signatures are aggregated. In contrast, several schemes incur a much steeper linear growth due to transmitting multiple group elements and/or multiple ${\mathbb{Z}}_q^{*}$ elements per signer, resulting in larger aggregated messages. Although [25,27] achieve constant-size aggregate signatures, they cannot provide comparable security and functionality simultaneously: ref. [25] fails to resist Type-I adversaries, and ref. [27] relies on heavyweight bilinear pairing operations and does not provide unlinkability.

Therefore, our scheme achieves favorable communication efficiency. The individual signature is compact, and the aggregate signature size grows linearly with n, which has a relatively low growth rate compared to other schemes.

8.4. Revocation Overhead Analysis

To evaluate the extra burden introduced by revocation, we compare our scheme with representative revocable schemes from two aspects, namely, revocation communication overhead and revocation storage overhead. Following the same byte-length setting as in Section 8.3, we set $|{\mathbb{G}}_1|=128$ bytes, $\left|\mathbb{G}\right|=40$ bytes, and $|{\mathbb{Z}}_q^{*}|=20$ bytes; to quantify accumulator-related update information, we set $|{\mathbb{Z}}_N^{*}|=128$ bytes. A pseudonym-related identifier is treated as a fixed-length bitstring and counted as 20 bytes, which can be encoded as one element in ${\mathbb{Z}}_q^{*}$, and the timestamp $t_i$ is assumed to be 4 bytes. In the revocation communication comparison, we only count the revocation-specific update payload delivered from TA to users and omit auxiliary authentication fields used solely to authenticate the update message such as broadcast signatures, and their verification-related components, because these fields can be instantiated in the same manner across schemes and do not affect the underlying revocation mechanism. Moreover, we consider the overhead incurred when revoking a single user while the system still contains n active users. The comparison results are summarized in

Table 7. Revocation overhead comparison in terms of communication and storage.

Scheme	Communication Message	Overhead	Size (Bytes)	Storage Data	Overhead	Size (Bytes)
[27]	$\{I{D}_i,T_i,t_i\}$	$n\left(\left|\mathbb{G}\right|+|{\mathbb{Z}}_q^{*}|+|T|\right)$	$64n$	$n·\{I{D}_i,T_i,t_i\}$	$n\left(\left|\mathbb{G}\right|+|{\mathbb{Z}}_q^{*}|+|T|\right)$	$64n$
[28]	$\{{{\rm Y}}_{AI{D}_i},{\xi }_{AI{D}_i,t}\}$	$n\left(\left|\mathbb{G}\right|+|{\mathbb{Z}}_q^{*}|\right)$	$60n$	$n·\{AI{D}_i,t_i\}$	$n\left(|{\mathbb{Z}}_q^{*}|+|T|\right)$	$24n$
[25]	$\left\{FI{D}_i\right\}$	$n|{\mathbb{Z}}_q^{*}|$	$20n$	$n\left\{FI{D}_i\right\}$	$n|{\mathbb{Z}}_q^{*}|$	$20n$
[30]	$\{B_0,a_0,a_1,\dots ,a_n\}$	$\left|\mathbb{G}\right|+n|{\mathbb{Z}}_q^{*}|$	$40+20n$	B	$|{\mathbb{Z}}_q^{*}|$	20
Ours	$\{ac{c}_{new},E\}$	$|{\mathbb{Z}}_N^{*}|+|{\mathbb{Z}}_q^{*}|$	148	$ac{c}_{new}$	$|{\mathbb{Z}}_N^{*}|$	128

, and Figure 5 shows the revocation communication costs under different revocation schemes.

In terms of revocation communication, the schemes in [25,27,28] essentially rely on point-to-point dissemination. The manager needs to deliver revocation-related information to each affected user, so the communication cost increases linearly with the number of users. Specifically, refs. [27,28] use time-periodic key updates, and revocation effectiveness usually depends on the next update cycle. This can result in delayed membership changes. In contrast, ref. [30] adopts revocation by broadcast polynomial for revocation, which avoids per-user delivery. However, the broadcast payload still increases linearly with system scale, as the coefficient set $\{B_0,a_0,\dots ,a_n\}$ expands with n. In our scheme, only the set of values $\{ac{c}_{new},E\}$ is broadcast per revocation event. Thus, the revocation communication overhead remains constant at $O\left(1\right)$, regardless of n. This advantage is clearly reflected in Figure 5, where the cost of our scheme remains at 148 bytes, whereas the cost of other schemes increases with n.

In terms of revocation storage, ref. [25] needs to maintain an explicit revocation list ($\{FI{D}_1,\dots ,FI{D}_n\}$), which results in linear storage growth as revoked users accumulate. The time-periodic approaches in [27,28] also require storing per-user records or update materials, leading to storage overhead proportional to n. Although ref. [30] only stores a compact value B and thus achieves constant storage, its revocation broadcast message still grows with n, making it difficult to simultaneously achieve scalable communication and storage. Benefiting from the RSA accumulator, our scheme only keeps the latest accumulator value $ac{c}_{new}$, which restricts the revocation storage overhead to $O\left(1\right)$ and avoids long-term linear expansion.

Overall, our scheme achieves a constant overhead size for both revocation communication and storage. This makes it well-suited for large-scale wireless medical sensor networks deployments with frequent membership changes.

9. Discussion

Although the proposed scheme achieves the intended security and privacy objectives under the adopted threat model, practical deployment in wireless medical sensor networks still involves system-level considerations beyond formal security proofs and theoretical cost analysis. This section discusses the engineering feasibility of the newly introduced computations on resource-constrained sensor nodes, summarizes the main limitations of the current approach, and outlines directions for future improvements and extensions.

9.1. Implementation Feasibility

Our enhanced design introduces several mechanisms to strengthen security and privacy. Among them, the components that are most relevant to the implementation burden on end devices mainly include: the added non-interactive zero-knowledge (NIZK) membership proof in the authentication phase, and the dynamic pseudonym pool with periodic rotation for achieving unlinkability. Accordingly, this subsection focuses on (1) the feasibility of ZK proof generation on resource-constrained sensor nodes and (2) the management of dynamic pseudonym pools and the associated overhead trade-offs.

First, regarding ZK membership proof generation, we adopt a Fiat–Shamir-based non-interactive membership proof, whose computation can be naturally decomposed into offline precomputation and lightweight online generation. Specifically, the randomness and intermediate values related to the commitment can be precomputed and cached when the node is idle; in the online phase, the node only needs to derive the hash challenge from the current message and context and then perform a small number of scalar operations to output the proof. As a result, the major cost of the added proof step can be shifted to the offline stage, keeping the extra overhead on the real-time authentication path low. Moreover, the required basic primitives, such as hashing and modular exponentiation, are consistent with those used elsewhere in the protocol, facilitating the reuse of existing cryptographic libraries on embedded platforms.

Second, regarding the management of the dynamic pseudonym pool, the pool size n is a configurable parameter that balances unlinkability and resource consumption: a larger n reduces the reuse frequency of any single pseudonym and hence enhances long-term unlinkability; however, the node must store n tuples $(PI{D}_k,P{K}_k,wi{t}_k)$ and the associated secret materials, and it must also update the witnesses for all stored pseudonyms upon membership updates, leading to storage and maintenance costs that grow linearly with n. It is worth emphasizing that each authentication session uses only one pseudonym, so the per-session signing and verification costs are essentially independent of n; the system sensitivity to n mainly stems from the combined effect of pool size and update frequency. Considering the resource constraints of WMSN devices and the dynamics of hospital scenarios, a moderate n can be selected according to the storage budget and the expected update frequency. In addition, two engineering strategies can be adopted: (i) a threshold replenishment mechanism for pseudonym resources, where the node requests and loads a new batch of pseudonyms from the TA once the number of remaining unused pseudonyms falls below a preset threshold to avoid pool depletion and sustain rotation; and (ii) a batched, on-demand witness refresh strategy, which amortizes the update computation over multiple reporting periods. These strategies improve practicality without changing the protocol logic, while preserving unlinkability and feasibility.

9.2. Limitations

This scheme relies upon a Trusted Authority (TA) as a fully trustworthy and perpetually available authority entity, responsible for issuing pseudonym pools, maintaining RSA accumulator states, and broadcasting membership updates. In practical deployment, the TA may present a single point of failure: should the TA be compromised or temporarily unavailable, the security of witness issuance and the continuity of dynamic membership management would be jeopardized.

Although our performance evaluation is systematic, it primarily relies on theoretical performance analysis and formal simulation verification. End-to-end testing has not yet been conducted in real-world WMSNs scenarios or on actual sensor hardware platforms. Considering that real wireless medical environments often exhibit link quality fluctuations, interference, and packet loss and retransmission issues, the actual runtime latency and load of the protocol may deviate from theoretical estimates.

The current design prioritizes authentication and signature functions to guarantee integrity, confidentiality, and revocability but does not provide an end-to-end encryption mechanism to safeguard the confidentiality of medical payloads.

9.3. Future Work

In the future, we plan to develop a system prototype and construct a more realistic wireless medical sensor network (WMSN) test platform for end-to-end evaluation. This will include assessing overall authentication latency, actual energy consumption, and robustness under unstable wireless channels, thereby further validating the engineering feasibility of the proposed protocol in complex medical environments.

To address potential single-point-of-failure risks in the TA, we will explore more robust distributed alternatives, such as blockchain-based distributed ledgers or secret sharing techniques, to support credential issuance and revocation management. This will enhance system availability and mitigate the impact of TA compromise.

We will investigate integrating lightweight cryptographic mechanisms at the protocol layer to provide end-to-end confidentiality for medical payloads, further strengthening security and privacy protection over open wireless links.

Future work will introduce data aggregation mechanisms to further reduce bandwidth consumption and improve overall efficiency. Concurrently, we will study system-level design considerations and challenges when combining data aggregation with signature aggregation in wireless medical sensor networks.

10. Conclusions

This paper analyzes the recently proposed revocable certificate-free aggregate authentication scheme based on RSA accumulators by Shen et al. [8], revealing its potential security vulnerabilities and presenting concrete attack scenarios. Building upon this foundation, we propose a security-enhanced pairing-free certificateless aggregate authentication protocol with efficient revocation. This protocol integrates strong identity–membership binding, non-interactive zero-knowledge membership proofs, and a dynamic pseudonym rotation mechanism. It satisfies the requirements for lightweight authentication, privacy protection, and dynamic membership management in large-scale resource-constrained deployment environments. Formal analysis and performance comparisons demonstrate that, at equivalent security levels, this protocol achieves compact communication overhead and efficient aggregate verification while maintaining constant revocation update overhead. It is thus suitable for large-scale WMSNs deployments with frequent member changes.