Attribute Based Multisignature Scheme for Wireless Communications

With the rapid development of wireless communication, more and more mobile devices are used in daily life. Although the need to access a wireless network is evident, new problems, such as keeping and preserving the privacy of a user's identity, demand serious attention. The attribute based signature scheme is an important cryptographic primitive that gives users a powerful way to control their privacy. In a wireless environment, the capacity of the wireless channel is also a valuable and limited resource: the less bandwidth the signatures used to verify a message consume, the more information can be transmitted through the channel. In order to reduce the bandwidth needed to transmit attribute based signatures while keeping the signer's privacy, an attribute based multisignature scheme (ABMS) is proposed in this paper. We formalize and construct the ABMS. Our scheme is existentially unforgeable against chosen message attack under the Computational Diffie-Hellman (CDH) assumption in the standard model. The simulation shows that our ABMS scheme is well suited to guaranteeing the integrity of data in wireless communication.


Introduction
With the increasing availability of mobile devices, it is convenient for people to make phone calls and surf the Internet over the wireless channel. Because it is convenient, fast, and easy to use, there is a growing demand from consumers to transmit data over the wireless channel. Due to the nature of the wireless channel, the data can easily be altered, whether by transmission channel noise or by a malicious attacker. The security and privacy of the data collected from wireless devices, both while stored on the data server and during transmission through the wireless network, is a major concern. Preserving identity privacy is also an increasingly important concern. In October 2013, attackers are believed to have stolen information on 2.9 million Adobe account holders; that data included customer names, encrypted credit and debit card numbers, expiration dates, and other customer order information [1]. How to efficiently verify data integrity and preserve identity privacy is therefore an important problem in the wireless environment.
The attribute based signature (ABS) scheme [2] has attracted much attention as a new public key primitive in recent years because it provides a powerful way for users to control their privacy and keep the integrity of the data, and it also helps to provide fine-grained access control in anonymous authentication systems. ABS is the signature analogue of attribute based encryption (ABE) [3,4], which is an important application of the fuzzy identity-based encryption (FIBE) scheme [3]. In FIBE, a user encrypts a message under a set of attributes such that any user whose decryption key shares at least a threshold number of attributes with the ciphertext attribute set can decrypt the message; for brevity this is called threshold attribute based encryption. Wang et al. [5] proposed a new fully secure FIBE scheme based on the FIBE scheme of [3] and proved its security using the "dual system encryption" technique. The ABS scheme extends the identity-based signature: the signer is associated with a set of attributes instead of a single identity string. It gives users a powerful way to control their privacy, because a user can choose the subset of their attributes relevant to the specific scenario when signing a document. Consider the following scenario: an institution releases a technical report that may involve a professor aged 45 in the computer science department. Any user whose attribute set contains all of the above attributes could issue the signature. Because ABS has these advantages, different users want to sign the same document with it. Yang et al. [6] introduced a new cryptographic primitive called fuzzy identity-based signature (FIBS), the signature analogue of FIBE, and Shahandashti and Safavi-Naini [7] proposed threshold attribute based signature constructions for both a small and a large attribute universe. Since FIBS gives the signer no control over privacy, Maji et al. [8] introduced an ABS scheme that provides a strong privacy guarantee for the signer and a strong unforgeability guarantee for the verifier. To let users sign messages with any subset of the attributes issued to them by an attribute center, Li and Kim [9] gave a hidden attribute based signature scheme without anonymity revocation that achieves both anonymity and unforgeability. Li et al. [10] proposed a new construction of ABS supporting a flexible threshold predicate that shortens the signature and improves the verification time. Later, Cao et al. [11] gave multiauthority attribute based signature schemes for expressive policies, in which a policy may be expressed with AND, OR, and threshold gates and in disjunctive normal form. Now consider the following case: users often use the wireless channel to upload files to a data center. Unfortunately, these communication mechanisms are rather expensive for mobile devices in energy consumption, and the capacity of the wireless channel is limited. In order to increase the throughput of messages sent to the data center and extend the battery life of energy-restricted devices, it is better to spend fewer transmitted bits on wireless communication with the data center. It is therefore a challenge to design cryptographic primitives that reduce the communication and storage overhead.
Multisignatures, first introduced in [12], allow multiple signers to jointly authenticate a message with a single compact signature: a group of players signs the same message by generating one short signature that can be verified against the set of their public keys. Many multisignature schemes were subsequently proposed [13][14][15], but they lacked formal security notions for multisignatures. Micali et al. [16] first formalized a strong notion of security for multisignatures, and [17] gave a more general construction in the random oracle model that does not restrict the subset of signers; its security relies on random oracles. Lu et al. [18] first proposed sequential aggregate signature and multisignature schemes in the standard model. Because the verification information of an identity-based signature (IBS) scheme includes neither a certificate nor an individual public key for the signer, Cheon et al. [19] presented an identity-based multisignature (IBMS) scheme, which reduces the signature size to almost a half and verifies multiple signatures efficiently. Gentry and Ramzan [20] designed efficient identity-based multi- and aggregate signatures; their schemes employ a group with a bilinear map in the random oracle model. Later, several RSA-based IBMS schemes were proposed whose security is based on the RSA assumption; their computational costs for signing and verification are slightly lower because RSA exponentiation is less expensive than bilinear map operations. Recently, Liu et al. [21] proposed an attribute based multisignature scheme in the standard model that reduces the signature length, but its performance is not good. Later, Liu et al. [22] proposed another ABMS scheme for the wireless environment, but the authors give no performance measurements to show that their scheme is efficient.
In this paper, we propose a scheme called attribute based multisignature (ABMS) to solve the problem described above. The ABMS scheme allows a set of signatures on the same message to be compressed into a single signature. The resulting signature is shorter than the original ones and cheaper to verify, which is more appropriate for wireless networks where bandwidth is a bottleneck.
Our Contributions. In this work, we make the following contributions: (1) We define the attribute based multisignature scheme (ABMS), formalize its model, and give a security model for ABMS. (2) We give an overview of the ABMS scheme for wireless communication and a concrete construction of the scheme. (3) We prove that our ABMS scheme is existentially unforgeable in the standard model under the computational Diffie-Hellman assumption. (4) We run a simulation on a workstation to show that the ABMS scheme greatly decreases the storage overhead in the data center and the computational overhead for the verifier.
Organization. The rest of the paper is organized as follows. In Section 2, we review bilinear pairings, the complexity assumption, the flexible threshold predicate, and Lagrange interpolation. In Section 3, we give the formal model and the security model of the ABMS scheme. In Section 4, we give the concrete construction of the ABMS scheme. In Section 5, we give the security proof in the standard model. In Section 6, we analyze the performance of the ABMS scheme, test it on a workstation, and analyze its efficiency. We conclude the paper in Section 7.

Preliminaries
In this section, we introduce the notions used to construct the ABMS scheme and to prove its security.

Bilinear Maps.
Let $\mathbb{G}$ and $\mathbb{G}_T$ be two multiplicative cyclic groups of prime order $p$, let $g$ be a generator of $\mathbb{G}$, and let $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be a bilinear map with the following properties: (1) bilinearity: for all $u, v \in \mathbb{G}$ and $a, b \in \mathbb{Z}_p$, we have $e(u^a, v^b) = e(u, v)^{ab}$; (2) nondegeneracy: $e(g, g) \neq 1$; (3) computability: there is an efficient algorithm to compute $e(u, v)$ for all $u, v \in \mathbb{G}$. Notice that the map $e$ is symmetric, since $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$.

Complexity Assumption.

Lagrange Interpolation. In this section, we describe Lagrange interpolation, which is used in the ABMS scheme.
Given $d$ points $q(1), \dots, q(d)$ on a polynomial $q$ of degree $d-1$, Lagrange interpolation computes $q(x)$ for any $x \in \mathbb{Z}_p$. Let $S$ be a $d$-element set. The Lagrange coefficient $\Delta_{i,S}(x)$ of $q(i)$ in the computation of $q(x)$ is defined as
$$\Delta_{i,S}(x) = \prod_{j \in S,\, j \neq i} \frac{x - j}{i - j},$$
so that $q(x) = \sum_{i \in S} q(i)\,\Delta_{i,S}(x)$.

Formal Models and Its Security Model

Formal Models of ABMS Scheme. The attribute based multisignature scheme consists of six algorithms, called Setup, Extract, StandardSign, StandardVerify, MComb, and MultiVerify, described as follows.
Setup. This algorithm is run by the master entity. It takes the security parameter as input and generates the public parameters of the scheme and the master secret key MSK. The master entity publishes the public parameters and keeps the MSK to itself.
Extract. Given an attribute set $\omega$, the master key MSK, and the public parameters, the master entity uses this algorithm to generate the private key of $\omega$ for each entity participating in the scheme and distributes the private keys to their respective owners through a secure channel.
StandardSign. Given a message $m$, an attribute set $\omega$, a private key for $\omega$, the public parameters, and a threshold predicate $\Upsilon_{k,\omega^{*}}(\cdot)$, this algorithm generates the signature $\sigma$ of $\omega$ on $m$. The entity holding the attribute set $\omega$ uses this algorithm for signing.
StandardVerify. Given a signature $\sigma$, a message $m$, an attribute set, and the public parameters, this algorithm outputs accept if $\sigma$ is a valid signature on $m$ for that attribute set and outputs reject otherwise.
MComb. This algorithm is given the signature-public key pairs $\{(\sigma_i, PK_i)\}_{i=1}^{n}$ and a message $m$, where $n$ is the number of users signing $m$. It generates and outputs a multisignature $\sigma_{MS}$.
MultiVerify. This algorithm is given the public keys $\{PK_i\}_{i=1}^{n}$, a message $m$, and a multisignature $\sigma_{MS}$. It outputs accept if $\sigma_{MS}$ is a valid multisignature on $m$ and outputs reject otherwise.

Existential Unforgeability of ABMS Scheme.
We define the security model for the attribute based multisignature scheme as a game between a challenger and an adversary.
Setup. The challenger runs the Setup algorithm and obtains both the public parameters and the master secret key. The challenger gives the public parameters to the adversary and keeps the master secret key to itself.
Queries. The adversary adaptively makes a polynomially bounded number of queries to the challenger. Each query is one of the following.
(i) Extract Query. The adversary can ask for the private key of any attribute set. The challenger responds by running the Extract algorithm and gives the private key to the adversary.
(ii) Sign Query. The adversary can ask for a signature of an attribute set on a message $m$. The challenger responds by first running the Extract algorithm to obtain the private key and then running the Sign algorithm to obtain a signature, which is given to the adversary.
Output. Eventually, the adversary outputs a forgery $\sigma^{*}$ on a message $m^{*}$ under a set of public keys $\{PK_i\}_{i=1}^{n}$. The challenge key must appear among $\{PK_i\}_{i=1}^{n}$; without loss of generality, we assume that it appears at index 1. The challenger outputs 1 if $\sigma^{*}$ is a valid multisignature on $m^{*}$ under $\{PK_i\}_{i=1}^{n}$ and the adversary obtained neither the private key of the challenge attribute set through an Extract query nor a signature on $m^{*}$ through a Sign query. Otherwise, it outputs 0.
Definition 2. The attribute based multisignature scheme is $(t, q_E, q_S, \varepsilon)$-secure against existential forgery under an adaptive chosen-message attack if no $t$-time adversary that makes $q_E$ Extract queries and $q_S$ Sign queries wins the above game with advantage more than $\varepsilon$.
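The threshold mechanism that Extract and StandardSign rely on, as an added worked example that is not code from the paper: it implements the Lagrange coefficient $\Delta_{i,S}(x)$ of Section 2.4 over $\mathbb{Z}_p$, shares a master secret on a polynomial of degree $d-1$, and shows how the default attribute set $\Omega$ pads a signer who holds $k$ of the required attributes up to the $d$ points needed, while a signer short of attributes, or one who fabricates a share, fails. The prime, the attribute values, and the attribute sets are constructed for illustration; in the real scheme the shares live in the exponent of $g_2$, so reconstruction happens inside the pairing rather than in the clear.

```python
import secrets

# Constructed prime standing in for the group order p of the bilinear groups.
P = 2**127 - 1


def lagrange_coeff(i, S, x, p=P):
    """Lagrange coefficient Δ_{i,S}(x) = Π_{j∈S, j≠i} (x - j) / (i - j) mod p."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * ((x - j) % p) % p
            den = den * ((i - j) % p) % p
    return num * pow(den, -1, p) % p


def random_polynomial(secret, d, p=P):
    """Random polynomial q of degree d-1 with q(0) = secret, as Extract chooses."""
    return [secret % p] + [secrets.randbelow(p) for _ in range(d - 1)]


def evaluate(coeffs, x, p=P):
    """q(x) mod p by Horner's rule; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def reconstruct(points, p=P):
    """Recover q(0) from a dict {i: q(i)} holding d points: Σ q(i)·Δ_{i,S}(0)."""
    S = list(points)
    return sum(points[i] * lagrange_coeff(i, S, 0, p) for i in S) % p


def signing_points(own_attrs, required, omega, k, d):
    """Pick the d interpolation points a signer uses for the predicate
    "at least k attributes of required": k attributes from own ∩ required plus
    d-k default attributes from Ω (|Ω| = d-1).  None if the signer lacks k."""
    common = sorted(set(own_attrs) & set(required))
    if len(common) < k or not (0 < k <= d):
        return None
    return common[:k] + sorted(omega)[: d - k]


def threshold_demo(d=4, k=2):
    """End-to-end flow with constructed attribute values.  In the scheme the
    shares are g2^{q(i)} and α is reconstructed implicitly by the verification
    pairing; here everything is in Z_p so the effect is visible.  Returns the
    outcomes so they can be checked programmatically."""
    alpha = secrets.randbelow(P)                      # master secret α from Setup
    omega_default = [1000 + i for i in range(d - 1)]  # Ω = {Ω_1, ..., Ω_{d-1}}
    own = [11, 12, 13]                                # signer's attribute set ω
    required = [12, 13, 14, 15]                       # verifier's set ω*, n = 4

    q = random_polynomial(alpha, d)
    # Extract: one share per attribute in ω ∪ Ω
    shares = {i: evaluate(q, i) for i in own + omega_default}

    # Honest signer: holds k = 2 of ω* and pads with d-k = 2 default attributes
    pts = signing_points(own, required, omega_default, k, d)
    recovered = reconstruct({i: shares[i] for i in pts}) == alpha

    # A signer with only one attribute of ω* cannot assemble the d points
    weak = signing_points([11, 12], required, omega_default, k, d)

    # Substituting a fabricated share for attribute 14 (not in ω) breaks it
    forged = {i: shares[i] for i in pts[:-1]}
    forged[14] = secrets.randbelow(P)
    forged_recovers = reconstruct(forged) == alpha

    return {"recovered": recovered, "weak_signer": weak,
            "forged_recovers": forged_recovers}


if __name__ == "__main__":
    print(threshold_demo())
```

The reason `signing_points` refuses a signer with fewer than $k$ common attributes is the same reason the verifier fixes $|\Omega'| = d - k$: the missing real attributes cannot be replaced by extra default attributes, so the threshold is enforced by the number of points rather than by trusting the signer.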

Our Constructions
In this section, we first give an overview of the whole wireless communication system and then a concrete construction of the ABMS scheme.

Overview of Privacy-Preserving Data Integrity Verification Method for Wireless Communication.
Bandwidth is a scarce resource in wireless communication. In order to verify data integrity, a signature method is brought into the system, but it greatly increases the communication cost, especially when the number of users in the system is huge. Meanwhile, mobile devices such as mobile phones and wireless sensor nodes are usually energy-restricted, and extra computation increases battery consumption. The main goal of our attribute based multisignature scheme is to reduce both the communication overhead and the verification cost of keeping data integrity in the process of wireless communication, while allowing users to control the privacy of their identities. The whole system model is shown in Figure 1: there are a message provider (user 1), a group of signers (users $2, 3, \dots, n$), a verifier, and an authority. The authority first generates the master key and defines a common universe of attributes, such as "headmaster", "professor", "age 45", and "computer science department". Then the authority uses the master key and the attribute sets to construct the private keys of users $1, 2, \dots, n$ and sends each key to the corresponding user. Because the message must be signed by the message provider and by a group of signers, the provider first generates the message and its associated signature and sends them to the group of users; all users in the same BSS need to sign the message. When the signers (users $2, 3, \dots, n$) receive the message-signature pair $(m, \sigma_1)$, they first verify whether $(m, \sigma_1)$ was sent by the message provider. If $(m, \sigma_1)$ passes verification, the message is considered to come from user 1, and each signer $j$ ($j = 2, \dots, n$) generates its own message-signature pair $(m, \sigma_j)$. Then the pairs $(m, \sigma_1)$ and $(m, \sigma_j)$, $j = 2, \dots, n$, are compressed into a single message-multisignature pair $(m, \sigma_{MS})$, which is sent to the data center for storage. When another user needs the message $m$, he or she first retrieves it from the data center and uses the signature $\sigma_{MS}$ to verify it. If the verification holds, the message is intact and was signed by users $j = 2, \dots, n$; otherwise it was modified by third-party servers. With traditional methods, $n$ message-signature pairs must be transmitted to the verifier; with the ABMS scheme only one message-signature pair is transmitted over the network, which greatly decreases the transmission overhead and reduces the storage cost in the data center. The concrete construction of the ABMS scheme is presented next.

Concrete Construction of ABMS Scheme.
Setup. This algorithm first defines the attributes in the universe $\mathcal{U}$ as elements of $\mathbb{Z}_p$. A default attribute set of $d-1$ elements of $\mathbb{Z}_p$ is given as $\Omega = \{\Omega_1, \Omega_2, \dots, \Omega_{d-1}\}$. It selects a random generator $g \in \mathbb{G}$ and a random $\alpha \in \mathbb{Z}_p^{*}$ and computes $g_1 = g^{\alpha} \in \mathbb{G}$. Next, it picks a random element $g_2 \in \mathbb{G}$ and computes the pairing of $g_1$ and $g_2$. For every user $j$, it selects a random vector $\mathbf{t} = (t_1, t_2, \dots, t_{n+d-1})$ from $\mathbb{Z}_p^{n+d-1}$ and computes the corresponding public values. Finally, the algorithm selects a random value from $\mathbb{Z}_p$ and a random vector $\mathbf{y} = (y_1, y_2, \dots, y_{n_m})$ from $\mathbb{Z}_p^{n_m}$ and computes $U = (u_1, u_2, \dots, u_{n_m}) = (g^{y_1}, g^{y_2}, \dots, g^{y_{n_m}})$. These values form the public parameters; for different users, the public keys are denoted $PK^{(j)}$. The master key is kept by the authority.
Extract. This algorithm generates a private key for the attribute set $\omega$ of a user involved in the system. It takes the following steps. (1) It chooses a random polynomial $q$ of degree $d-1$ with $q(0) = \alpha$. (2) It forms the new attribute set $\omega' = \omega \cup \Omega$; for each $i \in \omega'$, it chooses a random exponent and computes the two key components $d_{i0}$ and $d_{i1}$. (3) Finally, it outputs $D = (d_{i0}, d_{i1})_{i \in \omega'}$ as the private key.
StandardSign. This algorithm takes a private key for the attribute set $\omega$, a message $m$, and a predicate $\Upsilon_{k,\omega^{*}}(\cdot)$. To sign $m$ with the predicate, that is, to prove that the signer owns at least $k$ attributes among the $n$-element attribute set $\omega^{*}$, it selects a $k$-element subset $\omega_k \subseteq \omega \cap \omega^{*}$ and proceeds as follows.
(1) It selects a default attribute subset $\Omega' \subseteq \Omega$ with $|\Omega'| = d - k$ and chooses $n + d - k$ random values $r_i \in \mathbb{Z}_p$, one for each $i \in \omega^{*} \cup \Omega'$. (2) It then computes the signature components from the private key, the message, and these random values. (3) Finally, the algorithm outputs the signature $\sigma = (\sigma_0, \{\sigma_i\}_{i \in \omega^{*} \cup \Omega'}, \sigma'_0)$.
StandardVerify. To verify a signature $\sigma = (\sigma_0, \{\sigma_i\}_{i \in \omega^{*} \cup \Omega'}, \sigma'_0)$ on $m$ with threshold $k$ for the attribute set $\omega^{*} \cup \Omega'$, the verifier checks whether the verification equation holds. If it holds, the signature was indeed produced by a user holding $k$ attributes among $\omega^{*}$; otherwise the signature is invalid.
MComb. For each user $j$ in the multisignature, the algorithm takes the public parameters, the public key $PK^{(j)}$, and a signature $\sigma^{(j)}$; all signatures are on the same message $m$. Let $m$ be an $n_m$-bit message signed by the original signers $j = 1, 2, \dots, n$, let $m_i$ denote the $i$th bit of $m$, and let $\mathcal{M} \subseteq \{1, 2, \dots, n_m\}$ be the set of all $i$ with $m_i = 1$. Denote user $j$'s signature as $\sigma^{(j)} = (\sigma_0^{(j)}, \{\sigma_i^{(j)}\}_{i \in \omega^{*} \cup \Omega'}, \sigma'^{(j)}_0)$. The algorithm first verifies that each $\sigma^{(j)}$ is valid by calling StandardVerify; if any check fails, it outputs fail and halts. Otherwise it merges the signatures attribute by attribute, both for the attributes in $\omega_k \cup \Omega'$ that signer $j$ actually used and for the remaining attributes in $\omega^{*} \setminus \omega_k$: if attribute $i$ is not yet present in the combined attribute set, it adds $i$ and sets $\sigma_i = \sigma_i^{(j)}$; if $i$ is already present, it computes $\sigma_i = \sigma_i \cdot \sigma_i^{(j)}$. The algorithm finally computes the multisignature $\sigma_{MS}$ from the combined components.

Security of ABMS Scheme
In this section, we first show the correctness of our ABMS scheme and then prove that it is existentially unforgeable using the hard problem introduced in Section 2.2.

Correctness.
The multisignature $\sigma_{MS}$ generated by the MComb algorithm can be checked by the verifier by expanding the MultiVerify equation.

Existential Unforgeability.
In this section, we show that our ABMS scheme is existentially unforgeable by proving the following theorem.
Theorem 3. The attribute based multisignature scheme is $(t, q_E, q_S, \varepsilon)$-unforgeable if the $(t', \varepsilon')$-CDH assumption holds, where $t'$ and $\varepsilon'$ are as determined at the end of the proof and $t_m$ and $t_e$ denote the time for a multiplication and an exponentiation in $\mathbb{G}$, respectively.
Proof. Assume that the adversary $\mathcal{A}$ has advantage $\varepsilon$ in attacking the scheme. We construct an algorithm $\mathcal{B}$ that solves CDH with probability at least $\varepsilon'$. Algorithm $\mathcal{B}$ is given a group $\mathbb{G}$, a generator $g$, and the elements $g^a$ and $g^b$. In order to use $\mathcal{A}$ to compute $g^{ab}$, $\mathcal{B}$ must simulate a challenger for $\mathcal{A}$. Such a simulation is created in the following way.
To complete the description of the simulation, we analyze the probability that $\mathcal{B}$ does not abort. We require the following cases to hold. We define the events that $\mathcal{B}$ does not abort during the Extract queries, during the Sign queries, and at the forgery, and bound the probability of each. The assumption $l_m (n_m + 1) < p$ implies that if the value of the simulator's message function at the forged message $m^{*}$ is $0 \bmod p$, then it is also $0 \bmod l_m$. Since the outputs of this function on two distinct messages $m_1 \neq m_2$ differ in at least one randomly chosen value, the events that they are $0 \bmod l_m$ are independent; likewise, the event for the $i$th Sign query and the event for $m^{*}$ are independent for every $i$. Setting $l_m = 2 q_S$ bounds the probability that the simulator survives the Sign queries and the forgery. If the simulation does not abort, the probability of correctly guessing the $(d-k)$-element subset $\Omega^{*}$ of the $(d-1)$-element default set $\Omega$ is $1/\binom{d-1}{d-k}$. Therefore the advantage of $\mathcal{B}$ in solving the CDH problem is the product of these bounds and $\varepsilon$. Algorithm $\mathcal{B}$'s running time is that of $\mathcal{A}$ plus the overhead of handling $\mathcal{A}$'s $q_S$ Sign queries, expressed in terms of $t_m$ and $t_e$, the time for a multiplication and an exponentiation in $\mathbb{G}$, respectively.

Performance Analysis
To analyze the performance of the proposed cryptosystem, we compare our ABMS scheme with the scheme of Li et al. [10] in terms of storage, communication, and computational overheads, defined as follows.
Storage Overhead. The number of key materials held by each entity and the size of the signatures stored in the data center.
Computation Overhead. The computational resources consumed by the verifier and by the whole system.

Storage Overhead. Storage overheads fall into the following types: the number of public parameters, the private keys available in the system, the number of private keys held by each signing owner $j$ ($j = 1, \dots, n$), and the size of the signatures stored in the data center. The total length of the public parameters is smaller than in Li's scheme, and the length of the private key held by each signer is the same as in Li's scheme. The size of the signatures stored in the data center is greatly reduced by the ABMS scheme: the signature length of Li's scheme grows linearly with the number of users, whereas in our ABMS scheme the lower bound of the multisignature size is determined by the signer holding the largest number of attributes and the upper bound is determined by the number of universal attributes in the system. We can aggregate the signatures of $n$ users into one short signature, which greatly decreases the storage overhead in the data center, especially when the number of users in the system is huge. Here we also compare our scheme with other schemes [23]. We let $n$ be the number of signers, $n + d - k$ the size of the attribute set $\omega^{*} \cup \Omega'$, $|\mathcal{U}|$ the size of the attribute universe, and $t_p$ the running time of a pairing in the MultiVerify algorithm. The comparison is listed in Table 1. In the next section, we use a real workstation to simulate the ABMS scheme.

Computation Overhead.
Li's scheme uses a hash function to compute the attribute values. In our ABMS scheme we instead use the public vector $U$ chosen in Setup, which lets the scheme be proved secure in the standard model; the number of exponentiations needed to compute $U$ depends on the security parameter. When two signers share the same attribute, the MComb algorithm costs one more multiplication but saves the verifier one pairing in the MultiVerify algorithm. Since a multiplication is far cheaper than a pairing, the verifier's cost drops with every pairing saved, and the total computation cost of the whole system decreases as well.

The Performance Measurements.
We now provide some information on the performance achieved with the PBC (Pairing-Based Cryptography) library underlying pairing-based cryptosystems. In our experiment, the procedure is implemented on a workstation with an Intel Pentium CPU running at 2.40 GHz, 6 GB of RAM, and a 5400 RPM 320 GB Serial ATA drive. The OS on the test machine is 64-bit Ubuntu 12.04 LTS with kernel version 3.2.0-23-generic. We use type A pairings, which are constructed on a 160-bit elliptic curve group based on the supersingular curve $y^2 = x^3 + x$ over a 512-bit finite field. On the test machine, we begin by estimating the cost of the basic cryptographic operations: a pairing takes approximately 1.389 ms, exponentiations in $\mathbb{G}$ and $\mathbb{G}_T$ take about 1.994 ms and 0.187 ms, and multiplications in $\mathbb{G}$ and $\mathbb{G}_T$ take about 0.005 ms and 0.002 ms; each figure is the average of 10000 runs. In our simulation, 100 signers are involved in the system, the total number of attributes initialized by the Setup algorithm is 70, and the maximum number of attributes belonging to an individual signer is 7. We test the total running time and the verification time of our ABMS scheme against Li's scheme [10] and compare them in Figure 2. Figure 2(a) shows the upper and lower bounds of the verification time of the ABMS scheme together with the verification time of Li's ABS. If all users in the system share the same attribute set, the black line is achieved, which is the lower bound of the verification time of our ABMS scheme. If the attributes associated with the users are all different, the blue line is achieved, which is the upper bound of the verification time of our ABMS scheme. Running the MComb algorithm introduces some multiplications in $\mathbb{G}$. Because the cost of a multiplication in $\mathbb{G}$ is greatly smaller

Figure 1: ABMS scheme for wireless network.
Figure 2(b): The total running time.