Certificateless Multisignature Scheme Suitable for Network Coding

Network coding can save wireless network resources and improve network throughput by combining routing with coding. Traditional certificateless multisignature schemes are not suitable for the network coding environment. In this paper, we propose a certificateless multisignature scheme suitable for network coding (NC-CLMSS) by using sequential multisignature and a homomorphic hash function. NC-CLMSS is based on the CDH and ECDL problems, and its security is proved in detail in the random oracle (RO) model. In NC-CLMSS, the source node generates a multisignature for the message, and the intermediate node linearly combines the received messages. NC-CLMSS can resist pollution and forgery attacks, and it has a fixed signature length and relatively high computational efficiency.


Introduction
As a network information interaction technology, network coding [1] has routing and coding functions and allows the router to encode the received data. Network coding has the merits of high transmission efficiency, fast speed, strong robustness, and good stability, but it is vulnerable to pollution attacks during data transmission. In recent years, researchers have proposed a series of network-coding signature schemes [2][3][4][5][6] to address network coding contamination. The schemes in [4,5] effectively solved replay attacks by using time stamps; the certificateless network-coding homomorphic signature [6] is designed by using a homomorphic hash function, and it can resist replay attacks and forgery attacks at the same time with lower computational overhead and communication cost.
In real scenarios, many applications use signature technology. With the development of communication technology, scholars have proposed many signature varieties (including multisignature) suitable for various application scenarios, such as the medical field [7][8][9][10], privacy security [11], vehicle-mounted networks [12,13], multicast networks [14,15], e-government [16], e-commerce [17], and campus management facilities [18]. Multisignature first generates the partial signatures of the same message, and then the signature collector integrates the partial signatures into one signature. In terms of the order of partial signatures, multisignature can be divided into sequential multisignature [19] and broadcast multisignature [20,21]. Compared with ordinary multisignature, sequential multisignature has the following characteristics: (1) the signature length has nothing to do with the number of signatures; (2) instead of using the public key of each signer, the group public key can be used to verify the signature; (3) signers sign the messages in a concrete order, otherwise a valid multisignature cannot be obtained; (4) it is not computationally feasible to obtain valid signatures without the joint operation of all signers. To date, there is no sequential multisignature suitable for network coding, as described in Figure 1, so we devise such a scheme to resist pollution and forgery attacks in wireless networks.

Contributions.
For the above reasons, a new certificateless multisignature scheme for network coding (NC-CLMSS) is devised by combining the certificateless public key with sequential multisignature. In NC-CLMSS, the users at the source node generate the sequential multisignatures for the messages in a fixed order and transfer the signed messages from the router to the intermediate node. The intermediate node performs the linear combination of the received information. Meanwhile, the destination node can verify the correctness of the signature without knowing the signer private key. The destination node filters out the contaminated information and forwards the validated data to the next receiving node. NC-CLMSS overcomes the key escrow and certificate management issues; moreover, it can resist forgery attacks and pollution attacks in the multisource network-coding environment and has relatively better transmission efficiency.

Bilinear Pairing.
Assume $G_1$ and $G_2$ are additive and multiplicative cyclic groups of prime order $q$, respectively. $P$ is a generator of the cyclic group $G_1$. $e: G_1 \times G_1 \rightarrow G_2$ is an admissible bilinear pairing if $e$ is a map with the following properties: $e(aP, bP) = e(P, P)^{ab}$ for any $a, b \in \mathbb{Z}_q^*$ and $P \in G_1$; $e(P, P) \neq 1$; there exists an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.

Definition 1 (ECDL problem). Given $(P, aP) \in G_1$ for any $a \in \mathbb{Z}_q^*$, the ECDL (elliptic curve discrete logarithm) problem is to calculate $a \in \mathbb{Z}_q^*$.

Multisource Network Model.
Multisource network coding [22] has a set of source nodes. In the multisource model, each encoding message has a uniformly assigned two-dimensional index. The model for the multisource transmission network is shown in Figure 2.
Multisource network coding is regarded as a directed acyclic graph $R = (E', V)$, where $E'$ is the set of edges in the network and $V$ is the set of all nodes. $U = \{u_1, u_2, \ldots, u_m\} \subset V$ is the set of the source nodes and $D = \{d_1, d_2, \ldots, d_k\} \subset V$ is the set of the sink nodes; $m$ multicast messages are expressed by $v = (v_1, v_2, \ldots, v_m)$; the source node set $U$ sends $v = (v_1, v_2, \ldots, v_m)$ to the sink nodes $D$, where each message vector $v_i$ is composed of $n$ elements over the finite field $F$, where $v_i$ is written as

Let $j$ be the unique index uniformly assigned to each message; the same multicast message sent by different source nodes has the same index. Each packet $w = (w_1, w_2, \ldots, w_l)$ can be sent by an arbitrary intermediate node in the network, and $w$ is the linear combination of $l$ messages received by this node. Table 1 gives the meaning of the notations used in this article.

Algorithm Definition.
An NC-CLMSS is defined by six polynomial time algorithms as follows.
Setup: input a security parameter $\rho$ and output the master key $s$ with a system parameter set $\mu$.
Extract: input $\mu$ with the user identity $ID_i$ and output a pair $(R_i, D_i)$ of partial public/private keys.
KeyGen: input $\mu$ with the user identity $ID_i$ and output a pair $(x_i, P_i)$ of private/public keys.
Multisignature: input $\mu$, the master key $s$, the message $v_t$, the private key $(D_i, x_i)$, and the public key $(R_i, P_i)$ and output a signature $\sigma_i$.
Combination: input the message vector $w_1, \ldots, w_m$ and output a combined signature $\sigma$.
Verification: input $\mu$, $\sigma_i$, and $\sigma$, the public key $(R_i, P_i)$, and the message $v_t$; the verifier outputs a result based on the verification case.

Security Model.
An NC-CLMSS must meet existential unforgeability against adaptive chosen-message attacks (UF-CMA). For the UF-CMA security model of NC-CLMSS, we consider the game EXP1/EXP2 between a challenger $C$ and a polynomial time adversary $A_1$ or $A_2$, where $A_1$ is a malicious user who can change any user public key but cannot know the master private key; $A_2$ is a malicious KGC who knows the system master key but cannot change any user public key. After that, $A_1$ or $A_2$ carries out the adaptive queries as follows:

Security and Communication Networks
Finally, $A_1$/$A_2$ outputs a forged signature $\sigma^*$. In the adaptive queries, $A_1$ should not request the full private key of $ID_s$; $A_2$ cannot request the private key of $ID_s$. In addition, $\sigma^*$ should not be returned by any multisignature oracle.

Definition 3.
An NC-CLMSS is said to be UF-CMA secure if no polynomial time adversary $A_1$/$A_2$ succeeds in EXP1/EXP2 with a non-negligible advantage.

Setup.
Given a security parameter $\rho$, the KGC (key generation center) chooses cyclic groups $G_1$ and $G_2$ of prime order $q$, as described in Section 2.1. $P$ is a generator of $G_1$ and $e: G_1 \times G_1 \rightarrow G_2$. KGC selects secure hash functions: KGC chooses a master key $s \in_R \mathbb{Z}_q^*$, keeps it secret, and then calculates the system public key $P_{pub} = sP$. Finally, KGC publishes the system parameter set $\mu = \{G_1, G_2, q, P, e, P_{pub}, H_0, H_1, H_2\}$.

Extract.
Given the identity $ID_i$ of the user $N_i$ and $\mu$, KGC randomly chooses $r_i \in \mathbb{Z}_q^*$ and calculates $R_i = r_i P$, . ., $ID_n$}, $D_i$ is the partial private key of $N_i$, and $R_i$ is the partial public key of $N_i$.

KeyGen.
Given the identity $ID_i$ of the user $N_i$ and $\mu$, this user $N_i$ ($i \in \{1, 2, \ldots, n\}$) randomly chooses a secret value $x_i \in \mathbb{Z}_q^*$ and calculates the public key $P_i = x_i P$.

Note that . ., $ID_n$} is an identity set of $n$ users and $N_1 \rightarrow N_2 \rightarrow \cdots \rightarrow N_n$ denotes the signature sequence of $n$ users. In other words, the user $N_i$ ($i \in \{1, 2, \ldots, n\}$) signs the message $v_t$ with the sequence $N_1 \rightarrow N_2 \rightarrow \cdots \rightarrow N_n$. Firstly, $N_1$ calculates where $\sigma_1$ is the partial signature of the message $v_t$ from the user Then, the signature of the user $N_n$ is $\sigma_n = \sum_{i=1}^{n} SIGN_i$. Finally, $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_d)$ and $v_t$ are sent to the intermediate node and sink node.

Combination.
Given the local coding vector $\alpha = (\alpha_1, \ldots, \alpha_m)$ and global vector $\beta = (\beta_1, \ldots, \beta_m)$, the intermediate node combines the message vector as follows: Then, the message vector $v_t$ is also denoted as $w = \sum_{j=1}^{m} \beta_j v_j$, and the signature corresponding to the

Verify.
After receiving the multisignature and combination signature, the verifier calculates If the equality $e(\sigma_n, P) = e(T, \sum_{i=1}^{n}(l_i P_i + R_i + h_i P_{pub}))$ holds, the multisignature is valid; otherwise, it is invalid.
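The verification equation above, together with the check each signer makes on the previous aggregate before adding its share, can be exercised in a toy model; this is an added example, not code from the paper. It uses a deliberately insecure stand-in for the pairing (each point $aP$ is stored as the scalar $a$, so $e(aP, bP)$ is represented by the exponent $ab$), so it checks the algebra only. Assumptions: the signing step is taken as $SIGN_i = (l_i x_i + D_i)T$ with $D_i = r_i + h_i s$, which is the form the verification equation requires (the page's own signing equations are missing), $L$ is the ordered identity list, and all function names and sample values are constructed.

```python
import hashlib
import secrets

Q = 2**127 - 1   # prime order q of G1 and G2 (toy size)
P = 1            # generator P; the point aP is stored as the scalar a (insecure by design)

def pair(A, B):
    """e(aP, bP) = e(P, P)^(ab), represented by the exponent ab mod q."""
    return A * B % Q

def H(tag, *parts):
    """Stand-in for H0/H1/H2: SHA-256 mapped into Z_q^*; for H2 the value t encodes T = tP."""
    data = "|".join(map(str, (tag, *parts))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1

def enroll(identity, s):
    """Extract + KeyGen for one user: R_i = r_i P, D_i = r_i + h_i s, P_i = x_i P."""
    r, x = rand_scalar(), rand_scalar()
    R, Pi = r * P % Q, x * P % Q
    D = (r + H("H0", identity, R) * s) % Q
    return {"id": identity, "R": R, "P": Pi, "D": D, "x": x}

def verification_key(u, L, v_t, P_pub):
    """l_i P_i + R_i + h_i P_pub, computed from public values only."""
    l = H("H1", u["id"], L, u["P"], u["R"], v_t)
    return (l * u["P"] + u["R"] + H("H0", u["id"], u["R"]) * P_pub) % Q

def verify(sigma, signers, L, v_t, P_pub):
    """Accept iff e(sigma, P) == e(T, sum_i (l_i P_i + R_i + h_i P_pub))."""
    T = H("H2", v_t, L, P_pub)
    agg = sum(verification_key(u, L, v_t, P_pub) for u in signers) % Q
    return pair(sigma, P) == pair(T, agg)

def sign_next(sigma_prev, i, users, L, v_t, P_pub):
    """N_i checks the aggregate of N_1..N_{i-1}, then adds SIGN_i (assumed form)."""
    if not verify(sigma_prev, users[:i], L, v_t, P_pub):
        raise ValueError("previous partial multisignature is invalid")
    u = users[i]
    l = H("H1", u["id"], L, u["P"], u["R"], v_t)
    T = H("H2", v_t, L, P_pub)
    return (sigma_prev + (l * u["x"] + u["D"]) * T) % Q

def multisign(users, L, v_t, P_pub):
    sigma = 0  # identity element of G1 before N_1 signs
    for i in range(len(users)):
        sigma = sign_next(sigma, i, users, L, v_t, P_pub)
    return sigma

def demo():
    s = rand_scalar()                    # KGC master key
    P_pub = s * P % Q
    L = ("alice", "bob", "carol")        # constructed identities, in signing order
    users = [enroll(i, s) for i in L]
    v_t = (3, 1, 4, 1, 5)                # constructed message vector
    sigma = multisign(users, L, v_t, P_pub)
    return {"valid": verify(sigma, users, L, v_t, P_pub),
            "polluted": verify(sigma, users, L, (3, 1, 4, 1, 6), P_pub),
            "missing_signer": verify(sigma, users[:2], L, v_t, P_pub)}

if __name__ == "__main__":
    print(demo())
```

A real deployment would replace `pair` and the scalar representation with a pairing library over an elliptic curve; the checks themselves keep the same shape.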

Single Signature Verification.
Given the signature $\sigma_i$ of the message $v_t$, the signature verification process of the user $N_i$ ($i \in \{1, 2, \ldots, n\}$) is as follows:

Combination Verification.
Given the message
is the multisignature corresponding to $w$. In the verification phase, it is necessary to check the correctness of the following equality: where $h_i = H_0(ID_i, R_i)$. In multisource network coding, the intermediate nodes combine the messages from different source nodes and form a combination signature. Different source nodes may send the same message. In order to distinguish the possible combinations of the same message vector, the global coding vector is expressed as where the global coding vector $\beta_j(u_k) \in \{\beta_j(u_1), \ldots, \beta_j(u_d)\}$ and source node user $u_k \in \{u_1, u_2, \ldots, u_d\}$.
Then, the message vector is expressed as $w = \sum_{j=1}^{m}\sum_{k=1}^{d} \beta_j(u_k) v_j$. Hence, the multisignature of message vector $w$ can be expressed as $\sigma = \prod_{j=1}^{m}\prod_{k=1}^{d} (\sigma_j(u_k))^{\beta_j(u_k)}$, and then, the $i$-th component in the multisignature can be expressed as Then, the relevant equality is verified as follows: From the verification process of a single message, we know $e(\sigma_n, P) = e(T, \sum_{i=1}^{n}(l_i P_i + R_i + h_i P_{pub}))$. Then, the verification process is denoted as

Proof. $C$ receives a random instance $(P, aP, bP) \in G_1$ of the CDH problem, and its aim is to use $A_1$ (the subroutine of $C$) to calculate $abP \in G_1$. $C$ maintains the initially empty lists $L_0$, $L_1$, $L_2$, and $L_3$ to store the query-answer values of several oracles. Firstly, O setup C (ρ) ⟶ μ A 1 , where $P_{pub} = aP$. Then, $A_1$ adaptively issues the polynomial time queries as follows.

Security Analysis
$H_0$ queries: $A_1$ issues an $H_0$ query. $C$ outputs $h_i$ to $A_1$ if the relevant tuple is in the list $L_0$; otherwise, $C$ returns a random $h_i \in_R \mathbb{Z}_q^*$ and stores $(ID_i, R_i, h_i)$ in $L_0$.
$H_1$ queries: $A_1$ issues an $H_1$ query. $C$ returns $l_i$ if a matching tuple is in the list $L_1$; otherwise, $C$ returns $l_i \in_R \mathbb{Z}_q^*$ and stores $(ID_i, L, P_i, R_i, v_t, l_i)$ in $L_1$.
$H_2$ queries: $A_1$ issues an $H_2$ query. If it is not the $\theta$-th query ($\theta \in \{1, 2, \ldots, q_0\}$, where $q_0$ is the number of queries to the $H_0$ oracle) and a matching tuple is in the list $L_2$, $C$ outputs $T = lP$ ($l \in_R \mathbb{Z}_q^*$) and stores $(v_t, l_i, P_{pub}, l, T)$ in $L_2$; otherwise, $C$ returns $T = bP$ and stores $(v_t, l_i, P_{pub}, -, T)$ in $L_2$.
Partial private key queries: $A_1$ requests a partial private key of $ID_i$. If it is not the $\theta$-th query, $C$ chooses $r_i \in_R \mathbb{Z}_q^*$ to calculate $R_i = r_i P$ such that $D_i$ satisfies $D_i P = R_i + h_i P_{pub}$, returns $D_i$ as the answer, and stores $(ID_i, r_i, R_i, D_i, -, -)$ in the list $L_3$; otherwise, $C$ fails and aborts the game.
Public key queries: $A_1$ requests a public key of $ID_i$. $C$ calculates $P_i = x_i P$ ($x_i \in_R \mathbb{Z}_q^*$), returns $PK_i = (R_i, P_i)$, and updates the list $L_3$ with $(ID_i, r_i, R_i, D_i, x_i, P_i)$.
Secret value queries: $A_1$ requests a secret value of $ID_i$. $C$ returns $x_i$ from $L_3$ if the corresponding public key has not been replaced.
Public key replacement: if it is not the $\theta$-th query, the public key of $ID_i$ is replaced by $A_1$; otherwise, $C$ fails and aborts the game.
Multisignature queries: for a multisignature query of message $v_t$, $C$ runs the relevant algorithm and returns a result if it is not the $\theta$-th query; otherwise, $C$ signs $v_t$ with the sequence $N_1 \rightarrow N_2 \rightarrow \cdots \rightarrow N_n$. Firstly, $C$ calculates for $N_1$ as follows: $T = H_2(v_t, L, P_{pub})$, where $\sigma_1$ is the partial signature of $v_t$ for $N_1$. Then, $C$ calculates for $N_i$ ($i \in \{1, 2, \ldots, n\}$) relevant to $(v_t, \sigma_{i-1})$ as follows: If $e(\sigma_{i-1}, P) = e(T, \sum_{j=1}^{i-1}(l_j P_j + R_j + h_j P_{pub}))$ holds, $C$ calculates for $N_i$ as follows: Finally, $C$ calculates $\sigma_n = \sum_{i=1}^{n} SIGN_i$ and delivers $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_d)$, which is sent to $A_1$.
Combination queries: $A_1$ requests a combination query. For the local coding vector $\alpha = (\alpha_1, \ldots, \alpha_m)$, global vector $\beta = (\beta_1, \ldots, \beta_m)$, and message vector $(w_1, w_2, \ldots, w_m)$, $C$ combines the message vector $w = \sum_{i=1}^{m} \alpha_i w_i$. Then, the message vector is also denoted as $w = \sum_{j=1}^{m} \beta_j v_j$, and the signature process relevant to $w$ is $\sigma_j = \prod_{i=1}^{m} \sigma_{i,j}^{\alpha_i}$, where $\sigma_{i,j}$ ($1 \leq i \leq m$ and $1 \leq j \leq l$) denotes the $j$-th element of $\sigma_i$. Finally, $C$ outputs a combined signature $\sigma = \prod_{i=1}^{m} \sigma_i^{\alpha_i}$.
Verification queries: $A_1$ requests a verification query. $C$ runs the verification algorithm and returns a result if it is not the $\theta$-th query; otherwise, $C$ calculates If the equality $e(\sigma_n, P) = e(T, \sum_{i=1}^{n}(l_i P_i + R_i + h_i P_{pub}))$ holds, $C$ returns $\sigma$ and $\perp$ otherwise.
Finally, $A_1$ outputs a forged signature $\sigma^*$. In the adaptive queries, $A_1$ cannot request a full private key of $ID_i$, and $\sigma^*$ is not returned by any multisignature oracle. If it is not the $\theta$-th query, $C$ fails and aborts the game; otherwise, $C$ calls the $H_0$, $H_1$, and $H_2$ oracles and then searches the list $L_3$. Finally, $C$ verifies the following equality: From the above equality, we can obtain the solution of the CDH problem: □

Probability Estimation.
The probability that $C$ succeeds in the above-mentioned game is estimated as follows. Here, it is necessary to consider three events:
$E_1$ is the event that $C$ does not abort the game;
$E_2$ is the event that $A_1$ successfully forges a signature;
$E_3$ is the event that there exists at least one record of a nontarget identity in the successful forgery case.
In $E_1$, there exists one time not querying the target identity, and then $\Pr[E_1] \geq 1/(l_s + l_r)$, where $l_s$ is the number of secret value queries and $l_r$ is the number of public key replacement queries; $E_2$ denotes that $A_1$ wins the game, so $\Pr[E_2 | E_1] \geq \varepsilon$; and $E_3$ occurs at least once in $n$ queries, so $\Pr[E_3 | E_1 \wedge E_2] \geq 1/n$. Hence, the success probability that $C$ solves the CDH problem is

Theorem 2. In the RO model, if the polynomial time adversary $A_2$ can break the UF-CMA-II security of NC-CLMSS, a challenge algorithm $C$ must be able to solve the CDH problem.
Proof. $C$ receives a random instance $(P, aP, bP) \in G_1$ of the CDH problem, and its aim is to utilize $A_2$ (the subroutine of $C$) to determine the value of $abP \in G_1$. $C$ maintains the initially empty lists $L_0$, $L_1$, $L_2$, and $L_3$ to save the query-answer values of several oracles. Firstly, O setup C (ρ) ⟶ μ , s A 2 .
Then, $A_2$ adaptively performs the polynomial time queries as below:
$H_0$ queries: for an $H_0$ query, if $(ID_i, R_i, h_i)$ is in the list $L_0$, $C$ returns $h_i$; otherwise, $C$ returns $h_i \in_R \mathbb{Z}_q^*$ and stores $(ID_i, R_i, h_i)$ in $L_0$.
$H_1$ queries: for an $H_1$ query, if the matching tuple is in the list $L_1$, $C$ returns $l_i$; otherwise, $C$ returns $l_i \in_R \mathbb{Z}_q^*$ and stores $(ID_i, L, P_i, R_i, v_t, l_i)$ in $L_1$.
$H_2$ queries: for an $H_2$ query, if it is not the $\theta$-th query ($\theta \in \{1, 2, \ldots, q_0\}$, where $q_0$ is the number of queries to the $H_0$ oracle) and the relevant tuple is in the list $L_2$, $C$ randomly outputs $T = lP \in G_1$ ($l \in_R \mathbb{Z}_q^*$) as the answer and stores $(v_t, l_i, P_{pub}, l, T)$ in $L_2$; otherwise, $C$ returns $T = bP \in G_1$ and stores $(v_t, l_i, P_{pub}, -, T)$ in $L_2$.
Partial private key queries: for a partial private key query for identity $ID_i$, $C$ calculates $R_i = r_i P$, $D_i = r_i + h_i s$ ($r_i \in_R \mathbb{Z}_q^*$), returns $D_i$, and stores $(ID_i, r_i, R_i, D_i, -, -)$ in the list $L_3$.
Public key queries: for a public key query for identity $ID_i$, if it is not the $\theta$-th query, $C$ calculates $P_i = x_i P$ ($x_i \in_R \mathbb{Z}_q^*$), returns $PK_i = (R_i, P_i)$, and updates $L_3$ with ($ID_i$,
Signature queries: $A_2$ issues a multisignature query for message $v_t$. If it is not the $\theta$-th query, $C$ runs the multisignature algorithm to output a result; otherwise, $C$ signs $v_t$ with the sequence $N_1 \rightarrow N_2 \rightarrow \cdots \rightarrow N_n$. Firstly, $C$ calculates for $N_1$ as follows: $T = H_2(v_t, L, P_{pub})$, where $\sigma_1$ is the partial signature of $v_t$ for $N_1$. Then, $C$ calculates for $N_i$ ($i \in \{1, 2, \ldots, n\}$) relevant to $(v_t, \sigma_{i-1})$ as follows: If $e(\sigma_{i-1}, P) = e(T, \sum_{j=1}^{i-1}(l_j P_j + R_j + h_j P_{pub}))$ holds, $C$ calculates for $N_i$ as follows:
Verification queries: for a verification query, $C$ runs the verification algorithm and returns a result if it is not the $\theta$-th query; otherwise, $C$ calculates ($1 \leq i \leq n$) and $T = H_2(v_t, L, P_{pub})$. If $e(\sigma_n, P) = e(T, \sum_{i=1}^{n}(l_i P_i + R_i + h_i P_{pub}))$ holds, $C$ returns $\sigma$ and $\perp$ otherwise.
Finally, $A_2$ outputs a forged signature $\sigma^*$. In the queries, $A_2$ cannot query the secret value of $ID_i$, and $\sigma^*$ is not returned by the signature oracle. If it is not the $\theta$-th query, $C$ fails and aborts the game; otherwise, $C$ calls the $H_0$, $H_1$, and $H_2$ oracles, searches the list $L_3$, and then verifies as follows: The CDH problem solution can be obtained from equation (19):

Theorem 3. Our NC-CLMSS can prevent the pollution attacks in the multisource network coding environment.
Proof. In NC-CLMSS, the signature process takes place at the source node and intermediate node. For the source node, the attacker can capture any node in the network and use it to launch attacks; this node sends the polluted information to the next node, but for the attacker, obtaining the signer private key from the public key is equivalent to solving the elliptic curve discrete logarithm (ECDL) problem. For the intermediate nodes, the attacker captures the signature from the source node and tries to forge a signature; the attacker must then own the user private key, which is also equivalent to solving the ECDL problem. NC-CLMSS can resist pollution attacks in the network-coding environment because solving the ECDL problem is computationally infeasible.

Performance Analysis
In this section, NC-CLMSS is compared with the existing schemes in [19][20][21] based on computational complexity. The schemes in [19][20][21] cannot resist pollution attacks; the schemes in [20,21] are not sequential multisignatures. Our NC-CLMSS is a sequential multisignature and can resist pollution attacks. Table 2 describes the time complexity of the main cryptography operations. The experimental environment for the performance analysis in this section is as follows: the processor is an Intel (R) Core (TM) i7-6700HQ CPU @2.60GHz; the system type is a 64-bit operating system. Based on this system, we use the C programming language, the PBC library, and OpenSSL to obtain the cryptography operation times, as shown in Table 2. Table 3 describes the computational efficiency of several schemes. From Table 3, the computational complexity of NC-CLMSS is relatively lower than that of the schemes in [19][20][21].
Simulation curves of the signature time of the compared schemes are shown in Figure 3. Simulation curves of the verification time comparison are shown in Figure 4. Simulation curves of the total algorithm time comparison are shown in Figure 5. Assume the number $n$ of signature members is 10, 20, 30, 40, 50, and 60, respectively. Experiment results show that the running time of the different schemes increases linearly with the number of signing members. As shown in Figure 3, in the signature phase, the growth rate of NC-CLMSS is relatively slower than that of the other schemes. From Figure 4, the computational efficiency of NC-CLMSS is the highest. In terms of total time in Figure 5, NC-CLMSS takes the least time. Hence, NC-CLMSS is a relatively better cryptography algorithm among the several schemes.

Summary
Network coding cryptography has many merits, but there remains the unavoidable problem of how to resist pollution attacks and forgery attacks in the message transmission process. By using the techniques of certificateless multisignature and the multisource network coding cryptosystem, we construct a certificateless multisignature scheme suitable for network coding (NC-CLMSS). Under the ECDL and CDH assumptions, this algorithm is proved to satisfy UF-CMA security and can resist pollution attacks; its computational complexity is relatively lower.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.

Authors' Contributions
Huifang Yu worked on the security model, instance design, and security proof; Zhewei Qi worked on the instance design and simulation experiment; Danqing Liu worked on the introduction and formal algorithm definition; Ke Yang estimated the probability.