Certificateless Network Coding Ring Signature Scheme

Traditional certificateless ring signature is not suitable for the network coding environment. In view of this, a new certificateless network coding ring signature (CL-NCRS) is devised by using the techniques of multisource network coding and certificateless ring signature. Network coding is a kind of information interaction technology that can improve system robustness and save wireless network resources. CL-NCRS satisfies unforgeability and unconditional anonymity; moreover, it has relatively higher communication and computational efficiency.


Introduction
Network coding is a kind of information interaction technology with the functions of routing and coding and has large information throughput and good robustness. If the nodes encode the messages in a certain mode instead of forwarding them, the network structure can obtain maximum transmission efficiency in theory [1]. In 2002, Cai and Yeung proposed the first network coding security model [2]; the source nodes must understand the internal structure of the network, and the edge set may be eavesdropped. Zhou and Xu [3] proposed an antipollution network coding cipher algorithm using a homomorphic digital signature which can determine the attackers' location and so can resist pollution attacks in time. Yu and Li [4] proposed a single source network coding homomorphic signature scheme by using the generation identifier and a homomorphic hash function; it reduces the communication overhead and saves network resources, and it can resist the intrageneration and intergeneration pollutions. Wang et al. [5] proposed a hybrid network coding scheme that can resist data pollution attacks, label pollution attacks, and intergenerational pollution attacks. The abovementioned network coding schemes are only suitable for single source network coding. Multisource network coding is much more complex. Niu et al. [6] proposed an antipollution multisource network coding cipher algorithm. Li and Mei [7] proposed a homomorphic signature scheme using the generation identifier which can prevent replay attacks and uses linear operations to reduce the node computing requirement. The network coding signature schemes in [8][9][10] can effectively prevent forgery attacks, but the computation overhead in the signature and verification phases is high. Li et al. [11] proposed a new network coding signature by using homomorphism to solve the problem of identity authentication in multisource network coding.
In ring signature, there is no group administrator and all members in the ring have the same status. A user represents a group of users to sign the message with their own private key. The ring signer can sign the message on behalf of a group of users in a completely anonymous way; when the verifier receives the signature, the verifier only knows that the signer comes from a ring but does not know who the real signer is; therefore, it also enhances the privacy of the signer. Ring signature overcomes the defect of excessive authority of the group administrator in group signature. Traditional certificateless ring signature is not appropriate for multisource network coding; it is worth devising an antipollution and certificateless ring signature scheme.
In this paper, on the basis of homomorphic hash function and ring signature theory [12,13], an efficient and certificateless network coding ring signature (CL-NCRS) is devised. In CL-NCRS, the source node generates a ring signature for each message vector by using the private key, and the intermediate node linearly combines the received messages and directly generates the ring signature of the combination message by using the homomorphic hash function. CL-NCRS has unconditional anonymity and UF-CMA security (unforgeability against adaptive chosen-message attacks) [14,15], and it can defend against pollution attacks.

Multisource Network Coding Model.
In multisource network coding, each source node can send multiple messages and a unified index. Assume $G = (M, E)$ is a multisource network, then $M$ is the node set and $E$ is the edge set. As shown in Figure 1, the source node set is denoted by $S = \{s_1, \dots, s_m\} \subset M$, and the destination node set is denoted by is the message sent on any side of the multicast network, the linear combination of $l$ messages received by the intermediate node can be expressed as (1)

The coding coefficient vector $\alpha = (\alpha_1, \dots, \alpha_l)$ is called the local coding vector; then the message $W$ on one side of message transmission can also be expressed by the linear combination of original message where $\beta = (\beta_1, \dots, \beta_m)$ is called the global coding vector. If the receiving node $t_i$ receives $m$ linearly independent messages $(w_1, \dots, w_m)$ and the global coding vector is $(\beta_1, \dots, \beta_m)$, the original message $(V_1, \dots, V_m)$ can be recovered in the following way: Since the received $m$ messages are linearly independent and the matrix $G_{t_i}$ is full rank and invertible, then the original message $(V_1, \dots, V_m)$ is obtained by the following method:

In order to facilitate the decoding of the destination node, the global coding vector $\beta_i$ and the message can be transmitted together. The extended original message can be regarded as a vector in the $m + n$ dimension vector space $V'/F$: That is to say, Hence, the encoded message can be represented as $W_i = (w_{i,1}, \dots, w_{i,n}, \beta_{i,1}, \beta_{i,2}, \dots, \beta_{i,m}) = (w_{i,1}, \dots, w_{i,(m+n)})$.

Homomorphic Hash Function.
The trusted third party (TTP) generates a hash parameter set $G = (p, q, \vec{r})$, where $p$ and $q$ are two large primes and satisfy the condition $q \mid p - 1$.
Parameter $\vec{r}$ is a row vector of $1 \times (m + n)$ which is randomly composed of all elements with order $q$ in $Z_q$: $\vec{r} = (1, \dots, m + n)$, $r_i^{p} \equiv 1 \bmod p$, $r_i \in Z_p$ and $1 \le i \le m + n$.

(7)
Homomorphism verification of the hash function: for message vector $W_i = (w_1, \dots, w_{(m+n)})$ received by any node in network, we have
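An added example (not from the paper) covering the network coding model and the homomorphic hash described above: sources extend their messages with a unit global coding vector, an intermediate node combines them over $Z_q$, and a receiver checks each packet against the source hashes before decoding. The toy primes, the sample messages, the function names, and the hash form $H(w) = \prod_i r_i^{w_i} \bmod p$ with $r_i$ of order $q$ are assumptions made here; the source hashes are assumed to reach the receiver authentically.

```python
import random

P, Q = 2039, 1019   # constructed toy primes with Q | P - 1; far too small for real use
M, N = 2, 3         # m source messages, n payload symbols per message

def order_q_elements(count, seed=7):
    """Pick `count` elements of order Q in Z_P^* for the row vector r."""
    rng, out = random.Random(seed), []
    while len(out) < count:
        r = pow(rng.randrange(2, P - 1), (P - 1) // Q, P)
        if r != 1:
            out.append(r)
    return out

R = order_q_elements(M + N)

def hhash(w):
    """Assumed hash form: H(w) = prod_i r_i^{w_i} mod P."""
    h = 1
    for r, wi in zip(R, w):
        h = h * pow(r, wi % Q, P) % P
    return h

def extend(v, i):
    """Source i appends its unit global coding vector: (v_1..v_n, 0..1..0)."""
    return [x % Q for x in v] + [int(j == i) for j in range(M)]

def combine(alpha, packets):
    """Intermediate node: w = sum_j alpha_j * w_j, component-wise over Z_Q."""
    return [sum(a * w[k] for a, w in zip(alpha, packets)) % Q
            for k in range(M + N)]

def check(source_hashes, w):
    """Accept w only if H(w) == prod_j H(W_j)^{beta_j}, beta read from w itself."""
    expected = 1
    for beta_j, h in zip(w[N:], source_hashes):
        expected = expected * pow(h, beta_j, P) % P
    return hhash(w) == expected

def decode(received):
    """Gauss-Jordan over Z_Q on the coding-vector columns; returns V_1..V_m.
    Raises StopIteration if the packets are not linearly independent."""
    rows = [r[:] for r in received[:M]]
    for c in range(M):
        col = N + c
        piv = next(i for i in range(c, M) if rows[i][col])
        rows[c], rows[piv] = rows[piv], rows[c]
        inv = pow(rows[c][col], -1, Q)
        rows[c] = [x * inv % Q for x in rows[c]]
        for i in range(M):
            if i != c and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(x - f * y) % Q for x, y in zip(rows[i], rows[c])]
    return [r[:N] for r in rows]

def demo():
    v = [[5, 17, 900], [1018, 3, 44]]            # constructed source messages
    src = [extend(v[i], i) for i in range(M)]
    hashes = [hhash(w) for w in src]             # assumed authentic at the receiver
    w1, w2 = combine([3, 7], src), combine([11, 2], src)
    polluted = w1[:]
    polluted[0] = (polluted[0] + 1) % Q          # one payload symbol altered in transit
    return check(hashes, w1), check(hashes, polluted), decode([w1, w2]) == v

if __name__ == "__main__":
    print(demo())
```

Because the hash covers the coding-vector columns as well as the payload, a node can reject a polluted packet before it is mixed into further combinations.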

DL Problem.
Given a finite cyclic group $G = \langle g \rangle = \{g^k \mid k = 0, 1, \dots\}$, where $g$ is a generator of group $G$, $n = |G|$. For $a \in [0, n]$ and $g \in G$, it is easy to calculate $h = g^a$. Given $g$ and $h \in G$, the discrete logarithm (DL) problem is to find $a$ ($0 \le a \le n$) such that $h = g^a$.

Flowchart of CLRS.
In this section, we show the working process of a certificateless ring signature (CLRS) by Figure 2.

Algorithm Definition.
A certificateless network coding ring signature (CL-NCRS) scheme is defined as follows.
Setup: input a security parameter $1^k$; this algorithm outputs the master key $x$ and a set $\phi$ of the system parameter.
Extract: input $\phi$ and a user's identity $ID_i$; this algorithm outputs the corresponding partial private key $D_i$.
KeyGen: input $\phi$ and a user's identity $ID_i$; this algorithm outputs this user's secret value $x_i$ and public key $Y_i$.
Ring signature: input $\phi$, the master key $x$, the message $\vec{v}_j$, the partial private key $D_i$, the secret value $x_i$, and the public key $Y_i$; this algorithm outputs a signature $\vec{\sigma}$.
Combine: input the coding vector $\vec{\alpha} = (\alpha_1, \dots, \alpha_l)$ and the message vector $(\vec{w}_1, \dots, \vec{w}_l)$; this algorithm outputs a combined message vector $\vec{w}$ and the corresponding signature $\sigma$.
Verification: input $\phi$, $\vec{\sigma}$, the signer's identity $ID_i$, the public key $Y_i$, and the message $\vec{v}_j$. If the verification equation is true, the verifier accepts the signature and stops the game otherwise.

Security Model.
In this section, the UF-CMA security model of CL-NCRS is discussed in terms of the game $G_1$ ($G_2$) between the challenger $B$ and the adversary $A_1$ ($A_2$) [16].
Public key queries: $A_1$ ($A_2$) queries a public key for the identity $ID_i$; $B$ returns a public key.
Partial private key queries: $A_1$ ($A_2$) queries a partial private key for the identity $ID_i$; $B$ returns a partial private key.
Secret value queries: $A_1$ ($A_2$) queries a secret value for the identity $ID_i$; $B$ returns a secret value.
Public key replacement: $A_1$ replaces the previous $Y_i$ with a new public key $Y_i'$ chosen in a suitable range.
Ring signature queries: $A_1$ ($A_2$) submits a signature query for a message. $B$ returns a signature $\sigma$ by calling the signature algorithm.
Combination queries: $A_1$ ($A_2$) submits a combination query. $B$ returns a combination signature.
Verification queries: $A_1$ ($A_2$) submits a verification query. If the verification equation holds, $B$ outputs a plaintext and otherwise stops the game.
Finally, $A_1$ ($A_2$) outputs a forged signature. In the queries, $A_1$ should not request the full private key of identity IDs; $A_2$ cannot query the private key of identity IDs. In addition, the forged signature should not be returned by any signcryption oracle. $A_1$ ($A_2$) wins the game $G_1$ ($G_2$) if the result of unsigncryption is not the symbol $\perp$. We define the advantage of $A_1$ ($A_2$) as the probability with which it wins the game $G_1$ ($G_2$).

Setup.
In the setup algorithm, $G_1$ and $G_2$ are two multiplicative cyclic groups with order $q$; $g$ is a generator of group $G_1$; $e: G_1 \times G_1 \to G_2$ is a bilinear map, as shown in Section 2.3; $H_1: \{0, 1\}^* \to G_1$ and $H_2: \{0, 1\}^* \to Z_q^*$ are one-way hash functions. KGC (Key Generator Center) chooses a master key $x$ from $Z_q^*$ and calculates the system public key $Y = g^x$. Finally, KGC keeps the master key $x$ secret but publishes a set $\phi = \{G_1, G_2, Y, g, q, e, H_1, H_2\}$ of system parameter.

Extract.
In the extraction algorithm, KGC calculates a user's partial private key and $ID_i$ is the identity of user. Then, KGC sends $D_i$ to the user.

KeyGen.
In the key generation algorithm, a user with $ID_i$ chooses $x_i$ from $Z_q^*$ as a secret value and calculates the corresponding public key $Y_i = g^{x_i}$. The full private key of this user is $(x_i, D_i)$.

Ring Signature.
In this algorithm, $ID_s$ is the identity of ring signer $ID_s \in \{ID_1, \dots, ID_c\}$, the full private key of the ring signer is $(x_s, D_s)$, the public key of the ring signer is $Y_s$, and $\vec{v} \in \{0, 1\}^*$ is a message. Relevant operation steps are carried out as follows: (1) For $j = 1, 2, \dots, c$ ($j \ne s$), ring signer randomly selects $a_j \in Z_q^*$ and calculates σ j = Y i Y a j Security and Communication Networks , and its corresponding ring sig- represents the j-th element of $\vec{\sigma}_i$. Then, the combined signature can be expressed as follows: 4.6. Verification. Given the public keys

Signature Verification.
After receiving a ring signature $\vec{\sigma} = (\sigma_1, \dots, \sigma_c)$, the receiver calculates $\eta = H_2(\vec{v})$ and then verifies the following equality: The verification process of above equality is as follows:

In the multisource network coding environment, the intermediate nodes combine the messages from different source nodes and form a combination signature. Each source node $s_i$ has a unique identifier $u_i \in \{u_1, \dots, u_c\}$, the global coding vector of each source node user is expressed as $\beta_j(u_1), \dots, \beta_j(u_c)$, respectively. In order to distinguish the possible combination of the same message vector, the message vector is expressed as w Ring signature of message vector $\vec{w}$ can be expressed as , and then, the i-th component in ring signature can be expressed as denotes the i-th component of ring signature $\vec{\sigma}_j(u_k)$. Then, the verification process of the equality $e(Q_s, Y^{\eta_j} Y_s) = \prod_{i=1}^{c} e(\sigma_i, g)$ is as follows: Then, the verification equality $e(Q_s, Y^{\eta} Y_s) = \prod_{j=1}^{c} e(\sigma_j(u_s), g)$ holds and the verification of , and the verification process of this equality is shown as follows:

Security Analysis
In CL-NCRS, no external attacker can obtain any message signature without the members' private key. CL-NCRS is vulnerable to two types of adversaries: $A_1$ and $A_2$. Here, $A_1$ is a malicious user who can change the public key of any user but cannot know the master key of the system; $A_2$ is a malicious KGC who knows the master key of the system but cannot change any user's public key. We provide the security proof of existential unforgeability, unconditional anonymity, and antipollution attacks under adaptive chosen-plaintext attacks.

Theorem 1. In the random oracle model, if a probabilistic polynomial time adversary $A_1$ can break the UF-CMA-I security of CL-NCRS with probability $\varepsilon$, then there must exist an algorithm $B$ to solve the discrete logarithm (DL) problem with probability $\varepsilon'$ ($q_p$, $q_s$, and $q_r$ are the query times of partial private key, secret value, and public key replacement, respectively), where $\varepsilon' \ge \varepsilon / (e(q_s + q_p + q_r))$.
Proof. Given a discrete logarithm random instance $(g, g^a) \in G_1$, the aim of the challenger $B$ is to use the adversary $A_1$ as a subroutine to obtain the value of $a$. $B$ selects a challenge identity $ID^*$ and maintains the initially empty lists $L_1$, $L_2$, $L_3$, $L_4$, and $L_5$ which represent the $H_1$ query list, the $H_2$ query list, the public key query list, the signature query list, and the combination query list, respectively. At first, $B$ runs the setup algorithm to obtain the system parameter $\phi = \{G_1, G_2, Y = g^a, g, q, e, H_1, H_2\}$ and then sends $\phi$ to $A_1$, where $a$ acts as the master key of system and is unknown to $B$. Then, $A_1$ adaptively carries out a series of polynomial bounded queries as follows.
Public key queries: $A_1$ queries a public key for the identity $ID_i$. $B$ returns $Y_i$ to $A_1$ and adds $(U, ID_i, Y_i, x_i, -)$ into the list $L_3$.
Secret value queries: $A_1$ queries a secret value for the identity $ID_i$. If $ID_i \ne ID^*$, $B$ outputs the secret value $x_i$ from the list $L_3$; otherwise, $B$ fails and terminates the game.
Public key replacement: $A_1$ chooses $Y_i'$ to replace the public key of the identity $ID_i$. If $ID_i = ID^*$, $B$ fails and terminates the game; otherwise, $B$ updates list $L_3$ with $(U, ID_i, Y_i', -)$.
Ring signature queries: $A_1$ submits a ring signature query. If $ID_s \ne ID^*$ and the public key of identity $ID_i$ is not replaced, $B$ returns a signature by running ring signature algorithm. If $ID_s = ID^*$ and the public key of identity $ID_i$ has been replaced, $B$ responds as follows:
Combination queries: $A_1$ submits a combination query. $B$ calculates the combination message vectors $\vec{w} = \sum_{j=1}^{l} \alpha_j \vec{w}_j$, and the signature of w where $\sigma_{i,j}$ ($1 \le i \le m$ and $1 \le j \le c$) represents the j-th element (u s ), g) holds, $B$ outputs a valid ring signature and terminates the game otherwise.
After a series of adaptive queries, $A_1$ outputs a forgery $(\vec{v}^*, U, ID^*, a_j^*, \eta^*, \sigma_j^*, \sigma_s^*)$ to $B$. $A_1$ does not know the private key of any member in the ring. In the probabilistic polynomial time, two valid signatures are generated as follows: Then, the solution $a$ of DL problem instance can be obtained via the above equalities: Referring to the probability analysis in [16], we obtain that the probability $\varepsilon' \ge \varepsilon / (e(q_s + q_p + q_r))$ of $B$ in solving the discrete logarithm problem in polynomial time is negligible. Hence, $A_1$ cannot break the UF-CMA-I security of CL-NCRS. □

Theorem 2. In the random oracle model, if a probabilistic polynomial time adversary $A_2$ can break the UF-CMA-II security of CL-NCRS with probability $\varepsilon$ then, there must exist an algorithm $B$ to solve the discrete logarithm (DL) problem with probability $\varepsilon'$ ($q_s$ is the query time relevant to the secret value oracle), where $\varepsilon' \ge \varepsilon / (e q_s)$.
Proof. Given a discrete logarithm random instance $(g, g^a) \in G_1$, the purpose of $B$ is to use the adversary $A_1$ as a subroutine to obtain the value of $a$. $L_1$, $L_2$, $L_3$, $L_4$, and $L_5$ store the values of the query and answer of various random oracles. At first, $B$ runs the initialization algorithm to obtain $\phi = \{G_1, G_2, Y = g^x, g, q, e, H_1, H_2\}$ and then sends $\phi$ and $x$ to $A_2$. Then, $A_2$ carries out a series of queries in an adaptive way. Note that the $H_1$ and $H_2$ oracle queries and answers are as those in Theorem 1.
Public key queries: $A_2$ queries a public key for the identity $ID_i$. $B$ returns $Y_i \leftarrow g^{x_i}$ to $A_2$ as the answer and adds $(U, ID_i, Y_i, x_i, -)$ to the list $L_3$ if $ID_i \ne ID^*$; otherwise, $B$ returns $Y_i \leftarrow g^a$ to $A_2$ as the answer and adds $(U, ID_i, Y_i, -, -)$ to the list $L_3$.
Partial private key queries: $A_2$ queries a partial private key for the identity $ID_i$. $B$ responds as follows: (1) if $ID_i = ID^*$, $B$ fails and terminates the game; (2) if $ID_i \ne ID^*$ and there is a query value, $B$ returns $D_i \leftarrow g^{x\lambda_i}$ to $A_2$.
Secret value queries: $A_2$ queries a secret value for the identity $ID_i$. $B$ calls the public key oracle and returns a secret value $x_i$ if $ID_i \ne ID^*$ and terminates the game otherwise.
Ring signature queries: for a ring signature query, $B$ returns a signature to $A_2$ by calling the ring signature algorithm if $ID_s \ne ID^*$; otherwise, $B$ responds as follows:
Combination queries: $A_2$ issues a combination query. in the list $L_5$.
Verification queries: $A_2$ submits a verification query. $B$ outputs a valid ring signature if $e(Q_s, Y^{\eta} Y_s) = \prod_{j=1}^{c} e(\sigma_j, g)$ and terminates the game otherwise.
After a sequence of adaptive queries, $A_2$ outputs a forgery $(\vec{v}^*, U, ID^*, a_j^*, \eta^*, \sigma_j^*, \sigma_s^*)$ to $B$. $A_2$ does not know the private key of any member in the ring. In the probabilistic polynomial time, two valid signatures are obtained as follows: Then, the solution $a$ of the discrete logarithm problem can be obtained by the above two signatures: Referring to the probability analysis in [16], the probability of $B$ in solving the discrete logarithm problem in the probabilistic polynomial time is negligible. Hence, $A_2$ cannot break the UF-CMA-II security of CL-NCRS.

Proof. In CL-NCRS, if the adversary attempts to forge a ring signature, it must obtain a ring signer's private key by solving the discrete logarithm problem. As we know, it is computationally infeasible to solve the discrete logarithm problem. If the adversary wants to forge a valid signature, the forger has to perform the following operations:
(1) The forger attempts to sign a forged message directly. In the ring signature algorithm of CL-NCRS, it is necessary to use the signer's private key and $a_j \in Z_q^*$ ($1 \le j \le c$ and $j \ne s$) to sign the message. Obtaining the private key from the ring signer's public key is equivalent to solving the discrete logarithm problem; obtaining $a_j$ from a signature is also equivalent to solving the discrete logarithm problem.
(2) The forger tries to obtain a valid signature by exhaustive search. Assume that the length of an element in ring signature is $n$ and the number of ring members is $m$, then the size of ring signature is $n \times m$. For example, if $n$ is 256 bit on the elliptic curve, the size of ring signature is $256 \times m$, and it is difficult to solve the discrete logarithm of 1589 bit [17]. Obviously, it is impossible to obtain a valid ring signature.

Theorem 4. CL-NCRS can satisfy the unconditional anonymity of ring signers.
A CL-NCRS can meet the unconditional anonymity [18][19][20]: no attacker can obtain the private key of all possible signers in illegal ways.
For the adversary, since $a_j$ ($j \ne s$ and $a_j \ne 1$) is randomly chosen from $Z_q^*$, then the probability of selecting $a_1, a_2, \dots, a_{s-1}, a_{s+1}, \dots, a_c$ in turn is , the probability of selecting all $a_1, a_2, \dots, a_c$ in turn is Here, $\xi$ has nothing to do with the identity of the ring signer. If the adversary obtains the private keys of all users in the ring and even if the verifier can verify the ring signature, the probability of inferring the identity of the real ring signer from valid signature is less than $1/c$. It is obvious that CL-NCRS satisfies the unconditional anonymity of the real signer.

Performance Analysis
In this section, we provide the performance comparison between CL-NCRS and relevant schemes [15,21,22]. Table 1 shows the comparison of the relevant features of several schemes. According to the analysis, it is found that Chen's scheme and Zhao's scheme are not suitable for the network coding environment. Table 2 shows the time complexity of main cryptography operations [4]. Table 3 shows the comparison case of several schemes, where l is the output Table 3, it can be seen that the computational complexity of CL-NCRS is relatively lower. Simulation curves of the signature time of several schemes are shown in Figure 3. Simulation curves of the verification time of several schemes are shown in Figure 4. The simulation curve of total algorithm time of several schemes is shown in Figure 5. Because two comparison schemes are not suitable for the network coding environment, for convenience, we omit the network coding combination phase. The number of ring members n is 10, 20, 30, 40, and 50. Experiment results show that the running time of different schemes increases linearly with the increase of the number of ring members. As shown in Figure 3, in the signature phase, the growth rate of CL-NCRS is relatively slower than that of other schemes. As seen from Figure 4, the computational efficiency of CL-NCRS is the highest. In terms of total time in Figure 5, CL-NCRS takes the least time. In addition, the computational cost of other schemes is relatively high. Hence, CL-NCRS is a good cryptography scheme with short communication length and high computation efficiency.

Conclusion
Based on the certificateless ring signature and homomorphic hash function, a new certificateless network coding ring signature (CL-NCRS) is proposed. CL-NCRS satisfies the unforgeability against adaptive chosen-message attacks and unconditional anonymity of the real ring signer. CL-NCRS can resist the pollution attacks in the network coding environment and has the characteristics of low computation complexity and strong robustness. The limitation of this scheme is that it requires the message to be sent in undistorted ways.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.