cost-effective authentic and anonymous data sharing with ...kailiu/mypaper/ieee-tc-2015-1.pdf · 1...

1

Cost-Effective Authentic and Anonymous DataSharing with Forward Security

Xinyi Huang, Joseph K. Liu+, Shaohua Tang, Yang Xiang, Kaitai Liang, Li Xu, Jianying Zhou

Abstract—Data sharing has never been easier with the advances of cloud computing, and an accurate analysis on the shared dataprovides an array of benefits to both the society and individuals. Data sharing with a large number of participants must take into accountseveral issues, including efficiency, data integrity and privacy of data owner. Ring signature is a promising candidate to constructan anonymous and authentic data sharing system. It allows a data owner to anonymously authenticate his data which can be putinto the cloud for storage or analysis purpose. Yet the costly certificate verification in the traditional public key infrastructure (PKI)setting becomes a bottleneck for this solution to be scalable. Identity-based (ID-based) ring signature, which eliminates the processof certificate verification, can be used instead. In this paper, we further enhance the security of ID-based ring signature by providingforward security: If a secret key of any user has been compromised, all previous generated signatures that include this user still remainvalid. This property is especially important to any large scale data sharing system, as it is impossible to ask all data owners to re-authenticate their data even if a secret key of one single user has been compromised. We provide a concrete and efficient instantiationof our scheme, prove its security and provide an implementation to show its practicality.

Keywords—Authentication, data sharing, cloud computing, forward security, smart grid.

F

1 INTRODUCTION

The popularity and widespread use of “CLOUD" havebrought great convenience for data sharing and collec-tion [46], [29], [37], [51], [8]. Not only can individu-als acquire useful data more easily, sharing data withothers can provide a number of benefits to our societyas well [14], [49], [53]. As a representative example,consumers in Smart Grid [40] can obtain their energyusage data in a fine-grained manner and are encouragedto share their personal energy usage data with others,e.g., by uploading the data to a third party platform suchas Microsoft Hohm [39] (Fig. 1). From the collected dataa statistical report is created, and one can compare theirenergy consumption with others (e.g., from the sameblock). This ability to access, analyze, and respond tomuch more precise and detailed data from all levels ofthe electric grid is critical to efficient energy usage.

Due to its openness, data sharing is always deployedin a hostile environment and vulnerable to a numberof security threats. Taking energy usage data sharingin Smart Grid as an example, there are several securitygoals a practical system must meet, including:

• +Joseph K. Liu is the corresponding author.• X. Huang and L. Xu are with the School of Mathematics and Computer

Science, Fujian Normal University, Fuzhou, China, 350108. E-mail:{xyhuang, xuli}@fjnu.edu.cn.

• J K. Liu and J. Zhou are with the Institute for Infocomm Research (I2R),1 Fusionopolis Way, #21-01 Connexis, South Tower, Singapore 138632.E-mail: {ksliu, jyzhou}@i2r.a-star.edu.sg.

• S. Tang is with the School of Computer Science, South China Universityof Technology, Guangzhou, China. E-mail: [email protected].

• Y. Xiang is with the School of Information Technology, Deakin University,Australia. E-mail: [email protected].

• K. Liang is with the Department of Computer Science, City University ofHong Kong, Hong Kong. E-mail: [email protected].

1

2

User N

Fig. 1. Energy Usage Data Sharing in Smart Grid

• Data Authenticity: In the situation of Smart Grid,the statistic energy usage data would be misleadingif it is forged by adversaries. While this issue alonecan be solved using well established cryptographictools (e.g., message authentication code or digitalsignatures), one may encounter additional difficul-ties when other issues are taken into account, suchas anonymity and efficiency;

• Anonymity: Energy usage data contains vast infor-mation of consumers, from which one can extractthe number of persons in the home, the types ofelectric utilities used in a specific time period, etc.Thus, it is critical to protect the anonymity of con-sumers in such applications, and any failures to doso may lead to the reluctance from the consumersto share data with others; and

• Efficiency: The number of users in a data sharingsystem could be HUGE (imagine a smart grid witha country size ), and a practical system must reduce

2

the computation and communication cost as muchas possible. Otherwise it would lead to a waste ofenergy, which contradicts the goal of Smart Grid.

This paper is devoted to investigating fundamental secu-rity tools for realizing the three properties we described.Note that there are other security issues in a data sharingsystem which are equally important, such as availability(service is provided at an acceptable level even undernetwork attacks) and access control (only eligible userscan have the access to the data). But the study of thoseissues is out of the scope of this paper.

1.1 Identity-based Ring Signature

The aforementioned three issues remind us a crypto-graphic primitive “identity-based ring signature", an effi-cient solution on applications requiring data authenticityand anonymity.

1.1.1 ID-based Cryptosystem

Identity-based (ID-based) cryptosystem, introduced byShamir [45], eliminated the need for verifying the va-lidity of public key certificates, the management ofwhich is both time and cost consuming. In an ID-based cryptosystem, the public key of each user is easilycomputable from a string corresponding to this user’spublicly known identity (e.g., an email address, a resi-dential address, etc.). A private key generator (PKG) thencomputes private keys from its master secret for users.This property avoids the need of certificates (which arenecessary in traditional public-key infrastructure) andassociates an implicit public key (user identity) to eachuser within the system. In order to verify an ID-basedsignature, different from the traditional public key basedsignature, one does not need to verify the certificate first.The elimination of the certificate validation makes thewhole verification process more efficient, which will leadto a significant save in communication and computationwhen a large number of users are involved (say, energyusage data sharing in smart-grid).

Ring signature is a group-oriented signature withprivacy protection on signature producer. A user cansign anonymously on behalf of a group on his ownchoice, while group members can be totally unawareof being conscripted in the group. Any verifier can beconvinced that a message has been signed by one of themembers in this group (also called the Rings), but theactual identity of the signer is hidden. Ring signaturescould be used for whistle blowing [42], anonymousmembership authentication for ad hoc groups [11] andmany other applications which do not want complicatedgroup formation stage but require signer anonymity.There have been many different schemes proposed (e.g.,[1], [50], [33], [23], [34], [32], [19], [44], [13], [30], [31],[31], [38]) since the first appearance of ring signature in1994 [21] and the formal introduction in 2001 [42].

Bob

Data Center

Energy Usage Data, ID-Ring Signature

Identity Information of Ring Members

Fig. 2. A Solution based on ID-based Ring Signature

1.1.2 An Affirmative Advantage in Big DataDue to its natural framework, ring signature in ID-basedsetting has a significant advantage over its counterpart intraditional public key setting, especially in the big dataanalytic environment. Suppose there are 10000 users inthe ring, the verifier of a traditional public key basedring signature must first validate 10000 certificates of thecorresponding users, after which one can carry out theactual verification on the message and signature pair. Incontrast, to verify an ID-based ring signature, only theidentities of ring users, together with the pair of messageand signature are needed. As one can see, the eliminationof certificate validation, which is a costly process, savesa great amount of time and computation. This savingwill be more critical if a higher level of anonymity isneeded by increasing the number of users in the ring.Thus, as depicted in Fig. 2, ID-based ring signature ismore preferable in the setting with a large number ofusers such as energy data sharing in smart grid:• Step 1: The energy data owner (say, Bob) first setups

a ring by choosing a group of users. This phaseonly needs the public identity information of ringmembers, such as residential addresses, and Bobdoes not need the collaboration (or the consent)from any ring members.

• Step 2: Bob uploads his personal data of electronicusage, together with a ring signature and the iden-tity information of all ring members.

• Step 3: By verifying the ring signature, one can beassured that the data is indeed given out by avalid resident (from the ring members) while cannotfigure out who the resident is. Hence the anonymityof the data provider is ensured together with dataauthenticity. Meanwhile, the verification is efficientwhich does not involve any certificate verification.

The first ID-based ring signature scheme was pro-posed in 2002 [57] which can be proven secure in therandom oracle model. Two constructions in the standardmodel were proposed in [4]. Their first constructionhowever was discovered to be flawed [24], while thesecond construction is only proven secure in a weakermodel, namely, selective-ID model. The first ID-basedring signature scheme claimed to be secure in the stan-dard model is due to Han et al. [25] under the trustedsetup assumption. However, their proof is wrong andis pointed out by [48]. Other existing ID-based ring

3

signature schemes include [17], [5], [58], [20], [18], [41],[26], [48].

1.2 The Motivation1.2.1 Key ExposureID-based ring signature seems to be an optimal trade-off among efficiency, data authenticity and anonymity,and provides a sound solution on data sharing with alarge number of participants. To obtain a higher levelprotection, one can add more users in the ring. But doingthis increases the chance of key exposure as well.

Key exposure is the fundamental limitation of ordi-nary digital signatures. If the private key of a signeris compromised, all signatures of that signer becomeworthless: future signatures are invalidated and no pre-viously issued signatures can be trusted. Once a keyleakage is identified, key revocation mechanisms mustbe invoked immediately in order to prevent the genera-tion of any signature using the compromised secret key.However, this does not solve the problem of forgeabilityfor past signatures.

The notion of forward secure signature was proposedto preserve the validity of past signatures even if thecurrent secret key is compromised. The concept wasfirst suggested by Anderson [2], and the solutions weredesigned by Bellare and Miner [7]. The idea is dividingthe total time of the validity of a public key into T timeperiods, and a key compromise of the current time slotdoes not enable an adversary to produce valid signaturespertaining to past time slots.

1.2.2 Key Exposure in Big Data Sharing SystemThe issue of key exposure is more severe in a ringsignature scheme: if a ring member’s secret key is ex-posed, the adversary can produce valid ring signaturesof any documents on behalf of that group. Even worse,the “group" can be defined by the adversary at willdue to the spontaneity property of ring signature: Theadversary only needs to include the compromised userin the “group" of his choice. As a result, the exposureof one user’s secret key renders all previously obtainedring signatures invalid (if that user is one of the ringmembers), since one cannot distinguish whether a ringsignature is generated prior to the key exposure or bywhich user. Therefore, forward security is a necessaryrequirement that a big data sharing system must meet.Otherwise, it will lead to a huge waste of time andresource.

While there are various designs of forward-securedigital signatures [54], [55], [56], adding forward securityon ring signatures turns out to be difficult. As far asthe authors know, there are only two forward securering signature schemes [35], [36]. However, they are bothin the traditional public key setting where signatureverification involves expensive certificate check for everyring member. This is far below satisfactory if the sizeof the ring is huge, such as the users of a Smart Grid.

To summarize, the design of ID-based ring signaturewith forward security, which is the fundamental tool forrealizing cost-effective authentic and anonymous datasharing, is still an open problem.

1.3 Contribution

In this paper, we propose a new notion called ForwardSecure ID-based Ring Signature, which is an essentialtool for building cost-effective authentic and anonymousdata sharing system:• For the first time, we provide formal definitions on

forward secure ID-based ring signatures;• We present a concrete design of forward secure ID-

based ring signature. No previous ID-based ringsignature schemes in the literature have the propertyof forward security, and we are the first to providethis feature;

• We prove the security of the proposed scheme inthe random oracle model, under the standard RSAassumption; and

• Our implementation is practical, in the followingways:

1) It is in ID-based setting. The elimination ofthe costly certificate verification process makesit scalable and especially suitable for big dataanalytic environment.

2) The size of a secret key is just one integer.3) Key update process only requires an exponen-

tiation.4) We do not require any pairing in any stage.

2 DEFINITION

2.1 Mathematical Assumption

Definition 1 (RSA Problem): Let N = pq, where p andq are two k-bit prime numbers such that p = 2p′ + 1and q = 2q′ + 1 for some primes p′, q′. Let e be a prime1

greater than 2` for some fixed parameter `, such thatgcd(e, φ(N)) = 1. Let y be a random element in Z∗N .We say that an algorithm S solves the RSA problem ifit receives an input the tuple (N, e, y) and outputs anelement z such that ze = y mod N .

2.2 Security Model

A (1, n) ID-Based Forward Secure Ring Signature(IDFSRS) scheme is a tuple of probabilistic polynomial-time (PPT) algorithms:• Setup. On input an unary string 1λ where λ is a

security parameter, the algorithm outputs a mastersecret key msk for the third party PKG (Private KeyGenerator) and a list of system parameters paramthat includes λ and the descriptions of a user secret

1. Note that we use a slightly modified version [22], [26] of theoriginal RSA problem definition in which we require the exponentto be a prime number.

4

key space D, a message space M as well as asignature space Ψ.

• Extract. On input a list param of system parameters,an identity IDi ∈ {0, 1}∗ for a user and the mastersecret key msk, the algorithm outputs the user’ssecret key ski,0 ∈ D such that the secret key is validfor time t = 0. In this paper, we denote time asnon-negative integers. When we say identity IDi

corresponds to user secret key ski,0 or vice versa,we mean the pair (IDi, ski,0) is an input-output pairof Extract with respect to param and msk.

• Update. On input a user secret key ski,t for a timeperiod t, the algorithm outputs a new user secretkey ski,t+1 for the time period t+ 1.

• Sign. On input a list param of system parameters,a time period t, a group size n of length polynomialin λ, a set L = {IDi ∈ {0, 1}∗|i ∈ [1, n]} of nuser identities, a message m ∈ M, and a secret keyskπ,t ∈ D, π ∈ [1, n] for time period t, the algorithmoutputs a signature σ ∈ Ψ.

• Verify. On input a list param of system parameters,a time period t, a group size n of length polynomialin λ, a set L = {IDi ∈ {0, 1}∗|i ∈ [1, n]} of n useridentities, a message m ∈ M, a signature σ ∈ Ψ, itoutputs either valid or invalid.

Correctness. A (1, n) IDFSRS scheme should satisfy theverification correctness – signatures signed by honest sign-er are verified to be invalid with negligible probability.

2.3 Notions of Security

The security of IDFSRS consists of two aspects: forwardsecurity and anonymity. Before giving their definition,we consider the following oracles which together modelthe ability of the adversaries in breaking the security ofIDFSRS.• Extration Oracle (EO): On input an identity IDi and

a time period t, the corresponding secret key ski,t ∈D for that time period is returned.

• Signing Oracle (SO): On input a time period t, agroup size n, a set L of n user identities, a messagem ∈M, a valid signature σ is returned.

Now we are ready to define the security of IDFSRS:1) Forward Security: Forward security of IDFSRS

scheme is defined in the following game betweenthe simulator S and the adversary A in which A isgiven access to oracles EO and SO:

a) S generates and gives A the system parame-ters param.

b) A may query the oracles according to anyadaptive strategy.

c) A chooses a time t∗, a group size n∗ ∈ N, a setL∗ of n∗ identities and a message m∗ ∈M.

d) Amay continue to query the oracles accordingto any adaptive strategy.

e) A outputs a signature σ∗t∗ .A wins the game if:

• Verify(t∗,L∗,m∗, σ∗t∗) = valid.• None of the identities in L∗ has been queried

to EO with time t ≤ t∗ as the time inputparameter. (Unlimited query to EO with timet > t∗ to be the time input parameter.)

• (t∗,L∗,m∗) are not queried to SO.We denote AdvfsA (λ) the probability of A winningthe game.Definition 2 (Forward Secure): A (1, n) IDFSRSscheme is forward secure if for any PPT adversaryA, AdvfsA (λ) is a negligible function of λ.

2) Anonymity: It should not be possible for an adver-sary to tell the identity of the signer with a prob-ability larger than 1/n, where n is the cardinalityof the ring, even assuming that the adversary hasunlimited computing resources. We denote

AdvanonA (λ) = Pr[A guesses the identity

of the signer correctly]− 1/n.

Definition 3 (Anonymity): A (1, n) IDFSRS schemeis unconditional anonymous if for any group of nusers, any message m ∈ M, any time t and anyvalid signature, any adversary A, even with un-bounded computational power, cannot identify theactual signer with probability better than randomguessing. In other words, A can only output theidentity of the actual signer with probability nobetter than 1/n. That is, AdvanonA (λ) = 0.

3 OUR PROPOSED ID-BASED FORWARD SE-CURE RING SIGNATURE SCHEME

This section is devoted to the description and analysisof our proposed ID-based forward secure ring signaturescheme.

3.1 The Design

We assume that the identities and user secret keys arevalid into T periods and makes the time intervals public.We also set the message space M = {0, 1}∗.• Setup. On input of a security parameter λ, the PKG

generates two random k-bit prime numbers p and qsuch that p = 2p′+ 1 and q = 2q′+ 1 where p′, q′ aresome primes. It computes N = pq. For some fixedparameter `, it chooses a random prime number esuch that 2` < e < 2`+1 and gcd(e, φ(N)) = 1. Itchooses two hash functions H1 : {0, 1}∗ → Z∗N andH2 : {0, 1}∗ → {0, 1}`. The public parameters paramare (k, `, e,N,H1, H2) and the master secret key mskis (p, q).

• Extract. For user i, where i ∈ Z, with identityIDi ∈ {0, 1}∗ requests for a secret key at time periodt (denoted by an integer), where 0 ≤ t < T , the PKGcomputes the user secret key

ski,t = [H1(IDi)]1

e(T+1−t) mod N

5

using its knowledge of the factorization of N .• Update. On input a secret key ski,t for a time periodt, if t < T the user updates the secret key as

ski,t+1 = (ski,t)e mod N.

Otherwise the algorithm outputs “⊥" meaning thatthe secret key has expired.

• Sign. To sign a message m ∈ {0, 1}∗ in time periodt, where 0 ≤ t < T , on behalf of a ring of identitiesL = {ID1, . . . , IDn}, a user with identity IDπ ∈ Land secret key skπ,t:

1) For all i ∈ {1, . . . , n}, i 6= π, choose randomAi ∈ Z∗N and compute

Ri = Aie(T+1−t)

mod N

andhi = H2(L,m, t, IDi, Ri).

2) Choose random Aπ ∈ Z∗N and compute

Rπ = Aπe(T+1−t)

·n∏

i=1,i6=π

H1(IDi)−hi mod N

andhπ = H2(L,m, t, IDπ, Rπ).

3) Compute s = (skπ,t)hπ ·

∏ni=1Ai mod N.

4) Output the signature for the list of identities L,the message m, and the time period t as σ =(R1, . . . , Rn, h1, . . . , hn, s).

• Verify. To verify a signature σ for a message m, a listof identities L and the time period t, check whetherhi = H2(L,m, t, IDi, Ri) for i = 1, . . . , n and

se(T+1−t)

=

n∏i=1

(Ri ·H1(IDi)

hi)

mod N.

Output valid if all equalities hold. Otherwise outputinvalid.

3.2 Correctness

We shall show that signatures signed by honest signersare always verified to be valid. For the verificationequation

se(T+1−t)

=

n∏i=1

(Ri ·H1(IDi)

hi)

mod N :

Left Hand Side:

= se(T+1−t)

=

((skπ,t)

hπ ·n∏i=1

Ai mod N

)e(T+1−t)

=

((H1(IDπ)

1

e(T+1−t))hπ

·n∏i=1

Ai mod N

)e(T+1−t)

= H1(IDπ)hπ ·n∏i=1

(Ai)e(T+1−t)

mod N

Right Hand Side:

=

n∏i=1

(Ri ·H1(IDi)

hi)

mod N

=

(n∏

i=1,i6=π

(Ri ·H1(IDi)

hi))

·

(Rπ ·H1(IDπ)hπ

)mod N

=

(n∏

i=1,i6=π

(Ai

e(T+1−t)·H1(IDi)

hi))·((

Aπe(T+1−t)

·n∏

i=1,i6=π

H1(IDi)−hi)

·H1(IDπ)hπ

)mod N

=( n∏i=1

Aie(T+1−t)

)·H1(IDπ)hπ mod N

= Left hand side

3.3 Security Analysis

Theorem 1 (Forward Security): Let A be a PPT forger.For some message m and a set L containing n identities,suppose A on inputs the security parameter λ, queriesan extraction oracle qE times, a signing oracle qs times,the H1 random oracle qH1 times and the H2 randomoracle qH2 times, outputs a forged signature with non-negligible probability ε. Then we can solve the strongRSA problem with probability at least ε′ in polynomialtime where ε′ ≥ ε2

1560qeVqH2,nT

, and VqH2,n = qH2

· (qH2−

1) · . . . · (qH2− n+ 1) and T is the total number of time

period.Proof: Our proof consists of the following parts.

Setup: Let (N, e, y) be an instance of the RSA problemas stated in Definition 1. We are going to constructa PPT algorithm S that will use the adversary A tosolve the given instance of the strong RSA problem. S

6

must simulate all necessary oracles and responds to A’squeries.

First, S sends the public parameter (N, e) to A. With-out loss of generality, we can assume that A asks therandom oracle H1 for the value H1(ID) before askingfor the secret key of ID. We define t∗ be the breakinperiod such that A is not allowed to query EO forany identities included in L∗ (the set of identities ofthe forged signature output by A), while there is nolimitation for time input parameter t > t∗. A is allowedto choose any t∗ ≤ T . S needs to guess the breakinperiod t∗ chosen by A. S randomly chooses t̂, 1 < t̂ ≤ T ,hoping that the breakin period falls at t̂ or later, so thatthe forgery will be for a time period earlier than t̂.

Oracle Simulation:• H1 random oracle: Let us define µ = (5/6)1/qe . S

constructs a table TABH1to simulate the random

oracle H1. Every time an identity IDi is asked byA, S acts as follows: first S checks if this inputis already in the table. If it is the case, S sendsto A the corresponding value H1(IDi) = hIDi .Otherwise, S chooses a bit βi ∈ {0, 1}, with Pr[βi =0] = µ and Pr[βi = 1] = 1 − µ. Then S choosesat random a different element xi ∈ Z∗N and de-fines hIDi = yβie

(T+1−t̂)xie(T+1)

mod N . The entry(IDi, hIDi , xi, βi) is stored in the table TABH1 . Thevalue H1(IDi) = hIDi is sent to A. The conditionhIDi 6= hIDj must be satisfied for all different entriesi 6= j of the table. If this is not the case, S repeatsthis process.

• H2 random oracle: S constructs another tableTABH2 to simulate the random oracle H2. If theinput element is stored in the table, S returns thecorresponding value as the output. Otherwise,S randomly chooses an element r ∈ {0, 1}` asthe output, and stores the value in the table forconsistency.

• Extraction Oracle (EO): When A asks for the secretkey of a user with identity IDi at time period t, Slooks for IDi in the table TABH1

. If βi = 0, then Sextracts the xi value and computes ski,t = xi

et modN as the secret key of the user with identity IDi

at time t. It returns ski,t to A. If βi = 1, S halts ift < t̂. Otherwise (that is, t ≥ t̂), S extracts the xivalue and computes ski,t = ye

(t−t̂)xiet mod N as the

secret key of the user with identity IDi at time t.Note that the probability that S halts in this step isless than 1− µqe = 1/6.

• Signing Oracle (SO): When A asks for a valid sig-nature for message m for a set of identities Lcontaining n′ identities in the time period t, wheren′ ≤ n, S simulates the signing oracle. First weassume A has not asked for the secret key of anyidentities in L, otherwise A could obtain a validring signature by itself. We also assume that A hasasked for the H1 random oracle query for H1(IDi)for all identities IDi ∈ L. Therefore there exist

entries (IDi, hIDi , xi, βi) in the table TABH1, for all

i ∈ {1, . . . , n′}. S answers the query as follow:– If βi = 0 for some i ∈ {1, . . . , n′}, or t ≥ t̂, S

knows the corresponding secret key by simulat-ing the EO and uses the secret key to computea valid signature according to the algorithm.

– If βi = 1 for all i ∈ {1, . . . , n′} and t < t̂:1) S randomly chooses π ∈ {1, . . . , n′}.2) For all i ∈ {1, . . . , n′}, i 6= π, choose random

Ai ∈ Z∗N , pairwise different, compute

Ri = Aie(T+1−t)

mod N,

and by querying the random oracle H2, com-pute hi = H2(L,m, t, IDi, Ri).

3) Choose random hπ ∈ {0, 1}` and s ∈ Z∗N .4) Compute

Rπ = se(T+1−t)

·H1(IDπ)−hπ

·n′∏

i=1,i6=π

(R−1i ·H1(IDi)

−hi)

mod N.

If Rπ = 1 mod N or Rπ = Ri for some i 6= π,go back to the previous step.

5) Backpack the random oracle H2 by settingH2(L,m, t, IDπ, Rπ) = hπ .

6) Return the signature σ =(R1, . . . , Rn′ , h1, . . . , hn′ , s).

Forgery: Assume A chooses a breakin period t∗ < t̂. Thatis, the forged signature σ∗ is valid for time period t∗ < t̂ .S randomly chooses an H2 query and hopefully it is theH2 query for closing the gap of the ring. Using standardrewind technique, S rewinds to the point just beforesupplying the answer of the H2 query, and supplies adifferent answer to this particular query. Denote σ∗ =(R∗1, . . . , R

∗n′ , h

∗1, . . . , h

∗n′ , s

∗) as the first signature forgerygiven by A. If S guesses correctly, A outputs a differentsignature σ′

∗= (R′

∗1, . . . , R

′∗n′ , h

′∗1, . . . , h

′∗j , . . . , h

′∗n′ , s

′∗)such that

• For all i ∈ {1, . . . , n′}, R∗i = R′∗i .

• For all i ∈ {1, . . . , n′}, i 6= j, h∗i = h′∗i . But h∗j 6= h′

∗j

for one j ∈ {1, . . . , n′}.• s∗ 6= s′

∗.

Then we can obtain

s∗e(T+1−t∗)

=

n′∏i=1

(R∗i ·H1(IDi)

h∗i

)mod N

and

s′∗e(T+1−t∗)

=

n′∏i=1

(R∗i ·H1(IDi)

h′∗i

)mod N

Dividing two equations, we obtain( s∗s′∗

)e(T+1−t∗)

= H1(IDj)h∗j−h

′∗j mod N.

7

Now we look at the table TABH1for the entry

(IDj , hIDj , xj , βj) corresponding to the identity IDj .Since the forged signatures are valid and the secret keyof user IDj for any time t ≤ t∗ < t̂ has not beenqueried, with probability 1 − µ, we have βj = 1 andhIDj = H1(IDj) = ye

(T+1−t̂)xje(T+1)

mod N . Then therelation becomes( s∗s′∗

)e(T+1−t∗)

·xj(h′∗j−h

∗j )·e

(T+1)

= ye(T+1−t̂)·(h∗j−h

′∗j ) mod N.

(1)After simplification, equation (1) becomes( s∗

s′∗

)e(t̂−t∗)· xj(h

′∗j−h

∗j )·e

t̂

= yh∗j−h

′∗j mod N. (2)

Since h∗j and h′∗j are outputs of the hash function H2 :

{0, 1}∗ → {0, 1}`, we have |h∗j − h′∗j | < 2` < e. Also as

e is a prime number, it holds that gcd(e, |h∗j − h′∗j |) = 1.

That means there exists two integers a and b such thatae+ b(h∗j − h′

∗j ) = 1. Finally we have

z =

(( s∗s′∗

)e(t̂−t∗−1)

· xj(h′∗j−h

∗j )·e

t̂−1

)b· ya mod N

as the solution of the given instance of the RSA problem.It is the correct solution because

ze =

(( s∗s′∗

)e(t̂−t∗−1)

· xj(h′∗j−h

∗j )·e

t̂−1

)eb· yea mod N

= y(h∗j−h

′∗j )b · yea mod N (from Equation (2))

= yae+b(h∗j−h

′∗j ) mod N

= y mod N

Probability Analysis: For a successful simulation, thereshould be no collision in any stage. There are two kindsof collisions that may occur:

1) A tuple (L,m, t, IDi, Ri) that S outputs from thesigning oracle, inside a simulated ring signature,has been asked before to the random oracle H2 byA. The probability of such a collision is less thanq2 · qs · 1

2k≤ 1

6 .2) The same tuple (L,m, t, IDi, Ri) is output by S in

two different simulated ring signatures. Using thebirthday paradox from probability theory, we havethe probability of this collision is less than q2s

2 ·12k≤

16 .

Altogether the probability of collision is less than 1/3.Now we can compute the probability that S obtains a

valid signature:

εS = Pr[S succeeds ]

= Pr[S does not halt AND no collisions inthe simulations AND A succeeds ]

≥ Pr[A succeeds |S does not halt AND nocollisions in the simulations ]

·(

1− Pr[S halts OR collisions in the

simulations ])

≥ ε ·(

1− 1

6− 1

3

)=

ε

2.

By the ring forking lemma [27], S obtains two valid ringsignatures for the same message and same ring such thath∗j 6= h′

∗j with probability

ε̃ ≥ ε2S65VqH2

,n,

where

VqH2,n = qH2 · (qH2 − 1) · . . . · (qH2 − n+ 1).

In additional, S also needs to guess the breaking periodcorrectly. The probability is at least 1

T . Summing up, theprobability of S in solving the given instance of the RSAproblem is

ε′ ≥ 1

T· (1− µ)ε̃

≥ (1− µ) · ε2S65VqH2

,nT

≥ (1− µ) ·(ε2

)265VqH2

,nT

≥ ε2

1560qeVqH2,nT

.

Theorem 2: Our proposed scheme is unconditionalanonymous.

Proof: Given a valid signature σ =(R1, . . . , Rn, h1, . . . , hn, s), all Ri are generated fromAi, where Ai is a random number. hi are outputs fromthe hash function H2 which are also random numbersin the random oracle model. s is determined by allAis. Thus, given a message and a ring, valid signaturesproduced by two different signers have the samedistribution, and the signature gives no informationabout the identity of the actual signer.

3.4 Efficiency AnalysisOur scheme requires the exponent e greater than 2`,where ` is the bit length of the hash function H2. Usuallya secure hash function requires at least 160 bits output.However, if we set ` = 160 it will be quite inefficient.In order to offset this, we can use γ different hash

8

TABLE 1Computation complexity of algorithms

Exponentiation Multiplicative inverse Multiplication HashSetup - - 1 -

Extract (for 1 user) 2 1 1 1Update 1 - - -

Sign 3× n× `/`′ - (2× n− 1)× `/`′ n× `/`′Verify (n+ 2)× `/`′ - (2× n− 1)× `/`′ n× `/`′

Notation:n: number of users in the ring;`′: length of the output of hash function in the scheme;`: length of the output of a secure hash function (usually it is 160);

TABLE 2Space requirement

Space required

Public parameters O(1)( 4 integers + descriptions of 2 hash functions )

Secret key |N | bitsSignature (n× (|N |+ `′) + |N |)× `/`′ bits

Notation:N : RSA modulus;

|N |: the length of N in binary bits;n: number of users in the ring;

functions such that each hash function outputs `′ bitswhere γ`′ = `. For example, we can use 8 differenthash functions such that each outputs 20 bits. In thisway, we only need to set 220 < e < 221 which is stillan acceptable value. But we need to repeat the signingand verification procedures (those require H2 operation)8 times for each time using a different hash function H2

in order to achieve 160-bit hash function security.On the other side, the size of public parameters is a

constant, which only consists of some security param-eters, 2 integers and some hash functions. The secretkey is very short. It is only an integer. Assume weuse 1024-bit RSA security level, the secret key is just1024 bits. For every key update process, we just requirean exponentiation with exponent e over modulus Noperation. The signing and verification algorithms donot require any pairing operation.

The computation complexity and space requirementof our scheme are shown in Table 1 and 2 respectively.

3.5 Comparison

We compare our scheme with related work in terms offeatures, computation, and space requirement, as shownin Table 3. Note that the verification for non ID-based 1-out-of-n ring signature schemes require additional cer-tificate verification for n users. We exclude the costand space for those n certificates verification in thiscomparison, as it may vary in different scenarios.

3.6 Implementation and Experimental Results

We implement the Smart Grid example introduced inSection 1, and evaluate the performance of our IDFSRSscheme with respect to three entities: the private keygenerator (PKG), the energy data owner (user), and theservice provider (data center). In the experiments, theprograms for three entities are implemented using thepublic cryptographic library MIRACL [43], programmedin C++. All experiments were repeated 100 times toobtain average results shown in this paper, and allexperiments were conducted for the cases of |N | = 1024bits and |N | = 2048 bits respectively.

The average time for the PKG to setup the systemis shown in Table 4, where the testbed for the PKGis a DELL T5500 workstation equipped with 2.13 GHzIntel Xeon dual-core dual-processor with 12GB RAMand running Windows 7 Professional 64-bit operatingsystem. It took 151 ms and 2198 ms for the PKG to setupthe whole system for |N | = 1024 bits and |N | = 2048 bitsrespectively.

The average time for the data owner (user) to signenergy usage data with different choices of n and Tare shown in Fig. 3 and 4, for |N | = 1024 bits and|N | = 2048 bits respectively. The testbed for the user is alaptop personal computer equipped with 2.10 GHz IntelCPU with 4GB RAM and running Windows 7 operatingsystem.

The average time for the the service provider (datacenter) to verify the ring signature with different choicesof n and T are shown in Fig. 5 and 6, for |N | = 1024

9

TABLE 3Comparison with other Forward Secure Ring Signature Schemes

[35] [36] Our Scheme

Features

UnconditionalX X XAnonymity

ID-based X X X

Assumption Factorization CDH, Subgroup RSADecisionalWithout ROM X X X

Computation Pairing 0 0 0

complexity Multiplication n2 + 23× n+ 5+

(2× n− 1)× `/`′of Sign |H|+ log2(T )

Exponentiation n 2× n+ 8 3× n× `/`′

Computation Pairing 0 n+ 4 0

complexity Multiplication n2 + n3× n+ 2+

(2× n− 1)× `/`′of Verify |H|+ log2(T )

Exponentiation n2 + n 0 (n+ 2)× `/`′

Space Requirement Secret Key (bits) 2× |N | 2× (log2(T ) + 1)× |G| |N |Signature (bits) n× (|N |+ `′) (2× n+ 3)× |G| (n× (|N |+ `) + |N |)× `/`′

Notation:ROM: Random Oracle Model;T : number of time slots;

|H|: the length of the hash of the message in binary bits;|N |: the length of N in binary bits;|G|: the length of a group element in G for elliptic curve group; (If 160 bit elliptic curve is used, |G| = 160 bits.)n: number of users in the ring;`: a fixed integer;

TABLE 4Average time for the PKG to setup the system

|N | (bits) Time (ms)1024 1512048 2198

bits and |N | = 2048 bits respectively. The testbed forthe date center is a DELL T5500 workstation equippedwith 2.13 GHz Intel Xeon dual-core dual-processor with12GB RAM and running Windows 7 Professional 64-bitoperating system.

4 APPLICATIONS OF FORWARD SECURE ID-BASED RING SIGNATURES

In addition to energy data sharing in smart-grid, wesketch three other situations which may also need for-ward secure ID-based ring signatures.

WHISTLE BLOWING: Suppose Bob is a member of thecity council. One day he wishes to leak a secret newsfrom the council meeting to a journalist. The news issupposed to be kept secret. Thus Bob wants to remainanonymous, yet such that the journalist is convincedthat the leak was indeed from a council member. Bobcannot send to the journalist a standard digitally signed

message, since such a message, although it convincesthe journalist that it came from a council member, doesso by directly revealing Bob’s identity. Neither does itwork for Bob to send the journalist a message througha standard anonymizer, since the anonymizer strips offall source identification and authentication in a waythat the journalist would have no reason to believe thatthe message really came from a council member at all.Using another primitive called group signature [15], [12],[3], [6], [9], [10] does not solve the problem neither. Agroup signature allows a signer to sign a message onbehalf of a group. The verifier only knows that one ofthe users of the group signs the message yet does notknow who is the actual signer. It does not work in thiscase, because it requires prior cooperation of the othergroup members to set up, and leaves Bob vulnerable tolater identification by the group manager, who may becontrolled by the government. The correct approach forBob is to send the secret information to the journalistthrough an anonymizer, signed with a ring signaturethat names each council member including himself as aring member. The journalist can verify the ring signatureon the message, and learn that it definitely came froma council member. However, neither he nor anyone(including those council members inside the ring) candetermine the actual source of the leak. Forward securityenhances the protection of all entities. Without forward

10

(Unit: ms)T=100 T=200 T=300 T=400

n=10 852 1108 1310 1545n=20 1669 2152 2590 3057n=30 2496 3291 3916 4602n=40 3307 4399 5148 6084n=50 4180 5522 6630 7722n=60 4929 6505 7924 9188n=70 5768 7503 9220 10639n=80 6693 8830 10406 12277n=90 7426 9828 11825 13916n=100 8144 11045 13182 15226Parameters: |N | = 1024, |k| = 512, |`| = 160.

(a)

0

2000

4000

6000

8000

10000

12000

14000

16000

10 20 30 40 50 60 70 80 90 100

The number of users in the ring

The

aver

age

time

(ms)

T=100T=200T=300T=400

(b)

Fig. 3. The average time for the data owner to sign energy usage data, N = 1024

(Unit: ms)T=100 T=200 T=300 T=400


(a)

0

10000

20000

30000

40000

50000

60000

70000

80000

10 20 30 40 50 60 70 80 90 100


The

aver

age

time

(ms)

T=100T=200T=300T=400

(b)

Fig. 4. The average time for the data owner to sign energy usage data, N = 2048

(Unit: ms)T=100 T=200 T=300 T=400


(a)0

500

1000

1500

2000

2500

3000

3500

4000

4500

10 20 30 40 50 60 70 80 90 100


The

aver

age

time

(ms)

T=100T=200T=300T=400

(b)

Fig. 5. The average time for the service provider to verify the ring signature, |N | = 1024

11

(Unit: ms)T=100 T=200 T=300 T=400


(a)

0

2000

4000

6000

8000

10000

12000

14000

16000

18000

10 20 30 40 50 60 70 80 90 100


The

aver

age

time

(ms)

T=100T=200T=300T=400

(b)

Fig. 6. The average time for the service provider to verify the ring signature, |N | = 2048

security, if a secret key of a council member Alice isexposed, every ring signature containing Alice in thering will become invalid. That means any previous ringsignature given by Bob will be invalid (assuming Aliceis included in the signature). This will greatly affect theaccuracy of the report by the journalist who may rely onBob for leaking important secret information.

E-CONTRACT SIGNING: A 1-out-of-2 ring signature(containing two users in the ring) can be used to con-struct concurrent signature [16], [47]. A concurrent sig-nature allows two entities to produce two signatures insuch a way that, from the point of view of any thirdparty, both signatures are ambiguous with respect tothe identity of the signing party until an extra pieceof information (the keystone) is released by one of theparties. Upon release of the keystone, both signaturesbecome binding to their true signers concurrently.

Concurrent signature is one of the essential tools forbuilding e-contract signing and fair exchange protocolin the paradigm. It can protect both parties against acheating party. Consider the following example of fairtendering of contracts. Suppose that A has a buildingconstruction contract that she wishes to put out to tender,and suppose companies B and C wish to put in proposalsto win the contract. This process is sometimes open toabuse by A since she can privately show B’s signedproposal to C to enable C to better the proposal. Usingconcurrent signatures, B would sign his proposal toconstruct the building for an amount X, but keep thekeystone private. If A wishes to accept the proposal, shereturns a payment instruction to pay B amount X. Sheknows that if B attempts to collect the payment, thenA will obtain the keystone through the banking systemto allow the public to verify that the signature is reallygenerated by B. But A may also wish to examine C’sproposal before deciding which to accept. However thereis no advantage for A to show B’s signature to C since

at this point B’s signature is ambiguous and so C willnot be convinced of anything at all by seeing it. We seethat the tendering process is immune to abuse by A.

Adding forward security to it can further improve thesecurity protection level. With forward security, the keyexposure of either party does not affect the e-contractspreviously signed. This provides a more fair, justice,safety and efficient environment for commercial usersdoing business in an e-commerce platform.

E-AUCTION: Similar to e-contract signing, ring signatureschemes can be used to construct e-auction protocols[28], [52]. By using ring signature, a winner-identifiableanonymous auction protocol can be build efficiently.That is to say, the auctioneer can authenticate the realidentity of the winner at the end of the protocol withoutadditional interactions with the winning bidder eventhough all the bidders bid anonymously. Adding for-ward security further provides additional security to allentities involved in the auction activity. The loss of secretkey by anybody does not affect the overall result. It isone of the best way to safeguard the robustness of thee-auction.

5 CONCLUSION

Motivated by the practical needs in data sharing, weproposed a new notion called Forward Secure ID-BasedRing Signature. It allows an ID-based ring signaturescheme to have forward security. It is the first in the liter-ature to have this feature for ring signature in ID-basedsetting. Our scheme provides unconditional anonymityand can be proven forward-secure unforgeable in therandom oracle model, assuming RSA problem is hard.Our scheme is very efficient and does not require anypairing operations. The size of user secret key is justone integer, while the key update process only requiresan exponentiation. We believe our scheme will be very

12

useful in many other practical applications, especially tothose require user privacy and authentication, such asad-hoc network, e-commerce activities and smart grid.

Our current scheme relies on the random oracle as-sumption to prove its security. We consider a provablysecure scheme with the same features in the standardmodel as an open problem and our future research work.

ACKNOWLEDGEMENT

The authors would like to thank Ke Jiang, ZhiliangPeng and Ming Lu, who are postgraduate students withSouth China University of Technology, for doing theimplementations of the proposed scheme.

This work is supported by National Natural ScienceFoundation of China (Grant NOs. 61202450, U1135004and 61170080), Distinguished Young Scholars Fundof Department of Education, Fujian Province, China(JA13062), Ph.D. Programs Foundation of Ministry ofEducation of China (Grant NO. 20123503120001), Fu-jian Normal University Innovative Research Team (NO.IRTL1207), Guangdong Province Universities and Col-leges Pearl River Scholar Funded Scheme (2011), High-level Talents Project of Guangdong Institutions of HigherEducation (2012) and Natural Science Foundation ofFujian Province (No. 2013J01222).

REFERENCES

[1] M. Abe, M. Ohkubo, and K. Suzuki. 1-out-of-n Signatures froma Variety of Keys. In ASIACRYPT 2002, volume 2501 of LectureNotes in Computer Science, pages 415–432. Springer, 2002.

[2] R. Anderson. Two remarks on public-key cryptology. Manuscript,Sep. 2000. Relevant material presented by the author in an invitedlecture at the Fourth ACM Conference on Computer and Com-munications Security, 1997.

[3] G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A Practical andProvably Secure Coalition-Resistant Group Signature Scheme. InCRYPTO 2000, volume 1880 of Lecture Notes in Computer Science,pages 255–270. Springer, 2000.

[4] M. H. Au, J. K. Liu, T. H. Yuen, and D. S. Wong. Id-basedring signature scheme secure in the standard model. In IWSEC,volume 4266 of Lecture Notes in Computer Science, pages 1–16.Springer, 2006.

[5] A. K. Awasthi and S. Lal. Id-based ring signature and proxy ringsignature schemes from bilinear pairings. CoRR, abs/cs/0504097,2005.

[6] M. Bellare, D. Micciancio, and B. Warinschi. Foundations ofgroup signatures: formal definitions, simplified requirements anda construction based on general assumptions. In EUROCRYPT’03,volume 2656 of Lecture Notes in Computer Science. Springer, 2003.

[7] M. Bellare and S. Miner. A forward-secure digital signaturescheme. In Crypto’99, volume 1666 of Lecture Notes in ComputerScience, pages 431–448. Springer-Verlag, 1999.

[8] J.-M. Bohli, N. Gruschka, M. Jensen, L. L. Iacono, and N. Marnau.Security and privacy-enhancing multicloud architectures. IEEETrans. Dependable Sec. Comput., 10(4):212–224, 2013.

[9] A. Boldyreva. Efficient Threshold Signature, Multisignature andBlind Signature Schemes Based on the Gap Diffie-Hellman GroupSignature Scheme. In PKC’03, volume 567 of Lecture Notes inComputer Science, pages 31–46. Springer, 2003.

[10] D. Boneh, X. Boyen, and H. Shacham. Short Group Signatures. InCRYPTO 2004, volume 3152 of Lecture Notes in Computer Science,pages 41–55. Springer, 2004.

[11] E. Bresson, J. Stern, and M. Szydlo. Threshold ring signatures andapplications to ad-hoc groups. In M. Yung, editor, CRYPTO 2002,volume 2442 of Lecture Notes in Computer Science, pages 465–480.Springer, 2002.

[12] J. Camenisch. Efficient and generalized group signatures. InEUROCRYPT 97, volume 1233 of Lecture Notes in Computer Science,pages 465–479. Springer, 1997.

[13] N. Chandran, J. Groth, and A. Sahai. Ring signatures of sub-linear size without random oracles. In ICALP 2007, volume 4596of Lecture Notes in Computer Science, pages 423–434. Springer, 2007.

[14] K. Chard, K. Bubendorfer, S. Caton, and O. F. Rana. Social cloudcomputing: A vision for socially motivated resource sharing. IEEET. Services Computing, 5(4):551–563, 2012.

[15] D. Chaum and E. van Heyst. Group Signatures. In EUROCRYPT91, volume 547 of Lecture Notes in Computer Science, pages 257–265.Springer, 1991.

[16] L. Chen, C. Kudla, and K. G. Paterson. Concurrent signatures. InEUROCRYPT, volume 3027 of Lecture Notes in Computer Science,pages 287–305. Springer, 2004.

[17] H.-Y. Chien. Highly efficient id-based ring signature from pair-ings. In APSCC, pages 829–834, 2008.

[18] S. S. Chow, R. W. Lui, L. C. Hui, and S. Yiu. Identity BasedRing Signature: Why, How and What Next. In D. Chadwickand G. Zhao, editors, EuroPKI, volume 3545 of Lecture Notes inComputer Science, pages 144–161. Springer, 2005.

[19] S. S. M. Chow, V. K.-W. Wei, J. K. Liu, and T. H. Yuen. Ringsignatures without random oracles. In ASIACCS, pages 297–302.ACM, 2006.

[20] S. S. M. Chow, S.-M. Yiu, and L. C. K. Hui. Efficient identity basedring signature. In ACNS 2005, volume 3531 of Lecture Notes inComputer Science, pages 499–512. Springer, 2005.

[21] R. Cramer, I. Damgård, and B. Schoenmakers. Proofs of partialknowledge and simplified design of witness hiding protocols.In CRYPTO 94, volume 839 of Lecture Notes in Computer Science,pages 174–187. Springer, 1994.

[22] R. Cramer and V. Shoup. Signature Schemes Based on theStrong RSA Assumption. In ACM Conference on Computer andCommunications Security, pages 46–51. ACM, 1999.

[23] Y. Dodis, A. Kiayias, A. Nicolosi, and V. Shoup. AnonymousIdentification in Ad Hoc Groups. In EUROCRYPT 2004, volume3027 of Lecture Notes in Computer Science, pages 609–626. Springer,2004.

[24] A. L. Ferrara, M. Green, S. Hohenberger, and M. Ø. Pedersen.Practical short signature batch verification. In CT-RSA, volume5473 of Lecture Notes in Computer Science, pages 309–324. Springer,2009. Full version appeared in http://eprint.iacr.org/2008/015.

[25] J. Han, Q. Xu, and G. Chen. Efficient id-based threshold ringsignature scheme. In EUC (2), pages 437–442. IEEE ComputerSociety, 2008.

[26] J. Herranz. Identity-based ring signatures from RSA. Theor.Comput. Sci., 389(1-2):100–117, 2007.

[27] J. Herranz and G. Sáez. Forking Lemmas for Ring SignatureSchemes. In T. Johansson and S. Maitra, editors, INDOCRYPT2003, volume 2904 of Lecture Notes in Computer Science, pages 266–279. Springer, 2003.

[28] M. Klonowski, L. Krzywiecki, M. Kutylowski, and A. Lauks. Step-out ring signatures. In MFCS, volume 5162 of Lecture Notes inComputer Science, pages 431–442. Springer, 2008.

[29] M. Li, S. Yu, Y. Zheng, K. Ren, and W. Lou. Scalable andsecure sharing of personal health records in cloud computingusing attribute-based encryption. IEEE Trans. Parallel Distrib. Syst.,24(1):131–143, 2013.

[30] D. Y. W. Liu, J. K. Liu, Y. Mu, W. Susilo, and D. S. Wong. Revocablering signature. J. Comput. Sci. Technol., 22(6):785–794, 2007.

[31] J. K. Liu, M. H. Au, W. Susilo, and J. Zhou. Online/offlinering signature scheme. In ICICS, volume 5927 of Lecture Notesin Computer Science, pages 80–90. Springer, 2009.

[32] J. K. Liu, W. Susilo, and D. S. Wong. Ring signature withdesignated linkability. In IWSEC ’06, volume 4266 of Lecture Notesin Computer Science, pages 104–119. Springer, 2006.

[33] J. K. Liu, V. K. Wei, and D. S. Wong. A separable thresholdring signature scheme. In ICISC, volume 2971 of Lecture Notesin Computer Science, pages 12–26. Springer, 2003.

[34] J. K. Liu and D. S. Wong. On the Security Models of (Thresh-old) Ring Signature Schemes. In ICISC 2004, Lecture Notes inComputer Science. Springer, 2004.

[35] J. K. Liu and D. S. Wong. Solutions to key exposure problem inring signature. I. J. Network Security, 6(2):170–180, 2008.

[36] J. K. Liu, T. H. Yuen, and J. Zhou. Forward secure ring signaturewithout random oracles. In ICICS, volume 7043 of Lecture Notesin Computer Science, pages 1–14. Springer, 2011.

13

[37] X. Liu, Y. Zhang, B. Wang, and J. Yan. Mona: Secure multi-ownerdata sharing for dynamic groups in the cloud. IEEE Trans. ParallelDistrib. Syst., 24(6):1182–1191, 2013.

[38] C. A. Melchor, P.-L. Cayrel, P. Gaborit, and F. Laguillaumie. Anew efficient threshold ring signature scheme based on codingtheory. IEEE Transactions on Information Theory, 57(7):4833–4842,2011.

[39] Microsoft. Conserve Energy, Save Money - Microsoft Hohm, 2009.http://www.microsoft-hohm.com/.

[40] National Institute of Standards and Technology. NIST IR 7628:Guidelines for Smart Grid Cyber Security, August 2010.

[41] L. Nguyen. Accumulators from Bilinear Pairings and Application-s. In A. J. Menezes, editor, CT-RSA 2005, volume 3376 of LectureNotes in Computer Science, pages 275–292. Springer, 2005.

[42] R. L. Rivest, A. Shamir, and Y. Tauman. How to Leak a Secret.In ASIACRYPT 2001, volume 2248 of Lecture Notes in ComputerScience, pages 552–565. Springer, 2001.

[43] M. Scott. MIRACL - a multiprecision integer and rational arith-metic C/C++ library. Shamus Software Ltd. http://www.shamus.ie/index.php.

[44] H. Shacham and B. Waters. Efficient ring signatures withoutrandom oracles. In Public Key Cryptography, volume 4450 of LectureNotes in Computer Science, pages 166–180. Springer, 2007.

[45] A. Shamir. Identity-Based Cryptosystems and Signature Schemes.In CRYPTO 1984, volume 196 of Lecture Notes in Computer Science,pages 47–53. Springer, 1984.

[46] S. Sundareswaran, A. C. Squicciarini, and D. Lin. Ensuringdistributed accountability for data sharing in the cloud. IEEETrans. Dependable Sec. Comput., 9(4):556–568, 2012.

[47] W. Susilo, Y. Mu, and F. Zhang. Perfect Concurrent SignatureSchemes. In ICICS 2004, volume 3269 of Lecture Notes in ComputerScience, pages 14–26. Springer, Oct. 2004.

[48] P. P. Tsang, M. H. Au, J. K. Liu, W. Susilo, and D. S. Wong. Asuite of non-pairing id-based threshold ring signature schemeswith different levels of anonymity (extended abstract). In ProvSec,volume 6402 of Lecture Notes in Computer Science, pages 166–183.Springer, 2010.

[49] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou. Privacy-preserving public auditing for secure cloud storage. IEEE Trans.Computers, 62(2):362–375, 2013.

[50] D. S. Wong, K. Fung, J. K. Liu, and V. K. Wei. On the RS-CodeConstruction of Ring Signature Schemes and a Threshold Settingof RST. In ICICS, volume 2836 of Lecture Notes in Computer Science,pages 34–46. Springer, 2003.

[51] Y. Wu, Z. Wei, and R. H. Deng. Attribute-based access toscalable media in cloud-assisted content sharing networks. IEEETransactions on Multimedia, 15(4):778–788, 2013.

[52] H. Xiong, Z. Qin, and F. Li. An anonymous sealed-bid electronicauction based on ring signature. I. J. Network Security, 8(3):235–242, 2009.

[53] G. Yan, D. Wen, S. Olariu, and M. Weigle. Security challenges invehicular cloud computing. IEEE Trans. Intelligent TransportationSystems, 14(1):284–294, 2013.

[54] J. Yu, R. Hao, F. Kong, X. Cheng, J. Fan, and Y. Chen. Forward-secure identity-based signature: Security notions and construc-tion. Inf. Sci., 181(3):648–660, 2011.

[55] J. Yu, F. Kong, H. Zhao, X. Cheng, R. Hao, and X.-F. Guo. Non-interactive forward-secure threshold signature without randomoracles. J. Inf. Sci. Eng., 28(3):571–586, 2012.

[56] T. H. Yuen, J. K. Liu, X. Huang, M. H. Au, W. Susilo, and J. Zhou.Forward secure attribute-based signatures. In ICICS, volume 7618of Lecture Notes in Computer Science, pages 167–177. Springer, 2012.

[57] F. Zhang and K. Kim. ID-Based Blind Signature and RingSignature from Pairings. In ASIACRYPT 2002, volume 2501 ofLecture Notes in Computer Science, pages 533–547. Springer, 2002.

[58] J. Zhang. An efficient identity-based ring signature scheme and itsextension. In ICCSA (2), volume 4706 of Lecture Notes in ComputerScience, pages 63–74. Springer, 2007.

Xinyi Huang received his Ph.D. degree fromthe School of Computer Science and SoftwareEngineering, University of Wollongong, Australi-a, in 2009. He is currently a Professor at theFujian Provincial Key Laboratory of Network Se-curity and Cryptology, School of Mathematicsand Computer Science, Fujian Normal Universi-ty, China. His research interests include cryptog-raphy and information security. He has publishedover 70 research papers in refereed internationalconferences and journals. His work has been

cited more than 1000 times at Google Scholar. He is in the EditorialBoard of International Journal of Information Security (IJIS, Springer)and has served as the program/general chair or program committeemember in over 40 international conferences.

Joseph K. Liu received the PhD degree ininformation engineering from the Chinese Uni-versity of Hong Kong in July 2004, speciallizingin cryptographic protocols for securing wirelessnetworks, privacy, authentication and provablesecurity. He is now a research scientist in theInfocomm Security Department at the Institutefor Infocomm Research, Singapore. His currenttechnical focus is particularly lightweight cryp-tography, wireless security, security in smart gridsystem and cloud computing environment.

Shaohua Tang received the B.Sc. and M.Sc.degrees in applied mathematics from South Chi-na University of Technology, China, in 1991and 1994, respectively, and the Ph.D. degreein communication and information system fromSouth China University of Technology, in 1998.He was a visiting scholar with North CarolinaState University, USA, and a visiting professorwith University of Cincinnati, USA. He has beena full professor with the School of ComputerScience and Engineering, South China Univer-

sity of Technology since 2004. His current research interests includeinformation security, networking, and information processing. He is amember of the IEEE and the IEEE Computer Society.

14

Yang Xiang received his PhD in Computer Sci-ence from Deakin University, Australia. He iscurrently a full professor at School of InformationTechnology, Deakin University. He is the Directorof the Network Security and Computing Lab (N-SCLab). His research interests include networkand system security, distributed systems, andnetworking. In particular, he is currently lead-ing his team developing active defense systemsagainst large-scale distributed network attacks.He is the Chief Investigator of several projects in

network and system security, funded by the Australian Research Council(ARC). He has published more than 130 research papers in manyinternational journals and conferences, such as IEEE Transactions onComputers, IEEE Transactions on Parallel and Distributed Systems,IEEE Transactions on Information Security and Forensics, and IEEEJournal on Selected Areas in Communications. Two of his papers wereselected as the featured articles in the April 2009 and the July 2013issues of IEEE Transactions on Parallel and Distributed Systems. He haspublished two books, Software Similarity and Classification (Springer)and Dynamic and Advanced Data Mining for Progressing TechnologicalDevelopment (IGI-Global). He has served as the Program/General Chairfor many international conferences such as ICA3PP 12/11, IEEE/IFIPEUC 11, IEEE TrustCom 13/11, IEEE HPCC 10/09, IEEE ICPADS08, NSS 11/10/09/08/07. He has been the PC member for more than60 international conferences in distributed systems, networking, andsecurity. He serves as the Associate Editor of IEEE Transactions onComputers, IEEE Transactions on Parallel and Distributed Systems,Security and Communication Networks (Wiley), and the Editor of Journalof Network and Computer Applications. He is the Coordinator, Asia forIEEE Computer Society Technical Committee on Distributed Processing(TCDP). He is a Senior Member of the IEEE.

Kaitai Liang received the B.Eng. degree of Soft-ware Engineering, the M.Sc. degree of Comput-er Applied Technology from South China Agri-cultural University, China in 2008 and 2011. Heis currently a Ph.D. candidate in the Departmentof Computer Science at the City University ofHong Kong. His primary research interest is ap-plied cryptography; in particular, cryptographicprotocols, encryption/signature, RFID, and cloudsecurity. He is also interested in other topics ininformation security, such as network security,

wireless security database security, and security in cloud computing.

Li Xu is a Professor and Doctoral Supervisor atthe School of Mathematics and Computer Sci-ence at Fujian Normal University. He receivedhis B.S and M.S degrees from Fujian NormalUniversity in 1992 and 2001. He received hisPh.D. degree from Nanjing University of Postsand Telecommunications in 2004. Now he is theVice Dean of the School of Mathematics andComputer Science and the Director of the KeyLab of Network Security and Cryptography inFujian Province. His interests include wireless

networks and communication, network and information security, com-plex networks and systems, intelligent information in communicationnetworks, etc. Prof. Xu has been invited to act as PC chair or memberat more than 30 international conferences. He is a member of IEEE andACM, and a senior member of CCF and CIE in China. He has publishedover 100 papers in refereed journals and conferences.

Jianying Zhou is a senior scientist at Institutefor Infocomm Research and the head of Info-comm Security Department. He received PhD inInformation Security from University of Londonin 1997. His research interests are in computerand network security, mobile and wireless secu-rity. He is a co-founder and steering committeemember of International Conference on AppliedCryptography and Network Security (ACNS).

cost-effective authentic and anonymous data sharing with ...kailiu/mypaper/ieee-tc-2015-1.pdf · 1...

Documents