cost-effective authentic and anonymous data sharing with forward

Cost-Effective Authentic and AnonymousData Sharing with Forward Security

Xinyi Huang, Joseph K. Liu, Shaohua Tang,Member, IEEE, Yang Xiang, Senior Member, IEEE,

Kaitai Liang, Li Xu,Member, IEEE, and Jianying Zhou

Abstract—Data sharing has never been easier with the advances of cloud computing, and an accurate analysis on the shared data

provides an array of benefits to both the society and individuals. Data sharing with a large number of participants must take into account

several issues, including efficiency, data integrity and privacy of data owner. Ring signature is a promising candidate to construct an

anonymous and authentic data sharing system. It allows a data owner to anonymously authenticate his data which can be put into the

cloud for storage or analysis purpose. Yet the costly certificate verification in the traditional public key infrastructure (PKI) setting

becomes a bottleneck for this solution to be scalable. Identity-based (ID-based) ring signature, which eliminates the process of

certificate verification, can be used instead. In this paper, we further enhance the security of ID-based ring signature by providing

forward security: If a secret key of any user has been compromised, all previous generated signatures that include this user still remain

valid. This property is especially important to any large scale data sharing system, as it is impossible to ask all data owners to re-

authenticate their data even if a secret key of one single user has been compromised. We provide a concrete and efficient instantiation

of our scheme, prove its security and provide an implementation to show its practicality.

Index Terms—Authentication, data sharing, cloud computing, forward security, smart grid

Ç

1 INTRODUCTION

THE popularity and widespread use of “CLOUD” havebrought great convenience for data sharing and collec-

tion [8], [29], [37], [46], [51]. Not only can individuals acquireuseful datamore easily, sharing datawith others can providea number of benefits to our society aswell [14], [49], [53]. As arepresentative example, consumers in Smart Grid [40] canobtain their energy usage data in a fine-grained manner andare encouraged to share their personal energy usage datawith others, e.g., by uploading the data to a third party plat-form such asMicrosoft Hohm [39] (Fig. 1). From the collecteddata a statistical report is created, and one can compare theirenergy consumption with others (e.g., from the same block).This ability to access, analyze, and respond to much moreprecise and detailed data from all levels of the electric grid iscritical to efficient energy usage.

Due to its openness, data sharing is always deployed in ahostile environment and vulnerable to a number of securitythreats. Taking energy usage data sharing in Smart Grid asan example, there are several security goals a practical sys-tem must meet, including:

� Data Authenticity. In the situation of smart grid, thestatistic energy usage data would be misleading if itis forged by adversaries. While this issue alone canbe solved using well established cryptographic tools(e.g., message authentication code or digital signa-tures), one may encounter additional difficultieswhen other issues are taken into account, such asanonymity and efficiency;

� Anonymity. Energy usage data contains vast informa-tion of consumers, fromwhich one can extract the num-ber of persons in the home, the types of electric utilitiesused in a specific time period, etc. Thus, it is critical toprotect the anonymity of consumers in such applica-tions, and any failures to do so may lead to the reluc-tance from the consumers to share data with others; and

� Efficiency. The number of users in a data sharing sys-tem could be HUGE (imagine a smart grid with acountry size), and a practical system must reduce thecomputation and communication cost as much aspossible. Otherwise it would lead to a waste ofenergy, which contradicts the goal of smart grid.

This paper is devoted to investigating fundamental securitytools for realizing the three properties we described. Note thatthere are other security issues in a data sharing system whichare equally important, such as availability (service is providedat an acceptable level even under network attacks) and accesscontrol (only eligible users can have the access to the data). Butthe study of those issues is out of the scope of this paper.

� X. Huang and L. Xu are with the Fujian Provincial Key Laboratory ofNetwork Security and Cryptology, School of Mathematics and ComputerScience, Fujian Normal University, Fuzhou, China, 350108.E-mail: {xyhuang, xuli}@fjnu.edu.cn.

� J.K. Liu and J. Zhou are with the Infocomm Security Department, Institutefor Infocomm Research, 1 Fusionopolis Way, #21-01 Connexis, SouthTower, Singapore 138632. E-mail: {ksliu, jyzhou}@i2r.a-star.edu.sg.

� S. Tang is with the School of Computer Science, South China University ofTechnology, Guangzhou, China. E-mail: [email protected].

� Y. Xiang is with the School of Information Technology, Deakin University,Australia. E-mail: [email protected].

� K. Liang is with the Department of Computer Science, City University ofHong Kong, Hong Kong. E-mail: [email protected].

Manuscript received 16 Sept. 2013; revised 15 Feb. 2014; accepted 16 Mar.2014. Date of publication 2 Apr. 2014; date of current version 13 Mar. 2015.Recommended for acceptance by K. Li.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference the Digital Object Identifier Below.Digital Object Identifier no. 10.1109/TC.2014.2315619

IEEE TRANSACTIONS ON COMPUTERS, VOL. 64, NO. 4, APRIL 2015 971

0018-9340� 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

1.1 Identity-Based Ring Signature

The aforementioned three issues remind us a cryptographicprimitive “identity-based ring signature”, an efficient solu-tion on applications requiring data authenticity andanonymity.

1.1.1 ID-Based Cryptosystem

Identity-based (ID-based) cryptosystem, introduced byShamir [45], eliminated the need for verifying the validity ofpublic key certificates, the management of which is bothtime and cost consuming. In an ID-based cryptosystem, thepublic key of each user is easily computable from a stringcorresponding to this user’s publicly known identity (e.g.,an email address, a residential address, etc.). A private keygenerator (PKG) then computes private keys from its mastersecret for users. This property avoids the need of certificates(which are necessary in traditional public-key infrastruc-ture) and associates an implicit public key (user identity) toeach user within the system. In order to verify an ID-basedsignature, different from the traditional public key basedsignature, one does not need to verify the certificate first.The elimination of the certificate validation makes thewhole verification process more efficient, which will lead toa significant save in communication and computation whena large number of users are involved (say, energy usagedata sharing in smart-grid).

Ring signature is a group-oriented signature with pri-vacy protection on signature producer. A user can signanonymously on behalf of a group on his own choice, whilegroup members can be totally unaware of being conscriptedin the group. Any verifier can be convinced that a messagehas been signed by one of the members in this group (alsocalled the Rings), but the actual identity of the signer is hid-den. Ring signatures could be used for whistle blowing [42],anonymous membership authentication for ad hoc groups[11] and many other applications which do not want com-plicated group formation stage but require signer anonym-ity. There have been many different schemes proposed (e.g.,[1], [13], [19], [23], [30], [31], [32], [33], [34], [38], [44], [50])since the first appearance of ring signature in 1994 [21] andthe formal introduction in 2001 [42].

1.1.2 An Affirmative Advantage in Big Data

Due to its natural framework, ring signature in ID-based set-ting has a significant advantage over its counterpart in tradi-tional public key setting, especially in the big data analytic

environment. Suppose there are 10,000 users in the ring, theverifier of a traditional public key based ring signature mustfirst validate 10,000 certificates of the corresponding users,after which one can carry out the actual verification on themessage and signature pair. In contrast, to verify an ID-basedring signature, only the identities of ring users, together withthe pair of message and signature are needed. As one cansee, the elimination of certificate validation, which is a costlyprocess, saves a great amount of time and computation. Thissaving will be more critical if a higher level of anonymity isneeded by increasing the number of users in the ring. Thus,as depicted in Fig. 2, ID-based ring signature is more prefera-ble in the setting with a large number of users such as energydata sharing in smart grid:

� Step 1: The energy data owner (say, Bob) first setupsa ring by choosing a group of users. This phase onlyneeds the public identity information of ring mem-bers, such as residential addresses, and Bob does notneed the collaboration (or the consent) from any ringmembers.

� Step 2: Bob uploads his personal data of electronicusage, together with a ring signature and the identityinformation of all ring members.

� Step 3: By verifying the ring signature, one can beassured that the data is indeed given out by a validresident (from the ring members) while cannotfigure out who the resident is. Hence the anonymityof the data provider is ensured together with dataauthenticity. Meanwhile, the verification is efficientwhich does not involve any certificate verification.

The first ID-based ring signature scheme was proposedin 2002 [57] which can be proven secure in the random ora-cle model. Two constructions in the standard model wereproposed in [4]. Their first construction however was dis-covered to be flawed [24], while the second construction isonly proven secure in a weaker model, namely, selective-ID model. The first ID-based ring signature schemeclaimed to be secure in the standard model is due to Hanet al. [25] under the trusted setup assumption. However,their proof is wrong and is pointed out by [48]. Other exist-ing ID-based ring signature schemes include [5], [17], [18],[20], [26], [41], [48], [58].

1.2 The Motivation

1.2.1 Key Exposure

ID-based ring signature seems to be an optimal trade-offamong efficiency, data authenticity and anonymity, andprovides a sound solution on data sharing with a largenumber of participants. To obtain a higher level protection,

Fig. 1. Energy usage data sharing in smart grid.

Fig. 2. A solution based on ID-based ring signature.

972 IEEE TRANSACTIONS ON COMPUTERS, VOL. 64, NO. 4, APRIL 2015

one can add more users in the ring. But doing this increasesthe chance of key exposure as well.

Key exposure is the fundamental limitation of ordinarydigital signatures. If the private key of a signer is compro-mised, all signatures of that signer become worthless: futuresignatures are invalidated and no previously issued signa-tures can be trusted. Once a key leakage is identified, keyrevocation mechanisms must be invoked immediately inorder to prevent the generation of any signature using thecompromised secret key. However, this does not solve theproblem of forgeability for past signatures.

The notion of forward secure signature was proposed topreserve the validity of past signatures even if the currentsecret key is compromised. The concept was first suggestedby Anderson [2], and the solutions were designed by BellareandMiner [7]. The idea is dividing the total time of the valid-ity of a public key into T time periods, and a key compro-mise of the current time slot does not enable an adversary toproduce valid signatures pertaining to past time slots.

1.2.2 Key Exposure in Big Data Sharing System

The issue of key exposure is more severe in a ring signaturescheme: if a ring member’s secret key is exposed, the adver-sary can produce valid ring signatures of any documents onbehalf of that group. Even worse, the “group” can be definedby the adversary at will due to the spontaneity property ofring signature: The adversary only needs to include the com-promised user in the “group” of his choice. As a result, theexposure of one user’s secret key renders all previouslyobtained ring signatures invalid (if that user is one of thering members), since one cannot distinguish whether a ringsignature is generated prior to the key exposure or by whichuser. Therefore, forward security is a necessary requirementthat a big data sharing system must meet. Otherwise, it willlead to a hugewaste of time and resource.

While there are various designs of forward-secure digi-tal signatures [54], [55], [56], adding forward security onring signatures turns out to be difficult. As far as theauthors know, there are only two forward secure ring sig-nature schemes [35], [36]. However, they are both in thetraditional public key setting where signature verificationinvolves expensive certificate check for every ring mem-ber. This is far below satisfactory if the size of the ring ishuge, such as the users of a smart grid. To summarize,the design of ID-based ring signature with forward secu-rity, which is the fundamental tool for realizing cost-effec-tive authentic and anonymous data sharing, is still anopen problem.

1.3 Contribution

In this paper, we propose a new notion called forwardsecure ID-based ring signature, which is an essential toolfor building cost-effective authentic and anonymous datasharing system:

� For the first time, we provide formal definitions onforward secure ID-based ring signatures;

� We present a concrete design of forward secure ID-based ring signature. No previous ID-based ring sig-nature schemes in the literature have the property of

forward security, and we are the first to provide thisfeature;

� We prove the security of the proposed scheme in therandom oracle model, under the standard RSAassumption; and

� Our implementation is practical, in the followingways:

1) It is in ID-based setting. The elimination of thecostly certificate verification process makes itscalable and especially suitable for big data ana-lytic environment.

2) The size of a secret key is just one integer.3) Key update process only requires an

exponentiation.4) We do not require any pairing in any stage.

2 DEFINITION

2.1 Mathematical Assumption

Definition 1 (RSA Problem). Let N ¼ pq, where p and q aretwo k-bit prime numbers such that p ¼ 2p0 þ 1 andq ¼ 2q0 þ 1 for some primes p0; q0. Let e be a prime1 greaterthan 2‘ for some fixed parameter ‘, such thatgcdðe;fðNÞÞ ¼ 1. Let y be a random element in Z�

N . We saythat an algorithm S solves the RSA problem if it receives aninput the tuple ðN; e; yÞ and outputs an element z such thatze ¼ ymodN .

2.2 Security Model

A ð1; nÞ ID-based forward secure ring signature (IDFSRS)scheme is a tuple of probabilistic polynomial-time (PPT)algorithms:

� Setup. On input an unary string 1� where � is a secu-rity parameter, the algorithm outputs a master secretkey msk for the third party private key generatorand a list of system parameters param that includes� and the descriptions of a user secret key space D, amessage spaceM as well as a signature spaceC.

� Extract. On input a list param of system parameters,an identity IDi 2 f0; 1g� for a user and the mastersecret key msk, the algorithm outputs the user’ssecret key ski;0 2 D such that the secret key is validfor time t ¼ 0. In this paper, we denote time as non-negative integers. When we say identity IDi corre-sponds to user secret key ski;0 or vice versa, wemean the pair ðIDi; ski;0Þ is an input-output pair ofExtractwith respect to param andmsk.

� Update. On input a user secret key ski;t for a timeperiod t, the algorithm outputs a new user secret keyski;tþ1 for the time period tþ 1.

� Sign. On input a list param of system parameters, atime period t, a group size n of length polynomial in�, a set L ¼ fIDi 2 f0; 1g�ji 2 ½1; n�g of n user identi-ties, a message m 2 M, and a secret keyskp;t 2 D;p 2 ½1; n� for time period t, the algorithmoutputs a signature s 2 C.

1. Note that we use a slightly modified version [22], [26] of the origi-nal RSA problem definition in which we require the exponent to be aprime number.

HUANG ET AL.: COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARINGWITH FORWARD SECURITY 973

� Verify. On input a list param of system parameters, atime period t, a group size n of length polynomial in�, a set L ¼ fIDi 2 f0; 1g�ji 2 ½1; n�g of n user identi-ties, a message m 2 M, a signature s 2 C, it outputseither valid or invalid.

Correctness. A ð1; nÞ IDFSRS scheme should satisfy theverification correctness—signatures signed by honest signerare verified to be invalid with negligible probability.

2.3 Notions of Security

The security of IDFSRS consists of two aspects: forwardsecurity and anonymity. Before giving their definition, weconsider the following oracleswhich togethermodel the abil-ity of the adversaries in breaking the security of IDFSRS.

� Extration Oracle (EO). On input an identity IDi and atime period t, the corresponding secret key ski;t 2 Dfor that time period is returned.

� Signing Oracle (SO). On input a time period t, agroup size n, a set L of n user identities, a messagem 2 M, a valid signature s is returned.

Now we are ready to define the security of IDFSRS:

1) Forward Security. Forward security of IDFSRSscheme is defined in the following game between thesimulator S and the adversary A in which A is givenaccess to oracles EO and SO:

a) S generates and gives A the system parametersparam.

b) A may query the oracles according to any adap-tive strategy.

c) A chooses a time t�, a group size n� 2 N, a set L�

of n� identities and a messagem� 2 M.d) A may continue to query the oracles according

to any adaptive strategy.e) A outputs a signature s�

t� .Awins the game if:

� Verifyðt�;L�;m�; s�t� Þ ¼ valid.

� None of the identities in L� has been queried toEO with time t � t� as the time input parameter.(Unlimited query to EO with time t > t� to bethe time input parameter.)

� ðt�;L�;m�Þ are not queried to SO.We denote Advfs

A ð�Þ the probability of A winningthe game.Definition 2 (Forward Secure). A ð1; nÞ IDFSRSscheme is forward secure if for any PPT adversary A,Advfs

A ð�Þ is a negligible function of �.2) Anonymity. It should not be possible for an adversary

to tell the identity of the signer with a probabilitylarger than 1=n, where n is the cardinality of thering, even assuming that the adversary has unlim-ited computing resources. We denote

AdvanonA ð�Þ ¼ Pr½A guesses the identity

of the signer correctly� � 1=n:

Definition 3 (Anonymity). A ð1; nÞIDFSRS scheme isunconditional anonymous if for any group of n users, anymessage m 2 M, any time t and any valid signature, any

adversary A, even with unbounded computational power,cannot identify the actual signer with probability betterthan random guessing. In other words, A can only outputthe identity of the actual signer with probability no betterthan 1=n. That is,Advanon

A ð�Þ ¼ 0.

3 OUR PROPOSED ID-BASED FORWARD SECURE

RING SIGNATURE SCHEME

This section is devoted to the description and analysis of ourproposed ID-based forward secure ring signature scheme.

3.1 The Design

We assume that the identities and user secret keys are validinto T periods and makes the time intervals public. We alsoset the message spaceM ¼ f0; 1g�.

� Setup. On input of a security parameter �, the PKGgenerates two random k-bit prime numbers p and qsuch that p ¼ 2p0 þ 1 and q ¼ 2q0 þ 1 where p0; q0 aresome primes. It computes N ¼ pq. For some fixedparameter ‘, it chooses a random prime number esuch that 2‘ < e < 2‘þ1 and gcdðe;fðNÞÞ ¼ 1. Itchooses two hash functions H1 : f0; 1g� ! Z�

N andH2 : f0; 1g� ! f0; 1g‘. The public parameters paramare ðk; ‘; e;N;H1; H2Þ and the master secret key mskis ðp; qÞ.

� Extract. For user i, where i 2 Z, with identityIDi 2 f0; 1g� requests for a secret key at time periodt (denoted by an integer), where 0 � t < T , the PKGcomputes the user secret key

ski;t ¼ ½H1ðIDiÞ�1

eðTþ1�tÞ modN

using its knowledge of the factorization ofN .

� Update. On input a secret key ski;t for a time period t,if t < T the user updates the secret key as

ski;tþ1 ¼ ðski;tÞe modN:

Otherwise the algorithm outputs “?” meaning thatthe secret key has expired.

� Sign. To sign a message m 2 f0; 1g� in time period t,where 0 � t < T , on behalf of a ring of identitiesL ¼ fID1; . . . ; IDng, a user with identity IDp 2 Land secret key skp;t:

1) For all i 2 f1; . . . ; ng; i 6¼ p, choose randomAi 2 Z�

N and compute

Ri ¼ AieðTþ1�tÞ

modN

and

hi ¼ H2ðL;m; t; IDi; RiÞ:

2) Choose random Ap 2 Z�N and compute

Rp ¼ ApeðTþ1�tÞ

�Yn

i¼1;i 6¼p

H1ðIDiÞ�hi modN


and

hp ¼ H2ðL;m; t; IDp; RpÞ:3) Compute s ¼ ðskp;tÞhp �

Qni¼1 Ai modN:

4) Output the signature for the list of identities L,the message m, and the time period t ass ¼ ðR1; . . . ; Rn; h1; . . . ; hn; sÞ:

� Verify. To verify a signature s for a message m, a listof identities L and the time period t, check whetherhi ¼ H2ðL;m; t; IDi; RiÞ for i ¼ 1; . . . ; n and

seðTþ1�tÞ ¼

Yni¼1

ðRi �H1ðIDiÞhiÞmodN:

Output valid if all equalities hold. Otherwise outputinvalid.

3.2 Correctness

We shall show that signatures signed by honest signers arealways verified to be valid. For the verification equation

seðTþ1�tÞ ¼

Yni¼1

�Ri �H1ðIDiÞhi

�modN:

Left Hand Side:

¼ seðTþ1�tÞ

¼ ðskp;tÞhp �

Yni¼1

Ai modN

!eðTþ1�tÞ

¼ �

H1ðIDpÞ1

eðTþ1�tÞ�hp �Yn

i¼1

Ai modN

!eðTþ1�tÞ

¼ H1ðIDpÞhp �Yni¼1

ðAiÞeðTþ1�tÞ

modN:

Right Hand Side:

¼Yni¼1


�modN

¼ Yn

i¼1;i 6¼p


�! � Rp �H1ðIDpÞhp

!modN

¼ Yn

i¼1;i 6¼p

�Ai

eðTþ1�tÞ �H1ðIDiÞhi�!

� Ap

eðTþ1�tÞ �Yn

i¼1;i 6¼p

H1ðIDiÞ�hiÞ �H1ðIDpÞhp!

modN

¼�Yn

i¼1

AieðTþ1�tÞ

��H1ðIDpÞhp modN

¼ Left hand side:

3.3 Security Analysis

Theorem 1 (Forward Security). Let A be a PPT forger. For

some message m and a set L containing n identities, suppose

A on inputs the security parameter �, queries an extraction

oracle qE times, a signing oracle qs times, theH1 random oracle

qH1times and the H2 random oracle qH2

times, outputs a

forged signature with non-negligible probability �. Then we

can solve the strong RSA problem with probability at least �0

in polynomial time where �0 � �2

1560qeVqH2;nT

, and VqH2;n ¼

qH2� ðqH2

� 1Þ . . . ðqH2� nþ 1Þ and T is the total number of

time period.

Proof. Our proof consists of the following parts.Setup. Let ðN; e; yÞ be an instance of the RSA problem

as stated in Definition 1. We are going to construct a PPTalgorithm S that will use the adversary A to solve thegiven instance of the strong RSA problem. S must simu-late all necessary oracles and responds to A’s queries.

First, S sends the public parameter ðN; eÞ to A.Without loss of generality, we can assume that A asksthe random oracle H1 for the value H1ðIDÞ before ask-ing for the secret key of ID. We define t� be thebreakin period such that A is not allowed to query EOfor any identities included in L� (the set of identitiesof the forged signature output by A), while there isno limitation for time input parameter t > t�. A isallowed to choose any t� � T . S needs to guess thebreakin period t� chosen by A. S randomly chooses t̂,1 < t̂ � T , hoping that the breakin period falls at t̂ orlater, so that the forgery will be for a time period ear-lier than t̂.

Oracle Simulation.

� H1 random oracle. Let us define m ¼ ð5=6Þ1=qe . Sconstructs a table TABH1

to simulate the randomoracle H1. Every time an identity IDi is asked byA, S acts as follows: first S checks if this input isalready in the table. If it is the case, S sends to Athe corresponding value H1ðIDiÞ ¼ hIDi

. Other-wise, S chooses a bit bi 2 f0; 1g, withPr½bi ¼ 0� ¼ m and Pr½bi ¼ 1� ¼ 1� m. Then Schooses at random a different element xi 2 Z�

N

and defines hIDi¼ ybie

ðTþ1�t̂Þxi

eðTþ1ÞmodN . The

entry ðIDi; hIDi; xi;biÞ is stored in the table

TABH1. The value H1ðIDiÞ ¼ hIDi

is sent to A. Thecondition hIDi

6¼ hIDjmust be satisfied for all dif-

ferent entries i 6¼ j of the table. If this is not thecase, S repeats this process.

� H2 random oracle. S constructs another tableTABH2

to simulate the random oracle H2. If theinput element is stored in the table, S returns thecorresponding value as the output. Otherwise, Srandomly chooses an element r 2 f0; 1g‘ as theoutput, and stores the value in the table forconsistency.

� Extraction Oracle ðEOÞ. When A asks for thesecret key of a user with identity IDi at timeperiod t, S looks for IDi in the table TABH1

. Ifbi ¼ 0, then S extracts the xi value and computesski;t ¼ xi

et modN as the secret key of the userwith identity IDi at time t. It returns ski;t to A. Ifbi ¼ 1, S halts if t < t̂. Otherwise (that is, t � t̂), Sextracts the xi value and computesski;t ¼ ye

ðt�t̂Þxi

et modN as the secret key of theuser with identity IDi at time t. Note that the


probability that S halts in this step is less than1� mqe ¼ 1=6.

� Signing Oracle ðSOÞ. When A asks for a valid sig-nature for message m for a set of identities L con-taining n0 identities in the time period t, wheren0 � n, S simulates the signing oracle. First weassume A has not asked for the secret key of anyidentities in L, otherwise A could obtain a validring signature by itself. We also assume that Ahas asked for the H1 random oracle query forH1ðIDiÞ for all identities IDi 2 L. Therefore thereexist entries ðIDi; hIDi

; xi;biÞ in the table TABH1,

for all i 2 f1; . . . ; n0g. S answers the query asfollow:

- If bi ¼ 0 for some i 2 f1; . . . ; n0g, or t � t̂, Sknows the corresponding secret key by simu-lating the EO and uses the secret key to com-pute a valid signature according to thealgorithm.

- If bi ¼ 1 for all i 2 f1; . . . ; n0g and t < t̂:

1) S randomly chooses p 2 f1; . . . ; n0g.2) For all i 2 f1; . . . ; n0g; i 6¼ p, choose ran-

dom Ai 2 Z�N , pairwise different, com-

pute

Ri ¼ AieðTþ1�tÞ

modN;

and by querying the random oracle H2,compute hi ¼ H2ðL;m; t; IDi; RiÞ.

3) Choose random hp 2 f0; 1g‘ and s 2 Z�N .

4) Compute

Rp ¼ seðTþ1�tÞ �H1ðIDpÞ�hp

�Yn0

i¼1;i 6¼p

�R�1

i �H1ðIDiÞ�hi�modN:

If Rp ¼ 1 modN or Rp ¼ Ri for some i 6¼ p,go back to the previous step.

5) Backpack the random oracle H2 by set-tingH2ðL;m; t; IDp; RpÞ ¼ hp.

6) Return the signature s ¼ ðR1; . . . ; Rn0 ;h1; . . . ; hn0 ; sÞ.

Forgery. Assume A chooses a breakin period t� < t̂.That is, the forged signature s� is valid for time periodt� < t̂ . S randomly chooses an H2 query and hopefullyit is the H2 query for closing the gap of the ring. Usingstandard rewind technique, S rewinds to the point justbefore supplying the answer of the H2 query, and sup-plies a different answer to this particular query. Denotes� ¼ ðR�

1; . . . ; R�n0 ; h

�1; . . . ; h

�n0 ; s

�Þ as the first signatureforgery given by A. If S guesses correctly, A outputs adifferent signature s0� ¼ ðR0�

1; . . . ; R0�n0 ; h

0�1; . . . ; h

0�j ; . . . ;

h0�n0 ; s

0�Þ such that

� For all i 2 f1; . . . ; n0g, R�i ¼ R0�

i .

� For all i 2 f1; . . . ; n0g; i 6¼ j, h�i ¼ h0�

i . But h�j 6¼ h0�

j

for one j 2 f1; . . . ; n0g.� s� 6¼ s0�.

Then we can obtain

s�eðTþ1�t�Þ ¼

Yn0i¼1

�R�

i �H1ðIDiÞh�i�modN

and

s0�eðTþ1�t�Þ ¼

Yn0i¼1

�R�

i �H1ðIDiÞh0�i�modN:

Dividing two equations, we obtain

s�

s0�

� �eðTþ1�t�Þ

¼ H1ðIDjÞh�j�h0�j modN:

Now we look at the table TABH1for the entry

ðIDj; hIDj; xj;bjÞ corresponding to the identity IDj. Since

the forged signatures are valid and the secret key of user

IDj for any time t � t� < t̂ has not been queried, with

probability 1� m, we have bj ¼ 1 and hIDj¼ H1ðIDjÞ ¼

yeðTþ1�t̂Þ

xjeðTþ1Þ

modN . Then the relation becomes

s�

s0�

� �eðTþ1�t�Þ

�xjðh0�j�h�

jÞ�eðTþ1Þ ¼ y

eðTþ1�t̂Þ�ðh�j�h0�j Þ modN: (1)

After simplification, equation (1) becomes

s�

s0�

� �eðt̂�t�Þ

� xjðh0�j�h�

jÞ�et̂ ¼ y

h�j�h0�j modN: (2)

Since h�j and h0�

j are outputs of the hash function

H2 : f0; 1g� ! f0; 1g‘, we have jh�j � h0�

j j < 2‘ < e. Also

as e is a prime number, it holds that gcdðe; jh�j � h0�

j jÞ ¼ 1.

That means there exists two integers a and b such that

aeþ bðh�j � h0�

j Þ ¼ 1. Finally we have

z ¼��

s�

s0�

�eðt̂�t��1Þ


jÞ�et̂�1

�b

� ya modN

as the solution of the given instance of the RSA problem.

It is the correct solution because

ze ¼�� s�

s0��eðt̂�t��1Þ


jÞ�et̂�1

�eb

� yea modN

¼ yðh�

j�h0�j Þb � yea modN (from Equation (2))

¼ yaeþbðh�

j�h0�j Þ modN

¼ ymodN:

Probability Analysis. For a successful simulation, thereshould be no collision in any stage. There are two kindsof collisions that may occur:

1) A tuple ðL;m; t; IDi; RiÞ that S outputs from thesigning oracle, inside a simulated ring signature,has been asked before to the random oracle H2 byA. The probability of such a collision is less thanq2 � qs � 1

2k� 1

6.2) The same tuple ðL;m; t; IDi; RiÞ is output by S in

two different simulated ring signatures. Using the


birthday paradox from probability theory, we havethe probability of this collision is less thanq2s2 � 1

2k� 1

6.Altogether the probability of collision is less than 1=3.

Now we can compute the probability that S obtains avalid signature:

�S ¼ Pr½S succeeds�¼ Pr½S does not halt AND no collisions in

the simulations AND A succeeds�� Pr½A succeeds jS does not halt AND no

collisions in the simulations�� ð1� Pr½S halts OR collisions in the

simulations�Þ

� � � 1� 1

6� 1

3

� �

¼ �

2:

By the ring forking lemma [27], S obtains two validring signatures for the same message and same ring suchthat h�

j 6¼ h0�j with probability

~� � �2S65VqH2

;n;

where

VqH2;n ¼ qH2

� ðqH2� 1Þ . . . ðqH2

� nþ 1Þ:

In additional, S also needs to guess the breaking periodcorrectly. The probability is at least 1

T . Summing up, theprobability of S in solving the given instance of the RSAproblem is

�0 � 1

T� ð1� mÞ~�

� ð1� mÞ � �2S65VqH2

;nT

� ð1� mÞ ��2

�265VqH2

;nT

� �2

1560qeVqH2;nT

:

tuTheorem 2. Our proposed scheme is unconditional anonymous.

Proof. Given a valid signature s ¼ ðR1; . . . ; Rn; h1; . . . ; hn; sÞ,all Ri are generated from Ai, where Ai is a random num-ber. hi are outputs from the hash function H2 which arealso random numbers in the random oracle model. s isdetermined by all Ais. Thus, given a message and a ring,valid signatures produced by two different signers havethe same distribution, and the signature gives no infor-mation about the identity of the actual signer. tu

3.4 Efficiency Analysis

Our scheme requires the exponent e greater than 2‘, where ‘is the bit length of the hash function H2. Usually a securehash function requires at least 160 bits output. However, ifwe set ‘ ¼ 160 it will be quite inefficient. In order to offsetthis, we can use g different hash functions such that eachhash function outputs ‘0 bits where g‘0 ¼ ‘. For example, wecan use 8 different hash functions such that each outputs20 bits. In this way, we only need to set 220 < e < 221

which is still an acceptable value. But we need to repeat thesigning and verification procedures (those require H2 oper-ation) 8 times for each time using a different hash functionH2 in order to achieve 160-bit hash function security.

On the other side, the size of public parameters is a con-stant, which only consists of some security parameters, twointegers and some hash functions. The secret key is veryshort. It is only an integer. Assume we use 1,024-bit RSAsecurity level, the secret key is just 1,024 bits. For every keyupdate process, we just require an exponentiation withexponent e over modulus N operation. The signing and ver-ification algorithms do not require any pairing operation.

The computation complexity and space requirement ofour scheme are shown in Tables 1 and 2 respectively.

3.5 Comparison

We compare our scheme with related work in terms of fea-tures, computation, and space requirement, as shown inTable 3. Note that the verification for non ID-based 1-out-of-n ring signature schemes require additional certificate veri-fication for n users. We exclude the cost and space for thosen certificates verification in this comparison, as it may varyin different scenarios.

3.6 Implementation and Experimental Results

We implement the smart grid example introduced inSection 1, and evaluate the performance of our IDFSRSscheme with respect to three entities: the private key genera-tor, the energy data owner (user), and the service provider

TABLE 1Computation Complexity of Algorithms

Notation:n: number of users in the ring;‘0: length of the output of hash function in the scheme;‘: length of the output of a secure hash function (usually it is 160).


(data center). In the experiments, the programs for threeentities are implemented using the public cryptographiclibrary MIRACL [43], programmed in C++. All experimentswere repeated 100 times to obtain average results shown inthis paper, and all experiments were conducted for the casesof jNj ¼ 1;024 bits and jN j ¼ 2;048 bits respectively.

The average time for the PKG to setup the system isshown in Table 4, where the testbed for the PKG is a DELLT5500 workstation equipped with 2.13 GHz Intel Xeondual-core dual-processor with 12 GB RAM and runningWindows 7 Professional 64-bit operating system. It took 151and 2,198 ms for the PKG to setup the whole system forjNj ¼ 1;024 bits and jN j ¼ 2;048 bits respectively.

The average time for the data owner (user) to sign energyusage data with different choices of n and T are shown inFigs. 3 and 4, for jN j ¼ 1;024 bits and jN j ¼ 2;048 bitsrespectively. The testbed for the user is a laptop personalcomputer equipped with 2.10 GHz Intel CPU with 4 GBRAM and running Windows 7 operating system.

The average time for the service provider (data center) toverify the ring signature with different choices of n and Tare shown in Figs. 5 and 6, for jNj ¼ 1;024 bits andjNj ¼ 2;048 bits respectively. The testbed for the date centeris a DELL T5500 workstation equipped with 2.13 GHz IntelXeon dual-core dual-processor with 12 GB RAM and run-ning Windows 7 Professional 64-bit operating system.

4 APPLICATIONS OF FORWARD SECURE ID-BASED

RING SIGNATURES

In addition to energy data sharing in smart-grid, we sketchthree other situations which may also need forward secureID-based ring signatures.

TABLE 3Comparison with Other Forward Secure Ring Signature Schemes

Notation:ROM: Random Oracle Model;T : number of time slots;

jHj: the length of the hash of the message in binary bits;jNj: the length ofN in binary bits;jGj: the length of a group element in G for elliptic curve group; (If 160 bit elliptic curve is used, jGj ¼ 160 bits.)

n: number of users in the ring;‘: a fixed integer.

TABLE 2Space Requirement

, Notation:N: RSA modulus;jNj: the length ofN in binary bits;n: number of users in the ring.

TABLE 4Average Time for the PKG to Setup the System


Fig. 3. The average time for the data owner to sign energy usage data, jN j ¼ 1;024.

Fig. 4. The average time for the data owner to sign energy usage data, jN j ¼ 2;048.

Fig. 5. The average time for the service provider to verify the ring signature, jNj ¼ 1;024.


WHISTLE BLOWING. Suppose Bob is a member of the citycouncil. One day he wishes to leak a secret news from thecouncil meeting to a journalist. The news is supposed to bekept secret. Thus Bob wants to remain anonymous, yet suchthatthejournalist isconvincedthattheleakwasindeedfromacouncilmember.Bobcannot send to the journalist a standarddigitally signed message, since such a message, although itconvinces the journalist that it came from a council member,does so by directly revealing Bob’s identity. Neither does itwork for Bob to send the journalist amessage througha stan-dard anonymizer, since the anonymizer strips off all sourceidentification and authentication in away that the journalistwouldhavenoreason tobelieve that themessage really camefroma councilmember at all. Using another primitive calledgroup signature [3], [6], [9], [10], [12], [15] does not solve theproblem neither. A group signature allows a signer to sign amessage on behalf of a group. The verifier only knows thatone of the users of the group signs the message yet does notknow who is the actual signer. It does not work in this case,becauseit requirespriorcooperationoftheothergroupmem-berstosetup,andleavesBobvulnerabletolater identificationby thegroupmanager,whomaybe controlledby thegovern-ment. The correct approach forBob is to send the secret infor-mation to the journalist through an anonymizer, signedwitha ring signature that names each council member includinghimself as a ring member. The journalist can verify the ringsignature on the message, and learn that it definitely camefrom a council member. However, neither he nor anyone(including those councilmembers inside the ring) can deter-mine theactual sourceof the leak.Forwardsecurityenhancesthe protection of all entities. Without forward security, if asecret key of a council member Alice is exposed, every ringsignature containing Alice in the ring will become invalid.Thatmeans anyprevious ring signature given byBobwill beinvalid (assuming Alice is included in the signature). Thiswill greatly affect the accuracy of the report by the journalistwho may rely on Bob for leaking important secretinformation.

E-contract Signing. A 1-out-of-2 ring signature (contain-ing two users in the ring) can be used to construct

concurrent signature [16], [47]. A concurrent signatureallows two entities to produce two signatures in such a waythat, from the point of view of any third party, both signa-tures are ambiguous with respect to the identity of the sign-ing party until an extra piece of information (the keystone)is released by one of the parties. Upon release of the key-stone, both signatures become binding to their true signersconcurrently.

Concurrent signature is one of the essential tools forbuilding e-contract signing and fair exchange protocol inthe paradigm. It can protect both parties against a cheatingparty. Consider the following example of fair tendering ofcontracts. Suppose that A has a building construction con-tract that she wishes to put out to tender, and supposecompanies B and C wish to put in proposals to win thecontract. This process is sometimes open to abuse by Asince she can privately show B’s signed proposal to C toenable C to better the proposal. Using concurrent signa-tures, B would sign his proposal to construct the buildingfor an amount X, but keep the keystone private. If Awishes to accept the proposal, she returns a paymentinstruction to pay B amount X. She knows that if Battempts to collect the payment, then A will obtain thekeystone through the banking system to allow the publicto verify that the signature is really generated by B. But Amay also wish to examine C’s proposal before decidingwhich to accept. However there is no advantage for A toshow B’s signature to C since at this point B’s signature isambiguous and so C will not be convinced of anything atall by seeing it. We see that the tendering process isimmune to abuse by A.

Adding forward security to it can further improve thesecurity protection level. With forward security, the keyexposure of either party does not affect the e-contracts pre-viously signed. This provides a more fair, justice, safety andefficient environment for commercial users doing businessin an e-commerce platform.

E-auction. Similar to e-contract signing, ring signatureschemes can be used to construct e-auction protocols [28],[52]. By using ring signature, a winner-identifiable

Fig. 6. The average time for the service provider to verify the ring signature, jNj ¼ 2;048.


anonymous auction protocol can be build efficiently. That isto say, the auctioneer can authenticate the real identity ofthe winner at the end of the protocol without additionalinteractions with the winning bidder even though all thebidders bid anonymously. Adding forward security furtherprovides additional security to all entities involved in theauction activity. The loss of secret key by anybody does notaffect the overall result. It is one of the best way to safeguardthe robustness of the e-auction.

5 CONCLUSION

Motivated by the practical needs in data sharing, we pro-posed a new notion called forward secure ID-based ring sig-nature. It allows an ID-based ring signature scheme to haveforward security. It is the first in the literature to have thisfeature for ring signature in ID-based setting. Our schemeprovides unconditional anonymity and can be proven for-ward-secure unforgeable in the random oracle model,assuming RSA problem is hard. Our scheme is very efficientand does not require any pairing operations. The size of usersecret key is just one integer, while the key update processonly requires an exponentiation. We believe our scheme willbe very useful in many other practical applications, espe-cially to those require user privacy and authentication, suchas ad-hoc network, e-commerce activities and smart grid.

Our current scheme relies on the random oracle assump-tion to prove its security. We consider a provably securescheme with the same features in the standard model as anopen problem and our future research work.

ACKNOWLEDGMENTS

The authors would like to thank Ke Jiang, Zhiliang Peng andMing Lu, who are postgraduate students with South ChinaUniversity of Technology, for doing the implementations ofthe proposed scheme. This work was supported by NationalNatural Science Foundation of China (Grant NOs. 61202450,U1135004 and 61170080), Distinguished Young ScholarsFund of Department of Education, Fujian Province, China(JA13062), Ph.D. Programs Foundation of Ministry of Educa-tion of China (Grant NO. 20123503120001), Fujian NormalUniversity Innovative Research Team (NO. IRTL1207),Guangdong Province Universities and Colleges Pearl RiverScholar Funded Scheme (2011), High-level Talents Project ofGuangdong Institutions of Higher Education (2012), NaturalScience Foundation of Fujian Province (No. 2013J01222), andFok Ying Tung Education Foundation (Grant No. 141065).Joseph K. Liu is the corresponding author.

REFERENCES

[1] M. Abe, M. Ohkubo, and K. Suzuki, “1-out-of-n signatures from avariety of keys,” in Proc. 8th Int. Conf. Theory Appl. Cryptol. Inform.Security: Adv. Cryptol., 2002, vol. 2501, pp. 415–432.

[2] R. Anderson, “Two remarks on public-key cryptology,” Manu-script, Sep. 2000. (Relevant material presented by the author in aninvited lecture at the Fourth ACM Conference on Computer andCommunications Security, 1997.)

[3] G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik, “A practicaland provably secure coalition-resistant group signature scheme,”in Proc. 20th Annu. Int. Cryptol. Conf. Adv. Cryptol., 2000, vol. 1880,pp. 255–270.

[4] M. H. Au, J. K. Liu, T. H. Yuen, and D. S. Wong, “ID-based ringsignature scheme secure in the standard model,” in Proc. 1st Int.Workshop Security Adv. Inform. Comput. Security, 2006, vol. 4266,pp. 1–16.

[5] A. K. Awasthi and S. Lal, “Id-based ring signature and proxy ringsignature schemes from bilinear pairings,” CoRR, vol. abs/cs/0504097, 2005.

[6] M. Bellare, D. Micciancio, and B. Warinschi, “Foundations ofgroup signatures: Formal definitions, simplified requirementsand a construction based on general assumptions,” in Proc. 22ndInt. Conf. Theory Appl. Cryptographic Techn., 2003, vol. 2656,pp. 614–629.

[7] M. Bellare and S. Miner, “A forward-secure digital signaturescheme,” in Proc. 19th Annu. Int. Cryptol. Conf., 1999, vol. 1666,pp. 431–448.

[8] J.-M. Bohli, N. Gruschka, M. Jensen, L. L. Iacono, and N. Marnau,“Security and privacy-enhancing multicloud architectures,” IEEETrans. Dependable Sec. Comput., vol. 10, no. 4, pp. 212–224, Jul.\Aug. 2013.

[9] A. Boldyreva, “Efficient threshold signature, multisignatureand blind signature schemes based on the gap Diffie-Hellmangroup signature scheme,” in Proc. 6th Int. Workshop TheoryPractice PublicKey Cryptography: Public Key Cryptography, 2003,vol. 567, pp. 31–46.

[10] D. Boneh, X. Boyen, and H. Shacham, “Short group signatures,” inProc.Annu. Int.Cryptol.Conf.Adv.Cryptol., 2004, vol. 3152,pp.41–55.

[11] E. Bresson, J. Stern, and M. Szydlo, “Threshold ring signaturesand applications to ad-hoc groups,” in Proc. 22nd Annu. Int. Cryp-tol. Conf. Adv. Cryptol., 2002, vol. 2442, pp. 465–480.

[12] J. Camenisch, “Efficient and generalized group signatures,” inProc. Int. Conf. Theory Appl. Cryptographic Techn., 1997, vol. 1233,pp. 465–479.

[13] N. Chandran, J. Groth, and A. Sahai, “Ring signatures of sub-linear size without random oracles,” in Proc. 34th Int. Colloq.Automata, Lang. Programming, 2007, vol. 4596, pp. 423–434.

[14] K. Chard, K. Bubendorfer, S. Caton, and O. F. Rana, “Social cloudcomputing: A vision for sociallymotivated resource sharing,” IEEETrans.Serv.Comput.,vol.5,no.4,pp.551–563,FourthQuarter2012.

[15] D. Chaum and E. van Heyst, “Group signatures,” in Proc. Work-shop Theory Appl. Cryptographic Techn., 1991, vol. 547, pp. 257–265.

[16] L. Chen, C. Kudla, and K. G. Paterson, “Concurrent signatures,”in Proc. Int. Conf. Theory Appl. Cryptographic Techn., 2004, vol. 3027,pp. 287–305.

[17] H.-Y. Chien, “Highly efficient ID-based ring signature frompairings,” in Proc. IEEE Asia-Pacific Serv. Comput. Conf., 2008,pp. 829–834.

[18] S. S. Chow, R. W. Lui, L. C. Hui, and S. Yiu, “Identity based ringsignature: Why, how and what next,” in Proc. 2nd Eur. Public KeyInfrastructure Workshop, 2005, vol. 3545, pp. 144–161.

[19] S. S. M. Chow, V.K.-W. Wei, J. K. Liu, and T. H. Yuen, “Ring sig-natures without random oracles,” in Proc. ACM Symp. Inform.,Comput., Commun. Security, 2006, pp. 297–302.

[20] S. S. M. Chow, S.-M. Yiu, and L. C. K. Hui, “Efficient identitybased ring signature,” in Proc. 3rd Int. Conf. Appl. CryptographyNetw. Security, 2005, vol. 3531, pp. 499–512.

[21] R. Cramer, I. Damga rd, and B. Schoenmakers, “Proofs of partialknowledge and simplified design of witness hiding protocols,” inProc. 14th Annu. Int. Cryptol. Conf. Adv. Cryptol., 1994, vol. 839,pp. 174–187.

[22] R. Cramer and V. Shoup, “Signature schemes based on the strongRSA assumption,” in Proc. ACM Conf. Comput. Commun. Security,1999, pp. 46–51.

[23] Y. Dodis, A. Kiayias, A. Nicolosi, and V. Shoup, “Anonymousidentification in Ad Hoc groups,” in Proc. Int. Conf. Theory Appl.Cryptographic Techn., 2004, vol. 3027, pp. 609–626.

[24] A. L. Ferrara, M. Green, S. Hohenberger, and M. Ø. Pedersen.(2009). Practical short signature batch verification,” in Proc.Cryptographers’ Track RSA Conf. Topics Cryptol., vol. 5473, pp. 309–324 [Online]. Available: http://eprint.iacr.org/2008/015

[25] J. Han, Q. Xu, and G. Chen, “Efficient ID-based threshold ring sig-nature scheme,” in Proc. IEEE/IFIP Int. Conf. Embedded UbiquitousComput., 2008, pp. 437–442.

[26] J. Herranz, “Identity-based ring signatures from RSA,” Theor.Comput. Sci., vol. 389, no. 1-2, pp. 100–117, 2007.

[27] J. Herranz and G. S�aez, “Forking lemmas for ring signatureschemes,” in Proc. 4th Int. Conf. Cryptol. India, 2003, vol. 2904,pp. 266–279.


[28] M. Klonowski, L. Krzywiecki, M. Kutylowski, and A. Lauks,“Step-out ring signatures,” in Proc. 33rd Int. Symp. Math. Found.Comput. Sci., 2008, vol. 5162, pp. 431–442.

[29] M. Li, S. Yu, Y. Zheng, K. Ren, and W. Lou, “Scalable and securesharing of personal health records in cloud computing using attri-bute-based encryption,” IEEE Trans. Parallel Distrib. Syst., vol. 24,no. 1, pp. 131–143, Jan. 2013.

[30] D. Y. W. Liu, J. K. Liu, Y. Mu, W. Susilo, and D. S. Wong,“Revocable ring signature,” J. Comput. Sci. Tech., vol. 22, no. 6,pp. 785–794, 2007.

[31] J. K. Liu, M. H. Au, W. Susilo, and J. Zhou, “Online/offline ringsignature scheme,” in Proc. 11th Int. Conf. Inform. Commun. Secu-rity, 2009, vol. 5927, pp. 80–90.

[32] J. K. Liu, W. Susilo, and D. S. Wong, “Ring signature with desig-nated linkability,” in Proc. 1st Int. Conf. Security, 2006, vol. 4266,pp. 104–119.

[33] J. K. Liu, V. K. Wei, and D. S. Wong, “A separable threshold ringsignature scheme,” in Proc. 6th Int. Conf. Inform. Security Cryptol.,2003, vol. 2971, pp. 12–26.

[34] J. K. Liu and D. S. Wong, “On the security models of (Threshold)ring signature schemes,” in Proc. 6th Int. Conf. Inform. SecurityCryptol., 2004, pp. 12–26.

[35] J. K. Liu and D. S. Wong, “Solutions to key exposure problemin ring signature,” I. J. Netw. Secur., vol. 6, no. 2, pp. 170–180,2008.

[36] J. K. Liu, T. H. Yuen, and J. Zhou, “Forward secure ring signaturewithout random oracles,” in Proc. 13th Int. Conf. Inform. Commun.Security, 2011, vol. 7043, pp. 1–14.

[37] X. Liu, Y. Zhang, B. Wang, and J. Yan, “Mona: Secure multi-ownerdata sharing for dynamic groups in the cloud,” IEEE Trans. Paral-lel Distrib. Syst., vol. 24, no. 6, pp. 1182–1191, Jun. 2013.

[38] C. A. Melchor, P.-L. Cayrel, P. Gaborit, and F. Laguillaumie, “Anew efficient threshold ring signature scheme based on codingtheory,” IEEE Trans. Inform. Theory, vol. 57, no. 7, pp. 4833–4842,Jul. 2011.

[39] Microsoft. (2009). Conserve energy, save money-Microsoft Hohm.[Online]. Available: http://www.microsoft-hohm.com/

[40] NIST IR 7628: Guidelines for Smart Grid Cyber Security, NIST IR7628: Guidelines for Smart Grid Cyber Security, Aug. 2010.

[41] L. Nguyen, “Accumulators from bilinear pairings andapplications,” in Proc. Int. Conf. Topics Cryptol., 2005, vol. 3376,pp. 275–292.

[42] R. L. Rivest, A. Shamir, and Y. Tauman, “How to leak a secret,” inProc. 7th Int. Conf. Theory Appl. Cryptol. Inform. Security: Adv. Cryp-tol., 2001, vol. 2248, pp. 552–565.

[43] M. Scott. (2013). MIRACL-A multiprecision integer and rationalarithmetic C/C++ library, Shamus Software Ltd., [Online]. Avail-able: http://www.shamus.ie/index.php

[44] H. Shacham and B. Waters, “Efficient ring signatures without ran-dom oracles,” in Proc. 10th Int. Conf. Practice Theory Public KeyCryptography, 2007, vol. 4450, pp. 166–180.

[45] A. Shamir, “Identity-based cryptosystems and signatureschemes,” in Proc. CRYPTO 84 Adv. Cryptol., 1984, vol. 196,pp. 47–53.

[46] S. Sundareswaran, A. C. Squicciarini, and D. Lin, “Ensuring dis-tributed accountability for data sharing in the cloud,” IEEE Trans.Dependable Secure Comput., vol. 9, no. 4, pp. 556–568, Jul./Aug.2012.

[47] W. Susilo, Y. Mu, and F. Zhang, “Perfect concurrent signatureschemes,” in Proc. 6th Int. Conf. Inform. Commun. Security, Oct.2004, vol. 3269, pp. 14–26.

[48] P. P. Tsang, M. H. Au, J. K. Liu, W. Susilo, and D. S. Wong, “Asuite of non-pairing ID-based threshold ring signature schemeswith different levels of anonymity (extended abstract),” in Proc.4th Int. Conf. Provable Security, 2010, vol. 6402, pp. 166–183.

[49] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou, “Privacy-preserving public auditing for secure cloud storage,” IEEE Trans.Comput., vol. 62, no. 2, pp. 362–375, Feb. 2013.

[50] D. S. Wong, K. Fung, J. K. Liu, and V. K. Wei, “On the RS-Codeconstruction of ring signature schemes and a threshold setting ofRST,” in Proc. 5th Int. Conf. Inform. Commun. Security, 2003,vol. 2836, pp. 34–46.

[51] Y. Wu, Z. Wei, and R. H. Deng, “Attribute-based access to scalablemedia in cloud-assisted content sharing networks,” IEEE Trans.Multimedia, vol. 15, no. 4, pp. 778–788, Jun. 2013.

[52] H. Xiong, Z. Qin, and F. Li, “An anonymous sealed-bid electronicauction based on ring signature,” I. J. Netw. Secur., vol. 8, no. 3,pp. 235–242, 2009.

[53] G. Yan, D. Wen, S. Olariu, and M. Weigle, “Security challenges invehicular cloud computing,” IEEE Trans. Intell. Transp. Syst.,vol. 14, no. 1, pp. 284–294, Mar. 2013.

[54] J. Yu, R. Hao, F. Kong, X. Cheng, J. Fan, and Y. Chen, “Forward-secure identity-based signature: Security notions and con-struction,” Inform. Sci., vol. 181, no. 3, pp. 648–660, 2011.

[55] J. Yu, F. Kong, H. Zhao, X. Cheng, R. Hao, and X.-F. Guo, “Non-interactive forward-secure threshold signature without randomoracles,” J. Inform. Sci. Eng., vol. 28, no. 3, pp. 571–586, 2012.

[56] T. H. Yuen, J. K. Liu, X. Huang, M. H. Au, W. Susilo, and J. Zhou,“Forward secure attribute-based signatures,” in Proc. 14th Int.Conf. Inform. Commun. Security, 2012, vol. 7618, pp. 167–177.

[57] F. Zhang and K. Kim, “ID-based blind signature and ring signa-ture from pairings,” in Proc. 8th Int. Conf. Theory Appl. Cryptol.Inform. Security, 2002, vol. 2501, pp. 533–547.

[58] J. Zhang, “An efficient identity-based ring signature scheme andits extension,” in Proc. Int. Conf. Comput. Sci. Appl., 2007, vol. 4706,pp. 63–74.

Xinyi Huang received the PhD degree from theSchool of Computer Science and Software Engi-neering, University of Wollongong, Australia, in2009. He is currently a professor at the FujianProvincial Key Laboratory of Network Securityand Cryptology, School of Mathematics andComputer Science, Fujian Normal University,China. His research interests include cryptogra-phy and information security. He has publishedmore than 70 research papers in refereed inter-national conferences and journals. His work has

been cited more than 1,000 times at Google Scholar. He is in the edito-rial board of International Journal of Information Security (IJIS, Springer)and has served as the program/general chair or program committeemember in more than 40 international conferences.

Joseph K. Liu received the PhD degree in infor-mation engineering from the Chinese Universityof Hong Kong in July 2004, speciallizing in cryp-tographic protocols for securing wireless net-works, privacy, authentication and provablesecurity. He is currently a research scientist inthe Infocomm Security Department at the Insti-tute for Infocomm Research, Singapore. His cur-rent technical focus is particularly lightweightcryptography, wireless security, security in smartgrid system and cloud computing environment.

Shaohua Tang received the BSc and MScdegrees in applied mathematics, and the PhDdegree in communication and information systemfrom the South China University of Technology,in 1991, 1994, and 1998, respectively. He was avisiting scholar with North Carolina State Univer-sity, USA, and a visiting professor with Universityof Cincinnati, USA. He has been a full professorwith the School of Computer Science and Engi-neering, South China University of Technologysince 2004. His current research interests include

information security, networking, and information processing. He is amember of the IEEE and the IEEE Computer Society.


Yang Xiang received the PhD degree in com-puter science from Deakin University, Australia.He is currently a full professor at the School ofInformation Technology, Deakin University. He isthe director of the Network Security and Comput-ing Lab (NSCLab). His research interests includenetwork and system security, distributed sys-tems, and networking. In particular, he is cur-rently leading his team developing activedefense systems against large-scale distributednetwork attacks. He is the chief investigator of

several projects in network and system security, funded by the Austra-lian Research Council (ARC). He has published more than 130 researchpapers in many international journals and conferences, such as IEEETransactions on Computers, IEEE Transactions on Parallel and Distrib-uted Systems, IEEE Transactions on Information Security and Foren-sics, and IEEE Journal on Selected Areas in Communications. Two ofhis papers were selected as the featured articles in the April 2009 andthe July 2013 issues of IEEE Transactions on Parallel and DistributedSystems. He has published two books, Software Similarity and Classifi-cation (Springer) and Dynamic and Advanced Data Mining for Progress-ing Technological Development (IGI-Global). He has served as theprogram/general chair for many international conferences such asICA3PP 12/11, IEEE/IFIP EUC 11, IEEE TrustCom 13/11, IEEE HPCC10/09, IEEE ICPADS 08, NSS 11/10/09/08/07. He has been the PCmember for more than 60 international conferences in distributed sys-tems, networking, and security. He serves as the associate editor ofIEEE Transactions on Computers, IEEE Transactions on Parallel andDistributed Systems, Security and Communication Networks (Wiley),and the editor of Journal of Network and Computer Applications. He isthe coordinator, Asia for IEEE Computer Society Technical Committeeon Distributed Processing (TCDP). He is a senior member of the IEEE.

Kaitai Liang received the BEng degree of soft-ware engineering, and the MSc degree of com-puter applied technology from South ChinaAgricultural University, China in 2008 and 2011,respectively. He is currently working toward thePhD degree in the Department of Computer Sci-ence at the City University of Hong Kong. His pri-mary research interest is applied cryptography;in particular, cryptographic protocols, encryption/signature, RFID, and cloud security. He is alsointerested in other topics in information security,

such as network security, wireless security database security, and secu-rity in cloud computing.

Li Xu received the BS and MS degrees fromFujian Normal University, in 1992 and 2001, andthe PhD degree from the Nanjing University ofPosts and Telecommunications in 2004. He is aprofessor and a doctoral supervisor at the Schoolof Mathematics and Computer Science at FujianNormal University. He is currently the vice deanof the School of Mathematics and Computer Sci-ence and the director of the Key Lab of NetworkSecurity and Cryptography in Fujian Province.His interests include wireless networks and com-

munication, network and information security, complex networks andsystems, intelligent information in communication networks, etc. He hasbeen invited to act as a PC chair or member at more than 30 interna-tional conferences. He has published over 100 papers in refereed jour-nals and conferences. He is a member of the IEEE and ACM, and asenior member of CCF and CIE in China.

Jianying Zhou received the PhD degree in infor-mation security from the University of London in1997. He is currently a senior scientist at theInstitute for Infocomm Research and the head ofInfocomm Security Department. His researchinterests include computer and network security,mobile and wireless security. He is a co-founderand steering committee member of InternationalConference on Applied Cryptography and Net-work Security (ACNS).

" For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


cost-effective authentic and anonymous data sharing with forward

Documents