Efficient identity-based signature scheme with batch authentication for delay tolerant mobile sensor network

The Journal of China Universities of Posts and Telecommunications August 2013, 20(4): 80–86 www.sciencedirect.com/science/journal/10058885

http://jcupt.xsw.bupt.cn

Efficient identity-based signature scheme with batch authentication for delay tolerant mobile sensor network LI Wen-ji (), ZHENG Kang-feng, ZHANG Dong-mei, YE-Qing, YANG Yi-xian 1. Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, China 2. National Engineering Laboratory for Disaster Backup and Recovery, Beijing University of Posts and Telecommunications, Beijing 100876, China

Abstract Identity-based cryptography (IBC) has drawn a lot of attentions in delay tolerant environment. However, the high computational cost of IBC becomes the most critical issue in delay tolerant mobile sensor network (DTMSN) because of the limited processing power. In this paper, an efficient identify-based signature scheme with batch authentication (ISBA) is proposed for DTMSN. ISBA designs an online/offline signature with batch authentication to reduce the computational cost, and improves data delivery mechanism to increase the number of messages for each batch authentication. Simulation results show that ISBA not only realizes a lower computational cost than existed schemes, but also does not induce negative impact on the delivery performance. Keywords

IBC, DTMSN, signature, batch authentication, computational cost

1 Introduction DTMSN is an emerging sensor network which could be used in many applications of information gathering [1]. Unlike traditional networks, DTMSN is characterized by the intermittent connectivity with unpredictable mobility, low node density and resource-scarcity. Due to no end-to-end connectivity, DTMSN has to transmit data in the mode of ‘store-and-forward’. Previous researches on DTMSN mainly focus on routing issues [2–4], but security issues still have not been given enough attentions. Without any security mechanism, attacks easily generate large amount of unwanted traffic to seriously reduce the delivery performance. To filter these forged messages, message signature and authentication are critical security services for DTMSN. Most of security schemes of wireless sensor network (WSN) adopt symmetric key algorithms [5–6], but they cannot support message signature. Traditional public key system [7] is also difficult to check the validity of signature without

Received date: 15-01-2013 Corresponding author: LI Wen-ji, E-mail: [email protected] DOI: 10.1016/S1005-8885(13)60073-4

connectivity. IBC has been seen as a promising solution for securing delay tolerant network (DTN) [8]. Asokan et al. [9] analyzes the applicability of IBC in DTN, and indicates that the entity of IBC could compute all necessary authenticators even when there is no connectivity. Some identity-based online/offline signature schemes (IBOOS) are designed for sensor nodes with limited resources in WSN [10–11]. Although IBOOS has a light computational cost in the online phase, it ignores that the batch authentication is one of main methods to reduce computational cost. Several signature schemes with batch authentication (SBA) also have been proposed [12–14]. Batch bundle authentication (BBA) is the first SBA scheme for delay tolerant environment [15], but it has a significantly high computational cost. Opportunistic batch bundle authentication scheme (OBBA) still belongs to BBA [16], because it only analyzes how to efficiently generate one signature for multiple bundles. Efficient ID-based signature scheme (EIBS) points out that BBA is invalid to verify signatures with the batch authentication when these messages are signed by distinct signers [17], and gives a new approach to solve this problem, but it still

Issue 4

LI Wen-ji, et al. / Efficient identity-based signature scheme with batch authentication for…

has a high computational cost. In this paper, we propose an efficient ISBA for DTMSN. ISBA not only combines and improves IBOOS in Ref. [11] and SBA in Ref. [12] to reduce the computational cost, but also improves motive state-aware data delivery scheme (MSAD) to obtain more messages for each batch authentication [4]. Simulation results show that ISBA has a lower computational cost than pass SBA schemes, and does not induce negative impact on the delivery performance.

2 2.1

Network model and assumptions

81

2) Although many identity authentication mechanisms can detect invalid nodes, an adversary may still inject invalid packets by man-in-middle attack. Both false message and invalid signature could be injected into DTMSN. Intermediate nodes have to spend a lot computational efforts in validating these messages.

3 Proposed identity-based signature scheme with batch authentication 3.1 Identity-based online/offline signature with batch authentication

Network model

As the same to most of existed routing schemes, we consider that there are one sink node and many common nodes in DTMSN. The sink node is static and located at the center of model. The movement of each common node is based on random way-point model (RWP) [18]. all nodes have a same communication radius r. As shown from Fig. 1, the sink node is the controller of the network and collects messages from common nodes. Each common node collects its interested information, forwards messages by using MSAD routing scheme, and ultimately sends messages to the sink node in the mode of ‘store-andforward’.

The goal of online/offline signature with batch authentication is to realize online/offline signature and batch authentication at the same time. Online/offline signature has a light computational cost in the online signature phase, and batch authentication reduces computational cost by validating multiple signatures in each authentication instead of verifying them one by one. Our scheme combines and improves the online/offline signature scheme in Ref. [11] and signature scheme with batch authentication in Ref. [12]. At the phase of system setup, OSM utilizes private key generator (PKG) to generate system parameters and the secret key of each node. After network running, each source node generates one signature for each new message. When an intermediary node receives multiple messages from other nodes, it will adopt the batch authentication to validate these signatures. 1) System setup We consider that PKG is located at the sink node, which is trusted and security. Identities of the sink node and N nodes respectively are IDsink , ID1 , ID2 ,..., ID N . The sink node initializes PKG and distributes keys to nodes before the network is deployed. Given the security parameter k, PKG generates efficient bilinear parameters ( p, P, G1 , G2 , eˆ) , and eˆ is a non-degenerated, efficiently and

Fig. 1

2.2

Network model of DTMSN

Assumptions

1) Before joining the DTMSN, each common node registers to the sink node with an offline security manager (OSM), and obtains its corresponding ID-based secret key. DTMSN has the function of intrusion detection. Once a common node is captured and discloses its secret key, other nodes could obtain this information and reject messages of captured nodes.

computable bilinear map. The sink node and all nodes adopt two common collision-resistant cryptographic Hash functions: H1 :{0,1}* → ∗p , H 2 :{0,1}∗ × G2 × G1 → ∗p ; the sink node chooses a random number β ∈

∗ p

as the

master secret key, and computes Ppub ← β P as the public key of the system; then, the system parameters (G1 , G2 , eˆ, P, Ppub , H1 , H 2 ) may be published. Each common node contacts the sink node in a secure way, obtains system parameters and its private key S ID = ( H1 (ID) + β ) −1 P .

82

The Journal of China Universities of Posts and Telecommunications

2) Signature generation When the source node generates a new message, it needs to sign this message with its private key. After the message is forwarded, intermediate nodes check the validity of this message by validating its signature. Specific signing mechanism is shown as follow: a) Offline signature: given ID of the source node and its private key S ID , choose a random number a ∈ ∗p

2013

ii) Verification: if rbatch eˆ( P, P) hbatch = eˆ(θ batch S ′, H1 (ID) P + Ppub ) , accept this batch message. b) Batch authentication for Type 2: suppose the intermediate node receives messages {mi ′j ′ |1i ′k ′, 0 < j ′ < li′} with signatures {(IDi ′ , ri ′j ′ , θi ′j ′ , Si′′ ) |1i ′k ′, 1j ′li′′ } from the sender with {IDi ′ |1i ′k ′} , the

with a reasonable period, and compute a −1 . Then, choose a random number x ∈ ∗p for each message. compute

receiver can verify these signatures simultaneously by the following: i) Combination: compute {hi ′j ′ = H 2 (mi ′j ′ , ri ′j ′ , Si′′ ) |1

r = eˆ( P, P ) x , S ′ = aS ID , and output the offline signature

i ′k ′,1j ′li′′ },

δ = (r , x, a −1 , S ′) . b) Online Signature: given a message m and the offline signature δ , compute h = H 2 (m, r , S′) , θ = ( x + h) ⋅ −1

a mod p, and output the online signature σ = (ID, r , θ , S ′) . c) Verify: intermediate nodes validate the signature σ by computing h = H 2 (m, r , S′) , and accept it as a valid signature if reˆ( P, P )h = eˆ(θ S ′, H1 (ID) P + Ppub ) . 3) Batch authentication on signatures The goal of batch authentications in DTMSN is to verifying the multiple signatures simultaneously. Intermediate nodes may receive two types of batch messages, which will be summarized as follows: Type 1 A given intermediate node may receive messages which are generated by the same source node. Type 2 A given intermediate node may receive messages which are generated by multiple source nodes. In the routing scheme MADS, each intermediate node always firstly forwards its own messages. When the number of forwarding messages in each link is not larger than the number of sender’s own messages, the receiver will validate messages of Type 1. Due to sender’s own messages is limited, the number of forwarding messages in one link may be larger than the number of sender’s own messages, the receiver will validate messages of Type 2. The following shows how batch verifications of Type 1 and Type 2 are implemented: a) Batch verifications for Type 1: suppose the intermediate node receives l messages {m j |1jl} with signatures {(ID, rj , θ j , S ′) |1jl} from the sender with ID, the receiver can verify these signatures simultaneously by the following: i) Combination: compute {h j = H 2 (m j , rj , S ′) |1jl} , l

l

l

j =1

j =1

j =1

then compute rbatch = ∏ rj , θ batch = ∑ θ j , hbatch = ∑ h j .

k′

k′

then

compute

li′′

′ = ∏∏ ri ′j ′ , rbatch i ′ =1 j ′ =1

li′′

′ = ∑∑ hi ′j ′ . hbatch i ′ =1 j ′ =1

⎛ k ′ li′′ ′ ′ eˆ( P, P )hbatch = eˆ ⎜ ∑∑ ( H1 (IDi ′ ) ⋅ ii) Verification: if rbatch ⎝ i ′ =1 j ′=1 ′ li′′ k ⎛ ⎞ θi ′j ′ Si′′ ), P ) eˆ ⎜ ∑∑ (θi ′j ′ Si′′ ), Ppub ⎟ , accept this message. ⎝ i ′=1 j ′=1 ⎠ 4) Security analysis a) Correctness Individual authentication can be easily proved by straightforward calculating: eˆ(θ S ′, H1 (ID) P + Ppub ) = eˆ((( x + h)a −1 mod p)aSID , H1 (ID) P + Ppub ) = eˆ(( x + h)SID , H1 (ID) P + Ppub ) = eˆ(( x + h)( H1 (ID) + β )−1 P, H1 (ID) P + β P ) = eˆ( P, P ) x + h = reˆ( P, P )h b) Unforgeability By analyzing the existential unforgeability against adaptive chosen messages attacks (EUF-CMA), we prove that our signature scheme has the property of unforgeability. For detailed discussion on security analysis of the batch authentication, see Ref. [12]. Theorem 1 Assume that there is an adaptively chosen message and given identity attacker F making qH i′′ queries to oracles H i ′′ (i ′′ = 1, 2) and qS queries to the signing oracle has an advantage ε[10(qS + 1) ⋅ (qS + qH 2 )] 2k to produce a forgery within a time t. Then, there exists an algorithm B which is able to solve q-SDH problem [19] for q = qH1 in the expected time t ′

120 686qH1 qH 2 (t + O(qSτ P ))

where τ P

q ε ⎛⎜1 − k ⎝ 2 and τ M1

⎞ ⎟ ⎠

+ O(q 2τ M1 )

respectively denote the cost for

Issue 4

LI Wen-ji, et al. / Efficient identity-based signature scheme with batch authentication for…

83

pairing operation and a scalar multiplication in G1 .

defined value. Otherwise, B returns a random h2 ∈

Proof Firstly, we show that our scheme is able to apply the forking lemma in Ref. [20]. For a message m, the tuple σ 1 , h, σ 2 is required to meet three-phase

and inserts (m, r , S ′, h2 ) into H 2 -list .

honest-verifier zero-knowledge identification protocol. Although the actual output of our signature is the tuple r , θ , S ′ , the values σ 1 , h, σ 2 can easily be derived

H1 -list , and returns the previously computed Ti ′′′ to F.

from the output. Specifically, σ 1 = r || S ′ is the commitment of the demonstrator, h = H 2 (m, r , S′) is a

* p

Key extraction queries: if ID = ID* , B fails and stops. Otherwise, B recovers the match pair (ID, w) from Signature queries: when makes a signature query for m and ID, B randomly picks θ , h ∈ *p and S ′ ∈ G1 , computes S ′′ = θ S ′ , r = eˆ( S ′′, H1 (ID)Q + Qpub )eˆ( P , P ) − h , and backpatches to define the hash value H 2 (m, r , S′) as

hash value which is used for the verifier’s challenge and σ 2 = θ S ′ = ( x + h) SID is the response of the demonstrator which depends on σ 1 , h and S ID .

already defined). Then, B returns (r , θ , S ′) to F.

Next, we show how to apply this forking lemma, the algorithm B takes as input ( P, α P, α 2 P,..., α q P ) and

We are able to apply the forking lemma as the following: If F is an efficient forger, we can construct a Las Vegas

aims to find a pair (c, (c + α )−1 P ) . At the setup phase, it

machine F′ that uses F to produce two valid signatures

q −1

picks w1 , w2 ,..., wq −1 ∈

* p

and expands

f ( z) = ∏ ( z + i ′′′=1

q −1

wi ) = ∑ ci z i to obtain c0 ,..., cq −1 ∈ i ′′′= 0

obtained as Q =

q −1

∑c j ′′= 0

j ′′

* p

. A generator Q is

(α j ′′ P ) = f (α ) P , and the public

q

j ′′=1

1i ′′′q − 1 , the algorithm B expands fi ′′′ ( z ) = f ( z ) /( z + wi ′′′ ) = ∑ di ′′′ z , Ti ′′′ = i ′′′= 0

i ′′′

q −2

* p

(B fails in the unlikely event that H 2 (m, r , S′) is

((ID* , m* ), r1 , θ1 , S1′)

((ID* , m* ), r2 , θ 2 , S2′ )

and

with

H 2 (m , r1 , S1′) ≠ H 2 (m , r2 , S2′ ) . Note that w ≠ w1 ,..., wq −1 *

*

*

with probability at least 1 − 2− k q. B computes ( H 2 (m* , r1 , S1′) − H 2 (m* , r2 , S2′ ))−1 (θ1 S1′ − θ 2 S2′ ) = f (α )(α + w* ) −1 P,

key is fixed to Qpub = ∑ c j ′′−1 (α j ′′ P) = α f (α ) P = α Q . For q −2

h∈

∑ d j′′α P = fi′′′ (α ) P =(α + wi′′′ ) Q , j ′′

−1

j ′′= 0

and obtains the pairs ( wi ′′′ , Ti ′′′ ) . Then, F is initialized with the generator Q and Qpub .

and uses long division and writes the polynomial f as f ( z ) = ψ ( z )( z + w* ) +ψ −1 for some polynomial ψ ( z ) = q− 2

∑ψ u=0

u

z u and some ψ −1 ∈ q− 2

∑ψ

written as

u=0

u

* p

. So ( z + w* )−1 f ( z ) can be

z u + ( z + w* )−1ψ −1 , B computes

(α +

q−2 ⎛ ⎞ w* )−1 P = (1 ψ −1 ) ⎜ T * − ∑ψ uα u P ⎟ and eventually outputs u =0 ⎝ ⎠ * * −1 ( w , (α + w ) P ) as the solution of q-SDH problem.

B simulates F’s challenger and is ready to answer F’s

It finally comes that, if F succeeds in a time t with

queries in EUF-CMA game. B first initializes a counter t ′′

probability ε ⎡⎣10(qS + 1)(qS + qH 2 ) ⎤⎦ 2k , then B solves

and launches F on the input H1 (ID ) for a randomly *

chosen challenge identity ID* ∈ {0,1}* . For simplicity, we assume that H1 queries are distinct, and that any query involving an identifier ID is preceded by the random oracle query H1 (ID) . H1 w ∈ *

queries: if ID = ID* , B * p

. Otherwise, it answers

returns a random w = wt ′′ ∈

* p

the

q-SDH

{⎡⎣120 686q

problem

in

expected

t ′

time

}

qH 2 (t + O(qSτ P )) ⎤⎦ ⎡⎣ε (1 − q / 2 ) ⎤⎦ + O(q τ M1 ) , where the last term accounts for the cost of preparation phase. k

H1

2

3.2 Improve data delivery mechanism

and

increments t ′′ . In both cases, B stores (ID, w) into a list H1 -list . H 2 queries: if the value of H 2 was previously defined for the input (m, r , S′) , B returns the previously

In DTMSN, most of routing schemes need to forward multiple copies for each message into the network, so message queue of nodes is easily filled. In order to reduce the number of copies, these routing schemes do not allow nodes to receive messages when the message queue is full, and discard messages only when these messages are

84

The Journal of China Universities of Posts and Telecommunications

directly forwarded to the sink node or beyond the survival time (ST) of DTMSN. Therefore, nodes have not enough remaining buffers to efficiently realize batch authentication as traditional DTN. At the same time, the computational cost of batch authentication for Type 1 is much lower than Type 2. Each node in the routing scheme MSAD firstly forwards its own messages, so it can more easily obtain the chance of batch authentication for Type 1. To reduce the computational cost, our scheme adopts MSAD to get more chance of batch authentication for Type 1. Additionally, we set the minimum remaining space, denoted by η . The new connection can not be established until the remaining space of the receiver isn’t less than η .

2013

one message batch has a very high computational cost, so nodes directly discard all messages in this batch when the message batch contains invalid signatures. We ignore the influence of the signature overhead, because it’s insignificant when message size is enough large. All default parameters for the simulation are set as Table 1. The following results are the average from 50 independent simulations. Table 1

Simulation parameters

Parameter

Default value

Network size/( m × m )

200 × 200

Number of sensor node

100

Transmission radius/m

3

According to the simulation with default parameters in Sect. 4, the distribution probability of forwarding number for each link is shown in Fig. 2. Obviously, with η

Speed of sensor node/ (m ⋅ s −1 )

1~5

Pause time in RWP/s

0~40

Length of message queue

200

increasing, the average number of each batch authentication becomes larger, so computational cost for validating signatures will be lower.

Message generation rate/ s −1

0.02

Transmission bandwidth/ (messages ⋅ s−1 )

50

Position of sink node/(m,m)

(100,100)

4.1

Maximum delay tolerant value/s

2 000

Simulation time/s

20 000

Comparison of theoretical computational cost

Denote the computational cost by P a computation of the pairing, M 1 a scalar multiplication in G1 , E an expectations operation in G2 , H M the MapToPoint operation, A a point addition in G1 and M 2 a multiplication in G2 . According to the computational Fig. 2

4

Distribution probability of forwarding number for each link

Performance evaluation

In this section, we use the simulation tool NetLogo to simulate the MSAD routing scheme, and compare the computational cost of ISBA, BBA and EIBS. It’s worth nothing that, BBA adopts the individual authentication in the case of Type 2. Because detecting invalid signatures for Table 2

costs of cryptographic primitives primitives presented in Ref. [12], we regard M 2 as the baseline and obtain normalized computational costs of primitives: M 2 = 1, A = 2, E = 100, H M = 100, M1 = 260 and P = 1 500. The normalized computational cost of three schemes is summarized in Table 2. Obviously, ISBA makes a great improvement on computational cost, and specific simulation results are given at next section.

Comparison of computational cost

ISBA

BBA

Offline signature

1E = 100

−

−

Online signature

0

2 M 1 = 520

2 M 1 = 520

1P + 2 M 1 + 1E + 1A + 1M 2 = 2 123

2 P + 1M 1 + 1H M + 1A = 3 362

Individual authentication Authentication for Type 1 Authentication for Type 2

1P + 2M 1 + 1E + 1A + nM 2 = 2 122 + n 2 P + 2nM 1 + 1E + 2(n − 1) A + nM 2 = 3 096 + 525n

2 P + 1M 1 + 1H M + (2n − 1) A = 3 358 + 4n (2 P + 1M 1 + 1H M + 1A)n = 3 362n

EIBS

2 P + 1M 1 + 1H M + 1A = 3 362 2 P + 1M 1 + 1H M + (3n − 2) A = 3 356 + 6n ( n + 1) P + nM 1 + nH M + (2n − 1) A = 1 498 + 1 864n

Issue 4

LI Wen-ji, et al. / Efficient identity-based signature scheme with batch authentication for…

85

4.2 Performance analysis with different η We simulate MSAD routing scheme with different η , and evaluate from three performance indicators: average computational cost, delivery radio and average delay. The average computational cost per second of each node is shown in Fig. 3(a). Obviously, the computational cost significantly decreases by increasing η , and ISBA has a greater advantage on computational cost than BBA and EIBS. With η increasing, computational costs of two schemes reduce, and the gap of computational cost between two schemes becomes smaller, because the number of message authentications decreases. However, η could not increase without limited. As shown from Figs. 3(b) and 3(c), with η increasing, the delivery radio improves in the beginning and has a significant decline later, while average delay is in an accelerated increase. When we set η equal to 8, the normalized computational cost of ISBA, EIBS and BBA are respectively 128.6 , 261.2 and 428.1 , the delivery radio is 90.5% , average delay is 138.5 s which is also reasonable in delay tolerant environment. So ISBA does not induce negative impact on the delivery performance.

Fig. 3

(c) Impact on average delay Performance impact with different η

4.3 Analysis of computational cost with different radio of invalid link Duo to the man-in-middle attack, invalid signatures may be injected in certain links. We evaluate computational cost impact of three schemes under different invalid link radio. As shown from Fig. 4, ISBA has a lower computational cost than other schemes. With the radio increasing, computational costs of three schemes become larger in the beginning, because nodes spend more computational cost in validating invalid messages. Then, computational costs have a certain decline, because nodes have more remaining buffer to increase the number of messages for the batch authentication if this radio is larger. When the invalid link radio is less than 16, the growth of ISBA on computational cost is a slower than other schemes, so ISBA has a significant advantage under link attacks.

(a) Impact on average computational cost

Fig. 4 Impact on computational cost with different invalid link radio

5 Conclusions (b) Impact on delivery radio

In this paper, we have proposed an signature scheme with batch authentication for DTMSN, which can

86

The Journal of China Universities of Posts and Telecommunications

efficiently reduce the computational cost. On the one hand, our scheme simultaneously supports the online/offline signature and the batch authentication, so it has a significantly lower computational cost than other signature schemes. On the other hand, we improve data delivery mechanism based on the routing scheme MSAD, increase the number of messages for each batch authentication, and greatly reduce the computational cost. In future, our work will include identity authentication and privacy preservation in DTMSN.

9.

10.

11. 12.

Acknowledgements This work was supported by the National Natural Science

13.

Foundation of China (61070204, 61101108, 61121061), The National S&T Major Program of China (2011ZX03002-005-01).

References 1. Fall K. A delay-tolerant network architecture for challenged internets. Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication (SIGCOMM’03), Aug 25−29, 2003, Karlsruhe, Germany. New York, NY, USA: ACM, 2003: 27−34 2. Xu F L, Liu M, Gong H G, et al. Relative distance-aware data delivery scheme for delay tolerant mobile sensor networks. Journal of Software, 2010, 21(3): 490−504 (in Chinese). 3. Yang K W, Zheng K F, Yang Y X, et al. Motion state-based data delivery scheme of delay tolerant mobile sensor networks. Journal on Communications, 2011, 31(11): 138−146 (in Chinese). 4. Li W J, Zheng K F, Zhang D M, et al. Motive state-based data delivery scheme of delay tolerant mobile sensor network. Journal of Nanjing University of Science and Technology, 2012, 36(9): 150−156 (in Chinese) 5. Sanchez D S, Baldus H. A deterministic pairwise key pre-distribution scheme for mobile sensor networks. Proceedings of the 1st International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm’05), Sep 5−9, 2005, Athens Greece. Piscataway, NJ, USA: IEEE, 2005: 277−288 6. Chan H W, Perrig A, Song D. Random key predistribution schemes for sensor networks. Proceedings of the 2003 IEEE Symposium on Security and Privacy (S&P’03), May 11−14, 2003, Berkeley, CA, USA. Los Alamitos, CA, USA: IEEE Computer Society, 2003:197−213 7. Samuel H, Zhuang W. Preventing unauthorized messages in DTN based mobile Ad hoc networks. Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM’09), Nov 30−Dec 4, 2009, Honolulu, HI, USA. Piscataway, NJ, USA: IEEE, 2009: 6p 8. Boneh D, Franklin M. Identity-based encryption from the weil pairing. Advances in Cryptology: Proceedings of the 21st Annual International

14.

15.

16.

17.

18.

19.

20.

2013

Cryptology Conference (CRYPTO ’01), Aug 19−23, 2001, Santa Barbara, CA, USA. LNCS 2139. Berlin, Germany: Springer–Verlag, 2001: 213−229 Asokan N, Kostiainen K, Ginzboorg P, et al. Applicability of identity-based cryptography for disruption-tolerant networking. Proceedings of the 1st ACM/SIGMOBILE Workshop on Mobile Opportunistic Networking (MobiOpp’07), Jun 11, 2007, San Juan, Puerto Rico. New York, NY, USA: ACM, 2007: 52−56 Ming Y, Wang Y M. Improved identity based online/offline signature scheme. Proceedings of the 7th International Conference on Autonomic and Trusted Computing (UIC/ATC’10), Oct 26−29, 2010, Xi’an, China. Piscataway, NJ, USA: IEEE, 2010: 126−131 Li F, Zhong D, Takagi T. Practical identity-based signature for wireless sensor networks. Wireless Communications Letters, 2012, 1(6): 637−640 Cui S, Duan P, Chan C W. An efficient identity-based signature scheme with batch verifications. Proceeding of the 1st International Conference on Scalable Information Systems (INFOSCALE’06), May 29−Jun 1, 2006, Hong Kong, China. New York, NY, USA: ACM, 2006: 22−28 Li R P, Yu J, Li G W, et al. A new identity-based blind signature scheme with batch verifications. Proceeding of the 2007 International Conference on Multimedia and Ubiquitous Engineering (MUE’07), Apr 26−28, Seoul, Republic of Korea. Piscataway, NJ, USA: IEEE, 2007: 1051−1056 Wu T Y, Tsai T T, Tseng Y M. Revocable id-based signature scheme with batch verifications. Proceeding of the 8th International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP’12), Jul 18−20, 2012, Piraeus, UK. Piscataway, NJ, USA: IEEE, 2012: 49−54 Zhu H J, Lu R X, Shen X M, et al. BBA: an efficient batch bundle authentication scheme for delay tolerant networks. Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM’08), Nov 30−Dec 4, 2008, New Orleans, LA, USA. Piscataway, NJ, USA: IEEE, 2008: 5p Zhu H J, Lin R X, Shen X M, et al. An opportunistic batch bundle authentication scheme for energy constrained DTNs. Proceedings of the 29th Annual Joint Conference of the IEEE Computer and Communications (INFOCOM’10), Mar 14−19, 2010, San Diego, CA, USA. Piscataway, NJ, USA: IEEE, 2010: 605−613 Tseng Y M, Wu T Y, Wu J D. Toward efficient ID-based signature schemes with batch verifications from bilinear pairings. Proceedings of the 4th International Conference on Availability, Reliability and Security (ARES’09), Mar 16−19, 2009, Fukuoka, Japan. Los Alamitos, CA, USA: IEEE Computer Society, 2009: 935−940 Hyytiä E, Lassila P, Nieminen L, et al. Spatial node distribution of the random waypoint mobility model with applications. IEEE Transactions on Mobile Computing, 2006, 5(6): 680−694 Barreto P S L M, Libert B, MacCullagh N, et al. Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. Advances in Cryptology: Proceedings of the 11th International Conference on the Theory and Application of Cryptology and Information Security (Asiacrypt’05), Dec 4−8, 2005, Chennai (Madras), India. LNCS 3788. Berlin, Germany: Springer-Verlag, 2005: 515−532 Pointcheval D, Stern J. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 2000, 13(3): 361−396

(Editor: WANG Xu-ying)