454 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 12, NO.
2, FEBRUARY 2017
Efficient Hierarchical Identity-Based Signature With
Batch Verification for Automatic Dependent
Surveillance-Broadcast System
Debiao He, Neeraj Kumar, Member, IEEE, Kim-Kwang Raymond Choo, Senior Member, IEEE, and Wei Wu
Abstract— The automatic-dependent surveillance-broad-
cast (ADS-B) is generally regarded as the most important
module in air traffic surveillance technology. To obtain better
airline security, ADS-B system will be deployed in most airspace
by 2020, where aircraft will be equipped with an ADS-B device
that periodically broadcasts messages to other aircraft and
ground station controllers. Due to the open communication
environment, the ADS-B system is subject to a broad range
of attacks. To simultaneously implement both integrity and
authenticity of messages transmitted in the ADS-B system,
Yang et al. proposed a new authentication frame based on
the three-level hierarchical identity-based signature (TLHIBS)
scheme with batch verification, as well as constructing
two schemes for the ADS-B system. However, neither TLHIBS
schemes are sufficiently lightweight for practical deployment due
to the need for complex hash-to-point operation or expensive
certification management. In this paper, we construct an
efficient TLHIBS scheme with batch verification for the ADS-B
system. Our scheme does not require hash-to-point operation or
(expensive) certification management. We then prove the TLHIBS
scheme secure in the random oracle model. We also demonstrate
the practicality of the scheme using experiments, whose findings
indicate that the TLHIBS scheme supports attributes required by
the ADS-B system without the computation cost in Chow et al.’s
scheme and Yang et al.’s TLHIBS schemes.
Manuscript received March 22, 2016; revised August 15, 2016 and
September 27, 2016; accepted October 21, 2016. Date of publication
October 27, 2016; date of current version November 21, 2016. The work
of D. He was supported in part by the National Natural Science Foundation
of China under Grant 61572379, Grant 61501333, and Grant U1536204, in
part by the National High-Tech Research and Development Program of China
(863 Program) under Grant 2015AA016004, in part by the Open Fund of
State Key Laboratory of Cryptology, and in part by the Natural Science
Foundation of Hubei Province of China under Grant 2015CFB257. The work
of W. Wu was supported by the National Natural Science Foundation of
China under Grant 61472083 and Grant 61402110. The associate editor
coordinating the review of this manuscript and approving it for publication was
Dr. Sherman S.-M. Chow. (Corresponding author: Wei Wu.)
D. He is with the State Key Laboratory of Software Engineering, Computer
School, Wuhan University, Wuhan 430072, China, and also with the
State Key Laboratory of Cryptology, Beijing 100878, China (e-mail: hede-
biao@163.com).
N. Kumar is with the Department of Computer Science and Engineering,
Thapar University, Patiala 147004, India (e-mail: nehra04@yahoo.co.in).
K.-K. R. Choo is with the Department of Information Systems and Cyber
Security, The University of Texas at San Antonio, San Antonio, TX 78249,
USA, also with the School of Information Technology and Mathematical
Sciences, University of South Australia, Adelaide, SA5001, Australia, and
also with the School of Computer Science, China University of Geosciences,
Wuhan 430074, China (e-mail: raymond.choo@fulbrightmail.org).
W. Wu is with the Fujian Provincial Key Laboratory of Network Security
and Cryptology, School of Mathematics and Computer Science, Fujian Normal
University, Fuzhou 350007, China (e-mail: weiwu81@gmail.com).
Color versions of one or more of the figures in this paper are available
online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TIFS.2016.2622682
1556-6013 © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
Index Terms— Automatic dependent surveillance-broadcast,
authentication, batch verification, hierarchical identity-based
signature, provable security.
I. I NTRODUCTION
W ITH the rapid advancements in space technologies,
the air travel is becoming more accessible, and the
aviation sector is getting more competitive (e.g. in terms of
cost). There is a significant growth in air traffic in the last
few decades. For example, according to Strohmeier et al. [1],
there are reportedly 26,000 aircraft movements per day in
Europe. Efficient and effective handling of such significant
air traffic load remains an operational challenge to air traffic
controls (ATCs) around the world.
In traditional ATC technologies, radar systems are used for
communications among aircraft. There are two kinds of radars
in the system, namely, primary surveillance radars (PSRs)
and secondary surveillance radars (SSRs). PSR broadcasts
high-frequency signals and uses the reflected echoes to deter-
mine the aircraft’s position. SSR comprises a ground based
interrogator and an aircraft transponder, and based on the
transponder’s reply to the interrogator, the aircraft distance
from the ground station is determined. The reply from the
aircraft transponder also contains information such as air-
craft identity, and can be used to determine geographical
position, pressure altitude data, etc [2]. There are, however,
limitations with traditional ATC technologies. For example,
traditional ATC technologies are incapable of handling the
rapidly growing air traffic volume which also resulted in low
precision and detection accuracy required in today’s aviation
sector [3].
High profile incidents including the missing Malaysia
Airlines Flight 370 on 8 March 2014 [4], [5] have high-
lighted the importance of advanced air traffic control and
monitoring system, such as the Automatic Dependent
Surveillance-Broadcast (ADS-B) system, as well as the capa-
bility to conduct forensic examination of such systems [6].
ADS-B combines satellite-based positioning with a radio fre-
quency data-link; thus, an aircraft equipped with the ADS-B
transmitter is able to transmit information about its current
status (e.g. geographical position updates, intents and speed) to
nearby aircraft and ground stations equipped with the ADS-B
receiver periodically and automatically. A typical architecture
of the ADS-B system is shown in Fig. 1.
HE et al.: EFFICIENT HIERARCHICAL IDENTITY-BASED SIGNATURE WITH BATCH VERIFICATION
Fig. 1. A typical ADS-B system architecture.
Without the need for complex interactions with other
aircraft or ground stations, ADS-B system enjoys much better
performance and precision in comparison to traditional ATC
technologies. Accurate information transmitted from aircraft
allows ATCs to more efficiently and effectively monitor air-
craft location and path in real-time, and facilitates air traf-
fic management. Hence, aircraft and ground controllers can
make proactive scheduling decisions. The importance of the
ADS-B system is evidenced by the amount of efforts expended
in its standardization, etc by the U.S. Federal Aviation Admin-
istration (FAA), European Organisation for the Safety of
Air Navigation (EUROCONTROL), and International Civil
Aviation Organization. ADS-B systems are scheduled to be
deployed in most airspace by 2020, as part of the next
generation air transportation systems [7].
From a security perspective, we note that messages trans-
mitted in the wireless channels of the ADS-B system are not
protected cryptographically [7], [8]. Therefore, an adversary is
able to intercept, modify, inject and replay messages at will,
and carry out a range of attacks. This has also attracted the
attention of security researchers, and a number of practical
attacks against such systems using relatively inexpensive and
easily available tools (e.g. aircraft spoofing attack and ground
station flood denial attack) have been reported in recent years
(see [7], [9]–[12]). These attacks could have real-world and
fatal consequences, such as aircraft hijacking and mid-air
collision. It is, undeniably, urgent to address existing security
issues in the ADS-B system in order to secure air traffic.
Data integrity and message authenticity are two pressing
security issues that need to be addressed. Data integrity
ensures that the received messages have not been modified
during transmission, and message authenticity ensures that the
received message is indeed transmitted by the aircraft which
claimed to have done so. This prevents an adversary from
modifying or injecting messages at will to conduct attacks
such as spoofing attack and virtual trajectory modification
attack [13]. Unsurprisingly, there have been several studies
on ensuring data integrity and message authenticity in the
ADS-B system. Approaches to achieve secure authentication
Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
455
in the ADS-B system can be broadly categorized into non-
cryptographic approaches (see [14]–[16]) and cryptographic
approaches (see [17]–[19]). In this paper, we will focus on
the cryptographic approaches.
A. Related Work
Using symmetric cryptography, Valovage et al. [17]
designed a scheme to guarantee both integrity and authenticity
of messages transmitted in the ADS-B system. Independently,
Robinson et al. [18] and Kacem et al. [19] presented key man-
agement and authentication schemes for the ADS-B system
using keyed hashed message authentication code (HMAC).
However, these approaches are not practical as the same key
must be pre-loaded in all aircraft [20]. In addition, those
schemes do not guarantee other important security attributes,
such as forward secrecy and backward secrecy.
To address limitations in approaches based on
symmetric cryptography, Feng et al. [21] proposed an
authentication scheme using asymmetric cryptography, where
a public key infrastructure (PKI) is employed to manage
aircraft certifications. In a later work, Buchholz [22] proposed
an authentication scheme using dual PKI to handle certificate
revocation. However, certification management in both above
schemes [21], [22] becomes unwieldy due to the rapid
increase in the number of aircraft.
Using the identity-based signature, Baek et al. [23] pro-
posed an authentication scheme to address the certification
management limitations in existing solutions based on tra-
ditional public key infrastructure (PKI) [21], [22]. However,
the performance of Baek et al.’s scheme is far from being
satisfactory because aircraft have to verify the authenticity
of received messages one at a time. Due to the hierarchical
structure, the Hierarchical Identity-Based Signature (HIBS)
scheme is suitable for addressing security problems existing
in the ADS-B system.
A number of HIBS schemes have been proposed in the past
decade since the seminal paper of Gentry and Silverberg [24],
who introduced the concept of HIBS and presented the
first HIBS scheme. Chow et al. [25] proposed the first
HIBS scheme with a proof of security in the random oracle
model. Galindo et al. [26] proposed a generic construction
of identity-based signature schemes from PKI-based signature
schemes [27]. Using this method, we can transform any one
PKI-based hierarchical signature scheme to a HIBS scheme.
In the construction of Galindo et al., the Private Key Gener-
ator (PKG) generates a random key-pair for each user and
binds the public key to his/her identity through generating
a signature. The signature generated by the KGC will be
involved in the signature generated by the user, and the
verifier has to verify its security before verifying the user’s
signature. Thus, this results in an increased signature size and
computation cost. Hence, Galindo et al.’s generic construction
is not sufficiently efficient for real-world deployment.
For improved performance, Li et al. [28], [29] proposed
several HIBS schemes with security proofs. However, these
schemes are still not practical since the sizes of signature
and private key increase with the depth of levels. To improve
security, several HIBS schemes [30]–[33] proven secure in
456 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 12, NO. 2, FEBRUARY 2017
the standard model were presented in the last several years.
However, these schemes are not suitable for ADS-B system
deployment, as they are unable to support batch verification.
Camenisch et al. [34] proposed the first batch verifier to
support batch verification of general signature schemes. Subse-
quently, we can transform the above schemes to HIBS schemes
with batch verification.
The private keys of participants in the discussed schemes
are generated by the PKG; thus, complicating hierarchical
management of the ADS-B system. In addition, the num-
ber of some complicated operations (e.g., bilinear pairing
operation and hash-to-point operation) involved in the batch
verification increase linearly with the number of the signatures.
To address these challenges, Yang et al. [35] divided the
ADS-B system into three hierarchical levels to simplify
hierarchical management and proposed two Three-Level
Hierarchical Identity-Based Signature (TLHIBS) schemes for
the hierarchical structure.
Although both Yang et al.’s TLHIBS schemes can address
some existing limitations in existing schemes, their schemes
suffer from other weaknesses. Firstly, based on the perfor-
mance of their first TLHIBS scheme, it is not practical for
ADS-B system deployment since the number of hash-to-point
operations involved in the batch verification linearly increases
with the number of signatures. Secondly, their first TLHIBS
scheme only supports partial batch verification (i.e., the
scheme can only simultaneously verify signatures from the
same airline identity). Lastly, their second TLHIBS scheme is
not practical since it requires a certificate authority to assure
the airline/aircraft’s identities and public keys. Therefore,
neither of Yang et al.’s TLHIBS schemes can be practically
deployed in a real-world ADS-B system.
B. Our Contributions
To address weaknesses in Yang et al.’s TLHIBS schemes
and satisfy security and performance requirements from prac-
tical applications, we need to design an efficient TLHIBS
scheme for the ADS-B system. Major contributions of the
paper are summarized as follows.
• First, we summarize the network model and the security
requirements of the TLHIBS scheme for the ADS-B
system.
• Second, we propose an efficient TLHIBS scheme
and show it is provably secure and can meet sum-
marized security requirements. We also implement
the batch verification of the proposed scheme using
Camenisch et al. method [34].
• Finally, we give detailed performance analysis to show
the proposed TLHIBS scheme has a lower computation
cost than Yang et al.’s schemes.
C. The Organization of the Rest Paper
The rest of the paper is organized as follows. In Section II,
we present the notations used in this paper. In Section III,
we describe the proposed TLHIBS scheme for the ADS-B
system. In Sections IV and V, we examine the security and the
performance of the proposed TLHIBS scheme, respectively.
Finally, we conclude the paper in Section VI.
Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
II. P RELIMINARIES
A. Bilinear Pairings
Bilinear pairings have been widely applied in modern
cryptography, and in this section, we present the necessary
background information about bilinear pairings to understand
the proposed scheme.
Let e : G 1 × G 1 → G 2 be a rational function, where
G 1 and G 2 are two groups with a prime order q. Let P and
g denote the generators of G 1 and G 2 , respectively. e is called
a bilinear pairing if it can satisfy the following attributes:
• Bilinearity: For elements S, T ∈ G 1 and a, b ∈ Z q∗ , we
have the equation e(a · S, b · T ) = e(S, T )a·b .
• Nondegeneracy: At one element T ∈ G 1 such that
e(P, P) = 1G 2 holds.
• Computability: For any two elements S, T ∈ G 1 , we can
calculate e(S, T ) efficiently.
It is known that there is no polynomial-time algorithm to
solve the following problems, which form the basis of our
scheme.
• Discrete Logarithm (DL) Problem: For an element
X ∈ G 1 , the DL problem is computing x ∈ Z q∗ to make
the equation X = x · P holds.
• Computational Diffie-Hellman (CDH) Problem: For
two elements a· P, b· P ∈ G 1 with two unknown elements
a, b ∈ Z q∗ , the CDH problem is computing (a·b)· P ∈ G 1 .
B. Definition of the TLHIBS Scheme
The TLHIBS scheme for the ADS-B system consists of six
algorithms, namely: Setup, E xtr act AL , E xtr act AC , Sign,
V eri f y, and BV eri f y.
• Setup: This algorithm takes a security parameter k as
input to produce the master private key mpk and the
system parameters par ams.
• E xtr act AL : This algorithm takes an airline AL’s iden-
tity I D AL , the master private key msk and the system
parameters par ams as inputs to produce AL’s private
key pr k AL .
• E xtr act AC : This algorithm takes an aircraft AC’s iden-
tity I D AC , AL’s private key pr k AL and the system
parameters par ams as inputs to produce AC’s private
key pr k AC .
• Sign: This algorithm takes a message m, AC’s private
key pr k AC and the system parameters par ams as inputs
to produce a digital signature σ .
• V eri f y: This algorithm takes a message m, a digital sig-
nature σ , AC’s identity I D AC and the system parameters
par ams as inputs to verify if σ is legitimate.
• BV eri f y: This algorithm takes a group of messages
{m 1 , · · · , m n }, a group of digital signatures {σ1 , · · · , σn },
a group of identities {I D AC1 , · · · , I D ACn } and the sys-
tem parameters par ams as inputs to simultaneously
verify if {σ1 , · · · , σn } are legitimate.
C. ADS-B system network infrastructure
In the underlying network infrastructure (similar to
Yang et al.’s approach [35]), the root private key generator
HE et al.: EFFICIENT HIERARCHICAL IDENTITY-BASED SIGNATURE WITH BATCH VERIFICATION
Fig. 2. ADS-B system network infrastructure.
R P K G, an airline AL i and an aircraft ACi, j are regarded as
the first level L − 0, the second level L − 1 and the third level
L − 2, respectively (see Fig. 2).
The authentication process is as follows.
1). R P K G executes Setup algorithm and outputs its master
private key msk, and system parameters par ams. R P K G then
keeps msk secret and publishes par ams.
2). Each AL i registers with R P K G by sending its identity
I D AL i to R P K G. Then, R P K G executes E xtr act AL to
generate AL i ’s private key pr k AL i which is returned to AL i .
AL i keeps the received private key secret.
3). Each ACi, j registers with AL i by sending its identity
I D ACi, j to AL i . Then, AL i executes E xtr act AC to generate
ACi, j ’S private key pr k ACi, j which is returned to ACi, j . ACi, j
keeps the received private key secret.
4). Prior to sending a message m i , ACi, j executes Sign to
output a digital signature σi and broadcasts {I D ACi, j , m i , σi }
to nearby aircraft and ground stations.
5). Upon receiving multiple messages {I D ACi, j , m i , σi }, the
receiver equipped with an ADS-B receiver executes BV eri f y
to verify data integrity and message authenticity of received
messages.
D. Design Goals
A TLHIBS scheme for the ADS-B system should satisfy
the following security attributes and features [20]–[23].
1) No Certification Management: The complexity and cost
of certification management increase with number of the par-
ticipants. In addition, it is necessary to verify the authenticity
of the certification prior to use. To ensure better performance
and availability in the ADS-B system, certification manage-
ment should not be avoided in the design of a TLHIBS scheme.
2) No Hash-to-Point Operation: Implementing secure hash-
to-point operation is complex and expensive, and consequently,
degrades the performance of the ADS-B system. Thus, hash-
to-point operation should be avoided in a TLHIBS scheme for
the ADS-B system.
3) Full Batch Verification: It is not practical for the receiver
to verify the authenticity of the received messages one at
a time; thus, full batch verification in a TLHIBS scheme is
an essential feature (i.e. a verifier can check the authenticity
of multiple messages from aircraft from different airlines
simultaneously).
Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
457
4) Scalability: It is challenging to manage the ADS-B
system due to the rapid increase in the number of aircraft using
a rigid three hierarchical levels. Thus, the hierarchical level
in the ADS-B system needs to be dynamic (e.g. hierarchical
levels can be easily scaled up or down depending on demands).
5) Provable Security: Without the rigor of a security proof,
system implementers (and users) cannot be assured of the
security (claims) of the system. It is, thus, common practice
during the design of cryptographic scheme that the security of
the scheme is demonstrated using a widely accepted security
model [26]. In other words, a TLHIBS scheme needs to be
proved secure in a security model.
III. T HE P ROPOSED TLHIBS S CHEME
In this section, we present the proposed TLHIBS scheme,
which comprises six algorithms, namely: Setup, E xtr act AL ,
E xtr act AC , Sign, V eri f y and BV eri f y.
A. Setup
This algorithm is executed by the root key generation
center (RK GC) to produce system parameters and master
private key, and the process is as follows:
1). RK GC randomly picks a large prime integer q and
chooses two groups G 1 , G 2 with the order q.
2). RK GC randomly picks two generators P, Q of G 1 and
chooses a bilinear pairing e : G 1 × G 1 → G 2 .
3). RK GC randomly picks an element s ∈ Z q∗ and
computes Ppub = s · P.
4). RK GC chooses three cryptographic hash functions
h i : {0, 1}∗ → Z q∗ (i = 1, 2, 3), publishes par ams =
{q, G 1 , G 2 , e, P, Q, Ppub , h 1 , h 2 , h 3 }, and keeps s secret.
B. E xtr act AL
This algorithm is executed by RK GC to produce the private
key of an airline AL, and the process is as follows:
1). AL sends its identity I D AL to K GC.
2). RK GC randomly produces r AL ∈ Z q∗ and com-
putes R AL = r AL · P, α AL = h 1 (I D AL , R AL ) and
S AL = (r AL + α AL · s) · Q.
3). RK GC sends {R AL , S AL } to AL securely.
C. E xtr act AC
This algorithm is executed by AL to produce the private key
of an aircraft AC in its system, and the process is as follows:
1). AC sends its identity I D AC to AL.
2). AL randomly produces r AC ∈ Z q∗ and computes
R AC = r AC · P, α AC = h 2 (I D AL , R AL , I D AC , R AC ) and
S AC = S AL + α AC · r AC · Q.
3). AL sends {I D AL , R AL , I D AC , R AC , S AC } to AC
securely.
D. Sign
This algorithm is executed by AC to produce a digital
signature of the message m, and the process is as follows:
1). AC randomly produces rm ∈ Z q∗ and computes
Rm = rm · P, αm = h 3 (m, I D AL , R AL , I D AC , R AC , Rm ) and
Sm = S AC + αm · rm · Q.
2). AC outputs σ = {R AL , R AC , Rm , Sm } as a digital
signature of m.
458 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 12, NO. 2, FEBRUARY 2017

E. V eri f y following equations.

This algorithm is executed by a verifier to 
n 
n

determine the authenticity of a digital signature e( δi · Sm i , P) = e( δi · (S ACi + αm i · rm i · Q), P)

σ = {R AL , R AC , Rm , Sm } of the message m, and i=1 i=1

the process is as follows: 1). The verifier computes 

n
= e( δi · (S AL i + α ACi · r ACi · Q
α AL = h 1 (I D AL , R AL ), α AC = h 2 (I D AL , R AL , I D AC , R AC )
i=1
and αm = h 3 (m, I D AL , R AL , I D AC , R AC , Rm ).
+αm i · rm i · Q), P)
2). The verifier checks if e(Sm , P) and e(R AL +α AL · Ppub +
α AC · R AC + αm · Rm , Q) are equal. 
n
= e( δi · ((r AL i + α AL i · s) · Q
3). If they are equal, the verifier confirms the legitimacy of i=1
the message and outputs 1; otherwise, the verifier rejects the + α ACi · r ACi · Q + αm i · rm i · Q), P)
message and outputs 0.

n
Since Ppub = s· P, R AL = r AL · P, S AL = (r AL +α AL ·s)· Q, = e( δi · (r AL i + α AL i · s + α ACi · r ACi
R AC = r AC · P, S AC = S AL + α AC · r AC · Q, Rm = rm · P and i=1
Sm = S AC + αm · rm · Q, we arrive at the following equations. + αm i · rm i ) · Q, P)

n
e(Sm , P) = e(S AC + αm · rm · Q, P) = e( δi · (r AL i + α AL i · s + α ACi · r ACi
= e(S AL + α AC · r AC · Q + αm · rm · Q, P) i=1

= e((r AL + α AL · s) · Q + α AC · r AC · Q + αm i · rm i ) · P, Q)

n
+ αm · rm · Q, P) = e( δi · (r AL i · P + α AL i · s · P
= e((r AL + α AL · s + α AC · r AC + αm · rm ) · Q, P) i=1
= e((r AL + α AL · s + α AC · r AC + αm · rm ) · P, Q) + α ACi · r ACi · P + αm i · rm i · P), Q)
= e(r AL · P + α AL · s · P + α AC · r AC · P 
n
= e( δi · (R AL i + α AL i · Ppub
+ αm · rm · P, Q) i=1
= e(R AL + α AL · Ppub + α AC · R AC + αm · Rm , Q) + α ACi · R ACi + αm i · Rm i ), Q)
(1) 
n n
= e(( δi · α AL i ) · Ppub + (δi · R AL i
i=1 i=1
Therefore, the correctness of the V er f i y algorithm is
+ δi · α ACi · R ACi + δi · αm i · Rm i ), Q)
demonstrated.
(2)
Therefore, the correctness of the BV er f i y algorithm is
F. BV eri f y
demonstrated.
To improve performance, the proposed TLHIBS scheme Note: We assume a verifier to be honest. In other words,
supports batch verification. Suppose that a group of signatures the verifier faithfully executes the instructions in the BV er f i y
σi = {R AL i , R ACi , Rm i , Sm i }ni=1 about messages {m i }ni=1 , algorithm. As pointed out by one of the reviewers, in the case
were {I D AL i }ni=1 and {I D ACi }ni=1 are the airline identities and of a malicious verifier, the latter can choose for instances
the aircraft identities, respectively. Like Yang et al. [35] did, δi = 1, resulting in BV er f i y vulnerable from the false
we also implement the batch verification using Camenisch et acceptance problem described in [36].
al. method [34]. The batch verification of the group signatures
is executed as follows: IV. S ECURITY A NALYSIS
1). For i = 1, · · · , n, the verifier computes α AL i = We describe the security model before demonstrating the
h 1 (I D AL i , R AL i ), α ACi = h 2 (I D AL i , R AL i , I D ACi , R ACi ) security of the proposed TLHIBS scheme.
and αm i = h 3 (m i , I D AL i , R AL i , I D ACi , R ACi , Rm i ).
2). The verifier randomly picks a group of numbers A. Security Model
{δ1 , δ2 · · · , δn } with lb bits, where lb is a small number We adapt the security model for signature schemes [37] to
(e.g., 80). n n prove the security of the proposed scheme. Existential unforge-
n checks if e( i=1 δi ·Sm i , P) and e(( i=1 δi ·
3). The verifier ability against selective identity and chosen message attack
α AL i )· Ppub + i=1 (δi · R AL i +δi ·α ACi · R ACi +δi ·αm i · Rm i ), Q) are formally defined through a game between an adversary A
are equal. and a challenger C . There are three phases in this game, as
4). If they are equal, then the verifier determines that these described below:
messages are legitimate and outputs 1; otherwise, the verifier Setup Phase. In this phase, A selects a target airline
rejects the messages and outputs 0. identity I D ∗AL and aircraft identity I D ∗AC , and sends them
Since Ppub = s · P, R AL i = r AL i · P, S AL i = (s + α AL i · to C . C executes Setup to produce the master private key
r AL i ) · Q, R AC = r AC · P, S AC = S AL + α AC · r AC · Q, mpk and system parameters par ams, and returns par ams
Rm = rm · P and Sm i = S ACi + αm i · rm i · Q, we arrive at the to A .

Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
HE et al.: EFFICIENT HIERARCHICAL IDENTITY-BASED SIGNATURE WITH BATCH VERIFICATION
Query Phase. In this phase, A adaptively issues H AS H
query, Cr eate AL query, Cr eate AC query, Corr upt AL query,
Corr upt AC query and Signi ng query. C ’s responses to the
respective queries are presented below:
• H AS H query: When receiving a message m, C randomly
picks an element r ∈ Z q∗ , stores (m, r ) in the list L H AS H ,
and returns r to A .
• Cr eate AL query: When receiving AL’s identity I D AL , C
executes E xtr act AL to produce AL’s private key pr k AL ,
and stores (I D AL , pr k AL ) in the list L AL .
• Cr eate AC query: When receiving AC’s identity I D AC ,
C executes E xtr act AC to produce AC’s private key
pr k AC , and stores (I D AC , pr k AC ) in the list L AC .
• Corr upt AL query: When receiving AL’s identity I D AL ,
C returns AL’s private key pr k AL to A .
• Corr upt AC query: When receiving AC’s identity I D AC ,
C returns AC’s private key pr k AC to A .
• Signi ng query: When receiving AC’s identity I D AC and
a message m, C returns m’s digital signature σ to A .
Output Phase. In this phase, A forges a digital signature
σ ∗ of a message m ∗ corresponding to AL ∗ ’s identity I D AL ∗
and AC ∗ ’s identity I D AC ∗ .
We say that A wins in the above game if all the following
conditions hold.
1). σ ∗ is valid (i.e. V eri f y(m ∗ , I D AL ∗ , I D AC ∗ , σ ∗ ) = 1).
2). A has not made a Corr upt AL query with AL ∗ ’s identity
I D AL ∗ .
3). A has not made a Corr upt AC query with AC ∗ ’s identity
I D AC ∗ .
4). A has not made a Signi ng query with
(m ∗ , I D AL ∗ , I D AC ∗ ).
Definition 2: We say a TLHIBS scheme for the ADS-B
system is existential unforgeable against selective identity and
chosen message attack, if and only if, no polynomial-time
adversary A is able to win the above game with a non-
negligible advantage.
B. Security Proof
In this section, we demonstrate that the proposed TLHIBS
scheme is secure under the above security model.
Theorem 1: The proposed TLHIBS scheme for the
ADS-B system is provably secure in the random oracle model,
assuming that the underlying CDH problem is hard.
Proof: If the adversary A is able to win the game presented
in Section IV-A with a non-negligible advantage , then
we can construct a challenger C to solve the underlying
CDH-problem.
Given an instance (P, a · P, b · P) of the CDH-problem,
the task of C is to compute a · b · P. C sets Ppub ← a ·
P, Q ← b · P and sends the system parameters par ams =
{q, G 1 , G 2 , e, P, Ppub , h 1 , h 2 , h 3 } to A . C randomly picks an
airline AL ∗ ’s identity I D AL ∗ and an aircraft AC ∗ ’s identity
I D AC ∗ as challenge identities, and answers A ’s queries as
follows.
• h 1 (I D AL , R AL ): C maintains a list L h 1 which has
been initialized to empty. C checks if a tuple
(I D AL , R AL , α AL ) exists in L h 1 . If it exists, C returns
Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
459
α AL to A ; otherwise, C randomly selects a number α AL ,
inserts (I D AL , R AL , α AL ) and returns α AL to A .
• h 2 (I D AL , R AL , I D AC , R AC ): C maintains a list L h 2
which has been initialized to empty. C checks if a tuple
(I D AL , R AL , I D AC , R AC , α AC ) exists in L h 2 . If it exists,
C returns α AC to A ; otherwise, C randomly selects a
number α AC , inserts (I D AL , R AL , I D AC , R AC , α AC ) and
returns α AC to A .
• h 3 (m, I D AL , R AL , I D AC , R AC , Rm ): C maintains a list
L h 3 which has been initialized to empty. C checks
if a tuple (m, I D AL , R AL , I D AC , R AC , Rm , αm ) exists
in L h 3 . If it exists, C returns αm to A ; oth-
erwise, C randomly selects a number αm , inserts
(m, I D AL , R AL , I D AC , R AC , αm ) and returns αm to A .
• Cr eate AL (I D AL ): C maintains a list L AL which
has been initialized to empty. C checks if a tuple
(I D AL , r AL , R AL , S AL ) exists in L AL . If it exists, C
returns R AL to A ; otherwise C performs the follows
steps:
– If I D AL = I D AL ∗ , C randomly picks two elements
r AL , α AL ∈ Z q∗ , computes R AL = r AL · P and
sets S AL ←⊥. C stores (I D AL , r AL , R AL , S AL ) and
(I D AL , R AL , α AL ) in L AL and L h 1 , respectively.
Finally, C returns R AL to A .
– Otherwise (I D AL = I D AL ∗ ),C randomly picks two
elements r AL , α AL ∈ Z q∗ and computes R AL =
r AL · P − α AL · Ppub , S AL = r AL · Q. C stores
(I D AL , r AL , R AL , S AL ) and (I D AL , R AL , α AL ) in
L AL and L h 1 , respectively. Finally, C returns R AL
to A .
• Cr eate AC (I D AL , I D AC ): C maintains a list L AC which
has been initialized to empty. C checks if a tuple
(I D AL , I D AC , r AC , R AC , S AC ) exists in L AC . If it exists,
C returns R AC to A ; otherwise C performs the follows
steps.
– If I D AL = I D AL ∗ , C looks up L AL for the
tuple (I D AL , r AL , R AL , S AL ). C randomly picks
two elements r AC , α AC ∈ Z q∗ and computes
R AC = r AC · P, S AC = S AL + α AC · r AC ·
Q. C stores (I D AL , I D AC , r AC , R AC , S AC ) and
(I D AL , R AL , I D AC , R AC , α AC ) in L AC and L h 2 ,
respectively. Finally, C returns R AC to A .
– Otherwise (I D AL = I D AL ∗ ), C looks up L AL
for the tuple (I D AL , r AL , R AL , S AL ) and checks if
I D AC and I D ∗AC are equal.
∗ If they are equal,C randomly picks two
elements r AC , α AC ∈ Z q∗ and computes
R AC = r AC · P and sets S AC ←⊥.
C stores (I D AL , I D AC , r AC , R AC , S AC ) and
(I D AL , R AL , I D AC , R AC , α AC ) in L AC and L h 2 ,
respectively. Finally, C returns R AC to A .
∗ Otherwise (I D AC = I D ∗AC ), C randomly
picks two elements r AC , α AC ∈ Z q∗ and computes
R AC = α −1AC ·(r AC · P −α AL · Ppub − R AL ), S AC =
r AC · Q. C stores (I D AL , I D AC , r AC , R AC , S AC )
and (I D AL , R AL , I D AC , R AC , α AC ) in L AC
and L h 2 , respectively. Finally, C returns
R AC to A .
460 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 12, NO. 2, FEBRUARY 2017
• Corr upt AL (I D AL ): C looks up L AL for the tuple
(I D AL , r AL , R AL , S AL ) and sends (R AL , S AL ) to A .
• Corr upt AC (I D AC ): C looks up L AC for the tuple
(I D AL , I D AC , r AC , R AC , S AC ) and sends (R AC , S AC )
to A .
• Signi ng(m, I D AC ): C checks if I D AC = I D AC ∗ holds
and performs the following:
– If it holds,C randomly picks two elements rm , αm ∈
Z q∗ and computes Rm = αm −1 · (r · P − α
m AL ·
Ppub − R AL − α AC · R AC ), Sm = rm · Q. C
stores (m, I D AL , R AL , I D AC , R AC , Rm , αm ) in L h 3
and outputs σ = {R AL , R AC , Rm , Sm } as a digital
signature of m.
– Otherwise (I D AC = I D AC ∗ ), C randomly pro-
duces rm , αm ∈ Z q∗ and computes Rm =
rm · P, Sm = S AC + αm · rm · Q. C stores
(m, I D AL , R AL , I D AC , R AC , Rm , αm ) in L h 3 and
outputs σ = {R AL , R AC , Rm , Sm } as a digital sig-
nature of m.
Finally, A outputs a digital signature σ =
{R AL , R AC , Rm , Sm } of the message m corresponding
to I D AL and I D AC . If I D AL = I D ∗AL or I D AC = I D ∗AC ,
C aborts the game. Thus, we have
e(Sm , P) = e(R AL + α AL · Ppub + α AC · R AC
+ αm · Rm , Q).
According to [37, Lemma 8], we know that A can output
another valid signature σ  = {R AL , R AC , Rm , Sm } with the
probability η ≥ 19 by choosing another random oracle h 1 ,
which has the same probability distribution as h 1 . Therefore,
we have
e(Sm , P) = e(R AL + α AL · Ppub + α AC · R AC
+ αm · Rm , Q).
From Equations (3) and (4), we obtain:
e(Sm − Sm , P) = e(R AL + α AL · Ppub + α AC · R AC
+ αm · Rm − (R AL + α AL · Ppub
+ α AC · R AC + αm · Rm ), Q)
= e(α AL · Ppub − α AL · Ppub , Q)
= e((α AL − α AL ) · a · P, b · P)
= e((α AL − α AL ) · a · b · P, P)
C outputs (α AL − α AL )−1 · (Sm − Sm ) as the solution to the
given CDH-problem. According to the above simulation, we
know that the probability of C solving the CDH-problem is
related to the following events:
• E 1 : I D AL and I D ∗AL are equal.
• E 2 : I D AC and I D ∗AC are equal.
• E 3 : A is able to forge two legitimate digital signatures.
Let qh 1 and qh 2 respectively denote the numbers of h 1
queries and h 2 queries made in the above game; thus, we
obtain Pr [E 1 ] = q1h , Pr [E 2 |E 1 ] ≥ q1h and Pr [E 3 |E 1 ∧
1 2
E2 ] ≥ 1
9 · . Therefore, the probability that C solves the
Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
CDH-problem is
Pr [E 1 ∧ E 2 ∧ E 3 ]
= Pr [E 3 |E 1 ∧ E 2 ]Pr [E 2 |E 1 ]Pr [E 1 ]
1 1 1
≥ · ·
9 qh 1 qh 2

= (6)
9 · qh 1 · qh 2
Because  is non-negligible and qh 1 and qh 2 are polynomial-
bounded, we conclude that C is able to solve the
CDH-problem with a non-negligible probability 9·qh  ·qh . Due
1 2
to the hardness of the CDH-problem, we know that the
proposed TLHIBS scheme for the ADS-B system is secure
in the random oracle model.
Similar to the approach in Camenisch et al. [34], we arrive at
the following theorem to demonstrate that the proposed batch
verification algorithm is secure. Due to page limitations, we
will omit the full details of the proof.
Theorem 2: The proposed batch verification algorithm is a
batch verifier for our TLHIBS scheme for the ADS-B system,
and is secure in the random oracle model, assuming that the
underlying CDH problem is intractable.
V. E VALUATIONS
(3) We now demonstrate that the scheme satisfies the
design goals introduced in Section II-D and analyze its
performance.
A. Attributes and Features
1) No Certification Management: In the proposed TLHIBS
scheme, the verifier only needs the airline AL’s identity I D AL
and the aircraft AC’s identity I D AC to verify the legitimacy
of a digital signature. Therefore, certification management is
(4) not required in the scheme.
2) No Hash-to-Point Operation: It is clear that only general
hash functions h 1 , h 2 and h 3 are used in the proposed TLHIBS
scheme, thus, avoiding the need for complex and expensive
hash-to-point operations in Sign or V eri f y.
3) Full Bath Verification: To verify the legitimacy of a
group of signatures σi = {R AL i , R ACi , Rm i , Sm i }ni=1 from a
group of aircraft {ACi }ni=1 registered with different airlines
{AL i }ni=1 one by one, the verifier needs to carry out 2×n bilin-
ear pairing operations, 3 × n point multiplication operations,
(5) 3×n point addition operations, and 3×n general hash functions
operations. If BV eri f y is used, the verifier only needs to carry
out 2 bilinear pairing operations, 2 ×n +1 point multiplication
operations, 3×n−2 point addition operations, and 3×n general
hash functions operations. Therefore, BV eri f y significantly
reduces the computation cost and the proposed scheme is able
to support full bath verification.
4) Scalability: In both E xtr at AL and E xtr act AC algo-
rithms of the proposed schemes, entity at any hierarchical
level can extract the private keys of the next level using
the same method. Therefore, the hierarchical level in the
proposed TLHIBS scheme could be easily scaled up or down,
as required.
HE et al.: EFFICIENT HIERARCHICAL IDENTITY-BASED SIGNATURE WITH BATCH VERIFICATION
TABLE I
C OMPARATIVE S UMMARY: ATTRIBUTES AND F EATURES
5) Provable Security: According to Theorem 1, we know
that the proposed TLHIBS scheme is secure in the random
oracle model assuming the intractability of the underlying
CDH problem.
A comparative summary is presented in Table I, where
AT T −1, AT T −2, AT T −3, AT T −4 and AT T −5 denote no
certification management, no hash-to-point operation, full bath
verification, scalability and provable security, respectively.
It can be observed from Table I that both Yang et al.’s
TLHIBS schemes do not support no hash-to-point operation
and scalability. In addition, Yang et al.’s first scheme does
not support full bath batch verification, and their second
scheme for the ADS-B system does not support no certification
management. In contrast, the proposed scheme supports all
the necessary attributes and features. Therefore, the proposed
TLHIBS scheme is more suitable for ADS-B deployment.
B. Computation Costs
We now analyze the computation and communication costs
of the proposed TLHIBS scheme. To ensure a fair comparison,
we adjust Chow et al.’s scheme [25] to the ADS-B system
by transforming the scheme to a TLHIBS scheme with batch
verification using Camenisch et al.’s method [34]. After the
“transformation”, we then compare computation and commu-
nication costs of the four TLHIBS schemes.
To ensure a baseline security level (i.e. 1024-bits RSA
algorithm), we use the Ate pairing e : G 1 × G 1 → G 2 in
our experiments, where G 1 with order q is generated by a
point on a super singular elliptic curve E(Fp ) : y 2 = x 3 + 1
defined on the finite field Fp , q is a 160-bits prime number,
and p is a 512-bits prime number. The following notations are
used to denote runtime for the respective operations:
• Tbp : The runtime of executing a bilinear paring operation
e : G1 × G1 → G2.
• Tmt p : The runtime of executing a map-to-point hash
function H : {0, 1}∗ → G 1 .
• T pm : The runtime of executing a point multiplication
operation r · R, where the size of r is 160 bits and R ∈ G 1 .
• Tmpm : The runtime of executing a multiple point multi-
plication operation r · R + s · S + t · T , where the sizes
of r, s, t are 160 bits and R, S, T ∈ G 1 .
• Tspm : The runtime of executing a short point multiplica-
tion operation r · R, where the size of r is 80 bits and
R ∈ G1.
• T pa : The runtime of executing a point addition operation
R + S, where R, S ∈ G 1 .
• Tex p : The runtime of executing an exponentiation opera-
tion gr , where g ∈ G 2 and the size of r is 160 bits.
Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
461
• Tmul : The runtime of executing a multiplication operation
g1 · g2 , where g1 , g2 ∈ G 2 .
• Th : The runtime of executing a general hash operation
h : {0, 1}∗ → Z q∗ .
We then implement the above operations on a personal
computer (Lenovo with an Intel I5-3470 3.20GHz processor,
4G bytes memory and the Window 7 operating system) using
the MIRACL library [38]. The respective runtime is listed
in Table II.
To generate an airline AL’s private key, the root private
key center R P K C in Chow et al.’s scheme needs to exe-
cute one hash-to-point operation one point addition operation
and two point multiplication operation. Therefore, R P K C’s
runtime is Tmt p + T pa + 2 × T pm = 9.773 + 0.022 + 2 ×
3.740 = 17.275 ms. To generate an aircraft AC’s private
key, R P K C in Chow et al.’s scheme needs to execute one
hash-to-point operation one point addition operation and two
point multiplication operation. Therefore, R P K C’s runtime
is Tmt p + T pa + 2 × T pm = 9.773 + 0.022 + 2 × 3.740 =
17.275 ms. To generate a digital signature, AC in Chow et al.’s
scheme needs to execute four point multiplication operations
and one general hash function operation. Therefore, AC ’s
runtime is 4 × Tsm + Th = 4 × 3.740 + 0.053 = 15.013 ms.
To verify the legitimacy of a digital signature, the verifier in
Chow et al.’s scheme needs to execute four bilinear pairing
operations, three point multiplication operation, three point
addition operation and one general hash function operation.
Therefore, the verifier’s runtime is 4 × Tbp + 3 × T pm +
3 × T pa + Th = 4 × 11.515 + 3 × 3.740 + 3 × 0.022 +
0.053 = 57.399 ms. To verify the legitimacy of a group of
signatures σi = {R AL , R ACi , Rm i , Sm i }ni=1 from aircraft ACi
registered with the same airline simultaneously, the verifier
in Chow et al.’s scheme needs to execute four bilinear pairing
operations, n hash-to-point operations, 4n short point multipli-
cation operations, n multiple point multiplication operations,
three exponentiation operations and n general hash function
operations. Therefore, the verifier’s runtime is 4 × Tbp + n ×
Tmt p +4n ×Tspm +n ×Tmpm +3×Tex p +n ×Th = 4×11.515+
n × 9.773 + 4n × 2.089 + n × 5.735 + 3 × 0.591 + n × 0.053 =
23.917n + 47.833 ms.
To generate an airline AL’s private key, R P K C in
Yang et al.’s first TLHIBS scheme needs to execute one
hash-to-point operation and one point multiplication operation.
Therefore, R P K C’s runtime is Tmt p +T pm = 9.773+3.740 =
13.513 ms. To generate an aircraft AC’s private key, AL in
Yang et al.’s first TLHIBS scheme needs to execute two hash-
to-point operations, two multiplication addition operations
and one point addition operation. Therefore, AL’s runtime is
2 × Tmt p + 2 × T pm + T pa = 2 × 9.773 + 2 × 13.405 +
0.022 = 27.048 ms. To generate a digital signature, AC in
Yang et al.’s first TLHIBS scheme needs to execute two point
multiplication operations, one point addition operation and one
general hash function operation. Therefore, AC ’s runtime is
2 × Tsm + T pa + Th = 2 × 3.740 + 0.022 + 0.053 = 7.555 ms.
To verify the legitimacy of a digital signature, the verifier
in Yang et al.’s first TLHIBS scheme needs to execute five
bilinear pairing operations, two hash-to-point operations, one
point multiplication operation, one point addition operation
462 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 12, NO. 2, FEBRUARY 2017
TABLE II
RUNTIME OF R ELATED O PERATIONS ( IN M ILLISECOND )
TABLE III
C OMPARATIVE S UMMARY: C OMPUTATION C OSTS ( IN M ILLISECOND )
and one general hash function operation. Therefore, the ver-
ifier’s runtime is 5 × Tbp + 2 × Tmt p + T pm + T pa + Th =
5 × 11.515 + 2 × 9.773 + 3.740 + 0.022 + 0.053 = 80.936 ms.
To verify the legitimacy of a group of signatures σi =
{R AL , R ACi , Rm i , Sm i }ni=1 from aircraft ACi registered with
the same airline simultaneously, the verifier in Yang et al.’s
first TLHIBS scheme needs to execute five bilinear pairing
operations, 2n hash-to-point operations, n point multiplication
operations in G 1 , 3 short point multiplication operations in
G 1 , 6n − 5 point addition operations in G 1 and n general
hash function operations. Therefore, the verifier’s runtime is
5 × Tbp + 2n × Tmt p + n × T pm + 3n × Tspm + (6n − 5) ×
T pa + n × Th = 5 × 11.515 + 2n × 9.773 + n × 3.740 + 3n ×
2.089 + (6n − 5) × 0.022 + n × 0.053 = 29.738n + 57.465 ms.
To generate an airline AL’s private key, R P K C in
Yang et al.’s second TLHIBS scheme needs to execute one
hash-to-point operation and one point multiplication operation.
Therefore, R P K C’s runtime is Tmt p +T pm = 9.773+3.740 =
13.513 ms. To generate an aircraft AC’s private key, AL
in Yang et al.’s second TLHIBS scheme needs to execute
two hash-to-point operations, two multiplication addition oper-
ations and one point addition operation. Therefore, AL’s
runtime is 2 × Tmt p + 3 × T pm + T pa = 2 × 9.773 + 3 × 3.740 +
0.022 = 30.788 ms. To generate a digital signature, AC in
Yang et al.’s second TLHIBS scheme needs to execute two
point multiplication operations, one point addition operation
and one general hash function operation. Therefore, AC ’s
runtime is 2 × Tsm + T pa + Th = 2 × 3.740 + 0.022 + 0.053 =
7.555 ms. To verify the legitimacy of a digital signature, the
verifier in Yang et al.’s second TLHIBS scheme needs to
execute three bilinear pairing operations, one point multipli-
cation operation, one point addition operation and one general
hash function operation. Therefore, the verifier’s runtime is
3 × Tbp + T pm + T pa + Th = 3 × 11.515 + 3.740 + 0.022 +
0.053 = 38.360 ms. To verify the legitimacy of a group of
signatures σi = {R AL , R ACi , Rm i , Sm i }ni=1 from aircraft ACi
registered with different airlines simultaneously, the verifier in
Yang et al.’s second TLHIBS scheme needs to execute three
bilinear pairing operations, n point multiplication operations
in G 1 , 3n short point multiplication operations, 4n − 3 point
addition operations and n general hash function operations.
Therefore, the verifier’s runtime is 3 × Tbp + n × T pm + 3n ×
Tspm +(4n −3)× T pa +n × Th = 3×11.515+n ×3.740 +3n ×
2.089 + (4n − 3) × 0.022 + n × 0.053 = 10.148n + 34.479 ms.
Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
Note: We did not consider the runtime for verifying the
authenticity of the aircraft’s certification in the above analysis.
Otherwise, the runtime of Yang et al.’s second scheme
would be similar to that of Yang et al.’s first scheme.
To generate an airline AL’s private key, R P K C in the
proposed TLHIBS scheme needs to execute two point multi-
plication operations and one general hash function operation.
Therefore, R P K C’s runtime is 2 × T pm + Th = 2 × 3.740 +
0.053 = 7.533 ms. To generate an aircraft AC’s private key,
AL in The proposed TLHIBS scheme needs to execute two
multiplication multiplication operations, one point addition
operation and one general hash function operation. Therefore,
AL’s runtime is 2 × T pm + T pa + Th = 2 × 3.740 + 0.022 +
0.053 = 7.555 ms. To generate a digital signature, AC
needs to execute two multiplication multiplication operations,
one point addition operation and one general hash function
operation. Therefore, AC ’s runtime is 2 × T pm + T pa + Th =
2 × 3.740 + 0.022 + 0.053 = 7.555 ms. To verify the
legitimacy of a digital signature, the verifier in the proposed
scheme needs to execute two bilinear pairing operations, three
point multiplication operations, three point addition operations
and three general hash functions operations. Therefore, the
verifier’s runtime is 2 × Tbp + 3 × T pm + 3 × T pa + 3 × Th =
2 × 11.515 + 3 × 3.740 + 3 × 0.022 + 3 × 0.053 = 34.475
ms. To verify the legitimacy of a group of signatures σi =
{R AL , R ACi , Rm i , Sm i }ni=1 from aircraft ACi registered with
different airlines simultaneously, the verifier in the proposed
scheme needs to execute 2 bilinear pairing operations, one
point multiplication operation, n small point multiplication
operations, n multiple point multiplication, n + 1 point addi-
tion operations and 3 × n general hash functions operations.
Therefore, the verifier’s runtime is 2 × Tbp + T pm + n × Tspm +
n×Tmpm +n×T pa +3n×Th = 2×11.515+3.740+n×2.089+
n × 5.735 + n × 0.022 + 3n × 0.053 = 8.005n + 26.77 ms.
We compare the computation costs of our proposed TLHIBS
scheme with those of Chow et al.’s scheme and Yang et al.’s
two TLHIBS schemes (see Table III), and those of the
BV eri f y algorithm in these schemes (see Fig. 3). It is clear
that the proposed TLHIBS scheme has a lower computa-
tion cost than Chow et al.’s scheme and Yang et al.’s two
TLHIBS schemes in the E xtr act AL , E xtr act AC , V eri f y
and BV eri f y algorithms. In addition, the proposed TLHIBS
scheme and both Yang et al.’s TLHIBS schemes have the same
computation costs in the Sign algorithm. In the E xtr act AL
HE et al.: EFFICIENT HIERARCHICAL IDENTITY-BASED SIGNATURE WITH BATCH VERIFICATION
Fig. 3. Computation costs of the B V eri f y algorithm.
TABLE IV
C OMPARATIVE S UMMARY: C OMMUNICATION C OSTS ( IN B IT )
algorithm, our proposed TLHIBS scheme has a 56.39, a 44.25
and a 44.25 percent improved performance over those of
Yang et al.’s scheme, Yang et al.’s first TLHIBS scheme and
Yang et al.’s second TLHIBS scheme, respectively. In the
E xtr act AC algorithm, our proposed TLHIBS scheme enjoys a
56.26, a 72.07 and a 75.46 over those of Yang et al.’s scheme,
Yang et al.’s first scheme and Yang et al.’s second scheme,
respectively. In the Sign algorithm, our proposed TLHIBS
scheme and both Yang et al.’s TLHIBS schemes have a 49.67
percent improvement over that of Chow et al.’s scheme. It is
clear that our scheme outperforms Chow et al.’s scheme and
both Yang et al.’s schemes.
C. Communication Costs
We now analyze the communication cost of the proposed
TLHIBS scheme and compare its performance with those of
Chow et al.’s scheme [25] scheme and both Yang et al.’s
schemes [35].
According to the above analysis, we know that the size
of p is 512 bits. Therefore, the size of an element in G 1
is 512+512=1024 bits. The signature generated by Chow
et al.’s scheme is {x, y1 , y2 , z}, where x, y1 , y2 , z ∈ G 1 .
Therefore, the communication cost of Chow et al.’s scheme
is 1024 × 4 = 4096 bits. The signature generated by either
of Yang et al.’s schemes is {U, V, P, R}, where U, V, P, R ∈
G 1 . Therefore, the communication cost of both Yang et al.’s
schemes is 1024 × 4 = 4096 bits. The signature gener-
ated by our proposed scheme is {R AL , R AC , Rm , Sm }, where
R AL , R AC , Rm , Sm ∈ G 1 . Therefore, the communication cost
Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
463
of our proposed schemes is 1024 × 4 = 4096 bits. As shown
in Table IV, Chow et al.’s scheme, both Yang et al.’s schemes
and our proposed scheme have the same communication costs.
VI. C ONCLUSION
In this paper, we presented an efficient Three-Level Hierar-
chical Identity-Based Signature (TLHIBS) scheme designed
for ADS-B system. We demonstrated that our scheme has
the necessary attributes and features without compromising on
performance. Specifically, our comparative summary indicated
that our scheme outperforms Chow et al.’s scheme and both
Yang et al.’s schemes [35]. We also proved the security
of the scheme assuming the intractability of the underlying
CDH problem. The strong security and lightweight compu-
tation design suggest that the scheme is suitable for ADS-B
deployment.
Future work will include evaluating the proposed scheme
in a real-world environment, with the aims of evaluating and
refining the scheme. We also observed that aircraft in the
schemes proposed in this paper and by Yang et al. [35]
required the sending of identities in plaintext. This could
be exploited by an adversary, resulting in the leakage of
user’s privacy. Future work will include extending the scheme
to provide anonymity (anonymous TLHIBS scheme for the
ADS-B system).
R EFERENCES
[1] M. Strohmeier, M. Schafer, V. Lenders, and I. Martinovic, “Realities
and challenges of nextgen air traffic management: The case of ADS-B,”
IEEE Commun. Mag., vol. 52, no. 5, pp. 111–118, May 2014.
[2] Agenda Item 3: Overview of Primary and Secondary Surveillance
Radars, Int. Civil Aviation Organization, Montreal, QC, Canada, 2011.
[3] Minimum Aviation System Performance Standards for Automatic Depen-
dent Surveillance Broadcast (ADS-S), Radio Tech. Commiss. Aeronau-
tics, 2002.
[4] N. Scientis. (2014). Data Transmission System on MH370 Deliberately
Disabled. [Online]. Available: https://www.newscientist.com/article/
dn25232-data-transmission-system-on-mh370-deliberatelydisabled/#.
U0LbO61dWdA
[5] (2015). Radio Spectrum Allocated for Global Flight Tracking.
[Online]. Available: http://www.itu.int/net/pressoffice/press releases/
2015/51.aspx#.VuyTVHoQgaJ
[6] D. Mink, A. Yasinsac, K.-K. R. Choo, and W. Glisson, “Next generation
aircraft architecture and digital forensic,” in Proc. 22nd Amer. Conf. Inf.
Syst. (AMCIS), 2016, pp. 1–10.
[7] M. Strohmeier, V. Lenders, and I. Martinovic, “On the security of the
automatic dependent surveillance-broadcast protocol,” IEEE Commun.
Surv. Tuts., vol. 17, no. 2, pp. 1066–1087, 2nd Quart. 2015.
[8] C. Rekkas and M. Rees, “Towards ADS-B implementation in europe,”
in Proc. Tyrrhenian Int. Workshop Digit. Commun.-Enhanced Surveill.
Aircraft Veh. (TIWDC/ESAV), Sep. 2008, pp. 1–4.
[9] A. Costin and A. Francillon, Ghost in the Air (Traffic): On Insecurity of
ADS-B Protocol and Practical Attacks on ADS-B Devices. San Francisc,
CA, USA: Black Hat USA, 2012, pp. 1–12.
[10] D. McCallie, J. Butts, and R. Mills, “Security analysis of the ADS-B
implementation in the next generation air transportation system,” Int. J.
Critical Infrastructure Protection, vol. 4, no. 2, pp. 78–87, 2011.
[11] L. Purton, H. Abbass, and S. Alam, “Identification of ADS-B system
vulnerabilities and threats,” in Proc. Austral. Transp. Res. Forum,
Canberra, Australia, 2010, pp. 1–16.
[12] K. Sampigethaya, “Visualization & assessment of ADS-B security
for green ATM,” in Proc. IEEE/AIAA 29th Digital Avionics Syst.
Conf. (DASC), Oct. 2010, pp. 3.A.3-1–3.A.3-16.
[13] M. Schäfer, V. Lenders, and I. Martinovic, “Experimental analysis
of attacks on next generation air traffic communication,” in Applied
Cryptography and Network Security. Berlin, Germany: Springer, 2013,
pp. 253–271.
464 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 12, NO. 2, FEBRUARY 2017
[14] B. Danev, D. Zanetti, and S. Capkun, “On physical-layer identification
of wireless devices,” ACM Comput. Surv. (CSUR), vol. 45, no. 1, 2012,
Art. no. 6.
[15] I. A. Mantilla-Gaviria, M. Leonardi, G. Galati, and
J. V. Balbastre-Tejedor, “Localization algorithms for multilateration
(MLAT) systems in airport surface surveillance,” Signal, Image Video
Process., vol. 9, no. 7, pp. 1549–1558, 2015.
[16] M. Strohmeier, V. Lenders, and I. Martinovic, “Lightweight location
verification in air traffic surveillance networks,” in Proc. 1st ACM
Workshop Cyber-Phys. Syst. Secur., 2015, pp. 49–60.
[17] K. Samuelson, E. Valovage, and D. Hall, “Enhanced ADS-B research,”
in Proc. IEEE Aerospace Conf., Mar. 2006, pp. 1–7.
[18] R. V. Robinson, K. Sampigethaya, M. Li, S. Lintelman, R. Poovendran,
and D. von Oheimb, “Secure network-enabled commercial airplane
operations: It support infrastructure challenges,” in Proc. First CEAS
Eur. Air Space Conf. Century Perspect., 2007, pp. 1–10.
[19] T. Kacem, D. Wijesekera, and P. Costa, “Integrity and authenticity of
ADS-B broadcasts,” in Proc. IEEE Aerosp. Conf., Mar. 2015, pp. 1–8.
[20] K. Sampigethaya, R. Poovendran, S. Shetty, T. Davis, and
C. Royalty, “Future E-enabled aircraft communications and security:
The next 20 years and beyond,” Proc. IEEE, vol. 99, no. 11,
pp. 2040–2055, Nov. 2011.
[21] Z. Feng, W. Pan, and Y. Wang, “A data authentication solution of
ADS-B system based on ×. 509 certificate,” in Proc. 27th Int. Congr.
Aeronautical Sci, (ICAS), 2010, pp. 1–6.
[22] A. K. Buchholz, “DPP: Dual path PKI for secure aircraft data commu-
nication,” Ph.D. dissertation, Dept. Comput. Sci. Appl., Falls Church,
VA, USA, 2013.
[23] J. Baek, Y.-J. Byon, E. Hableel, and M. Al-Qutayri, “An authentica-
tion framework for automatic dependent surveillance-broadcast based
on online/offline identity-based signature,” in Proc. Eighth Int. Conf.
P2P, Parallel, Grid, Cloud Internet Comput. (3PGCIC), Oct. 2013,
pp. 358–363.
[24] C. Gentry and A. Silverberg, “Hierarchical ID-based cryptography,” in
Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur., 2002, pp. 548–566.
[25] S. S. M. Chow, L. C. Hui, S. M. Yiu, and K. Chow, “Secure hierarchical
identity based signature and its application,” in Proc. Int. Conf. Inf.
Commun. Secur., 2004, pp. 480–494.
[26] D. Galindo, J. Herranz, and E. Kiltz, “On the generic construction of
identity-based signatures with additional properties,” in Proc. Int. Conf.
Theory Appl. Cryptol. Inf. Secur., 2006, pp. 178–193.
[27] B. Waters, “Efficient identity-based encryption without random oracles,”
in Proc. Annu. Int. Conf. Theory Appl. Cryptograph. Techn., 2005,
pp. 114–127.
[28] J. Li, F. Zhang, and Y. Wang, “A new hierarchical ID-based cryptosys-
tem and CCA-secure PKE,” in Proc. Int. Conf. Embedded Ubiquitous
Comput., 2006, pp. 362–371.
[29] J. Li, F.-G. Zhang, and Y.-M. Wang, “Two efficient hierarchical identity
based signature schemes,” Dianzi Xuebao (Acta Electronica Sinica),
vol. 35, no. 1, pp. 150–152, 2007.
[30] X. Hu, S. Huang, and F. Xun, “Practical hierarchical identity based
encryption scheme without random oracles,” IEICE Trans. Fundam.
Electron., Commun. Comput. Sci., vol. E92-A, no. 6, pp. 1494–1499,
2009.
[31] L. Zhang, Y. Hu, and Q. Wu, “New construction of short hierarchical
ID-based signature in the standard model,” Fundam. Inf., vol. 90,
nos. 1–2, pp. 191–201, 2009.
[32] L.-Y. Zhang, Y.-P. Hu, and W. Qing, “Adaptively secure hierarchical
identity-based signature in the standard model,” The J. China Univ. Posts
Telecommun., vol. 17, no. 6, pp. 95–100, 2010.
[33] P. Chen, J. Su, B. Zhao, X. Wang, and I. You, “An escrow-free
online/offline HIBS scheme for privacy protection of people-centric
sensing,” Secur. Communi. Netw., vol. 9, no. 14, pp. 2302–2312, 2016,
doi: 10.1002/sec.1492.
[34] J. Camenisch, S. Hohenberger, and M. ∅. Pedersen, “Batch verification
of short signatures,” in Proc. Annu. Int. Conf. Theory Appl. Cryptograph.
Techn., 2007, pp. 246–263.
[35] A. Yang, X. Tan, J. Baek, and D. Wong, “A new ADS-B authentica-
tion framework based on efficient hierarchical identity-based signature
with batch verification,” IEEE Trans. Serv. Comput., to be published.
doi: 10.1109/TSC.2015.2459709.
[36] J. K. Liu, T. H. Yuen, M. H. Au, and W. Susilo, “Improvements on
an authentication scheme for vehicular sensor networks,” Expert Syst.
Appl., vol. 41, no. 5, pp. 2559–2564, 2014.
Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
[37] D. Pointcheval and J. Stern, “Security arguments for digital signatures
and blind signatures,” J. Cryptol., vol. 13, no. 3, pp. 361–396, 2000.
[38] S. S. Ltd. (2011). Miracl Library. [Online]. Available: http://
www.shamus.ie/index.php?page=home,
Debiao He received the Ph.D. degree in applied
mathematics from the School of Mathematics and
Statistics, Wuhan University, in 2009. He is currently
an Associate Professor with the State Key Lab
of Software Engineering, Computer School, Wuhan
University. His main research interests include cryp-
tography and information security, in particular,
cryptographic protocols.
Neeraj Kumar (M’16) received the PhD degree in
CSE from Shri Mata Vaishno Devi University, Katra
(J&K), India. He was a postdoctoral research fellow
with Coventry University, Coventry, United King-
dom. He is working as an associate professor in the
Department of Computer Science and Engineering,
Thapar University, Patiala, Punjab, India. He has
published more than 150 technical research papers
in leading journals and conferences from IEEE,
Elsevier, Springer, John Wiley etc. Some of his
research findings are published in top cited journals
such as the IEEE Transactions on Industrial Electronics, the IEEE Transactions
on Dependable and Secure Computing, the IEEE Transactions on Information
Forensics and Security, the IEEE Transactions on Consumer Electronics, the
IEEE Network, the IEEE Com, IEEE WC, the IEEE Internet of Things
Journal, the IEEE Systems Journal, the Future Generation Computer Systems,
the Journal of Network and Computer Applications, and the Computer
Communications. He has guided many research scholars leading to PhD and
ME/MTech. His research is supported by funding from DST, TCS, CSIR, and
UGC. He is a member of he IEEE.
Kim-Kwang Raymond Choo (SM’15) received
the Ph.D. degree in information security from the
Queensland University of Technology, Australia, in
2006. He currently holds the Cloud Technology
Endowed Professorship at The University of Texas at
San Antonio, and is an Associate Professor with the
University of South Australia, and a Guest Professor
with the China University of Geosciences, Wuhan.
He is a Fellow of the Australian Computer Society.
He is a recipient of various awards including the
ESORICS 2015 Best Paper Award, the Winning
Team of the Germany’s University of Erlangen-Nuremberg (FAU) Digital
Forensics Research Challenge 2015, the 2014 Highly Commended Award
by the Australia New Zealand Policing Advisory Agency, the Fulbright
Scholarship in 2009, the 2008 Australia Day Achievement Medallion, and
the British Computer Society’s Wilkes Award in 2008.
Wei Wu received the Ph.D. degree from the School
of Computer Science and Software Engineering,
University of Wollongong, Australia, in 2011. She
is currently an Associate Professor with the Fujian
Provincial Key Laboratory of Network Security
and Cryptology, School of Mathematics and Com-
puter Science, Fujian Normal University, China. Her
research focus is on public key cryptography and
its applications. She has authored over 40 papers in
refereed international journals and conferences.