Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
HE et al.: EFFICIENT HIERARCHICAL IDENTITY-BASED SIGNATURE WITH BATCH VERIFICATION 455
Fig. 1. A typical ADS-B system architecture.

Without the need for complex interactions with other aircraft or ground stations, the ADS-B system enjoys much better performance and precision in comparison to traditional ATC technologies. Accurate information transmitted from aircraft allows ATCs to monitor aircraft location and path in real time more efficiently and effectively, and facilitates air traffic management. Hence, aircraft and ground controllers can make proactive scheduling decisions. The importance of the ADS-B system is evidenced by the amount of effort expended in its standardization by the U.S. Federal Aviation Administration (FAA), the European Organisation for the Safety of Air Navigation (EUROCONTROL), and the International Civil Aviation Organization. ADS-B systems are scheduled to be deployed in most airspace by 2020, as part of the next generation air transportation systems [7].

From a security perspective, we note that messages transmitted in the wireless channels of the ADS-B system are not protected cryptographically [7], [8]. Therefore, an adversary is able to intercept, modify, inject and replay messages at will, and carry out a range of attacks. This has also attracted the attention of security researchers, and a number of practical attacks against such systems using relatively inexpensive and easily available tools (e.g., aircraft spoofing attack and ground station flood denial attack) have been reported in recent years (see [7], [9]–[12]). These attacks could have real-world and fatal consequences, such as aircraft hijacking and mid-air collision. It is, undeniably, urgent to address existing security issues in the ADS-B system in order to secure air traffic.

Data integrity and message authenticity are two pressing security issues that need to be addressed. Data integrity ensures that the received messages have not been modified during transmission, and message authenticity ensures that the received message was indeed transmitted by the aircraft which claims to have sent it. This prevents an adversary from modifying or injecting messages at will to conduct attacks such as the spoofing attack and the virtual trajectory modification attack [13]. Unsurprisingly, there have been several studies on ensuring data integrity and message authenticity in the ADS-B system. Approaches to achieve secure authentication

A. Related Work

Using symmetric cryptography, Valovage et al. [17] designed a scheme to guarantee both integrity and authenticity of messages transmitted in the ADS-B system. Independently, Robinson et al. [18] and Kacem et al. [19] presented key management and authentication schemes for the ADS-B system using the keyed hash message authentication code (HMAC). However, these approaches are not practical, as the same key must be pre-loaded in all aircraft [20]. In addition, those schemes do not guarantee other important security attributes, such as forward secrecy and backward secrecy.

To address limitations in approaches based on symmetric cryptography, Feng et al. [21] proposed an authentication scheme using asymmetric cryptography, where a public key infrastructure (PKI) is employed to manage aircraft certificates. In a later work, Buchholz [22] proposed an authentication scheme using dual PKI to handle certificate revocation. However, certificate management in both of the above schemes [21], [22] becomes unwieldy due to the rapid increase in the number of aircraft.

Using the identity-based signature, Baek et al. [23] proposed an authentication scheme to address the certificate management limitations in existing solutions based on traditional PKI [21], [22]. However, the performance of Baek et al.'s scheme is far from satisfactory because aircraft have to verify the authenticity of received messages one at a time. Due to its hierarchical structure, the Hierarchical Identity-Based Signature (HIBS) scheme is suitable for addressing the security problems existing in the ADS-B system.

A number of HIBS schemes have been proposed in the past decade since the seminal paper of Gentry and Silverberg [24], who introduced the concept of HIBS and presented the first HIBS scheme. Chow et al. [25] proposed the first HIBS scheme with a proof of security in the random oracle model. Galindo et al. [26] proposed a generic construction of identity-based signature schemes from PKI-based signature schemes [27]. Using this method, we can transform any PKI-based hierarchical signature scheme into a HIBS scheme. In the construction of Galindo et al., the Private Key Generator (PKG) generates a random key pair for each user and binds the public key to his/her identity by generating a signature. The signature generated by the KGC is embedded in the signature generated by the user, and the verifier has to verify it before verifying the user's signature. Thus, this results in an increased signature size and computation cost. Hence, Galindo et al.'s generic construction is not sufficiently efficient for real-world deployment.

For improved performance, Li et al. [28], [29] proposed several HIBS schemes with security proofs. However, these schemes are still not practical since the sizes of the signature and the private key increase with the depth of the hierarchy. To improve security, several HIBS schemes [30]–[33] proven secure in
456 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 12, NO. 2, FEBRUARY 2017
the standard model were presented in the last several years. However, these schemes are not suitable for ADS-B system deployment, as they are unable to support batch verification. Camenisch et al. [34] proposed the first batch verifier to support batch verification of general signature schemes. Subsequently, we can transform the above schemes to HIBS schemes with batch verification.

The private keys of participants in the discussed schemes are generated by the PKG, thus complicating the hierarchical management of the ADS-B system. In addition, the number of some complicated operations (e.g., bilinear pairing operations and hash-to-point operations) involved in the batch verification increases linearly with the number of signatures. To address these challenges, Yang et al. [35] divided the ADS-B system into three hierarchical levels to simplify hierarchical management and proposed two Three-Level Hierarchical Identity-Based Signature (TLHIBS) schemes for the hierarchical structure.

Although both of Yang et al.'s TLHIBS schemes address some limitations of existing schemes, they suffer from other weaknesses. Firstly, based on the performance of their first TLHIBS scheme, it is not practical for ADS-B system deployment since the number of hash-to-point operations involved in the batch verification increases linearly with the number of signatures. Secondly, their first TLHIBS scheme only supports partial batch verification (i.e., the scheme can only simultaneously verify signatures from the same airline identity). Lastly, their second TLHIBS scheme is not practical since it requires a certificate authority to assure the airline/aircraft's identities and public keys. Therefore, neither of Yang et al.'s TLHIBS schemes can be practically deployed in a real-world ADS-B system.

B. Our Contributions

To address the weaknesses in Yang et al.'s TLHIBS schemes and satisfy the security and performance requirements of practical applications, we need to design an efficient TLHIBS scheme for the ADS-B system. The major contributions of the paper are summarized as follows.
• First, we summarize the network model and the security requirements of the TLHIBS scheme for the ADS-B system.
• Second, we propose an efficient TLHIBS scheme and show that it is provably secure and meets the summarized security requirements. We also implement the batch verification of the proposed scheme using Camenisch et al.'s method [34].
• Finally, we give a detailed performance analysis to show that the proposed TLHIBS scheme has a lower computation cost than Yang et al.'s schemes.

C. The Organization of the Rest of the Paper

The rest of the paper is organized as follows. In Section II, we present the notations used in this paper. In Section III, we describe the proposed TLHIBS scheme for the ADS-B system. In Sections IV and V, we examine the security and the performance of the proposed TLHIBS scheme, respectively. Finally, we conclude the paper in Section VI.

II. PRELIMINARIES

A. Bilinear Pairings

Bilinear pairings have been widely applied in modern cryptography, and in this section we present the background on bilinear pairings necessary to understand the proposed scheme.

Let $e : G_1 \times G_1 \to G_2$ be a rational function, where $G_1$ and $G_2$ are two groups of prime order $q$. Let $P$ and $g$ denote the generators of $G_1$ and $G_2$, respectively. $e$ is called a bilinear pairing if it satisfies the following attributes:
• Bilinearity: For elements $S, T \in G_1$ and $a, b \in Z_q^*$, we have $e(a \cdot S, b \cdot T) = e(S, T)^{a \cdot b}$.
• Nondegeneracy: $e(P, P) \neq 1_{G_2}$ for the generator $P$, i.e., $e$ does not map every pair of elements to the identity of $G_2$.
• Computability: For any two elements $S, T \in G_1$, $e(S, T)$ can be calculated efficiently.

It is known that there is no polynomial-time algorithm to solve the following problems, which form the basis of our scheme.
• Discrete Logarithm (DL) Problem: For an element $X \in G_1$, the DL problem is to compute $x \in Z_q^*$ such that $X = x \cdot P$ holds.
• Computational Diffie-Hellman (CDH) Problem: For two elements $a \cdot P, b \cdot P \in G_1$ with two unknown elements $a, b \in Z_q^*$, the CDH problem is to compute $(a \cdot b) \cdot P \in G_1$.

B. Definition of the TLHIBS Scheme

The TLHIBS scheme for the ADS-B system consists of six algorithms, namely Setup, ExtractAL, ExtractAC, Sign, Verify, and BVerify.
• Setup: This algorithm takes a security parameter $k$ as input and produces the master private key $mpk$ and the system parameters $params$.
• ExtractAL: This algorithm takes an airline AL's identity $ID_{AL}$, the master private key $msk$ and the system parameters $params$ as inputs and produces AL's private key $prk_{AL}$.
• ExtractAC: This algorithm takes an aircraft AC's identity $ID_{AC}$, AL's private key $prk_{AL}$ and the system parameters $params$ as inputs and produces AC's private key $prk_{AC}$.
• Sign: This algorithm takes a message $m$, AC's private key $prk_{AC}$ and the system parameters $params$ as inputs and produces a digital signature $\sigma$.
• Verify: This algorithm takes a message $m$, a digital signature $\sigma$, AC's identity $ID_{AC}$ and the system parameters $params$ as inputs and verifies whether $\sigma$ is legitimate.
• BVerify: This algorithm takes a group of messages $\{m_1, \cdots, m_n\}$, a group of digital signatures $\{\sigma_1, \cdots, \sigma_n\}$, a group of identities $\{ID_{AC_1}, \cdots, ID_{AC_n}\}$ and the system parameters $params$ as inputs and simultaneously verifies whether $\{\sigma_1, \cdots, \sigma_n\}$ are legitimate.

C. ADS-B System Network Infrastructure

In the underlying network infrastructure (similar to Yang et al.'s approach [35]), the root private key generator
$$
\begin{aligned}
&= e\big((r_{AL} + \alpha_{AL} \cdot s) \cdot Q + \alpha_{AC} \cdot r_{AC} \cdot Q + \alpha_m \cdot r_m \cdot Q,\; P\big)\\
&= e\big((r_{AL} + \alpha_{AL} \cdot s + \alpha_{AC} \cdot r_{AC} + \alpha_m \cdot r_m) \cdot Q,\; P\big)\\
&= e\big((r_{AL} + \alpha_{AL} \cdot s + \alpha_{AC} \cdot r_{AC} + \alpha_m \cdot r_m) \cdot P,\; Q\big)\\
&= e\big(r_{AL} \cdot P + \alpha_{AL} \cdot s \cdot P + \alpha_{AC} \cdot r_{AC} \cdot P + \alpha_m \cdot r_m \cdot P,\; Q\big)\\
&= e\big(R_{AL} + \alpha_{AL} \cdot P_{pub} + \alpha_{AC} \cdot R_{AC} + \alpha_m \cdot R_m,\; Q\big) \qquad (1)
\end{aligned}
$$

Therefore, the correctness of the Verify algorithm is demonstrated.

F. BVerify

To improve performance, the proposed TLHIBS scheme supports batch verification. Suppose that a group of signatures $\sigma_i = \{R_{AL_i}, R_{AC_i}, R_{m_i}, S_{m_i}\}_{i=1}^{n}$ about messages $\{m_i\}_{i=1}^{n}$ is given, where $\{ID_{AL_i}\}_{i=1}^{n}$ and $\{ID_{AC_i}\}_{i=1}^{n}$ are the airline identities and the aircraft identities, respectively. Like Yang et al. [35], we also implement the batch verification using Camenisch et al.'s method [34]. The batch verification of the group of signatures is executed as follows:

1). For $i = 1, \cdots, n$, the verifier computes $\alpha_{AL_i} = h_1(ID_{AL_i}, R_{AL_i})$, $\alpha_{AC_i} = h_2(ID_{AL_i}, R_{AL_i}, ID_{AC_i}, R_{AC_i})$ and $\alpha_{m_i} = h_3(m_i, ID_{AL_i}, R_{AL_i}, ID_{AC_i}, R_{AC_i}, R_{m_i})$.
2). The verifier randomly picks a group of numbers $\{\delta_1, \delta_2, \cdots, \delta_n\}$ with $l_b$ bits, where $l_b$ is a small number (e.g., 80).
3). The verifier checks whether $e\big(\sum_{i=1}^{n} \delta_i \cdot S_{m_i},\; P\big)$ and $e\big((\sum_{i=1}^{n} \delta_i \cdot \alpha_{AL_i}) \cdot P_{pub} + \sum_{i=1}^{n} (\delta_i \cdot R_{AL_i} + \delta_i \cdot \alpha_{AC_i} \cdot R_{AC_i} + \delta_i \cdot \alpha_{m_i} \cdot R_{m_i}),\; Q\big)$ are equal.
4). If they are equal, then the verifier determines that these messages are legitimate and outputs 1; otherwise, the verifier rejects the messages and outputs 0.

Since $P_{pub} = s \cdot P$, $R_{AL_i} = r_{AL_i} \cdot P$, $S_{AL_i} = (r_{AL_i} + \alpha_{AL_i} \cdot s) \cdot Q$, $R_{AC_i} = r_{AC_i} \cdot P$, $S_{AC_i} = S_{AL_i} + \alpha_{AC_i} \cdot r_{AC_i} \cdot Q$, $R_{m_i} = r_{m_i} \cdot P$ and $S_{m_i} = S_{AC_i} + \alpha_{m_i} \cdot r_{m_i} \cdot Q$, we arrive at the

$$
\begin{aligned}
\cdots &= e\Big(\sum_{i=1}^{n} \delta_i \cdot (r_{AL_i} + \alpha_{AL_i} \cdot s + \alpha_{AC_i} \cdot r_{AC_i} + \alpha_{m_i} \cdot r_{m_i}) \cdot P,\; Q\Big)\\
&= e\Big(\sum_{i=1}^{n} \delta_i \cdot (r_{AL_i} \cdot P + \alpha_{AL_i} \cdot s \cdot P + \alpha_{AC_i} \cdot r_{AC_i} \cdot P + \alpha_{m_i} \cdot r_{m_i} \cdot P),\; Q\Big)\\
&= e\Big(\sum_{i=1}^{n} \delta_i \cdot (R_{AL_i} + \alpha_{AL_i} \cdot P_{pub} + \alpha_{AC_i} \cdot R_{AC_i} + \alpha_{m_i} \cdot R_{m_i}),\; Q\Big)\\
&= e\Big(\big(\sum_{i=1}^{n} \delta_i \cdot \alpha_{AL_i}\big) \cdot P_{pub} + \sum_{i=1}^{n} (\delta_i \cdot R_{AL_i} + \delta_i \cdot \alpha_{AC_i} \cdot R_{AC_i} + \delta_i \cdot \alpha_{m_i} \cdot R_{m_i}),\; Q\Big) \qquad (2)
\end{aligned}
$$

Therefore, the correctness of the BVerify algorithm is demonstrated.

Note: We assume the verifier to be honest; in other words, the verifier faithfully executes the instructions of the BVerify algorithm. As pointed out by one of the reviewers, in the case of a malicious verifier, the latter can choose, for instance, $\delta_i = 1$, making BVerify vulnerable to the false acceptance problem described in [36].

IV. SECURITY ANALYSIS

We describe the security model before demonstrating the security of the proposed TLHIBS scheme.

A. Security Model

We adapt the security model for signature schemes [37] to prove the security of the proposed scheme. Existential unforgeability against selective identity and chosen message attack is formally defined through a game between an adversary A and a challenger C. There are three phases in this game, as described below:

Setup Phase. In this phase, A selects a target airline identity $ID_{AL^*}$ and aircraft identity $ID_{AC^*}$, and sends them to C. C executes Setup to produce the master private key $mpk$ and system parameters $params$, and returns $params$ to A.
Query Phase. In this phase, A adaptively issues HASH queries, CreateAL queries, CreateAC queries, CorruptAL queries, CorruptAC queries and Signing queries. C's responses to the respective queries are presented below:
• HASH query: When receiving a message $m$, C randomly picks an element $r \in Z_q^*$, stores $(m, r)$ in the list $L_{HASH}$, and returns $r$ to A.
• CreateAL query: When receiving AL's identity $ID_{AL}$, C executes ExtractAL to produce AL's private key $prk_{AL}$, and stores $(ID_{AL}, prk_{AL})$ in the list $L_{AL}$.
• CreateAC query: When receiving AC's identity $ID_{AC}$, C executes ExtractAC to produce AC's private key $prk_{AC}$, and stores $(ID_{AC}, prk_{AC})$ in the list $L_{AC}$.
• CorruptAL query: When receiving AL's identity $ID_{AL}$, C returns AL's private key $prk_{AL}$ to A.
• CorruptAC query: When receiving AC's identity $ID_{AC}$, C returns AC's private key $prk_{AC}$ to A.
• Signing query: When receiving AC's identity $ID_{AC}$ and a message $m$, C returns $m$'s digital signature $\sigma$ to A.

Output Phase. In this phase, A forges a digital signature $\sigma^*$ of a message $m^*$ corresponding to $AL^*$'s identity $ID_{AL^*}$ and $AC^*$'s identity $ID_{AC^*}$.

We say that A wins the above game if all the following conditions hold.
1). $\sigma^*$ is valid (i.e., $Verify(m^*, ID_{AL^*}, ID_{AC^*}, \sigma^*) = 1$).
2). A has not made a CorruptAL query with $AL^*$'s identity $ID_{AL^*}$.
3). A has not made a CorruptAC query with $AC^*$'s identity $ID_{AC^*}$.
4). A has not made a Signing query with $(m^*, ID_{AL^*}, ID_{AC^*})$.

Definition 2: We say a TLHIBS scheme for the ADS-B system is existentially unforgeable against selective identity and chosen message attack if and only if no polynomial-time adversary A is able to win the above game with a non-negligible advantage.

B. Security Proof

In this section, we demonstrate that the proposed TLHIBS scheme is secure under the above security model.

Theorem 1: The proposed TLHIBS scheme for the ADS-B system is provably secure in the random oracle model, assuming that the underlying CDH problem is hard.

Proof: If the adversary A is able to win the game presented in Section IV-A with a non-negligible advantage, then we can construct a challenger C to solve the underlying CDH problem.

Given an instance $(P, a \cdot P, b \cdot P)$ of the CDH problem, the task of C is to compute $a \cdot b \cdot P$. C sets $P_{pub} \leftarrow a \cdot P$, $Q \leftarrow b \cdot P$ and sends the system parameters $params = \{q, G_1, G_2, e, P, P_{pub}, h_1, h_2, h_3\}$ to A. C randomly picks an airline $AL^*$'s identity $ID_{AL^*}$ and an aircraft $AC^*$'s identity $ID_{AC^*}$ as challenge identities, and answers A's queries as follows.
• $h_1(ID_{AL}, R_{AL})$: C maintains a list $L_{h_1}$ which has been initialized to empty. C checks if a tuple $(ID_{AL}, R_{AL}, \alpha_{AL})$ exists in $L_{h_1}$. If it exists, C returns $\alpha_{AL}$ to A; otherwise, C randomly selects a number $\alpha_{AL}$, inserts $(ID_{AL}, R_{AL}, \alpha_{AL})$ into $L_{h_1}$ and returns $\alpha_{AL}$ to A.
• $h_2(ID_{AL}, R_{AL}, ID_{AC}, R_{AC})$: C maintains a list $L_{h_2}$ which has been initialized to empty. C checks if a tuple $(ID_{AL}, R_{AL}, ID_{AC}, R_{AC}, \alpha_{AC})$ exists in $L_{h_2}$. If it exists, C returns $\alpha_{AC}$ to A; otherwise, C randomly selects a number $\alpha_{AC}$, inserts $(ID_{AL}, R_{AL}, ID_{AC}, R_{AC}, \alpha_{AC})$ into $L_{h_2}$ and returns $\alpha_{AC}$ to A.
• $h_3(m, ID_{AL}, R_{AL}, ID_{AC}, R_{AC}, R_m)$: C maintains a list $L_{h_3}$ which has been initialized to empty. C checks if a tuple $(m, ID_{AL}, R_{AL}, ID_{AC}, R_{AC}, R_m, \alpha_m)$ exists in $L_{h_3}$. If it exists, C returns $\alpha_m$ to A; otherwise, C randomly selects a number $\alpha_m$, inserts $(m, ID_{AL}, R_{AL}, ID_{AC}, R_{AC}, R_m, \alpha_m)$ into $L_{h_3}$ and returns $\alpha_m$ to A.
• $Create_{AL}(ID_{AL})$: C maintains a list $L_{AL}$ which has been initialized to empty. C checks if a tuple $(ID_{AL}, r_{AL}, R_{AL}, S_{AL})$ exists in $L_{AL}$. If it exists, C returns $R_{AL}$ to A; otherwise C performs the following steps:
  – If $ID_{AL} = ID_{AL^*}$, C randomly picks two elements $r_{AL}, \alpha_{AL} \in Z_q^*$, computes $R_{AL} = r_{AL} \cdot P$ and sets $S_{AL} \leftarrow \perp$. C stores $(ID_{AL}, r_{AL}, R_{AL}, S_{AL})$ and $(ID_{AL}, R_{AL}, \alpha_{AL})$ in $L_{AL}$ and $L_{h_1}$, respectively. Finally, C returns $R_{AL}$ to A.
  – Otherwise ($ID_{AL} \neq ID_{AL^*}$), C randomly picks two elements $r_{AL}, \alpha_{AL} \in Z_q^*$ and computes $R_{AL} = r_{AL} \cdot P - \alpha_{AL} \cdot P_{pub}$, $S_{AL} = r_{AL} \cdot Q$. C stores $(ID_{AL}, r_{AL}, R_{AL}, S_{AL})$ and $(ID_{AL}, R_{AL}, \alpha_{AL})$ in $L_{AL}$ and $L_{h_1}$, respectively. Finally, C returns $R_{AL}$ to A.
• $Create_{AC}(ID_{AL}, ID_{AC})$: C maintains a list $L_{AC}$ which has been initialized to empty. C checks if a tuple $(ID_{AL}, ID_{AC}, r_{AC}, R_{AC}, S_{AC})$ exists in $L_{AC}$. If it exists, C returns $R_{AC}$ to A; otherwise C performs the following steps.
  – If $ID_{AL} \neq ID_{AL^*}$, C looks up $L_{AL}$ for the tuple $(ID_{AL}, r_{AL}, R_{AL}, S_{AL})$. C randomly picks two elements $r_{AC}, \alpha_{AC} \in Z_q^*$ and computes $R_{AC} = r_{AC} \cdot P$, $S_{AC} = S_{AL} + \alpha_{AC} \cdot r_{AC} \cdot Q$. C stores $(ID_{AL}, ID_{AC}, r_{AC}, R_{AC}, S_{AC})$ and $(ID_{AL}, R_{AL}, ID_{AC}, R_{AC}, \alpha_{AC})$ in $L_{AC}$ and $L_{h_2}$, respectively. Finally, C returns $R_{AC}$ to A.
  – Otherwise ($ID_{AL} = ID_{AL^*}$), C looks up $L_{AL}$ for the tuple $(ID_{AL}, r_{AL}, R_{AL}, S_{AL})$ and checks if $ID_{AC}$ and $ID_{AC^*}$ are equal.
    ∗ If they are equal, C randomly picks two elements $r_{AC}, \alpha_{AC} \in Z_q^*$, computes $R_{AC} = r_{AC} \cdot P$ and sets $S_{AC} \leftarrow \perp$. C stores $(ID_{AL}, ID_{AC}, r_{AC}, R_{AC}, S_{AC})$ and $(ID_{AL}, R_{AL}, ID_{AC}, R_{AC}, \alpha_{AC})$ in $L_{AC}$ and $L_{h_2}$, respectively. Finally, C returns $R_{AC}$ to A.
    ∗ Otherwise ($ID_{AC} \neq ID_{AC^*}$), C randomly picks two elements $r_{AC}, \alpha_{AC} \in Z_q^*$ and computes $R_{AC} = \alpha_{AC}^{-1} \cdot (r_{AC} \cdot P - \alpha_{AL} \cdot P_{pub} - R_{AL})$, $S_{AC} = r_{AC} \cdot Q$. C stores $(ID_{AL}, ID_{AC}, r_{AC}, R_{AC}, S_{AC})$ and $(ID_{AL}, R_{AL}, ID_{AC}, R_{AC}, \alpha_{AC})$ in $L_{AC}$ and $L_{h_2}$, respectively. Finally, C returns $R_{AC}$ to A.
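The following Python model is an added example (it is not the authors' code and not a secure implementation) that reproduces the algebra of Sections II-A, II-B and III-F above: the Setup/ExtractAL/ExtractAC/Sign/Verify/BVerify interfaces, the correctness equations (1) and (2), and the false acceptance problem that the note after equation (2) attributes to a verifier fixing $\delta_i = 1$. Section III (the scheme description) is not in this excerpt, so the key and signature equations are taken from the "Since $P_{pub} = s \cdot P, \ldots$" sentence of Section III-F. To run offline without a pairing library, group elements are represented by their discrete logarithms to base $P$ (so $e(x \cdot P, y \cdot P)$ becomes $x \cdot y \bmod q$, which is bilinear by construction), the random oracles $h_1, h_2, h_3$ are replaced by SHA-256 reduced mod $q$, and the group order $q$, the identities and the messages are constructed values.

```python
import hashlib
import secrets

# Prime group order q for the toy model (a constructed choice, not the paper's parameters).
Q_ORDER = 2**127 - 1

def _rand_zq() -> int:
    """Uniform element of Z_q^*."""
    return secrets.randbelow(Q_ORDER - 1) + 1

def _hash_to_zq(*parts) -> int:
    """Stand-in for the random oracles h1, h2, h3: SHA-256 of the inputs, reduced mod q."""
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q_ORDER or 1

def pairing(x_log: int, y_log: int) -> int:
    """e(x*P, y*P) = e(P, P)^(x*y); elements are kept as logs to base P, so this is x*y mod q."""
    return (x_log * y_log) % Q_ORDER

def setup():
    """Setup: master private key s; params hold the logs of Ppub = s*P and Q = b*P."""
    s, b = _rand_zq(), _rand_zq()
    return s, {"Ppub": s, "Q": b}

def extract_al(id_al, s, params):
    """ExtractAL: R_AL = r_AL*P, alpha_AL = h1(ID_AL, R_AL), S_AL = (r_AL + alpha_AL*s)*Q."""
    r_al = _rand_zq()
    alpha_al = _hash_to_zq("h1", id_al, r_al)
    s_al = ((r_al + alpha_al * s) * params["Q"]) % Q_ORDER
    return {"id_al": id_al, "R_AL": r_al, "S_AL": s_al}

def extract_ac(id_ac, prk_al, params):
    """ExtractAC: R_AC = r_AC*P, alpha_AC = h2(ID_AL, R_AL, ID_AC, R_AC), S_AC = S_AL + alpha_AC*r_AC*Q."""
    r_ac = _rand_zq()
    alpha_ac = _hash_to_zq("h2", prk_al["id_al"], prk_al["R_AL"], id_ac, r_ac)
    s_ac = (prk_al["S_AL"] + alpha_ac * r_ac * params["Q"]) % Q_ORDER
    return {**prk_al, "id_ac": id_ac, "R_AC": r_ac, "S_AC": s_ac}

def sign(m, prk_ac, params):
    """Sign: R_m = r_m*P, alpha_m = h3(m, ID_AL, R_AL, ID_AC, R_AC, R_m), S_m = S_AC + alpha_m*r_m*Q."""
    r_m = _rand_zq()
    alpha_m = _hash_to_zq("h3", m, prk_ac["id_al"], prk_ac["R_AL"], prk_ac["id_ac"], prk_ac["R_AC"], r_m)
    s_m = (prk_ac["S_AC"] + alpha_m * r_m * params["Q"]) % Q_ORDER
    return {"R_AL": prk_ac["R_AL"], "R_AC": prk_ac["R_AC"], "R_m": r_m, "S_m": s_m}

def _alphas(m, id_al, id_ac, sig):
    """Recompute alpha_AL, alpha_AC, alpha_m exactly as step 1 of BVerify prescribes."""
    a_al = _hash_to_zq("h1", id_al, sig["R_AL"])
    a_ac = _hash_to_zq("h2", id_al, sig["R_AL"], id_ac, sig["R_AC"])
    a_m = _hash_to_zq("h3", m, id_al, sig["R_AL"], id_ac, sig["R_AC"], sig["R_m"])
    return a_al, a_ac, a_m

def verify(m, id_al, id_ac, sig, params) -> bool:
    """Verify: e(S_m, P) == e(R_AL + alpha_AL*Ppub + alpha_AC*R_AC + alpha_m*R_m, Q), i.e. equation (1)."""
    a_al, a_ac, a_m = _alphas(m, id_al, id_ac, sig)
    point = (sig["R_AL"] + a_al * params["Ppub"] + a_ac * sig["R_AC"] + a_m * sig["R_m"]) % Q_ORDER
    return pairing(sig["S_m"], 1) == pairing(point, params["Q"])

def bverify(batch, params, deltas=None, lb=80) -> bool:
    """BVerify over [(m, ID_AL, ID_AC, sigma), ...]: steps 1-4 with the small-exponent test.
    deltas defaults to fresh lb-bit random values (step 2); fixed deltas are accepted only so
    the false acceptance problem can be demonstrated."""
    if deltas is None:
        deltas = [secrets.randbelow(2**lb - 1) + 1 for _ in batch]
    lhs = sum(d * item[3]["S_m"] for d, item in zip(deltas, batch)) % Q_ORDER
    sum_alpha_al, rest = 0, 0
    for d, (m, id_al, id_ac, sig) in zip(deltas, batch):
        a_al, a_ac, a_m = _alphas(m, id_al, id_ac, sig)
        sum_alpha_al += d * a_al
        rest += d * sig["R_AL"] + d * a_ac * sig["R_AC"] + d * a_m * sig["R_m"]
    rhs = (sum_alpha_al * params["Ppub"] + rest) % Q_ORDER   # right-hand side of equation (2)
    return pairing(lhs, 1) == pairing(rhs, params["Q"])

def false_acceptance_demo():
    """Two signatures tampered by +Delta*Q and -Delta*Q: each fails Verify, a verifier that
    fixes delta_i = 1 accepts the batch, random deltas reject it (except w.p. about 2^-lb)."""
    s, params = setup()
    ac1 = extract_ac("AC-0001", extract_al("AIRLINE-A", s, params), params)   # constructed ids
    ac2 = extract_ac("AC-0002", extract_al("AIRLINE-B", s, params), params)
    m1, m2 = "position report 1 (constructed)", "position report 2 (constructed)"
    sig1, sig2 = sign(m1, ac1, params), sign(m2, ac2, params)
    good = [(m1, "AIRLINE-A", "AC-0001", sig1), (m2, "AIRLINE-B", "AC-0002", sig2)]
    delta_q = (_rand_zq() * params["Q"]) % Q_ORDER   # the cancelling offset Delta*Q
    bad1 = dict(sig1, S_m=(sig1["S_m"] + delta_q) % Q_ORDER)
    bad2 = dict(sig2, S_m=(sig2["S_m"] - delta_q) % Q_ORDER)
    bad = [(m1, "AIRLINE-A", "AC-0001", bad1), (m2, "AIRLINE-B", "AC-0002", bad2)]
    return {
        "valid_single": verify(m1, "AIRLINE-A", "AC-0001", sig1, params),
        "valid_batch": bverify(good, params),
        "tampered_single": verify(m1, "AIRLINE-A", "AC-0001", bad1, params),
        "tampered_batch_fixed_deltas": bverify(bad, params, deltas=[1, 1]),
        "tampered_batch_random_deltas": bverify(bad, params),
    }
```

Calling `false_acceptance_demo()` shows the point of step 2: the two tampered signatures each fail Verify, yet with $\delta_1 = \delta_2 = 1$ their errors $+\Delta \cdot Q$ and $-\Delta \cdot Q$ cancel in $\sum \delta_i \cdot S_{m_i}$ and the batch is accepted, whereas with independent $l_b$-bit $\delta_i$ the batch is rejected unless $\delta_1 = \delta_2$, which happens with probability about $2^{-l_b}$. Because the logs of $P_{pub}$ and $Q$ are public in this model, it gives no security at all; it only checks that the equations on the page are consistent.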
TABLE II: RUNTIME OF RELATED OPERATIONS (IN MILLISECOND)

TABLE III: COMPARATIVE SUMMARY: COMPUTATION COSTS (IN MILLISECOND)
and one general hash function operation. Therefore, the verifier's runtime is $5 \times T_{bp} + 2 \times T_{mtp} + T_{pm} + T_{pa} + T_h = 5 \times 11.515 + 2 \times 9.773 + 3.740 + 0.022 + 0.053 = 80.936$ ms. To verify the legitimacy of a group of signatures $\sigma_i = \{R_{AL}, R_{AC_i}, R_{m_i}, S_{m_i}\}_{i=1}^{n}$ from aircraft $AC_i$ registered with the same airline simultaneously, the verifier in Yang et al.'s first TLHIBS scheme needs to execute five bilinear pairing operations, $2n$ hash-to-point operations, $n$ point multiplication operations in $G_1$, $3n$ short point multiplication operations in $G_1$, $6n - 5$ point addition operations in $G_1$ and $n$ general hash function operations. Therefore, the verifier's runtime is $5 \times T_{bp} + 2n \times T_{mtp} + n \times T_{pm} + 3n \times T_{spm} + (6n - 5) \times T_{pa} + n \times T_h = 5 \times 11.515 + 2n \times 9.773 + n \times 3.740 + 3n \times 2.089 + (6n - 5) \times 0.022 + n \times 0.053 = 29.738n + 57.465$ ms.

To generate an airline AL's private key, RPKC in Yang et al.'s second TLHIBS scheme needs to execute one hash-to-point operation and one point multiplication operation. Therefore, RPKC's runtime is $T_{mtp} + T_{pm} = 9.773 + 3.740 = 13.513$ ms. To generate an aircraft AC's private key, AL in Yang et al.'s second TLHIBS scheme needs to execute two hash-to-point operations, three point multiplication operations and one point addition operation. Therefore, AL's runtime is $2 \times T_{mtp} + 3 \times T_{pm} + T_{pa} = 2 \times 9.773 + 3 \times 3.740 + 0.022 = 30.788$ ms. To generate a digital signature, AC in Yang et al.'s second TLHIBS scheme needs to execute two point multiplication operations, one point addition operation and one general hash function operation. Therefore, AC's runtime is $2 \times T_{pm} + T_{pa} + T_h = 2 \times 3.740 + 0.022 + 0.053 = 7.555$ ms. To verify the legitimacy of a digital signature, the verifier in Yang et al.'s second TLHIBS scheme needs to execute three bilinear pairing operations, one point multiplication operation, one point addition operation and one general hash function operation. Therefore, the verifier's runtime is $3 \times T_{bp} + T_{pm} + T_{pa} + T_h = 3 \times 11.515 + 3.740 + 0.022 + 0.053 = 38.360$ ms. To verify the legitimacy of a group of signatures $\sigma_i = \{R_{AL}, R_{AC_i}, R_{m_i}, S_{m_i}\}_{i=1}^{n}$ from aircraft $AC_i$ registered with different airlines simultaneously, the verifier in Yang et al.'s second TLHIBS scheme needs to execute three bilinear pairing operations, $n$ point multiplication operations in $G_1$, $3n$ short point multiplication operations, $4n - 3$ point addition operations and $n$ general hash function operations. Therefore, the verifier's runtime is $3 \times T_{bp} + n \times T_{pm} + 3n \times T_{spm} + (4n - 3) \times T_{pa} + n \times T_h = 3 \times 11.515 + n \times 3.740 + 3n \times 2.089 + (4n - 3) \times 0.022 + n \times 0.053 = 10.148n + 34.479$ ms.

Note: We did not consider the runtime for verifying the authenticity of the aircraft's certificate in the above analysis. Otherwise, the runtime of Yang et al.'s second scheme would be similar to that of Yang et al.'s first scheme.

To generate an airline AL's private key, RPKC in the proposed TLHIBS scheme needs to execute two point multiplication operations and one general hash function operation. Therefore, RPKC's runtime is $2 \times T_{pm} + T_h = 2 \times 3.740 + 0.053 = 7.533$ ms. To generate an aircraft AC's private key, AL in the proposed TLHIBS scheme needs to execute two point multiplication operations, one point addition operation and one general hash function operation. Therefore, AL's runtime is $2 \times T_{pm} + T_{pa} + T_h = 2 \times 3.740 + 0.022 + 0.053 = 7.555$ ms. To generate a digital signature, AC needs to execute two point multiplication operations, one point addition operation and one general hash function operation. Therefore, AC's runtime is $2 \times T_{pm} + T_{pa} + T_h = 2 \times 3.740 + 0.022 + 0.053 = 7.555$ ms. To verify the legitimacy of a digital signature, the verifier in the proposed scheme needs to execute two bilinear pairing operations, three point multiplication operations, three point addition operations and three general hash function operations. Therefore, the verifier's runtime is $2 \times T_{bp} + 3 \times T_{pm} + 3 \times T_{pa} + 3 \times T_h = 2 \times 11.515 + 3 \times 3.740 + 3 \times 0.022 + 3 \times 0.053 = 34.475$ ms. To verify the legitimacy of a group of signatures $\sigma_i = \{R_{AL}, R_{AC_i}, R_{m_i}, S_{m_i}\}_{i=1}^{n}$ from aircraft $AC_i$ registered with different airlines simultaneously, the verifier in the proposed scheme needs to execute two bilinear pairing operations, one point multiplication operation, $n$ small point multiplication operations, $n$ multiple point multiplication operations, $n + 1$ point addition operations and $3n$ general hash function operations. Therefore, the verifier's runtime is $2 \times T_{bp} + T_{pm} + n \times T_{spm} + n \times T_{mpm} + n \times T_{pa} + 3n \times T_h = 2 \times 11.515 + 3.740 + n \times 2.089 + n \times 5.735 + n \times 0.022 + 3n \times 0.053 = 8.005n + 26.77$ ms.

We compare the computation costs of our proposed TLHIBS scheme with those of Chow et al.'s scheme and Yang et al.'s two TLHIBS schemes (see Table III), and those of the BVerify algorithm in these schemes (see Fig. 3). It is clear that the proposed TLHIBS scheme has a lower computation cost than Chow et al.'s scheme and Yang et al.'s two TLHIBS schemes in the ExtractAL, ExtractAC, Verify and BVerify algorithms. In addition, the proposed TLHIBS scheme and both of Yang et al.'s TLHIBS schemes have the same computation cost in the Sign algorithm. In the ExtractAL
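The following Python cost model is an added example (not the authors' code) that reproduces the runtime formulas of this section from the Table II per-operation timings quoted in the text, using the page's own symbols ($T_{bp}$, $T_{mtp}$, $T_{pm}$, $T_{spm}$, $T_{mpm}$, $T_{pa}$, $T_h$) as dictionary keys. Operation counts are the ones stated above; for Yang et al.'s first scheme only Verify and BVerify appear on this page, so only those two are modelled. It also derives the break-even batch size at which BVerify becomes cheaper than $n$ separate Verify runs, which the text does not state.

```python
# Per-operation timings in milliseconds, as quoted from Table II in Section V-B.
T_MS = {
    "bp": 11.515,   # bilinear pairing
    "mtp": 9.773,   # hash-to-point (map-to-point)
    "pm": 3.740,    # point multiplication in G1
    "spm": 2.089,   # short (small-scalar) point multiplication
    "mpm": 5.735,   # multiple point multiplication
    "pa": 0.022,    # point addition
    "h": 0.053,     # general hash function
}

# Operation counts stated on the page; (c0, c1) means c0 + c1*n executions for n signatures.
PROPOSED = {
    "ExtractAL": {"pm": (2, 0), "h": (1, 0)},
    "ExtractAC": {"pm": (2, 0), "pa": (1, 0), "h": (1, 0)},
    "Sign":      {"pm": (2, 0), "pa": (1, 0), "h": (1, 0)},
    "Verify":    {"bp": (2, 0), "pm": (3, 0), "pa": (3, 0), "h": (3, 0)},
    "BVerify":   {"bp": (2, 0), "pm": (1, 0), "spm": (0, 1), "mpm": (0, 1), "pa": (0, 1), "h": (0, 3)},
}
YANG_SECOND = {
    "ExtractAL": {"mtp": (1, 0), "pm": (1, 0)},
    "ExtractAC": {"mtp": (2, 0), "pm": (3, 0), "pa": (1, 0)},
    "Sign":      {"pm": (2, 0), "pa": (1, 0), "h": (1, 0)},
    "Verify":    {"bp": (3, 0), "pm": (1, 0), "pa": (1, 0), "h": (1, 0)},
    "BVerify":   {"bp": (3, 0), "pm": (0, 1), "spm": (0, 3), "pa": (-3, 4), "h": (0, 1)},
}
YANG_FIRST = {   # only the two algorithms whose counts appear on this page
    "Verify":    {"bp": (5, 0), "mtp": (2, 0), "pm": (1, 0), "pa": (1, 0), "h": (1, 0)},
    "BVerify":   {"bp": (5, 0), "mtp": (0, 2), "pm": (0, 1), "spm": (0, 3), "pa": (-5, 6), "h": (0, 1)},
}


def runtime_terms(counts):
    """Return (constant_ms, per_signature_ms) for one algorithm's operation counts."""
    c0 = sum(T_MS[op] * k0 for op, (k0, _) in counts.items())
    c1 = sum(T_MS[op] * k1 for op, (_, k1) in counts.items())
    return round(c0, 3), round(c1, 3)


def runtime_ms(counts, n=1):
    """Runtime in ms of one algorithm when n signatures are involved."""
    c0, c1 = runtime_terms(counts)
    return round(c0 + c1 * n, 3)


def improvement_percent(new_ms, old_ms):
    """Relative saving of one runtime over a reference runtime, in percent."""
    return round(100.0 * (old_ms - new_ms) / old_ms, 2)


def batch_break_even(scheme):
    """Smallest n at which BVerify on n signatures is cheaper than n separate Verify runs."""
    n = 1
    while runtime_ms(scheme["BVerify"], n) >= n * runtime_ms(scheme["Verify"]):
        n += 1
    return n
```

`runtime_terms(PROPOSED["BVerify"])` returns the $(26.77,\ 8.005)$ pair of the $8.005n + 26.77$ ms formula, `improvement_percent(runtime_ms(PROPOSED["ExtractAL"]), runtime_ms(YANG_SECOND["ExtractAL"]))` gives the 44.25 percent ExtractAL figure quoted in the comparison, and `batch_break_even(PROPOSED)` shows that batching already pays off from two signatures onwards.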
algorithm, our proposed TLHIBS scheme has a 56.39, a 44.25 and a 44.25 percent improved performance over those of Yang et al.'s scheme, Yang et al.'s first TLHIBS scheme and Yang et al.'s second TLHIBS scheme, respectively. In the ExtractAC algorithm, our proposed TLHIBS scheme enjoys a 56.26, a 72.07 and a 75.46 percent improvement over those of Yang et al.'s scheme, Yang et al.'s first scheme and Yang et al.'s second scheme, respectively. In the Sign algorithm, our proposed TLHIBS scheme and both of Yang et al.'s TLHIBS schemes have a 49.67 percent improvement over that of Chow et al.'s scheme. It is clear that our scheme outperforms Chow et al.'s scheme and both of Yang et al.'s schemes.

Fig. 3. Computation costs of the BVerify algorithm.

TABLE IV: COMPARATIVE SUMMARY: COMMUNICATION COSTS (IN BIT)

C. Communication Costs

We now analyze the communication cost of the proposed TLHIBS scheme and compare its performance with those of Chow et al.'s scheme [25] and both of Yang et al.'s schemes [35].

According to the above analysis, we know that the size of $p$ is 512 bits. Therefore, the size of an element in $G_1$ is $512 + 512 = 1024$ bits. The signature generated by Chow et al.'s scheme is $\{x, y_1, y_2, z\}$, where $x, y_1, y_2, z \in G_1$. Therefore, the communication cost of Chow et al.'s scheme is $1024 \times 4 = 4096$ bits. The signature generated by either of Yang et al.'s schemes is $\{U, V, P, R\}$, where $U, V, P, R \in G_1$. Therefore, the communication cost of both of Yang et al.'s schemes is $1024 \times 4 = 4096$ bits. The signature generated by our proposed scheme is $\{R_{AL}, R_{AC}, R_m, S_m\}$, where $R_{AL}, R_{AC}, R_m, S_m \in G_1$. Therefore, the communication cost

VI. CONCLUSION

In this paper, we presented an efficient Three-Level Hierarchical Identity-Based Signature (TLHIBS) scheme designed for the ADS-B system. We demonstrated that our scheme has the necessary attributes and features without compromising on performance. Specifically, our comparative summary indicated that our scheme outperforms Chow et al.'s scheme and both of Yang et al.'s schemes [35]. We also proved the security of the scheme assuming the intractability of the underlying CDH problem. The strong security and lightweight computation design suggest that the scheme is suitable for ADS-B deployment.

Future work will include evaluating the proposed scheme in a real-world environment, with the aims of evaluating and refining the scheme. We also observed that aircraft in the schemes proposed in this paper and by Yang et al. [35] are required to send their identities in plaintext. This could be exploited by an adversary, resulting in the leakage of users' privacy. Future work will include extending the scheme to provide anonymity (an anonymous TLHIBS scheme for the ADS-B system).

REFERENCES

[1] M. Strohmeier, M. Schafer, V. Lenders, and I. Martinovic, "Realities and challenges of nextgen air traffic management: The case of ADS-B," IEEE Commun. Mag., vol. 52, no. 5, pp. 111–118, May 2014.
[2] Agenda Item 3: Overview of Primary and Secondary Surveillance Radars, Int. Civil Aviation Organization, Montreal, QC, Canada, 2011.
[3] Minimum Aviation System Performance Standards for Automatic Dependent Surveillance Broadcast (ADS-S), Radio Tech. Commiss. Aeronautics, 2002.
[4] New Scientist. (2014). Data Transmission System on MH370 Deliberately Disabled. [Online]. Available: https://www.newscientist.com/article/dn25232-data-transmission-system-on-mh370-deliberatelydisabled/#.U0LbO61dWdA
[5] (2015). Radio Spectrum Allocated for Global Flight Tracking. [Online]. Available: http://www.itu.int/net/pressoffice/press_releases/2015/51.aspx#.VuyTVHoQgaJ
[6] D. Mink, A. Yasinsac, K.-K. R. Choo, and W. Glisson, "Next generation aircraft architecture and digital forensic," in Proc. 22nd Amer. Conf. Inf. Syst. (AMCIS), 2016, pp. 1–10.
[7] M. Strohmeier, V. Lenders, and I. Martinovic, "On the security of the automatic dependent surveillance-broadcast protocol," IEEE Commun. Surv. Tuts., vol. 17, no. 2, pp. 1066–1087, 2nd Quart. 2015.
[8] C. Rekkas and M. Rees, "Towards ADS-B implementation in Europe," in Proc. Tyrrhenian Int. Workshop Digit. Commun.-Enhanced Surveill. Aircraft Veh. (TIWDC/ESAV), Sep. 2008, pp. 1–4.
[9] A. Costin and A. Francillon, Ghost in the Air (Traffic): On Insecurity of ADS-B Protocol and Practical Attacks on ADS-B Devices. San Francisco, CA, USA: Black Hat USA, 2012, pp. 1–12.
[10] D. McCallie, J. Butts, and R. Mills, "Security analysis of the ADS-B implementation in the next generation air transportation system," Int. J. Critical Infrastructure Protection, vol. 4, no. 2, pp. 78–87, 2011.
[11] L. Purton, H. Abbass, and S. Alam, "Identification of ADS-B system vulnerabilities and threats," in Proc. Austral. Transp. Res. Forum, Canberra, Australia, 2010, pp. 1–16.
[12] K. Sampigethaya, "Visualization & assessment of ADS-B security for green ATM," in Proc. IEEE/AIAA 29th Digital Avionics Syst. Conf. (DASC), Oct. 2010, pp. 3.A.3-1–3.A.3-16.
[13] M. Schäfer, V. Lenders, and I. Martinovic, "Experimental analysis of attacks on next generation air traffic communication," in Applied Cryptography and Network Security. Berlin, Germany: Springer, 2013, pp. 253–271.
Authorized licensed use limited to: Universidad de los Andes. Downloaded on April 02,2020 at 04:44:45 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 12, NO. 2, FEBRUARY 2017

[14] B. Danev, D. Zanetti, and S. Capkun, “On physical-layer identification of wireless devices,” ACM Comput. Surv. (CSUR), vol. 45, no. 1, 2012, Art. no. 6.
[15] I. A. Mantilla-Gaviria, M. Leonardi, G. Galati, and J. V. Balbastre-Tejedor, “Localization algorithms for multilateration (MLAT) systems in airport surface surveillance,” Signal, Image Video Process., vol. 9, no. 7, pp. 1549–1558, 2015.
[16] M. Strohmeier, V. Lenders, and I. Martinovic, “Lightweight location verification in air traffic surveillance networks,” in Proc. 1st ACM Workshop Cyber-Phys. Syst. Secur., 2015, pp. 49–60.
[17] K. Samuelson, E. Valovage, and D. Hall, “Enhanced ADS-B research,” in Proc. IEEE Aerospace Conf., Mar. 2006, pp. 1–7.
[18] R. V. Robinson, K. Sampigethaya, M. Li, S. Lintelman, R. Poovendran, and D. von Oheimb, “Secure network-enabled commercial airplane operations: IT support infrastructure challenges,” in Proc. First CEAS Eur. Air Space Conf. Century Perspect., 2007, pp. 1–10.
[19] T. Kacem, D. Wijesekera, and P. Costa, “Integrity and authenticity of ADS-B broadcasts,” in Proc. IEEE Aerosp. Conf., Mar. 2015, pp. 1–8.
[20] K. Sampigethaya, R. Poovendran, S. Shetty, T. Davis, and C. Royalty, “Future E-enabled aircraft communications and security: The next 20 years and beyond,” Proc. IEEE, vol. 99, no. 11, pp. 2040–2055, Nov. 2011.
[21] Z. Feng, W. Pan, and Y. Wang, “A data authentication solution of ADS-B system based on X.509 certificate,” in Proc. 27th Int. Congr. Aeronautical Sci. (ICAS), 2010, pp. 1–6.
[22] A. K. Buchholz, “DPP: Dual path PKI for secure aircraft data communication,” Ph.D. dissertation, Dept. Comput. Sci. Appl., Falls Church, VA, USA, 2013.
[23] J. Baek, Y.-J. Byon, E. Hableel, and M. Al-Qutayri, “An authentication framework for automatic dependent surveillance-broadcast based on online/offline identity-based signature,” in Proc. Eighth Int. Conf. P2P, Parallel, Grid, Cloud Internet Comput. (3PGCIC), Oct. 2013, pp. 358–363.
[24] C. Gentry and A. Silverberg, “Hierarchical ID-based cryptography,” in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur., 2002, pp. 548–566.
[25] S. S. M. Chow, L. C. Hui, S. M. Yiu, and K. Chow, “Secure hierarchical identity based signature and its application,” in Proc. Int. Conf. Inf. Commun. Secur., 2004, pp. 480–494.
[26] D. Galindo, J. Herranz, and E. Kiltz, “On the generic construction of identity-based signatures with additional properties,” in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur., 2006, pp. 178–193.
[27] B. Waters, “Efficient identity-based encryption without random oracles,” in Proc. Annu. Int. Conf. Theory Appl. Cryptograph. Techn., 2005, pp. 114–127.
[28] J. Li, F. Zhang, and Y. Wang, “A new hierarchical ID-based cryptosystem and CCA-secure PKE,” in Proc. Int. Conf. Embedded Ubiquitous Comput., 2006, pp. 362–371.
[29] J. Li, F.-G. Zhang, and Y.-M. Wang, “Two efficient hierarchical identity based signature schemes,” Dianzi Xuebao (Acta Electronica Sinica), vol. 35, no. 1, pp. 150–152, 2007.
[30] X. Hu, S. Huang, and F. Xun, “Practical hierarchical identity based encryption scheme without random oracles,” IEICE Trans. Fundam. Electron., Commun. Comput. Sci., vol. E92-A, no. 6, pp. 1494–1499, 2009.
[31] L. Zhang, Y. Hu, and Q. Wu, “New construction of short hierarchical ID-based signature in the standard model,” Fundam. Inf., vol. 90, nos. 1–2, pp. 191–201, 2009.
[32] L.-Y. Zhang, Y.-P. Hu, and W. Qing, “Adaptively secure hierarchical identity-based signature in the standard model,” The J. China Univ. Posts Telecommun., vol. 17, no. 6, pp. 95–100, 2010.
[33] P. Chen, J. Su, B. Zhao, X. Wang, and I. You, “An escrow-free online/offline HIBS scheme for privacy protection of people-centric sensing,” Secur. Commun. Netw., vol. 9, no. 14, pp. 2302–2312, 2016, doi: 10.1002/sec.1492.
[34] J. Camenisch, S. Hohenberger, and M. Ø. Pedersen, “Batch verification of short signatures,” in Proc. Annu. Int. Conf. Theory Appl. Cryptograph. Techn., 2007, pp. 246–263.
[35] A. Yang, X. Tan, J. Baek, and D. Wong, “A new ADS-B authentication framework based on efficient hierarchical identity-based signature with batch verification,” IEEE Trans. Serv. Comput., to be published, doi: 10.1109/TSC.2015.2459709.
[36] J. K. Liu, T. H. Yuen, M. H. Au, and W. Susilo, “Improvements on an authentication scheme for vehicular sensor networks,” Expert Syst. Appl., vol. 41, no. 5, pp. 2559–2564, 2014.
[37] D. Pointcheval and J. Stern, “Security arguments for digital signatures and blind signatures,” J. Cryptol., vol. 13, no. 3, pp. 361–396, 2000.
[38] Shamus Software Ltd. (2011). MIRACL Library. [Online]. Available: http://www.shamus.ie/index.php?page=home

Debiao He received the Ph.D. degree in applied mathematics from the School of Mathematics and Statistics, Wuhan University, in 2009. He is currently an Associate Professor with the State Key Lab of Software Engineering, Computer School, Wuhan University. His main research interests include cryptography and information security, in particular, cryptographic protocols.

Neeraj Kumar (M’16) received the Ph.D. degree in CSE from Shri Mata Vaishno Devi University, Katra (J&K), India. He was a postdoctoral research fellow with Coventry University, Coventry, United Kingdom. He is working as an associate professor in the Department of Computer Science and Engineering, Thapar University, Patiala, Punjab, India. He has published more than 150 technical research papers in leading journals and conferences from IEEE, Elsevier, Springer, John Wiley, etc. Some of his research findings are published in top cited journals such as the IEEE Transactions on Industrial Electronics, the IEEE Transactions on Dependable and Secure Computing, the IEEE Transactions on Information Forensics and Security, the IEEE Transactions on Consumer Electronics, the IEEE Network, the IEEE Com, IEEE WC, the IEEE Internet of Things Journal, the IEEE Systems Journal, the Future Generation Computer Systems, the Journal of Network and Computer Applications, and the Computer Communications. He has guided many research scholars leading to Ph.D. and ME/MTech. His research is supported by funding from DST, TCS, CSIR, and UGC. He is a member of the IEEE.

Kim-Kwang Raymond Choo (SM’15) received the Ph.D. degree in information security from the Queensland University of Technology, Australia, in 2006. He currently holds the Cloud Technology Endowed Professorship at The University of Texas at San Antonio, and is an Associate Professor with the University of South Australia, and a Guest Professor with the China University of Geosciences, Wuhan. He is a Fellow of the Australian Computer Society. He is a recipient of various awards including the ESORICS 2015 Best Paper Award, the Winning Team of the Germany’s University of Erlangen-Nuremberg (FAU) Digital Forensics Research Challenge 2015, the 2014 Highly Commended Award by the Australia New Zealand Policing Advisory Agency, the Fulbright Scholarship in 2009, the 2008 Australia Day Achievement Medallion, and the British Computer Society’s Wilkes Award in 2008.

Wei Wu received the Ph.D. degree from the School of Computer Science and Software Engineering, University of Wollongong, Australia, in 2011. She is currently an Associate Professor with the Fujian Provincial Key Laboratory of Network Security and Cryptology, School of Mathematics and Computer Science, Fujian Normal University, China. Her research focus is on public key cryptography and its applications. She has authored over 40 papers in refereed international journals and conferences.
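The communication-cost accounting in Section C above charges 512 + 512 = 1024 bits per $G_1$ element, that is, both coordinates of a curve point sent uncompressed, so every four-element signature (Chow et al.'s, Yang et al.'s and the proposed TLHIBS signature) costs 4096 bits. The caveat a practitioner would add is that a point on a curve over a 512-bit prime field can be sent as its x-coordinate plus one bit selecting the sign of y, so each element needs 513 bits (520 when the sign bit is byte-aligned) and the signature 2080 bits; because all three schemes carry exactly four $G_1$ elements, compression shrinks all of them by the same factor and the comparison is unchanged. The following Python is an added example, not code from the paper. It assumes, since the paper's parameter analysis is not part of this excerpt, that $G_1$ is a group of points on the supersingular curve $y^2 = x^3 + x$ over $F_p$ with $p$ a 512-bit prime, $p \equiv 3 \pmod 4$, which is the usual MIRACL Type-A pairing setting; the prime and the sample points are constructed deterministically at import time.

```python
"""Wire size of a four-element G_1 signature, uncompressed vs. point-compressed.

Added example, not code from the paper. Assumed (not stated in this excerpt):
G_1 is a group of points on the supersingular curve y^2 = x^3 + x over F_p,
p a 512-bit prime with p = 3 (mod 4), the usual MIRACL Type-A setting. Chow
et al.'s, Yang et al.'s and the TLHIBS signatures are all four G_1 elements,
so one size function covers all three.
"""

P_BITS = 512
P_BYTES = (P_BITS + 7) // 8          # 64 bytes per field element
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with the fixed bases in SMALL_PRIMES (deterministic run)."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_prime_3_mod_4(bits):
    """Smallest probable prime p >= 2^(bits-1) with p = 3 (mod 4)."""
    n = (1 << (bits - 1)) | 3
    while not is_probable_prime(n):
        n += 4
    return n


P = find_prime_3_mod_4(P_BITS)       # constructed 512-bit field prime (assumption)


def curve_rhs(x):
    """Right-hand side of y^2 = x^3 + x over F_P."""
    return (x * x * x + x) % P


def point_on_curve(start_x=2):
    """First x >= start_x whose x^3 + x is a non-zero square mod P; returns (x, y)."""
    x = start_x
    while True:
        rhs = curve_rhs(x)
        if rhs and pow(rhs, (P - 1) // 2, P) == 1:        # Euler criterion
            return x, pow(rhs, (P + 1) // 4, P)            # square root, valid as P = 3 mod 4
        x += 1


def encode_uncompressed(pt):
    """Both coordinates, 2 * P_BYTES bytes: the paper's 512 + 512 = 1024 bits."""
    x, y = pt
    return x.to_bytes(P_BYTES, "big") + y.to_bytes(P_BYTES, "big")


def encode_compressed(pt):
    """x plus one parity byte for y (one bit suffices; a byte keeps it aligned)."""
    x, y = pt
    return bytes([y & 1]) + x.to_bytes(P_BYTES, "big")


def decode_compressed(buf):
    """Recover (x, y) from the compressed form; rejects an x that is not on the curve."""
    parity, x = buf[0], int.from_bytes(buf[1:], "big")
    rhs = curve_rhs(x)
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("x is not the abscissa of a point on the curve")
    if (y & 1) != parity:                                  # P is odd, so P - y flips parity
        y = P - y
    return x, y


def signature_size_bits(n_elements, compressed):
    """Bits on the wire for a signature made of n_elements G_1 points."""
    per_element = (1 + P_BYTES) if compressed else 2 * P_BYTES
    return 8 * per_element * n_elements


def demo():
    """Sizes of a four-element signature plus a compress/decompress round trip."""
    points, x = [], 2
    for _ in range(4):                                     # four distinct sample points
        pt = point_on_curve(x)
        points.append(pt)
        x = pt[0] + 1
    uncompressed = [encode_uncompressed(pt) for pt in points]
    compressed = [encode_compressed(pt) for pt in points]
    return {
        "uncompressed_bits": 8 * sum(len(e) for e in uncompressed),
        "compressed_bits": 8 * sum(len(e) for e in compressed),
        "roundtrip_ok": all(decode_compressed(c) == pt for c, pt in zip(compressed, points)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints 4096 bits for the uncompressed signature (the paper's figure) and 2080 bits for the compressed one. The parity byte is the only extra cost of compression; the receiver pays one modular exponentiation per element to recover y, which is negligible next to the pairing evaluations in verification.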