A Large-scale Concurrent Data Anonymous Batch Verification Scheme for Mobile Healthcare Crowd Sensing

04/05/2018 ∙ by Jingwei Liu, et al. ∙ IEEE Xidian University NetEase, Inc 0

Recently, with the rapid development of big data, Internet of Things (IoT) brings more and more intelligent and convenient services to people's daily lives. Mobile healthcare crowd sensing (MHCS), as a typical application of IoT, is becoming an effective approach to provide various medical and healthcare services to individual or organizations. However, MHCS still have to face to different security challenges in practice. For example, how to quickly and effectively authenticate masses of bio-information uploaded by IoT terminals without revealing the owners' sensitive information. Therefore, we propose a large-scale concurrent data anonymous batch verification scheme for MHCS based on an improved certificateless aggregate signature. The proposed scheme can authenticate all sensing bio-information at once in a privacy preserving way. The individual data generated by different users can be verified in batch, while the actual identity of participants is hidden. Moreover, assuming the intractability of CDHP, our scheme is proved to be secure. Finally, the performance evaluation shows that the proposed scheme is suitable for MHCS, due to its high efficiency.



There are no comments yet.


page 1

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Iot, as a promising paradigm, can change the interactive way between networks and the physical world [1]. Meanwhile, with the popularization and development of wireless sensors, a new perceptual architecture - mobile crowd sensing (MCS) [2, 3], has emerged. It provides a important technical support for the integration of the physical world with higher layer applications in IoT. As an important application branch of MCS, mobile healthcare crowd sensing (MHCS) provides more convenient medical and healthcare services for organizations or individual.

Fig. 1: A simple architecture of the MHCS system

Mobile healthcare crowd sensing (MHCS), combining the merits of mobile crowd sensing with remote healthcare, is becoming a research hotspot. On one hand, participants in MCS upload health data collected by mobile terminals to cloud server and enjoy various services by healthcare organizations. On the other hand, remote healthcare system can provide health information and medical service anytime and anywhere, by analyzing the individual health data and patient vital signs submitted to remote health apps installed in mobile terminals or monitoring devices. Therefore, MHCS can not only provide real-time medical services to individual or community, but also improve the ability of healthcare organizations to monitor, track and control certain diseases on some regions.

However, there are still many security threats and privacy issues in MHCS: a) the collected health data may deduce users’ sensitive information, such as identity, personal activities and health status; b) the data may be obtained or changed by an opponent, which will bring damage to people’s health and property, even people’s lives; c) these data collected by mobile devices should be processed safely in a real-time manner, otherwise the quality of medical service will be reduced. Therefore, the security and privacy preservation for MHCS is need to be considered emergently. So, more and more privacy-preserving schemes [4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20] have been proposed in recent years. In this work, we also mainly focus on the privacy preservation for MHCS.

According to [5], a simple architecture of the MHCS system consists of MHCS participants, a cloud sever, and healthcare organizations. In MHCS, as shown in Fig. 1, the cloud sever publishes sensing task for specific purpose. The participants receive a sensing task published from cloud sever, then they collect and upload the relevant health data to the sever. Meanwhile, the cloud sever will deliver the requested information to specific organizations or healthcare institutes so as to make further analysis. However, millions of participants submit numerous biomedical data to the cloud sever, which will lead to data transmission obstacles and storage capacity burdens. An efficient approach named aggregate signature (AS) can improve the efficiency of the verification on numerous signatures and reduce the overhead of storage and bandwidth. The first AS scheme based on traditional public key cryptography was proposed by Boneh et al. [6] in 2003. It allowed multiple users to generate the signatures on different messages respectively and verify them in batch.

Following Boneh’s work, many AS schemes were proposed subsequently, but most of them were involved in the complicated certificate management problem. Thus, certificateless public key cryptosystem (CL-PKC) appeared to solve this issue. In 2007, Castro and Dahab [21] first introduced the concept of certificateless aggregate signature (CL-AS) that combined the merits of aggregate signature with CL-PKC. Then, Gong et al. raised the formal security model for CL-AS in [22] in the same year. After the initial work, lots of CL-AS have been proposed [23, 24, 25, 26].

In this paper, we put forward a large-scale concurrent data anonymous batch verification scheme for MHCS. The main work of this paper are summarized as follows:

  • The proposed scheme can provide bio-information batch verification and anonymous authentication for MHCS systems.

  • Based on the hardness of the Computational Diffie-Hellman Problem (CDHP), it is formally proved that our scheme is secure against the existential forgery attack on adaptively chosen message.

  • In the quantitative performance evaluation, our scheme achieves less computation overhead compared with the previous schemes. It is very suitable for the MHCS systems in practice.

The rest part of this paper is organized as follows. Firstly, we introduce the reference model, security model and design goals in Section II. In Section III, we improve a CL-AS scheme with the security proof. In Section IV, we describe the the large-scale concurrent data anonymous batch verification scheme in detail. In Section V, we analyze the performance. Finally, we conclude this paper in Section VI.

Ii Models and Design Goals

For a better understanding, we first put forward the relevant models for MHCS, and then raise design goals.

Ii-a Reference Model

The reference model for MHCS scenarios consists of four entities: Requestor, Data Center (DC), Management Server (MS), and MHCS Participants, as shown in Fig.2.

  • Requestor: The requestors can submit healthcare sensing tasks to DC for some specific purposes. And they can further analyze the final report from DC to predict certain medical or health issues in some regions.

  • Data Center (DC): It can publish and manage healthcare sensing tasks according to the demands of the requestors. Also, it is responsible for aggregating and verifying all collected health data from different participants.

  • Management Server (MS): MS is a trusted third party who can manage the participants’ registration information in MHCS systems. It is in charge of issuing the a half private keys for legitimate participants and distributes the index of the participants to cover their actual identity. Here, DC can use the index to authenticate the uploaded health data from the participants.

  • MHCS Participants: MHCS Participants refer to the mobile clients who collect and submit relevant health data using smart terminals for Data Center (DC).

Fig. 2: The reference model for MHCS systems
a cyclic additive group of order a generator of
a cyclic multiplicative group of order a bilinear map:
digital signature of the participant with healthcare data of the participant with
aggregate signature An adversary on type
DC’s public key DC’s private key
MS’s public key MS’s private key
the public key of the participant with the private key of the participant with
system security parameter a large prime number
a hash function: a hash function:
TABLE I: Notations

Ii-B Security Model

As security issues studied in [27, 28, 29, 30], design of multi-party mobile computing scheme requires extra caution on security and privacy issue. To make better security analysis, we refer to the security model defined in [31], in which there are two types of opponents who are able (or unable) to replace certain participants’ public key without (or with) the management server’s private key. In this model, it can be proved that our scheme is secure against the above two kinds of opponents, if the following computational Diffie-Hellman problem (CDHP) is intractable. Here, we give the definition of the CDHP: in a large prime order cycle additive group , with a generator and unknown , get finally.

Ii-C Design Goals

Our design goals aim at designing a large-scale concurrent data anonymous batch verification scheme for MHCS, which achieves following properties:

  • Batch authentication: The authentication information in the signed bio-data from large-scale MHCS participants could be aggregated and verified effectively by DC.

  • Non-repudiation: MHCS participants cannot deny that they have submitted the related health data to DC.

  • Anonymity: Although DC can acquire and check the aggregated authentication message, it cannot obtain the real identity of the data provider.

Iii An Improved CL-AS Scheme

Key management is essential for security [32, 33, 34].To provide a cryptographic essential for our design goals, we primarily propose an improved CL-AS scheme and then give the relevant security proof in this section. It can not only be used to realize batch verification, but also can deal with the key escrow problem of identity-based public key cryptosystem (ID-PKC)[35]. Due to these merits, it could be the key to designing a large-scale concurrent data anonymous batch verification scheme for mobile healthcare crowd sensing systems. Before describing the new certificateless aggregate signature scheme, we first introduce the concept of bilinear pairing.

Iii-a Bilinear Pairing

A bilinear pairing map, formally defined as , should satisfy the following three properties, in which is a additive group, is a multiplicative group, is the order, is the generator of .

  • Bilinear: , or , ;

  • Non-degenerate: , satisfy . Here, is the generator of ;

  • Computable: should be efficient, .

Iii-B Design of the new CL-AS Scheme

In this part, the detailed CL-AS scheme is constructed. We give the specification on Setup, Set-Partial-Key, Signing, Verification, Aggregation, and Aggregate Verification, described as follows:

  • Setup: Key Generation Center (KGC) initializes and establishes the system as follows:

    • Construct two cyclic groups and with additive operation and multiplicative operation respectively. Their order is a secure large prime meeting a security parameter . Set a pairing operator, that satisfies the properties described above. Then, select two secure hash functions and .

    • Key Generation Center (KGC) picks a random number for . Here, is its private/public key pair. Then, KGC publishes as the system parameters, while store as its private key secretly.

  • Set-Partial-Key: It consists of two part algorithms, one is to generate the partial key by a client or a signer, the other one is to compute the partial key by the KGC.

    • A client or a signer, marked as , obtains his or her partial secret key by choosing randomly and the partial public key by computing .

    • sends his/her to KGC and request the partial key for the identity . KGC calculates , for it and distributes the half private key to through secure channels. Hence, can obtain the public key and the private key . Note that, each identity only can be used once.

  • Signing: The signer chooses randomly and then sign a message , as follows:


    Then, the signer view the pair as the signature on .

  • Verification: To ensure the validity of the signature signed by a on the message , the verification procedure is as follows:


    Obviously, if the above equations hold, the signature is valid. Additionally, the proposed scheme also satisfies correctness:

  • Aggregation: To obtain the final signature from all of the message , the aggregator computes in the following way:


    The is the final aggregated signature.

  • Aggregate Verification: On receiving an aggregate signature for aggregating (from ) and the public key , the verifier will authenticate the aggregate signature. And the signature can be authenticated correctly, if the integrated formula holds: . Here, we give the proof of the equation on its correctness as follows:

Iii-C Security Proof

To make it convincing, it is proved that the proposed CL-AS scheme is existentially unforgeable against adaptively chosen message attacks in the random oracle model if the CDHP is intractable. As described in section II, two types adversary, named and who attempt to forge a legal signature with different abilities (able/unable to use the PKC’s private key). We will prove the security of the proposed CL-AS under and ’s attacks respectively. The detailed proofs are as follows:

Theorem 1. If the adversary could break the proposed scheme by making queries to , queries to Extract-Queries, queries to Secret-Key-Queries, queries to Public-Key-Queries, queries to Replace-Public-Key queries, and to CLAS-Sign-Queries, so CDHP could be solved within:

with probability:

Proof. Let be a challenger trying to solve a CDHP instance in . For , we set and . is a CDHP instance in . interacts with as the model in [24]. sets . Suppose

is a PPT Turing machine taking only open data as input,who has a advantage to break the proposed CLAS scheme with non-negligible probability. Given two random oracles which are

and respectively, gives the parameters to . tries to simulate all above oracles to obtain the valid signatures of any message as the real signer. List is maintained by . Throughout the proof process, means the value of a variable is invalid. In particularly, can query as follows:

  • H-Queries: On receiving a query on from , with a list of tuple , called , can simulate oracle as follows:

    • If already exists in , outputs related .

    • Otherwise, sets with probability and with probability . If , chooses and outputs . If , then . In both cases, inserts a tuple to .

  • H-Queries: simulates by maintaining a list with . Here, , and . On inputting to , does as follows:

    • If already exists in , outputs the same answer.

    • Otherwise, chooses and inserts a tuple to . Finally, it outputs as the answer.

  • Extract-Queries: makes the query on .

    • Firstly, recovers the corresponding from the list . If , returns failure. If and contains , checks if .

    • If , returns the current to . Otherwise, is set as . computes , then inserts a tuple to the list and outputs as the answer.

    • Again, if , the list does not contain . Then, sets and computes . Finally, inserts a tuple to and replies as output.

  • Public-Key-Queries: makes the query on an identity .

    • If is in , checks if . If holds, selects and . It updates to and replies to . Otherwise, returns to .

    • If is not in , let , then selects a random and sets . inserts a tuple to and replies to .

  • Secret-Key-Queries: makes the query on an identity .

    • If is in , checks if . If holds, selects a random . It also returns and adds tuple to the list . Otherwise, , replies to .

    • If is not in , sets and replies a random to .

  • Replace-Public-Key queries: chooses new public key for an identity .

    • If is in , sets and . It updates a tuple to the list .

    • If is not in , sets and , then it inserts a tuple to the list .

  • CLAS-Sign-Queries: In this queries, provides valid signatures of any message of with list , , , and answers the query as follows:

    • If is not empty and , checks if . If , makes Public-Key-Queries to generate and .

    • If is empty, makes Public-Key-Queries to generate and and adds them to list .

    • tries to generate the signature. If , returns failure. Otherwise, picks a random , and computes

    • Output as the signature on .

    It is easy to verify via the above equation, so the simulation is perfect. If does not abort this game, none can distinguish the simulation from a legal signer.

Eventually, with nonnegligible probability, obtains two valid signatures and with help of , where . Then, we the following two equations:


Multiplying both side of equation (5) with and both side of equation (6) with , we can obtain (7) and (8)


Subtract (8) from (7)


Then, obtains in and in , respectively. If , aborts. Otherwise, if , , now . Because of , we can obtain (10) and (11) as follows:


Therefore, finds as the solution to CDHP and solves CDHP with the probability

There are three events needed by to succeed: is the result of any Extract-Queries raised by does not abort. represents generates a valid signature that can be verified. represents the probability that outputs a valid forgery and does not leave the game. The probability of success is that all the three events mentioned above happen:


  • Claim 1: The probability of happening is at least , because and it takes at leat queries. So, .

  • Claim 2: The Probability that happens is at least . So

  • Claim 3: The probability that happens is at least , because , and both happen. So

Therefore, we can conclude that the probability of all three events happening is as follows:

We suppose . Then,

If is sufficiently large, tends to . So, the final probability is as follows:

A forged aggregate signature could be generated in the following way by :


Theorem 2. The proposed CL-AS scheme is existentially unforgeable against the second kind of adversary assuming the CDHP is hard.

Proof. This security property also relies on the hardness of CDHP. Assuming the CDHP is intractable, we can prove that our scheme is secure in the similar way in Theorem 1. Thus, we omit the proof in detail.

Iv A Large-scale Concurrent Data Anonymous Batch Verification Scheme for MHCS

Due to the unique security requirements of mobile healthcare crowd sensing, we design an anonymous batch verification scheme for large-scale concurrent data. It can provide privacy-preserving batch verification of the uploaded health data in MHCS and achieve multi-user access authentication.

Iv-a Scheme Description

The proposed scheme consists of five algorithms, such as: Initialization, Registration, Signing, Anonymous Aggregation, and Batch Verification. Here, we list some notations in Table I to facilitate our understanding. Then, we give the assumption of the time synchronization between the requested DC and MHCS participants. The proposed scheme is introduced as follows:

  • Initialization. MS establishes an enrollment system as follows:

    • MS define as a additive group, as a multiplicative group, as the order, as the generator of , as a bilinear map, and as two secure hash functions.

    • Given , MS selects its private key randomly and calculates its public key . Then, it opens the system parameters . We suppose that DC regards as its long-term key pair, where .

  • Registration. A participant and the MS perform the following steps to access a DC as follows:

    • The participant, marked as , chooses a random number as the half private key, and it obtains from MS who computes , where as the other half part private key. sets as its private key. Then, it sends to MS.

    • Upon receiving , MS chooses a random number and calculates


      Thus, MS stores serial number . Then, it sends and to the participant with . All of the registration information should be transmitted via a secure channel.

    Fig. 3: The flowchart of the concurrent data anonymous batch verification scheme
  • Signing. chooses a random number and a time stamp , where is the system time to maintain the freshness of the message, and calculates


    Each required sensing data could be verified by


    respectively. Then, uploads to DC who issues the sensing task. Additionally, we can easily prove the correctness of the equation (15) as follows:

  • Anonymous Aggregation. DC plays a role of the aggregator to merge all collected authentication information of different participants to a single verification message. Upon receiving , DC calculates . For an aggregate set of participants and a set of signatures , when the time T is up, DC aggregates all the received signatures as follows:


    Then, DC treats on all health data as the aggregated authentication message.

  • Batch Verification. As illustrated in Fig. 3, DC verifies the validity of . If the equation holds, DC approves all health data uploaded by participants within the time slot T as legal data. Otherwise, DC aborts this procedure. Here, DC can verify the validity of the equation as follows:

Iv-B Security Analysis

For convincing, we analyze the security of the large-scale concurrent data anonymous batch verification scheme in this part.

Scheme Signing Verification Aggregation Aggregate Verification

4nH+3nS 5nH+4nP+2nS 0 4P+2nS
Malhi-Batra nH+4nS 2nH+3nP+3nS 0 3P+3nS
XGCL nH+3nS 2nH+3nP+2nS 0 3P+2nS
Ours nH+2nS 2nH+2nP+nS 2nS 2P


Theorem 3. The proposed scheme satisfies batch authentication, non-repudiation, and anonymity.

Proof. We will give the proof as follows:

Iv-B1 Batch authentication

The proposed scheme is secure due to the intractability of the CDHP. So DC can authenticate the identities of MHCS participants by their signatures on health data. Meanwhile, it can aggregate all signatures from large-scale participants to a single verification message and verify the message by checking . Thus, our scheme can achieve anonymous batch verification.

Iv-B2 Non-repudiation

In our scheme, MHCS participant cannot deny that he/she has submitted the health data. DC can verify his/her signature via the corresponding public key. Then, MS can find serial number according to the public key and obtain the real identity of the participant.

Iv-B3 Anonymity

In the phase of aggregate verification, due to the distribution of is random, DC cannot get the real identity of the MHCS participant from . Therefore, even if the opponent has unlimited computing power, it is unable to guess the actual participant’s identity with the nonnegligible advantage. Thus, the proposed scheme achieves anonymity.

V Performance Evaluate

In this section, we evaluate the performance of the proposed scheme in two aspects, including computation overhead and storage overhead. Firstly, comparing our scheme with other three existing schemes, we assess the performance of the computation overhead in terms of the computation complexity and time overhead on signing, anonymous aggregation and batch verification. Then, we analyze the storage overhead of the proposed scheme.

V-a Computation Overhead

V-A1 Computation Complexity

We select three existing schemes [23, 24, 36] to compare the computation complexity with our scheme. Due to the computation overhead is mostly caused by three basic cryptographic operations, so we mainly focus on the time consumption of these operations. Here, we only count on computation consumption, while the pre-computation efforts are omitted. We define as a pairing operation, as a scalar multiplication in and as hash functions.

Table II shows the complexity comparison between different schemes. We find that, in the signing stage, our scheme only requires operations, while the schemes in [23, 24, 36] require , and respectively. In the verification stage, our scheme needs operations, rather than in [23], in [24] and in [36]. In addition, in aggregation stage, only our scheme needs scalar multiplications, but it only requires two pairing operations in aggregate verification stage. Hence, compared with the schemes in [23, 24, 36], our scheme has the least total computation overhead in all four stages – signing, verification, aggregation and aggregate verification.

Meanwhile, Fig. 4 shows the comparison of computation cost between different schemes. And we also find that our scheme has lowest computation complexity than the other schemes [23, 24, 36], with the increasing of the number of participants. As a whole, our scheme achieve the best performance of the computation complexity.

V-A2 Time Overhead

In order to evaluate and test the performance of time overhead on our scheme, we compare our scheme with other three schemes [23, 24, 36]. For quantitative analysis, we first construct a simulation platform to measure the time overhead. The simulation environment is Ubuntu OS over an Inter Pentium 2.1 GHz processor. We choose type A curve in the Pairing-Based Cryptography (PBC) library – , to complete the simulation. Here, we assume that participants try to upload their health data in a certain time slot T.

Next, we view aggregation as the integration of aggregation and aggregate verification. Then, we record the start time from the beginning of the signing stage to simulate these schemes. Therefore, we can obtain the time overhead of different schemes as shown in Fig. 5. Compared with the schemes in [23, 24, 36], the proposed scheme can save 50%, 42.1%, 39% running time respectively.

(a) “H” operation vs. the number of participants
(b) “P” operation vs. the number of participants
(c) “S” operation vs. the number of participants
Fig. 4: Comparison of computation cost between different schemes
(a) Time cost on signing
(b) Time cost on verification
(c) Time cost on Aggregation
Fig. 5: Comparison of time consumption between different schemes

Fig. 6: The storage overhead of our scheme

V-B Storage Overhead

In the proposed scheme, the Data Center (DC) needs to store all collected authentication information of different participants continuously until batch verification is done. Meanwhile, as the aggregator, DC can, in real time, merge the collected authentication information into a single verification message, due to the advantage of the equation (16). When time T is up, DC can verify these data in batch. Therefore, the storage overhead of the proposed scheme can be reduced differently according to the number of MHCS participants. For quantitative analysis, we adopt the type A curve with base field size of 512 bits, the cyclic group order of 160 bits, and the embedding degree 2. So, bits, bits, and bits. Here, we assume that the size of health data is 160 bits as [37].

As mentioned before, the verification information of the participant is . Therefore, the corresponding storage overhead of the authentication data is bits. Here, denotes the storage overhead of the participant . When the time T is up, the total storage overhead of the participants in this time slot is bits. Otherwise, if the verification stage does not utilize the scheme in the batch mode, the total storage overhead of the participants is bits. For better demonstration, we depict the storage overhead on the aforementioned two cases in Fig. 6. Then, we can conclude that the storage overhead is greatly reduced in the batch mode.

For all above, the proposed scheme achieves a better performance in terms of computation overhead and storage overhead. It is efficient and suitable for mobile healthcare crowd sensing.

Vi Conclusion

In this paper, based on an improved CL-AS algorithm, we design an anonymous batch verification scheme for large-scale concurrent data in MHCS scenarios. It meets the EUF-CMA security in the random oracle model based on the intractability of the CDHP. And it can achieve three properties including batch authentication, non-repudiation, and anonymity. Moreover, our scheme can be deployed in MHCS system to offer batch health data authentication and privacy preservation simultaneously. Through quantitative performance analysis, we find that the proposed scheme achieves lower computation overhead and provides better efficiency compared with the existing schemes, and its storage overhead is also reduced greatly. The proposed scheme is an efficient solution for the MHCS systems.


  • [1] R. R. Rajkumar, I. Lee, L. Sha, and J. Stankovic, “Cyber-physical systems: the next computing revolution,” in in Proc. 47th Design Automation Conference.   ACM, 2010, pp. 731–736.
  • [2] R. K. Ganti, F. Ye, and H. Lei, “Mobile crowdsensing: current state and future challenges,” IEEE Communications Magazine, vol. 49, no. 11, 2011.
  • [3] B. Guo, Z. Yu, X. Zhou, and D. Zhang, “From participatory sensing to mobile crowd sensing,” in in Proc. IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops 2014).   IEEE, 2014, pp. 593–598.
  • [4] X. O. Wang, W. Cheng, P. Mohapatra, and T. Abdelzaher, “Artsense: Anonymous reputation and trust in participatory sensing,” in in Proc. IEEE INFOCOM 2013.   IEEE, 2013, pp. 2517–2525.
  • [5] N. D. Lane, E. Miluzzo, H. Lu, D. Peebles, T. Choudhury, and A. T. Campbell, “A survey of mobile phone sensing,” IEEE Communications magazine, vol. 48, no. 9, 2010.
  • [6] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, “Aggregate and verifiably encrypted signatures from bilinear maps,” in in Proc. Eurocrypt’03, vol. 2656.   Springer, 2003, pp. 416–432.
  • [7] H. Zhu, R. Lu, C. Huang, L. Chen, and H. Li, “An efficient privacy-preserving location-based services query scheme in outsourced cloud,” IEEE Transactions on Vehicular Technology, vol. 65, no. 9, pp. 7729–7739, 2016.
  • [8] J. Shao, X. Lin, R. Lu, and C. Zuo, “A threshold anonymous authentication protocol for vanets,” IEEE Transactions on vehicular technology, vol. 65, no. 3, pp. 1711–1720, 2016.
  • [9] X. Liu, R. Choo, R. Deng, R. Lu, and J. Weng, “Efficient and privacy-preserving outsourced calculation of rational numbers,” IEEE Transactions on Dependable and Secure Computing, 2016.
  • [10] H. Bao and R. Lu, “A new differentially private data aggregation with fault tolerance for smart grid communications,” IEEE Internet of Things Journal, vol. 2, no. 3, pp. 248–258, 2015.
  • [11] Q. Wang, Y. Zhang, X. Lu, Z. Wang, Z. Qin, and K. Ren, “Rescuedp: Real-time spatio-temporal crowd-sourced data publishing with differential privacy,” in in Proc. IEEE INFOCOM 2016.   IEEE, 2016, pp. 1–9.
  • [12] G. Zhuo, Q. Jia, L. Guo, M. Li, and P. Li, “Privacy-preserving verifiable data aggregation and analysis for cloud-assisted mobile crowdsourcing,” in in Proc. IEEE INFOCOM 2016.   IEEE, 2016, pp. 1–9.
  • [13] B. Wang, B. Li, and H. Li, “Oruta: Privacy-preserving public auditing for shared data in the cloud,” IEEE Transactions on Cloud Computing, vol. 2, no. 1, pp. 43–56, 2014.
  • [14] S.-J. Horng, S.-F. Tzeng, P.-H. Huang, X. Wang, T. Li, and M. K. Khan, “An efficient certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks,” Information Sciences, vol. 317, pp. 48–66, 2015.
  • [15] K. A. Shim, “An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks,” IEEE Transactions on Vehicular Technology, vol. 61, no. 4, pp. 1874–1883, 2012.
  • [16] J. Liu, Z. Zhang, X. Chen, and K. S. Kwak, “Certificateless remote anonymous authentication schemes for wirelessbody area networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 332–342, 2014.
  • [17] L. Zhang, C. Hu, Q. Wu, J. Domingo-Ferrer, and B. Qin, “Privacy-preserving vehicular communication authentication with hierarchical aggregation and fast response,” IEEE Transactions on Computers, vol. 65, no. 8, pp. 2562–2574, 2016.
  • [18] H. Zhu, L. Gao, and H. Li, “Secure and privacy-preserving body sensor data collection and query scheme,” Sensors, vol. 16, no. 2, p. 179, 2016.
  • [19] X. Yuan, X. Wang, J. Lin, and C. Wang, “Privacy-preserving deep packet inspection in outsourced middleboxes,” in in Proc. IEEE INFOCOM 2016.   IEEE, 2016, pp. 1–9.
  • [20]

    Q. Wang, S. Hu, K. Ren, J. Wang, Z. Wang, and M. Du, “Catch me in the dark: Effective privacy-preserving outsourcing of feature extractions over image data,” in

    in Proc. IEEE INFOCOM 2016.   IEEE, 2016, pp. 1–9.
  • [21] R. Castro and R. Dahab, “Efficient certificateless signatures suitable for aggregation.” IACR Cryptology ePrint Archive, vol. 2007, p. 454, 2007.
  • [22] Z. Gong, Y. Long, X. Hong, and K. Chen, “Two certificateless aggregate signatures from bilinear maps,” in

    in Proc. 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007)

    , vol. 3.   IEEE, 2007, pp. 188–193.
  • [23] H. Tu, D. He, and B. Huang, “Reattack of a certificateless aggregate signature scheme with constant pairing computations,” The Scientific World Journal, vol. 2014, 2014.
  • [24] A. K. Malhi and S. Batra, “An efficient certificateless aggregate signature scheme for vehicular ad-hoc networks,” Discrete Mathematics and Theoretical Computer Science, vol. 17, no. 1, p. 317, 2015.
  • [25] L. Zhang and F. Zhang, “A new certificateless aggregate signature scheme,” Computer Communications, vol. 32, no. 6, pp. 1079–1085, 2009.
  • [26] H. Xiong, Q. Wu, and Z. Chen, “Strong security enabled certificateless aggregate signatures applicable to mobile computation,” in in Proc. 3rd International Conference on Intelligent Networking and Collaborative Systems (INCoS2011).   IEEE, 2011, pp. 92–99.
  • [27] L. Wu, X. Du, and X. Fu, “Security threats to mobile multimedia applications: Camera-based attacks on mobile phones,” IEEE Communications Magazine, vol. 52, no. 3, pp. 80–87, 2014.
  • [28] L. Wu, X. Du, and J. Wu, “Mobifish: A lightweight anti-phishing scheme for mobile phones,” in Computer Communication and Networks (ICCCN), 2014 23rd International Conference on.   IEEE, 2014, pp. 1–8.
  • [29] X. Huang and X. Du, “Achieving big data privacy via hybrid cloud,” in Computer Communications Workshops (INFOCOM WKSHPS), 2014 IEEE Conference on.   IEEE, 2014, pp. 512–517.
  • [30] X. Du and H.-H. Chen, “Security in wireless sensor networks,” IEEE Wireless Communications, vol. 15, no. 4, 2008.
  • [31] X. Huang, Y. Mu, W. Susilo, D. S. Wong, and W. Wu, “Certificateless signatures: New schemes and security models 1,” The Computer Journal, vol. 55, no. 4, pp. 457–474, 2011.