In the big data era, a mass of mobile terminals (such as smartphones, tablets and laptops) equipped with a variety of sensors (e.g., GPS, accelerometer, camera) are producing huge amounts of sensing data. This shift turns traditional crowd sensing into Mobile Crowd Sensing (MCS) [1, 2, 3], as illustrated in Fig. 1, where sensing tasks can be released more quickly and conveniently, and sensing data can be collected promptly. At present, MCS systems are widely used in vehicular networks (for location information and traffic data), body area networks (for physiological bio-information) [4, 5], the Internet of Things (for real-time conditions), social networks and so on [6, 7]. This trend has accelerated the progress of smart cities.
Recently, more and more researchers have been studying this trend and see broad prospects for MCS systems, in which participants submit sensing data or other requested information via their intelligent terminals to third parties who are interested in these data for specific purposes. The collected data may be very sensitive, since they are likely to reveal the privacy of the device owner [8, 9], such as identity, location, health status, and personal activities. This may lead to many security threats and dampen the enthusiasm of participants. Therefore, users’ privacy and security should be taken into consideration seriously in MCS systems [10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20].
In , a typical architecture of an MCS system was introduced, which usually includes three participants: a group of clients, a network manager (NM), and a query service provider (SP). Upon receiving a sensing task, participants gather and submit the required sensing data to the cloud server of an SP. Once enough sensing data have been collected, the SP forwards the result to the requester for further analysis. However, if MCS systems deploy traditional public key cryptography to authenticate these data, certificate verification and management impose a heavy burden. An alternative is Certificateless Public Key Cryptography (CL-PKC), which no longer involves complicated certificate management. In 2003, Al-Riyami and Paterson proposed the first certificateless public key cryptosystem (CL-PKC) . By combining the merits of traditional public key cryptography (PKC) and identity-based cryptography (IDC) , CL-PKC provides implicit certification (through users’ IDs) and addresses the inherent key escrow problem of IDC (through a secret value chosen by the user). CL-PKC has attracted more and more attention in recent years [24, 25, 26, 27, 28, 29, 30].
A ring signature is an effective cryptographic primitive for protecting users’ privacy; it was first introduced in 2001. Any member of a specific group can generate a signature anonymously on behalf of the group, and anyone else, including the other members of the group, can verify this signature. Since no information about the signer’s actual identity is revealed, the verifier cannot determine which member generated the signature. However, designing a ring signature scheme based on certificateless cryptography is not trivial. In 2007, Chow et al. proposed the first certificateless ring signature (CL-RS) . After this original work, many certificateless ring signatures [33, 34, 35] were published.
In this paper, by deploying an improved CL-RS, we propose an enhanced certificateless privacy-preserving data authentication scheme (EPDA) for MCS systems. The proposed scheme is proven existentially unforgeable under adaptive chosen message and identity attacks in the random oracle model, assuming that the k-Collision Attack Algorithm (k-CAA) problem and the Inverse Computational Diffie-Hellman (Inv-CDH) problem are intractable. Finally, the performance is evaluated; the simulation results show that the proposed EPDA is more efficient for the privacy-preserving MCS scenario.
The rest of this paper is organized as follows. The preliminaries are introduced in Section II. In Section III, the enhanced privacy-preserving data authentication scheme for MCS systems is presented in detail, including the security analysis. In Section IV, the performance of EPDA is evaluated. Finally, the conclusion is given in Section V.
Table I. Notations
|a large prime number||secure hash function|
|a cyclic additive group of order||a generator of|
|a cyclic multiplicative group of order||a generator of|
|two types of adversaries||sensing data|
|a challenger||digital signature|
|network manager’s public key||network manager’s private key|
|the public key of the user with||the private key of the user with|
|the public key set of participants||the identity set of participants|
To facilitate the understanding of the cryptographic primitive in EPDA, we introduce the basic definitions and properties of bilinear pairings over elliptic curve groups. We also give the security model for EPDA. For ease of illustration, Table I lists some important notations, which are further explained where they first occur.
II-A Bilinear Pairings
A bilinear pairing on an algebraic curve is defined as a mapping , where is a cyclic additive group generated by , whose order is a prime , and is a cyclic multiplicative group of the same order . Bilinear pairings have the following properties:
Bilinear: , and . Equivalently, , and ;
Non-degenerate: There exists such that , where denotes the identity element of ;
Computable: There is an efficient algorithm to compute for all .
To prove the security of EPDA, we assume the following hard problems in :
Definition 1. k-Collision Attack Algorithm Problem (k-CAAP): Given a fixed and known integer and a ()-tuple , output a pair such that .
Definition 2. Inverse Computational Diffie-Hellman Problem (Inv-CDHP): Given and for , output .
II-B Security Model
We assume there are two types of adversaries with different capabilities in EPDA:
is an attacker who is able to replace public keys, extract partial private keys and make sign queries without the master secret key.
is an attacker who can obtain the master secret key. It may replace the public keys, extract partial private keys and make sign queries.
We will prove the security properties of EPDA in the existential unforgeability under adaptive chosen message and identity attacks (EUF-CL-RS-CMIA2) model  for both types of adversaries. We will also analyse anonymity: an adversary can reveal the real identity of a signer with probability no more than , while a member of the group can do so with probability no more than . Here, is the size of the group.
III Enhancing Privacy-Preserving Data Authentication for Mobile Crowd Sensing
To meet the unconditional privacy-preserving demands in certain MCS scenarios, we propose an enhanced privacy-preserving data authentication scheme for MCS systems, which preserves the anonymity of participants by deploying an improved certificateless ring signature as the cryptographic primitive.
III-A Design Objectives
With different kinds of micro-sensors for location, temperature, and biomedical signals being integrated into intelligent terminals, it has become possible for a mass of users to sense and upload data to the MCS cloud upon different requests. For instance, a public health institution may gather participants’ bio-information, such as heart rate and blood pressure, at different times of the day to study how these factors change and how they relate to each other. Moreover, the transportation management bureau may make use of sensing data for monitoring and managing the urban traffic situation. Crowd sensing data collected by various intelligent terminals bring many convenient services to the querying clients or institutions, as ubiquitous Internet access enables nearly real-time feedback, saving a great deal of time and cost for the sensing data requester. However, no matter how promising MCS is, it will not be well accepted unless the fundamental privacy issue is resolved. For example, a user’s sensing data might involve private information such as identity and location. Leaking this private information to cloud servers or other users could cause critical privacy disclosure or even physical attacks [14, 15, 18, 19, 20]. Therefore, participants might be unwilling to accept sensing tasks on account of privacy concerns.
To begin with, we assume there is a TTP (Trusted Third Party) in the MCS system, defined as the NM, which can generate and certify cryptographic keys. All participants interact with the NM in advance for key distribution. In addition, the MCS operates over insecure networks. Therefore, anonymity is a basic requirement, and the existence of active adversaries who attempt to uncover the real identities of MCS clients cannot be ignored. Based on the above assumptions, and considering the characteristics of mobile crowd sensing systems, we design an authentication scheme with the following properties:
Achieving anonymous sensing data authentication over insecure channels, regardless of the particular MCS scenario.
Operating with relatively low computational cost.
III-B Design Architecture
There are three types of entities in the framework of EPDA, as shown in Fig. 2: MCS clients, the Network Manager (NM), and the Query Service Provider (SP). In general, MCS clients are the participants in different regions equipped with smartphones to collect and submit various sensing data. SPs could be the cloud servers of health organizations or research institutions. The NM is in charge of generating the partial private key for each user and publishing identity indexes based on clients’ public keys, which are used to authenticate all sensing data. In EPDA, the NM is modeled as a trusted-but-curious third party. Note that the partial private key generated by the NM is not sufficient to impersonate a legitimate client.
III-C The Enhanced Privacy-Preserving Data Authentication Scheme
In general, the NM first generates the system parameters. Then, in the registration stage, the NM generates public keys and partial private keys for clients based on their identities, while each client in the MCS system calculates his/her partial private key based on a secure random number. MCS participants use their private keys to sign the sensing data, and SPs use a list of public keys to verify it. When a client submits signed sensing data to an SP, the SP verifies whether the received data come from a legitimate participant by checking the signature. If the verification equation holds, the uploaded data are valid. In EPDA, we utilize an improved variant of CL-RS, which ensures that although SPs can verify the signed sensing data in the authentication procedure, they are not able to recover the actual identity of any participant. Assuming that SPs and clients are time-synchronized, our protocol is as follows:
Initialization. First, given the security parameter , the NM generates keys for all participants in EPDA and initializes the authentication procedure. Let and denote two cyclic groups of prime order and be a pairing that satisfies the bilinear and non-degenerate properties. Let denote the set of identities of clients and the set of corresponding public keys. The NM determines its public/private key pair , where , and publishes the system parameters .
Registration. To accomplish MCS tasks distributed by any SP, a client needs to register with the NM. The registration steps shown in Fig. 3 are performed in turn:
The client first sends his/her to the NM.
Upon receiving , the NM calculates , where , and sends back to the client.
The client chooses a random , and computes , and . Then s/he sends to the NM.
The NM calculates and adds a record of to the database. Then, the NM sends to the SP. The SP maintains two lists: and .
Uploading. Upon receiving a sensing task from the SP, each participant gathers and uploads the required sensing data. First, s/he chooses randomly, and then computes , , , and , where is the system time, included to keep the messages fresh. Finally, the participant outputs the signature on the sensing data as and uploads it to the corresponding query service provider.
Verify. As shown in Fig. 4, the SP first checks the system time , and then verifies the signature on the submitted sensing data by checking whether holds. If it does, the SP accepts the . Otherwise, the SP discards this submission.
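As an added example (not the paper's scheme or code), the sign-with-one-private-key / verify-against-a-public-key-list flow of the Uploading and Verify steps above, and the ring-signature anonymity described in the introduction, can be exercised with a classic Schnorr-style (Abe-Ohkubo-Suzuki) ring signature over a prime-order subgroup of Z_p^*. It uses no pairings and no certificateless key split; the group parameters, the keys and the timestamped sensing message are all constructed here.

```python
import hashlib
import secrets

# Constructed group (not the paper's): Q = 2^61 - 1 is prime; setup() finds a prime
# p = k*Q + 1 and a generator g of the order-Q subgroup of Z_p^*.
Q = (1 << 61) - 1
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n):
    """Miller-Rabin; deterministic for n < 3.18e23 with these 12 bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def setup():
    k = 2
    while not is_probable_prime(k * Q + 1):
        k += 2
    p = k * Q + 1
    h = 2
    while pow(h, k, p) == 1:   # h^k has order Q unless it is the identity
        h += 1
    return p, Q, pow(h, k, p)

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)        # (private key, public key)

def _chal(q, msg, ring, point):
    # Challenge hash binds the message, the whole public-key list and a group element.
    data = msg + b"|" + b",".join(str(y).encode() for y in ring) + b"|" + str(point).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def ring_sign(p, q, g, ring, s, x_s, msg):
    """Sign msg with the private key of ring[s]; returns (c_0, [r_0 .. r_{n-1}])."""
    n = len(ring)
    c, r = [0] * n, [0] * n
    alpha = secrets.randbelow(q - 1) + 1
    c[(s + 1) % n] = _chal(q, msg, ring, pow(g, alpha, p))
    i = (s + 1) % n
    while i != s:                 # simulate every other member with a random r_i
        r[i] = secrets.randbelow(q)
        c[(i + 1) % n] = _chal(q, msg, ring, pow(g, r[i], p) * pow(ring[i], c[i], p) % p)
        i = (i + 1) % n
    r[s] = (alpha - x_s * c[s]) % q   # close the ring using the real private key
    return c[0], r

def ring_verify(p, q, g, ring, msg, sig):
    # Recompute the chain from c_0; every slot looks the same to the verifier.
    c0, r = sig
    c = c0
    for i, y in enumerate(ring):
        c = _chal(q, msg, ring, pow(g, r[i], p) * pow(y, c, p) % p)
    return c == c0
```

The verifier only needs the public-key list and the message, and a key outside the list cannot close the chain.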
III-D Security Analysis
In this section, we give the security proof in the EUF-CL-RS-CMIA2 model.
Theorem 1. The proposed EPDA is existentially unforgeable against both and adversaries in the random oracle model under the intractability assumptions of k-CAAP and Inv-CDHP respectively.
Proof. The security of the data authentication protocol relies on the intractability of k-CAAP and Inv-CDHP. It can be deduced similarly to the security proof in . Due to the page limitation, we omit the detailed proof.
Theorem 2. The proposed EPDA is unconditionally anonymous.
Proof. Although is randomly selected from , there is always a satisfying for each client (), which is similar to . It is impossible for any adversary to reveal the identity of a client from ; thus we can ensure the anonymity of the participants in the MCS system.
IV Performance Analysis
IV-1 Computational comparison with other schemes
We now compare our scheme with the similar schemes in [32, 34, 35]. We mainly consider the time-consuming operations, including the bilinear pairing operation (BP), scalar multiplication in (SM), exponentiation in (EXP) and the hash operation (Hash); n is the number of clients. The numbers of these operations in the selected schemes are shown in Table II.
In the signing stage, the proposed EPDA requires only one BP operation, which is the most complex operation, while the schemes in [32, 34, 35] need 1, 2 and 3 such operations respectively. However, in all schemes the number of BP operations does not increase with the number of users, so it has the least effect on performance in this stage when the MCS task involves a large number of users. In contrast to the BP operation, the cost of the other three types of operations varies with the number of users. In EPDA, 2n-1 scalar multiplications, 1 exponentiation and 1 hash operation are involved, so its time consumption in this stage is approximately , while that in [32, 34, 35] is about , and respectively.
In the verification stage, the proposed EPDA requires n bilinear pairings, 1 exponentiation and 1 hash operation, but no scalar multiplication, so its time consumption in this stage is approximately , while the schemes in [32, 34, 35] require , and respectively. According to the above analysis, EPDA becomes more efficient as the number of users increases.
IV-2 Performance evaluation of EPDA
In order to evaluate and test the performance of the selected schemes, we first set up a simulation hardware environment to measure the computation overhead of each scheme. The simulation environment is Linux Ubuntu over an Intel Pentium G630 2.7 GHz processor with 4096 MB of memory. The ECC-based function library is pbc-0.5.14. To better evaluate system performance, we assume that there are n users trying to upload their sensing data in a certain time slot. We choose a type A curve for the simulation. Type A pairings are constructed on the curve . Algorithms run more efficiently and faster over type A curves than over other types of curves, especially for exponentiation, so this kind of curve is often used to implement elliptic curve cryptography.
Fig. 5 shows that the time overhead of key generation is very close among these schemes, with EPDA’s being the lowest.
We repeat the execution of each scheme 1000 times and plot the average time consumption in the different stages. Fig. 6 compares the time consumption of signing, verification, and the total between the different schemes for various numbers of users. The scheme in  requires much less execution time than the schemes in  and , but takes more running time than EPDA. As the number of users increases, the gap grows rapidly. According to the simulation results, EPDA has the highest efficiency.
V Conclusion
In this paper, we put forward an enhanced privacy-preserving data authentication scheme for the MCS scenario, by deploying an improved certificateless ring signature as the cryptographic primitive. The proposed EPDA can be implemented in MCS systems to provide both data authentication and privacy protection with an unconditionally anonymous verification property. A formal security analysis is also conducted, which lays the theoretical foundation for the soundness of EPDA. The performance comparison between our scheme and existing schemes shows that the proposed scheme achieves both low computational complexity and time efficiency. It is an effective solution to the privacy leakage challenges faced by MCS systems.
This work is supported by Natural Science Basic Research Plan in Shaanxi Province of China (No. 2016JM6057), the 111 Project (B08038) and Collaborative Innovation Center of Information Sensing and Understanding at Xidian University.
-  M. Ra, B. Liu, T. F. La Porta, and R. Govindan, "Medusa: a programming framework for crowd-sensing applications," in Proc. 10th Intl. Conf. on Mobile Systems, Applications, and Services, 2012, pp. 337-350.
-  R. K. Ganti, F. Ye, and H. Lei, "Mobile crowd sensing: current state and future challenges," IEEE Communications Magazine, vol. 49, no. 11, pp. 32-39, 2011.
-  A. Zanella, N. Bui, A. Castellani, L. Vangelista, and M. Zorzi, "Internet of Things for Smart Cities," IEEE Internet of Things Journal, vol. 1, no. 1, pp. 22-32, 2014.
-  J. W. Liu, Z. H. Zhang, X. F. Chen, and K. S. Kwak, "Certificateless Remote Anonymous Authentication Schemes for Wireless Body Area Networks," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 332-342, Feb. 2014.
-  J. W. Liu, J. P. Han, L. F. Wu, R. Sun, and X. J. Du, "VDAS: Verifiable Data Aggregation Scheme for Internet of Things," in Proc. IEEE ICC 2017, 2017.
-  Y. Xiao, H. H. Chen, X. Du, and M. Guizani, "Stream-based Cipher Feedback Mode in Wireless Error Channel," IEEE Transactions on Wireless Communications, vol. 8, no. 2, pp. 662-666, Feb. 2009.
-  S. Liang and X. Du, "Permission-Combination-based Scheme for Android Mobile Malware Detection," in Proc. IEEE ICC 2014, Sydney, Australia, June 2014.
-  M. Allahbakhsh, A. Ignjatovic, B. Benatallah, and S. Beheshti, "Reputation management in crowdsourcing systems," in Proc. 8th International Conference on Collaborative Computing: Networking, Applications and Worksharing, 2012, pp. 664-671.
-  I. Krontiris, F. C. Freiling, and T. Dimitriou, "Location privacy in urban sensing networks: research challenges and directions," IEEE Wireless Communications, vol. 17, no. 5, pp. 30-35, 2010.
-  Y. Qian and N. Moayeri, "Design of Secure and Application-Oriented VANETs," in Proc. IEEE VTC 2008-Spring, Singapore, May 11-14, 2008.
-  J. Zhou, R. Q. Hu, and Y. Qian, "Scalable Distributed Communication Architectures to Support Advanced Metering Infrastructure in Smart Grid," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 9, pp. 1632-1642, Sept. 2012.
-  X. Du and F. Lin, "Maintaining Differentiated Coverage in Heterogeneous Sensor Networks," EURASIP Journal on Wireless Communications and Networking, vol. 5, no. 4, pp. 565-572, Sept. 2005.
-  X. Du, M. Zhang, K. Nygard, S. Guizani, and H. H. Chen, "Self-Healing Sensor Networks with Distributed Decision Making," International Journal of Sensor Networks, vol. 2, no. 5/6, pp. 289-298, 2007.
-  X. Chen, X. Wu, X. Li, Y. He, and Y. Liu, "Privacy-preserving high quality map generation with participatory sensing," in Proc. IEEE INFOCOM 2014, 2014, pp. 2310-2318.
-  Q. Li, G. Cao, and T. La Porta, "Efficient and privacy-aware data aggregation in mobile sensing," IEEE Transactions on Dependable and Secure Computing, vol. 11, no. 2, pp. 115-129, 2014.
-  X. Du, Y. Xiao, M. Guizani, and H. H. Chen, "An Effective Key Management Scheme for Heterogeneous Sensor Networks," Ad Hoc Networks, vol. 5, no. 1, pp. 24-34, Jan. 2007.
-  X. Du, M. Guizani, Y. Xiao, and H. H. Chen, "A Routing-Driven Elliptic Curve Cryptography based Key Management Scheme for Heterogeneous Sensor Networks," IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1223-1229, Mar. 2009.
-  X. Du and H. H. Chen, "Security in Wireless Sensor Networks," IEEE Wireless Communications Magazine, vol. 15, no. 4, pp. 60-66, Aug. 2008.
-  L. Guo, X. Zhu, C. Zhang, and Y. Fang, "Privacy-preserving attribute-based friend search in geosocial networks with untrusted servers," in Proc. IEEE GLOBECOM 2013, 2013, pp. 629-634.
-  G. Zhuo, Q. Jia, L. Guo, M. Li, and P. Li, "Privacy-preserving Verifiable Data Aggregation and Analysis for Cloud-assisted Mobile Crowdsourcing," in Proc. IEEE INFOCOM 2016, 2016.
-  N. D. Lane, E. Miluzzo, H. Lu, D. Peebles, T. Choudhury, and A. T. Campbell, "A survey of mobile phone sensing," IEEE Communications Magazine, vol. 48, no. 9, pp. 140-150, 2010.
-  S. S. Al-Riyami and K. G. Paterson, "Certificateless Public Key Cryptography," in Proc. ASIACRYPT 2003, LNCS 2894, 2003, pp. 452-473.
-  A. Shamir, "Identity-Based Cryptosystems and Signature Schemes," in Proc. CRYPTO 1984, LNCS 196, 1984, pp. 47-53.
-  M. C. Gorantla and A. Saxena, "An Efficient Certificateless Signature Scheme," in Proc. CIS 2005, LNAI 3802, 2005, pp. 110-116.
-  X. Huang, W. Susilo, Y. Mu, and F. Zhang, "On the Security of Certificateless Signature Schemes from Asiacrypt 2003," in Proc. CANS 2005, LNCS 3810, 2005, pp. 13-25.
-  W. S. Yap, S. H. Heng, and B. M. Goi, "An Efficient Certificateless Signature Scheme," in Proc. EUC 2006, LNCS 4097, 2006, pp. 322-331.
-  Z. Zhang, D. S. Wong, J. Xu, and D. Feng, "Certificateless Public Key Signature: Security Model and Efficient Construction," in Proc. ACNS 2006, LNCS 3989, 2006, pp. 293-308.
-  A. Dent, B. Libert, and K. Paterson, "Certificateless encryption schemes strongly secure in the standard model," in Proc. PKC 2008, LNCS 4939, 2008, pp. 344-359.
-  X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu, "Certificateless signature revisited," in Proc. ACISP 2007, LNCS 4586, 2007, pp. 308-322.
-  L. Zhang and F. Zhang, "A new provably secure certificateless signature scheme," in Proc. IEEE ICC 2008, 2008, pp. 1685-1689.
-  R. L. Rivest, A. Shamir, and Y. Tauman, "How to Leak a Secret," in Proc. ASIACRYPT 2001, LNCS 2248, 2001, pp. 552-565.
-  S. S. Chow and W. S. Yap, "Certificateless ring signatures," Cryptology ePrint Archive, Report 2007/236, 2007. http://eprint.iacr.org/2007/236.
-  S. Chang, D. S. Wong, Y. Mu, and Z. Zhang, "Certificateless Threshold Ring Signature," Information Sciences, vol. 179, no. 20, pp. 3685-3696, 2009.
-  L. Zhang, F. Zhang, and W. Wu, "A Provably Secure Ring Signature Scheme in Certificateless Cryptography," in Proc. ProvSec 2007, LNCS 4784, 2007, pp. 103-121.
-  H. Wang, "Certificateless Ring Signature Scheme from Anonymous Subsets," in Proc. 2010 International Conference on Multimedia Information Networking and Security, 2010, pp. 413-417.