Lightweight certificateless linearly homomorphic network coding signature scheme for electronic health system

With the flourishing development of the Internet of Things (IoT), the electronic health system (EHS) as a leading technology has attracted widespread attention. However, the unsatisfactory network transmission throughput hinders practical applications of EHS to some extent. Network coding can solve this problem, but it also incurs another drawback called pollution attack. Pollution attack can be prevented by using homomorphic network coding signature schemes to check whether a corrupted packet is injected. However, existing schemes require high computational cost for signature verification which will reduce the transmission efficiency. A lightweight certificateless linearly homomorphic network coding signature scheme is proposed. This scheme requires a quite low computational cost when both signing and verifying a data packet. In addition, it is proved that the scheme is secure, and it was implemented by using the Java Pairing ‐ Based Cryptography Library (JPBC) on a personal computer (PC). The simulation results illustrate that our scheme is efficient.


| INTRODUCTION
The Internet of Things (IoT), as an emerging technology, has been widely used in real-world applications that bring convenience to our daily lives. According to a previous study [1], there are about 22 billion IoT devices in 2018, and there will be nearly 50 billion IoT devices in 2030. In the medical field, IoT devices can facilitate the treatment and improve the health state of people all over the world.
As shown in Figure 1, a typical electronic health system consists of some smart terminals (such as smart doctors, respiratory monitors, urine analysers etc.), and a centralized health repository. The smart terminals can transmit the collected data to a centralized health repository in real time via the IoT networks [2]. Therefore, the doctors or other medical staff can grasp the health status of the patients without face to face. To obtain the patient's information as soon as possible, it is essential to improve the network transmission throughput.
Network coding was introduced by Ahlswede et al. [3] for improving the throughput of networks. It is an effective technique to enhance throughput, robustness and fault tolerance of the network [4]. A smart terminal first divides the file into n data packets using the network coding technique before it sends a file to the other terminals. The intermediate router node will encode all input packets into a single output packet before forwarding them. In this circumstance, even some nodes or links fail, the destination node can obtain the original message with high probability as long as the destination node has received adequate correct packets.
Although network coding can enhance the robustness of the IoT network, IoT still faces some security risks. A security problem is the medical data stored in centralized health repository may be misused and damaged. Fortunately, many schemes have been proposed to against these risks by guaranteeing the data integrity [5][6][7] and confidentiality [8,9] in storage terminal. There are still some other security risks on IoT networks [10], such as replay attacks or duplication attacks [11], vulnerable authentication protocols [12] and the transport level end-to-end security [13]. However, a serious security risk in the network coding system is pollution attack. Although this may also occur in a traditional network system without network coding, its effect is far more serious with network coding. As we all know, a third-party application can easily access the network and inject the invalid data packets to disturb linear network coding. Since network coding involves mixing of packet inside the network, a junk data packet will spread throughout the network quickly by forwarding. Such that, the destination node cannot retrieve the original message correctly even it has received all data packets.
To solve this problem, many network coding signature schemes [14][15][16][17][18][19][20][21] have been presented. The key feature is that the intermediate router node can use the network coding signature scheme to check whether the data packet is corrupted, because it can combine all input packets' signatures into an output signature. What counts is that the output signature must match with the output data packet. It enables the intermediate node and the destination node to detect possible errors. However, one of the main weaknesses of these schemes is that they require high computational cost for signature verification. It may cause the network delay because the intermediate router node has limited computing power. Therefore, these schemes are not suitable for EHS.
We propose a lightweight certificateless linearly homomorphic network coding signature scheme (CL-LHS) for electronic health systems, which features the following notable properties: (1) Each node needs to have the ability to detect the integrity of data and discard the invalid data packets, since any errors (e.g. hardware damage or third-party applications attack) may cause the data packet to be corrupted. (2) The intermediate nodes can forward data packets without delay, this can increase the efficiency of medical services. (3) An unforgeable verifiable tag is necessary for the intermediate node to test corrupted packets and combine uncorrupted packets. (4) The centralized health repository cannot obtain the full signing private key of the medical device. It makes patients more confident that their data stored in repository is secure. These features effectively improve deployment scalability of the proposed scheme.

| Our contributions
We construct a lightweight CL-LHS. We demonstrate the proposed scheme is efficient and secure in electronic health systems. Moreover, we implement the proposed scheme on a personal computer (PC) for evaluation. Concretely, the contributions of this paper are summarized as follows: 1. We construct a lightweight certificateless linearly homomorphic network coding signature scheme. In our scheme, the computation cost is quite low in signature generation and verification. Moreover, the computation cost of signing a data packet is constant, and the verification cost is only dependent on the number of the combined packets. 2. We offer a thorough security analysis of our scheme under k-CAA (k-Collusion Attack Algorithm) assumption. The scheme is existentially unforgeable (EUF) under adaptively chosen identity and adaptively chosen subspace attacks. 3. We demonstrate the theoretical analysis and the simulation experiments of our scheme, respectively. The simulation results illustrate our scheme is more practical than other schemes.

| Related work
The concept of IoT was first coined by Kevin Ashton in 1999 [22]. It is a huge network formed by connecting various information sensor devices to the Internet. Specifically, a smart medical sensor device is the integration of a traditional medical device and many sensors. With the explosive growth of the IoT, electronic health systems have also received widespread attention. To capture the best treatment time, it is important to improve the transmission throughput. Network coding, which can improve network transmission throughput, was introduced in 2000 [3]. It has been considered for use in the IoT network [23]. Using network coding, pollution attack is a stumbling block against secure data transmission [24,25].
In EHS, medical data should be transmitted securely. Many homomorphic network coding signature schemes have been proposed to ensure secure data transmission in network coding. The notion of the homomorphic signature can be traced back to Desmedt [26]. Its formal definition has not been proposed until the work of Jonson et al. [27]. After that, various homomorphic signature schemes have been investigated. For instance, linearly homomorphic signature schemes [14,[17][18][19]28,29], polynomial homomorphic signature schemes [30,31], fully homomorphic signature schemes [32] and the homomorphic aggregate signature schemes [33]. Among these, linearly homomorphic signature schemes are particularly useful in linear network coding.
Based on Public Key Infrastructure (PKI), many linearly homomorphic signature schemes are proposed to prevent pollution attacks. Yu et al. [28] introduced an efficient signature scheme for securing network coding. In the study by Yu et al. [28], the scheme has low computation cost and communication cost since it only requires modular addition and modular multiplication. However, Yu et al.'s scheme faces a security vulnerability which was indicated in [34]. Boneh et al. [14] presented a secure linearly homomorphic signature scheme for network coding against pollution attacks. In this scheme, the signer needs to compute n expensive map-to-point hash computations when signing an n-dimensional vector. The constant-size of the packet for each file cannot maximize the utilization of network resources. Attrapadung et al. [29] presented a homomorphic network coding signature scheme in the standard model. It is not practical in EHS because four bilinear maps are necessary for the verification. Zhang et al. [33] designed a linearly homomorphic aggregate signature scheme based on the SIS hardness assumption. The scheme has poor efficiency with the more considerable signature length and high expense in verification. Cheng et al. [17] introduced a homomorphic subspace signature for network coding. However, it needs to spend a lot of communication cost because the size of the signature is much larger than the size of the data packet. All the above schemes require the management of public key certificates which is rather complicated and brings a heavy burden.
To alleviate the burden of certificate management, some schemes are proposed based on an identity-based public cryptosystem. [18][19][20]35,36] are concerned with identity-based linearly homomorphic signature schemes for network coding against pollution attacks. Jiang et al. proposed a dynamic-identity-based signature scheme for secure network coding which it can rapidly detect/drop the corrupted data packets [35]. However, the size of private key in their scheme is very large. Sadrhaghighi [19] proposed a structural thought without a specific scheme, and Zhang et al. [20] presented an identity-based linearly homomorphic signature schemes in which the construction method is similar to the study by Boneh et al. [14]. The schemes in the studies by Chang et al. and Lin et al. [21,36] require high computation cost in generating a signature. When the data packet is large, computing too many map-to-point hash values and exponential operations will also cause high delay. Li et al.'s scheme [18], considering multiple-sources, requires high communication cost and storage cost, since the parameter generation centre needs publishing a series of parameters for generating a signature, and these parameters should be stored in sensors and destination node. In the identity-based public cryptosystem, the medical device will be no longer trustable once the private key is informed by a third party. The reason is that the third party can acquire all medical devices' signing private keys stored in the centralized health repository.
In addition, most of the above linearly homomorphic schemes have a high verification computation cost, the intermediate node cannot but spend a lot of time checking the received data packets which increases the network transmission delay. We construct a CL-LHS for EHS. Our scheme requires a quite low computational cost for signing and verifying a data packet.

| Organization
In Section 2, we recall some preliminaries used throughout this study. Then, we present a lightweight pairing-based certificateless linearly homomorphic signature scheme in Section 3 and prove it is secure in Section 4. Subsequently, we give the performance evaluation in Section 5. Finally, we conclude in Section 6.

| Preliminaries
The construction of our lightweight CL-LHS uses the bilinear map as a fundamental tool, and the security analysis of our scheme is based on the k-CAA assumption. We briefly review the bilinear map and introduce the k-CAA problem.
Definition 1 Suppose G 1 ; G T are two groups with sizeable prime order q. A map e : G 1 � G 1 → G T is called a bilinear map if it satisfies the following properties: 1. Bilinearity: for any a; b ∈ Z q and g ∈ G 1 , we have e g a ; g b À � ¼ e g; g ð Þ ab . 2. Non-degeneracy: if g is a generator of G 1 , then e g; g ð Þ is a generator of G T . 3. Computability: for any g ∈ G 1 , e g; g ð Þ is efficiently computable.
k-CAA Problem: Suppose G 1 is a cyclic groups with sizeable prime order q, x; h 1 ; …; h k ∈ Z q * are k þ 1 integers. Given g; g x ∈ G 1 and k pairs h 1 ; g xþh 1 -133 k-CAA Assumption: We say that k-CAA assumption holds in G 1 if the advantage is negligible in solving the k-CAA problem for any probabilistic polynomial-time algorithm.

| Definition
Definition 2 A certificateless linearly homomorphic network coding signature scheme CL-LHS consists of nine probabilistic polynomial-time algorithms, and the details are specified as follows: The Key Generation Center (KGC) runs the algorithm. On input a security parameter 1 k , the KGC generates public parameters params and system master private key msk. The public parameters params should include a prime field F q with which the vector space for signing is based on.
Generate-Partial-Private-Key params; msk; ID ð Þ → D ID . The KGC runs the algorithm. On input the system public parameters params, the system master key msk, and a user identity ID, the algorithm outputs a partial private key D ID for user ID.
Set-Secret-Value params; ID ð Þ → x ID . The user runs the algorithm. On input the system public parameters params and a user identity ID, the algorithm outputs the user's secret value x ID .
Set-Private-Key params; ID; D ID ; x ID ð Þ → sk ID . The user runs the algorithm. On input the system public parameters params, a user identity ID, the user's partial private key D ID and the user's secret value x ID , the algorithm outputs the user's full private key sk ID .
Set-Public-Key params; ID; sk ID ð Þ → pk ID . The user runs the algorithm. On input the system public parameters params, a user identity ID and the user's full private key sk ID , the algorithm outputs the user's public key pk ID . TagGen params; ID; sk ID ; vid ð Þ → τ. The signer runs the algorithm. The algorithm takes the system public parameters params, a user identity ID, the user's full private key sk ID and the identifier vid of a subspace V as input. The algorithm outputs a tag τ for the subspace V.
Sign params; ID; sk ID ; τ; v ð Þ → σ. The signer runs the algorithm. The algorithm takes the system public parameters params, a user identity ID, the user's full private key sk ID , the tag τ of a subspace V and a vector v ∈ V as input. The algorithm outputs a signature σ.
Note that to sign a subspace V, the signer should first generate a tag τ for V and then generate all signatures for a set of basis vectors v 1 , …, v m ∈ V. After that the signature of any vector in V with tag τ can be derived by the algorithm Combine.
Combine params; ID; vid; τ; The combiner runs the algorithm. On input the system public parameters params, a user identity ID, the identifier vid of a subspace V, the tag τ of the subspace V and c i ; v i ; σ i f g m i¼1 , where c i ∈ F q ; v i ∈ V , and σ i is the signature of the vector v i . The algorithm outputs a vector/signature pair ðv ; σ Þ, where v ¼ ∑ m i¼1 c i v i . Verify params; ID; pk ID ; vid; τ; v ; σ � � → 0 or 1. The verifier runs the algorithm. On input the system public parameters params, a user identity ID and its public key pk ID , the identifier vid of a subspace V, the tag τ of the subspace V, a vector v ∈ V and its signature σ , the algorithm outputs either 0 (reject) or 1 (accept).
A secure certificateless linearly homomorphic network coding scheme must satisfy the requirement of correctness. For each output (params, msk) by the algorithm Setup, the following holds: (1) For all ID, if user's partial private key D ID is generated by the algorithm Generate ¡ Partial ¡ Private ¡ Key (params, ID) and user's secret value x ID is generated by the algorithm Set ¡ Secret ¡ Value(params, ID), then the user's private/public key is (sk ID , pk ID ), where sk ID ← Set ¡ Private ¡ Key (params, ID, D ID , x ID ) and pk ID ← Set ¡ Public ¡ Key(params, ID, sk ID ).
is equivalent to that generated by the algorithm Sign ðparams; ID; sk ID ; τ; ∑ m i¼1 c i v i Þ, the probability of Verify ðparams; ID; pk ID ; vid; τ; ∑ m i¼1 c i v i ; σ Þ ¼ 1 holds is 1, otherwise the probability of the verification equation holds is negligible.

| Security model
To define the security model for CL-LHSs, we consider the existential-unforgeability under adaptively chosen identity and adaptively chosen subspace attacks. There are two types of probabilistic polynomial-time adversaries in this security model. The Type I adversary models an outside adversary who can substitute a user's public key by some value choosing by itself. However, he does not know the master secret key of the system. The Type II adversary models a malicious KGC who knows the system master secret key while he cannot substitute the user's pubic key. Now, we specify the formal security model of CL-LHSs by the following two games between an adversary and a challenger.
Game 1: The game 1 between the Type I adversary A I and the challenger C is as follows: Initialization: On input a security parameter 1 k , the challenger C runs the algorithm Setup 1 k À � to generate the public parameters params and the system master private key msk, then sends params to A I and keeps msk secret.
Queries: A I can adaptively issue the following queries: � Generate-Partial-Private-Key queries: The adversary A I queries the partial private key of a user with identity ID, the challenger C runs the algorithm Generate-Partial-Private-Key to generate the user's partial private key D ID and sends it to A I . � Extract-Secret-Value queries: The adversary A I queries the secret value of a user with identity ID, the challenger C runs the algorithm Set-Secret-Value to generate the user's secret value x ID and sends it to A I . � Extract-Public-Key queries: The adversary A I queries the public key of a user with identity ID, the challenger C runs the algorithm Set-Public-Key to generate the user's public key pk ID and sends it to A I . � Replace-Public-Key queries: The adversary A I gives a user identity ID and a new public key pk 0 ID . The challenger C records the latest public key pk 0 ID , the user's original public key pk ID is substituted by pk 0 ID . � TagGen queries: The adversary A I chooses a user identity ID, the user's secret value x ID associated with current public key pk ID and an identifier vid of subspace V. The challenger C runs the algorithm TagGen to generate the tag τ for the subspace V and returns it to A I . � Sign queries: The adversary A I chooses a user identity ID, the user's secret value x ID associated with current public key pk ID , a subspace V and a tag τ of the subspace V which is an output of TagGen queries. The challenger C runs the algorithm Sign to generate the signature σ 1 , …, σ m for basis vectors v 1 , …, v m ∈ V and returns them to A I .
Note that if the Replace-Public-Key query on ID has not been issued, then A I does not to provide the secret value x ID associated with public key pk ID , in this case, we have x ID ¼ ⊥.
2. The Generate-Partial-Private-Key query on ID* has never been submitted. 3. The adversary has never submitted a TagGen query on where the secret value x ID * is corresponded to the latest pk ID * . 4. The adversary has submitted a TagGen query on (ID * ; x ID * ; vid * ;V*), but τ ≠ τ*. Where the secret value x ID * is corresponded to the latest pk ID * and τ is the output of TagGen query on ID * ; We define the advantage of an adversary A I wins the game 1 as ϵ A I ¼Pr½A I wins�.

Definition 3 (Security against A I ):
We say that a certificateless linearly homomorphic network coding signature scheme is secure against Type I adversary under adaptively chosen identity and adaptively chosen subspace attacks if no polynomial adversary can wins game 1 with a non-negligible advantage.

Game 2:
The game between the Type II adversary A II and the challenger C is as follows: Initialization: On input a security parameter 1 k , the challenger C runs the algorithm setup (1 k ) to generate the public parameters params and the system master private key msk, then sends params and msk to the adversary A II .
Queries: A II can adaptively issue the following queries: � Extract-Secret-Value queries: The adversary A II queries the secret value of a user with identity ID, the challenger C runs the algorithm Set-Secret-Value to generate the user's secret value x ID and sends it to A II . � Extract-Public-Key queries: The adversary A II queries the public key of a user with identity ID, the challenger C runs the algorithm Set-Public-Key to generate the user's public key pk ID and sends it to A II . � TagGen queries: The adversary A II chooses a user identity ID, the user's secret value x ID and an identifier vid of subspace V. The challenger C runs the algorithm TagGen to generate the tag τ for the subspace V and returns it to A II . � Sign queries: The adversary A II chooses a user identity ID, the user's secret value x ID , a subspace V and a tag τ of the subspace V which is an output of TagGen queries. The challenger C runs the algorithm Sign to generate the signature σ 1 , …, σ m for basis vectors v 1 , …, v m ∈ V and returns them to A II .
2. The Extract-Secret-Value query on ID* has never been submitted. 3. The adversary has never submitted a TagGen query on

The adversary has submitted a TagGen query on
We define the advantage of an adversary A II wins the game 1 as ϵ A II ¼PrA II wins�.

| An overview
To improve network transmission throughput, in EHS networks, the source node transmits the collected data to the destination node via the linear network coding. Before transmission, the source node splits the collected data into vectors The augmented method is as follows: The data vector component v i L is left-most n items and the global coefficient vector component v i R is the right-most m items. Suppose the destination node obtains m linearly independent vectors ṽ 1 , ṽ 2 , …, ṽ m . The destination node computes an m � m matrix B such that The original vectors w 1 , w 2 , …, w m is then given by To prevent pollution attack in network coding, each augmented vector v i should append with a valid signature sign(v i ) to construct a complete data packet. The require- A linear homomorphic network coding signature scheme can achieve this requirement. In previous works, most of schemes employ the form of homomorphic function construction from the study by Khan and Salah [14], such that a one-way function mapped to G 1 and g j ∈ G 1 . In our scheme, we construct the novel homomorphic function is a one-way function mapped to Z q and ω ∈ G T . Obviously, the homomorphic function we designed is more efficient because we reduce the number of expensive exponential computation. Figure 2 shows the process of communication between two entities (source node and destination node) using network coding with linearly homomorphic signature. The detailed demonstration of the communication process is as follows. A third party (i.e. KGC) generates some parameters as public information in the system initialization phase, and the source node needs to access into the system before communicating. To join the system, each node provides its public key (unique identifier, such as serial number) to KGC. The KGC issues a partial private key once it received the access requirement from the node. So far, the node becomes the legal user and can communicate with other entities in F I G U R E 2 A description of network coding in IoT networks. IoT, Internet of Things the same system. The source node should sign the vector v i using a method that demonstrated in signature generation phase before sending data packets, and load the vector and the related signature information into a data packet. The source node sends data packets to neighbour nodes (such as router, repeater). The node should first check data packets' integrity that it received. If a vector and the corresponding signature can pass the verification given in subsection 3.5, the data packet is uncorrupted. The intermediate node encodes all uncorrupted data packets and generates the corresponding signature according to step 2 in subsection 3.5. The intermediate node then forwards the merged data packet to the next node. The destination node will recover the original data by the decoding rule when it received sufficient uncorrupted data packets.
We describe the algorithms of the proposed scheme as follows which is also presented in Table 1.

| System setup
In the system setup phase, the health-centre as the KGC generates the system public parameters and the system master private key by running the algorithm Setup. Taking a security parameter 1 k as input, the health-centre first chooses a cyclic group G 1 with the prime order q and a symmetric bilinear map e : G 1 � G 1 → G T . Also, the health-centre picks a generator g ∈ G 1 , a random integer s ∈ Z * q as the master secret key and sets P pub ¼ g s as the system master public key. Then, the health-centre chooses three collision-resistant hash functions: The health-centre publishes the system public parameters params ¼ <q; g; G 1 ; G T ; e; P pub ; H 1 ; H 2 ; H 3 ; ω> and keeps the system master private key msk ¼ s secret, where ω ¼ e g; g ð Þ.

| User registration
The user registration consists of the following three steps.
Step 1: The health-centre generates the user's partial private key D ID ¼ z ID ; R ID ð Þ by running the algorithm Generate-Partial-Private-Key. Taking the public parameters params and a user identity ID as input, the health-centre randomly selects r ID ∈ Z * q and computes R ID ¼ g r ID , Then the healthcentre sends the partial private key D ID to the user with identity ID via secure channel.
Step 2: The user generates his/her secret value x ID by running the algorithm Set-Secret-Value. Taking the public parameters params and a user identity ID as input, the user randomly selects x ID ∈ Z * q as his/her secret value.
Step 3: The user first checks the partial private key, if the following equation g z ID ¼ R ID ⋅ P H 1 ðID‖PK‖R ID Þ pub holds, then the user sets his/her full secret key sk ID ¼ (D ID , x ID ) by running the algorithm Set-Private-Key. In addition, the user computes U ID ¼ g x ID by running the algorithm Set-Public-Key and sets his/her public key pk ID ¼ (U ID , R ID ).

| Signature generation
The signature generation consists of three steps. We describe the signature generation process as follows: Step 1: The user (source node) first splits the file into m packets, and each packet can be regard as n-dimensional vector According to the encoding rule in network coding, the user augments the vector w i to v i according to Equation (1) , v m } denote the subspace with the identifier vid spanned by the m augmented vectors.
Step 2: The user generates the tag for the subspace V with the identifier vid by running the algorithm TagGen. The detailed process as follows: -137 1. The user first selects x ∈ Z * q at random, and then computes Step 3: The user generates the signatures for a basis vector of the subspace V by running the algorithm Sign. The user computes the signature σ i ¼ (σ i1 , σ i2 ) of the vector w i : The user sends tag τ of the subspace V, the data packets v 1 , …, v m and the corresponding signatures σ 1 , …, σ m to all neighbour nodes.

| Data detection
The process consists of two steps. We describe the detection of data packets as follows: Step 1: The node (intermediate router node or the destination node) first checks the integrity of all received packets fv i g l i¼1 ; l ∈ 1; m�, Step 2: The intermediate router node combines all uncorrupted data packets and the corresponding signatures with the coding coefficient Case 1: The intermediate router node first checks the tag τ of the subspace. If Equation (6) holds, the node checks all received data packets. If Equation (7) holds, the node combines all the uncorrupted data packets into a combined one and computes its signature. Meanwhile, the intermediate router node forwards the combined data packets with its signature to the neighbour nodes and discards all corrupted data packets.
Case 2: The destination node first checks the tag τ of the subspace. If Equation (6) holds, the node checks all received data packets. If Equation (7) holds and the node has received enough uncorrupted data packets, the node can recover the original data by decoding. Also, the destination node discards all corrupted data packets.

| Correctness
We analyse the correctness of the scheme from the following three aspects:

| Security analysis
We can prove that our CL-LHS scheme is existentially unforgeable under adaptively chosen identity and adaptively chosen subspace attacks in the random oracle model.

Theorem 1 If the Type I adversary A I can break the lightweight certificateless linearly homomorphic
network coding signature scheme with advantage at most ϵ A I and running time at most t, the k-CAA problem can be solved with non-negligible advantage where q ke ; q H 1 ; q t are the number of queries made to Generate-Partial-Private-Key Queries, H 1 Queries and TagGen Queries, respectively.
Proof: Given some public parameters params ¼ ðq; G 1 ; G T ; g; eÞ. Suppose there is a polynomialtime adversary A I , we construct another polynomial-time algorithm B to solve the k-CAA problem by interacting with A I . Let k þ 1 ¼ q H 2 , if given a random input of k-CAA problem instance g, W ¼ g a , and k pairs ðh 1 ; ðg aþh 1 Þ À 1 Þ; …; ðh k ; ðg aþh k Þ À 1 Þ, the algorithm B is required to output a new pair ðh; ðg aþh Þ À 1 Þ for h ∉ h 1 , h 2 , …, h k .
Initialization: B sets P pub ¼ W as the system master public key, and then sends the public parameters params ¼ ðq; g; G 1 ; G T ; e; W ; H 3 ; ωÞ to A I , where H 3 : 0; 1 f g * � Z n � G 1 → Z * q ; ω ¼ eðg; gÞ. The two hash functions H 1 , H 2 are reviewed as random oracle.
Oracle Simulation: A I can adaptively issue the following queries.  randomly selects x IDi ∈ Z * q , sends it to A I and adds ID i ; x IDi ð Þ into L 2 list.
Extract-Public-Key Queries: B maintains a list L 3 consisting of the tuples ID i ; pk ID i À � . The list is initially empty. On receiving a query on an identity ID i , B iterates over the L 3 list. If ID i is in the L 3 list, then B sends pk ID i to A I . Otherwise, B first takes out the secret value x ID i from the list L 2 , if ID i is not in the L 2 list, then B randomly selects x ID i ∈ Z * q and adds the tuple ID i ; x ID i ð Þ into L 2 -list. Then, B executes the following: in the L 1 list, and sets pk ID i ¼ ðU ID i ; R ID i Þ. Then, B sends pk ID i to A I and adds the tuple ðID i ; pk ID i Þ into L 3 list.
Then, B sends pk ID i to A I and adds the tuple ðID i ; pk ID i Þ into L 3 list.

Replace-Public-Key Queries:
A I sends a user identity ID i and a new public key pk 0 The list is initially empty. On receiving a query on Otherwise, B does the following: TagGen Queries: A I maintains a list L 4 consisting of (ID i , vid i , V, x i , τ i ). The list is initially empty. A I adaptively chooses a user identity ID i , a subspace V with the identifier vid, user's secret value x ID i associated with current public key U ID i (if the U ID i is the original one, then x ID i ¼ ⊥). If there is a tuple containing (ID i , vid i , V) in the L 4 list, then B sends τ i to A I . Otherwise, B does the following: (a) B takes out the user's partial private key z ID i from the list L 1 , and the secret value x ID i from the list L 2 .
B reselects x i ∈ Z * q at random and imitates A I to issue a H 2 query on (ID i , vid i , Y i ). B takes out the β i from the L H 2 list.
The correctness of the tag τ i can be testified by � If i ¼ t, the user's partial private key is unknown to B. B first iterates over the L H 2 list, and then does the following: (a) If c t ¼ 1, then B terminates the simulation and outputs ⊥.
, and sets the tag of the subspace V, The correctness of the tag τ i can be testified by Sign Queries: A I adaptively chooses a user identity ID i , a subspace V with the identifier vid, a tag τ of the subspace V which is an output of TagGen queries, user's secret value x ID i associated with current public key U ID i (if the U ID i is the original one, then � If i ≠ t, B takes out the random value x i and the tag τ i from the L 4 list and does the following.
The correctness of σ i can be testified by � If i ¼ t, the user's partial private key is unknown to B. B first takes out the random value x i and the tag τ i from the L 4 list and does the following.
The correctness of σ i can be testified by Output: Eventually the adversary A I outputs a tuple (ID * ; pk ID * , vid*, τ*, v*, σ*), where vid is the identifier of the subspace V*, τ* is the tag of the subspace V* and the vector v* ∈ V*. The adversary A I wins the game if the following four conditions are satisfied: (a) The Generate-Partial-Private-Key query on ID* has never been submitted. (b) The adversary has never submitted a TagGen query on where the secret value x ID � is corresponded to the latest U ID � . (c) The adversary has submitted a TagGen query on (ID � ; x ID � ; vid � , V*), but τ≠τ*. Where the secret value x ID � is corresponded to the latest pk ID � and τ is the output of TagGen query on ID � ; x ID � ; vid � ; V � ð Þ. (d) Verify ðparams; ID * ; pk ID * ; vid * ; τ * ; v * ; σ * Þ ¼ 1.
That is, If ID*≠ID t , then B terminates the simulation and outputs ⊥.
� If E 1 happens, then we consider the following three circumstances: (a) The simulator B does not output ⊥ in the Generate-Partial-Private-Key queries phase. The probability is ð1 À 1 q H 1 Þ q ke that the simulation not terminated. (b) The simulator B does not output ⊥ in the TagGen Query phase. The probability is ð1 À 1 q H 1 ξÞ q t that the simulation not terminated. Therefore, we have In summary, we have ϵ 0

Theorem 2
If the Type II adversary A II can break the certificateless linearly homomorphic network coding signature scheme with advantage at most ϵ A II and running time at most t, the k-CAA problem can be solved with non-negligible advantage, where q H 1 ; q sv ; q t are the number of queries made to H 1 Queries, Extract-Secret-Value Queries and TagGen Queries, respectively. Proof: Given some public parameters params ¼ ðq; G 1 ; G T ; g; eÞ. Suppose there is a polynomial-time adversary A II , we construct another polynomial-time algorithm B to solve the k-CAA problem by interacting with A II .
Let k þ 1 ¼ q H 2 , if given a random input of k-CAA problem instance g, W ¼ g a , and k pairs ðh 1 ; ðg aþh 1 Þ À 1 Þ; …; ðh k ; ðg aþh k Þ À 1 Þ, the algorithm B is required to output a new pair ðh * ; ðg aþh Þ À 1 Þ for h* ∉ h 1 , h 2 , …, h k . Initialization: B randomly selects s ∈ Z * q as the system master private key, computes P pub ¼ g s as the system master public key, and then sends the public parameters params ¼ ðq; g; G 1 ; G T ; e; P pub ; H 3 ; ωÞ and s to A II , where terminates the simulation and outputs ⊥.
Extract-Public-Key Queries: B maintains a list L 3 consisting of tuples ID i ; pk ID i À � . The list is initially empty. On receiving a query on an identity ID i , B iterates over the L 3 list. If ID i is in the L 3 list, then B sends pk ID i to A II . Otherwise, B first takes out the secret value x ID i from the list L 2 , if ðID i ; x ID i Þ is not in the L 2 list, then B randomly selects x ID i ∈ Z * q and adds the tuple ID i ; x ID i ð Þ into L 2 -list. Then, B executes the following: in the L 1 list, and sets pk ID i ¼ ðU ID i ; R ID i Þ. Then, B sends pk ID i to A II and adds the tuple ðID i ; pk ID i Þ into L 3 list. � If i ¼ t, then B randomly selects a random r ID i , computes R IDi ¼ g r IDi , U IDi ¼ W and sets pk ID i ¼ ðU ID i ; R ID i Þ.
Then, B sends pk ID i to A II and adds the tuple ðID i ; pk ID i Þ into L 3 list.
The list is initially empty. On receiving a query on Otherwise, B does the following: ; h k f g that has never been selected, computes β i ¼ ðr ID i þ sb i Þ=h 0 i , and sets H 2 (ID i ‖vid‖Y i ) ¼ β i . B then sends β i to A II , and adds the tuple TagGen Queries: A II maintains a list L 4 consisting of (ID i , vid i , V, x i , τ i ). The list is initially empty. A II adaptively chooses a user identity ID i , a subspace V with the identifier vid, user's secret value x ID i (if A II does not know the secret value, he/she can provide x ID i ¼ ⊥). If there is a tuple containing (ID i , vid i , V) in the L 4 list, then B sends τ i to A II . Otherwise, B does the following: (a) B computes the user's partial private key z ID i , and takes out the secret value x ID i from the list L 2 .
The correctness of tag τ i can be testified by � If i ¼ t, the user's secret value is unknown to B. B first iterates over the L H 2 list, and then does the following: (a) If c t ¼ 1, then B terminates the simulation and outputs ⊥. (b) If c t ¼ 0, then B selects randomly x i ∈ Z * q and computes , and sets the tag of the subspace V, The correctness of the tag τ i can be testified by Sign Queries: A II adaptively chooses a user identity ID i , a subspace V with the identifier vid of V, a tag τ which is an output of TagGen queries, user's secret value x ID i (if A II does not know the secret value, he/she can provide x ID i ¼ ⊥ The correctness of σ i,j can be testified by The correctness of signature σ i,j can be testified by Output: Eventually the adversary A II outputs a tuple (ID * ; pk ID * , vid*, τ*, v*, σ*), where vid is the identifier of the subspace V*, τ* is the tag of the subspace V* and the vector v* ∈ V*. The adversary A II wins the game if the following four conditions are achieved: (a) The Extract-Secret-Value query on ID* has never been submitted. (b) The adversary has never submitted a TagGen query on ID � ; ⊥; vid � ; V � ð Þ.
In summary, we have ϵ 0

| Theoretical analysis
We give in Table 2 [35], and our scheme in efficiency and functionality. Let T H denote map-to-point hash operation, T P denote bilinear pairing operation, T E 1 ; T E 2 denote exponential operation in G 1 ; G T , respectively, and T M 1 ; T M 2 denote multiplicative operation in G 1 ; G T , respectively. We omit the map to Z q hash operation, additive operation in Z q and the inverse operation in Z * q , since the cost of these operations is negligible. To facilitate comparison, we assume a file F can be split to m vectors and each vector is n-dimensional. That is, the augmented vector is (m þ n)-dimensional. Let N ¼ m þ n denote the dimension of the augmented vector and c denote the number vectors to be combined.
The source node generates signatures for the file F needs NT E 1 in Jiang et al.'s scheme [35], and needs mðN þ  [21]. The computation cost in both two schemes is related to the dimension N of the augmented vector in signature generation and data detection.
In signature phase of our scheme, the source node only needs 1 exponentiation in G 1 and 2m + 1 exponentiation in G 2 . The computation cost of the intermediate node in checking a combined vector is 2T The computation cost in generating signatures for vectors and checking data packets is independent of the dimension N of the augment vector. It is only depend on the number c of the vectors to be combined.
FromTable2, we saythatour scheme is more efficientthan the other schemes. Particularly, our scheme requires less computation cost in the signature generation and detection. Therefore, our scheme can improve the data transmission efficiency in EHS networks. In addition, we provide comparisons based on some criteria such as verifiable tag and semi-honest third party.

| Experiment analysis
The computation cost of our scheme is evaluated through experiment in this section. We use a simulator built in Java, and

Scheme
Sig.comp Detect.comp

Verifiable tag
Semi-honest Third Party [35] NT E1 ðN þ 2cÞT E1 þ T H þ 2ðc À 1ÞT M1 þ 2T P � � -143 perform the scheme on a PC with a 3.2 GHz quad-core processor. The curve we employed in the simulation is of a.
properties, which is one of the standard parameters in JPBC library [37]. It provides a symmetric pairing and the security parameter is λ ¼ 160 bits. Figure 3 shows the computation cost at each stage, including our scheme, Chang et al.'s [21] scheme and Jiang et al.'s [35] scheme, respectively. To facilitate the simulation, we split a file F into five vectors, the dimension of the original vector is 5, and the number of the combined vectors is 5.
As is shown in Figure 3, it is clear that our scheme has the lower computation cost than the other two schemes in both Signature Generation phase and Data Detection phase. In our scheme, the total time cost is about 33 ms in System Setup phase and User Registration phase. It is lower than Jiang et al. node or destination node spends about 31 ms to combine five received vectors and checks the combined vector. Meanwhile, the time cost of the node is 369 ms in Chang et al.'s scheme which is about 12 times that of our scheme and the time cost of the node is 213 ms in Jiang et al.'s scheme which is about 7 times that of our scheme. It means that our scheme is more efficient. Figure 4 shows a more detailed computation cost of our scheme in Signature Generation phase and Data Detection phase. Suppose there are 500 sectors, the maximum transmission unit is no more than 50 sectors (i.e. the maximum value of the packet) and the number of the combined vectors is 5. Therefore, the dimensions of the original vectors are 15,20,25,30,35 and the corresponding numbers of the vectors are 34, 25, 20, 17, 15, respectively. As shown in Figure 4, the computation cost increases as the dimension grows. To improve transmission efficiency, the user should try to make the vector dimension as large as possible under the maximum transmission unit. The computation cost of Data Detection is constant when the numbers of the combined vectors are unchanging. Figure 5 shows the computation cost of data detection for different number of the combined vectors. To facilitate the illustration, the dimension of the original vector is 25 and the number of the vectors is 20. The number of the combined vectors is from 5 to 25. As shown in Figure 5, the computation cost increases with the increase in the number of combined vectors. The experiment results demonstrate that our proposed scheme is practical in EHS.

| CONCLUSION
We first formalize the formal definition as well as the security model for CL-LHSs. We then construct a secure and efficient CL-LHS. The scheme can be used in network coding to detect corrupted data packet for secure transmission. Even if some corrupted data packets have been discarded, the destination node can retrieve the original message with high probability as long as the destination node has received adequate uncorrupted data packets. As the intermediate node only needs low computation cost to detect the received data packet, our scheme increases the transmission efficiency while the current network throughput is unchanged. The correctness and security of the proposed protocol are proved in our security model. The computation cost in signature generation and data detection has been evaluated using theoretic analysis and simulated experiments. The simulation results demonstrate that our protocol is more efficient than other related schemes for network coding in EHS.