I. Introduction
II. Preliminaries
 1. Bilinear Map
 2. Notations and their Descriptions
 3. Computational Problems
Adv CDH, t (𝒜)=Pr[𝒜(P, xP, yP)=xyP/x, y∈ Z q * ].
III. New IDS Scheme
 1. System Setup
 2. Key Extract
This algorithm, run by the KGC, receives an identity ID∈{0, 1}* of a user and then computes
Q
_{ID}
=
H
_{1}
(ID) and
d
_{ID}
=
sQ
_{ID}
∈
G
. The KGC securely transmits (
Q
_{ID}
,
d
_{ID}
) to the user with identity “ID.” The user keeps
d
_{ID}
securely and makes
Q
_{ID}
public.
 3. Signature Generation
The user provides the following information as input for this algorithm: identity ID, private key
d
_{ID}
, Params, and message
m
∈{0, 1}*. The computations performed are as follows:

▪ Select an integerr∈Zq*at random and computeU=gr∈GT,h=H2(m, ID, U)∈Zq*,andV=hdID+rPpub∈G.

▪ Generate the signature on messagemof the user with identity ID asσ= (U,V)∈GT×G.
 4. Signature Verification
Any
verifier
can run this algorithm, which takes the signature
σ
on a message
m
by a user with identity ID as input. The verification is done as follows:

▪ Compute the hash valueh=H2(m, ID, U)∈Zq*.

▪ Verify the validity of the equatione^(P, V)=e^(Ppub, hQID)U.If it is valid, then accept the signature; else, reject the signature.
IV. Security Analysis
This section presents a proof of correctness and a security reduction of the proposed IDS scheme under an adaptively chosen message and ID attack under a random oracle paradigm.
 1. Proof of Correctness
The following equation shows that the proposed IDS scheme is correct; the verification equation is valid:
e ^ (P, V) = e ^ (P, h d ID +r P pub ) = e ^ (P, h d ID ) e ^ (P, r P pub ) = e ^ (sP, h Q ID ) e ^ (sP, P) r = e ^ ( P pub , h Q ID ) U.
 2. Security Reduction
In the following, we prove that the proposed scheme is unforgeable under chosen message and identity attacks under a random oracle paradigm, with the assumption that the CDH problem is hard.
Theorem 1.
Let 𝒜 be a probabilistic polynomial time forger who forges the proposed IDS scheme with nonnegligible advantage. Then, there is an algorithm 𝐵 that can output the given CDH instance (
P
,
aP
,
bP
)∈
G
with a nonnegligible advantage in probabilistic polynomial time.
Proof.
Let 𝒜 be a forger who breaks the proposed IDS scheme. We show that by using 𝒜 one can construct an algorithm 𝐵 that can solve the CDH problem. Algorithm 𝐵 is given (
P
,
aP
,
bP
) as a random instance of the CDH problem in
G
; that is, its goal is to output
abP
∈
G
. Algorithm 𝐵 simulates an original signer to obtain a valid signature from 𝒜, and by doing so, it can solve the CDH problem.
A. Setup/Queries
Algorithm 𝐵 sets
P
_{pub}
=
aP
as the system’s overall public key and provides 𝒜 with Params. At any time, 𝒜 may make queries to oracles
H
_{1}
,
H
_{2}
, key extract, and signature. We presume that prior to any query from key extract, both a signature query and a
H
_{1}
query have already been made on an identity ID. To respond to these queries, algorithm 𝐵 does the following:

▪H1– queries: Algorithm 𝐵 keeps a list,L1, which is empty initially of tuples, (ID,c,d,v) to respond toH1– queries. Upon receiving a query from theH1oracle for ID∈{0, 1}*, made by 𝒜, algorithm 𝐵 proceeds as follows:(i) IfL1consists of the queried ID, then algorithm 𝐵 responds withH1(ID) =v∈G.(ii) If not, then algorithm 𝐵 flips a coind∈{0, 1} generated at random, such that Pr[d= 0] =1/ (qK+1). Here,qKdenotes a query made to the key extraction oracle.(iii) Now, algorithm 𝐵 picks a random integerc∈Zq*and computesv=c(bP)∈Gford= 0, andv=cP∈Gford= 1.(iv) Algorithm 𝐵 adds (ID,c,d,v) to listL1and returnsH1(ID) =v∈Gto 𝒜

▪H2– queries: Algorithm 𝐵 keeps a listL2of tuples, (m, ID,U,w), which is empty initially. To respond toH2queries made by 𝒜 on tuple (m, ID,U), algorithm 𝐵 proceeds as follows:(i) IfL2contains queried tuple (m, ID,U), then algorithm 𝐵 providesH2(m, ID, U)=w∈Zq*.(ii) If not, then algorithm 𝐵 picks a random integerw∈Zq*,inserts (m, ID,U,w) inL2and returnsH2(m, ID, U)=w∈Zq*to 𝒜.
B. Key Extraction Queries
Upon receiving the private key queries on an identity ID by 𝒜, algorithm 𝐵 retrieves the respective tuple (ID,
c
,
d
,
v
) from
L
_{1}
and does the following:

1) It outputs “failure” and then halts, ford= 0.

2) Ifd = 1, then it computes and returnsdID=cPpub=c(aP) =a(cP) ∈Gto 𝒜.
C. Signature Queries
Upon receiving the signature query on a message
m
under ID from 𝒜, algorithm 𝐵 retrieves the
H
_{1}
oracle and obtains the tuple (ID,
c
,
d
,
v
) from
L
_{1}
. Algorithm 𝐵 then selects a random integer
x∈ Z q *
and computes
U
=
g^{x}
. In addition, if the list
L
_{2}
contains the tuple (
m
, ID,
U
,
w
), then 𝐵 chooses
w ′ ∈ Z q *
and tries again; that is, 𝐵 adds (
m
, ID,
U
,
w'
) to
L
_{2}
. Now, 𝐵 computes
V
= (
wc
+
x
)
P
_{pub}
and returns σ = (
U
,
V
) to 𝒜 as the queried signature.
The responses to signature queries are valid, as well the output
σ
. This can be seen from the following:
e ^ (P, V) = e ^ ( P, (wc+x) P pub ) = e ^ (P, wc P pub ) e ^ (P, x P pub ) = e ^ (aP, wcP) e ^ (aP, xP) = e ^ ( P pub , w Q ID )U.
D. Forgery
Eventually, 𝒜 stops by conceding failure or returns a forgery
σ
on
m
under ID. Algorithm 𝐵 obtains (ID,
c
,
d
,
v
) from
L
_{1}
, declares failure if
d
= 1, and stops. If not, then it computes
Q
_{ID}
=
c
(
bP
) for
d
= 0. The forged signature
σ
must satisfy
e ^ (P, V)= e ^ ( P pub , w Q ID )U.
Now, 𝐵 retrieves the respective tuple (
m
, ID,
U
,
w
) from
L
_{2}
and computes
V
= (
wc
+
x
)
P
_{pub}
; thus, we have
e ^ ( P pub , w Q ID )U = e ^ ( P pub , w(c(bP)) ) e ^ ( P pub , P) x = e ^ ( P pub , wcbP+xP) = e ^ (P, wcabP+x P pub ) = e ^ (P, V) ⇒ V=wcabP+x P pub .
Now, 𝐵 outputs
abP
as a solution to the CDH instance by computing
abP
=
w
^{−1}
c
^{−1}
(
V
−
xP
_{pub}
). This concludes the description of algorithm 𝐵. ■
V. Batch Verifications of Proposed IDS Scheme
This section presents batch verifications of different types for the proposed IDS scheme. To verify a
k
batch signature,{(ID
_{i}
,
m_{i}
,
σ_{i}
)}
_{i=1, 2, …, n}
, for
n
≤
k
, the verifier uses the following batch verify algorithms:

1) For Type 2 batch verifications: In this case, we have ID = ID1= … = IDn. The verifier computesQIDi=H1(IDi)∈Gandhi=H2(mi,Ui), fori= 1, 2, … ,n. In addition, the verifier computesU=∏i=1nUi,whereUi=gri. The Type 2 batch verification algorithm outputs “1” if the following equation holds; otherwise, it outputs “0”:
e ^ ( P, ∑ i=1 n V i )= e ^ ( P pub , ∑ i=1 n h i Q ID )U.

2) For Type 3 (or 1) batch verifications: The verifier first computesQIDi=H1(IDi) ∈Gandhi=H2(mi,Ui), fori= 1, 2, … ,n. In addition, the verifier computesU=∏i=1nUi,whereUi=gri. The Type 3 (or 1) batch verification algorithm outputs “1” if the following equation holds; otherwise, it outputs “0”:
e ^ ( P, ∑ i=1 n V i )= e ^ ( P pub , ∑ i=1 n h i Q ID i )U.
One can verify that the batch verifications of the proposed IDS scheme are correct as shown below.
Proof of Correctness
. For Type 2 batch verifications, we have the following:
e ^ ( P, ∑ i=1 n V i ) = e ^ ( P, ∑ i=1 n ( h i d ID + r i P pub ) ) = e ^ ( P pub , ∑ i =1 n h i Q ID ) e ^ ( P pub , ∑ i=1 n r i P ). = e ^ ( P pub , ∑ i=1 n h i Q ID )U.
For Type 3 (or 1) batch verifications, we have the following:
e ^ ( P, ∑ i=1 n V i ) = e ^ ( P, ∑ i=1 n ( h i d ID i + r i P pub ) ) = e ^ ( P pub , ∑ i=1 n ( h i Q ID i + r i P) ) = e ^ ( P pub , ∑ i=1 n ( h i Q ID i ) ) e ^ ( P pub , ∑ i=1 n r i P ) = e ^ ( P pub , ∑ i=1 n h i Q ID i )U.
VI. Security Analysis of Batch Verifications of Proposed IDS Scheme
In this section, we will show that the proposed IDS scheme provides
k
batch existential unforgeability against adaptive chosen message and ID attacks.
Definition 1.
The proposed
k
batch IDS scheme offers existential unforgeability under adaptively chosen message and ID attacks if there is no probabilistic polynomial time adversary/forger 𝒜 with nonnegligible advantage in the following game played between 𝒜 and a challenger, 𝒞 :

1) Setup: This phase is similar to the one in Theorem 1.

2) Queries: Forger 𝒜 makes similar queries as in Theorem 1.

3)kbatch forgery: For some integern≤k, the forger 𝒜 outputsnsignatures (IDi,mi,σi) , fori= 1, 2, … ,n. Note that there exists at least one indexisuch that IDiis not asked the extract query and (IDi,mi) in the key extraction oracle and a tuple (IDi,mi) is also not asked in the sign query; that is, the forger 𝒜 owns at most (n− 1) private keys ofnidentities. Forger 𝒜 wins the game if the batch verify algorithm outputs “1.” The advantage of the forger 𝒜 is as the probability that 𝒜 wins.
 1. Security ofkBatch Signature for Type 2
A security proof for Type 2 batch verifications of the proposed IDS scheme is presented below.
Theorem 2.
Let 𝒜 be a probabilistic polynomialtime forger who can forge the Type 2
k
batch signature of the proposed IDS scheme with a nonnegligible advantage under a random oracle paradigm. Then, there is an algorithm 𝒜 that can output the given CDH instance with nonnegligible advantage in probabilistic polynomialtime.
Proof.
Assume that 𝒜 is a forger who can forge a Type 2
k
batch signature under adaptively chosen message and ID attacks with a nonnegligible advantage. As in Theorem 1, we show that there exists an algorithm 𝐵 that solves the given instance of the CDH problem using 𝒜. Algorithm 𝐵 runs the
setup
algorithm to obtain the public and private keys. The public key is sent to 𝒜. As discussed in Theorem 1, 𝒜 issues queries and is answered by 𝐵.
Algorithm 𝐵 obtains the corresponding tuple (ID
_{i}
,
c_{i}
,
d_{i}
,
v_{i}
) from list
L
_{1}
, declares failure if
d
= 1, and stops. If not, it computes
Q
_{ID}
=
c
(
bP
) for
d
= 0.
The signature
σ
= (
U
,
V
) must satisfy the equation
e ^ ( P, ∑ i=1 n V i )= e ^ ( P pub , ∑ i=1 n h i Q ID )U.
Now, 𝐵 recovers the corresponding tuple (
m_{i}
, ID,
U_{i}
,
w_{i}
) from list
L
_{2}
and computes
V
_{1}
= (
w
_{1}
c
+
x
_{1}
)
P
_{pub}
. Consider
e ^ ( P pub , w 1 Q ID ) e ^ ( P pub , x 1 P)= e ^ (aP, w 1 c(bP)+ x 1 P) e ^ (P, w 1 c(abP)+ x 1 P pub )= e ^ (P, V 1 ). ⇒ V 1 = w 1 c(abP)+ x 1 P pub ⇒ w 1 c(abP)= V 1 − x 1 P pub .
Now, 𝐵 outputs
abP
as a solution to the CDH instance by computing
abP
=
w
_{1}
^{−1}
c
^{−1}
(
V
_{1}
−
x
_{1}
P
_{pub}
). ■
 2. Security ofkBatch Signature for Types 1 and 3
In the following, we prove the security of batch verifications of Types 1 and 3 of the proposed IDS scheme. Notice that a Type 1 batch verification is a subcase of Type 3. Thus, it is enough to prove the security of a
k
batch signature of Type 3.
Theorem 3.
Let 𝒜 be a probabilistic polynomialtime forger who can forge a Type 3
k
batch signature of the proposed IDS scheme with a nonnegligible advantage under a random oracle paradigm. Then, there is an algorithm 𝐵 that can output the given CDH instance with nonnegligible advantage in probabilistic polynomialtime.
Proof.
Let ID
_{i}
, for
i
= 1, 2, … ,
n
, denote the identities of distinct signers participating in a signing. From Definition 1, an adversary owns at most (
n
− 1) private keys of
n
signers. Assume that there exists a probabilistic polynomialtime adversary 𝒜 that can forge a
k
batch signature of the proposed IDS scheme of Type 3 for adaptively chosen message and
ID
attacks with a nonnegligible advantage.
As in Theorem 1, there exists a probabilistic polynomialtime algorithm 𝐵 that returns a forged
k
batch signature of Type 3,
σ
on messages {
m_{i}
} under {ID
_{i}
}, for
i
= 1, 2, … ,
n
, and 𝒜 must not have requested a signature on
m
_{1}
under ID
_{1}
.
Algorithm 𝐵 obtains (ID
_{i}
,
c_{i}
,
d_{i}
,
v_{i}
) from
L
_{1}
and continues if
d
_{1}
= 0 and
d_{i}
= 1 for 2 ≤
i
≤
n
. If not, then 𝐵 declares failure and stops. We have
Q
_{ID1}
=
c
_{1}
(
bP
) for
d
_{1}
= 0 and
Q
_{IDi}
=
c_{i}P
for
d_{i}
= 1,
i
> 1. The forged Type 3
k
batch signature
σ
must satisfy the equation
e ^ ( P, ∑ i=1 n V i )= e ^ ( P pub , ∑ i=1 n w i Q ID i )U.
Now, 𝐵 retrieves the
n
respective tuples (ID
_{i}
,
m_{i}
,
U_{i}
,
w_{i}
) from
L
_{2}
and computes
V_{i}
= (
w_{i}c_{i}
+
x_{i}
)
P
_{pub}
, for
i
> 1; thus, we have
e ^ (P, V i ) = e ^ (P,( w i c i + x i ) P pub ) = e ^ ( P pub , w i Q ID i ) U i ,
which implies
σ_{i}
is valid. Now, 𝐵 considers
V 1 =V− ∑ i=2 n V i ,
and outputs
e ^ (P, V 1 )= e ^ ( P, V− ∑ i=2 n V i )= e ^ (P, w 1 c 1 abP+ k 1 P pub ). ⇒ V 1 = w 1 c 1 abP+ x 1 P pub ⇒ w 1 c 1 abP= V 1 − x 1 P pub .
Now, 𝐵 outputs
abP
as a solution to the CDH instance by computing
abP
=
w
_{1}
^{−1}
c
^{−1}
(
V
_{1}
−
x
_{1}
P
_{pub}
). ■
VII. Complexity Analysis
In this section, we present the complexity issues and compare the computational efficiency of the proposed IDS scheme supporting batch verifications with related schemes. For comparison, we consider the timeconsuming operations. According to
[23]
and
[24]
, 1
T
_{p}
≈ 1200
t
_{m}
, 1
T
_{m}
≈ 29
t
_{m}
, and 1
T
_{a}
≈ 0.12
t
_{m}
, where
T
_{a}
denotes the time for evaluating a point addition in
G
,
T
_{m}
denotes the time for evaluating a point scalar multiplication over
G
,
T
_{p}
denotes the time to compute one pairing operation, and
t
_{m}
denotes the time to perform a modular multiplication in
Z q * .
An efficiency comparison of the proposed IDS scheme supporting batch verifications with related schemes; Yoon and others
[11]
; and Tseng and others
[16]
is presented in
Table 2
.
Scheme  Type 2 batch verifications  Types 3 batch verifications 
Yoon and others [11]  2T_{p} + nT_{m} + (2n−2)T_{a} = (29.24n + 2399.76)t_{m}  (n + 1)T_{p} + nT_{m} + (2n−2)T_{a} = (1229.24n + 1199.76)t_{m} 
Tseng and others [16]  2T_{p} + nT_{m} + (2n−2)T_{a} = (29.24n + 2399.76)t_{m}  (n + 1)T_{p} + nT_{m} + (2n−2)T_{a} = (1229.24n + 1199.76)t_{m} 
Proposed scheme  2T_{p} + nT_{m} = (29n + 2400)t_{m}  2T_{p} + nT_{m} + (n−1)T_{a} = (29.12n + 2399.88)t_{m} 
Compared with the other operations, the pairing evaluation is the most costly in terms of time. Despite the fact that much research has taken place to speed up the pairing computation
[22]
, it is still time consuming. The proposed IDS scheme is efficient when compared to the schemes in
[11]
and
[16]
for batch verifications of Types 2 and 3. In particular, for batch verifications of Type 3, the pairing operations in the schemes in
[11]
and
[16]
grow linearly with that of the signers, whereas the proposed IDS scheme requires a constant number (only two) of pairing operations irrespective of the number of signers, which reduces greatly the computational complexity. Hence, the proposed IDS scheme supporting batch verifications is more efficient than the related existing schemes.
VIII. Conclusion
In this paper, we have proposed a new, efficient IDS scheme using bilinear pairings supporting batch verifications. We have proved that various types of batch verifications for the proposed IDS scheme are unforgeable under a random oracle paradigm with the assumption that the CDH problem is intractable. In addition, a security reduction of the proposed IDS scheme and its batch verifications has been obtained without the use of a forking lemma
[21]
, and so is tightly related to the CDH problem. For batch verifications of Type 3, the proposed IDS scheme requires a constant number of pairing operations, which greatly improves the computational efficiency. In summary, the performance of our scheme is good, which makes the scheme applicable in practice. Both the security and high efficiency of the batch verifications mean that it is possible to apply them in environments where computational issues are seen as the main constraints, such as in adhoc networks. In future, we will extend our batch verification schemes for various forms of anonymous authentication, such as group signatures, ecash, evoting, intelligent cars to control traffic, and anonymous credentials.
BIO
gopalcrypto786@gmail.com
P.V.S.S.N. Gopal received his MS degree in applied mathematics and MPhil in (commutative algebra) mathematics from Pondicherry University, Puducherry, India, in 2001 and 2008, respectively. He received his PhD degree in applied mathematics from Andhra University, Visakhapatnam, India, in 2015. His research interests include abstract algebra, linear algebra, number theory, and elliptic curve cryptography. He is a lifetime member of the Cryptology Research Society of India.
Corresponding Author vasucrypto@yahoo.com
P. Vasudeva Reddy received his MS and PhD degrees in mathematics from Sri Venkateswara University, Tirupati, India, in 1998 and 2006, respectively. He received his MTech degree in computer science and technologynetworks from Andhra University, Visakhapatnam, India, in 2010. He is currently working as a professor with the Department of Engineering Mathematics, Andhra University. His research interests include algebra & number theory applications and cryptography. He has several publications in national and international reputed journals. He is an associate editor for the International Journal of Cryptography and Security. He is a member of the International Association of Engineers, and lifetime member of both the Cryptology Research Society of India and the Indian Mathematical Society.
gowri3478@yahoo.com
T. Gowri received her BTech degree in electronics and communications engineering from Nagarjuna University, Guntur, India, in 2000 and her MTech degree in electronics and communications engineering from Jawaharlal Nehru Technological University (A), Anantapur, India, in 2006. She is currently working as an assistant professor with the Department of Electronics and Communication Engineering, Gandhi Institute of Technology and Management University, Visakhapatnam, India. Her research interests include computer electronics, digital signal processing, and information security.
Fiat A.
“Batch RSA,”
Adv. Cryptology
Santa Barbara, CA, USA
Aug. 20–24, 1989
175 
185
Lim C.H.
,
Lee P.J.
1994
“Security of Interactive DSA Batch Verification,”
IEEE Electron. Lett.
30
(19)
1592 
1593
DOI : 10.1049/el:19941112
Yen S.M.
,
Laih C.S.
1995
“Improved Digital Signature Suitable for Batch Verification,”
IEEE Trans. Comput.
44
(7)
957 
959
DOI : 10.1109/12.392857
Bellare M.
,
Garay J.A.
,
Rabin T.
“Fast Batch Verification for Modular Exponentiation and Digital Signatures,”
Int. Conf. Theory Appl. Cryptographic Techn.
Espoo, Finland
May 31–June 4, 1998
236 
250
Shamir A.
“IdentityBased Cryptosystems and Signature Schemes,”
Adv. Cryptology
Santa Barbara, CA, USA
Aug. 19–22, 1984
47 
53
Boneh D.
,
Franklin M.
“IdentityBased Encryption from the Weil Pairing,”
Adv. Cryptology
Santa Barbara, CA, USA
Aug. 19–23, 2001
213 
229
Cha J.C.
,
Cheon J.H.
“An IdentityBased Signature Scheme from Gap DiffieHellman Groups,”
Int. Workshop Practice Theory Public Key Cryptography
Miami, FL, USA
Jan. 6–8, 2003
18 
30
Hess F.
“Efficient Identity Based Signature Schemes Based on Pairings,”
Sel. Areas Cryptography
St. John’s, Canada
Aug. 15–16, 2002
310 
324
Paterson K.G.
2002
“IDBased Signatures from Pairings on Elliptic Curves,”
IEEE Electron. Lett.
38
(18)
1025 
1026
DOI : 10.1049/el:20020682
Gopal P.V.S.S.N.
,
Reddy P.V.
,
Gowri T.
“New Identity Based Signature Scheme Using Bilinear Pairings over Elliptic Curves,”
IEEE Int. Adv. Comput. Conf.
Ghaziabad, India
Feb. 22–23, 2013
361 
365
Yoon H.
,
Cheon J.H.
,
Kim Y.
“Batch Verifications with IDBased Signatures,”
Int. Conf. Inf. Security Cryptology
Seoul, Rep. of Korea
Dec. 2–3, 2004
233 
248
Cao T.
,
Lin D.
,
Xue R.
2006
“Security Analysis of Some Batch Verifying Signatures from Pairings,”
Int. J. Netw. Security
3
(2)
138 
143
Cui S.
,
Duan P.
,
Chan C.W.
“An Efficient IdentityBased Signature Scheme with Batch Verifications,”
Int. Conf. Scalable Inf. Syst.
Hong Kong, China
May 29–June 1, 2006
152
(22)
Chiang H.F.
,
Yen S.M.
,
Lin H.C.
“Security Analysis of Batch Verification on IdentityBased Signature Schemes,”
WSEAS Int. Conf. Comput.
Crete Island, Greece
July 26–28, 2007
50 
55
Zhang C.
“An Efficient IdentityBased Batch Verification Scheme for Vehicular Sensor Networks,”
IEEE Conf. Comput. Commun.
Phoenix, AZ, USA
Apr. 15–17, 2008
816 
824
Tseng Y.M.
,
Wu T.Y.
,
Wu J.D.
“Towards Efficient IDBased Signature Schemes with Batch Verifications from Bilinear Pairings,”
IEEE Int. Conf. Availability, Rel. Security
Fukuoka, Japan
Mar. 16–19, 2009
935 
940
Hwang J.Y.
2015
“New Efficient Batch Verification for an IdentityBased Signature Scheme,”
Security Commun. Netw.
8
(15)
2524 
2535
DOI : 10.1002/sec.1194
Ren Y.
2015
“An Efficient Batch Verifying Scheme for Detecting Illegal Signatures,”
Int. J. Netw. Security
17
(4)
463 
470
Goh E.J.
,
Jarecki S.
“A Signature Scheme as Secure as the DiffieHellman Problem,”
Int. Conf. Theory Appl. Cryptographic Techn.
Warsaw, Poland
May 4–8, 2003
401 
415
Katz J.
,
Wang N.
“Efficiency Improvements for Signature Schemes with Tight Security Reductions,”
ACM Conf. Comput. Commun. Security
Washington, DC, USA
Oct. 27–30, 2003
155 
164
Pointcheval D.
,
Stern J.
2000
“Security Arguments for Digital Signatures and Blind Signatures,”
J. Cryptology
13
(3)
361 
396
DOI : 10.1007/s001450010003
Barreto P.S.L.M.
“Efficient Algorithms for PairingBased Cryptosystems,”
Adv. Cryptology
Santa Barbara, CA, USA
Aug. 18–22, 2002
354 
369
Koblitz N.
,
Menezes A.
,
Vanstone S.
2000
“The State of Elliptic Curve Cryptography,”
Des., Codes, Cryptography
19
(2)
173 
193
DOI : 10.1023/A:1008354106356
Menezes A.
,
Van Oorschot P.
,
Vanstone S.
1996
Handbook of Applied Cryptography
CRC Press, LLC
Boca Raton, USA