Next Article in Journal
A Novel Low-Power-Consumption All-Fiber-Optic Anemometer with Simple System Design
Next Article in Special Issue
A Multi-Objective Partition Method for Marine Sensor Networks Based on Degree of Event Correlation
Previous Article in Journal
Developing Fine-Grained Actigraphies for Rheumatoid Arthritis Patients from a Single Accelerometer Using Machine Learning
Previous Article in Special Issue
Position, Orientation and Velocity Detection of Unmanned Underwater Vehicles (UUVs) Using an Optical Detector Array
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

PSDAAP: Provably Secure Data Authenticated Aggregation Protocols Using Identity-Based Multi-Signature in Marine WSNs

1
College of Information Technology, Shanghai Ocean University, Shanghai 201306, China
2
Department of Computer Science and Technology, East China Normal University, Shanghai 200241, China
*
Author to whom correspondence should be addressed.
Sensors 2017, 17(9), 2117; https://doi.org/10.3390/s17092117
Submission received: 21 July 2017 / Revised: 28 August 2017 / Accepted: 6 September 2017 / Published: 14 September 2017
(This article belongs to the Special Issue Marine Sensing)

Abstract

:
Data authenticated aggregation is always a significant issue for wireless sensor networks (WSNs). The marine sensors are deployed far away from the security monitoring. Secure data aggregation for marine WSNs has emerged and attracted the interest of researchers and engineers. A multi-signature enables the data aggregation through one signature to authenticate various signers on the acknowledgement of a message, which is quite fit for data authenticated aggregation marine WSNs. However, most of the previous multi-signature schemes rely on the technique of bilinear pairing involving heavy computational overhead or the management of certificates, which cannot be afforded by the marine wireless sensors. Combined with the concept of identity-based cryptography, a few pairing-free identity-based multi-signature (IBMS) schemes have been designed on the basis of the integer factorization problem. In this paper, we propose two efficient IBMS schemes that can be used to construct provably secure data authenticated aggregation protocols under the cubic residue assumption, which is equal to integer factorization. We also employ two different methods to calculate a cubic root for the cubic residue number during the signer’s private key extraction. The algorithms are quite efficient compared to the previous work, especially for the algorithms of the multi-signature generation and its verification.

1. Introduction

In most of the wireless sensor networks (WSNs), the significant issue for data collection or data aggregation always lies in the center of data transmission, both in the academia and in the industry [1,2,3]. In most scenarios of marine WSNs, all the nearby wireless sensors send their data, such as the temperature, pressure, salinity, and potential of hydrogen (pH value) in the chemistry of the environmental monitoring ocean, to a central node, which is located at a base station or a buoy for data collection, as shown in Figure 1. The central node further sends the aggregated data through the long-distance data transmission networks, such as vessel-based or satellite-based networks [4]. However, marine sensors are always deployed far away from the security monitoring. Thus, the secure data aggregation for marine sensor networks has emerged and attracted the interest of researchers and engineers. In order to mitigate the malicious attackers injecting false data, it is quite necessary for each central node to authenticate these sensing measurements from the nearby sensors in the ocean observation system [5].
Generally, a digital signature often provides the properties of authenticity and non-repudiation through checking the signed acknowledgments from senders [6]. However, in WSNs, the international standards for broadcasting authentication are very vulnerable to signature verification flooding attacks, as the excessive requests for signature verification must run out of the computational resources of those victims [7]. The scenario seems worse, as the marine wireless sensors are powered by a limited battery and cannot afford these overloaded requests in an oceanic environment. To optimize the communication and computational overhead, a variant of digital signature, named multi-signature, permits various signers to sign on a message individually and aggregate partial signatures to a compact signature [8].
A multi-signature can play a significant role in authenticating different sensors’ data by checking a single compact signature to cut down the communication bandwidth for marine wireless devices, as the transmission of one-bit data consumes more energy than the arithmetic operations on several bits [9]. This seems a promising way to solve the data authentication in a multi-user scenario. Since the primitive has been proposed, multi-signature schemes have been paid attention to by most of the network designers and industry engineers. However, in the past years, most of the work on multi-signature schemes has been constructed by relying on the assumed existence of public key infrastructure (PKI) [10,11]; the heavy burdens of the digital public key certificate management bring high communication overhead and storage overhead when PKI is applied and implemented in the wireless networks. The cases become worse when the sensors are deployed in the marine environments (denoted as Problem 1).
To overcome the weakness brought by PKI, identity-based cryptography emerges as a novel cryptographic primitive and a powerful alternative to traditional certificate-based cryptography, which has been raised early on in [12] and is further specifically designed in [13,14]. Identity-based cryptography makes some public, known information a public key, such as the device’s number, IP address, or a username, to mitigate the management problem for the public key certificates. In the extreme case that the bandwidth is a bottleneck, the identities of the signers often appear in the head of the communication packets, instead of in the transmission of the heavy public keys. Inspired by this concept, the first identity-based multi-signature (IBMS) scheme, proposed in [15], uses a mathematical technique named “bilinear mapping”, such as is used in [13], and is proved to be secure, relying on discrete logarithm (DL) assumptions or computational Diffie–Hellman (CDH) assumptions. Because the operation of bilinear mapping involves too much computational overhead [16,17], many bilinear mapping techniques are not suitable for the battery-limited sensors in marine WSNs (denoted as Problem 2).
As a consequence, there is great interest for cryptographic researchers to design pairing-free identity-based cryptographic schemes [18]. The first non-pairing IBMS scheme was proposed in [19] with three-round interactive communications and under R. Rivest, A. Shamir, L. Adleman (RSA) assumptions. Later, a communication efficiency-improved IBMS scheme under RSA assumptions was presented in [20] with two-round interactive communications. Yang et al. [21] proposed an efficient improved IBMS scheme that aims to save the computational resources and communication bandwidth. Even if the RSA assumption approaches the integer factorization assumptions, unfortunately, the RSA assumption has not yet been proved equal to the factorization assumption (denoted as Problem 3).
To satisfy the application requirements and to avoid security concerns in cryptrography, it is common practice to construct alternative cryptographic schemes under a weaker assumption—integer factorization. Recently, cryptographic researchers have been focused on finding a new construction that is proved to be secure directly on the basis of factorization. Chai [22] gave an instance of an identity-based digital signature relying on the quadratic residue assumption. Following this, Wei et al. [6] proposed IBMS schemes using quadratic residue assumptions, under weaker assumptions and a strengthened security model, achieving advantages in the computational consumption and transmission overhead. Xing [23] and Wang [24] presented identity-based signature schemes under the cubic residue assumptions. Wang proposed several signature variants relying on cubic residues, including identity-based ring signature [25], identity-based proxy multi-signature (IBPMS) [26] and threshold ring signature [27]. Wei [28] considered an identity-based multi-proxy signature (IBMPS) scheme for use in a cloud-based data authentication protocol. Zhang [29] proposed a secure multi-entity delegated authentication protocol based on an identity-based multi-proxy multi-signature (IBMPMS) for mobile cloud computing. Unfortunately, none considered constructing IBMS schemes directly based on cubic residues (denoted as Problem 4).
Facing the above problems, this work constructs IBMS schemes relying on the cubic residue assumption equal to integer factoring. Our schemes have merits not only in the efficiency aspect, where we do not rely on the bilinear pairing maps or over exponentiations, but also in the security aspect, where we prove them to be secure under a weaker assumption of factoring to achieve stronger security. The contributions for this paper can be summarized as follows.
  • We have proposed two efficient IBMS schemes, denoted as IBMSCR−1 and IBMSCR−2, which are suitable for data aggregation among the sensors and collectors in marine WSNs.
  • We formally define the security of IBMS and prove IBMSCR−1 to be secure, relying on the cubic residues in a random oracle model. The computational cost of IBMSCR−1 is lower, as the exponentiations are cubic exponentials.
  • To enhance efficiency, the total computational cost of IBMSCR−2 is almost four-fifths that of IBMSCR−1 in implementation. We also prove the security of IBMSCR−2 on the basis of the cubic residues equalling integer factoring in the random oracle model.
The organization of this paper is as follows. Section 2 gives necessary preliminaries, and Section 3 gives the formal definition of the security model. In Section 4 and Section 5, we propose two concrete IBMS schemes, IBMSCR−1 and IBMSCR−2, as well as outline their correctness and full security proof. Section 6 gives the performance comparison. Section 7 gives the conclusion for the paper.

2. Preliminaries

Some fundamental concepts are introduced simply, for further explaining the construction and security proof.

2.1. Cubic Residue

We first introduce the definition of the cubic residue.
Definition 1
(Cubic residue [23]). For an integer N 1 ( mod 3 ) , a cubic residue modulo N, c Z N * , if  x 3 c ( mod N ) for some x Z N * .
Because the module N is a product for unknown p and q, it is difficult to obtain x from a cubic residue c, that is, the difficulty of obtaining x from c is equal to the factorization of N.

2.2. Cubic Residue Symbol in Eisenstein Ring

Following the work in [23,30,31], we let ω denote a complex root of z 2 + z + 1 = 0 , which means that ω is a cubic root of 1. We also have ω 2 = 1 ω = ω ¯ , where ω ¯ is the conjugate complex of ω . The Eisenstein ring is defined as the set Z [ ω ] = { a + b ω | a , b Z } . We introduce the cubic residue symbol as follows:
· · 3 : Z [ ω ] × ( Z [ ω ] ( 1 ω ) Z [ ω ] ) { 0 , 1 , ω , ω 2 }
For a prime p in Z [ ω ] where p is not associated to 1 ω , we have
α p 3 = α ( N ( p ) 1 ) / 3 ( mod p )
where N ( p ) = p · p ¯ is defined as the norm of p.

2.3. Some Useful Theorems

Theorem 1
(Factorization Theorem [23]). Let N = p q , where p and q are large primes. Let c be a cubic residue modulo N, and r 1 and r 2 be c’s two cubic roots modulo N; that is, r 1 3 r 2 3 c ( mod N ) and r 1 r 2 ( mod N ) . N can be factored by taking gcd ( r 1 r 2 , N ) in polynomial time, where gcd ( x , y ) is the greatest common divisor of x and y.
Theorem 1 is easily validated, as if r 1 3 r 2 3 c ( mod N ) , we have ( r 1 r 2 ) ( r 1 2 + r 1 r 2 + r 2 2 ) 0 ( mod N ) . There must exist an integer k such that ( r 1 r 2 ) ( r 1 2 + r 1 r 2 + r 2 2 ) = k p q . If r 1 r 2 ( mod N ) , r 1 r 2 cannot be a multiple of N at the same time; r 1 r 2 must contain a non-trivial divisor of N, which is p or q. Therefore, the integer N can be factored by Theorem 1. However, the two cubic roots satisfying r 1 r 2 ( mod N ) cannot lead directly to factoring the integer N.
The following theorem shows a solution to compute a 3 -th root of a cubic residue without factoring N.
Theorem 2.
Let ω 1 ( mod 3 ) , > 0 , c be a cubic residue modulo N, and X Z N * satisfy
c ω X 3 ( mod N )
Then we can easily calculate the cubic root y; that is, y 3 c ( mod N ) .
Because ω 1 ( mod 3 ) , we can denote ω = 3 r ( 3 δ + 1 ) ; following this,
c ω c 3 r ( 3 δ + 1 ) X 3 ( mod N )
We take the 3 r -th root and obtain
c 3 δ + 1 X 3 r ( mod N )
Because c 3 δ + 1 = c 3 δ · c , we have
c X 3 r c 3 δ X 3 r 1 c δ 3 ( mod N ) .
Let y = X 3 r 1 / c δ ; then we have y 3 c ( mod N )
Theorem 2 can be used in the security proof for IBMSCR−1. We introduce the following Theorem [24,29] regarding the cubic residue used in the security proof for IBMSCR−2.
Theorem 3 
(Cubic residue construction [24,29]). If p and q are two primes with p 2 ( mod 3 ) and q 4 or 7 ( mod 9 ) , it is easy to produce a cubic residue modulo N. Let n c be a non-cubic modulo q, for any h Z N * ; we can compute that η = ( q 1 ) ( mod 9 ) 3 , λ = η ( mod 2 ) + 1 , β = ( q 1 ) / 3 , ξ n c η β ( mod q ) , τ h λ β ( mod q )  and
b = 0 , i f   τ = 1 1 , i f   τ = ξ 2 , i f   τ = ξ 2
We can construct a cubic residue C modulo N; that is, C = n c b · h ( mod N ) .
Theorem 4.
Let p, q, N, C, and η be defined as in Theorem 3; we can calculate a cubic root s of C 1 by s C [ 2 η 1 ( p 1 ) ( q 1 ) 3 ] / 9 ( mod N ) . Note that s 3 · C 1 ( mod N ) .

3. Formal Definition and Security Model

3.1. Formal Definition

We assume that there exist n distinct signers, named I D 1 , I D 2 , , I D n , to authenticate a message m by cooperatively generating a multi-signature m σ . The signer I D i is denoted as s i g n e r i .
Theorem 5.
A typical IBMS scheme is always made up of six algorithms, that is, Setup, Extra, Sign, Verify, MSign, and MVerify. We describe each of them as follows.
  • Setup: ( m p k , m s k ) Setup(1 k ). The algorithm is controlled by the key generator center (KGC). The KGC generates the system’s master public keys mpk and master secret keys msk when it is given the security parameter k.
  • Extra: s k I D Extra (mpk, msk, ID). The algorithm is also controlled by the KGC, given msk, mpk, and a user’s identity ID, such as a string. It returns the private key s k I D through secure channels.
  • Sign: σ Sign (mpk, sk, m, ID): The signer uses its private key sk, the identity ID, and the message to be signed m to generate a signature σ on m.
  • Verify: { 0 , 1 } Verify (mpk, ID, m, σ): The algorithm takes the signer’s identity ID, the data m, and a candidate signature σ. If σ is a valid signature, it returns 1. Otherwise, it returns 0.
  • MSign: m σ MSign (mpk, sk, m, IDSet). The signer with the private sk joins in the multi-signing algorithm, which needs additional parameters, including a message m and an identity set I D S e t = { I D 1 , I D 2 , , I D n } containing all the identities of the signers. After several rounds of interactive communication, MSign generates a multi-signature mσ.
  • MVerify: { 0 , 1 } MVerify (mpk, IDSet, m, mσ). The algorithm returns 1 if mσ is a valid multi-signature on the message m by authenticating the signers in IDSet.
Correctness. When all of the participating signers honestly and correctly execute the algorithm MSign using the private keys, derived from the algorithm Extra, each of the signers will end the algorithm by obtaining a local multi-signature m σ such that
MVerify ( I D S e t , m , m σ , m p k ) = 1
where all m p k and m s k are generated by the algorithm Setup and I D S e t includes n identities I D 1 , I D 2 , , I D n for any messages m { 0 , 1 } * .

3.2. Security Model

This considers an extreme case: the adversary A compromising the n 1 participants and leaving only one honest user, denoted s i g n e r 1 . The s i g n e r 1 user is controlled by the challenger C . When the game starts, C gives A the honest identity of s i g n e r 1 and allows A to compromise the other signers’ private keys. It also assume that a secure channel between the signers is not guaranteed. All of the communication among the signers can be eavesdropped upon. C provides A a hash oracle, a key extraction oracle and a multi-sign oracle. A ’s final target is to successfully forge a multi-signature.
Definition 2.
Considering the games between A and C .
  • Setup: C executes the algorithm to generate the master public keys mpk and sends mpk to A .
  • Query: : A is allowed to query to C in an adaptive way.
    -
    Extraction-query (mpk, ID). C executes Extra to obtain s k I D and sends to A when A asks for the private key of s i g n e r I D .
    -
    Multi-signature query (mpk, m, IDSet) C obtains a multi-signature m σ and sends to A when A asks for the multi-signature m σ on m and I D S e t .
    -
    Hash-query. C chooses the returned values by itself and sends to A when A asks.
  • Forgery. A makes a multi-signature as a forgery, that is, m σ * on m * for I D S e t * , which contains at least one uncompromised user’s identity; meanwhile, A never sends ( m p k , I D S e t * , m * ) to the multi-signature query.
Definition 3 (Attack Goals).
The advantage A d v A IBMS in breaking the KG ( k ) problems is defined as
A d v A IBMS ( k ) = Pr x 3 y ( mod N ) ( N , p , q ) KG ( k ) y Z N * x A ( N , , y )
Definition 4 (Unforgeability).
An adversary A ( t , q H , q E , q S , n , ϵ ) breaks the scheme if A executes for a time of t at most, and makes at most q H hash queries, q E extraction queries, and q S multi-signature queries with n participants, and A d v A is at least ϵ. An IBMS scheme ( t , q E , q S , q H , n , ϵ ) has unforgeability if there exists no attacker A ( t , q H , q E , q S , n , ϵ ) that breaks it.

4. Concrete Construction of IBMSCR-1

4.1. Construction

Inspired by the previous work [6,22,23], we propose a concrete identity-based multi-signature scheme (IBMSCR−1) with three-round interactive communications among the marine sensors and the generation of a single multi-signature as an authenticated tag.
  • Setup ( k , ) : The key generator center inputs security parameters k and , and then:
    • Chooses two random primes p and q, such that p q 1 ( mod 3 ) and ( p 1 ) ( q 1 ) / 9 1 ( mod 3 ) . Without loss of generality, we assume that ( p 1 ) / 3 1 ( mod 3 ) , ( q 1 ) / 3 1 ( mod 3 ) .
    • Chooses two random primes π 1 and π 2 from the Eisenstein ring Z [ ω ] , s.t. the norms satisfy N ( π 1 ) = p and N ( π 2 ) = q .
    • Computes N = p q . We let A + B ω = π 1 π 2 , A , B Z , and then compute C = A B 1 ( mod N ) . Note that C p 3 = ω 2 , and C q 3 = ω .
    • Chooses a random number a Z N * such that a N 3 = ω .
    • Computes d = 1 3 [ 1 9 ( p 1 ) ( q 1 ) + 1 ] .
    • Selects three hash functions h 1 ( · ) , h 2 ( · ) , and h 3 ( · ) such that h 1 ( · ) : { 0 , 1 } * Z N * , h 2 and h 3 ( · ) : { 0 , 1 } * { 0 , 1 } .
As a result of the step Setup, the master secret key is m s k = ( p , q , d ) , which is securely stored, and the public parameter is m p k = ( N , h 1 , h 2 , h 3 , a , C , ) .
  • Extra (mpk, msk, ID): KGC inputs the identity I D , computes the hash value of I D as h 1 ( I D ) and obtains a first symbol c I D , 1 such that
    c I D , 1 = 0 , if h 1 ( I D ) N 3 = 1 1 , if h 1 ( I D ) N 3 = ω 2 2 , if h 1 ( I D ) N 3 = ω
    We let h = a c I D , 1 · h 1 ( I D ) and we have h N 3 = 1 . Following this, KGC computes a second symbol c I D , 2 such that
    c I D , 2 = 0 , if h p 3 = h q 3 = 1 1 , if h p 3 = ω , h q 3 = ω 2 2 , if h p 3 = ω 2 , h q 3 = ω
    We let I I D = C c I D , 2 · a c I D , 1 · h 1 ( I D ) . It is easy to find that I I D CR N , as I I D p 3 = I I D q 3 = 1 . Finally, KGC extracts the private key s k I D as a 3 -th root of I I D :
    s k I D I I D d ( mod N )
    KGC sends s k I D as well as ( c I D , 1 , c I D , 2 ) to signer I D secretly. Note that I I D s k I D 3 ( mod N ) . Following this, we denote I D ˜ = { I D , c I D , 1 , c I D , 2 } .
  • Sign and verify: These two algorithms can be derived from [23].
  • MSign ( m p k , s k 1 , m , I D S e t ) : For simplicity, IBMSCR−1 is described from the M S 1 ’s point of view. Given the M S 1 ’s private key s k 1 , the message m and the identity set I D S e t = { I D 1 ˜ , I D 2 ˜ , , I D n ˜ } , M S 1 executes the following algorithm from Algorithm 1. MSign generates m σ = ( w , u ) as the multi-signature.
  • MVerify (mpk, IDSet, m, mσ). The algorithm verifies by the following three steps.
    (1)
    For i = 1 , 2 , , n , it computes I i C c I D i , 2 · a c I D i , 1 · h 1 ( I D i ) ( mod N ) .
    (2)
    It computes R ^ u 3 i = 1 n I i w ( mod N ) .
    (3)
    It checks whether
    w = h 3 ( R ^ I D S e t m )
    is satisfied. If Equation (2) is satisfied, MVerify returns 1. This means m σ is valid. Otherwise MVerify returns 0.

4.2. Correctness

The correctness follows:
u 3 i = 1 n u i 3 i = 1 n r i 3 s k i w 3 i = 1 n R i I i ( 3 d ) w R i = 1 n I i w ( mod N )
We have R ^ R u 3 i = 1 n I i w ( mod N ) .
Algorithm 1: The MSign Algorithm in IBMS CR−1.
Input: the master public key m p k , the private key s k , the identity set I D S e t , the message to be signed m;
Output: a multi-signature m σ .
  1. Each M S i randomly selects r i Z N * and computes R i r i 3 ( mod N ) and t i = h 2 ( R i ) .
  2. M S i only broadcasts t i to other signers M S j ( j i ) in I D S e t and keeps R i temporarily.
  3. After receiving t i from M S i ( 2 i n ), M S 1 then broadcasts R 1 to other M S i .
  4. After receiving R i from M R i , M S 1 checks whether t i = h 2 ( R i ) for 2 i n is satisfied.
  5. If one of these fails, the algorithm stops, which means the attackers have mixed invalid partial signatures. Otherwise, M S 1 sets R i = 1 n R i ( mod N ) , w = h 3 ( R I D S e t m ) , and u 1 r 1 · s k 1 w ( mod N ) .
  6. M S 1 broadcasts u 1 to other M S i .
  7. After receiving u i from M S i , M S 1 aggregates these by u i = 1 n u i ( mod N ) .
  8. Each M S i locally generates a multi-signature m σ = ( w , u ) .
Return m σ ;

4.3. Security Proof

IBMSCR−1 is provably secure under the factorization in the random oracle model.
Theorem 6.
If the factorization problem is ( t , ϵ ) -hard, IBMSCR−1 is ( t , q E , q H , q S , n , ϵ ) -secure against existential forgery attackers under the adaptively chosen message attack and chosen identity attack. We have estimates for t and ϵ as follows:
ϵ 2 ϵ 2 3 ( q H + 1 ) 2 n q S q H + n 2 q S 2 + q H 2 2 R · ( q H + 1 ) + n q S 2 0 1 ϵ 1 3 · 2 1
Proof. 
We assume C is given a factorization instance N for a product of unknown p and q, and obtain the result of p or q with a non-negligible probability. C plays with A as follows.
Firstly, C selects a Z N * , such as a non-cubic residue and a secure parameter 160 (the length of has been discussed and suggested in [22]), and sends ( N , a , ) to A as m p k . C manages several lists: one signature list and three hash lists.
Then, C starts to answer according to A ’s queries, as follows.
  • h 1 -Query ( I D ) : C manages a list ( I D , h 1 , s , c I D , 1 , c I D , 2 ) . When A requests the identity I D , C answers as h 1 . ( c I D , 1 , c I D , 2 ) { 0 , 1 } 2 in two bits and s Z N * is used as a secret key. When A asks on I D , C answers h 1 if I D has existed in the h 1 -list. Otherwise, C randomly selects s Z N * and ( c I D , 1 , c I D , 2 ) { 0 , 1 } 2 , calculates
    h 1 s 3 ( 1 ) c I D , 2 · ( a ) c I D , 1 ( mod N )
    and returns the answer h 1 to A , adding ( I D , h 1 , s , c I D , 1 , c I D , 2 ) to the h 1 -list.
  • h 2 -Query ( R ) : C manages a list ( R , h 2 ) . When A asks on R, C answers h 2 if R has existed in the h 2 -list. Otherwise, C randomly selects h 2 { 0 , 1 } 0 , adds ( R , h 2 ) into the h 2 -list and returns h 2 .
  • h 3 -Query ( R , m , I D S e t ) : C manages a list ( R , m , I D S e t , h 3 ) . When A asks on ( R , m , I D S e t ) , C returns h 3 if ( R , m , I D S e t ) has existed in the h 3 -list. Otherwise, C randomly selects h 3 Z N * , returns h 3 , and adds ( R , m , I D S e t , h 3 ) to the h 3 -list.
  • Extraction query ( I D ) : C executes an additional h 1 -query if I D does not yet exist in the h 1 -list and returns s and ( c I D , 1 , c I D , 2 ) .
  • Multi-signature queries: C checks in the h 1 -list for whether I D 1 exists. If I D 1 is already in the h 1 -list, C has obtained the private key of s i g n e r 1 and simulates the game as the real algorithm MSign ( s k 1 , I D S e t , m ) using the secret key s k 1 = s 1 . Otherwise, C does not have the private key of s i g n e r 1 and executes the following steps:
    -
    C plays as s i g n e r 1 , and randomly chooses t 1 { 0 , 1 } 0 , broadcasting t 1 to other signers. C also waits to receive t 2 , t 3 , , t n from others; it randomly selects w { 0 , 1 } and u 1 Z N * , and calculates
    R 1 = u 1 3 ( 1 ) c I D 1 , 2 · a c I D 1 , 1 · h 1 ( I D 1 ) w
    If R 1 already exists in the h 2 -list, C stops. Otherwise, C sets ( R 1 , t 1 ) in the h 2 -list. C looks up R i such that ( R i , t i ) where 2 i n . If for some i the record is found, C also stops. Otherwise, C calculates R = i = 1 n R i ( mod N ) and sets h 3 ( R S m ) = w , or stops if the entry has already existed.
    -
    C sends R 1 to other signers. After receiving R 2 , , R n from the signers, C verifies that h 2 ( R i ) = ? t i . C ends up with the protocol if one of these does not satisfy this, which means A has to guess the results of the hash value. If R i R i for some i, C stops. C sends u i to the signers, receives u 2 , u 3 , , u n , and calculates u = i = 1 n u i ( mod N ) . Finally, C sends m σ = ( w , u ) to A .
At the end of the game, A generates a multi-signature m σ * = ( w * , u * ) on message m * . C calculates
R * ( u * ) 3 i = 1 n ( 1 ) c I D i * , 2 a c I D i * , 1 h 1 ( I D i * ) w *
and makes an additional query h 3 ( R * I D S e t * m * ) . We let U I D S e t * = { I D 1 * , I D 2 * , , I D n * } denote the honest IDSet, that is, A never compromised. If A succeeded in forgery, that is,
  • MVerify ( m p k , I D S e t * , m * , σ * ) = 1
  • U
  • A has never queried ( I D S e t * , m * ) to the signature oracle then C checks the h 1 -list. If the multi-signature is valid, we can obtain
    u * 3 R * i = 1 n ( 1 ) c I D i , 2 a c I D i , 1 h 1 ( I D i * ) w * R * i = 1 n s i * 3 w * ( mod N )
We let s * i = 1 n ( s i * ) 3 ( mod N ) and produce ( s * , σ * ) .
To factor N by applying the rewinding technique, C plays with A once again using the random tapes, which are the same as for the first time. Because C previously recorded the transcripts, C obtains the same results for A ’s queries.
When A queries for h 3 , C randomly selects an alternative answer w instead of w, as, in the second run, the h 1 - and h 2 -query are equal to those of the first round.
C generates ( s , m σ ) and ( s , m σ ) such that
u 3 R s w a n d u 3 R s w
By R = R , m = m and s = s , we have
u u 3 s ( w w ) ( mod N )
Because w w { 0 , 1 } 0 and 0 < , we can obtain | w w | < 3 . According to Theorem 2, C can calculate a cubic root s ˜ where s ˜ 3 = s . Meanwhile, C checks the h 1 -list to search for an entry in which I D i I D S e t and calculates s ¯ = i I D S e t s i 3 1 .
Therefore, s ˜ 3 s ¯ 3 s ( mod N ) . If s ¯ s ˜ ( mod N ) , N can be factored by Theorem 1. Otherwise, C cannot factor N. The probability that s ˜ s ¯ ( mod N ) is 2/3.
Finally, we calculate the probability that C returns a valid result. Because most of the simulation game is similar to in [6], we set ϵ , ϵ and ϵ * as the probability to factor N by C , the probability to forge a multi-signature in practice by A and the probability to succeed in the first run before the rewinding technique by A , respectively.
We have
ϵ * ϵ q S ( q H + n q S ) 2 N ( q H + n q S ) 2 2 N + 1 2 q S ( q H + q S ) 2 N n q S 2 0
Furthermore, according to the forking lemma [32], we can easily obtain
f r k ϵ * ϵ * q H 1 2 ϵ * 2 q H + 1 1 2
The probability that C succeeds to factor N is
ϵ 2 3 · f r k 2 ϵ * 2 3 ( q H + 1 ) 1 3 · 2 1 2 ϵ 2 3 ( q H + 1 ) 2 n q S q H + n 2 q S 2 + q H 2 2 R · ( q H + 1 ) + n q S 2 0 1 ϵ 1 3 · 2 1

5. Concrete Construction of IBMSCR−2

Inspired by the related work [24,26,29], we give a more efficient IBMS construction (named IBMSCR−2), whose computational overhead in MSign and MVerify is much lower than for those in IBMSCR−1.

5.1. Construction

  • Setup ( k , ) : Given the security parameters, Setup can be executed as follows.
    (1)
    KGC chooses random primes p and q where p 2 ( mod 3 ) and q 4 or 7 ( mod 9 ) , and calculates the product N = p · q .
    (2)
    A non-cubic residue a is selected such that a q = 1 .
    (3)
    Several computational parameters are computed:
    η = [ q 1 ( mod 9 ) ] / 3 λ = η ( mod 2 ) + 1 β = ( q 1 ) / 3 ξ = a η β ( mod q )
    (4)
    Three hash functions h 1 , h 2 and h 3 are picked up, where h 1 : { 0 , 1 } * Z N * , h 2 , h 3 : { 0 , 1 } * { 0 , 1 } .
Finally, the algorithm Setup outputs m s k = ( p , q , β ) and m p k = ( N , h 1 , h 2 , h 3 , a , η , λ ) . KGC keeps m s k secretly.
  • Extra ( m p k , m s k , I D ): KGC computes s k as follows:
    (1)
    KGC computes ω = h 1 ( I D ) λ β ( mod q ) and set sa symbol c I D according to ω and ξ :
    c I D = 0 , if   ω = 1 1 , if   ω = ξ 2 , if   ω = ξ 2
    KGC denotes I = a c I D · h 1 ( I D ) ( mod N ) .
    (2)
    KGC calculates
    s k = I 2 η ( p 1 ) ( q 1 ) 3 9 ( mod N )
    and securely distributes s k to the signer. We have s k i 3 · I i 1 ( mod N ) . Following this, we denote the identity by I D i ˜ = { I D i , c I D i } .
  • Sign and verify: These two algorithms can be derived from [29].
  • MSign ( m p k , s k 1 , m , I D S e t ) : Given the M S 1 ’s private key s k 1 , the message m and the identity set I D S e t = { I D 1 ˜ , I D 2 ˜ , . . . , I D n ˜ } , M S 1 executes the following algorithm in Algorithm 2. MSign generates the multi-signature m σ = ( w , u ) .
  • MVerify ( m p k , I D S e t , m , m σ ) . The algorithm verifies by the following three steps:
    (1)
    For i = 1 , 2 , . . . , n , it computes I i = a c I D i · h 1 ( I D i ) .
    (2)
    It computes R ^ = u 3 · i = 1 n I i w ( m o d N ) .
    (3)
    It checks whether
    w = h 3 ( R ^ I D S e t m )
    is satisfied. If Equation (13) is satisfied, MVerify returns 1. This means m σ is valid. Otherwise MVerify returns 0.
Algorithm 2: The MSign algorithm in IBMSCR−2.
Input: the master public key m p k , the private key s k , the identity set I D S e t , the message to be signed m;
Output: a multi-signature m σ .
  1. Each M S i randomly selects r i Z N * and calculates R i = r i 3 ( m o d N ) and t i = h 2 ( R i ) .
  2. Each M S i broadcasts t i to co-signers M S j ( j i ).
  3. After obtaining t i from M S i , M S 1 broadcasts R 1 to other M S i .
  4. After receiving R i from other signers, M S 1 checks whether t i = h 2 ( R i ) for 2 i n is satisfied.
  5. If one of these fails, the algorithm stops, which means the attackers have mixed invalid partial signatures. Otherwise, M S 1 sets R = i = 1 n R i ( m o d N ) , w = h 3 ( R I D S e t m ) , and u 1 = r 1 · s k 1 w ( m o d N ) .
  6. S 1 broadcasts u 1 to other M S i .
  7. After receiving u i from M S i , M S 1 aggregates these by u = i = 1 n u i ( m o d N ) .
  8. Each M S i locally generates a multi-signature m σ = ( w , u ) .
Return m σ ;

5.2. Correctness

The correctness is as follows:
u 3 · i = 1 n I i w i = 1 n u i 3 I i w i = 1 n r i 3 · ( s k i 3 · I i ) w i = 1 n R i R ( mod N )

5.3. Security Proof

IBMSCR−2 is secure under the factorization in the random oracle model.
Theorem 7.
If integer factorization is ( t , ϵ ) -hard, our IBMSCR−2 scheme is ( t , q H , q E , q S , n , ϵ ) -secure against existential forgery in the random oracle model.
Because most of the simulation game between A and C is the same, we give the security proof simply.
Proof. 
When it is given an integer factorization instance N, C returns p or q if A succeeds in forging a multi-signature.
C sends m p k = { N , h 1 , h 2 , h 3 , a , η , λ } to A . C maintains several lists ( l i s t h 1 , l i s t h 2 , l i s t h 3 , l i s t S ).
  • h 1 -Query. C manages a list ( I D , c , h 1 , s ) . C sends h 1 to A if I D exists when A queries the hash value of I D . Otherwise, C randomly selects s Z N * and c { 0 , 1 , 2 } , sets h 1 s 3 / a c ( mod N ) , returns h 1 , and adds ( I D , c , h 1 , s ) to l i s t h 1 .
  • The h 2 -query, h 3 -query and extraction query are similar to IBMSCR−1.
  • The multi-signature query is similar to IBMSCR−1, except that Equation (5) changes to
    R 1 = u 1 3 i = 1 n a c I D i · h 1 ( I D 1 ) w *
At the end of the game, A forges m σ * = ( w * , u * ) with I D S e t * on m * . C calculates
R * ( u * ) 3 i = 1 n a c I D i * · h 1 ( I D i * ) w *
and queries h 3 ( R * I D S e t * m * ) to the hash oracle. If the forgery is valid, we obtain that
u * 3 R * i = 1 n a c I D i * · h 1 ( I D i * ) w * R * i = 1 n s i * 3 w * R * s * w * ( mod N )
because s * i = 1 n ( s i * ) 3 ( mod N ) . C returns ( s * , w * , u * ) .
We also apply the rewinding technique to factor N. At last, C obtains ( s , w , u ) and ( s , w , u ) such that
u 3 R s w a n d u 3 R s w
Because R = R , m = m , and s = s , we have
u u 3 s ( w w ) ( mod N )
Because w w , two cases emerge:
  • If w w 1 ( mod 3 ) , we denote w w = 3 k + 1 for an integer k. Therefore, s u u · s k 3 , that is, s ˜ = u u · s k satisfies s ˜ 3 s ( mod N ) .
  • If w w 1 ( mod 3 ) , we denote w w = 3 k 1 for an integer k. Therefore, s ( u · s k u ) 3 , that is, s ˜ = u · s k u satisfies s ˜ 3 s ( mod N ) .
From the discussion above, C calculates a cubic root s ˜ where s ˜ 3 = s . Meanwhile C searches the entries in the h 1 -list where I D i I D S e t and calculates s ¯ = i I D S e t s i 3 . Therefore, we have s ˜ 3 s ¯ 3 s ( mod N ) . If s ¯ s ˜ ( mod N ) , we can factor N by Theorem 1 with a probability that s ˜ s ¯ ( mod N ) of 2/3.
Thus, we have finished the proof. ☐

6. Performance Comparisons

The comparison of security assumptions for related works are given in Table 1. These schemes are provably secure on the basis of different hardness assumptions (such as CDH, DL, RSA, quadratic residues, and cubic residues). The aim of these schemes is to find new constructions under simpler hardness assumptions.
We denote M p , H m , O p and E n as the operation of scalar multiplication, map-to-point hash function, bilinear pairing, and modular exponentiation, respectively. We ran each of the above operations in a personal computer and used their times from [33] to calculate the total computational cost in the running time (milliseconds), as shown in the columns of Table 2.
We have also compared related works on the basis of the cubic residues for the computational performance evaluation in Table 3. For consistency, we used the modular exponentiation times to evaluate the Sign and Verify algorithms.

7. Conclusions

Data authenticated aggregation is always a significant issue for marine WSNs. Most data authenticated aggregation is based on the multi-signature, which relies on the technique of bilinear pairing involving heavy computational overhead or the management of certificates beyond marine wireless sensors. We have constructed two efficient IBMS schemes (IBMSCR−1 and IBMSCR−2) based on cubic residues, which are much more suitable for data authenticated aggregation in marine WSNs. Without employing the heavy overload of a bilinear pairing technique, our schemes have been designed efficiently. Our schemes have been proven to be secure under chosen identity attacks and chosen message attacks, relying only on the hardness of the integer factorization assumptions.

Acknowledgments

This work was supported by the Natural Science Foundation of China (NSFC grant nos. 61402282, 61672339 and 41671431), the Shanghai Youth Talent Development Program (grant no. 14YF1410400), and the Shanghai Local University Capacity Enhancement Program (grant no. 15590501900).

Author Contributions

The work was conducted under the cooperation of authors. Lifei Wei conceived the scheme 1, and wrote the partial paper; Lei Zhang conceived the scheme 2 and wrote the partial paper, Dongmei Huang guided the study and reviewed the manuscript; Kai Zhang conceived the security proof and wrote the partial paper; Liang Dai gave the figures and verified the results; Guojian Wu introduced the background of marine sensor networks.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Bosman, H.; Iacca, G.; Tejada, A.; Wortche, H.J.; Liotta, A. Spatial anomaly detection in sensor networks using neighborhood information. Inform. Fusion J. 2017, 33, 41–56. [Google Scholar] [CrossRef]
  2. Bosman, H.; Iacca, G.; Tejada, A.; Wortche, H.J.; Liotta, A. Ensembles of incremental learners to detect anomalies in ad hoc sensor networks. Ad Hoc Netw. 2015, 35, 14–36. [Google Scholar] [CrossRef]
  3. Ahn, J.; Green, M.; Hohenberger, S. Synchronized aggregate signatures: New definitions, constructions and applications. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010), Chicago, IL, USA, 4–8 October 2010. [Google Scholar]
  4. Wei, L.; Zhang, L.; Huang, D.; Zhang, K. Efficient and Provably Secure Identity-based Multi-Signature Schemes for Data Aggregation in Marine Wireless Sensor Networks. In Proceedings of the 14th IEEE International Conference on Networking, Sensing and Control (ICNSC 2017), Calabria, Italy, 16–18 May 2017. [Google Scholar]
  5. Huang, D.; Zhao, D.; Wei, L.; Wang, Z.; Du, Y. Modeling and analysis in marine big data: Advances and challenges. Math. Probl. Eng. 2015, 2015, 1–13. [Google Scholar] [CrossRef]
  6. Wei, L.; Cao, Z.; Dong, X. Secure identity-based multisignature schemes under quadratic residue assumptions. Secur. Commun. Netw. 2013, 6, 689–701. [Google Scholar] [CrossRef]
  7. Hsiao, H.; Studer, A.; Chen, C.; Perrig, A.; Bai, F.; Bellur, B.; Iyer, A. Flooding-resilient broadcast authentication for vanets. In Proceedings of the 17th Annual International Conference on Mobile Computing and Networking (MOBICOM 2011), Las Vegas, NV, USA, 20–22 September 2011. [Google Scholar]
  8. Itakura, K.; Nakamura, K. A public-key cryptosystem suitable for digital multisignatures. NEC Res. Dev. 1983, 71, 1–8. [Google Scholar]
  9. Barr, K.C.; Asanovic, K. Energy-aware lossless data compression. ACM Trans. Comput. Syst. 2006, 24, 250–291. [Google Scholar] [CrossRef]
  10. Bagherzandi, A.; Cheon, J.; Jarecki, S. Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008), Alexandria, VA, USA, 27–31 October 2008. [Google Scholar]
  11. Ma, C.; Weng, J.; Li, Y.; Deng, R. Efficient discrete logarithm based multi-signature scheme in the plain public key model. Des. Codes Cryptogr. 2010, 54, 121–133. [Google Scholar] [CrossRef]
  12. Shamir, A. Identity-based cryptosystems and signature schemes. In Proceedings of the 4th International Cryptology Conference (CRYPTO 1984), Santa Barbara, CA, USA, 19–22 August 1984. [Google Scholar]
  13. Boneh, D.; Franklin, M. Identity-based encryption from the Weil pairing. SIAM J. Comput. 2003, 32, 586–615. [Google Scholar]
  14. Cocks, C. An Identity Based Encryption Scheme Based on Quadratic Residues. In Proceedings of the 8th IMA International Conference on Cryptography and Coding, Cirencester, UK, 17–19 December 2001. [Google Scholar]
  15. Gentry, C.; Ramzan, Z. Identity-based aggregate signatures. In Proceedings of the 9th International Conference on Theory and Practice of Public-Key Cryptography (PKC 2006), New York, NY, USA, 24–26 April 2006. [Google Scholar]
  16. Lu, R.; Lin, X.; Zhu, H.; Liang, X.; Shen, X. BECAN: A Bandwidth-Efficient Cooperative Authentication Scheme for Filtering Injected False Data in Wireless Sensor Networks. IEEE Trans. Parallel Distrib. Syst. 2012, 23, 32–43. [Google Scholar]
  17. Zhang, K.; Wei, L.; Li, X.; Qian, H. Provably Secure Dual-Mode Publicly Verifiable Computation Protocol in Marine Wireless Sensor Networks. In Proceedings of the 10th International Conference on Wireless Algorithms, Systems, and Applications (WASA 2017), Guilin, China, 19–21 June 2017. [Google Scholar]
  18. Lu, Y.; Li, J. A Pairing-Free Certificate-Based Proxy Re-encryption Scheme for Secure Data Sharing in Public Clouds. Future Gener. Comput. Syst. 2016, 62, 140–147. [Google Scholar] [CrossRef]
  19. Bellare, M.; Neven, G. Identity-Based Multi-signatures from RSA. In Proceedings of the Cryptographers Track at the RSA Conference (CT-RSA 2007), San Francisco, CA, USA, 5–9 February 2007. [Google Scholar]
  20. Bagherzandi, A.; Jarecki, S. Identity-Based Aggregate and Multi-Signature Schemes Based on RSA. In Proceedings of the 13th International Conference on Practice and Theory in Public Key Cryptography (PKC 2010), Paris, France, 26–28 May 2010; pp. 480–498. [Google Scholar]
  21. Yang, F.; Lo, J.; Liao, C. Improving an efficient id-based rsa multisignature. J. Ambient Intell. Hum. Comput. 2011, 4, 249–254. [Google Scholar] [CrossRef]
  22. Chai, Z.; Cao, Z.; Dong, X. Identity-based signature scheme based on quadratic residues. Sci. China Inform. Sci. 2007, 50, 373–380. [Google Scholar] [CrossRef]
  23. Xing, D.; Cao, Z.; Dong, X. Identity based signature scheme based on cubic residues. Sci. China Inform. Sci. 2011, 54, 2001–2012. [Google Scholar] [CrossRef]
  24. Wang, Z.; Wang, L.; Zheng, S.; Yang, Y.; Hu, Z. Provably secure and efficient identity-based signature scheme based on cubic residues. Int. J. Netw. Secur. 2012, 14, 33–38. [Google Scholar]
  25. Wang, F.; Lin, C. Secure and efficient identity-based proxy multisignature using cubic residues. J. Univ. Electr. Sci. Technol. China 2013, 42, 778–783. [Google Scholar]
  26. Wang, F.; Chang, C.-C.; Lin, C.; Chang, S.-C. Secure and efficient identity-based proxy multi-signature using cubic residues. Int. J. Netw. Secur. 2016, 18, 90–98. [Google Scholar]
  27. Wang, F.; Lin, C.; Lian, G. Efficient identtiy based threshold ring signature based on cubic residues. J. Wuhan Univ. (Nat. Sci.) 2013, 59, 75–81. [Google Scholar]
  28. Wei, L.; Zhang, L.; Zhang, K.; Dong, M. An Efficient and Secure Delegated Multi-Authentication Protocol for Mobile Data Owners in Cloud. In Proceedings of the 10th International Conference on Wireless Algorithms, Systems, and Applications (WASA15), Qufu, China, 10–12 August 2015. [Google Scholar]
  29. Zhang, L.; Wei, L.; Huang, D.; Zhang, K.; Dong, M.; Ota, K. Medaps: Secure multi-entities delegated authentication protocols for mobile cloud computing. Secur. Commun. Netw. 2016, 9, 3777–3789. [Google Scholar] [CrossRef]
  30. Damgard, I.; Frandsen, G. Efficient algorithms for gcd and cubic residuosity in the ring of Eisenstein integers. J. Symb. Comput. 2005, 39, 643–652. [Google Scholar] [CrossRef]
  31. Benhamouda, F.; Herranz, J.; Joye, M.; Libert, B. Efficient cryptosystems from 2k. J. Cryptol. 2016, 1–31. [Google Scholar]
  32. Coron, J. On the exact security of full domain hash. In Proceedings of the 20th Annual International Cryptology Conference (CRYPTO 2000), Santa Barbara, CA, USA, 20–24 August 2000. [Google Scholar]
  33. He, D.; Chen, J.; Zhang, R. An efficient and provably-secure certificateless signature scheme without bilinear pairings. Int. J. Commun. Syst. 2012, 25, 1432–1442. [Google Scholar] [CrossRef]
Figure 1. Data collection in marine wireless sensor networks (WSNs).
Figure 1. Data collection in marine wireless sensor networks (WSNs).
Sensors 17 02117 g001
Table 1. The comparison of related work on the security assumptions.
Table 1. The comparison of related work on the security assumptions.
SchemesThe Underlying Mathematical Assumptions
[15]Computational Diffie-Hellman (CDH)
[19]Discrete Logarithm (DL)
[20]RSA
[6]Quadratic Residues
IBMSCR-1Cubic Residues
IBMSCR-2Cubic Residues
Table 2. The comparison of related work of IBMS on the computational performance.
Table 2. The comparison of related work of IBMS on the computational performance.
SchemesExtractSignVerifyTotal TimeLength
[15]2 H m + 2 M p 1 H m + 4 M p 3 O p 107.522 | g |
[19]1 E n 2 E n 2 E n 26.55 + | N |
[20]1 E n 2 E n 2 E n 26.55 + 2 | N |
[6]1 E n 2 E n 2 E n 26.55 + | N |
IBMSCR-11 E n 2 E n 2 E n 26.55 + | N |
IBMSCR-22 E n 1 E n 1 E n 21.24 + | N |
Table 3. The comparison of related work on computational performance based on the cubic residues.
Table 3. The comparison of related work on computational performance based on the cubic residues.
SchemesUnderlying Cryptographic PrimitiveSignVerifyTotal Time
[28]IBMPS3 E n 3 E n 6 E n
[26]IBPMS1 E n 3 E n 4 E n
[29]IBMPMS3 E n 3 E n 6 E n
IBMSCR-1IBMS2 E n 2 E n 4 E n
IBMSCR-2IBMS1 E n 1 E n 2 E n

Share and Cite

MDPI and ACS Style

Wei, L.; Zhang, L.; Huang, D.; Zhang, K.; Dai, L.; Wu, G. PSDAAP: Provably Secure Data Authenticated Aggregation Protocols Using Identity-Based Multi-Signature in Marine WSNs. Sensors 2017, 17, 2117. https://doi.org/10.3390/s17092117

AMA Style

Wei L, Zhang L, Huang D, Zhang K, Dai L, Wu G. PSDAAP: Provably Secure Data Authenticated Aggregation Protocols Using Identity-Based Multi-Signature in Marine WSNs. Sensors. 2017; 17(9):2117. https://doi.org/10.3390/s17092117

Chicago/Turabian Style

Wei, Lifei, Lei Zhang, Dongmei Huang, Kai Zhang, Liang Dai, and Guojian Wu. 2017. "PSDAAP: Provably Secure Data Authenticated Aggregation Protocols Using Identity-Based Multi-Signature in Marine WSNs" Sensors 17, no. 9: 2117. https://doi.org/10.3390/s17092117

APA Style

Wei, L., Zhang, L., Huang, D., Zhang, K., Dai, L., & Wu, G. (2017). PSDAAP: Provably Secure Data Authenticated Aggregation Protocols Using Identity-Based Multi-Signature in Marine WSNs. Sensors, 17(9), 2117. https://doi.org/10.3390/s17092117

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop