Reusable Mesh Signature Scheme for Protecting Identity Privacy of IoT Devices

The development of the Internet of Things (IoT) plays a very important role in processing data at the edge of a network. It is therefore very important to protect the privacy of IoT devices when these devices process and transfer data. A mesh signature (MS) is a useful cryptographic tool that lets a signer sign any message anonymously. The signer's identifying information (such as a personal public key) is hidden in a list of tuples, each consisting of a public key and a message. In this paper, we propose an improved mesh signature scheme for IoT devices. The IoT devices, seen as the signers, may sign the data they publish with the proposed mesh signature scheme, and their specific identities are hidden in a list of possible signers. Additionally, a mesh signature consists of atomic signatures, and the atomic signatures are reusable. Therefore, for the large amount of data published by IoT devices, the atomic signatures on the same data can be reused, which decreases the number of signatures generated by the IoT devices in the proposed scheme. Compared with the original mesh signature scheme, the proposed scheme has lower computational cost for generating the final mesh signature and for signature verification. Since atomic signatures are reusable, the proposed scheme has a further advantage when the final mesh signature is generated by reconstructing atomic signatures. Furthermore, according to our experiment, when the proposed scheme generates a mesh signature on a 10 MB message, the memory consumption is only about 200 KB. Therefore, it is feasible to use the proposed scheme to protect the identity privacy of IoT devices.


Background
The Internet of Things (IoT) is an important environment for processing data at the edge of a network [1], and a huge amount of data is generated in IoT. Thus, we are always surrounded by IoT data in our homes, cars and offices. IoT devices are responsible for acquiring, storing and transferring data, as shown in Figure 1. By collecting, processing and analyzing the data through IoT devices, consumers and organizations can gain valuable insights, the data can further help them construction of mesh signature is similar to another anonymous signature, attribute-based signature (ABS) [5]. Compared with other kinds of anonymous signatures (ring signature, attribute-based signature and group signature [6]), the mesh signature consists of atomic signatures, and the atomic signatures are reusable. This merit is very suitable for IoT devices. IoT devices can generate a large amount of data every day; if each IoT device needs to sign and then publish its data, the signing cost is very heavy for the device and consumes a lot of energy. However, for many IoT devices, some of the published data are the same. Thus, if each IoT device can reuse its own "old" signatures on the same data, it saves signing cost and decreases the number of signatures generated by IoT devices. Therefore, for the large amount of data published by IoT devices, the mesh signature is well suited to publishing the same data. The following example shows how the structure of a mesh signature is used to protect the identities of IoT devices. IoT device 1, IoT device 2 and IoT device 3 belong to an online group at the edge of the network, where the public verification key of IoT device 1 is $VK_{d1}$, the public verification key of IoT device 2 is $VK_{d2}$ and the public verification key of IoT device 3 is $VK_{d3}$. These devices all need to send their data to the IoT data collector, as shown in Figure 2.
When IoT device 1 issues a tuple of messages {Msg1, Msg2, Msg3} to the IoT data collector, it does not want to disclose that these messages are published only by itself. Therefore, this device may create such mesh signature, Then this device issues these messages under the names of three devices, so its specific identity is hidden among these names. Additionally, another feature of the mesh signature is that it is modularized and its atomic signatures are reusable, which suits the case where the same data is published by the IoT devices. For example, IoT  , where the atomic signature − 2 that binds to IoT device 2 is reused. As the mesh signature has perfect anonymity, it does not disclose how the two signatures $\sigma_1$ and $\sigma_2$ are made up, as long as the signatures $\sigma_1$ and $\sigma_2$ are valid.
However, although mesh signatures may be used in many security fields [3,7–20], few researchers have focused on improving mesh signatures because of their complexity. Currently the generation of mesh signatures consists of two main steps: (1) generating some atomic signatures; (2) generating a final mesh signature based on the previous atomic signatures. Because atomic signatures can be reused, randomization is employed so that no adversary can know which atomic signatures were reused. Compared with other similar anonymous signature schemes, the generation of mesh signatures is relatively complicated in the existing schemes. In this paper, we focus on improving mesh signatures and construct a novel mesh signature scheme for IoT devices.

Our Contributions
In this paper, we present an improved mesh signature for protecting the identities of IoT devices. We also give a syntax of mesh signature in IoT. Our detailed contributions are as follows:

• We present a syntax for mesh signature in IoT. Compared with the works of [2,4], we describe the frame of mesh signature in IoT more clearly. Under the proposed syntax, we present a fully anonymous mesh signature scheme for IoT devices, where the IoT devices may be seen as the signers to sign their data and their specific identities can be hidden. Additionally, the atomic signatures on the same data are reusable, which decreases the number of signatures generated by IoT devices.

• In our proposed scheme, we define the access structure of the language expression restrictively, by monotone span programs; thus the proposed mesh signature can resist collusion attacks while its access structure still supports generalized monotone predicates. Also, under the security frame proposed by [2,4], our proposed scheme is secure in the standard model, where the security of our scheme can be reduced to the CDH assumption. The proposed scheme also provides anonymity with enough security to protect the identities of IoT devices.

• Compared with the original mesh signature scheme [2], the proposed scheme preserves the original modularity. Although generating atomic signatures in the proposed scheme needs more computational cost, the proposed scheme has lower computational cost for generating the final mesh signature and for signature verification. Since atomic signatures are reusable, the proposed scheme has a further advantage when the final mesh signature is generated by reconstructing atomic signatures. According to our experiment, it is feasible to use the proposed scheme to protect the identity privacy of IoT devices.

Organization
The rest of this paper is organized as follows. In Section 2, we discuss the related works about the privacy protection of IoT devices. In Section 3, we review the complexity assumptions and the related technologies on which we build. In Section 4, we show a syntax for MS in IoT. In Section 5, we propose an improved mesh signature scheme for protecting the identities of IoT devices. In Section 6, we analyze the efficiency and security of the proposed scheme. Finally, we draw our conclusions in Section 7.

Related Work
Currently, many signature schemes have been used to protect the privacy (identities) of IoT devices. Li [21] proposed an attribute-based signature to receive WiFi beacons and use the Doppler effect and multipath signals to produce signatures. In their scheme, because the generated signatures do not need sensor attachments, the related identities remain anonymous. Karati [1] proposed a secure certificateless signature scheme to protect industrial-IoT environments. The proposed signature scheme is proved to be secure under the bilinear strong Diffie-Hellman (BSDH) assumption, and it can resist Type-I and Type-II attacks. Furthermore, they analyzed the performance of their scheme, which is superior to other similar schemes. Sun [22] proposed a decentralized multi-authority attribute-based signature scheme for IoT devices. Compared with other similar signature schemes, their proposed scheme has more perfect privacy and can resist authority corruption. Furthermore, their scheme employs an extra cloud server to sign messages so as to decrease the signing cost. Xie [23] proposed a novel lattice-based group signature for anonymous authentication in IoT. In their scheme, a user may dynamically join a network group, and the scheme can easily revoke a group membership when the user quits the group. Also, their scheme can effectively resist the frameability attack, so other users cannot forge any user's signature. Furthermore, their scheme is proved to be secure under a lattice problem. Mughal [24] proposed a lightweight shortened signature scheme to secure the communication between devices in human-centered IoT. In their scheme, the signing and verification procedures cost less. Also, for different document protection requirements, their scheme provides a parameter selection function for signing and verification. Their scheme is secure enough to resist traffic analysis attacks.
Additionally, compared with other similar signature schemes, their scheme provides an experimental environment to test whether it can secure the communication procedure between cell phones (or smart devices). The obtained results show that their scheme is effective. Cui [25] also proposed an attribute-based signature to protect industrial-IoT environments under constrained resources. Their scheme employs a server to decrease the signing and verification cost, and a signing procedure can be ceased immediately when a signer is revoked. Li [26] proposed an effective ring signcryption scheme to protect the data transmission procedure from sensors to servers in IoT under public key infrastructure. They proved that their scheme is indistinguishable under adaptive chosen ciphertext attacks and unforgeable under adaptive chosen message attacks, with security reducible to the computational Diffie-Hellman (CDH) assumption.
Additionally, many new anonymous signature schemes have been proposed, where the group signature [27–31], ring signature [32–34] and attribute-based signature [35–37] all belong to anonymous signatures. Libert et al. [28] proposed an effective group signature. Their proposed scheme has linear size public keys, a linear size revocation list and constant signature size. Furthermore, the verification time is constant. We [31] proposed a traceable identity-based group signature, which employs verifier-local revocation to revoke users. Under the proposed security frame, the security of our scheme can be reduced to the CDH assumption. Yuen et al. [32] proposed a linkable ring signature, which is based on logic operations such as "and", "or" and "threshold". In their scheme, a signature of sub-linear size $O(d \cdot \sqrt{n})$ can be generated, where d is a threshold and n is the number of potential signers in a ring. Liu et al. [33] also proposed a perfectly anonymous linkable ring signature scheme, where the generated signature size is still linear in the number of possible signers in a ring. Au et al. [34] proposed a novel identity-based linkable ring signature scheme, which is revocable-iff-linked. Kaafarani et al. [35] proposed some traceable attribute-based signatures, which are decentralized. Their schemes provide anonymity under adaptive chosen-ciphertext attack. We [37] proposed an attribute-based signature that supports monotone predicates. Compared with other similar schemes, our scheme is efficient because it decreases the signing and verification cost. Boyen first proposed the original mesh signature in [2], which may be seen as an extension of the ring signature. Compared with other kinds of anonymous signatures, the main advantage of the mesh signature is that it modularizes the construction of the signature and provides a much richer predicate expression language. In 2015, Boyen proposed a revised version in [4].
He considered that the construction of a mesh signature is more flexible than that of a ring signature, and thus proposed the notion of mesh signature, in which the access structure is used to construct different combinations of atomic signatures. A mesh signature does not disclose which atomic signature was used, so atomic signatures can be reused when a new mesh signature needs to be generated. However, as the modularity of the mesh signature is open to the construction of the access structure of the language expression, the original mesh signature [2,4] has a security weakness: it cannot satisfy strict unforgeability, because multiple illegal signers may collusively pool their obtained atomic signatures together and then generate a final mesh signature which none of them could produce alone.

Bilinear Maps
Let $G_1$ and $G_2$ be groups of prime order q and g be a generator of $G_1$. We say $G_2$ has an admissible bilinear map $e : G_1 \times G_1 \to G_2$ if the following two conditions hold. The map is bilinear: for all a, b, we have $e(g^a, g^b) = e(g, g)^{a \cdot b}$. The map is non-degenerate: we must have that $e(g, g) \neq 1$.

Computational Diffie-Hellman Assumption
Definition 1 (Computational Diffie-Hellman (CDH) Problem). Let $G_1$ be a group of prime order q and g be a generator of $G_1$; for all $(g, g^a, g^b) \in G_1$, with $a, b \in Z_q$, the CDH problem is to compute $g^{a \cdot b}$.

Definition 2. The $(h, \varepsilon)$-CDH assumption holds if no $h$-time algorithm can solve the CDH problem with probability at least $\varepsilon$.

A Syntax for MS in IoT
In this section, we present a syntax for mesh signature in IoT, where each IoT device is seen as a signer that needs to issue its data to the IoT data collector. Intuitively, a mesh signature is a combination of atomic signatures that satisfies the condition that the monotone boolean expression Υ over the access structure (or expression structure) is true. Therefore, in our proposed syntax the monotone boolean expression Υ is associated with a list of tuples, each consisting of a public key and a message, and its value is true if one IoT device possesses the corresponding atomic signatures on the verified messages under the public verification keys, as shown in Figure 3. In Figure 3, when one IoT device belonging to a network group needs to issue its data set to the IoT data collector, the whole language expression Expression is represented by the form Expression ::= {$Lag_1$ OP $Lag_2$ ... OP $Lag_l$}, where $Lag_i$ is a sub-expression of the whole expression, OP denotes the operation on the sub-expressions, and l is the number of involved IoT devices belonging to the same network group (or the number of atomic clauses in a mesh structure). The more detailed and generalized form is as follows: where we set $l = m_1 + m_2 + m_3$. Then we consider the monotone boolean expression Υ over the access structure to be true only if $\Upsilon(Lag_1, Lag_2, \ldots, Lag_l) = 1$. Thus, for the previous-mentioned example, , the form of the atomic signature [VK i :

(1) System-Setup: The authority system runs the randomized algorithm, and inputs a security parameter $1^k$. In addition, the algorithm outputs all related public system parameters MRK and a master system private key msk on the parameter $1^k$.

(2) Generate-Key: The authority system runs the randomized algorithm, and inputs (MRK, msk), and then outputs the IoT device's private/public key pair $(sk_i, pk_i)$ to the device i, where $i \in \{1, 2, \ldots, n\}$ (we set that n is the number of the IoT devices).

Improved Mesh Signature Scheme for IoT Devices
In this section, we propose an improved mesh signature scheme for protecting the identities of IoT devices. Currently the generation of mesh signatures consists of two main steps: (1) generating some atomic signatures; (2) generating a final mesh signature based on the previous atomic signatures. Because atomic signatures can be reused, our construction also employs randomization so that no adversary can know which atomic signatures were reused. Compared with the original mesh signature [2,4], we define the access structure of the language expression restrictively, by monotone span programs; thus the improved mesh signature can still support generalized monotone predicates over the access structure. Let MS = (System-Setup, Generate-Key, Mesh-Sign, Mesh-Verify) be a mesh signature scheme in IoT. In MS, all detailed algorithms are described as follows (shown in Figure 4):

(1) MS.System-Setup: The system runs this setup algorithm, and inputs the parameter $1^k$ (used as the security level). Also, we set that $G_1$ and $G_2$ are the groups of prime order q, g is a generator of $G_1$, and that $e : G_1 \times G_1 \to G_2$ denotes the bilinear map. In addition, we set that $H : \{0, 1\}^* \to Z_{1^k \cdot q}$ denotes one hash function and it can be used to output integers in $Z_{1^k \cdot q}$.
Additionally, we assume that the monotone span programs related to claim-predicates have their width at most $t_{max}$ in our construction.
Then the following parameters are outputted in the system. The algorithm randomly chooses $a \in Z_q$ and sets $g_1 = g^a$. Five group elements y, f, ϑ, ψ and ∈ $G_1$ are randomly picked. Also, the algorithm generates a $t_{max}$-length vector $\Psi = (u_i)$, whose element $u_i$ is randomly picked from $G_1$. Finally the algorithm outputs the public parameters MPK = ($G_1$, $G_2$, e, g, $g_1$, y, f, ϑ, ψ, , Ψ), where msk = a is a master private key in the system.

(2) MS.Generate-Key: The system runs the algorithm and then generates the IoT device's private/public key pair. For the device i, the algorithm inputs (MRK, msk), and then it randomly picks $a_{i,0}, a_{i,1} \in Z_q$, sets $sk_{i,0} = a_{i,0}$ and computes $sk_{i,1} = f^{msk} \cdot y^{a_{i,1}} = f^{a} \cdot y^{a_{i,1}}$, $pk_{i,0} = g^{a_{i,0}}$ and $pk_{i,1} = g^{a_{i,1}}$, where we set $sk_i = (sk_{i,0}, sk_{i,1})$ as the private key of the device i and $pk_i = (pk_{i,0}, pk_{i,1})$ as the public key of the device i.

• atomic signature The algorithm randomly chooses $z_i \in Z_q$ and a vector $(r_{i,k})$ with $r_{i,k} \in Z_q$ and $k \in [1, 2, \ldots, l]$, and then computes the atomic signatures as follows: - where we assume the signing needs to involve l IoT devices, $pk_k$ is the public key of the k-th device with $pk_k \in$ PK_List; - For $V = (v_1, v_2, \ldots, v_l)$, generate the claim-predicate Υ which satisfies Υ(V) = 1, and then transform the claim-predicate Υ to its corresponding monotone span program $\Lambda \in Z_q^{l \times t_{max}}$; The algorithm outputs the atomic signatures Remark: As one of the atomic signatures, we can denote

• mesh signature The algorithm randomly chooses $b, c, t, d_0, d_1, \ldots, d_l \in Z_q$, and then computes the mesh signature as follows: - The algorithm finally generates and outputs a mesh signature where $pk_k$ is the public key of the k-th device with $pk_k \in$ PK_List.
• The algorithm computes If the equation is correct, the algorithm outputs accept, otherwise it outputs reject.
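The step "transform the claim-predicate Υ to its corresponding monotone span program Λ" can be illustrated with the following added example, which is not code from the paper: it uses the standard Lewko-Waters formula-to-matrix conversion (an assumption, since the paper does not name its conversion) and then solves for the vector η that combines the rows of the held clauses into (1, 0, ..., 0). The predicate, the clause labels and the toy prime Q are constructed for the illustration.

```python
# Added illustration, not code from the paper. The conversion is the
# Lewko-Waters formula-to-matrix algorithm (assumed; the paper does not say
# which conversion it uses). Q and the sample predicate are constructed.
Q = 2**61 - 1  # toy prime standing in for the group order q


def formula_to_msp(formula, t_max):
    """Convert a monotone AND/OR formula into a span program.

    formula: ("leaf", label) | ("and", left, right) | ("or", left, right)
    Returns (labels, matrix): one row per clause, t_max columns, entries mod Q.
    A clause set satisfies the formula iff its rows span (1, 0, ..., 0).
    """
    rows = []
    width = 1  # number of columns allocated so far

    def walk(node, vec):
        nonlocal width
        if node[0] == "leaf":
            rows.append((node[1], vec))
        elif node[0] == "or":           # both children inherit the parent vector
            walk(node[1], vec)
            walk(node[2], vec)
        elif node[0] == "and":          # split the parent vector over a new column
            left = vec + [0] * (width - len(vec)) + [1]
            right = [0] * width + [-1]
            width += 1
            walk(node[1], left)
            walk(node[2], right)
        else:
            raise ValueError("unknown node type: %r" % (node[0],))

    walk(formula, [1])
    if width > t_max:
        raise ValueError("span program width %d exceeds t_max=%d" % (width, t_max))
    labels = [label for label, _ in rows]
    matrix = [[x % Q for x in vec + [0] * (t_max - len(vec))] for _, vec in rows]
    return labels, matrix


def satisfying_vector(matrix, held):
    """Return eta (zero outside `held`) with eta * matrix = (1,0,...,0) mod Q,
    or None when the held clauses do not satisfy the predicate."""
    width = len(matrix[0])
    cols = sorted(held)
    # One linear equation per span-program column j, unknowns eta_k for k in held.
    aug = [[matrix[k][j] for k in cols] + [1 if j == 0 else 0] for j in range(width)]
    pivots, r = [], 0
    for c in range(len(cols)):          # Gauss-Jordan elimination over Z_Q
        p = next((i for i in range(r, width) if aug[i][c]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][c], -1, Q)
        aug[r] = [x * inv % Q for x in aug[r]]
        for i in range(width):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % Q for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in aug[r:]):  # a row reading 0 = nonzero: no solution
        return None
    eta = [0] * len(matrix)
    for row_index, c in enumerate(pivots):
        eta[cols[c]] = aug[row_index][-1]
    return eta


def spans_target(matrix, eta):
    """Check eta * matrix == (1, 0, ..., 0) mod Q."""
    width = len(matrix[0])
    combo = [sum(e * row[j] for e, row in zip(eta, matrix)) % Q for j in range(width)]
    return combo == [1] + [0] * (width - 1)


# Constructed predicate over three clauses of the form [VK_d : Msg].
SAMPLE = ("or",
          ("and", ("leaf", "VK_d1:Msg1"), ("leaf", "VK_d2:Msg2")),
          ("leaf", "VK_d3:Msg3"))

if __name__ == "__main__":
    labels, msp = formula_to_msp(SAMPLE, t_max=3)
    for held in ({0}, {1}, {0, 1}, {2}):
        eta = satisfying_vector(msp, held)
        names = sorted(labels[k] for k in held)
        print(names, "->", "satisfied" if eta else "not satisfied")
```

The span program only decides which sets of clauses satisfy Υ; binding the atomic signatures to one signer so that pooled signatures do not verify is the job of the scheme's group elements, which this example does not model.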

Security Analysis
In our proposed mesh signature scheme, we need to consider the two notions "one-more unforgeability" and "full anonymity". First, no IoT device can forge a new mesh signature on any corrupted or fresh information. Second, the anonymity of an IoT device is preserved even if some atomic signatures are reused to generate a new mesh signature; that is, the mesh signature and its atomic signatures must be anonymous, which requires randomizing the generated signatures. Under the security frame proposed by [2,4], our scheme is proven to be unforgeable and anonymous.

Theorem 1. Our proposed scheme is $(h, \varepsilon, q_k, q_a, q_m)$-unforgeable, where we assume that the $(h', \varepsilon')$-CDH assumption can hold in $G_1$, and: $q_k$ denotes the number of queries to the "Generate-Key" oracle, $q_a$ denotes the number of queries to the "Atomic Signature" oracle, $q_m$ denotes the number of queries to the "Mesh Signature" oracle, $C_{mul}$ denotes the time of a multiplication in $G_1$, and $C_{exp}$ denotes the time of an exponentiation in $G_1$. (This proof is provided in Appendix A.1.)

Theorem 2. Our proposed scheme is $(h, \varepsilon, q_k, q_a, q_m)$-anonymous, where we assume that the $(h', \varepsilon')$-CDH assumption can hold in $G_1$, and: $(q_{m_1} + q_{m_2}) \cdot [(4 \cdot l \cdot t_{max} + 3 \cdot l + 13) \cdot C_{exp} + (4 \cdot l \cdot t_{max} + 4 \cdot l + 8) \cdot C_{mul}])$, $q_{k_1}$ and $q_{k_2}$ denote the numbers of queries to the "Generate-Key" oracle in query phases 1 and 2 respectively, $q_{a_1}$ and $q_{a_2}$ denote the numbers of queries to the "Atomic Signature" oracle in query phases 1 and 2 respectively, $q_{m_1}$ and $q_{m_2}$ denote the numbers of queries to the "Mesh Signature" oracle in query phases 1 and 2 respectively, $C_{mul}$ denotes the time of a multiplication in $G_1$, and $C_{exp}$ denotes the time of an exponentiation in $G_1$. (This proof is provided in Appendix A.2.)

Efficiency Analysis
In the proposed scheme, the length of the atomic signatures is $(2 \cdot l + l \cdot t_{max}) \cdot |G_1|$ and the length of the mesh signature is $(4 + 2 \cdot l + t_{max}) \cdot |G_1|$, where $|G_1|$ is the size of an element in $G_1$. Because $x_{i,0,k}$, $x_{i,1,k}$, $\psi^{r_{i,k}}$ in $s_{k,j}$ may be pre-computed (to keep the analysis simple, we ignore the time of integer and hash computations), signing a message set for the atomic signatures computes at most $l \cdot t_{max}$ exponentiations in $G_1$ and $l \cdot t_{max}$ multiplications in $G_1$. Also, because $X_1$, $X_2$, $X_3$, $X_4$, $X_{5,k}$, $g^{d_k}$ in $I_k$, ∏ l k=1 (x i,0,k ) · ψ d 0 +b · d 0 in X 0 , sk i,1 · y c · g c in Q j may be pre-computed, signing a message set for the mesh signature computes at most $4 \cdot l \cdot t_{max} + l + 1$ exponentiations in $G_1$ and $4 \cdot l \cdot t_{max} + l + 1$ multiplications in $G_1$. In the verify algorithm, because the value $e(f, g_1)$ can be pre-computed and cached, the verification needs $(2 \cdot l + 1) \cdot t_{max} + 5$ pairing computations, $2 \cdot l \cdot t_{max}$ exponentiations in $G_1$ and $2 \cdot l \cdot t_{max} + 5$ multiplications in $G_1$. Furthermore, we compare our proposed scheme with the original mesh signature scheme [2] in detail. Table 1 shows the performance comparison according to our theoretical analysis (in this comparison, we assume that the order of the assigned structure tree in [2] is set to $t_{max}$), where $C_{mul}$ denotes the time of a multiplication in $G_1$, $C_{exp}$ denotes the time of an exponentiation in $G_1$ and $C_{pair}$ denotes the time of a pairing computation. According to Table 1, although generating atomic signatures in our scheme needs more computational cost, our scheme has lower computational cost for generating the final mesh signature and for signature verification. Since atomic signatures are reusable, our scheme has a further advantage when the final mesh signature is generated by reconstructing atomic signatures.

| Scheme | Atomic Signatures | Mesh Signature | Verification |
| --- | --- | --- | --- |
| Original scheme [2] | $C_{exp}$ | $(6 \cdot (l + 1) \cdot t_{max}) \cdot C_{exp} + (4 \cdot l \cdot t_{max} + t_{max}) \cdot C_{mul}$ | $((l + 1) \cdot t_{max} + 1) \cdot C_{pair} + 3 \cdot (l + 1) \cdot t_{max} \cdot C_{exp} + 3 \cdot l \cdot t_{max} \cdot C_{mul}$ |
| Our scheme | $l \cdot t_{max} \cdot (C_{exp} + C_{mul})$ | $(4 \cdot l \cdot t_{max} + l + 1) \cdot (C_{exp} + C_{mul})$ | $((2 \cdot l + 1) \cdot t_{max} + 5) \cdot C_{pair} + 2 \cdot l \cdot t_{max} \cdot C_{exp} + (2 \cdot l \cdot t_{max} + 5) \cdot C_{mul}$ |

Additionally, we ran experiments to test and evaluate the actual performance of our scheme. In the tests, we employ the pairing-based cryptography (PBC) library to simulate our scheme, and the experimental computer has an Intel Core i5 2.7 GHz CPU and 8 GB of RAM. In our experiments, we use the Type A pairings in the PBC library to construct the pairings, where the lengths of the parameters p and q are respectively set as 160 bits and 512 bits. Furthermore, the parameter l is set to {1, 10, 20, 30, 40, 50}, and we test our scheme and the original scheme [2] 10 times on average under the different settings of l. Table 2 shows the actual performance comparison of our scheme and the original scheme. Similar to our theoretical analysis, our scheme has lower computational cost for generating the final mesh signature and for signature verification, compared with the original scheme. Since our scheme is used to protect the identity privacy of IoT devices, we further test memory consumption when signing messages of different sizes. Figure 5 shows the change of memory consumption when signing messages of different sizes, where the sizes of messages are set to 100 KB, 1 MB, 10 MB, 20 MB and 50 MB respectively. In Figure 5, when our scheme generates a mesh signature on a 10 MB message, the memory consumption is only about 200 KB. Therefore, it is feasible to use our scheme to protect the identity privacy of IoT devices.

Conclusions
IoT devices are responsible for acquiring, storing, and transferring data. Currently, many IoT devices are located on the edge of a network and lack protection measures to resist various attacks [38–43]. Therefore, these devices are more vulnerable to attacks such as device theft, device manipulation, identity theft and data eavesdropping. Thus, the privacy of IoT devices needs attention. It is very important to protect the identities of IoT devices when these devices process and transfer data [44–52]. We present a syntax for mesh signature in IoT. Under the proposed syntax, we present a fully anonymous mesh signature scheme for IoT devices, where the IoT devices may be seen as the signers to sign their data and their specific identities can be hidden. In our proposed scheme, the generation of mesh signatures consists of two main steps: (1) generating some atomic signatures; (2) generating a final mesh signature based on the previous atomic signatures. Additionally, IoT devices can generate a large amount of data every day; if each IoT device needs to sign and then publish its data, the signing cost is very heavy for the device. Thus, if each IoT device reuses its own "old" signatures on the same data, it saves signing cost and decreases the number of signatures generated by IoT devices. In our proposed scheme, the atomic signatures on the same data are reusable, which decreases the number of signatures. Although the atomic signatures can be reused, randomization is employed so that no adversary can know which atomic signatures were reused. This merit is very suitable for IoT devices.
Furthermore, in our proposed scheme we define the access structure of the language expression restrictively, by monotone span programs; thus the proposed mesh signature can resist collusion attacks while its access structure still supports generalized monotone predicates. Compared with the original mesh signature scheme, our proposed scheme has the advantage of a signature length of linear size.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A.
Appendix A.1. Unforgeability
Proof of Theorem 1. We set that MS is our proposed mesh signature scheme. Also we set that A is an adversary with the tuple $(h, \varepsilon, q_k, q_a, q_m)$ that can attack MS. To interact with the adversary A, an algorithm B is constructed. For $(g, g^a, g^b) \in G_1$, B may interact with A to compute $g^{a \cdot b}$. Then the algorithm B can be assumed to solve the CDH problem with probability at least $\varepsilon'$ and in time at most $h'$, which is contrary to the $(h', \varepsilon')$-CDH assumption. Therefore, we may build a simulation procedure as follows:

Setup: The parameter $1^k$ is inputted. Also, we set that $G_1$ and $G_2$ are the groups of prime order q, g is a generator of $G_1$, and that $e : G_1 \times G_1 \to G_2$ denotes the bilinear map. In addition, we set that $H : \{0, 1\}^* \to Z_{1^k \cdot q}$ denotes one hash function and it can be used to output integers in $Z_{1^k \cdot q}$. Additionally, we assume that the monotone span programs related to claim-predicates have their width at most $t_{max}$ in our construction.
Then the following parameters are outputted. The algorithm sets $g_1 = g^a$ and $f = g^b$ with $a, b \in Z_q$ (B does not know a and b), chooses ω, β, ι, ϕ, ∈ $Z_q$, and then sets $y = f^{\omega} = g^{\beta}$, $\vartheta = g^{\iota}$, $\psi = g^{\phi}$ and = g . In addition, the algorithm chooses j ∈ $Z_q$ for all js with $j \in [1, 2, \ldots, t_{max}]$, and then sets u j = g j for all js with $j \in [1, 2, \ldots, t_{max}]$. Then this system outputs all the parameters MRK = ($G_1$, $G_2$, e, g, $g_1$, y, f, ϑ, ψ, , $\Psi = (u_j)$), where msk = a is seen as the master key of the system.

Queries: A makes the following key and signature queries, then B gives its answers as follows:

• Generate-Key(): Given the public parameters MRK, for the device i, the algorithm randomly chooses $a_{i,0}, a_{i,1} \in Z_q$, sets $sk_{i,0} = a_{i,0}$ and computes $sk_{i,1} = y^{a_{i,1}}$, $pk_{i,0} = g^{a_{i,0}}$ and $pk_{i,1} = g^{a_{i,1}} \cdot g_1^{-\frac{1}{\omega}}$, where $sk_i = (sk_{i,0}, sk_{i,1})$ is the private key of the device i and $pk_i = (pk_{i,0}, pk_{i,1})$ is the public key of the device i, and then the private/public key pair is passed to the adversary A.
Remark: For the correctness of $sk_i$ and $pk_i$, they may be rewritten as follows: setting $a'_{i,1} = a_{i,1} - \frac{a}{\omega}$, then $sk_{i,1} = f^{a} \cdot y^{a'_{i,1}}$ and $pk_{i,1} = g^{a'_{i,1}}$. Therefore, $sk_i$ and $pk_i$ form a valid private/public key pair.
If $a_{i,1} - \frac{a}{\omega} = 0 \bmod q$, the above procedure cannot occur and aborts. Otherwise, a private/public key pair is outputted to A. The message M is divided into $msg_1, msg_2, \ldots, msg_l$; then the algorithm computes $v_k = H(msg_k \| pk_k)$ with $k \in [1, 2, \ldots, l]$, where we assume the signing needs to involve l devices, $pk_k$ is the public key of the k-th device with $pk_k \in$ PK_List; - , generate the claim-predicate Υ which satisfies Υ(V) = 1, and then transform the claim-predicate Υ to the monotone span program $\Lambda \in Z_q^{l \times t_{max}}$; If $v_k = H(msg_k \| pk_k) = 0 \bmod q$ with $k \in [1, 2, \ldots, l]$, then the above procedure cannot occur and aborts. Otherwise, the atomic signatures are passed to the adversary A.

• Mesh-Sign():
Given the public parameters MRK, the atomic signatures σ a = (x i,0,k ), (x i,1,k ), (s k,j ) on the public key list PK_List and the message M (with respect to the device i), and the monotone boolean expression Υ, the algorithm finishes the following steps: · g c , X 4 = y sk i,0 · y c according to the corresponding sk i,0 , X 5,k = x i,1,k · g d 0 +t = g r i,k +d 0 +t with k ∈ - The algorithm finally generates and outputs a mesh signature Similarly, setting a i,1 = a i,1 − a ω , σ m is a valid mesh signature. If a i,1 − a ω = 0 mod q, the above procedure cannot occur and aborts. Otherwise, a mesh signature σ m is outputted to A. Forgery: If B finally does not abort, then A can return its forgery with probability at least ε, (MRK, PK_List * , M * , Υ * , Φ * ), where Υ * can be converted to the corresponding monotone span program Λ * ∈ Z q l×t max , the vector − → η * = η * k is related to the satisfying assignment Then we may get the following: where Υ * (V * ) = 1, and Finally, the algorithm B computes and outputs which solves the given CDH problem. Then, we compute the probability that B does not abort. For the complete simulation procedure of B, we must assure that all key queries can have a i,1 − a ω = 0 mod q, all atomic signature queries can have v k = H(msg k ||pk k ) = 0 mod q for all k ∈ [1, 2......l], and all mesh signature queries can have a i,1 − a ω = 0 mod q. Therefore, if B will not abort, then we must assure that the following three conditions hold: (a) a i,1 − a ω = 0 mod q in related key queries; (b) v k = H(msg k ||pk k ) = 0 mod q for all k ∈ [1, 2......l] in related atomic signature queries; (c) a i,1 − a ω = 0 mod q in related mesh signature queries. 
To make our analysis easier to understand, we define the events E j , R j and T j as E j :a i,1 − a ω = 0 mod q, with j=1, 2......q k , q k denotes the queries number of "Generate-Key" oracle; R j :v k = H(msg k ||pk k ) = 0 mod q for all k ∈ [1, 2......l], with j=1, 2......q a , q a denotes the queries number of "Atomic Signature" oracle; T j :a i,1 − a ω = 0 mod q, with j=1, 2......q m , q m denotes the queries number of "Mesh Signature" oracle.
The probability that B is completely simulated is Pr(not_abort) = Pr Therefore, Therefore, we can get that

$\varepsilon' = \left(1 - \frac{q_k}{q}\right) \cdot \left[1 - q_a + q_a \cdot \left(1 - \frac{1}{q}\right)^{l}\right] \cdot \left(1 - \frac{q_m}{q}\right) \cdot \varepsilon.$

If B is completely simulated, then A generates a valid mesh signature forgery with probability at least $\varepsilon$, and B may be used to compute $g^{a \cdot b}$. The time cost of B mainly consists of the exponentiations and multiplications performed in the queries. Ignoring the time of other lightweight computations (such as integer addition, integer multiplication and hash computation), the time cost of B is Thus, Theorem 1 follows.

Appendix A.2. Anonymity
Proof of Theorem 2. (This proof is similar to that of Theorem 1; the difference is the addition of the queries of phase 2.) Let MS be our proposed mesh signature scheme, and let A be an adversary with the tuple $(h, \varepsilon, q_k, q_a, q_m)$ that attacks MS. An algorithm B is constructed to interact with the adversary A. For $(g, g^a, g^b) \in G_1$, B interacts with A to compute $g^{a \cdot b}$. Then the algorithm B can be assumed to solve the CDH problem with probability at least $\varepsilon'$ and in time at most $h'$, which contradicts the $(h', \varepsilon')$-CDH assumption. Therefore, we may build a simulation procedure as follows:

1. Setup: The parameter $1^k$ is input. $G_1$ and $G_2$ are groups of prime order $q$, $g$ is a generator of $G_1$, and $e : G_1 \times G_1 \to G_2$ denotes the bilinear map. In addition, $H : \{0, 1\}^* \to \mathbb{Z}_{1^k \cdot q}$ denotes a hash function that outputs integers in $\mathbb{Z}_{1^k \cdot q}$. Additionally, we assume that the monotone span programs related to claim-predicates have width at most $t_{max}$ in our construction.
Then the following parameters are output. The algorithm sets $g_1 = g^a$ and $f = g^b$ with $a, b \in \mathbb{Z}_q$ (B does not know $a$ and $b$), chooses ω, β, ι, ϕ, ∈ $\mathbb{Z}_q$, and then sets $y = f^{\omega} = g^{\beta}$, $\vartheta = g^{\iota}$, $\psi = g^{\phi}$ and = g . In addition, the algorithm chooses j ∈ $\mathbb{Z}_q$ for all $j \in [1, 2, \ldots, t_{max}]$, and then sets u j = g j for all $j \in [1, 2, \ldots, t_{max}]$. Then this algorithm outputs all the parameters MRK = ($G_1$, $G_2$, $e$, $g$, $g_1$, $y$, $f$, $\vartheta$, $\psi$, , $\Psi = (u_j)$), where msk = $a$ is seen as the master key of the system.

2. Queries Phase 1: A makes the following key and signature queries, and B answers as follows:

• Generate-Key(): Given the public parameters MRK, for the device $i$, the algorithm randomly chooses $a_{i,0}, a_{i,1} \in \mathbb{Z}_q$, sets $sk_{i,0} = a_{i,0}$ and computes $sk_{i,1} = y^{a_{i,1}}$, $pk_{i,0} = g^{a_{i,0}}$ and $pk_{i,1} = g^{a_{i,1}} \cdot g_1^{-\frac{1}{\omega}}$, where $sk_i = (sk_{i,0}, sk_{i,1})$ is the private key of the device $i$ and $pk_i = (pk_{i,0}, pk_{i,1})$ is the public key of the device $i$, and then the private/public key pair is passed to the adversary A. Similarly, setting $a'_{i,1} = a_{i,1} - \frac{a}{\omega}$, then $sk_{i,1} = f^{a} \cdot y^{a'_{i,1}}$ and $pk_{i,1} = g^{a'_{i,1}}$. Therefore, $sk_i$ and $pk_i$ form a valid private/public key pair.
If $a_{i,1} - \frac{a}{\omega} = 0 \bmod q$, the above procedure cannot be carried out and B aborts. Otherwise, a private/public key pair is output to A.

- The message $M$ is divided into $msg_1, msg_2, \ldots, msg_l$; then the algorithm computes $v_k = H(msg_k \| pk_k)$ with $k \in [1, 2, \ldots, l]$, where we assume the signing involves $l$ devices and $pk_k$ is the public key of the $k$-th device with $pk_k \in$ PK_List;
- For $V = (v_1, v_2, \ldots, v_l)$, generate the claim-predicate $\Upsilon$ which satisfies $\Upsilon(V) = 1$, and then transform the claim-predicate $\Upsilon$ to the monotone span program $\Lambda \in \mathbb{Z}_q^{l \times t_{max}}$;

If $v_k = H(msg_k \| pk_k) = 0 \bmod q$ with $k \in [1, 2, \ldots, l]$, then the above procedure cannot be carried out and B aborts; otherwise the atomic signatures are passed to the adversary A.
The algorithm finally generates and outputs a mesh signature

Similarly, setting $a'_{i,1} = a_{i,1} - \frac{a}{\omega}$, $\sigma_m$ is a valid mesh signature. If $a_{i,1} - \frac{a}{\omega} = 0 \bmod q$, the above procedure cannot be carried out and B aborts. Otherwise, a mesh signature $\sigma_m$ is passed to A.
The challenger randomly chooses a bit x ∈ {0, 1}, and then the following is outputted as

Queries Phase 2:
A makes the following key and signature queries, and B answers as follows:

• Generate-Key(): Given the public parameters MRK, for the device $i$, the algorithm randomly chooses $a_{i,0}, a_{i,1} \in \mathbb{Z}_q$, sets $sk_{i,0} = a_{i,0}$ and computes $sk_{i,1} = y^{a_{i,1}}$, $pk_{i,0} = g^{a_{i,0}}$ and $pk_{i,1} = g^{a_{i,1}} \cdot g_1^{-\frac{1}{\omega}}$, where $sk_i = (sk_{i,0}, sk_{i,1})$ is the private key of the device $i$ and $pk_i = (pk_{i,0}, pk_{i,1})$ is the public key of the device $i$, and then the private/public key pair is passed to the adversary A. Similarly, setting $a'_{i,1} = a_{i,1} - \frac{a}{\omega}$, then $sk_{i,1} = f^{a} \cdot y^{a'_{i,1}}$ and $pk_{i,1} = g^{a'_{i,1}}$. Therefore, $sk_i$ and $pk_i$ form a valid private/public key pair.
If $a_{i,1} - \frac{a}{\omega} = 0 \bmod q$, the above procedure cannot be carried out and B aborts. Otherwise, a private/public key pair is output to A.
• Atomic-Sign(): Given the public parameters MRK, the public key list PK_List and the message M, where PK_List is a list of the public keys of the devices involved with this query (with respect to the device i), the algorithm finishes the following steps:

- The algorithm randomly chooses $sk_{i,0}, z_i \in \mathbb{Z}_q$ and a vector $(r_{i,k})$ with $r_{i,k} \in \mathbb{Z}_q$ and $k \in [1, 2, \ldots, l]$, computes x i,0,k = g sk i,0 l · r i,k and $x_{i,1,k} = g^{r_{i,k}}$ with $k \in [1, 2, \ldots, l]$, and then saves $sk_{i,0}$ where $sk_{i,0} = a_{i,0}$;
- The message $M$ is divided into $msg_1, msg_2, \ldots, msg_l$; then the algorithm computes $v_k = H(msg_k \| pk_k)$ with $k \in [1, 2, \ldots, l]$, where we assume the signing involves $l$ devices and $pk_k$ is the public key of the $k$-th device with $pk_k \in$ PK_List;
- For $V = (v_1, v_2, \ldots, v_l)$, generate the claim-predicate $\Upsilon$ which satisfies $\Upsilon(V) = 1$, and then transform the claim-predicate $\Upsilon$ to the monotone span program $\Lambda \in \mathbb{Z}_q^{l \times t_{max}}$;

If $v_k = H(msg_k \| pk_k) = 0 \bmod q$ with $k \in [1, 2, \ldots, l]$, the above procedure cannot be carried out and B aborts; otherwise the atomic signatures are passed to the adversary A.

•
Similarly, setting $a'_{i,1} = a_{i,1} - \frac{a}{\omega}$, $\sigma_m$ is a valid mesh signature. If $a_{i,1} - \frac{a}{\omega} = 0 \bmod q$, the above procedure cannot be carried out and B aborts. Otherwise, a mesh signature $\sigma_m$ is passed to A.

Guess:
If B finally does not abort, then the adversary A can output its result $x' \in \{0, 1\}$ with probability at least $\varepsilon$ and succeeds if $x' = x$. Then we may get the following: where $\Upsilon^*(V^*) = 1$, and Therefore, the algorithm B computes and outputs which solves the given CDH problem.
Therefore, the probability that B is completely simulated is Pr(not_abort) = Pr It is easy to see that the events R j 2 and q m 2 T j 2 are independent.
Then we may compute Pr( Therefore, Pr(not_abort) = Pr Therefore, we can get that ε = (1 − ). If B is completely simulated, then A generates a valid mesh signature forgery with probability at least $\varepsilon$, and B may be used to compute $g^{a \cdot b}$. The time cost of B mainly consists of the exponentiations and multiplications performed in the queries. Ignoring the time of other lightweight computations, the time cost of B is

$h' = h + O\big((q_{k_1} + q_{k_2}) \cdot [3 \cdot C_{exp} + C_{mul}] + (q_{a_1} + q_{a_2}) \cdot [(2 \cdot l \cdot t_{max} + 3) \cdot C_{exp} + (l \cdot t_{max} + 1) \cdot C_{mul}] + (q_{m_1} + q_{m_2}) \cdot [(4 \cdot l \cdot t_{max} + 3 \cdot l + 13) \cdot C_{exp} + (4 \cdot l \cdot t_{max} + 4 \cdot l + 8) \cdot C_{mul}]\big).$