Certificateless Network Coding Scheme from Certificateless Public Auditing Protocol

In recent years, network coding has received extensive attention and has been applied to various computer network systems, since it has been mathematically proven to enhance network robustness and maximize network throughput. However, it is well known to be extremely vulnerable to pollution attacks. The certificateless network coding scheme (CLNS) is a recently proposed mechanism to defend network coding against pollution attacks, which avoids the tedious management of certificates and the key-escrow attack. Until now, only a few constructions have been presented, and more should be given in order to enrich this field. In this paper, for the first time, we study the general construction of a CLNS from a certificateless public auditing protocol (CL-PAP), although the two areas seem quite different in nature and are studied independently. Since there are many candidate CL-PAPs, we naturally obtain abundant constructions of CLNSs through our systematic approach. In addition, to show the power of our general construction, we also present a concrete implementation from a specific CL-PAP. The performance analysis and experimental results show that the implemented CLNS is competitive with existing network coding schemes.


I. INTRODUCTION
The traditional way of data transmission is based on a store-and-forward routing mechanism. For a long time, it was generally believed that processing the transmitted data at intermediate nodes would not produce any benefit. When network coding was first proposed by Ahlswede et al. [1] in 2000, it completely overturned this traditional view and established its important position in modern network communication research. Network coding (NC) is an information exchange scheme that combines routing and coding, and it has the advantages of optimized throughput, stronger robustness and lower power consumption. However, it is highly vulnerable to pollution attacks, because intermediate nodes combine polluted packets with honest packets during transmission, and destination nodes then waste resources decoding incorrect packets.
Linearly homomorphic signatures can effectively counter pollution attacks: intermediate nodes are allowed to verify packets and discard polluted packets in transmission [5]. Boneh et al. [2] applied a homomorphic signature scheme to network coding, which can effectively defend against pollution attacks by introducing the CDH assumption, the random oracle model and the bilinear map. In this mechanism, all nodes have to acquire the public key of the source node rather than share the same private key.
Genqing Bian and Mingxuan Song are with the School of Information and Control Engineering, Xi'an University of Architecture and Technology, Shaanxi, 710055, P.R. China. E-mail: bgq 00@163.com; songmingxuan@xauat.edu.cn.
Bilin Shao is with the School of Management, Xi'an University of Architecture and Technology, Shaanxi, 710055, P.R. China. E-mail: sblin0462@sina.com.
In traditional certificate-based network coding, the most popular method of binding a user's public key to his identity is for a certificate authority (CA) to generate a digital certificate for the user. To confirm the relationship between the public key and the identity of a source node, other nodes must verify the validity of the corresponding certificate before using this public key. At present, public key infrastructure (PKI) is the core and foundation of network security construction; it uses digital certificates to manage public keys and binds a user's public key to his identity through the CA. Because generating and managing many certificates is time-consuming, PKI is costly to deploy and cumbersome to use in practice. Therefore, additional validation of each certificate with the CA and PKI in network coding will significantly degrade its performance.
To solve the certificate management problem, Shamir et al. [17] introduced identity-based cryptography in 1984, which can be used in identity-based network coding. The solution is to use the user's information, such as email or ID number, as his public key, which eliminates the need for a public key certificate. Furthermore, the user's private key is generated by the key generation center (KGC) by combining the user's public key with the KGC's master key.
However, since the KGC possesses the private keys of all users, identity-based network coding faces the key-escrow problem, that is, the KGC may forge a user's signature. To solve this problem, Al-Riyami et al. [20] proposed the theory of certificateless public key cryptography in 2003, which suggested the certificateless signature (CLS). Then, for the first time, Chang et al. [6] proposed the certificateless network coding scheme in 2020, but there are still few concrete certificateless network coding schemes in current research. In view of this situation, we consider how to relate network coding to cloud storage in order to discover more concrete certificateless network coding schemes.
In the field of cloud storage, the concept of cloud auditing was put forward by Juels et al. [4] and Ateniese et al. [29] at the same time; they proposed the proof of retrievability (PoR) protocol and the provable data possession (PDP) protocol respectively, among which the PoR protocol can verify whether the cloud service provider (CSP) holds the complete data of the user. The data owner can therefore leverage the PoR protocol to verify the integrity of outsourced data.
Subsequently, Shacham et al. [28] came up with a concrete public auditing protocol on the basis of the message authentication code (MAC) and the digital signature. Public auditing means that the data owner can entrust a third-party auditor (TPA) to perform data integrity auditing on his behalf without downloading all the data. As mentioned above, the KGC is not completely trusted, because the data owner's private key is entirely generated by the KGC. Hence, the certificateless public auditing protocol (CL-PAP) solves the key-escrow problem. In CL-PAPs, the data owner's private key consists of two parts, one generated by the data owner himself and the other generated by the KGC, while the public key can be generated by a public verifier from the data owner's identity, such as his email or ID number, to ensure that the correct public key is used during the auditing process.
Although network coding and cloud storage are two different fields of networking, both are fundamentally concerned with data integrity auditing. Specifically, the question is under what conditions a public auditing protocol can be constructed from a network coding scheme, or a public auditing protocol can be transformed into a network coding scheme. The relationship between them has been revealed by some researchers. In 2016, Chen et al. [8] proposed a cloud storage protocol based on a secure network coding scheme and enhanced it to support public auditing. In 2021, Chang et al. [27] presented a general construction from an admissible PoR protocol to a secure network coding scheme and described some concrete instantiations. This relationship between the two fields can naturally be extended to certificateless public key cryptography.
Our Contributions: In this paper, we propose a certificateless public auditing protocol and give conditions under which it becomes an admissible certificateless public auditing protocol. Then, for the first time, we present a general construction that transforms this admissible protocol into a certificateless network coding scheme. After that, to show the power of our general construction, we give a concrete admissible CL-PAP and transform it into a CLNS. Finally, we compare the performance of the transformed CLNS with two other network coding schemes in terms of communication overhead and computing cost. According to the experimental results, our transformed CLNS is competitive.
Related Works: In the field of network coding, Attrapadung et al. [12] proposed a standard model of homomorphic network coding signatures in 2011. Later, Lin et al. [18] proposed a linearly homomorphic proxy signature scheme. In order to avoid certificate management, Lin et al. [19] and Chang et al. [31] introduced different identity-based linearly homomorphic signature schemes, among which Chang's scheme can resist the related-key attack. In addition, Fan et al. [13] and Liu et al. [25] respectively proposed privacy-preserving signature schemes for network coding. To solve the key-escrow attack, the certificateless linearly homomorphic signature has been applied to network coding: Chang et al. [6] introduced certificateless network coding in 2020. In recent work, Wu et al. [9] applied a certificateless network coding scheme to the IoT.
As for cloud storage, Chen et al. [14] introduced a novel remote data checking scheme for distributed storage systems. Zhu et al. [24] designed an audit system which supports dynamic data operations. To improve security and performance, Wang et al. [15] proposed a privacy-preserving public auditing protocol for shared cloud data and then a public auditing protocol with efficient user revocation [16]. In 2017, Shen et al. [23] considered a public auditing protocol with a dynamic structure. In 2021, Wang et al. [32] introduced a secure cloud storage auditing protocol which can tolerate small data errors. For certificate management issues, Wang et al. [21] proposed an identity-based public auditing protocol for multicloud storage. After the advent of certificateless public key cryptography, many certificateless public auditing protocols have been proposed by researchers [7], [22], [26], [30].
Organization: This article is organized as follows. In Section 2, we first introduce basic notions and preliminaries, including the bilinear map, linear network coding and complexity assumptions. Then, in Section 3, we describe several different network coding system models, focusing on the certificateless network coding scheme and its security model. Later, in Section 4, we introduce the certificateless public auditing protocol with its security model and construct an admissible certificateless public auditing protocol. In Section 5, we propose a general construction for transforming an admissible CL-PAP into a CLNS. We show a concrete instantiation in Section 6. The performance analysis and the conclusion are given in Section 7 and Section 8.

II. NOTIONS AND PRELIMINARIES
In this section, we introduce some basic notation and basic cryptographic tools, consisting of the bilinear map, linear network coding and complexity assumptions.
Basic Notions: We use $k$ to denote the security parameter. PPT means probabilistic polynomial time. Given a prime number $p$, $\mathbb{Z}_p$ and $\mathbb{Z}_p^*$ denote the finite fields $[0, 1, \cdots, p-1]$ and $[1, 2, \cdots, p-1]$ respectively. Besides, $\mathbf{v}$ denotes a vector and $v_i$ denotes its $i$-th element.

A. Bilinear Map
Suppose $G_1$ and $G_2$ are two multiplicative groups which have the same prime order $p$, and $g$ is a generator of $G_1$. $e : G_1 \times G_1 \to G_2$ is a bilinear map if it satisfies the following properties:
1) Computability: for any $u, v \in G_1$, $e(u, v)$ is efficiently computable.
2) Non-degeneracy: there exist two elements $u, v \in G_1$ such that $e(u, v) \neq 1$.
3) Bilinearity: for any $a, b \in \mathbb{Z}_p^*$ and $u, v \in G_1$, $e(u^a, v^b) = e(u, v)^{ab}$.

B. Linear Network Coding
There are three steps to complete the file transmission in a linear network coding scheme:
• A file to be transmitted can be regarded as an ordered sequence of $n$-dimensional vectors $\bar{\mathbf{v}}_1, \cdots, \bar{\mathbf{v}}_m \in \mathbb{Z}_p^n$. Before the transmission starts, the source node augments them to $\mathbf{v}_1, \cdots, \mathbf{v}_m$ as
In this way, $\mathbf{v}_1, \cdots, \mathbf{v}_m$ form an augmented basis of a subspace $V$. The augmented vectors will be transmitted as packets by the source node.
• On receiving packets (i.e., vectors) $\mathbf{w}_1, \cdots, \mathbf{w}_l \in \mathbb{Z}_p^{m+n}$ on its $l$ incoming edges, the intermediate node computes the packet (i.e., a linear combination) $\mathbf{w} = \sum_{i=1}^{l} c_i \mathbf{w}_i$, where $c_i$ is randomly selected from $\mathbb{Z}_p$. Then, each intermediate node sends the vector $\mathbf{w}$ on its outgoing edges.
• A destination node (i.e., receiver) who wants to recover the original file has to receive $m$ linearly independent vectors $\mathbf{w}_1, \cdots, \mathbf{w}_m$. Suppose $\mathbf{w}_i^R$ ($\mathbf{w}_i^L$) denotes the right-most $n$ (left-most $m$) positions of the vector $\mathbf{w}_i$. Then the receiver computes an $m \times m$ matrix $Q$ such that
Finally, the receiver can recover the original file by computing 0 B @ v1 . . .
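The three steps above, and the pollution problem that motivates the rest of the paper, can be traced in a short Python sketch. This is an added example, not code from the paper: it assumes the augmentation prepends the i-th unit vector to the i-th file vector (consistent with the left-most m positions carrying the coefficients), and it uses a constructed prime and a constructed file to show that one polluted packet, once mixed at the next hop, corrupts every decoded vector.

```python
import random

P = 2**31 - 1  # constructed prime standing in for the field size p


def augment(file_vectors):
    """Source node: prepend the i-th unit vector of length m (assumed layout)."""
    m = len(file_vectors)
    return [[int(i == j) for j in range(m)] + list(v)
            for i, v in enumerate(file_vectors)]


def combine(packets, rng):
    """Intermediate node: w = sum_i c_i * w_i with random c_i from Z_p."""
    coeffs = [rng.randrange(P) for _ in packets]
    return [sum(c * w[k] for c, w in zip(coeffs, packets)) % P
            for k in range(len(packets[0]))]


def invert_mod_p(matrix):
    """Gauss-Jordan inverse over Z_p; ValueError if the matrix is singular."""
    m = len(matrix)
    aug = [list(row) + [int(i == j) for j in range(m)]
           for i, row in enumerate(matrix)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col] % P), None)
        if pivot is None:
            raise ValueError("received packets are not linearly independent")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, P)
        aug[col] = [x * inv % P for x in aug[col]]
        for r in range(m):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return [row[m:] for row in aug]


def decode(packets, m):
    """Receiver: Q inverts the left-most m columns, file = Q * right-most n."""
    q = invert_mod_p([w[:m] for w in packets])
    right = [w[m:] for w in packets]
    return [[sum(q[i][k] * right[k][j] for k in range(m)) % P
             for j in range(len(right[0]))] for i in range(m)]


def run_demo(seed=7):
    rng = random.Random(seed)
    # Constructed sample file: m = 3 vectors of dimension n = 4.
    file_vectors = [[11, 22, 33, 44], [55, 66, 77, 88], [99, 111, 122, 133]]
    m = len(file_vectors)
    hop1 = [combine(augment(file_vectors), rng) for _ in range(m)]

    # Honest path: a second hop re-mixes the packets, the receiver decodes.
    clean = decode([combine(hop1, rng) for _ in range(m)], m)

    # Polluted path: one data coordinate of ONE hop-1 packet is altered
    # before the second hop mixes it with the honest packets.
    polluted = [list(w) for w in hop1]
    polluted[0][m] = (polluted[0][m] + 1) % P
    dirty = decode([combine(polluted, rng) for _ in range(m)], m)

    corrupted_rows = sum(a != b for a, b in zip(dirty, file_vectors))
    return file_vectors, clean, dirty, corrupted_rows


if __name__ == "__main__":
    original, clean, dirty, corrupted = run_demo()
    print("honest decode matches file:", clean == original)
    print("file vectors corrupted by one polluted packet:", corrupted)
```

Without a per-packet check at the second hop the receiver has no way to tell the two outcomes apart, which is the role the vector-signature verification plays in the schemes that follow.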

C. Complexity Assumptions
Definition 1 (CDH problem). Let $e : G_1 \times G_1 \to G_2$ be a bilinear map and $g$ a generator of $G_1$. Given $(g, g^x, g^y)$, where $x, y$ are chosen randomly from $\mathbb{Z}_p$, the problem is for any PPT algorithm to compute and output $g^{xy}$.
Definition 2 (CDH assumption). The advantage of any PPT algorithm $A$ in solving the CDH problem is negligible, which can be defined as:
Definition 3 (DL assumption). Suppose $\alpha \in \mathbb{Z}_p^*$ and $g$ is a generator of $G_1$, and $g$ and $g^{\alpha}$ are given as input. For any PPT algorithm $A$, outputting $\alpha$ is computationally infeasible, which can be defined as:

III. CERTIFICATELESS NETWORK CODING
In this section, we first briefly introduce different kinds of network coding with their system models. Then, we give a certificateless network coding scheme and its security model.
• Upon receiving some packet-tag pairs $(\mathbf{v}_1, \sigma_1), (\mathbf{v}_2, \sigma_2), \cdots, (\mathbf{v}_l, \sigma_l)$, an intermediate node $N_i$ first checks the validity of all pairs and discards the "polluted" ones. For the "unpolluted" pairs, it randomly chooses $l$ coefficients $c_1, c_2, \cdots, c_l \in \mathbb{Z}_p$ to compute the "combined" vector $\mathbf{v}'$ and its signature $\sigma'$ as a new pair $(\mathbf{v}', \sigma')$, then transmits the new pair to adjacent nodes.
• After the destination node $R_j$ collects enough pairs ), $R_j$ also first checks the validity of the pairs and discards the "polluted" ones. Finally, it can recover the original vectors
2) Identity-Based Network Coding: In PKI, the CA issues certificates for public key authentication and binds each user's public key to his corresponding identity. But PKI introduces certificate management problems such as certificate distribution, revocation, storage, and the computational overhead of certificate validation. To solve the certificate management problem, Shamir et al. [17] introduced an identity-based homomorphic signature scheme which can be used for network coding.
In identity-based network coding there is, in addition to the three kinds of nodes mentioned above, a KGC that generates users' private keys. Concretely, the public key $PK$ of the KGC is unique and universal, so there is no need to perform public key certification for each source node. That is, intermediate nodes and destination nodes need only the common public key $PK$ of the KGC for signature verification. A source node $S_i$ sends his identity $ID_i$ to the KGC, and the KGC returns a private key $SK_{ID_i}$ for signing vectors. Intermediate nodes and destination nodes use $PK$ to verify the validity of vector-signature pairs.
3) Certificateless Network Coding: Since the KGC knows the private keys of all users, identity-based network coding faces the key-escrow problem. Therefore, Al-Riyami et al. [20] proposed the concept of the certificateless signature (CLS). In a CLS scheme, the user's private key is a combination of a partial private key and a secret value. The partial private key is generated by the KGC using the master key and the user's identity.
Concretely, in certificateless network coding, after $S$ sends his identity $ID$ to the KGC, the KGC returns only the partial private key $PP_{ID}$ of $S$. $S$ then randomly chooses a secret value $s_{ID}$ and combines $s_{ID}$ and $PP_{ID}$ to generate his full private key $SK_{ID}$. Meanwhile, the public key $PK_{ID}$ of $S$ is also computed from $s_{ID}$. $SK_{ID}$ is then used to sign vectors and compute signatures, and the intermediate nodes or destination nodes can obtain $PK_{ID}$ and use it to verify the vector-signature pairs.
• $\mathsf{Setup}(k) \to (msk, params)$: This algorithm is run by the KGC. On input a security parameter $k$, it outputs a master key $msk$ known only to the KGC. The system parameters $params$ include the length $n$ of each vector.
This algorithm is run by an intermediate node to process received vector-signature pairs. Upon receiving $l$ vector-signature pairs with the same identifier $id$, the intermediate node randomly chooses $l$ coefficients and outputs a combined vector $\mathbf{v} = \sum_{i=1}^{l} c_i \mathbf{v}_i$ with its combined signature $\sigma$ (w.r.t. $ID$).

C. Security Model
In a CLNS, there are two types of adversaries to be considered. Note that in a CLNS the algorithm Combine does not take a private key as input; therefore, the adversaries can obtain its results by running it themselves, without needing anything else. In addition, we need to focus on what counts as a valid forgery, because the adversaries can use several vector-signature pairs to generate a new pair with the combination algorithm. According to our analysis, we consider two adversaries $A_I$ and $A_{II}$. The former, $A_I$, is a usual adversary who cannot access the system's master key but can replace the public key with a value. The latter, $A_{II}$, can access the master key but cannot replace the public key, and can be considered a malicious KGC.
The security of a CLNS can be characterized by two games, Game-1 and Game-2, in which $A_I$ interacts with its challenger $CH_I$ and $A_{II}$ interacts with its challenger $CH_{II}$ respectively. These games are based on the difficulty of the CDH problem. In particular, we place the following restrictions on the adversary in Game-1. First, the challenge identity $ID^*$ has not had its public key replaced and its partial private key has not been extracted. Then, the adversary $A_I$ cannot access its full private key.
Game-1: $A_I$ is a usual adversary who plays with his challenger.
- Signing-Queries: When $A_I$ queries a vector $\mathbf{v}_i \in \mathbb{Z}_p^n$, the challenger chooses a file identifier $id$ and returns it to $A_I$. Then, the challenger runs $\mathsf{Sign}(ID, SK_{ID}, PK_{ID}, id, V) \to T$ and returns $id$ and $T$ to $A_I$.
• Output-1: $A_I$ outputs a file identifier $id^*$ and a nonzero vector $\mathbf{v}^*$ with its signature $\sigma^*$, all with respect to $ID^*$ and $PK_{ID^*}$. In this case, the adversary $A_I$ wins Game-1 if $\mathsf{Verify}(ID^*, PK_{ID^*}, id^*, \mathbf{v}^*, \sigma^*) \to 1$ and one of the following two conditions holds:
1) $\mathbf{v}^* \neq \mathbf{0}$ and $id^* \neq id_i$ for any $id_i$ that appeared in signing queries. (Type-1 forgery)
2) $id^* = id_i$ for some $i$ and $\mathbf{v}^* \notin S_i$, where $S_i$ is the subspace spanned by the vectors corresponding to $id_i$. (Type-2 forgery)
We denote by $\mathrm{Adv}^{\mathrm{CLNS}}_{A_I}(k)$ the advantage, or probability, of $A_I$ winning Game-1.
Game-2: $A_{II}$ is an adversary like a malicious KGC who interacts with its challenger in this game.
• Setup-2: $CH_{II}$ also runs $\mathsf{Setup}(k) \to (msk, params)$, then gives $msk$ and $params$ to $A_{II}$.
• Queries-2: $A_{II}$ can adaptively make queries including Private-Key-Extract, Public-Key-Query and Signing-Queries, which are the same as those in Game-1.
• Output-2: $A_{II}$ outputs a file identifier $id^*$ and a nonzero vector $\mathbf{v}^*$ with its signature $\sigma^*$, all with respect to $ID^*$ and $PK_{ID^*}$; here $ID^*$ has not been issued as a Private-Key-Extract query. On this occasion, the adversary $A_{II}$ wins Game-2 if $\mathsf{Verify}(ID^*, PK_{ID^*}, id^*, \mathbf{v}^*, \sigma^*) \to 1$ and one of the following two conditions holds:
1) $\mathbf{v}^* \neq \mathbf{0}$ and $id^* \neq id_i$ for any $id_i$ that appeared in signing queries. (Type-1 forgery)
2) $id^* = id_i$ for some $i$ and $\mathbf{v}^* \notin S_i$, where $S_i$ is the subspace spanned by the vectors corresponding to $id_i$. (Type-2 forgery)
We denote by $\mathrm{Adv}^{\mathrm{CLNS}}_{A_{II}}(k)$ the advantage, or probability, of $A_{II}$ winning Game-2.
The CLNS is secure under the adaptive chosen message attack if, for any PPT adversaries $A_I$ and $A_{II}$, their advantages $\mathrm{Adv}^{\mathrm{CLNS}}_{A_I}(k)$ and $\mathrm{Adv}^{\mathrm{CLNS}}_{A_{II}}(k)$ of winning the above games are negligible.

IV. CERTIFICATELESS PUBLIC AUDITING
In this section, we introduce the certificateless public auditing protocol, including its system model and security model. Then, we impose some constraints as conditions on this protocol in order to transform it into a certificateless network coding scheme.

A. System Model
In a certificateless public auditing protocol (CL-PAP), there are four entities: the KGC, the CSP, the data owner and the TPA. The main functions of each entity are described as follows:
• The KGC is completely trusted; it generates the master key, the public parameters and the data owner's partial private key based on the data owner's identity (i.e., email and name).
• The CSP is semi-trusted; it provides sufficient storage space and retrieval capabilities. With multiple motivations, the CSP may modify or delete a user's stored file.
• The data owner is the user who owns the data and outsources it to the CSP. In general, he is able to divide the data file into a number of blocks in order to modify the data blocks efficiently.
• The TPA is completely trusted. Using the public parameters, the data owner's identity and the auditing challenge, the TPA or a public verifier checks the correctness of the cloud data belonging to the data owner without managing certificates, and he cannot access any specific data information during the auditing process.
Generally, a certificateless public auditing protocol considers a data owner who wants to store a file $F$ with the CSP; he is able to divide the file into $m$ blocks and each of them . In order to audit the cloud data, the data owner can use some key to generate an authenticated signature $\sigma_i$ corresponding to a block $\mathbf{v}_i$ for $1 \le i \le m$. Then, the data file $F$ and its set of authenticated signatures $T$ will be stored together by the CSP. During the auditing process, the TPA sends a challenge $chal$ to the CSP, and the CSP returns a proof $\Gamma$ based on the challenge and the data user's cloud data. Finally, the TPA checks the validity of the proof. Note that the data owner and the TPA can both perform the audit process by themselves.
• $\mathsf{Setup}'(k) \to (msk, params)$: This algorithm is run by the KGC and outputs the system parameters and the master key. On input a security parameter $k$, it outputs $params$ and a master key $msk$. Note that $params$ is public and the KGC keeps $msk$ secret.
runs by data owner, it generates an authenticated data file which will be stored on the CSP. On input a data file $F$, a private key $SK_{ID}$ and a public key $PK_{ID}$, the algorithm first divides $F$ into $m$ blocks, where each block $\mathbf{v}_i$ has the form of an $(m + n)$-dimensional vector over $\mathbb{Z}_p$. Then, the algorithm generates an authenticated signature for each block. Finally, it randomly chooses a file identifier $id$ and outputs an authenticated file $F'$ including $id$, the original file $F$ and the signature set $T$, that is, $F' = \{id, F, T\}$.
• $\mathsf{Chal}'(l) \to chal$: This algorithm is run by the data owner or the TPA. It generates a challenge message denoted $chal$, which has $l$ elements, and submits the challenge to the CSP.
• $\mathsf{ProofGen}'(chal, F') \to \Gamma$: This algorithm is run by the CSP. It takes as input the received challenge message $chal$ and an authenticated data file $F'$, then computes and outputs an integrity proof $\Gamma$, which is returned to the data owner or the TPA.
• $\mathsf{Verify}'(ID, PK_{ID}, id, chal, \Gamma) \to 1/0$: This algorithm is executed by the data owner or the TPA, who check the validity of a proof $\Gamma$ after receiving it from the CSP. It takes as input a public key $PK_{ID}$, the data owner's identity $ID$, a file identifier $id$, a challenge message $chal$ and a proof $\Gamma$, then outputs 1 or 0 (accept or reject).
Correctness: The correctness of a CL-PAP requires that for all $(SK_{ID}, PK_{ID})$ generated by $\mathsf{Setup}'$, $\mathsf{Extract}'$, $\mathsf{KeyGen}'$, any $F' \leftarrow \mathsf{Outsource}'(SK_{ID}, PK_{ID}, F, id)$, any $chal \leftarrow \mathsf{Chal}'(l)$, and an honest proof $\Gamma$ generated by $\mathsf{ProofGen}'(chal, F')$, it holds that $\mathsf{Verify}'(PK_{ID}, ID, id, chal, \Gamma)$.

C. Security Model
There are three types of adversaries $A'_I$, $A'_{II}$ and $A'_{III}$ in CL-PAPs; the abilities of $A'_I$ and $A'_{II}$ are the same as those of $A_I$ and $A_{II}$. The adversary $A'_{III}$ is regarded as a malicious CSP who can forge the integrity proof without the actual data, and the advantages of the three adversaries are denoted as Adv CL-PAP
Here, we define the following three games Game-1', Game-2' and Game-3', played by the defined adversaries with their challengers $CH'_I$, $CH'_{II}$ and $CH'_{III}$.
Game-1': $A'_I$ cannot access the system's master key but can replace the public key with a value.
- Signing-Queries': $A'_I$ submits $ID$ and $F$; the challenger runs $\mathsf{Outsource}'(SK_{ID}, PK_{ID}, F, id) \to F'$ and returns $F'$ to $A'_I$.
• Output-1': $A'_I$ outputs a signature set $T^*$ on all blocks with $ID^*$ and $PK_{ID^*}$. The adversary $A'_I$ wins the game if the following conditions hold:
1) For the data file $F^*$ with $ID^*$ and $PK_{ID^*}$, the signature $T^*$ is valid.
2) $A'_I$ does not query the private key $SK_{ID^*}$ or the partial private key $PP_{ID^*}$ for the identity $ID^*$, and he replaces the public key with $PK_{ID^*}$.
3) $A'_I$ does not query the signature $T^*$ for $ID^*$ and $F^*$.
The CL-PAP is secure against signature forgery under the public key replacement attack if, for the PPT adversary $A'_I$, his advantage $\mathrm{Adv}^{\text{CL-PAP}}_{A'_I}(k)$ of winning the game is negligible.
Game-2': $A'_{II}$ is a malicious KGC who plays the game with his challenger.
• Setup-2': $CH'_{II}$ runs $\mathsf{Setup}'(k) \to (msk, params)$, then gives $msk$ and $params$ to $A'_{II}$.
• Queries-2': $A'_{II}$ can adaptively perform queries including Secret-Value-Extract', Public-Key-Query' and Signing-Queries', which are the same as those in Game-1'.
• Output-2': $A'_{II}$ outputs a signature set $T^*$ on all blocks with $ID^*$ and $PK_{ID^*}$. The adversary $A'_{II}$ wins the game if the following conditions hold:
1) For the data file $F^*$ with $ID^*$ and $PK_{ID^*}$, the signature $T^*$ is valid.
2) $A'_{II}$ does not query the secret value $s_{ID^*}$ or the signature $T^*$ for $ID^*$ and $F^*$.
The CL-PAP is secure against signature forgery under the malicious KGC attack if, for the PPT adversary $A'_{II}$, his advantage $\mathrm{Adv}^{\text{CL-PAP}}_{A'_{II}}(k)$ of winning the game is negligible.
Game-3': $A'_{III}$ is a semi-trusted CSP who can forge the proof without the actual data.
• Output-3': $CH'_{III}$ randomly sends a challenge message $chal$ to $A'_{III}$, then $A'_{III}$ returns a forged proof $\Gamma^*$ as the response. The adversary $A'_{III}$ wins the game if $chal$ contains an index which has been queried in Signing-Queries' and $1 \leftarrow \mathsf{Verify}'(PK_{ID}, ID, id, chal, \Gamma^*)$ holds.
The CL-PAP is secure against proof forgery under the semi-trusted CSP attack if, for the PPT adversary $A'_{III}$, his advantage $\mathrm{Adv}^{\text{CL-PAP}}_{A'_{III}}(k)$ of winning the game is negligible.

D. Admissible CL-PAP
We make some slight modifications to the CL-PAP in order to transform it into a certificateless network coding scheme, and therefore we give the following constraints as conditions.
• The challenge message $chal$ has the form of index and coefficient. That is, the $j$-th element of $chal$ has the form $(\mu_j, \nu_j)$, where $\mu_j$ is the index of the challenged block's position and $\nu_j$ is a random coefficient in $\mathbb{Z}_p$. In most existing CL-PAPs, this kind of challenge message is suitable for instantiating CLNSs.
• The proof $\Gamma$ has the form of linear combination. In other words, a proof $\Gamma$ generated by $\mathsf{ProofGen}'$ should have the form $(\mathbf{u}, \sigma)$, where $\mathbf{u}$ is a linear combination of packets with the indices and coefficients in $chal$, and $\sigma$ is the signature of $\mathbf{u}$. Since in CLNSs the transmitted pairs have the form (package, tag), the CSP should return the proof $\Gamma$ in this form.
• The Proof $\Gamma$ can be aggregated. There exists an algorithm $\mathsf{Aggr}'$ which can aggregate several proofs with the same $id$ into a new proof $\Gamma$. Concretely, on input $s$ proof-coefficient pairs $(\Gamma_1, c_1), \cdots, (\Gamma_s, c_s)$ and $id$, the algorithm $\mathsf{Aggr}'$ outputs a new combined proof $\Gamma = (\mathbf{w}, \sigma)$, where $\mathbf{w}$ is a linear combination, with coefficients $c_1, \cdots, c_s$, of the vectors in all $\Gamma_i$, and $\sigma$ is the tag of $\mathbf{w}$. This property is designed to describe the Combine algorithm in the CLNS.
Definition 4 (Admissible CL-PAP). A certificateless public auditing protocol is called an admissible CL-PAP if it satisfies the above three conditions.

V. CONSTRUCT CLNS FROM ADMISSIBLE CL-PAP
In this section, we give a general construction of a CLNS from an admissible CL-PAP, then we give the security analysis.
$_{i=1} \to (\mathbf{v}, \sigma)$: For the inputs $ID$, $PK_{ID}$ and $id$, upon receiving tuples $(c_1, \mathbf{v}_1, \sigma_1), \cdots, (c_l, \mathbf{v}_l, \sigma_l)$ with the same file identifier $id$, define each $\Gamma_i = (\mathbf{v}_i, \sigma_i)$ according to the condition that "The proof Γ has the form of linear combination", where $1 \le i \le l$. Then, aggregate $\Gamma_1, \cdots, \Gamma_l$ into a new $\Gamma$ based on the condition that "The Proof Γ can be aggregated", that is
• $\mathsf{Verify}(ID, PK_{ID}, id, \mathbf{y}, \sigma) \to 1/0$: For the inputs $ID$, $PK_{ID}$, $id$, a vector $\mathbf{y} \in \mathbb{Z}_p^{m+n}$ and a signature $\sigma$, this algorithm first divides $\mathbf{y} = (y_1, y_2, \cdots, y_{m+n})$, then sets the challenge message $chal = \{(i, y_i)\}_{i=1}^{m}$ according to the condition that "The challenge message chal has the form of index and coefficient" and sets $\Gamma = (\mathbf{y}, \sigma)$. Finally, it runs $\mathsf{Verify}'(ID, PK_{ID}, id, chal, \Gamma)$ and outputs 0 (reject) or 1 (accept).

B. Security Analysis
The security of the transformed CLNS is described as follows. Note that there are only two types of adversaries, because there is no CSP entity in network coding.
Theorem 1. The transformed CLNS is secure if the admissible CL-PAP is secure.
Concretely, suppose there exist two adversaries $A_I$ and $A_{II}$ who attack the CLNS. Meanwhile, there are two other adversaries $B_I$ and $B_{II}$ who attack the admissible CL-PAP and who use $A_I$ and $A_{II}$ as their own subroutines respectively. Therefore, we divide the security proof of our construction into two parts: Proof 1 and Proof 2.
Proof 1: $A_I$ attacks the CLNS and $B_I$ simulates the environment for $A_I$ in the following steps.
Setup: $B_I$ obtains $(msk, params)$, then gives $params$ to $A_I$.
Queries: $A_I$ can adaptively perform the following queries and $B_I$ answers these queries.
- Private-Key-Extract: $B_I$ uses $ID$ to choose a secret value $s_{ID}$. Then, it runs $\mathsf{KeyGen}'(ID, PP_{ID})$, outputs $SK_{ID}$, and returns $SK_{ID}$ to $A_I$.
- Public-Key-Query: $B_I$ also runs $\mathsf{KeyGen}'(ID, PP_{ID})$ and returns $PK_{ID}$ to $A_I$.
- Public-Key-Replace: $A_I$ replaces the public key $PK_{ID}$ with another value $PK_{ID^*}$, and $A_I$ does not need to provide the secret value corresponding to $PK_{ID^*}$.
- Signing-Queries: The queried file $V \subset \mathbb{Z}_p^{m \times n}$ can be split into $n$-dimensional vectors $\bar{\mathbf{v}}_1$, Then, $B_I$ runs the $\mathsf{Outsource}'$ algorithm and obtains $F'$, after which $B_I$ parses $F' = \{id, F, T\}$ and returns $(id, T)$ to $A_I$.
- Combining-Queries: For the queried tuples $(id, \{c_i, \sigma_i, \mathbf{v}_i\}_{i=1}^{l})$, $B_I$ defines each a new $\Gamma$ based on the condition that "The Proof Γ can be aggregated", that is $\mathsf{Aggr}'(id, (\Gamma_i, c_i)_{i=1}^{l}) \to \Gamma = (\mathbf{v}, \sigma)$. Finally, $B_I$ returns $\Gamma$ to $A_I$.
Output: $A_I$ outputs a file identifier $id^*$ and a nonzero vector $\mathbf{y}^*$ with its signature $\sigma^*$, all with respect to $ID^*$ and $PK_{ID^*}$. $B_I$ parses In this case, if and satisfy one of the following conditions:
1) $\mathbf{v}^* \neq \mathbf{0}$ and $id^* \neq id_i$ for any $id_i$ that appeared in Signing-Queries.
2) $id^*$ equals the identifier $id_i$ of some queried file $V_i$ but $\mathbf{y}^* \notin S_i$.
Then, $A_I$ uses $(ID^*, PK_{ID^*}, id^*, \Gamma^*)$ to forge the corresponding $chal^*$ successfully. Proof 1 ends.
Proof 2: $A_{II}$ attacks the CLNS and $B_{II}$ simulates the environment for $A_{II}$ as follows.
Setup: $B_{II}$ obtains $(msk, params)$, then gives $msk$ and $params$ to $A_{II}$.
Queries: $A_{II}$ can adaptively perform the following queries and $B_{II}$ answers the corresponding queries.
- Private-Key-Extract: $B_{II}$ chooses a secret value $s_{ID}$ based on an $ID$. Then, it runs $\mathsf{KeyGen}'(ID, PP_{ID})$, outputs $SK_{ID}$, and returns $SK_{ID}$ to $A_{II}$.
- Public-Key-Query: $B_{II}$ also runs $\mathsf{KeyGen}'(ID, PP_{ID})$ and returns $PK_{ID}$ to $A_{II}$.
- Signing-Queries: The queried file $V \subset \mathbb{Z}_p^{m \times n}$ can be split as $\bar{\mathbf{v}}_1$, Then, $B_{II}$ runs the $\mathsf{Outsource}'$ algorithm and obtains $F'$, after which $B_{II}$ parses $F' = \{id, F, T\}$ and returns $(id, T)$ to $A_{II}$.
- Combining-Queries: For the queried tuples $(id, \{c_i, \sigma_i, \mathbf{v}_i\}_{i=1}^{l})$, $B_{II}$ defines each
Output: $A_{II}$ outputs a file identifier $id^*$, a nonzero vector $\mathbf{y}^*$ and a signature $\sigma^*$, all of them corresponding to In this situation, if and one of the following conditions holds:
1) $\mathbf{v}^* \neq \mathbf{0}$ and $id^* \neq id_i$ for any $id_i$ that appeared in Signing-Queries.
2) $id^*$ equals the identifier $id_i$ of some queried file $V_i$ but $\mathbf{y}^* \notin S_i$.
In this way, $A_{II}$ uses $msk$ and $(ID^*, PK_{ID^*}, id^*, \Gamma^*)$ to forge $chal$ successfully. Proof 2 ends.
Combining Proof 1 and Proof 2 above, we can conclude that our general construction from an admissible CL-PAP to a CLNS is secure. The proof of Theorem 1 ends.

VI. OUR CONCRETE INSTANTIATION
In this section, to show the power of our general construction in practice, we construct a concrete certificateless network coding scheme from an admissible certificateless public auditing protocol.
• $\mathrm{Setup}'(k) \to (msk, params)$: Given a security parameter $k$, KGC chooses two cyclic groups $G_1$, $G_2$ with the same order $p$ and a bilinear map $e : G_1 \times G_1 \to G_2$, where $g$ is the generator of $G_1$. Then, KGC randomly chooses $\lambda \in \mathbb{Z}_p^*$ as his master key and defines $h = g^{\lambda}$. The KGC also randomly chooses $m + n$ elements $(g_1, g_2, \cdots, g_{m+n}) \in G_1$ and defines two hash functions $H_1 : \{0, 1\}^* \to G_1$ and $H_2 : \{0, 1\}^* \to G_1$. The public system parameters params are
• $\mathrm{Extract}'(msk, ID) \to PP_{ID}$: Given an identity ID of a data owner, KGC computes the partial private key $PP_{ID} = H_1(ID)^{\lambda} \in G_1$ and returns $PP_{ID}$ to the data owner.
• $\mathrm{KeyGen}'(ID, PP_{ID}) \to (s_{ID}, SK_{ID}, PK_{ID})$: The data owner randomly chooses $s_{ID} \in \mathbb{Z}_p^*$ as the secret value, then he generates his full private key $SK_{ID} = (PP_{ID}, s_{ID})$ and public key $PK_{ID} = g^{s_{ID}}$.
The conditions "The challenge message chal has the form of index and coefficient" and "The proof $\Gamma$ has the form of linear combination" are obvious for the above CL-PAP. As for the condition "The proof $\Gamma$ can be aggregated", in the following we design an aggregation algorithm $\mathrm{Aggr}'$.
• $\mathrm{Aggr}'(id, \{c_i, \Gamma_i\}_{i=1}^{s}) \to \Gamma$: Given the file identifier $id$ and Finally, output the proof $\Gamma = (v, \sigma) = (v, (g, \sigma'))$ which has been aggregated.
Then, based on our general construction, the transformed CLNS from the above admissible CL-PAP can be depicted as follows.

That is to check whether
If it equals, then output 1. If not, output 0.
Correctness: Given a data owner's identity ID, a full private key $SK_{ID}$, a public key $PK_{ID}$, a file identifier $id$, a set $V = (v_1, \cdots, v_m) \in \mathbb{Z}_p^n$ and a signature set $T \leftarrow \mathrm{Sign}(ID, SK_{ID}, PK_{ID}, id, V)$, if the admissible CL-PAP is secure, then the correctness of the verification equation in the transformed CLNS can be checked as follows.
As for the security of the transformed CLNS, we give an inference of Theorem 1.
Theorem 2. If the CDH assumption on $G_1$ holds and the two hash functions $H_1$ and $H_2$ are modeled as random oracles, then the transformed CLNS is secure.

VII. PERFORMANCE ANALYSIS
In this section, we first compare the communication overheads and computational costs of our transformed CLNS with other similar network coding schemes in [3] and [9]. Then we evaluate their performance by experimental analysis.

A. Communication Overheads
First of all, we consider the communication overheads from KGC to users. In our proposed CLNS, a data owner sends his ID to KGC and KGC returns a partial private key $PP_{ID}$; therefore, the communication overhead from KGC to users is $|G_1|$, that is, the size of $PP_{ID}$. In the same way, we can get the overhead for KGC to users in [3] and [9]

Second, we consider the communication overheads for source nodes. Since the source node transmits all the vectors to others, we use the signature size for a single vector to denote its overhead. In our scheme, the size of a single signature $\sigma_i$ equals $|G_1|$. In a similar way, we obtain that the overhead for the source node is $4|G_1| + 2|\mathbb{Z}_p|$ and $2|G_1|$ in [3] and [9].

Next, we compare the size of the full private key $SK_{ID}$. The size of $SK_{ID}$ in our scheme equals $|G_1| + |\mathbb{Z}_p|$. From this, we can figure out that the size of $SK_{ID}$ in [9] equals $|G_1| + |\mathbb{Z}_p|$. Note that in [3] the $SK_{ID}$ is equivalent to its $PP_{ID}$; hence, this item does not exist for [3]. Here, we use "-" to represent that the item is null.

The detailed comparisons of communication overheads are listed in TABLE I. According to the comparisons, the sizes of $PP_{ID}$, $SK_{ID}$ and the signature (for a single vector) in our transformed CLNS are competitive.

B. Computation Costs
We denote by $T_{bp}$, $T_{exp}$, $T_{mul}$, $T_{lc}$ the execution time of a bilinear pairing operation, a modular exponentiation operation on $G_1$, a multiplication operation on $G_1$ and a linear combination of $l$ vectors. For convenience, we omit computations such as pseudorandom permutation, hash operation, addition on $\mathbb{Z}_p$, multiplication on $\mathbb{Z}_p$ and so on, because their computation costs are negligible. Suppose a source node will transmit a file in the network, that is, he transmits the packets $v_1, \cdots, v_m$ and generates signatures for them. Particularly, for the augmented package $v_i$, its generated signature is Therefore, the computation cost for $\sigma'_i$ is $(n + 2) \cdot (T_{exp} + T_{mul})$. As for the intermediate node or destination node, he needs to execute the Verify algorithm and the Combine algorithm.
Then, he verifies each vector-signature pair $(y, \sigma')$ by checking whether $e(\sigma', g) = e$

Likewise, we can obtain the computation costs of [3] and [9]. The detailed comparisons of computation costs are listed in TABLE II. Based on the computation cost analysis, we find that the efficiency of our scheme is comparable and that our general construction from admissible CL-PAP to CLNS is feasible.

C. Experimental Analysis
In this subsection, we evaluate the computation costs of our transformed CLNS and the schemes in [3] and [9] by experiments. Using the "Charm" [10] framework, we choose the 512-bit SS elliptic curve from the PBC library [11] and implement For the sake of simplicity, we set $m = n$. Particularly, we consider the time consumption of signature generation and verification for all vectors and change the parameter $m$ (or $n$) from 10 to 50. After choosing 50 different sets of random data packets and performing the experiments, we list the average results in Fig. 3 and Fig. 4. From the experimental results, we can see that our transformed CLNS is better than the other two schemes in terms of signature generation. As for signature verification, our transformed CLNS is still comparable.

VIII. CONCLUSION
In this paper, we consider how to construct more concrete certificateless network coding schemes. First of all, we introduce an admissible certificateless public auditing protocol. Thereafter, we propose a general construction of certificateless network coding schemes from admissible certificateless public auditing protocols. Then, we give a concrete implementation in order to show the power of our general construction. In addition, we evaluate the performance of our transformed CLNS against other previous schemes. The experimental result shows our transformed CLNS is comparable and more efficient.

Fig. 1. System model of certificateless network coding

Setup-1: $CH_I$ runs $\mathrm{Setup}(k) \to (msk, params)$; it keeps msk secret and gives params to $A_I$.
• Queries-1: $A_I$ can adaptively perform the following queries but must comply with the above restrictions.
- Partial-Private-Key-Extract: Given a user's ID, the challenger runs $\mathrm{Extract}(msk, ID) \to PP_{ID}$ and returns $PP_{ID}$ to $A_I$.
- Private-Key-Extract: The challenger uses ID to run $\mathrm{SetSecretValue}(ID) \to s_{ID}$ and outputs the secret value $s_{ID}$. Then, it runs $\mathrm{SetPrivateKey}(s_{ID}, PP_{ID}) \to SK_{ID}$, outputs $SK_{ID}$ and returns $SK_{ID}$ to $A_I$.
- Public-Key-Query: Upon receiving a query with the ID, the challenger runs $\mathrm{SetPublicKey}(s_{ID}) \to PK_{ID}$ and returns $PK_{ID}$ to $A_I$.
- Public-Key-Replace: $A_I$ can replace the public key $PK_{ID}$ with another value $PK'_{ID}$; note that $A_I$ does not need to provide the secret value corresponding to $PK'_{ID}$.

Fig. 2. System model of certificateless public auditing

- Partial-Private-Key-Extract$'$: Given a user's ID, the challenger runs $\mathrm{Extract}'(msk, ID) \to PP_{ID}$ and returns $PP_{ID}$ to $A'_I$.
- Secret-Value-Extract$'$: $A'_I$ sends an identity ID to the challenger $CH'_I$, and the challenger returns a secret value $s_{ID}$ to $A'_I$.
- Public-Key-Query$'$: Upon receiving an identity ID from $A'_I$, the challenger $CH'_I$ returns $PK_{ID}$ to $A'_I$ after performing $\mathrm{KeyGen}'(ID, PP_{ID})$.
- Public-Key-Replace$'$: $A'_I$ may replace the public key $PP_{ID}$ with another value $PP'_{ID}$.

is $|\mathbb{Z}_p| + 2|G_1|$ and $|G_1|$. We use $|G_1|$ and $|\mathbb{Z}_p|$ to denote the length of $G_1$ and $\mathbb{Z}_p$.

Fig. 4. Time consumption of signature verification

ID: This algorithm is executed by the source node to generate his secret value. For the user with ID, it inputs params and outputs his secret value $s_{ID}$.
• $\mathrm{SetPrivateKey}(s_{ID}, PP_{ID}) \to SK_{ID}$: This algorithm is run by the source node to generate his private key. Particularly, it takes the user's secret value $s_{ID}$ and partial private key $PP_{ID}$, then it outputs his full private key $SK_{ID}$.
• $\mathrm{SetPublicKey}(s_{ID}) \to PK_{ID}$: This algorithm is also run by the source node to generate his public key. Precisely, it takes the user's secret value $s_{ID}$ and outputs the public key $PK_{ID}$.
• $\mathrm{Extract}(msk, ID) \to PP_{ID}$: This algorithm is also run by KGC to produce the partial private key. It inputs msk and the user's identity ID, then outputs his partial private key $SK_{ID}$.
• $\mathrm{SetSecretValue}(ID) \to s$
• $\mathrm{Sign}(ID, SK_{ID}, PK_{ID}, id, V) \to T$: This algorithm is used for signing and is run by the source node. Taking the user's identity ID, the user's private key $SK_{ID}$ and public key $PK_{ID}$, a file identifier $id$ and a set $V$ as input, it outputs a signature set $T$. The set $V$ has $m$ vectors $v_1, \cdots, v_m \in \mathbb{Z}_p^n$; it computes a signature $t_i$ for each augmented vector

This algorithm is executed by destination nodes or intermediate nodes to check whether the received vector-signature pairs are valid. It inputs a tuple $(ID, PK_{ID}, id, y, \sigma)$ and outputs 0 (reject) or 1 (accept).
Correctness: The correctness of CLNS requires that for each key pair $(SK_{ID}, PK_{ID})$ generated by Setup, Extract, SetSecretValue, SetPrivateKey, SetPublicKey, it holds that: 1) if $T \leftarrow \mathrm{Sign}(ID, SK_{ID}, PK_{ID}, id, V)$, then for all $id$ and $v_i \in \mathbb{Z}_p^{m+n}$, $1 \leftarrow \mathrm{Verify}(ID, PK_{ID}, id, v, \sigma)$; and 2) if for all $id$ and $i$, 1

• $\mathrm{Extract}'(msk, ID) \to PP_{ID}$: This algorithm is run by KGC to generate the data owner's partial private key. Concretely, given the data owner's identity ID and KGC's msk, it outputs the partial private key $PP_{ID}$; KGC sends $PP_{ID}$ to the data owner with ID through a secure channel.
• $\mathrm{KeyGen}'(ID, PP_{ID}) \to (s_{ID}, SK_{ID}, PK_{ID})$: This is a key generation algorithm run by the data owner. In particular, it takes $PP_{ID}$ and a secret value $s_{ID}$ randomly chosen by the data owner as input. Then it outputs the user's corresponding full private key $SK_{ID}$ and public key $PK_{ID}$.
• $\mathrm{Outsource}'(SK_{ID}, PK_{ID}, F, id) \to F'$: This algorithm

• $\mathrm{Extract}(msk, ID) \to PP_{ID}$: For the inputs msk and ID, this algorithm runs $\mathrm{Extract}'(msk, ID) \to PP_{ID}$ and outputs the partial private key $PP_{ID}$.
• $\mathrm{SetSecretValue}(ID) \to s_{ID}$: For the input ID, this algorithm runs $\mathrm{KeyGen}'(ID, PP_{ID})$ and outputs the secret value $s_{ID}$.
• $\mathrm{SetPrivateKey}(s_{ID}, PP_{ID}) \to SK_{ID}$: This algorithm also runs $\mathrm{KeyGen}'(ID, PP_{ID})$. It inputs $s_{ID}$ and $PP_{ID}$ and outputs the full private key $SK_{ID}$.
• $\mathrm{SetPublicKey}(s_{ID}) \to PK_{ID}$: This algorithm also runs $\mathrm{KeyGen}'(ID, PP_{ID})$ and outputs the public key $PK_{ID}$.
• $\mathrm{Sign}(ID, SK_{ID}, PK_{ID}, id, V) \to T$: For the inputs ID, $SK_{ID}$, $PK_{ID}$, $id$ and a set $V$ of $m$ vectors $v_1, \cdots, v_m \in \mathbb{Z}_p^n$, this algorithm first augments each vector as

• $\mathrm{Extract}(msk, ID) \to PP_{ID}$: For the inputs msk and ID, this algorithm runs $\mathrm{Extract}'(msk, ID) \to PP_{ID}$. Output the partial private key $PP_{ID} = H_1(ID)^{\lambda}$.
• $\mathrm{SetSecretValue}(ID) \to s_{ID}$: Given the identity ID, this algorithm runs $\mathrm{KeyGen}'(ID, PP_{ID}) \to s_{ID}$. Output $s_{ID}$ as the secret value.
• $\mathrm{SetPrivateKey}(s_{ID}, PP_{ID}) \to SK_{ID}$: For the inputs $s_{ID}$ and ID, this algorithm performs $\mathrm{KeyGen}'(ID, PP_{ID}) \to SK_{ID}$. Output $SK_{ID} = (PP_{ID}, s_{ID})$ as the full private key.
• $\mathrm{SetPublicKey}(s_{ID}) \to PK_{ID}$: For the input $s_{ID}$, this algorithm also runs $\mathrm{KeyGen}'(ID, PP_{ID}) \to PK_{ID}$. Output $PK_{ID} = g^{s_{ID}}$ as the public key.
• $\mathrm{Sign}(ID, SK_{ID}, PK_{ID}, id, V) \to T$: For the inputs ID, $SK_{ID}$, $PK_{ID}$, $id$ and a set $V$ of $m$ vectors $v_1, \cdots, v_m \in \mathbb{Z}_p^n$, this algorithm first augments these vectors as $v_i \in \mathbb{Z}_p^{m+n}$ where $1 \le i \le m$ and define F