Secure Data Fusion Analysis on Certiﬁcateless Short Signature Scheme Based on Integrated Neural Networks and Elliptic Curve Cryptography

In the traditional public key cryptosystem based on certiﬁcates, the issuance and management of user certiﬁcates are realized through the authoritative certiﬁcate center, but amount of time is spent in the transmission and veriﬁcation of user public key certiﬁcates. After a malicious user obtaining legitimate users’ private keys, he can select a secret value and signature process to generate the ﬁnal private key, public key and signature. And he will announce that he is the legal user, while others are unable to distinguish this process. This is the defect of traditional digital signature scheme without certiﬁcate. Therefore, this paper proposes a certiﬁcateless short signature scheme based on integrated neural networks and elliptic curve cryptography for secure data fusion analysis. The security of the solution is based on Inv-CDH problem. The complete security proof is given under the stochastic predictor model. It is proved that the new model can resist existence forgery in adaptive selective message attack with new adversary. Experiment results show that the calculation amount of our proposed certiﬁcateless short signature scheme is small and the e ﬃ ciency is high compared with other state-of-the-art schemes.


Introduction
Messages transmitted through wireless sensor network nodes or users must be verified to become the useful information. The signature algorithm based on Public Key Infrastructure (PKI) provides a guarantee tool for information security [1][2][3]. The signature scheme needs to provide a certificate issued by an authoritative authority to prove that the public key is corresponding to the user and has not been tampered with or replaced by a third party. Certificate retraction, storage, distribution and verification are managed by an authoritative certification authority. The calculation, communication latency and storage space caused by these operations are unacceptable in wireless sensor networks. Therefore, people use Identity Public Key key cryptosystem. Certificateless short signature draw the advantages of certificateless signature and short signature and widely used in the field of electronic payment and e-commerce. In recent years, scholars have studied more certificateless signature schemes.
Huang [10] proposed an efficient certificate-free signature scheme, which did not need pairing operation to improve the operational efficiency of the scheme. Dong [11] proposed an improved certificate-free signature scheme, which used the secret value selected by the user as the signature private key to improve the security of the scheme. He [12] proposed a certificateless short signature scheme that could prove security, which did not use Hash function mapping. Pang [13] presented a certificateless short signature scheme under the standard model, which only needed one bilinear pair operation. Zuo [14] proposed a strongly provable secure certificate-free short signature scheme, which could resist public-key substitution attacks. Chang [15] proposed a certificateless short signature scheme based on bilinear pairings, which could resist public key replacement adversary attacks. Islam [16] proposed an efficient short signature scheme based on certificate, which improved the operation efficiency by reducing double-line pair operation. Wang [17] proposed an efficient certificateless short signature scheme based on bilinear pairings, and gave the security proof of the scheme. Liu [18] presented an efficient and provably secure certificateless signature scheme, which could resist two types of super attacks and existential forgery attacks. Dan [19] proposed an irrevocable short signature scheme without certificate, which had strong unforgery against adaptive selective message attack. Sahu [20] proposed a certificate-safe and efficient certificate-free signature scheme, which proved its unfalsifiability based on the difficulty of discrete logarithm. Liu [21] proposed a certificateless group signature scheme based on bilinear pairings, which had the advantages of certificateless cryptography and met the requirements of group signature scheme.
However, in the certificate-free public key cryptography system, the public key is not bound to the user's identity, so there is no authentication relationship between the public key and the holder. In this paper, our motivation is that we modify the definition of certificateless signature, and propose a certificateless short signature scheme. This paper is organized as follows. After some preliminary works, Section 3 detailed introduces the integrated neural networks for feature extraction of certificateless signature. Section 4 presents our new certificateless signature scheme. Section 5 and section 6 analyze our proposed scheme from performance and security points of view. In Section 7, the paper ends with some concluding remarks.

Preliminaries
Definition 1. Assuming G 1 is the q-order additive cyclic group. G 2 is the q-factorial cyclic group. Z * q is the non-zero modular. Bilinear pair [22] is defined as the following mapping: This mapping satisfies the following three properties: • Bilinear. There is P , Q ∈ G 1 and a, b ∈ Z * q ; • Non-degeneration. There is P , Q ∈ G 1 , and e(P , Q) 1; • Computability. For all P , Q ∈ G 1 , there is an effective algorithm to calculate e(P , Q).
Definition 2. Elliptic Curve Discrete Logarithm Problem (ECDLP) [23]. Given two elements P , Q ∈ G 1 , and the integer a ∈ Z * q , so that Q = aP is established.
q is an unknown random number), to calculate (a + b) −1 P ∈ G 1 .

Architecture of INN
The multi-classification integrated neural network system constructed in this paper is an organic whole, each sub-network is independent of each other, but also cooperates with each other as shown in figure 1.
Here, the realization of neural network subject is divided into two parts, one is how to train the network, the other is how to perform classification. The specific realization process is as follows. The training 2 EAI Endorsed Transactions Scalable Information Systems 10 2021 -01 2022 | Volume 9 | Issue 34 | e3 process of neural network is the learning process. The training set consists of two parts [24,25]. The authentication training set includes the same type of real signatures and forged short signatures to enhance the sensitivity of the neural network to the same type of real signatures. The recognition training set consists of the real signatures of this category and the real signatures of other categories randomly selected in a certain proportion. Neural networks mainly learn about the differences between different categories. For ease of use and administration, it creates a file for each subnetwork. The archive consists of two parts. One part records the structural characteristics of the network and the meaning of the input and output units. The other part contains the weights and accuracy learned for the two training set networks. Since an independent classifier is built for each person's signature sample, when the signature sample of a new category is added, only pretreatment and feature extraction are needed for the new category sample, and a new classification sub-network is added to the recognition network body and trained without retraining the whole integrated network.
Sub-networks can begin to perform classification when their archives and knowledge are sound. The feature vectors transmitted by the feature assignment network and the weights learned by the neural network are calculated to score the signature categories independently. The scoring results of the three neural networks are sent to the decision fusion sub-network with D-S evidence theory fusion, and the confidence degree of the corresponding categories is obtained. The fusion rules are as follows; Theorem 1. Θ is an identification framework. For n evidences E 1 , E 2 , · · · , E n ⊂ Θ, the corresponding basic probability allocation is M 1 , M 2 , · · · , M n , then the obtained combined evidence after the combination of the n evidences is: K reflects the degree of conflict between evidences, which is called conflict probability. The coefficient 1/(1 − K) is called the normalization factor.

Implementation of decision fusion subnetwork
For the fusion sub-network i, let the score of neural network N N ij be score j , and the accuracy is r j . Recognition framework D = sort i , ¬sort i . sort i belongs to category i. ¬sort i does not belong to category i.
So the problem of finding the confidence of class i is transformed into finding M i = M 1 ⊕ M 2 ⊕ M 3 . In signature authentication, the confidence of class i is the possibility that the signature is a real signature, if M i > 0.5, it is a real signature; otherwise, it is a forged signature.

Implementation of decision fusion recognition network
Let the classification vector formed by the recognition network be sort = sort 1 , · · · , sort m . The confidence vector is T = T 1 , · · · , T m . The confidence weight vector is R = R 1 , · · · , R m . For decision fusion identification network, identification framework D = sort 1 , · · · , sort m , ¬sort 1 , · · · , ¬sort m . The probability assignment function is M i : 2 D → [0, 1] and satisfies: The output of the converged network is: Where, the probability that the signature sample belongs to the i-th category is M(sort i ).
If M(D) < maxM(sort 1 ), M(sort 2 ), · · · , M(sort m ), then the signature sample belongs to the category with the largest probability.
If M(D) ≥ maxM(sort 1 ), M(sort 2 ), · · · , M(sort m ), then the signature sample is rejected (the signature sample is not in the known category of neural network learning).

Setup. Key Generation Center (KGC) sets parame-
ter k to generate system public parameter params and system master key s. Build a certificateless system. KGC secretly stores s and publishes params.
2. ssv. Set a secret value. Given the user's identity ID, the Private Key Generator (PKG). It uses the system parameter params and ID to generate the user's secret value x ID and calculate the generated user part public y n ID = x ID P .

Set
Public Key. The user generates the user's public key pk ID through params and the user's secret value x ID and exposes the public key. The public key space is defined by the system public parameter params and the user's identity ID.
6. Sign. Signature. Given the system parameter params, signature information m, user ID, public key pk ID and private key sk ID . The signature algorithm is executed to generate signature S. 7. sv. Signature verify. Given the system parameter params, the signer's identity ID, public key pk ID , message m and signature S, verify the signature S.
If it returns 1, then it indicates that the signature is valid. If it returns 0, then it indicates that the signature is invalid.

Attacker model
The traditional certificateless cryptography mainly discusses two adversary types. Type 1: adversary is dishonest user. Type 2 adversary is malicious but passive KGC. Their specific capabilities are as follows: 1. Type 1. Adversary A 1 does not know the master key and the user's partial private key. It can replace the user's public key.
2. Type 2. Adversary A 2 knows the system master key and the user's partial private key. It cannot replace the user's public key.
In the scheme, part user's private keys are bound to part users' public keys and users' ID, respectively. There is an authentication relationship between the public key and the holder, so that the user's public key cannot be replaced by the type 1 adversary. That is, there is no type 1 adversary [26,27]. However, the above reasons cannot completely exclude the type 2 adversary. In the actual situation, it is considered that KGC is not necessarily malicious, that is, the master key of the system will not be disclosed. However, it may leak users' private keys during key management or key transmission. The users may also have the possibility of disclosure when using part of the private keys. However, the attack mode of type 2 adversary is malicious KGC leaking the system master key. Therefore, this paper no longer considers type 2 adversary and proposes two new adversaries.
1. Type 3. Adversary A 3 does not hold the system master key but knows part of the private key. It cannot replace the user's public key.
2. Type 4. Adversary A 4 holds the system master key but does not know part of the private key. It can replace the user's public key.

Certificateless Short Signature Scheme
The scheme contains seven steps as follows: 1. System establishment. Set security parameter k, q-order addition cyclic group G 1 and q-order multiplication cyclic group G 2 . q is prime and q > 2 k . Given a bilinear pair e : P is the generator of G 1 . Let g = e(P , P ), KGC selects two different security hash functions: Randomly choose a number s = Z * q as the system master key, system public key y pub = sP ∈ G 1 . KGC secretly saves s and publishes system parameters k, G 1 , G 2 , e, q, P , g, y pub , H 1 , H 2 .
2. Secret value establishment. The user ID randomly selects x ID = Z * q as its secret value and calculates part of the user's public key y ID = x ID P ∈ G 1 .

Partial
private key extraction. Given ID ∈ (0, 1) * , KGC calculates Q ID = H 1 (ID, y ID ), k = H 1 (ID, timestamp) and then calculates partial private key d ID = k s+Q ID P . Let K = kP , k is as the authorization identification code of partial private key application. Where timestamp is the time of partial private key application. (k, timestamp) is used to distinguish partial private keys applied at different times, which is saved by KGC. It can be used to broadcast to revoke part of the leaked private key. Finally, KGC is sent to the user through the secure channel (d ID , K).

4.
Private key establishment. Given the user's partial private key d ID , secret value x ID and public parameter params. User's private key is (d ID , x ID ).

5.
Public key establishment. Known user's secret value x ID , parameter params, generate pk ID = x ID y pub + Q ID y ID . Where the user's public key is (y ID , pk ID , K) and user exposes the user's public key.
6. Signature. Known message m ∈ (0, 1) * . The user signs the message m. The steps to get the signature are as follows: (a) Computing h ID = H 2 (ID, m, pk ID ).
7. Signature verification. Known m, S. The verification steps are as follows: • Computing Q ID = H 1 (ID, y ID ).
• If e(S, pk ID + h ID (y pub + Q ID P )) = e(K, P ) is correct, then signature verification is successful. Otherwise, signature verification is failed. The correctness of the scheme is proved as follows: P roof = e(S, pk ID + h ID (y pub + Q ID P )) = e(S, x ID y pub + Q ID y ID + h ID (sP + Q ID P ))

Security Analysis
Many references had proved the type 1 and type 2. This paper only gives the proof for type 1, type 2, type 3 adversary in the random predictor model. The proof for type 4 adversary is basically similar to type 3. It will not give the detailed proof in this paper.
Theorem. Let A I be the type 1 attacker. Given C an instance (g, g a , g a 2 , · · · , g a q s +1 ). C can obtain a new (c, g 1 a+c ). Obviously, for any polynomial a+c qs , c q s ) through the following algorithm.
• Calculating h = g f (a) and h a = g u(a) , so h is the generator of G 1 with q-order.
• If h = 1, then c j = −a can solve Inv-CDH problem, this probability is negligible. Therefore, c j −a.
• for i = 1, 2, · · · , q s , calculating C will execute setup algorithm and generate system parameter params = G 1 , G 2 , q, h, y, e, H. Here, the main public key is y = h x . C returns params to A I and executes the following simulation algorithm.
1. Generating user request. C randomly selects i ∈ 1, 2, · · · , q CU . ID * = ID. For the j − th request of A I , if j i, then C randomly selects z j , s j ∈ Z * q and computes u j = h z j , w j = h s i , d j = s j + xH(ID j , u j , w j ). (ID j , z j , u j , s j , w j , d j ) will be added into the table E. If j = i, then C randomly selects z * ∈ Z * q and calculates u * = h z * . Let w * = h a . (ID * , z * , u * , w * ) will be added into (b) If ID i = ID * , suppose that c k is unused value in (c 1 , c 2 , · · · , c q s ), then C calculates r = (c k − xH(ID * , u * , w * ) − m)/z * and returns (r, h 1 a+c k ) as the signature for A I .
After the simulation, A I outputs a valid signature (ID i , m * , r * , σ * ), if ID i ID * , the algorithm is failed. Otherwise, C computes, It can be seen that (c * , σ * ) satisfies σ * = h 1 a+c * . Obviously, the probability that A I does not query the private key corresponding to ID i is at least (1 − (1/q CU )) q ppk . The probability that A I does not query the secret value is at least (1 − (1/q CU )) q sv . The probability that ID i = ID * in a forged signature (ID i , m * , r * , σ * ) is at least 1/q CU . In the signature query, the probability that the corresponding public key has not been replaced is (1 − q rp /q CU ) q s . If A I can successfully forge a valid signature with probability ε, then C solves the Inv-CDH problem with probability ε = ε EAI Endorsed Transactions Scalable Information Systems 10 2021 -01 2022 | Volume 9 | Issue 34 | e3 q rp q CU ) q s . According to the difficulty of Inv-CDH problem, ε is negligible. Therefore, the scheme is unforgeable under type A I attack.
Theorem. In the random predictor model under the Inv-CDH assumption problem, for the adaptive selective message attack of type 3 adversary, the proposed scheme can resist existential forgery.
Lemma. Assume that type 3 adversary A 3 , after finite inquiries, it breaks the scheme in polynomial time t with a non-negligible advantage ε. q X and t X are secret value inquiry number and one query time, respectively. q Y and t Y are part of the public inquiry number and one query time, respectively. q H 11 is the number of times that adversary A 3 first queries the predictor in the partial private key extraction stage. t H 11 is the one query time. q H 12 is the number of times that adversary A 3 second queries the predictor in the partial private key extraction stage. t H 11 is the one query time. q H 2 is the number of times that adversary A 3 queries the predictor. t H 1 is the one query time. q E is number of partial private key parsing queries. t E is the one query time. q pk is the number of public key queries. t pk is the one query time. q s is the number of signature queries. t s is the one query time. So there is an algorithm C, which can solve Inv-CDH problem with a nonnegligible advantage ε in time t .
Proof. Suppose the Inv-CDH problem instance of challenge C is that given b ∈ Z * q and (P , aP ) ∈ G 1 , where a ∈ Z * q is unknown to calculate 1 a+b P . Set security parameter k and C for system initialization, select random number s ∈ Z * q as the system master key, y pub = sP . C selects identity ID * as the challenge identity, sends (k, G 1 , G 2 , P , y pub , H 1 , H 2 to A 3 ). Assume that A 3 cannot do the same query. The corresponding H 1 and H 2 predictions have been made before private key query, public key query, signature query and forged signature. All record lists are initialized empty.
• Secret value inquiry. C maintains a list L and records structure as an array (ID i , x i , y i ). When A 3 submits a secret value query about ID: 1. When ID = ID * , C terminates the simulation and prints "FALSE" to mark the event as E 1 .
2. When ID ID * , query the list L. If L has a record, then it returns the corresponding record x ID to A 3 ; Otherwise, it randomly selects x ID ∈ Z * q to calculate y ID = x ID P , return x ID to A 3 , and add (ID, x ID , y ID ) into L.
• Partial public key query. When A 3 submits a partial public key query about ID: 1. When ID = ID * , C returns y ID = aP to A 3 , and adds (ID, ⊥, aP ) to list L, where ⊥ means null.
2. When ID ID * , C queries the list L, and returns the y ID of the corresponding record to A 3 , if L has records; Otherwise, it performs the secret value query first and returns the corresponding y ID to A 3 .
• The first H 1 query of partial private key extraction stage. C maintains a list L and records structure as an array (ID i , y i , Q i ). When A 3 submits a H 1 query about (ID, y), if (ID, y ID , Q ID ) is already in LH 11 , C returns Q ID to A 3 ; Otherwise, it selects a random value Q ID , returns Q ID to A 3 and records (ID, y ID , Q ID ) to list LH 11 .
• The second H 1 query of partial private key extraction stage. C maintains a list LH 12 . This list is composed of ID i , timestamp i , k i . When A 3 submits a H 1 query about (ID, timestamp ID ), if (ID, timestamp ID , k ID ) is already in LH 12 , C returns k ID to A 3 ; Otherwise, it selects a random value k ID , returns k ID to A 3 and records (ID, timestamp ID , k ID ) to list LH 12 .
• Partial private key query. When A 3 submits a partial private key query about identity ID, C first executes H 1 predictor query to get array (ID, y ID , Q ID ). Then it executes H 1 again and obtains array (ID, timestamp ID , k ID ), and returns d ID to A 3 .
• Public key query. C maintains list L pk and records structure as an array (ID i , y i , Q i , pk i , x i ). When A 3 submits a public key query about identity ID, C checks whether the query value already exists in the list, and returns the corresponding value (y ID , pk ID ) to A 3 . Otherwise, the following operation is performed: 1. When ID = ID * , C finds (ID, y ID , Q ID ) in LH 11 , returns pk ID = aP to A 3 , and adds (ID, y ID , Q ID , pk ID , x ID ) to list L pk . pk ID = x ID y pub + Q ID y ID . 6 EAI Endorsed Transactions Scalable Information Systems 10 2021 -01 2022 | Volume 9 | Issue 34 | e3 Secure Data Fusion Analysis on Certificateless Short Signature Scheme Based on Integrated Neural Networks and Elliptic Curve Cryptography 2. When ID ID * , C first queries the secret value to get the corresponding answer (ID, x ID , y ID ), then executes H 1 query to get the array (ID, y ID , Q ID ), returns (y ID , pk ID ) to A 3 . It records (ID, y ID , Q ID , pk ID , x ID ) into list L pk . pk ID = x ID y pub + Q ID y ID .
• H 2 query. C maintains a list LH 2 , records structure as an array ID i , m i , Q i , k i , pk i , h i . When A 3 submits a H 2 query about (ID, m ID , pk ID ). C checks whether the query value already exists in the list, and returns the corresponding value (h ID ) to A 3 . Otherwise, the following operation is performed: 1. When ID = ID * , C regards b as the value of H 2 (ID, m ID , pk ID ) and returns b to A 3 .
(ID, m ID , Q ID , k ID , pk ID , b) is added to list LH 2 .
2. When ID ID * , C randomly selects h ID , regards h ID as the value of H 2 (ID, m ID , pk ID ) and returns h ID to A 3 . (ID, m ID , Q ID , k ID , pk ID , b) is added to list LH 2 .
• Signature query. When A 3 submits the signature query of (ID, m ID ), C performs the following operations: 1. When ID = ID * , it stops the query and returns "FALSE", records the event as E 2 .
2. When ID ID * , C obtains the record (ID, x ID , y ID ) from L. Then it obtains the record (ID, m ID , Q ID , k ID , pk ID , h ID ) from LH 2 , and obtains the signature S ID of C to message m ID through calculation" Finally, A 3 stops query and outputs a valid message signature pair (m ID * , S ID * ) about ID * . C calls the array (ID * , y ID * , Q ID * , pk ID * , x ID * ) and (ID * , m * , Q ID * , k ID * , pk ID * , h ID * ) respectively. Meanwhile, h ID * = b and y ID * = aP . According to the verification equation: E = e(S ID * , pk ID * + h ID * (y pub + Q ID * P )) = e(S ID * , x ID * y pub + Q ID * y ID * + h ID * (sP + Q ID * P )) = e(S ID * , x ID * (sP + Q ID * P ) + h ID * (s + Q ID * P )) = e(S ID * , (x ID * + h ID * )(sP + Q ID * P )) = e(S ID * , (a + b)(sP + Q ID * P )) = e((a + b)(sP + Q ID * P )S ID * , P ) = e(K, P ) (11) C can successfully calculates 1 a+b P = k −1 ID * (s + Q ID * )S ID * , that is, ¡¤ it outputs k −1 ID * (s + Q ID * )S ID * as the answer for the Inv-CDH problem, so C solves the Inv-CDH problem.
The following analysis shows the C's time and advantages in successfully solving difficult problems: • The answers for the query of H 1 , H 2 are evenly and independently distributed in Z * q , and the answers are valid.
• Only when events E 1 and E 2 do not occur, the answers obtained by the private key query and the signature predictor query are valid.
• If E 1 and E 2 do not occur, C can solve an instance of Inv-CDH problem, the probability of E 1 and E 2 neither occurring: When A 3 forges a valid signature without query H 2 , there is a loophole in this simulation. The occurrence probability is 1 2 k , so the advantage in this game is: Running time is:

Performance Analysis
we first give the unforgeability analysis. This paper proposes that the scheme cannot be forged under adaptive selection message attack. The security analysis of A-I and A-II forgery attacks is given below. 1) For A-I attackers. This type of attacker cannot obtain the system master key s, but it can replace the public key of a legitimate user. Assuming that the A-I attacker replaces the public key P K π = (X π , R π ) of the valid user ID π with P K * π = (X * π , R * π ), 7 EAI Endorsed Transactions Scalable Information Systems 10 2021 -01 2022 | Volume 9 | Issue 34 | e3 and uses the replaced public key to successfully forgery a signature (R, v) for message M, then based on the signature verification algorithm, it calculates h = H 2 (ID π , M, R * π , X * π , R), h 1 = H 1 (ID π , R * π , X * π , R), and the signature verification equation vP = R + h(R * π + h 1 P pub + X * π ) is correct. Because R, R * π and X * π participate in the computation of h = H 2 (ID π , M, R * π , X * π , R), so there will be a vP = r + hr * π + hh 1 s + hx * π ), where R = rP , X * π = x * π P , R * π = r * π P , so it can launch s = (v − r − hr * π − hx * π )/hh 1 . That is, the master key s can be calculated by P pub = sP with A-I attacker, thus solving the ECDLP problem. However, ECDLP is a difficult problem that cannot be solved in the real world at present, so the counterfeiting attacks of A-I cannot be successful.
1) For A-II attackers. This type of attacker can obtain the system master key s, but it cannot replace the public key of a legitimate user. Assuming that the A-I attacker replaces the public key P K * π = (X * π , R * π ) of the valid user ID π successfully to forgery a signature (R, v) for message M. Then based on the signature verification algorithm, it calculates h = H 2 (ID π , M, R π , X π , R ), h 1 = H 1 (ID π , R π , X π ), and the signature verification equation v P = R + h R π + h 1 P pub + X π ) is correct. The true signature output value of user ID π for message M is (R, v). According to the improved signature verification algorithm, it can get h = H 2 (ID π , M, R π , X π , R), h 1 = H 1 (ID, ID π , R π , X π ), vP = R + h(R π + h 1 P pub + X π ). The following will be obtained.
According to R = ϑP , ϑ ∈ Z * q , it solves ϑ = v − h ( v−r P ). That is, the A-II attackers are used as subroutines to solve the ECDLP problem successfully. However, the secure assumes that the ECDLP problem is a difficult problem that cannot be solved in the real world at present, so the forgery attack of the A-II attackers cannot be successful. Table 1 gives the performance comparison between proposed scheme and other schemes including PFP [28], SRSA [29], PCPA [30] and IECS [31]. Where, mp represents the multiple point operation on group G 1 . bp represents the bilinear pair operation. eo denotes the exponential operation with relatively high computation cost.
In the signature stage, the scheme in this paper requires two multiple point operations. PFP requires two multiple point operations. SRSA requires two large exponential operations. IECS requires three multiple point operations. In signature verification phase, the proposed scheme needs three multiple point operations and three bilinear pairings computations. PFP requires In conclusion, this scheme has higher efficiency than other schemes. Moreover, the scheme in this paper has lower computational complexity and more advantages in computational efficiency.

Conclusions
This paper modifies the definition of certificateless signature and proposes a certificateless short signature scheme based on random predictor model. The scheme in this paper calculates the user's partial public key while generating the secret value, and associates the user's identity with the user's partial public key when extracting the partial private key. Thus it establishes the authentication relationship between the user's public key and the user. Compared with the classical signature schemes and the relevant certificateless signature schemes, the results show that the proposed scheme has better performance and lower computational complexity. It can meet the requirements of practical applications.