Strongly Unforgeable Certificateless Signature Scheme in the Standard Model

(1)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (

ISSN 2250-2459

, Volume 2, Issue 4, April 2012)

33

Strongly Unforgeable Certificateless Signature Scheme in the

Standard Model

Xiaoqin Shen

School of Sciences, Xi’an University of Technology, Xi’an, 710054, PR China

xqshen@xaut.edu.cn

Abstract— Certificateless signature scheme eliminates the

need of certificates in the traditional signature scheme and solves the inherent key escrow problem in the identity based signature scheme. In this paper, we propose a new construction of certificateless signature which is strongly unforgeable in the standard model with the computational Diffie-Hellman assumption in bilinear groups. As far as we know, this is the first certificateless signature scheme, which possesses the property of strong unforgeability in the standard model.

Keywords—Digital signature; Certificateless signature; Strong unforgeability.

I. INTRODUCTION

Public key cryptography (PKC) is an important technique to realize network and information security. Traditional public key cryptography requires a trusted certification authority (CA) to issue a certificate binding the identity and the public key of an entity, that is, a signature of CA on the public key. It requires a large amout of storage and computing time to manage the certificates. To solve the problem, Shamir firstly proposed the notion of identity-based public key cryptography (ID-PKC) [1] in 1984. ID-PKC sets the identity information of a user (such as IP address, e-mail address, etc.) to be the public key. A trusted third part called Private Key Generator (PKG) generates the private key from the public key (identity of a user), and send back it to the user through a secure channel. ID-PKC does not require the certificate of a public key anymore since the user’s public key is a publicly information. However, ID-PKC needs a trusted PKG to generate a private key for an entity according to his identity. So we are confronted with the key escrow problem. Fortunately, the two problems in traditional PKC and ID-PKC can be prohibited by introducing certificateless public key cryptography (CL-PKC) [2], which fills the gap between traditional PKC and ID-PKC.

The basic idea of CL-PKC is to generate a public/private pair for a user by using a master key of a Key Generation Center (KGC) with a random secret value selected by the user. Thus, the CL-PKC can be seen as a model that is intermediate between traditional PKC and ID-PKC.

Hence, CL-PKC eliminates the user of certificates in traditional PKC and solves the key escrow problem in ID-PKC.

The construction of a secure and efficient certificateless signature (CLS) scheme is not easy because the construction of a CLS scheme conceptually incorporates mechanisms to authenticate user’s identity, random public key, and a message to be signed at the same time. Recently, many researchers have been investigating CLS schemes [2-24].

The standard security notion of a digital signature scheme is the existential unforgeability under adaptive chosen message attacks [25]. In this model, an adversary who is given a signature for some messages of his choice should not be able to generate a signature for a new message. However, most existing signature schemes are randomized and allow many possible signatures for the same message. In 2002, An et al. [26] proposed a new security notion called strong unforgeability. A signature scheme is said to be strongly unforgeable if it is existentially unforgeable under adaptive chosen message attacks and, given signatures



₁

,



,



n on the message

m

, the adversary cannot produce a new signature

1,

,

i

n

  

（



 

）

, on the same message

m

.

Strongly unforgeable signatures have a lot of application include building IND-CCA2 secure public encryption scheme, signcryption, etc. In this paper, bases on Waters’s signature scheme [27], a new construction of certificateless signature is present. As far as the authors know, the proposed scheme is firstly provably secure in the standard model which captures stong unforgeability and high efficiency. The strong unforgeability of our scheme relies on the hardness of Computational Diffie-Hellman problem.

II. PRELIMINARY A. Bilinear Pairings

(2)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (

ISSN 2250-2459

, Volume 2, Issue 4, April 2012)

34

The map

e G

:

₁



G

₁



G

₂ is said to be an admissible bilinear pairing with the following properties:

1) Bilinearity: For all

u v

,



G

₁ , and

a b

,



Z

q,

(

a

,

b

)

( , )

ab

e u v



e u v

.

2) Non-degeneracy:

e g g

( , )



1

.

3) Computability: There exists an efficient algorithm to compute

e u v

( , )

for all

u v

,



G

₁.

B. Complexity Assumptions

The security of our scheme relies on the hardness of the following problem.

Computational Diffie-Hellman (CDH) Problem: Given 1

,

a

,

b

g g

g



G

, for unknown

a b

,



Z

_q, compute

g

ab. The success probability of a polynomial algorithm

A

in solving CDH problem is denoted as

Pr[ ( ,

,

)

]

CDH a b ab

A

Succ



A g g

g



g





Definition 1. The computational

( , )



t

CDH assumption holds if no t-time adversary has at least



in solving CDH problem.

III. FORMAL MODEL OF CERTIFICATLESS SIGNATURE A. Certificateless signature scheme

A certificateless signature scheme is defined by five algorithms: Setup, Partial-Private-Key-Extract, User-Key-Generate, Sign and Verify. The description of each algorithm is as follows:

Setup: This algorithm takes as input a security parameter

k

and outputs a master key

msk

and system parameters

params

. After the algorithm is performed by the Key Generator Center (KGC), it publishes the system parameters

params

and keeps the master key

msk

secret.

Partial-Private-Key-Extract: This algorithm takes as input

params

,

msk

and an identity

ID



{0,1}

 of an entity, and returns a partial private key

psk

_ID and sends

ID

psk

to the corresponding owner

ID

via a secure channel.

User-Key-Generate: This algorithm takes as input

params

, an entity’s identity

ID

and returns a randomly chosen secret value

x

_ID and a corresponding public key

ID

pk

.

The entity

ID

runs the algorithm to generate his public key, and then distribute the public key

pk

_ID without being certificated.

Sign: This algorithm takes as input

params

,

ID

, the partial private key

psk

_ID, secret value

x

_ID, the message

M

and returns a signature



.

Verify: This algorithm takes as input

params

,

ID

and the message/signature pair

(

M

, )



, and returns True if



is a valid signature and returns



otherwise.

B. Security Model

As defined in [2], we consider two types adversaries: Type I. The adversary

A

_I represents a normal third party attacker and models an “outside” adversary. That is,

I

A

is not allowed access to the master key but

A

_I may request public key and replace public keys with values of its choice.

Type II. The adversary

A

_II represents a malicious-but-passive KGC and models an “inside” adversary. That is,

II

A

is allowed to generate the master key and all system parameters but not replace the user’s public key.

Strong existential unforgeability against adaptive

A

_I

Game 1: The first game is performed between a challenger

C

and an adversary

A

_I for certificateless signature schemes as follows.

Setup. The challenger

C

runs the Setup algorithm to obtain the system parameters

params

.

C

then sends

params

to the adversary A_I .

Queries.

A

_I can adaptively issue the following queries: Public Key Request

(

ID

)

:

A

supplies an identity

ID

and requests the public key for

ID

,

C

returns the corresponding public key

pk

_ID to

A

.

Partial-Private-Key-Extract

(

ID

)

:

A

ID

and requests

ID

’s partial private key,

C

returns the partial private key

psk

_ID to

A

.

(3)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (

ISSN 2250-2459

, Volume 2, Issue 4, April 2012)

35

Public Key Replace

(

ID pk

,

_ID



)

: When

A

ID

and a new valid public key

pk

_ID



,

C

replaces the current public key with

pk

_ID



.

Sign

(

ID M

,

)

: When an adversary

A

supplies a message

M

, the identity

ID

and requests the signature,

C

returns signature



to

A

. It is possible for the challenger

C

not to be aware of user’s secret value when the associated public key has been replaced. In this case, we need

A

to provide the user’s secret value to

C

.

Forgery. Eventually,

A

_I outputs



 on a message

M

 for

ID

 such that

(1)



 is a valid signature on a message

M

 for

ID

. (2)

(

ID M



,



,





)

is not among the triples

(

ID M

_i

,

_i

,



_i

)

during the Sign queries.

(3)

ID

 is not been submitted as one of the Partial- Private-Key-Extract queries and Secret-Value-Extract queries.

We define

I

EF CLS CMA A

Succ   to be the success probability of

A

_I wins in Game 1.

Strong existential unforgeability against adaptive

A

II

Game 2: The second game is performed between a challenger

C

and an adversary

A

_II for certificateless signature schemes as follows.

Setup. The adversary

A

_II runs Setup algorithm to obtain a master key

msk

and public system parameters

params

.

A

_II gives

msk

and

params

to the challenger

C

.

Queries.

A

_II can adaptively issue the Public Key Request and Sign queries to

C

. Note that here

A

_II cannot replace any public key. Obviously,

A

_II can compute the partial private keys of any users by itself with the master key

msk

.

Forgery. Eventually,

A

_II outputs



 on a message

M

 for

ID

 such that :

1)



 is a valid signature on a message

M

 for

ID

.

2)

(

ID M



,



,





)

is not among the triples

(

ID M

_i

,

_i

,



_i

)

during the Sign queries. We define

II EF CLS CMA A

Succ   to be the success probability of

A

_II wins in Game 2.

Definition 2. A certificateless signature scheme is

( , ,



t q

_pk

,

q

_pp

,

q

_sv

,

q

_pr

,

q

_s

)

-strongly existentially unforgeable under adaptively chosen message attacks in Class II if no

t

-time adversaries (

A

_I and

A

_II), making at most

q

_pk Public Key Request queries,

q

_pp Partial-Private-Key-Extract queries (

q

_pp



0

for

A

_II ),

q

_sv

Secret-Value-Extract queries (

q

_sv



0

for

A

_II ),

q

_pr

Public Key Replace queries (

q

_pr



0

for

A

_II ) and

q

_s Sign queries, have a success probability of at least



in Game 1 and Game 2.

IV. OUR SCHEME

Our scheme is based on Waters scheme [27]. Let

: {0,1}

{0,1}

nu u

H





and

: {0,1}

{0,1}

nm

m

H





be

two collision-resistant cryptographic hash functions for some

n n

_u

,

_m



Z

.

Setup. The KGC Randomly choose





Z

_p,

g

₂



G

₁

and compute

g

₁



g

 . Additionally, the KGC selects randomly the following elements

u m

  

,

G

₁,

u

_i



G

₁

for

i

 

1,

,

n

_u and

m

_j



G

₁ for

j

 

1,

,

n

_m . Let

U



{ }

u

i and

M



{

m

j

}

.

The public parameters

params

are 1 2 1 2

( ,

e G G g g g u

,

, ,

,

, , U,



m



, M)

and the master key is 2

g

.

(4)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (

ISSN 2250-2459

, Volume 2, Issue 4, April 2012)

36

Define

U



{1,



,

n

_u

}

to be the set of indicies such that

u i

[ ]



1

. To generate partial private key of identity

ID

, the KGC randomly picks

r

_u



Z

_p and computes (1) (2)

2

(

) ,

(

,

)

u u

r r

i i

g



u

g

psk





_



_









U



u

.

User Key Generate. An entity with identity

ID

chooses randomly a secret value

x



Z

_p and computes a public key

pk



e g g

(

₁

,

₂

)

x.

Private Key Extract. An entity with identity

ID

picks

p

r



Z

 and computes

(1) (2)

(1) (2) 2

(

) (

) , (

)

(

) ,

)

(

,

)

x r x r

i i

x t t

i i

psk

u

psk

g



u

g

sk

 







(

)

U U

u

Where

t



r x

_u



r

.

CL-Sign. To sign a message

m



{0,1}

, the signer with identity

ID

picks

r r

 

,

Z

_p randomly and carries out the follows steps:

1) Compute



₁



sk

(2)



g

rand



₂



g

r. 2) Compute

m

( ,

₁

,

₂

,

i

,

)

i

H

m

 

u

u pk









U

u

.

Let

m[ ]

j

be the j-th bit of

m

and

{1,

,

n

m

}





M

m[ ] 1

j



.

3) Compute (1)

3

(

)

(

)

r r

i j

sk

u

m



 

 













U M

u

.

4) Output the signature





(

  

₁

,

₂

,

₃

)

.

CL-Verify. Given a signature





(

  

₁

,

₂

,

₃

)

for an identity ID and public key

pk

on a message m, a verifier does the following:

1) Compute

m

( ,

₁

,

₂

,

i

,

)

i

H

m

 

u

u pk









U

u

Let

m[ ]

j

to be the j-th bit of

m

and

{1,

,

n

m

}





M

m[ ] 1

j



.

2) Check the equation whether

3 1 2

(

, )

(

_i

,

)

(

_j

,

)

i j

e



g

pk e u

u



e m

m



 













U M

u

hold. If the equation holds, it output 1, otherwise 0. V. ANALYSIS OF THE PROPOSED SCHEME

In this section, we will give an analysis for the certificateless signature scheme including the correctness and the proof of security.

A. Correctness

The correctness can be easily verified by the following equalities (1) 3 2 2 2 ( , ) ( ) ( ) , ( ) ( ) ( ) , ( , ) ( ) , ( ) , ( , ) ( , ) ( r r i j i j

x t r r

i i j

x t r r

i j

x t r

i

i j

e g e sk u u m m g

e g u u u u m m g

e g g e u u g e m m g e g g e u u g e m

                                              _  _               



U M

U U M

U M

U

u u

u u u

u u u u 2 1 2 , ) ( , ) ( , ) ( , ) ( , ) u r j

r x r r

i j

m g pk e u u g g e m m pk e u u e m m

                    



M U M U M u u u u

B. Security Proof

Theorem 1. The certificateless signature scheme is strongly existentially unforgeable in the standard model under the CDH assumption.

This theorem follows Lemma 1 and Lemma 2.

Lemma 1. The certificateless signature scheme is

( , ,



t q

_pk

,

q

_pp

,

q

_sv

,

q

_pr

,

q

_s

)

-secure during Game 1, assuming that

( , )



 

t

-CDH assumption holds in

G

₁ , where

16(

q

_pk

q

_pp

q q n

_s

) (

_s _u

1)(

n

_m

1)



 



((

_pk _pp _s

)

_e

(

_pp _s _u _s _m

) )

_m

t



O

q



q



q t



q



q n



q n t

and

e

(5)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (

ISSN 2250-2459

, Volume 2, Issue 4, April 2012)

37

Proof. In Class I attack, assume there exists an adversary

I

A

who can

( , ,



t q

pk

,

q

pp

,

q

sv

,

q

pr

,

q

s

)

break our

proposed scheme. We will construct an algorithm

F

that makes use of

A

_I to solve the CDH problem with probability at least





and in time at most

t



.

F

takes as input a random CDH challenge

( ,

g g

a

,

g

b

)

in

G

₁ and outputs

g

ab. In order to use

A

_I

to solve the problem,

F

will simulate the challenger

C

and all queries for

A

_I.

To avoid collision and consistently respond to these queries,

_F

maintains a List

L



{

ID psk

,

_ID

,

x

_ID

,

pk

_ID

}

which is initially empty.

_F

answers the queries of

A

_I as follows:

Setup: Let

l

_u



2(

q

_pk



q

_pp



q

_d



q

_s

)

and

2

m s

l



q

.

F

randomly chooses the following elements: 1) Three integers

0 

k

_u



n

_u and

0 

k

_m



n

_m

(

l n

_u

(

_u

 

1)

q

and

l

_m

(

n

_m

 

1)

q

). 2) An integer

u l

x

 

Z

and

n

_u -dimensional vector

( ,

x

1



,

x

nu

)



Z

lu_.

3) An integer

m l

Z



 

and

n

_m -dimensional

vector

( ,



1



,



nm

)



Z

lm_.

4) An integer

y

 

Z

_q and

n

_u -dimensional vector

( ,

y

1



,

y

nu

)



Z

q_.

5) An integer



 

Z

_q and

n

_m -dimensional vector

(



1

,



,



nm

)



Z

q_.

To make the notation easy to follow, we define six functions:

(u)

_i _u _u

i

F

x

l k





 





U

,

(u)

_i

i

J

y











Uu ,

(m)

k m m

k

I



l k













M

,

(m)

k

H













M .

F

sets system parameters as follows: 1)

g

₁



g

a and

g

₂



g

b.

2)

_u

 

_g

₂l ku ux

_g

y_and

2

i i

x y

i

u



g g

(

1  

i

n

_u),

which means that, for any

u

, we have (u ) (u )

2

F J

i i

u

g









U

. 3) _m _g₂l km m_g and

2

j j

j

m



g g

 

(

1  

j

n

m), which means that, for any

m

, we

have _j ₂I(m) H(m)

j

m

g









M

.

Finally,

F

returns ( , ₁, ₂, , ₁, , , , ₁,

u

n

g g g u u u m m

,

)

m n

m



to

A

_I.

Public Key Request Queries: Upon receiving a query for a public key of an identity

ID

, if the list

L

contains the corresponding entry,

F

returns

pk

_ID . Otherwise,

F

picks a random

x

_ID and computes

(

₁

,

₂

)

xID ID

pk



e g g

.

Then

F

stores the

(

x

_ID

,

pk

_ID

)

in the list

L

and returns public key

pk

_ID to

A

_I .

Partial-Private-Key-Extract Queries: Upon receiving a query for a partial private key of an identity

ID

, if the list

L

F

returns

psk

_ID. Otherwise,

F

computes

u

_ID



H

_u

(

ID

)

and generates the partial private key of

ID

as follows:

(1) If

F

(u )

ID



0 mod

l

u ,

F

randomly picks

ID q

r



Z

 and defines

(u )

ID ID

ID

a

r

F





.

_F

computes

(1) (2)

(u ) 1

(u ) (u ) (u ) (u )

1 2 1

(

,

)

(

) ,

ID

ID ID ID ID ID ID

ID ID ID

J

F F J r F r

psk

g

 











_





_





(2) If

F

(u )

_ID



0 mod

l

_u ,

F

aborts and reports failure.

Finally,

F

stores the partial private keys in the list

L

and returns

psk

_ID to

A

_I.

(6)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (

ISSN 2250-2459

, Volume 2, Issue 4, April 2012)

38

Otherwise,

F

makes a Public Key Request Query on

ID

and returns the corresponding

x

_ID to

A

_I.

Public Key Replace Queries: When

A

_I requests to replace the current public key

pk

_ID of an identity

ID

with a new and valid public key

pk

_ID



chosen by him. If the list

L

contains the

pk

_ID,

F

replaced it with the new public key

pk

_ID



. Otherwise,

F

directly sets

ID ID

pk



pk



and stores the corresponding entry in the list

L

.

Sign Queries: When

A

_I issues sign query on the message

M

under the identity

ID

, if

L

contains the corresponding entries

L



{

ID psk

,

ID

,

x

ID

,

pk

ID

}

,

F

runs Private Key Extract algorithm and CL-Sign algorithm to generate



. Otherwise,

F

computes

u



H

_u

(

ID

)

and does as follows:

1) If

F

(u)



0 mod

l

_u,

F

firstly makes a Partial-Private-Key-Extract Query on

ID

and a Public Key Request Query on

ID

to obtain

psk

_ID and

(

x

_ID

,

pk

_ID

)

, respectively. Then,

F

runs Private Key Extract algorithm and CL-Sign algorithm to generate



.

2) If

F

(u)



0 mod

l

_u and

I

(m)



0 mod

l

_m,

F

ID

to obtain

(

x

_ID

,

pk

_ID

)

.

F

randomly picks

1

, ,

ID q

r

r r



Z

 and computes



₁



_g

x rID ID

_g

r _,

1 (m)

2 1

ID x

r I

g g





 ,

1 2

m

_m

(

,

_i

,

_ID

)

i

H

M

 

u

u pk









U

u

,

1

(m) (m)

3 1

(

)

(

)

ID

ID ID H

x

r r x r

I

i j

g

u

m



 

 













I D

U M

u

.

Finally,

F

returns





(

  

₁

,

₂

,

₃

)

to

A

_I .

Forgery. The adversary

A

_I outputs a forgery signature 1 2 3

(

,

)





_

  

  

of the message

M

 under

ID

.

F

computes

u

ID

H

u

(

ID

)



_



and 1 2

m

_m

(

,

_i

,

_ID

)

i

H

M

 

u

u pk



  









U

u

.

If

F

(u )

_ID



0 mod

q

or

I

(m )





0 mod

q

,

_F

will abort it. Otherwise, when

F

(u )

ID

0 mod

q



_

and

(m )

0 mod

I





q

,

_F

computes

3

(u ) (m )

1 2

ID ID

abx

J H

g



  



 



.

Since

F

can retrieve the secret value

x

_ID from 1 2

( ,

)

xID ID

pk





g g

 , and thus outputs ab

g as the solution to the CDH problem instance.

This completes the description of simulation. It remains to analyze the probability of

F

not aborting.

F

will not abort if all the following cases happen:

A:

F

(u )

ID



0 mod

l

u during the

Partial-Private-Key-Extract queries.

B:

F

(u )

ID



0 mod

l

u or

I

(m)



0 mod

l

m during

the Sign queries.

C:

F

(u )

ID

0 mod

q



_

and

I

(m )





0 mod

q

during the forgery phase.

Let

1 1

u ,



, u

q be the identity appearing in either Public

Key Request queries or Partial Private Key Extract queries

or Sign queries not involving the identity in forgery phase. Clearly, we will have

q

1



q

pk



q

pp



q

s.

Define the following events:

A

i:

F

(u )

i



0 mod

l

u where

i

 

1,

,

q

1.

B

_i:

I

(m )

i



0 mod

l

m where

i

 

1,

,

q

s

C

:

F

(u )

_ID



0 mod

q

D

:

I

(m )





0 mod

q

The success probability of

F

is 1

1 1

Pr[

]

Pr[ A

B

C

D]

s q q

i i

abort

 







 

 

.

Since the functions

F

( )



and

I

( )



are selected independently, therefore, the events

1

( A

C)

q i i





and

1

( B

D)

s q

i i

(7)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (

ISSN 2250-2459

, Volume 2, Issue 4, April 2012)

39

According to

l n

_u

(

_u

 

1)

q

, it is easy to see that

(u)

0 mod

(u)

0 mod

_u

F



q



F



l

.

Furthermore, this implies that if

F

(u)



0 mod

l

_u , there will be an unique

k

_u with

0 

k

_u



n

_u such that

(u)

0 mod

F



q

. For the randomness of 1

, ,

,

u

u n

k u u





u

, we have

Pr[C]

Pr[ (u )

0 mod ]

Pr[ (u )

0 mod ]

Pr[ (u )

0 mod ]Pr[ (u )

0 mod |

(u )

0 mod ]

1

1 (

1)

ID

ID u ID

ID u

u u

F

q

F

q

F

l

F

q F

l

n



 











On the other hand, for any i, the event

A

i and

C

are

independent, so we have

1 1

1

1 1

1

1 1

Pr[

A

C]

Pr[C]Pr[

A | C]

Pr[C] 1 Pr[

A | C]

Pr[D] 1

Pr[ A | C]

1

1 (

1)

1

1 (

1)

q q

i i

q i i

q

i i

u u u

pk pp s

u u u

q

l

n

l

q

l

n

l

 

















_



 

_











_





_











_



_

 











_



_

 





Similarly, we have

1 1

Pr[ B

D]

Pr[D]Pr[ B | D]

1 (1

)

(

1)

s s

q q

i

i i

s

m m m

q

l n

l

 

 











Let

l

u



2(

q

pk



q

pp



q

s

)

and

l

w



2 q

s , then we

have

1

1 1

Pr[

]

Pr[ A

B

C

D]

1

1 (1

)

(

1)

(

1)

1 16(

) (

1)(

1)

s q q

i i

pk pp s s

u u u m m m

pk pp s s u m

abort

q

l

n

l

l n

l

q

q q n

n

 







 

 









_



_





_

_







If

the simulation does not abort, the success probability of

I

A

is at least



. Thus

F

can solve the CDH problem instance with probability

16(

q

pk

q

pp

q q n

s

) (

s u

1)(

n

m

1)



 



.

Algorithm

F

’s running time is the same as

A

I ’s

running time plus the time it takes to respond to

q

_pk

Public Key Request queries,

q

_pp Partial-Private-Key-Extract queries,

q

_sv Secret-Value-Extract queries,

q

_pr

Public Key Replace queries and

q

_s Sign queries. Each Public Key Request query needs to carry out

O

(1)

exponentiations. Each Partial-Private-Key-Extract query needs to do

O

(1)

exponentiations and

O

(1)

multiplications. It performs

O

(1)

exponentiations and

(

n

u



n

m

)

O

multiplications to make a Sign query. If we assume each exponentiation takes time

t

_e and each multiplication takes time

t

_m, the total running time is at most tO((qpkqppq ts)e(qppq ns uq n ts m) )m .

Thus, the lemma follows. □

Lemma 2. The certificateless signature scheme is

( , ,



t q

pk

,

q

s

)

-secure during Game 2, assuming that

( , )



 

t

-CDH assumption holds in

G

₁, where

4(

q

_pk

q q n

_s

) (

_s _u

1)(

n

_m

1)



 



((

_pk _s

)

_e

(

_s _u _s _m

) )

_m

t

  

t

O

q



q t



q n



q n t

(8)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (

ISSN 2250-2459

, Volume 2, Issue 4, April 2012)

40

Proof. In Class II attack, assume there exists an adversary

A

_II who can

( , ,



t q

pk

,

q

s

)

break our proposed

scheme. We will construct an algorithm

F

that makes use of

A

_II to solve the CDH problem with probability at least





and in time at most

t



.

F

takes as input a random CDH challenge

( ,

g g

a

,

g

b

)

in

G

₁ and outputs

g

ab. In order to use

A

_II

to solve the problem,

F

will simulate the challenger

C

and all queries for

A

_II. To avoid collision and consistently respond to these queries,

F

maintains a List

{

,

ID

,

ID

,

ID

}

L



ID psk

x

pk

which is initially empty.

Then

F

replies the queries of

A

_II as follows:

Setup: The adversary

A

_II randomly chooses





Z

_q as the master key, and assigns

g

₁



g

 and other public system parameters are identical to those of Lemma 1. Then

II

A

sends all system parameters and



to

F

.

Public Key Request Queries: Upon receiving a query for a public key of an identity

ID

, if the list

L

F

returns

pk

_ID . Otherwise,

F

picks a random

x

_ID



Z

_q and computes

(

b

,

a

)

xID ID

pk



e g

g

 (the implicitly defined secret value is

ax

_ID). Then

F

stores

(

x

_ID

,

pk

_ID

)

in the list

L

and returns public key

pk

_ID to

A

_II.

Sign Queries: When

A

_I issues sign query on the message

M

under the identity

ID

, if

L

contains the corresponding entries

x

_A, otherwise

F

ID

_A to obtain the corresponding

A

x

. Then

F

computes

u



H

_u

(

ID

)

and does as follows:

1) If

F

(u)



0 mod

l

_u ,

F

randomly

r r

 

,

Z

_q

and computes (u ) 1

(

)

ID F

a r

g





_

 

,



₂



g

r and (u )

(u )

3

(

)

(

)

(

)

ID ID ID J

x F

a r r

i j

g

u

m





  

 













I D

U M

u

2) If

F

(u )

_ID



0 mod

l

_u and

I

(m)



0 mod

l

_m ,

F

firstly randomly picks

r

_ID

, ,

r r

 

₁

Z

_q and computes

(2) 1

(

)

A A r x

a r r

g

sk

g



_

_



_

_



, 1 (m)

2

(

)

A x

r a I

g









 ,

1 (m)

(u ) (m)

3

(

)

(

)

(

)

(

)

ID

ID ID ID H

x

J r x

a I a r

i i r

j j

g

u

m





 















I D

U M

u

Forgery. The adversary

A

_II outputs a forgery signature 1 2 3

(

,

)





_

  

  

of the message

M

 under the

ID

.

F

computes

u

ID

H ID

u

(

)



_



and 1 2

m

_m

(

,

_i

,

_ID

)

i

H

M

 

u

u pk



  









U

u

. If

(u )

_ID

0 mod

F





q

or

I

(m )





0 mod

q

,

F

will

abort it. Otherwise, when

F

(u )

ID

0 mod

q



_

and

(m )

0 mod

I





q

,

F

computes

3

(u ) (m )

1 2

ID ID

ab x

J H

g





  



 



.

Since

_F

knows



and also retrieve the secret value

ID

x

 from

L

, and thus outputs gab as the solution to the CDH problem instance.

We omit the analysis of the success probability and the time complexity, which are similar to that of Lemma 1. Thus, the lemma follows.

VI. CONCLUSION

We have introduced the concept of strong unforgeability of digital signatures to certificateless signatures and defined the security model of this kind of cryptographic primitive. We also constructed a new certificateless signature scheme and showed that the scheme is strongly unforgeable without using the random oracle model.

(9)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (

ISSN 2250-2459

, Volume 2, Issue 4, April 2012)

41

VII. ACKNOWLEDGEMENTS

This paper is supported by National Nature Science Foundation of China (NSFC11101330, NSFC 61004122) and Education Office Foundation of Shaanxi Province (2010JK728) and Natural Science Foundation of Shaanxi Province (2011JQ1007).

REFERENCES

[1] Shamir, A. 1984. Identity-based cryptosystem and signature scheme. Advances in Cryptology- Crypto 1984, LNCS 196, Berlin: Springer-Verlag, 1984, pp. 47-53.

[2] Al-Riyami, S., and Paterson, K. 2003. Certificateless public key cryptography. Advances in Cryptology-Asiacrypt 2003. Berlin: Springer-Verlag, LNCS 2894, 2003, pp. 452-473.

[3] Yum, D. H., and Lee, P. J. 2004. Generic construction of certificateless signature. In: ACISP 2004, Berlin: Springer-Verlag, LNCS 3108, 2004, pp. 200-211.

[4] Chen, X. Li, K. and Sun, L. 2005. Certificateless signature and proxy signature schemes from bilinear pairings. Lithuanian Mathematical Journal, 45 (1), 2005, pp. 76-83.

[5] Gorantla, M. C. and Saxena, A. 2005. An efficient certificateless signature scheme. In: CIS 2005, Berlin: Springer-Verlag, LNAI 3802, 2005, pp. 110-116.

[6] Huang, X., Susilo,W., Mu, Y., and Zhang, F. 2005. On the security of certificateless signature schemes from asiacrypt 2003. In: CANS 2005, Berlin: Springer-Verlag, LNCS 3810, 2005, pp. 13-25. [7] Z. Zhang, D. Wong, J. Xu, and D. Feng. 2006. Certificateless

public-key signature: security model and efficient construction. In: ACNS 2006, Berlin: Springer-Verlag, LNCS 3989, 2006, pp. 293-308. [8] Hu, B. C., Wong, D. S., Zhang, Z., and Deng, X. 2006. Key

replacement attack against a generic construction of certificateless signature. In: ACISP 2006, Berlin: Springer-Verlag, LNCS 4058, 2006, pp. 235-246.

[9] Huang, X., Mu, Y., Susilo, W., Wong, D.S., and Wu, W. 2007. Certificateless signature revisited. In: ACISP 2007, Berlin: Springer-Verlag, LNCS 4586, 2007, pp. 308-322.

[10]Choi, K.Y., Park, J.H., Hwang, J.Y., and Lee, D.H. 2007. Efficient certificateless signature schemes. In: ACNS 2007, Berlin: Springer-Verlag, LNCS 4521, 2007, pp. 443-458.

[11]Liu, J., Au, M., and Susilo, W. 2007. Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model. In: ASIACCS 2007, ACM, 2007, pp. 273-283.

[12]Wang L., Cao, Z., Li, X., and Qian, H. 2007. Simulatability and security of certificateless threshold signatures. Information Sciences, 177 (6), 2007, pp. 1382-1394.

[13]Long, Y. and Chen, K. 2007. Certificateless threshold cryptosystem secure against chosen-ciphertext attack. Information Sciences, 177 (24), 2007, pp. 5620-5637.

[14]Duan S. 2008. Certificateless undeniable signature scheme. Information Sciences, 178(3), 2008, pp. 742-755.

[15]H. Xiong, Z. Qin, and F. Li. 2008. An improved certificateless signature scheme secure in the standard model. Fundamenta Informaticae, 88, 2008, pp. 1-14.

[16]Zhang, L. and Zhang, F. 2008. A new provably secure certificateless signature scheme. In: IEEE International Conference on Communications, 2008, pp. 1685-1689.

[17]Du, H. and Wen, Q. 2009. Efficient and provably-secure certificateless short signature scheme from bilinear pairings. Computer Standards and Interfaces, 31(2), 2009, pp. 390-394. [18]Chang, S., Wong, D. S., Mu, Y., and Zhang, Z.F. 2009.

Certificateless threshold ring signature. Information Sciences, 179, 2009, pp. 3685-3696.

[19]Shim, K. 2009. Breaking the short certificateless signature scheme. Information Sciences, 179, 2009, pp. 303-306.

[20]Liu, Z., Hu, Y., Zhang, X., and Ma, H. 2010. Certificateless signcryption scheme in the standard model. Information Sciences, 180, 2010, pp. 452-464.

[21]Yuan, H., Zhang, F., Huang, X., Mu, Y., Susilo, W., and Zhang, L. 2010. Certificateless threshold signature scheme from bilinear maps. Information Sciences, 180, 2010, pp. 4714-4728.

[22]Choi, K. Y., Park, J. H., and Lee, D. H. 2011. A new provably secure certificateless short signature scheme. Computers and Mathematics with Applications, 61, 2011, pp. 1760-1768.

[23]Weng, J., Yao, G., Deng, R., Chen, M. and Li, X. 2011. Cryptanalysis of a certificateless signcryption scheme in the standard model. Information Sciences, 181, 2011, pp. 661-667.

[24]Xiong, H., Li, F., and Qin,Z. 2010. Certificateless threshold signature secure in the standard model. Information Sciences, 2010, doi:10.1016/j.ins.2010.06.010.

[25]Goldwasse,r S., Micali, S., Rivest, R. 1988. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 1988, 17(2), 281-308.

[26]An, J., Dodis, Y., Rabin, T. 2002. On the security of joint signature and encryption. Advances in Cryptology-Eurocrypt 2002, LNCS 2332. Springer-Verlag, pp. 83-107.