International Journal of Emerging Technology and Advanced Engineering, Website: www.ijetae.com (ISSN 2250-2459, Volume 2, Issue 4, April 2012)
Strongly Unforgeable Certificateless Signature Scheme in the Standard Model
Xiaoqin Shen
School of Sciences, Xi’an University of Technology, Xi’an, 710054, PR China
xqshen@xaut.edu.cn
Abstract— A certificateless signature scheme eliminates the need for certificates in traditional signature schemes and solves the inherent key escrow problem of identity-based signature schemes. In this paper, we propose a new construction of certificateless signature which is strongly unforgeable in the standard model under the computational Diffie-Hellman assumption in bilinear groups. As far as we know, this is the first certificateless signature scheme that possesses the property of strong unforgeability in the standard model.
Keywords—Digital signature; Certificateless signature; Strong unforgeability.
I. INTRODUCTION
Public key cryptography (PKC) is an important technique for realizing network and information security. Traditional public key cryptography requires a trusted certification authority (CA) to issue a certificate binding the identity and the public key of an entity, that is, a signature of the CA on the public key. It requires a large amount of storage and computing time to manage the certificates. To solve the problem, Shamir first proposed the notion of identity-based public key cryptography (ID-PKC) [1] in 1984. ID-PKC sets the identity information of a user (such as an IP address, e-mail address, etc.) to be the public key. A trusted third party called the Private Key Generator (PKG) generates the private key from the public key (the identity of a user) and sends it back to the user through a secure channel. ID-PKC does not require a certificate for a public key any more, since the user's public key is public information. However, ID-PKC needs a trusted PKG to generate a private key for an entity according to his identity, so we are confronted with the key escrow problem. Fortunately, these two problems of traditional PKC and ID-PKC can be avoided by introducing certificateless public key cryptography (CL-PKC) [2], which fills the gap between traditional PKC and ID-PKC.
The basic idea of CL-PKC is to generate a public/private pair for a user by using a master key of a Key Generation Center (KGC) with a random secret value selected by the user. Thus, the CL-PKC can be seen as a model that is intermediate between traditional PKC and ID-PKC.
Hence, CL-PKC eliminates the use of certificates in traditional PKC and solves the key escrow problem in ID-PKC.
The construction of a secure and efficient certificateless signature (CLS) scheme is not easy because the construction of a CLS scheme conceptually incorporates mechanisms to authenticate user’s identity, random public key, and a message to be signed at the same time. Recently, many researchers have been investigating CLS schemes [2-24].
The standard security notion of a digital signature scheme is existential unforgeability under adaptive chosen message attacks [25]. In this model, an adversary who is given signatures on messages of his choice should not be able to generate a signature on a new message. However, most existing signature schemes are randomized and allow many possible signatures for the same message. In 2002, An et al. [26] proposed a new security notion called strong unforgeability. A signature scheme is said to be strongly unforgeable if it is existentially unforgeable under adaptive chosen message attacks and, given signatures $\sigma_1, \ldots, \sigma_n$ on the message $m$, the adversary cannot produce a new signature $\sigma \ne \sigma_i$ $(1 \le i \le n)$ on the same message $m$. Strongly unforgeable signatures have many applications, including the construction of IND-CCA2 secure public key encryption schemes, signcryption, etc. In this paper, based on Waters's signature scheme [27], a new construction of certificateless signature is presented. As far as the authors know, the proposed scheme is the first one provably secure in the standard model that captures strong unforgeability together with high efficiency. The strong unforgeability of our scheme relies on the hardness of the Computational Diffie-Hellman problem.
II. PRELIMINARY
A. Bilinear Pairings
The map $e: G_1 \times G_1 \to G_2$ is said to be an admissible bilinear pairing if it has the following properties:
1) Bilinearity: For all $u, v \in G_1$ and $a, b \in Z_q$, $e(u^a, v^b) = e(u, v)^{ab}$.
2) Non-degeneracy: $e(g, g) \ne 1$.
3) Computability: There exists an efficient algorithm to compute $e(u, v)$ for all $u, v \in G_1$.
B. Complexity Assumptions
The security of our scheme relies on the hardness of the following problem.
Computational Diffie-Hellman (CDH) Problem: Given $g, g^a, g^b \in G_1$ for unknown $a, b \in Z_q$, compute $g^{ab}$. The success probability of a polynomial algorithm $\mathcal{A}$ in solving the CDH problem is denoted as $Succ^{CDH}_{\mathcal{A}} = \Pr[\mathcal{A}(g, g^a, g^b) = g^{ab}]$.
Definition 1. The computational $(t, \epsilon)$-CDH assumption holds if no $t$-time adversary has success probability at least $\epsilon$ in solving the CDH problem.
III. FORMAL MODEL OF CERTIFICATELESS SIGNATURE
A. Certificateless signature scheme
A certificateless signature scheme is defined by five algorithms: Setup, Partial-Private-Key-Extract, User-Key-Generate, Sign and Verify. The description of each algorithm is as follows:
Setup: This algorithm takes as input a security parameter $k$ and outputs a master key $msk$ and system parameters $params$. After the algorithm is performed by the Key Generation Center (KGC), it publishes the system parameters $params$ and keeps the master key $msk$ secret.
Partial-Private-Key-Extract: This algorithm takes as input $params$, $msk$ and an identity $ID \in \{0,1\}^*$ of an entity, returns a partial private key $psk_{ID}$, and sends $psk_{ID}$ to the corresponding owner $ID$ via a secure channel.
User-Key-Generate: This algorithm takes as input $params$ and an entity's identity $ID$, and returns a randomly chosen secret value $x_{ID}$ and a corresponding public key $pk_{ID}$. The entity $ID$ runs the algorithm to generate his public key, and then distributes the public key $pk_{ID}$ without certification.
Sign: This algorithm takes as input $params$, $ID$, the partial private key $psk_{ID}$, the secret value $x_{ID}$ and the message $M$, and returns a signature $\sigma$.
Verify: This algorithm takes as input $params$, $ID$ and the message/signature pair $(M, \sigma)$, and returns True if $\sigma$ is a valid signature and rejects otherwise.
B. Security Model
As defined in [2], we consider two types of adversaries:
Type I. The adversary $\mathcal{A}_I$ represents a normal third-party attacker and models an "outside" adversary. That is, $\mathcal{A}_I$ is not allowed access to the master key, but $\mathcal{A}_I$ may request public keys and replace public keys with values of its choice.
Type II. The adversary $\mathcal{A}_{II}$ represents a malicious-but-passive KGC and models an "inside" adversary. That is, $\mathcal{A}_{II}$ is allowed to generate the master key and all system parameters, but not to replace the user's public key.
Strong existential unforgeability against adaptive $\mathcal{A}_I$
Game 1: The first game is performed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}_I$ for certificateless signature schemes as follows.
Setup. The challenger $\mathcal{C}$ runs the Setup algorithm to obtain the system parameters $params$. $\mathcal{C}$ then sends $params$ to the adversary $\mathcal{A}_I$.
Queries. $\mathcal{A}_I$ can adaptively issue the following queries:
Public Key Request($ID$): $\mathcal{A}$ supplies an identity $ID$ and requests the public key for $ID$; $\mathcal{C}$ returns the corresponding public key $pk_{ID}$ to $\mathcal{A}$.
Partial-Private-Key-Extract($ID$): $\mathcal{A}$ supplies an identity $ID$ and requests $ID$'s partial private key; $\mathcal{C}$ returns the partial private key $psk_{ID}$ to $\mathcal{A}$.
Public Key Replace($ID, pk'_{ID}$): When $\mathcal{A}$ supplies an identity $ID$ and a new valid public key $pk'_{ID}$, $\mathcal{C}$ replaces the current public key with $pk'_{ID}$.
Sign($ID, M$): When an adversary $\mathcal{A}$ supplies a message $M$ and the identity $ID$ and requests the signature, $\mathcal{C}$ returns a signature $\sigma$ to $\mathcal{A}$. It is possible for the challenger $\mathcal{C}$ not to be aware of the user's secret value when the associated public key has been replaced. In this case, we need $\mathcal{A}$ to provide the user's secret value to $\mathcal{C}$.
Forgery. Eventually, $\mathcal{A}_I$ outputs $\sigma^*$ on a message $M^*$ for $ID^*$ such that (1) $\sigma^*$ is a valid signature on the message $M^*$ for $ID^*$; (2) $(ID^*, M^*, \sigma^*)$ is not among the triples $(ID_i, M_i, \sigma_i)$ produced during the Sign queries; (3) $ID^*$ has not been submitted as one of the Partial-Private-Key-Extract queries or Secret-Value-Extract queries. We define $Succ^{EF\text{-}CLS\text{-}CMA}_{\mathcal{A}_I}$ to be the success probability that $\mathcal{A}_I$ wins in Game 1.
Strong existential unforgeability against adaptive $\mathcal{A}_{II}$
Game 2: The second game is performed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}_{II}$ for certificateless signature schemes as follows.
Setup. The adversary $\mathcal{A}_{II}$ runs the Setup algorithm to obtain a master key $msk$ and public system parameters $params$. $\mathcal{A}_{II}$ gives $msk$ and $params$ to the challenger $\mathcal{C}$.
Queries. $\mathcal{A}_{II}$ can adaptively issue the Public Key Request and Sign queries to $\mathcal{C}$. Note that here $\mathcal{A}_{II}$ cannot replace any public key. Obviously, $\mathcal{A}_{II}$ can compute the partial private keys of any users by itself with the master key $msk$.
Forgery. Eventually, $\mathcal{A}_{II}$ outputs $\sigma^*$ on a message $M^*$ for $ID^*$ such that: 1) $\sigma^*$ is a valid signature on the message $M^*$ for $ID^*$; 2) $(ID^*, M^*, \sigma^*)$ is not among the triples $(ID_i, M_i, \sigma_i)$ produced during the Sign queries. We define $Succ^{EF\text{-}CLS\text{-}CMA}_{\mathcal{A}_{II}}$ to be the success probability that $\mathcal{A}_{II}$ wins in Game 2.
Definition 2. A certificateless signature scheme is $(t, \epsilon, q_{pk}, q_{pp}, q_{sv}, q_{pr}, q_s)$-strongly existentially unforgeable under adaptively chosen message attacks in Class II if no $t$-time adversaries ($\mathcal{A}_I$ and $\mathcal{A}_{II}$), making at most $q_{pk}$ Public Key Request queries, $q_{pp}$ Partial-Private-Key-Extract queries ($q_{pp} = 0$ for $\mathcal{A}_{II}$), $q_{sv}$ Secret-Value-Extract queries ($q_{sv} = 0$ for $\mathcal{A}_{II}$), $q_{pr}$ Public Key Replace queries ($q_{pr} = 0$ for $\mathcal{A}_{II}$) and $q_s$ Sign queries, have a success probability of at least $\epsilon$ in Game 1 and Game 2.
IV. OUR SCHEME
Our scheme is based on the Waters scheme [27]. Let $H_u: \{0,1\}^* \to \{0,1\}^{n_u}$ and $H_m: \{0,1\}^* \to \{0,1\}^{n_m}$ be two collision-resistant cryptographic hash functions for some $n_u, n_m \in Z$.
Setup. The KGC randomly chooses $\alpha \in Z_p$ and $g_2 \in G_1$ and computes $g_1 = g^{\alpha}$. Additionally, the KGC randomly selects the following elements: $u', m' \in G_1$, $u_i \in G_1$ for $i = 1, \ldots, n_u$ and $m_j \in G_1$ for $j = 1, \ldots, n_m$. Let $U = \{u_i\}$ and $M = \{m_j\}$. The public parameters $params$ are $(e, G_1, G_2, g, g_1, g_2, u', U, m', M)$ and the master key is $g_2^{\alpha}$.
Partial Private Key Extract. Let $u = H_u(ID)$ and define $\mathcal{U} \subseteq \{1, \ldots, n_u\}$ to be the set of indices such that $u[i] = 1$. To generate the partial private key of identity $ID$, the KGC randomly picks $r_u \in Z_p$ and computes
$psk_{ID} = (psk^{(1)}, psk^{(2)}) = \Big( g_2^{\alpha} \big(u' \prod_{i \in \mathcal{U}} u_i\big)^{r_u},\ g^{r_u} \Big)$.
User Key Generate. An entity with identity $ID$ randomly chooses a secret value $x \in Z_p$ and computes a public key $pk = e(g_1, g_2)^x$.
Private Key Extract. An entity with identity $ID$ picks $r \in Z_p$ and computes
$sk = (sk^{(1)}, sk^{(2)}) = \Big( (psk^{(1)})^x \big(u' \prod_{i \in \mathcal{U}} u_i\big)^{r},\ (psk^{(2)})^x g^{r} \Big) = \Big( g_2^{\alpha x} \big(u' \prod_{i \in \mathcal{U}} u_i\big)^{t},\ g^{t} \Big)$,
where $t = r_u x + r$.
CL-Sign. To sign a message $m \in \{0,1\}^*$, the signer with identity $ID$ randomly picks $r', r'' \in Z_p$ and carries out the following steps:
1) Compute $\sigma_1 = sk^{(2)} g^{r'}$ and $\sigma_2 = g^{r''}$.
2) Compute $\mathbf{m} = H_m(m, \sigma_1, \sigma_2, u' \prod_{i \in \mathcal{U}} u_i, pk)$. Let $\mathbf{m}[j]$ be the $j$-th bit of $\mathbf{m}$ and $\mathcal{M} \subseteq \{1, \ldots, n_m\}$ be the set of indices such that $\mathbf{m}[j] = 1$.
3) Compute $\sigma_3 = sk^{(1)} \big(u' \prod_{i \in \mathcal{U}} u_i\big)^{r'} \big(m' \prod_{j \in \mathcal{M}} m_j\big)^{r''}$.
4) Output the signature $\sigma = (\sigma_1, \sigma_2, \sigma_3)$.
CL-Verify. Given a signature $\sigma = (\sigma_1, \sigma_2, \sigma_3)$ for an identity $ID$ and public key $pk$ on a message $m$, a verifier does the following:
1) Compute $\mathbf{m} = H_m(m, \sigma_1, \sigma_2, u' \prod_{i \in \mathcal{U}} u_i, pk)$. Let $\mathbf{m}[j]$ be the $j$-th bit of $\mathbf{m}$ and $\mathcal{M} \subseteq \{1, \ldots, n_m\}$ be the set of indices such that $\mathbf{m}[j] = 1$.
2) Check whether the equation $e(\sigma_3, g) = pk \cdot e\big(u' \prod_{i \in \mathcal{U}} u_i, \sigma_1\big) \cdot e\big(m' \prod_{j \in \mathcal{M}} m_j, \sigma_2\big)$ holds. If the equation holds, it outputs 1, otherwise 0.
V. ANALYSIS OF THE PROPOSED SCHEME
In this section, we will give an analysis for the certificateless signature scheme including the correctness and the proof of security.
A. Correctness
The correctness can be easily verified by the following equalities:
$e(\sigma_3, g) = e\Big(sk^{(1)} \big(u' \prod_{i \in \mathcal{U}} u_i\big)^{r'} \big(m' \prod_{j \in \mathcal{M}} m_j\big)^{r''},\ g\Big)$
$= e\Big(g_2^{\alpha x} \big(u' \prod_{i \in \mathcal{U}} u_i\big)^{t} \big(u' \prod_{i \in \mathcal{U}} u_i\big)^{r'} \big(m' \prod_{j \in \mathcal{M}} m_j\big)^{r''},\ g\Big)$
$= e(g_2^{\alpha x}, g) \cdot e\Big(\big(u' \prod_{i \in \mathcal{U}} u_i\big)^{t + r'},\ g\Big) \cdot e\Big(\big(m' \prod_{j \in \mathcal{M}} m_j\big)^{r''},\ g\Big)$
$= e(g_2, g^{\alpha})^{x} \cdot e\Big(u' \prod_{i \in \mathcal{U}} u_i,\ g^{t + r'}\Big) \cdot e\Big(m' \prod_{j \in \mathcal{M}} m_j,\ g^{r''}\Big)$
$= e(g_1, g_2)^{x} \cdot e\Big(u' \prod_{i \in \mathcal{U}} u_i,\ \sigma_1\Big) \cdot e\Big(m' \prod_{j \in \mathcal{M}} m_j,\ \sigma_2\Big)$
$= pk \cdot e\Big(u' \prod_{i \in \mathcal{U}} u_i,\ \sigma_1\Big) \cdot e\Big(m' \prod_{j \in \mathcal{M}} m_j,\ \sigma_2\Big)$.
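The following toy model is an added illustration, not code from the paper: it checks the algebra of Partial Private Key Extract, Private Key Extract, CL-Sign and CL-Verify above, and the strong-unforgeability point from the introduction. Every group element is represented by its discrete logarithm modulo a prime $q$ (so $g = 1$, products of elements become sums of logarithms, and the pairing $e(g^a, g^b) = e(g,g)^{ab}$ becomes the product $ab$); discrete logarithms are therefore free and the model has no security value. The prime $q = 2^{127}-1$, the bit lengths $n_u = n_m = 64$, the SHA-256 based $H_u$ and $H_m$, the identity string and the messages are all constructed for this demonstration. It verifies an honest signature, rejects the same signature presented on another message, and rejects the re-randomisation $(\sigma_1 g^s, \sigma_2, \sigma_3 (u' \prod_{i \in \mathcal{U}} u_i)^s)$ that plain Waters signatures admit, because $H_m$ binds $\sigma_1$ and $\sigma_2$ into $\mathbf{m}$.

```python
import hashlib
import random

# Toy parameters (constructed for this demonstration, not from the paper).
Q = 2**127 - 1          # group order; a Mersenne prime
N_U = 64                # n_u, output length of H_u in bits
N_M = 64                # n_m, output length of H_m in bits
rng = random.Random(7)  # fixed seed so the checks are reproducible


def hash_bits(tag, n, *parts):
    """H_u / H_m: collision-resistant hash to an n-bit list, built from SHA-256."""
    data = tag.encode() + b"|" + b"|".join(str(p).encode() for p in parts)
    digest = hashlib.sha256(data).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(n)]


def waters(prefix, vec, bits):
    """log of u' * prod_{i in U} u_i (or m' * prod_{j in M} m_j): a subset sum of logs."""
    return (prefix + sum(v for v, b in zip(vec, bits) if b)) % Q


def setup():
    """KGC Setup: alpha, g_2, u', u_i, m', m_j are random; the master key is g_2^alpha."""
    alpha, g2 = rng.randrange(1, Q), rng.randrange(1, Q)
    params = {"g1": alpha, "g2": g2,                       # g_1 = g^alpha has log alpha
              "u": rng.randrange(Q), "U": [rng.randrange(Q) for _ in range(N_U)],
              "m": rng.randrange(Q), "M": [rng.randrange(Q) for _ in range(N_M)]}
    msk = alpha * g2 % Q                                   # log of g_2^alpha
    return params, msk


def w_id(params, ident):
    """log of u' * prod_{i in U} u_i for u = H_u(ID)."""
    return waters(params["u"], params["U"], hash_bits("u", N_U, ident))


def partial_private_key(params, msk, ident):
    """Partial-Private-Key-Extract: (g_2^alpha (u' prod u_i)^{r_u}, g^{r_u})."""
    ru = rng.randrange(1, Q)
    return ((msk + ru * w_id(params, ident)) % Q, ru)


def user_key(params):
    """User-Key-Generate: secret x and pk = e(g_1, g_2)^x, i.e. log alpha*g2*x."""
    x = rng.randrange(1, Q)
    return x, params["g1"] * params["g2"] % Q * x % Q


def private_key(params, psk, x, ident):
    """Private Key Extract: ((psk1)^x W^r, (psk2)^x g^r) = (g_2^{alpha x} W^t, g^t)."""
    r = rng.randrange(1, Q)
    return ((x * psk[0] + r * w_id(params, ident)) % Q, (x * psk[1] + r) % Q)


def sign(params, sk, pk, ident, msg):
    """CL-Sign with fresh r', r''; the hash binds sigma_1 and sigma_2."""
    r1, r2 = rng.randrange(1, Q), rng.randrange(1, Q)
    w = w_id(params, ident)
    s1 = (sk[1] + r1) % Q                                  # sigma_1 = sk2 * g^{r'}
    s2 = r2                                                # sigma_2 = g^{r''}
    mbits = hash_bits("m", N_M, msg, s1, s2, w, pk)        # m = H_m(M, s1, s2, u' prod u_i, pk)
    s3 = (sk[0] + r1 * w + r2 * waters(params["m"], params["M"], mbits)) % Q
    return (s1, s2, s3)


def verify(params, pk, ident, msg, sig):
    """CL-Verify: e(sigma_3, g) == pk * e(u' prod u_i, sigma_1) * e(m' prod m_j, sigma_2)."""
    s1, s2, s3 = sig
    w = w_id(params, ident)
    wm = waters(params["m"], params["M"], hash_bits("m", N_M, msg, s1, s2, w, pk))
    return s3 == (pk + w * s1 + wm * s2) % Q


def rerandomise(params, ident, sig, s):
    """(sigma_1 g^s, sigma_2, sigma_3 (u' prod u_i)^s): a second valid signature for
    plain Waters, which is exactly what strong unforgeability must rule out."""
    return ((sig[0] + s) % Q, sig[1], (sig[2] + s * w_id(params, ident)) % Q)


def demo():
    params, msk = setup()
    ident, msg = "alice@example.test", "transfer 10"      # constructed sample inputs
    psk = partial_private_key(params, msk, ident)
    x, pk = user_key(params)
    sk = private_key(params, psk, x, ident)
    sig = sign(params, sk, pk, ident, msg)
    return {"valid": verify(params, pk, ident, msg, sig),
            "other_message": verify(params, pk, ident, "transfer 99", sig),
            "rerandomised": verify(params, pk, ident, msg, rerandomise(params, ident, sig, 12345))}


if __name__ == "__main__":
    print(demo())  # {'valid': True, 'other_message': False, 'rerandomised': False}
```

The re-randomised triple would pass the verification equation if $\mathbf{m}$ were computed from the message alone; here the changed $\sigma_1$ changes $\mathbf{m}$, hence $m' \prod_{j \in \mathcal{M}} m_j$, while $\sigma_3$ still carries the old exponent, so the check fails.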
B. Security Proof
Theorem 1. The certificateless signature scheme is strongly existentially unforgeable in the standard model under the CDH assumption.
This theorem follows Lemma 1 and Lemma 2.
Lemma 1. The certificateless signature scheme is $(t, \epsilon, q_{pk}, q_{pp}, q_{sv}, q_{pr}, q_s)$-secure in Game 1, assuming that the $(t', \epsilon')$-CDH assumption holds in $G_1$, where
$\epsilon' = \dfrac{\epsilon}{16 (q_{pk} + q_{pp} + q_s)\, q_s (n_u + 1)(n_m + 1)}$ and $t' = t + O\big((q_{pk} + q_{pp} + q_s) t_e + (q_{pp} n_u + q_s n_m) t_m\big)$.
Proof. In a Class I attack, assume there exists an adversary $\mathcal{A}_I$ who can $(t, \epsilon, q_{pk}, q_{pp}, q_{sv}, q_{pr}, q_s)$-break our proposed scheme. We will construct an algorithm $\mathcal{F}$ that makes use of $\mathcal{A}_I$ to solve the CDH problem with probability at least $\epsilon'$ and in time at most $t'$. $\mathcal{F}$ takes as input a random CDH challenge $(g, g^a, g^b)$ in $G_1$ and outputs $g^{ab}$. In order to use $\mathcal{A}_I$ to solve the problem, $\mathcal{F}$ will simulate the challenger $\mathcal{C}$ and all queries for $\mathcal{A}_I$. To avoid collisions and consistently respond to these queries, $\mathcal{F}$ maintains a list $L = \{ID, psk_{ID}, x_{ID}, pk_{ID}\}$ which is initially empty. $\mathcal{F}$ answers the queries of $\mathcal{A}_I$ as follows:
Setup: Let $l_u = 2(q_{pk} + q_{pp} + q_s)$ and $l_m = 2 q_s$. $\mathcal{F}$ randomly chooses the following elements:
1) Two integers $0 \le k_u \le n_u$ and $0 \le k_m \le n_m$ (with $l_u (n_u + 1) < q$ and $l_m (n_m + 1) < q$).
2) An integer $x' \in Z_{l_u}$ and an $n_u$-dimensional vector $(x_1, \ldots, x_{n_u}) \in Z_{l_u}^{n_u}$.
3) An integer $z' \in Z_{l_m}$ and an $n_m$-dimensional vector $(z_1, \ldots, z_{n_m}) \in Z_{l_m}^{n_m}$.
4) An integer $y' \in Z_q$ and an $n_u$-dimensional vector $(y_1, \ldots, y_{n_u}) \in Z_q^{n_u}$.
5) An integer $w' \in Z_q$ and an $n_m$-dimensional vector $(w_1, \ldots, w_{n_m}) \in Z_q^{n_m}$.
(The names $z', z_k, w', w_k$ of the $m$-side integers were lost in extraction and are assigned here.)
To make the notation easy to follow, we define the following functions:
$F(u) = x' + \sum_{i \in \mathcal{U}} x_i - l_u k_u$, $\quad J(u) = y' + \sum_{i \in \mathcal{U}} y_i$, $\quad I(\mathbf{m}) = z' + \sum_{k \in \mathcal{M}} z_k - l_m k_m$, $\quad H(\mathbf{m}) = w' + \sum_{k \in \mathcal{M}} w_k$.
$\mathcal{F}$ sets the system parameters as follows:
1) $g_1 = g^a$ and $g_2 = g^b$.
2) $u' = g_2^{-l_u k_u + x'} g^{y'}$ and $u_i = g_2^{x_i} g^{y_i}$ $(1 \le i \le n_u)$, which means that, for any $u$, we have $u' \prod_{i \in \mathcal{U}} u_i = g_2^{F(u)} g^{J(u)}$.
3) $m' = g_2^{-l_m k_m + z'} g^{w'}$ and $m_j = g_2^{z_j} g^{w_j}$ $(1 \le j \le n_m)$, which means that, for any $\mathbf{m}$, we have $m' \prod_{j \in \mathcal{M}} m_j = g_2^{I(\mathbf{m})} g^{H(\mathbf{m})}$.
Finally, $\mathcal{F}$ returns $(g, g_1, g_2, u', u_1, \ldots, u_{n_u}, m', m_1, \ldots, m_{n_m})$ to $\mathcal{A}_I$.
Public Key Request Queries: Upon receiving a query for the public key of an identity $ID$, if the list $L$ contains the corresponding entry, $\mathcal{F}$ returns $pk_{ID}$. Otherwise, $\mathcal{F}$ picks a random $x_{ID}$ and computes $pk_{ID} = e(g_1, g_2)^{x_{ID}}$. Then $\mathcal{F}$ stores $(x_{ID}, pk_{ID})$ in the list $L$ and returns the public key $pk_{ID}$ to $\mathcal{A}_I$.
Partial-Private-Key-Extract Queries: Upon receiving a query for the partial private key of an identity $ID$, if the list $L$ contains the corresponding entry, $\mathcal{F}$ returns $psk_{ID}$. Otherwise, $\mathcal{F}$ computes $u_{ID} = H_u(ID)$ and generates the partial private key of $ID$ as follows:
(1) If $F(u_{ID}) \ne 0 \bmod l_u$, $\mathcal{F}$ randomly picks $r_{ID} \in Z_q$ and defines $r'_{ID} = r_{ID} - a / F(u_{ID})$. $\mathcal{F}$ computes
$psk_{ID} = (psk^{(1)}_{ID}, psk^{(2)}_{ID}) = \Big( g_1^{-J(u_{ID})/F(u_{ID})} \big(g_2^{F(u_{ID})} g^{J(u_{ID})}\big)^{r_{ID}},\ g_1^{-1/F(u_{ID})} g^{r_{ID}} \Big) = \Big( g_2^{a} \big(u' \prod_{i \in \mathcal{U}} u_i\big)^{r'_{ID}},\ g^{r'_{ID}} \Big)$.
(2) If $F(u_{ID}) = 0 \bmod l_u$, $\mathcal{F}$ aborts and reports failure.
Finally, $\mathcal{F}$ stores the partial private key in the list $L$ and returns $psk_{ID}$ to $\mathcal{A}_I$.
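The parameter programming that $\mathcal{F}$ performs in the Setup and Partial-Private-Key-Extract steps above can be exercised in a small group. The following Python is an added illustration, not the paper's code: it uses the order-$q$ subgroup of $Z_p^*$ with $p = 2039$, $q = 1019$, $g = 4$, sets $n_u = 8$ and $l_u = 8$ (so $l_u (n_u + 1) < q$ holds), derives $H_u$ from SHA-256, and keeps the challenge exponent $a$ only so that a separate checker can confirm that the simulated keys are correctly formed; the simulator functions never read $a$. It checks the identity $u' \prod_{i \in \mathcal{U}} u_i = g_2^{F(u)} g^{J(u)}$ for all $2^{n_u}$ values of $u$, produces a partial private key without knowing $a$ whenever $F(u_{ID}) \ne 0 \bmod l_u$, and returns None (the abort case) otherwise. The identity strings are constructed.

```python
import hashlib
import random

# Small Schnorr group and simulator sizes, constructed for this demonstration.
P, Q, G = 2039, 1019, 4     # P = 2Q + 1; G = 2^2 generates the order-Q subgroup of Z_P^*
N_U = 8                     # n_u, output length of H_u in bits
L_U = 8                     # l_u = 2(q_pk + q_pp + q_s) for a tiny query budget; L_U*(N_U+1) < Q
rng = random.Random(1)


def h_u(ident):
    """H_u: identity string -> list of n_u bits, derived from SHA-256."""
    digest = hashlib.sha256(ident.encode()).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(N_U)]


def simulated_setup():
    """F's Setup from the proof of Lemma 1.  Returns the public parameters, the
    trapdoor integers (x', x_i, y', y_i, k_u) that only F knows, and the challenge
    exponent a, which is returned only so that the checker below can verify keys."""
    a, b = rng.randrange(1, Q), rng.randrange(1, Q)
    g1, g2 = pow(G, a, P), pow(G, b, P)                     # g_1 = g^a, g_2 = g^b
    trap = {"ku": rng.randrange(N_U + 1),
            "xp": rng.randrange(L_U), "xs": [rng.randrange(L_U) for _ in range(N_U)],
            "yp": rng.randrange(Q), "ys": [rng.randrange(Q) for _ in range(N_U)]}
    u_prime = pow(g2, (trap["xp"] - L_U * trap["ku"]) % Q, P) * pow(G, trap["yp"], P) % P
    us = [pow(g2, x, P) * pow(G, y, P) % P for x, y in zip(trap["xs"], trap["ys"])]
    return {"g1": g1, "g2": g2, "u_prime": u_prime, "us": us}, trap, a


def F(trap, u):
    """F(u) = x' + sum_{i in U} x_i - l_u k_u, as an integer (|F(u)| < Q)."""
    return trap["xp"] + sum(x for x, bit in zip(trap["xs"], u) if bit) - L_U * trap["ku"]


def J(trap, u):
    """J(u) = y' + sum_{i in U} y_i."""
    return trap["yp"] + sum(y for y, bit in zip(trap["ys"], u) if bit)


def W(params, u):
    """u' * prod_{i in U} u_i, computed from the public parameters only."""
    val = params["u_prime"]
    for ui, bit in zip(params["us"], u):
        if bit:
            val = val * ui % P
    return val


def identity_holds(params, trap, u):
    """The programmed parameters satisfy u' prod u_i == g_2^{F(u)} g^{J(u)}."""
    return W(params, u) == pow(params["g2"], F(trap, u) % Q, P) * pow(G, J(trap, u) % Q, P) % P


def simulated_partial_key(params, trap, ident):
    """Partial-Private-Key-Extract as F answers it; None means F must abort."""
    u = h_u(ident)
    f = F(trap, u)
    if f % L_U == 0:
        return None
    inv = pow(f % Q, -1, Q)                                 # f != 0 and |f| < Q, so invertible
    r = rng.randrange(1, Q)
    psk2 = pow(params["g1"], (-inv) % Q, P) * pow(G, r, P) % P                          # g_1^{-1/F} g^r
    psk1 = pow(params["g1"], (-J(trap, u) * inv) % Q, P) * pow(W(params, u), r, P) % P  # g_1^{-J/F} W^r
    return psk1, psk2


def is_valid_partial_key(params, a, ident, psk):
    """Checker's view (knows a): psk must equal (g_2^a W^{r'}, g^{r'}) for the r'
    hidden in psk2 = g^{r'}.  Brute-force discrete log is fine at Q = 1019."""
    psk1, psk2 = psk
    w = W(params, h_u(ident))
    for r_prime in range(Q):
        if pow(G, r_prime, P) == psk2:
            return psk1 == pow(params["g2"], a, P) * pow(w, r_prime, P) % P
    return False


def find_identity(trap, abort):
    """A constructed identity string with F(H_u(ID)) = 0 mod l_u (abort=True)
    or != 0 mod l_u (abort=False)."""
    for i in range(10000):
        ident = f"user{i}@example.test"
        if (F(trap, h_u(ident)) % L_U == 0) == abort:
            return ident
    return None


def run_checks():
    """One simulation: the identity for every u, a valid simulated key, and the abort case."""
    params, trap, a = simulated_setup()
    all_u = ([(n >> i) & 1 for i in range(N_U)] for n in range(2 ** N_U))
    good, bad = find_identity(trap, False), find_identity(trap, True)
    psk = simulated_partial_key(params, trap, good)
    return {"identity_for_all_u": all(identity_holds(params, trap, u) for u in all_u),
            "simulated_key_valid": psk is not None and is_valid_partial_key(params, a, good, psk),
            "abort_when_F_zero": bad is not None and simulated_partial_key(params, trap, bad) is None}


if __name__ == "__main__":
    print(run_checks())
```

Because $|F(u)| < l_u (n_u + 1) < q$, the integer $F(u)$ is non-zero whenever it is non-zero modulo $l_u$, which is why the simulator can always invert it modulo $q$ in the non-abort branch; the abort branch is exactly the set of identities the later probability analysis charges for.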
Secret-Value-Extract Queries: Upon receiving a query for the secret value of an identity $ID$, if the list $L$ contains the corresponding entry, $\mathcal{F}$ returns $x_{ID}$. Otherwise, $\mathcal{F}$ makes a Public Key Request Query on $ID$ and returns the corresponding $x_{ID}$ to $\mathcal{A}_I$.
Public Key Replace Queries: When $\mathcal{A}_I$ requests to replace the current public key $pk_{ID}$ of an identity $ID$ with a new and valid public key $pk'_{ID}$ chosen by him, if the list $L$ contains $pk_{ID}$, $\mathcal{F}$ replaces it with the new public key $pk'_{ID}$. Otherwise, $\mathcal{F}$ directly sets $pk_{ID} = pk'_{ID}$ and stores the corresponding entry in the list $L$.
Sign Queries: When $\mathcal{A}_I$ issues a sign query on the message $M$ under the identity $ID$, if $L$ contains the corresponding entry $\{ID, psk_{ID}, x_{ID}, pk_{ID}\}$, $\mathcal{F}$ runs the Private Key Extract algorithm and the CL-Sign algorithm to generate $\sigma$. Otherwise, $\mathcal{F}$ computes $u = H_u(ID)$ and does as follows:
1) If $F(u) \ne 0 \bmod l_u$, $\mathcal{F}$ first makes a Partial-Private-Key-Extract Query on $ID$ and a Public Key Request Query on $ID$ to obtain $psk_{ID}$ and $(x_{ID}, pk_{ID})$, respectively. Then $\mathcal{F}$ runs the Private Key Extract algorithm and the CL-Sign algorithm to generate $\sigma$.
2) If $F(u) = 0 \bmod l_u$ and $I(\mathbf{m}) \ne 0 \bmod l_m$, $\mathcal{F}$ makes a Public Key Request Query on $ID$ to obtain $(x_{ID}, pk_{ID})$. $\mathcal{F}$ randomly picks $r_{ID}, r', r'' \in Z_q$ and computes
$\sigma_1 = g^{x_{ID} r_{ID}} g^{r'}$, $\quad \sigma_2 = g_1^{-x_{ID}/I(\mathbf{m})} g^{r''}$, $\quad \mathbf{m} = H_m(M, \sigma_1, \sigma_2, u' \prod_{i \in \mathcal{U}} u_i, pk_{ID})$,
$\sigma_3 = g_1^{-x_{ID} H(\mathbf{m})/I(\mathbf{m})} \big(u' \prod_{i \in \mathcal{U}} u_i\big)^{x_{ID} r_{ID} + r'} \big(m' \prod_{j \in \mathcal{M}} m_j\big)^{r''}$.
Finally, $\mathcal{F}$ returns $\sigma = (\sigma_1, \sigma_2, \sigma_3)$ to $\mathcal{A}_I$.
Forgery. The adversary $\mathcal{A}_I$ outputs a forged signature $\sigma^* = (\sigma^*_1, \sigma^*_2, \sigma^*_3)$ on the message $M^*$ under $ID^*$. $\mathcal{F}$ computes $u_{ID^*} = H_u(ID^*)$ and $\mathbf{m}^* = H_m(M^*, \sigma^*_1, \sigma^*_2, u' \prod_{i \in \mathcal{U}} u_i, pk_{ID^*})$. If $F(u_{ID^*}) \ne 0 \bmod q$ or $I(\mathbf{m}^*) \ne 0 \bmod q$, $\mathcal{F}$ aborts. Otherwise, when $F(u_{ID^*}) = 0 \bmod q$ and $I(\mathbf{m}^*) = 0 \bmod q$, $\mathcal{F}$ computes
$\dfrac{\sigma^*_3}{(\sigma^*_1)^{J(u_{ID^*})} (\sigma^*_2)^{H(\mathbf{m}^*)}} = g^{ab x_{ID^*}}$.
Since $\mathcal{F}$ can retrieve the secret value $x_{ID^*}$ from $pk_{ID^*} = e(g_1, g_2)^{x_{ID^*}}$, it thus outputs $g^{ab}$ as the solution to the CDH problem instance.
This completes the description of the simulation. It remains to analyze the probability of $\mathcal{F}$ not aborting. $\mathcal{F}$ will not abort if all of the following cases happen:
A: $F(u_{ID}) \ne 0 \bmod l_u$ during the Partial-Private-Key-Extract queries.
B: $F(u_{ID}) \ne 0 \bmod l_u$ or $I(\mathbf{m}) \ne 0 \bmod l_m$ during the Sign queries.
C: $F(u_{ID^*}) = 0 \bmod q$ and $I(\mathbf{m}^*) = 0 \bmod q$ during the forgery phase.
Let $u_1, \ldots, u_{q_1}$ be the identities appearing in Public Key Request queries, Partial Private Key Extract queries or Sign queries that do not involve the identity of the forgery phase. Clearly, we have $q_1 \le q_{pk} + q_{pp} + q_s$. Define the following events:
$A_i$: $F(u_i) \ne 0 \bmod l_u$, where $i = 1, \ldots, q_1$.
$B_i$: $I(\mathbf{m}_i) \ne 0 \bmod l_m$, where $i = 1, \ldots, q_s$.
$C^*$: $F(u_{ID^*}) = 0 \bmod q$.
$D^*$: $I(\mathbf{m}^*) = 0 \bmod q$.
The success probability of $\mathcal{F}$ is $\Pr[\neg abort] \ge \Pr\big[\bigwedge_{i=1}^{q_1} A_i \wedge \bigwedge_{i=1}^{q_s} B_i \wedge C^* \wedge D^*\big]$. Since the functions $F(\cdot)$ and $I(\cdot)$ are selected independently, the events $\big(\bigwedge_{i=1}^{q_1} A_i \wedge C^*\big)$ and $\big(\bigwedge_{i=1}^{q_s} B_i \wedge D^*\big)$ are independent.
According to $l_u (n_u + 1) < q$, it is easy to see that $F(u) = 0 \bmod q$ implies $F(u) = 0 \bmod l_u$. Furthermore, this implies that if $F(u) = 0 \bmod l_u$, there will be a unique $k_u$ with $0 \le k_u \le n_u$ such that $F(u) = 0 \bmod q$. By the randomness of $x', x_1, \ldots, x_{n_u}, k_u$, we have
$\Pr[C^*] = \Pr[F(u_{ID^*}) = 0 \bmod q] = \Pr[F(u_{ID^*}) = 0 \bmod l_u] \cdot \Pr[F(u_{ID^*}) = 0 \bmod q \mid F(u_{ID^*}) = 0 \bmod l_u] = \dfrac{1}{l_u} \cdot \dfrac{1}{n_u + 1}$.
On the other hand, for any $i$, the events $A_i$ and $C^*$ are independent, so we have
$\Pr\big[\bigwedge_{i=1}^{q_1} A_i \wedge C^*\big] = \Pr[C^*] \Pr\big[\bigwedge_{i=1}^{q_1} A_i \mid C^*\big] = \Pr[C^*]\Big(1 - \Pr\big[\bigvee_{i=1}^{q_1} \neg A_i \mid C^*\big]\Big) \ge \Pr[C^*]\Big(1 - \sum_{i=1}^{q_1} \Pr[\neg A_i \mid C^*]\Big) = \dfrac{1}{l_u (n_u + 1)}\Big(1 - \dfrac{q_1}{l_u}\Big) \ge \dfrac{1}{l_u (n_u + 1)}\Big(1 - \dfrac{q_{pk} + q_{pp} + q_s}{l_u}\Big)$.
Similarly, we have
$\Pr\big[\bigwedge_{i=1}^{q_s} B_i \wedge D^*\big] = \Pr[D^*] \Pr\big[\bigwedge_{i=1}^{q_s} B_i \mid D^*\big] \ge \dfrac{1}{l_m (n_m + 1)}\Big(1 - \dfrac{q_s}{l_m}\Big)$.
Let $l_u = 2(q_{pk} + q_{pp} + q_s)$ and $l_m = 2 q_s$; then we have
$\Pr[\neg abort] \ge \Pr\big[\bigwedge_{i=1}^{q_1} A_i \wedge \bigwedge_{i=1}^{q_s} B_i \wedge C^* \wedge D^*\big] \ge \dfrac{1}{l_u (n_u + 1)}\Big(1 - \dfrac{q_{pk} + q_{pp} + q_s}{l_u}\Big) \cdot \dfrac{1}{l_m (n_m + 1)}\Big(1 - \dfrac{q_s}{l_m}\Big) = \dfrac{1}{16 (q_{pk} + q_{pp} + q_s)\, q_s (n_u + 1)(n_m + 1)}$.
If the simulation does not abort, the success probability of $\mathcal{A}_I$ is at least $\epsilon$. Thus $\mathcal{F}$ can solve the CDH problem instance with probability at least $\dfrac{\epsilon}{16 (q_{pk} + q_{pp} + q_s)\, q_s (n_u + 1)(n_m + 1)}$.
Algorithm $\mathcal{F}$'s running time is the same as $\mathcal{A}_I$'s running time plus the time it takes to respond to $q_{pk}$ Public Key Request queries, $q_{pp}$ Partial-Private-Key-Extract queries, $q_{sv}$ Secret-Value-Extract queries, $q_{pr}$ Public Key Replace queries and $q_s$ Sign queries. Each Public Key Request query needs $O(1)$ exponentiations. Each Partial-Private-Key-Extract query needs $O(1)$ exponentiations and $O(1)$ multiplications. $\mathcal{F}$ performs $O(1)$ exponentiations and $O(n_u + n_m)$ multiplications to answer a Sign query. If we assume each exponentiation takes time $t_e$ and each multiplication takes time $t_m$, the total running time is at most $t' = t + O\big((q_{pk} + q_{pp} + q_s) t_e + (q_{pp} n_u + q_s n_m) t_m\big)$. Thus, the lemma follows. □
Lemma 2. The certificateless signature scheme is $(t, \epsilon, q_{pk}, q_s)$-secure in Game 2, assuming that the $(t', \epsilon')$-CDH assumption holds in $G_1$, where
$\epsilon' = \dfrac{\epsilon}{4 (q_{pk} + q_s)\, q_s (n_u + 1)(n_m + 1)}$ and $t' = t + O\big((q_{pk} + q_s) t_e + (q_s n_u + q_s n_m) t_m\big)$.
Proof. In a Class II attack, assume there exists an adversary $\mathcal{A}_{II}$ who can $(t, \epsilon, q_{pk}, q_s)$-break our proposed scheme. We will construct an algorithm $\mathcal{F}$ that makes use of $\mathcal{A}_{II}$ to solve the CDH problem with probability at least $\epsilon'$ and in time at most $t'$. $\mathcal{F}$ takes as input a random CDH challenge $(g, g^a, g^b)$ in $G_1$ and outputs $g^{ab}$. In order to use $\mathcal{A}_{II}$ to solve the problem, $\mathcal{F}$ will simulate the challenger $\mathcal{C}$ and all queries for $\mathcal{A}_{II}$. To avoid collisions and consistently respond to these queries, $\mathcal{F}$ maintains a list $L = \{ID, psk_{ID}, x_{ID}, pk_{ID}\}$ which is initially empty. Then $\mathcal{F}$ replies to the queries of $\mathcal{A}_{II}$ as follows:
Setup: The adversary $\mathcal{A}_{II}$ randomly chooses $\alpha \in Z_q$ as the master key and assigns $g_1 = g^{\alpha}$; the other public system parameters are identical to those of Lemma 1. Then $\mathcal{A}_{II}$ sends all system parameters and $\alpha$ to $\mathcal{F}$.
Public Key Request Queries: Upon receiving a query for the public key of an identity $ID$, if the list $L$ contains the corresponding entry, $\mathcal{F}$ returns $pk_{ID}$. Otherwise, $\mathcal{F}$ picks a random $x_{ID} \in Z_q$ and computes $pk_{ID} = e(g^b, g^a)^{\alpha x_{ID}}$ (the implicitly defined secret value is $a x_{ID}$). Then $\mathcal{F}$ stores $(x_{ID}, pk_{ID})$ in the list $L$ and returns the public key $pk_{ID}$ to $\mathcal{A}_{II}$.
Sign Queries: When $\mathcal{A}_{II}$ issues a sign query on the message $M$ under the identity $ID$, if $L$ contains the corresponding entry, $\mathcal{F}$ takes $x_{ID}$ from it; otherwise $\mathcal{F}$ makes a Public Key Request Query on $ID$ to obtain the corresponding $x_{ID}$. Then $\mathcal{F}$ computes $u_{ID} = H_u(ID)$ and does as follows:
1) If $F(u_{ID}) \ne 0 \bmod l_u$, $\mathcal{F}$ randomly picks $r', r'' \in Z_q$ and computes
$\sigma_1 = (g^a)^{-\alpha x_{ID}/F(u_{ID})} g^{r'}$, $\quad \sigma_2 = g^{r''}$, $\quad \sigma_3 = (g^a)^{-\alpha x_{ID} J(u_{ID})/F(u_{ID})} \big(u' \prod_{i \in \mathcal{U}} u_i\big)^{r'} \big(m' \prod_{j \in \mathcal{M}} m_j\big)^{r''}$.
2) If $F(u_{ID}) = 0 \bmod l_u$ and $I(\mathbf{m}) \ne 0 \bmod l_m$, $\mathcal{F}$ first randomly picks $r_{ID}, r', r'' \in Z_q$ and computes
$\sigma_1 = (g^a)^{r_{ID} x_{ID}} g^{r'}$, $\quad \sigma_2 = (g^a)^{-\alpha x_{ID}/I(\mathbf{m})} g^{r''}$,
$\sigma_3 = (g^a)^{-\alpha x_{ID} H(\mathbf{m})/I(\mathbf{m})} (g^a)^{J(u_{ID}) r_{ID} x_{ID}} \big(u' \prod_{i \in \mathcal{U}} u_i\big)^{r'} \big(m' \prod_{j \in \mathcal{M}} m_j\big)^{r''}$.
Forgery. The adversary $\mathcal{A}_{II}$ outputs a forged signature $\sigma^* = (\sigma^*_1, \sigma^*_2, \sigma^*_3)$ on the message $M^*$ under $ID^*$. $\mathcal{F}$ computes $u_{ID^*} = H_u(ID^*)$ and $\mathbf{m}^* = H_m(M^*, \sigma^*_1, \sigma^*_2, u' \prod_{i \in \mathcal{U}} u_i, pk_{ID^*})$. If $F(u_{ID^*}) \ne 0 \bmod q$ or $I(\mathbf{m}^*) \ne 0 \bmod q$, $\mathcal{F}$ aborts. Otherwise, when $F(u_{ID^*}) = 0 \bmod q$ and $I(\mathbf{m}^*) = 0 \bmod q$, $\mathcal{F}$ computes
$\dfrac{\sigma^*_3}{(\sigma^*_1)^{J(u_{ID^*})} (\sigma^*_2)^{H(\mathbf{m}^*)}} = g^{ab \alpha x_{ID^*}}$.
Since $\mathcal{F}$ knows $\alpha$ and can also retrieve the secret value $x_{ID^*}$ from $L$, it thus outputs $g^{ab}$ as the solution to the CDH problem instance. We omit the analysis of the success probability and the time complexity, which are similar to those of Lemma 1. Thus, the lemma follows.
VI. CONCLUSION
We have introduced the concept of strong unforgeability of digital signatures to certificateless signatures and defined the security model of this kind of cryptographic primitive. We also constructed a new certificateless signature scheme and showed that the scheme is strongly unforgeable without using the random oracle model.
VII. ACKNOWLEDGEMENTS
This paper is supported by the National Natural Science Foundation of China (NSFC 11101330, NSFC 61004122), the Education Office Foundation of Shaanxi Province (2010JK728) and the Natural Science Foundation of Shaanxi Province (2011JQ1007).
REFERENCES
[1] Shamir, A. 1984. Identity-based cryptosystem and signature scheme. Advances in Cryptology - Crypto 1984, LNCS 196, Berlin: Springer-Verlag, 1984, pp. 47-53.
[2] Al-Riyami, S., and Paterson, K. 2003. Certificateless public key cryptography. Advances in Cryptology - Asiacrypt 2003, LNCS 2894, Berlin: Springer-Verlag, 2003, pp. 452-473.
[3] Yum, D. H., and Lee, P. J. 2004. Generic construction of certificateless signature. In: ACISP 2004, LNCS 3108, Berlin: Springer-Verlag, 2004, pp. 200-211.
[4] Chen, X., Li, K., and Sun, L. 2005. Certificateless signature and proxy signature schemes from bilinear pairings. Lithuanian Mathematical Journal, 45 (1), 2005, pp. 76-83.
[5] Gorantla, M. C., and Saxena, A. 2005. An efficient certificateless signature scheme. In: CIS 2005, LNAI 3802, Berlin: Springer-Verlag, 2005, pp. 110-116.
[6] Huang, X., Susilo, W., Mu, Y., and Zhang, F. 2005. On the security of certificateless signature schemes from Asiacrypt 2003. In: CANS 2005, LNCS 3810, Berlin: Springer-Verlag, 2005, pp. 13-25.
[7] Zhang, Z., Wong, D., Xu, J., and Feng, D. 2006. Certificateless public-key signature: security model and efficient construction. In: ACNS 2006, LNCS 3989, Berlin: Springer-Verlag, 2006, pp. 293-308.
[8] Hu, B. C., Wong, D. S., Zhang, Z., and Deng, X. 2006. Key replacement attack against a generic construction of certificateless signature. In: ACISP 2006, LNCS 4058, Berlin: Springer-Verlag, 2006, pp. 235-246.
[9] Huang, X., Mu, Y., Susilo, W., Wong, D. S., and Wu, W. 2007. Certificateless signature revisited. In: ACISP 2007, LNCS 4586, Berlin: Springer-Verlag, 2007, pp. 308-322.
[10] Choi, K. Y., Park, J. H., Hwang, J. Y., and Lee, D. H. 2007. Efficient certificateless signature schemes. In: ACNS 2007, LNCS 4521, Berlin: Springer-Verlag, 2007, pp. 443-458.
[11] Liu, J., Au, M., and Susilo, W. 2007. Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model. In: ASIACCS 2007, ACM, 2007, pp. 273-283.
[12] Wang, L., Cao, Z., Li, X., and Qian, H. 2007. Simulatability and security of certificateless threshold signatures. Information Sciences, 177 (6), 2007, pp. 1382-1394.
[13] Long, Y., and Chen, K. 2007. Certificateless threshold cryptosystem secure against chosen-ciphertext attack. Information Sciences, 177 (24), 2007, pp. 5620-5637.
[14] Duan, S. 2008. Certificateless undeniable signature scheme. Information Sciences, 178 (3), 2008, pp. 742-755.
[15] Xiong, H., Qin, Z., and Li, F. 2008. An improved certificateless signature scheme secure in the standard model. Fundamenta Informaticae, 88, 2008, pp. 1-14.
[16] Zhang, L., and Zhang, F. 2008. A new provably secure certificateless signature scheme. In: IEEE International Conference on Communications, 2008, pp. 1685-1689.
[17] Du, H., and Wen, Q. 2009. Efficient and provably-secure certificateless short signature scheme from bilinear pairings. Computer Standards and Interfaces, 31 (2), 2009, pp. 390-394.
[18] Chang, S., Wong, D. S., Mu, Y., and Zhang, Z. F. 2009. Certificateless threshold ring signature. Information Sciences, 179, 2009, pp. 3685-3696.
[19] Shim, K. 2009. Breaking the short certificateless signature scheme. Information Sciences, 179, 2009, pp. 303-306.
[20] Liu, Z., Hu, Y., Zhang, X., and Ma, H. 2010. Certificateless signcryption scheme in the standard model. Information Sciences, 180, 2010, pp. 452-464.
[21] Yuan, H., Zhang, F., Huang, X., Mu, Y., Susilo, W., and Zhang, L. 2010. Certificateless threshold signature scheme from bilinear maps. Information Sciences, 180, 2010, pp. 4714-4728.
[22] Choi, K. Y., Park, J. H., and Lee, D. H. 2011. A new provably secure certificateless short signature scheme. Computers and Mathematics with Applications, 61, 2011, pp. 1760-1768.
[23] Weng, J., Yao, G., Deng, R., Chen, M., and Li, X. 2011. Cryptanalysis of a certificateless signcryption scheme in the standard model. Information Sciences, 181, 2011, pp. 661-667.
[24] Xiong, H., Li, F., and Qin, Z. 2010. Certificateless threshold signature secure in the standard model. Information Sciences, 2010, doi:10.1016/j.ins.2010.06.010.
[25] Goldwasser, S., Micali, S., and Rivest, R. 1988. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17 (2), 1988, pp. 281-308.
[26] An, J., Dodis, Y., and Rabin, T. 2002. On the security of joint signature and encryption. Advances in Cryptology - Eurocrypt 2002, LNCS 2332, Springer-Verlag, 2002, pp. 83-107.