127 PDF

Proceedings of The Fourth International Conference on Informatics & Applications, Takamatsu, Japan, 2015
Strongly Unforgeable Revocable Certificateless Signature

Yuh-Min Tseng*, Tung-Tso Tsai, Sen-Shan Huang and Ying-Hao Hung
Department of Mathematics, National Changhua University of Education,
Jin-De Campus, Changhua City 500, Taiwan
*
Corresponding authors E-mail: ymtseng@cc.ncue.edu.tw
ABSTRACT
Certificateless public-key systems (CL-PKS) were
introduced to simultaneously solve the key escrow
problem in ID-based public-key systems and
eliminate the need of certificates in traditional
public-key systems. Since certificates are not
required in CL-PKS settings, the existing user
revocation mechanisms for traditional public-key
systems are no longer suitable for certificateless
public-key systems. Indeed, the design of efficient
revocation mechanisms for CL-PKS settings is a
critical issue. In 2014, Sun et al. proposed the first
revocable certificateless signature (RCLS) scheme
possessing existential unforgeability by adopting
Tseng and Tsais revocation mechanism for IDbased public-key systems. However, Sun et al.s
RCLS scheme lacks computation efficiency for both
signing and verifying phases. In the article, we
propose an efficient RCLS scheme while retaining
the merits of Tseng and Tsais revocation
mechanism. Under the computational Diffie
Hellman assumption, we formally prove that our
scheme offers strong unforgeability against adaptive
chosen-message attacks in the random oracle model.
When compared with Sun et al.s RCLS scheme,
our scheme not only has better performance but also
achieves stronger security.
KEYWORDS
Revocation, Certificateless signature, Strong
unforgeability, Provable security, Bilinear pairing.
1 INTRODUCTION
The concept of identity (ID)-based public-key
systems was first introduced by Shamir [1] in
1984. Boneh and Franklin [2, 3] realized the
practical construction of ID-based public-key
ISBN: 978-1-941968-16-1 2015 SDIWC
system using bilinear pairings such as Weil,

Tate, Ate pairings and so on. The ID-based
public-key system is an attractive paradigm for
public-key cryptography, in which a users
identity information such as social security
number, e-mail address or IP address is viewed
as her/his public key for encryption or signature
verification. Hence, an ID-based public-key
system significantly reduces the system
complexity for establishing and managing
certificates of public keys and removes the
computation cost for pre-validating certificates
in traditional public-key systems. However, an
ID-based public-key system inherently suffers
from the key escrow problem in the sense that
the private key generator (PKG) can decrypt
ciphertexts or sign messages on behalf of any
user since it possesses each users private key.
Al-Riyami and Paterson [4] proposed a new
paradigm for public-key cryptography, termed
certificateless
public-key
system
that
simultaneously solves the key escrow problem
in ID-based public-key systems and eliminates
the need of certificates in traditional public-key
systems. In a certificateless public-key system,
the key generation center (KGC) and a user
cooperate to generate the users private key
which consists of two components, namely, a
partial private key and a secret value. The
partial private key remains issued by the KGC.
The secret value is randomly determined by the
user and the corresponding users public key
does not require a certificate to guarantee its
authenticity. Hence, the KGC has no access to
the users private key so that the key escrow
problem is resolved. Afterwards, the study of
certificateless public-key cryptography has
18
received significant attention from researchers

and a large number of literatures have been
presented such as certificateless public-key
encryption (CL-PKE) [5-9] and certificateless
signature (CLS) [10-17].
Although a certificateless public-key system is
a
good
construction
for
public-key
cryptography, it raises a critical problem, how
to revoke misbehaving/compromised users,
due to the lack of the usage of certificates. In
traditional public-key systems, the associated
certificate of a public key must be verified
before usage to ensure that it has not been
revoked or expired. Typically, a trusted
certificate authority (CA) maintains a certificate
revocation list (CRL) [18] containing the
revoked public keys which can be queried by
users. Obviously, the CRL solution does not
work for certificateless public-key systems and
ID-based public-key systems since both
systems eliminate the need of certificates.
In 2003, Al-Riyami and Paterson [4] suggested
that a CL-PKS construction might inherit the
revocation solution presented by Boneh and
Franklin [2, 3]. In their revocation solution,
users must periodically receive the current
partial private keys from the KGC. In such a
case, the KGC and non-revoked users need to
encrypt and decrypt these current partial private
keys for each period, respectively. As a result,
the revocation solution causes the KGC and
non-revoked users extra computation burden
for transmitting new partial private keys
periodically. Indeed, some previous work on
designing the revocation mechanisms for
certificateless public-key systems can be found
in [19-21], which employed an online
mediator called SEM (Security Mediator). The
online SEM is a specific semi-trusted third
party who holds shares of all users partial
private keys and helps users to decrypt
ciphertexts or sign messages. When a user is
revoked, the SEM is instructed to stop helping
the user. However, the online SEM could
ISBN: 978-1-941968-16-1 2015 SDIWC
become a bottleneck for performance and

communication.
In 2013, Tsai and Tseng [22] and Shen et al.
[23], independently, adopted Tseng and Tsais
revocation mechanism with a public channel
[24] for ID-based public-key systems to
propose a revocable certificateless public-key
encryption (RCL-PKE) scheme. In both
schemes, a users full private key consists of
three components, namely, an initial secret key,
a time update key and a secret value. In
addition, the secret value is chosen by the user
and the initial secret key remains unchanged
since being issued by the KGC, but the time
update key is renewed by the KGC periodically
via public channels (e.g., emails). To revoke a
user, the KGC simply stops issuing the new
time update key for the user.
Quite recently, Sun et al. [25] also adopted
Tseng and Tsais revocation mechanism [24] to
propose the first revocable certificateless
signature (RCLS) scheme. Sun et al.s scheme
possesses existential unforgeability against
adaptive chosen-message attacks, but lacks
computation efficiency for both signing and
verifying phases. In this article, we will propose
an efficient RCLS scheme with strong
unforgeability while retaining the merits of
Tseng and Tsais revocation mechanism. A
revocable certificateless signature scheme is
said to be strongly unforgeable if it possesses
existential unforgeability and an adversary who
is given signatures on a message is unable to
generate a new signature on the message. We
first present the security notions for strongly
unforgeable RCLS schemes that include three
types of adversaries, namely, an outsider, the
KGC and a revoked user. An outsider is not a
member of the system, but it can obtain the
time update keys of arbitrary identities from
public channels. The KGC certainly possesses
the system secret key so that it knows the initial
secret keys and time update keys of arbitrary
identities. A revoked user used to be a member
who had been previously revoked by the KGC,
19
but still possesses the corresponding initial

secret key. For security analysis, we prove that
under the computational DiffieHellman
assumption, the proposed RCLS scheme offers
strong unforgeability against adaptive chosenmessage attacks for three types of adversaries
in the random oracle model. Performance
comparisons are made to demonstrate that our
scheme has better performance than Sun et al.s
scheme [25] in terms of computation costs of
both signing and verifying phases.
The modified Weil, Tate and Ate pairings

defined on an elliptic curve over a finite field
are concrete examples of the admissible bilinear
map . We refer the reader to [3, 26] for more
comprehensive descriptions of such pairings.
The rest of the paper is organized as follows.

Preliminaries are given in Section 2. We
formally present the framework and security
notions for RCLS schemes in Section 3. A
concrete RCLS scheme is proposed in Section 4.
We analyze the security of the proposed RCLS
scheme in Section 5. In Section 6, we present
performance analysis and comparisons. In
Section 7, conclusions and future work are
given.
2 PRELIMINARIES
In the section, we briefly review the concept of
bilinear pairings and a related security
assumption on which our scheme is based.
2.1 Bilinear Pairings
Let G1 and G2 be additive and multiplicative
cyclic groups of large prime order q,
respectively. Typically, G1 is a subgroup of a
group of points on an elliptic curve over a finite
field. We call : G1G1 G2 an admissible
bilinear map if it satisfies the following
properties:
(1) Bilinearity: (aP, bQ)= (P, Q)ab for all P,
QG1 and a, bZq*.
(2) Non-degeneracy: There exists PG1 such
that (P, P)1.
(3) Computability: There exists an efficient
algorithm to compute (P, Q) for all P,
QG1.
ISBN: 978-1-941968-16-1 2015 SDIWC
2.2 Security Assumption

Here, we present a hard mathematical problem
and define its corresponding assumption. Let
G1 be defined as above.
Computational Diffie-Hellman (CDH)
problem: Given P, aP, bPG1 with
uniformly random choices of a, bZq*, the
CDH problem is to compute abP.
Definition 1. The CDH assumption is defined

as follows. Given P, aP, bP G1 with
uniformly random choices of a, bZq*, there
exists no probabilistic polynomial-time
adversary (PPT) A with non-negligible
probability who can compute abP. The
successful probability (advantage) of the
adversary A is presented as
AdvA = Pr[A(P, aP, bP) = abP | PG1, a, b
Zq*],
where the probability is measured over the
random choices of a, b Zq* consumed by A.
3 FRAMEWORK AND ADVERSARIAL
MODELS OF RCLS
3.1 Framework
Here, we present the framework of revocable
certificateless signature (RCLS) schemes. A
RCLS scheme consists of three types of entities,
namely, the KGC, a signer (user), and a verifier
(user). In 2014, Sun et al. [25] defined the
framework of RCLS schemes by adding a
Time-Key-Update algorithm in the framework
of the certificateless signature (CLS) schemes
in [12, 13]. A revocable certificateless signature
scheme consists of eight polynomial-time
algorithms.
20
- Setup: This algorithm, run by the KGC, takes

a security parameter l and the total number z
of all periods as input, and then returns a
master secret key s and a list of public
parameters Params. We assume that Params
is made public and available for all the other
algorithms.
- Initial-Key-Extract: This algorithm, run by
the KGC, takes the master secret key s and a
users identity ID as input, and then
generates the users initial key DID. It returns
DID to the user via a secure channel.
- Time-Key-Update: This algorithm, run by the
KGC, takes as input the master secret key s, a
users identity ID and a period t, and then
returns the time update key TID,t to the user
via a public channel (e.g. e-mail).
- Set-Secret-Value: This algorithm, run by a
user with identity ID, selects a random value
xID in Zq* which is set as the secret value of
ID and outputs the users secret value xID to
the user.
- Set-Private-Key: This algorithm, run by a
user, takes DID, TID,t and xID as input, and
then returns the private key KID,t. Note that
the algorithm is implicitly performed after
running
Initial-Key-Extract,
Time-KeyUpdate and Set-Secret-Value algorithms.
- Set-Public-Key: This algorithm, run by a user,
takes an entity IDs secret value xID as input
and returns the corresponding public key PID.
The KGC also records the public key PID.
- Sign: This algorithm, run by a signer (user),
takes as input a period t, an identity ID, the
public key PKID, the private key KID,t and a
message m as input, and then produces a
signature .
- Verify: This algorithm, run by a verifier
(user), takes as input a message/signature
ISBN: 978-1-941968-16-1 2015 SDIWC
pair (m, ), a period t and an identity ID with

the public key PID, and then outputs accept
if the signature is valid, or reject otherwise.
3.2 Adversarial Model
In the security notions for certificateless
signature (CLS) schemes, there are two types of
adversaries with different capabilities, namely,
Type I and Type II adversaries [12, 14]. A Type
I adversary AI acts as an outsider who has no
access to the master secret key s, but has the
ability to replace the public key of any entity
with a value of her/his choice. A Type II
adversary AII models the KGC who has access
to the master secret key s, but cannot replace
any users public key. In 2013, Chen et al. [17]
wrote a survey article on security models for
certificateless signature schemes. They
presented eight potential security models on
adversaries activities and behaviors. In
particular, the strongest one of these models is
an improvement of [12, 14] by additionally
requiring
strong
unforgeability.
A
certificateless signature scheme is said to be
strongly unforgeable if it possesses existential
unforgeability and an adversary who is given
signatures on a message is unable to generate a
new signature on the message.
Based on the security notions for CLS schemes
in [10, 12], Sun et al. [25] defined the security
notions for RCLS schemes by adding a new
type of adversary, namely, Type III adversary.
A Type III adversary AIII acts as a revoked user
who holds her/his initial key DID and has the
ability to replace the public key of any entity
with a value of her/his choice. However, AIII
will no longer be issued the current time update
key TID,t since being revoked and have no
access to the master secret key s. In the
following, we formally define the security
notions for RCLS schemes by combining Sun
et al.s security model for RCLS schemes with
Chen et al.s strongest security model for CLS
schemes in mentioned above. The security
notions for RCLS schemes are modeled using
21
the following three games (Games I, II, III)

between a challenger C and three types of
adversaries, respectively.
Game I (for an outsider, AI)
- Setup. The challenger C runs the setup
algorithm to produce a master secret key s
and a list of public parameters Params.
Params is given to AI and s is kept secret
by C.
- Queries. The adversary AI may make a
number of queries to the challenger C in
an adaptive manner as follows.
Initial-Key-Extract query (ID). The
challenger C runs the Initial-Key-Extract
algorithm to return the users initial key
DID to AI.
Time-Key-Update query (ID, t). The
challenger C runs the Time-Key-Update
algorithm to generate the users time
update key TID,t corresponding to the
identity ID and the period t. C then
returns TID,t to AI.
Secret-Value query (ID). The adversary
AI requests the secret value of a user
with identity ID. C returns the secret
value xID to AI.
Public-Key query (ID). The adversary AI
requests the public key of a user with
identity ID. C returns the public key PID
to AI.
Public-Key-Replacement query (ID, P'ID).
The adversary AI chooses a new public
key P'ID for the user with identity ID.
The challenger C records this
replacement.
Super-Sign query (m, ID, t, PID). Upon
receiving this query, the challenger C
runs the Sign algorithm to return a valid
signature on the message m under the
ISBN: 978-1-941968-16-1 2015 SDIWC
identity ID with the public key PID in the

period t. Note that, if PID is a replaced
public key chosen by AI, then AI need
not supply the corresponding secret
value, which is used to generate PID, to
the challenger C. The Super-Sign query
was first defined in [12] and is now
regarded as an oracle with full attack
power.
- Forgery. The adversary AI generates a
tuple (m*, *, ID*, t*, PID*). We say that
the adversary AI wins Game I if the
following conditions are satisfied:
(1) The response of the Verify algorithm
on (m*, *, ID*, t*, PID*) is accept.
(2) (m*, *, ID*, t*, PID*) did not appear
as a response in the Super-Sign
query.
(3) ID* has never been submitted during
the Initial-Key-Extract query.
The advantage of the adversary AI is
defined as the probability that AI wins Game I.
Game II (for the KGC, AII)
Params and s are sent to AII.
- Queries. The adversary AII may make a
number of queries as in Game I. Note that
the adversary AII has no need to request the
Initial-Key-Extract query and Time-KeyUpdate query since the KGC has owned
the master secret key s.
- Forgery. The adversary AII generates a
tuple (m*, *, ID*, t*, PID*). We say that
the adversary AII wins Game II if the
22
query, where PID* is the ID*s

original public key.
(3) ID* has never been submitted during
the Secret-Value query.
The advantage of the adversary AII is
defined as the probability that AII wins Game II.
phase of every game above is, instead,

weakened as that (m*, ID*, t*, PID*) has never
been submitted during the Super-Sign query.
Hence, strong unforgeability offers adversaries
more capabilities than existential unforgeability
does.
4 CONCRETE RCLS SCHEME
Game III (for a revoked user, AIII)

Params is given to AIII and s is kept secret
by C.
- Queries. The adversary AIII may make a
number of queries as in Game I in an
adaptive manner.
- Forgery. The adversary AIII generates a
tuple (m*, *, ID*, t*, PID*). We say that the
adversary AIII wins Game III if the
query.
(3) (ID*, t*) has never been submitted
during the Time-Key-Update query.
The advantage of the adversary AIII is
defined as the probability that AIII wins Game
III.
Definition 2. A revocable certificateless
signature (RCLS) scheme offers strong
unforgeability against adaptive chosen-message
attacks if no probabilistic polynomial-time
adversary has a non-negligible advantage in all
the games above (Game I, Game II and Game
III).
Remark:
Note
that,
for
existential
unforgeability in revocable certificateless
signatures, the condition (2) in the Forgery
ISBN: 978-1-941968-16-1 2015 SDIWC
The proposed RCLS scheme consists of eight

algorithms, namely, Setup, Initial-Key-Extract,
Time-Key-Update,
Set-Secret-Value,
Setprivate-key, Set-Public-Key, Sign and Verify
algorithms.
-
Setup: Given a security parameter l, the

KGC first generates two groups G1 and G2
of prime order q > 2l, an admissible bilinear
map : G1G1 G2, and a random
generator P of G1. Let T = {1, 2,, z}
denote the set of periods, where z is the
total number of all periods. Next, the KGC
randomly chooses a master secret key s
Zq* and computes Ppub = sP as the system
public key. The KGC picks four hash
functions H0, H1: {0, 1}* G1 and H2, H3:
{0, 1}*Zq*. The public parameters are
presented as Params = <G1, G2, q, , P, Ppub,
H0, H1, H2, H3>.
Initial-Key-Extract: Given a users identity

ID {0, 1}*, the KGC computes QID =
H0(ID, P) and the corresponding initial key
DID = sQID. The KGC returns DID to the
user via a secure channel.
Time-Key-Update: Given a users identity

ID and a period t T, the KGC computes
RID,t = H1(ID, t, P) and the users time
update key TID,t = sRID,t for the period t.
The KGC sends TID,t to the user using a
public channel (e.g. e-mail).
Set-Secret-Value: The entity ID selects a

random value xID Zq* which is set as the
secret value of ID.
23
Set-Private-Key: The entity ID takes DID,

TID,t and xID as input, and sets her/his
private key KID,t=(SID,t, xID) for the period t,
where SID,t =DID+TID,t.
Set-Public-Key: Given the entity IDs secret

value xID, the algorithm returns the
corresponding public key PID = xIDPpub.
Sign: In a period t, given a message m, a

non-revoked signer with identity ID uses
her/his private key KID,t=(SID,t, xID) to
perform the following steps:
(1) Choose a random number rZq* and
compute U=rPpub, f=H2(U, ID, t, PID,
m) and h=H3(U, ID, t, PID, m).
(2) Compute V=(r+h+fxID)SID,t.
(3) Output = (U, V) as the signature on
m.
-
Verify: Given a signature tuple (m, , ID, t,

PID) with = (U, V), a verifier performs
the following steps to validate the
signature tuple:
(1) Compute QID=H0(ID, P), RID,t=H1(ID,
t, P), f=H2(U, ID, t, PID, m) and
h=H3(U, ID, t, PID, m).
(2) Verify (P, V)=(QID+RID,t, U+hPpub
+fPID). If it holds, output accept.
Otherwise, output reject.
5 SECURITY ANALYSIS
In this section, we give the security analysis of
the proposed RCLS scheme. Under the CDH
assumption, Lemmas 1, 2 and 3 below show
that our RCLS scheme is secure against the
adversaries of all three types, respectively, in
Games I, II and III defined in Section 3.2. As a
direct consequence of these lemmas, our scheme
offers strong unforgeability against adaptive
chosen-message attacks in the random oracle
model under the CDH assumption, which is
stated as Theorem 4.
ISBN: 978-1-941968-16-1 2015 SDIWC
Lemma 1. In the random oracle model, if an

outsider (adversary AI) with a non-negligible
advantage can forge a valid signature to the
proposed RCLS scheme in polynomial time
under adaptive chosen-message attacks, then the
CDH problem can be resolved with a nonnegligible advantage.
Proof. If an outsider AI can forge a valid
signature to the proposed RCLS scheme, then
we show that we can construct an algorithm C
to solve the CDH problem. We assume that the
algorithm C receives a random instance <G1, G2,
, P, aP, bP>, where P G1, a, b Zq*, and we
would try to compute abP. In the following, we
show how the challenger C can use AI to
compute abP. Here, the algorithm C acts as the
challenger of Game I.
Setup: The challenger C sets Ppub= aP, selects
Params=<G1, G2, q, , P, Ppub, H0, H1, H2,
H3> and sends Params to AI as the public
parameters, where the hash functions H0, H1,
H2 and H3 act as random oracles [27, 28]
controlled by C.
Queries: Suppose that AI can make H0 queries
defined below at most qH0 times. The
challenger C randomly chooses i[1, qH0]
and let ID' denote the identity of the i-th
query to the oracle H0. We assume that the
associated H0 and H1 oracle queries must be
issued before AI makes the Initial-KeyExtract query and Time-Key-Update query,
respectively.
- H0 queries: The challenger C maintains an
initially empty list L0 of tuples (ID, u,
QID). Upon receiving a query along with
a pair (ID, P), the same response is given
if the query has been asked before.
Otherwise, C simulates the random
oracle H0 as follows.
(1) If ID=ID', the challenger C sets QID=
bP, adds (ID, , QID) in the list L0
and returns QID
24
as response.
(2) Otherwise, C randomly selects a
value u Zq*, sets QID= uP, adds
(ID, u, QID) in L0 and
returns QID as response.
- H1 queries: C keeps an initially empty list
L1 of tuples (ID, t, v, RID,t). When a tuple
(ID, t, P) is submitted to the H1 oracle,
the same response is given if the query
has been asked before. Otherwise, C
selects a random value v Zq*, sets
RID,t= vP, adds (ID, t, v, RID,t) in L1, and
returns RID,t.
L2 of tuples (U, ID, t, PID, m, f). Upon
receiving a query with a tuple (U, ID, t,
PID, m), the same response is given if the
query has been asked before. Otherwise,
C selects a random value f Zq*, adds
(U, ID, t, PID, m, f) in L2, and returns f.
L3 of tuples (U, ID, t, PID, m, h). Upon
receiving a query with a tuple (U, ID, t,
PID, m), the same response is given if the
C selects a random value h Zq*, adds
(U, ID, t, PID, m, h) in L3, and returns h.
- Initial-Key-Extract queries: The challenger
C maintains an initially empty list LK of
tuples (ID, DID). When an identity ID is
submitted to this oracle, the same
response is given if the query has been
asked before. Otherwise, the challenger
C performs the following steps.
(1) If ID=ID', C aborts because it cannot
answer the query coherently.
(2) Otherwise, C accesses to the
corresponding tuple (ID, u, QID) in
L0, sets DID= uPpub, adds (ID, DID)
in LK, and returns DID.
ISBN: 978-1-941968-16-1 2015 SDIWC
- Time-Key-Update queries: The challenger

C maintains an initially empty list LT of
tuples (ID, t, TID,t). Upon receiving a
query along with a pair (ID, t), the same
C accesses to the corresponding tuple
(ID, t, v, RID,t) in L1 and sets TID,t = vPpub.
Finally, C adds (ID, t, TID,t) in LT and
returns TID,t.
- Secret-Value queries: The challenger C
maintains an initially empty list LS of
tuples (ID, xID, PID). Upon receiving an
identity ID, C returns xID or if (ID, xID,
PID) or (ID, , PID) appears in LS,
respectively. Otherwise, C selects a
random value xID Zq*, computes PID =
xIDPpub, adds (ID, xID, PID) in LS, and
returns xID.
- Public-Key queries: Upon receiving an
identity ID, C returns PID if (ID, xID, PID)
or (ID, , PID) appears in LS. Otherwise,
C randomly selects a value xID Zq*,
computes PID = xIDPpub, adds (ID, xID,
PID) in LS, and returns PID.
-
Public-Key-Replacement queries: AI
requests to replace the public key PID of
an identity ID with a new public key P'ID
chosen by AI. Upon receiving a pair (ID,
P'ID), C updates the original public key
tuple in LS by (ID, , P'ID). Note that the
public key replacement does not require
the secret value corresponding to the
new public key.
- Super-Sign queries: When a tuple (m, ID, t,

PID) is submitted to this query, the
challenger C performs the following
steps to generate a valid signature
without the knowledge of the
corresponding secret value of PID.
25
(1) Access to the corresponding tuples

(ID, -, QID) and (ID, t, v, RID,t) in the
lists L0 and L1, respectively.
(2) Choose three random values r, f,
hZq* and compute U= rP(fPID
+hPpub) and V= r(QID+RID,t).
(3) Add (U, ID, t, PID, m, f) in L2 and (U,
ID, t, PID, m, h) in L3, and return
=(U, V) as the signature on m.
Note that the signature tuple = (U, V) is
indeed a valid signature because it can pass
the verification as follows:
(QID+RID,t, U+hPpub+fPID)
= (QID+RID,t, rP(fPID+hPpub)+h
Ppub +fPID)
= (QID+RID,t, rP)= (P, r(QID+RID,t))
= (P, V).
Forgery: Finally, suppose that the adversary AI
forges a valid signature tuple (m*, * , ID*, t*,
PID*) with * = (U*, V*). If ID*ID', the
challenger C aborts. Otherwise, if ID*=ID',
by applying the Forking lemma in [29], C
replays AI with the same random tape but
with a different hash value of H3 to obtain
another valid signature (m*, ', ID*, t*, PID*)
with ' =(U*, V'). Since * and ' are two
valid signatures on m*, we have two
equalities
(P, V*)=(QID*+RID*,t*, U*+h*Ppub+ f*PID*)
and
(P, V')=(QID*+RID*,t*, U*+h'Ppub+ f*PID*),
where h* and h' are two hash values of
H3(U*, ID*, t*, PID*, m*). By the property of
bilinear pairings, we combine the last two
equalities to obtain
(P, V* V')=(QID*+RID*,t*, h*Ppub h'Ppub).
By Ppub = aP, it leads
(P, V* V')=(QID*+RID*,t*, (h* h')aP).
By the property of bilinear pairings, we have
(P, V* V')=(P, (h* h')(aQID*+ aRID*,t*)),
which implies
(P, V* V')=(P, (h* h')(abP + TID*,t*)),
ISBN: 978-1-941968-16-1 2015 SDIWC
since QID*= bP and aRID*,t*=TID*,t*. Finally,

by accessing to the list LT, the challenger can
obtain the value of TID*,t* and then evaluate
(V*V' (h* h') TID*,t* )/ (h* h')
which is exactly equal to abP. This resolves
the CDH problem.
Lemma 2. In the random oracle model, if the
KGC (adversary AII) with a non-negligible
advantage can forge a valid signature to the
proposed RCLS scheme in polynomial time
under adaptive chosen-message attacks, then the
CDH problem can be solved with a nonnegligible advantage.
Proof. If the KGC AII can forge a valid signature
to the proposed RCLS scheme, then we show
that we can construct an algorithm C to solve
the CDH problem. We assume that the
show how the challenger C can use AII to
challenger of Game II.
Setup: The challenger C chooses a master
secret key s Zq* and computes the system
public key Ppub = sP. C selects Params=<G1,
G2, q, , P, Ppub, H0, H1, H2, H3> as the public
parameters, and sends s and Params to AII,
where the hash functions H0, H1, H2 and H3
act as random oracles [27, 28] controlled by
C.
Queries: Suppose that AII can make H0 queries
query to the oracle H0. The adversary AII may
make queries in an adaptive manner as
follows.
- H0 queries: The challenger C maintains an
26

Otherwise, C simulates the random
oracle H0 as follows.
(1) If ID=ID', the challenger C sets QID=
aP, adds (ID, , QID) in the list L0
and returns QID as answer.
value u Zq*, sets QID= uP, adds
(ID, u, QID) in L0 and returns QID as
answer.
simulates the random oracle H1 as
follows.
(1) If ID=ID', the challenger C selects a
random value v Zq*, sets RID,t =
v(aP), adds (ID, t, v, RID,t) in the list
L1 and returns RID,t.
value v Zq*, sets RID,t= vP, adds
(ID, t, v, RID,t) in L1, and returns RID,t
as response.
- H2 and H3 queries remain the same as
defined in the proof of Lemma1.
- Secret-Value queries: C maintains an
initially empty list LS of tuples (ID, xID,
PID). Upon receiving an identity ID, C
returns if there exists (ID, , PID) in LS,
in which case the public key of ID has
been previously replaced. Otherwise, C
performs the following steps.
(1) If ID=ID', the challenger C aborts.
(2) Otherwise, if (ID, xID, PID) appears in
LS, C returns xID. If not, C then
selects a random value xID Zq*,
computes PID = xIDPpub, adds (ID,
xID, PID) in LS and returns xID.
ISBN: 978-1-941968-16-1 2015 SDIWC
- Public-Key queries: Upon receiving an

identity ID, the challenger C returns
PID=bP if ID=ID'. If IDID' and (ID, xID,
PID) appears in LS, then C returns PID.
Otherwise, C randomly selects a value
xID Zq*, sets PID = xIDPpub, adds (ID,
xID, PID) in LS and returns PID.
- Public-Key-Replacement queries: AII can
request to replace the public key PID of
an identity ID with a new public key P'ID
chosen by AII. Upon receiving a pair (ID,
P'ID), the challenger C aborts if ID=ID'.
Otherwise, C updates the original public
key tuple in LS by (ID, , P'ID).
- Super-Sign queries: When a tuple (m, ID, t,
PID) is submitted to this query, the
challenger C performs the following
steps to generate a valid signature
without the knowledge of the
corresponding secret value of PID.
(1) Access to the corresponding tuples
(ID, u, QID) and (ID, t, v, RID,t) in the
lists L0 and L1, respectively.
(2) Choose three random values r, f,
hZq* and compute U= rP(fPID
+hPpub) and V= r(QID+RID,t).
(3) Add (U, ID, t, PID, m, f) in L2 and (U,
ID, t, PID, m, h) in L3, and return
=(U, V) as the signature on m.
Forgery: Finally, suppose that the adversary
AII forges a valid signature tuple (m*, *, ID*,
t*, PID*) with * = (U*, V*). If ID*ID', the
challenger C aborts. Otherwise, if ID*=ID',
by applying the Forking lemma in [29], C
replays AII with the same random tape but
with a different hash value of H2 to obtain
another valid signature (m*, ', ID*, t*, PID*)
with ' =(U*, V'). Since * and ' are two
valid signatures on m*, we have two
equalities
(P, V*)=(QID*+RID*,t*, U*+h*Ppub+ f*PID*)
and
(P, V')=(QID*+RID*,t*, U*+h*Ppub+ f'PID*),
27
where f* and f' are two hash values of H2(U*,

ID*, t*, PID*, m*). By the property of bilinear
pairings, we combine the last two equalities
to obtain
(P, V* V')=(QID*+RID*,t*, f*PID* f'PID*),
which, by QID* = aP, RID*,t*=vaP and PID* =
bP, leads to
(P, V* V')=((1+v)aP, (f* f')bP).
By the property of bilinear pairings, we have
(P, V* V')=(P, (1+v) (f* f')abP).
Hence, we arrive at
abP = (V*V')/((1+v)(f* f')).
This resolves the CDH problem.
Lemma 3. In the random oracle model, if a
revoked user (adversary AIII) with a nonnegligible advantage can forge a valid signature
to the proposed RCLS scheme in polynomial
time under adaptive chosen-message attacks,
then the CDH problem can be solved with a
non-negligible advantage.
Proof. If a revoked user AIII can forge a valid
signature to the proposed RCLS scheme, then
we show that we can construct an algorithm C
to solve the CDH problem. We assume that the
show how the challenger C can use AIII to
challenger of Game III.
Setup: The challenger C sets Ppub= aP, selects
Params=<G1, G2, q, , P, Ppub, H0, H1, H2,
H3> and sends Params to AIII as the public
parameters, where the hash functions H0, H1,
H2 and H3 act as random oracles [27, 28]
controlled by C. Let T = {1, 2,, z} denote
the set of periods, where z is the total number
of all periods. The challenger C randomly
chooses j [1, z] and let t' denote the j-th
period.
Queries: Suppose that AIII can make H1 queries
ISBN: 978-1-941968-16-1 2015 SDIWC

query to the oracle H0. The adversary AIII
may make all types of queries defined in the
proof of Lemma 1, except that the H0, H1,
Initial-Key-Extract and Time-Key-Update
queries are modified as follows. In addition,
We assume that the associated H0 and H1
oracle queries must be issued before AIII
makes the Initial-Key-Extract query and
Time-Key-Update query, respectively.
- H0 queries: The challenger C keeps an
Otherwise, C selects a random value
uZq*, sets QID=uP, adds (ID, u, QID) in
L0, and returns QID.
simulates the random oracle H1 as
follows.
(1) If ID=ID' and t= t', the challenger C
sets RID,t= bP, adds (ID, t, , RID,t)
in the list L1 and returns RID,t.
value vZq*, sets RID,t= vP, adds
(ID, t, v, RID,t) in L1,
and returns RID,t.
- Initial-Key-Extract queries: The challenger
C maintains an initially empty list LK of
tuples (ID, DID). When an identity ID is
submitted to this oracle, the same
response in the list LK is given if the
C accesses to the corresponding tuple
(ID, u, QID) in L0, sets DID= uPpub, adds
(ID, DID) in LK, and returns DID.
28
- Time-Key-Update queries: The challenger

C maintains an initially empty list LT of
tuples (ID, t, TID,t). Upon receiving a
query with a pair (ID, t), the same
C performs the following steps.
(1) If ID=ID' and t= t', C aborts because
it cannot answer the query
coherently.
(2) Otherwise, the challenger C accesses
to the corresponding tuple (ID, t, v,
RID,t) in L1, sets TID,t = vPpub, adds
(ID, t, TID,t) in LT and returns TID,t.
Forgery: Finally, suppose that the adversary
AIII can forge a valid signature tuple (m*, *,
ID*, t*, PID*) with * =(U*, V*). If IDID' or
tt', the challenger C aborts. Otherwise, if
ID=ID' and t=t', by applying the Forking
lemma in [29], C replays AIII with the same
random tape but with a different hash value
of H3 to obtain another valid signature (m*,
', ID*, t*, PID*) with ' =(U*, V'). By similar
arguments in the Forgery phase in the proof
of Lemma 1, we have
(P, V* V')=(P, (h* h')(aQID*+ aRID*,t*)),
which implies
(P, V* V')=(P, (h* h')(DID*+abP)),
since aQID*=DID* and RID*,t*= bP.
Finally, by accessing to the list LK, the
challenger can obtain the value of DID* and
then evaluate
(V*V'(h* h') DID*)/ (h* h'),
which is exactly equal to abP. This resolves
the CDH problem.
Theorem 4. In the random oracle model, the
proposed RCLS scheme offers strong
attacks under the CDH assumption.
Proof. By Definition 2 presented in Section 3.2,
we say that a RCLS scheme offers strong
attacks if no PPT adversary has a non-negligible
ISBN: 978-1-941968-16-1 2015 SDIWC
advantage in Game I, Game II and Game III. By

Lemmas 1, 2 and 3, under the CDH assumption,
we have proved that no PPT adversary of any
type can forge a valid signature with a nonnegligible advantage to the proposed RCLS
scheme in polynomial time. Hence, we conclude
the theorem.
6 COMPARISONS
Here, we make performance comparisons
between Sun et al.s RCLS scheme [25] and
ours. For convenience to evaluate the
computation cost, we consider several timeconsuming operations. Let TGe, TGmul and TGH
denote the computational costs of a bilinear
pairing operation , a multiplication operation of
points in G1 and a map-to-point hash function,
respectively. We emphasize that TGe is more
time-consuming than TGmul and TGH [30, 31].
For the signing phase, it requires 2TGmul to
generate a signature =(U, V). For the verifying
phase, 2TGe+2TGmul+2TGH is required to
validate a signature. Table 1 lists the
comparisons between Sun et al.s scheme and
ours in terms of security property and
computation costs for both signing and
verifying phases.
Table 1. Comparisons between Sun et al.s RCLS
scheme and our scheme.
Sun et al.s RCLS Our RCLS
scheme [25]
scheme
Existential
Strong
Security property
unforgeability
unforgeability
Computational cost
3TGmul+2TGH
2TGmul
for signing
2TGe+2TGmul
Computational cost
4TGe +4TGH
for verification
+2TGH
7 CONCLUSION
In the article, we proposed an efficient RCLS
scheme possessing strong unforgeability.
Performance comparisons were made to
demonstrate that our scheme has better
performance than Sun et al.s RCLS scheme in
terms of the computation costs for both signing
29
and verifying phases. The security notions for

RCLS schemes were presented to formalize the
possible threats that include three types of
adversaries, namely, an outsider, the KGC and
a revoked user. In the random oracle model and
under the computational DiffieHellman
assumption, we have formally proven that the
proposed RCLS scheme is strong unforgeability
against adaptive chosen-message attacks for
three types of adversaries. Finally, two
interesting issues on RCLS schemes are worth
studying, namely, a provably secure RCLS
scheme without random oracles and an efficient
RCLS scheme with short signature size. We
leave them as the future work.
ACKNOWLEDGMENT
This research was partially supported by Ministry of
Science and Technology, Taiwan, R.O.C., under contract
no. MOST 103-2221- E-018-022-MY2.
[8]
A. W. Dent, A survey of certificateless encryption

schemes and security models, International Journal
of Information Security, vol. 7, no. 5, pp.349377,
Oct. 2008.
[9]
G. Yang and C. H. Tan, Certificateless public key

encryption: A new generic construction and two
pairing-free schemes, Theoretical Computer
Science, vol. 412, no. 810, pp. 662674, Aug. 2011.
[10]
X. Huang, W. Susilo, Y. Mu, and F. Zhang, On the

security of a certificateless signature scheme from
Asiacrypt 2003, in Proc. CANS05, LNCS 3810,
2005, pp. 1325.
[11]
Z. Zhang, D. Wong, J. Xu, and D. Feng,

Certificateless public-key signature: security model
and efficient construction, in Proc. ACNS06,
LNCS 3989, 2006, pp. 293308.
[12]
X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu,

Certificateless signature revisited, in Proc. ACISP
2007, LNCS 4586, 2007, pp. 308322.
[13]
L. Zhang and F. Zhang, A new provably secure

certificateless signature scheme, in Proc. IEEE
ICC08, 2008, pp. 16851689.
[14]
H. Xiong, Z. Qin, and F. Li, An improved

certificateless signature scheme secure in the
standard model, Fundamenta Informaticae, vol. 88,
pp. 193206, Dec. 2008.
[15]
Y. Yu, Y. Mu, G. Wang, Q. Xia, and B. Yang,

Improved certificateless signature scheme provably
secure in the standard model, IET Information
Security, vol. 6, pp.102110, Jun. 2012.
[16]
R. Tso, X. Huang, and W. Susilo, Strongly secure

certificateless short signatures, The Journal of
Systems and Software, vol. 85, no. 6, pp. 14091417,
Jun. 2012.
[17]
Y.C. Chen, R. Tso, W. Susilo, X. Huang, and G.

Horng, Certificateless signatures: structural
extensions of security models and new provably
secure schemes, Cryptology ePrint Archive, Report
2013/193, 2013.
[18]
R. Housley, W. Polk, W. Ford, and D. Solo,

Internet X.509 public key infrastructure certificate
and certificate revocation list (CRL) profile, RFC
3280, IETF, 2002.
REFERENCES
[1]
A. Shamir, Identity-based cryptosystems and

signature schemes, in Proc. Crypto84, LNCS 196,
1984, pp. 4753.
[2]
D. Boneh and M. Franklin, Identity-based

encryption from the Weil pairing, in Proc.
Crypto01, LNCS 2139, 2001, pp. 213229.
[3]
D. Boneh and M. Franklin, Identity-Based

Encryption from the Weil Pairing, SIAM J.
Comput., vol. 32, pp. 586615, Jun. 2003.
[4]
S. S. Al-Riyami and K. G. Paterson, Certificateless

public key cryptography, in Proc. Asiacrypt03,
LNCS 2894, 2003, pp. 452473.
[5]
S. S. Al-Riyami and K. G. Paterson, CBE from CLPKE: A generic construction and efficient schemes,
in Proc. PKC05, LNCS 3386, 2005, pp. 398415.
[6]
B. Libert and J. J. Quisquater, On constructing

certificateless cryptosystems from identity based
encryption, in Proc. PKC06, LNCS 3958, 2006, pp.
474490.
[19]
H. S. Ju, D. Y. Kim, D. H. Lee, J. Lim, and K. Chun,

Efficient revocation of security capability in
certificateless public key cryptography, in Proc.
KES05, LNCS 3682, 2005, pp. 453459.
[7]
M. H. Au, J. Chen, J. K. Liu, Y. Mu, D. S. Wong,

and G. Yang, Malicious KGC attack in
certificateless cryptography, in Proc. ASIACCS07,
2007, pp. 302311.
[20]
S. Chow, C. Boyd, and J. Nieto, Security-mediated

certificateless cryptography, in Proc. PKC06,
LNCS 3958, 2006, pp. 508524.
ISBN: 978-1-941968-16-1 2015 SDIWC
30
[21]
W. Yap, S. Chow, S. Heng, and B. Goi, Security

mediated certificateless signatures, in Proc.
ACNS07, LNCS 4521, 2007, pp. 459477.
[22]
T. T. Tsai and Y. M. Tseng, Revocable

certificateless public key encryption, IEEE Systems
Journal,
Article
in
press
(DOI:
10.1109/JSYST.2013.2289271), 2015.
[23]
L. Shen, F. Zhang, and Y. Sun, Efficient revocable

certificateless encryption secure in the standard
model, The Computer Journal, vol. 57, no. 4, pp. 592601, 2014.
[24]
Y. M. Tseng and T. T. Tsai, Efficient revocable IDbased encryption with a public channel, The
Computer Journal, vol. 55, no. 4, pp. 475486, Apr.
2012.
[25]
Y. Sun, F. Zhang and L. Shen, A revocable

certificateless signature scheme, Journal of
Computers, vol. 9, no. 8, pp. 1843-1850, Aug. 2014.
[26]
L. Chen, Z. Cheng, and N. P. Smart, Identity-based

key agreement protocols from pairings, Int. J. of Inf.
Security, vol. 6, pp.213241, Jul. 2007.
[27]
M. Bellare and P. Rogaway, Random oracles are

practical: a paradigm for designing efficient
protocols, in Proc. CCS93, 1993, pp. 6273.
[28]
R. Canetti, O. Goldreich, and S. Halevi, The

random oracle methodology, revisited, Journal of
ACM, vol. 51, no. 4, pp. 557594, Jul. 2004.
[29]
D. Pointcheval and J. Stern, Security arguments for

digital signatures and blind signatures, Journal of
Cryptology, vol.13, no.3, pp.361396, Jul. 2000.
[30]
M. Scott, Computing the Tate pairing, in Proc.

CT-RSA05, LNCS 3376, 2005, pp. 293304.
[31]
M. Scott, N. Costigan, and W. Abdulwahab,

Implementing
cryptographic
pairings
on
smartcards, in Proc. CHES06, LNCS 4249, 2006,
pp. 134147.
ISBN: 978-1-941968-16-1 2015 SDIWC
31

127 PDF

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

127 PDF

Transféré par

Droits d'auteur :

Formats disponibles

Proceedings of The Fourth International Conference on Informatics & Applications, Takamatsu, Japan, 2015

Strongly Unforgeable Revocable Certificateless Signature

ISBN: 978-1-941968-16-1 2015 SDIWC

system using bilinear pairings such as Weil,

received significant attention from researchers

ISBN: 978-1-941968-16-1 2015 SDIWC

become a bottleneck for performance and

but still possesses the corresponding initial

The modified Weil, Tate and Ate pairings

The rest of the paper is organized as follows.

ISBN: 978-1-941968-16-1 2015 SDIWC

2.2 Security Assumption

Definition 1. The CDH assumption is defined

- Setup: This algorithm, run by the KGC, takes

ISBN: 978-1-941968-16-1 2015 SDIWC

pair (m, ), a period t and an identity ID with

the following three games (Games I, II, III)

ISBN: 978-1-941968-16-1 2015 SDIWC

identity ID with the public key PID in the

query, where PID* is the ID*s

phase of every game above is, instead,

Game III (for a revoked user, AIII)

ISBN: 978-1-941968-16-1 2015 SDIWC

The proposed RCLS scheme consists of eight

Setup: Given a security parameter l, the

Initial-Key-Extract: Given a users identity

Time-Key-Update: Given a users identity

Set-Secret-Value: The entity ID selects a

Set-Private-Key: The entity ID takes DID,

Set-Public-Key: Given the entity IDs secret

Sign: In a period t, given a message m, a

Verify: Given a signature tuple (m, , ID, t,

ISBN: 978-1-941968-16-1 2015 SDIWC

Lemma 1. In the random oracle model, if an

ISBN: 978-1-941968-16-1 2015 SDIWC

- Time-Key-Update queries: The challenger

- Super-Sign queries: When a tuple (m, ID, t,

(1) Access to the corresponding tuples

ISBN: 978-1-941968-16-1 2015 SDIWC

since QID*= bP and aRID*,t*=TID*,t*. Finally,

a pair (ID, P), the same response is given

ISBN: 978-1-941968-16-1 2015 SDIWC

- Public-Key queries: Upon receiving an

where f* and f' are two hash values of H2(U*,

ISBN: 978-1-941968-16-1 2015 SDIWC

challenger C randomly chooses i[1, qH1]

- Time-Key-Update queries: The challenger

ISBN: 978-1-941968-16-1 2015 SDIWC

advantage in Game I, Game II and Game III. By

and verifying phases. The security notions for

A. W. Dent, A survey of certificateless encryption

G. Yang and C. H. Tan, Certificateless public key

X. Huang, W. Susilo, Y. Mu, and F. Zhang, On the

Z. Zhang, D. Wong, J. Xu, and D. Feng,

X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu,

L. Zhang and F. Zhang, A new provably secure

H. Xiong, Z. Qin, and F. Li, An improved

Y. Yu, Y. Mu, G. Wang, Q. Xia, and B. Yang,

R. Tso, X. Huang, and W. Susilo, Strongly secure

Y.C. Chen, R. Tso, W. Susilo, X. Huang, and G.

R. Housley, W. Polk, W. Ford, and D. Solo,

A. Shamir, Identity-based cryptosystems and

since QID= bP and aRID,t=TID,t*. Finally,