Certificateless universal designated verifier signature schemes

THE JOURNAL OF CHINA UNIVERSITIES OF POSTS AND TELECOMMUNICATIONS, Volume 14, Issue 3, September 2007

MING Yang, SHEN Xiao-qin, WANG Yu-min

State Key Laboratory of Integrated Service Network, Xidian University, Xi'an 710071, China
E-mail: [email protected]
Received date: 2006-12-07

CLC number TN918.1    Document code A    Article ID 1005-8885 (2007) 03-0085-06

Abstract Universal designated verifier signature schemes allow a signature holder to designate the signature to a desired designated verifier, in such a way that only the designated verifier can verify this signature, but is unable to convince anyone else of this fact. The previous constructions of universal designated verifier signatures rely on the underlying public key infrastructure, which needs both signers and verifiers to verify the authenticity of the public keys, and hence certificates are required. This article presents the first model and construction of a certificateless universal designated verifier signature scheme, in which certificates are not needed. The proposed scheme satisfies all the requirements of universal designated verifier signatures in the certificateless system. Security proofs are provided for the scheme in the random oracle model, assuming that the Bilinear Diffie-Hellman (BDH) problem is hard to solve.

Keywords certificateless cryptography, universal designated verifier signature, bilinear pairing

1 Introduction

Digital signatures, one of the general primitives of cryptography, have many applications in information security to provide authentication, data integrity, and non-repudiation [1-4]. Universal designated verifier signature (UDVS), introduced by Steinfeld et al. [5], is an important tool to protect the privacy of the signature holder from dissemination of signatures by verifiers. A UDVS scheme can function as a standard publicly verifiable signature scheme but has additional functionality which allows any holder of a signature (not necessarily the signer) to designate the signature to any desired designated verifier (using the verifier's public key). Given the designated signature, the designated verifier can verify that the message was signed by the signer but cannot prove the same fact to a third party, since he can also produce such a proof statement using his private key. The authors refer to Refs. [6, 7] for more related study and applications of UDVS.

The first construction of an identity-based universal designated verifier signature scheme was proposed in Ref. [6]. The notion of identity-based public key cryptography (ID-PKC) was introduced by Shamir [8], in which the public key of a user can be derived from his unique identifier information. ID-PKC eliminates certificates and greatly simplifies key management. However, an inherent problem of ID-PKC is key escrow, that is, the private key of each user is known to the private key generator (PKG), who can then forge a signature on any message for any user. Thus it seems that ID-PKC should be considered suitable only for small private networks with lower security requirements. To alleviate the key escrow problem of ID-based cryptography and the certificate authorities of traditional public key cryptography, Al-Riyami and Paterson [9] introduced and made concrete the concept of certificateless public key cryptography (CL-PKC) at Asiacrypt 2003. Unlike ID-PKC, in the certificateless system a trusted third-party key generation center (KGC) only knows the partial private key of the user, and the user must use a secret value, chosen by the user himself, to obtain the full private key. For more about certificateless cryptography, one can refer to Ref. [9]. Several recent outstanding results on certificateless signatures are given in Refs. [10-13].

In this article, the first model and construction of a certificateless universal designated verifier signature (CLUDVS) scheme are proposed. A formal definition of the certificateless universal designated verifier signature and an efficient construction of a CLUDVS scheme based on bilinear pairings are provided. The scheme satisfies all the required properties of a CLUDVS. Security proofs for the scheme in the random oracle model are provided, assuming that the BDH problem is hard to solve.

2 Preliminaries

2.1 Bilinear pairings

Throughout this article, $\mathbb{Z}_q$ denotes $\{0, 1, \ldots, q-1\}$, and $\mathbb{Z}_q^*$ denotes $\mathbb{Z}_q \setminus \{0\}$. Let $G_1$ be an additive group of prime order $q$ and $G_2$ be a multiplicative group with the same order. Let $P$ denote a generator of $G_1$. Let $e: G_1 \times G_1 \to G_2$ be a bilinear map with the following properties:
1) Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and for all $a, b \in \mathbb{Z}_q$.
2) Non-degeneracy: there exists $Q \in G_1$ such that $e(P, Q) \neq 1$ for any $P \in G_1$.
3) Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.
Such a bilinear map is called an admissible bilinear pairing [14]. The modified Weil pairing and the Tate pairing on elliptic curves can be used to construct efficient admissible bilinear pairings.

2.2 Complexity assumptions

Let $G_1, G_2, P, e$ be as above. The BDH problem in $(G_1, G_2, e)$ is as follows: given a randomly chosen $P \in G_1$, as well as $aP$, $bP$ and $cP$ (for unknown randomly chosen $a, b, c \in \mathbb{Z}_q^*$), compute $e(P, P)^{abc}$.

For the BDH problem to be hard, $G_1$ and $G_2$ must be chosen so that there is no known algorithm for efficiently solving the Diffie-Hellman problem in either $G_1$ or $G_2$. If the BDH problem is hard for a pairing $e$, then it indicates that $e$ is non-degenerate.

BDH assumption. Given a BDH parameter generator (PG), the advantage $\mathrm{Adv}(A)$ that an algorithm $A$ has in solving the BDH problem is defined to be the probability that the algorithm $A$ outputs $e(P, P)^{abc}$ on inputs $G_1, G_2, e, P, aP, bP, cP$, where $(G_1, G_2, e)$ is the output of PG for a sufficiently large security parameter $k$, $P$ is a random generator of $G_1$ and $a, b, c$ are random elements of $\mathbb{Z}_q^*$. The BDH assumption is that $\mathrm{Adv}(A)$ is negligible for all efficient algorithms $A$.

3 Certificateless universal designated verifier signature schemes

3.1 The model

There are four parties involved in a CLUDVS scheme: a trusted third-party KGC, a signer $S$, a signature holder $SH$, and a designated verifier $DV$. The model of CLUDVS is a tuple of nine polynomial-time algorithms (Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key, Sign, Public Verification, Designation, and Designated Verification) as follows:

Setup is a probabilistic polynomial algorithm, run by the KGC, that takes as input a security parameter $k$ and returns the master-key $s$ and the system parameters $\pi$. $\pi$ is publicly and authentically available, but only the KGC knows the master-key $s$.

Partial-Private-Key-Extract is a deterministic polynomial algorithm, run by the KGC once for each user, that takes as input $\pi$, the master key $s$, and a user identity $I_i$. It outputs the user's partial private key $D_i$. The partial private key is distributed to that user in a suitably secure manner.

Set-Secret-Value is a probabilistic polynomial algorithm, run by the user, that takes as inputs $\pi$ and a user's identity $I_i$. It outputs a secret value $x_i$ for that identity.

Set-Private-Key is a probabilistic polynomial algorithm, run by the user, that takes as input $\pi$, a user's partial private key $D_i$, and a user's secret value $x_i$. The algorithm outputs the full private key $S_i$ for that user.

Set-Public-Key is a deterministic polynomial algorithm, run by the user, that takes as input $\pi$, a user's identity $I_i$, and the user's secret value $x_i$. It outputs a public key $P_i$ for that user, and the resulting public key is widely and freely distributed.

Sign is a probabilistic polynomial algorithm that is executed by the signer $S$. It takes as input $\pi$, the signer's private key $S_S$, an identity $I_S$ corresponding to the private key $S_S$, and a message $m$. The algorithm outputs a signature $\sigma$ for $m$.

Public Verification is a deterministic polynomial algorithm that takes as input $\pi$, an identity $I_S$, the signer's public key $P_S$, a message $m$ and its signature $\sigma$, and outputs either accept or reject as the verification decision.

Designation is a deterministic polynomial algorithm, run by the signature holder $SH$, that takes as input $\pi$, the signer's public key $P_S$, the designated verifier's public key $P_{DV}$, a message $m$, and a valid signature $\sigma$ on $m$, and outputs a designated signature $\sigma'$ for $m$.

Designated Verification is a deterministic polynomial algorithm, run by the designated verifier $DV$, that takes as input a message $m$, a designated signature $\sigma'$ for $m$, the signer's public key $P_S$, and the designated verifier's private key $S_{DV}$, and outputs either accept or reject.

3.2 Security notions

A CLUDVS scheme should satisfy the following security properties.

Non-Transferability. The designated verifier $DV$ cannot convince anyone else of the authenticity of the designated signature, because he can always produce a signature indistinguishable from the one that was designated by the signature holder $SH$.

Unforgeability. In the case of a CLUDVS scheme, there are actually two types of unforgeability properties; the $\sigma'$-unforgeability property implies the $\sigma$-unforgeability property. Only $\sigma'$-unforgeability is proved. As defined in Refs. [9, 15], there are two types of adversary with different capabilities:

1) Type I adversary. Such an adversary $A_I$ does not have access to the master-key. However, $A_I$ has the ability to replace the public key of any entity with a value of his choice, because there is no certificate involved in a certificateless universal designated verifier signature scheme. Given the public keys of the signer and the designated verifier and the system parameters $\pi$, an adaptively chosen message adversary $A_I$ can make hash queries and sign queries in polynomial time. Finally, $A_I$ outputs a message-signature pair and the new public key of the signer. $A_I$ is successful if the message has never been queried during sign queries and the message-signature pair is valid under the new public key chosen by $A_I$.

2) Type II adversary. Adversary $A_{II}$ has access to the master key but cannot perform public key replacement. Given the public keys of the signer and the designated verifier, the system parameters $\pi$ and the master key, an adaptively chosen message adversary $A_{II}$ can make hash queries and sign queries in polynomial time. Finally, $A_{II}$ outputs a message-signature pair. $A_{II}$ is successful if the message has never been queried during sign queries and the message-signature pair is valid.

Definition 1 A certificateless universal designated verifier signature scheme is unforgeable against adaptively chosen message attacks if it is secure against both types of adversary.

4 The scheme

In this section, the first construction of a CLUDVS scheme is proposed based on bilinear pairings. The scheme is as follows.

Setup. This algorithm runs as follows:
1) Run PG on input a security parameter $k$ to generate $(G_1, G_2, e)$, where $G_1$ and $G_2$ are groups of prime order $q$ ($q \geq 2^k$) and $e: G_1 \times G_1 \to G_2$ is a bilinear pairing.
2) A random generator $P \in G_1$ is selected.
3) A random master-key $s$ is selected from $\mathbb{Z}_q^*$ and $P_{pub} = sP$ is set.
4) The cryptographic hash functions $H_1: \{0,1\}^* \to G_1$ and $H_2: G_1 \times \{0,1\}^* \to \mathbb{Z}_q^*$ are set.
The message space is $M = \{0,1\}^*$. The system parameters are $\pi = \{G_1, G_2, e, P, P_{pub}, H_1, H_2\}$. The master-key is $s \in \mathbb{Z}_q^*$.

Partial-Private-Key-Extract. This algorithm takes as input an identity $I_i \in \{0,1\}^*$, $i \in \{S, DV\}$, and returns its corresponding partial private key as follows:
1) $Q_i = H_1(I_i)$ is computed.
2) The partial private key $D_i = sQ_i$ is output.
$D_i$ is transported to the user $i$ as partial private key over a confidential and authentic channel, and user $i$ can verify its correctness by checking $e(D_i, P) = e(Q_i, P_{pub})$.

Set-Secret-Value. This algorithm takes as input $\pi$ and the user's identity $I_i \in \{0,1\}^*$, and outputs a random $x_i \in \mathbb{Z}_q^*$, $i \in \{S, DV\}$, selected as the user's secret value.

Set-Private-Key. This algorithm takes as input $\pi$, the user's partial private key $D_i$, and the user's secret value $x_i \in \mathbb{Z}_q^*$, and outputs the full private key $S_i$ by computing $S_i = x_i D_i = x_i s Q_i$, $i \in \{S, DV\}$.

Set-Public-Key. This algorithm takes as input $\pi$ and the user's secret value $x_i \in \mathbb{Z}_q^*$, and outputs the user's public key $P_i = (X_i, Y_i)$, where $X_i = x_i P$ and $Y_i = x_i P_{pub} = x_i s P$, $i \in \{S, DV\}$.

Sign. To sign a message $m \in M$, the signer $S$ performs the following steps:
1) $U = rQ_S$ is computed, where $r \in \mathbb{Z}_q^*$, and $h = H_2(U \| m)$.
2) $V = (r + h) S_S$ is computed.
3) Output the signature on $m$ as $\sigma = (U, V)$.

Public Verification. To verify a signature $(U, V)$ on a message $m$ for a public key $P_S = (X_S, Y_S)$, the following steps are performed:
1) Whether $e(X_S, P_{pub}) = e(Y_S, P)$ holds with equality is tested. If not, then output $\perp$ and abort.
2) $h = H_2(U \| m)$ is computed.
3) Whether $e(P, V) = e(Y_S, hQ_S + U)$ holds with equality is tested. If so, then the output is accept. Otherwise, the output is reject.

Designation. Given the signer's public key $P_S = (X_S, Y_S)$, a designated verifier's public key $P_{DV} = (X_{DV}, Y_{DV})$ and a message-signature pair $(m, \sigma = (U, V))$, $V' = e(V, X_{DV})$ is computed, where $X_{DV} = x_{DV} P$. The designated verifier signature on $m$ is $\sigma' = (U, V')$.

Designated Verification. Given a signer's public key $P_S = (X_S, Y_S)$, a message-designated signature pair $(m, \sigma' = (U, V'))$, and the designated verifier's private key $S_{DV}$, $DV$ performs the following steps:
1) Whether $e(X_S, P_{pub}) = e(Y_S, P)$ holds with equality is tested. If not, then output $\perp$ and abort.
2) $h = H_2(U \| m)$ is computed.
3) Whether $V' = e(x_{DV} Y_S, hQ_S + U)$ holds with equality is verified. If so, then the output is accept. Otherwise, the output is reject.

5 Security analysis of the scheme

5.1 Correctness and consistency

The correctness and consistency of the scheme are justified as follows:
$$e(X_S, P_{pub}) = e(x_S P, sP) = e(x_S s P, P) = e(x_S P_{pub}, P) = e(Y_S, P)$$
$$\begin{aligned} e(P, V) &= e(P, (r + H_2(U \| m)) S_S) = e(P, r S_S)\, e(P, H_2(U \| m) S_S) \\ &= e(P, r x_S s Q_S)\, e(P, H_2(U \| m) x_S s Q_S) = e(x_S s P, r Q_S)\, e(x_S s P, H_2(U \| m) Q_S) \\ &= e(Y_S, U)\, e(Y_S, H_2(U \| m) Q_S) = e(Y_S, H_2(U \| m) Q_S + U) \end{aligned}$$
$$e(x_{DV} Y_S, H_2(U \| m) Q_S + U) = e(Y_S, H_2(U \| m) Q_S + U)^{x_{DV}} = e(P, V)^{x_{DV}} = e(x_{DV} P, V) = e(X_{DV}, V) = V'$$

5.2 Non-transferability

Theorem 1 The CLUDVS scheme is non-transferable.

Proof The purpose of the non-transferability property is to prevent a designated verifier $DV$ from using the designated verifier signature $\sigma' = (U, V')$ on a message $m$ to produce evidence which convinces a third party that the message $m$ was signed by the signer $S$. It is easy to prove this property, since the designated verifier $DV$ can always compute $V' = e(x_{DV} Y_S, H_2(U \| m) Q_S + U)$ by himself after observing $U$. When the third party receives a signature $\sigma' = (U, V')$ on the message $m$, he/she cannot distinguish whether it was made by the real signer $S$ or was produced by the designated verifier $DV$. Because both the signer and the designated verifier can generate a designated verifier signature, although the third party can understand that it was made by either the signer or the designated verifier, she cannot understand who actually made the signature. On the other hand, because only the signer and the designated verifier can generate a designated verifier signature, the designated verifier can verify it when he receives it from the signer. The CLUDVS scheme therefore satisfies the non-transferability property.

5.3 Unforgeability

Theorem 2 Let $A_I$ be a type I adversary, in the random oracle model, against the proposed scheme, that produces an existential forgery with probability $\varepsilon$ within time $\tau$, making $q_{H_1}$ and $q_{H_2}$ queries to the hash functions $H_1$ and $H_2$, and $q_s$ sign queries. If $\varepsilon > 10 q_{H_2}(q_s + 1)(q_s + q_{H_2})/q$, then the BDH problem can be solved with expected time $\tau' \leq 120686\, q_{H_1} q_{H_2} \tau/\varepsilon$.

Proof Recall that $A_I$ does not have access to the master key $s$, but can perform any public key replacement. Algorithm $B$ uses $A_I$ as a subroutine to solve the BDH problem. $B$ receives a random instance $(P, aP, bP, cP)$ of the BDH problem and has to compute the value of $e(P, P)^{abc}$. First, $B$ starts by setting $Q_S = aP$, $P_{pub} = bP$ and $X_{DV} = cP$. $B$ also chooses $x_S \in \mathbb{Z}_q^*$ and sets $P_S = (X_S, Y_S) = (x_S P, x_S P_{pub})$ and $P_{DV} = (X_{DV}, Y_{DV}) = (cP, x_{DV} P_{pub}) = (cP, bcP)$. $B$ returns all the parameters to $A_I$. $B$ controls $A_I$ and replaces $A_I$'s interaction with the signer by simulation. $B$ selects two random numbers $a', a'' \in \mathbb{Z}_q$ such that $a' - a'' = 1 \pmod q$. Then $B$ controls $A_I$ as follows.

Public-Key-Replacement. At any time during the simulation, for any user $i$ with identity $I_i$, adversary $A_I$ can choose a new secret value $x$ and compute the new public key $(X, Y)$. $A_I$ then replaces the public key of the user $i$ with $(X, Y)$, and $(x, X, Y, I_i)$ is submitted to $B$. $B$ records these replacements, which will be used later.

Hash queries. 1) Algorithm $B$ simulates the hash function $H_1$. At any time adversary $A_I$ can query $H_1$. To respond to these queries, algorithm $B$ maintains a list $H_1$-list. 2) Algorithm $B$ simulates the hash function $H_2$. At any time adversary $A_I$ can query $H_2$. To respond to these queries, algorithm $B$ maintains a list $H_2$-list. First round: when $A_I$ requests the value of $H_2(U \| m)$ for the given parameters, $B$ responds with $a' \in \mathbb{Z}_q$. Otherwise, it responds with the $H_2$-list that has been generated. Eventually, the output of the first round is $\sigma'_1 = (U, V'_1)$, where $V'_1 = e(x_{DV} Y, a' Q_S + U)$ under the public key $(X, Y)$ chosen by $A_I$. Second round: when $A_I$ requests the value of $H_2(U \| m)$ for the given parameters, $B$ responds with $a'' \in \mathbb{Z}_q$. Otherwise, it responds with the $H_2$-list that has been generated. Eventually, the output of the second round is $\sigma'_2 = (U, V'_2)$, where $V'_2 = e(x_{DV} Y, a'' Q_S + U)$ under the public key $(X, Y)$ chosen by $A_I$.

Sign queries. At any time $A_I$ can query the sign algorithm, and $B$ answers $A_I$'s queries as follows:
1) $h, z \in \mathbb{Z}_q^*$ are chosen at random.
2) $U = zP - hQ_S$ is computed.
3) $V = zY_S$ is computed.
4) $h = H_2(U \| m)$ is set.
Return $(U, V)$ to $A_I$ as a signature on $m$.

Forgery. $A_I$ eventually outputs a new valid designated verifier signature on the message $m$. According to the forking lemma [16], if $\varepsilon > 10 q_{H_2}(q_s + 1)(q_s + q_{H_2})/q$, then by replaying $A_I$ with the same tape but different choices of $H_2$, $A_I$ outputs two valid signatures $\sigma'_1 = (U, V'_1)$ and $\sigma'_2 = (U, V'_2)$ on the same message $m$ under the public key $(X, Y)$. From the two forgeries, $B$ consequently obtains $V'_1 = e(x_{DV} Y, a' Q_S + U)$ and $V'_2 = e(x_{DV} Y, a'' Q_S + U)$. From these equations, $B$ has:
$$V'_1 / V'_2 = e(x_{DV} Y, (a' - a'') Q_S) = e(x_{DV}\, x s P, Q_S) = e(x Y_{DV}, Q_S) = e(x\, bcP, aP) = e(P, P)^{abcx}$$
$B$ is assumed to keep a record of the private-public key pairs of $A_I$. Hence $B$ has the knowledge of $x$ corresponding to the public key $(X, Y)$ and of $(V'_1, V'_2)$, and $e(P, P)^{abc}$ can be obtained by computing $(V'_1 / V'_2)^{x^{-1}} = e(P, P)^{abc}$. The total running time $\tau'$ of solving the BDH problem is roughly equal to the running time of the forking lemma, which is bounded by $120686\, q_{H_1} q_{H_2} \tau/\varepsilon$, as desired. Thus, this completes the proof.

Theorem 3 Let $A_{II}$ be a type II adversary, in the random oracle model, against the proposed scheme, that produces an existential forgery with probability $\varepsilon$ within time $\tau$, making $q_{H_1}$ and $q_{H_2}$ queries to the hash functions $H_1$ and $H_2$, and $q_s$ sign queries. If $\varepsilon > 10 q_{H_2}(q_s + 1)(q_s + q_{H_2})/q$, then the BDH problem can be solved with expected time $\tau' \leq 120686\, q_{H_1} q_{H_2} \tau/\varepsilon$.

Proof Recall that $A_{II}$ has access to the master key $s$, but cannot perform any public key replacement. The construction of algorithm $B$, which solves the BDH problem using $A_{II}$'s capability, is as follows. The purpose of algorithm $B$ is to compute $e(P, P)^{abc}$ given $P, aP, bP, cP$, for some unknown $a, b, c \in \mathbb{Z}_q^*$. First, $B$ sets $Q_S = aP$, $X_S = bP$ and $X_{DV} = cP$. Then algorithm $B$ randomly chooses $s \in \mathbb{Z}_q^*$ and sets $P_{pub} = sP$, $P_S = (X_S, Y_S) = (bP, sX_S)$ and $P_{DV} = (X_{DV}, Y_{DV}) = (cP, sX_{DV})$. $B$ returns all the parameters to $A_{II}$. Because $A_{II}$ is a type II adversary, $B$ also sends the master key $s$ to $A_{II}$. $B$ selects two random numbers $a', a'' \in \mathbb{Z}_q$ such that $a' - a'' = 1 \pmod q$, as in the type I attack. Then $B$ controls $A_{II}$ as follows.

Hash queries. 1) Similar to Theorem 2. 2) Algorithm $B$ simulates the hash function $H_2$. At any time adversary $A_{II}$ can query $H_2$. To respond to these queries, algorithm $B$ maintains a list $H_2$-list. First round: when $A_{II}$ requests the value of $H_2(U \| m)$ for the given parameters, $B$ responds with $a' \in \mathbb{Z}_q$. Otherwise, it responds with the $H_2$-list that has been generated. Eventually, the output of the first round is $\sigma'_1 = (U, V'_1)$, where $V'_1 = e(x_{DV} Y_S, a' Q_S + U)$. Second round: when $A_{II}$ requests the value of $H_2(U \| m)$ for the given parameters, $B$ responds with $a'' \in \mathbb{Z}_q$. Otherwise, it responds with the $H_2$-list that has been generated. Eventually, the output of the second round is $\sigma'_2 = (U, V'_2)$, where $V'_2 = e(x_{DV} Y_S, a'' Q_S + U)$.

Sign queries. Similar to Theorem 2.

Forgery. $A_{II}$ outputs a new valid designated verifier signature on the message $m$. According to the forking lemma [16], if $\varepsilon > 10 q_{H_2}(q_s + 1)(q_s + q_{H_2})/q$, then by replaying $A_{II}$ with the same tape but different choices of $H_2$, $A_{II}$ outputs two valid signatures $\sigma'_1 = (U, V'_1)$ and $\sigma'_2 = (U, V'_2)$ on the same message $m$. When this happens, $B$ obtains $V'_1 = e(x_{DV} Y_S, a' Q_S + U)$ and $V'_2 = e(x_{DV} Y_S, a'' Q_S + U)$. Therefore, $B$ can obtain
$$V'_1 / V'_2 = e(x_{DV} Y_S, Q_S) = e(c\, s\, bP, aP) = e(P, P)^{abcs}$$
From this equation, $B$ can obtain $(V'_1 / V'_2)^{s^{-1}} = e(P, P)^{abc}$. Because $B$ has the knowledge of the master key $s$ and of $(V'_1, V'_2)$, $e(P, P)^{abc}$ can be obtained by computing $(V'_1 / V'_2)^{s^{-1}}$. The total running time $\tau'$ of solving the BDH problem is roughly equal to the running time of the forking lemma, which is bounded by $120686\, q_{H_1} q_{H_2} \tau/\varepsilon$, as desired. Thus, this completes the proof.

Remark. In Ref. [17] Lipmaa et al. introduced a new security property for designated verifier signatures: non-delegability. This means that neither the signer nor the designated verifier should be able to produce a "meta-key" which allows generating new signatures without revealing their secret. Even if this requirement is debatable, the scheme is delegable (for instance, the designated verifier $DV$ can publish $x_{DV} Y_S$). As suggested in Ref. [18], delegability is inherent to all UDVS.
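The scheme of Section 4, the identities of Section 5.1, the designated verifier's own forgery from Section 5.2 and the sign-query simulator of Theorem 2, exercised in a Python toy added here (this is not the paper's code). It replaces the elliptic-curve pairing with a toy symmetric pairing built from $\mathbb{Z}_q$ and an order-$q$ subgroup of $\mathbb{Z}_p^*$ (constructed parameters $q = 1019$, $p = 2039$), uses SHA-256 stand-ins for $H_1$ and $H_2$, and all function names are ours.

```python
"""Toy walk-through of the CLUDVS scheme (Section 4) and the checks of Sections 5.1-5.3.

Added example, not the paper's code.  The pairing is a TOY: G1 is the additive group Z_q
with generator P = 1, G2 is the order-q subgroup of Z_p^*, and e(A, B) = g^(A*B mod q) mod p.
It is bilinear and non-degenerate, so every identity in the paper can be exercised, but a
discrete log in G1 is trivial, so it has no security value at all.
"""
import hashlib
import secrets

# Toy parameters constructed for this example: p = 2q + 1 is prime, so g = 2^2 has order q.
Q = 1019             # prime order q of G1 and G2
P_MOD = 2039         # prime p with q | p - 1
G = 4                # generator of the order-q subgroup of Z_p^*
P = 1                # generator of the toy G1 = Z_q (group law: addition mod q)
_H2_LIST: dict = {}  # programmable H2 answers, the proof's "H2-list"

def e(A: int, B: int) -> int:
    """Toy admissible pairing: e(aP, bP) = g^(ab), hence e(xA, yB) = e(A, B)^(xy)."""
    return pow(G, A * B % Q, P_MOD)

def rand_zq_star() -> int:
    """A random element of Z_q^*."""
    return secrets.randbelow(Q - 1) + 1

def H1(identity: str) -> int:
    """H1: {0,1}* -> G1 (a nonzero element of Z_q), built from SHA-256."""
    return int.from_bytes(hashlib.sha256(b"H1" + identity.encode()).digest(), "big") % (Q - 1) + 1

def H2(U: int, m: bytes) -> int:
    """H2: G1 x {0,1}* -> Z_q^*, the paper's H2(U || m); answers may be pre-programmed."""
    if (U, m) not in _H2_LIST:
        digest = hashlib.sha256(b"H2" + U.to_bytes(8, "big") + m).digest()
        _H2_LIST[(U, m)] = int.from_bytes(digest, "big") % (Q - 1) + 1
    return _H2_LIST[(U, m)]

def keygen(s: int, P_pub: int, identity: str) -> dict:
    """Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key and Set-Public-Key."""
    Q_i = H1(identity)
    D_i = s * Q_i % Q                    # partial private key D_i = s Q_i issued by the KGC
    assert e(D_i, P) == e(Q_i, P_pub)    # the user's check e(D_i, P) = e(Q_i, P_pub)
    x_i = rand_zq_star()                 # secret value known only to the user
    return {"Q": Q_i, "x": x_i, "S": x_i * D_i % Q,      # full private key S_i = x_i s Q_i
            "X": x_i * P % Q, "Y": x_i * P_pub % Q}      # public key (X_i, Y_i) = (x_i P, x_i P_pub)

def sign(S: dict, m: bytes):
    """Sign: U = r Q_S, h = H2(U || m), V = (r + h) S_S."""
    r = rand_zq_star()
    U = r * S["Q"] % Q
    return U, (r + H2(U, m)) * S["S"] % Q

def public_verify(P_pub: int, S: dict, m: bytes, sig) -> bool:
    """Public Verification: e(X_S, P_pub) = e(Y_S, P) and e(P, V) = e(Y_S, h Q_S + U)."""
    U, V = sig
    return e(S["X"], P_pub) == e(S["Y"], P) and e(P, V) == e(S["Y"], (H2(U, m) * S["Q"] + U) % Q)

def designate(sig, X_DV: int):
    """Designation by any signature holder: V' = e(V, X_DV); only the verifier's public key is needed."""
    U, V = sig
    return U, e(V, X_DV)

def dv_value(S: dict, x_DV: int, U: int, m: bytes) -> int:
    """e(x_DV Y_S, h Q_S + U): the DV's check value, computable by the DV for ANY U (Sec. 5.2)."""
    return e(x_DV * S["Y"] % Q, (H2(U, m) * S["Q"] + U) % Q)

def designated_verify(P_pub: int, S: dict, x_DV: int, m: bytes, dsig) -> bool:
    """Designated Verification: V' must equal dv_value, which needs the verifier's own x_DV."""
    U, V_prime = dsig
    return e(S["X"], P_pub) == e(S["Y"], P) and V_prime == dv_value(S, x_DV, U, m)

def sim_sign(S: dict, m: bytes):
    """Theorem 2's sign-query simulator: U = zP - hQ_S, V = zY_S, then program H2(U || m) = h."""
    h, z = rand_zq_star(), rand_zq_star()
    U = (z * P - h * S["Q"]) % Q
    _H2_LIST[(U, m)] = h                 # B needs no S_S: e(P, zY_S) = e(Y_S, hQ_S + U)
    return U, z * S["Y"] % Q

def demo(m: bytes = b"constructed sample message") -> dict:
    """Run the whole flow once; every entry should be True."""
    s = rand_zq_star()                   # Setup: master key s and P_pub = sP
    P_pub = s * P % Q
    S, DV = keygen(s, P_pub, "signer@example.test"), keygen(s, P_pub, "verifier@example.test")
    U, V = sign(S, m)
    dsig = designate((U, V), DV["X"])
    U_f = rand_zq_star()                 # the DV picks its own U, distributed like r Q_S
    return {
        "public_ok": public_verify(P_pub, S, m, (U, V)),
        "designated_ok": designated_verify(P_pub, S, DV["x"], m, dsig),
        "consistency_5_1": dsig[1] == pow(e(P, V), DV["x"], P_MOD),   # V' = e(P, V)^x_DV
        "tampered_rejected": not public_verify(P_pub, S, m, (U, (V + 1) % Q)),
        "dv_forgery_accepted": designated_verify(P_pub, S, DV["x"], m, (U_f, dv_value(S, DV["x"], U_f, m))),
        "simulated_query_ok": public_verify(P_pub, S, m, sim_sign(S, m)),
    }
```

The `dv_forgery_accepted` entry is the non-transferability argument in one line: the value the verifier checks is a value the verifier can also manufacture, so a third party learns nothing from seeing it.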

6 Efficiency

The scheme is compared with the ID-based UDVS scheme in Ref. [6] in terms of computation overhead, and the result is summarized in Table 1 (the hash operations are ignored in all schemes). $P_a$ denotes the pairing operation, $P_m$ the point scalar multiplication on $G_1$, and $Ad$ the point addition on $G_1$.

Table 1 Comparison of the scheme and the scheme in Ref. [6]

Scheme           Sign     Public verification   Designation   Designated verification
The scheme       2 P_m    4 P_a + P_m + Ad      P_a           3 P_a + 2 P_m + Ad
The scheme [6]   2 P_m    2 P_a + P_m + Ad      P_a           P_a + P_m + Ad

From Table 1, it is easy to see that in the sign and designation phases the scheme is as efficient as the scheme in Ref. [6]. In the public verification and designated verification phases, the scheme costs a little more computation than the scheme in Ref. [6], but the scheme is a CLUDVS and thus alleviates the inherent key escrow problem of the ID-based UDVS scheme in Ref. [6].

7 Conclusions

In this article, the notion and a construction of a certificateless universal designated verifier signature (CLUDVS) scheme are proposed. The notion was formalized by proposing its model and security requirements. Security proofs were also provided for the scheme in the random oracle model, and it was proved that the scheme is unforgeable against both types of adversaries in the certificateless model under the Bilinear Diffie-Hellman assumption.

Acknowledgements This work is supported by the National Natural Science Foundation of China (60473027).

References
1. Gu Li-ze, Zhang Sheng, Yang Yi-xian. An improved proxy multi-signature scheme. The Journal of China Universities of Posts and Telecommunications, 2005, 12(1): 10-14
2. Jia Xiao-yun, Luo Shou-shan, Yuan Chao-wei. A new signature scheme with shared verification. The Journal of China Universities of Posts and Telecommunications, 2006, 13(2): 66-69
3. Mi Jun-li, Zhang Jian-zhong. New dynamic threshold signature scheme. The Journal of Chongqing University of Posts and Telecommunications: Natural Science, 2006, 18(3): 390-392 (in Chinese)
4. Li Li-yuan, Xu Qiu-liang. A threshold proxy signature scheme with actual signers. The Journal of Beijing University of Posts and Telecommunications, 2006, 29(4): 103-106 (in Chinese)
5. Steinfeld R, Bull L, Wang H, et al. Universal designated-verifier signatures. Proceedings of ASIACRYPT'03, Nov 30-Dec 4, 2003, Taipei, China. Berlin: Springer-Verlag, 2003: 523-542
6. Zhang Fang-guo, Susilo W, Mu Y, et al. Identity-based universal designated verifier signatures. Proceedings of 2005 IFIP International Conference on Embedded and Ubiquitous Computing, Dec 6-9, 2005, Nagasaki, Japan. Berlin: Springer-Verlag, 2005: 825-834
7. Zhang R, Furukawa J, Imai H. Short signature and universal designated verifier signature without random oracles. Proceedings of Applied Cryptography and Network Security, Jun 7-10, 2005, New York, NY, USA. Berlin: Springer-Verlag, 2005: 483-498
8. Shamir A. Identity-based cryptosystems and signature schemes. Proceedings of Crypto'84, Aug 19-22, 1984, Santa Barbara, CA, USA. Berlin: Springer-Verlag, 1985: 47-53
9. Al-Riyami S, Paterson K G. Certificateless public key cryptography. Proceedings of ASIACRYPT'03, Nov 30-Dec 4, 2003, Taipei, China. Berlin: Springer-Verlag, 2003: 452-473
10. Yum D H, Lee P J. Generic construction of certificateless signature. Proceedings of 9th Australasian Conference on Information Security and Privacy (ACISP'04), Jul 13-15, 2004, Sydney, Australia. Berlin: Springer-Verlag, 2004: 200-211
11. Gorantla M C, Saxena A. An efficient certificateless signature scheme. Proceedings of 2005 International Conference on Computational Intelligence and Security (CIS'05), Dec 15-19, 2005, Xi'an, China. Berlin: Springer-Verlag, 2005: 110-116
12. Li X, Chen K, Sun L. Certificateless signature and proxy signature schemes from bilinear pairings. Lithuanian Mathematical Journal, 2005, 45(1): 76-83
13. Zhang Zhen-feng, Wong Duncan S, Xu Jing, et al. Certificateless public-key signature: security model and efficient construction. Proceedings of 4th International Conference on Applied Cryptography and Network Security (ACNS'06), Jun 6-9, 2006, Singapore. Berlin: Springer-Verlag, 2006: 293-308
14. Boneh D, Franklin M. Identity-based encryption from the Weil pairing. Proceedings of Crypto'01, Aug 19-23, 2001, Santa Barbara, CA, USA. Berlin: Springer-Verlag, 2001: 213-229
15. Huang Xinyi, Susilo Willy, Mu Yi, et al. Certificateless designated verifier signature schemes. Proceedings of the 20th International Conference on Advanced Information Networking and Applications (AINA'06), Apr 18-20, 2006, Vienna, Austria. Piscataway, NJ, USA: IEEE, 2006: 15-19
16. Pointcheval D, Stern J. Security proofs for signature schemes. Proceedings of Eurocrypt'96, May 12-16, 1996, Saragossa, Spain. Berlin: Springer-Verlag, 1996: 387-398
17. Lipmaa H, Wang G, Bao F. Designated verifier signature schemes: attacks, new security notions and a new construction. Proceedings of 32nd International Colloquium on Automata, Languages and Programming (ICALP'05), Jul 11-15, 2005, Lisbon, Portugal. Berlin: Springer-Verlag, 2005: 459-471
18. Vergnaud D. New extensions of pairing-based signatures into universal designated verifier signatures. Proceedings of 32nd International Colloquium on Automata, Languages and Programming (ICALP'06), Jul 10-14, 2006, Venice, Italy. Berlin: Springer-Verlag, 2006: 58-69


Biographies:

MING Yang, from Shaanxi Province, Ph.D. candidate at Xidian University, interested in research on cryptography and digital signatures.

SHEN Xiao-qin, from Hubei Province, Ph.D. candidate at Xi'an Jiaotong University, interested in research on computational mathematics and probability.

WANG Yu-min, from Beijing, professor at Xidian University, interested in research on information theory, coding, and cryptography.