Provably secure certificate-based signature scheme without pairings

Provably secure certificate-based signature scheme without pairings

Information Sciences 233 (2013) 313–320 Contents lists available at SciVerse ScienceDirect Information Sciences journal homepage: www.elsevier.com/l...
Download PDF
213KB Sizes 2 Downloads 139 Views
Report

Information Sciences 233 (2013) 313–320

Contents lists available at SciVerse ScienceDirect

Information Sciences journal homepage: www.elsevier.com/locate/ins

Provably secure certificate-based signature scheme without pairings Jiguo Li ⇑, Zhiwei Wang, Yichen Zhang College of Computer and Information Engineering, Hohai University, Nanjing 210098, PR China

a r t i c l e

i n f o

Article history: Received 15 May 2011 Received in revised form 24 July 2012 Accepted 13 January 2013 Available online 30 January 2013 Keywords: Certificate-based signature Pairing Random oracle model Key replacement attack

a b s t r a c t In order to simplify certificate management in traditional public key cryptography and solve the key escrow problem in identity-based cryptography, the notion of certificatebased cryptography was introduced. Recently, Ming and Wang proposed a certificatebased signature scheme without pairings. They claimed that the scheme was existentially unforgeable against adaptive chosen message and identity attacks in the random oracle. In this paper, we show that the scheme is insecure against a malicious certifier under existing security model. We also propose a new efficient certificate-based signature scheme without pairings, which is proven secure in the random oracle model. Compared with the existed certificate-based signature schemes without parings, our scheme enjoys shorter signature length and less operation cost. Crown Copyright Ó 2013 Published by Elsevier Inc. All rights reserved.

1. Introduction In traditional public key cryptography (PKC), as user’s public key usually is a random string selected from a given set, the authenticity of the key needs to be certified by a certification authority (CA) with respect to the user’s identity. Anyone who wants to send a confidential message or verify a signature must first verify the corresponding certificate to check the validity of the public key. However, the issues associated with certificate management, including revocation, storage and distribution and the computational cost of certificate verification are facing many challenges. To solve the certificate management problem, Shamir [1] introduced the concept of identity-based cryptography (IBC) in 1984. This notion is to use a binary string which can uniquely identify a user as the user’s public key, such as identity number, email address, and IP address. Private keys are generated for users by a trusted third party called private key generator (PKG). Although IBC eliminates the need for certificates, the key escrow problem is inherent. Because the PKG knows any user’s private key, it can always impersonate any user or decrypt any ciphertexts. Moreover, the users’ private keys must be sent over secure channels. In Asiacrypt 2003, Al-Riyami and Paterson proposed a new paradigm called certificateless public key cryptography (CLPKC) [2]. CL-PKC also needs a trusted third party which is called key generation center (KGC). Unlike IBC, the KGC only generates a user’s partial private key, a user computes his full private key by combining his partial private key and a secret key chosen by himself, thus the key escrow problem in IBC can be overcome through this way. However, due to the lack of certificates, CL-PKC is easily suffered from key replacement attack [3,4] and key distribution problem also exists. In parallel to CL-PKC, Gentry introduced the notion of certificate-based encryption (CBE) in Eurocrypt 2003 [5]. A CBE scheme combines a public key encryption scheme and an identity-based encryption scheme while preserving their features. Each user generates his own private and public key and then requests a certificate from the CA. Unlike traditional PKC, the ⇑ Corresponding author. E-mail addresses: [email protected], [email protected] (J. Li). 0020-0255/$ - see front matter Crown Copyright Ó 2013 Published by Elsevier Inc. All rights reserved. http://dx.doi.org/10.1016/j.ins.2013.01.013

314

J. Li et al. / Information Sciences 233 (2013) 313–320

certificate in CBE is implicitly used as a part of the user’s private key for decryption. Although the CA knows the certificate of a user, it does not have the user’s private key, it cannot decrypt any ciphertexts. So key escrow problem doesn’t exist in CBE, and it also simplifies certificate management and eliminates third-party query in traditional PKC. Following Gentry’s idea, Kang, Park and Hahn proposed the security notion of certificate-based signature (CBS) [6]. They also proposed two concrete certificatebased signature schemes and a certificate-based proxy signature scheme. Unfortunately, Li et al. [7] pointed out that one of their schemes was insecure against key replacement attack and proposed a new efficient certificate-based signature scheme. Recently, Li et al. [8] presented a short certificate-based signature scheme, which requires only one pairing operation in signature generation and verification. In addition, the signature size of their scheme is only one group element. Subsequently, several certificate-based signature schemes [9–13] were proposed. Li et al. [14] defined an enhanced security model for certificatebased signcryption and proposed a new certificate-based signcryption scheme. As we know, more and more cryptography algorithms are applied to insecure environments such as mobile devices, so the exposure of secret key is inevitable. To alleviate the influence of key exposure, Li et al. [15,16] presented a forward-secure certificate-based signature scheme and a certificatebased key-insulated signature respectively. Nevertheless, the above schemes require pairing operations. According to the current MIRACL [17] implementation, a 512-bit Tate pairing takes 20 ms whereas a 1024-bit prime modular exponentiation takes 8.80 ms. In spite of the recent advances in implementation technique, the pairing computation is still considered as expensive comparing with normal operations such as modular exponentiations in finite fields. Research on cryptography protocol without pairing is mainly focused on certificateless encryption. In 2005, Baek et al. [18] proposed the first certificateless encryption scheme without pairing. Unfortunately, their scheme exists one drawback that the security proof only holds for a weaker security model in which the Type I adversary is not allowed to replace the public key associated with the challenge identity. Sun et al. [19] eliminated this limitation and construct a strongly secure certificateless encryption scheme without pairing. Recently, Selvi et al. [20] constructed an efficient certificateless signcryption scheme without pairing. However, certificateless encryption scheme suffers from the denial of decryption (DoD) Attack. In order to solve the above problem, Lai and Kou [21] proposed a self-generated-certificate public key encryption without pairing, which captured the DoD Attack. Liu et al. [22] first proposed a certificated-based signature scheme without pairings and another certificatebased signature scheme whose security can be proven in the standard model. However, Zhang [23] showed that the scheme without pairings was insecure and gave an improved scheme with pairings. Furthermore, Ming et al. [24] and Zhang et al. [25] proposed a new certificate-based signature scheme without pairings respectively in 2009. Our Contribution. In IAS 2009, Ming and Wang proposed a certificate-based signature scheme without pairings which was claimed secure against two attack games. In this paper, we first analyze the security of the scheme and show that the scheme is subject to universal forgery for a Type II adversary. Furthermore, we construct a new certificate-based signature scheme. Under the discrete logarithm assumption, we prove that our scheme is existentially unforgeable against adaptive chosen message and identity attacks in the random oracle model. Compared with the existed certificated-based signature schemes without parings, our scheme enjoys shorter signature length and less operation cost. Organization of the Paper. The rest of the paper is organized as follows. Section 2 gives some definitions and security models of CBS. We provide the corresponding attack in Section 3. In Section 4, we propose a new certificate-based signature scheme without pairings. We provide the security proof in Section 5. In Section 6, we analyze the performances of the proposed CBS schemes without pairings. Finally, we conclude the paper in Section 7. 2. Preliminaries 2.1. Mathematical assumption Definition 1 (Discrete Logarithm (DL) Assumption). Given a group G of prime order q with generator g and elements Y 2 G, the discrete logarithm (DL) problem in G is to output a 2 Zq such that Y = ga. An adversary A has at least an e advantage if

Pr½Aðg; YÞ ¼ ajY ¼ g a  P e We say that the (e, t)  DL assumption holds in a group G if no algorithm running in time at most t can solve DL problem in G with advantage at least e. 2.2. Outline of certificate-based signatures A certificate-based signature scheme is defined by five algorithms: Setup, UserKeyGen, Certify, Sign and Verify. The description of each algorithm is as follows: 1. Setup: This algorithm takes as input a security parameter 1k and returns the certifier’s master secret key msk and system public parameters params. 2. UserKeyGen: This algorithm takes the system public parameters params as input. It returns a public key PK and a secret key usk.

J. Li et al. / Information Sciences 233 (2013) 313–320

315

3. Certify: This algorithm takes master secret key msk, system public parameters params, the identity of a user ID and its public key PKID as input. It returns the user’s certificate CertID. 4. Sign: This algorithm takes system public parameters params, a message m, the identity ID of a user and its certificate CertID, public key PKID and secret key usk as input. It returns a signature r. 5. Verify: This algorithm takes a message/signature pair (m, r), system public parameters params, the user’s identity ID and its public key PKID as input. It returns 0 or 1. With output value 1, we say that r is a valid signature of the message, otherwise invalid. 2.3. Security model As defined in [6,7], we should consider two types of adversaries for a CBS scheme, a Type I adversary AI and a Type II adversary AII. The adversary AI models a malicious user who wants to forge a valid signature under the public key PK ID whose certificate is not known to him. That is, AI is not allowed to access to the certifier’s master secret key msk, but AI may request public keys and replace public keys with values of his choice. The adversary AII models the malicious certifier in possession of the master secret key msk who can not replace the user’s public key. We consider two games against the Type I and Type II adversaries as follows: Game I. The first game is performed between a challenger C and the Type I adversary AI for a certificate-based signature scheme as follows: Setup: The challenger C runs the algorithm Setup, returns params to the adversary AI and keeps msk secret. Queries: AI may adaptively issue the following queries to C: UserKeyGen Query: This oracle maintains a list L which is initially empty and used to record the information for each user. On input a user’s identity ID, if ID has already been created, nothing is carried out. Otherwise, C runs the algorithm UserKeyGen to produce a secret/public key pair (uskID, PKID) and adds (ID, uskID, PKID) to the list L. In this case, ID is said to be created. In both cases, the public key PKID is returned. Here we assume that other oracles only respond to the identity ID which has been created. PKReplace Query: On input a user’s identity ID and public key PK 0ID ; C replaces the user’s original public key PKID with PK 0ID . Corruption Query: On input a user’s identity ID, C checks the list L. If ID has already been created, C returns the corresponding secret key uskID. Otherwise, nothing is returned. Certification Query: On input a user’s identity ID and public key PKID, C runs the algorithm Certify and returns the user’s certificate CertID. Note that CertID is the certificate of the pair (ID, PKID). Sign Query: On input a pair (ID, m), C runs the algorithm Sign and returns the signature r. Note that if the user’s public key PKID has been replaced by AI, AI is required to supply the corresponding secret key uskID. Forge: Finally, AI outputs a message m⁄ and a signature r⁄ corresponding to a target identity ID⁄ and a public key PK ID . The adversary wins the game if – r⁄ is a valid signature on the message m⁄ under the public key PK ID and the system’s master public key mpk.   – ID ; PK ID has never been submitted to the Certification Query. – (ID⁄, m⁄) has never been submitted to the Sign Query. We define SuccAI to be the success probability that AI wins in the above game. Definition 2. We say a certificate-based signature scheme is secure against a (t, q) chosen message and chosen identity adversary AI, if AI runs in polynomial time t, makes at most q queries and SuccAI is negligible. Game II. The second game is performed between a challenger C and the Type II adversary AII for a certificate-based signature scheme as follows: Setup: The challenger C runs the algorithm Setup, returns params and msk to the adversary AII. Queries: AII may adaptively issue the following queries to C: UserKeyGen Query: This oracle maintains a list L which is initially empty and used to record the information for each user. On input a user’s identity ID, if ID has already been created, nothing is carried out. Otherwise, C runs the algorithm UserKeyGen to produce a secret/public key pair (uskID, PKID) and adds (ID, uskID, PKID) to the list L. In this case, ID is said to be created. In both cases, the public key PKID is returned. Here we assume that other oracles only respond to the identity ID which has been created. Corruption Query: On input a user’s identity ID, C checks the list L. If ID has already been created, C returns the corresponding secret key uskID. Otherwise, nothing is returned. Sign Query: On input a pair (ID, m), C runs the algorithm Sign and returns the signature r. Forge: Finally, AII outputs a message m⁄ and a signature r⁄ corresponding to a target identity ID⁄. The adversary wins the game if – r⁄ is a valid signature on the message m⁄ under the public key PK ID and the system’s master public key mpk. – ID⁄ has never been submitted to the Corruption Query.

316

J. Li et al. / Information Sciences 233 (2013) 313–320

– (ID⁄, m⁄) has never been submitted to the Sign Query. We define SuccAII to be the success probability that AII wins in the above game. Definition 3. We say a certificate-based signature scheme is secure against a (t, q) chosen message and chosen identity adversary AII, if AII runs in polynomial time t, makes at most q queries and SuccAII is negligible. 3. Security analysis of Ming-Wang’s certificate-based signature scheme In order to facilitate analysis, we review the CBS scheme in [24] as follows: Setup: Given a security parameter 1k where k 2 N, the algorithm works as follows: – Generate two primes p and q such that qjp  1. – Select a generator g 2 Zp . – Pick a random number s 2 Zq and compute mpk ¼ g s 2 Zp . – Choose two cryptographic hash functions H0 : f0; 1g ! Zq and H1 : f0; 1g ! Zq . The system parameters are params = hp, q, g, mpk, H0, H1i and master secret key msk is s. UserKeyGen: Given params, select a random number xID 2 Zq as the user private key SKID and compute PK ID ¼ g xID 2 Zp as the user public key. Certify: Given params, master secret key s, user public key PKID and user identity ID 2 {0, 1}⁄, randomly pick w 2 Zq and compute W ¼ g w 2 Zp ; d ¼ w þ sH0 ðIDkPK ID kWÞ, output a certificate CertID = hW, di. Sign: Given system parameters params, user identity ID, user private key xID, user certificate CertID and message m 2 {0, 1}⁄, the algorithm works as follows: – Choose a random number r 2 Zq and compute R ¼ g r 2 Zp . – Compute h = H1(IDkPKIDkWkRkm). – Compute v = r + (d + xID)h. The signature is r = hR, W, vi. Verify: Given params, public key PKID and message/signature pair hm, ri, this algorithm checks the equation

R ¼ g v ðW  PK ID ÞH1 ðIDkPK ID kWkRkmÞ mpk

H0 ðIDkPK ID kWÞH1 ðIDkPK ID kWkRkmÞ

If the equality holds, output accept; otherwise, reject. We will show that the scheme above is insecure against a CBS Type II adversary. The attack method is as follows: 0 0 The adversary first chooses a random value r0 2 Zq , computes R0 ¼ g r 2 Zp ; W 0 ¼ PK 1 ID ; h0 ¼ H0 ðIDkPK ID kW Þ; h1 ¼ H1 ðIDkPK ID kW 0 kR0 kmÞ; v 0 ¼ r0 þ s  h0  h1 . Then the forged signature on message is r0 = (R0 , W0 , v0 ). This is because signature r0 can satisfy the verification equation as follows: 0

0

g v ðW 0  PK ID ÞH1 ðIDkPK ID kW kR kmÞ mpk 0

H0 ðIDkPK ID kWÞH1 ðIDkPK ID kW 0 kR0 kmÞ

0

¼ g r þsh0 h1  g sh0 h1 ¼ g r

0

According to the above verification procedure, we know that the above equation holds. Therefore, it indicates that our attack is successful. Then we can show that a Type II adversary can forge signatures for any message and the scheme is insecure against a malicious certifier. 4. Our new certificate-based signature scheme In the following, our improved scheme is proposed, the detail steps are shown as follows: Setup: Given a security parameter 1k where k 2 N, the algorithm works as follows: – Generate two primes p and q such that qjp  1. – Select a generator g 2 Zp . – Pick a random number x 2 Zq and compute y = gxmod p. – Choose three cryptographic hash functions

H0 : f0; 1g  Zp  Zp ! Zq ; H1 : f0; 1g  Zp  Zp  Zp ! Zq ; H2 : f0; 1g  Zp  Zp  Zp ! Zq : The system parameters are params = hp, q, g, y, H0, H1, H2i and master secret key msk is x. UserKeyGen: Given params, select a random number xID 2 Zq as the user private key uskID and compute PK ID ¼ g xID mod p as the user public key. Certify: Given params, master secret key x, user public key PKID and user identityID 2 {0, 1}⁄, randomly pick s 2 Zq and compute W = gsmod p, R = s + xH0(ID, PKID, W)mod q, output the user’s certificate CertID = hW, Ri. Sign: Given params, user identity ID, user private key xID, user certificate CertID and message m 2 {0, 1}⁄, the algorithm works as follows: – Choose a random number r 2 Zq and compute U = grmod p. – Compute h1 = H1(m, PKID, U, W) and h2 = H2(m, ID, PKID, U, W).

J. Li et al. / Information Sciences 233 (2013) 313–320

317

– Compute z = R + xID  h1 + r  h2mod q. The signature is r = hU, W, zi. Verify: Given params, user public key PK ID and message/signature pair (m, r ), compute h 0 = H 0 (ID, PK ID , W), h1 = H1(m, PKID, U, W),h2 = H2(m, ID, PKID, U, W). This algorithm checks the equation

g z ¼ W  yh0  PK hID1  U h2 mod p: If the equality holds, output 1;otherwise, output 0.Correctness It is easy to see that the improved signature scheme is correct. If a signature r = hU, W, zi is valid, then it can pass the verification equation. Because

W  yh0  PK hID1  U h2 ¼ g s  g xh0  g xID h1  g rh2 ¼ g sþxh0  g xID h1 þrh2 ¼ g RþxID h1 þrh2 ¼ g z : 5. Security analysis Theorem 1 (Unforgeability against Game I Adversary). We assume the exponentiation operation in Zp takes time te. In the random oracle model, if there is a Type I chosen message and chosen identity adversary AI which runs in polynomial time at most t, makes at most qHi (for i = 0,1,2) Hi queries, qk UserKeyGen queries, qr PKReplace queries, qc corruption queries, qe certification queries and qs sign queries and wins the Game I defined in Section 2.3 with a probability e, then there exists an algorithm B which can solve the discrete logarithm problem with a probability e0 in polynomial time t0 , where

e0 P

1 qH 0

1

1 qH 0

!qe þqs

e; t0 6 2t þ ðqk þ 2qe þ 4qs Þte :

Proof. Let (p, q, g, Y = ga) be a random instance of the DLP taken as input by B. Its goal is to output a. In the proof, we regard the hash functions as the random oracles. For consistence, B needs maintain five lists Lk, Le, L0, L1, L2 which are initially empty. List Lk is used to record the UserKeyGen queries and PKReplace queries, list Le is used to record the certification queries and lists L0, L1, L2 are used to record Hi queries. Firstly B sets the master public key y = Y = ga and gives the system parameters p, q, g, y to AI. Next, B randomly chooses an index j such that 1 6 j 6 qH0 , where qH0 denotes the maximum number of queries to the random oracle H0. Note that we let IDj = ID⁄ where IDj is the j  th query to the random oracle H0 and j is chosen at the beginning of the above simulation of H0. Algorithm B will simulate the oracles and interact with the adversary AI as follows: UserKeyGen Query: On input a user’s identity IDi, B scans the list Lk to check whether IDi has already been defined. If not, B picks a random number xIDi 2 Zq and sets PK IDi ¼ g xIDi mod p. Then B adds ðIDi ; xIDi ; PK IDi Þ to the list Lk and returns PK IDi to AI. Otherwise, the defined value is returned. H0 Query: On input ðIDi ; PK IDi ; W i Þ, B scans the list L0 to check whether H0 has already been defined for that input. If not, B picks a random number di 2 Zq and returns as a hash value of ðIDi ; PK IDi ; W i Þ. Then B adds ðIDi ; PK IDi ; W i ; di Þ to the list L0. Otherwise, the defined value is returned. H1 Query: On input ðmi ; PK IDi ; U i ; W i Þ, B scans the list L1 to check whether H1 has already been defined for that input. If not, B picks a random number ei 2 Zq and returns as a hash value of ðmi ; PK IDi ; U i ; W i Þ. Then B adds ðmi ; PK IDi ; U i ; W i ; ei Þ to the list L1. Otherwise, the defined value is returned. H2 Query: On input ðmi ; IDi ; PK IDi ; U i ; W i Þ, B scans the list L2 to check whether H2 has already been defined for that input. If not, B picks a random number ki 2 Zq and returns as a hash value of ðmi ; IDi ; PK IDi ; U i ; W i Þ. Then B adds ðmi ; IDi ; PK IDi ; U i ; W i ; ki Þ to the list L2. Otherwise, the defined value is returned. PKReplace Query: On input a user’s identity IDi and public key PK 0IDi , B scans the list Lk to check whether IDi has been defined. If so, B sets PK IDi ¼ PK 0IDi and xIDi ¼?. Otherwise, B adds ðIDi ; ?; PK 0IDi Þ to the list Lk. Corruption Query: On input a user’s identity IDi, B scans the list Lk to check whether IDi has already been defined. If not, B chooses a random number xIDi 2 Zq and sets PK IDi ¼ g xIDi mod p. Then B adds ðIDi ; xIDi ; PK IDi Þ to the list Lk and returns xIDi to AI. Otherwise, the defined value is returned. Certification Query: On input a user’s identity IDi and public key PK IDi , B responds as follows: – If i – j, B scans the list Le to check whether IDi has already been defined. If not, B chooses two random numbers di ; Ri 2 Zq and computes W i ¼ g Ri  ydi mod p. Then B scans the list L0 to check whether ðIDi ; PK IDi ; W i Þ has already been defined. If so, B must rechoose di ; Ri 2 Zq until there is no collision. B further adds ðIDi ; PK IDi ; W i ; di Þ to the list L0, adds ðIDi ; PK IDi ; W i ; Ri Þ to list Le and returns CertIDi ¼ hW i ; Ri i to AI. Otherwise, the defined value is returned. – If i = j, B aborts. Sign Query: On input a pair (IDi, mi), B first makes UserKeyGen query and corruption query and gets PK IDi ; xIDi . If xIDi ¼?, AI is required to supply the corresponding secret key xIDi . Otherwise B responds as follows: – If i – j, B makes certification query and uses ðCertIDi ; xIDi Þ to sign  the message  1 mi. e kj – If i = j, B chooses dj ; zj ; ej ; kj 2 Zq at random and computes U j ¼ g zj  PK IDjj ; W j ¼ ydj . Then B sets H0 ðIDj ; PK IDj ; W j Þ ¼ dj ; H1 ðmj ; PK IDj ; U j ; W j Þ ¼ ej , H2 ðmj ; IDj ; PK IDj ; U j ; W j Þ ¼ kj . If hash functions H0, H1 and H2 turn out to have already been defined, B must rechoose the random values until there is no collision. Otherwise, B adds ðIDj ; PK IDj ; W j ; dj Þ to list L0, adds ðmj ; PK IDj ; U j ; W j ; ej Þ to list L1, adds ðmj ; IDj ; PK IDj ; U j ; W j ; kj Þ to list L2. Finally, (Uj, Wj, zj) is returned to AI.

318

J. Li et al. / Information Sciences 233 (2013) 313–320

  Eventually, AI outputs a forgery signature r⁄ = (W⁄, U⁄, z⁄) on message m⁄ with respect to ID ; PK ID . If ID⁄ – IDj, B aborts. Otherwise, using the forking lemma [26], B replays AI with the same random tape but different choice of the hash function H0. Note that the special step in the simulation of H1, H2 remains the same after forking. Then B can obtain another valid signature r0 = (W⁄, U⁄, z0 ). Then 



h



0

0

h



g z ¼ W   yh0  PK ID1  U h2 g z ¼ W   yh0  PK ID1  U h2 

0

z From these two forgeries, B can compute a ¼ hz h 0 . So B has successfully solved the DLP through this process. 0 0 According to the simulation, B can get the value of a if and only if all the following events happen: E1: B does not abort when answering oracle queries. E2: AI outputs a forgery signature successfully. E3: In the forgery output by AI, the identity of forgery signature is IDj.

 qe þqs From the simulation, we have Pr ½E1  P 1  qH1 ; Pr ½E2 jE1  ¼ e; Pr ½E3 jE1 ^ E2  ¼ qH1 , thus the success probability of B 0 0  qe þqs 0 1 1 e. solving DLP is e P qH 1  qH 0

0

The running time t0 of algorithm B is twice the running time t of AI plus the time needed to respond the oracle queries and the time to compute the DLP. We assume the exponentiation in Zp takes time te. Therefore, the total running time of B is t0 6 2t + (qk + 2qe + 4qs)te. h

Theorem 2 (Unforgeability against Game II Adversary). We assume the exponentiation operation in Zp takes time te. In the random oracle model, if there is a Type II chosen message and chosen identity adversary AII which runs in polynomial time at most t, makes at most qHi (for i = 0, 1, 2) Hi queries, qk UserKeyGen queries, qc corruption queries and qs sign queries and wins the Game II defined in Section 2.3 with a probability e, then there exists an algorithm B which can solve the discrete logarithm problem with a probability e0 in polynomial time t0 , where 0

e

1 P qH 0

1 1 qH0

!qc þqs

e; t0 6 2t þ ðqk þ 2qc þ 4qs Þte :

Proof. Let (p, q, g, Y = ga) be a random instance of the DLP taken as input by B. Its goal is to output a. In the proof, we regard the hash functions as the random oracles. For consistence, B needs maintain four lists Lk, L0, L1, L2 which are initially empty. List Lk is used to record the UserKeyGen queries and lists L0, L1, L2 are used to record Hi queries. Firstly B choose s 2 Zq at random, sets the master public key y = gs and gives the system parameters hp, q, g, yi and master secret key s to AII. Next, B randomly chooses an index j such that 1 6 j 6 qH0 , where qH0 denotes the maximum number of queries to the random oracle H0. Note that we let IDj = ID⁄ where IDj is the j  th query to the random oracle H0 and j is chosen at the beginning of the above simulation of H0. Algorithm B will simulate the oracles and interact with the adversary AII as follows: UserKeyGen Query: On input a user’s identity IDi, B scans the list Lk to check whether IDi has already been defined. If so, the defined value is returned. Otherwise, B responds as follows: – If i – j, B chooses a random number xIDi 2 Zq and sets PK IDi ¼ g xIDi mod p. Then B adds ðIDi ; xIDi ; PK IDi Þ to the list Lk and returns PK IDi to AII. – If i = j, B sets PK IDj ¼ Y. Then B adds ðIDj ; ?; PK IDj Þ to the list Lk and returns PK IDj to AII. H0 Query: On input ðIDi ; PK IDi ; W i Þ; B scans the list L0 to check whether H0 has already been defined for that input. If not, B picks a random number di 2 Zq and returns as a hash value of ðIDi ; PK IDi ; W i Þ. Then B adds ðIDi ; PK IDi ; W i ; di Þ to the list L0. Otherwise, the defined value is returned. H1 Query: On input ðmi ; PK IDi ; U i ; W i Þ, B scans the list L1 to check whether H1 has already been defined for that input. If not, B picks a random number ei 2 Zq and returns as a hash value of ðmi ; PK IDi ; U i ; W i Þ. Then B adds ðmi ; PK IDi ; U i ; W i ; ei Þ to the list L1. Otherwise, the defined value is returned. H2 Query: On input ðmi ; IDi ; PK IDi ; U i ; W i Þ; B scans the list L2 to check whether H2 has already been defined for that input. If not, B picks a random number ki 2 Zq and returns as a hash value of ðmi ; IDi ; PK IDi ; U i ; W i Þ. Then B adds ðmi ; IDi ; PK IDi ; U i ; W i ; ki Þ to the list L2. Otherwise, the defined value is returned. Corruption Query: On input a user’s identity IDi, B responds as follows: – If i – j, B scans the list Lk to check whether IDi has already been defined. If not, B chooses a random number xIDi 2 Zq and sets PK IDi ¼ g xIDi mod p. Then B adds ðIDi ; xIDi ; PK IDi Þ to the list Lk and returns xIDi to AII. Otherwise, the defined value is returned. – If i = j, B aborts.

319

J. Li et al. / Information Sciences 233 (2013) 313–320

Sign Query: On input a pair (IDi, mi),B first makes UserKeyGen query and corruption query and gets PK IDi ; xIDi . Then B responds as follows: – If i – j, B makes certification query and uses ðCertIDi ; xIDi Þ to sign the message  mi. e k1 j ; W j ¼ ydj . Then B sets – If i = j, B chooses dj ; zj ; ej ; kj 2 Zq at random and computes U j ¼ g zj  PK IDJj H0 ðIDj ; PK IDj ; W j Þ ¼ dj ; H1 ðmj ; PK IDj ; U j ; W j Þ ¼ ej ; H2 ðmj ; IDj ; PK IDj ; U j ; W j Þ ¼ kj . If hash functions H0, H1, H2 turn out to have already been defined, B must rechoose the random values until there is no collision. Otherwise, B adds ðIDj ; PK IDj ; W j ; dj to list L0, adds ðmj ; PK IDj ; U j ; W j ; ej Þ to list L1, adds ðmj ; IDj ; PK IDj ; U j ; W j ; kj Þ to list L2. Finally, (Uj, Wj, zj) is returned to AII.   Eventually, AII outputs a forgery signature r⁄ = (W⁄, U⁄, z⁄) on message m⁄ with respect to ID ; PK ID . If ID⁄ – IDj, B aborts. Otherwise, using the forking lemma [26], B replays AII with the same random tape but different choice of the hash function H1. Note that the special step in the simulation of H0, H2 remains the same after forking. Then B can obtain another valid signature r0 = (W⁄, U⁄, z0 ). Then 



h



0



h0



g z ¼ W   yh0  PK ID1  U h2 g z ¼ W   yh0  PK ID1  U h2 

0

z From these two forgeries, B can compute a ¼ hz h 0 . So B has successfully solved the DLP through this process. 1 1 According to the simulation, B can get the value of a if and only if all the following events happen: E1: B does not abort when answering oracle queries. E2: AII outputs a forgery signature successfully. E3: In the forgery output by AII, the identity of forgery signature is IDj.

 qc þqs ; P r ½E2 jE1  ¼ e; Pr ½E3 jE1 ^ E2  ¼ q1 , thus the success probability of B From the simulation, we have P r ½E1  P 1  q1 H0 H0  qc þqs e. solving DLP is e0 P qH1 1  qH1 0

0

The running time t0 of algorithm B is twice the running time t of AII plus the time needed to respond the oracle queries and the time to compute the DLP. We assume the exponentiation operation in Zp takes time te. Therefore, the total running time of B is t0 6 2t + (qk + qc + 4qs)te. h 6. Efficiency comparison In this section, we will analyze our proposed scheme by comparing with Liu et al. scheme [22], Ming et al. scheme [24] and Zhang et al. scheme [25] from computation efficiency and signature length and summarize the result in following table. We denote by E the modular exponentiation, A the modular addition, M the modular multiplication, H the hash function, jZp j the bit length of an element in group Zp ; jZq j the bit length of an element in group Zq .

Scheme

Sign

Verify

Signature length

Scheme in [22] Scheme in [24] Scheme in [25] Our Scheme

E + 2M + A + H E + M + 2A + H 3E + 3M + 3A + 2H E + 2M + 2A + 2H

7E + 5M + 3H 3E + 4M + 2H 7E + 5M + 4H 4E + 3M + 3H

3jZp j 2jZp j þ jZq j 7jZp j 2jZp j þ jZq j

Note that Liu et al. scheme [22] and Ming et al. scheme [24] are insecure against chosen message and chosen identity adversary in the random oracle model. The security proof is not given in Zhang et al. scheme [25]. While comparing with Zhang et al. scheme [25], our scheme enjoys shorter signature length and less operation cost.

7. Conclusion In this paper, we first analyze the security of the scheme presented by Ming and Wang [24] in IAS 2009 which was claimed secure against two attack games of certificate-based signature scheme. Then we show that the scheme is subject to universal forgery against a Type II adversary. We also propose a new certificate-based signature scheme without pairings. Under the discrete logarithm assumption, our scheme is shown to be existentially unforgeable against adaptive chosen message and identity attacks in the random oracle model. Compared with the existed certificated-based signature schemes without parings, our scheme enjoys shorter signature length and less operation cost.

320

J. Li et al. / Information Sciences 233 (2013) 313–320

Acknowledgements We would like to thank anonymous referees for their helpful comments and suggestions. This work is supported by the National Natural Science Foundation of China (61272542, 61103183, 61103184), the Fundamental Research Funds for the Central Universities (2009B21114, 2010B07114), the Six Talent Peaks Program of Jiangsu Province of China (2009182) and Program for New Century Excellent Talents in Hohai University. References [1] A. Shamir, Identity-based cryptosystems and signature schemes, in: G.R. Blakely, D. Chaum (Eds.), CRYPTO 1984, vol. 196, LNCS, 1985, pp. 47–53. [2] S.S. Al-Riyami, K.G. Paterson, Certificateless public key cryptography, in: Laih, C.S. (Ed.), ASIACRYPT 2003, LNCS, vol. 2894, 2003, pp. 452–473. [3] X.Y. Huang, W. Susilo, Y. Mu, F.T. Zhang, On the security of certificateless signature schemes from asiacrypt 2003, in: CANS 2005, LNCS, vol. 3810, 2005, pp. 13–25. [4] J.G. Li, X.Y. Huang, Y. Mu, W. Wu, Crytanalysis and improvement of an efficient certificateless signature scheme, Journal of Communications and Networks 10 (1) (2008) 10–17. [5] C. Gentry, Certificate-based encryption and the certificate revocation problem, in: E. Biham (Ed.), EUROCRYPT 2003, LNCS, vol. 2656, 2003, pp. 272– 293. [6] B.G. Kang, J.H. Park, S.G. Hahn, A certificate-based signature scheme, in: T. Okamato (Ed.), CT-RSA, 2004, LNCS, vol. 2964, 2004, pp. 99–111. [7] J.G. Li, X.Y. Huang, Y. Mu, W. Susilo, Q.H. Wu, Certificate-based signature: security model and efficient construction, in: J. Lopez, P. Samarati, J.L. Ferrer (Eds.), EuroPKI 2007, LNCS, vol. 4582, 2007, pp. 110–125. [8] J.G. Li, X.Y. Huang, Y.C. Zhang, L.Z. Xu, An efficient short certificate-based signature scheme, Journal of Systems and Software 85 (2) (2012) 314–322. [9] M.H. Au, J.K. Liu, W. Susilo, T.H. Yuen, Certificate based (linkable) ring signature, in: E. Dawson, D.S. Wong (Eds.), ISPEC 2007, LNCS, vol. 4464, 2007, pp. 79–92. [10] L.H. Wang, J. Shao, Z.F. Cao, M. Mambo, A. Yamamura, A certificate-based proxy cryptosystem with revocable proxy decryption power, in: K. Srinathan, C. Pandu Rangan, M. Yung (Eds.), INDOCRYPT 2007, LNCS, vol. 4859, 2007, pp. 297–311. [11] W. Wu, Y. Mu, W. Susilo, X.Y. Huang, Certificate-based signatures: new definitions and a generic construction from certificateless signatures, in: K.I. Chung, K. Sohn, M. Yung (Eds.), WISA 2008, LNCS, vol. 5379, 2009, pp. 99–114. [12] J.G. Li, L.Z. Xu, Y.C. Zhang, Provably secure certificate-based proxy signature schemes, Journal of Computers 4 (6) (2009) 444–452. [13] J.G. Li, X.Y. Huang, Y. Mu, W. Susilo, Q.H. Wu, Constructions of certificate-based signature secure against key replacement attacks, Journal of Computer Security 18 (3) (2010) 421–449. [14] J.G. Li, X.Y. Huang, M.X. Hong, Y.C. Zhang, Certificate-based signcryption with enhanced security features, Computers and Mathematics with Applications 64 (6) (2012) 1587–1601. [15] J.G. Li, Y.C. Zhang, H.Y. Teng, A forward-secure certificate-based signature scheme in the standard model, in: Y. Xiang et al. (Eds.), CSS 2012, LNCS, vol. 7672, 2012, pp. 362–376. [16] H.T. Du, J.G. Li, Y.C. Zhang, T. Li, Y.X. Zhang, Certificate-based key-insulated signature, in: Y. Xiang et al. (Eds.), ICDKE 2012, LNCS, vol. 7646, 2012, pp. 493–507. [17] MIRACL, Multiprecision Integer and Rational Arithmetic C/C++ Library, . [18] J. Baek, R. Safavi-Naini, W. Susilo, Certificateless public key encryption without pairing, in: J. Zhou et al. (Eds.), ISC 2005, LNCS, vol. 3650, 2005, pp. 134– 148. [19] Y.X. Sun, F.T. Zhang, J. Baek, Strongly secure certificateless public key encryption without pairing, in: F. Bao et al. (Eds.), CANS 2007, LNCS, vol. 4856, 2007, pp. 194–208. [20] S. Selvi, S. Vivek, C. Rangan, Cryptanalysis of certificateless signcryption schemes and an efficient construction without pairing, in: F. Bao et al. (Eds.), Inscrypt 2009, LNCS, vol. 6151, 2010, pp. 75–92. [21] J.Z. Lai, W.D. Kou, Self-generated-certificate public key encryption without pairing, in: T. Okamoto, X. Wang (Eds.), PKC 2007, LNCS, vol. 4450, 2007, pp. 476–489. [22] J.K. Liu, J. Baek, W. Susilo, J. Zhou, Certificate-based signature scheme without pairings or random oracles, in: T.C. Wu et al. (Eds.), ISC 2008, LNCS, vol. 5222, 2008, pp. 285–297. [23] J. Zhang, On the security of a certificate-based signature scheme and its improvement with pairings, in: F. Bao, H. Li, G. Wang (Eds.), ISPEC 2009, LNCS, vol. 5451, 2009, pp. 47–58. [24] Y. Ming, Y. Wang, Efficient certificate-based signature scheme, IAS 2009, vol.2, IEEE, 2009, pp. 87–90. [25] J. Zhang, H. Chen, Q. Geng, An efficient certificate-based signature scheme without pairings, in: WCSE 2009, IEEE, vol.2, 2009, pp. 44–48. [26] D. Pointcheval, J. Stern, Security proofs for signature schemes, in: EURPCRYPT 1996, LNCS, vol. 1070, 1996, pp. 387–398.