This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the ICC 2008 proceedings.

A New Provably Secure Certificateless Signature Scheme

Lei Zhang, College of Mathematics and Computer Science, Nanjing Normal University, P.R. China. Email: lei [email protected]

Futai Zhang, College of Mathematics and Computer Science, Nanjing Normal University, P.R. China. Email: [email protected]

Abstract: Certificateless public key cryptography was introduced by Al-Riyami and Paterson to overcome the key escrow problem of ID-PKC. In this paper, we present an efficient certificateless signature scheme using bilinear maps. The scheme can be proved secure in the strongest security model of certificateless signature schemes. In terms of computational cost, only two pairing operations in total are required for signing and verification. It is more efficient than the other existing certificateless signature schemes secure against a super Type I/II adversary.

Index Terms: certificateless cryptography, certificateless signature, computational Diffie-Hellman problem, random oracle model.

I. INTRODUCTION

Identity-based public key cryptography (ID-PKC) was first introduced by Shamir [13] in 1984. In this setting, the public key of a user is just his identity, such as his telephone number or email address. This simplifies the certificate management procedures of the public key infrastructure (PKI) used in traditional public key cryptography. However, ID-PKC suffers from the key escrow problem: a third party, the Private Key Generator (PKG), which is responsible for generating the private keys of users, knows the private key of every user in the system. To overcome this drawback, Al-Riyami and Paterson [1] invented a new paradigm called certificateless public key cryptography (CL-PKC). CL-PKC also uses a third party, the Key Generation Center (KGC), to help a user generate his secret key; however, the KGC only provides a partial private key for each user. The full private key is generated by the user himself from the partial private key obtained from the KGC and secret information he chooses. Hence CL-PKC removes the key escrow problem. The public key of the user is computed from the KGC's public parameters and his secret information, and is published by the user himself.

Related Works: Several certificateless signature (CLS) schemes have been presented since the first attempt in [1]. Huang et al. [8] pointed out a security drawback of the original CLS scheme in [1] and defined a security model for CLS schemes. Later, Zhang et al. [17] improved the security model of CLS schemes and presented a more efficient CLS scheme. In [15], Yum and Lee presented a generic way to construct CLS schemes. However, Hu et al. [7] showed that their construction is insecure and presented a new construction; the security model of CLS schemes was further developed in [7]. Recently, Choi et al. [5] (see footnote 1) and Yap et al. [14] presented efficient CLS schemes whose security was proved in the first security model of CLS schemes, presented by Huang et al. [8]. Unfortunately, Yap et al.'s scheme [14] is not secure and was broken in [11], [16]. The reason is that this model does not capture the most powerful ability of the Type I adversary. Up to now, the security of most existing CLS schemes has been proved in the random oracle model. A concrete CLS scheme secure in the standard model was proposed by Liu et al. [10]. A new kind of Type II attack, the 'malicious but passive KGC attack', was introduced in [2]; in this attack the KGC is assumed to be malicious from the very beginning of the Setup stage of the system. Very recently, Huang et al. [9] revisited the security models of certificateless signature schemes. They further classified the Type I/II adversary into three kinds, namely the normal, strong and super Type I/II adversary, whose abilities range from weak to strong. A normal adversary can only obtain from the target signer message-signature pairs that are valid under the original public key. A strong adversary can obtain message-signature pairs that are valid under a replaced public key, provided he supplies the secret value corresponding to the replaced public key. A super adversary can obtain message-signature pairs that are valid under a public key of his own choice without supplying the secret value corresponding to that public key. In [4], [11], [16], examples are given showing that a Type I adversary can break a CLS scheme without knowing the secret value corresponding to the verification public key. So, to capture the most powerful ability of the adversary, we should consider a super Type I/II adversary. Two new CLS schemes are also presented in [9]. The first one has a rather short signature length (see footnote 2), with its security proved in a very weak model where the Type I adversary is a normal Type I adversary. The other one is very efficient, requiring only two pairing operations, and its security was proved in the strongest security model, where the Type I/II adversary is a super adversary; but it has a long signature length.

Footnote 1: They presented two efficient CLS schemes; the first one requires two pairing operations and the second one requires one pairing operation, but the second one has a long signature length.

Footnote 2: In [6], Du and Wen proposed a very efficient short CLS scheme; however, there is a mistake in their proof.

So far as we know, there are only a few CLS schemes

978-1-4244-2075-9/08/$25.00 ©2008 IEEE


[9], [17] secure against a super Type I/II adversary.

Our Contribution: In this paper, we present a very efficient CLS scheme that requires only two pairing operations. The signature length of our new scheme is 2/3 of that of Huang et al.'s scheme [9]. As to security, our new CLS scheme is proved secure in the strongest security model of CLS schemes, where the Type I/II adversary is a super Type I/II adversary. We complete our security proof in the random oracle model [3], assuming the hardness of the computational Diffie-Hellman problem in groups with bilinear maps.

II. PRELIMINARIES

A. Bilinear Maps

Let $G_1$ be an additive group of prime order $q$ and $G_2$ be a multiplicative group of the same order. An admissible map $e: G_1 \times G_1 \to G_2$ is called a bilinear map if it satisfies the following properties:
1) Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$.
2) Non-degeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
3) Computability: there exists an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.

Discrete Logarithm (DL) Problem: Given a generator $g$ of a cyclic group $G$ of order $q$ and $h \in G^*$, find an integer $a \in \mathbb{Z}_q^*$ such that $h = g^a$.

Computational Diffie-Hellman (CDH) Problem: Given a generator $g$ of a cyclic group $G$ of order $q$ and $(g^a, g^b)$ for unknown $a, b \in \mathbb{Z}_q^*$, compute $g^{ab}$.

B. Framework of Certificateless Signature Schemes

A CLS scheme consists of six algorithms [9], described as follows.
• Setup: run by the KGC; takes a security parameter as input and generates a master-key and a list of system parameters params.
• Partial-Private-Key-Extract: run by the KGC; takes a user's identity $ID$, the parameter list params and the master-key as input and produces the user's partial private key $D_{ID}$.
• Set-Secret-Value: run by the user; takes params and the user's identity $ID$ as input and produces the user's secret value $x_{ID}$.
• Set-Public-Key: run by the user; takes params, the identity $ID$ and the secret value $x_{ID}$ as input and produces the public key $P_{ID}$ of this user.
• Sign: run by the signing user; takes params, a message $M \in \mathcal{M}$ ($\mathcal{M}$ is the message space), the user's identity $ID$, public key $P_{ID}$, partial private key $D_{ID}$ and secret value $x_{ID}$ as input and produces a signature $\sigma$ on $M$.
• Verify: run by a verifier; takes a message $M$, a signature $\sigma$, params, the signer's identity $ID$ and the corresponding public key $P_{ID}$ as input and outputs true if the signature is valid, or $\bot$ otherwise.

C. Adversarial Model of Certificateless Signature Schemes

There are two types of adversaries in CL-PKC, namely the Type I adversary and the Type II adversary, with different capabilities. A Type I adversary $\mathcal{A}_I$ does not have access to the master-key, but has the ability to replace the public key of any entity with a value of his choice. A Type II adversary $\mathcal{A}_{II}$ has access to the master-key but cannot replace the target user's public key. The security of a CLS scheme is modeled via the following two games between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}_I$ or $\mathcal{A}_{II}$.

Game 1 (for a Type I adversary)

Setup: $\mathcal{C}$ runs the Setup algorithm on a security parameter to obtain a master-key and the system parameter list params. $\mathcal{C}$ then sends params to the adversary $\mathcal{A}_I$ and keeps the master-key secret.

Attack: The adversary $\mathcal{A}_I$ can perform a polynomially bounded number of the following types of queries in an adaptive manner.
• Partial-Private-Key Queries $PPK(ID_i)$: $\mathcal{A}_I$ can request the partial private key of any user with identity $ID_i$. In response, $\mathcal{C}$ outputs the partial private key $D_i$ of the user.
• Public-Key Queries $PK(ID_i)$: $\mathcal{A}_I$ can request the public key of the user with identity $ID_i$. In response, $\mathcal{C}$ outputs the public key for identity $ID_i$.
• Secret-Value Queries $SV(ID_i)$: $\mathcal{A}_I$ can request the secret value of the user with identity $ID_i$. In response, $\mathcal{C}$ outputs the secret value $x_i$ for identity $ID_i$ (it outputs $\bot$ if the user's public key has been replaced).
• Public-Key-Replacement Queries $PKR(ID_i, P_i')$: For any user with identity $ID_i$, $\mathcal{A}_I$ can choose a new public key $P_i'$ and set it as the public key of this user. $\mathcal{C}$ records this replacement.
• Sign Queries $S(M_i, ID_i, P_i)$: $\mathcal{A}_I$ can request the signature of the user with identity $ID_i$ on a message $M_i$. On receiving a query $S(M_i, ID_i, P_i)$, $\mathcal{C}$ generates a signature $\sigma_i$ on message $M_i$ and returns $\sigma_i$ as the answer. It is required that $\sigma_i$ be a valid signature on $M_i$ under identity $ID_i$ and public key $P_i$ ($P_i$ is chosen by $\mathcal{A}_I$, who need not supply the secret value used to generate $P_i$).

Forgery: Finally, $\mathcal{A}_I$ outputs a tuple $(M^*, \sigma^*, ID^*, P_{ID^*})$. We say that $\mathcal{A}_I$ wins Game 1 if
1) $\sigma^*$ is a valid signature on $M^*$ under identity $ID^*$ and the corresponding public key $P_{ID^*}$;
2) $\mathcal{A}_I$ has never requested the partial private key of the user with identity $ID^*$;
3) $S(M^*, ID^*, P_{ID^*})$ has never been submitted as a Sign query.

Game 2 (for a Type II adversary)

Setup: $\mathcal{C}$ runs the Setup algorithm on a security parameter to obtain the system parameter list params and the system's master-key. $\mathcal{C}$ then sends both params and the master-key to the adversary $\mathcal{A}_{II}$.


Attack: The adversary $\mathcal{A}_{II}$ can perform a polynomially bounded number of the following types of queries in an adaptive manner.
• Public-Key Queries $PK(ID_i)$: $\mathcal{A}_{II}$ can request the public key of a user with identity $ID_i$ of his choice. In response, $\mathcal{C}$ outputs the public key $P_i$ for identity $ID_i$.
• Secret-Value Queries $SV(ID_i)$: $\mathcal{A}_{II}$ can choose a user with identity $ID_i$ and request this user's secret value. In response, $\mathcal{C}$ outputs the secret value $x_i$ for identity $ID_i$ (it outputs $\bot$ if the user's public key has been replaced).
• Public-Key-Replacement Queries $PKR(ID_i, P_i')$: For any user with identity $ID_i$, $\mathcal{A}_{II}$ can choose a new public key $P_i'$ and set it as the public key of this user.
• Sign Queries $S(M_i, ID_i, P_i)$: $\mathcal{A}_{II}$ can request the signature of the user with identity $ID_i$ on a message $M_i$. On receiving a query $S(M_i, ID_i, P_i)$, $\mathcal{C}$ replies with a signature $\sigma_i$ on message $M_i$ for the user with identity $ID_i$ and public key $P_i$ ($P_i$ is chosen by $\mathcal{A}_{II}$, who need not supply the secret value used to generate $P_i$).

Forgery: Finally, $\mathcal{A}_{II}$ outputs a tuple $(M^*, \sigma^*, ID^*, P_{ID^*})$. We say that $\mathcal{A}_{II}$ wins Game 2 if this tuple satisfies the following requirements:
1) $\sigma^*$ is a valid signature on message $M^*$ under identity $ID^*$ and the corresponding public key $P_{ID^*}$, i.e. it passes the verification algorithm;
2) $\mathcal{A}_{II}$ has never requested the secret value of the user with identity $ID^*$;
3) $\mathcal{A}_{II}$ has never made a Public-Key-Replacement query on $ID^*$;
4) $S(M^*, ID^*, P_{ID^*})$ has never been submitted as a Sign query.

Definition 1: A CLS scheme is existentially unforgeable under adaptively chosen-message attack iff the success probability of any polynomially bounded adversary in the above two games is negligible.

III. OUR CERTIFICATELESS SIGNATURE SCHEME

A. An Efficient Construction

The construction of our efficient CLS scheme is as follows.
• Setup: Given a security parameter, the KGC chooses a cyclic additive group $G_1$ generated by $P$ with prime order $q$, a cyclic multiplicative group $G_2$ of the same order and a bilinear map $e: G_1 \times G_1 \to G_2$. The KGC also chooses a random $\lambda \in \mathbb{Z}_q^*$ as the master-key, sets $P_T = \lambda P$, and chooses cryptographic hash functions $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_3: \{0,1\}^* \to \mathbb{Z}_q^*$. The system parameter list is params $= (G_1, G_2, e, P, P_T, H_1, H_2, H_3)$. The message space is $\mathcal{M} = \{0,1\}^*$.
• Partial-Private-Key-Extract: This algorithm takes params, the master-key $\lambda$ and a user's identity $ID_i \in \{0,1\}^*$ as input and generates the partial private key for the user as follows.

1) Compute $Q_i = H_1(ID_i \| P)$ (see footnote 3).
2) Output the partial private key $D_i = \lambda Q_i$.
• Set-Secret-Value: This algorithm takes params and a user's identity $ID_i$ as input, selects a random $x_i \in \mathbb{Z}_q^*$ and outputs $x_i$ as the user's secret value.
• Set-Public-Key: This algorithm takes params, a user's identity $ID_i$ and this user's secret value $x_i \in \mathbb{Z}_q^*$ as input and produces the user's public key $P_i = x_i P$.
• Sign: To sign a message $M \in \mathcal{M}$ using the partial private key $D_i$ and the secret value $x_i$, the signer with identity $ID_i$ and corresponding public key $P_i$ performs the following steps.
1) Choose a random $r \in \mathbb{Z}_q^*$ and compute $R = rP$.
2) Compute $u = H_2(R \| P_i \| M)$ and $v = H_3(R \| P_i \| M)$.
3) Compute $V = (u x_i + r) Q_i + v D_i$.
4) Output $\sigma = (R, V)$ as the signature on $M$.
• Verify: To verify a signature $\sigma = (R, V)$ on a message $M$ for identity $ID_i$ and public key $P_i$, the verifier performs the following steps.
1) Compute $Q_i = H_1(ID_i \| P)$, $u = H_2(R \| P_i \| M)$ and $v = H_3(R \| P_i \| M)$.
2) Check whether $e(V, P) = e(u P_i + v P_T + R, Q_i)$. If the equation holds, output true; otherwise output $\bot$.

Correctness: since $D_i = \lambda Q_i$, a genuine signature satisfies $V = (u x_i + r + v\lambda) Q_i$, and by bilinearity $e(V, P) = e(Q_i, P)^{u x_i + v\lambda + r} = e((u x_i + v\lambda + r)P, Q_i) = e(u P_i + v P_T + R, Q_i)$. Note that the public key $P_i$ is an input of both $H_2$ and $H_3$, so a signature is bound to the public key under which it was produced.

Using the technique described in [1], our scheme can easily achieve trust level 3 [1].

B. Comparison

We compare the efficiency of our scheme with that of the other two available CLS schemes secure against super Type I and Type II adversaries. The comparison is shown in Table 1. We only consider the costly operations and omit the computations that can be pre-computed by the signer in the Sign phase. We denote by P a pairing operation, by S a scalar multiplication in $G_1$, by H a MapToPoint hash operation and by E an exponentiation in $G_2$. SL denotes the signature length, PKL the public key length, P1 the length of a point in $G_1$ and Z1 the length of an element of $\mathbb{Z}_q^*$.

Table 1. Comparison of Three CLS Schemes

Scheme           Sign        Verify              SL          PKL
Scheme in [9]    3S, 1E      2P, 2S, 1E, 1H      2Z1, 1P1    1P1
Scheme in [17]   3S, 2H      4P, 3H              2P1         1P1
Our Scheme       2S          2P, 2S, 1H          2P1         1P1

The comparison shows that in the signing phase our CLS scheme requires only two scalar multiplications in $G_1$; it is faster than the schemes in [9], [17]. In the verification phase, our scheme also has a computational advantage: it requires the least computational effort of the three. In addition, the signature length of our scheme is about 2/3 of that of Huang et al.'s scheme [9], and the public key of our scheme is one point in $G_1$, the same as in the other two schemes [9], [17].

Footnote 3: We add the system parameter $P$ to the input of the hash function $H_1$ in order to avoid the malicious KGC attack [2].
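The scheme of Section III, together with the extraction step that closes the proofs in Section IV, worked through as an added example; this is not the authors' code. The bilinear setting is a constructed toy: $G_1 = G_2 = (\mathbb{Z}_q, +)$ with $P = 1$ and $e(A, B) = A \cdot B \bmod q$, which satisfies the bilinearity and non-degeneracy properties of Section II-A but makes DL and CDH trivial, so the code exercises the scheme's algebra and the verification equation, not its security. The SHA-256 encoding of $H_1$, $H_2$, $H_3$ (domain tags and length prefixes), the identity and message strings, and all function names are this example's assumptions.

```python
import hashlib
import secrets

# Constructed toy bilinear setting (insecure; it exercises the algebra only):
# G1 = (Z_q, +) with generator P = 1, so the "point" k*P is the residue k;
# G2 = (Z_q, +) too, and e(A, B) = A*B mod q.  This is bilinear and non-degenerate
# (e(P, P) = 1 != 0), but discrete logs are read off directly, so DL and CDH are
# trivial here.  In the paper G2 is multiplicative and e(A, B) = e(P, P)^(ab);
# the value computed below is that exponent.
q = (1 << 61) - 1        # Mersenne prime 2^61 - 1: the order of G1 and G2
P = 1                    # generator of G1

def add(A, B): return (A + B) % q
def mul(k, A): return (k * A) % q
def pairing(A, B): return (A * B) % q
def enc(A): return A.to_bytes(8, "big")      # fixed-width encoding of a G1 element

def _hash(tag, *parts):
    # Domain-separated, length-prefixed SHA-256 standing in for the paper's
    # H(a||b||c); the encoding is this example's choice.  Output lies in [1, q-1].
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return 1 + int.from_bytes(h.digest(), "big") % (q - 1)

def H1(ID): return _hash(b"H1", ID, enc(P))               # {0,1}* -> G1 \ {0}; P hashed in (footnote 3)
def H2(R, Pi, M): return _hash(b"H2", enc(R), enc(Pi), M)  # {0,1}* -> Z_q^*
def H3(R, Pi, M): return _hash(b"H3", enc(R), enc(Pi), M)  # {0,1}* -> Z_q^*
def rand_scalar(): return 1 + secrets.randbelow(q - 1)     # uniform in Z_q^*

# --- the six algorithms of Section III-A ------------------------------------
def setup():
    lam = rand_scalar()                  # master-key lambda
    return {"P_T": mul(lam, P)}, lam     # (params, master-key)

def partial_private_key_extract(lam, ID):
    return mul(lam, H1(ID))              # D_i = lambda * Q_i

def set_secret_value():
    return rand_scalar()                 # x_i

def set_public_key(x):
    return mul(x, P)                     # P_i = x_i * P

def _sign_core(Q, D, x, r, u, v):
    # Sign step 3: V = (u*x_i + r)*Q_i + v*D_i.  Kept separate so the fork
    # demonstration can re-run it with the same r and a reprogrammed hash value.
    return add(mul((u * x + r) % q, Q), mul(v, D))

def sign(ID, Pi, D, x, M):
    Q = H1(ID)
    r = rand_scalar()
    R = mul(r, P)                                              # step 1
    V = _sign_core(Q, D, x, r, H2(R, Pi, M), H3(R, Pi, M))     # steps 2-3
    return (R, V)

def verify(params, ID, Pi, M, sig):
    R, V = sig
    Q = H1(ID)
    u, v = H2(R, Pi, M), H3(R, Pi, M)
    # e(V, P) =? e(u*P_i + v*P_T + R, Q_i)
    return pairing(V, P) == pairing(add(add(mul(u, Pi), mul(v, params["P_T"])), R), Q)

# --- extraction step of the proofs in Section IV ----------------------------
def extract_from_h3_fork(V1, V2, v1, v2):
    # Theorem 1: same (R, u), H3 answers v1 != v2  =>  V1 - V2 = (v1 - v2)*D_ID,
    # and in the reduction D_ID = a*Q_ID = abP.
    return mul(pow((v1 - v2) % q, -1, q), (V1 - V2) % q)

def extract_from_h2_fork(V1, V2, u1, u2):
    # Theorem 2: same (R, v), H2 answers u1 != u2  =>  V1 - V2 = (u1 - u2)*x_ID*Q_ID,
    # which is abP when P_ID = aP and Q_ID = bP.
    return mul(pow((u1 - u2) % q, -1, q), (V1 - V2) % q)

def demo(ID=b"alice@example.org", M=b"constructed sample message"):
    params, lam = setup()
    D = partial_private_key_extract(lam, ID)
    x = set_secret_value()
    Pi = set_public_key(x)
    sig = sign(ID, Pi, D, x, M)
    replaced_Pi = set_public_key(set_secret_value())   # a key replacement by A_I
    # Forking: same r, reprogram H3 (v -> v2) or H2 (u -> u2); all values in Z_q^*.
    Q = H1(ID)
    r, u, v = rand_scalar(), rand_scalar(), rand_scalar()
    u2, v2 = u % (q - 1) + 1, v % (q - 1) + 1
    V_a = _sign_core(Q, D, x, r, u, v)
    V_b = _sign_core(Q, D, x, r, u, v2)
    V_c = _sign_core(Q, D, x, r, u2, v)
    return {
        "valid": verify(params, ID, Pi, M, sig),
        "rejects_modified_message": not verify(params, ID, Pi, M + b"!", sig),
        "rejects_replaced_public_key": not verify(params, ID, replaced_Pi, M, sig),
        "h3_fork_recovers_D": extract_from_h3_fork(V_a, V_b, v, v2) == D,
        "h2_fork_recovers_xQ": extract_from_h2_fork(V_a, V_c, u, u2) == mul(x, Q),
    }
```

Calling demo() returns five booleans that are all true on a correct run: the honest signature verifies, a modified message or a replaced public key is rejected (the public key enters $H_2$ and $H_3$), and the two fork identities recover $D_{ID} = \lambda Q_{ID}$ and $x_{ID} Q_{ID}$ respectively, which is exactly how $\mathcal{C}$ turns two forgeries into $abP$ in Theorems 1 and 2.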


IV. SECURITY PROOF

Assuming that the CDH problem is hard, we now show the security of our CLS scheme.

Theorem 1: Our CLS scheme is unforgeable against a super Type I adversary in the random oracle model, assuming the CDH problem is intractable.

Proof. Let $\mathcal{C}$ be a CDH attacker who receives a random instance $(P, aP, bP)$ of the CDH problem in $G_1$ and has to compute $abP$. Let $\mathcal{A}_I$ be a super Type I adversary who interacts with $\mathcal{C}$ as modeled in Game 1. We show how $\mathcal{C}$ can use $\mathcal{A}_I$ to solve the CDH problem, i.e. to compute $abP$. $\mathcal{C}$ sets $P_T = aP$, selects params $= (G_1, G_2, e, P, P_T, H_1, H_2, H_3)$ and sends params to $\mathcal{A}_I$. The hash functions $H_1$, $H_2$ and $H_3$ are modeled as random oracles.

$H_1$ Queries: Suppose $\mathcal{A}_I$ makes at most $q_{H_1}$ queries to $H_1$. $\mathcal{C}$ chooses $J \in [1, q_{H_1}]$ and maintains an initially empty $H_1$ list of tuples $(ID_j, \alpha_j, Q_j)$. If a query has been asked before, the same answer is returned from the list. On receiving a new query $H_1(ID_i \| P)$, $\mathcal{C}$ simulates the random oracle $H_1$ as follows.
1) If $i = J$, set $Q_i = bP$, add $(ID_i, \bot, Q_i)$ to the $H_1$ list and return $Q_i$.
2) Otherwise, pick $\alpha_i \in \mathbb{Z}_q^*$ at random, set $Q_i = \alpha_i P$, add $(ID_i, \alpha_i, Q_i)$ to the $H_1$ list and return $Q_i$.

$H_2$ Queries: $\mathcal{C}$ keeps an initially empty $H_2$ list of tuples $(R_j, P_j, M_j, u_j)$. Whenever $\mathcal{A}_I$ issues a query $(R_i \| P_i \| M_i)$ to $H_2$, the same answer is returned from the list if the query has been asked before. If the query is new, $\mathcal{C}$ selects a random $u_i \in \mathbb{Z}_q^*$, adds $(R_i, P_i, M_i, u_i)$ to the $H_2$ list and returns $u_i$.

$H_3$ Queries: $\mathcal{C}$ keeps an initially empty $H_3$ list of tuples $(R_j, P_j, M_j, v_j)$. Whenever $\mathcal{A}_I$ issues a query $(R_i \| P_i \| M_i)$ to $H_3$, the same answer is returned from the list if the query has been asked before. For a new query, $\mathcal{C}$ selects a random $v_i \in \mathbb{Z}_q^*$, adds $(R_i, P_i, M_i, v_i)$ to the $H_3$ list and returns $v_i$.

Partial-Private-Key Queries: $\mathcal{C}$ keeps an initially empty list $K$ of tuples $(ID_j, x_j, D_j, P_j)$. When $\mathcal{A}_I$ issues a query $PPK(ID_i)$, the same answer is returned from $K$ if the query has been asked before. If the query is new, $\mathcal{C}$ does the following.
1) If $ID_i = ID_J$, abort.
2) Else, if there is a tuple $(ID_i, x_i, D_i, P_i)$ on $K$ (with $D_i = \bot$, since it was created by a Public-Key query):
 a) if there is a tuple $(ID_i, \alpha_i, Q_i)$ on the $H_1$ list, set $D_i = \alpha_i P_T$, update the tuple on $K$ and return $D_i$;
 b) otherwise, first make an $H_1$ query on $(ID_i \| P)$ to generate $(ID_i, \alpha_i, Q_i)$, then set $D_i = \alpha_i P_T$, update the tuple on $K$ and return $D_i$.
3) Otherwise:
 a) if there is a tuple $(ID_i, \alpha_i, Q_i)$ on the $H_1$ list, compute $D_i = \alpha_i P_T$, set $x_i = P_i = \bot$, return $D_i$ and add $(ID_i, x_i, D_i, P_i)$ to $K$;
 b) else, generate the tuple $(ID_i, \alpha_i, Q_i)$ in the same way as in the simulation of $H_1$, compute $D_i = \alpha_i P_T$, set $x_i = P_i = \bot$, return $D_i$ and add $(ID_i, x_i, D_i, P_i)$ to $K$.
Note that $D_i = \alpha_i P_T = a Q_i$, so it is a correct partial private key for the implicit master-key $\lambda = a$.

Public-Key Queries: On receiving a query $PK(ID_i)$, the current public key from $K$ is returned if the query has been asked before. Otherwise $\mathcal{C}$ does as follows.
1) If there is a tuple $(ID_i, \bot, D_i, \bot)$ on $K$ (so the public key of $ID_i$ has not yet been set), choose $x_i \in \mathbb{Z}_q^*$, compute $P_i = x_i P$, return $P_i$ and update the tuple to $(ID_i, x_i, D_i, P_i)$.
2) Otherwise, choose $x_i \in \mathbb{Z}_q^*$, set $P_i = x_i P$, return $P_i$, set $D_i = \bot$ and add $(ID_i, x_i, D_i, P_i)$ to $K$.

Secret-Value Queries: On receiving a query $SV(ID_i)$, if the public key of $ID_i$ has been replaced, $\mathcal{C}$ returns $\bot$. Otherwise, if there is a tuple $(ID_i, x_i, D_i, P_i)$ on $K$ with $x_i \neq \bot$, $\mathcal{C}$ returns $x_i$; else $\mathcal{C}$ first makes $PK(ID_i)$ and then returns $x_i$.

Public-Key-Replacement Queries: $\mathcal{A}_I$ can choose a new public key $P_i'$ for the user with identity $ID_i$. On receiving a query $PKR(ID_i, P_i')$, $\mathcal{C}$ first finds the tuple $(ID_i, x_i, D_i, P_i)$ on $K$ (if no such tuple exists or $P_i = \bot$, $\mathcal{C}$ first makes $PK(ID_i)$), then updates $P_i$ to $P_i'$ and records the replacement.

Sign Queries: On receiving a Sign query $S(M_i, ID_i, P_i)$, where $P_i$ denotes the public key chosen by $\mathcal{A}_I$ (who need not supply the secret value used to generate $P_i$), $\mathcal{C}$ generates the signature as follows.
1) Choose $u_i, v_i, r_i \in \mathbb{Z}_q^*$ at random and set $R_i = r_i P - (u_i P_i + v_i P_T)$.
2) Set $H_2(R_i \| P_i \| M_i) = u_i$ and $H_3(R_i \| P_i \| M_i) = v_i$.
3) Compute $V_i = r_i H_1(ID_i \| P)$ and output $\sigma_i = (R_i, V_i)$.
The output is valid: $u_i P_i + v_i P_T + R_i = r_i P$, so $e(V_i, P) = e(r_i Q_i, P) = e(r_i P, Q_i)$, and no partial private key or secret value is needed.

Forgery: Finally, $\mathcal{A}_I$ returns a successful forgery $(M^*, \sigma^* = (R^*, V^*), ID^*, P_{ID^*})$, meaning that $(R^*, V^*)$ is a valid signature on message $M^*$ under identity $ID^*$ and public key $P_{ID^*}$. If $ID^* \neq ID_J$, $\mathcal{C}$ aborts. By the forking lemma [12], $\mathcal{C}$ replays $\mathcal{A}_I$ with the same random tape but a different choice of the hash function $H_3$ to get another forged signature $(M^*, \sigma^{*\prime} = (R^*, V^{*\prime}), ID^*, P_{ID^*})$. Since $\sigma^*$ and $\sigma^{*\prime}$ must satisfy $e(V^*, P) = e(u^* P_{ID^*} + v^* P_T + R^*, Q^*)$ and $e(V^{*\prime}, P) = e(u^* P_{ID^*} + v^{*\prime} P_T + R^*, Q^*)$ respectively, where $u^* = H_2(R^* \| P_{ID^*} \| M^*)$, $v^* = H_3(R^* \| P_{ID^*} \| M^*)$, $v^{*\prime}$ is the answer of the replayed $H_3$ on the same input $(R^* \| P_{ID^*} \| M^*)$, $Q^* = H_1(ID^* \| P)$ and $v^* \neq v^{*\prime}$, we have $e(V^* - V^{*\prime}, P) = e((v^* - v^{*\prime}) P_T, Q^*)$. By our setting $P_T = aP$ and $Q^* = bP$, so $\mathcal{C}$ can compute $abP = (v^* - v^{*\prime})^{-1}(V^* - V^{*\prime})$. Thus $\mathcal{C}$ has obtained the solution of the CDH instance. □

Theorem 2: Our CLS scheme is unforgeable against a super Type II adversary in the random oracle model, assuming the CDH problem is intractable.

Proof. Let $\mathcal{C}$ be a CDH attacker who receives a random instance $(P, aP, bP)$ of the CDH problem in $G_1$ and has to compute $abP$. Let $\mathcal{A}_{II}$ be a super Type II adversary who interacts with $\mathcal{C}$ as defined in Game 2. We show how $\mathcal{C}$ can use $\mathcal{A}_{II}$ to solve the CDH problem, i.e. to compute $abP$. $\mathcal{C}$ selects $\lambda \in \mathbb{Z}_q^*$ as the master-key, computes $P_T = \lambda P$ and selects the system parameters params $= (G_1, G_2, e, P, P_T, H_1, H_2, H_3)$. When the simulation starts, $\mathcal{A}_{II}$ is provided with params and the master-key $\lambda$.


$H_1$ Queries: Suppose $\mathcal{A}_{II}$ makes at most $q_{H_1}$ queries to $H_1$. $\mathcal{C}$ chooses $J \in [1, q_{H_1}]$ and maintains an initially empty $H_1$ list of tuples $(ID_j, \alpha_j, Q_j)$. Whenever an $H_1$ query on $(ID_i \| P)$ is received, the same answer is returned from the list if the query has been asked before. For a new query, if $ID_i = ID_J$, $\mathcal{C}$ sets $Q_i = bP$, adds $(ID_i, \bot, Q_i)$ to the $H_1$ list and returns $Q_i$; else $\mathcal{C}$ picks $\alpha_i \in \mathbb{Z}_q^*$ at random, sets $Q_i = \alpha_i P$, adds $(ID_i, \alpha_i, Q_i)$ to the $H_1$ list and returns $Q_i$.

$H_2$ Queries: $\mathcal{C}$ keeps an initially empty $H_2$ list of tuples $(R_j, P_j, M_j, u_j)$. Whenever $\mathcal{A}_{II}$ issues a query $(R_i \| P_i \| M_i)$ to $H_2$, the same answer is returned from the list if the query has been asked before. If the query is new, $\mathcal{C}$ selects a random $u_i \in \mathbb{Z}_q^*$, adds $(R_i, P_i, M_i, u_i)$ to the $H_2$ list and returns $u_i$.

$H_3$ Queries: $\mathcal{C}$ keeps an initially empty $H_3$ list of tuples $(R_j, P_j, M_j, v_j)$. Whenever $\mathcal{A}_{II}$ issues a query $(R_i \| P_i \| M_i)$ to $H_3$, the same answer is returned from the list if the query has been asked before. For a new query, $\mathcal{C}$ selects a random $v_i \in \mathbb{Z}_q^*$, adds $(R_i, P_i, M_i, v_i)$ to the $H_3$ list and returns $v_i$.

Public-Key Queries: $\mathcal{C}$ keeps an initially empty list $K$ of tuples $(ID_j, x_j, P_j)$. On receiving a query $PK(ID_i)$, the current public key of the user with identity $ID_i$ is returned from $K$ if the query has been asked before. For a new query, if $ID_i = ID_J$, $\mathcal{C}$ returns $P_i = aP$ and adds $(ID_i, \bot, P_i)$ to $K$; else $\mathcal{C}$ picks $x_i \in \mathbb{Z}_q^*$, computes $P_i = x_i P$, adds $(ID_i, x_i, P_i)$ to $K$ and returns $P_i$.

Secret-Value Queries: On receiving a query $SV(ID_i)$, if the public key of $ID_i$ has been replaced, $\mathcal{C}$ returns $\bot$; otherwise, if $ID_i = ID_J$, $\mathcal{C}$ aborts; else, if there is a tuple $(ID_i, x_i, P_i)$ on $K$, $\mathcal{C}$ returns $x_i$; else $\mathcal{C}$ first makes $PK(ID_i)$, then recovers the tuple $(ID_i, x_i, P_i)$ from $K$ and returns $x_i$.

Public-Key-Replacement Queries: $\mathcal{A}_{II}$ can choose a new public key $P_i'$ for the user with identity $ID_i$. On receiving a query $PKR(ID_i, P_i')$, if $ID_i = ID_J$, $\mathcal{C}$ aborts; otherwise $\mathcal{C}$ finds the tuple $(ID_i, x_i, P_i)$ on $K$ (if no such tuple exists, $\mathcal{C}$ first makes $PK(ID_i)$) and updates $P_i$ to $P_i'$.

Sign Queries: On receiving a Sign query $S(M_i, ID_i, P_i)$, $\mathcal{C}$ generates the signature as follows.
1) Choose $u_i, v_i, r_i \in \mathbb{Z}_q^*$ at random and set $R_i = r_i P - (u_i P_i + v_i P_T)$.
2) Set $H_2(R_i \| P_i \| M_i) = u_i$ and $H_3(R_i \| P_i \| M_i) = v_i$.
3) Compute $V_i = r_i H_1(ID_i \| P)$ and output $\sigma_i = (R_i, V_i)$.

Forgery: Eventually, $\mathcal{A}_{II}$ returns a tuple $(M^*, \sigma^* = (R^*, V^*), ID^*, P_{ID^*})$, meaning that $(R^*, V^*)$ is a valid signature on message $M^*$ under identity $ID^*$ and public key $P_{ID^*}$. If $ID^* \neq ID_J$, $\mathcal{C}$ aborts. Using the forking lemma [12], $\mathcal{C}$ replays $\mathcal{A}_{II}$ with the same random tape but a different choice of the hash function $H_2$ to get another forged signature $\sigma^{*\prime} = (R^*, V^{*\prime})$. Since $\sigma^*$ and $\sigma^{*\prime}$ must satisfy $e(V^*, P) = e(u^* P_{ID^*} + v^* P_T + R^*, Q^*)$ and $e(V^{*\prime}, P) = e(u^{*\prime} P_{ID^*} + v^* P_T + R^*, Q^*)$ respectively, where $u^* = H_2(R^* \| P_{ID^*} \| M^*)$, $u^{*\prime}$ is the answer of the replayed $H_2$ on the same input $(R^* \| P_{ID^*} \| M^*)$, $v^* = H_3(R^* \| P_{ID^*} \| M^*)$, $Q^* = H_1(ID^* \| P)$ and $u^* \neq u^{*\prime}$, we have $e(V^* - V^{*\prime}, P) = e((u^* - u^{*\prime}) P_{ID^*}, Q^*)$. Since by our setting $P_{ID^*} = aP$ and $Q^* = bP$, $\mathcal{C}$ can compute $abP = (u^* - u^{*\prime})^{-1}(V^* - V^{*\prime})$. Thus $\mathcal{C}$ has obtained the solution of the CDH instance. □

V. CONCLUSION

It is interesting and important to construct efficient CLS schemes secure against a super Type I/II adversary. In this paper, we have put forward such an efficient CLS scheme. In our construction, only two pairing operations are required for signing and verification together; it is more efficient than the other CLS schemes achieving the same security level. The security of our new scheme has been proved in the strongest security model for CLS schemes, where the Type I/II adversary is a super Type I/II adversary.

ACKNOWLEDGMENT

Project supported by the Natural Science Foundation of China (No. 60673070) and the Natural Science Foundation of Jiangsu Province (No. BK2006217).

REFERENCES

[1] S. Al-Riyami and K. Paterson. Certificateless public key cryptography. Asiacrypt 2003, LNCS, vol. 2894, pages 452-473, Springer-Verlag, 2003.
[2] M. Au, J. Chen, J. Liu, Y. Mu, D. Wong and G. Yang. Malicious KGC attacks in certificateless cryptography. ACM ASIACCS'07, pages 302-311, 2007.
[3] M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. ACM CCS'93, pages 62-73, 1993.
[4] X. Cao, K. G. Paterson and W. Kou. An attack on a certificateless signature scheme. Cryptology ePrint Archive, Report 2006/367, 2006.
[5] K. Choi, J. Park, J. Hwang and D. Lee. Efficient certificateless signature schemes. ACNS 2007, LNCS, vol. 4521, pages 443-458, Springer-Verlag, 2007.
[6] H. Du and Q. Wen. Efficient and provably-secure certificateless short signature scheme from bilinear pairings. Cryptology ePrint Archive, Report 2007/250, 2007.
[7] B. Hu, D. Wong, Z. Zhang and X. Deng. Key replacement attack against a generic construction of certificateless signature. ACISP 2006, LNCS, vol. 4058, pages 235-246, Springer-Verlag, 2006.
[8] X. Huang, W. Susilo, Y. Mu and F. Zhang. On the security of a certificateless signature scheme. CANS 2005, LNCS, vol. 3810, pages 13-25, Springer-Verlag, 2005.
[9] X. Huang, Y. Mu, W. Susilo, D. Wong and W. Wu. Certificateless signature revisited. ACISP 2007, LNCS, vol. 4586, pages 308-322, Springer-Verlag, 2007.
[10] J. Liu, M. Au and W. Susilo. Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model. ACM ASIACCS'07, pages 273-283, 2007.
[11] J. Park. An attack on the certificateless signature scheme from EUC Workshops 2006. Cryptology ePrint Archive, Report 2006/442, 2006.
[12] D. Pointcheval and J. Stern. Security proofs for signature schemes. EUROCRYPT'96, LNCS, vol. 1070, pages 387-398, Springer-Verlag, 1996.
[13] A. Shamir. Identity based cryptosystems and signature schemes. Crypto'84, LNCS, vol. 196, pages 47-53, Springer-Verlag, 1984.
[14] W. Yap, S. Heng and B. Goi. An efficient certificateless signature scheme. EUC Workshops 2006, LNCS, vol. 4097, pages 322-331, Springer-Verlag, 2006.
[15] D. Yum and P. Lee. Generic construction of certificateless signature. ACISP 2004, LNCS, vol. 3108, pages 200-211, Springer-Verlag, 2004.
[16] Z. Zhang and D. Feng. Key replacement attack on a certificateless signature scheme. Cryptology ePrint Archive, Report 2006/453, 2006.
[17] Z. Zhang, D. Wong, J. Xu and D. Feng. Certificateless public-key signature: security model and efficient construction. ACNS 2006, LNCS, vol. 3989, pages 293-308, Springer-Verlag, 2006.

A New Provably Secure Certificateless Signature Scheme Lei Zhang

Futai Zhang

College of Mathematics and Computer Science Nanjing Normal University, P.R. China Email: lei [email protected]

College of Mathematics and Computer Science Nanjing Normal University, P.R. China Email: [email protected]

in [7]. Recently, Choi et al. [5] (who presented two efficient CLS schemes: the first requires two pairing operations and the second only one, but the second has a long signature length) and Yap et al. [14] presented some efficient CLS schemes whose security was proved in the first security model of CLS schemes, presented by Huang et al. [8]. Unfortunately, Yap et al.'s scheme [14] is not secure and was broken [11], [16]. The reason is that this model does not capture the most powerful ability of the Type I adversary. Up to now, the security of most of the existing CLS schemes has been proved in the random oracle model. A concrete CLS scheme secure in the standard model was proposed by Liu et al. [10]. A new kind of Type II attack, the 'Malicious but Passive KGC attack', was introduced in [2]. In this attack, the KGC is assumed to be malicious from the very beginning of the Setup stage of the system. Very recently, Huang et al. [9] revisited the security models of certificateless signature schemes. They further classified the Type I/II adversary into three types, namely the normal, strong and super Type I/II adversary, whose abilities range from weak to strong. A normal adversary can only obtain message-signature pairs which are valid under the original public key of the target signer. A strong adversary can obtain message-signature pairs which are valid under a replaced public key if he supplies the secret value corresponding to the replaced public key. A super adversary can obtain message-signature pairs which are valid under a public key chosen by himself without supplying the secret value corresponding to that public key. In [4], [11], [16], examples are given to show that a Type I adversary can break a CLS scheme without knowing the secret value corresponding to the verification public key. So, to capture the most powerful ability of the adversary, we should consider it as a super Type I/II adversary. Two new CLS schemes are also presented in [9].
The first one has a rather short signature length (in [6], Du and Wen proposed a very efficient short CLS scheme, but there is a mistake in their proof), with its security proved in a very weak model where the Type I adversary is a normal Type I adversary. The other one is very efficient: it requires only two pairing operations, and its security was proved in the strongest security model where the Type I/II adversary is a super adversary, but it has a long signature length. So far as we know, there are only a few CLS schemes [9], [17] secure against a super Type I/II adversary.

978-1-4244-2075-9/08/$25.00 ©2008 IEEE

Our Contribution: In this paper, we present a very efficient CLS scheme which requires only two pairing operations. The signature length of our new scheme is 2/3 of that of Huang et al.'s scheme [9]. As to security, our new CLS scheme is proved secure in the strongest security model of CLS schemes, where the Type I/II adversary is a super Type I/II adversary. We complete our security proof in the random oracle model [3], assuming the hardness of the computational Diffie-Hellman problem in groups with bilinear maps.

II. PRELIMINARIES

A. Bilinear Maps

Let G1 be an additive group of prime order q and G2 be a multiplicative group of the same order. An admissible map e : G1 × G1 → G2 is called a bilinear map if it satisfies the following properties:
1) Bilinearity: e(aP, bQ) = e(P, Q)^(ab) for all P, Q ∈ G1 and a, b ∈ Zq*.
2) Non-degeneracy: there exist P, Q ∈ G1 such that e(P, Q) ≠ 1.
3) Computability: there exists an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1.

Discrete Logarithm (DL) Problem: Given a generator g of a cyclic group G of order q and h ∈ G*, find an integer a ∈ Zq* such that h = g^a.

Computational Diffie-Hellman (CDH) Problem: Given a generator g of a cyclic group G of order q and (g^a, g^b) for unknown a, b ∈ Zq*, compute g^(ab).

B. Framework of Certificateless Signature Schemes

A CLS scheme consists of six algorithms [9], described as follows.
• Setup: Run by the KGC. It takes as input a security parameter and generates a master-key and a list of system parameters params.
• Partial-Private-Key-Extract: Run by the KGC. It takes as input a user's identity ID, the parameter list params and the master-key, and produces the user's partial private key DID.
• Set-Secret-Value: Run by a user. It takes as input the parameter list params and the user's identity ID, and produces the user's secret value xID.
• Set-Public-Key: Run by a user. It takes as input the parameter list params, the user's identity ID and secret value xID, and produces the public key PID of this user.
• Sign: Run by a particular user. It takes as input the parameter list params, a message M ∈ M (M is the message space), the user's identity ID, public key PID, partial private key DID and secret value xID, and produces a signature σ on the message M.
• Verify: Run by a verifier. It takes as input a message M, a signature σ, the parameter list params, a signer's identity ID and the corresponding public key PID, and outputs true if the signature is valid, or ⊥ otherwise.

C. Adversarial Model of Certificateless Signature Schemes

There are two types of adversaries in CL-PKC, namely the Type I adversary and the Type II adversary, with different capabilities. A Type I adversary AI does not have access to the master-key, but has the ability to replace the public key of any entity with a value of his choice. A Type II adversary AII has access to the master-key but cannot replace the target user's public key. The security of a CLS scheme is modeled via the following two games between a challenger C and an adversary AI or AII.

Game 1 (for the Type I Adversary)
Setup: C runs the Setup algorithm on a security parameter to obtain a master-key and the system parameter list params. C then sends params to the adversary AI and keeps the master-key secret.
Attack: The adversary AI can perform a polynomially bounded number of the following types of queries in an adaptive manner.
• Partial-Private-Key Queries PPK(IDi): AI can request the partial private key of any user with identity IDi. In response, C outputs the partial private key Di of the user.
• Public-Key Queries PK(IDi): AI can request the public key of the user whose identity is IDi. In response, C outputs the public key Pi for identity IDi.
• Secret-Value Queries SV(IDi): AI can request the secret value of the user whose identity is IDi. In response, C outputs the secret value xi for identity IDi (it outputs ⊥ if the user's public key has been replaced).
• Public-Key-Replacement Queries PKR(IDi, Pi'): For any user whose identity is IDi, AI can choose a new public key Pi' and set it as the new public key of this user. C records this replacement.
• Sign Queries S(Mi, IDi, Pi): AI can request a signature of the user whose identity is IDi on a message Mi. On receiving a query S(Mi, IDi, Pi), C generates a signature σi on message Mi and returns σi as the answer. It is required that σi is a valid signature on message Mi under identity IDi and public key Pi (Pi is chosen by AI, and AI need not supply the secret value which was used to generate Pi).
Forgery: Finally, AI outputs a tuple (M*, σ*, ID*, PID*). We say that AI wins Game 1 if
1) σ* is a valid signature on message M* under identity ID* and the corresponding public key PID*;
2) AI has never requested the partial private key of the user whose identity is ID*;
3) S(M*, ID*, PID*) has never been submitted during the Sign Queries.

Game 2 (for the Type II Adversary)
Setup: C runs the Setup algorithm on a security parameter to obtain the system parameter list params and the system's master-key. C then sends params and the master-key to the adversary AII.
Attack: The adversary AII can perform a polynomially bounded number of the following types of queries in an adaptive manner.
• Public-Key Queries PK(IDi): AII can request the public key of a user (whose identity is IDi) of his choice. In response, C outputs the public key Pi for identity IDi.
• Secret-Value Queries SV(IDi): AII can choose a user whose identity is IDi and request this user's secret value. In response, C outputs the secret value xi for identity IDi (it outputs ⊥ if the user's public key has been replaced).
• Public-Key-Replacement Queries PKR(IDi, Pi'): For any user whose identity is IDi, AII can choose a new public key Pi' and set it as the new public key of this user.
• Sign Queries S(Mi, IDi, Pi): AII can request a signature of the user whose identity is IDi on a message Mi. On receiving a query S(Mi, IDi, Pi), C replies with a signature σi on message Mi for the user whose identity is IDi and whose public key is Pi (Pi is chosen by AII, and AII need not supply the secret value which was used to generate Pi).
Forgery: Finally, AII outputs a tuple (M*, σ*, ID*, PID*). We say that AII wins Game 2 if this tuple satisfies the following requirements:
1) σ* is a valid signature on message M* under identity ID* and the corresponding public key PID*, i.e. it passes the verification algorithm;
2) AII has never requested the secret value of the user whose identity is ID*;
3) AII has never made a Public-Key-Replacement query on ID*;
4) S(M*, ID*, PID*) has never been submitted during the Sign Queries.

Definition 1: A CLS scheme is existentially unforgeable under adaptively chosen-message attack iff the success probability of any polynomially bounded adversary in the above two games is negligible.

III. OUR CERTIFICATELESS SIGNATURE SCHEME

A. An Efficient Construction

The construction of our efficient CLS scheme is as follows.
• Setup: Given a security parameter, the KGC chooses a cyclic additive group G1 generated by P with prime order q, a cyclic multiplicative group G2 of the same order and a bilinear map e : G1 × G1 → G2. The KGC also chooses a random λ ∈ Zq* as the master-key, sets PT = λP, and chooses cryptographic hash functions H1 : {0,1}* → G1, H2 : {0,1}* → Zq* and H3 : {0,1}* → Zq*. The system parameter list is params = (G1, G2, e, P, PT, H1, H2, H3). The message space is M = {0,1}*.
• Partial-Private-Key-Extract: This algorithm takes as input params, the master-key λ and a user's identity IDi ∈ {0,1}*. It generates the partial private key for the user as follows.
1) Compute Qi = H1(IDi||P). (The system parameter P is included in the input of H1 in order to avoid the malicious KGC attack.)
2) Output the partial private key Di = λQi.
• Set-Secret-Value: This algorithm takes as input params and a user's identity IDi. It selects a random xi ∈ Zq* and outputs xi as the user's secret value.
• Set-Public-Key: This algorithm takes as input params, a user's identity IDi and this user's secret value xi ∈ Zq*. It produces the user's public key Pi = xi P.
• Sign: To sign a message M ∈ M using the partial private key Di and the secret value xi, the signer, whose identity is IDi and whose public key is Pi, performs the following steps.
1) Choose a random r ∈ Zq* and compute R = rP.
2) Compute u = H2(R||Pi||M) and v = H3(R||Pi||M).
3) Compute V = (u xi + r)Qi + vDi.
4) Output σ = (R, V) as the signature on M.
• Verify: To verify a signature σ = (R, V) on a message M for an identity IDi and public key Pi, the verifier performs the following steps.
1) Compute Qi = H1(IDi||P), u = H2(R||Pi||M) and v = H3(R||Pi||M).
2) Check whether e(V, P) = e(u Pi + v PT + R, Qi). If the equation holds, output true; otherwise, output ⊥.

Correctness: since Di = λQi and PT = λP, we have V = (u xi + r + vλ)Qi, so e(V, P) = e(Qi, P)^(u xi + r + vλ) = e(P, Qi)^(u xi + r + vλ) = e(u Pi + v PT + R, Qi), where the second equality uses the symmetry e(Qi, P) = e(P, Qi) of the pairing on G1 × G1.

Using the technique described in [1], our scheme can easily achieve trust level 3 [1].

B. Comparison

We compare the efficiency of our scheme with that of the other two available CLS schemes secure against super Type I and Type II adversaries. The comparison is shown in Table 1. Here we only consider the costly operations, and we omit the computations which can be pre-computed by the signer in the Sign phase. We denote by P a pairing operation, by S a scalar multiplication in G1, by H a MapToPoint hash operation and by E an exponentiation in G2. We write SL for the signature length, PKL for the public key length, P1 for the length of a point in G1 and Z1 for the length of an element of Zq*.

Table 1. Comparison of Three CLS Schemes
Scheme            Sign      Verify             SL          PKL
Scheme in [9]     3S, 1E    2P, 2S, 1E, 1H     2Z1, 1P1    1P1
Scheme in [17]    3S, 2H    4P, 3H             2P1         1P1
Our Scheme        2S        2P, 2S, 1H         2P1         1P1

The comparison shows that in the signing phase our CLS scheme requires only two scalar multiplications in G1, so it is faster than the schemes in [9], [17]. In the verification phase our scheme also has a computational advantage: it requires the least computational effort of the three. In addition, the signature length of our scheme is about 2/3 of that of Huang et al.'s scheme [9], and the public key of our scheme is one point in G1, the same as in the other two schemes [9], [17].
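The scheme of Section III-A, as an added worked example that is not part of the paper: a Python model in which Setup, Partial-Private-Key-Extract, Set-Secret-Value/Set-Public-Key, Sign and Verify are implemented over a constructed toy bilinear setting (G1 = (Zq, +) with P = 1, G2 = the order-q subgroup of Zp*, e(X, Y) = g^(XY) mod p). The toy map is bilinear and non-degenerate, but its discrete logarithm is trivial, so it exercises only the algebra of the scheme and gives no security; a deployment needs a pairing-friendly curve. Our own choices, not the paper's: SHA-256-based programmable random oracles for H1, H2 and H3, a length-prefixed encoding in place of the plain concatenation R||Pi||M, and a verifier check that R, V and Pi are group elements. The functions simulate_sign and forking_demo also reproduce the two steps of the Section IV proofs that the text states but does not compute: answering a Sign query for an attacker-chosen Pi without any secret, and the forking-lemma extraction (v − v')^(−1)(V − V').

```python
import hashlib
import secrets

# Constructed toy bilinear setting (illustration only, NOT secure): G1 = (Z_q, +)
# with generator P = 1, so the "point" aP is the integer a; G2 = the order-q
# subgroup of Z_p^*, p = K*q + 1; e(X, Y) = G2_GEN^(X*Y) mod p is bilinear,
# non-degenerate and computable. Discrete logs in this G1 are trivial, so CDH is
# easy here: the toy checks the algebra of the scheme, a deployment needs a
# pairing-friendly curve.
def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

Q = 1000003                                                     # prime order q
K = next(k for k in range(2, 2000, 2) if _is_prime(k * Q + 1))
P_MOD = K * Q + 1
G2_GEN = next(g for g in (pow(h, K, P_MOD) for h in range(2, 64)) if g != 1)
P = 1                                                           # generator of G1

def add(X, Y): return (X + Y) % Q                  # group law of G1
def sub(X, Y): return (X - Y) % Q
def mul(a, X): return (a * X) % Q                  # scalar multiplication aX
def pairing(X, Y): return pow(G2_GEN, (X * Y) % Q, P_MOD)

class RandomOracle:
    """Lazily sampled map {0,1}* -> Z_q^*; program() lets a simulator fix answers."""
    def __init__(self, tag):
        self.tag, self.table = tag, {}

    def __call__(self, data):
        ctr = 0
        while data not in self.table:  # rejection-sample so the answer is never 0
            h = int.from_bytes(hashlib.sha256(self.tag + bytes([ctr]) + data).digest(), "big")
            if h % Q:
                self.table[data] = h % Q
            ctr += 1
        return self.table[data]

    def program(self, data, value):
        assert data not in self.table, "oracle was already queried at this point"
        self.table[data] = value

H1, H2, H3 = RandomOracle(b"H1"), RandomOracle(b"H2"), RandomOracle(b"H3")

def enc(*parts):
    """Length-prefixed encoding for R||Pi||M and ID||P (our choice: plain concatenation is ambiguous)."""
    out = b""
    for p in parts:
        b = p.to_bytes(4, "big") if isinstance(p, int) else p
        out += len(b).to_bytes(2, "big") + b
    return out

def rand_zq_star():
    return secrets.randbelow(Q - 1) + 1

def setup():
    lam = rand_zq_star()                        # master-key λ
    return lam, mul(lam, P)                     # (λ, PT = λP)

def partial_private_key_extract(lam, ID):
    return mul(lam, H1(enc(ID, P)))             # Di = λ·Qi, Qi = H1(ID||P)

def set_keys():
    x = rand_zq_star()                          # Set-Secret-Value
    return x, mul(x, P)                         # Set-Public-Key: Pi = xi·P

def sign(PT, ID, Pi, Di, xi, M, r=None, H3=H3):
    r = r or rand_zq_star()
    R = mul(r, P)
    u, v = H2(enc(R, Pi, M)), H3(enc(R, Pi, M))
    V = add(mul(add(mul(u, xi), r), H1(enc(ID, P))), mul(v, Di))  # (u·xi + r)Qi + v·Di
    return R, V

def verify(PT, ID, Pi, M, sig):
    R, V = sig
    if not all(0 <= t < Q for t in (R, V, Pi)):  # reject values outside the group
        return False
    u, v = H2(enc(R, Pi, M)), H3(enc(R, Pi, M))
    return pairing(V, P) == pairing(add(add(mul(u, Pi), mul(v, PT)), R), H1(enc(ID, P)))

def simulate_sign(PT, ID, Pi, M):
    """Section IV: answer a Sign query for an attacker-chosen Pi with no secret at all."""
    u, v, r = rand_zq_star(), rand_zq_star(), rand_zq_star()
    R = sub(mul(r, P), add(mul(u, Pi), mul(v, PT)))     # Ri = ri·P − (ui·Pi + vi·PT)
    H2.program(enc(R, Pi, M), u)                        # fix the oracles at (Ri||Pi||Mi)
    H3.program(enc(R, Pi, M), v)
    return R, mul(r, H1(enc(ID, P)))                    # Vi = ri·Qi

def forking_demo(PT, ID, Pi, Di, xi, M):
    """Section IV: same coins r, different H3 -> (v − v')^(-1)(V − V') = λ·Qi = Di."""
    r = rand_zq_star()
    R, V = sign(PT, ID, Pi, Di, xi, M, r=r)
    v = H3(enc(R, Pi, M))
    H3_forked = RandomOracle(b"H3-forked")
    H3_forked.program(enc(R, Pi, M), v % (Q - 1) + 1)  # any answer v' != v
    _, V2 = sign(PT, ID, Pi, Di, xi, M, r=r, H3=H3_forked)
    v2 = H3_forked(enc(R, Pi, M))
    return mul(pow((v - v2) % Q, -1, Q), sub(V, V2))
```

Running sign and then verify on the same message returns true; changing the message, the identity or the public key makes verify return false. simulate_sign produces signatures that verify although the simulator knows neither xi nor λ, which is exactly why the super adversary's Sign queries can be answered in the proofs, and forking_demo returns Di = λQi, the value that plays the role of abP in the reduction.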


IV. SECURITY PROOF

Assuming that the CDH problem is hard, we now show the security of our CLS scheme.

Theorem 1: Our CLS scheme is unforgeable against a super Type I adversary in the random oracle model, assuming the CDH problem is intractable.

Proof. Let C be a CDH attacker who receives a random instance (P, aP, bP) of the CDH problem in G1 and has to compute abP. AI is a super Type I adversary who interacts with C as modeled in Game 1. We show how C can use AI to solve the CDH problem, i.e. to compute abP. C sets PT = aP, selects params = (G1, G2, e, P, PT, H1, H2, H3) and sends params to AI. We treat the hash functions H1, H2 and H3 as random oracles.

H1 Queries: Suppose AI makes at most qH1 queries to H1. C chooses J ∈ [1, qH1] and maintains an initially empty list H1 of tuples (IDj, αj, Qj). If a request has been asked before, the same answer from the list H1 is returned. On receiving a new query H1(IDi||P), C simulates the random oracle H1 as follows.
1) If i = J, set Qi = bP, add (IDi, ⊥, Qi) to H1 and return Qi.
2) Otherwise, pick αi ∈ Zq* at random, set Qi = αi P, add (IDi, αi, Qi) to H1 and return Qi.
H2 Queries: C keeps an initially empty list H2 of tuples (Rj, Pj, Mj, uj). Whenever AI issues a query (Ri||Pi||Mi) to H2, the same answer from the list H2 is returned if the request has been asked before. If the query is new, C selects a random ui ∈ Zq*, adds (Ri, Pi, Mi, ui) to H2 and returns ui.
H3 Queries: C keeps an initially empty list H3 of tuples (Rj, Pj, Mj, vj). Whenever AI issues a query (Ri||Pi||Mi) to H3, the same answer from the list H3 is returned if the request has been asked before. For a new query, C selects a random vi ∈ Zq*, adds (Ri, Pi, Mi, vi) to H3 and returns vi.
Partial-Private-Key Queries: C keeps an initially empty list K of tuples (IDj, xj, Dj, Pj). When AI issues a query PPK(IDi), the same answer from the list K is returned if the request has been asked before. If the query is new, C does the following.
1) If IDi = IDJ, abort.
2) Else, if there is a tuple (IDi, xi, Di, Pi) on K:
a) if there is a tuple (IDi, αi, Qi) on H1, set Di = αi PT and return Di;
b) otherwise, first make an H1 query on (IDi||P) to generate (IDi, αi, Qi), then set Di = αi PT and return Di.
3) Otherwise:
a) if there is a tuple (IDi, αi, Qi) on H1, compute Di = αi PT, set xi = Pi = ⊥, return Di and add (IDi, xi, Di, Pi) to K;
b) else, generate the tuple (IDi, αi, Qi) in the same way as when simulating the random oracle H1, compute Di = αi PT, set xi = Pi = ⊥, return Di and add (IDi, xi, Di, Pi) to K.
(Note that Di = αi PT = αi aP = aQi, a correct partial private key for the implicit master-key a.)
Public-Key Queries: On receiving a query PK(IDi), the current public key from the list K is returned if the request has been asked before. Otherwise, C does as follows.
1) If there is a tuple (IDi, xi, Di, Pi) on K with Pi = ⊥ (the public key of IDi has not been set yet), choose xi ∈ Zq* at random, compute Pi = xi P, return Pi and update the tuple to (IDi, xi, Di, Pi).
2) Otherwise, choose xi ∈ Zq* at random, set Pi = xi P, return Pi, set Di = ⊥ and add (IDi, xi, Di, Pi) to K.
Secret-Value Queries: On receiving a query SV(IDi), if the public key of IDi has been replaced, C returns ⊥. Otherwise, if there is a tuple (IDi, xi, Di, Pi) on K, C returns xi; else, C first makes PK(IDi) and then returns xi.
Public-Key-Replacement Queries: AI can choose a new public key Pi' for the user whose identity is IDi. On receiving a query PKR(IDi, Pi'), C first finds the tuple (IDi, xi, Di, Pi) on K (if no such tuple exists on K or Pi = ⊥, C first makes PK(IDi)), then C updates Pi to Pi'.
Sign Queries: On receiving a Sign query S(Mi, IDi, Pi), where Pi denotes the public key chosen by AI, C generates the signature as follows. (Note that AI need not supply the secret value used to generate Pi.)
1) Choose ui, vi, ri ∈ Zq* at random and set Ri = ri P − (ui Pi + vi PT).
2) Set H2(Ri||Pi||Mi) = ui and H3(Ri||Pi||Mi) = vi.
3) Compute Vi = ri H1(IDi||P) and output σi = (Ri, Vi).
(This σi passes verification, since ui Pi + vi PT + Ri = ri P and hence e(Vi, P) = e(ri P, Qi) = e(ui Pi + vi PT + Ri, Qi).)
Forgery: Finally, AI returns a successful forgery (M*, σ* = (R*, V*), ID*, PID*), which means that (R*, V*) is a valid signature on message M* under identity ID* and public key PID*. If ID* ≠ IDJ, C aborts. By the forking lemma [12], C replays AI with the same random tape but a different choice of the hash function H3 to get another forged signature (M*, σ*' = (R*, V*'), ID*, PID*). Since σ* and σ*' must satisfy e(V*, P) = e(u* PID* + v* PT + R*, Q*) and e(V*', P) = e(u* PID* + v*' PT + R*, Q*) respectively, where u* = H2(R*||PID*||M*), v* = H3(R*||PID*||M*), v*' = H3'(R*||PID*||M*), Q* = H1(ID*||P) and v* ≠ v*', we have e(V* − V*', P) = e((v* − v*') PT, Q*). By our setting PT = aP and Q* = bP, so C can compute abP = (v* − v*')^(−1)(V* − V*'). Thus C has obtained the solution of the CDH problem.

Theorem 2: Our CLS scheme is unforgeable against a super Type II adversary in the random oracle model, assuming the CDH problem is intractable.

Proof. Let C be a CDH attacker who receives a random instance (P, aP, bP) of the CDH problem in G1 and has to compute abP. AII is a super Type II adversary who interacts with C as defined in Game 2. We show how C can use AII to solve the CDH problem, i.e. to compute abP. C selects λ ∈ Zq* as the master-key, computes PT = λP and selects the system parameters params = (G1, G2, e, P, PT, H1, H2, H3). When the simulation starts, AII is provided with params and the master-key λ.


H1 Queries: Suppose AII makes at most qH1 queries to H1. C chooses J ∈ [1, qH1] and maintains an initially empty list H1 of tuples (IDj, αj, Qj). Whenever an H1 query on (IDi||P) is received, the same answer from the list H1 is returned if the request has been asked before. For a new query, if IDi = IDJ, C sets Qi = bP, adds (IDi, ⊥, Qi) to H1 and returns Qi; else, C picks αi ∈ Zq* at random, sets Qi = αi P, adds (IDi, αi, Qi) to H1 and returns Qi.
H2 Queries: C keeps an initially empty list H2 of tuples (Rj, Pj, Mj, uj). Whenever AII issues a query (Ri||Pi||Mi) to H2, the same answer from the list H2 is returned if the request has been asked before. If the query is new, C selects a random ui ∈ Zq*, adds (Ri, Pi, Mi, ui) to H2 and returns ui.
H3 Queries: C keeps an initially empty list H3 of tuples (Rj, Pj, Mj, vj). Whenever AII issues a query (Ri||Pi||Mi) to H3, the same answer from the list H3 is returned if the request has been asked before. For a new query, C selects a random vi ∈ Zq*, adds (Ri, Pi, Mi, vi) to H3 and returns vi.
Public-Key Queries: C keeps an initially empty list K of tuples (IDj, xj, Pj). On receiving a query PK(IDi), the current public key of the user whose identity is IDi is returned from the list K if the request has been asked before. For a new query, if IDi = IDJ, C returns Pi = aP and adds (IDi, ⊥, Pi) to K; else, C picks xi ∈ Zq* at random, computes Pi = xi P, adds (IDi, xi, Pi) to K and returns Pi.
Secret-Value Queries: On receiving a query SV(IDi), if the public key of IDi has been replaced, C returns ⊥; otherwise, if IDi = IDJ, C aborts; else, if there is a tuple (IDi, xi, Pi) on K, C returns xi; else, C first makes PK(IDi), then recovers the tuple (IDi, xi, Pi) from K and returns xi.
Public-Key-Replacement Queries: AII can choose a new public key Pi' for the user whose identity is IDi. On receiving a query PKR(IDi, Pi'), if IDi = IDJ, C aborts; otherwise, C finds the tuple (IDi, xi, Pi) on K (if no such tuple exists on K, C makes PK(IDi) first) and updates Pi to Pi'.
Sign Queries: On receiving a Sign query S(Mi, IDi, Pi), C generates the signature as follows.
1) Choose ui, vi, ri ∈ Zq* at random and set Ri = ri P − (ui Pi + vi PT).
2) Set H2(Ri||Pi||Mi) = ui and H3(Ri||Pi||Mi) = vi.
3) Compute Vi = ri H1(IDi||P) and output σi = (Ri, Vi).
Forgery: Eventually, AII returns a tuple (M*, σ* = (R*, V*), ID*, PID*), meaning that (R*, V*) is a valid signature on message M* under identity ID* and public key PID*. If ID* ≠ IDJ, C aborts. Using the forking lemma [12], C replays AII with the same random tape but a different choice of the hash function H2 to get another forged signature σ*' = (R*, V*'). Since σ* and σ*' must satisfy e(V*, P) = e(u* PID* + v* PT + R*, Q*) and e(V*', P) = e(u*' PID* + v* PT + R*, Q*) respectively, where u* = H2(R*||PID*||M*), u*' = H2'(R*||PID*||M*), v* = H3(R*||PID*||M*), Q* = H1(ID*||P) and u* ≠ u*', we have e(V* − V*', P) = e((u* − u*') PID*, Q*). Since by our setting PID* = aP and Q* = bP, C can compute abP = (u* − u*')^(−1)(V* − V*'). Thus C has obtained the solution of the CDH problem.

V. CONCLUSION

It is interesting and important to construct efficient CLS schemes secure against a super Type I/II adversary. In this paper, we have put forward such an efficient CLS scheme. In our construction, only two pairing operations are required for signing and verification in total, so it is more efficient than the other CLS schemes achieving the same security level. The security of our new scheme has been proved in the strongest security model for CLS schemes, where the Type I/II adversary is a super Type I/II adversary.

ACKNOWLEDGMENT

This work was supported by the Natural Science Foundation of China (No. 60673070) and the Natural Science Foundation of Jiangsu Province (No. BK2006217).

REFERENCES
[1] S. Al-Riyami and K. Paterson. Certificateless public key cryptography. ASIACRYPT 2003, LNCS, vol. 2894, pages 452-473, Springer-Verlag, 2003.
[2] M. Au, J. Chen, J. Liu, Y. Mu, D. Wong and G. Yang. Malicious KGC attacks in certificateless cryptography. ACM ASIACCS '07, pages 302-311, 2007.
[3] M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. ACM CCS '93, pages 62-73, 1993.
[4] X. Cao, K. G. Paterson and W. Kou. An attack on a certificateless signature scheme. Cryptology ePrint Archive, Report 2006/367, 2006.
[5] K. Choi, J. Park, J. Hwang and D. Lee. Efficient certificateless signature schemes. ACNS 2007, LNCS, vol. 4521, pages 443-458, Springer-Verlag, 2007.
[6] H. Du and Q. Wen. Efficient and provably-secure certificateless short signature scheme from bilinear pairings. Cryptology ePrint Archive, Report 2007/250, 2007.
[7] B. Hu, D. Wong, Z. Zhang and X. Deng. Key replacement attack against a generic construction of certificateless signature. ACISP 2006, LNCS, vol. 4058, pages 235-346, Springer-Verlag, 2006.
[8] X. Huang, W. Susilo, Y. Mu and F. Zhang. On the security of a certificateless signature scheme. CANS 2005, LNCS, vol. 3810, pages 13-25, Springer-Verlag, 2005.
[9] X. Huang, Y. Mu, W. Susilo, D. Wong and W. Wu. Certificateless signature revisited. ACISP 2007, LNCS, vol. 4586, pages 308-322, Springer-Verlag, 2007.
[10] J. Liu, M. Au and W. Susilo. Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model. ACM ASIACCS '07, pages 273-283, 2007.
[11] J. Park. An attack on the certificateless signature scheme from EUC Workshops 2006. Cryptology ePrint Archive, Report 2006/442, 2006.
[12] D. Pointcheval and J. Stern. Security proofs for signature schemes. EUROCRYPT '96, LNCS, vol. 1070, pages 387-398, Springer-Verlag, 1996.
[13] A. Shamir. Identity based cryptosystems and signature schemes. CRYPTO '84, LNCS, vol. 196, pages 47-53, Springer-Verlag, 1984.
[14] W. Yap, S. Heng and B. Goi. An efficient certificateless signature scheme. EUC Workshops 2006, LNCS, vol. 4097, pages 322-331, Springer-Verlag, 2006.
[15] D. Yum and P. Lee. Generic construction of certificateless signature. ACISP 2004, LNCS, vol. 3108, pages 200-211, Springer-Verlag, 2004.
[16] Z. Zhang and D. Feng. Key replacement attack on a certificateless signature scheme. Cryptology ePrint Archive, Report 2006/453, 2006.
[17] Z. Zhang, D. Wong, J. Xu and D. Feng. Certificateless public-key signature: security model and efficient construction. ACNS 2006, LNCS, vol. 3989, pages 293-308, Springer-Verlag, 2006.