Information Sciences 180 (2010) 4714–4728


Certificateless threshold signature scheme from bilinear maps

Hong Yuan a, Futai Zhang a,b,*, Xinyi Huang c, Yi Mu d, Willy Susilo d, Lei Zhang e

a School of Computer Science and Technology, Nanjing Normal University, PR China
b Jiangsu Engineering Research Center on Information Security and Privacy Protection Technology, Nanjing, PR China
c School of Information Systems, Singapore Management University, Singapore
d Center for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Australia
e UNESCO Chair in Data Privacy, Department of Computer Engineering and Mathematics, Universitat Rovira i Virgili, Catalonia, Spain

Article info

Article history:
Received 28 October 2009
Received in revised form 20 May 2010
Accepted 26 July 2010

Keywords: Certificateless threshold signature; Bilinear map; Verifiable secret sharing; CDH problem; Simulatability

Abstract

A (t, n) threshold signature scheme allows t or more group members to generate signatures on behalf of a group with n members. In contrast to the traditional public key cryptography based on public key infrastructure (PKI) and identity-based public key cryptography (IDPKC), certificateless public key cryptography (CL-PKC) offers useful properties as it does not require any certificates to ensure the authenticity of public keys and the key escrow problem is eliminated. In this paper, we investigate the notion of threshold signature schemes in CL-PKC. We start by pointing out the drawbacks in the two existing certificateless threshold signature schemes. Subsequently, we present an elaborate description of a generic certificateless (t, n) threshold signature scheme with a new security model. The adversaries captured in the new model are more powerful than those considered in the existing schemes. Furthermore, we establish the simulatability for certificateless threshold signature schemes and prove the relationship between the security of certificateless threshold signature schemes and that of the underlying non-threshold certificateless signature schemes. As an instantiation, we present a concrete certificateless threshold signature scheme based on bilinear maps using the techniques of verifiable secret sharing and distributed key generation. The proposed scheme is shown to be existentially unforgeable against adaptively chosen message attacks assuming the hardness of the Computational Diffie–Hellman (CDH) problem.

© 2010 Elsevier Inc. All rights reserved.

* Corresponding author at: School of Computer Science and Technology, Nanjing Normal University, PR China.
0020-0255/$ - see front matter © 2010 Elsevier Inc. All rights reserved. doi:10.1016/j.ins.2010.07.021

1. Introduction

1.1. Background

In practical applications, traditional public key cryptography (PKC for short) requires the support of a public key infrastructure (PKI for short), which introduces the costly and cumbersome certificate management problem. Although this disadvantage is removed in identity-based public key cryptography (ID-PKC for short) [18], it gives rise to the drawback of key escrow. As a new paradigm of public key cryptography, certificateless public key cryptography (CL-PKC for short) [1] not only gets rid of the certificate management problem in traditional PKC but also eliminates the key escrow problem in ID-PKC. Hence, it has received considerable attention from the security research community since its invention. In a certificateless cryptosystem, each entity has two secrets: a secret value and a partial private key. The secret value is generated by the entity himself, while a third party, the key generation center (KGC), who holds a master key, generates the partial private key from the user's identity information. The entity's private key is the output of a function that takes the secret value and the partial private key as input. The KGC does not have the actual private key of an entity, and so the key escrow problem of ID-PKC is eliminated. The entity can use the actual private key to generate the public key, which could be made available to other entities by transmitting it along with signatures or by placing it in a public directory. In particular, there is no certificate in CL-PKC, which avoids the costly certificate management issues of PKI-based traditional PKC.

The idea of threshold cryptography is to distribute the secret information (e.g., a private key) and the computation (e.g., decryption or signing) amongst a group of participants in order to prevent a single point of failure or abuse. As an important primitive in group security and distributed settings, threshold signatures have been extensively studied in traditional PKC and ID-PKC. We believe that it is also worthwhile to investigate the application of this primitive in CL-PKC. The focus of this paper is on employing the advantages of CL-PKC to provide secure and efficient threshold signature solutions for practical use.

1.2. Related work

In the following, we provide a brief review of some related work on threshold signatures with respect to traditional PKC, ID-PKC and CL-PKC. We will point out some shortcomings in two existing certificateless threshold signature schemes [21,22].

1.2.1. Threshold signatures in traditional PKC

Threshold signatures in traditional PKC have been extensively studied in [4,5,9,20]. The authors of [5] formalized the notion of unforgeability for threshold signatures and described a concrete scheme based on the ElGamal signature. Gennaro et al.
[9] provided a complete solution for the threshold implementation of the digital signature standard (DSS). They designed various distributed verifiable secret-sharing schemes as building blocks to construct robust and secure threshold DSS signature schemes. In threshold signature schemes in traditional PKC, the transmission and verification of group members' certificates involve a considerable amount of communication and computation cost. This may greatly offset the efficiency.

1.2.2. ID-based threshold signature

ID-PKC was introduced by Shamir [18], whose original motivation was to ease certificate management in the e-mail system. In ID-PKC, a user's public key can be derived directly from certain aspects of his/her identity information (e.g., e-mail address), while the associated private key is computed and issued secretly to the user by a trusted third party, the PKG (private key generation center). This property avoids the necessity of certificates and associates an implicit public key with each user. However, it makes key escrow an inherent problem, which is undesirable from the user's point of view. Baek and Zheng [3] proposed the first identity-based threshold signature scheme from bilinear maps in 2004. To alleviate the key escrow problem, Chen et al. [7] proposed an identity-based threshold signature scheme without a trusted PKG. (More precisely, Chen et al.'s scheme is essentially a threshold signature scheme in CL-PKC, but its security analysis is made in the framework of ID-PKC.)

1.2.3. Certificateless threshold signature

CL-PKC [1] was introduced by Al-Riyami and Paterson in 2003 to overcome the key escrow problem in ID-PKC. Recently, certificateless signature (CLS) schemes have been well investigated [12,13,19]. Several CLS schemes were proposed [6,11–16,23–27]. In [13], Huang et al. revisited the security models of certificateless signature schemes and further classified the Type I/II adversaries into three types, namely normal, strong and super Type I/II adversaries, among which super Type I/II adversaries have the strongest attacking power. Wang et al. [21] proposed the first certificateless threshold signature scheme (CLTHS for short) in the random oracle model. To exhibit the security of the proposal, they developed the theory of simulatability and the relationship between the certificateless threshold signature scheme and the underlying (non-threshold) ID-based signature scheme. Their scheme requires a PKG clerk and several distributed PKGs to compute the partial private key for a user. To do so, the PKG clerk first generates the master key and then shares it among several distributed PKGs using a (u, m)-secret-sharing scheme. With its share of the master key, each distributed PKG can generate a sub-partial private key for the user, which is sent back to the PKG clerk. Upon receiving valid sub-partial private keys from at least u distributed PKGs, the PKG clerk can calculate the partial private key of the user. As one can see, while their scheme does use distributed PKGs, partial private keys are still generated by a single party (the PKG clerk), which makes the use of distributed PKGs cumbersome and inefficient. We believe that in the scenario of distributed PKGs it is desirable that the generation of the master key is conducted by all distributed PKGs in a cooperative manner, rather than by a single party (which is the case in [21]). In generating a user's partial private key, each member of the distributed PKGs calculates and sends a sub-partial private key (using his share of the master key) to the corresponding user directly. The user can then derive the partial private key by itself from at least t (t is the threshold) valid sub-partial private keys.
A further observation shows that Wang et al.'s scheme cannot detect any misbehavior of dishonest participants. In the sharing of the master key $s$, the PKG clerk could cheat by sending $s_i \neq R(i)$, $P_{i,\mathrm{pub}} = s_i P$ to some $PKG_i$ (where $R(x)$ is the sharing polynomial selected by the PKG clerk), which is undetectable. Similarly, $PKG_i$ could cheat by using a false master key share $s'_i$ (different from his actual master key share $s_i$) to generate $P_{i,\mathrm{pub}} = s'_i P$. It then uses the fake $s'_i$ to generate the sub-partial private key for a user. No one can find these kinds of cheating. Similar problems also exist in the sharing of the user's secret value if player $j$ publishes a false $fvk_j = c_j P \neq f(j) P$. This may cause serious security problems. As an example, player $j$ may use this fake $fsk_j = c_j$ instead of the true $fsk_j$ to sign messages, and other players may be totally unaware of this kind of cheating. In this case, no one but the cheating player $j$ is able to calculate a valid threshold signature of the group. The sharing of partial private keys is also spoiled by similar problems. Another drawback of Wang et al.'s scheme is the long signature length. In their scheme, a signature $(T, a, b, c, W)$ consists of two elements of $G_1$ and three elements of $G_2$, where $(G_1, G_2)$ are groups with a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$. This leads to a signature length of more than 3400 bits for a 160-bit prime $q$ (the order of group $G_1$), which is apparently too long, as most existing secure certificateless signature schemes produce signatures consisting of only two elements of $G_1$, or one element of $G_2$ and one element of $\mathbb{Z}_q$.

Recently, Xiong et al. [22] presented a certificateless threshold signature scheme which was proven secure in the standard model. They introduced new security definitions and notations for their scheme and utilized the simulatability of certificateless threshold signature schemes to prove the scheme secure. However, the security model defined in [22] is very weak. As an obvious drawback, their signing oracle cannot provide any valid signatures if the user's public key has been replaced. There are also some security flaws in their construction of the threshold signature scheme. In the step Complete-Key-Gen-and-Share, their method of sharing the complete secret signing key may lead to a decrease of the threshold, since the sharing polynomial is in fact determined by Lagrange interpolation using $t$ points $(0, a_x), (1, a_{1x}), \ldots, (t-1, a_{t-1,x})$. This interpolation may result in a polynomial of degree less than $t-1$, which means that fewer than $t$ players can collude to reveal the complete signing key or generate a valid signature on any message. Also, the verification shares for checking the validity of complete key shares only commit to one of the random secrets, which could also make the cheating behavior of some dishonest players undetectable (as we have shown previously for Wang et al.'s scheme).
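As an added example, not code from Yuan et al.'s paper or from the schemes [21,22] it criticises, the following Python shows the two defensive checks this discussion points to: commitments to every coefficient of the sharing polynomial (Feldman-style verifiable secret sharing), under which a dealer handing out $s_i \neq R(i)$ is detected, and a degree check showing that a sharing polynomial fixed by interpolating $t$ prescribed points can have degree below $t-1$, so that fewer than $t$ shares recover the secret. A constructed toy subgroup of $\mathbb{Z}_p^*$ stands in for the pairing group $G_1$; all function names and parameters are assumptions.

```python
"""Verifiable secret sharing with commitments to every coefficient, plus a
degree check for a sharing polynomial fixed by interpolation.

Added example, not code from Yuan et al. or the schemes they criticise.  The
paper's additive pairing group G_1 (elements xP) is replaced by the order-q
subgroup of Z_p^* written multiplicatively (g^x); the commitment algebra is
the same.  p, q, g are a constructed toy group: NOT secure.
"""
import secrets

P_MOD = 1019   # constructed safe prime p = 2q + 1
Q_ORD = 509    # prime order of the subgroup (plays the role of |G_1| = q)
GEN = 4        # 4 = 2^2 is a quadratic residue != 1, hence of order q


def poly_eval(coeffs, x, q=Q_ORD):
    """R(x) = sum_k coeffs[k] * x^k mod q, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


def deal(secret, t, n, q=Q_ORD, p=P_MOD, g=GEN, rng=secrets.randbelow):
    """Honest dealer: R of degree exactly t-1 with R(0) = secret, shares
    s_i = R(i), and Feldman commitments C_k = g^{a_k} to EVERY coefficient.
    A non-zero leading coefficient is what makes t shares truly necessary."""
    coeffs = [secret % q] + [rng(q) for _ in range(t - 2)]
    if t > 1:
        coeffs.append(1 + rng(q - 1))       # a_{t-1} uniformly in [1, q-1]
    shares = {i: poly_eval(coeffs, i, q) for i in range(1, n + 1)}
    commits = [pow(g, a, p) for a in coeffs]
    return shares, commits


def verify_share(i, share, commits, q=Q_ORD, p=P_MOD, g=GEN):
    """Player i checks g^{s_i} == prod_k C_k^(i^k).  Since every coefficient
    of R is committed, a dealer sending s_i != R(i) (the cheat the text calls
    undetectable in [21], where only s_i P is published) is caught."""
    rhs = 1
    for k, c_k in enumerate(commits):
        rhs = rhs * pow(c_k, pow(i, k, q), p) % p
    return pow(g, share, p) == rhs


def lagrange_coeffs(xs, ys, q=Q_ORD):
    """Coefficients (low degree first) of the unique polynomial of degree
    < len(xs) through the points (xs[j], ys[j]), computed mod q."""
    n = len(xs)
    result = [0] * n
    for j in range(n):
        basis, denom = [1], 1               # numerator / denominator of l_j(x)
        for m in range(n):
            if m == j:
                continue
            nxt = [0] * (len(basis) + 1)    # basis *= (x - xs[m])
            for d, coef in enumerate(basis):
                nxt[d] = (nxt[d] - coef * xs[m]) % q
                nxt[d + 1] = (nxt[d + 1] + coef) % q
            basis = nxt
            denom = denom * (xs[j] - xs[m]) % q
        scale = ys[j] * pow(denom, -1, q) % q
        for d in range(n):
            result[d] = (result[d] + scale * basis[d]) % q
    return result


def effective_degree(coeffs, q=Q_ORD):
    """Highest index with a non-zero coefficient mod q; -1 for the zero polynomial."""
    for d in range(len(coeffs) - 1, -1, -1):
        if coeffs[d] % q:
            return d
    return -1


def demo(t=3, n=5):
    """Run both checks and return the observations."""
    # (1) An inconsistent share is rejected while honest shares pass.
    shares, commits = deal(secret=123, t=t, n=n)
    honest_ok = all(verify_share(i, s, commits) for i, s in shares.items())
    cheat_ok = verify_share(2, (shares[2] + 1) % Q_ORD, commits)  # s_2 != R(2)

    # (2) Sharing polynomial fixed by interpolating the t prescribed points
    #     (0, a), (1, a_1), ..., (t-1, a_{t-1}).  Constructed values that happen
    #     to be collinear give degree 1 < t-1: two shares already recover R(0).
    fixed = lagrange_coeffs(list(range(t)), [5 + 2 * x for x in range(t)])
    leaked = lagrange_coeffs([3, 4], [poly_eval(fixed, 3), poly_eval(fixed, 4)])[0]
    return {"honest_ok": honest_ok, "cheat_ok": cheat_ok,
            "degree": effective_degree(fixed), "t_minus_1": t - 1,
            "recovered_from_two": leaked}


if __name__ == "__main__":
    print(demo())
```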

1.3. Motivation and our contribution

Like threshold signature schemes based on traditional PKI and ID-PKC, certificateless threshold signature schemes have wide applications where a group of members need to cooperatively sign a message on behalf of the whole group, and are especially useful when there is a need to distinguish a threshold signature from a signature generated by a single party who possesses the secret signing key of the group. For example, let Bob be the board chairman of a company. He has the secret signing key SK of the board in the certificateless public key setting. With this secret signing key, he is able to sign any document on behalf of the board. A threshold signature scheme is necessary when the chairman is unavailable but some very important documents need to be signed by the majority of the board. While it is useful to know who is responsible for a signature, in some cases we need to distinguish the chairman's signature from the board members' threshold signature. In certificateless public key cryptography, the chairman can share the partial private key of the board among the board members, and let the board members generate the secret value of the board using an information-theoretically secure distributed key generation protocol. In this way, the board members can produce signatures that are distinguishable from those generated by the chairman alone. We believe this is a distinctive property of certificateless threshold signatures. As we have shown in Section 1.2, the two existing certificateless threshold signature schemes [21,22] are far from satisfactory (both in security and in efficiency). Thus, as an indispensable component of CL-PKC, certificateless threshold signature deserves further investigation, especially on reasonable security notions and on efficient constructions of certificateless threshold signature schemes.

The contribution of this paper is as follows. A new security model for CLTHS is proposed. In the new model, we capture the security notions via two games, which simulate two types of adversaries respectively. The adversaries we are concerned about are the super (Type I/II) adversaries defined in [13], and are stronger than those considered in [21,22]. Our security model allows the adversary to obtain partial private keys and secret values of any users under natural restrictions. The sign oracles provide the adversary with all signature shares generated by the signature generation servers. We believe that the new model is more natural and more reasonable than those in [21,22]. In order to prove the security, we define the notion of simulatability of a certificateless threshold signature scheme, and establish the simulatability theorem, which depicts the security relationship between a certificateless threshold signature scheme and its underlying (non-threshold) certificateless signature scheme. It is necessary to construct certificateless threshold signature systems from existing secure and efficient certificateless signature schemes. As an example, we present a concrete construction from an existing secure and efficient certificateless signature scheme by employing the techniques of verifiable secret sharing and distributed key generation. The security of our construction is proven under the CDH assumption.

2. Preliminaries

To keep this paper self-contained, we briefly review the basic facts about the admissible bilinear map. We then present the complexity assumptions on which the secret sharing, distributed key generation and our certificateless threshold signature scheme are based.


2.1. Bilinear map

The admissible bilinear map $\hat{e}$ is defined as follows. Let $G_1$ be an additive group of prime order $q$, and let $G_2$ be a multiplicative group of the same order. Let $P$ denote a generator of $G_1$. A map $\hat{e}: G_1 \times G_1 \to G_2$ is called a bilinear map if it satisfies the following properties:

Bilinear: $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$ for all $P, Q \in G_1$, $a, b \in \mathbb{Z}_q$.
Non-degeneracy: There exist $P, Q \in G_1$ such that $\hat{e}(P, Q) \neq 1$.
Computable: There exists an efficient algorithm to compute $\hat{e}(P, Q)$ for any $P, Q \in G_1$.

2.2. Complexity assumptions

We now describe some complexity assumptions in the groups $G_1$ and $G_2$. Note that throughout this paper, the groups $G_1$ and $G_2$ are those described in the above definition of the bilinear map.

Discrete logarithm problem (DLP): The DLP in $G_1$ is described as follows. Given two group elements $P$ and $Q$, find an integer $x \in \mathbb{Z}_q$ such that $Q = xP$, whenever such an integer exists.
Computational Diffie–Hellman problem (CDHP): The CDHP in $G_1$ is that, given $(P, aP, bP)$ for random unknown $a, b \in \mathbb{Z}_q$, compute $abP$.
Modified generalized bilinear inversion problem (mGBIP): The mGBIP proposed in [3] is defined as follows. Given $h \in G_2$ and $P \in G_1$, compute $S \in G_1$ such that $\hat{e}(S, P) = h$. (Readers can refer to [3] for a detailed description.)

We assume that the above-mentioned complexity problems are hard in the groups $G_1$ and $G_2$ with pairing $\hat{e}$. Notice that the mGBI assumption (that is, the mGBI problem is intractable) is implied by the CDH assumption. The proof is sketched as below: assume that an attacker $A_{CDH}$ of the CDH problem is given a random instance $(P, aP, bP)$, where $a, b \in \mathbb{Z}_q$ and $P$ is a generator of $G_1$. Suppose there is another algorithm $A_{mGBI}$ which can solve the mGBI problem with non-negligible success probability. In the reduction, $A_{CDH}$ runs $A_{mGBI}$ with the input $(h = \hat{e}(aP, bP), P)$. Let $S$ be the output of $A_{mGBI}$; $A_{CDH}$ sets $S$ as its own output. Clearly, $S$ is a correct solution of the given CDH instance $(P, aP, bP)$ as long as $S$ is a correct solution of the mGBI instance $(h = \hat{e}(aP, bP), P)$: by bilinearity, $h = \hat{e}(aP, bP) = \hat{e}(P, P)^{ab} = \hat{e}(abP, P)$, and since $\hat{e}(P, P) \neq 1$ has prime order $q$, the map $x \mapsto \hat{e}(xP, P)$ is injective on $\mathbb{Z}_q$, so $\hat{e}(S, P) = h$ forces $S = abP$. Thus, the mGBI problem can be directly reduced to the CDH problem.

2.3. Outline of certificateless threshold signature schemes

Definition 1 (Certificateless threshold signatures). A certificateless $(t, n)$ threshold signature scheme CLTHS consists of the following algorithms or protocols.

A probabilistic key/system parameter generation algorithm GC($k$): Given a security parameter $k \in \mathbb{N}$, this algorithm generates the master secret key msk and a list of system parameters params. Note that the parameter list params is given to all interested parties, while the matching master key msk is kept secret.

A probabilistic partial private key extraction algorithm EX(params, msk, ID): Given an identity ID, a parameter list params and a master key msk, this algorithm generates a partial private key associated with ID, denoted by $ppk_{ID}$.

A probabilistic partial private key distribution protocol DK(params, $ppk_{ID}$, $n$, $t$): Given a partial private key $ppk_{ID}$ associated with an identity ID, $n$ signature generation servers and a threshold parameter $t$, this protocol generates $n$ shares of $ppk_{ID}$ and securely provides each signature generation server $C_i$ ($1 \le i \le n$) with a corresponding share. It also generates and publishes a set of verification keys that can be used to check the validity of each partial private key share. We denote the partial private key shares and the matching verification keys by $\{ppk_{ID}^i\}_{i=1,\ldots,n}$ and $\{vsk_{ID}^i\}_{i=1,\ldots,n}$, respectively. For each $i$, $1 \le i \le n$, $C_i$ keeps $ppk_{ID}^i$ secret, while $vsk_{ID}^i$ is publicly known to all, including the adversary.

A probabilistic distributed secret value generation protocol GS(params, ID, $n$, $t$): Given an identity ID, a parameter list params, the number $n$ of signature generation servers, and a threshold $t$, this protocol generates a distributed secret value for identity ID. That is, the $n$ signature generation servers, without a dealer, jointly generate a secret value $x_{ID}$ and its corresponding public value $pk_{ID}$. As a result, $x_{ID}$ is shared among the $n$ signature generation servers using a verifiable $(t, n)$ threshold secret-sharing scheme. Each signature generation server $C_i$ holds a secret share $x_{ID}^i$, and the corresponding public verification share $pk_{ID}^i$ is known to all signature generation servers.

A deterministic public key extraction protocol PK(params, ID, $x_{ID}$): Given a parameter list params, an identity ID and the secret value $x_{ID}$, this protocol generates the public key $P_{ID}$ related to ID. In particular, the public key in our scheme is just the value $pk_{ID}$ obtained in the previous protocol, which is the public value corresponding to the secret value.

A probabilistic signature generation protocol S(params, $ppk_{ID}^i$, $x_{ID}^i$, $M$): Given a parameter list params, a message $M$, a share $ppk_{ID}^i$ of the partial private key $ppk_{ID}$ and a share $x_{ID}^i$ of the secret value $x_{ID}$ associated with ID, each signature generation server $C_i$ computes a signature share $\sigma_i$ for $M$. After that, a dealer (selected at random from the current servers) combines at least $t$ valid shares together and outputs a valid signature $\sigma$.


A deterministic signature verification algorithm V(params, ID, $pk_{ID}$, $M$, $\sigma$): Given a signer's identity ID, a public key $pk_{ID}$, a message $M$ and its signature $\sigma$, this algorithm checks the validity of $\sigma$. The output of this algorithm is either "Valid" or "Invalid".

Remark. The key/system parameter generation algorithm GC and the partial private key extraction algorithm EX are both run by the trusted KGC. The partial private key distribution protocol DK makes use of an appropriate secret-sharing technique to distribute the partial private key among the $n$ signature generation servers. This process depends on the cryptographic services that the KGC can offer: the KGC could execute protocol DK if it is capable of organizing threshold signatures, or a trusted normal user (for example, a selected leader of the group) could run DK if the KGC only has the functionality of issuing partial private keys for users.

3. Security notions for certificateless threshold signatures

3.1. Existential unforgeability for certificateless threshold signatures against adaptive chosen message attacks

Similarly to the adversaries against CLS defined in [13], there are basically two types of super adversaries in CLTHS: $B_I$ and $B_{II}$. $B_I$ simulates attacks in which the adversary (anyone except the KGC) replaces the public key of any entity with a value of his choice. However, $B_I$ does not have access to the master secret key. Adversary $B_{II}$ simulates attacks in which the adversary has the master secret key but cannot replace the target user's public key. Due to the security requirement of $(t, n)$ threshold signatures [9], we further assume that the super adversaries ($B_I$ and $B_{II}$) against CLTHS can corrupt up to $t-1$ signature generation servers. We also consider malicious adversaries that may cause corrupted servers to deviate from the specified protocol in any way. We assume that the computational power of adversaries is adequately modeled by a probabilistic polynomial-time Turing machine. The adversaries we consider here are static, i.e., they choose the corrupted servers at the beginning of the protocol. Now we define the security of a CLTHS scheme via the following two games between a challenger $C$ and a super adversary $B_I$ ($B_{II}$).

Game 1 (for Super Type I Adversary).

Setup: $C$ runs the key/system parameter generation algorithm GC to obtain a master secret key msk and the system parameter list params. Then $C$ sends params to the adversary $B_I$ while keeping msk secret.

Phase 1: $B_I$ corrupts $t-1$ signature generation servers. For convenience, we assume that the corrupted signature generation servers are $C_1, \ldots, C_{t-1}$.

Phase 2: $B_I$ can make the following queries in an adaptive manner.
– Partial-private-key queries PPK(ID): $B_I$ can request the partial private key of any user with identity ID. On receiving ID, $C$ runs the partial private key extraction algorithm EX of CLTHS with ID as input and obtains the corresponding partial private key $ppk_{ID}$, which is given to $B_I$.
– Secret-value queries SV(ID): $B_I$ can request the secret value of any user with identity ID. In response, $C$ runs the secret value generation protocol GS of CLTHS with ID as input and obtains a secret value $x_{ID}$, the corresponding public value $pk_{ID}$, the secret value share $x_{ID}^i$ and the matching verification share $pk_{ID}^i$ for every signature generation server. Then, $C$ sends $x_{ID}$ to $B_I$. Note that $C$ outputs $\perp$ if the user's public key has been replaced.
– Public-key-replacement queries PKR(ID, $pk'_{ID}$): For any user with identity ID, $B_I$ can choose a new public key $pk'_{ID}$ and then set $pk'_{ID}$ as the new public key of this user. $C$ will keep a record of this replacement.
– Sign queries S(ID, $M$, $pk_{ID}$): $B_I$ can request the signature of the user whose identity is ID on a message $M$. On receiving $M$, $C$ runs the signature generation protocol S of CLTHS and responds to $B_I$ with the $\sigma_i$ for $i = 1, \ldots, n$ output by S. It is required that the $\sigma_i$ for $i = 1, \ldots, n$ are valid signature shares on message $M$ under identity ID and the public key $pk_{ID}$. It is evident that $B_I$ is able to calculate a full signature of $M$ with enough signature shares.

Phase 3: $B_I$ submits the target identity $ID^*$. On receiving $ID^*$, $C$ first runs the algorithm EX of CLTHS to obtain a partial private key $ppk_{ID^*}$, and then runs the partial private key distribution protocol DK of CLTHS with $ppk_{ID^*}$ as input to share it among the $n$ signature generation servers. We denote the partial private key shares by $ppk_{ID^*}^i$ for $i = 1, \ldots, n$. $C$ gives $ppk_{ID^*}^i$ for $i = 1, \ldots, t-1$ to $B_I$. Then, $B_I$ issues a sequence of requests as in Phase 2, except the partial-private-key request on the challenge identity $ID^*$.

Forgery: Finally, $B_I$ outputs $(ID^*, M^*, \sigma^*, pk_{ID^*})$. We say that $B_I$ wins Game 1 if
1. $\sigma^*$ is a valid signature on message $M^*$ under identity $ID^*$ and the corresponding public key $pk_{ID^*}$;
2. $(ID^*, M^*, pk_{ID^*})$ never appears as one of the sign queries.

We define $B_I$'s success probability by

$$Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS, B_I}(k) = \Pr[V(params, ID^*, M^*, \sigma^*) = \text{valid}].$$

An attacker $B_I$ is said to $(t_{CMA}, q_{PPK}, q_{PK}, q_{SV}, q_{PKR}, q_S, \epsilon)$-break a certificateless threshold signature scheme if $B_I$ runs in time at most $t_{CMA}$, and can make at most $q_{PPK}$ partial-private-key queries, $q_{PK}$ public-key queries, $q_{SV}$ secret-value queries, $q_{PKR}$ public-key-replacement queries and $q_S$ sign queries, and the success probability $Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS, B_I}(k)$ is at least $\epsilon$. Note that the running time and the number of queries are all polynomials in the security parameter $k$.

Game 2 (for Super Type II Adversary).

Setup: $C$ runs the key/system parameter generation algorithm GC to obtain a master secret key msk and the system parameter list params. $C$ then sends params and msk to the adversary $B_{II}$.

Phase 1: $B_{II}$ corrupts $t-1$ signature generation servers, which we denote as $C_1, \ldots, C_{t-1}$.

Phase 2: $B_{II}$ adaptively makes secret-value queries, public-key-replacement queries and sign queries as described in Game 1.

Phase 3: $B_{II}$ submits the target identity $ID^*$, and then issues a sequence of requests as in Phase 2. Notice that for $B_{II}$'s signature query S($ID^*$, $M$, $pk_{ID^*}$), $C$ responds with a valid signature as described before. Note also that no secret-value queries or public-key-replacement queries on $ID^*$ are allowed.

Forgery: Finally, $B_{II}$ outputs $(ID^*, M^*, \sigma^*, pk_{ID^*})$. We say that $B_{II}$ wins Game 2 if
1. $\sigma^*$ is a valid signature on message $M^*$ under identity $ID^*$ and the corresponding public key $pk_{ID^*}$;
2. $(ID^*, M^*, pk_{ID^*})$ never appears as one of the sign queries.

We define $B_{II}$'s success probability by

$$Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS, B_{II}}(k) = \Pr[V(params, ID^*, M^*, \sigma^*) = \text{valid}].$$

An attacker $B_{II}$ is said to $(t_{CMA}, q_{SV}, q_{PKR}, q_S, \epsilon)$-break a certificateless threshold signature scheme if it runs in time at most $t_{CMA}$, and can make at most $q_{SV}$ secret-value queries, $q_{PKR}$ public-key-replacement queries and $q_S$ sign queries, and the success probability $Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS, B_{II}}(k)$ is at least $\epsilon$. Note that the running time and the number of queries are all polynomials in the security parameter $k$. We now define the existential unforgeability of CLTHS against adaptively chosen message attacks, which we call "EUF–CLTHS–CMA".

Definition 2 (EUF–CLTHS–CMA). A certificateless threshold signature scheme CLTHS is said to be EUF–CLTHS–CMA secure if the success probability of any polynomially bounded adversary in the above two games is negligible. Accordingly, we use "EUF–CLS–CMA" to mean the existential unforgeability of a CLS against adaptively chosen message attacks.

3.2. Relationship between EUF–CLTHS–CMA and EUF–CLS–CMA

In order to prove the unforgeability of a CLTHS scheme, we use the concept of a simulatable adversary view. Intuitively, this means that for every adversary there is a simulator which, on input the public value and all information of the corrupted players, can produce an output distribution that is computationally indistinguishable from the view of the adversary interacting with honest players in a regular run of the protocol which ends with the public value as its public output. In other words, the run of the protocol provides no useful information to the adversary other than the public information. Motivated by Gennaro et al.'s [9] methodology for proving the security of threshold signature schemes, we define the simulatability of CLTHS as follows.

Definition 3 (Simulatability of CLTHS). Let CLTHS = (GC, EX, DK, GS, PK, S, V) be a certificateless $(t, n)$ threshold signature scheme. The scheme CLTHS is said to be simulatable if the following properties hold.

1. The protocol DK is simulatable. That is, there exists a simulator $SIM_{DK}$ that, on input the public output of GC of CLTHS, an identity ID, the $t-1$ partial private key shares matching ID held by the corrupted signature generation servers, and the public information $\{vsk_{ID}^i\}_{i=1,\ldots,n}$ associated with the partial private key $ppk_{ID}$, can simulate the view of the attacker on an execution of DK of CLTHS that ends with $\{vsk_{ID}^i\}_{i=1,\ldots,n}$ as the public output.
2. The protocol GS is simulatable. That is, there exists a simulator $SIM_{GS}$ that, on input the public output of GC of CLTHS, an identity ID, the $t-1$ secret value shares matching ID held by the corrupted signature generation servers, and the public value $pk_{ID}$ associated with the secret value $x_{ID}$, can simulate the view of the attacker on an execution of GS of CLTHS that generates the given $pk_{ID}$ as the public output.
3. The protocol S is simulatable. That is, there exists a simulator $SIM_S$ that, on input the public output of GC of CLTHS, an identity ID, a message $M$ and a signature $\sigma$ on $M$, the $t-1$ partial private key shares and $t-1$ secret value shares matching ID held by the corrupted signature generation servers, and the public output of DK and GS of CLTHS, can simulate the view of the attacker on an execution of S of CLTHS that generates $\sigma$ as output.

We state and prove the following theorem regarding the relationship between the security of CLTHS and that of the underlying CLS. The theorem shows that an EUF–CLS–CMA secure certificateless signature scheme can be used as a building block to construct an EUF–CLTHS–CMA secure certificateless threshold signature scheme as long as the simulatability is ensured.

Theorem 1. If the CLTHS scheme is simulatable and the underlying CLS scheme is EUF–CLS–CMA secure, then the CLTHS is EUF–CLTHS–CMA secure. More precisely,

$$Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS}(t_{CMA}) \le Succ^{EUF\text{-}CLS\text{-}CMA}_{CLS}(t'_{CMA}),$$

where $t'_{CMA} = t_{CMA} + T_{SIM_{DK}} + T_{SIM_{GS}} + T_{SIM_S}$. Here, $T_{SIM_{DK}}$, $T_{SIM_{GS}}$ and $T_{SIM_S}$ denote the running times of the simulators $SIM_{DK}$, $SIM_{GS}$ and $SIM_S$, respectively.

Proof. Let $B_I$ and $B_{II}$ denote the two types of attackers that wish to break the EUF–CLTHS–CMA security of the CLTHS scheme. Let $A_I$ and $A_{II}$ denote the two types of attackers against the underlying (non-threshold) CLS scheme. The proof consists of two parts, depending on the type of attacker.

Part 1 (for Type I Attacker). Our aim is to show that if there exists an attacker $B_I$ that can break the EUF–CLTHS–CMA security of the CLTHS scheme, then there will inevitably be an attacker $A_I$ that can break the EUF–CLS–CMA security of the underlying CLS scheme. To prove this, we show how the view of $B_I$ in the real attack Game 1 of EUF–CLTHS–CMA defined in Section 3.1, which we denote by $G_B$, can be simulated to obtain a new game $G_A$ which is related to the ability of the attacker $A_I$ to defeat the EUF–CLS–CMA security of the underlying CLS scheme, under the assumption that CLTHS is simulatable (note that the security model for the Type I adversary of a CLS scheme can be found in [25]). To achieve this, we regard $A_I$ as the challenger in game $G_B$, and queries issued by $B_I$ will be directly sent to $A_I$, who will use $B_I$ to attack the underlying CLS scheme.

Game $G_B$: As mentioned before, this game is identical to the real attack Game 1 described in Section 3.1. We denote by $E_B$ the event that $B_I$ outputs a valid message/signature pair as a forgery. We use the similar notation $E_A$ for Game $G_A$. Since Game $G_B$ is the same as the real attack game, we have

$$\Pr[E_B] = Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS,B_I}(k).$$

Game $G_A$: First, we replace the system parameters params in $G_B$ by the corresponding system parameters in $G_A$. Note that neither $A_I$ nor $B_I$ has knowledge of the master secret key msk. We then enter the following queries in Phase 2 of the attack Game 1.
– Whenever $B_I$ issues a partial private key query PPK(ID) or a secret-value query SV(ID), $A_I$ forwards the query to his challenger. On receiving ID, the challenger runs the partial-private-key-extract or set-secret-value protocol of CLS taking ID as input and responds with the resulting partial private key $ppk_{ID}$ or secret value $x_{ID}$. Then $A_I$ sends $ppk_{ID}$ or $x_{ID}$ to $B_I$. (Note that the challenger outputs $\perp$ for the secret-value query if the user's public key has been replaced.)
– If $B_I$ issues a public-key-replacement query $PKR(ID, pk'_{ID})$, $A_I$ forwards the query to his challenger and then updates $pk_{ID}$ to $pk'_{ID}$.
– If $B_I$ issues a sign query $S(ID, M, pk_{ID})$, $A_I$ forwards the query to his challenger to get a corresponding signature $\sigma$. Having obtained $\sigma$, $A_I$ runs $SIM_S$ taking as input params, the outputs generated by $SIM_{DK}$ and $SIM_{GS}$ (which include the $t-1$ corrupted partial private key shares and secret value shares), the identity ID, and the message/signature pair $(M, \sigma)$. $A_I$ then sends $SIM_S$'s outputs to $B_I$.

If $B_I$ submits a target identity $ID^*$, $A_I$ runs $SIM_{DK}$ taking params and $ID^*$ as input to simulate the view of $B_I$, and forwards $ID^*$ as the target identity to his challenger. (Note that during the execution of $SIM_{DK}$, $B_I$ is given the $t-1$ partial private key shares of the corrupted signature generation servers. Note also that $A_I$ does not make a partial private key request on $ID^*$ and hence does not know the value $ppk_{ID^*}$.) Then $B_I$ issues public-key-replacement and sign queries on $ID^*$. There is no need for $B_I$ to issue a secret-value query, because he may have chosen a secret value to generate a new public key. For such queries, $A_I$ responds as defined in Section 3.1.

If $B_I$ outputs $(ID^*, M^*, \sigma^*, pk^*_{ID^*})$ in the Forgery Phase, $A_I$ sets $(ID^*, M^*, \sigma^*, pk^*_{ID^*})$ as his own forgery. Note that $B_I$'s view in the real attack game is identical to his view in Game $G_A$ as long as the CLTHS is simulatable. Hence we have

$$\Pr[E_B] \le \Pr[E_A].$$

Due to the definitions of $\Pr[E_B]$ and $\Pr[E_A]$, we have

$$Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS,B_I}(k) \le Succ^{EUF\text{-}CLS\text{-}CMA}_{CLS,A_I}(k).$$

Part 2 (for Type II Attacker). Similarly to the case of the Type I attacker, we show how the view of $B_{II}$ in the real attack (Game 2 of EUF–CLTHS–CMA defined in Section 3.1), which we denote by $G'_B$, can be simulated to obtain a new game $G'_A$ in which the attacker $A_{II}$ can break the EUF–CLS–CMA security of the CLS scheme, under the assumption that CLTHS is simulatable (the security model for the Type II

adversary of a CLS scheme can be found in [25]). To achieve this, we regard the attacker $A_{II}$ as the challenger in game $G'_B$. Queries issued by $B_{II}$ are sent directly to $A_{II}$, who makes use of his challenger in game $G'_A$ to generate correct responses.

Game $G'_B$: As mentioned before, this game is identical to the real attack Game 2 described in Section 3.1. We denote by $E'_B$ the event that $B_{II}$ outputs a valid message/signature pair as a forgery. We use the similar notation $E'_A$ for Game $G'_A$. Since Game $G'_B$ is the same as the real attack game, we have

$$\Pr[E'_B] = Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS,B_{II}}(k).$$

Game $G'_A$: First, we replace the system parameters params and the master secret key msk in $G'_B$ by the corresponding system parameters and master secret key in $G'_A$. We then enter the following queries in Phase 2 of the attack Game 2.
– Whenever $B_{II}$ issues a secret-value query SV(ID), $A_{II}$ forwards the query to his challenger. On receiving ID, the challenger runs the set-secret-value algorithm of CLS taking ID as input and returns the resulting secret value $x_{ID}$. Then $A_{II}$ sends the value $x_{ID}$ to $B_{II}$. Note that the challenger outputs $\perp$ if the user's public key has been replaced.
– If $B_{II}$ issues a public-key-replacement query $PKR(ID, pk'_{ID})$, $A_{II}$ forwards the query to his challenger and then updates $pk_{ID}$ to $pk'_{ID}$.
– If $B_{II}$ issues a sign query $S(ID, M, pk_{ID})$, $A_{II}$ forwards the query to his challenger to get a corresponding signature $\sigma$. Having obtained $\sigma$, $A_{II}$ runs $SIM_S$ taking as input params, the outputs generated by $SIM_{DK}$ and $SIM_{GS}$ (which include the $t-1$ corrupted partial private key shares and secret value shares), the identity ID, and the message/signature pair $(M, \sigma)$. $A_{II}$ then sends $SIM_S$'s outputs to $B_{II}$.

Once $B_{II}$ submits a target identity $ID^*$, he can issue sign queries on $ID^*$, which are answered in the same way as described above. Note that $B_{II}$ is not allowed to issue a public-key-replacement query or a secret-value query on $ID^*$, since $B_{II}$ could obtain the full signing key of $ID^*$ if either of them were allowed. If $B_{II}$ outputs $(ID^*, M^*, \sigma^*, pk^*_{ID^*})$ in the Forgery Phase, $A_{II}$ sets it as his own forgery. Note from the simulation that $B_{II}$'s view in the real attack game is identical to his view in Game $G'_A$ as long as the CLTHS is simulatable. Hence we have

$$\Pr[E'_B] \le \Pr[E'_A].$$

Due to the definitions of $\Pr[E'_B]$ and $\Pr[E'_A]$, we have

$$Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS,B_{II}}(k) \le Succ^{EUF\text{-}CLS\text{-}CMA}_{CLS,A_{II}}(k). \qquad \square$$

4. Building blocks

4.1. Zhang–Zhang certificateless signature scheme

We first review the Zhang–Zhang certificateless signature scheme [25], which we denote by "ZZCLS". We will use this as the basic certificateless signature scheme to construct our certificateless threshold signature scheme in Section 5. Note that the ZZCLS scheme was proven secure in the strongest security model of CLS schemes assuming the hardness of the CDH problem over groups with bilinear maps.

Key/system parameter generation algorithm GC(k): This algorithm is run by the KGC to generate its master secret key msk and a list of system parameters params.
– Choose a cyclic additive group $G_1$ generated by $P$ with prime order $q$, a cyclic multiplicative group $G_2$ of the same order, and a bilinear map $\hat e: G_1 \times G_1 \to G_2$.
– Pick a random $\lambda \in \mathbb{Z}_q^*$ as the master secret key and set $P_{pub} = \lambda P$.
– Choose three cryptographic hash functions $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_3: \{0,1\}^* \to \mathbb{Z}_q^*$.
– Keep $\lambda$ secret and publish $params = (G_1, G_2, \hat e, P, P_{pub}, H_1, H_2, H_3)$.

Partial private key extraction algorithm EX(params, msk, ID): This algorithm is run by the KGC to generate a partial private key associated with ID.
– Compute $Q_{ID} = H_1(ID \| P)$.
– Output the partial private key $D_{ID} = \lambda Q_{ID}$.

Secret value setting algorithm GS(params, ID): This algorithm takes as input params and a user's identity ID. It then selects a random $x_{ID} \in \mathbb{Z}_q^*$ and outputs $x_{ID}$ as the user's secret value.

Public key extraction algorithm PK(params, ID, $x_{ID}$): This algorithm accepts params, a user's identity ID and this user's secret value $x_{ID}$ as input. It produces the user's public key $P_{ID} = x_{ID} P$.

Signature generation algorithm S(params, $D_{ID}$, $x_{ID}$, M): To sign a message M using the partial private key $D_{ID}$ and the secret value $x_{ID}$, the signer, whose identity is ID and whose public key is $P_{ID}$, performs the following steps.
– Choose a random $r \in \mathbb{Z}_q^*$ and compute $R = rP$.
– Compute $u = H_2(R \| P_{ID} \| M)$ and $v = H_3(R \| P_{ID} \| M)$.
– Compute $V = (u x_{ID} + r) Q_{ID} + v D_{ID}$.
– Output $\sigma = (R, V)$ as the signature on M.

Signature verification algorithm V(params, ID, $P_{ID}$, M, $\sigma$): To verify a signature $\sigma$ on a message M for an identity ID and public key $P_{ID}$, the verifier performs the following steps.
– Compute $Q_{ID} = H_1(ID \| P)$, $u = H_2(R \| P_{ID} \| M)$ and $v = H_3(R \| P_{ID} \| M)$.
– Verify $\hat e(V, P) = \hat e(u P_{ID} + v P_{pub} + R,\ Q_{ID})$. If the equation holds, output "Valid". Otherwise, output "Invalid".

4.2. Review of secret-sharing over a group $G_1$

In order to construct a certificateless threshold signature scheme from the above ZZCLS scheme, we need to share the partial private key $D_{ID}$ among the signature generation servers. This can be achieved by using the (t, n)-secret-sharing scheme over the group $G_1$ presented in [2]. Due to space limitations, we omit the details of this technique; readers are referred to [2] for a detailed explanation.

4.3. Review of computationally secure verifiable secret-sharing protocol based on the bilinear map

In cryptography, a secret-sharing scheme is called verifiable if auxiliary information is included that allows players to verify that their shares are consistent. More formally, verifiable secret-sharing (VSS) ensures that even if the dealer is malicious there is a well-defined secret that the players can later reconstruct. With regard to threshold signature schemes, verifiable secret sharing is a useful tool for preventing malicious attacks; in other words, VSS gives threshold signature schemes robustness. Various solutions to verifiable secret sharing have been known and used for a long time. However, taking into account that our certificateless threshold signature scheme is based on bilinear maps, here we make use of a scheme proposed by Baek and Zheng [3], which we call "computationally secure verifiable secret-sharing protocol based on the bilinear map (Comp-Secure-VSSBP)", motivated by Feldman's VSS scheme [8]. This protocol will be used to distribute a user's partial private key $D_{ID}$ in the ZZCLS scheme among a number of signature generation servers. We describe Comp-Secure-VSSBP in Fig. 1. The following lemma shows the correctness of the protocol Comp-Secure-VSSBP.

Lemma 1. In Comp-Secure-VSSBP, the shares held by all uncorrupted participants can be interpolated to a unique PLF of degree $t-1$, and t or more of these shares can reconstruct the secret S.

The protocol Comp-Secure-VSSBP is computationally secure in that the value $a_0 = \hat e(S, P)$ is revealed during the execution of the protocol, and hence the secrecy of S depends on the computational assumption that it is hard for an attacker to obtain S from $\hat e(S, P)$, which is the mGBI assumption. As mentioned in Section 2.2, the mGBI assumption is implied by the CDH assumption, so the security of the protocol Comp-Secure-VSSBP can be regarded as based on the hardness of the CDH problem.

Lemma 2. In Comp-Secure-VSSBP, an attacker that learns fewer than t shares of the secret S obtains no information about S, assuming that the CDH problem is computationally intractable.

Please refer to [3] for detailed proofs of the two lemmas.

Fig. 1. Computationally secure veriﬁable secret-sharing protocol based on the bilinear map.


4.4. Distributed secret value generation protocol for our scheme

Distributed secret key generation is a main component of threshold cryptosystems. It allows a set of n servers to jointly generate a pair of public and secret keys according to the distribution defined by the underlying cryptosystem, without ever having to compute, reconstruct, or store the secret key in any single location and without assuming any trusted party (dealer). While the public key is output in the clear, the secret key is maintained as a (virtual) secret shared via a threshold scheme. Solutions to the distributed generation of private keys for discrete-log based cryptosystems have been studied in [5,10]. Here we construct a protocol "distributed secret-value generation protocol for the CLTHS scheme (DSG)", which is very similar to Gennaro et al.'s [10] distributed key generation protocol for discrete-logarithm based cryptographic schemes. The differences between them are as follows. Firstly, the domain of the public value is changed from $\mathbb{Z}_p^*$ to $G_1$: while our protocol allows a set of n servers to jointly generate a secret $s \in \mathbb{Z}_q^*$ whose corresponding public value is $c = sP \in G_1$, a predetermined set of parties in Gennaro et al.'s protocol jointly generate a secret $\lambda \in \mathbb{Z}_q^*$ whose corresponding public value is $y = g^{\lambda} \in \mathbb{Z}_p^*$. Secondly, the broadcast information and the verification equation are also changed from $\mathbb{Z}_p^*$ to $G_1$. Lastly, the computation of $A_{nk}$ is different in the simulator constructed to prove the security of the DSG. We use a variant of the non-interactive and information-theoretically secure VSS protocol due to Pedersen [17] as a building block in our solution, which can tolerate up to $t-1$ malicious faults without revealing any information on the secret; we denote it by Pedersen-VSS. Due to the lack of space, we do not explicitly describe Pedersen-VSS here, as its description is implicitly contained in Step 1 of our DSG protocol. Suppose that the threshold t and the number n of parties satisfy $1 \le t \le n < q$. Let $(G_1, q, P)$ be the common parameters, as defined in Section 2.1. Our protocol DSG is depicted in detail in Fig. 2.

Fig. 2. Distributed secret-value generation protocol for the CLTHS scheme.

Fig. 3. Simulator for the distributed secret value generation protocol DSG.


The correctness and security (please refer to [10] for detailed definitions) of DSG can be proven in a similar way as those of the protocol in [10]. For simplicity, we only present the correctness statement (Lemma 3) and a modified simulator SIM-DSG in Fig. 3, while the concrete proof procedure is omitted. From the protocol we know that the generated secret is $s \in \mathbb{Z}_q^*$ and its corresponding public value is $c = sP \in G_1$. Finally, $C_i$ holds the secret shares $x_i, x'_i$, $i = 1, \ldots, n$. The public information $C_{ik}, A_{ik}, A_k$, $i = 1, \ldots, n$, $k = 0, \ldots, t-1$, is known to all parties. It is easy to see that $x_i P = \sum_{k=0}^{t-1} i^k A_k$. In our threshold signature scheme in Section 5, this protocol is employed by the n signature generation servers to generate the secret value $x_{ID}$ of an identity ID as well as the random number r used in the signing phase.

Lemma 3 (Correctness). In the above protocol DSG, all subsets of t shares provided by honest parties define the same unique secret key s, and all honest parties have the same value of the public key $c = sP$, where s is uniformly distributed in $\mathbb{Z}_q$.

Lemma 4 (Secrecy). In the above protocol DSG, no information on s can be learned by the adversary except for that implied by the value $c = sP$.

From the above lemmas we derive the following theorem.

Theorem 2. Protocol DSG in Fig. 2 is a secure protocol for distributed secret value generation, namely it satisfies the above correctness and secrecy requirements with threshold t.
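The three building blocks of Sections 4.2–4.4 share one algebraic pattern, which also reappears in the Lagrange combination $V = \sum_{i \in U} \pi^U_{0,i} V_i$ of Section 5: a dealer (or, in DSG, every party) shares a scalar through a degree-$(t-1)$ polynomial, publishes homomorphic commitments to the coefficients so that each holder can check its share against $\sum_k i^k A_k$ or $\prod_j a_j^{i^j}$, and any $t$ verified shares are recombined with the coefficients $\pi^U_{0,i} = \prod_{j \in U, j \ne i} j/(j-i) \bmod q$. The Python program below is an added worked example, not code from the paper or its authors. It replaces the pairing commitments $a_k = \hat e(F_k, P)$ of Comp-Secure-VSSBP with Feldman's discrete-log commitments $g^{a_k}$ in a constructed toy prime-order subgroup (q = 509, far too small to be secure) so that it runs without a pairing library; all function and parameter names are the example's own, and the honest-dealer Feldman variant is shown rather than the dealerless Pedersen-based DSG of Fig. 2.

```python
"""Toy Feldman-style verifiable secret sharing with Lagrange reconstruction.

Constructed example: a small prime-order subgroup of Z_p^* stands in for the
paper's G_1/G_2, and g^{a_k} stands in for the pairing commitment e(F_k, P).
The parameters are far too small to be secure; they only make the algebra
visible.
"""
import secrets

Q = 509                 # prime order of the share field Z_q (toy value)
P = 2 * Q + 1           # 1019, a safe prime, so Z_p^* has a subgroup of order Q
G = pow(2, 2, P)        # a quadratic residue generates that order-Q subgroup


def share(secret, t, n, rng=secrets.randbelow):
    """Dealer side of a (t, n) sharing of `secret` in Z_q.

    Returns the shares [(i, f(i))] and the commitments A_k = g^{a_k} to the
    polynomial coefficients (the role played by a_k = e(F_k, P) in the paper).
    """
    assert 1 <= t <= n < Q, "the paper requires 1 <= t <= n < q"
    coeffs = [secret % Q] + [rng(Q) for _ in range(t - 1)]   # f(x) = sum a_k x^k
    commits = [pow(G, a, P) for a in coeffs]
    shares = [(i, sum(a * pow(i, k, Q) for k, a in enumerate(coeffs)) % Q)
              for i in range(1, n + 1)]
    return shares, commits


def verify_share(i, s_i, commits):
    """Check g^{s_i} == prod_k A_k^{i^k}: the discrete-log analogue of the
    paper's share check e(D^i_ID, P) == prod_j a_j^{i^j}."""
    rhs = 1
    for k, A_k in enumerate(commits):
        rhs = rhs * pow(A_k, pow(i, k, Q), P) % P
    return pow(G, s_i, P) == rhs


def lagrange_coeff(i, indices):
    """pi^U_{0,i} = prod_{j in U, j != i} j / (j - i)  (mod q)."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def reconstruct(subset):
    """Recover f(0) from any |U| >= t verified shares (field elements)."""
    indices = [i for i, _ in subset]
    return sum(s_i * lagrange_coeff(i, indices) for i, s_i in subset) % Q


def combine_group_shares(subset):
    """Apply the same coefficients to shares that live in the group
    (here g^{s_i}); this mirrors V = sum_{i in U} pi^U_{0,i} V_i in Section 5,
    where the shares V_i are points of G_1 rather than scalars."""
    indices = [i for i, _ in subset]
    out = 1
    for i, g_i in subset:
        out = out * pow(g_i, lagrange_coeff(i, indices), P) % P
    return out


def demo(secret=123, t=3, n=5):
    """Run one sharing round and report what the checks observed."""
    shares, commits = share(secret, t, n)
    honest = all(verify_share(i, s, commits) for i, s in shares)
    i_bad, s_bad = shares[1]
    tampered_caught = not verify_share(i_bad, (s_bad + 1) % Q, commits)
    rebuilt = reconstruct(shares[:t])
    in_group = combine_group_shares([(i, pow(G, s, P)) for i, s in shares[-t:]])
    return {
        "all_shares_verify": honest,
        "tampered_share_rejected": tampered_caught,
        "reconstructed": rebuilt,
        "group_combination_matches": in_group == pow(G, secret, P),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the code makes visible: a share that a dishonest dealer or a corrupted server alters by even one unit fails the commitment check, which is the robustness property Lemma 1 provides for the partial private key shares; and the same coefficients $\pi^U_{0,i}$ that recover a scalar $f(0)$ from $t$ field shares also recover $g^{f(0)}$ when applied in the exponent to group shares, which is exactly why Section 5 can combine the $G_1$ signature shares $V_i$ by a linear combination without any server reconstructing $D_{ID}$ or $x_{ID}$. Feldman commitments leak $g^{a_0}$ (here, $\hat e(S,P)$ in the paper), which is why Comp-Secure-VSSBP is only computationally hiding and the paper switches to Pedersen's blinded commitments for the secret value in DSG.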

5. Our certificateless threshold signature scheme

With the building blocks presented in the previous section, we now construct a certificateless threshold signature scheme based on the bilinear map, which we call "CLTHSBP". CLTHSBP consists of the following algorithms and protocols. For simplicity, we omit the details of the sub-protocols Comp-Secure-VSSBP and DSG, and only describe the significant information resulting from them.

Key/system parameter generation algorithm GC(k): Given a security parameter k, the KGC performs the following:
– Choose a cyclic additive group $G_1$ generated by $P$ with prime order $q$, a cyclic multiplicative group $G_2$ of the same order, and a bilinear map $\hat e: G_1 \times G_1 \to G_2$.
– Pick a random $\lambda \in \mathbb{Z}_q^*$ as the master secret key and set $P_{pub} = \lambda P$.
– Choose three cryptographic hash functions $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_3: \{0,1\}^* \to \mathbb{Z}_q^*$.
– Keep $\lambda$ secret and publish $params = (G_1, G_2, \hat e, P, P_{pub}, H_1, H_2, H_3)$.

Partial private key extraction algorithm EX(params, msk, ID): This algorithm is run by the KGC to generate a partial private key associated with ID.
– Compute $Q_{ID} = H_1(ID \| P)$.
– Output the partial private key $D_{ID} = \lambda Q_{ID}$.

Partial private key distribution protocol DK(params, msk, ID, n, t): A trusted user (as discussed in Section 2.3, this user could be the KGC itself) who possesses a partial private key $D_{ID}$ associated with an identity ID performs the following:
– Run Comp-Secure-VSSBP with the input $(G_1, q, \hat e, P, P_{pub}, H_1, t, n, D_{ID})$ to share $D_{ID}$ among the n signature generation servers, denoted by $C_1, C_2, \ldots, C_n$. Denote the partial private key share of $C_i$ by $D^i_{ID}$ for $i = 1, \ldots, n$. Denote the public verification information output at the end of the execution of Comp-Secure-VSSBP by $a_0, a_1, \ldots, a_{t-1}$, where t is the threshold.

Distributed secret value generation protocol GS(params, ID, n, t): Each signature generation server $C_i$ performs the following steps to jointly generate a secret value $x_{ID}$ for an identity ID:
– Taking $(G_1, q, P, t, n)$ as input, all signature generation servers execute DSG to jointly generate a secret value $x_{ID}$ and a public value $P_{ID} = x_{ID} P$. (Note that the public value $P_{ID}$ is exactly the public key we want to generate in the next protocol.) Denote the resulting share held by server $C_i$ by $x^i_{ID}$ for $i = 1, \ldots, n$. Denote the public verification information output at the end of the execution of DSG by $pk^k_{ID} = \sum_{i \in J} A_{ik}$ for $k = 0, \ldots, t-1$. Note that $pk^0_{ID} = P_{ID}$.

Public key extraction protocol PK(params, ID, $x_{ID}$): The user's public key $P_{ID}$ corresponding to the user's secret value $x_{ID}$ can be obtained directly from the above protocol without any additional computation. As shown in the protocol DSG, the public information of the secret value is the public key $P_{ID}$, which is exactly what we need.

Signature generation protocol S(params, $D^i_{ID}$, $x^i_{ID}$, M): Each signature generation server $C_i$ performs the following to jointly generate a signature on a given message M:

– Run DSG to jointly generate a secret random value $r \in \mathbb{Z}_q^*$ and a public value $R = rP$. Denote by $r_i$ the resulting share held by server $C_i$, $i = 1, \ldots, n$. Denote the public verification information output at the end of the execution of DSG by $R_k = \sum_{i \in J} A_{ik}$ for $k = 0, \ldots, t-1$. Note that $R_0 = R$.
– Compute $u = H_2(R \| P_{ID} \| M)$ and $v = H_3(R \| P_{ID} \| M)$.
– Broadcast $V_i = (u x^i_{ID} + r_i) Q_{ID} + v D^i_{ID}$. Anyone can verify the validity of $C_i$'s signature share by checking

$$\hat e(V_i, P) = \Big(\prod_{j=0}^{t-1} a_j^{\,i^j}\Big)^{v} \cdot \hat e\Big(u \sum_{j=0}^{t-1} i^j\, pk^j_{ID} + \sum_{j=0}^{t-1} i^j R_j,\ Q_{ID}\Big).$$

– Construct V by computing $V = \sum_{i \in U} \pi^U_{0,i} V_i$, where

$$\pi^U_{0,i} = \prod_{j \in U,\ j \ne i} \frac{j}{j - i} \pmod q$$

is the Lagrange coefficient, for $|U| \ge t$.
– Output $\sigma = (R, V)$ as the whole signature on M.

Signature verification algorithm V(params, ID, $P_{ID}$, M, $\sigma$): One can verify whether $\sigma = (R, V)$ is a valid signature of an entity with identity ID and public key $P_{ID}$ on message M by performing the following steps:
– Compute $Q_{ID} = H_1(ID \| P)$, $u = H_2(R \| P_{ID} \| M)$ and $v = H_3(R \| P_{ID} \| M)$.
– Verify $\hat e(V, P) = \hat e(u P_{ID} + v P_{pub} + R,\ Q_{ID})$. If the equation holds, output "Valid". Otherwise, output "Invalid".

Note that the protocols GC, EX, PK and V of CLTHSBP are the same as those of the ZZCLS scheme described in Section 4.1.

6. Security analysis of the proposed scheme

In this section, we prove the security of the proposed CLTHSBP. According to Theorem 1, we only need to show that the underlying certificateless signature scheme ZZCLS is EUF–CLS–CMA secure and that CLTHSBP is simulatable. As mentioned before, the ZZCLS scheme has been proven EUF–CLS–CMA secure against super adversaries assuming that the CDH problem is intractable [25]. Thus, we only need to prove the following lemma.

Lemma 5. The proposed CLTHSBP is simulatable.

Proof. We describe the three simulators $SIM_{DK}$, $SIM_{GS}$ and $SIM_S$ of CLTHSBP to establish the simulatability of our scheme. The simulator $SIM_{DK}$ for the partial private key distribution protocol DK of CLTHSBP can be constructed in the same way as the one in [3] for the proof of the verifiable secret-sharing scheme (CVSSBM), which ensures the security of Comp-Secure-VSSBP. Similarly, the simulator $SIM_{GS}$ for the distributed secret value generation protocol GS of CLTHSBP can be constructed in the same way as the one in the proof of Theorem 2, which ensures the security of DSG.

Now we present the simulator $SIM_S$ for the signature generation protocol S of CLTHSBP. As described in Fig. 4, the simulator $SIM_S$ takes as input the public output of protocol GC of CLTHSBP, an identity ID, a signature (R, V) on a message M, the $t-1$ partial private key shares $D^1_{ID}, \ldots, D^{t-1}_{ID}$ and the $t-1$ shares $x^1_{ID}, \ldots, x^{t-1}_{ID}$ of the secret value held by the corrupted signature generation servers, and the public outputs $a_0, a_1, \ldots, a_{t-1}$ and $pk^0_{ID}, pk^1_{ID}, \ldots, pk^{t-1}_{ID}$ of DK and GS, and generates valid transcripts of the signature generation protocol S of CLTHSBP. From the adversary's view, these transcripts are computationally indistinguishable from the actual transcripts generated during the execution of the protocol.

We exhibit the proof by analyzing the information generated by the signature generation protocol S and by the simulator $SIM_S$ in each step (the numbering of steps corresponds to that in the signature generation protocol S). For Step 1, both the protocol and the simulator execute a distributed generation of a random secret value using unconditionally secure verifiable secret sharing; the simulatability of this step follows from the simulatability of DSG, which has been proved previously. For Steps 2 and 5, it is evident that their outputs are identically distributed since they consist of identical operations. For Steps 3 and 4, the broadcast values $V_1, \ldots, V_n$ generated by protocol S interpolate to some randomly and uniformly distributed value in $G_1$. The simulated signature shares $V_1, \ldots, V_n$ output by $SIM_S$ interpolate to the given value V, which is randomly and uniformly distributed in $G_1$. We also have $V_i = (u x^i_{ID} + r_i) Q_{ID} + v D^i_{ID}$ for $i = 1, \ldots, t-1$, and hence each simulated $V_i$ is generated in the same manner as the real $V_i$ (Step 3 in $SIM_S$). $\square$

Due to Theorem 1, Lemma 5 and the unforgeability of ZZCLS (as proved in [25]), we obtain the following theorem.

Theorem 3. The CLTHSBP is existentially unforgeable against adaptively chosen message attacks, under the assumption that the CDH problem on $G_1$ is intractable.


Fig. 4. Simulator for the signature generation protocol S of CLTHSBP.

7. Conclusion

In this paper, we discuss the issues related to threshold signatures in certificateless public key cryptography. A stronger security model for certificateless threshold signatures is presented. In our new model, adversaries are more powerful than those considered in other security models of certificateless threshold signature schemes. To make the security proof easy and convenient, we establish the simulatability theorem for certificateless threshold signature schemes. We also propose a new certificateless threshold signature scheme from bilinear maps. The new scheme contains several improvements when compared with the existing ones [21,22]. We use a secure verifiable secret-sharing protocol to share the partial private key among the signature generation servers, which helps to detect misbehavior during the sharing phase. To share the secret value, we employ the technique of information-theoretically secure distributed key generation, and thus no single party can hold the group's secret value. These techniques not only greatly enhance the robustness of our scheme, but also ensure its simulatability. Three simulators (in particular the simulator for the signature generation protocol) are constructed to show the simulatability of the proposed certificateless threshold signature scheme. The simulatability demonstrates that our threshold signature scheme is provably secure against the strongest adversaries in the random oracle model provided that the CDH problem is hard. Our scheme is efficient and has a signature length of only two elements of $G_1$, which is much shorter than other certificateless threshold signature schemes. Thus, the proposed scheme is practical and can be applied in real applications where threshold signatures are needed in certificateless settings.

Acknowledgments

The authors are very grateful to the anonymous reviewers for their valuable comments and suggestions.
This research is supported by the Natural Science Foundation of China under Grant No. 60673070 and the Natural Science Foundation of Jiangsu Province under Grant No. BK2006217.

References

[1] S. Al-Riyami, K. Paterson, Certificateless public key cryptography, in: Proceedings of Asiacrypt 2003, Taipei, Taiwan, 2003, pp. 452–473.
[2] J. Baek, Y. Zheng, Identity-based threshold decryption, in: Proceedings of 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, 2004, pp. 262–276.
[3] J. Baek, Y. Zheng, Identity-based threshold signature scheme from the bilinear pairings, in: Proceedings of the International Conference on Information Technology: Coding and Computing, Las Vegas, USA, 2004, pp. 124–128.
[4] A. Boldyreva, Efficient threshold signatures: multisignatures and blind signatures based on the Gap–Diffie–Hellman-group signature scheme, in: Proceedings of 6th International Workshop on Theory and Practice in Public Key Cryptography, Miami, FL, USA, 2003, pp. 31–46.
[5] M. Cerecedo, M. Matsumoto, H. Imai, Efficient and secure multiparty generation of digital signatures based on discrete logarithms, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E76-A (1993) 532–545.
[6] S. Chang, D.S. Wong, Y. Mu, Z. Zhang, Certificateless threshold ring signatures, Information Sciences 179 (20) (2009) 3685–3696.
[7] X. Chen, F. Zhang, D.M. Konidala, K. Kim, New ID-based threshold signature scheme from bilinear pairings, in: Proceedings of 5th International Conference on Cryptology in India, Chennai, India, 2004, pp. 371–383.
[8] P. Feldman, A practical scheme for non-interactive verifiable secret sharing, in: Proceedings of IEEE 28th Annual Symposium on the Foundations of Computer Science, Los Angeles, California, USA, 1987, pp. 427–437.
[9] R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Robust threshold DSS signatures, Information and Computation 164 (1) (2001) 54–84.
[10] R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Secure distributed key generation for discrete-log based cryptosystems, Journal of Cryptology 20 (1) (2007) 51–83.
[11] B. Hu, D. Wong, Z. Zhang, X. Deng, Key replacement attack against a generic construction of certificateless signature, in: Proceedings of 11th Australasian Conference on Information Security and Privacy, Melbourne, Australia, 2006, pp. 235–246.
[12] X. Huang, W. Susilo, Y. Mu, F. Zhang, On the security of a certificateless signature scheme, in: Proceedings of 4th International Conference on Cryptology and Network Security, Xiamen, China, 2005, pp. 13–25.
[13] X. Huang, Y. Mu, W. Susilo, D. Wong, W. Wu, Certificateless signature revisited, in: Proceedings of 12th Australasian Conference on Information Security and Privacy, Townsville, Australia, 2007, pp. 308–322.
[14] J. Liu, M. Au, W. Susilo, Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model, in: Proceedings of 2007 ACM Symposium on Information, Computer and Communications Security, Singapore, 2007, pp. 273–283.
[15] Z. Liu, Y. Hu, X. Zhang, H. Ma, Certificateless signcryption scheme in the standard model, Information Sciences 180 (3) (2010) 452–464.
[16] Y. Long, K. Chen, Efficient chosen-ciphertext secure certificateless threshold key encapsulation mechanism, Information Sciences 180 (7) (2010) 1167–1181.
[17] T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in: Proceedings of 11th Annual International Cryptology Conference, Santa Barbara, CA, USA, 1991, pp. 129–140.
[18] A. Shamir, Identity-based cryptosystems and signature schemes, in: Proceedings of 4th Annual International Cryptology Conference, Santa Barbara, CA, USA, 1984, pp. 47–53.
[19] K.A. Shim, Breaking the short certificateless signature scheme, Information Sciences 179 (3) (2009) 303–306.
[20] D. Stinson, R. Strobl, Provably secure distributed Schnorr signatures and a (t, n) threshold scheme for implicit certificates, in: Proceedings of 6th Australasian Conference on Information Security and Privacy, Sydney, Australia, 2001, pp. 417–434.
[21] L. Wang, Z. Cao, X. Li, H. Qian, Simulatability and security of certificateless threshold signatures, Information Sciences 177 (2007) 1382–1394.
[22] H. Xiong, Z. Qin, F. Li, Simulatability and security of certificateless threshold signature without random oracles, in: Proceedings of 2008 International Conference on Computational Intelligence and Security, Suzhou, China, 2008, pp. 308–313.
[23] D. Yum, P. Lee, Generic construction of certificateless signature, in: Proceedings of 9th Australasian Conference on Information Security and Privacy, Sydney, Australia, 2004, pp. 200–211.
[24] Z. Zhang, D. Wong, J. Xu, D. Feng, Certificateless public-key signature: security model and efficient construction, in: Proceedings of International Conference on Applied Cryptography and Network Security 2006, Singapore, 2006, pp. 293–308.
[25] L. Zhang, F. Zhang, A new provably secure certificateless signature scheme, in: Proceedings of IEEE International Conference on Communications, Beijing, China, 2008, pp. 1685–1689.
[26] L. Zhang, F. Zhang, A new certificateless aggregate signature scheme, Computer Communications 32 (2009) 1079–1085.
[27] L. Zhang, F. Zhang, Q. Wu, J. Domingo-Ferrer, Simulatable certificateless two-party authenticated key agreement protocol, Information Sciences 180 (6) (2010) 1020–1030.

Contents lists available at ScienceDirect

Information Sciences journal homepage: www.elsevier.com/locate/ins

Certiﬁcateless threshold signature scheme from bilinear maps Hong Yuan a, Futai Zhang a,b,*, Xinyi Huang c, Yi Mu d, Willy Susilo d, Lei Zhang e a

School of Computer Science and Technology, Nanjing Normal University, PR China Jiangsu Engineering Research Center on Information Security and Privacy Protection Technology, Nanjing, PR China School of Information Systems, Singapore Management University, Singapore d Center for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Australia e UNESCO Chair in Data Privacy, Department of Computer Engineering and Mathematics, Universitat Rovira i Virgili, Catalonia, Spain b c

a r t i c l e

i n f o

Article history: Received 28 October 2009 Received in revised form 20 May 2010 Accepted 26 July 2010

Keywords: Certiﬁcateless threshold signature Bilinear map Veriﬁable secret sharing CDH problem Simulatability

a b s t r a c t A (t, n) threshold signature scheme allows t or more group members to generate signatures on behalf of a group with n members. In contrast to the traditional public key cryptography based on public key infrastructure (PKI) and identity-based public key cryptography (IDPKC), certiﬁcateless public key cryptography (CL-PKC) offers useful properties as it does not require any certiﬁcates to ensure the authenticity of public keys and the key escrow problem is eliminated. In this paper, we investigate the notion of threshold signature schemes in CL-PKC. We start by pointing out the drawbacks in the two existing certiﬁcateless threshold signature schemes. Subsequently, we present an elaborate description of a generic certiﬁcateless (t, n) threshold signature scheme with a new security model. The adversaries captured in the new model are more powerful than those considered in the existing schemes. Furthermore, we establish the simulatability for certiﬁcateless threshold signature schemes and prove the relationship between the security of certiﬁcateless threshold signature schemes and that of the underlying non-threshold certiﬁcateless signature schemes. As an instantiation, we present a concrete certiﬁcateless threshold signature scheme based on bilinear maps using the techniques of veriﬁable secret sharing and distributed key generation. The proposed scheme is shown to be existentially unforgeable against adaptively chosen message attacks assuming the hardness of Computational Difﬁe– Hellman (CDH) problem. Ó 2010 Elsevier Inc. All rights reserved.

1. Introduction

1.1. Background

In practical applications, traditional public key cryptography (PKC for short) requires the support of a public key infrastructure (PKI for short), which introduces the costly and cumbersome certificate management problem. Although this disadvantage is removed in identity-based public key cryptography (ID-PKC for short) [18], it gives rise to the drawback of key escrow. As a new paradigm of public key cryptography, certificateless public key cryptography (CL-PKC for short) [1] not only gets rid of the certificate management problem in traditional PKC but also eliminates the key escrow problem in ID-PKC. Hence, it has received considerable attention from the security research community since its invention. In a certificateless cryptosystem, each entity has two secrets: a secret value and a partial private key. The secret value is generated by the entity himself, while a third party, the key generation center (KGC), which holds a master key, generates the partial private key from the user's identity information. The entity's private key is the output of a function that takes the secret value and the partial private key as input. The KGC does not know the actual private key of an entity, so the key escrow problem of ID-PKC is eliminated. The entity can use the actual private key to generate the public key, which can be made available to other entities by transmitting it along with signatures or by placing it in a public directory. In particular, there are no certificates in CL-PKC, which avoids the costly certificate management issues of PKI-based traditional PKC.

The idea of threshold cryptography is to distribute the secret information (e.g., a private key) and the computation (e.g., decryption or signing) amongst a group of participants in order to prevent a single point of failure or abuse. As an important primitive in group security and distributed settings, threshold signatures have been extensively studied in traditional PKC and ID-PKC. We believe that it is also worthwhile to investigate the application of this primitive in CL-PKC. The focus of this paper is on employing the advantages of CL-PKC to provide secure and efficient threshold signature solutions for practical use.

* Corresponding author at: School of Computer Science and Technology, Nanjing Normal University, PR China. E-mail addresses: [email protected] (H. Yuan), [email protected], [email protected] (F. Zhang), [email protected] (X. Huang), [email protected] edu.au (Y. Mu), [email protected] (L. Zhang). doi:10.1016/j.ins.2010.07.021

1.2. Related work

In the following, we provide a brief review of some related work on threshold signatures in traditional PKC, ID-PKC and CL-PKC. We will point out some shortcomings of the two existing certificateless threshold signature schemes [21,22].

1.2.1. Threshold signatures in traditional PKC

Threshold signatures in traditional PKC have been extensively studied in [4,5,9,20]. The authors of [5] formalized the notion of unforgeability for threshold signatures and described a concrete scheme based on the ElGamal signature. Gennaro et al.
[9] provided a complete solution for the threshold implementation of the digital signature standard (DSS). They designed various distributed verifiable secret-sharing schemes as building blocks to construct robust and secure threshold DSS signature schemes. In threshold signature schemes in traditional PKC, the transmission and verification of the group members' certificates involve a considerable amount of communication and computation cost, which may greatly offset the efficiency.

1.2.2. ID-based threshold signature

ID-PKC was introduced by Shamir [18], whose original motivation was to ease certificate management in e-mail systems. In ID-PKC, a user's public key can be derived directly from certain aspects of his/her identity information (e.g., an e-mail address), while the associated private key is computed and issued secretly to the user by a trusted third party, the PKG (private key generation center). This property avoids the need for certificates and associates an implicit public key with each user. However, it makes key escrow an inherent problem, which is undesirable from the user's point of view. Baek and Zheng [3] proposed the first identity-based threshold signature scheme from bilinear maps in 2004. To alleviate the key escrow problem, Chen et al. [7] proposed an identity-based threshold signature scheme without a trusted PKG. (More precisely, Chen et al.'s scheme is essentially a threshold signature scheme in CL-PKC, but its security analysis is made in the framework of ID-PKC.)

1.2.3. Certificateless threshold signature

CL-PKC [1] was introduced by Al-Riyami and Paterson in 2003 to overcome the key escrow problem in ID-PKC. Recently, certificateless signature (CLS) schemes have been well investigated [12,13,19], and several CLS schemes have been proposed [6,11–16,23–27]. In [13], Huang et al. revisited the security models of certificateless signature schemes and further classified the Type I/II adversaries into three types, namely normal, strong and super Type I/II adversaries, among which the super Type I/II adversaries have the strongest attacking power.

Wang et al. [21] proposed the first certificateless threshold signature scheme (CLTHS for short) in the random oracle model. To exhibit the security of the proposal, they developed the theory of simulatability and the relationship between the certificateless threshold signature scheme and the underlying (non-threshold) ID-based signature scheme. Their scheme requires a PKG clerk and several distributed PKGs to compute the partial private key for a user. To do so, the PKG clerk first generates the master key and then shares it among several distributed PKGs using a (u, m)-secret-sharing scheme. With its share of the master key, each distributed PKG can generate a sub-partial private key for the user, which is sent back to the PKG clerk. Upon receiving valid sub-partial private keys from at least u distributed PKGs, the PKG clerk can calculate the partial private key of the user. As one can see, while their scheme does use distributed PKGs, partial private keys are still generated by a single party (the PKG clerk), which makes the use of distributed PKGs cumbersome and inefficient. We believe that in the scenario of distributed PKGs it is desirable that the generation of the master key is conducted by all distributed PKGs in a cooperative manner, rather than by a single party (which is the case in [21]). In generating a user's partial private key, each member of the distributed PKGs calculates and sends a sub-partial private key (using his share of the master key) to the corresponding user directly. The user can then derive the partial private key by itself from at least t (t is the threshold) valid sub-partial private keys.

A further observation shows that Wang et al.'s scheme cannot detect any misbehavior of dishonest participants. In the sharing of the master key $s$, the PKG clerk could cheat by sending $s_i \neq R(i)$ together with $P^{i}_{pub} = s_i P$ to some $\mathrm{PKG}_i$ (where $R(x)$ is the sharing polynomial selected by the PKG clerk), which is undetectable. Similarly, $\mathrm{PKG}_i$ could cheat by using a false master key share $s'_i$ (different from his actual master key share $s_i$) to generate $P^{i}_{pub} = s'_i P$, and then use the fake $s'_i$ to generate the sub-partial private key for a user. No one can detect these kinds of cheating. Similar problems also exist in the sharing of the user's secret value if player $j$ publishes a false $fvk_j = c_j P \neq f(j) P$. This may cause serious security problems. As an example, player $j$ may use this fake $fsk_j = c_j$ instead of the true $fsk_j$ to sign messages, and the other players may be totally unaware of this cheating. In this case, no one but the cheating player $j$ is able to calculate a valid threshold signature of the group. The sharing of partial private keys is also spoiled by similar problems.

Another drawback of Wang et al.'s scheme is the long signature length. In their scheme, a signature $(T, a, b, c, W)$ consists of two elements of $G_1$ and three elements of $G_2$, where $(G_1, G_2)$ are groups with a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$. This leads to a signature length of more than 3400 bits for a 160-bit prime $q$ (the order of the group $G_1$), which is apparently too long, as most existing secure certificateless signature schemes produce signatures consisting of only two elements of $G_1$, or one element of $G_2$ and one element of $\mathbb{Z}_q$.

Recently, Xiong et al. [22] presented a certificateless threshold signature scheme which was proven secure in the standard model. They introduced new security definitions and notation for their scheme and utilized the simulatability of certificateless threshold signature schemes to prove the scheme secure. However, the security model defined in [22] is very weak. As an obvious drawback, their signing oracle cannot provide any valid signatures if the user's public key has been replaced. There are also some security flaws in their construction of the threshold signature scheme. In the step Complete-Key-Gen-and-Share, their method of sharing the complete secret signing key may lead to a decrease of the threshold, since the sharing polynomial is in fact determined by Lagrange interpolation through the $t$ points $(0, a_x), (1, a_{1x}), \ldots, (t-1, a_{(t-1)x})$. This interpolation may result in a polynomial of degree less than $t-1$, which means that fewer than $t$ players can collude to reveal the complete signing key or to generate a valid signature on any message. Also, the verification shares for checking the validity of the complete key shares only commit to one of the random secrets, which could also make the cheating behavior of some dishonest players undetectable (as we have shown previously for Wang et al.'s scheme).
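The two weaknesses discussed above (shares that the receiver cannot check against the dealer's polynomial, and a sharing polynomial whose degree can fall below $t-1$ when it is obtained by interpolation), together with a dealer-based distribution and a dealerless joint generation of the kind that the protocols DK and GS of Definition 1 in Section 2.3 outline, in one added Python example. This code is not from the paper nor from any of the cited schemes; it assumes a toy Schnorr subgroup of $\mathbb{Z}_p^*$ (p = 2039, q = 1019, generator G = 4) in place of the pairing group $G_1$, Feldman-style commitments $G^{a_k}$ as the published verification keys, and constructed values (secret 17, step 5) for the degree-drop case.

```python
import secrets
from functools import reduce

# Constructed toy parameters (assumption): a Schnorr subgroup of Z_p^* of prime
# order Q stands in for the pairing group G1 of the paper, with P = 2Q + 1 and
# G = 2^2 mod P a generator of the order-Q subgroup. Exponents live in Z_Q.
Q = 1019
P = 2 * Q + 1   # 2039, prime
G = 4


def poly_eval(coeffs, x):
    """Evaluate f(x) = a_0 + a_1 x + ... + a_{t-1} x^{t-1} mod Q."""
    return sum(a * pow(x, k, Q) for k, a in enumerate(coeffs)) % Q


def shamir_share(secret, t, n):
    """Shamir (t, n) sharing of `secret` with Feldman commitments C_k = G^{a_k}."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: poly_eval(coeffs, i) for i in range(1, n + 1)}
    commits = [pow(G, a, P) for a in coeffs]
    return shares, commits


def commit_eval(i, commits):
    """prod_k C_k^{i^k} = G^{f(i)}: the public verification value for share i."""
    acc = 1
    for k, c in enumerate(commits):
        acc = acc * pow(c, pow(i, k, Q), P) % P
    return acc


def feldman_verify(i, share, commits):
    """Server i accepts its share only if G^{share} lies on the committed polynomial."""
    return pow(G, share, P) == commit_eval(i, commits)


def lagrange_eval(points, x):
    """Evaluate at x the unique polynomial through the {i: f(i)} pairs in `points`."""
    total = 0
    for i, yi in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (x - j) % Q
                den = den * (i - j) % Q
        total = (total + yi * num * pow(den, Q - 2, Q)) % Q
    return total


def cheating_dealer_detected(t, n):
    """A dealer that sends s_n != R(n) to server n (the cheat the paper describes for
    Wang et al.'s scheme) is caught by server n's Feldman check; honest shares pass."""
    shares, commits = shamir_share(secrets.randbelow(Q), t, n)
    shares[n] = (shares[n] + 1) % Q   # the dealer lies to server n only
    return [feldman_verify(i, s, commits) for i, s in sorted(shares.items())]


def dkg(t, n):
    """Dealerless secret value generation (protocol GS): every server deals a random
    secret, checks the shares it receives, and sums them; pk = prod_j C_{j,0} = G^x."""
    dealt = [shamir_share(secrets.randbelow(Q), t, n) for _ in range(n)]
    for j, (shares_j, commits_j) in enumerate(dealt, 1):
        for i in range(1, n + 1):
            if not feldman_verify(i, shares_j[i], commits_j):
                raise ValueError(f"server {j} sent server {i} an inconsistent share")
    x_shares = {i: sum(s[i] for s, _ in dealt) % Q for i in range(1, n + 1)}
    pk = reduce(lambda acc, d: acc * d[1][0] % P, dealt, 1)
    # Each server's public verification share is derivable from the commitments alone.
    vk = {i: reduce(lambda acc, d: acc * commit_eval(i, d[1]) % P, dealt, 1)
          for i in range(1, n + 1)}
    return x_shares, vk, pk


def check_dkg(t, n):
    """Any t shares recover x with G^x == pk, and every x_i matches its public vk_i."""
    x_shares, vk, pk = dkg(t, n)
    x = lagrange_eval({i: x_shares[i] for i in range(1, t + 1)}, 0)
    return pow(G, x, P) == pk and all(pow(G, s, P) == vk[i] for i, s in x_shares.items())


def interpolated_shares(secret, t, n, others):
    """Sharing in the style the paper criticises in Xiong et al.: the polynomial is the
    Lagrange interpolant through (0, secret), (1, v_1), ..., (t-1, v_{t-1})."""
    assert len(others) == t - 1
    pts = {0: secret % Q, **{k: v % Q for k, v in enumerate(others, 1)}}
    return {i: lagrange_eval(pts, i) for i in range(1, n + 1)}


def degree_drop_example():
    """t = 3, n = 5 with constructed values: the two other points are collinear with
    the secret, so the interpolant has degree 1 and servers 3 and 4 alone recover it."""
    secret, step = 17, 5
    shares = interpolated_shares(secret, 3, 5, [secret + step, secret + 2 * step])
    return lagrange_eval({3: shares[3], 4: shares[4]}, 0)


if __name__ == "__main__":
    print("Feldman checks with a lying dealer:", cheating_dealer_detected(3, 5))
    print("Joint generation consistent:", check_dkg(3, 5))
    print("Secret recovered from only 2 of t = 3 shares:", degree_drop_example())
```

The check each server runs is $G^{s_i} = \prod_k C_k^{i^k}$; a dealer that sends $s_n \neq R(n)$ to server $n$ fails it, which is exactly the detection the sharing described above lacks. In the joint generation, the public key $pk = \prod_j C_{j,0}$ and every server's verification share $vk_i$ follow from the commitments alone, so the public values can be checked by anyone without private information. The last function shows the secret recovered from two shares although the threshold was set to three, because a polynomial fixed by interpolation through chosen points has no guaranteed degree.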

1.3. Motivation and our contribution

Like threshold signature schemes based on traditional PKI and ID-PKC, certificateless threshold signature schemes have wide applications where a group of members need to cooperatively sign a message on behalf of the whole group, and they are especially useful when there is a need to distinguish a threshold signature from a signature generated by a single party who possesses the secret signing key of the group. For example, let Bob be the board chairman of a company. He holds the secret signing key SK of the board in the certificateless public key setting. With this secret signing key, he is able to sign any document on behalf of the board. A threshold signature scheme is necessary when the chairman is unavailable but some very important documents need to be signed by the majority of the board. While it is useful to know who is responsible for a signature, in some cases we need to distinguish the chairman's signature from the board members' threshold signature. In certificateless public key cryptography, the chairman can share the partial private key of the board among the board members, and let the board members generate the secret value of the board using an information-theoretically secure distributed key generation protocol. In this way, the board members can produce signatures that are distinguishable from those generated by the chairman alone. We believe this is a distinctive property of certificateless threshold signatures.

As we have shown in Section 1.2, the two existing certificateless threshold signature schemes [21,22] are far from satisfactory (both in security and in efficiency). Thus, as an indispensable component of CL-PKC, certificateless threshold signature deserves further investigation, especially regarding reasonable security notions and efficient constructions of certificateless threshold signature schemes. The contribution of this paper is as follows.

A new security model for CLTHS is proposed. In the new model, we capture the security notions via two games, which simulate two types of adversaries respectively. The adversaries we are concerned with are the super (Type I/II) adversaries defined in [13], and they are stronger than those considered in [21,22]. Our security model allows the adversary to obtain partial private keys and secret values of any users under natural restrictions. The sign oracles provide the adversary with all signature shares generated by the signature generation servers. We believe that the new model is more natural and more reasonable than those in [21,22].

In order to prove the security, we define the notion of simulatability of a certificateless threshold signature scheme, and establish the simulatability theorem, which depicts the security relationship between a certificateless threshold signature scheme and its underlying (non-threshold) certificateless signature scheme.

It is necessary to construct certificateless threshold signature systems from existing secure and efficient certificateless signature schemes. As an example, we present a concrete construction from an existing secure and efficient certificateless signature scheme by employing the techniques of verifiable secret sharing and distributed key generation. The security of our construction is proven under the CDH assumption.

2. Preliminaries

To keep this paper self-contained, we briefly review the basic facts about admissible bilinear maps. We then present the complexity assumptions on which the secret sharing, the distributed key generation and our certificateless threshold signature scheme are based.

2.1. Bilinear map

The admissible bilinear map $\hat{e}$ is defined as follows. Let $G_1$ be an additive group of prime order $q$, and let $G_2$ be a multiplicative group of the same order. Let $P$ denote a generator of $G_1$. A map $\hat{e}: G_1 \times G_1 \to G_2$ is called a bilinear map if it satisfies the following properties:

– Bilinear: $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q$.
– Non-degeneracy: There exist $P, Q \in G_1$ such that $\hat{e}(P, Q) \neq 1$.
– Computable: There exists an efficient algorithm to compute $\hat{e}(P, Q)$ for any $P, Q \in G_1$.

2.2. Complexity assumptions

We now describe some complexity assumptions in the groups $G_1$ and $G_2$. Note that throughout this paper, the groups $G_1$ and $G_2$ are those described in the above definition of a bilinear map.

– Discrete logarithm problem (DLP): The DLP in $G_1$ is described as follows. Given two group elements $P$ and $Q$, find an integer $x \in \mathbb{Z}_q$ such that $Q = xP$, whenever such an integer exists.
– Computational Diffie–Hellman problem (CDHP): The CDHP in $G_1$ is, given $(P, aP, bP)$ for random unknown $a, b \in \mathbb{Z}_q$, to compute $abP$.
– Modified generalized bilinear inversion problem (mGBIP): The mGBIP proposed in [3] is defined as follows. Given $h \in G_2$ and $P \in G_1$, compute $S \in G_1$ such that $\hat{e}(S, P) = h$. (Readers can refer to [3] for a detailed description.)

We assume that the above complexity problems are hard in the groups $G_1$ and $G_2$ with pairing $\hat{e}$. Notice that the mGBI assumption (that is, the intractability of the mGBI problem) is implied by the CDH assumption. The proof is sketched as follows: assume that an attacker $A_{CDH}$ of the CDH problem is given a random instance $(P, aP, bP)$, where $a, b \in \mathbb{Z}_q$ and $P$ is a generator of $G_1$. Suppose there is another algorithm $A_{mGBI}$ which can solve the mGBI problem with non-negligible success probability. In the reduction, $A_{CDH}$ runs $A_{mGBI}$ with the input $(h = \hat{e}(aP, bP), P)$. Let $S$ be the output of $A_{mGBI}$; $A_{CDH}$ sets $S$ as its own output. Clearly, $S$ is a correct solution of the given CDH instance $(P, aP, bP)$ as long as $S$ is a correct solution of the mGBI instance $(h = \hat{e}(aP, bP), P)$: writing $S = xP$, bilinearity gives $\hat{e}(S, P) = \hat{e}(P, P)^{x}$ and $h = \hat{e}(aP, bP) = \hat{e}(P, P)^{ab}$, and since $\hat{e}(P, P) \neq 1$ has prime order $q$, the equality $\hat{e}(S, P) = h$ forces $x = ab \bmod q$, i.e. $S = abP$. Thus, the mGBI problem can be directly reduced to the CDH problem.

2.3. Outline of certificateless threshold signature schemes

Definition 1 (Certificateless threshold signatures). A certificateless (t, n) threshold signature scheme CLTHS consists of the following algorithms or protocols.

– A probabilistic key/system parameter generation algorithm GC(k): Given a security parameter $k \in \mathbb{N}$, this algorithm generates the master secret key msk and a list of system parameters params. Note that the parameter list params is given to all interested parties, while the matching master key msk is kept secret.
– A probabilistic partial private key extraction algorithm EX(params, msk, ID): Given an identity ID, a parameter list params and a master key msk, this algorithm generates a partial private key associated with ID, denoted by $ppk_{ID}$.
– A probabilistic partial private key distribution protocol DK(params, $ppk_{ID}$, n, t): Given a partial private key $ppk_{ID}$ associated with an identity ID, $n$ signature generation servers and a threshold parameter $t$, this protocol generates $n$ shares of $ppk_{ID}$ and securely provides each signature generation server $C_i$ ($1 \le i \le n$) with a corresponding share. It also generates and publishes a set of verification keys that can be used to check the validity of each partial private key share. We denote the partial private key shares and the matching verification keys by $\{ppk_{ID}^{i} \mid i = 1, \ldots, n\}$ and $\{vsk_{ID}^{i} \mid i = 1, \ldots, n\}$, respectively. For each $i$, $1 \le i \le n$, $C_i$ keeps $ppk_{ID}^{i}$ secret, while $vsk_{ID}^{i}$ is publicly known to all, including the adversary.
– A probabilistic distributed secret value generation protocol GS(params, ID, n, t): Given an identity ID, a parameter list params, the number $n$ of signature generation servers and a threshold $t$, this protocol generates a distributed secret value for the identity ID. That is, the $n$ signature generation servers, without a dealer, jointly generate a secret value $x_{ID}$ and its corresponding public value $pk_{ID}$. As a result, $x_{ID}$ is shared among the $n$ signature generation servers using a verifiable (t, n) threshold secret-sharing scheme. Each signature generation server $C_i$ holds a secret share $x_{ID}^{i}$, and the corresponding public verification share $pk_{ID}^{i}$ is known to all signature generation servers.
– A deterministic public key extraction protocol PK(params, ID, $x_{ID}$): Given a parameter list params, an identity ID and the secret value $x_{ID}$, this protocol generates the public key $P_{ID}$ related to ID. In particular, the public key in our scheme is just the value $pk_{ID}$ obtained in the previous protocol, which is the public value corresponding to the secret value.
– A probabilistic signature generation protocol S(params, $ppk_{ID}^{i}$, $x_{ID}^{i}$, M): Given a parameter list params, a message M, a share $ppk_{ID}^{i}$ of the partial private key $ppk_{ID}$ and a share $x_{ID}^{i}$ of the secret value $x_{ID}$ associated with ID, each signature generation server $C_i$ computes a signature share $\sigma_i$ for M. After that, a dealer (selected at random from the current servers) combines at least $t$ valid shares and outputs a valid signature $\sigma$.

– A deterministic signature verification algorithm V(params, ID, $pk_{ID}$, M, $\sigma$): Given a signer's identity ID, a public key $pk_{ID}$, a message M and its signature $\sigma$, this algorithm checks the validity of $\sigma$. The output of this algorithm is either "Valid" or "Invalid".

Remark. The key/system parameter generation algorithm GC and the partial private key extraction algorithm EX are both run by the trusted KGC. The partial private key distribution protocol DK makes use of an appropriate secret-sharing technique to distribute the partial private key among the $n$ signature generation servers. This process depends on the cryptographic services that the KGC can offer: the KGC could execute protocol DK if it is capable of organizing threshold signing, or a trusted normal user (for example a selected leader of the group) could run DK if the KGC only has the functionality of issuing partial private keys for users.

3. Security notions for certificateless threshold signatures

3.1. Existential unforgeability for certificateless threshold signatures against adaptive chosen message attacks

Similarly to the adversaries against CLS defined in [13], there are basically two types of super adversaries in CLTHS: $B_I$ and $B_{II}$. $B_I$ simulates attacks in which the adversary (anyone except the KGC) replaces the public key of any entity with a value of his choice. However, $B_I$ does not have access to the master secret key. Adversary $B_{II}$ simulates attacks in which the adversary has the master secret key but cannot replace the target user's public key. Due to the security requirement of (t, n) threshold signatures [9], we further assume that the super adversaries ($B_I$ and $B_{II}$) against CLTHS can corrupt up to $t-1$ signature generation servers. We also consider malicious adversaries that may cause the corrupted servers to deviate from the specified protocol in any way. We assume that the computational power of the adversaries is adequately modeled by a probabilistic polynomial time Turing machine. The adversaries we consider here are static, i.e., they choose the corrupted servers at the beginning of the protocol. We now define the security of a CLTHS scheme via the following two games between a challenger $\mathcal{C}$ and a super adversary $B_I$ ($B_{II}$).

Game 1 (for Super Type I Adversary).

Setup: $\mathcal{C}$ runs the key/system parameter generation algorithm GC to obtain a master secret key msk and the system parameter list params. Then $\mathcal{C}$ sends params to the adversary $B_I$ while keeping msk secret.

Phase 1: $B_I$ corrupts $t-1$ signature generation servers. For convenience, we assume that the corrupted signature generation servers are $C_1, \ldots, C_{t-1}$.

Phase 2: $B_I$ can make the following queries in an adaptive manner.

– Partial-private-key queries PPK(ID): $B_I$ can request the partial private key of any user with identity ID. On receiving ID, $\mathcal{C}$ runs the partial private key extraction algorithm EX of CLTHS with ID as input and obtains the corresponding partial private key $ppk_{ID}$, which is given to $B_I$.
– Secret value queries SV(ID): $B_I$ can request the secret value of any user with identity ID. In response, $\mathcal{C}$ runs the secret value generation protocol GS of CLTHS with ID as input and obtains a secret value $x_{ID}$, the corresponding public value $pk_{ID}$, and the secret value share $x_{ID}^{i}$ and the matching verification share $pk_{ID}^{i}$ for every signature generation server. Then $\mathcal{C}$ sends $x_{ID}$ to $B_I$. Note that $\mathcal{C}$ outputs $\bot$ if the user's public key has been replaced.
– Public-key-replacement queries PKR(ID, $pk'_{ID}$): For any user with identity ID, $B_I$ can choose a new public key $pk'_{ID}$ and then set $pk'_{ID}$ as the new public key of this user. $\mathcal{C}$ will keep a record of this replacement.
– Sign queries S(ID, M, $pk_{ID}$): $B_I$ can request the signature of a user (whose identity is ID) on a message M. On receiving M, $\mathcal{C}$ runs the signature generation protocol S of CLTHS and responds to $B_I$ with the $\sigma_i$ for $i = 1, \ldots, n$ output by S. It is required that the $\sigma_i$ for $i = 1, \ldots, n$ are valid signature shares on the message M under the identity ID and the public key $pk_{ID}$. It is evident that $B_I$ is able to calculate a full signature on M from enough signature shares.

Phase 3: $B_I$ submits the target identity $ID^*$. On receiving $ID^*$, $\mathcal{C}$ first runs the algorithm EX of CLTHS to obtain a partial private key $ppk_{ID^*}$, and then runs the partial private key distribution protocol DK of CLTHS with $ppk_{ID^*}$ as input to share it among the $n$ signature generation servers. We denote the partial private key shares by $ppk_{ID^*}^{i}$ for $i = 1, \ldots, n$. $\mathcal{C}$ gives $ppk_{ID^*}^{i}$ for $i = 1, \ldots, t-1$ to $B_I$. Then, $B_I$ issues a sequence of requests as in Phase 2, except for the Partial-Private-Key request on the challenge identity $ID^*$.

Forgery: Finally, $B_I$ outputs $(ID^*, M^*, \sigma^*, pk_{ID^*})$. We say that $B_I$ wins Game 1 if

1. $\sigma^*$ is a valid signature on the message $M^*$ under the identity $ID^*$ and the corresponding public key $pk_{ID^*}$;
2. $(ID^*, M^*, pk_{ID^*})$ never appears as one of the sign queries.

We define $B_I$'s success probability by

$$\mathrm{Succ}^{\mathrm{EUF\text{-}CLTHS\text{-}CMA}}_{\mathrm{CLTHS},B_I}(k) = \Pr[V(params, ID^*, M^*, \sigma^*) = \mathrm{valid}].$$

An attacker $B_I$ is said to $(t_{CMA}, q_{PPK}, q_{PK}, q_{SV}, q_{PKR}, q_S, \epsilon)$-break a certificateless threshold signature scheme if $B_I$ runs in time at most $t_{CMA}$, can make at most $q_{PPK}$ partial private key queries, $q_{PK}$ public-key queries, $q_{SV}$ secret-value queries, $q_{PKR}$ public-key-replacement queries and $q_S$ sign queries, and the success probability $\mathrm{Succ}^{\mathrm{EUF\text{-}CLTHS\text{-}CMA}}_{\mathrm{CLTHS},B_I}(k)$ is at least $\epsilon$. Note that the running time and the numbers of queries are all polynomial in the security parameter $k$.

Game 2 (for Super Type II Adversary).

Setup: $\mathcal{C}$ runs the key/system parameter generation protocol GC to obtain a master secret key msk and the system parameter list params. $\mathcal{C}$ then sends params and msk to the adversary $B_{II}$.

Phase 1: $B_{II}$ corrupts $t-1$ signature generation servers, which we denote as $C_1, \ldots, C_{t-1}$.

Phase 2: $B_{II}$ adaptively makes secret-value queries, public-key-replacement queries and sign queries as described in Game 1.

Phase 3: $B_{II}$ submits the target identity $ID^*$, and then issues a sequence of requests as in Phase 2. Notice that for $B_{II}$'s signature query S($ID^*$, M, $pk_{ID^*}$), $\mathcal{C}$ responds with a valid signature as described before. Note also that no secret-value queries or public-key-replacement queries on $ID^*$ are allowed.

Forgery: Finally, $B_{II}$ outputs $(ID^*, M^*, \sigma^*, pk_{ID^*})$. We say that $B_{II}$ wins Game 2 if

1. $\sigma^*$ is a valid signature on the message $M^*$ under the identity $ID^*$ and the corresponding public key $pk_{ID^*}$;
2. $(ID^*, M^*, pk_{ID^*})$ never appears as one of the sign queries.

We define $B_{II}$'s success probability by

$$\mathrm{Succ}^{\mathrm{EUF\text{-}CLTHS\text{-}CMA}}_{\mathrm{CLTHS},B_{II}}(k) = \Pr[V(params, ID^*, M^*, \sigma^*) = \mathrm{valid}].$$

An attacker $B_{II}$ is said to $(t_{CMA}, q_{SV}, q_{PKR}, q_S, \epsilon)$-break a certificateless threshold signature scheme if it runs in time at most $t_{CMA}$, can make at most $q_{SV}$ secret-value queries, $q_{PKR}$ public-key-replacement queries and $q_S$ sign queries, and the success probability $\mathrm{Succ}^{\mathrm{EUF\text{-}CLTHS\text{-}CMA}}_{\mathrm{CLTHS},B_{II}}(k)$ is at least $\epsilon$. Note that the running time and the numbers of queries are all polynomial in the security parameter $k$.

We now define the existential unforgeability of CLTHS against adaptively chosen message attacks, which we call "EUF–CLTHS–CMA".

Definition 2 (EUF–CLTHS–CMA). A certificateless threshold signature scheme CLTHS is said to be EUF–CLTHS–CMA secure if the success probability of any polynomially bounded adversary in the above two games is negligible. Accordingly, we use "EUF–CLS–CMA" to mean the existential unforgeability of a CLS against adaptively chosen message attacks.

3.2. Relationship between EUF–CLTHS–CMA and EUF–CLS–CMA

In order to prove the unforgeability of a CLTHS scheme, we use the concept of a simulatable adversary view. Intuitively, this means that for every adversary there is a simulator which, on input the public value and all the information of the corrupted players, can produce an output distribution that is computationally indistinguishable from the view of the adversary interacting with the honest players in a regular run of the protocol that ends with the public value as its public output. In other words, the run of the protocol provides no useful information to the adversary other than the public information. Motivated by Gennaro et al.'s [9] methodology for proving the security of threshold signature schemes, we define the simulatability of CLTHS as follows.

Definition 3 (Simulatability of CLTHS). Let CLTHS = (GC, EX, DK, GS, PK, S, V) be a certificateless (t, n) threshold signature scheme. The scheme CLTHS is said to be simulatable if the following properties hold.

1. The protocol DK is simulatable. That is, there exists a simulator $SIM_{DK}$ that, on input the public output of GC of CLTHS, an identity ID, the $t-1$ partial private key shares matching ID held by the corrupted signature generation servers, and the public information $\{vsk_{ID}^{i} \mid i = 1, \ldots, n\}$ associated with the partial private key $ppk_{ID}$, can simulate the view of the attacker on an execution of DK of CLTHS that ends with $\{vsk_{ID}^{i} \mid i = 1, \ldots, n\}$ as the public output.
2. The protocol GS is simulatable. That is, there exists a simulator $SIM_{GS}$ that, on input the public output of GC of CLTHS, an identity ID, the $t-1$ secret value shares matching ID held by the corrupted signature generation servers, and the public value $pk_{ID}$ associated with the secret value $x_{ID}$, can simulate the view of the attacker on an execution of GS of CLTHS that generates the given $pk_{ID}$ as the public output.
3. The protocol S is simulatable. That is, there exists a simulator $SIM_S$ that, on input the public output of GC of CLTHS, an identity ID, a message M and a signature $\sigma$ on M, the $t-1$ partial private key shares and $t-1$ secret value shares matching ID held by the corrupted signature generation servers, and the public outputs of DK and GS of CLTHS, can simulate the view of the attacker on an execution of S of CLTHS that generates $\sigma$ as output.

We state and prove the following theorem regarding the relationship between the security of CLTHS and that of the underlying CLS. The theorem shows that an EUF–CLS–CMA secure certificateless signature scheme can be used as a building block to construct an EUF–CLTHS–CMA secure certificateless threshold signature scheme as long as simulatability is ensured.

Theorem 1. If the CLTHS scheme is simulatable and the underlying CLS scheme is EUF–CLS–CMA secure, then the CLTHS is EUF–CLTHS–CMA secure. More precisely,

$$\mathrm{Succ}^{\mathrm{EUF\text{-}CLTHS\text{-}CMA}}_{\mathrm{CLTHS}}(t_{CMA}) \le \mathrm{Succ}^{\mathrm{EUF\text{-}CLS\text{-}CMA}}_{\mathrm{CLS}}(t'_{CMA}),$$

where $t'_{CMA} = t_{CMA} + T_{SIM_{DK}} + T_{SIM_{GS}} + T_{SIM_S}$. Here, $T_{SIM_{DK}}$, $T_{SIM_{GS}}$ and $T_{SIM_S}$ denote the running times of the simulators $SIM_{DK}$, $SIM_{GS}$ and $SIM_S$, respectively.

Proof. Let $B_I$ and $B_{II}$ denote the two types of attackers that wish to break the EUF–CLTHS–CMA security of the CLTHS scheme. Let $A_I$ and $A_{II}$ denote the two types of attackers against the underlying (non-threshold) CLS scheme. The proof consists of two parts, depending on the type of attacker.

Part 1 (for Type I Attacker). Our aim is to show that if there exists an attacker $B_I$ that can break the EUF–CLTHS–CMA security of the CLTHS scheme, then there will inevitably be an attacker $A_I$ that can break the EUF–CLS–CMA security of the underlying CLS scheme. To prove this, we show how the view of $B_I$ in the real attack Game 1 of EUF–CLTHS–CMA defined in Section 3.1, which we denote by $G_B$, can be simulated to obtain a new game $G_A$ which is related to the ability of the attacker $A_I$ to defeat the EUF–CLS–CMA security of the underlying CLS scheme, under the assumption that CLTHS is simulatable (note that the security model for the Type I adversary of a CLS scheme can be found in [25]). To achieve this, we regard $A_I$ as the challenger in game $G_B$, and the queries issued by $B_I$ are directly sent to $A_I$, who uses $B_I$ to attack the underlying CLS scheme.

Game $G_B$: As mentioned before, this game is identical to the real attack Game 1 described in Section 3.1. We denote by $E_B$ the event that $B_I$ outputs a valid message/signature pair as a forgery. We use the similar notation $E_A$ for Game $G_A$. Since Game $G_B$ is the same as the real attack game, we have

$$\Pr[E_B] = \mathrm{Succ}^{\mathrm{EUF\text{-}CLTHS\text{-}CMA}}_{\mathrm{CLTHS},B_I}(k).$$

Game $G_A$: First, we replace the system parameters params in $G_B$ by the corresponding system parameters in $G_A$. Note that neither $A_I$ nor $B_I$ has knowledge of the master secret key msk. We then enter into the following queries in Phase 2 of the attack Game 1.

– Whenever $B_I$ issues a partial private key query PPK(ID) / secret-value query SV(ID), $A_I$ sends the query to his challenger. On receiving ID, the challenger runs the partial-private-key-extract / set-secret-value protocol of CLS with ID as input and responds with the resulting partial private key $ppk_{ID}$ / secret value $x_{ID}$. Then $A_I$ sends the value $ppk_{ID}$ / $x_{ID}$ to $B_I$. (Note that it outputs $\bot$ for the secret-value query if the user's public key has been replaced.)
– If $B_I$ issues a public-key-replacement query PKR(ID, $pk'_{ID}$), $A_I$ sends the query to his challenger and then updates $pk_{ID}$ to $pk'_{ID}$.
– If $B_I$ issues a sign query S(ID, M, $pk_{ID}$), $A_I$ sends the query to his challenger to get a corresponding signature $\sigma$. Having obtained $\sigma$, $A_I$ runs $SIM_S$ with params, the outputs generated by $SIM_{DK}$ and $SIM_{GS}$ (which include the $t-1$ corrupted partial private key shares and secret value shares), the identity ID, and the message/signature pair $(M, \sigma)$ as input. $A_I$ then sends $SIM_S$'s outputs to $B_I$.

If $B_I$ submits a target identity $ID^*$, $A_I$ runs $SIM_{DK}$ (with params and $ID^*$ as input) to simulate the view of $B_I$, and forwards $ID^*$ as the target identity to his challenger. (Note that during the execution of $SIM_{DK}$, $B_I$ is given the $t-1$ partial private key shares of the corrupted signature generation servers. Note also that $A_I$ does not make a partial private key request on $ID^*$ and hence does not know the value $ppk_{ID^*}$.) Then $B_I$ issues public-key-replacement and sign queries on $ID^*$. There is no need for $B_I$ to issue a secret-value query, because he may have chosen a secret value to generate a new public key. For such queries, $A_I$ responds as defined in Section 3.1. If $B_I$ outputs $(ID^*, M^*, \sigma^*, pk_{ID^*})$ in the Forgery phase, $A_I$ then sets $(ID^*, M^*, \sigma^*, pk_{ID^*})$ as its own forgery. Note that $B_I$'s view in the real attack game is identical to its view in Game $G_A$ as long as CLTHS is simulatable. Hence we have

$$\Pr[E_B] \le \Pr[E_A].$$

By the definitions of $\Pr[E_B]$ and $\Pr[E_A]$, we have

$$\mathrm{Succ}^{\mathrm{EUF\text{-}CLTHS\text{-}CMA}}_{\mathrm{CLTHS},B_I}(k) \le \mathrm{Succ}^{\mathrm{EUF\text{-}CLS\text{-}CMA}}_{\mathrm{CLS},A_I}(k).$$

Part 2 (for Type II Attacker). Similarly to the case of the Type I attacker, we show how the view of $B_{II}$ in the real attack (Game 2 of EUF–CLTHS–CMA defined in Section 3.1), which we denote by $G'_B$, can be simulated to obtain a new game $G'_A$ in which the attacker $A_{II}$ can break the EUF–CLS–CMA security of the CLS scheme, under the assumption that CLTHS is simulatable (the security model for the Type II

H. Yuan et al. / Information Sciences 180 (2010) 4714–4728

4721

adversary of CLS scheme can be found in [25]). To achieve this, we regard the attacker AII as a challenger in game G0B . Queries issued by BII will be directly sent to AII who can make use of his challenger in game G0A to generate correct responses. Game G0B : As mentioned before, this game is identical to the real attack Game 2 described in Section 3.1. We denote by E0B the event that BII outputs a valid message/signature pair as a forgery. We use a similar notion E0A for Game G0A . Since Game G0 B is the same as the real attack game, we have

$\Pr[E'_B] = \mathrm{Succ}^{\text{EUF-CLTHS-CMA}}_{\mathrm{CLTHS},B_{II}}(k).$

Game $G'_A$: First, we replace the system parameters params and master secret key msk in $G'_B$ by the corresponding system parameters and master secret key in $G'_A$. We then enter the following queries in Phase 2 of the attack Game 2.
– Whenever $B_{II}$ issues a secret-value query SV(ID), $A_{II}$ sends the query to his challenger. On receiving ID, the challenger runs the set-secret-value algorithm of CLS taking ID as input and returns the resulting secret value $x_{ID}$. Then $A_{II}$ sends the value $x_{ID}$ to $B_{II}$. Note that it outputs $\bot$ if the user's public key has been replaced.
– If $B_{II}$ issues a public-key-replacement query PKR(ID, $pk'_{ID}$), $A_{II}$ sends the query to his challenger and then updates $pk_{ID}$ to $pk'_{ID}$.
– If $B_{II}$ issues a Sign query S(ID, M, $pk_{ID}$), $A_{II}$ sends the query to his challenger to get a corresponding signature $\sigma$. Having obtained $\sigma$, $A_{II}$ runs $SIM_S$ taking as input params, the outputs generated by $SIM_{DK}$ and $SIM_{GS}$ (which include the $t-1$ corrupted partial private key shares and secret value shares), the identity ID, and the message/signature pair $(M, \sigma)$. $A_{II}$ then sends $SIM_S$'s outputs to $B_{II}$.
Once $B_{II}$ submits a target identity ID*, it can issue Sign queries on ID*, which are answered in the same way as described above. Note that $B_{II}$ is not allowed to issue a public-key-replacement query or a secret-value query on ID*, since $B_{II}$ could obtain the full signing key of ID* if either of them were allowed. If $B_{II}$ outputs $(ID^*, M^*, \sigma^*, pk_{ID^*})$ in the Forgery Phase, $A_{II}$ then sets it as his own forgery. Note from the simulation that $B_{II}$'s view in the real attack game is identical to its view in Game $G'_A$ as long as the CLTHS is simulatable. Hence we have

$\Pr[E'_B] \le \Pr[E'_A].$

Due to the definition of $\Pr[E'_B]$ and $\Pr[E'_A]$, we have

$\mathrm{Succ}^{\text{EUF-CLTHS-CMA}}_{\mathrm{CLTHS},B_{II}}(k) \le \mathrm{Succ}^{\text{EUF-CLS-CMA}}_{\mathrm{CLS},A_{II}}(k).$

4. Building blocks

4.1. Zhang–Zhang certificateless signature scheme

We first review the Zhang–Zhang certificateless signature scheme [25], which we denote by "ZZCLS". We will use it as the basic certificateless signature scheme to construct our certificateless threshold signature scheme in Section 5. Note that the ZZCLS scheme was proven secure in the strongest security model of CLS schemes assuming the hardness of the CDH problem over groups with bilinear maps.

Key/system parameter generation algorithm GC(k): This algorithm is run by the KGC to generate its master secret key msk and a list of system parameters params.
– Choose a cyclic additive group $G_1$ generated by $P$ with prime order $q$, a cyclic multiplicative group $G_2$ of the same order, and a bilinear map $\hat e: G_1 \times G_1 \to G_2$.
– Pick a random $\lambda \in \mathbb{Z}_q^*$ as the master secret key and set $P_{pub} = \lambda P$.
– Choose three cryptographic hash functions $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_3: \{0,1\}^* \to \mathbb{Z}_q^*$.
– Keep $\lambda$ secret and publish $params = (G_1, G_2, \hat e, P, P_{pub}, H_1, H_2, H_3)$.

Partial private key extraction algorithm EX(params, msk, ID): This algorithm is run by the KGC to generate a partial private key associated with ID.
– Compute $Q_{ID} = H_1(ID \| P)$.
– Output the partial private key $D_{ID} = \lambda Q_{ID}$.

Secret value setting algorithm GS(params, ID): This algorithm takes as input params and a user's identity ID. It selects a random $x_{ID} \in \mathbb{Z}_q^*$ and outputs $x_{ID}$ as the user's secret value.

Public key extraction algorithm PK(params, ID, $x_{ID}$): This algorithm accepts params, a user's identity ID and this user's secret value $x_{ID}$ as input. It produces the user's public key $P_{ID} = x_{ID} P$.

Signature generation algorithm S(params, $D_{ID}$, $x_{ID}$, M): To sign a message M using the partial private key $D_{ID}$ and the secret value $x_{ID}$, the signer, whose identity is ID and whose public key is $P_{ID}$, performs the following steps.
– Choose a random $r \in \mathbb{Z}_q^*$ and compute $R = rP$.
– Compute $u = H_2(R \| P_{ID} \| M)$ and $v = H_3(R \| P_{ID} \| M)$.
– Compute $V = (u x_{ID} + r) Q_{ID} + v D_{ID}$.
– Output $\sigma = (R, V)$ as the signature on M.

Signature verification algorithm V(params, ID, $P_{ID}$, M, $\sigma$): To verify a signature $\sigma$ on a message M for an identity ID and public key $P_{ID}$, the verifier performs the following steps.
– Compute $Q_{ID} = H_1(ID \| P)$, $u = H_2(R \| P_{ID} \| M)$ and $v = H_3(R \| P_{ID} \| M)$.
– Verify $\hat e(V, P) = \hat e(u P_{ID} + v P_{pub} + R,\; Q_{ID})$. If the equation holds, output "Valid"; otherwise, output "Invalid".

4.2. Review of secret-sharing over a group $G_1$

In order to construct a certificateless threshold signature scheme from the above ZZCLS scheme, we need to share the partial private key $D_{ID}$ among the signature generation servers. This can be achieved by using the (t, n)-secret-sharing scheme over the group $G_1$ presented in [2]. Due to space limitations, we omit the details of this technique; readers are referred to [2] for a detailed explication.

4.3. Review of the computationally secure verifiable secret-sharing protocol based on the bilinear map

In cryptography, a secret-sharing scheme is called verifiable if auxiliary information is included that allows the players to verify that their shares are consistent. More formally, verifiable secret sharing (VSS) ensures that even if the dealer is malicious there is a well-defined secret that the players can later reconstruct. With regard to threshold signature schemes, verifiable secret sharing is a useful tool for preventing malicious attacks; in other words, VSS gives threshold signature schemes robustness. Various solutions to verifiable secret sharing have been known and used for a long time.
However, taking into account that our certificateless threshold signature scheme is based on bilinear maps, here we make use of a new scheme proposed by Baek and Zheng [3], which we call the "computationally secure verifiable secret-sharing protocol based on the bilinear map (Comp-Secure-VSSBP)", motivated by Feldman's VSS scheme [8]. This protocol will be used to distribute a user's partial private key $D_{ID}$ in the ZZCLS scheme among a number of signature generation servers. We describe Comp-Secure-VSSBP in Fig. 1. The following lemma shows the correctness of the protocol Comp-Secure-VSSBP.

Lemma 1. In Comp-Secure-VSSBP, the shares held by all uncorrupted participants can be interpolated to a unique PLF of degree $t-1$, and t or more of these shares can reconstruct the secret S.

The protocol Comp-Secure-VSSBP is computationally secure in the sense that the value $a_0 = \hat e(S, P)$ is revealed during the execution of the protocol, and hence the secrecy of S depends on the computational assumption that it is hard for an attacker to obtain S from $\hat e(S, P)$, which is precisely the mGBI assumption. As mentioned in Section 2.2, the mGBI assumption is implied by the CDH assumption, so the security of protocol Comp-Secure-VSSBP can be regarded as based on the hardness of the CDH problem.

Lemma 2. In Comp-Secure-VSSBP, an attacker that learns fewer than t shares of the secret S obtains no information about S, assuming that the CDH problem is computationally intractable.

Please refer to [3] for detailed proofs of the two lemmas.

Fig. 1. Computationally secure veriﬁable secret-sharing protocol based on the bilinear map.


4.4. Distributed secret value generation protocol for our scheme

Distributed secret key generation is a main component of threshold cryptosystems. It allows a set of n servers to jointly generate a pair of public and secret keys according to the distribution defined by the underlying cryptosystem, without ever having to compute, reconstruct, or store the secret key in any single location and without assuming any trusted party (dealer). While the public key is output in the clear, the secret key is maintained as a (virtual) secret shared via a threshold scheme. Solutions to the distributed generation of private keys for discrete-log based cryptosystems have been studied in [5,10]. Here we construct a protocol "distributed secret-value generation protocol for the CLTHS scheme (DSG)", which is very similar to Gennaro et al.'s [10] distributed key generation protocol for discrete-logarithm based cryptographic schemes. The differences between them are as follows. Firstly, the domain of the public value is changed from $\mathbb{Z}_p^*$ to $G_1$: while our protocol allows a set of n servers to jointly generate a secret $s \in \mathbb{Z}_q$ whose corresponding public value is $c = sP \in G_1$, a predetermined set of parties in Gennaro et al.'s protocol jointly generate a secret $\lambda \in \mathbb{Z}_q$ whose corresponding public value is $y = g^{\lambda} \in \mathbb{Z}_p^*$. Secondly, the broadcast information and the verification equation are also moved from $\mathbb{Z}_p^*$ to $G_1$. Lastly, the computation of $A_{nk}$ is different in the simulator constructed to prove the security of DSG. We use a variant of the non-interactive and information-theoretically secure VSS protocol due to Pedersen [17] as a building block in our solution, which can tolerate up to $t-1$ malicious faults without revealing any information on the secret; we denote it by Pedersen-VSS. Due to lack of space, we do not explicitly describe Pedersen-VSS here, as its description is implicitly contained in Step 1 of our DSG protocol. Suppose that the threshold t and the number n of parties satisfy $1 \le t \le n < q$. Let $(G_1, q, P)$ be the common parameters, as defined in Section 2.1. Our protocol DSG is depicted in detail in Fig. 2.

Fig. 2. Distributed secret-value generation protocol for the CLTHS scheme.

Fig. 3. Simulator for the distributed secret value generation protocol DSG.


The correctness and security (please refer to [10] for detailed definitions) of DSG can be proven in a similar way to that of the protocol in [10]. For simplicity, we only present the correctness statement (Lemma 3) and a modified simulator SIM-DSG in Fig. 3, while the concrete proof procedure is omitted. From the protocol we know that the generated secret is $s \in \mathbb{Z}_q$ and its corresponding public value is $c = sP \in G_1$. Finally, $C_i$ holds the secret shares $x_i, x'_i$, i = 1, ..., n. The public information $C_{ik}, A_{ik}, A_k$, i = 1, ..., n, k = 0, ..., t−1, is known to all parties. It is easy to see that

$x_i P = \sum_{k=0}^{t-1} i^k A_k.$

In our threshold signature scheme in Section 5, this protocol is employed by the n signature generation servers to generate the secret value $x_{ID}$ of an identity ID as well as the random number r used in the signing phase.

Lemma 3 (Correctness). In the above protocol DSG, all subsets of t shares provided by honest parties define the same unique secret key s, and all honest parties have the same value of the public key $c = sP$, where s is uniformly distributed in $\mathbb{Z}_q$.

Lemma 4 (Secrecy). In the above protocol DSG, no information on s can be learned by the adversary except for that implied by the value $c = sP$.

From the above lemmas we derive the following theorem.

Theorem 2. Protocol DSG in Fig. 2 is a secure protocol for distributed secret value generation, namely it satisfies the above correctness and secrecy requirements with threshold t.

5. Our certificateless threshold signature scheme

With the building blocks presented in the previous section, we now construct a certificateless threshold signature scheme based on the bilinear map, which we call "CLTHSBP". CLTHSBP consists of the following algorithms and protocols. For simplicity, we omit the details of the sub-protocols Comp-Secure-VSSBP and DSG, and only describe the significant information resulting from them.

Key/system parameter generation algorithm GC(k): Given a security parameter k, the KGC performs the following:
– Choose a cyclic additive group $G_1$ generated by $P$ with prime order $q$, a cyclic multiplicative group $G_2$ of the same order, and a bilinear map $\hat e: G_1 \times G_1 \to G_2$.
– Pick a random $\lambda \in \mathbb{Z}_q^*$ as the master secret key and set $P_{pub} = \lambda P$.
– Choose three cryptographic hash functions $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_3: \{0,1\}^* \to \mathbb{Z}_q^*$.
– Keep $\lambda$ secret and publish $params = (G_1, G_2, \hat e, P, P_{pub}, H_1, H_2, H_3)$.

Partial private key extraction algorithm EX(params, msk, ID): This algorithm is run by the KGC to generate a partial private key associated with ID.
– Compute $Q_{ID} = H_1(ID \| P)$.
– Output the partial private key $D_{ID} = \lambda Q_{ID}$.

Partial private key distribution protocol DK(params, msk, ID, n, t): A trusted user (as discussed in Section 2.3, this user could be the KGC itself) who possesses the partial private key $D_{ID}$ associated with an identity ID performs the following:
– Run Comp-Secure-VSSBP with input $(G_1, q, \hat e, P, P_{pub}, H_1, t, n, D_{ID})$ to share $D_{ID}$ among the n signature generation servers, denoted by $C_1, C_2, \dots, C_n$. Denote the partial private key share of $C_i$ by $D^i_{ID}$ for i = 1, ..., n, and denote the public verification information output at the end of the execution of Comp-Secure-VSSBP by $a_0, a_1, \dots, a_{t-1}$, where t is the threshold.
Distributed secret value generation protocol GS(params, ID, n, t): Each signature generation server $C_i$ performs the following steps to jointly generate a secret value $x_{ID}$ for an identity ID:
– Taking $(G_1, q, P, t, n)$ as input, all signature generation servers execute DSG to jointly generate a secret value $x_{ID}$ and a public value $P_{ID} = x_{ID} P$. (Note that the public value $P_{ID}$ is exactly the public key we want to generate in the next protocol.) Denote the resulting share held by server $C_i$ by $x^i_{ID}$ for i = 1, ..., n, and denote the public verification information output at the end of the execution of DSG by $pk^k_{ID} = \sum_{i \in J} A_{ik}$ for k = 0, ..., t−1. Note that $pk^0_{ID} = P_{ID}$.

Public key extraction protocol PK(params, ID, $x_{ID}$): The user's public key $P_{ID}$ corresponding to the user's secret value $x_{ID}$ is obtained directly from the above protocol without any additional computation. As shown in protocol DSG, the public information of the secret value is the public key $P_{ID}$, which is exactly what we need.

Signature generation protocol S(params, $D^i_{ID}$, $x_{ID}$, M): Each signature generation server $C_i$ performs the following to jointly generate a signature on a given message M:
– Run DSG to jointly generate a secret random value $r \in \mathbb{Z}_q$ and a public value $R = rP$. Denote by $r_i$ the resulting share held by server $C_i$, where i = 1, ..., n, and denote the public verification information output at the end of the execution of DSG by $R_k = \sum_{i \in J} A_{ik}$ for k = 0, ..., t−1. Note that $R_0 = R$.
– Compute $u = H_2(R \| P_{ID} \| M)$ and $v = H_3(R \| P_{ID} \| M)$.
– Broadcast $V_i = (u x^i_{ID} + r_i) Q_{ID} + v D^i_{ID}$. Anyone can verify the validity of $C_i$'s signature share by checking

$\hat e(V_i, P) = \Big(\prod_{j=0}^{t-1} a_j^{\,i^j}\Big)^{v} \cdot \hat e\Big(u \sum_{j=0}^{t-1} i^j pk^j_{ID} + \sum_{j=0}^{t-1} i^j R_j,\; Q_{ID}\Big).$
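Why this share check holds, as an added derivation that is not part of the original paper. It assumes, as in Feldman-style VSS, that Comp-Secure-VSSBP shares $D_{ID}$ through a polynomial $F(x) = \sum_{j=0}^{t-1} x^j F_j$ over $G_1$ with $F_0 = D_{ID}$, share $D^i_{ID} = F(i)$ and commitments $a_j = \hat e(F_j, P)$ (consistent with $a_0 = \hat e(S, P)$ in Section 4.3), and uses the DSG relations $x^i_{ID} P = \sum_j i^j pk^j_{ID}$ and $r_i P = \sum_j i^j R_j$ from Section 4.4:

$$\begin{aligned}
\hat e(V_i, P) &= \hat e\big((u x^i_{ID} + r_i) Q_{ID}, P\big)\,\hat e(v D^i_{ID}, P) \\
&= \hat e\big(u x^i_{ID} P + r_i P,\; Q_{ID}\big)\,\prod_{j=0}^{t-1} \hat e(F_j, P)^{v\, i^j} \\
&= \hat e\Big(u \sum_{j=0}^{t-1} i^j pk^j_{ID} + \sum_{j=0}^{t-1} i^j R_j,\; Q_{ID}\Big)\,\Big(\prod_{j=0}^{t-1} a_j^{\,i^j}\Big)^{v}.
\end{aligned}$$

Each step uses only bilinearity of $\hat e$, so an honest share passes, while a share that was not formed from the committed $D^i_{ID}$, $x^i_{ID}$ and $r_i$ fails the equality.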

– Construct V by computing

$V = \sum_{i \in U} \pi^U_{0,i} V_i, \qquad \text{where } \pi^U_{0,i} = \prod_{j \in U,\, j \ne i} \frac{j}{j - i} \pmod q$

is the Lagrange coefficient, for $|U| \ge t$.
– Output $\sigma = (R, V)$ as the whole signature on M.

Signature verification algorithm V(params, ID, $P_{ID}$, M, $\sigma$): One can verify whether $\sigma = (R, V)$ is a valid signature of the entity with identity ID and public key $P_{ID}$ on message M by performing the following steps:
– Compute $Q_{ID} = H_1(ID \| P)$, $u = H_2(R \| P_{ID} \| M)$ and $v = H_3(R \| P_{ID} \| M)$.
– Verify $\hat e(V, P) = \hat e(u P_{ID} + v P_{pub} + R,\; Q_{ID})$. If the equation holds, output "Valid"; otherwise, output "Invalid".

Note that the protocols GC, EX, PK and V of CLTHSBP are the same as those of the ZZCLS scheme described in Section 4.1.

6. Security analysis of the proposed scheme

In this section, we prove the security of the proposed CLTHSBP. According to Theorem 1, we only need to show that the underlying certificateless signature scheme ZZCLS is EUF–CLS–CMA secure and that CLTHSBP is simulatable. As mentioned before, the ZZCLS scheme has been proven EUF–CLS–CMA secure against super adversaries assuming that the CDH problem is intractable [25]. Thus, we only need to prove the following lemma.

Lemma 5. The proposed CLTHSBP is simulatable.

Proof. We describe the three simulators $SIM_{DK}$, $SIM_{GS}$ and $SIM_S$ of CLTHSBP to establish the simulatability of our scheme. The simulator $SIM_{DK}$ for the partial private key distribution protocol DK of CLTHSBP can be constructed in the same way as that in [3] for the proof of the verifiable secret-sharing scheme (CVSSBM), which ensures the security of Comp-Secure-VSSBP. Similarly, the simulator $SIM_{GS}$ for the distributed secret value generation protocol GS of CLTHSBP can be constructed in the same way as that in the proof of Theorem 2, which ensures the security of DSG. Now we present the simulator $SIM_S$ for the signature generation protocol S of CLTHSBP. As described in Fig. 4, the simulator $SIM_S$ takes as input the public output of protocol GC of CLTHSBP, an identity ID, a signature (R, V) on a message M, the $t-1$ partial private key shares $D^1_{ID}, \dots, D^{t-1}_{ID}$ and the $t-1$ shares $x^1_{ID}, \dots, x^{t-1}_{ID}$ of the secret value held by the corrupted signature generation servers, and the public outputs $a_0, a_1, \dots, a_{t-1}, pk^0_{ID}, pk^1_{ID}, \dots, pk^{t-1}_{ID}$ of DK and GS, and generates valid transcripts of the signature generation protocol S of CLTHSBP. From the adversary's view, these transcripts are computationally indistinguishable from the actual transcripts generated during the execution of the protocol. We exhibit the proof by analyzing the information generated by the signature generation protocol S and the simulator $SIM_S$ in each step (the numbering of steps corresponds to that in the signature generation protocol S). For Step 1, both the protocol and the simulator execute a distributed generation of a random secret value using unconditionally secure verifiable secret sharing; the simulatability of this step follows from the simulatability of DSG, which has been proved previously. For Steps 2 and 5, it is evident that their outputs are identically distributed, since they consist of identical operations. For Steps 3 and 4, the broadcast values $V_1, \dots, V_n$ generated by protocol S interpolate to some randomly and uniformly distributed value in $G_1$. The signature shares $V'_1, \dots, V'_n$ output by $SIM_S$ interpolate to a value V which is randomly and uniformly distributed in $G_1$. We also have $V'_i = (u x^i_{ID} + r_i) Q_{ID} + v D^i_{ID}$ for i = 1, ..., t−1, and hence each $V'_i$ is generated in the same manner as $V_i$ (Step 3 in $SIM_S$). □

Due to Theorem 1, Lemma 5 and the unforgeability of ZZCLS (as proved in [25]), we obtain the following theorem.

Theorem 3. CLTHSBP is existentially unforgeable against adaptively chosen message attacks under the assumption that the CDH problem on $G_1$ is intractable.
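The signing flow of Section 5 (DK, GS, the signing steps, the share check, the Lagrange combination) on top of the ZZCLS algorithms of Section 4.1, as an added Python example that is not part of the paper. The pairing is an insecure toy stand-in (G1 = Z_q stored additively, e(aP, bP) = g^{ab} mod p) so that the paper's verification equations can be checked numerically; the honest-dealer sharing, the DSG without its complaint phase, the hash encodings, the group sizes and the identities are all constructed assumptions.

```python
"""Toy run of the CLTHSBP signing flow with an INSECURE pairing stand-in:
G1 is Z_q written additively (the point aP is stored as the integer a), G2 is
the order-q subgroup of Z_p^* generated by g, and e(aP, bP) = g^(ab) mod p.
This map is bilinear, so the paper's equations can be exercised, but discrete
logs are trivial here: it demonstrates the algebra only, never security."""
import hashlib
import secrets

Q = 1019      # prime group order (constructed toy value)
P_MOD = 2039  # p = 2q + 1, also prime, so Z_p^* has an order-q subgroup
G = 4         # generator of that subgroup (a quadratic residue mod p)
P = 1         # the generator P of G1, stored as 1*P

def pairing(a, b):
    """e(aP, bP) = g^(ab) in G2."""
    return pow(G, (a * b) % Q, P_MOD)

def _hash(tag, *parts):
    data = tag.encode() + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def h1(identity):            # H1: {0,1}* -> G1, applied to ID || P
    return _hash("H1", identity, P) % Q or 1

def h_zq(tag, R, P_ID, M):   # H2 / H3: {0,1}* -> Z_q^*, applied to R || P_ID || M
    return _hash(tag, R, P_ID, M) % (Q - 1) + 1

def poly_eval(coeffs, x):
    """c_0 + c_1 x + ... + c_{t-1} x^{t-1} over Z_q."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def share_secret(secret, n, t):
    """Honest-dealer (t, n) sharing of a G1 element, as in Comp-Secure-VSSBP:
    returns the shares F(1..n) and the public commitments a_k = e(F_k, P)."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = [poly_eval(coeffs, i) for i in range(1, n + 1)]
    return shares, [pairing(c, P) for c in coeffs]

def dsg(n, t):
    """Dealer-less generation of s in Z_q (DSG with all n parties honest, so the
    complaint phase is skipped): each server picks a degree t-1 polynomial and
    the shares and the coefficient commitments A_k = c_k P are summed."""
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    shares = [sum(poly_eval(pl, i) for pl in polys) % Q for i in range(1, n + 1)]
    public = [sum(pl[k] for pl in polys) % Q for k in range(t)]
    return shares, public

def lagrange_coeff(i, subset):
    """pi^U_{0,i} = prod_{j in U, j != i} j / (j - i)  (mod q)."""
    num = den = 1
    for j in subset:
        if j != i:
            num, den = num * j % Q, den * (j - i) % Q
    return num * pow(den, -1, Q) % Q

def verify_share(i, V_i, u, v, a, pk, Rk, Q_ID):
    """e(V_i, P) == (prod_j a_j^(i^j))^v * e(u sum_j i^j pk_j + sum_j i^j R_j, Q_ID)."""
    prod_a = 1
    for j, a_j in enumerate(a):
        prod_a = prod_a * pow(a_j, pow(i, j, Q), P_MOD) % P_MOD
    point = sum((u * pk[j] + Rk[j]) * pow(i, j, Q) for j in range(len(pk))) % Q
    return pairing(V_i, P) == pow(prod_a, v, P_MOD) * pairing(point, Q_ID) % P_MOD

def verify(identity, P_ID, P_pub, M, sig):
    """ZZCLS verification: e(V, P) == e(u P_ID + v P_pub + R, Q_ID)."""
    R, V = sig
    Q_ID = h1(identity)
    u, v = h_zq("H2", R, P_ID, M), h_zq("H3", R, P_ID, M)
    return pairing(V, P) == pairing((u * P_ID + v * P_pub + R) % Q, Q_ID)

def threshold_sign(identity, M, n=5, t=3):
    """GC, EX, DK, GS and S end to end. Returns the keys, the signature and the
    per-server material so that a caller can repeat the share checks."""
    lam = secrets.randbelow(Q - 1) + 1          # master secret key (GC)
    P_pub = lam * P % Q
    Q_ID = h1(identity)
    D_ID = lam * Q_ID % Q                       # partial private key (EX)
    D_shares, a = share_secret(D_ID, n, t)      # DK: D^i_ID and a_0..a_{t-1}
    x_shares, pk = dsg(n, t)                    # GS: x^i_ID, pk^0_ID = P_ID
    r_shares, Rk = dsg(n, t)                    # S step 1: r_i, R_0 = R
    P_ID, R = pk[0], Rk[0]
    u, v = h_zq("H2", R, P_ID, M), h_zq("H3", R, P_ID, M)   # S step 2
    V = {i: ((u * x_shares[i - 1] + r_shares[i - 1]) * Q_ID
             + v * D_shares[i - 1]) % Q for i in range(1, n + 1)}  # step 3
    U = list(range(1, t + 1))                   # any t valid shares suffice
    V_full = sum(lagrange_coeff(i, U) * V[i] for i in U) % Q      # step 4
    return {"P_ID": P_ID, "P_pub": P_pub, "sig": (R, V_full), "shares": V,
            "u": u, "v": v, "a": a, "pk": pk, "Rk": Rk, "Q_ID": Q_ID}
```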


Fig. 4. Simulator for the signature generation protocol S of CLTHSBP.

7. Conclusion

In this paper, we discuss issues related to threshold signatures in certificateless public key cryptography. A stronger security model for certificateless threshold signatures is presented. In our new model, adversaries are more powerful than those considered in other security models of certificateless threshold signature schemes. To make the security proof easy and convenient, we establish the simulatability theorem for certificateless threshold signature schemes. We also propose a new certificateless threshold signature scheme from bilinear maps. The new scheme contains several improvements when compared with the existing ones [21,22]. We use a secure verifiable secret-sharing protocol to share the partial private key among the signature generation servers; this helps to detect misbehavior during the sharing phase. To share the secret value, we employ the technique of information-theoretically secure distributed key generation, and thus no single party can hold the group's secret value. Such techniques not only greatly enhance the robustness of our scheme, but also ensure its simulatability. Three simulators (in particular the simulator for the signature generation protocol) are constructed to show the simulatability of the proposed certificateless threshold signature scheme. The simulatability demonstrates that our threshold signature scheme is provably secure against the strongest adversaries in the random oracle model, provided that the CDH problem is hard. Our scheme is efficient and has a signature length of only two elements of $G_1$, which is much shorter than that of other certificateless threshold signature schemes. Thus, the proposed scheme is practical and can be applied in real applications where threshold signatures are needed in certificateless settings.

Acknowledgments

The authors are very grateful to the anonymous reviewers for their valuable comments and suggestions.
This research is supported by the Natural Science Foundation of China under Grant No. 60673070 and the Natural Science Foundation of Jiangsu Province under Grant No. BK2006217.

References

[1] S. Al-Riyami, K. Paterson, Certificateless public key cryptography, in: Proceedings of Asiacrypt 2003, Taipei, Taiwan, 2003, pp. 452–473.


[2] J. Baek, Y. Zheng, Identity-based threshold decryption, in: Proceedings of the 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, 2004, pp. 262–276.
[3] J. Baek, Y. Zheng, Identity-based threshold signature scheme from the bilinear pairings, in: Proceedings of the International Conference on Information Technology: Coding and Computing, Las Vegas, USA, 2004, pp. 124–128.
[4] A. Boldyreva, Efficient threshold signatures: multisignatures and blind signatures based on the Gap–Diffie–Hellman-group signature scheme, in: Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography, Miami, FL, USA, 2003, pp. 31–46.
[5] M. Cerecedo, M. Matsumoto, H. Imai, Efficient and secure multiparty generation of digital signatures based on discrete logarithms, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E76-A (1993) 532–545.
[6] S. Chang, D.S. Wong, Y. Mu, Z. Zhang, Certificateless threshold ring signatures, Information Sciences 179 (20) (2009) 3685–3696.
[7] X. Chen, F. Zhang, D.M. Konidala, K. Kim, New ID-based threshold signature scheme from bilinear pairings, in: Proceedings of the 5th International Conference on Cryptology in India, Chennai, India, 2004, pp. 371–383.
[8] P. Feldman, A practical scheme for non-interactive verifiable secret sharing, in: Proceedings of the IEEE 28th Annual Symposium on the Foundations of Computer Science, Los Angeles, California, USA, 1987, pp. 427–437.
[9] R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Robust threshold DSS signatures, Information and Computation 164 (1) (2001) 54–84.
[10] R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Secure distributed key generation for discrete-log based cryptosystems, Journal of Cryptology 20 (1) (2007) 51–83.
[11] B. Hu, D. Wong, Z. Zhang, X. Deng, Key replacement attack against a generic construction of certificateless signature, in: Proceedings of the 11th Australasian Conference on Information Security and Privacy, Melbourne, Australia, 2006, pp. 235–246.
[12] X. Huang, W. Susilo, Y. Mu, F. Zhang, On the security of a certificateless signature scheme, in: Proceedings of the 4th International Conference on Cryptology and Network Security, Xiamen, China, 2005, pp. 13–25.
[13] X. Huang, Y. Mu, W. Susilo, D. Wong, W. Wu, Certificateless signature revisited, in: Proceedings of the 12th Australasian Conference on Information Security and Privacy, Townsville, Australia, 2007, pp. 308–322.
[14] J. Liu, M. Au, W. Susilo, Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model, in: Proceedings of the 2007 ACM Symposium on Information, Computer and Communications Security, Singapore, 2007, pp. 273–283.
[15] Z. Liu, Y. Hu, X. Zhang, H. Ma, Certificateless signcryption scheme in the standard model, Information Sciences 180 (3) (2010) 452–464.
[16] Y. Long, K. Chen, Efficient chosen-ciphertext secure certificateless threshold key encapsulation mechanism, Information Sciences 180 (7) (2010) 1167–1181.
[17] T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in: Proceedings of the 11th Annual International Cryptology Conference, Santa Barbara, CA, USA, 1991, pp. 129–140.
[18] A. Shamir, Identity-based cryptosystems and signature schemes, in: Proceedings of the 4th Annual International Cryptology Conference, Santa Barbara, CA, USA, 1984, pp. 47–53.
[19] K.A. Shim, Breaking the short certificateless signature scheme, Information Sciences 179 (3) (2009) 303–306.
[20] D. Stinson, R. Strobl, Provably secure distributed Schnorr signatures and a (t, n) threshold scheme for implicit certificates, in: Proceedings of the 6th Australasian Conference on Information Security and Privacy, Sydney, Australia, 2001, pp. 417–434.
[21] L. Wang, Z. Cao, X. Li, H. Qian, Simulatability and security of certificateless threshold signatures, Information Sciences 177 (2007) 1382–1394.
[22] H. Xiong, Z. Qin, F. Li, Simulatability and security of certificateless threshold signature without random oracles, in: Proceedings of the 2008 International Conference on Computational Intelligence and Security, Suzhou, China, 2008, pp. 308–313.
[23] D. Yum, P. Lee, Generic construction of certificateless signature, in: Proceedings of the 9th Australasian Conference on Information Security and Privacy, Sydney, Australia, 2004, pp. 200–211.
[24] Z. Zhang, D. Wong, J. Xu, D. Feng, Certificateless public-key signature: security model and efficient construction, in: Proceedings of the International Conference on Applied Cryptography and Network Security 2006, Singapore, 2006, pp. 293–308.
[25] L. Zhang, F. Zhang, A new provably secure certificateless signature scheme, in: Proceedings of the IEEE International Conference on Communications, Beijing, China, 2008, pp. 1685–1689.
[26] L. Zhang, F. Zhang, A new certificateless aggregate signature scheme, Computer Communications 32 (2009) 1079–1085.
[27] L. Zhang, F. Zhang, Q. Wu, J. Domingo-Ferrer, Simulatable certificateless two-party authenticated key agreement protocol, Information Sciences 180 (6) (2010) 1020–1030.