This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

1

Demonstrably Secure Signature Scheme Resistant to k-Traitor Collusion Attack Tomasz Hyla, Jerzy Peja´s

Abstract—The paper presents the proposal of a new implicit and explicit certificate-based signature scheme (IE-CBS-kCAA scheme) using Sakai-Kasahara’s type keys. The scheme security depends on the computational difficulty of solving the modified Collusion Attack Algorithm with k traitors (k-mCAA problem), reducible in particular cases to the known k-CAA problem. The originality of the scheme consists not only in the formulation and application of a new difficult computational problem, but also in its design to meet the paradigm of public key cryptography based on implicit and explicit certificates. Due to such an approach, the proposed signature scheme can be used in the traditional public key infrastructure with revocation of explicit certificates and in non-standard infrastructures without revocation of implicit certificates. In the paper, the security model is formulated and it is shown that the IE-CBS-kCAA signature scheme is existentially unforgeable against adaptively chosen messages in the random oracle model. Moreover, it results from the comparison of the IE-CBS-kCAA scheme with other signature schemes based on implicit and/or explicit certificates that its computational efficiency is at a similar level. Computational tests have also shown that the scheme can be used in practice. Index Terms—signature scheme, implicit and explicit certificates-based public key cryptography, bilinear pairing, security analysis, k-CAA problem

I. I NTRODUCTION The idea of the Collusion Attack Algorithm with k traitors is simple. Let us assume that any group of users is given, who thanks to the knowledge of individual secrets, can use a particular service, e.g. pay-per-view television, creation of a digital signature, or message encryption. The security mechanisms of the service are built in such a way that any user belonging to an authorized set of users can use the service. Moreover, it must be ensured that even when all unauthorized users cooperate with each other, it would still be impossible to use the service illegally. It is obvious that two different situations are possible. In the first, trivial case, unauthorized users may receive a secret from one or more authorized users, referred to as traitors. They can use it until the service provider detects the fraud. In the second case, unauthorized users may try to create a new secret based on received or captured secrets (assigned to any unauthorized user) that can be considered by authorized users as the proper one, and will result in qualifying the fraudster as a valid member of an authorized users’ group. The latter T. Hyla and J. Peja´s are with Faculty of Computer Science and Information Technology, West Pomeranian University of Technology, ul. Zolnierska 52, 71-210 Szczecin, Poland e-mail: [email protected] A preliminary version of this paper [1] appeared in Proceedings of the CISIM 2017 Conference, June 16-18, Bialystok, Poland, LNCS 10244, pp. 638-651. Enhancements over [1] are given in Sect. I-A Manuscript received March xx, 2018; revised January 1, 2001.

situation is particularly dangerous when the generated secret (private key) can be used to create a digital signature or in secret text decryption operations. Collusion Attack Algorithm with k traitors (the k-CAA problem) was formulated in 2002 by S. Mitsunari et al. [2]. This problem and its later variants [3] belong to the group of computationally difficult problems. This is because if a group of traitors with a population of less than k users reveal their private keys, then it is computationally infeasible to recreate or generate another private key for a user from outside of this group. This type of properties of the k-CAA problem and its variants contributed to the fact that the problems of k traitors cooperation have become very useful in pairing based cryptography for the construction of new encryption or signature schemes (El Mrabet et al. [4]). One of the first practical examples of using the k-CAA problem is the encryption scheme proposed in 2003 by Sakai and Kasahara [5] and simplified later by Zhang et al. [6] and Scott [7]. These schemes belong to the group of IDbased encryption (IBE) schemes, in which specific algorithms for generating private keys were used, guaranteeing that the schemes are afforded adaptive chosen ciphertext security in the random oracle model, as long as an effective algorithm for solving the k-CAA problem does not exist. This mentioned keys generation feature is so characteristic that such schemes and other similar schemes are recognized as schemes based on Sakai-Kasahara key construction. The Sakai-Kasahara key construction is also used in signature schemes. One of the first schemes of this type is the ID-based short signature scheme (ZSS), proposed in 2004 by Zhang et al. [6]. B. C. Hu et al. [8] demonstrated that the scheme is vulnerable to message-and-key replacement attacks. Nevertheless, this scheme is a basic element of many new signature schemes (e.g.: P. Barreto et al. [9], Du and Wen [10]) and, moreover, it allows simplifying proof of their security. The main disadvantage of ID-based schemes is the inability to achieve in many cases Girault’s level-3 security specifications [11]. This is due to the fact that the Trusted Authority (TA) knows the private keys of all users. What’s worse, TA can restore any user’s private key at any time. This property of ID-based schemes would be difficult to eliminate even when using hardware means of generating keys, e.g. smart cards with cryptoprocessors, and forwarding them to users later. The solution to this problem were supposed to be the certificateless signature schemes (CLS scheme), whose idea was proposed in the paper published by S. Al-Riyami and K. Paterson [12]. One of the first certificateless signature schemes based on the k-CAA problem was the scheme proposed by Du and Wen

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

[13] . However, in 2011, Fan et al. [14] and Choi et al. [15] independently showed that the scheme cannot be protected from Super Type I adversaries and hence does not allow Girault’s level-3 security specifications to be achieved. The improved version of the Du and Wen scheme [13], proposed by Fan et al. [14], also does not allow to achieve this level of security. Examples of cryptanalysis of the signature scheme proposed by Fan et al. can be found in the works [16], [17] and [18]. The Du-Wen’s short CLS scheme is vulnerable to Type-I adversaries because this signature scheme is not randomized, i.e. multiple queries of the signature algorithm for the same message always generates a signature with the same value. This situation allows the adversary to easily obtain a partial private key used by the signer when signing. Key replacement attacks are effective when applied to certain certificateless cryptosystems (Huang, X., et al. [19]) because no explicit authentication is required to obtain public keys. Of course, it is possible to construct a certificateless cryptosystem that defends against such attacks, but a less complex solution was proposed by C. Gentry [20]. This solution is primary used for encryption purposes and is referred to as certificate-based encryption, but it has been quickly generalized for use in certificate-based signature schemes (B. G. Kang et al. [21], J. Li et al. [22], J. Li et al. [23] and W. Wu et al. [24]). The solution proposed by Gentry does not automatically denote that all certificate-based schemes can resist key replacement attacks (e.g., in J. Li et al. [23]). Many of the certificate-based signature schemes designed in recent years are also based on the k-CAA problem or its variants. Two examples of such schemes are the proposals presented in the works of J. K. Liu et al. [25] and J. Li et al. [26]. Although the authors of both schemes declared that they are secure in the random oracle model, Cheng et al. [27] and Hung [28] showed, respectively, that both schemes cannot protect against a Type I adversary that can obtain a partially private key of an uncertified targeted user. The paper [29] proposes the encryption scheme IE-CBE belonging to the new category of public key cryptography schemes based on an implicit and explicit certificates. Schemes belonging to this schema category are confirmation of the observation [30] that the collision of ID-based, certificateless and certificate-based schemes with practice inevitably leads us to or at least close to the proven traditional public key infrastructure (PKI) mechanisms. The IE-CBE scheme has been designed based on the k-CAA problem. To the best of our knowledge, there is no corresponding signature scheme based on both implicit and explicit certificates, as well as computational difficulty of the k-CAA problem or its variants. Hence, the problem of designing such secure signature schemes remains still a challenging open problem. The above mentioned attacks on signature schemes occur for several reasons and especially because signature schemes are not randomized and are not properly secured against adversaries who can attempt to obtain full or partial user private keys.

2

A. Contributions The present work is the full version of our paper. In comparison to the conference version [1], it provides a full formal security proof, an extended introduction, the syntax of the scheme, the results of performance tests, and other additional information. The basic result presented in the paper is the proposal of the first signature scheme based on implicit and explicit certificates using Sakai-Kasahara’s key construction. Its security depends on the computational difficulty of solving k-mCAA problem, reducible in particular cases to the known k-CAA problem. The main property of the schema is that the public availability of the explicit certificate prevents the recovery of the implicit certificate. This feature of both certificates is of great practical importance and allows to verify the signature in the IE-CBS-kCAA scheme directly on the basis of an explicit certificate or indirectly on the basis of an implict certificate. In the first case, the verification can be ensured as for PKI certificates. In turn, in the second one the verification of the signature is performed similarly to the certificate-based signature schemes, without the need to refer to an explicit certificate. The signature scheme IE-CBS-kCAA is an existentially unforgeable against adaptive chosen-message and identity attacks (EUF-CMA) in the random oracle model. The sketch of proof presented in paper [1] indicates that the security problem of IE-CBS-kCAA scheme can be reduced to the computational difficulty of k-mCAA problem (the variant of the collusion at-tack algorithm with k-traitors) and discrete logarithm (DL) problem. In this full version of the paper, the complete proof of the IE-CBS-kCAA scheme security is presented. For the purposes of the proof, two games were defined, and then based on General Forking Lemma [39], two wrappers and related reduction algorithms were developed allowing to solve the problems of k-mCAA and discrete logarithm. Such a possibility, however, openly contradicts the assumption of the difficulty of solving both problems, which shows that the proposed scheme is secure. Finally, we show that although the proposed scheme does not belong to a short signature scheme category, it is computationally more efficient and has a similar signature length as other (implicit) certificate-based signature schemes described in [24] and [31] with a similar level of security.

B. Paper Organisation The rest of this paper is organized as follows. In the following section, we briefly review background information. Before presenting our results, we first present the syntax of the signature scheme based on implicit and explicit certificates (Section III) and our security model that protects against two different types of attacks (see Section IV). In Section V, the IE-CBS-kCAA randomized signature scheme from pairings is proposed, and its security proof in the random oracle is presented in Section V-C. The efficiency of our scheme is discussed in Section VI. Finally, we present the study’s conclusions.

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

3

II. P RELIMINARIES In this section, we briefly review the definition for groups equipped with an asymmetric bilinear map and precisely state hardness assumptions.

Here we briefly review the definition for groups equipped with an asymmetric bilinear map and precisely state the hardness assumptions. Definition 1: (Asymmetric bilinear map groups). Let G1 and G2 be two cyclic groups of some prime order p > 2k for some security parameter k ∈ N , and let GT be a multiplicative group. We say that (G1 , G2 , GT ) are asymmetric bilinear map groups when a bilinear map satisfies the following properties: 1) Bilinearity: for (P, Q) ∈ G1 × G2 and a, b ∈ Zp∗ , eˆ(aP, bQ) = eˆ(P, Q)ab . 2) Non-degeneracy: for each P ∈ G1 such that P 6= 1G1 , Q ∈ G2 holds for eˆ(P, Q) 6= 1G2 ; in other words, when P and Q are two generators of respectively G1 and G2 , then eˆ(P, Q) is a generator of GT ; 3) Computability: given (P, Q) ∈ G1 × G2 , an efficient algorithm for computing eˆ(P, Q) exists; 4) An efficient and publicly computable (but not invertible) isomorphism ψ : G2 → G1 such that ψ(Q) = P exists. Such bilinear map groups are instantiable with ordinary elliptic curves such as MNT curves [32] or with curves studied by Barreto and Naehrig [33]. B. Security Assumptions In this section, we present mathematical problems used in this paper and define corresponding assumptions. Definition 2: (Discrete Logarithm (DL) problem [1]). Given generator P ∈ G1 and T ∈ G∗1 compute a ∈ Zp∗ such that T = aP . The DL is (t, ε) hard when the probability of any probabilistic t-polynomial-time algorithm ADL solving the DL problem in G1 is defined as: (1)

A The DL assumption denotes the probability of AdvDL being negligible for every probabilistic polynomial time algorithm A.

Definition 3: (k-CAA problem, Mitsunari et al. [2]). For a positive integer k and s ∈ Zp∗ , Q ∈ G2 , given:

Q, Q0 = sQ, h∗ , h1 , ..., hk ∈ Zp∗ , h∗ ∈ / {h1 , ..., hk }, 1 1 Q, ..., Q h1 +s hk +s n o compute a new pair h∗ , h∗1+s Q . The k-CAA is (t, εk−CAA )-hard when for all t-time adversaries Ak−CAA , we have:

(2)

(3)

= P r Ak−CAA Q, Q0 , =

A. Bilinear Groups

A AdvDL = P r{ADL (P, aP ) = a|a ∈ Zp∗ } < εDL

A Advk−CAA = (

1 1 Q, ..., h1 + s hk + s

Q =

1 Q|s ∈ Zp∗ , Q ∈ G2 , h∗ , h1 , ..., hk ∈ Zp∗ , h∗ + s ) h∗ ∈ / {h1 , ..., hk }

< εk−CAA

The k-CAA problem is believed to be hard, i.e., no polynomial time algorithm can solve it with non-negligible probability. We define a new variant of the k-CAA problem hereinafter referred to as the k-mCAA problem (compare [2]). Definition 4: (k-mCAA problem [1]). For randomly selected values s, r∗ , h∗ , r1 , ..., rk , hk ∈ Zp∗ , and Q ∈ G2 , given: / {h1 , ..., hk }, Q, Q0 = sQ, h∗ , h1 , ..., hk ∈ Zp∗ , h∗ ∈ r∗ Q, r1 Q, ..., rk Q, r∗ Q ∈ / {r1 Q, ..., rk Q}, 1 1 Q, ..., r1 h1 +s rk hk +s Q (4) n o compute a new pair h∗ , r∗ h1∗ +s Q . We say that the k-mCAA is (t, εk−mCAA )-hard when for all ttime adversaries Ak−mCAA , we have:

A Advk−mCAA = Q, Q0 , r1 Q, ..., rk Q, Ak−mCAA = 1 1 r1 h1 +s Q, ..., rk hk +s Q 1 = r∗ h∗ +s Q = Pr ∗ , Q ∈ G2 , h∗ , h1 , ..., hk ∈ Zp∗ , |s ∈ Z p |h∗ ∈ / {h1 , ..., hk }, r∗ Q ∈ / {r1 Q, ..., rk Q} < εk−mCAA

(5)

The k-mCAA assumption denotes the probability that A Advk−mCAA is negligible for every probabilistic polynomialtime algorithm A. The k-mCAA is difficult to break because even when h∗ is known, the probability of finding a number x ∈ Zp∗ such that x = (s + r∗ h∗ )−1 (mod p) with two unknowns s and r∗ is negligible and equal to (p(p − 1))−1 . Definition 4 is derived from the definition for the k-CAA3 problem, formulated by S. H. Islam et al. [34]. In contrast to the original definition, it is assumed that additional values r1 Q, ..., rk Q are input into the k-mCAA problem. Let us assume that r∗ = 1 and ri = 1, (i = 1, ..., k). Then the k-mCAA problem is transformed into a k-CAA problem. Thus, this k-CAA problem can be understood as a special case of the k-mCAA problem. Similarly, if ri = r∗ , (i = 1, ..., k), then the k-mCAA problem is equivalent to the original kCAA3 problem from [34]. III. S YNTAX OF AN IMPLICIT AND EXPLICIT CERTIFICATE - BASED SIGNATURE SCHEME The IE-CBS-kCAA scheme is defined by seven polynomialtime algorithms (compare also W. Wu et al. [24], L. Chen et

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

al. [3] , F. Zhang et al. [6], T. Hyla et al. [31]). With a security parameter 1k , these algorithms function as follows: Definition 5: (IE-CBS-kCAA scheme). An implicit and explicit certificate-based signature scheme includes the following seven polynomial-time algorithms: •

•

•

•

•

•

•

Setup (1k ) → (s, params). This algorithm takes a security parameter 1k as input and returns the certifier’s master private key s and system parameters params, which are shared in the system. A TA runs the algorithm and after completion keeps the master private key s secret, while params are publicly accessible to all users of the system. Create-User (params, IDS ) → (sIDs , P kIDs ). The user runs the algorithm, which takes as input system parameters params and the signer’s identity IDs . It outputs the user’s secret key value sIDs and corresponding public key P kIDs . Implicit-Cert-Gen (params, s, IDs , P kIDs ) → 0 00 (CIIDs , Sk IDs , RIDs , RIDs ). This algorithm takes as input the system parameter params, master private key s, the identity IDs of a user and its public key P kIDs . It outputs the user’s certificate information CIIDs , an implicit certificate Sk IDs and two components 00 0 (RIDs , RIDs ) with the secret key rIDs of the user’s implicit and explicit certificates. TA runs the algorithm once for each user and the corresponding implicit certificate is distributed to the user secretly. Explicit-Cert-Gen (params, CIIDs , s, rIDs , qIDs ) → CertIDs . This algorithm takes as input the system parameter params, master private key s, the user’s certificate information CIIDs , and the secret key rIDs related to the user’s implicit and explicit certificates. It outputs an explicit certificate CertIDs that is sent to the user through a public channel. A TA runs this algorithm once for each user. 0 Set-Private-Key (params, CIIDs , sIDs , P kIDs , RIDs , 00 RIDs , Sk IDs ) → Sk IDs . The user runs this algorithm. The algorithm takes as input system parameters params, the user’s certificate information CIIDs , a secret key sIDs , its respective public key P kIDs , an implicit certifi0 00 cate Sk IDs and two components (RIDs , RIDs ) related to it, and it returns the corresponding full user’s private key SkIDs = (sIDs , Sk IDs ). 0 Sign (params, m, CIIDs , (SkIDs , P kIDs ), RIDs , 00 RIDs ) → σ. The signer runs algorithm Sign to generate signature σ by taking as input: the params, a message m, the user’s certificate information CIIDs , its key pair 0 00 (SkIDs , P kIDs ) and two components (RIDs , RIDs ) of the user’s implicit and explicit certificates. 0 00 Verify (params, m, σ, CIIDs , P kIDs , RIDs , RIDs , CertIDs ) → {true, f alse}. Anyone can run algorithm Verify to check the signature validity. Taking as input 0 a message-signature pair (m, σ), CIIDs , P kIDs , RIDs , 00 RIDs , CertIDs , this algorithm outputs true if σ is a valid signature on m created by IDs . Otherwise, it outputs f alse.

For the sake of correctness, when σ = Sign (params,

4

0

00

m, CIIDs , (SkIDs , P kIDs ), RIDs , RIDs ) then Verify 0 00 (params, m, σ, CIIDs , P kIDs , RIDs , RIDs , CertIDs ) = 1, where public parameters params and, the signer’s private/public key pair (SkIDs , P kIDs ) and certificate CertIDs are respectively generated according to specifications of algorithms: Setup, Create-User, Implicit-Cert-Gen and ExplicitCert-Gen. Remark. Algorithms Implicit-Cert-Gen and Explicit-CertGen end successfully when the TA positively verifies the identity and certificate information CIIDs related to a given identity. In addition, when a user requests a certificate of a public key P kIDs , he must demonstrate to the certifier his possession of the corresponding SkIDs , which can be performed in the same way that it is undertaken in the traditional PKI. IV. S ECURITY MODEL In this paper, we consider only one type of security notion involving existential unforgeability (EUF) under a chosenmessage attack (CMA) in the random oracle model (EUFCMA). In this attack, an adversary who is allowed to ask the signer to sign any message of his choice adaptively according to previous answers, should not be able to generate a new valid message-signature pair. A. Adversaries and oracles The security model of the proposed IE-CBS-kCAA scheme, hereinafter referred to as EUF-IECBS-kCAA-CMA, is defined by two games played by the challenger C and adversary A assuming that the adversary chooses which game to play. In both cases, adversary A = (A1 , A2 ) is trying to pass EUF-CMA security barriers of the IE-CBS-kCAA scheme, i.e., the formal model describing existential unforgeability. To describe these games, we use the widely accepted two types of adversaries with different capabilities: the Type I Adversary and Type II Adversary (e.g., T. Hyla, et al. [31]). The Type I Adversary (A1 ) is able to compromise the user’s secret key or replace the user’s public key, but he is unable to acquire the TA’s master secret key and the user’s partial private key issued by the TA. We assume that adversary A1 models the security against non-certified users and eavesdroppers, i.e., against users, who are not registered and who do not have certificates issued by the TA. The Type II Adversary (A2 ) can obtain the TA’s master secret key and the user’s implicit certificate, but he cannot compromise the user’s secret key or replace her/his target public key. In this case it is reasonable to consider attack scenarios that target certified users, i.e., users who come into possession of a private/public key pair and of explicit certificates before the master key s is known to the adversary. The formal security model of the implicit and explicit certificate-based signature schemes divides potential adversaries by level of attack power and classifies the Type I/II adversary into three types (see Li, J., et al. [23] and Huang, X., et al. [35]): a Normal Adversary, Strong Adversary and Super Adversary. The adversaries are differentiated by the information they must have to obtain valid signatures. A

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

Normal Type I/II Adversary must have the original public key, a Strong Type I/II Adversary must have a public key replaced by himself if he additionally submits the secret value corresponding to the replaced public key and a Super Type I/II Adversary must only have the replaced public key. The most powerful attacks are made by the Super Type I/II Adversary, who may issue the following queries: • Create-User-Query. This oracle takes as input query ID. When user identity ID has already been created, nothing is carried out by the oracle. Otherwise, challenger C runs algorithms Create-User used to obtain secret value sID and public key P kID . Next, the oracle adds hID, sID , P kID i to the LU list, which is initially empty. In this case, the user with identity ID is said to be created. In both cases the oracle returns P kID . • Public-Key-Replacement-Query. When ID is created, 0 the oracle takes as input query (CIID , P kID , P kID ), finds user ID in list LU and replaces original user’s 0 public key P kID with P kID . Otherwise, no action is taken. Note that the adversary is not required to provide 0 secret value sID . • Corruption-Query. This oracle takes as input query ID. It browses list LU and when ID denotes the identity that has been created, the oracle outputs secret key sID . • Implicit-Cert-Gen-Query. With the input of identity index (CIID , P kID ), this oracle returns implicit certificate Sk ID whenever a user with identity index (CIID , P kID ) has been created. Otherwise, symbol ⊥ is returned. • Explicit-Cert-Gen-Query. For a certificate request for a user with identity index (CIID , P kID ), this oracle returns explicit certificate CertID and two additional 00 0 components (RID , RID ). When a user with CIID .ID is not created (this notation denotes field ID of the user’s certificate information CI), symbol ⊥ is returned. • Super-Sign-Query. When ID has not been created, the oracle returns ⊥. Otherwise, it takes as input query 00 0 (m, CIID , P kID , RID , RID ) where m denotes the message to be signed, and then it returns valid signature σID such that Verify (params, m, σID , CIID , P kID , 0 00 RID , RID , CertID ) → true. In this instance, P kID is a current public key of user ID in list LU and it can be replaced by the adversary or returned from oracle CreateUser-Query. B. Games played against a Super Type I/II Adversary To investigate the existential unforgeability of the IE-CBSkCAA scheme when subjected to a Super Type I/II Adversary (A1 / A2 ) we can now define two games (Game I and Game II) played between challenger C and the two types of adversaries (A1 and A2 , respectively). Game I. This game is played between challenger C and adversary A1 under an adaptively chosen message and user identity ID. Setup. Challenger C executes algorithm Setup (1k ) → (s, params) in the IE-CBS-kCAA scheme to obtain public parameter params and master secret key s. Adversary A1 is given params, challenger C keeps master secret key s secret.

5

Queries. In this phase, A1 can adaptively submit queries to the following oracles defined in Section IV-A: CreateUser-Query, Implicit-Cert-Gen-Query, Explicit-CertGen-Query, Public-Key-Replacement-Query, CorruptionQuery and Super-Sign-Query. Forgery. Eventually, after some or all queries are made, ˆ wˆ1 , wˆ2 , E), ˆ ID, adversary A1 outputs forgery (m, ˆ σ ˆ = (h, 0 00 ˆ ˆ CIID , m, P kID , RID , RID , CertID ). Constrains. Adversary A1 wins the game when the forgery satisfies the following requirements: (a) σ ˆ is a valid signature given with message m ˆ under public key P kID and explicit certificate CertID , i.e., Verify ˆ0 , R ˆ 00 , CertID ) → (params, m, ˆ σ ˆ , CIID , P kID , R ID ID true. Here, P kID is chosen by A1 and may not be the one returned by the Create-User-Query oracle. (b) (ID, P kID ) has never been submitted to Implicit-CertGen-Query and Explicit-Cert-Gen-Query oracles. ˆ0 , R ˆ 00 ) has never been submitted (c) (m, ˆ CIID , P kID , R ID ID to oracle Super-Sign-Query. The chance of an adaptive chosen message and adversary A1 with chosen identity index (ID, P kID ) wins the above A1 game is defined as AdvIE−CBS−kCAA . Game II. In this Game adversary A2 with chosen identity index (ID, P kID ) interacts with its challenger C under an adaptively chosen message. Setup. Challenger C executes algorithm Setup (1k ) → (s, params) in the IE-CBS-kCAA scheme to obtain public parameter params and master secret key s. C then sends (params, s) to adversary A2 . Queries. In this phase, adversary A2 and can adaptively access the following oracles: Create-User-Query, Public -Key-Replacement-Query, Corruption-Query and SuperSign-Query. Oracles Implicit-Cert-Gen-Query and ExplicitCert-Gen-Query are not accessible and are no longer needed because adversary A2 , which holds master key s, can generate all user partial keys and certificates. Forgery. At the end of this phase, after some or all queries are made, adversary A2 outputs forgery (m, ˆ σ ˆ = ˆ wˆ1 , wˆ2 , E), ˆ 00 , CertID ). ˆ ID, CIID , m, P kID , R ˆ0 , R (h, ID ID Constrains. Adversary A2 wins the game when the forgery satisfies the following requirements: (a) σ ˆ is a valid signature sent with message m ˆ under public key P kID and explicit certificate CertID , i.e., Verify ˆ0 , R ˆ 00 , CertID ) → (params, m, ˆ σ ˆ , CIID , P kID , R ID ID true. Here, P kID is the output returned by the CreateUser-Query oracle for ID. (b) ID has never appeared as a Corruption-Query. ˆ0 , R ˆ 00 ) has never been submitted (c) (m, ˆ CIID , P kID , R ID ID to oracle Super-Sign-Query In this game, adversary A2 may call the Public-KeyReplacement-Query oracle and obtain all secrets corresponding to identity indices other than (ID, P kID ). The success probability of an adaptive chosen message and adversary A2 with chosen identity index (ID, P kID ) wining A2 the above game is defined as AdvIE−CBS−kCAA . Definition 6: An implicit and explicit certificate signature scheme IE-CBS-kCAA offers existential unforgeability against

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

6

chosen message attacks (EUF-IECBS-kCAA-CMA) when no probabilistic polynomial-time adversary has a non-negligible probability of winning Games I and II. V. N EW IMPLICIT AND EXPLICIT CERTIFICATE - BASED SIGNATURE SCHEME IE-CBS- K CAA The IE-CBS-kCAA scheme contains seven polynomial time algorithms: Setup, Create-User, Implicit-Cert-Gen, Explicit-Cert-Gen, Set-Private-Key, Sign and Verify. A detailed description of all algorithms of the IE-CBS-kCAA scheme is presented below: 1) Setup: the system parameters are params = {G1 , G2 , GT , eˆ, P, P0 , Q, Q0 , H1 , H2 } where |G1 | = |G2 | = |GT | = p for some prime number p ≥ 2k (k is the system security number), where (P, Q) are generators of respectively G1 and G2 such that eˆ(P, Q) = g, P0 = sP and where Q0 = sQ for system master public keys with master secret key s ∈ Zp∗ , H1 , H2 : Γ × {0, 1}∗ → Zp are two secure cryptographic hash functions. Γ × {0, 1}∗ is a string space that can be used to define a user with identity ID. In the cases discussed, when ID includes more information than the identity, we denote it as CI (Certificate Information). 2) Create-User (params, IDs ): user IDs chooses a random number sIDs ∈ Zp∗ , sets sIDs as the secret key and produces corresponding public key P kIDs = sIDs P ; the resulting public key is widely and freely distributed, e.g., the TA publishes it in its public repository. 3) Implicit-Cert-Gen (params, s, IDs , P kIDs ): for IDs , with an S identity, his public key is P kIDs , and trusted authority TA: a) composes the user’s certificate information CIIDs , including the TA’s public keys (P0 , Q0 ), identifiers IDs and IDT A of user S and the TA, respectively, and the time period τ for which information CIIDs is valid; 0 b) randomly selects rIDs ∈ Zp∗ and computes (RIDs , 00 RIDs ) = (rIDs P, rIDs Q); 0 00 c) for P kIDs and (RIDs , RIDs ) generates S partial private key (an implicit certificate) as: Sk IDs =

1 Q s + rIDs qIDs

(6)

0

” where qIDs = H1 (CIIDs , P kIDs , RIDs , RID ) and s transmits it to user S secretly; in addition, TA sends 0 00 (RIDs , RIDs , CIIDs ). 4) Explicit-Cert-Gen (params, s, IDs , rIDs ,qIDs ): TA generates explicit certificate CertIDs for signer S using parameters received from S and values calculated during the execution of the Implicit-Cert-Gen algorithm: a) TA generates the explicit certificate for entity S, which binds its identity to public key components:

CertIDs =

1 s + rIDs qIDs

b) TA sends CertIDs to entity S.

P

(7)

5) Set-Private-Key (params, CIIDs ,sIDs , P kIDs , 0 00 RIDs , RIDs , Sk IDs ): user S checks whether 0 eˆ(qIDs RID + P0 , Sk IDs ) = eˆ(P, Q) = g and then s formulates his private key in as SkIDs = (sIDs , Sk IDs ) . 00 00 6) Sign (params, m, CIIDs , SkIDs , P kIDs , RIDs , RIDs ): to sign message m ∈ {0, 1}∗ , signer S follows the following steps: a) selects two random numbers k1 , k2 ∈R Zp∗ ; b) computes hash value: 0

” ) qIDs = H1 (CIIDs , P kIDs , RIDs , RID s

(8)

then generates signature σ = (h, w1 , w2 , E) where: h = H2 (m, k1 P, U, qIDs )

E=

k1 − k2−1 h Sk IDs k1 h + sIDs

w1 = k1 − hsIDs

(mod p)

w2 = k2 (k1 h + sIDs ) (mod p)

(9)

(10)

(11) (12)

while U = g k1 k2 . c) if in (10) k1 h + sIDs = 0, then steps (a) and (b) are repeated. 00 0 7) Verify (params, m, σ, CIIDs , P kIDs , RIDs , RIDs , CertIDs ): to verify the message-signature-certificate triple, i.e., (m, σ = (h, w1 , w2 , E), CertIDs ), V completes the following steps: a) computes hash qIDs using (8) and values: w2 0 U 0 =ˆ e qIDs RID + P0 , E · s h 00 · eˆ CertIDs , qIDs RIDs + Q0

(13)

k1 P = w1 P + hP kIDs

(14)

b) if (15, 16) are true, then return accept; otherwise, reject. h ≡ H2 (m, k1 P , U 0 , qIDs )

(15)

00 g ≡ eˆ CertIDs , qIDs RIDs + Q0

(16)

A. Correctness of the IE-CBS-kCAA scheme Assume that digital signature σ and explicit certificate CertIDd have been generated using the Sign and ExplicitCert-Gen algorithms, respectively. Therefore, σ is a valid

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

7

signature sent with message m because it is accepted by verification algorithm Verify: w2 0 U 0 = eˆ qIDs RIDs + P0 , E · (17) h 00 · eˆ CertIDs , qIDs RIDs + Q0 = k2 (k1 h+sIDs ) 0 k1 − k2−1 h · Sk IDs = eˆ qIDs RIDs + P0 , k1 h + sIDs h 00 · eˆ CertIDs , qIDs RIDs + Q0 = 0 = eˆ qIDs RIDs + P0 , (k1 k2 − h)Sk IDs · h 00 · eˆ CertIDs , qIDs RIDs + Q0 = 1 = eˆ (s + rIDs qIDs )P, (k1 k2 − h) Q · s + rIDs qIDs 1 · eˆ P, h(s + rIDs qIDs )Q = s + rIDs qIDs = eˆ (P, Q)

k1 k2

=U

Hence, 0

0

h = H2 (m, k1 P , U , qIDs ) = = H2 (m, w1 P + hP kIDs , U, qIDs ) = h

(18)

Moreover, it is now easy to demonstrate the correctness of the explicit certificate: 0

00

g = eˆ(CertIDs , qIDs RID + Q0 ) = 1 P, (s + rIDs qIDs )Q = = eˆ s + rIDs qIDs = eˆ (P, Q) = g

(19)

B. IE-CBS-kCAA scheme modification Any certificate-based signature scheme contains an implicit certificate that is a part of a user’s private key. Hence, it seems natural to modify any particular signature scheme based on both explicit and implicit certificates and to reduce it to an implicit certificate-based signature scheme Assume that in our case we remove the Explicit-CertGen algorithm from the IE-CBS-kCAA scheme. The resulting scheme is a new scheme based on an implicit certificate (ICBS-kCAA scheme in short). The introduced change requires one to remove certificate verification from algorithm Verify and to modify equation (13) as follows: w 2 0 h U 0 = eˆ qIDs RIDs + P0 , E eˆ (P, Q) (20) These changes simplify signature verification. Moreover, when users use a full version of the IE-CBS-kCAA scheme, in some cases (when acceptable, e.g., in a closed trust zone), the signature verification can be performed as follows: 0

h ≡H2 (m, w1 P + hP kIDs , eˆ(qIDs )RIDs + h

+ P0 , E)w2 eˆ (P, Q) , qIDs ) where qIDs is defined in (8).

(21)

C. Security analysis We prove the security of the IE-CBS-kCAA scheme by reducing the security level from higher-level construction to lower-level primitive. More precisely, we remove the adversary by breaking the protocol into an algorithm that can solve the respective k-mCAA or a discrete logarithm (DL) problem with non-negligible probability. In our reductions, we use the general forking lemma, proposed by Bellare and Neven [36], similar to [31]. We briefly recall this using Lemma 1 (see also [37], [38]). Lemma 1 (General Forking Lemma [37]). Fix integer γ ≥ 1 and set H of size |H| ≥ 2. Let B (Algorithm B is simply a wrapper that takes as explicit input answers to the random oracles) be a randomized algorithm that on input x, h1 , ..., hγ returns pair (J, σ) where J ∈ {0, 1, ..., γ} and σ are referred to as the side output. Let IG be a randomized algorithm refereed to as the input generator. Let acc = P rbJ ≥ 1 : x ∈R IG h1 , ..., hγ ∈R H; (J, σ) $ B(x, h1 , ..., hγ )c be the ← − accepting probability of B. Forking game FB associated with B proceeds as follows: Algorithm FB (x) selects random coins ρ for B h1 , ..., hγ ∈R H; (J, σ) $ B(x, h1 , ..., hγ ; ρ)//Run_0 ← − if (J = 0) then return (0, ⊥, ⊥) 0 0 0 0 hJ , ..., hγ ∈R H; (J , σ ) $ ← − 0 0 B(x, h1 , ..., hJ−1 , hJ , ..., hγ ; ρ) //Run_1 0 0 if (J = J and hJ 6= hJ ) then 0 return (1, σ, σ ) else return (0, ⊥, ⊥) End of Algorithm FB (x) 0 Let gfrk = P rbb = 1 : x ∈R IG; (b, σ, σ ) $ FB (x)c. Then: ← − 1 acc − (22) gf rk ≥ acc γ |H| At the end of Run 0, randomized algorithm B returns σ, the forgery produced by the adversary and J, and the index to the oracle query used by the adversary to forge. In Run 1 algorithm FB launches oracle replay attack by rewinding the input tape to the J-th oracle query and then rerunning adversary A using a different random oracle. Lemma 2. Suppose that hash functions H1 and H2 are random oracles, and that in Game 1 against the IE-CBS-kCAA scheme, adversary A1 facts as an uncertified user. When TypeI adversary A1 has a non-negligible advantage against our IECBS-kCAA scheme, then a reduction R1 solves the k-mCAA problem over group G2 with non-negligible probability: 1 R k−mCAA ≥

2 γ 2 e(qE + 1)2

(23)

where e denotes the base of the natural logarithm, where qE is the upper bound on the number of queries sent to the Implicit-Cert-Gen-Query oracle and where γ = qH2 is the upper bound on the number of queries sent to the H2 -Query oracle.

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

Proof. Similarly, to approach the case given in [31], our reduction proceeds over two phases. First we describe intermediate algorithm B1 (i.e., the wrapper) that interacts with adversary A1 and returns a side output. Second, we show how to build reduction algorithm R1 that launches general forking game FB1 with wrapper B1 . As a result, algorithm R1 is obtained, which includes one pairing equation with one unknown and which returns the correct solution to the k-mCAA problem. The Wrapper Assume that the algorithm B1 is given a random instance 4 = (G2 , p, P, sP, Q, sQ, (r1 q1 +s)−1 Q, ..., (rk qk +s)−1 Q) of k-mCAA problem. The goal is to compute (r∗ q ∗ + s)−1 Q for some q ∗ ∈ / {q1 , ..., qk }, r∗ Q ∈ / {r1 Q, ...,rk Q}, and given q1 , ..., qk ∈ Zp∗ , r1 Q, ...,rk Q, (r1 q1 + s)−1 )P , ..., (rk qk + s)−1 )P . We show that Type I adversary A1 can be converted to algorithm B1 , which can solve a random instance 4 of the kmCAA problem (see Definition 4). Assume also that γ = qH2 and H = Zp . Wrapper B1 takes as arguments a description of group (G1 , G2 , p, P, Q), a challenge (r1 q1 + s)−1 )Q , ..., (rk qk + s)−1 )Q with a set of random elements q1 , ..., qk ∈ Zp∗ and h1 , ..., hγ ∈ Zp∗ , for which B1 responds to the series of queries sent to the H2 -Query hash oracle. It returns a triple (J, σ) where J refers to indices of the target H2 query and where σ is the side output. In addition, adversary A1 ˆ = H2 (m, ˆ kID , U, cˆ) always requests H2 hash of h ˆ w ˆ1 P + hP 00 0 ˆ ˆ ˆ ˆ where U = eˆ(ˆ cRID + P0 , E) eˆ(Cert, cˆRID + Q0 )h , cˆ = 0 00 0 ˆ ˆ ), P kID = sˆID P , R ˆ ,R ˆP H1 (CIID , P kID , R ID = r ID ID 00 ˆ and RID = rˆQ, which outputs as its forgery. To track the index of the current random oracle query, B1 maintains counter ctr, which is initially set to 1, and two tables LH1 and LH2 , manage random oracles H1 and H2 . Wrapper B1 interacts with adversary A1 as described below. Algorithm B1 (4) Initialize. ctr = 0, lists LH1 and LH2 are empty. Setup. B1 sets P and Q as the generators of groups G1 and G2 , respectively and sets master public keys P0 = sP andQ0 = sP (master secret key s is unknown to everyone, including B1 ). Then, B1 defines system parameters params = {G1 , G2 , GT , eˆ, P, P0 , Q, Q0 , H1 , H2 } and sends them to the adversary A1 . Queries: A1 can query the following oracles polynomial number of times. 1) Create-User-Query (params, ID). Suppose a query is made on identity ID and that B1 responds as follows: a) B1 scans list LU with tuples in form hIDi , sIDi , P kIDi i to check whether IDi = ID. If this is the case, the previously defined value P kIDi is returned. b) Otherwise, B1 selects sID ∈R Zp at random and calculates public key P kID = sID P . B1 returns P kID and stores a tuple hIDi , sID , P kID i in the LU list. 0 00 2) H1 -Query (CIIDi , P kIDi , RIDi , RIDi ) Algorithm B1 0 maintains a list LH1 of tuples hCIIDi , P kIDi , RIDi , 00 RIDi , coini , ci , Ci , CertIDi i. On receiving such a query 0 00 on (CIIDi , P kIDi , RIDi , RIDi ), algorithm B1 returns

8

ci directly when LH1 contains a tuple hCIIDi , P kIDi , 0 00 RIDi , RIDi , coini , ci , Ci , CertIDi i. Otherwise: a) if the query is made explicitly by A1 , B1 randomly selects c ∈R Zp∗ and sets coin = Ci = CertIDi =⊥, where ⊥ denotes that these fields are unknown to B1 ; b) otherwise, B1 flips a biased coin that outputs value coin = 1 with a probability of ς and coin = 0 with a probability of 1 − ς (the value of ς will be optimized later); then: i) if coin = 0, it randomly selects a value qj ∈ {q1 , ..., qk } and sets c = qj , C = (rj c + s)−1 Q, 0 CertID = (rj c + s)−1 P , RIDi = rj P and 00 RIDi = rj Q; ii) otherwise, if coin = 1: A) it randomly selects c ∈R Zp∗ and (ri c + s) = t ∈R Zp∗ such that c ∈ / {q1 , ..., qk } and calcu00 −1 lates RIDi = c (tQ − Q0 ); 00 B) if RIDi ∈ {r1 Q, ..., rk Q}, then BI repeats step 0 A and otherwise calculates RIDi = c−1 (tP − −1 P0 ), C = t Q, and CertIDi = t−1 P . 00 0 c) hCIIDi , P kIDi , RIDi , RIDi , coini , ci , Ci , CertIDi i is stored in LH1 and c is output as the answer. 0 3) H2 -Query (m, k1 P, U, H1 (CIIDi , P kIDi , RIDi , 00 RIDi )). Algorithm B1 maintains a list LH2 of tuples hmi , (k1 P )i , Ui , ci , ctri , w2,i , hi i. In this instance (mi , k1 P, U, c) where c = 00 0 H1 (CIIDi , P kIDi , RIDi , RIDi ). This is the query to H1 -Query with h being the corresponding output. 00 0 B1 runs H1 -Query (CIIDi , P kIDi , RIDi , RIDi ) and obtains requested hash value c. For each request made on (m, k1 P, U, c), algorithm B1 returns hi directly when LH2 contains tuple hmi , (k1 P )i , Ui , ci , ctri , w2,i,hi i. Otherwise, B1 returns h = hctr as the output, adds tuple hmi , k1 P, U , c, ctr, ⊥, hi to LH2 and increments ctr by one. 0 4) Public-Key-Replacement-Query (ID, P kID , P kID ). For a public key replacement query: a) B1 tries to find a tuple hIDi , sIDi , P kIDi i in the LU list such that IDi = ID and P kIDi = P kID . When this does not exist, B1 outputs ⊥. b) Otherwise, B1 replaces hIDi , sIDi , P kIDi i with 0 hIDi , ⊥, P kIDi i. Here, the secret value related to the new public key is not needed to replace the public key. 5) Corruption-Query (ID). For corruption query ID, B1 will check list LU . When the user with identity ID is registered, B1 tries to find a tuple hIDi , sIDi , P kIDi i and returns sIDs i to A1 . If this is not the case, B1 selects a random number sID ∈R Zp , sets P kID = sID P , adds hID, sID , P kID i to the LU list and returns sIDi to A1 . 6) Implicit-Cert-Gen-Query (ID, P kID ). At any time, A1 or B1 (see Super-Sign-Query and Explicit-Cert-Gen-Query) can query this oracle based on identity ID and public key P kID . a) On the Implicit-Cert-Gen-Query for ID, B1 first checks list LU . When a user with ID is not created, B1 returns ⊥.

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

9

0

b) Now, B1 tries to find tuple hCIIDi , P kIDi , RIDi , 00 RIDi , coini , ci , Ci , CertIDi i in LH1 that fulfils the following conditions: CIIDi .ID = ID, P kIDi = P kID and coini 6= ⊥. If such a tuple exists, then BI : i) if coin = 1, failure (denoted by E1 ) is output and stops, because it is not allowed to answer the query; 0 00 ii) otherwise, it outputs (Ci , RIDi , RIDi , CIIDi ); c) Otherwise, B1 i) composes ID user’s certificate information CIID ; ii) runs H1 -Query (CIID , P kID , ⊥, ⊥) and repeats step (b). 7) Explicit-Cert-Gen-Quer (CIID , P kID ). Upon receiving such a query on identity ID with certificate information CIID and public key P kID : a) B1 first checks list LU . If a user with CIID .ID is not created, B1 returns ⊥. 0 00 b) If there is a tuple hCIIDi , P kIDi , RIDi , RIDi , coini , ci , Ci , CertIDi i in LH1 such that CIIDi .ID = ID, P kIDi = P kID and coini 6= ⊥, and B1 outputs 00 0 a tuple (CertIDi , RIDi , RIDi , CIIDi ). c) Otherwise, B1 runs H1 -Query (CIID , P kID , ⊥, ⊥) and repeats step (b). 8) Super-Sign-Query (m, CIID , P kI D). For a sign query, B1 outputs ⊥ if a user with CI.ID has not been created. Otherwise: 00 0 a) if there is no a tuple hCIIDj , P kIDj , RIDj , RIDj , coinj , cj , Cj , CertIDj i in LH1 such that CIIDi .ID = ID, P kIDi = P kID and coinj 6= ⊥, B1 runs H1 Query (CIID , P kID , ⊥, ⊥); b) next, B1 calculates the signature as follows: i) it sets c = cj , Cert = CertIDj ; ii) it selects w1 , w2 ∈R Zp∗ and E ∈R G1 at random and sets h = hctr ; 0 iii) and it then computes U = eˆ(cRIDj + 00 P0 , E)w2 eˆ(Cert, cRIDj +Q0 )h and k1 P = w1 P + hP kID ; c) B1 tries to find tuple (m, k1 P, U, c) in the LH2 list; if such a tuple appears in tuple hm, (k1 P )i , Ui , cj , ctri , ww,i , hi i of the LH2 list, i.e., m = mi , k1 P = (k1 P )i , U = Ui and c = cj , B1 increment index ctr by one and repeats from step (b) and point (ii); d) B1 adds tuple hm, k1 P , U, c, ctr, w2 , hi to LH2 and increments ctr by one; 0 e) B1 returns tuple (m, σ = (h, w1 , w2 , E), P kID , RIDj , 00 RIDj , Cert) to A1 , where σ denotes the signature given on message m. Note that the user’s secret value is not used by the sign query oracle, rendering it a Super-Sign oracle. Output. At the end of the game, a successful adversary ˆ wˆ1 , wˆ2 , E), ˆ P kID , R0 , outputs a valid forgery (m, ˆ σ ˆ = (h, ID 00 0 00 RID , CertID ) for (m, ˆ CIID , P kID , RID , RID ). Hence, ˆ = H2 (m, ˆ kID , U, cˆ), where U = we have h ˆ wˆ1 P + hP 0 00 ˆ ˆ ˆ ˆ eˆ(ˆ cRID + P0 , E) eˆ(Cert, cˆRID + Q0 )h , cˆ = H1 (CIID , 0 00 0 ˆ ˆ ˆ ˆ 00 = P kID , RID , RID ), P kID = sˆID P , RID = rˆP and R ID

rˆQ. In this instance, P kID is chosen by A1 and may not be the one returned by the oracle Create-User-Query. In addition, (ID, P kID ) and (m, ˆ CIID , P kID ) have never appeared as Implicit-Cert-Gen-Query, Explicit-Cert-Gen-Query or SuperSign-Query queries, respectively. Let hCIID , P kID , Rˆ0 , Rˆ00 , ctri , coin, cˆ, ⊥, ⊥i and hm, ˆ ˆ kID , U, cˆ, ctrj , wˆ2 , hi ˆ be the respective tuples of wˆ1 P + hP LH1 and LH2 that correspond to the target valid forgery σ ˆ. ˆ cˆ, U , E, ˆ P kID , Hence, wrapper B1 returns (ctrj , coin, h, ˆ0 , R ˆ 00 , CertID )) as its output. R ID ID ˆ wˆ2 , cˆ, U , Note that side-output σ consists of (coin, h, 0 00 ˆ ˆ ˆ E, P kID , RID , RID , CertID ). If tuple (m, ˆ wˆ1 P + ˆ kID , U, cˆ) has not been queried to random oracle H2 hP Query, B1 will issue this query itself to ensure that tuples hCIID , P kID , Rˆ0 , Rˆ00 , ctri , coin, cˆ, ⊥, ⊥i and hm, ˆ wˆ1 P + ˆ kID , U, cˆ, ctrj , wˆ2 , hi ˆ are listed on respective lists LH and hP 1 LH2 (here we use an approach similar to that used in [35], [39]). Remark. When an adversary outputs an invalid forgery, B1 outputs failure (denoted by E2 ) and aborts. End of Algorithm B1 (4) Reduction algorithm R1 Now we can show how to build reduction algorithm R1 that can exploit the general-forking algorithm associated with the above wrapper B1 . Let 4 = (G2 , p, Q, sQ, (r1 q1 + s)−1 Q, ..., (rk qk + s)−1 Q) be the given k-mCAA problem. Reduction algorithm R1 invoke general-forking algorithm FB1 to solve the k-mCAA problem. It runs FB1 on challenge 4, with H2 -Query involved in the replay attack. If FB1 fails, R1 aborts outputs failure (denoted by E2 ) and stops. On the other hand, if FB1 is successful, R1 returns a set of two valid sideoutputs as two unknowns and solves it Sk = (r∗ q ∗ + s)−1 Q, where q ∗ ∈ / {q1 , ..., qk } and r∗ Q ∈ / {r1 Q, ..., rk Q}. It can be verified that R1 really returns the correct solution to the k-mCAA problem. Algorithm R1 (4) (b, {σ0 , σ1 }) $ FB1 (4) ← − if (b == 0) then return 0 // Event E3 ˆ i , wˆ2i , cˆi , U ˆi , E ˆi , P k, Rˆ0 , Rˆ00 , Cert) parse σi as (βˆi , h ˆ ˆ ˆ ˆ0 = U ˆ1 and cˆ0 = cˆ1 let β = β0 = β1 , U if βˆ == 1 then ˆ0 − h ˆ 1 )−1 (wˆ2,0 E ˆ0 − wˆ2,1 E ˆ1 ) return Sk = (h otherwise return 0 // Event E4 End of Algorithm R1 (4) Correctness of the solution to the k-mCAA problem If the multiple-forking algorithm FB1 does not fail, R1 obtains two sets of side-outputs σ0 and σ1 where σi (for ˆ i , wˆ2,i , cˆi , U ˆi , E ˆi , P k, R ˆ0 , R ˆ 00 , i = 0, 1) is written as (βˆi , h ID ID Cert). To measure this phenomenon, compare output σ from ˆ0 = U ˆ1 , βˆ0 = βˆ1 , wrapper B1 . Additionally, we assume that U 0 ˆ cˆ0 = cˆ1 , P k = sˆID P , R = rˆQ P . R1 outputs failure (denoted by E4 ) and stops, if βˆ is equal to 0. Algorithm R1 obtains two valid signature forgeries σˆi = ˆ i , wˆ1,i , wˆ2,i , E ˆi , P k, R ˆ0 , R ˆ 00 , Cert), (i = 0, 1) for (m, ˆ h ID ID the same message m, ˆ public key P k, explicit certificate Cert 0 00 ˆ , R ˆ ). Based on two sets of side-outputs σ0 and and (R ID ID σ1 the following equation is applied:

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

wˆ2,0 hˆ 0 ˆ 0 + P0 , E ˆ0 ˆ 00 + Q0 eˆ cˆR eˆ Cert, cˆR = 0 wˆ2,1 hˆ 1 ˆ + P0 , E ˆ1 ˆ 00 + Q0 = eˆ cˆR eˆ Cert, cˆR

10

(24)

P r[¬E4 |¬E3 ] = ζ 2

By making suitable arrangements, the equation (24) can be converted into the following form: 0 ˆ 0 Sk = ˆ + P0 , w ˆ0 + h eˆ cˆR ˆ2,0 E 0 ˆ 1 Sk ˆ + P0 , w ˆ1 + h = eˆ cˆR ˆ2,1 E

(25)

1 (r∗ cˆ +

s)

Q=

ˆ0 − w ˆ1 ) (w ˆ2,0 E ˆ2,1 E ˆ ˆ (h0 − h1 )

(26)

where cˆ ∈ / {q1 , ..., gk } and rˆQ ∈ / {r1 Q, ..., rk Q} Probability analysis The probability that algorithm R1 solves the k-mCAA problem remains to be computed. According to the simulation, algorithm R1 can calculate value Sk when and only when the following events occur: ¬E1 : B1 does not fail during the simulation, ¬E2 : A1 outputs a valid forgery, ¬E3 : FB1 does not fail, ¬E4 : R1 does not fail, i.e., in interaction with adversary A1 outputs two valid forgeries with a coin value βˆ of 1. We denote the probability at which FB is successful during the first run as acc1 . As FB1 is successful during the first run when no aborting occurs during the query phase (event E1 does not occur) and as adversary A1 produces a valid forgery (event E2 does not occur), we have: acc1 ≥ P r[¬E1 ∧ ¬E2 ] = P r[¬E1 ]P r[¬E2 , ¬E1 ]

(27)

Event E1 occurs only when A1 makes an implicit certificate extract query using an identity with coin = 1 (see ImplicitCert-Gen-Query). Therefore, P r[¬E1 ] = (1 − ζ)qE

(28)

In addition, the probability of adversary A1 producing a valid forgery when event E1 does not occur is equal to P r[¬E2 |¬E1 ] = ε. Now, if events E3 and E4 do not occur, then the advantage of the algorithm R1 in solving k-mCAA problem is: P r[¬E3 ∧ ¬E4 ] = P r[¬E3 ]P r[¬E4 , ¬E3 ]

(29)

Let gf rk be the probability at which FB1 is successful. As event E4 occurs when FB1 fails, we have: P r[¬E3 ] = gf rk

(32)

Finally, derived from R1 being successful in solving the k-mCAA problem can be calculated as follows: (1 − ζ)qE ε 1 R1 2 qE − (33) εk−mCAA ≥ ζ (1 − ζ) ε γ p Assuming that p >> 1, the above expression is maximized at ζ = 1/(1 + qE ). Therefore:

Finally, we obtain the solution to the k-mCAA problem (see Definition 4): Sk =

The probability that event E4 does not occur, when event E3 has not occurred, is the same as the probability at which coin value βˆ of valid forgeries is not equal to 0. Thus:

(30)

From the general-forking lemma (see Lemma 1) for γ = qH2 and |H| = p, we have: 1 (1 − ζ)qE ε 1 acc1 qE − ≥ (1 − ζ) ε − gf rk ≥ acc1 γ p γ p (31)

2qE 2 ε 2 (1 − ζ) 1 εR ≥ ζ = (34) k−mCAA γ 2qE 2 1 ε 1 ε2 1 − = ≥ (qE + 1)2 qE + 1 γ γe(qE + 1)2 )

where e is the base of the natural logarithm. This ends the proof. Now, for Game 2 applied to the Super Type 2 adversary where the adversary models the certified entities, we demand that signers are honest and that their tuples (ID, P kID , CertID ) have been registered with the TA. For this assumption, the following lemma can be demonstrated using the random oracle model: Lemma 3. Suppose that hash functions H1 and H2 are random oracles and that in Game 2 against the IE-CBS-kCAA scheme, adversary A2 models the certified users. If Type-II adversary A2 has a non-negligible advantage ε against our IE-CBS-kCAA scheme, then reduction R2 solves the DL problem for group G1 with non-negligible probability: εk−mCAA ≥

ε2 γe((qR + qC ) + 1)2

(35)

where e denotes the base of the natural logarithm where qR and qC denote the upper bound on the number of respective queries sent to Public-Key-Replacement-Query and Corruption-Query oracles where γ = qH2 is the upper bound on the number of queries sent to the H2 -Query oracle. Proof. As shown in algorithm R1 (see Lemma 2), we first describe wrapper B2 and then show how the reduction R2 involves invoking the FB2 algorithm on wrapper B2 to solve the DL problem. Algorithm R2 is given a random instance of the DL problem 4 = (G1 , p, P, αP ) for αP ∈ P kcert where P kcert is a set of users’ public keys P kID that were certified before the TA’s master secret key was compromised. The Wrapper Suppose that γ = qH2 and H = Zp . Wrapper B2 takes as arguments as challenge Pα = αP with α ∈ Zp and a set of random elements h1 , ..., hγ ∈ Zp . It returns a pair (J, σ) where J refers to the target H2 query and where σ is the side output. Algorithm B2 maintains counter ctr initially set to 1 and two tables LH1 and LH2 to manage the respective random H1 and H2 oracles. Algorithm B2 simulates the oracles and interacts with forger A2 as described below. In addition, adversary A2 ˆ = H2 (m, ˆ kID , U, cˆ), always requests a H2 hash of h ˆ wˆ1 + hP which it outputs as its forgery (see wrapper B1 ).

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

All oracles are simulated by wrapper B2 . However, unlike wrapper B1 for the Super Type 1 adversary, there are no Implicit-Cert-Gen-Query and Explicit-Cert-Gen-Query oracles. Algorithm B2 (4) Initialize. ctr = 0; lists LH1 and LH2 are empty. Setup. B2 sets P and Q as generators of groups G1 and G2 , respectively, and sets master public keys P0 = sP and Q0 = sP where s is a random number in Zp∗ . Next, B2 defines system parameters params = {G1 , G2 , GT , eˆ, P, P0 , Q, Q0 , H1 , H2 } and sends them to adversary A2 . Queries: A2 can query the following oracles over polynomial number of times. 1) Create-User-Query (params, ID). Suppose that a query is made on identity ID, B2 responds as follows: a) B2 scans list LU containing tuples hIDi , sIDi , P kIDi , coini i to check whether IDi = ID. when this is the case, the previously defined value P kIDi is returned. b) Otherwise, B2 flips a biased coin that outputs value coin = 1 with a probability of ζ or coin = 0 with a probability of 1 − ζ (a value of ζ is optimized later), and then: i) if coin = 0, sID ∈R Zp is selected at random and public key P kID = sID P is calculated; ii) otherwise, if coin = 1, value P kID ∈ P Kcert is randomly selected; iii) P kID is returned to A2 and tuple hIDi , ⊥, P kIDi , coini i is stored in the LU list. 00 0 2) H1 -Query (CIIDi , P kIDi , RIDi , RIDi ) Algorithm B2 0 maintains a list LH1 of tuples hCIIDi , P kIDi , RIDi , 00 RIDi , ci i. Upon receiving a query on (CIIDi , P kIDi , 00 0 RIDi , RIDi ), algorithm B2 returns ci directly, when 0 00 LH1 contains a tuple hCIIDi , P kIDi , RIDi , RIDi , ci i. Otherwise B2 randomly selects c ∈R Zp∗ , stores it in a 00 0 new tuple hCIIDi , P kIDi , RIDi , RIDi , ci and returns c. 0 3) H2 -Query (m, k1 P, U, H1 (CIIDi , P kIDi , RIDi , 00 RIDi )). Algorithm B2 maintains a list LH2 of tuples hmi , (k1 P )i , Ui , ci , ctri , w2,i,hi i. In this instance 0 (mi , k1 P, U, c), where c = H1 (CIIDi , P kIDi , RIDi , 00 RIDi ) is the query sent to H2 -Query with h being the corresponding output. B2 runs H2 -Query 0 00 (CIIDi , P kIDi , RIDi , RIDi ) and requests hash value c. Upon receiving a query on (m, k1 P, U, c), algorithm B2 returns hi directly when LH2 contains tuple hmi , (k1 P )i , Ui , ci , ctri , w2,i,hi i. Otherwise, B2 returns h = hctr as the output, adds a new tuple hmi , k1 P, U, c, ctr, ⊥, hi to LH2 and increments ctr by one. 0 4) Public-Key-Replacement-Query (ID, P kID , P kID ). For a public key replacement query: a) B2 tries to find a tuple hIDi , sIDi , P kIDi , coini i from list LU list such that IDi = ID and P kIDi = P kID . If one does not exist, B2 outputs ⊥. b) otherwise, B2 replaces hIDi , sIDi , P kIDi , coini i with 0 hIDi , ⊥, P kIDi , coini i. Here, the secret value corre-

11

sponding to the new public key is not needed to replace the public key, c) otherwise, B2 outputs failure (denoted by E11 and aborts. 5) Corruption-Query (ID). For corruption query ID, B2 checks for tuples hIDi , sIDi , P kIDi ,coini i in list LU . If such a tuple exits (i.e., ID = IDi ) and when coin = 1, B2 outputs failure (denoted by E11 ) and terminates the simulation. Otherwise, B2 returns sID to A2 . When a user with identity ID is not registered, B2 runs CreateUser-Query (params, ID) and outputs failure (coin = 1) or sID to A2 . 0 00 6) Super-Sign-Query (m, CIID , P kID , RID , RID ). On a sign query, B2 outputs ⊥ when a user with CI.ID has not been created. Otherwise: 0 00 a) if there is no tuple hCIIDj , P kIDj , RIDj , RIDj , cj i in LH1 such that CIIDj = CIID , P kIDj = P kID , 0 0 00 00 RIDj = RID and RIDj = RID , B2 runs H1 -Query 00 0 (CIID , P kID ,RID , RID ); b) next, B2 calculates the signature as follows: i) it sets c = cj , Cert = CertIDj ; ii) it selects w1 , w2 ∈R Zp∗ and E ∈R G1 at random and sets h = hctr ; 0 iii) it computes U = eˆ(cRID + P0 , E)w2 eˆ(Cert, 00 cRID + Q0 )h and k1 P = w1 P + hP kID ; c) B2 tries to find tuple (m, k1 P, U, c) in the LH2 list; when such a tuple appears in tuples hm, (k1 P )i , Ui , cj , ctri , w2,i , hi i of the LH2 list, i.e., m = mi , k1 P = (k1 P )i , U = Ui and c = cj , B2 increments index ctr by one and repeats from step (b) point (ii); d) B2 adds tuple hm, k1 P , U, c, ctr, w2 , hi to LH2 and increments ctr by one; 0 e) B2 returns tuple (m, σ = (h, w1 , w2 , E), P kID , RID , 00 RID , Cert) to A2 where σ denotes the signature given on a message m. Output. At the end of the simulation, successful adversary ˆ wˆ1 , wˆ2 , E), ˆ P kID , A2 outputs valid forgery (m, ˆ σ ˆ = (h, 00 0 00 0 ˆ CIID , P kID , RID , RID ), where RID , RID , CertID ) for (m, P kID is user ID original public key, as A2 is not allowed to replace the user’s public key. Let hID, ⊥, P kID , coini, 0 00 ˆ kID , U, ctrj , hi ˆ hCIID , P kID , RID , RID )i and hm, ˆ wˆ1 P +hP be respective tuples of LU , LH1 and LH2 that correspond to target valid forgery σ ˆ . Hence, wrapper B2 returns (ctrj , (coin, 0 ˆ ˆ ˆ 00 )) as its output. Note, that sideh, cˆ, U , E, P kID , RID , R ID ˆ cˆ, U , E, ˆ wˆ1 , P kID , R ˆ0 , R ˆ 00 ). output σ includes (coin, h, ID ID Remark. When an adversary outputs an invalid forgery, B2 outputs failure (denoted by E2 ) and aborts. End of Algorithm B2 (4) Reduction algorithm R2 Let 4 = (G1 , p, P , αP for αP ∈ P kcert be a given DL problem. Reduction algorithm R2 invokes general-forking algorithm FB2 to solve a DL problem. It runs FB2 on master public key P0 and on 4 with H1 -Query and H2 -Query involved in the replay attack. When FB2 fails, R2 aborts outputs failure (denoted by E4 ) and halts. Conversely, when FB2 is successful, R2 returns a set of two valid side-outputs

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

12

into two unknowns and solves for α. It can be verified that R2 indeed returns the correct solution to the DL problem. Algorithm R2 (4) (b, {σ0 , σ1 }) $ FB2 (4) ← − if (b == 0) then return 0 // Event E3 0 00 ˆ i , cˆi , U ˆi , E ˆi , w parse σi as (βˆi , h ˆ1,i , P k, R , R ) ˆ0 = U ˆ1 and cˆ0 = cˆ1 let βˆ = βˆ0 = βˆ1 , U ˆ if β == 1 then ˆ0 − h ˆ 1 )−1 (w return α = (h ˆ1,0 − w ˆ1,1 ) otherwise return 0 // Event E4 End of Algorithm R2 (4) Correctness of the solution to the DL problem When general forking is successful, R2 obtains two (related) sets of side outputs σ0 and σ1 where σi (for i = 0, 1) is 0 00 ˆ i , cˆi , U ˆi , E ˆi , w written as (βˆi , h ˆ1,i , P k, R , R ). To measure this, compare output σ to wrapper B2 . Additionally, we ˆ0 = U ˆ1 ∧ βˆ0 = βˆ1 ) and P k = αP . R2 outputs assume that (U failure (denoted by E4 ) and stops if βˆ is equal to 0. Based on side outputs σ0 and σ1 , we can build a system of two congruences for unknowns α and k1 : w ˆ1,0 w ˆ1,1

ˆ 0α = kˆ1 + h ˆ 1α = kˆ1 + h

(mod p)

w ˆ1,0 − w ˆ1,1 ˆ0 − h ˆ1 h

(mod p)

(mod p)

(37)

Note that equation (37) is precisely what we obtain as an output of algorithm R2 . Probability analysis According to the simulation, algorithm R2 can calculate value α when and only when the following main events occur: ¬E1 : B2 does not fail during the simulation, ¬E2 : A2 outputs a valid forgery, ¬E3 : FB2 does not fail, ¬E4 : R2 does not fail, i.e., in interaction with adversary ˆ which is A2 outputs two valid forgeries with coin value β, equal to 1. Hence, FB2 is successful during the first run when it is not stopped in the query phase (event E1 does not occur), and adversary A2 produces a valid forgery (event E2 does not occur). The advantage of FB2 is written as: acc2 ≥ P r[¬E1 ∧ ¬E2 ] = P r[¬E1 ]P r[¬E2 , ¬E1 ]

P r[¬E3 ∧ ¬E4 ] = P r[¬E3 ]P r[¬E4 , ¬E3 ]

(40)

Let gf rk be the probability with which FB2 is successful. As event E3 occurs when FB2 fails, we have: P r[¬E3 ] = gf rk

(41)

From the general-forking lemma (see Eq. (22)) for γ = qH2 and |H| = p, we have: 1 acc2 − ≥ (42) gf rk ≥ acc2 γ p 1 (1 − ζ)qR +qC ε− ≥ (1 − ζ)qR +qC ε γ p The probability that event E4 does not occur, when event E3 has not occurred, is the same as the probability with which the coin value βˆ of valid forgeries is not equal to 0. Thus: P r[¬E4 |¬E3 ] = ζ 2

(43)

(36)

From the above equations, α can be solved using the expression given below: α=

Now, the advantage of algorithm R2 in solving DL problem is:

(38)

Event E1 occurs only when: 1) B2 does not output failure E11 during the simulation of Public-Key-Replacement-Query; this occurs for probability (1 − ζ)qR ; 2) B2 does not output failure E12 during the simulation of Corruption-Query; this occurs for probability (1 − ζ)qC ; Therefore: (39) P r[¬E1 ] = (1 − ζ)qR +qC In addition, the probability that of adversary A2 producing a valid forgery when events E1 do not occur is equal to P r[¬E2 |¬E1 ] = ε.

Therefore, chance of R2 being successful in solving the DL problem can be calculated as follows: (1 − ζ)qR +qC 1 2 qR +qC 2 εR ≥ ζ (1 − ζ) ε ε − (44) DL γ p Assuming p >> 1, the above expression is maximized at ζ = 1/(1 + qR + qC ). Therefore: (1 − ζ)2(qR +qC ) ε2 = (45) γ 2qE 2 1 1 ε = ≥ 1− ((qR + qC ) + 1)2 (qR + qC ) + 1 γ ε2 ≥ γe((qR + qC ) + 1)2

2 2 εR DL ≥ ζ

where e is the base of the natural logarithm. This ends the proof. VI. P ERFORMANCE EVALUATION In this section, we compare IE-CBS-kCAA scheme to other existing schemes with similar constructions. Our comparison is based on results presented in [31]. Operations such as those involving: hashing, Zp∗ (inversion, addition, multiplication), multiplication with GT and addition with G1 or G2 are omitted from our efficiency comparison, as these are several orders of magnitude more efficient than pairings, scalar multiplications of G1 or G2 and exponentiations of GT . In Tables I and II, the proposed scheme is compared to other schemes (|G1 | and |Zp | are the bit lengths of an element in G1 and Zp , MG denotes scalar multiplication with G1 or G2 , eˆ is a bilinear pairing on G1 × G1 and PGT denotes exponentiation in GT ). The proposed scheme offers the same level of security as WMSH Scheme II and the IE-CBHS scheme (Table III). The scheme involves employing a comparable number of time-intensive operations when compared to other schemes and is slightly more efficient than the IE-CBHS scheme.

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

13

TABLE I P ERFORMANCE COMPARISON 1/2 ( BASED ON [31]) Scheme

Type

Public Key Size

Signature Size

LHMSW J. Li et al. [23] LHZX J. Li et al. [26] CBSa Kang et al. [21] WMSH Scheme II W. Wu et al. [24] IE-CBHS scheme T. Hyla et al. [31] Proposed IE-CBS-kCAA

I-CBS

|G1 |

2|G1 |

I-CBS

2|G1 |

|G1 |

I-CBS

|G1 |

3|G1 |

I-CBS

|G1 |

|G1 | + 2|Zp |

IE-CBS

|G1 |

|G1 | + 2|Zp |

IE-CBS

|G1 |

|G2 | + 3|Zp |

TABLE II P ERFORMANCE COMPARISON 2/2 ( BASED ON [31]) Scheme

Sign

Verify

LHMSW J. Li et al. [23] LHZX J. Li et al. [26] CBSa Kang et al. [21] WMSH Scheme II W. Wu et al. [24] IE-CBHS scheme T. Hyla et al. [31] Proposed IE-CBS-kCAA

3MG

3ˆ e

MG

eˆ + MG

3MG

3ˆ e + 2MG

eˆ + 4MG

2ˆ e + 3MG

eˆ + 3MG

2ˆ e + 7MG

2MG + PGT

2ˆ e + 6MG

The execution time of the Sign and Verification algorithms was tested using three test computers (1 - Intel Core i7 [email protected],20 GHz, 32GB RAM; 2 - Intel Core i7 [email protected],50 GHz, 12 GB RAM; and 3 - Intel Xeon [email protected],67 GHz, 8GB RAM) using a single thread. The scheme was implemented using a MIRACL library [40] using and Type 3 asymmetric pairing (ate pairing) (MIRACL library: MR PAIRING BLS k=24 curve, AES-256 SECURITY). Time was measured using a C++ chrono library and results are presented as the average of five repetitions. Execution times required for the Sign and Verification algorithms (Table IV) are less than one second when using computers that are several years old; thus, the scheme is suitable for practical use.

TABLE III A DVERSARY TYPES ( BASED ON [31]) Scheme

Security level

LHMSW J. Li et al. [23] LHZX J. Li et al. [26] CBSa Kang et al. [21] WMSH Scheme II W. Wu et al. [24] IE-CBHS scheme T. Hyla et al. [31] Proposed IE-CBS-kCAA

Normal A1 and Normal A2 Normal A1 and Super A2 Strong A1 and Strong A2 Super A1 and Super A2 Super A1 and Super A2 Super A1 and Super A2

TABLE IV S IGN AND

VERIFICATION ALGORITHM EXECUTION TIME

No. of test computer

Sign [ms]

Verify [ms]

1 2 3

120 184 263

381 580 832

VII. C ONCLUSIONS AND FUTURE WORKS The use of the difficult computational k-CAA problem and its various variants to design new cryptographic schemes (including digital signature schemes) has been of interest to many researchers. Most of the proposed schemes have been compromised, which means that designing an encryption scheme based on the k-CAA problem or its variant is still an important research challenge. The IE-CBS-kCAA signature scheme presented in the paper is resistant to the strongest attacks performed by Super Type I/II adversaries (Tab. III). Hence, the adversary following the rules of the game conducted with the challenger in the random oracle model is unable to create a valid signature for any message. It was shown in the paper that such a case is possible only if the challenger with the help of the adversary would be able to solve both the modified Collusion Attack Algorithm with k traitors (k-mCAA), as well as the discrete logarithm problem (DL). In comparison to the analysed signature schemes, the proposed scheme is also computationally effective (Tab. I and II). In particular, the generation of a signature is effective (Tab. IV), which results from the lack of necessity to calculate the value of a bilinear pairing. Computational experiments have also shown that the actual times of signature calculation and verification are acceptable to potential users. The IE-CBS-kCAA signature scheme has interesting property giving users the opportunity to work with an explicit and implicit certificate or with an implicit one only (see: section V.B). We are convinced that this property can be used to extend the scheme by the possibility of effective revocation of the explicit certificate and the implicit one as well. In such a case, the explicit certificate will play the role of a long-term certificate, while the implicit certificate acts as a short-term certificate. This should allow for the solution of a significant practical problem of the validity of an explicit and/or implicit certificate at the time of signing (H. Baier et al. [41]). This problem occurs in traditional PKI infrastructures, but it also appears in non-standard infrastructures with many trusted authorities TA. The solution to this problem will be the subject of our further work. R EFERENCES [1] T. Hyla and J. Peja´s, “A signature scheme based on implicit and explicit certificates against k-traitors collusion attack,” in Computer Information Systems and Industrial Management: 16th IFIP TC8 International Conference, CISIM 2017, Bialystok, Poland, June 16-18, 2017, Proceedings, K. Saeed, W. Homenda, and R. Chaki, Eds. Cham: Springer International Publishing, 2017, pp. 638–651. [2] S. Mitsunari, R. Sakai, and M. Kasahara, “A new traitor tracing,” IEICE Trans., A, vol. 85, no. 2, pp. 481–484, feb 2002. [Online]. Available: http://ci.nii.ac.jp/naid/110003216755/en/

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

[3] L. Chen and Z. Cheng, “Security proof of sakai-kasahara’s identitybased encryption scheme,” in Cryptography and Coding: 10th IMA International Conference, Cirencester, UK, December 19-21, 2005. Proceedings, N. P. Smart, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005, pp. 442–459. [4] N. E. Mrabet and M. Joye, Guide to Pairing-Based Cryptography. Chapman & Hall/CRC, 2016. [5] R. Sakai and M. Kasahara, “Id based cryptosystems with pairing on elliptic curve,” IACR Cryptology ePrint Archive, vol. 2003, 2003. [Online]. Available: http://eprint.iacr.org/2003/054 [6] F. Zhang, R. Safavi-Naini, and W. Susilo, “An efficient signature scheme from bilinear pairings and its applications,” in Public Key Cryptography – PKC 2004: 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, March 1-4, 2004. Proceedings, F. Bao, R. Deng, and J. Zhou, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004, pp. 277–290. [7] M. Scott, “Computing the tate pairing,” in Topics in Cryptology – CTRSA 2005: The Cryptographers’ Track at the RSA Conference 2005, San Francisco, CA, USA, February 14-18, 2005. Proceedings, A. Menezes, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005, pp. 293–304. [8] B. C. Hu, D. S. Wong, Z. Zhang, and X. Deng, “Certificateless signature: a new security model and an improved generic construction,” Designs, Codes and Cryptography, vol. 42, no. 2, pp. 109–126, Feb 2007. [9] P. S. L. M. Barreto, B. Libert, N. McCullagh, and J.-J. Quisquater, “Efficient and provably-secure identity-based signatures and signcryption from bilinear maps,” in Advances in Cryptology - ASIACRYPT 2005: 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, December 4-8, 2005. Proceedings, B. Roy, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005, pp. 515–532. [10] H. Du and Q. Wen, “An efficient identity-based short signature scheme from bilinear pairings,” in 2007 International Conference on Computational Intelligence and Security (CIS 2007), Dec 2007, pp. 725–729. [11] M. Girault, “Self-certified public keys,” in Advances in Cryptology — EUROCRYPT ’91: Workshop on the Theory and Application of Cryptographic Techniques Brighton, UK, April 8–11, 1991 Proceedings, D. W. Davies, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1991, pp. 490–497. [12] S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in 9th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, November 30 December 4, 2003, Proceedings, C. S. Laih, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2003, pp. 452–473. [13] H. Du and Q. Wen, “Efficient and provably-secure certificateless short signature scheme from bilinear pairings,” Computer Standards and Interfaces, vol. 31, no. 2, pp. 390 – 394, 2009. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0920548908000664 [14] C.-I. Fan, R.-H. Hsu, and P.-H. Ho, “Truly non-repudiation certificateless short signature scheme from bilinear pairings,” JOURNAL OF INFORMATION SCIENCE AND ENGINEERING, vol. 27, pp. 969–982, 2011. [15] K. Y. Choi, J. H. Park, and D. H. Lee, “A new provably secure certificateless short signature scheme,” Computers & Mathematics with Applications, vol. 61, no. 7, pp. 1760 – 1768, 2011. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0898122111000897 [16] Y. C. Chen and G. Horng, “On the security models for certificateless signature schemes achieving level 3 security,” IACR Cryptology ePrint Archive 554, vol. 2011. [17] G. Sharma, S. Bala, and A. K. Verma, “On the security of certificateless signature schemes,” International Journal of Distributed Sensor Networks, vol. 9, no. 6, p. 102508, 2013. [18] Y.-C. Chen, R. Tso, G. Horng, C.-I. Fan, and R.-H. Hsu, “Strongly secure certificateless signature: Cryptanalysis and improvement of two schemes.” J. Inf. Sci. Eng., vol. 31, no. 1, pp. 297–314, 2015. [Online]. Available: http://dblp.uni-trier.de/db/journals/jise/jise31.html [19] X. Huang, W. Susilo, Y. Mu, and F. Zhang, “On the security of certificateless signature schemes from asiacrypt 2003,” in Cryptology and Network Security: 4th International Conference, CANS 2005, Xiamen, China, December 14-16, 2005. Proceedings, Y. G. Desmedt, H. Wang, Y. Mu, and Y. Li, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005, pp. 13–25. [20] C. Gentry, “Certificate-based encryption and the certificate revocation problem,” in Advances in Cryptology — EUROCRYPT 2003: International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, May 4–8, 2003 Proceedings, E. Biham, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2003, pp. 272– 293.

14

[21] B. G. Kang, J. H. Park, and S. G. Hahn, “A certificate-based signature scheme,” in Topics in Cryptology – CT-RSA 2004: The Cryptographers’ Track at the RSA Conference 2004, San Francisco, CA, USA, February 23-27, 2004, Proceedings, T. Okamoto, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004, pp. 99–111. [22] J. Li, L. Xu, and Y. Zhang, “Provably secure certificate-based proxy signature schemes,” Journal of Computers, pp. 444–452, 2009. [23] J. Li, X. Huang, Y. Mu, W. Susilo, and Q. Wu, “Certificate-based signature: Security model and efficient construction,” in Public Key Infrastructure: 4th European PKI Workshop: Theory and Practice, EuroPKI 2007, Palma de Mallorca, Spain, June 28-30, 2007. Proceedings, J. Lopez, P. Samarati, and J. L. Ferrer, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2007, pp. 110–125. [24] W. Wu, Y. Mu, W. Susilo, and X. Huang, “Certificate-based signatures revisited,” Journal of Universal Computer Science, vol. 15, no. 8, pp. 1659–1684, 2009. [25] J. K. Liu, F. Bao, and J. Zhou, “Short and efficient certificate-based signature,” in NETWORKING 2011 Workshops: International IFIP TC 6 Workshops, PE-CRN, NC-Pro, WCNS, and SUNSET 2011, Held at NETWORKING 2011, Valencia, Spain, May 13, 2011, Revised Selected Papers, V. Casares-Giner, P. Manzoni, and A. Pont, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2011, pp. 167–178. [26] J. Li, X. Huang, Y. Zhang, and L. Xu, “An efficient short certificatebased signature scheme,” J. Syst. Softw., vol. 85, no. 2, pp. 314–322, Feb. 2012. [Online]. Available: http://dx.doi.org/10.1016/j.jss.2011.08.014 [27] L. Cheng, Y. Xiao, and G. Wang, “Cryptanalysis of a certificate-based on signature scheme,” Procedia Engineering, vol. 29, pp. 2821 – 2825, 2012, 2012 International Workshop on Information and Electronics Engineering. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1877705812004079 [28] Y.-H. Hung, S.-S. Huang, and Y.-M. Tseng, “A short certificate-based signature scheme with provable security,” Information Technology and Control, vol. 45, no. 3, pp. 243–253, 2015. [29] T. Hyla, W. Ma´ck´ow, and J. Peja´s, “Implicit and explicit certificatesbased encryption scheme,” in Computer Information Systems and Industrial Management: 13th IFIP TC8 International Conference, CISIM 2014, Ho Chi Minh City, Vietnam, November 5-7, 2014. Proceedings, K. Saeed and V. Sn´asˇel, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2014, pp. 651–666. [30] T. Hyla and J. Peja´s, “Non-standard certification models for pairing based cryptography,” in Hard and Soft Computing for Artificial Intelligence, Multimedia and Security, S.-y. Kobayashi, A. Piegat, J. Peja´s, I. El Fray, and J. Kacprzyk, Eds. Cham: Springer International Publishing, 2017, pp. 167–181. [31] T. Hyla and J. Peja´s, “A hess-like signature scheme based on implicit and explicit certificates,” The Computer Journal, vol. 60, no. 4, pp. 457–475, March 2017. [32] A. Miyaji, M. Nakabayashi, and S. Takano, “New explicit conditions of elliptic curve traces for fr-reduction,” IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences, vol. 84, no. 5, pp. 1234–1243, may 2001. [Online]. Available: http://ci.nii.ac.jp/naid/110003208926/en/ [33] P. S. L. M. Barreto and M. Naehrig, “Pairing-friendly elliptic curves of prime order,” in Selected Areas in Cryptography: 12th International Workshop, SAC 2005, Kingston, ON, Canada, August 11-12, 2005, Revised Selected Papers, B. Preneel and S. Tavares, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2006, pp. 319–331. [34] S. K. H. Islam and G. P. Biswas, “An efficient and provably - secure digital signature scheme based on elliptic curve bilinear pairings,” Theoretical and Applied Informatics, vol. 24, no. 2, pp. 109–118, 2012. [35] X. Huang, Y. Mu, W. Susilo, D. S. Wong, and W. Wu, “Certificateless signatures: New schemes and security models,” Comput. J., vol. 55, no. 4, pp. 457–474, Apr. 2012. [Online]. Available: http://dx.doi.org/10.1093/comjnl/bxr097 [36] M. Bellare and G. Neven, “Multi-signatures in the plain public-key model and a general forking lemma,” in Proceedings of the 13th ACM Conference on Computer and Communications Security, ser. CCS ’06. New York, NY, USA: ACM, 2006, pp. 390–399. [Online]. Available: http://doi.acm.org/10.1145/1180405.1180453 [37] S. Chatterjee, C. Kamath, and V. Kumar, “Galindo-garcia identity-based signature revisited,” in Information Security and Cryptology – ICISC 2012: 15th International Conference, Seoul, Korea, November 28-30, 2012, Revised Selected Papers, T. Kwon, M.-K. Lee, and D. Kwon, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2013, pp. 456–471. [38] S. Chatterjee and C. Kamath, “A closer look at multiple forking: Leveraging (in)dependence for a tighter bound,” Algorithmica,

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

15

vol. 74, no. 4, pp. 1321–1362, Apr. 2016. [Online]. Available: http://dx.doi.org/10.1007/s00453-015-9997-6 [39] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the weil pairing,” Journal of Cryptology, vol. 17, no. 4, pp. 297–319, Sep 2004. [Online]. Available: https://doi.org/10.1007/s00145-004-0314-9 [40] CertiVox/MIRACL, “Miracl cryptographic sdk: Multiprecision integer and rational arithmetic cryptographic library,” 2017-09-01, 7.0.0. [Online]. Available: https://github.com/CertiVox/MIRACL [41] H. Baier and V. Karatsiolis, “Validity models of electronic signatures and their enforcement in practice,” in Public Key Infrastructures, Services and Applications, F. Martinelli and B. Preneel, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010, pp. 255–270.

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

1

Demonstrably Secure Signature Scheme Resistant to k-Traitor Collusion Attack Tomasz Hyla, Jerzy Peja´s

Abstract—The paper presents the proposal of a new implicit and explicit certificate-based signature scheme (IE-CBS-kCAA scheme) using Sakai-Kasahara’s type keys. The scheme security depends on the computational difficulty of solving the modified Collusion Attack Algorithm with k traitors (k-mCAA problem), reducible in particular cases to the known k-CAA problem. The originality of the scheme consists not only in the formulation and application of a new difficult computational problem, but also in its design to meet the paradigm of public key cryptography based on implicit and explicit certificates. Due to such an approach, the proposed signature scheme can be used in the traditional public key infrastructure with revocation of explicit certificates and in non-standard infrastructures without revocation of implicit certificates. In the paper, the security model is formulated and it is shown that the IE-CBS-kCAA signature scheme is existentially unforgeable against adaptively chosen messages in the random oracle model. Moreover, it results from the comparison of the IE-CBS-kCAA scheme with other signature schemes based on implicit and/or explicit certificates that its computational efficiency is at a similar level. Computational tests have also shown that the scheme can be used in practice. Index Terms—signature scheme, implicit and explicit certificates-based public key cryptography, bilinear pairing, security analysis, k-CAA problem

I. I NTRODUCTION The idea of the Collusion Attack Algorithm with k traitors is simple. Let us assume that any group of users is given, who thanks to the knowledge of individual secrets, can use a particular service, e.g. pay-per-view television, creation of a digital signature, or message encryption. The security mechanisms of the service are built in such a way that any user belonging to an authorized set of users can use the service. Moreover, it must be ensured that even when all unauthorized users cooperate with each other, it would still be impossible to use the service illegally. It is obvious that two different situations are possible. In the first, trivial case, unauthorized users may receive a secret from one or more authorized users, referred to as traitors. They can use it until the service provider detects the fraud. In the second case, unauthorized users may try to create a new secret based on received or captured secrets (assigned to any unauthorized user) that can be considered by authorized users as the proper one, and will result in qualifying the fraudster as a valid member of an authorized users’ group. The latter T. Hyla and J. Peja´s are with Faculty of Computer Science and Information Technology, West Pomeranian University of Technology, ul. Zolnierska 52, 71-210 Szczecin, Poland e-mail: [email protected] A preliminary version of this paper [1] appeared in Proceedings of the CISIM 2017 Conference, June 16-18, Bialystok, Poland, LNCS 10244, pp. 638-651. Enhancements over [1] are given in Sect. I-A Manuscript received March xx, 2018; revised January 1, 2001.

situation is particularly dangerous when the generated secret (private key) can be used to create a digital signature or in secret text decryption operations. Collusion Attack Algorithm with k traitors (the k-CAA problem) was formulated in 2002 by S. Mitsunari et al. [2]. This problem and its later variants [3] belong to the group of computationally difficult problems. This is because if a group of traitors with a population of less than k users reveal their private keys, then it is computationally infeasible to recreate or generate another private key for a user from outside of this group. This type of properties of the k-CAA problem and its variants contributed to the fact that the problems of k traitors cooperation have become very useful in pairing based cryptography for the construction of new encryption or signature schemes (El Mrabet et al. [4]). One of the first practical examples of using the k-CAA problem is the encryption scheme proposed in 2003 by Sakai and Kasahara [5] and simplified later by Zhang et al. [6] and Scott [7]. These schemes belong to the group of IDbased encryption (IBE) schemes, in which specific algorithms for generating private keys were used, guaranteeing that the schemes are afforded adaptive chosen ciphertext security in the random oracle model, as long as an effective algorithm for solving the k-CAA problem does not exist. This mentioned keys generation feature is so characteristic that such schemes and other similar schemes are recognized as schemes based on Sakai-Kasahara key construction. The Sakai-Kasahara key construction is also used in signature schemes. One of the first schemes of this type is the ID-based short signature scheme (ZSS), proposed in 2004 by Zhang et al. [6]. B. C. Hu et al. [8] demonstrated that the scheme is vulnerable to message-and-key replacement attacks. Nevertheless, this scheme is a basic element of many new signature schemes (e.g.: P. Barreto et al. [9], Du and Wen [10]) and, moreover, it allows simplifying proof of their security. The main disadvantage of ID-based schemes is the inability to achieve in many cases Girault’s level-3 security specifications [11]. This is due to the fact that the Trusted Authority (TA) knows the private keys of all users. What’s worse, TA can restore any user’s private key at any time. This property of ID-based schemes would be difficult to eliminate even when using hardware means of generating keys, e.g. smart cards with cryptoprocessors, and forwarding them to users later. The solution to this problem were supposed to be the certificateless signature schemes (CLS scheme), whose idea was proposed in the paper published by S. Al-Riyami and K. Paterson [12]. One of the first certificateless signature schemes based on the k-CAA problem was the scheme proposed by Du and Wen

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

[13] . However, in 2011, Fan et al. [14] and Choi et al. [15] independently showed that the scheme cannot be protected from Super Type I adversaries and hence does not allow Girault’s level-3 security specifications to be achieved. The improved version of the Du and Wen scheme [13], proposed by Fan et al. [14], also does not allow to achieve this level of security. Examples of cryptanalysis of the signature scheme proposed by Fan et al. can be found in the works [16], [17] and [18]. The Du-Wen’s short CLS scheme is vulnerable to Type-I adversaries because this signature scheme is not randomized, i.e. multiple queries of the signature algorithm for the same message always generates a signature with the same value. This situation allows the adversary to easily obtain a partial private key used by the signer when signing. Key replacement attacks are effective when applied to certain certificateless cryptosystems (Huang, X., et al. [19]) because no explicit authentication is required to obtain public keys. Of course, it is possible to construct a certificateless cryptosystem that defends against such attacks, but a less complex solution was proposed by C. Gentry [20]. This solution is primary used for encryption purposes and is referred to as certificate-based encryption, but it has been quickly generalized for use in certificate-based signature schemes (B. G. Kang et al. [21], J. Li et al. [22], J. Li et al. [23] and W. Wu et al. [24]). The solution proposed by Gentry does not automatically denote that all certificate-based schemes can resist key replacement attacks (e.g., in J. Li et al. [23]). Many of the certificate-based signature schemes designed in recent years are also based on the k-CAA problem or its variants. Two examples of such schemes are the proposals presented in the works of J. K. Liu et al. [25] and J. Li et al. [26]. Although the authors of both schemes declared that they are secure in the random oracle model, Cheng et al. [27] and Hung [28] showed, respectively, that both schemes cannot protect against a Type I adversary that can obtain a partially private key of an uncertified targeted user. The paper [29] proposes the encryption scheme IE-CBE belonging to the new category of public key cryptography schemes based on an implicit and explicit certificates. Schemes belonging to this schema category are confirmation of the observation [30] that the collision of ID-based, certificateless and certificate-based schemes with practice inevitably leads us to or at least close to the proven traditional public key infrastructure (PKI) mechanisms. The IE-CBE scheme has been designed based on the k-CAA problem. To the best of our knowledge, there is no corresponding signature scheme based on both implicit and explicit certificates, as well as computational difficulty of the k-CAA problem or its variants. Hence, the problem of designing such secure signature schemes remains still a challenging open problem. The above mentioned attacks on signature schemes occur for several reasons and especially because signature schemes are not randomized and are not properly secured against adversaries who can attempt to obtain full or partial user private keys.

2

A. Contributions The present work is the full version of our paper. In comparison to the conference version [1], it provides a full formal security proof, an extended introduction, the syntax of the scheme, the results of performance tests, and other additional information. The basic result presented in the paper is the proposal of the first signature scheme based on implicit and explicit certificates using Sakai-Kasahara’s key construction. Its security depends on the computational difficulty of solving k-mCAA problem, reducible in particular cases to the known k-CAA problem. The main property of the schema is that the public availability of the explicit certificate prevents the recovery of the implicit certificate. This feature of both certificates is of great practical importance and allows to verify the signature in the IE-CBS-kCAA scheme directly on the basis of an explicit certificate or indirectly on the basis of an implict certificate. In the first case, the verification can be ensured as for PKI certificates. In turn, in the second one the verification of the signature is performed similarly to the certificate-based signature schemes, without the need to refer to an explicit certificate. The signature scheme IE-CBS-kCAA is an existentially unforgeable against adaptive chosen-message and identity attacks (EUF-CMA) in the random oracle model. The sketch of proof presented in paper [1] indicates that the security problem of IE-CBS-kCAA scheme can be reduced to the computational difficulty of k-mCAA problem (the variant of the collusion at-tack algorithm with k-traitors) and discrete logarithm (DL) problem. In this full version of the paper, the complete proof of the IE-CBS-kCAA scheme security is presented. For the purposes of the proof, two games were defined, and then based on General Forking Lemma [39], two wrappers and related reduction algorithms were developed allowing to solve the problems of k-mCAA and discrete logarithm. Such a possibility, however, openly contradicts the assumption of the difficulty of solving both problems, which shows that the proposed scheme is secure. Finally, we show that although the proposed scheme does not belong to a short signature scheme category, it is computationally more efficient and has a similar signature length as other (implicit) certificate-based signature schemes described in [24] and [31] with a similar level of security.

B. Paper Organisation The rest of this paper is organized as follows. In the following section, we briefly review background information. Before presenting our results, we first present the syntax of the signature scheme based on implicit and explicit certificates (Section III) and our security model that protects against two different types of attacks (see Section IV). In Section V, the IE-CBS-kCAA randomized signature scheme from pairings is proposed, and its security proof in the random oracle is presented in Section V-C. The efficiency of our scheme is discussed in Section VI. Finally, we present the study’s conclusions.

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

3

II. P RELIMINARIES In this section, we briefly review the definition for groups equipped with an asymmetric bilinear map and precisely state hardness assumptions.

Here we briefly review the definition for groups equipped with an asymmetric bilinear map and precisely state the hardness assumptions. Definition 1: (Asymmetric bilinear map groups). Let G1 and G2 be two cyclic groups of some prime order p > 2k for some security parameter k ∈ N , and let GT be a multiplicative group. We say that (G1 , G2 , GT ) are asymmetric bilinear map groups when a bilinear map satisfies the following properties: 1) Bilinearity: for (P, Q) ∈ G1 × G2 and a, b ∈ Zp∗ , eˆ(aP, bQ) = eˆ(P, Q)ab . 2) Non-degeneracy: for each P ∈ G1 such that P 6= 1G1 , Q ∈ G2 holds for eˆ(P, Q) 6= 1G2 ; in other words, when P and Q are two generators of respectively G1 and G2 , then eˆ(P, Q) is a generator of GT ; 3) Computability: given (P, Q) ∈ G1 × G2 , an efficient algorithm for computing eˆ(P, Q) exists; 4) An efficient and publicly computable (but not invertible) isomorphism ψ : G2 → G1 such that ψ(Q) = P exists. Such bilinear map groups are instantiable with ordinary elliptic curves such as MNT curves [32] or with curves studied by Barreto and Naehrig [33]. B. Security Assumptions In this section, we present mathematical problems used in this paper and define corresponding assumptions. Definition 2: (Discrete Logarithm (DL) problem [1]). Given generator P ∈ G1 and T ∈ G∗1 compute a ∈ Zp∗ such that T = aP . The DL is (t, ε) hard when the probability of any probabilistic t-polynomial-time algorithm ADL solving the DL problem in G1 is defined as: (1)

A The DL assumption denotes the probability of AdvDL being negligible for every probabilistic polynomial time algorithm A.

Definition 3: (k-CAA problem, Mitsunari et al. [2]). For a positive integer k and s ∈ Zp∗ , Q ∈ G2 , given:

Q, Q0 = sQ, h∗ , h1 , ..., hk ∈ Zp∗ , h∗ ∈ / {h1 , ..., hk }, 1 1 Q, ..., Q h1 +s hk +s n o compute a new pair h∗ , h∗1+s Q . The k-CAA is (t, εk−CAA )-hard when for all t-time adversaries Ak−CAA , we have:

(2)

(3)

= P r Ak−CAA Q, Q0 , =

A. Bilinear Groups

A AdvDL = P r{ADL (P, aP ) = a|a ∈ Zp∗ } < εDL

A Advk−CAA = (

1 1 Q, ..., h1 + s hk + s

Q =

1 Q|s ∈ Zp∗ , Q ∈ G2 , h∗ , h1 , ..., hk ∈ Zp∗ , h∗ + s ) h∗ ∈ / {h1 , ..., hk }

< εk−CAA

The k-CAA problem is believed to be hard, i.e., no polynomial time algorithm can solve it with non-negligible probability. We define a new variant of the k-CAA problem hereinafter referred to as the k-mCAA problem (compare [2]). Definition 4: (k-mCAA problem [1]). For randomly selected values s, r∗ , h∗ , r1 , ..., rk , hk ∈ Zp∗ , and Q ∈ G2 , given: / {h1 , ..., hk }, Q, Q0 = sQ, h∗ , h1 , ..., hk ∈ Zp∗ , h∗ ∈ r∗ Q, r1 Q, ..., rk Q, r∗ Q ∈ / {r1 Q, ..., rk Q}, 1 1 Q, ..., r1 h1 +s rk hk +s Q (4) n o compute a new pair h∗ , r∗ h1∗ +s Q . We say that the k-mCAA is (t, εk−mCAA )-hard when for all ttime adversaries Ak−mCAA , we have:

A Advk−mCAA = Q, Q0 , r1 Q, ..., rk Q, Ak−mCAA = 1 1 r1 h1 +s Q, ..., rk hk +s Q 1 = r∗ h∗ +s Q = Pr ∗ , Q ∈ G2 , h∗ , h1 , ..., hk ∈ Zp∗ , |s ∈ Z p |h∗ ∈ / {h1 , ..., hk }, r∗ Q ∈ / {r1 Q, ..., rk Q} < εk−mCAA

(5)

The k-mCAA assumption denotes the probability that A Advk−mCAA is negligible for every probabilistic polynomialtime algorithm A. The k-mCAA is difficult to break because even when h∗ is known, the probability of finding a number x ∈ Zp∗ such that x = (s + r∗ h∗ )−1 (mod p) with two unknowns s and r∗ is negligible and equal to (p(p − 1))−1 . Definition 4 is derived from the definition for the k-CAA3 problem, formulated by S. H. Islam et al. [34]. In contrast to the original definition, it is assumed that additional values r1 Q, ..., rk Q are input into the k-mCAA problem. Let us assume that r∗ = 1 and ri = 1, (i = 1, ..., k). Then the k-mCAA problem is transformed into a k-CAA problem. Thus, this k-CAA problem can be understood as a special case of the k-mCAA problem. Similarly, if ri = r∗ , (i = 1, ..., k), then the k-mCAA problem is equivalent to the original kCAA3 problem from [34]. III. S YNTAX OF AN IMPLICIT AND EXPLICIT CERTIFICATE - BASED SIGNATURE SCHEME The IE-CBS-kCAA scheme is defined by seven polynomialtime algorithms (compare also W. Wu et al. [24], L. Chen et

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

al. [3] , F. Zhang et al. [6], T. Hyla et al. [31]). With a security parameter 1k , these algorithms function as follows: Definition 5: (IE-CBS-kCAA scheme). An implicit and explicit certificate-based signature scheme includes the following seven polynomial-time algorithms: •

•

•

•

•

•

•

Setup (1k ) → (s, params). This algorithm takes a security parameter 1k as input and returns the certifier’s master private key s and system parameters params, which are shared in the system. A TA runs the algorithm and after completion keeps the master private key s secret, while params are publicly accessible to all users of the system. Create-User (params, IDS ) → (sIDs , P kIDs ). The user runs the algorithm, which takes as input system parameters params and the signer’s identity IDs . It outputs the user’s secret key value sIDs and corresponding public key P kIDs . Implicit-Cert-Gen (params, s, IDs , P kIDs ) → 0 00 (CIIDs , Sk IDs , RIDs , RIDs ). This algorithm takes as input the system parameter params, master private key s, the identity IDs of a user and its public key P kIDs . It outputs the user’s certificate information CIIDs , an implicit certificate Sk IDs and two components 00 0 (RIDs , RIDs ) with the secret key rIDs of the user’s implicit and explicit certificates. TA runs the algorithm once for each user and the corresponding implicit certificate is distributed to the user secretly. Explicit-Cert-Gen (params, CIIDs , s, rIDs , qIDs ) → CertIDs . This algorithm takes as input the system parameter params, master private key s, the user’s certificate information CIIDs , and the secret key rIDs related to the user’s implicit and explicit certificates. It outputs an explicit certificate CertIDs that is sent to the user through a public channel. A TA runs this algorithm once for each user. 0 Set-Private-Key (params, CIIDs , sIDs , P kIDs , RIDs , 00 RIDs , Sk IDs ) → Sk IDs . The user runs this algorithm. The algorithm takes as input system parameters params, the user’s certificate information CIIDs , a secret key sIDs , its respective public key P kIDs , an implicit certifi0 00 cate Sk IDs and two components (RIDs , RIDs ) related to it, and it returns the corresponding full user’s private key SkIDs = (sIDs , Sk IDs ). 0 Sign (params, m, CIIDs , (SkIDs , P kIDs ), RIDs , 00 RIDs ) → σ. The signer runs algorithm Sign to generate signature σ by taking as input: the params, a message m, the user’s certificate information CIIDs , its key pair 0 00 (SkIDs , P kIDs ) and two components (RIDs , RIDs ) of the user’s implicit and explicit certificates. 0 00 Verify (params, m, σ, CIIDs , P kIDs , RIDs , RIDs , CertIDs ) → {true, f alse}. Anyone can run algorithm Verify to check the signature validity. Taking as input 0 a message-signature pair (m, σ), CIIDs , P kIDs , RIDs , 00 RIDs , CertIDs , this algorithm outputs true if σ is a valid signature on m created by IDs . Otherwise, it outputs f alse.

For the sake of correctness, when σ = Sign (params,

4

0

00

m, CIIDs , (SkIDs , P kIDs ), RIDs , RIDs ) then Verify 0 00 (params, m, σ, CIIDs , P kIDs , RIDs , RIDs , CertIDs ) = 1, where public parameters params and, the signer’s private/public key pair (SkIDs , P kIDs ) and certificate CertIDs are respectively generated according to specifications of algorithms: Setup, Create-User, Implicit-Cert-Gen and ExplicitCert-Gen. Remark. Algorithms Implicit-Cert-Gen and Explicit-CertGen end successfully when the TA positively verifies the identity and certificate information CIIDs related to a given identity. In addition, when a user requests a certificate of a public key P kIDs , he must demonstrate to the certifier his possession of the corresponding SkIDs , which can be performed in the same way that it is undertaken in the traditional PKI. IV. S ECURITY MODEL In this paper, we consider only one type of security notion involving existential unforgeability (EUF) under a chosenmessage attack (CMA) in the random oracle model (EUFCMA). In this attack, an adversary who is allowed to ask the signer to sign any message of his choice adaptively according to previous answers, should not be able to generate a new valid message-signature pair. A. Adversaries and oracles The security model of the proposed IE-CBS-kCAA scheme, hereinafter referred to as EUF-IECBS-kCAA-CMA, is defined by two games played by the challenger C and adversary A assuming that the adversary chooses which game to play. In both cases, adversary A = (A1 , A2 ) is trying to pass EUF-CMA security barriers of the IE-CBS-kCAA scheme, i.e., the formal model describing existential unforgeability. To describe these games, we use the widely accepted two types of adversaries with different capabilities: the Type I Adversary and Type II Adversary (e.g., T. Hyla, et al. [31]). The Type I Adversary (A1 ) is able to compromise the user’s secret key or replace the user’s public key, but he is unable to acquire the TA’s master secret key and the user’s partial private key issued by the TA. We assume that adversary A1 models the security against non-certified users and eavesdroppers, i.e., against users, who are not registered and who do not have certificates issued by the TA. The Type II Adversary (A2 ) can obtain the TA’s master secret key and the user’s implicit certificate, but he cannot compromise the user’s secret key or replace her/his target public key. In this case it is reasonable to consider attack scenarios that target certified users, i.e., users who come into possession of a private/public key pair and of explicit certificates before the master key s is known to the adversary. The formal security model of the implicit and explicit certificate-based signature schemes divides potential adversaries by level of attack power and classifies the Type I/II adversary into three types (see Li, J., et al. [23] and Huang, X., et al. [35]): a Normal Adversary, Strong Adversary and Super Adversary. The adversaries are differentiated by the information they must have to obtain valid signatures. A

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

Normal Type I/II Adversary must have the original public key, a Strong Type I/II Adversary must have a public key replaced by himself if he additionally submits the secret value corresponding to the replaced public key and a Super Type I/II Adversary must only have the replaced public key. The most powerful attacks are made by the Super Type I/II Adversary, who may issue the following queries: • Create-User-Query. This oracle takes as input query ID. When user identity ID has already been created, nothing is carried out by the oracle. Otherwise, challenger C runs algorithms Create-User used to obtain secret value sID and public key P kID . Next, the oracle adds hID, sID , P kID i to the LU list, which is initially empty. In this case, the user with identity ID is said to be created. In both cases the oracle returns P kID . • Public-Key-Replacement-Query. When ID is created, 0 the oracle takes as input query (CIID , P kID , P kID ), finds user ID in list LU and replaces original user’s 0 public key P kID with P kID . Otherwise, no action is taken. Note that the adversary is not required to provide 0 secret value sID . • Corruption-Query. This oracle takes as input query ID. It browses list LU and when ID denotes the identity that has been created, the oracle outputs secret key sID . • Implicit-Cert-Gen-Query. With the input of identity index (CIID , P kID ), this oracle returns implicit certificate Sk ID whenever a user with identity index (CIID , P kID ) has been created. Otherwise, symbol ⊥ is returned. • Explicit-Cert-Gen-Query. For a certificate request for a user with identity index (CIID , P kID ), this oracle returns explicit certificate CertID and two additional 00 0 components (RID , RID ). When a user with CIID .ID is not created (this notation denotes field ID of the user’s certificate information CI), symbol ⊥ is returned. • Super-Sign-Query. When ID has not been created, the oracle returns ⊥. Otherwise, it takes as input query 00 0 (m, CIID , P kID , RID , RID ) where m denotes the message to be signed, and then it returns valid signature σID such that Verify (params, m, σID , CIID , P kID , 0 00 RID , RID , CertID ) → true. In this instance, P kID is a current public key of user ID in list LU and it can be replaced by the adversary or returned from oracle CreateUser-Query. B. Games played against a Super Type I/II Adversary To investigate the existential unforgeability of the IE-CBSkCAA scheme when subjected to a Super Type I/II Adversary (A1 / A2 ) we can now define two games (Game I and Game II) played between challenger C and the two types of adversaries (A1 and A2 , respectively). Game I. This game is played between challenger C and adversary A1 under an adaptively chosen message and user identity ID. Setup. Challenger C executes algorithm Setup (1k ) → (s, params) in the IE-CBS-kCAA scheme to obtain public parameter params and master secret key s. Adversary A1 is given params, challenger C keeps master secret key s secret.

5

Queries. In this phase, A1 can adaptively submit queries to the following oracles defined in Section IV-A: CreateUser-Query, Implicit-Cert-Gen-Query, Explicit-CertGen-Query, Public-Key-Replacement-Query, CorruptionQuery and Super-Sign-Query. Forgery. Eventually, after some or all queries are made, ˆ wˆ1 , wˆ2 , E), ˆ ID, adversary A1 outputs forgery (m, ˆ σ ˆ = (h, 0 00 ˆ ˆ CIID , m, P kID , RID , RID , CertID ). Constrains. Adversary A1 wins the game when the forgery satisfies the following requirements: (a) σ ˆ is a valid signature given with message m ˆ under public key P kID and explicit certificate CertID , i.e., Verify ˆ0 , R ˆ 00 , CertID ) → (params, m, ˆ σ ˆ , CIID , P kID , R ID ID true. Here, P kID is chosen by A1 and may not be the one returned by the Create-User-Query oracle. (b) (ID, P kID ) has never been submitted to Implicit-CertGen-Query and Explicit-Cert-Gen-Query oracles. ˆ0 , R ˆ 00 ) has never been submitted (c) (m, ˆ CIID , P kID , R ID ID to oracle Super-Sign-Query. The chance of an adaptive chosen message and adversary A1 with chosen identity index (ID, P kID ) wins the above A1 game is defined as AdvIE−CBS−kCAA . Game II. In this Game adversary A2 with chosen identity index (ID, P kID ) interacts with its challenger C under an adaptively chosen message. Setup. Challenger C executes algorithm Setup (1k ) → (s, params) in the IE-CBS-kCAA scheme to obtain public parameter params and master secret key s. C then sends (params, s) to adversary A2 . Queries. In this phase, adversary A2 and can adaptively access the following oracles: Create-User-Query, Public -Key-Replacement-Query, Corruption-Query and SuperSign-Query. Oracles Implicit-Cert-Gen-Query and ExplicitCert-Gen-Query are not accessible and are no longer needed because adversary A2 , which holds master key s, can generate all user partial keys and certificates. Forgery. At the end of this phase, after some or all queries are made, adversary A2 outputs forgery (m, ˆ σ ˆ = ˆ wˆ1 , wˆ2 , E), ˆ 00 , CertID ). ˆ ID, CIID , m, P kID , R ˆ0 , R (h, ID ID Constrains. Adversary A2 wins the game when the forgery satisfies the following requirements: (a) σ ˆ is a valid signature sent with message m ˆ under public key P kID and explicit certificate CertID , i.e., Verify ˆ0 , R ˆ 00 , CertID ) → (params, m, ˆ σ ˆ , CIID , P kID , R ID ID true. Here, P kID is the output returned by the CreateUser-Query oracle for ID. (b) ID has never appeared as a Corruption-Query. ˆ0 , R ˆ 00 ) has never been submitted (c) (m, ˆ CIID , P kID , R ID ID to oracle Super-Sign-Query In this game, adversary A2 may call the Public-KeyReplacement-Query oracle and obtain all secrets corresponding to identity indices other than (ID, P kID ). The success probability of an adaptive chosen message and adversary A2 with chosen identity index (ID, P kID ) wining A2 the above game is defined as AdvIE−CBS−kCAA . Definition 6: An implicit and explicit certificate signature scheme IE-CBS-kCAA offers existential unforgeability against

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

6

chosen message attacks (EUF-IECBS-kCAA-CMA) when no probabilistic polynomial-time adversary has a non-negligible probability of winning Games I and II. V. N EW IMPLICIT AND EXPLICIT CERTIFICATE - BASED SIGNATURE SCHEME IE-CBS- K CAA The IE-CBS-kCAA scheme contains seven polynomial time algorithms: Setup, Create-User, Implicit-Cert-Gen, Explicit-Cert-Gen, Set-Private-Key, Sign and Verify. A detailed description of all algorithms of the IE-CBS-kCAA scheme is presented below: 1) Setup: the system parameters are params = {G1 , G2 , GT , eˆ, P, P0 , Q, Q0 , H1 , H2 } where |G1 | = |G2 | = |GT | = p for some prime number p ≥ 2k (k is the system security number), where (P, Q) are generators of respectively G1 and G2 such that eˆ(P, Q) = g, P0 = sP and where Q0 = sQ for system master public keys with master secret key s ∈ Zp∗ , H1 , H2 : Γ × {0, 1}∗ → Zp are two secure cryptographic hash functions. Γ × {0, 1}∗ is a string space that can be used to define a user with identity ID. In the cases discussed, when ID includes more information than the identity, we denote it as CI (Certificate Information). 2) Create-User (params, IDs ): user IDs chooses a random number sIDs ∈ Zp∗ , sets sIDs as the secret key and produces corresponding public key P kIDs = sIDs P ; the resulting public key is widely and freely distributed, e.g., the TA publishes it in its public repository. 3) Implicit-Cert-Gen (params, s, IDs , P kIDs ): for IDs , with an S identity, his public key is P kIDs , and trusted authority TA: a) composes the user’s certificate information CIIDs , including the TA’s public keys (P0 , Q0 ), identifiers IDs and IDT A of user S and the TA, respectively, and the time period τ for which information CIIDs is valid; 0 b) randomly selects rIDs ∈ Zp∗ and computes (RIDs , 00 RIDs ) = (rIDs P, rIDs Q); 0 00 c) for P kIDs and (RIDs , RIDs ) generates S partial private key (an implicit certificate) as: Sk IDs =

1 Q s + rIDs qIDs

(6)

0

” where qIDs = H1 (CIIDs , P kIDs , RIDs , RID ) and s transmits it to user S secretly; in addition, TA sends 0 00 (RIDs , RIDs , CIIDs ). 4) Explicit-Cert-Gen (params, s, IDs , rIDs ,qIDs ): TA generates explicit certificate CertIDs for signer S using parameters received from S and values calculated during the execution of the Implicit-Cert-Gen algorithm: a) TA generates the explicit certificate for entity S, which binds its identity to public key components:

CertIDs =

1 s + rIDs qIDs

b) TA sends CertIDs to entity S.

P

(7)

5) Set-Private-Key (params, CIIDs ,sIDs , P kIDs , 0 00 RIDs , RIDs , Sk IDs ): user S checks whether 0 eˆ(qIDs RID + P0 , Sk IDs ) = eˆ(P, Q) = g and then s formulates his private key in as SkIDs = (sIDs , Sk IDs ) . 00 00 6) Sign (params, m, CIIDs , SkIDs , P kIDs , RIDs , RIDs ): to sign message m ∈ {0, 1}∗ , signer S follows the following steps: a) selects two random numbers k1 , k2 ∈R Zp∗ ; b) computes hash value: 0

” ) qIDs = H1 (CIIDs , P kIDs , RIDs , RID s

(8)

then generates signature σ = (h, w1 , w2 , E) where: h = H2 (m, k1 P, U, qIDs )

E=

k1 − k2−1 h Sk IDs k1 h + sIDs

w1 = k1 − hsIDs

(mod p)

w2 = k2 (k1 h + sIDs ) (mod p)

(9)

(10)

(11) (12)

while U = g k1 k2 . c) if in (10) k1 h + sIDs = 0, then steps (a) and (b) are repeated. 00 0 7) Verify (params, m, σ, CIIDs , P kIDs , RIDs , RIDs , CertIDs ): to verify the message-signature-certificate triple, i.e., (m, σ = (h, w1 , w2 , E), CertIDs ), V completes the following steps: a) computes hash qIDs using (8) and values: w2 0 U 0 =ˆ e qIDs RID + P0 , E · s h 00 · eˆ CertIDs , qIDs RIDs + Q0

(13)

k1 P = w1 P + hP kIDs

(14)

b) if (15, 16) are true, then return accept; otherwise, reject. h ≡ H2 (m, k1 P , U 0 , qIDs )

(15)

00 g ≡ eˆ CertIDs , qIDs RIDs + Q0

(16)

A. Correctness of the IE-CBS-kCAA scheme Assume that digital signature σ and explicit certificate CertIDd have been generated using the Sign and ExplicitCert-Gen algorithms, respectively. Therefore, σ is a valid

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

7

signature sent with message m because it is accepted by verification algorithm Verify: w2 0 U 0 = eˆ qIDs RIDs + P0 , E · (17) h 00 · eˆ CertIDs , qIDs RIDs + Q0 = k2 (k1 h+sIDs ) 0 k1 − k2−1 h · Sk IDs = eˆ qIDs RIDs + P0 , k1 h + sIDs h 00 · eˆ CertIDs , qIDs RIDs + Q0 = 0 = eˆ qIDs RIDs + P0 , (k1 k2 − h)Sk IDs · h 00 · eˆ CertIDs , qIDs RIDs + Q0 = 1 = eˆ (s + rIDs qIDs )P, (k1 k2 − h) Q · s + rIDs qIDs 1 · eˆ P, h(s + rIDs qIDs )Q = s + rIDs qIDs = eˆ (P, Q)

k1 k2

=U

Hence, 0

0

h = H2 (m, k1 P , U , qIDs ) = = H2 (m, w1 P + hP kIDs , U, qIDs ) = h

(18)

Moreover, it is now easy to demonstrate the correctness of the explicit certificate: 0

00

g = eˆ(CertIDs , qIDs RID + Q0 ) = 1 P, (s + rIDs qIDs )Q = = eˆ s + rIDs qIDs = eˆ (P, Q) = g

(19)

B. IE-CBS-kCAA scheme modification Any certificate-based signature scheme contains an implicit certificate that is a part of a user’s private key. Hence, it seems natural to modify any particular signature scheme based on both explicit and implicit certificates and to reduce it to an implicit certificate-based signature scheme Assume that in our case we remove the Explicit-CertGen algorithm from the IE-CBS-kCAA scheme. The resulting scheme is a new scheme based on an implicit certificate (ICBS-kCAA scheme in short). The introduced change requires one to remove certificate verification from algorithm Verify and to modify equation (13) as follows: w 2 0 h U 0 = eˆ qIDs RIDs + P0 , E eˆ (P, Q) (20) These changes simplify signature verification. Moreover, when users use a full version of the IE-CBS-kCAA scheme, in some cases (when acceptable, e.g., in a closed trust zone), the signature verification can be performed as follows: 0

h ≡H2 (m, w1 P + hP kIDs , eˆ(qIDs )RIDs + h

+ P0 , E)w2 eˆ (P, Q) , qIDs ) where qIDs is defined in (8).

(21)

C. Security analysis We prove the security of the IE-CBS-kCAA scheme by reducing the security level from higher-level construction to lower-level primitive. More precisely, we remove the adversary by breaking the protocol into an algorithm that can solve the respective k-mCAA or a discrete logarithm (DL) problem with non-negligible probability. In our reductions, we use the general forking lemma, proposed by Bellare and Neven [36], similar to [31]. We briefly recall this using Lemma 1 (see also [37], [38]). Lemma 1 (General Forking Lemma [37]). Fix integer γ ≥ 1 and set H of size |H| ≥ 2. Let B (Algorithm B is simply a wrapper that takes as explicit input answers to the random oracles) be a randomized algorithm that on input x, h1 , ..., hγ returns pair (J, σ) where J ∈ {0, 1, ..., γ} and σ are referred to as the side output. Let IG be a randomized algorithm refereed to as the input generator. Let acc = P rbJ ≥ 1 : x ∈R IG h1 , ..., hγ ∈R H; (J, σ) $ B(x, h1 , ..., hγ )c be the ← − accepting probability of B. Forking game FB associated with B proceeds as follows: Algorithm FB (x) selects random coins ρ for B h1 , ..., hγ ∈R H; (J, σ) $ B(x, h1 , ..., hγ ; ρ)//Run_0 ← − if (J = 0) then return (0, ⊥, ⊥) 0 0 0 0 hJ , ..., hγ ∈R H; (J , σ ) $ ← − 0 0 B(x, h1 , ..., hJ−1 , hJ , ..., hγ ; ρ) //Run_1 0 0 if (J = J and hJ 6= hJ ) then 0 return (1, σ, σ ) else return (0, ⊥, ⊥) End of Algorithm FB (x) 0 Let gfrk = P rbb = 1 : x ∈R IG; (b, σ, σ ) $ FB (x)c. Then: ← − 1 acc − (22) gf rk ≥ acc γ |H| At the end of Run 0, randomized algorithm B returns σ, the forgery produced by the adversary and J, and the index to the oracle query used by the adversary to forge. In Run 1 algorithm FB launches oracle replay attack by rewinding the input tape to the J-th oracle query and then rerunning adversary A using a different random oracle. Lemma 2. Suppose that hash functions H1 and H2 are random oracles, and that in Game 1 against the IE-CBS-kCAA scheme, adversary A1 facts as an uncertified user. When TypeI adversary A1 has a non-negligible advantage against our IECBS-kCAA scheme, then a reduction R1 solves the k-mCAA problem over group G2 with non-negligible probability: 1 R k−mCAA ≥

2 γ 2 e(qE + 1)2

(23)

where e denotes the base of the natural logarithm, where qE is the upper bound on the number of queries sent to the Implicit-Cert-Gen-Query oracle and where γ = qH2 is the upper bound on the number of queries sent to the H2 -Query oracle.

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

Proof. Similarly, to approach the case given in [31], our reduction proceeds over two phases. First we describe intermediate algorithm B1 (i.e., the wrapper) that interacts with adversary A1 and returns a side output. Second, we show how to build reduction algorithm R1 that launches general forking game FB1 with wrapper B1 . As a result, algorithm R1 is obtained, which includes one pairing equation with one unknown and which returns the correct solution to the k-mCAA problem. The Wrapper Assume that the algorithm B1 is given a random instance 4 = (G2 , p, P, sP, Q, sQ, (r1 q1 +s)−1 Q, ..., (rk qk +s)−1 Q) of k-mCAA problem. The goal is to compute (r∗ q ∗ + s)−1 Q for some q ∗ ∈ / {q1 , ..., qk }, r∗ Q ∈ / {r1 Q, ...,rk Q}, and given q1 , ..., qk ∈ Zp∗ , r1 Q, ...,rk Q, (r1 q1 + s)−1 )P , ..., (rk qk + s)−1 )P . We show that Type I adversary A1 can be converted to algorithm B1 , which can solve a random instance 4 of the kmCAA problem (see Definition 4). Assume also that γ = qH2 and H = Zp . Wrapper B1 takes as arguments a description of group (G1 , G2 , p, P, Q), a challenge (r1 q1 + s)−1 )Q , ..., (rk qk + s)−1 )Q with a set of random elements q1 , ..., qk ∈ Zp∗ and h1 , ..., hγ ∈ Zp∗ , for which B1 responds to the series of queries sent to the H2 -Query hash oracle. It returns a triple (J, σ) where J refers to indices of the target H2 query and where σ is the side output. In addition, adversary A1 ˆ = H2 (m, ˆ kID , U, cˆ) always requests H2 hash of h ˆ w ˆ1 P + hP 00 0 ˆ ˆ ˆ ˆ where U = eˆ(ˆ cRID + P0 , E) eˆ(Cert, cˆRID + Q0 )h , cˆ = 0 00 0 ˆ ˆ ), P kID = sˆID P , R ˆ ,R ˆP H1 (CIID , P kID , R ID = r ID ID 00 ˆ and RID = rˆQ, which outputs as its forgery. To track the index of the current random oracle query, B1 maintains counter ctr, which is initially set to 1, and two tables LH1 and LH2 , manage random oracles H1 and H2 . Wrapper B1 interacts with adversary A1 as described below. Algorithm B1 (4) Initialize. ctr = 0, lists LH1 and LH2 are empty. Setup. B1 sets P and Q as the generators of groups G1 and G2 , respectively and sets master public keys P0 = sP andQ0 = sP (master secret key s is unknown to everyone, including B1 ). Then, B1 defines system parameters params = {G1 , G2 , GT , eˆ, P, P0 , Q, Q0 , H1 , H2 } and sends them to the adversary A1 . Queries: A1 can query the following oracles polynomial number of times. 1) Create-User-Query (params, ID). Suppose a query is made on identity ID and that B1 responds as follows: a) B1 scans list LU with tuples in form hIDi , sIDi , P kIDi i to check whether IDi = ID. If this is the case, the previously defined value P kIDi is returned. b) Otherwise, B1 selects sID ∈R Zp at random and calculates public key P kID = sID P . B1 returns P kID and stores a tuple hIDi , sID , P kID i in the LU list. 0 00 2) H1 -Query (CIIDi , P kIDi , RIDi , RIDi ) Algorithm B1 0 maintains a list LH1 of tuples hCIIDi , P kIDi , RIDi , 00 RIDi , coini , ci , Ci , CertIDi i. On receiving such a query 0 00 on (CIIDi , P kIDi , RIDi , RIDi ), algorithm B1 returns

8

ci directly when LH1 contains a tuple hCIIDi , P kIDi , 0 00 RIDi , RIDi , coini , ci , Ci , CertIDi i. Otherwise: a) if the query is made explicitly by A1 , B1 randomly selects c ∈R Zp∗ and sets coin = Ci = CertIDi =⊥, where ⊥ denotes that these fields are unknown to B1 ; b) otherwise, B1 flips a biased coin that outputs value coin = 1 with a probability of ς and coin = 0 with a probability of 1 − ς (the value of ς will be optimized later); then: i) if coin = 0, it randomly selects a value qj ∈ {q1 , ..., qk } and sets c = qj , C = (rj c + s)−1 Q, 0 CertID = (rj c + s)−1 P , RIDi = rj P and 00 RIDi = rj Q; ii) otherwise, if coin = 1: A) it randomly selects c ∈R Zp∗ and (ri c + s) = t ∈R Zp∗ such that c ∈ / {q1 , ..., qk } and calcu00 −1 lates RIDi = c (tQ − Q0 ); 00 B) if RIDi ∈ {r1 Q, ..., rk Q}, then BI repeats step 0 A and otherwise calculates RIDi = c−1 (tP − −1 P0 ), C = t Q, and CertIDi = t−1 P . 00 0 c) hCIIDi , P kIDi , RIDi , RIDi , coini , ci , Ci , CertIDi i is stored in LH1 and c is output as the answer. 0 3) H2 -Query (m, k1 P, U, H1 (CIIDi , P kIDi , RIDi , 00 RIDi )). Algorithm B1 maintains a list LH2 of tuples hmi , (k1 P )i , Ui , ci , ctri , w2,i , hi i. In this instance (mi , k1 P, U, c) where c = 00 0 H1 (CIIDi , P kIDi , RIDi , RIDi ). This is the query to H1 -Query with h being the corresponding output. 00 0 B1 runs H1 -Query (CIIDi , P kIDi , RIDi , RIDi ) and obtains requested hash value c. For each request made on (m, k1 P, U, c), algorithm B1 returns hi directly when LH2 contains tuple hmi , (k1 P )i , Ui , ci , ctri , w2,i,hi i. Otherwise, B1 returns h = hctr as the output, adds tuple hmi , k1 P, U , c, ctr, ⊥, hi to LH2 and increments ctr by one. 0 4) Public-Key-Replacement-Query (ID, P kID , P kID ). For a public key replacement query: a) B1 tries to find a tuple hIDi , sIDi , P kIDi i in the LU list such that IDi = ID and P kIDi = P kID . When this does not exist, B1 outputs ⊥. b) Otherwise, B1 replaces hIDi , sIDi , P kIDi i with 0 hIDi , ⊥, P kIDi i. Here, the secret value related to the new public key is not needed to replace the public key. 5) Corruption-Query (ID). For corruption query ID, B1 will check list LU . When the user with identity ID is registered, B1 tries to find a tuple hIDi , sIDi , P kIDi i and returns sIDs i to A1 . If this is not the case, B1 selects a random number sID ∈R Zp , sets P kID = sID P , adds hID, sID , P kID i to the LU list and returns sIDi to A1 . 6) Implicit-Cert-Gen-Query (ID, P kID ). At any time, A1 or B1 (see Super-Sign-Query and Explicit-Cert-Gen-Query) can query this oracle based on identity ID and public key P kID . a) On the Implicit-Cert-Gen-Query for ID, B1 first checks list LU . When a user with ID is not created, B1 returns ⊥.

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

9

0

b) Now, B1 tries to find tuple hCIIDi , P kIDi , RIDi , 00 RIDi , coini , ci , Ci , CertIDi i in LH1 that fulfils the following conditions: CIIDi .ID = ID, P kIDi = P kID and coini 6= ⊥. If such a tuple exists, then BI : i) if coin = 1, failure (denoted by E1 ) is output and stops, because it is not allowed to answer the query; 0 00 ii) otherwise, it outputs (Ci , RIDi , RIDi , CIIDi ); c) Otherwise, B1 i) composes ID user’s certificate information CIID ; ii) runs H1 -Query (CIID , P kID , ⊥, ⊥) and repeats step (b). 7) Explicit-Cert-Gen-Quer (CIID , P kID ). Upon receiving such a query on identity ID with certificate information CIID and public key P kID : a) B1 first checks list LU . If a user with CIID .ID is not created, B1 returns ⊥. 0 00 b) If there is a tuple hCIIDi , P kIDi , RIDi , RIDi , coini , ci , Ci , CertIDi i in LH1 such that CIIDi .ID = ID, P kIDi = P kID and coini 6= ⊥, and B1 outputs 00 0 a tuple (CertIDi , RIDi , RIDi , CIIDi ). c) Otherwise, B1 runs H1 -Query (CIID , P kID , ⊥, ⊥) and repeats step (b). 8) Super-Sign-Query (m, CIID , P kI D). For a sign query, B1 outputs ⊥ if a user with CI.ID has not been created. Otherwise: 00 0 a) if there is no a tuple hCIIDj , P kIDj , RIDj , RIDj , coinj , cj , Cj , CertIDj i in LH1 such that CIIDi .ID = ID, P kIDi = P kID and coinj 6= ⊥, B1 runs H1 Query (CIID , P kID , ⊥, ⊥); b) next, B1 calculates the signature as follows: i) it sets c = cj , Cert = CertIDj ; ii) it selects w1 , w2 ∈R Zp∗ and E ∈R G1 at random and sets h = hctr ; 0 iii) and it then computes U = eˆ(cRIDj + 00 P0 , E)w2 eˆ(Cert, cRIDj +Q0 )h and k1 P = w1 P + hP kID ; c) B1 tries to find tuple (m, k1 P, U, c) in the LH2 list; if such a tuple appears in tuple hm, (k1 P )i , Ui , cj , ctri , ww,i , hi i of the LH2 list, i.e., m = mi , k1 P = (k1 P )i , U = Ui and c = cj , B1 increment index ctr by one and repeats from step (b) and point (ii); d) B1 adds tuple hm, k1 P , U, c, ctr, w2 , hi to LH2 and increments ctr by one; 0 e) B1 returns tuple (m, σ = (h, w1 , w2 , E), P kID , RIDj , 00 RIDj , Cert) to A1 , where σ denotes the signature given on message m. Note that the user’s secret value is not used by the sign query oracle, rendering it a Super-Sign oracle. Output. At the end of the game, a successful adversary ˆ wˆ1 , wˆ2 , E), ˆ P kID , R0 , outputs a valid forgery (m, ˆ σ ˆ = (h, ID 00 0 00 RID , CertID ) for (m, ˆ CIID , P kID , RID , RID ). Hence, ˆ = H2 (m, ˆ kID , U, cˆ), where U = we have h ˆ wˆ1 P + hP 0 00 ˆ ˆ ˆ ˆ eˆ(ˆ cRID + P0 , E) eˆ(Cert, cˆRID + Q0 )h , cˆ = H1 (CIID , 0 00 0 ˆ ˆ ˆ ˆ 00 = P kID , RID , RID ), P kID = sˆID P , RID = rˆP and R ID

rˆQ. In this instance, P kID is chosen by A1 and may not be the one returned by the oracle Create-User-Query. In addition, (ID, P kID ) and (m, ˆ CIID , P kID ) have never appeared as Implicit-Cert-Gen-Query, Explicit-Cert-Gen-Query or SuperSign-Query queries, respectively. Let hCIID , P kID , Rˆ0 , Rˆ00 , ctri , coin, cˆ, ⊥, ⊥i and hm, ˆ ˆ kID , U, cˆ, ctrj , wˆ2 , hi ˆ be the respective tuples of wˆ1 P + hP LH1 and LH2 that correspond to the target valid forgery σ ˆ. ˆ cˆ, U , E, ˆ P kID , Hence, wrapper B1 returns (ctrj , coin, h, ˆ0 , R ˆ 00 , CertID )) as its output. R ID ID ˆ wˆ2 , cˆ, U , Note that side-output σ consists of (coin, h, 0 00 ˆ ˆ ˆ E, P kID , RID , RID , CertID ). If tuple (m, ˆ wˆ1 P + ˆ kID , U, cˆ) has not been queried to random oracle H2 hP Query, B1 will issue this query itself to ensure that tuples hCIID , P kID , Rˆ0 , Rˆ00 , ctri , coin, cˆ, ⊥, ⊥i and hm, ˆ wˆ1 P + ˆ kID , U, cˆ, ctrj , wˆ2 , hi ˆ are listed on respective lists LH and hP 1 LH2 (here we use an approach similar to that used in [35], [39]). Remark. When an adversary outputs an invalid forgery, B1 outputs failure (denoted by E2 ) and aborts. End of Algorithm B1 (4) Reduction algorithm R1 Now we can show how to build reduction algorithm R1 that can exploit the general-forking algorithm associated with the above wrapper B1 . Let 4 = (G2 , p, Q, sQ, (r1 q1 + s)−1 Q, ..., (rk qk + s)−1 Q) be the given k-mCAA problem. Reduction algorithm R1 invoke general-forking algorithm FB1 to solve the k-mCAA problem. It runs FB1 on challenge 4, with H2 -Query involved in the replay attack. If FB1 fails, R1 aborts outputs failure (denoted by E2 ) and stops. On the other hand, if FB1 is successful, R1 returns a set of two valid sideoutputs as two unknowns and solves it Sk = (r∗ q ∗ + s)−1 Q, where q ∗ ∈ / {q1 , ..., qk } and r∗ Q ∈ / {r1 Q, ..., rk Q}. It can be verified that R1 really returns the correct solution to the k-mCAA problem. Algorithm R1 (4) (b, {σ0 , σ1 }) $ FB1 (4) ← − if (b == 0) then return 0 // Event E3 ˆ i , wˆ2i , cˆi , U ˆi , E ˆi , P k, Rˆ0 , Rˆ00 , Cert) parse σi as (βˆi , h ˆ ˆ ˆ ˆ0 = U ˆ1 and cˆ0 = cˆ1 let β = β0 = β1 , U if βˆ == 1 then ˆ0 − h ˆ 1 )−1 (wˆ2,0 E ˆ0 − wˆ2,1 E ˆ1 ) return Sk = (h otherwise return 0 // Event E4 End of Algorithm R1 (4) Correctness of the solution to the k-mCAA problem If the multiple-forking algorithm FB1 does not fail, R1 obtains two sets of side-outputs σ0 and σ1 where σi (for ˆ i , wˆ2,i , cˆi , U ˆi , E ˆi , P k, R ˆ0 , R ˆ 00 , i = 0, 1) is written as (βˆi , h ID ID Cert). To measure this phenomenon, compare output σ from ˆ0 = U ˆ1 , βˆ0 = βˆ1 , wrapper B1 . Additionally, we assume that U 0 ˆ cˆ0 = cˆ1 , P k = sˆID P , R = rˆQ P . R1 outputs failure (denoted by E4 ) and stops, if βˆ is equal to 0. Algorithm R1 obtains two valid signature forgeries σˆi = ˆ i , wˆ1,i , wˆ2,i , E ˆi , P k, R ˆ0 , R ˆ 00 , Cert), (i = 0, 1) for (m, ˆ h ID ID the same message m, ˆ public key P k, explicit certificate Cert 0 00 ˆ , R ˆ ). Based on two sets of side-outputs σ0 and and (R ID ID σ1 the following equation is applied:

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

wˆ2,0 hˆ 0 ˆ 0 + P0 , E ˆ0 ˆ 00 + Q0 eˆ cˆR eˆ Cert, cˆR = 0 wˆ2,1 hˆ 1 ˆ + P0 , E ˆ1 ˆ 00 + Q0 = eˆ cˆR eˆ Cert, cˆR

10

(24)

P r[¬E4 |¬E3 ] = ζ 2

By making suitable arrangements, the equation (24) can be converted into the following form: 0 ˆ 0 Sk = ˆ + P0 , w ˆ0 + h eˆ cˆR ˆ2,0 E 0 ˆ 1 Sk ˆ + P0 , w ˆ1 + h = eˆ cˆR ˆ2,1 E

(25)

1 (r∗ cˆ +

s)

Q=

ˆ0 − w ˆ1 ) (w ˆ2,0 E ˆ2,1 E ˆ ˆ (h0 − h1 )

(26)

where cˆ ∈ / {q1 , ..., gk } and rˆQ ∈ / {r1 Q, ..., rk Q} Probability analysis The probability that algorithm R1 solves the k-mCAA problem remains to be computed. According to the simulation, algorithm R1 can calculate value Sk when and only when the following events occur: ¬E1 : B1 does not fail during the simulation, ¬E2 : A1 outputs a valid forgery, ¬E3 : FB1 does not fail, ¬E4 : R1 does not fail, i.e., in interaction with adversary A1 outputs two valid forgeries with a coin value βˆ of 1. We denote the probability at which FB is successful during the first run as acc1 . As FB1 is successful during the first run when no aborting occurs during the query phase (event E1 does not occur) and as adversary A1 produces a valid forgery (event E2 does not occur), we have: acc1 ≥ P r[¬E1 ∧ ¬E2 ] = P r[¬E1 ]P r[¬E2 , ¬E1 ]

(27)

Event E1 occurs only when A1 makes an implicit certificate extract query using an identity with coin = 1 (see ImplicitCert-Gen-Query). Therefore, P r[¬E1 ] = (1 − ζ)qE

(28)

In addition, the probability of adversary A1 producing a valid forgery when event E1 does not occur is equal to P r[¬E2 |¬E1 ] = ε. Now, if events E3 and E4 do not occur, then the advantage of the algorithm R1 in solving k-mCAA problem is: P r[¬E3 ∧ ¬E4 ] = P r[¬E3 ]P r[¬E4 , ¬E3 ]

(29)

Let gf rk be the probability at which FB1 is successful. As event E4 occurs when FB1 fails, we have: P r[¬E3 ] = gf rk

(32)

Finally, derived from R1 being successful in solving the k-mCAA problem can be calculated as follows: (1 − ζ)qE ε 1 R1 2 qE − (33) εk−mCAA ≥ ζ (1 − ζ) ε γ p Assuming that p >> 1, the above expression is maximized at ζ = 1/(1 + qE ). Therefore:

Finally, we obtain the solution to the k-mCAA problem (see Definition 4): Sk =

The probability that event E4 does not occur, when event E3 has not occurred, is the same as the probability at which coin value βˆ of valid forgeries is not equal to 0. Thus:

(30)

From the general-forking lemma (see Lemma 1) for γ = qH2 and |H| = p, we have: 1 (1 − ζ)qE ε 1 acc1 qE − ≥ (1 − ζ) ε − gf rk ≥ acc1 γ p γ p (31)

2qE 2 ε 2 (1 − ζ) 1 εR ≥ ζ = (34) k−mCAA γ 2qE 2 1 ε 1 ε2 1 − = ≥ (qE + 1)2 qE + 1 γ γe(qE + 1)2 )

where e is the base of the natural logarithm. This ends the proof. Now, for Game 2 applied to the Super Type 2 adversary where the adversary models the certified entities, we demand that signers are honest and that their tuples (ID, P kID , CertID ) have been registered with the TA. For this assumption, the following lemma can be demonstrated using the random oracle model: Lemma 3. Suppose that hash functions H1 and H2 are random oracles and that in Game 2 against the IE-CBS-kCAA scheme, adversary A2 models the certified users. If Type-II adversary A2 has a non-negligible advantage ε against our IE-CBS-kCAA scheme, then reduction R2 solves the DL problem for group G1 with non-negligible probability: εk−mCAA ≥

ε2 γe((qR + qC ) + 1)2

(35)

where e denotes the base of the natural logarithm where qR and qC denote the upper bound on the number of respective queries sent to Public-Key-Replacement-Query and Corruption-Query oracles where γ = qH2 is the upper bound on the number of queries sent to the H2 -Query oracle. Proof. As shown in algorithm R1 (see Lemma 2), we first describe wrapper B2 and then show how the reduction R2 involves invoking the FB2 algorithm on wrapper B2 to solve the DL problem. Algorithm R2 is given a random instance of the DL problem 4 = (G1 , p, P, αP ) for αP ∈ P kcert where P kcert is a set of users’ public keys P kID that were certified before the TA’s master secret key was compromised. The Wrapper Suppose that γ = qH2 and H = Zp . Wrapper B2 takes as arguments as challenge Pα = αP with α ∈ Zp and a set of random elements h1 , ..., hγ ∈ Zp . It returns a pair (J, σ) where J refers to the target H2 query and where σ is the side output. Algorithm B2 maintains counter ctr initially set to 1 and two tables LH1 and LH2 to manage the respective random H1 and H2 oracles. Algorithm B2 simulates the oracles and interacts with forger A2 as described below. In addition, adversary A2 ˆ = H2 (m, ˆ kID , U, cˆ), always requests a H2 hash of h ˆ wˆ1 + hP which it outputs as its forgery (see wrapper B1 ).

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

All oracles are simulated by wrapper B2 . However, unlike wrapper B1 for the Super Type 1 adversary, there are no Implicit-Cert-Gen-Query and Explicit-Cert-Gen-Query oracles. Algorithm B2 (4) Initialize. ctr = 0; lists LH1 and LH2 are empty. Setup. B2 sets P and Q as generators of groups G1 and G2 , respectively, and sets master public keys P0 = sP and Q0 = sP where s is a random number in Zp∗ . Next, B2 defines system parameters params = {G1 , G2 , GT , eˆ, P, P0 , Q, Q0 , H1 , H2 } and sends them to adversary A2 . Queries: A2 can query the following oracles over polynomial number of times. 1) Create-User-Query (params, ID). Suppose that a query is made on identity ID, B2 responds as follows: a) B2 scans list LU containing tuples hIDi , sIDi , P kIDi , coini i to check whether IDi = ID. when this is the case, the previously defined value P kIDi is returned. b) Otherwise, B2 flips a biased coin that outputs value coin = 1 with a probability of ζ or coin = 0 with a probability of 1 − ζ (a value of ζ is optimized later), and then: i) if coin = 0, sID ∈R Zp is selected at random and public key P kID = sID P is calculated; ii) otherwise, if coin = 1, value P kID ∈ P Kcert is randomly selected; iii) P kID is returned to A2 and tuple hIDi , ⊥, P kIDi , coini i is stored in the LU list. 00 0 2) H1 -Query (CIIDi , P kIDi , RIDi , RIDi ) Algorithm B2 0 maintains a list LH1 of tuples hCIIDi , P kIDi , RIDi , 00 RIDi , ci i. Upon receiving a query on (CIIDi , P kIDi , 00 0 RIDi , RIDi ), algorithm B2 returns ci directly, when 0 00 LH1 contains a tuple hCIIDi , P kIDi , RIDi , RIDi , ci i. Otherwise B2 randomly selects c ∈R Zp∗ , stores it in a 00 0 new tuple hCIIDi , P kIDi , RIDi , RIDi , ci and returns c. 0 3) H2 -Query (m, k1 P, U, H1 (CIIDi , P kIDi , RIDi , 00 RIDi )). Algorithm B2 maintains a list LH2 of tuples hmi , (k1 P )i , Ui , ci , ctri , w2,i,hi i. In this instance 0 (mi , k1 P, U, c), where c = H1 (CIIDi , P kIDi , RIDi , 00 RIDi ) is the query sent to H2 -Query with h being the corresponding output. B2 runs H2 -Query 0 00 (CIIDi , P kIDi , RIDi , RIDi ) and requests hash value c. Upon receiving a query on (m, k1 P, U, c), algorithm B2 returns hi directly when LH2 contains tuple hmi , (k1 P )i , Ui , ci , ctri , w2,i,hi i. Otherwise, B2 returns h = hctr as the output, adds a new tuple hmi , k1 P, U, c, ctr, ⊥, hi to LH2 and increments ctr by one. 0 4) Public-Key-Replacement-Query (ID, P kID , P kID ). For a public key replacement query: a) B2 tries to find a tuple hIDi , sIDi , P kIDi , coini i from list LU list such that IDi = ID and P kIDi = P kID . If one does not exist, B2 outputs ⊥. b) otherwise, B2 replaces hIDi , sIDi , P kIDi , coini i with 0 hIDi , ⊥, P kIDi , coini i. Here, the secret value corre-

11

sponding to the new public key is not needed to replace the public key, c) otherwise, B2 outputs failure (denoted by E11 and aborts. 5) Corruption-Query (ID). For corruption query ID, B2 checks for tuples hIDi , sIDi , P kIDi ,coini i in list LU . If such a tuple exits (i.e., ID = IDi ) and when coin = 1, B2 outputs failure (denoted by E11 ) and terminates the simulation. Otherwise, B2 returns sID to A2 . When a user with identity ID is not registered, B2 runs CreateUser-Query (params, ID) and outputs failure (coin = 1) or sID to A2 . 0 00 6) Super-Sign-Query (m, CIID , P kID , RID , RID ). On a sign query, B2 outputs ⊥ when a user with CI.ID has not been created. Otherwise: 0 00 a) if there is no tuple hCIIDj , P kIDj , RIDj , RIDj , cj i in LH1 such that CIIDj = CIID , P kIDj = P kID , 0 0 00 00 RIDj = RID and RIDj = RID , B2 runs H1 -Query 00 0 (CIID , P kID ,RID , RID ); b) next, B2 calculates the signature as follows: i) it sets c = cj , Cert = CertIDj ; ii) it selects w1 , w2 ∈R Zp∗ and E ∈R G1 at random and sets h = hctr ; 0 iii) it computes U = eˆ(cRID + P0 , E)w2 eˆ(Cert, 00 cRID + Q0 )h and k1 P = w1 P + hP kID ; c) B2 tries to find tuple (m, k1 P, U, c) in the LH2 list; when such a tuple appears in tuples hm, (k1 P )i , Ui , cj , ctri , w2,i , hi i of the LH2 list, i.e., m = mi , k1 P = (k1 P )i , U = Ui and c = cj , B2 increments index ctr by one and repeats from step (b) point (ii); d) B2 adds tuple hm, k1 P , U, c, ctr, w2 , hi to LH2 and increments ctr by one; 0 e) B2 returns tuple (m, σ = (h, w1 , w2 , E), P kID , RID , 00 RID , Cert) to A2 where σ denotes the signature given on a message m. Output. At the end of the simulation, successful adversary ˆ wˆ1 , wˆ2 , E), ˆ P kID , A2 outputs valid forgery (m, ˆ σ ˆ = (h, 00 0 00 0 ˆ CIID , P kID , RID , RID ), where RID , RID , CertID ) for (m, P kID is user ID original public key, as A2 is not allowed to replace the user’s public key. Let hID, ⊥, P kID , coini, 0 00 ˆ kID , U, ctrj , hi ˆ hCIID , P kID , RID , RID )i and hm, ˆ wˆ1 P +hP be respective tuples of LU , LH1 and LH2 that correspond to target valid forgery σ ˆ . Hence, wrapper B2 returns (ctrj , (coin, 0 ˆ ˆ ˆ 00 )) as its output. Note, that sideh, cˆ, U , E, P kID , RID , R ID ˆ cˆ, U , E, ˆ wˆ1 , P kID , R ˆ0 , R ˆ 00 ). output σ includes (coin, h, ID ID Remark. When an adversary outputs an invalid forgery, B2 outputs failure (denoted by E2 ) and aborts. End of Algorithm B2 (4) Reduction algorithm R2 Let 4 = (G1 , p, P , αP for αP ∈ P kcert be a given DL problem. Reduction algorithm R2 invokes general-forking algorithm FB2 to solve a DL problem. It runs FB2 on master public key P0 and on 4 with H1 -Query and H2 -Query involved in the replay attack. When FB2 fails, R2 aborts outputs failure (denoted by E4 ) and halts. Conversely, when FB2 is successful, R2 returns a set of two valid side-outputs

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

12

into two unknowns and solves for α. It can be verified that R2 indeed returns the correct solution to the DL problem. Algorithm R2 (4) (b, {σ0 , σ1 }) $ FB2 (4) ← − if (b == 0) then return 0 // Event E3 0 00 ˆ i , cˆi , U ˆi , E ˆi , w parse σi as (βˆi , h ˆ1,i , P k, R , R ) ˆ0 = U ˆ1 and cˆ0 = cˆ1 let βˆ = βˆ0 = βˆ1 , U ˆ if β == 1 then ˆ0 − h ˆ 1 )−1 (w return α = (h ˆ1,0 − w ˆ1,1 ) otherwise return 0 // Event E4 End of Algorithm R2 (4) Correctness of the solution to the DL problem When general forking is successful, R2 obtains two (related) sets of side outputs σ0 and σ1 where σi (for i = 0, 1) is 0 00 ˆ i , cˆi , U ˆi , E ˆi , w written as (βˆi , h ˆ1,i , P k, R , R ). To measure this, compare output σ to wrapper B2 . Additionally, we ˆ0 = U ˆ1 ∧ βˆ0 = βˆ1 ) and P k = αP . R2 outputs assume that (U failure (denoted by E4 ) and stops if βˆ is equal to 0. Based on side outputs σ0 and σ1 , we can build a system of two congruences for unknowns α and k1 : w ˆ1,0 w ˆ1,1

ˆ 0α = kˆ1 + h ˆ 1α = kˆ1 + h

(mod p)

w ˆ1,0 − w ˆ1,1 ˆ0 − h ˆ1 h

(mod p)

(mod p)

(37)

Note that equation (37) is precisely what we obtain as an output of algorithm R2 . Probability analysis According to the simulation, algorithm R2 can calculate value α when and only when the following main events occur: ¬E1 : B2 does not fail during the simulation, ¬E2 : A2 outputs a valid forgery, ¬E3 : FB2 does not fail, ¬E4 : R2 does not fail, i.e., in interaction with adversary ˆ which is A2 outputs two valid forgeries with coin value β, equal to 1. Hence, FB2 is successful during the first run when it is not stopped in the query phase (event E1 does not occur), and adversary A2 produces a valid forgery (event E2 does not occur). The advantage of FB2 is written as: acc2 ≥ P r[¬E1 ∧ ¬E2 ] = P r[¬E1 ]P r[¬E2 , ¬E1 ]

P r[¬E3 ∧ ¬E4 ] = P r[¬E3 ]P r[¬E4 , ¬E3 ]

(40)

Let gf rk be the probability with which FB2 is successful. As event E3 occurs when FB2 fails, we have: P r[¬E3 ] = gf rk

(41)

From the general-forking lemma (see Eq. (22)) for γ = qH2 and |H| = p, we have: 1 acc2 − ≥ (42) gf rk ≥ acc2 γ p 1 (1 − ζ)qR +qC ε− ≥ (1 − ζ)qR +qC ε γ p The probability that event E4 does not occur, when event E3 has not occurred, is the same as the probability with which the coin value βˆ of valid forgeries is not equal to 0. Thus: P r[¬E4 |¬E3 ] = ζ 2

(43)

(36)

From the above equations, α can be solved using the expression given below: α=

Now, the advantage of algorithm R2 in solving DL problem is:

(38)

Event E1 occurs only when: 1) B2 does not output failure E11 during the simulation of Public-Key-Replacement-Query; this occurs for probability (1 − ζ)qR ; 2) B2 does not output failure E12 during the simulation of Corruption-Query; this occurs for probability (1 − ζ)qC ; Therefore: (39) P r[¬E1 ] = (1 − ζ)qR +qC In addition, the probability that of adversary A2 producing a valid forgery when events E1 do not occur is equal to P r[¬E2 |¬E1 ] = ε.

Therefore, chance of R2 being successful in solving the DL problem can be calculated as follows: (1 − ζ)qR +qC 1 2 qR +qC 2 εR ≥ ζ (1 − ζ) ε ε − (44) DL γ p Assuming p >> 1, the above expression is maximized at ζ = 1/(1 + qR + qC ). Therefore: (1 − ζ)2(qR +qC ) ε2 = (45) γ 2qE 2 1 1 ε = ≥ 1− ((qR + qC ) + 1)2 (qR + qC ) + 1 γ ε2 ≥ γe((qR + qC ) + 1)2

2 2 εR DL ≥ ζ

where e is the base of the natural logarithm. This ends the proof. VI. P ERFORMANCE EVALUATION In this section, we compare IE-CBS-kCAA scheme to other existing schemes with similar constructions. Our comparison is based on results presented in [31]. Operations such as those involving: hashing, Zp∗ (inversion, addition, multiplication), multiplication with GT and addition with G1 or G2 are omitted from our efficiency comparison, as these are several orders of magnitude more efficient than pairings, scalar multiplications of G1 or G2 and exponentiations of GT . In Tables I and II, the proposed scheme is compared to other schemes (|G1 | and |Zp | are the bit lengths of an element in G1 and Zp , MG denotes scalar multiplication with G1 or G2 , eˆ is a bilinear pairing on G1 × G1 and PGT denotes exponentiation in GT ). The proposed scheme offers the same level of security as WMSH Scheme II and the IE-CBHS scheme (Table III). The scheme involves employing a comparable number of time-intensive operations when compared to other schemes and is slightly more efficient than the IE-CBHS scheme.

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

13

TABLE I P ERFORMANCE COMPARISON 1/2 ( BASED ON [31]) Scheme

Type

Public Key Size

Signature Size

LHMSW J. Li et al. [23] LHZX J. Li et al. [26] CBSa Kang et al. [21] WMSH Scheme II W. Wu et al. [24] IE-CBHS scheme T. Hyla et al. [31] Proposed IE-CBS-kCAA

I-CBS

|G1 |

2|G1 |

I-CBS

2|G1 |

|G1 |

I-CBS

|G1 |

3|G1 |

I-CBS

|G1 |

|G1 | + 2|Zp |

IE-CBS

|G1 |

|G1 | + 2|Zp |

IE-CBS

|G1 |

|G2 | + 3|Zp |

TABLE II P ERFORMANCE COMPARISON 2/2 ( BASED ON [31]) Scheme

Sign

Verify

LHMSW J. Li et al. [23] LHZX J. Li et al. [26] CBSa Kang et al. [21] WMSH Scheme II W. Wu et al. [24] IE-CBHS scheme T. Hyla et al. [31] Proposed IE-CBS-kCAA

3MG

3ˆ e

MG

eˆ + MG

3MG

3ˆ e + 2MG

eˆ + 4MG

2ˆ e + 3MG

eˆ + 3MG

2ˆ e + 7MG

2MG + PGT

2ˆ e + 6MG

The execution time of the Sign and Verification algorithms was tested using three test computers (1 - Intel Core i7 [email protected],20 GHz, 32GB RAM; 2 - Intel Core i7 [email protected],50 GHz, 12 GB RAM; and 3 - Intel Xeon [email protected],67 GHz, 8GB RAM) using a single thread. The scheme was implemented using a MIRACL library [40] using and Type 3 asymmetric pairing (ate pairing) (MIRACL library: MR PAIRING BLS k=24 curve, AES-256 SECURITY). Time was measured using a C++ chrono library and results are presented as the average of five repetitions. Execution times required for the Sign and Verification algorithms (Table IV) are less than one second when using computers that are several years old; thus, the scheme is suitable for practical use.

TABLE III A DVERSARY TYPES ( BASED ON [31]) Scheme

Security level

LHMSW J. Li et al. [23] LHZX J. Li et al. [26] CBSa Kang et al. [21] WMSH Scheme II W. Wu et al. [24] IE-CBHS scheme T. Hyla et al. [31] Proposed IE-CBS-kCAA

Normal A1 and Normal A2 Normal A1 and Super A2 Strong A1 and Strong A2 Super A1 and Super A2 Super A1 and Super A2 Super A1 and Super A2

TABLE IV S IGN AND

VERIFICATION ALGORITHM EXECUTION TIME

No. of test computer

Sign [ms]

Verify [ms]

1 2 3

120 184 263

381 580 832

VII. C ONCLUSIONS AND FUTURE WORKS The use of the difficult computational k-CAA problem and its various variants to design new cryptographic schemes (including digital signature schemes) has been of interest to many researchers. Most of the proposed schemes have been compromised, which means that designing an encryption scheme based on the k-CAA problem or its variant is still an important research challenge. The IE-CBS-kCAA signature scheme presented in the paper is resistant to the strongest attacks performed by Super Type I/II adversaries (Tab. III). Hence, the adversary following the rules of the game conducted with the challenger in the random oracle model is unable to create a valid signature for any message. It was shown in the paper that such a case is possible only if the challenger with the help of the adversary would be able to solve both the modified Collusion Attack Algorithm with k traitors (k-mCAA), as well as the discrete logarithm problem (DL). In comparison to the analysed signature schemes, the proposed scheme is also computationally effective (Tab. I and II). In particular, the generation of a signature is effective (Tab. IV), which results from the lack of necessity to calculate the value of a bilinear pairing. Computational experiments have also shown that the actual times of signature calculation and verification are acceptable to potential users. The IE-CBS-kCAA signature scheme has interesting property giving users the opportunity to work with an explicit and implicit certificate or with an implicit one only (see: section V.B). We are convinced that this property can be used to extend the scheme by the possibility of effective revocation of the explicit certificate and the implicit one as well. In such a case, the explicit certificate will play the role of a long-term certificate, while the implicit certificate acts as a short-term certificate. This should allow for the solution of a significant practical problem of the validity of an explicit and/or implicit certificate at the time of signing (H. Baier et al. [41]). This problem occurs in traditional PKI infrastructures, but it also appears in non-standard infrastructures with many trusted authorities TA. The solution to this problem will be the subject of our further work. R EFERENCES [1] T. Hyla and J. Peja´s, “A signature scheme based on implicit and explicit certificates against k-traitors collusion attack,” in Computer Information Systems and Industrial Management: 16th IFIP TC8 International Conference, CISIM 2017, Bialystok, Poland, June 16-18, 2017, Proceedings, K. Saeed, W. Homenda, and R. Chaki, Eds. Cham: Springer International Publishing, 2017, pp. 638–651. [2] S. Mitsunari, R. Sakai, and M. Kasahara, “A new traitor tracing,” IEICE Trans., A, vol. 85, no. 2, pp. 481–484, feb 2002. [Online]. Available: http://ci.nii.ac.jp/naid/110003216755/en/

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

[3] L. Chen and Z. Cheng, “Security proof of sakai-kasahara’s identitybased encryption scheme,” in Cryptography and Coding: 10th IMA International Conference, Cirencester, UK, December 19-21, 2005. Proceedings, N. P. Smart, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005, pp. 442–459. [4] N. E. Mrabet and M. Joye, Guide to Pairing-Based Cryptography. Chapman & Hall/CRC, 2016. [5] R. Sakai and M. Kasahara, “Id based cryptosystems with pairing on elliptic curve,” IACR Cryptology ePrint Archive, vol. 2003, 2003. [Online]. Available: http://eprint.iacr.org/2003/054 [6] F. Zhang, R. Safavi-Naini, and W. Susilo, “An efficient signature scheme from bilinear pairings and its applications,” in Public Key Cryptography – PKC 2004: 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, March 1-4, 2004. Proceedings, F. Bao, R. Deng, and J. Zhou, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004, pp. 277–290. [7] M. Scott, “Computing the tate pairing,” in Topics in Cryptology – CTRSA 2005: The Cryptographers’ Track at the RSA Conference 2005, San Francisco, CA, USA, February 14-18, 2005. Proceedings, A. Menezes, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005, pp. 293–304. [8] B. C. Hu, D. S. Wong, Z. Zhang, and X. Deng, “Certificateless signature: a new security model and an improved generic construction,” Designs, Codes and Cryptography, vol. 42, no. 2, pp. 109–126, Feb 2007. [9] P. S. L. M. Barreto, B. Libert, N. McCullagh, and J.-J. Quisquater, “Efficient and provably-secure identity-based signatures and signcryption from bilinear maps,” in Advances in Cryptology - ASIACRYPT 2005: 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, December 4-8, 2005. Proceedings, B. Roy, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005, pp. 515–532. [10] H. Du and Q. Wen, “An efficient identity-based short signature scheme from bilinear pairings,” in 2007 International Conference on Computational Intelligence and Security (CIS 2007), Dec 2007, pp. 725–729. [11] M. Girault, “Self-certified public keys,” in Advances in Cryptology — EUROCRYPT ’91: Workshop on the Theory and Application of Cryptographic Techniques Brighton, UK, April 8–11, 1991 Proceedings, D. W. Davies, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1991, pp. 490–497. [12] S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in 9th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, November 30 December 4, 2003, Proceedings, C. S. Laih, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2003, pp. 452–473. [13] H. Du and Q. Wen, “Efficient and provably-secure certificateless short signature scheme from bilinear pairings,” Computer Standards and Interfaces, vol. 31, no. 2, pp. 390 – 394, 2009. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0920548908000664 [14] C.-I. Fan, R.-H. Hsu, and P.-H. Ho, “Truly non-repudiation certificateless short signature scheme from bilinear pairings,” JOURNAL OF INFORMATION SCIENCE AND ENGINEERING, vol. 27, pp. 969–982, 2011. [15] K. Y. Choi, J. H. Park, and D. H. Lee, “A new provably secure certificateless short signature scheme,” Computers & Mathematics with Applications, vol. 61, no. 7, pp. 1760 – 1768, 2011. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0898122111000897 [16] Y. C. Chen and G. Horng, “On the security models for certificateless signature schemes achieving level 3 security,” IACR Cryptology ePrint Archive 554, vol. 2011. [17] G. Sharma, S. Bala, and A. K. Verma, “On the security of certificateless signature schemes,” International Journal of Distributed Sensor Networks, vol. 9, no. 6, p. 102508, 2013. [18] Y.-C. Chen, R. Tso, G. Horng, C.-I. Fan, and R.-H. Hsu, “Strongly secure certificateless signature: Cryptanalysis and improvement of two schemes.” J. Inf. Sci. Eng., vol. 31, no. 1, pp. 297–314, 2015. [Online]. Available: http://dblp.uni-trier.de/db/journals/jise/jise31.html [19] X. Huang, W. Susilo, Y. Mu, and F. Zhang, “On the security of certificateless signature schemes from asiacrypt 2003,” in Cryptology and Network Security: 4th International Conference, CANS 2005, Xiamen, China, December 14-16, 2005. Proceedings, Y. G. Desmedt, H. Wang, Y. Mu, and Y. Li, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005, pp. 13–25. [20] C. Gentry, “Certificate-based encryption and the certificate revocation problem,” in Advances in Cryptology — EUROCRYPT 2003: International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, May 4–8, 2003 Proceedings, E. Biham, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2003, pp. 272– 293.

14

[21] B. G. Kang, J. H. Park, and S. G. Hahn, “A certificate-based signature scheme,” in Topics in Cryptology – CT-RSA 2004: The Cryptographers’ Track at the RSA Conference 2004, San Francisco, CA, USA, February 23-27, 2004, Proceedings, T. Okamoto, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004, pp. 99–111. [22] J. Li, L. Xu, and Y. Zhang, “Provably secure certificate-based proxy signature schemes,” Journal of Computers, pp. 444–452, 2009. [23] J. Li, X. Huang, Y. Mu, W. Susilo, and Q. Wu, “Certificate-based signature: Security model and efficient construction,” in Public Key Infrastructure: 4th European PKI Workshop: Theory and Practice, EuroPKI 2007, Palma de Mallorca, Spain, June 28-30, 2007. Proceedings, J. Lopez, P. Samarati, and J. L. Ferrer, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2007, pp. 110–125. [24] W. Wu, Y. Mu, W. Susilo, and X. Huang, “Certificate-based signatures revisited,” Journal of Universal Computer Science, vol. 15, no. 8, pp. 1659–1684, 2009. [25] J. K. Liu, F. Bao, and J. Zhou, “Short and efficient certificate-based signature,” in NETWORKING 2011 Workshops: International IFIP TC 6 Workshops, PE-CRN, NC-Pro, WCNS, and SUNSET 2011, Held at NETWORKING 2011, Valencia, Spain, May 13, 2011, Revised Selected Papers, V. Casares-Giner, P. Manzoni, and A. Pont, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2011, pp. 167–178. [26] J. Li, X. Huang, Y. Zhang, and L. Xu, “An efficient short certificatebased signature scheme,” J. Syst. Softw., vol. 85, no. 2, pp. 314–322, Feb. 2012. [Online]. Available: http://dx.doi.org/10.1016/j.jss.2011.08.014 [27] L. Cheng, Y. Xiao, and G. Wang, “Cryptanalysis of a certificate-based on signature scheme,” Procedia Engineering, vol. 29, pp. 2821 – 2825, 2012, 2012 International Workshop on Information and Electronics Engineering. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1877705812004079 [28] Y.-H. Hung, S.-S. Huang, and Y.-M. Tseng, “A short certificate-based signature scheme with provable security,” Information Technology and Control, vol. 45, no. 3, pp. 243–253, 2015. [29] T. Hyla, W. Ma´ck´ow, and J. Peja´s, “Implicit and explicit certificatesbased encryption scheme,” in Computer Information Systems and Industrial Management: 13th IFIP TC8 International Conference, CISIM 2014, Ho Chi Minh City, Vietnam, November 5-7, 2014. Proceedings, K. Saeed and V. Sn´asˇel, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2014, pp. 651–666. [30] T. Hyla and J. Peja´s, “Non-standard certification models for pairing based cryptography,” in Hard and Soft Computing for Artificial Intelligence, Multimedia and Security, S.-y. Kobayashi, A. Piegat, J. Peja´s, I. El Fray, and J. Kacprzyk, Eds. Cham: Springer International Publishing, 2017, pp. 167–181. [31] T. Hyla and J. Peja´s, “A hess-like signature scheme based on implicit and explicit certificates,” The Computer Journal, vol. 60, no. 4, pp. 457–475, March 2017. [32] A. Miyaji, M. Nakabayashi, and S. Takano, “New explicit conditions of elliptic curve traces for fr-reduction,” IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences, vol. 84, no. 5, pp. 1234–1243, may 2001. [Online]. Available: http://ci.nii.ac.jp/naid/110003208926/en/ [33] P. S. L. M. Barreto and M. Naehrig, “Pairing-friendly elliptic curves of prime order,” in Selected Areas in Cryptography: 12th International Workshop, SAC 2005, Kingston, ON, Canada, August 11-12, 2005, Revised Selected Papers, B. Preneel and S. Tavares, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2006, pp. 319–331. [34] S. K. H. Islam and G. P. Biswas, “An efficient and provably - secure digital signature scheme based on elliptic curve bilinear pairings,” Theoretical and Applied Informatics, vol. 24, no. 2, pp. 109–118, 2012. [35] X. Huang, Y. Mu, W. Susilo, D. S. Wong, and W. Wu, “Certificateless signatures: New schemes and security models,” Comput. J., vol. 55, no. 4, pp. 457–474, Apr. 2012. [Online]. Available: http://dx.doi.org/10.1093/comjnl/bxr097 [36] M. Bellare and G. Neven, “Multi-signatures in the plain public-key model and a general forking lemma,” in Proceedings of the 13th ACM Conference on Computer and Communications Security, ser. CCS ’06. New York, NY, USA: ACM, 2006, pp. 390–399. [Online]. Available: http://doi.acm.org/10.1145/1180405.1180453 [37] S. Chatterjee, C. Kamath, and V. Kumar, “Galindo-garcia identity-based signature revisited,” in Information Security and Cryptology – ICISC 2012: 15th International Conference, Seoul, Korea, November 28-30, 2012, Revised Selected Papers, T. Kwon, M.-K. Lee, and D. Kwon, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2013, pp. 456–471. [38] S. Chatterjee and C. Kamath, “A closer look at multiple forking: Leveraging (in)dependence for a tighter bound,” Algorithmica,

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2868512, IEEE Access IEEE ACCESS , VOL. X, NO. X, XXX 2018

15

vol. 74, no. 4, pp. 1321–1362, Apr. 2016. [Online]. Available: http://dx.doi.org/10.1007/s00453-015-9997-6 [39] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the weil pairing,” Journal of Cryptology, vol. 17, no. 4, pp. 297–319, Sep 2004. [Online]. Available: https://doi.org/10.1007/s00145-004-0314-9 [40] CertiVox/MIRACL, “Miracl cryptographic sdk: Multiprecision integer and rational arithmetic cryptographic library,” 2017-09-01, 7.0.0. [Online]. Available: https://github.com/CertiVox/MIRACL [41] H. Baier and V. Karatsiolis, “Validity models of electronic signatures and their enforcement in practice,” in Public Key Infrastructures, Services and Applications, F. Martinelli and B. Preneel, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010, pp. 255–270.

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.