Strongly Secure Certificateless Signature Scheme Supporting Batch Verification

Fan, Chun-I; Ho, Pei-Hsiu; Tseng, Yi-Feng

doi:https://doi.org/10.1155/2014/854135

Mathematical Problems in Engineering

On this page

Abstract Introduction Preliminaries Conclusions Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2014 | Article ID 854135 | https://doi.org/10.1155/2014/854135

Strongly Secure Certificateless Signature Scheme Supporting Batch Verification

Chun-I Fan,¹Pei-Hsiu Ho,²and Yi-Feng Tseng¹

Academic Editor: Jian Guo Zhou

Received14 Nov 2013

Revised07 Mar 2014

Accepted13 Mar 2014

Published16 Apr 2014

Abstract

We propose a strongly secure certificateless signature scheme supporting batch verification, which makes it possible for a verifier to verify a set of signatures more efficiently than verifying them one by one. In an identity-based digital signature scheme, private key generator (PKG) knows each user's signing key, so it can generate a signature which is indistinguishable from the signature generated by the user. This is a serious problem because the property of signature nonrepudiation will not be achieved. In our proposed scheme, it is impossible for PKG to produce a signature which is indistinguishable from any signature produced by a user. Compared with existing signature schemes with batch verification, although our proposed scheme is not the most efficient one, it achieves Girault's level-3 security, while the others have Girault's level-1 or level-2 security only. We also formally prove that the proposed scheme is unforgeable and satisfies Girault's level-3 security based on hard problems.

1. Introduction

In traditional certificate-based public-key cryptosystems, a user’s public key is produced and is not related to her/his identity. Therefore, the key needs to be certificated by some certification authority (CA) with respect to the user’s identity. Anyone who wants to use the public key must verify the validity of the corresponding certificate for the key first. Considering implementation, the management of public key certificates requires a large amount of computation cost and storage.

To reduce the cost of certificate management, Shamir [1] proposed identity based public key cryptography (ID-PKC) in 1984. In ID-PKC, a user’s public key can be an arbitrary bit string which can represent the user’s identity, such as her/his email address or telephone number. And the user’s corresponding private key is computed by a trusted party, called private key generator (PKG) [2].

An inherent problem of ID-PKC is the key escrow problem. That is, the private key of a user is known to PKG. PKG can act as any user to decrypt any ciphertext or generate a signature on any message. To solve this problem, Al-Riyami and Paterson [3] proposed certificateless public key cryptography (CL-PKC) in 2003. In CL-PKC, a user’s secret key is a combination of the secret key, computed by PKG using its master secret key, and a user-chosen secret. Thus, PKG cannot know the complete secret key of the user.

In 2003, a certificateless public-key signature scheme [3] was proposed, but it suffered from the key replacement attack [4]. After that, several certificateless signature schemes [5–18] were introduced recently. In 2007, Hu et al. [19] proposed a new security model and an improved generic construction for certificateless signatures. It showed that certificateless signatures should satisfy the property of Girault’s level-3 security [20]. If a certificateless signature scheme meets the above property, the framework of CL-PKC will be with the same security level as that of the traditional certificate-based public key cryptosystems.

In 1989, batch cryptography was first introduced by Fiat [21]. In a signature scheme with batch verification, the cost for verifying signatures is less than verifying them one by one. After [21], some results [22–24] about batch verification based on RSA or DLP have been proposed. In 2004, Yoon et al. proposed an ID-based signature scheme with batch verification [25], but their security proof does not meet the definition of batch verification [26]. After that, some ID-based and group signature schemes with batch verification were proposed in [27–34], respectively, but only [29] is a certificateless signature scheme. Besides, the randomization technique [26, 35–39] for the security of signatures with batch verification was introduced. The technique can withstand the attack that an attacker cheats a verifier to accept invalid signatures.

In this paper, we will design a certificateless signature scheme with efficient batch verification. The computation cost of our scheme in batch verification is only three pairings and it is independent of the number of individual signatures which will be verified. Furthermore, our scheme satisfies Girault’s level-3 security. Compared to certificateless, ID-based, and group signature schemes with batch verification [7, 11, 14, 16, 27–34], our scheme achieves Girault’s level-3 security, while [27–34] meet Girault’s level-1 security and [7, 11, 14, 16, 29] satisfy Girault’s level-2 security only. Compared to [5, 13], which also achieve Girault’s level-3 security, our scheme is more efficient in verification because of the batch property.

The rest of this paper is organized as follows. In Section 2, we introduce some preliminaries about mathematical backgrounds and definitions. In Section 3, we present the proposed scheme. In Section 4, we provide formal security proofs for our scheme. We compare the proposed scheme with [5, 7, 11, 13, 14, 16, 27–34] in Section 5. Finally, a concluding remark is given in Section 6.

2. Preliminaries

In this section, we review the properties of bilinear groups and some related hard problems.

Let and be two cyclic groups of prime order . Let be a randomly chosen generator of and let be a bilinear mapping such that : , which satisfies the following properties.(1)Bilinearity: for all , and .(2)Nondegeneracy: there exists such that .(3)Computability: there exists an efficient algorithm to compute for any .

Definition 1 (batch verification of signatures [35]). Let be the security parameter. Suppose that is a signature scheme, polynomial(), and are generated independently according to () where and are a user ’s public key and secret key, respectively. Then, we call probabilistic a batch verification algorithm when the following conditions hold.(i)If for all , then where and are a message and a signature, respectively.(ii)If for some , then with probability negligible in , taken over the randomness of .

Definition 2 (a certificateless signature scheme with batch verification). A certificateless signature scheme with batch verification consists of the following algorithms.(i): PKG randomly chooses a secret key and computes the public key by using the secret key. Then, it publishes and other system parameters.(ii): a user first randomly chooses a secret key , computes corresponding public key and then sends to PKG. After receiving , PKG outputs a partial private key to a legal user with identity .(iii): this algorithm gets a user’s public key , the user’s partial private key , the user’s secret key , and a message and then it outputs a signature on .(iv): this algorithm gets a signature on a message , a signer’s identity , and a signer’s public key . It then outputs True or False.(v): this algorithm gets signatures on message , the signers’ identities , and the signers’ public keys , respectively. This algorithm outputs True or False.

Definition 3 (Girault’s security [19, 20]). Girault proposed three security levels to classify the levels of trust to PKG. The three levels are described as follows.(i)Level 1: PKG knows the secret of any user.(ii)Level 2: PKG cannot find out all the information of a user’s secret. However, PKG can generate a contradictory public key (or a contradictory certificate) and impersonate the user to generate signatures with respect to the contradictory public key.(iii)Level 3: PKG cannot find out all the information of a user’s secret nor generate a contradictory public key. PKG can only generate a valid public key (or a valid certificate).

Definition 4 (the computational Diffie-Hellman (CDH) problem). Let be a cyclic group of order and let be a generator of . Given for some , compute .

3. Our Proposed Scheme

In this section, we propose an efficient certificateless signature scheme with batch verification based on [15]. is an additive group and is a multiplicative group. Let and be two cyclic groups of prime order . Let be a randomly chosen generator of and a bilinear mapping such that . The details of our scheme are described as follows.

Setup. PKG performs the following operations.(1)Choose an integer and randomly, and set .(2)Choose four cryptographic one-way hash functions, , , , , and .(3)Publish the system parameters and keep the master key secret.

Key Generating Phase(1)A user with identity randomly chooses and computes , where and are called the secret key and the public key, respectively, of user .(2)The user sends to PKG.(3)PKG gets and .(4)PKG computes and and sends to the user via a secret channel. The pair is called the partial private key of user . The private key of user consists of and .

Signing Phase. Assume that a signer wants to sign a message . The signer does the following works.(1)Choose and randomly.(2)Compute and .(3)Compute , , and .(4)Compute .(5)The signature on is .

Verifying Phase. To verify a signature on message , a verifier should do the following works.(1)Compute , , , , and .(2)Verify if . If it is true, the verifier accepts the signature; otherwise, the verifier rejects it.

Batch Verifying Phase. To verify signatures of the signers on message , respectively, a verifier performs the following works.(1)Choose randomly.(2)Compute , , , for , and .(3)Verify if . If it is true, the verifier accepts the signatures.

Correctness. Consider

4. Security Models and Formal Proofs

4.1. Security Models

A simulator simulates an environment such that an adversary can query signatures from . If can forge a signature, can use the output from to solve a hard problem.

We classify adversary into three types. The adversary of type I cannot access the master secret key and query the partial private key of target ID. The adversary of type II can access the master secret key but cannot query target ID’s secret key nor replace her/his public key. The adversary of type III is to simulate the environment for the proof of that a user cannot produce a signature with a new public-secret key pair, which is different from his own one, without the corresponding partial private key generated from the master secret key.

We define the capability of which can be captured by the following queries.(i): if inputs a user’s identity to , will output a randomly chosen as the user’s public key.(ii): when inputs a public key to , outputs a randomly chosen .(iii): if inputs a message and , will output an integer randomly chosen in .(iv): if inputs a message , , and , will output a random integer in .(v): if inputs a string , will output an element randomly chosen in .(vi): if inputs a user’s identity, , then will output the user’s public key .(vii): if inputs a user’s identity and the user’s public key , will output the partial private key .(viii): if inputs a user’s identity, , will output the secret key of user to .(ix): when inputs a user’s identity and the user’s new public key , will replace with . The new partial private key can be obtained by querying .(x): if inputs a user’s identity and a message , will output a user ’s signature on to .

Definition 5 (the CDH assumption). We say that the -CDH assumption holds in if no polynomial-time algorithm within running time can solve the CDH problem with probability at least .

Definition 6 (the unforgeability game I). Let be a polynomial-time attacker of type I. interacts with a challenger in the following game.(i)Step 1: runs the setup algorithm of a certificateless signature scheme with batch verification. publishes the public parameters.(ii)Step 2: queries , , , , , , , , , and in an arbitrary sequence.(iii)Step 3: outputs signatures on corresponding to the signers with the public keys , respectively.
wins the game if (1) = True;(2)there exists whose has not been queried to oracle;(3) has never been queried.
The scheme is (, I)-unforgeable if no polynomial-time attacker , with running time at most , can win the unforgeability game I with probability at least .

Definition 7 (the unforgeability game II). Let be a polynomial-time attacker of type II. interacts with a challenger in the following game.(i)Step 1: runs the setup algorithm of a certificateless signature scheme with batch verification. publishes the public parameters and sends the master secret key to .(ii)Step 2: queries , , , , , , , , , and in an arbitrary sequence.(iii)Step 3: outputs signatures on corresponding to the signers with the public keys , respectively.
wins the game if (1) = True;(2)there exists whose has not been queried to oracle;(3)Neither nor has been queried.
The scheme is (, II)-unforgeable if no polynomial-time attacker , with running time at most , can win the unforgeability game II with probability at least .

Definition 8 (the unforgeability game III [19]). Let be a polynomial-time attacker of type III. interacts with a challenger in the following game.(I)Step 1: runs the setup algorithm of a certificateless signature scheme with batch verification. publishes the public parameters.(II)Step 2: queries , , , , , , , , and in an arbitrary sequence.(III)Step 3: outputs a signature on a message for the user .
wins the game if(1) True;(2)User has been created, that is, , , and have been queried;(3) is different from all of the public keys ’s returned by or used to query .
The scheme is (, III)-unforgeable if no polynomial-time attacker , with running time at most , can win the unforgeability game III with probability at least .

4.2. Formal Proofs

In this section, we will prove that our scheme is unforgeable based on the CDH assumption.

Lemma 9 (the forking lemma [40]). Let be a valid signature-message triple of a signature scheme and the hashed value of where is a plaintext message, is a string, and is called the signature part of the triple. Let be a probabilistic polynomial-time Turning machine. Given only the public data of the signature scheme as input, if can find, with nonnegligible probability, a valid signature-message triple with , then, with nonnegligible probability, a replay of this machine, with the same random tape and a different value returned by the random oracle, outputs two valid signature-message triples with and with such that .

Lemma 10 (the splitting lemma [40]). Let such that . For any , define and then the following statements hold: (1) ,(2) ,(3) .

Theorem 11. Given 5-tuples ’s, if where is randomly chosen in , , and for each , the probability of that for some is .

Proof. The proof is based on [35, 37]. If for some , we have that for some . Thus, there exists (mod ) such that for some .
Let and , . As , (mod ) and thus mod . Since is randomly chosen in , the probability of mod is , which is negligible.

Theorem 12. The proposed scheme is ()-unforgeable assuming that the -CDH assumption holds in where , (1), , , , , , , , , , and being the numbers of queries to , , , , , , , , , and , respectively, and , , , , , , , , , and being the computing time of the queries to , , , , , , , , , and , respectively.

Proof. Assume that a polynomial-time attacker wins the game of Definition 6 with probability being at least within running time . A simulator is given an instance of the CDH problem , and ’s goal is to output the value of . We will construct which plays the game in Definition 6 with and outputs the value of .
Setup. sets and chooses randomly. Then, publishes , , , , , , , , }.
can respond to the queries from as follows.(i) query: constructs a list, -list, and chooses an identity randomly. When queries to , checks whether is in -list or not. If does not exist in -list, then there are the following two cases. Case 1: if , sets and stores in -list. Case 2: if , sets where is randomly chosen in and stores in -list. However, if exists in -list, gets its mapping value, or . Finally, returns .(ii) query: constructs a list, -list. If queries to where , checks whether is in -list or not. If it does not exist in -list, randomly chooses and records in -list; else, gets its mapping value, , from -list. Then, returns to .(iii) query: constructs -list. If queries to , checks whether is in -list or not. If not, randomly chooses and records in -list; else, gets its mapping value, , from -list. Then, returns to .(iv) query: constructs -list. When queries to , checks whether is in -list or not. If not, randomly chooses and records in -list; otherwise, gets its mapping value, , from -list. Then, responds to .(v) query: constructs -list. If queries with a string to , checks whether is in -list or not. If does not exist in -list, then there are the following two conditions. Condition 1: if , sets where is randomly chosen in and stores in -list. Condition 2: if , sets where is randomly chosen in and stores in -list. However, if exists in -list, gets its mapping value, or . Finally, returns .(vi) query: constructs a list, -list. When queries to , looks up -list. If is not found in -list, randomly chooses , computes , and stores in -list; otherwise, gets from -list. Finally, returns .(vii) query: if queries to , looks up -list, -list, and -list. If , returns “failure.” If is not found in -list, queries and gets from -list; else, retrieves from -list. If is not in -list, queries and obtains ; otherwise, catches from -list. If , returns “failure.” Then, if is not found in -list, queries and gets ; else, retrieves from -list. Finally, returns .(viii) query: if queries to , looks up -list. If is not found in -list, queries and gets ; if there is a record , then retrieves from -list and returns .(ix) query: when queries (, ) to , looks up -list. If is not found in -list, queries . Then, replaces the record with in -list.(x) query: when queries to , if , does the following works.(1)Choose , , and randomly;(2)compute and ;(3)set ;(4)compute and ;(5)compute ;(6)form .Thus, the signature on is and it satisfies the verifying formula in Section 3.
If , can return a signature on to because can compute all secrets of user . Finally, suppose that outputs, with probability at least , signatures on of the signers , respectively, such that (1) = True;(2)there exists which is not the output from ;(3) has never been queried.
From Lemma 9, we fork the sequence of signatures one time and get on by setting . Thus, we randomly choose ’s and obtain the following two equations: with probability being at least by Lemma 10, where , , , , and .
We assume that . By Theorem 11, we have that with probability being at least . Thus, we can compute , which is , to solve the CDH problem with and .

Theorem 13. The proposed scheme is (, , , II)-unforgeable assuming that the -CDH assumption holds in where (1), , , , , , , , , , and are the numbers of queries to , , , , , , , , , and , respectively, and , , , , , , , , , and are the computing time of the queries to , , , , , , , , , and , respectively.

Proof. Assume that a polynomial-time attacker wins the game of Definition 7 with probability at least within running time . A simulator is given an instance of the CDH problem , and ’s goal is to output the value of . We will construct which plays the game in Definition 7 with and outputs the value of .
Setup. sets where is randomly chosen in and chooses randomly. Then, publishes , , , , , , , , and sends to . can respond to the queries from as follows.(i) query: constructs a list, -list. When queries to , checks whether is in -list or not. If does not exist in -list, sets where is a random integer in and records (, , ) in -list; else, gets its mapping value, , from -list. Then, returns to .(ii) query: constructs -list. If queries with a string to , checks whether is in -list or not. If does not exist in -list, then there are the following two conditions. Condition 1: if , sets and stores in -list. Condition 2: if , sets where is randomly chosen in and stores in -list. However, if exists in -list, gets its mapping value, or . Finally, returns .(iii)The simulations for , , , and are the same as those in the proof of Theorem 12.(iv) query: constructs a list, -list, and chooses an identity randomly. When queries to , looks up -list. If does not exist in -list, then there are the following two conditions. Condition 1: if , sets and stores in -list. Condition 2: if , sets where is randomly chosen in and stores in -list. However, if exists in -list, gets its mapping value, or . Finally, returns .(v) query: when queries to , looks up -list, -list, and -list. If is not found in -list, queries and gets from -list; else, retrieves from -list. If is not in -list, queries and obtains ; otherwise, catches from -list. If , returns “failure.” Then, if is not found in -list, queries and gets ; else, retrieves from -list. Finally, returns .(vi) query: when queries to , looks up -list. If , returns “failure.” If is not found in -list, queries and gets from -list; else, retrieves from -list. Finally, returns .(vii) query: when queries to , if , performs the following works.(1)choose , , and randomly;(2)compute and ;(3)compute and ;(4)set ;(5)compute ;(6)form .
Therefore, the signature on is and it meets the verifying formula in Section 3.
If , can return a signature on to since knows all secrets of user . Finally, outputs, with probability being at least , signatures on of the signers , respectively, such that (1) = True;(2)there exists which is not the output from ;(3)neither nor has been queried.
From Lemma 9, we fork the sequence of signatures one time and get on by setting . Thus, we randomly choose ’s and obtain the following two equations: with probability being at least by Lemma 10, where , , , , and .
We assume that . By Theorem 11, we have that with probability being at least . Thus, we can compute , which is , to solve the CDH problem with and + .

Theorem 14. The proposed scheme is (, , , III)-unforgeable assuming that the -CDH assumption holds in with being the possibly maximal number of queries to , , , , , , , , , and being the numbers of queries to , , , , , , , , and , respectively, and , , , , , , , , , and being the computing time of the queries to , , , , , , , , , and , respectively.

Proof. Assume that a polynomial-time attacker wins the game of Definition 8 with probability being at least within running time . A simulator is given an instance of the CDH problem , and ’s goal is to output . We will construct which plays the game in Definition 8 with and outputs .
Setup. sets and chooses randomly. Then, publishes , , , , , , , , . can respond to the queries from as follows.
The simulation for is identical to that in the proof of Theorem 13. Consider the following.(i) query: constructs a list, -list, and then chooses at random and sets an index . When queries to , checks whether is in -list or not. If does not exist in -list, computes and there are the following two cases. Case 1: if , sets and stores in -list. Case 2: if , sets where is randomly chosen in and stores in -list. Besides, if exists in -list, gets its mapping value, or . Finally, returns or .(ii) query: constructs -list. If queries with a string to , checks whether is in -list or not. If does not exist in -list, then there are the following two conditions. Condition 1: if , sets where is randomly chosen in and stores in -list. Condition 2: if , sets where is randomly chosen in and stores in -list. However, if exists in -list, gets its mapping value, or . Finally, returns .(iii) query: constructs a list, -list. When queries to , looks up -list. If is not found in -list, does the following works. computes where is randomly chosen in . queries with . If , returns “failure”; otherwise, stores in -list. Besides, if is found in -list, gets from -list. Finally, returns to .(iv) query: when queries to , looks up -list, -list, and -list. If is not found in -list, queries and gets from -list; else, retrieves from -list. If is not found in -list, queries with and obtains from -list; otherwise, catches from -list. If , returns “failure.” Then, gets from -list. Finally, returns .(v), , , and queries are the same as those in the proof of Theorem 12. Finally, outputs, with probability at least , a signature on a message for the user such that(1) True;(2)user has been created;(3) is different from all of the public keys ’s returned by or used to query .
From Lemma 9, we fork the sequence of signatures one time and get on by setting . Thus, we obtain the following two equations: with a probability at least by Lemma 10, where , , , , and .
If , can get and solve the CDH problem.
The success probability is with the computing time .
By Theorem 14, a user cannot produce a signature with a new public-secret key pair, which is different from his own one, without the corresponding partial private key being generated from the master secret key. Therefore, if there exist two valid signatures of a user with different public key, the user can prove to anyone that PKG is misbehaving, which means that our scheme achieves Girault’s level-3 security.

5. Discussions

The comparisons between our scheme and [5, 7, 11, 13, 14, 16, 27–34] are shown in Table 1. Although our proposed scheme is not the most efficient, it satisfies the property of Girault’s level-3 security with formal proofs.

6. Conclusions

In this paper, we have proposed a certificateless signature scheme with fast batch verification and it satisfies Girault’s level-3 security, where almost all existing signatures for batch verification reach Girault’s level-1 security and only one reaches Girault's level-2 security. Finally, we have formally demonstrated that the proposed scheme is unforgeable and achieves Girault’s level-3 security based on the CDH problem.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan. A partial result of this research has been presented at the Eighth Asia Joint Conference on Information Security, Seoul, Republic of Korea, July 25-26, 2013.

References

A. Shamir, “Identity-based cryptosystems and signature schemes,” in Advances in Cryptology-CRYPTO, pp. 47–53, 1985.
View at: Publisher Site | Google Scholar | MathSciNet
B. Libert and J. Quisquater, “What is possible with identity based cryptography for PKIs and what still must be improved,” in Proceedings of the European PKI Workshop (EuroPKI '04), pp. 57–70, 2004.
View at: Google Scholar
S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in Advances in Cryptology-ASIACRYPT, pp. 452–473, 2003.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
X. Huang, W. Susilo, Y. Mu, and F. Zhang, “On the Security of Certificateless Signature Schemes from Asiacrypt 2003,” in Proceedings of the International Conference on Cryptology and Network Security (CANS '05), pp. 13–25, 2005.
View at: Google Scholar
Y. Chen, G. Horng, and C. Liu, “Strong non-repudiation based on certificateless short signatures,” IET Infomation Security, vol. 7, no. 3, pp. 253–263, 2012.
View at: Google Scholar
K. Y. Choi, J. H. Park, and D. H. Lee, “A new provably secure certificateless short signature scheme,” Computers and Mathematics with Applications, vol. 61, no. 7, pp. 1760–1768, 2011.
View at: Publisher Site | Google Scholar
L. Cheng and Q. Wen, “A secure and efficient certificateless short signature scheme,” Journal of Engineering Science and Technology Review, vol. 6, no. 2, pp. 35–44, 2011.
View at: Google Scholar
H. Du and Q. Wen, “Efficient and provably-secure certificateless short signature scheme from bilinear pairings,” Computer Standards and Interfaces, vol. 31, no. 2, pp. 390–394, 2009.
View at: Publisher Site | Google Scholar
M. Gorantla and A. Saxena, “An efficient certificateless signature scheme,” in Proceedings of International Conference on Computational Intelligence and Security (CIS '05), pp. 110–116, 2005.
View at: Google Scholar
X. Li, K. Chen, and L. Sun, “Certificateless signature and proxy signature schemes from bilinear pairings,” Lithuanian Mathematical Journal, vol. 45, no. 1, pp. 76–83, 2005.
View at: Publisher Site | Google Scholar
F. Li and P. Liu, “An efficient certificateless signature scheme from bilinear parings,” in Proceedings of the International Conference on Network Computing and Information Security (NCIS '11), pp. 35–37, May 2011.
View at: Publisher Site | Google Scholar
R. Tso, X. Huang, and W. Susilo, “Strongly secure certificateless short signatures,” Journal of Systems and Software, vol. 85, no. 6, pp. 1409–1417, 2012.
View at: Publisher Site | Google Scholar
R. Tso, C. Kim, and X. Yi, “Certificateless message recovery signatures providing Girault's level-3 security,” Journal of Shanghai Jiaotong University (Science), vol. 16, no. 5, pp. 577–585, 2011.
View at: Publisher Site | Google Scholar
Z. Wan, “Certificateless directed signature scheme,” in Proceedings of the 7th International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM '11), pp. 1–4, September 2011.
View at: Publisher Site | Google Scholar
W. Yap, S. Heng, and B. Goi, “An efficient certificateless signature scheme,” in Proceedings of International Conference on Emerging Directions in Embedded and Ubiquitous Computing (EUC '06), pp. 322–331, 2006.
View at: Google Scholar
Y. Yuan and C. Wang, “A secure certificateless signature scheme in the standard model,” Journal of Computational Information Systems, vol. 9, no. 11, pp. 4353–4362, 2013.
View at: Google Scholar
Z. Zhang, D. Wong, J. Xu, and D. Feng, “Certificateless public-key signature: security model and efficient construction,” in Proceedings of International Conference on Applied Cryptography and Network Securit (ACNS '06), pp. 293–308, 2006.
View at: Google Scholar
L. Zhang, Q. Wu, J. Domingo-Ferrer, and B. Qin, “New efficient certificateless signature scheme,” in Proceedings of International Conference on Emerging Directions in Embedded and Ubiquitous Computing (EUC '07), pp. 692–703, 2007.
View at: Publisher Site | Google Scholar
B. C. Hu, D. S. Wong, Z. Zhang, and X. Deng, “Certificateless signature: a new security model and an improved generic construction,” Designs, Codes, and Cryptography, vol. 42, no. 2, pp. 109–126, 2007.
View at: Publisher Site | Google Scholar
M. Girault, “Self-certified public keys,” in Advances in Cryptology-EUROCRYPT, pp. 490–497, 1991.
View at: Google Scholar
A. Fiat, “Batch RSA,” in Advances in cryptology-CRYPTO, pp. 175–185, 1990.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
C. Boyd and C. Pavlovski, “Attacking and repairing batch verification schemes,” in Advances in cryptology-ASIACRYPT, pp. 58–71, 2000.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
L. Harn, “Batch verifying multiple RSA digital signatures,” Electronics Letters, vol. 34, no. 12, pp. 1219–1220, 1998.
View at: Google Scholar
D. Naccache, D. M’Raihi, S. Vaudenay, and D. Raphaeli, “Can D. S. A. be improved? Complexity trade-offs with the digital signature standard,” in Advances in Cryptology-EUROCRYPT, pp. 77–85, 1994.
View at: Google Scholar
H. Yoon, J. H. Cheon, and Y. Kim, “Batch verifications with ID-based signatures,” in Proceedings of International Conference on Information Security and Cryptology (ICISC '04), pp. 233–248, 2004.
View at: Google Scholar
M. Bellare and J. Garay, “Fast batch verification for modular exponentiation and digital signatures,” in Advances In Cryptology-EUROCRYPT, pp. 236–250, 1998.
View at: Google Scholar
C. Shi, D. Pu, and W. C. Choong, “An efficient identity-based signature scheme with batch verifications,” in Proceedings of the 1st International Conference on Scalable information systems (INFOSCALE '06), vol. 22, pp. 1–6, June 2006.
View at: Publisher Site | Google Scholar
A. Ferrara, M. Green, S. Hobenberger, and M. Pedersen, “Practical short signature batch verification,” in Proceedings of the The Cryptographers’ Track at the RSA Conference on Topics in Cryptology (CT-RSA '09), pp. 309–324, 2009.
View at: Google Scholar
M. Geng and F. Zhang, “Batch verification for certificateless signature schemes,” in Proceedings of the International Conference on Computational Intelligence and Security (CIS '09), pp. 288–292, December 2009.
View at: Publisher Site | Google Scholar
X. Qin, S. Zhang, and L. Jia, “Research on pairing-based batch verification,” in Proceedings of the International Conference on Communications and Mobile Computing (CMC '10), pp. 46–50, April 2010.
View at: Publisher Site | Google Scholar
C. Zhang, P. Ho, and J. Tapolcai, “On batch verification with group testing for vehicular communications,” Wireless Networks, vol. 17, no. 8, pp. 1851–1865, 2011.
View at: Publisher Site | Google Scholar
K. Kim, I. Yie, S. Lim, and D. Nyang, “Batch verification and finding invalid signatures in a group signature scheme,” International Journal of Network Security, vol. 13, no. 2, pp. 61–70, 2011.
View at: Google Scholar
A. Wasef and X. Shen, “Efficient group signature scheme supporting batch verification for securing vehicular networks,” in Proceedings of the IEEE International Conference on Communications (ICC '10), pp. 1–5, May 2010.
View at: Publisher Site | Google Scholar
L. Wei, J. Liu, and T. Zhu, “On a group signature scheme supporting batch verification for vehicular networks,” in Proceedings of the 3rd International Conference on Multimedia Information Networking and Security (MINES '11), pp. 436–440, November 2011.
View at: Publisher Site | Google Scholar
J. Camenisch, S. Hohenberger, and M. Pedersen, “Batch verification of short signature,” in Proceedings of the Advances in Cryptology-(EUROCRYPT '07), pp. 246–263, 2007.
View at: Google Scholar
T. Cao, D. Lin, and R. Xue, “Security analysis of some batch verifying signatures from pairings,” International Journal of Network Security, vol. 3, no. 2, pp. 138–143, 2006.
View at: Google Scholar
F. Guo, Y. Mu, and Z. Chen, “Efficient batch verification of short signatures for a single-signer setting without random oracles,” in Proceedings of the International Workshop on Security (IWSEC '08), pp. 49–63, 2008.
View at: Google Scholar
M. Hwang, C. Lee, and Y. Tang, “Two simple batch verifying multiple digital signatures,” in Proceedings of International Conference on Information and Communications Security (ICICS '01), pp. 233–237, 2001.
View at: Google Scholar
S. Yen and C. Laih, “Improved digital signature suitable for batch verification,” IEEE Transactions on Computers, vol. 44, no. 7, pp. 957–959, 1995.
View at: Publisher Site | Google Scholar
D. Pointcheval and J. Stern, “Security proofs for signature schemes,” in Advances in Cryptology-EUROCRYPT, pp. 387–398, 1996.
View at: Publisher Site | Google Scholar | MathSciNet
N. Koblitz, A. Menezes, and S. Vanstone, “The state of elliptic curve cryptography,” Designs, Codes, and Cryptography, vol. 19, no. 2-3, pp. 173–193, 2000.
View at: Google Scholar
A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, LLC, Boca Raton, Fla, USA, 1997.
View at: MathSciNet
Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Securing mobile ad hoc networks with certificateless public keys,” IEEE Transactions on Dependable and Secure Computing, vol. 3, no. 4, pp. 386–399, 2006.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2014 Chun-I Fan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1166

Downloads

984

Citations