Journal of Computer Networks and Communications

Volume 2014, Article ID 792063, 6 pages

http://dx.doi.org/10.1155/2014/792063

## Pairing-Free Certificateless Signature with Security Proof

Hangzhou Key Laboratory of Cryptography and Network Security, Hangzhou Normal University, Hangzhou, Zhejiang 311121, China

Received 30 May 2014; Revised 6 November 2014; Accepted 6 November 2014; Published 26 November 2014

Academic Editor: Tzonelih Hwang

Copyright © 2014 Wenhao Liu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Since certificateless public key cryptosystem can solve the complex certificate management problem in the traditional public key cryptosystem and the key escrow problem in identity-based cryptosystem and the pairing computation is slower than scalar multiplication over the elliptic curve, how to design certificateless signature (CLS) scheme without bilinear pairings is a challenge. In this paper, we first propose a new pairing-free CLS scheme, and then the security proof is presented in the random oracle model (ROM) under the discrete logarithm assumption. The proposed scheme is more efficient than the previous CLS schemes in terms of computation and communication costs and is more suitable for the applications of low-bandwidth environments.

#### 1. Introduction

In 2003, Al-Riyami and Paterson [1] first introduced the concept of certificateless public key cryptosystem (CL-PKC). The basic idea of CL-PKC is to construct the user’s public/private key pair by combining a master key of the key generation center (KGC) with a random secret value generated by the user. Hence, the KGC is unable to compute the user’s private key, and each user has one additional random public key and this public key does not need to be certified by a trusted third party in CL-PKC. Thus, CL-PKC not only eliminates the certificates in PKC but also solves the key escrow problem in identity-based public key cryptosystem (ID-PKC). As a classical signature scheme, it should provide existential unforgeability, which ensures that the adversary cannot forge a valid signature. In the formal security model of CLS scheme, two types of adversaries should be considered. Type I adversary is allowed to replace user’s public key; however, it cannot access the master key of KGC, while Type II adversary is allowed to know the master key of KGC but cannot replace the target user’s public key.

The first CLS scheme was proposed by Al-Riyami and Paterson [1]. Following their works, Huang et al. [2] pointed out that Al-Riyami et al.’s scheme is insecure against Type I adversary. Later, Yum and Lee [3] presented a generic construction of CLS scheme. Hu et al. [4] demonstrated that their scheme is also insecure against Type I adversary. Gorantla and Saxena [5] proposed an efficient CLS scheme, but Cao et al. [6] showed that their scheme is insecure against Type I adversary. Since then, many CLS schemes [7–15] have been proposed. However, only few of them, for example, [10–12], are secure against these two types of adversaries; others are vulnerable to the key replacement attack.

With the rapid development of wireless network technology, more and more users use their mobile devices to deal with the transactions. However, almost all of the above-mentioned schemes cannot be used in the low-bandwidth communication and low-storage and less computation environments. Therefore, many researchers tried to design short CLS schemes. In 2007, Huang et al. [16] proposed the first CLSS scheme. After that, Du and Wen [17] and Choi et al. [18] proposed CLSS schemes, respectively. Unfortunately, all of them are vulnerable to the key replacement attack launched by a Type I adversary; what is more, they still need bilinear pairing computations. As we know, the computation cost of a pairing is approximately 20 times higher than that of the scalar multiplication over an elliptic curve group [19, 20]. Therefore, how to design a pairing-free CLSS scheme is an attractive topic.

Recently, He et al. [21] proposed an efficient certificateless signature scheme without pairings; Tian and Huang [22] and Tsai et al. [23] pointed out that the scheme cannot withstand a Type II adversary’s attack. Tsai et al. [23] also proposed an improved new scheme in order to enhance security. Gong and Li [24] pointed out the new scheme is insecure against the super adversary in the random oracle model, and they proposed a real CLS scheme and demonstrated that their scheme is secure against the supper adversary. Yeh et al. [25] proposed a secure certificateless signature scheme without pairings in 2014. In this paper, we propose a new CLS scheme without bilinear pairings, and is provable secure in the random oracle model (ROM) under the discrete logarithm assumption.

The rest of this paper is organized as follows. In Section 2, we present the preliminaries including the elliptic curve, bilinear pairings, some hard problems, and complexity assumptions. A new CLS scheme and the security proof are presented in Sections 3 and 4, respectively. After that, we show the performance comparison among our scheme and other related schemes in Section 5. Finally, we conclude the paper in Section 6.

#### 2. Preliminaries

In this section, we present some definitions and assumptions which are needed in the rest of the paper.

##### 2.1. Elliptic Curve

Let the symbol be an elliptic curve over a prime finite field ; an equation , with the discriminant . The point on together with an extra point , called the point at infinity, forms a group . We define ( times) as scalar multiplication. Let be the order of .

##### 2.2. Bilinear Pairings

Let be a cyclic additive group of prime order and let be a cyclic multiplicative group with the same order ; is a generator. A bilinear pairing is a map with the following properties.(1)Bilinearity: if , then .(2)Nondegeneracy: there exists a such that , where is the identity element of .(3)Computability: there exists an efficient algorithm to compute for all .

##### 2.3. Hard Problems and Complexity Assumptions

Discrete logarithm problem (DLP): let be a generator of group . Given a tuple for , it is hard to compute .

*DL Assumption.* There exists no algorithm running in expected polynomial time, which can solve the DLP with nonnegligible probability.

##### 2.4. Security Model

The security model of CLS can be referred to [3, 7, 8]. There are two types of adversaries for a CLS scheme, a* Type I* adversary and a* Type II* adversary . represents an attacker who is not allowed access to the master key of KGC but he may replace public keys. represents an attacker who is allowed access to the master key of KGC but he cannot replace public keys.

In general, we use two games to define the existential unforgeability of a CLS scheme against a* Type I* adversary and a* Type II* adversary .

*Game 1.* A challenger takes a security parameter and generates a master private key and public parameter* params* and then sends* params* to and keeps secret. executes the game according to the following steps.

*Create(ID).* On input an identity , if ID has already been created, nothing is to be carried out. Otherwise, generates the public/private key pair .

*Public-Key(ID).* On input an identity ID, outputs the public key to .

*Partial-Private-Key-Extract.* On input an identity ID, outputs the partial key .

*Set-Secret-Key.* On input a user’s identity ID, outputs the private key .

*Public-Key-Replacement(ID,**).* For a participant whose identity is , chooses a new public key and then sets as the new public key of this participant. will record this replacement, which will be used later.

*Sign(ID,**)*. On input , uses the private key to compute the signature and returns it to . If the public key has been replaced by , then cannot find ; the answer of the signing oracle may be incorrect. In this situation, we assume that submits a secret value corresponding to the replaced public key to the signing oracle.

At the end, outputs a signature on the message corresponding to the public key for an identity , which is the challenge identity. wins the game if the following conditions hold.(1)Verify.(2) has never been submitted to the oracle* Sign*.(3) has never been submitted to the* Partial-Private-Key-Extract* query or* Set-Secret-Key* query.

If has the advantage at least in the above game, runs in time at most , and makes at most * Create* queries, * Sign* queries, and * hash* queries, respectively, then is said to be an -forger. If there exists no such forger, then a signature scheme is said to be -secure against Type I adversary.

*Game 2*. A challenger is playing the game with Type II adversary .

A challenger takes a security parameter , generates a master private key and public parameter* params*, and then sends* params* and to . answers* Create*,* Public-Key*,* Set-Secret-Key*,* Partial-Private-Key-Extract,* and* Sign* queries from , like does in* Game 1*.

At the end, outputs a signature on the message corresponding to the public key for an identity , which is the challenge identity. wins the game if the following conditions hold.(1)Verify.(2) has never been submitted to the oracle* Sign*.(3) has never been submitted to the* Set-Secret-Key* query.

If has the advantage at least in the above game, runs in time at most , and makes at most * Create* queries, * Sign* queries, and * hash* queries, respectively, then is said to be an -forger. If there exists no such forger, then a signature scheme is said to be -secure against Type II adversary.

#### 3. The Proposed CLS Scheme

In this section, we propose a new CLS scheme, which consists of seven algorithms:* Setup*,* Partial-Private-Key-Extract*,* Set-Secret-Key*,* Set-Private-Key*,* Set-Public-Key*,* Sign*, and* Verify*. The details are described as follows.

*Setup.* On input a security parameter , and return system parameters and master key:(1)KGC generates a cyclic additive group and a cyclic multiplicative group with the same order ;(2)KGC chooses a generator and two cryptographic secure hash functions and ;(3)KGC picks a random master private key and computes ;(4)KGC publishes system parameters and keeps secret.

*Partial-Private-Key-Extract.* On input* params*, system master key and a random value , user ’s identity , compute , , and , output through a secret channel, and publish .

*Set-Secret-Key.* On input the security parameter and a user’s identity , compute and set as his secret value.

*Set-Private-Key.* On input and a user’s identity , output the user’s private key .

*Set-Public-Key.* On input a user’s identity , output the user’s public key .

*Sign.* On input , , , and message , perform the following steps.(1)Choose a random number to compute .(2)Compute .(3)Compute .(4)Return as the signature on the message .

*Verify.* On input* params*, , , , , , and , compute and . Check whether holds or not. If the equation holds, output 1, otherwise 0.

We can easily see that the following equation is correct:

Therefore, our CLS scheme is correct.

#### 4. Security Analysis

In this section, we will show that the proposed scheme is secure in the random oracle model under the discrete logarithm assumption.

Theorem 1. *If Type I and Type II adversaries can forge a CLS scheme in probabilistic polynomial time with nonnegligible probability , then the discrete logarithm problem can be solved with nonnegligible probability , where () are denoted by the times of accessing () oracles, respectively.*

*Proof. *Firstly, we consider* Type I* attack.

Suppose that there exists a* Type I* adversary which has a nonnegligible probability in attacking our CLS scheme; we construct a challenger that uses to solve the DLP. Challenger receives a DL instance for randomly chosen and and wants to compute . runs as a subroutine and simulates its attack situations. sets , where is the master key, which is unknown to , and returns system parameters to . maintains initially empty lists , , , , , , , and in order to simulate the oracle queries of as follows.*Create(**).* maintains list of tuple . responds with if is on . Otherwise, it chooses three random values , sets , , , , and , responds with , and inserts into . It is known that satisfies the equation in the* Partial-Private-Key-Extract* algorithm. * Queries.* Suppose that makes at most queries to the oracle . chooses a random number . When it makes a query on where , if (we let at this point), randomly chooses and returns and then adds to . Otherwise, picks a random number , returns to , and adds to . * Queries.* Suppose that makes at most queries to the oracle . If the list contains , returns . Otherwise, picks a random number , returns , and adds to . *Request-Public-Key(**) Queries*. Suppose that makes this query to the* Public-Key-Request* oracle. looks up the list. randomly chooses and then adds to . Otherwise, picks a random number , computes , and adds to . *Partial-Private-Key-Extract(**) Queries*. When makes this query, does the following steps.

If , terminates the session. Otherwise, looks up for the tuple . If there exists such a tuple, returns to . Otherwise, makes* Replace-Public-Key queries* on itself and returns as the response. *Extract-Secret-Key(**) Queries*. picks a random , computes , returns to , and adds to . *Replace-Public-Key(**) Queries*. If the list contains , sets , . Otherwise, makes* Extract-Secret-Key** query* on and then sets , , and returns to . *Sign(**) Queries.* If the list contains and the list contains , does the following.

If , then picks three random numbers , computes , , , , , and , returns to , and adds and to and , respectively. The public key may be replaced by . The following equation holds because the signature is valid:
computes .

Note that can solve the DL problem because he knows . Thus, we have .

Then, we consider* Type II* attack.

Suppose that there exists a* Type II* adversary which has a nonnegligible probability in attacking our CLS scheme; we construct a challenger that uses to solve the DLP. Challenger receives a DL instance for randomly chosen and and wants to compute . runs as a subroutine and simulates its attack situation. sets , where is the master key, and returns system parameters and to . maintains initially empty lists , , , , , , , and in order to simulate the oracle queries of as follows.*Create(**)*. maintains list of tuple . responds with if is on . Otherwise, if , chooses three random values and sets , , , , and , . If , chooses three random values and sets , , , , , and ; responds with and inserts into . * Queries*. Suppose that makes at most queries to the oracle . chooses a random . When it makes a query on where , if (we let at this point), randomly chooses and returns and then adds to . Otherwise, picks a random number , returns to , and adds to .* Queries.* Suppose that makes at most queries to the oracle . If the list contains , returns . Otherwise, picks a random number , returns , and adds to .*Request-Public-Key(**) Queries.* Suppose that makes at most queries to the* Public-Key-Request* oracle. chooses a random . If (we let at this point), randomly chooses and then adds to . Otherwise, picks a random number , computes , and adds to .*Partial-Private-Key-Extract(**) Queries.* When makes this query, looks up the tuple ; if there is the tuple, then returns to . Otherwise, makes the* Request-Public-Key* queries and returns to . *Extract-Secret-Key(**) Queries. * picks a random , computes , returns to , and adds to . Otherwise, aborts the simulation.*Sign(**) Queries.* If the list contains and the list contains , does the following.

If , then picks three random , computes , , , , and , returns to , and adds and to and , respectively. The public key may be replaced by . The following equation holds because the signature is valid:
computes .

Note that can solve the DL problems because he knows . Thus, we have .

#### 5. Performance Comparison

In order to achieve 1024-bit RSA level security, we used the Tate pairing defined over the supersingular elliptic curve with embedding degree 2. is a 160-bit Solinas prime and is a 512-bit prime such as . The signature of Chen et al. [20] consists of a point of elliptic curve ; then, the signature size is 512/8 = 64 bytes. In order to achieve the same security level, we use the ECC group on Koblitz elliptic curve defined on with bit random prime. The signature size of our scheme is bytes. The performance comparison among the proposed scheme and some related CLS schemes is given in Table 1. A pairing operation is denoted by , scalar multiplication in the group by , a modular exponentiation in by , and pairing-based scalar multiplication by PM. Sign and Ver denote the computational costs required for signing and verification processes of CLS scheme. According to Table 1, it is known that our scheme is more efficient than the other CLS schemes.

#### 6. Conclusion

In this paper, we proposed a new CLS scheme without pairings and also showed that the proposed scheme is secure in the random oracle model under the DL assumption. The proposed scheme is more efficient than the previous CLS schemes in terms of computation and communication costs and is more suitable for the applications of low-bandwidth environments.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This work is partially supported by the Major State Basic Research Development (973) Program of China (no. 2013CB834205), the National Natural Science Foundation of China (nos. 61070153 and 61103209), Natural Science Foundation of Zhejiang Province (no. LZ12F02005), and Education Department Foundation of Zhejiang Province (no. Y201222977).

#### References

- S. S. Al-Riyami and K. Paterson, “Certificateless public key cryptography,” in
*Advances in Cryptology-ASIACRYPT 2003*, vol. 2894 of*Lecture Notes in Computer Science*, pp. 452–473, Springer, Berlin, Germany, 2003. View at Publisher · View at Google Scholar - X. Huang, W. Susilo, Y. Mu, and F. Zhang, “On the security of certificateless signature schemes from Asiacrypt 2003,” in
*Cryptology and Network Security*, vol. 3810 of*Lecture Notes in Computer Science*, pp. 13–25, 2005. View at Publisher · View at Google Scholar - D. H. Yum and P. J. Lee, “Generic construction of certificateless signature,” in
*Information Security and Privacy: 9th Australasian Conference (ACISP '04)*, vol. 3108 of*Lecture Notes in Computer Science*, pp. 200–211, Springer, 2004. View at Google Scholar - B. Hu, D. Wong, Z. Zhang, and X. Deng, “Key replacement attack against a generic construction of certificateless signature,” in
*Proceedings of the 11th Australasian Conference on Information Security and Privacy*, pp. 235–246, Melbourne, Australia, 2006. - M. C. Gorantla and A. Saxena, “An efficient certificateless signature scheme,” in
*Computational Intelligence and Security (CIS '05)*, vol. 3802 of*Lecture Notes in Computer Science*, pp. 110–116, Springer, 3802, 2005. View at Google Scholar - X. Cao, K. G. Paterson, and W. Kou, “An attack on a certificateless signature scheme,”
*Cryptology ePrint Archive: Report*2006/367, 2006. View at Google Scholar - W. Yap, S. Heng, and B. Goi, “An efficient certificateless signature scheme,” in
*Proceedings of Emerging Directions in Embedded and Ubiquitious Computing*, pp. 322–331, 2006. - J. Park and B. Kang, “Security analysis of the certificateless signature scheme proposed at Sec Ubiq 2006,” in
*Emerging Directions in Embedded and Ubiquitous Computing*, vol. 4809 of*Lecture Notes in Computer Science*, pp. 686–691, Springer, Berlin, Germany, 2007. View at Google Scholar - L. Zhang, F. Zhang, and F. Zhang, “New efficient certificateless signature scheme,” in
*Emerging Directions in Embedded and Ubiquitous Computing*, vol. 4809 of*Lecture Notes in Computer Science*, pp. 692–703, Springer, Berlin, Germany, 2007. View at Publisher · View at Google Scholar - Z. Zhang, D. Wong, J. Xu, and D. Feng, “Certificateless public-key signature: security model and efficient construction,” in
*Applied Cryptography and Network Security*, vol. 3989 of*Lecture Notes in Computer Science*, pp. 293–308, Springer, Berlin, Germany, 2006. View at Google Scholar - K. Y. Choi, J. H. Park, J. Y. Hwang, and D. H. Lee, “Efficient certificateless signature schemes,” in
*Applied Cryptography and Network Security*, vol. 4521 of*Lecture Notes in Computer Science*, pp. 443–458, Springer, New York, NY, USA, 2007. View at Publisher · View at Google Scholar - S. Duan, “Certificateless undeniable signature scheme,”
*Information Sciences*, vol. 178, no. 3, pp. 742–755, 2008. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus - J. K. Liu, M. H. Au, and W. Susilo, “Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model,” in
*Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security (ASIACCS '07)*, pp. 273–283, Singapore, March 2007. View at Publisher · View at Google Scholar · View at Scopus - H. Xiong, Z. Qin, and F. Li, “An improved certificateless signature scheme secure in the standard model,”
*Fundamenta Informaticae*, vol. 88, no. 1-2, pp. 193–206, 2008. View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet · View at Scopus - Y. Yuan, D. Li, L. Tian, and H. Zhu, “Certificateless signature scheme without random oracles,” in
*Advances in Information Security and Assurance: Proceedings of the 3rd International Conference and Workshops, ISA 2009, Seoul, Korea, June 25–27, 2009*, vol. 5576 of*Lecture Notes in Computer Science*, pp. 31–40, Springer, Berlin, Germany, 2009. View at Publisher · View at Google Scholar - X. Huang, W. Susilo, and D. Wong, “Certificateless signature revisited,” in
*Information Security and Privacy*, vol. 4586 of*Lecture Notes in Computer Science*, pp. 308–322, Springer, Berlin, Germany, 2007. View at Publisher · View at Google Scholar - H. Du and Q. Wen, “Efficient and provably-secure certificateless short signature scheme from bilinear pairings,”
*Computer Standards and Interfaces*, vol. 31, no. 2, pp. 390–394, 2009. View at Publisher · View at Google Scholar · View at Scopus - K. Y. Choi, J. H. Park, and D. H. Lee, “A new provably secure certificateless short signature scheme,”
*Computers & Mathematics with Applications*, vol. 61, no. 7, pp. 1760–1768, 2011. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus - K.-A. Shim, “Breaking the short certificateless signature scheme,”
*Information Sciences*, vol. 179, no. 3, pp. 303–306, 2009. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus - L. Chen, Z. Cheng, and N. P. Smart, “Identity-based key agreement protocols from pairings,”
*International Journal of Information Security*, vol. 6, no. 4, pp. 213–241, 2007. View at Publisher · View at Google Scholar · View at Scopus - D. He, J. Chen, and R. Zhang, “An efficient and provably-secure certificateless signature scheme without bilinear pairings,”
*International Journal of Communication Systems*, vol. 25, no. 11, pp. 1432–1442, 2012. View at Publisher · View at Google Scholar · View at Scopus - M. Tian and L. Huang, “Cryptanalysis of a certificateless signature scheme without pairings,”
*International Journal of Communication Systems*, vol. 26, no. 11, pp. 1375–1381, 2013. View at Publisher · View at Google Scholar - J. L. Tsai, N. W. Lo, and T. C. Wu, “Weaknesses and improvements of an efficient certificateless signature scheme without using bilinear pairings,”
*International Journal of Communication Systems*, vol. 27, no. 7, pp. 1083–1090, 2014. View at Publisher · View at Google Scholar · View at Scopus - P. Gong and P. Li, “Further improvement of a certificateless signature scheme without pairing,”
*International Journal of Communication Systems*, vol. 27, no. 10, pp. 2083–2091, 2014. View at Publisher · View at Google Scholar · View at Scopus - K.-H. Yeh, K.-Y. Tsai, and C.-Y. Fan, “An efficient certificateless signature scheme without bilinear pairings,”
*Multimedia Tools and Applications*, 2014. View at Publisher · View at Google Scholar