Abstract

Since certificateless public key cryptosystem can solve the complex certificate management problem in the traditional public key cryptosystem and the key escrow problem in identity-based cryptosystem and the pairing computation is slower than scalar multiplication over the elliptic curve, how to design certificateless signature (CLS) scheme without bilinear pairings is a challenge. In this paper, we first propose a new pairing-free CLS scheme, and then the security proof is presented in the random oracle model (ROM) under the discrete logarithm assumption. The proposed scheme is more efficient than the previous CLS schemes in terms of computation and communication costs and is more suitable for the applications of low-bandwidth environments.

1. Introduction

In 2003, Al-Riyami and Paterson [1] first introduced the concept of certificateless public key cryptosystem (CL-PKC). The basic idea of CL-PKC is to construct the user’s public/private key pair by combining a master key of the key generation center (KGC) with a random secret value generated by the user. Hence, the KGC is unable to compute the user’s private key, and each user has one additional random public key and this public key does not need to be certified by a trusted third party in CL-PKC. Thus, CL-PKC not only eliminates the certificates in PKC but also solves the key escrow problem in identity-based public key cryptosystem (ID-PKC). As a classical signature scheme, it should provide existential unforgeability, which ensures that the adversary cannot forge a valid signature. In the formal security model of CLS scheme, two types of adversaries should be considered. Type I adversary is allowed to replace user’s public key; however, it cannot access the master key of KGC, while Type II adversary is allowed to know the master key of KGC but cannot replace the target user’s public key.

The first CLS scheme was proposed by Al-Riyami and Paterson [1]. Following their works, Huang et al. [2] pointed out that Al-Riyami et al.’s scheme is insecure against Type I adversary. Later, Yum and Lee [3] presented a generic construction of CLS scheme. Hu et al. [4] demonstrated that their scheme is also insecure against Type I adversary. Gorantla and Saxena [5] proposed an efficient CLS scheme, but Cao et al. [6] showed that their scheme is insecure against Type I adversary. Since then, many CLS schemes [715] have been proposed. However, only few of them, for example, [1012], are secure against these two types of adversaries; others are vulnerable to the key replacement attack.

With the rapid development of wireless network technology, more and more users use their mobile devices to deal with the transactions. However, almost all of the above-mentioned schemes cannot be used in the low-bandwidth communication and low-storage and less computation environments. Therefore, many researchers tried to design short CLS schemes. In 2007, Huang et al. [16] proposed the first CLSS scheme. After that, Du and Wen [17] and Choi et al. [18] proposed CLSS schemes, respectively. Unfortunately, all of them are vulnerable to the key replacement attack launched by a Type I adversary; what is more, they still need bilinear pairing computations. As we know, the computation cost of a pairing is approximately 20 times higher than that of the scalar multiplication over an elliptic curve group [19, 20]. Therefore, how to design a pairing-free CLSS scheme is an attractive topic.

Recently, He et al. [21] proposed an efficient certificateless signature scheme without pairings; Tian and Huang [22] and Tsai et al. [23] pointed out that the scheme cannot withstand a Type II adversary’s attack. Tsai et al. [23] also proposed an improved new scheme in order to enhance security. Gong and Li [24] pointed out the new scheme is insecure against the super adversary in the random oracle model, and they proposed a real CLS scheme and demonstrated that their scheme is secure against the supper adversary. Yeh et al. [25] proposed a secure certificateless signature scheme without pairings in 2014. In this paper, we propose a new CLS scheme without bilinear pairings, and is provable secure in the random oracle model (ROM) under the discrete logarithm assumption.

The rest of this paper is organized as follows. In Section 2, we present the preliminaries including the elliptic curve, bilinear pairings, some hard problems, and complexity assumptions. A new CLS scheme and the security proof are presented in Sections 3 and 4, respectively. After that, we show the performance comparison among our scheme and other related schemes in Section 5. Finally, we conclude the paper in Section 6.

2. Preliminaries

In this section, we present some definitions and assumptions which are needed in the rest of the paper.

2.1. Elliptic Curve

Let the symbol be an elliptic curve over a prime finite field ; an equation , with the discriminant .  The point on together with an extra point , called the point at infinity, forms a group . We define ( times) as scalar multiplication. Let be the order of .

2.2. Bilinear Pairings

Let be a cyclic additive group of prime order and let be a cyclic multiplicative group with the same order ; is a generator. A bilinear pairing is a map with the following properties.(1)Bilinearity: if , then .(2)Nondegeneracy: there exists a such that , where is the identity element of .(3)Computability: there exists an efficient algorithm to compute for all .

2.3. Hard Problems and Complexity Assumptions

Discrete logarithm problem (DLP): let be a generator of group . Given a tuple for , it is hard to compute .

DL Assumption. There exists no algorithm running in expected polynomial time, which can solve the DLP with nonnegligible probability.

2.4. Security Model

The security model of CLS can be referred to [3, 7, 8]. There are two types of adversaries for a CLS scheme, a Type I adversary and a Type II adversary . represents an attacker who is not allowed access to the master key of KGC but he may replace public keys. represents an attacker who is allowed access to the master key of KGC but he cannot replace public keys.

In general, we use two games to define the existential unforgeability of a CLS scheme against a Type I adversary and a Type II adversary .

Game 1. A challenger takes a security parameter and generates a master private key and public parameter params and then sends params to and keeps secret. executes the game according to the following steps.

Create(ID). On input an identity , if ID has already been created, nothing is to be carried out. Otherwise, generates the public/private key pair .

Public-Key(ID). On input an identity ID,   outputs the public key to .

Partial-Private-Key-Extract. On input an identity ID,   outputs the partial key .

Set-Secret-Key. On input a user’s identity ID,   outputs the private key .

Public-Key-Replacement(ID,). For a participant whose identity is , chooses a new public key and then sets as the new public key of this participant. will record this replacement, which will be used later.

Sign(ID,). On input ,   uses the private key to compute the signature and returns it to . If the public key has been replaced by , then cannot find ; the answer of the signing oracle may be incorrect. In this situation, we assume that submits a secret value corresponding to the replaced public key to the signing oracle.

At the end, outputs a signature on the message corresponding to the public key for an identity , which is the challenge identity. wins the game if the following conditions hold.(1)Verify.(2) has never been submitted to the oracle Sign.(3) has never been submitted to the Partial-Private-Key-Extract query or Set-Secret-Key query.

If has the advantage at least in the above game, runs in time at most , and makes at most Create queries, Sign queries, and hash queries, respectively, then is said to be an -forger. If there exists no such forger, then a signature scheme is said to be -secure against Type I adversary.

Game 2. A challenger is playing the game with Type II adversary .

A challenger takes a security parameter , generates a master private key and public parameter params, and then sends params and to . answers Create, Public-Key, Set-Secret-Key, Partial-Private-Key-Extract, and Sign queries from , like does in Game 1.

At the end, outputs a signature on the message corresponding to the public key for an identity , which is the challenge identity. wins the game if the following conditions hold.(1)Verify.(2) has never been submitted to the oracle Sign.(3) has never been submitted to the Set-Secret-Key query.

If has the advantage at least in the above game, runs in time at most , and makes at most Create queries, Sign queries, and hash queries, respectively, then is said to be an -forger. If there exists no such forger, then a signature scheme is said to be -secure against Type II adversary.

3. The Proposed CLS Scheme

In this section, we propose a new CLS scheme, which consists of seven algorithms: Setup, Partial-Private-Key-Extract, Set-Secret-Key, Set-Private-Key, Set-Public-Key, Sign, and Verify. The details are described as follows.

Setup. On input a security parameter , and return system parameters and master key:(1)KGC generates a cyclic additive group and a cyclic multiplicative group with the same order ;(2)KGC chooses a generator and two cryptographic secure hash functions and ;(3)KGC picks a random master private key and computes ;(4)KGC publishes system parameters and keeps secret.

Partial-Private-Key-Extract. On input params, system master key and a random value , user ’s identity , compute , , and , output through a secret channel, and publish .

Set-Secret-Key. On input the security parameter and a user’s identity , compute and set as his secret value.

Set-Private-Key. On input and a user’s identity , output the user’s private key .

Set-Public-Key. On input a user’s identity , output the user’s public key .

Sign. On input , , , and message ,  perform the following steps.(1)Choose a random number to compute .(2)Compute .(3)Compute .(4)Return as the signature on the message .

Verify. On input params, , , , , , and ,  compute and . Check whether holds or not. If the equation holds, output 1, otherwise 0.

We can easily see that the following equation is correct:

Therefore, our CLS scheme is correct.

4. Security Analysis

In this section, we will show that the proposed scheme is secure in the random oracle model under the discrete logarithm assumption.

Theorem 1. If Type I and Type II adversaries can forge a CLS scheme in probabilistic polynomial time with nonnegligible probability , then the discrete logarithm problem can be solved with nonnegligible probability , where () are denoted by the times of accessing () oracles, respectively.

Proof. Firstly, we consider Type I attack.
Suppose that there exists a Type I adversary which has a nonnegligible probability in attacking our CLS scheme; we construct a challenger that uses to solve the DLP. Challenger receives a DL instance for randomly chosen and and wants to compute . runs as a subroutine and simulates its attack situations. sets , where is the master key, which is unknown to , and returns system parameters to . maintains initially empty lists , , , , , , , and in order to simulate the oracle queries of as follows.
Create().   maintains list of tuple . responds with if is on . Otherwise, it chooses three random values , sets , , , , and , responds with , and inserts into . It is known that satisfies the equation in the Partial-Private-Key-Extract algorithm.
Queries. Suppose that makes at most queries to the oracle . chooses a random number . When it makes a query on where , if (we let at this point),   randomly chooses and returns and then adds to . Otherwise, picks a random number , returns to , and adds to .
Queries. Suppose that makes at most queries to the oracle . If the list contains , returns . Otherwise, picks a random number , returns , and adds to .
Request-Public-Key() Queries. Suppose that makes this query to the Public-Key-Request oracle. looks up the list. randomly chooses and then adds to . Otherwise, picks a random number , computes , and adds to .
Partial-Private-Key-Extract() Queries. When makes this query, does the following steps.
If , terminates the session. Otherwise, looks up for the tuple . If there exists such a tuple, returns to . Otherwise, makes Replace-Public-Key queries on itself and returns as the response.
Extract-Secret-Key() Queries. picks a random , computes , returns to , and adds to .
Replace-Public-Key() Queries. If the list contains , sets , . Otherwise, makes Extract-Secret-Key query on and then sets , , and returns to .
Sign() Queries. If the list contains and the list contains , does the following.
If , then picks three random numbers , computes , , , , , and , returns to , and adds and to and , respectively. The public key may be replaced by . The following equation holds because the signature is valid: computes .
Note that can solve the DL problem because he knows . Thus, we have .
Then, we consider Type II attack.
Suppose that there exists a Type II adversary which has a nonnegligible probability in attacking our CLS scheme; we construct a challenger that uses to solve the DLP. Challenger receives a DL instance for randomly chosen and and wants to compute . runs as a subroutine and simulates its attack situation. sets , where is the master key, and returns system parameters and to . maintains initially empty lists , , , , , , , and in order to simulate the oracle queries of as follows.
Create(). maintains list of tuple . responds with if is on . Otherwise, if , chooses three random values and sets , , , , and , . If , chooses three random values and sets , , , , , and ; responds with and inserts into .
Queries. Suppose that makes at most queries to the oracle . chooses a random . When it makes a query on where , if (we let at this point),   randomly chooses and returns and then adds to . Otherwise, picks a random number , returns to , and adds to .
Queries. Suppose that makes at most queries to the oracle . If the list contains , returns . Otherwise, picks a random number , returns , and adds to .
Request-Public-Key() Queries. Suppose that makes at most queries to the Public-Key-Request oracle. chooses a random . If (we let at this point), randomly chooses and then adds to . Otherwise, picks a random number , computes , and adds to .
Partial-Private-Key-Extract() Queries. When makes this query, looks up the tuple ; if there is the tuple, then returns to . Otherwise, makes the Request-Public-Key queries and returns to .
Extract-Secret-Key() Queries. picks a random , computes , returns to , and adds to . Otherwise, aborts the simulation.
Sign() Queries. If the list contains and the list contains , does the following.
If , then picks three random , computes , , , , and , returns to , and adds and to and , respectively. The public key may be replaced by . The following equation holds because the signature is valid: computes .
Note that can solve the DL problems because he knows . Thus, we have .

5. Performance Comparison

In order to achieve 1024-bit RSA level security, we used the Tate pairing defined over the supersingular elliptic curve with embedding degree 2. is a 160-bit Solinas prime and is a 512-bit prime such as . The signature of Chen et al. [20] consists of a point of elliptic curve ; then, the signature size is 512/8 = 64 bytes. In order to achieve the same security level, we use the ECC group on Koblitz elliptic curve defined on with  bit random prime. The signature size of our scheme is bytes. The performance comparison among the proposed scheme and some related CLS schemes is given in Table 1. A pairing operation is denoted by , scalar multiplication in the group by , a modular exponentiation in by , and pairing-based scalar multiplication by PM. Sign and Ver denote the computational costs required for signing and verification processes of CLS scheme. According to Table 1, it is known that our scheme is more efficient than the other CLS schemes.

6. Conclusion

In this paper, we proposed a new CLS scheme without pairings and also showed that the proposed scheme is secure in the random oracle model under the DL assumption. The proposed scheme is more efficient than the previous CLS schemes in terms of computation and communication costs and is more suitable for the applications of low-bandwidth environments.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is partially supported by the Major State Basic Research Development (973) Program of China (no. 2013CB834205), the National Natural Science Foundation of China (nos. 61070153 and 61103209), Natural Science Foundation of Zhejiang Province (no. LZ12F02005), and Education Department Foundation of Zhejiang Province (no. Y201222977).