Mathematical Problems in Engineering

Volume 2014, Article ID 373690, 10 pages

http://dx.doi.org/10.1155/2014/373690

## Certificateless Proxy Signature from RSA

^{1}School of Mathematics and Computer Science, Guizhou Normal University, Guiyang 550001, China^{2}School of Mathematical Sciences, Xiamen University, Fujian 361005, China

Received 31 January 2014; Revised 28 May 2014; Accepted 29 May 2014; Published 23 June 2014

Academic Editor: Kwok-Wo Wong

Copyright © 2014 Lunzhi Deng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Although some good results were achieved in speeding up the computation of pairing function in recent years, it is still interesting to design efficient cryptosystems with less bilinear pairing operation. A proxy signature scheme allows a proxy signer to sign messages on behalf of an original signer within a given context. We propose a certificateless proxy signature (CLPS) scheme from RSA and prove its security under the strongest security model where the Type I/II adversary is a super Type I/II adversary.

#### 1. Introduction

Public key cryptography is an important technique to realize network and information security. Traditional public key infrastructure requires a trusted certification authority to issue a certificate binding the identity and the public key of an entity. Hence, the problem of certificate management arises. To solve the problem, Shamir defined a new public key paradigm called identity-based public key cryptography [1]. However, identity-based public key cryptography needs a trusted PKG to generate a private key for an entity according to its identity. So we are confronted with the key escrow problem. Fortunately, the two problems in traditional public key infrastructure and identity-based public key cryptography can be prohibited by introducing certificateless public key cryptography (CLPKC) [2], which can be conceived as an intermediate between traditional public key infrastructure and identity-based cryptography.

##### 1.1. Certificateless Cryptography

In 2003, Al-Riyami and Paterson [2] introduced the notion of certificateless public key cryptography. Its goal is to remove the key escrow property from identity-based cryptography and has attracted a great extent of attention lately [3–11]. Certificateless cryptography not only eliminates the key escrow property but also removes certificates. It lets a semitrusted KGC issue a user partial key to a user with respect to his/her identity. By possessing both the user partial key and a self-generated user secret key, the user is able to carry out predefined cryptographic operations. Typically there are two types of attacks to consider in certificateless cryptography. One is called KGC Attack in which the KGC is malicious and targets forge signatures from its knowledge about the user’s partial key. The other one is called Key Replacement Attack in which the user’s public/secret key pair could be replaced by a third party but this user’s partial key issued by the KGC is not revealed. Au et al. [12] further investigated the types of malicious activities that the semitrusted KGC may be allowed to perform in practice and proposed a new strong security model called Malicious-but-Passive KGC Attack to replace original KGC Attack. A Malicious-but-Passive KGC may generate system parameters and the master key pair without following the scheme specification. Several certificateless signature schemes have been found vulnerable to this attack.

##### 1.2. Cryptography from RSA

In 1985, Shamir [1] proposed the first identity-based signature scheme from the RSA primitive. In 1990, Guillou and Quisquater [13] proposed a similar RSA identity-based signature scheme, which is constructed from a zero-knowledge identification protocol. Herranz [14] proposed identity-based ring signatures from RSA whose security is based on the hardness of the RSA problem. After initial schemes, the following breakthrough result in the area of identity-based cryptography came in 2003, when Boneh and Franklin [15] designed an efficient identity-based public key encryption scheme. In the design, they used as a tool bilinear pairings, a kind of maps which can be constructed on some elliptic curves. Since the appearance of this work, a lot of cryptography schemes have been proposed for encryption, signature, key agreement, and so forth and they all employ such bilinear pairings. However, it is still desirable to find cryptography schemes which do not need to employ bilinear pairings.

##### 1.3. Proxy Signature

The concept of proxy signatures was first introduced by Mambo et al. [16]. Based on the delegation type, they classified proxy signature schemes into three types: full delegation, partial delegation, and delegation by warrant. In a full delegation scheme, the original signer’s private key is given to the proxy signer. Hence, the proxy signer has the same signing right as the original signer. Obviously, such schemes are impractical and insecure for most of real-world settings. In a partial delegation scheme, a proxy signer has a new key, called proxy private key, which is different from the original’s private key. Although proxy signatures generated by using proxy private key are different from the original signers standard signatures, the proxy signer is not limited on the range of messages he can sign. This weakness is eliminated in delegation by warrant schemes. One of the main advantages of the use of warrants is that it is possible to include any type of security policy (that specifies what kinds of messages are delegated and may contain other information, such as the identities of the original signer, the proxy signer, the delegation period, etc.) in the warrant to describe the restrictions under which the delegation is valid. Therefore, proxy signature scheme which uses the method of this approach attracts a great interest, and it is often expected that new proxy signature schemes will implement the functionality of warrants.

In order to adapt different situations, many proxy signature variants are produced, such as one-time proxy signature, proxy blind signature, and multiproxy signature. Since the proxy signature appears, it attracts many researchers’ great attention. Using bilinear pairings, people proposed many new ID-based proxy signature (IBPS) schemes [17–31] and certificateless proxy signature (CLPS) [32–38] schemes. All the above schemes are very practical, but they are based on bilinear pairings and the pairing is regarded as the most expensive cryptography primitive. The relative computation cost of a pairing is much higher than that of the scalar multiplication over elliptic curve group. Therefore, CLPS scheme without less bilinear pairing operations would be more appealing in terms of efficiency.

##### 1.4. Motivations and Our Contributions

Although some good results were achieved in speeding up the computation of pairing function in recent years, it is still interesting to design cryptographic scheme without pairing operations.

In this paper, we propose a certificateless proxy signature (CLPS) scheme, which has the following features.(i)The proposed scheme is security under the strongest security model. Namely, in the scheme, the super Type I/II adversary can obtain the valid signatures for the replaced public key, without additional submission.(ii)The proposed scheme not only enjoys a high security level but is also very efficient. The scheme does not need pairing operation. To the best of authors’ knowledge, our scheme is the first certificateless proxy signature scheme from RSA.

#### 2. Preliminaries

*Definition 1. *Let , where and are two -bit prime numbers. Let be a random prime number, greater than for some fixed parameter , such that gcd. Let be a random element in . We say that an algorithm solves the RSA problem if it receives as input the tuple and outputs an element such that mod .

*Definition 2. *Given a generator of a group of prime order , and an element , the discrete logarithm problem (DLP) is to compute .

##### 2.1. Model of Certificateless Proxy Signature Scheme

A certificateless proxy signature scheme consists of the following eight algorithms: setup, partial private key extraction, secret value setting, user public key generation, delegate, delegation verify, proxy sign, and proxy signature verify:(i)*Setup*. This algorithm takes as input a security parameter and returns (system parameters) and a randomly chosen master secret key . After the algorithm is performed, the KGC publishes the system parameters and keeps the master key secret.(ii)*Partial Private Key Extract*. This algorithm takes as input , , and an identity of an entity and returns a partial private key . The KGC carries out the algorithm to generate the partial private key and sends to the corresponding owner via a secure channel.(iii)*Secret Value Set.* This algorithm takes the , an identity , as input and outputs a secret value . This algorithm is run by the identity for itself.(iv)*User Public Key Generate*. This algorithm takes the , an identity and the identity’s secret value as input. It outputs the public key PK_{ID} for the identity . This algorithm is run by the identity for itself.(v)*Delegate.* This algorithm takes as input the , original signer’s full private key , a warrant , and outputs the delegation .(vi)*Delegation Verify.* This algorithm takes as input , , and verifies whether is a valid delegation from the original signer.(vii)*Proxy Sign.* This algorithm takes as input the , proxy signer’s full private key , delegation , a message , and outputs the proxy signature .(viii)*Proxy Signature Verify.* This algorithm takes as input the , original signer’s identity/public key /, proxy signer’s identity/public key /, a proxy signature , and outputs 1 if the proxy signature is valid or 0 otherwise.

*Definition 3. *A certificateless proxy signature scheme (CLPS) is said to be existentially unforgeable against adaptive chosen message attacks (EUF-CLPS-CMA) if no polynomially bounded adversary has a nonnegligible advantage in the following two games against Type I and Type II adversaries.

*Game I*. Now we illustrate the first game performed between a challenger and a Type I adversary for a certificateless proxy signature scheme.

*Initialization*. runs the setup algorithm to generate a master secret key and the public system parameters . keeps secret and gives to . We should bear in mind that does not know .

*Queries*. performs a polynomially bounded number of queries. These queries may be made adaptively; that is, each query may depend on the answers to the previous queries.(i)Create user: on inputting an identity , if has already been created, nothing is to be carried out. Otherwise, runs the algorithms partial private key extract, secret value set, and user public key generate to obtain the partial private key , secret value , and public key PK_{ID}. In this case, is said to be created and PK_{ID} is returned.(ii)Partial private key extract: on inputting an identity , it returns the partial private key if has been created. Otherwise, returns 0.(iii)Public key replace: on inputting an identity and a user public key PK_{ID}, the original user public key of is replaced with PK_{ID} if has been created. Otherwise, no action will be taken.(iv)Secret value set: on inputting an identity , it returns the corresponding user secret key if has been created. Otherwise, returns 0. Note that is the secret value associated with the original public key PK_{ID}. cannot query the secret value for whose public key has been replaced.(v)Delegate: when submits original signer’s identity/public key / and a warrant to the challenger, responds by running the delegate algorithm on the warrant and the original signer’s full private key .(vi)Proxy sign: when submits a delegation and a message to the challenger, responds by running the proxy sign algorithm on the delegation , message , and the proxy signer’s full private key .

*Forge*. outputs a tuple
wins the game, if one of the following cases is satisfied:(i)Case 1: The final output is and it satisfies(1) is a valid delegation.(2) is not generated from the delegation query on .(3) does not query the original signer ’s partial private key.(4) cannot query the secret value for any identity if the corresponding public key has already been replaced.(ii)Case 2: The final output is and it satisfies(1) is a valid proxy signature.(2) is not generated from the proxy signature query.(3)The tuple () does not appear in delegation query.(4) does not query the original signer ’s partial private key.(5) cannot query the secret value for any identity if the corresponding public key has already been replaced.(iii)Case 3: The final output is and it satisfies(1) is a valid proxy signature.(2) is not generated from the proxy signature query.(3) does not query the proxy signer ’s partial private key.(4) cannot query the secret value for any identity if the corresponding public key has already been replaced. The advantage of is defined as .

*Game II*. A Type II adversary plays the second game with a challenger as follows.

*Initialization*. runs the setup algorithm to obtain a master secret key and public system parameters . gives and to . We should bear in mind that know .

*Queries*. may adaptively make a polynomially bounded number of queries as in Game I.

*Forge*. outputs a tuple wins the game, if one of the following cases is satisfied(i)Case 1: The final output is and it satisfies(1) is a valid delegation.(2) is not generated from the delegation query on .(3) does not replace the original signer ’s public key.(4) does not query the original signer ’s secret value.(5) cannot query the secret value for any identity if the corresponding public key has already been replaced.(ii)Case 2: The final output is and it satisfies(1) is a valid proxy signature.(2) is not generated from the proxy signature query.(3) The tuple () does not appear in delegation query.(4) does not replace the original signer ’s public key.(5) does not query the original signer ’s secret value.(6) cannot query the secret value for any identity if the corresponding public key has already been replaced.(iii)Case 3: The final output is and it satisfies(1) is a valid proxy signature.(2) is not generated from the proxy signature query.(3) does not replace the proxy signer ’s public key.(4) does not query the proxy signer ’s secret value.(5) cannot query the secret value for any identity if the corresponding public key has already been replaced.The advantage of is defined as .

#### 3. Our Certificateless Proxy Signature Scheme

(i) Setup: given the security parameter of the system , the KGC generates two random -bit prime numbers and . Then it computes . For some fixed parameter (for example ), it chooses at random a prime number satisfying and gcd. Then it chooses group of prime order , a generator of , and computes mod . Furthermore, KGC chooses five cryptographic hash functions described as follows: , . Finally, KGC outputs the set of public parameters: params = ; the master secret key is .(ii) Partial private key extract: for an identity his private key is , . The KGC sends to the user ID via a secure channel.(iii) Set secret value: the user with identity randomly chooses .(iv) User public key generation: the user with identity computes his public key .(v) Delegate: is the warrant consisting of the identities/public keys of original signer and proxy signer, the delegation duration, and so on. On inputting the warrant , the original signer, whose identity/public key is /, performs the following steps.(vi) Randomly selects , , computes , , , .(vii) Computes mod , mod .(viii) Outputs as the delegation.(ix) Delegation verify: to verify a delegation for an identity/public key /, the verifier performs the following steps. Computes , . Checking whether , , if both of equalities hold, accept the delegation. Otherwise, reject.(x) Proxy sign: for a message , the proxy signer (whose identity/public key is ) who owns the delegation does the following.(1) Randomly selects , , computes , , , .(2) Computes , mod .(3) Outputs the signature .(xi) Proxy signature verify: to verify the validity of a proxy signature (where the original singer’s identity/public key is /, the proxy singer’s identity/public key is /), a verifier first checks whether the original signer and proxy signer conform to and then performs the following steps.(1) Computes , .(2) Computes , .(3) Checking whether , mod , if both of equalities hold, outputs 1. Otherwise, outputs 0.(xii) On correctness, we have

#### 4. Security Results of Scheme 1

Theorem 4. *In the random oracle model, if there is an adversary that can win the EUF-CLPS-CMA Game I with advantage and within time , after making at most queries, queries, queries, queries, queries, create user queries, partial private key extraction queries, set secret value queries, user public key replacement queries, delegation queries, and proxy signature queries, the RSA problem can be solved with probability within time , where denotes the time for a modular operation and denotes the time for a exponentiation in .*

*Proof. *Suppose the challenger receives a random instance of the RSA problem and has to find an element such that . will run as a subroutine and act as ’s challenger in the EUF-CLPS-CMA game I.

*Setup*. At the beginning of the game, runs the setup program with the parameter and gives the system parameters: params = .

*Queries*. Without loss of generality, we assume that all the queries are distinct and will make query and create user query for before is used in any other queries.(i) queries: maintains the list of tuple . The list is initially empty. When makes a query , responds as follows. At the th query, sets . For , randomly picks a value and sets . Then, the query and the answer will be stored in the list .(ii) queries: maintains the list of tuple . The list is initially empty. When makes a query , randomly picks a value and sets ; the query and the answer will then be stored in the list .(iii) queries: maintains the list of tuple . The list is initially empty. When makes a query , randomly picks a value and sets ; the query and the answer will then be stored in the list .(iv) queries: maintains the list of tuple . The list is initially empty. When makes a query , randomly picks a value and sets ; the query and the answer will then be stored in the list .(v) queries: maintains the list of tuple . The list is initially empty. When makes a query , randomly picks a value and sets ; the query and the answer will then be stored in the list .(vi) Create user queries: maintains the list of tuple . makes creating user query for identity and first makes query and gets from list , then randomly chooses , sets . If , sets , otherwise sets . Then it sends the to ; the will be stored in the list .(vii) Partial private key extract: maintains the list of tuple . makes partial private key extraction query for identity . If , fails and stops. Otherwise, finds the tuple in list and responds with the partial private key ; the will be stored in the list .(viii) User public key replace: maintains the list of tuple . makes user public key replacement request for identity with a new valid public key value . replaces the current public key value with the value and tuple will be stored in the list .(ix) Set secret value: maintains the list of tuple . makes setting secret value query for identity . finds the tuple in list and responds with the secret value ; the will be stored in the list . (Note: cannot query the secret value for ID whose public key has been replaced.)(x) Delegate: submits , , and to challenger. outputs a delegation as follows. If and , gives a delegation by calling the delegate algorithm. Otherwise, does as follows.(1) Randomly selects and .(2) Computes , and .(3) Stores the relations and . If collision occurs, repeats the step .(4) Outputs as the delegation.(xi) Proxy sign: submits a delegation message to the challenger. outputs a certificateless proxy signature as follows (where original signer’s identity/public key is /, proxy signer’s identity/public key is /). If and , gives a signature by calling the proxy sign algorithm. Otherwise, does as follows.(1) Randomly selects and .(2) Computes , , , and .(3) Stores the relations and . If collision occurs, repeats the step .(4) Outputs the proxy signature .

*Forge*. outputs a tuple
If ’s output satisfies none of the three cases in EUF-CLPS-CMA game I, aborts; Otherwise, can solve the RSA problem as follows.

*Case **1*. The final output is and the output satisfies the requirement of Case 1 as defined in EUF-CLPS-CMA game I. In fact, is the signature for by . By the forking lemma for generic signature scheme, for the resemble construction we can get two delegations: and , where , , , and . If , we can solve RSA problem as follows. The relation becomes mod . Since , we have that . By the element is a prime number. So gcd. This means that there exist two integers and such that . Finally, the value mod is the solution of the given instance of the RSA problem. In effect, we have .

*Probability of Success*. The probability that does not fail during the queries is . The probability that is . So the combined probability is . Therefore, the probability of to solve the RSA problem is .

*Case **2*. The final output is and the output satisfies the requirement of Case 2 as defined in EUF-IBPS-CMA game I. By the forking lemma for generic signature scheme, for the resemble construction we can get two proxy signatures: and , where
If , we can solve RSA problem as follows. The relation becomes mod . Since , we have that . By the element is a prime number. So it holds gcd. This means that there exist two integers and such that . Finally, the value mod is the solution of the given instance of the RSA problem. In effect, we have

Probability of success is the same as the probability in Case 1.

*Case **3*. The final output is and the output satisfies the requirement of Case 3 as defined in EUF-IBPS-CMA game I. By the forking lemma for generic signature scheme, for the resemble construction we can get two proxy signatures: and , where
If , we can solve RSA problem as follows. The relation becomes mod . Since , we have that . By the element is a prime number. So it holds gcd. This means that there exist two integers and such that . Finally, the value mod is the solution of the given instance of the RSA problem. In effect, we have
Probability of success is the same as the probability in Case 1.

Theorem 5. *In the random oracle model, if there is an adversary that can win the EUF-CLPS-CMA game II with advantage and within time , after making at most queries, queries, queries, queries, queries, create user queries, partial private key extraction queries, set secret value queries, user public key replacement queries, delegate queries, proxy signature queries, the discrete logarithm problem DLP can be solved with probability within time , where denote the time for a modular operation and denote the time for an exponentiation in .*

*Proof. *Suppose the challenger receives a random instance of the DLP and has to compute the value of . will run as a subroutine and act as ’s challenger in the EUF-CLPS-CMA game II.

*Setup*. At the beginning of the game, runs the setup program with the parameter and gives the system parameters: params = and master secret key .

*Queries*. Without loss of generality, we assume that all the queries are distinct and will make query and create user query for before is used in any other queries.(i) queries: maintains the list of tuple . The list is initially empty. When makes a query , randomly picks a value and sets . Then, will be stored in the list .(ii) queries: same as that in the proof of Theorem 4.(iii)Create user: maintains the list of tuple . The list is initially empty. When makes creating user query for , responds as follows. At the th create user query, first makes query , gets from list , sets and . , first makes query , gets from list , sets , then, randomly chooses , sets , then sends to the ; the query and the answer will be stored in the list .(iv)Partial private key extract: Since knows master secret key , he can compute partial private key for any identity by himself. Hence, does not need making partial private key query.(v)User public key replace: maintains the list of tuple . makes user public key replacement request for identity with a new valid public key value . replaces the current public key value with the value and tuple will be stored in the list .(vi)Set secret value: maintains the list of tuple . makes partial private key query for identity . If , fails and stops. Otherwise, finds the tuple in list and responds with the secret value ; the will be stored in the list . (Note: cannot query the secret value for ID whose public key has been replaced.)(vii)Delegate and proxy sign: Same as that in the proof of Theorem 4.

*Forge*. outputs a tuple

If ’s output satisfies none of the three cases in EUF-CLPS-CMA game II, aborts; otherwise, can solve the DLP in as follows.

*Case **1*. The final output is and the output satisfies the requirement of Case 1 as defined in EUF-CLPS-CMA game II. In fact, is the signature for by . By the forking lemma for generic signature scheme, for the resemble construction we can get two delegations: and , where
If , we can solve DLP as follows: mod .

*Probability of Success*. The probability that does not fail during the queries is . The probability that is . So the combined probability is . Therefore, the probability of to solve the DLP is .

*Case **2*. The final output is and the output satisfies the requirement of Case 2 as defined in EUF-CLPS-CMA game II. By the forking lemma for generic signature scheme, for the resemble construction we can get two proxy signatures: and , where
If , we can solve DLP as follows: mod .

Probability of success is same as the probability in Case 1.

*Case **3*. The final output is and the output satisfies the requirement of Case 3 as defined in EUF-CLPS-CMA game II. By the forking lemma for generic signature scheme, for the resemble construction we can get two proxy signatures: and , where
If , we can solve DLP as follows: mod .

Probability of success is same as the probability in Case 1.

#### 5. Efficiency

Although some good results were achieved in speeding up the computation of pairing function in recent years, it is still desirable to find cryptography schemes which do not need to employ bilinear pairings. In this section, we compare the performance of our scheme with several CLPS schemes in Table 2; we define some notations as follows. : a pairing operation. a pairing-based scalar multiplication operation. : a scalar multiplication operation. : modular exponent in .

Cao et al. [39] obtained the running time for cryptographic operations through a PIV 3 GHZ processor with 512 M bytes memory and the Windows XP operating system. For the pairing-based scheme, to achieve the 1024-bit RSA level security, a supersingular curve over a finite field , with bits and a large prime order bits, was used. For the ECC-based schemes, to achieve the same security level, the ECC group on Koblitz elliptic curve was used which is defined on with and is a 163-bit random prime. The running times are listed in Table 1.

To evaluate the computation efficiency of different schemes, we use the simple method from [39]. For example, in Li et al. [35] scheme, eleven pairing operations and seven pairing-based scalar multiplication operation are needed. So the resulting computation time is . The detailed comparison results of several different CLPS schemes are illustrated in Table 2.

#### 6. Conclusion

We proposed a certificateless proxy signature scheme and prove that our scheme is unforgeable under the strongest security model where the Type I/II adversary is a super Type I/II adversary. The analysis shows our scheme is more efficient than the related schemes. To the best of authors’ knowledge, our scheme is the first certificateless proxy signature scheme from RSA. Due to the good properties of our schemes, it is very useful for practical application.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

The authors are grateful to the anonymous referees for their helpful comments and suggestions. This research is supported by the National Natural Science Foundation of China (no. 11261060), the Dr. Research Foundation of Guizhou Normal University of Guizhou Province, China, under Grant 2013, and the Science and Technology Foundation of Guizhou Province, China, under Grant LKS02.

#### References

- A. Shamir, “Identity-based cryptosystem and signature scheme,” in
*Advances in Cryptology*, vol. 196 of*Lecture Notes in Computer Science*, pp. 47–53, Springer, Berlin, Germany, 1985. View at Publisher · View at Google Scholar - S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in
*Advances in Cryptology—Asiacrypt 2003*, C. S. Laih, Ed., vol. 2894 of*Lecture Notes in Computer Science*, pp. 452–473, Springer, Berlin, Germany, 2003. View at Google Scholar - H. Du and Q. Wen, “Efficient and provably-secure certificateless short signature scheme from bilinear pairings,”
*Computer Standards and Interfaces*, vol. 31, no. 2, pp. 390–394, 2009. View at Publisher · View at Google Scholar · View at Scopus - S. Duan, “Certificateless undeniable signature scheme,”
*Information Sciences*, vol. 178, no. 3, pp. 742–755, 2008. View at Publisher · View at Google Scholar · View at Scopus - B. C. Hu, D. S. Wong, Z. Zhang, and X. Deng, “Key replacement attack against a generic construction of certificateless signature,” in
*Proceedings of the 11th Australasian Conference on Information Security and Privacy (ACISP '06)*, vol. 4058 of*Lecture Notes in Computer Science*, pp. 235–246, Springer, Melbourne, Australia, July 2006. - X. Huang, W. Susilo, Y. Mu, and F. Zhang, “On the security of certificateless signature schemes from Asiacrypt 2003,” in
*Proceedings of the 4th International Conference on Cryptology and Network Security (CANS '05)*, vol. 3810 of*Lecture Notes in Computer Science*, pp. 13–25, Springer, Xiamen, China, December 2005. View at Publisher · View at Google Scholar - Y. Long and K. Chen, “Certificateless threshold cryptosystem secure against chosen-ciphertext attack,”
*Information Sciences*, vol. 177, no. 24, pp. 5620–5637, 2007. View at Publisher · View at Google Scholar · View at Scopus - K. A. Shim, “Breaking the short certificateless signature scheme,”
*Information Sciences*, vol. 179, no. 3, pp. 303–306, 2009. View at Publisher · View at Google Scholar · View at Scopus - F. Wang and Y. Zhang, “A new provably secure authentication and key agreement mechanism for SIP using certificateless public-key cryptography,”
*Computer Communications*, vol. 31, no. 10, pp. 2142–2149, 2008. View at Publisher · View at Google Scholar · View at Scopus - L. Wang, Z. Cao, X. Lia, and H. Qian, “Simulatability and security of certificateless threshold signatures,”
*Information Sciences*, vol. 177, no. 6, pp. 1382–1394, 2007. View at Publisher · View at Google Scholar · View at Scopus - Z. Zhang, D. S. Wong, J. Xu, and D. Feng, “Certificateless public-key signature: security model and efficient construction,” in
*Proceedings of the 4th International Conference on Applied Cryptography and Network Security (ACNS '06)*, vol. 3989 of*Lecture Notes in Computer Science*, pp. 293–308, Springer, Singapore, June 2006. View at Publisher · View at Google Scholar - M. H. Au, J. Chen, J. K. Liu, Y. Mu, D. S. Wong, and G. Yang, “Malicious KGC attacks in certificateless cryptography,” in
*Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security (ASIACCS '07)*, pp. 302–311, Singapore, March 2007. View at Scopus - L. C. Guillou and J. J. Quisquater, “A paradoxical identity-based signature scheme resulting from zero-knowledge,” in
*Advances in Cryptology—CRYPTO' 88*, vol. 403 of*Lecture Notes in Computer Science*, pp. 216–231, Springer, New York, NY, USA, 1990. View at Publisher · View at Google Scholar - J. Herranz, “Identity-based ring signatures from RSA,”
*Theoretical Computer Science*, vol. 389, no. 1-2, pp. 100–117, 2007. View at Publisher · View at Google Scholar · View at Scopus - D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,”
*SIAM Journal on Computing*, vol. 32, no. 3, pp. 586–615, 2003. View at Publisher · View at Google Scholar · View at Scopus - M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures: delegation of the power to sign messages,”
*IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences*, vol. 79, no. 9, pp. 1338–1353, 1996. View at Google Scholar · View at Scopus - A. Boldyreva, A. Palacio, and B. Warinschi, “Secure proxy signature schemes for delegation of signing rights,”
*Journal of Cryptology*, vol. 25, no. 1, pp. 57–115, 2012. View at Publisher · View at Google Scholar · View at Scopus - C. Gu and Y. Zhu, “Provable security of ID-based proxy signature schemes,” in
*Proceedings of the 3rd International Conference on Computer Network and Mobile Computing (ICCNMC '05)*, X. Lu and W. Zhao, Eds., vol. 3619 of*Lecture Notes in Computer Science*, pp. 1277–1286, Springer, Zhangjiajie, China, August 2005. View at Publisher · View at Google Scholar · View at Scopus - C. Gu and Y. Zhu, “An efficient ID-based proxy signature scheme from pairings,” in
*Proceedings of the 3rd SKLOIS Conference on Information Security and Cryptology (INSCRYPT '07)*, vol. 4990 of*Lecture Notes in Computer Science*, pp. 40–50, Springler, Xining, China, September 2007. View at Publisher · View at Google Scholar - D. B. He, J. H. Chen, and J. Hu, “An ID-based proxy signature schemes without bilinear pairings,”
*Annales des Télécommunications*, vol. 66, no. 11-12, pp. 657–662, 2011. View at Publisher · View at Google Scholar · View at Scopus - H. Ji, W. Han, L. Zhao, and Y. Wang, “An identity-based proxy signature from bilinear pairings,” in
*Proceedings of the WASE International Conference on Information Engineering (ICIE '09)*, pp. 14–17, Shanxi, China, July 2009. View at Publisher · View at Google Scholar · View at Scopus - S. Kim, S. Park, and D. Won, “Proxy signatures, revisited,” in
*Proceedings of the 1st International Conference on Information and Communication Security (ICICS '97)*, Y. Han and S. Quing, Eds., vol. 1334 of*Lecture Notes in Computer Science*, pp. 223–232, Springer, Heidelberg, Germany, 1997. View at Google Scholar - B. Lee, H. Kim, and K. Kim, “Strong proxy signature and its applications,” in
*Proceedings of the Symposium on Cryptography and Information Security (SCIS '01)*, pp. 603–608, Oiso, Japan, January 2001. - B. Lee, H. Kim, and K. Kim, “Secure mobile agent using strong non designated proxy signature,” in
*Proceedings of the 6th Australasian Conference on Information Security and Privacy (ACISP '01)*, V. Varadharajan and Y. Mu, Eds., vol. 2119 of*Lecture Notes in Computer Science*, pp. 474–486, Springer, Sydney, Australia, July 2001. - J. Y. Lee, J. H. Cheon, and M. Kim SJoye, “An analysis of proxy signatures: is a secure channel necessary?” in
*Proceedings of the RSA Conference on the Cryptographers' Track (CT-RSA '03)*, vol. 2612 of*Lecture Notes in Computer Science*, pp. 68–79, Springer, San Francisco, Calif, USA, April 2003. View at Publisher · View at Google Scholar - T. Malkin, S. Obana, and M. Yung, “The hierarchy of key evolving signatures and a characterization of proxy signatures,” in
*Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT '04)*, C. Cachin and J. L. Camenisch, Eds., vol. 3027 of*Lecture Notes in Computer Science*, pp. 306–322, Springer, Interlaken, Switzerland, May 2004. View at Publisher · View at Google Scholar - T. Okamoto, A. Inomata, and E. Okamoto, “A proposal of short proxy signature using pairing,” in
*Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC '05)*, pp. 631–635, IEEE Computer Society Press, Los Alamitos, Calif, USA, April 2005. View at Scopus - T. Okamoto, M. Tada, and E. Okamoto, “Extended proxy signatures for smart cards,” in
*Proceedings of the 2nd International Workshop on Information Security (ISW '99)*, Y. Zheng and M. Mambo, Eds., vol. 1729 of*Lecture Notes in Computer Science*, pp. 247–258, Springer, Kuala Lumpur, Malaysia, November 1999. View at Publisher · View at Google Scholar - G. Wang, F. Bao, J. Zhou, and R. H. Deng, “Security analysis of some proxy signatures,” in
*Proceedings of the 6th International Conference on Information Security and Cryptology (ICISC '03)*, J.-I. Lim and D.-H. Lee, Eds., vol. 2971 of*Lecture Notes in Computer Science*, pp. 305–319, Springer, Seoul, Republic of Korea, November 2004. View at Publisher · View at Google Scholar - W. Wu, Y. Mu, W. Susilo, J. Seberry, and X. Y. Huang, “Identity-based proxy signature from pairings,” in
*Proceedings of the 4th International Conference on Autonomic and Trusted Computing (ATC '07)*, vol. 4610 of*Lecture Notes in Computer Science*, pp. 22–31, Springer, Hong Kong, July 2007. View at Publisher · View at Google Scholar - J. Xu, Z. Zhang, and D. Feng, “ID-based proxy signature using bilinear pairings,” in
*Parallel and Distributed Processing and Applications—ISPA 2005 Workshops*, G. Chen, Y. Pan, M. Guo, and J. Lu, Eds., vol. 3759 of*Lecture Notes in Computer Science*, pp. 359–367, Springer, Heidelberg, Germany, 2005. View at Publisher · View at Google Scholar - K. Choi and D. Lee, “Certificateless proxy signature scheme,” in
*Proceedings of the 3rd International Conference on Multimedia, Information Technology and Its Applications (MITA '07)*, pp. 437–440, Manila, Philippines, August 2007. - Y. C. Chen, C. L. Liu, G. Horng, and K. C. Chen, “A provably secure certificateless proxy signature scheme,”
*International Journal of Innovative Computing, Information & Control*, vol. 7, no. 9, pp. 5557–5569, 2011. View at Google Scholar · View at Scopus - R. Lu, D. He, and C. Wang, “Cryptanalysis and improvement of a certificateless proxy signature scheme from bilinear pairings,” in
*Proceedings of the 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD '07)*, pp. 285–290, IEEE Computer Society, Qingdao, China, August 2007. View at Publisher · View at Google Scholar - X. Li, K. Chen, and L. Sun, “Certificateless signature and proxy signature schemes from bilinear pairings,”
*Lithuanian Mathematical Journal*, vol. 45, no. 1, pp. 76–83, 2005. View at Publisher · View at Google Scholar · View at Scopus - S. H. Seo, K. Y. Choi, J. Y. Hwang, and S. Kim, “Efficient certificateless proxy signature scheme with provable security,”
*Information Sciences*, vol. 188, pp. 322–337, 2012. View at Publisher · View at Google Scholar · View at Scopus - H. Xiong, F. G. Li, and Z. G. Qin, “A provably secure proxy signature scheme in certificateless cryptography,”
*Informatica*, vol. 21, no. 2, pp. 277–294, 2010. View at Google Scholar · View at Scopus - L. Zhang, F. T. Zhang, and Q. H. Wu, “Delegation of signing rights using certificateless proxy signatures,”
*Information Sciences*, vol. 184, no. 1, pp. 298–309, 2012. View at Publisher · View at Google Scholar · View at Scopus - X. Cao, W. Kou, and X. Du, “A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges,”
*Information Sciences*, vol. 180, no. 15, pp. 2895–2903, 2010. View at Publisher · View at Google Scholar · View at Scopus