#### Abstract

We propose a strongly secure certificateless signature scheme supporting batch verification, which makes it possible for a verifier to verify a set of signatures more efficiently than verifying them one by one. In an identity-based digital signature scheme, private key generator (PKG) knows each user's signing key, so it can generate a signature which is indistinguishable from the signature generated by the user. This is a serious problem because the property of signature nonrepudiation will not be achieved. In our proposed scheme, it is impossible for PKG to produce a signature which is indistinguishable from any signature produced by a user. Compared with existing signature schemes with batch verification, although our proposed scheme is not the most efficient one, it achieves Girault's level-3 security, while the others have Girault's level-1 or level-2 security only. We also formally prove that the proposed scheme is unforgeable and satisfies Girault's level-3 security based on hard problems.

#### 1. Introduction

In traditional certificate-based public-key cryptosystems, a user’s public key is produced and is not related to her/his identity. Therefore, the key needs to be certificated by some certification authority (CA) with respect to the user’s identity. Anyone who wants to use the public key must verify the validity of the corresponding certificate for the key first. Considering implementation, the management of public key certificates requires a large amount of computation cost and storage.

To reduce the cost of certificate management, Shamir [1] proposed identity based public key cryptography (ID-PKC) in 1984. In ID-PKC, a user’s public key can be an arbitrary bit string which can represent the user’s identity, such as her/his email address or telephone number. And the user’s corresponding private key is computed by a trusted party, called private key generator (PKG) [2].

An inherent problem of ID-PKC is the key escrow problem. That is, the private key of a user is known to PKG. PKG can act as any user to decrypt any ciphertext or generate a signature on any message. To solve this problem, Al-Riyami and Paterson [3] proposed certificateless public key cryptography (CL-PKC) in 2003. In CL-PKC, a user’s secret key is a combination of the secret key, computed by PKG using its master secret key, and a user-chosen secret. Thus, PKG cannot know the complete secret key of the user.

In 2003, a certificateless public-key signature scheme [3] was proposed, but it suffered from the key replacement attack [4]. After that, several certificateless signature schemes [5–18] were introduced recently. In 2007, Hu et al. [19] proposed a new security model and an improved generic construction for certificateless signatures. It showed that certificateless signatures should satisfy the property of Girault’s level-3 security [20]. If a certificateless signature scheme meets the above property, the framework of CL-PKC will be with the same security level as that of the traditional certificate-based public key cryptosystems.

In 1989, batch cryptography was first introduced by Fiat [21]. In a signature scheme with batch verification, the cost for verifying signatures is less than verifying them one by one. After [21], some results [22–24] about batch verification based on RSA or DLP have been proposed. In 2004, Yoon et al. proposed an ID-based signature scheme with batch verification [25], but their security proof does not meet the definition of batch verification [26]. After that, some ID-based and group signature schemes with batch verification were proposed in [27–34], respectively, but only [29] is a certificateless signature scheme. Besides, the randomization technique [26, 35–39] for the security of signatures with batch verification was introduced. The technique can withstand the attack that an attacker cheats a verifier to accept invalid signatures.

In this paper, we will design a certificateless signature scheme with efficient batch verification. The computation cost of our scheme in batch verification is only three pairings and it is independent of the number of individual signatures which will be verified. Furthermore, our scheme satisfies Girault’s level-3 security. Compared to certificateless, ID-based, and group signature schemes with batch verification [7, 11, 14, 16, 27–34], our scheme achieves Girault’s level-3 security, while [27–34] meet Girault’s level-1 security and [7, 11, 14, 16, 29] satisfy Girault’s level-2 security only. Compared to [5, 13], which also achieve Girault’s level-3 security, our scheme is more efficient in verification because of the batch property.

The rest of this paper is organized as follows. In Section 2, we introduce some preliminaries about mathematical backgrounds and definitions. In Section 3, we present the proposed scheme. In Section 4, we provide formal security proofs for our scheme. We compare the proposed scheme with [5, 7, 11, 13, 14, 16, 27–34] in Section 5. Finally, a concluding remark is given in Section 6.

#### 2. Preliminaries

In this section, we review the properties of bilinear groups and some related hard problems.

Let and be two cyclic groups of prime order . Let be a randomly chosen generator of and let be a bilinear mapping such that : , which satisfies the following properties.(1)Bilinearity: for all , and .(2)Nondegeneracy: there exists such that .(3)Computability: there exists an efficient algorithm to compute for any .

*Definition 1 (batch verification of signatures [35]). *Let be the security parameter. Suppose that is a signature scheme, polynomial(), and are generated independently according to () where and are a user ’s public key and secret key, respectively. Then, we call probabilistic a batch verification algorithm when the following conditions hold.(i)If for all , then where and are a message and a signature, respectively.(ii)If for some , then with probability negligible in , taken over the randomness of .

*Definition 2 (a certificateless signature scheme with batch verification). *A certificateless signature scheme with batch verification consists of the following algorithms.(i): PKG randomly chooses a secret key and computes the public key by using the secret key. Then, it publishes and other system parameters.(ii): a user first randomly chooses a secret key , computes corresponding public key and then sends to PKG. After receiving , PKG outputs a partial private key to a legal user with identity .(iii): this algorithm gets a user’s public key , the user’s partial private key , the user’s secret key , and a message and then it outputs a signature on .(iv): this algorithm gets a signature on a message , a signer’s identity , and a signer’s public key . It then outputs True or False.(v): this algorithm gets signatures on message , the signers’ identities , and the signers’ public keys , respectively. This algorithm outputs True or False.

*Definition 3 (Girault’s security [19, 20]). *Girault proposed three security levels to classify the levels of trust to PKG. The three levels are described as follows.(i)Level 1: PKG knows the secret of any user.(ii)Level 2: PKG cannot find out all the information of a user’s secret. However, PKG can generate a contradictory public key (or a contradictory certificate) and impersonate the user to generate signatures with respect to the contradictory public key.(iii)Level 3: PKG cannot find out all the information of a user’s secret nor generate a contradictory public key. PKG can only generate a valid public key (or a valid certificate).

*Definition 4 (the computational Diffie-Hellman (CDH) problem). *Let be a cyclic group of order and let be a generator of . Given for some , compute .

#### 3. Our Proposed Scheme

In this section, we propose an efficient certificateless signature scheme with batch verification based on [15]. is an additive group and is a multiplicative group. Let and be two cyclic groups of prime order . Let be a randomly chosen generator of and a bilinear mapping such that . The details of our scheme are described as follows.

*Setup*. PKG performs the following operations.(1)Choose an integer and randomly, and set .(2)Choose four cryptographic one-way hash functions, , , , , and .(3)Publish the system parameters and keep the master key secret.

*Key Generating Phase*(1)A user with identity randomly chooses and computes , where and are called the secret key and the public key, respectively, of user .(2)The user sends to PKG.(3)PKG gets and .(4)PKG computes and and sends to the user via a secret channel. The pair is called the partial private key of user . The private key of user consists of and .

*Signing Phase*. Assume that a signer wants to sign a message . The signer does the following works.(1)Choose and randomly.(2)Compute and .(3)Compute , , and .(4)Compute .(5)The signature on is .

*Verifying Phase*. To verify a signature on message , a verifier should do the following works.(1)Compute , , , , and .(2)Verify if . If it is true, the verifier accepts the signature; otherwise, the verifier rejects it.

*Batch Verifying Phase*. To verify signatures of the signers on message , respectively, a verifier performs the following works.(1)Choose randomly.(2)Compute , , , for , and .(3)Verify if . If it is true, the verifier accepts the signatures.

*Correctness*. Consider

#### 4. Security Models and Formal Proofs

##### 4.1. Security Models

A simulator simulates an environment such that an adversary can query signatures from . If can forge a signature, can use the output from to solve a hard problem.

We classify adversary into three types. The adversary of type I cannot access the master secret key and query the partial private key of target ID. The adversary of type II can access the master secret key but cannot query target ID’s secret key nor replace her/his public key. The adversary of type III is to simulate the environment for the proof of that a user cannot produce a signature with a new public-secret key pair, which is different from his own one, without the corresponding partial private key generated from the master secret key.

We define the capability of which can be captured by the following queries.(i): if inputs a user’s identity to , will output a randomly chosen as the user’s public key.(ii): when inputs a public key to , outputs a randomly chosen .(iii): if inputs a message and , will output an integer randomly chosen in .(iv): if inputs a message , , and , will output a random integer in .(v): if inputs a string , will output an element randomly chosen in .(vi): if inputs a user’s identity, , then will output the user’s public key .(vii): if inputs a user’s identity and the user’s public key , will output the partial private key .(viii): if inputs a user’s identity, , will output the secret key of user to .(ix): when inputs a user’s identity and the user’s new public key , will replace with . The new partial private key can be obtained by querying .(x): if inputs a user’s identity and a message , will output a user ’s signature on to .

*Definition 5 (the CDH assumption). *We say that the -CDH assumption holds in if no polynomial-time algorithm within running time can solve the CDH problem with probability at least .

*Definition 6 (the unforgeability game I). *Let be a polynomial-time attacker of type I. interacts with a challenger in the following game.(i)Step 1: runs the setup algorithm of a certificateless signature scheme with batch verification. publishes the public parameters.(ii)Step 2: queries , , , , , , , , , and in an arbitrary sequence.(iii)Step 3: outputs signatures on corresponding to the signers with the public keys , respectively.

wins the game if (1) = True;(2)there exists whose has not been queried to oracle;(3) has never been queried.

The scheme is (, I)-unforgeable if no polynomial-time attacker , with running time at most , can win the unforgeability game I with probability at least .

*Definition 7 (the unforgeability game II). *Let be a polynomial-time attacker of type II. interacts with a challenger in the following game.(i)Step 1: runs the setup algorithm of a certificateless signature scheme with batch verification. publishes the public parameters and sends the master secret key to .(ii)Step 2: queries , , , , , , , , , and in an arbitrary sequence.(iii)Step 3: outputs signatures on corresponding to the signers with the public keys , respectively.

wins the game if (1) = True;(2)there exists whose has not been queried to oracle;(3)Neither nor has been queried.

The scheme is (, II)-unforgeable if no polynomial-time attacker , with running time at most , can win the unforgeability game II with probability at least .

*Definition 8 (the unforgeability game III [19]). *Let be a polynomial-time attacker of type III. interacts with a challenger in the following game.(I)Step 1: runs the setup algorithm of a certificateless signature scheme with batch verification. publishes the public parameters.(II)Step 2: queries , , , , , , , , and in an arbitrary sequence.(III)Step 3: outputs a signature on a message for the user .

wins the game if(1) True;(2)User has been created, that is, , , and have been queried;(3) is different from all of the public keys ’s returned by or used to query .

The scheme is (, III)-unforgeable if no polynomial-time attacker , with running time at most , can win the unforgeability game III with probability at least .

##### 4.2. Formal Proofs

In this section, we will prove that our scheme is unforgeable based on the CDH assumption.

Lemma 9 (the forking lemma [40]). *Let be a valid signature-message triple of a signature scheme and the hashed value of where is a plaintext message, is a string, and is called the signature part of the triple. Let be a probabilistic polynomial-time Turning machine. Given only the public data of the signature scheme as input, if can find, with nonnegligible probability, a valid signature-message triple with , then, with nonnegligible probability, a replay of this machine, with the same random tape and a different value returned by the random oracle, outputs two valid signature-message triples with and with such that .*

Lemma 10 (the splitting lemma [40]). *Let such that . For any , define and then the following statements hold: *(1)* ,*(2)

*(3)*

*,*

*.*Theorem 11. *Given 5-tuples ’s, if where is randomly chosen in , , and for each , the probability of that for some is .*

*Proof. *The proof is based on [35, 37]. If for some , we have that for some . Thus, there exists (mod ) such that for some .

Let and , . As , (mod ) and thus mod . Since is randomly chosen in , the probability of mod is , which is negligible.

Theorem 12. *The proposed scheme is ()-unforgeable assuming that the -CDH assumption holds in where , (1), , , , , , , , , , and being the numbers of queries to , , , , , , , , , and , respectively, and , , , , , , , , , and being the computing time of the queries to , , , , , , , , , and , respectively.*

*Proof. *Assume that a polynomial-time attacker wins the game of Definition 6 with probability being at least within running time . A simulator is given an instance of the CDH problem , and ’s goal is to output the value of . We will construct which plays the game in Definition 6 with and outputs the value of .*Setup*. sets and chooses randomly. Then, publishes , , , , , , , , }.

can respond to the queries from as follows.(i) query: constructs a list, -list, and chooses an identity randomly. When queries to , checks whether is in -list or not. If does not exist in -list, then there are the following two cases. Case 1: if , sets and stores in -list. Case 2: if , sets where is randomly chosen in and stores in -list. However, if exists in -list, gets its mapping value, or . Finally, returns .(ii) query: constructs a list, -list. If queries to where , checks whether is in -list or not. If it does not exist in -list, randomly chooses and records in -list; else, gets its mapping value, , from -list. Then, returns to .(iii) query: constructs -list. If queries to , checks whether is in -list or not. If not, randomly chooses and records in -list; else, gets its mapping value, , from -list. Then, returns to .(iv) query: constructs -list. When queries to , checks whether is in -list or not. If not, randomly chooses and records in -list; otherwise, gets its mapping value, , from -list. Then, responds to .(v) query: constructs -list. If queries with a string to , checks whether is in -list or not. If does not exist in -list, then there are the following two conditions. Condition 1: if , sets where is randomly chosen in and stores in -list. Condition 2: if , sets where is randomly chosen in and stores in -list. However, if exists in -list, gets its mapping value, or . Finally, returns .(vi) query: constructs a list, -list. When queries to , looks up -list. If is not found in -list, randomly chooses , computes , and stores in -list; otherwise, gets from -list. Finally, returns .(vii) query: if queries to , looks up -list, -list, and -list. If , returns “failure.” If is not found in -list, queries and gets from -list; else, retrieves from -list. If is not in -list, queries and obtains ; otherwise, catches from -list. If , returns “failure.” Then, if is not found in -list, queries and gets ; else, retrieves from -list. Finally, returns .(viii) query: if queries to , looks up -list. If is not found in -list, queries and gets ; if there is a record , then retrieves from -list and returns .(ix) query: when queries (, ) to , looks up -list. If is not found in -list, queries . Then, replaces the record with in -list.(x) query: when queries to , if , does the following works.(1)Choose , , and randomly;(2)compute and ;(3)set ;(4)compute and ;(5)compute ;(6)form .Thus, the signature on is and it satisfies the verifying formula in Section 3.

If , can return a signature on to because can compute all secrets of user . Finally, suppose that outputs, with probability at least , signatures on of the signers , respectively, such that (1) = True;(2)there exists which is not the output from ;(3) has never been queried.

From Lemma 9, we fork the sequence of signatures one time and get on by setting . Thus, we randomly choose ’s and obtain the following two equations:
with probability being at least by Lemma 10, where , , , , and .

We assume that . By Theorem 11, we have that
with probability being at least . Thus, we can compute , which is , to solve the CDH problem with and .

Theorem 13. *The proposed scheme is (, , , II)-unforgeable assuming that the -CDH assumption holds in where (1), , , , , , , , , , and are the numbers of queries to , , , , , , , , , and , respectively, and , , , , , , , , , and are the computing time of the queries to , , , , , , , , , and , respectively.*

*Proof. *Assume that a polynomial-time attacker wins the game of Definition 7 with probability at least within running time . A simulator is given an instance of the CDH problem , and ’s goal is to output the value of . We will construct which plays the game in Definition 7 with and outputs the value of .*Setup*. sets where is randomly chosen in and chooses randomly. Then, publishes , , , , , , , , and sends to . can respond to the queries from as follows.(i) query: constructs a list, -list. When queries to , checks whether is in -list or not. If does not exist in -list, sets where is a random integer in and records (, , ) in -list; else, gets its mapping value, , from -list. Then, returns to .(ii) query: constructs -list. If queries with a string to , checks whether is in -list or not. If does not exist in -list, then there are the following two conditions. Condition 1: if , sets and stores in -list. Condition 2: if , sets where is randomly chosen in and stores in -list. However, if exists in -list, gets its mapping value, or . Finally, returns .(iii)The simulations for , , , and are the same as those in the proof of Theorem 12.(iv) query: constructs a list, -list, and chooses an identity randomly. When queries to , looks up -list. If does not exist in -list, then there are the following two conditions. Condition 1: if , sets and stores in -list. Condition 2: if , sets where is randomly chosen in and stores in -list. However, if exists in -list, gets its mapping value, or . Finally, returns .(v) query: when queries to , looks up -list, -list, and -list. If is not found in -list, queries and gets from -list; else, retrieves from -list. If is not in -list, queries and obtains ; otherwise, catches from -list. If , returns “failure.” Then, if is not found in -list, queries and gets ; else, retrieves from -list. Finally, returns .(vi) query: when queries to , looks up -list. If , returns “failure.” If is not found in -list, queries and gets from -list; else, retrieves from -list. Finally, returns .(vii) query: when queries to , if , performs the following works.(1)choose , , and randomly;(2)compute and ;(3)compute and ;(4)set ;(5)compute ;(6)form .

Therefore, the signature on is and it meets the verifying formula in Section 3.

If , can return a signature on to since knows all secrets of user . Finally, outputs, with probability being at least , signatures on of the signers , respectively, such that (1) = True;(2)there exists which is not the output from ;(3)neither nor has been queried.

From Lemma 9, we fork the sequence of signatures one time and get on by setting . Thus, we randomly choose ’s and obtain the following two equations:
with probability being at least by Lemma 10, where , , , , and .

We assume that . By Theorem 11, we have that
with probability being at least . Thus, we can compute , which is , to solve the CDH problem with and + .

Theorem 14. *The proposed scheme is (, , , III)-unforgeable assuming that the -CDH assumption holds in with being the possibly maximal number of queries to , , , , , , , , , and being the numbers of queries to , , , , , , , , and , respectively, and , , , , , , , , , and being the computing time of the queries to , , , , , , , , , and , respectively.*

*Proof. *Assume that a polynomial-time attacker wins the game of Definition 8 with probability being at least within running time . A simulator is given an instance of the CDH problem , and ’s goal is to output . We will construct which plays the game in Definition 8 with and outputs .*Setup*. sets and chooses randomly. Then, publishes , , , , , , , , . can respond to the queries from as follows.

The simulation for is identical to that in the proof of Theorem 13. Consider the following.(i) query: constructs a list, -list, and then chooses at random and sets an index . When queries to , checks whether is in -list or not. If does not exist in -list, computes and there are the following two cases. Case 1: if , sets and stores in -list. Case 2: if , sets where is randomly chosen in and stores in -list. Besides, if exists in -list, gets its mapping value, or . Finally, returns or .(ii) query: constructs -list. If queries with a string to , checks whether is in -list or not. If does not exist in -list, then there are the following two conditions. Condition 1: if , sets where