Mathematical Problems in Engineering

Volume 2017, Article ID 7696858, 9 pages

https://doi.org/10.1155/2017/7696858

## A Certificateless Ring Signature Scheme with High Efficiency in the Random Oracle Model

^{1}School of Mathematical Sciences, Xiamen University, Fujian 361005, China^{2}School of Mathematical Science, Xinjiang Normal University, Xinjiang, China

Correspondence should be addressed to Jiwen Zeng; nc.ude.umx@gnezwj

Received 14 December 2016; Accepted 27 April 2017; Published 21 June 2017

Academic Editor: Haipeng Peng

Copyright © 2017 Yingying Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Ring signature is a kind of digital signature which can protect the identity of the signer. Certificateless public key cryptography not only overcomes key escrow problem but also does not lose some advantages of identity-based cryptography. Certificateless ring signature integrates ring signature with certificateless public key cryptography. In this paper, we propose an efficient certificateless ring signature; it has only three bilinear pairing operations in the verify algorithm. The scheme is proved to be unforgeable in the random oracle model.

#### 1. Introduction

In the traditional cryptography, the communicating parties distribute a private key by sending the key in advance over some secure channels. But there is a major barrier that the key distribution will cost and delay large teleprocessing networks. In 1976, Diffie and Hellman [1] first introduced the concept of public key cryptography (PKC) and proposed some techniques to solve this longstanding problem in traditional cryptography. But the traditional public key infrastructure confronted with the problem of certificate management. In order to solve this problem, Shamir [2] proposed an identity-based cryptography scheme based on public key cryptography (ID-PKC) in 1995. In his scheme, every user chooses his fundamental information as his public key and the user’s private key is generated directly by a private key generation (PKG) referred as master key. But there is a problem that the third party PKG has the private keys of all users and must be fully trusted; we call it the key escrow problem.

In 2003, Al-Riyami and Paterson [3] introduced the concept of certificateless public key cryptography (CL-PKC). CL-PKC not only overcomes key escrow problem but also does not lose some advantages of ID-PKC. Key generation cryptography (KGC) in CL-PKC only issues the partial private key to a user. Then, the user combines the private key from KGC with a self-generated secret key to generate his actual private key, so that the KGC does not access user’s private key fully like in ID-PKC. Moreover, the public key of a user is generated by user himself by computing the KGC’s public parameters and the secret values of the user. Over last years, the certificateless signature (CLS) has been investigated successfully and attracted great attention [4–8].

In 2001, Rivest et al. [9] first proposed the concept of ring signature (RS). Ring signature is designed for the situation that a member in a group wants to sign messages on behalf of the group while keeping his identity anonymous. Therefore, ring signature can protect the identity of the signer. In a ring signature, the signer forms a group (called a ring) only by collecting the public keys of all the group members including himself to keep the singer’s identity anonymous. In addition, ring signature is characterized with spontaneity; it means that the singer can generate a valid signature without help of any other members of the ring. Due to above two characteristics of ring signature, it is now widely used in electronic voting.

A ring signature should meet the following three properties:(i)*Verifiability*. The verifier can be convinced of the signer’s agreement on the signed message.(ii)*Unforgeability*. No one, even any member of the ring, can forge other ring members to generate a valid ring signature.(iii)*Unconditional Anonymity*. No one can determine the identity of the signer through the final ring signature.

After ring signature given by Rivest et al. [9], many researchers have been proposing ring signature schemes and their variants such as threshold ring signatures [10–12] and constant-size ring signatures [13–16]. Ring signature schemes based on standard assumptions without random oracles were proposed in [17–20].

As we know ring signature has been studied greatly in traditional PKC [18, 21, 22] and ID-PKC [17, 23–27]. But the applications of ring signature in traditional PKC and ID-PKC are restricted since there are some flaws in them. In fact, in a ring signature based on PKC, the verifier must check the validity of certificates of some group members, which will make the signature scheme inefficient since the computational cost will increase with the group size. Moreover, the ring signature based on ID-PKC has the key escrow problem. As described before, certificateless cryptography can make up the drawbacks in traditional PKC and ID-PKC. Therefore, several certificateless ring signatures (CLRS) integrating ring signature with certificateless cryptography have been proposed [28–30].

Over the last few decades, certificateless signature and ring signature have been studied extensively; however there is little work on certificateless ring signatures [28, 31–33]. Chow and Yap [32] presented a CLRS scheme based on a security model they proposed, but their scheme requires pairing operations and 2 exponentiation operations. Later, a CLRS scheme only requiring 5 pairing operations and exponentiation operations was proposed by Zhang et al. (see [33]). Two years later Chang et al. [31] constructed a concrete CLRS scheme, which reduces the pairing operations to 4 while it needs exponentiation operations.

We know that it is always interesting to design a cryptographic scheme with less pairing operations to speed up the computation of pairing function in recent years. To the best of our knowledge, the most efficient certificateless ring signature scheme based on bilinear pairings requires at least four bilinear maps. In this paper, we will propose a certificateless ring signature. Our scheme only needs 3 bilinear maps in the verification phase. By the analysis in Section 6, we know that our scheme is more efficient compared with other certificateless ring signature schemes [31–33].

The rest of the paper is organized as follows. Section 2 presents the basic concepts of bilinear pairings and some related mathematical problems. Section 3 presents a formal definition and security model of a certificateless ring signature scheme. Section 4 presents our certificateless ring signature scheme. We prove its security in Section 5. Schemes comparison will be given in Section 6. Finally, we give some conclusions in Section 7.

#### 2. Preliminaries

##### 2.1. Bilinear Pairing

Let be a cyclic additive group of prime order and be a cyclic multiplicative group of the same order.

We call a bilinear pairing if is a map with the following three properties:(1)Bilinearity: , and .(2)Nondegeneracy: there exist such that .(3)Computability: there is an efficient algorithm to compute for any two random elements .

Security of the proposed scheme relies on the following questions and assumptions.

*Definition 1 (computational Diffie-Hellman (CDH) problem). *Let , where is an elliptic curve over a finite field and is a point having prime order . Let , the computational Diffie-Hellman (CDH) Problem is that given two random elements for unknown , to compute .

*Definition 2 (computational Diffie-Hellman (CDH) assumption). *Let be a CDH parameter generator. We say that an algorithm has advantage in solving the CDH problem for if, for a sufficiently large , Given an upper limitation time , we say that satisfies the CDH assumption if for any randomized polynomial-time algorithm , we have that is a negligible function. When satisfies the CDH assumption, we say that the CDH problem is hard in generated by .

*Definition 3 (computational co-Diffie-Hellman (co-CDH) problem). *Let , where is an elliptic curve over a finite field and is a point having prime order . Let ; the Computational co-Diffie-Hellman (co-CDH) Problem is that given two random elements for unknown , to compute .

*Definition 4 (computational co-Diffie-Hellman (co-CDH) assumption). *Let be a co-CDH parameter generator. We say that an algorithm has advantage in solving the co-CDH problem for if, for a sufficiently large , Given an upper limitation time , we say that satisfies the (co-CDH) assumption if for any randomized polynomial-time algorithm , we have that is a negligible function. When satisfies the (co-CDH) assumption, we say that the (co-CDH) problem is hard in generated by .

#### 3. Formal Definition and Security Model

##### 3.1. Formal Definition of a Certificateless Ring Signature Scheme

A certificateless ring signature scheme (CLRS) can be specified by seven algorithms: Setup, Partial Private Key Extract, Set Secret Value, Set Private Key, Set Public Key, CLRS Generation, and CLRS Verification. Every algorithm is depicted as follows.(i)*Setup*. Given a security parameter, it outputs a list of system parameters.(ii)*Partial Private Key Extract*. On input a master key, a user’s identity , and system parameters, it generates the user’s partial private key .(iii)*Set Secret Value*. Given a user’s identity , it outputs the user’s secret value and computes .(iv)*Set Private Key*. The user takes the pair as its private key.(v)*Set Public Key*. The user with identity constructs his public key pair (, ) responding to and , respectively.(vi)*CLRS Generation*. Given a message , signer chooses other users to form a ring ; then it outputs a ring signature on behalf of the ring .(vii)*CLRS Verification*. Given a message , a ring signature , and the public keys of the signers, it outputs “accept” if is a valid ring signature and “reject” otherwise.

##### 3.2. Security Model of Certificateless Ring Signature Scheme

In our certificateless ring signature scheme, we consider the following two attackers.

*Type I Adversary*. Adversary does not have access to the master key, but can replace the public keys of any entity with a value of his choice, because there is no certificate involved in CLRS.

*Type II Adversary*. This type of adversary is a malicious KGC. Adversary is allowed to have access to the master key but does not replace any user’s public key. A type II adversary should also be allowed to change a user’s partial private key.

*Game 1 for Type I Adversary*. Type I adversary advantage is defined as its probability of success in the following game between a challenger and a type I adversary .(i)*Setup*. Given a security parameter, challenger runs the setup algorithm to obtain a list of system parameters. And challenger sends system parameters to type I adversary .(ii)*Hash Queries*. submits any value he chooses, and challenger returns the corresponding hash value to him.(iii)*User Public Key Queries*. requests any public key of a user whom he chooses, and challenger returns the corresponding public key to him.(iv)*Partial Private Key Queries*. requests any partial private key of a user whom he chooses, and challenger returns the corresponding partial private key to him.(v)*User Public Key Replacements*. submits a new public key value with respect to a user . Challenger replaces the current public key with the value .(vi)*Secret Value Queries*. requests any secret value of a user whose public key was not replaced, and challenger returns the corresponding secret value to . If a user’s public key was replaced, cannot query the corresponding secret value.(vii)*Ring Signature Queries*. submits any message he chooses, and challenger returns a ring signature to him.(viii)*Forge*. Eventually, outputs a certificateless ring signature on a message such that(1) is a valid certificateless ring signature;(2) can not query the partial private key of anyone in ;(3) has never been submitted to the ring signature queries.

*Definition 5. *A forger breaks a certificateless ring signature scheme (CLRS) meaning that if runs in time at most , makes at most Hash queries, at most Hash queries, at most partial private key queries, at most user public key queries, and ring signature queries; then is at least . A certificateless ring signature scheme is -existentially unforgeable under an adaptively chosen-message attack if no forger breaks it.

*Game 2 for Type II Adversary*. Type II adversary advantage is defined as its probability of success in the following game between a challenger and a type II adversary .(i)*Setup*. Given a security parameter, challenger runs the setup algorithm to obtain a list of system parameters. And challenger sends system parameters and the master key to type II adversary .(ii)*Hash Queries*. submits any value he chooses, and challenger returns the corresponding hash value to him.(iii)*User Public Key Queries*. requests any public key of a user whom he chooses, and challenger returns the corresponding public key to him.(iv)*Partial Private Key Queries*. Because has the system master key , so can compute the partial private key of any user by himself.(v)*User Public Key Replacements*. submits a new public key value with respect to a user . Challenger replaces the current public key with the value .(vi)*Secret Value Queries*. requests any secret value of a user whose public key was not replaced, and challenger returns the corresponding secret value to . If a user’s public key was replaced, cannot query the corresponding secret value.(vii)*Ring Signature Queries*. submits any message he chooses, and challenger returns a ring signature to .(viii)*Forge*. Eventually, outputs a certificateless ring signature on a message such that(1) is a valid certificateless ring signature;(2) can not query the secret value of anyone in ;(3) can not replace the user public key of anyone in ;(4) has never been submitted to the ring signature queries.

*Definition 6. *A forger breaks a certificateless ring signature scheme (CLRS) means that if runs in time at most , makes at most Hash queries, at most Hash queries, at most secret value queries, at most user public key replacement queries, at most user public key queries, and ring signature queries; then is at least . A certificateless ring signature scheme is -existentially unforgeable under an adaptively chosen-message attack if no forger breaks it.

*Game 3 Anonymity of a Certificateless Ring Signature Scheme*. Let be signers and be the signers’ identities. be an adversary and be a challenger whom are all involved in the game 3.(i)The challenger runs the setup algorithm to obtain a list of system parameters. And challenger sends system parameters to adversary .(ii)The adversary adaptively make a polynomially bounded number of queries.(iii)In the challenge phase, the adversary outputs a message , a group of users’ identities , and two different members to the challenger . The challenger randomly chooses a bit and sends to a ring signature .(iv)The adversary can make a polynomially bounded number of queries.(v)Finally, adversary outputs a bit .The adversary wins the above game if and only if .

*Definition 7. *Define the probability of success in the game of adversary as . A certificateless ring signature scheme is said to have unconditional anonymity if no adversary has no nonnegligible advantage in winning the above game. That is to say, A certificateless ring signature scheme is said to have unconditional anonymity if .

#### 4. Our Scheme

In this section, we propose a certificateless ring signature scheme. Participants in the program include signers and a verifier . Our scheme is described as follows:(i) *Setup*. Given a security parameter , KGC outputs a large prime . Let be a cyclic additive group of prime order . Let be a cyclic multiplicative group of the same order. Let be two generators of . KGC chooses the master private key randomly and computes the master public key . Let be a bilinear map. Let , , and be three secure cryptographic hash functions. KGC publishes system parameters and secretly keeps the master key .(ii) *Partial Private Key Extract*. Given a user’s identity , KGC computes and . Then KGC sends the user’s partial private key to him. The user can check its correctness by checking whether .(iii) *Set Secret Value*. User selects randomly as her secret value. Then User computes the corresponding value .(iv) *Set Private Key*. User takes the pair as its private key.(v) *Set Public Key*. User takes the pair as its public key.(vi) *CLRS Generation*. Given a message , is a set of users’ identities. An actual signer can propose a certificateless ring signature . The signer operates as follows:(1) Choose randomly and compute(2) Select and compute then compute:(3) Compute .(4) Output .(vii) *CLRS Verification*. Given public keys of the signer, a verifier can verify a certificateless ring signature by checking if the following equation holds: If it holds, the verifier “accepts” the signature and “rejects” otherwise.

#### 5. Security Analysis

In this section, we mainly focus on the unforgeability of the proposed certificateless ring signature scheme. Now, we give the following three theorems.

##### 5.1. Unforgeability against Type I Adversary

Theorem 8. *The scheme is unforgeable against a type I adversary in the random oracle model if the CDH problem is hard.*

*Proof. *Suppose challenger receives a random instance of the CDH problem and has to compute the value of . Challenger sets the system public key . will run as a subroutine and act as ’s challenger in game 1. Without loss of generality, we assume that all the queries are distinct. Now, we will show how challenger answers a type I adversary ’s queries in the following.

*Initialization*. At the beginning of the game, challenger runs the setup algorithm with the parameter and then gives adversary the system parameters: .(i)* Queries*. Challenger maintains the list of tuple . The list is initially empty. When adversary makes a query , challenger responds as follows. Challenger chooses a random integer in firstly. At the th query, if , challenger randomly selects a value , and sets ; otherwise, challenger sets .(ii)* Queries.* Challenger maintains the list of tuple . The list is initially empty. When makes a query , challenger selects a value randomly, and sets . Then challenger adds to the list and returns to .(iii)* Queries.* Challenger maintains the list of tuple . The list is initially empty. When makes a query , challenger selects a value randomly and sets . Then challenger adds to the list and returns to .(iv)*User Public Key Queries*. Challenger maintains the list of tuple . The list is initially empty. When adversary makes a user public key query for , challenger selects a value , and sets . Then challenger adds to the list and returns to .(v)*Partial Private Key Queries*. Challenger maintains the list of tuple . The list is initially empty. When adversary makes a user partial private key query for , if , fails and stops. Otherwise challenger computes . Then challenger adds to the list and returns to .(vi)*User Public Key Replacements*. Challenger maintains the list of tuple . The list is initially empty. When makes a user public key replacement request for with other public value , replaces with and adds to the list.(vii)*Secret Value Queries*. Challenger maintains the list of tuple . The list is initially empty. When adversary makes a user secret value query for , checks the lists firstly. If the tuple is found in the list , returns to . Otherwise challenger randomly chooses , returns to , and adds to the list.(viii)*Ring Signature Queries*. submits a message and a set of users’ identities . outputs a ring signature as follows. If there exists a user such that and , then challenger returns the ring signature by calling the signing algorithm, where is the actual signer. Otherwise, challenger does as follows:(1)Selects randomly for all and .(2)For all , selects randomly.(3)Chooses two values randomly and computes (4)Computes .(5)Outputs .

*Forge*. Adversary outputs a ring signature on a message that fulfills the following conditions:(1) is a valid ring signature.(2) cannot query the partial private key of anyone in .(3)The forged signature is not from signature query.

*Output*. It follows from the forking lemma that if , adversary can give a valid forged signature within time in the above interaction; then we can construct another algorithm that outputs two signed messages within time with probability at least . For the resemble construction, can get two valid ring signature and satisfying

So we haveChallenger outputs

*Probability*. Let , , , , , and be times of queries, queries, queries, partial private key queries, user public key queries, and ring signature queries, respectively. The probability that ’s partial private key was not queried by during the queries is . The probability that belongs to the groups is . The probability that is the actual signer is . So the combined probability is .

Therefore, according to the forking lemma, if the attacker can succeed in making a valid ring signature with a probability , the advantage of challenger solving an instance of CDH problem in game 1 is at least .

##### 5.2. Unforgeability against Type II Adversary

Theorem 9. *The scheme is unforgeable against a type II adversary in the random oracle model if the co-CDH problem is hard.*

*Proof. *Suppose challenger receives a random instance of the co-CDH and has to compute the value of . Challenger sets . Challenger will run adversary as a subroutine and act as ’s challenger in the game 2. Without loss of generality, we assume that all the queries are distinct. Now, we will show how challenger answers type II adversary ’s queries in the following.*Initialization*. At the beginning of the game, challenger runs the setup algorithm with the parameter and gives adversary the system parameters: and the system master secret key .(i) * Queries*. Challenger maintains the list of tuple . The list is initially empty. When adversary makes a query , challenger selects a value randomly and computes . Then challenger adds to the list and returns to .(ii) * Queries*. Same as that in the proof of Theorem 8.(iii) * Queries*. Same as that in the proof of Theorem 8.(iv)*User Public Key Queries*. Challenger maintains the list of tuple . The list is initially empty. When adversary makes a user public key query for , challenger responds as follows. Challenger chooses a random integer in firstly. At the th query, if , challenger selects a value randomly and sets . Otherwise, challenger sets and .(v)*Partial Private Key Queries*. Adversary can compute the partial private keys of any identities by himself with the master secret key.(vi)*User Public Key Replacements*. Same as that in the proof of Theorem 8.(vii)*Secret Value Queries*. Challenger maintains the list of tuple . The list is initially empty. When adversary makes a user partial private key query for , if , fails and stops. Otherwise challenger finds the tuple in the list . Then challenger adds to the list and returns to .(viii)*Ring Signature Queries*. Same as that in the proof of Theorem 8.*Forge*. Eventually, outputs a ring signature fulfilling the following conditions:(1) is a valid ring signature.(2) cannot query the secret value of anyone in .(3) cannot replace any users’ public key in .(4)The forged signature is not from signature query.*Output*. It follows from the forking lemma that if , adversary can give a valid forged signature within time in the above interaction; then we can construct another algorithm that outputs two signed messages within time with probability at least . For the resemble construction, can get two valid ring signature and satisfyingSo we haveChallenger outputs*Probability*. Let , , , , , , and be the times of queries, queries, queries, secret value queries, user public key replacement requests, user public key queries, and ring signature queries, respectively.

For simplification, we may assume that . The probability that ’s secret value was not queried and ’s public key was not replaced by during the queries is . The probability that belongs to the groups is . The probability that is the actual signer is . So the combined probability is: .

Therefore, according to the forking lemma, if the attacker can succeed in making a valid ring signature with a probability , the advantage of challenger solving an instance of co-CDH problem in the game 2 is at least .

##### 5.3. Unconditional Anonymity

Theorem 10. *Our certificateless ring signature scheme has the property of unconditional anonymity. For any algorithm , any set of signers and a random , the probability , where is a ring signature on generated by .*

*Proof. *(i) The challenger runs the setup algorithm to obtain a list of system parameters. And challenger sends system parameters to adversary .

(ii) The adversary adaptively makes a polynomially bounded number of queries.

(iii) The adversary outputs a message , two different members to the challenger . The challenger randomly chooses a bit and sends to a ring signature .

(iv) The adversary can make a polynomially bounded number of queries.

(v) Finally, adversary outputs a bit .

In our scheme, since are chosen randomly from , are also random elements from . Moreover, are chosen randomly from , so is also a random element from . For anyone of a set of signers , message , the distribution of is independently and uniformly distributed no matter who the actual signer is. The fact illustrates that anyone has no advantage to know who signs the certificateless ring signature. Hence, ; the anonymity holds.

#### 6. Comparison

##### 6.1. Comparison of the Efficiency

We will compare the performance of our scheme with several certificateless ring signature schemes; see Table 2. The running times are listed in Table 1. We define some notations as follows:(i): a pairing operation.(ii): a pairing-based scalar multiplication operation.(iii): an ECC-based scalar multiplication operation.(iv): a modular exponent operation in .