Abstract

The certificateless aggregate signature (CLAS) scheme is a very important data aggregation technique that compresses a large number of signatures from different users into a short signature. CLAS can reduce the total length of a signature and the computational overhead of signature verification and is therefore highly suitable for resource-constrained network environments. Many CLAS schemes have been proposed in recent years, but the construction of a secure and efficient CLAS scheme remains important. In 2018, Li et al. found that the CLAS scheme proposed by He et al. could not resist malicious-but-passive KGC attacks, and they presented an improved CLAS scheme. Du et al. proposed a CLAS scheme with a constant aggregate signature length and claimed that their scheme was resistant to forgery attacks. Chen et al. designed a CLAS scheme with efficient verification and proved that their CLAS scheme was secure in the random oracle model. In this paper, we demonstrate that Li et al.’s CLAS scheme, Du et al.’s CLAS scheme, and Chen et al.’s CLAS scheme are insecure against coalition attacks and present concrete examples. That is, an attacker can forge a valid aggregate signature using some illegal single signatures. To withstand such attacks, we propose an improved CLAS scheme based on Chen et al.’s CLAS scheme.

1. Introduction

The traditional signature scheme provides security services such as integrity of the message, nonrepudiation of the signer, and user authentication. However, the scheme relies on the public key infrastructure (PKI) and needs to store and verify many certificates [1]. To solve this problem, Shamir [2] proposed the concept of identity-based signature (IBS), where the user’s public key is replaced with an email address or other unique identity information of the user, and a fully trusted key generation center (KGC) produces the user’s private key. Nevertheless, IBS suffers from the key escrow problem since the KGC knows the private keys of all users and can do anything on behalf of the user without being detected. To eliminate the use of certificates and to avoid the key escrow problem, certificateless signature (CLS) was introduced by Al-Riyami and Paterson [3]. In CLS, the user’s public key is self-generated, and the user’s private key consists of two parts: a secret value selected by the user and a partial private key generated by a semitrusted KGC. Consequently, CLS can avoid the security flaws of IBS without requiring certificates. Although some efficient CLS schemes have been presented [4–8], more secure CLS schemes are desired for practical applications.

An aggregate signature scheme [9] can aggregate multiple signatures of different messages into a short signature, and the verifier is able to determine the validity of each signature participating in the aggregation by verifying the validity of the aggregate signature. Aggregate signatures reduce storage and bandwidth overhead and are thus highly useful in wireless communication environments. Because of the advantages of CLS and aggregate signatures, some researchers have focused on certificateless aggregate signature (CLAS) schemes [10–12].

In 2013, Xiong et al. [13] presented an efficient CLS scheme and used it to design a CLAS scheme with constant pairing computations. However, He et al. [14] found that Xiong et al.’s CLS and CLAS schemes [13] were not secure against malicious KGC attacks, and they proposed an improved CLAS scheme. Very recently, Li et al. [15] showed that He et al.’s CLAS scheme [14] still could not resist malicious-but-passive KGC attacks. Later, Li et al. [15] designed an improved CLAS scheme and claimed that their CLAS scheme was resistant to forgery attacks. Ming et al. [16] gave a CLAS scheme in which the aggregate signature length is constant. However, Du et al. [17] pointed out that Ming et al.’s CLAS scheme [16] could not resist malicious KGC attacks and proposed a new CLAS scheme. Chen et al. [18] presented a CLAS scheme with efficient verification, but their CLAS scheme was shown to be insecure against Type I and Type II adversaries [19–21].

However, most CLAS schemes do not consider coalition attacks [22], which are a type of practical and powerful attack in which an attacker attempts to generate a valid aggregate signature by using illegal individual signatures. Once such an attack is successful, the validity of an aggregate signature cannot guarantee that each individual signature participating in the aggregation is valid. This requires that a secure CLAS scheme should be able to resist coalition attacks. Unfortunately, we note that Li et al.’s CLAS scheme [15], Du et al.’s CLAS scheme [17], and Chen et al.’s CLAS scheme [18] are insecure against coalition attacks since the attacker can forge a valid aggregate signature through illegal single signatures generated by conspiracy from two or more internal signers.

1.1. Contributions

In this paper, we provide a cryptanalysis of three CLAS schemes. We first present an attack against Li et al.’s CLAS scheme [15] to show that their CLAS scheme is insecure under practical coalition attacks. Then, we point out that Du et al.’s CLAS scheme [17] cannot resist coalition attacks by giving a concrete attack. Furthermore, we demonstrate the security weakness of Chen et al.’s CLAS scheme [18] by presenting a forgery attack from a coalition of insider signers. Based on Chen et al.’s CLAS scheme, we construct a new CLAS scheme that is secure against coalition attacks.

1.2. Paper Organization

The remainder of this paper is organized as follows. Section 2 reviews some preliminaries. Section 3 analyses the security of Li et al.’s CLAS scheme. Section 4 gives cryptanalysis of Du et al.’s CLAS scheme. Section 5 analyses the security of Chen et al.’s CLAS scheme. Section 6 presents an improved CLAS scheme. Finally, Section 7 concludes the paper.

2. Preliminaries

In this section, we briefly review bilinear pairing and the definitions of CLS and CLAS.

2.1. Bilinear Pairing

Suppose that and are two multiplicative cyclic groups of prime order and that is a generator of . An efficiently computable map is said to be a bilinear pairing if it satisfies the following conditions [18]:
(i) Bilinearity: for any .
(ii) Nondegeneracy: .

2.2. Definition of Certificateless Signature

A CLS scheme is defined by the following five algorithms:
(i) Setup: Upon input of a security parameter , this algorithm outputs the public parameters and the KGC’s master secret key .
(ii) PartialKeyGen: Upon input of , , and a user identity , this algorithm outputs a partial private key corresponding to .
(iii) UserKeyGen: Upon input of and , this algorithm outputs ’s secret value , public key , and private key .
(iv) Sign: Upon input of , an identity ’s private key , and a message , this algorithm outputs a signature on .
(v) Verify: Given an identity , a public key , a message , and a signature , a verifier accepts if is a valid signature on with respect to and ; otherwise, the verifier rejects .

In general, two types of attackers exist in a CLS scheme, i.e., Type I and Type II adversaries [3]. A Type I adversary models an outside attacker who is able to determine the user’s secret value or replace the user’s public key at will but who does not have access to the KGC’s master secret key and the user’s partial private key. A Type II adversary models a malicious KGC who knows the KGC’s master secret key and generates the user’s partial private key but who is unable to access the user’s secret value or replace the user’s public key. In the original security model for a CLS scheme [3], a Type II adversary represents an honest-but-curious KGC who always honestly generates the system parameters and the user’s partial private key according to the specifications of the CLS scheme. In the stronger security model proposed by Au et al. [23], a Type II adversary represents a malicious-but-passive KGC who is dishonest from the beginning of the system setup. The malicious-but-passive KGC adversary sets some trapdoors in the system parameters and the master secret key and then uses these trapdoors to launch malicious attacks to compromise the security of the CLS scheme. Indeed, some existing CLS schemes [6–8] have been shown to be insecure against malicious-but-passive KGC attacks.

2.3. Definition of Certificateless Aggregate Signature

A CLAS scheme is defined by the following seven algorithms:
(i) The Setup, PartialKeyGen, UserKeyGen, Sign, and Verify algorithms are the same as those in CLS described in Section 2.
(ii) Aggregate: Upon input of message-signature pairs from users, this algorithm outputs an aggregate signature on messages .
(iii) AggregateVerify: Given identities , public keys , and an aggregate signature on messages , a verifier accepts if is valid; otherwise, the verifier rejects .

The security model for the CLAS scheme is almost the same as the security model for the CLS scheme, except that an adversary is unable to forge a valid aggregate signature if at least one of the signatures involved in the aggregation is invalid. To save space, we omit the detailed description. Please refer to [1, 3, 23] for the security model of the CLS scheme or the CLAS scheme.

3. Cryptanalysis of Li et al.’s CLAS Scheme

3.1. Review of Li et al.’s Scheme

In 2018, Li et al. [15] presented a CLAS scheme that consists of the following seven algorithms:
(i) Setup: Given a security parameter , the KGC generates the public parameters and the master secret key by performing the following steps:
(a) Choose two cyclic groups and of prime order , a generator of and a bilinear pairing .
(b) Select a random integer and compute .
(c) Pick four cryptographic hash functions and .
(d) Keep the master secret key secret and publish public parameters .
(ii) PartialKeyGen: Given a user’s identity , the KGC computes and . Then, the KGC sends ’s partial private key to the user.
(iii) UserKeyGen: The user with identity generates a public/private key pair according to the following steps:
(a) Select a random integer and compute the public key .
(b) Set the secret value and the private key .
(iv) Sign: To sign a message , a signer with identity performs the following:
(a) Select a random integer and compute .
(b) Compute , , and .
(c) Output a signature on .
(v) Verify: Given an identity , a public key , a message , and a signature , a verifier first computes , , and . Then, the verifier checks the following equation:
If the above equation holds, then the verifier accepts ; otherwise, the verifier rejects .
(vi) Aggregate: Given message-signature pairs from users, the aggregator calculates an aggregate signature on , where .
(vii) AggregateVerify: Given identities , public keys , and an aggregate signature on messages , a verifier first computes , , and for . Then, the verifier checks the following equation:
If this equation holds, then the verifier accepts ; otherwise, the verifier rejects .

3.2. Attack on Li et al.’s Scheme

Li et al. [15] proved that their CLAS scheme is existentially unforgeable in the random oracle model. In this subsection, we show that Li et al.’s CLAS scheme [15] is insecure against coalition attacks from internal signers. That is, two or more internal signers who generate multiple illegal single signatures can collude to generate a valid aggregate signature. Without loss of generality, suppose that and are two internal signers. Let and be the identity and public key of , respectively. and are the identity and public key of , respectively. generates an invalid signature of message , and generates an invalid signature of message . Then, colludes with to generate a valid aggregate signature for . The detailed attack process is described as follows.
(1) randomly selects and calculates , , , and . Then, sends to .
(2) randomly selects and calculates , , , and . Then, sends to .
(3) calculates and outputs an individual signature on , where is the secret value of .
(4) uses its secret value to calculate and outputs an individual signature on .
(5) cooperates with to forge an aggregate signature on , where .

can easily be verified to be an invalid single signature for under and since does not satisfy the individual signature verification equation, . However, the forged aggregate signature on under and is valid since

The above analysis shows that the forged aggregate signature satisfies the aggregate signature verification equation. Therefore, can collude with to produce a valid aggregate signature with some illegal single signatures. Therefore, Li et al.’s CLAS scheme [15] is vulnerable to coalition attacks.
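The coalition attacks in Sections 3 to 5 all rest on the same structural fact: aggregate verification combines the signers’ contributions multiplicatively (additively in the exponent), so two insiders who coordinate during signing can plant errors that cancel in the aggregate. The following added Python model, constructed for this page and not the paper’s pairing-based schemes or their notation, reproduces that pattern in a Schnorr-style aggregate over a demo-sized prime-order subgroup; the parameters and names such as `coalition_sign` are assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters (demo-sized, NOT secure): p = 2q + 1 with q prime,
# and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4


def H(*parts):
    """Hash identity, public key, message and commitment into Z_q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret value
    return x, pow(G, x, P)                    # (x, y = g^x)


def sign(ident, x, y, msg):
    """Honest Schnorr-style signature (R, s) with s = r + x*h mod q."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    h = H(ident, y, msg, R)
    return R, (r + x * h) % Q


def verify(ident, y, msg, sig):
    """Individual check: g^s == R * y^h."""
    R, s = sig
    h = H(ident, y, msg, R)
    return pow(G, s, P) == R * pow(y, h, P) % P


def aggregate(sigs):
    """Aggregator keeps every R_i and compresses the scalars into one sum."""
    return [R for R, _ in sigs], sum(s for _, s in sigs) % Q


def aggregate_verify(idents, ys, msgs, agg):
    """Aggregate check: g^(sum s_i) == prod R_i * y_i^h_i. Linear in each s_i."""
    Rs, S = agg
    rhs = 1
    for ident, y, msg, R in zip(idents, ys, msgs, Rs):
        rhs = rhs * R * pow(y, H(ident, y, msg, R), P) % P
    return pow(G, S, P) == rhs


def coalition_sign(ident_a, xa, ya, msg_a, ident_b, xb, yb, msg_b):
    """Two colluding insiders: each forms its honest (R_i, s_i), then they agree
    on an offset d that A adds and B subtracts. Neither single signature
    verifies (g^d != 1 for 0 < d < q), but the offsets cancel in the sum."""
    sig_a, sig_b = sign(ident_a, xa, ya, msg_a), sign(ident_b, xb, yb, msg_b)
    d = secrets.randbelow(Q - 1) + 1
    return (sig_a[0], (sig_a[1] + d) % Q), (sig_b[0], (sig_b[1] - d) % Q)


def _check(ya, yb, sig_a, sig_b):
    """Return (every individual signature valid?, aggregate valid?)."""
    each_ok = verify("alice", ya, "m1", sig_a) and verify("bob", yb, "m2", sig_b)
    agg = aggregate([sig_a, sig_b])
    return each_ok, aggregate_verify(["alice", "bob"], [ya, yb], ["m1", "m2"], agg)


def honest_demo():
    xa, ya = keygen()
    xb, yb = keygen()
    return _check(ya, yb, sign("alice", xa, ya, "m1"), sign("bob", xb, yb, "m2"))


def coalition_demo():
    xa, ya = keygen()
    xb, yb = keygen()
    sig_a, sig_b = coalition_sign("alice", xa, ya, "m1", "bob", xb, yb, "m2")
    return _check(ya, yb, sig_a, sig_b)
```

`honest_demo()` returns `(True, True)` while `coalition_demo()` returns `(False, True)`: a verifier that accepts the aggregate learns nothing about the individual signatures, which is exactly the guarantee the paper’s Theorem 1 restores by binding each contribution.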

4. Cryptanalysis of Du et al.’s CLAS Scheme

4.1. Review of Du et al.’s Scheme

In 2017, Du et al. [17] designed a CLAS scheme which is composed of the following seven algorithms:
(i) Setup: Given a security parameter , the KGC selects two cyclic groups and of prime order , a generator of and a bilinear pairing . Then, the KGC randomly selects and computes . Next, the KGC picks four hash functions and . Finally, the KGC keeps the master secret key secret and publishes the public parameters .
(ii) PartialKeyGen: Given a user’s identity , the KGC calculates and . Then, the KGC sends ’s partial private key to the user.
(iii) UserKeyGen: The user with identity randomly selects and calculates the public key . Then, the user sets the secret value and the private key .
(iv) Sign: Given a message , a signer with identity executes the following steps:
(a) Randomly select and compute .
(b) Compute , and .
(c) Compute .
(d) Output a signature on .
(v) Verify: Given a signature = on a message under an identity and public key , a verifier first calculates , , and . Then, the verifier checks whether the following equation holds:
If it holds, then the verifier accepts ; otherwise, the verifier rejects .
(vi) Aggregate: Given message-signature pairs from users, the aggregator calculates an aggregate signature on , where and .
(vii) AggregateVerify: Given an aggregate signature on under identities and public keys , a verifier first calculates , , and for . Then, the verifier checks whether the following equation holds:
If it holds, then the verifier accepts ; otherwise, the verifier rejects .

4.2. Attack on Du et al.’s Scheme

Du et al. [17] claimed that their CLAS scheme is existentially unforgeable against Type I and Type II adversaries in the random oracle model. However, we show that Du et al.’s CLAS scheme [17] is vulnerable to coalition attacks. Similarly, assuming that and are two internal signers, they perform the following steps to generate two illegal single signatures whose corresponding aggregate signature is nevertheless legal.
(1) The signer with identity and public key first selects a random value and calculates . Then, randomly picks a message and calculates , and . Finally, sends to .
(2) The signer with identity and public key first selects a random value and calculates . Then, randomly picks a message and calculates , and . Finally, sends to .
(3) calculates using the secret value and partial private key and outputs an individual signature on .
(4) calculates using the secret value and partial private key and outputs an individual signature on .
(5) cooperates with to forge an aggregate signature on , where and .

Obviously, is not a legal signature on message under identity and public key , . However, the forged aggregate signature on under and is valid since satisfies the following aggregate signature verification equation:

From the above analysis, we can see that produces an illegal signature on message , and produces an illegal signature on message , but the resulting aggregate signature on is valid. Hence, Du et al.’s CLAS scheme [17] is unable to withstand coalition attacks.

5. Cryptanalysis of Chen et al.’s CLAS Scheme

5.1. Review of Chen et al.’s Scheme

Chen et al.’s CLAS scheme [18] is described as follows:
(i) Setup: Given a security parameter , the KGC performs the following steps to generate the public parameters and the master secret key :
(a) Choose two cyclic groups and of prime order , a generator of and a bilinear pairing .
(b) Select a random integer and compute .
(c) Pick six cryptographic hash functions , and : .
(d) Keep the master secret key secret and publish public parameters .
(ii) PartialKeyGen: Given a user’s identity , the KGC computes and . Then, the KGC computes and sends ’s partial private key to the user through a secure channel.
(iii) UserKeyGen: The user with identity generates a public/private key pair according to the following steps:
(a) Select two random integers and compute the public key .
(b) Set the secret value and the corresponding private key .
(iv) Sign: Given a message and state information , a signer with identity performs the following:
(a) Select a random integer and compute .
(b) Compute , , , , and
(c) Output a signature on .
(v) Verify: Given an identity , a public key , state information , a message , and a signature = , a verifier first computes , , , , and , . Then, the verifier checks the following equation:
If this equation holds, then the verifier accepts ; otherwise, the verifier rejects .
(vi) Aggregate: Given message-signature pairs from users, the aggregator outputs an aggregate signature on messages , where and .
(vii) AggregateVerify: Given identities , public keys , state information , and an aggregate signature on messages , a verifier first computes , , , , , , and , for . Then, the verifier checks the following equation:
If the equation holds, then the verifier accepts ; otherwise, the verifier rejects .

5.2. Attack on Chen et al.’s CLAS Scheme

Chen et al. [18] demonstrated that their CLAS scheme was provably secure in the random oracle model. In this section, we present an attack on Chen et al.’s CLAS scheme [18] to demonstrate that their scheme cannot withstand an attack from a coalition of insider signers. Without loss of generality, we assume that are two signers with identities and corresponding public keys , respectively. A message is signed by with the private key , and another message is signed by with the private key . In the following attack, cooperates with to generate invalid signatures on , while the corresponding aggregate signature on satisfies the aggregate signature verification equation. Let be the state information, and .
(1) chooses a random integer and computes , , and , . Then, sends to .
(2) chooses a random integer and computes , , and , . Then, sends to .
(3) computes and sets as a signature on .
(4) computes and sets as a signature on .
(5) cooperates with to generate a forged aggregate signature on , where and .

Clearly, is an invalid single signature on since it does not satisfy the following verification equation:
Similarly, the single signature on is also invalid. However, is a valid aggregate signature on . The correctness of can be verified as follows:
Hence, in Chen et al.’s CLAS scheme [18], dishonest insider signers can cooperate to forge valid aggregate signatures of arbitrary messages by combining invalid individual signatures. This result also shows that the validity of an aggregate signature does not guarantee the validity of every signature involved in the aggregation. Therefore, our attack is successful; that is, Chen et al.’s CLAS scheme [18] is insecure against coalition attacks.

6. Improved Certificateless Aggregate Signature Scheme

In Chen et al.’s CLAS scheme [18], Du et al.’s CLAS scheme [17], and Li et al.’s CLAS scheme [15], the main reason that the abovementioned coalition attacks can occur is that insider signers can exchange some information involved in the individual signature generation, such as and . To overcome these security weaknesses, we propose an improved CLAS scheme based on Chen et al.’s CLAS scheme [18]. Our CLAS scheme is described as follows:
(i) The Setup, PartialKeyGen, and UserKeyGen algorithms are the same as those of Chen et al.’s CLAS scheme described in Section 4. The only difference is that the Setup algorithm adds a collision-resistant hash function , where is the length of the output message of .
(ii) Sign: Given a message and state information , a signer with identity executes the following steps:
(a) Randomly select and compute .
(b) Compute , , , , and
(c) Output as a signature on .
(iii) Verify: This algorithm is the same as the Verify algorithm in Chen et al.’s CLAS scheme, except that the signature verification equation is modified as follows:
where and , .
(iv) Aggregate: Given message-signature pairs from signers, the aggregator first computes
and then outputs an aggregate signature on messages .
(v) AggregateVerify: Given identities , public keys , state information , and an aggregate signature on messages , a verifier first computes , , , , and , for . Then, the verifier checks whether the following equation holds:
If it holds, then the verifier accepts ; otherwise, the verifier rejects .

If is a collision-resistant hash function, then it is difficult to find and such that [24]. In our improved CLAS scheme, if the KGC selects and computes and , then the KGC is unable to find a unique to satisfy and due to the collision resistance of and . However, if the KGC computes and , then the difficulty of the KGC calculating from and is equivalent to solving the discrete logarithm problem. Therefore, the improved CLAS scheme can resist malicious-but-passive KGC attacks unless the adversary can break the collision resistance of and .

The part in every individual signature is embedded in the hash values and , , which makes it impossible for an attacker to modify at will. Hence, our improved CLAS scheme is resistant to the universal forgery attacks in [19–21].

The unforgeability of the proposed CLAS scheme is almost the same as that of Chen et al.’s CLAS scheme. Since Chen et al. [18] demonstrated that their CLAS scheme is existentially unforgeable in the random oracle model, our improved CLAS scheme can be similarly proven to be existentially unforgeable in the random oracle model. The security proofs of the two schemes are basically the same, so we omit the detailed description. Here, we prove only that the proposed CLAS scheme can resist the coalition attack described in Section 4.

Theorem 1. If the hash function is collision-resistant, then the proposed CLAS scheme can withstand attacks from the coalition of insider signers.

Proof. If each signature = involved in the aggregation is valid, we have that
Thus, we can obtain
Therefore, the corresponding aggregate signature is also valid.
Meanwhile, if an aggregate signature is valid, we have
Since the hash function is collision-resistant, is not equal to for any two values and . From the above aggregate signature verification equation, we derive the following equations:
This derivation implies that an aggregate signature is valid if and only if each signature = involved in the aggregation is valid. Therefore, the proposed CLAS scheme can withstand forgery attacks from a coalition of insider signers.

7. Conclusion

In this paper, we present a cryptanalysis of three CLAS schemes. The analysis shows that Li et al.’s CLAS scheme [15], Du et al.’s CLAS scheme [17], and Chen et al.’s CLAS scheme [18] are insecure against attacks from a coalition of insider signers. To overcome these attacks, we propose an improved CLAS scheme. Compared with Chen et al.’s CLAS scheme [18], our improved scheme incurs a larger computational overhead in generating and verifying aggregate signatures. How to construct a secure CLAS scheme without bilinear pairing is a challenging issue, which we leave as an open problem.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was partially supported by the National Natural Science Foundation of China (61662069), the China Postdoctoral Science Foundation (2017M610817), the Natural Science Foundation of Gansu Province of China (1506RJZA130), the Science and Technology Project of Lanzhou City of China (2013-4-22), and the Foundation for Excellent Young Teachers by Northwest Normal University (NWNU-LKQN-14-7).