#### Abstract

A new attack against a novel certificateless aggregate signature scheme with constant pairing computations is presented. To enhance security, a new certificateless signature scheme is proposed first. Then a new certificateless aggregate signature scheme with constant pairing computations based on the new certificateless signature scheme is presented. Security analysis shows that the proposed certificateless aggregate signature scheme is provably secured in the random oracle.

#### 1. Introduction

The concept of aggregate signature (AS) scheme was first introduced by Boneh et al. [1] in 2003. Such a scheme greatly reduces the computational and communication overhead since it could aggregate signatures on distinct messages from distinct users into a single signature and check the correctness through a verification operation. The AS scheme is very useful in real-world applications. For example, in the scenario of the secure Border Gateway Protocol (BGP) [2], each router successively signs its own segment of a path in the network and then forwards the collection of signatures associated with the path to the next router. The AS scheme can be used to compress these signatures into a single one and hence reduce the overheads of both bandwidth and computation required in the original secure BGP. Similarly, in the scenario of the Vehicular Ad Hoc Networks (VANETs) [3], each vehicle or roadside unit (RSU) has to verify around 500–2000 messages per second. The AS scheme can be used to compress these messages into a single one and check the correctness through a verification operation. To satisfy different applications, many AS schemes based on the traditional public key cryptography (TPKC) and identity-based public key cryptography (ID-based PKC) have been proposed.

It is well known that a certificate, generated by a trusted third party, is needed to bind a user’s identity and its public key in the TPKC. However, the management of these certificates becomes more and more difficult with the growth of users’ number. To solve the problem, Shamir [4] introduced the concept of the ID-based PKC. In such cryptography, the user’s identity, such as name, email address, and telephone number, is his public key and his private key is generated by the key generation centre (KGC) using his identity. However, the key escrow problem exists in the ID-based PKC since the KGC know the user’s private key. In 2003, Al-Riyami and Paterson [5] developed the concept of the CLPKC to solve the key escrow problem in the ID-PKC. In CLPKC, the KGC only generates a partial private key for a user and the full private key of the user is a combination of his partial private key and some secret value chosen by the user himself. Recently, CLPKC attracted much attention and many certificateless encryption (CLE) schemes [6–8], certificateless key agreement (CLKA) schemes [9–11], certificateless signcryption (CLSC) schemes [12, 13], and certificateless signature (CLS) schemes [14–16] were proposed.

To satisfy the applications in certificateless environment, the certificateless aggregate signature (CLAS) scheme has attracted much attention. Several CLAS schemes [17–23] have been proposed by different researchers. However, most of these schemes [17–20, 23] have computational complexity for pairing computations that grows linearly with the number of signers, which deviates from the main goals of aggregate signatures. Besides, both of the schemes [20, 22] of Zhang et al. require certain synchronization; that is, all signers must share the same synchronized clocks to generate aggregate signature. It is easy to say that it is difficult to achieve synchronization in many communication scenarios. Shim [24] pointed out that L. Zhang and F. Zhang’s scheme [20] is vulnerable to the coalition attack. Xiong et al. [25] found that Hu et al.’s scheme [21] cannot provide unforgeability. Very recently, Xiong et al. [25] proposed a certificateless signature (CLS) scheme and constructed a new CLAS scheme using that CLS scheme. Compared to previous CLAS schemes, Xiong et al.’s CLAS scheme is very efficient in computation, and the verification procedure needs only a very small constant number of pairing operations, independent of the number of aggregated signatures. Besides, their scheme does not require synchronization for aggregating randomness. Unfortunately, He et al. [26] pointed out that Xiong et al.’s CLAS scheme is insecure against a Type II adversary by giving concrete attack. However, He et al. did not give countermeasure to enhance security. In this paper, we propose a new attack against Xiong et al.’s CLAS scheme; that is, a Type II adversary could forge legal signature for any message. To improve security, we also propose an improved CLAS scheme.

The organization of the paper is sketched as follows. Section 2 gives some preliminaries of the paper. Sections 3 and 4 review and analyze Xiong et al.’s scheme. Section 5 gives our improved scheme. Sections 6 and 7 discuss security and performance analysis of our scheme. At last, we give some conclusion in Section 8.

#### 2. Preliminaries

##### 2.1. Bilinear Pairing

Let be a cyclic additive group of prime order and a cyclic multiplicative group of the same order . We let denote the generator of . A bilinear pairing is a map which satisfies the following properties.(1)Bilinearity where , .(2)Nondegeneracy (3)Computability: there is an efficient algorithm to compute for all .

The Weil and Tate pairings associated with supersingular elliptic curves or abelian varieties can be modified to create such admissible pairings. The following problems are assumed to be intractable within polynomial time.

*Computational Diffie-Hellman (CDH) Problem.* Given , the task of CDH problem is to compute , where denotes the generator of .

##### 2.2. Formal Model of CLS and CLAS

In this subsection, we will review the definition and security notions specified in [25], only with slight notational differences. There are two kinds of adversaries in the CLS scheme and the CLAS scheme, that is, the Type I adversary and the Type II adversary . The adversary is not able to access the master key but he could replace public keys at his will. The adversary represents a malicious KGC who generates partial private key of users. could have access to the master key of KGC, but he is not able to replace public keys. The following are five oracles which can be accessed by the adversaries.(i)*CreateUser*: Given an identity , if has already been created, nothing is to be carried out. Otherwise, the oracle generates the partial private key , the secret key , and the public key . It then stores the tuple () into a list . In both cases, is returned.(ii)*RevealPartialKey*: On input of an identity , the oracle searches for a corresponding entry to . If it is not found, ⊥ is returned; otherwise, the corresponding is returned.(iii)*RevealSecertKey*: On input of an identity , the oracle searches for a corresponding entry to . If it is not found, ⊥ is returned; otherwise, the corresponding is returned.(iv)*ReplaceKey*: On input of an identity and a user public/secret key pair (), the oracle searches for the entry of . If it is not found, nothing will be carried out. Otherwise, the oracle updates () to ().(v)*Sign*: On input of a message for , the signing oracle proceeds in one of the three cases below.(a)A valid signature returned if has been created but the user public/secret key pair () has not been replaced.(b)If has not been created, a symbol ⊥ is returned.(c)If the user public/secret key pair of has been replaced with say (), then the oracle returns the result of .

The security for a CLS scheme and a CLAS scheme is defined via the following two games separately.

*Game 1. *The first game is performed between a challenger and an adversary for a CLS scheme as follows.(i) executes* MasterKeyGen* to get master private/public key pair ().(ii) can adaptively issue the* CreateUser*,* RevealPartialKey*,* RevealSecertKey*,* ReplaceKey*, and queries to .(iii) is to output a message and a signature corresponding to a target identity and a public key .

We say that wins Game 1, if and only if the following three conditions hold.(1) is a valid signature on messages under identities and the corresponding public key .(2)If is , the identity has not submitted to* RevealPartialKey* queries to get the partial private key . If is , has not submitted to* RevealSecertKey* queries or* ReplaceKey* queries to get the secret key .(3)The oracle has never been queried with ().

*Definition 1. *A CLS scheme is said to be secure if there is no probabilistic polynomial-time adversary , which wins Game 1 with nonnegligible advantage.

*Game 2. *The second game is performed between a challenger and an adversary for a CLAS scheme as follows.(i) executes* MasterKeyGen* to get master private/public key pair ().(ii) can adaptively issue the* CreateUser*,* RevealPartialKey*,* RevealSecertKey*,* ReplaceKey*, and* Sign* queries to .(iii) outputs a set of users whose identities are from the set and corresponding public keys from the set , messages , and an aggregate signature .

We say that wins Game 2, if and only if the following three conditions hold.(1) is a valid aggregate signature on messages under identities and the corresponding public key .(2)If is , at least one of the identities has not submitted to* RevealPartialKey* queries to get the partial private key . If is , at least one of has not been submitted to* RevealSecertKey* queries or* ReplaceKey* queries to get the secret key .(3)The oracle* Sign* has never been queried with ().

*Definition 2. *A CLAS scheme is said to be secure if there is no probabilistic polynomial-time adversary , which wins Game 2 with nonnegligible advantage.

#### 3. Review of Xiong et al.’s Schemes

##### 3.1. Xiong et al.’s CLS Scheme

In this subsection, we will briefly review Xiong et al.’s CLS scheme. Their CLS scheme consists of five algorithms:* MasterKeyGen*,* PartialKeyGen, UserKeyGen, Sign*, and* Verify*. The detail of these algorithms is described as follows.

*MasterKeyGen.* Given a security parameter , KGC runs the algorithm as follows.(1)Generate a cyclic additive group and a cyclic multiplicative group with prime order .(2)Generate two generators , of and an admissible pairing .(3)Generate a random number and compute .(4)Choose cryptographic hash functions and .(5)KGC publishes the system parameters and key the master key secretly.

*PartialKeyGen*. Given a user’s identity , KGC computes the user’s partial private key and transmits it to the user secretly, where .

*UserKeyGen*. The user with identity selects a random number as his secret key and computes his public key as .

*Sign*. Given a message , the partial private key , the secret key , the user with identity , and the corresponding public key , perform the following steps to generate a signature.(1)Generate a random number and compute .(2)Compute , .(3)Output () as the signature on .

*Verify*. Given a signature of message on identity and corresponding public key : (1)Compute and .(2)Verify holds or not. If it holds, accept the signature.

##### 3.2. Xiong et al.’s CLAS Scheme

In this subsection, we will briefly review Xiong et al.’s CLAS scheme. Their CLAS scheme consists of six algorithms:* MasterKeyGen, PartialKeyGen, UserKeyGen, Sign, Aggregate*, and* AggregateVerify*. The first four algorithms are the same as those in their CLS scheme. The detail of the other two algorithms is described as follows.

*Aggregate*. For an aggregating set of users with identities , corresponding public keys , and message-signature pairs from , respectively, the aggregate signature generator computes and outputs as an aggregate signature.

*AggregateVerify*. To verify an aggregate signature signed by users with identities and the corresponding public keys on messages , the verifier performs the following steps.(1)Compute and for .(2)Verify holds or not. If it holds, accept the signature.

#### 4. Cryptanalysis of Xiong et al.’s Scheme

Shim [24] claimed that both of their schemes are provably secure against two types of adversary in the random oracle model. However, in this section, we will disprove their claims by giving two concrete attacks.

##### 4.1. Attack against Xiong et al.’s CLS Scheme

Shim [24] claimed their CLS scheme is semantically secure against Type II adversary. Unfortunately, it is not true, since there is a polynomial time Type II adversary who can always win Game 1 through either of the following two attacks.

In Xiong et al.’s CLS scheme, the system parameters are generated by KGC. Let a Type II adversary be a malicious KGC. Then could choose a random and compute , when he generates the system parameters. After that, could forge a legal signature of any message.(1)The Type II adversary has the master key . Then, he could compute a user ’s partial private key , where .(2)For any message , generates a random number and computes , and .(3) outputs as the signature on .

Since , , and , we could have

Then, we know that () is a legal signature on . Besides, has not been submitted to* RevealSecertKey* queries or* ReplaceKey* queries to get the secret key and the oracle has never been queried with (). So the Type II adversary wins Game 1.

Therefore, Xiong et al.’s CLS scheme is not secure against attacks of the Type II adversary.

##### 4.2. Attack against Xiong et al.’s CLAS Scheme

Shim [24] claimed their CLAS scheme is semantically secure against Type II adversary. Unfortunately, it is not true, since there exists a polynomial time Type II adversary , who can always win Game 2 through either of the following two attacks.

In Xiong et al.’s CLAS scheme, the system parameters are generated by KGC. Let a Type II adversary be a malicious KGC. Then could choose a random and compute , when he generates the system parameters. After that, could forge an aggregate signature.

Let be an aggregating set of users with identities and the corresponding public keys .(1)For , does the following five substeps to generate a legal signature () on a message .(i)The Type II adversary has the master key . Then, he could compute a user ’s partial private key , where .(ii)For any message , generates a random number and computes , , and .(iii) outputs () as the signature on .(2) computes .(3) outputs as an aggregate signature.

From the analysis in the above subsection, we know that satisfies the equation , where and . Then we could have that

Thus, we know that is a legal aggregate signature on messages . Besides, for any has not been submitted to* RevealSecertKey* queries or* ReplaceKey* queries to get the secret key and the oracle* Sign* has never been queried with (). So the Type II adversary wins Game 2.

Therefore, Xiong et al.’s CLAS scheme is not secure against attacks of the Type II adversary.

#### 5. Our CLS Scheme and CLAS Scheme

##### 5.1. Our CLS Scheme

Like Xiong et al.’s CLS scheme does, our CLS scheme also consists of five algorithms:* MasterKeyGen, PartialKeyGen, UserKeyGen, Sign*, and* Verify*. The detail of these algorithms is described as follows.

*MasterKeyGen*. Given a security parameter , KGC runs the algorithm as follows.(1)Generate a cyclic additive group and a cyclic multiplicative group with prime order .(2)Generate a generator of and an admissible pairing .(3)Generate a random number and compute .(4)Choose cryptographic hash functions and .(5)KGC publishes the system parameters and key the master key secretly.

*PartialKeyGen*. Given a user’s identity , KGC computes the user’s partial private key and transmits it to the user secretly, where .

*UserKeyGen*. The user with identity selects a random number as his secret key and computes his public key as .

*Sign*. Given a message , the partial private key , the secret key , the user with identity , and the corresponding public key , perform the following steps to generate a signature.(1)Generate a random number and compute .(2)Compute , , , and .(3)Compute, .(4)Output () as the signature on .

*Verify*. Given a signature () of message on identity and corresponding public key , consider the following.(1)Compute , , , , and .(2)Verify holds or not. If it holds, accept the signature.

##### 5.2. Our CLAS Scheme

Like Xiong et al.’s CLAS scheme does, our CLAS scheme also consists of six algorithms:* MasterKeyGen, PartialKeyGen, UserKeyGen, Sign, Aggregate*, and* AggregateVerify*. The first four algorithms are the same as those in our CLS scheme. The detail of other two algorithms is described as follows.

*Aggregate*. For an aggregating set of users with identities , corresponding public keys , and message-signature pairs from , respectively, the aggregate signature generator computes and outputs as an aggregate signature.

*AggregateVerify*. To verify an aggregate signature signed by users with identities and the corresponding public keys on messages , the verifier performs the following steps.(1)Compute , , , , and for .(2)Verify holds or not. If it holds, accept the signature.

#### 6. Security Analysis

##### 6.1. Security Analysis of Our CLS Scheme

In this section, we analyze the security of our CLS scheme. The following lemmas and theorem are proposed.

Lemma 3. *If Type I adversary wins Game 1 with nonnegligible probability , then one could construct an algorithm to solve the CDH problem in with nonnegligible probability.*

*Proof. *Given an instance of the CDH problem in , we will construct an algorithm to compute , where and they are unknown to . At first, picks an identity at random as the challenged identity in this game, sets the master public key , selects the system parameters , and returns the parameters to . Then answers ’s query as follows. (i)* query*: maintains a list of form . When makes this query on , does as follows.(a)If the list contains a tuple , returns to .(b)Otherwise, if , picks a random , computes , adds to , and returns to .(c)Otherwise (), picks a random , computes , adds to , and returns to .(ii)* query*: maintains a list of form . When makes this query on , does as follows.(a)If the list contains a tuple , returns to .(b)Otherwise, picks a random , computes , adds to , and returns to .(iii)* query*: maintains a list of form . When makes this query on , does as follows. (a)If the list contains a tuple , returns to .(b)Otherwise, picks a random , computes , adds to , and returns to .(iv)* query*: maintains a list of form . When makes this query on , does as follows. (a)If the list contains a tuple , returns to .(b)Otherwise, picks a random , returns to , and adds to .(v)* query*: maintains a list of form . When makes this query on , does as follows.(a)If the list contains a tuple , returns to .(b)Otherwise, picks a random , returns to , and adds to .(vi)* CreateUser*: maintains a list of form . When makes this query on , does as follows.(a)If the list contains a tuple , returns to .(b)Otherwise, if , gets by making query with and sets . selects a random number as his secret key and computes his public key as . At last, adds to and returns to .(c)Otherwise (), gets by making query with and sets . selects a random number as his secret key and computes his public key as . At last, adds to and returns to .(vii)* RevealPartialKey*: when makes this query on , does as follows. (a)If , stops the simulation.(b)Otherwise (), looks up the list for the tuple and returns to .(viii)* RevealSecertKey*: when makes this query on , looks up the list for the tuple and returns to .(ix)* ReplaceKey*: when makes this query on , looks up the list for the tuple . sets and replaces with .(x)* Sign*: when makes this query on , does as follows.(a)If , looks up lists and and for tuples and separately, where and may have been replaced by . makes query and query with and gets tuples and , where and . generates three random numbers , computes , , and sets , . At last, adds tuples and to and separately and returns to . It is easy to say satisfies the equation .(b)Otherwise (), looks up lists and and for tuples and separately, where and may have been replaced by . makes query and query with and gets tuples and , where and . generates a random number and computes , , , and . At last, returns to . It is easy to say satisfies the equation .

Finally, outputs a tuple as its forgery, where . If , stops the simulation. From the forgery lemma [27], if we have a replay of with the same random tape but different choice of and , will output another three signatures. The following two equations hold since both of the two signatures are valid:

looks up lists and and for tuples and separately, where and may have been replaced by . makes query and query with and gets tuples and , where and . At last, returns as the solution of CDH problem.

*Analysis*. We show that solves the given instance of the CDH problem with the probability . To do so, we analyze the three events that result in ’s success. : does not abort in all the queries of . : can forge a legal signature . : the outputted tuple satisfies .

From the simulation we know that , , , where and denote the numbers of queries and queries separately. Then, the probability that solves the CDH problem is

Then could solve the CDH problem with a nonnegligible probability since is nonnegligible. This contradicts the hardness of the CDH problem. Therefore, our CLS scheme is existentially unforgeable against Type I adversary in random oracle model under the assumption that the CDH problem is hard.

Lemma 4. *If there is a Type I adversary wins Game 1 with nonnegligible probability . Then we could construct an algorithm to solve the CDH problem in with nonnegligible probability.*

*Proof. *Given an instance of the CDH problem in , we will construct an algorithm to compute , where and they are unknown to . At first, picks an identity at random as the challenged identity in this game, generates a random number as the master key, sets the master public key , selects the system parameters , and returns the master key and the parameters to . Then answers ’s query as follows. (i)* query*: maintains a list of form . When makes this query on , does as follows.(a)If the list contains a tuple , returns to .(b)Otherwise, picks a random , computes , adds to , and returns to .(ii)* query: * maintains a list of form . When makes this query on , does as follows.(a)If the list contains a tuple , returns to .(b)Otherwise, picks a random , computes , adds to , and returns to .(iii)* query*: maintains a list of form . When makes this query on , does as follows. (a)If the list contains a tuple , returns to .(b)Otherwise, picks a random , computes , adds to , and returns to .(iv)* query*: maintains a list of form . When makes this query on , does as follows.(a)If the list contains a tuple , returns to .(b)Otherwise, picks a random , returns to , and adds to .(v)* query*: maintains a list of form . When makes this query on , does as follows. (a)If the list contains a tuple , returns to .(b)Otherwise, picks a random , returns to , and adds to .(vi)* CreateUser*: maintains a list of form . When makes this query on , does as follows.(a)If the list contains a tuple , returns to .(b)Otherwise, if , gets by making query with and computes . sets and . At last, adds to and returns to .(c)Otherwise (), gets by making query with and computes . selects a random number as his secret key and computes his public key as . At last, adds to and returns to .(vii)* RevealPartialKey*: when makes this query on , looks up the list for the tuple and returns to .(viii)* RevealSecertKey:* when makes this query on , does as follows. (a)If , stops the simulation.(b)Otherwise (), looks up the list for the tuple and returns to .(ix)* Sign*: when makes this query on , does as follows. (a)If , looks up lists and and for tuples and separately, where and may have been replaced by . makes query and query with and gets tuples and , where and . generates three random numbers , computes , , and sets , . At last, adds tuples and to and separately and returns to . It is easy to say satisfies the equation .(b)Otherwise (), acts according to the description of the algorithm since he knows both of and .

Finally, outputs a tuple as its forgery, where . If , stops the simulation. From the forgery lemma [27], if we have a replay of with the same random tape but different choice of and , will output another signatures. The following two equations hold since both of the two signatures are valid:

looks up lists and and for tuples and separately, where . makes query and query with and gets tuples and , where and . At last, returns as the solution of CDH problem.

*Analysis*. We show that solves the given instance of the CDH problem with the probability . To do so, we analyze the three events that result in ’s success. : does not abort in all the queries of . : can forge a legal signature . : the outputted tuple satisfies .

From the simulation we know that , , , where and denote the numbers of queries and queries separately. Then, the probability that solves the CDH problem is

Then could solve the CDH problem with a nonnegligible probability since is nonnegligible. This contradicts the hardness of the CDH problem. Therefore, our CLS scheme is existentially unforgeable against a Type II adversary in random oracle model under the assumption that the CDH problem is hard.

From the above two lemmas, we could get the following theorem.

Theorem 5. *The CLS scheme is secure against adaptively chosen warrant attacks and chosen message and identity attacks in the random oracle model if the CDH problem in is intractable.*

##### 6.2. Security Analysis of Our CLAS Scheme

For the security of our CLAS scheme, we have the following theorem.

Theorem 6. *The CLAS scheme is secure against adaptively chosen warrant attacks and chosen message and identity attacks in the random oracle model if the CDH problem in is intractable.*

*Proof. *Suppose there is an adversary who could win Game 2 with nonnegligible probability. We could construct another adversary, who could win Game 1 with nonnegligible probability, through the method described in Theorem 2 of Xiong et al.’s work [25]. We have shown that no adversary could win Game 1 with nonnegligible probability in the above theorem. Therefore, our CLAS scheme is secure against adaptively chosen warrant attacks and chosen message and identity attacks in the random oracle model if the CDH problem in is intractable.

#### 7. Performance Analysis

In this section, we compare our scheme with two latest CLAS schemes, that is, Zhang et al.’s scheme [22] and Xiong et al.’s scheme [25]. For convenience, some notations are defined as follows:(i): the time for executing a pairing operation;(ii): the time for executing a scalar multiplications in .

The comparisons are listed in Table 1. From the table, we know that Xiong et al.’s scheme and our scheme have better performance than Zhang et al.’s scheme. Xiong et al.’s scheme has better performance than our scheme. However, Xiong et al.’s scheme cannot withstand attacks of Type II adversary. It is well known that security is a top priority in network communications. It is acceptable to enhance security at the cost of increasing computational time slightly. Therefore, our scheme is more suitable for practical applications.

#### 8. Conclusion

Recently, Xiong et al. proposed an efficient CLAS scheme. They claimed that both of their schemes are provably secure in the random oracle model. In this paper, we propose a new attack against their scheme. To overcome weakness, we also propose an improved CLAS scheme and show our scheme is provable in the random oracle model.

#### Conflict of Interests

The authors declare that they have no conflict of interests.