An Efficient Certificate-Based Signature Scheme in the Standard Model

Abstract

Certificate-based cryptography optimizes certificate management of the traditional public key infrastructure (PKI) and overcomes the problems of the key escrow and the key distribution in identity-based cryptography (IBC). Currently, many certificate-based signature (CBS) schemes have been proposed in the random oracle model or standard model. However, all existing schemes in the standard model are quietly inefficient. In this paper, we propose an efficient certificate-based signature over bilinear groups in the standard model. Compared with the state-of-the-art constructions in the standard model, the proposed scheme is superior in both communication cost and computational overhead.

A Appendix

Theorem 3

The EPS assumption holds in the general bilinear group model: after q \(\mathcal {O}PS\) oracle queries, k \(\mathcal {O}EPS\) oracle queries and \(q_{G}\) group-oracle queries, no adversary can generate a valid tuple for a new pair with probability greater than \( 2( 6+2q+3k+q_{G} )^{2}/p \).

Let \( ( \mathbb {G}, \mathbb {\hat{G}},\mathbb {T},e, p,G,\hat{G}) \) be a Type 3 bilinear group, where G and \( \hat{G} \) are generators of \( \mathbb {G} \) and \( \mathbb {\hat{G}} \), respectively. Let \( O= G^{o}, \hat{O}= \hat{G}^{o},\) \( X= G^{x},\) \( \hat{X}= \hat{G}^{x}\), \( \hat{Y}= \hat{G}^{y} \), \( \hat{Z}= \hat{G}^{z} \) for some random scalars \( o,x,y,z \in \mathbb {Z}_{p} \). Let \( r_{1,i}\in \mathbb {Z}_{p}^{*} \) be the scalar such that the \(i^{th}\) oracle answer from \( \mathcal {O}PS(\cdot ) \) on scalar \( l_{i} \) is answered by \( (\alpha _{1,i}=G^{r_{1,i}},\alpha _{2,i}=G^{r_{1,i}(y+l_{i}z)}) \). Let \( r_{2,j}, r_{3,j}\in \mathbb {Z}_{p}^{*}\) be the scalars such that the \(j^{th}\) oracle answer from \( \mathcal {O}EPS(\cdot ) \) on pair \( (l^{*},m_{j}) \) is answered by \( (\beta _{1,j}=G^{r_{2,j}}, \beta _{2,j}=G^{r_{2,j}r_{3,j}}, \beta _{3,j}=G^{r_{2,j}((y+l^{*}z)r_{3,j}+o+xm_{j})}) \). Note that \(l^{*}\) is not allowed to access the oracle \( \mathcal {O}PS(\cdot ) \).

In the following, we associate group elements with polynomials whose formal variables are the above unknown scalars: \( o,x,y,z,r_{1,1},...,r_{1,q},r_{2,1},...,r_{2,k},r_{3,1},...,\) \(r_{3,k}\), with first all the inputs available to the adversary: \(\hat{O}= \hat{G}^{o}\), \( \hat{X}= \hat{G}^{x}\), \( \hat{Y}= \hat{G}^{y} \), \( \hat{Z}= \hat{G}^{z} \) in \( \mathbb {\hat{G}} \), \( O=G^{o} \) \( X=G^{x} \) in \( \mathbb {G} \), \((\alpha _{1,i},\alpha _{2,i} )=(G^{r_{1,i}},G^{r_{1,i}(y+l_{i}z)})\) for \( i=1,...,q\), and \( (\beta _{1,j}, \beta _{2,j}, \beta _{3,j})=(G^{r_{2,j}}, G^{r_{2,j}r_{3,j}}, G^{r_{2,j}((y+l^{*}z)r_{3,j}+o+xm_{j})}) \) for \( j=1,...,k\) in \( \mathbb {G} \). We must first prove that an adversary \( \mathcal {A} \) is unable to symbolically produce a new valid tuple, and then that an accidental validity is quite unlikely.

For the output tuple \( (\beta _{1}^{*},\beta _{2}^{*},\beta _{3}^{*})=(G^{r_{2}^{*}}, G^{r_{2}^{*}r_{3}^{*}}, G^{r_{2}^{*}((y+l^{*}z)r_{3}^{*}+o+xm^{*})})\) on a new pair \((l^{*},m^{*})\), since \( (G^{r_{2}^{*}}, G^{r_{2}^{*}r_{3}^{*}}, G^{r_{2}^{*}((y+l^{*}z)r_{3}^{*}+o+xm^{*})}) \) are elements in \( \mathbb {G} \), they can just be combinations of previous tuples \((\alpha _{1,i},\alpha _{2,i})\),\( (\beta _{1,j}, \beta _{2,j}, \beta _{3,j})\), G, O and X (without any help from elements in \( \mathbb {\hat{G}} \)): they have been built with queries to the oracle of internal law in \(\mathbb {G}\), and so we know \(((u_{1,i},v_{1,i},u_{2,i},v_{2,i},v_{3,i},u_{3,i})_{i},\) \((a_{1,j},b_{1,j},c_{1,j},a_{2,j},b_{2,j},c_{2,j},a_{3,j},\, b_{3,j},c_{3,j})_{j},(w_{1},w_{2},w_{3}),(w'_{1},w'_{2},w'_{3}),(w''_{1},w''_{2},w''_{3}))\) \(\in \mathbb {Z}_{p}^{6q+9k+9}\) such that:

$$\begin{aligned} G^{r_{2}^{*}}=\beta _{1}^{*}=G^{w_{1}}O^{w'_{1}}X^{w''_{1}}\prod \limits _{i=1}^{q}\alpha _{1,i}^{u_{1,i}}\alpha _{2,i}^{v_{1,i}}\prod \limits _{j=1}^{k}\beta _{1,j}^{a_{1,j}}\beta _{2,j}^{b_{1,j}}\beta _{3,j}^{c_{1,j}},\\ G^{r_{2}^{*}r_{3}^{*}}=\beta _{2}^{*}=G^{w_{2}}O^{w'_{2}}X^{w''_{2}}\prod \limits _{i=1}^{q}\alpha _{1,i}^{u_{2,i}}\alpha _{2,i}^{v_{2,i}}\prod \limits _{j=1}^{k}\beta _{1,j}^{a_{2,j}}\beta _{2,j}^{b_{2,j}}\beta _{3,j}^{c_{2,j}}, \\ G^{s^{*}}=\beta _{3}^{*}=G^{w_{3}}O^{w'_{3}}X^{w''_{3}}\prod \limits _{i=1}^{q}\alpha _{1,i}^{u_{3,i}}\alpha _{2,i}^{v_{3,i}}\prod \limits _{j=1}^{k}\beta _{1,j}^{a_{3,j}}\beta _{2,j}^{b_{3,j}}\beta _{3,j}^{c_{3,j}}, \end{aligned}$$

and thus

$$\begin{aligned} \begin{aligned} r_{2}^{*}&=w_{1}+ow'_{1}+xw''_{1}+\sum \limits _{i=1}^{q}(u_{1,i}r_{1,i}+v_{1,i}(r_{1,i}(y+l_{i}z)))\\&+\sum \limits _{j=1}^{k}(a_{1,j}r_{2,j}+b_{1,j}r_{2,j}r_{3,j}+c_{1,j}(r_{2,j}r_{3,j}(y+l^{*}z)+r_{2,j}(o+m_{j}x)))\\ \end{aligned} \end{aligned}$$

$$\begin{aligned} \begin{aligned} r_{2}^{*}r_{3}^{*}&=w_{2}+ow'_{2}+xw''_{2}+\sum \limits _{i=1}^{q}(u_{2,i}r_{1,i}+v_{2,i}(r_{1,i}(y+l_{i}z)))\\&+\sum \limits _{j=1}^{k}(a_{2,j}r_{2,j}+b_{2,j}r_{2,j}r_{3,j}+c_{2,j}(r_{2,j}r_{3,j}(y+l^{*}z)+r_{2,j}(o+m_{j}x)))\\ \end{aligned} \end{aligned}$$

$$\begin{aligned} \begin{aligned} s^{*}&=w_{3}+ow'_{3}+xw''_{3}+\sum \limits _{i=1}^{q}(u_{3,i}r_{1,i}+v_{3,i}(r_{1,i}(y+l_{i}z)))\\&+\sum \limits _{j=1}^{k}(a_{3,j}r_{2,j}+b_{3,j}r_{2,j}r_{3,j}+c_{3,j}(r_{2,j}r_{3,j}(y+l^{*}z)+r_{2,j}(o+m_{j}x)))\\ \end{aligned} \end{aligned}$$

The validity of the new tuple implies that \( s^{*}=r_{2}^{*}r_{3}^{*}(y+l^{*}z)+r_{2}^{*}(o+m^{*}x) \), which leads to:

$$\begin{aligned} \begin{aligned}&w_{3}+ow'_{3}+xw''_{3}+\sum \limits _{i=1}^{q}(u_{3,i}r_{1,i}+v_{3,i}(r_{1,i}(y+l_{i}z)))\\&+\sum \limits _{j=1}^{k}(a_{3,j}r_{2,j}+b_{3,j}r_{2,j}r_{3,j}+c_{3,j}(r_{2,j}r_{3,j}(y+l^{*}z)+r_{2,j}(o+m_{j}x)))\\&=y(w_{2}+ow'_{2}+xw''_{2}+\sum \limits _{i=1}^{q}(u_{2,i}r_{1,i}+v_{2,i}(r_{1,i}(y+l_{i}z)))\\&+\sum \limits _{j=1}^{k}(a_{2,j}r_{2,j}+b_{2,j}r_{2,j}r_{3,j}+c_{2,j}(r_{2,j}r_{3,j}(y+l^{*}z)+r_{2,j}(o+m_{j}x))))\\&+l^{*}z(w_{2}+ow'_{2}+xw''_{2}+\sum \limits _{i=1}^{q}(u_{2,i}r_{1,i}+v_{2,i}(r_{1,i}(y+l_{i}z)))\\&+\sum \limits _{j=1}^{k}(a_{2,j}r_{2,j}+b_{2,j}r_{2,j}r_{3,j}+c_{2,j}(r_{2,j}r_{3,j}(y+l^{*}z)+r_{2,j}(o+m_{j}x))))\\&+(o+m^{*}x)(w_{1}+ow'_{1}+xw''_{1}+\sum \limits _{i=1}^{q}(u_{1,i}r_{1,i}+v_{1,i}(r_{1,i}(y+l_{i}z)))\\&+\sum \limits _{j=1}^{k}(a_{1,j}r_{2,j}+b_{1,j}r_{2,j}r_{3,j}+c_{1,j}(r_{2,j}r_{3,j}(y+l^{*}z)+r_{2,j}(o+m_{j}x)))) \end{aligned} \end{aligned}$$

For the two multivariable polynomials to be equal, the same monomials should appear on both sides:

• no constant term on the right, so \(w_{3}=0 \);

• no term in \( r_{1,i} \) on the right, \(u_{3,i}=0 \) for all i;

• no term in \( r_{2,j} \) nor \( r_{2,j}r_{3,j} \) on the right, \(a_{3,j}=b_{3,j}=0 \) for all j;

• no monomials of degree 4 on the left, so \(c_{1,j}=c_{2,j}=0\) for all j;

• no term in y, yo, yx, \(y^{2}r_{1,i}\) and \(yr_{2,j}\) on the left, so \(w_2=w'_2=w''_2=0\), \(v_{2,i}=0\) for all i, \(a_{2,j}=0\) for all j;

• no term in \(o^{2}\), ox, \(or_{1,i}\), \(or_{1,i}y\) and \(or_{2,j}r_{3,j}\) on the left, so \(w'_1=w''_1=0\), \(u_{1,i}=v_{1,i}=0\) for all i, \(b_{1,j}=0\) for all j:

$$\begin{aligned} \begin{aligned}&w'_{3}o+w''_{3}x+\sum \limits _{i=1}^{q}(v_{3,i}r_{1,i}(y+l_{i}z))+\sum \limits _{j=1}^{k}(c_{3,j}(r_{2,j}r_{3,j}(y+l^{*}z)+r_{2,j}(o+m_{j}x)))\\&=w_{1}o+w_{1}xm^{*}+\sum \limits _{i=1}^{q}(u_{2,i}(r_{1,i}(y+l^{*}z))) +\sum \limits _{j=1}^{k}(b_{2,j}(r_{2,j}r_{3,j}(y+l^{*}z))\\&+a_{1,j}r_{2,j}(o+m^{*}x)). \end{aligned} \end{aligned}$$

The monomial o implies \(w'_3=w_1\), the monomial x implies \(w''_{3}=w_1m^{*}\). The monomials \( r_{1,i}y \) imply \( v_{3,i}=u_{2,i} \) for all i, and the monomials \( r_{1,i}z \) imply \(v_{3,i}l_{i}=u_{2,i}l^{*}\) for all i. Since \(l_{i}\ne l^{*}\) for all i, so \( v_{3,i}=u_{2,i}=0 \) for all i. The monomials \( r_{2,j}r_{3,j}y \) imply \( c_{3,j}=b_{2,j} \) for all j, the monomials \( r_{2,j}o \) imply \( c_{3,j}=a_{1,j} \) for all j, and the monomials \( r_{2,j}x \) imply \( c_{3,j}m_j=a_{1,j}m^{*} \) for all j. Since \( r_{2}^{*}r_{3}^{*}\ne 0 \), so there is at least one \( b_{2,j}=c_{3,j}=a_{1,j}\ne 0 \), and then \( m^{*}=m_{i}\). Therefore, the tuple is not for a new pair which means that an adversary is unable to symbolically produce a valid tuple for a new pair.

Now, we evaluate the probability for an accidental validity: the same value is output by two different polynomials involved in the answers to the oracle. Note that the elements generated by the oracle and the public elements are associated with polynomials of degree at most 3 and 1, thus polynomials generated by querying to the different group oracle are of degree at most 4. We denote the maximum number of group-oracle queries by \( q_{G} \). There are at most \( 2q+6+3k+q_{G} \) polynomials and at most \( (2q+6+3k+q_{G} )^{2}/2 \) pairs of distinct polynomials could evaluate to the same value. By the Schwartz-Zippel lemma, the probability of such an event occurs is \(\le 2( 6+2q+3k+q_{G} )^{2}/p \) which is negligible.