Abstract
Certificate-based cryptography optimizes certificate management of the traditional public key infrastructure (PKI) and overcomes the problems of key escrow and key distribution in identity-based cryptography (IBC). Currently, many certificate-based signature (CBS) schemes have been proposed in the random oracle model or the standard model. However, all existing schemes in the standard model are quite inefficient. In this paper, we propose an efficient certificate-based signature over bilinear groups in the standard model. Compared with the state-of-the-art constructions in the standard model, the proposed scheme is superior in both communication cost and computational overhead.
Acknowledgment
This work is supported by the National Cryptography Development Fund (No. MMJJ20180110).
A Appendix
Theorem 3
The EPS assumption holds in the general bilinear group model: after q \(\mathcal {O}PS\) oracle queries, k \(\mathcal {O}EPS\) oracle queries and \(q_{G}\) group-oracle queries, no adversary can generate a valid tuple for a new pair with probability greater than \( 2( 6+2q+3k+q_{G} )^{2}/p \).
Let \( ( \mathbb {G}, \mathbb {\hat{G}},\mathbb {T},e, p,G,\hat{G}) \) be a Type 3 bilinear group, where G and \( \hat{G} \) are generators of \( \mathbb {G} \) and \( \mathbb {\hat{G}} \), respectively. Let \( O= G^{o}, \hat{O}= \hat{G}^{o},\) \( X= G^{x},\) \( \hat{X}= \hat{G}^{x}\), \( \hat{Y}= \hat{G}^{y} \), \( \hat{Z}= \hat{G}^{z} \) for some random scalars \( o,x,y,z \in \mathbb {Z}_{p} \). Let \( r_{1,i}\in \mathbb {Z}_{p}^{*} \) be the scalar such that the \(i^{th}\) query to \( \mathcal {O}PS(\cdot ) \), on scalar \( l_{i} \), is answered by \( (\alpha _{1,i}=G^{r_{1,i}},\alpha _{2,i}=G^{r_{1,i}(y+l_{i}z)}) \). Let \( r_{2,j}, r_{3,j}\in \mathbb {Z}_{p}^{*}\) be the scalars such that the \(j^{th}\) query to \( \mathcal {O}EPS(\cdot ) \), on the pair \( (l^{*},m_{j}) \), is answered by \( (\beta _{1,j}=G^{r_{2,j}}, \beta _{2,j}=G^{r_{2,j}r_{3,j}}, \beta _{3,j}=G^{r_{2,j}((y+l^{*}z)r_{3,j}+o+xm_{j})}) \). Note that the adversary is not allowed to query the oracle \( \mathcal {O}PS(\cdot ) \) on \(l^{*}\).
In the following, we associate group elements with polynomials whose formal variables are the above unknown scalars: \( o,x,y,z,r_{1,1},...,r_{1,q},r_{2,1},...,r_{2,k},r_{3,1},...,\) \(r_{3,k}\), with first all the inputs available to the adversary: \(\hat{O}= \hat{G}^{o}\), \( \hat{X}= \hat{G}^{x}\), \( \hat{Y}= \hat{G}^{y} \), \( \hat{Z}= \hat{G}^{z} \) in \( \mathbb {\hat{G}} \), \( O=G^{o} \) \( X=G^{x} \) in \( \mathbb {G} \), \((\alpha _{1,i},\alpha _{2,i} )=(G^{r_{1,i}},G^{r_{1,i}(y+l_{i}z)})\) for \( i=1,...,q\), and \( (\beta _{1,j}, \beta _{2,j}, \beta _{3,j})=(G^{r_{2,j}}, G^{r_{2,j}r_{3,j}}, G^{r_{2,j}((y+l^{*}z)r_{3,j}+o+xm_{j})}) \) for \( j=1,...,k\) in \( \mathbb {G} \). We must first prove that an adversary \( \mathcal {A} \) is unable to symbolically produce a new valid tuple, and then that an accidental validity is quite unlikely.
For the output tuple \( (\beta _{1}^{*},\beta _{2}^{*},\beta _{3}^{*})=(G^{r_{2}^{*}}, G^{r_{2}^{*}r_{3}^{*}}, G^{r_{2}^{*}((y+l^{*}z)r_{3}^{*}+o+xm^{*})})\) on a new pair \((l^{*},m^{*})\), since \( (G^{r_{2}^{*}}, G^{r_{2}^{*}r_{3}^{*}}, G^{r_{2}^{*}((y+l^{*}z)r_{3}^{*}+o+xm^{*})}) \) are elements of \( \mathbb {G} \), they can only be combinations of the previous tuples \((\alpha _{1,i},\alpha _{2,i})\), \( (\beta _{1,j}, \beta _{2,j}, \beta _{3,j})\), G, O and X (without any help from elements of \( \mathbb {\hat{G}} \)): they have been built with queries to the oracle for the group law in \(\mathbb {G}\), and so we know \(((u_{1,i},v_{1,i},u_{2,i},v_{2,i},v_{3,i},u_{3,i})_{i},\) \((a_{1,j},b_{1,j},c_{1,j},a_{2,j},b_{2,j},c_{2,j},a_{3,j},\, b_{3,j},c_{3,j})_{j},(w_{1},w_{2},w_{3}),(w'_{1},w'_{2},w'_{3}),(w''_{1},w''_{2},w''_{3}))\) \(\in \mathbb {Z}_{p}^{6q+9k+9}\) such that:
and thus
The validity of the new tuple implies that \( s^{*}=r_{2}^{*}r_{3}^{*}(y+l^{*}z)+r_{2}^{*}(o+m^{*}x) \), which leads to:
For the two multivariable polynomials to be equal, the same monomials should appear on both sides:
- no constant term on the right, so \(w_{3}=0 \);
- no term in \( r_{1,i} \) on the right, so \(u_{3,i}=0 \) for all i;
- no term in \( r_{2,j} \) nor \( r_{2,j}r_{3,j} \) on the right, so \(a_{3,j}=b_{3,j}=0 \) for all j;
- no monomials of degree 4 on the left, so \(c_{1,j}=c_{2,j}=0\) for all j;
- no term in y, yo, yx, \(y^{2}r_{1,i}\) and \(yr_{2,j}\) on the left, so \(w_2=w'_2=w''_2=0\), \(v_{2,i}=0\) for all i, \(a_{2,j}=0\) for all j;
- no term in \(o^{2}\), ox, \(or_{1,i}\), \(or_{1,i}y\) and \(or_{2,j}r_{3,j}\) on the left, so \(w'_1=w''_1=0\), \(u_{1,i}=v_{1,i}=0\) for all i, \(b_{1,j}=0\) for all j.
The monomial o implies \(w'_3=w_1\), and the monomial x implies \(w''_{3}=w_1m^{*}\). The monomials \( r_{1,i}y \) imply \( v_{3,i}=u_{2,i} \) for all i, and the monomials \( r_{1,i}z \) imply \(v_{3,i}l_{i}=u_{2,i}l^{*}\) for all i. Since \(l_{i}\ne l^{*}\) for all i, it follows that \( v_{3,i}=u_{2,i}=0 \) for all i. The monomials \( r_{2,j}r_{3,j}y \) imply \( c_{3,j}=b_{2,j} \) for all j, the monomials \( r_{2,j}o \) imply \( c_{3,j}=a_{1,j} \) for all j, and the monomials \( r_{2,j}x \) imply \( c_{3,j}m_j=a_{1,j}m^{*} \) for all j. Since \( r_{2}^{*}r_{3}^{*}\ne 0 \), there is at least one j with \( b_{2,j}=c_{3,j}=a_{1,j}\ne 0 \), and then \( m^{*}=m_{j}\). Therefore the tuple is not for a new pair, which means that an adversary is unable to symbolically produce a valid tuple for a new pair.
Now we evaluate the probability of an accidental validity, i.e. that two different polynomials involved in the oracle answers evaluate to the same value. Note that the elements generated by the oracles and the public elements are associated with polynomials of degree at most 3 and 1 respectively, so the polynomials obtained through group-oracle queries are of degree at most 4. We denote the maximum number of group-oracle queries by \( q_{G} \). There are at most \( 2q+6+3k+q_{G} \) polynomials, and so at most \( (2q+6+3k+q_{G} )^{2}/2 \) pairs of distinct polynomials that could evaluate to the same value. By the Schwartz-Zippel lemma, the probability that such an event occurs is \(\le 2( 6+2q+3k+q_{G} )^{2}/p \), which is negligible.
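To make the monomial-matching step of this proof concrete, the following is an added Python example (not code from the paper) for the smallest case q = 1 and k = 1. It represents each element of \( \mathbb {G} \) that the adversary holds by its exponent polynomial in the hidden scalars \( o,x,y,z,r_{1,1},r_{2,1},r_{3,1} \), writes the verification of a candidate tuple \((\beta _{1}^{*},\beta _{2}^{*},\beta _{3}^{*})\) on \((l^{*},m^{*})\) as the polynomial identity \( P_{3}-(y+l^{*}z)P_{2}-(o+m^{*}x)P_{1}=0 \) (the pairing check \( e(\beta _{3}^{*},\hat{G})=e(\beta _{2}^{*},\hat{Y}\hat{Z}^{l^{*}})\,e(\beta _{1}^{*},\hat{O}\hat{X}^{m^{*}}) \) that the tuple's form implies), and, since that identity is linear in the adversary's combination coefficients, computes the kernel of the resulting system over \( \mathbb {Z}_{p} \). The toy prime, the scalars \( l_{1},l^{*},m_{1},m^{*} \) and all function names are constructed for this example; it assumes \( l_{1}\ne l^{*} \), which is exactly the oracle restriction the theorem imposes.

```python
"""Monomial-matching step of the generic bilinear group proof, made executable.

Added example, not code from the paper.  Case q = 1 (one OPS answer on l_1)
and k = 1 (one OEPS answer on (l*, m_1)).  Each G-element the adversary holds
is a polynomial in the hidden scalars; anything it builds in G is a Z_p-linear
combination of those polynomials; the verification of an output with exponent
polynomials (P1, P2, P3) becomes P3 - (y + l* z) P2 - (o + m* x) P1 = 0.
That identity is linear in the 24 combination coefficients, so the symbolic
forgeries form the kernel of a matrix over Z_p.
"""
P = 2**61 - 1                                     # constructed toy prime
VARS = ("o", "x", "y", "z", "r1", "r2", "r3")     # formal variables, in this order

# A polynomial over Z_p is a dict {exponent tuple: coefficient}.
def var(name):
    e = [0] * len(VARS)
    e[VARS.index(name)] = 1
    return {tuple(e): 1}

def const(c):
    return {(0,) * len(VARS): c % P} if c % P else {}

def add(a, b):
    out = dict(a)
    for m, c in b.items():
        out[m] = (out.get(m, 0) + c) % P
    return {m: c for m, c in out.items() if c}

def mul(a, b):
    out = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            m = tuple(i + j for i, j in zip(ma, mb))
            out[m] = (out.get(m, 0) + ca * cb) % P
    return {m: c for m, c in out.items() if c}

def scale(a, c):
    return mul(a, const(c))

def held_elements(l1, l_star, m1):
    """Exponent polynomials of the G-elements the adversary holds: G, O, X,
    (alpha_{1,1}, alpha_{2,1}) from OPS(l1) and (beta_{1,1}, beta_{2,1},
    beta_{3,1}) from OEPS(l*, m1), in the proof's notation."""
    o, x, y, z, r1, r2, r3 = (var(v) for v in VARS)
    y_lz = add(y, scale(z, l_star))                       # y + l* z
    return [const(1), o, x,
            r1, mul(r1, add(y, scale(z, l1))),            # r1, r1 (y + l1 z)
            r2, mul(r2, r3),                              # r2, r2 r3
            mul(r2, add(add(mul(y_lz, r3), o), scale(x, m1)))]

def nullspace_mod_p(rows, ncols):
    """Basis of {c : A c = 0} over Z_p, via reduced row echelon form."""
    A = [r[:] for r in rows]
    pivots, r = [], 0
    for col in range(ncols):
        piv = next((i for i in range(r, len(A)) if A[i][col]), None)
        if piv is None:
            continue                                      # free column
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][col], P - 2, P)
        A[r] = [(a * inv) % P for a in A[r]]
        for i in range(len(A)):
            if i != r and A[i][col]:
                f = A[i][col]
                A[i] = [(a - f * b) % P for a, b in zip(A[i], A[r])]
        pivots.append(col)
        r += 1
    basis = []
    for free in (c for c in range(ncols) if c not in pivots):
        vec = [0] * ncols
        vec[free] = 1
        for i, pc in enumerate(pivots):
            vec[pc] = (-A[i][free]) % P
        basis.append(vec)
    return basis

def forgery_kernel(l1, l_star, m1, m_star):
    """Basis of all coefficient vectors (u | v | w), 8 entries each, such that
    P1 = sum u_k B_k, P2 = sum v_k B_k, P3 = sum w_k B_k satisfy
    P3 - (y + l* z) P2 - (o + m* x) P1 = 0 identically."""
    assert l1 != l_star, "the theorem forbids an OPS query on l*"
    B = held_elements(l1, l_star, m1)
    o, x, y, z = (var(v) for v in VARS[:4])
    neg_u = scale(add(o, scale(x, m_star)), -1)   # column of u_k: -(o + m* x) B_k
    neg_v = scale(add(y, scale(z, l_star)), -1)   # column of v_k: -(y + l* z) B_k
    cols = [mul(neg_u, b) for b in B] + [mul(neg_v, b) for b in B] + B
    monos = sorted({m for c in cols for m in c})  # one linear equation per monomial
    rows = [[c.get(m, 0) for c in cols] for m in monos]
    return nullspace_mod_p(rows, len(cols))

def symbolic_forgery_exists(l1, l_star, m1, m_star):
    """True iff some symbolic output verifies on (l*, m*) with P2 != 0.
    Solutions with P2 = 0 (e.g. beta*_1 = G^t, beta*_2 = 1,
    beta*_3 = O^t X^{m* t}) always exist; the proof's condition
    r_2^* r_3^* != 0 excludes exactly those."""
    return any(any(vec[8:16]) for vec in forgery_kernel(l1, l_star, m1, m_star))

if __name__ == "__main__":
    # Re-randomising the OEPS answer verifies on the queried pair (l*, m_1) ...
    print(symbolic_forgery_exists(3, 5, 7, 7))    # True
    # ... but nothing verifies on a new pair (l*, m*) with m* != m_1.
    print(symbolic_forgery_exists(3, 5, 7, 11))   # False
```

The kernel has dimension 1 when \( m^{*}\ne m_{1} \) (only the excluded \( P_{2}=0 \) family) and dimension 2 when \( m^{*}=m_{1} \) (the extra vector is the scaled copy of \( (\beta _{1,1},\beta _{2,1},\beta _{3,1}) \)), which is the one-query instance of the conclusion \( m^{*}=m_{j} \) reached above. Because the check is linear it does not encode the structural relation \( \beta _{2}^{*}=(\beta _{1}^{*})^{r_{3}^{*}} \); that is why the example keeps the assumption \( l_{1}\ne l^{*} \) rather than re-deriving it.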
© 2021 Springer Nature Switzerland AG
Cite this paper
Wang, G., Cao, Y. (2021). An Efficient Certificate-Based Signature Scheme in the Standard Model. In: Sako, K., Tippenhauer, N.O. (eds) Applied Cryptography and Network Security. ACNS 2021. Lecture Notes in Computer Science, vol 12726. Springer, Cham. https://doi.org/10.1007/978-3-030-78372-3_12
DOI: https://doi.org/10.1007/978-3-030-78372-3_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78371-6
Online ISBN: 978-3-030-78372-3