Certificateless signature scheme with security enhanced in the standard model

https://doi.org/10.1016/j.ipl.2014.04.004

Highlights

  • Yu et al.'s scheme suffers from key replacement and malicious-but-passive KGC attacks.

  • We identify what is wrong with that scheme.

  • An improvement on Yu et al.'s scheme is proposed to remedy these security flaws.

  • The proposed scheme is proven secure in the standard model.

  • The proposed scheme achieves lower computational cost and shorter system parameters.

Abstract

Certificateless cryptography is an attractive paradigm that combines the advantages of identity-based cryptography (no certificates) and traditional public key cryptography (no key escrow). Recently, to address the drawbacks of the existing certificateless signature (CL-S) schemes without random oracles, Yu et al. proposed a new CL-S scheme with several merits, including shorter system parameters and higher computational efficiency than the previous schemes. In this work, however, we point out that their CL-S scheme is insecure against a key replacement attack and against a malicious-but-passive KGC attack. We further propose an improved scheme that removes these flaws without giving up the merits of the original scheme, and we prove that it is existentially unforgeable against adaptive chosen message attacks under the computational Diffie–Hellman assumption in the standard model.

Introduction

In traditional public key cryptography (PKC), a user selects a public/private key pair and publishes the public key. This raises the problem of how the public key is bound to the user. In these cryptosystems the binding between a public key and the identity of its owner is established by a digital certificate. A conventional public key infrastructure (PKI) therefore incurs heavy management and communication cost to guarantee the authenticity of users' public keys.

To reduce this burden, Shamir [9] proposed the concept of identity-based cryptography (ID-PKC), in which a user's public key is derived directly from his unique identifier, while the user's private key is generated by a trusted third party called the Private Key Generator (PKG). An inherent problem of ID-PKC, however, is key escrow: the PKG knows every user's private key.

To solve the key escrow problem of ID-PKC and eliminate certificates in PKC, Al-Riyami and Paterson [1] introduced certificateless public key cryptography (CL-PKC). In CL-PKC a semi-trusted third party called the Key Generation Center (KGC) is still involved; it generates a partial private key psk for a user from his identity. A user's full private key thus consists of the partial private key psk for the identity ID, generated by the KGC, and a public/secret key pair (upk, usk) generated by the user himself. To produce a valid signature for the user with identity ID under the public key upk, one needs both the partial private key of ID and the secret key usk corresponding to upk. A verifier, on the other hand, uses the user's public key upk directly, without checking any certificate for it. Since nothing certifies upk, a verifier cannot tell a public key chosen by the legitimate user from one substituted by an adversary; this is why key replacement attacks are the central threat in the certificateless setting, alongside a KGC that misuses its knowledge of psk.

The concept of a certificateless signature (CL-S) scheme was also introduced by Al-Riyami and Paterson [1], who proposed the first CL-S scheme in the same paper. Much follow-up work has been done in this field. However, most existing schemes in the certificateless setting are proven secure only in the random oracle model of Bellare and Rogaway [4]. Although the random oracle methodology yields efficient, provably secure schemes, it has received much criticism: it has been shown that when random oracles are instantiated with concrete hash functions, the resulting scheme may be insecure [3], [5].

To address this, Liu et al. [7] proposed the first CL-S scheme without random oracles, based on the identity-based signature scheme of Paterson and Schuldt [8]. Xiong et al. [13] and Huang et al. [6] then independently showed that Liu et al.'s CL-S scheme is not unforgeable against the malicious-but-passive KGC attack [2]. Xiong et al. [13] provided a countermeasure, but Shim et al. [10] showed that their scheme is still insecure against a malicious-but-passive KGC. In addition, Xia et al. [12] demonstrated that the existing CL-S schemes in the standard model [7], [13], [15] share a common flaw: given a signer's signature on a message, an adversary can replace the signer's public key and forge a valid signature on the same message under the replaced public key. To overcome this flaw, Yu et al. [14] proposed an improved certificateless signature scheme with shorter system parameters and higher computational efficiency than the previous schemes. Although they claimed stronger security than the previous schemes, we show in this work that their scheme is not secure against the key replacement attack. Moreover, Yu et al.'s CL-S scheme is insecure against a malicious-but-passive KGC attack (note that this attack does not refute the security claims made in [14], since their security model does not consider it).

To remedy these flaws, we propose an improved scheme and prove it existentially unforgeable against adaptive chosen message attacks under the computational Diffie–Hellman assumption in the standard model. It preserves the advantages of Yu et al.'s scheme, namely shorter system parameters and higher computational efficiency than the related work, and further improves on [14] by reducing the signature size.

Bilinear maps and complexity assumption

Let $G$ and $G_T$ be two cyclic multiplicative groups of prime order $p$. A map $e: G \times G \to G_T$ is called a bilinear map if it satisfies the following properties:

  • 1. Bilinear: $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$ for all $g_1, g_2 \in G$ and all $a, b \in \mathbb{Z}_p$.

  • 2. Non-degeneracy: There exist $g_1, g_2 \in G$ such that $e(g_1, g_2) \neq 1$.

  • 3. Computable: There is an efficient algorithm to compute $e(g_1, g_2)$ for any $g_1, g_2 \in G$.

The security of our scheme relies on the hardness of the following problems.

Definition 1

Computational Diffie–Hellman (CDH) Problem is that given three elements $g, g^a$
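The three properties above, and the relation between CDH and a pairing, as an added toy model that is not the paper's code and not a real pairing: the group $G$ is the order-$p$ subgroup of $\mathbb{Z}_q^*$ for a constructed tiny safe prime $q = 2p + 1$, $G_T$ is taken to be the same subgroup, and $e(g^a, g^b)$ is evaluated as $g^{ab}$ by looking up discrete logarithms in a table. The table is exactly what cannot be built for a real pairing group with a 256-bit $p$, which is why CDH is assumed hard there while the decisional (DDH) question stays easy because of the pairing.

```python
"""Toy model of a symmetric bilinear map e: G x G -> G_T.

Constructed illustration, not code from the paper. G is the order-P subgroup
of Z_Q^* for the safe prime Q = 2P + 1 (P = 1019 chosen tiny on purpose),
G_T is taken to be the same subgroup, and e(g^a, g^b) is evaluated as g^(ab)
by looking up discrete logs in a table. Real pairings are computed on
elliptic curves without any discrete logs; this model only exhibits the
algebra and is not a secure construction.
"""
import random

P = 1019            # prime order of G (tiny on purpose; real schemes use ~256 bits)
Q = 2 * P + 1       # 2039, a safe prime, so Z_Q^* has a subgroup of order P
G = 4               # 2^2 mod Q is a square, hence of order P, hence generates G

# Discrete-log table for the subgroup: maps g^i -> i. Feasible only for tiny P.
DLOG = {pow(G, i, Q): i for i in range(P)}


def in_group(x: int) -> bool:
    """Membership test for the order-P subgroup: x^P == 1 (mod Q)."""
    return 0 < x < Q and pow(x, P, Q) == 1


def pairing(x: int, y: int) -> int:
    """e(g^a, g^b) = g^(ab). Bilinear by construction and non-degenerate
    because e(g, g) = g != 1."""
    if not (in_group(x) and in_group(y)):
        raise ValueError("pairing inputs must lie in the order-P subgroup")
    return pow(G, (DLOG[x] * DLOG[y]) % P, Q)


def bilinearity_holds(a: int, b: int) -> bool:
    """Check property 1: e(g^a, g^b) == e(g, g)^(ab) for the given exponents."""
    lhs = pairing(pow(G, a, Q), pow(G, b, Q))
    rhs = pow(pairing(G, G), (a * b) % P, Q)
    return lhs == rhs


def is_ddh_tuple(ga: int, gb: int, gc: int) -> bool:
    """Decide whether gc == g^(ab) given (g^a, g^b, gc) without knowing a or b.
    A pairing makes this decision easy (DDH is easy in pairing groups), which
    is why schemes like the one in this paper rest on CDH rather than DDH."""
    return pairing(ga, gb) == pairing(G, gc)


def cdh_solve_toy(ga: int, gb: int) -> int:
    """Solve CDH (compute g^(ab) from g^a and g^b) by brute-force discrete log.
    Works here only because P is tiny; in a real pairing group this is the
    computation the security proof assumes to be infeasible."""
    return pow(G, (DLOG[ga] * DLOG[gb]) % P, Q)


if __name__ == "__main__":
    a, b = random.randrange(1, P), random.randrange(1, P)
    ga, gb = pow(G, a, Q), pow(G, b, Q)
    print("bilinearity holds:", bilinearity_holds(a, b))
    print("DDH(g^a, g^b, g^(ab)):", is_ddh_tuple(ga, gb, pow(G, a * b, Q)))
    print("DDH(g^a, g^b, g^(ab+1)):", is_ddh_tuple(ga, gb, pow(G, a * b + 1, Q)))
    print("CDH solved by brute force:", cdh_solve_toy(ga, gb) == pow(G, a * b, Q))
```

The point to take from the model is the asymmetry it makes visible: a verifier can check a multiplicative relation among exponents it never learns (this is what every pairing-based verification equation, including the one in a Waters-style CL-S scheme, does), while actually producing $g^{ab}$ from $g^a$ and $g^b$ is only possible here because the discrete-log table fits in memory.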

Review of Yu et al.'s certificateless signature scheme and its security weaknesses

In this section, we first review Yu et al.'s certificateless signature scheme [14]. Then we show that the scheme is insecure by giving two concrete attacks.

Proposed scheme

In this section, we present a CL-S scheme based on Waters' identity-based encryption scheme [11] and its variants [14], [15]. Our CL-S scheme consists of six algorithms: Setup, Partial-secret-key-extract, Set-user-key, Private-key-extract, Sign, Verify.

Setup. The KGC chooses two cyclic groups $G$ and $G_T$ of prime order $p$, a random generator $g$ of $G$ and a bilinear map $e: G \times G \to G_T$. It also randomly chooses $s \in \mathbb{Z}_p$ and sets $g_1 = g^s$. Furthermore, it chooses four random elements $u, m_0, m_1, v \in G$, and a random

Security analysis

In this section, we first propose the security model for CL-S scheme. Then, we prove that our CL-S scheme constructed in the previous section achieves existential unforgeability.

Conclusions

In this paper, we presented a security analysis of the recently proposed certificateless signature scheme of Yu et al. We pointed out that the scheme suffers from a key replacement attack and a malicious-but-passive KGC attack, and we identified the cause of these flaws. Furthermore, we constructed an efficient CL-S scheme with stronger security, lower computational cost and shorter system parameters than the previous CL-S schemes without random oracles. Additionally, in the standard

Acknowledgements

The authors would like to thank anonymous reviewers for their constructive suggestions. This work was supported by the Science Foundation of Education Department of Fujian Province of China (Grant No. JB12187).

References (16)

  • S.S. Al-Riyami et al., Certificateless public key cryptography.

  • M.H. Au et al., Malicious KGC attack in certificateless cryptography.

  • M. Bellare et al., An uninstantiable random-oracle-model scheme for a hybrid-encryption problem.

  • M. Bellare et al., The exact security of digital signatures – how to sign with RSA and Rabin.

  • R. Canetti et al., The random oracle methodology, revisited, J. ACM (2004).

  • X. Huang et al., Certificateless signature revisited.

  • J.K. Liu et al., Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model.

  • K. Paterson et al., Efficient identity-based signatures secure in the standard model.

There are more references available in the full text version of this article.

Cited by (37)

  • A secure and efficient certificateless signature scheme for Internet of Things

    2022, Ad Hoc Networks
    Citation excerpt:

    Liu et al. [13] designed the first CLS scheme in the standard model, but the scheme is vulnerable to the attacks of Type II adversaries explained in Huang et al. [14]. Yuan et al. [15] proved their scheme secure under the computational Diffie–Hellman assumption in the standard model. After that, a large number of CLS schemes in the standard model were proposed [16–19].

  • A new provably secure certificateless signature scheme for Internet of Things

    2020, Ad Hoc Networks
    Citation excerpt:

    Liu et al. [11] put forward the first CLS scheme in the standard model, but the scheme suffers from the attacks of a Type II adversary. Yuan et al. [12] also designed a CLS scheme in the standard model. Hu et al. [13] gave a simplified definition of CLS scheme.
