Certificateless signature scheme with security enhanced in the standard model
Introduction
In traditional public key cryptography (PKC), a user selects a public/private key pair and publishes the public key. This raises the problem of how the public key is associated with the user. In these cryptosystems the binding between a public key and the identity of its owner is established through a digital certificate. Therefore, a conventional public key infrastructure (PKI) incurs heavy management and communication cost to guarantee the authenticity of users' public keys.
To reduce this burden, Shamir [9] proposed the concept of identity-based cryptography (ID-PKC), in which a user's public key can be derived directly from his unique identifier, while the user's private key is generated by a trusted third party called the Private Key Generator (PKG). However, ID-PKC has an inherent key escrow problem: the PKG knows every user's private key.
To solve the key escrow problem of ID-PKC and eliminate certificates from PKC, Al Riyami and Paterson [1] introduced the concept of certificateless public key cryptography (CL-PKC). In CL-PKC a semi-trusted third party called the Key Generation Center (KGC) is also involved; it is responsible for generating a user's partial private key psk from his identity. In such a certificateless cryptosystem, a user's actual key consists of the partial private key psk for the identity ID, generated by the KGC, and a public/secret key pair (upk, usk) generated by the user himself. To generate valid signatures of the user with identity ID under the public key upk, one needs both the partial private key of ID and the corresponding secret key usk of upk, so neither the KGC nor the user alone holds the complete signing key. A verifier can use the user's public key upk directly to verify signatures, without checking any certificate for that key.
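As an added illustration of the key structure just described (not code from the paper, whose scheme is pairing-based), the following toy Python models the three roles: the KGC issues a partial key for an identity, the user generates (upk, usk) himself, signing needs both halves, and verification uses upk without any certificate. It swaps in a Schnorr-style discrete-log construction over constructed toy parameters; every name and parameter below is hypothetical.

```python
import hashlib
import secrets

# Toy parameters (constructed, not for real use): P = 2^31 - 1 is prime and
# G = 7 is a primitive root, so exponents live in Z_N with N = P - 1.
P = 2**31 - 1
G, N = 7, P - 1

def H(*parts):
    """Hash a mix of ints and strings to an exponent mod N."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N
def kgc_setup():
    """KGC master secret s and master public key Ppub = G^s."""
    s = secrets.randbelow(N - 1) + 1
    return s, pow(G, s, P)
def partial_key_extract(s, ident):
    """KGC issues psk = (R_ID, s_ID), a Schnorr-style signature on the identity."""
    r = secrets.randbelow(N - 1) + 1
    R_ID = pow(G, r, P)
    return R_ID, (r + s * H(ident, R_ID)) % N
def set_user_key():
    """User picks usk himself and publishes upk = G^usk; the KGC never sees usk."""
    usk = secrets.randbelow(N - 1) + 1
    return pow(G, usk, P), usk
def sign(ident, psk, upk, usk, msg):
    """Signing needs BOTH halves: s_ID from the KGC and usk from the user."""
    R_ID, s_ID = psk
    k = secrets.randbelow(N - 1) + 1
    R = pow(G, k, P)
    # upk and R_ID are hashed into the challenge, so the signature is bound to
    # this public key and cannot be reused under a replaced one.
    c = H(R, ident, R_ID, upk, msg)
    return R, (k + c * (s_ID + usk)) % N
def verify(ppub, ident, R_ID, upk, msg, sig):
    """Certificate-free check: needs only Ppub, the identity and (R_ID, upk)."""
    R, z = sig
    # Implicit key of the full secret: G^(s_ID + usk) = R_ID * Ppub^H(ident, R_ID) * upk
    Y = R_ID * pow(ppub, H(ident, R_ID), P) * upk % P
    return pow(G, z, P) == R * pow(Y, H(R, ident, R_ID, upk, msg), P) % P

def demo(msg="transfer 10 to bob"):
    """Returns (genuine signature verifies, same signature rejected under a swapped upk)."""
    s, ppub = kgc_setup()
    ident = "alice@example.com"
    psk = partial_key_extract(s, ident)
    upk, usk = set_user_key()
    sig = sign(ident, psk, upk, usk, msg)
    other_upk, _ = set_user_key()                 # an adversary's replacement key
    return (verify(ppub, ident, psk[0], upk, msg, sig),
            not verify(ppub, ident, psk[0], other_upk, msg, sig))
```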
The concept of a certificateless signature (CL-S) scheme was introduced by Al Riyami and Paterson [1], who also proposed the first CL-S scheme in the same paper. Following their work [1], many researchers have contributed to this field. However, most existing schemes in the certificateless setting were proven secure in the random oracle model of Bellare and Rogaway [4]. Although the random oracle methodology leads to efficient and provably secure schemes, it has received considerable criticism: it has been shown that when random oracles are instantiated with concrete hash functions, the resulting scheme may be insecure [3], [5].
To address this, Liu et al. [7] proposed the first CL-S scheme without random oracles, based on the identity-based signature scheme of Paterson and Schuldt [8]. Subsequently, Xiong et al. [13] and Huang et al. [6] independently pointed out that Liu et al.'s CL-S scheme is not unforgeable against the malicious-but-passive KGC attack [2]. To eliminate this weakness, Xiong et al. provided a countermeasure in [13]; however, Shim et al. [10] showed that their scheme is still insecure against a malicious-but-passive KGC attack. In addition, Xia et al. [12] demonstrated that the existing CL-S schemes in the standard model [7], [13], [15] share a common flaw: given a signer's signature on a message, an adversary can replace the signer's public key and forge valid signatures on the same message under the replaced public key. To overcome this flaw, Yu et al. [14] proposed an improved certificateless signature scheme with several merits, including shorter system parameters and higher computational efficiency than the previous schemes. Although they claimed stronger security than the previous schemes, in this work we show that their scheme is not secure against the key replacement attack. Moreover, Yu et al.'s CL-S scheme is insecure against a malicious-but-passive KGC attack (note that this attack does not refute the security claims made in [14], since their security model does not consider it).
To remedy these security flaws, we further propose an improved scheme, which is shown to be existentially unforgeable against adaptive chosen message attacks under the computational Diffie–Hellman assumption in the standard model. It not only preserves the advantages of Yu et al.'s scheme, such as shorter system parameters and higher computational efficiency than the existing related works, but also improves on [14] by reducing the signature size.
Bilinear maps and complexity assumption
Let and be two cyclic multiplicative groups of prime order p. A map is called a bilinear map if it satisfies the following properties:
1. Bilinear: for all and all .
2. Non-degeneracy: there exist such that .
3. Computable: there is an efficient algorithm to compute for any .
The security of our scheme relies on the hardness of the following problems.
Definition 1 Computational Diffie–Hellman (CDH) Problem is that given three elements
Review of Yu et al.'s certificateless signature scheme and its security weaknesses
In this section, we first review Yu et al.'s certificateless signature scheme [14]. Then we show that the scheme is insecure by giving two concrete attacks.
Proposed scheme
In this section, we present a CL-S scheme based on Waters' identity-based encryption scheme [11] and its variants [14], [15]. Our CL-S scheme consists of six algorithms: Setup, Partial-secret-key-extract, Set-user-key, Private-key-extract, Sign, Verify.
Setup. The KGC chooses two cyclic groups and of prime order p, a random generator g of and a bilinear map . It also randomly chooses and sets . Furthermore, it chooses four random elements , and a random
Security analysis
In this section, we first propose the security model for CL-S scheme. Then, we prove that our CL-S scheme constructed in the previous section achieves existential unforgeability.
Conclusions
In this paper, we presented a security analysis of the recently proposed certificateless signature scheme of Yu et al. We pointed out that the scheme suffers from a key replacement attack and a malicious-but-passive KGC attack, and we identified what is wrong with the protocol. Furthermore, we constructed an efficient CL-S scheme with stronger security, lower computational cost, and shorter system parameters than the previous CL-S schemes without random oracles. Additionally, in the standard
Acknowledgements
The authors would like to thank anonymous reviewers for their constructive suggestions. This work was supported by the Science Foundation of Education Department of Fujian Province of China (Grant No. JB12187).
References
- et al., Certificateless public key cryptography
- et al., Malicious KGC attack in certificateless cryptography
- et al., An uninstantiable random-oracle-model scheme for a hybrid-encryption problem
- et al., The exact security of digital signatures – how to sign with RSA and Rabin
- et al., The random oracle methodology, revisited, J. ACM (2004)
- et al., Certificateless signature revisited
- et al., Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model
- et al., Efficient identity-based signatures secure in the standard model