AN IMPROVED CERTIFICATELESS STRONG ... - Semantic Scholar

doi:10.3934/amc.2015.9.353

Advances in Mathematics of Communications Volume 9, No. 3, 2015, 353–373

AN IMPROVED CERTIFICATELESS STRONG KEY-INSULATED SIGNATURE SCHEME IN THE STANDARD MODEL

Yang Lu, Quanling Zhang and Jiguo Li College of Computer and Information Engineering Hohai University 8 Focheng Xilu, Nanjing, Jiangsu 211100, China

(Communicated by Renate Scheidler) Abstract. Exposure of secret keys may be the most devastating attack on a public key cryptographic scheme since such that security is entirely lost. The key-insulated security provides a promising approach to deal with this threat since it can effectively mitigate the damage caused by the secret key exposure. To eliminate the cumbersome certificate management in traditional PKIsupported key-insulated signature while overcoming the key escrow problem in identity-based key-insulated signature, two certificateless key-insulated signature schemes without random oracles have been proposed so far. However, both of them suffer from some security drawbacks and do not achieve existential unforgeability. In this paper, we propose a new certificateless strong key-insulated signature scheme that is proven secure in the standard model. Compared with the previous certificateless strong proxy signature scheme, the proposed scheme offers stronger security and enjoys higher computational efficiency and shorter public parameters.

1. Introduction Public key cryptography is an important technique to realize network security. In public key cryptography, each user has a public key and a private key. The public key is published and publicly accessible while the corresponding private key is kept secret by its owner. However, the public key in traditional public key cryptography is generated with no connection to its owner’s identity. Therefore, a public key infrastructure (PKI) is employed for vouching the relationship between an identity and a public key by the public key certificates. But, the traditional PKI technology is faced with many challenges in practice, especially the complicated certificate management problem. In 1984, Shamir [17] introduced the concept of identity-based cryptography to solve the certificate management problem in traditional public key cryptography. In identity-based cryptography, a user’s public key could be an arbitrary string related to his identity and his private key is computed from his identity by a trusted authority called private key generator (PKG). The merit of identity-based cryptography lies in that it eliminates the need for public key certificates. However, identity-based cryptography inevitably suffers from the key escrow problem since all users’ private keys are known to the PKG. To solve 2010 Mathematics Subject Classification: Primary: 94A60; Secondary: 11T71. Key words and phrases: Certificateless strong key-insulated signature, secret key exposure, key replacement attack, malicious KGC attack, standard model. The first author is supported by National Natural Science Foundation of China grant 61272542, a Project Funded by the Priority Academic Program Development of Jiangsu Higher Education Institutions and the Fundamental Research Funds for the Central Universities. 353

c

2015 AIMS

354

Yang Lu, Quanling Zhang and Jiguo Li

the key escrow problem in identity-based cryptography while eliminating the use of public key certificates in traditional public key cryptography, Al-Riyami and Paterson [1] introduced the notion of certificateless public key cryptography in 2003. In certificateless public key cryptography, a trusted third party called key generation center (KGC) is employed for generating a partial private key for every user. Each user independently generates a pair of secret key and public key, and then combines his secret key with the partial private key from the KGC to form his full private key. As KGC does not know any user’s private key, certificateless public key cryptography overcomes the key escrow problem inherent in identitybased cryptography. Furthermore, certificateless public key cryptography provides an effective implicit authentication mechanism so that each user does not need to obtain a certificate from the certificate authority for the authenticity of his public key. Since its advent, certificateless public key cryptography has attracted much attention in the research community and numerous schemes have been proposed, including many encryption schemes (e.g. [2, 5, 13, 14, 18, 27]) and signature schemes (e.g. [4, 12, 14, 19, 20, 29, 30]). The security of public key cryptography depends on the assumption that the private keys are kept perfectly secure. However, as cryptographic operations are performed more frequently on the unprotected and insecure devices, key exposure seems to be inevitable. Actually, it is much easier for an adversary to intrude a naive user’s device to obtain his private key than to break the computational assumption(s) on which a public key cryptosystem is based. Undoubtedly, key exposure has become the most devastating attack on public key cryptography, since it means all security guarantees are lost. To fight against key exposure, Dodis et al. [6] proposed the notion of key-insulated security in 2002. Instead of trying to eliminate key exposure entirely, their approach assumes that key exposure will occur and seek to minimize the resulting damage. In the model of key-insulated public key cryptosystems proposed by Dodis et al., a user can periodically update his private key with the help of a physically-secure device called helper while maintaining a same public key. The basic idea is that the whole lifetime of the system (e.g., one year) is divided into N time periods (e.g., one day). Each user begins by generating a public key, a long-time helper key and an initial temporary secret key. He publishes the public key and then respectively stores the helper key in a helper and the initial temporary secret key in a user device where the cryptographic computations are actually carried out. At the beginning of each time period, the user device interacts with the helper to derive a new temporary secret key which will be used in that time period. Meanwhile, the public key remains unchanged throughout the lifetime of the system. It is clear that the helper plays a key role in protecting the user device against key exposure. As the helper is physically secure and resistant to compromise, exposure of the temporary secret keys at some time periods will not enable an adversary to derive the temporary secret keys for the remaining time periods. Thus, the damage caused by temporary secret key exposure can be effectively mitigated. In 2003, Dodis et al. [7] further proposed the notion of strong key-insulated security. This security notion guarantees that the helper is unable to compromise the corresponding user’s temporary secret key for any time period. Obviously, it is an important property for the environments where the helper serves several different users or the helper is untrustworthy. Following Dodis et al.’s pioneering works [6, 7], a number of key-insulated encryption schemes (e.g. [3, 9, 10, 11, 16, 26]) and key-insulated signature schemes Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

Certificateless key-insulated signature

355

(e.g. [8, 15, 21, 25, 28, 31]) have been proposed. However, most of the prior keyinsulated cryptographic schemes are constructed based on either traditional public key cryptography or identity-based cryptography. So, they inevitably suffer from either the cumbersome certificate management problem or the key escrow problem. To alleviate these problems, Wan et al. [22] introduced key-insulated security into certificateless public key cryptography and proposed a certificateless key-insulated signature scheme without random oracles. Subsequently, Wan et al. [23] proposed a certificateless strong key-insulated signature scheme without random oracles. To the best of our knowledge, there exist only two certificateless key-insulated signature schemes in the literature so far. Our Contributions. In this paper, we first show that the existing two certificateless key-insulated signature schemes [22, 23] do not achieve the existential unforgeability. More concretely, both of them are insecure under the attacks from either a key replacement adversary or a malicious KGC. So, it is fair to say that devising a secure certificateless (strong) key-insulated signature scheme remains an unsolved problem until now. To overcome the security flaws in the existing certificateless key-insulated signature schemes, we propose a new certificateless strong key-insulated signature scheme which is proven to be existentially unforgeable under the square computational Diffie-Hellman assumption in the standard model. Compared with the certificateless strong key-insulated signature scheme proposed by Wan et al. in [23], our new scheme has three advantages. Firstly, it remedies the security flaws existing in Wan et al.’s scheme due to the redesigned user key generation and signature algorithms. Secondly, it is proven secure under a harder computational assumption. Finally, it enjoys shorter public system parameters and lower computational cost. 2. Preliminaries 2.1. Bilinear pairing and computational assumption. Let G1 and G2 denote two cyclic groups of the same prime order p and g be a generator of G1 . A map e : G1 × G1 → G2 is said to be a bilinear paring if it satisfies the following properties: - Bilinearity: e(g a , g b ) = e(g, g)ab for all a, b ∈ Z∗p ; - Non-degeneracy: e(g, g) 6= 1G2 ; - Computablity: e(u, v) can be efficiently computed for all u, v ∈ G1 . The security of the scheme proposed in this paper relies on the following square computational Diffie-Hellman (Squ-CDH) assumption [29]. Definition 2.1. Given a group G1 of prime order p with generator g and g a ∈ G1 2 for unknown a ∈ Z∗p , the Squ-CDH problem in G1 is to compute g a ∈ G1 . The advantage of a probabilistic polynomial time (PPT) algorithm A in solving the 2 Squ−CDH Squ-CDH problem is defined to be AdvA (k) = Pr[A(g, g a ) = g a ]. We say that the Squ-CDH assumption holds in G1 if for any PPT algorithm A, Squ−CDH the advantage AdvA (k) is negligible. In [29], the Squ-CDH assumption has been proved to be equivalent to the standard computational Diffie-Hellman (CDH) assumption. 2.2. Formal model of certificateless key-insulated signature. A certificateless key-insulated signature scheme can be specified by the following eight polynomial time algorithms [22, 23]: Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

356

Yang Lu, Quanling Zhang and Jiguo Li

(1) Setup(k, N ): This algorithm, performed by KGC, takes a security parameter k and the total number of time periods N as input to generate a master secret key msk and a list of public parameters params. (2)PartialKeyGen(params, msk, ID): This algorithm, performed by KGC, takes the public parameters params, the master key msk and a user’s identity ID as input to generate a partial private key pskID . (3) UserKeyGen(params, ID): This algorithm, performed by a user, takes the public parameters params and a user’s identity ID as input to generate a public key upkID and a private key uskID . (4) KeyInitialize(params, pskID , uskID ): This algorithm, performed by a user, takes the public parameters params, a user’s partial private key pskID and private key uskID as input to generate a user’s initial temporary signing key T SKID,0 and a helper’s key HKID . (5) KeyUpdateH(params, ID, HKID , tnew , told ): This algorithm, performed by a helper, takes the public parameters params, a user’s identity ID, a helper’s key HKID and two time period indices tnew and told (0 ≤ told ≤ tnew ≤ N − 1) as input to generate an update key U KID,told ,tnew . The update key U KID,told ,tnew is sent to the user with identity ID via a secure channel and used to update this user’s temporary signing key from the time period told to the time period tnew . (6) KeyUpdateU(params, ID, T SKID,told , U KID,told ,tnew ): This algorithm, performed by a user, takes the public parameters params, a user’s identity ID, a temporary signing key T SKID,told and an update key U KID,told ,tnew as input to generate a temporary signing key T SKID,tnew for the time period tnew . (7) Sign(params, t, m, ID, T SKID,t ): This algorithm, performed by a singer, takes the public parameters params, a time period index t (0 ≤ t ≤ N − 1), a message m, a signer’s identity ID and temporary signing key T SKID,t as input and returns a pair (t, σ) composed of the time period index t and a signature σ of the message m. (8) Verify(params, m, (t, σ), ID, upkID ): This algorithm, performed by a verifier, takes the public parameters params, a message m, a candidate pair of time period index and signature (t, σ) and the signer’s identity ID and public key upkID as input and returns 1 if (t, σ) is a valid signature for the message m under the identity ID and the public key upkID or 0 otherwise. For correctness, it is required that if (t, σ) = Sign(params, t, m, ID, T SKID,t ), then Verify(params, m, (t, σ), ID, upkID ) = 1. As introduced by Al-Riyami and Paterson in [1], a certificateless cryptographic scheme should be secure against two different types of adversaries, i.e. Type-I adversary (denoted by A1 ) and Type-II adversary (denoted by A2 ). The adversary A1 simulates an outsider adversary who does not know the master key, but can replace public keys at its will. The adversary A2 simulates a malicious KGC who knows the master key and controls the generation of partial private keys for users, but is not allowed to replace public keys. To formalize the security notions of key-insulation and strong key-insulation for certificateless key-insulated signature schemes, we first describe the following seven oracles which are used to simulate potential attacking actions. A Type-I or TypeII adversary can adaptively make requests to some of these oracles. We assume that the challenger keeps a history of “query-answer” when interacting with the adversary.

Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

Certificateless key-insulated signature

357

(1) OCreateU ser : On input an identity ID, the challenger responds with a public key upkID . If the identity ID has not been created, then the challenger generates a public key upkID and a private key uskID respectively and returns upkID . In this case, the identity ID is said to be created. Note that other oracles defined below only respond to an identity which has been created. (2) OP rivateKey : On receiving a private key query on an identity ID, the challenger responds with a private key uskID . (3) OP artialP rivateKey : On receiving a partial private key query on an identity ID, the challenger responds with a partial private key pskID . Note that such an oracle is only queried by Type-I adversary A1 since Type-II adversary A2 can generate any user’s partial private key by itself. 0 (4) ORepalceP ublicKey : On input an identity ID and a pair of values (upkID , 0 uskID ), the challenger replaces the current public key and private key (upkID , 0 0 uskID ) associated with the identity ID with (upkID , uskID ). Note that such an oracle is only queried by Type-I adversary A1 since Type-II adversary A2 is disallowed to replace any user’s public key. (5) OHelperKey : On receiving a helper key query on an identity ID, the challenger responds with a helper key HKID . (6) OT empSigningKey : On receiving a temporary signing key query on an identity ID and a period time index t (0 ≤ t ≤ N − 1), the challenger responds with a temporary signing key T SKID,t . (7) OSign : On receiving a signing query on an identity ID, a period time index t (0 ≤ t ≤ N − 1) and a message m, the challenger responds with a signature (t, σ). The security of certificateless key-insulated signature schemes can be formally defined through two adversarial games Game-A and Game-B, which are played between a challenger and a Type-I or Type-II adversary A. The former is used to define the key-insulated security while the latter is used to define the strong keyinsulated security. Game-A models the normal key exposure attacking scenario, in which the adversary A does not know any user’s helper key, but can compromise any user’s temporary signing key at some time periods. Game-B simulates the scenario that the helper is untrustworthy, in which the adversary A can access any user’s helper key, but does not know the target user’s temporary signing key at any time period. Let ID∗ and t∗ (0 ≤ t∗ ≤ N − 1) denote the adversary’s target identity and target time period respectively. These two games are formally described as follows: Game-A: In this game, the adversary A is disallowed to query the oracle OHelperKey , but can adaptively query the oracle OT empSigningKey on any (ID, t) except (ID∗ , t∗ ). (1) Setup. On input a security parameter k and a total number of the time periods N , the challenger runs the algorithm Setup(k, N ) to generate a master secret key msk and a list of public parameters params. Then, the challenger sends params to the adversary A. If A is a Type-II adversary, the challenger also sends the master secret key msk to it. (2) Queries. In this phase, the adversary A can adaptively make requests to the oracles {OCreateU ser , OP rivateKey , OP artialP rivateKey , ORepalceP ublicKey , OT empSigningKey , OSign } if it is a Type-I adversary or the oracles {OCreateU ser , OP rivateKey , OT empSigningKey , OSign } if it is a Type-II adversary. The challenger responds as described above. (3) Forgery. Finally, the adversary A outputs a forgery (ID∗ ,m∗ , (t∗ , σ ∗ )) and wins the game if the following conditions are satisfied: Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

358

Yang Lu, Quanling Zhang and Jiguo Li

- Verify(params, m∗ , (t∗ , σ ∗ ), ID∗ , upkID∗ ) = 1, that is, (t∗ , σ ∗ ) is a valid signature for the message m∗ under the target identity ID∗ and public key upkID∗ ; - A has never queried OT empSigningKey on (ID∗ , t∗ ); - A has never queried OSign on (ID∗ , t∗ , m∗ ); - If A is a Type-I adversary, it has never queried OP artialP rivateKey on ID∗ ; - If A is a Type-II adversary, it has never queried OP rivateKey on ID∗ . Game-B: In this game, the adversary A can adaptively query OHelperKey on any identity ID (including the target identity ID∗ ), but is disallowed to query OT empSigningKey on the target identity ID∗ and any time period t (0 ≤ t ≤ N − 1). (1) Setup. This phase is same as Game-A. (2) Queries. This phase is same as Game-A except that the adversary A can adaptively query OHelperKey on any identity ID. (3) Forgery. Finally, the adversary A outputs a forgery (ID∗ ,m∗ , (t∗ , σ ∗ )) and wins the game if the following conditions are satisfied: - Verify(params, m∗ , (t∗ , σ ∗ ), ID∗ , upkID∗ ) = 1, that is, (t∗ , σ ∗ ) is a valid signature for the message m∗ under the target identity ID∗ and public key upkID∗ ; - A has never queried OT empSigningKey on ID∗ and any time period t (0 ≤ t ≤ N − 1); - A has never queried OSign on (ID∗ , t∗ , m∗ ); - If A is a Type-I adversary, it has never queried OP artialP rivateKey on ID∗ ; - If A is a Type-II adversary, it has never queried OP rivateKey on ID∗ . In both above two games, the advantage of the adversary A is defined to be the probability of producing a valid forgery. Definition 2.2. A certificateless key-insulated signature scheme is said to be keyinsulated and existentially unforgeable under chosen-message attacks (or KI&EUFCMA secure) if the advantage of any PPT adversary A to win the game Game-A is negligible. Definition 2.3. If a certificateless key-insulated signature scheme is KI&EUFCMA secure, then it is said to be strong key-insulated and existentially unforgeable under chosen-message attacks (or SKI&EUF-CMA secure) if the advantage of any PPT adversary A to win the game Game-B is negligible. As in [7], we consider attacks in which an adversary A compromises the user ID’s storage while a temporary signing key is being updated from T SKID,told to T SKID,tnew . We call this a key-update exposure at (ID, told , tnew ). When this occurs, the adversary A receives T SKID,told , U KID,told ,tnew and T SKID,tnew (actually, the latter can be derived from the former). We say that a certificateless (strong) key-insulated signature scheme has secure key updates if a key-update exposure at (ID, told , tnew ) is of no more help to the adversary A than the temporary signing key exposures at both (ID, told ) and (ID, tnew ). Definition 2.4. A certificateless key-insulated signature scheme has secure key updates if the view of any adversary A making a key-update exposure at (ID, told , tnew ) can be perfectly simulated by the adversary A’s queries to the oracle OT empSigningKey on both (ID, told ) and (ID, tnew ). Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

Certificateless key-insulated signature

359

3. Cryptanalysis of the previous certificateless key-insulated signature schemes In this section, we show that the previous certificateless key-insulated signature schemes [22, 23] do not achieve the existential unforgeability. Considering that both of them were essentially constructed from Waters’ identity-based signature scheme [24] and share similarities in the signature algorithm, we present our attacks using the certificateless strong key-insulated signature scheme proposed by Wan et al. in [23] as an example. We show that it is not existentially unforgeable under either key replacement attack or malicious KGC attack. In addition, we briefly illustrate that the certificateless key-insulated signature scheme proposed by Wan et al. in [22] is insecure under our presented malicious KGC attack too. 3.1. Review of Wan et al.’s certificateless strong key-insulated signature scheme. Wan et al.’s certificateless strong key-insulated signature scheme [23] is described as follows: (1) Setup(k, N ): Let G1 and G2 be two cyclic groups of k-bit prime order p, g be a generator of G1 and e : G1 × G1 → G2 be a bilinear map. Also let H1 : {0, 1}∗ → {0, 1}nu , H2 : {0, 1}∗ → {0, 1}nm and F : {0, 1}∗ → Z∗p be three hash functions, where nu , nm ∈ Z+ . The KGC randomly chooses an integer α ∈ Z∗p and computes g1 = g α . Moreover, it randomly chooses an element g2 ∈ G1 , two vectors nm +1 U = (u0 , u1 , · · · , unu ) Q ∈ Gn1 u +1 and M = (m0 , m . Define two Q1 , · · · , mnm ) ∈ G1 functions f1 (W ) = u0 i∈W ui and f2 (T ) = m0 i∈T mi , where W ⊆ {1, 2, · · · , nu } and T ⊆ {1, 2, · · · , nm }. The public parameters params are {N , G1 , G2 , e, p, g, g1 , g2 , U, M, f1 , f2 , H1 , H2 , F } and the master key msk is g2α . (2) PartialKeyGen(params, msk, ID): The KGC randomly picks ru ∈ Z∗p and computes a partial private key for the user with identity ID as pskID = (pskID,1 , pskID,2 ) = (g2α · f1ru (PID ), g ru ), where PID = {i|w2 [i] = 1, w2 = H1 (ID)}. (3) UserKeyGen(params, ID): A user with identity ID randomly chooses x ∈ Z∗p as his private key uskID and computes his public key upkID = e(g1 , g2 )x . (4) KeyInitialize(params, pskID , uskID ): A user with identity ID randomly chooses his helper’s key HKID ∈ {0, 1}k and computes r0 = F (ID, HKID , 0). He then randomly chooses r ∈ Z∗p and computes his initial temporary signing key as T SKID,0 =(TID,0 , RID,0 , R) =((pskID,1 )x · f1r (PID ) · f1r0 (PID,0 ), g r0 , (pskID,2 )x · g r ), where PID = {i|w2 [i] = 1, w2 = H1 (ID)}, PID,0 = {i|w1 [i] = 1, w1 = H1 (ID, 0)}. (5) KeyUpdateH(params, ID, HKID , told , tnew ): The helper first computes rold = F (ID, HKID , told ) and rnew = F (ID, HKID , tnew ). It then computes an update key as rnew
eID,t ,t ) = f1 r (PID,tnew ) , g rnew −rold , U KID,told ,tnew = (TeID,told ,tnew , R old new old f1 (PID,told )

where PID,told = {i|w1 [i] = 1, w1 = H1 (ID, told )}, PID,tnew = {i|w1 [i] = 1, w1 = H1 (ID, tnew )}. (6) KeyUpdateU(params, ID, T SKID,told , U KID,told ,tnew ): The user first respectively parses the temporary signing key T SKID,told as (TID,told , RID,told , R) Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

360

Yang Lu, Quanling Zhang and Jiguo Li

eID,t ,t ). It then computes and the update key U KID,told ,tnew as (TeID,told ,tnew , R old new a temporary signing key for the time period tnew as T SKID,tnew =(TID,tnew , RID,tnew , R) eID,t ,t =(TeID,told ,tnew · TID,told , R · RID,told , R). old new (7) Sign(params, t, m, ID, T SKID,t ): A signer with identity ID first parses the temporary signing key T SKID,t as (TID,t , RID,t , R), then randomly chooses r˜t , rm ∈ Z∗p and sets the signature for the message m as (t, (Vm , Wm , R, Rm )) = (t, (TID,t · f1r˜t (PID,t ) · f2rm (Mm ), RID,t · g r˜t , R, g rm )), where PID,t = {i|w1 [i] = 1, w1 = H1 (ID, t)}, Mm = {i|w3 [i] = 1, w3 = H2 (m)}. (8) Verify(params, m, (t, σ), ID, upkID ): To verify a signature (t, σ) = (t, (Vm , Wm , R, Rm )), a verifier checks whether the following equality holds: e(Vm , g) = upkID · e(f1 (PID ), R) · e(f1 (PID,t ), Wm ) · e(f2 (Mm ), Rm ), where PID = {i|w2 [i] = 1, w2 = H1 (ID)},PID,t = {i|w1 [i] = 1, w1 = H1 (ID, t)} and Mm = {i|w3 [i] = 1, w3 = H2 (m)}. If it holds, output 1. Otherwise, output 0. 3.2. Public key replacement attack. In this subsection, we show that Wan et al.’s certificateless strong key-insulated signature scheme does not achieve existential unforgeability under key replacement attack from a Type-I adversary A1 . A Type-I adversary A1 can forge a signature for any message m∗ and any time period t∗ on behalf of a user with identity ID through the following steps: (1) The adversary A1 randomly chooses x0 ∈ Z∗p and replaces the user’s public 0 0 key with upkID = e(g, g2 )x ; (2) For any message m∗ and time period t∗ , the adversary A1 randomly chooses r1 , r2 , r3 ∈ Z∗p and forges a signature as (t∗ , (Vm∗ , Wm∗ , R∗ , Rm∗ )) 0

=(t∗ , (g2x · f1r1 (PID ) · f1r2 (PID,t∗ ) · f2r3 (Mm∗ ), g r2 , g r1 , g r3 )), where PID = {i|w2 [i] = 1, w2 = H1 (ID)}, PID,t∗ = {i|w1 [i] = 1, w1 = H1 (ID, t∗ )} and Mm∗ = {i|w3 [i] = 1, w3 = H2 (m∗ )}. Obviously, the forged signature (t∗ , (Vm∗ , Wm∗ , R∗ , Rm∗ )) is valid under the iden0 since it satisfies the verification equation tity ID and the false public key upkID 0 e(Vm∗ , g) = upkID · e(f1 (PID ), R∗ ) · e(f1 (PID,t∗ ), Wm∗ ) · e(f2 (Mm∗ ), Rm∗ ).

3.3. Malicious KGC attack. In this subsection, we show that Wan et al.’s certificateless strong key-insulated signature scheme is not existentially unforgeable against a malicious KGC. A malicious KGC can forge a signature on any message on behalf of a user with identity ID in the following way. (1) In the system setup phase, the KGC randomly selects γ0 , γ1 , · · · , γnm ∈ Z∗p and sets the vector M = (g γ0 , g γ1 , · · · , g γnm ). The master key and other public parameters are generated normally. (2) After seeing a signature (t, (Vm , Wm , R, Rm )) on a message m issued by the user with identity ID, the KGC chooses a random value rm∗ ∈ Z∗p and defines a new signature on any message m∗ as (t, (Vm∗ , Wm∗ , R∗ , Rm∗ )) Pnm

=(t, (Vm · (Rm )−(γ0 +

i=1 (γi ·wi ))

Advances in Mathematics of Communications

· f2rm∗ (Mm∗ ), Wm , R, g rm∗ )), Volume 9, No. 3 (2015), 353–373

Certificateless key-insulated signature

361

where Mm∗ = {i|w3 [i] = 1, w3 = H2 (m∗ )} and wi denotes the i-th bit of H2 (m). Obviously, the forged signature (t, (Vm∗ , Wm∗ , R∗ , Rm∗ )) is valid under the identity ID and the public key upkID since it satisfies the verification equation e(Vm∗ , g) = upkID · e(f1 (PID ), R∗ ) · e(f1 (PID,t∗ ), Wm∗ ) · e(f2 (Mm∗ ), Rm∗ ). Remark 1. The above malicious KGC attack also can act on the certificateless keyinsulated signature scheme proposed by Wan et al. in [22]. We skip the description of the scheme and briefly illustrate the concrete attack. Assume that a malicious KGC randomly selects γ0 , γ1 , · · · , γn ∈ Z∗p and defines the vector in the public parameters V = (v0 , v1 , · · · , vn ) = (g γ0 , g γ1 , · · · , g γn ). After obtaining a signature (t, (D, B, aID , cID,t )) issued by a user ID, the KGC chooses a random value dm∗ ∈ Z∗p and defines a new signature on any message m∗ as (t, (D∗ , B ∗ , a∗ID , c∗ID,t )) = Pn (g dm∗ , B · (D)−(γ0 + i=1 (γi ·wi )) · f dm∗ (M∗ ), aID , cID,t ), where M∗ = {i|M ∗ [i] = 1, M ∗ = H(m∗ )} and wi denote the i-th bit of H(m). It is easy to verify that the above forgery is valid. 4. The proposed scheme To overcome the security weaknesses in the previous certificateless key-insulated signature schemes [22, 23], we propose a new certificateless strong key-insulated signature scheme and prove it to be SKI&EUF-CMA secure under the Squ-CDH assumption in the standard model. We also make a comparison between our new scheme and Wan et al.’s certificateless strong key-insulated signature scheme [23]. 4.1. Description of the proposed scheme. A formal description of the proposed scheme is as follows: (1) Setup(k, N ): Let G1 and G2 be two cyclic groups of same prime order p, g be a generator of G1 and e : G1 × G1 → G2 be a bilinear map. The KGC randomly chooses α ∈ Z∗p and computes g1 = g α . It also randomly chooses g2 , u0 , u1 , · · · , unu , v0 , v1 ∈ G1 . Furthermore, it chooses three collision-resistant hash functions H1 : {0, 1}∗ → {0, 1}nu , H2 : {0, 1}∗ → Z∗p and H3 : {0, 1}∗ → Z∗p . Let Q be a point in G1 . Define a function f (Q) as follows. If the x-coordinate of Q is odd, then f (Q) = 1; else, f (Q) = 0. The public parameters are params = {N, G1 , G2 , e, p, g, g1 , g2 , u0 , u1 , · · · , unu , v0 , v1 , H1 , H2 , H3 , f } and the master key is msk = g1α . (2) PartialKeyGen(params, msk, ID): The KGC randomly picks r ∈ Z∗p and computes a partial private key for the user with identity ID as (1)

(2)

pskID = (pskID , pskID ) = (g1α · (u0

nu Y

(i)

λ

ui ID )r , g r ),

i=1 (i) λID

where denotes the i-th bit of λID = H1 (ID). (3) UserKeyGen(params, ID): A user with identity ID randomly chooses xID ∈ Z∗p as his private key uskID and computes his public key as (1)

(2)

1

(3)

2

upkID = (upkID , upkID , upkID ) = (g1xID , g2 ID , e(g1 , g1 )xID ). (1)

(2)

x

(3)

The public key upkID = (upkID , upkID , upkID ) can be validated by checking (1) (2) (1) (1) (3) whether the equations e(upkID , upkID ) = e(g1 , g2 ) and e(upkID , upkID ) = upkID hold. Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

362

Yang Lu, Quanling Zhang and Jiguo Li

(4) KeyInitialize(params, pskID , uskID ): A user with identity ID randomly chooses his helper’s key HKID ∈ {0, 1}k . He then randomly chooses r0 ∈ Z∗p and computes an initial temporary signing key as (1)

(2)

(3)

T SKID,0 =(T SKID,0 , T SKID,0 , T SKID,0 ) nu Y

2

(1)

= (pskID )uskID · (u0

λ

(i)

0

ui ID )r · (u0

·g

r0




(i)

λ

ui ID,0 )r0 , g r0 ,

i=1

i=1 2 (2) (pskID )uskID

nu Y

,

(i)

(i)

where r0 = H2 (ID, HKID , 0), λID and λID,0 denote the i-th bit of of λID = H1 (ID) and λID,0 = H1 (ID, 0) respectively. Qnu λ(i) α·x2 ui ID )r˜ · Obviously, if let r˜ = r · x2ID + r0 , then T SKID,0 = (g1 ID · (u0 i=1 Qnu λ(i) (u0 i=1 ui ID,0 )r0 , g r0 , g r˜). (5) KeyUpdateH(params, ID, HKID , told , tnew ): The helper first computes rold = H2 (ID, HKID , told ) and rnew = H2 (ID, HKID , tnew ). It then computes an update key as (1)

(2)

U KID,told ,tnew =(U KID,told ,tnew , U KID,told ,tnew ) = (u0

nu Y

(i)

λ

ui ID,tnew )rnew /(u0

i=1 (i) λID,told

nu Y

(i)

λID,t

ui

old


)rold , g rnew −rold ,

i=1

(i) λID,tnew

where and denote the i-th bit of of λID,told = H1 (ID, told ) and λID,tnew = H1 (ID, tnew ) respectively. (6) KeyUpdateU(params, ID, T SKID,told , U KID,told ,tnew ): On receiving an (1) (2) update key U KID,told ,tnew = (U KID,told ,tnew , U KID,told ,tnew ), the user uses his old (1)

(2)

(3)

temporary signing key T SKID,told = (T SKID,told , T SKID,told , T SKID,told ) to compute a new temporary signing key for the time period tnew as (1)

(2)

(3)

T SKID,tnew =(T SKID,tnew , T SKID,tnew , T SKID,tnew ) (1)

(2)

(1)

(2)

=(U KID,told ,tnew · T SKID,told , U KID,told ,tnew · T SKID,told , (3)

T SKID,told ). It is not difficult to deduce that nu nu (i) Y Y (i)
λ λID r˜ α·x2ID T SKID,tnew = g1 · (u0 ui ) · (u0 ui ID,tnew )rnew , g rnew , g r˜ . i=1

i=1

(7) Sign(params, t, m, ID, T SKID,t ): To sign a message m in the time period t, a singer with identity ID first randomly chooses rt0 , s ∈ Z∗p and uses his temporary (1)

(2)

(3)

signing key T SKID,t = (T SKID,t , T SKID,t , T SKID,t ) to compute (2)

0

(3)

σ =(σ1 , σ2 , σ3 , σ4 ) = g s , T SKID,t · g rt , T SKID,t , (1)

T SKID,t · (u0

nu Y

λ

(i)

0

(2)

ui ID,t )rt · (upkID )γ · vβ


s


,

i=1 (i)

where β = f (σ2 ), γ = H3 (σ1 , σ2 , σ3 , ID, upkID , m, vβ ) and λID,t denotes the i-th bit of λID,t = H1 (ID, t). It then sets the signature for the message m as (t, σ). Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

Certificateless key-insulated signature

363

If let r˜t = rt + rt0 , then we have that s

r˜t

σ = g ,g ,g

r˜

α·x2 , g1 ID

· (u0

nu Y

(i)

λ ui ID )r˜

· (u0

i=1

nu Y

(i)

λ

(2)

ui ID,t )r˜t · (upkID )γ · vβ


s


.

i=1

(8) Verify(params, m, (t, σ), ID, upkID ): To verify a signature (t, (σ1 , σ2 , σ3 , σ4 )), a verifier checks whether the following equality holds: (3)

e(σ4 , g) = upkID · e u0

nu Y

nu (i) Y (i)


λ λ (2) ui ID , σ3 · e u0 ui ID,t , σ2 · e (upkID )γ · vβ , σ1 ,

i=1 (i)

i=1

(i)

where λID and λID,t denote the i-th bit of λID = H1 (ID) and λID,t = H1 (ID, t) respectively, β = f (σ2 ) and γ = H3 (σ1 , σ2 , σ3 , ID, upkID , m, vβ ). If it holds, output 1. Otherwise, output 0. The correctness of the proposed scheme can be verified by the following equation: e(σ4 , g) (1)

=e T SKID,t · (u0

nu Y

(i)
s
0 λ (2) ui ID,t )rt · (upkID )γ · vβ , g

i=1 α·x2ID

=e g1

· (u0

nu Y

(i)

λ

ui ID )r˜ · (u0

i=1

·

(2) (upkID )γ α·x2ID

=e g1


s

· vβ , g

nu Y

λ

(i)

ui ID,t )rt · (u0

i=1

nu Y

λ

(i)

0

ui ID,t )rt

i=1




nu nu (i) Y Y (i)


0 λ λ , g · e (u0 ui ID )r˜, g · e (u0 ui ID,t )rt +rt , g

i=1
s
(2) γ · e (upkID ) · vβ , g nu Y (i)
λ (3) ui ID , σ3 =upkID · e u0 i=1

i=1

· e u0

nu Y

(i)

λ (2) ui ID,t , σ2 · e (upkID )γ · vβ , σ1 .

i=1

Remark 2. The public key replacement attack presented in Section 3.2 is based on the fact that there is no public key validity checking mechanism in Wan et al.’s certificateless strong key-insulated signature scheme [23]. To avoid this attack, we redesign the public key generation algorithm. In our new scheme, a (1) (2) (3) user’s public key upkID = (upkID , upkID , upkID ) is composed of three components (1) (2) and can be validated by checking the equations e(upkID , upkID ) = e(g1 , g2 ) and (1) (1) (3) e(upkID , upkID ) = upkID . These two equations guarantee that a public key has 2 a correct relation and its third component is always under the form of e(g1 , g1 )x 2 or e(g2 , g2 )x for some random value x ∈ Z∗p even if it has been replaced. Thus, a Type-I adversary can not forge a signature as in Section 3.2 unless it knows the master key or the corresponding partial private key. Remark 3. The basic reason of the malicious KGC attack presented in Section 3.3 is that in both the previous two certificateless key-insulated signature schemes [22, 23], the part of signatures including the messages is irrelevant to the singer’s private key. More specifically, a malicious KGC can add or remove f2rm (Mm ) or f dm (M) in a signature without affecting the validity of the signature. To fight against this attack, our scheme refines the signature algorithm by embedding the (2) second component of the singer’s public key upkID in the signatures. Thus, a Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

364

Yang Lu, Quanling Zhang and Jiguo Li

malicious KGC can not forge a new signature (t, σ ∗ ) from an existing one (t, σ) as (2) in Section 3.3 unless it can remove (upkID )γ·s from σ. 4.2. Security analysis. Theorem 4.1. If the Squ-CDH assumption holds in G1 , then the proposed scheme is KI & EUF-CMA secure in the standard model. This theorem can be proved by combining the following two lemmas. Lemma 4.2. If A1 is a Type-I adversary against the proposed scheme that has advantage at least  to win the game Game-A, then there exists an algorithm B to solve the Squ-CDH problem with advantage 0 ≥ 16(nu +1)2 (q psk +qtsk )2 , where qpsk and qtsk respectively denote the number of A1 ’s queries to OP artialP rivateKey and OT empSigningKey . Proof. We show how to construct an algorithm B to solve the Squ-CDH problem from the adversary A1 . Assume that the algorithm B is given a random instance 2 (g, A = g a ) of the Squ-CDH problem in G1 and asked to compute g a . In order to use the adversary A1 to solve the given Squ-CDH problem, the algorithm B needs to simulate a challenger and all oracles for the adversary A1 . Setup. Let l = 2(qpsk + qtsk ). We assume that p is sufficiently bigger than l(nu + 1). The algorithm B randomly chooses x0 , x1 , · · · , xnu ∈ Zl ,y0 , y1 , · · · , ynu ∈ Zp and x, z, e0 , e1 ∈ Z∗p . It also chooses a random integer k ∈ [0, nu ]. Then it assigns the public parameters as g1 = A, g2 = g x , u0 = Ap−lk+x0 · g y0 , ui = Axi · g yi (1 ≤ i ≤ nu ), v0 = g e0 and v1 = Az · g e1 . 2 Note that the above assignment implies that the master key will be g1a = g a which is unknown to the algorithm B. The algorithm B gives the public system parameters params to the adversary A1 . For the convenience of analysis, we respectively define two functions J(ζ) = Pnv Pnv (p−lk)+x0 + i=1 ζi · xi and K(ζ) = y0 + i=1 ζi · yi for an nu -length binary string Qnu ζi ζ = ζ1 · · · ζnu . It is not difficult to deduce that F (ζ) = u0 i=1 ui = AJ(ζ) · g K(ζ) . Queries. Given the public parameters, the adversary A1 asks a series of polynomially bounded number of queries in an adaptive fashion. The algorithm B maintains a list KeyList of tuples (ID, upkID , uskID , HKID ) which is initially empty and simulates all oracles as follows: (1) OCreateU ser : On receiving such a query on an identity ID, the algorithm B looks up the list KeyList to find a tuple (ID, upkID , uskID , HKID ) associated with the identity ID. If such a tuple exists, the algorithm B returns upkID to the adversary A1 . Otherwise, it performs the algorithm UserKeyGen to generate a public key and private key pair (upkID , uskID ), randomly chooses a helper key HKID ∈ {0, 1}k , stores a new tuple (ID, upkID , uskID , HKID ) in the list KeyList and returns upkID to the adversary A1 . (2) OP rivateKey : On receiving a private key query on an identity ID, the algorithm B looks up the list KeyList to find a tuple (ID, upkID , uskID , HKID ) associated with the identity ID and returns uskID to the adversary A1 . 0 (3) ORepalceP ublicKey : On input an identity ID and a pair of values (upkID , 0 uskID ), the algorithm B looks up the list KeyList to find a tuple (ID, upkID , uskID , 0 HKID ) associated with the identity ID and replaces the tuple with (ID, upkID , 0 uskID , HKID ). (4) OP artialP rivateKey : On receiving a partial private key query on an identity ID, the algorithm B does the following: Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

Certificateless key-insulated signature

365

- If J(λID ) = 0 mod p where λID = H1 (ID), then it aborts the simulation. - Otherwise, it randomly chooses r ∈ Z∗p and computes a partial private key for the identity ID as pskID = (A−K(λID )/J(λID ) · F (λID )r , A−1/J(λID ) · g r ). Note that the algorithm B can generate such a partial private key if and only if J(λID ) 6= 0 mod l, which suffices to have J(λID ) = 6 0 mod p. If let rID = r − a/J(λID ), we get pskID =(Aa · (AJ(λID ) · g K(λID ) )−a/J(λID ) · F (λID )r , g rID ) 2

=(g a · F (λID )rID , g rID ). Then, the algorithm B returns the key pskID to the adversary A1 . (5) OT empSigningKey : On receiving a temporary signing key query on an identity ID and a period time index t(0 ≤ t ≤ N − 1), the algorithm B does the following: - If J(λID ) = 0 mod p where λID = H1 (ID), then it aborts the simulation. - Otherwise, it randomly chooses r, r0 ∈ Z∗p , looks up the list KeyList to find a tuple (ID, upkID , uskID , HKID ) associated with the identity ID to retrieve uskID and HKID , and then computes a temporary signing key T SKID,t for the identity ID in the time period t as 2

0

T SKID,t = (A−K(λID )/J(λID ) · F (λID )r )uskID · F (λID )r · F (λID,t )rt , 2 0
g rt , (A−1/J(λID ) · g r )uskID · g r , where rt = H2 (ID, HKID , t), λID = H1 (ID) and λID,t = H1 (ID, t) respectively. Note that the algorithm B can generate such a temporary signing key if and only if J(λID ) 6= 0 mod l, which suffices to have J(λID ) 6= 0 mod p. If 2 let r˜ = (r − a/J(λID )) · uskID + r0 , we get
2 2 T SKID,t = g a ·uskID · F (λID )r˜ · F (λID,t )rt , g rt , g r˜ . Then, the algorithm B returns the key T SKID,t to the adversary A1 . (6) OSign : On receiving a signing query on an identity ID, a period time index t(0 ≤ t ≤ N − 1) and a message m, the algorithm B does the following: - If J(λID ) 6= 0 mod p where λID = H1 (ID), it first makes a query to the oracle OT empSigningKey on (ID, t) to obtain a temporary signing key T SKID,t . Then it runs the algorithm Sign(params, t, m, ID, T SKID,t ) to generate a signature (t, σ) and returns it to the adversary A1 . - Otherwise, it first randomly chooses r˜t ∈ Z∗p such that f (g r˜t ) = 1 (if f (g r˜t ) = 0, it can choose another value r˜t ∈ Z∗p such that f (g r˜t ) = 1). Then it randomly chooses s, r˜ ∈ Z∗p and generates a signature (t, σ) = (t, (σ1 , σ2 , σ3 , σ4 )) for the message m as follows: 2

2

σ1 =A−uskID /z · g s = g s−a·uskID /z , σ2 = g r˜t , σ3 = g r˜,
s (1)
−(x·γ+e1 ·uskID )/z (2) σ4 = upkID · F (λID )r˜ · F (λID,t )r˜t · (upkID )γ · v1
−(x·γ+e1 ·uskID )/z
s (2) = g1uskID · F (λID )r˜ · F (λID,t )r˜t · (upkID )γ · v1 2 a·x·γ·uskID +a·e1 ·uskID
s (2) z =g − · F (λID )r˜ · F (λID,t )r˜t · (upkID )γ · v1 

= g

x·γ uskID

·g

a·z

·g

e1

2 ID − a·usk z

Advances in Mathematics of Communications

2

· ga

2 ·uskID

· F (λID )r˜ · F (λID,t )r˜t Volume 9, No. 3 (2015), 353–373

366

Yang Lu, Quanling Zhang and Jiguo Li



·

(2)

upkID

γ

· v1

s 2

ID  γ − a·usk z 2 2 (2) = upkID · v1 · g a ·uskID · F (λID )r˜ · F (λID,t )r˜t  γ s (2) · upkID · v1 2

=g

2 a2 ·uskID

r˜

r˜t

· F (λID ) · F (λID,t ) ·



(2) upkID

γ

· v1

ID s− a·usk z

,

where λID = H1 (ID), λID,t = H1 (ID, t) and γ = H3 (σ1 , σ2 , σ3 , ID, upkID , 2 m, v1 ). If let s˜ = s − a · uskID /z, then we get
s˜
2 2 (2) σ = g s˜, g r˜t , g r˜, g a ·uskID · F (λID )r˜ · F (λID,t )r˜t · (upkID )γ · v1 . The algorithm B returns the signature (t, σ) to the adversary A1 . Forgery. Finally, the adversary A1 outputs a forgery (ID∗ , m∗ , (t∗ , σ ∗ )), where ∗ σ = (σ1∗ , σ2∗ , σ3∗ , σ4∗ ). If J(λID∗ ) 6= 0 mod p or J(λID∗ ,t∗ ) 6= 0 mod p or f (σ2∗ ) = 1 where λID∗ = H1 (ID∗ ) and λID∗ ,t∗ = H1 (ID∗ , t∗ ), then the algorithm B aborts the simulation. Otherwise, it retrieves the private key uskID∗ associated with ID∗ and computes  12  σ4∗ usk ID ∗ , T = ∗ (σ1∗ )xγ /uskID∗ +e0 · (σ2∗ )K(λID∗ ,t∗ ) · (σ3∗ )K(λID∗ ) where γ ∗ = H3 (σ1∗ , σ2∗ , σ3∗ , ID∗ , upkID∗ , m∗ , v0 ). If (t∗ , σ ∗ ) is a valid signature for the message m∗ under the target signer’s identity ID∗ and public key upkID∗ , then we have that σ ∗ =(σ1∗ , σ2∗ , σ3∗ , σ4∗ ) ∗

(2)

∗


s∗


∗

(2)

∗


s∗


∗

∗

2

2 uskID∗

· F (λID∗ )r˜ · F (λID∗ ,t∗ )r˜t∗ · (upkID∗ )γ · v0

∗

∗

2

2 uskID∗

· g K(λID∗ )˜r · g K(λID∗ ,t∗ )˜rt∗ · (upkID∗ )γ · v0

= g s , g r˜t∗ , g r˜ , g a

= g s , g r˜t∗ , g r˜ , g a

for some random values s∗ , r˜∗ , r˜t∗ ∈ Z∗p . Hence, we get ∗


s 2 ∗ ∗ (2)  g a2 ·uskID∗ · g K(λID∗ )˜r · g K(λID∗ ,t∗ )˜rt∗ · (upkID∗ )γ · v0  usk12 ∗ ID T = (g s∗ )xγ ∗ /uskID∗ +e0 · (g r˜t∗ )K(λID∗ ,t∗ ) · (g r˜∗ )K(λID∗ ) 2

=g a . Thus, the algorithm B can output T as the solution to the given Squ-CDH problem instance. Now we assess the advantage of the algorithm B. From the above construction, we can see that the algorithm B will not abort during the simulation if the following conditions hold simultaneously: (1) All A1 ’s queries to the oracle OP artialP rivateKey on ID have J(λID ) 6= 0 mod p; (2) All A1 ’s queries to the oracle OT empSigningKey on (ID, t) have J(λID ) 6= 0 mod p; (3) A1 ’s forgery (ID∗ , m∗ , (t∗ , σ ∗ )) satisfies J(λID∗ ) = 0 mod p, J(λID∗ ,t∗ ) = 0 mod p and f (σ2∗ ) = 0. Let λ1 , λ2 , · · · , λh be the hash values appearing in these queries not involving λID∗ and λID∗ ,t∗ . Clearly, we have h ≤ qpsk + qtsk . Define the events Ai , A∗ , B ∗ and C ∗ as follows: Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

Certificateless key-insulated signature

367

- Ai : J(λi ) 6= 0 mod p, where i = 1, 2, · · · , h; - A∗ : J(λID∗ ) = 0 mod p; - B ∗ : J(λID∗ ,t∗ ) = 0 mod p; - C ∗ : f (σ2∗ ) = 0. Thus, the probability of the algorithm B not aborting is P r[¬abort] ≥ P r

h ^

 Ai ∧ A∗ ∧ B ∗ ∧ C ∗ .

i=1

The assumption l(nu + 1) < p implies that if J(λID∗ ) = 0 mod p then J(λID∗ ) = 0 mod l. Furthermore, this assumption also implies that if J(λID∗ ) = 0 mod l, then there is a unique integer θ(0 ≤ θ ≤ nu ) such that J(λID∗ ) = 0 mod p. Therefore, we have P r[A∗ ] =P r[J(λID∗ ) = 0 mod p] =P r[J(λID∗ ) = 0 mod p ∧ J(λID∗ ) = 0 mod l] =P r[J(λID∗ ) = 0 mod p | J(λID∗ ) = 0 mod l] · P r[J(λID∗ ) = 0 mod l] 1 . = (nu + 1)l Similarly, we have P r[B ∗ ] = independent for any i, we get Pr

h ^

1 (nu +1)l .

Because the events Ai , A∗ and B ∗ are

h   ^ Ai | A∗ ∧ B ∗ · P r[A∗ ∧ B ∗ ] Ai ∧ A∗ ∧ B ∗ =P r i=1

i=1

≥ 1 − Pr

h _

¬Ai | A∗ ∧ B ∗




· P r[A∗ ] · P r[B ∗ ]

i=1

h
1 = 1− · l (nu + 1)2 · l2 1 ≥ . 2 8(nu + 1) (qpsk + qtsk )2 Vh Furthermore, the events i=1 Ai ∧A∗ ∧B ∗ and C ∗ are independent and P r[C ∗ ] = 1/2 since with probability the x-coordinate of g r is odd for a random value r ∈ Z∗p . Therefore, we get P r[¬abort] ≥ P r

h ^

 Ai ∧ A∗ ∧ B ∗ · P r[C ∗ ] =

i=1

1 . 16(nu + 1)2 (qpsk + qtsk )2

If the simulation does not abort, the adversary A1 will win the game with probability at least . Thus, the algorithm B can solve the given Squ-CDH problem with probability  0 ≥ . 2 16(nu + 1) (qpsk + qtsk )2 Lemma 4.3. If A2 is a Type-II adversary against the proposed scheme that has advantage at least  to win the game Game-A, then there exists an algorithm B to  solve the Squ-CDH problem with advantage 0 ≥ 16(nu +1) , where qtsk denotes 2 q2 the number of A2 ’s queries to OT empSigningKey . Advances in Mathematics of Communications

tsk

Volume 9, No. 3 (2015), 353–373

368

Yang Lu, Quanling Zhang and Jiguo Li

Proof. We show how to construct an algorithm B to solve the Squ-CDH problem from the adversary A2 . Assume that the algorithm B is given a random instance 2 (g, A = g a ) of the Squ-CDH problem in G1 and asked to compute g a . In order to use the adversary A2 to solve the given Squ-CDH problem, the algorithm B needs to simulate a challenger and all oracles for the adversary A2 . Setup. Let l = 2qtsk . We assume that p is sufficiently bigger than l(nu + 1). The algorithm B randomly chooses x0 , x1 , · · · , xnu ∈ Zl ,y0 , y1 , · · · , ynu ∈ Zp and α, x, z, e0 , e1 ∈ Z∗p . It also chooses a random integer k ∈ [0, nu ]. Then it assigns the public parameters as g1 = g α , g2 = Ax , u0 = Ap−lk+x0 · g y0 , ui = Axi · g yi (1 ≤ i ≤ nu ), v0 = g e0 and v1 = Az · g e1 . The algorithm B gives the public system parameters params and the master key 2 g α to the adversary A2 . For the convenience of analysis, we respectively Pnv Pnv define two functions J(ζ) = (p − lk) + x0 + i=1 ζi · xi and K(ζ) = y0 + i=1 ζi · yi for an nu -length binary string ζ = ζ1 · · · ζnu . It is not difficult to deduce that Qnu ζi F (ζ) = u0 i=1 ui = AJ(ζ) · g K(ζ) . Queries. Given the public parameters and the master key, the adversary A2 asks a series of polynomially bounded number of queries in an adaptive fashion. The algorithm B maintains a list KeyList of tuples (ID, upkID , uskID , HKID ) which is initially empty and simulates all oracles as follows: (1) OCreateU ser : On input an identity ID, the algorithm B looks up the list KeyList to find a tuple (ID, upkID , uskID , HKID ) associated with the identity ID. If such a tuple exists, the algorithm B returns upkID to the adversary A2 . Otherwise, it randomly chooses uskID ∈ Z∗p and HKID ∈ {0, 1}k , computes upkID = (Aα·uskID , g x/uskID , e(Aα·uskID , Aα·uskID )), stores (ID, upkID , uskID , HKID ) in the list KeyList and returns upkID to the adversary A2 . (2) OP rivateKey : On receiving a private key query on an identity ID, the algorithm B looks up the list KeyList to find a tuple (ID, upkID , uskID , HKID ) associated with the identity ID and returns uskID to the adversary A2 . (3) OT empSigningKey : On receiving a temporary signing key query on an identity ID and a period time index t (0 ≤ t ≤ N − 1), the algorithm B does the following: - If J(λID ) = 0 mod p where λID = H1 (ID), then it aborts the simulation. - Otherwise, it randomly chooses r ∈ Z∗p , looks up the list KeyList to find a tuple (ID, upkID , uskID , HKID ) associated with the identity ID to retrieve uskID and HKID , and then computes a temporary signing key T SKID,t for the identity ID in the time period t as K(λ

T SKID,t = A

)

− J(λ ID) ·(α·uskID )2 ID

(α·usk )2 − J(λ ID) ID

g rt , A

· F (λID )r · F (λID,t )rt ,
· gr ,

where rt = H2 (ID, HKID , t), λID = H1 (ID) and λID,t = H1 (ID, t) respectively. Note that the algorithm B can generate such a temporary signing key if and only if J(λID ) 6= 0 mod l, which suffices to have J(λID ) 6= 0 mod p. If let r˜ = r − a · (α · uskID )2 /J(λID ), we get
2 T SKID,t = g (a·α·uskID ) · F (λID )r˜ · F (λID,t )rt , g rt , g r˜ . Then, the algorithm B returns the key T SKID,t to the adversary A2 . (4) OSign : On receiving a signing query on an identity ID, a period time index t (0 ≤ t ≤ N − 1) and a message m, the algorithm B does the following: Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

Certificateless key-insulated signature

369

- If J(λID ) 6= 0 mod p where λID = H1 (ID), it first makes a query to the oracle OT empSigningKey on (ID, t) to obtain a temporary signing key T SKID,t . Then it runs the algorithm Sign(params, t, m, ID, T SKID,t ) to generate a signature (t, σ) and returns it to the adversary A2 . - Otherwise, it first randomly chooses r˜t ∈ Z∗p such that f (g r˜t ) = 1. Then it randomly chooses s, r˜ ∈ Z∗p and generates a signature (t, σ) = (t, (σ1 , σ2 , σ3 , σ4 )) for the message m as follows: a·(α·uskID )2

(α·uskID )2

z z · g s = g s− , σ2 = g r˜t , σ3 = g r˜, σ1 =A−  − α·(x·γ+ez1 ·uskID )  γ s (1) (2) σ4 = upkID · F (λID )r˜ · F (λID,t )r˜t · upkID · v1  γ s
− α·(x·γ+ez1 ·uskID ) (2) = Aα·uskID · F (λID )r˜ · F (λID,t )r˜t · upkID · v1  γ s 2 ) a·α2 ·(x·γ·uskID +e1 ·uskID (2) z · F (λID )r˜ · F (λID,t )r˜t · upkID · v1 =g − 2 ID )  x·γ − a·(α·usk 2 z = g uskID · g a·z · g e1 · g (a·α·uskID ) · F (λID )r˜ · F (λID,t )r˜t  γ s (2) · upkID · v1

=g

(a·α·uskID )2

r˜

r˜t

· F (λID ) · F (λID,t ) ·



(2) upkID

γ

· v1

2 ID ) s− a·(α·usk z

,

where λID = H1 (ID), λID,t = H1 (ID, t) and γ = H3 (σ1 , σ2 , σ3 , ID, upkID , m, v1 ). If let s˜ = s − a · (α · uskID )2 /z, then we get
s˜
2 (2) σ = g s˜, g r˜t , g r˜, g (a·α·uskID ) · F (λID )r˜ · F (λID,t )r˜t · (upkID )γ · v1 . The algorithm B returns the signature (t, σ) to the adversary A2 . Forgery. Finally, the adversary A2 outputs a forgery (ID∗ , m∗ , (t∗ , σ ∗ )), where ∗ σ = (σ1∗ , σ2∗ , σ3∗ , σ4∗ ). If J(λID∗ ) 6= 0 mod p or J(λID∗ ,t∗ ) 6= 0 mod p or f (σ2∗ ) = 1 where λID∗ = H1 (ID∗ ) and λID∗ ,t∗ = H1 (ID∗ , t∗ ), then the algorithm B aborts the simulation. Otherwise, it retrieves the private key uskID∗ associated with ID∗ and computes 1   σ4∗ (α·uskID ∗ )2 T = , ∗ (σ1∗ )xγ /uskID∗ +e0 · (σ2∗ )K(λID∗ ,t∗ ) · (σ3∗ )K(λID∗ ) where γ ∗ = H3 (σ1∗ , σ2∗ , σ3∗ , ID∗ , upkID∗ , m∗ , v0 ). If (t∗ , σ ∗ ) is a valid signature for the message m∗ under the target signer’s identity ID∗ and public key upkID∗ , then we have that σ ∗ =(σ1∗ , σ2∗ , σ3∗ , σ4∗ ) ∗

∗

2

∗

(2)

∗


s∗


∗

∗

2

∗

(2)

∗


s∗


= g s , g r˜t∗ , g r˜ , g (a·α·uskID∗ ) · F (λID∗ )r˜ · F (λID∗ ,t∗ )r˜t∗ · (upkID∗ )γ · v0 = g s , g r˜t∗ , g r˜ , g (a·α·uskID∗ ) · g K(λID∗ )˜r · g K(λID∗ ,t∗ )˜rt∗ · (upkID∗ )γ · v0 for some random values s∗ , r˜∗ , r˜t∗ ∈ Z∗p . Hence, we get ∗

1  g (a·α·uskID∗ )2 · g K(λID∗ )˜r∗ · g K(λID∗ ,t∗ )˜rt∗ · (upk (2)∗ )γ ∗ · v
s  0 (α·uskID ∗ )2 ID T = (g s∗ )xγ ∗ /uskID∗ +e0 · (g r˜t∗ )K(λID∗ ,t∗ ) · (g r˜∗ )K(λID∗ ) 2

=g a . Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

370

Yang Lu, Quanling Zhang and Jiguo Li

Thus, the algorithm B can output T as the solution to the given Squ-CDH problem. Now we assess the advantage of the algorithm B. From the above construction, we can see that the algorithm B will not abort during the simulation if the following conditions hold simultaneously: (1) All A2 ’s queries to the oracle OT empSigningKey on (ID, t) have J(λID ) 6= 0 mod p; (2) A2 ’s forgery (ID∗ , m∗ , (t∗ , σ ∗ )) satisfies J(λID∗ ) = 0 mod p, J(λID∗ ,t∗ ) = 0 mod p and f (σ2∗ ) = 0. Let λ1 , λ2 , · · · , λh be the hash values appearing in these queries not involving λID∗ and λID∗ ,t∗ . Clearly, we have h ≤ qtsk . Define the events Ai , A∗ , B ∗ and C ∗ as follows: -

Ai : J(λi ) 6= 0 mod p, where i = 1, 2, · · · , h; A∗ : J(λID∗ ) = 0 mod p; B ∗ : J(λID∗ ,t∗ ) = 0 mod p; C ∗ : f (σ2∗ ) = 0.

Thus, the probability of the algorithm B not aborting is P r[¬abort] ≥ P r

h ^

 Ai ∧ A∗ ∧ B ∗ ∧ C ∗ .

i=1

Analogously to the proof of Lemma 4.2, we can deduce that P r[¬abort] ≥

1 2 . 16(nu + 1)2 qtsk

Hence, the algorithm B can solve the given Squ-CDH problem with probability  0 ≥ 2 . 16(nu + 1)2 qtsk Theorem 4.4. If the Squ-CDH assumption holds in G1 , then the proposed scheme is SKI & EUF-CMA secure in the standard model. This theorem can be proved by combining Theorem 4.1 and the following two lemmas. Lemma 4.5. If A1 is a Type-I adversary against the proposed scheme that has advantage at least  to win the game Game-B, then there exists an algorithm B to solve the Squ-CDH problem with advantage 0 ≥ 16(nu +1)2 (q psk +qtsk )2 , where qpsk and qtsk respectively denote the number of A1 ’s queries to OP artialP rivateKey and OT empSigningKey . Proof. The proof of this lemma is almost as same as that of Lemma 4.2. The only difference is that the adversary A1 can adaptively query the oracle OHelperKey on any identity ID. When receiving such a query on an identity ID, the algorithm B looks up the list KeyList to find the corresponding tuple (ID, upkID , uskID , HKID ) and returns HKID to the adversary A1 . Lemma 4.6. If A2 is a Type-II adversary against the proposed scheme that has advantage at least  to win the game Game-B, then there exists an algorithm B to  solve the Squ-CDH problem with advantage 0 ≥ 16(nu +1) , where qtsk denotes 2 q2 the number of A2 ’s queries to OT empSigningKey . Advances in Mathematics of Communications

tsk

Volume 9, No. 3 (2015), 353–373

Certificateless key-insulated signature

371

Proof. The proof of this lemma is almost as same as that of Lemma 4.3. The only difference is that the adversary A2 can adaptively query the oracle OHelperKey on any identity ID. When receiving such a query on an identity ID, the algorithm B looks up the list KeyList to find the corresponding tuple (ID, upkID , uskID , HKID ) and returns HKID to the adversary A2 . Theorem 4.7. The proposed scheme has secure key updates. Proof. This theorem follows from the fact that for any identity ID and any two time period indices told and tnew (0 ≤ told < tnew ≤ N − 1), the update key U KID,told ,tnew can be derived from T SKID,told and T SKID,tnew . 4.3. Comparison. To evaluate the performance of our scheme, we make a comparison between our scheme and Wan et al.’s certificateless strong key-insulated signature scheme [23]. The comparison result is summarized in Table 1. In the computational cost comparison, we consider four operations: pairing, exponentiation in G1 , multiplication in G1 and multiplication in G2 . For simplicity, we denote these operations by P , E, M1 and M2 respectively. Note that computing f1 (·) and f2 (·) in Wan et al.’s scheme requires computing nu /2 and nm /2 multiplications in G1 on the average respectively. In the communicational cost comparison, the sizes of the public parameters, public keys and signatures are measured in terms of the number of group elements. In addition, the “Attacks” row indicates that whether the scheme can resist both the key replacement attack and malicious KGC attack presented in Section 3.

Sign cost Verify cost Public parameters size Public key size Signature size Complexity assumption Attacks

Wan et al.’s scheme [23] 4E + (nu /2 + nm /2 + 3)M1 4P + (nu + nm /2)M1 + 3M2 (nu + nm + 5)G1 1G2 4G1 NGBDH+Many-DH no

Our scheme 5E + (nu /2 + 4)M1 4P + 1E + (nu + 1)M1 + 3M2 (nu + 6)G1 2G1 + 1G2 4G1 Squ-CDH (⇔CDH) yes

Table 1. Comparison of the certificateless strong key-insulated signature schemes

From the table, we can see that nu + nm + 5 group elements are needed as public parameters in Wan et al.’s scheme while only nu + 6 group elements are required in our scheme. Therefore, our scheme enjoys a smaller public parameters size, which makes it be more suitable for the low-bandwidth or low-storage applications. Regarding the public key size, a public key in our scheme consists of two additional elements in the group G1 (which are about 342 bits when instantiated in MNT curves with 80 bits security) and thus is a bit longer than the one in Wan et al.’s scheme. However, our scheme provides an effective mechanism to check the public key validity so that it can fight against the public key replacement attack. Our scheme is more efficient than Wan et al.’s scheme in the computation efficiency since nm /2 multiplications in G1 on the average are less needed in both the algorithms Sign and Verify. Furthermore, our scheme is proven secure under the Squ-CDH assumption which is strictly harder than both the NGBDH assumption and the Many-DH assumption on which Wan et al.’s scheme is based. Most importantly, Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

372

Yang Lu, Quanling Zhang and Jiguo Li

our scheme can resist both the attacks presented in Section 3 while Wan et al.’s scheme can not. 5. Conclusions In this paper, we have shown that the previous two certificateless key-insulated signature schemes without random oracles are not secure under either key replacement attack or malicious KGC attack. We propose a new certificateless strong key-insulated signature scheme which can be proven to be strong key-insulated and existentially unforgeable under the Squ-CDH assumption in the standard model. The new scheme overcomes the security weaknesses in previous certificateless keyinsulated signature schemes and enjoys higher computational efficiency and shorter public parameters. Acknowledgements We would like to thank the anonymous referees for their helpful comments. This work is supported by the National Natural Science Foundation of China grant 61272542, a Project Funded by the Priority Academic Program Development of Jiangsu Higher Education Institutions and the Fundamental Research Funds for the Central Universities. References [1] S. S. Al-Riyami and K. G. Paterson, Certificateless public key cryptography, in Proc. ASIACRYPT 2003 , Springer-Verlag, 2003, 452–473. [2] J. Baek, R. Safavi-Naini and W. Susilo, Certificateless public key encryption without pairing, in Proc. ISC 2005, Springer-Verlag, 2005, 134–148. [3] M. Bellare and A. Palacio, Protecting against key exposure: strongly key-insulated encryption with optimal threshold, in Proc. AAECC 2006 , Springer-Verlag, 2006, 379–396. [4] K. Y. Choi, J. H. Park, J. Y. Hwang and D. H. Lee, Efficient certificateless signature schemes, in Proc. ACNS 2007 , Springer-Verlag, 2007, 443–458. [5] A. W. Dent, B. Libert and K. G. Paterson, Certificateless encryption schemes strongly secure in the standard model, in Proc. PKC 2008 , Springer-Verlag, 2008, 344–359. [6] Y. Dodis, J. Katz, S. Xu and M. Yung, Key-insulated public-key cryptosystems, in Proc. EUROCRYPT 2002 , Springer-Verlag, 2002, 65–82. [7] Y. Dodis, J. Katz, S. Xu and M. Yung, Strong key-insulated signature schemes, in Proc. PKC 2003 , Springer-Verlag, 2003, 130–144. [8] N. Gonzalez-Deleito, O. Markowitch and E. Dall’Olio, A new key-insulated signature scheme, in Proc. ICICS 2004, Springer-Verlag, 2004, 465–479. [9] G. Hanaoka, Y. Hanaoka and H. Imai, Parallel key-insulated public key encryption, in Proc. PKC 2006 , Springer-Verlag, 2006, 105–122. [10] Y. Hanaoka, G. Hanaoka, J. Shikata and H. Imai, Unconditionally secure key insulated cryptosystems: models, bounds and constructions, in Proc. ICICS 2002 , Springer-Verlag, 2002, 85–96. [11] Y. Hanaoka, G. Hanaoka, J. Shikata and H. Imai, Identity-based hierarchical strongly keyinsulated encryption and its application, in Proc. ASIACRYPT 2005 , Springer-Verlag, 2005, 495–514. [12] D. He, B. Huang and J. Chen, New certificateless short signature scheme, IET – Information Security, 7 (2013), 113–117. [13] B. Libert and J. Quisquater, On constructing certificateless cryptosystems from identity based encryption, in Proc. PKC 2006 , Springer-Verlag, 2006, 474–490. [14] J. K. Liu, M. H. Au and W. Susilo, Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model, in Proc. ASIACCS 2007, ACM, 2007, 302–311. [15] J. K. Liu and D. S. Wong, Solutions to key exposure problem in ring signature, Int. J. Network Sec., 6 (2008), 170–180. Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373

Certificateless key-insulated signature

373

[16] W. Qiu, Y. Zhou, B. Zhu, Y. Zheng, M. Wen and Z. Gong, Key-insulated encryption based key pre-distribution scheme for WSN, in Proc. ISA 2009, Springer-Verlag, 2009, 200–209. [17] A. Shamir, Identity-based cryptosystems and signature schemes, in Proc. CRYPTO 1984 , Springer-Verlag, 1984, 47–53. [18] Y. Sun and H. Li, Short-ciphertext and BDH-based CCA2 secure certificateless encryption, Sci. China Inf. Sci., 53 (2010) 2005–2015. [19] R. Tso, X. Huang and W. Susilo, Strongly secure certificateless short signatures, J. Syst. Software, 85 (2012) 1409–1417. [20] R. Tso, X. Yi and X. Huang, Efficient and short certificateless signature, in Proc. CANS 2008, Springer-Verlag, 2008, 64–79. [21] Z. Wan, X. Lai, J. Weng, S. Liu and X. Hong, Identity-based key-insulated proxy signature, J. Electronics (China), 26 (2009) 853–858. [22] Z. Wan, X. Lai, J. Weng, S. Liu, Y. Long and X. Hong, Certificateless key-insulated signature without random oracles, J. Zhejiang Univ. Sci. A, 10 (2009), 1790–1800. [23] Z. Wan, X. Meng and X. Hong, Certificateless strong key-insulated signature without random oracles, J. Shanghai Jiaotong Univ. (Sci), 16 (2011), 571–576. [24] B. Waters, Efficient identity-based encryption without random oracles, in Proc. EUROCRYPT 2005 , Springer-Verlag, 2005, 114–127. [25] J. Weng, S. Liu, K. Chen and C. Ma, Identity-based key-insulated signature without random oracles, in Proc. CIS 2006 , Springer-Verlag, 2007, 470–480. [26] J. Weng, S. Liu, K. Chen, D. Zheng and W. Qiu, Identity-based Threshold key-insulated encryption without random oracles, in Proc. CT-RSA 2008 , Springer-Verlag, 2008, 203–220. [27] W. Yang, F. Zhang and L. Shen, Efficient certificateless encryption withstanding attacks from malicious KGC without using random oracles, Secur. Commun. Networks, 7 (2014) 445–454. [28] D. H. Yum and P. J. Lee, Efficient key updating signature schemes based on IBS, in Proc. Crypt. Coding 2003 , Springer-Verlag, 2003, 16–18. [29] F. Zhang, R. Safavi-Naini and W. Susilo, An efficient signature scheme from bilinear parings and its applications, in Proc. PKC 2004 , Springer-Verlag, 2004, 277–290. [30] Z. Zhang, D. Wong, J. Xu and D. Feng, Certificateless public-key signature: security model and efficient construction, in Proc. ACNS 2006, Springer-Verlag, 2006, 293–308. [31] Y. Zhou, Z. Cao and Z. Chai, Identity based key insulated signature, in Proc. ISPEC 2006, Springer-Verlag, 2006, 226–234.

Received August 2014; revised March 2015. E-mail address: [email protected] E-mail address: [email protected] E-mail address: [email protected]

Advances in Mathematics of Communications

Volume 9, No. 3 (2015), 353–373