Computer Networks. Efficient many-to-one authentication with certificateless aggregate signatures


Computer Networks 54 (2010)

Efficient many-to-one authentication with certificateless aggregate signatures

Lei Zhang a,*, Bo Qin a,b, Qianhong Wu a,c, Futai Zhang d,e

a Department of Computer Engineering and Mathematics, Universitat Rovira i Virgili, Av. Països Catalans 26, E-43007 Tarragona, Catalonia, Spain
b Department of Maths, School of Science, Xi'an University of Technology, China
c School of Computer, Key Lab. of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, China
d School of Computer Science and Technology, Nanjing Normal University, Nanjing, China
e Jiangsu Engineering Research Center on Information Security and Privacy Protection Technology, Nanjing, China

* Corresponding author. E-mail addresses: lei.zhang@urv.cat (L. Zhang), bo.qin@urv.cat (B. Qin), qianhong.wu@urv.cat (Q. Wu), zhangfutai@njnu.edu.cn (F. Zhang).

Article history: Received 1 March 2009; Received in revised form 2 November 2009; Accepted 6 April 2010; Available online 11 April 2010. Responsible Editor: R. Molva.

Keywords: Information security; Message authentication; Digital signature; Certificateless cryptography

Abstract

Aggregate signatures allow an efficient algorithm to aggregate n signatures of n distinct messages from n different users into one single signature. The resulting aggregate signature can convince a verifier that the n users did indeed sign the n messages. This feature is very attractive for authentication in bandwidth-limited applications such as reverse multicasts and sensor networks. Certificateless public key cryptography enables functionality similar to that of public key infrastructure (PKI) and identity (ID) based cryptography without suffering from the complicated certificate management of PKI or the secret key escrow problem of ID-based cryptography. In this paper, we present a new efficient certificateless aggregate signature scheme which has the advantages of both aggregate signatures and certificateless cryptography. The scheme is proven existentially unforgeable against adaptive chosen-message attacks under the standard computational Diffie–Hellman assumption. Our scheme is also very efficient in both communication and computation, and the proposal is practical for many-to-one authentication.

© 2010 Elsevier B.V. All rights reserved. doi:10.1016/j.comnet

1. Introduction

Digital signature is one of the most important primitives in public key cryptography. Knowing the public key of a signer, anyone can verify whether a signature of this signer is valid or not. This feature enables signatures to be efficiently applied to one-to-one (unicast) and one-to-many (multicast) applications. Some multicast applications may require the root node to collect data from leaf nodes (e.g., real-time fee collection, user preferences), which results in many-to-one communication. In these applications, the root node is very likely to be swamped when too many leaves transmit simultaneously. Hence, to provide the usual authenticity, integrity and non-repudiation, signatures have to be elegantly designed to avoid the known implosion problem in many-to-one communications [1].

1.1. Related work

Recently, the concept of aggregate signatures [4] was introduced by Boneh et al. at Eurocrypt 2003. This notion allows an efficient algorithm to aggregate n signatures of n distinct messages from n different users into one single signature. The resulting aggregate signature can convince a verifier that the n users did indeed sign the n original messages. These properties greatly reduce the length of the resulting signature to be verified. Hence, aggregate signatures can be applied to the above applications.

To let a signature scheme function, the public key has to be bound to the identity of the owner of the public key. Traditionally, this is provided by the public key infrastructure (PKI) in which one or more third parties, known as
certificate authorities (CAs), issue digital certificates to bind a user and his public key. In this paradigm, before using the public key of a user, the participant must first verify the certificate of the user, which implies a large amount of computing and storage cost to manage certificates. Observing these shortcomings, Shamir put forward identity-based public key cryptography (ID-PKC) [16] to simplify certificate management in PKI systems. In an ID-based cryptosystem, the identity of a user, for instance the telephone number or IP address, functions as the public key of the user. However, in ID-PKC a trusted third party called the Private Key Generator (PKG) must be employed to generate the private key for each user. The user's private key is computed from his publicly known identity and the PKG's master secret key. Hence, ID-PKC suffers from a key escrow problem, which implies that all the users have to fully trust the PKG. This might be too strong an assumption in some applications. To address the key escrow problem of ID-PKC, Al-Riyami and Paterson [2] invented a new paradigm called certificateless public key cryptography (CL-PKC). CL-PKC also exploits a third party, called the Key Generation Center (KGC), to help a user generate his private key. However, the KGC can merely determine part of the private key for each user, rather than the whole private key of each user as in ID-PKC systems. In CL-PKC, the user computes the resulting private key from the partial private key obtained from the KGC and the secret information chosen by the user. As for the public key of the user, it is computed from the KGC's public parameters and the user's secret information. As a result, CL-PKC systems avoid the key escrow problem in ID-PKC systems and the complicated certificate management problem in traditional PKI systems. The above advantages of CL-PKC motivate a lot of further studies [11,14,18,22].

In [2], Al-Riyami and Paterson presented the first Certificateless Signature (CLS) scheme; however, no formal proof was given. Huang et al. [12] pointed out a security drawback of the primal CLS scheme in [2] and defined the first security model of CLS schemes. But the model in [12] did not fully capture the ability of the adversaries in CL-PKC. A CLS scheme proved secure in this model may be insecure in practice. A recent example is Yap et al.'s scheme [18], which was broken by Park [1] and Zhang and Feng [19] independently. Later, Zhang et al. [2] improved the security model of CLS schemes and presented a more efficient CLS scheme. The security model of CLS schemes was further developed in [11,13].

It is natural to investigate the notion of aggregate signatures in ID-based or certificateless cryptographic contexts. By far, several Identity-based Aggregate Signature (IDAS) schemes have been presented [6–8,1,17]. But most of them only achieve partial aggregation [7,1,17]. In [6], Cheng et al. proposed an aggregate signature scheme whose output has the same size as an individual signature. However, it requires that the signers be pre-determined, and without the individual signature from each pre-determined signer, the individual signatures cannot be aggregated. At present, in ID-PKC, the only instance that can aggregate n individual signatures into a single aggregate signature (whose length is as short as an individual signature) is Gentry and Ramzan's IDAS scheme. In addition, their scheme requires only three pairing operations and is proven secure under the standard computational Diffie–Hellman (CDH) assumption. As to aggregate signatures in the certificateless public key setting, Gong et al. [9] presented two certificateless aggregate signature (CLAS) schemes which are provably secure in a relatively weak model similar to that in [12]. Later, Zhang and Zhang [21] presented a CLAS scheme which is provably secure in a stronger model. However, as for efficiency, all the previous CLAS schemes require a relatively large amount of pairing computation in the process of verification and have long outputs, and may be further improved.

1.2. Our contribution

In this paper, we present a novel certificateless aggregate signature (CLAS) scheme. By exploiting the random oracle model [3], our CLAS scheme is proven existentially unforgeable against adaptive chosen-message attacks under the standard CDH assumption. It allows multiple signers to sign multiple documents in an efficient way, and the total verification information (the length of the signature) consists of only two group elements. Our scheme is also very efficient in computation: the verification procedure needs only a very small constant number of pairing computations, independent of the number of aggregated signatures. With our CLAS scheme, one can aggregate many different certificateless signatures into a single certificateless aggregate signature, and hence effectively reduce the signature size and verification cost. This implies that our scheme is very applicable to secure many-to-one communications.

The rest of the paper is organized as follows. Section 2 reviews the notion and the security model of CLAS schemes. We propose our new CLAS scheme in Section 3, and prove its security in Section 4. In Section 5, we compare our scheme with three existing proposals, followed by some concluding remarks in the last section.

2. Preliminaries

2.1. Modeling certificateless aggregate signature schemes

A CLAS scheme involves a KGC, an aggregating set $\mathcal{U}$ of $n$ users $U_1, \ldots, U_n$, and an aggregate signature generator. It consists of the following six algorithms.

Setup: This algorithm is performed by the KGC; it accepts a security parameter and generates a master-key and a list of system parameters params.

Partial-Private-Key-Extract: This algorithm is performed by the KGC; it accepts a user's identity $ID_i$, the parameter list params and the master-key, and produces the user's partial private key $D_i$.

UserKeyGen: This algorithm is run by a user; it takes as input the user's identity $ID_i$, selects a random $x_i \in \mathbb{Z}_q^*$ and outputs the user's secret/public key pair $x_i / P_i$.

Sign: This algorithm is run by each user $U_i$ in an aggregating set $\mathcal{U}$. $U_i$'s inputs are the parameter list params, some state information $\Delta$ (depending on the instantiation, the state information $\Delta$ can be empty), a message $M_i \in \mathcal{M}$ ($\mathcal{M}$ is
the message space), his identity $ID_i$, his corresponding public key $P_i$, and his signing key $(x_i, D_i)$. The output of $U_i$ is a signature $\sigma_i$ on message $M_i$ which is valid under his identity $ID_i$ and the corresponding public key $P_i$.

Aggregate: This algorithm is run by an aggregate signature generator; it takes as input a state information $\Delta$, an aggregating set $\mathcal{U}$ of $n$ users $\{U_1, \ldots, U_n\}$, the identity $ID_i$ of each user $U_i$, the corresponding public key $P_i$ of $U_i$, and a signature $\sigma_i$ on a message $M_i$ with state information $\Delta$ under identity $ID_i$ and public key $P_i$ for each user $U_i \in \mathcal{U}$. The output of this algorithm is an aggregate signature $\sigma$ on messages $\{M_1, \ldots, M_n\}$.

Aggregate Verify: This algorithm takes as input $\Delta$, an aggregating set $\mathcal{U}$ of $n$ users $\{U_1, \ldots, U_n\}$, the identity $ID_i$ and the corresponding public key $P_i$ of each user $U_i$, and an aggregate signature $\sigma$ on messages $\{M_1, \ldots, M_n\}$. It outputs true if the aggregate signature is valid, or $\bot$ otherwise.

2.2. Security definitions

Two types of adversaries are considered in CL-PKC: the Type I adversary and the Type II adversary (in this paper, the ability of our Type I/II adversary follows the original definition introduced by Al-Riyami and Paterson [2]). A Type I adversary $\mathcal{A}_I$ does not have access to the master-key, but he has the ability to replace the public key of any entity with a value of his choice. A Type II adversary $\mathcal{A}_{II}$ has access to the master-key but cannot perform public key replacement. More details can be found in [2]. The security of a CLAS scheme is modeled via the following two games between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}_I$ or $\mathcal{A}_{II}$. (Note that in Game 1, when a Type I adversary $\mathcal{A}_I$ submits a Public-Key-Replacement query $PKR(ID_i, P_i')$ to $\mathcal{C}$, $\mathcal{A}_I$ need not submit to $\mathcal{C}$ the corresponding secret key used to generate $P_i'$ [2].)

Game 1 (for Type I Adversary).

Setup: $\mathcal{C}$ runs the Setup algorithm, which takes as input a security parameter, to obtain a master-key and the system parameter list params. $\mathcal{C}$ then sends params to the adversary $\mathcal{A}_I$ while keeping the master-key secret.

Attack: The adversary $\mathcal{A}_I$ can perform a polynomially bounded number of the following types of queries in an adaptive manner.

Partial-Private-Key queries $PPK(ID_i)$: $\mathcal{A}_I$ can request the partial private key of any user with identity $ID_i$. In response, $\mathcal{C}$ outputs the partial private key $D_i$ of the user.

Public-Key queries $PK(ID_i)$: $\mathcal{A}_I$ can request the public key $P_i$ of a user whose identity is $ID_i$. In response, $\mathcal{C}$ outputs the public key for identity $ID_i$.

Secret-Key queries $SK(ID_i)$: $\mathcal{A}_I$ can request the secret key of a user whose identity is $ID_i$. In response, $\mathcal{C}$ outputs the secret key $x_i$ for identity $ID_i$ (it outputs $\bot$ if the user's public key has been replaced).

Public-Key-Replacement queries $PKR(ID_i, P_i')$: For any user whose identity is $ID_i$, $\mathcal{A}_I$ can choose a new public key $P_i'$. $\mathcal{A}_I$ then sets $P_i'$ as the new public key of this user. $\mathcal{C}$ will record this replacement.

Sign queries $S(\Delta_i, M_i, ID_i, P_i)$: $\mathcal{A}_I$ can request a user's (whose identity is $ID_i$) signature on a message $M_i$ under a state information $\Delta_i$. On receiving a query $S(\Delta_i, M_i, ID_i, P_i)$, $\mathcal{C}$ generates a signature $\sigma_i$ on message $M_i$ under identity $ID_i$ and public key $P_i$ using $\Delta_i$ as the state information, and replies with $\sigma_i$.

Forgery: $\mathcal{A}_I$ outputs a set of $n$ users whose identities form the set $L_{ID} = \{ID_1^*, \ldots, ID_n^*\}$ and corresponding public keys form the set $L_{PK} = \{P_1^*, \ldots, P_n^*\}$, $n$ messages forming the set $L_M = \{M_1, \ldots, M_n\}$, a state information $\Delta^*$ and an aggregate signature $\sigma^*$. We say that $\mathcal{A}_I$ wins Game 1 iff

(1) $\sigma^*$ is a valid aggregate signature on messages $\{M_1, \ldots, M_n\}$ with state information $\Delta^*$ under identities $\{ID_1^*, \ldots, ID_n^*\}$ and the corresponding public keys $\{P_1^*, \ldots, P_n^*\}$.
(2) At least one of the identities, without loss of generality say $ID_1^* \in L_{ID}$, has not been submitted during the Partial-Private-Key queries, and $S(\Delta^*, M_1, ID_1^*, P_1^*)$ has never been queried during the Sign queries.

Game 2 (for Type II Adversary).

Setup: $\mathcal{C}$ runs the Setup algorithm, which takes as input a security parameter, to obtain the system parameter list params and also the system's master-key. $\mathcal{C}$ then sends params and the master-key to the adversary $\mathcal{A}_{II}$.

Attack: The adversary $\mathcal{A}_{II}$ can perform a polynomially bounded number of the following types of queries in an adaptive manner.

Public-Key queries $PK(ID_i)$: $\mathcal{A}_{II}$ can request the public key of a user (whose identity is $ID_i$) of his choice. In response, $\mathcal{C}$ outputs the public key $P_i$ for identity $ID_i$.

Secret-Key queries $SK(ID_i)$: $\mathcal{A}_{II}$ can choose a user whose identity is $ID_i$ and request this user's secret key. In response, $\mathcal{C}$ outputs the secret key $x_i$ for identity $ID_i$.

Sign queries $S(\Delta_i, M_i, ID_i, P_i)$: $\mathcal{A}_{II}$ can request a user's (whose identity is $ID_i$) signature on a message $M_i$ with a state information $\Delta_i$. On receiving a query $S(\Delta_i, M_i, ID_i, P_i)$, $\mathcal{C}$ replies with a signature $\sigma_i$ on message $M_i$ with state information $\Delta_i$ under identity $ID_i$ and public key $P_i$.

Forgery: $\mathcal{A}_{II}$ outputs a set of $n$ users whose identities form the set $L_{ID} = \{ID_1^*, \ldots, ID_n^*\}$ and corresponding public keys form the set $L_{PK} = \{P_1^*, \ldots, P_n^*\}$, $n$ messages forming the set $L_M = \{M_1, \ldots, M_n\}$, a state information $\Delta^*$ and an aggregate signature $\sigma^*$. We say that $\mathcal{A}_{II}$ wins Game 2 iff

(1) $\sigma^*$ is a valid aggregate signature on messages $\{M_1, \ldots, M_n\}$ with state information $\Delta^*$ under identities $\{ID_1^*, \ldots, ID_n^*\}$ and corresponding public keys $\{P_1^*, \ldots, P_n^*\}$.
(2) One of the identities, without loss of generality say $ID_1^* \in L_{ID}$, has not been submitted during the Secret-Key queries, and $S(\Delta^*, M_1, ID_1^*, P_1^*)$ has never been queried during the Sign queries.
Definition 1. A CLAS scheme is existentially unforgeable under adaptively chosen-message attack iff the success probability of any polynomially bounded adversary in either of the above two games is negligible.

3. Our certificateless aggregate signature scheme

3.1. Bilinear maps

Our scheme is realized in groups which allow efficient bilinear maps [5]. Let $G_1$ be an additive group of prime order $q$ and $G_2$ be a multiplicative group of the same order. A map $e: G_1 \times G_1 \to G_2$ is called a bilinear map if it satisfies the following properties:

(1) Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$, $a, b \in \mathbb{Z}_q^*$.
(2) Non-degeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
(3) Computability: there exists an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.

Computational Diffie–Hellman (CDH) problem in $G_1$: given a generator $P$ of the group $G_1$ whose order is $q$, and given $(aP, bP)$ for unknown $a, b \in \mathbb{Z}_q^*$, compute $abP$.

3.2. Our certificateless aggregate signature scheme

The specification of the scheme is as follows.

Setup: Given a security parameter, the KGC chooses a cyclic additive group $G_1$ which is generated by $P$ with prime order $q$, chooses a cyclic multiplicative group $G_2$ of the same order and a bilinear map $e: G_1 \times G_1 \to G_2$. The KGC also chooses a random $k \in \mathbb{Z}_q^*$ as the master-key and sets $P_T = kP$, and chooses cryptographic hash functions $H_1, \ldots, H_4: \{0,1\}^* \to G_1$ and $H_5: \{0,1\}^* \to \mathbb{Z}_q^*$. The system parameter list is params $= (G_1, G_2, e, P, P_T, H_1, \ldots, H_5)$. The message space is $\mathcal{M} = \{0,1\}^*$.

Partial-Private-Key-Extract: This algorithm accepts params, the master-key $k$ and a user's identity $ID_i \in \{0,1\}^*$, and generates the partial private key for the user as follows.
(1) Compute $Q_{i,0} = H_1(ID_i, 0)$, $Q_{i,1} = H_1(ID_i, 1)$.
(2) Output the partial private key $(D_{i,0}, D_{i,1}) = (kQ_{i,0}, kQ_{i,1})$.

UserKeyGen: This algorithm takes as input params and a user's identity $ID_i$, selects a random $x_i \in \mathbb{Z}_q^*$ and sets his secret/public key pair as $x_i / P_i = x_i P$.

Sign: To sign a message $M_i \in \mathcal{M}$ using the signing key $(x_i, D_{i,0}, D_{i,1})$, the signer, whose identity is $ID_i$ and whose corresponding public key is $P_i$, first chooses a one-time-use state information $\Delta$ and then performs the following steps.
(1) Choose a random $r_i \in \mathbb{Z}_q^*$ and compute $R_i = r_i P$.
(2) Compute $h_i = H_5(M_i \| \Delta \| ID_i \| P_i)$, $T = H_2(\Delta)$, $V = H_3(\Delta)$, $W = H_4(\Delta)$.
(3) Compute $S_i = D_{i,0} + x_i V + h_i (D_{i,1} + x_i W) + r_i T$.
(4) Output $\sigma_i = (R_i, S_i)$ as the signature on $M_i$.

Aggregation: Anyone can act as an aggregate signature generator and aggregate a collection of individual signatures that use the same state information $\Delta$. For an aggregating set (which has the same state information $\Delta$) of $n$ users $\{U_1, \ldots, U_n\}$ with identities $\{ID_1, \ldots, ID_n\}$ and the corresponding public keys $\{P_1, \ldots, P_n\}$, and message-signature pairs $(M_1, \sigma_1 = (R_1, S_1)), \ldots, (M_n, \sigma_n = (R_n, S_n))$ from $U_1, \ldots, U_n$ respectively, the aggregate signature generator computes
$$R = \sum_{i=1}^{n} R_i, \qquad S = \sum_{i=1}^{n} S_i$$
and outputs the aggregate signature $\sigma = (R, S)$.

Aggregate Verify: To verify an aggregate signature $\sigma = (R, S)$ signed by $n$ users $\{U_1, \ldots, U_n\}$ with identities $\{ID_1, \ldots, ID_n\}$ and corresponding public keys $\{P_1, \ldots, P_n\}$ on messages $\{M_1, \ldots, M_n\}$ with the same state information $\Delta$, the verifier performs the following steps.
(1) Compute $T = H_2(\Delta)$, $V = H_3(\Delta)$, $W = H_4(\Delta)$, and for all $i$, $1 \leq i \leq n$, compute $h_i = H_5(M_i \| \Delta \| ID_i \| P_i)$, $Q_{i,0} = H_1(ID_i, 0)$, $Q_{i,1} = H_1(ID_i, 1)$.
(2) Verify
$$e(S, P) \stackrel{?}{=} e\Big(P_T,\ \sum_{i=1}^{n} Q_{i,0} + \sum_{i=1}^{n} h_i Q_{i,1}\Big)\, e\Big(V,\ \sum_{i=1}^{n} P_i\Big)\, e\Big(W,\ \sum_{i=1}^{n} h_i P_i\Big)\, e(T, R).$$
If the equation holds, output true. Otherwise, output $\bot$.

In our scheme, each user in an aggregating set should use the same one-time-use state information $\Delta$ when signing. As mentioned in [8], it is straightforward to choose such a $\Delta$ in certain settings. For example, if the signers have access to some loosely synchronized clocks, $\Delta$ can be chosen based on the current time.
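The scheme just specified, worked through in Python as an added toy example (not code from the paper or its authors): $G_1$ is simulated by storing each element's discrete log modulo $q$, so the pairing $e(aP, bP) = g^{ab}$ is trivial to compute and the construction has no security; $H_1, \ldots, H_5$ are built from SHA-256; the group size, identities, messages and the clock-derived $\Delta$ are constructed for the run. It exercises Setup through Aggregate Verify for $n$ signers sharing one $\Delta$ and checks that the verification equation holds exactly for the untouched aggregate.

```python
import functools
import hashlib
import secrets

# Constructed toy parameters (assumption, NOT secure): p = 2q + 1 is a
# safe prime, so g = 4 (a quadratic residue) generates the order-q
# subgroup of Z_p^*, which plays the role of G2. G1 is SIMULATED as Z_q:
# the element "aP" is stored as the integer a, so P itself is 1 and
# e(aP, bP) = g^(ab) mod p. Discrete logs and CDH are trivial here, so
# this only exercises the Section 3.2 algebra, not a real pairing group.
Q = 1019
P_MOD = 2 * Q + 1   # 2039, prime
G2_GEN = 4
P = 1


def add(*elems):
    """Group addition in the simulated G1."""
    return sum(elems) % Q


def mul(scalar, elem):
    """Scalar multiplication in the simulated G1."""
    return (scalar * elem) % Q


def pairing(x, y):
    """Simulated bilinear map e: G1 x G1 -> G2."""
    return pow(G2_GEN, (x * y) % Q, P_MOD)


def _hash(tag, *parts):
    """Domain-separated SHA-256 reduced mod q (stands in for H1..H5)."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(part if isinstance(part, bytes) else str(part).encode())
    return int.from_bytes(h.digest(), "big") % Q


def H1(identity, j):
    """H1: {0,1}^* -> G1, evaluated on (ID_i, j) for j in {0, 1}."""
    return _hash(b"H1", identity, j)


# H2, H3, H4: {0,1}^* -> G1, each evaluated on the state information Delta.
H2, H3, H4 = (functools.partial(_hash, tag) for tag in (b"H2", b"H3", b"H4"))


def H5(msg, delta, identity, pk):
    """H5: {0,1}^* -> Z_q, on M_i || Delta || ID_i || P_i."""
    return _hash(b"H5", msg, delta, identity, pk)


def setup():
    """KGC: master key k, public P_T = kP."""
    k = secrets.randbelow(Q - 1) + 1
    return k, mul(k, P)


def partial_private_key_extract(k, identity):
    """KGC: (D_{i,0}, D_{i,1}) = (k*H1(ID_i, 0), k*H1(ID_i, 1))."""
    return mul(k, H1(identity, 0)), mul(k, H1(identity, 1))


def user_key_gen():
    """User: secret x_i and public key P_i = x_i P, no certificate involved."""
    x = secrets.randbelow(Q - 1) + 1
    return x, mul(x, P)


def sign(msg, delta, identity, pk, x, d0, d1):
    """Sign: S_i = D_{i,0} + x_i V + h_i (D_{i,1} + x_i W) + r_i T."""
    r = secrets.randbelow(Q - 1) + 1
    R = mul(r, P)
    h = H5(msg, delta, identity, pk)
    T, V, W = H2(delta), H3(delta), H4(delta)
    S = add(d0, mul(x, V), mul(h, add(d1, mul(x, W))), mul(r, T))
    return R, S


def aggregate(sigs):
    """Aggregate: component-wise sums, so the output stays two elements."""
    return add(*(R for R, _ in sigs)), add(*(S for _, S in sigs))


def aggregate_verify(P_T, delta, ids, pks, msgs, agg):
    """Aggregate Verify: five pairings, however many signers there are."""
    R, S = agg
    T, V, W = H2(delta), H3(delta), H4(delta)
    hs = [H5(m, delta, i, pk) for m, i, pk in zip(msgs, ids, pks)]
    q_sum = add(*(H1(i, 0) for i in ids),
                *(mul(h, H1(i, 1)) for h, i in zip(hs, ids)))
    hp_sum = add(*(mul(h, pk) for h, pk in zip(hs, pks)))
    rhs = (pairing(P_T, q_sum) * pairing(V, add(*pks))
           * pairing(W, hp_sum) * pairing(T, R)) % P_MOD
    return pairing(S, P) == rhs


def demo(n=3, tamper=False):
    """Constructed run: n leaf nodes sign under one Delta, the root verifies."""
    k, P_T = setup()
    delta = b"2010-04-11T12:00:00Z"   # e.g. a coarse, shared clock value
    ids = [f"sensor-{i}".encode() for i in range(n)]
    keys = [user_key_gen() for _ in ids]
    pks = [pk for _, pk in keys]
    msgs = [f"reading {i}".encode() for i in range(n)]
    sigs = [sign(m, delta, i, pk, x, *partial_private_key_extract(k, i))
            for i, (x, pk), m in zip(ids, keys, msgs)]
    R, S = aggregate(sigs)
    if tamper:
        S = add(S, 1)   # any change to S breaks e(S, P) with certainty
    return aggregate_verify(P_T, delta, ids, pks, msgs, (R, S))
```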
Furthermore, if $\Delta$ is sufficiently long, then it will be statistically unique. To remove the one-time-use restriction on $\Delta$, Gentry and Ramzan also provided a method; for details, please refer to [8].

We note that, in this paper, we follow the original definition of certificateless cryptography in [2]. In this setting, the KGC can choose a secret key $x_i' \in \mathbb{Z}_q^*$ and compute $P_i' = x_i' P$ as the new public key of the user with identity $ID_i$. By this replacement, the KGC knows both the partial private key and the secret key of the user. This implies that the KGC can generate signatures on behalf of that user. It seems that both the KGC and a user may then deny having generated a signature. However, in [2], the authors introduced a binding technique (which can also be applied to our scheme) which ensures that users can only create one public key for which they know the corresponding private key. This way, systems in certificateless cryptography can enjoy the same trust level as systems in a traditional PKI. In other words, if the KGC replaces a public key, then the KGC necessarily leaves evidence of its bad behavior, and such an action can be easily detected, as the KGC is the only entity having that capability. Note that this scenario is equivalent to a CA forging a certificate in a traditional PKI system: the existence of two valid certificates for a single identity would implicate the CA as having behaved maliciously.

4. Security proof

Assuming that the CDH problem is hard, we now show the security of our CLAS scheme.

Theorem 1. In the random oracle model, if there exists a Type I adversary $\mathcal{A}$ who has an advantage $\varepsilon$ in forging a signature of our CLAS scheme in an attack modeled by Game 1, within a time span $t$ for a security parameter, then the CDH problem in $G_1$ can be solved within time
$$t + (4q_{H_1} + q_{H_2} + q_{H_3} + q_{H_4} + 2q_K + q_P + 6q_S)\,\tau_{G_1}$$
and with probability $\varepsilon' \geq [\text{bound garbled in source}] \cdot \varepsilon$, where $\tau_{G_1}$ is the time to compute a scalar multiplication in $G_1$ and $n$ is the size of the aggregating set.

Proof. Let $\mathcal{C}$ be a CDH attacker who receives a random instance $(P, aP, bP)$ of the CDH problem in $G_1$ and has to compute the value of $abP$. $\mathcal{A}$ is a Type I adversary who interacts with $\mathcal{C}$ as modeled in Game 1. We show how $\mathcal{C}$ can use $\mathcal{A}$ to solve the CDH problem, i.e. to compute $abP$.

To make the proof easy to read, we first briefly show where the reduction is. When the game begins, $\mathcal{C}$ sets $P_T = aP$, which is an instance of the CDH problem, and simulates the hash functions as random oracles. During the simulation, $\mathcal{C}$ needs to guess $\mathcal{A}$'s target identity (without loss of generality, say $ID_1^*$), message (without loss of generality, say $M_1$) and state information $\Delta^*$. $\mathcal{C}$ will set
$$Q_{1,0}^* = H_1(ID_1^*, 0) = \alpha_{1,0} P + \alpha'_{1,0}\, bP,\qquad Q_{1,1}^* = H_1(ID_1^*, 1) = \alpha_{1,1} P + \alpha'_{1,1}\, bP,$$
$$T^* = H_2(\Delta^*) = \beta^* P,\qquad V^* = H_3(\Delta^*) = \gamma^* P,\qquad W^* = H_4(\Delta^*) = \pi^* P$$
and $H_5(M_1, \Delta^*, ID_1^*, P_1^*) = h_1$. (For the other settings, please refer to our proof.) At the end of the game, $\mathcal{A}$ needs to output a set of $n$ users whose identities form the set $L_{ID} = \{ID_1^*, \ldots, ID_n^*\}$ and corresponding public keys form the set $L_{PK} = \{P_1^*, \ldots, P_n^*\}$, $n$ messages forming the set $L_M = \{M_1, \ldots, M_n\}$, a state information $\Delta^*$ and an aggregate signature $\sigma^*$. Since $\sigma^*$ is valid, we have
$$e(S^*, P) = e\Big(P_T,\ \sum_{i=1}^{n} Q_{i,0}^* + \sum_{i=1}^{n} h_i Q_{i,1}^*\Big)\, e\Big(V^*,\ \sum_{i=1}^{n} P_i^*\Big)\, e\Big(W^*,\ \sum_{i=1}^{n} h_i P_i^*\Big)\, e(T^*, R^*),$$
where $Q_{i,j}^* = H_1(ID_i^*, j)$, $j \in \{0, 1\}$. We note that
$$e\big(P_T,\ Q_{1,0}^* + h_1 Q_{1,1}^*\big) = e\big(aP,\ \alpha_{1,0} P + \alpha'_{1,0}\, bP + h_1 \alpha_{1,1} P + h_1 \alpha'_{1,1}\, bP\big).$$
It is easy to obtain
$$e(aP, bP) = \left(\frac{e\big(P_T,\ Q_{1,0}^* + h_1 Q_{1,1}^*\big)}{e\big(aP,\ (\alpha_{1,0} + h_1 \alpha_{1,1}) P\big)}\right)^{(\alpha'_{1,0} + h_1 \alpha'_{1,1})^{-1}}.$$
Furthermore,
$$e\big(P_T,\ Q_{1,0}^* + h_1 Q_{1,1}^*\big) = e(S^*, P)\, \left[ e\Big(P_T,\ \sum_{i=2}^{n} Q_{i,0}^* + \sum_{i=2}^{n} h_i Q_{i,1}^*\Big)\, e\Big(V^*,\ \sum_{i=1}^{n} P_i^*\Big)\, e\Big(W^*,\ \sum_{i=1}^{n} h_i P_i^*\Big)\, e(T^*, R^*) \right]^{-1}.$$
By our setting, for $2 \leq i \leq n$, $Q_{i,j}^* = \alpha_{i,j} P$, where $j \in \{0, 1\}$; hence $\mathcal{C}$ can get the solution of the CDH problem
$$abP = (\alpha'_{1,0} + h_1 \alpha'_{1,1})^{-1} \Big( S^* - \sum_{i=2}^{n} \alpha_{i,0} P_T - \sum_{i=2}^{n} \alpha_{i,1} h_i P_T - \gamma^* \sum_{i=1}^{n} P_i^* - \pi^* \sum_{i=1}^{n} h_i P_i^* - \beta^* R^* - (\alpha_{1,0} + h_1 \alpha_{1,1}) P_T \Big).$$

Next, we begin the concrete proof.

Setup: Firstly, $\mathcal{C}$ sets $P_T = aP$ and selects params $= (G_1, G_2, e, P, P_T, H_1, \ldots, H_5)$, then sends params to $\mathcal{A}$.

Attack: We consider the hash functions $H_1, \ldots, H_5$ as random oracles, and we assume $\mathcal{A}$ can ask at most $q_{H_i}$ $H_i$ queries ($i = 1, \ldots, 5$), $q_K$ Partial-Private-Key queries, $q_P$ Public-Key queries and $q_S$ Sign queries. $\mathcal{A}$ can perform the following types of queries in an adaptive manner.

$H_1$ queries: $\mathcal{C}$ maintains a list $\mathcal{H}_1$ of tuples $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, Q_{i,0}, Q_{i,1})$ which is initially empty. $\mathcal{C}$ picks $I \in [1, q_{H_1}]$ uniformly at random. Whenever $\mathcal{C}$ receives an $H_1$ query on $(ID_i, j)$ for $j \in \{0, 1\}$, $\mathcal{C}$ does the following:
(1) If there is a tuple $(ID_k, \alpha_{k,0}, \alpha'_{k,0}, \alpha_{k,1}, \alpha'_{k,1}, Q_{k,0}, Q_{k,1})$ on $\mathcal{H}_1$ such that $ID_i = ID_k$, return $Q_{k,j}$ as answer.
(2) Else if $i = I$, randomly choose $\alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1} \in \mathbb{Z}_q^*$, set $Q_{i,0} = \alpha_{i,0} P + \alpha'_{i,0}\, bP$, $Q_{i,1} = \alpha_{i,1} P + \alpha'_{i,1}\, bP$, add $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, Q_{i,0}, Q_{i,1})$ to $\mathcal{H}_1$ and return $Q_{i,j}$ as answer.
(3) Else set $\alpha'_{i,0} = 0$, $\alpha'_{i,1} = 0$, randomly choose $\alpha_{i,0}, \alpha_{i,1} \in \mathbb{Z}_q^*$, set $Q_{i,0} = \alpha_{i,0} P$, $Q_{i,1} = \alpha_{i,1} P$, add $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, Q_{i,0}, Q_{i,1})$ to $\mathcal{H}_1$ and return $Q_{i,j}$ as answer.

$H_2$ queries: $\mathcal{C}$ keeps an initially empty list $\mathcal{H}_2$ of tuples $(\Delta_i, T_i, \beta_i)$ and picks $J \in [1, q_{H_2}]$ uniformly at random. Whenever $\mathcal{A}$ issues a query $H_2(\Delta_i)$, the same answer from the list $\mathcal{H}_2$ will be given if the request has been asked before. Otherwise, $\mathcal{C}$ selects a random $\beta_i \in \mathbb{Z}_q^*$; if $i = J$, computes $T_i = \beta_i P$, else sets $T_i = \beta_i\, aP$. Finally, $\mathcal{C}$ adds $(\Delta_i, T_i, \beta_i)$ to $\mathcal{H}_2$ and returns $T_i$ as answer.

$H_3$ queries: $\mathcal{C}$ keeps a list $\mathcal{H}_3$ of tuples $(\Delta_j, V_j, \gamma_j)$. This list is initially empty. Whenever $\mathcal{A}$ issues a query $\Delta_i$ to $H_3$, the same answer from the list $\mathcal{H}_3$ will be given if the request has been asked before. Otherwise, $\mathcal{C}$ first selects a random $\gamma_i \in \mathbb{Z}_q^*$, then computes $V_i = \gamma_i P$, adds $(\Delta_i, V_i, \gamma_i)$ to $\mathcal{H}_3$ and returns $V_i$ as answer.

$H_4$ queries: $\mathcal{C}$ keeps a list $\mathcal{H}_4$ of tuples $(\Delta_j, W_j, \pi_j)$. This list is initially empty. Whenever $\mathcal{A}$ issues a query $\Delta_i$ to $H_4$, the same answer from the list $\mathcal{H}_4$ will be given if the request has been asked before. Otherwise, $\mathcal{C}$ first selects a random $\pi_i \in \mathbb{Z}_q^*$, then computes $W_i = \pi_i P$, adds $(\Delta_i, W_i, \pi_i)$ to $\mathcal{H}_4$ and returns $W_i$ as answer.

$H_5$ queries: $\mathcal{C}$ keeps a list $\mathcal{H}_5$ of tuples $(M_i, \Delta_i, ID_i, P_i, h_i)$. This list is initially empty. Whenever $\mathcal{A}$ issues a query $(M_i \| \Delta_i \| ID_i \| P_i)$ to $H_5$, the same answer from the list $\mathcal{H}_5$ will be given if the request has been asked before. Otherwise, $\mathcal{C}$ first submits $(ID_i, 0)$ to the $H_1$ oracle, then finds the tuple $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, Q_{i,0}, Q_{i,1})$ on $\mathcal{H}_1$, and finally does the following:
(1) If $ID_i = ID_I$ and $\Delta_i = \Delta_J$ (we assume that $\mathcal{A}$ can ask at most $q'$ such queries), randomly choose $K \in [1, q']$.
(a) If this is the $K$-th such query, set $h_i = -\alpha'_{i,0} / \alpha'_{i,1}$, add $(M_i, \Delta_i, ID_i, P_i, h_i)$ to $\mathcal{H}_5$ and return $h_i$.
(b) Else select a random $h_i \in \mathbb{Z}_q^*$, add $(M_i, \Delta_i, ID_i, P_i, h_i)$ to $\mathcal{H}_5$ and return $h_i$ as answer.

(2) Else, select a random $h_i \in \mathbb{Z}_q^*$, add $(M_i, \Delta_i, ID_i, P_i, h_i)$ to $\mathcal{H}_5$ and return $h_i$ as answer.

Partial-Private-Key queries: $\mathcal{C}$ keeps a list $\mathcal{K}$ of tuples $(ID_i, x_i, D_{i,0}, D_{i,1}, P_i)$. This list is initially empty. When $\mathcal{A}$ issues a query $PPK(ID_i)$, the same answer from the list $\mathcal{K}$ will be given if the request has been asked before. Otherwise, $\mathcal{C}$ checks whether there is a tuple $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, Q_{i,0}, Q_{i,1})$ on $\mathcal{H}_1$; if not, $\mathcal{C}$ makes an $H_1$ query on $(ID_i, j)$ ($j = 0$ or $1$) to generate such a tuple, and finally does as follows.
(1) If $ID_i = ID_I$, abort.
(2) Else if there is a tuple $(ID_i, x_i, D_{i,0}, D_{i,1}, P_i)$ on $\mathcal{K}$, set $D_{i,0} = \alpha_{i,0} P_T$, $D_{i,1} = \alpha_{i,1} P_T$ and return $(D_{i,0}, D_{i,1})$ as answer.
(3) Else, first compute $D_{i,0} = \alpha_{i,0} P_T$, $D_{i,1} = \alpha_{i,1} P_T$, set $x_i = P_i = \bot$, then return $(D_{i,0}, D_{i,1})$ as answer and add $(ID_i, x_i, D_{i,0}, D_{i,1}, P_i)$ to $\mathcal{K}$.

Public-Key queries: On receiving a query $PK(ID_i)$, if the request has been asked before, the current public key from the list $\mathcal{K}$ will be given. Otherwise, $\mathcal{C}$ does as follows.
(1) If there is a tuple $(ID_i, x_i, D_{i,0}, D_{i,1}, P_i)$ on $\mathcal{K}$ (in this case, the public key $P_i$ of $ID_i$ is $\bot$), choose $x_i \in \mathbb{Z}_q^*$, compute $P_i = x_i P$, return $P_i$ as answer and update the tuple $(ID_i, x_i, D_{i,0}, D_{i,1}, P_i)$ on $\mathcal{K}$ with the new $x_i$ and $P_i$.
(2) Otherwise, choose $x_i \in \mathbb{Z}_q^*$, compute $P_i = x_i P$, return $P_i$ as answer, set $D_{i,0} = D_{i,1} = \bot$ and add $(ID_i, x_i, D_{i,0}, D_{i,1}, P_i)$ to $\mathcal{K}$.

Secret-Key queries: On receiving a query $SK(ID_i)$, $\mathcal{C}$ first makes $PK(ID_i)$, then finds the tuple $(ID_i, x_i, D_{i,0}, D_{i,1}, P_i)$ on $\mathcal{K}$ and returns $x_i$ as answer (note that the value of $x_i$ may be $\bot$).

Public-Key-Replacement queries: $\mathcal{A}$ can choose a new public key $P_i'$ for the user whose identity is $ID_i$. On receiving a query $PKR(ID_i, P_i')$, $\mathcal{C}$ first finds the tuple $(ID_i, x_i, D_{i,0}, D_{i,1}, P_i)$ on $\mathcal{K}$ (if such a tuple does not exist on $\mathcal{K}$ or $P_i = \bot$, $\mathcal{C}$ first makes $PK(ID_i)$), then $\mathcal{C}$ updates $P_i$ to $P_i'$.

Sign queries: On receiving a Sign query $S(\Delta_i, M_i, ID_i, P_i)$, $\mathcal{C}$ first makes the $H_1(ID_i, 0)$, $H_1(ID_i, 1)$, $H_2(\Delta_i)$, $H_3(\Delta_i)$, $H_4(\Delta_i)$ and $H_5(M_i \| \Delta_i \| ID_i \| P_i)$ queries if they have not been queried before, then recovers $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, Q_{i,0}, Q_{i,1})$ from $\mathcal{H}_1$, $(\Delta_i, T_i, \beta_i)$ from $\mathcal{H}_2$, $(\Delta_i, V_i, \gamma_i)$ from $\mathcal{H}_3$, $(\Delta_i, W_i, \pi_i)$ from $\mathcal{H}_4$ and $(M_i, \Delta_i, ID_i, P_i, h_i)$ from $\mathcal{H}_5$, and generates the signature as follows.
(1) If $ID_i = ID_I$, $\Delta_i = \Delta_J$ and $h_i = -\alpha'_{i,0}/\alpha'_{i,1}$, choose $R_i \in G_1$, compute $S_i = \beta_i R_i + \gamma_i P_i + \pi_i h_i P_i + \alpha_{i,0} P_T + \alpha_{i,1} h_i P_T$, and output $\sigma_i = (R_i, S_i)$.
(2) Else if $ID_i = ID_I$ and $\Delta_i = \Delta_J$, abort.
(3) Else if $ID_i = ID_I$, choose $r_i \in \mathbb{Z}_q^*$, set $R_i = r_i P - \beta_i^{-1}(Q_{i,0} + h_i Q_{i,1})$, compute $S_i = \gamma_i P_i + \pi_i h_i P_i + r_i T_i$, and output $\sigma_i = (R_i, S_i)$.
(4) Else, randomly choose $r_i \in \mathbb{Z}_q^*$, compute $R_i = r_i P$, set $S_i = \alpha_{i,0} P_T + h_i \alpha_{i,1} P_T + \gamma_i P_i + h_i \pi_i P_i + r_i T_i$, and output $\sigma_i = (R_i, S_i)$.
Note that in our CLAS scheme $\Delta_i$ is for one-time use only. Hence, it is reasonable for $\mathcal{C}$ to abort when $ID_i = ID_I$, $\Delta_i = \Delta_J$ and $h_i \neq -\alpha'_{i,0}/\alpha'_{i,1}$.

Forgery: Eventually, $\mathcal{A}$ returns a set of $n$ users whose identities form the set $L_{ID} = \{ID_1^*, \ldots, ID_n^*\}$ and corresponding public keys form the set $L_{PK} = \{P_1^*, \ldots, P_n^*\}$, $n$ messages forming the set $L_M = \{M_1, \ldots, M_n\}$, a state information $\Delta^*$ and a forged aggregate signature $\sigma^* = (R^*, S^*)$. $\mathcal{C}$ recovers $(\Delta^*, T^*, \beta^*)$ from $\mathcal{H}_2$, $(\Delta^*, V^*, \gamma^*)$ from $\mathcal{H}_3$, $(\Delta^*, W^*, \pi^*)$ from $\mathcal{H}_4$, and the tuples $(ID_i^*, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, Q_{i,0}^*, Q_{i,1}^*)$ from $\mathcal{H}_1$ and $(M_i, \Delta^*, ID_i^*, P_i^*, h_i)$ from $\mathcal{H}_5$ for all $i$, $1 \leq i \leq n$. It is required that $\Delta^* = \Delta_J$ and that there exists $i \in \{1, \ldots, n\}$ such that $ID_i^* = ID_I$, $h_i \neq -\alpha'_{i,0}/\alpha'_{i,1}$ and $\mathcal{A}$ has not made an $S(\Delta^*, M_i, ID_i^*, P_i^*)$ query. Without loss of generality, we let $i = 1$. In addition, the forged aggregate signature must satisfy
$$e(S^*, P) = e\Big(P_T,\ \sum_{i=1}^{n} Q_{i,0}^* + \sum_{i=1}^{n} h_i Q_{i,1}^*\Big)\, e\Big(V^*,\ \sum_{i=1}^{n} P_i^*\Big)\, e\Big(W^*,\ \sum_{i=1}^{n} h_i P_i^*\Big)\, e(T^*, R^*).$$
Otherwise, $\mathcal{C}$ aborts.

If $\mathcal{C}$ does not abort, from the above equation we have
$$e\big(P_T,\ Q_{1,0}^* + h_1 Q_{1,1}^*\big) = e(S^*, P)\, \left[ e\Big(P_T,\ \sum_{i=2}^{n} Q_{i,0}^* + \sum_{i=2}^{n} h_i Q_{i,1}^*\Big)\, e\Big(V^*,\ \sum_{i=1}^{n} P_i^*\Big)\, e\Big(W^*,\ \sum_{i=1}^{n} h_i P_i^*\Big)\, e(T^*, R^*) \right]^{-1}.$$
By our setting, $Q_{1,0}^* = \alpha_{1,0} P + \alpha'_{1,0}\, bP$, $Q_{1,1}^* = \alpha_{1,1} P + \alpha'_{1,1}\, bP$, $T^* = \beta^* P$, $V^* = \gamma^* P$, $W^* = \pi^* P$, and for $2 \leq i \leq n$, $Q_{i,j}^* = \alpha_{i,j} P$, where $j \in \{0, 1\}$; hence $\mathcal{C}$ can compute
$$abP = (\alpha'_{1,0} + h_1 \alpha'_{1,1})^{-1} \Big( S^* - \sum_{i=2}^{n} \alpha_{i,0} P_T - \sum_{i=2}^{n} \alpha_{i,1} h_i P_T - \gamma^* \sum_{i=1}^{n} P_i^* - \pi^* \sum_{i=1}^{n} h_i P_i^* - \beta^* R^* - (\alpha_{1,0} + h_1 \alpha_{1,1}) P_T \Big).$$

To complete the proof, we shall show that $\mathcal{C}$ solves the given instance of the CDH problem with probability at least $\varepsilon'$. First, we analyze the four events needed for $\mathcal{C}$ to succeed:
R1: $\mathcal{C}$ does not abort as a result of any of $\mathcal{A}$'s Partial-Private-Key queries.
R2: $\mathcal{C}$ does not abort as a result of any of $\mathcal{A}$'s Sign queries.
R3: $\mathcal{A}$ generates a valid and nontrivial aggregate signature forgery.
R4: Event R3 occurs, $\Delta^* = \Delta_J$ and there exists $i \in \{1, \ldots, n\}$ such that $ID_i^* = ID_I$ and $h_i \neq -\alpha'_{i,0}/\alpha'_{i,1}$ (as mentioned previously, we assume $i = 1$).
$\mathcal{C}$ succeeds if all of these events happen. The probability $\Pr[R1 \wedge R2 \wedge R3 \wedge R4]$ can be decomposed as
$$\Pr[R1 \wedge R2 \wedge R3 \wedge R4] = \Pr[R1]\, \Pr[R2 \mid R1]\, \Pr[R3 \mid R1 \wedge R2]\, \Pr[R4 \mid R1 \wedge R2 \wedge R3].$$

Claim 1. The probability that $\mathcal{C}$ does not abort as a result of $\mathcal{A}$'s key extraction queries is at least $\left(1 - \frac{1}{q_{H_1}}\right)^{q_K}$. Hence we have

7 2488 L. Zhang et al. / Computer Networks 4 (21) Pr½R1Š P : 1 Proof. For a Partial-Private-Key query, C will abort iff the query is on ID 1 ¼ ID I. It is easy to see that the probability C does not abort for a Partial-Private-Key query is. 1 Since A can make at most q K times Partial-Private-Key queries, the probability that C does not abort as a result of A s Partial-Private-Key queries is at least. h 1 Claim 2. The probability that C does not abort as a result of A s signature queries is at least Thus there hold Pr½R2jR1Š P 1 : 1 2 Proof. When C receives a Sign query, he will abort iff ID i = ID I,D i = D J and h i a i; =a i;1 happens. So for a Sign query, the probability that C does not abort is Since A makes at most q S times Sign queries, the probability that C does not abort as a result ofa s Sign queries is at least h Claim 3. Pr[R3jR1 ^ R2] P e. Proof. If algorithm C does not abort as a result of A s signature queries and key extraction queries then algorithm A s view is identical to its view in the real attack. Hence, Pr[R3jR1 ^ R2] P e. h Claim 4. The probability that C does not abort after A outputting a valid and nontrivial forgery is at least Hence Pr½R4jR1 ^ R2 ^ R3Š P : Proof. Events R1, R2 and R3 have occurred, C will abort unless A generates a forgery such that ID 1 ¼ ID I; D ¼ D J and h 1 a 1; =a 1;1. Therefore, Pr½R3jR1 ^ R2Š P h Totally, we have e ¼ Pr½R1 ^ R2 ^ R3 ^ R4Š P e: 2 1 Theorem 2. In the random oracle model, if there exists a type II adversary A has an advantage e in forging a signature of our CLAS scheme in an attack modeled by Game 2, within a time span t for a security parameter ; then the CDH problem in G 1 can be solved within time t þð2 þ 23 þ 24 þ q P þ 6q S Þs G1 and with probability e P e: P q P 2 q P 2 Proof. Let C be a CDH attacker who receives a random instance (P,aP,bP) of the CDH problem in G 1 and has to compute the value of abp. A is a type II adversary who interacts with C as defined in Game 2. 
We show how $\mathcal{C}$ can use $\mathcal{A}$ to solve the CDH problem, i.e. to compute $abP$.
Setup: Firstly, $\mathcal{C}$ selects a random $k \in \mathbb{Z}_q$ as the master key, computes $P_T = kP$, then selects the system parameters $params = (G_1, G_2, e, P, P_T, H_1, \dots, H_5)$. When the simulation is started, $\mathcal{A}$ is provided with $params$ and the master key $k$. Since $\mathcal{A}$ has access to the master key, it can run Partial-Private-Key-Extract itself.
Attack: We assume $\mathcal{A}$ asks at most $q_{H_i}$ $H_i$ queries ($i = 2, \dots, 5$), $q_P$ Public-Key queries, $q_K$ Secret-Key queries and $q_S$ Sign queries. $\mathcal{A}$ can perform the following types of queries in an adaptive manner. Note that we need not model the hash function $H_1$ as a random oracle in this case.
$H_2$ queries: $\mathcal{C}$ keeps an initially empty list $H_2^{list}$ of tuples $(\Delta_i, T_i, b_i)$ and randomly selects $I \in [1, q_{H_2}]$. Whenever $\mathcal{A}$ issues a query $H_2(\Delta_i)$, the same answer from $H_2^{list}$ is given if the request has been asked before. Otherwise, $\mathcal{C}$ selects a random $b_i \in \mathbb{Z}_q$; if $i = I$, it computes $T_i = b_i P$, else it sets $T_i = b_i\,aP$. Finally, $\mathcal{C}$ adds $(\Delta_i, T_i, b_i)$ to $H_2^{list}$ and returns $T_i$ as the answer.
$H_3$ queries: $\mathcal{C}$ keeps an initially empty list $H_3^{list}$ of tuples $(\Delta_i, V_i, c_i, c'_i)$. Whenever $\mathcal{A}$ issues a query $H_3(\Delta_i)$, the same answer from $H_3^{list}$ is given if the request has been asked before. Otherwise, $\mathcal{C}$ randomly selects $c_i, c'_i \in \mathbb{Z}_q$, computes $V_i = c_i P + c'_i\,aP$, adds $(\Delta_i, V_i, c_i, c'_i)$ to $H_3^{list}$ and returns $V_i$ as the answer.
$H_4$ queries: $\mathcal{C}$ keeps an initially empty list $H_4^{list}$ of tuples $(\Delta_i, W_i, p_i, p'_i)$. Whenever $\mathcal{A}$ issues a query $H_4(\Delta_i)$, the same answer from $H_4^{list}$ is given if the request has been asked before. Otherwise, $\mathcal{C}$ randomly selects $p_i, p'_i \in \mathbb{Z}_q$, computes $W_i = p_i P + p'_i\,aP$, adds $(\Delta_i, W_i, p_i, p'_i)$ to $H_4^{list}$ and returns $W_i$ as the answer.
Public-Key queries: $\mathcal{C}$ keeps an initially empty list $K^{list}$ of tuples $(ID_i, x_i, P_i)$ and chooses $J \in [1, q_P]$.
On receiving a query $PK(ID_i)$, the same answer from $K^{list}$ is given if the request has been asked before. Otherwise, $\mathcal{C}$ selects $x_i \in \mathbb{Z}_q$ and does the following.
(1) If $i = J$, set $P_i = x_i\,bP$, add $(ID_i, x_i, P_i)$ to $K^{list}$ and return $P_i$ as the answer.
(2) Else, compute $P_i = x_i P$, add $(ID_i, x_i, P_i)$ to $K^{list}$ and return $P_i$ as the answer.
$H_5$ queries: $\mathcal{C}$ keeps an initially empty list $H_5^{list}$ of tuples $(M_i, \Delta_i, ID_i, P_i, h_i)$. Whenever $\mathcal{A}$ issues a query $H_5(M_i\|\Delta_i\|ID_i\|P_i)$, the same answer from $H_5^{list}$ is given if the request has been asked before. Otherwise, $\mathcal{C}$ first makes the $H_2(\Delta_i)$, $H_3(\Delta_i)$, $H_4(\Delta_i)$ and $PK(ID_i)$ queries, then finds $(\Delta_i, T_i, b_i)$ on $H_2^{list}$, $(\Delta_i, V_i, c_i, c'_i)$ on $H_3^{list}$, $(\Delta_i, W_i, p_i, p'_i)$ on $H_4^{list}$ and $(ID_i, x_i, P_i)$ on $K^{list}$, and finally does the following:
(1) If $\Delta_i = \Delta_I$ and $P_i = P_J$ (we assume that $\mathcal{A}$ can ask at most $q_{H_5}$ such queries, and $\mathcal{C}$ chooses $K \in [1, q_{H_5}]$ at random before the first of them):
(a) If it is the $K$-th such query, set $h_i = -c'_i/p'_i$, add $(M_i, \Delta_i, ID_i, P_i, h_i)$ to $H_5^{list}$ and return $h_i$ as the answer.
(b) Else select a random $h_i \in \mathbb{Z}_q$, add $(M_i, \Delta_i, ID_i, P_i, h_i)$ to $H_5^{list}$ and return $h_i$ as the answer.
(2) Else select a random $h_i \in \mathbb{Z}_q$, add $(M_i, \Delta_i, ID_i, P_i, h_i)$ to $H_5^{list}$ and return $h_i$ as the answer.
Secret-Key queries: On receiving a query $SK(ID_i)$, $\mathcal{C}$ first makes $PK(ID_i)$, then recovers the tuple $(ID_i, x_i, P_i)$ from $K^{list}$. If $ID_i = ID_J$, $\mathcal{C}$ aborts; otherwise, it returns $x_i$ as the answer.
Sign queries: On receiving a Sign query $\mathcal{S}(M_i, \Delta_i, ID_i, P_i)$, $\mathcal{C}$ first makes the $H_2(\Delta_i)$, $H_3(\Delta_i)$, $H_4(\Delta_i)$, $H_5(M_i\|\Delta_i\|ID_i\|P_i)$ and $PK(ID_i)$ queries if they have not been made before, then finds the tuples $(\Delta_i, T_i, b_i)$ on $H_2^{list}$, $(\Delta_i, V_i, c_i, c'_i)$ on $H_3^{list}$, $(\Delta_i, W_i, p_i, p'_i)$ on $H_4^{list}$, $(M_i, \Delta_i, ID_i, P_i, h_i)$ on $H_5^{list}$ and $(ID_i, x_i, P_i)$ on $K^{list}$, and generates the signature as follows:
(1) If $\Delta_i = \Delta_I$, $P_i = P_J$ and $h_i = -c'_i/p'_i$, randomly choose $R_i \in G_1$, compute $S_i = k\big(H_1(ID_i,0) + h_i H_1(ID_i,1)\big) + c_i P_i + p_i h_i P_i + b_i R_i$ and output $\sigma_i = (R_i, S_i)$.
(2) Else if $\Delta_i = \Delta_I$ and $P_i = P_J$, abort.
(3) Else if $P_i = P_J$, choose $r_i \in \mathbb{Z}_q$, set $R_i = r_i P - b_i^{-1}(c'_i + p'_i h_i)P_i$, compute $S_i = r_i T_i + (c_i + p_i h_i)P_i + k\big(H_1(ID_i,0) + h_i H_1(ID_i,1)\big)$ and output $\sigma_i = (R_i, S_i)$.
(4) Else, randomly choose $r_i \in \mathbb{Z}_q$, compute $R_i = r_i P$ and $S_i = k\big(H_1(ID_i,0) + h_i H_1(ID_i,1)\big) + x_i V_i + h_i x_i W_i + r_i T_i$, and output $\sigma_i = (R_i, S_i)$.
Forgery: Finally, $\mathcal{A}$ returns a set of $n$ users whose identities form the set $L_{ID} = \{ID_1^*, \dots, ID_n^*\}$ and whose corresponding public keys form the set $L_{PK} = \{P_1^*, \dots, P_n^*\}$, $n$ messages forming the set $L_M = \{M_1^*, \dots, M_n^*\}$, a state information $\Delta^*$ and a forged aggregate signature $\sigma^* = (R^*, S^*)$. $\mathcal{C}$ recovers $(\Delta^*, T^*, b^*)$ from $H_2^{list}$, $(\Delta^*, V^*, c^*, c'^*)$ from $H_3^{list}$, $(\Delta^*, W^*, p^*, p'^*)$ from $H_4^{list}$, and the tuples $(M_i^*, \Delta^*, ID_i^*, P_i^*, h_i)$ from $H_5^{list}$ and $(ID_i^*, x_i, P_i^*)$ from $K^{list}$ for all $i$, $1 \le i \le n$. It is required that $\Delta^* = \Delta_I$ and that there exists $i \in \{1, \dots, n\}$ such that $P_i^* = P_J$, $h_i \neq -c'^*/p'^*$ and $\mathcal{S}(M_i^*, \Delta^*, ID_i^*, P_i^*)$ has never been queried. Without loss of generality, we let $i = 1$. In addition, the forged aggregate signature must satisfy
$$e(S^*, P) = e\Big(P_T,\ \sum_{i=1}^n Q_{i,0} + \sum_{i=1}^n h_i Q_{i,1}\Big)\; e\Big(V^*,\ \sum_{i=1}^n P_i^*\Big)\; e\Big(W^*,\ \sum_{i=1}^n h_i P_i^*\Big)\; e(T^*, R^*),$$
where $Q_{i,j} = H_1(ID_i^*, j)$, $j \in \{0, 1\}$. Otherwise, $\mathcal{C}$ aborts. If $\mathcal{C}$ does not abort, we have
$$abP = \frac{1}{c'^* x_1 + p'^* h_1 x_1}\Big(S^* - k\sum_{i=1}^n (Q_{i,0} + h_i Q_{i,1}) - \sum_{i=2}^n x_i V^* - \sum_{i=2}^n h_i x_i W^* - b^* R^* - c^* P_1^* - p^* h_1 P_1^*\Big),$$
since $P_1^* = x_1\,bP$, $T^* = b^*P$, $V^* = c^*P + c'^*\,aP$ and $W^* = p^*P + p'^*\,aP$.
Now we determine the probability $\varepsilon'$ for $\mathcal{C}$ to solve the given instance of the CDH problem. We analyze the four events needed for $\mathcal{C}$ to succeed:
R5: $\mathcal{C}$ does not abort as a result of any of $\mathcal{A}$'s Secret-Key queries.
R6: $\mathcal{C}$ does not abort as a result of any of $\mathcal{A}$'s Sign queries.
R7: $\mathcal{A}$ generates a valid and nontrivial aggregate signature forgery.
R8: Event R7 occurs, $\Delta^* = \Delta_I$, $P_1^* = P_J$ and $h_1 \neq -c'^*/p'^*$.
$\mathcal{C}$ succeeds if all of these events happen. The probability $\Pr[R5 \wedge R6 \wedge R7 \wedge R8]$ can be decomposed as
$$\Pr[R5 \wedge R6 \wedge R7 \wedge R8] = \Pr[R5]\,\Pr[R6 \mid R5]\,\Pr[R7 \mid R5 \wedge R6]\,\Pr[R8 \mid R5 \wedge R6 \wedge R7].$$
Similar to Theorem 1, we have
$$\Pr[R5] \ge \Big(1 - \frac{1}{q_P}\Big)^{q_K},\qquad \Pr[R6 \mid R5] \ge \Big(1 - \frac{1 - 1/q_{H_5}}{q_P q_{H_2}}\Big)^{q_S},$$
$$\Pr[R7 \mid R5 \wedge R6] \ge \varepsilon,\qquad \Pr[R8 \mid R5 \wedge R6 \wedge R7] \ge \frac{1}{q_P q_{H_2}}\Big(1 - \frac{1}{q_{H_5}}\Big).$$
Finally, we have
$$\varepsilon' = \Pr[R5 \wedge R6 \wedge R7 \wedge R8] \ge \Big(1 - \frac{1}{q_P}\Big)^{q_K}\Big(1 - \frac{1 - 1/q_{H_5}}{q_P q_{H_2}}\Big)^{q_S}\frac{1}{q_P q_{H_2}}\Big(1 - \frac{1}{q_{H_5}}\Big)\varepsilon.$$
5. Comparison
In this section we compare our scheme with the schemes in [9,21]. Firstly, we list some costly operations, i.e. Pairing Operation ($P$), Scalar Multiplication in $G_1$ ($S$) and MapToPoint Hash ($H$).
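The two reductions above rest on a fair amount of bookkeeping: the simulated signatures must pass the verification equation exactly, and the extraction formulas must cancel every term except $abP$. Before turning to the cost comparison, this algebra can be checked mechanically. The script below is an added example, not code from the paper: it models $G_1$ as $\mathbb{Z}_q$ (the point $sP$ is represented by the scalar $s$, so $P$ is $1$) and the pairing $e(sP, tP)$ by $st \bmod q$, which throws away all security (every discrete logarithm is visible) but preserves the algebra exactly. With that model it confirms that cases (1), (3) and (4) of the Sign oracle in Theorem 1 produce valid signatures, and that both extraction formulas return $abP$. The modulus $q$, the hash outputs and all scalars are constructed at random here; none of it is a pairing-friendly group.

```python
# Toy model of the CLAS algebra.  G1 is Z_q under addition: the point sP is
# represented by the scalar s (so P itself is 1) and the pairing e(sP, tP)
# is modelled by s*t mod q, so products of pairing values become sums.
# This has no security at all (every discrete log is in plain view); it only
# checks that the scheme's equations and the two reductions balance.
import secrets

q = (1 << 127) - 1            # prime modulus of the toy model (constructed)


def rnd():
    return secrets.randbelow(q - 1) + 1


def e(s, t):                  # toy pairing: e(sP, tP) -> s*t
    return s * t % q


def sign(d0, d1, x, T, V, W, h):
    """Honest signer: partial keys d_j = lambda*Q_{ID,j}, secret value x."""
    r = rnd()
    return r, (d0 + h * d1 + x * V + h * x * W + r * T) % q   # (R, S), R = rP


def aggregate(sigs):
    return sum(R for R, _ in sigs) % q, sum(S for _, S in sigs) % q


def agg_verify(PT, Q, P, h, T, V, W, R, S):
    """e(S,P) = e(PT, sum Q_{i,0}+h_i Q_{i,1}) e(V, sum P_i) e(W, sum h_i P_i) e(T,R)."""
    n = len(P)
    rhs = e(PT, sum(Q[i][0] + h[i] * Q[i][1] for i in range(n)))
    rhs += e(V, sum(P)) + e(W, sum(h[i] * P[i] for i in range(n))) + e(T, R)
    return e(S, 1) == rhs % q


def theorem1_sign_oracle():
    """Type I simulator (P_T = aP, Q_{I,j} = a_j P + a'_j bP): cases (1),(3),(4)."""
    a, b = rnd(), rnd()
    PT = a
    A0, A1, Ap0, Ap1 = rnd(), rnd(), rnd(), rnd()
    QI = ((A0 + Ap0 * b) % q, (A1 + Ap1 * b) % q)   # Q_{I,0}, Q_{I,1}
    Pi, c, p = rnd(), rnd(), rnd()                    # P_i = x_i P, V = cP, W = pP
    ok = []
    # case (1): ID_I under Delta_J (T = b_J P) and h = -a'_0/a'_1: R is free
    bJ, R = rnd(), rnd()
    h = -Ap0 * pow(Ap1, -1, q) % q
    S = (bJ * R + c * Pi + p * h * Pi + A0 * PT + A1 * h * PT) % q
    ok.append(agg_verify(PT, [QI], [Pi], [h], bJ, c, p, R, S))
    # case (3): ID_I under another state (T = b_i aP): R absorbs the abP term
    bi, h, r = rnd(), rnd(), rnd()
    T = bi * a % q
    R = (r - pow(bi, -1, q) * (Ap0 + h * Ap1) * b) % q
    S = ((A0 + h * A1) * PT + c * Pi + p * h * Pi + r * T) % q
    ok.append(agg_verify(PT, [QI], [Pi], [h], T, c, p, R, S))
    # case (4): another identity, Q_{i,j} = a_{i,j} P: nothing to cancel
    Qi, h, r = (rnd(), rnd()), rnd(), rnd()
    S = (Qi[0] * PT + h * Qi[1] * PT + c * Pi + h * p * Pi + r * T) % q
    ok.append(agg_verify(PT, [Qi], [Pi], [h], T, c, p, r, S))
    return all(ok)


def theorem1_extraction(n=3):
    """Theorem 1 forgery step: ID_1 = ID_I, Delta* = Delta_J, recover abP."""
    a, b = rnd(), rnd()
    PT = a
    A = [(rnd(), rnd()) for _ in range(n)]            # a_{i,0}, a_{i,1}
    Ap = (rnd(), rnd())                                # a'_{1,0}, a'_{1,1}
    Q = [((A[0][0] + Ap[0] * b) % q, (A[0][1] + Ap[1] * b) % q)] + A[1:]
    P = [rnd() for _ in range(n)]                      # P_i = x_i P, so x_i == P_i here
    bs, cs, ps = rnd(), rnd(), rnd()                   # T* = b*P, V* = c*P, W* = p*P
    h = [rnd() for _ in range(n)]
    # the forger is played by honest signers; they know a only because this is a toy
    R, S = aggregate([sign(a * Q[i][0] % q, a * Q[i][1] % q, P[i], bs, cs, ps, h[i])
                      for i in range(n)])
    assert agg_verify(PT, Q, P, h, bs, cs, ps, R, S)
    num = (S - sum((A[i][0] + A[i][1] * h[i]) * PT for i in range(1, n))
           - cs * sum(P) - ps * sum(h[i] * P[i] for i in range(n)) - bs * R
           - (A[0][0] + h[0] * A[0][1]) * PT) % q
    return num * pow(Ap[0] + h[0] * Ap[1], -1, q) % q == a * b % q


def theorem2_extraction(n=3):
    """Theorem 2 forgery step: P_1 = P_J = x_1 bP, Delta* = Delta_I, recover abP."""
    a, b, k = rnd(), rnd(), rnd()                      # k is the master key (known to C)
    Q = [(rnd(), rnd()) for _ in range(n)]             # H_1 values, no oracle needed
    x = [rnd() for _ in range(n)]
    sk = [x[0] * b % q] + x[1:]                        # user 1's secret value x_1 b is unknown to C
    P = sk                                             # P_i = sk_i P
    bs, cs, cp, ps, pp = (rnd() for _ in range(5))
    T, V, W = bs, (cs + cp * a) % q, (ps + pp * a) % q  # T*=b*P, V*=c*P+c'*aP, W*=p*P+p'*aP
    h = [rnd() for _ in range(n)]
    R, S = aggregate([sign(k * Q[i][0] % q, k * Q[i][1] % q, sk[i], T, V, W, h[i])
                      for i in range(n)])
    assert agg_verify(k, Q, P, h, T, V, W, R, S)
    num = (S - k * sum(Q[i][0] + h[i] * Q[i][1] for i in range(n))
           - sum(x[i] * V for i in range(1, n)) - sum(h[i] * x[i] * W for i in range(1, n))
           - bs * R - cs * P[0] - ps * h[0] * P[0]) % q
    return num * pow(x[0] * (cp + h[0] * pp), -1, q) % q == a * b % q
```

All three check functions return True. Deleting a term from either extraction formula, or the $(a_{i,0} + h_i a_{i,1})P_T$ term from case (3) of the Type I Sign oracle, makes the corresponding check fail, which is exactly the kind of bookkeeping slip such a model is meant to catch before a reduction is trusted.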
Among those operations, the pairing operation is the most time-consuming one. We use the notation SL for signature length, PKL for public key length, and $|P_1|$ for the length of a point in $G_1$. We omit the cost of the operations which can be pre-computed by the signer, such as $H_1(ID_i, j)$ (see Table 1).

Table 1
Comparison of three CLAS schemes.

Scheme                  Sign       Aggregate Verify          SL            PKL
First scheme in [9]     2S, H      (4n+1)P, 2nH              (n+1)|P_1|    2|P_1|
Second scheme in [9]    3S, H      (3n+2)P, nS, 3nH          2|P_1|        2|P_1|
Scheme in [21]          3S, 2H     (n+3)P, (2n+1)H           (n+1)|P_1|    1|P_1|
Our scheme              5S, 3H     5P, 2nS, (2n+3)H          2|P_1|        1|P_1|

From the table, the Sign procedure of our scheme is slightly less efficient than that of the schemes in [9,21]. However, our Aggregate Verify procedure is much more efficient than those of the schemes in [9,21]: it needs five pairings regardless of $n$, whereas the others need a number of pairings that grows with $n$. For application purposes the practicality of an aggregate signature scheme is mainly dominated by the Aggregate Verify algorithm, because the verifier must verify $n$ different signatures generated in a distributed way by $n$ users. This implies that our scheme may enjoy better practicality. As for the signature size, our signature requires only two elements in $G_1$, approximately 320 bits. Note that in CL-PKC a signer has to send the signature together with the corresponding public key to a verifier. One can see that our scheme is the most bandwidth-saving one among the three schemes, observing that the public key of a user in our scheme is only one element in $G_1$.

6. Conclusion
We presented an efficient certificateless aggregate signature scheme. The proposal is proven existentially unforgeable against adaptively chosen-message attacks in the random oracle model, assuming that the CDH problem is hard. Our CLAS scheme can be applied to authentication in bandwidth-limited scenarios such as many-to-one communications.

Acknowledgments
This work is supported by the Spanish Government through projects TSI2007-65406-C03-01 E-AEGIS and CONSOLIDER INGENIO 2010 CSD2007-00004 ARES, by the Government of Catalonia under grant 2009 SGR 1135, and by Chinese NSF projects, including 60673070. The views of the author with the UNESCO Chair in Data Privacy do not necessarily reflect the position of UNESCO nor commit that organization.

References
[1] C.K. Miller, Multicast Networking and Applications, Addison Wesley, Reading, MA.
[2] S. Al-Riyami, K. Paterson, Certificateless public key cryptography, in: ASIACRYPT 2003, LNCS, vol. 2894, 2003.
[3] M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in: ACM CCS 93, 1993.
[4] D. Boneh, C. Gentry, B. Lynn, H. Shacham, Aggregate and verifiably encrypted signatures from bilinear maps, in: EUROCRYPT 2003, LNCS, vol. 2656, 2003.
[5] D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, in: ASIACRYPT 2001, LNCS, vol. 2248, 2001.
[6] X. Cheng, J. Liu, X. Wang, Identity-based aggregate and verifiably encrypted signatures from bilinear pairing, in: ICCSA 2005, LNCS, vol. 3483, 2005.
[7] J. Cheon, Y. Kim, H. Yoon, A new ID-based signature with batch verification, Cryptology ePrint Archive, Report 2004/060, 2004.
[8] C. Gentry, Z. Ramzan, Identity-based aggregate signatures, in: PKC 2006, LNCS, vol. 3958, 2006.
[9] Z. Gong, Y. Long, X. Hong, K. Chen, Two certificateless aggregate signatures from bilinear maps, in: IEEE SNPD 2007, vol. 3, 2007, <Certificateless_Aggregate_Signatures_From_Bilinear_Maps.pdf>.
[10] J. Herranz, Deterministic identity-based aggregate signatures for partial aggregation, The Computer Journal 49 (3) (2006).
[11] B. Hu, D. Wong, Z. Zhang, X. Deng, Key replacement attack against a generic construction of certificateless signature, in: ACISP 2006, LNCS, vol. 4058, 2006.
[12] X. Huang, W. Susilo, Y. Mu, F. Zhang, On the security of a certificateless signature scheme, in: CANS 2005, LNCS, vol. 3810, 2005.
[13] X. Huang, Y. Mu, W. Susilo, D. Wong, W. Wu, Certificateless signature revisited, in: ACISP 2007, LNCS, vol. 4586, 2007.
[14] J. Liu, M. Au, W. Susilo, Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model, in: ACM ASIACCS 2007, 2007.
[15] J. Park, An attack on the certificateless signature scheme from EUC Workshops 2006, Cryptology ePrint Archive, Report 2006/442, 2006.
[16] A. Shamir, Identity based cryptosystems and signature schemes, in: CRYPTO 84, LNCS, vol. 196, 1984.
[17] J. Xu, Z. Zhang, D. Feng, ID-based aggregate signatures from bilinear pairings, in: CANS 2005, LNCS, vol. 3810, 2005.
[18] W. Yap, S. Heng, B. Goi, An efficient certificateless signature scheme, in: EUC Workshops 2006, LNCS, vol. 4097, 2006.
[19] Z. Zhang, D. Feng, Key replacement attack on a certificateless signature scheme, Cryptology ePrint Archive, Report 2006/453, 2006.
[20] Z. Zhang, D. Wong, J. Xu, D. Feng, Certificateless public-key signature: security model and efficient construction, in: ACNS 2006, LNCS, vol. 3989, 2006.
[21] L. Zhang, F. Zhang, A new certificateless aggregate signature scheme, Computer Communications (2009), doi:10.1016/j.comcom.
[22] L. Zhang, F. Zhang, A new provably secure certificateless signature scheme, in: IEEE ICC 2008, 2008.

Lei Zhang is currently a PhD candidate in the Department of Computer Engineering and Mathematics at Universitat Rovira i Virgili, Tarragona, Catalonia. His research interests include public key cryptography, network security and information security. He has authored/coauthored over 20 publications.

Bo Qin obtained her PhD from Xidian University in 2008. She is now a postdoctoral researcher with Universitat Rovira i Virgili in Catalonia. Her research interests include cryptography, data privacy and network security. She has been a holder/coholder of five R+D funds from the Spanish/Chinese governments, and has authored/coauthored over 30 publications in information security.

Qianhong Wu has been an associate research fellow with the University of Wollongong in Australia and an associate professor with Wuhan University in China, and is now a senior researcher with Universitat Rovira i Virgili in Catalonia. His research interests include cryptography, information security and privacy, and ad hoc network security. He has been a holder/coholder of six R+D funds from the Spanish/Chinese/Australian governments, and has authored over 60 publications. He has served on the program committees of several international conferences on information security and privacy. Dr. Qianhong Wu is a member of the International Association for Cryptologic Research (IACR).

10 L. Zhang et al. / Computer Networks 4 (21) Futai Zhang is a professor in School of Computer Science and Technology at Nanjing Normal University, Nanjing, China. His research interests include information security, network security and cryptography.


More information

ID-Based Blind Signature and Ring Signature from Pairings

ID-Based Blind Signature and Ring Signature from Pairings ID-Based Blind Signature and Ring Signature from Pairings Fangguo Zhang and Kwangjo Kim International Research center for Information Security (IRIS) Information and Communications University(ICU), 58-4

More information

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow

More information

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow

More information

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

On the security of Jhanwar-Barua Identity-Based Encryption Scheme On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In

More information

A DL Based Short Strong Designated Verifier Signature Scheme with Low Computation

A DL Based Short Strong Designated Verifier Signature Scheme with Low Computation JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 27, 451-463 (2011) A DL Based Short Strong Designated Verifier Signature Scheme with Low Computation HAN-YU LIN, TZONG-SUN WU + AND YI-SHIUNG YEH Department

More information

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable

More information

An Efficient Signature Scheme from Bilinear Pairings and Its Applications

An Efficient Signature Scheme from Bilinear Pairings and Its Applications An Efficient Signature Scheme from Bilinear Pairings and Its Applications Fangguo Zhang, Reihaneh Safavi-Naini and Willy Susilo School of Information Technology and Computer Science University of Wollongong,

More information

Authentication. Chapter Message Authentication

Authentication. Chapter Message Authentication Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,

More information

[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex

[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex Exponent Group Signature Schemes and Ecient Identity Based Signature Schemes Based on Pairings F. Hess Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol,

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Ring Group Signatures

Ring Group Signatures Ring Group Signatures Liqun Chen Hewlett-Packard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,

More information

Pairing-Based Cryptographic Protocols : A Survey

Pairing-Based Cryptographic Protocols : A Survey Pairing-Based Cryptographic Protocols : A Survey Ratna Dutta, Rana Barua and Palash Sarkar Cryptology Research Group Stat-Math and Applied Statistics Unit 203, B. T. Road, Kolkata India 700108 e-mail :{ratna

More information

A Pairing-Based DAA Scheme Further Reducing TPM Resources

A Pairing-Based DAA Scheme Further Reducing TPM Resources A Pairing-Based DAA Scheme Further Reducing TPM Resources Ernie Brickell Intel Corporation ernie.brickell@intel.com Jiangtao Li Intel Labs jiangtao.li@intel.com Abstract Direct Anonymous Attestation (DAA)

More information

An Improved RSA-based Certificateless Signature Scheme for Wireless Sensor Networks

An Improved RSA-based Certificateless Signature Scheme for Wireless Sensor Networks International Journal of Network Security, Vol.18, No.1, PP.82-89, Jan. 2016 82 An Improved RSA-based Certificateless Signature Scheme for Wireless Sensor Networks Gaurav Sharma, Suman Bala, and Anil K.

More information

Anonymous Proxy Signature with Restricted Traceability

Anonymous Proxy Signature with Restricted Traceability Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong Outline Introduction Motivation and Potential Solutions Anonymous Proxy

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

Cryptographic Protocols Notes 2

Cryptographic Protocols Notes 2 ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:

More information

New (t, n) threshold directed signature scheme with provable security

New (t, n) threshold directed signature scheme with provable security Available online at www.sciencedirect.com Information Sciences 178 (2008) 756 765 www.elsevier.com/locate/ins New (t, n) threshold directed signature scheme with provable security Rongxing Lu a, *, Xiaodong

More information

A new signature scheme without random oracles from bilinear pairings

A new signature scheme without random oracles from bilinear pairings University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2006 A new signature scheme without random oracles from bilinear pairings

More information

An Enhanced ID-based Deniable Authentication Protocol on Pairings

An Enhanced ID-based Deniable Authentication Protocol on Pairings An Enhanced ID-based Deniable Authentication Protocol on Pairings Meng-Hui Lim*, Sanggon Lee**, Youngho Park***, Hoonjae Lee** *Department of Ubiquitous IT, Graduate school of Design & IT, Dongseo University,

More information

Type-based Proxy Re-encryption and its Construction

Type-based Proxy Re-encryption and its Construction Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown

More information

Lattice-Based Revocable Certificateless Signature

Lattice-Based Revocable Certificateless Signature S S symmetry Article Lattice-Based Revocable Certificateless Signature Ying-Hao Hung, Yuh-Min Tseng * and Sen-Shan Huang Department of Mathematics, National Changhua University of Education, Jin-De Campus,

More information

An Improved Online/Offline Identity-based Signature Scheme for WSNs

An Improved Online/Offline Identity-based Signature Scheme for WSNs International Journal of Network Security, Vol.18, No.6, PP.1143-1151, Nov. 2016 1143 An Improved Online/Offline Identity-based Signature Scheme for WSNs Ya Gao 1, Peng Zeng 1, Kim-Kwang Raymond Choo 2,

More information

Constructing Provably-Secure Identity-Based Signature Schemes

Constructing Provably-Secure Identity-Based Signature Schemes Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols

More information

Gentry IBE Paper Reading

Gentry IBE Paper Reading Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT

More information

Recent Advances in Identity-based Encryption Pairing-based Constructions

Recent Advances in Identity-based Encryption Pairing-based Constructions Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-based Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute

More information

Proxy Re-Signature Schemes without Random Oracles

Proxy Re-Signature Schemes without Random Oracles An extended abstract of this paper appears in Indocrypt 2007, K. Srinathan, C. Pandu Rangan, M. Yung (Eds.), volume 4859 of LNCS, pp. 97-209, Sringer-Verlag, 2007. Proxy Re-Signature Schemes without Random

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir

More information

Short Signatures Without Random Oracles

Short Signatures Without Random Oracles Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without

More information

An Introduction to Pairings in Cryptography

An Introduction to Pairings in Cryptography An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings

More information

Concurrent Signatures

Concurrent Signatures Concurrent Signatures Liqun Chen 1, Caroline Kudla 2, and Kenneth G. Paterson 2 1 Hewlett-Packard Laboratories, Bristol, UK liqun.chen@hp.com 2 Information Security Group Royal Holloway, University of

More information

ID-based tripartite key agreement with signatures

ID-based tripartite key agreement with signatures -based tripartite key agreement with signatures 1 Divya Nalla ILab, Dept of omputer/info Sciences, University of Hyderabad, Gachibowli, Hyderabad, 500046, India divyanalla@yahoocom bstract : This paper

More information

Identity-Based Online/Offline Encryption

Identity-Based Online/Offline Encryption Fuchun Guo 2 Yi Mu 1 Zhide Chen 2 1 University of Wollongong, Australia ymu@uow.edu.au 2 Fujian Normal University, Fuzhou, China fuchunguo1982@gmail.com Outline 1 2 3 4 Identity-based Encryption Review

More information

Efficient Certificateless Online/Offline Signature with tight security

Efficient Certificateless Online/Offline Signature with tight security Efficient Certificateless Online/Offline Signature with tight security S. Sharmila Deva Selvi, S. Sree Vivek Indian Institute of Technology Madras Chennai, Tamil Nadu, India {sharmila, svivek}@cse.iitm.ac.in

More information

Identity-Based Delegated Signatures

Identity-Based Delegated Signatures Identity-Based Delegated Signatures Yi Mu 1, Willy Susilo 1, and Yan-Xia Lin 2 1 School of IT and Computer Science University of Wollongong, Wollongong, NSW 2522, Australia 2 School of Mathematics and

More information

Lecture 10 - MAC s continued, hash & MAC

Lecture 10 - MAC s continued, hash & MAC Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy

More information

PAIRING-BASED IDENTIFICATION SCHEMES

PAIRING-BASED IDENTIFICATION SCHEMES PAIRING-BASED IDENTIFICATION SCHEMES DAVID FREEMAN Abstract. We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions.

More information

Pairing-Based Cryptography An Introduction

Pairing-Based Cryptography An Introduction ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 3, 2014 CPSC 467, Lecture 18 1/43 Zero Knowledge Interactive Proofs (ZKIP) Secret cave protocol ZKIP for graph isomorphism

More information

Efficient Password-based Authenticated Key Exchange without Public Information

Efficient Password-based Authenticated Key Exchange without Public Information An extended abstract of this paper appears in ESORICS 2007, J. Biskup and J. Lopez (Eds.), volume 4734 of LNCS, pp. 299-310, Sringer-Verlag, 2007. Efficient Password-based Authenticated Key Exchange without

More information

Identity-based encryption

Identity-based encryption Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages

More information

Synchronized Aggregate Signatures from the RSA Assumption

Synchronized Aggregate Signatures from the RSA Assumption Synchronized Aggregate Signatures from the RSA Assumption Susan Hohenberger Johns Hopkins University susan@cs.jhu.edu Brent Waters UT Austin bwaters@cs.utexas.edu January 18, 2018 Abstract In this work

More information

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * 2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS

More information

Identity Based Deterministic Signature Scheme Without Forking-Lemma

Identity Based Deterministic Signature Scheme Without Forking-Lemma Identity Based Deterministic ignature cheme Without Forking-Lemma. harmila Deva elvi,. ree Vivek, C. Pandu Rangan Theoretical Computer cience Laboratory, Department of Computer cience and Engineering,

More information

Uninstantiability of Full-Domain Hash

Uninstantiability of Full-Domain Hash Uninstantiability of based on On the Generic Insecurity of, Crypto 05, joint work with Y.Dodis and R.Oliveira Krzysztof Pietrzak CWI Amsterdam June 3, 2008 Why talk about this old stuff? Why talk about

More information