CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction



Similar documents
New Efficient Searchable Encryption Schemes from Bilinear Pairings

A Certificateless Signature Scheme for Mobile Wireless Cyber-Physical Systems

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

A New and Efficient Signature on Commitment Values

New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings

Certificate Based Signature Schemes without Pairings or Random Oracles

Identity-Based Encryption from the Weil Pairing

Efficient Unlinkable Secret Handshakes for Anonymous Communications

A Strong RSA-based and Certificateless-based Signature Scheme

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

SECURE AND EFFICIENT PRIVACY-PRESERVING PUBLIC AUDITING SCHEME FOR CLOUD STORAGE

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood

Introduction. Digital Signature

Lecture 25: Pairing-Based Cryptography

Improved Online/Offline Signature Schemes

An Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Comments on "public integrity auditing for dynamic data sharing with multi-user modification"

Lecture 9 - Message Authentication Codes

DEVELOPMENT OF CERTIFICATE LESS DIGITAL SIGNATURE SCHEME & ITS APPLICATION IN E-CASH SYSTEM

Capture Resilient ElGamal Signature Protocols

Signature Amortization Technique for Authenticating Delay Sensitive Stream

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment

A Survey on Optimistic Fair Digital Signature Exchange Protocols

Performance Evaluation Panda for Data Storage and Sharing Services in Cloud Computing

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

A novel deniable authentication protocol using generalized ElGamal signature scheme

1 Signatures vs. MACs

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography

1 Message Authentication

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Lecture 2: Complexity Theory Review and Interactive Proofs

A Factoring and Discrete Logarithm based Cryptosystem

Chosen-Ciphertext Security from Identity-Based Encryption

Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical Identity-Based Cryptography

DIGITAL SIGNATURES 1/1

Digital Signatures. Prof. Zeph Grunschlag

Blinding Self-Certified Key Issuing Protocols Using Elliptic Curves

RIGOROUS PUBLIC AUDITING SUPPORT ON SHARED DATA STORED IN THE CLOUD BY PRIVACY-PRESERVING MECHANISM

Keywords: - Ring Signature, Homomorphic Authenticable Ring Signature (HARS), Privacy Preserving, Public Auditing, Cloud Computing.

Anonymous Network Information Acquirement Protocol for Mobile Users in Heterogeneous Wireless Networks

Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES


Lecture 15 - Digital Signatures

Secure Large-Scale Bingo

Signature Schemes. CSG 252 Fall Riccardo Pucella

A More Robust Authentication Scheme for Roaming Service in Global Mobility Networks Using ECC

Digital Signatures. What are Signature Schemes?

Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar

Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10

Group Security Model in Wireless Sensor Network using Identity Based Cryptographic Scheme

CIS 5371 Cryptography. 8. Encryption --

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Enhancing Data Security in Cloud Storage Auditing With Key Abstraction

The Exact Security of Digital Signatures How to Sign with RSA and Rabin

Message Authentication Code

Victor Shoup Avi Rubin. Abstract

Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones

Strengthen RFID Tags Security Using New Data Structure

Security Arguments for Digital Signatures and Blind Signatures

An Efficient and Light weight Secure Framework for Applications of Cloud Environment using Identity Encryption Method

Security in Electronic Payment Systems

Efficient ID-based authentication and key agreement protocols for the session initiation protocol

The Feasibility of SET-IBS and SET-IBOOS Protocols in Cluster-Based Wireless Sensor Network

MACs Message authentication and integrity. Table of contents

A Secure and Efficient Conference Key Distribution System

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Chosen-Ciphertext Security from Identity-Based Encryption

How To Ensure Data Integrity In Clouds

Transcription:

International Journal of Network Security, Vol.16, No.3, PP.174-181, May 2014 174 CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction Min Zhou 1, Mingwu Zhang 2, Chunzhi Wang 2, and Bo Yang 3 (Corresponding author: Min Zhou) College of Information, South China Agricultural University 1 College of Computer Science and Engineering, Hubei University of Technology 2 School of Computer Sciences, Shaanxi Normal University 3 (Received June 29, 2012; revised and accepted Jan. 12 & Feb. 21, 2013) Abstract Aggregate signatures are useful compact cryptographic schemes for reducing the size multiple individual signatures, which can be used in message size compactness and certificate chains reduction. Certificateless signature is a paradigm in overcoming the key escrow problem of identity-based cryptography schemes. In this paper, we construct a compact aggregate signature in the certificateless public key settings, which performs a full aggregation needs that the aggregate signature length is the same as that of any individual signature. Furthermore, the proposed scheme can aggregate and extract an individual signature expansively, and it also keeps the integrity of the remained aggregate signature. The security models, under two adversary models such as malicious KGC and malicious user, are also analyzed in the random oracle model. The proposed scheme is existentially unforgeable under adaptive chosen-message attacks and chosen-identity attacks assuming the computational Diffie-Hellman problem is hard. Keywords: Aggregate signature, certificateless cryptographic, unforgeability 1 Introduction 1.1 Aggregate Signature and Related Works An aggregate signature scheme [2, 7, 8, 9] is a digital signature that supports multiple individual signatures aggregate into one single signature. It allows a collection of signatures to be compressed into one short signature, where this single signature along with a given original message m i (i [1, n]) and the list of signer identities will convince the verifier that user ID i indeed has signed message m i. The concept of aggregation can be considered almost everywhere in cryptographic protocols where a large or moderate group is involved, which is a useful technique in cryptography for reducing the communication and computation complexity. The first aggregate signature scheme was proposed by Boneh et al. [2] that is based on BLS short signature scheme in the groups with efficiently computable bilinear maps. Their scheme is called general aggregation scheme since aggregation can be done by anyone and without the cooperation of the signers, but it rejects if the messages m 1,..., m n are not distinct. Subsequently, Lysyanskaya et al. [9] proposed a RSA-based sequential aggregate signature scheme. In a sequential aggregation scheme, signature aggregation can only be done during the signing process. Each signer sequentially modifies the aggregate signature in turn by adding his signature to the current aggregate. Recently, Lu et al. [8] proposed a sequential aggregate signature scheme without random oracle. The security of their scheme relies on the hardness of the Computational Diffie-Hellman (CDH) problem in bilinear groups. The total information needed to verify the aggregate signature must include individual signers public keys, whose lengths depend on the security parameters of the scheme. Since the verifier cannot be expected to know all n signers public keys, practically, the length of an aggregate signature is not significantly shorter than the length of n traditional signatures. Hence, for large value of n, it is preferable to specify the signers by their identities. To solve the public key certificate issues, the identitybased cryptography was first introduced by Shamir in [13], which simplifies key management and avoid the use of digital certificates. A Private Key Generator (PKG) computes keys from a master key and distributes these to the users participating in the scheme, which eliminates the need for certificates as used in a traditional public key infrastructure. In [3], Gentry and Ramzan introduced an identitybased aggregate signature which is secure in the random oracle model. They use of an identity-based scheme that the signer does not need to send an individual public key and certificate with its signature. Moreover, the scheme

International Journal of Network Security, Vol.16, No.3, PP.174-181, May 2014 175 of Gentry and Ramzan produces short signatures and is efficiently computational. Verification requires only three pairings computations, regardless of the number of signers. Wang et al. [14] proposed a novel identity-based aggregate signature scheme with efficient computing time, but Selvi et al. [12] pointed that the Wang et al. s scheme is not secure against universal forgery. Certificateless public key cryptography (CL-PKC), was first proposed by Al-Riyami and Paterson [1], is a new paradigm to overcome the key escrow problem of identitybased cryptography schemes. Certificateless cryptography involves a Key Generator Center (KGC), which issues a partial key to a user and the user also independently generates an additional public/secret key pair in such a way that the KGC only knows the partial key but he does the additional secret key is unable to do any cryptographic operation on behalf of the user, and a third party who replaces the public/secret pair but does not know the partial key and cannot do any cryptographic operation as the user either [22]. Huang et al. [6] formatted the security model of certificateless signature scheme. Gong et al. [4] defined the security model of certificateless aggregate signature schemes for the first time, however, Zhang et al. [21] pointed out some drawbacks of the security model of Gong et al. s model. In [5], Huang et al. presented a generic way to construct certificateless signature (CLS) schemes. There is little attention has been paid to aggregate signatures in certificateless public key settings. Zhang et al. [19] described security models for certificateless aggregate signature schemes. Wen et al. [15] constructed an aggregate signature scheme that required constant pairing operations in the verification algorithm and the size of aggregate signature is independent of the number of signers, but Selvi et al. [12] pointed that Wen et al. s scheme is not secure in individual signature forgery. An aggregate signature supporting many-to-one authentication deploying in the certificateless signature environment is proposed in [18]. Recently, Zhang et al. [20] proposed a certificateless aggregate signature scheme, but their scheme only support partial aggregation. Wen et al. [16] proposed an aggregate signature with specified designated verifier. In order to improve the computing efficiency and reduce the signature size, Yu et al. [17] presented an aggregate signature without any bilinear pairing operation, and Mu et al. [11] constructed a compact sequential aggregate signature, respectively. Recently, Marc et al. [10] constructed a sequential aggregate scheme that supports history-free property. Aggregating signatures of different messages can be very helpful in many situations, in order to save both memory space and cost of verification. Informally, the length of the aggregate signature should be constant, independent of the number of signed messages. The length of the aggregate signature σ = (R 1,..., R n, T ) is half the length of n initial signatures, but it s linear with respect to the number of signatures for that R cannot be compacted even if all the signatures come from the same signers. 1.2 Our Contribution and Roadmap In this paper, we propose a compact certificateless aggregate signature scheme (CCLAS) that supports full aggregate model. With the aggregation of multiple signatures, the length of aggregate signature will not be increased. The CCLAS scheme is provably secure in the random oracle model. It adapts the notion of security of two adversary models to describe the malicious forger and malicious-but-passive KGC for certificateless aggregate signature scheme. The result of this aggregation is an aggregate signature whose length is the same as that of any of an individual signatures. This scheme has the property that a verifier given along with the identities of the parties involved and their respective messages is convinced that each user signed his respective message. The rest of the paper is organized as follows: Section 2 gives some preliminaries including bilinear pairing and security assumption; The formal model of compact certificateless aggregate signature scheme and its security notions are described in Section 3 and the detail algorithms are proposed in Section 4; The security analysis of the CCLAS scheme is demonstrated in Section 5 and the conclusion is drawn in Section 6. 2 Preliminaries 2.1 Pairings The CCLAS scheme uses a bilinear map, which is often called a pairing. Typically, the pairing used is a modified Weil or Tate pairing on a supersingular elliptic curve or abelian variety. Throughout the paper we use the following notation to provide the bilinear map requirements: 1) (G 1, +) and (G 2, ) be cyclic groups of the same large prime order q; 2) P be a generator of G 1, and e(p, P ) be a generator of G 2 ; 3) e is a computable bilinear map: e : G 1 G 1 G 2. 2.2 Security Assumption In this paper, we base our security reductions on the Computational Diffie-Hellman assumption (CDH problem) that is widely regarded as a hard problem and is often used as the basis of cryptographic schemes listed as defined below: Definition 1. CDH assumption: Consider a cyclic group G of order q, the CDH assumption states that given tuples (P, ap, bp ) for a randomly chosen generator P and random integer a, b Z/qZ, it s computational intractable to compute the value of abp. More precisely, the CDH problem is said to be secure if the advantage function AdvA CDH (λ) is a negligible function in λ for all polynomial time adversaries A CDH, where AdvA CDH (λ) = P r[a(p, ap, bp ) abp ].

International Journal of Network Security, Vol.16, No.3, PP.174-181, May 2014 176 3 Models and Security Notations 3.1 The CCLAS Model The CCLAS scheme is an efficient certificateless signature scheme defined by eight probabilistic-polynomial time algorithms: Setup, PartialKeyGen, UserKeyGen, IndiSign, IndiVeri, SignAggr, SignVeri and ExtAggr. Setup: This algorithm is performed by KGC that accepts a security parameter λ to generate a master-key s and a list of system parameters params. PartialKeyGen: This algorithm is performed by KGC that accepts a users identity ID i, a parameter list params and a master-key s to produce the user s partial secret key D i. UserKeyGen: This algorithm is run by a user that takes the users identity ID i as input, and outputs the users secret value x i and public key P i. IndiSign: This algorithm accepts a message m M, the signer s identity ID i together with corresponding public key P i, a parameter list params and the signing key (D i, x i ) to generate a individual signature σ i on message m. IndiVeri: This algorithm accepts a message m, a signature σ i, public list params, the signer s identity ID i and corresponding public key P i to output true if the signature is valid, or otherwise. SignAggr: This algorithm is run by the aggregate signature generator such as any user or a third party that takes as inputs a state information ω, an aggregating users set U i U(i = 1,..., n) whose identity is ID i and the corresponding public key P i, and signatures σ i on a message m i with state information ω under identity ID i and public key P i for each user U i U. It outputs an aggregate signature σ on messages m 1,..., m n. SignVeri: This algorithm takes as input state information string ω, a set U of n users U 1,..., U n, each with identity ID i and public key P i, an aggregate signature σ on messages m 1,..., m n. It outputs true if the aggregate signature is valid, or otherwise. ExtAggr: This algorithm can extract and decomposite an individual signature σ from aggregate signature σ. After extracted a valid signature σ from aggregate signature σ, the new aggregate signature σ (σ = σ σ ) is also a valid aggregate signature. Remark 1. For the first time, our CCLAS scheme introduces a ExtAggr algorithm to extract a valid individual signature. It is also a valid aggregate signature if an individual signature is be extracted from the aggregate signature. 3.2 Security Notations The CCLAS scheme should be secure against existential forgery under adaptive-chosen-message attacks and adaptive-chosen-identity attacks. Informally, existential forgery means that the adversary attempts to forge an identity-based individual signature or aggregate signature on identities and messages of his choice. There are two types of security in a certificateless aggregate signature scheme, Type-I security and Type-II security [1], along with two types of adversaries, A I and A II, respectively. Type-I adversary. Type-I adversary A I models a malicious adversary that he can compromise the user private key or replace the user public key. However, he can not compromise the master-key nor access the user partial key. Type-II adversary. Type-II adversary A II models the malicious-but-passive KGC that he knows the masterkey but cannot perform public key replacement of the user being attacked. Type-I game. The type-i game is performed between a challenger C and the Type-I forger A I for a CCLAS signature scheme as follows: Initialization. C runs Setup algorithm to generate the master key and public parameters to forger A I. Note that A I does not know the master key. Queries. Forger A I may require the following queries to C by an adaptive manner. PartialKeyGen queries: When A I requests the partial private key for a user with identity ID, C responds the user s private key D ID by running PartialKeyGen algorithm. UserKeyGen queries: When A I requests the secret key for a user with identity ID, C responds the user s full secret key x ID by running UserKeyGen algorithm. UserPublicKey queries: When A I requests the public key of a user with identity ID, C answers the corresponding public key P ID. PublicKeyReplacement queries (ID, P ID ): This query is to replace the public key P ID for an identity ID with a new value P ID. On receiving such a query, C updates the public key to the new value P ID. IndiSign queries: When A I requests a signature on a message m for a user with identity ID, C responds a valid signature σ for m by running IndiSign algorithm. SignAggr queries: When A I requests a serial of signature aggregate queries for multiple signatures, C returns an aggregate signature σ by SignAggr algorithm. ExtAggr queries: When A I performs a signature extract query, C returns a new signature that extracts the subset signature σ by ExtAggr algorithm. Forgery. Finally, A I outputs an aggregate signature σ = (R, S ) and wins the game if

International Journal of Network Security, Vol.16, No.3, PP.174-181, May 2014 177 σ can pass the SignVeri algorithm and return result is not ; A I has never asked all the partial private keys or private keys of the user ID 1,...ID n who participates the aggregate signature σ ; σ has never been queried by the IndiSign and SignAggr oracles. Definition 2. Type-I unforgeability. The CCLAS scheme is existentially unforgeable against Type-I adversary under adaptively chosen-identity and chosenmessage attacks if the success probability of any polynomially bounded Type-I adversary in the Type-I game is negligible. Type-II game. Initialization. C runs the Setup algorithm and sends params and master-key to the adversary A II. Note that adversary A II knows the master key and can obtain anyone s partial private key, so he need not perform PartialKeyGen oracles. Queries. Forger A II may perform the following queries by an adaptive manner. UserKeyGen queries. When A II requests the private key of a user with identity ID, C outputs the secret key x ID by running UserKeyGen algorithm. UserPublicKey queries. When A II requests the public key of a user with identity ID, C outputs the corresponding public key P ID. IndiSign queries. When A II requests an identity ID s signature on a message m together with a public key P ID, C answers with a signature σ on message m for the user ID. SignAggr queries: When A II requests a serial of signatures aggregate queries for multiple signatures, C returns an aggregate signature σ by running SignAggr algorithm. ExtAggr queries: When A II performs a individual signature extract query, C returns a new signature that extracts the subset signature. F orgery. Adversary A II outputs a tuple σ = (R, S, m 1, ID1,..., m n, IDn). A II will win the game if: σ can pass the SignVeri algorithm and return result is not ; A II has never asked all the private keys of the users ID 1,...ID n ; σ has never been queried by the IndiSign and SignAggr oracles. Definition 3. Type-II unforgeability. The CCLAS scheme is existentially unforgeable against Type-II adversary under adaptively chosen-identity and chosenmessage attacks if the success probability of any polynomially bounded Type-II adversary in the Type-II game is negligible. Remark 2. The CCLAS scheme is existentially unforgeable under adaptively chosen-identity and chosen-message attacks if it is existentially unforgeable against Type-I adversaries in Type-I game, and Type-II adversaries in Type-II game, respectively. 4 The CCLAS Scheme In this section, we describe the proposed CCLAS scheme which consists of eight probability polynomial time algorithms. Setup: On input a security parameter λ, the KGC generates parameters by this algorithm as follows: - Generates groups G 1 and G 2 of prime order q and an admissible pairing e : G 1 G 1 G 2 ; - Chooses an arbitrary generator P G 1 ; - Picks s Z/qZ randomly, and sets P pub = sp ; - Chooses two cryptographic hash functions, H 1, H 2 : {0, 1} G 1, H 3 : {0, 1} l {0, 1} G 1 ; - KGC publishes the params=< G 1, G 2, e,q, P, P pub, H 1, H 2, H 3 >, and keeps the master key s. The message space is M {0, 1} l. PartialKeyGen: KGC generates the partial private key for the user U i with identity ID i as follows: - Computes Q i = H 1 (ID i ) G 1 ; - Outputs the partial private key D i = sq i. UserKeyGen: On input the params and a user s identity ID i {0, 1}, it generates the partial secret key for the user as follows: - Picks a random x i Z/qZ and outputs x i as the user s secret value. Note that the user s full secret key SK i =< x i, D i >; - Computes and sets user s public key P i = x i P ; IndiSign: The first signer picks a random string ω {0, 1} that it has never used before. Each subsequent signer checks that it has not used the string ω chosen by the first signer. To sign a message m i M using the signing key < x i, D i >, the signer ID i with corresponding public key P i does as following steps: - Computes P ω = H 2 (ω) G 1 ; - Picks r i Z/qZ randomly, computes R i = r i P G 1 ;

International Journal of Network Security, Vol.16, No.3, PP.174-181, May 2014 178 - Computes h i = H 3 (m i, ID i, ω) G 1 ; - Computes S i = r i P ω + D i + x i h i ; - Outputs σ =< R i, S i > as the signature on m i by the user ID i. IndiVeri: On received the signature σ =< R i, S i > on the state string ω and message m i, anyone can verify the origin of the sender: - Computes P ω = H 2 (ω); - Computes h i = H 3 (m i, ID i, ω); - Accepts the message m i iff e(p, S i ) = e(r i, P ω )e(p pub, Q i )e(p i, h i ). SignAggr: Anyone can aggregate a collection of individual signatures σ 1 =< R 1, S 1 >,..., σ n =< R n, S n > by n different users ID 1,..., ID n respectively, which uses the same state string ω. It does as follows - Computes S = n i=1 S i, R = n i=1 R i; - Outputs the aggregate signature σ =< R, S > under the state string ω on messages m 1,..., m n. Remark 3. The CCLAS scheme is a full aggregate signature scheme that supports the compact of R i and S i (1 i n). In many aggregate signature schemes such as [20, 21], they only provides partial aggregation that compacts the S i by S = n i=1 S i. Remark 4. The purpose of the one-time-use state string ω in CCLAS scheme is to disturb this linearity, which provides a manner where all the signers can reach a common randomness. The CCLAS scheme does not provide the aggregation of individual signatures that use different ω s. If an individual signature will be extracted from an aggregate signature, it also needs the same state string. SignVeri: To verify an aggregate signature σ =< R, S > with the same state string ω on message m 1,..., m n for identity ID 1,..., ID n under public key P 1,..., P n, respectively, the verifier performs the following steps: - Computes P ω = H 2 (ω); - For i = 1 to n, computes Q i = H 1 (ID i ), and h i = H 3 (m i, ID i, ω); - Checks whether the following equation holds e(p, S) = e(r, P ω )e(p pub, n i=1 Q i)( n i=1 e(p i, h i )); - If above equation holds, outputs true as success, otherwise outputs. Remark 5. In [2], to ensure the security of the aggregate signature scheme, it is required that the messages m 1,..., m n to be signed are distinct. However, in our proposed scheme this restriction can be removed for that all individual signature can be aggregated by a same state string. ExtAggr: To extract an individual signature σ = (R, S ) that aggregated in a signature σ, it does - Computes R = R R, S = S S ; - Outputs σ = (R, S ). Remark 6. It easy sees that σ = (R, S ) is a valid aggregate signature if σ = (R, S ) is be extracted from σ. The check equation is: e(p, S ) = e(r, P ω)e(p pub, n i=1,i Qi)( n i=1,i e(pi, hi)); In CCLAS scheme, it is possible to aggregate individual identity-based signatures even if the signers have different KGCs, and the security proof goes through. However, to verify such a multiple-kgc aggregate signature, the verifier only needs the public key of every KGC. 5 Security Analysis We show that the CCLAS scheme is existentially unforgeable under adaptively chosen-identity and chosen-message attacks if it is existentially unforgeable against Type-I adversaries in Type-I game, and Type-II adversaries in Type-II game, respectively. Theorem 1. In the random oracle model, if there exists a type-i adversary A I who has an advantage to break the Game-I with non-negligible probability ɛ for a security parameter λ, after asking at most q K times partial private key queries, q P times public key queries, q Hi times H i (i=1,2,3) queries, q S times IndiSign queries, q A times SignAggr queries and q E extract signature queries, then the CDH problem in G 1 can be solved with non-negligible the advantage ɛ ɛ (q K +n)e. Proof. Algorithm B is given an instance (P, ap, bp ) of CDH problem, and will interact with algorithm A I as follows in an attempt to compute abp. First, B sets P pub = ap, and chooses the system parameters params = (G 1, G 2, e, P, P pub, H 1, H 2, H 3 ). Here the H i s are random oracles controlled by B. A I can perform the following types of queries in an adaptive manner. B maintains lists relating to its previous hash query responses for consistency that the responding lists are initially empty. - H 1 queries: B keeps a list of tuples (ID j, coin j, Q j, b j ). If ID i was in a previous H 1 -query, B answers with Q i in H 1 -list; otherwise, B generates a random coin i {0, 1} so that P r[coin i = 1] = δ. It picks b i R Z/qZ randomly, if coin i = 1, B sets Q i = b j bp ; else, Q j = b j P, and stores (ID i, coin i, Q i, b i ) to H 1 -list and answers with Q i. - H 2 queries: B keeps a list of tuples (ω j, P ωj, c j ). Whenever A I issues a query H 2 (ω i ) to H 2 oracle, the same answer P ωi from the H 2 -list will be given if the request has been asked before. Otherwise, B selects a random c i Z/qZ, computes P ωi = c i P, adds (ω i, P ωi, c i ) to H 2 -list and answers with P i.

International Journal of Network Security, Vol.16, No.3, PP.174-181, May 2014 179 - H 3 queries: B keeps a list H 3 -list of tuples (ω j, m j, ID j, h j, d j ). Whenever A I issues a query H 3 (m i, ID i, ω i ) to H 3 oracle, the same answer h i from the H 3 -list will be given if the request has been asked before. Otherwise, B selects a random d i Z/qZ, computes h i = d i P, adds (ω i, m i, ID i, h i, d i ) to H 3 -list and answers with h i. - PartialKeyGen queries: When A requests the partial private key corresponding to ID i, B finds in H 1 - list, if H 1 -coin i =0, answers with Q i = b i P, else B abort. - Public key queries: B keeps a list PK-list of tuples (ID j, x j, P j, e j ). On receiving a Public Key query, the same answer from the list PK-list will be given if the request has been asked before. Otherwise, B aborts and returns as answer. - Secret value queries: On receiving a secret value query, B first makes P K(ID i ) and recovers the tuple (ID i, x i, P i, e i ) from PK-list and answers with x i. If it cannot find in the list, it returns as answer. - Sign queries: On receive an individual sign query IndiSign(ω i, m i, ID i, P i ), where P i denotes the public key chosen by A I, B first makes H 2 (ω) and P K(ID i ) queries, then finds the tuple ω i, P ωi, c i ) on H 2 -list, the tuple (ID i, x i, P i, e i ) on PK-list and generates the signature σ as following steps: 1) If H 1.coin i = 0, B randomly chooses R i G 1, computes S i = c i R i +b i P pub +d i P i, and outputs (R i, S i ) as answer. 2) If H 1.coin i = 1, B randomly picks r i, d i Z/qZ, computes R i = r i P d 1 i Q i, and then stores (ω i, m i, ID i, h i, d i ) to H 3 -list. B computes S i = c i P i + r i d i P pub, and outputs σ i = (R i, S i ) as answer. Forgery. Finally, A I returns a set U of n users, whose identities is ID1,..., IDn and corresponding public keys is P1,..., Pn, a state string ω and a forged aggregate signature σ = (R, S ). It requires that there exists π [1, n] such that A I has neither asked the partial private for ID π nor queried IndiSign for ID π and message m π. In addition, the aggregate signature σ satisfies the following equation n n e(p, S ) = e(r, P ω )e(p pub, Q i )( e(pi, h i )) (1) i=1 i=1 where h i = H 3 (m i, ID i, ω ), P ω = H 2 (ω ). The above equation holds if b π = 0 and b i = 1 for all i [1,..., π 1, π + 1,...n]; otherwise, B aborts. By our setting, Q π = b π bp, P ω = c π P, h π = d π P. For all i = 1,..., π 1, π + 1,..., n, Q i = b ip, h i = d ip. It has abp = (S n i=1,i π (d i P i +b j P pub +c i R i ) c π R π d π P π ) (2) Now we determine the probability ɛ for B to solve the given instance of CDH problem. We analyze the following events needed for B to succeed: E1: B does not abort as a result of any of A I s secret value queries. For a key extract query, the probability does not abort is δ. Under the q K times key extract queries, the probability that B does not failure is at least δ q K. E2: A I generates a valid and nontrivial aggregate signature forgery. It easy sees that Pr[E2-E1] ɛ. E3: Event E2 occurs, c π = 0 and c i = 1 for all i = 1,..., π 1, π + 1,..., n. The probability that B does not abort is at least (1 δ)δ n 1. B succeeds if all of these events happen. The probability P r[e1 E2 E3] can be decomposed as P r[e1 E2 E3] = P r[e1][e2 E1][E3 E1 E2] = (1 δ)δ (qk+n 1) ɛ ɛ (q K +n)e Theorem 2. In the random oracle model, if there exists a type-ii adversary A II who has an advantage ɛ in forging an aggregate signature of the proposed CCLAS scheme in an attack modeled by Game-II running for a security parameter λ and asking at most q P times public key queries, q K times secret key queries, q H2 times H 2 queries, q H3 times H 3 queries, q S times Sign queries, q A times SignAggr queries and q E extract signature queries, then the CDH problem in G 1 can be solved with probability advantage ɛ 1 (q P +n)e ɛ. Proof. Let C receives a random instance (P, ap, bp ) of the CDH problem and has to compute the value of abp. A II is a type-ii adversary who interacts with C as defined in Game-II. We show that it can use A II to compute abp. At first, C selects a random s Z/qZ as the masterkey, computes P pub = sp, and selects the system parameters params = (G 1, G 2, e, P, P pub, H 1, H 2, H 3 ). A II has the ability to access to the master-key s, and obtain the anyone s secret key by PartialKeyGen oracle. A II can perform the following queries in an adaptive manner. The responding lists are initially empty. - H 2 queries: Whenever A II requests query H 2 (ω i ) to H 2 oracle, the same answer P ωi from the H 2 -list will be given if the request has been asked before. Otherwise, C selects a random c i Z/qZ, computes P ωi = c i ap, adds (ω i, P ωi, c i ) to H 2 -list and answers with P ωi. - H 3 queries: Whenever A II issues a query H 3 (m i, ID i, ω i ) to H 3 oracle, the same answer h i from the H 3 -list will be given if the request has been asked before. Otherwise, C selects a random d i Z/qZ, computes h i = d i P, adds (ω i, m i, ID i, h i, d i ) to H 3 -list and returns h i as answer.

International Journal of Network Security, Vol.16, No.3, PP.174-181, May 2014 180 - Public key queries(pk-queries): On receiving a public key query, the same answer from the list PK-list will be given if the request has been asked before. Otherwise, C first selects x j Z/qZ, and flips a coin coin i {0, 1} that yields 1 with probability δ and 0 with probability 1-δ. If coin i = 1 returns P i = x i bp and adds (ID i, x i, P i, coin i ) to PK-list; otherwise, C computes P i = x i P, returns P i as answer and adds (ID i, x i, P i, coin i ) to PK-list. - Secret value queries: On receiving a secret value query, C first makes P K(ID i ) and searches the tuple (ID i, x i, P i, coin i ) from PK-list. If coin i = 1 then C aborts; otherwise, C returns x i as answer. - Sign queries: On receive a sign query IndiSign(ω i, m i, ID i, P i ), where P i denotes the public key chosen by A II, C first makes H 2 (ω i ) and P K(ID i ) queries, then searches the tuple (ω i, P ωi, c i ) on H 2 -list, the tuple (ID i, x i, P i, coin i ) on PK-list. C generates the signature σ as following steps: 1) If coin i = 0, C generate individual signature σ i = (R i, S i ) by IndiSign oracle because he knows the anyone s full signing key, and outputs σ i = (R i, S i ) as answer. 2) If coin i = 1, C randomly picks r i Z/qZ, computes R i = r i P (c i x i /d i )bp, and h i = d i ap, computes S i = r i P ωi + sh 1 (ID i ), outputs the signature σ i = (R i, S i ) as answer. Forgery. Finally, A II returns a set U of n users, whose identities is ID1,..., IDn and corresponding public keys is P1,..., Pn, a state string ω and a forged aggregate signature σ = (R, S ). It requires that there exists π [1, n] such that A II has not asked the partial private for ID π. In addition, the aggregate signature σ should satisfies the verification equation: e(p, S ) = e(r, P ω )e(p pub, n n Q i )( e(pi, h i )) (3) i=1 i=1 where h i = H 3 (m i, ID i, ω ), P ω = H 2 (ω ). C sets Pπ = x πbp, P ω = c i ap, for all i [1,..., n], i π, sets h i = d i P. Hence, C can computes abp = S i=1,i π (dipω + sq i + x ir i ) sq π x πr π d πc i (4) Now we determine the probability ɛ for C to solve the given instance of CDH problem. We analyze the following events needed for C to succeed: E1: C does not abort as a result of any of A II secret value queries. E2: A II generates a valid and nontrivial aggregate signature forgery. E3: Event E2 occurs, c π = 1 and c i = 0 for all i = 1,..., π 1, π + 1,..., n. C succeeds if all of these events happen. The probability of C will succeed is P r[e1 E2 E3] P r[e1 E2 E3] = P r[e1][e2 E1][E3 E1 E2] = (1 δ)δ (q P +n 1) ɛ 1 (q P +n)e ɛ 6 Conclusion We proposed a certificateless aggregate signature scheme that supports compacted full aggregation, whose signature size is the same as that of any of an individual signature. We have presented the security model about unforgeability under two adversaries model. The proposed scheme has been proven to be existentially unforgeable under adaptive chosen-message attack in the random oracle model. It s an interesting issue to implement fixed size and constant pairing operator in certificateless aggregate signature scheme. Acknowledgments This work was supported by the National Natural Science Foundation of China under Grant 61272404, 61173164 and 61170135, and Guangdong Natural Science Foundation under Grant S2012010010383. References [1] S. Al-Riyami and K. Paterson, Certificateless public key cryptography, in ASIACRYPT 03, LNCS 2894, pp. 452 473, Springer-Verlag, 2003. [2] D. Boneh, D. Gentry, B. Lynn, and H. Shacham, Aggregate and verifiably encrypted signatures from bilinear maps, in Eurocrypt 03, LNCS 2656, pp. 416 432, Springer-Verlag, 2003. [3] C. Gentry and Z. Ramzan, Identity-based aggregate signatures, in PKC 06, LNCS 3958, pp. 257 273, Springer-Verlag, 2006. [4] Z. Gong, Y. Long, X. Hong, and K. Chen, Two certificateless aggregate signatures from bilinear maps, in SNPD 07, pp. 188 193, 2007. [5] X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu, Certificateless signature revisited, in ACISP 07, LNCS 4586, pp. 308 322, Springer-Verlag, 2007. [6] X. Huang, W. Susilo, Y. Mu, and F. Zhang, On the security of a certificateless signature scheme, in CANS 05, LNCS 3810, pp. 13 25, Springer-Verlag, 2005. [7] J. Y. Hwang, D. H. Lee, and H. Yung, Universial forgery of the identity-based sequential aggregate signature scheme, in ASIACCS 09, 2009.

International Journal of Network Security, Vol.16, No.3, PP.174-181, May 2014 181 [8] D. Lu, R. Ostrovsky, A. Sahai, H. Shacham, and B. Waters, Sequential aggregate signatures and multisignatures without random oracles, in Advances in Cryptology - Eurocrypt 06, pp. 465 485, 2006. [9] A. Lysyanskaya, S. Micali, L. Reyzin, and H. Shacham, Sequential aggregate signatures from trapdoor permutations, in Advances in Cryptology - Eurocrypt 04, LNCS 3027, pp. 74 90, Springer- Verlag, 2004. [10] F. Marc, L. Anja, and S. Dominique, History-free sequential aggregate signatures, in SCN 12, LNCS 7845, pp. 113 130, Springer-Verlag, 2012. [11] Y. Mu, W. Susilo, and H. Zhu, Compact sequential aggregate signatures, in SAC 07, pp. 249 253, ACM, 2007. [12] S. S. D. Selvi, S. S. Vivek, J. Shriram, S. Kalaivani, and C. P. Rangan, Security analysis of aggregate signature and batch verification signature schemes, 2009. http://eprint.iacr.org/2009/290.pdf. [13] A. Shamir, Identity-based cryptosystems and signature schemes, in Advances in Cryptology - Crypto 84, LNCS 196, pp. 47 53, Springer-Verlag, 1984. [14] Z. Wang, H. Chen, D. Ye, and Q. Wu, Practical identity-based aggregate signature scheme from bilinear maps, Journal of Shanghai Jiaotong University, vol. 13, no. 6, pp. 684 687, 2008. [15] Y. Wen and J. Ma, An aggregate signature scheme with constant pairing operations, in CSSE 08, pp. 830 833, 2008. [16] Y. Wen, J. Ma, and H. Huang, An aggregate signature scheme with specified verifier, Chinese Journal of Electrnics, vol. 20, no. 2, pp. 333 336, 2011. [17] Y. Yu, X. Zheng, and H. Sun, An identity based aggregate signature scheme with pairing, Journal of Networks, vol. 6, no. 4, pp. 631 637, 2011. [18] L. Zhang, B. Qin, Q. Wu, and F. Zhang, Efficient many-to-one authentication with certificateless aggregate signature, Computer Network, vol. 54, no. 14, pp. 2482 2491, 2010. [19] L. Zhang and F. Zhang, Security model for certificateless aggregate signature schemes, in CIS 08, pp. 364 368, 2008. [20] L. Zhang and F. Zhang, A new certificateless aggregate signature scheme, Computer Communications, vol. 32, no. 1, pp. 1079 1085, 2009. [21] L. Zhang, F. Zhang, and F. Zhang, New efficient certificateless signature scheme, in EUC 07, LNCS 4809, pp. 692 703, Springer-Verlag, 2007. [22] M. Zhang, J. Yao, C. Wang, and T. Takagi, Public key replacement and universal forgery of a scls scheme, International Journal of Network Security, vol. 15, no. 1, pp. 115 120, 2013. Min Zhou is an associate professor at College of Information, South China Agriculutral University. Her research interests focus on Security Multiparty Computation and Network Security. Mingwu Zhang is now working at Hubei University of Technology. He is a senior member of Chinese Computer Federation, a senior member of Chinese Association for Cryptologic Research(CACR), and a member of IEEE Computer Society. His research interests include Network and Information Security. Chunzhi Wang, Ph.D, professor, and is currently working at School of Computer Science and Engineering, Hubei University of Technology. Her research interests focus on Network Protocol and System Security. Bo Yang received his B. S. degree from Peking University in 1986, and the M. S. and Ph. D. degrees from Xidian University in 1993 and 1999, respectively. He is currently a professor and supervisor of Ph.D. at School of Computer Science, Shaanxi Normal University. He is a senior member of Chinese Institute of Electronics (CIE), a member of specialist group on information security in Ministry of Information Industry of China and a member of specialist group on computer network and information security in Shanxi Province. His research interests include Information Theory and Cryptography.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information