1 Introduction
In Asiacrypt 2001, Rivest, Shamir and Tauman [22] introduced the concept of ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. As pointed out in [22], ring signatures provide an elegant way to leak authoritative secrets anonymously, to sign casual email in a way that can only be verified by its intended recipient, to provide anonymous membership authentication for ad hoc groups [5], etc. In addition, ring signatures can also serve as the building block of concurrent signatures and solve some other problems in multiparty computations.
Ring signatures can be regarded as simplified group signatures that have only users and no managers. Group signatures are useful in situations where the members want to cooperate, while ring signatures are useful when the members do not want to cooperate. Both group signatures and ring signatures are signer-ambiguous. However, group signatures have the additional feature that the anonymity of a signer can be revoked (i.e., the signer can be traced) by a designated group manager. Ring signatures allow greater flexibility: rings may be formed completely in an ad hoc manner, no centralized group manager or coordination among the various users is required (indeed, users may be unaware of each other at the time they generate their public keys), and the signer enjoys full anonymity (unless the actual signer decides to expose himself). To produce a ring signature, the actual signer declares an arbitrary set of possible signers that must include himself, and computes the signature entirely by himself using only his private key and the others’ public keys.
In traditional public key cryptosystem (PKC), each user
has a pair of cryptographic keys–a public key and a private key.
The private key is kept secret by the user himself, while the public
key may be widely distributed. Anyone can encrypt messages with
’s public key and obtain the ciphertexts which can only be
decrypted with ’s private key. Similarly, one can use ’s
public key to verify if a signature is generated by . Therefore,
there is no need for the sender and receiver to share secret
information before the communication. The biggest challenge in PKC
is ensuring the authenticity of public key, that is how to bind a
user and his public key. Suppose Alice wants to encrypt a message to
send to Bob, and Bob is someone who Alice does not know personally,
how can Alice be sure that Bob’s purported public key really is
Bob’s key (and not Charlie’s, for example). If Alice uses a “false”
public key to encrypt the message and send the ciphertext to Bob, it
will result that the intended receiver Bob can not obtain the
message, and even worse, someone else can decrypt the ciphertext and
read the message. The usual approach to solve this problem is to use
a public key infrastructure (PKI), in which one or more third
parties, known as certificate authorities, issue certificates to
bind a user and his public key. In traditional PKC, one must first
check the authenticity of the pair by verifying the
validity of its certificate before any operation regarding the user
. History has shown that certificates in traditional PKC are
generally considered to be costly to use and manage. It is even more
problematic for a ring signature scheme in traditional PKC, where
the signer must first verify all the certificates of group members
before generating the ring signature on behalf of that group,
otherwise his anonymity is jeopardized under the extreme case that
all other ring members’ certificates are indeed invalid. Given a
ring signature, the verifier must perform the same verification as
well before checking the validity of the ring signature. This will
lead to the inefficiency of the whole scheme because the computation
cost will
increase linearly with the group size.
In 1984, Shamir [23] first proposed
Identity-Based public key cryptography (IDPKC), in which the public
key of a user is some unique public information about the identity
of the user (e.g. a user’s email address) [9, 17]. Therefore, the need of
certification can be eliminated. A Trusted Third Party, called the
Private Key Generator (PKG), generates the corresponding private
keys for the users in IDPKC. To operate, the PKG first publishes a
“master” public key, and keeps the corresponding master private key
as secret. Given the master public key, any party can compute a
public key corresponding to an identity by combining the master
public key with the identity value. To obtain a corresponding
private key, the party authorized to use the identity contacts
the PKG, which uses the master private key to generate the private
key for the identity . However, this approach creates a new
inherent problem, namely the key escrow of a user’s private
key, since PKG must be completely trusted. This is due to the
knowledge of the PKG on the user’s private key. For a ring signature
scheme in IDPKC, a malicious PKG can forge a ring
signature on behalf of any group without being detected.
In order to enjoy the implicit certification property of
IDPKC without suffering from its inherent key escrow problem,
Al-Riyami and Paterson [2] proposed a new paradigm
called certificateless public key cryptography (CLPKC). Different
from IDPKC, a third party which we call Key Generation Center (KGC)
in CLPKC does not have the access to a user’s private key. Instead,
the KGC supplies a user with a partial private key, which derives
from the user’s identity. Then the user combines the partial private
key with some secret information chosen by himself to generate his
actual private key. The corresponding public key is computed from
the system’s public parameters and the secret information chosen by
the user, which is finally published in the system. Hence, it is no
longer an identity-based cryptography, since the public key needs to
be provided (but in contrast to the traditional public key
cryptography, the public key does not require any certificate).
Due to the lack of certification in CLPKC, it is conceivable that an adversary can replace anyone’s public key with a value of his choice. An adversary mounting this key replacement attack is called a Type I adversary in [2]. Obviously, a secure signature scheme in CLPKC must have the property that it is infeasible for a Type I adversary to create a valid signature under the false public key chosen by the adversary himself. An assumption that must be made is that the KGC does not mount a public key replacement attack on a target user, since it is armed with this user’s partial private key. However, the KGC might engage in other adversarial activities: eavesdropping on signatures and making signing queries. Such an adversary is known as a Type II adversary. In this way, the level of trust is similar to the trust in a CA in a traditional PKI.
1.1 Motivations
Certificateless cryptography has some advantages over traditional PKC and IDPKC in some aspects [28, 29]. As a useful primitive, ring signatures have been studied in traditional PKC and IDPKC for more than five years. Even from a theoretical point of view, ring signatures should be studied in CLPKC to enrich the theories and techniques of CLPKC. In practice, to generate a ring signature on behalf of a group in traditional PKC, the signer must first verify all the certificates of the group members, otherwise his anonymity is jeopardized and the ring signature will be rejected if he uses invalid certificates of some group members. Given a ring signature, the verifier must perform the same verification as well before checking the validity of the ring signature. These verifications inevitably lead to the inefficiency of the whole scheme since the computational cost increases linearly with the group size. Although identity-based ring signatures eliminate such costly verifications, they suffer from a security drawback induced by the inherent key escrow problem of IDPKC. Namely, a malicious PKG can always issue valid ring signatures on behalf of any group. As CLPKC does not use public key certificates and, at the same time, removes the key escrow problem of IDPKC, we think it supplies an appropriate environment for implementing ring signatures. So it is necessary to extend the notion and security model of ring signatures to CLPKC. Compared with ring signature schemes in traditional PKC, in a CLRing scheme, both the signer and the verifier can avoid the costly verification of group members’ certificates. On the other hand, in contrast to ID-based ring signatures, the KGC can no longer forge a ring signature on behalf of a group without being detected.
On the application side, like ring signatures in traditional PKC and IDPKC, certificateless ring signatures can also be used for leaking authoritative secrets in an anonymous way, anonymous membership authentication for ad hoc groups [5], reporting embezzlement and corruption to the authorities, certificateless designated signatures and concurrent signatures, etc.
1.2 Our Contributions
In this paper, we introduce the notion of ring signature into certificateless cryptography and propose a concrete certificateless ring signature scheme.
Firstly, we provide the security models of certificateless ring signatures. Two types of adversaries, Type I and Type II, are formally defined. Both adversaries in our definition are “super adversaries” [33]. That is, the adversary can get valid ring signatures of the group whose public keys have been replaced, without supplying the secret values that are used to generate those public keys. In addition, our models also capture the group-changing attack [18] in the notion of ring signatures.
Secondly, we give an analysis of a “seem-secure” generic construction of certificateless ring signatures. The generic construction of certificateless signatures was first proposed by Yum and Lee [26], and has been shown insecure in [14]. Hu et al. also presented a secure construction of certificateless signatures [14]. Using methods similar to those in [14], one can also get a generic construction of certificateless ring signatures. However, as we will show later, the resulting generic construction of certificateless ring signatures is totally insecure against the key replacement attack.
Lastly, we present a concrete construction of certificateless ring signatures. The new scheme uses the bilinear pairing on elliptic curves; concretely, the signing phase requires 2 pairings and the verification requires 3 pairings. We prove its security in the random oracle model, under the assumption that the Computational Diffie-Hellman problem is intractable.
Organization.
The rest of the paper is
organized as follows. In the next section, we review some
preliminaries which are required in this paper.
Section 4 defines the security models in the
notion of certificateless ring signatures. We analyze a generic
construction of certificateless ring signatures and show its
insecurity in Section 5. The
concrete construction of certificateless ring signature is proposed
in Section 6. Its security proofs are given in
Section 7. Finally, Section 8 presents
our conclusion.
2 Related Work
Following the prior work of Rivest, Shamir and Tauman [22], a number of constructions of ring signature in traditional PKC and IDPKC have been presented. Abe, Ohkubo, and Suzuki [1] provided a construction applicable for several categories of public keys (e.g., integer factoring based and discrete-log based). A simple ring signature using bilinear maps was given in [4]. Herranz and Saez [12] generalized the forking lemma to the ring signatures. In [27], Zhang and Kim extended the concept to Identity-Based ring signature (IDRS) schemes. Some ring signature schemes with constant size were also presented in [10, 21].
In terms of security models for provably secure ring
signature schemes, there are three models commonly used. They
provide different security levels. The first and the weakest model
was introduced by Rivest et al. [22]. Later Abe et al.
[1] proposed a very strong model. Finally, Liu and Wong
[18] presented a model whose security level is considered
to be lying in between the two foregoing models. We mainly use the
ideas of constructing IDRS schemes in [13], and the
security models of ring signatures in [18] in this paper.
CLPKC has seen fruitful developments since its introduction
[2, 6, 7, 11, 25, 30, 31]. Al-Riyami and Paterson presented
the first certificateless signature (CLS) scheme [2].
Since then, several CLS schemes [14, 16, 19, 20, 24, 26, 32, 35] were proposed. In [15], Huang et
al. defined the security model of CLS schemes. Zhang et al. [35] improved the security model of CLS schemes, and presented a
secure CLS scheme. Generic ways to construct CLS schemes were
investigated in [26], [14]. In [16], a
certificateless proxy signature scheme was proposed.
Work on certificateless ring signatures was done by
Chow and Yap [8]. The security of their scheme is based
on the hardness of the CAA problem and the Modified Inverse
Computational Diffie-Hellman problem, and is proved in a weak model
that requires a type I adversary to submit the secret values
corresponding to the replaced public keys to the challenger in the
sign queries. The computational cost of their scheme involves a large
number of pairing operations, which increases linearly with the number
of group members.
3 Preliminaries
In this section, we review some fundamental background required in this paper.
3.1 Bilinear Pairings and Computational Problems
Let be an additive group of prime order and be a multiplicative group of the same order. Let P denote a generator of . A mapping is called a bilinear mapping if it satisfies the following properties:

Bilinear: for all .

Nondegeneracy: There exists such that .

Computable: There exists an efficient algorithm to compute for any .
For a group G of prime order, we denote the set , where is the identity element of the group.
Discrete Logarithm (DL) Problem: Given a generator of a cyclic additive group with order , and to find an integer such that .
Computational Diffie-Hellman (CDH) Problem: Given a generator of a cyclic additive group with order , and given for unknown ; to compute .
3.2 The Concept of Certificateless Ring Signature Schemes
A CLRing scheme is defined by seven algorithms: Setup, PartialPrivateKeyExtract, SetSecretValue, SetPrivateKey, SetPublicKey, RingSign and Verify. The description of each algorithm is as follows.

Setup: This algorithm is run by the KGC and takes as input a security parameter to produce a masterkey and a list of system parameters param.

PartialPrivateKeyExtract: This algorithm is run by the KGC and takes as input a user’s identity , a parameter list param and a masterkey to produce the user’s partial private key .

SetSecretValue: This algorithm takes as input a parameter list param and a user’s identity to produce the user’s secret value .

SetPrivateKey: This algorithm takes as input a parameter list param, a user’s identity , the user’s partial private key and secret value to produce a private signing key for this user.

SetPublicKey: This algorithm takes as input a parameter list param, a user’s identity and secret value to produce a public key for the user.

RingSign: This algorithm takes as input a message is the message space, a set of n group members whose identities form the set and their corresponding public keys form the set , a parameter list param and a signer’s signing key to produce a ring signature . Here is the th group member’s private key.

Verify: This algorithm takes as input a message , a ring signature , a parameter list param, the set of the group members’ identities and the set of the corresponding public keys of the group members to output if the signature is correct, or otherwise.
4 Security Models of Certificateless Ring Signature Schemes
There are two types of adversaries in the certificateless system: namely Type I Adversary and Type II Adversary. A Type I Adversary simulates attacks when the adversary (anyone except the KGC) replaces the user’s public key with a value of his/her choice. However, is not given this user’s partial private key (and system’s masterkey). On the other hand, a Type II Adversary has access to the masterkey but cannot perform public key replacement.
Combining the security notions of certificateless public key cryptography and traditional ring signature schemes, we define the security of a CLRing scheme via the following two games between a challenger and an adversary or .
Game 1: Unforgeability of CLRing against Type I Adversary
Setup: runs the Setup algorithm, takes as input a security parameter to obtain a masterkey and the system parameter param. then sends param to the adversary while keeping the masterkey as secret. In addition, will maintain three lists where

is used to record the identities which have been chosen by in the PartialPrivateKey Queries.

is used to record the identities whose public keys have been replaced by .

is used to record the identities which have been chosen by in the PrivateKey Queries.
All three lists are empty at the beginning of the game.
Training: The adversary can adaptively issue a polynomially bounded number of queries as defined below:

PartialPrivateKey Queries : can request the partial private key of any user whose identity is . In response,

first resets .

then runs the algorithm PartialPrivateKeyExtract and outputs the partial private key .


PublicKey Queries : can request the public key of a user whose identity is . In response,

first runs the algorithm SetSecretValue and obtains the secret value .

then runs the algorithm SetPublicKey and obtains the public key . outputs the public key as the answer.


PublicKeyReplacement Queries : For any user whose identity is , can choose a new public key . then sets as the new public key of this user and submits () to . On receiving a query , resets and updates the public key of this user to the new value .

PrivateKey Queries : can request the private key of a user whose identity is . In response,

first checks the set . If (that is, the public key of the user has been replaced), will return the symbol which means cannot output the private key of an identity whose public key has been replaced.

Otherwise, and resets . then runs the algorithm SetPrivateKey and outputs the private key .


RingSign Queries : can request the ring signature of a message on behalf of a group whose identities are listed in the set and the corresponding public keys are in the set . In response, outputs a ring signature for the message . It is required that the algorithm Verify will output for the input .
Forgery: Finally, outputs a tuple as the forgery. We say wins the game if the forgery satisfies all the following requirements:

The algorithm Verify outputs for the input .

and .

has never been queried during the RingSign Queries.
Game 2: Unforgeability of CLRing against Type II Adversary
Setup: runs the Setup algorithm, takes as input a security parameter to obtain the system parameter list param and also the system’s masterkey. then sends param and masterkey to the adversary . will maintain two lists where

is used to record the identities whose public keys have been replaced by .

is used to record the identities which have been chosen by in the PrivateKey Queries.
Both lists are empty at the beginning of the game.
Training: As defined in Game 1, the type II adversary can issue a polynomially bounded number of PublicKey Queries, PrivateKey Queries, PublicKeyReplacement Queries and RingSign Queries. will answer those queries in the same way as in Game 1. Note that does not need to issue PartialPrivateKey queries because he already knows the system’s masterkey.
Forgery: Finally, outputs a tuple as the forgery. We say wins the game if the forgery satisfies all the following requirements:

The algorithm Verify outputs for the input .

and .

has never been queried during the RingSign Queries.
Definition 4.1
A CLRing scheme is existentially unforgeable under adaptively chosen-message attack iff
the success probability of any polynomially bounded adversary in the above two games is negligible.
Definition 4.2
A CLRing scheme is said to have the unconditional signer anonymity if for any group of users whose identities form the set and their corresponding public keys form the set , any message and any ring signature , any verifier cannot identify the actual signer with probability better than a random guess. That is, can only output the actual signer with probability no better than ( when is in the signers’ ring).
5 Analysis of A Generic Construction of CLRing
In [26], Yum and Lee presented a generic way to construct a certificateless signature scheme. However, Hu et al. [14] pointed out that their construction is flawed and proposed a new one. It seems at first glance that the methods in [14] can also be used to obtain a generic construction of CLRing signatures. However, as we will show later, the resulting scheme is not secure in our security model defined in Section 4.
5.1 A Generic Construction of CLRing
Let  be a traditional public key-based ring signature scheme which is existentially unforgeable under adaptively chosen-message attack. takes a security parameter as input and generates a public/secret pair ;  takes a private signing key, a set of public keys and a message as inputs, and generates a ring signature ; and is the corresponding ring signature verification algorithm.
Let  be an identity-based ring signature scheme that is existentially unforgeable under adaptively chosen-message and identities attacks. takes a security parameter as input and generates a master secret key masterkey and a list of system parameters param; is an identity-based secret key generation algorithm which takes masterkey and an identity and generates a secret key denoted by ;  takes a private signing key, a set of identities and a message as inputs, and generates an identity-based ring signature denoted by ; and is the corresponding ring signature verification algorithm.
5.2 Security Analysis of the Generic Construction
In this section, we will show that the generic construction described in Fig 1 is not secure under the definition in Section 4.
We first show that a type I adversary can forge a valid ring signature of any message . The attack algorithm is as follows:

first chooses identities and sets

As defined in the Game 1 in Section 4, then issues PublicKey queries to obtain the corresponding public keys .

runs the algorithm SetSecretValue to generate a secret value for the user . It also runs the algorithm SetPublicKey to obtain a public key . Finally, it replaces ’s public key with and sets

then submits a partial private key query for an identity and obtains the partial private key , with the only requirement that .

For any message , sets and uses to compute

It then sets and uses to compute

outputs as the forgery.
As we can see, is a valid ring signature of under and . This is because runs all the algorithms exactly as defined in the generic construction in Section 4. We note that this attack is a strong attack that belongs to the no-message attack class, where no signing oracle is required.
The generic construction given in Section 4 only guarantees that the signer of a valid ring signature possesses a secret value of a user and a partial private key of a user , instead of proving that the signer must know the private key of one user (i.e., ). This is the reason why a Type I adversary can forge a valid signature for any message. How to give a provably secure generic construction of certificateless ring signature is still an open problem.
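The gap described above can be reproduced on a toy model. The following is an added example, not code from the paper: both component schemes are replaced by the same Schnorr-style ring signature over a toy group, the identity-derived verification key is published by the challenger rather than computed from the identity, and the way the two component signatures bind the message is an assumption because Fig 1 is not reproduced here. All names (Challenger, cl_sign, cl_verify, type1_forgery) are hypothetical.

```python
import hashlib
import secrets

# Toy group, constructed for this example: Z_P^* with P = 2^127 - 1 and
# exponents reduced mod N = P - 1. Far too small for real use.
P = 2**127 - 1
N = P - 1
G = 3

def H(*parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def ring_sign(x, s, ring, msg):
    """Schnorr-style ring signature made with the secret x behind ring[s]."""
    ring, n = tuple(ring), len(ring)
    c, z = [0] * n, [0] * n
    k = secrets.randbelow(N)
    i = (s + 1) % n
    c[i] = H(ring, msg, pow(G, k, P))
    while i != s:                         # simulate every other ring member
        z[i] = secrets.randbelow(N)
        c[(i + 1) % n] = H(ring, msg, pow(G, z[i], P) * pow(ring[i], c[i], P) % P)
        i = (i + 1) % n
    z[s] = (k - x * c[s]) % N             # close the ring with the real secret
    return c[0], tuple(z)

def ring_verify(ring, msg, sig):
    ring, (c0, z) = tuple(ring), sig
    if len(z) != len(ring):
        return False
    c = c0
    for y, zi in zip(ring, z):
        c = H(ring, msg, pow(G, zi, P) * pow(y, c, P) % P)
    return c == c0

class Challenger:
    """Game 1 oracles and the three bookkeeping lists (toy model)."""
    def __init__(self):
        self.master = secrets.randbelow(N - 1) + 1
        self.secret, self.pk = {}, {}
        self.partial_queried, self.replaced, self.private_queried = set(), set(), set()
    def _partial(self, ident):            # partial private key derived from masterkey
        return H("partial", self.master, ident)
    def id_key(self, ident):              # assumed stand-in for the identity's public value
        return pow(G, self._partial(ident), P)
    def public_key(self, ident):
        if ident not in self.pk:
            self.secret[ident] = secrets.randbelow(N - 1) + 1
            self.pk[ident] = pow(G, self.secret[ident], P)
        return self.pk[ident]
    def partial_private_key(self, ident):
        self.partial_queried.add(ident)
        return self._partial(ident)
    def replace_public_key(self, ident, new_pk):
        self.replaced.add(ident)
        self.pk[ident] = new_pk
    def private_key(self, ident):
        if ident in self.replaced:
            return None                   # refused: the public key was replaced
        self.private_queried.add(ident)
        self.public_key(ident)
        return self._partial(ident), self.secret[ident]

def cl_sign(ch, msg, ids, partial, j, secret, i):
    """Generic construction: one ring signature per key component (i == j when honest)."""
    pks = tuple(ch.public_key(u) for u in ids)
    id_keys = tuple(ch.id_key(u) for u in ids)
    s1 = ring_sign(partial, j, id_keys, (msg, ids, pks))
    s2 = ring_sign(secret, i, pks, (msg, ids, pks, s1))
    return s1, s2

def cl_verify(ch, msg, ids, sig):
    pks = tuple(ch.public_key(u) for u in ids)
    id_keys = tuple(ch.id_key(u) for u in ids)
    s1, s2 = sig
    return (ring_verify(id_keys, (msg, ids, pks), s1)
            and ring_verify(pks, (msg, ids, pks, s1), s2))

def type1_forgery(ch, msg, ids, i, j):
    """Secret value of member i (replaced key) plus partial key of member j != i."""
    for u in ids:
        ch.public_key(u)                                 # PublicKey queries
    x_new = secrets.randbelow(N - 1) + 1                 # SetSecretValue run by the adversary
    ch.replace_public_key(ids[i], pow(G, x_new, P))      # PublicKeyReplacement query
    d_j = ch.partial_private_key(ids[j])                 # PartialPrivateKey query
    return cl_sign(ch, msg, ids, d_j, j, x_new, i)

def demo():
    ch = Challenger()
    ids = ("alice", "bob", "carol")                      # constructed identities
    sig = type1_forgery(ch, "constructed message", ids, i=0, j=2)
    accepted = cl_verify(ch, "constructed message", ids, sig)
    no_full_key = not (ch.partial_queried & ch.replaced) and not ch.private_queried
    return accepted, no_full_key

if __name__ == "__main__":
    print(demo())
```

The verifier accepts even though no single ring member's complete private key was ever held, because nothing ties the two component signatures to the same ring position.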
6 A Concrete Certificateless Ring Signatures Scheme
In this section, we will give the concrete construction of certificateless ring signature.
6.1 Description of Our CLRing Scheme
Our CLRing scheme consists of the following concrete algorithms:

Setup: Given a security parameter , the algorithm works as follows.

Specify , as described in Section 3.1.

Arbitrarily choose a generator and set .

Choose a random masterkey and set .

Choose cryptographic hash functions , and .
The system parameters param=(). The message space is .


PartialPrivateKeyExtract: This algorithm accepts param, masterkey and a user’s identity to output the user’s partial private key . Where .

SetSecretValue: Given param, this algorithm selects a random as the user’s (whose identity is ) secret value.

SetPrivateKey: This algorithm takes as input param, a user’s identity , the user’s partial private key and the user’s secret value . The output of the algorithm is the user’s private key .

SetPublicKey: This algorithm accepts param, a user’s identity and his secret value to produce the user’s public key .

RingSign: Suppose there’s a group of n users whose identities form the set , and their corresponding public keys form the set . To sign a message on behalf of the group, the actual signer, indexed by s using the private key , performs the following steps.

For each , select uniformly at random, compute .

Compute for all .

Choose random , compute , . If or for some , then redo this step.

Compute .

Compute .

Output the ring signature on as .


Verify: To verify a ring signature on a message with identities in and corresponding public keys in , the verifier performs the following steps.

Compute for all , compute .

Verify holds with equality.

Accept the ring signature as valid and output if the above equation holds, otherwise, output .

6.2 Efficiency
We only consider the costly operations including the pairing operation (Pairing), scalar multiplication in ( SM), exponentiation in ( E) and MapToPoint hash operation [31] (Hash). The numbers of these operations in our scheme are shown in Table 1.
Table 1. Efficiency
         Pairing  SM    E  Hash
Sign     2        2n+3  n  n+1
Verify   3        2n    0  n+1
Total    5        4n+3  n  2n+2
Pairing is the most time-consuming operation. Our CLRing scheme requires only 5 pairing operations, a number that is independent of the group size.
7 Analysis of the Proposed CLRing Scheme
In this section, we will analyze our proposed scheme in detail.
7.1 Correctness
The correctness of the proposed scheme can be easily verified with the following:
7.2 Unconditional Anonymity
Let be a valid ring signature of a message on behalf of a group of members specified by identities in and public keys in . Since all the are randomly generated, hence all
are also uniformly distributed. The randomness of
chosen by the signer implies is also uniformly distributed. So in the signature reveals no information about the signer. It remains to consider whether leaks information about the actual signer. From the construction of , it is obvious to see that . To identify whether is the identity of the actual signer, the only way is to check . Namely, . If is the identity of the actual signer, it should hold
It remains to check
However, we have for each
where , and is the identity of the actual signer. This fact shows that in the signature does not leak any information about the identity of the actual signer. And hence, the unconditional anonymity of our CLRing scheme is proved.
7.3 Unforgeability
Assuming that the CDH problem is hard, we now show the unforgeability of our CLRing scheme.
Theorem 7.1
In the random oracle model [3], if can win the Game 1, with an advantage within a time span for a security parameter ; and asking at most PartialPrivateKey queries, at most PublicKey queries, at most PrivateKey queries, at most queries, at most queries, at most queries, RingSign queries. Then the CDH problem in can be solved within time and with probability where n is the ring scale, is defined as the number of permutations of elements i.e. , (resp. and ) is the time cost of an (resp. , PartialPrivateKey, PublicKey, PrivateKey and RingSign) query.
Please refer to Appendix A.
Theorem 7.2
In the random oracle model, if can win the Game 2, with an advantage within a time span for a security parameter ; and asking at most PublicKey queries, at most PrivateKey queries, at most queries, at most queries, at most queries, at most RingSign queries. Then the CDH problem in can be solved within time and with probability .
Please refer to Appendix B.
8 Conclusion
In this paper, we proposed a concrete construction of a certificateless ring signature scheme from the bilinear pairing. The security models of certificateless ring signatures are also formalized. The models capture the essence of the possible adversaries in the notion of certificateless system and ring signatures. In the random oracle model, the unforgeability of our scheme is based on the hardness of the Computational Diffie-Hellman problem. We note that the number of pairing computations in our scheme is constant and does not grow with the number of group members.
References
 [1] M. Abe, M. Ohkubo, and K. Suzuki. 1-out-of-n signatures from a variety of keys. ASIACRYPT 2002, Lecture Notes in Computer Science, vol. 2501, pages 415-432, Springer-Verlag, 2002.
 [2] S. Al-Riyami and K. Paterson. Certificateless public key cryptography. Asiacrypt 2003, Lecture Notes in Computer Science, vol. 2894, pages 452-473, Springer-Verlag, 2003.
 [3] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. ACM CCS 1993, pages 62-73, 1993.
 [4] D. Boneh, C. Gentry, B. Lynn and H. Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. EUROCRYPT 2003, Lecture Notes in Computer Science, vol. 2656, pp. 416-432, Springer-Verlag, 2003.
 [5] E. Bresson, J. Stern, and M. Szydlo. Threshold ring signature and applications to ad-hoc groups. Crypto 2002, Lecture Notes in Computer Science, vol. 2442, pages 465-480, Springer-Verlag, 2002.
 [6] W. Chen, L. Zhang, B. Qin, Q. Wu, H. Zhang. Certificateless One-Way Authenticated Two-Party Key Agreement Protocol, Fifth International Conference on Information Assurance and Security (IAS 09), IEEE, pp. 483-486, 2009.
 [7] L. Chen, L. Zhang, B. Qin, Q. Wu, H. Zhang. Cryptanalysis of a Certificateless Encryption Scheme, 2010 International Conference on Computer Design and Applications (ICCDA 2010), IEEE, pp. V5-536 - V5-539, 2010.
 [8] S. Chow and W. Yap. Certificateless Ring Signatures. Cryptology ePrint Archive, Report 2007/236.
 [9] F. Dai, M. Luo, Y. Zhang, L. Zhang and Y. Sun. A Fault-Tolerant Batch Verification Scheme for Cloud Assisted VANETs, 2nd International Conference on Applied Mechanics, Electronics and Mechatronics Engineering (AMEME 2017), pages 337-342, 2017.
 [10] Y. Dodis, A. Kiayias, A. Nicolosi, and V. Shoup. Anonymous identification in ad hoc groups. EUROCRYPT 2004, Lecture Notes in Computer Science, vol. 3027, pages 609-626, Springer-Verlag, 2004.
 [11] Z. Dong, L. Zhang, J. Li, Security Enhanced Anonymous Remote User Authentication and Key Agreement for Cloud Computing, 17th International Conference on Computational Science and Engineering (CSE 2014), IEEE, pp. 1746-1751, 2014.
 [12] J. Herranz and G. Saez. Forking lemmas for ring signature schemes. INDOCRYPT 2003, Lecture Notes in Computer Science, vol. 2904, pp. 266-279, Springer-Verlag, 2003.
 [13] J. Herranz and G. Saez. New identity-based ring signature schemes. ICICS 2004, Lecture Notes in Computer Science, vol. 3269, pages 27-39, Springer-Verlag, 2004.
 [14] B. Hu, D. Wong, Z. Zhang and X. Deng. Key replacement attack against a generic construction of certificateless signature. ACISP 2006, Lecture Notes in Computer Science, vol. 4058, pages 235-346, Springer-Verlag, 2006.
 [15] X. Huang, W. Susilo, Y. Mu and F. Zhang. On the security of a certificateless signature scheme. CANS 2005, Lecture Notes in Computer Science, vol. 3810, pages 13-25, Springer-Verlag, 2005.
 [16] X. Li, K. Chen and L. Sun. Certificateless signature and proxy signature schemes from bilinear pairings. Lithuanian Mathematical Journal, vol. 45, pages 76-83, Springer-Verlag, 2005.
 [17] B. Liu, L. Zhang. An Improved Identity-based Batch Verification Scheme for VANETs, 5th International Conference on Intelligent Networking and Collaborative Systems (INCos 2013), IEEE, pp. 809-814, 2013.
 [18] J. Liu and D. Wong. On the security models of (threshold) ring signature schemes. ICISC 2004, Lecture Notes in Computer Science, vol. 3506, pages 204-217, Springer-Verlag, 2005.
 [19] S. Miao, F. Zhang, L. Zhang. On the Security of a Certificateless Signature Scheme, 2nd International Conference on Signal Processing Systems (ICSPS 2010), IEEE, pp. V2-457 - V2-461, 2010.
 [20] S. Miao, F. Zhang, L. Zhang. Cryptanalysis of a Certificateless Multi-receiver Signcryption Scheme, 2010 International Conference on Multimedia Information Networking and Security (MINES 2010), IEEE, pp. 593-597, 2010.
 [21] L. Nguyen. Accumulators from bilinear pairings and applications. CT-RSA 2005, Lecture Notes in Computer Science, vol. 3376, pages 275-292, Springer-Verlag, 2005.
 [22] R. Rivest, A. Shamir and Y. Tauman. How to leak a secret. Asiacrypt’01, Lecture Notes in Computer Science, vol. 2248, pages 552-565, Springer-Verlag, 2001.
 [23] A. Shamir. Identity based cryptosystems and signature schemes. Crypto’84, Lecture Notes in Computer Science, vol. 196, pages 47-53, Springer-Verlag, 1984.
 [24] W. Yap, S. Heng, and B. Goi. An efficient certificateless signature scheme. EUC Workshops 2006, Lecture Notes in Computer Science, vol. 4097, pages 322-331, Springer-Verlag, 2006.
 [25] H. Yuan, F. Zhang, X. Huang, Y. Mu, W. Susilo, L. Zhang. Certificateless Threshold Signature Scheme from Bilinear Pairings, Information Sciences, 180(23), 4714-4728, 2010.
 [26] D. Yum and P. Lee. Generic construction of certificateless signature. ACISP 2004, Lecture Notes in Computer Science, vol. 3108, pages 200-211, Springer-Verlag, 2004.
 [27] F. Zhang and K. Kim. ID-Based blind signature and ring signature from pairings. ASIACRYPT 2002, Lecture Notes in Computer Science, vol. 2501, pages 533-547, Springer-Verlag, 2002.
 [28] L. Zhang, F. Zhang. Security Model for Certificateless Aggregate Signature Schemes. 2008 International Conference on Computational Intelligence and Security (CIS 2008), IEEE, pp. 364368, 2008.
 [29] L. Zhang, B. Qin, Q. Wu, F. Zhang. Novel Efficient Certificateless Aggregate Signatures, The 18th Symposium on Applied algebra, Algebraic algorithms, and Error Correcting Codes (AAECC 2009), Lecture Notes in Computer Science volume, vol. 5527, pp. 235238, SpringerVerlag, 2009.
 [30] L. Zhang, F. Zhang. A New Certificateless Aggregate Signature Scheme, Computer Communications, 32(6), 10791085, 2009.
 [31] L. Zhang, B. Qin, Q. Wu, F. Zhang. Efficient ManytoOne Authentication with Certificateless Aggregate Signatures, Computer Networks, 54(14), 24822491, 2010.
 [32] L. Zhang, Q. Wu, J. DomingoFerrer, B. Qin. Hierarchical Certificateless Signatures, 2010 IEEE/IFIP 8th International Conference on Embedded and Ubiquitous Computing (EUC), IEEE, pp. 572577, 2010.
 [33] L. Zhang, F. Zhang. A New Provably Secure Certificateless Signature Scheme, 2008 IEEE International Conference on Communications (ICC 2008), pp. 16851689, IEEE, 2008.
 [34] L. Zhang, F. Zhang, W. Wu. A Provably Secure Ring Signature Scheme in Certificateless Cryptography. ProvSec 2007, Lecture Notes in Computer Science, vol. 4784, pages 103121, SpringerVerlag, 2007.
 [35] Z. Zhang, D. Wong, J. Xu and D. Feng. Certificateless publickey signature: security model and efficient construction. ACNS 2006, Lecture Notes in Computer Science, vol. 3989, pages 293308, SpringerVerlag, 2006.
Appendix A Proof of Theorem 7.1
Proof. Let be a CDH attacker, be a type I adversary of our CLRing scheme who interacts with following Game 1 and can forge a valid ring signature. Suppose receives a random instance of the CDH problem in . We show how can use to solve the CDH problem, i.e. to compute .
Setup: first sets and selects param=, then sends param to . We take hash functions and as random oracles.
Training: can ask , PartialPrivateKey, PublicKey, PrivateKey, PublicKeyReplacement and RingSign queries. In order to maintain consistency and avoid conflict, keeps four lists , , , and K to store the answers used, where includes items of the form , includes items of the form , includes items of the form , and K includes items of the form . All four lists are initially empty. also maintains three lists , whose functions are the same as those described in Game 1 of Section 4.
Queries: On receiving a query , does as follows.

If there exists an item in , then returns as answer.

Otherwise, first flips a coin that yields 0 with probability and 1 with probability ( will be determined later), then picks a random element (has not been used before) in . If , computes ; otherwise , it computes . then adds to and returns as answer.
Queries: On receiving a query , first checks if there exists an item in , if so, returns as answer. Otherwise, picks a random which has not been used in the answers of the former Queries, then returns as answer and adds to .
Queries: On receiving a query , first checks if there exists an item in , if so, returns as answer. Otherwise, first flips a coin that yields 0 with probability and 1 with probability then picks a random which has not been used in the answers of the former Queries. If , compute ; while , compute . In both cases, will add to and return as answer.
PartialPrivateKey Queries: Whenever receives a query

If there exists an item in K, does the following:

If , returns as answer.

Else, if there exists an item in , sets , and returns as answer when ; while , aborts.

Otherwise, first makes an query to obtain an item . If , aborts; while , sets , and returns as answer.


Otherwise does the following:

If there exists an item in , sets , computes , sets , adds to K and returns as answer when ; while aborts.

Otherwise, first makes an query to obtain an item in , then proceeds as in (a).

PublicKey Queries: Whenever receives a query

If there exists an item in K, does the following:

If , returns as answer;

Otherwise, first flips a coin that yields 0 with probability and 1 with probability , then picks a random . If , sets ; otherwise , it computes . then updates with new values and returns as answer.


Otherwise, first flips a coin that yields 0 with probability and 1 with probability , then picks a random . If , sets ; otherwise , it computes . then sets , returns as answer and adds to K.
PublicKeyReplacement Queries: On receiving a query ( sets ), first makes a query to obtain an item , then sets , , and updates the item