A Provably Secure Ring Signature Scheme in Certificateless Cryptography

12/25/2017
by   Lei Zhang, et al.
East China Normal University

A ring signature is a group-oriented signature: it allows a member of a group to sign messages on behalf of the group without revealing his or her identity. Certificateless public key cryptography was introduced by Al-Riyami and Paterson at Asiacrypt 2003. It does not require certificates to guarantee the authenticity of users' public keys, and it avoids the key escrow problem that is inherent in identity-based cryptography. In this paper we propose a concrete certificateless ring signature scheme and formalize security models for certificateless ring signatures. The new scheme is provably secure in the random oracle model under the assumption that the Computational Diffie-Hellman problem is hard. We also show that a generic construction of certificateless ring signatures is insecure against the key replacement attack defined in our security models.


1 Introduction

In Asiacrypt 2001, Rivest, Shamir and Tauman [22] introduced the concept of ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. As pointed out in [22], ring signatures provide an elegant way to leak authoritative secrets anonymously, to sign casual email in a way that can only be verified by its intended recipient, to authenticate membership in ad hoc groups anonymously [5], etc. In addition, ring signatures can serve as a building block of concurrent signatures and solve other problems in multiparty computation.

Ring signatures can be regarded as simplified group signatures that have only users and no managers. Group signatures are useful when the members want to cooperate, while ring signatures are useful when they do not. Both are signer-ambiguous, but group signatures have the additional feature that the anonymity of a signer can be revoked (i.e., the signer can be traced) by a designated group manager. Ring signatures allow greater flexibility: no centralized group manager and no coordination among the users is required (indeed, users may be unaware of each other at the time they generate their public keys); rings may be formed completely in an ad hoc manner; and anonymity is full unless the actual signer decides to expose himself. To produce a ring signature, the actual signer declares an arbitrary set of possible signers that must include himself, and computes the signature entirely by himself using only his private key and the others' public keys.
In a traditional public key cryptosystem (PKC), each user has a pair of cryptographic keys, a public key and a private key. The private key is kept secret by the user, while the public key may be widely distributed. Anyone can encrypt messages under a user's public key and obtain ciphertexts that can only be decrypted with that user's private key; similarly, anyone can use the user's public key to verify whether a signature was generated by that user. Therefore, there is no need for the sender and receiver to share secret information before communicating. The biggest challenge in PKC is ensuring the authenticity of public keys, that is, how to bind a user to his public key. Suppose Alice wants to encrypt a message for Bob, whom she does not know personally. How can Alice be sure that Bob's purported public key really is Bob's (and not Charlie's, for example)? If Alice encrypts under a "false" public key and sends the ciphertext to Bob, the intended receiver cannot recover the message and, worse, someone else can decrypt the ciphertext and read it. The usual solution is a public key infrastructure (PKI), in which one or more trusted third parties, known as certificate authorities, issue certificates binding a user to his public key. In traditional PKC, one must first check the authenticity of the user/public-key pair by verifying the validity of its certificate before performing any operation involving that user. Experience has shown that certificates in traditional PKC are costly to use and manage. The problem is even more acute for a ring signature scheme in traditional PKC, where the signer must first verify the certificates of all group members before generating the ring signature on behalf of that group; otherwise his anonymity is jeopardized in the extreme case where all the other ring members' certificates are invalid. Given a ring signature, the verifier must perform the same verification before checking the validity of the ring signature itself. This makes the whole scheme inefficient, because the computational cost grows linearly with the group size.
In 1984, Shamir [23] proposed identity-based public key cryptography (ID-PKC), in which the public key of a user is some unique public information about the identity of the user (e.g. the user's email address) [9, 17]. Therefore, the need for certification is eliminated. A trusted third party, called the Private Key Generator (PKG), generates the corresponding private keys for the users. To operate, the PKG first publishes a "master" public key and keeps the corresponding master private key secret. Given the master public key, any party can compute the public key corresponding to an identity by combining the master public key with the identity value. To obtain the corresponding private key, the party authorized to use the identity contacts the PKG, which uses the master private key to generate the private key for that identity. However, this approach creates a new inherent problem, namely key escrow of users' private keys: the PKG knows every user's private key and must therefore be completely trusted. For a ring signature scheme in ID-PKC, a malicious PKG can forge a ring signature on behalf of any group without being detected.
In order to enjoy the implicit certification property of ID-PKC without suffering from its inherent key escrow problem, Al-Riyami and Paterson [2] proposed a new paradigm called certificateless public key cryptography (CL-PKC). Different from ID-PKC, the third party in CL-PKC, called the Key Generation Center (KGC), does not have access to a user's full private key. Instead, the KGC supplies a user with a partial private key derived from the user's identity. The user then combines the partial private key with some secret information chosen by himself to generate his actual private key. The corresponding public key is computed from the system's public parameters and the secret information chosen by the user, and is then published. Hence, CL-PKC is no longer identity-based, since the public key needs to be provided; but in contrast to traditional PKC, the public key does not require a certificate.

Due to the lack of certification in CL-PKC, it is conceivable that an adversary can replace anyone's public key with a value of his choice. This key replacement attacker is called a Type I adversary in [2]. Obviously, a secure signature scheme in CL-PKC must have the property that it is infeasible for a Type I adversary to create a valid signature under a false public key chosen by the adversary himself. One assumption that must be made is that the KGC does not mount a public key replacement attack against a target user, since the KGC already holds that user's partial private key. However, the KGC might engage in other adversarial activities, such as eavesdropping on signatures and making signing queries; this is known as the Type II adversary. Under this assumption the level of trust in the KGC is similar to the trust in a CA in a traditional PKI.

1.1 Motivations

Certificateless cryptography has some advantages over traditional PKC and ID-PKC [28, 29]. As a useful primitive, ring signatures have been studied in traditional PKC and ID-PKC for more than five years. Even from a theoretical point of view, ring signatures should be studied in CL-PKC to enrich the theory and techniques of CL-PKC. In practice, to generate a ring signature on behalf of a group in traditional PKC, the signer must first verify all the certificates of the group members; otherwise his anonymity is jeopardized, and the ring signature will be rejected if he uses invalid certificates of some group members. Given a ring signature, the verifier must perform the same verification before checking the validity of the ring signature. These verifications inevitably make the whole scheme inefficient, since the computational cost increases linearly with the group size. Although identity-based ring signatures eliminate such costly verifications, they suffer from a security drawback induced by the inherent key escrow problem of ID-PKC: a malicious PKG can always issue valid ring signatures on behalf of any group. As CL-PKC does not use public key certificates and at the same time removes the key escrow problem of ID-PKC, we think it supplies an appropriate environment for implementing ring signatures. So it is necessary to extend the notion and security model of ring signatures to CL-PKC. Compared with ring signature schemes in traditional PKC, in a CL-Ring scheme both the signer and the verifier avoid the costly verification of group members' certificates. In contrast to ID-based ring signatures, the KGC can no longer forge a ring signature on behalf of a group without being detected.

In application aspects, like ring signatures in traditional PKC and ID-PKC, certificateless ring signatures can be used for leaking authoritative secrets anonymously, anonymous membership authentication for ad hoc groups [5], anonymously reporting embezzlement and corruption to the authorities, certificateless designated signatures and concurrent signatures, etc.

1.2 Our Contributions

In this paper, we introduce the notion of ring signature into certificateless cryptography and propose a concrete certificateless ring signature scheme.

Firstly, we provide the security models of certificateless ring signatures. Two types of adversaries: Type I adversary and Type II adversary have been formally defined. The above two adversaries in our definition are “super adversaries” [33]. That is, the adversary can get valid ring signatures of the group whose public keys have been replaced, without supplying the secret values that are used to generate those public keys. In addition, our models also capture the group-changing attack [18] in the notion of ring signatures.

Secondly, we analyze a seemingly secure generic construction of certificateless ring signatures. A generic construction of certificateless signatures was first proposed by Yum and Lee [26] and was shown to be insecure in [14]. Hu et al. [14] also presented a secure generic construction of certificateless signatures. Using methods similar to those in [14], one can obtain a generic construction of certificateless ring signatures. However, as we show later, the resulting construction is totally insecure against the key replacement attack.

Lastly, we present a concrete construction of certificateless ring signatures. The new scheme uses the bilinear pairing on elliptic curves; concretely, the signing phase requires 2 pairings and verification requires 3 pairings. We prove its security in the random oracle model under the assumption that the Computational Diffie-Hellman problem is intractable.

Organization.
The rest of the paper is organized as follows. Section 2 reviews related work and Section 3 the preliminaries required in this paper. Section 4 defines the security models for certificateless ring signatures. We analyze a generic construction of certificateless ring signatures and show its insecurity in Section 5. The concrete certificateless ring signature scheme is proposed in Section 6, and its security analysis is given in Section 7. Section 8 concludes the paper.

2 Related Work

Following the prior work of Rivest, Shamir and Tauman [22], a number of constructions of ring signature in traditional PKC and ID-PKC have been presented. Abe, Ohkubo, and Suzuki [1] provided a construction applicable for several categories of public keys (e.g., integer factoring based and discrete-log based). A simple ring signature using bilinear maps was given in [4]. Herranz and Saez [12] generalized the forking lemma to the ring signatures. In [27], Zhang and Kim extended the concept to Identity-Based ring signature (IDRS) schemes. Some ring signature schemes with constant-size were also presented in [10, 21].

In terms of security models for provably secure ring signature schemes, there are three models commonly used. They provide different security levels. The first and the weakest model was introduced by Rivest et al. [22]. Later Abe et al. [1] proposed a very strong model. Finally, Liu and Wong [18] presented a model whose security level is considered to be lying in between the two foregoing models. We mainly use the ideas of constructing IDRS schemes in [13], and the security models of ring signatures in [18] in this paper.
CL-PKC has seen many results since its introduction [2, 6, 7, 11, 25, 30, 31]. Al-Riyami and Paterson [2] presented the first certificateless signature (CLS) scheme. Since then, several CLS schemes [14, 16, 19, 20, 24, 26, 32, 35] have been proposed. In [15], Huang et al. defined a security model for CLS schemes. Zhang et al. [35] improved the security model of CLS schemes and presented a secure CLS scheme. Generic ways to construct CLS schemes were investigated in [26, 14]. In [16], a certificateless proxy signature scheme was proposed. Work on certificateless ring signatures was done by Chow and Yap [8]. The security of their scheme is based on the hardness of the -CAA problem and the Modified Inverse Computational Diffie-Hellman problem, and is proved in a weak model that requires a Type I adversary to submit the secret values corresponding to the replaced public keys to the challenger in the sign queries. The computational cost of their scheme involves a large number of pairing operations, which increases linearly with the number of group members.

3 Preliminaries

In this section, we review the background required in this paper.

3.1 Bilinear Pairings and Computational Problems

Let be an additive group of prime order and be a multiplicative group of the same order. Let P denote a generator of . A mapping is called a bilinear mapping if it satisfies the following properties:

  1. Bilinear: for all .

  2. Non-degeneracy: There exists such that .

  3. Computable: There exists an efficient algorithm to compute for any .

For a group G of prime order, we denote the set , where is the identity element of the group.

Discrete Logarithm (DL) Problem: Given a generator of a cyclic additive group with order , and to find an integer such that .

Computational Diffie-Hellman (CDH) Problem: Given a generator of a cyclic additive group with order , and given for unknown ; to compute .

3.2 The Concept of Certificateless Ring Signature Schemes

A CL-Ring scheme is defined by seven algorithms: Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key, Ring-Sign and Verify. The description of each algorithm is as follows.

  • Setup: This algorithm is run by the KGC. It takes as input a security parameter and produces a masterkey and a list of system parameters param.

  • Partial-Private-Key-Extract: This algorithm is run by the KGC. It takes as input a user’s identity , a parameter list param and a masterkey and produces the user’s partial private key .

  • Set-Secret-Value: This algorithm takes as input a parameter list param and a user’s identity to produce the user’s secret value .

  • Set-Private-Key: This algorithm takes as input a parameter list param, a user’s identity , the user’s partial private key and secret value to produce a private signing key for this user.

  • Set-Public-Key: This algorithm takes as input a parameter list param, a user’s identity and secret value to produce a public key for the user.

  • Ring-Sign: This algorithm takes as input a message from the message space, a set of n group members whose identities form the set and whose corresponding public keys form the set , a parameter list param and a signer’s signing key to produce a ring signature . Here is the -th group member’s private key.

  • Verify: This algorithm takes as input a message , a ring signature , a parameter list param, the set of the group members’ identities and the set of the corresponding public keys of the group members to output if the signature is correct, or otherwise.

4 Security Models of Certificateless Ring Signature Schemes

There are two types of adversaries in a certificateless system, the Type I adversary and the Type II adversary. A Type I adversary models an outsider (anyone except the KGC) who can replace a user’s public key with a value of his own choice but is given neither that user’s partial private key nor the system’s masterkey. A Type II adversary models a malicious KGC: it has access to the masterkey but cannot replace public keys.

Combining the security notions of certificateless public key cryptography and traditional ring signature schemes, we define the security of a CL-Ring scheme via the following two games between a challenger and an adversary or .

Game 1: Unforgeability of CL-Ring against Type I Adversary

Setup: runs the Setup algorithm, which takes as input a security parameter and outputs a masterkey and the system parameters param. then sends param to the adversary while keeping the masterkey secret. In addition, maintains three lists where

  • is used to record the identities which have been chosen by in the Partial-Private-Key Queries.

  • is used to record the identities whose public keys have been replaced by .

  • is used to record the identities which have been chosen by in the Private-Key Queries.

All these three lists are the empty set at the beginning of the game.

Training: The adversary can adaptively issue a polynomially bounded number of queries as defined below:

  • Partial-Private-Key Queries : can request the partial private key of any user whose identity is . In response,

    1. first resets .

    2. then runs the algorithm Partial-Private-Key-Extract and outputs the partial private key .

  • Public-Key Queries : can request the public key of a user whose identity is . In response,

    1. first runs the algorithm Set-Secret-Value and obtains the secret value .

    2. then runs the algorithm Set-Public-Key and obtains the public key . outputs the public key as the answer.

  • Public-Key-Replacement Queries : For any user whose identity is , can choose a new public key . then sets as the new public key of this user and submits () to . On receiving a query , resets and updates the public key of this user to the new value .

  • Private-Key Queries : can request the private key of a user whose identity is . In respond,

    1. first checks the set . If (that is, the public key of the user has been replaced), will return the symbol which means cannot output the private key of an identity whose public key has been replaced.

    2. Otherwise, and resets . then runs the algorithm Set-Private-Key and outputs the private key .

  • Ring-Sign Queries : can request a ring signature on a message on behalf of a group whose identities are listed in the set and whose corresponding public keys are in the set . In response, outputs a ring signature for the message . It is required that the algorithm Verify will output for the input .

Forgery: Finally, outputs a tuple as the forgery. We say wins the game if the forgery satisfies all the following requirements:

  1. The algorithm Verify outputs for the input .

  2. and .

  3. has never been queried during the Ring-Sign Queries.

Game 2: Unforgeability of CL-Ring against Type II Adversary

Setup: runs the Setup algorithm, takes as input a security parameter to obtain the system parameter list param and also the system’s masterkey. then sends param and masterkey to the adversary . will maintain two lists where

  • is used to record the identities whose public keys have been replaced by .

  • is used to record the identities which have been chosen by in the Private-Key Queries.

Both lists are empty at the beginning of the game.

Training: As in Game 1, the Type II adversary can issue a polynomially bounded number of Public-Key Queries, Private-Key Queries, Public-Key-Replacement Queries and Ring-Sign Queries, and answers them exactly as in Game 1. Note that the Type II adversary does not need Partial-Private-Key Queries, since it already knows the system’s masterkey and can compute any partial private key itself.

Forgery: Finally, outputs a tuple as the forgery. We say wins the game if the forgery satisfies all the following requirements:

  1. The algorithm Verify outputs for the input .

  2. and .

  3. has never been queried during the Ring-Sign Queries.

Definition 4.1

A CL-Ring scheme is existentially unforgeable under adaptively chosen-message attack iff the success probability of any polynomially bounded adversary in the above two games is negligible.

Definition 4.2

A CL-Ring scheme is said to have unconditional signer anonymity if, for any group of users whose identities form the set and whose corresponding public keys form the set , any message and any ring signature , any verifier cannot identify the actual signer with probability better than a random guess. That is, the verifier can only output the actual signer with probability no better than ( when the verifier is itself in the signers’ ring).

5 Analysis of A Generic Construction of CL-Ring

In [26], Yum and Lee presented a generic way to construct a certificateless signature scheme. However, Hu et al. [14] pointed out that their construction is flawed and proposed a new one. It seems at first glance that the methods in [14] can also be used to obtain a generic construction of CL-Ring signatures. However, as we will show later, the resulting scheme is not secure in our security model defined in Section 4.

5.1 A Generic Construction of CL-Ring

Let - be a traditional public key-based ring signature scheme which is existentially unforgeable under adaptively chosen-message attack. takes a security parameter as input and generates a public/secret pair ; - takes a private signing key, a set of public keys and a message as inputs, and generates a ring signature ; and is the corresponding ring signature verification algorithm.

Let - be an identity-based ring signature scheme that is existentially unforgeable under adaptively chosen-message and identities attacks. takes a security parameter as input and generates a master secret key masterkey and a list of system parameters param; is an identity-based secret key generation algorithm which takes masterkey and an identity and generates a secret key denoted by ; - takes a private signing key, a set of identities and a message as inputs, and generates an identity-based ring signature denoted by ; and is the corresponding ring signature verification algorithm.

As defined in Section 3.2, a CL-Ring signature scheme consists of seven algorithms. Using methods similar to those in [14], we obtain the generic construction of CL-Ring described in Fig. 1.

Figure 1: A Generic Construction of CL-Ring

5.2 Security Analysis of the Generic Construction

In this section, we will show that the generic construction described in Fig 1 is not secure under the definition in Section 4.

We first show that a Type I adversary can forge a valid ring signature on any message . The attack proceeds as follows:

  • first chooses identities and sets

  • As defined in the Game 1 in Section 4, then issues Public-Key queries to obtain the corresponding public keys .

  • runs the algorithm Set-Secret-Value to generate a secret value for the user . It also runs the algorithm Set-Public-Key to obtain a public key . Finally, it replaces ’s public key with and sets

  • then submits a partial private key query for an identity and obtains the partial private key , with the only requirement that .

  • For any message , sets and uses to compute

  • It then sets and uses to compute

  • outputs as the forgery.

As we can see, the forgery is a valid ring signature on the message under the identities and public keys chosen above, because the adversary ran every algorithm exactly as specified by the generic construction in Section 5.1. We note that this is a strong attack in the class of no-message attacks: no signing oracle is required.

The generic construction of Section 5.1 only guarantees that the signer of a valid ring signature possesses the secret value of some user and the partial private key of some (possibly different) user, instead of proving that the signer knows the full private key of a single user (i.e., both components for the same identity). This is why a Type I adversary can forge a valid signature on any message. How to give a provably secure generic construction of certificateless ring signatures remains an open problem.
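To make the failure concrete, here is a runnable model of the construction and of the attack above. It is an added example, not code from the paper, and its components are stand-ins chosen so that it runs offline without a pairing library: both halves are AOS discrete-log ring signatures [1] over a randomly generated 64-bit safe-prime Schnorr group (demonstration size only), and the identity-based half uses Galindo-Garcia-style identity keys, in which the KGC issues d = r + s·H(R, ID) and anyone recomputes the member's identity key g^d = R·mpk^H(R, ID) from (R, ID, mpk). The signer attaches one R value per ring member, its own for the actual signer and a fresh group element for the others. None of this is the pairing-based scheme of Section 6, and all function and variable names are the example's own. What the code exhibits is exactly the point made above: Verify checks the two component ring signatures independently, so an adversary who replaces one member's public key (and therefore knows its secret value) and extracts a different member's partial private key can sign one half as each of the two members and still pass.

```python
# Toy model of the generic CL-Ring construction (Section 5.1) and the Type I forgery of
# Section 5.2.  Added example, not the paper's code.  Stand-ins: AOS discrete-log ring
# signatures [1] over a 64-bit safe-prime Schnorr group and Galindo-Garcia-style identity keys.
import hashlib, secrets
BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]  # Miller-Rabin bases, exact below 3e23

def is_prime(n):
    if n < 2 or any(n % a == 0 for a in BASES):
        return n in BASES
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2^r with d odd
    d = (n - 1) >> r
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def schnorr_group(bits=64):  # (p, q, g): p = 2q + 1 prime; g = 4 is a square, so its order is exactly q
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def H(q, *parts):  # random-oracle stand-in: hash the parts into Z_q
    h = hashlib.sha256()
    for part in parts:
        h.update(repr(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % q

def ring_sign(grp, pubs, idx, secret, msg):
    """AOS ring signature by member idx, who knows pubs[idx] = g^secret."""
    p, q, g = grp
    n, L = len(pubs), tuple(pubs)
    c, z = [0] * n, [0] * n
    alpha = secrets.randbelow(q - 1) + 1
    c[(idx + 1) % n] = H(q, L, msg, pow(g, alpha, p))
    i = (idx + 1) % n
    while i != idx:  # non-signers get random z_i; the ring closes back at idx
        z[i] = secrets.randbelow(q)
        c[(i + 1) % n] = H(q, L, msg, pow(g, z[i], p) * pow(pubs[i], c[i], p) % p)
        i = (i + 1) % n
    z[idx] = (alpha - c[idx] * secret) % q  # the only step that needs a secret
    return c[0], z

def ring_verify(grp, pubs, msg, sig):
    p, q, g = grp
    c = c0 = sig[0]
    for y, zi in zip(pubs, sig[1]):
        c = H(q, tuple(pubs), msg, pow(g, zi, p) * pow(y, c, p) % p)
    return c == c0

def kgc_setup(grp):  # Setup: masterkey s and mpk = g^s
    msk = secrets.randbelow(grp[1] - 1) + 1
    return msk, pow(grp[2], msk, grp[0])
def partial_private_key(grp, msk, ident):
    """Partial-Private-Key-Extract, Galindo-Garcia style: (d, R) with g^d = R * mpk^H(R, ID)."""
    p, q, g = grp
    r = secrets.randbelow(q - 1) + 1
    R = pow(g, r, p)
    return (r + msk * H(q, R, ident)) % q, R

def identity_key(grp, mpk, ident, R):  # anyone recomputes g^d from (R, ID, mpk)
    return R * pow(mpk, H(grp[1], R, ident), grp[0]) % grp[0]

def compose(grp, mpk, idents, pubs, pk_signer, secret_value, id_signer, partial_key, msg):
    """Ring-Sign of the generic construction: independent ring signatures under the public keys and the identity keys."""
    p, q, g = grp
    d, R = partial_key
    Rs = [R if i == id_signer else pow(g, secrets.randbelow(q), p) for i in range(len(idents))]
    idkeys = [identity_key(grp, mpk, ident, Ri) for ident, Ri in zip(idents, Rs)]
    return Rs, ring_sign(grp, pubs, pk_signer, secret_value, msg), ring_sign(grp, idkeys, id_signer, d, msg)

def cl_ring_verify(grp, mpk, idents, pubs, msg, sig):
    """Verify of the generic construction: each half is checked on its own; nothing ties them to one member."""
    Rs, sig_pk, sig_id = sig
    idkeys = [identity_key(grp, mpk, ident, R) for ident, R in zip(idents, Rs)]
    return ring_verify(grp, pubs, msg, sig_pk) and ring_verify(grp, idkeys, msg, sig_id)

def demo():  # -> (honest signature verifies, Type I forgery verifies, tampered forgery verifies)
    grp = schnorr_group()
    p, q, g = grp
    msk, mpk = kgc_setup(grp)
    idents = ["alice@example.org", "bob@example.org", "carol@example.org"]  # constructed ring
    xs = [secrets.randbelow(q - 1) + 1 for _ in idents]  # Set-Secret-Value
    pubs = [pow(g, x, p) for x in xs]                     # Set-Public-Key
    msg = b"transfer 10 units to account 42"              # constructed sample message
    honest = compose(grp, mpk, idents, pubs, 2, xs[2], 2, partial_private_key(grp, msk, idents[2]), msg)
    # Type I adversary: replace alice's key with one whose secret value it knows, extract bob's
    # partial key (legal, bob's key is untouched), sign the PK half as alice and the ID half as bob.
    x_adv = secrets.randbelow(q - 1) + 1
    pubs_adv = [pow(g, x_adv, p)] + pubs[1:]              # Public-Key-Replacement on alice
    forged = compose(grp, mpk, idents, pubs_adv, 0, x_adv, 1, partial_private_key(grp, msk, idents[1]), msg)
    return (cl_ring_verify(grp, mpk, idents, pubs, msg, honest),
            cl_ring_verify(grp, mpk, idents, pubs_adv, msg, forged),
            cl_ring_verify(grp, mpk, idents, pubs_adv, msg + b"!", forged))
```

demo() returns (True, True, False): the honest signature verifies, the Type I forgery verifies against the ring containing the replaced key, and the forgery is rejected once the message is altered. Any repair has to bind the two components to the same member; the concrete scheme of Section 6 sidesteps the problem by signing with a single private key that Set-Private-Key derives from both the partial private key and the secret value, rather than with two independent keys.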

6 A Concrete Certificateless Ring Signature Scheme

In this section, we will give the concrete construction of certificateless ring signature.

6.1 Description of Our CL-Ring Scheme

Our CL-Ring scheme consists of the following concrete algorithms:

  • Setup: Given a security parameter , the algorithm works as follows.

    1. Specify , as described in Section 3.1.

    2. Arbitrarily choose a generator and set .

    3. Choose a random masterkey and set .

    4. Choose cryptographic hash functions , and .

    The system parameters param=(). The message space is .

  • Partial-Private-Key-Extract: This algorithm accepts param, masterkey and a user’s identity to output the user’s partial private key . Where .

  • Set-Secret-Value: Given param, this algorithm selects a random as the user’s (whose identity is ) secret value.

  • Set-Private-Key: This algorithm takes as input param, a user’s identity , the user’s partial private key and the user’s secret value . The output of the algorithm is the user’s private key .

  • Set-Public-Key: This algorithm accepts param, a user’s identity and his secret value to produce the user’s public key .

  • Ring-Sign: Suppose there is a group of n users whose identities form the set , and their corresponding public keys form the set . To sign a message on behalf of the group, the actual signer, indexed by s and using the private key , performs the following steps.

    1. For each , select uniformly at random, compute .

    2. Compute for all .

    3. Choose random , compute , . If or for some , then redo this step.

    4. Compute .

    5. Compute .

    6. Output the ring signature on as .

  • Verify: To verify a ring signature on a message with identities in and corresponding public keys in , the verifier performs the following steps.

    1. Compute for all , compute .

    2. Verify holds with equality.

    3. Accept the ring signature as valid and output if the above equation holds, otherwise, output .

6.2 Efficiency

We only consider the costly operations including the pairing operation (Pairing), scalar multiplication in ( SM), exponentiation in ( E) and MapToPoint hash operation [31] (Hash). The numbers of these operations in our scheme are shown in Table 1.

Table 1. Efficiency

          Pairing   SM      E    Hash
Sign      2         2n+3    n    n+1
Verify    3         2n      0    n+1
Total     5         4n+3    n    2n+2

The pairing operation is the most time-consuming. Our CL-Ring scheme requires only 5 pairing operations in total, independent of the group size.

7 Analysis of the Proposed CL-Ring Scheme

In this section, we will analyze our proposed scheme in detail.

7.1 Correctness

The correctness of the proposed scheme can be easily verified with the following:

7.2 Unconditional Anonymity

Let be a valid ring signature of a message on behalf of a group of members specified by identities in and public keys in . Since all the are randomly generated, all

are also uniformly distributed. The randomness of

chosen by the signer implies is also uniformly distributed. So in the signature reveals no information about the signer.
It remains to consider whether leaks information about the actual signer. From the construction of , it is obvious to see that . To identify whether is the identity of the actual signer, the only way is to check . Namely, . If is the identity of the actual signer, it should hold

It remains to check

However, we have for each

where , and is the identity of the actual signer. This fact shows that in the signature does not leak any information about the identity of the actual signer. And hence, the unconditional anonymity of our CL-Ring scheme is proved.

7.3 Unforgeability

Assuming that the CDH problem is hard, we now show the unforgeability of our CL-Ring scheme.

Theorem 7.1

In the random oracle model [3], if can win the Game 1, with an advantage within a time span for a security parameter ; and asking at most Partial-Private-Key queries, at most Public-Key queries, at most Private-Key queries, at most queries, at most queries, at most queries, Ring-Sign queries. Then the CDH problem in can be solved within time and with probability where n is the ring scale, is defined as the number of -permutations of elements i.e. , (resp. and ) is the time cost of an (resp. , Partial-Private-Key, Public-Key, Private-Key and Ring-Sign) query.

Please refer to Appendix A.

Theorem 7.2

In the random oracle model, if can win the Game 2, with an advantage within a time span for a security parameter ; and asking at most Public-Key queries, at most Private-Key queries, at most queries, at most queries, at most queries, at most Ring-Sign queries. Then the CDH problem in can be solved within time and with probability .

Please refer to Appendix B.

8 Conclusion

In this paper, we proposed a concrete certificateless ring signature scheme from bilinear pairings and formalized security models for certificateless ring signatures. The models capture the adversaries that arise in certificateless systems and in ring signatures. In the random oracle model, the unforgeability of our scheme rests on the hardness of the Computational Diffie-Hellman problem. The number of pairing computations in our scheme is constant and does not grow with the number of group members.

References

  • [1] M. Abe, M. Ohkubo, and K. Suzuki. 1-out-of-n signatures from a variety of keys. ASIACRYPT 2002, Lecture Notes in Computer Science, vol. 2501, pages 415-432, Springer-Verlag, 2002.
  • [2] S. Al-Riyami and K. Paterson. Certificateless public key cryptography. ASIACRYPT 2003, Lecture Notes in Computer Science, vol. 2894, pages 452-473, Springer-Verlag, 2003.
  • [3] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. ACM CCS 1993, pages 62-73, 1993.
  • [4] D. Boneh, C. Gentry, B. Lynn and H. Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. EUROCRYPT 2003, Lecture Notes in Computer Science, vol. 2656, pages 416-432, Springer-Verlag, 2003.
  • [5] E. Bresson, J. Stern, and M. Szydlo. Threshold ring signature and applications to ad-hoc groups. CRYPTO 2002, Lecture Notes in Computer Science, vol. 2442, pages 465-480, Springer-Verlag, 2002.
  • [6] W. Chen, L. Zhang, B. Qin, Q. Wu and H. Zhang. Certificateless one-way authenticated two-party key agreement protocol. Fifth International Conference on Information Assurance and Security (IAS 09), IEEE, pages 483-486, 2009.
  • [7] L. Chen, L. Zhang, B. Qin, Q. Wu and H. Zhang. Cryptanalysis of a certificateless encryption scheme. 2010 International Conference on Computer Design and Applications (ICCDA 2010), IEEE, pages V5-536 - V5-539, 2010.
  • [8] S. Chow and W. Yap. Certificateless ring signatures. Cryptology ePrint Archive, Report 2007/236, 2007.
  • [9] F. Dai, M. Luo, Y. Zhang, L. Zhang and Y. Sun. A fault-tolerant batch verification scheme for cloud assisted VANETs. 2nd International Conference on Applied Mechanics, Electronics and Mechatronics Engineering (AMEME 2017), pages 337-342, 2017.
  • [10] Y. Dodis, A. Kiayias, A. Nicolosi, and V. Shoup. Anonymous identification in ad hoc groups. EUROCRYPT 2004, Lecture Notes in Computer Science, vol. 3027, pages 609-626, Springer-Verlag, 2004.
  • [11] Z. Dong, L. Zhang and J. Li. Security enhanced anonymous remote user authentication and key agreement for cloud computing. 17th International Conference on Computational Science and Engineering (CSE 2014), IEEE, pages 1746-1751, 2014.
  • [12] J. Herranz and G. Saez. Forking lemmas for ring signature schemes. INDOCRYPT 2003, Lecture Notes in Computer Science, vol. 2904, pages 266-279, Springer-Verlag, 2003.
  • [13] J. Herranz and G. Saez. New identity-based ring signature schemes. ICICS 2004, Lecture Notes in Computer Science, vol. 3269, pages 27-39, Springer-Verlag, 2004.
  • [14] B. Hu, D. Wong, Z. Zhang and X. Deng. Key replacement attack against a generic construction of certificateless signature. ACISP 2006, Lecture Notes in Computer Science, vol. 4058, pages 235-346, Springer-Verlag, 2006.
  • [15] X. Huang, W. Susilo, Y. Mu and F. Zhang. On the security of a certificateless signature scheme. CANS 2005, Lecture Notes in Computer Science, vol. 3810, pages 13-25, Springer-Verlag, 2005.
  • [16] X. Li, K. Chen and L. Sun. Certificateless signature and proxy signature schemes from bilinear pairings. Lithuanian Mathematical Journal, vol. 45, pages 76-83, Springer-Verlag, 2005.
  • [17] B. Liu and L. Zhang. An improved identity-based batch verification scheme for VANETs. 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS 2013), IEEE, pages 809-814, 2013.
  • [18] J. Liu and D. Wong. On the security models of (threshold) ring signature schemes. ICISC 2004, Lecture Notes in Computer Science, vol. 3506, pages 204-217, Springer-Verlag, 2005.
  • [19] S. Miao, F. Zhang and L. Zhang. On the security of a certificateless signature scheme. 2nd International Conference on Signal Processing Systems (ICSPS 2010), IEEE, pages V2-457 - V2-461, 2010.
  • [20] S. Miao, F. Zhang and L. Zhang. Cryptanalysis of a certificateless multi-receiver signcryption scheme. 2010 International Conference on Multimedia Information Networking and Security (MINES 2010), IEEE, pages 593-597, 2010.
  • [21] L. Nguyen. Accumulators from bilinear pairings and applications. CT-RSA 2005, Lecture Notes in Computer Science, vol. 3376, pages 275-292, Springer-Verlag, 2005.
  • [22] R. Rivest, A. Shamir and Y. Tauman. How to leak a secret. ASIACRYPT 2001, Lecture Notes in Computer Science, vol. 2248, pages 552-565, Springer-Verlag, 2001.
  • [23] A. Shamir. Identity based cryptosystems and signature schemes. CRYPTO 1984, Lecture Notes in Computer Science, vol. 196, pages 47-53, Springer-Verlag, 1984.
  • [24] W. Yap, S. Heng, and B. Goi. An efficient certificateless signature scheme. EUC Workshops 2006, Lecture Notes in Computer Science, vol. 4097, pages 322-331, Springer-Verlag, 2006.
  • [25] H. Yuan, F. Zhang, X. Huang, Y. Mu, W. Susilo and L. Zhang. Certificateless threshold signature scheme from bilinear pairings. Information Sciences, 180(23), pages 4714-4728, 2010.
  • [26] D. Yum and P. Lee. Generic construction of certificateless signature. ACISP 2004, Lecture Notes in Computer Science, vol. 3108, pages 200-211, Springer-Verlag, 2004.
  • [27] F. Zhang and K. Kim. ID-based blind signature and ring signature from pairings. ASIACRYPT 2002, Lecture Notes in Computer Science, vol. 2501, pages 533-547, Springer-Verlag, 2002.
  • [28] L. Zhang and F. Zhang. Security model for certificateless aggregate signature schemes. 2008 International Conference on Computational Intelligence and Security (CIS 2008), IEEE, pages 364-368, 2008.
  • [29] L. Zhang, B. Qin, Q. Wu and F. Zhang. Novel efficient certificateless aggregate signatures. The 18th Symposium on Applied Algebra, Algebraic Algorithms, and Error-Correcting Codes (AAECC 2009), Lecture Notes in Computer Science, vol. 5527, pages 235-238, Springer-Verlag, 2009.
  • [30] L. Zhang and F. Zhang. A new certificateless aggregate signature scheme. Computer Communications, 32(6), pages 1079-1085, 2009.
  • [31] L. Zhang, B. Qin, Q. Wu and F. Zhang. Efficient many-to-one authentication with certificateless aggregate signatures. Computer Networks, 54(14), pages 2482-2491, 2010.
  • [32] L. Zhang, Q. Wu, J. Domingo-Ferrer and B. Qin. Hierarchical certificateless signatures. 2010 IEEE/IFIP 8th International Conference on Embedded and Ubiquitous Computing (EUC), IEEE, pages 572-577, 2010.
  • [33] L. Zhang and F. Zhang. A new provably secure certificateless signature scheme. 2008 IEEE International Conference on Communications (ICC 2008), IEEE, pages 1685-1689, 2008.
  • [34] L. Zhang, F. Zhang and W. Wu. A provably secure ring signature scheme in certificateless cryptography. ProvSec 2007, Lecture Notes in Computer Science, vol. 4784, pages 103-121, Springer-Verlag, 2007.
  • [35] Z. Zhang, D. Wong, J. Xu and D. Feng. Certificateless public-key signature: security model and efficient construction. ACNS 2006, Lecture Notes in Computer Science, vol. 3989, pages 293-308, Springer-Verlag, 2006.

Appendix A Proof of Theorem 7.1

Proof. Let be a CDH attacker, be a type I adversary of our CL-Ring scheme who interacts with following Game 1 and can forge a valid ring signature. Suppose receives a random instance of the CDH problem in . We show how can use to solve the CDH problem, i.e. to compute .

Setup: first sets and selects param=, then sends param to . We take hash functions and as random oracles.

Training: can ask , Partial-Private-Key, Public-Key, Private-Key, Public-Key-Replacement and Ring-Sign queries. In order to maintain consistency and avoid conflicts, keeps four lists , , , and K to store the answers used, where includes items of the form , includes items of the form , includes items of the form , and K includes items of the form . All four lists are initially empty. also maintains three lists ; the functions of these three lists are the same as those described for Game 1 in Section 4.

Queries: On receiving a query , does as follows.

  1. If there exists an item in , then returns as answer.

  2. Otherwise, first flips a coin that yields 0 with probability and 1 with probability ( will be determined later), then picks a random element (one that has not been used before) in . If , computes ; otherwise ( ), it computes . then adds to and returns as answer.

Queries: On receiving a query , first checks if there exists an item in ; if so, returns as answer. Otherwise, picks a random which has not been used in the answers to previous Queries, then returns as answer and adds to .

Queries: On receiving a query , first checks if there exists an item in ; if so, returns as answer. Otherwise, first flips a coin that yields 0 with probability and 1 with probability , then picks a random which has not been used in the answers to previous Queries. If , computes ; if , computes . In both cases, adds to and returns as answer.

Partial-Private-Key Queries: Whenever receives a query

  1. If there exists an item in K, does the following:

    1. If , returns as answer.

    2. Else, if there is an item in , sets and returns as answer when ; if , aborts.

    3. Otherwise, first makes an query to obtain an item . If , aborts; if , sets and returns as answer.

  2. Otherwise does the following:

    1. If there exists an item in , sets , computes , sets , adds to K and returns as answer when ; if , aborts.

    2. Otherwise, first makes an query to obtain an item in , then proceeds as in (a).

Public-Key Queries: Whenever receives a query

  1. If there exists an item in K, does the following:

    1. If , returns as answer;

    2. Otherwise, first flips a coin that yields 0 with probability and 1 with probability , then picks a random . If , sets ; otherwise ( ), it computes . then updates with the new values and returns as answer.

  2. Otherwise, first flips a coin that yields 0 with probability and 1 with probability , then picks a random . If , sets ; otherwise ( ), it computes . then sets , returns as answer and adds to K.

Public-Key-Replacement Queries: On receiving a query ( sets ), first makes a query to obtain an item , then sets , , and updates the item