1 Introduction
Certificateless cryptography, introduced in 2003 by Alriyami and Paterson [1], can be considered as an intermediate solution to overcome the issues in traditional public key infrastructure (PKI) and identitybased public key cryptography (IDPKC) [2]. Whereas a trusted authority is needed in traditional PKI to bind the identity of an entity to his public key, IDPKC requires a trusted private key generator to generate the private keys of users based on their identities. Therefore, the certificate management problem in the publickey setting is actually replaced by the key escrow problem. In certificateless cryptography, the users’ private keys are still generated with the help of a third party, called the key generation center (KGC). However, the KGC doesn’t have access to the final private keys generated by the users themselves (based on some private information obtained from the KGC and some secret values chosen by the users). The public key of a user is computed from the KGC’s public parameters and some information, private to the user, and is published by the user himself.
Regarding the security of a certificateless cryptographic scheme, two types of adversaries are considered in the literature: a Type 1 adversary who simulates malicious ordinary users and a Type 2 Adversary who simulates a malicious KGC in a certificateless cryptographic scheme. To perform these simulations, is allowed to replace the public key of entities with other values of its choice and is allowed to get access to the master secret key.
The first certificateless signature (CLS) scheme was proposed in [1] by AlRiyami and Paterson. After this seminal work, a vast number of certificateless signature schemes were proposed such as ordinary CLS schemes [1, 3, 4, 5, 6, 7, 8, 9, 10], certificateless proxy signature schemes [11, 12, 13, 14], certificateless aggregate signature schemes [4, 15, 16, 17, 18, 19, 20], certificateless signature schemes with designated tester [21, 22], certificateless threshold signature schemes [23, 24, 25], certificateless ring signature schemes [26, 27], and etc. However, due to their heavy computational costs, most of these schemes can not be applied in limited resources environments such as Internet of Things (IoT) and Healthcare Wireless Sensor Networks (HWSN). As a consequence, new efforts have been put forth to construct lightweight cryptographic schemes in certificateless setting in order to be applicable in limited resources environments. In this regard, recently, two lightweight certificateless signature schemes have been proposed by Karati et al. [3] and Kumar et al. [4]. The authors of both papers claimed that their proposed CLS schemes are existentially unforgeable. However, in this paper, we disprove their claims and show that the CLS schemes of [3] and [4] are both insecure. This is done by showing that:

In Karati et al.’s CLS scheme, a type 1 adversary of certificateless cryptography is able to generate a valid partial private key corresponding to any identity of its choice and then uses this generated partial private key to forge the signature of the corresponding user on any message of its choice.

In Kumar et al.’s CLS scheme, both types of adversaries, considered in certificateless cryptography, are able to violate the unforgeability of the scheme. More precisely, 1) a type 1 adversary is able to forge any signer’s signature on any message in this scheme as soon as it gets access to a pair of message and its corresponding signature of that signer, and 2) a type 2 adversary is able to forge each user’s signature on any message in this scheme (without even requiring to see a signature of that signer).
The rest of this paper is organized as follows. In Section 2, we provide the framework and the security definition of CLS schemes. In Section 3, after reviewing the CLS scheme of [3], we provide the proof of its insecurity. Then, the CLS scheme of Kumar et al. [4] and analysis of its security are reviewed in Section 4. Finally, the conclusions are provided in Section 5.
2 Certificateless signature schemes
In this section, we provide the framework and the security definition of Certificateless signature schemes.
2.1 The framework
There exist three entities in a CLS scheme: a key generation center (KGC) which helps users to generate their private keys, a signer, and a verifier. A CLS scheme consists of six algorithms: Setup, SetPartialPrivateKey, SetSecretValue, SetPublicKey, CLSSign and CLSVerify. The details of these algorithms are described in the following:
Setup: Performed by .

Input: The security parameter .

Process:

Generates the master secret key , and the public parameters .


Output: The master secret key which will be secured by KGC and the public parameters which are published.
SetPartialPrivateKey: Performed by .

Input: , and a user’s identity .

Process:

Computes a partial private key corresponding to this user.


Output: Partial private key which will be sent securely to the user with identity .
SetPrivateKey: Performed by a user .

Input: and ’s partial private key .

Process:

Generates a secret value and computes the private key by using it and .


Output: which will be secured by the user .
SetPublicKey: Performed by a user .

Input: and ’s private key .

Process:

Computes the public key .


Output: which will be published.
CLSSign: Performed by the user .

Input: , the user’s identity and his private key , and a message .

Process:

Generates a signature on the message .


Output: as the signature on .
CLSVerify: Performed by the verifier.

Input: , signer’s identity and his public key , message and a signature .

Process:

Checks the validity of .


Output: VALID if is a valid signature on and INVALID otherwise.
2.2 Security model
To call a CLS scheme secure, it should provide existentially unforgeability against adaptive chosenmessage and identity attacks in the adversarial model of certificateless cryptography which consists of the following two types of adversaries:

A type1 adversary (), that has not access to the master secret key but can replace any signer’s public key with any value of its choice.

A type2 Adversary (), that has access to the master secret key but cannot replace public keys.
The security of a CLS scheme is modeled through the following two games played between a challenger and adversaries or .
Game 1: This game, played between and , consists of the following phases:

Setup: In this phase, generates the master secret key and the public parameters . It keeps secure and sends to .

Queries: In this phase, can perform a polynomially bounded number of the following queries and ’s answers to these queries are as follows:

RequestPartialPrivateKey (): inputting to this query, will get ’s partial private key as the output.

RequestSecretValue (): inputting to this query, will get ’s secret value as the output.

RequestPublicKey (): inputting to this query, will get ’s public key as the output.

ReplacePublicKey (): inputting and to this query, will be set as the public key corresponding to the user .

CLSign (): inputting and to this query, will get as the output which is a valid signature of on .


Output: Finally, when decides to end the queries phase, it outputs a signature on a message on behalf of a targeted user with identity . It wins the game if the following conditions are fulfilled:

The algorithm CLSVerify outputs VALID on inputs , , , , and where, is the public key corresponding to the user with identity .

The queries RequestPartialPrivateKey() and CLSign() weren’t queried in the queries phase.

Definition 1
A CLS scheme is Type1 secure against the adaptively chosenmessage and identity attack if the advantage of any polynomially bounded adversary in winning Game 1 be negligible.
Game 2: This game, played between and , consists of the following phases:

Setup: In this phase, generates the master secret key and the public parameters and sends them to .

Queries: In this phase, can perform a polynomially bounded number of queries as in Game 1 and answers them in the same way. The only constraint here is that is not allowed to replace any public keys. Note that knows and can compute the partial private key of any identity by itself.

Output: Finally, when decides to end the queries phase, it outputs a signature on a message on behalf of a targeted user with identity . It wins the game if the following conditions are fulfilled:

The algorithm CLSVerify outputs VALID on inputs , , , , and where, is the public key corresponding to the user with identity .

The queries RequestSecretValue() and CLSign() weren’t queried in the queries phase.

Definition 2
A CLS scheme is Type2 secure against the adaptively chosenmessage and identity attack if the advantage of any polynomially bounded adversary in winning Game 2 be negligible.
3 Karati et al.’s CLS scheme
In this section, we first review Karati et al.’s CLS scheme and then prove that it is completely insecure.
3.1 Review of the scheme
The CLS scheme of Karati et al. [3] consists of the following algorithms:
Setup: Performed by .

Input: The security parameter .

Process:

Generates two groups and with the same prime order and an efficient bilinear pairing .

Chooses a generator .

Chooses a cryptographic hash function .

Chooses a random as his master secret key.

Computes and .


Output: The master secret key which will be secured by KGC and the public parameters which will be published.
SetPartialPrivateKey: Performed by .

Input: , master secret key and a user’s identity .

Process:

Computes .

Chooses randomly and computes and .


Output: Partial private key which will be sent securely to the user with identity . After receiving from , the user considers genuine if:
(1)
SetPrivateKey: Performed by a user .

Input: and ’s partial private key .

Process:

Chooses randomly and sets .


Output: which will be secured by the user .
SetPublicKey: Performed by a user .

Input: , ’s partial private key and his private key .

Process:

Computes as the user’s public key.


Output: which will be published.
CLSSign: Performed by a user .

Input: , the user’s identity and his private key and a message .

Process:

Computes .

Chooses a random value and computes
(2) (3)


Output: as the signature on .
CLSVerify: Performed by the verifier.

Input: , ’s identity and his public key , message and a signature .

Process:

Computes .

Checks whether .


Output: VALID if the above equation holds and INVALID otherwise.
3.2 Cryptanalysis of the scheme
The authors of [3] claimed that their proposed scheme is a secure certificateless signature scheme. However, in this section, we disprove their claim. More specifically, we show that by accessing to a valid partial private key corresponding to any user, a valid partial private key corresponding to any other user can be generated. Thereupon, each user of this scheme can forge the signature of other users on any arbitrary message of his choice. This is formally stated and proved in the following theorem.
Theorem 1
Let with identity be an arbitrary user of Karati et al.’s scheme. Suppose that has access to a valid partial private key corresponding to . Then, is able to generate a valid partial private key corresponding to any other user with arbitrary identity and as a consequence, he is able to forge ’s signature on any message of his choice.
Proof. According to SetPartialPrivateKey algorithm of Karati et al.’s CLS scheme, the partial private key corresponding to with identity is a pair where, and in which is an unknown randomly chosen value, is the master secret key and . In the following, we show how is able to use ’s partial private key to generate a valid partial private key corresponding to any other user with arbitrary identity . To this end, :

Computes .

Computes . Note that the output of is a member of and therefore, exists in .

Computes and .

Sets as the partial private key corresponding to the user with identity .
Using the following relation, it can easily be verified that is a valid partial private key corresponding to the user with identity :
(4)  
(5)  
(6)  
(7)  
(8)  
(9)  
(10) 
where, equality (9) is obtained from the fact that is a valid partial private key generated by the and therefore,
(11) 
After computing ’s partial private key, can perform SetPrivateKey and SetPublickey (as explained in Katari et al.’s CLS scheme) instead of to compute a valid pair of private and public keys corresponding to . Now, using the private key of , can forge ’s signature through CLSSign algorithm on any message of its choice.
4 Kumar et al.’s CLS scheme
In this section, we first review Kumar et al.’s CLS scheme and then prove that their scheme is forgeable.
4.1 Review of the scheme
The CLS scheme of Kumar et al. [4] consists of the following algorithms:
Setup: Performed by .

Input: The security parameter .

Process:

Chooses two groups and with the same prime order and a generator in .

Chooses a bilinear map .

Chooses a random as the master secret key and sets .

Chooses cryptographic hash functions and .


Output: The master secret key which will be secured by and the system parameters which will be published.
SetPartialPrivateKey: Performed by .

Input: , master secret key and a user’s identity .

Process:

Computes .

Computes .


Output: Partial private key which will be sent securely to the user with identity .
SetPrivateKey: Performed by a user .

Input: and ’s identity .

Process:

Selects a random value as the ’s secret key.

Sets .


Output: which will be secured by the user .
SetPublicKey: Performed by a user .

Input: and ’s private key .

Process:

Computes as ’s public key.


Output: which will be published.
CLSSign: Performed by a user .

Input: , the signer’s identity , his public key , his private key , some state information and a message .

Process:

Chooses a random value and computes .

Computes and .

Computes .


Output: as the signature on under the state information .
CLSVerify: Performed by the verifier.

Input: , signer’s identity and his public key , message , some state information and a signature .

Process:

Computes , and .

Verifies .


Output: VALID if the above equation holds and INVALID otherwise.
4.2 Cryptanalysis of the scheme
Kumar et al. claimed that their scheme is existentially unforgeable against adaptive chosen message attacks. However, in this section, we disprove their claim. We prove the insecurity of Kumar et al.’s CLS scheme by the following theorems:
Theorem 2
Let be a signer with identity who uses Kumar et al.’s CLS scheme. Suppose that a type 1 adversary has access to a tuple , where is ’s signature on message under the state information . Then, is able to forge ’s signature on any new message under the same state information .
Proof. According to Kumar et al.’s CLSSign algorithm, the signature is as follows:
(12) 
where and is a random value that is unknown to . Now, in order to forge ’s signature on a new massage , :

Issues a RequestSecretValue query on the input of and obtains as the result.

Computes .

Uses , and to forge ’s signature on as follows:

Computes and .

Outputs as ’s signature on message .
It can be easily verified that the forged signature is valid.

Theorem 3
Let be a signer with identity who uses Kumar et al.’s CLS scheme. Then, a type 2 adversary is able to forge ’s signature on any message of its choice under any arbitrary state information .
Proof. To forge ’s signature on any arbitrary message , :

Chooses a random value and computes .

Computes and .

Outputs as ’s signature on message .
Note that acts as the malicious key generation center and has access to partial private keys. It can be easily verified that the forged signature is valid.
5 Conclusion
In this paper, the security of two recently proposed lightweight certificateless signature schemes is considered. We prove that in one of them, a type 1 adversary of certificateless cryptography can forge the signature of any user on any arbitrary message of his choice and in the other one, both considered types of adversaries in certificateless cryptography can forge valid signatures on behalf of any user on any message of their choices.
References
 [1] S. S. AlRiyami, K. G. Paterson, Certificateless public key cryptography, in: C.S. Laih (Ed.), Advances in Cryptology  ASIACRYPT 2003, Springer Berlin Heidelberg, Berlin, Heidelberg, 2003, pp. 452473.
 [2] A. Shamir, Identitybased cryptosystems and signature schemes, in: G. R. Blakley, D. Chaum (Eds.), Advances in Cryptology, Springer Berlin Heidelberg, Berlin, Heidelberg, 1985, pp. 4753.
 [3] A. Karati, S. H. Islam, M. Karuppiah, Provably secure and lightweight certificateless signature scheme for iiot environments, IEEE Transactions on Industrial Informatics PP (99) (2018) in press.
 [4] P. Kumar, S. Kumari, V. Sharma, A. K. Sangaiah, J.Wei, X. Li, A certificateless aggregate signature scheme for healthcare wireless sensor network, Sustainable Computing: Informatics and Systems, (2017) in press.
 [5] L. Pang, Y. Hu, Y. Liu, K. Xu, H. Li, Efficient and secure certificateless signature scheme in the standard model, International Journal of Communication Systems 30 (5) (2017) e3041n/a.
 [6] L. Wang, K. Chen, Y. Long, H. Wang, An efficient pairingfree certificateless signature scheme for resourcelimited systems, Science China Information Sciences 60 (11) (2016) 119102.
 [7] Y. Yuan, C. Wang, Certificateless signature scheme with security enhanced in the standard model, Information Processing Letters 114 (9) (2014) 492  499.
 [8] J. Zhang, J. Mao, An efficient rsabased certificateless signature scheme, Journal of Systems and Software 85 (3) (2012) 638  642.
 [9] X. Huang, Y. Mu, W. Susilo, D. S. Wong, W. Wu, Certificateless signature revisited, in: Information Security and Privacy, Springer Berlin Heidelberg, Berlin, Heidelberg, 2007, pp. 308322.
 [10] N. Pakniat, B. A. Vanda, Cryptanalysis and improvement of a pairingfree certificateless signature scheme, in: 2018 15th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC), 2018, pp. 15.
 [11] Y. Lu, J. Li, Provably secure certificateless proxy signature scheme in the standard model, Theoretical Computer Science 639 (2016) 42  59.
 [12] Z. Eslami, N. Pakniat, A certificateless proxy signature scheme secure in standard model, in: International Conference on Latest Computational TechnologiesICLCT 2012, Planetary Scientific Research Center: Bangkok, 2012, pp. 8184.
 [13] S.H. Seo, K. Y. Choi, J. Y. Hwang, S. Kim, Efficient certificateless proxy signature scheme with provable security, Information Sciences 188 (2012) 322  337.

[14]
C. Hu, D. Li, A new type of proxy ring signature scheme with revocable anonymity, in: Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007), Vol. 1, 2007, pp. 866868.
 [15] L. Cheng, Q. Wen, Z. Jin, H. Zhang, L. Zhou, Cryptanalysis and improvement of a certificateless aggregate signature scheme, Information Sciences 295 (2015) 337  346.
 [16] Y.C. Chen, R. Tso, M. Mambo, K. Huang, G. Horng, Certificateless aggregate signature with efficient verification, Security and Communication Networks 8 (13) (2015) 22322243.
 [17] S.J. Horng, S.F. Tzeng, P.H. Huang, X. Wang, T. Li, M. K. Khan, An efficient certificateless aggregate signature with conditional privacypreserving for vehicular sensor networks, Information Sciences 317 (2015) 48  66.
 [18] H. Xiong, Z. Guan, Z. Chen, F. Li, An efficient certificateless aggregate signature with constant pairing computations, Information Sciences 219 (2013) 225235.
 [19] Z. Eslami, N. Pakniat, Certificateless aggregate signcryption: Security model and a concrete construction secure in the random oracle model, Journal of King Saud University  Computer and Information Sciences 26 (3) (2014) 276  286.
 [20] N. Pakniat, M. Noroozi, Cryptanalysis of a certificateless aggregate signature scheme, in: the 9th Conference of Command, Control, Communications and Computer Intelligence, 2016, pp. 15.
 [21] Y. Chen, Y. Zhao, H. Xiong, F. Yue, A certificateless strong designated verifier signature scheme with nondelegatability, International Journal of Network Security 19 (4) (2017) 573582.
 [22] X. Huang, W. Susilo, Y. Mu, F. Zhang, Certificateless designated verifier signature schemes, in: 20th International Conference on Advanced Information Networking and Applications  Volume 1 (AINA’06), Vol. 2, 2006, pp. 1519.
 [23] H. Yuan, F. Zhang, X. Huang, Y. Mu, W. Susilo, L. Zhang, Certificateless threshold signature scheme from bilinear maps, Information Sciences 180 (23) (2010) 4714  4728.
 [24] L. Wang, Z. Cao, X. Li, H. Qian, Simulatability and security of certificateless threshold signatures, Information Sciences 177 (6) (2007) 1382  1394.
 [25] L. Wang, Z. Cao, X. Li, H. Qian, Certificateless threshold signature schemes, in: Y. Hao, J. Liu, Y.P. Wang, Y.m. Cheung, H. Yin, L. Jiao, J. Ma, Y.C. Jiao (Eds.), Computational Intelligence and Security, Springer Berlin Heidelberg, Berlin, Heidelberg, 2005, pp. 104109.
 [26] Deng, Lunzhi, Certificateless ring signature based on RSA problem and DL problem, RAIROTheor. Inf. Appl. 49 (4) (2015) 307318.
 [27] L. Zhu, F. Zhang, An efficient certificateless ring signature scheme, Wuhan University Journal of Natural Sciences 13 (5) (2008) 567.