An efficient certificateless signature scheme without bilinear pairings

Abstract

During these years, the research field of certificateless signature (CLS) scheme is promptly investigated as the key escrow problem in identity-based cryptography can be solved via CLS concept. However, due to the bandwidth limitation of mobile communication and the resource-constraint property of handheld mobile devices, most CLS schemes cannot fulfill the requirement of computation efficiency for mobile communication architecture. Hence, the design of lightweight CLS protocol refined from traditional cryptosystem technologies for existing mobile communication environment becomes one of the most important research trends. In this paper, we demonstrate a novel CLS scheme which is immune against bilinear pairings. Without the heavy computation of bilinear pairings, our proposed scheme is efficient and practical for mobile communication. Meanwhile, the proposed CLS scheme possesses strong security density owing to the adoption of point addition of elliptic curve cryptography. A formal security analysis is presented to guarantee the security robustness of our CLS protocol under the hardness of breaking elliptic curve discrete logarithm problem.

1 Introduction

In traditional public key cryptography, signature schemes allow a singer to sign a message with his/her private key to guarantee non-repudiation property (and more). However, each signature activity must accompany with corresponding certificates to complete. To solve the certificate management problem, Shamir [11] introduced the concept of identity-based cryptosystem, where every user does not have an explicit public key as before. The public key is replaced by his/her publicly available identity information, which can uniquely identify him/her and can be undeniably associated with him/her. The corresponding private key is computed from a one-way trapdoor function of privileged information known only to the system authority, such as key generation center (KGC). Compared to certificate-based cryptosystem, identity-based cryptosystem does not require extra effort and information for users to validate the authenticity of public keys.

Based on the idea of self-certified cryptosystem, Al-Riyami and Paterson [1] proposed an approach in 2003, namely certificateless public key cryptography (CL-PKC). In this approach, KGC generates partial private key, each user then generates his/her private key and public key using user’s secret value and partial private key. This concept was to oppose to KGC having access to each user’s private key in identity-based approach, and was the absence of digital certificates and the important management overhead. However, CL-PKC approach is insecure against to type I adversary [8]. In 2004, Yum and Lee [15] proposed another CLS scheme. Nevertheless, Hu et al. [6] pointed out that Yum and Lee’s CLS protocol cannot resist to type I adversary. Later, Li et al. [10] and Gorantla et al. [3] presented CLS schemes using bilinear pairings, respectively. Unfortunately, these schemes require heavy operation of bilinear pairing on signature verification. As a result, the development of CLS scheme without bilinear pairings is promptly proposed and investigated in recent years.

In 2011, He et al. [5] demonstrated a CLS scheme which does not adopt the technique of bilinear pairings. Without the heavy computation cost from bilinear pairings, the efficiency of He et al.’s CLS scheme is better than previous CLS protocols. Later, a variant of such CLS concept is adopted in the authors’ another study involved with authenticated key agreement [4]. In 2012, however, Tian and Huang [12] and Tsai et al. [13] both presented that He et al.’s CLS scheme is vulnerable to a type II adversary who is able to access the master secret key of KGC. Recently, Gong and Li [2] proposed a CLS scheme without bilinear pairings. The authors claimed that their proposed scheme is secure against the super adversary. Nevertheless, the security claim is not solid. Yeh et al.’s [14] demonstrated that Gong and Li’s CLS scheme cannot fulfill the claimed security robustness, i.e. resistance to the super adversary. Based on these observations, we can know that most of existing CLS schemes still have room for security enhancement.

In recent years, with the popularity of mobile communication, industries yearn for an efficient and robust signature scheme to support the enormous needs from on-line services for mobile commerce. Nevertheless, due to the bandwidth limitation of mobile communication architecture and the resource-constraint property of handheld mobile devices, most signature schemes cannot fulfill the requirement of computation efficiency for mobile communication environment. Hence, the design of lightweight and robust CLS protocols refined from traditional cryptosystem technologies for mobile communication becomes one of the most important research areas. Hence, in this paper we will introduce a secure and efficient CLS scheme without bilinear pairings to efficiently and effectively satisfy all the needs from existing mobile communication environment.

2 Preliminary

2.1 Elliptic curve

Let the notation E/F _p denote an elliptic curve E over a prime finite field F _p, defined by an equation y ² = x ³ + ax + b, where a _i , b _i  ∈ F _p are constants such that Δ = 4a ³ + 27b ² ≠ 0. All points P _i  = (x _i , y _i ) on E and the infinity point O forms a cyclic group G under the operation of point addition R = P + Q defined according to a chord-and-tangent rule. In particular, we define t·P = P + P + … + P (t times) as scalar multiplication. Note that P is a generator of G with order n.

2.2 The overview of certificateless signature scheme

According to the study [1], two types of CLS scheme, denoted as CLS and CLS^*, exist. A normal CLS scheme consists of seven phases, i.e. Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key, Sign and Verify. We briefly review each phase as follows.

• Setup: With the security parameter k, KGC generates a master secret key mk, a corresponding master public key P _pub and the public parameters params.

• Partial-Private-Key-Extract: With the master secret key mk, the public parameters params and the user i’s identity ID _i , KGC generates a partial secret key D _i for the user i.

• Set-Secret-Value: The user i randomly selects a value x _i  ∈ Z ^* _n as his/her secret.

• Set-Private-Key: With the public parameters params, the user i’s partial private key D _i and his/her chosen secret value x _i , the user i generates a full private key. Note that in some studies, Set-Private-Key phase may be integrated with Set-Secret-Value phase.

• Set-Public-Key: With the public parameters params and the user i’s secret value x _i ,, the user i outputs his/her public key PK _i.

• Sign: With any target message m, this phase outputs a signature σ _i  = (R _i , T _i , τ _i ) on m.

• Verify: With the signature σ _i  = (R _i , T _i , τ _i ) of the message m, this phase returns 1 if σ _i  = (R _i , T _i , τ _i ) is valid. Otherwise, it returns 0.

Furthermore, the other kind of certificateless signature scheme CLS^* also possesses seven phases: Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key, Sign and Verify. The main difference between CLS and CLS^* is in the procedure of Partial-Private-Key-Extract phase which additionally requires the user i’s public key as an input.

3 Adversaries against certificateless signature scheme

In general, there exist two categories of adversaries against certificateless signature scheme, i.e. type I and type II Adversaries [1]. The type I adversary models an outside adversary who does not know the master secret key of KGC; however, the type I adversary is able to replace any entity’s public key with specific values chosen by the adversary itself. The type II adversary models a malicious KGC who is allowed to access to the master secret key of KGC. Nevertheless, the type II adversary cannot replace the public keys of other entities. In addition, based on the security model defined by Huang et al. [7], type I and II adversaries against CLS schemes can further be classified into three categories: normal, strong and super levels. A normal-level type I (and II) adversary only has the ability to learn valid signatures. A strong-level type I (and II) adversary is able to replace a public key to forge a valid signature when the adversary possesses a corresponding secret value. A super-level type I (and II) adversary is able to learn valid signatures for a replaced public key without any submission. Here, we only present the definition of the super-level type I adversary j which will mainly be involved with the cryptanalysis of Gong-Li’s CLS scheme [2]. The game is performed between a challenger C and a super-level type I adversary j for a CLS scheme as follows.

Initialization

C runs the Setup algorithm and generates a master secret key mk, public system parameters params. Next, C keeps mk and gives params to the adversary j.

Queries

The adversary j can adaptively issue the following oracle queries [2, 5], i.e. ExtractPartialPrivateKey(i), ExtractSecretValue(i), RequestPublicKey(i), ReplacePublicKey(i), and Sign(i, m), to C.

Output

Eventually, the adversary j outputs (ID _t , m _t , σ _t ). The adversary j wins the game if

1. (1)

   ExtractPartialPrivateKey (t) and Sign(t, m _t ) queries have never been queried.

2. (2)

   1 ← Verify(params, m _t , PK _t , P _pub , σ _t ). Note that PK _t and P _pub may be replaced by the adversary j.

Definition 1

A CLS scheme is existentially unforgeable against a super-level type I adversary, if for any polynomially bounded super-level Type I adversary j, Succ _j is negligible, where Succ _j is the success probability that j wins in the above game.

4 The proposed CLS scheme

In this section, we propose a new CLS scheme which is extended from Gong and Li’s protocol [2]. In our proposed CLS scheme, we mainly strengthen the connection among values h _i , k _i and l _i with public values such as T _i , PK _i , R _i and P _pub . This design makes the adversary hard to eliminate the connection among the values T _i ,  l _i k _i PK _i ,  R _i and h _i P _pub in the signature σ _i  = (R _i , T _i , τ _i ) at each session. In general, our CLS scheme consists of six algorithms, i.e. Setup, PartialPrivateKeyExtract, SetSecretValue, SetPublicKey, Sign and Verify.

Setup

Given k, KGC generates a group G of elliptic curve points with prime order n and determines a generator P of G. Then, KGC chooses the master key mk = s ∈ Z ^* _n , and three secure hash functions H ₁ : {0,  1}* × G × G → Z ^* _q , H ₂ : {0,  1}* × G × G × G × G → Z ^* _q and H ₃ : {0,  1}* × {0,  1}* × G × G × G × G → Z ^* _q . Next, KGC creates the master public key P _pub  = s ⋅ P. Finally, KGC publishes params = {G, P, P _pub , H ₁, H ₂, H ₃}, and keeps mk secretly.

PartialPrivateKeyExtract

Given params, mk, and user i ’s identity ID _i , KGC generates a random number r _i  ∈ Z ^* _n , and calculates R _i  = r _i  ⋅ P, h _i  = H ₁(ID _i , R _i , P _pub ), and s _i  = r _i  + h _i s  mod  n. Next, KGC returns the partial private key D _i  = (s _i , R _i ) to the user. The validity of D _i is based on if s _i  ⋅ P = R _i  + h _i  ⋅ P _pub holds.

SetSecretValue

Given params, the user i with identity ID _i picks a random number x _i  ∈ Z ^* _n as his/her secret value.

SetPublicKey

Given params and x _i , the user i computes PK _i  = x _i  ⋅ P as his/her public key.

Sign

Given params, D _i , x _i and a message m, the user i computes

T _i  = t _i  ⋅ P with a random number t _i  ∈ Z ^* _n and

$$ \begin{array}{l}{k}_i={H}_2\left({T}_i, I{D}_i, P{K}_i,{R}_i,{P}_{pub}\right),\hfill \\ {}{l}_i={H}_3\left( m,{T}_i, I{D}_i, P{K}_i,{R}_i,{P}_{pub}\right)\hfill \end{array} $$

And

$$ {\tau}_i={t}_i+{l}_i\left({k}_i{x}_i+{s}_i\right)\kern0.5em \mod \kern0.5em n. $$

Now, σ _i  = (R _i , T _i , τ _i ) is the signature of the message m.

Verify

Given params, ID _i , PK _i , m and σ _i  = (R _i , T _i , τ _i ), the verifier examines the validity of σ _i .

Compute

$$ \begin{array}{l}{h}_i={H}_1\left( I{D}_i,{R}_i,{P}_{pub}\right),\hfill \\ {}{k}_i={H}_2\left({T}_i, I{D}_i, P{K}_i,{R}_i,{P}_{pub}\right),\hfill \end{array} $$

and

$$ {l}_i={H}_3\left( m,{T}_i, I{D}_i, P{K}_i,{R}_i,{P}_{pub}\right). $$

Verify whether the equation τ _i  ⋅ P = T _i  + l _i (k _i  ⋅ PK _i  + R _i  + h _i  ⋅ P _pub ) holds.

Correctness:

$$ \begin{array}{l}{\tau}_i\cdot P=\left[{t}_i+{l}_i\left({k}_i{x}_i+{s}_i\right)\right]\cdot P\hfill \\ {}={t}_i\cdot P+{l}_i\left({k}_i{x}_i\cdot P+{r}_i\cdot P+{h}_i s\cdot P\right)\hfill \\ {}={T}_i+{l}_i\left({k}_i\cdot P{K}_i+{R}_i+{h}_i\cdot {P}_{pub}\right)\hfill \end{array} $$

5 Security analysis

Based on the hardness of solving the elliptic curve discrete logarithm problem (ECDLP for short), we prove that our proposed certificateless signature scheme without bilinear pairings is existentially unforgeabe against a super-level type I adversary and the super-level type I adversary defined in Section 2.

Definition 2. Elliptic Curve Discrete Logarithm Problem (ECDLP)

Given a group G of elliptic curve points with prime order n, a generator P of G, and a point x ⋅ P, it is computational infeasible to derive x, where x ∈ Z ^* _n .

Theorem 1

The proposed certificateless signature scheme without bilinear pairings can achieve existential unforgeability against a super-level type I adversary in the random oracle model, assuming the hardness of solving the ECDLP.

Proof

Let α ₁ be a polynomial-time algorithm that breaks the certificateless signature scheme with non-negligible advantage ε ₁, and H ₁, H ₂, H ₃ are three random oracles. The goal is to the algorithm α ₁ for building a polynomial-time algorithm β that solves the ECDLP. That is, given a random instance (P, x ⋅ P), the goal is to derive x.

In the initialization phase, β runs the Setup algorithm and generates a master secret key mk = s ∈ Z ^* _n , public system parameters params = {G, P, P _pub }. Next, β keeps mk and gives params to α ₁.

In the Query phase, α ₁ can adaptively issue the following oracle queries to β [2, 5], and each query is unique.

H ₁: For responding to α ₁’s queries, β maintains a list \( lis{t}_{H_1} \) storing (ID _i , R _i , P _pub , h _i ). Upon receiving an H ₁ query for some (ID _i , R _i , P _pub ) from α ₁, β checks the \( lis{t}_{H_1} \) and returns h _i to α ₁. Detailed steps are as follows.

If (ID _i , R _i , P _pub , h _i ) exists in \( lis{t}_{H_1} \), β directly returns h _i to α ₁ and terminates the step.

Randomly choose an h _i  ∈ Z ^* _n .

Add (ID _i , R _i , P _pub , h _i ) into \( lis{t}_{H_1} \).

Return h _i to α ₁.

H ₂: β maintains a list \( lis{t}_{H_2} \) storing (T _i , ID _i , PK _i , R _i , P _pub , k _i ) for responding to α ₁’s queries,. Upon receiving an H ₂ query for some (T _i , ID _i , PK _i , R _i , P _pub ) from α ₁, β checks the \( lis{t}_{H_2} \) and returns \( {h}_{2_i} \) to α ₁. Detailed steps are as follows.

If (T _i , ID _i , PK _i , R _i , P _pub , k _i ) exists in \( lis{t}_{H_2} \), β directly returns k _i to α ₁ and terminates the step.

Randomly choose an k _i  ∈ Z ^* _n .

Add (T _i , ID _i , PK _i , R _i , P _pub , k _i ) into \( lis{t}_{H_1} \).

Return k _i to α ₁.

H ₃: For responding to α ₁’s queries, β maintains a list \( lis{t}_{H_3} \) storing (m, T _i , ID _i , PK _i , R _i , P _pub , l _i ). Upon receiving an H ₃ query for some (m, T _i , ID _i , PK _i , R _i , P _pub ) from α ₁, β checks the \( lis{t}_{H_3} \) and returns h _i to α ₁. Detailed steps are as follows.

If (m, T _i , ID _i , PK _i , R _i , P _pub , l _i ) exists in \( lis{t}_{H_3} \), β directly returns l _i to α ₁ and terminates the step.

Randomly choose an l _i  ∈ Z ^* _n .

Add (m, T _i , ID _i , PK _i , R _i , P _pub , l _i ) into \( lis{t}_{H_1} \).

Return l _i to α ₁.

ExtractPartialPrivateKey(i)

Upon receiving such a query for some identity ID _i from α ₁, β performs the following steps. Note that ID _i cannot be the target identity ID _i *.

Randomly choose two numbers a _i , b _i  ∈ Z _q *.

Set s _i  = a _i , h _i  = b _i , and R _i  = a _i  ⋅ P − b _i  ⋅ P _pub .

Return (ID _i , s _i , R _i ) to α ₁.

RequestPublicKey(i)

Upon receiving such a query for some identity ID _i from α ₁, β performs the following steps.

If ID _i  ≠ ID _i *, β fist simulates the ExtractPartialPrivateKey query for ID _i , where ID _i * is the target identity. Then, β randomly chooses a number x _i  ∈ Z _q * and computes PK _i  = x _i  ⋅ P. Finally, β returns PK _i to α ₁.

If ID _i is the target identity, β randomly chooses three numbers a _i , b _i , x _i  ∈ Z _q *, computes R _i  = a _i  ⋅ P and PK _i  = x _i  ⋅ P, sets h _i  = b _i . After that, β returns PK _i to α ₁.

ExtractSecretValue(i)

Upon receiving such a query for some identity ID _i from α ₁, β simulates the RequestPublicKey query for the identity ID _i and returns x _i as a response.

ReplacePublicKey(i)

Upon receiving such a query for some identity (ID _i , PK ^′ _i ) from α ₁, β performs the following steps.

Simulate the RequestPublicKey query for the identity ID _i .

Set PK _i  = PK ^′ _i .

Sign(i, m)

Upon receiving such a query for (i, m) from α ₁, β performs the following steps.

β simulates the ExtractPartialPrivateKey query to obtain (ID _i , s _i , R _i ).

β randomly chooses a number x _i  ∈ Z _q * and computes PK _i  = x _i  ⋅ P.

β chooses two random numbers a _i , b _i  ∈ Z _q * sets τ _i  = a _i , l _i  = b _i , and computes T _i  = τ _i  ⋅ P − l _i (k _i  ⋅ PK _i  + s _i  ⋅ P), where s _i  ⋅ P = R _i  + h _i  ⋅ P _pub . After that, β returns σ _i  = (R _i , T _i , τ _i ) to α ₁.

At the final phase, α ₁ successfully outputs σ ^∗ _i  = (R ^∗ _i , T ^∗ _i , τ ^∗ _i ) for the target ID _i * with non-negligible advantage ε ₁. Hence, the algorithm β can solve the ECDLP with the at least advantage \( \frac{1}{q_{H_1}}{\left(1-\frac{1}{q_{H_1}}\right)}^{q_n}{\varepsilon}_1 \), where \( {q}_{H_1} \) denotes the maximum number of queries to H ₁, and q _n denotes the maximum number of ExtractPartialPrivateKey queries. That contradicts the hardness of solving the ECDLP.

Theorem 2

The proposed certificateless signature scheme without bilinear pairings is can achieve existential unforgeability against a super-level type II adversary in the random oracle model, assuming the hardness of solving the ECDLP.

Proof

Let α ₂ be a polynomial-time algorithm that breaks the certificateless signature scheme with non-negligible advantage ε ₂, and H ₁, H ₂, H ₃ are three random oracles. The goal is to the algorithm α ₂ for building a polynomial-time algorithm β that solves the ECDLP. That is, given a random instance (P, x ⋅ P), the goal is to derive x.

In the initialization phase and the Query phase, α ₂ and β performs the same tasks as described in Theorem 1. At the final phase, α ₂ successfully outputs σ ^∗ _i  = (R ^∗ _i , T ^∗ _i , τ ^∗ _i ) for the target ID _i * with non-negligible advantage ε ₁. Hence, the algorithm β can solve the ECDLP with the at least advantage \( \frac{1}{q_{H_1}}{\left(1-\frac{1}{q_{H_1}}\right)}^{q_m}{\varepsilon}_1 \), where \( {q}_{H_1} \) denotes the maximum number of queries to H ₁, and q _m denotes the maximum number of ExtractSecretValue queries. That also contradicts the hardness of solving the ECDLP.

6 Prototype implementation

To evaluate the practicability and feasibility of the proposed CLS scheme, we implement our scheme on a resource-constrained mobile device embedded with one of the most popular linux-based operating systems: Android. In this section, we introduce the environment setup followed by the implementation results of the proposed CLS scheme. The basic implementation environment is shown in Table 1, where an HTC ONE X, JDK and Java Elliptic Curve Cryptography (JECC) [9] are adopted in the prototype system implementation. Next, we will report the implementation results.

Table 1 Environment description

Figure 1 shows the main input-pages of the proposed CLS scheme in which an ID _i = “M10109121” and a message m = “testecc signature” are adopted as the inputs for signature creation and verification (i.e., Fig. 1a and b). In Fig. 2, a simple simulation result for the signature creation and verification processes of our proposed CLS scheme is presented. Figure 2(a) shows the creation and verification processes are ongoing, and Fig. 2(b) soon demonstrates the verification is successfully done with a total computation time 2.199 s. Our prototype system further presents the computation cost of each parameter in Fig. 2(c) which concludes a result that the major overhead of our proposed CLS scheme is based on the computation of parameters P _pub , T _i , R _i and PK _i involving with the addition operation of Elliptic Curve Cryptography. Moreover, we can click each parameter to obtain a corresponding value, such as Fig. 3(a and b). Note that in ECC the x and y coordinates is computed, respectively, and this will result in two values for each parameter (e.g., Fig. 3a). After evaluating the feasibility of our proposed CLS scheme on Android-based mobile phone, we test the average overhead of the proposed CLS scheme. In Table 2, we obtained an average total computation time 1.916 s from 30 runs of our proposed CLS scheme. As mentioned before, the four parameters PK _i , P _pub , R _i and T _i are essential overheads for total computation cost as the addition operation of ECC is exploited. The corresponding overhead percentage is 11.74 %, 10.69 %, 11.64 % and 11.87 %, respectively. In the future, these parameters could be the main re-design target when establishing a new and more efficient CLS scheme. With the above results, we believe that our implementation reflects the practicability and feasibility of our proposed CLS scheme for existing mobile communication environments involving with common handheld devices.

Fig. 1

The main pages of the implementation of our proposed CLS scheme, where ID _i  = “M10109121” and a message m = “testecc signature” are the inputs for signature creation and verification

Fig. 2

The snapshots of signature verification of the proposed CLS scheme, where the green bar below the each item in (c) represents the computation time for the parameter

Fig. 3

The functionality for detail showing of each parameter

Table 2 The evaluation of computation cost of the proposed CLS scheme

7 Conclusion

In this paper, we have demonstrated a novel CLS scheme which is secure against super-level adversaries (type I and type II). Our proposed CLS scheme is superior to most CLS protocols [2, 3, 5, 6, 8, 10, 15] with either lower computation cost or better security robustness. That is, without the heavy computation of bilinear pairings, our proposed scheme is efficient to support the secure communication among mobile entities. Meanwhile, with the strong robustness property of elliptic curve cryptography, the proposed CLS protocol preserves high system security. We additionally implement a prototype system of our proposed CLS scheme and the corresponding results show the practicability and feasibility of the CLS scheme. In conclusion, we believe that our CLS scheme is more practical and suitable for securing existing mobile network environment.