Scheme Secure against Super Adversaries
Naoto Yanai∗, Graduate School of Systems and Information Engineering, University of Tsukuba, Tsukuba, Japan
Raylin Tso, Department of Computer Science, National Chengchi University, Taipei, Taiwan
Masahiro Mambo, Institute of Science and Engineering, Kanazawa University, Kanazawa, Japan
Eiji Okamoto, Graduate School of Systems and Information Engineering, University of Tsukuba, Tsukuba, Japan
Abstract
The certificateless cryptosystem is a hybrid of traditional PKI and the ID-based scheme and has the positive aspects of both PKI and the ID-based cryptosystem, i.e. it solves the key escrow problem and the certificate management problem simultaneously. Cryptographic schemes constructed in such a hybrid setting, generally called the certificateless setting, retain these positive aspects and have been extensively studied recently. To the best of our knowledge, an ordered sequential aggregate signature (OSAS) scheme, which is a signature scheme verifying both the validity of a document and the signing order of a group of signers, has never been proposed in the certificateless setting. Therefore we propose an OSAS scheme in the certificateless setting, called the certificateless ordered sequential aggregate signature (CLOSAS) scheme. Our proposed scheme has advantages in its communication cost and its security proof. In particular, its signature size is fixed with respect to the number of signers, and its security is proven in the random oracle model against super adversaries, which are the strongest adversaries in certificateless signature schemes. Our scheme resists the KGC’s malicious activities associated with key escrow and forgery of signatures as long as both each user and the KGC are directly involved in key generation.
Keywords: Key escrow problem, certificateless setting, ordered sequential aggregate signature scheme, super adversary, random oracle model, full aggregation
1 Introduction
1.1 Motivation
One of the main problems in public key cryptosystems is to guarantee the relation between a user and his/her own public key. In general, a public key in traditional public key cryptography such as RSA encryption [1] is a random value, and we need a method to bind the user to the public key. A general way to solve this problem is to utilize a public key infrastructure (PKI), in which a trusted third party called a certification authority (CA) issues a certificate binding the user to the public key. However, in the PKI the management cost for certificates is expensive in that it involves certificate revocation, and the distribution and verification of public keys. This problem in the PKI is called the certificate management problem.
Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, volume: 3, number: 1/2, pp. 30-54
∗Corresponding author: SB822, Third Area, University of Tsukuba, Tennoudai 1-1-1, Tsukuba-city, Ibaraki, Japan, Phone:
As an approach to overcome the problem in the PKI, the identity-based (ID-based) cryptosystem [2] has been studied in recent years. In an ID-based cryptosystem, each user has ID information such as an e-mail address and can use the ID as his/her own public key. In general, an ID is unique information for each user and is publicly known. In contrast to PKI, users in an ID-based cryptosystem do not need a certificate to relate a user to his/her public key, the ID. However, the ID-based cryptosystem has an inherent problem, called the key escrow problem, in which a key generation center (KGC) knows the secret keys of all users in the system. This problem occurs because the secret keys of all the users are computed from the KGC’s master secret key and the users’ IDs. This implies that the KGC must be trusted in an ID-based cryptosystem. In other words, a malicious KGC can easily read the contents of encrypted communications, and ID-based systems intrinsically contain such an insider threat. In fact, users cannot always trust KGCs, since malicious KGCs who do not honestly run the algorithm exist [3].
In order to overcome this problem, Al-Riyami et al. proposed the certificateless cryptosystem [4], which is a hybrid of PKI and the ID-based cryptosystem. In the certificateless cryptosystem, the key of each user consists of a pair of a secret key and a public key depending on both PKI and the ID-based cryptosystem. In particular, after being given the secret value of the ID-based cryptosystem, called the partial private key, each user generates a secret value which is a random number as in PKI. Then the user sets the secret value and the partial private key as his/her full secret key, and a value computed from the PKI secret value and his/her ID as the corresponding public key.¹ A sender/verifier uses the public key for the encryption/verification of data, and a receiver/signer uses the full secret key for the decryption/signing of data. The certificateless cryptosystem has the positive aspects of both PKI and the ID-based system. In particular, the confidentiality or the validity of the users’ data is guaranteed even if the KGC is malicious, because the KGC does not know the secret value generated by the user as in PKI. In addition, the user can implicitly confirm the owner of the public key without a certificate, since the user needs the ID as part of the public key to encrypt/verify the data. Therefore, constructing certificateless cryptographic schemes such as signature schemes is meaningful work.
As one of the main applications of cryptography, the digital signature scheme, which guarantees the validity of an electronic document, is a well-known tool and has been studied by many researchers [5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37]. The multisignature scheme by Itakura et al. [14] is suitable for a situation in which the validity of the document should be guaranteed by all associated persons, and its communication cost has the advantage that the data size of a signature is smaller than that of individual signing, which simply collects the signatures of all the associated signers. After many multisignature schemes were proposed [8, 22, 25, 28], Boneh et al. proposed the aggregate signature (AS) scheme as a generalization of the multisignature scheme in 2003 [6]. Each signer in an AS scheme can sign an individual document, and hence the aggregate signature scheme has been one of the main topics in digital signatures in recent work [5, 9, 10, 11, 12, 18, 20, 21, 24, 26, 27, 29, 31, 35].
Among them, the ordered sequential aggregate signature (OSAS) scheme by Lysyanskaya et al. [20] is an AS scheme which verifies both the validity of the document and the signing order and, as described in section 1.4, is adopted in applications such as the secure border gateway protocol (S-BGP) [38]. However, to the best of our knowledge, the existing OSAS schemes have been proposed in either PKI or the ID-based scheme, and such a scheme in a certificateless setting has never been proposed. The certificateless cryptosystem is the advanced scheme in contrast to PKI and the ID-based scheme as described above, and thus in this paper we propose an OSAS scheme in the certificateless setting, i.e. the certificateless ordered sequential aggregate signature (CLOSAS) scheme.
¹Several researchers avoid viewing the ID as a public key in the ID-based system, since the ID is not a randomly generated value as in traditional PKI. Even so, the ID-based system can be judged as an answer to the question, "Is it possible to construct a public-key system with a fixed-value public key?", and we describe the ID as part of the public key.
In addition to constructing the first CLOSAS scheme, we also discuss security against super adversaries [39], who are the strongest adversaries known in the certificateless cryptosystem. As described in section 1.2.5, the super adversary can implicitly access a black-box knowledge extractor which extracts a secret key from a corresponding public key without being detected by a target signer, and several schemes [40, 12] secure against non-super adversaries become insecure against the super adversary. To avoid any unexpected security degradation, one should guarantee the highest security level, and proving security against super adversaries is meaningful work. Note that we do not discuss a malicious activity in which the KGC impersonates target users by generating pairs of full secret keys and public keys. To the authors’ knowledge, no existing certificateless scheme prevents this type of KGC impersonation, and it remains open to construct a CLOSAS scheme guaranteeing the validity of both the documents and the signing order even under the KGC’s impersonation. In our discussion framework, the validity of both the documents and the signing order is guaranteed as long as either the PKI secret values or the partial private keys are kept secret. Further note that this paper is an extended version of the paper [33]. While super adversaries were not considered in the previous work, we discuss security against super adversaries in this paper. We show a rigorous proof that the proposed scheme is secure against the super adversary in the random oracle model if and only if solving the CDH problem is difficult.
1.2 Achievement for Our Construction
Our newly proposed scheme has the following features.
1.2.1 Certificateless Property
The certificateless cryptosystem does not need a certificate generated by a CA to verify a user’s public key, so it does not have the certificate management problem suffered by traditional PKI-based public key cryptosystems. On the other hand, it also solves the key escrow problem suffered by ID-based cryptosystems, since the secret key generated by each user as in PKI is an unknown value for a malicious KGC. Therefore, we propose our OSAS scheme in the certificateless setting.
As a security notion for public key cryptosystems, Girault [41] defined three security levels for a trusted authority as follows:
level-1 KGC knows a secret key for any user, and can impersonate the user with the secret key without being detected.
level-2 KGC does not know a secret key for any user, but can impersonate the user with the secret key without being detected by generating a fake secret key.
level-3 KGC does not know a secret key for any user. In addition, KGC cannot impersonate the user with the secret key even by generating a fake secret key, since its impersonation can be detected.
The security model used for the analysis of our scheme does not capture an actively malicious KGC who generates a pair of a secret key and its corresponding public key for any user. Namely, our proposed scheme achieves level-2 security. However, based on the idea of [30] proposed by Wu et al. in 2009, it is easy to modify our certificateless signature into a new kind of signature scheme named the certificate-based signature scheme [42, 43, 30], in which Girault’s level-3 security can be achieved. But, with this modification, the public key $PK_{ID}$ of an entity $ID$ cannot be updated at any time without assistance from KGC, whereas this is possible in our scheme. Therefore, here we only discuss how to protect a certificateless signature scheme under the assumption that a secret value in either PKI or the ID-based cryptosystem is kept secret and that the malicious activities of KGC are restricted so as not to fake a pair of secret and public keys as described above, i.e. security level-2. In other words, our scheme can resist signature forgery unless KGC impersonates a target signer by generating a key of the target signer.
1.2.2 Ordered Sequential Aggregate Signature Scheme
According to Selvi et al. [26], three types of AS scheme exist, i.e. the general aggregate signature (GAS) scheme, the sequential aggregate signature (SAS) scheme and the ordered sequential aggregate signature (OSAS) scheme. In a GAS scheme each signer’s signature is generated in parallel, and these signatures are then aggregated into one signature by an interactive process. On the other hand, the SAS scheme and the OSAS scheme have no aggregate phase as described in [6]; their signature is generated by executing both signing and aggregation for each signer in turn. However, while the signing order in a SAS scheme has no meaning, the signing order can be verified in an OSAS scheme. Our proposed scheme is an OSAS scheme.
1.2.3 Full Aggregation
For signature size, Selvi et al. described the notions of full aggregation and partial aggregation in [27]. The former means that the signature size in the scheme is fixed with respect to the number of signers, and the latter means that the signature size is linear in the number of signers. Hence, achieving full aggregation means an efficient scheme in terms of communication cost. Our proposed scheme achieves full aggregation.
1.2.4 Order Flexibility
Mitomi et al. described an order flexibility in [22]. This notion is intuitively that the signing order should not be included in public information. Achieving this property means that the signers can easily change the signing order. Our proposed scheme achieves this property.
1.2.5 Security against Super Adversary
Since public keys in certificateless cryptosystems are not certified by certificates, these public keys can be replaced by an adversary [39, 19]. According to Huang et al. [39], there are three types of adversary: normal, strong and super. The normal adversary cannot obtain signatures of a target signer once he/she replaces the public key of the target signer. The strong adversary can obtain signatures of the target signer by providing the secret value corresponding to the replaced public key to the challenger in the security model described in section 3.2. The super adversary can also obtain signatures of the target signer, but without providing the secret value to the challenger. During the attack, the super adversary can replace a public key $pk_A$ of a target signer Alice with a public key $pk_B$ of another target signer Bob, while such an attack cannot be performed by the strong adversary, who cannot compute a secret key corresponding to $pk_B$. This means that the super adversary can use Alice as a black-box knowledge extractor for the secret value of Bob without being detected by Bob, because in this scenario the signatures output by Alice are computed from the secret value of Bob. Namely, the adversary trying to forge a signature of the target signer can obtain secret-key-related information without being detected by the target signer. In this sense, the super adversary can be judged the strongest among the three types of adversaries.
1.2.6 Rigorous Proof in Random Oracle Model
For the security proof, we prove security in the random oracle model [44]. In general, a construction in the standard model is more rigorous than a security analysis in the random oracle model ([45]), but it is also true that constructions in the random oracle model are more efficient than those in the standard model. Therefore, we prove the security in the random oracle model.
1.3 Contribution
In addition to proposing the first CLOSAS scheme, our contribution is to prove security against super adversaries in the CLOSAS scheme. The security model discussed in this paper is a newly formalized security model obtained by applying the notion of the super adversary in [39] to the security model for OSAS schemes in [20]. As described in more detail in section 3.2, this model captures cryptographic insider threats in which dishonest users in the signing group collude with malicious KGCs, which know the partial private keys. Although the existing security models in the certificateless setting represent malicious entities, those models do not capture the security requirement of an OSAS scheme, namely the validity of both the documents and the signing order, because the existing schemes are not CLOSAS schemes. In contrast, the model in this paper is an advanced model that guarantees the validity of both the messages and the signing order even if such malicious entities exist.
1.4 Application
We sketch an example of an application using the CLOSAS scheme. S-BGP, which is one of the applications described in section 1.1, is a routing protocol designed to overcome a vulnerability in the border gateway protocol (BGP) [46]. BGP is a routing protocol that establishes Internet traffic between autonomous systems (ASes), but it has no guarantee about the validity of the path information. To overcome this problem, S-BGP forces ASes to send data only via an authorized AS path. In particular, ASes generate a digital signature to guarantee the relation between each autonomous system and its IP prefix, and the S-BGP router generates a digital signature to guarantee a neighbor AS. Several papers such as [5, 20] have pointed out that the OSAS scheme is a suitable tool for S-BGP, in which it allows ASes to verify and then forward propagated data via the authenticated path.
In addition to the advantage described above, we obtain another advantage by implementing the CLOSAS scheme in S-BGP. The main problems for an implementation of S-BGP are router storage and data traffic [47]. In particular, when routers send data packets in S-BGP, they need to share the public key certificates in advance to verify the signature. Since the packet space is of limited size, attaching the certificates to the data to be signed is difficult. In addition, each router also requires a large amount of memory to store the certificates and the digital signatures sent in S-BGP. Here, we note that the certificateless cryptosystem does not need a public key certificate, since the user’s ID is bound to its own public key. S-BGP with the CLOSAS scheme requires neither sharing the certificates in advance nor large amounts of memory to store the certificates.
S-BGP with the CLOSAS scheme is also elegant in the sense of security against insider threats, in contrast to an ID-based OSAS scheme. Although S-BGP becomes faster by utilizing an ID-based OSAS scheme, such a system is vulnerable to insider threats. In particular, as described in section 1.1, since all the secret keys in the ID-based scheme are given by KGC, an adversary such as a malicious KGC who knows the master secret key is able to generate signatures for all signers. This means that the authorization of the AS path in S-BGP with an ID-based OSAS is no longer effective. On the other hand, thanks to the property of the certificateless setting, S-BGP with the CLOSAS scheme is resistant to the malicious KGC.
1.5 Paper Construction
The rest of this paper is organized as follows. We describe the background needed to understand this paper in section 2, and a general construction of the CLOSAS scheme and the security model discussed in this paper in section 3. In section 4 we propose our CLOSAS scheme, and in section 5 we prove the security of the proposed scheme and show an example of a further extended application. We evaluate the performance of the proposed scheme in section 6, and conclude in section 7.
2 Preliminaries
In this section, we introduce the background necessary for understanding our paper.
2.1 Notations
Let the number of signers be $n$. We denote by $ID_i$ the $i$-th signer if the notation does not cause any confusion. We also denote by $m_i$ a message to be signed by a signer with identity $ID_i$, by $\sigma_i$ the signature generated by $ID_i$, by $msk$ a master secret key, by $mpk$ a master public key, by $sk_i$ a secret key of $ID_i$ and by $pk_i$ its corresponding public key. We define $\psi_i := ID_1 \| \cdots \| ID_i$ as the signing order from the first signer to the $i$-th signer for a group of signers. Let $a \| b$ be the concatenation of $a$ and $b$ for all $a, b$, where the concatenation can be easily divided into the original elements $a$ and $b$. For simplicity, we denote by $L_i := m_1 \| ID_1 \| \cdots \| m_i \| ID_i$ the information including both the messages and their signing order used to verify the signature.
2.2 Bilinear Maps
Our scheme uses bilinear maps. Let $G$ and $G_T$ be groups of the same prime order $p$. We assume that the Discrete-Logarithm Problem (DLP) in both $G$ and $G_T$ is hard.
Definition 1 (pairing). A pairing $e : G \times G \to G_T$ is a map such that the following conditions hold:
• Bilinearity: For all $u, v \in G$ and $a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$.
• Non-degeneracy: For any generator $g \in G$, $e(g, g) \neq 1_{G_T}$.
• Computable: There is an efficient algorithm to compute $e(u, v)$ for any $u, v \in G$.
Throughout this paper, we denote by $(p, G, G_T, e)$ parameters satisfying the above conditions as a pairing parameter.
2.3 Security Assumption
In this paper, we use the computational Diffie-Hellman (CDH) assumption, which is defined as follows.
Definition 2 (CDH problem). Given $(g, g^a, g^b)$ for $a, b \in \mathbb{Z}_p$ as input, compute $g^{ab} \in G$.
Definition 3 ($(t, \varepsilon)$-CDH assumption). There is no adversary who, given $(g, g^a, g^b)$ for all $a, b \in \mathbb{Z}_p$ as
2.4 Related Work
As described in the previous section, many ordered sequential aggregate signature schemes, which include multisignature schemes, have been proposed so far [5, 7, 8, 9, 10, 13, 15, 16, 17, 18, 20, 22, 23, 24, 25, 27, 28, 29, 31, 32, 34, 36, 37]. Although a CLOSAS scheme has never been proposed, we sketch the existing OSAS schemes in PKI and the ID-based scheme.
The schemes achieving full aggregation are those in [5, 8, 10, 16, 17, 18, 20, 24, 27, 31, 34] and [36]. However, the schemes in [8, 16, 17, 20, 24, 34] and [36] have no order flexibility, and the scheme in [18] is based on the M-LRSW problem [5], which has been shown to be false in [48]. In addition, according to our analysis based on the claim in Remark 3 of [11], the scheme in [27] seems to be insecure in that an adversary obtaining multiple signatures in the scheme [27] may be able to recover the corresponding secret key by solving simultaneous equations obtained from these signatures. Hence, we compare the performance of our scheme with the remaining papers [5, 10, 31] in section 6.
On the other hand, several certificateless aggregate signature schemes have been proposed so far [40, 12, 49, 35]. However, the security of the schemes in [40, 12] has never been proven against the super adversary. Although Xiong et al. claimed that their scheme is secure against the super adversary, unfortunately, similarly to the paper [27], it seems that the proof is wrong in the sense that the super adversary may be able to recover the signer’s secret key for the reason described in Remark 3 of the paper [11]. Hence, to the best of our knowledge, the only scheme secure against the super adversary is the scheme in [35]. That scheme differs from our proposed scheme in that it is not an OSAS scheme. In section 6, we also compare the performance of our scheme with the scheme in [35] as the existing certificateless aggregate signature scheme.
3 Certificateless Ordered Sequential Aggregate Signature Scheme
3.1 General Construction
A CLOSAS scheme consists of the following six algorithms. As described above, an ordered sequential aggregate signature scheme has no aggregate phase to aggregate signatures, in that the signature is implicitly aggregated in the Signing phase by each signer.
Setup This algorithm is run by KGC. Given a security parameter $1^k$ as input, generate a public parameter $param$, a master secret key $msk$ and its corresponding public key $mpk$. Output $param$, $mpk$ and $msk$.
Partial-Private-Key-Extract This algorithm is run by KGC. Given $param$, $msk$ and an identity $ID_i$ as input, generate a partial private key $d_i$. Output $d_i$.
User-Key-Gen This algorithm is run by each user. Given $param$ and his/her identity $ID_i$ as input, generate a secret key $x_i$ and its corresponding public key $y_i$. Output $x_i$ and $y_i$.
Set-Key This algorithm is run by each user. Given $ID_i$, $d_i$, $x_i$ and $y_i$, set $d_i$ and $x_i$ as a full secret key $sk_i$, and $(ID_i, y_i)$ as the corresponding public key $pk_i$. Output $sk_i$ and $pk_i$.
Signing This algorithm is run by each user in turn. Given $param$, $ID_i$, $sk_i$, $\{m_j\}_{j=1,\cdots,i-1}$, $\{ID_j\}_{j=1,\cdots,i-1}$, input, check that $\sigma_{i-1}$ is a valid signature on $\{m_j\}_{j=1,\cdots,i-1}$ in $\psi_{i-1}$ by using the Verification algorithm described below. If not, abort the process. Otherwise, set $\psi_i = \psi_{i-1} \| ID_i$. Compute a signature $\sigma_i$ on $m_i$ in $\psi_i$ with $\sigma_{i-1}$ and $s$, then output $\sigma_i$ and $s$.
Verification This algorithm is run by a verifier $V$. Given $param$, $mpk$, $\{ID_j\}_{j=1,\cdots,i}$, $\{pk_j\}_{j=1,\cdots,i}$, $\{m_j\}_{j=1,\cdots,i}$, $\sigma_i$ and $s$ as input, check that $\sigma_i$ is a valid signature on $\{m_j\}_{j=1,\cdots,i}$ in $\psi_i$. If not, output reject. Otherwise, output accept.
3.2 Security Model
In this section, we define the security model used in this paper. Our security model is constructed by applying the notion of the super adversary in [39] to the security model for sequential aggregate signature schemes in [20].
For a certificateless signature scheme, we have to consider the following two types of adversary with different abilities. In the security games in this paper, a challenger $\mathcal{C}$ and an adversary who can access a random oracle exist as entities.
Type 1 This type of adversary, $\mathcal{A}_1$, is a dishonest user who does not have the master secret key $msk$ but can replace the public key $y_i$ of any user $ID_i$ with a value chosen by him/her.
Type 2 This type of adversary, $\mathcal{A}_2$, is a malicious KGC who has $msk$ but cannot replace the public key of a target signer.
3.2.1 Definition of Oracles
In the security game in this paper, we define the following oracles. We denote by $x^{(j)}$ the $j$-th query to the oracles for all $x$. Here, $\mathcal{C}$ has a certificate list $\mathcal{L}$ to register users’ information.
Create-User Given an identity $ID_i$, if $ID_i$ has already been queried, nothing will be output. Otherwise, run the algorithms Partial-Private-Key-Extract and User-Key-Gen, and generate a partial private key $d_i$, a secret key $x_i$ and a corresponding public key $y_i$. Register $(ID_i, y_i)$ in $\mathcal{L}$ and output $y_i$. In this case, we say that $ID_i$ is created.
Public-Key-Replace Given $ID_i$ and $y'_i$ chosen by an adversary, if $ID_i$ has already been created, the original public key for $ID_i$ is replaced with $y'_i$ and $(ID_i, y'_i)$ is re-registered in $\mathcal{L}$. Otherwise, nothing will be output.
Secret-Value-Extract Given $ID_i$, if $ID_i$ has already been created, output the secret value $x_i$ corresponding to the original public key $y_i$. Otherwise, nothing will be output. This oracle does not output the secret value corresponding to the replaced public key $y'_i$.
Partial-Private-Key-Extract Given $ID_i$, if $ID_i$ has already been created, output a partial private value
Sign Given $ID_i$, $\{m_j\}_{j=1,\cdots,i}$, $\sigma_{i-1}$, $\psi_i$, $s$ and a public key $y_i$ of $ID_i$, if $ID_i$ has already been created, output a valid signature $\sigma_i$ on $\{m_j\}_{j=1,\cdots,i}$ in $\psi_i$. Otherwise, nothing will be output. Here $y_i$ may be either the original public key generated by $ID_i$ or a public key replaced by the adversary.²
3.2.2 Game 1
This game is executed between $\mathcal{C}$ and $\mathcal{A}_1$.
Setup $\mathcal{C}$ runs the setup algorithm described in the previous section to obtain $param$, $msk$ and $mpk$. $\mathcal{C}$ gives $param$ and $mpk$ to $\mathcal{A}_1$ but keeps $msk$ secret.
Queries $\mathcal{A}_1$ can access all the oracles described in section 3.2.1 and obtains the outputs from $\mathcal{C}$.
Forgery $\mathcal{A}_1$ outputs a forgery $(\{ID^*_j\}_{j=1,\cdots,n}, \{m^*_j\}_{j=1,\cdots,n}, \psi^*_n, \sigma^*_n)$, and the following conditions are checked.
• $\sigma^*_n$ is a valid signature on $\{m^*_j\}_{j=1,\cdots,n}$ in $\psi^*_n$ under $\{pk^*_j\}_{j=1,\cdots,n}$.
• Exactly one $ID^*_{i^*}$ that has never been queried to the partial-private-key-extract oracle exists.
• Each $ID^*_i$ in $\{ID^*_j\}_{j=1,\cdots,n}$ does not appear more than once in $\psi^*_n$.
• For $ID^*_{i^*}$, $m^*_{i^*} \notin \{m^{(1)}_{i^*}, \cdots, m^{(q_s)}_{i^*}\}$ or $\psi^*_{i^*} \notin \{\psi^{(1)}_{i^*}, \cdots, \psi^{(q_s)}_{i^*}\}$ holds, where $q_s$ will be defined later.
$\mathcal{C}$ outputs accept if all the conditions hold. Otherwise, $\mathcal{C}$ outputs reject.
Definition 4. $\mathcal{A}_1$ breaks a CLOSAS scheme with $(\varepsilon, q_c, q_r, q_s, q_p, q_h, q_{sig}, n, t)$ if and only if $\mathcal{C}$ outputs accept in the above game with a success probability greater than $\varepsilon$ within the execution time $t$, where $\mathcal{A}_1$, who does not know $msk$, can generate at most $q_c$ create-user queries, $q_r$ public-key-replace queries, $q_s$ secret-value-extract queries, $q_p$ partial-private-key-extract queries, $q_h$ random oracle queries and $q_{sig}$ signing queries, and $n$ is an upper bound for the number of signers included in the forgery output by $\mathcal{A}_1$.
Definition 5. A CLOSAS scheme is secure with $(\varepsilon, q_c, q_r, q_s, q_p, q_h, q_{sig}, n, t)$ if and only if there is no adversary $\mathcal{A}_1$ who breaks the CLOSAS scheme with $(\varepsilon, q_c, q_r, q_s, q_p, q_h, q_{sig}, n, t)$.
3.2.3 Game 2
This game is executed between $\mathcal{C}$ and $\mathcal{A}_2$.
Setup $\mathcal{C}$ runs the setup algorithm described in the previous section to obtain $param$, $msk$ and $mpk$. $\mathcal{C}$ gives $param$, $mpk$ and $msk$ to $\mathcal{A}_2$.
Queries $\mathcal{A}_2$ can access all the oracles described in section 3.2.1 and obtains the outputs.
Forgery $\mathcal{A}_2$ outputs a forgery $(\{ID^*_j\}_{j=1,\cdots,n}, \{m^*_j\}_{j=1,\cdots,n}, \psi^*_n, \sigma^*_n)$, and the following conditions are checked.
• $\sigma^*_n$ is a valid signature on $\{m^*_j\}_{j=1,\cdots,n}$ in $\psi^*_n$ under $\{pk^*_j\}_{j=1,\cdots,n}$.
• Exactly one $ID^*_{i^*}$ that has never been queried to the secret-value-extract oracle and the public-key-replace oracle exists.
• Each $ID^*_i$ does not appear more than once in $\{ID^*_j\}_{j=1,\cdots,n}$.
• For $ID^*_{i^*}$, $m^*_{i^*} \notin \{m^{(1)}_{i^*}, \cdots, m^{(q_s)}_{i^*}\}$ or $\psi^*_{i^*} \notin \{\psi^{(1)}_{i^*}, \cdots, \psi^{(q_s)}_{i^*}\}$ holds.
$\mathcal{C}$ outputs accept if all the conditions hold. Otherwise, $\mathcal{C}$ outputs reject.
Definition 6. $\mathcal{A}_2$ breaks a CLOSAS scheme with $(\varepsilon, q_c, q_r, q_s, q_h, q_{sig}, n, t)$ if and only if $\mathcal{C}$ outputs accept in the above game with a success probability greater than $\varepsilon$ within the execution time $t$, where $\mathcal{A}_2$ can generate at most $q_c$ create-user queries, $q_r$ public-key-replace queries, $q_s$ secret-value-extract queries, $q_h$ random oracle queries and $q_{sig}$ signing queries, and $n$ is an upper bound for the number of signers.
Definition 7. A CLOSAS scheme is secure with $(\varepsilon, q_c, q_r, q_s, q_h, q_{sig}, n, t)$ if and only if there is no adversary $\mathcal{A}_2$ who breaks the CLOSAS scheme with $(\varepsilon, q_c, q_r, q_s, q_h, q_{sig}, n, t)$.
²For the normal adversary, $y_i$ is required to be the original public key of $ID_i$. On the other hand, for the strong adversary, if $y_i$ is replaced, then the corresponding secret value $x_i$ is required as additional input. In this paper, by the ability of the super
4 Proposed Scheme
In this section, we propose our CLOSAS scheme. In our scheme, we use state information $s$ similarly to the paper [11]. The state information is one-time information such as a time-stamp, and is used to aggregate signatures efficiently in terms of data size, following [11]. In our scheme, the Signing phase is run by each signer in turn, and the signature is implicitly aggregated in the Signing phase instead of in an aggregate phase as in the papers [6, 11, 35].
4.1 Construction
Setup A KGC generates a pairing parameter (p, G, GT, e). The KGC generates a generator g ← G and
a random number a ← Z∗p. Then sets A = ga, and chooses hash functions H1: {0, 1}∗× {0, 1} → G,
H2, H3, : {0, 1}∗ → G and H4: {0, 1} → Z∗p. Finally, KGC outputs (p, G, GT, e, g, H1, H2, H3, H4) as
paramand A as mpk, and keeps a to be secret as msk.
Partial-Private-Key-Extract Given signer’s identity IDi, KGC computes gi, j= H1(IDi, j) for j = 0, 1
and then computes gai, j. KGC sends gai, j, j = 0, 1, to IDias his/her partial private key.
User-Key-Gen IDigenerates a random number ti← Z∗pand computes Ti= gti. Then IDioutputs Tias
his/her public key and keeps tito be secret as his/her secret key.
Set-Key Given gai, j for j = 0, 1 by KGC, IDisets (gai,0, gai,1,ti) as his/her secret key ski and (IDi, Ti) as
Signing Given {mj}j=1,··· ,i−1, {IDj}j=1,··· ,i−1, ψi−1, σi−1, s by the previous signer, IDifirst parses σi−1
as (Si−1, Ri−1) and verifies that σi−1 is a valid signature on {mj}j=1,··· ,i in ψi−1 for {IDj}j=1,··· ,i−1 by
using verification algorithm with n = i − 1 in this case. If not, IDiaborts the process. For the first signer
(i.e. IDi= ID1), the above verification step is skipped and he/she sets ψ0= /0, S0= 1, R0= 1 as the initial
values. Then, ID1executes the following step similarly with the other signers.
For IDi, 1 ≤ i ≤ n, if the signature is valid, he/she sets Li = m1k ID1k · · · k mik IDi. Then IDi
computes V = H2(s), Wi= H3(s k Li), ci= H4(s k Li), and generates a random number ri← Z∗p and
computes the following values:
Si = Vrigai,0 gai,1
ci
Wti
i · Si−1, (1)
Ri = gri· Ri−1. (2)
He/She sets σi= (Si, Ri) and sends {mj}j=1,··· ,i, {IDj}j=1,··· ,i, ψi, σi, s to the next signer IDi+1.
Verification Given $\{m_j\}_{j=1,\cdots,n}$, $\{ID_j\}_{j=1,\cdots,n}$, $\psi_n$, $\sigma_n$, $s$, a verifier parses $\sigma_n$ as $(S_n, R_n, s)$ and sets $L_j = m_1 \| ID_1 \| \cdots \| m_j \| ID_j$ for all $j$. Then he/she verifies that the following equation holds:
$$e(S_n, g) \overset{?}{=} e(V, R_n) \cdot e\left(\prod_{j=1}^{n} g_{j,0}\, g_{j,1}^{c_j},\ A\right) \cdot \prod_{j=1}^{n} e(W_j, T_j), \qquad (3)$$
where, for all $j$, $g_{j,l} = H_1(ID_j, l)$ for $l = 0, 1$, $V = H_2(s)$, $W_j = H_3(s \| L_j)$ and $c_j = H_4(s \| L_j)$.
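The Signing chain of equations (1) and (2) and the check (3), as an added example that is not part of the paper: group elements are modelled by their discrete logarithms modulo a toy prime P and the pairing by multiplication, so the code has no security and only exercises the aggregation algebra. P, the SHA-256 instantiation of $H_1$ to $H_4$, the length-prefixed encoding of $L_i$ and the sample identities, messages and state information are this example's assumptions.

```python
"""Toy model of the CLOSAS Signing chain (1)-(2) and Verification (3).

Assumption of this example: a group element g^x is represented by its exponent
x mod P, the group law is addition mod P and e(g^x, g^y) is x*y mod P.  Discrete
logs are thus public and the model has NO security; it only checks the algebra.
"""
import hashlib
import secrets
from typing import Sequence, Tuple

P = 2**127 - 1  # toy prime group order (an assumption of this example)


def _hash_to_zp(tag: bytes, *parts: bytes) -> int:
    """Domain-separated SHA-256 into Z_P, standing in for the oracles H1..H4."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % P


def H1(ident: bytes, j: int) -> int: return _hash_to_zp(b"H1", ident, bytes([j]))
def H2(s: bytes) -> int: return _hash_to_zp(b"H2", s)
def H3(s: bytes, L: bytes) -> int: return _hash_to_zp(b"H3", s, L)
def H4(s: bytes, L: bytes) -> int: return _hash_to_zp(b"H4", s, L) or 1  # into Z_P^*


def pair(x: int, y: int) -> int:
    """Toy bilinear map e(g^x, g^y) = g_T^{xy}, returned as the exponent xy."""
    return (x * y) % P


def encode_L(msgs: Sequence[bytes], ids: Sequence[bytes]) -> bytes:
    """L_i = m_1 || ID_1 || ... || m_i || ID_i; length prefixes (this example's
    choice) keep the concatenation unambiguous."""
    out = b""
    for m, ident in zip(msgs, ids):
        out += len(m).to_bytes(4, "big") + m + len(ident).to_bytes(4, "big") + ident
    return out


def setup() -> Tuple[int, int]:
    """KGC Setup: msk a and mpk A = g^a (both the exponent a in this model)."""
    a = secrets.randbelow(P - 1) + 1
    return a, a


def partial_private_key(msk: int, ident: bytes) -> Tuple[int, int]:
    """Partial-Private-Key-Extract: g_{i,j}^a = H1(ID_i, j)^a for j = 0, 1."""
    return msk * H1(ident, 0) % P, msk * H1(ident, 1) % P


def user_key_gen() -> Tuple[int, int]:
    """User-Key-Gen: secret value t_i and public key T_i = g^{t_i}."""
    t = secrets.randbelow(P - 1) + 1
    return t, t


def verify(msgs, ids, pks, sigma, s, mpk) -> bool:
    """Equation (3), evaluated in the exponent of the toy pairing."""
    S_n, R_n = sigma
    V = H2(s)
    lhs = pair(S_n, 1)                       # e(S_n, g); g has exponent 1
    rhs = pair(V, R_n)                       # e(V, R_n)
    prod_g = 0                               # prod_j g_{j,0} g_{j,1}^{c_j}
    for j in range(1, len(msgs) + 1):
        L_j = encode_L(msgs[:j], ids[:j])
        c_j = H4(s, L_j)
        prod_g = (prod_g + H1(ids[j - 1], 0) + c_j * H1(ids[j - 1], 1)) % P
        rhs = (rhs + pair(H3(s, L_j), pks[j - 1])) % P   # e(W_j, T_j)
    rhs = (rhs + pair(prod_g, mpk)) % P      # e(prod_j g_{j,0} g_{j,1}^{c_j}, A)
    return lhs == rhs


def sign(ident, sk, m_i, prev_msgs, prev_ids, prev_pks, sigma_prev, s, mpk):
    """Signer i: check sigma_{i-1} (skipped for ID_1), then apply (1) and (2)."""
    d0, d1, t = sk                           # sk_i = (g_{i,0}^a, g_{i,1}^a, t_i)
    if prev_msgs and not verify(prev_msgs, prev_ids, prev_pks, sigma_prev, s, mpk):
        raise ValueError("sigma_{i-1} is not a valid aggregate signature; abort")
    msgs, ids = list(prev_msgs) + [m_i], list(prev_ids) + [ident]
    L_i = encode_L(msgs, ids)
    V, W_i, c_i = H2(s), H3(s, L_i), H4(s, L_i)
    r_i = secrets.randbelow(P - 1) + 1
    S_prev, R_prev = sigma_prev
    S_i = (r_i * V + d0 + c_i * d1 + t * W_i + S_prev) % P   # (1)
    R_i = (r_i + R_prev) % P                                  # (2)
    return msgs, ids, (S_i, R_i)


def demo(n: int = 3) -> Tuple[bool, bool, bool]:
    """Run an n-signer chain; return (valid, changed message, reversed order)."""
    msk, mpk = setup()
    s = b"2012-02-24T10:00:00Z"             # one-time state information (constructed)
    signers = []
    for i in range(n):
        ident = f"signer-{i}".encode()
        t, T = user_key_gen()
        signers.append((ident, partial_private_key(msk, ident) + (t,), T))
    msgs, ids, pks, sigma = [], [], [], (0, 0)   # S_0 = R_0 = 1 -> exponent 0
    for i, (ident, sk, T) in enumerate(signers):
        msgs, ids, sigma = sign(ident, sk, f"m{i}".encode(), msgs, ids, pks, sigma, s, mpk)
        pks.append(T)
    ok = verify(msgs, ids, pks, sigma, s, mpk)
    changed = verify([b"forged"] + msgs[1:], ids, pks, sigma, s, mpk)
    reordered = verify(msgs[::-1], ids[::-1], pks[::-1], sigma, s, mpk)
    return ok, changed, reordered
```

Because every $L_j$ is hashed into $W_j$ and $c_j$, a changed message or a changed signing order fails the check (3); the signature $(S_n, R_n)$ stays two group elements regardless of $n$.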
4.2 Correctness
From equations (1) and (2), equation (3) can be written as follows:
$$e(S_n, g) = e\left(\prod_{j=1}^{n} V^{r_j} g_{j,0}^a (g_{j,1}^a)^{c_j} W_j^{t_j},\ g\right) = e\left(V, g^{\sum_{j=1}^{n} r_j}\right) \cdot e\left(\prod_{j=1}^{n} g_{j,0}(g_{j,1})^{c_j},\ g^a\right) \cdot \prod_{j=1}^{n} e\left(W_j, g^{t_j}\right) = e(V, R_n) \cdot e\left(\prod_{j=1}^{n} g_{j,0}(g_{j,1})^{c_j},\ A\right) \cdot \prod_{j=1}^{n} e(W_j, T_j).$$
5
Discussion
5.1 Security Analysis
In this section, we discuss the security of the proposed scheme against the adversaries described in section 3.2. In particular, when the adversary breaks the proposed scheme in each game, we construct an algorithm $\mathcal{B}$ that solves the CDH problem by using the adversary.
Theorem 8. The proposed scheme is secure against the type 1 adversary with $(\varepsilon, q_c, q_r, q_s, q_p, q_{h_1}, q_{h_2}, q_{h_3}, q_{h_4}, q_{sig}, n, t)$ if and only if the $(t', \varepsilon')$-CDH assumption holds, where
$$\varepsilon' = \left(\varepsilon - \frac{q_{sig}(q_{sig}-1)}{2p}\right) \cdot \frac{27}{\left(q_p + q_{h_1} + q_{h_4} + (q_{h_1} + q_{h_2} + q_{h_4})\, q_{sig}\right)^3} \cdot \frac{1}{e^3}, \qquad (4)$$
$$t' = t + O\left(q_{sig} + n(q_c + q_r + q_p + q_s + q_{h_1} + q_{h_2} + q_{h_3} + q_{h_4})\right) + \Psi, \qquad (5)$$
Proof (Sketch). The proof is given in appendix A.
Theorem 9. The proposed scheme is secure against the type 2 adversary with $(\varepsilon, q_c, q_s, q_{h_1}, q_{h_2}, q_{h_3}, q_{h_4}, q_{sig}, n, t)$ if and only if the $(t', \varepsilon')$-CDH assumption holds, where
$$\varepsilon' = \left(\varepsilon - \frac{q_{sig}(q_{sig}-1)}{2p}\right) \cdot \frac{27}{\left(q_s + (q_{h_1} + q_{h_2} + q_{h_3})\, q_{sig}\right)^3} \cdot \frac{1}{e^3}, \qquad (6)$$
$$t' = t + O\left(q_{sig} + n(q_c + q_r + q_s + q_{h_1} + q_{h_2} + q_{h_3} + q_{h_4})\right) + \Psi, \qquad (7)$$
and $\Psi$ is the computational time for the final result.
Proof (Sketch). The proof is given in appendix B.
5.2 Construction Resisting the DoD Attack
Liu et al. [19] have pointed out a problem in distributing public keys in a certificateless setting. Suppose an adversary replaces the public key of some user with a faked public key. Then an encryptor, who cannot detect the replacement because of the certificateless property, performs the encryption under the faked public key. Data encrypted under the faked public key cannot be decrypted correctly by the user, because the user does not know the secret value corresponding to the replaced public key. This attack is called the Denial of Decryption (DoD) attack. In order to prevent this attack, they proposed a method to guarantee the validity of a public key without interaction with any trusted authority, i.e. a self-generated certificate. In this method, each user guarantees the validity of a public key by generating a certificate, namely a signature, under the secret key corresponding to the public key.
A DoD attack may also occur in a digital signature scheme, in that a digital signature generated by a user is maliciously rejected after the replacement of the user's public key. Along this line, Wu proposed a digital signature scheme with a self-generated certificate [50]. Since the user can detect the replacement of the public key by verifying the self-generated certificate, the scheme resists the malicious rejection of signatures. However, the construction with the self-generated certificate cannot achieve level-3 security. In particular, a malicious KGC can still impersonate any user by generating a pair of a secret key and a public key together with its self-generated certificate by him-/herself.
The notion of the self-generated certificate can be applied to our scheme. In [33], which is a previous version of this work, we proposed a CLOSAS scheme with self-generated certificates. In this section, we give the details of the construction. Although the following construction cannot achieve level-3 security, the scheme becomes more secure in the sense that it resists the DoD attack.
5.2.1 Construction
Setup This algorithm is the same as in the proposed scheme in section 4.1.
Partial-Private-Key-Extract Given a signer's identity $ID_i$, the KGC computes $g_{i,j} = H_1(ID_i, j)$ for $j = 0, 1$ and then computes $g_{i,j}^a$. The KGC sends $g_{i,j}^a$ for $j = 0, 1$ to $ID_i$ as his/her partial private key.
User-Key-Gen A signer $ID_i$ generates random numbers $t_{i,0}, t_{i,1} \leftarrow \mathbb{Z}_p^*$ and computes $T_{i,0} = g^{t_{i,0}}$, $T_{i,1} = g^{t_{i,1}}$. Then $ID_i$
Set-Key Given $g_{i,j}^a$ and $t_{i,j}$ for $j = 0, 1$ by the KGC, $ID_i$ sets $(g_{i,0}^a, g_{i,1}^a, t_{i,0}, t_{i,1})$ as his/her secret key $sk_i$, and generates a random number $r'_i$ and state information $s_i$. Then $ID_i$ sets $m'_i := ID_i \| T_{i,1}$ and computes as follows:
$$S'_i = V_i^{r'_i}\, g_{i,0}^a \left(g_{i,1}^a\right)^{c'_i} W_i'^{\,t_{i,0}}, \qquad (8)$$
$$R'_i = g^{r'_i}, \qquad (9)$$
where $V_i = H_2(s_i)$, $W'_i = H_3(s_i \| m'_i)$ and $c'_i = H_4(s_i \| m'_i)$. $ID_i$ sets $\sigma'_i = (S'_i, R'_i, s_i)$ and $(ID_i, T_{i,0}, T_{i,1}, \sigma'_i)$ as its corresponding public key $pk_i$.
Signing Given $\{m_j\}_{j=1,\cdots,i-1}$, $\{ID_j\}_{j=1,\cdots,i-1}$, $\psi_{i-1}$, $\sigma_{i-1}$ by the previous signer, $ID_i$ first parses $\sigma_{i-1}$ as $(S_{i-1}, R_{i-1}, s)$ and verifies that $\sigma_{i-1}$ is a valid signature on $\{m_j\}_{j=1,\cdots,i}$ in $\psi_{i-1}$ for $\{ID_j\}_{j=1,\cdots,i}$ by using the verification algorithm with $n = i-1$. If not, $ID_i$ aborts the process. For the first signer (i.e. $ID_i = ID_1$), the above verification step is skipped and he/she sets $\psi_0 = \emptyset$, $S_0 = 1$, $R_0 = 1$ as the initial values. Then $ID_1$ executes the following step in the same way as the other signers.
For $ID_i$, $1 \le i \le n$, if the signature is valid, he/she sets $L_i = m_1 \| ID_1 \| \cdots \| m_i \| ID_i$. Then $ID_i$ computes $V = H_2(s)$, $W_i = H_3(s \| L_i)$, $c_i = H_4(s \| L_i)$, generates a random number $r_i \leftarrow \mathbb{Z}_p^*$ and computes the following values:
$$S_i = V^{r_i}\, g_{i,0}^a \left(g_{i,1}^a\right)^{c_i} W_i^{t_{i,1}} \cdot S_{i-1}, \qquad (10)$$
$$R_i = g^{r_i} \cdot R_{i-1}. \qquad (11)$$
He/She sets $\sigma_i = (S_i, R_i, s)$ and $\psi_i = \psi_{i-1} \| ID_i$, and sends $\{m_j\}_{j=1,\cdots,i}$, $\{ID_j\}_{j=1,\cdots,i}$, $\psi_i$, $\sigma_i$ to the next signer $ID_{i+1}$.
Verification Given $\{m_j\}_{j=1,\cdots,n}$, $\{ID_j\}_{j=1,\cdots,n}$, $\psi_n$, $\sigma_n$, a verifier first verifies that, for $\{ID_j\}_{j=1,\cdots,n}$, the public key $pk_j$ is correct. In particular, the verifier parses the signers' self-generated certificates $\sigma'_j$ in $pk_j$ as $(S'_j, R'_j, s_j)$ for $j = 1, \cdots, n$, sets $m'_j := ID_j \| T_{j,1}$, and then checks the following:
$$e(S'_j, g) \overset{?}{=} e(V_j, R'_j) \cdot e\left(g_{j,0}\, g_{j,1}^{c'_j},\ A\right) \cdot e\left(W'_j, T_{j,0}\right), \qquad (12)$$
where, for all $j$, $g_{j,l} = H_1(ID_j, l)$ for $l = 0, 1$, $V_j = H_2(s_j)$, $W'_j = H_3(s_j \| m'_j)$ and $c'_j = H_4(s_j \| m'_j)$. If the above equation holds for all signers, then the verifier parses $\sigma_n$ as $(S_n, R_n, s)$ and sets $L_j = m_1 \| ID_1 \| \cdots \| m_j \| ID_j$ for all $j$. Then he/she verifies that the following equation holds:
$$e(S_n, g) \overset{?}{=} e(V, R_n) \cdot e\left(\prod_{j=1}^{n} g_{j,0}\, g_{j,1}^{c_j},\ A\right) \cdot \prod_{j=1}^{n} e(W_j, T_{j,1}), \qquad (13)$$
where, for all $j$, $V = H_2(s)$, $W_j = H_3(s \| L_j)$ and $c_j = H_4(s \| L_j)$. If the above equation holds, the verifier outputs accept. Otherwise, he/she outputs reject.
Theorem 10. A signature in the proposed scheme described in section 4 is existentially unforgeable if and only if a self-generated certificate in the scheme in [33] is existentially unforgeable.
Proof (Sketch). Intuitively, if an adversary who can forge a self-generated certificate exists, then the adversary can also forge an aggregate signature in the proposed scheme in this paper by using the forged self-generated certificate as a signature of the target signer. This result conflicts with the theorems described in the previous section.
Table 1: Evaluation of the schemes

| Scheme | Signing Cost for i-th Signer | Verification Cost | Signature Size | Type of Scheme | Certificateless Property |
| --- | --- | --- | --- | --- | --- |
| Boldyreva et al. [5] | H + 3E(1) + E(2(i − 1)) + 3 | 3P + H + E(n) + E(2n) | 2l(p) | Ordered | No |
| Fischlin et al. [10] | P + 2H + E(1) + 1 | nH + n²P | 3l(p) | Ordered | No |
| Wang et al. [29] | 2H + R + E(2) + 1 | (n + 1)P + nE(2) + 3nH + 2(n − 1) | (n + 1)l(p) | Ordered | No |
| Yamamoto et al. [31] | H + E(1) + i | (n + 1)P + nH | l(p) | Ordered | No |
| Zhang et al. [35] | 4H + E(1) + E(5) | 5P + 4E(n) + (4n + 3)H | 2l(p) | General | Yes |
| Our Scheme | 3H + E(1) + E(4) + 2 | (3 + n)P + E(n) + (4n + 1)H | 2l(p) | Ordered | Yes |
6
Evaluation
We compare the performance of the proposed scheme with some existing schemes with respect to the signing cost, the verification cost, the signature size, the type of the scheme and the certificateless property. The result is shown in Table 1. For the evaluation of the signing cost and the verification cost, we adopt the same method as [28]. We denote by $P$ the computational cost of a pairing, by $H$ the computational cost of a hash function, by $R$ the ratio of the computational cost of multiplication in $\mathbb{Z}_p^*$ to that of multiplication in $\mathbb{F}_p$, and by $E(n) := (n^2 + 1)\, l(p) - 1$ the required number of modulo-$p$ multiplications for computing $g_1^{a_1} \cdots g_n^{a_n}$ with $g_i \in \mathbb{Z}_p^*$ and $a_i \in \mathbb{Z}_p$, where $l(p)$ denotes the binary length of $p$. For the type of the scheme, Ordered means the ordered sequential type and General means the general type as described in section 1.2.2. Finally, for the certificateless property, Yes means a certificateless scheme.
As shown in Table 1, our scheme has the same signature size as those in [5, 35], and its verification cost is similar to that in [29]. In comparison to the scheme in [35], our proposed scheme is efficient in the signing cost, and hence the scheme is suitable for devices of low computational power such as mobile phones. In addition, to the best of our knowledge, our proposed scheme is the only ordered sequential aggregate signature scheme in the certificateless setting.
7
Conclusion
Certificateless cryptosystems overcome the abuse of key escrow by the KGC, and we have proposed a certificateless ordered sequential aggregate signature scheme. To the best of our knowledge, our proposed scheme is the first OSAS scheme in a certificateless setting. Although the computational cost for pairing computation in our scheme is linear in the number of signers, our scheme achieves full aggregation with a security proof against the strongest adversary, the super adversary, in the random oracle model. As for the security proof, super adversaries are adversaries who can access a black-box knowledge extractor that extracts a secret key from the corresponding public key without being detected by the target signer, and we have also given a security model that captures both the super adversaries and the security requirements of a CLOSAS scheme. Namely, our model takes into account the cryptographically strongest insider threats to the security of a CLOSAS scheme, and through the security analysis based on this model, we proved that our scheme resists forgery of signatures as long as at least one value in the full secret key is kept secret.
In future work, we plan to extend our scheme so as to achieve a fixed number of pairing computations with respect to the number of signers and to prove the security against an actively malicious KGC as described in section 1.2.1, i.e. to achieve Girault's level-3 security [41].
Acknowledgments
This research has been supported by the Interchange Association Japan and the Support Center for Advanced Telecommunications Technology Research. We would like to thank them for their great support. We would also like to thank the anonymous reviewers for their invaluable comments.
References
[1] R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public key cryptosystems,” Communications of the ACM, vol. 21, no. 2, pp. 120–126, February 1978.
[2] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Proc. of International Cryptology Conference (CRYPTO’84), Santa Barbara, USA, vol. 196. Springer-Verlag, August 1987, pp. 47–53.
[3] A. K. Lenstra, J. P. Hughes, M. Augier, J. W. Bos, T. Kleinjung, and C. Wachter, “Ron was wrong, Whit is right,” Cryptology ePrint Archive: Listing for 2012, pp. 1–17, February 2012, http://eprint.iacr.org/2012/064.
[4] S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in Proc. of the 9th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT’03), Taipei, Taiwan, vol. 2894. Springer-Verlag, November-December 2003, pp. 452–473.
[5] A. Boldyreva, C. Gentry, A. O’Neill, and D. H. Yum, “Ordered multisignatures and identity-based sequential aggregate signatures, with applications to secure routing,” in Proc. of the 14th ACM Conference on Computer and Communications Security (CCS’07), Alexandria, USA. ACM, October-November 2007, pp. 276–285.
[6] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, “Aggregate and verifiably encrypted signatures from bilinear maps,” in Proc. of the 22nd Theory and Applications of Cryptographic Techniques (EUROCRYPT’03), Warsaw, Poland, vol. 2656. Springer-Verlag, May 2003, pp. 416–432.
[7] K. Brogle, S. Goldberg, and L. Reyzin, “Sequential aggregate signatures with lazy verification,” Cryptology ePrint Archive: Listing for 2011, pp. 1–30, May 2011, http://eprint.iacr.org/2011/222.
[8] M. Burmester, Y. Desmedt, H. Doi, M. Mambo, E. Okamoto, M. Tada, and Y. Yoshifuji, “A structured ElGamal-type multisignature scheme,” in Proc. of the 9th International Conference on Theory and Practice of Public-Key Cryptography (PKC’00), Melbourne, Australia, vol. 1751. Springer-Verlag, January 2000, pp. 466–483.
[9] B. Dou, H. Zhang, C. Xu, and M. Han, “Identity-based sequential aggregate signature from RSA,” in Proc. of the 4th ChinaGrid Annual Conference (ChinaGrid’09), Yantai, China. IEEE, August 2009, pp. 123–127.
[10] M. Fischlin, A. Lehmann, and D. Schröder, “History-free sequential aggregate signatures,” Cryptology ePrint Archive: Listing for 2011, pp. 1–18, May 2012, http://eprint.iacr.org/2011/231.
[11] C. Gentry and Z. Ramzan, “Identity-based aggregate signatures,” in Proc. of the 9th International Conference on Theory and Practice of Public-Key Cryptography (PKC’06), New York, USA, vol. 3958. Springer-Verlag, April 2006, pp. 257–273.
[12] Z. Gong, Y. Long, X. Hong, and K. Chen, “Practical certificateless aggregate signatures from bilinear maps,” Journal of Information Science and Engineering, vol. 26, no. 6, pp. 2093–2106, 2010.
[13] C. Han, H. Zhang, B. Zhang, and Y. Yang, “A structured multi-signature scheme and its security proof,” in Proc. of IEEE International Conference on Information Theory and Information Security (ICITIS’10), Beijing, China. IEEE, December 2010, pp. 345–348.
[14] K. Itakura and K. Nakamura, “A public-key cryptosystem suitable for digital multi-signatures,” NEC Research and Development, vol. 71, pp. 1–8, 1983.
[15] K. Kawauchi and M. Tada, “On the security and the efficiency of multi-signature schemes based on a trapdoor one-way permutation,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E88-A, no. 5, pp. 1274–1282, May 2005.
[16] X. Li, L. Zhang, and S. Li, “Proxy structured multisignature scheme from bilinear pairing,” in Proc. of the 2nd International Symposium on Parallel and Distributed Processing and Applications (ISPA’04), Hong Kong, China, vol. 3358. Springer-Verlag, December 2004, pp. 705–714.
[17] C.-Y. Lin, T.-C. Wu, and F. Zhang, “A structured multisignature scheme from the gap Diffie-Hellman group,” Cryptology ePrint Archive: Listing for 2003, pp. 1–5, May 2003, http://eprint.iacr.org/2003/090.
[18] J. K. Liu, J. Baek, and J. Zhou, “Certificate-based sequential aggregate signature,” in Proc. of the 2nd ACM Conference on Wireless Network Security (WiSec’09), Zurich, Switzerland. ACM, March 2009, pp. 21–28.
[19] J. K. Liu, M. H. Au, and W. Susilo, “Self-generated certificate public key cryptography and certificateless signature / encryption scheme,” in Proc. of the 2nd ACM Symposium on Information, Computer and Communications Security (ASIACCS’07), Singapore. ACM, March 2007, pp. 273–283.
[20] A. Lysyanskaya, S. Micali, L. Reyzin, and H. Shacham, “Sequential aggregate signatures from trapdoor permutations,” in Proc. of the 23rd Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’04), Interlaken, Switzerland, vol. 3027. Springer-Verlag, May 2004, pp. 74–90.
[21] S. Lu, R. Ostrovsky, A. Sahai, H. Shacham, and B. Waters, “Sequential aggregate signatures and multisignatures without random oracle,” in Proc. of the 25th Theory and Applications of Cryptographic Techniques (EUROCRYPT’06), St. Petersburg, Russia, vol. 4004. Springer-Verlag, May 2006, pp. 465–485.
[22] S. Mitomi and A. Miyaji, “A general model of multisignature schemes with message flexibility,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E84-A, no. 10, pp. 2488–2499, October 2001.
[23] Y. Muxiang, S. Li, L. Jun, and H. Fan, “Secure order-specified multisignature scheme based on DSA,” Wuhan University Journal of Natural Sciences, vol. 11, no. 6, pp. 1613–1616, November 2006.
[24] G. Neven, “Efficient sequential aggregate signed data,” IEEE Transactions on Information Theory, vol. 57, no. 3, pp. 1803–1815, March 2011.
[25] K. Ohta and T. Okamoto, “Multi-signature schemes secure against active insider attacks,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E82-A, no. 1, pp. 21–31, January 1999.
[26] S. S. D. Selvi, S. S. Vivek, and C. P. Rangan, “A suite of identity based aggregate signatures and a multi-signature scheme from RSA,” Cryptology ePrint Archive: Listing for 2010, pp. 1–12, September 2010, http://eprint.iacr.org/2010/493.
[27] ——, “Efficient and provably secure identity based aggregate signature schemes,” Cryptology ePrint Archive: Listing for 2010, pp. 1–12, 2010, http://eprint.iacr.org/2010/461.
[28] M. Tada, “A secure multisignature scheme with signing order verifiability,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E86-A, no. 1, pp. 73–88, January 2003.
[29] L. Wang, E. Okamoto, Y. Miao, T. Okamoto, and H. Doi, “An ID-SP-M4M scheme and its security analysis,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E90-A, no. 1, pp. 91–100, January 2007.
[30] W. Wu, Y. Mu, W. Susilo, and X. Huang, “Certificate-based signatures revisited,” Journal of Universal Computer Science, vol. 15, no. 8, pp. 1659–1684, August 2009.
[31] D. Yamamoto and W. Ogata, “A general model of structured multisignatures with message flexibility,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E90-A, no. 1, pp. 83–90, January 2007.
[32] N. Yanai, E. Chida, and M. Mambo, “A secure structured multisignature scheme based on a non-commutative ring homomorphism,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E94-A, no. 6, pp. 1346–1355, June 2011.
[33] N. Yanai, R. Tso, M. Mambo, and E. Okamoto, “Certificateless ordered sequential aggregate signature scheme,” in Proc. of the 3rd International Conference on Intelligent Networking and Collaborative Systems (INCoS’11), Fukuoka, Japan. IEEE, November-December 2011, pp. 662–667.
[34] J. Zhang, “An improved structured multi-signature scheme,” in Proc. of the 2nd International Conference on Information Management and Engineering (ICIME’10), Chengdu, China. IEEE, April 2010, pp. 54–58.
[35] L. Zhang, B. Qin, Q. Wu, and F. Zhang, “Efficient many-to-one authentication with certificateless aggregate signatures,” Computer Networks, vol. 54, no. 14, pp. 2482–2491, October 2010.
[36] M. Zhao, S. Smith, and D. Nicol, “Aggregated path authentication for efficient BGP security,” in Proc. of the 12th ACM Conference on Computer and Communications Security (CCS’05), Alexandria, USA. ACM, November 2005, pp. 128–138.
[37] H. Zhu, F. Bao, and R. H. Deng, “Sequential aggregate signatures working over independent homomorphic trapdoor,” in Proc. of the 7th International Conference on Information and Communications Security (ICICS’05), Beijing, China, vol. 3783. Springer-Verlag, December 2005, pp. 207–219.
[38] S. Kent, C. Lynn, and K. Seo, “Secure Border Gateway Protocol (S-BGP),” IEEE Journal on Selected Areas in Communications, vol. 18, no. 4, pp. 582–592, 2000.
[39] X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu, “Certificateless signature revisited,” in Proc. of the 12th Australasian Conference on Information Security and Privacy (ACISP’07), Townsville, Australia, vol. 4586. Springer-Verlag, July 2007, pp. 308–322.
[40] R. Castro and R. Dahab, “Efficient certificateless signatures suitable for aggregation,” Cryptology ePrint Archive: Listing for 2007, pp. 1–24, December 2007, http://eprint.iacr.org/2007/454.
[41] M. Girault, “Self-certified public keys,” in Proc. of the 10th Theory and Applications of Cryptographic Techniques (EUROCRYPT’91), Brighton, UK, vol. 547. Springer-Verlag, April 1991, pp. 490–497.
[42] B. G. Kang, J. H. Park, and S. G. Hahn, “A certificate-based signature scheme,” in Proc. of the Cryptographers’ Track at the RSA Conference (CT-RSA’04), San Francisco, USA, vol. 2964. Springer-Verlag, February 2004, pp. 99–111.
[43] J. Li, X. Huang, Y. Mu, W. Susilo, and Q. Wu, “Certificate-based signature: Security model and efficient construction,” in Proc. of the 4th European Workshop on Public Key Infrastructure (EuroPKI’07), Palma de Mallorca, vol. 4582. Springer-Verlag, June 2007, pp. 110–125.
[44] M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm for designing efficient protocols,” in Proc. of the 1st ACM Conference on Computer and Communications Security (CCS’93), Fairfax, USA. ACM, November 1993, pp. 62–73.
[45] R. Canetti, O. Goldreich, and S. Halevi, “The random oracle methodology, revisited,” Journal of the ACM, vol. 51, no. 4, pp. 557–594, July 2004.
[46] Y. Rekhter and T. Li, “A Border Gateway Protocol 4 (BGP-4),” RFC 1771, March 1995, http://www.ietf.org/rfc/rfc1771.txt.
[47] S. Kent, “Securing the Border Gateway Protocol: A status update,” in Proc. of the 7th IFIP TC-6 TC-11 Conference on Communications and Multimedia Security (CMS’03), Torino, Italy, vol. 2828. Springer-Verlag, October 2003, pp. 40–53.
[48] J. Y. Hwang, D. H. Lee, and M. Yung, “Universal forgery of the identity-based sequential aggregate signature scheme,” in Proc. of the 4th ACM Conference on Computer and Communications Security (ASIACCS’09), Sydney, Australia. ACM, March 2009, pp. 157–160.
[49] H. Xiong, Q. Wu, and Z. Chen, “Strong security enabled certificateless aggregate signatures applicable to mobile computation,” in Proc. of the 3rd International Conference on Intelligent Networking and Collaborative Systems (INCoS’11), Fukuoka, Japan. IEEE, November-December 2011, pp. 92–99.
[50] C. Wu, “Self-generated-certificate digital signature,” in Proc. of the 4th International Conference on Genetic and Evolutionary Computing (ICGEC’10), Shenzhen, China. IEEE, December 2010, pp. 379–382.
Naoto Yanai received a B.Eng. degree in electrical engineering from Ichinoseki National College of Technology, Japan, in 2009 and an M.S.Eng. degree from the Graduate School of Systems and Information Engineering, University of Tsukuba, Japan, in 2011. He has recently joined the Dr. course in systems and information engineering at the University of Tsukuba, Japan.
Raylin Tso is an assistant professor of Computer Science at National Chengchi University, Taiwan. He received his PhD degree in Systems and Information Engineering from the University of Tsukuba, Japan, in 2006. His research interests are mainly in cryptography, including secret sharing, key agreement, digital signatures, certificateless cryptosystems, etc. Recently, his research activities have focused on certificateless signatures and digital signatures that provide privacy protection.
Masahiro Mambo received a B.Eng. degree from Kanazawa University, Japan, in 1988 and M.S.Eng. and Dr.Eng. degrees in electronic engineering from Tokyo Institute of Technology, Japan, in 1990 and 1993, respectively. After working at the Japan Advanced Institute of Science and Technology (JAIST), Tohoku University and the University of Tsukuba, he joined Kanazawa University in 2011. He is currently a professor of the Faculty of Electrical and Computer Engineering, Institute of Science and Engineering. His research interests include information security, software protection and privacy protection.
Eiji Okamoto received his B.S., M.S. and Ph.D. degrees in electronics engineering from the Tokyo Institute of Technology in 1973, 1975 and 1978, respectively. He worked on and studied communication theory and cryptography at NEC Central Research Laboratories from 1978. In 1991 he became a professor at the Japan Advanced Institute of Science and Technology, then at Toho University. He is now a professor at the Faculty of Engineering, Information and Systems, University of Tsukuba. His research interests are cryptography and information security. He is a member of IEEE and a co-editor-in-chief of the International Journal of Information Security.
A
Proof of Theorem 8
This proof is based on the security proof in [11], and we define a probability $\delta$ of setting 1 when tossing a coin. To complete the proof, we finally determine a concrete value of $\delta$.
Given a CDH challenge $(g, g^a, g')$, $\mathcal{B}$, who tries to solve the CDH problem, generates a pairing parameter $(p, \mathbb{G}, \mathbb{G}_T, e)$, and sets $mpk = g^a$ and a certification list $\mathcal{L} = \emptyset$. This means that $\mathcal{B}$ implicitly sets $a$ as $msk$. Then $\mathcal{B}$ sets ID-list $[\cdot, \cdot]$, $H_1$-list $[\cdot, \cdot, \cdot, \cdot, \cdot, \cdot]$, $H_2$-list $[\cdot, \cdot, \cdot]$, $H_3$-list $[\cdot, \cdot, \cdot, \cdot, \cdot]$ and $H_4$-list $[\cdot, \cdot, \cdot, \cdot, \cdot, \cdot]$ as empty, and runs $\mathcal{A}$ with $g, g^a$ as input. Here, without loss of generality, we assume that $\mathcal{B}$ executes $H_1$-query and $H_2$-query before executing $H_3$-query and $H_4$-query, $H_1$-query before executing the create-user query, and each random oracle query before executing the signing oracle query.
$H_1$-query Given $ID_i$ generated by $\mathcal{A}$, check that $H_1$-list includes $ID_i$. If so, return $H_1(ID_i, j)$ from $H_1$-list, where $j = 0, 1$. Otherwise, toss a coin $H_1\text{-coin}_i \leftarrow \{0, 1\}$ with probability $\delta$. If $H_1\text{-coin}_i = 0$, generate $\alpha_{i,0}, \alpha_{i,1} \leftarrow \mathbb{Z}_p$ and set $\alpha'_{i,0} = \alpha'_{i,1} = 0$. Otherwise, generate $\alpha_{i,0}, \alpha_{i,1}, \alpha'_{i,0}, \alpha'_{i,1} \leftarrow \mathbb{Z}_p$. Set $H_1(ID_i, j) = g^{\alpha_{i,j}} g'^{\alpha'_{i,j}}$, and register $(ID_i, H_1\text{-coin}_i, \alpha_{i,0}, \alpha_{i,1}, \alpha'_{i,0}, \alpha'_{i,1})$ on $H_1$-list. Return $H_1(ID_i, j)$, $j = 0, 1$.
$H_2$-query Given $s$ generated by $\mathcal{A}$, check that $H_2$-list includes $s$. If so, return $H_2(s)$ from $H_2$-list. Otherwise, toss a coin $H_2\text{-coin}_k \leftarrow \{0, 1\}$ and generate $\beta \leftarrow \mathbb{Z}_p^*$. If $H_2\text{-coin}_k = 0$, set $V = g'^{\beta}$ as $H_2(s)$. Otherwise, set $V = g^{\beta}$ as $H_2(s)$. Register $(s, H_2\text{-coin}_k, \beta)$ on $H_2$-list and return $H_2(s)$.
$H_3$-query Given $s \| L_i$ generated by $\mathcal{A}$, check that $H_3$-list includes $s \| L_i$. If so, return $H_3(s \| L_i)$ from $H_3$-list. Otherwise, generate $\gamma \leftarrow \mathbb{Z}_p^*$ and set $H_3(s \| L_i) = g^{\gamma}$. Register $(s, ID_i, m_i, L_i, \gamma)$ on $H_3$-list and return $H_3(s \| \psi_i)$.
$H_4$-query Given $s \| L_i$ generated by $\mathcal{A}$, check that $H_4$-list includes $s \| L_i$. If so, return $H_4(s \| L_i)$ from $H_4$-list. Otherwise, toss a coin $H_4\text{-coin}_l \leftarrow \{0, 1\}$. If $H_4\text{-coin}_l = 0$, check that $H_1\text{-coin}_i = H_2\text{-coin}_k = 1$ for $s \| L_i$. If so, check whether some $s \| L'_i \ne s \| L_i$ exists with $ID_i = ID'_i$. If so, abort. Otherwise, set $H_4(s \| \psi_i) = -\frac{\alpha'_{i,0}}{\alpha'_{i,1}}$. If $H_1\text{-coin}_i = H_2\text{-coin}_k = H_4\text{-coin}_l = 1$, check whether $(s, m_i, ID_i) = (s', m'_i, ID'_i)$ and $\psi_i \ne \psi'_i$ exists. If so, abort. Otherwise, set $d_{(i,k,l)} = 0$. If none of the above, generate $d_{(i,k,l)} \leftarrow \mathbb{Z}_p^*$. Set $H_4(s \| \psi_i) = d_{(i,k,l)}$. Register $(s, ID_i, m_i, L_i, H_4\text{-coin}_l, d_{(i,k,l)})$ on $H_4$-list and return $H_4(s \| \psi_i)$.
Create-User Given $ID_i$ generated by $\mathcal{A}$, check that $\mathcal{L}$ includes $ID_i$. If so, return $(ID_i, T_i)$ from $\mathcal{L}$. Otherwise, retrieve $H_1(ID_i, j)$ for $j = 0, 1$ from $H_1$-list as $g_{i,j}$, and generate $t_i \leftarrow \mathbb{Z}_p$. Set $T_i = g^{t_i}$, and register $(ID_i, T_i)$ in $\mathcal{L}$ and $(ID_i, t_i)$ in ID-list. Return $H_1(ID_i, j)$ for $j = 0, 1$ and $T_i$.
Partial-Private-Key-Extract Given $ID_i$ generated by $\mathcal{A}$, check that $\mathcal{L}$ includes $ID_i$. If not, nothing will be output. Otherwise, check whether $H_1\text{-coin}_i = 1$ holds. If so, abort. Otherwise, set $g_{i,j}^a = (g^a)^{\alpha_{i,j}}$ and return $g_{i,j}^a$, where $j = 0, 1$.
Public-Key-Replace Given $ID_i$ and $T'_i$ generated by $\mathcal{A}$, re-register $(ID_i, T'_i)$ in $\mathcal{L}$ and $(ID_i, \mathrm{nil})$ in ID-list, where nil means an unknown value for $\mathcal{B}$.
Secret-Value-Extract Given $ID_i$ generated by $\mathcal{A}$, check that $\mathcal{L}$ includes $ID_i$. If not, nothing will be output. Otherwise, return $t_i$ from $\mathcal{L}$. Here, if the secret value corresponding to $ID_i$ in ID-list is nil, then
Signing Given $\{m_j\}_{j=1,\cdots,i}$, $\{ID_j\}_{j=1,\cdots,i}$, $\psi_i$, $\sigma_i$, $s$ generated by $\mathcal{A}$, check $H_1\text{-coin}_i$, $H_2\text{-coin}_k$ and $H_4\text{-coin}_l$. If $H_1\text{-coin}_i = H_2\text{-coin}_k = H_4\text{-coin}_l = 1$, abort. Otherwise, compute a signature as follows. In the case that $H_1\text{-coin}_i = 0$, generate a random number $r \leftarrow \mathbb{Z}_p^*$ and pick the latest public key $T_i$ of $ID_i$ from $\mathcal{L}$, which may be the original public key generated by Create-User or a false public key replaced by the adversary. Then, compute as follows:
$$S_i = V^{r} (g^a)^{\alpha_{i,0}} (g^a)^{\alpha_{i,1} c_i} (T_i)^{\gamma} \cdot S_{i-1}, \qquad (14)$$
$$R_i = g^{r} \cdot R_{i-1}, \qquad (15)$$
where $V$, $\gamma$ and $c_i$ are retrieved from $H_2$-list, $H_3$-list and $H_4$-list. These values form a valid signature on $\{m_j\}_{j=1,\cdots,i}$ in $\psi_i$ for $\{ID_j\}_{j=1,\cdots,i}$. In the case that $H_1\text{-coin}_i = 1 \wedge H_2\text{-coin}_k = 0$, compute as follows:
$$S_i = g'^{\beta r} (g^a)^{\alpha_{i,0}} (g^a)^{\alpha_{i,1} c_i} (T_i)^{\gamma} \cdot S_{i-1}, \qquad (16)$$
$$R_i = g^{r} (g^a)^{-\frac{\alpha'_{i,0} + \alpha'_{i,1} c_i}{\beta}} \cdot R_{i-1}, \qquad (17)$$
where $\beta$, $\gamma$ and $c_i$ are retrieved from $H_2$-list, $H_3$-list and $H_4$-list. These values form a valid signature since they can be written as follows:
$$S_i = g'^{\beta r} (g^a)^{\alpha_{i,0}} (g^a)^{\alpha_{i,1} c_i} (T_i)^{\gamma} \cdot S_{i-1} \cdot \frac{(g'^a)^{\alpha'_{i,0} + \alpha'_{i,1} c_i}}{(g'^a)^{\alpha'_{i,0} + \alpha'_{i,1} c_i}} = g'^{\beta\left(r - a\frac{\alpha'_{i,0} + \alpha'_{i,1} c_i}{\beta}\right)} \left(g^{\alpha_{i,0}} g'^{\alpha'_{i,0}}\right)^{a} \left(g^{\alpha_{i,1}} g'^{\alpha'_{i,1}}\right)^{a c_i} W_i^{t_i} S_{i-1}, \qquad (18)$$
$$R_i = g^{r - a\frac{\alpha'_{i,0} + \alpha'_{i,1} c_i}{\beta}} \cdot R_{i-1}. \qquad (19)$$
In the case that $H_1\text{-coin}_i = H_2\text{-coin}_k = 1 \wedge H_4\text{-coin}_l = 0$, compute as follows:
$$S_i = g^{\beta r} (g^a)^{\alpha_{i,0}} (g^a)^{\alpha_{i,1}\left(-\frac{\alpha'_{i,0}}{\alpha'_{i,1}}\right)} (T_i)^{\gamma} \cdot S_{i-1}, \qquad (20)$$
$$R_i = g^{r} \cdot R_{i-1}. \qquad (21)$$
These values form a valid signature since they can be written as follows:
$$S_i = g^{\beta r} (g^a)^{\alpha_{i,0}} (g^a)^{\alpha_{i,1}\left(-\frac{\alpha'_{i,0}}{\alpha'_{i,1}}\right)} (T_i)^{\gamma} \cdot S_{i-1} \cdot g'^{\alpha'_{i,0} a}\, g'^{\alpha'_{i,1}\left(-\frac{\alpha'_{i,0}}{\alpha'_{i,1}}\right) a} = V^{r} \left(g^{\alpha_{i,0}} g'^{\alpha'_{i,0}}\right)^{a} \left(g^{\alpha_{i,1}} g'^{\alpha'_{i,1}}\right)^{a\left(-\frac{\alpha'_{i,0}}{\alpha'_{i,1}}\right)} W_i^{t_i} \cdot S_{i-1}, \qquad (22)$$
$$R_i = g^{r} \cdot R_{i-1}. \qquad (23)$$
Output Given a forgery $(\{ID_j^*\}_{j=1,\cdots,n}, \{m_j^*\}_{j=1,\cdots,n}, \psi_n^*, \sigma_n^*)$ output by $\mathcal{A}$ after $q_s$ iterations, check that $H_1\text{-coin}_i = H_2\text{-coin}_k = H_4\text{-coin}_l = 1$ holds. If not, abort. Otherwise, check that the following conditions hold.
1. $\sigma_n^*$ is a valid signature on $\{m_j^*\}_{j=1,\cdots,n}$ in $\psi_n^*$ under $\{pk_j^*\}_{j=1,\cdots,n}$.
2. Exactly one $ID_{i^*}^*$ who has never been queried for both partial-private-key-extract and
3. Each $ID_i^*$ in $\{ID_j^*\}_{j=1,\cdots,n}$ does not appear more than once in $\psi_n^*$.
4. For $ID_{i^*}^*$, $m_{i^*}^* \notin \{m_{i^*}^{(1)}, \cdots, m_{i^*}^{(q_s)}\}$ or $\psi_{i^*}^* \notin \{\psi_{i^*}^{(1)}, \cdots, \psi_{i^*}^{(q_s)}\}$ holds.
Condition 4 described above means that either case 1, $m_{i^*}^* \notin \{m_{i^*}^{(1)}, \cdots, m_{i^*}^{(q_s)}\}$, or case 2, $m_{i^*}^* \in \{m_{i^*}^{(1)}, \cdots, m_{i^*}^{(q_s)}\} \wedge \psi_{i^*}^* \notin \{\psi_{i^*}^{(1)}, \cdots, \psi_{i^*}^{(q_s)}\}$, holds.
Here, the forgery can be written as $S^* = V^{r} \prod_{i=1}^{n} g_{i,0}^a (g_{i,1}^a)^{c_i} \prod_{i=1}^{n} W_i^{t_i}$, $R^* = g^{r}$, since it is a valid signature. The forgery belongs to either case 1 or case 2 described below by condition 4, and $\mathcal{B}$ can extract the solution of the CDH problem as follows:
Case 1) $m_{i^*}^* \notin \{m_{i^*}^{(1)}, \cdots, m_{i^*}^{(q_s)}\}$ holds: $\mathcal{B}$ can extract $g'^a$ as follows:
$$g'^a = \left( \frac{S^*}{(R^*)^{\beta} \left(\prod_{j=1 \wedge j \ne i^*}^{n} T_j^{\gamma}\right) \prod_{j=1}^{n} (g^a)^{\alpha_{j,0}} (g^a)^{\alpha_{j,1} c_j}} \right)^{\frac{1}{\alpha'_{i^*,0} + \alpha'_{i^*,1} c_{i^*}}} \qquad (24)$$
Case 2) $m_{i^*}^* \in \{m_{i^*}^{(1)}, \cdots, m_{i^*}^{(q_s)}\}$ but $\psi_{i^*}^* \notin \{\psi_{i^*}^{(1)}, \cdots, \psi_{i^*}^{(q_s)}\}$ holds: $\mathcal{B}$ can extract $g'^a$ as follows:
$$g'^a = \left( \frac{S^*}{(R^*)^{\beta} \left(\prod_{j=1 \wedge j \ne i^*}^{n} T_j^{\gamma}\right) \prod_{j=1}^{n} (g^a)^{\alpha_{j,0}} (g^a)^{\alpha_{j,1} c_j}\, (g^a)^{\alpha_{i^*,0}}} \right)^{1/\alpha'_{i^*,0}} \qquad (25)$$
SinceB knows all the values, B can compute the above equation. The probability ε0thatB solves can be obtained as follows:
ε0 = Pr[ f orge ∧ abort ∧ collide] = Pr[abort] · Pr[ f orge|abort] − Pr[collide|abort] , where f orge means an event thatA succeeds in breaking the scheme, collide means an event that A outputs ({m∗j}j,··· ,n, ψn∗, σn∗) such that it has previously been queried to Signing oracle and abort means
an event thatB aborts the simulation with A . Pr[ f orge|abort] = ε holds from definition of the adversary and, from birthday paradox, Pr[collide|abort] can be obtained as follows:
Pr[collide|abort] = qsig(qsig− 1)
2p (26)
In addition, Pr[abort] can be written as follows:
Pr[abort] = Pr[abortp∧ aborth4∧ abortsig∧ a f ter], (27)
where abortpmeans the event thatB aborts the simulation with A for partial-private-key-extract query.
Similarly, We denote by aborth4an event for H4query and by abortsigone for signing query. Here abortx
means the event thatB aborts the simulation with A during the x-query, where x ∈ {p,h4, sig} and each
p, h4, sig stands for partial-private-key-extract, H4and signing, respectively. a f ter means thatB aborts
afterA output the forgery. Each event can be written as follows:
Pr[abortp] = (1 − δ )qp, (28)
Pr[aborth4] = (1 − δ ) qh1+qh2
, (29)
Pr[abortsig] = (1 − δ )(qh1+qh2+qh4)qsig, (30)
Pr[a f ter] = δ3 1 +1 n , (31)
where δ is the probability that B tosses 1 in the coin tosses. To complete the proof, we give the value of δ that maximizes this probability. Let f(δ) be the following function:
$$ f(\delta) = (1-\delta)^{q_p}(1-\delta)^{q_{h1}+q_{h2}}(1-\delta)^{(q_{h1}+q_{h2}+q_{h4})\,q_{sig}}\,\delta^{3} = (1-\delta)^{q_p+q_{h1}+q_{h2}+(q_{h1}+q_{h2}+q_{h4})\,q_{sig}}\,\delta^{3}. \quad (32)$$
For brevity, we denote $a = q_p + q_{h1} + q_{h2} + (q_{h1}+q_{h2}+q_{h4})\,q_{sig}$. From the derived function, f is maximized at $\delta_{max} = 3/a$. Here, $f(\delta_{max})$ can be written as follows:
$$ f(\delta_{max}) = \frac{27}{a^{3}}\left(1-\frac{3}{a}\right)^{a}. \quad (33)$$
From the definition of the base of the natural logarithm, we can compute as follows:
$$ \lim_{a\to\infty}\left(1-\frac{3}{a}\right)^{a} = \frac{1}{e^{3}}, \quad (34)$$
$$ \therefore\ \varepsilon' = \left(\varepsilon - \frac{q_{sig}(q_{sig}-1)}{2p}\right) f(\delta_{max}) = \left(\varepsilon - \frac{q_{sig}(q_{sig}-1)}{2p}\right)\cdot\frac{27}{a^{3}}\cdot\frac{1}{e^{3}}. \quad (35)$$
The execution time of B is the execution time of A plus the computation time for q_c create-user queries, q_r public-key-replace queries, q_p partial-private-key-extract queries, q_s secret-value-extract queries, q_sig signing queries, the random oracle queries for each hash function and the computation time for the final step. Therefore,
$$ t' = t + O\left(q_{sig} + n\,(q_c + q_r + q_p + q_s + q_{h1} + q_{h2} + q_{h3} + q_{h4})\right) + \Psi, \quad (36)$$
where Ψ is the computation time of the final step.
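To see what the bound in (35) means concretely, the following Python evaluates f(δ) from (32) in log space, compares the paper's δ_max = 3/a with the exact maximiser 3/(a+3) that follows from setting the derivative of ln f to zero, and expresses the reduction loss 27/(a³e³) in bits. This is an added example, not code from the paper; the query counts, group order and forger advantage ε passed in are constructed sample values.

```python
import math


def exponent_a(q_p: int, q_h1: int, q_h2: int, q_h4: int, q_sig: int) -> int:
    """a = q_p + q_h1 + q_h2 + (q_h1 + q_h2 + q_h4) q_sig, the exponent of (1 - delta) in (32)."""
    return q_p + q_h1 + q_h2 + (q_h1 + q_h2 + q_h4) * q_sig


def log_f(delta: float, a: int) -> float:
    """Natural log of f(delta) = (1 - delta)^a * delta^3 from (32).

    Computed with log1p so that a ~ 2^60 and delta ~ 2^-60 do not collapse
    (1 - delta) to exactly 1.0 in floating point."""
    return a * math.log1p(-delta) + 3 * math.log(delta)


def paper_delta(a: int) -> float:
    """The paper's choice delta_max = 3/a."""
    return 3 / a


def exact_delta(a: int) -> float:
    """Exact maximiser of (1 - delta)^a * delta^3.

    d/d(delta) ln f = -a/(1 - delta) + 3/delta = 0 gives delta = 3/(a + 3),
    which tends to the paper's 3/a as a grows."""
    return 3 / (a + 3)


def asymptotic_log_f(a: int) -> float:
    """ln of the limit form 27/a^3 * 1/e^3 used in (35)."""
    return math.log(27) - 3 * math.log(a) - 3


def loss_bits(a: int) -> float:
    """Bits of advantage the reduction loses: -log2(27 / (a^3 e^3))."""
    return -asymptotic_log_f(a) / math.log(2)


def cdh_advantage_log2(eps: float, q_sig: int, p: int, a: int) -> float:
    """log2 of the CDH advantage epsilon' from (35) for a forger with advantage eps.

    Raises ValueError when the birthday term swallows eps, i.e. the bound is vacuous."""
    collide = q_sig * (q_sig - 1) / (2 * p)
    if eps <= collide:
        raise ValueError("forger advantage does not exceed the collision term")
    return math.log2(eps - collide) + asymptotic_log_f(a) / math.log(2)


if __name__ == "__main__":
    # Constructed budget: 2^20 signing queries, 2^40 hash queries per oracle.
    a = exponent_a(2**20, 2**40, 2**40, 2**40, 2**20)
    print("a ~ 2^%.1f, loss ~ 2^-%.1f bits" % (math.log2(a), loss_bits(a)))
```

With 2^20 signing queries and 2^40 queries per hash oracle, a is about 2^62 and the factor 27/(a³e³) is about 2^-185, so a forger with advantage ε yields a CDH solver with advantage roughly ε·2^-185. The proof therefore establishes asymptotic security, and the loss has to be budgeted for when choosing concrete group sizes; this looseness is a general property of coin-tossing reductions of this shape, not a flaw particular to the scheme.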
B Proof of Theorem 9
This proof is based on the security proof in paper [31], and we also define δ as the probability that a coin toss yields 1. To complete the proof, we finally determine a concrete value of δ.
In this proof, we assume that B executes H1-query and H2-query before executing H3-query and H4-query, H1-query before executing the create-user query, and each random oracle query before executing the signing oracle query.
Given a CDH challenge (g, g^a, g′), B, who tries to solve the CDH problem, generates a pairing parameter (p, G, G_T, e) and g ∈ G. Then B generates b ← Z*_p as msk, and sets mpk = g^b and a certification list L = ∅. Then B sets ID-list [·,·,·], H1-list [·,·,·,·,·], H2-list [·,·,·], H3-list [·,·,·,·,·,·] and H4-list [·,·,·,·,·] as empty, and runs A with g, b, g^b as input.
H1-query Given ID_i generated by A, check whether H1-list includes ID_i. If so, return H1(ID_i, j), j = 0, 1, from H1-list. Otherwise, toss a coin ID-coin_i ← {0, 1} with probability δ and generate α_{i,0}, α_{i,1} ← Z_p. If ID-coin_i = 0, set H1(ID_i, j) = g^{α_{i,j}} for j = 0, 1. Otherwise, set H1(ID_i, j) = (g^a)^{α_{i,j}}. Register (ID_i, ID-coin_i, ·) on ID-list and (ID_i, α_{i,0}, α_{i,1}, α′_{i,0}, α′_{i,1}) on H1-list, and return H1(ID_i, j), j = 0, 1.
H3-query Given s‖L_i generated by A, check whether H3-list includes s‖L_i. If so, return H3(s‖L_i) from H3-list. Otherwise, generate γ ← Z*_p and toss a coin H3-coin_l ← {0, 1} with probability δ. If H3-coin_l = 0, set H3(s‖L_i) = g^γ. Otherwise, set H3(s‖L_i) = (g · g′)^γ. Register (s, ID_i, m_i, L_i, H3-coin_l, γ) on H3-list and return H3(s‖L_i).
H4-query Given s‖L_i generated by A, check whether H4-list includes s‖L_i. If so, return H4(s‖L_i) from H4-list. Otherwise, check whether an L′_i ≠ L_i exists with (m_i, ID_i) = (m′_i, ID′_i). If not, set H4(s‖L_i) = −d_(i,k,l) such that γ t_i + (α_{i,0} + α_{i,1} d_(i,k,l)) b = 0. Otherwise, generate d_(i,k,l) ← Z*_p and set H4(s‖L_i) = d_(i,k,l). Register (s, ID_i, m_i, L_i, d_(i,k,l)) on H4-list and return H4(s‖L_i).
Create-User Given ID_i generated by A, check whether L includes ID_i. If so, return (ID_i, T_i) from L. Otherwise, retrieve ID-coin_i from ID-list and H1(ID_i, j) for j = 0, 1 from H1-list as g_{i,j}, and generate t_i ← Z_p. If ID-coin_i = 0, set g^b_{i,j} as the partial private key and T_i = g^{t_i}. Otherwise, set g^b_{i,j} as the partial private key and T_i = (g^a)^{t_i}. Register (ID_i, T_i) in L and re-register (ID_i, ID-coin_i, t_i) in ID-list. Return H1(ID_i, j), T_i as ID_i's public key pk_i.
Secret-Value-Extract Given ID_i generated by A, check whether L includes ID_i. If not, output nothing. Otherwise, check whether ID-coin_i = 1 holds. If so, abort. Otherwise, return t_i.
Signing Given a signing query ({m_j}_{j=1,···,i}, {ID_j}_{j=1,···,i}, ψ_i, σ_{i−1}, s) generated by A, look up ID-coin_i, H2-coin_k and H3-coin_l for the query in the corresponding lists. If ID-coin_i = H2-coin_k = H3-coin_l = 1, abort. Otherwise, generate a random number r ← Z*_p and generate a signature as follows. In the case that H3-coin_l = 0, compute:
$$ S_i = V^{r}\, g^{b}_{i,0}\left(g^{b}_{i,1}\right)^{c_i}(T_i)^{\gamma}\cdot S_{i-1}, \quad (37)$$
$$ R_i = g^{r}\cdot R_{i-1}, \quad (38)$$
where V, γ and c_i are retrieved from H2-list, H3-list and H4-list, respectively. These values form a valid signature on {m_j}_{j=1,···,i} in ψ_i for {ID_j}_{j=1,···,i}, since the following equation holds:
$$ S_i = V^{r} g^{b}_{i,0}\left(g^{b}_{i,1}\right)^{c_i}(T_i)^{\gamma}\cdot S_{i-1} = V^{r} g^{b}_{i,0}\left(g^{b}_{i,1}\right)^{c_i}(g^{x_i})^{\gamma}\cdot S_{i-1} = V^{r} g^{b}_{i,0}\left(g^{b}_{i,1}\right)^{c_i}(W_i)^{x_i}\cdot S_{i-1}, \quad (39)$$
where x_i is the secret key corresponding to the public key T_i. In the case that H3-coin_l = 1 ∧ H2-coin_k = 0, compute:
$$ S_i = g'^{\beta r}\, g^{b}_{i,0}\left(g^{b}_{i,1}\right)^{c_i}(T_i)^{\gamma}\cdot S_{i-1}, \quad (40)$$
$$ R_i = g^{r}\,(T_i)^{-\frac{\gamma}{\beta}}\cdot R_{i-1}. \quad (41)$$
These values also form a valid signature on {m_j}_{j=1,···,i} in ψ_i for {ID_j}_{j=1,···,i}, since the following equation holds:
$$ \begin{aligned} S_i &= g'^{\beta r} g^{b}_{i,0}\left(g^{b}_{i,1}\right)^{c_i}(T_i)^{\gamma}\cdot S_{i-1} = g'^{\beta r} g^{b}_{i,0}\left(g^{b}_{i,1}\right)^{c_i}(g^{x_i})^{\gamma}(g')^{x_i\gamma - x_i\gamma}\cdot S_{i-1} \\ &= g'^{\beta r} g^{b}_{i,0}\left(g^{b}_{i,1}\right)^{c_i}\left(g^{x_i} g'^{x_i}\right)^{\gamma}(g')^{-x_i\gamma}\cdot S_{i-1} = g'^{\beta\left(r - \frac{x_i\gamma}{\beta}\right)} g^{b}_{i,0}\left(g^{b}_{i,1}\right)^{c_i}\left(g\cdot g'\right)^{x_i\gamma}\cdot S_{i-1} \\ &= g'^{\beta\left(r - \frac{x_i\gamma}{\beta}\right)} g^{b}_{i,0}\left(g^{b}_{i,1}\right)^{c_i}(W_i)^{x_i}\cdot S_{i-1}, \end{aligned} \quad (42)$$
$$ R_i = g^{r}\cdot(g^{x_i})^{-\frac{\gamma}{\beta}}\cdot R_{i-1} = g^{\,r - \frac{x_i\gamma}{\beta}}\cdot R_{i-1}. \quad (43)$$
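The identities (39) and (42)/(43) are what let B answer signing queries without the user's secret x_i: in the H3-coin = 0 case the H3 output is g^γ, so T_i^γ equals W_i^{x_i}; in the H3-coin = 1 case the H3 output is (g·g′)^γ and the simulator shifts the randomness to r − x_iγ/β. The following Python checks both identities on a constructed toy group (the order-p subgroup of Z_q^* for the safe prime q = 2p+1, standing in for the paper's pairing group G). It is an added example, not code from the paper; the value g′ is generated as a random group element rather than taken from a CDH challenge, the product g_{i,0}^b (g_{i,1}^b)^{c_i} is bundled into one element K_i, and in the coin = 1 case V is assumed to be g′^β as (40) requires.

```python
import secrets

# Constructed toy parameters: q = 2p + 1 is a safe prime, so the squares of Z_q^*
# form a subgroup of prime order p, used here in place of the pairing group G.
# Exponents live in Z_p, group elements in Z_q.
P = 1019
Q = 2039
G = 4  # 2^2 mod q, a generator of the order-p subgroup


def rand_exp() -> int:
    """Random exponent in Z_p^* (1..p-1)."""
    return 1 + secrets.randbelow(P - 1)


def exp(base: int, e: int) -> int:
    """Group exponentiation; exponents are reduced modulo the group order p."""
    return pow(base, e % P, Q)


def mul(*xs: int) -> int:
    """Product of group elements modulo q."""
    out = 1
    for x in xs:
        out = out * x % Q
    return out


def real_sign(x_i, r_prime, V, W_i, K_i, S_prev, R_prev):
    """Honest signer who knows x_i and uses randomness r' (right-hand sides of (39)/(42)).

    K_i stands for g_{i,0}^b (g_{i,1}^b)^{c_i}, the partial-private-key part."""
    S_i = mul(exp(V, r_prime), K_i, exp(W_i, x_i), S_prev)
    R_i = mul(exp(G, r_prime), R_prev)
    return S_i, R_i


def simulate_sign(h3_coin, r, beta, g_prime, T_i, gamma, V, K_i, S_prev, R_prev):
    """B's signing simulation: it knows T_i = g^{x_i} but never x_i.

    h3_coin = 0 follows (37)-(38); h3_coin = 1 follows (40)-(41), which needs
    V = g'^beta (an assumption of this example; the paper takes V from H2-list)."""
    if h3_coin == 0:
        S_i = mul(exp(V, r), K_i, exp(T_i, gamma), S_prev)
        R_i = mul(exp(G, r), R_prev)
    else:
        minus_gamma_over_beta = (-gamma * pow(beta, -1, P)) % P   # -gamma/beta in Z_p
        S_i = mul(exp(g_prime, beta * r), K_i, exp(T_i, gamma), S_prev)
        R_i = mul(exp(G, r), exp(T_i, minus_gamma_over_beta), R_prev)
    return S_i, R_i


def simulation_matches_real(h3_coin: int) -> bool:
    """Draw fresh constructed values and check that B's output equals an honest
    signature with randomness r' = r (coin 0) or r' = r - x_i*gamma/beta (coin 1)."""
    g_prime = exp(G, rand_exp())                     # stand-in for the challenge element g'
    beta, gamma, r, x_i = (rand_exp() for _ in range(4))
    V = exp(g_prime, beta)                           # H2 output programmed as g'^beta
    W_i = exp(G, gamma) if h3_coin == 0 else exp(mul(G, g_prime), gamma)  # H3 output
    T_i = exp(G, x_i)                                # user public key
    b, alpha0, alpha1, c_i = (rand_exp() for _ in range(4))
    K_i = mul(exp(G, b * alpha0), exp(G, b * alpha1 * c_i))   # g_{i,0}^b (g_{i,1}^b)^{c_i}
    S_prev, R_prev = exp(G, rand_exp()), exp(G, rand_exp())   # previous aggregate sigma_{i-1}
    simulated = simulate_sign(h3_coin, r, beta, g_prime, T_i, gamma, V, K_i, S_prev, R_prev)
    r_prime = r if h3_coin == 0 else (r - x_i * gamma * pow(beta, -1, P)) % P
    honest = real_sign(x_i, r_prime, V, W_i, K_i, S_prev, R_prev)
    return simulated == honest


if __name__ == "__main__":
    for coin in (0, 1):
        print("H3-coin =", coin, "simulation matches honest signature:", simulation_matches_real(coin))
```

The check passes for both coin values because the simulator's output is distributed exactly like an honest signature: r′ is uniform in Z_p whenever r is, which is why A cannot distinguish B's simulation from the real signing oracle. The only case the simulator cannot handle is ID-coin_i = H2-coin_k = H3-coin_l = 1, which is exactly the abort event charged in the probability analysis.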