A PROVABLY SECURE CERTIFICATELESS PROXY SIGNATURE ...

International Journal of Innovative Computing, Information and Control Volume 7, Number 9, September 2011

c ICIC International ⃝2011 ISSN 1349-4198 pp. 5557–5569

A PROVABLY SECURE CERTIFICATELESS PROXY SIGNATURE SCHEME Yu-Chi Chen1 , Chao-Liang Liu2 , Gwoboa Horng1 and Kuo-Chang Chen1 1

Department of Computer Science and Engineering National Chung Hsing University No. 250, Kuo Kuang Rd., Taichung 40227, Taiwan { s9756034; gbhorng; s9756013 }@cs.nchu.edu.tw

2

Department of Information Science and Applications Asia University No. 500, Lioufeng Rd., Wufeng, Taichung 41354, Taiwan [email protected]

Received July 2010; revised November 2010 Abstract. Proxy signature, a variant of digital signature, is in the limelight in recent years for secure communication. For instance, when a manager is occupied with business matters, or travelling on business, he has to delegate an agent to deal with his day-today office concerns. Therefore, a proxy signature scheme is necessary in this scenario. Although identity-based proxy signature schemes have been proposed in many studies, certificateless public key cryptography (CL-PKC), first proposed by Al-Riyami and Paterson, has been widely used to avoid the key escrow problem in identity-based public key cryptography. In this paper, we combine the concepts of certificateless cryptography and proxy signature to propose a certificateless proxy signature scheme from bilinear pairings, and we also present its security model. This scheme is provably secure and existentially unforgeable under the chosen message attack in the random oracle model. Keywords: Proxy signature, Certificateless cryptography, Certificate signature, Pairing

1. Introduction. Digital signature is able to provide authenticity, integrity and nonrepudiation on a message. A conventional digital signature scheme is composed of a signer and a verifier, where a signer generates a signature with his private key and the verifier checks this signature with the signer’s public key. In certain scenarios such that the signer is unavailable, a delegate agent is definitely needed to impersonate the proxy signer with the ability to sign messages. In these cases, a proxy signature scheme which consists of original signer, proxy signer and verifier is completely suitable, which means the proxy signer can sign a message and that the verifier must verify the signature with both the original singer and the proxy signer’s. We also can refer to many studies related to signature schemes [1, 2, 3]. Certificates of public keys, identifications, and other information are all under the management of the certificate authority (CA) in traditional public key cryptography, but it wastes communication cost to obtain certificates. Compared with the traditional public key infrastructure (PKI), identity-based public key cryptography (ID-PKC) [4, 5, 6] and certificateless cryptography (CL-PKC) [7] do not rely on the extra trusted party to manage certificates. Unfortunately, key escrow is a problem suffered by ID-PKC since the private key generator (PKG) can generate any user’s full private key. Differing from ID-PKC, the key generation center (KGC) in CL-PKC cannot derive any user’s full private key, but only the user’s partial-private-key. Most CL-PKC schemes [8, 9, 10, 11, 12] are proposed based on Al-Riyami and Paterson’s CL-PKC scheme [7]. 5557

5558

Y.-C. CHEN, C.-L. LIU, G. HORNG AND K.-C. CHEN

In this paper, we combine the concepts of certificateless cryptography and proxy signature to propose a certificateless proxy signature scheme with the delegation by a warrant (CLPS, for short) and give the security model for CLPS. The proposed scheme is provably secure and existentially unforgeable under the chosen message attack in the random oracle model assuming some problems are interactive. The remainder of this paper is organized as follows: in Section 2, we briefly introduce preliminaries of CLPS scheme; the proposed CLPS scheme, the security analysis, and the performance analysis are presented in Section 3; finally, we will give the conclusions to this paper in Section 4. 2. Preliminaries. 2.1. Notations. First, in Table 1, we list the notations recounted in this paper. Table 1. Notations and definitions Notation CLPS KGC IDi Xi Di M mw S ⊥

Definition Certificateless proxy signature Key Generation Center The i-th user’s identity The i-th user’s public key The i-th user’s partial private key A message A warrant (as a message) A proxy signature on a message Denotes that the value is empty

2.2. Bilinear maps and hardness assumptions. There is a bilinear map (bilinear pairing) eˆ : G1 × G1 → G2 , where G1 is an additive cyclic group of prime order q, and G2 is a multiplicative cyclic group of the same order q. The bilinear map has the following properties: (1) Computable: given P , Q ∈ G1 , there exists a polynomial time algorithm to compute eˆ(P, Q) ∈ G2 . (2) Bilinear: for any x, y ∈ Z∗q we have eˆ(xP, yQ) = eˆ(P, Q)xy where P, Q ∈ G1 . (3) Non-degenerate: if P is a generator of G1 , then eˆ(P, P ) ̸= 1. Computational Diffie-Hellman (CDH) Problem: given aP , bP then compute abP , where P is a generator of G1 and a, b ∈ Z∗q are unknown. Inverse Computational Diffie-Hellman (Inv-CDH) Problem: given P, aP then compute a1 P , where P is a generator of G1 and a ∈ Z∗q is unknown. Remark 2.1. The Inv-CDH problem is intractable, since it is a polynomial time equivalent to the CDH problem. { 1 1 k-CAA problem: For an integer k, given P, sP, u1 , u2 , . . . , uk ∈ Z∗q , s+u P, s+u P, . . . , 1 2 } ( ) 1 1 ∗ ∗ P then find a pair u , s+u∗ , where P as a generator of G1 , s ∈ Zq is unknown, and s+uk ∗ u ∈ / {u1 , u2 , . . . , uk } [18]. Remark 2.2. The k-CAA problem is intractable to be solve, because it is based on the Inv-CDH problem.

CERTIFICATELESS PROXY SIGNATURE SCHEME

5559

2.3. Framework of CLPS. There are many studies that discuss proxy signature schemes which are formally classified into four types: full delegation, partial delegation, delegation by warrant and partial delegation with warrant. Even the threshold proxy signature scheme [13, 14, 15] is proposed to apply to some environments, in this paper we only discuss the partial delegation with warrant, since it can provide more security and efficiency [13]. A CLPS scheme based on partial delegation with warrant is composed of the following entities: the KGC, original signer (namely, Alice), proxy signer (namely, Bob) and verifier, for more details can found in [16]. It consists of the following polynomial algorithms: Setup: Taking security parameter l as input, this algorithm, run by the KGC, returns the system parameters, param and the master-key. Ori-Partial-Private-Key: This algorithm, run by the KGC, takes param, master-key and Alice’s identity IDA as inputs. It returns Alice’s partial private key DA . Ori-Set-Secret-Value: Taking param and IDA as inputs, this algorithm, run by Alice, generates a secret value xA . Ori-Set-Private-Key: The algorithm, run by Alice, takes param, her partial private key DA and her secret value xA as inputs, and returns her full private key skA . Ori-Set-Public-Key: This algorithm, run by Alice, takes as inputs param and her secret value xA , and returns her public key pkA for Alice. Ori-ProxyGen: Given param, a warrant mw , and her private key skA , the algorithm run by Alice outputs a delegation σ to Bob. Pro-Partial-Private-Key: This algorithm, run by the KGC, takes as inputs param, master-key, Bob’s identity IDB and a hidden delegation σ ′ which is computed by Bob. It ′ returns Bob’s hidden partial private key DB . Bob can recover his partial private key DB . Pro-Set-Secret-Value: This algorithm, run by Bob, takes param and IDB as inputs, then generates a secret value xB . Pro-Set-Private-Key: This algorithm, run by Bob, takes as inputs param, his partial private key DB and his secret value xB , and outputs his full private key skB . Pro-Set-Public-Key: This algorithm, run by Bob, takes param and his secret value xB as inputs, and returns his public key pkB . Pro-CLP-Sign: Given param, a warrant mw , a message M and Bob’s private key skB , the algorithm returns a proxy signature S on the message M . CLP-Verify: Taking param, IDA , IDB , a warrant mw , a message M , Alice’s public key pkA , Bob’s public key pkB and a signature S as inputs, this algorithm returns 1 if the signature is accepted; otherwise, returns 0. 2.4. Security model of CLPS. In typical CL-PKC [7], two types of adversaries (namely Type 1 adversary and Type 2 adversary) are defined in practical. Usually, it is assumed that Type 1 adversary plays a role of the dishonest user and Type 2 adversary plays a role of the malicious KGC. And the two adversaries have different abilities: • CL-PKC Type 1 Adversary cannot to access the master-key, but it can replace any user’s public key. • CL-PKC Type 2 Adversary can access the master-key, but it cannot replace the public keys of any users. Unlike typical CL-PKC, we extend the above assumption to define three types of adversaries for CLPS, since we must consider all entities in CLPS. • CLPS Type 1 Adversary A1 , acting as the original signer, cannot access the masterkey, but it can replace any user’s public key. • CLPS Type 2 Adversary A2 , acting as the proxy signer, cannot to access the masterkey, but it can replace any user’s public key.

5560


• CLPS Type 3 Adversary A3 , acting as the KGC, can access the master-key, but it cannot replace the public keys of any users. Definition 2.1. Let A1 , A2 and A3 be adversaries which act as original signer, proxy signer and the KGC, respectively. We create three interactive security games in order to simulate the chosen message attack for A1 , A2 and A3 . The security of a CLPS scheme is modeled via the following three games between a challenger B and A1 , A2 or A3 , respectively. Hereafter, we will use A and B to represent the original signer and the proxy signer respectively in these games. Game 1 (for an adversary as the original signer): Setup: B performs Setup, inputs a security parameter. This algorithm returns the master-key and system parameter param. B sends param to A1 and keeps the masterkey secret. Attack : A1 can adaptively perform the following polynomially bounded queries. • Pro-Partial-Private-Key query: A1 can query the partial private key of any proxy signer with identity ID with its secret σ. B returns the partial private key D to A1 . • Pro-Public-Key query: A1 can query the public key of any proxy signer with identity ID. B outputs the public key pk. • Pro-Secret-Value query: A1 can query the secret value of any proxy signer with identity ID. B returns the secret value x to A. • Pro-Public-Key-Replacement: For any identity ID with public key pk, A1 has the ability to set a new secret value x′ and the corresponding public key pk ′ , then replaces pk with pk ′ . • Sign query: A1 queries a signature for the proxy signer’s identity ID, a warrant mw , and a message M . B generates a proxy signature S with (ID, M, mw ) and the corresponding public key pk, then returns S to A1 . Forgery: A1 outputs a forged proxy signature S ∗ . We say that A1 wins the game if and only if the forged signature S ∗ with a specific warrant is accepted by the verifier, S ∗ has not been queried in Sign query, the partial private key of the proxy signer has not been queried in Pro-Partial-Private-Key query, and the public key of the proxy signer has not been replaced. Game 2 (for an adversary as the proxy signer): Setup: B performs Setup, inputs a security parameter. This algorithm returns the master-key and system parameter param. B sends param to A2 and keeps the masterkey secret. Attack : A2 can adaptively perform the following polynomially bounded queries. • Ori-Partial-Private-Key query: A2 can query the partial private key of any original signer with identity ID. B returns the partial private key D to A2 . • Ori-Public-Key query: A2 can query the public key of any original signer with identity ID. B outputs the public key pk. • Ori-Secret-Value query: A2 can query the secret value of any original signer with identity ID. B returns the secret value x to A2 . • Ori-Public-Key-Replacement: For any identity ID with public key pk, A2 has ability to set a new secret value x′ and the corresponding public key pk ′ , then replaces pk with pk ′ . • Ori-ProxyGen query: A2 can query the original signer’s identity ID to require a delegation.


5561

• Sign query: A2 queries a signature for the original signer’s identity ID, a warrant mw and a message M . B generates a proxy signature S with (ID, M, mw ) and is corresponding public key pk, then returns S to A2 . Forgery: A2 outputs a forged proxy signature S ∗ . We say that A2 wins the game if and only if the forged signature S ∗ with a specific warrant is accepted by the verifier, S ∗ has not been queried in Sign query, the partial private key and the delegation of the original signer have never been queried in Ori-Partial-Private-Key query and Ori-ProxyGen query, and the public key of the original signer has not been replaced. Game 3 (for a malicious KGC): Setup: B performs Setup, inputs a security parameter. This algorithm returns the master-key and the system parameter param, then sends param and master-key to A3 . Attack : A3 can adaptively perform the following polynomially bounded queries. • Public-Key query: A3 can query the public key of any original signer or proxy signer with identity ID. B outputs the public key pk. • Secret-Value query: A3 can query the secret value of any original signer or proxy signer with identity ID. B returns the secret value x to A3 . • Sign query: A3 can query a signature for any original signer with identity IDA and proxy signer with identity IDB , a warrant mw and message M . B generates a proxy signature S with (IDA , IDB , M, mw ) and the corresponding public key pkA , pkB , then returns S to A3 . Forgery: A3 outputs a forged proxy signature S ∗ with IDA , IDB . We say that A3 wins the game if and only if the forged signature S ∗ with a specific warrant is accepted by the verifier, S ∗ has not been queried in Sign query, and a secret value of one of IDA , IDB have not been queried in Secret-Value query. Remark 2.3. In the above games, a warrant seems to be a fixed value. If the adversary has difficulty in winning games with a fixed warrant, then it is also difficult to win games with a unfixed warrant. For convenience, a fixed warrant is used to prove in the security analysis in Section 3. More formally, we define the security of CLPS as follows. Definition 2.2. A CLPS scheme is existentially unforgeable (provably secure) under the chosen message attack if and only if no PPT algorithm has non-negligible probability to win the above games. 3. The Proposed CLPS Scheme. We propose a new CLPS scheme in Section 3.1. The security analysis and the estimation of efficiency are described in Sections 3.2 and 3.3, respectively. 3.1. The construction. The proposed scheme works with the following algorithms, where Alice is the original signer and Bob is the proxy signer. Setup: Giving security parameter l, the KGC determines two groups G1 , G2 of the same order q and a bilinear map eˆ : G1 × G1 → G2 defined in Section 2. The KGC randomly picks two numbers s1 , s2 ∈ Z∗q as system master-keys and computes their public keys Ppub1 = s1 P, Ppub2 = s2 P where P is a generator of G1 , then chooses four hash functions H1 : {0, 1}∗ → G1 , H2 : {0, 1}∗ → G1 , h1 : {0, 1}∗ → Z∗q , h2 : {0, 1}∗ → Z∗q . Subsequently, the system parameter param = {G1 , G2 , eˆ, q, P, Ppub1 , Ppub2 , H1 , H2 , h1 , h2 } is published and the master-keys keep secret. Ori-Partial-Private-Key: Given param, master-key s1 and Alice’s identity IDA , this algorithm computes QA = H1 (IDA ) is computed and returns Alice’s partial private key DA = s1 QA via a secure channel.

5562


Ori-Set-Secret-Value: Alice with her identity IDA picks random xA ∈ Z∗q as her secret value. Ori-Set-Private-Key: Given param, Alice’s partial private key DA and her secret value xA , this algorithm outputs her full private key skA = (xA , DA ). Ori-Set-Public-Key: Taking param and Alice’s private key skA as inputs, this algorithm returns her public key pkA = xA P . Ori-ProxyGen: In order to generate a delegation for Bob, Alice with her identity IDA and a warrant mw works as follows: (1) sets RA = H2 (mw , pkA , IDA ); (2) computes a delegation σ = xA RA + DA , and sends (σ, mw ) to Bob. When Bob receives σ, he can check if σ is valid or not via the equation: eˆ(σ, P ) = ?ˆ e(pkA , H2 (mw , pkA , IDA ))ˆ e(Ppub1 , H1 (IDA )). Pro-Partial-Private-Key: Bob randomly chooses a number α ∈ Z∗q as a blind factor and computes a hidden delegation σ ′ = ασ. This algorithm is given param, master-key s2 , hidden delegation σ ′ , and Bob’s identity IDB , then works as follows: (1) sets uB = h1 (IDB ); 1 ′ = s2 +u (2) returns DB σ ′ to Bob. B ′ Bob is able to recover his partial private key DB = α−1 DB via a secure channel. Pro-Set-Secret-Value: Bob with his identity IDB picks random xB ∈ Z∗q as his secret value. Pro-Set-Private-Key: Given param, Bob’s partial private key DB , and his secret value xB , this algorithm outputs his full private key skB = (xB , DB ). Pro-Set-Public-Key: Taking param and Bob’s private key skB as inputs, this algorithm returns his public key pkB = xB (Ppub2 + h1 (IDB )P ). Pro-CLP-Sign: For generating a proxy signature on a message M , this algorithm takes param, a warrant mw , a message M and Bob’s private key skB as inputs, then 1 computes vB = h2 (M, mw , pkB , IDB ) and outputs a proxy signature S = xB +v DB . He B sends (S, mw , M ) to the verifier. CLP-Verify: Taking param, IDA , IDB , a warrant mw , a message M , Alice’s public key pkA , Bob’s public key pkB and a signature S, the verifier checks the proxy signature as follows:

(1) computes R = H2 (mw , pkA , IDA ) and v = h2 (M, mw , pkB , IDB ); (2) returns 1 and accepts this signature if the following equation is hold; otherwise, returns 0 and rejects. eˆ(S, pkB + v(Ppub2 + h1 (IDB )P ) = eˆ(pkA , R)ˆ e(Ppub1 , H1 (IDA )). Correctness proof is shown as follows:

= = = = = =

eˆ(S, pkB + v(Ppub2 + h1 (IDB )P ) eˆ(S, (xB + v)(Ppub2 + h1 (IDB )P )) ( ) 1 eˆ σ, (xB + v)(s2 + h1 (IDB ))P (xB + v)(s2 + h1 (IDB )) eˆ(σ, P ) eˆ(xA R + DA , P ) eˆ(xA P, R)ˆ e(s1 P, QA ) eˆ(pkA , R)ˆ e(Ppub1 , H1 (IDA ))


5563

Here, we omit to consider the original signer to sign a message, since we can look the algorithm Ori-ProxyGen on the original signer signing which is the same as Huang et al.’s certificateless short signature scheme [17]. 3.2. Security analysis. The security analysis of our scheme refers Boneh et al.’s IDbased encryption scheme [19] and public key encryption with keyword search [20]. In the random oracle model, we will prove the proposed scheme is existentially unforgeable in the above security models assuming the CDH problem, Inv-CDH problem and k-CAA problem are intractable. Conveniently, the original signer is denoted by A, and the proxy signer is denoted by B. Theorem 3.1. Let A1 be an adversary with probability ϵ to win Game 1 assuming that A1 makes qh1 h1 queries. Then, there exists an algorithm B with probability ϵ′ ≥ qh1e3 ϵ to 1 solve the k-CAA problem where e is the natural logarithm. Proof: Given P , T = s2 P ∈ G1 , u1 , u2 , . . . , uk ∈ Z∗q and

1 1 1 P, s2 +u P, . . . , s2 +u P s( 2 +u1 2) k 1 u∗ , s2 +u where u∗ ∈ / ∗P

as the k-CAA problem, while B’s goal is to output a pair {u1 , u2 , . . . , uk }. A1 interacts B via Game 1 as follows. Setup: B selects a random s1 ∈ Z∗q and sets Ppub1 = s1 P, Ppub2 = T and param = (G1 , G2 , eˆ, Ppub1 , Ppub2 , P, H1 , H2 , h1 , h2 ), then gives param to A1 . Attack : A1 can adaptively perform the following polynomially bounded queries. h1 queries: B holds an h1 -list ⟨IDj , uj , cj ⟩, where h1 -list initially is empty. A1 can query any identity IDi . B responds as follows: (1) If IDi has been queried, B returns ui from h1 -list; (2) If IDi has never been queried before, B generates a random coin ci ∈ {0, 1}, where Pr[ci = 0] = 1/qh1 . If ci = 0, B returns a random u∗i ∈ / {u1 , u2 , . . . , uk } to A1 and adds ⟨IDi , ui , ci ⟩ into h1 -list; otherwise, B returns ui ∈ {u1 , u2 , . . . , uk } to A1 and adds ⟨IDi , ui , ci ⟩ into h1 -list. h2 queries: B holds an h2 -list ⟨Mj , mw , pkj , IDj , vj ⟩, while h2 -list initially is empty. A1 can query (Mj , mw , pkj , IDj ). B responds as follows: (1) If (Mi , mw , pki , IDi ) has been queried, B returns vi from h2 -list; (2) If (Mi , mw , pki , IDi ) has never been queried before, B chooses a random vi ∈ Z∗q and returns vi to A1 , then adds ⟨Mi , mw , pki , IDi , vi ⟩ into h2 -list; H1 queries: B holds an H1 -list ⟨IDj , Qj , βj ⟩, while H1 -list initially is empty. A1 can query IDi and B responds as follows: (1) If IDi has been queried, B returns Qi from H1 -list; (2) If IDi has never been queried before, B randomly chooses βi ∈ Z∗q and computes Qi = βi P , then returns Qi to A1 and adds ⟨IDi , Qi , βi ⟩ into H1 -list; H2 queries: B holds an H2 -list ⟨mw , pkj , IDj , Rj , rj ⟩, while H2 -list initially is empty. A1 can query (mw , pki , IDi ). B responds as follows: (1) If (mw , pki , IDi ) has been queried, B returns Ri from H2 -list; (2) If (mw , pki , IDi ) has never been queried before, B selects a random ri ∈ Z∗q and returns Ri = ri P to A1 , then adds ⟨mw , pki , IDi , Ri , ri ⟩ into H2 -list. Ori-Partial-Private-Key queries: A1 is able to request B to give a partial private key. B will send A1 ’s partial private key DA = s1 H1 (ID) to A1 . Ori-ProxyGen: A1 generates a delegation σ = xA RA + DA itself where σ is a fixed value. Pro-Partial-Private-Key queries: B holds a K-list ⟨σ, IDj , xj , Dj , pkj ⟩, while K-list initially is empty. A1 can query (σ, IDi ) where σ is a delegation generated by A1 . If IDi has

5564


been queried for Pro-Partial-Private-Key before, B returns Di from K-list. Otherwise, B goes back to perform h1 query, then responds Pro-Partial-Private-Key queries as follows. (1) If ci = 0 in h1 -list, B aborts and terminates; ( ) 1 (2) If ci = 1 and Di does not exist in K-list, B returns Di = (xA rA + s1 βA ) s2 +ui P and adds ⟨σ, IDi , Di ⟩ into K-list where

1 P s2 +ui

is from the k-CAA problem.

Pro-Secret-Value queries: A1 can query IDi for the private key. B returns xi from K-list. Note, it is possibly that xi is ⊥ which denotes that it has not been queried. Pro-Public-Key queries: A1 can query IDi to acquire the public key. If IDi has been queried before, B returns pki from K-list; otherwise, B goes back to perform h1 query, then responds Pro-Public-Key queries as follows. (1) If xi is not ⊥, B sets pki = xi (T + ui P ) to A1 and inserts pki into K-list; (2) If xi is ⊥, B randomly chooses xi ∈ Z∗q and computes pki = xi (T + ui P ) to A1 . Finally, B inserts ⟨IDi , xi , pki ⟩ to K-list; Pro-Public-Key-Replacement: For any IDi whose public key pki , A1 has the ability to set a new secret value x′i and the corresponding public key pki′ , then replaces pki with pki′ as follows. If IDi corresponds to ci = 0 in h1 -list, B aborts and terminates; otherwise, A1 randomly chooses x′i ∈ Z∗q and computes pki′ = x′i (T + ui P ). Then, A1 sends (IDi , x′i , pki′ ) to B to replace pki with pki′ . Sign queries: Receiving a sign query (σ, mw , Mi , IDi , pki ) from A1 , B must perform the following steps based on h1 -list, h2 -list and K-list. (1) If IDi corresponds to ci = 0 in h1 -list, B aborts and terminates; 1 (2) If ci = 1 and (pki , xi ) exists in K-list, B returns S = (xi +vi )(s σ; 2 +ui ) (3) If ci = 1 and (pki , xi ) does not exist in K-list, B chooses a random value xi ∈ Z∗q and sets pki = xi (T + ui P ), then adds (xi , pki ) into K-list. Finally, B still returns 1 S = (xi +vi )(s σ to A1 . 2 +ui ) Forgery: A1 forges a proxy signature S ∗ for the original signer A1 , a warrant mw , a proxy signer’s ID∗ , corresponding public key pk ∗ and a message M ∗ . This forged signature must satisfy the following equation. eˆ(S ∗ , pk ∗ + v(T + h1 (ID∗ )P )) = eˆ(pkA , RA )ˆ e(Ppub1 , H1 (IDA )) If ID∗ corresponds to c∗ ̸= 0, B aborts and terminates. If A1 successfully forges a valid proxy signature, B must be capable of computing. ( ) 1 x∗ + v ∗ P = S ∗. s2 + u∗ xA rA + s1 βA We show that B solves the k-CAA problem with probability ϵ′ ≥ qh1e3 ϵ when B does 1 not abort in any queries and forgery. For more details must refer the following proof. E1 : B does not abort in any A1 ’s query with least probability 1/(e3 ). Proof: Since Pr[ci = 0] = 1/qh1 in Sign queries, Pro-Partial-Private-Key queries and public-key-replacement, B does not abort with probability (1−1/qh1 )qh1 ≥ 1/e respectively. Thus, Pr[E1 ] ≥ 1/e3 . E2 : B does not abort to respond in Forgery with probability 1/qh1 . Proof: A1 outputs a forged signature, while this signature corresponds to ci = 0. B does not abort with Pr[c1 = 0] = 1/qh1 , then Pr[E2 ] = 1/qh1 . Because of ϵ′ = Pr[E1 ]Pr[E2 ]ϵ, we can say B solves the k-CAA problem with probability ′ ϵ ≥ qh1e3 ϵ. Hence, B solves the k-CAA problem is equivalent to A1 wins Game 1. 1


5565

Theorem 3.2. Let A2 be an adversary with probability ϵ to win Game 2 assuming that A2 makes qH1 H1 queries. Then, there exists an algorithm B with probability ϵ′ ≥ qH1 e3 ϵ 1 to solve the CDH problem where e is the natural logarithm. Proof: Given P, aP, bP as the CDH problem, while B’s goal is to output abP . A2 interacts B via Game 2 as follows. Setup: B selects a random s2 ∈ Z∗q and sets Ppub1 = aP, Ppub2 = s2 P and param = (G1 , G2 , eˆ, Ppub1 , Ppub2 , P, H1 , H2 , h1 , h2 ), then gives param to A2 . Attack : A2 can adaptively perform the following polynomially bounded queries. h1 queries: B holds an h1 -list ⟨IDj , uj ⟩, where h1 -list initially is empty. A2 can query any identity IDi . B responds as follows: (1) If IDi has been queried, B returns ui from h1 -list; (2) If IDi has never been queried before, B generates a random ui ∈ Z∗q to A2 and adds ⟨IDi , ui ⟩ into h1 -list; h2 queries: B holds an h2 -list ⟨Mj , mw , pkj , IDj , vj ⟩, while h2 -list initially is empty. A2 can query (Mj , mw , pkj , IDj ). B responds as follows: (1) If (Mi , mw , pki , IDi ) has been queried, B returns vi from h2 -list; (2) If (Mi , mw , pki , IDi ) has never been queried before, B generates a random value vi ∈ Z∗q and returns vi to A2 , then adds ⟨Mi , mw , pki , IDi , vi ⟩ into h2 -list; H1 queries: B holds an H1 -list ⟨IDj , Qj , βj , ci ⟩, while H1 -list initially is empty. A2 can query IDi . B responds as follows: (1) If IDi has been queried, B returns Qi from H1 -list; (2) If IDi has never been queried before, B picks a random βi ∈ Z∗q and generates a random coin ci ∈ {0, 1}, where Pr[ci = 0] = 1/qH1 . If ci = 0, B returns Qi = βi (bP ) to A2 , then inserts ⟨IDi , Qi , βi , ci ⟩ into H1 -list; otherwise, B returns Qi = βi P to A2 , then adds ⟨IDi , Qi , βi , ci ⟩ into H1 -list. H2 queries: B holds an H2 -list ⟨mw , pkj , IDj , Rj , rj ⟩, while H2 -list initially is empty. A2 can query (mw , pki , IDi ). B responds as follows: (1) If (mw , pki , IDi ) has been queried, B returns Ri from H2 -list; (2) If (mw , pki , IDi ) has never been queried before, B chooses a random ri ∈ Z∗q and returns Ri = ri P to A2 , then adds ⟨mw , pki , IDi , Ri , ri ⟩ into H2 -list; Ori-Partial-Private-Key queries: B holds a K-list ⟨IDj , xj , Dj , pkj ⟩, while K-list initially is empty. A2 can query IDi . If IDi has been queried for Ori-Partial-Private-Key before, B returns Di from K-list; otherwise, B goes back to perform H1 query, then responds Ori-Partial-Private-Key queries as follows. (1) If ci = 0 in H1 -list, B aborts and terminates; (2) If ci = 1 and Di does not exist in K-list, B returns Di = βi (aP ) and adds ⟨IDi , Di ⟩ into K-list. Ori-Secret-Value queries: A2 is able to query IDi for the private key. B returns xi from K-list. Note, it is possibly that xi is ⊥ which denotes that it has never been queried. Ori-Public-Key queries: A2 can query IDi to acquire the public key. If IDi has been queried before, B returns pki from K-list; otherwise, B responds Pro-Public-Key queries as follows. (1) If xi is not ⊥, B sets pki = xi P to A2 and inserts pki into K-list; (2) If xi is ⊥, B randomly chooses xi ∈ Z∗q and computes pki = xi P to A2 . Finally, B inserts ⟨IDi , xi , pki ⟩ to K-list; Ori-Public-Key-Replacement: For any IDi whose public key pki , A2 has the ability to set a new secret value x′i and the corresponding public key pki′ , then replaces pki with pki′

5566


as follows. If IDi corresponds to ci = 0 in H1 -list, B aborts and terminates; otherwise, A2 randomly chooses x′i ∈ Z∗q and computes pki′ = x′i P . Then, A2 sends (IDi , x′i , pki′ ) to B to replace pki with pki′ . Ori-ProxyGen queries: A2 can query IDi as the original signer’s identity for a delegation. B bases on H1 -list and H2 -list, then responds as follows. If ci = 0 in H1 -list, B aborts and terminates; otherwise, B returns σ = xi R + Di . Sign queries: Receiving a sign query (mw , Mi , IDi , pki ) from A2 , B must perform the following steps based on H1 -list, H2 -list and K-list. (1) If IDi corresponds to ci = 0 in H1 -list, B aborts and terminates; 1 (2) If ci = 1 and (pki , xi ) exists in H1 -list, B returns S = (xi +vi )(s (xi Ri + βi aP ); 2 +ui ) (3) If ci = 1 and (pki , xi ) does not exist in K-list, B chooses a random value xi ∈ Z∗q and sets pki = xi P , then adds (xi , pki ) into K-list. Finally, B still returns S = 1 (xi R + βi aP ) to A2 . (xi +vi )(s2 +ui ) Forgery: A2 forges a proxy signature S ∗ for the proxy signer A2 , a warrant mw , an original signer’s ID∗ , corresponding public key pk ∗ , and a message M ∗ . This forged signature must satisfy the following equation. eˆ(S ∗ , pkB + vB (Ppub2 + h1 (IDB )P )) = eˆ(pk ∗ , R∗ )ˆ e(Ppub1 , H1 (ID∗ )) If ID∗ corresponds to c∗ ̸= 0, B aborts and terminates. If A2 successfully forges a valid proxy signature, B must have the ability to compute abP = ((xB + vB )(s2 + u)S ∗ − x∗ R∗ ) β −1 . We show that B solves the CDH problem with probability ϵ′ ≥ qH1 e3 ϵ when B does not 1 abort in any queries and forgery. For more details must refer the following proof. E1 : B does not abort in any A2 ’s query with least probability 1/(e4 ). Proof: Since Pr[ci = 0] = 1/qh1 in Sign queries, Ori-ProxyGen queries, Ori-PartialPrivate-Key queries and Ori-Public-Key-Replacement, B does not abort with probability (1 − 1/qH1 )qH1 ≥ 1/e respectively. Thus, Pr[E1 ] ≥ 1/e4 . E2 : B does not abort to respond in Forgery with probability 1/qH1 . Proof: A2 outputs a forged signature, while this signature corresponds to ci = 0. B does not abort with Pr[c1 = 0] = 1/qH1 , then Pr[E2 ] = 1/qH1 . Because of ϵ′ = Pr[E1 ]Pr[E2 ]ϵ, we can say B solves the CDH problem with probability ϵ′ ≥ qH1 e4 ϵ. Hence, B solves the CDH problem is equivalent to A2 wins Game 2. 1

Theorem 3.3. Let A3 be an adversary with probability ϵ to win Game 3 assuming that A3 makes qK public key queries. Then, there exists an algorithm B with probability ϵ′ ≥ qK1e2 ϵ to solve the Inv-CDH problem where e is the natural logarithm. Proof: Given P , aP as the Inv-CDH problem, while B’s goal is to output a1 P . A3 interacts B via Game 3 as follows. Setup: B randomly selects s1 , s2 ∈ Z∗q and sets Ppub1 = s1 P, Ppub2 = s2 P , and param = (G1 , G2 , eˆ, Ppub1 , Ppub2 , P, H1 , H2 , h1 , h2 ), then gives param and master-keys s1 , s2 to A3 . Attack : A3 can adaptively perform the following polynomially bounded queries. h1 queries: B holds an h1 -list ⟨IDj , uj ⟩, where h1 -list initially is empty. A3 can query any identity IDi . B responds as follows: (1) If IDi has been queried, B returns ui from h1 -list; (2) If IDi has never been queried before, B generates a random ui ∈ Z∗q to A3 and adds ⟨IDi , ui ⟩ into h1 -list; h2 queries: B holds an h2 -list ⟨Mj , mw , pkj , IDj , vj ⟩, while h2 -list initially is empty. A3 can query (Mj , mw , pkj , IDj ). B responds as follows:


5567

(1) If (Mi , mw , pki , IDi ) has been queried, B returns vi from h2 -list; (2) If (Mi , mw , pki , IDi ) has never been queried before, B generates a random vi ∈ Z∗q and returns vi to A3 , then adds ⟨Mi , mw , pki , IDi , vi ⟩ into h2 -list; H1 queries: B holds an H1 -list ⟨IDj , Qj , βj ⟩, while H1 -list initially is empty. A3 is capable of querying IDi , while B responds as follows: (1) If IDi has been queried, B returns Qi from H1 -list; (2) If IDi has never been queried before, B picks a random βi ∈ Z∗q and returns Qi = βi P to A3 ; H2 queries: B holds an H2 -list ⟨mw , pkj , IDj , Rj , rj ⟩, while H2 -list initially is empty. A3 can query (mw , pki , IDi ). B responds as follows: (1) If (mw , pki , IDi ) has been queried, B returns Ri from H2 -list; (2) If (mw , pki , IDi ) has never been queried before, B picks a random ri ∈ Z∗q and returns Ri = ri P to A3 , then inserts ⟨mw , pki , IDi , Ri , ri ⟩ into H2 -list; Public-Key queries: A3 can ask for the public key of any original signer or proxy signer with ID. B maintains a K-list ⟨ρi , pkj , xj , ci ⟩, where ρi ∈ {0, 1}, ρi = 0 denotes the original signer, and ρi = 1 denotes the proxy signer. K-list initially is empty. B responds as follows: (1) If (ρi , IDi ) has been queried, B returns pki from K-list; (2) If ρi = 0 and IDi has never been queried before, B picks a random xi ∈ Z∗q and computes the public key pki = xi P to A3 , then sets ci = ⊥ and inserts ⟨ρi , IDi , pki , xi , ci ⟩ into K-list; (3) If ρi = 1, B picks a random coin ci ∈ {0, 1} where P r[ci = 0] = 1/qK . If ρi = 1 and ci = 0, B returns pki = (s2 + ui )(aP − vi P ) to A3 and insets ⟨ρi , IDi , pki , ci ⟩ into K-list. If ρi = 1 and ci = 1, B randomly chooses xi ∈ Z∗q , then returns pki = xi (s2 P + ui P ) to A3 and inserts ⟨ρi , IDi , pki , xi , ci ⟩ into K-list; Secret-Value queries: A3 can query any identity IDi for the secret value of any original signer or proxy signer. B bases on K-list to respond. If IDi corresponds to ci = 0, then B aborts and terminates; otherwise, B returns xi to A3 . Sign queries: A3 sends any original signer IDA and proxy signer identity IDB , a warrant mw , and message M to request a proxy signature. B must perform the following steps based on h1 -list, h2 -list, H1 -list, H2 -list and K-list. (1) If IDi corresponds to ci = 0 in K-list, B aborts and terminates; (2) Otherwise, B returns S = (xB +vB1)(s+uB ) (xA RA + βA sB P ); (3) If ci = 1 or ⊥ and (pki , xi ) does not exist in K-list, B will go back to perform 1 (xA RA + βA s1 P ) to A3 . Public-Key query. Then, B still returns S = (xB +vB )(s 2 +uB ) ∗ Forgery: A3 forges a proxy signature S ∗ for a warrant mw , a original signer’s IDA , ∗ ∗ ∗ ∗ a proxy signer’s IDB , corresponding public key pkA , pkB and a message M , where this signature S ∗ is never queried. This forged signature must satisfy the following equation. ∗ ∗ )P ) = eˆ(pkA , RA )ˆ e(Ppub1 , H1 (IDA )) + vB∗ (Ppub2 + h1 (IDB eˆ(S ∗ , pkB ∗ ∗ Without loss of generality, we assume one of identities IDA , IDB has not been queried ∗ ∗ in Sign queries, while the one of identities is IDB . If IDB corresponds to c∗B ̸= 0, B aborts and terminates. If A3 successfully forges a valid proxy signature, B must be able to compute

s2 + u∗B 1 P = S ∗. a xA rA + s1 βA

5568


We show that B solves the Inv-CDH problem with probability ϵ′ ≥ qK1e2 ϵ when B does not abort in any queries and forgery. For more details must refer the following proof. E1 : B does not abort in any A3 ’s query with least probability 1/e. Proof: Since Pr[ci = 0] = 1/qK in Sign queries and Secret-Value queries, B does not abort with probability (1 − 1/qK )qK ≥ 1/e respectively. Thus, Pr[E1 ] ≥ 1/e2 . E2 : B does not abort to respond in Forgery with probability 1/qK . Proof: A3 outputs a forged signature, while this signature corresponds to ci = 0. B does not abort with Pr[c1 = 0] = 1/qK . Thus, Pr[E2 ] = 1/qK . Due to ϵ′ = Pr[E1 ]Pr[E2 ]ϵ, we can say B solves the Inv-CDH problem with probability ϵ′ ≥ qK1e2 ϵ. Hence, B solves the Inv-CDH problem is equivalent to A3 wins Game 3. In the above proof for an adversary A3 , we assume that A3 can know the original signer’s secret value but cannot know the the proxy signer’s secret value. We omit to analyze that A3 can know the proxy signer’s secret value but cannot know the the original signer’s secret value, since this proof is based on Huang et al.’s proof for their certificateless short signature scheme [17]. Ultimately, we do not consider the security analysis from the viewpoint of a dishonest user, nor the original signer or the proxy signer, because the dishonest user’s ability is impossibly more powerful than the original signer and the proxy signer. The following corollary is followed from Theorems 3.1-3.3. Corollary 3.1. The proposed CLPS scheme is existentially unforgeable under the chosen message attack of Type 1-3 adversaries in the random oracle model assuming the k-CAA, CDH, Inv-CDH problems are intractable. 3.3. Efficiency. The comparison of efficiency of our scheme and Chen et al.’s is offered in Table 2. The relative operations are defined as follows: • P: pairing. • S: scalar. multiplication in G1 . • M: the MapToPoint hash function. • L: the bit length of a point over the elliptic curve G1 such as 160 bits. • D-G: the computational cost of generating a delegation. • CLP-Sign: the computational cost of generating the proxy signature. • CLP-Verify : the computational cost of the verification. • |Sign|: the proxy signature length. The pre-computed cost is also considered. According to Table 2, our scheme is more efficient than Chen et al.’s in many algorithms (D-G, CLP-Sign, CLP-Verify ). And it also requires less communication cost (|Sign|). Table 2. The comparison of efficiency of our scheme and Chen et al.’s D-G CLP-Sign CLP-Verify |Sign| Chen et al. 1M + 2S 2S 6P 3L Proposed 1M + 1S 1S 3P L 4. Conclusions. Identity-based cryptography suffers from the key escrow problem that PKG has the perfect ability to derive a user’s private key. However, certificateless cryptography is a new technique aiming to solve the key escrow problem which is in the spotlight for a decade. In this paper, we have proposed a new certificateless proxy signature scheme and its practical security model. The proposed scheme is efficient and provably secure in the random oracle model against existential forgery under the chosen message attack


5569

assuming the CDH, Inv-CDH, k-CAA problems are intractable. Moreover, the length of a proxy signature is short in our scheme, which is more appropriate for low-bandwidth and low-power devices such as mobile devices. In the future work, we tend to discuss the trusted level in CLPKC and certificateless multi-proxy signature. Acknowledgement. We would like to thank the anonymous reviewers for their numerous suggestions and remarks which have enables us to substantially improve the paper. This work was partially supported by the National Science Council of Taiwan under contract NSC 99-2221-E-005-078 and NSC 99-2221-E-468-012. REFERENCES [1] Y.-F. Chang and C.-C. Chang, Robust t-out-of-n proxy signature based on RSA cryptosystems, International Journal of Innovative Computing, Information and Control, vol.4, no.2, pp.425-431, 2008. [2] C.-I. Fan, C.-I. Wang and W.-Z. Sun, Fast randomization schemes for Chaum blind signatures, International Journal of Innovative Computing, Information and Control, vol.5, no.11(A), pp.38873900, 2009. [3] L. J. Wang and J. J. R. Chen, Novel digital multisignature scheme, ICIC Express Letters, vol.4, no.4, pp.1251-1256, 2010. [4] A. Shamir, Identity based cryptosystems and signature schemes, Crypto’84, LNCS, Santa Barbara, CA, vol.196, pp.47-53, 1984. [5] Y.-M. Tseng, T.-Y. Wu and J.-D. Wu, An efficient and provably secure Id-based signature scheme with batch verifications, International Journal of Innovative Computing, Information and Control, vol.5, no.11(A), pp.3911-3922, 2009. [6] M. Wang, H. Hu and G. Dai, An identity-based signature scheme for mobile business, ICIC Express Letters, vol.4, no.2, pp.565-570, 2010. [7] S. Al-Riyami and K. Paterson, Certificateless public key cryptography, ASIACRYPT’03, LNCS, Taipei, vol.2894, pp.452-473, 2003. [8] D. H. Yum and P. J. Lee, Generic construction of certificateless signature, ACISP’04, LNCS, Sydney, Australia, vol.3108, pp.200-211, 2004. [9] L. C. Wang, Z. F. Cao, X. X. Li and H. F. Qian, Simulatability and security of certificateless threshold signatures, Information Sciences, vol.177, no.6, pp.1382-1394, 2007. [10] H. Du and Q. Wen, Efficient and provably-secure certificateless short signature scheme from bilinear pairings, Computer Standards and Interfaces, vol.31, no.2, pp.390-394, 2009. [11] K. A. Shim, Breaking the short certificateless signature scheme, Information Sciences, vol.179, no.3, pp.303-306, 2009. [12] Z. Liu, Y. Hub, X. Zhang and H. Ma, Certificateless signcryption scheme in the standard model, Information Sciences, vol.180, no.3, pp.452-464, 2010. [13] S. Kim, S. Park and D. Won, Proxy signatures, revisited, ICICS’97, LNCS, vol.1334, pp.223-232, 1997. [14] H. M. Sun, N. Y. Lee and T. Hwang, Threshold proxy signatures, IEE Proc. of Computers and Digital Techniques, vol.146, pp.259-263, 1999. [15] H. M. Sun, An efficient nonrepudiable threshold proxy signature scheme with known signers, Computer Communications, vol.22, no.8, pp.717-722, 1999. [16] H. Chen, F. T. Zhang and R. S. Song, Certificateless proxy signature scheme with provable security, Journal of Software, vol.20, no.3, pp.692-701, 2009. [17] X. Huang, Y. Mu, W. Susilo, D. S. Wong and W. Wu, Certificateless signature revisited, ACISP’07, LNCS, vol.4586, pp.308-322, 2007. [18] S. Mitsunari, R. Sakai and M. Kasahara, A new traitor tracing, IEICE Trans. on E85-A, vol.2, pp.481-484, 2002. [19] D. Boneh and M. Franklin, Identity-based encryption from the weil pairing, SIAM Journal on Computing, vol.32, no.3, pp.586-615, 2003. [20] D. Boneh, G. Crescenzo, R. Ostrovsky and G. Persiano, Public key encryption with keyword search, EUROCRYPT’04, LNCS, Interlaken, Switzerland, vol.3027, pp.506-522, 2004.