Article

On Random-Oracle-Free Top-Level Secure Certificateless Signature Schemes


Abstract

Certificateless public key cryptography (CL-PKC) overcomes both the difficulties of certificate management in traditional public key infrastructure (PKI) and the key escrow problem in ID-based public key cryptography (ID-PKC). In 2018, Tseng et al. proposed a certificateless signature (CLS) scheme and claimed that their proposal is the first scheme in the standard model that is secure against a level-3 KGC (according to Girault's three-level categorization, proposed in 1991, of the honesty of a trusted third party (TTP)). However, we show that, unfortunately, their scheme is vulnerable even to a malicious KGC. We then improve their scheme so that it is robust against the proposed attack. Finally, we propose a CLS scheme secure against a level-3 KGC in the standard model, based on Yuan and Wang's CLS scheme. We show that our proposal not only satisfies level-3 security as well as the basic security requirements of a CLS scheme in the standard model, but is also more efficient than previous works in terms of computation and communication costs.


... This independent security definition had since been further elaborated and applied by Chen et al. [25] in 2015 and Tseng et al. [26] in 2019. In 2021, Rastegari and Susilo [27] updated the victory condition of this independent security definition to be that the legitimate user whose signature is forged cannot repudiate the forged signature. The security definition in this paper is mainly based on literature [26] and literature [27]. ...
... Based on the definition of the security model in [27], if KGC trust level 3 security is to be achieved, there exist three types of adversaries: A_I, A_II, and A_III. We utilize the following three games to show that a CLS scheme is existentially unforgeable against adaptively chosen message and identity attacks (EUF-CMA) against the three types of adversaries A_I, A_II, and A_III. ...
Article
With the widespread adoption of wireless sensor networks (WSN), the security of the WSN has been a wide concern. Certificateless signature eliminates the certificate management problem and key escrow problem and is considered a feasible solution to solve the data integrity and authentication of WSN. Recently, Thumbur et al. proposed an efficient pairing-free certificateless signature scheme, and Xu et al. pointed out that their scheme is not resistant to signature forgery attacks and proposed an improved scheme. Based on the trust hierarchy defined by Girault, we find that Xu et al.’s scheme is still only able to achieve security under KGC trust level 2. Moreover, Thumbur et al.’s scheme uses the Schnorr signature algorithm form, which makes it favorable for scaling, while Xu et al.’s scheme breaks this advantage. Therefore, we propose a pairing-free certificateless scheme capable of reaching KGC trust level 3, still using the Schnorr signature algorithm form, and prove the security of the new scheme under the random oracle model. The final efficiency analysis shows that the new scheme has shorter public key length and higher computational efficiency.
Article
Certificateless signature (CLS) has no need of public key certificates and also avoids the excessive dependence on a third party found in the identity-based setting. Recently, Shim (IEEE Systems Journal, doi:10.1109/JSYST.2018.2844809) came up with a CLS scheme independent of random oracles and asserted that the construction is immune to public key replacement attacks and malicious-but-passive key generation center (KGC) attacks. In this paper, we analyze the security of Shim's scheme and point out that his conclusions are incorrect by giving two concrete counter-examples. We repair the scheme and put forward a CLS scheme secure against public key replacement attacks and malicious-but-passive KGC attacks without relying on random oracles. Compared with Shim's scheme, our construction has lower execution cost for signing and verification, and achieves Girault's top-level security, which means that a victim can repudiate forgeries based on a false secret key generated by the KGC.
Article
In a designated verifier signature (DVS) scheme, the signer (Alice) creates a signature which is only verifiable by a designated verifier (Bob). Furthermore, Bob cannot convince any third party that the signature was produced by Alice. A DVS scheme is applicable in scenarios where Alice must be authenticated to Bob without compromising her privacy. The de-facto construction of a DVS scheme is achieved in a traditional public key infrastructure (PKI) setting, which unfortunately requires high-cost certificate management. A variant in the identity-based (ID-based) setting eliminates the need for certificates, but it introduces a new inherent key escrow problem, which makes it impractical. Certificateless public key cryptography (CL-PKC) overcomes the problems of both the PKI and ID-based settings, since it does not suffer from any of the aforementioned problems. However, only a few certificateless DVS (CL-DVS) schemes have been proposed in the literature to date. Moreover, all existing CL-DVS schemes are only proven secure in the random oracle model, while some of them are already known to be insecure. We provide three contributions in this paper. First, we revisit the security proofs of existing CL-DVS schemes in the literature and show that unfortunately there are drawbacks in the proofs of all of those schemes. Second, we concentrate on the recently proposed CL-DVS scheme (IEEE Access 2018) and show a drawback in its security proof which makes it unreliable. Furthermore, we show that this scheme is delegatable, in contrast to the author's claim. Finally, we propose a CL-DVS scheme and prove its security requirements in the standard model. Our scheme is not only the first scheme with a complete and correct security proof, but also the only scheme in the standard model.
Article
To achieve source authentication, message integrity and non-repudiation, a number of authentication protocols adopt several types of digital signatures: public-key signatures, identity-based signatures and certificateless signatures. In this paper, we show that an anonymous remote authentication scheme for wireless body area networks, an anonymous handover authentication scheme, an authentication scheme for an emergency mobile cyber-physical system, and an authenticated key agreement protocol based on the three types of signature schemes are insecure against various impersonation attacks due to the insecurity of the underlying signature schemes. These results show that using cryptographic primitives without security proofs causes serious security vulnerabilities in the security protocol itself. Our results give strong evidence that the security of adopted cryptographic primitives should be proved in appropriate formal security models, in addition to proving the security of the protocol itself.
Article
The certificateless aggregate signature (CLAS) scheme is a very important data aggregation technique that compresses a large number of signatures from different users into a short signature. CLAS can reduce the total length of a signature and the computational overhead of signature verification and is therefore highly suitable for resource-constrained network environments. Many CLAS schemes have been proposed in recent years, but the construction of a secure and efficient CLAS scheme remains important. In 2018, Li et al. found that the CLAS scheme proposed by He et al. could not resist malicious-but-passive KGC attacks, and they presented an improved CLAS scheme. Du et al. proposed a CLAS scheme with constant aggregate signature length and claimed that their scheme was resistant to forgery attacks. Chen et al. designed a CLAS scheme with efficient verification and proved that their CLAS scheme was secure in the random oracle model. In this paper, we demonstrate that Li et al.'s CLAS scheme, Du et al.'s CLAS scheme, and Chen et al.'s CLAS scheme are insecure against coalition attacks and present concrete examples. That is, an attacker can forge a valid aggregate signature using some illegal single signatures. To withstand such attacks, we propose an improved CLAS scheme based on Chen et al.'s CLAS scheme.
Article
In digital signature, strong unforgeability requires that an attacker cannot forge a new signature on any previously signed/new messages, which is attractive in both theory and practice. Recently, a strongly unforgeable certificateless signature (CLS) scheme without random oracles was presented. In this paper, we firstly show that the scheme fails to achieve strong unforgeability by forging a new signature on a previously signed message under its adversarial model. Then, we point out that the scheme is also vulnerable to the malicious-but-passive key generation center (MKGC) attacks. Finally, we propose an improved strongly unforgeable CLS scheme in the standard model. The improved scheme not only meets the requirement of strong unforgeability but also withstands the MKGC attacks. To the best of our knowledge, we are the first to prove a CLS scheme to be strongly unforgeable against the MKGC attacks without using random oracles.
Article
Certificateless public key cryptography is very attractive for solving the key escrow problem inherent in identity-based (ID-based) public key cryptography. In the past, a large number of certificateless cryptographic schemes and protocols were presented, but a secure certificateless signature in the standard model (without random oracles) has still not been achieved. To the best of our knowledge, all previously proposed certificateless signature schemes were insecure under a considerably strong security model, in the sense that they suffered from outsiders' key replacement attacks or attacks from the key generation center (KGC). In this paper, we propose a certificateless signature scheme without random oracles. Moreover, our scheme is secure under the strong security model and provides a public revocation mechanism, called revocable certificateless signature (RCLS). Under the standard computational Diffie-Hellman assumption, we formally demonstrate that our scheme possesses existential unforgeability against adaptive chosen-message attacks.
Article
We propose a strongly secure certificateless signature scheme supporting batch verification, which makes it possible for a verifier to verify a set of signatures more efficiently than verifying them one by one. In an identity-based digital signature scheme, the private key generator (PKG) knows each user's signing key, so it can generate a signature which is indistinguishable from a signature generated by the user. This is a serious problem because the property of signature non-repudiation is not achieved. In our proposed scheme, it is impossible for the PKG to produce a signature which is indistinguishable from any signature produced by a user. Compared with existing signature schemes with batch verification, although our proposed scheme is not the most efficient one, it achieves Girault's level-3 security, while the others have only Girault's level-1 or level-2 security. We also formally prove that the proposed scheme is unforgeable and satisfies Girault's level-3 security based on hard problems.
Article
Liu et al. proposed the first certificateless signature scheme without random oracles in 2007. However, Xiong et al. showed that Liu et al.'s scheme is insecure against a malicious-but-passive KGC attack and proposed an improved scheme. In ISA 2009, Yuan et al. also proposed a new certificateless signature scheme without random oracles. Although they claimed that the two schemes are secure in the standard model, this paper shows that both Xiong et al.'s improved scheme and Yuan et al.'s new scheme are vulnerable to key replacement attack, where an adversary, obtaining a signature on a message and replacing the public key of a signer, can forge valid signatures on the same message under the replaced public key. We also give the corresponding modifications of the two schemes to resist key replacement attack.
Conference Paper
In this paper we revisit the security models of certificateless signatures and propose two new constructions which are provably secure in the random oracle model. We divide the potential adversaries according to their attack power, and for the first time, three new kinds of adversaries are introduced into certificateless signatures. They are Normal Adversary, Strong Adversary and Super Adversary (ordered by their attack power). Combined with the known Type I Adversary and Type II Adversary in certificateless system, we then define the security of certificateless signatures in different attack scenarios. Our new models, together with the others in the literature, will enable us to better understand the security of certificateless signatures. Two concrete schemes with different security levels are also proposed in this paper. The first scheme, which is proved secure against Normal Type I and Super Type II Adversary, enjoys the shortest signature length among all the known certificateless signature schemes. The second scheme is secure against Super Type I and Type II adversary. Compared with the scheme in ACNS 2006 which has a similar security level, our second scheme requires lower operation cost but a little longer signature length.
Conference Paper
“Certificateless public-key cryptosystem” is a new and attractive paradigm, which avoids the inherent key escrow property in identity-based public-key cryptosystems, and does not need expensive certificates as in the public key infrastructure. A strong security model for certificateless public key encryption was established by Al-Riyami and Paterson in 2003. In this paper, we first present a security model for certificateless public-key signature schemes, and then propose an efficient construction based on bilinear pairings. The security of the proposed scheme can be proved to be equivalent to the computational Diffie-Hellman problem in the random oracle model with a tight reduction.
Conference Paper
We introduce the notion, and give two examples, of self-certified public keys, i.e. public keys which need not be accompanied by a separate certificate to be authenticated by other users. The trick is that the public key is computed by both the authority and the user, so that the certificate is "embedded" in the public key itself and therefore does not take the form of a separate value. Self-certified public keys help reduce the amount of storage and computation in public key schemes, while secret keys are still chosen by the user himself and remain unknown to the authority. This is the difference from identity-based schemes, in which there are no certificates at all, but at the cost that secret keys are computed by (and therefore known to) the authority.
Conference Paper
The only known construction of certificateless signature schemes that can be proven secure against a malicious Key Generation Center (KGC) requires the random oracle model to prove the security. In this paper, we present a certificateless signature scheme which is secure against the malicious-but-passive KGC attack without random oracles. The security of our scheme is based on our proposed complexity assumptions, which we call the Augmented Computational Diffie-Hellman (ACDH) assumption and the 2-Many Diffie-Hellman (2-Many-DH) assumption. At the same time, we discuss the relationship between the new assumptions and some related problems.
Article
A certificateless signature scheme is a practical solution to the drawback of identity-based (ID-based) signature schemes that the Key Generation Center (KGC) is able to forge the signature of a user. Many previous research results have presented security models and generic constructions for certificateless signatures. However, most of them do not satisfy Girault's level-3 security, which the conventional public key infrastructure (PKI) can achieve. In 2007, Hu et al. introduced a generic construction and security model that fulfills the requirement of Girault's level-3 security. Recently, Du and Wen proposed a certificateless short signature scheme which is more computationally efficient than the previous ones. However, a flaw in the security proofs and a lack of Girault's level-3 security can still be found in their scheme. In this paper, a cryptanalysis of the Du-Wen scheme and an improved scheme are presented, and we also provide formal proofs to demonstrate the security of the proposed scheme.
Conference Paper
In this paper, we propose two new certificate-based signature (CBS) schemes with new features and advantages. The first one is very efficient as it does not require any pairing computation and its security can be proven using Discrete Logarithm assumption in the random oracle model. We also propose another scheme whose security can be proven in the standard model without random oracles. To the best of our knowledge, these are the first CBS schemes in the literature that have such kind of features.
Article
Certificateless Public Key Cryptography (CL-PKC) enjoys a number of features of Identity-Based Cryptography (IBC) without having the problem of key escrow. However, it does suffer from an attack where the adversary, Carol, replaces Alice's public key by someone else's public key so that Bob, who wants to send an encrypted message to Alice, uses Alice's identity and the other public key as the inputs to the encryption function. As a result, Alice cannot decrypt the message while Bob is unaware of this. We call it the Denial-of-Decryption (DoD) Attack as its nature is similar to the well-known Denial-of-Service (DoS) Attack. Based on CL-PKC, we propose a new paradigm called Self-Generated-Certificate Public Key Cryptography (SGC-PKC) that captures the DoD Attack. We also provide a generic construction of a self-generated-certificate public key encryption scheme in the standard model. Our generic construction uses certificateless signature and certificateless encryption as the building blocks. In addition, we further propose a certificateless signature and a certificateless encryption scheme with concrete implementations that are all provably secure in the standard model, which are the first in the literature apart from the generic constructions by Yum and Lee, which may contain security weaknesses as pointed out by others. We believe these concrete implementations are of independent interest.
Article
Compared with traditional network routing technology, multi-source network coding allows the routers to encode the received data and has the merits of large throughput, strong robustness and high speed. In addition, the certificateless public key cryptosystem (CL-PKC) is both certificate-free and key-escrow-free. To date, there is no certificateless signature suitable for multi-source network coding (MSNC-CLS). In view of its wide application in practice, we construct an MSNC-CLS by applying the technique of certificateless signature to the environment of multi-source network coding. In MSNC-CLS, the use of generations can defend against replay attacks, and the homomorphism of the hash function can simplify the verification process of intermediate nodes. The generation identifier lets the intermediate nodes judge the generation property of a message, so that the intermediate nodes can decide whether to encode the message. Analysis shows that MSNC-CLS can resist pollution and forgery attacks; moreover, it has better computation performance than the existing schemes.
Article
Certificateless public key cryptography (CL-PKC) promises a practical resolution for establishing practical schemes, since it addresses two fundamental issues concurrently, namely the necessity of certificate management in traditional public key infrastructure (PKI) and the key escrow problem in the identity-based (ID-based) setting. Signcryption is an important primitive that provides the goals of both encryption and signature schemes, as it is more efficient than encrypting and signing messages consecutively. Since the concept of the certificateless signcryption (CL-SC) scheme was put forth by Barbosa and Farshim in 2008, many schemes have been proposed, most of which are provable in the random oracle model (ROM) and only a few of which are provable in the standard model. Very recently, Luo and Wan (Wireless Personal Communication, 2018) proposed a very efficient CL-SC scheme in the standard model. Furthermore, they claimed that their scheme is not only more efficient than the previously proposed schemes in the standard model, but is also the only scheme which benefits from known session-specific temporary information security (KSSTIS). Therefore, this scheme would indeed be very practical. The contributions of this paper are twofold. First, in contrast to the claim made by Luo and Wan, we show that unfortunately Luo and Wan made a significant error in the construction of their proposed scheme. While their main intention is indeed interesting and useful, the failure of their construction has left a gap in the research literature. Hence, the second contribution of this paper is to fill this gap by proposing a CL-SC scheme with KSSTIS, which is provably secure in the standard model.
Article
With the rapid popularization of Internet of Things (IoT) in various fields, the security of the IoT has been widely concerned. Security authentication technology is the foundation of the security of the IoT. Certificateless signature, which removes the intricate certificate management and key escrow, is one of the practical methods to provide data integrity and identity authentication for the IoT. At present, many certificateless signature schemes have been put forward, but few of them are secure and suitable for the IoT. Recently, Jia et al. designed a certificateless signature scheme for the IoT deployment. The authors demonstrated that their scheme can withstand attacks of two types of super adversaries. However, we prove that Jia et al.'s scheme cannot resist attacks from a normal Type I adversary, not to mention a super Type I adversary. Then, we put forward a certificateless signature scheme on the basis of elliptic curve cryptosystem, and prove the scheme cannot be forged by two types of super adversaries. Our certificateless signature scheme performs better than the existing certificateless signature schemes, and it is the best combination of high security and efficiency so far and is more appropriate for the resource-constrained IoT environment.
Article
In order to overcome the key escrow problem, Al-Riyami and Paterson introduced the concept of certificateless public key cryptography (CL-PKC) in 2003. CL-PKC neither requires public key certificates nor suffers from the key escrow problem. Since then, CL-PKC has been widely applied. In 1991, Girault defined three security levels of the key generation center (KGC), where a higher level of KGC means stronger security of the system. Recently, many certificateless signature schemes and their security models have been presented. However, there is no certificateless signature scheme proposed in the literature that achieves the property of Girault's level-3 security without random oracles. In view of the aforementioned issues, we propose a new construction of a certificateless signature scheme. The proposed certificateless signature scheme is provably secure in the standard model and satisfies Girault's level-3 security. The security of the proposed scheme is based on the hardness of the generalized computational Diffie-Hellman and many Diffie-Hellman problems.
Article
Digital signatures are an important cryptographic tool for the security and privacy of smart cities. Certificateless signature not only simplifies the certificate management of traditional public-key signature, but also solves the private key escrow problem of ID-based signature. Recently, Pang et al. proposed a certificateless signature scheme in the standard model. We find that their scheme is vulnerable to attack by a malicious-but-passive KGC adversary. From the analysis of Pang et al.'s security proof, we give a suggestion for proofs of certificateless signature, i.e., possible trapdoor information must not be left available to the KGC. Then we propose a strongly secure certificateless signature scheme, and give the security proof in the standard model. Compared with Pang et al.'s and other certificateless signature schemes in the standard model, our proposed scheme can resist attack by a malicious-but-passive KGC adversary.
Article
Certificateless cryptography eliminates the need of certificates from public-key cryptography and solves the key escrow problem in identity-based cryptography. Since Al-Riyami and Paterson introduced the concept of certificateless cryptography, there have been several proposals for certificateless encryption schemes and signature schemes provably secure in the random oracle model. In the random oracle paradigm, the schemes make use of cryptographic hash functions that are modeled as random oracles in the security proof. However, it has been shown that when random oracles are instantiated with concrete hash functions, the schemes may not be secure. Afterward, several certificateless signature (CLS) schemes provably secure without random oracles have been proposed. However, it turned out that all the schemes are insecure against type I or II adversaries. In this paper, we propose a new CLS scheme secure in the standard model under the computational Diffie–Hellman assumption. We then investigate the practical feasibility of our scheme.
Article
A Certificateless Signature (CLS) scheme is a notable cryptographic technique for solving the key escrow problem in identity-based cryptosystems (IBC). In CLS, the private key is computed collectively by both the key generation center (KGC) and the signer, which ensures that no vindictive KGC can masquerade as the actual signer. Recently, a number of CLS schemes have been proposed using bilinear pairings and shown to be secure under the standard security model. It is well known that one such pairing operation requires significantly more computational cost than the other cryptographic operations. In this paper, we propose a new CLS scheme using elliptic curve cryptography (ECC), which does not require a bilinear pairing operation. Our CLS scheme is analyzed formally and found to be provably secure against both Type-I and Type-II attacks based on the intractability of the elliptic curve discrete logarithm problem (ECDLP) under the random oracle model. Performance evaluation demonstrates that the proposed CLS scheme outperforms other competitive CLS schemes.
Article
In this paper, an efficient certificateless signature scheme recently proposed by Fengyin LI and Peiyu LIU is analyzed, and the scheme turns out to be insecure. Concretely, the proposed certificateless signature scheme suffers from the public key replacement attack, so that anyone can forge a valid signature on any message. Then, to overcome this flaw, a comprehensive and improved scheme is proposed, whose security is based on the CDH assumption. Furthermore, the improved scheme can achieve the same trust level (Level 3) as that of traditional PKI. Taking precomputation into account, the efficiency of the improved scheme is almost the same as that of the original scheme.
Article
Certificateless cryptography is a well-known approach to avoiding the key escrow problem of identity-based cryptography. Since it was introduced by Al-Riyami and Paterson in 2003, plenty of schemes and security models have been presented and discussed. In particular, certificateless signature (CLS) has attracted the most research attention. In the literature, Hu et al. introduced a generic construction and security model that can satisfy non-repudiation. On the other hand, Huang et al. simulated possible attacks and defined more complete security models of CLS for existential unforgeability, and they sorted adversaries into normal, strong, and super adversaries (ordered by their attack powers). In this paper, we consider the security of CLS schemes regarding both existential unforgeability and non-repudiation. We not only show the weaknesses of two CLS schemes, those of Fan et al. [5] and Xiong et al. [13], but also point out the loopholes in their security proofs. Hence, we address these weaknesses and loopholes by proposing a new certificateless short signature with low bandwidth. The proposed scheme is provably secure against the super adversaries and reaches the highest security level.
Article
Certificateless cryptography not only enjoys many advantages of identity-based cryptography (IBC) but also eliminates its fatal drawback, the key escrow problem. Most of the early certificateless signature schemes are secure in the random oracle model, and nowadays more and more researchers put emphasis on schemes in the standard model. In 2010, Xia et al. demonstrated that the previous schemes in the standard model cannot resist the public-key-replacement attack. In 2012, for the purpose of overcoming this common drawback, Yu et al. presented a new certificateless signature scheme. However, this scheme is proven to be vulnerable under the public-key-replacement attack and the malicious-but-passive key generation center attack. Moreover, too many bilinear pairings are used in this scheme, which leads to low computational efficiency. Aiming at the weaknesses of the scheme by Yu et al., we propose a new certificateless signature scheme, which provides stronger security and higher computational efficiency than the existing schemes. In addition, according to the concept of Girault's trust level, the new scheme can reach trust level 3. Copyright © 2015 John Wiley & Sons, Ltd.
Article
Certificateless cryptography is an attractive paradigm, which combines the advantages of identity-based cryptography (without certificate) and traditional public key cryptography (no escrow). Recently, to solve the drawbacks of the existing certificateless signature (CL-S) schemes without random oracles, Yu et al. proposed a new CL-S scheme, which possesses several merits including shorter system parameters and higher computational efficiency than the previous schemes. However, in this work, we will point out that their CL-S scheme is insecure against key replacement attack and malicious-but-passive KGC attack. We further propose an improved scheme that overcomes the security flaws without affecting the merits of the original scheme. We prove that our scheme is existentially unforgeable against adaptive chosen message attacks under the computational Diffie-Hellman assumption in the standard model.
Article
Certificateless cryptography shares many features of identity-based cryptography and partially solves the problem of key escrow. Three certificateless signature schemes without random oracles were found in the literature. However, all the schemes suffer from some common drawbacks. First, by obtaining a signature on a message and replacing the public key of a signer, an adversary can forge valid signatures on the same message under the replaced public key. Secondly, all the schemes require a relatively large size of public parameters. The authors propose a new certificateless signature scheme, which exhibits an improvement on the existing schemes. Compared with the previous schemes, the proposed scheme offers stronger security, shorter system parameters and higher computational efficiency.
Conference Paper
We propose a fully functional identity-based encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational Diffie-Hellman problem. Our system is based on the Weil pairing. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.
Conference Paper
A certificateless signature (CLS) scheme with short signature size is proposed in this paper. Our scheme is as efficient as BLS short signature scheme in both communication and computation, and therefore turns out to be more efficient than other CLS schemes proposed so far. We provide a rigorous security proof of our scheme in the random oracle model. The security of our scheme is based on the k-CAA hard problem and a new discovered hard problem, namely, modified k-CAA problem. Our scheme can be applied to systems where signatures are typed in by human or systems with low-bandwidth channels and/or low-computation power, such as PDAs or cell phones.
Article
Certificateless public key cryptography is a recently proposed attractive paradigm which combines the advantages of both certificate-based and ID-based public key cryptosystems, as it avoids the use of certificates and does not suffer from key escrow. In this paper, we present a certificateless signature (CLS) scheme that is proved to be secure in the random oracle model under the hardness assumptions of k-CAA and Inv-CDHP. Our scheme upholds all desirable properties of previously proposed CLS schemes, and requires general cryptographic hash functions instead of the inefficient MapToPoint hash function. Furthermore, our scheme is significantly more efficient than all known CLS schemes, and the size of signatures generated by our scheme is approximately 160 bits, which is the shortest certificateless signature so far. So it can be used widely, especially in low-bandwidth communication environments.
Article
In ASIACCS 2007, Liu et al. proposed a certificateless signature scheme which is provably secure in the standard model. However, as we show in this paper, the proposed scheme is insecure against a malicious-but-passive KGC attack. This implies that a malicious-but-passive KGC, which generates system parameters based on the information of the target user, can forge valid signatures for that signer without being detected. Furthermore, we propose an improved scheme that remedies the weakness of Liu et al.'s scheme. The improved scheme can be proven secure against the malicious-but-passive KGC attack in the standard model.
An Efficient Certificateless Signcryption Scheme in the Standard Model
  • Rastegari