An Efficient Certificateless Signature Scheme in the Standard Model

  • Conference paper
Information Systems Security (ICISS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10063)

Abstract

Identity-based cryptography was introduced by Shamir at Crypto’84 to avoid the use of expensive certificates in certified public key cryptography. In such a system, the identity becomes the public key, and each user needs to interact with a designated authority to obtain the related private key. It suffers, however, from the key escrow problem, since the authority knows the private keys of all users. To deal with this problem, Riyami and Paterson introduced, at Asiacrypt’03, the notion of certificateless public key cryptography. In this case, there is no need for a certificate to certify the public key, and neither the user nor the authority can derive the full private key alone. There have been several efforts to propose a certificateless signature (\(\mathsf {CLS}\)) scheme in the standard model, but all of them make use of either Waters’ technique or the generic conversion technique (proposed by Yum and Lee at ACISP’04 and later modified by Hu et al. at ACISP’06), both of which lead to inefficient schemes. In this paper, we introduce a new and direct approach to constructing a \(\mathsf {CLS}\) scheme, secure in the standard model, with constant size for all parameters and efficient computing time. Our scheme is therefore very efficient compared to existing \(\mathsf {CLS}\) schemes in the standard model.

References

  1. Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003). doi:10.1007/978-3-540-40061-5_29

  2. Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptology 21(2), 149–177 (2008)

  3. Chatterjee, S., Sarkar, P.: Trading time for space: towards an efficient IBE scheme with short(er) public parameters in the standard model. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 424–440. Springer, Heidelberg (2006). doi:10.1007/11734727_33

  4. Choi, K.Y., Park, J.H., Hwang, J.Y., Lee, D.H.: Efficient certificateless signature schemes. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 443–458. Springer, Heidelberg (2007). doi:10.1007/978-3-540-72738-5_29

  5. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008)

  6. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)

  7. Hu, B.C., Wong, D.S., Zhang, Z., Deng, X.: Key replacement attack against a generic construction of certificateless signature. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 235–246. Springer, Heidelberg (2006). doi:10.1007/11780656_20

  8. Huang, X., Mu, Y., Susilo, W., Wong, D.S., Wu, W.: Certificateless signatures: New schemes and security models. Comput. J. 55(4), 457–474 (2012)

  9. Huang, X., Susilo, W., Mu, Y., Zhang, F.: On the security of certificateless signature schemes from Asiacrypt 2003. In: Desmedt, Y.G., Wang, H., Mu, Y., Li, Y. (eds.) CANS 2005. LNCS, vol. 3810, pp. 13–25. Springer, Heidelberg (2005). doi:10.1007/11599371_2

  10. Liu, J., Au, M., Susilo, W.: Self-generated-certificate public key cryptography and certificateless signature, encryption scheme in the standard model. In: Proceeding 2007 ACM Symposium Information, Singapore (2007)

  11. Naccache, D.: Secure and practical identity-based encryption. Cryptology ePrint Archive, Report 2005/369 (2005)

  12. Pointcheval, D., Sanders, O.: Short randomizable signatures. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 111–126. Springer, Heidelberg (2016). doi:10.1007/978-3-319-29485-8_7

  13. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). doi:10.1007/3-540-39568-7_5

  14. Tso, R., Yi, X., Huang, X.: Efficient and short certificateless signature. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 64–79. Springer, Heidelberg (2008). doi:10.1007/978-3-540-89641-8_5

  15. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). doi:10.1007/11426639_7

  16. Xia, Q., Xu, C., Yu, Y.: Key replacement attack on two certificateless signature schemes without random oracles. Key Eng. Mater. 439, 1606–1611 (2010)

  17. Xiong, H., Qin, Z., Li, F.: An improved certificateless signature scheme secure in the standard model. Fundamenta Informaticae (2008)

  18. Yu, Y., Mu, Y., Wang, G., Xia, Q., Yang, B.: Improved certificateless signature scheme provably secure in the standard model. IET Inf. Secur. 6(2), 102–110 (2012). ISSN 1751–8709

  19. Yuan, Y., Li, D., Tian, L., Zhu, H.: Certificateless signature scheme without random oracles. In: Park, J.H., Chen, H.-H., Atiquzzaman, M., Lee, C., Kim, T., Yeo, S.-S. (eds.) ISA 2009. LNCS, vol. 5576, pp. 31–40. Springer, Heidelberg (2009). doi:10.1007/978-3-642-02617-1_4

  20. Yum, D.H., Lee, P.J.: Generic construction of certificateless signature. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 200–211. Springer, Heidelberg (2004). doi:10.1007/978-3-540-27800-9_18

  21. Zhang, Z., Wong, D.S., Xu, J., Feng, D.: Certificateless public-key signature: security model and efficient construction. In: Zhou, J., Yung, M., Bao, F. (eds.) ACNS 2006. LNCS, vol. 3989, pp. 293–308. Springer, Heidelberg (2006). doi:10.1007/11767480_20

Acknowledgement

This work was partially conducted within the context of the Vietnamese Project Pervasive and Secure Information Service Infrastructure for Internet of Things based on Cloud Computing.

Corresponding author

Correspondence to Sébastien Canard.

A Proof of Assumption 2 in Bilinear Generic Group

Assume that \(q\in \mathbb {Z}\) is the maximum number of queries the adversary can make to the oracle \(\mathcal {O}_1\) or \(\mathcal {O}_2\). The adversary then receives inputs from the groups \(\mathbb {G}\) and \(\widetilde{\mathbb {G}}\). For the group \(\widetilde{\mathbb {G}}\), the adversary has:

$$P = \left( 1, x, y,s, \Big \{\frac{y}{r_{i,j}}\Big \}_{i,j\in [\sqrt{q}]}\right) $$

For the group \(\mathbb {G}\), the adversary has:

$$\begin{aligned} Q= & {} \Big ( 1, x, y, \Big \{\frac{x}{s+\mathsf {ID}_i}, \frac{y}{s+\mathsf {ID}_i}, \frac{1}{s+\mathsf {ID}_i}\Big \}_{i\in [q] \atop i \ne t},\\&\quad \Big \{\frac{(x+m_j.y).r_{i,j}}{s+\mathsf {ID}_i}, \frac{r_{i,j}}{s+\mathsf {ID}_i}, r_{i,j}\Big \}_{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop (i,j)\ne (t,t)}\Big ) \end{aligned}$$

where \(\mathsf {ID}^* = \mathsf {ID}_t, m^* = m_t\). We need to prove that the adversary cannot simultaneously derive \(\frac{y}{r^*}\) from P and, from Q, the triplet

$$\frac{(x+m^*.y).r^*}{s+\mathsf {ID}^*}, \frac{r^*}{s+\mathsf {ID}^*}, r^*$$

Assume that \(B_1, B_2, B_3\) are linear combinations of elements in Q which lead to the triplet

$$\frac{(x+m^*.y).r^*}{s+\mathsf {ID}^*}, \frac{r^*}{s+\mathsf {ID}^*}, r^*$$

Therefore, we have the equations

$$B_1 = (x+m^*.y).B_2 \tag{1}$$

$$B_3 = (s+\mathsf {ID}^*).B_2 \tag{2}$$

From the first equation, it is easy to see that \(B_2\) cannot contain the elements

$$x,y, \frac{x}{s+\mathsf {ID}_i}, \frac{y}{s+\mathsf {ID}_i}, \frac{(x+m_j.y).r_{i,j}}{s+\mathsf {ID}_i}, r_{i,j},$$

since in \(B_1\) the highest degree of the variables x, y is 1 and the \(r_{i,j}\) are unknown random constants.

From the second equation, \(B_2\) cannot contain the element 1, since the highest degree of the variable s in \(B_3\) is \(-1\). Overall, the adversary must find constants \(\{c_i\}_{i\in [q]\atop i \ne t}, \{d_{i,j}\}_{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop (i,j)\ne (t,t)}\) to produce \(B_2\). This means that:

$$B_2 = \sum _{i\in [q] \atop i \ne t}\frac{c_i}{s+\mathsf {ID}_i}+\sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop (i,j)\ne (t,t)}\frac{ d_{i,j}.r_{i,j}}{s+\mathsf {ID}_i}.$$

On the other hand, assume that A is a linear combination of elements in P which leads to \(\frac{y}{r^*}\), which means that

$$\begin{aligned} A = \frac{y}{r^*}\Leftrightarrow & {} y = A.(s+\mathsf {ID}^*).B_2 \\\Leftrightarrow & {} y = A.(s+\mathsf {ID}^*).\left( \sum _{i\in [q]\atop i \ne t}\frac{c_i}{s+\mathsf {ID}_i}+\sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop (i,j)\ne (t,t)}\frac{ d_{i,j}.r_{i,j}}{s+\mathsf {ID}_i}\right) \end{aligned}$$

The main point is that A cannot contain the elements x, s and 1 if the above equation is to hold for all x, y, s and unknown random constants \(r_{i,j}\). We thus transform it as

$$y = A.(s+\mathsf {ID}^*).B_2 \Leftrightarrow $$
$$y = (a.y+\sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop (i,j)\ne (t,t)}\frac{b_{i,j}.y}{r_{i,j}}).(s+\mathsf {ID}^*).\left( \sum _{i\in [q]\atop i \ne t}\frac{c_i}{s+\mathsf {ID}_i}+\sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop (i,j)\ne (t,t)}\frac{ d_{i,j}.r_{i,j}}{s+\mathsf {ID}_i}\right) $$

and then

$$1 = (a+\sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop (i,j)\ne (t,t)}\frac{b_{i,j}}{r_{i,j}}).\left( \sum _{i\in [q]\atop i \ne t}\frac{c_i.(s+\mathsf {ID}^*)}{s+\mathsf {ID}_i}+\sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop (i,j)\ne (t,t)}\frac{ d_{i,j}.r_{i,j}.(s+\mathsf {ID}^*)}{s+\mathsf {ID}_i}\right) $$

where \(a, \{b_{i,j}\}_{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop (i,j)\ne (t,t)}\) are constants. From the equation above we see that, for the equation to hold for all s and unknown random constants \(r_{i,j}\), the constants a and \(c_i\) must equal 0. So Eq. (1) can be rewritten as follows

$$(x+m^*.y).B_2 = B_1 \Leftrightarrow (x+m^*.y).\sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop (i,j)\ne (t,t)}\frac{ d_{i,j}.r_{i,j}}{s+\mathsf {ID}_i} = B_1$$
$$\Leftrightarrow \sum _{j\in [\sqrt{q}]\atop j\ne t}\frac{ d_{t,j}.r_{t,j}.(x+m^*.y)}{s+\mathsf {ID}^*} = B_1 - (x+m^*.y).\sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop i\ne t}\frac{ d_{i,j}.r_{i,j}}{s+\mathsf {ID}_i}$$

Since the \(r_{i,j}\) are unknown random constants, \(B_1\) must contain the elements related to \(r_{i,j}\); that is, the above equation should be rewritten with \(d'_{i,j}, k_{i,j}\) as constants:

$$\begin{aligned}&\sum _{j\in [\sqrt{q}]\atop j\ne t}\frac{ d_{t,j}.r_{t,j}.(x+m^*.y)}{s+\mathsf {ID}^*} = \sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop (i,j)\ne (t,t)}\frac{ d'_{i,j}.r_{i,j}.(x+m_j.y)+k_{i,j}.r_{i,j}}{s+\mathsf {ID}_i}\\&\qquad \qquad \qquad \qquad -(x+m^*.y).\sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop i\ne t}\frac{d_{i,j}.r_{i,j}}{s+\mathsf {ID}_i}\\&\quad \quad \quad \Leftrightarrow \sum _{j\in [\sqrt{q}]\atop j\ne t}\frac{ d_{t,j}.r_{t,j}.(x+m^*.y)-d'_{t,j}.r_{t,j}.(x+m_j.y)+k_{t,j}.r_{t,j}}{s+\mathsf {ID}^*}\\&=\sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop i\ne t}\frac{ d'_{i,j}.r_{i,j}.(x+m_j.y)+k_{i,j}.r_{i,j}}{s+\mathsf {ID}_i} - (x+m^*.y).\sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop i\ne t}\frac{ d_{i,j}.r_{i,j}}{s+\mathsf {ID}_i} \end{aligned}$$

Since \(j \ne t\) on the left side of the equation, the adversary cannot find \(d_{t,j}, d'_{t,j}, k_{t,j}\) such that \(d_{t,j}.r_{t,j}.(x+m^*.y)-d'_{t,j}.r_{t,j}.(x+m_j.y)+k_{t,j}.r_{t,j} = 0\) for all \(x,y, r_{t,j}\). On the other hand, the elements \(r_{t,j}\) do not appear on the right side of the equation, so one cannot find constants \(d_{t,j}, d'_{t,j}, k_{t,j}\) such that the above equation holds for all unknown random elements \(r_{t,j}\). In other words, the adversary cannot simultaneously derive \(\frac{y}{r^*}\) from P and, from Q, the triplet

$$\frac{(x+m^*.y).r^*}{s+\mathsf {ID}^*}, \frac{r^*}{s+\mathsf {ID}^*}, r^*,$$

which concludes our proof.    \(\square \)
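
The step in the proof that sets \(a\) and the \(c_i\) to 0, spelled out as an added derivation (not part of the original paper). It assumes that the \(\mathsf {ID}_i\) are pairwise distinct, so \(\mathsf {ID}_i \ne \mathsf {ID}^*\) for \(i \ne t\), and treats the \(r_{i,j}\) as independent indeterminates; the shorthand \(D_i(s)\) is introduced here and is not the paper's notation.

$$D_i(s) = \frac{s+\mathsf {ID}^*}{s+\mathsf {ID}_i} = 1 + \frac{\mathsf {ID}^*-\mathsf {ID}_i}{s+\mathsf {ID}_i}, \qquad D_t(s) = 1.$$

Expanding the product in the equation with left-hand side 1 and comparing the coefficients of each monomial in the \(r_{i,j}\) gives

$$\begin{aligned} r_{i,j}:&\quad a.d_{i,j}.D_i(s) = 0,\\ \frac{1}{r_{i,j}}:&\quad b_{i,j}.\sum _{k\in [q]\atop k \ne t} c_k.D_k(s) = 0,\\ \frac{r_{k,l}}{r_{i,j}},\ (k,l)\ne (i,j):&\quad b_{i,j}.d_{k,l}.D_k(s) = 0,\\ 1:&\quad a.\sum _{k\in [q]\atop k \ne t} c_k.D_k(s) + \sum _{(i,j)\in [\sqrt{q}]\times [\sqrt{q}]\atop (i,j)\ne (t,t)} b_{i,j}.d_{i,j}.D_i(s) = 1. \end{aligned}$$

The functions 1 and \(\frac{1}{s+\mathsf {ID}_k}\), \(k \ne t\), are linearly independent, so

$$\sum _{k\in [q]\atop k \ne t} c_k.D_k(s) = \sum _{k\in [q]\atop k \ne t} c_k + \sum _{k\in [q]\atop k \ne t}\frac{c_k.(\mathsf {ID}^*-\mathsf {ID}_k)}{s+\mathsf {ID}_k}$$

is constant in s only if every \(c_k = 0\), and the constant is then 0. If \(a \ne 0\), the first condition forces all \(d_{i,j} = 0\) and the last condition becomes \(a.\sum _k c_k.D_k(s) = 1\), which is impossible; hence \(a = 0\). The last condition then requires some \(b_{i,j} \ne 0\), so the second condition gives \(\sum _k c_k.D_k(s) = 0\) and therefore \(c_k = 0\) for all k. What remains is \(\sum b_{i,j}.d_{i,j}.D_i(s) = 1\); applying the same independence argument to it yields \(\sum _{j} b_{i,j}.d_{i,j} = 0\) for each \(i \ne t\) and

$$\sum _{j\in [\sqrt{q}]\atop j\ne t} b_{t,j}.d_{t,j} = 1,$$

so at least one \(d_{t,j}\) with \(j \ne t\) is non-zero.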

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Canard, S., Trinh, V.C. (2016). An Efficient Certificateless Signature Scheme in the Standard Model. In: Ray, I., Gaur, M., Conti, M., Sanghi, D., Kamakoti, V. (eds) Information Systems Security. ICISS 2016. Lecture Notes in Computer Science, vol 10063. Springer, Cham. https://doi.org/10.1007/978-3-319-49806-5_9

  • DOI: https://doi.org/10.1007/978-3-319-49806-5_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49805-8

  • Online ISBN: 978-3-319-49806-5

  • eBook Packages: Computer Science, Computer Science (R0)
