Computer Networks 54 (2010) 2482–2491
Contents lists available at ScienceDirect
Computer Networks
journal homepage: www.elsevier.com/locate/comnet
Efficient many-to-one authentication with certificateless
aggregate signatures
Lei Zhang a,*, Bo Qin a,b, Qianhong Wu a,c, Futai Zhang d,e
a
Department of Computer Engineering and Mathematics, Universitat Rovira i Virgili, Av. Països Catalans 26, E-43007 Tarragona, Catalonia, Spain
Department of Maths, School of Science, Xi’an University of Technology, China
c
School of Computer, Key Lab. of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, China
d
School of Computer Science and Technology, Nanjing Normal University, Nanjing, China
e
Jiangsu Engineering Research Center on Information Security and Privacy Protection Technology, Nanjing, China
b
a r t i c l e
i n f o
Article history:
Received 1 March 2009
Received in revised form 20 November 2009
Accepted 6 April 2010
Available online 11 April 2010
Responsible Editor: R. Molva
Keywords:
Information security
Message authentication
Digital signature
Certificateless cryptography
a b s t r a c t
Aggregate signatures allow an efficient algorithm to aggregate n signatures of n distinct
messages from n different users into one single signature. The resulting aggregate signature can convince a verifier that the n users did indeed sign the n messages. This feature
is very attractive for authentications in bandwidth-limited applications such as reverse
multicasts and senor networks. Certificateless public key cryptography enables a similar
functionality of public key infrastructure (PKI) and identity (ID) based cryptography without suffering from complicated certificate management in PKI or secret key escrow problem in ID-based cryptography. In this paper, we present a new efficient certificateless
aggregate signature scheme which has the advantages of both aggregate signatures and
certificateless cryptography. The scheme is proven existentially unforgeable against adaptive chosen-message attacks under the standard computational Diffie–Hellman assumption. Our scheme is also very efficient in both communication and computation and the
proposal is practical for many-to-one authentication.
Ó 2010 Elsevier B.V. All rights reserved.
1. Introduction
Digital signature is one of the most important primitives in public key cryptography. Knowing the public key
of a signer, anyone can verify whether a signature of this
signer is valid or not. This feature enables signatures to
be efficiently applied to one-to-one (unicast) and one-tomany (multicast) applications. Some multicast applications may require the root node to collect data from leaf
nodes (e.g., real-time fee collection, user preferences)
which results into a many-to-one communication. In these
applications, the root node is very likely to be swamped
when too many leaves transmit simultaneously. Hence,
to provide the usual authenticity, integrity and non-repudiation, signatures have to be elegantly designed to avoid
* Corresponding author. Tel.: +34 977558270; fax: +34 977559710.
E-mail addresses: lei.zhang@urv.cat (L. Zhang), bo.qin@urv.cat (B. Qin),
qianhong.wu@urv.cat (Q. Wu), zhangfutai@njnu.edu.cn (F. Zhang).
1389-1286/$ - see front matter Ó 2010 Elsevier B.V. All rights reserved.
doi:10.1016/j.comnet.2010.04.008
the known implosion problem in many-to-one communications [1].
1.1. Related work
Recently, the concept of aggregate signatures [4] was
introduced by Boneh et al. at Eurocrypt 2003. This notion
allows an efficient algorithm to aggregate n signatures of
n distinct messages from n different users into one single
signature. The resulting aggregate signature can convince
a verifier that the n users did indeed sign the n original
messages. These properties greatly reduce the length of
the resulting signature to be verified. Hence, aggregate signatures can be applied to the above applications.
To let a signature scheme function, the public key has to
be bound with the identity of the owner of the public key.
Traditionally, this is provided by the public key infrastructure (PKI) in which one or more third parties, known as
L. Zhang et al. / Computer Networks 54 (2010) 2482–2491
certificate authorities (CAs), issue digital certificates to
bind a user and his public key. In this paradigm, before
using the public key of a user, the participant must first
verify the certificate of the user, which implies a large
amount of computing and storage cost to manage certificates. Observing these shortcomings, Shamir put forward
identity-based public key cryptography (ID-PKC) [16] to
simplify certificate management in PKI systems. In an IDbased cryptosystem, the identity, for instance, the telephone number, email or IP address, of a user functions as
the public key of the user. However, in ID-PKC a trusted
third party called Private Key Generator (PKG) must be employed to generate the private key for each user. The user’s
private key is computed from his public known identity
and PKG’s master secret key. Hence, ID-PKC suffers from
a key escrow problem which implies that all the users have
to fully trust PKG. This might be a too strong assumption in
some applications.
To address the key escrow problem of ID-PKC, Al-Riyami and Paterson [2] invented a new paradigm called certificateless public key cryptography (CL-PKC). CL-PKC also
exploits a third party called Key Generation Center (KGC)
to help a user to generate his private key. However, the
KGC can merely determine part of the private key for each
user, rather than the whole private key of each user in IDPKC systems. In CL-PKC, the user computes the resulting
private key with the partial private key obtained from
the KGC and the secret information chosen by the user.
As for the public key of the user, it is computed from the
KGC’s public parameters and the user’s secret information.
As a result, CL-PKC systems avoid the key escrow problem
in ID-PKC systems and the complicated certificate management problem in traditional PKI systems.
The above advantages in CL-PKC motivate a lot of further studies [11,14,18,22]. In [2], Al-Riyami and Paterson
presented the first Certificateless Signature (CLS) scheme,
however, no formal proof is given. Huang et al. [12]
pointed out a security drawback of the primal CLS scheme
in [2] and defined the first security model of CLS schemes.
But the model in [12] did not fully catch the ability of the
adversaries in CL-PKC. A CLS scheme proved secure in this
model may be insecure in practice. A recent example is Yap
et al.’s scheme [18], which was broken by Park [15] and
Zhang and Feng [19] independently. Later, Zhang et al.
[20] improved the security model of CLS schemes and presented a more efficient CLS scheme. The security model of
CLS schemes was further developed in [11,13].
It is natural to investigate the notion of aggregate signatures in ID-based or certificateless cryptographic contexts.
By far, several Identity-based Aggregate Signature (IDAS)
schemes have been presented [6–8,10,17]. But most of
them only achieve partial aggregation [7,10,17]. In [6],
Cheng et al. proposed an aggregate signature scheme
whose output has the same size as an individual signature.
However, it needs that the signers are pre-determined, and
without the individual signature from each pre-determined signer, all individual signatures cannot be aggregated. At present, in ID-PKC, the only instance that can
aggregate n individual signatures into a single aggregate
signature (whose length is as short as an individual signature) is Gentry and Ramzan’s IDAS scheme. In addition,
2483
their scheme requires only three pairing operations and
is proven secure under the standard computational Diffie–Hellman (CDH) assumption. As to the aggregate signatures in the certificateless public key setting, Gong et al. [9]
presented two certificateless aggregate signature (CLAS)
schemes which are provably secure in a relatively weak
model similar to that in [12]. Later, Zhang and Zhang [21]
presented a CLAS scheme which is provably secure in a
stronger model. However, as for efficiency, all the previous
CLAS schemes require a relatively large amount of paring
computation in the process of verification and have long
outputs and may be further improved.
1.2. Our contribution
In this paper, we present a novel certificateless aggregate
signature (CLAS) scheme. By exploiting the random oracle
model [3], our CLAS scheme is proven existentially unforgeable against adaptive chosen-message attacks under the
standard CDH assumption. It allows multiple signers to sign
multiple documents in an efficient way and the total verification information (the length of the signature), consists
only two group elements. Our scheme is also very efficient
in computation, and the verification procedure needs only
a very small constant number of pairing computations,
independent of the number of aggregated signatures. With
our CLAS scheme, one can aggregate many different certificateless signatures into a single certificateless aggregate
signature, and hence effectively reduce the signature size
and verification cost. This implies that our scheme is very
applicable to secure many-to-one communications.
The rest of the paper is organized as follows. Section 2
reviews the notion and the security model of CLAS
schemes. We propose our new CLAS scheme in Section 3,
and prove its security in Section 4. In Section 5, we compare our scheme with three existing proposals, followed
by some concluding remarks in the last section.
2. Preliminaries
2.1. Modeling certificateless aggregate signature schemes
A CLAS scheme involves a KGC, an aggregating set U of n
users U1 ; ; Un , and an aggregate signature generater. It
consists of following six algorithms.
Setup: This algorithm is performed by KGC that accepts
a security parameter ‘to generate a master-key and a list
of system parameters params.
Partial-Private-Key-Extract: This algorithm is performed
by KGC that accepts a user’s identity IDi, a parameter list
params and a master-key to produce the user’s partial private key Di.
UserKeyGen: An algorithm which is run by a user that
takes as input the user’s identity IDi, and selects a random xi 2 Z q and outputs the user’s secret/public key xi/Pi.
Sign: This algorithm is run by each user Ui in an aggregating set U. Ui ’s inputs are the parameter list params,
some state information D,1 a message M i 2 M ðM is
1
Depending on the instantiation, the state information D can be empty.
2484
L. Zhang et al. / Computer Networks 54 (2010) 2482–2491
the message space), his identity IDi, his corresponding
public key Pi, and his signing key (xi, Di). The output of
Ui is a signature ri on message Mi which is valid under
his identity IDi and the corresponding public key Pi.
Aggregate: This algorithm is run by an aggregate signature generater that takes as inputs a state information
D, an aggregating set U of n users fU1 ; . . . ; Un g, the identity IDi of each user Ui , the corresponding public key Pi
of Ui , and a signature ri on a message Mi with state
information D under identity IDi and public key Pi for
each user Ui 2 U. The output of this algorithm is an
aggregate signature r on messages {M1, . . . , Mn}.
Aggregate Verify: This algorithm takes as input D, an
aggregating set U of n users fU1 ; . . . ; Un g, the identity
IDi and the corresponding public key Pi of each user
Ui , an aggregate signature r on messages {M1, . . . , Mn}.
It outputs true if the aggregate signature is valid, or
\otherwise.
2.2. Security definitions
Two types of adversaries are considered in CL-PKC –
Type I adversary and Type II adversary.2 A Type I adversary
AI does not have access to the master-key, but he has the
ability to replace the public key of any entity with a value
of his choice. While a Type II Adversary AII has access to
the master-key but cannot perform public key replacement.
More details can be found in [2].
The security of a CLAS scheme is modeled via the following two games3 between a challenger C and an adversary AI or AI .
Game 1 (for Type I Adversary).
Setup: C runs the Setup algorithm, takes as input a security parameter ‘to obtain a master-key and the system
parameter list params. C then sends params to the adversary
AI while keeping the master-key secret.
Attack: The adversary AI can perform a polynomially
bounded number of the following types of queries in an
adaptive manner.
Partial-Private-Key queries PPK(IDi): AI can request the
partial private key of any user with identity IDi. In
response, C outputs the partial private key Di of the
user.
Public-Key queries PK(IDi): AI can request the public key
Pi of a user whose identity is IDi. In response, C outputs
the public key for identity IDi.
Secret-Key queries SK(IDi): AI can request the secret key
of a user whose identity is IDi. In response, C outputs
the secret key xi for identity IDi (It outputs \, if the
user’s public key has been replaced).
Public-Key-Replacement queries PKRðIDi ; P 0i Þ: For any user
whose identity is IDi, AI can choose a new public key
P0i . AI then sets P 0i as the new public key of this user. C
will record this replacement.
2
In this paper, the ability of our Type I/II Adversary follows the original
definition which is introduced by Al-Riyami and Paterson [2].
3
Note in Game 1, when a type I adversary AI submits a Public-KeyReplacement query PKRðIDi ; P0i Þ to C; AI needs not submit the corresponding
secret key which is used to generate P0i to C [20].
Sign queries S(Di,Mi,IDi,Pi): AI can request a user’s
(whose identity is IDi) signature on a message Mi under
a state information Di. On receiving a query S(Di, Mi, IDi, Pi), C generates a signature ri on message Mi under
identity IDi and public key Pi using Di as the state information, and replies with ri.
Forgery: AI outputs a set of n users whose identities
form the set LID ¼ fID1 ; . . . ; IDn g and corresponding public
keys form the set LPK ¼ fP1 ; . . . ; Pn g, n messages form the
set LM ¼ fM1 ; . . . ; M n g, a state information D* and an aggregate signature r*.
We say that AI wins Game 1, iff.
(1) r* is a valid aggregate signature on messages
fM1 ; . . . ; M n g with state information D* under identities fID1 ; . . . ; IDn g and the corresponding public keys
fP1 ; . . . ; Pn g.
(2) At least one of the identities, without loss of generality, say ID1 2 LID has not submitted during the Partial-Private-Key queries. And SðD ; M 1 ; ID1 ; Þ has
never been queried during the Sign queries.
Game 2 (for Type II Adversary).
Setup: C runs the Setup algorithm, takes as input a security parameter ‘to obtain the system parameter list params
and also the system’s master-key. C then sends params and
master-key to the adversary AII .
Attack: The adversary AII can perform a polynomially
bounded number of the following types of queries in an
adaptive manner.
Public-Key queries PK(IDi): AII can request the public
key of a user (whose identity is IDi) of his choice.
In response, C outputs the public key Pi for identity
IDi.
Secret-Key queries SK(IDi): AII can choose a user whose
identity is IDi, and request this user’s secret key. In
response, C outputs the secret key xi for identity IDi.
Sign queries S(Di, Mi, IDi, Pi): AII can request a user’s
(whose identity is IDi) signature on a message Mi with
a state information Di. On receiving a query S(Di, Mi,
IDi, Pi), C replies with a signature ri on message Mi with
state information Di under identity IDi and public key
Pi.
Forgery: AII outputs a set of n users whose identities
form the set LID ¼ fID1 ; . . . ; IDn g and corresponding public
keys form the set LPK ¼ fP1 ; . . . ; Pn g, n messages form the
set LM ¼ fM1 ; . . . ; M n g, a state information D* and an aggregate signature r*.
We say that AII wins Game 2, iff.
(1) r* is a valid aggregate signature on messages
fM1 ; . . . ; M n g with state information D* under identities fID1 ; . . . ; IDn g and corresponding public keys
fP1 ; . . . ; Pn g.
(2) One of the identities, without loss of generality, say
ID1 2 LID has not submitted during the Secret-Key
queries. And SðD ; M 1 ; ID1 ; Þ has never been queried
during the Sign queries.
2485
L. Zhang et al. / Computer Networks 54 (2010) 2482–2491
Definition 1. A CLAS scheme is existentially unforgeable
under adaptively chosen-message attack iff the success
probability of any polynomially bounded adversary in
any of the above two games is negligible.
3. Our certificateless aggregate signature scheme
3.1. Bilinear maps
Our scheme is realized in groups which allowing efficient bilinear maps [5]. Let G1 be an additive group of
prime order q and G2 be a multiplicative group of the same
order. A map e:G1 G1 ? G2 is called a bilinear map if it
satisfies the following properties:
tion D) of n users fU1 ; . . . ; Un g with identities {ID1, . . . ,
IDn} and the corresponding public keys {P1, . . . , Pn}, and
message-signature pairs (M1, r1 = (R1, S1)), . . . , (Mn, rn =
(Rn, Sn)) from fU1 ; . . . ; Un g respectively, the aggregate
P
P
signature generater computes R ¼ ni¼1 Ri ; S ¼ ni¼1 Si
and outputs the aggregate signature r = (R, S).
Aggregate Verify: To verify an aggregate signature
r = (R, S) signed by n user fU1 ; . . . ; Un g with identities
{ID1, . . . , IDn} and corresponding public keys {P1, . . . , Pn}
on messages {M1, . . . , Mn} with the same state information D, the verifier performs the following steps.
(1) Compute T = H2(D),V = H3(D), W = H4(D), and for all
i, 1 6 i 6 n compute hi = H5(MikDkIDikPi), Qi,0 =
H1(IDi,0),Qi,1 = H1(IDi, 1).
(2) Verify
(1) Bilinearity: e(aP, bQ) = e(P, Q)ab for all P; Q 2 G1 ; a; b 2
Z q .
(2) Non-degeneracy: there exists P, Q 2 G1 such that
e(P, Q) – 1.
(3) Computability: there exists an efficient algorithm to
compute e(P, Q) for any P, Q 2 G1.
Computational Diffie–Hellman (CDH) problem in G1: given a generator P of the group G1 whose order is q, and given (aP,bP) for unknown a; b 2 Z q ; compute abP.
3.2. Our certificateless aggregate signature scheme
The specification of the scheme is as follows.
Setup: Given a parameter ‘, the KGC chooses a cyclic
additive group G1 which is generated by P with prime
order q, chooses a cyclic multiplicative group G2 of the
same order and a bilinear map e:G1 G1 ? G2. The
KGC also chooses a random k 2 Z q as the master-key
and sets PT = kP, chooses cryptographic hash functions
H1 H4 : f0; 1g ! G1 ; H5 : f0; 1g ! Z q . The system
parameter list is params = (G1, G2, e, P, PT, H1 H5). The
message space is M ¼ f0; 1g .
Partial-Private-Key-Extract: This algorithm accepts params,
master-key k and a user’s identity IDi 2 {0,1}*, and generates the partial private key for the user as follows.
(1) Compute Qi,0 = H1(IDi, 0), Qi,1 = H1(IDi, 1).
(2) Output the partial private key (Di,0, Di,1) = ( kQi,0,
kQi,1).
UserKeyGen: This algorithm takes as input params, a
user’s identity IDi, selects a random xi 2 Z q and sets
his secret/public key as xi/Pi = xiP.
Sign: To sign a message M i 2 M using the signing key
(xi, Di,0, Di,1), the signer, whose identity is IDi and the corresponding public key is Pi, first chooses a one-time-use
state information D then performs the following steps.
(1) Choose a random ri 2 Z q , compute Ri = riP.
(2) Compute hi = H5(MikDkIDikPi), T = H2(D), V = H3(D),
W = H4(D).
(3) Compute Si = Di,0 + xiV + hi(Di,1 + xiW) + riT.
(4) Output ri = (Ri, Si) as the signature on Mi.
Aggregation: Anyone can act as an aggregate signature
generater who can aggregate a collection of individual
signatures that use the same state information D. For
an aggregating set (which has the same state informa-
?
eðS; PÞ ¼ e P T ;
n
X
Q i;0 þ
i¼1
e W;
n
X
i¼1
n
X
!
hi Q i;1 e V;
i¼1
!
n
X
i¼1
Pi
!
hi P i eðT; RÞ:
If the equation holds, output true. Otherwise, output \.
In our scheme, each user in an aggregating set should
use the same one-time-use state information D when signing. As mentioned in [8], it is straightforward to choose
such a D in certain settings. For example, if the signers
have access to some loosely synchronized clocks, D can
be chosen based on the current time. Furthermore, if D is
sufficiently long, then it will be statistically unique. And
to remove the one-time-use restriction of D, Gentry and
Ramzan also provided a method. For details, please refer
to [8].
We notice that, in this paper, we follow the original definition of certificateless cryptography in [2]. In this setting,
the KGC can choose a secret key x0i 2 Z q and compute
P0i ¼ xi P as the new public key of the user with IDi. By this
replacement, the KGC can know both the partial private
key and secret key of the user. This implies that KGC can
generate signatures on behalf of that user. It seems that
both the KGC and a user may deny having generated a signature. However, in [2], the authors introduced a binding
technique4 which ensures that users can only create one
public key for which they know the corresponding private
key. This way, the systems in certificateless cryptography
can enjoy the same trust level as the systems in a traditional
PKI. In other words, if the KGC replaces a public key, then the
KGC necessarily leaves evidence of its bad behavior; and
such an action can be easily detected, as the KGC is the only
entity having that capability. Note that this scenario is
equivalent to a CA forging a certificate in a traditional PKI
system: the existence of two valid certificates for a single
identity would implicate the CA behaved maliciously.
4. Security proof
Assuming that the CDH problem is hard, we now show
the security of our CLAS scheme.
4
This technique can also be applied to our scheme
2486
L. Zhang et al. / Computer Networks 54 (2010) 2482–2491
Theorem 1. In the random oracle model, if there exists a type
I adversary A who has an advantage e in forging a signature
of our CLAS scheme in an attack modeled by Game 1, within a
time span t for a security parameter ‘; then the CDH problem
in G1 can be solved within time t þ 4qH1 þ qH2 þ qH3 þ qH4 þ
2qK þ qP þ 6qS ÞsG1 and with probability
1
1
qH1
0
e P
1
qH2
!q K
1
1 1
1
qH1 qH2
!
1
qH05
1
1
qH05
!!qS
1
qH 1
e;
where sG1 is the time to compute a scalar multiplication in G1,
n is the aggregating set’s scale.
Proof. Let C be a CDH attacker who receives a random
instance (P, aP, bP) of the CDH problem in G1 and has to
compute the value of abP. A is a type I adversary who
interacts with C as modeled in Game 1. We show how C
can use A to solve the CDH problem, i.e. to compute abP.
To make the proof easy to read, we first briefly show
where the reduction is. When the game begins, C sets
PT = aP which is an instance of the CDH problem, and simulates hash functions as random oracles. During the simulation, C needs to guess A’s target identity (without loss of
generality, say ID1 ), message (without loss of generality,
say M1 ) and state information D*. C will set Q 1;0 ¼
0
H1 ðID1 ; 0Þ ¼ ai;0 P þ a0
i;0 bP; Q 1;1 ¼ H 1 ðID1 ; 1Þ ¼ a1;1 P þ a1;1 bP;
b P; V ¼ H3 ðD Þ ¼ c P; W ¼ H4 ðD Þ ¼ p P
T ¼ H2 ðD Þ ¼
and H5 ðM 1 ; D ; ID1 ; P1 Þ ¼ h1 . (For the other settings, please
refer to our proof.) At the end of the game, A needs to output a set of n users whose identities form the set
LID ¼ fID1 ; . . . ; IDn g and corresponding public keys form
the set LPK ¼ fP1 ; . . . ; Pn g; n messages form the set
LM ¼ fM 1 ; . . . ; Mn g, a state information D* and an aggregate
signature r*. Since rast is valid, we have
eðS ; PÞ ¼ e PT ;
n
X
Q i;0 þ
i¼1
e W ;
n
X
!
hi Q i;1 e V ;
i¼1
n
X
hi Pi
i¼1
!
n
X
Pi
i¼1
!
eðT ; R Þ;
where Q i;j ¼ H1 ðIDi ; jÞ; j 2 f0; 1g. We note that
e PT ; Q 1;0 þ h1 Q 1;1
¼ e aP; ai;0 P þ a0i;0 bP þ h1 a1;1 P þ h1 a01;1 bP :
It is easy to have
eðaP; bPÞ ¼ e PT ; Q 1;0 þ h1 Q 1;1
ða0 þh1 a0 Þ1
1;0
1;1
e ai;0 h1 a1;1 aP; P
:
Furthermore
n
n
X
X
e P T ; Q 1;0 þ h1 Q 1;1 ¼ eðS ;P Þ e P T ;
Q i;0 þ
hi Q i;1
i¼2
e V ;
n
X
i¼1
!
P i e W ;
i¼2
n
X
i¼1
!
!
hi P i eðT ; R Þ
!1
:
By our setting, for 2 6 i 6 n; Q i;j ¼ ai;j P, where j 2 {0,1};
C can get the solution of the CDH problem abP ¼
Pn
Pn
Pn
1
ða0
þ h1 a0
1;0
1;1 Þ ðS
i¼2 a1;0 P T
i¼2 a1;1 hi P T c
i¼1 P i
P
n
p i¼1 hi Pi b R ða1;0 þ h1 a1;1 ÞPT Þ.
Next, we begin to propose the concrete proof.
Setup: Firstly, C sets PT = aP and selects params = (G1, G2, e, P, PT, H1 H5) then he sends params to A.
Attack: We consider hash functions H1 H5 as random
oracles. And we assume A can ask at most qHi times Hi
(i = 1, . . . , 5) queries, qK times Partial-Private-Key queries, qP
times Public-Key queries, qS times Sign queries. A can
perform the following types of queries in an adaptive
manner.
H1 queries: C maintains a list H1 of tuples ðIDi ; ai;0 ;
a0i;0 ; ai;1 ; a0i;1 ; Q i;0 ; Q i;1 Þ which is initially empty. C picks
I 2 ½1; qH1 uniformly at random. Whenever C receives an
H1 query on (IDi,j) for j 2 {0,1}, C does the following:
(1) If there is a tuple ðIDk ; ak;0 ; a0k;0 ; ak;1 ; a0k;1 ; Q k;0 ; Q k;1 Þ on
H1 such that IDi = IDk, return Qk,j as answer.
(2) Else if i = I, randomly choose ai;0 ; a0i;0 ; ai;1 ; a0i;1 2 Z q , set
Q i;0 ¼ ai;0 P þ a0i;0 bP; Q i;1 ¼ ai;1 P þ a0i;1 bP, add ðIDi ; ai;0 ;
a0i;0 ; ai;1 ; a0i;1 ; Q i;0 ; Q i;1 Þ to H1 and return Qi,j as answer.
(3) Else set a0i;0 ¼ 0; a0i;1 ¼ 0, randomly choose ai;0 ; ai;1 2
Z q , set Qi,0 = ai,0P, Qi,1 = ai,1P, add ðIDi ; ai;0 ; a0i;0 ; ai;1 ;
a0i;1 ; Q i;0 ; Q i;1 Þ to H1 and return Qi,j as answer.
H2 queries: C keeps a initially empty list H2 of tuples
(Di, Ti, bi), picks J 2 ½1; qH2 uniformly at random. Whenever
A issues a query H2(Di), the same answer from the list H2
will be given if the request has been asked before. Otherwise, C selects a random bi 2 Z q ; if i = J, computes Ti = biP,
else sets Ti = biaP. Finally, C adds (Di, Ti, bi) to H2 and returns
Ti as answer.
H3 queries: C keeps a list H3 of tuples (Dj, Vj, cj). This list
is initially empty. Whenever A issues a query Di to H3, the
same answer from the list H3 will be given if the request
has been asked before. Otherwise, C first selects a random
ci 2 Z q , then computes Vi = ciP, adds (Di, Vi, ci) to H3 and returns Vi as answer.
H4 queries: C keeps a list H4 of tuples (Dj, Wj, pj). This list
is initially empty. Whenever A issues a query Di to H4, the
same answer from the list H4 will be given if the request
has been asked before. Otherwise, C first selects a random
pi 2 Z q , then computes Wi = piP, adds (Di, Wi, pi) to H4 and
returns Wi as answer.
H5 queries: C keeps a list H5 of tuples (Mi, Di, IDi, Pi, hi).
This list is initially empty. Whenever A issues a query
(MikDikIDikPi) to H5, the same answer from the list H5 will
be given if the request has been asked before. Otherwise, C
first submits (IDi,0) to H1 oracle, then finds the tuple
ðIDi ; ai;0 ; a0i;0 ; ai;1 ; a0i;1 ; Q i;0 ; Q i;1 Þ on H1, finally does the
following:
(1) If IDi = IDI and Di = DJ (we assume that A can ask at
most qH05 < qH5 times such kind of queries), randomly choose K 2 ½1; qH05 .
(a) If it is K-th query, set hi ¼ a0i;0 =a0i;1 , add (Mi,
Di, IDi, Pi, hi) to H5 and return hi.
(b) Else select a random hi 2 Z q , add (Mi, Di, IDi,
Pi, hi) to H5 and return hi as answer.
2487
L. Zhang et al. / Computer Networks 54 (2010) 2482–2491
(2) Else, select a random hi 2 Z q , add (Mi, Di, IDi,
Pi, hi) to H5 and return hi as answer.
Partial-Private-Key queries: C keeps a list K of tuples
(IDi, xi, Di,0, Di,1, Pi). This list is initially empty. When A issues a query PPK(IDi), the same answer from the list K will
be given if the request has been asked before. Otherwise, C
checks whether there is a tuple ðIDi ; ai;0 ; a0i;0 ; ai;1 ; a0i;1 ; Qi,0,
Qi,1, ci) on H1, if no, C makes an H1 query on (IDi,j) (j = 0
or 1) to generate such a tuple, finally does as follows.
(1) If IDi = IDI, abort.
(2) Else if there’s a tuple (IDi, xi, Di,0, Di,1, Pi) on K, set
Di,0 = ai,0PT, Di,1 = ai,1PT and return (Di,0, Di,1) as
answer.
(3) Else, first compute Di,0 = ai,0PT, Di,1 = ai,1PT, set
xi = Pi = \, then return (Di,0, Di,1) as answer and add
(IDi, xi,Di,0, Di,1, Pi) to K.
Public-Key queries: On receiving a query PK(IDi), if the request has been asked before, the current public key from
the list K will be given. Otherwise, C does as follows.
(1) If there is a tuple (IDi, xi, Di,0, Di,1, Pi) on K (in this case,
the public key Pi of IDi is \), choose x0i 2 Z q , compute
P0i ¼ x0i P, return P 0i as answer and update (IDi, xi, Di,0,
Di,1, Pi) to ðIDi ; x0i ; Di;0 ; Di;1 ; P 0i Þ.
(2) Otherwise, choose xi 2 Z q , compute Pi = xiP, return Pi
as answer, set Di,0 = Di,1 = \ and add (IDi, xi, Di,0,
Di,1, Pi) to K.
Secret-Key queries: On receiving a query SK(IDi), C first
makes PK(IDi) then finds the tuple (IDi, xi, Di,0, Di,1, Pi) on K
and returns xi as answer (note that the value of xi maybe
\).
Public-Key-Replacement queries: A can choose a new
public key for the user whose identity is IDi. On receiving
a query PKRðIDi ; P 0i Þ, C first finds the tuple (IDi, xi, Di,0, Di,1, Pi)
on K (if such a tuple does not exists on K or Pi = \, C first
makes PK(IDi)), then C updates Pi to P 0i .
Sign queries: On receiving a Sign query S(Di, Mi, IDi, Pi), C
first makes H1(IDi, 0),H1(IDi, 1), H2(Di), H3(Di), H4(Di) and
H5(MikDikIDikPi) queries if they are not queried before,
then recovers ðIDi ; ai;0 ; a0i;0 ; ai;1 ; a0i;1 ; Q i;0 ; Q i;1 Þ from H1, (Di,
Ti, bi) from H2, (Di, Vi, ci) from H3, (Di, Wi, pi) from H4, (Mi,
Di, IDi, Pi, hi) from H5 and generates the signature as follows.
(1) If IDi = IDI, Di = DJ, and hi ¼ a0i;0 =a0i;1 , choose Ri 2 G1 ,
compute Si = biRi + ciPi + pihiPi + ai,0PT + ai,1hiPT, output ri = (Ri,Si).
(2) Else if IDi = IDI, Di = DJ, abort.
(3) Else if IDi = IDI, choose ri 2 Z q , set Ri ¼ ri P b1
i ðQ i;0 þ
hi Q i;1 Þ compute Si = ciPi + pihiPi + riTi, output ri = (Ri,
Si).
(4) Else, randomly choose r i 2 Z q , compute Ri = riP, set
Si = ai,0PT + hiai, 1PT + ciPi + hipiPi + riTi, output ri = (Ri,
Si).
Note that in our CLAS scheme Di is only for one-time
use. Hence, it is reasonable for C to abort when IDi = IDI,
Di = DJ and hi – a0i;0 =a0i;1 .
Forgery: Eventually, A returns a set of n users, whose
identities form the set LID ¼ fID1 ; . . . ; IDn g and corresponding public keys form the set LPK ¼ fP 1 ; . . . ; P n g; n messages
form the set LM ¼ fM 1 ; . . . ; M n g; a state information D* and
a forged aggregate signature r* = (R*,V*).
C recovers (D*, T*, b*) from H2, (D*, V*, c*) from H3,
(D*, W*, p*) from H4 and the tuples ðIDi ; ai;0 ; a0
i;0 ; ai;1 ;
a0i;1 ; Q i;0 ; Q i;1 Þ from H1, ðMi ; D ; IDi ; Pi ; hi Þ from H5 for all
i,1 6 i 6 n.
It requires that Dast = DJ and there exists i 2 {1, . . . , n}
0
such that IDi ¼ IDI , hi – a0
i;0 =ai;1 and A has not made a
SðM i ; D ; IDi ; Þ query. Without loss of generality, we let
i = 1. In addition, the forged aggregate signature must
satisfy
eðS ; PÞ ¼ e PT ;
n
X
n
X
Q i;0 þ
i¼1
e W ;
!
hi Q i;1 e V ;
i¼1
n
X
hi Pi ÞeðT ; R
i¼1
!
n
X
Pi
i¼1
!
:
Otherwise, C aborts.
If C does not abort, from the above equation, we have
!
n
n
X
X
e P T ; Q 1;0 þ h1 Q 1;1 ¼ eðS ;P Þ e P T ;
Q i;0 þ
hi Q i;1
i¼2
e V ;
n
X
i¼1
Pi
!
i¼2
e W ;
n
X
hi P i
i¼1
!
eðT ; R Þ
!1
:
And by our setting, Q 1;0 ¼ a1;0 P þ a0
1;0 bP, Q 1;1 ¼ a1;1 Pþ
*
*
*
*
*
*
0
a1;1 bP, T = b P, V = c P, W = p P; and for i, 2 6 i 6 n,
Q i;j ¼ ai;j P, where j 2 {0,1}; hence, C can compute
n
n
1
X
X
abP ¼ a01;0 þ h1 a01;1
S
a1;0 PT
a1;1 hi P T
i¼2
c
n
X
i¼1
Pi
p
n
X
i¼1
hi Pi
i¼2
1;0
b R a
þ
h1
!
a PT :
1;1
To complete the proof, we shall show that C solves the
given instance of CDH problem with probability at least
0
e . First, we analyze the four events needed for C to
succeed:
R1: C does not abort as a result of any of A’s Partial-Private-Key queries.
R2: C does not abort as a result of any of A’s signature
queries.
R3: A generates a valid and nontrivial aggregate signature forgery.
R4: Event R3 occurs, D* = DJ and there exists
0
i 2 {1, . . . , n} such that IDi ¼ IDI , hi – a0
i;0 =ai;1 (as mentioned previously, we assume i = 1).
C succeeds if all of these events happen. The probability
Pr[R1 ^ R2 ^ R3 ^ R4] can be decomposed as
Pr½R1 ^ R2 ^ R3 ^ R4 ¼ Pr½R1Pr½R2jR1Pr½R3jR1
^ R2Pr½R4jR1 ^ R2 ^ R3:
Claim 1. The probability that C does not abort as a result of
A’s key extraction queries is at least ð1 q1 ÞqK . Hence we
H1
have
2488
L. Zhang et al. / Computer Networks 54 (2010) 2482–2491
Pr½R1 P
1
1
qH 1
!q K
:
Proof. For a Partial-Private-Key query, C will abort iff the
query is on ID1 ¼ IDI . It is easy to see that the probability
C does not abort for a Partial-Private-Key query is 1 q1 .
H1
Since A can make at most qK times Partial-Private-Key
queries, the probability that C does not abort as a result
qK
of A’s Partial-Private-Key queries is at least 1 q1
. h
Theorem 2. In the random oracle model, if there exists a type
II adversary A has an advantage e in forging a signature of
our CLAS scheme in an attack modeled by Game 2, within a
time span t for a security parameter ‘; then the CDH problem
in G1 can be solved within time t þ ðqH2 þ 2qH3 þ 2qH4 þ
qP þ 6qS ÞsG1 and with probability
0
e
1
P 1
qHP
!qK
1 1
1
1
1
qP qH2
qH05
!!qS
1 1
1
1
qP qH2
qH05
!
e:
H1
Claim 2. The probability that C does not abort as a result of
qS
.
A’s signature queries is at least 1 qH1 qH1 1 q10
1
H
2
5
Thus there hold
1 1
1
qH1 qH2
Pr½R2jR1 P
1
1
qH05
!!qS
:
Proof. When C receives a Sign query, he will abort iff
IDi = IDI,Di = DJ and hi – a0i;0 =a0i;1 happens. So for a Sign
query, the probability that C does not abort is
1 qH1 qH1 1 q10 . Since A makes at most qS times Sign
1
H
2
5
queries, the probability that C does not abort as a result
qS
. h
ofA’s Sign queries is at least 1 qH1 qH1 1 q 10
1
H
2
5
Claim 3. Pr[R3jR1 ^ R2] P e.
Proof. If algorithm C does not abort as a result of A’s signature queries and key extraction queries then algorithm
A’s view is identical to its view in the real attack. Hence,
Pr[R3jR1 ^ R2] P e. h
Claim 4. The probability that C does not abort after A outputting a valid and nontrivial forgery is at least
1
1
1
1
. Hence
qH qH
q 0
1
H
2
5
1 1
Pr½R4jR1 ^ R2 ^ R3 P
qH 1 qH 2
!
1
:
1
qH05
Proof. Events R1, R2 and R3 have occurred, C will abort
unless A generates a forgery such that ID1 ¼ IDI ; D ¼ DJ
and
h – a0
=a0 .
Therefore,
Pr½R3jR1 ^ R2 P
1
1;0 1;1
1
1
1 q 10 . h
qH qH
1
H
2
5
Proof. Let C be a CDH attacker who receives a random
instance (P, aP, bP) of the CDH problem in G1 and has to
compute the value of abP. A is a type II adversary who
interacts with C as defined in Game 2. We show how C
can use A to solve the CDH problem, i.e. to compute abP.
Setup: Firstly, C selects a random k 2 Z q as the masterkey, computes PT = kP, then selects the system parameters
params = (G1, G2, e, P, PT, H1 H5). When the simulation is
started, A is provided with params and the master-key k.
Since A has access to the master-key, he can do PartialPrivate-Key-Extract himself.
Attack: We assume A asking at most qHi times Hi
(i = 2, . . . , 5) queries, qP times Public-Key queries, qK times
Secret-Key queries, qS times Sign queries. A can perform the
following types of queries in an adaptive manner. Note
that we need not model the hash function H1 as a random
oracle in this case.
H2 queries: C keeps a initially empty list H2 of tuples
(Di, Ti, bi), randomly selects I 2 ½1; qH2 . Whenever A issues
a query H2(Di), the same answer from the list H2 will be
given if the request has been asked before. Otherwise, C
selects a random bi 2 Z q , if i = I, computes Ti = biP, else sets
Ti = biaP. Finally, C adds (Di, Ti, bi) to H2 and returns Ti as
answer.
H3 queries: C keeps a list H3 of tuples ðDi ; V i ; ci ; c0i Þ. This
list is initially empty. Whenever A issues a query Di to H3,
the same answer from the list H3 will be given if the
request has been asked before. Otherwise, C randomly
selects
ci ; c0i 2 Z q , computes V i ¼ ci P þ c0i aP, adds
ðDi ; V i ; ci ; c0i Þ to H3 and returns Vi as answer.
H4 queries: C keeps a list H4 of tuples ðDi ; W i ; pi ; p0i Þ. This
list is initially empty. Whenever A issues a query Di to H3,
the same answer from the list H4 will be given if the
request has been asked before. Otherwise, C randomly
selects pi ; p0i 2 Z q , computes W i ¼ pi P þ p0i aP, adds
ðDi ; W i ; pi ; p0i Þ to H4 and returns Wi as answer.
Public-Key queries: C keeps a initially empty list K of
tuples (IDi, xi, Pi), chooses J 2 [1, qP]. On receiving a query
PK(IDi), the same answer from the list K will be given if the
request has been asked before. Otherwise, C selects xi 2 Z q
and dose the following.
Totally, we have
e0 ¼ Pr½R1 ^ R2 ^ R3 ^ R4
1
P
1
qH2
1
qH1
!q K
1
1
1
qH05
!
1 1
qH1 qH2
e:
1
1
qH05
!!qS
1
qH 1
(1) If i = J, set Pi = xibP, add (IDi, xi, Pi) to K and return Pi as
answer.
(2) Else, compute Pi = xiP, add (IDi, xi, Pi) to K and return
Pi as answer.
H5 queries: C keeps a list H5 of tuples (Mi, Di, IDi, Pi, hi).
This list is initially empty. Whenever A issues a query
(MikDikIDikPi) to H5, the same answer from the list H5 will
2489
L. Zhang et al. / Computer Networks 54 (2010) 2482–2491
be given if the request has been asked before. Otherwise, C
first makes H2(Di), PK(IDi) then finds (Di, Ti, bi, ci) on H2,
ðIDi ; xi ; Pi ; c0i Þ on K; finally does the following:
Now we determine the probability e0 for C to solve the given instance of CDH problem. We analyze the four events
needed for C to succeed:
(1) If Di = DI and Pi = PJ (we assume that A can ask at
most qH05 < qH5 times such kind of queries), randomly choose K 2 ½1; qH05 .
(a) If it is the K-th query, set hi ¼ c0i =p0i , add (Mi, Di, IDi, Pi, hi) to H5 and return hi as answer.
(b) Else select a random hi 2 Z q , add (Mi, Di, IDi, Pi, hi)
to H5 and return hi as answer.
(2) Else select a random hi 2 Z q , add (Mi, Di, IDi, Pi, hi) to
H5 and return hi as answer.
R5: C does not abort as a result of any of A’s Secret-Key
queries.
R6: C does not abort as a result of any of A’s signature
queries.
R7: A generates a valid and nontrivial aggregate signature forgery.
0
R8: Event R7 occurs, D ¼ DI ; P1 ¼ PJ ; ðh1 – c0
1 =p1 .
Secret-Key queries: On receiving a query SK(IDi), C first
makes PK(IDi) then recovers the tuple (IDi, xi, Pi) from K. If
IDi = IDJ, C aborts; otherwise, returns xi as answer.
Sign queries: On receiving a Sign query S(Mi, Di, IDi, Pi), C
first makes H2(Di), H3(Di), H4(Di), H5(MikDikIDikPi) and
PK(IDi) queries if they are not queried before, then finds the
tuples (Di, Ti, bi) on H2, ðDi ; V i ; ci ; c0i Þ on H3, ðDi ; W i ; pi ; p0i Þ on
H4, (Mi, Di, IDi, Pi, hi) on H5, (IDi, xi, Pi) on K and generates the
signature as follows:
(1) If Di = DI, Pi = PJ and hi ¼ c0i =p0i , randomly choose
Ri 2 G1 , compute Si = k (H1(IDi, 0) + hiH1(IDi, 1)) +
ciPi + pihiPi + biR.
(2) Else if Di = DI, Pi = PJ, abort.
(3) Else if Pi = PJ, choose ri 2 Z q , set Ri ¼ ri P b1
i
ðc0i þ p0i hi ÞPi , compute Si = riTi + (ci + pihi)Pi + k(H1(IDi,
0) + hiH1(IDi, 1)), output ri = (Ri, Si).
(4) Else randomly choose ri 2 Z q , compute Ri = riP, compute Si = k(H1(IDi, 0) + hi H1(IDi, 1)) + xiV + hixiW + riTi,
output ri = (Ri, Si).
Forgery: Finally, A returns a set of n users, whose
identities form the set LID ¼ fID1 ; . . . ; IDn g and corresponding public keys form the set LPK ¼ fP 1 ; . . . ; Pn g; n messages
form the set LM ¼ fM 1 ; . . . ; M n g; a state information D* and
a forged aggregate signature r* = (R*,S*).
0
C recovers (D*, T*, b*) from H2, (D*, V*, cast, c *) from H3,
0
ast
*
*
*
(D , W , p , p ) from H4 and the tuples ðM i ; D ; IDi ; Pi ; hi Þ
from H5, ðIDi ; xi ; P i Þ from K for all i,1 6 i 6 n.
It requires that Dast = DI and there exists i 2 {1, . . . , n}
0
such that P i ¼ P J , hi – c0
i =pi and SðD ; M i ; IDi ; Þ has
never been queried. Without loss of generality, we let i = 1.
In addition, the forged aggregate signature must satisfy
eðS ; PÞ ¼ e PT ;
n
X
Q i;0
þ
i¼1
e W ;
hi Q i;1
i¼1
n
X
!
e V ;
!
n
X
Pi
i¼1
!
H1 ðIDi ; jÞ; j
where
¼
2 f0; 1g. Otherwise, C aborts.
If C does not aborts, we have
abP ¼ c0 x1 þ p h1 x1
n
X
i¼2
xi V
1
n
X
i¼2
Pr½R5 ^ R6 ^ R7 ^ R8 ¼ Pr½R5Pr½R6jR5Pr½R7jR5
^ R6Pr½R8jR5 ^ R6 ^ R7:
Similar to Theorem 1, we have
8
qK
>
1
>
> Pr½R5 P 1 qP
>
>
>
qS
>
<
Pr½R6jR5 P 1 q1 q1 ð1 qH05 Þ
P
H2
>
>
> Pr½R7jR5 ^ R6 P e
>
>
>
>
: Pr½R8jR5 ^ R6 ^ R7 P q1 q1 ð1 qH0 Þ
5
P
H
2
Finally, we have
e0 ¼ Pr½R5 ^ R6 ^ R7 ^ R8
1
1
qHP
P
1
qH2
!qK
1
1 1
1
qP qH2
!
1
qH05
e:
1
1
qH05
!!qS
1
qP
5. Comparison
In this section we compare our scheme with the
schemes in [9,21]. Firstly, we list some costly operations,
i.e. Pairing Operation ðPÞ, Scalar Multiplication in G1 ðSÞ
and MapToPoint Hash ðHÞ. Among those operations, Pairing Operation is the most time consuming one. We use
the notation SL meaning signature length, PKL meaning
public key length, P1 meaning the length of a point in G1.
And we omit the cost of the operations which can be
pre-computed by the signer such as H1(IDi,j) etc (see
Table 1).
From the table, the Sign procedure of our scheme is
slightly less efficient than that of the schemes in [9,21].
However, our Aggregate Verify procedure is much more effi-
hi Pi eðT ; R Þ;
i¼1
Q i;j
n
X
C succeeds if all of these events happen. The probability
Pr[R5 ^ R6 ^ R7 ^ R8] can be decomposed as
S k
n
X
i¼1
Q i;0 þ
n
X
hi Q i;1
i¼1
!
!
hi xi W b R c P1 p h1 P1 :
Table 1
Comparison of three CLS schemes.
Schemes
Sign
Aggregate Verify
SL
PKL
First scheme in
[9]
Second scheme
in [9]
Scheme in [21]
Our scheme
2S; H
ð4n þ 1ÞP; 2nH
ðn þ 1ÞP1
2P1
3S; H
ð3n þ 2ÞP; nS; 3nH
2P1
2P1
3S; 2H
5S; 3H
ðn þ 3ÞP; ð2n þ 1ÞH
5P; 2nS; ð2n þ 3ÞH
ðn þ 1ÞP1
2P1
1P1
1P1
2490
L. Zhang et al. / Computer Networks 54 (2010) 2482–2491
cient than those of the schemes in [9,21]. For application
purposes the practicality of an aggregate signature scheme
is mainly dominated by Aggregate Verify algorithm. This is
due to the fact that the verifier must verify n different signatures distributively generated by each users. This implies that our scheme may enjoy better practicality.
As for the signature size, our signature requires only
two elements in G1 and approximately 320 bits. Note that
in CL-PKC a signer has to send the signature together with
the corresponding public key to a verifier for a verification.
One can see that our scheme is the most bandwidth-saving
one among the three schemes, observing that the public
key of a user in our scheme is only one element in G1.
6. Conclusion
We presented an efficient certificateless aggregate signature scheme. The proposal is proven existentially
unforgeable against adaptively chosen-message attack in
the random oracle model assuming that the CDH problem
is hard. Our CLAS scheme can be applied to authentications
in bandwidth-limited scenarios such as many-to-one
communications.
Acknowledgments
This work is supported by the Spanish Government
through Projects TSI2007-65406-C03-01 ‘‘E-AEGIS” and
CONSOLIDER INGENIO 2010 CSD2007-00004 ‘‘ARES”, and
by the Government of Catalonia under Grant 2009 SGR
1135, and by the Chinese NSF Projects 60673070,
60970114, 60970115 and 60970116. The views of the
author with the UNESCO Chair in Data Privacy do not necessarily reflect the position of UNESCO nor commit that
organization.
References
[1] C.K. Miller, Multicast Networking and Applications, Addison Wesley,
Reading, MA, 1999.
[2] S. Al-Riyami, K. Paterson, Certificateless public key cryptography, in:
ASIACRYPT 2003, LNCS, vol. 2894, 2003, pp. 452–473.
[3] M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for
designing efficient protocols, in: ACM CCCS ’93, 1993, pp. 62–73.
[4] D. Boneh, C. Gentry, B. Lynn, H. Shacham, Aggregate and verifiably
encrypted signatures from bilinear maps, in: EUROCRYPT 2003,
LNCS, vol. 2656, 2003, pp. 416–432.
[5] D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil
pairing, in: Asiacrypt 2001, LNCS, vol. 2248, 2001, pp. 514–532.
[6] X. Cheng, J. Liu, X. Wang. Identity-based aggregate and verifiably
encrypted signatures from bilinear pairing, in: ICCSA 2005, LNCS, vol.
3483, 2005, pp. 1046–1054.
[7] J. Cheon, Y. Kim, H. Yoon, A new id-based signature with batch
verification, Cryptology ePrint Archive, Report 2004/131 2006.
[8] C. Gentry, Z. Ramzan, Identity-based aggregate signatures, in: PKC
2006, LNCS, vol. 3958, 2006, pp. 257–273.
[9] Z. Gong, Y. Long, X. Hong, K. Chen, Two certificateless aggregate
signatures from bilinear maps, in: IEEE SNPD 2007, vol. 3, 2007,
pp. 188–193, <http://eprints.eemcs.utwente.nl/14802/02/Practical_
Certificateless_Aggregate_Signatures_From_Bilinear_Maps.pdf>.
[10] J. Herranz, Deterministic identity-based aggregate signatures for
partial aggregation, The Computer Journal 49 (3) (2006) 322–330.
[11] B. Hu, D. Wong, Z. Zhang, X. Deng, Key replacement attack against a
generic construction of certificateless signature, in: ACISP 2006,
LNCS, vol. 4058, 2006, pp. 235–346.
[12] X. Huang, W. Susilo, Y. Mu, F. Zhang, On the security of a
certificateless signature scheme, in: CANS 2005, LNCS, vol. 3810,
2005, pp. 13–25.
[13] X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu. Certificateless
signature revisited. ACISP 2007, LNCS 4586, 2007, pp. 308–322.
[14] J. Liu, M. Au, W. Susilo, Self-generated-certificate public key
cryptography and certificateless signature/encryption scheme in
the standard model, in: ACM ASIACCS’07, 2007.
[15] J. Park, An attack on the certificateless signature scheme from EUC
Workshops 2006, Cryptology ePrint Archive, Report 2006/442,
2006.
[16] A. Shamir, Identity based cryptosystems and signature schemes, in:
Crypto’84, LNCS, vol. 196, 1984, pp. 47–53.
[17] J. Xu, Z. Zhang, D. Feng, ID-based aggregate signatures from bilinear
pairings, in: CANS 2005, LNCS, vol. 3810, 2005, pp. 110–119.
[18] W. Yap, S. Heng, B. Goi, An efficient certificateless signature
scheme, in: EUC Workshops 2006, LNCS, vol. 4097, 2006, pp. 322–
331.
[19] Z. Zhang, D. Feng, Key replacement attack on a certificateless
signature scheme, Cryptology ePrint Archive, Report 2006/453,
2006.
[20] Z. Zhang, D. Wong, J. Xu, D. Feng, Certificateless public-key
signature: security model and efficient construction, in: ACNS
2006, LNCS, vol. 3989, 2006, pp. 293–308.
[21] L. Zhang, F. Zhang, A New Certificateless Aggregate Signature
Scheme, Computer Communications (2009), doi:10.1016/j.comcom.
2008.12.042.
[22] L. Zhang, F. Zhang, A new provably secure certificateless signature
scheme, in: IEEE ICC’08, 2008, pp. 1685–1689.
Lei Zhang is currently a PhD candidate in the
Department of Computer Engineering and
Mathematics at Universitat Rovira i Virgili of
Tarragona, Catalonia. His research interests
include public key cryptography, network
security and information security. He is
authored/coauthored over 20 publications.
Bo Qin obtained her PhD from Xidian University in 2008. She is now with Universitat
Rovira i Virgili as postdoctoral researcher in
Catalonia. Her research interests include
cryptography, data privacy, and network
security. She has been a holder/coholder of
five R+D funds from Spanish/Chinese government, and authored/coauthored over 30 publications in information security.
Qianhong Wu has been with University of
Wollongong as associate research fellow in
Australia, Wuhan University as associate
professor in China, and now with Universitat
Rovira i Virgili as senior researcher in Catalonia. His research interests include cryptography, information security and privacy, and ad
hoc networks security. He has been a holder/
coholder of six R+D funds from Spanish/Chinese/Australian government, and authored
over 60 publications. He served in the program committee of several international
conferences on information security and privacy. Dr. Qianhong Wu is a
member of the International Association for Cryptologic Research (IACR).
L. Zhang et al. / Computer Networks 54 (2010) 2482–2491
Futai Zhang is a professor in School of Computer Science and Technology at Nanjing
Normal University, Nanjing, China. His
research interests include information security, network security and cryptography.
2491