Computer Networks 54 (2010) 2482–2491 Contents lists available at ScienceDirect Computer Networks journal homepage: www.elsevier.com/locate/comnet Efficient many-to-one authentication with certificateless aggregate signatures Lei Zhang a,*, Bo Qin a,b, Qianhong Wu a,c, Futai Zhang d,e a Department of Computer Engineering and Mathematics, Universitat Rovira i Virgili, Av. Països Catalans 26, E-43007 Tarragona, Catalonia, Spain Department of Maths, School of Science, Xi’an University of Technology, China c School of Computer, Key Lab. of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, China d School of Computer Science and Technology, Nanjing Normal University, Nanjing, China e Jiangsu Engineering Research Center on Information Security and Privacy Protection Technology, Nanjing, China b a r t i c l e i n f o Article history: Received 1 March 2009 Received in revised form 20 November 2009 Accepted 6 April 2010 Available online 11 April 2010 Responsible Editor: R. Molva Keywords: Information security Message authentication Digital signature Certificateless cryptography a b s t r a c t Aggregate signatures allow an efficient algorithm to aggregate n signatures of n distinct messages from n different users into one single signature. The resulting aggregate signature can convince a verifier that the n users did indeed sign the n messages. This feature is very attractive for authentications in bandwidth-limited applications such as reverse multicasts and senor networks. Certificateless public key cryptography enables a similar functionality of public key infrastructure (PKI) and identity (ID) based cryptography without suffering from complicated certificate management in PKI or secret key escrow problem in ID-based cryptography. In this paper, we present a new efficient certificateless aggregate signature scheme which has the advantages of both aggregate signatures and certificateless cryptography. The scheme is proven existentially unforgeable against adaptive chosen-message attacks under the standard computational Diffie–Hellman assumption. Our scheme is also very efficient in both communication and computation and the proposal is practical for many-to-one authentication. Ó 2010 Elsevier B.V. All rights reserved. 1. Introduction Digital signature is one of the most important primitives in public key cryptography. Knowing the public key of a signer, anyone can verify whether a signature of this signer is valid or not. This feature enables signatures to be efficiently applied to one-to-one (unicast) and one-tomany (multicast) applications. Some multicast applications may require the root node to collect data from leaf nodes (e.g., real-time fee collection, user preferences) which results into a many-to-one communication. In these applications, the root node is very likely to be swamped when too many leaves transmit simultaneously. Hence, to provide the usual authenticity, integrity and non-repudiation, signatures have to be elegantly designed to avoid * Corresponding author. Tel.: +34 977558270; fax: +34 977559710. E-mail addresses: lei.zhang@urv.cat (L. Zhang), bo.qin@urv.cat (B. Qin), qianhong.wu@urv.cat (Q. Wu), zhangfutai@njnu.edu.cn (F. Zhang). 1389-1286/$ - see front matter Ó 2010 Elsevier B.V. All rights reserved. doi:10.1016/j.comnet.2010.04.008 the known implosion problem in many-to-one communications [1]. 1.1. Related work Recently, the concept of aggregate signatures [4] was introduced by Boneh et al. at Eurocrypt 2003. This notion allows an efficient algorithm to aggregate n signatures of n distinct messages from n different users into one single signature. The resulting aggregate signature can convince a verifier that the n users did indeed sign the n original messages. These properties greatly reduce the length of the resulting signature to be verified. Hence, aggregate signatures can be applied to the above applications. To let a signature scheme function, the public key has to be bound with the identity of the owner of the public key. Traditionally, this is provided by the public key infrastructure (PKI) in which one or more third parties, known as L. Zhang et al. / Computer Networks 54 (2010) 2482–2491 certificate authorities (CAs), issue digital certificates to bind a user and his public key. In this paradigm, before using the public key of a user, the participant must first verify the certificate of the user, which implies a large amount of computing and storage cost to manage certificates. Observing these shortcomings, Shamir put forward identity-based public key cryptography (ID-PKC) [16] to simplify certificate management in PKI systems. In an IDbased cryptosystem, the identity, for instance, the telephone number, email or IP address, of a user functions as the public key of the user. However, in ID-PKC a trusted third party called Private Key Generator (PKG) must be employed to generate the private key for each user. The user’s private key is computed from his public known identity and PKG’s master secret key. Hence, ID-PKC suffers from a key escrow problem which implies that all the users have to fully trust PKG. This might be a too strong assumption in some applications. To address the key escrow problem of ID-PKC, Al-Riyami and Paterson [2] invented a new paradigm called certificateless public key cryptography (CL-PKC). CL-PKC also exploits a third party called Key Generation Center (KGC) to help a user to generate his private key. However, the KGC can merely determine part of the private key for each user, rather than the whole private key of each user in IDPKC systems. In CL-PKC, the user computes the resulting private key with the partial private key obtained from the KGC and the secret information chosen by the user. As for the public key of the user, it is computed from the KGC’s public parameters and the user’s secret information. As a result, CL-PKC systems avoid the key escrow problem in ID-PKC systems and the complicated certificate management problem in traditional PKI systems. The above advantages in CL-PKC motivate a lot of further studies [11,14,18,22]. In [2], Al-Riyami and Paterson presented the first Certificateless Signature (CLS) scheme, however, no formal proof is given. Huang et al. [12] pointed out a security drawback of the primal CLS scheme in [2] and defined the first security model of CLS schemes. But the model in [12] did not fully catch the ability of the adversaries in CL-PKC. A CLS scheme proved secure in this model may be insecure in practice. A recent example is Yap et al.’s scheme [18], which was broken by Park [15] and Zhang and Feng [19] independently. Later, Zhang et al. [20] improved the security model of CLS schemes and presented a more efficient CLS scheme. The security model of CLS schemes was further developed in [11,13]. It is natural to investigate the notion of aggregate signatures in ID-based or certificateless cryptographic contexts. By far, several Identity-based Aggregate Signature (IDAS) schemes have been presented [6–8,10,17]. But most of them only achieve partial aggregation [7,10,17]. In [6], Cheng et al. proposed an aggregate signature scheme whose output has the same size as an individual signature. However, it needs that the signers are pre-determined, and without the individual signature from each pre-determined signer, all individual signatures cannot be aggregated. At present, in ID-PKC, the only instance that can aggregate n individual signatures into a single aggregate signature (whose length is as short as an individual signature) is Gentry and Ramzan’s IDAS scheme. In addition, 2483 their scheme requires only three pairing operations and is proven secure under the standard computational Diffie–Hellman (CDH) assumption. As to the aggregate signatures in the certificateless public key setting, Gong et al. [9] presented two certificateless aggregate signature (CLAS) schemes which are provably secure in a relatively weak model similar to that in [12]. Later, Zhang and Zhang [21] presented a CLAS scheme which is provably secure in a stronger model. However, as for efficiency, all the previous CLAS schemes require a relatively large amount of paring computation in the process of verification and have long outputs and may be further improved. 1.2. Our contribution In this paper, we present a novel certificateless aggregate signature (CLAS) scheme. By exploiting the random oracle model [3], our CLAS scheme is proven existentially unforgeable against adaptive chosen-message attacks under the standard CDH assumption. It allows multiple signers to sign multiple documents in an efficient way and the total verification information (the length of the signature), consists only two group elements. Our scheme is also very efficient in computation, and the verification procedure needs only a very small constant number of pairing computations, independent of the number of aggregated signatures. With our CLAS scheme, one can aggregate many different certificateless signatures into a single certificateless aggregate signature, and hence effectively reduce the signature size and verification cost. This implies that our scheme is very applicable to secure many-to-one communications. The rest of the paper is organized as follows. Section 2 reviews the notion and the security model of CLAS schemes. We propose our new CLAS scheme in Section 3, and prove its security in Section 4. In Section 5, we compare our scheme with three existing proposals, followed by some concluding remarks in the last section. 2. Preliminaries 2.1. Modeling certificateless aggregate signature schemes A CLAS scheme involves a KGC, an aggregating set U of n users U1 ;    ; Un , and an aggregate signature generater. It consists of following six algorithms.  Setup: This algorithm is performed by KGC that accepts a security parameter ‘to generate a master-key and a list of system parameters params.  Partial-Private-Key-Extract: This algorithm is performed by KGC that accepts a user’s identity IDi, a parameter list params and a master-key to produce the user’s partial private key Di.  UserKeyGen: An algorithm which is run by a user that takes as input the user’s identity IDi, and selects a random xi 2 Z q and outputs the user’s secret/public key xi/Pi.  Sign: This algorithm is run by each user Ui in an aggregating set U. Ui ’s inputs are the parameter list params, some state information D,1 a message M i 2 M ðM is 1 Depending on the instantiation, the state information D can be empty. 2484 L. Zhang et al. / Computer Networks 54 (2010) 2482–2491 the message space), his identity IDi, his corresponding public key Pi, and his signing key (xi, Di). The output of Ui is a signature ri on message Mi which is valid under his identity IDi and the corresponding public key Pi.  Aggregate: This algorithm is run by an aggregate signature generater that takes as inputs a state information D, an aggregating set U of n users fU1 ; . . . ; Un g, the identity IDi of each user Ui , the corresponding public key Pi of Ui , and a signature ri on a message Mi with state information D under identity IDi and public key Pi for each user Ui 2 U. The output of this algorithm is an aggregate signature r on messages {M1, . . . , Mn}.  Aggregate Verify: This algorithm takes as input D, an aggregating set U of n users fU1 ; . . . ; Un g, the identity IDi and the corresponding public key Pi of each user Ui , an aggregate signature r on messages {M1, . . . , Mn}. It outputs true if the aggregate signature is valid, or \otherwise. 2.2. Security definitions Two types of adversaries are considered in CL-PKC – Type I adversary and Type II adversary.2 A Type I adversary AI does not have access to the master-key, but he has the ability to replace the public key of any entity with a value of his choice. While a Type II Adversary AII has access to the master-key but cannot perform public key replacement. More details can be found in [2]. The security of a CLAS scheme is modeled via the following two games3 between a challenger C and an adversary AI or AI . Game 1 (for Type I Adversary). Setup: C runs the Setup algorithm, takes as input a security parameter ‘to obtain a master-key and the system parameter list params. C then sends params to the adversary AI while keeping the master-key secret. Attack: The adversary AI can perform a polynomially bounded number of the following types of queries in an adaptive manner.  Partial-Private-Key queries PPK(IDi): AI can request the partial private key of any user with identity IDi. In response, C outputs the partial private key Di of the user.  Public-Key queries PK(IDi): AI can request the public key Pi of a user whose identity is IDi. In response, C outputs the public key for identity IDi.  Secret-Key queries SK(IDi): AI can request the secret key of a user whose identity is IDi. In response, C outputs the secret key xi for identity IDi (It outputs \, if the user’s public key has been replaced).  Public-Key-Replacement queries PKRðIDi ; P 0i Þ: For any user whose identity is IDi, AI can choose a new public key P0i . AI then sets P 0i as the new public key of this user. C will record this replacement. 2 In this paper, the ability of our Type I/II Adversary follows the original definition which is introduced by Al-Riyami and Paterson [2]. 3 Note in Game 1, when a type I adversary AI submits a Public-KeyReplacement query PKRðIDi ; P0i Þ to C; AI needs not submit the corresponding secret key which is used to generate P0i to C [20].  Sign queries S(Di,Mi,IDi,Pi): AI can request a user’s (whose identity is IDi) signature on a message Mi under a state information Di. On receiving a query S(Di, Mi, IDi, Pi), C generates a signature ri on message Mi under identity IDi and public key Pi using Di as the state information, and replies with ri. Forgery: AI outputs a set of n users whose identities form the set LID ¼ fID1 ; . . . ; IDn g and corresponding public keys form the set LPK ¼ fP1 ; . . . ; Pn g, n messages form the set LM ¼ fM1 ; . . . ; M n g, a state information D* and an aggregate signature r*. We say that AI wins Game 1, iff. (1) r* is a valid aggregate signature on messages fM1 ; . . . ; M n g with state information D* under identities fID1 ; . . . ; IDn g and the corresponding public keys fP1 ; . . . ; Pn g. (2) At least one of the identities, without loss of generality, say ID1 2 LID has not submitted during the Partial-Private-Key queries. And SðD ; M 1 ; ID1 ; Þ has never been queried during the Sign queries. Game 2 (for Type II Adversary). Setup: C runs the Setup algorithm, takes as input a security parameter ‘to obtain the system parameter list params and also the system’s master-key. C then sends params and master-key to the adversary AII . Attack: The adversary AII can perform a polynomially bounded number of the following types of queries in an adaptive manner.  Public-Key queries PK(IDi): AII can request the public key of a user (whose identity is IDi) of his choice. In response, C outputs the public key Pi for identity IDi.  Secret-Key queries SK(IDi): AII can choose a user whose identity is IDi, and request this user’s secret key. In response, C outputs the secret key xi for identity IDi.  Sign queries S(Di, Mi, IDi, Pi): AII can request a user’s (whose identity is IDi) signature on a message Mi with a state information Di. On receiving a query S(Di, Mi, IDi, Pi), C replies with a signature ri on message Mi with state information Di under identity IDi and public key Pi. Forgery: AII outputs a set of n users whose identities form the set LID ¼ fID1 ; . . . ; IDn g and corresponding public keys form the set LPK ¼ fP1 ; . . . ; Pn g, n messages form the set LM ¼ fM1 ; . . . ; M n g, a state information D* and an aggregate signature r*. We say that AII wins Game 2, iff. (1) r* is a valid aggregate signature on messages fM1 ; . . . ; M n g with state information D* under identities fID1 ; . . . ; IDn g and corresponding public keys fP1 ; . . . ; Pn g. (2) One of the identities, without loss of generality, say ID1 2 LID has not submitted during the Secret-Key queries. And SðD ; M 1 ; ID1 ; Þ has never been queried during the Sign queries. 2485 L. Zhang et al. / Computer Networks 54 (2010) 2482–2491 Definition 1. A CLAS scheme is existentially unforgeable under adaptively chosen-message attack iff the success probability of any polynomially bounded adversary in any of the above two games is negligible. 3. Our certificateless aggregate signature scheme 3.1. Bilinear maps Our scheme is realized in groups which allowing efficient bilinear maps [5]. Let G1 be an additive group of prime order q and G2 be a multiplicative group of the same order. A map e:G1  G1 ? G2 is called a bilinear map if it satisfies the following properties: tion D) of n users fU1 ; . . . ; Un g with identities {ID1, . . . , IDn} and the corresponding public keys {P1, . . . , Pn}, and message-signature pairs (M1, r1 = (R1, S1)), . . . , (Mn, rn = (Rn, Sn)) from fU1 ; . . . ; Un g respectively, the aggregate P P signature generater computes R ¼ ni¼1 Ri ; S ¼ ni¼1 Si and outputs the aggregate signature r = (R, S).  Aggregate Verify: To verify an aggregate signature r = (R, S) signed by n user fU1 ; . . . ; Un g with identities {ID1, . . . , IDn} and corresponding public keys {P1, . . . , Pn} on messages {M1, . . . , Mn} with the same state information D, the verifier performs the following steps. (1) Compute T = H2(D),V = H3(D), W = H4(D), and for all i, 1 6 i 6 n compute hi = H5(MikDkIDikPi), Qi,0 = H1(IDi,0),Qi,1 = H1(IDi, 1). (2) Verify (1) Bilinearity: e(aP, bQ) = e(P, Q)ab for all P; Q 2 G1 ; a; b 2 Z q . (2) Non-degeneracy: there exists P, Q 2 G1 such that e(P, Q) – 1. (3) Computability: there exists an efficient algorithm to compute e(P, Q) for any P, Q 2 G1. Computational Diffie–Hellman (CDH) problem in G1: given a generator P of the group G1 whose order is q, and given (aP,bP) for unknown a; b 2 Z q ; compute abP. 3.2. Our certificateless aggregate signature scheme The specification of the scheme is as follows.  Setup: Given a parameter ‘, the KGC chooses a cyclic additive group G1 which is generated by P with prime order q, chooses a cyclic multiplicative group G2 of the same order and a bilinear map e:G1  G1 ? G2. The KGC also chooses a random k 2 Z q as the master-key and sets PT = kP, chooses cryptographic hash functions H1  H4 : f0; 1g ! G1 ; H5 : f0; 1g ! Z q . The system parameter list is params = (G1, G2, e, P, PT, H1  H5). The message space is M ¼ f0; 1g .  Partial-Private-Key-Extract: This algorithm accepts params, master-key k and a user’s identity IDi 2 {0,1}*, and generates the partial private key for the user as follows. (1) Compute Qi,0 = H1(IDi, 0), Qi,1 = H1(IDi, 1). (2) Output the partial private key (Di,0, Di,1) = ( kQi,0, kQi,1).  UserKeyGen: This algorithm takes as input params, a user’s identity IDi, selects a random xi 2 Z q and sets his secret/public key as xi/Pi = xiP.  Sign: To sign a message M i 2 M using the signing key (xi, Di,0, Di,1), the signer, whose identity is IDi and the corresponding public key is Pi, first chooses a one-time-use state information D then performs the following steps. (1) Choose a random ri 2 Z q , compute Ri = riP. (2) Compute hi = H5(MikDkIDikPi), T = H2(D), V = H3(D), W = H4(D). (3) Compute Si = Di,0 + xiV + hi(Di,1 + xiW) + riT. (4) Output ri = (Ri, Si) as the signature on Mi.  Aggregation: Anyone can act as an aggregate signature generater who can aggregate a collection of individual signatures that use the same state information D. For an aggregating set (which has the same state informa- ? eðS; PÞ ¼ e P T ; n X Q i;0 þ i¼1  e W; n X i¼1 n X ! hi Q i;1 e V; i¼1 ! n X i¼1 Pi ! hi P i eðT; RÞ: If the equation holds, output true. Otherwise, output \. In our scheme, each user in an aggregating set should use the same one-time-use state information D when signing. As mentioned in [8], it is straightforward to choose such a D in certain settings. For example, if the signers have access to some loosely synchronized clocks, D can be chosen based on the current time. Furthermore, if D is sufficiently long, then it will be statistically unique. And to remove the one-time-use restriction of D, Gentry and Ramzan also provided a method. For details, please refer to [8]. We notice that, in this paper, we follow the original definition of certificateless cryptography in [2]. In this setting, the KGC can choose a secret key x0i 2 Z q and compute P0i ¼ xi P as the new public key of the user with IDi. By this replacement, the KGC can know both the partial private key and secret key of the user. This implies that KGC can generate signatures on behalf of that user. It seems that both the KGC and a user may deny having generated a signature. However, in [2], the authors introduced a binding technique4 which ensures that users can only create one public key for which they know the corresponding private key. This way, the systems in certificateless cryptography can enjoy the same trust level as the systems in a traditional PKI. In other words, if the KGC replaces a public key, then the KGC necessarily leaves evidence of its bad behavior; and such an action can be easily detected, as the KGC is the only entity having that capability. Note that this scenario is equivalent to a CA forging a certificate in a traditional PKI system: the existence of two valid certificates for a single identity would implicate the CA behaved maliciously. 4. Security proof Assuming that the CDH problem is hard, we now show the security of our CLAS scheme. 4 This technique can also be applied to our scheme 2486 L. Zhang et al. / Computer Networks 54 (2010) 2482–2491 Theorem 1. In the random oracle model, if there exists a type I adversary A who has an advantage e in forging a signature of our CLAS scheme in an attack modeled by Game 1, within a time span t for a security parameter ‘; then the CDH problem in G1 can be solved within time t þ 4qH1 þ qH2 þ qH3 þ qH4 þ 2qK þ qP þ 6qS ÞsG1 and with probability 1 1 qH1 0 e P  1 qH2 !q K 1 1 1 1 qH1 qH2 ! 1 qH05 1 1 qH05 !!qS 1 qH 1 e; where sG1 is the time to compute a scalar multiplication in G1, n is the aggregating set’s scale. Proof. Let C be a CDH attacker who receives a random instance (P, aP, bP) of the CDH problem in G1 and has to compute the value of abP. A is a type I adversary who interacts with C as modeled in Game 1. We show how C can use A to solve the CDH problem, i.e. to compute abP. To make the proof easy to read, we first briefly show where the reduction is. When the game begins, C sets PT = aP which is an instance of the CDH problem, and simulates hash functions as random oracles. During the simulation, C needs to guess A’s target identity (without loss of generality, say ID1 ), message (without loss of generality, say M1 ) and state information D*. C will set Q 1;0 ¼    0 H1 ðID1 ; 0Þ ¼ ai;0 P þ a0 i;0 bP; Q 1;1 ¼ H 1 ðID1 ; 1Þ ¼ a1;1 P þ a1;1 bP; b P; V  ¼ H3 ðD Þ ¼ c P; W  ¼ H4 ðD Þ ¼ p P T  ¼ H2 ðD Þ ¼  and H5 ðM 1 ; D ; ID1 ; P1 Þ ¼ h1 . (For the other settings, please refer to our proof.) At the end of the game, A needs to output a set of n users whose identities form the set LID ¼ fID1 ; . . . ; IDn g and corresponding public keys form the set LPK ¼ fP1 ; . . . ; Pn g; n messages form the set LM ¼ fM 1 ; . . . ; Mn g, a state information D* and an aggregate signature r*. Since rast is valid, we have eðS ; PÞ ¼ e PT ; n X Q i;0 þ i¼1  e W ; n X !  hi Q i;1 e V  ; i¼1 n X  hi Pi i¼1 !  n X Pi i¼1 !  eðT ; R Þ; where Q i;j ¼ H1 ðIDi ; jÞ; j 2 f0; 1g. We note that    e PT ; Q 1;0 þ h1 Q 1;1     ¼ e aP; ai;0 P þ a0i;0 bP þ h1 a1;1 P þ h1 a01;1 bP : It is easy to have     eðaP; bPÞ ¼ e PT ; Q 1;0 þ h1 Q 1;1   ða0 þh1 a0 Þ1 1;0 1;1  e ai;0  h1 a1;1 aP; P : Furthermore n n   X X   e P T ; Q 1;0 þ h1 Q 1;1 ¼ eðS ;P Þ e P T ; Q i;0 þ hi Q i;1 i¼2 e V  ; n X i¼1 ! P i e W  ; i¼2 n X i¼1  ! ! hi P i eðT  ; R Þ !1 : By our setting, for 2 6 i 6 n; Q i;j ¼ ai;j P, where j 2 {0,1}; C can get the solution of the CDH problem abP ¼ Pn  Pn  Pn    1   ða0 þ h1 a0 1;0 1;1 Þ ðS  i¼2 a1;0 P T  i¼2 a1;1 hi P T  c i¼1 P i  P   n p i¼1 hi Pi  b R  ða1;0 þ h1 a1;1 ÞPT Þ. Next, we begin to propose the concrete proof. Setup: Firstly, C sets PT = aP and selects params = (G1, G2, e, P, PT, H1  H5) then he sends params to A. Attack: We consider hash functions H1  H5 as random oracles. And we assume A can ask at most qHi times Hi (i = 1, . . . , 5) queries, qK times Partial-Private-Key queries, qP times Public-Key queries, qS times Sign queries. A can perform the following types of queries in an adaptive manner. H1 queries: C maintains a list H1 of tuples ðIDi ; ai;0 ; a0i;0 ; ai;1 ; a0i;1 ; Q i;0 ; Q i;1 Þ which is initially empty. C picks I 2 ½1; qH1  uniformly at random. Whenever C receives an H1 query on (IDi,j) for j 2 {0,1}, C does the following: (1) If there is a tuple ðIDk ; ak;0 ; a0k;0 ; ak;1 ; a0k;1 ; Q k;0 ; Q k;1 Þ on H1 such that IDi = IDk, return Qk,j as answer. (2) Else if i = I, randomly choose ai;0 ; a0i;0 ; ai;1 ; a0i;1 2 Z q , set Q i;0 ¼ ai;0 P þ a0i;0 bP; Q i;1 ¼ ai;1 P þ a0i;1 bP, add ðIDi ; ai;0 ; a0i;0 ; ai;1 ; a0i;1 ; Q i;0 ; Q i;1 Þ to H1 and return Qi,j as answer. (3) Else set a0i;0 ¼ 0; a0i;1 ¼ 0, randomly choose ai;0 ; ai;1 2 Z q , set Qi,0 = ai,0P, Qi,1 = ai,1P, add ðIDi ; ai;0 ; a0i;0 ; ai;1 ; a0i;1 ; Q i;0 ; Q i;1 Þ to H1 and return Qi,j as answer. H2 queries: C keeps a initially empty list H2 of tuples (Di, Ti, bi), picks J 2 ½1; qH2  uniformly at random. Whenever A issues a query H2(Di), the same answer from the list H2 will be given if the request has been asked before. Otherwise, C selects a random bi 2 Z q ; if i = J, computes Ti = biP, else sets Ti = biaP. Finally, C adds (Di, Ti, bi) to H2 and returns Ti as answer. H3 queries: C keeps a list H3 of tuples (Dj, Vj, cj). This list is initially empty. Whenever A issues a query Di to H3, the same answer from the list H3 will be given if the request has been asked before. Otherwise, C first selects a random ci 2 Z q , then computes Vi = ciP, adds (Di, Vi, ci) to H3 and returns Vi as answer. H4 queries: C keeps a list H4 of tuples (Dj, Wj, pj). This list is initially empty. Whenever A issues a query Di to H4, the same answer from the list H4 will be given if the request has been asked before. Otherwise, C first selects a random pi 2 Z q , then computes Wi = piP, adds (Di, Wi, pi) to H4 and returns Wi as answer. H5 queries: C keeps a list H5 of tuples (Mi, Di, IDi, Pi, hi). This list is initially empty. Whenever A issues a query (MikDikIDikPi) to H5, the same answer from the list H5 will be given if the request has been asked before. Otherwise, C first submits (IDi,0) to H1 oracle, then finds the tuple ðIDi ; ai;0 ; a0i;0 ; ai;1 ; a0i;1 ; Q i;0 ; Q i;1 Þ on H1, finally does the following: (1) If IDi = IDI and Di = DJ (we assume that A can ask at most qH05 < qH5 times such kind of queries), randomly choose K 2 ½1; qH05 . (a) If it is K-th query, set hi ¼ a0i;0 =a0i;1 , add (Mi, Di, IDi, Pi, hi) to H5 and return hi. (b) Else select a random hi 2 Z q , add (Mi, Di, IDi, Pi, hi) to H5 and return hi as answer. 2487 L. Zhang et al. / Computer Networks 54 (2010) 2482–2491 (2) Else, select a random hi 2 Z q , add (Mi, Di, IDi, Pi, hi) to H5 and return hi as answer. Partial-Private-Key queries: C keeps a list K of tuples (IDi, xi, Di,0, Di,1, Pi). This list is initially empty. When A issues a query PPK(IDi), the same answer from the list K will be given if the request has been asked before. Otherwise, C checks whether there is a tuple ðIDi ; ai;0 ; a0i;0 ; ai;1 ; a0i;1 ; Qi,0, Qi,1, ci) on H1, if no, C makes an H1 query on (IDi,j) (j = 0 or 1) to generate such a tuple, finally does as follows. (1) If IDi = IDI, abort. (2) Else if there’s a tuple (IDi, xi, Di,0, Di,1, Pi) on K, set Di,0 = ai,0PT, Di,1 = ai,1PT and return (Di,0, Di,1) as answer. (3) Else, first compute Di,0 = ai,0PT, Di,1 = ai,1PT, set xi = Pi = \, then return (Di,0, Di,1) as answer and add (IDi, xi,Di,0, Di,1, Pi) to K. Public-Key queries: On receiving a query PK(IDi), if the request has been asked before, the current public key from the list K will be given. Otherwise, C does as follows. (1) If there is a tuple (IDi, xi, Di,0, Di,1, Pi) on K (in this case, the public key Pi of IDi is \), choose x0i 2 Z q , compute P0i ¼ x0i P, return P 0i as answer and update (IDi, xi, Di,0, Di,1, Pi) to ðIDi ; x0i ; Di;0 ; Di;1 ; P 0i Þ. (2) Otherwise, choose xi 2 Z q , compute Pi = xiP, return Pi as answer, set Di,0 = Di,1 = \ and add (IDi, xi, Di,0, Di,1, Pi) to K. Secret-Key queries: On receiving a query SK(IDi), C first makes PK(IDi) then finds the tuple (IDi, xi, Di,0, Di,1, Pi) on K and returns xi as answer (note that the value of xi maybe \). Public-Key-Replacement queries: A can choose a new public key for the user whose identity is IDi. On receiving a query PKRðIDi ; P 0i Þ, C first finds the tuple (IDi, xi, Di,0, Di,1, Pi) on K (if such a tuple does not exists on K or Pi = \, C first makes PK(IDi)), then C updates Pi to P 0i . Sign queries: On receiving a Sign query S(Di, Mi, IDi, Pi), C first makes H1(IDi, 0),H1(IDi, 1), H2(Di), H3(Di), H4(Di) and H5(MikDikIDikPi) queries if they are not queried before, then recovers ðIDi ; ai;0 ; a0i;0 ; ai;1 ; a0i;1 ; Q i;0 ; Q i;1 Þ from H1, (Di, Ti, bi) from H2, (Di, Vi, ci) from H3, (Di, Wi, pi) from H4, (Mi, Di, IDi, Pi, hi) from H5 and generates the signature as follows. (1) If IDi = IDI, Di = DJ, and hi ¼ a0i;0 =a0i;1 , choose Ri 2 G1 , compute Si = biRi + ciPi + pihiPi + ai,0PT + ai,1hiPT, output ri = (Ri,Si). (2) Else if IDi = IDI, Di = DJ, abort. (3) Else if IDi = IDI, choose ri 2 Z q , set Ri ¼ ri P  b1 i ðQ i;0 þ hi Q i;1 Þ compute Si = ciPi + pihiPi + riTi, output ri = (Ri, Si). (4) Else, randomly choose r i 2 Z q , compute Ri = riP, set Si = ai,0PT + hiai, 1PT + ciPi + hipiPi + riTi, output ri = (Ri, Si). Note that in our CLAS scheme Di is only for one-time use. Hence, it is reasonable for C to abort when IDi = IDI, Di = DJ and hi –  a0i;0 =a0i;1 . Forgery: Eventually, A returns a set of n users, whose identities form the set LID ¼ fID1 ; . . . ; IDn g and corresponding public keys form the set LPK ¼ fP 1 ; . . . ; P n g; n messages form the set LM ¼ fM 1 ; . . . ; M n g; a state information D* and a forged aggregate signature r* = (R*,V*). C recovers (D*, T*, b*) from H2, (D*, V*, c*) from H3,  (D*, W*, p*) from H4 and the tuples ðIDi ; ai;0 ; a0 i;0 ; ai;1 ; a0i;1 ; Q i;0 ; Q i;1 Þ from H1, ðMi ; D ; IDi ; Pi ; hi Þ from H5 for all i,1 6 i 6 n. It requires that Dast = DJ and there exists i 2 {1, . . . , n}  0 such that IDi ¼ IDI , hi –  a0 i;0 =ai;1 and A has not made a SðM i ; D ; IDi ; Þ query. Without loss of generality, we let i = 1. In addition, the forged aggregate signature must satisfy eðS ; PÞ ¼ e PT ; n X n X Q i;0 þ i¼1  e W ; !  hi Q i;1 e V  ; i¼1 n X  hi Pi ÞeðT  ; R i¼1 ! n X Pi i¼1 ! : Otherwise, C aborts. If C does not abort, from the above equation, we have ! n n   X X        e P T ; Q 1;0 þ h1 Q 1;1 ¼ eðS ;P Þ e P T ; Q i;0 þ hi Q i;1 i¼2  e V ; n X i¼1 Pi ! i¼2  e W ; n X  hi P i i¼1 !   eðT ; R Þ !1 :   And by our setting, Q 1;0 ¼ a1;0 P þ a0 1;0 bP, Q 1;1 ¼ a1;1 Pþ * * * * * * 0 a1;1 bP, T = b P, V = c P, W = p P; and for i, 2 6 i 6 n, Q i;j ¼ ai;j P, where j 2 {0,1}; hence, C can compute n n  1 X X  abP ¼ a01;0 þ h1 a01;1 S  a1;0 PT  a1;1 hi P T i¼2  c n X i¼1 Pi  p n X i¼1  hi Pi i¼2     1;0 b R  a þ  h1 !  a PT :  1;1 To complete the proof, we shall show that C solves the given instance of CDH problem with probability at least 0 e . First, we analyze the four events needed for C to succeed:  R1: C does not abort as a result of any of A’s Partial-Private-Key queries.  R2: C does not abort as a result of any of A’s signature queries.  R3: A generates a valid and nontrivial aggregate signature forgery.  R4: Event R3 occurs, D* = DJ and there exists  0 i 2 {1, . . . , n} such that IDi ¼ IDI , hi –  a0 i;0 =ai;1 (as mentioned previously, we assume i = 1). C succeeds if all of these events happen. The probability Pr[R1 ^ R2 ^ R3 ^ R4] can be decomposed as Pr½R1 ^ R2 ^ R3 ^ R4 ¼ Pr½R1Pr½R2jR1Pr½R3jR1 ^ R2Pr½R4jR1 ^ R2 ^ R3: Claim 1. The probability that C does not abort as a result of A’s key extraction queries is at least ð1  q1 ÞqK . Hence we H1 have 2488 L. Zhang et al. / Computer Networks 54 (2010) 2482–2491 Pr½R1 P 1 1 qH 1 !q K : Proof. For a Partial-Private-Key query, C will abort iff the query is on ID1 ¼ IDI . It is easy to see that the probability C does not abort for a Partial-Private-Key query is 1  q1 . H1 Since A can make at most qK times Partial-Private-Key queries, the probability that C does not abort as a result  qK of A’s Partial-Private-Key queries is at least 1  q1 . h Theorem 2. In the random oracle model, if there exists a type II adversary A has an advantage e in forging a signature of our CLAS scheme in an attack modeled by Game 2, within a time span t for a security parameter ‘; then the CDH problem in G1 can be solved within time t þ ðqH2 þ 2qH3 þ 2qH4 þ qP þ 6qS ÞsG1 and with probability 0 e 1 P 1 qHP !qK 1 1 1 1 1 qP qH2 qH05 !!qS 1 1 1 1 qP qH2 qH05 ! e: H1 Claim 2. The probability that C does not abort as a result of   qS . A’s signature queries is at least 1  qH1 qH1 1  q10 1 H 2 5 Thus there hold 1 1 1 qH1 qH2 Pr½R2jR1 P 1 1 qH05 !!qS : Proof. When C receives a Sign query, he will abort iff IDi = IDI,Di = DJ and hi –  a0i;0 =a0i;1 happens. So for a Sign query, the probability that C does not abort is   1  qH1 qH1 1  q10 . Since A makes at most qS times Sign 1 H 2 5 queries, the probability that C does not abort as a result   qS . h ofA’s Sign queries is at least 1  qH1 qH1 1  q 10 1 H 2 5 Claim 3. Pr[R3jR1 ^ R2] P e. Proof. If algorithm C does not abort as a result of A’s signature queries and key extraction queries then algorithm A’s view is identical to its view in the real attack. Hence, Pr[R3jR1 ^ R2] P e. h Claim 4. The probability that C does not abort after A outputting a valid and nontrivial forgery is at least   1 1 1 1  . Hence qH qH q 0 1 H 2 5 1 1 Pr½R4jR1 ^ R2 ^ R3 P qH 1 qH 2 ! 1 : 1 qH05 Proof. Events R1, R2 and R3 have occurred, C will abort unless A generates a forgery such that ID1 ¼ IDI ; D ¼ DJ  and h –  a0 =a0 . Therefore, Pr½R3jR1 ^ R2 P  1  1;0 1;1 1 1 1  q 10 . h qH qH 1 H 2 5 Proof. Let C be a CDH attacker who receives a random instance (P, aP, bP) of the CDH problem in G1 and has to compute the value of abP. A is a type II adversary who interacts with C as defined in Game 2. We show how C can use A to solve the CDH problem, i.e. to compute abP. Setup: Firstly, C selects a random k 2 Z q as the masterkey, computes PT = kP, then selects the system parameters params = (G1, G2, e, P, PT, H1  H5). When the simulation is started, A is provided with params and the master-key k. Since A has access to the master-key, he can do PartialPrivate-Key-Extract himself. Attack: We assume A asking at most qHi times Hi (i = 2, . . . , 5) queries, qP times Public-Key queries, qK times Secret-Key queries, qS times Sign queries. A can perform the following types of queries in an adaptive manner. Note that we need not model the hash function H1 as a random oracle in this case. H2 queries: C keeps a initially empty list H2 of tuples (Di, Ti, bi), randomly selects I 2 ½1; qH2 . Whenever A issues a query H2(Di), the same answer from the list H2 will be given if the request has been asked before. Otherwise, C selects a random bi 2 Z q , if i = I, computes Ti = biP, else sets Ti = biaP. Finally, C adds (Di, Ti, bi) to H2 and returns Ti as answer. H3 queries: C keeps a list H3 of tuples ðDi ; V i ; ci ; c0i Þ. This list is initially empty. Whenever A issues a query Di to H3, the same answer from the list H3 will be given if the request has been asked before. Otherwise, C randomly selects ci ; c0i 2 Z q , computes V i ¼ ci P þ c0i aP, adds ðDi ; V i ; ci ; c0i Þ to H3 and returns Vi as answer. H4 queries: C keeps a list H4 of tuples ðDi ; W i ; pi ; p0i Þ. This list is initially empty. Whenever A issues a query Di to H3, the same answer from the list H4 will be given if the request has been asked before. Otherwise, C randomly selects pi ; p0i 2 Z q , computes W i ¼ pi P þ p0i aP, adds ðDi ; W i ; pi ; p0i Þ to H4 and returns Wi as answer. Public-Key queries: C keeps a initially empty list K of tuples (IDi, xi, Pi), chooses J 2 [1, qP]. On receiving a query PK(IDi), the same answer from the list K will be given if the request has been asked before. Otherwise, C selects xi 2 Z q and dose the following. Totally, we have e0 ¼ Pr½R1 ^ R2 ^ R3 ^ R4 1 P  1 qH2 1 qH1 !q K 1 1 1 qH05 ! 1 1 qH1 qH2 e:  1 1 qH05 !!qS 1 qH 1 (1) If i = J, set Pi = xibP, add (IDi, xi, Pi) to K and return Pi as answer. (2) Else, compute Pi = xiP, add (IDi, xi, Pi) to K and return Pi as answer. H5 queries: C keeps a list H5 of tuples (Mi, Di, IDi, Pi, hi). This list is initially empty. Whenever A issues a query (MikDikIDikPi) to H5, the same answer from the list H5 will 2489 L. Zhang et al. / Computer Networks 54 (2010) 2482–2491 be given if the request has been asked before. Otherwise, C first makes H2(Di), PK(IDi) then finds (Di, Ti, bi, ci) on H2, ðIDi ; xi ; Pi ; c0i Þ on K; finally does the following: Now we determine the probability e0 for C to solve the given instance of CDH problem. We analyze the four events needed for C to succeed: (1) If Di = DI and Pi = PJ (we assume that A can ask at most qH05 < qH5 times such kind of queries), randomly choose K 2 ½1; qH05 . (a) If it is the K-th query, set hi ¼ c0i =p0i , add (Mi, Di, IDi, Pi, hi) to H5 and return hi as answer. (b) Else select a random hi 2 Z q , add (Mi, Di, IDi, Pi, hi) to H5 and return hi as answer. (2) Else select a random hi 2 Z q , add (Mi, Di, IDi, Pi, hi) to H5 and return hi as answer.  R5: C does not abort as a result of any of A’s Secret-Key queries.  R6: C does not abort as a result of any of A’s signature queries.  R7: A generates a valid and nontrivial aggregate signature forgery.  0  R8: Event R7 occurs, D ¼ DI ; P1 ¼ PJ ; ðh1 –  c0 1 =p1 . Secret-Key queries: On receiving a query SK(IDi), C first makes PK(IDi) then recovers the tuple (IDi, xi, Pi) from K. If IDi = IDJ, C aborts; otherwise, returns xi as answer. Sign queries: On receiving a Sign query S(Mi, Di, IDi, Pi), C first makes H2(Di), H3(Di), H4(Di), H5(MikDikIDikPi) and PK(IDi) queries if they are not queried before, then finds the tuples (Di, Ti, bi) on H2, ðDi ; V i ; ci ; c0i Þ on H3, ðDi ; W i ; pi ; p0i Þ on H4, (Mi, Di, IDi, Pi, hi) on H5, (IDi, xi, Pi) on K and generates the signature as follows: (1) If Di = DI, Pi = PJ and hi ¼ c0i =p0i , randomly choose Ri 2 G1 , compute Si = k (H1(IDi, 0) + hiH1(IDi, 1)) + ciPi + pihiPi + biR. (2) Else if Di = DI, Pi = PJ, abort. (3) Else if Pi = PJ, choose ri 2 Z q , set Ri ¼ ri P  b1 i ðc0i þ p0i hi ÞPi , compute Si = riTi + (ci + pihi)Pi + k(H1(IDi, 0) + hiH1(IDi, 1)), output ri = (Ri, Si). (4) Else randomly choose ri 2 Z q , compute Ri = riP, compute Si = k(H1(IDi, 0) + hi H1(IDi, 1)) + xiV + hixiW + riTi, output ri = (Ri, Si). Forgery: Finally, A returns a set of n users, whose identities form the set LID ¼ fID1 ; . . . ; IDn g and corresponding public keys form the set LPK ¼ fP 1 ; . . . ; Pn g; n messages form the set LM ¼ fM 1 ; . . . ; M n g; a state information D* and a forged aggregate signature r* = (R*,S*). 0 C recovers (D*, T*, b*) from H2, (D*, V*, cast, c *) from H3, 0   ast  * * * (D , W , p , p ) from H4 and the tuples ðM i ; D ; IDi ; Pi ; hi Þ from H5, ðIDi ; xi ; P i Þ from K for all i,1 6 i 6 n. It requires that Dast = DI and there exists i 2 {1, . . . , n}     0 such that P i ¼ P J , hi –  c0 i =pi and SðD ; M i ; IDi ; Þ has never been queried. Without loss of generality, we let i = 1. In addition, the forged aggregate signature must satisfy  eðS ; PÞ ¼ e PT ; n X Q i;0 þ i¼1  e W ;  hi Q i;1 i¼1 n X  !  e V ; ! n X Pi i¼1 ! H1 ðIDi ; jÞ; j where ¼ 2 f0; 1g. Otherwise, C aborts. If C does not aborts, we have  abP ¼ c0 x1 þ p h1 x1  n X i¼2 xi V  
1 n X i¼2 Pr½R5 ^ R6 ^ R7 ^ R8 ¼ Pr½R5Pr½R6jR5Pr½R7jR5 ^ R6Pr½R8jR5 ^ R6 ^ R7: Similar to Theorem 1, we have 8  qK > 1 > > Pr½R5 P 1  qP > > >  qS > < Pr½R6jR5 P 1  q1 q1 ð1  qH05 Þ P H2 > > > Pr½R7jR5 ^ R6 P e > > > > : Pr½R8jR5 ^ R6 ^ R7 P q1 q1 ð1  qH0 Þ 5 P H 2 Finally, we have e0 ¼ Pr½R5 ^ R6 ^ R7 ^ R8 1 1 qHP P  1 qH2 !qK 1 1 1 1 qP qH2 ! 1 qH05 e: 1 1 qH05 !!qS 1 qP  5. Comparison In this section we compare our scheme with the schemes in [9,21]. Firstly, we list some costly operations, i.e. Pairing Operation ðPÞ, Scalar Multiplication in G1 ðSÞ and MapToPoint Hash ðHÞ. Among those operations, Pairing Operation is the most time consuming one. We use the notation SL meaning signature length, PKL meaning public key length, P1 meaning the length of a point in G1. And we omit the cost of the operations which can be pre-computed by the signer such as H1(IDi,j) etc (see Table 1). From the table, the Sign procedure of our scheme is slightly less efficient than that of the schemes in [9,21]. However, our Aggregate Verify procedure is much more effi- hi Pi eðT  ; R Þ; i¼1 Q i;j n X C succeeds if all of these events happen. The probability Pr[R5 ^ R6 ^ R7 ^ R8] can be decomposed as  S  k n X i¼1 Q i;0 þ n X  hi Q i;1 i¼1  ! ! hi xi W   b R  c P1  p h1 P1 : Table 1 Comparison of three CLS schemes. Schemes Sign Aggregate Verify SL PKL First scheme in [9] Second scheme in [9] Scheme in [21] Our scheme 2S; H ð4n þ 1ÞP; 2nH ðn þ 1ÞP1 2P1 3S; H ð3n þ 2ÞP; nS; 3nH 2P1 2P1 3S; 2H 5S; 3H ðn þ 3ÞP; ð2n þ 1ÞH 5P; 2nS; ð2n þ 3ÞH ðn þ 1ÞP1 2P1 1P1 1P1 2490 L. Zhang et al. / Computer Networks 54 (2010) 2482–2491 cient than those of the schemes in [9,21]. For application purposes the practicality of an aggregate signature scheme is mainly dominated by Aggregate Verify algorithm. This is due to the fact that the verifier must verify n different signatures distributively generated by each users. This implies that our scheme may enjoy better practicality. As for the signature size, our signature requires only two elements in G1 and approximately 320 bits. Note that in CL-PKC a signer has to send the signature together with the corresponding public key to a verifier for a verification. One can see that our scheme is the most bandwidth-saving one among the three schemes, observing that the public key of a user in our scheme is only one element in G1. 6. Conclusion We presented an efficient certificateless aggregate signature scheme. The proposal is proven existentially unforgeable against adaptively chosen-message attack in the random oracle model assuming that the CDH problem is hard. Our CLAS scheme can be applied to authentications in bandwidth-limited scenarios such as many-to-one communications. Acknowledgments This work is supported by the Spanish Government through Projects TSI2007-65406-C03-01 ‘‘E-AEGIS” and CONSOLIDER INGENIO 2010 CSD2007-00004 ‘‘ARES”, and by the Government of Catalonia under Grant 2009 SGR 1135, and by the Chinese NSF Projects 60673070, 60970114, 60970115 and 60970116. The views of the author with the UNESCO Chair in Data Privacy do not necessarily reflect the position of UNESCO nor commit that organization. References [1] C.K. Miller, Multicast Networking and Applications, Addison Wesley, Reading, MA, 1999. [2] S. Al-Riyami, K. Paterson, Certificateless public key cryptography, in: ASIACRYPT 2003, LNCS, vol. 2894, 2003, pp. 452–473. [3] M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in: ACM CCCS ’93, 1993, pp. 62–73. [4] D. Boneh, C. Gentry, B. Lynn, H. Shacham, Aggregate and verifiably encrypted signatures from bilinear maps, in: EUROCRYPT 2003, LNCS, vol. 2656, 2003, pp. 416–432. [5] D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, in: Asiacrypt 2001, LNCS, vol. 2248, 2001, pp. 514–532. [6] X. Cheng, J. Liu, X. Wang. Identity-based aggregate and verifiably encrypted signatures from bilinear pairing, in: ICCSA 2005, LNCS, vol. 3483, 2005, pp. 1046–1054. [7] J. Cheon, Y. Kim, H. Yoon, A new id-based signature with batch verification, Cryptology ePrint Archive, Report 2004/131 2006. [8] C. Gentry, Z. Ramzan, Identity-based aggregate signatures, in: PKC 2006, LNCS, vol. 3958, 2006, pp. 257–273. [9] Z. Gong, Y. Long, X. Hong, K. Chen, Two certificateless aggregate signatures from bilinear maps, in: IEEE SNPD 2007, vol. 3, 2007, pp. 188–193, <http://eprints.eemcs.utwente.nl/14802/02/Practical_ Certificateless_Aggregate_Signatures_From_Bilinear_Maps.pdf>. [10] J. Herranz, Deterministic identity-based aggregate signatures for partial aggregation, The Computer Journal 49 (3) (2006) 322–330. [11] B. Hu, D. Wong, Z. Zhang, X. Deng, Key replacement attack against a generic construction of certificateless signature, in: ACISP 2006, LNCS, vol. 4058, 2006, pp. 235–346. [12] X. Huang, W. Susilo, Y. Mu, F. Zhang, On the security of a certificateless signature scheme, in: CANS 2005, LNCS, vol. 3810, 2005, pp. 13–25. [13] X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu. Certificateless signature revisited. ACISP 2007, LNCS 4586, 2007, pp. 308–322. [14] J. Liu, M. Au, W. Susilo, Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model, in: ACM ASIACCS’07, 2007. [15] J. Park, An attack on the certificateless signature scheme from EUC Workshops 2006, Cryptology ePrint Archive, Report 2006/442, 2006. [16] A. Shamir, Identity based cryptosystems and signature schemes, in: Crypto’84, LNCS, vol. 196, 1984, pp. 47–53. [17] J. Xu, Z. Zhang, D. Feng, ID-based aggregate signatures from bilinear pairings, in: CANS 2005, LNCS, vol. 3810, 2005, pp. 110–119. [18] W. Yap, S. Heng, B. Goi, An efficient certificateless signature scheme, in: EUC Workshops 2006, LNCS, vol. 4097, 2006, pp. 322– 331. [19] Z. Zhang, D. Feng, Key replacement attack on a certificateless signature scheme, Cryptology ePrint Archive, Report 2006/453, 2006. [20] Z. Zhang, D. Wong, J. Xu, D. Feng, Certificateless public-key signature: security model and efficient construction, in: ACNS 2006, LNCS, vol. 3989, 2006, pp. 293–308. [21] L. Zhang, F. Zhang, A New Certificateless Aggregate Signature Scheme, Computer Communications (2009), doi:10.1016/j.comcom. 2008.12.042. [22] L. Zhang, F. Zhang, A new provably secure certificateless signature scheme, in: IEEE ICC’08, 2008, pp. 1685–1689. Lei Zhang is currently a PhD candidate in the Department of Computer Engineering and Mathematics at Universitat Rovira i Virgili of Tarragona, Catalonia. His research interests include public key cryptography, network security and information security. He is authored/coauthored over 20 publications. Bo Qin obtained her PhD from Xidian University in 2008. She is now with Universitat Rovira i Virgili as postdoctoral researcher in Catalonia. Her research interests include cryptography, data privacy, and network security. She has been a holder/coholder of five R+D funds from Spanish/Chinese government, and authored/coauthored over 30 publications in information security. Qianhong Wu has been with University of Wollongong as associate research fellow in Australia, Wuhan University as associate professor in China, and now with Universitat Rovira i Virgili as senior researcher in Catalonia. His research interests include cryptography, information security and privacy, and ad hoc networks security. He has been a holder/ coholder of six R+D funds from Spanish/Chinese/Australian government, and authored over 60 publications. He served in the program committee of several international conferences on information security and privacy. Dr. Qianhong Wu is a member of the International Association for Cryptologic Research (IACR). L. Zhang et al. / Computer Networks 54 (2010) 2482–2491 Futai Zhang is a professor in School of Computer Science and Technology at Nanjing Normal University, Nanjing, China. His research interests include information security, network security and cryptography. 2491