A certificateless signature scheme with strong unforgeability in the random oracle model

Abstract

Certificateless public key cryptography (CL-PKC) was introduced to solve two important problems in public key cryptography. One was the presence of certificates in traditional public-key cryptography (TPKC), the other was the key escrow problem in ID-based public-key cryptography (ID-PKC). In recent years, several certificateless signature schemes (CLS) have been proposed in the random oracle model (ROM) and the standard model. However, many implementations of the random oracle may result in insecure schemes. Some CLS schemes in the standard model were insecure against key replacement attack and were not strongly unforgeable. In order to solve these problems, we construct a CLS scheme in the ROM in this paper. Based on the Computational Diffie-Hellman (CDH) assumption and collision-resistant hash (CRH) assumption and partially depending on the ROM, we prove that the scheme has strong unforgeability. In addition, we show that the proposed scheme enjoys higher computational efficiency.

Keywords

Certificateless signature random oracle model strong unforgeability CDH assumption CRH assumption

1. Introduction

A user’s pubic key requires the digital certificate authentication in TPKC, therefore TPKC has to face with the certificate management problem. To eliminate the need for pubic key certificates, ID-PKC is introduced. In ID-PKC, a user’s pubic key may be an arbitrary string related to his personal information. However, since the private key generator (PKG) generates each user’s private key, ID-PKC has to face with the key escrow problem. To solve these problems, Al-Riyami and Paterson [1] introduced the notion of the CL-PKC. In CL-PKC, a user’s private key is generated by the cooperation of the key generation center (KGC) and the user. The KGC generates the user’s partial private key which eliminates the use of the public key certificate. On the other hand, the user generates the secret value and secret key which the KGC don’t acquire; therefore, CL-PKC solves the key escrow problem. In recent years, many scholars have concerned with the CL-PKC and have proposed related signature schemes in succession (e.g. [2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19]). Huang et al. [2] presented the security notions for CLS schemes in 2005 and pointed out that Al-Riyami et al.’s scheme was insecure. Hu et al. [3] enhanced the security notions and security models for CL-PKC in 2006. Huang et al. [4] proposed a certificateless short signature scheme in 2007, but Shim [5] proved their scheme insecure against the key replacement attack. Tso et al. [6] constructed a safe and efficient certificateless short signature scheme in 2008. To reduce the computational cost, Wang et al. [7] proposed a CLS scheme without bilinear pairing in 2012, but Wang and Zhang [8] pointed out that their scheme was insecure. Moreover, Wang improved their scheme and proved that the modified scheme was secure. The schemes above are all designed in the ROM, but Bellare et al. [9] proved that the realization of ROM might cause insecurity. To overcome this problem, Liu et al. [10] proposed the first CLS scheme in the standard model (SM) in 2007. However, Xiong et al. [11] proved their scheme was insecure against the malicious KGC’s attack. Yuan et al. [12] proposed a CLS scheme in the SM which was secure against malicious KGC’s attack, but it suffered from low computational efficiency with seven bilinear pairs operations in the verifying algorithm. In addition, Xia et al. [13] proved that Yuan et al.’s scheme was insure against the public key replacement attack in 2012. Li et al. [14] constructed a secure CLS scheme in the SM which enjoyed high computational efficiency with three bilinear pairings operations. However, this scheme had low security property under the existential unforgeability. Cheng et al. [15] pointed out that strong unforegeability should be included in more secure models for CLS scheme when they analyzed existing secure models. Therefore, based on the security models in Hu et al. [3], Cheng et al. [15], we construct a CLS scheme with strong unforgeability in the ROM. In addition, we prove it secure against both Type1 and Type2 adversaries, under the CDH and CRH assumptions and partially depending on the ROM.

2. Preliminaries

2.1 Required definition

.

Assume that a signature scheme is existentially unforgeable against adaptive chosen-message attack. Given a signature on some message $m$ , if an adversary can’t generate a new signature on $m$ , then we say that this signature scheme is strongly unforgeable.

.

(CDH assumption) Given a group $G$ of prime order $p$ with generator $g$ and $g^{a},g^{b}\in G$ for unknown $a,b\in Z_{p}^{\ast}$ . If no probabilistic polynomial-time (PPT) adversary $A$ can compute $g^{ab}$ running within time $t$ with probability at least $\varepsilon$ , then we say that CDH assumption holds in $G$ for ( $t,\varepsilon$ ).

.

(CRH assumption) Let $H_{k}:\{0,1\}^{\ast}\to\{0,1\}^{n}$ be a family of CRH functions, where $k$ is an index and $n$ is a fixed bit length. If no PPT adversary $A$ running within time $t$ can break the collision resistance of $H_{k}$ with probability at least $\varepsilon$ , then we say that CRH assumption holds for ( $t,\varepsilon$ ).

2.2 Composition of a strongly unforgeable CLS scheme

A strongly unforgeable CLS scheme consists of two kinds of entities, namely, users and a KGC, which includes five algorithms as follows [1].

Setup: On inputting a security parameter $k$ , the KGC generates the master secret key msk and public parameters params. Master secret key msk is conserved secretly by the KGC.

Extract-Partial-Private-Key-Extract: Given a user’s identity $\textit{ID},\textit{params}$ and msk, the KGC generates the user’s partial key $D_{\textit{ID}}$ which is sent to the user secretly.

Set-User-Key: Given a user’s ID and params, the user generates his secret value $x_{\textit{ID}}$ , private key $S_{\textit{ID}}$ and public key $P_{\textit{ID}}$ .

Sign: Given a user’s $\textit{ID},\textit{params},D_{\textit{ID}},S_{\textit{ID}}$ and a message $M$ , the user generates a signature $\sigma$ on ( $\textit{ID},M$ ).

Verify: Given params, a user’s $\textit{ID},P_{\textit{ID}}$ and a signature $\sigma$ on $(\textit{ID},M)$ , the verifier outputs either “accept” or “reject”.

2.3 Adversarial model

Based on the security models in Hu et al. [3], Cheng et al. [15], we present two kinds of adversaries, namely, Type1 adversary $A_{1}$ and Type 2 adversary $A_{2}$ . Type1 adversary $A_{1}$ acts as a dishonest user. Except for the target user’s partial private key query, Type1 adversary $A_{1}$ can make queries for the public key, secret value, private key, signing, partial private key and the replacement of the public key of any user. However, $A_{1}$ doesn’t know the master secret key. Finally, the aim of $A_{1}$ is to construct a signature, namely, ( $\textit{ID}^{\ast},M^{\ast},\sigma^{\ast}$ ) which satisfies the following conditions:

(1)
( $\textit{ID}^{\ast},M^{\ast},\sigma^{\ast}$ ) is valid;
(2)
Type1 adversary $A_{1}$ doesn’t successfully make the query for the partial private key of $\textit{ID}^{\ast}$ ;
(3)
( $\textit{ID}^{\ast},M^{\ast},\sigma^{\ast}$ ) has never appeared during the signing queries.

On the other hand, Type2 adversary $A_{2}$ acts as an honest-but-curious KGC. Type2 adversary $A_{2}$ knows the master secret key but cannot perform public key replacement. Except for the target user’s secret value and private key query, the Type2 adversary $A_{2}$ can make queries for the public key, signing, secret value and private key of any user. Similarly, the aim of $A_{2}$ is to construct a signature, namely, ( $\textit{ID}^{\ast},M^{\ast},\sigma^{\ast}$ ) which satisfies the following conditions:

(1)
( $\textit{ID}^{\ast},M^{\ast},\sigma^{\ast}$ ) is valid;
(2)
Type2 adversary $A_{2}$ doesn’t successfully make the query for the secret value and private key of $\textit{ID}^{\ast}$ ;
(3)
( $\textit{ID}^{\ast},M^{\ast},\sigma^{\ast}$ ) has never appeared during the signing queries.

3. A CLS scheme with strong unforgeability in the ROM

Based on the security models in Hu et al. [3], Cheng et al. [15], we construct a CLS scheme in the ROM and prove its strong unforgeability.

3.1 The construction of our CLS scheme

Setup: The KGC chooses two cyclic multiplicative groups $G$ and $G_{1}$ of prime order $p$ , a bilinear map $e:G\times G\to G_{1}$ . Let $g$ be a generator of $G$ . The KGC randomly selects $\alpha\in Z_{p}^{\ast}$ , $g_{2}\in G$ and sets $g_{1}=g^{\alpha}$ , where the master key is $g_{2}^{\alpha}$ . Moreover, the KGC randomly chooses four hash functions as follows.

$\displaystyle H_{1}:\{0,1\}^{\ast}\to\{0,1\}^{m},H_{2}:\{0,1\}^{\ast}\to\{0,1% \}^{n},H_{3}:\{0,1\}^{\ast}\to\{0,1\}^{l},H_{4}:\{0,1\}^{\ast}\to Z_{p}^{\ast}.$

Additionally, the KGC randomly selects ${u}^{\prime}$ , $u_{i}\in Z_{p}^{\ast}$ , $s_{j}$ , $t_{k}$ , $s^{\prime}$ , $t^{\prime}\in G$ and three vectors $\vec{u}=(u_{i})$ , $\vec{s}=(s_{j})$ , $\vec{t}=(t_{k})$ of length $m$ , $n$ and $l$ , respectively. Finally, the KGC publishes the parameters and secretly conserves the master key $\textit{msk}=g_{2}^{\alpha}$ , where

$\displaystyle\textit{params}=\{G,G_{1},g,g_{1},g_{2},u^{\prime},s^{\prime},t^{% \prime},\vec{u}=(u_{i}),\vec{s}=(s_{j}),\vec{t}=(t_{k}),H_{1},H_{2},H_{3},H_{4% }\}.$

Partial-Private-Key-Extract: Given a user’s identity ID, the KGC inquires Random Oracle on ID and gets its answer $\vec{v}=H_{1}(\textit{ID})=(v_{1},v_{2},\ldots,v_{m})$ . Moreover, the KGC randomly selects $r_{v}\in Z_{p}^{\ast}$ and computes the user’s partial private key $D_{\textit{ID}}=(D_{1},D_{2})=(g_{2}^{\alpha+r_{v}U},g^{r_{v}})$ , where $U=u^{\prime}+\sum_{i=1}^{m}v_{i}u_{i}$ . Then, the KGC secretly sends $D_{\textit{ID}}$ to the user.

Set-User-Key: The user selects $x\in Z_{p}^{\ast}$ at random as his secret value and computes his public key $P_{\textit{ID}}=g^{x}$ . Moreover, the user inquires Random Oracle on $P_{\textit{ID}}$ and gets its answer $\overrightarrow{vs}=H_{2}(P_{\textit{ID}})=(vs_{1},vs_{2},\ldots,vs_{n})$ . Then, the user computes his private key $S_{\textit{ID}}=S^{x}$ , where $S=s^{\prime}\prod\nolimits_{j=1}^{n}s_{j}^{vs_{j}}$ .

Sign: Given a user’s identity ID, partial private key $D_{\textit{ID}}$ , private key $S_{\textit{ID}}$ and a message $M$ , the user randomly selects $r_{m}\in Z_{p}^{\ast}$ , the user inquires Random Oracle on $M$ and gets its answer $\overrightarrow{vm}=H_{3}(M)=(vm_{1},vm_{2},\ldots,vm_{l})$ . Similarly, the user gets $h=H_{4}(M,g^{r_{m}})$ and creates a signature $\sigma$ on $(\textit{ID},M)$ , where

$\displaystyle\sigma=(\sigma_{1},\sigma_{2},\sigma_{3})=(D_{1}^{h}S_{\textit{ID% }}T^{r_{m}},D_{2}^{h},g^{r_{m}}),\quad T=t^{\prime}\prod\nolimits_{k=1}^{l}t_{% k}^{vm_{k}}.$

Verify: Given a user’s public key $P_{\textit{ID}}$ and a signature $\sigma$ on ( $\textit{ID},M$ ), the verifier checks whether the following equality holds:

$\displaystyle e(\sigma_{1},g)=e(g_{2},g_{1})^{h}e(g_{2},\sigma_{2})^{U}e(S,P_{% \textit{ID}})e(T,\sigma_{3}),$

where $h=H_{4}(M,\sigma_{3})$ . Output accept, if it holds, otherwise, output reject.

Note that the equality in the verifying algorithm is correct as follows:

$\displaystyle e(\sigma_{1},g)=e(g_{2},g^{\alpha})^{h}e(g_{2},g^{r_{v}h})^{U}e(% S,g^{x})e(T,g^{r_{m}})=e(g_{2},g_{1})^{h}e(g_{2},\sigma_{2})^{U}e(S,P_{\textit% {ID}})e(T,\sigma_{3}).$

3.2 Security analysis

.

Let the CDH assumption hold in $G$ for ( $t^{\prime},\varepsilon^{\prime}$ ) and the CRH assumption hold for ( $t^{\prime\prime},\varepsilon^{\prime\prime}$ ). Then, our CLS scheme in the ROM is strongly unforgeable against Type1 adversary $A_{1}$ for $(t,\varepsilon,q_{E},q_{S},q_{K})$ . Concretely, if $A_{1}$ can break our scheme with an advantage $\varepsilon$ , within running time $t$ , who makes at most $q_{E}$ partial private key queries, $q_{S}$ signing queries and $q_{K}$ user key queries, then we have

$\displaystyle\varepsilon^{\prime}\geqslant\frac{1}{16(q_{E}+q_{S})q_{S}q_{K}(m% +1)(n+1)(l+1)}\varepsilon,\varepsilon^{\prime\prime}\geqslant\frac{1}{4}\varepsilon;$ $\displaystyle t^{\prime\prime}=t^{\prime}=t+O(q_{E}+nq_{K}+nq_{S}+lq_{S})\tau_% {1}+O(q_{E}+q_{K}+q_{S})\tau_{2}.$

Here $\tau_{1}$ and $\tau_{2}$ are the computational costs of a scalar multiplication operation and an exponentiation operation in $G$ , respectively.

Proof. It is enough to prove that if Type1 adversary $A_{1}$ can forge a valid signature, then there is an algorithm $B$ to solve the CDH problem or to find a collision of hash functions. Given a random instance ( $g,g^{a},g^{b}$ ) of the CDH problem, the algorithm $B$ is asked to compute $g^{ab}$ . In order to use Type1 adversary $A_{1}$ to solve the problem above, the algorithm $B$ should simulate the KGC to answer all queries of $A_{1}$ as follows.

Setup: Firstly, $B$ randomly chooses four hash functions:

$\displaystyle H_{1}:\{0,1\}^{\ast}\to\{0,1\}^{m},H_{2}:\{0,1\}^{\ast}\to\{0,1% \}^{n},H_{3}:\{0,1\}^{\ast}\to\{0,1\}^{l}\text{ and }H_{4}:\{0,1\}^{\ast}\to Z% _{p}^{\ast}.$

It sets $l_{v}=2(q_{E}+q_{S})$ , $l_{s}=q_{K}$ , $l_{m}=2q_{S}$ , where $l_{v}(m+1)<p$ , $l_{s}(n+1)<p$ , $l_{m}(l+1)<p$ . It selects three integers $k_{v}$ , $k_{s}$ and $k_{m}$ at random, where $0\leqslant k_{v}\leqslant m$ , $0\leqslant k_{s}\leqslant n$ , $0\leqslant k_{m}\leqslant l$ . $B$ selects the following random integers: $x^{\prime},x_{1},\ldots,x_{m}\in Z_{l_{v}}$ , $y^{\prime},y_{1},\ldots,y_{n}\in Z_{l_{s}}$ , $z^{\prime},z_{1},\ldots,z_{l}\in Z_{l_{m}}$ , $a^{\prime},a_{1},\ldots,a_{n}\in Z_{p}$ , $b^{\prime},b_{1},\ldots,b_{l}\in Z_{p}$ . $B$ inquires Random Oracle on ID and gets its answer $\vec{v}=H_{1}(\textit{ID})=(v_{1},v_{2},\ldots,v_{m})$ . Similarly, it gets $\overrightarrow{vs}=H_{2}(P_{\textit{ID}})=(vs_{1},vs_{2},\ldots,vs_{n})$ , $\overrightarrow{vm}=H_{3}(M)=(vm_{1},vm_{2},\ldots,vm_{l})$ . Next, $B$ constructs the following functions:

$\displaystyle F(\vec{v})=x^{\prime}-k_{v}l_{v}+\sum_{i=1}^{m}v_{i}x_{i};Q\left% (\overrightarrow{vs}\right)=y^{\prime}-k_{s}l_{s}+\sum_{j=1}^{n}vs_{j}y_{j};$ $\displaystyle R\left(\overrightarrow{vs}\right)=a^{\prime}+\sum_{j=1}^{n}vs_{j% }a_{j};K\left(\overrightarrow{vm}\right)=z^{\prime}-k_{m}l_{m}+\sum_{k=1}^{l}% vm_{k}z_{k};L\left(\overrightarrow{vm}\right)=b^{\prime}+\sum_{k=1}^{l}vm_{k}b% _{k}.$

Afterwards, $B$ sets $g_{1}=g^{a}$ , $g_{2}=g^{b}$ and $B$ pretends to know the master key $\textit{msk}=g^{ab}$ . $B$ also sets $u^{\prime}=x^{\prime}-k_{v}l_{v}$ , $u_{i}=x_{i}s^{\prime}=g_{2}^{y^{\prime}-k_{s}l_{s}}g^{a^{\prime}}$ , $s_{j}=g_{2}^{y_{j}}g^{a_{j}}$ , $t^{\prime}=g_{2}^{z^{\prime}-k_{m}l_{m}}g^{b^{\prime}}$ , $t_{k}=g^{z_{k}}g^{b_{k}}$ . Moreover, $B$ sets three vectors $\vec{u}=(u_{i})$ , $\vec{s}=(s_{j})$ and $\vec{t}=(t_{k})$ of length $m$ , $n$ and $l$ , respectively. Note that the following equalities are frequently used:

$\displaystyle U=u^{\prime}+\sum_{i=1}^{m}v_{i}u_{i}=F(\vec{v});S=s^{\prime}% \prod_{j=1}^{n}s_{j}^{vs_{j}}=g_{2}^{Q\left(\overrightarrow{vs}\right)}g^{R% \left(\overrightarrow{vs}\right)};$ $\displaystyle T=t^{\prime}\prod_{k=1}^{l}t_{k}^{vm_{k}}=g_{2}^{K\left(% \overrightarrow{vm}\right)}g^{L\left(\overrightarrow{vm}\right)}.$

Finally, $B$ publishes the parameters:

$\displaystyle\textit{params}=\{G,G_{1},e,g,g_{1},g_{2},u^{\prime},s^{\prime},t% ^{\prime},\vec{u}=(u_{i}),\vec{s}=(s_{j}),\vec{t}=(t_{k}),H_{1},H_{2},H_{3},H_% {4}\}.$

Query-Partial-Private-Key: $B$ maintains a list $L_{0}$ of tuples $(\textit{ID},D_{\textit{ID}})$ , which is initially empty. When $A_{1}$ makes this query on ID, $B$ inquires Random Oracle on ID and gets its answer $\vec{v}=H_{1}(\textit{ID})$ . $B$ computes $F(\vec{v})$ . If $F(\vec{v})=0\text{ mod }p$ , $B$ aborts. Otherwise, $B$ selects random integer $r_{v}\in Z_{p}^{\ast}$ and computes partial private key $D_{\textit{ID}}=(D_{1},D_{2})=(g_{2}^{r_{v}F(\vec{v})},g^{r_{v}}g_{1}^{-\frac{% 1}{F(\vec{v})}})$ . Then, $B$ returns it to $A_{1}$ and adds to it in the list $L_{0}$ . Let $r^{\prime}_{v}=r_{v}-g_{1}^{-\frac{a}{F(\vec{v})}}$ .

It ensures that $D_{\textit{ID}}$ is valid, since

$\displaystyle D_{1}=g_{2}^{r_{v}F(\vec{v})}=g_{2}^{\left(r^{\prime}_{v}+\frac{% a}{F(\vec{v})}\right)F(\vec{v})}=g_{2}^{a+r^{\prime}_{v}U},D_{2}=g^{r_{v}}g_{1% }^{-\frac{1}{F(\vec{v})}}=g^{r^{\prime}_{v}+\frac{a}{F(\vec{v})}}g^{-\frac{a}{% F(\vec{v})}}=g^{r^{\prime}_{v}}.$

Query-User-Key: $B$ maintains a list $L_{1}$ of tuples $(\textit{ID},x,P_{\textit{ID}},S_{\textit{ID}})$ , which is initially empty. When $A_{1}$ makes this query on the public key of ID, $B$ looks up the list $L_{1}$ . If the list $L_{1}$ contains ID, $B$ returns $P_{\textit{ID}}$ to $A_{1}$ . Otherwise, $B$ randomly selects $x\in Z_{p}^{\ast}$ and computes $P_{\textit{ID}}=g^{x}$ . $B$ inquires Random Oracle on $P_{\textit{ID}}$ and gets its answer $\overrightarrow{vs}=H_{2}(P_{\textit{ID}})=(vs_{1},vs_{2},\ldots vs_{n})$ . $B$ computes $S_{\textit{ID}}=S^{x}=(s^{\prime}\prod\nolimits_{j=1}^{n}s_{j}^{vs_{j}})^{x}$ . $B$ returns $P_{\textit{ID}}$ to $A_{1}$ and adds to the tuple $(\textit{ID},x,P_{\textit{ID}},S_{\textit{ID}})$ in the list $L_{1}$ . Similarly, $B$ can answer queries for the secret value and private key of ID.

Replace-Public-Key: When $A_{1}$ submits $(\textit{ID},P^{\prime}_{\textit{ID}})$ to $B$ , $B$ looks up the list $L_{1}$ . If the list $L_{1}$ contains ID, $B$ replaces the original tuple for the new tuple $(\textit{ID},\perp P^{\prime}_{\textit{ID}},\perp)$ . Otherwise, $B$ adds to the tuple $(\textit{ID},\perp P^{\prime}_{\textit{ID}},\perp)$ in the list $L_{1}$ directly.

Query-Signature: When $A_{1}$ makes this query on $(\textit{ID},M)$ , $B$ looks up the list $L_{1}$ . If ID isn’t in the list $L_{1}$ , $B$ creates the tuple $(\textit{ID},x,P_{\textit{ID}},S_{\textit{ID}})$ as in the user key queries and adds to it in the list $L_{1}$ and extracts $P_{\textit{ID}}$ . Otherwise, $B$ gets $P_{\textit{ID}}$ directly. Then $B$ randomly selects $r_{m}\in Z_{p}^{\ast}$ . $B$ inquires Random Oracle on ID and gets its answer $\vec{v}=H_{1}(\textit{ID})$ . Similarly, $B$ gets $\overrightarrow{vs}=H_{2}(P_{\textit{ID}})$ , $\overrightarrow{vm}=H_{3}(M)$ , $h=H_{4}(M,g^{r_{m}})$ . $B$ computes $F(\vec{v}),Q\left(\overrightarrow{vs}\right)$ , $R\left(\overrightarrow{vs}\right)$ , $K\left(\overrightarrow{vm}\right)$ , $L\left(\overrightarrow{vm}\right)$ . If $K\left(\overrightarrow{vm}\right)=0\text{ mod }l_{m}$ , $B$ aborts. Otherwise, $B$ considers the following two cases.

(1)
Assume that the public key of ID is replaced with $P^{\prime}_{\textit{ID}}=g^{x}$ . If $F(\vec{v})\neq 0\text{ mod }p$ , $B$ looks up the list $L_{0}$ . If ID is not in the list $L_{0}$ , $B$ creates the tuple $(\textit{ID},D_{\textit{ID}})$ as in the partial private key queries, adds to it in the list $L_{0}$ , and extracts $D_{\textit{ID}}$ . Otherwise, $B$ gets $D_{\textit{ID}}$ directly. Then, $B$ can create the signature $\sigma$ on $(\textit{ID},M)$ and returns it to $A_{1}$ , where

$\displaystyle\sigma=(\sigma_{1},\sigma_{2},\sigma_{3})=\left(D_{1}^{h}\left(P^% {\prime}_{\textit{ID}}\right)^{R\left(\overrightarrow{vs}\right)-\frac{L\left(% \overrightarrow{vm}\right)Q\left(\overrightarrow{vs}\right)}{K\left(% \overrightarrow{vm}\right)}}T^{r_{m}},D_{2}^{h},g^{r_{m}}(P^{\prime}_{\textit{% ID}})^{-\frac{Q\left(\overrightarrow{vs}\right)}{K\left(\overrightarrow{vm}% \right)}}\right).$

Let $r^{\prime}_{m}=r_{m}-\frac{xQ\left(\overrightarrow{vs}\right)}{K\left(% \overrightarrow{vm}\right)}$ . Since

$\displaystyle\sigma_{1}=D_{1}^{h}\left(P^{\prime}_{\textit{ID}}\right)^{R\left% (\overrightarrow{vs}\right)-\frac{L\left(\overrightarrow{vm}\right)Q\left(% \overrightarrow{vs}\right)}{K\left(\overrightarrow{vm}\right)}}T^{r_{m}}=D_{1}% ^{h}g^{xR\left(\overrightarrow{vs}\right)-\frac{xL\left(\overrightarrow{vm}% \right)Q\left(\overrightarrow{vs}\right)}{K\left(\overrightarrow{vm}\right)}}% \left(g_{2}^{K\left(\overrightarrow{vm}\right)}g^{L\left(\overrightarrow{vm}% \right)}\right)^{r^{\prime}_{m}+\frac{xQ\left(\overrightarrow{vs}\right)}{K% \left(\overrightarrow{vm}\right)}}=D_{1}^{h}\left(g_{2}^{Q\left(% \overrightarrow{vs}\right)}g^{R\left(\overrightarrow{vs}\right)}\right)^{x}T^{% r^{\prime}_{m}}=D_{1}^{h}S^{x}T^{r^{\prime}_{m}};$ $\displaystyle\sigma_{3}=g^{r_{m}}(P^{\prime}_{\textit{ID}})^{-\frac{Q\left(% \overrightarrow{vs}\right)}{K\left(\overrightarrow{vm}\right)}}=g^{r^{\prime}_% {m}+\frac{xQ\left(\overrightarrow{vs}\right)}{K\left(\overrightarrow{vm}\right% )}}g^{-\frac{xQ\left(\overrightarrow{vs}\right)}{K\left(\overrightarrow{vm}% \right)}}=g^{r^{\prime}_{m}}.$

It ensures that $\sigma$ is valid.

On the other hand, if $F(\vec{v})=0\text{ mod }p$ , $B$ randomly chooses $r_{v}\in Z_{p}^{\ast}$ and creates the signature $\sigma$ on $(\textit{ID},M)$ and returns it to $A_{1}$ , where

$\displaystyle\sigma=(\sigma_{1},\sigma_{2},\sigma_{3})=\left(\left(P^{\prime}_% {\textit{ID}}\right)^{R\left(\overrightarrow{vs}\right)-\frac{L\left(% \overrightarrow{vm}\right)Q\left(\overrightarrow{vs}\right)}{K\left(% \overrightarrow{vm}\right)}}T^{r_{m}}g_{1}^{-\frac{hL\left(\overrightarrow{vm}% \right)}{K\left(\overrightarrow{vm}\right)}},g^{r_{v}h},g^{r_{m}}g_{1}^{-\frac% {h}{K\left(\overrightarrow{vm}\right)}}(P^{\prime}_{\textit{ID}})^{\frac{Q% \left(\overrightarrow{vs}\right)}{K\left(\overrightarrow{vm}\right)}}\right).$

As above, it ensures that $\sigma$ is valid.
(2)
Assume that the public key of ID is not replaced. The algorithm $B$ finds the list $L_{1}$ to get $S_{\textit{ID}}$ . If $F(\vec{v})\neq 0\text{ mod }p$ , it looks up the list $L_{0}$ . If ID isn’t in the list $L_{0}$ , it creates the tuple $D_{\textit{ID}}=(D_{1},D_{2})$ as in the partial private key queries and adds to it in the list $L_{0}$ . It can create the signature $\sigma$ on $(\textit{ID},M)$ regularly and returns it to $A_{1}$ . If $F(\vec{v})=0\text{ mod }p$ , $B$ can create the signature $\sigma$ on $(\textit{ID},M)$ and returns it to $A_{1}$ , where

$\displaystyle\sigma=(\sigma_{1},\sigma_{2},\sigma_{3})=\left(g_{1}^{-\frac{hL% \left(\overrightarrow{vm}\right)}{K\left(\overrightarrow{vm}\right)}}S_{% \textit{ID}}T^{r_{m}},g^{r_{v}h},g^{r_{m}}g_{1}^{-\frac{h}{K\left(% \overrightarrow{vm}\right)}}\right).$

It can be verified that $\sigma$ is valid.

Forge: Finally, when $A_{1}$ forges a valid signature $(\textit{ID}^{\ast},M^{\ast},\sigma^{\ast})$ , $B$ should consider two cases.

Case 1. When $(\textit{ID}^{\ast},M^{\ast})$ did not appear in the signing queries, $B$ looks up the list $L_{1}$ to get the public key $P_{\textit{ID}^{\ast}}$ of $\textit{ID}^{\ast}$ . $B$ inquires Random Oracle onID and gets its answer $\vec{v}^{\ast}=H_{1}(\textit{ID}^{\ast})$ Similarly, $B$ gets $\vec{v}^{\ast}=H_{1}(\textit{ID}^{\ast})$ , $\overrightarrow{vs}^{\ast}=H_{2}(P_{ID^{\ast}})$ , $\overrightarrow{vm}^{\ast}=H_{3}(M^{\ast})$ , $h^{\ast}=H_{4}(M^{\ast},\sigma_{3}^{\ast})$ . $B$ computes $F(\vec{v}^{\ast})$ , $Q\left(\overrightarrow{vs}^{\ast}\right)$ , $R\left(\overrightarrow{vs}^{\ast}\right)$ , $K\left(\overrightarrow{vm}^{\ast}\right)$ , $L\left(\overrightarrow{vm}^{\ast}\right)$ . If $F(\vec{v}^{\ast})=Q\left(\overrightarrow{vs}^{\ast}\right)=K\left(% \overrightarrow{vm}^{\ast}\right)=0\text{ mod }p$ , $B$ can compute $g^{ab}$ as follows.

$\displaystyle\frac{\sigma_{1}^{\ast h^{\ast-1}}}{P_{ID^{\ast}}^{R\left(% \overrightarrow{vs}^{\ast}\right)h^{\ast-1}}(\sigma_{3}^{\ast})^{L\left(% \overrightarrow{vm}^{\ast}\right)h^{\ast-1}}}$ $\displaystyle=\frac{g_{2}^{a+r_{v}F(\vec{v}^{\ast})}g_{2}^{xQ\left(% \overrightarrow{vs}^{\ast}\right)h^{\ast-1}}g^{xR\left(\overrightarrow{vs}^{% \ast}\right)h^{\ast-1}}g_{2}^{K\left(\overrightarrow{vm}^{\ast}\right)r_{m}^{% \ast}h^{\ast-1}}g^{L\left(\overrightarrow{vm}^{\ast}\right)r_{m}^{\ast}h^{\ast% -1}}}{g^{xR\left(\overrightarrow{vs}^{\ast}\right)h^{\ast-1}}g^{L\left(% \overrightarrow{vm}^{\ast}\right)r_{m}^{\ast}h^{\ast-1}}}=g_{2}^{a}=g^{ab}.$

Otherwise, $B$ aborts.

Case 2. When $(\textit{ID}^{\ast},M^{\ast})$ has appeared in the signing queries. Namely, $A_{1}$ has gotten a signature $\sigma$ on $(\textit{ID}^{\ast},M^{\ast})$ , but $\sigma\neq\sigma^{\ast}$ . If $\sigma_{2}\neq\sigma_{2}^{\ast}$ , namely, $g^{r_{v}h}\neq g^{r_{v}h^{\ast}}$ , then $B$ can compute $g^{ab}$ as in Case 1. Otherwise, if $\sigma_{2}=\sigma_{2}^{\ast}$ , then $h=h^{\ast}$ . Namely, $H_{4}(M^{\ast},\sigma_{3})=H_{4}(M^{\ast},\sigma_{3}^{\ast})$ , where $\sigma_{3}=g^{r_{m}}$ , $\sigma_{3}^{\ast}=g^{r_{m}^{\ast}}$ . However, $r_{m}\neq r_{m}^{\ast}$ , $B$ can get a collision of $H_{4}$ .

In the following, we analyze the probabilities of events that the algorithm $B$ does not abort. Let

$\displaystyle X_{i}:F(\vec{v})\neq 0\text{ mod }l_{v},1\leqslant i\leqslant q_% {I};Y_{j}:K\left(\overrightarrow{vm}\right)\neq 0\text{ mod }l_{m},1\leqslant j% \leqslant q_{M};$ $\displaystyle X^{\ast}:F(\vec{v}^{\ast})=0\text{ mod }p;Y^{\ast}:K\left(% \overrightarrow{vm}^{\ast}\right)=0\text{ mod }p;Z^{\ast}:Q\left(% \overrightarrow{vs}^{\ast}\right)=0\text{ mod }p.$

Let $P_{1},P_{2}$ denote the probabilities which $B$ doesn’t abort in Case 1 and Case 2, respectively. Combining with the literature [14], we conclude that

$\displaystyle P_{1}=P\left(\wedge_{i=1}^{q_{I}}X_{i}\wedge\wedge_{j=1}^{q_{M}}% Y_{j}\wedge X^{\ast}\wedge Y^{\ast}\wedge Z^{\ast}\right)\geqslant\left(1-% \frac{q_{E}+q_{S}}{l_{v}}\right)\left(1-\frac{q_{S}}{l_{m}}\right)\frac{1}{l_{% v}(m+1)}\frac{1}{l_{m}(l+1)}\frac{1}{l_{S}(n+1)}\geqslant\frac{1}{16(q_{E}+q_{% S})q_{S}q_{K}(m+1)(l+1)(n+1)};$ $\displaystyle P_{2}=P\left(\wedge_{i=1}^{q_{I}}X_{i}\wedge\wedge_{j=1}^{q_{M}}% Y_{j}\right)\geqslant\left(1-\frac{q_{E}+q_{S}}{l_{v}}\right)\left(1-\frac{q_{% S}}{l_{m}}\right)=\frac{1}{4}.$

Namely, $\varepsilon^{\prime}\geqslant\frac{1}{16(q_{E}+q_{S})q_{S}q_{K}(m+1)(l+1)(n+1)}\varepsilon$ , $\varepsilon^{\prime\prime}\geqslant\frac{1}{4}\varepsilon$ .

From the description above, $B$ requires $O(1)$ scalar multiplication operations and $O(1)$ exponentiation operations in each partial private key query. In each user key query, $B$ requires $O(n)$ scalar multiplication operations and $O(1)$ exponentiation operations. $B$ requires $O(n+l)$ scalar multiplication operations an $O(1)$ exponentiation operations in each signing query. Therefore, the total running time required for $B$ is

$\displaystyle t^{\prime}=t^{\prime\prime}=t+O(q_{E}+nq_{K}+nq_{S}+lq_{S})\tau_% {1}+O(q_{E}+q_{K}+q_{S})\tau_{2}.$

Here, $\tau_{1}$ and $\tau_{2}$ are the computational costs of a scalar multiplication operation and an exponentiation operation, respectively.

.

Let the CDH assumption hold in $G$ for $(t^{\prime},\varepsilon^{\prime})$ and the CRH assumption hold for $(t^{\prime\prime},\varepsilon^{\prime\prime})$ . Then, our CLS scheme in the ROM is strongly unforgeable against Type2 adversary $A_{2}$ for $(t,\varepsilon,q_{K},q_{S})$ . Concretely, if $A_{2}$ can break our scheme with an advantage $\varepsilon$ , within running time $t$ , who makes at most $q_{K}$ user key queries and $q_{S}$ signing queries, then we have

$\displaystyle\varepsilon^{\prime}\geqslant\frac{1}{8q_{K}q_{S}(l+1)}% \varepsilon,\varepsilon^{\prime\prime}\geqslant\frac{1}{2}\varepsilon;$ $\displaystyle t^{\prime\prime}=t^{\prime}=t+O(q_{E}+nq_{K}+nq_{S}+lq_{S})\tau_% {1}+O(q_{E}+q_{K}+q_{S})\tau_{2}.$

Here, $\tau_{1}$ and $\tau_{2}$ are the computational costs of a scalar multiplication operation and an exponentiation operation in $G$ , respectively.

Proof. It is enough to prove that if Type2 adversary $A_{2}$ can forge a valid signature, then there is an algorithm $B$ to solve the CDH problem or to find a collision of hash functions. Given a random instance $(g,g^{a},g^{b})$ of the CDH problem, the algorithm $B$ is asked to compute $g^{ab}$ . In order to use Type2 adversary $A_{2}$ to solve the problem above, the algorithm $B$ should simulate the KGC and all queries of Type2 adversary $A_{2}$ as follows.

Setup: The algorithm $B$ randomly chooses $\alpha\in Z_{p}^{\ast}$ and sets $g_{1}=g^{\alpha}$ , $g_{2}=g^{b}$ . It computes the master key $\textit{msk}=g_{2}^{\alpha}$ and sends it to $A_{2}$ secretly. Since $A_{2}$ knows the master key, the settings of parameters $x^{\prime},x_{i},k_{i},l_{v}$ are omissible and the computation of $F(\vec{v})$ is omissible. The rest of parameters and functions settings are accord with settings in Theorem 1. The algorithm $B$ publishes the parameters.

Query-User-Key: $B$ maintains two list $L_{0},L_{1}$ with tuples $(\textit{ID},D_{\textit{ID}})$ and $(\textit{ID},x,P_{\textit{ID}},S_{\textit{ID}})$ , respectively, which is initially empty. It randomly selects a target user $\textit{ID}^{\prime}$ , set $P_{\textit{ID}^{\prime}}=g^{a}$ and adds to $(\textit{ID},\perp,P_{\textit{ID}^{\prime}},\perp)$ in the list $L_{1}$ . When $A_{2}$ makes this query for the private key of ID, if $\textit{ID}=\textit{ID}^{\prime}$ , $B$ aborts. Otherwise, $B$ looks up the list $L_{1}$ . $B$ returns $S_{\textit{ID}}$ to $A_{2}$ , if the list $L_{1}$ contains ID. Otherwise, $B$ creates $(\textit{ID},x,P_{\textit{ID}},S_{\textit{ID}})$ . It returns $S_{\textit{ID}}$ to $A_{2}$ and adds to the tuples $(\textit{ID},x,P_{\textit{ID}},S_{\textit{ID}})$ in the list $L_{1}$ . When $A_{2}$ makes this query for the public key of ID, if $\textit{ID}=\textit{ID}^{\prime}$ , $B$ returns $P_{\textit{ID}^{\prime}}$ to $A_{2}$ . Otherwise, $B$ answers queries Similar to the answer for the private key of ID.

Query-Signature: When $A_{2}$ makes this query on $(\textit{ID},M)$ , $B$ randomly selects $r_{m}\in Z_{p}^{\ast}$ . $B$ inquires Random Oracle on ID and gets its answer $\vec{v}=H_{1}(\textit{ID})$ . Similarly, $B$ gets $\overrightarrow{vs}=H_{2}(P_{\textit{ID}})$ , $\overrightarrow{vm}=H_{3}(M)$ , $h=H_{4}(M,g^{r_{m}})$ .

It computes $Q\left(\overrightarrow{vs}\right)$ , $R\left(\overrightarrow{vs}\right)$ , $K\left(\overrightarrow{vm}\right)$ , $L\left(\overrightarrow{vm}\right)$ . If $K\left(\overrightarrow{vm}\right)=0\text{ mod }l_{m}$ , $B$ aborts. Otherwise, $B$ considers the following cases.

(1)
When $\textit{ID}=\textit{ID}^{\prime}$ , $B$ runs the partial private key generation algorithm to get $D_{\textit{ID}}=(D_{1},D_{2})$ , and adds to it in the list $L_{0}$ . Then, $B$ can create a signature $\sigma$ on $(\textit{ID},M)$ and returns it to $A_{2}$ , where

$\displaystyle\sigma=(\sigma_{1},\sigma_{2},\sigma_{3})=\left(D_{1}^{h}\left(P_% {\textit{ID}^{\prime}}\right)^{R\left(\overrightarrow{vs}\right)-\frac{L\left(% \overrightarrow{vm}\right)Q\left(\overrightarrow{vs}\right)}{K\left(% \overrightarrow{vm}\right)}}T^{r_{m}},D_{2}^{h},g^{r_{m}}g_{1}^{-\frac{h}{K% \left(\overrightarrow{vm}\right)}}\left(P_{\textit{ID}^{\prime}}\right)^{-% \frac{Q\left(\overrightarrow{vs}\right)}{K\left(\overrightarrow{vm}\right)}}% \right).$

It can be verified that $\sigma$ is valid.
(2)
When $\textit{ID}\neq\textit{ID}^{\prime}$ , $B$ can creates a signature $\sigma$ on $(\textit{ID},M)$ regularly and returns it to $A_{2}$ .

Forge: Finally, when $A_{2}$ forges a valid signature $(\textit{ID}^{\ast},M^{\ast},\sigma^{\ast})$ , $B$ should consider two cases.

Case 1. When $(\textit{ID}^{\ast},M^{\ast})$ has not appeared in the signing queries, if $\textit{ID}^{\ast}\neq\textit{ID}^{\prime}$ , $B$ aborts. Otherwise, $B$ looks up the list $L_{1}$ to get the public key $P_{\textit{ID}^{\ast}}=P_{\textit{ID}^{\prime}}=g^{a}$ of $\textit{ID}^{\ast}$ . $B$ inquires Random Oracle on ID and gets its answer $\vec{v}^{\ast}=H_{1}(\textit{ID}^{\ast})$ . Similarly, $B$ gets $\vec{v}^{\ast}=H_{1}(\textit{ID}^{\ast})$ , $\overrightarrow{vs}^{\ast}=H_{2}(P_{\textit{ID}^{\ast}})$ , $\overrightarrow{vm}^{\ast}=H_{3}(M^{\ast})$ . $B$ computes $Q\left(\overrightarrow{vs}^{\ast}\right)$ , $K\left(\overrightarrow{vm}^{\ast}\right)$ , $L\left(\overrightarrow{vm}^{\ast}\right)$ . If $K\left(\overrightarrow{vm}^{\ast}\right)=0\text{ mod }p$ , $Q\left(\overrightarrow{vs}^{\ast}\right)\neq 0\text{ mod }p$ , $B$ can compute $g^{ab}$ as follows.

$\displaystyle\left(\frac{\sigma_{1}^{\ast}}{g_{2}^{\alpha h^{\ast}}\sigma_{2}^% {U}P_{\textit{ID}^{\ast}}^{R\left(\overrightarrow{vs}^{\ast}\right)}(\sigma_{3% }^{\ast})^{L\left(\overrightarrow{vm}^{\ast}\right)}}\right)^{Q\left(% \overrightarrow{vs}^{\ast}\right)^{-1}}$ $\displaystyle=\left(\frac{g_{2}^{\alpha h^{\ast}+r_{v}Uh^{\ast}}g_{2}^{aQ\left% (\overrightarrow{vs}^{\ast}\right)}g^{aR\left(\overrightarrow{vs}^{\ast}\right% )}g_{2}^{K\left(\overrightarrow{vm}^{\ast}\right)r_{m}^{\ast}}g^{L\left(% \overrightarrow{vm}^{\ast}\right)r_{m}^{\ast}}}{g_{2}^{\alpha h^{\ast}+r_{v}h^% {\ast}U}g^{aR\left(\overrightarrow{vs}^{\ast}\right)}g^{L\left(\overrightarrow% {vm}^{\ast}\right)r_{m}^{\ast}}}\right)^{Q\left(\overrightarrow{vs}^{\ast}% \right)^{-1}}=g_{2}^{a}=g^{ab}.$

Otherwise, $B$ aborts.

Case 2. When $(\textit{ID}^{\ast},M^{\ast})$ has appeared in the signing queries, we can consider the situation similar to Theorem 1. Similar to the proof of Theorem 1, we can conclude that

$\displaystyle\varepsilon^{\prime}\geqslant\left(1-\frac{q_{S}}{l_{m}}\right)% \left(1-\frac{1}{l_{S}(n+1)}\right)\frac{1}{l_{m}(l+1)}\frac{1}{q_{K}}% \varepsilon\geqslant\frac{1}{8q_{K}q_{S}(l+1)}\varepsilon;\varepsilon^{\prime% \prime}=P\left(\wedge_{j=1}^{q_{M}}Y_{j}\right)\varepsilon\geqslant\left(1-% \frac{q_{S}}{l_{m}}\right)\varepsilon=\frac{1}{2}\varepsilon.$ $\displaystyle t^{\prime}=t^{\prime\prime}=t+O(nq_{K}+nq_{S}+lq_{S})\tau_{1}+O(% q_{K}+q_{S})\tau_{2}.$

Table 1
Properties comparing of several CLS schemes

Yuan et al.’s Li et al.’s Ours

Signing algorithm $9\tau_{e}$ $4\tau_{e}$ $4\tau_{e}$

Verifying algorithm $7\tau_{\rho}$ $3\tau_{\rho}+\tau_{e}$ $3\tau_{\rho}+2\tau_{e}$

Against Type1 adversary No No Yes

Against Type2 adversary Yes No Yes

Security properties existential unforgeability existential unforgeability strong unforgeability

4. Conclusions

	Yuan et al.’s	Li et al.’s	Ours
Signing algorithm	$9\tau_{e}$	$4\tau_{e}$	$4\tau_{e}$
Verifying algorithm	$7\tau_{\rho}$	$3\tau_{\rho}+\tau_{e}$	$3\tau_{\rho}+2\tau_{e}$
Against Type1 adversary	No	No	Yes
Against Type2 adversary	Yes	No	Yes
Security properties	existential unforgeability	existential unforgeability	strong unforgeability

We construct a CLS scheme in the ROM, which is strongly unforgeable against both Type1 and Type2 adversaries. To demonstrate the advantage of our scheme, we compare with the scheme of Yuan et al. and Li et al. Since $e(g_{1},g_{2}),e(S,P_{\textit{ID}})$ can be computed in advance, the computational costs of this part in verifying algorithm is ignored. Let $\tau_{e}$ denote the computational cost of an exponentiation operation in $G$ or $G_{1}$ . Let $\tau_{\rho}$ denote the computational cost of a bilinear pairing operation. From Table 1, compared with the scheme of Yuan et al., we conclude that our scheme enjoys higher computational efficiency because of less exponentiation operations in signing algorithm and less bilinear pairing operations in verifying algorithm. Since our scheme is strongly unforgeable, compared with the scheme of Yuan et al. and Li et al., we conclude that our scheme enjoys better security property. Moreover, the scheme of Li et al. and our scheme have $3|G|$ signature length. However, compared with the scheme of Li et al. which requires $5\tau_{e}$ in key generation algorithm, our scheme requires $3\tau_{e}$ in key generation algorithm which has better performance.

Footnotes

Acknowledgments

The authors would like to thank the Provincial Nature Science Research Project (KJ2015A161; 2014KJ004) and Provincial Quality Project (2015GXK041; 2015JYXM25) for financial support.

References

Al-Riymi

S.S.

and Paterson

K.G.

, Certificateless public key cryptography, in: Proceedings of the Asiacypt’2003, 2003, pp. 452–473.

Huang

X.Y.

Susilo

et al., On the security of certificateless signature schemes from Asiacypt 2003, in: Proceedings of the CANS’2005, 2005, pp. 13–45.

B.C.

Wong

D.S.

Zhang

Z.F.

et al., Key replacement attack against a generic construction of certificateless signature, in: Proceedings of the ACISP’2006, 2006, pp. 235–246.

Huang

X.Y.

Susilo

et al., Certificateless signature revisited, in: Proceedings of the ACISP’2007, 2007, pp. 308–322.

Shim

, Breaking the certificateless signature scheme, Information Science 179 (2009), 303–306.

Tso

and Huang

X.Y.

, Efficient and short certificateless signature scheme, in: Proceedings of the CANS’2008, 2008, pp. 64–79.

Wang

S.B.

Liu

W.H.

and Xie

, Certificateless signature scheme without bilinear pairing, Journal on Communications 33 (2012), 93–98.

Wang

Y.F.

and Zhang

R.Z.

, Strongly secure certificateless signature scheme without bilinear pairing, Chinese Journal of Journal on Communications 34 (2013), 94–99.

Bellare

Boldyreva

and Palacio

, A uninstantiable random oracle-model scheme for a hybrid-encryption problem, in: Proceedings of the Eurocrypt’2004, 2004, pp. 171–188.

10.

Liu

J.K.

M.H.

and Susilo

, Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model, in: Proceedings of the ASIACCS’2007, 2007, pp. 273–283.

11.

Xiong

Qin

and Li

, An improved certificateless signature scheme in the standard model, Fundamental Informaticae 88 (2008), 193–206.

12.

Yuan

Tian

et al., Certificateless signature scheme without random oracle, in: Proceedings of ISA’2009, 2009, pp. 31–40.

13.

Xia

C.X.

and Yu

, Key replacement attack on two certificateless signature scheme without random oracles, Key Engineering Materials (2012), 439–440.

14.

Y.Q.

J.G.

and Zhang

Y.C.

, Certificateless signature scheme without random oracles, Journal on Communications 36 (2015), 1–10.

15.

Cheng

Wen

Jin

Z.P.

et al., On the security of a certificateless signature scheme in the standard model, Cryptology ePrint Archieve, Report 2013, 153.

16.

Zhang

J.H.

, A verifiably encypted signature scheme with strong unforgeability, in: INFOSCALE2007, 2007, pp. 935–938.

17.

Wang

et al., Improved certificateless signature scheme provably secure in the standard model, IET Information Security 6 (2012), 102–110.

18.

Kumbhakar

, Condensed matrix method for implicit type scheme in imaginary distance beam propagation method, J Comput Methods Sci Eng 8 (2008), 139–146.

19.

Mukhopadhyay

Ghosh

and Debnath

, A new framework for an efficient ticket booking scheme based on mechanism design, J Comput Methods Sci Eng 12(Suppl 1) (2012), S13–S27.