Efficient and secure pairing-free certificateless strong key-insulated signature scheme

Abstract

Public Key Cryptosystem (PKC) is playing an important role in providing security services in many applications and hence gained a wide reorganization. The security of this cryptosystem completely relies on the user’s secret key. However, leakage of secret key makes the system insecure. To avoid the damage caused by the leakage of secret key, Key-insulation mechanism was introduced. This technique works with the help of a secure device by updating the secret key in regular time intervals. Certificateless cryptosystem alleviates the heavy certificate management problems in traditional Public Key Infrastructure and eliminates the key escrow problem in Identity based cryptosystem. To integrate the advantages of both certificateless cryptosystem and key insulation technique, certificateless key insulated cryptosystems have been introduced. Recently many certificateless key insulated signature (CLSKIS) schemes have been proposed in literature; however, majority of the CLSKIS schemes are designed in pairing based background, where heavy bilinear pairing operations are involved. This heavy pairing operation causes the schemes to be insignificant in practice. In order to reduce the computational and communication costs and to handle the secret key leakage problems in certificateless signature schemes, we propose a new strong key insulated certificateless signature scheme in pairing free environment. Efficiency analysis confirms that the proposed scheme is more efficient than the existing schemes.

Keywords

Certificateless signature scheme key insulation mechanism random oracle security model and elliptic curve discrete logarithm problem

1. Introduction

Digital signatures are the most important cryptographic primitive enabled by Public Key Cryptography (PKC) and are building blocks of many applications like, e-commerce, e-auction, e-voting, web browsing etc, by providing the authentication and integrity of data. Many signature schemes and their variants have been proposed in traditional and other cryptographic settings. The concept of PKC was proposed by Diffe and Hellman [8] in 1976, in which the user’s public key independent of the user’s identity. A certificate authority (CA) is needed to bind the public key and the user’s identity. But certificate management leads to additional storage and requires more computation and communication costs due to transmitting and verifying of certificates. To overcome such difficulties in traditional PKC, in 1984, Shamir introduced the concept of Identity-based PKC (ID-PKC) which avoids the problems in traditional PKC. In ID-PKC, the user’s private key is derived from the user’s identity and is generated by a trusted third party called Private Key Generator (PKG). However, the key escrow problem is inherent in ID-PKC. i.e. the trusted third party who knows user’s secret key can impersonate the user. To overcome afore mentioned difficulties in PKC and ID-PKC, in 2003, Al-Riyami and Paterson [1] proposed a new setting known as Certificateless base Public Key Cryptography (CL-PKC). In this system, the full private key of a user is divided into two parts. The first part, called partial private key, is controlled by a Key Generator Centre (KGC). The second part is chosen by the user himself and remains secret to the KGC. Therefore, to discuss the security issues of CL-PKC, there are two types of attacks, depending on which part of the private key is compromised.

The security of PKC lies on the assumption that the private keys in the system are secure. The leakage or exposure of the private key is the most devastating problem against the security of PKC and leads to the failure of the cryptographic scheme. To deal with the key exposure problem, the most common methods are secret sharing, threshold cryptography, proactive cryptography, key-evolving mechanism, forward security, intrusion resilience etc. However, key insulation mechanism introduced by Dodis et al. [10] (2002, Amsterdam) is efficient to minimize the damage caused by private key exposure. In Key-Insulated Signature (KIS) schemes, the lifetime of temporary signing key is divided in to discrete time periods. For each time period, a user can periodically update his private key by interacting with the helper and maintains the same public key for the entire life period. Clearly, the helper plays an important role in protecting the user device against key exposure. The exposure of the user’s temporary secret keys at some time periods will not allow an adversary to derive the temporary secret keys for the remaining time periods. Thus, the problem of private key leakages can be effectively mitigated. A KIS scheme is secure if the master key is stored in helper device. However, in identity based setting, it is important to consider that the helper key exposure i.e., an adversary can forge a signature on behalf of the user whose helper is untrustworthy. To deal this problem, Dodis et al. [9] (2002) presented a strong key insulation mechanism to provide a security against the leakage of signing key or the leakage of master key. So that strong KIS is more secure than a KIS scheme. Many KIS schemes based on various cryptosystems have been proposed in the literature. In this paper, to integrate the advantage of CL-PKC and KIS, we propose a novel cerrtificateless key insulated signature (CLKIS) scheme.

1.1 Related work

After the introduction of the first KIS scheme by Dodis et al. [9] (2002, Miami), a number of KIS schemes were proposed on PKI and Identity-based setting in the literature [2, 5, 6, 11, 19, 21, 22, 25, 27, 28, 30]. But these schemes are suffering with certificate management and/or key escrow problems. To overcome these problems, in 2009, Wan et al. [20] proposed a first pairing based cerrtificateless key insulated signature (CLKIS) scheme. Since than many variants of certificateless schemes were proposed in the literature [7, 12, 13, 14, 17, 23, 24, 26, 29]. In 2011, Wan et al. [23] proposed a strong CLSKIS scheme. In the same year, Wan et al. [24] proposed another strong CLSKIS scheme using pairings in random oracle security model. In 2014, Sun et al. [17] proposed a pairing free and revocable certificateless signature against signing key exposure. In 2015, Chen et al. [7] proposed a strongly secure CLSKIS scheme in standard model. However, in the same year Wang et al. [26] presented a security analysis on Chen et al. [7] scheme. In 2015, Lu et al. [14] presented the cryptanalysis of Wan et al.’s schemes [20, 23] by pointing some security drawbacks and proposed an improved CLSKIS scheme in standard model. But most of these schemes are based on an expensive cryptographic operation called bilinear pairing. This leads to high computational cost. To improve the computational efficiency, it is desirable to construct CLSKIS schemes in pairing free environment.

1.2 Motivation

In any PKC, the level of security is directly related to key length. Larger key size provides more security for PKC. However, larger key size needs more computational power and bandwidth which decreases the performance of system. Thus cryptographic schemes with smaller key size are desirable. To meet this requirement, Elliptic Curve Cryptography (ECC) has been developed with advantages over PKC. For example, key size of 160-bit ECC has equivalent security level with 1024-bit RSA. But, the implementation of cryptographic schemes with pairings over elliptic curves is more expensive and hence it is difficult to adopt the cryptographic schemes in recourse constrained devices. In view of this, ECC based schemes without pairings operations would be more attractive for resource constrained devices.

1.3 Our contributions

This paper presents a Pairing Free Certificateless Key Insulated Signature (PF-CLSKIS) scheme over elliptic curves. To the best of our knowledge, this is the first PF-CLSKIS scheme on elliptic curves without using bilinear pairings. The proposed PF-CLSKIS scheme solves the key exposure problem in pairing free CLS scheme. This scheme achieves strong key insulation property and updates the key securely. The proposed scheme is unforgeable in the ROM model under the assumption of ECDLP is hard to solve. The comparative analysis of our scheme with related CLSKIS schemes shows that the proposed PF-CLSKIS scheme enjoys computational efficiency and less bandwidth. Due to the computational and communicational efficiency, our scheme can be easily adoptable for resource constrained devices.

1.4 Organization

The rest of the paper is arranged as follows. In Section 2 we presented some preliminaries. We presented the frame work and security model for our PF-CLSKIS scheme in Section 3. The proposed PF-CLSKIS scheme and its security analysis are presented in Section 4. Efficiency analysis and some potential applications of our PF-CLSKIS scheme are discussed in Section 5. Conclusions of the paper are presented in Section 6.

Figure 1.

Principle of key insulated mechanism.

2. Preliminaries

In this section, first we briefly describe the fundamental back ground on elliptic curve and mathematical assumption on which the proposed scheme is designed.

2.1 Preliminaries

2.1.1 Elliptic Curve Group

ECC plays a very important role in modern cryptography. In the following we present some facts about elliptic curves and ECDLP.

Let $E_{q}(a,b)$ be a set of elliptic curve points over the prime field $F_{q}$ , defined by the non-singular elliptic curve equation: $y^{2}\bmod q=(x^{3}+ax+b)\bmod q$ with $a,b\in F_{q}$ and $(4a^{3}+27b^{2})\bmod q\neq$ 0. The set $G_{q}=\{(x,y):x,y\in F_{q}\}$ and $(x,y)\in E_{q}(a,b)\cup\{O\}$ is additive cyclic group, where the point $O$ is known as “point at infinity”. The order of the elliptic curve over $F_{q}$ is $O(E(F_{q}))$ satisfies the relation $1-2\sqrt{q}\leqslant O(E(F_{q}))\leqslant q+1$ . The scalar multiplication in $G_{q}$ is defined as $kP=P+P+\ldots P$ ( $k$ times). Here $P\in G_{q}$ is the generator of order $n$ .

2.1.2 Elliptic Curve Discrete Logarithm Problem (ECDLP)

For a given tuple $P,Q\in G$ , ECDLP is to find the value $a\in Z_{q}^{*}$ such that $Q=aP$ .

The notations and their meanings which we used in this paper are presented in Table 1.

Table 1
Notations and their meanings

Notation	Meaning
$n,s,v_{\textit{ID}}$	Security parameter, master secret key and helper secret key of the system generated by KGC
Params	System Parameter
Msk	Master secret key
Hsk	Helper secret key
$P_{\textit{Pub}},V_{\textit{ID}}$	Master public key and Master helper key of the system
$G$	Additive cyclic group of prime order $q$
$H_{1},H_{2},H_{3},H_{4},H_{5}$	Cryptographic one way hash functions
$\textit{TSK}_{\textit{ID},0},\textit{TSK}_{\textit{ID},t}$	Initial signing key and temporary signing key respectively
$\textit{UHK}_{\textit{ID},t,t-1}$	Updated helper key
$t,t-1$	Time period indices
KGC	Key Generation Centre
$\textit{Adv}_{1}$	Type-I adversary of PF-CLSKIS scheme
$\textit{Adv}_{2}$	Type-II adversary of PF-CLSKIS scheme
$\xi$	Challenger
$\sigma_{\textit{ID}}$	Signature on a message
ECDLP	Elliptic Curve Discrete Logarithm Problem
NGBDHP	Non pairing-based generalized bilinear Diffie-Hellman Problem
Squ-CDHP	Square Computational Diffie-Hellman Problem
CDHP	Computational Diffie-Hellman Problem

3. Framework and security model of PF-CLSKIS scheme

3.1 Scheme framework

A CLSKIS scheme consists of the following eight polynomial time algorithms.

1)
Setup: On input a security parameter $n\in Z^{+}$ , total time periods; KGC run this algorithm and outputs the system parameters params and master secret key (Msk) $s$ . KGC publishes params and keeps $s$ secretly.
2)
Partial secret key generation: On input the params, Msk and a users identity ID, KGC run this algorithm to generate partial secret key $d_{\textit{ID}}$ .
3)
User key generation: User run this algorithm by taking params, identity ID as input and outputs the users public and private key pair ( $\textit{PK}_{\textit{ID}}$ , $\textit{SK}_{\textit{ID}}$ ).
4)
Initial key generation: On input the params, identity ID, users public and private key pair $(\textit{PK}_{\textit{ID}},\textit{SK}_{\textit{ID}})$ , user run this algorithm to generate the initial signing key $\textit{TSK}_{\textit{ID},0}$ and helper secret key (Hsk) $v_{\textit{ID}}$ .
5)
Helper key update: On input the params, identity of the user ID, Hsk, time period indices $t,t-1$ , this algorithm run by the helper and produces an updated helper key $\textit{UHK}_{\textit{ID},t,t-1}$ .
6)
User key update: On input the initial signing key $\textit{TSK}_{\textit{ID},t-1}$ for $t-1$ , updated helper key $\textit{UHK}_{\textit{ID},t,t-1}$ for the time period indices $t,t-1$ , user run this algorithm and produces a users temporary signing key $\textit{TSK}_{\textit{ID},t}$ for the time period $t$ .
7)
Signature generation: On input the params, message $m\in\{0,1\}^{}$ , time period $t$ , Signer/user identity ID, temporary signing key $\textit{TSK}_{\textit{ID},t}$ ; signer/ user run this algorithm and produce a signature $\Omega_{\textit{ID}}$ for the time period $t$ .
8)
Signature verification: This algorithm is run by any verifier with the inputs $(m,t,\Omega_{\textit{ID}})$ , prams* and the signers’ identity ID; and returns 1 if the signature $\Omega_{\textit{ID}}$ is valid; otherwise it returns 0.

3.2 Security model of CLSKIS scheme

For any CLS scheme, depending on the adversary’s behaviour, we classify the adversary in to two types, namely Type I and Type II [1].

1)
Type I adversary: Public Key Replacement Attack: The adversary cannot access master secret key but can compromise user’s secret value or capable to replace the public key of any user with a value of his choice.
2)
Type II adversary: Malicious KGC Attack: The adversary can access master secret key but cannot replace the public key of any user.

Similar to Dodis et al. (2002) [9] and Wan et al. (2011) [24], we formalize the security notions for our PF-CLSKIS scheme by the following Game 1 and Game 2. Here $\textit{Adv}_{1}$ is a Type-I adversary and $\textit{Adv}_{2}$ is a Type-II adversary.

Game 1 is the adversarial game used to define the key insulation security. This is played between the Challenger and adversary and simulates the normal key exposure attacking model, in which an adversary does not know any user’s helper key, but can compromise any user’s temporary signing key at some time periods.

Game 2 describes the Strong key insulated security and is played between Challenger and adversary ( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ). In Game 1, adversary compromises any users temporary signing key at some time period but not users helper key. In Game 2, we consider case that the helper is malicious; that is adversary can access any user’s helper key including target identity but not compromise the user’s temporary signing key for any time period.

In the following, the key insulation security with existential unforgeability of our PF-CLSKIS scheme is defined by the two adversarial games Game 1 and Game 2.
3.2.1 Game 1: Perfect key insulation (for the adversary Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ))

Setup: The challenger $\xi$ executes this algorithm to produce params, Msk and gives params to the Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ). The Msk will be kept secretly by the challenger $\xi$ itself in case of Type-I adversary $\textit{Adv}_{1}$ . Otherwise, $\xi$ gives Msk to $\textit{Adv}_{2}$ .

Queries phase: During this phase, Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ) makes the following queries adaptively.

$O^{\textit{Partial Secret Key}}$ : When $\textit{Adv}_{1}$ makes this query on ID, $\xi$ runs the Partial Secret Key Generation algorithm and produce the partial secret key and returns to $\textit{Adv}_{1}$ (Note that this oracle is only for Type-I adversary).

$O^{\textit{Create User}}$ : When Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ) performs this query on ID, $\xi$ runs the User key generation algorithm and produce the public key $\textit{PK}_{\textit{ID}}$ and returns the same to Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ).

$O^{\textit{Secret Key}}$ : When Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ) makes this query on ID, $\xi$ runs the User key generation algorithm and produce the users secret key $x_{\textit{ID}}$ and sends to Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ). In case of Type-I adversary, if users public key is replaced then $\xi$ aborts this oracle.

$O^{\textit{Rplc Public Key}}$ : $\textit{Adv}_{1}$ can replace current $\textit{PK}_{\textit{ID}}$ with other $\textit{PK}^{\prime}_{\textit{ID}}$ by giving ID and valid $\textit{PK}^{\prime}_{\textit{ID}}$ (Note that this oracle is only for Type-I adversary).

$O^{\textit{Temp Sign Key}}$ : When Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ) makes this query on (ID, $t$ ), $\xi$ runs the User key update algorithm and produce the temporary signing key $\textit{TSK}_{\textit{ID},t}$ for the time period t and sends it to Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ).

$O^{\textit{Sign}}$ : When Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ) makes this query on (ID, $m$ , $t$ ), $\xi$ produce and the valid signature $\Omega_{\textit{ID}}$ on message $m$ by ID as answer by executing the Signature generation algorithm.

Forgery phase: Once Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ) completes the “Query-Answer” phase, it produces a forgery ( $\textit{ID}^{*}$ , $m^{*}$ , $t^{*}$ , $\Omega_{\textit{ID}}^{*}$ ) and the following conditions hold.

(i)
$\textit{Adv}_{1}$ can never make $O^{\textit{Partial Secret Key}}$ queries on $\textit{ID}^{}$ (For Type-I adversary)
(ii)
$\textit{Adv}_{2}$ can never make $O^{\textit{Secret Key}}$ queries on $\textit{ID}^{}$ (For Type-II adversary)
(iii)
Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ) can never make $O^{\textit{Temp Sign Key}}$ queries on ( $\textit{ID}^{}$ , $t^{}$ ), and $O^{\textit{Sign}}$ queries on ( $\textit{ID}^{}$ , $m^{}$ , $t^{}$ )
(iv)
$\Omega_{\textit{ID}}^{}$ is a valid signature.

Definition 1. A PF-CLSKIS scheme is perfectly key insulated and existential unforgeable if thereexists no PPT adversary with non-negligible advantage in Game 1.
3.2.2 Game 2: Strong key insulation (For the adversary Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ))

Setup phase: This algorithm is run by the challenger $\xi$ to generate params, Msk and gives params to the Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ). The Msk will be kept secretly by the challenger $\xi$ itself in case of Type-I adversary $\textit{Adv}_{1}$ . Otherwise, $\xi$ gives Msk to $\textit{Adv}_{2}$ .

Queries phase: In this phase, challenger will answer the following adaptive queries issued by Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ) as follows.

In this phase, oracles $O^{\textit{Partial Secret Key}}$ , $O^{\textit{Create User}}$ , $O^{\textit{Secret Key}}$ , $O^{\textit{Rplc Public Key}}$ , $O^{\textit{Sign}}$ are same as in Game 1. The only difference is the adversary Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ) cannot make any $O^{\textit{Temp Sign Key}}$ Query in Game 2 but can adaptively ask the $O^{\textit{Helper Key}}$ Query as follows.

$O^{\textit{Helper Key}}$ : When Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ) asks this query on ID, $\xi$ runs the Partial secret key generation algorithm and User key generation algorithm followed by Initial key generation algorithm and generates the helper secret key (Hsk) on ID and returns this value to Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ).

Forgery phase: Finally Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ) out puts a forgery $\textit{ID}^{*}$ , $m^{*}$ , $t^{*}$ , $\Omega_{\textit{ID}}^{*}$ ) for a time period $t^{*}$ and win the game if the following conditions are satisfied simultaneously.

(i)
$\textit{Adv}_{1}$ has never queried $O^{\textit{Partial Secret Key}}$ on $\textit{ID}^{}$ (For Type-I adversary)
(ii)
$\textit{Adv}_{2}$ has never queried $O^{\textit{Secret Key}}$ on $\textit{ID}^{}$ (For Type-II adversary)
(iii)
Adv( $\textit{Adv}_{1}$ or $\textit{Adv}_{2}$ ) can never make $O^{\textit{Sign}}$ queries on ( $\textit{ID}^{}$ , $m^{}$ , $t^{}$ )
(iv)
$\Omega_{\textit{ID}}^{}$ is a valid signature.

Definition 2. A PF-CLSKIS scheme is strong key insulated and existential unforgeable if no polynomial time adversary has a non-negligible advantage in Game 2.

As in Dodis et al. [9, 10], we present the following definition 3 for the security notion of secure key updates in KIS schemes.

Definition 3. A PF-CLSKIS scheme has secure key-updates if the view of any adversary Adv making a key update exposure at $(t,t-1)$ can be perfectly simulated by an adversary $\textit{Adv}^{\prime}$ making Key Extraction Oracle queries of Game 1 at periods $t-1$ and $t$ .
4. Proposed PF-CLSKIS Scheme

In this section, we present our efficient PF-CLSKIS scheme and its security.

4.1 Proposed Scheme

The proposed PF-CLSKIS scheme consists of the following 8 algorithms.

1)
Setup: On input the security parameter $n\in Z^{+}$ , KGC run this algorithm by selecting an elliptic curve group $G$ of prime order $q$ , with a generator $P$ , and hash functions $H_{i}$ : $\{0,1\}^{}\to Z_{q}^{}$ for $i=1,2,3,4,5$ . KGC selects a random $s\in Z_{q}^{}$ as the Msk, sets $P_{\textit{pub}}=sP$ and publishes the system parameters as $\textit{Params}=\{q,G,P,P_{\textit{pub}},H_{1},H_{2},H_{3},H_{4},H_{5}\}$ and keeps ‘ $s$ ’ secretly.
2)
Partial secret key generation: For a given identity $\textit{ID}_{i}$ , and params, the KGC selects $r_{\textit{ID}}\in Z_{q}^{}$ randomly, computes $R_{\textit{ID}}=r_{\textit{ID}}P$ , $h_{1\textit{ID}}=H_{1}(\textit{ID},R_{\textit{ID}},P_{\textit{pub}}$ ) and $d_{\textit{ID}}=r_{\textit{ID}}+sh_{1\textit{ID}}\bmod q$ . KGC returns the partial secret key $D_{\textit{ID}}=(d_{\textit{ID}},R_{\textit{ID}})$ securely to the user. The user verifies the equation $d_{\textit{ID}}P=R_{\textit{ID}}+h_{1\textit{ID}}P_{\textit{pub}}$ to check the validity of $D_{\textit{ID}}$ .
3)
User key generation: A user with identity ID, chooses a secret value $x_{\textit{ID}}\in Z_{q}^{}$ randomly and computes $X_{\textit{ID}}=x_{\textit{ID}}P$ . Set $\textit{PK}_{\textit{ID}}=(X_{\textit{ID}},R_{\textit{ID}})$ as public key and $\textit{SK}_{\textit{ID}}=(d_{\textit{ID}},x_{\textit{ID}})$ as its secret key.
4)
Initial key generation: User runs this algorithm by taking user’s identity ID, with public key $\textit{PK}_{\textit{ID}}$ and secret key $\textit{SK}_{\textit{ID}}$ and generates the initial signing key as follows.

(i)
User chooses $v_{\textit{ID}}\in Z_{q}^{}$ , and computes $V_{\textit{ID}}=v_{\textit{ID}}P$ , $h_{2}=H_{2}(\textit{ID},\textit{PK}_{\textit{ID}},V_{\textit{ID}})$ and $h_{3}=H_{3}(\textit{ID},V_{\textit{ID}},0)$ and $\textit{ISK}_{\textit{ID},0}=d_{\textit{ID}}+x_{\textit{ID}}H_{2}(\textit{ID},% \textit{PK}_{\textit{ID}},V_{\textit{ID}})+v_{\textit{ID}}H_{3}(\textit{ID},V_% {\textit{ID}},0)$ .
(ii)
User returns the initial signing key as $\textit{TSK}_{\textit{ID},0}=[\textit{ISK}_{\textit{ID},0},V_{\textit{ID}}]$ and the helper secret key $v_{\textit{ID}}$ to physically secure device (securely).

5)
Helper key update: Given a user identity ID, time periods incises $t,t-1$ ; Helper’s physically secure device updates the helper key as follows.

(i)
Compute $V_{\textit{ID}}=v_{\textit{ID}}P$ , and $\textit{UHK}_{\textit{ID},t,t-1}=v_{\textit{ID}}[H_{3}(\textit{ID},V_{\textit{% ID}},t)-H_{3}(\textit{ID},V_{\textit{ID}},t-1)]$ .
(ii)
The device returns the updated Helper key as $\textit{UHK}_{\textit{ID},t,t-1}$ to the user.

6)
User key update: Given a time period ‘ $t$ ’, updated helper key $\textit{UHK}_{\textit{ID},t,t-1}$ and the previous time periods temporary signing key i.e., $\textit{TSK}_{\textit{ID},t-1}=[\textit{ISK}_{\textit{ID},t-1},V_{\textit{ID}}]$ ; the user computes the temporary signing key for the time period ‘ $t$ ’, as follows.

(i)
Set $\textit{ISK}_{\textit{ID},t}=\textit{ISK}_{\textit{ID},t-1}+\textit{UHK}_{% \textit{ID},t,t-1}$
(ii)
User returns the temporary signing key for the time period ‘ $t$ ’, as $\textit{TSK}_{\textit{ID},t}=[\textit{ISK}_{\textit{ID},t},V_{\textit{ID}}]$ .

Note: At the time period ‘ $t$ ’, $\textit{ISK}_{\textit{ID},t}$ is always set to be $d_{\textit{ID}}+x_{\textit{ID}}\cdot H_{2}(\textit{ID},\textit{PK}_{\textit{ID% }},V_{\textit{ID}})+v_{\textit{ID}}\cdot H_{3}(\textit{ID},V_{\textit{ID}},t)$ .
7)
Signature generation: To sign a message $m\in\{0,1\}^{}$ , for a time period ‘ $t$ ’, the signer with temporary signing key $\textit{TSK}_{\textit{ID},t}$ , generates the signature as follows.

(i)
Choose $u_{\textit{ID}}\in Z_{q}^{}$ and compute $U_{\textit{ID}}=u_{\textit{ID}}P$
(ii)
Compute $h_{4}=H_{4}(t$ , $m$ , ID, $\textit{PK}_{\textit{ID}}$ , $V_{\textit{ID}}$ , $U_{\textit{ID}})$ , $h_{5}=H_{5}(t,m,\textit{ID},\textit{PK}_{\textit{ID}},V_{\textit{ID}},U_{% \textit{ID}})$ and $z_{\textit{ID}}=h_{4}\textit{ISK}_{\textit{ID},t}+uh_{5}\bmod q$ .

$\therefore$ The signature on a message ‘ $m$ ’, for an identity ID with time period ‘ $t$ ’ is $\sigma_{\textit{ID}}=(V_{\textit{ID}},U_{\textit{ID}},z_{\textit{ID}})$ , returns $(m,t,\sigma_{\textit{ID}})$ .

8)
Signature verification: Given a user’s identity ID, public key $\textit{PK}_{\textit{ID}}$ and the corresponding signature tuple $(m,t,\sigma_{\textit{ID}})$ ; any verifier can verify the signature as follows.

(i)
Compute $h_{1\textit{ID}}=H_{1}(\textit{ID},R_{\textit{ID}},P_{\textit{pub}})$ , $h_{2}=H_{2}(\textit{ID},\textit{PK}_{\textit{ID}},V_{\textit{ID}})$ , $h_{3}=H_{3}(\textit{ID},V_{\textit{ID}},0)$ , $h_{4}=H_{4}(t,m,\textit{ID},\textit{PK}_{\textit{ID}},V_{\textit{ID}},U_{% \textit{ID}})$ and $h_{5}=H_{5}(t,m,\textit{ID},\textit{PK}_{\textit{ID}},V_{\textit{ID}},U_{% \textit{ID}})$ .
(ii)
Check whether

$\displaystyle\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!z_{\textit{ID}}P-h_{5}U_{% \textit{ID}}=h_{4}[R_{\textit{ID}}+h_{1\textit{ID}}P_{\textit{pub}}+h_{2}X_{% \textit{ID}}+h_{3}V_{\textit{ID}}].$ (1)

4.2 Proof of correctness of the proposed scheme

The correctness of the scheme can be verified as follows.

$\displaystyle z_{\textit{ID}}P-h_{5}U_{\textit{ID}}$ $\displaystyle\quad=[h_{4}\textit{ISK}_{\textit{ID},t}+uh_{5}]P-h_{5}U_{\textit% {ID}}$ $\displaystyle\quad=h_{4}[d_{\textit{ID}}+x_{\textit{ID}}H_{2}(\textit{ID},% \textit{PK}_{\textit{ID}})+$ $\displaystyle\quad\quad v_{\textit{ID}}H_{3}(\textit{ID},V_{\textit{ID}},t)]P-% uPh_{5}-h_{5}U_{\textit{ID}}$ $\displaystyle\quad=h_{4}[R_{\textit{ID}}+h_{1\textit{ID}}P_{\textit{pub}}+h_{2% }X_{\textit{ID}}+h_{3}V_{\textit{ID}}].$

4.3 Security analysis

Theorem 1. The proposed PF-CLKIS scheme is perfectly key insulated and unforgeable against Type 1 adversary $\textit{Adv}_{1}$ in the ROM under ECDLP assumption.

Proof..

Let $\textit{Adv}_{1}$ be a Type-I adversary against the proposed scheme and assume that it can forge a valid signature with non-negligible probability. In the following, we will show how to produce another algorithm $\xi$ which can solve the ECDLP with the help of the adversary $\textit{Adv}_{1}$ , as defined in Game 1. For a given random instance tuple $(P,Q=sP)$ of the ECDLP, the challenger $\xi$ compute $s\in Z_{q}^{*}$ . For the simulation process, $\xi$ takes $\textit{ID}^{*}$ as target identity of $\textit{Adv}_{1}$ on a message $m^{*}$ .

Setup: Challenger $\xi$ sets $P_{\textit{pub}}=Q=sP$ and generates params, and sends params and master public key to $\textit{Adv}_{1}$ and keeps ‘ $s$ ’ secretly.

Queries phase: $\textit{Adv}_{1}$ performs the following queries in an adaptive manner and the algorithm $\xi$ will answer to these queries. To avoid the conflict of simulation, $\xi$ need to maintain the initially empty lists $L_{1}$ , $L_{2}$ , $L_{3}$ , $L_{4}$ , $L_{5}$ , $L_{\textit{PSK}}$ , $L_{\textit{Cuser}}$ , $L_{\textit{TSK}}$ and are used to maintain the track of answers to the queries $H_{1},H_{2},H_{3},H_{4},H_{5}$ and $O^{\textit{Partial Secret Key}},O^{\textit{Create User}}$ , $O^{\textit{Temp Signing Key}}$ respectively.

Queries on oracle $H_{1}$ : $H_{1}(\textit{ID}_{i},R_{i},P_{\textit{pub}})$ : When $\textit{Adv}_{1}$ makes a $H_{1}$ query on the tuple $(\textit{ID}_{i},R_{i},P_{\textit{pub}})$ , $\xi$ will search whether the tuple $(\textit{ID}_{i},R_{i},P_{\textit{pub}},l_{1i})\in L_{1}$ . If such tuple belongs to $L_{1}$ , then $\xi$ returns $l_{1i}$ . Otherwise, $\xi$ chooses a random $l_{1i}\in Z_{q}^{*}$ and adds to $L_{1}$ . Finally, $\xi$ returns $l_{1i}$ .

Queries on oracle $H_{2}$ : $H_{2}(\textit{ID}_{i},\textit{PK}_{i},V_{i})$ : When $\textit{Adv}_{1}$ makes a $H_{2}$ query on the tuple $(\textit{ID}_{i},\textit{PK}_{i},V_{i})$ , $\xi$ will search whether the tuple $(\textit{ID}_{i},\textit{PK}_{i},V_{i},l_{2i})\in L_{2}$ . If such a tuple belongs to $L_{2}$ , then $\xi$ returns $l_{2i}$ . Otherwise, $\xi$ chooses a random $l_{2i}\in Z_{q}^{*}$ and returns $l_{2i}$ . $\xi$ adds $(\textit{ID}_{i},\textit{PK}_{i},V_{i},l_{2i})$ to the list $L_{2}$ .

Queries on oracle $H_{3}$ : $H_{3}(\textit{ID}_{i},V_{i},t_{i})$ : When $\textit{Adv}_{1}$ makes a $H_{3}$ query on the tuple $(\textit{ID}_{i},V_{i},t_{i})$ , $\xi$ will search whether the tuple $(\textit{ID}_{i},V_{i},t_{i},l_{3i})\in L_{3}$ . If such a tuple belongs to $L_{3}$ , $\xi$ returns $l_{3i}$ .Otherwise, $\xi$ chooses a random $l_{3i}\in Z_{q}^{*}$ and returns $l_{3i}$ . $\xi$ adds $(\textit{ID}_{i},V_{i},t_{i},l_{3i})$ to the list $L_{3}$ .

Queries on oracle $H_{4}$ : $H_{4}(t_{i},m_{i},\textit{ID}_{i},\textit{PK}_{i},V_{i},U_{i})$ : When $\textit{Adv}_{1}$ makes a $H_{4}$ query on the tuple ( $t_{i}$ , $m_{i}$ , $\textit{ID}_{i}$ , $\textit{PK}_{i}$ , $V_{i}$ , $U_{i}$ ), $\xi$ will search whether the tuple $(t_{i},m_{i},\textit{ID}_{i},\textit{PK}_{i},V_{i},U_{i},l_{4i})\in L_{4}$ . If such tuple belongs to $L_{4}$ , then $\xi$ gives $l_{4i}$ . Otherwise, $\xi$ chooses a random $l_{4i}\in Z_{q}^{*}$ and returns $l_{4i}$ . Finally, $\xi$ adds $(t_{i},m_{i},\textit{ID}_{i},\textit{PK}_{i},V_{i},U_{i},l_{4i})$ to the list $L_{4}$ .

Queries on oracle $H_{5}$ : $H_{5}(t_{i},m_{i},\textit{ID}_{i},\textit{PK}_{i},V_{i},U_{i})$ : When $\textit{Adv}_{1}$ makes a $H_{5}$ query on the tuple ( $t_{i}$ , $m_{i}$ , $\textit{ID}_{i}$ , $\textit{PK}_{i}$ , $V_{i}$ , $U_{i}$ ), $\xi$ will search whether the tuple ( $t_{i}$ , $m_{i}$ , $\textit{ID}_{i}$ , $\textit{PK}_{i}$ , $V_{i}$ , $U_{i}$ , $l_{5i}$ ) $\in L_{5}$ . If such tuple belongs to $L_{5}$ , then $\xi$ gives $l_{5i}$ . Otherwise, $\xi$ chooses a random $l_{5i}\in Z_{q}^{*}$ and sends $l_{5i}$ to $\textit{Adv}_{1}$ . Finally, $\xi$ adds $(t_{i},m_{i},\textit{ID}_{i},\textit{PK}_{i},V_{i},U_{i},l_{5i})$ to the list $L_{5}$ .

$O^{\textit{Partial Secret Key}}(\textit{ID}_{i})$ : When $\textit{Adv}_{1}$ makes a query on $O^{\textit{Partial Secret Key}}(\textit{ID}_{i})$ , $\xi$ will search whether the tuple $(\textit{ID}_{i},d_{i},\textit{PK}_{i})\in L_{\textit{PSK}}$ . If such tuple belongs to $L_{\textit{PSK}}$ , then $\xi$ returns $d_{i}$ . Otherwise, if $\textit{ID}_{i}\neq\textit{ID}^{*}$ , $\xi$ chooses $a_{i}\in Z_{q}^{*}$ and sets $d_{i}=a_{i}$ and add $(\textit{ID}_{i},d_{i},\textit{PK}_{i})$ to $L_{\textit{PSK}}$ and returns $d_{i}$ , If $\textit{ID}_{i}=\textit{ID}^{*}$ , $\xi$ aborts.

$O^{\textit{Create User}}(\textit{ID}_{i})$ : When $\textit{Adv}_{1}$ makes a query on $O^{\textit{Create User}}(\textit{ID}_{i})$ , the algorithm $\xi$ searches the tuple $(\textit{ID}_{i},x_{i},\textit{PK}_{i})\in L_{\textit{Cuser}}$ . If such tuple belongs to $L_{\textit{Cuser}}$ , then $\xi$ outputs $\textit{PK}_{i}$ . Otherwise, $\xi$ performs the following.

(i)
If $\textit{ID}_{i}\neq\textit{ID}^{}$ , $\xi$ chooses $a_{i},b_{i},x_{i}\in\mathbb{Z}_{q}^{}$ randomly and sets $R_{i}=a_{i}P-b_{i}P_{\textit{pub}}$ , $H_{1}(\textit{ID}_{i}$ , $R_{i}$ , $P_{\textit{pub}})=b_{i}$ and $X_{i}=x_{i}P$ . $\xi$ sets $\textit{PK}_{i}=(X_{i},R_{i})$ and adds $(\textit{ID}_{i},R_{i},P_{\textit{pub}},b_{i})$ to $L_{1}$ and $(\textit{ID}_{i},x_{i},\textit{PK}_{i})$ to $L_{\textit{Cuser}}$ . $\xi$ sends $\textit{PK}_{i}$ to $\textit{Adv}_{1}$ as a response. Clearly the generated tuple $(R_{i},X_{i},h_{1i})$ satisfies the equation $d_{i}P=R_{i}+h_{1i}P_{\textit{pub}}$ .
(ii)
If $\textit{ID}_{i}=\textit{ID}^{}$ , $\xi$ generates three numbers $a_{i},b_{i},x_{i}\in Z_{q}^{}$ and sets $R_{i}=a_{i}P$ , $H_{1}(\textit{ID}_{i}$ , $R_{i}$ , $P_{\textit{pub}})=b_{i}$ and $X_{i}=x_{i}P$ . $\xi$ sets $\textit{PK}_{i}=(X_{i},R_{i})$ and adds $(\textit{ID}_{i},R_{i},P_{\textit{pub}},b_{i})$ to $L_{1}$ and $(\textit{ID}_{i},x_{i},\textit{PK}_{i})$ to $L_{\textit{Cuser}}$ . $\xi$ returns $\textit{PK}_{i}$ to $\textit{Adv}_{1}$ .

$O^{\textit{Secret Key}}(\textit{ID}_{i})$ : When $\textit{Adv}_{1}$ make a query on $O^{\textit{Secret Key}}(\textit{ID}_{i})$ , if $\textit{ID}_{i}=\textit{ID}^{}$ , $\xi$ aborts. Otherwise, if $\textit{ID}_{i}\neq\textit{ID}^{}$ , $\xi$ finds the tuples $(\textit{ID}_{i},x_{i},\textit{PK}_{i})$ , $(\textit{ID}_{i},d_{i},\textit{PK}_{i})$ from $L_{\textit{Cuser}}$ , $L_{\textit{PSK}}$ and returns $SK_{i}=(d_{i},x_{i})$ to $\textit{Adv}_{1}$ . If there is no such tuple in $L_{\textit{Cuser}}$ , $L_{\textit{PSK}}$ , then $\xi$ asks queries on $O^{\textit{Create User}}(\textit{ID}_{i})$ , $O^{\textit{Secret Key}}(\textit{ID}_{i})$ for $x_{i}$ , $d_{i}$ . Finally $\xi$ adds these values to the lists $L_{\textit{Cuser}}$ , $L_{\textit{PSK}}$ respectively and $\xi$ returns $SK_{i}$ to $\textit{Adv}_{1}$ .

$O^{\textit{Rplc Public Key}}(\textit{ID}_{i})$ : When $\textit{Adv}_{1}$ makes a query on $O^{\textit{Rplc Public Key}}(\textit{ID}_{i})$ , $\xi$ finds $(\textit{ID}_{i},x_{i},\textit{PK}_{i})$ in $L_{\textit{Cuser}}$ . $\xi$ replaces $\textit{PK}_{i}=PK^{\prime}_{i}$ and $x_{i}=\bot$ .

$O^{\textit{Temp Sign Key}}(\textit{ID}_{i})$ : When $\textit{Adv}_{1}$ makes a query on $O^{\textit{Temp Sign Key}}(\textit{ID}_{i})$ for the time period $t_{i}$ , $\xi$ searches in the list $L_{\textit{TSK}}$ and returns $\textit{TSK}_{\textit{ID}_{i},t_{i}}$ if the query has been made earlier. Otherwise, $\xi$ performs the following.

(i)
If $\textit{ID}_{i}=\textit{ID}^{}$ , $\xi$ aborts the simulation.
(ii)
If $\textit{ID}_{i}\neq\textit{ID}^{}$ , $\xi$ chooses a random number $v_{i}\in\mathbb{Z}_{q}^{}$ and sets $V_{i}=v_{i}P$ and computes $\textit{ISK}_{\textit{ID}_{i},t_{i}}=h_{4i}[h_{3i}v_{i}+h_{2i}x_{i}]$ where $h_{2i}=H_{2}(\textit{ID}_{i},\textit{PK}_{i},V_{i})$ , $h_{3i}=H_{3}(\textit{ID}_{i},V_{i},t_{1i})$ , $h_{4i}=H_{4}(t_{i},m_{i},\textit{ID}_{i},\textit{PK}_{i},V_{i},U_{i})$ .

$\therefore\textit{TSK}_{\textit{ID}_{i},t_{i}}=[\textit{ISK}_{\textit{ID}_{i},% t_{i}},V_{i}]$ , $\xi$ outputs $\textit{TSK}_{\textit{ID}_{i},t_{i}}$ as the temporary signing key and sends to $\textit{Adv}_{1}$ .

$O^{\textit{Sign}}(\textit{ID}_{i})$ : When $\textit{Adv}_{1}$ makes a query on $(t_{i}$ , $m_{i}$ , $\textit{ID}_{i})$ , $\xi$ does as follows.

(i)
If $\textit{ID}_{i}\neq\textit{ID}^{}$ , $\xi$ recovers $\textit{TSK}_{\textit{ID}_{i},t_{i}},v_{i}$ from $L_{\textit{TSK}}$ list and set $z_{i}=\textit{ISK}_{\textit{ID}_{i},t_{i}}$ and compute $V_{i}=v_{i}P$ and $U_{i}=l_{4i}[R_{i}+l_{1i}P_{\textit{pub}}](-l_{5i})^{-1}$ by recovering $l_{1i},l_{4i}$ and $l_{5i}$ from $L_{1},L_{4}$ and $L_{5}$ lists respectively.

$\therefore$ $\xi$ outputs $\sigma_{i}=(V_{i},U_{i},z_{i})$ as the signature on $m_{i}$ for time period $t_{i}$ .
(ii)
If $\textit{ID}_{i}=\textit{ID}^{}$ , $\xi$ chooses a random $v_{i}\in Z_{q}^{}$ and computes $V_{i}=v_{i}P$ and then $\xi$ (makes $H_{i}$ for $i=$ 1 to 5 oracles with this $V_{i}$ ) recovers $l_{1i},l_{2i},l_{3i},l_{4i}$ and $l_{5i}$ from $L_{1},L_{2},L_{3},L_{4}$ and $L_{5}$ lists respectively.

Now $\xi$ computes $z_{i}=l_{3i}l_{4i}v_{i}$ and $U_{i}=l_{4i}[R_{i}+l_{1i}P_{\textit{pub}}+l_{2i}X_{i}](-l_{5i})^{-1}$ .

Now $\xi$ outputs $\sigma_{i}=(V_{i},U_{i},z_{i})$ as a valid signature on ‘ $m$ ’.

Finally $\xi$ outputs $(t_{i},m_{i},\sigma_{i})$ the valid signature as it satisfies Eq. (1). ∎

Forgery/Output: Finally $\textit{Adv}_{1}$ outputs $(t_{i}^{},m_{i}^{},\sigma_{i}^{})$ as its forgery where $\sigma_{i}^{}=[V_{i}^{},U_{i}^{},z_{i}^{}]$ .

If $ID_{i}^{}\neq\textit{ID}^{}$ , $\xi$ stops simulation. Otherwise, $\xi$ do the following.

Let $\sigma_{i}^{(1)}=(V_{i},U_{i},z_{i}^{(1)})$ denote $\sigma_{i}=(V_{i},U_{i},z_{i})$ .

From forking lemma, if we replay $\xi$ with same random type but different choice of hash functions $H_{1}$ to $H_{5}$ , $\textit{Adv}_{1}$ will output another Four $\sigma_{i}^{(j)}=(V_{i},U_{i},z_{i}^{(j)})$ for $j=2,3,4,5$ and the following equation holds.

$\displaystyle[z_{i}^{(j)}P-h_{5i}^{(j)}U_{i}]=h_{4i}^{(j)}[R_{i}+h_{1i}^{(j)}P% _{\textit{pub}}+$ (2) $\displaystyle\quad h_{2i}^{(j)}X_{i}+h_{3i}^{(j)}V_{i}]\text{ for }j=1,2,3,4,5.$

By $u_{i},r_{i},s,x_{i},v_{i}$ , we denote the discrete logarithms of $U_{i},R_{i},P_{\textit{pub}},X_{i}$ and $V_{i}$ respectively.

i.e., $U_{i}=u_{i}P,R_{i}=r_{i}P,P_{\textit{pub}}=sP,X_{i}=x_{i}P$ and $V_{i}=v_{i}P$ . From the above Eq. (2), we get

$\displaystyle[z_{i}^{(j)}-h_{5i}^{(j)}u_{i}]=h_{4i}^{(j)}[r_{i}+h_{1i}^{(j)}s+$ (3) $\displaystyle\quad h_{2i}^{(j)}x_{i}+h_{3i}^{(j)}v_{i}],\text{ for }j=1,2,3,4,5.$

$\xi$ solves the unknown values $r_{i},u_{i},v_{i},x_{i},s$ by solving these linearly independent Eq. (3) and outputs $s$ as the solution of ECDLP.

Theorem 2. The proposed PF-CLSKIS scheme satisfies perfect key insulation and unforgeable against Type-II adversary $\textit{Adv}_{2}$ in the ROM under the ECDL assumption.

Proof..

Let $\textit{Adv}_{2}$ is a Type-II adversary against the proposed scheme and assume that it can forge a valid signature with non-negligible probability. In the following, we will show how to produce another algorithm which can solve the ECDLP with the interaction of the adversary $\textit{Adv}_{2}$ , as defined in Game 2. For a given random instance tuple $(P,Q=\alpha P)$ of the ECDLP, the task of $\xi$ is to compute $\alpha\in Z_{q}^{}$ . For the simulation process, $\xi$ takes $\textit{ID}^{}$ as target identity of $\textit{Adv}_{2}$ on a message $m^{}$ .

Setup: Challenger $\xi$ sets $P_{\textit{pub}}=sP$ and generates params. $\xi$ sends params and master secret key to $\textit{Adv}_{2}$ .

Queries phase: In the following, the algorithm $\xi$ will answer the queries posed by the $\textit{Adv}_{2}$ in an adaptive manner. For this $\xi$ maintains the initially empty lists $L_{1}$ , $L_{2}$ , $L_{3}$ , $L_{4}$ , $L_{5}$ , $L_{\textit{PSK}}$ , $L_{\textit{Cuser}}$ , $L_{\textit{TSK}}$ . These lists are used to keep track of answers to the queries $H_{1},H_{2},H_{3},H_{4},H_{5}$ and $O^{\textit{Partial Secret Key}}$ , $O^{\textit{Create User}}$ , $O^{\textit{Temp Signing Key}}$ respectively. $H_{1}$ to $H_{5}$ Oracles are same as in the Theorem 1.

$O^{\textit{Create User}}(\textit{ID}_{i})$ : When $\textit{Adv}_{2}$ asks a query on $O^{\textit{Create User}}(\textit{ID}_{i})$ , $\xi$ searches in the list $L_{\textit{Cuser}}$ for the tuple $(\textit{ID}_{i},x_{i},\textit{PK}_{i})$ . If such tuple exists, $\xi$ returns $\textit{PK}_{i}$ . Otherwise, $\xi$ performs the following.

(i)
If $\textit{ID}_{i}\neq\textit{ID}^{}$ , $\xi$ chooses $r_{i},x_{i}\in Z_{q}^{}$ randomly and computes $R_{i}=r_{i}P$ , $H_{1}(\textit{ID}_{i},R_{i},P_{\textit{pub}})=h_{1i}$ and $X_{i}=x_{i}P$ . $\xi$ sets $\textit{PK}_{i}=(X_{i},R_{i})$ and adds $(\textit{ID}_{i},R_{i},P_{\textit{pub}},h_{1i})$ to $L_{1}$ and $(\textit{ID}_{i}$ , $x_{i}$ , $\textit{PK}_{i})$ to $L_{\textit{Cuser}}$ , $\xi$ returns $\textit{PK}_{i}$ to $\textit{Adv}_{2}$ as a response.
(ii)
If $\textit{ID}_{i}=\textit{ID}^{}$ , $\xi$ generates a random number $r_{i}\in Z_{q}^{}$ and sets $R_{i}=r_{i}P$ , $H_{1}(\textit{ID}_{i},R_{i},P_{\textit{pub}})=h_{1i}$ and $X_{i}=Q=\alpha P$ . $\xi$ sets $\textit{PK}_{i}=(X_{i},R_{i})$ and adds $(\textit{ID}_{i},R_{i},P_{\textit{pub}},h_{1i})$ to $L_{1}$ and $(\textit{ID}_{i},\bot,\textit{PK}_{i})$ to $L_{\textit{Cuser}}$ . $\xi$ sends $X_{i}$ to $\textit{Adv}_{2}$ as a response.

$O^{\textit{Secret Key}}(\textit{ID}_{i})$ : When $\textit{Adv}_{2}$ makes this query on $O^{\textit{Secret Key}}(\textit{ID}_{i})$ if $\textit{ID}_{i}=\textit{ID}^{}$ , $\xi$ aborts. Otherwise, (if $\textit{ID}_{i}\neq\textit{ID}^{}$ ), $\xi$ finds the tuples $(\textit{ID}_{i},x_{i},\textit{PK}_{i})$ , from the list $L_{\textit{Cuser}}$ and recovers $x_{i}$ . Set $SK_{i}=(d_{i},x_{i})$ and returns $SK_{i}$ to $\textit{Adv}_{2}$ . If there is no corresponding tuple in $L_{\textit{Cuser}}$ , $\xi$ makes a query on $\textit{Cuser}(\textit{ID}_{i})$ to generate $x_{i}$ , $\xi$ saves this value in $L_{\textit{Cuser}}$ . Finally $\xi$ returns $SK_{i}$ .

$O^{\textit{Temp Sign Key}}(\textit{ID}_{i})$ : When $\textit{Adv}_{2}$ asks a query on $O^{\textit{Temp Sign Key}}(\textit{ID}_{i})$ for time period $t_{i}$ , $\xi$ searches in the list $L_{\textit{TSK}}$ and returns $\textit{TSK}_{\textit{ID}_{i},t_{i}}$ , if the query has been made earlier. Otherwise, $\xi$ performs the following.

(i)
If $\textit{ID}_{i}=\textit{ID}^{}$ , $\xi$ aborts the simulation.
(ii)
If $\textit{ID}_{i}\neq\textit{ID}^{}$ , $\xi$ chooses a random number $v_{i}\in Z_{q}^{}$ , and sets $V_{i}=v_{i}P$ and $\textit{ISK}_{\textit{ID}_{i},t_{i}}=d_{i}+x_{i}h_{2i}+v_{i}h_{3i}$ , where $h_{2i}=H_{2}(\textit{ID}_{i},\textit{PK}_{i},V_{i})$ , $h_{3i}=H_{3}(\textit{ID}_{i},V_{i},t_{i})$ and sets $\textit{TSK}_{\textit{ID}_{i},t_{i}}=[\textit{ISK}_{\textit{ID}_{i},t_{i}},V_{% i}]$ .

$\xi$ outputs $\textit{TSK}_{\textit{ID}_{i},t_{i}}$ as the temporary signing key and sends to $\textit{Adv}_{2}$ .

$O^{\textit{Sign}}(\textit{ID}_{i})$ : When $\textit{Adv}_{2}$ asks a query on $(t_{i}$ , $m_{i}$ , $\textit{ID}_{i})$ , $\xi$ do the following.

(i)
If $\textit{ID}_{i}\neq\textit{ID}^{}$ , $\xi$ do the same as in scheme.
(ii)
If $\textit{ID}_{i}=\textit{ID}^{}$ , $\xi$ chooses $u_{i},v_{i}\in Z_{q}^{}$ and sets $V_{i}=v_{i}P$ and $z=l_{4i}d_{i}+l_{5i}u_{i}$ and $U_{i}=[u_{i}P-[l_{2i}X_{i}+l_{3i}V_{i}]l_{4i}(l_{5i})^{-1}]$ and hence $\xi$ outputs $\sigma_{i}=(V_{i},U_{i},z_{i})$ as the valid signature on $m_{i}$ for the time period ‘ $t_{i}$ ’. ∎

Forgery/Output: Finally $\textit{Adv}_{2}$ outputs $(t_{i}^{},m_{i}^{},\sigma_{i}^{})$ as its forgery, where $\sigma_{i}^{}=(V_{i}^{},U_{i}^{},z_{i}^{})$ .

If $\textit{ID}_{i}\neq\textit{ID}^{}$ , $\xi$ stops simulation. Otherwise, $\xi$ do the following.

Let $\sigma_{i}^{(1)}=[V_{i},U_{i},z_{i}^{(1)}]$ denote $\sigma_{i}=(V_{i},U_{i},z_{i})$ .

From Forking lemma, if we replay $\xi$ with same random tape but different choice of hash functions $H_{1}$ to $H_{5}$ , $\textit{Adv}_{2}$ will output another three signatures $\sigma_{i}^{(j)}=[V_{i},U_{i},z_{i}^{(j)}]$ for $j=2,3,4$ .

$\displaystyle[z_{i}^{(j)}P-h_{5i}^{(j)}U_{i}]=h_{4i}^{(j)}[R_{i}+h_{1i}^{(j)}P% _{\textit{pub}}+$ $\displaystyle\quad h_{2i}^{(j)}X_{i}+h_{3i}^{(j)}V_{i}]\text{ for }j=1,2,3,4.$

By $u_{i},r_{i},s,x_{i},v_{i}$ , we denote the discrete logarithms of $U_{i},R_{i},P_{\textit{pub}},X_{i},V_{i}$ respectively, i.e., $U_{i}=u_{i}P$ , $R_{i}=r_{i}P$ , $P_{\textit{pub}}=sP$ , $X_{i}=\alpha P$ and $V_{i}=v_{i}P$ .

From the above equation, we get $[z_{i}^{(j)}-h_{5i}^{(j)}u_{i}]=h_{4i}^{(j)}[r_{i}+h_{1i}^{(j)}s+h_{2i}^{(j)}% \alpha+h_{3i}^{(j)}v_{i}]$ for $j=1,2,3,4$ . Here $z, s$ are known values.

$\xi$ solves the unknown values $r_{i},u_{i},v_{i}$ and $\alpha$ by solving these linearly independent equations and outputs as the solution of ECDLP.

Theorem 3. The proposed PF-CLKIS scheme is strong key insulated and unforgeable against Type I adversary $\textit{Adv}_{1}$ in the ROM under ECDLP assumption.

Proof..

The proof is similar to that of Theorem 1. The difference is that $\textit{Adv}_{1}$ cannot make a User Temporary Signing Key query but can adaptively ask the Helper-Key query.

Helper key query: When $\textit{Adv}_{1}$ queries a helper key for $\textit{ID}_{i}$ and a time period $t_{i}$ , $\xi$ returns the user’s helper key $v_{i}\in Z_{q}^{}$ to $\textit{Adv}_{1}$ .

Signing oracle: When $\textit{Adv}_{1}$ makes a query on $(t_{i},m_{i},\textit{ID}_{i})$ , $\xi$ does the following.

(i)
If $\textit{ID}_{i}\neq\textit{ID}^{}$ , $\xi$ recovers $v_{i}$ and compute $V_{i}=v_{i}P$ . Then $\xi$ makes $H_{i}$ query for $i=1,2,3,4,5$ and obtains the responses $l_{1i}$ to $l_{5i}$ Now $\xi$ computes $z_{i}=h_{4i}[h_{3i}v_{i}+h_{2i}x_{i}]$ and $U_{i}=h_{4i}[R_{i}+h_{1i}P_{\textit{pub}}](-h_{5i})^{-1}$ and outputs $\sigma_{i}=(V_{i},U_{i},z_{i})$ as the signature.
(ii)
If $\textit{ID}_{i}=\textit{ID}^{*}$ , $\xi$ recovers the helper key $v_{i}$ for target identity and do the same as in Theorem 1.

∎

Theorem 4. The proposed PF-CLKIS scheme is strong key insulated against Type II adversary $\textit{Adv}_{2}$ in the ROM under ECDL assumption.

Proof..

The proof is similar to that of Theorem 2. The difference is that $\textit{Adv}_{2}$ cannot make a User Temporary Signing Key query but can adaptively ask the Helper-Key query as mentioned in Theorem 3. ∎

Theorem 5. The proposed scheme has secure key updates against Type I and Type II adversary.

Proof..

This Theorem follows from the fact that for any time period indices $t,t-1$ and any identity ID, the updated secret key $\textit{UHK}_{\textit{ID},t,t-1}$ can be derived from $\textit{TSK}_{ID,t}$ and $\textit{TSK}_{ID,t-1}$ . ∎
5. Performance analysis

This section describes the performance analysis of our PF-CLSKIS scheme. We compare our scheme with the existing relevant schemes [7, 14, 17, 20, 23, 24] in terms of signing cost, verification cost, total computation cost, signing length, under lying hard problem, security of the scheme and its model. We consider the experimental results [3, 4, 15, 18] for different cryptographic operations and their conversions to calculate the computational cost and the same is presented in Table 2. Also we consider Table 3 to achieve 80 bit security for evaluating the total communication cost. The comprehensive evaluation of our PF-CLSKIS scheme is presented in Table 4 and the same is compared with other existing schemes [7, 14, 17, 20, 23, 24]. In the following we present the comparative analysis of our PF-CLSKIS scheme with the related schemes [7, 14, 17, 20, 23, 24] in view of computation and communication costs.

Table 2
Different cryptographic operations and their conversions

Notations	Description (in terms of time complexity
	to execute the following operation)
$T_{\textit{MM}}$	Modular multiplication
$T_{\textit{SM}}$	Scalar multiplication in elliptic curve group $T_{\textit{SM}}=29T_{\textit{MM}}$
$T_{\textit{BP}}$	Bilinear pairing $T_{\textit{BP}}=87T_{\textit{MM}}$
$T_{\textit{PEX}}$	Pairing-based exponentiation $T_{\textit{PEX}}=43.5T_{\textit{MM}}$
$T_{\textit{MTPH}}$	Map to point hash function $1T_{\textit{MTPH}}=1T_{\textit{SM}}=29T_{\textit{MM}}$
$T_{\textit{MX}}$	Modular exponentiation operation $T_{\textit{MX}}=240T_{\textit{MM}}$
$T_{\textit{PA}}$	Elliptic curve point addition $T_{\textit{PA}}=0.12T_{\textit{MM}}$

Table 3

Length of the group in bilinear pairing and ECC

System/type	Type of the curve	Pairing	Cyclic group	Length of $\|\hat{p}\|,\|p\|$	Group of	Length of
					order	the group
Bilinear pairing	$\hat{E}$ : $y^{2}\!=\!x^{3}\!+\!x\bmod\hat{p}$	$\hat{e}$ : $G_{1}\!\times\!G_{1}\rightarrow G_{T}$	$G_{1}$ with generator $\hat{P}$	$\|\hat{p}\|=$ 512 bits	$\hat{q}=$ 160 bits	$\|G_{1}\|=$ 1024 bits
				(64 bytes)
ECC	$E$ : $y^{2}\!=\!x^{3}\!+\!ax\!+\!b\bmod p$	Without pairing	$G$ with generator $P$	$\|p\|=$ 160 bits	$q=$ 160 bits	$\|G\|=$ 320 bits
	where $a,b\in Z_{q}^{*}$ .			(20 bytes)

Table 4

Comparison of our PF-CLSKIS scheme

Scheme	Sign. cost	Verf. cost	Total cost	Sign. length	Complexity problem	Secure
Wan et al. (2009) [20]	$2T_{\textit{MX}}$	$7T_{\textit{BP}}$	$1089T_{\textit{MM}}$	$4\|G_{1}\|=$ 4096 bits	NGBDHP, Many-DHP	No
Wan et al. (2011) [23]	$3T_{\textit{MX}}$	$4T_{\textit{BP}}$	$1068T_{\textit{MM}}$	$4\|G_{1}\|=$ 4096 bits	NGBDHP	No
Wan et al. (2011) [24]	$2T_{\textit{SM}}+1T_{\textit{MTPH}}+1T_{\textit{PA}}$	$5T_{\textit{BP}}$	$522.12T_{\textit{MM}}$	$3\|G_{1}\|=$ 3072 bits	CDHP	Yes
Sun et al. (2014) [17]	$1T_{\textit{MX}}$	$5T_{\textit{MX}}$	$1440T_{\textit{MM}}$	$4\|G_{1}\|+\|Z_{q}^{*}\|=$ 4608 bits	CDHP	Yes
Chen et al. (2015) [7]	$3T_{\textit{MX}}$	$7T_{\textit{BP}}$	$1329T_{\textit{MM}}$	$4\|G_{1}\|=$ 4096 bits	CDHP	No
Lu et al. (2015) [14]	$5T_{\textit{MX}}$	$4T_{\textit{BP}}$	$1548T_{\textit{MM}}$	$4\|G_{1}\|=$ 4096 bits	Squ-CDHP	Yes
Our scheme	$1T_{\textit{SM}}$	$6T_{\textit{SM}}+4T_{\textit{PA}}$	$203.48T_{\textit{MM}}$	$2\|G\|+\|Z_{q}^{*}\|=$ 800 bits	ECDLP	Yes

In Wan et al. scheme [20], $2T_{\textit{MX}}=480T_{\textit{MM}}$ for signature generation and $7T_{\textit{BP}}=609T_{\textit{MM}}$ for signature verification. Thus, Wan et al. scheme [20] requires the total computational cost as 1089 $T_{\textit{MM}}$ .

In Wan et al. scheme [23], signer needs to execute three modular exponentiation operations and verifier needs to execute four bilinear pairing operations i.e. $3T_{\textit{MX}}=720T_{\textit{MM}}$ for signature generation and $4T_{\textit{BP}}=348T_{\textit{MM}}$ for signature verification. Thus, Wan et al. scheme requires the total computational cost as $1068T_{\textit{MM}}$ .

In Wan et al. scheme [24], signer needs to execute two scalar multiplications, one map to point hash function and one point addition operation and verifier needs to execute five bilinear pairing operations i.e. $2T_{\textit{SM}}+1T_{\textit{MTPH}}+1T_{\textit{PA}}=87.12T_{\textit{MM}}$ for signing and $5T_{\textit{BP}}=435T_{\textit{MM}}$ for verification. Thus Wan et al. scheme [23] requires the total computation cost as $522.12T_{\textit{MM}}$ .

In Sun et al. scheme [17], signer needs to execute one modular exponentiation operation and verifier needs to execute five modular exponentiation operations i.e. $1T_{\textit{MX}}=240T_{\textit{MM}}$ for signing and $5T_{\textit{MX}}=1200T_{\textit{MM}}$ for verification. Thus the Sun et al. scheme [17] requires the total computation cost as $1440T_{\textit{MM}}$ .

In Chen et al. scheme [7], signer needs to execute three modular exponentiation operations and verifier needs to execute seven bilinear pairing operations i.e. $3T_{\textit{MX}}=720T_{\textit{MM}}$ for signing and $7T_{\textit{BP}}=609T_{\textit{MM}}$ for verification. Thus, Chen et al. scheme [7] requires the total computation cost as $1329T_{\textit{MM}}$ .

To generate a signature in Lu et al. scheme [14], signer need to execute five modular exponentiation operations and verifier need to execute four bilinear pairing operations i.e. $5T_{\textit{MX}}=1200T_{\textit{MM}}$ for signature generation and $4T_{\textit{BP}}=348T_{\textit{MM}}$ for signature verification. Hence the total computation cost of Wan et al. scheme is $1548T_{\textit{MM}}$ .

In our proposed scheme, signer needs to compute one scalar multiplication and verifier needs to compute six scalar multiplications and four point addition operations i.e. $1T_{\textit{SM}}=29T_{\textit{MM}}$ for signing and $6T_{\textit{SM}}+4T_{\textit{PA}}=174.48T_{\textit{MM}}$ for verification. Thus, the total computation cost of our scheme is $203.48T_{\textit{MM}}$ .

The communication cost (signature length) of our scheme requires 800 bits where the schemes [7, 14, 20, 23] require 4096 bits, scheme [24] require 3072 bits and scheme [17] require 4608 bits. From Table 4 it is clear that our PF-CLSKIS scheme more efficient than all existing schemes in terms of communication and computational cost. Moreover most of these schemes are based on bilinear pairings. The computation cost of our PF-CLSKIS scheme is $203.48T_{\textit{MM}}$ and is 78.83% less than Wan et al. scheme (2009) [20], 80.94% less than Wan et al. scheme (2011) [23], 61.02% less than Wan et al. scheme (2011) [24], 85.86% less than Sun et al. scheme (2014) [17], 84.68% less than Chen et al. scheme (2015) [7] and 86.85% less than Lu et al. Scheme (2015) [14]. It is also clear from the Table 4 that, the signature length of our PF-CLSKIS scheme need 800 bits only and is 80.46% less than Wan et al. scheme (2009) [20], Wan et al. scheme (2011) [23], Chen et al. scheme (2015) [7] and Lu et al. Scheme (2015) [14] and 73.95% less than Wan et al. scheme (2011) [24], 82.63% less than Sun et al. scheme (2014) [17]. The following bar graphs clearly show that our proposed PF-CLSKIS scheme is more efficient than all existing related schemes in terms of computation and communication complexity.

5.1 Potential applications

In view of the desirable merits, namely free from certificate authority, free from key escrow problem and costly computational operations, key insulation, the proposed PF-CLSKIS scheme can be applied to a range of practical environments which are troubled by the private key exposure problem.

Wireless Sensor Networks (Vehicular Ad-hoc Networks): Rapid development in the field of wireless communication technology provides intelligent and efficient transportation system through VANETS to mitigate the traffic jams and road fatalities. A Vehicular Ad-hoc Network (VANET) infrastructure consists of three major elements called On Board Unit (OBU), Road Side Units (RSU) and Trusted Authority (TA). Each vehicle is equipped with OBU and a tamper proof device, which allows vehicles to communicate with other vehicles (V2V) as well as with RSU, which are located on the road. The trusted authority (TA) generates a partial secret key for each vehicle and sends it to the OBU (in the case of V2V Communication) or RSU (in case of V2I communication) through a secure channel. The vehicle OBU generates the full secret key with a combination of partial secret key. But exposure of this full secret key (signing key) is inevitable due to the openness of VANET environment. To avoid the key exposure in V2V or V2I communication, the proposed key insulation mechanism can be adopted. Vehicle’s OBU updates its full secret key in regular intervals of time period. And uses this updated secret key to sign the message.

6. Conclusions

In this paper, we proposed a new certificateless key-insulated signature scheme without pairings (PF-CLSKIS scheme). This scheme did not use any complex bilinear pairing operations, which enormously improves the computational efficiency. To the best of our knowledge, this is the first PF-CLSKIS scheme on elliptic curves. The security of the proposed scheme is proved in the random oracle model under the assumption that the ECDLP is intractable. In addition to the unforgeability and key insulation, our scheme supports secure key updates and strong key insulation. Efficiency analysis of our scheme shows that the proposed scheme has less computation and communication costs with other schemes. Due to high efficiency, our scheme is more suitable for some practical applications where the computational resources are limited in trust worthy environments such as Wireless communication devices, Smart cards, Vehicular Ad-hoc Networks.

References

Al-Riyami

S.S.

and Paterson

K.G.

, Certificateless public key cryptography, in: International Conference on the Theory and Application of Cryptology and Information Security, Asiacrypt 2003 Laih

C.S.

, ed., Taipei, Taiwan 2003. Lecture Notes in Computer Science, Advances in Cryptology, Vol. 2894, Springer, Berlin, Heidelberg, 2003, pp. 452–473.

Amarapu

R.B.

and Reddy

P.V.

, Efficient identity based parallel key insulated signature scheme using pairings over elliptic curves, J of Sci and Indu Res 77 (2018), 24–28.

Barreto

P.S.L.M.

Kim

H.Y.

Lynn

and Scott

, Efficient algorithms for pairing based cryptosystems, in: Annual International Cryptology Conference, Crypto 2002 Yung

, ed., Santa Barbara, CA, USA, 2002. Lecture Notes in Computer Science, Advances in Cryptology, Vol. 2442, Springer, Berlin, Heidelberg, 2002, pp. 354–368.

Cao

Kou

and Du

, A pairing-free identity based authenticated key agreement protocol with minimal message exchanges, Inf Sci 180(15) (2010), 2895–2903.

Chen

Wang

Long

and Wan

, Identity-based key insulated signcryption, Informatica 23(1) (2012), 27–45.

Chen

Cheng

and Smart

N.P.

, Identity-based key agreement protocols from pairings, Int J of Inf Sec 6(4) (2007), 213–241.

Chen

and Xiong

, Strongly secure certificateless key-insulated signature secure in the standard model, Ann Telecomm 70 (2015), 395–405.

Diffe

and Hellman

M.E.

, New directions in cryptography, IEEE Trans in Inf The 22 (1976), 644–654.

Dodis

Katz

J.J.

and Yung

, Strong key-insulated signature schemes, in: Proc of the 6th Int Workshop on Practice and Theory in Public Key Cryptography, Miami, 2002, pp. 130–144.

10.

Dodis

Katz

J.J.

and Yung

, Key-insulated public key cryptosystems, in: Porc of Int Conf on the Theory and Applications of Cryptographic Techniques, Amsterdam, 2002, pp. 65–82.

11.

Gopal

P.V.S.S.N.

and Reddy

P.V.

, Efficient ID-Based Key-Insulated Signature scheme with batch verifications using bilinear pairings over elliptic curves, J of Disc Math Sci and Crypt 18(4) (2015), 385–402.

12.

Yuan

Xiong

and Qin

, An efficient and provably secure certificateless key insulated encryption with applications to mobile internet, Int J of Net Sec 19(6) (2017), 940–949.

13.

L.B.

Yan

D.J.

Xiong

and Qin

Z.G.

, A pairing-free certificateless key insulated encryption with provable security, J of Elec Sci and Tech (2018), 1–7.

14.

Zhang

and Li

, An improved certificateless strong key-insulated signature scheme in the standard model, Adv in Math of Comm 9(3) (2015), 353–373.

15.

MIRACL Library. Available at http://certivox.org/display/EXT/MIRACL.

16.

Shamir

, Identity-based cryptosystems and signature schemes advances in cryptology, in: Workshop on the Theory and Application of Cryptographic Techniques, Crypto 1984 Blakley

G.R.

and Chaum

, eds, Santa Barbara, CA, USA 1984. Lecture Notes in Computer Science, Advances in Cryptology, Vol. 196, Springer, Berlin, Heidelberg, 1984, pp. 47–53.

17.

Sun

and Shen

, Pairing-free and revocable certificateless signature against signing key exposure, J of Emer Trends in Comp and Inf Sci 5(11) (2014), 845–849.

18.

Tan

S.Y.

Heng

S.H.

and Goi

B.M.

, Java Implementation for Pairing-based cryptosystems, in: International Conference on Computational Science and its Applications, Computational Science and its Application ICCSA-2010 Taniar

Gervasi

Murgante

Pardede

and Apduhan

B.O.

, eds, Fukuoka, Japan, 2010. Lecture Notes in Computer Science, ICCSA-2010, Vol. 6019, Springer, Berlin, Heidelberg, 2010, pp. 188–198.

19.

Reddy

P.V.

and Gopal

P.V.S.S.N.

, Identity-based key-insulated aggregate signature scheme, J of King Saud Uni – Com and Inf Sci 29(3) (2017), 303–310.

20.

Wan

Lai

Weng

Liu

Long

and Hong

, Certificateless key-insulated signature without random oracles, J of Zhejiang Uni Sci A 10(12) (2009), 1790–1800.

21.

Wan

Lai

Weng

and Wang

, Identity-based key-insulated proxy signature, J of Elec (China) 26(6) (2009), 853–858.

22.

Wan

and Hong

, Parallel key-insulated signature scheme without random oracles, J of Comm and Net 15(3) (2013), 252–257.

23.

Wan

Meng

and Hong

, Certificateless strong key-insulated signature without random oracles, J of Shanghai Jiaotong Uni (Sciences) 16(5) (2011), 571–576.

24.

Wan

Lai

Weng

and Li

, Certificateless strong key insulated signature, in: Proc of Int Conf on Inf Sci and Tech, IEEE, China, 2011, pp. 270–276.

25.

Wang

and Zhang

, Identity-based strong key-insulated ring signature scheme in the standard model, in: Proc of the 7th Int Conf on Mobile Ad-hoc and Sensor Networks, Beijing, 2011, pp. 451–455.

26.

Wang

and Pan

J.S.

, Security analysis on “Strongly secure certificateless key-insulated signature secure in the standard model”, in: Proc Int Conf on Intel Inf Hiding and Mult Signal Proc IEEE, 2015.

27.

Weng

Liu

Chen

and Ma

, Identity-based key-insulated signature without random oracles, in: International Conference on Computational and Information Sciences, Computational Intelligence and Security 2006 Wang

Cheung

and Liu

, eds, Guangzhou, China, 2006. Lecture Notes in Computer Science, CIS 2006, Vol. 4456, Springer, Berlin, Heidelberg, 2006, pp. 470–480.

28.

T.Y.

Tseng

Y.M.

and Yu

C.W.

, ID-based key-insulated signature scheme with batch verification and its novel application, Int J of Inno Comp, Inf and Control 8(7) (2012), 4797–4810.

29.

Zhou

Zhao

Zhou

and Mei

, Certificateless key-insulated generalized signcryption scheme without bilinear pairings, Sec and Commu Net 2017 (2017).

30.

Zhu

G.B.

Xiong

and Qin

Z.G.

, Pairing-free ID-based key-insulated signature scheme, J of Elec Sci and Tech 13(1) (2015), 33–38.

Efficient and secure pairing-free certificateless strong key-insulated signature scheme

Abstract

Keywords

1. Introduction

1.1 Related work

1.2 Motivation

1.3 Our contributions

1.4 Organization

2.1 Preliminaries

2.1.1 Elliptic Curve Group

2.1.2 Elliptic Curve Discrete Logarithm Problem (ECDLP)

Table 1 Notations and their meanings

3.1 Scheme framework

4.1 Proposed Scheme

4.3 Security analysis

Proof..

Proof..

Proof..

Proof..

Proof..

Table 2 Different cryptographic operations and their conversions

6. Conclusions

References

Table 1
Notations and their meanings

Table 2
Different cryptographic operations and their conversions