An Effective Certiﬁcateless Signature Scheme Based on

Bilinear Pairings

⋆

M. Choudary Gorantla, Raju Gangishetti, Manik Lal Das and Ashutosh Saxena

Institute for Development and Research in Banking Technology

Castle Hills, Masab Tank, Hyderabad 500057, INDIA.

Abstract. In this paper we propose a certiﬁcateless signature scheme based on

bilinear pairings. The scheme effectively removes secure channel for key issuance

between trusted authority and users and avoids key escrow problem, which is an

inherent drawback in ID-based cryptosystems. The scheme uses a simple blinding

technique to eliminate the need of secure channel and user chosen secret value to

avoid the key escrow problem. The signature scheme is secure against adaptive

chosen message attack in the random oracle model.

1 Introduction

In traditional public key cryptosystems (PKC), the public key of a signer is essentially a

random bit string picked from a given set. This leads to a problem of how the public key

is associated with the signer (for signature schemes). In these cryptosystems the binding

between public key and identity of the signer is obtained via a digital certiﬁcate. The

trusted third party veriﬁes the credentials of the entity before issuing a digital certiﬁcate.

The traditional PKC also requires huge efforts in terms of computing time and storage

to manage the certiﬁcates.

To simplify this tedious certiﬁcate management process, Shamir [20] introduced

the concept of ID-based cryptosystem wherein, a user’s public key is his identity or

derived from his identity. The user’s private key is generated by a trusted third party

called Private Key Generator (PKG). Unlike traditional PKCs, ID-based cryptosystems

require no public key directories. The encryption and veriﬁcation processes require only

user’s identity along with some system parameters which are one-time computed and

available publicly. These features make ID-based cryptosystems advantageous over the

traditional PKCs, as key distribution and revocation are not required. Moreover, the

signer’s public key need not be published or sent along with the message. A veriﬁer

can verify a signature just by using the signer’s identity. But an inherent problem of ID-

based cryptosystems is key escrow, i.e., the PKG knows the user’s private key. There-

fore, the PKG can decrypt any ciphertext or forge signature for any message and thus

there is no user privacy and authenticity in the system. After Shamir’s proposal, several

ID-based cryptosystems [6,13,14,17,19] have been proposed. However, most of the

⋆

This work is supported in part by the Ministry of Communications and Information Technol-

ogy, Govt. of India, under the grant no. 12(35)/05-IRSD.

Choudary Gorantla M., Gangishetti R., Lal Das M. and Saxena A. (2005).

An Effective Certiﬁcateless Signature Scheme Based on Bilinear Pairings.

In Proceedings of the 3rd International Workshop on Security in Information Systems, pages 31-39

DOI: 10.5220/0002572500310039

Copyright

c

SciTePress

schemes require a secure channel between users and the PKG to deliver private keys.

Due to these inherent problems, ID-based cryptosystems are considered to be suitable

for private networks [20]. Thus, eliminating these problems in ID-based cryptosystems

is essential to make them more applicable in the real world.

Recently, Al Riyami and Paterson [1] introduced the concept of certiﬁcateless cryp-

tosystem, which is intermediate between traditional PKC and ID-based cryptosystem.

Like the ID-based cryptosystem, certiﬁcateless cryptosystem does not require the use

of certiﬁcates to guarantee the authenticity of public keys. In this paper, we propose a

certiﬁcateless signature scheme based on bilinear pairings. We use a simple blinding

technique and user chosen secret value to eliminate secure channel and the key escrow

problem respectively. The trusted authority (TA) issues a partial private key to the user

in a blinded manner through which the user creates his own private key. Thus, the TA

neither knows the user’s private key nor uses secure channel for key issuance. The sig-

nature scheme is secure against adaptive chosen message attack in the random oracle

model assuming that the CDHP is computationally hard.

1.1 Previous Work

In 1984, Shamir[20] proposed an ID-based signature scheme based on the difﬁculty of

factoring integers. Hess [14] proposed an efﬁcient ID-based signature scheme based on

pairings and Cha et.al [6] proposed an ID-based signature from Gap Difﬁe-Hellman

groups. But, all these schemes [6,14, 20] suffer from key escrow problem and require a

secure channel for key issuance.

Boneh and Franklin [5] proposed a solution for the key escrow problem in ID-based

cryptosystem, where a user’s private key is computed in a threshold manner by multi-

ple authorities. But, multiple identity veriﬁcations of a user by multiple authorities are

quite a burden. Generating a new private key by adding multiple private keys is an-

other approach [7], but in this scheme the key generation centers have no countermea-

sure against the user’s illegal usage of his private key. Gentry [11] proposed a scheme

that eliminates the key escrow and secure channel requirement using some user chosen

secret information, but it is certiﬁcate-based. Later, Al-Riyami and Paterson [1] intro-

duced the concept of certiﬁcateless PKC to eliminate the key escrow problem. Their

original scheme requires a secure channel between the users and the trusted author-

ity to transmit partial private keys. Recently, a secure key issuing protocol in ID-based

cryptosystem was proposed by Lee et al [15], wherein private key is issued by a key gen-

eration center and its privacy is protected by multiple key privacy authorities. However,

its computational complexity is high and efﬁciency is poor in terms of communication

requirements.

1.2 Organization

The rest of the paper is organized as follows: Section 2 gives the background concepts

on bilinear pairings and some related mathematical problems. Section 3 presents the

model of our scheme. Section 4 presents the signature scheme and its security analysis.

We conclude the paper in Section 5.

32

2 Background Concepts

In this section, we brieﬂy review the basic concepts on bilinear pairings and some re-

lated mathematical problems.

2.1 Bilinear Pairings

Let G

1

be an additive cyclic group of prime order q, G

2

be a multiplicative cyclic

group of the same order and P be a generator of G

1

. A bilinear map is deﬁned as

e : G

1

× G

1

→ G

2

with the following properties:

Bilinear: e(aR, bS) = e(R, S)

ab

∀R, S ∈ G

1

and a, b ∈ Z

∗

q

. This can be restated as ∀

R, S, T ∈ G

1

, e(R + S, T ) = e(R, T )e(S, T ) and e(R, S + T ) = e(R, S)e(R, T ).

Non-degenerate: There exists R, S ∈ G

1

such that e(R, S) 6= I

G

2

where I

G

2

denotes

the identity element of the group G

2

.

Computable: There exists an efﬁcient algorithm to compute e(R, S) ∀R, S ∈ G

1

.

In general implementation, G

1

will be a group of points on an elliptic curve and G

2

will denote a multiplicative subgroup of a ﬁnite ﬁeld. Typically, the mapping e will be

derived from either the Weil or the Tate pairing on an elliptic curve over a ﬁnite ﬁeld.

We refer to [5] for more comprehensive description on how these groups, pairings and

other parameters are deﬁned.

2.2 Mathematical Problems

Here we discuss some mathematical problems, which form the basis of security for our

scheme.

Discrete Logarithm Problem (DLP): Given q, P and Q ∈ G

∗

1

, ﬁnd an integer x ∈ Z

∗

q

such that Q = xP .

Computational Difﬁe-Hellman Problem (CDHP): For any a, b ∈ Z

∗

q

, given

< P, aP, bP >, compute abP .

Decisional Difﬁe-Hellman Problem(DDHP): For any a, b, c ∈ Z

∗

q

, given

< P, aP, bP, cP >, decide whether c ≡ ab mod q.

Bilinear Difﬁe-Hellman Problem (BDHP): For any a, b, c ∈ Z

∗

q

, given

< P, aP, bP, cP >, compute e(P, P )

abc

.

Gap Difﬁe-Hellman Problem(GDHP): A class of problems where CDHP is hard while

DDHP is easy.

Weak Difﬁe-Hellman Problem(WDHP): For S ∈ G

1

and for some a ∈ Z

∗

q

, given

< P, S, aP > compute aS.

3 The Model for the Proposed Scheme

We assume that the public keys of the users are placed in a public directory maintained

by a trusted authority (TA) that issues partial private keys to the users. We put no further

33

security on the public key directory and allow an active adversary to replace any public

key with a public key of his own choice. We say that even though an adversary replaces

a public key, the innocent user can not be framed of repudiating his signature. Hence the

users have the same level of trust in the TA as they would in a CA in the traditional PKC.

The trust assumptions made in our scheme are greatly reduced compared to ID-based

schemes where the PKG knows the private keys of every user.

There are two types of adversaries who can replace the public keys kept in the

directory. The adversaries who do not have access to the master key and the adversaries

with the master key. We discuss the adversarial actions in the security analysis part.

The proposed signature scheme consists of four algorithms, namely Setup, Key

Generation, Sign and Verify.

Setup: The TA selects a master-key and keeps it secret. It then speciﬁes the system

parameters params, which include description of the bilinear map, hash functions,

the TA’s public key, message space M and signature space S. The TA publishes the

params.

Key Generation: This algorithm generates the public key and private key of the user

as follows:

- The user A chooses two secret values, calculates the user parameters user-params

and sends them to the TA over a public channel along with his identity.

- The TA veriﬁes A’s identity and checks the validity of user-params.

- On successful veriﬁcation, the TA calculates user’s public key P

A

and partial pri-

vate key D

A

.

- The TA publishes P

A

and sends D

A

to the user A over a public channel.

- The user checks the validity of D

A

and extracts his private key S

A

from it.

Sign: The user A signs on a message M using his private key S

A

and produces a signa-

ture Sig ∈ S.

Verify: To verify a signed message from a user A, a recipient performs the operation

using A’s identiﬁer ID

A

and public key P

A

after checking P

A

’s correctness.

3.1 Chosen Message Attack

Here, we present the formal security model for our signature scheme. Security against

chosen message attack is the standard notion of security for a signature scheme. It is

deﬁned through the following game between a challenger and an adversary A.

Setup: The challenger takes a security parameter k and runs the Setup algorithm. It

gives to A the resulting system parameters params and keeps master-key with it-

self.

Query Phase: A issues signing queries M

1

, ..., M

n

where M

i

∈ {0, 1}

∗

. These

queries can be made adaptively. The challenger responds by ﬁrst running the Key Gen-

eration algorithm to generate the private key. It then works through the Sign algorithm

with the private key and returns the resulting signature to A.

Guess: A outputs a message-signature pair hM, Sigi where M is the one that did not

appear in the query phase. The adversary wins if Sig is a valid signature on M . The

34

advantage of an adversary A against a signature scheme is deﬁned to be the probability

that A produces a valid message-signature pair in the game.

We say that our signature scheme is secure against adaptive chosen message attack if

no polynomially bounded adversary has non-negligible advantage in this game.

4 Proposed Scheme

In this section, we present a signature scheme, which is based on the ID-based signa-

ture scheme of [14]. The proposed signature scheme involves three entities the trusted

authority (TA), the signer and the veriﬁer.

4.1 The Signature Scheme

Setup: The TA performs the following steps.

1. Speciﬁes hG

1

, G

2

, ei where G

1

and G

2

are groups of some prime order q and

e : G

1

× G

1

→ G

2

is a bilinear pairing.

2. Chooses an arbitrary generator P ∈ G

1

.

3. Selects a master-key t uniformly at random from Z

∗

q

and sets TA’s public key

Q

T A

as Q

T A

= tP .

4. Chooses two cryptographic hash functions H : {0, 1}

∗

× G

2

→ Z

∗

q

and H

1

:

{0, 1}

∗

→ G

∗

1

.

The system parameters are params = {G

1

,G

2

,q, e,n,P ,Q

T A

,H, H

1

}, the message

space is M = {0, 1}

∗

and the signature space is S = G

1

× Z

∗

q

.

Key Generation: In this algorithm the user A ﬁrst calculates his parameters user-par

ams and sends them to the TA along with his identiﬁer ID

A

. The TA veriﬁes ID

A

and

user-params, calculates partial private key D

A

and public key P

A

for A, sends D

A

to A and publishes P

A

. Then the user A calculates his private key S

A

on his own from

the received D

A

. The algorithm is described in the following steps.

1. A chooses two secret values s

1

, s

2

∈ Z

∗

q

, calculates his user parameters as user-p

arams = {s

1

s

2

Q

A

, s

1

Q

A

, s

2

P, s

1

s

2

P } where Q

A

= H

1

(ID

A

) and sends them

to the TA. A also sends his identiﬁer ID

A

along with the user-params.

2. TA veriﬁes ID

A

, calculates Q

A

and checks whether the equalities

e(P, s

1

s

2

Q

A

) = e(s

1

s

2

P, Q

A

) = e(X

A

, s

1

Q

A

)

hold good, where X

A

= s

2

P . If not it aborts the process.

3. TA calculates D

A

as D

A

= ts

1

s

2

Q

A

and P

A

as P

A

= hX

A

, Y

A

i where Y

A

=

tX

A

= ts

2

P .

4. TA sends D

A

to A and publishes P

A

.

5. A veriﬁes the correctness of D

A

by checking e(D

A

, P ) = e(s

1

s

2

Q

A

, Q

T A

). A

also veriﬁes whether the published public key component X

A

is equal to s

2

P and

calculates S

A

as S

A

= s

−1

1

D

A

after successful veriﬁcation.

35

Note that the step 2 is performed by the TA to see whether the user-params are

associated with the identity of the user.

In our scheme the secret value s

1

serves as a blinding factor and has been used to

avoid the secure channel between the user and the TA. The user A extracts his private

key S

A

by unblinding the partial private key D

A

. The user’s chosen secret value s

2

,

which has been used to eliminate the key escrow problem, binds the private key S

A

and

the public key P

A

.

Sign: To sign a message M ∈ M using the private key S

A

, the signer A performs the

following steps.

1. Chooses a random l ∈ Z

∗

q

.

2. Computes r = e(lP, P ) ∈ G

2

.

3. Sets v = H(M, r) ∈ Z

∗

q

.

4. Computes U = vS

A

+ lP .

Then A sends hU, vi ∈ S as the signature along with the message M to the veriﬁer.

Verify: On receiving a signature Sig =< U, v >∈ S on a message M from user A with

identiﬁer ID

A

and public key P

A

, the veriﬁer performs the following steps.

1. Checks that the equality e(X

A

, Q

T A

) = e(Y

A

, P ) holds good. If not aborts the

veriﬁcation.

2. Computes r

′

= e(U, P )e(Q

A

, −Y

A

)

v

.

3. Checks if v = H(M, r

′

) holds. Accepts the signature if it does and rejects other-

wise.

4.2 Security Analysis

As given in the security model in previous section, the adversary’s goal is to produce an

existential forgery of a signature scheme by a signer’s ID and public key of its choice.

For a target identity ID

t

, we allow the adversary to query four oracles.

Identity Hash Oracle: For any given identity ID this oracle will produce correspond-

ing hash value H

1

(ID).

Extraction Oracle: For any given identity ID and public key, this oracle will produce

the corresponding secret key.

Message Hash Oracle: For any given message M and r ∈ Z

∗

q

, this oracle will produce

the corresponding hash value H(M, r).

Signature Oracle: For any given message M, identity ID and public key this oracle

will produce a signature of user with identity ID on the message M.

As stated in the security model, the output of the adversary A should not be a signature

such that the secret key or signature of the target identity ID

t

have been asked of the

oracles.

Chosen Message Security: In the random oracle model, suppose that an adaptive ad-

versary A exists which makes at most n

1

≥ 1 queries of the identity hash and the

36

extraction oracle, at most n

2

≥ 1 queries of the message hash and signature oracle and

which succeeds within the time T

A

of making an existential forgery with probability

ε

A

≥

an

1

n

2

2

q

for some constant a ∈ Z

≥1

. Then there is another probabilistic algorithm C and a

constant c ∈ Z

≥1

such that C solves the CDHP with respect to

(P, Y

A

, R)

on input of any given R ∈ G

∗

1

, in expected time

T

C

≤

cn

1

n

2

T

A

ε

A

.

The detailed proof of the above statement can be found in [14].

Apart from formal security, we now discuss some possible attacks during the Key Gen-

eration phase. we show that our scheme can successfully resist following attacks.

User Private Key Forgery: An attacker trying to forge the signature by calculating

the private key of a participating user in the scheme is computationally infeasible be-

cause given params and the publicly transmitted information Q

A

, user-params

{s

1

s

2

Q

A

, s

1

Q

A

, s

2

P , s

1

s

2

P } and P

A

, calculating the private key S

A

(i.e. ts

2

Q

A

) is

as hard as WDHP, which is assumed to be computationally hard. Forgery attacks can

also be performed by replacing the public keys in the directory as discussed earlier.

But, the adversaries who replace public keys and do not have access to the master key

can not calculate the corresponding private key. Thus, assuming that the TA does not

involve in such type of actions, our scheme achieves trust level 2 as per the terminology

describe in [12]. By applying the alternate key generation technique given in [1], where

Q

A

is calculated as H

1

(ID

A

||P

A

), even the TA can not perform forgery by replacing

the public keys without being detected. Thus, our scheme enjoys trust level 3 which is

the same for conventional PKC.

Man-in-the-middle Attack: An attacker can eavesdrop on the communication be-

tween the user and the TA and alter the user-params which are communicated

through a public channel. A possible attack might be changing the user-params

{s

1

s

2

Q

A

, s

1

Q

A

, s

2

P, s

1

s

2

P } to {s

1

s

2

Q

A

, s

1

Q

A

, as

2

P, a

−1

s

1

Q

A

}. As the user checks

the X

A

component before calculating his private key, such an attack can always be de-

tected.

Collusion Attack: Another possible attack can be the collusion attack where the users

collude among themselves to extract the TA’s master key or collude with the TA to forge

a valid signature. Calculating the TA’s master key by collusion among users is as hard as

the DLP and forging a valid signature by colluding with the TA is equivalent to WDHP,

which are assumed to be computationally hard.

5 Conclusions

In this paper, we presented a certiﬁcateless signature scheme based on bilinear pair-

ings. We used a simple blinding technique to avoid the necessity of a secure channel for

37

key issuance between the participating entities and the trusted authority. Moreover, we

eliminated the key escrow problem, which is an inherent drawback of ID-based cryp-

tosystems, by using user chosen secret value. We showed that the scheme is secure in

random oracle model against adaptive chosen message attack assuming that the CDHP

is computationally hard.

References

1. Al-Riyami, S., and Paterson, K.: Certiﬁcateless Public Key Cryptography. In: Advances in

Cryptology-ASIACRYPT 2003, Lecture Notes in Computer Science, Vol. 2894, Springer-

Verlag, (2003) 452-473.

2. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., and Scott, M.: Efﬁcient algorithms for pairing-based

cryptosystems. In: Advances in Cryptology-CRYPTO 2002, Lecture Notes in Computer Sci-

ence, Vol. 2442, Springer-Verlag, (2002) 354-368.

3. Bellare, M., Desai, A., Pointcheval, D., and Rogaway, P.: Relations among notions of security

for public-key encryption schemes. In: Advances in Cryptology-CRYPTO 98, Lecture Notes

in Computer Science, Vol. 1462, Springer-Verlag, (1998) 26-45.

4. Boldyreva, A.: Efﬁcient Threshold Signature, Multisignature and Blind Signature Schemes

Based on the Gap-Difﬁe-Hellman-Group Signature Scheme. In: Proceedings of PKC 2003,

Lecture Notes in Computer Science, Vol. 2567, Springer-Verlag, (2003) 31-46.

5. Boneh, D., and Franklin, M.: Identity-based Encryption from the Weil pairing. SIAM J. of

Computing, 32(3), (2003) 586-615. Extended abstract in Proceedings of CRYPTO 2001,

Lecture Notes in Computer Science, Vol. 2139, Springer-Verlag, (2001) 213-229.

6. Cha, J., and Cheon, J.H.: An Identity-Based Signature from Gap Difﬁe-Hellman Groups. In:

Proceedings of Public Key Cryptography-PKC 2003, Lecture Notes in Computer Science,

Vol. 2567, Springer-Verlag, (2003) 18-30.

7. Chen, L., Harrison, K., Smart, N. P., and Soldera, D.: Application of multiple trust authori-

ties in pairing based cryptosystems. In: Proceedings of INFRASEC 2002, Lecture Notes in

Computer Science, Vol. 2437, Springer-Verlag, (2002) 260-275.

8. Dolev, D., Dwork, C., and Naor, M.: Non-malleable cryptography. SIAM J. of Computing,

30(2), (2000) 391-437.

9. Dutta, R., Barua R., and Sarkar, P.: Pairing-Based Cryptographic Protocols: A Survey. In:

Cryptology ePrint Archive, Report 2004/064, (2004). http://eprint.iacr.org/2004/064/.

10. Fiat, A., and Shamir, A.: How to Prove Yourself: Practical Solutions to Identiﬁcation and

Signature Problems. In: Advances in Cryptology-CRYPTO 86, Lecture Notes in Computer

Science, Vol. 0263, Springer, (1986) 186-194.

11. Gentry, C.: Certiﬁcate-Based Encryption and the Certiﬁcate Revocation Problem. In: Ad-

vances in Cryptology-EUROCRYPT 2003, Lecture Notes in Computer Science, Vol. 2656,

Springer-Verlag, (2003) 272-293.

12. Girault, M.: Self-certiﬁed public keys. In: Advances in Cryptology-EUROCRYPT’91, Lec-

ture Notes in Computer Science, Vol. 0547, Springer-Verlag, (1991) 490-497.

13. Guillou, L., and Quisquater, J.-J.: A ”Paradoxical” Identity-Based Signature Scheme Re-

sulting From Zero-Knowledge. In: Advances in Cryptology-CRYPTO 88, Lecture Notes in

Computer Science, Vol. 0403, Springer, (1988) 216-231.

14. Hess, F.: Efﬁcient Identity Based Signature Schemes Based on Pairings. In: Selected Areas in

Cryptography-SAC 2002, Lecture Notes in Computer Science, Vol. 2595, Springer- Verlag,

(2003) 310-324.

38

15. Lee, B., Boyd, C., Dawson, E., Kim, K., Yang, J., and Yoo, S.: Secure Key Issuing in

ID-based Cryptography. In: Proceedings of the Second Australian Information Security

Workshop-AISW 2004, ACSW Frontiers 2004, ACS Conferences in Research and Practice

in Information Technology, Vol. 32, (2004) 69-74.

16. Libert, B., and Quisquater, J.-J.: What is Possible with Identity Based Cryptography for

PKIs and What Still Must Be Improved. In: Proceedings of EUROPKI 2004, Lecture Notes

in Computer Science, Vol. 3093, Springer-Verlag, (2004) 57-70.

17. Paterson, K.G.: ID-based signatures from pairings on elliptic curves, In: Cryptology ePrint

Archive, Report 2002/004, (2002). http://eprint.iacr.org/2002/004/

18. Pointcheval, D., and Stern, J.: Security Arguments for Digital Signatures and Blind Signa-

tures. Journal of Cryptology, 13(3), Springer-Verlag (2000) 361-396.

19. Sakai, R., Ohgishi, K., and Kasahara, M.: Cryptosysytems based on pairing. In: Proceedings

of Symposium on Cryptography and Information Security, SCIS 2000, 2000.

20. Shamir, A.: Identity-based Cryptosystems and Signature Schemes. In: Advances in

Cryptology-CRYPTO 84, Lecture Notes in Computer Science, Vol. 0196, Springer-Verlag,

(1984) 47-53.

21. Yum, D.H., and Lee, P.J.: Identity-Based Cryptography in Public Key Management. PKI

2004, Lecture Notes in Computer Science, Vol. 3093, Springer-Verlag, (2004) 71-84.

39