An efficient certificateless blind signature scheme without bilinear pairing

Recently, the certificateless public key cryptography (CLPKC) has been studied widely since it could solve both of the certificate management problem in traditional public key cryptography (TPKC) and the key escrow problem in the identity-based public key cryptography (ID-based PKC). To satisfy requirements of different applications, many certificateless blind signature (CLBS) schemes using bilinear pairing for the CLPKC setting have been proposed. However, the bilinear pairing operation is very complicated. Therefore, the performance of those CLBS schemes is not very satisfactory. To solve the problem, we propose an efficient CLBS scheme without bilinear pairing. Performance analysis shows that the proposed scheme could reduce costs of computation and storage. Security analysis shows the proposed scheme is provably secure against both of two types of adversaries.


INTRODUCTION
The blind signature (BS) scheme is a variation of digital signature scheme, which was first proposed by Chaum (1983).In the BS scheme, a user could get a signature for any message but the signer does not know the content of the message.Due to such properties, BS schemes are widely used in electronic voting, electronic payment and electronic cash.
After Chaum's work, many BS schemes in the traditional public key cryptography (TPKC) were proposed for different applications.However, the TPKC faces with the certificate management problem since a certificate generated by a trusted third party is needed to bind the user's identity and his public key.To solve the problem, Shamir (1984) introduced the concept of the identitybased public key cryptography (ID-based PKC).In the ID-based PKC, no certificate is required since the user's identity is his public key.However, the ID-based PKC faces with the key escrow problem since the user's private key is generated by the key generation centre (KGC) and the KGC knows all users' private keys.To solve the certificate management problem in the TPKC and the key escrow problem in ID-based PKC, Al-Riyami and Paterson (2003) proposed http://dx.doi.org/10.1590/0001-3765201420130199

1004
GUOFAGN DONG, FEI GAO, WENBO SHI and PENG GONG the concept of the certificateless public key cryptosystem (CLPKC).In the CLPKC, a user's private key consists of two parties, i.e. a partial secret key generated by the KGC and a secret value generated by the user.
Since groundbreaking work of Al-Riyami and Paterson (2003), many certificateless encryption (CLE) schemes (Sun and Zhang 2010) (Yang and Tan 2011), certificateless signature (CLS) schemes (Tian and Huang 2012) (Tsai et al. 2012) (Gong and Li 2012) (He et al. 2012c(He et al. , 2013a, b) , b) and certificateless key agreement schemes (HE et al. 2011c(HE et al. , 2012a, d) , d) have been proposed for applications in CLPKC setting.Several certificatless blind signature (CLBS) schemes (Zhang and Zhang 2008) (Wang and Lu 2008) (Yang et al. 2009) (Sun and Wen 2009) (Zhang and Gao 2010) (Zhang et al. 2011) also were proposed.Zhang and Zhang (2008) proposed the fist CLBS scheme using bilinear pairing.Then several other CLBS schemes (Wang and Lu 2008) (Yang et al. 2009) (Sun and Wen 2009) (Zhang and Gao 2010) (Zhang et al. 2011) using bilinear pairing were proposed to improve performance or security of Zhang et al.'s scheme.However, the bilinear pairing operation is very complicated.Theoretical analysis (Chen et al. 2007) (Hankerson et al. 2004) and experimental results (Cao and Kou 2010) (He et al. 2011a(He et al. , 2012b) ) demonstrate that the computation cost of a bilinear pairing operation is similar to that of a dozen or so elliptic curve scalar multiplication operations.Therefore, the performance of those CLBS schemes is not very satisfactory and CLBS scheme without bilinear pairing is required for practical applications.
In this paper, we propose an efficient CLBS scheme without bilinear pairing operation and show it is secure against both of two kinds of various attacks.Section 2 gives some background about CLBS schemes.Section 3 proposes a new CLBS scheme without bilinear paring.Security analysis and performance analysis are proposed in Section 4 and Section 5 separately.Some conclusions are given in Section 6.

NOTATIONS
For convenience, some notations used in the paper are described as follows.
• p, n: two large prime numbers; • F p : a finite field; • E(F p ): an elliptic curve defined by the equation y 2 = x 3 + ax + b over F p , where a, b 2 F p and Δ = 4a 3 + 27b 2 ≠ 0 (Koblitz 1987); • G: the group with order n consisting of points on E(F p ) and the point at infinity O; • P: a generator of the group G; • DLP: the discrete logarithm problem (DLP), whose task is to compute x for given Q = xP;

CLBS SCHEME
There are six polynomial time algorithms (Zhang et al. 2011) in a CLBS scheme, i.e.Setup, PartialPrivateKeyExtract, SetSecretValue, SetPublicKey, Sign and Verify.Setup: Taking a security parameter k as input, this algorithm is executed by the KGC to generate the system parameters params and the master key mk.
PartialPrivateKeyExtract: Taking the system parameters params, the master key mk and a users identity ID as inputs, this algorithm is executed by the KGC to generate the users partial private key ID D .
SetSecretValue: Taking the system parameters params as input, this algorithm is executed by a user to generate his secret value x ID .
SetPublicKey: Taking the system parameters params and a users secret value x ID as inputs, this algorithm is executed by the user to generate his public key PK ID .
Sign: Taking the system parameters params, the partial private key D ID , the secret value x ID and a message m as inputs, this algorithm is executed by the user to generate a signature.There are three sub-algorithms in the algorithm, i.e.Blind, BSign and Unblind.AN EFFICIENT CERTIFICATELESS BLIND SIGNATURE SCHEME (1) Blind.Taking message m and a random string r as inputs, the sub-algorithm is executed by the user to generate a blinded message m′.
(2) BSign.Taking a blind message m′, the signers private signing key sk ID A and the system parameters params as inputs, the sub-algorithm is executed by the signer to generate a blind signature σ′.
(3) Unblind.Taking a blind signature σ′, the previously generated random string r and the system parameters params as inputs, the sub-algorithm is executed by the user to generate an unblinded signature σ.
Verify: Taking the system parameters params, a signer's identity ID , a signer's public key PK ID , a message m and a signature σ as inputs, this algorithm is executed by the verifier to verify the legality of σ.If σ is legal, 1 will be outputted; otherwise, 0 will be outputted.

SECURITY MODEL FOR CLBS SCHEME
There are two kinds of adversaries in the CLBS scheme, i.e. the Type I adversary A 1 and the Type II adversary A 2 .A 1 could replace user's public keys with some value he chooses, but he cannot get the master key.A 2 represents a malicious KGC, who cannot replace users' public keys but he could use the master key to generate users' partial private keys.The type adversaries in CLBS could be divided into normal adversary, strong adversary, and super adversary according to their attacks power (Huang et al. 2007).In the security analysis of the proposed CLBS scheme, we just need to consider two strongest types of adversaries, i.e. the super Type I adversary and the super Type II adversary.The abilities of an adversary A 2 {A 1 , A 2 } are formally modeled by queries issued by adversaries.

ExtractPartialPrivateKey(ID):
The adversary A could get the partial private key D ID through the query.

ExtractSecretValue(ID):
The adversary A could get the secret value x ID through the query.

RequestPublicKey(ID):
The adversary A could get the public key PK ID through the query.

ReplacePublicKey(ID, PK′ ID ):
The adversary A could replace the public key PK ID with a new public key PK′ ID through the query.
SuperSign(ID, m): The adversary A could get a signature σ through the query such that 1 ← Verify (params, ID, PK′ ID , m, σ), where PK′ ID is the current public key and it may be replaced by A.
We consider the following games against the super Type I and the super Type II adversaries.
Game 1: The first game is performed between a challenger C and a super Type I adversary A 1 for a CLBS scheme as follows.
Initialization.C runs Setup algorithm and generates a master secret key mk, public system parameters params.C keeps mk secret and then gives params to A 1 .
(2) 1 ← Verify(params, ID t , PK′ ID t , m, σ), where PK ID t is the original public key of ID t Definition 1 (Blindness) (Zhang et al. 2011).Suppose two honest users U 0 and U 1 engage in the blind signature issuing protocol with a probabilistic polynomial-time adversary A on two messages m b and m 1-b , and output two signatures σ and σ′ respectively, where b 2 {0; 1} is a random bit chosen uniformly.At last, (m 0 , m 1 , σ b , σ 1-b ) are sent to A and then A outputs b′ 2 {0, 1}.We call a signature scheme is blind if the inequation |Pr[b = b′] -1/2| < n -c holds for all such adversaries A, any constant c, and sufficiently large n.
Definition 2. We say that a certicateless blind signature scheme is secure against the super Type I adversary if for any polynomially bounded super Type I adversary A 1 , Succ A 1 is negligible, where Succ A 1 denote the success probability that A wins in Game 1. Definition 3. We say that a certicateless blind signature scheme is secure against the super Type II adversary if for any polynomially bounded super Type II adversary A 2 , Succ A 2 is negligible, where Succ A 2 denote the success probability that A 1 wins in the Game 2.
We say a certificateless blind signature scheme is secure if it is blind and secure against two types of adversaries.

THE PROPOSED CLBS SCHEME
Based on He et al. work (He et al. 2011a, b), we propose a new CLBS scheme without bilinear pairing.The proposed scheme consists of six algorithms, i.e.Setup, PartialPrivateKeyExtract, SetSecretValue, SetPublicKey, Sign and Verify.The details of these algorithms are described as follows: Setup: Given a security parameters k, KGC does the following steps to generate the system parameters and the mast key.
(1) KGC chooses a k-bit prime p, generates an elliptic curve E(Fp) over finite feld F p .KGC chooses a group G) with order n over E(F p ) and chooses a generator P) of the group G).
(2) KGC chooses a random s 2 Z * n as the master mk and computes public key P pub = sP.
PartialPrivateKeyExtract: Given the system parameter params, the master key mk, and a user's identity ID, KGC generates a random number r ID 2 Z * n , computes R ID = r ID P, h ID = H 1 (ID, R ID ) and s ID = r ID + h ID s mod n.Then KGC returns the partial private key D ID = (s ID , R ID ) to the user.
SetSecretValue: Given the system parameter params, the user with identity ID generates a random number x ID 2 Z * n , computes P ID = x ID P and sets x ID as his secret value.
SetPublicKey: Given the system parameter params and the user's secret value x ID , the user computes his public key P ID = x ID P.
Sign: Given a message m, the following three sub-algorithms are executed to generate a legal signature.First of all, the signer generates a random number k 2 Z * n , computes R = kP and sends R and R ID to the user.
(1) Blind: Upon receiving the message R and R ID , the user generates three random numbers α, β, γ 2 At last, the user sends h to the signer.
(2) BSign: Upon receiving the message h, the signer computes h ^ = H 3 (ID, R ID , PK ID , P pub ) and z = h(h ^xID + s ID ) + k mod n.At last, the signer sends z to the user.AN EFFICIENT CERTIFICATELESS BLIND SIGNATURE SCHEME (3) Unblind: Upon receiving the message z, the user computes z = αz + β mod n and outputs the signature σ = (R ID , R, z).
Verify: To verify the legality of the signature σ = (R ID , R, z) for message m and the signer with identity ID, the verifier computes h = H 2 (m, R, ID, R ID , PK ID , P pub ), h ID = H 1 (ID, R ID ) and h ^ = H 3 (ID, R ID , PK ID , P pub ).The verifier checks whether zP and h(h ^PK ID +R ID +h ID P pub )+R are equal.If they are equal, 1 is returned; otherwise, 0 is returned.

SECURITY ANALYSIS
In this section, we will analyze the security of the proposed CLBS scheme.We will show the proposed scheme is provably secure in the random oracle model (Bellare and Rogaway 1993).The following theorems are proposed for the security.
Theorem 1.The proposed CLBS scheme is blind.
Proof.Let (R ID , R, z) be one of the two signatures given to the adversary A. Let (R ID , R, h, z) be the message transmitted between the user and the signer.We just need to show that there are three random factors (α, β, γ) that could map (R ID , R, h, z) to (R ID , R, z).From the description of the proposed CLBS scheme, we could get that Through equations ( 2) and (3), we could get that β = z -αz mod n and γ = αh -h mod n.With the two above equations and equation (1), we could get that only a unique element α 2 Z * n exists.Then we could get β and γ also exist uniquely since β = z -αz mod n and γ = αh -h mod n.
Then, we could conclude that three random factors (α, β, γ) always exist between (R ID , R, z) and (R ID , R, h, z).Therefore, A outputs a correct value b′ with probability exactly 1/2 and the proposed CLBS scheme is blind.
Theorem 2. The proposed CLBS scheme is secure against the super Type I adversary in random oracle model if the DLP is hard.
Proof.Suppose there is a super Type I adversary A 1 has non-negligible ε advantage in attacking the proposed CLBS scheme.We will show that an algorithm C could solve the DLP running A 1 as a subroutine.
Given a DLP instance Q = αP for randomly chosen α 2 Z * n , C picks an identity ID * at random as the challenged ID, sets P pub = Q, chooses three secure functions and gives system parameters to A 1 .C answers A 1 's queries as follows.
• H 1 query: • RequestPublicKey(ID) query.Upon receiving a query with the user's identity ID , C returns PK ID to A 1 .
• ExtractSecretValue(ID) query.Upon receiving a query with the user's identity ID, C picks a random number x ID 2 Z * n , computes PK ID = x ID P, adds < ID, x ID , PK ID > to L K 2 and returns x ID to A 1 .• SuperSign(ID, m) query.Upon receiving a query with the message (ID, m), C looks up L K 1 and L K 2 for the tuples< ID, s ID , R ID > and < ID, x ID , PK ID > and performs as follows:

• ReplacePublicKey(ID, PK′
1) If x ID ≠ ⊥, then C performs according to the description of the scheme, and returns the generated (R ID , R, z) to A 1 .
2) Otherwise, C generates two random a; b 2 where Eventually, A 1 outputs a valid signature (ID, mt, σ t ), where σ t = (R ID t , R, z).If ID t ≠ ID * , C stops the simulation; otherwise, C finds < ID t , s IDt , R IDt > and < ID t , x ID t , PK ID t > in L K 1 and L K 2 respectively.From the forgery lemma (David and Jacque 2000), we know that A 1 could output another legal signature σ′ t = (R ID t , R, z′) if the same random number replayed but with different choice of the random oracle H 2 .
The following equation holds because the signature is valid and Let l, x ID t , r ID t and α denote discrete logarithms of R; PK ID t , R ID t and P pub respectively, i.e.R = lP, PK ID t = x ID t P, R ID t = r ID t P and P pub = P. Then we could get the following two equations.
Because only l and α are unknown to C in the above two equations, he could solve those equations and outputs α as the solution of the DLP.Since ID * is randomly chosen, then we have Pr[ID * = ID t ] = 1/q H 1 , where q H 1 is the number of H 1 query A 1 has made.C could solve the DLP with a non-negligible probability ε/q H 1 .This contradicts the hardness of the DLP.Therefore, the proposed scheme is secure against the super Type I adversary.
Theorem 3. The proposed CLBS scheme is secure against the super Type II adversary in random oracle model if the DLP is hard.
Proof.Suppose there is a super Type II adversary A 2 has non-negligible advantage ε in attacking the proposed CLBS scheme.We will show that there is an algorithm C could solve the DLP running A 2 as a subroutine.
Given a DLP instance Q = αP for randomly chosen α 2 Z * n , C picks an identity ID * at random as Because only l and α are unknown to C in the above two equations, he could solve those equations and outputs as the solution of the DLP.Since ID * is randomly chosen, then we have Pr[ID * = ID t ] = 1=q H 1 , where q H 1 is the number of H 1 query A 2 has made.C could solve the DLP with a non-negligible probability ε =q H 1 .This contradicts the hardness of the DLP.Therefore, the proposed scheme is secure against the super Type II adversary.

PERFORMANCE ANALYSES
In this section, we will compare the efficiency of the proposed CLBS scheme with the three latest CLBS schemes, i.e.Sun et al.'s CLBS scheme (Sun and Wen 2009), Zhang et al.'s scheme (Zhang and Gao 2009) and Zhang et al.'s CLBS scheme (Zhang et al. 2011).
To achieve the security level of 1024 bits RSA, bilinear pairing-based CLBS scheme and ECC-based CLBS scheme, we have to use the Tate pairing defined over a supersingular elliptic curve on a finite field F q and a secure elliptic curve on a finite field F p separately, where the length of q and p are 512 bits and 160 bits respectively.We also assume the output of the hash function is 160 bits.Some notations are defined as follows.It is well known that the computational cost of a hash function operation could be ignored when it is compared with that of a bilinear pairing operation, a modular exponentiation operation, a ECC-based ID = x′ ID P) query.Upon receiving a query with the message (ID; PK′ ID = x′ ID P), C sets PK ID = PK′ ID , and x ID = x′ ID if the list L K 2 contains < ID, x ID , PK ID >, otherwise, C makes a ExtractSecretV alue query with ID, sets PK ID = PK′ ID , and x ID = x′ ID .
ID t , PK′ ID t , m, σ), where PK′ ID t which may be replaced by A 1 is the current public key of ID t The second game is performed between a challenger C and a super Type II adversary A 2 for a CLBS scheme as follows:Initialization.C runs Setup algorithm and generates a master secret key mk, public system parameters params.C gives mk and params to A 2 .Queries.A 2 can adaptively issue the Extract PartialPrivateKey, ExtractSecretValue, Request PublicKey, and SuperSign queries to C.
. A 1 can adaptively issue the Extract PartialPrivateKey, ExtractSecretValue, Request PublicKey, ReplacePublicKey, and SuperSign queries to C. Output.Eventually, A 1 outputs (ID t , m t , σ t ).A 1 wins the game if (1) ExtractPartialPrivateKey(IDt) and SuperSign (ID t , m t ) queries have never been queried.(2) 1 ← Verify(params, Output.Eventually, A 2 outputs (ID t , m t , σ t ).A 1 wins the game if 1006 GUOFAGN DONG, FEI GAO, WENBO SHI and PENG GONG PK ID , P pub , h > to L H 2 and returns h to A 1 .• H 3 query: A 1 maintains a list L H 3 of tuples < ID, R ID , PK ID , P pub , h >.Upon receiving a query on a message < ID, R ID , PK ID , P pub >, C returns h to A 1 if L H 3 contains a tuple < ID, R ID , PK ID , P pub , h >, otherwise, C picks a random number h 2 Z * n , adds < ID, R ID , PK ID , P pub , h >to L H 3 and returns h to A 1 .ID P pub , h ID = H 1 (ID, R ID ) b ID and s ID ← a ID .C adds < ID, R ID , h ID > and < ID, s ID • H 2 query: A 1 maintains a list L H 2 of tuples < m, R, ID, R ID , PK ID , P pub , h >.Upon receiving a query on a message < m, R, ID, R ID , PK ID , P pub >, C returns h to A 1 if L H 2 contains a tuple < m, R, ID, R ID , PK ID , P pub , h >; otherwise, C picks a random number h 2 Z * n , adds < m, R, ID, R ID , 1) If ID ≠ ID * , C generates two random numbers a ID , b ID 2 Z * n , sets R ID ← a ID P -b AN EFFICIENT CERTIFICATELESS BLIND SIGNATURE SCHEME the challenged ID, chooses a random number s 2 Z * n , sets P pub = sP, and chooses three secure functions.C give the master key s and system parameters to A 2 .C answer H 1 query, H 2 query, H 3 query, ExtractPartialPrivateKey query, ReplacePublicKey query and SuperSign(ID, m) query like he does in the above theorem.C simulates other oracle queries of A 2 as follows: • ExtractPartialPrivateKey(ID) query.Upon receiving a query with the user's identity ID, C generates a random number r ID 2 Z * n , computes R ID = r ID P, h ID = H 1 (ID, R ID ) and s ID = r ID + h ID s mod n.C adds < ID, R ID , h ID > and < ID, s ID , R ID > to L H 1 and L H 2 separately.Then, C returns < s ID , R ID > to A 2 .n and computes PK ID = x ID P, returns x ID to A 2 and adds < ID, x ID , PK ID > to L K 2 ; otherwise, C sets PK ID = Q, adds < ID, ⊥, PK ID > to L K 2 .Eventually, A 2 outputs a valid signature (ID, m t , σ t ), where σ t = (R ID t , R, z).If ID t ≠ ID * , C stops the simulation; otherwise, C finds < ID t , s ID t , R ID t > and ID t , x ID t , PK ID t in L K 1 and L K 2 respectively.The public key PK ID t is the original pub key is ID t .From the forgery lemma (David and Jacque 2000), we know that A 2 could output another legal signature σ′ t = (RI ID t , R, z′) if the same random number replayed but with different choice of the random oracle H 2 .The following equation holds because the signature is valid.Let l, α, r ID t and s denote discrete logarithms of R, PK ID t , R ID t and P pub respectively, i.e.R = lP, PK ID t = P, R ID t = r ID t P and P pub = sP.Then we z = h(h ^α + r ID t + h ID t s) + l • ExtractSecretValue(ID) query.Upon receiving a query with the user's identity ID, C does as follows.If ID ≠ ID * , C picks a random number x ID 2 Z *