Mobile Sensoring Data Verification via a Pairing-Free Certificateless Signature Secure Approach against Novel Public Key Replacement Attacks

Abstract

To achieve flexible sensing coverage with low deployment costs, mobile users need to contribute their equipment as sensors. Data integrity is one of the most fundamental security requirements and can be verified by digital signature techniques. In the mobile crowdsensing (MCS) environment, most sensors, such as smartphones, are resource-limited. Therefore, many traditional cryptographic algorithms that require complex computations cannot be efficiently implemented on these sensors. In this paper, we study the security of certificateless signatures, in particular, some constructions without pairing. We notice that there is no secure pairing-free certificateless signature scheme against the super adversary. We also find a potential attack that has not been fully addressed in previous studies. To handle these two issues, we propose a concrete secure construction that can withstand this attack. Our scheme does not rely on pairing operations and can be applied in scenarios where the devices’ resources are limited.

1. Introduction

Various mobile sensors are utilized in IoT devices to perform real-time data detection. These sensors capture sensitive information such as vehicle status, power system data, and personal health information, among others. Once collected, the data are transmitted to a central server for processing, making data security a critical consideration. To ensure data credibility and reliability, the use of digital signatures for integrity verification and message tracing is imperative for these sensing devices. Given the limited hardware resources of these devices, signature schemes with less complex pairing computations are preferred. Over the last few decades, the public key infrastructure/certificate authority (PKI/CA) system has been extensively employed. Within this system, upper layers issue certificates for lower layers, constructing a chain of trust from the trusted root to individual entities. However, many signature schemes reliant on the PKI/CA system introduce complex certificate management challenges, including distribution, update, and revocation, which are often financially burdensome for sensor devices.

Shamir [1] proposed identity-based cryptography (IBC) as a solution to eliminate the need for certificates. This approach allows users to directly generate their public keys from identity information, such as the IP. The private key generator (PKG) is responsible for holding the system master key and using it to generate all user’s private keys. By bypassing the need for certificates, IBC ensures the correctness of public key generation directly from identity information. Despite this advantage, the system’s security heavily relies on the PKG. Consequently, a key escrow problem arises, as every private key is generated by the PKG, who then has the capability to arbitrarily compromise the security of the scheme. Consequently, if the PKG is breached or lacks full trust, the safety of the entire system is compromised, leaving no user immune to potential security breaches.

Al-Riyami and Paterson [2] introduced certificateless public key cryptography (CLPKC) as a solution to the shortcomings of existing systems. In CLPKC, the key generation center (KGC) is responsible for controlling the master private key and differs from traditional PKI/CA systems in that it only generates a portion of the private key for users. Users must independently select and safeguard a secret value, using it to calculate both the complete private key and public key. As a result, the explicit binding of public keys and identity information through certificates is eliminated. Instead, the implicit binding of identity and public key occurs through the use of partial private keys, ensuring that only a valid user can generate a valid private key. Although KGC has ownership of the master private key, the secret values remain unknown. Consequently, CLPKC resolves the issue of key escrow in the IBC and eliminates the need for certificates in PKI/CA systems. Yet, the complexity and power of adversaries increase, posing new challenges. Consequently, there is ongoing research to comprehensively evaluate adversary capabilities and develop a fully secure CLPKC scheme.

1.1. Related Works

In 2003, Al-Riyami and Paterson [2] introduced the CLPKC system, which was based on the IBE scheme proposed by Boneh and Franklin [3] in 2001, and included an adversary model and security definition. However, their signature scheme was compromised by Huang et al. in 2005 [4]. Meanwhile, Yum and Lee developed general secure constructions for signature schemes (CLS) [5] and encryption schemes (CLE) [6] in 2004, which were constructed on a PKI/CA scheme and an IBC scheme. Despite this, subsequent work by Hu et al. [7] and Libert et al. [8] in 2006 demonstrated the insecurity of Yum and Lee’s general construction. In response to the threat posed by malicious KGC, Au et al. further fortified the security model of CLPKC in 2006 and determined that a class of schemes with the same key structure may be vulnerable under malicious KGC and unable to address key escrow issues [9]. Building on this, Huang et al. revisited the CLPKC security model in 2007, categorizing adversaries into three levels: Normal, Strong, and Super adversaries. In addition, they proposed a secure CLS scheme specifically designed to withstand super adversaries [10].

A number of CLPKC schemes have been proposed; they aim to address the limitations of pairing operations, which can be expensive and inefficient in lightweight equipment like mobile sensors. Baek et al. [11] introduced the first CLPKC scheme without pairing operations, using the Schnorr signature [12]. However, Sun et al. [13] identified some drawbacks in Baek’s approach and subsequently developed a new CLE scheme. Notably, Zhang and Mao [14] also devised a CLS scheme using the RSA signature. Despite this, Xu et al. [15] highlighted a flaw in the CLS scheme proposed by Gowri et al. [16], revealing that their signatures were susceptible to forgery. In response, Xu et al. [15] proposed a secure CLS scheme designed to withstand normal adversaries. Additionally, Karati et al. [17] developed a highly efficient CLS scheme by eliminating the map-to-point hash function, although Zhang et al. [18] later discovered that this scheme was vulnerable to breach through the replacement of the public key. Several other CLS schemes [19,20,21,22,23,24] were also proposed but were ultimately proven to be weak. More recently, Du et al. [25] and Xiang et al. [26] put forth two super-secure CLS schemes, but their security proofs were found to be incorrect, particularly with regard to the divisor always being calculated as zero when addressing underlying difficulties.

1.2. Motivations

In the CLS secure model, adversaries are categorized into two types. Type I adversaries have the capability to replace the public key with any string. In the security proof, the simulator must provide the correct signature in response to a signature inquiry, irrespective of whether the public key has been replaced. Not only that, the question arises of whether this signature should be valid before or after the replacement. Different levels of adversaries are defined by Huang based on this distinction, namely normal, strong, and super. The primary differentiator among these levels is the validity of the signatures they are able to obtain. A normal adversary may obtain a signature that is valid before the replacement, while a strong adversary may obtain a signature that is valid after the replacement, only if it supplies the corresponding secret values. On the other hand, a super adversary has the ability to replace the public key with a new key and receive a valid signature under the new key. In 2011, Huang introduced the first super security certificateless signature scheme using pairing. Subsequent works attempted to propose a secure CLS scheme without pairing, but the majority failed to achieve security against the super adversary.

Among the proposed pairing-free CLS schemes, the partial private key is typically calculated through Schnorr signature [12], which includes a random number R. It is important to note that this random number should be publicly available in the public key. Consequently, a $TypeI$ adversary has the ability to query for a partial private key and replace the public key, and the order of these two operations is not limited. Furthermore, the presence of super adversaries introduces the potential for them to substitute the private key without providing the new secret value. This vulnerability becomes even more pronounced when the adversary first replaces the random number with a new one and then requests the new partial private key under the new number, rendering existing schemes unable to respond correctly without a new secret value. It is essential to recognize that this vulnerability has been previously overlooked in CLS schemes that do not involve pairing.

1.3. Contributions

• Under the ECDLP assumption, this paper proposes a secure CLS scheme without pairing. Our work includes completing the security proof against super adversaries in the ROM, as shown by [10].
• We fix the weakness that the simulator of the CLS scheme using Schnorr signatures could not answer partial private key queries after replacing the public key. Specifically, we adjusted the structure of the public key to partially restrict these queries
• Our signature scheme breaks away from pairing operations and the signature length is only two group elements, achieving a balance between computational efficiency and transmission costs.

1.4. Structure

In Section 2, we present the outline of CLS schemes and the security model. In Section 3, we introduce our secure CLS scheme without pairing, and in Section 4, we demonstrate its security. Section 5 analyzes the efficiency of our scheme, while Section 6 provides a summary of this paper.

2. Certificateless Signature Schemes

2.1. Construction

A CLS scheme usually involves three parties: the KGC, one user who signs a message, and another user who verifies the signature and consists of six algorithms:

• Setup(λ). KGC runs this algorithm with inputting security parameter $\lambda$. The final output is the system public parameters $PP$ and the system master secret key $msk$. KGC publishes $PP$ and keeps $msk$ private.
• PartialPrivateKey($\mathit{PP},\mathit{msk},\mathit{ID}$). KGC runs this algorithm with inputting $PP$, $msk$ and a user identity $ID$. Then KGC must distribute the output as user partial private key $D_{ID}$ securely.
• SecretValue($\mathit{PP},\mathit{ID}$). A user runs this algorithm by inputting $PP$ and $ID$. The final output serves as the secret value $x_{ID}$.
• PublicKey($\mathit{PP},\mathit{ID},{\mathit{x}}_{\mathit{ID}},{\mathit{D}}_{\mathit{ID}}$). A user runs this algorithm with inputting $PP$, $ID$, $x_{ID}$ and $D_{ID}$. The output serves as its public key $P{K}_{ID}$ and should be published.
• Sign($\mathit{PP},\mathit{m},\mathit{ID},{\mathit{x}}_{\mathit{ID}},{\mathit{D}}_{\mathit{ID}}$). A user runs this algorithm with inputting $PP$, a message m, ID, $x_{ID}$ and $D_{ID}$. The output serves as the signature $\sigma$.
• Verify($\mathit{PP},\mathit{\sigma },\mathit{m},\mathit{ID},{\mathit{PK}}_{\mathit{ID}}$). A user runs this algorithm with inputting $PP$, $ID$, $P{K}_{ID}$, m and $\sigma$. Then it outputs “1” when validation is successful and otherwise outputs 0.

2.2. Security Models

We consider two types of super adversaries. The $TypeI$ adversaries simulate external attackers who are allowed to replace public keys arbitrarily and get partial private keys and secret values by corrupting some users. The $TypeII$ adversaries simulate the malicious KGC. They own the system master key but are not allowed to replace public keys. In this paper, we prove the security through two games, and the attack ability of adversaries is described by the access to the oracles. Specifically, the following five oracles will be considered.

• CreateUser(ID). This oracle will reply with a public key. When the ID is queried for the first time, the oracle generates a partial private key, a secret value, and a public key and records all information. It will reply according to records.
• PartialPrivateKeyExtract(ID). This oracle will reply with a partial private key. When the ID is queried for the first time, the oracle call Createuser(ID). It will reply according to the records.
• SecretValueExtract(ID). This oracle will reply with a secret value. When the ID is queried for the first time, the oracle calls Createuser(ID). It will reply according to the records.
• ReplacePublicKey(ID,PK’). This oracle will change the public key of $ID$ in records. When the ID is queried for the first time, the oracle calls Createuser(ID). Then it changes the public key to $P{K}^{\prime }$ in records.
• SuperSign(ID,m). The oracle will reply with a legal signature of a message m under the $PK$ and $ID$ in records. Note that the $PK$ may have been replaced and there may be no secret value in records.

Game I: A challenger C interacts with a super $TypeI$ adversary $A_1$ through Game I. C controls all the oracle and records the interactive information. The complete game processes are as follows:

Init. C runs $Setup$ and transmits $PP$ to $A_1$.

Query.  $A_1$ can query for the above five oracles adaptively and C must respond correctly.

Forgery. $A_1$ finally outputs a signature $\sigma \ast$, a message $m\ast$, $PK\ast$ and $ID\ast$.

If the following equations hold, $A_1$ wins in Game I.

• $A_1$ has not asked for the partial private key of $ID\ast$,
• $A_1$ has not asked for a signature of the message $m\ast$ under $ID\ast$ and $PK\ast$,
• The signature $\sigma \ast$ is valid, i.e.,

  $$Verify(PP,ID\ast ,PK\ast ,m\ast ,\sigma \ast )=1$$

  (1)

Game II: The challenger C interacts with a super $TypeII$ adversary $A_2$ through game II. C controls all the oracle and records the interactive information. The complete game processes are as follows:

Init. C runs the $Setup$ algorithm and transmits both $PP$ and $msk$ to $A_2$.

Query. $A_2$ can query for four oracles except for $PartialPrivateKeyExtract\left(ID\right)$ adaptively and C must respond correctly. $A_2$ does not need to ask $PartialPrivateKeyExtract\left(ID\right)$ as it knows $msk$.

Forgery. $A_2$ finally outputs a signature $\sigma \ast$, a message $m\ast$, $PK\ast$ and $ID\ast$.

If the following equations hold, $A_2$ wins in Game II.

• $A_2$ has not asked for the secret value of $ID\ast$,
• $A_2$ has not replaced the public key of $ID\ast$,
• $A_2$ has not asked for a signature of $m\ast$ under $ID\ast$ and $PK\ast$,
• The signature $\sigma \ast$ is valid, i.e.,

  $$Verify(PP,ID\ast ,PK\ast ,m\ast ,\sigma \ast )=1$$

  (2)

3. Our CLS Scheme

3.1. Security Assumptions

Given an elliptic curve group G of a prime order q, a point P is a generator and another point Q is a random element. The Elliptic Curve Discrete Logarithm Problem (ECDLP) is to calculate $a\in Z_q\ast$ which satisfies the equation $Q=aP$. Our scheme is secure if the probability of solving the ECDLP is negligible for any probabilistic polynomial-time adversary.

3.2. Scheme Construction

There are six algorithms in our construction.

1. Setup(λ): Inputting a security parameters $\lambda$, KGC generates public parameters $PP$ and master secret key $msk$. First, it randomly generates a prime number q of $\lambda$-bits and an elliptic curve group G of order q. It randomly picks a generator $P\in G$, a number $s\in Z_q$ and sets $P_{pub}=sP$. It also selects the cryptography hash functions $<H_0,H_1,H_2,H_3,H_4>:{\{0,1\}}^{\ast }\to Z_q$. Finally, KGC publishes $PP=\{G,P_{pub},H_0,H_1,H_2,H_3,H_4\}$ and sets $msk=s$.

2. PartialPrivateKey($\mathit{PP},\mathit{msk},\mathit{ID}$): When generating the partial private key for $ID$, KGC inputs $PP$, $msk$ and $ID$. Then KGC randomly selects $r,y_{ID}\in Z_q$ and calculates

$$\begin{array}{cc}\hfill R_{ID}& \hfill =rP\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill d_{ID}& \hfill =r+s{H}_1(ID,R_{ID},P_{pub})\hfill \end{array}$$

(4)

$$\begin{array}{cc}\hfill Y_{ID}& \hfill =y_{ID}P\hfill \end{array}$$

(5)

$$\begin{array}{cc}\hfill {\pi }_{ID}& \hfill =y_{ID}+s{H}_0(ID,Y_{ID},R_{ID},P_{pub})\hfill \end{array}$$

(6)

The partial private key $D_{ID}=<R_{ID},d_{ID},Y_{ID},{\pi }_{ID}>$ must be securely transmitted to the user, and its legality can be verified by calculating $h_0=H_0(ID,Y_{ID},R_{ID},P_{pub})$, $h_1=H_1(ID,R_{ID},P_{pub})$ and checking whether the equations $d_{ID}P=R_{ID}+h_1{P}_{pub}$, ${\pi }_{ID}P=Y_{ID}+h_0{P}_{pub}$ hold.

3. SecretValue($\mathit{PP},\mathit{ID}$): With inputting $PP$ and $ID$, the user randomly selects $x_{ID}\in Z_q$ as the secret value.

4. PublicKey($\mathit{PP},\mathit{ID},{\mathit{x}}_{\mathit{ID}},{\mathit{D}}_{\mathit{ID}}$): When generating the public key, the user inputs $PP$, $ID$, $x_{ID}$ and $D_{ID}$. Then it calculates $X_{ID}=x_{ID}P$ and sets public key $P{K}_{ID}=<R_{ID},Y_{ID},X_{ID},{\pi }_{ID}>$.

5. Sign($\mathit{PP},\mathit{m},\mathit{ID},{\mathit{x}}_{\mathit{ID}},{\mathit{D}}_{\mathit{ID}},{\mathit{PK}}_{\mathit{ID}}$): When signing a message m, the user inputs $PP$, m, $ID$, $x_{ID}$ and $D_{ID}=<R_{ID},d_{ID},Y_{ID},{\pi }_{ID}>$. Then it selects random $t\in Z_q$ and calculates

$$\begin{array}{cc}\hfill T& \hfill =tP\hfill \end{array}$$

(7)

$$\begin{array}{cc}\hfill h_2& \hfill =H_2(ID,m,P{K}_{ID},T)\hfill \end{array}$$

(8)

$$\begin{array}{cc}\hfill h_3& \hfill =H_3(ID,m,P{K}_{ID},T)\hfill \end{array}$$

(9)

$$\begin{array}{cc}\hfill h_4& \hfill =H_4(ID,m,T,P{K}_{ID},P_{pub})\hfill \end{array}$$

(10)

$$\begin{array}{cc}\hfill \tau & \hfill =t·h_2+x·h_3+d_{ID}·h_4\hfill \end{array}$$

(11)

The user sets $\sigma =<T,\tau >$ as the signature.

6. Verify($\mathit{PP},\mathit{m},\sigma ,\mathit{ID},{\mathit{PK}}_{\mathit{ID}}$): When verifying the legitimacy of a message-signature pair, the user inputs $PP$, m, $\sigma$, $ID$ and $P{K}_{ID}$. Then it calculates

$$\begin{array}{cc}\hfill h_1& \hfill =H_1(ID,R_{ID},P_{pub})\hfill \end{array}$$

(12)

$$\begin{array}{cc}\hfill h_2& \hfill =H_2(ID,m,P{K}_{ID},T)\hfill \end{array}$$

(13)

$$\begin{array}{cc}\hfill h_3& \hfill =H_3(ID,m,P{K}_{ID},T)\hfill \end{array}$$

(14)

$$\begin{array}{cc}\hfill h_4& \hfill =H_4(ID,m,T,P{K}_{ID},P_{pub})\hfill \end{array}$$

(15)

and checks $\tau P=h_{2}T+h_3{X}_{ID}+h_4(R_{ID}+h_1{P}_{pub})$. Finally, it outputs “1” when validation is successful and otherwise outputs “0”.

4. Security Proof

Next, we demonstrate the security of our scheme against two super adversaries.

Theorem 1.

In the Random Oracle Model, assuming that ECDLP is difficult in the selected group G, our scheme is existentially unforgeable against super adversaries. This theorem can be obtained from the Lemmas 1 and 2.

Lemma 1.

Assuming that there exists a super Type-I adversary $A_1$ who can ($ϵ,t$)-win $GameI$, then the ECDLP in G must be (${ϵ}^{\prime },t^{\prime }$)-solved.

Proof. 

Given a ECDLP instance $<G,P,Q>$, we construct an algorithm $C_1$ to (${ϵ}^{\prime },t^{\prime }$)-calculate a solution by interacting with the adversary $A_1$. □

$H_i$ are simulated as random oracle and $C_1$ maintains the tables $L_i$ to record the input $val$ and output $res$ corresponding to $H_i$. The $GameI$ runs as follows.

Setup.  $C_1$ randomly selects $ID\ast$ as the challenge identity, sets $P_{pub}=Q$ and publishes $PP=\{G,P_{pub},H_0,H_1,H_2,H_3,H_4\}$.

Query.  $A_1$ can adaptively query to $C_1$ at any time and $C_1$ will response as follows.

• $Has{h}_i\left(val\right).$ $C_1$ first checks whether $val$ exists in $L_i$. If there is a record, $C_1$ returns $<val,res>$. Otherwise $C_1$ randomly selects $h_i\in Z_q$, returns $res=h_i$ and insert $<val,res>$ into $L_i$.
• $CreateUser\left(I{D}_i\right).$ Suppose $C_1$ queries $CreateUser\left(I{D}_i\right)$ for at most $q_u$ times. It maintains a list $L_u$ and sets a $tag$ in $L_u$ to record whether the $<R,Y,\sigma >$ in the public key has been replaced. $C_1$ returns the public key according to the record if $I{D}_i$ is found in the list $L_u$. Otherwise,

  –

  If $I{D}_i=ID\ast$, $C_1$ randomly selects $r,x,h_1,\pi ,h_0\in Z_q$, calculates $R=rP$, $X=xP$ and sets $H_1(ID,R,P_{pub})=h_1$, calculates $Y=\pi P-h_0{P}_{pub}$ and sets $H_0(ID,Y_{ID}$, $P_{pub},R)=h_0$. Then it returns $PK=<R,X,Y,\pi >$ and inserts $<ID\ast ,r,x,h_1,\pi ,h_0,R,X,Y,tag=0>$ into the table $L_u$.

  –

  If $I{D}_i\ne ID\ast$, $C_1$ randomly selects $d,x,h_1,\pi ,h_0\in Z_q$, calculates $R=dP-h_1{P}_{pub},X=xP,Y=\pi P-h_0{P}_{pub}$ and sets $H_1(ID,R,P_{pub})=h_1,H_0(ID,Y,P_{pub},R)=h_0$. Then return $PK=<R,X,Y,\pi >$ and insert $(I{D}_i,d,x,y,h_1,\pi ,h_0,R,X,Y,tag=0)$ into the table $L_u$.

• $PartialPrivateKeyExtract\left(I{D}_i\right)$. Suppose $C_1$ queries this oracle for at most $q_{ppk}$ times.

  –

  If $I{D}_i=ID\ast$, abort the game.

  –

  Otherwise, $C_1$ searches the table $L_u$ for $I{D}_i$. If $I{D}_i$ is found and $tag=0$, return d according to the record directly. If $I{D}_i$ is found while the $tag=1$, $C_1$ checks whether the public key $PK=<R,X,Y,\pi >$ is legal by $h_0=H_0(I{D}_i,Y,R,P_{pub})$, $\pi P=Y+h_0{P}_{pub}$. If the public key is still valid, we use the forking lemma on $h_0^{\prime }=H_0(I{D}_i,Y,R,P_{pub})$ to get a new $<R_1,Y_1,{\pi }_1>$ that satisfies ${\pi }_{1}P=Y_1+h_0^{\prime }{P}_{pub}$. Then we can get $\pi =y+h_{0}s$, ${\pi }_1=y+h_0^{\prime }s$ and $s=\frac{\pi -{\pi }_1}{h_0-h_0^{\prime }}$ is the solution to the ECDLP instance. If the public key is invalid, we return nothing. In addition, if $I{D}_i$ is not found, call $CreateUser\left(I{D}_i\right)$ and then return $d_{ID}$.

• $SecretValueExtract\left(I{D}_i\right).$

  –

  If $I{D}_i=ID\ast$, abort the game.

  –

  Otherwise, $C_1$ searches the table $L_u$ for $I{D}_i$. If $I{D}_i$ is found $tag=0$, $C_1$ returns $x_{I{D}_i}$ according to the record directly. If $I{D}_i$ is found while the public key has been replaced without providing $x_{I{D}_i}$, $C_1$ returns nothing. If $I{D}_i$ is not found, $C_1$ calls $CreateUser\left(I{D}_i\right)$ and returns $x_{I{D}_i}$.

• $ReplacePublicKey(I{D}_i,P{K}^{\prime }).$ $C_1$ searches the table $L_u$ to find $I{D}_i$. If $I{D}_i$ is found, it replaces $<R,Y,X,\pi >$ with $P{K}^{\prime }$. Otherwise, $C_1$ calls $CreateUser\left(I{D}_i\right)$ and replaces $<R,Y,X,\pi >$ with $P{K}^{\prime }$. $C_1$ sets $tag=1$.
• $SuperSign(I{D}_i,m).$

  –

  If $ID=I{D}^{\ast }$ or $tag=1$, $C_1$ randomly selects $\tau ,h_3,h_4,h_2\in Z_q$ and calculates $T=h_2^{-1}(\tau P-h_{3}X-h_{4}R-h_4{h}_1{P}_{pub}).$ Then $C_1$ set $h_2=H_2(I{D}_i,m,PK,T)$, $h_3=H_3(I{D}_i,m,PK,T)$, $h_4=H_4(I{D}_i,m,T,PK,P_{pub})$ in $L_2,L_3,L_4$. $<T,\tau >$ is valid signature for

  $$h_{2}T+h_{3}X+h_4(R+h_1{P}_{pub})=\tau P$$

  (16)

  and note that $C_1$ does not need to know x,

  –

  If $ID\ne I{D}^{\ast }$ and $tag=0$, $C_1$ searches the table $L_u$ to find $I{D}_i$. If $I{D}_i$ is found, $C_1$ get $<d,x>$. Then $C_1$ randomly selects $t,h_2,h_3,h_4\in Z_q$ and sets $h_2=H_2(I{D}_i,m,PK,T)$, $h_3=H_3(I{D}_i,m,PK,T)$, $h_4=H_4(I{D}_i,m,T,PK,P_{pub})$ in $L_i$. Finally $C_1$ calculates $\tau =h_{2}t+h_{3}x+h_{4}d$. $<T,\tau >$ is a valid signature.

Forgery. In the end, $A_1$ outputs $<T,\tau ,m,ID>$. If $ID\ne ID\ast$, aborts. Otherwise, $C_1$ searches the table $L_u$ to find $ID$ and verifies the signature:

$$\begin{array}{cc}\hfill h_1& \hfill =H_1(ID,R,P_{pub})\hfill \end{array}$$

(17)

$$\begin{array}{cc}\hfill h_2& \hfill =H_2(ID,m,PK,T)\hfill \end{array}$$

(18)

$$\begin{array}{cc}\hfill h_3& \hfill =H_3(ID,m,PK,T)\hfill \end{array}$$

(19)

$$\begin{array}{cc}\hfill h_4& \hfill =H_4(ID,m,T,PK,P_{pub})\hfill \end{array}$$

(20)

$$\begin{array}{cc}\hfill \tau P& \hfill =h_{2}T+h_{3}X+h_4(R+h_0{P}_{pub})\hfill \end{array}$$

(21)

If $tag=0$, we use the forking lemma on $H_4$ to get a new output $<T,{\tau }^{\prime },m,ID>$. These outputs satisfy $\tau =h_{2}t+h_{3}x+h_{4}d,{\tau }^{\prime }=h_{2}t+h_{3}x+h_4^{\prime }d$ so that $C_1$ can calculate $d=\frac{\tau -{\tau }^{\prime }}{h_4-h_4^{\prime }}$. If R is not replaced, $C_1$ owns r and calculates $s=(d-r)/h_1$. s is the solution to the ECDLP instance. If $tag=1$, we do the same as in $PartialPrivateKeyExtract\left(I{D}_i\right)$ to get s.

$C_1$ will solve the ECDLP if the following events occur:

• ${ϵ}_1$: $C_1$ never aborts in $GameI$,
• ${ϵ}_2$: $A_1$ generates a valid forgery $<T,\tau ,m,ID>$,
• ${ϵ}_3$: In the forgery, $ID=I{D}^{\ast }$

So the probability of $C_1$ is $Pr[{ϵ}_1\wedge {ϵ}_2\wedge {ϵ}_3]=Pr\left[{ϵ}_1\right]·Pr\left[{ϵ}_2\right|{ϵ}_1]·Pr\left[{ϵ}_3\right|{ϵ}_1\wedge {ϵ}_2]$.

$C_1$ will abort in the $GameI$ if $A_1$ extracts the partial private key for any user$I{D}^{\ast }$. So $Pr\left[{ϵ}_1\right]={(1-1/q_u)}^{q_{ppk}}$. If $C_1$ does not abort in the $GameI$, $A_1$ generates a valid forgery with $ϵ$. So $Pr\left[{ϵ}_2\right|{ϵ}_1]=ϵ$. As the $I{D}^{\ast }$ is selected randomly, $Pr\left[{ϵ}_3\right|{ϵ}_1\wedge {ϵ}_2]=1/q_u$. So the probability is ${ϵ}^{\prime }=Pr[{ϵ}_1\wedge {ϵ}_2\wedge {ϵ}_3]=Pr\left[{ϵ}_1\right]·Pr\left[{ϵ}_2\right|{ϵ}_1]·Pr\left[{ϵ}_3\right|{ϵ}_1\wedge {ϵ}_2]={(1-1/q_u)}^{q_{ppk}}·1/q_u·ϵ$.

Lemma 2.

Assuming that there exists a super Type-II adversary $A_2$ who can ($ϵ,t$)-win $GameII$, then the ECDLP must be ($ϵ,t$)-solved.

Proof. 

Given a ECDLP instance $<G,P,Q>$, we construct an algorithm $C_2$ to (${ϵ}^{\prime },t^{\prime }$)-calculate a solution by interacting with the adversary $A_2$. □

$H_i$ are simulated as random oracle and $C_2$ maintains the tables $L_i$ to record the input $val$ and output $res$ corresponding to $H_i$. The $GameII$ runs as follows.

Setup.  $C_2$ randomly selects $ID\ast$ as the challenge identity and $s\in Z_q$ as the $msk$. Then calculate $P_{pub}=sP$ and public $PP=\{G,P_{pub},H_0,H_1,H_2,H_3,H_4\}$.

Query. $A_2$ can adaptively query to $C_2$ at any time and $C_2$ will response as follows.

• $Has{h}_i\left(val\right)$. $C_2$ first checks whether $val$ exists in $L_i$. If there is a record, $C_2$ returns $<val,res>$. Otherwise $C_2$ randomly selects $h_i\in Z_q$, returns $res=h_i$ and inserts $<val,res>$ into $L_i$
• $CreateUser\left(I{D}_i\right)$. Suppose it queries $CreateUser\left(I{D}_i\right)$ for at most $q_u$ times. $C_2$ maintains a list $L_u$ and sets a $tag$ in $L_u$ to record whether the public key has been replaced. $C_2$ returns the public key if $I{D}_i$ is in the list. Otherwise,

  –

  If $I{D}_i=I{D}^{\ast }$, $C_2$ randomly selects $r,y_{ID},h_1,h_0\in Z_q$, calculates $R=rP,Y=yP,d=r+s{h}_1,\sigma =y_{ID}+d_{ID}{h}_0$ and sets $H_1(ID,R,P_{pub})=h_1,H_0(ID,Y_{ID},mp,R)=h_0,X=Q$. Then it publishes the public key $P{K}_{I{D}_i}=<R,X,Y,\sigma >$ and inserts $<ID\ast ,d,r,y_{ID},0,h_1,\sigma ,h_0,R,X,Y,tag=0>$ into the table $L_u$.

  –

  If $I{D}_i\ne I{D}^{\ast }$, $C_2$ randomly selects $r,x_{ID},y_{ID},h_1,h_0\in Z_q$, calculates $R=rP,Y=yP,X=xP,d_{ID}=r+s{H}_1,\sigma =y_{ID}+d_{ID}{H}_0$ and sets $H_1(ID,R,P_{pub})=h_1,H_0(ID,Y,P_{pub},R)=h_0$. Then it publishes the public key $P{K}_{I{D}_i}=<R,X,Y,\sigma >$ and inserts $<I{D}_i,d,x,y,h_1,\sigma ,h_0,X,Y,R,tag=0>$ into the table $L_u$.

• $PartialPrivateKeyExtract\left(I{D}_i\right)$. Owning the $msk$, $A_2$ can arbitrarily finish this query for any $I{D}_i$.
• $SecretValueExtract\left(I{D}_i\right)$. Suppose it queries $ExtractSecretValue\left(I{D}_i\right)$ for at most $q_{sv}$ times.

  –

  If $I{D}_i=ID\ast$, abort the game.

  –

  Otherwise, $C_2$ searches the table $L_u$ for $I{D}_i$.If $I{D}_i$ is found, it returns x directly. Otherwise, it calls $CreateUser\left(I{D}_i\right)$ and returns x.

• $ReplacePublicKey(I{D}_i,P{K}^{\prime })$. Suppose it queries $ReplacePublicKey(I{D}_i,P{K}^{\prime })$ for at most $q_{rp}$ times.

  –

  If $I{D}_i=ID\ast$, abort the game.

  –

  Otherwise, $C_2$ searches the table $L_u$ for $I{D}_i$. If $I{D}_i$ is found, it replaces $<R,Y,X,\sigma >$ with $P{K}^{\prime }$. Otherwise, $C_2$ calls $CreateUser\left(I{D}_i\right)$, replaces $<R,Y,X,\sigma >$ with $P{K}^{\prime }$ and sets $tag=1$.

• $SuperSign(I{D}_i,m)$.

  –

  If $ID=I{D}^{\ast }$ or $tag=1$, $C_2$ randomly selects $\tau ,h_3,h_4,h_2\in Z_q$ and calculates $T=(\tau P-h_{3}X-h_{4}R-h_4{h}_1{P}_{pub})h_2^{-1}$. Then $C_2$ sets $h_2=H_2(I{D}_i,m,PK,T)$, $h_3=H_3(I{D}_i,m,PK,T)$, $h_4=H_4(I{D}_i,m,T,PK,P_{pub})$ in $L_i$. $<T,\tau >$ is a valid signature and note that $C_2$ does not need to know x.

  –

  If $ID\ne I{D}^{\ast }$ and $tag=0$, $C_2$ searches the table $L_u$ to find $I{D}_i$. If $I{D}_i$ is found, $C_2$ knows $<d,x>$. Otherwise, $C_2$ calls $CreateUser\left(I{D}_i\right)$ and gets $<d,x>$ for $I{D}_i$. Then $C_2$ randomly selects $t,h_2,h_3,h_4\in Z_q$ and sets $h_2=H_2(I{D}_i,m,PK,T)$, $h_3=H_3(I{D}_i,m,PK,T)$, $h_4=H_4(I{D}_i,m,T,PK,P_{pub})$ in $L_i$. Finally $C_2$ calculates $\tau =h_{2}t+h_{3}x+h_{4}d$. $<T,\tau >$ is valid signature.

• $Forgery$. In the end, $A_2$ outputs $<T,\tau ,m,ID>$. If $ID\ne ID\ast$, aborts. Otherwise, $C_2$ searches the table $L_u$ to find $ID$ and verifies the signature as follows:

  $$\begin{array}{cc}\hfill h_1& \hfill =H_1(ID,R,P_{pub})\hfill \end{array}$$

  (22)

  $$\begin{array}{cc}\hfill h_2& \hfill =H_2(ID,m,PK,T)\hfill \end{array}$$

  (23)

  $$\begin{array}{cc}\hfill h_3& \hfill =H_3(ID,m,PK,T)\hfill \end{array}$$

  (24)

  $$\begin{array}{cc}\hfill h_4& \hfill =H_4(ID,m,T,PK,P_{pub})\hfill \end{array}$$

  (25)

  $$\begin{array}{cc}\hfill \tau P& \hfill =h_{2}T+h_{3}X+h_4(R+h_0{P}_{pub})\hfill \end{array}$$

  (26)

Use forking lemma on $H_3$ to get a new $<T,{\tau }^{\prime }>$ so that ${\tau }^{\prime }=t·h_2+x·h_3^{\prime }+d_{ID}·h_4$. Then calculate $x=\frac{\tau -{\tau }^{\prime }}{h_3-h_3^{\prime }}$ is the solution to the ECDLP.

$C_2$ will solve the ECDLP if the following events occur:

• ${ϵ}_1$: $C_2$ never aborts in the $GameI$,
• ${ϵ}_2$: $A_2$ generates a valid forgery $<T,\tau ,m,ID>$,
• ${ϵ}_3$: In the forgery, $ID=I{D}^{\ast }$

So the probability of $C_2$ is $Pr[{ϵ}_1\wedge {ϵ}_2\wedge {ϵ}_3]=Pr\left[{ϵ}_1\right]·Pr\left[{ϵ}_2\right|{ϵ}_1]·Pr\left[{ϵ}_3\right|{ϵ}_1\wedge {ϵ}_2]$.

$C_2$ will abort in the $GameII$ if $A_2$ extracts the secret value or replaces the public key for the user $I{D}^{\ast }$. So $Pr\left[{ϵ}_1\right]={(1-1/q_u)}^{q_{sv}}{(1-1/q_u)}^{q_{rp}}$. If $C_2$ does not abort in the $GameII$, $A_2$ generates a valid forgery with $ϵ$. So $Pr\left[{ϵ}_2\right|{ϵ}_1]=ϵ$. As the $I{D}^{\ast }$ is selected randomly, $Pr\left[{ϵ}_3\right|{ϵ}_1\wedge {ϵ}_2]=1/q_u$. So the probability is ${ϵ}^{\prime }=Pr[{ϵ}_1\wedge {ϵ}_2\wedge {ϵ}_3]=Pr\left[{ϵ}_1\right]·Pr\left[{ϵ}_2\right|{ϵ}_1]·Pr\left[{ϵ}_3\right|{ϵ}_1\wedge {ϵ}_2]={(1-1/q_u)}^{q_{ppk}+q_{rp}}·1/q_uϵ$.

5. Efficiency Analysis

We analyze the efficiency and security of our CLS scheme and compare it with a series of schemes. Among these schemes, Huang et al. [10] designed a secure CLS scheme against super adversaries but relies on pairing. All other solutions do not require pairing and can not be proven to be safe against the super adversary. We conduct simulation experiments in the environment in Table 1 and choose a type-D pairing which is discovered by [27] and constructed on the curve $y^2=x^3+ax+b$ over the field $F_q$ for a 160-bit prime q. So the length of a point x-coordinate in $G_1$ is roughly the same as 160-bit. The embedding degree is 6 so that the size of finite field in $G_2$ and $G_t$ is 960-bit. The notations and time of different operations are shown in Table 2. The theoretical analysis of all schemes is shown in Table 3. Here $|G_1|,|G_2|$ and $|Z_q|$ denote the element size in $G_1,G_2$ and $Z_q$. To make Table 3 clearer, we ignore the insignificant time of $A_1,M_t,I_q,A_q$ and $M_q$. The time of different schemes is shown in the Figure 1.

Table 1. Experiment Environment.

CPU	OS	RAM	Compiler&Library
Inter i7-12700 @4.9 GHz	Ubuntu 20.04.1	32GB DDR5	PBC 0.5.14 & GCC 9.4.0

Table 2. Notation and time of the group operation.

Notation	Operation	Time (ms)
$A_1$	a point addition in $G_1$	0.0029
$M_1$	a scalar multiplication in $G_1$	0.3552
$A_2$	a point addition in $G_2$	0.0145
$M_2$	a scalar multiplication in $G_2$	2.8250
$M_t$	a multiplication in $G_t$	0.0045
$E{x}_t$	a exponential operation in $G_t$	0.6497
P	a pairing operation: $G_1\times G_2\to G_t$	2.2532
$I_q$	a inversion operation in $Z_q$	0.0028
$A_q$	a addition in $Z_q$	0.0007
$M_q$	a multiplication in $Z_{q}1$	0.0006

Table 3. Theoretical Analysis.

Scheme	Sign	Verify	PPK	|Sign|	|PK|	|PPK|	Security
[10]	$M_2+P+2M_1$	$2M_2+A_2+2P+E{x}_t$	$M_1$	$|G_1|+2|Zq|$	$|G_2|$	$|G_1|$	Super typeI&II
[26]	$M_1$	$4M_1$	$M_1$	$|G_1|+|Zq|$	$2|G_1|$	$|G_1|+|Zq|$	Strong typeI&II
[24]	$M_1$	$3M_1$	$2M_1$	$|G_1|+|Zq|$	$|G_1|$	$|G_1|+|Zq|$	Insecure
[28]	$M_1$	$3M_1$	$M_1$	$|G_1|+|Zq|$	$|G_1|$	$|G_1|+|Zq|$	Insecure
[17]	$2M_1+M_2$	$2E{x}_t+P$	$M_1$	$|G_2|+|G_1|$	$|G_2|+|G_1|$	$2|G_1|$	Insecure
[16]	$M_1$	$3M_1$	$M_1$	$|G_1|+|Zq|$	$2|G_1|$	$|G_1|+|Zq|$	Insecure
[25]	$M_1$	$4M_1$	$M_1$	$|G_1|+|Zq|$	$2|G_1|$	$|G_1|+|Zq|$	Strong typeI&II
Ours	$M_1$	$5M_1$	$2M_1$	$|G_1|+|Zq|$	$3|G_1|+|Zq|$	$2|G_1|+2|Zq|$	Super typeI&II

* The Sign, Verify and PPK denote the operations in $Sign$,$Verify$ and $PartialPrivateKey$ algorithms. |Sign|,|PK|, and |PPK| represent the length of the signature, public key, and partial private key. The Security represents the level of adversary that these schemes can resist.

Figure 1. The time of $Sign$,$Verify$ and $PartialPrivateKey$ algorithms [10,16,17,24,25,26,28].

It has been observed that several secure certificateless signature schemes have been introduced without utilizing pairing, yet none of them were able to be proven secure against super adversaries. Some of the schemes, which are based on the Schnorr signature, are unable to respond to the super adversary’s query when requesting specific private keys after the replacement of the public key. Our proposed solution not only attains security against super adversaries but also rectifies this minor issue, all the while maintaining a reasonable level of efficiency in signing and verifying. While Huang’s scheme also achieves security against super adversaries, it relies on pairing operations, leading to increased computational time and signature size compared to our scheme. Consequently, our scheme effectively enhances both security and efficiency, while also addressing a slight deficiency in the security model.

6. Conclusions

We find that existing secure CLS schemes against super adversaries often require expensive pairing operations, making them unsuitable for lightweight equipment. Some pairing-free schemes are unable to resist super adversaries and suffer from the issue where the challenger cannot answer partial private key inquiries after replacing the public key. To address these limitations, we have developed a secure CLS scheme against super adversaries without relying on pairing operations, and we have provided comprehensive proof of its security. Experimental testing has demonstrated that our scheme exhibits superior computational efficiency and a smaller signature size compared to schemes offering similar security guarantees.