49319390 Yuan 2010 Information Sciences


Certificateless threshold signature scheme from bilinear maps

Hong Yuan a, Futai Zhang a,b,*, Xinyi Huang c, Yi Mu d, Willy Susilo d, Lei Zhang e

a School of Computer Science and Technology, Nanjing Normal University, PR China
b Jiangsu Engineering Research Center on Information Security and Privacy Protection Technology, Nanjing, PR China
c School of Information Systems, Singapore Management University, Singapore
d Center for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Australia
e UNESCO Chair in Data Privacy, Department of Computer Engineering and Mathematics, Universitat Rovira i Virgili, Catalonia, Spain

Article info

Article history: Received 28 October 2009; received in revised form 20 May 2010; accepted 26 July 2010

Keywords: Certificateless threshold signature; Bilinear map; Verifiable secret sharing; CDH problem; Simulatability

Abstract

A (t, n) threshold signature scheme allows t or more group members to generate signatures on behalf of a group with n members. In contrast to the traditional public key cryptography based on public key infrastructure (PKI) and identity-based public key cryptography (ID-PKC), certificateless public key cryptography (CL-PKC) offers useful properties as it does not require any certificates to ensure the authenticity of public keys and the key escrow problem is eliminated. In this paper, we investigate the notion of threshold signature schemes in CL-PKC. We start by pointing out the drawbacks in the two existing certificateless threshold signature schemes. Subsequently, we present an elaborate description of a generic certificateless (t, n) threshold signature scheme with a new security model. The adversaries captured in the new model are more powerful than those considered in the existing schemes. Furthermore, we establish the simulatability for certificateless threshold signature schemes and prove the relationship between the security of certificateless threshold signature schemes and that of the underlying non-threshold certificateless signature schemes. As an instantiation, we present a concrete certificateless threshold signature scheme based on bilinear maps using the techniques of verifiable secret sharing and distributed key generation. The proposed scheme is shown to be existentially unforgeable against adaptively chosen message attacks assuming the hardness of the Computational Diffie-Hellman (CDH) problem.

© 2010 Elsevier Inc. All rights reserved.

1. Introduction

1.1. Background

In practical applications, traditional public key cryptography (PKC for short) requires the support of public key infrastructure (PKI for short), which introduces the costly and cumbersome certificate management problem. Although this disadvantage is removed in identity-based public key cryptography (ID-PKC for short) [18], it gives rise to the drawback of key escrow. As a new paradigm of public key cryptography, certificateless public key cryptography (CL-PKC for short) [1] not only gets rid of the certificate management problem in traditional PKC but also eliminates the key escrow problem in ID-PKC. Hence, it has received considerable attention from the security research community since its invention. In a certificateless cryptosystem, each entity has two secrets: a secret value and a partial private key. The secret value is generated by the entity himself, while a third party, the key generation center (KGC), who holds a master key, generates the partial private key from the user's identity information. The entity's private key is the output of a function that requires the secret value and the partial private key as input. KGC does not have the actual private key of an entity and the key escrow problem in ID-PKC is eliminated. The entity can use the actual private key to generate the public key, which could be available to other entities by transmitting it along with signatures or by placing it in a public directory. In particular, there is no certificate in CL-PKC, which avoids the costly certificate management issues in PKI based traditional PKC. The idea of threshold cryptography is to distribute the secret information (e.g., a private key) and the computation (e.g., decryption or signature signing) amongst a group of participants in order to prevent a single point of failure or abuse. As an important primitive in group security and distributed settings, threshold signatures have been extensively studied in traditional PKC and ID-PKC. We believe that it is also worthwhile to investigate the application of this primitive in CL-PKC. The focus of this paper is on employing the advantages of CL-PKC to provide secure and efficient solutions of threshold signatures for a practical use.

* Corresponding author at: School of Computer Science and Technology, Nanjing Normal University, PR China.
E-mail addresses: [email protected] (H. Yuan), [email protected], [email protected] (F. Zhang), [email protected] (X. Huang), ymu@uow.edu.au (Y. Mu), [email protected] (L. Zhang).

Information Sciences 180 (2010) 4714-4728. Contents lists available at ScienceDirect. Journal homepage: www.elsevier.com/locate/ins
0020-0255/$ - see front matter © 2010 Elsevier Inc. All rights reserved. doi:10.1016/j.ins.2010.07.021

1.2. Related work

In the following, we provide a brief review of some related work on threshold signatures with respect to traditional PKC, ID-PKC and CL-PKC. We will point out some shortcomings in two existing certificateless threshold signature schemes [21,22].

1.2.1. Threshold signatures in traditional PKC

Threshold signatures in traditional PKC have been extensively studied in [4,5,9,20]. The authors of [5] formalized the notion of unforgeability for threshold signatures and described a concrete scheme based on the ElGamal signature. Gennaro et al. [9] provided a complete solution for a threshold implementation of the digital signature standard (DSS). They designed various distributed verifiable secret-sharing schemes as building blocks to construct robust and secure threshold DSS signature schemes. In threshold signature schemes in traditional PKC, the transmission and verification of group members' certificates involve a considerable amount of communication and computation cost. This may greatly offset the efficiency.

1.2.2. ID-based threshold signature

ID-PKC was introduced by Shamir [18], whose original motivation was to ease certificate management in the e-mail system. In ID-PKC, a user's public key can be derived directly from certain aspects of his/her identity information (e.g., an email address), while the associated private key is computed and issued secretly to the user by a trusted third party, the PKG (private key generation center). This property avoids the necessity of certificates, and associates an implicit public key to each user. However, it makes key escrow an inherent problem, which is undesirable from the user's point of view. Baek and Zheng [3] proposed the first identity-based threshold signature scheme from bilinear maps in 2004. To alleviate the key escrow problem, Chen et al. [7] proposed an identity-based threshold signature scheme without a trusted PKG. (More precisely, Chen et al.'s scheme is essentially a threshold signature scheme in CL-PKC, but its security analysis is made in the framework of ID-PKC.)

1.2.3. Certificateless threshold signature

CL-PKC [1] was introduced by Al-Riyami and Paterson in 2003 to overcome the key escrow problem in ID-PKC. Recently, certificateless signature (CLS) schemes have been well investigated [12,13,19]. Several CLS schemes were proposed [6,11-16,23-27]. In [13], Huang et al. revisited the security models of certificateless signature schemes and further classified the Type I/II adversaries into three types, namely normal, strong and super Type I/II adversaries, among which super Type I/II adversaries have the strongest attacking power.

Wang et al. [21] proposed the first certificateless threshold signature scheme (CLTHS for short) in the random oracle model. To exhibit the security of the proposal, they developed the theory of simulatability and the relationship between the certificateless threshold signature scheme and the underlying (non-threshold) ID-based signature scheme. Their scheme requires a PKG clerk and several distributed PKGs to compute the partial private key for a user. To do so, the PKG clerk first generates the master key and then shares it among several distributed PKGs using a (u, m)-secret-sharing scheme. With its share of the master key, each distributed PKG can generate a sub-partial private key for the user, which will be sent back to the PKG clerk. Upon receiving valid sub-partial private keys from at least u distributed PKGs, the PKG clerk can calculate the partial private key of the user. As one can see, while their scheme does use distributed PKGs, partial private keys are still generated by a single party (the PKG clerk), which makes the use of distributed PKGs cumbersome and inefficient. We believe that in the scenario of distributed PKGs it is desirable that the generation of the master key is conducted by all distributed PKGs in a cooperative manner, rather than by a single party (which is the case in [21]). In generating a user's partial private key, each member of the distributed PKGs calculates and sends a sub-partial private key (using his share of the master key) to the corresponding user directly. The user can then derive the partial private key by itself from at least t (t is the threshold) valid sub-partial private keys.

A further observation shows that Wang et al.'s scheme cannot detect any misbehavior of dishonest participants. In the sharing of the master key $s$, the PKG clerk could cheat by sending $s_i \neq R(i)$, $P^i_{pub} = s_i P$ to some $\mathrm{PKG}_i$ (where $R(x)$ is the sharing polynomial selected by the PKG clerk), which is undetectable. Similarly, $\mathrm{PKG}_i$ could cheat by using a false master key share $s'_i$ (different from his actual master key share $s_i$) to generate $P^i_{pub} = s'_i P$. It then uses the fake $s'_i$ to generate the sub-partial private key for a user. No one can find these kinds of cheating. Similar problems also exist in the sharing of users' secret values if player $j$ publishes a false $fvk_j = c_j P \neq f(j) P$. This may cause serious security problems. As an example, player $j$ may use this fake $fsk_j = c_j$ instead of the true $fsk_j$ to sign messages, and other players may be totally unaware of this kind of cheating. In this case, no one but the cheating player $j$ is able to calculate a valid threshold signature of the group. The sharing of partial private keys is also spoiled by similar problems. Another drawback of Wang et al.'s scheme is the long signature length. In their scheme, a signature $(T, a, b, c, W)$ consists of two elements of $G_1$ and three elements of $G_2$, where $(G_1, G_2)$ are groups with bilinear mapping $e : G_1 \times G_1 \to G_2$. This leads to a signature length of more than 3400 bits for a 160-bit prime $q$ (the order of group $G_1$), which is apparently too long, as most existing secure certificateless signature schemes produce signatures consisting of only two elements of $G_1$, or one element of $G_2$ and one element of $\mathbb{Z}_q$.

Recently, Xiong et al. [22] presented a certificateless threshold signature scheme which was proven secure in the standard model. They introduced new security definitions and notations for their scheme and utilized the simulatability of certificateless threshold signature schemes to prove the scheme to be secure. However, the security model defined in [22] is very weak. As an obvious drawback, their signing oracle cannot provide any valid signatures if the user's public key has been replaced. There are also some security flaws in their construction of the threshold signature scheme. In the step Complete-Key-Gen-and-Share, their method of sharing the complete secret signing key may lead to a decrease of the threshold, since the sharing polynomial is in fact determined by Lagrange interpolation using $t$ points $(0, a_x), (1, a_{1x}), \ldots, (t-1, a_{(t-1)x})$. This interpolation may result in a polynomial of degree less than $t-1$, which means that fewer than $t$ players can collude to reveal the complete signing key or generate a valid signature on any message. Also, the verification shares for checking the validity of complete key shares only commit to one of the random secrets, which could also make the cheating behavior of some dishonest players undetectable (as we have shown previously for Wang et al.'s scheme).

1.3. Motivation and our contribution

Like threshold signature schemes based on traditional PKI and ID-PKC, certificateless threshold signature schemes have wide applications where a group of members need to cooperatively sign a message on behalf of the whole group, and are especially useful when there is a need to distinguish a threshold signature from a signature generated by a single party who possesses the secret signing key of the group. For example, let Bob be the board chairman of a company. He has the secret signing key SK of the board in the certificateless public key setting. With this secret signing key, he is able to sign any document on behalf of the board. A threshold signature scheme is necessary when the chairman is unavailable but some very important documents need to be signed by the majority of the board. While it is useful to know who is responsible for a signature, in some cases we need to distinguish the chairman's signature from the board members' threshold signature. In certificateless public key cryptography, the chairman can share the partial private key of the board among the board members, and let the board members generate the secret value of the board using an information-theoretically secure distributed key generation protocol. In this way, the board members can produce signatures that are distinguishable from those generated by the chairman alone. We believe this is a distinctive property of certificateless threshold signatures.

As we have shown in Section 1.2, the two existing certificateless threshold signature schemes [21,22] are far from satisfactory (both in security and in efficiency). Thus, as an indispensable component of CL-PKC, certificateless threshold signature deserves further investigation, especially on reasonable security notions and on efficient constructions of certificateless threshold signature schemes. The contribution of this paper is as follows.

A new security model for CLTHS is proposed. In the new model, we capture the security notions via two games, which simulate two types of adversaries respectively. The adversaries we are concerned about are the super (Type I/II) adversaries defined in [13], and are stronger than those considered in [21,22]. Our security model allows the adversary to obtain partial private keys and secret values of any users under natural restrictions. The sign oracles provide the adversary with all signature shares generated by the signature generation servers. We believe that the new model is more natural and more reasonable than those in [21,22]. In order to prove the security, we define the notion of simulatability of a certificateless threshold signature scheme, and establish the simulatability theorem, which depicts the security relationship between a certificateless threshold signature scheme and its underlying (non-threshold) certificateless signature scheme. It is necessary to construct certificateless threshold signature systems from existing secure and efficient certificateless signature schemes. As an example, we present a concrete construction from an existing secure and efficient certificateless signature scheme by employing the techniques of verifiable secret sharing and distributed key generation. The security of our construction is proven under the CDH assumption.

2. Preliminaries

To keep this paper self-contained, we briefly review the basic facts about the admissible bilinear map. We then present the complexity assumptions on which the secret sharing, distributed key generation and our certificateless threshold signature scheme are based.

2.1. Bilinear map

The admissible bilinear map $e$ is defined as follows. Let $G_1$ be an additive group of prime order $q$, and let $G_2$ be a multiplicative group of the same order. Let $P$ denote a generator of $G_1$. A map $e : G_1 \times G_1 \to G_2$ is called a bilinear map if it satisfies the following properties:

Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q$.

Non-degeneracy: There exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.

Computable: There exists an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.

2.2. Complexity assumptions

We now describe some complexity assumptions in the groups $G_1$ and $G_2$. Note that throughout this paper, the groups $G_1$ and $G_2$ are those described in the above definition of bilinear map.

Discrete logarithm problem (DLP): The DLP in $G_1$ is described as follows. Given two group elements $P$ and $Q$, find an integer $x \in \mathbb{Z}_q$ such that $Q = xP$, whenever such an integer exists.

Computational Diffie-Hellman problem (CDHP): The CDHP in $G_1$ is that, given $(P, aP, bP)$ for random unknown $a, b \in \mathbb{Z}_q$, compute $abP$.

Modified generalized bilinear inversion problem (mGBIP): The mGBIP proposed in [3] is defined as follows. Given $h \in G_2$ and $P \in G_1$, compute $S \in G_1$ such that $e(S, P) = h$. (Readers can refer to [3] for a detailed description.)

We assume that the above mentioned complexity problems are hard in the groups $G_1$ and $G_2$ with pairing $e$.

Notice that the mGBI assumption (that is, the mGBI problem is intractable) is implied by the CDH assumption. The proof is sketched as below: assume that an attacker $\mathcal{A}_{CDH}$ of the CDH problem is given a random instance $(P, aP, bP)$, where $a, b \in \mathbb{Z}_q$ and $P$ is a generator of $G_1$. Suppose there is another algorithm $\mathcal{A}_{mGBI}$ which can solve the mGBI problem with non-negligible success probability. In the reduction, $\mathcal{A}_{CDH}$ runs $\mathcal{A}_{mGBI}$ with the input $(h = e(aP, bP), P)$. Let $S$ be the output of $\mathcal{A}_{mGBI}$; $\mathcal{A}_{CDH}$ will set $S$ as its output. Clearly, $S$ is a correct solution of the given CDH instance $(P, aP, bP)$ as long as $S$ is a correct solution of the mGBI instance $(h = e(aP, bP), P)$: in that case $e(S, P) = e(aP, bP) = e(abP, P)$ by bilinearity, and $e(\cdot, P)$ is injective on $G_1$ when $P$ generates $G_1$, so $S = abP$. Thus, the mGBI problem can be directly reduced to the CDH problem.

2.3. Outline of certificateless threshold signature schemes

Definition 1 (Certificateless threshold signatures). A certificateless (t, n) threshold signature scheme CLTHS consists of the following algorithms or protocols.

A probabilistic key/system parameter generation algorithm GC(k): Given a security parameter $k \in \mathbb{N}$, this algorithm generates the master secret key msk and a list of system parameters params. Note that the parameter list params is given to all interested parties while the matching master key msk is kept secret.

A probabilistic partial private key extraction algorithm EX(params, msk, ID): Given an identity ID, a parameter list params and a master key msk, this algorithm generates a partial private key associated with ID, denoted by $ppk_{ID}$.

A probabilistic partial private key distribution protocol DK(params, $ppk_{ID}$, n, t): Given a partial private key $ppk_{ID}$ associated with an identity ID, n signature generation servers and a threshold parameter t, this protocol generates n shares of $ppk_{ID}$ and securely provides each signature generation server $C_i$ ($1 \le i \le n$) with a corresponding share. It also generates and publishes a set of verification keys that can be used to check the validity of each partial private key share. We denote the partial private key shares and the matching verification keys by $\{ppk^i_{ID}\}_{i=1,\ldots,n}$ and $\{vsk^i_{ID}\}_{i=1,\ldots,n}$, respectively. For each $i$, $1 \le i \le n$, $C_i$ keeps $ppk^i_{ID}$ secret, while $vsk^i_{ID}$ is publicly known to all, including the adversary.

A probabilistic distributed secret value generation protocol GS(params, ID, n, t): Given an identity ID, a parameter list params, the number n of signature generation servers, and a threshold t, this protocol generates a distributed secret value for identity ID. It implies that the n signature generation servers, without a dealer, jointly generate a secret value $x_{ID}$ and its corresponding public value $pk_{ID}$. As a result, $x_{ID}$ is shared among the n signature generation servers using a verifiable (t, n) threshold secret-sharing scheme. Each signature generation server $C_i$ holds a secret share $x^i_{ID}$, and the corresponding public verification share $pk^i_{ID}$ is known to all signature generation servers.

A deterministic public key extraction protocol PK(params, ID, $x_{ID}$): Given a parameter list params, an identity ID and the secret value $x_{ID}$, this protocol generates the public key $P_{ID}$ related to ID. Particularly, the public key in our scheme is just the value $pk_{ID}$ obtained in the previous protocol, which is the public value corresponding to the secret value.

A probabilistic signature generation protocol S(params, $ppk^i_{ID}$, $x^i_{ID}$, M): Given a parameter list params, a message M, a share $ppk^i_{ID}$ of the partial private key $ppk_{ID}$ and a share $x^i_{ID}$ of the secret value $x_{ID}$ associated with ID, each signature generation server $C_i$ computes a signature share $\sigma_i$ for M. After that, a dealer (selected at random from the current servers) combines at least t valid shares together and outputs a valid signature $\sigma$.

A deterministic signature verification algorithm V(params, ID, $pk_{ID}$, M, $\sigma$): Given a signer's identity ID, a public key $pk_{ID}$, a message M and its signature $\sigma$, this algorithm checks the validity of $\sigma$. The output of this algorithm is either Valid or Invalid.

Remark. The key/system parameter generation algorithm GC and the partial private key extraction algorithm EX are both run by the trusted KGC. The partial private key distribution protocol DK makes use of an appropriate secret-sharing technique to distribute the partial private key among the n signature generation servers. This process depends on the cryptographic services that the KGC can offer: the KGC could execute protocol DK if it is capable of organizing threshold signatures, or a trusted normal user (for example a selected leader of the group) could run DK if the KGC only has the functionality of issuing partial private keys for users.
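The share-verification step that the DK and GS protocols above rely on, and the two defects Section 1.2.3 attributes to the schemes of Wang et al. and Xiong et al. (shares inconsistent with the sharing polynomial going undetected, and an interpolated sharing polynomial whose degree may fall below t-1), in a Python example added here; it is not code from the paper or its authors. It replaces the pairing group $G_1$ by a small Schnorr group, since these checks need no pairing, and uses Feldman-style commitments $G^{a_j}$ to every coefficient in the role of the verification keys; the toy parameters Q, P, G, the function names and the dealerless `joint_generation` routine are assumptions of this example, not the paper's construction.

```python
import secrets

# Constructed toy parameters (assumption of this example, not from the paper):
# safe prime P = 2*Q + 1 and a generator G of the order-Q subgroup. A real
# instantiation needs a group of at least 160-bit (today 256-bit) prime order.
Q = 1019
P = 2 * Q + 1   # 2039, prime
G = 4           # a quadratic residue mod P other than 1, hence of order Q


def eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x, modulo Q."""
    result = 0
    for a in reversed(coeffs):
        result = (result * x + a) % Q
    return result


def share_secret(secret, t, n):
    """Dealer side of DK: Shamir (t, n) sharing of `secret` in Z_Q together
    with Feldman commitments C_j = G^a_j to EVERY coefficient a_j of the
    degree-(t-1) sharing polynomial. The commitments play the role of the
    public verification keys vsk. Returns ({i: share_i}, [C_0, ..., C_{t-1}])."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: eval_poly(coeffs, i) for i in range(1, n + 1)}
    return shares, [pow(G, a, P) for a in coeffs]


def verify_share(i, share, commitments):
    """Receiver side of DK: accept share_i only if G^share_i == prod_j C_j^(i^j).
    A value that is not the committed polynomial evaluated at i fails, so a
    dealer cannot hand out an inconsistent share undetected and a player cannot
    later claim a share other than the one committed to."""
    expected = 1
    for j, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, j, Q), P) % P
    return pow(G, share, P) == expected


def interpolate(points):
    """Coefficients (low to high) of the unique polynomial of degree
    < len(points) through the given (x, y) points, modulo Q (Lagrange)."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            nxt = [0] * (len(basis) + 1)   # basis *= (x - xj)
            for k, c in enumerate(basis):
                nxt[k] = (nxt[k] - xj * c) % Q
                nxt[k + 1] = (nxt[k + 1] + c) % Q
            basis = nxt
            denom = denom * (xi - xj) % Q
        scale = yi * pow(denom, -1, Q) % Q
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * c) % Q
    return coeffs


def reconstruct(shares):
    """Recover the secret (the constant term) from any t shares {i: share_i}."""
    return interpolate(list(shares.items()))[0]


def effective_threshold(points):
    """Number of shares that recover a secret whose sharing polynomial was
    fixed by interpolating `points`, as in the Complete-Key-Gen-and-Share step
    the paper criticises: if the t points happen to lie on a polynomial of
    degree below t-1, fewer than t shares suffice. A dealer should reject such
    a polynomial (or pick random coefficients instead, as share_secret does)."""
    coeffs = interpolate(points)
    degree = max((k for k, c in enumerate(coeffs) if c), default=0)
    return degree + 1


def joint_generation(t, n):
    """GS without a dealer (a Feldman-style joint generation, assumed here,
    not the paper's protocol): every server acts as a dealer for a random
    value, each server's share of x_ID is the sum of the verified sub-shares
    it received, and the public value pk_ID = G^x_ID follows from the C_0s."""
    shares = {i: 0 for i in range(1, n + 1)}
    public_value = 1
    for _server in range(n):
        sub_shares, comm = share_secret(secrets.randbelow(Q), t, n)
        for i, s in sub_shares.items():
            if not verify_share(i, s, comm):   # a cheating server is caught here
                raise ValueError("inconsistent sub-share")
            shares[i] = (shares[i] + s) % Q
        public_value = public_value * comm[0] % P
    return shares, public_value


if __name__ == "__main__":
    shares, comm = share_secret(123, 3, 5)
    print(all(verify_share(i, s, comm) for i, s in shares.items()))   # True
    print(verify_share(2, (shares[2] + 1) % Q, comm))                 # False
    print(reconstruct({1: shares[1], 3: shares[3], 5: shares[5]}))    # 123
    print(effective_threshold([(0, 5), (1, 7), (2, 9)]))              # 2: points lie on 5 + 2x
    x_shares, pk = joint_generation(3, 5)
    print(pow(G, reconstruct(dict(list(x_shares.items())[:3])), P) == pk)  # True
```

Committing to all t coefficients is what makes `verify_share` catch a share that does not lie on the dealer's polynomial; a commitment to only one secret, as the text describes for Xiong et al., leaves the other coefficients unconstrained. `share_secret` sidesteps the degree problem by drawing the t-1 non-constant coefficients at random, so the degree drops only when the top coefficient happens to be zero, which has probability 1/Q; `effective_threshold` is the check a dealer who instead interpolates fixed points would need.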

3. Security notions for certificateless threshold signatures

3.1. Existential unforgeability for certificateless threshold signatures against adaptive chosen message attacks

Similarly to the adversaries against CLS defined in [13], there are basically two types of super adversaries in CLTHS: $\mathcal{B}_I$ and $\mathcal{B}_{II}$. $\mathcal{B}_I$ simulates attacks when the adversary (anyone except the KGC) replaces the public key of any entity with a value of his choice. However, $\mathcal{B}_I$ does not have access to the master secret key. Adversary $\mathcal{B}_{II}$ simulates attacks when the adversary has the master secret key but cannot replace the target user's public key.

Due to the security requirement of (t, n) threshold signatures [9], we further assume that super adversaries ($\mathcal{B}_I$ and $\mathcal{B}_{II}$) against CLTHS can corrupt up to $t-1$ signature generation servers. We also consider malicious adversaries that may cause corrupted servers to deviate from the specified protocol in any way. We assume that the computational power of adversaries is adequately modeled by a probabilistic polynomial time Turing machine. The adversaries we consider here are static, i.e., they choose the corrupted servers at the beginning of the protocol.

Now we define the security of a CLTHS scheme via the following two games between a challenger $\mathcal{C}$ and a super adversary $\mathcal{B}_I$ / $\mathcal{B}_{II}$.

Game 1 (for Super Type I Adversary).

Setup: $\mathcal{C}$ runs the key/system parameter generation algorithm GC to obtain a master secret key msk and the system parameter list params. Then $\mathcal{C}$ sends params to the adversary $\mathcal{B}_I$ while keeping msk secret.

Phase 1: $\mathcal{B}_I$ corrupts $t-1$ signature generation servers. For convenience, we assume that the corrupted signature generation servers are $C_1, \ldots, C_{t-1}$.

Phase 2: $\mathcal{B}_I$ can make the following queries in an adaptive manner.

Partial-private-key queries PPK(ID): $\mathcal{B}_I$ can request the partial private key of any user with identity ID. On receiving ID, $\mathcal{C}$ runs the partial private key extraction algorithm EX of CLTHS by taking ID as input and obtains a corresponding partial private key $ppk_{ID}$, which is given to $\mathcal{B}_I$.

Secret value queries SV(ID): $\mathcal{B}_I$ can request the secret value of any user with identity ID. In response, $\mathcal{C}$ runs the secret value generation protocol GS of CLTHS by taking ID as input and obtains a secret value $x_{ID}$, the corresponding public value $pk_{ID}$, the secret value share $x^i_{ID}$ and the matching verification share $pk^i_{ID}$ for every signature generation server. Then, $\mathcal{C}$ sends $x_{ID}$ to $\mathcal{B}_I$. Note that $\mathcal{C}$ outputs $\bot$ if the user's public key has been replaced.

Public key replacement queries PKR(ID, $pk'_{ID}$): For any user with identity ID, $\mathcal{B}_I$ can choose a new public key $pk'_{ID}$ and then set $pk'_{ID}$ as the new public key of this user. $\mathcal{C}$ will keep a record of this replacement.

Sign queries S(ID, M, $pk_{ID}$): $\mathcal{B}_I$ can request the signature of a user (whose identity is ID) on a message M. On receiving M, $\mathcal{C}$ runs the signature generation protocol S of CLTHS and responds to $\mathcal{B}_I$ with $\sigma_i$ for $i = 1, \ldots, n$ output by S. It is required that $\sigma_i$ for $i = 1, \ldots, n$ are valid signature shares on message M under identity ID and the public key $pk^i_{ID}$. It is evident that $\mathcal{B}_I$ is able to calculate a full signature of M with enough signature shares.

Phase 3: $\mathcal{B}_I$ submits the target identity $ID^*$. On receiving $ID^*$, $\mathcal{C}$ first runs the algorithm EX of CLTHS to obtain a partial private key $ppk_{ID^*}$, and then runs the partial private key distribution protocol DK of CLTHS by taking $ppk_{ID^*}$ as input to share it among the n signature generation servers. We denote the partial private key shares by $ppk^i_{ID^*}$ for $i = 1, \ldots, n$. $\mathcal{C}$ gives $ppk^i_{ID^*}$ for $i = 1, \ldots, t-1$ to $\mathcal{B}_I$. Then, $\mathcal{B}_I$ issues a sequence of requests as in Phase 2, except the Partial-Private-Key request on the challenge identity $ID^*$.

Forgery: Finally, $\mathcal{B}_I$ outputs $(ID^*, M^*, \sigma^*, pk_{ID^*})$. We say that $\mathcal{B}_I$ wins Game 1 if
1. $\sigma^*$ is a valid signature of a message $M^*$ under identity $ID^*$ and the corresponding public key $pk_{ID^*}$;
2. $(ID^*, M^*, pk_{ID^*})$ never appears as one of the sign queries.

We define $\mathcal{B}_I$'s success probability by
$$\mathrm{Succ}^{\mathrm{EUF\text{-}CLTHS\text{-}CMA}}_{\mathrm{CLTHS},\mathcal{B}_I}(k) = \Pr[V(\mathit{params}, ID^*, M^*, \sigma^*) = \mathrm{valid}].$$

An attacker $\mathcal{B}_I$ is said to $(t_{CMA}, q_{PPK}, q_{PK}, q_{SV}, q_{PKR}, q_S, \epsilon)$-break a certificateless threshold signature scheme if $\mathcal{B}_I$ runs in time at most $t_{CMA}$, and can make at most $q_{PPK}$ partial private key queries, $q_{PK}$ public-key queries, $q_{SV}$ secret-value queries, $q_{PKR}$ public-key-replacement queries, $q_S$ sign queries, and the success probability $\mathrm{Succ}^{\mathrm{EUF\text{-}CLTHS\text{-}CMA}}_{\mathrm{CLTHS},\mathcal{B}_I}(k)$ is at least $\epsilon$. Note that the running time and the number of queries are all polynomials in the security parameter $k$.

Game 2 (for Super Type II Adversary).

Setup: $\mathcal{C}$ runs the key/system parameter generation protocol GC to obtain a master secret key msk and the system parameter list params. $\mathcal{C}$ then sends params and msk to the adversary $\mathcal{B}_{II}$.

Phase 1: $\mathcal{B}_{II}$ corrupts $t-1$ signature generation servers, which we denote as $C_1, \ldots, C_{t-1}$.

Phase 2: $\mathcal{B}_{II}$ adaptively makes secret-value queries, public-key-replacement queries and sign queries as described in Game 1.

Phase 3: $\mathcal{B}_{II}$ submits the target identity $ID^*$, and then issues a sequence of requests as in Phase 2. Notice that for $\mathcal{B}_{II}$'s signature query S($ID^*$, M, $pk_{ID^*}$), $\mathcal{C}$ responds with a valid signature as described before. Note also that no secret-value queries or public-key-replacement queries on $ID^*$ are allowed.

Forgery: Finally, $\mathcal{B}_{II}$ outputs $(ID^*, M^*, \sigma^*, pk_{ID^*})$. We say that $\mathcal{B}_{II}$ wins Game 2 if
1. $\sigma^*$ is a valid signature of a message $M^*$ under identity $ID^*$ and the corresponding public key $pk_{ID^*}$;
2. $(ID^*, M^*, pk_{ID^*})$ never appears as one of the sign queries.

We define $\mathcal{B}_{II}$'s success probability by
$$\mathrm{Succ}^{\mathrm{EUF\text{-}CLTHS\text{-}CMA}}_{\mathrm{CLTHS},\mathcal{B}_{II}}(k) = \Pr[V(\mathit{params}, ID^*, M^*, \sigma^*) = \mathrm{valid}].$$

An attacker $\mathcal{B}_{II}$ is said to $(t_{CMA}, q_{SV}, q_{PKR}, q_S, \epsilon)$-break a certificateless threshold signature scheme if it runs in time at most $t_{CMA}$, and can make at most $q_{SV}$ secret-value queries, $q_{PKR}$ public-key-replacement queries, $q_S$ sign queries, and the success probability $\mathrm{Succ}^{\mathrm{EUF\text{-}CLTHS\text{-}CMA}}_{\mathrm{CLTHS},\mathcal{B}_{II}}(k)$ is at least $\epsilon$. Note that the running time and the number of queries are all polynomials in the security parameter $k$.

We now define the existential unforgeability of CLTHS against adaptively chosen message attacks, which we call EUF-CLTHS-CMA.

Definition 2 (EUF-CLTHS-CMA). A certificateless threshold signature scheme CLTHS is said to be EUF-CLTHS-CMA secure if the success probability of any polynomially bounded adversary in the above two games is negligible. Accordingly, we use EUF-CLS-CMA to mean the existential unforgeability of a CLS against adaptively chosen message attacks.

    3.2. Relationship between EUFCLTHSCMA and EUFCLSCMA

In order to prove the unforgeability of a CLTHS scheme, we use the concept of a simulatable adversary view. Intuitively, this means that for every adversary there is a simulator that, on input the public value and all information of the corrupted players, can produce an output distribution which is computationally indistinguishable from the view of the adversary that interacts with honest players in a regular run of the protocol ending with that public value as its public output. In other words, the run of the protocol provides no useful information to the adversary beyond the public information.

Motivated by Gennaro et al.'s [9] methodology for proving the security of threshold signature schemes, we define the simulatability of CLTHS as follows.

Definition 3 (Simulatability of CLTHS). Let CLTHS = (GC, EX, DK, GS, PK, S, V) be a certificateless (t, n) threshold signature scheme. The scheme CLTHS is said to be simulatable if the following properties hold.

1. The protocol DK is simulatable. That is, there exists a simulator SIM_DK that, on input the public output of GC of CLTHS, an identity ID, the t − 1 partial private key shares for ID held by the corrupted signature generation servers, and the public information $\{vsk^i_{ID}\}_{i=1,\dots,n}$ associated with the partial private key ppk_ID, can simulate the view of the attacker on an execution of DK of CLTHS that ends with $\{vsk^i_{ID}\}_{i=1,\dots,n}$ as the public output.

2. The protocol GS is simulatable. That is, there exists a simulator SIM_GS that, on input the public output of GC of CLTHS, an identity ID, the t − 1 secret value shares for ID held by the corrupted signature generation servers, and the public value pk_ID associated with the secret value x_ID, can simulate the view of the attacker on an execution of GS of CLTHS that generates the given pk_ID as the public output.

3. The protocol S is simulatable. That is, there exists a simulator SIM_S that, on input the public output of GC of CLTHS, an identity ID, a message M and a signature σ on M, the t − 1 partial private key shares and t − 1 secret value shares for ID held by the corrupted signature generation servers, and the public outputs of DK and GS of CLTHS, can simulate the view of the attacker on an execution of S of CLTHS that generates σ as output.

We state and prove the following theorem regarding the relationship between the security of CLTHS and that of the underlying CLS. The theorem shows that an EUF-CLS-CMA secure certificateless signature scheme can be used as a building block to construct an EUF-CLTHS-CMA secure certificateless threshold signature scheme as long as simulatability is ensured.

H. Yuan et al. / Information Sciences 180 (2010) 4714–4728 4719

Theorem 1. If the CLTHS scheme is simulatable and the underlying CLS scheme is EUF-CLS-CMA secure, then CLTHS is EUF-CLTHS-CMA secure. More precisely,
$\mathrm{Succ}^{\text{EUF-CLTHS-CMA}}_{\text{CLTHS}}(t_{CMA}) \le \mathrm{Succ}^{\text{EUF-CLS-CMA}}_{\text{CLS}}(t'_{CMA}),$
where $t'_{CMA} = t_{CMA} + T_{SIM_{DK}} + T_{SIM_{GS}} + T_{SIM_{S}}$. Here $T_{SIM_{DK}}$, $T_{SIM_{GS}}$ and $T_{SIM_{S}}$ denote the running times of the simulators SIM_DK, SIM_GS and SIM_S, respectively.

Proof. Let B_I and B_II denote the two types of attackers that wish to break the EUF-CLTHS-CMA security of the CLTHS scheme. Let A_I and A_II denote the two types of attackers against the underlying (non-threshold) CLS scheme. The proof consists of two parts, depending on the type of attacker.

    Part 1 (for Type I Attacker).

Our aim is to show that if there exists an attacker B_I that can break the EUF-CLTHS-CMA security of the CLTHS scheme, then there inevitably exists an attacker A_I that can break the EUF-CLS-CMA security of the underlying CLS scheme. To prove this, we show how the view of B_I in the real attack Game 1 of EUF-CLTHS-CMA defined in Section 3.1, which we denote by G_B, can be simulated to obtain a new game G_A that is related to the ability of the attacker A_I to defeat the EUF-CLS-CMA security of the underlying CLS scheme, under the assumption that CLTHS is simulatable (the security model for the Type I adversary of a CLS scheme can be found in [25]). To achieve this, we regard A_I as the challenger in game G_B; queries issued by B_I are sent directly to A_I, who uses B_I to attack the underlying CLS scheme.

Game G_B: As mentioned before, this game is identical to the real attack Game 1 described in Section 3.1. We denote by E_B the event that B_I outputs a valid message/signature pair as a forgery, and use the analogous notation E_A for Game G_A. Since Game G_B is the same as the real attack game, we have
$\Pr[E_B] = \mathrm{Succ}^{\text{EUF-CLTHS-CMA}}_{\text{CLTHS},B_I}(k).$

Game G_A: First, we replace the system parameters params in G_B by the corresponding system parameters in G_A. Note that neither A_I nor B_I has knowledge of the master secret key msk. We then handle the queries of Phase 2 of the attack Game 1 as follows.

Whenever B_I issues a partial private key query PPK(ID) or a secret-value query SV(ID), A_I forwards the query to its challenger. On receiving ID, the challenger runs the partial-private-key-extract (resp. set-secret-value) protocol of CLS on input ID and responds with the resulting partial private key ppk_ID (resp. secret value x_ID). A_I then sends ppk_ID (resp. x_ID) to B_I. (Note that the secret-value query is answered with ⊥ if the user's public key has been replaced.)

If B_I issues a public-key-replacement query PKR(ID, pk'_ID), A_I forwards the query to its challenger and then updates pk_ID to pk'_ID.

If B_I issues a sign query S(ID, M, pk_ID), A_I forwards the query to its challenger to obtain a corresponding signature σ. Having obtained σ, A_I runs SIM_S on input params, the outputs generated by SIM_DK and SIM_GS (which include the t − 1 corrupted partial private key shares and secret value shares), the identity ID, and the message/signature pair (M, σ). A_I then sends the output of SIM_S to B_I.

If B_I submits a target identity ID*, A_I runs SIM_DK (taking params and ID* as input) to simulate the view of B_I, and forwards ID* as the target identity to its challenger. (Note that during the execution of SIM_DK, B_I is given the t − 1 partial private key shares of the corrupted signature generation servers. Note also that A_I does not make a partial private key request on ID*, and hence does not know the value ppk_{ID*}.) Then B_I issues public-key-replacement and sign queries on ID*. There is no need for B_I to issue a secret-value query on ID*, because it may have chosen a secret value itself to generate a new public key. For such queries, A_I responds as defined in Section 3.1.

If B_I outputs (ID*, M*, σ*, pk_{ID*}) in the Forgery phase, A_I sets (ID*, M*, σ*, pk_{ID*}) as its own forgery.

Note that B_I's view in the real attack game is identical to its view in Game G_A as long as CLTHS is simulatable. Hence we have
$\Pr[E_B] \le \Pr[E_A].$
By the definitions of Pr[E_B] and Pr[E_A], we have
$\mathrm{Succ}^{\text{EUF-CLTHS-CMA}}_{\text{CLTHS},B_I}(k) \le \mathrm{Succ}^{\text{EUF-CLS-CMA}}_{\text{CLS},A_I}(k).$

    Part 2 (for Type II Attacker).

Similar to the case of the Type I attacker, we show how the view of B_II in the real attack (Game 2 of EUF-CLTHS-CMA defined in Section 3.1), which we denote by G'_B, can be simulated to obtain a new game G'_A in which the attacker A_II can break the EUF-CLS-CMA security of the CLS scheme, under the assumption that CLTHS is simulatable (the security model for the Type II adversary of a CLS scheme can be found in [25]). To achieve this, we regard the attacker A_II as the challenger in game G'_B. Queries issued by B_II are sent directly to A_II, who uses its own challenger in game G'_A to generate correct responses.

Game G'_B: As mentioned before, this game is identical to the real attack Game 2 described in Section 3.1. We denote by E'_B the event that B_II outputs a valid message/signature pair as a forgery, and use the analogous notation E'_A for Game G'_A. Since Game G'_B is the same as the real attack game, we have
$\Pr[E'_B] = \mathrm{Succ}^{\text{EUF-CLTHS-CMA}}_{\text{CLTHS},B_{II}}(k).$

Game G'_A: First, we replace the system parameters params and the master secret key msk in G'_B by the corresponding system parameters and master secret key in G'_A. We then handle the queries of Phase 2 of the attack Game 2 as follows.

Whenever B_II issues a secret-value query SV(ID), A_II forwards the query to its challenger. On receiving ID, the challenger runs the set-secret-value algorithm of CLS on input ID and returns the resulting secret value x_ID, which A_II sends to B_II. (The query is answered with ⊥ if the user's public key has been replaced.)

If B_II issues a public-key-replacement query PKR(ID, pk'_ID), A_II forwards the query to its challenger and then updates pk_ID to pk'_ID.

If B_II issues a sign query S(ID, M, pk_ID), A_II forwards the query to its challenger to obtain a corresponding signature σ. Having obtained σ, A_II runs SIM_S on input params, the outputs generated by SIM_DK and SIM_GS (which include the t − 1 corrupted partial private key shares and secret value shares), the identity ID, and the message/signature pair (M, σ). A_II then sends the output of SIM_S to B_II.

Once B_II submits a target identity ID*, it may issue sign queries on ID*, which are answered in the same way as described above. Note that B_II is not allowed to issue a public-key-replacement query or a secret-value query on ID*: since B_II already holds msk, allowing either query would give it the full signing key of ID*.

If B_II outputs (ID*, M*, σ*, pk_{ID*}) in the Forgery phase, A_II sets it as its own forgery. Note from the simulation that B_II's view in the real attack game is identical to its view in Game G'_A as long as CLTHS is simulatable. Hence we have
$\Pr[E'_B] \le \Pr[E'_A].$
By the definitions of Pr[E'_B] and Pr[E'_A], we have
$\mathrm{Succ}^{\text{EUF-CLTHS-CMA}}_{\text{CLTHS},B_{II}}(k) \le \mathrm{Succ}^{\text{EUF-CLS-CMA}}_{\text{CLS},A_{II}}(k).$ □

4. Building blocks

4.1. Zhang–Zhang certificateless signature scheme

We first review the Zhang–Zhang certificateless signature scheme [25], which we denote by ZZ-CLS. We will use it as the basic certificateless signature scheme from which our certificateless threshold signature scheme in Section 5 is constructed. Note that the ZZ-CLS scheme was proven secure in the strongest security model for CLS schemes, assuming the hardness of the CDH problem over groups with bilinear maps.

Key/system parameter generation algorithm GC(k): This algorithm is run by the KGC to generate its master secret key msk and the list of system parameters params.

Choose a cyclic additive group G_1 generated by P with prime order q, a cyclic multiplicative group G_2 of the same order, and a bilinear map $e : G_1 \times G_1 \to G_2$.
Pick a random $k \in \mathbb{Z}_q$ as the master secret key and set $P_{pub} = kP$.
Choose three cryptographic hash functions $H_1 : \{0,1\}^* \to G_1$, $H_2 : \{0,1\}^* \to \mathbb{Z}_q$ and $H_3 : \{0,1\}^* \to \mathbb{Z}_q$.
Keep k secret and publish $params = (G_1, G_2, e, P, P_{pub}, H_1, H_2, H_3)$.

Partial private key extraction algorithm EX(params, msk, ID): This algorithm is run by the KGC to generate the partial private key associated with ID.

Compute $Q_{ID} = H_1(ID \,\|\, P)$.
Output the partial private key $D_{ID} = k\,Q_{ID}$.

Secret value setting algorithm GS(params, ID): This algorithm takes as input params and a user's identity ID. It selects a random $x_{ID} \in \mathbb{Z}_q$ and outputs x_ID as the user's secret value.

Public key extraction algorithm PK(params, ID, x_ID): This algorithm takes params, a user's identity ID and the user's secret value x_ID as input. It produces the user's public key $P_{ID} = x_{ID} P$.

Signature generation algorithm S(params, D_ID, x_ID, M): To sign a message M using the partial private key D_ID and the secret value x_ID, the signer, whose identity is ID and whose public key is P_ID, performs the following steps.

Choose a random $r \in \mathbb{Z}_q$ and compute $R = rP$.
Compute $u = H_2(R \,\|\, P_{ID} \,\|\, M)$ and $v = H_3(R \,\|\, P_{ID} \,\|\, M)$.
Compute $V = (u\,x_{ID} + r)\,Q_{ID} + v\,D_{ID}$.
Output $\sigma = (R, V)$ as the signature on M.

Signature verification algorithm V(params, ID, P_ID, M, σ): To verify a signature σ on a message M for an identity ID and public key P_ID, the verifier performs the following steps.

Compute $Q_{ID} = H_1(ID \,\|\, P)$, $u = H_2(R \,\|\, P_{ID} \,\|\, M)$ and $v = H_3(R \,\|\, P_{ID} \,\|\, M)$.
Verify $e(V, P) = e(u\,P_{ID} + v\,P_{pub} + R,\; Q_{ID})$. If the equation holds, output Valid; otherwise, output Invalid.
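The following worked check of the verification equation is added here and is not part of the original paper. It uses only the signing steps above, bilinearity $e(aX, bY) = e(X, Y)^{ab}$, and the fact that the pairing on $G_1 \times G_1$ used by the scheme is symmetric (the verification equation implicitly relies on this when it swaps the arguments):

$$
\begin{aligned}
e(V, P) &= e\big((u\,x_{ID} + r)\,Q_{ID} + v\,D_{ID},\; P\big) \\
        &= e\big((u\,x_{ID} + r + v\,k)\,Q_{ID},\; P\big) && (D_{ID} = k\,Q_{ID}) \\
        &= e\big(Q_{ID},\; (u\,x_{ID} + r + v\,k)\,P\big) \\
        &= e\big(Q_{ID},\; u\,P_{ID} + R + v\,P_{pub}\big) && (P_{ID} = x_{ID}P,\; R = rP,\; P_{pub} = kP) \\
        &= e\big(u\,P_{ID} + v\,P_{pub} + R,\; Q_{ID}\big).
\end{aligned}
$$

Two points a verifier implementation should not lose: the verifier never needs $x_{ID}$ or $D_{ID}$, only the public $P_{ID}$, $P_{pub}$ and the hash of $ID$; and because $P_{ID}$ is an input to both $H_2$ and $H_3$, a signature computed under one public key does not verify after the public key is replaced, which is the property the Type I (public-key-replacement) adversary of Section 3.1 attacks.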

4.2. Review of secret-sharing over a group G_1

In order to construct a certificateless threshold signature scheme from the above ZZ-CLS scheme, we need to share the partial private key D_ID among the signature generation servers. This can be achieved by using the (t, n) secret-sharing scheme over the group G_1 presented in [2]. Due to space limitations, we omit the details of this technique; readers are referred to [2] for a detailed explanation.

    4.3. Review of computationally secure verifiable secret-sharing protocol based on the bilinear map

In cryptography, a secret-sharing scheme is called verifiable if auxiliary information is included that allows the players to verify that their shares are consistent. More formally, verifiable secret sharing (VSS) ensures that, even if the dealer is malicious, there is a well-defined secret that the players can later reconstruct. For threshold signature schemes, verifiable secret sharing is a useful tool for preventing malicious attacks; in other words, VSS gives threshold signature schemes robustness. Various solutions to verifiable secret sharing have been known and used for a long time. However, since our certificateless threshold signature scheme is based on bilinear maps, we make use of a scheme proposed by Baek and Zheng [3], motivated by Feldman's VSS scheme [8], which we call the computationally secure verifiable secret-sharing protocol based on the bilinear map (Comp-Secure-VSSBP). This protocol will be used to distribute a user's partial private key D_ID of the ZZ-CLS scheme among a number of signature generation servers. We describe Comp-Secure-VSSBP in Fig. 1.

The following lemma states the correctness of the protocol Comp-Secure-VSSBP.

Lemma 1. In Comp-Secure-VSSBP, the shares held by all uncorrupted participants interpolate to a unique PLF of degree t − 1, and any t or more of these shares can reconstruct the secret S.

The protocol Comp-Secure-VSSBP is computationally secure in the sense that the value $a_0 = e(S, P)$ is revealed during the execution of the protocol, and hence the secrecy of S depends on the computational assumption that it is hard for an attacker to obtain S from $e(S, P)$, which is the mGBI assumption. As mentioned in Section 2.2, the mGBI assumption is implied by the CDH assumption, so the security of Comp-Secure-VSSBP can be regarded as based on the hardness of the CDH problem.

Lemma 2. In Comp-Secure-VSSBP, an attacker that learns fewer than t shares of the secret S obtains no information about S, assuming that the CDH problem is computationally intractable.

Please refer to [3] for detailed proofs of the two lemmas.

    Fig. 1. Computationally secure verifiable secret-sharing protocol based on the bilinear map.


4.4. Distributed secret value generation protocol for our scheme

Distributed secret key generation is a main component of threshold cryptosystems. It allows a set of n servers to jointly generate a pair of public and secret keys according to the distribution defined by the underlying cryptosystem, without ever computing, reconstructing or storing the secret key in any single location and without assuming any trusted party (dealer). While the public key is output in the clear, the secret key is maintained as a (virtual) secret shared via a threshold scheme. Solutions to the distributed generation of private keys for discrete-log based cryptosystems have been studied in [5,10]. Here we construct a distributed secret-value generation protocol for the CLTHS scheme (DSG), which is very similar to Gennaro et al.'s [10] distributed key generation protocol for discrete-logarithm based cryptographic schemes.

Fig. 2. Distributed secret-value generation protocol for the CLTHS scheme.

The differences between them are as follows. Firstly, the domain of the public value is changed from $\mathbb{Z}_p$ to G_1: while our protocol allows a set of n servers to jointly generate a secret $s \in \mathbb{Z}_q$ whose corresponding public value is $c = sP \in G_1$, a predetermined set of parties in Gennaro et al.'s protocol jointly generate a secret $k \in \mathbb{Z}_q$ whose corresponding public value is $y = g^k \in \mathbb{Z}_p$. Secondly, the broadcast information and the verification equation are likewise changed from $\mathbb{Z}_p$ to G_1. Lastly, the computation of $A_{nk}$ is different in the simulator constructed to prove the security of DSG.

We use a variant of the non-interactive and information-theoretically secure VSS protocol due to Pedersen [17] as a building block in our solution; it tolerates up to t − 1 malicious faults without revealing any information on the secret, and we denote it by Pedersen-VSS. Due to lack of space, we do not describe Pedersen-VSS explicitly here, as its description is implicitly contained in Step 1 of our DSG protocol.

Suppose that the threshold t and the number n of parties satisfy $1 \le t \le n < q$. Let (G_1, q, P) be the common parameters, as defined in Section 2.1. Our protocol DSG is depicted in detail in Fig. 2.

    Fig. 3. Simulator for the distributed secret value generation protocol DSG.


The correctness and security of DSG (see [10] for detailed definitions) can be proven in the same way as for the protocol in [10]. For simplicity, we only present the correctness statement (Lemma 3) and a modified simulator SIM-DSG in Fig. 3; the concrete proof is omitted.

From the protocol we know that the generated secret is $s \in \mathbb{Z}_q$ and its corresponding public value is $c = sP \in G_1$. At the end, C_i holds the secret shares $x_i, x'_i$, i = 1, ..., n. The public information $C_{ik}, A_{ik}, A_k$, i = 1, ..., n, k = 0, ..., t − 1, is known to all parties. It is easy to see that
$x_i P = \sum_{k=0}^{t-1} i^k A_k.$
In our threshold signature scheme in Section 5, this protocol is employed by the n signature generation servers to generate the secret value x_ID of an identity ID as well as the random number r used in the signing phase.

Lemma 3 (Correctness). In the above protocol DSG, all subsets of t shares provided by honest parties define the same unique secret key s, and all honest parties hold the same public key c = sP, where s is uniformly distributed in $\mathbb{Z}_q$.

    Lemma 4 (Secrecy). In the above protocol DSG, no information on s can be learned by the adversary except for that implied by

    the value c = sP.

    From the above lemmas we derive the following theorem.

    Theorem 2. Protocol DSG in Fig. 2 is a secure protocol for distributed secret value generation, namely it satisfies the above

    correctness and secrecy requirements with threshold t.
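The two building blocks reviewed in Sections 4.3 and 4.4 (verifiable sharing of a secret, and dealer-free generation of a shared secret with a public value, which Section 5 also reuses for the signing nonce r) are easiest to see in running code. The block below is an added example written for this page; it is not the authors' protocol and not code from [3] or [10]. Its assumptions: the group is the order-q subgroup of $\mathbb{Z}_p^*$ generated by g, with the toy safe prime p = 1019 (far too small for real use), in place of the pairing group G_1, so the paper's checks $x_i P = \sum_k i^k A_k$ and $c = sP$ become $g^{x_i} = \prod_k A_k^{i^k}$ and $c = g^s$; the shared values are scalars checked Feldman-style rather than G_1 elements checked through the pairing; and the complaint phase of DSG is collapsed to dropping any dealer whose shares fail verification. All function and constant names are the example's own.

```python
"""Feldman-style verifiable secret sharing and a simplified Gennaro-style
distributed key generation over a toy prime-order subgroup of Z_p^*.

Added example for Sections 4.3 and 4.4 of the paper; NOT the paper's protocol.
The pairing group G1 is replaced by the order-q subgroup generated by g, so
every G1 check of the form  X = sum_k i^k A_k  becomes  g^x = prod_k A_k^{i^k}.
"""
import secrets

P_MOD = 1019   # toy safe prime p = 2q + 1 (assumption; real deployments use 2048-bit+)
Q_ORD = 509    # prime order q of the subgroup; all shares live in Z_q
GEN = 4        # 4 = 2^2 is a square mod p, hence generates the order-q subgroup


def eval_poly(coeffs, x):
    """Evaluate a_0 + a_1 x + ... + a_{t-1} x^{t-1} over Z_q."""
    return sum(a * pow(x, k, Q_ORD) for k, a in enumerate(coeffs)) % Q_ORD


def deal(secret, t, n):
    """Dealer side of a (t, n) sharing: a random polynomial of degree t-1 with
    constant term `secret`; returns shares {i: f(i)} for i = 1..n and the
    public commitments A_k = g^{a_k} that let anyone check a share."""
    coeffs = [secret % Q_ORD] + [secrets.randbelow(Q_ORD) for _ in range(t - 1)]
    shares = {i: eval_poly(coeffs, i) for i in range(1, n + 1)}
    commits = [pow(GEN, a, P_MOD) for a in coeffs]
    return shares, commits


def verify_share(i, share, commits):
    """Feldman check g^{share} == prod_k A_k^{i^k}: the share is consistent
    with the committed polynomial.  A share altered by a dishonest dealer or
    in transit fails this test."""
    rhs = 1
    for k, a_k in enumerate(commits):
        rhs = rhs * pow(a_k, pow(i, k, Q_ORD), P_MOD) % P_MOD
    return pow(GEN, share, P_MOD) == rhs


def lagrange_coeff(i, members):
    """pi_{U,0,i} = prod_{j in U, j != i} j / (j - i) mod q, the coefficient
    that weights share i when recovering f(0) (the form used in Section 5)."""
    num = den = 1
    for j in members:
        if j != i:
            num = num * j % Q_ORD
            den = den * (j - i) % Q_ORD
    return num * pow(den, -1, Q_ORD) % Q_ORD


def reconstruct(shares):
    """Recover f(0) from any |U| >= t shares given as {i: f(i)}."""
    members = list(shares)
    return sum(lagrange_coeff(i, members) * shares[i] for i in members) % Q_ORD


def dkg(t, n):
    """Dealer-free generation of a shared secret s with public value g^s.
    Every party i deals its own random z_i; party j's final share is the sum
    of the verified shares it received; the public coefficients are the
    products of the qualified dealers' commitments, so public_commits[0] = g^s.
    The joint secret is returned ONLY so the caller can check the invariants;
    in a real run no party ever holds it."""
    z_values = [secrets.randbelow(Q_ORD) for _ in range(n)]
    dealers = [deal(z, t, n) for z in z_values]
    # Qualified set: dealers all of whose shares pass the Feldman check.
    qual = [idx for idx, (shares, commits) in enumerate(dealers)
            if all(verify_share(j, shares[j], commits) for j in range(1, n + 1))]
    final_shares = {j: sum(dealers[idx][0][j] for idx in qual) % Q_ORD
                    for j in range(1, n + 1)}
    public_commits = []
    for k in range(t):
        acc = 1
        for idx in qual:
            acc = acc * dealers[idx][1][k] % P_MOD
        public_commits.append(acc)
    joint_secret = sum(z_values[idx] for idx in qual) % Q_ORD
    return final_shares, public_commits, joint_secret
```

`dkg(t, n)` plays the role of one DSG run: `final_shares[j]` is party j's share (x^j_ID, or r_j in the signing protocol), `public_commits[0]` is the public value (P_ID, or R), and `public_commits[k]` is the k-th public coefficient (pk^k_ID, or R_k) against which `verify_share` checks any party's share, exactly as the partial signature check of Section 5 does with $\sum_j i^j pk^j_{ID}$ and $\sum_j i^j R_j$. Reconstruction is shown only to exhibit the Lagrange coefficient; a signing server never reconstructs the secret, it applies the same coefficients to the signature shares.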

5. Our certificateless threshold signature scheme

With the building blocks presented in the previous section, we now construct a certificateless threshold signature scheme based on the bilinear map, which we call CLTHS-BP. CLTHS-BP consists of the following algorithms and protocols. For simplicity, we omit the details of the sub-protocols Comp-Secure-VSSBP and DSG and only describe the significant information resulting from them.

Key/system parameter generation algorithm GC(k): Given a security parameter k, the KGC performs the following:

Choose a cyclic additive group G_1 generated by P with prime order q, a cyclic multiplicative group G_2 of the same order, and a bilinear map $e : G_1 \times G_1 \to G_2$.
Pick a random $k \in \mathbb{Z}_q$ as the master secret key and set $P_{pub} = kP$.
Choose three cryptographic hash functions $H_1 : \{0,1\}^* \to G_1$, $H_2 : \{0,1\}^* \to \mathbb{Z}_q$ and $H_3 : \{0,1\}^* \to \mathbb{Z}_q$.
Keep k secret and publish $params = (G_1, G_2, e, P, P_{pub}, H_1, H_2, H_3)$.

Partial private key extraction algorithm EX(params, msk, ID): This algorithm is run by the KGC to generate the partial private key associated with ID. Compute $Q_{ID} = H_1(ID \,\|\, P)$ and output the partial private key $D_{ID} = k\,Q_{ID}$.

Partial private key distribution protocol DK(params, msk, ID, n, t): A trusted user (as discussed in Section 2.3, this user could be the KGC itself) who possesses the partial private key D_ID associated with an identity ID performs the following:

Run Comp-Secure-VSSBP on input $(G_1, q, e, P, P_{pub}, H_1, t, n, D_{ID})$ to share D_ID among the n signature generation servers, denoted by C_1, C_2, ..., C_n.
Denote the partial private key share of C_i by $D^i_{ID}$ for i = 1, ..., n.
Denote the public verification information output at the end of the execution of Comp-Secure-VSSBP by $a_0, a_1, \dots, a_{t-1}$, where t is the threshold.

Distributed secret value generation protocol GS(params, ID, n, t): The signature generation servers C_i perform the following steps to jointly generate a secret value x_ID for an identity ID:

Taking (G_1, q, P, t, n) as input, all signature generation servers execute DSG to jointly generate a secret value x_ID and a public value $P_{ID} = x_{ID} P$. (Note that the public value P_ID is exactly the public key we want to generate in the next protocol.)
Denote the resulting share held by server C_i by $x^i_{ID}$ for i = 1, ..., n.
Denote the public verification information output at the end of the execution of DSG by $pk^k_{ID} = \sum_{i \in J} A_{ik}$ for k = 0, ..., t − 1. Note that $pk^0_{ID} = P_{ID}$.

Public key extraction protocol PK(params, ID, x_ID): The user's public key P_ID corresponding to the secret value x_ID is obtained directly from the above protocol without any additional computation. As shown in protocol DSG, the public information of the secret value is the public key P_ID, which is exactly what we need.

Signature generation protocol S(params, $D^i_{ID}$, $x^i_{ID}$, M): Each signature generation server C_i performs the following to jointly generate a signature on a given message M:

Run DSG to jointly generate a secret random value $r \in \mathbb{Z}_q$ and a public value $R = rP$.
Denote by $r_i$ the resulting share held by server C_i, i = 1, ..., n.
Denote the public verification information output at the end of the execution of DSG by $R_k = \sum_{i \in J} A_{ik}$ for k = 0, ..., t − 1. Note that $R_0 = R$.
Compute $u = H_2(R \,\|\, P_{ID} \,\|\, M)$ and $v = H_3(R \,\|\, P_{ID} \,\|\, M)$.
Broadcast $V_i = (u\,x^i_{ID} + r_i)\,Q_{ID} + v\,D^i_{ID}$. Anyone can verify the validity of C_i's signature share by checking
$e(V_i, P) = \Big(\prod_{j=0}^{t-1} a_j^{\,i^j}\Big)^{v} \cdot e\Big(u \sum_{j=0}^{t-1} i^j\, pk^j_{ID} + \sum_{j=0}^{t-1} i^j R_j,\; Q_{ID}\Big).$
Construct V by computing $V = \sum_{i \in U} \pi_{U,0,i}\, V_i$, where U is a set of servers whose shares passed the check, $|U| \ge t$, and
$\pi_{U,0,i} = \prod_{j \in U,\, j \ne i} \frac{j}{j - i} \bmod q$
is the Lagrange coefficient.
Output $\sigma = (R, V)$ as the whole signature on M.

Signature verification algorithm V(params, ID, P_ID, M, σ): One can verify whether $\sigma = (R, V)$ is a valid signature of the entity with identity ID and public key P_ID on message M by performing the following steps:

Compute $Q_{ID} = H_1(ID \,\|\, P)$, $u = H_2(R \,\|\, P_{ID} \,\|\, M)$ and $v = H_3(R \,\|\, P_{ID} \,\|\, M)$.
Verify $e(V, P) = e(u\,P_{ID} + v\,P_{pub} + R,\; Q_{ID})$. If the equation holds, output Valid; otherwise, output Invalid.

Note that the algorithms GC, EX, PK and V of CLTHS-BP are the same as those of the ZZ-CLS scheme described in Section 4.1.
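The derivation below is added here and is not part of the original paper; it shows why the share check in protocol S accepts every honest share and why the Lagrange combination yields exactly the ZZ-CLS signature. It assumes the stated public outputs of the sub-protocols: from Comp-Secure-VSSBP, a correct share satisfies $e(D^i_{ID}, P) = \prod_{j=0}^{t-1} a_j^{\,i^j}$ (the share lies on the committed degree-(t−1) polynomial over $G_1$, with $a_0 = e(D_{ID}, P)$), and from the two DSG runs, $x^i_{ID}\,P = \sum_{j} i^j\, pk^j_{ID}$ and $r_i\,P = \sum_{j} i^j R_j$; the pairing is taken to be symmetric, as in the verification equation of Section 4.1.

$$
\begin{aligned}
e(V_i, P) &= e\big((u\,x^i_{ID} + r_i)\,Q_{ID},\; P\big)\cdot e\big(v\,D^i_{ID},\; P\big) \\
          &= e\big(Q_{ID},\; u\,x^i_{ID}P + r_i P\big)\cdot e\big(D^i_{ID}, P\big)^{v} \\
          &= e\Big(u \sum_{j=0}^{t-1} i^j\, pk^j_{ID} + \sum_{j=0}^{t-1} i^j R_j,\; Q_{ID}\Big)\cdot\Big(\prod_{j=0}^{t-1} a_j^{\,i^j}\Big)^{v}.
\end{aligned}
$$

For the combination, $x^i_{ID}$, $r_i$ and $D^i_{ID}$ are evaluations at $i$ of polynomials of degree $t-1$ with constant terms $x_{ID}$, $r$ and $D_{ID}$, and $V_i$ is linear in them with the same $u$, $v$ and $Q_{ID}$ for every server, so for any $U$ with $|U| \ge t$

$$
\sum_{i\in U}\pi_{U,0,i}\,V_i
= \Big(u\sum_{i\in U}\pi_{U,0,i}\,x^i_{ID} + \sum_{i\in U}\pi_{U,0,i}\,r_i\Big)Q_{ID} + v\sum_{i\in U}\pi_{U,0,i}\,D^i_{ID}
= (u\,x_{ID} + r)\,Q_{ID} + v\,D_{ID} = V,
$$

which is the $V$ of a single-signer ZZ-CLS signature on $M$ under $(R, P_{ID})$, so the verification algorithm of Section 4.1 applies unchanged. Operationally this is the robustness argument: the check exposes any server that broadcasts a $V_i$ inconsistent with its own committed shares, such a server is simply left out of $U$, and the signature is still produced provided at least $t$ shares pass the check.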

6. Security analysis of the proposed scheme

In this section, we prove the security of the proposed CLTHS-BP. According to Theorem 1, we only need to show that the underlying certificateless signature scheme ZZ-CLS is EUF-CLS-CMA secure and that CLTHS-BP is simulatable. As mentioned before, the ZZ-CLS scheme has been proven EUF-CLS-CMA secure against super adversaries assuming that the CDH problem is intractable [25]. Thus, we only need to prove the following lemma.

Lemma 5. The proposed CLTHS-BP is simulatable.

Proof. We describe the three simulators SIM_DK, SIM_GS and SIM_S of CLTHS-BP that establish the simulatability of our scheme. The simulator SIM_DK for the partial private key distribution protocol DK of CLTHS-BP can be constructed in the same way as the simulator in [3] for the proof of the verifiable secret-sharing scheme (CVSSBM), which ensures the security of Comp-Secure-VSSBP. Similarly, the simulator SIM_GS for the distributed secret value generation protocol GS of CLTHS-BP can be constructed in the same way as in the proof of Theorem 2, which ensures the security of DSG.

Now we present the simulator SIM_S for the signature generation protocol S of CLTHS-BP. As described in Fig. 4, the simulator SIM_S takes as input the public output of protocol GC of CLTHS-BP, an identity ID, a signature (R, V) on a message M, the t − 1 partial private key shares $D^1_{ID}, \dots, D^{t-1}_{ID}$ and the t − 1 secret value shares $x^1_{ID}, \dots, x^{t-1}_{ID}$ held by the corrupted signature generation servers, and the public outputs $a_0, a_1, \dots, a_{t-1}, pk^0_{ID}, pk^1_{ID}, \dots, pk^{t-1}_{ID}$ of DK and GS, and generates valid transcripts of the signature generation protocol S of CLTHS-BP. From the adversary's view, these transcripts are computationally indistinguishable from the actual transcripts generated during an execution of the protocol.

We exhibit the proof by analyzing the information generated by the signature generation protocol S and by the simulator SIM_S in each step (the numbering of steps corresponds to that of the signature generation protocol S).

For Step 1, both the protocol and the simulator execute a distributed generation of a random secret value using unconditionally secure verifiable secret sharing. The simulatability of this step follows from the simulatability of DSG, which has been proved previously.

For Steps 2 and 5, the outputs are evidently identically distributed, since the operations are identical.

For Steps 3 and 4, the broadcast values V_1, ..., V_n generated by protocol S interpolate to a uniformly distributed value in G_1. The signature shares $V'_1, \dots, V'_n$ output by SIM_S interpolate to a value V which is uniformly distributed in G_1. We also have $V'_i = (u\,x^i_{ID} + r'_i)\,Q_{ID} + v\,D^i_{ID}$ for i = 1, ..., t − 1, and hence each $V'_i$ is generated in the same manner as V_i (Step 3 in SIM_S). □

Due to Theorem 1, Lemma 5 and the unforgeability of ZZ-CLS (as proved in [25]), we obtain the following theorem.

Theorem 3. CLTHS-BP is existentially unforgeable against adaptively chosen message attacks, under the assumption that the CDH problem on G_1 is intractable.


    7. Conclusion

In this paper, we discuss the issues related to threshold signatures in certificateless public key cryptography. A stronger security model for certificateless threshold signatures is presented; in our new model, adversaries are more powerful than those considered in other security models for certificateless threshold signature schemes. To make security proofs easy and convenient, we establish the simulatability theorem for certificateless threshold signature schemes. We also propose a new certificateless threshold signature scheme from bilinear maps. The new scheme contains several improvements over the existing ones [21,22]. We use a secure verifiable secret-sharing protocol to share the partial private key among the signature generation servers, which helps to detect misbehaviour during the sharing phase. To share the secret value, we employ information-theoretically secure distributed key generation, so that no single party ever holds the group's secret value. These techniques not only greatly enhance the robustness of our scheme but also ensure its simulatability. Three simulators (in particular the simulator for the signature generation protocol) are constructed to show the simulatability of the proposed certificateless threshold signature scheme. The simulatability demonstrates that our threshold signature scheme is provably secure against the strongest adversaries in the random oracle model, provided that the CDH problem is hard. Our scheme is efficient and has a signature length of only two elements of G_1, which is much shorter than that of other certificateless threshold signature schemes. Thus, the proposed scheme is practical and can be applied in real applications where threshold signatures are needed in certificateless settings.

    Acknowledgments

The authors are very grateful to the anonymous reviewers for their valuable comments and suggestions. This research is supported by the Natural Science Foundation of China under Grant No. 60673070 and the Natural Science Foundation of Jiangsu Province under Grant No. BK2006217.

Fig. 4. Simulator for the signature generation protocol S of CLTHS-BP.

References

[1] S. Al-Riyami, K. Paterson, Certificateless public key cryptography, in: Proceedings of Asiacrypt 2003, Taipei, Taiwan, 2003, pp. 452–473.

[2] J. Baek, Y. Zheng, Identity-based threshold decryption, in: Proceedings of the 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, 2004, pp. 262–276.
[3] J. Baek, Y. Zheng, Identity-based threshold signature scheme from the bilinear pairings, in: Proceedings of the International Conference on Information Technology: Coding and Computing, Las Vegas, USA, 2004, pp. 124–128.
[4] A. Boldyreva, Efficient threshold signatures: multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme, in: Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography, Miami, FL, USA, 2003, pp. 31–46.
[5] M. Cerecedo, M. Matsumoto, H. Imai, Efficient and secure multiparty generation of digital signatures based on discrete logarithms, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E76-A (1993) 532–545.
[6] S. Chang, D.S. Wong, Y. Mu, Z. Zhang, Certificateless threshold ring signatures, Information Sciences 179 (20) (2009) 3685–3696.
[7] X. Chen, F. Zhang, D.M. Konidala, K. Kim, New ID-based threshold signature scheme from bilinear pairings, in: Proceedings of the 5th International Conference on Cryptology in India, Chennai, India, 2004, pp. 371–383.
[8] P. Feldman, A practical scheme for non-interactive verifiable secret sharing, in: Proceedings of the IEEE 28th Annual Symposium on the Foundations of Computer Science, Los Angeles, California, USA, 1987, pp. 427–437.
[9] R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Robust threshold DSS signatures, Information and Computation 164 (1) (2001) 54–84.
[10] R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Secure distributed key generation for discrete-log based cryptosystems, Journal of Cryptology 20 (1) (2007) 51–83.
[11] B. Hu, D. Wong, Z. Zhang, X. Deng, Key replacement attack against a generic construction of certificateless signature, in: Proceedings of the 11th Australasian Conference on Information Security and Privacy, Melbourne, Australia, 2006, pp. 235–246.
[12] X. Huang, W. Susilo, Y. Mu, F. Zhang, On the security of a certificateless signature scheme, in: Proceedings of the 4th International Conference on Cryptology and Network Security, Xiamen, China, 2005, pp. 13–25.
[13] X. Huang, Y. Mu, W. Susilo, D. Wong, W. Wu, Certificateless signature revisited, in: Proceedings of the 12th Australasian Conference on Information Security and Privacy, Townsville, Australia, 2007, pp. 308–322.
[14] J. Liu, M. Au, W. Susilo, Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model, in: Proceedings of the 2007 ACM Symposium on Information, Computer and Communications Security, Singapore, 2007, pp. 273–283.
[15] Z. Liu, Y. Hu, X. Zhang, H. Ma, Certificateless signcryption scheme in the standard model, Information Sciences 180 (3) (2010) 452–464.
[16] Y. Long, K. Chen, Efficient chosen-ciphertext secure certificateless threshold key encapsulation mechanism, Information Sciences 180 (7) (2010) 1167–1181.
[17] T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in: Proceedings of the 11th Annual International Cryptology Conference, Santa Barbara, CA, USA, 1991, pp. 129–140.

    [18] A. Shamir, Identity-Based cryptosystems and signature schemes, in: Proceedings of 4th Annual International Cryptology Conference, Santa Barbara, CA,

    USA, 1984, pp. 4753.

    [19] K.A. Shim, Breaking the short certificateless signature scheme, Information Sciences 179 (3) (2009) 303306.

    [20] D. Stinson, R. Strobl, Provably secure distributed Schnorr signatures and a (t, n) threshold scheme for implicit certificates, in: Proceedings of 6th

    Australasian Conference on Information Security and Privacy, Sydney, Australia, 2001, pp. 417434.

    [21] L. Wang, Z. Cao, X. Li, H. Qian, Simulatability and security of certificateless threshold signatures, Information Science 177 (2007) 13821394.

    [22] H. Xiong, Z. Qin, F. Li, Simulatability and security of certificateless threshold signature without random oracles, in: Proceedings of 2008 International

    Conference Computational Intelligence and Security, Suzhou, China, 2008, pp. 308313.

    [23] D. Yum, P. Lee Generic construction of certificateless signature, in: Proceedings of 9th Australasian Conference on Information Security and Privacy

    Sydney Australia, 2004, pp. 200211.

    [24] Z. Zhang, D. Wong, J. Xu, D. Feng, Certificateless public-key signature: security model and efficient construction, in: Proceedings of International

    Conference on Applied Cryptography and Network Security 2006, Singapore, 2006, pp. 293308.

    [25] L. Zhang, F. Zhang, A new provably secure certificateless signature scheme, in: Proceedings of IEEE International Conference on Communications,

    Beijing, China, 2008, pp. 1685-1689.

    [26] L. Zhang, F. Zhang, A new certificateless aggregate signature scheme, Computer Communications 32 (2009) 10791085.

    [27] L. Zhang, F. Zhang, Q. Wu, J. Domingo-Ferrer, Simulatable certificateless two-party authenticated key agreement protocol, Information Sciences 180 (6)(2010) 10201030.

    4728 H. Yuan et al. / Information Sciences 180 (2010) 47144728