Leakage-Resilient Certificateless Short Signature Scheme

Abstract: For a certificateless short signature scheme to be usable in practice, it should remain secure under various leakage attacks. In this paper, we present a new leakage-resilient certificateless short signature scheme whose security rests on the classical decisional Diffie-Hellman (DDH) assumption. Our scheme is a leakage-resilient signature scheme in which the amount of information an adversary can leak is bounded by a fixed upper bound. Moreover, the scheme enjoys a higher relative leakage rate and remains existentially unforgeable under adaptive chosen-message attack. Besides these performance features, we formally prove the security of our scheme in the random oracle model under the hardness of the DDH problem. With these properties, our proposal may be of value in practical applications. Compared to existing schemes, our scheme has two advantages: (1) it is a leakage-resilient certificateless short signature scheme; (2) the information an adversary can leak is bounded by a fixed maximum.


Introduction
Digital signatures, one of the most important components of cryptography, are the basic tool for protecting the integrity and authenticity of information. The digital signature grew out of the development of public key cryptography, and the security of the classical schemes rests on integer factorization and discrete logarithms. Signatures provide many applications with security services such as authentication, information integrity and non-repudiation of transactions, and they play an important role in electronic commerce, electronic voting and similar systems.
Digital signatures are one of the important tools for information integrity and identity authentication. Combined with encryption and message authentication, a digital signature lets a system resist attacks on the data it protects. On the one hand, digital signatures are used to verify that a message was actually sent by the claimed sender, which supports identification and authentication, authorization and access control. On the other hand, signature data held in memory or in transit may be interrupted, intercepted, tampered with or fabricated. Therefore, digital signatures are an important means of guaranteeing the authenticity of information.
In 1976, Diffie and Hellman [1] introduced the idea of public key cryptography and, with it, the concept of a digital signature. Although [1] proposed the digital signature on the basis of a public key cryptosystem, it did not give a concrete signature scheme. In 1978, Rivest, Shamir and Adleman proposed the first digital signature scheme [2], whose security is based on the integer factorization problem. Early digital signature schemes were also proposed by Lamport [3], Merkle [4] and Rabin [5].
After years of development, researchers have offered various efficient and secure digital signature schemes. Among them are classic schemes such as the ElGamal [6], Schnorr [7], DSA [8], Okamoto [9], Fiat-Shamir [10] and Nyberg-Rueppel [11] signature schemes, most of which are based on the discrete logarithm problem.
Then Miller [12] and Koblitz [13] independently established elliptic curve cryptography (ECC), which remains an active topic in public key cryptography. Its security is built upon the difficulty of solving the elliptic curve discrete logarithm problem. An elliptic curve digital signature is the analogue of a discrete-logarithm signature carried out in the elliptic curve group. Public key cryptosystems based on elliptic curve theory are divided into two types: elliptic curve digital signatures and hyperelliptic curve digital signatures. Many earlier signature algorithms based on discrete logarithms can be translated to the elliptic curve setting; for example, the well-known ECDSA signature scheme [14] is more efficient than DSA.
At present, public key cryptography is deployed on top of a public key infrastructure (PKI). A PKI is a set of services that use public key cryptography to provide data confidentiality, integrity and non-repudiation. However, with the widespread use of PKI, its reliability and security have become an obvious problem: a great deal of time and effort goes into issuing and managing certificates, especially in operating the certificate authority (CA).
To remove the cost that the traditional PKI incurs in transmitting and validating users' public key certificates, Shamir [15] proposed identity-based cryptography (IBC) in 1984. Soon a number of identity-based signature schemes [16][17][18][19] were proposed, but they were inefficient and therefore impractical. In 2000, Joux [20] proposed a one-round tripartite Diffie-Hellman key agreement protocol using bilinear pairings on supersingular elliptic curves, after which identity-based signature schemes built from bilinear pairings [21][22][23][24] became mainstream.
Since the appearance of identity-based signatures, much attention has been paid to identity-based public key cryptosystems because they reduce the cost of certificate management. They require, however, a trusted private key generator (PKG) that generates the private keys of all users, which raises the key escrow problem. Because the PKG knows every user's private key, a dishonest PKG can forge a warrant signature and a proxy signing key, impersonate the original signer, make a proxy signer sign messages on its behalf, and decrypt ciphertexts intended for any user. Once the PKG is compromised, the entire identity-based cryptosystem is paralysed, with a potentially huge economic loss for businesses, society and even a whole country. Solving the key escrow problem is therefore urgent.
Threshold cryptography provides a distributed secret key generation method [25][26][27] that can mitigate the key escrow problem, but none of these solutions was entirely satisfactory. In 2003, Al-Riyami and Paterson [28] proposed a new cryptosystem, certificateless public key cryptography (CLPKC). As in identity-based cryptography, CLPKC relies on a master key held by a key generation center (KGC), but the user's private key is produced jointly by the user and the KGC. Certificateless signature schemes thus avoid both the certificate management of traditional public key cryptography and the key escrow of identity-based cryptography. Since its invention, CLPKC has become a research hotspot and many certificateless schemes have been proposed [29][30][31].
A certificateless signature scheme is an important cryptographic primitive of CLPKC. The earliest certificateless signature scheme, given by Al-Riyami and Paterson [28], consists of seven algorithms: Setup, Extract-Partial-Private-Key, Set-Secret-Value, Set-Private-Key, Set-Public-Key, Certificateless-Sign and Certificateless-Verify. Hu [32] later proposed a certificateless signature scheme with five algorithms: Setup, Extract-Partial-Private-Key, Set-Private-Key, Certificateless-Sign and Certificateless-Verify. In essence, Hu's formulation and that of Al-Riyami and Paterson are equivalent.
A key problem is therefore how to build a better security protection scheme and key management system from these cryptographic algorithms in practice. Because pairing computation is expensive, we propose a leakage-resilient certificateless short signature scheme without pairings, built on the certificateless public key cryptosystem. In the new scheme the digital signature can be neither denied nor forged, the secret key update algorithm is fast, and the key and signature sizes are small.

Our Motivation
In this paper, we focus on constructing a more efficient leakage-resilient certificateless short signature scheme with a higher information leakage ratio. Both the key length and the tolerated leakage length are significant factors that affect the applicability of a signature scheme. When leakage attacks are taken into consideration, the relative leakage ratio (the tolerated leakage divided by the secret key length) is also an important concern in real applications. Hence, it is interesting and challenging to design a leakage-resilient certificateless short signature scheme that enjoys a low computational cost, a short key length and a high relative leakage ratio.

Our Contribution
We focus on leakage-resilient certificateless short signature schemes in this paper. To reach our goal, we simplify some parameters of the scheme, which is proved secure in the random oracle model under the hardness of the DDH problem. A certificateless short signature is a special kind of digital signature: it avoids the certificate management of traditional public key cryptography and the key escrow of identity-based public key cryptography, which makes it attractive for wide practical use.
As a result, we obtain a leakage-resilient certificateless short signature scheme that is not only provably secure against leakage attacks under the hardness of the DDH problem but also enjoys a lower computational cost, shorter public and secret key lengths and a higher relative leakage ratio. Moreover, our work gives a new way to obtain efficient leakage-resilient certificateless short signature schemes from the solution structure of non-homogeneous linear equations. We think it is interesting to show new ways of constructing more efficient leakage-resilient certificateless short signature schemes without sacrificing security.
We show that the scheme is provably secure and leakage-resilient: it is existentially unforgeable under adaptive chosen-message attack in the random oracle model under the DDH assumption. Compared to existing schemes, our scheme has two advantages: (1) it is a leakage-resilient certificateless short signature scheme; (2) the information an adversary can leak is bounded by a fixed maximum.

Organization
We organize the rest of the paper as follows. In Section 2, we review some preliminary knowledge on non-homogeneous linear equations and give the security model for leakage-resilient certificateless short signature schemes under leakage attacks. In Section 3, we present the new leakage-resilient certificateless short signature scheme. We prove the security and leakage resilience of our scheme in Section 4. To demonstrate its performance, a comparison with existing schemes is made in Section 5. Finally, we conclude in Section 6.

Preliminary
In this section, we first introduce some preliminary knowledge on non-homogeneous linear equations. Then, we introduce the DDH assumption on which the security of our scheme is mainly based. Finally, we present the definitions that will be used in our construction and security analysis, and state the security model under the DDH assumption formally.

Computational Assumptions and Notations
Denote by PPT a probabilistic polynomial-time algorithm. We write $a \leftarrow A(\cdot)$ to denote running the algorithm $A(\cdot)$ and obtaining $a$ as output, distributed according to the internal randomness of $A(\cdot)$.
Definition 2.1 (DDH assumption) Let $G$ be a cyclic group of prime order $q$ with generator $g$, where $q$ is an $n$-bit prime. The DDH advantage of an adversary $A$ is
$$\mathrm{Adv}^{\mathrm{DDH}}_{A}(n) = \left| \Pr[A(g, g^{a}, g^{b}, g^{ab}) = 1] - \Pr[A(g, g^{a}, g^{b}, g^{c}) = 1] \right|,$$
where $a, b, c$ are chosen uniformly at random from $\mathbb{Z}_q$. If the advantage of any PPT adversary $A$ is negligible in $n$, we say that the DDH assumption holds.
Definition 2.2 (Certificateless short signature scheme) Next, we state the definition of a certificateless short signature scheme as used in this paper. A scheme with message space $M$ consists of five PPT algorithms.
(1) Setup: run by the KGC. It takes as input a security parameter $l$ and outputs the system parameters $params$ and a master key $s$. The KGC publishes $params$ and keeps $s$ secret.
(2) Extract-Partial-Private-Key: run by the KGC. It takes as input $params$, the master key $s$ and a user identity $ID$, and outputs the partial private key of $ID$, which is delivered to the user.
(3) Set-Private-Key: run by the user. It takes as input $params$, the identity $ID$, the partial private key and a secret value $x$ chosen by the user, and outputs the user's private key $sk_{ID}$ and public key $pk_{ID}$. The user publishes $pk_{ID}$.
(4) Sign: run by the user. It takes as input $params$, a message $m$, the identity $ID$, the private key $sk_{ID}$ and the public key $pk_{ID}$, and outputs a signature $S$.
(5) Verify: a deterministic algorithm that takes as input the identity $ID$, the public key $pk_{ID}$, $params$, a message $m$ and a signature $S$. It outputs 1 if $S$ is a valid signature on $m$ for the identity $ID$, and 0 otherwise.

Security Model
In a certificateless short signature scheme, the user's public key is not authenticated by a certificate. The security model therefore allows the adversary to replace a user's public key with an invalid public key of its own choice. On the other side, the KGC knows the master key $s$ and can compute every user's partial private key, so the model also considers a malicious-but-passive KGC; this adversary is not allowed to replace users' public keys. We now define the adversary model of certificateless short signatures.
Adversaries against a certificateless short signature scheme are divided into two types according to the KGC's behaviour. A Type I adversary $A_1$ models an outsider who does not know the master key but may replace users' public keys. A Type II adversary $A_2$ models a malicious-but-passive KGC who knows the master key but may not replace users' public keys.
Definition 2.3 A certificateless short signature scheme is existentially unforgeable under adaptive chosen-message attack if no PPT adversary $A$ (Type I or Type II) can win the following game with non-negligible advantage $\varepsilon$.
Game I (Type I adversary $A_1$): The challenger $C$ chooses the security parameter $l$ and runs Setup to obtain the system parameters $params$ and the master key $s$. $C$ sends $params$ to $A_1$ and keeps $s$ secret. $A_1$ then adaptively issues its oracle queries and finally outputs a forgery.
Game II (Type II adversary $A_2$): The challenger $C$ chooses the security parameter $l$ and runs Setup to obtain $params$ and $s$. $C$ sends both $params$ and $s$ to $A_2$. $A_2$ then adaptively issues its oracle queries and finally outputs a forgery.
In general, the security definition of a certificateless short signature scheme gives the attacker the strongest attack capability and sets the weakest protection goal; if no attacker can succeed in this model, the scheme has the strongest security. In this paper we show that our scheme is existentially unforgeable under adaptive chosen-message attack in the random oracle model. The related definitions are given below.
Definition 2.4 (adaptive chosen-message attack [14]) We say that a signature scheme is $\varepsilon$-existentially forgeable if it is existentially forgeable with probability $\varepsilon$, where the probability space includes the random choices of the adaptive chosen-message attack, the random choices made by the legitimate signer in creating the public key, and the random choices made by the legitimate signer in producing signatures.
Definition 2.5 (Existential unforgeability under chosen-message attack, EUF-CMA) The adversary $A_1$ or $A_2$ succeeds in the above game if both of the following conditions hold: the output signature is valid on the chosen message and identity, and the adversary never obtained a signature on that message through its signing queries.
Definition 2.6 (Existential unforgeability under adaptive chosen-message attack, EUF-ACMA [15]) EUF-ACMA is a security notion for a signature scheme in which the forger can dynamically obtain signatures on messages of its choice, with the condition that it makes no signing query on the message for which it outputs the forgery. A valid forgery is a pair consisting of a message and a valid signature on it, where the signature was never obtained by the forger.
Informally speaking, a certificateless short signature scheme is resilient to leakage attacks if it remains unforgeable even when the adversary $A$ obtains some leakage about the secret value. In the security model, leakage attacks are modeled by giving the adversary access to a leakage oracle: the adversary may submit any efficiently computable leakage function $f$ to the oracle and receive the output $f(s)$, where $s$ denotes the secret input value.
The adversary $A$ may query leakage functions $f$ adaptively, with only one limitation: the total output length of all leakage functions submitted to the oracle must be bounded by a predetermined leakage parameter $\lambda_{total}$. Once the total leakage exceeds $\lambda_{total}$, the scheme is no longer guaranteed to be secure and the related key material of the signature scheme must be updated; otherwise the adversary may recover the secret key and forge signatures. We now give the following definitions.
In addition, each leakage function $f$ leaks no more than $\lambda_{total}$ bits per query; see also the related literature [23][24][25][26][27][28]. Definition 2.8 (Security Model of Certificateless Short Signature Scheme) A certificateless short signature scheme is existentially unforgeable under adaptive chosen-message attack if no PPT adversary (Type I or Type II) can win the game with non-negligible advantage $\varepsilon$.
Here we generalize this concept to obtain the definition of a leakage-resilient certificateless short signature scheme. Definition 2.9 (Security Model of Leakage-Resilient Certificateless Short Signature Scheme) The adversary $A$ is given a powerful oracle that outputs signatures on messages of its choice and also acts as a leakage oracle; the scheme is secure if $A$ still cannot forge a signature on any new message. Definition 2.10 The probability that the adversary $A$ obtains a correct result by using the oracle is expressed in terms of $\alpha$, the Type I error probability, and $\beta$, the Type II error probability. Note that if the signature scheme is used to sign many messages, the amount of leaked information will eventually exceed $\lambda_{total}$; the scheme then updates its internal state information.
The security of a leakage-resilient certificateless short signature scheme is defined through the following interactive game between the adversary $A$ and the challenger $B$: 1. Setup: The challenger $B$ runs the key generation algorithm Setup and Key-Extract with the security parameter $l$ as input and generates the public key $pk$ and the secret key $sk$.
The challenger $B$ then gives the public key $pk$ to the adversary $A$ and keeps the secret key $sk$ private. We say the adversary $A$ succeeds if $v' = v$.
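As an added illustration of the leakage oracle and the $\lambda_{total}$ budget described above (example code written for this page, not the paper's construction), the following Python models the oracle, its budget check, the key update that resets the counter, and the precondition $\lambda_{total} < \lambda$ that Theorem 4.1 later imposes. The secret is a random bit string and its "public value" is a SHA-256 image standing in for a public key; both are constructed for the demonstration and the toy 32-bit size is chosen only so that the adversary's brute-force step finishes instantly.

```python
import hashlib
import secrets
from typing import Callable, Optional


class LeakageBudgetExceeded(Exception):
    """Raised when a leakage query would push the total past lambda_total."""


class LeakageOracle:
    """Leakage oracle of the security model (constructed illustration).

    The adversary submits efficiently computable functions f of the secret and
    receives f(secret), under one restriction: the total number of output bits
    over all queries since the last key update is at most lambda_total.
    """

    def __init__(self, secret_bits: int, lambda_total: int, secret: Optional[int] = None):
        # Theorem 4.1 requires lambda_total < lambda: a budget at least as large
        # as the secret lets a single query f(s) = s leak the whole key.
        if lambda_total >= secret_bits:
            raise ValueError("lambda_total must be strictly smaller than the secret length")
        self.secret_bits = secret_bits
        self.lambda_total = lambda_total
        self.secret = secrets.randbits(secret_bits) if secret is None else secret
        self.leaked = 0  # bits handed out since the last key update
        self.updates = 0

    def public_value(self) -> bytes:
        """One-way image of the secret, standing in for the public key (assumed, not the paper's)."""
        return hashlib.sha256(self.secret.to_bytes((self.secret_bits + 7) // 8, "big")).digest()

    def remaining(self) -> int:
        return self.lambda_total - self.leaked

    def leak(self, f: Callable[[int], int], out_bits: int) -> int:
        """Answer one leakage query, truncating f(secret) to out_bits bits."""
        if out_bits < 0 or self.leaked + out_bits > self.lambda_total:
            raise LeakageBudgetExceeded(f"{out_bits} bits requested, {self.remaining()} left")
        self.leaked += out_bits
        return f(self.secret) & ((1 << out_bits) - 1)

    def update_key(self) -> None:
        """Key update step: fresh secret, leakage counter reset to zero."""
        self.secret = secrets.randbits(self.secret_bits)
        self.leaked = 0
        self.updates += 1


def recover_from_leak(pub: bytes, low_bits: int, n_low: int, secret_bits: int) -> Optional[int]:
    """Adversary's use of the leak: brute-force only the unleaked high bits
    against the public value. Cost is 2^(secret_bits - n_low) hashes, so every
    leaked bit halves the work; this is why the budget must stay below lambda."""
    nbytes = (secret_bits + 7) // 8
    for high in range(1 << (secret_bits - n_low)):
        cand = (high << n_low) | low_bits
        if hashlib.sha256(cand.to_bytes(nbytes, "big")).digest() == pub:
            return cand
    return None


def demo(secret_bits: int = 32, lambda_total: int = 24) -> dict:
    """Toy-sized run: 32-bit secret, 24-bit leakage budget."""
    oracle = LeakageOracle(secret_bits, lambda_total)
    pub = oracle.public_value()
    old_secret = oracle.secret
    # The adversary spends its whole budget on the low bits of the secret ...
    low = oracle.leak(lambda s: s, lambda_total)
    # ... and finishes the key with 2^(32-24) = 256 guesses.
    recovered = recover_from_leak(pub, low, lambda_total, secret_bits)
    # One more bit is refused: the budget is exhausted.
    try:
        oracle.leak(lambda s: s >> lambda_total, 1)
        over_budget_rejected = False
    except LeakageBudgetExceeded:
        over_budget_rejected = True
    # The scheme's answer is the key update, which restores the full budget.
    oracle.update_key()
    return {
        "recovered_old_key": recovered == old_secret,
        "guesses_needed": 1 << (secret_bits - lambda_total),
        "over_budget_rejected": over_budget_rejected,
        "budget_after_update": oracle.remaining(),
        "updates": oracle.updates,
    }
```

With realistic parameters the brute-force step is infeasible as long as $\lambda - \lambda_{total}$ stays large; the point of the example is the accounting (budget, refusal, update), not the 32-bit key.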

Leakage-Resilient Certificateless Short Signature Scheme
Based on the solution structure of a system of non-homogeneous linear equations, this paper presents an efficient leakage-resilient certificateless short signature scheme. The signature scheme consists of eight primary algorithms, which are explained next.
(1) Setup: KGC randomly selects a random number. Correctness of verification holds because the right-hand side of the verification equation equals the left-hand side.
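As an added example (not the paper's construction, whose details are not given above), the following Python implements a pairing-free, Schnorr-style certificateless signature over secp256k1 that follows the five-algorithm structure of Section 2 and exercises both adversary types of the security model: the KGC's partial private key is a Schnorr signature on the identity, the user adds a secret value, and signatures are two scalars. This is example code written for this page; the curve constants are the public secp256k1 parameters, the hash functions $H_1$ and $H_2$ are assumed to be SHA-256 under domain-separation tags, the identity and message are constructed, and the scalar multiplication is not constant-time.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants); the on-curve check below guards against typos.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] * G[1] - G[0] ** 3 - 7) % P == 0

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time: illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h(tag, *parts):
    """Assumed hash: SHA-256 under a domain tag, mapped to a non-zero scalar in [1, N-1]."""
    return 1 + int.from_bytes(hashlib.sha256(tag + b"".join(parts)).digest(), "big") % (N - 1)

def rand_scalar():
    return 1 + secrets.randbelow(N - 1)

def setup():
    """Setup (KGC): master key s, published Ppub = s*G."""
    s = rand_scalar()
    return {"Ppub": ec_mul(s, G)}, s

def extract_partial_private_key(params, s, ident):
    """Extract-Partial-Private-Key (KGC): (R, d) with d = r + s*H1(ID, R), a Schnorr signature on ID."""
    r = rand_scalar()
    R = ec_mul(r, G)
    return R, (r + s * h(b"H1", ident, enc(R))) % N

def set_private_key(params, ident, R, d):
    """Set-Private-Key (user): check d*G == R + H1*Ppub, pick secret value x, publish pk = (R, X = x*G)."""
    if ec_mul(d, G) != ec_add(R, ec_mul(h(b"H1", ident, enc(R)), params["Ppub"])):
        raise ValueError("partial private key from KGC does not verify")
    x = rand_scalar()
    return {"d": d, "x": x}, {"R": R, "X": ec_mul(x, G)}

def sign(params, ident, sk, pk, msg):
    """Sign: Schnorr-style under the combined key d + x; the signature (e, sigma) is two scalars."""
    k = rand_scalar()
    e = h(b"H2", ident, enc(pk["R"]), enc(pk["X"]), enc(ec_mul(k, G)), msg)
    return e, (k + e * (sk["d"] + sk["x"])) % N

def verify(params, ident, pk, msg, sig):
    """Verify: rebuild Y = (d + x)*G from public data only, R + H1*Ppub + X, then recover k*G."""
    e, sigma = sig
    Y = ec_add(ec_add(pk["R"], ec_mul(h(b"H1", ident, enc(pk["R"])), params["Ppub"])), pk["X"])
    K = ec_add(ec_mul(sigma, G), ec_mul(N - e, Y))  # sigma*G - e*Y
    return K is not None and e == h(b"H2", ident, enc(pk["R"]), enc(pk["X"]), enc(K), msg)

def demo():
    """Honest run plus one forgery attempt per adversary type of the security model."""
    params, s = setup()
    ident, msg = b"alice@example.org", b"constructed test message"  # constructed inputs
    R, d = extract_partial_private_key(params, s, ident)
    sk, pk = set_private_key(params, ident, R, d)
    sig = sign(params, ident, sk, pk, msg)
    # Type II (malicious-but-passive KGC): knows s and hence d, but not the secret value x.
    type2 = sign(params, ident, {"d": d, "x": 0}, pk, msg)
    # Type I (outsider): replaces X with its own X' = x'*G, but does not know d.
    x2 = rand_scalar()
    pk2 = {"R": R, "X": ec_mul(x2, G)}
    type1 = sign(params, ident, {"d": 0, "x": x2}, pk2, msg)
    return {
        "honest": verify(params, ident, pk, msg, sig),
        "type2_without_x": verify(params, ident, pk, msg, type2),
        "type1_without_d": verify(params, ident, pk2, msg, type1),
        "tampered": verify(params, ident, pk, msg + b"!", sig),
    }
```

The two failed forgeries show where each adversary type is stopped: the Type II adversary holds $d$ but verification needs $d + x$, and the Type I adversary controls $x'$ but the replaced key is still bound to the KGC's $d$ through $R$ and $H_1(ID, R)$. Nothing here models leakage; that is the separate oracle of Section 2.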

Security Proof against Type I and Type II Adversaries
Many certificateless signature schemes depend excessively on the honesty of the key generation center (KGC) and lose their security guarantees when the KGC is dishonest.
The formal security proof of this scheme is given in the random oracle model against both Type I and Type II adversaries $A$.
Theorem 4.1 Assume that the DDH problem is hard and that the hash function $H$ is target collision-resistant. Then our leakage-resilient certificateless short signature scheme is existentially unforgeable under adaptive chosen-message attack for any total leakage $\lambda_{total} < \lambda$, where $\lambda$ denotes the security parameter of the signature scheme and $\lambda_{total}$ the total amount of leaked information.
Let $\varepsilon$ be the probability that the adversary $A$ wins. The advantage with which the algorithm $C$ wins its game is ' 1 16 and the running time $t'$ of $C$ satisfies $t' < t + 2(q_{pk} + q_S)\, t_e$, where $t_e$ is the computation time of one exponentiation and $q_{pk}$, $q_S$ are the numbers of public-key and signing queries. The security of our scheme follows from Theorem 4.1, which states that the scheme is secure under the classical DDH assumption. To prove Theorem 4.1, we show that any efficient adversary (Type I or Type II) that breaks the security of the scheme can be used to break the universal one-way hash function $H$.
Notation: $t$ denotes the time of the adversary $A$'s access to its oracles. We now calculate the probabilities of the relevant events and, finally, the advantage with which the algorithm wins the game.

Efficiency Comparisons
Now we compare our scheme with other signature schemes in Table 1. The notation used in the table denotes, respectively: one exponentiation in the multiplicative group; one pairing operation; one addition in the additive group; one multiplication in the additive group; one hash function mapping to a point; and the computing time of solving the non-homogeneous linear equations.
Table 1 shows that our certificateless short signature scheme has the lowest computation cost of the compared schemes. Since we remove the expensive pairing operation, we obtain a secure scheme with small computation cost. Moreover, our signature scheme is leakage-resilient, with the amount of leaked information bounded by a fixed maximum.

Conclusion
In this paper we have introduced a new efficient leakage-resilient certificateless short signature scheme by simplifying some parameters of the certificateless short signature scheme. Our scheme is leakage-resilient, with the amount of leaked information bounded by a fixed maximum. Moreover, it enjoys a higher relative leakage rate and remains existentially unforgeable under adaptive chosen-message attack. Besides these performance features, we have formally proved its security in the random oracle model under the hardness of the decisional Diffie-Hellman problem. With these features, our proposal may be of value in practical applications.
In the proof, the security model assumes that the adversary learns none of the intermediate values produced during signature generation. This is not always the case in real application environments, where a side-channel attack on the signing device may expose such values. Therefore, constructing an efficient leakage-resilient certificateless short signature scheme in the standard model under the hardness of the computational Diffie-Hellman (CDH) problem remains interesting and valuable future work.