Sage Journals: Discover world-class research

Abstract

Wireless Sensor Network (WSN) has proved its presence in various real time applications and hence the security of such embedded devices is a vital issue. Certificateless cryptography is one of the recent paradigms to provide security. Certificateless public key cryptography (CL-PKC) deals effectively with the twin issues of certificate management in traditional public key cryptography and key escrow problem in identity-based cryptography. CL-PKC has attracted special attention in the field of information security as it has opened new avenues for improvement in the present security architecture. Recently, Tsai et al. proposed an improved certificateless signature scheme without pairing and claimed that their new construction is secure against different kinds of attacks. In this paper, we present a security analysis of their scheme and our results show that scheme does not have resistance against malicious-KGC attack. In addition, we have found some security flaws in the certificateless signature scheme of Fan et al. and proved the scheme vulnerable to Strong Type I attack.

1. Introduction

The validation of public keys by a trusted third party, also known as Certificate Authority (CA), makes traditional Public Key Infrastructure (PKI) uneconomical. The user selects a public key and then CA provides a digital certificate to associate the public key with the user's identity. The management of these certificates is a complex issue and increases the computation and storage cost manifold. To resolve the issues of PKC a revolutionary ID-based infrastructure was introduced by Shamir [1] in 1984. This seminal concept of Identity Based Cryptography (IBC) allows the user to choose a public key of its own choice such as email ID, phone number, and name. In IBC, users do not generate their own private keys as in traditional PKC. Private keys are generated by Key Generation Centre (KGC), maintains the private keys of all the users, but there is always a possibility of the misuse of these private keys as they can be used to decrypt any ciphertext and forge the signature of user on any message for signature generation. Eventually, this new paradigm solved the problem of certificate management but gave birth to inherent problem of key escrow.

In 2003, Al-riyami and Paterson [2] proposed a novel approach to eliminate the inherent key escrow problem of IBC as well as the use of certificates in traditional PKC. This approach is known as CL-PKC, where KGC generates a partial-private key for the user while user's secret key and partial-private key are used to generate the public key of the user. In other words, CL-PKC differs from IBC in terms of arbitrary public key, and when a signature is transmitted, user's public key is attached with it but not certified by any of the trusted authority. Moreover, KGC is not aware of the secret key of the user.

However, Al-riyami and Paterson's [2] scheme has been proved insecure against Type I adversary by Huang et al. [3] and proposed an improved scheme. A generic construction has been proposed by Yum and Lee [4] in 2004 which is based on identity based signature. Later, Hu et al. [5] found it insecure against key replacement attack and proposed an improved version. Meanwhile Libert and Quisquater [6] proposed another generic construction without precomputations, which is based on Al-riyami and Paterson's work. In 2005, Gorantla and Saxena [7] proposed an efficient CLS scheme but it was found to be insecure against the key replacement attack by Cao et al. [8]. Li et al. [9] and Zhang et al. [10] proposed CLS schemes based on elliptic curve but verification algorithms in their schemes require four pairing computations. To improve the performance, Yap et al. [11] proposed an efficient CLS scheme which required only two bilinear pairings. However, Park and Kang [12] found that the scheme [11] is insecure against a key replacement attack. Recently, Au et al. [13] suggested a new kind of malicious-but-passive-KGC attack where adversary may get access to the secret/public key of KGC and then modified Hu et al.'s model [5] for capturing the attack. In 2007, Huang et al. [14] proposed two new short CLS schemes and claimed their first scheme is provably secure against a Normal Type I adversary as well as Super Type II adversary and the second scheme is secure against Super Type I and Type II adversaries. Unfortunately, Shim [15] claimed that the first scheme in [14] is universally forgeable by the Type I adversary. Later, Tso et al. [16–18] presented efficient short CLS schemes. Recently two CLS schemes were proposed by Xu et al. in [19, 20] for mobile wireless cyber-physical systems, and emergency mobile wireless cyber-physical systems respectively. They were claimed to provide high efficiency and provable security. However, Zhang et al. [21] has shown that these two schemes are universally forgeable against public key replacement attack. Wang et al. [22] proposed a scheme which need not compute the pairing $e (P, P) = g$ at the sign stage, rather it precomputes and publishes the system parameters.

Recently, Du and Wen [23] presented a short CLS scheme and claimed that it is secure against Strong adversaries. However, Fan et al. [24] and Choi et al. [25] independently showed it to be insecure against Strong Type I adversary. Further, Fan et al. [24] proposed a CLS scheme from bilinear pairing with additional property of nonrepudiation but later it was found in [26] that the scheme does not acheive Girault's level 3 security. Later, Tian et al. [27] claimed that the scheme [25] didnot withstand against Strong Type II adversary.

In certificateless infrastructure, the majority of the schemes lacks in some common security issue. To attack a CLS scheme broadly two types of adversaries have been defined: Type I and Type II. A Type I adversary can replace a user's public key but is not able to obtain KGC's master secret key and a Type II adversary is a malicious KGC who knows the master secret key but cannot replace user's public key. Although Huang et al. [28] divide the potential adversaries according to their attack power and enrich the CL-PKC with three more categories. A clear definition of all the three categories of adversaries, Normal, Strong, and Super, has been provided together with the security models. On association with the existing categorization of Type I and Type II adversaries, six types of adversaries can be obtained. These are Normal Type I, Strong Type I, Super Type I, Normal Type II, Strong Type II, and Super Type II. In fact, if a scheme is secure against a Super Type I (II) adversary, it will guarantee the security against Normal and Strong Type I (II) adversaries but the reverse may not be true.

In any certificateless scheme, it is always a good idea to avoid pairing operation as it leads to the increase in computation cost manifold as compared to any other operation. An interesting attempt has been made by He et al. [29] in 2011. He et al. developed an efficient short CLS scheme without pairing. The advantage of the scheme is that it does not use any pairing operation and the length of signature is short. However, in 2012, Tian and Huang [30] proved that the scheme cannot resist against Strong Type II adversary having an access to the master secret key of the KGC. Later Tsai et al. [31] discovered that the short CLS scheme [29] cannot withstand against Type II adversary and proposed an improved scheme to overcome the weaknesses of He et al.'s [29] scheme. In this paper, we provide a cryptanalysis on the Tsai et al. [31] scheme by using two Type II attacks.

As all the schemes based on ID-based cryptography have been implemented on sensor network, so these schemes are similarly applicable to Wireless Sensor Network [32]. Mica2, Micaz, Tmote sky, and TelosB are the commonly available motes and can be used for implementation. Evaluation of these schemes can be on the basis of various factors like energy consumption, computation time, and security provided. The schemes discussed here in this papers are very much of interest because they are free from pairing, so easily applicable to WSN. But with less resource consumption scheme should not compromise with security. These schemes are found to be vulnerable and few flaws have been reported. In this paper few attacks have been given which will help to improve the scheme.

The rest of the paper is organized as follows. Section 2 presents some preliminaries and complexity assumptions. Section 3 reviews the Tsai et al.'s scheme [31]. In Section 4, we discuss the security analysis of Tsai et al.'s scheme and prove that the scheme is insecure against Strong Type II attack. Section 5 reviews the Fan et al.'s scheme [24]. In Section 6, we discuss the security analysis of Fan et al.'s scheme and proved in insecure against Strong Type I attack followed by the concluding remarks on the presented work.

2. Preliminaries

This section revisits the fundamentals used in the CLS scheme.

2.1. Overview of Elliptic Curve Cryptography

An elliptic curve [33, 34] is a set of points over a finite field $G F (p)$ , a Galois Field of order p, which satisfies the Weierstra ℬ equation [35]

\begin{matrix} y^{2} + a_{1} x y + a_{3} y = x^{3} + a_{2} x^{2} + a_{4} x + a_{6} \end{matrix}

(1)

but for simplification of computations, cryptographic applications prefer the simple form of Weierstra ℬ equation as

\begin{matrix} y^{2} = x^{3} + a x + b, \end{matrix}

(2)

where

a, b \in G F (p)

2.2. Complexity Assumptions

The security of elliptic curve based cryptosystem is based on the assumption that the Elliptic Curve Discrete Logarithm Problem (ECDLP) is hard, which can be defined as follows.

Let E be an elliptic curve over a finite field $F_{p}$ . Suppose, there are points P, Q on the curve $E (F_{p})$ for given generator P. Determine k such that $Q = [k] P$ .

3. Review of Tsai et al.'s Short CLS Scheme

In this section, we briefly review the short certificateless signature scheme based on ECDLP [31]. The scheme works as follows.

Setup. Let G be a cyclic additive group, let $E / F_{p}$ be an elliptic curve E over a prime finite field $F_{p}$ defined by an equation $y^{2} = x^{3} + a x + b$ , and let p be k-bit prime number, where $p \in G$ . Initially, the KGC computes its master public key $P_{pub} = x P$ and chooses two secure one-way hash functions: $H_{1} : {0,1}^{*} \times G \times G \to Z_{n}^{*}$ and $H_{2} : {0,1}^{*} \times G \times G \times G \to Z_{n}^{*}$ , where $x \in Z_{n}^{*}$ is the master key chosen by KGC. The KGC then publishes public parameters ${F_{p}, E / F_{p}, G, P, P_{pub}, H_{1}, H_{2}}$ and keeps master key x secret.

Set-Secret Value. A signer chooses his/her identity $ID$ and his/her secret value $x_{ID}$ . The signer then computes $P_{ID} = x_{ID} P$ and keeps master key x secret $x_{ID}$ .

Partial-Private-Key Extract. The KGC computes $R_{ID} = r_{ID} P$ and $h_{ID} = H_{1} (ID, R_{ID}, P_{ID})$ for each signer with his/her identity $ID \in {0,1}^{*}$ , where $r_{ID} \in Z_{n}^{*}$ is a random number. The KGC then computes $s_{ID} = r_{ID} + h_{ID} x$ mod n and sends $(s_{ID}, R_{ID})$ to the user via a secure channel. Notably, the tuple $(s_{ID}, R_{ID})$ is the partial-private key of the user and the user can confirm its validity by checking the following equation: $s_{ID} P = R_{ID} + h_{ID} \cdot P_{pub}$ . If the equation holds, the partial-private key $(s_{ID}, R_{ID})$ is valid; otherwise, the signer rejects the partial-private key $(s_{ID}, R_{ID})$ .

Set-Private Key. The signer uses $s k_{ID} = (x_{ID}, s_{ID})$ as his/her private key.

Set-Public Key. The signer adopts $p k_{ID} = (P_{ID}, R_{ID})$ as his/her public key.

Sign. Assume a signer wants to sign a message m, he/she performs the following steps to generate signature $(R, s)$ on chosen message m. (i)

The signer computes $R = l \cdot P$ , $h_{1} = H_{2} (m, R, P_{ID}, R_{ID})$ , $h_{2} = H_{2} (m, R, P_{ID}, R_{ID}, P_{pub})$ , where r_ID is a random number.

(ii)

The signer checks whether $g c d (l + h_{1}, n)$ equals 1. If it does not hold, the signer returns to step (i).

(iii)

The signer computes $s = (l + h_{1})^{- 1} (h_{2} \cdot x_{ID} + s_{ID})$ mod n and then sends $(R, s)$ to the verifier.

Verify. Upon receiving the signature $(R, s)$ on message m from the signer, the verifier can confirm the validity of signature $(R, s)$ using the following equation:

\begin{matrix} s \cdot (R + h_{1} \cdot P) = h_{2} \cdot P_{ID} + R_{ID} + h_{ID} \cdot P_{pub}, \end{matrix}

(3)

where

h_{1} = H_{2} (m, R, P_{ID}, R_{ID})

h_{2} = H_{2} (m, R, P_{ID}, R_{ID}, P_{pub})

, and

h_{ID} = H_{1} (ID, R_{ID}, P_{ID})

If the above equation holds, signature $(R, s)$ is valid; otherwise, the verifier rejects the signature.

4. Cryptanalysis of Tsai et al.'s Short CLS Scheme

In this section, we prove that the He et al. [29] CLS scheme is forgeable by the Strong Type II adversary; that is, the adversary can forge users certificateless signatures by using malicious-KGC attack. Tsai et al. proposed an improvement in the He et al.'s [29] scheme and claimed that the scheme is secure under discrete logarithm assumption in random oracle model. Unfortunately, the scheme was found to be insecure against the malicious-KGC attack.

4.1. Attack 1

The adversary $𝒜_{II}$ will perform the following steps. (i)

The adversary $𝒜_{II}$ choose random numbers $t, l^{'} \in Z_{n}^{*}$ and a message $m^{'}$ and computes

\begin{matrix} R^{'} = l^{'} P . \end{matrix}

(4)

The adversary $𝒜_{II}$ replaces the KGC's master public key $P_{pub}$ with

\begin{matrix} P_{pub}^{'} = \frac{t - R_{ID}}{h_{ID}^{'}}, \end{matrix}

(5)

where, $h_{ID}^{'} = H_{1} (ID, P_{ID}, R_{ID})$ .

And, the adversary generates the signature as

\begin{matrix} s^{'} = \frac{t + h_{2}^{'} P_{ID}}{(l^{'} + h_{1}^{'}) P} \mod n, \end{matrix}

(6)

where $h_{1}^{'} = H_{2} (m^{'}, R^{'}, P_{ID}, R_{ID})$ , $h_{2}^{'} = H_{2} (m^{'}, R^{'}, P_{ID}, R_{ID}, P_{pub}^{'})$ . Clearly, $(R^{'}, s^{'})$ is the forged signature on the message $m^{'}$ .

(ii)

To check the validity of the signature, the verifier can perform the following verification by using the following equation:

\begin{array}{l} s^{'} \cdot (R^{'} + h_{1}^{'} \cdot P) = \frac{t + h_{2}^{'} P_{ID}}{(l^{'} + h_{1}^{'}) P} \cdot (l^{'} P + h_{1}^{'} P) \\ = t + h_{2}^{'} P_{ID} \\ = h_{2}^{'} \cdot P_{ID} + [\frac{t - R_{ID}}{h_{ID}^{'}} \cdot h_{ID}^{'} + R_{ID}] \\ = h_{2}^{'} \cdot P_{ID} + R_{ID} + h_{ID}^{'} \cdot P_{pub}^{'} . \end{array}

(7)

4.2. Attack 2

The adversary $𝒜_{II}$ will perform the following steps to forge a signature. (i)

The adversary $𝒜_{II}$ selects a random number $t^{'} \in Z_{n}^{*}$ and computes $R^{'} = t^{'} \cdot P$ .

(ii)

$𝒜_{II}$ chooses a random number $r_{ID}^{'} \in Z_{n}^{*}$ and computes $R_{ID}^{'} = r_{ID}^{'} \cdot P$ .

(iii)

The adversary obtains the hash values $h_{1}^{'} = H_{2} (m^{'}, R^{'}, P_{ID}, R_{ID}^{'})$ , $h_{2}^{'} = H_{2} (m^{'}, R^{'}, P_{ID}, R_{ID}^{'}, P_{pub})$ , and $h_{ID}^{'} = H_{1} (ID, P_{ID}, R_{ID}^{'})$ .

(iv)

$𝒜_{II}$ assesses whether $g c d (l + h_{1}, n)$ equals 1. If it does not hold, the signer returns to step (i).

(v)

As the the adversary is of Type II, the value of x is known. Then, $𝒜_{II}$ computes

\begin{matrix} s^{'} = {(t^{'} + h_{1}^{'})}^{- 1} (r_{ID}^{'} + h_{ID}^{'} \cdot x + \frac{h_{2}^{'} \cdot P_{ID}}{P}) \mod n . \end{matrix}

(8)

The signature is $(R^{'}, s^{'})$ on message $m^{'}$ .

(vi)

To check the validity of the signature, the verifier can perform the following verification as follows:

\begin{matrix} s^{'} \cdot (R^{'} + h_{1}^{'} \cdot P) = h_{2}^{'} \cdot P_{ID} + R_{ID} + h_{ID}^{'} \cdot P_{pub}, \end{matrix}

(9)

where $h_{1}^{'} = H_{2} (m^{'}, R^{'}, P_{ID}, R_{ID}^{'})$ , $h_{2}^{'} = H_{2} (m^{'}, R^{'}, P_{ID}, R_{ID}^{'}, P_{pub})$ , and $h_{ID}^{'} = H_{1} (ID, P_{ID}, R_{ID}^{'})$

\begin{array}{l} s^{'} \cdot (R^{'} + h_{1}^{'} \cdot P) \\ = {(t^{'} + h_{1}^{'})}^{- 1} (r_{ID}^{'} + h_{ID}^{'} \cdot x + \frac{h_{2}^{'} \cdot P_{ID}}{P}) \\ \times (t^{'} \cdot P + h_{1}^{'} \cdot P) \\ = {(t^{'} + h_{1}^{'})}^{- 1} (r_{ID}^{'} + h_{ID}^{'} \cdot x + \frac{h_{2}^{'} \cdot P_{ID}}{P}) (t^{'} + h_{1}^{'}) \cdot P \\ = (r_{ID}^{'} + h_{ID}^{'} \cdot x + \frac{h_{2}^{'} \cdot P_{ID}}{P}) \cdot P \\ = (r_{ID}^{'} \cdot P + h_{ID}^{'} \cdot x \cdot P + h_{2}^{'} \cdot P_{ID}) \\ = R_{ID}^{'} + h_{2}^{'} P_{ID} + h_{ID}^{'} \cdot P_{pub} . \end{array}

(10)

5. Review of Fan et al.'s Short CLS Scheme

In this section, we briefly review the short certificateless signature scheme based on ECDLP [24]. The scheme works as follows.

Setup. Let $G_{1}, G_{2}$ , and $G_{T}$ be three cyclic additive groups of prime order $q \leq 2^{k}$ where k is a security parameter, and let e be an efficiently computable bilinear pairing $e : G_{1} \times G_{2} \to G_{T}$ , which satisfies the properties of bilinearity and nondegeneracy. Suppose that a message m which will be signed is an element in $Z_{q}^{*}$ . KGC chooses two random generators $P_{1} \in G_{1}$ and $P_{2} \in G_{2}$ and a random integer $s \in Z_{q}^{*}$ . It then computes $P_{pub} = s P_{2} \in G_{2}$ and $g = e (P_{1}, P_{2}) \in G_{T}$ . It then selects two distinct cryptographic hash functions $H_{1} : {0,1}^{*} \to Z_{q}^{*}$ and $H_{2} : {0,1}^{*} \times G_{2} \to Z_{q}^{*}$ . KGC publishes the system parameters, $params = {k, G_{1}, G_{2}, e, q, P, g, P_{pub}, H_{1}, H_{2}}$ , and keeps its master key s secret.

User-Key Gen. A user with identity $ID$ randomly chooses $r \in Z_{q}^{*}$ and then computes $p k_{ID} = r P_{2}$ and $p k_{ID}^{'} = r (P_{pub} + Q_{ID} P_{2})$ where $Q_{ID} = H_{1} (ID)$ . The user keeps r secretly and sets $(p k_{ID}, p k_{ID}^{'})$ as its public key.

Partial-Private-Key Gen. KGC takes $params$ , the user's partial public information $(Q_{ID}, p k_{ID})$ as inputs, and then generates the user's partial-private key $d_{ID} = 1 / (s + Q_{ID} + H_{1} (ID ∥ p k_{ID})) P_{1}$ . Then KGC returns $d_{ID}$ to the user via a secure manner. After receiving $d_{ID}$ , the user checks the correctness of $d_{ID}$ by examining if $e (d_{ID}, P_{pub} + Q_{ID} P_{2} + H_{1} (ID ∥ p k_{ID}) P_{2}) = g$ . The private key of the user is $(d_{ID}, r)$ .

CL Sign. To produce the signature on message $m \in {0,1}^{*}$ , the user with identity $ID$ performs the following steps: (i)

set $h = H_{2} (m, p k_{ID})$ ,

(ii)

compute $S = (1 / (r + h)) d_{ID}$ , where S is the signature on message m of the user.

CL Verify. Given $params$ , message m, $p k_{ID}$ , $p k_{ID}^{'}$ , and the signature S on message m of the user with identity $ID$ , the signature can be verified as follows: (i)

let $h = H_{2} (m, p k_{ID})$ ;

(ii)

if the following formula holds, the signature S is valid:

\begin{array}{l} e (S, p k_{ID}^{'} + H_{1} (ID ∥ p k_{ID}) p k_{ID} \\ + h (P_{pub} + Q_{ID} P_{2} + H_{1} (ID ∥ p k_{ID}) P_{2})) = g . \end{array}

(11)

6. Cryptanalysis of Fan et al.'s Short CLS Scheme

In this section, we demonstrate that the Fan et al. [24] CLS scheme is forgeable by the Strong Type I adversary; that is, adversary can replace a user's public key but is not able to obtain KGCs master secret key. $𝒜_{I}$ is able to retrieve the partial-private key of the user.

6.1. Attack

The $𝒜_{I}$ will perform the following steps. (i)

The adversary $𝒜_{I}$ chooses a random number $r^{'} \in Z_{n}^{*}$ and replaces a user's public key $P K_{ID}$ with $P K_{ID}^{*} = r^{'} P_{2}$ and $P K_{ID}^{'}$ with $P K_{ID}^{' *} = r^{'} (P_{pub} + Q_{ID} P_{2})$ .

(ii)

$𝒜_{I}$ makes a strong sign query with $ID, m$ , and $r^{'}$ as input and then the challenger returns a valid signature $S^{'} = (1 / (r^{'} + h^{'})) d_{ID}$ where $h^{'} = H_{2} (m, P K_{ID}^{*})$ .

(iii)

$𝒜_{I}$ obtains the hash value $h^{'}$ on m, $P K_{ID}^{*}$ by making a hash query.

(iv)

$𝒜_{I}$ can then compute the user's partial-private key $d_{ID} = (r^{'} + h^{'}) S^{'}$ as he knows the value of $r^{'}$ and $h^{'}$ .

7. Conclusion

The schemes discussed here are of much interest because they are free from pairing and hence can easily be applicable to WSN. But less resource consumption is not enough reason to compromise security. In this paper, security attacks have been applied on two different schemes. Tsai et al. proposed the CLS scheme without pairing which is claimed to be more efficient than the existing schemes (since pairing is always an expensive operation). An exhaustive cryptanalysis has been shown in Section 4 and the results indicate that the improved scheme by Tsai et al. does not resist against the Strong Type II attacks and hence is forgeable. Moreover, we have found that Fan et al's. CLS scheme is forgeable by the Strong Type I adversary. Therefore, to construct a secure certificateless signature scheme without bilinear pairing needs more attention.

References

Shamir

Identity-based cryptosystems and signature schemes

Advances in Cryptology 1984 196

Berlin, Germany

Springer

47 53 Lecture Notes in Computer Science

Al-riyami

S. S.

Paterson

K. G.

Certificateless public key cryptography

Advances in Cryptology-ASIACRYPT 2003 2003 2894

Berlin, Germany

Springer

452 473 Lecture Notes in Computer Science

Huang

Susilo

Zhang

On the security of certificateless signature schemes from asiacrypt2003

Cryptology and Network Security 2005 3810

Berlin, Germany

Springer

13 25 Lecture Notes in Computer Science

Yum

D. H.

Lee

P. J.

Generic constructin of certificateless signature

Information Security and Privacy 2004 3108

Berlin, Germany

Springer

200 211 Lecture Notes in Computer Science

B. C.

Wong

D. S.

Zhang

Deng

Key replacement attack against a generic construction of certificateless signature

Information Security and Privacy 2006 4058

Berlin, Germany

Springer

235 246 Lecture Notes in Computer Science

Libert

Quisquater

J. J.

On constructing certificateless cryptosystems from identity based encryption

3958

Proceedings of the 9th International Conference on Theory and Practice of Public-Key Cryptography (PKC '06)

2006

Berlin, Germany

Springer

474 490 Lecture Notes in Computer Science

Gorantla

Saxena

An efficient certificateless signature scheme

Computational Intelligence and Security 2005 3802

Berlin, Germany

Springer

110 116 Lecture Notes in Computer Science

Cao

Paterson

K. G.

Kou

An attack on a certificateless signature scheme

Cryptology EPrint Archive 2006 2006/367 http://eprint.iacr.org/

Chen

Sun

Certificateless signature and proxy signature schemes from bilinear pairings

Lithuanian Mathematical Journal 2005 45 1 76 83

2-s2.0-18244396341

10.1007/s10986-005-0008-5

10.

Zhang

Wong

D. S.

Feng

Certificateless public-key signature: security model and efficientconstruction

Applied Cryptography and Network Security 2006 3989

Berlin, Germany

Springer

293 308 Lecture Notes in Computer Science

11.

Yap

W. S.

Heng

S. H.

Goi

B. M.

An efficient certificateless signature scheme

Emerging Directions in Embedded and Ubiquitous Computing 2006 4097

Berlin, Germany

Springer

322 331 Lecture Notes in Computer Science

12.

Park

Kang

Security analysis of the certificateless signature scheme proposed at Sec Ubiq 2006

Emerging Directions in Embedded and Ubiquitous Computing 2007 4809

Berlin, Germany

Springer

686 691 Lecture Notes in Computer Science

13.

M. H.

Chen

Liu

J. K.

Wong

D. S.

Yang

Malicious KGC attacks in certificateless cryptography

4586

Proceedings of the 12th Australasian Conference on Information Security and Privacy (ACISP '07)

2007

Springer

308 322 Lecture Notes in Computer Science

14.

Huang

Susilo

Wong

D. S.

Certificateless signature revisited

Information Security and Privacy 2007 4586

Berlin, Germany

Springer

308 322 Lecture Notes in Computer Science

15.

Shim

Breaking the short certificateless signature scheme

Information Sciences 2009 179 3 303 306

2-s2.0-56149108570

10.1016/j.ins.2008.08.024

16.

Tso

Huang

Efficient and short certificateless signature

Cryptology and Network Security 2008 5339

Berlin, Germany

Springer

64 79 Lecture Notes in Computer Science

17.

Tso

Huang

Efficient and short certificateless signatures secure against realistic adversaries

Journal of Supercomputing 2011 55 2 173 191

2-s2.0-79951510781

10.1007/s11227-010-0427-x

18.

Tso

Huang

Susilo

Strongly secure certificateless short signatures

Journal of Systems and Software 2012 85 6 1409 1417

2-s2.0-84859548489

10.1016/j.jss.2012.01.016

19.

Liu

Zhang

Dai

Shu

A certificateless signature scheme for mobile wireless cyber-physical systems

28th International Conference on Distributed Computing Systems Workshops, ICDCS Workshops 2008

June 2008

chn

489 494

2-s2.0-51849152399

10.1109/ICDCS.Workshops.2008.84

20.

Liu

Zhang

McCLS: certificateless signature scheme for emergency mobile wireless cyber-physical systems

International Journal of Computers, Communications and Control 2008 3 4 395 411

2-s2.0-56549109737

21.

Zhang

Miao

Susilo

Huang

Cryptanalysis on two certificateless signature schemes

International Journal of Computers, Communications and Control 2010 5 4 586 591

2-s2.0-77957805002

22.

Wang

Long

Tang

An efficient certificateless signature from pairings

Journal of Information Science and Engineering 2009 8 1 96 100

23.

Wen

Efficient and provably-secure certificateless short signature scheme from bilinear pairings

Computer Standards and Interfaces 2009 31 2 390 394

2-s2.0-55749090987

10.1016/j.csi.2008.05.013

24.

Fan

Hsu

Truly non-repudiation certificateless short signature scheme from bilinear pairings

Journal of Information Science and Engineering 2011 27 3 969 982

2-s2.0-79958178318

25.

Choi

K. Y.

Park

J. H.

Lee

D. H.

A new provably secure certificateless short signature scheme

Computers and Mathematics with Applications 2011 61 7 1760 1768

2-s2.0-79952987257

10.1016/j.camwa.2011.02.003

26.

Chen

Y. C.

Horng

On the security models for certificateless signature schemes achieving level 3 security

IACR Cryptology EPrint Archive 2011 554

27.

Tian

Huang

Yang

On the security of a certificateless short signature scheme

Cryptology EPrint Archive 2011 http://eprint.iacr.org/2011/419

28.

Huang

Susilo

Wong

D. S.

Certificateless signatures: new schemes and security models

Computer Journal 2012 55 4 457 474

2-s2.0-84859346464

10.1093/comjnl/bxr097

29.

Chen

Zhang

An efficient and provably-secure certificateless signature scheme without bilinear pairings

International Journal of Communication Systems 2011 25 11 1432 1442

2-s2.0-80053436815

10.1002/dac.1330

30.

Tian

Huang

Cryptanalysis of a certificateless signature scheme without pairings

International Journal of Communication Systems 2012

2-s2.0-84857134950

10.1002/dac.2310

31.

Tsai

Weaknesses and improvements of an efficient certificateless signature scheme without using bilinear pairings

International Journal of Communications Systems 2012 25 11 1432 1442 Wiley-Blackwell

10.1002/dac.1330

32.

Akyildiz

I. F.

Sankarasubramaniam

Cayirci

Wireless sensor networks: a survey

Computer Networks 2002 38 4 393 422

2-s2.0-0037086890

10.1016/S1389-1286(01)00302-4

33.

2000. Standards for efficient cryptography SEC 1: Elliptic curve cryptography

Certicom Research, http://www.secg.org/collateral/sec1_final.pdf

34.

2000. Standards for efficient cryptography SEC 2: Recommended Elliptic Curve Domain Parameters. Standards for Efficient Cryptography

Version 1.0. Certicom Research, http://www.secg.org/collateral/sec2_final.pdf

35.

Hankerson

Menezes

A. J.

Vanstone

Guide to Elliptic Curve Cryptography 2004

New York, NY, USA

Springer

On the Security of Certificateless Signature Schemes

Abstract

1. Introduction

2. Preliminaries

2.1. Overview of Elliptic Curve Cryptography

2.2. Complexity Assumptions

3. Review of Tsai et al.'s Short CLS Scheme

4. Cryptanalysis of Tsai et al.'s Short CLS Scheme

4.1. Attack 1

4.2. Attack 2

5. Review of Fan et al.'s Short CLS Scheme

6. Cryptanalysis of Fan et al.'s Short CLS Scheme

6.1. Attack

7. Conclusion

References