
Information Sciences 188 (2012) 322–337

Contents lists available at SciVerse ScienceDirect

Information Sciences

journal homepage: www.elsevier.com/locate/ins

Efficient certificateless proxy signature scheme with provable security (*)

Seung-Hyun Seo (a), Kyu Young Choi (b), Jung Yeon Hwang (c), Seungjoo Kim (b, corresponding author)

(a) Korea Information and Security Agency (KISA), IT Venture Tower, Garak-dong 78, Songpa-gu, Seoul 138-950, Republic of Korea
(b) Center for Information Security Technologies (CIST), Korea University, Anam-dong, Seongbuk-gu, Seoul 136-713, Republic of Korea
(c) Electronics and Telecommunications Research Institute (ETRI), Daejeon 305-700, Republic of Korea

Article info

Article history: Received 7 April 2008; received in revised form 15 June 2011; accepted 7 November 2011; available online 18 November 2011.

Keywords: Proxy signature; Certificateless signature; Certificateless proxy signature; Delegation; Provable security

Abstract

In this paper we propose a very efficient and provably secure proxy signature scheme with implicit certificates (called a "certificateless proxy signature scheme"), in which a receiver does not have to verify a certificate before verifying a signed message, yet only the original signer or a proxy signer who has properly registered its public key and identity information is able to sign. Unlike traditional approaches, which assume a PKI in which the original signer and the proxy signer already hold public keys and digital certificates, our scheme does not require each user to hold a public key and a certificate, so the time otherwise spent verifying the original signer's and the proxy signer's certificates in the proxy signature verification phase is saved. Furthermore, we present a formal security model for our scheme and prove its security under the intractability of the computational Diffie–Hellman problem in the random oracle model.

© 2011 Elsevier Inc. All rights reserved.

0020-0255/$ - see front matter © 2011 Elsevier Inc. All rights reserved. doi:10.1016/j.ins.2011.11.005

(*) This research was supported by the MKE (The Ministry of Knowledge Economy), Korea, under the "ITRC" support program supervised by the NIPA (National IT Industry Promotion Agency) (NIPA-2011-C1090-1001-0004). This work was also supported by the IT Research and Development program of MKE, Korea (Development of Privacy Enhancing Cryptography on Ubiquitous Computing Environment).

E-mail addresses: [email protected] (S.-H. Seo), [email protected] (K.Y. Choi), [email protected] (J.Y. Hwang), [email protected] (S. Kim).

1. Introduction

PROXY SIGNATURES. In 1996, Mambo, Usuda, and Okamoto introduced the concept of a proxy signature scheme [21]. A proxy signature scheme allows a designated person, called a proxy signer, to sign on behalf of an original signer, for instance during the original signer's temporary absence or when the original signer lacks time or computational power. According to the degree of authorization, proxy signatures are classified into three types: "full delegation", "partial delegation" and "delegation by warrant" [17,19,21]. In 1997, Kim et al. introduced the new notion of "partial delegation with warrant", which combines the benefits of partial delegation and delegation by warrant: it is fast, and adding an explicit warrant eliminates the security weaknesses of full delegation and partial delegation [17]. Consequently, most work on proxy signature schemes has focused on partial delegation with warrant. Proxy signatures have found many practical applications, for example in grid computing, mobile agent applications, global distribution networks and mobile communications [8,12,15]. Proxy signatures may also be combined with other special signatures to obtain new properties, such as multi-proxy signatures, threshold proxy signatures, proxy blind signatures and proxy ring signatures [1,5,10,11,17,19,20,29].

TRADITIONAL PROXY SIGNATURES. Although there has been a great deal of research on proxy signatures, most of it is based on a traditional certificate-based PKI (Public Key Infrastructure). In certificate-based public key cryptosystems a user's public key is essentially a random bit string, uncorrelated with his identity, which raises the problem of how the public key is bound to the user. In such cryptosystems the binding between a public key and the user's identity is obtained via a digital certificate issued by a trusted CA (Certification Authority). The user must obtain a certificate for his public key from the CA, and a correspondent must first verify the user's certificate before using his public key. Therefore, most proxy signature schemes based on a traditional PKI require considerable effort to verify and store the certificates of both the original signer and the proxy signer.

IDENTITY-BASED PROXY SIGNATURES. To simplify the certificate management process, Shamir [24] introduced the concept of the ID-based cryptosystem. In such cryptosystems a user's public key is derived from his identity information, such as an email address or IP address, and his private key is generated by a trusted third party called the Key Generation Center (KGC). Compared to certificate-based cryptosystems, ID-based cryptosystems simplify the heavy key management process [3]. Several ID-based proxy signature schemes have been proposed [23,28,29]. However, ID-based cryptosystems inherently have the key escrow problem, i.e., the user's private key is known to the KGC, so the KGC can decrypt any ciphertext and forge a signature on any message. Thus, these ID-based proxy signature schemes cannot satisfy security requirements such as strong unforgeability and strong undeniability.

CERTIFICATELESS PROXY SIGNATURES. In 2003, Al-Riyami and Paterson [2] introduced the concept of the certificateless public-key cryptosystem (CL-PKC), which is intermediate between traditional PKC and the ID-based cryptosystem. Unlike ID-based cryptosystems, CL-PKC uses a KGC that issues only partial private keys to users; that is, the user's private key is not generated by the KGC alone. Instead, the user's full private key is a combination of the partial private key and a user-chosen secret, so that the key escrow problem is avoided. CL-PKC is not purely ID-based, since the public key is no longer computable from identity information alone: to verify a signature or to encrypt a message, one has to know both the user's additional public key and his identity information. More importantly, this additional public key does not need to be certified by any CA, due to the structure of CL-PKC. Thus, CL-PKC has less overhead than traditional certificate-based PKC, as there is no certificate management [7,9,14,25–27]. Hence, if the concept of the certificateless public-key cryptosystem is applied to the construction of proxy signatures, we can obtain a very efficient proxy signature scheme without the additional verification and management of the original signer's and the proxy signer's certificates in the proxy signature generation/verification phase. Recently, Li et al. [18] first proposed a certificateless proxy signature scheme, but they did not present a security model for it. Moreover, their scheme is inefficient because of the many pairing operations in the verification phase, and it is not secure against a proxy signature forgery attack [6]. Choi and Lee [6] analyzed the security weakness of Li et al.'s scheme and proposed a new certificateless proxy signature scheme, but they also did not prove the security of their scheme.

CONTRIBUTIONS. In this paper, we first develop a formal security model for certificateless public-key proxy signature (CL-PKPS) schemes. We then propose an efficient certificateless public-key proxy signature scheme and prove its security in our model. To achieve this, we first construct a certificateless public-key signature (CL-PKS) scheme and show that it is existentially unforgeable against Type I and Type II adversaries in the random oracle model under the computational Diffie–Hellman (CDH) assumption. Next, extending this CL-PKS scheme, we propose a certificateless public-key proxy signature (CL-PKPS) scheme. Our CL-PKPS scheme is more efficient than Li et al.'s scheme [18] and the Choi–Lee scheme [6]. We also prove that our CL-PKPS scheme is existentially unforgeable in the random oracle model under the CDH assumption.

ORGANIZATION. The remainder of this paper is organized as follows. In Section 2, we review some definitions and the cryptographic hard problems that our schemes rely on. In Section 3, we present a security model for certificateless public-key proxy signature (CL-PKPS) schemes. In Section 4, we present a certificateless public-key signature (CL-PKS) scheme and prove its security. In Section 5, we propose a certificateless public-key proxy signature (CL-PKPS) scheme, prove its security, and analyze its efficiency. We conclude in Section 6.

2. Preliminaries

In this section, we review the basic concept of bilinear maps and some assumptions related to our schemes. Throughout the paper, we assume that $G_1$ is a cyclic additive group of prime order $q$ and $G_2$ is a cyclic multiplicative group of the same order $q$, and that the discrete logarithm problem (DLP) is intractable in both $G_1$ and $G_2$. We first briefly review the necessary facts about bilinear maps and bilinear map groups, using the following standard notation.

Definition 1 (Admissible Bilinear Map). We call $e : G_1 \times G_1 \to G_2$ an admissible bilinear map if it satisfies the following properties:

(1) Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$.
(2) Non-degenerate: There exists a $P \in G_1$ such that $e(P, P) \neq 1$.
(3) Computable: There exists an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

In our setting of prime order groups, the non-degeneracy property is equivalent to $e(P, Q) \neq 1$ for all non-identity $P, Q \in G_1$. So, when $P$ is a generator of $G_1$, $e(P, P)$ is a generator of $G_2$.

Definition 2 (Computational Diffie–Hellman (CDH) Problem). A CDH parameter generator $\mathcal{IG}_{CDH}$ is a probabilistic polynomial time (PPT) algorithm that takes a security parameter $1^k$ as input, runs in polynomial time, and outputs an additive group $G$ of prime order $q$. Informally, the CDH problem is to compute $abP$ when given a generator $P$ of $G$ and $aP$, $bP$ for random $a, b \in \mathbb{Z}_q^*$. More formally, the advantage of $\mathcal{A}$ with respect to $\mathcal{IG}_{CDH}$ is defined to be

$$\Pr\Big[\, abP \leftarrow \mathcal{A}(G, P, aP, bP) \;\Big|\; G \leftarrow \mathcal{IG}_{CDH}(1^k);\ P \leftarrow_R G;\ a, b \leftarrow_R \mathbb{Z}_q^* \Big].$$

$\mathcal{IG}_{CDH}$ is said to satisfy the CDH assumption if every PPT adversary $\mathcal{A}$ has negligible advantage in solving the CDH problem.

3. Security model for certificateless public-key proxy signature

In this section, we formally define the notion of a certificateless public-key proxy signature (CL-PKPS) scheme and a security model for it. The type of CL-PKPS considered is partial delegation with warrant, so we present a formal model for partial delegation with warrant based on the certificateless public-key cryptosystem.

3.1. A notion of certificateless public-key proxy signature scheme

A certificateless public-key proxy signature scheme essentially consists of three parts: a certificateless public-key signature used by an original signer (the designator) to generate a delegation certificate, a proxy designation between an original signer and a proxy signer, and a certificateless public-key proxy signature used to generate a CL-proxy signature.

Definition 3 (certificateless public-key proxy signature scheme). A certificateless public-key proxy signature scheme is a tuple CL-PKPS = (SetUp, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key, CL-Sign, CL-Vrfy, Proxy-Desig, Proxy-KeyGen, CL-PSign, CL-PVrfy, ID-CL-Pxy) of the following polynomial time algorithms.

- SetUp: This algorithm takes a security parameter $k$ as input and returns system parameters $params$ and a secret master key $master\text{-}key$. We assume that $params$ are publicly available to all users.
- Partial-Private-Key-Extract: This algorithm takes $params$, $master\text{-}key$ and a user's identity $ID$ as input and returns a partial private key $D_{ID}$ corresponding to $ID$.
- Set-Secret-Value: This algorithm takes a security parameter $k$ and a user's identity $ID$ as input and returns the user's secret value $s_{ID}$.
- Set-Private-Key: This algorithm takes a user's partial private key $D_{ID}$ and his secret value $s_{ID}$ as input and returns the user's (full) private key $SK^{CL}_{ID}$.
- Set-Public-Key: This algorithm takes a user's secret value $s_{ID}$ as input and returns the user's public key $PK_{ID}$. We define the full public key $PK^{CL}_{ID} \triangleq \langle ID, PK_{ID} \rangle$.
- CL-Sign: This algorithm takes $params$, a user's (full) public key $PK^{CL}_{ID}$, the user's (full) private key $SK^{CL}_{ID}$, and a message $m \in \{0,1\}^*$ as input, and returns a CL-signature $\sigma^{CL}$. We write $\sigma^{CL} \leftarrow \text{CL-Sign}(params, PK^{CL}_{ID}, SK^{CL}_{ID}, m)$.
- CL-Vrfy: This algorithm takes $params$, a user's (full) public key $PK^{CL}_{ID} = \langle ID, PK_{ID} \rangle$, a message $m$, and a signature $\sigma^{CL}$ for $m$ as input. It returns $b \in \{0,1\}$. If $b = 1$, we say that $\sigma^{CL}$ is a valid CL-signature for the message $m$; otherwise, the signature is invalid. We write $b \leftarrow \text{CL-Vrfy}(params, PK^{CL}_{ID}, m, \sigma^{CL})$.
- Proxy-Desig: This algorithm takes $PK^{CL}_{ID_i}$, $PK^{CL}_{ID_j}$ and the full private key $SK^{CL}_{ID_i}$ of an original signer as input, generates a warrant message $m_\omega \in \mathcal{M}_\omega$, runs $\text{CL-Sign}(params, PK^{CL}_{ID_i}, SK^{CL}_{ID_i}, m_\omega)$, and outputs a delegation certificate $DC = (m_\omega, \sigma^{CL})$.
- Proxy-KeyGen: This algorithm takes $PK^{CL}_{ID_i}$, $PK^{CL}_{ID_j}$, the full private key $SK^{CL}_{ID_j}$ of a proxy signer and a delegation certificate $DC$ as input, and outputs a proxy signing key $SK^{CL\text{-}Pxy}_{m_\omega, i, j}$ that is used to sign messages on behalf of the user $ID_i$. We assume that the proxy signing key contains the warrant message $m_\omega$ of the delegation certificate.
- CL-PSign: This algorithm takes $params$, $PK^{CL}_{ID_i}$ of an original signer $ID_i$, $PK^{CL}_{ID_j}$ of a proxy signer $ID_j$, the proxy signing key $SK^{CL\text{-}Pxy}_{m_\omega, i, j}$ of the proxy signer and a message $m \in \{0,1\}^*$ as input, and outputs a CL-proxy signature $\sigma^{CL\text{-}Pxy}_{i,j}$ for $m$. We write $\sigma^{CL\text{-}Pxy}_{i,j} \leftarrow \text{CL-PSign}(params, PK^{CL}_{ID_i}, PK^{CL}_{ID_j}, m, SK^{CL\text{-}Pxy}_{m_\omega, i, j})$.
- CL-PVrfy: This algorithm takes $params$, $PK^{CL}_{ID_i}$ of an original signer $ID_i$, $PK^{CL}_{ID_j}$ of a proxy signer $ID_j$, a message $m$, and a CL-proxy signature $\sigma^{CL\text{-}Pxy}_{i,j}$ for $m$ as input, and returns $b \in \{0,1\}$. If $b = 1$, we say that $\sigma^{CL\text{-}Pxy}_{i,j}$ is a valid CL-proxy signature for the message $m$; otherwise, the signature is invalid. We write $b \leftarrow \text{CL-PVrfy}(params, PK^{CL}_{ID_i}, PK^{CL}_{ID_j}, m, \sigma^{CL\text{-}Pxy}_{i,j})$.
- ID-CL-Pxy: This is the identification algorithm, which takes a valid CL-proxy signature as input and outputs the identities of the proxy signer and the original signer.

In the above description, the tuple (Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key, CL-Sign, CL-Vrfy) is a normal certificateless public-key signature (CL-PKS) scheme [30]. The tuple (Proxy-Desig, Proxy-KeyGen) is the proxy designation part, in which an original signer with $ID_i$ delegates his signing capability to a proxy signer with $ID_j$ by generating a delegation certificate, i.e., $\sigma^{CL}$ on a warrant message $m_\omega$. In the proxy designation part a user may also designate himself as a proxy signer.

We require that a properly formed delegation certificate be accepted by CL-Vrfy and a properly formed certificateless public-key proxy signature be accepted by the verification algorithm CL-PVrfy. That is, a CL-PKPS scheme should satisfy the following property:

- $(params, master\text{-}key) \leftarrow \text{SetUp}(1^k)$, and for all $ID_t \in \{0,1\}^*$,
- $D_{ID_t} \leftarrow \text{Partial-Private-Key-Extract}(params, master\text{-}key, ID_t)$,
- $s_{ID_t} \leftarrow \text{Set-Secret-Value}(1^k, ID_t)$,
- $SK^{CL}_{ID_t} \leftarrow \text{Set-Private-Key}(params, D_{ID_t}, s_{ID_t})$,
- $PK_{ID_t} \leftarrow \text{Set-Public-Key}(params, s_{ID_t})$, $PK^{CL}_{ID_t} \leftarrow (ID_t, PK_{ID_t})$,
- $(m_\omega, \sigma^{CL}_{ID_i}) \leftarrow \text{Proxy-Desig}\big(PK^{CL}_{ID_i}, PK^{CL}_{ID_j}, m_\omega \in \mathcal{M}_\omega, \sigma^{CL}_{ID_i} \leftarrow \text{CL-Sign}(params, PK^{CL}_{ID_i}, SK^{CL}_{ID_i}, m_\omega)\big)$,
- $1 \leftarrow \text{CL-Vrfy}(params, PK^{CL}_{ID_i}, m_\omega, \sigma^{CL}_{ID_i})$,
- $SK^{CL\text{-}Pxy}_{m_\omega, i, j} \leftarrow \text{Proxy-KeyGen}(params, m_\omega, \sigma^{CL}_{ID_i}, SK^{CL}_{ID_j})$,
- for all $m \in \{0,1\}^*$, $\sigma^{CL\text{-}Pxy}_{i,j} \leftarrow \text{CL-PSign}(params, PK^{CL}_{ID_i}, PK^{CL}_{ID_j}, m, SK^{CL\text{-}Pxy}_{m_\omega, i, j})$,
- $1 \leftarrow \text{CL-PVrfy}(params, PK^{CL}_{ID_i}, PK^{CL}_{ID_j}, m, \sigma^{CL\text{-}Pxy}_{i,j})$.

3.2. Security model for certificateless public-key proxy signature scheme

We now describe our adversarial model for a certificateless public-key proxy signature scheme. First, as in normal certificateless cryptography [2,13], we consider two types of forger for a CL-PKPS scheme, a Type I forger $\mathcal{F}_I$ and a Type II forger $\mathcal{F}_{II}$. The forger $\mathcal{F}_I$ represents a normal adversary (against a certificateless scheme) who has no access to the master key but may request that public keys be replaced with values of its choice, possibly without knowing the corresponding secret key. The forger $\mathcal{F}_{II}$ models a malicious KGC who generates the partial private keys of users using the master key; $\mathcal{F}_{II}$ has access to $master\text{-}key$ but is not allowed to replace a user's public key.

In our model, we consider an active adversary who can adaptively choose identities $ID_i$ for a designator (i.e., an original signer) and $ID_j$ for a proxy signer, and play the role of the user with $ID_i$ in executions of the CL-PKPS with the user with $ID_j$, either as a designator or as a proxy signer. In addition, the adversary is allowed to request that a user run the proxy designation algorithm with the adversary itself. We also do not assume the existence of a secure channel between a designator and a proxy signer. By giving the adversary access to a certificateless public-key signing oracle and a certificateless public-key proxy signing oracle, we model chosen message and ID attacks.

To capture the security notions systematically we define five games, Game $i$ ($i = 1, \ldots, 5$), between a challenger $\mathcal{C}$ and a Type I or Type II forger. In Game 1 and Game 2, the goal of the adversary is to produce a forgery against a CL-PKS under Type I and Type II attacks, respectively; note that Game 1 and Game 2 capture the security notion of a normal CL-PKS scheme [2]. In Game 3, the goal of an adversary playing the role of a designator is to produce a forgery against a CL-PKPS. In Game 4 and Game 5, the goal of an adversary playing the role of neither a designator nor a proxy signer is to produce a forgery against a CL-PKPS under Type I and Type II attacks, respectively. Note that Game 4 and Game 5 include the case of self-delegation and so differ from Game 3.

Definition 4 (Initialization). On input $1^k$, the challenger $\mathcal{C}$ runs the SetUp algorithm and generates a master secret key $master\text{-}key$ and public system parameters $params$. $\mathcal{C}$ keeps $master\text{-}key$ secret and publishes $params$ to all users, including adversaries. In the games $master\text{-}key$ is given only to the Type II forger $\mathcal{F}_{II}$.

Definition 5 (Queries). A Type I or Type II forger $\mathcal{F}$ may adaptively make some of the following requests or queries in the games. Note that a Type II forger does not need an extraction query to obtain partial private keys, since $master\text{-}key$ is given to the Type II forger.

- ExtrPartSK($ID$): When $\mathcal{F}$ requests the partial private key of the user with identity $ID$, $\mathcal{C}$ responds with the user's partial private key $D_{ID}$, obtained by running the Partial-Private-Key-Extract algorithm.
- ExtrFullSK($ID$): When $\mathcal{F}$ requests the full private key of the user with identity $ID$, $\mathcal{C}$ computes the user's partial private key $D_{ID}$ by running Partial-Private-Key-Extract and the user's secret value $s_{ID}$ by running Set-Secret-Value, and responds with $SK_{ID}$ obtained by running Set-Private-Key.
- ReqPK($ID$): When $\mathcal{F}$ requests the public key of the user with identity $ID$, the challenger $\mathcal{C}$ responds with the user's public key $PK_{ID}$, obtained by running the Set-Secret-Value and Set-Public-Key algorithms.
- Designation($ID_i$, $ID_j$): When $\mathcal{F}$ requests that the user with identity $ID_i$ designate the user with identity $ID_j$ as a proxy signer, $\mathcal{C}$ generates a warrant message $m_\omega$ and runs $\text{Proxy-Desig}(PK^{CL}_{ID_i}, PK^{CL}_{ID_j}, SK^{CL}_{ID_i}, m_\omega)$ to generate a delegation certificate $DC = (m_\omega, \sigma^{CL}_i)$.
- CL-SIGN($m$, $ID$): When $\mathcal{F}$ requests a signature on a message $m$ for the user with identity $ID$, the challenger $\mathcal{C}$ responds with a valid signature $\sigma$ for $m$, obtained by running CL-Sign with the matching public key $PK_{ID}$ for $ID$. We consider a weak (but more reasonable) security definition in which the matching public key $PK_{ID}$ for $ID$ has not been replaced.
- CL-ProxySIGN($m$, $ID_i$, $ID_j$): When $\mathcal{F}$ requests a proxy signature on a message $m$ by the user with identity $ID_j$ on behalf of the user with identity $ID_i$, the challenger $\mathcal{C}$ responds with a valid proxy signature $\sigma^{CL\text{-}Pxy}_{i,j}$ for $m$, obtained by running CL-PSign with the matching public keys for $ID_i$ and $ID_j$. Again we consider the weak (but more reasonable) security definition in which the matching public keys have not been replaced.

Definition 6 (Game 1). This game considers a normal forger $\mathcal{F}_I$ for a CL-PKS scheme. The game is played between a challenger $\mathcal{C}$ and a Type I forger $\mathcal{F}_I$.

- Queries: $\mathcal{F}_I$ may adaptively issue the ExtrPartSK($ID$), ExtrFullSK($ID$), ReqPK($ID$), and CL-SIGN($m$, $ID$) queries to $\mathcal{C}$.
- Output: Eventually, $\mathcal{F}_I$ outputs $(ID_t, PK_t, m_t, \sigma^{CL}_t)$, where $ID_t$ is the identity of a target user, $PK_t$ is a public key selected by $\mathcal{F}_I$, $m_t$ is a message, and $\sigma^{CL}_t$ is a signature for $m_t$. $\mathcal{F}_I$ wins the game if
  - the ExtrPartSK($ID_t$), ExtrFullSK($ID_t$) and CL-SIGN($m_t$, $ID_t$) queries have never been issued, and
  - $\text{CL-Vrfy}(params, \langle ID_t, PK_t \rangle, m_t, \sigma^{CL}_t)$ outputs 1, that is, the signature $\sigma^{CL}_t$ for the message $m_t$ is valid under $ID_t$ and $PK_t$.

We define $\mathrm{Succ}^{\mathrm{EUF\text{-}Game1}}_{\mathcal{F}_I, \mathrm{CL\text{-}PKPS}}$ to be the probability that $\mathcal{F}_I$ wins Game 1. We say that a CL-PKPS is existentially unforgeable under Type I chosen message and ID attacks in Game 1 if, for every polynomially bounded Type I forger $\mathcal{F}_I$, the success probability $\mathrm{Succ}^{\mathrm{EUF\text{-}Game1}}_{\mathcal{F}_I, \mathrm{CL\text{-}PKPS}}$ is negligible.

Definition 7 (Game 2). This game considers a malicious KGC $\mathcal{F}_{II}$ who knows the master key of a CL-PKS scheme. The game is played between a challenger $\mathcal{C}$ and a Type II forger $\mathcal{F}_{II}$.

- Queries: $\mathcal{F}_{II}$ may adaptively issue the ReqPK($ID$), ExtrFullSK($ID$) and CL-SIGN($m$, $ID$) queries to $\mathcal{C}$.
- Output: Eventually, $\mathcal{F}_{II}$ outputs $(ID_t, m_t, \sigma^{CL}_t)$, where $ID_t$ is the identity of a target user, $m_t$ is a message, and $\sigma^{CL}_t$ is a signature for $m_t$. $\mathcal{F}_{II}$ wins the game if
  - the ReqPK($ID_t$) query has been issued and the matching public key $PK_t$ for $ID_t$ has been defined,
  - the CL-SIGN($m_t$, $ID_t$) query has never been issued, and
  - $\text{CL-Vrfy}(params, \langle ID_t, PK_t \rangle, m_t, \sigma^{CL}_t)$ outputs 1, that is, the signature $\sigma^{CL}_t$ for the message $m_t$ is valid under $ID_t$ and $PK_t$.

We define $\mathrm{Succ}^{\mathrm{EUF\text{-}Game2}}_{\mathcal{F}_{II}, \mathrm{CL\text{-}PKPS}}$ to be the probability that $\mathcal{F}_{II}$ wins Game 2. We say that a CL-PKPS is existentially unforgeable under Type II chosen message and ID attacks in Game 2 if, for every polynomially bounded Type II forger $\mathcal{F}_{II}$, the success probability $\mathrm{Succ}^{\mathrm{EUF\text{-}Game2}}_{\mathcal{F}_{II}, \mathrm{CL\text{-}PKPS}}$ is negligible.

Definition 8 (Game 3). This game considers a malicious original signer (delegator) $\mathcal{F}_I$ who knows the private key of the original signer. The game is played between a challenger $\mathcal{C}$ and a Type I forger $\mathcal{F}_I$ for a CL-PKPS scheme.

- Queries: $\mathcal{F}_I$ may adaptively issue the ExtrPartSK($ID$), ExtrFullSK($ID$), ReqPK($ID$), Designation($ID_i$, $ID_j$), CL-SIGN($m$, $ID$), and CL-ProxySIGN($m$, $ID_i$, $ID_j$) queries to $\mathcal{C}$.
- Output: Eventually, $\mathcal{F}_I$ outputs $(ID_o, PK_o, ID_t, PK_t, m_t, \sigma^{CL\text{-}Pxy}_{o,t})$, where $ID_o$ is the identity of the original signer, $PK_o$ is the public key of the original signer, $ID_t$ is the identity of a target user, $PK_t$ is a public key selected by $\mathcal{F}_I$, $m_t$ is a message, and $\sigma^{CL\text{-}Pxy}_{o,t}$ is a proxy signature for $m_t$. $\mathcal{F}_I$ wins the game if
  - the ExtrPartSK($ID_t$), ExtrFullSK($ID_t$) and CL-ProxySIGN($m_t$, $ID_o$, $ID_t$) queries have never been issued, and
  - $\text{CL-PVrfy}(params, \langle ID_o, PK_o \rangle, \langle ID_t, PK_t \rangle, m_t, \sigma^{CL\text{-}Pxy}_{o,t})$ outputs 1, that is, the proxy signature $\sigma^{CL\text{-}Pxy}_{o,t}$ for the message $m_t$ is valid under $ID_t$ and $PK_t$ on behalf of $ID_o$.

We define $\mathrm{Succ}^{\mathrm{EUF\text{-}Game3}}_{\mathcal{F}_I, \mathrm{CL\text{-}PKPS}}$ to be the probability that $\mathcal{F}_I$ wins Game 3. We say that a CL-PKPS is existentially unforgeable under Type I chosen message and ID attacks in Game 3 if, for every polynomially bounded Type I forger $\mathcal{F}_I$, the success probability $\mathrm{Succ}^{\mathrm{EUF\text{-}Game3}}_{\mathcal{F}_I, \mathrm{CL\text{-}PKPS}}$ is negligible.

Definition 9 (Game 4). This game considers a normal forger $\mathcal{F}_I$ who cannot access the private key of the original signer of a CL-PKPS scheme. The game is played between a challenger $\mathcal{C}$ and a Type I forger $\mathcal{F}_I$.

- Queries: $\mathcal{F}_I$ may adaptively issue the ExtrPartSK($ID$), ExtrFullSK($ID$), ReqPK($ID$), Designation($ID_i$, $ID_j$), CL-SIGN($m$, $ID$), and CL-ProxySIGN($m$, $ID_i$, $ID_j$) queries to $\mathcal{C}$.
- Output: Eventually, $\mathcal{F}_I$ outputs $(ID_o, PK_o, ID_t, PK_t, m_t, \sigma^{CL\text{-}Pxy}_{o,t})$, where $ID_o$ is the identity of the original signer, $PK_o$ is the public key of the original signer, $ID_t$ is the identity of a target user, $PK_t$ is a public key selected by $\mathcal{F}_I$, $m_t$ is a message, and $\sigma^{CL\text{-}Pxy}_{o,t}$ is a proxy signature for $m_t$. $\mathcal{F}_I$ wins the game if
  - the ExtrPartSK($ID_o$), ExtrPartSK($ID_t$), ExtrFullSK($ID_o$), ExtrFullSK($ID_t$), and CL-ProxySIGN($m_t$, $ID_o$, $ID_t$) queries have never been issued, and
  - $\text{CL-PVrfy}(params, \langle ID_o, PK_o \rangle, \langle ID_t, PK_t \rangle, m_t, \sigma^{CL\text{-}Pxy}_{o,t})$ outputs 1, that is, the proxy signature $\sigma^{CL\text{-}Pxy}_{o,t}$ for the message $m_t$ is valid under $ID_t$ and $PK_t$ on behalf of $ID_o$.

We define $\mathrm{Succ}^{\mathrm{EUF\text{-}Game4}}_{\mathcal{F}_I, \mathrm{CL\text{-}PKPS}}$ to be the probability that $\mathcal{F}_I$ wins Game 4. We say that a CL-PKPS is existentially unforgeable under Type I chosen message and ID attacks in Game 4 if, for every polynomially bounded Type I forger $\mathcal{F}_I$, the success probability $\mathrm{Succ}^{\mathrm{EUF\text{-}Game4}}_{\mathcal{F}_I, \mathrm{CL\text{-}PKPS}}$ is negligible.

Definition 10 (Game 5). This game considers a malicious KGC $\mathcal{F}_{II}$ for a CL-PKPS scheme. The game is played between a challenger $\mathcal{C}$ and a Type II forger $\mathcal{F}_{II}$.

- Queries: $\mathcal{F}_{II}$ may adaptively issue the ExtrFullSK($ID$), ReqPK($ID$), Designation($ID_i$, $ID_j$), CL-SIGN($m$, $ID$), and CL-ProxySIGN($m$, $ID_i$, $ID_j$) queries to $\mathcal{C}$.
- Output: Eventually, $\mathcal{F}_{II}$ outputs $(ID_o, PK_o, ID_t, PK_t, m_t, \sigma^{CL\text{-}Pxy}_{o,t})$, where $ID_o$ is the identity of the original signer, $PK_o$ is the public key of the original signer, $ID_t$ is the identity of a target user, $PK_t$ is the public key of $ID_t$, $m_t$ is a message, and $\sigma^{CL\text{-}Pxy}_{o,t}$ is a proxy signature for $m_t$. $\mathcal{F}_{II}$ wins the game if
  - the ReqPK($ID_t$) query has been issued and the matching public key $PK_t$ for $ID_t$ has been defined,
  - the ExtrFullSK($ID_o$), ExtrFullSK($ID_t$), CL-SIGN($m_t$, $ID_t$), and CL-ProxySIGN($m_t$, $ID_o$, $ID_t$) queries have never been issued, and
  - $\text{CL-PVrfy}(params, \langle ID_o, PK_o \rangle, \langle ID_t, PK_t \rangle, m_t, \sigma^{CL\text{-}Pxy}_{o,t})$ outputs 1, that is, the proxy signature $\sigma^{CL\text{-}Pxy}_{o,t}$ for the message $m_t$ is valid under $ID_t$ and $PK_t$ on behalf of $ID_o$.

We define $\mathrm{Succ}^{\mathrm{EUF\text{-}Game5}}_{\mathcal{F}_{II}, \mathrm{CL\text{-}PKPS}}$ to be the probability that $\mathcal{F}_{II}$ wins Game 5. We say that a CL-PKPS is existentially unforgeable under Type II chosen message and ID attacks in Game 5 if, for every polynomially bounded Type II forger $\mathcal{F}_{II}$, the success probability $\mathrm{Succ}^{\mathrm{EUF\text{-}Game5}}_{\mathcal{F}_{II}, \mathrm{CL\text{-}PKPS}}$ is negligible.

We say that a certificateless public-key proxy signature scheme CL-PKPS is secure if, for every polynomially bounded Type I forger $\mathcal{F}_I$, $\mathrm{Succ}^{\mathrm{EUF\text{-}Game}\,i}_{\mathcal{F}_I, \mathrm{CL\text{-}PKPS}}$ ($i = 1, 3, 4$) is negligible and, for every polynomially bounded Type II forger $\mathcal{F}_{II}$, $\mathrm{Succ}^{\mathrm{EUF\text{-}Game}\,i}_{\mathcal{F}_{II}, \mathrm{CL\text{-}PKPS}}$ ($i = 2, 5$) is negligible.

4. Our proposed certificateless public-key signature scheme

In this section we propose an efficient and provably secure certificateless public-key signature scheme CL-PKS, which is used later as the building block of our certificateless public-key proxy signature scheme.

SetUp. Given a security parameter $1^k$, generate an admissible bilinear map $e: G_1 \times G_1 \to G_2$ and a random generator $P$ of $G_1$. Select $s \in Z_q^*$ at random and compute $P_{pub} = sP$. Return the master secret key $s$ and the system parameters $params = \{e, G_1, G_2, q, P, P_{pub}, H_1, H_2, H_3\}$, where $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to Z_q^*$ and $H_3: \{0,1\}^* \to G_1$ are cryptographic hash functions. We assume that the public $params$ is available to all users.

Partial-Private-Key-Extract. Given $params$ and an identity $ID_A \in \{0,1\}^k$ of user A, compute $Q_A = H_1(ID_A)$ and $D_A = sQ_A$, and return the partial private key $D_A$ to user A. Upon receiving $D_A$, user A checks whether $e(D_A, P) = e(H_1(ID_A), P_{pub})$. If the equality holds, A keeps $D_A = sQ_A$ secret as its partial private key.

Set-Private/Public-Key. Given $params$, A's partial private key $D_A$ and A's secret random value $x_A$, compute $PK_A = x_A P$ and output the full private key $SK^{CL}_A = \langle D_A, x_A \rangle$ and the full public key $PK^{CL}_A = \langle ID_A, PK_A \rangle$ for A.

CL-Sign. Given $params$, a full public key $PK^{CL}_A$, a full private key $SK^{CL}_A$, and a message $m \in \{0,1\}^*$, generate a random number $r \in_R Z_q^*$ and compute
$$U = rP, \quad y_A = H_2(PK_A, U), \quad V = D_A + (r + y_A x_A)\, H_3(m, ID_A, PK_A, U).$$
Output the CL-signature $\sigma^{CL} = (U, V)$.

CL-Vrfy. Given $params$, a signer's public key $PK^{CL}_A = \langle ID_A, PK_A \rangle$, a CL-signature $\sigma^{CL} = (U, V)$ and a message $m$, compute $H_1(ID_A)$, $y_A = H_2(PK_A, U)$ and $H_3(m, ID_A, PK_A, U)$, and check whether
$$e(V, P) = e(H_1(ID_A), P_{pub}) \cdot e(H_3(m, ID_A, PK_A, U),\ U + y_A PK_A).$$
If the equality holds then output 1, which means "valid". Otherwise, output 0.

In the Partial-Private-Key-Extract algorithm, the partial private key $D_A$ is actually a signature on the message $ID_A$ under the short signature scheme of [4] with the verification/signing key pair $(P_{pub}, s)$.


328 S.-H. Seo et al. / Information Sciences 188 (2012) 322–337

4.1. Correctness

In this section we prove, by the following theorem, that the proposed certificateless public-key signature (CL-PKS) scheme works correctly.

Theorem 1 (Correctness). In the certificateless signature verification (CL-Vrfy) phase, anyone can verify the validity of $\sigma^{CL}$, where $params$, $PK^{CL}_A = \langle ID_A, PK_A \rangle$, $(U, V)$ and $m$ are given.

Proof. Since $U = rP$, $V = D_A + (r + y_A x_A)\, H_3(m, ID_A, PK_A, U)$ and $D_A = sQ_A = sH_1(ID_A)$, the correctness of the CL-Vrfy phase is justified as follows:
$$\begin{aligned}
e(V, P) &= e\big(sH_1(ID_A) + (r + x_A y_A)\, H_3(m, ID_A, PK_A, U),\ P\big) \\
&= e(H_1(ID_A), P_{pub})\, e\big((r + x_A y_A)\, H_3(m, ID_A, PK_A, U),\ P\big) \\
&= e(H_1(ID_A), P_{pub})\, e\big(H_3(m, ID_A, PK_A, U),\ U + y_A PK_A\big). \ \square
\end{aligned}$$

4.2. Security analysis

The following theorem asserts that our certificateless public-key signature scheme CL-PKS is secure in the random oracle model.

Theorem 2 (Unforgeability). Our certificateless public-key signature scheme CL-PKS is existentially unforgeable against adaptively chosen message and ID attacks in the random oracle model under the CDH assumption in the group $G_1$.

Proof. We have to prove that CL-PKS is existentially unforgeable against both Type I and Type II adversaries. See Appendix A for the proof of Theorem 2. □

5. Our proposed certificateless public-key proxy signature scheme

In this section we propose a certificateless public-key proxy signature scheme CL-PKPS using the CL-PKS constructed in the previous section.

SetUp. Given a security parameter $1^k$, generate an admissible bilinear map $e: G_1 \times G_1 \to G_2$ and a random generator $P$ of $G_1$. Select $s \in Z_q^*$ at random and compute $P_{pub} = sP$. Return the master secret key $s$ and the system parameters $params = \{e, G_1, G_2, q, P, P_{pub}, H_1, H_{2,0}, H_{2,1}, H_{3,0}, H_{3,1}\}$, where $H_1: \{0,1\}^* \to G_1$, $H_{2,0}: \{0,1\}^* \to Z_q^*$, $H_{2,1}: \{0,1\}^* \to Z_q^*$, $H_{3,0}: \{0,1\}^* \to G_1$, and $H_{3,1}: \{0,1\}^* \to G_1$ are cryptographic hash functions. We assume that the public $params$ is available to all users.

Partial-Private-Key-Extract. Given $params$ and an identity $ID_A \in \{0,1\}^k$ of user A, compute $Q_A = H_1(ID_A)$ and $D_A = sQ_A$, and return $D_A$. If $e(D_A, P) = e(H_1(ID_A), P_{pub})$ holds, user A keeps the partial private key $D_A = sQ_A$ secret.

Set-Private/Public-Key. Given $params$, a partial private key $D_A$ and a secret random value $x_A$ for user A, compute $PK_A = x_A P$ and output the full private key $SK^{CL}_A = \langle D_A, x_A \rangle$ and the full public key $PK^{CL}_A = \langle ID_A, PK_A \rangle$ for A.

CL-Sign/CL-Vrfy. These are the same as the algorithms defined in Section 4.

Proxy-Desig. Given $params$, the original signer A's full private key $SK^{CL}_A$, and a warrant message $m_\omega$, generate a random number $r_A \in_R Z_q^*$ and compute $U_A = r_A P$, $y_A = H_{2,0}(PK_A, U_A)$ and $V_A = D_A + (r_A + y_A x_A)\, H_{3,0}(m_\omega, ID_A, PK_A, U_A)$. The information on the delegation is described in the warrant message $m_\omega$, e.g., its validity period and the full public keys of the original signer and the proxy signer.

Proxy-KeyGen. Given $params$, a warrant $m_\omega$, a CL-signature $\sigma^{CL}_A = (U_A, V_A)$ of the original signer A on the warrant $m_\omega$, and the secret key $D_B = sH_1(ID_B)$ of a proxy signer B, check whether
$$e(V_A, P) = e(Q_A, P_{pub}) \cdot e\big(H_{3,0}(m_\omega, ID_A, PK_A, U_A),\ U_A + y_A PK_A\big).$$
If the CL-signature $\sigma^{CL}_A$ on $m_\omega$ is valid, namely $1 \leftarrow$ CL-Vrfy$(params, PK^{CL}_A, m_\omega, \sigma^{CL}_A)$, then compute
$$D^{CL-Pxy}_{m_\omega, A, B} = V_A + D_B$$
and output $SK^{CL-Pxy}_{m_\omega, A, B} = (x_B, D^{CL-Pxy}_{m_\omega, A, B}, m_\omega, U_A)$, where $PK^{CL}_A = \langle ID_A, PK_A \rangle$ is the full public key of the original signer. The CL-proxy public verification key of the proxy signer B is defined by
$$PK^{CL-Pxy}_{A,B} = (PK^{CL}_A, PK^{CL}_B) = (ID_A, PK_A, ID_B, PK_B),$$
where $PK^{CL}_B = \langle ID_B, PK_B \rangle$ is the full public key of the proxy signer.

CL-PSign. Given $params$, a full public key $PK^{CL}_B = \langle ID_B, PK_B \rangle$, a secret proxy signing key $SK^{CL-Pxy}_{m_\omega, A, B}$, and a message $m \in \{0,1\}^*$, perform as follows:
(1) Generate a random number $r_B \in Z_q^*$.
(2) Compute $U_B = r_B P$ and $y_B = H_{2,1}(PK_B, U_A, U_B)$.
(3) Compute $V_B = D^{CL-Pxy}_{m_\omega, A, B} + (r_B + x_B y_B)\, H_{3,1}(m, ID_B, PK_B, U_A, U_B)$.
Output the CL-proxy signature $\sigma^{CL-Pxy}_{A,B} = (m_\omega, U_A, U_B, V_B)$ for $m$.

CL-PVrfy. Given $params$, a CL-proxy verification key $PK^{CL-Pxy}_{A,B} = (ID_A, PK_A, ID_B, PK_B)$, a message $m$, and a CL-proxy signature $\sigma^{CL-Pxy}_{A,B} = (m_\omega, U_A, U_B, V_B)$ for $m$, compute the hash values $Q_A = H_1(ID_A)$, $Q_B = H_1(ID_B)$, $y_A = H_{2,0}(PK_A, U_A)$, $y_B = H_{2,1}(PK_B, U_A, U_B)$, $Z_A = H_{3,0}(m_\omega, ID_A, PK_A, U_A)$ and $Z_B = H_{3,1}(m, ID_B, PK_B, U_A, U_B)$, and then check whether
$$e(V_B, P) = e(Q_A + Q_B, P_{pub}) \cdot e(Z_A,\ U_A + y_A PK_A) \cdot e(Z_B,\ U_B + y_B PK_B).$$
If the equality holds then output 1, which means "valid". Otherwise, output 0.

Note that the above CL proxy signature scheme does not require any secure channel for the original signer A to send the CL-signature $\sigma^{CL}_A$ on the warrant $m_\omega$ that designates the proxy signer; that is, the original signer transmits $\sigma^{CL}_A$ for $m_\omega$ to the proxy signer publicly.
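The following Python model exercises the algorithms of Sections 4 and 5 end to end: Partial-Private-Key-Extract with the user's pairing check, CL-Sign/CL-Vrfy, Proxy-Desig (CL-Sign under $H_{2,0}$ and $H_{3,0}$), Proxy-KeyGen with its CL-Vrfy check on the warrant signature, CL-PSign and CL-PVrfy. It is an added example, not code from the paper. It assumes a constructed toy bilinear group in which a point $aP$ of $G_1$ is stored as the scalar $a$ modulo a prime $q$ and $e(aP, bP) = e(P,P)^{ab}$ is stored as its exponent $ab$, so that a product of $G_2$ elements is a sum of exponents; the map is bilinear, which is all the verification equations use, but discrete logarithms are trivial in it, so it models the algebra only and is not a secure instantiation. SHA-256 with a domain tag stands in for $H_1$, $H_{2,0}$, $H_{2,1}$, $H_{3,0}$ and $H_{3,1}$, and the identities, warrant and message in `demo()` are constructed values.

```python
import hashlib
import secrets

Q = 2**127 - 1   # prime order of G1 and G2 (a Mersenne prime; constructed choice)

# Toy bilinear group (constructed, NOT secure): a point aP of G1 is the scalar a mod Q
# with generator P = 1; a G2 element e(P,P)^k is stored as the exponent k, so the
# product of two G2 elements is the sum of their exponents.
def add(a, b): return (a + b) % Q                 # point addition in G1
def mul(k, a): return (k * a) % Q                 # scalar multiplication k*A in G1
def pair(a, b): return (a * b) % Q                # e(aP, bP) = e(P,P)^(ab), stored as ab
def gt_mul(*xs): return sum(xs) % Q               # product in G2

def H(tag, *parts):
    """Hash (tag, parts) to a non-zero element of Z_Q^*; the tag separates H1, H2,0, ..."""
    data = tag.encode() + b"".join(str(p).encode() + b"|" for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def rand_scalar(): return secrets.randbelow(Q - 1) + 1   # uniform in Z_Q^*

# --- SetUp, Partial-Private-Key-Extract, Set-Private/Public-Key -------------
def setup():
    s = rand_scalar()
    return s, mul(s, 1)                        # master secret s, P_pub = sP

def partial_key_extract(s, ppub, ident):
    qa = H("H1", ident)                        # Q_A = H1(ID_A)
    da = mul(s, qa)                            # D_A = s*Q_A
    assert pair(da, 1) == pair(qa, ppub)       # user's check e(D_A,P) = e(H1(ID_A),P_pub)
    return da

def set_keys(da):
    xa = rand_scalar()
    return (da, xa), mul(xa, 1)                # SK = <D_A, x_A>, PK_A = x_A*P

# --- CL-Sign / CL-Vrfy (Section 4); Proxy-Desig is CL-Sign with H2,0 / H3,0 ---
def cl_sign(sk, ident, pk, m, h2="H2", h3="H3"):
    da, xa = sk
    r = rand_scalar()
    u = mul(r, 1)                              # U = rP
    y = H(h2, pk, u)                           # y_A = H2(PK_A, U)
    v = add(da, mul(r + y * xa, H(h3, m, ident, pk, u)))   # V = D_A + (r + y_A x_A)*H3(...)
    return u, v

def cl_verify(ppub, ident, pk, m, sig, h2="H2", h3="H3"):
    u, v = sig
    y = H(h2, pk, u)
    rhs = gt_mul(pair(H("H1", ident), ppub),
                 pair(H(h3, m, ident, pk, u), add(u, mul(y, pk))))
    return pair(v, 1) == rhs                   # e(V,P) = e(H1(ID),P_pub) e(H3(..), U + y PK)

# --- Proxy-KeyGen, CL-PSign, CL-PVrfy (Section 5) ----------------------------
def proxy_keygen(ppub, id_a, pk_a, warrant, sig_a, sk_b):
    """B checks A's signature on the warrant, then derives (x_B, V_A + D_B, m_w, U_A)."""
    if not cl_verify(ppub, id_a, pk_a, warrant, sig_a, "H2,0", "H3,0"):
        return None
    ua, va = sig_a
    db, xb = sk_b
    return xb, add(va, db), warrant, ua

def cl_psign(psk, id_b, pk_b, m):
    xb, dpxy, warrant, ua = psk
    rb = rand_scalar()
    ub = mul(rb, 1)                                       # U_B = r_B P
    yb = H("H2,1", pk_b, ua, ub)                          # y_B = H2,1(PK_B, U_A, U_B)
    vb = add(dpxy, mul(rb + xb * yb, H("H3,1", m, id_b, pk_b, ua, ub)))
    return warrant, ua, ub, vb                            # sigma^{CL-Pxy} = (m_w, U_A, U_B, V_B)

def cl_pverify(ppub, id_a, pk_a, id_b, pk_b, m, psig):
    warrant, ua, ub, vb = psig
    ya, yb = H("H2,0", pk_a, ua), H("H2,1", pk_b, ua, ub)
    za = H("H3,0", warrant, id_a, pk_a, ua)
    zb = H("H3,1", m, id_b, pk_b, ua, ub)
    rhs = gt_mul(pair(add(H("H1", id_a), H("H1", id_b)), ppub),
                 pair(za, add(ua, mul(ya, pk_a))),
                 pair(zb, add(ub, mul(yb, pk_b))))
    return pair(vb, 1) == rhs

def demo():
    """Delegation from A to B, one proxy signature, and two checks that must fail."""
    s, ppub = setup()
    id_a, id_b = "alice@example.org", "bob@example.org"   # constructed identities
    sk_a, pk_a = set_keys(partial_key_extract(s, ppub, id_a))
    sk_b, pk_b = set_keys(partial_key_extract(s, ppub, id_b))
    warrant = "A delegates to B; valid until 2012-12-31"   # constructed warrant m_w
    sig_a = cl_sign(sk_a, id_a, pk_a, warrant, "H2,0", "H3,0")   # Proxy-Desig, sent in clear
    psk = proxy_keygen(ppub, id_a, pk_a, warrant, sig_a, sk_b)
    m = "transfer 10 units"
    psig = cl_psign(psk, id_b, pk_b, m)
    ok = cl_pverify(ppub, id_a, pk_a, id_b, pk_b, m, psig)
    wrong_msg = cl_pverify(ppub, id_a, pk_a, id_b, pk_b, "transfer 99 units", psig)
    wrong_key = cl_pverify(ppub, id_a, pk_a, id_b, mul(rand_scalar(), 1), m, psig)
    return ok, wrong_msg, wrong_key
```

`demo()` returns `(True, False, False)`: the proxy signature passes CL-PVrfy, while the same signature presented for a different message, or for a proxy public key that B never registered, fails. Both failures come from the hash inputs $(m, ID_B, PK_B, U_A, U_B)$ and $(PK_B, U_A, U_B)$ changing, which is why the scheme binds the warrant, both identities and both public keys into the oracle inputs. Because $\sigma^{CL}_A$ on the warrant is itself publicly verifiable, Proxy-KeyGen can reject a bad delegation before deriving any proxy key, which is what allows the designation to travel over a public channel.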

5.1. Correctness

In this section we prove, by the following theorem, that the proposed certificateless public-key proxy signature (CL-PKPS) scheme works correctly.

Theorem 3 (Correctness). In the certificateless proxy signature verification (CL-PVrfy) phase, anyone can verify the validity of $\sigma^{CL-Pxy}_{A,B}$, where $params$, $PK^{CL-Pxy}_{A,B} = (ID_A, PK_A, ID_B, PK_B)$, $(m_\omega, U_A, U_B, V_B)$ and $m$ are given.

Proof. Since $V_B = D^{CL-Pxy}_{m_\omega, A, B} + (r_B + x_B y_B) Z_B$, $D^{CL-Pxy}_{m_\omega, A, B} = V_A + D_B$, $V_A = D_A + (r_A + y_A x_A) Z_A$, $D_A = sQ_A = sH_1(ID_A)$ and $D_B = sQ_B = sH_1(ID_B)$, the correctness of the CL-PVrfy phase is justified as follows:
$$\begin{aligned}
e(V_B, P) &= e\big(D^{CL-Pxy}_{m_\omega, A, B} + (r_B + x_B y_B) Z_B,\ P\big) \\
&= e\big(V_A + D_B + (r_B + x_B y_B) Z_B,\ P\big) \\
&= e\big(sH_1(ID_A) + (r_A + x_A y_A) Z_A + sH_1(ID_B) + (r_B + x_B y_B) Z_B,\ P\big) \\
&= e(H_1(ID_A) + H_1(ID_B), P_{pub})\, e(Z_A,\ U_A + y_A PK_A)\, e(Z_B,\ U_B + y_B PK_B),
\end{aligned}$$
where $Z_A = H_{3,0}(m_\omega, ID_A, PK_A, U_A)$ and $Z_B = H_{3,1}(m, ID_B, PK_B, U_A, U_B)$. □

5.2. Security analysis

The following theorem asserts that our certificateless proxy signature scheme CL-PKPS is secure in the random oracle model.

Theorem 4 (Unforgeability). If the CDH assumption in $G_1$ holds, then our certificateless public-key proxy signature scheme CL-PKPS is secure under adaptively chosen message and ID attacks in the random oracle model.

Proof. We have to prove that CL-PKPS is secure in the sense of the security model, that is, that in each of the five games any Type I or Type II forger has negligible advantage. See Appendix B for the proof of Theorem 4. □

5.3. Efficiency analysis

In this section we first compare our certificateless public-key proxy signature (CL-PKPS) scheme with a traditional certificate-based public-key proxy signature (PKPS) scheme and an ID-based proxy signature (ID-PS) scheme. In a traditional certificate-based public-key proxy signature scheme, the original signer's certificate and the proxy signer's certificate must be verified; besides, storage is needed to manage the signers' certificates. So PKPS requires considerable effort to verify the original signer's and proxy signer's certificates and to manage them. An ID-based proxy signature scheme solves these problems, i.e., certificate management and verification; however, it has the key escrow problem: the KGC can forge a signature (including a proxy signature) on any message, because it knows the signer's private key. Thus, no ID-based proxy signature scheme can satisfy strong unforgeability and strong undeniability. Compared to PKPS and ID-PS, a certificateless public-key proxy signature scheme removes the above weaknesses, i.e., it requires neither computing time to verify the signers' certificates nor the additional management of the certificates. Thus, the concept of a certificateless public-key cryptosystem can be used to construct a more efficient proxy signature scheme than the others. Table 1 presents the comparison among CL-PKPS, PKPS, and ID-PS.

Table 1. Comparison between certificate-based public key proxy signature (PKPS), ID-based proxy signature (ID-PS), and certificateless public key proxy signature (CL-PKPS).

  Scheme    CERT_O verification   CERT_P verification   Key escrow problem
  PKPS      Yes                   Yes                   No
  ID-PS     No                    No                    Yes
  CL-PKPS   No                    No                    No

CERT_O: original signer's certificate. CERT_P: proxy signer's certificate.

Next, we evaluate the computational complexity of our certificateless public-key proxy signature scheme. We compare the efficiency of our scheme with that of other certificateless public-key proxy signature schemes.

Table 2 shows the performance of our scheme, Li et al.'s scheme [18] and the Choi–Lee scheme [6]. We count the numbers of three kinds of operations: pairing computation, point multiplication and modular multiplication. Among these operations, pairing computation is the most expensive one. Other operations, such as hash computation, point addition, etc., are much faster than pairing computation and point multiplication. Under the conditions in [16], the time complexity associated with the different operations can be roughly combined into multiplications, with $\mathrm{MUL} \approx \mathrm{PMUL}$.

From Table 2, the total computation time in our scheme is $7\,\mathrm{MUL} + 6\,\mathrm{PMUL} + 7\,\mathrm{PAIR}$. Obviously, compared with Li et al.'s scheme and the Choi–Lee scheme, which cost $9\,\mathrm{MUL} + 3\,\mathrm{PMUL} + 12\,\mathrm{PAIR}$ and $14\,\mathrm{MUL} + \mathrm{PMUL} + 7\,\mathrm{PAIR}$, respectively, our scheme is more efficient.

Moreover, Li et al.'s scheme is not secure against the proxy signature forgery attack. We prove the security of our scheme formally, whereas Li et al. and Choi–Lee did not provide a security model for their schemes; the lack of a formal security proof can lead to many attacks on their schemes. From the above comparison, we find that our proposed scheme is more efficient than the others.

6. Concluding remarks

In this paper, we have suggested an efficient certificateless proxy signature scheme which works on bilinear groups. Unlike traditional certificate-based approaches, our scheme needs neither the computing time to verify certificates nor the storage to manage them. Unlike ID-based approaches, our scheme avoids the key escrow problem. Furthermore, compared with all previous certificateless proxy signature schemes, our scheme is more efficient. We have also presented a formal security model for certificateless public-key proxy signature schemes and proved the security of the proposed scheme under the computational Diffie–Hellman problem in the random oracle model.

Appendix A. Proof of Theorem 2

For the proof of the theorem we show that CL-PKS is existentially unforgeable against both Type I and Type II adversaries, in the following Lemmas 1 and 2.

Table 2. Performance evaluation of Li et al.'s scheme, the Choi–Lee scheme and our scheme.

  Algorithm               Li et al.           Choi–Lee        Our scheme
  Set-Private/Public-Key  2PMUL, MUL          PMUL, 2MUL      PMUL, MUL
  Proxy-Desig             PMUL, MUL, PAIR     5MUL            PMUL, MUL
  Proxy-KeyGen            4MUL, 7PAIR         3MUL, 4PAIR     2PMUL, 2MUL, 3PAIR
  CL-P Sign               2MUL                3MUL            PMUL, 2MUL
  CL-PVrfy                MUL, 4PAIR          MUL, 3PAIR      PMUL, MUL, 4PAIR

PAIR: the time for one bilinear pairing computation. MUL: the time for one modular multiplication. PMUL: the time for one multiplication of a number and an elliptic curve point.

Lemma 1. Our certificateless signature scheme is existentially unforgeable against a Type I forger (in Game 1) in the random oracle model under the CDH assumption.

Proof. We reduce the security of the proposed scheme to the hardness of the CDH problem. $H_1$, $H_2$, and $H_3$ are modelled as random oracles. Let $\mathcal{F}_I$ be a Type I forger which has advantage $\epsilon$ in attacking our certificateless signature scheme CL-PKS. We construct a PPT algorithm $\mathcal{A}$ that solves the CDH problem in $G_1$ by using $\mathcal{F}_I$. Let $(P, X, Y)$ be a random instance of the CDH problem for $G_1$ given to $\mathcal{A}$. For convenience we write $X = aP$, $Y = bP \in G_1$. Without loss of generality, we assume that every extraction (ExtrPartSK, ReqPK, ExtrFullSK) and signature (CL-SIGN) query is preceded by an $H_1$ query, and that the CL-SIGN and ExtrFullSK queries are preceded by a ReqPK query. To avoid collisions and respond consistently to these queries, $\mathcal{A}$ maintains four lists $L_{H_1}$, $L_{H_2}$, $L_{H_3}$, and $L_K$, which are initially empty. The algorithm $\mathcal{A}$ first initializes the system parameters
$$params = \{e, G_1, G_2, q, P, P_{pub} = X, H_1, H_2, H_3\}$$
and gives $params$ to $\mathcal{F}_I$, and then starts the oracle simulation.

• $H_1$ query: Suppose $\mathcal{F}_I$ makes at most $q_{H_1}$ queries to the $H_1$ oracle. First, $\mathcal{A}$ chooses $\alpha \in [1, q_{H_1}]$ at random. When $\mathcal{F}_I$ makes an $H_1$ query on $ID_i$, where $1 \le i \le q_{H_1}$, if $i = \alpha$ (we let $ID_i = ID^*$ at this point), $\mathcal{A}$ returns $Y = bP$ and adds $\langle ID_i, Y, k_i = \bot \rangle$ to $L_{H_1}$. Otherwise $\mathcal{A}$ picks a random $k_i \in Z_q^*$, returns $Q_i = k_i P$, and adds $\langle ID_i, Q_i, k_i \rangle$ to $L_{H_1}$.
• ExtrPartSK($ID_i$) query: When $\mathcal{F}_I$ makes this query on $ID_i$, if $ID_i \ne ID^*$, $\mathcal{A}$ finds $\langle ID_i, Q_i, k_i \rangle$ in $L_{H_1}$ and returns $D_i = k_i X = k_i aP$. Otherwise $\mathcal{A}$ outputs FAIL and aborts the simulation.
• ReqPK($ID_i$) query: When $\mathcal{F}_I$ makes this query on $ID_i$, $\mathcal{A}$ picks a random $x_i \in Z_q^*$, returns $PK_i = x_i P$, and adds $\langle ID_i, x_i, PK_i \rangle$ to $L_K$.
• ExtrFullSK($ID_i$) query: When $\mathcal{F}_I$ makes this query on $ID_i$, if $ID_i \ne ID^*$, $\mathcal{A}$ finds $\langle ID_i, Q_i, k_i \rangle$ and $\langle ID_i, PK_i, x_i \rangle$ in $L_{H_1}$ and $L_K$, respectively, and returns $(x_i, D_i = k_i X)$. Otherwise $\mathcal{A}$ outputs FAIL and aborts the simulation.
• $H_2$ query: When $\mathcal{F}_I$ makes this query on $(PK_i, U_i)$, if the list $L_{H_2}$ contains $\langle PK_i, U_i, y_i \rangle$, $\mathcal{A}$ returns $y_i$. Otherwise $\mathcal{A}$ picks a random $y_i \in Z_q^*$, returns $y_i$, and adds $\langle PK_i, U_i, y_i \rangle$ to $L_{H_2}$.
• $H_3$ query: When $\mathcal{F}_I$ makes this query on $(m_i, ID_i, PK_i, U_i)$, if the list $L_{H_3}$ contains an entry $\langle m_i, ID_i, PK_i, U_i, Z_i, v_i \rangle$ (possibly with $v_i = \bot$), $\mathcal{A}$ returns $Z_i$. Otherwise $\mathcal{A}$ picks a random $v_i \in Z_q^*$, returns $Z_i = v_i P$, and adds $\langle m_i, ID_i, PK_i, U_i, Z_i, v_i \rangle$ to $L_{H_3}$.
• CL-SIGN($m_i$, $ID_i$) query: When $\mathcal{F}_I$ makes this query on $(m_i, ID_i)$, $\mathcal{A}$ finds $\langle ID_i, Q_i, k_i \rangle$ and $\langle ID_i, PK_i, x_i \rangle$ in $L_{H_1}$ and $L_K$, respectively. $\mathcal{A}$ picks random $r_i, t_i, y_i \in Z_q^*$ and computes $U_i = -t_i Q_i - y_i PK_i + r_i t_i P$ (where $Q_i = Y$ if $ID_i = ID^*$) and $Z_i = t_i^{-1} X = t_i^{-1} aP$ (if $Z_i$ turns out to have already been defined for $(m_i, ID_i, PK_i, U_i)$ in $L_{H_3}$, $\mathcal{A}$ outputs FAIL and aborts the simulation). $\mathcal{A}$ then computes $V_i = r_i X = r_i aP$ and returns $(U_i, V_i)$. $\mathcal{A}$ adds $\langle PK_i, U_i, y_i \rangle$ and $\langle m_i, ID_i, PK_i, U_i, Z_i, v_i = \bot \rangle$ to $L_{H_2}$ and $L_{H_3}$, respectively.

Eventually, $\mathcal{F}_I$ outputs a valid signature tuple $\{ID_t, PK_t, m_t, \sigma_t = (U_t, V_t)\}$ (we suppose that $\mathcal{F}_I$ has queried $H_3(m_t, ID_t, PK_t, U_t)$). If $ID_t \ne ID^*$, $\mathcal{A}$ outputs FAIL and aborts the simulation. Otherwise, $\mathcal{A}$ finds $\langle PK_t, U_t, y_t \rangle$ and $\langle m_t, ID_t, PK_t, U_t, v_t P, v_t \rangle$ in $L_{H_2}$ and $L_{H_3}$, respectively. $\mathcal{A}$ then computes $V_t - v_t U_t - y_t v_t PK_t = abP$. More concretely,
$$V_t = D_t + (r_t + y_t x_t)\, H_3(m_t, ID_t, PK_t, U_t) = D_t + (r_t + y_t x_t)\, v_t P = abP + v_t U_t + y_t v_t PK_t,$$
$$abP = V_t - v_t U_t - y_t v_t PK_t.$$
Note that $\mathcal{A}$ knows the values $v_t, y_t \in Z_q^*$. Therefore $\mathcal{A}$ can solve the CDH problem. We now calculate the advantage of $\mathcal{A}$. Suppose the advantage of $\mathcal{F}_I$ is $\epsilon$. Then
$$\Pr_{\mathcal{A}}[\text{CL-Vrfy}(ID_t, PK_t, m_t, \sigma_t) = 1] \ge \epsilon.$$
Since $H_3$ is a random oracle and $(r_i, t_i)$ is chosen independently at random, the probability that the simulation is aborted in a CL-SIGN query is negligible. Let $Succ$ be the event that $\mathcal{A}$ does not abort the simulation in the CL-SIGN queries. Suppose $\mathcal{F}_I$ makes at most $q_{H_3}$ and $q_S$ queries to the $H_3$ and CL-SIGN oracles, respectively. Then
$$\Pr_{\mathcal{A}}[Succ] \ge \left(1 - \frac{q_{H_3}}{q}\right)^{q_S}.$$
Since $\alpha$ is chosen independently at random, we have
$$\Pr_{\mathcal{A}}[ID_t = ID^* \mid ID_t = ID_i \text{ for some } i] \ge \frac{1}{q_{H_1}}.$$
Combining these, the advantage $\epsilon'$ of $\mathcal{A}$ is as follows:
$$\epsilon' = \Pr_{\mathcal{A}}[\text{CL-Vrfy}(ID_t, PK_t, m_t, \sigma_t) = 1 \wedge Succ \wedge ID_t = ID^*] \ge \epsilon \cdot \left(1 - \frac{q_{H_3}}{q}\right)^{q_S} \cdot \frac{1}{q_{H_1}}.$$
Therefore, if a Type I forger who can break our CL-PKS scheme exists, then an attacker who solves the CDH problem exists. □
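To make the reduction in the proof of Lemma 1 concrete, the following Python model (an added example, not code from the paper) replays the two computations that carry it: the CL-SIGN answer $\mathcal{A}$ gives for $ID^*$ without knowing the partial key $abP$, by programming $H_2$ and $H_3$ to the values $y_i$ and $Z_i = t_i^{-1}X$, and the final extraction $abP = V_t - v_t U_t - y_t v_t PK_t$ from a genuine forgery whose $H_3$ value was $v_t P$. It assumes a constructed toy bilinear group in which a point $aP$ is stored as the scalar $a$ modulo a prime $q$ and $e(aP, bP)$ is stored as the exponent $ab$, so discrete logarithms are trivial and only the algebra of the simulation is being checked; the random-oracle values are handed to the verifier directly instead of being hashed, and the `genuine_sign` helper, which uses $a$ and $b$, exists only to produce the forgery that the reduction receives from $\mathcal{F}_I$.

```python
import secrets

Q = 2**127 - 1   # prime group order (constructed choice)

# Toy bilinear group (constructed, NOT secure): a point aP of G1 is the scalar a mod Q,
# P = 1; e(aP, bP) = e(P,P)^(ab) is stored as the exponent ab, so G2 products are sums.
def add(a, b): return (a + b) % Q
def mul(k, a): return (k * a) % Q
def pair(a, b): return (a * b) % Q
def inv(k): return pow(k, -1, Q)
def rand_scalar(): return secrets.randbelow(Q - 1) + 1

def cl_verify(ppub, q_id, pk, sig, y, z):
    """CL-Vrfy with the oracle values fixed: H1(ID) = q_id, H2(PK, U) = y, H3(m, ID, PK, U) = z."""
    u, v = sig
    return pair(v, 1) == (pair(q_id, ppub) + pair(z, add(u, mul(y, pk)))) % Q

def simulate_sign(X, Y, pk):
    """A's CL-SIGN answer for ID* (P_pub = X = aP, H1(ID*) = Y = bP) using only X, Y and PK.
    Returns (U_i, V_i) and the values (y_i, Z_i) programmed into H2 and H3 for it."""
    r, t, y = rand_scalar(), rand_scalar(), rand_scalar()
    u = add(add(mul(-t, Y), mul(-y, pk)), mul(r * t, 1))   # U_i = -t Q_i - y PK_i + r t P
    z = mul(inv(t), X)                                      # Z_i = t^{-1} X  (so H3 = t^{-1} aP)
    v = mul(r, X)                                           # V_i = r X, no abP needed
    return (u, v), (y, z)

def extract_cdh(sig, pk, y_t, v_t):
    """From a genuine forgery under ID* whose H3 value was Z_t = v_t P, recover abP."""
    u, v = sig
    return (v - v_t * u - y_t * v_t * pk) % Q       # abP = V_t - v_t U_t - y_t v_t PK_t

def genuine_sign(a, b, x, r, y_t, v_t):
    """The real signer's (U, V) with D = abP and H3 = v_t P; demo-only, uses a and b."""
    return mul(r, 1), add(mul(a * b, 1), mul(r + y_t * x, mul(v_t, 1)))

def demo():
    a, b = rand_scalar(), rand_scalar()          # CDH instance (P, X = aP, Y = bP); a, b unknown to A
    X, Y = mul(a, 1), mul(b, 1)
    x = rand_scalar(); pk = mul(x, 1)            # target user's secret value x and PK = xP
    sig, (y, z) = simulate_sign(X, Y, pk)        # 1) the simulated signature passes CL-Vrfy
    sim_ok = cl_verify(X, Y, pk, sig, y, z)
    r, y_t, v_t = rand_scalar(), rand_scalar(), rand_scalar()
    forgery = genuine_sign(a, b, x, r, y_t, v_t) # 2) a genuine signature under ID* ...
    forgery_ok = cl_verify(X, Y, pk, forgery, y_t, mul(v_t, 1))
    recovered = extract_cdh(forgery, pk, y_t, v_t) == mul(a * b, 1)   # ... yields abP
    return sim_ok, forgery_ok, recovered
```

`demo()` returns `(True, True, True)`. The first value is the point of the simulation: because $H_3$ is programmed to $t_i^{-1}X$ and $U_i$ absorbs $-t_i Q_i$, the term $e(Q_i, X)$ from the partial key cancels against $e(Z_i, U_i)$ and the signature verifies although $\mathcal{A}$ never held $abP$. The abort condition of the proof corresponds to $(m_i, ID_i, PK_i, U_i)$ already having an $H_3$ entry; with $U_i$ depending on fresh $r_i, t_i$ that happens with probability about $q_{H_3}/q$ per query, which is the factor in the $\Pr[Succ]$ bound.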

Lemma 2. Let the cryptographic hash functions $H_1$, $H_2$ and $H_3$ be random oracles. Suppose there exists a Type II forger $\mathcal{F}_{II}$ (in Game 2) for an adaptively chosen message and ID attack on our CL-PKS scheme which queries ReqPK, $H_2$ and CL-SIGN at most $q_{PK}$, $q_{H_2}$ and $q_S$ times, respectively, and has running time $t$ and advantage $\epsilon \ge 10\, q_{PK} (q_S + 1)(q_S + q_{H_2}) / q$. Then there exists an attacker $\mathcal{A}$ that can solve the CDH problem within expected time $t' \le 120686\, q_{H_2} q_{PK}\, t / \epsilon$.

Proof. We reduce the security of the proposed scheme to the hardness of the CDH problem. $H_1$, $H_2$ and $H_3$ are modelled as random oracles. We construct a PPT algorithm $\mathcal{A}$ that solves the CDH problem in $G_1$ by using the adversary $\mathcal{F}_{II}$. Let $(P, X, Y)$ be a random instance of the CDH problem for $G_1$ given to $\mathcal{A}$. For convenience we write $X = aP$, $Y = bP \in G_1$. Without loss of generality, we assume that every extraction (ReqPK, ExtrFullSK) and signature (CL-SIGN) query is preceded by an $H_1$ query, and that the CL-SIGN and ExtrFullSK queries are preceded by a ReqPK query. To avoid collisions and respond consistently to these queries, $\mathcal{A}$ maintains four lists $L_{H_1}$, $L_{H_2}$, $L_{H_3}$, and $L_K$, which are initially empty. The algorithm $\mathcal{A}$ picks a random $s \in Z_q^*$, sets master-key $= s$, and initializes the system parameters
$$params = \{e, G_1, G_2, q, P, P_{pub} = sP, H_1, H_2, H_3\}$$
and gives $params$ and the master-key $s$ to $\mathcal{F}_{II}$, and then starts the oracle simulation.

• $H_1$ query: When $\mathcal{F}_{II}$ makes an $H_1$ query on $ID_i$, $\mathcal{A}$ picks a random $k_i \in Z_q^*$, returns $Q_i = k_i P$, and adds $\langle ID_i, Q_i, k_i \rangle$ to $L_{H_1}$.
• ReqPK($ID_i$) query: Suppose $\mathcal{F}_{II}$ makes at most $q_{PK}$ queries to the ReqPK oracle. First, $\mathcal{A}$ chooses $\alpha \in [1, q_{PK}]$ at random. When $\mathcal{F}_{II}$ makes a ReqPK query on $ID_i$, where $1 \le i \le q_{PK}$, if $i = \alpha$ (we let $ID_i = ID^*$ at this point), $\mathcal{A}$ returns $PK_i = X = aP$. Otherwise $\mathcal{A}$ picks a random $x_i \in Z_q^*$, returns $PK_i = x_i P$, and adds $\langle ID_i, x_i, PK_i \rangle$ to $L_K$.
• ExtrFullSK($ID_i$) query: When $\mathcal{F}_{II}$ makes this query on $ID_i$, if $ID_i \ne ID^*$, $\mathcal{A}$ finds $\langle ID_i, Q_i, k_i \rangle$ and $\langle ID_i, PK_i, x_i \rangle$ in $L_{H_1}$ and $L_K$, respectively, and returns $(x_i, D_i = k_i sP)$. Otherwise $\mathcal{A}$ outputs FAIL and aborts the simulation.
• $H_2$ query: When $\mathcal{F}_{II}$ makes this query on $(PK_i, U_i)$, if the list $L_{H_2}$ contains $\langle PK_i, U_i, y_i \rangle$, $\mathcal{A}$ returns $y_i$. Otherwise $\mathcal{A}$ picks a random $y_i \in Z_q^*$, returns $y_i$, and adds $\langle PK_i, U_i, y_i \rangle$ to $L_{H_2}$.
• $H_3$ query: When $\mathcal{F}_{II}$ makes this query on $(m_i, ID_i, PK_i, U_i)$, if the list $L_{H_3}$ contains $\langle m_i, ID_i, PK_i, U_i, Z_i, v_i \rangle$, $\mathcal{A}$ returns $Z_i$. Otherwise $\mathcal{A}$ picks a random $v_i \in Z_q^*$, returns $Z_i = v_i bP$, and adds $\langle m_i, ID_i, PK_i, U_i, Z_i, v_i \rangle$ to $L_{H_3}$.
• CL-SIGN($m_i$, $ID_i$) query: When $\mathcal{F}_{II}$ makes this query on $(m_i, ID_i)$, $\mathcal{A}$ finds $\langle ID_i, Q_i, k_i \rangle$ and $\langle ID_i, PK_i, x_i \rangle$ in $L_{H_1}$ and $L_K$, respectively, and picks random $r_i, y_i, v_i \in Z_q^*$. $\mathcal{A}$ then computes $Z_i = v_i Y$, $U_i = -y_i PK_i + r_i P$ and $V_i = D_i + r_i Z_i = k_i sP + r_i v_i bP$, and returns $(U_i, V_i)$. $\mathcal{A}$ adds $\langle PK_i, U_i, y_i \rangle$ and $\langle m_i, ID_i, PK_i, U_i, Z_i, v_i \rangle$ to $L_{H_2}$ and $L_{H_3}$, respectively.

Eventually, $\mathcal{F}_{II}$ outputs a valid signature tuple $\{ID_t, PK_t, m_t, \sigma_t = (U_t, V_t)\}$. If $ID_t \ne ID^*$, $\mathcal{A}$ outputs FAIL and aborts the simulation. Otherwise, by replaying $\mathcal{A}$ with the same random tape but different choices of $H_2$, as in the forking lemma [22], $\mathcal{A}$ obtains two valid tuples $\{ID_t, PK_t, m_t, y_t, \sigma_t = (U_t, V_t)\}$ and $\{ID_t, PK_t, m_t, y'_t, \sigma'_t = (U_t, V'_t)\}$ such that $y_t \ne y'_t$. If both outputs are the expected ones, $\mathcal{A}$ finds $v_t$ in $L_{H_3}$ and $(y_t, y'_t)$ in $L_{H_2}$. $\mathcal{A}$ then computes
$$\frac{V_t - V'_t}{v_t\,(y_t - y'_t)} = abP.$$
Note that $\mathcal{A}$ knows the values $v_t, y_t, y'_t \in Z_q^*$. Therefore $\mathcal{A}$ can solve the CDH problem. Since $\alpha$ is chosen independently at random, we have
$$\Pr_{\mathcal{A}}[ID_t = ID^* \mid ID_t = ID_i \text{ for some } i] \ge \frac{1}{q_{PK}}.$$
The total running time $t'$ of $\mathcal{A}$ is equal to the running time given by the forking lemma (Theorem 3 of [22]), which is bounded by $120686\, q_{H_2} q_{PK}\, t / \epsilon$, as desired. Therefore, if a Type II forger who can break our CL-PKS scheme exists, then an attacker who solves the CDH problem exists. □

Appendix B. Proof of Theorem 4

For the proof of the theorem we have to show that CL-PKPS is existentially unforgeable against Type I and Type II adversaries in the five games defined in Section 3. Since our CL-PKPS uses CL-PKS as its underlying certificateless signature scheme, and we have already proved the security of CL-PKS against the attacks modelled by Game 1 and Game 2, we only need to prove that CL-PKPS is secure against the attacks modelled by Games 3, 4 and 5, which we do in Lemmas 3–5, respectively.

Lemma 3. Our certificateless public-key proxy signature scheme is existentially unforgeable against a Type I forger (in Game 3) in the random oracle model under the CDH assumption.

Proof. We reduce the security of the proposed scheme to the hardness of the CDH problem. $H_1$, $H_{2,0}$, $H_{2,1}$, $H_{3,0}$, and $H_{3,1}$ are modelled as random oracles. Let $\mathcal{F}_I$ be a Type I forger which has advantage $\epsilon$ in attacking our certificateless proxy signature scheme CL-PKPS. We construct a PPT algorithm $\mathcal{A}$ that solves the CDH problem in $G_1$ by using $\mathcal{F}_I$. Let $(P, X, Y)$ be a random instance of the CDH problem for $G_1$ given to $\mathcal{A}$. For convenience we write $X = aP$, $Y = bP \in G_1$. Without loss of generality, we assume that every extraction (ExtrPartSK, ReqPK, ExtrFullSK) and signature (CL-SIGN, CL-ProxySIGN) query is preceded by an $H_1$ query, and that the CL-SIGN, CL-ProxySIGN and ExtrFullSK queries are preceded by a ReqPK query. To avoid collisions and respond consistently to these queries, $\mathcal{A}$ maintains six lists $L_{H_1}$, $L_{H_{2,0}}$, $L_{H_{2,1}}$, $L_{H_{3,0}}$, $L_{H_{3,1}}$ and $L_K$, which are initially empty. The algorithm $\mathcal{A}$ first initializes the system parameters
$$params = \{e, G_1, G_2, q, P, P_{pub} = X, H_1, H_{2,0}, H_{2,1}, H_{3,0}, H_{3,1}\}$$
and gives $params$ to $\mathcal{F}_I$, and then starts the oracle simulation.

• $H_1$ query: Suppose $\mathcal{F}_I$ makes at most $q_{H_1}$ queries to the $H_1$ oracle. First, $\mathcal{A}$ chooses $\alpha \in [1, q_{H_1}]$ at random. When $\mathcal{F}_I$ makes an $H_1$ query on $ID_i$, where $1 \le i \le q_{H_1}$, if $i = \alpha$ (we let $ID_i = ID^*$ at this point), $\mathcal{A}$ returns $Y = bP$ and adds $\langle ID_i, Y, k_i = \bot \rangle$ to $L_{H_1}$. Otherwise $\mathcal{A}$ picks a random $k_i \in Z_q^*$, returns $Q_i = k_i P$, and adds $\langle ID_i, Q_i, k_i \rangle$ to $L_{H_1}$.
• ExtrPartSK($ID_i$) query: When $\mathcal{F}_I$ makes this query on $ID_i$, if $ID_i \ne ID^*$, $\mathcal{A}$ finds $\langle ID_i, Q_i, k_i \rangle$ in $L_{H_1}$ and returns $D_i = k_i X = k_i aP$. Otherwise $\mathcal{A}$ outputs FAIL and aborts the simulation.
• ReqPK($ID_i$) query: When $\mathcal{F}_I$ makes this query on $ID_i$, $\mathcal{A}$ picks a random $x_i \in Z_q^*$, returns $PK_i = x_i P$, and adds $\langle ID_i, x_i, PK_i \rangle$ to $L_K$.
• ExtrFullSK($ID_i$) query: When $\mathcal{F}_I$ makes this query on $ID_i$, if $ID_i \ne ID^*$, $\mathcal{A}$ finds $\langle ID_i, Q_i, k_i \rangle$ and $\langle ID_i, PK_i, x_i \rangle$ in $L_{H_1}$ and $L_K$, respectively, and returns $(x_i, D_i = k_i X)$. Otherwise $\mathcal{A}$ outputs FAIL and aborts the simulation.
• $H_{2,0}$ query: When $\mathcal{F}_I$ makes this query on $(PK_i, U_i)$, if the list $L_{H_{2,0}}$ contains $\langle PK_i, U_i, y_i \rangle$, $\mathcal{A}$ returns $y_i$. Otherwise $\mathcal{A}$ picks a random $y_i \in Z_q^*$, returns $y_i$, and adds $\langle PK_i, U_i, y_i \rangle$ to $L_{H_{2,0}}$.
• $H_{3,0}$ query: When $\mathcal{F}_I$ makes this query on $(m_i, ID_i, PK_i, U_i)$, if the list $L_{H_{3,0}}$ contains an entry $\langle m_i, ID_i, PK_i, U_i, Z_i, v_i \rangle$ (possibly with $v_i = \bot$), $\mathcal{A}$ returns $Z_i$. Otherwise $\mathcal{A}$ picks a random $v_i \in Z_q^*$, returns $Z_i = v_i P$, and adds $\langle m_i, ID_i, PK_i, U_i, Z_i, v_i \rangle$ to $L_{H_{3,0}}$.
• CL-SIGN($m_i$, $ID_i$) query: When $\mathcal{F}_I$ makes this query on $(m_i, ID_i)$, $\mathcal{A}$ finds $\langle ID_i, Q_i, k_i \rangle$ and $\langle ID_i, PK_i, x_i \rangle$ in $L_{H_1}$ and $L_K$, respectively, and picks random $r_i, t_i, y_i \in Z_q^*$. $\mathcal{A}$ then computes $U_i = -t_i Q_i - y_i PK_i + r_i t_i P$ (where $Q_i = Y$ if $ID_i = ID^*$) and $Z_i = t_i^{-1} X = t_i^{-1} aP$ (if $Z_i$ turns out to have already been defined for $(m_i, ID_i, PK_i, U_i)$ in $L_{H_{3,0}}$, $\mathcal{A}$ outputs FAIL and aborts the simulation). $\mathcal{A}$ then computes $V_i = r_i X = r_i aP$ and returns $(U_i, V_i)$. $\mathcal{A}$ adds $\langle PK_i, U_i, y_i \rangle$ and $\langle m_i, ID_i, PK_i, U_i, Z_i, v_i = \bot \rangle$ to $L_{H_{2,0}}$ and $L_{H_{3,0}}$, respectively.
• Designation($ID_i$, $ID_j$) query: When $\mathcal{F}_I$ makes this query on $(ID_i, ID_j \ne ID_i)$, $\mathcal{A}$ performs the above CL-SIGN query on $(m_\omega, ID_i)$ and obtains $(U_i, V_i)$.
• $H_{2,1}$ query: When $\mathcal{F}_I$ makes this query on $(PK_j, U_i, U_j)$, if the list $L_{H_{2,1}}$ contains $\langle PK_j, U_i, U_j, y_j \rangle$, $\mathcal{A}$ returns $y_j$. Otherwise $\mathcal{A}$ picks a random $y_j \in Z_q^*$, returns $y_j$, and adds $\langle PK_j, U_i, U_j, y_j \rangle$ to $L_{H_{2,1}}$.
• $H_{3,1}$ query: When $\mathcal{F}_I$ makes this query on $(m_j, ID_j, PK_j, U_i, U_j)$, if the list $L_{H_{3,1}}$ contains an entry $\langle m_j, ID_j, PK_j, U_i, U_j, T_j, w_j \rangle$ (possibly with $w_j = \bot$), $\mathcal{A}$ returns $T_j$. Otherwise $\mathcal{A}$ picks a random $w_j \in Z_q^*$, returns $T_j = w_j P$, and adds $\langle m_j, ID_j, PK_j, U_i, U_j, T_j, w_j \rangle$ to $L_{H_{3,1}}$.
• CL-ProxySIGN($m_j$, $ID_i$, $ID_j$) query: When $\mathcal{F}_I$ makes this query on $(m_j, ID_i, ID_j \ne ID_i)$, $\mathcal{A}$ obtains $(U_i, V_i)$ from the above Designation($ID_i$, $ID_j$) query and picks random $r_j, t_j, y_j \in Z_q^*$. $\mathcal{A}$ then computes $U_j = -t_j Q_j - y_j PK_j + r_j t_j P$ (where $Q_j = Y$ if $ID_j = ID^*$) and $T_j = t_j^{-1} X = t_j^{-1} aP$ (if $T_j$ turns out to have already been defined for $(m_j, ID_j, PK_j, U_i, U_j)$ in $L_{H_{3,1}}$, $\mathcal{A}$ outputs FAIL and aborts the simulation). Finally, $\mathcal{A}$ computes $V_j = V_i + r_j X = V_i + r_j aP$ and returns $(U_i, U_j, V_j)$. $\mathcal{A}$ then adds $\langle PK_j, U_i, U_j, y_j \rangle$ and $\langle m_j, ID_j, PK_j, U_i, U_j, T_j, w_j = \bot \rangle$ to $L_{H_{2,1}}$ and $L_{H_{3,1}}$, respectively.

Eventually, $\mathcal{F}_I$ outputs a valid proxy signature tuple $\{ID_o, PK_o, ID_t, PK_t, m_t, \sigma_t = (U_o, U_t, V_t)\}$ (we suppose that $\mathcal{F}_I$ has made the two queries $H_{3,0}(m_\omega, ID_o, PK_o, U_o)$ and $H_{3,1}(m_t, ID_t, PK_t, U_o, U_t)$). If $ID_t \ne ID^*$, $\mathcal{A}$ outputs FAIL and aborts the simulation. Otherwise, $\mathcal{A}$ computes $V_t - V_o - w_t U_t - y_t w_t PK_t = abP$. More concretely,
$$\begin{aligned}
V_t &= V_o + D_t + (r_t + y_t x_t)\, H_{3,1}(m_t, ID_t, PK_t, U_o, U_t) \\
&= D_o + (r_o + y_o x_o)\, H_{3,0}(m_\omega, ID_o, PK_o, U_o) + D_t + (r_t + y_t x_t)\, H_{3,1}(m_t, ID_t, PK_t, U_o, U_t) \\
&= D_o + (r_o + y_o x_o)\, v_o P + D_t + (r_t + y_t x_t)\, w_t P \\
&= k_o X + v_o U_o + y_o v_o PK_o + abP + w_t U_t + y_t w_t PK_t,
\end{aligned}$$
$$abP = V_t - k_o X - v_o U_o - y_o v_o PK_o - w_t U_t - y_t w_t PK_t.$$
Note that $\mathcal{A}$ knows the values $k_o, v_o, y_o, w_t, y_t \in Z_q^*$. Therefore $\mathcal{A}$ can solve the CDH problem. We now calculate the advantage of $\mathcal{A}$. Suppose the advantage of $\mathcal{F}_I$ is $\epsilon$. Then
$$\Pr_{\mathcal{A}}[\text{CL-Vrfy}(ID_t, PK_t, m_t, \sigma_t) = 1] \ge \epsilon.$$
Since $H_{3,0}$ is a random oracle and $(r_i, t_i)$ is chosen independently at random, the probability that the simulation is aborted in a CL-SIGN query is negligible. Let $Succ_1$ be the event that $\mathcal{A}$ does not abort the simulation in the CL-SIGN queries. Suppose $\mathcal{F}_I$ makes at most $q_{H_{3,0}}$ and $q_S$ queries to the $H_{3,0}$ and CL-SIGN oracles, respectively. Then
$$\Pr_{\mathcal{A}}[Succ_1] \ge \left(1 - \frac{q_{H_{3,0}}}{q}\right)^{q_S}.$$
Similarly, the probability that the simulation is aborted in a CL-ProxySIGN query is negligible. Let $Succ_2$ be the event that $\mathcal{A}$ does not abort the simulation in the CL-ProxySIGN queries. Suppose $\mathcal{F}_I$ makes at most $q_{H_{3,1}}$ and $q_{PS}$ queries to the $H_{3,1}$ and CL-ProxySIGN oracles, respectively. Then
$$\Pr_{\mathcal{A}}[Succ_2] \ge \left(1 - \frac{q_{H_{3,1}}}{q^2}\right)^{q_{PS}}.$$
Since $\alpha$ is chosen independently at random, we have
$$\Pr_{\mathcal{A}}[ID_t = ID^* \mid ID_t = ID_i \text{ for some } i] \ge \frac{1}{q_{H_1}}.$$
Combining these, the advantage $\epsilon'$ of $\mathcal{A}$ is as follows:
$$\epsilon' = \Pr_{\mathcal{A}}[\text{CL-Vrfy}(ID_t, PK_t, m_t, \sigma_t) = 1 \wedge Succ_1 \wedge Succ_2 \wedge ID_t = ID^*] \ge \epsilon \cdot \left(1 - \frac{q_{H_{3,0}}}{q}\right)^{q_S} \cdot \left(1 - \frac{q_{H_{3,1}}}{q^2}\right)^{q_{PS}} \cdot \frac{1}{q_{H_1}}.$$
Therefore, if a Type I forger who can break our CL-PKPS scheme exists, then an attacker who solves the CDH problem exists. □

Lemma 4. Our certificateless public-key proxy signature scheme is existentially unforgeable against Type I forger (in Game 4) inrandom oracle model under the CDH assumption.

Proof. We reduce the security of the proposed scheme to the hardness of the CDH problem. H1, H2,0, H2,1, H3,0, and H3,1 areconsidered as random oracles. Let F I be a Type-I forger which has advantage in attacking our certificateless proxy signaturescheme CL-PKPS. We construct a PPT algorithmA to solve the CDH problem in G1 by using the F I algorithm. Let (P,X,Y) be arandom instance of the CDH problem for G1 given to A. For convenience we write X ¼ aP; Y ¼ bP 2 G1. Without loss of gen-erality, we assume that any extraction (ExtrPartSK,ReqPK,ExtrFullSK) and signature (CL-SIGN,CL-ProxySIGN) que-ries are preceded by H1 query, and the CL-SIGN, CL-ProxySIGN and ExtrFullSK queries are preceded by ReqPK query.To avoid collision and consistently respond to these queries, A maintains six lists LH1 ; LH2;0 ; LH2;1 ; LH3;0 ; LH3;1 and LK which areinitially empty. The algorithm A first initializes system parameters

params ¼ fe;G1;G2; q; P; Ppub ¼ X;H1;H2;H3;0;H3;1g

and gives params to F I , and then starts performing oracle simulation.

� H1 query: Suppose F I makes at most qH1queries to H1 oracle. First, A chooses a 2 ½1; qH1

� randomly. When F I makes an H1

query on IDi where 1 6 i 6 qH1, if i = a (we let IDi = ID⁄ at this point), A returns Y = bP and adds hIDi,Y,ki = \i to LH1 . Other-

wise A picks a random ki 2 Z�q and returns Qi = kiP, and adds hIDi,Qi,kii to LH1 .� ExtrPartSK(IDi) query: When F I makes this query on IDi, if IDi – ID�;A finds hIDi,Qi,kii in LH1 and returns Di = kiX = kiaP.

Otherwise A outputs FAIL and aborts the simulation.

• ReqPK(ID_i) query: When F_I makes this query on ID_i, A picks a random x_i ∈ Z_q^* and returns PK_i = x_iP, and adds ⟨ID_i, x_i, PK_i⟩ to L_K.

• ExtrFullSK(ID_i) query: When F_I makes this query on ID_i, if ID_i ≠ ID*, A finds ⟨ID_i, Q_i, k_i⟩ and ⟨ID_i, PK_i, x_i⟩ in L_{H_1} and L_K, respectively. A returns (x_i, D_i = k_iX). Otherwise A outputs FAIL and aborts the simulation.

• H_{2,0} query: When F_I makes this query on (PK_i, U_i), if the list L_{H_{2,0}} contains ⟨PK_i, U_i, y_i⟩, A returns y_i. Otherwise, A picks a random y_i ∈ Z_q^* and returns y_i, and adds ⟨PK_i, U_i, y_i⟩ to L_{H_{2,0}}.

• H_{3,0} query: When F_I makes this query on (m_i, ID_i, PK_i, U_i), if the list L_{H_{3,0}} contains ⟨m_i, ID_i, PK_i, U_i, Z_i, v_i = ⊥⟩, A returns Z_i. Otherwise A picks a random v_i ∈ Z_q^* and returns Z_i = v_iP, and adds ⟨m_i, ID_i, PK_i, U_i, Z_i, v_i⟩ to L_{H_{3,0}}.

• CL-SIGN(m_i, ID_i) query: When F_I makes this query on (m_i, ID_i), A finds ⟨ID_i, Q_i, k_i⟩ and ⟨ID_i, PK_i, x_i⟩ in L_{H_1} and L_K, respectively. A then computes U_i = −t_iQ_i − y_iPK_i + r_it_iP (if ID_i = ID*, Q_i = Y) and Z_i = t_i^{−1}X = t_i^{−1}aP (if Z_i turns out to have already been defined for (m_i, ID_i, PK_i, U_i) in L_{H_{3,0}}, A outputs FAIL and aborts the simulation). A then computes V_i = r_iX = r_iaP and returns (U_i, V_i). A adds ⟨PK_i, U_i, y_i⟩ and ⟨m_i, ID_i, PK_i, U_i, Z_i, v_i = ⊥⟩ to L_{H_{2,0}} and L_{H_{3,0}}, respectively.

• Designation(ID_i, ID_j) query: When F_I makes this query on (ID_i, ID_j ≠ ID_i), A performs the above CL-SIGN query on (m_w, ID_i), and obtains (U_i, V_i).

• H_{2,1} query: When F_I makes this query on (PK_j, U_i, U_j), if the list L_{H_{2,1}} contains ⟨PK_j, U_i, U_j, y_j⟩, A returns y_j. Otherwise, A picks a random y_j ∈ Z_q^* and returns y_j, and adds ⟨PK_j, U_i, U_j, y_j⟩ to L_{H_{2,1}}.

• H_{3,1} query: When F_I makes this query on (m_j, ID_j, PK_j, U_i, U_j), if the list L_{H_{3,1}} contains ⟨m_j, ID_j, PK_j, U_i, U_j, T_j, w_j = ⊥⟩, A returns T_j. Otherwise A picks a random w_j ∈ Z_q^* and returns T_j = w_jP, and adds ⟨m_j, ID_j, PK_j, U_i, U_j, T_j, w_j⟩ to L_{H_{3,1}}.

• CL-ProxySIGN(m_j, ID_i, ID_j) query: When F_I makes this query on (m_j, ID_i, ID_j ≠ ID_i), A obtains (U_i, V_i) from the above Designation(ID_i, ID_j) query, and picks random r_j, t_j, y_j ∈ Z_q^*. A then computes U_j = −t_jQ_j − y_jPK_j + r_jt_jP (if ID_j = ID*, Q_j = Y) and T_j = t_j^{−1}X = t_j^{−1}aP (if T_j turns out to have already been defined for (m_j, ID_j, PK_j, U_i, U_j) in L_{H_{3,1}}, A outputs FAIL and aborts the simulation). Finally, A computes V_j = V_i + r_jX = V_i + r_jaP, and returns (U_i, U_j, V_j). A then adds ⟨PK_j, U_i, U_j, y_j⟩ and ⟨m_j, ID_j, PK_j, U_i, U_j, T_j, w_j = ⊥⟩ to L_{H_{2,1}} and L_{H_{3,1}}, respectively.

Eventually, F_I outputs a valid proxy signature tuple {ID_o, PK_o, ID_t, PK_t, m_t, σ_t = (U_o, U_t, V_t)}. If ID_t ≠ ID*, A outputs FAIL and aborts the simulation. Otherwise, in case of ID_t = ID_o = ID*, A computes 1/2 (V_t − V_o − w_oU'_o − y'_ow_oPK_o) = abP. More concretely,

$$
\begin{aligned}
V_t &= V_o + D_o + (r'_o + y'_o x_o)\,H_{3,1}(m_o, ID_o, PK_o, U_o, U'_o)\\
&= D_o + (r_o + y_o x_o)\,H_{3,0}(m_w, ID_o, PK_o, U_o) + D_o + (r'_o + y'_o x_o)\,H_{3,1}(m_o, ID_o, PK_o, U_o, U'_o)\\
&= D_o + (r_o + y_o x_o)\,v_o P + D_o + (r'_o + y'_o x_o)\,w_o P\\
&= abP + v_o U_o + y_o v_o PK_o + abP + w_o U'_o + y'_o w_o PK_o,\\
abP &= \tfrac{1}{2}\bigl(V_t - v_o U_o - y_o v_o PK_o - w_o U'_o - y'_o w_o PK_o\bigr).
\end{aligned}
$$

Note that A has known the values v_o, y_o, y'_o, w_o ∈ Z_q^*. Therefore, A can solve the CDH problem.

In case of ID_t ≠ ID_o and ID_t = ID*, A computes V_t − V_o − w_tU_t − y_tw_tPK_t = abP. More concretely,

$$
\begin{aligned}
V_t &= V_o + D_t + (r_t + y_t x_t)\,H_{3,1}(m_t, ID_t, PK_t, U_o, U_t)\\
&= D_o + (r_o + y_o x_o)\,H_{3,0}(m_w, ID_o, PK_o, U_o) + D_t + (r_t + y_t x_t)\,H_{3,1}(m_t, ID_t, PK_t, U_o, U_t)\\
&= D_o + (r_o + y_o x_o)\,v_o P + D_t + (r_t + y_t x_t)\,w_t P\\
&= k_o X + v_o U_o + y_o v_o PK_o + abP + w_t U_t + y_t w_t PK_t,\\
abP &= V_t - k_o X - v_o U_o - y_o v_o PK_o - w_t U_t - y_t w_t PK_t.
\end{aligned}
$$

Note that A has known the values k_o, v_o, y_o, w_t, y_t ∈ Z_q^*. Therefore, A can solve the CDH problem. The advantage ε' of A is identical with that in the proof of Lemma 3:

$$
\varepsilon' = \Pr_A\bigl[\text{CL-Vrfy}(ID_t, PK_t, m_t, \sigma_t) = 1 \wedge \text{Succ}_1 \wedge \text{Succ}_2 \wedge ID_t = ID^*\bigr]
\ge \varepsilon \cdot \Bigl(1 - \frac{q_{H_{3,0}}}{q}\Bigr)^{q_S} \cdot \Bigl(1 - \frac{q_{H_{3,1}}}{q^2}\Bigr)^{q_{PS}} \cdot \frac{1}{q_{H_1}}.
$$

Therefore, if a Type I forger who can break our CLPK-PS scheme exists, then an attacker who solves the CDH problem exists. □

Lemma 5. Let the cryptographic hash functions H_1, H_2, H_{3,0} and H_{3,1} be random oracles. Suppose there exists a Type II forger F_II (in Game 5) for an adaptively chosen message and ID attack to our certificateless public-key proxy signature scheme which queries ReqPK, H_2, Designation, CL-SIGN and CL-ProxySIGN at most q_PK, q_{H_2}, q_d, q_s and q_ps times, respectively, and has running time t and advantage ε ≥ 10 q_PK (q_S + 1)(q_S + q_{H_2})/q, where q_S = q_d + q_s + q_ps. Then there exists an attacker A that can solve the CDH problem within expected time t' ≤ 120686 q_{H_2} q_PK t/ε.

Proof. We reduce the security of the proposed scheme to the hardness of the CDH problem. H_1, H_2 and H_3 are considered as random oracles. We construct a PPT algorithm A to solve the CDH problem in G_1 by using the F_II algorithm. Let (P, X, Y) be a random instance of the CDH problem for G_1 given to A. For convenience we write X = aP, Y = bP ∈ G_1. Without loss of generality, we assume that any extraction (ReqPK, ExtrFullSK) and signature (CL-SIGN, CL-ProxySIGN) queries are preceded by an H_1 query, and the CL-SIGN, CL-ProxySIGN and ExtrFullSK queries are preceded by a ReqPK query. To avoid collision and consistently respond to these queries, A maintains six lists L_{H_1}, L_{H_{2,0}}, L_{H_{2,1}}, L_{H_{3,0}}, L_{H_{3,1}}, and L_K which are initially empty. The algorithm A picks a random s ∈ Z_q^* and sets master-key = s, and initializes system parameters

$$
params = \{e, G_1, G_2, q, P, P_{pub} = sP, H_1, H_2, H_{3,0}, H_{3,1}\}
$$

and gives params and the master secret key s to F_II, and then starts performing oracle simulation.

• H_1 query: When F_II makes an H_1 query on ID_i, A picks a random k_i ∈ Z_q^* and returns Q_i = k_iP, and adds ⟨ID_i, Q_i, k_i⟩ to L_{H_1}.

• ReqPK(ID_i) query: Suppose F_II makes at most q_PK queries to the ReqPK oracle. First, A chooses a ∈ [1, q_PK] randomly. When F_II makes a ReqPK query on ID_i where 1 ≤ i ≤ q_PK, if i = a (we let ID_i = ID* at this point), A returns PK_i = X = aP. Otherwise A picks a random x_i ∈ Z_q^* and returns PK_i = x_iP, and adds ⟨ID_i, x_i, PK_i⟩ to L_K.

• ExtrFullSK(ID_i) query: When F_II makes this query on ID_i, if ID_i ≠ ID*, A finds ⟨ID_i, Q_i, k_i⟩ and ⟨ID_i, PK_i, x_i⟩ in L_{H_1} and L_K, respectively. A returns (x_i, D_i = k_isP). Otherwise A outputs FAIL and aborts the simulation.

• H_{2,0} query: When F_II makes this query on (PK_i, U_i), if the list L_{H_{2,0}} contains ⟨PK_i, U_i, y_i⟩, A returns y_i. Otherwise, A picks a random y_i ∈ Z_q^* and returns y_i, and adds ⟨PK_i, U_i, y_i⟩ to L_{H_{2,0}}.

• H_{3,0} query: When F_II makes this query on (m_i, ID_i, PK_i, U_i), if the list L_{H_{3,0}} contains ⟨m_i, ID_i, PK_i, U_i, Z_i, v_i⟩, A returns Z_i. Otherwise A picks a random v_i ∈ Z_q^* and returns Z_i = v_ibP, and adds ⟨m_i, ID_i, PK_i, U_i, Z_i, v_i⟩ to L_{H_{3,0}}.

• CL-SIGN(m_i, ID_i) query: When F_II makes this query on (m_i, ID_i), A finds ⟨ID_i, PK_i, x_i⟩ in L_K and picks random r_i, y_i, v_i ∈ Z_q^*. A then computes Z_i = v_iY, U_i = −y_iPK_i + r_iP and V_i = D_i + r_iZ_i = k_isP + r_iv_ibP, and returns (U_i, V_i). A adds ⟨PK_i, U_i, y_i⟩ and ⟨m_i, ID_i, PK_i, U_i, Z_i, v_i⟩ to L_{H_{2,0}} and L_{H_{3,0}}, respectively.

• Designation(ID_i, ID_j) query: When F_II makes this query on (ID_i, ID_j), A performs the above CL-SIGN query on (m_w, ID_i), and obtains (U_i, V_i).

• H_{2,1} query: When F_II makes this query on (PK_j, U_i, U_j), if the list L_{H_{2,1}} contains ⟨PK_j, U_i, U_j, y_j⟩, A returns y_j. Otherwise, A picks a random y_j ∈ Z_q^* and returns y_j, and adds ⟨PK_j, U_i, U_j, y_j⟩ to L_{H_{2,1}}.

• H_{3,1} query: When F_II makes this query on (m_j, ID_j, PK_j, U_i, U_j), if the list L_{H_{3,1}} contains ⟨m_j, ID_j, PK_j, U_i, U_j, T_j, w_j⟩, A returns T_j. Otherwise A picks a random w_j ∈ Z_q^* and returns T_j = w_jY = w_jbP, and adds ⟨m_j, ID_j, PK_j, U_i, U_j, T_j, w_j⟩ to L_{H_{3,1}}.

• CL-ProxySIGN(m_i, ID_i, ID_j) query: When F_II makes this query on (m_i, ID_i, ID_j), A obtains (U_i, V_i) from the above Designation(ID_i, ID_j) query, and picks random r_j, w_j, y_j ∈ Z_q^*. A then computes U_j = −y_jPK_j + r_jP and T_j = w_jY = w_jbP. Finally, A computes V_j = V_i + D_j + r_jT_j = V_i + D_j + r_jw_jbP, and returns (U_i, U_j, V_j). A then adds ⟨PK_j, U_i, U_j, y_j⟩ and ⟨m_j, ID_j, PK_j, U_i, U_j, T_j, w_j⟩ to L_{H_{2,1}} and L_{H_{3,1}}, respectively.


Eventually, F_II outputs a valid proxy signature tuple {ID_o, PK_o, ID_t, PK_t, m_t, σ_t = (U_o, U_t, V_t)}. If ID_t ≠ ID*, A outputs FAIL and aborts the simulation.

Otherwise, in case of ID_t = ID_o = ID*, by replays of A with the same random tape but different choices of H_2, as done in the forking lemma [22], A gets two valid tuples {ID_o, PK_o, m_o, y_o, U_o, U'_o, V_o} and {ID_o, PK_o, m_o, y'_o, U_o, U'_o, V'_o} such that y_o ≠ y'_o. If both outputs are expected ones, A computes as follows:

$$
\frac{V_o - V'_o}{w_o\,(y_o - y'_o)} = abP.
$$

Note that A has known the values w_o, y_o, y'_o ∈ Z_q^*. Therefore, A can solve the CDH problem.

In case of ID_t ≠ ID_o and ID_t = ID*, by replays of A with the same random tape but different choices of H_2, as done in the forking lemma [22], A gets two valid tuples {ID_o, ID_t, PK_o, PK_t, m_t, y_t, U_o, U_t, V_t} and {ID_o, ID_t, PK_o, PK_t, m_t, y'_t, U_o, U_t, V'_t} such that y_t ≠ y'_t. If both outputs are expected ones, A computes as follows:

$$
\frac{V_t - V'_t}{w_t\,(y_t - y'_t)} = abP.
$$

Note that A has known the values w_t, y_t, y'_t ∈ Z_q^*. Therefore, A can solve the CDH problem. Since a is independently and randomly chosen, we have

$$
\Pr_A\bigl[ID_t = ID^* \mid ID_t = ID_i \text{ for some } i\bigr] \ge \frac{1}{q_{PK}}.
$$

The total running time t' of A is equal to the running time of the forking lemma (Theorem 3) [22], which is bounded by 120686 q_{H_2} q_PK t/ε, as desired. Therefore, if a Type II forger who can break our CL-PKPS scheme exists, then an attacker who solves the CDH problem exists. □
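As an added example (not the paper's code), the extraction step of Lemma 5 carried out numerically: the simulator forks the forger, obtains two V values under the same random tape but different H_2 answers, and divides out w(y − y'). It assumes a stand-in for G_1, namely the order-q subgroup of Z_p^* for a toy safe prime p = 2q + 1, written additively so the formulas read as in the paper; the helper names (proxy_sign_v, extract_cdh, run_reduction) are mine.

```python
"""Added example (not the paper's code): the extraction step of Lemma 5.
After forking, the simulator holds two proxy signatures made on the same
random tape (same r, same programmed T = wY) but with different H_2 answers
y != y', and recovers abP = (V - V') / (w (y - y')).  Stand-in for G_1: the
order-q subgroup of Z_p^* for a toy safe prime p = 2q + 1, written additively."""
import secrets

P_MOD, Q = 1019, 509   # constructed toy parameters: p = 2q + 1, both prime
GEN = 4                # "P", a generator of the order-q subgroup (4 = 2^2)

def add(A, B):         # "A + B" in G_1 is multiplication in Z_p^*
    return A * B % P_MOD

def mul(k, A):         # "kA" in G_1 is exponentiation; scalars live in Z_q
    return pow(A, k % Q, P_MOD)

def sub(A, B):         # "A - B"
    return add(A, pow(B, -1, P_MOD))

def rand_scalar():     # uniform element of Z_q^*
    return secrets.randbelow(Q - 1) + 1

def proxy_sign_v(x, D, r, y, T):
    """V component of a proxy signature: V = D + (r + y x) T, with T the
    H_{3,1} value.  In the simulation T = wY = wbP and the target's x is a."""
    return add(D, mul(r + y * x, T))

def extract_cdh(V1, V2, w, y1, y2):
    """Lemma 5: abP = (V - V') / (w (y - y')); only simulator-known values."""
    inv = pow(w * (y1 - y2) % Q, -1, Q)
    return mul(inv, sub(V1, V2))

def run_reduction():
    """Build a CDH instance X = aP, Y = bP, fork the signer, check abP."""
    a, b = rand_scalar(), rand_scalar()   # unknown to the simulator in reality
    Y = mul(b, GEN)                       # target PK* = X = aP, so its x is a
    s, k = rand_scalar(), rand_scalar()   # master key and H_1 exponent (known)
    D = mul(k * s, GEN)                   # partial private key D = k s P; cancels
    w, r = rand_scalar(), rand_scalar()   # same random tape in both runs
    T = mul(w, Y)                         # programmed H_{3,1} output T = wY = wbP
    y1, y2 = rand_scalar(), rand_scalar()
    while y2 == y1:                       # forking lemma needs y != y'
        y2 = rand_scalar()
    V1 = proxy_sign_v(a, D, r, y1, T)     # forgery in the first run
    V2 = proxy_sign_v(a, D, r, y2, T)     # replay with a different H_2 answer
    return extract_cdh(V1, V2, w, y1, y2) == mul(a * b, GEN)
```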

References

[1] A.K. Awasthi, S. Lal, ID-based ring signature and proxy ring signature schemes from bilinear pairings, International Journal of Network Security 4 (2007) 187–192.

[2] S. Al-Riyami, K. Paterson, Certificateless public key cryptography, in: C.S. Laih (Ed.), Proceedings of Asiacrypt 2003, Taipei, Taiwan, November 2003, LNCS, vol. 2894, pp. 312–323.

[3] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in: J. Kilian (Ed.), Proceedings of Crypto 2001, Santa Barbara, California, USA, August 2001, LNCS, vol. 2139, pp. 213–229.

[4] D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, in: C. Boyd (Ed.), Proceedings of Asiacrypt 2001, Gold Coast, Australia, December 2001, LNCS, vol. 2248, pp. 514–532.

[5] A. Boldyreva, A. Palacio, B. Warinschi, Secure proxy signature schemes for delegation of signing rights. <http://eprint.iacr.org/2003/096/>.

[6] K. Choi, D. Lee, Certificateless proxy signature scheme, in: Proceedings of the 3rd International Conference on Multimedia, Information Technology and its Applications – MITA 2007, Manila, Philippines, August 2007, pp. 437–440.

[7] S. Duan, Certificateless undeniable signature scheme, Information Sciences 178 (3) (2008) 742–755.

[8] I. Foster, C. Kesselman, G. Tsudik, S. Tuecke, A security architecture for computational grids, in: L. Gong, M. Reiter (Eds.), Proceedings of the Fifth ACM Conference on Computers and Communications Security, San Francisco, California, USA, November 1998, pp. 83–92.

[9] M.C. Gorantla, A. Saxena, An efficient certificateless signature scheme, in: Y. Hao, J. Liu, Y. Wang, Y.-M. Cheung, H. Yin, L. Jiao, J. Ma, Y.-C. Jiao (Eds.), Proceedings of CIS 2005, Xi'an, China, December 2005, LNAI, vol. 3802, pp. 110–116.

[10] H.-F. Huang, C.-C. Chang, A novel efficient (t,n) threshold proxy signature scheme, Information Sciences 176 (10) (2006) 1338–1349.

[11] S.J. Hwang, C.H. Shi, A simple multi-proxy signature scheme, in: Proceedings of the 10th National Conference on Information Security, Taiwan, 2000, pp. 134–138.

[12] J. Herranz, G. Sáez, Verifiable secret sharing for general access structures with application to fully distributed proxy signatures, in: R.N. Wright (Ed.), Proceedings of Financial Cryptography 2003, French West Indies, January 2003, LNCS, vol. 2742, pp. 286–302.

[13] X. Huang, W. Susilo, Y. Mu, F. Zhang, On the security of certificateless signature schemes from Asiacrypt 2003, in: Y.G. Desmedt, H. Wang, Y. Mu, Y. Li (Eds.), Proceedings of CANS 2005, Xiamen, China, December 2005, LNCS, vol. 3810, pp. 13–25.

[14] Z. Jin, Q. Wen, Certificateless multi-proxy signature, Computer Communications 34 (2011) 344–352.

[15] H. Kim, J. Baek, B. Lee, K. Kim, Secret computation with secrets for mobile agent using one-time proxy signature, Proceedings of SCIS 2001, Oiso, Japan, 2001, pp. 845–850.

[16] N. Koblitz, A. Menezes, S. Vanstone, The state of elliptic curve cryptography, Designs, Codes and Cryptography 19 (2000) 173–193.

[17] S. Kim, S. Park, D. Won, Proxy signatures, revisited, in: Y. Han, T. Okamoto, S. Qing (Eds.), Proceedings of ICICS 97, Beijing, China, November 1997, LNCS, vol. 1334, pp. 223–232.

[18] X. Li, K. Chen, L. Sun, Certificateless signature and proxy signature schemes from bilinear pairings, Lithuanian Mathematical Journal 45 (2005) 76–83.

[19] B. Lee, H. Kim, K. Kim, Strong proxy signature and its applications, Proceedings of SCIS 2001, Oiso, Japan, 2001, pp. 603–608.

[20] Y. Lee, H. Kim, Y. Park, H. Yoon, A new proxy signature scheme providing self-delegation, Proceedings of ICISC 06, LNCS, vol. 4296, pp. 328–342.

[21] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures: delegation of the power to sign messages, IEICE Transactions on Fundamentals E79-A (1996) 1338–1354.

[22] D. Pointcheval, J. Stern, Security arguments for digital signature and blind signature, Journal of Cryptology 13 (2000) 361–396.

[23] Q. Wang, Z. Cao, Identity based proxy multi-signature, The Journal of Systems and Software 80 (2007) 1023–1029.

[24] A. Shamir, Identity based cryptosystems and signature schemes, in: G.R. Blakely, D. Chaum (Eds.), Proceedings of Crypto 1984, California, USA, August 1984, LNCS, vol. 196, pp. 47–53.

[25] L. Wang, Z. Cao, X. Li, H. Qian, Simulatability and security of certificateless threshold signatures, Information Sciences 177 (6) (2007) 1382–1394.

[26] D.H. Yum, P.J. Lee, Generic construction of certificateless signature, in: H. Wang, J. Pieprzyk, V. Varadharajan (Eds.), Proceedings of ACISP 2004, Sydney, Australia, LNCS, vol. 3108, pp. 200–211.

[27] H. Xiong, F. Li, Z. Qin, A provably secure proxy signature scheme in certificateless cryptography, Informatica, Lithuanian Academy of Sciences 21 (2) (2010) 277–294.


[28] J. Xu, Z. Zhang, D. Feng, ID-based proxy signature using bilinear pairings, in: G. Chen, Y. Pan, M. Guo, J. Lu (Eds.), Proc. Parallel and Distributed Processing and Applications – ISPA 2005 Workshops, Nanjing, China, November 2005, LNCS, vol. 3759, pp. 359–367.

[29] F. Zhang, K. Kim, Efficient ID-based blind signature and proxy signature from bilinear pairings, in: R. Safavi-Naini, J. Seberry (Eds.), Proceedings of ACISP 2003, Wollongong, Australia, July 2003, LNCS, vol. 2727, pp. 312–323.

[30] Z. Zhang, D. Wong, J. Xu, D. Feng, Certificateless public-key signature: security model and efficient construction, in: J. Zhou, M. Yung, F. Bao (Eds.), Proceedings of ACNS 2006, Singapore, June 2006, LNCS, vol. 3989, pp. 293–308.