Printer Friendly

Security Analysis of a Certificateless Signature from Lattices.

1. Introduction

The notion of certificateless signature (CLS) has been introduced by Al-Riyami and Paterson [1] in 2003 as a variant of identity-based signature (IBS) to eliminate the key escrow problem inherent in IBS and assuage the certificate management of regular signatures. To solve the key escrow problem, a user's private key in a CLS scheme is not generated by the KGC alone. Instead, it is a combination of a secret from the KGC and one chosen by the user. More precisely, each user has two secrets: a secret value generated by the user and a partial private key produced by the KGC, who holds the master key. Signing requires both secrets. Since the KGC does not have access to the secret value generated by the user, the key escrow problem can be solved.

Lattice-based signature schemes are an important alternative for the current number-theoretic signature schemes and are emerging as a promising candidate for postquantum cryptography on the basis of Shor's work [2]. There are many lattice-based cryptosystems, including encryption schemes [3, 4]. There have been various attempts to construct lattice-based CLS schemes.

The first lattice-based signature scheme was proposed by Gentry et al. [5] as a Hash-and-Sign signature scheme and its security is based on the hardness SIS problem on the average case. Lyubashevsky and Micciancio [6] proposed a lattice-based one-time signature scheme in 2008. Lyubashevsky [7] proposed a lattice-based signature by extending the scheme of Lyubashevsky and Micciancio [6] in the framework of Fiat-Shamir. Since then, a number of lattice-based signature schemes have been proposed in the context ofPKI. Tian and Huang [8] proposed a IBS scheme following the framework of Lyubashevsky [7].

In 2015, Tian and Huang [9] proposed a lattice-based CLS scheme and proved under the SIS assumption that the scheme is existentially unforgeable against strong adversaries, in the random oracle. In this paper, we discuss security flaws in the CLS scheme of Tian and Huang by scrutinizing misuses of the hash function in the security arguments. The security proof of the scheme is given in random oracle model and uses the general forking lemma under the assumption that the underlying hash function H is a random oracle. We show that the hash function is neither one-way nor collision-resistant in the view of a strong Type 1 adversary. This means that the hash function defined from H cannot be modelled as a random oracle and this indicates critical flaws in the security argument.

We show that the CLS scheme is insecure against strong Type 1 adversaries by providing effective attack algorithms. The attack algorithms, which are successful in the strong Type 1 adversarial model, are based on the weak properties of the hash function that we have found.

The rest of the paper is organized as follows. In Section 2 we give preliminaries on CLS schemes and review the CLS scheme of Tian and Huang as well as their security proofs. In Section 3, we analyze the security arguments of Tian and Huang and point out security flaws. We show that the scheme is insecure under strong Type 1 attack. We draw our conclusion in Section 4.

2. Review of the Certificateless Signature Scheme of Tian and Huang

In 2015, Tian and Huang proposed a CLS scheme (from hereon in referred to simply as "Tian-Huang scheme") and they claimed that their scheme is provably secure in the strong Type 1 adversarial model by assuming the hardness of the SIS problem [9]. In this section, we review some basics of Tian-Huang scheme and their security proof.

2.1. Some Basics of SIS Problem. The security of Tian-Huang scheme is based on the hardness of the SIS problem. The SIS problem can be stated as follows.

Definition 1. Given a positive integer q, a matrix A [member of] [Z.sup.nxm], and a positive real number y, the (q, m, [gamma])-SIS problem for A is to find a nonzero vector v [member of] [Z.sup.m] such that Av =0 (mod q) and [parallel]v[parallel] [less than or equal to] [gamma].

One of the related problems of the SIS problem is the Inhomogeneous-SIS (ISIS) problem that can be described as follows.

Definition 2. Given a positive integer q, a matrix A [member of] [Z.sup.nxm.sub.q], a vector u [member of] [Z.sup.n], and a positive real number [gamma]', the (q, m, [gamma]')-ISIS problem for (A, u) is to find a nonzero vector v [member of] [Z.sup.m] such that Av = u (mod q) and [parallel]v[parallel] [less than or equal to] [gamma]' .

For any polynomial-bounded m, y and for any prime q > [gamma] x [omega]([square root of n log n]), it is known by Micciancio and Regev [10] that solving SIS on average is hard as approximating some intractable lattice problem.

The polynomial-time algorithms TrapGen and SampleMat are building blocks of Tian-Huang scheme. We skip the details of each algorithms in this paper.

(i) (A, [T.sub.A]) [left arrow] TrapGen(q,n,m,[gamma]) if and only if [T.sub.A] [member of] [Z.sup.mxm] is of full rank and each column vector of [T.sub.A] is a solution of (q, m, [gamma])-SIS problem for the matrix A [member of] [Z.sup.nxm.sub.q].

(ii) For (A, [T.sub.A]) [left arrow] TrapGen(q,n,m,[gamma]), (D [member of] [Z.sup.nxk.sub.q]) [left arrow] SampleMat(A, [T.sub.A], [gamma]', u) if and only if each of the column vectors of D is a solution of (q,m,[gamma]')-ISIS problem for (A, u).

2.2. A Description of Tian-Huang Scheme [9]. In this subsection we give a brief description of Tian-Huang scheme; for the full details, see [9]. Major public parameters of the scheme are the following:

(i) n: security parameter.

(ii) q: prime number.

(iii) M: a positive real number.

(iv) m, [m.sub.1], [m.sub.2], b, k, [lambda], s, [sigma]: positive integers with m = [m.sub.1] + [m.sub.2], [m.sub.1] > 2n log q, [m.sub.2] > 64 + n log q/(2b + 1) and s = [OMEGA]([square root of n log q]), [sigma] = 12s[lambda]m.

The scheme consists of the following seven algorithms:

(i) Setup(n [member of] Z): on input the security parameter n, the KGC

(a) computes (A, [T.sub.A]) [left arrow] TrapGen(q,n,[m.sub.1]),

(b) chooses a random matrix [mathematical expression not reproducible],

(c) chooses two secure hash functions

[mathematical expression not reproducible], (1)

(d) outputs the master secret msk = [T.sub.A] and the public parameters params = {A, B, F, H}.

(ii) PartialPrivateKeyExtract(id, msk, params): on input (id, msk = [T.sub.A], params), the KGC obtains [mathematical expression not reproducible] and sends it to the user with id. Upon receiving [D.sub.id], the user with id checks the correctness of [D.sub.id] by verifying if A[D.sub.id] = F(id) and [parallel] [D.sub.id] [parallel] [less than or equal to] s [square root of [m.sub.1]]. If so, the user sets his partial private key as [psk.sub.id] = [D.sub.id].

(iii) SetSecretValue(id, params): on input (id, params), the user with id selects a random matrix [mathematical expression not reproducible] and outputs his secret value [x.sub.id] = [S.sub.id].

(iv) SetPrivateKey(id, [x.sub.id], [psk.sub.id], params): on input (id, [x.sub.id] = [S.sub.id], [psk.sub.id] = [D.sub.id], params), the user with id outputs his full private key [mathematical expression not reproducible].

(v) SetPublicKey(id, [SK.sub.id], params): on input (id, S[K.sub.id] = ([D.sub.id], [S.sub.id]), params), the user with id outputs his public key [PK.sub.id] = B[S.sub.id].

(vi) CLSign(id, [SK.sub.id], m, params): on input (id, S[K.sub.id] = ([D.sub.id], [S.sub.id]), m, params), the user with id

(a) selects [mathematical expression not reproducible].

(b) sets [mathematical expression not reproducible].

(c) computes z = c + y [member of] [Z.sup.m].

(d) outputs the signature sig = (h, z) on m with probability min (1,[D.sup.m.sub.[sigma]](z)/M[D.sup.m.sub.[sigma],c](z)). If nothing is outputted, repeat this algorithm.

(vii) CLVfy(id, [PK.sub.id], [sigma], m, params): on input (id, P[K.sub.id] = B[S.sub.id], sig = (h, z), m, params), the algorithm outputs 1 only if [mathematical expression not reproducible].

Correctness. The correctness of Tian-Huang scheme is clear from the fact that the following holds for any correctly computed key pairs and a signature (h, z) on m.

[mathematical expression not reproducible]. (2)

2.3. Security Model for CLS Schemes. The most general security notion of regular signature is the existential unforgeability under an adaptively chosen message attack. It is extended to IBS, namely, existential unforgeability under an adaptively chosen message and an adaptively chosen-ID attack, where an adversary can choose its messages and its identities adaptively. The security notion of CLS is similar to that of IBS, but it is more complicated from the following facts:

(i) The KGC should be considered as an adversary because it is not a trusted party.

(ii) There is no way to authenticate the public key [PK.sub.id] of the user id because no certificate of [PK.sub.id] is given. Therefore, replacing the public key [PK.sub.id] of the user id is allowed.

Such issues necessitate considering two types of adversaries in CLS, namely, Type 1 and Type 2 adversaries. The Type 1 adversary models outside attacker which is allowed to replace any user's public key. The Type 2 adversary models a malicious KGC which is allowed to obtain the master secret msk. For each type, the adversary is also given access to the signing oracle for any messages for any identities of its chosen. However, none of Type 1 and Type 2 adversaries are allowed to replace P[K.sub.id] and obtain msk at the same time.

In 2007, Hu et al. [11] defined formal security models and Huang et al. [12, 13] also defined formal security models in which the adversaries can be categorized into normal, strong, super adversaries (ordered based on their attack powers), which are accessed different sign oracles. Because our focus in this paper is the Type 1 security of Tian-Huang scheme against strong adversary, we describe the Type 1 security model of CLS against strong adversary, only. The Type 1 security of a CLS against strong adversary is formalized by using the following security game, CL-EUF game between the challenger C and a Type 1 adversary A.

[CL-EUF-Game 1]

[Initialization] the challenger runs (msk,mpk, params) [left arrow] setup(k) and sends (params, mpk) to A.

[Queries] A can request the following queries adaptively to the challenger C.

CreateUser Query. For the requested identity id [member of] [{0,1}.sup.*], if id has already been created, nothing is to be carried out. Otherwise, the oracle runs the algorithms PartialPrivateKeyExtract(id, params, msk), SetSecretValue(id, params), SetPrivateKey(id, [x.sub.id], ps[k.sub.id], params), and SetPublicKey(id, [x.sub.id], params) to generate ps[k.sub.id], [x.sub.id], S[K.sub.id], and P[K.sub.id]. In both cases, P[K.sub.id] is returned.

RevealSecretValue Query. For the requested identity id [member of] [{0,1}.sup.*], the oracle returns the corresponding secret value [x.sub.id]. ReplacePublicKey Query. For the requested (id, [PK'.sub.id]), the oracle replaces the public key [PK.sub.id] of the original user with [PK'.sub.id] and returns the replaced (id, [PK'.sub.id]). The replacement will be recorded.

RevealPartialPrivateKey Query. For the requested id [member of] [{0,1}.sup.*], the challenger C returns the corresponding partial private key [psk.sub.id]. StrongSign Query. For the requested (id, [x.sub.id], [m.sub.i]) C returns the signature oi such that

CLVfy (id, [PK.sub.id], [sig.sub.i], [m.sub.i], params) = 1. (3)

[Forgery] finally, A outputs [sig.sup.*] on a message [m.sup.*] for an identity [id.sup.*]. We say that the adversary A wins the [CL-EUF-Game 1] if

(1) [id.sup.*] has never been requested to the RevealPartialPrivateKey oracle,

(2) the pair [mathematical expression not reproducible] has never been requested to the StrongSign oracle, where [mathematical expression not reproducible] is the corresponding secret of [mathematical expression not reproducible],

(3) CLVfy [mathematical expression not reproducible].

The security of CLS against strong Type 1 adversaries is defined as follows.

Definition 3. For any polynomial-time strong Type I adversary, if the probability of the adversary win CL-EUF-Game 1 is negligible, then we say the CLS scheme is existentially unforgeable against strong Type 1 adversaries under adaptive chosen message and chosen identity attacks.

Note that, for the security of CLS, one should consider both of Type 1 and Type 2 adversaries. However, we believe that the description of Type 1 security of CLS is enough to read the ideas of this paper and we omit the description of Type 2 security of CLS in this paper.

2.4. Summary of the Security Proof of Tian-Huang Scheme in [9]. The security proof of Tian-Huang scheme in [9] is given in random oracle model where the hash functions F and H are viewed as random oracles and controlled by the challenger C.

Suppose there is a polynomial-time strong Type 1 adversary A that requests CreateUser, RevealPartialPrivateKey, RevealSecretValue, ReplacePublicKey, StrongSign, and F and H queries and outputs a forged signature for Tian-Huang scheme with nonnegligible probability. Tian and Huang proved that the challenger C can solve the (q,[m.sub.1],4[sigma][square root of m] + 2s[lambda][square root of [m.sub.1])-SIS problem with nonnegligible probability using A. Now, we give a brief review of how the challenger C solves a given SIS problem by using the successful strong Type 1 adversary; for the full details, see [9]. Suppose that a specific (q, [m.sub.1],4[sigma] [square root of m] + 2s[lambda] [square root of [m.sub.1]) -SIS problem with matrix A is given to C.

First, the challenger C simulates the security game with the adversary A for params = {A, B, F, H} with a randomly chosen [mathematical expression not reproducible] and two secure hash functions H and F. Even though the challenger C does not know the corresponding trapdoor [T.sub.A], C can respond to Create-User-Oracle query or Extract-Partial-Private-Key-Oracle query correctly by using the hash function F as a random oracle which is controlled and recorded by C. The challenger C also records the list [L.sub.H] = {([v.sub.i], [[mu].sub.i], [h.sub.i])} corresponding to [id.sub.i] of H-oracle query as a random oracle. Finally, A outputs a signature forgery [sig.sup.*] = ([h.sup.*], [z.sup.*]) on a message [m.sup.*] for an identity [mathematical expression not reproducible] with nonnegligible probability.

To solve the given SIS problem for the matrix A, the challenger C reruns the adversary A with the same random tape but different outputting sequence of H-oracle. The general forking lemma assures that A will output a new forgery [sig'.sup.*] on a message [m.sup.*] for an identity [mathematical expression not reproducible] and

[mathematical expression not reproducible], (4)

where [mathematical expression not reproducible].

In particular, we see that [mathematical expression not reproducible], we have

[mathematical expression not reproducible]. (5)

Since [mathematical expression not reproducible] with overwhelming probability, we can see that

[mathematical expression not reproducible]. (6)

The fact [h.sup.*] [not equal to] h' and the nonuniqueness of the solution of ISIS problem for (A, F([id.sup.*])) yields

[mathematical expression not reproducible] (7)

with probability at least 1/2. Therefore, [mathematical expression not reproducible] is a solution of the given SIS problem to C.

Remark 4. The security proof above is based on the forking lemma assuming the underlying hash function H can be modelled as a random oracle. However, as we will see in the next section, for the strong Type I adversary, the specific hash function in the scheme, which is related but has a different property from the given H, is neither one-way nor collision-resistant. This means that the hash function defined from H cannot be modelled as a random oracle. Therefore, we see that there is a critical flaw in their security proof. In fact, we present successful strong Type 1 adversarial algorithms on the scheme in the next section.

3. Main Results

In this section, we discuss the flaws that we have found in the arguments of their security proof against a strong Type 1 adversary. Then we give two successful strong Type 1 attack algorithms.

3.1. Analysis of Cryptographic Usage of Hash Functions in the Tian-Huang Scheme. The Tian-Huang scheme uses a collision-resistant hash function H : [Z.sup.2nb.sub.q] x [{0,1}.sup.*] [right arrow] [{-1,0,1}.sup.k] in an essential way in the security proof. In this section, we discuss the usage of the hash function and analyze how the security arguments utilize its cryptographic properties incorrectly.

Lemma 5. Let [P.sub.id] = [BS.sub.id] and A[D.sub.id] = F(id). Consider a signature sig = (h, z) on a message m, where [mathematical expression not reproducible]. Then sig is valid under (id, [P.sub.id]) if the following holds:

(1) [parallel]z[parallel] [less than or equal to] 2[sigma] [square root of m].

(2) [mathematical expression not reproducible].

Proof. By (2) we have

[mathematical expression not reproducible], (8)

and so

[mathematical expression not reproducible]. (9)

The converse is true with overwhelming probability if the hash function H is collision-resistant:

Lemma 6. Let [P.sub.id] = [BS.sub.id] and [AD.sub.id] = F(id). If a signature sig = (h, z) on a message m is valid under [mathematical expression not reproducible], then with overwhelming probability we have

[mathematical expression not reproducible]. (10)

By Lemmas 5 and 6, we see that the validity of a signature (z, h) on the message m under [mathematical expression not reproducible] is (computationally) equivalent to the following:

(1) [parallel]z[parallel] [less than or equal to] 2[sigma] [square root of m],

(2) [mathematical expression not reproducible].

Now we analyze some cryptographic properties concerning

[mathematical expression not reproducible], (11)

where H : [Z.sup.2n.sub.q] x [{0,1}.sup.*] [right arrow] [{-1, 0, 1}.sup.k] is a collision-resistant hash function.

Theorem 7. Suppose that we have functions

[mathematical expression not reproducible],

such that

[mathematical expression not reproducible]. (12)

For any given [y.sub.1], m, h = H'([y.sub.1], [y.sub.2], m), one can efficiently compute [y.sub.2] if the following data are known:

[mathematical expression not reproducible]. (13)

Proof. Given [mathematical expression not reproducible], one can recover [y.sub.2] by computing and taking the second component of

[mathematical expression not reproducible]. (14)

Theorem 7 can be interpreted as asserting that the function H' cannot acquire one-wayness in the presence of the (additional) data [mathematical expression not reproducible], even though H1 is closely related to a secure hash function H. We note that this additional data is always available to any strong Type 1 adversary against the Tian-Huang scheme by requesting ReplacePublicKey queries and a StrongSign query. In fact, we will use this to design a successful strong Type 1 attack on the Tian-Huang scheme in Section 3.2.1.

Theorem 8. Suppose we have functions

[mathematical expression not reproducible],

such that

[mathematical expression not reproducible]. (15)

For any given preimage ([z.sub.1], [z.sub.2], P, id, m) of h = H"(*), one can efficiently compute a second preimage of h.

Proof. Suppose we are given ([z.sub.1], [z.sub.2], P, id, m) such that H"([z.sub.1], [z.sub.2], P, id, m) = h. Choose [mathematical expression not reproducible]. Then

[mathematical expression not reproducible]. (16)

By Theorem 8, the function H" cannot be collision-resistant even if H is. In Section 3.2.2 we show how to utilize a second preimage of h to design a successful strong Type 1 attack on the Tian-Huang scheme.

Theorems 7 and 8 show that the functions [mathematical expression not reproducible] cannot be a secure hash function even if the underlying function H is a one-way and collision-resistant if some additional data is known. Moreover we see that such additional information is always available to any strong Type 1 adversaries against the Tian-Huang scheme. In other words, none of the functions H' and H" is a secure hash function in the view of strong Type 1 adversaries against the Tian-Huang scheme. Tian and Huang claimed that their CLS scheme is provably secure against strong Type 1 adversaries. The arguments of the proof are based on the fact that H' and H" are cryptographically secure hash functions and they can be modelled as a random oracle, which are assumed by the authors from the secure choice of H. By Theorems 7 and 8, however, we see that this is not correct under the strong Type 1 adversarial model and so are their security proofs. In fact, we present two successful strong Type 1 attacks in the sections that follow.

3.2. Strong Type 1 Attacks on the Tian-Huang Scheme. We present two attack algorithms on the Tian-Huang scheme. The first attack is successful by considering the hash function in the scheme as

[mathematical expression not reproducible]. (17)

The second attack is successful by considering the hash function in the scheme as

[mathematical expression not reproducible]. (18)

3.2.1. Attack Algorithm 1. The idea of the attackis that a strong Type 1 adversary, by requesting ReplacePublicKey queries and a StrongSign query, is always able to obtain the data needed to compute the preimage of h = H,([y.sub.1],[y.sub.2], m) as in Theorem 7.

A strong Type 1 adversary A proceeds as follows.

Step 1. A choose any [mathematical expression not reproducible], to be used as a new secret value for id, and sets [P'.sub.id] = [BS'.sub.id].

Step 2. A submits a query ReplacePublicKey(id, [P'.sub.id]), so that the public key corresponding to id is now [P'.sub.id] = [BS'.sub.id].

Step 3. A submits a query StrongSign(m, id, [S'.sub.id]) to obtain a signature

[mathematical expression not reproducible], (19)

where

(i) [mathematical expression not reproducible]; we may assume that [y.sub.2] [not equal to] 0; that is, there is 1 [less than or equal to] l [less than or equal to] [m.sub.2] such that the Ith component [y.sub.2l] of [y.sub.2] is nonzero. (So there is [epsilon] [member of] {1,-1} such that [parallel] [epsilon][e.sub.l] + [y.sub.2][parallel] [less than or equal to] [parallel] [y.sub.2] [parallel], (20)

where [e.sub.l] is a standard unit vector, with all components zero except for the lth, which is one.)

(ii) h [member of] [{-1,0,1}.sup.k]; we may assume that h [not equal to] 0; that is, [h.sub.s] [not equal to] 0 for some 1 [less than or equal to] s [less than or equal to] k.

(iii) [mathematical expression not reproducible].

Step 4. A computes [mathematical expression not reproducible].

Step 5. A chooses [mathematical expression not reproducible]; for instance, one can simply let [S.sup.*.sub.id] to be the matrixwhose entries are all zero except for the (l, s)-entry, which is set to be [epsilon][h.sub.s] (recall that [h.sub.s] [not equal to] 0 from Step 3). A computes [P.sup.*.sub.id] = B[S.sup.*.sub.id] and submits a query ReplacePublicKey(id, [P.sup.*.sub.id]).

Step 6. A forges a signature [sig.sup.*] = ([h.sup.*], [z.sup.*]) by computing

(i) [h.sup.*] [left arrow] h;

(ii) [mathematical expression not reproducible].

Validity of the Forged Signature. The validity of [sig.sup.*] as a signature on m under (id, [P.sup.*.sub.id]) can be checked using Lemma 5:

(i) Noting [mathematical expression not reproducible], we have

[mathematical expression not reproducible]. (21)

(ii) Since [mathematical expression not reproducible], we have

[mathematical expression not reproducible]. (22)

3.2.2. Attack Algorithm 2. The idea of the attack is that a preimage of h = H"([z.sub.1], [z.sub.2], P, id, m) can be obtained from any (eavesdropped) valid signature and one can compute a second preimage of h as in Theorem 8. The adversary only eavesdrops and makes one ReplacePublicKey query. A strong Type 1 adversary A proceeds as follows.

Step 1. A starts with a(n eavesdropped) valid signature sig = (h, z) on a message m under the public key [P.sub.id] = B[S.sub.id], where

(i) [mathematical expression not reproducible];

(ii) [mathematical expression not reproducible];

(iii) [mathematical expression not reproducible].

We may assume that [z.sub.2] [not equal to] 0; that is, there is 1 [less than or equal to] l [less than or equal to] [m.sub.2] such that [z.sub.2l] is nonzero. So there is [epsilon] [member of] {1,-1} such that

[mathematical expression not reproducible], (23)

where [e.sub.l] is a unit vector, with all zero components except for the 1th, which is one. The adversary A sets [z'.sub.2] = [epsilon][e.sub.l] + [z.sub.2]. We may also assume that h [not equal to] 0, say [h.sub.s] [not equal to] 0 for some 1 [less than or equal to] s [less than or equal to] k.

Step 2. A sets [mathematical expression not reproducible] to be the matrix whose entries are all zeros except for the (l, s)-entry, which is [epsilon][h.sub.s]. A computes

(i) [P.sup.*.sub.id] [left arrow] [P.sub.id] + [BS'.sub.id];

(??) [mathematical expression not reproducible].

Note that [mathematical expression not reproducible] unknown to A.

Step 3. A submits a query ReplacePublicKey(id, [P.sup.*.sub.id]); note that A does not know the secret value [S.sup.*.sub.id] = [S.sub.id] + [S'.sub.id] corresponding to [P.sup.*.sub.id]).

Step 4. A returns forged [sig.sup.*] = (h, [z.sup.*]) as a signature on m under (id, [P.sup.*.sub.id]).

Validity of the Forged Signature. The validity of [sig.sup.*] as a signature on m under (id, [P.sup.*.sub.id]) can be checked using Lemma 5:

(i) Noting that [mathematical expression not reproducible], we have

[mathematical expression not reproducible]. (24)

(ii) Since [mathematical expression not reproducible], we have

[mathematical expression not reproducible]. (25)

4. Conclusion

In this paper, we showed that the hash function used in Tian-Huang's scheme is not a secure hash function in the presence of a strong Type 1 adversary even though the function is defined from a cryptographically secure hash function. Such weakness of the hash function admits successful strong Type 1 attacks on their scheme. The security proof of the Tian-Huang scheme was done under the assumption that the hash function is a random oracle, which requires cryptographically security properties. It seems that to improve security argument one needs to make more careful use of the hash function in the simulation of the security game.

https://doi.org/10.1155/2017/3413567

Competing Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

Hyang-Sook Lee was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT and Future Planning (no. 2015R1A2A1A15054564). Juhee Lee was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (no. NRF2012R1A1A3015819).

References

[1] S. S. Al-Riyami and K. G. Paterson, "Certificateless public key cryptography," in Advances in Cryptology--ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 452-473, Springer, Berlin, Germany, 2003.

[2] P. W. Shor, "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer," SIAM Journal on Computing, vol. 26, no. 5, pp. 1484-1509, 1997.

[3] C. Peikert, "Public-key cryptosystems from the worst-case shortest vector problem: extended abstract," in Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC '09), pp. 333-342, Bethesda, Md, USA, June 2009.

[4] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," Journal of the ACM, vol. 56, no. 6, article no. 34, 2009.

[5] C. Gentry, C. Peikert, and V. Vaikuntanathan, "Trapdoors for hard lattices and new cryptographic constructions," in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC '08), pp. 197-206, ACM, Victoria, Canada, May 2008.

[6] V. Lyubashevsky and D. Micciancio, "Asymptotically efficient lattice-based digital signatures," in Proceedings of the 5th IACR Theory of Cryptography Conference (TCC '08), pp. 37-54, New York, NY, USA, March 2008.

[7] V. Lyubashevsky, "Lattice signatures without trapdoors," in Advances in Cryptology--EUROCRYPT 2012, vol. 7237 of Lecture Notes in Computer Science, pp. 738-755, Springer, Berlin, Germany, 2012.

[8] M. Tian and L. Huang, "Efficient identity-based signature from lattices," in ICT Systems Security and Privacy Protection: 29th IFIP TC 11 International Conference, SEC 2014, Marrakech, Morocco, June 2-4, 2014. Proceedings, vol. 428 of IFIP Advances in Information and Communication Technology, pp. 321-329, Springer, Berlin, Germany, 2014.

[9] M. Tian and L. Huang, "Certificateless and certificate-based signatures from lattices," Security and Communication Networks, vol. 8, no. 8, pp. 1575-1586, 2015.

[10] D. Micciancio and O. Regev, "Worst-case to average-case reductions based on Gaussian measures," SIAM Journal on Computing, vol.

37, no. 1, pp. 267-302, 2007.

[11] B. C. Hu, D. S. Wong, Z. Zhang, and X. Deng, "Certificateless signature: a new security model and an improved generic construction," Designs, Codes and Cryptography. An International Journal, vol. 42, no. 2, pp. 109-126, 2007.

[12] X. Huang, Y. Mu, W. Susilo, D. S. Wong, and W. Wu, "Certificateless signature revisited," in Proceedings of the 12th Australasian Conference on Information Security and Privacy (ACISP '07), pp. 308-322, Townsville, Australia, July 2007.

[13] X. Huang, Y. Mu, W. Susilo, D. S. Wong, and W. Wu, "Certificateless signatures: new schemes and security models," The Computer Journal, vol. 55, no. 4, pp. 457-474, 2012.

Seunghwan Chang, (1) Hyang-Sook Lee, (2) Juhee Lee, (1) and Seongan Lim (1)

(1) Institute of Mathematical Sciences, Ewha Womans University, Seoul 120-750, Republic of Korea

(2) Department of Mathematics, Ewha Womans University, Seoul 120-750, Republic of Korea

Correspondence should be addressed to Juhee Lee; juhee1108@gmail.com

Received 1 July 2016; Revised 30 November 2016; Accepted 18 December 2016; Published 26 January 2017

Academic Editor: Pino Caballero-Gil
COPYRIGHT 2017 Hindawi Limited
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2017 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Research Article
Author:Chang, Seunghwan; Lee, Hyang-Sook; Lee, Juhee; Lim, Seongan
Publication:Security and Communication Networks
Article Type:Report
Date:Jan 1, 2017
Words:5113
Previous Article:Quantitative Method for Network Security Situation Based on Attack Prediction.
Next Article:Utilizing the Double-Precision Floating-Point Computing Power of GPUs for RSA Acceleration.
Topics:

Terms of use | Privacy policy | Copyright © 2021 Farlex, Inc. | Feedback | For webmasters |