
1136 IEEE COMMUNICATIONS LETTERS, VOL. 15, NO. 10, OCTOBER 2011

On the Security of a Certificateless Aggregate Signature Scheme

Kyung-Ah Shim, Member, IEEE

Abstract—Certificateless cryptography eliminates the need for certificates in public key cryptosystems and solves the inherent key escrow problem in identity-based cryptosystems. An aggregate signature scheme is a signature scheme which allows $n$ signatures on $n$ distinct messages from $n$ distinct users to be aggregated into a single signature. Recently, Zhang and Zhang proposed a certificateless aggregate signature scheme provably secure in the random oracle model under the Computational Diffie-Hellman assumption. In this paper, we propose a novel fundamental security requirement for certificateless aggregate signature schemes, called coalition resistance, by presenting coalition attacks on Zhang-Zhang’s scheme.

Index Terms—Digital signature, identity-based cryptography, certificateless signature, certificateless aggregate signature, coalition attack.

I. INTRODUCTION

In the traditional Public Key Infrastructure (PKI), when Bob wishes to send a message to Alice, first he must obtain her authenticated public key from public directories. Identity (ID)-based infrastructure [15] makes deployment practical; it allows a user’s public key to be easily derivable from her known identity information such as an email address or a cellular phone number. Such cryptosystems alleviate the certificate overhead and solve the problems of PKI technology. The ID-based infrastructure involves users and a Private Key Generator (PKG or KGC) which is responsible for generating private keys for users. This feature leads to an inherent key escrow problem in ID-based cryptography, i.e., the private key of a user is known to the PKG, which can therefore decrypt any ciphertext and forge signatures on any message for any user. Al-Riyami and Paterson [1] introduced certificateless public key cryptography (CL-PKC) that solves the above problem. In CL-PKC, a user private key is a combination of some contribution of a KGC (called a partial private key) and some user-chosen secret, in such a way that the problem can be solved. CL-PKC is not purely ID-based since a signature and a ciphertext are transmitted together with additional user public keys. In order to encrypt a message and verify a signed message, one must know both the user’s identity and this additional public key. Certificateless signature (CLS) schemes are more meaningful than certificateless encryption (CLE) schemes because the CLE schemes require the public key of a receiver before encrypting a message. In that case, one still faces certification and distribution problems of the public key. However, in CLS schemes, a signature is transmitted together with a user public key that is not required to be certified by any trusted authority. If such a public key is invalid or replaced by an adversary then its signature verification fails. Al-Riyami and Paterson [1] proposed a CLE scheme and a CLS scheme. In [1], unforgeability of CLS schemes was not formally defined even though the security model for CLE was established. Since Al-Riyami and Paterson’s CLS scheme, several CLS schemes have been proposed [11], [7], [16]. They provided only informal analysis and were subsequently found to be vulnerable to key replacement attacks by type I adversaries [18], [5], [2]. Later, proven secure CLS schemes in the random oracle model [10], [19], [6] have been proposed. Recently, Liu et al. [12] proposed a provably secure CLS scheme in the standard model. In addition to these direct constructions, there exist generic constructions that convert existing signature schemes in different infrastructures into CLS schemes. Yum and Lee [17] proposed a generic construction for CLS schemes by combining any standard signature (SS) scheme with any ID-based signature (IBS) scheme. Subsequently, Hu et al. [8], [9] showed that this construction is insecure against key replacement attacks and then proposed an improved version by modifying the input of the signing algorithm. In particular, Hu et al. [8], [9] established a simplified definition and formal security model for CLS schemes which are shown to be more versatile than the previous ones [10], [18]. Recently, Au et al. [2] suggested a malicious-but-passive-KGC attack, where a KGC may not generate its master public/secret key pair honestly in order to mount the attack; they then modified Hu et al.’s model to capture the attack. They also showed that Al-Riyami and Paterson’s scheme and its variants [1], [10], [11] are insecure against the malicious-but-passive-KGC attacks and that the security of the CLS scheme converted from the modified Yum-Lee construction is preserved in their new model.

Manuscript received June 8, 2011. The associate editor coordinating the review of this letter and approving it for publication was Y.-D. Lin.

The author is with the Division of Fusion and Convergence of Mathematical Sciences, National Institute for Mathematical Sciences, KT Daedoek 2nd Research Center 463-1 Jeonmin-dong, Yuseong-gu, Daejeon, Korea (e-mail: [email protected]).

Digital Object Identifier 10.1109/LCOMM.2011.081011.111214

An aggregate signature scheme is a signature scheme which allows $n$ signatures on $n$ distinct messages from $n$ distinct users to be aggregated into a single signature. The validity of an aggregate signature will convince a verifier that the $n$ users did indeed sign the $n$ original messages. Aggregation is useful to reduce bandwidth and storage, and is especially attractive for mobile devices like sensors, cell phones, and PDAs where communication is more power-expensive than computation and contributes significantly to reducing battery life. In particular, aggregate signatures are used for reducing the size of certificate verification chains (by aggregating all certificates in the chain) and for reducing message size in secure routing protocols such as Secure Border Gateway Protocol (SBGP) [3]. Although CL-PKC does not require any public-key certificates, the aggregation technique in CL-PKC can easily aggregate many different certificateless signatures into a single certificateless aggregate signature (CLAS), and hence effectively reduce the signature size and verification cost.

1089-7798/11$25.00 © 2011 IEEE


The rest of the paper is organized as follows. In Section 2, we review Zhang-Zhang’s CLAS scheme. In Section 3, we introduce a novel fundamental security requirement for CLAS schemes, called coalition resistance, and argue why this is necessary by presenting coalition attacks on Zhang-Zhang’s scheme. Concluding remarks are given in Section 4.

II. AN EFFICIENT CERTIFICATELESS AGGREGATE SIGNATURE SCHEME

First, we review Zhang-Zhang’s CLAS scheme [20]. The scheme consists of the following six algorithms.

∙ Setup. Given a security parameter $l$, the KGC chooses a cyclic additive group $G_1$ which is generated by $P$ with a prime order $q$, a cyclic multiplicative group $G_2$ of the same order and a bilinear map $e : G_1 \times G_1 \to G_2$. The KGC also chooses a random $\lambda \in Z_q^*$ as a master-key, sets $P_T = \lambda P$ and chooses cryptographic hash functions $H_1 : \{0,1\}^* \to G_1$, $H_2 : \{0,1\}^* \to G_1$ and $H_3 : \{0,1\}^* \to G_1$. The system parameter list is $\text{params} = \langle G_1, G_2, e, P, P_T, H_1, H_2, H_3 \rangle$. The message space is $\mathcal{M} = \{0,1\}^*$.

∙ Partial-Private-Key-Extract. This algorithm takes params, the master-key $\lambda$ and a user’s identity $ID_i \in \{0,1\}^*$ and outputs a partial private key $D_i$ corresponding to $ID_i$ as $D_i = \lambda \cdot Q_i$, where $Q_i = H_1(ID_i) \in G_1$.

∙ UserKeyGen. This algorithm takes a user’s identity $ID_i$ and outputs a public/secret key pair $(P_i = x_i \cdot P,\ x_i)$ for $x_i \in_R Z_q^*$.

∙ Sign. To sign a message $M_i \in \mathcal{M}$ using a signing key $(x_i, D_i)$ of $ID_i$ with a public key $P_i$, the signer chooses a state information $\Delta$ (in the scheme, they choose some elements of the system parameters as $\Delta$), and then performs the following steps:

1) Choose a random number $r_i \in Z_q^*$, and compute $R_i = r_i \cdot P$.
2) Compute $W = H_2(\Delta)$, and $S_i = H_3(\Delta \| M_i \| ID_i \| P_i \| R_i)$.
3) Compute $V_i = D_i + x_i \cdot W + r_i \cdot S_i$.
4) Output $\sigma_i = (R_i, V_i)$ as a certificateless signature on $M_i$ for $\{ID_i, P_i\}$.

∙ Aggregate. Anyone can act as an aggregate signature generator who can aggregate a collection of individual signatures that use the same state information $\Delta$. For an aggregating set $\mathcal{U}$ (which has the same state information $\Delta$) of $n$ users $U_1, \cdots, U_n$ with identities $\{ID_1, \cdots, ID_n\}$ and the corresponding public keys $\{P_1, \cdots, P_n\}$ and message-signature pairs $\langle M_1, \sigma_1 = (R_1, V_1) \rangle, \cdots, \langle M_n, \sigma_n = (R_n, V_n) \rangle$ from $U_1, \cdots, U_n$, respectively, the aggregate signature generator computes

\[ V = \sum_{i=1}^{n} V_i \]

and outputs $\sigma = (R_1, \cdots, R_n, V)$ as an aggregate signature on $\{M_1, \cdots, M_n\}$ for $\{ID_1, \cdots, ID_n\}$.

∙ Aggregate Verify. To verify an aggregate signature $\sigma = (R_1, \cdots, R_n, V)$ on $\{M_1, \cdots, M_n\}$ for $\{ID_1, \cdots, ID_n\}$ with the corresponding public keys $\{P_1, \cdots, P_n\}$ and the same state information $\Delta$, a verifier performs the following steps:

1) Compute $W = H_2(\Delta)$, $Q_i = H_1(ID_i)$, and $S_i = H_3(\Delta \| M_i \| ID_i \| P_i \| R_i)$ for all $1 \le i \le n$.
2) Verify

\[ e(V, P) \stackrel{?}{=} e\Big(P_T, \sum_{i=1}^{n} Q_i\Big) \cdot e\Big(W, \sum_{i=1}^{n} P_i\Big) \cdot \prod_{i=1}^{n} e(S_i, R_i). \]

3) If the equation holds, output true. Otherwise, output false.

III. COALITION RESISTANCE IN CLAS SCHEME

The models described in [20] do not cover any notion of security against coalition attacks. The security of CLAS schemes against a type II adversary means that a malicious KGC cannot forge any valid certificateless aggregate signatures. In fact, the possibility of coalition attacks in the multi-party setting represents a qualitative difference from the two-party (signer-verifier) setting, where coalition attacks are meaningless. Coalition resistance is the property that no group of signers, even one containing the KGC, can together generate a valid aggregate certificateless signature.

Now, we show that Zhang-Zhang’s scheme does not achieve the coalition resistance property, i.e., it is insecure against coalition attacks. More precisely, the KGC colluding with a malicious user can forge a certificateless aggregate signature on any set of messages for any set of users containing that user. Let Carol be a malicious user with identity $ID_{n+1}$. Then we show that the KGC colluding with Carol can forge a certificateless aggregate signature on $\{m_1, \cdots, m_{n+1}\}$ for $\{ID_1, \cdots, ID_{n+1}\}$. The attack can be mounted as follows:

∙ First, Carol chooses a random number $t \in \mathbb{Z}_q^*$ and lets $t$ be $x_1 + \cdots + x_n + \alpha$. Then Carol can obtain $\alpha \cdot P$ by computing

\[ \alpha \cdot P = t \cdot P - \sum_{i=1}^{n} P_i. \]

Finally, Carol takes $\alpha \cdot P$ as its public key $P_{n+1}$. In this case, Carol cannot know $\alpha$, which is the discrete logarithm of $P_{n+1}$ with respect to the base point $P$.

∙ Next, the KGC and Carol compute a certificateless aggregate signature $\sigma^* = (R_1^*, \cdots, R_{n+1}^*, V^*)$ as

\[ R_i^* = r_i \cdot P, \qquad V^* = \sum_{i=1}^{n+1} D_i + t \cdot W + \sum_{i=1}^{n+1} r_i \cdot S_i, \qquad (i = 1, \cdots, n+1), \]

where $r_i \in_R \mathbb{Z}_q^*$, $W = H_2(\Delta)$ and $S_i = H_3(\Delta \| M_i \| ID_i \| P_i \| R_i^*)$. Here, all the users’ partial private keys $D_i$ $(i = 1, \cdots, n+1)$ are known to the KGC.

∙ Finally, $\sigma^* = (R_1^*, \cdots, R_{n+1}^*, V^*)$ is a valid certificateless aggregate signature on $\{m_1, \cdots, m_{n+1}\}$ for $\{ID_1, \cdots, ID_{n+1}\}$; the verification equation holds as

\[ e(V^*, P) = e\Big(P_T, \sum_{i=1}^{n+1} Q_i\Big) \cdot e\Big(W, \sum_{i=1}^{n+1} P_i\Big) \cdot \prod_{i=1}^{n+1} e(S_i, R_i^*) \]

since $t \cdot P = x_1 \cdot P + \cdots + x_n \cdot P + \alpha \cdot P$. In other words, they know neither Carol’s secret key $\alpha$ nor the other users’ secret keys $x_i$ $(i = 1, \cdots, n)$. But they know $t$, which is the sum of the secret keys, i.e., the sum of the discrete logarithms of $\{P_i\}_{i=1}^{n+1}$, from the above algebraic relationship. This makes it possible to forge a certificateless aggregate signature.
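The scheme of Section II and the coalition forgery of Section III, carried through in a toy bilinear setting so that the algebra can be checked end to end. This is an added example, not code from the letter or from Zhang and Zhang. Everything in it is constructed here: the group, the hash encodings, the identities and the messages. The toy "pairing" $e(X, Y) = g^{XY}$ over $G_1 = (\mathbb{Z}_q, +)$ is bilinear but gives no security at all (discrete logarithms in it are trivial), so the code does not model the hardness assumptions; it only shows why Aggregate Verify accepts the forgery: the term $e(W, \sum P_i)$ depends on the public keys only through their sum, which Carol fixes to $t \cdot P$, and the KGC supplies every $D_i$.

```python
import hashlib
import secrets

# Toy bilinear setting, constructed for this example and not secure: G1 is the
# additive group (Z_q, +) with generator P = 1 (so a.P is just a mod q), G2 is
# the order-q subgroup of Z_p^* with p = 2q + 1, and e(X, Y) = g^(X*Y) is
# bilinear: e(aX, bY) = e(X, Y)^(ab).
P_MOD = 10007   # p = 2q + 1, prime
Q = 5003        # q, prime order of G1 and G2
G2_GEN = 4      # 4 = 2^2 is a quadratic residue mod p, hence of order q
P = 1           # generator of G1

def smul(a, X):
    """Scalar multiplication a.X in G1."""
    return (a * X) % Q

def pairing(X, Y):
    """Toy symmetric pairing e : G1 x G1 -> G2."""
    return pow(G2_GEN, (X * Y) % Q, P_MOD)

def hash_to_g1(tag, *parts):
    """H1, H2, H3 of the scheme: length-delimited SHA-256, reduced into G1."""
    h = hashlib.sha256(tag)
    for part in parts:
        data = str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % Q

def rand_zq_star():
    return secrets.randbelow(Q - 1) + 1

def setup():
    """Setup: KGC master key lambda and P_T = lambda.P."""
    lam = rand_zq_star()
    return lam, smul(lam, P)

def partial_private_key(lam, identity):
    """D_i = lambda.Q_i with Q_i = H1(ID_i); only the KGC can compute this."""
    return smul(lam, hash_to_g1(b"H1", identity))

def user_keygen():
    """UserKeyGen: (P_i = x_i.P, x_i); x_i never leaves the user."""
    x = rand_zq_star()
    return smul(x, P), x

def sign(delta, msg, identity, pk, sk, d):
    """Sign: sigma_i = (R_i, V_i) under state information Delta."""
    r = rand_zq_star()
    R = smul(r, P)
    W = hash_to_g1(b"H2", delta)
    S = hash_to_g1(b"H3", delta, msg, identity, pk, R)
    return R, (d + smul(sk, W) + smul(r, S)) % Q

def aggregate(sigs):
    """Aggregate: sigma = (R_1, ..., R_n, V) with V = sum of the V_i."""
    return [R for R, _ in sigs], sum(V for _, V in sigs) % Q

def aggregate_verify(pt, delta, msgs, ids, pks, agg):
    """Aggregate Verify: e(V,P) == e(P_T, sum Q_i) e(W, sum P_i) prod e(S_i,R_i)."""
    Rs, V = agg
    W = hash_to_g1(b"H2", delta)
    sum_q = sum(hash_to_g1(b"H1", i) for i in ids) % Q
    rhs = pairing(pt, sum_q) * pairing(W, sum(pks) % Q) % P_MOD
    for m, i, pk, R in zip(msgs, ids, pks, Rs):
        rhs = rhs * pairing(hash_to_g1(b"H3", delta, m, i, pk, R), R) % P_MOD
    return pairing(V, P) == rhs

def honest_run(n=3, delta="params-v1", tamper_v=False):
    """n honest users sign, anyone aggregates, the verifier checks."""
    lam, pt = setup()
    ids = [f"user{i}@example.org" for i in range(n)]   # constructed identities
    msgs = [f"message {i}" for i in range(n)]          # constructed messages
    keys = [user_keygen() for _ in ids]
    sigs = [sign(delta, m, i, pk, sk, partial_private_key(lam, i))
            for m, i, (pk, sk) in zip(msgs, ids, keys)]
    Rs, V = aggregate(sigs)
    if tamper_v:
        V = (V + 1) % Q   # any change to V breaks the left-hand side e(V, P)
    return aggregate_verify(pt, delta, msgs, ids, [pk for pk, _ in keys], (Rs, V))

def coalition_forgery(n=3, delta="params-v1"):
    """Section III: KGC + Carol forge an aggregate for n honest users plus Carol
    on messages the honest users never signed, knowing no x_i and not alpha."""
    lam, pt = setup()
    honest_ids = [f"user{i}@example.org" for i in range(n)]
    honest_pks = [user_keygen()[0] for _ in honest_ids]   # honest x_i discarded
    t = rand_zq_star()
    carol_pk = (smul(t, P) - sum(honest_pks)) % Q   # P_{n+1} = t.P - sum P_i
    ids = honest_ids + ["carol@example.org"]
    pks = honest_pks + [carol_pk]                   # now sum(pks) == t.P
    msgs = [f"forged message {i}" for i in range(n + 1)]
    W = hash_to_g1(b"H2", delta)
    Rs, V = [], smul(t, W)                          # t.W stands in for sum x_i.W
    for m, i, pk in zip(msgs, ids, pks):
        r = rand_zq_star()
        R = smul(r, P)
        S = hash_to_g1(b"H3", delta, m, i, pk, R)
        V = (V + partial_private_key(lam, i) + smul(r, S)) % Q   # KGC supplies D_i
        Rs.append(R)
    return aggregate_verify(pt, delta, msgs, ids, pks, (Rs, V))
```

`honest_run()` returns True, `honest_run(tamper_v=True)` returns False, and `coalition_forgery()` returns True: the forged aggregate passes the same verifier as an honest one even though no honest user signed anything. The forgery never needs an individual $x_i$ because $V^*$ only has to contain $t \cdot W = (\sum x_i + \alpha) \cdot W$, exactly the quantity the verification equation checks through $e(W, \sum P_i)$.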

In fact, this attack is similar to rogue-key attacks, which can be mounted whenever adversaries are allowed to choose their public keys arbitrarily, in multisignature schemes [4], [3]. Multi-user signature schemes must be secure against rogue-key attacks, in which an adversary can choose its public key(s) arbitrarily, previously considered in the contexts of aggregate signature and multisignature schemes [4], [3], [13], [14]. Boldyreva’s multisignature scheme [3] requires a proof of knowledge of secret keys during public key registration. Micali et al. [13] also discussed a series of more sophisticated approaches based on zero-knowledge proofs, again with the effect that the adversary is constrained in his key selection. However, these countermeasures are meaningless in the certificateless setting, because a user public key in CL-PKC is not required to be certified by any trusted authority, and so a proof of knowledge of secret keys under a certain Certification Authority is impossible. Therefore, a secure CLAS scheme must achieve the coalition resistance property, i.e., no coalition of users (which may contain the KGC) is able to produce, in polynomial time, a certificateless aggregate signature that passes the Aggregate Verify algorithm for a set of users containing the coalition users as a proper subset, i.e., $S \supsetneq S_c$, where $S$ is the set of all signing users and $S_c$ is the set of coalition users except the KGC.

IV. CONCLUSION

We showed that Zhang-Zhang’s CLAS scheme is insecure against coalition attacks. Then we proposed a novel security property, called coalition resistance, that is not covered by the security models in [20]. The coalition resistance property guarantees that colluding users, or a malicious user who cooperates with the KGC, are not able to forge certificateless aggregate signatures for any set of signers containing the colluding users.

ACKNOWLEDGEMENT

This work was supported by the National Institute for Mathematical Sciences grant funded by the Korean Government (No. A21103).

REFERENCES

[1] S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in Proc. Advances in Cryptology, pp. 452–473, 2003.

[2] M. H. Au, J. Chen, J. K. Liu, Y. Mu, D. S. Wong, and G. Yang, “Malicious KGC attacks in certificateless cryptography,” Cryptology ePrint Archive: report 2006/255.

[3] A. Boldyreva, “Efficient threshold signature, multisignature and blind signature schemes based on the Gap-Diffie-Hellman-group signature scheme,” in Proc. PKC’03, pp. 31–46.

[4] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, “Aggregate and verifiably encrypted signatures from bilinear maps,” in Proc. Advances in Cryptology, pp. 416–432, 2003.

[5] X. Cao, K. G. Paterson, and W. Kou, “An attack on a certificateless signature scheme,” Cryptology ePrint Archive: report 2006/367.

[6] K. Y. Choi, J. H. Park, J. Y. Hwang, and D. H. Lee, “Efficient certificateless signature schemes,” in Proc. ACNS’07, pp. 443–458.

[7] M. C. Gorantla and A. Saxena, “An efficient certificateless signature scheme,” in Proc. CIS’05, pp. 110–116.

[8] B. C. Hu, D. S. Wong, Z. Zhang, and X. Deng, “Key replacement attack against a generic construction of certificateless signature,” in Proc. ACISP’06, pp. 235–246.

[9] B. C. Hu, D. S. Wong, Z. Zhang, and X. Deng, “Certificateless signature: a new security model and an improved generic construction,” J. Designs, Codes and Cryptography, vol. 42, no. 2, pp. 109–126, 2007.

[10] X. Huang, W. Susilo, Y. Mu, and F. Zhang, “On the security of certificateless signature schemes from Asiacrypt 2003,” in Proc. CANS’05, pp. 13–25.

[11] X. Li, K. Chen, and L. Sun, “Certificateless signature and proxy signature schemes from bilinear pairings,” Lithuanian Mathematical J., vol. 45, no. 1, pp. 76–83, 2005.

[12] J. K. Liu, M. H. Au, and W. Susilo, “Self-generated certificate public key cryptography and certificateless signature/encryption scheme in the standard model,” in Proc. ASIAN ACMCCS’07, pp. 273–283.

[13] S. Micali, K. Ohta, and L. Reyzin, “Accountable-subgroup multisignatures,” in Proc. ACMCCS’01, pp. 245–254.

[14] T. Ristenpart and S. Yilek, “The power of proofs-of-possession: securing multiparty signatures against rogue-key attacks,” in Proc. Advances in Cryptology-Eurocrypt’07, pp. 228–245.

[15] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Proc. Advances in Cryptology-Crypto’84, pp. 47–53.

[16] W. S. Yap, S. H. Heng, and B. M. Goi, “An efficient certificateless signature scheme,” in Emerging Directions in Embedded and Ubiquitous Computing, Proc. EUC Workshops 2006, pp. 322–331.

[17] D. H. Yum and P. J. Lee, “Generic construction of certificateless signature,” in Proc. ACISP’04, pp. 200–211.

[18] Z. Zhang and D. Feng, “Key replacement attack on a certificateless signature scheme,” Cryptology ePrint Archive: report 2006/453.

[19] Z. Zhang, D. Wong, J. Xu, and D. Feng, “Certificateless public-key signature: security model and efficient construction,” in Proc. ACNS’06, pp. 293–308.

[20] L. Zhang and F. Zhang, “A new certificateless aggregate signature scheme,” Computer Communications, vol. 32, pp. 1079–1085, 2009.