2017 2nd International Conference on Electrical and Electronics: Techniques and Applications (EETA 2017)
ISBN: 978-1-60595-416-5
Identity-based Signature Proven Secure Under the
Computation Linear Assumption
Yu-qiao DENG1, Ge SONG2,* and Ya-min WEN1
1
School of Mathematics and Statistics, Guangdong University of Finance
and Economics, Guangzhou, China
2
College of Mathematics and Informatics, South China Agricultural University, Guangzhou, China
*Corresponding author
Keywords: Identity-based signature, Computation linear assumption, Security, Bilinear pairing,
Cryptography.
Abstract. In this paper, we propose a new assumption, i.e., computation linear assumption, then we
provide a new identity-based signature algorithm based on this assumption, use the bilinear pairings
technique. We proof the security of this scheme based on the computation linear assumption. The
scheme is proposed under the standard model.
Introduction
In wireless sensor network (WSN), there are many so‐called motes that used to monitor the
surrounded environmental data, such as sound, temperature, pressure, and so on [1]. Data collected
by these motes is transmitted through wireless network. Therefore, how to provide authentication
for message and source of message is critical. In some works, identity‐based signature is deemed
to be a proper mechanism to support message authentication, therefore, we concentrate on
constructing new secure identity‐based signature scheme for WSN.
Most proposed Identity-based signatures are proven secure under large integer factorization [2] or
computation Diffie-Hellman assumption [3], [4].In this paper, we propose a new computation
assumption, which is called "Computation Linear Assumption (CLIN)". Intuitively, CLIN can be
interpreted as: given generator  1 , 2 , 3 of group  with prime order p , given values  11 , 22 , 33
as well, the task is to output  11 (2 3 ) .
CLIN can be view as a computation “version” of decisional Linear assumption (DLIN) proposed
by Boneh, Boyen, and Shacham [5]. DLIN can be briefly described as: given g , f , v, g c1 , f c2 , where
g , f , v is a group generator of prime order group  . The task is to distinguish the value v c1  c2 from
a random element in  .
Related Work
Identity-Based Encryption (IBE), which has been firstly presented by Shamir [6], is an influential
paradigm for embedding identity information into the encrypted data. In IBE, a message can be
encrypted in terms of one’s identity, and only the user who retain the private key corresponded to
the very identity the message encrypted on can recover the ciphertext correctly. However, Shamir
did not give out a practical scheme about IBE.
An efficient and secure IBE construction leaves to be an open problem until the emergence of the
work from Boneh and Franklin [2] and Cock [7]. After that, many types of IBEs are proposed to
adapt all kinds of scenarios: such as IBE that without random oracle [8][9].
IBE gives rise to the appearance of a brand new cryptography primitive: which is called identitybased signature (IBS). IBS enables the user, who holds a private key corresponded with a special
identity, to generate a valid signature based on a message that, everyone who knows the public
parameter, can verify the correctness of the signature. Boneh and Franklin proposed the first
374
identity-based signature based on the difficulty of large integer factorization [2], after that, many
IBS are proposed, such as [3],[4].
Preliminaries
Our CP‐RABE scheme adopts the Computation Linear Assumption, we describe it as follows.
Definition 1 [Computation Linear Assumption(CLIN)]: Let  be a group with prime order p ,
R
 1 , 2 , 3 are three group generators. Let 1 ,  2 , 3 
 Z p . Given ( 1 , 2 , 3 , 11 , 22 , 33 ) , the CLIN
assumption is to compute the value  11 (2 3 ) .
Our Construction
In our paper, we describe identities and messages by bit strings, we assume the lengths of identities
and messages are nI and nM , separately. For identities or messages whose lengths exceed the
desired lengths (i.e., the length of information exceed nM ), we will use two collision‐resist hash
function, H I :{0,1}*  {0,1}nI and H M :{0,1}*  {0,1}nM . These two hash function thus can convert
bit string of arbitrary length into desired length.
Given a group description (, T , e)   (1 ) , where , T are groups of order p , e is a map:
    T . Our main construction is defined in detail as follows.
Setup. The algorithm chooses group generators g , v1 , v2   , it then samples three random
exponents x, r1 , r2  Z p , and computes Y  g y , R1  v1r1 , R2  v2r2 .
In addition, the algorithm picks u, m, u'', m''  Z p and vectors:
U  {ui  Z p , i  1, , nI },
U '  {ui '  Z p , i  1, , nI },
M  {mi  Z p , i  1, , nM },
M '  {mi '  Z p , i  1, , nM .}
with lengths nI , nM , respectively. The algorithm issues:
PK  {, T , e, g , Y , R1 , R2 , v1 , v2 , u , m, u'', m'', U, M, U ', M '} as public key. The master secret key is
MSK  { y, r1 , r2 } .
Extract. Assume I is a bit string of length nI , which represents the identity of some user.
Define I (i ) as the i th bit of I . Let the set   {1, , nI } be the subset of indices i such that
I (i )  1 .
The algorithm chooses two integers rI ,1 , rI ,2  Z p and computes:
EI ,1  g yr1 (u  ui ) I ,1 , EI ,2  g yr2 (u''  ui ') I ,2 ,
r
r
i
i
EI ,3  v , EI ,4  v .
rI ,1
1
rI ,2
2
The private key assigned to the user is EI  ( EI ,1 , EI ,2 , EI ,3 , EI ,4 ) .
Sign. Suppose I is the bit string of the user’s identity, m is the very message needed to be signed.
Let   {1, , nI } be the set of indices i such that I (i)  1 ,   {1, , nM } be the set of indices j
such that M ( j )  1 , where M ( j ) denotes the j th bit in the message bit string.
Given the private key pair EI  ( EI ,1 , EI ,2 , EI ,3 , EI ,4 ) , the algorithm chooses rM ,1 , rM ,2  Z p and
computes:
375
S I ,1
 EI ,1 (m mi ) M ,1
r
i
 g yr1 (u  ui ) I ,1 (m mi ) M ,1 ,
r
r
i
S I ,2
i
 EI ,2 (m''  mi ') M ,2
r
i
 g yr2 (u''  ui ') I ,2 (m''  mi ') M ,2 ,
r
i
S I ,3
 EI ,3  v1I ,1 ,
S I ,4
 EI ,4  v2I ,2 ,
S I ,5
 v
S I ,6
 v2M ,2 .
r
i
r
r
rM ,1
1
,
r
The signature about message m is generated as: S I  ( S I ,1 , S I ,2 , S I ,3 , S I ,4 , S I ,5 , S I ,6 ) .
Verify. Given a signature S I  ( S I ,1 , S I ,2 , S I ,3 , S I ,4 , S I ,5 , S I ,6 ) as well as the corresponding message
m and the identity I . Anyone can verify the signature in terms of the public key g , Y , R1 , R2 , v1 , v2
by testing the following equation holds or not:
e( S I ,1 , v1 )e( S I ,2 , v2 )  e(Y , R1 R2 )e( S I ,3 , u  ui )e( S I ,4 , u''  ui ')
i
e( S I ,5 , m mi )e( S I ,6 , m''  mi ').

i
i
i
Security
In this section, we will show that our scheme is secure under the Computation Linear Assumption.
We employ the following theorem to prove the security.
Our identity-based signature scheme is secure, if the Computation Linear Assumption holds.
Proof. Assume there exists a forger  can existentially forge signatures of our scheme, then we
can construct a Probabilistic Polynomial ‐ Time challenge algorithm  to break the CLIN
assumption. Firstly, the challenger  achieves the parameters of CLIN assumption:
( 1 , 2 , 3 , 11 , 22 , 33 ) , its task is to compute the term  11 (2 3 ) . For the purpose of breaking the
CLIN assumption,  must generate the term it cannot obtain itself.
Setup. The challenger  sets lI  2( qe  qs ), lM  2qs , where qe denotes the query times the
forger makes for the extract phase, and the qs denotes the query times the forger makes for the sign
phase. It chooses two integers k I and kM subject to the limitation that 0  k I  nI and 0  kM  nM ,
furthermore, it is required that lI (k I  1)  p and lM (kM  1)  p . Then, it picks four integers
a, b, a'', b''  Z lI as well as four vectors
A  {ai  Z lI , i  1, , nI }, B  {b j  Z lI , j  1, , nI },
A '  {ai '  Z lI , i  1, , nI }, B '  {b j '  Z lI , j  1, , nI }
.
Additionally, it picks four integers c, d , c'', d''  Z lM as well as four vectors
C  {ck  Z lM , k  1, , nM }, D  {d  Z lM ,   1, , nM },
C '  {ck '  Z lM , k  1, , nM }, D '  {d  '  Z lM ,   1, , nM }
To facilitate our following description, we define eight functions employed to encode the identity
and message.
 ( I )  a   at  lI k I ,  ( I )  b   bt ,
t
t
 ( I ) '  a ''  at '  lI k I ,  ( I ) '  b ''  bt ',
t
G ( m )  c 
c
p
G (m)  c ''
t
p
c
p
 lM k M , H ( m)  d  
p
d
p
'  lM kM , H ( m) '  d ''
376
p
.
d
p
p
'.
According to the above construction, B construct the public keys as follows:
g   1 , v1   2 , v2   3 ,
Y  g y   1 , R1  v1r   2 , R2  v2r   3 ,
u   ( 1 )(  l k  a) 2b , m  ( 1 )(  l k  c) 2d  ' ,
u''  ( 1 )(  l k  a ') 3b ' , m '  ( 1 )(  l k  c ') 3d  ' ,
1
1
1
2
1
I I
1
3
2
M M
1
I I
M M
{ui  ( 11 ) ai  2bi }i 1,, nI , {m p  ( 11 ) p  2 p } p 1,,nM ,
c
b
{ui '  ( 11 ) ai ' 3bi ' }i 1,,nI , {m p '  ( 11 ) p  3 p } p 1,,nM .
c '
b '
Notice that,  actually implicitly sets y  1 , r1   2 , r2  3 . Additionally, according to the setting
above, we have the following formulas hold:
u ui  ( 11 ) ( I ) 2 ( I ) , u ''  ui '  ( 11 ) ( I )' 3 ( I )' ,
i
i
m mi  ( 11 )G ( m ) 2H ( m ) , m ''  mi '  ( 11 )G ( m )' 3H ( m )' .
i
i
Finally,  sends all these public keys to the forger  .
Queries. The forger  can adaptively query for private keys or signatures as it needs. We
discuss the responding answers from  to  as follows:
1) Extract Queries. For this type of query, the forger  needs to send an identity, named I , to
 . Let the set   {1, , nI } be the subset of indices i such that I (i)  1 . The challenger  can
answer this query by selecting rI,1 , rI,2 and computes:
EI ,1
r
 ( 22 )(   ( I )/ ( I )) (( 11 ) ( I ) 2 ( I ) ) I ,1
r
  112 (( 11 ) ( I ) 2 ( I ) )( 2 / ( I )) (( 11 ) ( I ) 2 ( I ) ) I ,1
  112 (( 11 ) ( I ) 2 ( I ) )
( rI,1  2 / ( I ))
 g yr1 (u  ui ) I ,1 .
r
i
EI ,2
3 (   ( I )'/ ( I )')
 ( 3 )
r
(( 11 ) ( I )' 3 ( I )' ) I ,2
r
  113 (( 11 ) ( I )' 3 ( I )' )( 3 / ( I )') (( 11 ) ( I )' 3 ( I )' ) I ,2
  113 (( 11 ) ( I )' 3 ( I )' )
( rI,2 3 / ( I )')
 g yr2 (u  '  ui ') I ,2 .
r
i
EI ,3
 v1I ,1
r
r   2 / ( I )
  2I ,1
r
 ( 22 )( 1/ ( I )) 2I ,1
EI ,4
 v2I ,2
r
r  3 / ( I )
  3I ,2
r
 ( 33 ) ( 1/ ( I )) 3I ,2 .
The forger  implicitly sets rI ,1  rI,1   2 /  ( I ) and rI ,2  rI,2  3 /  ( I ) of the above
construction, and these two values are distributed uniformly. We must point out that, the above
construction can be done successfully if and only if the equation  ( I )  0 mod p and
 ( I ) '  0 mod p holds. Furthermore, according to the convention: 0  k I  nI , lI (k I  1)  p , we
can
deduce
that
0  lI k I  p
and
0  a   ai  p .
Thus,
 ( I )  0 mod p
implies
i
 ( I )  0 mod lI , so  ( I )  0 mod lI implies  ( I )  0 mod p . Similarily,  ( I ) '  0 mod lI
implies  ( I ) '  0 mod p .
2) Sign Queries. When the adversary queries for a signature of identity I on m . If it has ever
achieved the private key of identity I through the Extract phase (then it must hold that
377
 ( I )  0 mod lI and  ( I ) '  0 mod lI ), it can generate the signature all by itself. If
 ( I )  0 mod lI or  ( I ) '  0 mod lI ,  will pick rI ,1 , rI ,2 , rM ,1 , rM ,1 then create signature for
message m using the following method:
r
S I ,1  ( 2 )(  H ( m )/ G ( m )) (( 1 )G ( m ) 2H ( m ) )
2
M ,1
1
  112 (u ui ) I ,1 (( 11 )G ( m ) 2H ( m ) )( 2 / G ( m )) (( 11 )G ( m ) 2H ( m ) ) M ,1
r
r
i
( r   / G ( m ))
r
(u ui ) I ,1 (( 11 )G ( m ) 2H ( m ) ) M ,1 2
1 2
 1
i
 g (u  ui ) M ,1 (m mi ) M ,1 ,
r
r
yr1
i
S I ,2
j
3 (  H ( m )'/ G ( m )')
 ( 3 )
 ,2
M
1 G ( m )'
(( 1 )
 3H ( m )' ) r
  113 (u  '  ui ') I ,2 (( 11 )G ( m )' 3G ( m )' )( 3 / G ( m )') (( 11 )G ( m )' 2H ( m )' ) M ,2
r
r
i
  1 (u  '  ui ') I ,2 (( 11 )G ( m )' 3H ( m )' )
13
r
( rM ,2 3 / G ( m )')
i
 g (u  '  ui ') I ,2 (m '  mi ') M ,2 ,
r
yr2
r
i

j
S I ,3
 v
S I ,4
 v
S I ,5
 v1M ,1   2M ,1
S I ,6
 v2M ,2   3M ,2
rI ,1
1
rI ,2
2
r
r
rI ,1
2

,
rI ,2
3
,
r   2 / G ( m )
r
r
 ( 22 )( 1/ G ( m )) 2M ,1 ,
3 / G ( m )'
r
 ( 33 )( 1/ G ( m )') 3M ,2 .
To be similar to the extract phase,  can generate this signature when G (m)  0 mod lM and
G (m) '  0 mod lM .
Forgery. At some point, if the adversary generates a signature of message m* on identity I *
such that  ( I * )  0 and  ( I * ) '  0 and G (m* )  0 and G (m* ) '  0 , then it can leverage this
signature to resolve the assumption, else, it will simply abort.
If it does not abort, given the signature  *  ( S I*,1 , S I*,2 , S I*,3 , S I*,4 , S I*,5 , S I*,6 ) , it can compute the
value  11 (2 3 ) through:
S I*,1
S
*  (I* )
I ,3
S
*  ( I * )'
I ,5

S I*,2
S
* H ( m* )
I ,4
S
* H ( m* )'
I ,6
  11 (2 3 ) .
Conclusion
We propose a new identity‐based signature scheme based on a new assumption, i.e., CLIN. The
CLIN assumption is a computation version of decisional linear assumption and can be viewed as a
difficult assumption. We clarify the construction of this IBS algorithm and prove the secure of it
based on CLIN.
Acknowledgment
This work is supported by the Ministry of education of Humanities and Social Science project (No.
15YJCZH029), the Social science planning project of Guangzhou City (No. 2016gzyb25), the
National Natural Science Foundation of China (No.61300204) and the Natural Science Foundation
of Guangdong (No.S2012040006711).
378
References
[1] Bambang Harjito and Song Han. Wireless multimedia sensor networks. Applications and
Security Challenges. 2010.
[2] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the weil pairing.
CRYPTO, 2139: 213–229, 2001.
[3] Jae Cha Choon and Jung Hee Cheon. An identity-based signature from gap diffie-hellman
groups. In Public key cryptographyPKC 2003, pages 18–30. Springer, 2002.
[4] Kenneth G Paterson. Id-based signatures from pairingson elliptic curves. Electronics Letters,
38(18): 1025–1026, 2002.
[5] Boneh, Boyen, and Shacham. Short group signatures. In CRYPTO: Proceedings of Crypto,
2004.
[6] Adi Shamir. Identity-based cryptosystems and signature schemes. Advances in Cryptology:
Proceedings of CRYPTO 84, 7: 47–53, 1984.
[7] Clifford Cocks. An identity based encryption scheme based on quadratic residues. IMA Int.
Conf., 7: 360–363, 2001.
[8] Boneh and Boyen. Secure identity based encryption without random oracles. In CRYPTO:
Proceedings of Crypto, 2004.
[9] Brent Waters.Dual system encryption: Realizing fully secure IBE and HIBE under simple
assumptions. IACR Cryptology ePrint Archive, 2009: 385,2009.
379