
Information Sciences 180 (2010) 4714-4728

Contents lists available at ScienceDirect

Information Sciences
journal homepage: www.elsevier.com/locate/ins

Certificateless threshold signature scheme from bilinear maps


Hong Yuan a, Futai Zhang a,b,*, Xinyi Huang c, Yi Mu d, Willy Susilo d, Lei Zhang e

a School of Computer Science and Technology, Nanjing Normal University, PR China
b Jiangsu Engineering Research Center on Information Security and Privacy Protection Technology, Nanjing, PR China
c School of Information Systems, Singapore Management University, Singapore
d Center for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Australia
e UNESCO Chair in Data Privacy, Department of Computer Engineering and Mathematics, Universitat Rovira i Virgili, Catalonia, Spain

Abstract

A $(t, n)$ threshold signature scheme allows $t$ or more group members to generate signatures on behalf of a group with $n$ members. In contrast to traditional public key cryptography based on a public key infrastructure (PKI) and identity-based public key cryptography (ID-PKC), certificateless public key cryptography (CL-PKC) offers useful properties: it does not require any certificates to ensure the authenticity of public keys, and the key escrow problem is eliminated. In this paper, we investigate the notion of threshold signature schemes in CL-PKC. We start by pointing out the drawbacks of the two existing certificateless threshold signature schemes. Subsequently, we present an elaborate description of a generic certificateless $(t, n)$ threshold signature scheme with a new security model. The adversaries captured in the new model are more powerful than those considered in the existing schemes. Furthermore, we establish the simulatability of certificateless threshold signature schemes and prove the relationship between the security of certificateless threshold signature schemes and that of the underlying non-threshold certificateless signature schemes. As an instantiation, we present a concrete certificateless threshold signature scheme based on bilinear maps using the techniques of verifiable secret sharing and distributed key generation. The proposed scheme is shown to be existentially unforgeable against adaptively chosen message attacks assuming the hardness of the Computational Diffie-Hellman (CDH) problem.

© 2010 Elsevier Inc. All rights reserved.

Article history: Received 28 October 2009; Received in revised form 20 May 2010; Accepted 26 July 2010

Keywords: Certificateless threshold signature; Bilinear map; Verifiable secret sharing; CDH problem; Simulatability

1. Introduction

1.1. Background

In practical applications, traditional public key cryptography (PKC for short) requires the support of a public key infrastructure (PKI for short), which introduces the costly and cumbersome certificate management problem. Although this disadvantage is removed in identity-based public key cryptography (ID-PKC for short) [18], it gives rise to the drawback of key escrow. As a new paradigm of public key cryptography, certificateless public key cryptography (CL-PKC for short) [1] not only gets rid of the certificate management problem of traditional PKC but also eliminates the key escrow problem of ID-PKC. Hence, it has received considerable attention from the security research community since its invention. In a certificateless cryptosystem, each entity has two secrets: a secret value and a partial private key. The secret value is generated by the entity itself, while a third party, the key generation center (KGC), which holds a master key, generates the partial private key from the user's identity information. The entity's private key is the output of a function that takes the secret value and the partial private key as input. The KGC does not know the actual private key of an entity, so the key escrow problem of ID-PKC is eliminated. The entity uses its secret value to generate its public key, which can be made available to other entities by transmitting it along with signatures or by placing it in a public directory. In particular, there are no certificates in CL-PKC, which avoids the costly certificate management issues of PKI-based traditional PKC.

The idea of threshold cryptography is to distribute the secret information (e.g., a private key) and the computation (e.g., decryption or signature generation) amongst a group of participants in order to prevent a single point of failure or abuse. As an important primitive in group security and distributed settings, threshold signatures have been extensively studied in traditional PKC and ID-PKC. We believe that it is also worthwhile to investigate the application of this primitive in CL-PKC. The focus of this paper is on employing the advantages of CL-PKC to provide secure and efficient threshold signature solutions for practical use.

1.2. Related work

In the following, we provide a brief review of related work on threshold signatures in traditional PKC, ID-PKC and CL-PKC. We will point out some shortcomings of the two existing certificateless threshold signature schemes [21,22].

1.2.1. Threshold signatures in traditional PKC

Threshold signatures in traditional PKC have been extensively studied in [4,5,9,20]. The authors of [5] formalized the notion of unforgeability for threshold signatures and described a concrete scheme based on the ElGamal signature. Gennaro et al. [9] provided a complete solution for a threshold implementation of the digital signature standard (DSS).

* Corresponding author at: School of Computer Science and Technology, Nanjing Normal University, PR China.
E-mail addresses: yh1985@sina.com (H. Yuan), zhangfutai@njnu.edu.cn, ffttzhang@sina.com (F. Zhang), xyhuang@smu.edu.sg (X. Huang), ymu@uow.edu.au (Y. Mu), lei.zhang@urv.cat (L. Zhang).
0020-0255/$ - see front matter © 2010 Elsevier Inc. All rights reserved. doi:10.1016/j.ins.2010.07.021
They designed various distributed verifiable secret-sharing schemes as building blocks to construct robust and secure threshold DSS signature schemes. In threshold signature schemes in traditional PKC, the transmission and verification of the group members' certificates involve a considerable amount of communication and computation cost, which may greatly offset the efficiency.

1.2.2. ID-based threshold signature

ID-PKC was introduced by Shamir [18], whose original motivation was to ease certificate management in e-mail systems. In ID-PKC, a user's public key can be derived directly from certain aspects of his/her identity information (e.g., an e-mail address), while the associated private key is computed and issued secretly to the user by a trusted third party, the PKG (private key generation center). This property avoids the need for certificates and associates an implicit public key with each user. However, it makes key escrow an inherent problem, which is undesirable from the user's point of view. Baek and Zheng [3] proposed the first identity-based threshold signature scheme from bilinear maps in 2004. To alleviate the key escrow problem, Chen et al. [7] proposed an identity-based threshold signature scheme without a trusted PKG. (More precisely, Chen et al.'s scheme is essentially a threshold signature scheme in CL-PKC, but its security analysis is made in the framework of ID-PKC.)

1.2.3. Certificateless threshold signature

CL-PKC [1] was introduced by Al-Riyami and Paterson in 2003 to overcome the key escrow problem in ID-PKC. Recently, certificateless signature (CLS) schemes have been well investigated [12,13,19], and several CLS schemes have been proposed [6,11-16,23-27]. In [13], Huang et al. revisited the security models of certificateless signature schemes and further classified the Type I/II adversaries into three kinds, namely normal, strong and super Type I/II adversaries, among which the super Type I/II adversaries have the strongest attacking power. Wang et al.
[21] proposed the first certificateless threshold signature scheme (CLTHS for short) in the random oracle model. To establish the security of their proposal, they developed the theory of simulatability and the relationship between the certificateless threshold signature scheme and the underlying (non-threshold) ID-based signature scheme. Their scheme requires a PKG clerk and several distributed PKGs to compute the partial private key for a user. To do so, the PKG clerk first generates the master key and then shares it among several distributed PKGs using a $(u, m)$-secret-sharing scheme. With its share of the master key, each distributed PKG can generate a sub-partial private key for the user, which is sent back to the PKG clerk. Upon receiving valid sub-partial private keys from at least $u$ distributed PKGs, the PKG clerk can calculate the partial private key of the user. As one can see, while their scheme does use distributed PKGs, partial private keys are still generated by a single party (the PKG clerk), which makes the use of distributed PKGs cumbersome and inefficient. We believe that in the scenario of distributed PKGs it is desirable that the generation of the master key is conducted by all distributed PKGs in a cooperative manner, rather than by a single party (which is the case in [21]). In generating a user's partial private key, each member of the distributed PKGs should calculate and send a sub-partial private key (using its share of the master key) directly to the corresponding user. The user can then derive the partial private key by itself from at least $t$ ($t$ is the threshold) valid sub-partial private keys.

A further observation shows that Wang et al.'s scheme cannot detect any misbehavior of dishonest participants. In the sharing of the master key $s$, the PKG clerk could cheat by sending $s_i \neq R(i)$ together with $P_{i,\mathrm{pub}} = s_i P$ to some $\mathrm{PKG}_i$ (where $R(x)$ is the sharing polynomial selected by the PKG clerk), which is undetectable. Similarly, $\mathrm{PKG}_i$ could cheat by using a false master key share $s'_i$ (different from its actual master key share $s_i$) to generate $P_{i,\mathrm{pub}} = s'_i P$. It then uses the fake $s'_i$ to generate the sub-partial private key for a user. No one can detect these kinds of cheating. Similar problems also exist in the sharing of a user's secret value: player $j$ may publish a false verification key $fvk_j = c_j P \neq f(j) P$. This may cause serious security problems. As an example, player $j$ may use the fake share $fsk_j = c_j$ instead of the true $fsk_j$ to sign messages, and the other players may be totally unaware of this kind of cheating. In this case, no one but the cheating player $j$ is able to calculate a valid threshold signature of the group. The sharing of partial private keys is spoiled by similar problems.

Another drawback of Wang et al.'s scheme is the long signature length. In their scheme, a signature $(T, a, b, c, W)$ consists of two elements of $G_1$ and three elements of $G_2$, where $(G_1, G_2)$ are groups with a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$. This leads to a signature length of more than 3400 bits for a 160-bit prime $q$ (the order of the group $G_1$), which is apparently too long, as most existing secure certificateless signature schemes produce signatures consisting of only two elements of $G_1$, or one element of $G_2$ and one element of $\mathbb{Z}_q$.

Recently, Xiong et al. [22] presented a certificateless threshold signature scheme which was proven secure in the standard model. They introduced new security definitions and notation for their scheme and utilized the simulatability of certificateless threshold signature schemes to prove the scheme secure. However, the security model defined in [22] is very weak. As an obvious drawback, their signing oracle cannot provide any valid signatures if the user's public key has been replaced. There are also some security flaws in their construction of the threshold signature scheme.
In the step Complete-Key-Gen-and-Share, their method of sharing the complete secret signing key may lead to a decrease of the threshold, since the sharing polynomial is in fact determined by Lagrange interpolation through the $t$ points $(0, ax), (1, a_1 x), \ldots, (t-1, a_{t-1} x)$. This interpolation may result in a polynomial of degree less than $t-1$, which means that fewer than $t$ players can collude to reveal the complete signing key or to generate a valid signature on any message. Also, the verification shares for checking the validity of the complete key shares only commit to one of the random secrets, which could also make the cheating behavior of some dishonest players undetectable (as we have shown above for Wang et al.'s scheme).

1.3. Motivation and our contribution

Like threshold signature schemes based on traditional PKI and ID-PKC, certificateless threshold signature schemes have wide applications where a group of members needs to cooperatively sign a message on behalf of the whole group, and they are especially useful when there is a need to distinguish a threshold signature from a signature generated by a single party who possesses the secret signing key of the group. For example, let Bob be the board chairman of a company. He has the secret signing key SK of the board in the certificateless public key setting. With this secret signing key, he is able to sign any document on behalf of the board. A threshold signature scheme is necessary when the chairman is unavailable but some very important documents need to be signed by a majority of the board. While it is useful to know who is responsible for a signature, in some cases we need to distinguish the chairman's signature from the board members' threshold signature. In certificateless public key cryptography, the chairman can share the partial private key of the board among the board members, and let the board members generate the secret value of the board using an information-theoretically secure distributed key generation protocol. In this way, the board members can produce signatures that are distinguishable from those generated by the chairman alone. We believe this is a distinctive property of certificateless threshold signatures.

As we have shown in Section 1.2, the two existing certificateless threshold signature schemes [21,22] are far from satisfactory (both in security and in efficiency). Thus, as an indispensable component of CL-PKC, certificateless threshold signatures deserve further investigation, especially regarding reasonable security notions and efficient constructions. The contributions of this paper are as follows. A new security model for CLTHS is proposed. In the new model, we capture the security notions via two games, which simulate the two types of adversaries respectively. The adversaries we are concerned with are the super (Type I/II) adversaries defined in [13], which are stronger than those considered in [21,22]. Our security model allows the adversary to obtain the partial private keys and secret values of any users under natural restrictions. The sign oracles provide the adversary with all signature shares generated by the signature generation servers. We believe that the new model is more natural and more reasonable than those in [21,22]. In order to prove security, we define the notion of simulatability of a certificateless threshold signature scheme, and establish a simulatability theorem which captures the security relationship between a certificateless threshold signature scheme and its underlying (non-threshold) certificateless signature scheme. This makes it possible to construct certificateless threshold signature systems from existing secure and efficient certificateless signature schemes. As an example, we present a concrete construction from an existing secure and efficient certificateless signature scheme by employing the techniques of verifiable secret sharing and distributed key generation. The security of our construction is proven under the CDH assumption.

2. Preliminaries

To keep this paper self-contained, we briefly review the basic facts about admissible bilinear maps. We then present the complexity assumptions on which the secret sharing, the distributed key generation and our certificateless threshold signature scheme are based.


2.1. Bilinear map

The admissible bilinear map $\hat{e}$ is defined as follows. Let $G_1$ be an additive group of prime order $q$, and let $G_2$ be a multiplicative group of the same order. Let $P$ denote a generator of $G_1$. A map $\hat{e}: G_1 \times G_1 \to G_2$ is called a bilinear map if it satisfies the following properties:

• Bilinear: $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q$.
• Non-degeneracy: there exist $P, Q \in G_1$ such that $\hat{e}(P, Q) \neq 1$.
• Computable: there exists an efficient algorithm to compute $\hat{e}(P, Q)$ for any $P, Q \in G_1$.

2.2. Complexity assumptions

We now describe some complexity assumptions in the groups $G_1$ and $G_2$. Note that throughout this paper, the groups $G_1$ and $G_2$ are those described in the above definition of the bilinear map.

Discrete logarithm problem (DLP): The DLP in $G_1$ is described as follows. Given two group elements $P$ and $Q$, find an integer $x \in \mathbb{Z}_q$ such that $Q = xP$, whenever such an integer exists.

Computational Diffie-Hellman problem (CDHP): The CDHP in $G_1$ is: given $(P, aP, bP)$ for random unknown $a, b \in \mathbb{Z}_q$, compute $abP$.

Modified generalized bilinear inversion problem (mGBIP): The mGBIP proposed in [3] is defined as follows. Given $h \in G_2$ and $P \in G_1$, compute $S \in G_1$ such that $\hat{e}(S, P) = h$. (Readers can refer to [3] for a detailed description.)

We assume that the above complexity problems are hard in the groups $G_1$ and $G_2$ with pairing $\hat{e}$.

Notice that the mGBI assumption (that is, the intractability of the mGBI problem) is implied by the CDH assumption. The proof is sketched as follows. Assume that an attacker $A_{CDH}$ of the CDH problem is given a random instance $(P, aP, bP)$, where $a, b \in \mathbb{Z}_q$ and $P$ is a generator of $G_1$. Suppose there is another algorithm $A_{mGBI}$ which can solve the mGBI problem with non-negligible success probability. In the reduction, $A_{CDH}$ runs $A_{mGBI}$ on the input $(h = \hat{e}(aP, bP), P)$. Let $S$ be the output of $A_{mGBI}$; $A_{CDH}$ returns $S$ as its own output. Since $h = \hat{e}(aP, bP) = \hat{e}(P, P)^{ab} = \hat{e}(abP, P)$, and the map $X \mapsto \hat{e}(X, P)$ is injective on $G_1$ (by bilinearity and non-degeneracy, $\hat{e}(P, P) \neq 1$ has prime order $q$, so $\hat{e}(xP, P) = \hat{e}(yP, P)$ forces $x \equiv y \pmod q$), $S$ is a correct solution of the CDH instance $(P, aP, bP)$ whenever $S$ is a correct solution of the mGBI instance $(h, P)$. Thus $A_{CDH}$ succeeds with the same probability as $A_{mGBI}$: the CDH problem reduces to the mGBI problem, and the hardness of CDH implies the hardness of mGBI.

2.3. Outline of certificateless threshold signature schemes

Definition 1 (Certificateless threshold signatures). A certificateless $(t, n)$ threshold signature scheme CLTHS consists of the following algorithms or protocols.

• A probabilistic key/system parameter generation algorithm GC($k$): Given a security parameter $k \in \mathbb{N}$, this algorithm generates the master secret key msk and a list of system parameters params. The parameter list params is given to all interested parties, while the matching master key msk is kept secret.
• A probabilistic partial private key extraction algorithm EX(params, msk, ID): Given an identity ID, a parameter list params and a master key msk, this algorithm generates a partial private key associated with ID, denoted by $ppk_{ID}$.
• A probabilistic partial private key distribution protocol DK(params, $ppk_{ID}$, $n$, $t$): Given a partial private key $ppk_{ID}$ associated with an identity ID, $n$ signature generation servers and a threshold parameter $t$, this protocol generates $n$ shares of $ppk_{ID}$ and securely provides each signature generation server $C_i$ ($1 \le i \le n$) with a corresponding share. It also generates and publishes a set of verification keys that can be used to check the validity of each partial private key share. We denote the partial private key shares and the matching verification keys by $\{ppk^i_{ID}\}_{i = 1, \ldots, n}$ and $\{vsk^i_{ID}\}_{i = 1, \ldots, n}$, respectively. For each $i$, $1 \le i \le n$, $C_i$ keeps $ppk^i_{ID}$ secret, while $vsk^i_{ID}$ is publicly known to all, including the adversary.
• A probabilistic distributed secret value generation protocol GS(params, ID, $n$, $t$): Given an identity ID, a parameter list params, the number $n$ of signature generation servers and a threshold $t$, this protocol generates a distributed secret value for the identity ID. That is, the $n$ signature generation servers jointly generate, without a dealer, a secret value $x_{ID}$ and its corresponding public value $pk_{ID}$. As a result, $x_{ID}$ is shared among the $n$ signature generation servers using a verifiable $(t, n)$ threshold secret-sharing scheme. Each signature generation server $C_i$ holds a secret share $x^i_{ID}$, and the corresponding public verification share $pk^i_{ID}$ is known to all signature generation servers.
• A deterministic public key extraction protocol PK(params, ID, $x_{ID}$): Given a parameter list params, an identity ID and the secret value $x_{ID}$, this protocol generates the public key $P_{ID}$ related to ID. In particular, the public key in our scheme is just the value $pk_{ID}$ obtained in the previous protocol, which is the public value corresponding to the secret value.
• A probabilistic signature generation protocol S(params, $ppk^i_{ID}$, $x^i_{ID}$, $M$): Given a parameter list params, a message $M$, a share $ppk^i_{ID}$ of the partial private key $ppk_{ID}$ and a share $x^i_{ID}$ of the secret value $x_{ID}$ associated with ID, each signature generation server $C_i$ computes a signature share $\sigma_i$ on $M$. After that, a dealer (selected at random from the current servers) combines at least $t$ valid shares and outputs a valid signature $\sigma$.
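As an added illustration (not code from the paper), the following Python sketch implements the shape of protocol DK (dealer-based verifiable sharing) and protocol GS (dealerless generation of a shared secret value and its public value) from Definition 1 over a toy group, and reproduces the two failure modes criticised in Section 1.2.3: a dealer handing out a share inconsistent with its polynomial, or a player publishing a false verification key, both of which are caught once every polynomial coefficient is committed; and a sharing polynomial defined by interpolating points, whose degree can drop below $t-1$ so that fewer than $t$ shares recover the secret. The group parameters ($q = 1019$, $p = 2039$, $g = 4$), all function names and the sample secrets are assumptions of this example; the pairing-based signing step and signature shares are not modelled.

```python
"""Added example, not code from the paper: Feldman-style verifiable secret sharing
(the shape of protocol DK), a dealerless distributed key generation (the shape of
protocol GS), and the two pitfalls criticised in Section 1.2.3.

Toy group (an assumption of this demo): the order-Q subgroup of Z_P^* with P = 2Q + 1.
Scalar multiplication s*P in the paper's additive group G_1 is written g**s mod P here.
The parameters are tiny and provide NO security; they only make the demo instant.
"""
import secrets

Q = 1019          # prime subgroup order (plays the role of q)
P = 2 * Q + 1     # 2039, a safe prime
G = 4             # quadratic residue mod P, hence of order Q


def random_poly(secret, t):
    """Degree-(t-1) polynomial f with f(0) = secret; coefficients drawn at random."""
    return [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]


def poly_eval(coeffs, x):
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q


def commit(coeffs):
    """Feldman commitments g^{a_k} to EVERY coefficient of f (not only to f(0))."""
    return [pow(G, c, P) for c in coeffs]


def expected_vk(i, commitments):
    """prod_k C_k^{i^k} = g^{f(i)}: the verification key of share i, computable by anyone."""
    vk = 1
    for k, c in enumerate(commitments):
        vk = vk * pow(c, pow(i, k, Q), P) % P
    return vk


def verify_share(i, share, commitments):
    """Share i is consistent with the committed polynomial iff g^share == g^{f(i)}."""
    return pow(G, share, P) == expected_vk(i, commitments)


def lagrange_eval(points, x):
    """Evaluate at x the unique polynomial through `points` over Z_Q; x = 0 yields the secret."""
    total = 0
    for i, yi in points:
        num, den = 1, 1
        for j, _ in points:
            if j != i:
                num = num * (x - j) % Q
                den = den * (i - j) % Q
        total = (total + yi * num * pow(den, Q - 2, Q)) % Q
    return total


def deal(secret, n, t):
    """Dealer-based (t, n) sharing, as in DK: returns {i: f(i)} and the public commitments."""
    coeffs = random_poly(secret, t)
    return {i: poly_eval(coeffs, i) for i in range(1, n + 1)}, commit(coeffs)


def dkg(n, t):
    """Dealerless (t, n) generation, as in GS: each server deals a random value; the
    shared secret x is the sum of all dealt values and is never held by any one party.
    x is returned only so that the demo can check itself."""
    dealt_values = [secrets.randbelow(Q) for _ in range(n)]
    dealings = [deal(v, n, t) for v in dealt_values]
    for shares, comms in dealings:                # every recipient checks every share
        for i, sh in shares.items():
            if not verify_share(i, sh, comms):
                raise ValueError("inconsistent share from a dealer")
    x_shares = {i: sum(sh[i] for sh, _ in dealings) % Q for i in range(1, n + 1)}
    pk = 1                                        # pk = g^x = product of constant-term commitments
    pk_shares = {i: 1 for i in range(1, n + 1)}   # pk_i = g^{x_i}, derived from commitments alone
    for _, comms in dealings:
        pk = pk * comms[0] % P
        for i in pk_shares:
            pk_shares[i] = pk_shares[i] * expected_vk(i, comms) % P
    return x_shares, pk, pk_shares, sum(dealt_values) % Q


def cheating_share_accepted(n=5, t=3):
    """The attack on [21]: the dealer hands server 2 a value that is not f(2).
    Returns False, i.e. the bad share is rejected, because all coefficients are committed."""
    shares, comms = deal(123, n, t)
    return verify_share(2, (shares[2] + 1) % Q, comms)


def false_vk_accepted(n=5, t=3):
    """Player 3 publishes fvk_3 = g^{c_3} with c_3 != f(3); the others recompute g^{f(3)}.
    Returns False, i.e. the false verification key does not match."""
    shares, comms = deal(123, n, t)
    return pow(G, (shares[3] + 1) % Q, P) == expected_vk(3, comms)


def interpolation_pitfall():
    """Defining f by interpolating t = 3 chosen points instead of drawing t - 1 random
    coefficients (the issue noted for [22]): the points (0,5), (1,7), (2,9) lie on a line,
    so only 2 < t shares are needed to recover f(0) = 5."""
    f_points = [(0, 5), (1, 7), (2, 9)]
    two_shares = [(i, lagrange_eval(f_points, i)) for i in (3, 4)]
    return lagrange_eval(two_shares, 0)


if __name__ == "__main__":
    x_shares, pk, pk_shares, x = dkg(5, 3)
    print("x from 3 of 5 shares ok:", lagrange_eval([(i, x_shares[i]) for i in (2, 4, 5)], 0) == x)
    print("pk == g^x:", pow(G, x, P) == pk, "| pk_i == g^{x_i}:",
          all(pk_shares[i] == pow(G, x_shares[i], P) for i in x_shares))
    print("cheating dealer share accepted:", cheating_share_accepted())
    print("false verification key accepted:", false_vk_accepted())
    print("secret recovered from only 2 shares:", interpolation_pitfall())
```

The point of committing to every coefficient is that each recipient can check its own share against public data, and anyone can recompute every verification key from the same commitments, so neither the dealer nor a player can publish an inconsistent value unnoticed; drawing the $t-1$ non-constant coefficients at random (rather than fixing $t$ points and interpolating) is what guarantees the degree, and hence the threshold.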


• A deterministic signature verification algorithm V(params, ID, $pk_{ID}$, $M$, $\sigma$): Given a signer's identity ID, a public key $pk_{ID}$, a message $M$ and a signature $\sigma$, this algorithm checks the validity of $\sigma$. The output of this algorithm is either Valid or Invalid.

Remark. The key/system parameter generation algorithm GC and the partial private key extraction algorithm EX are both run by the trusted KGC. The partial private key distribution protocol DK makes use of an appropriate secret-sharing technique to distribute the partial private key among the $n$ signature generation servers. Who runs DK depends on the cryptographic services that the KGC can offer: the KGC could execute DK if it is capable of organizing the threshold signature, or a trusted normal user (for example a selected leader of the group) could run DK if the KGC only has the functionality of issuing partial private keys to users.

3. Security notions for certificateless threshold signatures

3.1. Existential unforgeability for certificateless threshold signatures against adaptive chosen message attacks

Similarly to the adversaries against CLS defined in [13], there are basically two types of super adversaries in CLTHS: $\mathcal{B}_I$ and $\mathcal{B}_{II}$. $\mathcal{B}_I$ models attacks in which the adversary (anyone except the KGC) replaces the public key of any entity with a value of its choice; however, $\mathcal{B}_I$ does not have access to the master secret key. $\mathcal{B}_{II}$ models attacks in which the adversary has the master secret key but cannot replace the target user's public key. Due to the security requirement of $(t, n)$ threshold signatures [9], we further assume that the super adversaries ($\mathcal{B}_I$ and $\mathcal{B}_{II}$) against CLTHS can corrupt up to $t-1$ signature generation servers. We also consider malicious adversaries that may cause the corrupted servers to deviate from the specified protocol in any way. We assume that the computational power of the adversaries is adequately modeled by a probabilistic polynomial-time Turing machine. The adversaries we consider here are static, i.e., they choose the corrupted servers at the beginning of the protocol.

We now define the security of a CLTHS scheme via the following two games between a challenger $\mathcal{C}$ and a super adversary $\mathcal{B}_I$ or $\mathcal{B}_{II}$.

Game 1 (for Super Type I Adversary).

• Setup: $\mathcal{C}$ runs the key/system parameter generation algorithm GC to obtain a master secret key msk and the system parameter list params. Then $\mathcal{C}$ sends params to the adversary $\mathcal{B}_I$ while keeping msk secret.
• Phase 1: $\mathcal{B}_I$ corrupts $t-1$ signature generation servers. For convenience, we assume that the corrupted signature generation servers are $C_1, \ldots, C_{t-1}$.
• Phase 2: $\mathcal{B}_I$ can make the following queries in an adaptive manner.
  - Partial-private-key queries PPK(ID): $\mathcal{B}_I$ can request the partial private key of any user with identity ID. On receiving ID, $\mathcal{C}$ runs the partial private key extraction algorithm EX of CLTHS with ID as input, obtains the corresponding partial private key $ppk_{ID}$ and gives it to $\mathcal{B}_I$.
  - Secret-value queries SV(ID): $\mathcal{B}_I$ can request the secret value of any user with identity ID. In response, $\mathcal{C}$ runs the secret value generation protocol GS of CLTHS with ID as input and obtains a secret value $x_{ID}$, the corresponding public value $pk_{ID}$, and the secret value share $x^i_{ID}$ and matching verification share $pk^i_{ID}$ of every signature generation server. Then $\mathcal{C}$ sends $x_{ID}$ to $\mathcal{B}_I$. Note that $\mathcal{C}$ outputs $\perp$ if the user's public key has been replaced.
  - Public-key-replacement queries $PKR(ID, pk'_{ID})$: For any user with identity ID, $\mathcal{B}_I$ can choose a new public key $pk'_{ID}$ and set $pk'_{ID}$ as the new public key of this user. $\mathcal{C}$ keeps a record of this replacement.
  - Sign queries $S(ID, M, pk_{ID})$: $\mathcal{B}_I$ can request the signature of the user with identity ID on a message $M$. On receiving $M$, $\mathcal{C}$ runs the signature generation protocol S of CLTHS and responds to $\mathcal{B}_I$ with the shares $\sigma_i$, $i = 1, \ldots, n$, output by S. It is required that $\sigma_i$, $i = 1, \ldots, n$, are valid signature shares on the message $M$ under the identity ID and the public key $pk_{ID}$. It is evident that $\mathcal{B}_I$ is able to compute a full signature on $M$ from enough signature shares.
• Phase 3: $\mathcal{B}_I$ submits the target identity $ID^*$. On receiving $ID^*$, $\mathcal{C}$ first runs the algorithm EX of CLTHS to obtain a partial private key $ppk_{ID^*}$, and then runs the partial private key distribution protocol DK of CLTHS with $ppk_{ID^*}$ as input to share it among the $n$ signature generation servers. We denote the partial private key shares by $ppk^i_{ID^*}$, $i = 1, \ldots, n$. $\mathcal{C}$ gives $ppk^i_{ID^*}$ for $i = 1, \ldots, t-1$ to $\mathcal{B}_I$. Then $\mathcal{B}_I$ issues a sequence of requests as in Phase 2, except for the partial-private-key request on the challenge identity $ID^*$.
• Forgery: Finally, $\mathcal{B}_I$ outputs $(ID^*, M^*, \sigma^*, pk_{ID^*})$. We say that $\mathcal{B}_I$ wins Game 1 if
  1. $\sigma^*$ is a valid signature on the message $M^*$ under the identity $ID^*$ and the corresponding public key $pk_{ID^*}$;
  2. $(ID^*, M^*, pk_{ID^*})$ never appears as one of the sign queries.
We define $\mathcal{B}_I$'s success probability by

$$Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS, \mathcal{B}_I}(k) = \Pr[V(params, ID^*, pk_{ID^*}, M^*, \sigma^*) = \mathrm{Valid}].$$


An attacker $\mathcal{B}_I$ is said to $(t_{CMA}, q_{PPK}, q_{PK}, q_{SV}, q_{PKR}, q_S, \epsilon)$-break a certificateless threshold signature scheme if $\mathcal{B}_I$ runs in time at most $t_{CMA}$, makes at most $q_{PPK}$ partial-private-key queries, $q_{PK}$ public-key queries, $q_{SV}$ secret-value queries, $q_{PKR}$ public-key-replacement queries and $q_S$ sign queries, and its success probability $Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS, \mathcal{B}_I}(k)$ is at least $\epsilon$. Note that the running time and the numbers of queries are all polynomial in the security parameter $k$.

Game 2 (for Super Type II Adversary).

• Setup: $\mathcal{C}$ runs the key/system parameter generation algorithm GC to obtain a master secret key msk and the system parameter list params. $\mathcal{C}$ then sends params and msk to the adversary $\mathcal{B}_{II}$.
• Phase 1: $\mathcal{B}_{II}$ corrupts $t-1$ signature generation servers, which we denote by $C_1, \ldots, C_{t-1}$.
• Phase 2: $\mathcal{B}_{II}$ adaptively makes secret-value queries, public-key-replacement queries and sign queries as described in Game 1.
• Phase 3: $\mathcal{B}_{II}$ submits the target identity $ID^*$ and then issues a sequence of requests as in Phase 2. Notice that for $\mathcal{B}_{II}$'s sign query $S(ID^*, M, pk_{ID^*})$, $\mathcal{C}$ responds with valid signature shares as described before. Note also that no secret-value queries or public-key-replacement queries on $ID^*$ are allowed.
• Forgery: Finally, $\mathcal{B}_{II}$ outputs $(ID^*, M^*, \sigma^*, pk_{ID^*})$. We say that $\mathcal{B}_{II}$ wins Game 2 if
  1. $\sigma^*$ is a valid signature on the message $M^*$ under the identity $ID^*$ and the corresponding public key $pk_{ID^*}$;
  2. $(ID^*, M^*, pk_{ID^*})$ never appears as one of the sign queries.
We define $\mathcal{B}_{II}$'s success probability by

$$Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS, \mathcal{B}_{II}}(k) = \Pr[V(params, ID^*, pk_{ID^*}, M^*, \sigma^*) = \mathrm{Valid}].$$


An attacker $\mathcal{B}_{II}$ is said to $(t_{CMA}, q_{SV}, q_{PKR}, q_S, \epsilon)$-break a certificateless threshold signature scheme if it runs in time at most $t_{CMA}$, makes at most $q_{SV}$ secret-value queries, $q_{PKR}$ public-key-replacement queries and $q_S$ sign queries, and its success probability $Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS, \mathcal{B}_{II}}(k)$ is at least $\epsilon$. Note that the running time and the numbers of queries are all polynomial in the security parameter $k$.

We now define the existential unforgeability of CLTHS against adaptively chosen message attacks, which we call EUF-CLTHS-CMA.

Definition 2 (EUF-CLTHS-CMA). A certificateless threshold signature scheme CLTHS is said to be EUF-CLTHS-CMA secure if the success probability of any polynomially bounded adversary in the above two games is negligible. Accordingly, we use EUF-CLS-CMA to denote the existential unforgeability of a CLS scheme against adaptively chosen message attacks.

3.2. Relationship between EUF-CLTHS-CMA and EUF-CLS-CMA

In order to prove the unforgeability of a CLTHS scheme, we use the concept of a simulatable adversary view. Intuitively, this means that for every adversary there is a simulator which, on input the public value and all information of the corrupted players, can produce an output distribution that is computationally indistinguishable from the view of the adversary interacting with honest players in a regular run of the protocol that ends with the public value as its public output. In other words, the run of the protocol provides no useful information to the adversary beyond the public information. Motivated by Gennaro et al.'s [9] methodology for proving the security of threshold signature schemes, we define the simulatability of CLTHS as follows.

Definition 3 (Simulatability of CLTHS). Let CLTHS = (GC, EX, DK, GS, PK, S, V) be a certificateless $(t, n)$ threshold signature scheme. The scheme CLTHS is said to be simulatable if the following properties hold.

1. The protocol DK is simulatable. That is, there exists a simulator $SIM_{DK}$ that, on input the public output of GC, an identity ID, the $t-1$ partial private key shares for ID held by the corrupted signature generation servers, and the public information $\{vsk^i_{ID}\}_{i = 1, \ldots, n}$ associated with the partial private key $ppk_{ID}$, can simulate the view of the attacker on an execution of DK that ends with $\{vsk^i_{ID}\}_{i = 1, \ldots, n}$ as the public output.
2. The protocol GS is simulatable. That is, there exists a simulator $SIM_{GS}$ that, on input the public output of GC, an identity ID, the $t-1$ secret value shares for ID held by the corrupted signature generation servers, and the public value $pk_{ID}$ associated with the secret value $x_{ID}$, can simulate the view of the attacker on an execution of GS that generates the given $pk_{ID}$ as the public output.
3. The protocol S is simulatable. That is, there exists a simulator $SIM_S$ that, on input the public output of GC, an identity ID, a message $M$ and a signature $\sigma$ on $M$, the $t-1$ partial private key shares and $t-1$ secret value shares for ID held by the corrupted signature generation servers, and the public outputs of DK and GS, can simulate the view of the attacker on an execution of S that generates $\sigma$ as output.

We state and prove the following theorem regarding the relationship between the security of CLTHS and that of the underlying CLS. The theorem shows that an EUF-CLS-CMA secure certificateless signature scheme can be used as a building


block to construct an EUF-CLTHS-CMA secure certificateless threshold signature scheme, as long as simulatability is ensured.

Theorem 1. If the CLTHS scheme is simulatable and the underlying CLS scheme is EUF-CLS-CMA secure, then CLTHS is EUF-CLTHS-CMA secure. More precisely,

$$Succ^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS}(t_{CMA}) \le Succ^{EUF\text{-}CLS\text{-}CMA}_{CLS}(t'_{CMA}),$$


where $t'_{CMA} = t_{CMA} + T_{SIM_{DK}} + T_{SIM_{GS}} + T_{SIM_S}$. Here $T_{SIM_{DK}}$, $T_{SIM_{GS}}$ and $T_{SIM_S}$ denote the running times of the simulators $SIM_{DK}$, $SIM_{GS}$ and $SIM_S$, respectively.

Proof. Let $\mathcal{B}_I$ and $\mathcal{B}_{II}$ denote the two types of attackers wishing to break the EUF-CLTHS-CMA security of the CLTHS scheme. Let $\mathcal{A}_I$ and $\mathcal{A}_{II}$ denote the two types of attackers against the underlying (non-threshold) CLS scheme. The proof consists of two parts, depending on the type of attacker.

Part 1 (for Type I Attacker). Our aim is to show that if there exists an attacker $\mathcal{B}_I$ that can break the EUF-CLTHS-CMA security of the CLTHS scheme, then there inevitably exists an attacker $\mathcal{A}_I$ that can break the EUF-CLS-CMA security of the underlying CLS scheme. To prove this, we show how the view of $\mathcal{B}_I$ in the real attack Game 1 of EUF-CLTHS-CMA defined in Section 3.1, which we denote by $G_B$, can be simulated to obtain a new game $G_A$ which is related to the ability of the attacker $\mathcal{A}_I$ to defeat the EUF-CLS-CMA security of the underlying CLS scheme, under the assumption that CLTHS is simulatable (note that the security model for Type I adversaries of CLS schemes can be found in [25]). To achieve this, we regard $\mathcal{A}_I$ as the challenger in game $G_B$, and the queries issued by $\mathcal{B}_I$ are sent directly to $\mathcal{A}_I$, who uses $\mathcal{B}_I$ to attack the underlying CLS scheme.

• Game $G_B$: As mentioned before, this game is identical to the real attack Game 1 described in Section 3.1. We denote by $E_B$ the event that $\mathcal{B}_I$ outputs a valid message/signature pair as a forgery, and we use the similar notation $E_A$ for Game $G_A$. Since Game $G_B$ is the same as the real attack game, we have

$$\Pr[E_B] = \mathrm{Succ}^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS,B_I}(k).$$


• Game $G_A$: First, we replace the system parameters params in $G_B$ by the corresponding system parameters in $G_A$. Note that neither $A_I$ nor $B_I$ has knowledge of the master secret key msk. We then handle the queries of Phase 2 of the attack Game 1 as follows.
  - Whenever $B_I$ issues a partial private key query PPK(ID) or a secret-value query SV(ID), $A_I$ forwards the query to his challenger. On receiving ID, the challenger runs the partial-private-key-extract or set-secret-value algorithm of CLS on input ID and responds with the resulting partial private key $ppk_{ID}$ or secret value $x_{ID}$. $A_I$ then sends $ppk_{ID}$ or $x_{ID}$ to $B_I$. (Note that the secret-value query is answered with $\bot$ if the user's public key has been replaced.)
  - If $B_I$ issues a public-key-replacement query $PKR(ID, pk'_{ID})$, $A_I$ forwards the query to his challenger and then updates $pk_{ID}$ to $pk'_{ID}$.
  - If $B_I$ issues a sign query $S(ID, M, pk_{ID})$, $A_I$ forwards the query to his challenger to obtain a signature $\sigma$. Having obtained $\sigma$, $A_I$ runs $SIM_S$ on input params, the outputs generated by $SIM_{DK}$ and $SIM_{GS}$ (which include the $t-1$ corrupted partial private key shares and secret value shares), the identity ID, and the message/signature pair $(M, \sigma)$. $A_I$ then sends the output of $SIM_S$ to $B_I$.
  - If $B_I$ submits a target identity $ID^*$, $A_I$ runs $SIM_{DK}$ on input params and $ID^*$ to simulate the view of $B_I$, and forwards $ID^*$ as the target identity to his challenger. (Note that during the execution of $SIM_{DK}$, $B_I$ is given the $t-1$ partial private key shares of the corrupted signature generation servers. Note also that $A_I$ does not make a partial private key request on $ID^*$ and hence does not know the value $ppk_{ID^*}$.) Then $B_I$ issues public-key-replacement and sign queries on $ID^*$. There is no need for $B_I$ to issue a secret-value query, because he may have chosen a secret value himself to generate a new public key. For such queries, $A_I$ responds as defined in Section 3.1.
  - If $B_I$ outputs $(ID^*, M^*, \sigma^*, pk_{ID^*})$ in the Forgery Phase, $A_I$ sets $(ID^*, M^*, \sigma^*, pk_{ID^*})$ as its own forgery.

Note that $B_I$'s view in the real attack game is identical to its view in Game $G_A$ as long as CLTHS is simulatable. Hence we have

$$\Pr[E_B] \le \Pr[E_A].$$

Due to the definition of $\Pr[E_B]$ and $\Pr[E_A]$, we have

$$\mathrm{Succ}^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS,B_I}(k) \le \mathrm{Succ}^{EUF\text{-}CLS\text{-}CMA}_{CLS,A_I}(k).$$


Part 2 (for Type II Attacker). Similar to the case of the Type I attacker, we show how the view of $B_{II}$ in the real attack (Game 2 of EUF-CLTHS-CMA defined in Section 3.1), which we denote by $G'_B$, can be simulated to obtain a new game $G'_A$ in which the attacker $A_{II}$ can break the EUF-CLS-CMA security of the CLS scheme, under the assumption that CLTHS is simulatable (the security model for the type II adversary of a CLS scheme can be found in [25]). To achieve this, we regard the attacker $A_{II}$ as the challenger in game $G'_B$. Queries issued by $B_{II}$ are directly forwarded to $A_{II}$, who makes use of his own challenger in game $G'_A$ to generate correct responses.

• Game $G'_B$: As mentioned before, this game is identical to the real attack Game 2 described in Section 3.1. We denote by $E'_B$ the event that $B_{II}$ outputs a valid message/signature pair as a forgery. We use the similar notation $E'_A$ for Game $G'_A$. Since Game $G'_B$ is the same as the real attack game, we have

$$\Pr[E'_B] = \mathrm{Succ}^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS,B_{II}}(k).$$


• Game $G'_A$: First, we replace the system parameters params and the master secret key msk in $G'_B$ by the corresponding system parameters and master secret key in $G'_A$. We then handle the queries of Phase 2 of the attack Game 2 as follows.
  - Whenever $B_{II}$ issues a secret-value query SV(ID), $A_{II}$ forwards the query to his challenger. On receiving ID, the challenger runs the set-secret-value algorithm of CLS on input ID and returns the resulting secret value $x_{ID}$. $A_{II}$ then sends $x_{ID}$ to $B_{II}$. Note that the query is answered with $\bot$ if the user's public key has been replaced.
  - If $B_{II}$ issues a public-key-replacement query $PKR(ID, pk'_{ID})$, $A_{II}$ forwards the query to his challenger and then updates $pk_{ID}$ to $pk'_{ID}$.
  - If $B_{II}$ issues a sign query $S(ID, M, pk_{ID})$, $A_{II}$ forwards the query to his challenger to obtain a signature $\sigma$. Having obtained $\sigma$, $A_{II}$ runs $SIM_S$ on input params, the outputs generated by $SIM_{DK}$ and $SIM_{GS}$ (which include the $t-1$ corrupted partial private key shares and secret value shares), the identity ID, and the message/signature pair $(M, \sigma)$. $A_{II}$ then sends the output of $SIM_S$ to $B_{II}$.
  - Once $B_{II}$ submits a target identity $ID^*$, it can issue sign queries on $ID^*$, which are answered in the same way as described above. Note that $B_{II}$ is not allowed to issue a public-key-replacement query or a secret-value query on $ID^*$, since $B_{II}$ could obtain the full signing key of $ID^*$ if either of them were allowed.
  - If $B_{II}$ outputs $(ID^*, M^*, \sigma^*, pk_{ID^*})$ in the Forgery Phase, $A_{II}$ sets it as his own forgery.

Note from the simulation that $B_{II}$'s view in the real attack game is identical to its view in Game $G'_A$ as long as CLTHS is simulatable. Hence we have

$$\Pr[E'_B] \le \Pr[E'_A].$$

Due to the definition of $\Pr[E'_B]$ and $\Pr[E'_A]$, we have

$$\mathrm{Succ}^{EUF\text{-}CLTHS\text{-}CMA}_{CLTHS,B_{II}}(k) \le \mathrm{Succ}^{EUF\text{-}CLS\text{-}CMA}_{CLS,A_{II}}(k). \qquad \square$$

4. Building blocks

4.1. Zhang-Zhang certificateless signature scheme

We first review the Zhang-Zhang certificateless signature scheme [25], which we denote by ZZCLS. We will use it as the basic certificateless signature scheme from which our certificateless threshold signature scheme in Section 5 is constructed. Note that the ZZCLS scheme was proven secure in the strongest security model of CLS schemes assuming the hardness of the CDH problem over groups with bilinear maps.

• Key/system parameter generation algorithm GC(k): This algorithm is run by the KGC to generate its master secret key msk and a list of system parameters params.
  - Choose a cyclic additive group $G_1$ generated by $P$ with prime order $q$, a cyclic multiplicative group $G_2$ of the same order, and a bilinear map $\hat e: G_1 \times G_1 \to G_2$.
  - Pick a random $k \in \mathbb{Z}_q^*$ as the master secret key and set $P_{pub} = kP$.
  - Choose three cryptographic hash functions $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_3: \{0,1\}^* \to \mathbb{Z}_q^*$.
  - Keep $k$ secret and publish params $= (G_1, G_2, \hat e, P, P_{pub}, H_1, H_2, H_3)$.
• Partial private key extraction algorithm EX(params, msk, ID): This algorithm is run by the KGC to generate the partial private key associated with ID.
  - Compute $Q_{ID} = H_1(ID \| P)$.
  - Output the partial private key $D_{ID} = kQ_{ID}$.
• Secret value setting algorithm GS(params, ID): This algorithm takes as input params and a user's identity ID. It selects a random $x_{ID} \in \mathbb{Z}_q^*$ and outputs $x_{ID}$ as the user's secret value.
• Public key extraction algorithm PK(params, ID, $x_{ID}$): This algorithm takes as input params, a user's identity ID and this user's secret value $x_{ID}$. It produces the user's public key $P_{ID} = x_{ID}P$.
• Signature generation algorithm S(params, $D_{ID}$, $x_{ID}$, M): To sign a message $M$ using the partial private key $D_{ID}$ and the secret value $x_{ID}$, the signer, whose identity is ID and whose public key is $P_{ID}$, performs the following steps.
  - Choose a random $r \in \mathbb{Z}_q^*$ and compute $R = rP$.
  - Compute $u = H_2(R \| P_{ID} \| M)$ and $v = H_3(R \| P_{ID} \| M)$.
  - Compute $V = (u x_{ID} + r) Q_{ID} + v D_{ID}$.
  - Output $\sigma = (R, V)$ as the signature on $M$.
• Signature verification algorithm V(params, ID, $P_{ID}$, M, $\sigma$): To verify a signature $\sigma$ on a message $M$ for an identity ID with public key $P_{ID}$, the verifier performs the following steps.
  - Compute $Q_{ID} = H_1(ID \| P)$, $u = H_2(R \| P_{ID} \| M)$ and $v = H_3(R \| P_{ID} \| M)$.
  - Verify $\hat e(V, P) = \hat e(u P_{ID} + v P_{pub} + R,\ Q_{ID})$. If the equation holds, output Valid; otherwise, output Invalid.

4.2. Review of secret sharing over a group $G_1$

In order to construct a certificateless threshold signature scheme from the above ZZCLS scheme, we need to share the partial private key $D_{ID}$ among the signature generation servers. This can be achieved with the $(t, n)$ secret-sharing scheme over the group $G_1$ presented in [2]. Due to space limitations we omit the details of this technique; readers are referred to [2] for a detailed description.

4.3. Review of the computationally secure verifiable secret-sharing protocol based on the bilinear map

In cryptography, a secret-sharing scheme is called verifiable if auxiliary information is included that allows the players to verify that their shares are consistent. More formally, verifiable secret sharing (VSS) ensures that even if the dealer is malicious there is a well-defined secret that the players can later reconstruct. For threshold signature schemes, verifiable secret sharing is a useful tool for preventing malicious behaviour; in other words, VSS gives threshold signature schemes robustness. Various solutions to verifiable secret sharing have been known and used for a long time. However, since our certificateless threshold signature scheme is based on bilinear maps, here we make use of the scheme proposed by Baek and Zheng [3], which we call the computationally secure verifiable secret-sharing protocol based on the bilinear map (Comp-Secure-VSSBP); it is motivated by Feldman's VSS scheme [8].
This protocol will be used to distribute a user's partial private key $D_{ID}$ of the ZZCLS scheme among a number of signature generation servers. We describe Comp-Secure-VSSBP in Fig. 1. The following lemma shows the correctness of the protocol.

Lemma 1. In Comp-Secure-VSSBP, the shares held by all uncorrupted participants interpolate to a unique PLF of degree $t-1$, and any $t$ or more of these shares can reconstruct the secret $S$.

The protocol Comp-Secure-VSSBP is computationally secure in the sense that the value $a_0 = \hat e(S, P)$ is revealed during the execution of the protocol, and hence the secrecy of $S$ rests on the computational assumption that it is hard for an attacker to obtain $S$ from $\hat e(S, P)$, which is exactly the mGBI assumption. As mentioned in Section 2.2, the mGBI assumption is implied by the CDH assumption, so the security of Comp-Secure-VSSBP can be regarded as based on the hardness of the CDH problem.

Lemma 2. In Comp-Secure-VSSBP, an attacker that learns fewer than $t$ shares of the secret $S$ obtains no information about $S$, assuming that the CDH problem is computationally intractable.

Please refer to [3] for detailed proofs of the two lemmas.

Fig. 1. Computationally secure veriable secret-sharing protocol based on the bilinear map.


4.4. Distributed secret value generation protocol for our scheme

Distributed secret key generation is a main component of threshold cryptosystems. It allows a set of $n$ servers to jointly generate a pair of public and secret keys according to the distribution defined by the underlying cryptosystem, without ever computing, reconstructing, or storing the secret key in any single location and without assuming any trusted party (dealer). While the public key is output in the clear, the secret key is maintained as a (virtual) secret shared via a threshold scheme. Solutions to the distributed generation of private keys for discrete-log based cryptosystems have been studied in [5,10]. Here we construct a distributed secret-value generation protocol for the CLTHS scheme (DSG), which is very similar to Gennaro et al.'s [10] distributed key generation protocol for discrete-logarithm based cryptographic schemes. The differences between them are as follows. Firstly, the domain of the public value is changed from $\mathbb{Z}_p^*$ to $G_1$: while our protocol allows a set of $n$ servers to jointly generate a secret $s \in \mathbb{Z}_q^*$ whose corresponding public value is $c = sP \in G_1$, a predetermined set of parties in Gennaro et al.'s protocol jointly generate a secret $k \in \mathbb{Z}_q$ whose corresponding public value is $y = g^k \in \mathbb{Z}_p^*$. Secondly, the broadcast information and the verification equation are also changed from $\mathbb{Z}_p^*$ to $G_1$. Lastly, the computation of $A_{nk}$ is different in the simulator constructed to prove the security of DSG.

We use a variant of the non-interactive and information-theoretically secure VSS protocol due to Pedersen [17] as a building block in our solution; it tolerates up to $t-1$ malicious faults without revealing any information on the secret, and we denote it by Pedersen-VSS. Due to the lack of space, we do not describe Pedersen-VSS explicitly, as its description is implicitly contained in Step 1 of our DSG protocol. Suppose that the threshold $t$ and the number $n$ of parties satisfy $1 \le t \le n < q$. Let $(G_1, q, P)$ be the common parameters as defined in Section 2.1. Our protocol DSG is depicted in detail in Fig. 2.

Fig. 2. Distributed secret-value generation protocol for the CLTHS scheme.

Fig. 3. Simulator for the distributed secret value generation protocol DSG.


The correctness and security (please refer to [10] for detailed definitions) of DSG can be proven in a similar way as for the protocol in [10]. For simplicity, we only present the correctness statement (Lemma 3) and a modified simulator SIM-DSG in Fig. 3, while the concrete proof procedure is omitted. From the protocol we know that the generated secret is $s \in \mathbb{Z}_q^*$, and its corresponding public value is $c = sP \in G_1$. Finally, $C_i$ holds the secret shares $x_i, x'_i$, $i = 1, \ldots, n$. The public information $C_{ik}, A_{ik}, A_k$, $i = 1, \ldots, n$, $k = 0, \ldots, t-1$, is known to all parties. It is easy to see that

$$x_i P = \sum_{k=0}^{t-1} i^k A_k.$$

In our threshold signature scheme in Section 5, this protocol is employed by the $n$ signature generation servers to generate the secret value $x_{ID}$ of an identity ID as well as the random number $r$ used in the signing phase.

Lemma 3 (Correctness). In the above protocol DSG, all subsets of $t$ shares provided by honest parties define the same unique secret key $s$, and all honest parties hold the same value of the public key $c = sP$, where $s$ is uniformly distributed in $\mathbb{Z}_q$.

Lemma 4 (Secrecy). In the above protocol DSG, no information on $s$ can be learned by the adversary except for that implied by the value $c = sP$.

From the above lemmas we derive the following theorem.

Theorem 2. Protocol DSG in Fig. 2 is a secure protocol for distributed secret value generation, namely it satisfies the above correctness and secrecy requirements with threshold $t$.
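To make the mechanics of Sections 4.3 and 4.4 concrete, here is an added Python example; it is not code from the paper or from [3,10,17]. It replaces the pairing group $G_1$ with a small, constructed prime-order subgroup of $\mathbb{Z}_p^*$ (written multiplicatively, so the paper's $sP$ becomes $g^s$), which is enough to show Feldman-style share verification against public coefficient commitments, the summation of $n$ dealers' sharings into a joint secret that no party ever holds, and the relation $x_i P = \sum_k i^k A_k$ stated above for the DSG output. The parameters p = 2039, q = 1019, g = 4 and all function names are constructed assumptions of this example, and the pairing-based commitments $a_k = \hat e(F_k, P)$ of Comp-Secure-VSSBP are represented by discrete-log commitments $g^{a_k}$ instead.

```python
import secrets

# Constructed toy parameters (NOT secure, illustration only): the prime-order
# subgroup of Z_p^* with p = 2q + 1, written multiplicatively, stands in for
# the pairing group G1 of the paper, so the paper's sP becomes g^s here.
MOD_P, ORD_Q, GEN = 2039, 1019, 4


def eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients in Z_q at x (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % ORD_Q
    return acc


def feldman_deal(secret, t, n, rng=secrets.randbelow):
    """Dealer step of a Feldman-style VSS: hide `secret` in the constant term
    of a random degree t-1 polynomial, give party i the evaluation at i, and
    broadcast a commitment g^{a_k} to every coefficient."""
    coeffs = [secret % ORD_Q] + [rng(ORD_Q) for _ in range(t - 1)]
    shares = {i: eval_poly(coeffs, i) for i in range(1, n + 1)}
    commitments = [pow(GEN, a, MOD_P) for a in coeffs]
    return shares, commitments


def feldman_verify(i, share, commitments):
    """Party i checks its share against the public commitments:
    g^{share} == prod_k (g^{a_k})^{i^k}, which holds exactly when the share
    lies on the committed polynomial. The same check applied to the summed
    commitments A_k is the relation x_i P = sum_k i^k A_k of the DSG output."""
    expected = 1
    for k, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, k, ORD_Q), MOD_P) % MOD_P
    return pow(GEN, share, MOD_P) == expected


def lagrange_coeff(i, subset):
    """Lagrange coefficient of party i for interpolation at 0 over `subset`."""
    num, den = 1, 1
    for j in subset:
        if j != i:
            num, den = num * j % ORD_Q, den * (j - i) % ORD_Q
    return num * pow(den, -1, ORD_Q) % ORD_Q


def reconstruct(shares):
    """Interpolate {i: share} at 0; correct only with at least t shares."""
    subset = list(shares)
    return sum(lagrange_coeff(i, subset) * shares[i] for i in subset) % ORD_Q


def dkg(n, t, rng=secrets.randbelow):
    """Distributed generation in the style of DSG / Gennaro et al.: every
    party deals a random value with feldman_deal, every recipient verifies
    each share it receives, and the joint secret s is the sum of all dealt
    values. Returns (joint shares {i: x_i}, public value g^s, public
    coefficients A_k = prod_i C_ik). No party ever computes s itself."""
    dealt = {i: feldman_deal(rng(ORD_Q), t, n, rng) for i in range(1, n + 1)}
    joint_shares = {}
    for j in range(1, n + 1):
        total = 0
        for i, (shares, comms) in dealt.items():
            if not feldman_verify(j, shares[j], comms):
                raise ValueError(f"dealer {i} sent party {j} a bad share")
            total = (total + shares[j]) % ORD_Q
        joint_shares[j] = total
    public_coeffs = []
    for k in range(t):
        a_k = 1
        for _, comms in dealt.values():
            a_k = a_k * comms[k] % MOD_P
        public_coeffs.append(a_k)
    return joint_shares, public_coeffs[0], public_coeffs
```

Running `dkg(5, 3)` yields five verified shares whose interpolation matches the published value $g^s$, while any two shares of a degree-2 polynomial interpolate to an unrelated value; a dealer that sends an inconsistent share is caught by `feldman_verify` before its contribution is absorbed into the joint secret, which is the robustness property Section 4.3 attributes to VSS.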

5. Our certificateless threshold signature scheme

With the building blocks presented in the previous section, we now construct a certificateless threshold signature scheme based on the bilinear map, which we call CLTHSBP. CLTHSBP consists of the following algorithms and protocols. For simplicity, we omit the details of the sub-protocols Comp-Secure-VSSBP and DSG, and only describe the significant information resulting from them.

• Key/system parameter generation algorithm GC(k): Given a security parameter $k$, the KGC performs the following:
  - Choose a cyclic additive group $G_1$ generated by $P$ with prime order $q$, a cyclic multiplicative group $G_2$ of the same order, and a bilinear map $\hat e: G_1 \times G_1 \to G_2$.
  - Pick a random $k \in \mathbb{Z}_q^*$ as the master secret key and set $P_{pub} = kP$.
  - Choose three cryptographic hash functions $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_3: \{0,1\}^* \to \mathbb{Z}_q^*$.
  - Keep $k$ secret and publish params $= (G_1, G_2, \hat e, P, P_{pub}, H_1, H_2, H_3)$.
• Partial private key extraction algorithm EX(params, msk, ID): This algorithm is run by the KGC to generate the partial private key associated with ID.
  - Compute $Q_{ID} = H_1(ID \| P)$.
  - Output the partial private key $D_{ID} = kQ_{ID}$.
• Partial private key distribution protocol DK(params, msk, ID, n, t): A trusted user (as discussed in Section 2.3, this user could be the KGC itself) who possesses the partial private key $D_{ID}$ associated with an identity ID performs the following:
  - Run Comp-Secure-VSSBP with the input $(G_1, q, \hat e, P, P_{pub}, H_1, t, n, D_{ID})$ to share $D_{ID}$ among the $n$ signature generation servers, denoted by $C_1, C_2, \ldots, C_n$.
  - Denote the partial private key share of $C_i$ by $D^i_{ID}$ for $i = 1, \ldots, n$.
  - Denote the public verification information output at the end of the execution of Comp-Secure-VSSBP by $a_0, a_1, \ldots, a_{t-1}$, where $t$ is the threshold.
• Distributed secret value generation protocol GS(params, ID, n, t): Each signature generation server $C_i$ performs the following steps to jointly generate a secret value $x_{ID}$ for an identity ID:
  - Taking $(G_1, q, P, t, n)$ as input, all signature generation servers execute DSG to jointly generate a secret value $x_{ID}$ and a public value $P_{ID} = x_{ID}P$. (Note that the public value $P_{ID}$ is exactly the public key we want to generate in the next protocol.)
  - Denote the resulting share held by server $C_i$ by $x^i_{ID}$ for $i = 1, \ldots, n$.
  - Denote the public verification information output at the end of the execution of DSG by $pk^k_{ID} = \sum_{i \in J} A_{ik}$ for $k = 0, \ldots, t-1$. Note that $pk^0_{ID} = P_{ID}$.
• Public key extraction protocol PK(params, ID, $x_{ID}$): The user's public key $P_{ID}$ corresponding to the user's secret value $x_{ID}$ is obtained directly from the above protocol without any additional computation. As shown in protocol DSG, the public information of the secret value is the public key $P_{ID}$, which is exactly what we need.
• Signature generation protocol $S(params, D^i_{ID}, x_{ID}, M)$: Each signature generation server $C_i$ performs the following steps to jointly generate a signature on a given message $M$:


  1. Run DSG to jointly generate a secret random value $r \in \mathbb{Z}_q^*$ and a public value $R = rP$. Denote by $r_i$ the resulting share held by server $C_i$, $i = 1, \ldots, n$, and denote the public verification information output at the end of the execution of DSG by $R_k = \sum_{i \in J} A_{ik}$ for $k = 0, \ldots, t-1$. Note that $R_0 = R$.
  2. Compute $u = H_2(R \| P_{ID} \| M)$ and $v = H_3(R \| P_{ID} \| M)$.
  3. Broadcast $V_i = (u x^i_{ID} + r_i) Q_{ID} + v D^i_{ID}$.
  4. Anyone can verify the validity of $C_i$'s signature share by checking

$$\hat e(V_i, P) = \Big(\prod_{j=0}^{t-1} a_j^{\,i^j}\Big)^{v} \cdot \hat e\Big(u \sum_{j=0}^{t-1} i^j\, pk^j_{ID} + \sum_{j=0}^{t-1} i^j R_j,\ Q_{ID}\Big).$$

  5. Construct $V$ by computing $V = \sum_{i \in U} \pi^U_{0,i} V_i$, where

$$\pi^U_{0,i} = \prod_{j \in U,\, j \ne i} \frac{j}{j - i} \bmod q$$

  is the Lagrange coefficient for $|U| \ge t$. Output $\sigma = (R, V)$ as the whole signature on $M$.
• Signature verification algorithm V(params, ID, $P_{ID}$, M, $\sigma$): One can verify whether $\sigma = (R, V)$ is a valid signature of the entity with identity ID and public key $P_{ID}$ on message $M$ by performing the following steps:
  - Compute $Q_{ID} = H_1(ID \| P)$, $u = H_2(R \| P_{ID} \| M)$ and $v = H_3(R \| P_{ID} \| M)$.
  - Verify $\hat e(V, P) = \hat e(u P_{ID} + v P_{pub} + R,\ Q_{ID})$. If the equation holds, output Valid; otherwise, output Invalid.

Note that the protocols GC, EX, PK and V of CLTHSBP are the same as those of the ZZCLS scheme described in Section 4.1.

6. Security analysis of the proposed scheme

In this section, we prove the security of the proposed CLTHSBP. According to Theorem 1, we only need to show that the underlying certificateless signature scheme ZZCLS is EUF-CLS-CMA secure and that CLTHSBP is simulatable. As mentioned before, the ZZCLS scheme has been proven EUF-CLS-CMA secure against super adversaries assuming that the CDH problem is intractable [25]. Thus, we only need to prove the following lemma.

Lemma 5. The proposed CLTHSBP is simulatable.

Proof. We describe the three simulators $SIM_{DK}$, $SIM_{GS}$ and $SIM_S$ of CLTHSBP to establish the simulatability of our scheme. The simulator $SIM_{DK}$ for the partial private key distribution protocol DK of CLTHSBP can be constructed in the same way as the one in [3] for the proof of the verifiable secret-sharing scheme (CVSSBM), which ensures the security of Comp-Secure-VSSBP. Similarly, the simulator $SIM_{GS}$ for the distributed secret value generation protocol GS of CLTHSBP can be constructed in the same way as the one in the proof of Theorem 2, which ensures the security of DSG. Now we present the simulator $SIM_S$ for the signature generation protocol S of CLTHSBP. As described in Fig. 4, the simulator $SIM_S$ takes as input the public output of protocol GC of CLTHSBP, an identity ID, a signature $(R, V)$ on a message $M$, the $t-1$ partial private key shares $D^1_{ID}, \ldots, D^{t-1}_{ID}$ and the $t-1$ shares $x^1_{ID}, \ldots, x^{t-1}_{ID}$ of the secret value held by the corrupted signature generation servers, and the public outputs $a_0, a_1, \ldots, a_{t-1}, pk^0_{ID}, pk^1_{ID}, \ldots, pk^{t-1}_{ID}$ of DK and GS, and generates valid transcripts of the signature generation protocol S of CLTHSBP. From the adversary's view, these transcripts are computationally indistinguishable from the actual transcripts generated during the execution of the protocol. We exhibit the proof by analyzing the information generated by the signature generation protocol S and by the simulator $SIM_S$ in each step (the numbering of steps corresponds to that in the signature generation protocol S).

• For Step 1, both the protocol and the simulator execute a distributed generation of a random secret value using unconditionally secure verifiable secret sharing. The simulatability of this step follows from the simulatability of DSG, which has been proved previously.
• For Steps 2 and 5, it is evident that their outputs are identically distributed since they consist of identical operations.
• For Steps 3 and 4, the broadcast values $V_1, \ldots, V_n$ generated by protocol S interpolate to some randomly and uniformly distributed value in $G_1$. The signature shares $V'_1, \ldots, V'_n$ output by $SIM_S$ interpolate to a value $V$ which is randomly and uniformly distributed in $G_1$. We also have $V'_i = (u x^i_{ID} + r'_i) Q_{ID} + v D^i_{ID}$ for $i = 1, \ldots, t-1$, and hence each $V'_i$ is generated in the same manner as $V_i$ (Step 3 in $SIM_S$). $\square$

Due to Theorem 1, Lemma 5 and the unforgeability of ZZCLS (as proved in [25]), we obtain the following theorem.

Theorem 3. CLTHSBP is existentially unforgeable against adaptively chosen message attacks under the assumption that the CDH problem on $G_1$ is intractable.


Fig. 4. Simulator for the signature generation protocol S of CLTHSBP.
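The following is an added Python example, not code from the paper, that walks through the signature generation protocol S of Section 5 on a constructed discrete-log stand-in for $G_1$ (p = 2039, q = 1019, g = 4, written multiplicatively, so the paper's $aX$ is $X^a$ here and $X + Y$ is $X \cdot Y$). It shares $D_{ID}$ directly as a group element in the manner of Section 4.2, Shamir-shares $x_{ID}$ and the per-signature randomness $r$, lets each server form $V_i = (u x^i_{ID} + r_i)Q_{ID} + v D^i_{ID}$, and combines any $t$ shares with the Lagrange coefficients $\pi^U_{0,i}$ of Step 5. Because the stand-in has no pairing, the per-share check of Step 4 and the final verification equation cannot be evaluated; instead the combined $V$ is compared with the value a single signer holding $(D_{ID}, x_{ID}, r)$ would compute under ZZCLS. The hash-to-$\mathbb{Z}_q$ helper standing in for $H_1, H_2, H_3$, the way $r$ is sampled (centrally and then shared, rather than by DSG) and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT secure, illustration only): the order-q
# subgroup of Z_p^* with p = 2q + 1 stands in for the pairing group G1; it is
# written multiplicatively, so the paper's aX becomes X^a and X + Y becomes X*Y.
MOD_P, ORD_Q, GEN = 2039, 1019, 4


def hash_to_zq(*parts):
    """Stand-in for H1/H2/H3 (an assumption of this example): hash the
    concatenated inputs and reduce into Z_q."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORD_Q


def share_scalar(s, t, n, rng=secrets.randbelow):
    """Shamir-share s in Z_q with a random degree t-1 polynomial; {i: s_i}."""
    coeffs = [s % ORD_Q] + [rng(ORD_Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, ORD_Q) for k, c in enumerate(coeffs)) % ORD_Q
            for i in range(1, n + 1)}


def share_group_element(S, t, n, rng=secrets.randbelow):
    """Share the group element S itself (Section 4.2 style): choose random
    group elements F_1..F_{t-1}, set F_0 = S, and give party i the element
    prod_k F_k^(i^k). The polynomial lives in the exponent, so interpolating
    the shares at 0 gives back S."""
    F = [S % MOD_P] + [pow(GEN, rng(ORD_Q), MOD_P) for _ in range(t - 1)]
    shares = {}
    for i in range(1, n + 1):
        acc = 1
        for k, f in enumerate(F):
            acc = acc * pow(f, pow(i, k, ORD_Q), MOD_P) % MOD_P
        shares[i] = acc
    return shares


def lagrange_coeff(i, subset):
    """pi^U_{0,i} = prod_{j in U, j != i} j / (j - i) mod q."""
    num, den = 1, 1
    for j in subset:
        if j != i:
            num, den = num * j % ORD_Q, den * (j - i) % ORD_Q
    return num * pow(den, -1, ORD_Q) % ORD_Q


def combine_shares(shares):
    """V = sum_{i in U} pi^U_{0,i} V_i, i.e. prod_i V_i^(pi_i) multiplicatively."""
    subset = list(shares)
    acc = 1
    for i in subset:
        acc = acc * pow(shares[i], lagrange_coeff(i, subset), MOD_P) % MOD_P
    return acc


def threshold_sign(M, ID, msk, x_id, t, n, rng=secrets.randbelow):
    """Run protocol S with the keys split over n servers. Returns R, the
    per-server shares V_i, and the V a single holder of (D_ID, x_ID, r) would
    compute under ZZCLS, so callers can check that any t shares combine to it."""
    Q_ID = pow(GEN, hash_to_zq("H1", ID), MOD_P)     # Q_ID = H1(ID || P)
    D_ID = pow(Q_ID, msk, MOD_P)                     # D_ID = k * Q_ID (KGC)
    P_ID = pow(GEN, x_id, MOD_P)                     # P_ID = x_ID * P
    D_shares = share_group_element(D_ID, t, n, rng)  # protocol DK
    x_shares = share_scalar(x_id, t, n, rng)         # protocol GS
    r = rng(ORD_Q) or 1                              # Step 1 (sampled centrally here)
    r_shares = share_scalar(r, t, n, rng)
    R = pow(GEN, r, MOD_P)
    u = hash_to_zq("H2", R, P_ID, M)                 # Step 2
    v = hash_to_zq("H3", R, P_ID, M)
    V_shares = {}                                    # Step 3: each C_i broadcasts V_i
    for i in range(1, n + 1):
        e_i = (u * x_shares[i] + r_shares[i]) % ORD_Q
        V_shares[i] = pow(Q_ID, e_i, MOD_P) * pow(D_shares[i], v, MOD_P) % MOD_P
    single = pow(Q_ID, (u * x_id + r) % ORD_Q, MOD_P) * pow(D_ID, v, MOD_P) % MOD_P
    return {"R": R, "V_shares": V_shares, "single_signer_V": single, "t": t}


def combine_from(result, servers):
    """Step 5 for a chosen set U of at least t server indices."""
    if len(servers) < result["t"]:
        raise ValueError("need at least t signature shares")
    return combine_shares({i: result["V_shares"][i] for i in servers})
```

The combination works because every $V_i$ is, in the exponent, the evaluation at $i$ of a single degree-$(t-1)$ polynomial whose constant term is $\log(Q_{ID}^{u x_{ID} + r} D_{ID}^{v})$; this is the linearity that lets the paper's Step 5 interpolate shares of three independently shared secrets at once, and it is also why fewer than $t$ shares interpolate to an unrelated element.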

7. Conclusion

In this paper, we discuss the issues related to threshold signatures in certificateless public key cryptography. A stronger security model for certificateless threshold signatures is presented. In our new model, adversaries are more powerful than those considered in the other security models of certificateless threshold signature schemes. To make the security proof easy and convenient, we establish the simulatability theorem for certificateless threshold signature schemes. We also propose a new certificateless threshold signature scheme from bilinear maps. The new scheme contains several improvements over the existing ones [21,22]. We use a secure verifiable secret-sharing protocol to share the partial private key among the signature generation servers, which helps to detect misbehaviour during the sharing phase. To share the secret value, we employ the technique of information-theoretically secure distributed key generation, so that no single party ever holds the group's secret value. These techniques not only greatly enhance the robustness of our scheme but also ensure its simulatability. Three simulators (in particular the simulator for the signature generation protocol) are constructed to show the simulatability of the proposed certificateless threshold signature scheme. The simulatability demonstrates that our threshold signature scheme is provably secure against the strongest adversaries in the random oracle model provided that the CDH problem is hard. Our scheme is efficient and has a signature length of only two elements of $G_1$, which is much shorter than that of other certificateless threshold signature schemes. Thus, the proposed scheme is practical and can be applied in real applications where threshold signatures are needed in certificateless settings.

Acknowledgments

The authors are very grateful to the anonymous reviewers for their valuable comments and suggestions. This research is supported by the Natural Science Foundation of China under Grant No. 60673070 and the Natural Science Foundation of Jiangsu Province under Grant No. BK2006217.

References
[1] S. Al-Riyami, K. Paterson, Certificateless public key cryptography, in: Proceedings of Asiacrypt 2003, Taipei, Taiwan, 2003, pp. 452–473.
[2] J. Baek, Y. Zheng, Identity-based threshold decryption, in: Proceedings of the 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, 2004, pp. 262–276.
[3] J. Baek, Y. Zheng, Identity-based threshold signature scheme from the bilinear pairings, in: Proceedings of the International Conference on Information Technology: Coding and Computing, Las Vegas, USA, 2004, pp. 124–128.
[4] A. Boldyreva, Efficient threshold signatures: multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme, in: Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography, Miami, FL, USA, 2003, pp. 31–46.
[5] M. Cerecedo, M. Matsumoto, H. Imai, Efficient and secure multiparty generation of digital signatures based on discrete logarithms, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E76-A (1993) 532–545.
[6] S. Chang, D.S. Wong, Y. Mu, Z. Zhang, Certificateless threshold ring signatures, Information Sciences 179 (20) (2009) 3685–3696.
[7] X. Chen, F. Zhang, D.M. Konidala, K. Kim, New ID-based threshold signature scheme from bilinear pairings, in: Proceedings of the 5th International Conference on Cryptology in India, Chennai, India, 2004, pp. 371–383.
[8] P. Feldman, A practical scheme for non-interactive verifiable secret sharing, in: Proceedings of the IEEE 28th Annual Symposium on the Foundations of Computer Science, Los Angeles, California, USA, 1987, pp. 427–437.
[9] R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Robust threshold DSS signatures, Information and Computation 164 (1) (2001) 54–84.
[10] R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Secure distributed key generation for discrete-log based cryptosystems, Journal of Cryptology 20 (1) (2007) 51–83.
[11] B. Hu, D. Wong, Z. Zhang, X. Deng, Key replacement attack against a generic construction of certificateless signature, in: Proceedings of the 11th Australasian Conference on Information Security and Privacy, Melbourne, Australia, 2006, pp. 235–246.
[12] X. Huang, W. Susilo, Y. Mu, F. Zhang, On the security of a certificateless signature scheme, in: Proceedings of the 4th International Conference on Cryptology and Network Security, Xiamen, China, 2005, pp. 13–25.
[13] X. Huang, Y. Mu, W. Susilo, D. Wong, W. Wu, Certificateless signature revisited, in: Proceedings of the 12th Australasian Conference on Information Security and Privacy, Townsville, Australia, 2007, pp. 308–322.
[14] J. Liu, M. Au, W. Susilo, Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model, in: Proceedings of the 2007 ACM Symposium on Information, Computer and Communications Security, Singapore, 2007, pp. 273–283.
[15] Z. Liu, Y. Hu, X. Zhang, H. Ma, Certificateless signcryption scheme in the standard model, Information Sciences 180 (3) (2010) 452–464.
[16] Y. Long, K. Chen, Efficient chosen-ciphertext secure certificateless threshold key encapsulation mechanism, Information Sciences 180 (7) (2010) 1167–1181.
[17] T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in: Proceedings of the 11th Annual International Cryptology Conference, Santa Barbara, CA, USA, 1991, pp. 129–140.
[18] A. Shamir, Identity-based cryptosystems and signature schemes, in: Proceedings of the 4th Annual International Cryptology Conference, Santa Barbara, CA, USA, 1984, pp. 47–53.
[19] K.A. Shim, Breaking the short certificateless signature scheme, Information Sciences 179 (3) (2009) 303–306.
[20] D. Stinson, R. Strobl, Provably secure distributed Schnorr signatures and a (t, n) threshold scheme for implicit certificates, in: Proceedings of the 6th Australasian Conference on Information Security and Privacy, Sydney, Australia, 2001, pp. 417–434.
[21] L. Wang, Z. Cao, X. Li, H. Qian, Simulatability and security of certificateless threshold signatures, Information Sciences 177 (2007) 1382–1394.
[22] H. Xiong, Z. Qin, F. Li, Simulatability and security of certificateless threshold signature without random oracles, in: Proceedings of the 2008 International Conference on Computational Intelligence and Security, Suzhou, China, 2008, pp. 308–313.
[23] D. Yum, P. Lee, Generic construction of certificateless signature, in: Proceedings of the 9th Australasian Conference on Information Security and Privacy, Sydney, Australia, 2004, pp. 200–211.
[24] Z. Zhang, D. Wong, J. Xu, D. Feng, Certificateless public-key signature: security model and efficient construction, in: Proceedings of the International Conference on Applied Cryptography and Network Security 2006, Singapore, 2006, pp. 293–308.
[25] L. Zhang, F. Zhang, A new provably secure certificateless signature scheme, in: Proceedings of the IEEE International Conference on Communications, Beijing, China, 2008, pp. 1685–1689.
[26] L. Zhang, F. Zhang, A new certificateless aggregate signature scheme, Computer Communications 32 (2009) 1079–1085.
[27] L. Zhang, F. Zhang, Q. Wu, J. Domingo-Ferrer, Simulatable certificateless two-party authenticated key agreement protocol, Information Sciences 180 (6) (2010) 1020–1030.
