Secure Certificateless Signature with Revocation in the Standard Model

Certificateless public key cryptography is very attractive in solving the key escrow problem which is inherent in identity(ID-) based public key cryptography. In the past, a large number of certificateless cryptographic schemes and protocols were presented, but a secure certificateless signature in the standard model (without random oracles) is still not accessible until now. To the best of our knowledge, all the previously proposed certificateless signature schemes were insecure under a considerably strong security model in the sense that they suffered from outsiders’ key replacement attacks or the attacks from the key generation center (KGC). In this paper, we propose a certificateless signature scheme without random oracles. Moreover, our scheme is secure under the strong security model and provides a public revocation mechanism, called revocable certificateless signature (RCLS). Under the standard computational Diffie-Hellman assumption, we formally demonstrate that our scheme possesses existential unforgeability against adaptive chosen-message attacks.


Introduction
In 2001, Boneh and Franklin [1], led by Shamir's idea [2], realized a practical construction of an identity-(ID-) based public key system (ID-PKS) by using bilinear pairings, such as Weil, Tate, and Ate pairings.Subsequently, the study of IDbased cryptographic mechanisms using bilinear pairings has received a great attention from researchers.A large number of literatures, such as [3][4][5][6][7], have been presented.An ID-based public key system consists of two roles, namely, a trusted private key generator (PKG) and users.A user's identity information, such as social security number, e-mail address, and IP address, is viewed as her/his public key and the corresponding private key is computed and issued secretly by the trusted PKG.Evidently, the PKG owns all the users' private keys so that it can decrypt ciphertexts or sign messages on behalf of any user as it wishes.Hence, an ID-based public key system always inherits an imperfection-the key escrow problem.
To overcome the key escrow problem in ID-based public key systems, Gentry [8] introduced the concept of certificatebased public key system, which contains two roles, namely, a key generation center (KGC) and users.Here, we roughly describe Gentry's system.A user first generates the public key and then sends it to the KGC.The KGC generates a certificate for the user's public key and then sends it to the user.The certificate also acts as a decryption or signing key of the user.
In 2003, Al-Riyami and Paterson [9] proposed a new paradigm for public key cryptography by combining the traditional public key system (PKS) with ID-PKS, termed certificateless public key system.As a result, certificates are no longer needed, but the two roles, namely, a KGC and users, remain in their certificateless public key system.A user's private key consists of two components: a partial private key and a secret key.They are generated by the KGC and the user, independently.In this case, the KGC does not have access to the user's full private key due to the lack of the secret key generated by the user.Hence, this certificateless design resolves the key escrow problem in ID-based public key systems.Subsequently, a numer of certificateless cryptographic schemes and protocols have been studied [10][11][12][13][14][15][16][17][18][19][20][21][22].
Al-Riyami and Paterson [9] presented a security model for certificateless public key cryptography.It consists of two types of adversaries, namely, outsiders (Type I adversary) and the KGC (Type II adversary).They also presented a concrete certificateless signature (CLS) scheme but did not offer security notion for this kind of scheme.Two years later, Huang et al. [11] first provided formal security notion for CLS schemes and pointed out that Al-Riyami and Paterson's scheme above suffers from key replacement attacks from outsiders in the sense that, by replacing a user's public key, an outsider can forge valid signatures without the knowledge of the user's partial private key.In 2004, Yum and Lee [23] gave a generic construction of CLS schemes by combining an ID-based signature scheme with a signature scheme based on traditional public key systems.In 2006, Hu et al. [12] presented a considerably strong security model for CLS schemes and pointed out a security drawback in Yum and Lee's construction.Since then, Hu et al. 's security model is considered promising and is generally adopted to formalize the security of CLS schemes.
To improve the efficiency of CLS schemes, several constructions of CLS were built and discussed such as [24][25][26][27].In addition, for providing relatively short signature, Huang et al. [14] proposed a certificateless short signature scheme, which was shown to suffer from key replacement attacks by Shim [28].Recently, Chen et al. [29] wrote a survey article on CLS schemes, in which they also presented a secure certificateless short signature scheme.
The security of all the CLS schemes mentioned above was based on the random oracle model [30].Although these schemes offer better performance, they could be insecure when random oracles are instantiated with some particular hash functions such as SHA-1.In order to compensate this situation, a secure CLS scheme in the standard model (without random oracles) must be constructed.Based on the ID-based signature scheme presented by Paterson and Schuldt [31], Liu et al. [16] proposed the first CLS scheme in the standard model.However, Xiong et al. [17] pointed out that Liu et al. 's scheme is insecure against KGC attacks.To withstand the KGC attacks, two CLS schemes [18,21] were independently proposed but later shown to be insecure [32,33].To our best knowledge, a secure CLS in the standard model (without random oracles) is still not accessible.All the previously proposed CLS schemes in the standard model were insecure under Hu et al. 's strong security model in [12] in the sense that they suffered from key replacement attacks from outsiders (Type I adversary) or attacks from the key generation center (Type II adversary).
A public key system should provide an efficient revocation mechanism to revoke misbehaving/compromised users.In traditional public key systems, users are able to know the revoked public keys by querying the certificate revocation list (CRL) [34] which contains all the revoked public keys.Evidently, the CRL approach is no longer suited for the certificateless public key system due to the lack of the usage of certificates.So, revoking misbehaving/compromised users in certificateless public key system has received attention from cryptographic researchers.Recently, Tsai and Tseng [22] and Shen et al. [35], independently, used the revocation technique presented by Tseng and Tsai [36] to propose a revocable certificateless public-key encryption (RCL-PKE) scheme.However, there was little work in constructing a revocable CLS scheme without random oracles.
Our Construction.In this paper, we will propose a CLS scheme with revocation in the standard model, called revocable certificateless signature (RCLS).This scheme includes two merits.
(1) Under the standard computational Diffie-Hellman assumption, our scheme is secure under Hu et al. 's strong security model.We will formally demonstrate that our scheme possesses existential unforgeability against adaptive chosen-message attacks under the standard computational Diffie-Hellman assumption.(2) Our CLS scheme provides a public revocation mechanism to revoke misbehaving/compromised users.
The rest of the paper is organized as follows.We give some preliminaries in Section 2. In Section 3, we review the framework and security notion for RCLS schemes.A concrete RCLS scheme in the standard model is proposed in Section 4. We analyze the security of the proposed scheme in Section 5.In Section 6, we present discussions and comparisons between some existing schemes and ours.Finally, a concluding remark is drawn in Section 7.

Preliminaries
In this section, we will review some fundamentals required in this sequel, namely, the concept of bilinear pairings and the related assumption.

Bilinear Pairings.
In the sequel, G 1 and G 2 denote two multiplicative cyclic groups of large prime order .A map ê : G 1 × G 1 → G 2 is called an admissible bilinear map if it satisfies the following properties.
We refer the reader to previous literature, such as [1,9], for a more comprehensive description of groups, maps, and other parameters.

Related Mathematical Assumption.
Here, we introduce the computational Diffie-Hellman (CDH) problem and define its corresponding security assumption (CDH assumption) on which our scheme is based.

Definition 1.
Let  be a generator of G 1 .Given ⟨,   ,   ⟩ with unknown ,  randomly chosen from Z *  , the CDH problem is to compute   .The associated CDH assumption states that there exists no probabilistic polynomial-time adversary A that can solve the CDH problem with nonnegligible probability.The successful probability (advantage) of the adversary A is presented as where the probability is over the random choice consumed by the adversary A.

Framework and Security Notion of Revocable Certificateless Signature
In this section, we will define the framework and security notion for our RCLS scheme.In 2003, Al-Riyami and Paterson [9] presented a concrete certificateless signature (CLS) scheme, but did not give formal security notion for such schemes.Later, Yum and Lee [23] and Huang et al. [11] defined formal security notion for CLS schemes.Furthermore, Hu et al. [12] enhanced the definitions in [11,23] to permit stronger queries. is specified by six algorithms, namely, the system setup, the initial key extract, the time key update, the user key generation, the signing, and the verification.
(i) System setup: this algorithm takes security parameter  and the total number  of periods as input and returns a system secret key, a time secret key, and the public parameters .We assume that  are publicly and authentically available in all the following algorithms.
(ii) Initial key extract: this algorithm takes the system secret key and a user's identity ID as input and returns the user's initial secret key  ID to the user via a secure channel.
(iii) Time key update: this algorithm takes the time secret key, a user's identity ID, and a period  as input and returns the user's time update key  ID, to the user via a public channel.
(iv) User key generation: this algorithm takes the public parameters  and ID as input and outputs the secret key SK ID and public key PK ID .
(v) Signing: this algorithm takes a user's initial secret key  ID , the user's time update key  ID, , the user's secret key SK ID , and a message  as input and returns a signature .
(vi) Verification: taking a signature , a message , a user identity ID, a period , and the user's public key PK ID as input; the algorithm outputs either "accept" or "reject." Remark 3. The system setup, the initial key extract, and the time key update algorithms are run by the KGC, while the user key generation algorithm is run by the user.There are three types of adversaries in our security notion for RCLS schemes.In the following, we will employ a security game to model security notion for RCLS schemes.The security game describes the interaction between a challenger and an adversary.Before introducing the security game, we first describe capabilities of Type I, Type II, and Type III adversaries, respectively.
(i) Type I adversary (outsider): an adversary of this type does not have access to the system secret key and time secret key, but she/he can replace the public key of any entity with another of her/his own choice.(ii) Type II adversary (KGC): an adversary of this type is the KGC who knows the system secret key and time secret key.The KGC can produce the initial secret key and time update key of arbitrary identity, but it is forbidden to replace the public key of any identity at any time.(iii) Type III adversary (revoked user): an adversary of this type used to be a member of the system before being revoked by the system.A revoked user still owns the initial secret key although the system stops issuing the current time update key for her/him.

Concrete Revocable Certificateless Signature Scheme
In this section, we describe a concrete revocable certificateless signature scheme that consists of six algorithms.
(i) System setup: the KGC takes a security parameter  as input and returns ⟨G 1 , G 2 , ê⟩, where ê : is an admissible bilinear map and G 1 and G 2 are two cyclic groups of sufficiently large prime order .Then, the KGC sets five collision-resistant hash functions (ii) Initial key extract: given a user's identity ID ∈ {0, 1} * , the KGC computes a bit string The KGC then chooses a random value  V ∈ Z *  and uses the system secret key to compute the user's initial secret key The KGC transmits  ID to the user via a secure channel.
(iii) Time update key: given a user's identity ID ∈ {0, 1} * and a period , the KGC computes a bit string V =   (ID, ) = (V 1 , V 2 , . . ., V   ).The KGC then chooses a random value   ∈ Z *  and uses the time secret key to compute the user's time update key The KGC transmits  ID, to the user via a public channel.
(iv) User key generation: given a user's identity ID, this algorithm selects two secret values  1 ,  2 ∈ Z *  and computes the user's public key PK ID = (PK 1 , PK 2 ) = (  1 ,   2 ).Then, the algorithm first computes two bit strings Finally, the algorithm uses the selected two secret values to compute the user's secret key SK ID = The signer chooses a random value   ∈ Z *  and computes    .The signer uses her/his initial secret key  ID = ( 1 ,  2 ), time update key  ID, = ( 1 ,  2 ), and secret key SK ID to compute a signature on the message  as follows: (vi) Verification: given a period , a signature  = ( 1 ,  2 ,  3 ,  4 ) on a message  for a signer with an identity ID and the signer's public key PK ID = (PK 1 , PK 2 ), a verifier first computes five bit strings and V =   ().Finally, the verifier checks the following equation: (3)

Security Analysis
In this section, we establish three theorems to demonstrate that, under the CDH assumption, the proposed RCLS scheme offers existential unforgeability against adaptive chosenmessage attacks for Type I, Type II, and Type III adversaries, respectively.
Theorem 6.Under the CDH assumption, the proposed RCLS scheme is secure against Type I adversary (outsider).Concretely, if there is a Type I adversary that has an advantage  against the proposed scheme within a running time , then we can construct an algorithm to solve the CDH problem with an advantage within a running time , in which   ,   , and   are the numbers of queries on initial key extract, time key update, and signing, respectively,   is the sum of the numbers of queries on public key replace and secret key extract, and  1 and  2 denote the executing time of a multiplication and an exponentiation in G 1 , respectively.
Proof.Assume that a Type I adversary A can forge a valid signature for the proposed RCLS scheme.We will construct an algorithm B that solves the CDH problem as follows.
Without loss of generality, we assume that there exists a tuple ⟨G 1 , G 2 , ê⟩, as mentioned in Section 2, and the algorithm B is given ,   ,   ∈ G 1 , where  and  are unknown to B. In order to compute   , the algorithm B simulates a challenger in the following game.
(i) Setup.A challenger (algorithm) B first sets five collision-resistant hash functions Before performing  and  between the adversary A and the challenger B, we define seven functions , , , , , , and  by Here, as before, Finally, for the cumbersome notations defined above, we conclude with five relations to which will be referred frequently in the sequel; namely, (ii) Queries.The challenger B maintains a list  of tuples of the form ⟨ID,  1 ,  2 , PK ID , SK ID ⟩.Initially the list is empty.The adversary A may make a number of queries in an adaptive manner as follows.
(a) Public key retrieve query (): upon receiving a query for the public key of an identity ID, the challenger B responds to the query as follows. ( Here,  ID = ( 1 ,  2 ) is indeed a valid initial secret key since, by the first equality in (6), where (e) Secret key extract query (): upon receiving a query for the secret key of an identity ID, the challenger B accesses the tuple ⟨ID,  Case 1: assume that the identity ID has previously appeared in the public key replace query.
If (V) ̸ = 0, the challenger B can compute the initial secret key  ID = ( 1 ,  2 ) as in the initial key extract query.In addition, the challenger B computes the time update key  ID, = ( 1 ,  2 ) as in the time key update query.The challenger B then chooses a random value   ∈ Z *  and responds whit the signature Note that  is indeed a valid signature since (V) ̸ = 0 and, by the equalities in (6), where    =   −  1 (V)/(V).On the other hand, if (V) = 0, the challenger B first computes the time update key  ID, = ( 1 ,  2 ) as in the time key update query.Then, the challenge B chooses two random values  V ,   ∈ Z *  and responds with the signature Note that  is also a valid signature since, by (6), where    =   − ( +  1 (V))/(V).Case 2: assume that the identity ID has not previously appeared in the public key replace query.The challenger B computes the time update key  ID, = ( 1 ,  2 ) as in the time key update query.If (V) ̸ = 0, the challenger B can compute the initial secret key ( 1 ,  2 ) as in the initial key extract query and accesses the list  to obtain the corresponding secret key SK ID .The challenger B chooses a random value   ∈ Z *  and then responds with the signature If (V) = 0, then B chooses two random values  V ,   ∈ Z *  and responds with the signature (iii) Forgery.Assume that the adversary A generates a valid signature  * = ( 1 ,  2 ,  3 ,  4 ) for ID * on  * in  * , where ID * ,  * , and  * are the target identity, period, and message, respectively.The challenger B first accesses to the list  to obtain PK ID * = (PK 1 , PK 2 ).The challenger B then computes ), (V * ), (V * ), (V * ), (V * ), and (V * ).If (V * ) ̸ = 0, (V * ) ̸ = 0, or (V * ) ̸ = 0, the challenger B aborts.Otherwise, that is, when (V * ) = (V * ) = (V * ) = 0, the challenger B, by using (6), computes   as follows: 1 Thus, the challenger B resolves the computational Diffie-Hellman (CDH) problem.
Next, we proceed to the probability analysis for the simulation above.Note that if the simulation aborts, then the CDH problem will be unable to be computed by the challenger.In Forge phase, the adversary can generate a signature if the challenger can correctly response the adversary's queries in Phase 1 and do not abort in the security game.If the signature is valid, the challenger can use it to solve the CDH problem.Thus, the probability of the challenger not aborting in the security game is equal to the probability of solving the CDH problem.Hence, we list the events that the challenger B does not abort during the simulation process.
(1) In the phase of initial key extract query: if (V) ̸ = 0, the challenger B can correctly answer queries without aborting.
(2) In the phase of signing query: if (V) ̸ = 0, the challenger B can correctly respond queries without aborting.
Let   be the number of identities appearing in either initial key extract queries or signing queries not involving the challenge identity.In addition, let   be the number of identities with the period appearing in the time key update queries and let   be the number of messages in the signing queries involving the challenge identity.Clearly, we will have   <   +   ,   <   and   <   .To simplify the analysis, we define the events   : (V) ̸ = 0 mod  V for the th query (1 ≤  ≤   ),  * : (V * ) = 0 mod ,   : (V) ̸ = 0 mod   for the th query (1 ≤  ≤   ),  * : (V * ) = 0 mod , and  * : (V * ) = 0 mod .From the above analysis, the probability of the challenger B not aborting is Note that, if (V) = 0 mod  V , there will be a unique choice of  V with 0 ≤  V ≤   such that (V) = 0. Since  V ,   ,  1 , . . .,    are chosen randomly, we obtain that By similar arguments, we have We also have that Pr [ and, similarly, Hence, we can obtain that Pr [ We have set  V = 2(  +   ),   =   , and   = 2  in the setup at the beginning of the proof, and so the resulting probability of the challenger B not aborting is 16    (  +   ) (  + 1) (  + 1) (  + 1) . ( Since the adversary A that has an advantage  against the proposed certificateless signature scheme, the challenger B has an advantage to solve the CDH problem. For the queries, we observe that there are (  ) multiplications and (1) exponentiations in the initial key extract queries.There are (  ) multiplications and (1) exponentiations in the time update key queries.There are (  ) multiplications and (1) exponentiations in both the public key retrieve and the secret key extract queries.Moreover Before performing  and  between the adversary A and the challenger B, we define six functions , , , , , and  by Here, as before, Finally, for the cumbersome notations defined above, we conclude with four relations to which will be referred frequently in the sequel; namely, (ii) Queries.The challenger B maintains a list  of tuples of the form ⟨ID,  1 ,  2 , PK ID , SK ID ⟩.Initially the list is empty.First, without loss of generality, the challenger B picks a target identity ID  , selects a secret value  2 ∈ Z *  , and sets the public key PK ID  = (PK 1 , PK 2 ) = (  ,   2 ).Then, the challenger B adds the tuple ⟨ID  , ⊥,  2 , PK ID  , ⊥⟩ in the list .The adversary A may make a number of queries in an adaptive manner as follows.
(a) Public key retrieve query (): upon receiving a query for the public key of an identity ID, the challenger B responds to the query as follows.
(1) If ID appears in the list , the challenger B responds with the corresponding PK ID .(2) If ID does not appear in the list , the challenger B selects two secret values  1 ,  2 ∈ Z *  , sets the public key PK ID = (PK 1 , PK 2 ) = (  1 ,   2 ), and then com- The challenger B adds the tuple ⟨ID,  1 ,  2 , PK ID , SK ID ⟩ in the list  and returns PK ID as the query output.
Next, we proceed to the probability analysis for the simulation above.For convenience, we list the events that the challenger B does not abort during the simulation process.
(1) In the phase of signing query: if (V) ̸ = 0, the challenger B can correctly respond to queries without aborting.
(2) In the phase of forgery: if ID * = ID  and (V * ) = 0, the challenger B can perform the simulation without aborting.
Let   be the number of messages in the signing queries involving the challenge identity.Clearly, we will have   <   .
To simplify the analysis, we define the events   : (V) ̸ = 0 for the th query (1 ≤  ≤   ),  * : (V * ) = 0,  * : ID * = ID  .From the analysis above, the probability of the challenger B not aborting is The analysis of probability above is similar to Theorem 6.Here, we can obtain that Pr [ Since we have set   = 2  , the resulting probability of the challenger B not aborting is by noting that Pr[ * ] = 1/  .Since the adversary A has an advantage  against the proposed certificateless signature scheme, the challenger B has an advantage to solve the CDH problem.
For the queries, we observe that there are (  +   ) multiplications and (1) exponentiations in secret key extract queries.Moreover, there are (  +   +   +   +   ) multiplications and (1) exponentiations in the signing queries.So we have   =  + (((  +   ) ⋅   + (  +   +   +   +   ) ⋅   ) 1 + (  +   ) 2 ), where  1 and  2 denote the executing time of a multiplication and an exponentiation in G 1 , respectively.Theorem 8.Under the CDH assumption, the proposed RCLS scheme is secure against Type III adversary (revoked user).Concretely, if there is a revoked user that has an advantage  against the proposed scheme within a running time , then we can construct an algorithm to solve the CDH problem with an advantage Note that  is indeed a valid signature since (V) ̸ = 0 and, by the equalities in (38), where    =   −  1 (V)/(V).On the other hand, if (V) = 0, the challenger B first computes the initial secret key  ID = ( 1 ,  2 ) as in the initial key extract query.Then, the challenge B chooses two random values   ,   ∈ Z *  and responds with the signature Note that  is also a valid signature since, by , where    =   − ( +  1 (V))/(V).Case 2: assume that the identity ID has not previously appeared in the public key replace query.The challenger B computes the initial secret key  ID = ( 1 ,  2 ) as in the initial key extract query.If (V) ̸ = 0, the challenger B can compute the time update key  ID, = ( 1 ,  2 ) as in the initial key extract query and accesses the list  to obtain the corresponding secret key SK ID .The challenger B chooses a random value   ∈ Z *  and then responds with the signature If (V) = 0, then B chooses two random values   ,   ∈ Z *  and responds with the signature  (48) Thus, the challenger B resolves the computational Diffie-Hellman (CDH) problem.

Discussions and Comparisons
Here, we compare our RCLS scheme with the previously proposed CLS schemes in the standard model [16][17][18]21].Table 1 presents the comparisons between those schemes and ours in terms of computational cost and security property.
In the signature procedure, our scheme requires only 2 exp operations and the other schemes require at least 6 exp operations, where  exp is the time for executing an exponentiation operation in G 1 .In the verification procedure, our scheme requires 7  operations, where   denotes the time for executing a pairing operation ê.Our scheme requires more pairing operations than the others but it provides the security against both Type I and Type II adversaries.As for the security analysis, as mentioned in Section 1, all the existing CLS schemes in the standard model suffer from outsiders' key replacement attacks (Type I adversary) or KGC attacks (Type II adversary).We emphasize that our scheme provides a full security against both Type I and Type II adversaries.
In addition, our scheme provides a public revocation mechanism, while the existing CLS schemes did not.As for security assumptions, our scheme is based on the standard CDH assumption, while the others are based on nonstandard assumptions, such as the non-pairing-based generalized bilinear Diffie-Hellman (NGBDH), many Diffie-Hellman (Many-DH), augmented computational Diffie-Hellman (AC-DH), and 2-many Difffie-Hellman (2-Many-DH) assumptions.
Furthermore, to reduce the KGC's computational cost, one may adopt the technique in [37] by employing a delegated revocation authority (DRA) to generate users' time update keys.In Figure 1, we illustrate how the DRA assists the KGC in revoking misbehaving/compromised users.First, the KGC generates the public parameters params, the system secret key   2 and the time secret key   2 .Secondly, the KGC transmits the time secret key   2 to the DRA by using a secure channel, and then the DRA can use it to generate users' time update keys and send them to users via a public channel.Finally, in order to revoke some misbehaving/compromised users, it only stops issuing the current time update keys to those users.The PKG uses g  2 to compute The DRA uses g  2 to compute the user's time update key T ID,t = (T 1 , T 2 ) Public key PK ID = (PK 1 , PK 2 ) Secret key SK ID

Conclusions
In this article, we proposed the first secure revocable certificateless signature scheme in the standard model under an extended model of Hu et al. 's.We formally demonstrated that our scheme possesses existential unforgeability against adaptive chosen-message attacks from Type I, Type II, and Type III adversaries under the standard computational Diffie-Hellman assumption.Moreover, Table 1 indicates that our scheme owns better security than the others under consideration.Finally, an interesting and nontrivial issue, namely, constructing a strongly unforgeable certificateless signature scheme, is worth studying.We leave it as future work.

( b )
Secret key extract query (): consider such a query along with an identity ID.If ID = ID  , the challenger B aborts.If ID ̸ = ID  and ID appears in the list , the challenger B accesses the tuple ⟨ID,  1 ,  2 , PK ID , SK ID ⟩ in the list  and responds with SK ID .If ID ̸ = ID  and ID does not appear in the list , the challenger B runs the user key generation algorithm to add the tuple ⟨ID,  1 ,  2 , PK ID , SK ID ⟩ in the list  and then responds with SK ID so obtained.(c) Signing query (, , ,   ): consider a query for a message , an identity ID, a period , and a public key PK ID = (PK 1 , PK 2 ).The challenger B first sets V =   (ID), V =   (ID, ), V =   (PK 1 , PK 2 ), V =   (PK 1 , PK 2 ), and V =   ().B then computes (V), (V), (V), (V), (V), and (V).If (V) = 0, the challenger B reports failure and terminates.Otherwise, the challenger B considers the following two cases.Case 1: if ID = ID  , the challenger B runs the initial key extract and time key update algorithms to obtain the initial secret key  ID = ( 1 ,  2 ) and the time update key  ID, = ( 1 ,  2 ).The challenger B chooses a random value   ∈ Z *  and then responds with the signature

Figure 1 :
Figure 1: The generation of a user's full signing key.
[12]e then, Hu et al. 's security model is generally adopted to formalize the security of CLS schemes.By modifying Hu et al. 's framework and security notion for CLS schemes[12], we present a framework of our RCLS scheme by adding time key update algorithm.Under this new framework, a user's partial private key consists of two components, namely, an initial secret key (fixed since being issued) and a time update key (altered every period of time).As a result, the issue on time update key queries must be addressed in the security notion for CLS schemes.
Definition 2. A revocable certificateless signature (RCLS) Signing query (, , ).When A issues this query with (ID, , ), the challenger B uses the initial secret key  ID , the time update key  ID, , and the secret key SK ID to run the signing algorithm to obtain a signature  on the message .The challenger B then returns  to A no matter whether the identity ID appears in the public key replace query or not.Forgery.The adversary A outputs (ID * ,  * ,  * ,  * ). ) is "accept." (2) (ID * ,  * ,  * ) has never been submitted during the signing query process.
1) If ID appears in the list , the challenger B responds with the corresponding PK ID .(2) If ID does not appear in the list , the challenger B selects two secret values  1 ,  2 ∈ Z *  , sets the public key PK The challenger B adds the tuple ⟨ID,  1 ,  2 , PK ID , SK ID ⟩ in the list  and returns PK ID as the query output.(b) Public key replace query (,    ): upon receiving a query to replace the public key of an identity ID, the challenger B accesses the tuple ⟨ID,  1 ,  2 , PK ID , SK ID ⟩ in the list .If ID appears in the list , the challenger B replaces PK ID with PK  ID .If ID does not appear in the list , the challenger adds the tuple ⟨ID, ⊥, ⊥, PK ID , ⊥⟩ in the list .(c) Initial key extract query (): upon receiving a query for the initial secret key of an identity ID, the challenger B first sets V =   (ID), and then computes (V) and (V).If (V) = 0, the challenger B aborts.Otherwise, the challenger B chooses a random value  V ∈ Z  and responds with the initial secret key  ID generated by Time key update query (, ): upon receiving a query for the time update key of an identity ID in a period , the challenger B first sets V =   (ID, ) and then computes (V).The challenger B chooses a random   ∈ Z  and uses the time secret key  to compute the time update key as follows: 1 ,  2 , PK ID , SK ID ⟩ in the list .If ID appears in the list , the challenger B responds with SK ID .If ID does not appear in the list , the challenger B runs user key generation algorithm to add the tuple ⟨ID,  1 ,  2 , PK ID , SK ID ⟩ in the list  and responds with SK ID .

Table 1 :
Comparisons between our scheme and the previously proposed schemes.