Efficient and secure pairing-free certificateless directed signature scheme

N.B. Gayathri a, T. Gowri b, R.R.V. Krishna Rao a, P. Vasudeva Reddy a,⇑

a Department of Engineering Mathematics, Andhra University, Visakhapatnam, India
b Department of Electronics and Communication Engineering, GITAM University, Visakhapatnam, India

Article info

Article history:
Received 17 November 2017
Revised 26 February 2018
Accepted 28 February 2018
Available online xxxx

Keywords:
Public key cryptography
Certificateless signature
Directed signatures
Random oracle security model
Elliptic curve discrete logarithm problem

Abstract

In an ordinary signature scheme, anyone can verify the validity of a signature produced by the signer. But public verifiability of signatures is not desirable in some applications where the signed message is sensitive to the signature receiver, for example signatures on medical records or tax information. To meet this requirement, the concept of a directed signature was introduced. A directed signature scheme is a kind of signature scheme in which the verification ability is controlled by the signer. Many directed signature schemes have been proposed in different cryptographic settings, and most of them use bilinear pairings over elliptic curves. But the computation of a bilinear pairing is very expensive. Hence schemes that use pairings are less efficient and not widely applicable in practice. To improve computational and communication efficiency, in this paper we propose a pairing-free certificateless directed signature scheme. The proposed scheme is proven secure in the random oracle model under the assumption that the elliptic curve discrete logarithm problem is hard. We compare our scheme with well-known existing schemes, and the efficiency analysis shows that the proposed scheme is more efficient.

© 2018 Production and hosting by Elsevier B.V. on behalf of King Saud University.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

1. Introduction

The digital signature is one of the fundamental and useful cryptographic primitives; it provides authentication and non-repudiation for digital communications. To implement digital signatures in real-world applications, different features and properties need to be considered to make them adequate and proper for different usages. Many digital signature schemes with different properties, such as proxy signatures, blind signatures, multi-signatures, group signatures and ring signatures, have been proposed in the literature in different cryptographic settings, such as traditional public key infrastructure (PKI) (Diffie and Hellman, 1976) and the identity-based cryptosystem (Shamir, 1984).

The security of traditional PKI is based on the certificate, signed by a certification authority (CA), containing the relationship between the key pair, i.e., a public key and a private key, and the user's identity and legitimacy. But certificate management leads to extra storage, large computation and communication costs. In contrast to traditional PKI, the identity-based cryptosystem (IBC) (Shamir, 1984) does not need any certificate to ensure the authenticity of the public/private key pair. In this system, the public key of a user is derived from the user's identity and the secret key is generated by a trusted third party called the Private Key Generator (PKG). Though IBC successfully eliminates the necessity of certificates, it suffers from the inherent key escrow problem.

Later, Al-Riyami and Paterson (2003) introduced a novel system called certificateless public key cryptography (CL-PKC). This approach neither suffers from the key escrow problem nor requires any certificates, and so it can be viewed as a model between traditional PKI and ID-PKC.

1.1. Related work

In an ordinary digital signature scheme, anyone can verify the validity of a signature using the signer's public key. But public verifiability of signatures is not desirable in some applications where the signed message is sensitive to the signature receiver, for example, signatures on medical records, tax information etc. Consider the situation: suppose hospital authority A has issued a medical record of a patient in the form of a digital signature. The patient wants to exclusively verify this signature without others being able to check its validity, because otherwise his health problems will be exposed. After a period of time, the patient also wants to prove the validity of his medical record to

⇑ Corresponding author.
E-mail addresses: gowri.thumbur@gitam.edu (T. Gowri), vasucrypto@andhrauniversity.edu.in (P. Vasudeva Reddy).
Peer review under responsibility of King Saud University.

Journal of King Saud University – Computer and Information Sciences xxx (2018) xxx–xxx
https://doi.org/10.1016/j.jksuci.2018.02.016
1319-1578/© 2018 Production and hosting by Elsevier B.V. on behalf of King Saud University.