A New Provably Secure Certiﬁcateless Signature with Revocation in the Standard Model

. The primitive of certiﬁcateless signature, since its invention, has become a widely studied paradigm due to the lack of key escrow problem and certiﬁcate management problem. However, this primitive cannot resist catastrophic damage caused by key exposure. Therefore, it is necessary to integrate revocation mechanism into certiﬁcateless signature. In this paper, we propose a new certiﬁ-cateless signature scheme with revocation (RCLS) and prove its security under the standard model. In the meanwhile, our scheme can resist malicious-but-passive Key Generation Center (KGC) attacks that were not possible in previous solutions. The theoretical analysis shows our scheme has high eﬃciency and practicality.


Introduction
In the traditional public key infrastructure (PKI) based signature system (ElGamal, 1985), the user's identity is bound to the corresponding public key through a certificate which is issued by a trusted certificate authority. Obviously, the complex and expensive certificate management has become an obstacle to the development of PKI-based system. Therefore, the notion of identity-based (shorten as ID-based) signature scheme (Shamir, 1984) has been proposed to alleviate this problem. In ID-based signature, users' public keys are their unique identity information that is publicly known, while the user's private key is created by a private key generator (PKG) with a master secret key. In this way, the certificate is eliminated in ID-based signature because the public key is derived from the identity of the user. Since the private key of all users is created by PKG, the signature of any entity can easily be forged by PKG, which results in the notorious key escrow problem. Thankfully, the certificateless signature (CLS) system (Al-Riyami and Paterson, 2003) preserves the advantages of eliminating the required certificates in ID-based signature while avoiding key escrow problem. In a CLS-based system, the private key includes the secret value chosen by the entity itself and the partial private key generated by the Key Generation Center (KGC). It is easy to observe that the key escrow problem was solved successfully.
For any public key system, it is indispensable to have the function of revocation. Imagine a situation in which the employee in charge of confidential documents in the company is leaving. In order to ensure that confidential files are not disclosed, the private key held by the employee must be revoked. Similarly, with the frequent use of signature operations in the signature system, private keys are inevitably leaked. In this case, the user with the compromised key is no longer reliable. In the traditional public key system, the revoked public key can be known by the user through the certificate revocation list (CRL) (Housley et al., 2002). Apparently, this method does not apply to the certificateless cryptosystem due to the lack of certificates. So far, there are two revocation mechanisms in the process of certificateless public key cryptosystem development. One mechanism is to split the partial private key of the user generated by KGC into two parts, one is delivered to the user and the other is sent to the Security Mediator (an online mediator) (Ju et al., 2005;Yap et al., 2007). In this approach, the Security Mediator is required to create each signature which causes expensive burden. Moreover, it is necessary for the Security Mediator to maintain large quantities of secret keys which makes it easier for an attacker to compromise a key. Different from the Security Mediator based revocation approach, another certificateless system with revocation has been introduced where the user's partial private key is updated in period time (Tsai and Tseng, 2015). When the user's private key is compromised or the user leaves, KGC stops updating the partial private key. Nevertheless, most existing schemes in this mechanism prove their security under the random oracle model. This paradigm is to model the hash function as random oracles in the security proof. Unfortunately, when random oracles are instantiated by a concrete hash function, these schemes are vulnerable to be broken (Canetti et al., 2004). Tsai et al. (2014) introduced a CLS scheme with revocation mechanism, whose security was theoretically proven by using the idea of standard model. However, we observed that the proposed scheme is neither efficient nor can resist malicious-but-passive KGC attacks.
For the above reasons, we propose a new certificateless signature scheme with revocation (RCLS) and prove its security under the standard model. In our scheme, the partial private key issued by the KGC is spilt into two independent parts, where the former is associated with the identity of the user and the latter is related to the time period. In the meanwhile, our scheme can resist malicious-but-passive KGC attacks. Specific contributions are as follows: 1. This paper first reveals the insecurity of the scheme in Tsai et al. (2014), and displays the forgery attack as well as the reason why their scheme is easily broken. 2. Next, this paper proposes a new certificateless signature scheme with revocation, whose security proof is provided in the standard model based on the Computational Diffie-Hellman assumption. And the attack mounted by the malicious-but-passive KGC is able to be resisted in our scheme. 3. Finally, by comparing the performance and properties with related works, the RCLS scheme in this paper outperforms the existing works.

Related Work
Al- Riyami and Paterson (2003) first introduced the notion of certificateless signature (CLS) scheme and gave a concrete construction of CLS scheme. In the CLS scheme, users' private key was divided into two parts. One part is chosen by users themselves and another part is generated by a third party called KGC, which successfully avoids the key escrow problem. Thanks to maintaining the advantages of eliminating the required certificates in ID-based signature while avoiding key escrow problem, much attention has been paid to the research of CLS. After Al-Riyami and Paterson (2003) proposed the first CLS scheme, dozens of CLS schemes were proposed in terms of different research lines (Jia et al., 2018;Huang et al., 2005;Karati et al., 2018b;He et al., 2012;Xiong et al., 2019). By considering the criticism of random models, Liu et al. (2007) proposed the first concrete CLS scheme which was proved to be secure in the standard model. Unfortunately, Xiong et al. (2008) (2018a) proposed a CLS scheme which makes it possible to prove security in the standard model. In short, most of the existing schemes proposed in the standard are insecure. The idea of revocation was first proposed by Boneh et al. (2001) and was used in RSA-type cryptosystems. In their scheme, a semi-trusted server called Security Mediator (SEM) is introduced to issue tokens. If a user wants to sign or decrypt a message, he/she must get the token for the message. The scheme revokes the ability of the user to sign or decrypt by stopping issuing tokens to the user. Following the works of Boneh et al. (2001), some well-designed schemes have been constructed in certificateless cryptosystem. Chow et al. (2006) introduced the concept of Security Mediator into the certificateless (SMC) cryptosystem for the first time, and proposed a formal security model. After that, the first pairing-free provable secure SMC scheme as well as a concrete construction was presented by Yap et al. (2007). Unfortunately, SEM is involved in the generation of each signature which causes expensive burden. Furthermore, it is necessary for the Security Mediator to preserve large numbers of secret keys which makes it easier for an attacker to compromise a key. To deal with this problem, Tsai and Tseng (2015) proposed a new RCLS scheme. In their scheme, the user's partial private key is updated in period time. When the user's private key is compromised or the user leaves, KGC stops updating the partial private key. At the same time, Shen et al. (2013) showed an efficient certificateless encryption (CLE) with the function of revocation, which was proved to be CCA2-secure under the standard model. Xiong and Qin (2015) presented an RCLS scheme which can resist signing key exposure and applied it into the wireless body area networks. However, Shim (2018b) pointed out that Xiong et al.'s scheme is vulnerable to the type I adversary. Sun et al. (2014) proposed an RCLS schemes from bilinear pairings that was proved to be secure in the random oracle model. To eliminate the random oracle model, Tsai et al. (2014) introduced an RCLS scheme which was proven in the standard model. However, in this paper, Tsai et al.'s scheme is demonstrated to be neither efficient nor resistant to malicious-but-passive KGC attacks. After that, many CLS or CLE schemes with revocation mechanism were presented in the literature (Zhang et al., 2015;Hung et al., 2016;Sun et al., 2018;Zheng et al., 2017). However, most of the existing schemes cannot resist malicious-but-passive KGC attacks.

Organization
This paper's structure is as follows: some preliminaries including bilinear pairings, complexity assumption, system framework and security notions are introduced in Section 2. Section 3 briefly analyses Tsai et al.' scheme and then displays a forgery attack about their scheme. A concrete RCLS scheme and associated security proof are demonstrated in Section 4. Section 5 provides the performance evaluation. Section 6 summarizes this paper.

Preliminaries
This section describes some mathematical knowledge, formal definition and security model, which are utilized in the proposed revocable certificateless signature scheme.

Bilinear Pairing
Chosen two multiplicative cyclic groups G, G T of prime order p, given two random generators u, v of G, the bilinear mapê : G × G → G T needs to satisfy the following features: 3. Computability: There exists an algorithm to compute bilinear mapê : G × G → G T .

Mathematical Concept and Assumption
• Computational Diffie-Hellman (CDH) Problem: Given a tuple (g, g a , g b ) to calculate g ab where a, b ∈ Z * p , g ∈ G.
• Computational Diffie-Hellman (CDH) Assumption: The CDH assumption in G holds if there does not exist polynomial-time algorithm B to solve the CDH problem with non-negligible advantage formulated as

Outline of RCLS
An RCLS scheme consists of eight algorithms whose details are depicted below.
• Setup: A KGC produces a system master secret key SSK and system public parameters SPP on input the security parameter k. • Partial-Private-Key-Extraction: A KGC produces a partial private key PPK ID on input SPP, SSK and an identity ID. • Time-Key-Update: A KGC produces the time key TK T on input SSK, ID and a time period T . • Secret-Value-Generation: A user with identity ID calculates the secret value sv ID on input SPP. • Public-Key-Generation: A user calculates the public key PK ID on input SPP, ID and the secret value sv ID of this identity ID. • Secret-Key-Generation: A non-revocation user calculates the full secret key SK ID on input SPP, ID, sv ID and the corresponding PPK ID and TK T . • RCL-Sign: A signer produces a signature σ on input SPP, ID, sv ID , SK ID and a message M. • RCL-Verify: A verifier outputs VALID or INVALID to demonstrate signature σ 's validity on input SPP, ID, σ, M, T , PK ID .

Security Model of RCLS
According to the scheme (Al- Riyami and Paterson, 2003), there are two kinds of attackers in the certificateless signature setting, which are usually called the Type-I adversary A I and Type-II adversary A II . A I models a malicious user who has the right to replace a legitimate user's public key without knowing the system master secret key. A II models a malicious-but-passive KGC who has knowledge of the system master secret key while is not allowed to replace any public key. For a RCLS scheme's security, there is one more adversary called a revoked user A ru who cannot obtain the time key but still has the right to replace the public key (Sun et al., 2014). To better explain the attacking ability of these adversaries, we first define six oracles that adversary A ∈ {A I , A II , A ru } can access.
• Public-Key-Extract Query: After receiving an identity ID, this oracle produces the user's public key PK ID . • Partial-Private-Key-Extract Query: After receiving ID, this oracle produces the user ID's partial private key PPK ID . • Time-Key-Update Query: After receiving (ID, T ), this oracle produces the time key TK T . • Secret-Value-Extract Query: After receiving ID, this oracle produces the user ID's secret value sv ID . • Public-Key-Replace Query: After receiving (ID, PK ′ ID ), a user ID's public key is replaced with PK ′ ID through this oracle. • RCL-Sign Query: After receiving ID, T , PK ID and a message M, this oracle produces a valid signature σ .

D
1. An RCLS scheme is existentially unforgeable (EUF) against a (t, q PK , q PPK , q TK , q SV , q PKR , q S ) Type-I adaptively chosen message (CMA) adversary A I if A I runs in polynomial time t, makes at most q PK queries to the oracle Public-Key-Extract Query, q PPK queries to the oracle Partial-Private-Key-Extract Query, q TK queries to the oracle Time-Key-Update Query, q SV queries to the oracle Secret-Value-Extract Query, q PKR queries to the oracle Public-Key-Replace Query, q S queries to the oracle RCL-Sign Query and wins in Game I with a negligible advantage.
Game I. Setup: A challenger B generates the system master secret key SSK and system public parameters SPP by performing the algorithm Setup. After that, B returns SPP to A I .
Query: A I queries onto all oracles defined above adaptively. Forgery: After finishing all queries, A I outputs a forged signature σ * on the message M * .
Game II.
Setup: A challenger B generates the system secret key SSK and system public parameters SPP by performing the algorithm Setup. After that, B returns SPP and SSK to A II .
Query: A II queries onto those oracles defined above adaptively except for the oracle Partial-Private-Key-Extract Query and the oracle Time-Key-Update Query.
Forgery: After finishing all queries, A II outputs a forged signature σ * on the message M * .

D
3. A RCLS scheme is (t, q PK , q PPK , q TK , q SV , q PKR , q S )-EUF-CMA-secure for a revoked user A ru if A ru wins in Game III with a negligible advantage.
Game III. Setup: A challenger B generates the system secret key SSK and system public parameters SPP by performing the algorithm Setup. After that, B returns SPP to A ru .
Query: A ru queries onto all oracles defined above adaptively. Forgery: After finishing all queries, A ru outputs a forged signature σ * on the message M * .
Note that, when the forgery satisfies the following requirements, adversary A ∈ {A I , A II , A ru } will win the above Game I, Game II and Game III: 1. If A ∈ A I , A has never queried the oracle Partial-Private-Key-Extract Query with ID * . 2. If A ∈ A II , A has never queried the oracle Secret-Value-Extract Query with ID * nor queried the oracle Public-Key-Replace Query with PK ID * . 3. If A ∈ A ru , A has never queried the oracle Time-Key-Update Query with (ID * , T * ). 4. A has never queried the oracle RCL-Sign Query with (ID * , M * , T * ). 5. VALID ← RCL-Verify(SPP, ID * , σ * , M * , T * , PK ID * ).

A Brief Analysis of Tsai et al.'s Scheme
This section first sketches out the certificateless signature with revocation scheme of Tsai et al. (2014), and then demonstrates that Tsai et al.'s RCLS scheme cannot resist the malicious-but-passive KGC attacks.

Overview of Tsai et al.'s RCLS Scheme
where n u , n t , n m , n s , n k , are fixed lengths from Z.
• Setup: Taken k as the security parameter, KGC generates a bilinear mapê : G ×G → G T , where G, G T are cyclic groups of order p. Furthermore, KGC picks x, y ∈ Z * p , g, g 1 , g 2 ∈ G and calculates g 1 = g x+y , SSK = g x 2 , where g, SSK denote a generator of G and the system secret key respectively. In addition, let g y 2 denotes the time secret key. After that, KGC randomly selects Finally, KGC issues the system public parameters SPP = G, G T ,ê, g, g 1 , g 2 , U, T, K, S, M, • Partial-Private-Key-Extraction: After receiving SSK, SPP, and a user's identity ID, KGC will first calculate a set as ν = H 0 (ID) = {ν 1 , ν 2 , . . . , ν n u }. Then KGC calculates the user's partial private key PPK ID = (PPK (1) , PPK (2) ) = (g x 2 (u ′ n u i=1 u ν i i ) r ν , g r ν ) where r ν is randomly selected by KGC from Z * p . • Time-Key-Update: Upon receiving SSK, ID and a time period T , KGC calculates a set as νt = H 1 (ID, t) = (νt 1 , νt 2 , . . . , νt n t ), and sets the time key TK T = (TK (1) , TK (2) ) = (g y 2 (t ′ n t i=1 t νt i i ) r t , g r t ) where r t is randomly selected by KGC from Z * p . • Secret-Value-Generation: A user with identity ID randomly picks x 1 , x 2 ∈ Z * p and sets the secret value sv ID = (x 1 , x 2 ).

Forgery Attack of Tsai et al.'s Scheme
Tsai et al. alleged that their scheme (Tsai et al., 2014) was secure against Type-I and Type-II adversaries under the standard model. After a careful investigation, however, we found that their scheme was insecure against a Type-II adversary. Then we show a concrete attack instance to demonstrate that the scheme in Tsai et al. (2014) is so vulnerable that any malicious-but-passive KGC, A II , can forge a valid signature of message M * for identity ID * . The attack is as follows: (1) A II randomly selects α, β, γ ∈ Z * p and calculates g * 2 = g γ , k ′ * = g α , s ′ * = g β .
Other parameters in the system master secret key and system public parameters are generated normally by the KGC. Finally, A II publishes these public parameters.
(2) By making a hash query on (PK (1) , PK (2) ), A II can obtain the hash value vu, vs. Then A II can calculate k (3) A II randomly picks a, b, c ∈ Z * p and calculates σ * 2 = g a , σ * 3 = g b , σ * 4 = g c . (4) A II calculates σ * 1 = g γ 1 · (u ′ n u i=1 u ν i i ) a · (t ′ n t i=1 t νt i i ) b · (PK (1) ) (γ +α+ n k i=1 α i νu i ) · (PK (2) ) (β+ ns i=1 β i νs i ) · (m ′ n m i=1 m νm i i ) c . (5) The signature on the message M * is σ * = (σ * 1 , σ * 2 , σ * 3 , σ * 4 ). Anyone can verify the signature σ * through performing the algorithm RCL-Verify, which is to check whether the equationê(g, σ * 1 ) ? =ê(g 1 , g * 2 ) ·ê(σ * 2 , u ′ n u i=1 u ν i i ) · e(σ * 3 , t ′ n t i=1 t νt i i ) ·ê(PK (1) , g * 2 (k ′ * n k i=1 k νu i i )) ·ê(PK (2) , s ′ * n s i=1 s νs i i ) ·ê(σ * 4 , m ′ n m i=1 m νm i i ) holds. This verification will hold due to the following fact: Notice that A II neither knows sv ID = (x 1 , x 2 ) nor replaces (PK (1) , PK (2) ). Thus, the RCLS scheme of Tsai et al. cannot withstand the forgery attack mounted by a malicious-but-passive KGC. The underlying reason is that the user secret value sv ID is embedded in the signature inappropriately such that the user public key g x 1 , g x 2 can be utilized by the malicious-but-passive KGC to forge the signature with the support of the random numbers associated with the system parameters. Specially, SK ID = g i ) x 2 has been regarded as one factor in the generation of signature σ 1 , and this factor can be easily generated by raising the g x 1 , g x 2 with the exponentiations α, β, γ , α i , β i . Therefore, it is easy to forge the signature σ to make the equation hold in the algorithm RCL-Verify.

Our Proposed RCLS Scheme
This section describes a revocable certificateless signature scheme without random oracles and presents the concrete construction. Afterwards, this section represents the security analysis, which demonstrates that our proposed RCLS scheme is EUF-CMA-secure in the standard model.

Construction
Inspired by a certificateless signature scheme in the standard model that can resist the malicious-but-passive attacks (Shim, 2018a), we construct a certificateless signature scheme with revocation in the standard model. In the proposed scheme, it is possible to construct a RCLS scheme secure against the Type-I and II attackers as well as the malicious-but-passive attacks by using the term (g x 2 3 ) x −1 1 . To be specific, although a malicious KGC calculates g 3 as g ω of its own choice ω to implement the malicious-but-passive attack, the malicious KGC cannot calculate (g x 2 3 ) x −1 1 without the knowledge of x 1 . In other words, if one uses g x 2 3 instead of (g x 2 3 ) x −1 1 , the malicious KGC can calculate g x 2 3 by calculating (g x 2 ) ω from the known user's public key g x 2 . In fact, there does not exist a probabilistic polynomial-time algorithm that can calculate g x 2 3 with non-negligible advantage on inputting g, g ω , g x 2 . Besides, there does not exist a probabilistic polynomial-time algorithm that can calculate (g x 2 3 ) x −1 1 with non-negligible advantage on inputting g 3 , g x 1 3 , g x 2 3 , which is equivalent to the CDH problem according to Bao et al. (2003). The detail description of the proposed RCLS scheme is presented as follows: Define three collision-resistant hash functions H 0 : {0, 1} * → {0, 1} n u , H 1 : {0, 1} * → {0, 1} n t , H 2 : {0, 1} * → {0, 1} n m , where n u , n t , n m are fixed lengths from Z.
• Partial-Private-Key-Extraction: After receiving SSK, SPP, and a user's identity ID, KGC will first calculate a set as . . , n u }. Then KGC calculates the user's partial private key PPK ID = (PPK (1) , PPK (2) ) = (g x 2 f 1 (F ID ) r u , g r u ) where r u is randomly selected by KGC from Z * p .  (1) , TK (2) ) = (g y 2 f 2 (F ID,t ) r t , g r t ) where r t is randomly selected by KGC from Z * p . • Secret-Value-Generation: A user with identity ID randomly picks x 1 , x 2 ∈ Z * p and sets the secret value sv ID = (x 1 , x 2 ).
Proof. Assume that A I is a Type-I attacker against the proposed scheme. There is a t ′ -time algorithm B that can solve the CDH problem with advantage at least ǫ ′ by interacting with A I . Let g be a generator of G, g a , g b be two elements of G where a, b ∈ Z * p . The algorithm B can compute g ab as the solution of CDH problem by simulating a challenger for A I .
Setup: B sets l u = 2(q PPK + q S ), l m = 2q S . Suppose that l u (n u + 1) p, l m (n m + 1) p. Next B randomly selects two integers k u , k m with 0 k u n u , 0 k m n m . Afterwards, the following integers are selected by B: Besides, B defines five functions for u = H 0 (ID), ut = H 1 (ID, t), m = H 2 (M, ID, PK ID ) as follows: After that, B randomly selects α ∈ Z * p , then sets the following parameters g 1 = g a g α , and constructs the following equations: Query: Attacker A I performs queries adaptively as following: • Public-Key-Extract Query: At first, B maintains a list L PK = {(ID, sv ID , PK ID )} in order to respond to these queries. When an identity ID is supplied to this oracle, B inspects the list L PK : (1) If the tuple (ID, sv ID , PK ID ) exists in L PK , B answers to A I with PK ID .
(2) If the tuple (ID, sv ID , PK ID ) doesn't exist in L PK , B randomly picks x 1 , x 2 ∈ Z * p , calculates g x 1 , g x 2 , and sets sv ID = (x 1 , x 2 ), PK ID = (g x 1 , g x 2 ). After that, B answers to A I with PK ID and inserts the tuple (ID, sv ID , PK ID ) into L PK .
• Partial-Private-Key-Extract Query: At first, B maintains a list L PPK = {(ID, PPK ID )} in order to respond to these queries. When an identity ID is supplied to this oracle, B inspects the list L PPK : (1) If the tuple (ID, PPK ID ) exists in L PPK , B answers to A I with PPK ID .
(2) If the tuple (ID, PPK ID ) doesn't exist in L PPK , and F 1 (u) = 0 mod p, B randomly picks r u ∈ Z * p and calculates After that, B answer to A I with PPK ID and inserts the tuple (ID, PPK ID ) into L PPK . (3) Otherwise, B outputs "failure" and discontinues.
• Time-Key-Update Query: When a tuple (ID, T ) is supplied to this oracle, B randomly selects r t ∈ Z * p and calculates the time key TK T = (TK (1) , TK (2) ) = (g α 2 f r t 2 (T ), g r t ). • Secret-Value-Extract Query: When an identity ID is supplied to this oracle, B inspects the list L PK : (1) If the tuple (ID, sv ID , PK ID ) exists in L PK , B answers to A I with sv ID .
(2) If the tuple (ID, sv ID , PK ID ) doesn't exist in L PK , B makes a Public-Key-Extract Query with ID to obtain (PK ID , sv ID ). After that, B updates (PK ID , sv ID ) into L PK and answers to A I with sv ID .
• Public-Key-Replace Query: When an identity (ID, PK ′ ID ) is supplied to this oracle, B inspects the list L PK : (1) If the tuple (ID, sv ID , PK ID ) exists in L PK , B sets PK ID = PK ′ ID , sv ID = sv ′ ID and then updates (PK ID , sv ID ) into L PK . (2) If the tuple (ID, sv ID , PK ID ) doesn't exist in L PK , B first makes a Public-Key-Extract Query with ID to obtain (PK ID , sv ID ). And then B sets PK ID = PK ′ ID , sv ID = sv ′ ID . After that, B updates (PK ID , sv ID ) into L PK .
(2) If the tuple (ID, sv ID , PK ID ) doesn't exist in L PK , B makes a Public-Key-Extract Query with ID and then repeats step (1).
Now we analyse the probability that B can solve the given CDH problem instance. At first, let u 1 , . . . , u q U be the H 0 's result that appears in either Partial-Private-Key-Extract Query or in RCL-Sign Query but not including the algorithm's identity ID * . Let ut 1 , . . . , ut q T be the H 1 's result that appears in Time-Key-Update Query. Let m 1 , . . . , m q M be the H 2 's result that appears in RCL-Sign Query including all identity ID. Obviously, there are q U q PPK + q S , q T q TK and q M q S . Next, we define the following events for simplifying the probability analysis.
(1) E i (i = 1, . . . , q U ): F 1 (u i ) = 0 mod l u , in other words, B does not discontinue in the A I 's Partial-Private-Key-Extract Query.
Proof. The proof of Theorem 2 is similar to that of Theorem 1 and the detail of the proof is omitted here.
Proof. The proof of Theorem 3 is similar to that of Theorem 1 and the detail of the proof is omitted here.

Performance Evaluation
This section investigates the property of the proposed scheme and its performance in terms of computational and communication overhead. Table 1 demonstrates the properties of different schemes in respect of the security level, revocation mechanism, security model and security assumption for the existing RCLS schemes (Tsai et al., 2014;Xiong and Qin, 2015;Hung et al., 2016;Zheng et al., 2017) and our proposed scheme. Here, the symbol " " represents that the scheme satisfies the property and "×" represents that the scheme does not satisfy the property. "ROM" and "SM" denote that the security model is the random oracle model and the standard model, respectively. Obviously, our proposed scheme holds all properties. Especially, our proposed RCLS scheme is provably secure in the standard model and resists the attack mounted by the malicious-but-passive KGC. Table 2 shows theoretical evaluation of the signature size, signing and verification cost. In the computational overhead comparison, there are five operations that are considered:  pairing, scalar multiplication, multiplication in G, exponentiation in G T and hash operations, which are denoted by P , SM, M, E and H respectively. Especially, it is known that the pairing operation and the scalar multiplication on a curve make up the major part of the computational complexity. In the communication overhead comparison, signature size is measured with respect to the number of group elements. From Table 2, it is readily to observe that Hung et al.' scheme (Hung et al., 2016) has better performance than the schemes in Tsai et al. (2014), Xiong and Qin (2015), Zheng et al. (2017) and our presented scheme in terms of computation and communication overhead. However, the scheme of Hung et al. (2016) was constructed in the random oracle model. Although the scheme of Tsai et al. (2014) was constructed without random oracles same as our scheme, their scheme needs more verification cost and cannot resist the malicious-but-passive attacks. Therefore, our proposed scheme is more secure and efficient in actual life.

Conclusion
This paper first analyses a certificateless signature scheme with revocation of Tsai et al. (2014), which was proved to be secure without random oracles. However, this paper demonstrates that their scheme is insecure against the malicious-but-passive attacks.
Considering that there does not exist a secure RCLS scheme under the standard model at present, this paper constructs a new and provably secure RCLS scheme without random oracles.
To explain readily the proposed revocable certificateless signature scheme, this paper formalizes the RCLS scheme's definition and security model. Furthermore, a concrete RCLS construction scheme is given, whose security analysis is proved in the standard model with CDH assumption. Compared to the existing solutions, the RCLS proposed in this paper is more efficient and secure.