Cryptanalysis on Du-Wen Certificateless Short Signature Scheme

Cryptanalysis on Du-Wen Certificateless Short Signature Scheme C.I. Fan, R.H. Hsu, and P.H. Ho Joint Workshop on Information Security Presenter: Yu-Chi Chen

Outline. • Review of Hu et al.’s paper • Review of Du and Wen’s CLS scheme • Fan et al.’s improved CLS scheme • Conclusion

Review of Hu et al’s paper • Hu et al.’s remedy: • The public key is inserted into the partial-private-key.

Hu et al.’s remedy: • Achieving level-3 security. • KGC does not know any user's secret value and cannot act as any user by generating a false partial private key without being detected.

Review of DW CLS scheme • This scheme is presented by Chun-Yen Lee in 2009/12/29. • Title: Efficient and provably-secure certificateless short signature scheme from bilinear pairings • From: Computer Standards & Interfaces (IF:1.074 42/86) • Author: Hongzhen Du, Qiaoyan Wen

An efficient CLS scheme (1/9) • This scheme • Setup: • Partial-Private-Key-Extract: • Set-Secret-Value: • Set-Private-Key: • Set-Public-Key: • CL-Sign: • CL-Verify:

An efficient CLS scheme (2/9) • Setup: KGC • security parameter l • G1 and G2 (same prime order q>2l) • P is a generator of groupG1 • g = e(P,P) • H1:{0, 1}*→Z*q, H2:{0, 1}*×G1 → Z*q

An efficient CLS scheme (3/9) • s∈ Z*q (system master key) • Computes public key Ppub=sP ∈G1 • KGC publishes the system list params: {l, G1, G2 ,e, q, P, g, Ppub , H1, H2}

user An efficient CLS scheme (4/9) • Partial-Private-Key-Extract: KGC dID Secure channel

An efficient CLS scheme (5/9) • Set-Secret-Value: • r∈ Z*q (secret value) • Set-Private-Key: • (dID, r) (private key) • Set-Public-Key: • pkID = r(Ppub+QIDP) = rT

An efficient CLS scheme (6/9) • CL-Sign: • m ∈ (0, 1)* • Sets h=H2(m, pkID) • Computes

An efficient CLS scheme(7/9) • CL-Verify: • Computes h = H2(m, pkID)

An efficient CLS scheme(9/9)

Fan et al.’s improved CLS scheme • Fan et al. base on DW scheme to propose an improved CLS scheme. • This scheme does not require more computing than DW scheme, but it needs two components of the public key [pk, pk’].

FHH scheme (1/9) • This scheme as DW scheme • Setup: • Partial-Private-Key-Extract: • Set-Secret-Value: • Set-Private-Key: • Set-Public-Key: • CL-Sign: • CL-Verify:

FHH scheme (2/9) • Setup: KGC • security parameter l • G1 and G2 (same prime order q>2l) • P is a generator of groupG1 • g = e(P,P) • H1:{0, 1}*→Z*q, H2:{0, 1}*×G1 → Z*q

FHH scheme(3/9) • s∈ Z*q (system master key) • Computes public key Ppub=sP ∈G1 • KGC publishes the system list params: {l, G1, G2 ,e, q, P, g, Ppub , H1, H2}

user FHH scheme (4/9) • Partial-Private-Key-Extract: KGC dID Secure channel

FHH scheme (5/9) • Set-Secret-Value: • r∈ Z*q (secret value) • Set-Private-Key: • (dID, r) (private key) • Set-Public-Key: • pkID = r(Ppub+QIDP) = rT, pk’ID = rP

FHH scheme (6/9) • CL-Sign: • m ∈ (0, 1)* • Sets h=H2(m, pkID) • Computes

FHH scheme (7/9) • CL-Verify: • Computes h = H2(m, pkID)

Cryptanalysis on Du-Wen Certificateless Short Signature Scheme

Cryptanalysis on Du-Wen Certificateless Short Signature Scheme

Presentation Transcript

Certificateless Threshold Ring Signature

A new provably secure certificateless short signature scheme

Proxy Blind Signature Scheme

The Cryptanalysis on A New and Efficient Fail-stop Signature Scheme

Cryptanalysis

A new certificateless aggregate signature scheme

Cryptanalysis of a Cognitive Authentication Scheme

Cryptanalysis of Some Proxy Signature Schemes without Certificates

Cryptanalysis

Cryptanalysis

Cryptanalysis

Cryptanalysis

Cryptanalysis

Cryptanalysis

Cryptanalysis

Key Replacement Attack on a Certificateless Signature Scheme

Certificateless Threshold Ring Signature

Certificateless signature revisited

A New Provably Secure Certificateless Signature Scheme

Cryptanalysis

Cryptanalysis

Cryptanalysis of a Cognitive Authentication Scheme