A new provably secure certificateless short signature scheme
Authors: K.Y. Choi, J.H. Park, D.H. Lee
Source: Comput. Math. Appl. (IF: 1.472), Vol. 61, 2011, pp. 1760-1768
Presenter: Yu-Chi Chen
Outline
• Introduction
• Certificateless signatures
• Shim’s attack
• The improved scheme
• Conclusions
Introduction
• Identity-based cryptography
  • No CA is needed to manage certificates of public keys.
  • The private key generator (PKG) knows everyone’s full private key; this is known as the key escrow problem.
• Certificateless cryptography
  • Solves the key escrow problem.
  • The key generation center (KGC) does not hold anyone’s full private key.
Certificateless signatures
• A CLS scheme usually consists of the following algorithms.
  • Setup
  • Partial private key extract
  • Set secret value
  • Set public key
  • Sign
  • Verify
Security model
• Two types of adversaries - existential unforgeability
  • Type 1 adversary: an outsider
    • Can replace public keys
    • Cannot access the system master key
  • Type 2 adversary: the KGC
    • Cannot replace public keys
    • Can access the system master key
Type 1 adversary
• Setup.
• Attack. The adversary may issue:
  • Partial-private-key queries
  • Public key queries
  • Secret value queries
  • Public key replacement
  • Sign queries
• Forgery. A forged signature of
• The adversary wins the game if all of the following conditions hold.
  • The forged signature is valid.
  • The partial private key of the target identity has never been queried, and the forged signature has never been returned by a sign query.
  • The public key of the target identity has never been replaced.
Type 2 adversary
• Setup.
• Attack. The adversary may issue:
  • Partial-private-key queries
  • Public key queries
  • Secret value queries
  • Public key replacement
  • Sign queries
• Forgery. A forged signature of
• The adversary wins the game if all of the following conditions hold.
  • The forged signature is valid.
  • The secret value of the target identity has never been queried, and the forged signature has never been returned by a sign query.
Remark on security models
• Several different security models have been presented.
• In particular, Huang et al. classify adversaries into different levels according to their abilities.
  • Normal Type 1 adversary
  • Strong Type 1 adversary
  • Super Type 1 adversary
  • …
Shim’s attack
• A Type 1 adversary A first chooses a secret value r* for the identity ID and computes the corresponding public key pk*.
• A replaces the public key of ID with pk*.
• A queries a signature on (M, ID, pk*).
• Finally, from the signature on (M, ID, pk*) and the secret value r*, A recovers the partial private key of ID.
The proposed scheme
• Setup
  • Bilinear map: with order q, and P is the generator of G1.
  • Master key:
  • Master public key:
  • Hash functions:
The proposed scheme
• Partial-private-key extract.
  • User A with IDA obtains the partial private key
• Set secret value.
  • User A with IDA chooses as his secret value.
• Set public key.
  • His public key
• Sign. Input:
  • Set
  • Compute
  • Return σ as the signature of m.
• Verify.
  • Compute
  • Check
Security analysis
• Our short certificateless signature scheme is existentially unforgeable against a super Type I adversary in the random oracle model under the CDH assumption.
• Our short certificateless signature scheme is existentially unforgeable against a super Type II adversary in the random oracle model under the CDH assumption.
Conclusions
• Choi et al. introduce an improved scheme that withstands Shim’s attack.
• The key idea is that the partial private key consists of two components.
• The scheme is existentially unforgeable under the CDH assumption against super Type I and super Type II adversaries.