A New Identity-based Proxy Blind Signature Scheme
Junjie He, Chuanda Qi, and Fang Sun
2012 IEEE International Conference on Information Science and Technology
Presenter: 陳昱安
Date: 2013/12/09
Outline
• Introduction
• Preliminaries
• ID-based proxy blind signature scheme
• Analysis of the proposed scheme
• Conclusion
Introduction (2/2)
• The new scheme satisfies strong unforgeability, non-repudiation, blindness, unlinkability, etc.
• Moreover, compared with other identity-based proxy blind signature schemes, the scheme has better computational efficiency and less traffic.
Preliminaries
• Bilinear pairings
• Computational problems
  • Discrete Logarithm Problem (DLP)
  • Diffie-Hellman Problem (DHP)
• Security requirements of proxy blind signature
  • Distinguishability
  • Verifiability
  • Undeniability
  • Identifiability
  • Unforgeability
  • Unmisusability
  • Blindness
  • Unlinkability
ID-based proxy blind signature scheme (2/7)
We assume there is a trusted key generation center (KGC) that establishes the identity-based cryptosystem and generates private keys for users.
ID-based proxy blind signature scheme (3/7)
• Setup
KGC selects a prime q, two groups G1 and G2, a generator P of G1, and a bilinear pairing e: G1×G1→G2. It also specifies two hash functions H1: →G1 and H2: → . KGC picks a master private key s at random and sets its public key Ppub = sP. The system parameters are {G1, G2, q, P, Ppub, H1, H2}.
ID-based proxy blind signature scheme (4/7)
• Extract
For a given public identity information of user u, KGC computes , , and sends to user u. After receiving , user u checks .
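The Setup and Extract steps above, run end to end as an added example (not from the paper or the slides). The slide's Extract formulas did not survive, so the code assumes the form usual in pairing-based identity systems, Q = H1(ID) and S = sQ with the check e(S, P) = e(Q, Ppub); the toy pairing, its parameters and the sample identity are constructed for illustration and offer no security.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only: G1 is the additive group
# Z_q with generator P = 1, G2 is the order-q subgroup of Z_p* generated by g.
# DLP in this G1 is trivial, so this models the algebra, not the security.
q, p, g = 1019, 2039, 4   # p = 2q + 1, both prime; g = 2^2 has order q
P = 1

def pairing(a, b):
    """e: G1 x G1 -> G2 with e(aP, bP) = g^(ab); bilinear by construction."""
    return pow(g, (a * b) % q, p)

def H1(identity):
    """Hash an identity string to a non-zero element of G1."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return 1 + h % (q - 1)

def setup():
    """KGC: pick master private key s at random, publish Ppub = sP."""
    s = 1 + secrets.randbelow(q - 1)
    return s, (s * P) % q

def extract(s, identity):
    """KGC: derive the user's key pair (assumed form: Q = H1(ID), S = sQ)."""
    Q = H1(identity)
    return Q, (s * Q) % q

def user_check(Q, S, Ppub):
    """User: accept S only if e(S, P) == e(Q, Ppub); s is never needed."""
    return pairing(S, P) == pairing(Q, Ppub)

def demo():
    s, Ppub = setup()
    Q, S = extract(s, "alice@example.org")   # constructed identity
    good = user_check(Q, S, Ppub)
    bad = user_check(Q, (S + 1) % q, Ppub)   # key corrupted in transit
    # A key issued under a different master secret must also be rejected.
    other = (s % (q - 1)) + 1                # in 1..q-1 and never equal to s
    _, S_other = extract(other, "alice@example.org")
    foreign = user_check(Q, S_other, Ppub)
    return good, bad, foreign

if __name__ == "__main__":
    print(demo())
```
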
ID-based proxy blind signature scheme (5/7)
• Proxy Delegation
  • First, the original signer A generates proxy warrant .
  • The original signer A selects randomly, computes , , .
  • A sends to the proxy signer B.
  • After receiving , B computes and checks . If it is correct, B accepts the delegation and computes the proxy secret key . The corresponding proxy public key is .
ID-based proxy blind signature scheme (6/7)
• Proxy Blind Signature Issuing Protocol
For a given message m:
  • The proxy signer B selects randomly, computes , and sends to the message owner C.
  • After receiving , C selects randomly, computes , , , and sends to the proxy signer B.
  • After receiving , B computes , and sends to the message owner C.
  • After receiving , C computes . Finally, the proxy blind signature of message m is .
ID-based proxy blind signature scheme (7/7)
• Verification
  • Given a proxy blind signature, the receiver gets the identities IDi, i = A, B, of the original signer A and the proxy signer B from the proxy warrant .
  • The receiver computes their public keys , i = A, B, and generates the proxy public key , where .
  • The receiver then computes , and checks .
Analysis of the proposed scheme (1/9)
• Correctness
Analysis of the proposed scheme (2/9)
• Security
(1) Distinguishability
On the one hand, the proxy warrant is included in proxy blind signature . On the other hand, the proxy public key includes the original signer A's public key and the proxy signer B's public key .
Analysis of the proposed scheme (3/9)
(2) Verifiability
The proxy blind signature includes the proxy warrant .
(3) Undeniability
The proxy secret key . The original signer A does not know the proxy signer B's private key, so only B knows the proxy secret key.
Analysis of the proposed scheme (4/9)
(4) Identifiability
The proxy blind signature contains the proxy warrant, which includes the identity information of the original signer A and proxy signer B.
(5) Unforgeability
We analyze the unforgeability of the proposed scheme through the following four aspects.
Analysis of the proposed scheme (5/9)
• First, the attacker cannot get the master secret key. Ppub = sP (DLP on G1)
• Second, the attacker can't get the user's private key. (CDHP on G1)
• Third, the attacker can't get the proxy secret key. = s .
Analysis of the proposed scheme (6/9)
• Fourth, the scheme can resist the universal forgery attack.
Attacker forges the proxy blind signature
proxy public key
the attacker selects G1 randomly. (CDHP on G1)
Analysis of the proposed scheme (7/9)
the attacker selects G1 randomly. compute via (DLP and inverse of hash function)
(6) Unmisusability
The proxy warrant includes the valid period of delegation, and possible other restrictions on the signing capability delegated to the proxy signer. With the proxy private/public key pair, the proxy signer cannot sign messages which have not been authorized by the original signer.
Analysis of the proposed scheme (8/9)
(7) Blindness
The proxy signer B signs , which is the result of a transformation with the hash function and blind factors by the message owner C.
(8) Unlinkability
The proxy blind signature of message m is . The proxy signer B selects an intermediate result randomly. B can compute , but can't compute by or . (DLP on G1)
Analysis of the proposed scheme (9/9)
• Efficiency
  • pairing operation (Pa)
  • point scalar multiplication on G1 (Pm)
  • exponentiation in G2 (Pe)
  • division in (Div)
Conclusion
• We proved its correctness and analyzed the security and computational performance.
• Analysis shows that the proposed scheme not only satisfies strong unforgeability, non-repudiation, blindness and unlinkability and other security requirements, but also has better computational efficiency and less traffic.