360 likes | 499 Views
A new certificateless aggregate signature scheme. Computer communications 32(2009) 1079-1085 Author: Lei Zhang, Futai Zhang Presenter: 紀汶承. Outline. Introduction Preliminaries A CLAS scheme Two type of adversaries An efficient certificateless aggregate sig nature scheme Security proof.
E N D
A new certificateless aggregate signature scheme Computer communications 32(2009) 1079-1085 Author: Lei Zhang, Futai Zhang Presenter: 紀汶承
Outline • Introduction • Preliminaries • A CLAS scheme • Two type of adversaries • An efficient certificateless aggregate sig nature scheme • Security proof
Introduction • 目的: • 把多個簽章整合成一個簽章,以減少整體簽章長度。 • 相對於很多個不同的單一個簽章,減少驗證時運算所花費的cost。
Preliminaries • Bilinear Pairing • Table (notations and means) • CDH problem
Bilinear Pairing • G1 : cyclic additive group generated by P whose order is a prime q. G2 : cyclic multiplicative group of the same order q. A bilinear pairing is a computable map e: G1 × G1 → G2 with the following properties
Bilinear Pairing • Bilinear: for any a,b and • Non-degenerate: There exists such that
Table (notations and means) CLAS: Certificateless Aggregate Signature KGC: Key Generation Center A1/A2: A type I/II adversary IDi,Pi: The identity, Public key of a user,respectively Xi,Di: The secre value, partial private key of a user with identity IDi l: A security parameter e: A bilinear map Zq: A additive group whose elements are 0,…,q-1. Mi: A message M: Message space σi: A single signature on a message σ: An aggregate signature Δ: A state information Hi: A hash function ⊥: It means the value is empty.
Computational Diffie-hellman Group • Define the system parameters as Params={G1,G2,e,q,P,H} • Hash function : H : • CDH problem : given P, aP, bP ∈ G1 for all a,b ∈ compute abP
A CLAS scheme • Setup: perform by KGC, use a parameter l to generate a master key snd a list of system parameters params. • Partial-Private-Key-Extract: perform by KGC, use user’s IDi, params and master key to produce user’s partial-private-key. • UserKeyGen: run by user ,produce private/public key xi/pi.
A CLAS scheme(cont.) • Sign: run by user, input params, state information Δ, message Mi, IDi, Pi, sign key(xi,Di), output σi as signature. • Aggregate: run aggregate signature generator. Output σ as aggregate signature on messages M1,…,Mn. • AggregateVerify: if aggregate signature is valid, output true else false.
Two type of adversaries • Type1: A1 does not have master key, but can replace public key as his choice. • Type2: A2 has the master key but cannot perform public key replacement.
Two type of adversaries(cont.) • Game1: • Setup: C run setup algo. Input security parameter l,產生master key 以及 system params. Then send params to A1. • Attack: A1 可以在polynomially bounded number內執行下列queries .
Partial-Private-Key queries(IDi): A1可以要求任何user的partial-private-key,C 會output給A1. • Public-Key queries(IDi): C 會output user的public key給A1. • Secret-Value queries(IDi): C 會output user的screte key xi給A1. • Public-Key-replacement queries(IDi,pi’):A1可以決定一個new public key Pi’去替換user i的公鑰 Pi .C會紀錄下來. • Sign queries(Δi,Mi,IDi,Pi): A1可以要求user i的簽章,C會去計算i的合法簽章on state information Δi.
Forgery: A1 output a set of n users U*={U1*,…Un*},a state information Δ* and a aggregate signature σ*. • A1 wins the game1,iff • σ*是一個valid aggregate signature . • 至少一個IDi ,並未要求ppk(IDi) queries. And S(Δi,Mi,IDi,Pi)並未query.
Game2: • Setup: C run setup algo. Input security parameter l,產生master key 以及 system params. Then send master and params to A2. • Attack: A2 可以在polynomially bounded number內執行下列queries .
Public-Key queries(IDi): C 會output user的public key給A2. • Secret-Value queries(IDi): C 會output user的screte key xi給A2. • Sign queries(Δi,Mi,IDi,Pi): A1可以要求user i的簽章,C會去計算i的合法簽章on state information Δi.
Forgery: A2 output a set of n users U*={U1*,…Un*},a state information Δ* and a aggregate signature σ*. • A2 wins the game2,iff • σ*是一個valid aggregate signature . • 至少一個IDi ,並未要求sv(IDi) queries. And S(Δi,Mi,IDi,Pi)並未query.
An efficient certificateless aggregate sig- nature scheme • Setup: input a security parameter l ,KGC選擇一個cyclic additive group G1,G2 .a bilinear map e:G1xG1→G2. choose random λ∈ Zq* as the master key and set PT=λP,choose hash function H1:{0,1}* →G1, H2:{0,1}* →G1, H3:{0,1}* →G1,system parameter is{G1,G2,e,P,PT,H1,H2,H3},message space is M={0,1}*
Partial-private-key-extract: • Compute Qi=H1(IDi) • Output the partial private key Di=λQi. • UserKeyGen: • Select random • And set the secrete value/public key as xi/Pi=xiP.
Sign: to sign a message M using the signing key (xi,Di) and chooses a state information Δ. then perform the following steps: • Choose a random ,compute Ri=riP • W=H2(Δ),Si=H3(Δ||Mi||IDi||Pi||Ri) • Vi=Di+xiW+riSi. • σi=(Ri,Vi) as the signature on Mi.
Aggregate: σi=(Ri,Vi) for i=1~n, aggregate to σ=(R1,…,Rn,V). V=ΣVi. • Aggregate verify: • Compute W=H2(Δ), Qi=H1(IDi), Si=H3(Δ||Mi||IDi||Pi||Ri) • Verify
Security proof • Assuming CDH problem is hard. • Theorem1: • In random oracle,存在一個type 1 adversary A1 who has an advantage ε in forging a signature. • Then CDH problem can be solved with probability
Proof: let C be a CDH attacker who receives a random instance (P,aP,bP) of CDH problem in G1,A1 is a type1 adversary who interact with C. • Setup: C set PT=aP and params=(G1,G2,e,P,PT,H1,H2,H3) then send to A1. • Attack: A1 can perform the following type of queries in an adaptive manner.
H1 queries: • C maintains a list of tuples (IDj,αj,Qj,cj). This list is initially empty. Whenever receiving an H1 query on IDi, the same answer from the list will be given if the request has been asked before. • Otherwise, C first picks at random then flips a coin ci :{0,1} that yields 0 with probability δ and 1 with probability1-δ, If ci=0,C sets Qi = αibP, adds (IDi,⊥,Qi,ci) to and returns Qi as answer; otherwise, sets Qi = αiP, adds (IDi,αi,Qi,ci) to and returns Qi as answer.
H2 queries: • C keeps a list of tuples (Δj,Wj,βj). This list is initially empty. Whenever A1 issues a query H2(Δi), the same answer from the list will be given if the request has been asked before. • Otherwise, C selects a random , computes Wi=βiP, adds (Δi,Wi,βi) to .and returns Wi as answer.
H3 queries: • C keeps a list of tuples (Δj,Mj,IDj,Pj,Rj,Sj,γj). This list is initially empty. Whenever A1 issues a query(Δi||Mi||IDi||Pi||Ri) to H3, the same answer from the list will be given if the request has been asked before. • Otherwise, C selects a random , computes Si =γiP, adds (Δj,Mj,IDj,Pj,Rj,Sj,γj) to and return Si as answer.
Partial-Private-Key queries: • C keeps a list of tuples (IDj,xj,Dj,Pj). This list is initially empty. When A1 issues a query Partial-Private-Key PPK(IDi), the same answer from the list will be given if the request has been asked before. • Otherwise, C first makes an H1 query on IDi and finds the tuple (IDi,αi,Qi,ci) on ,then does as follows: • (1) If ci = 0, abort. • (2) Else if there’s a tuple (IDi,xi,Di,Pi) on , set Di = αiPT and return Di as answer. • (3) Otherwise, compute Di = αiPT, set xi = Pi = ⊥, then return Di as answer and add (IDi,xi,Di,Pi) to .
Public-Key queries: • On receiving a Public-Key query PK(IDi), if the request has been asked before the current public key from the list will be given. • Otherwise, C does as follows: • (1) If there’s a tuple (IDi,xi,Di,Pi) on (in this case, the public key Pi of IDi is ⊥), choose , compute , return Di as answer and update (IDi,xi,Di,Pi) to . • (2) Otherwise, choose , compute Pi = xiP, return Pi as answer, set Di = ⊥ and add (IDi,xi,Di,Pi) to .
Secret-Value queries: • On receiving a Secret-Value query SV(IDi),C first makes PK(IDi) then finds the tuple (IDi,xi,Di,Pi) on and returns xi as answer (Note that the value of xi maybe⊥). • Public-Key-Replacement queries: • A1 can choose a new public key for the user whose identity is IDi. On receiving a Public-Key-Replacement query PKR(IDi,Pi’),C first finds the tuple (IDi,xi,Di,Pi) on (if such a tuple does not exists on or Pi = ⊥,C first makes PK(IDi)), then C updates Pi to Pi’.
Sign queries: • On receive a Sign query S(Δi,Mi,IDi,Pi), where Pi denotes the public key chosen by A1 ,C first makes H1(IDi),H2(Δi)queries then recovers (IDi,αi,Qi,ci) from , (Δi,Wi,βi) from and then generates the signature as follows: • (1) If ci = 0, choose , set , set Si = γiPT, add(Δi,Mi,IDi,Pi,Ri,Si,γi) to (if there is a tuple (Δi,Mi,IDi,Pi,Ri,Si,γi) on , then redo this step), compute Vi = βiPi + riγiPT,output σi = (Ri,Vi). • (2) Else ci = 1, randomly choose , set Vi = αiPT + βiPi + γiRi,output σi = (Ri,Vi).
Forgery: • A1 return a forged aggregate signature σ*=(R1*,…,Rn*,V*).It required that there exists I:{1,…,n} such that A1 has not asked the partial private key for IDI. And A1 has not made a S(ΔI,MI,IDI,PI) query. Without loss of generality, let I=1. • the forged aggregate signature must satisfy
C now proceeds only if c1*=0,ci*=1 for all 2≦i≦n,otherwise,C aborts. • Then • In our setting : for all i,2≦i≦n, • then
分析:須滿足下列三個事件 • E 1: C does not abort as a result of any of A1’s Partial-Private-Key queries. • E 2: A1 generates a valid and nontrivial aggregate signature forgery. • E 3: Event E2 occurs, c1*=0 and ci*=1 for all I, 2≦i≦n.
Pr[E1ΛE2ΛE3]= Pr[E1]Pr[E2|E1]Pr[E 3|E1ΛE2]. • The probability that C does not abort as a result of A1’s key extraction queries is at least .then Pr[E1]≧ • Suppose algorithm C does not abort as a result of A1’s signature queries and key extraction queries, then algorithm A1’s view is identical to its view in the real attack,Pr[E2-E1]≧ε. • The probability that C does not abort after A1 outputting a valid and nontrivial forgery is at least • Then Pr[E 3|E1ΛE2]≧
So,we have • When , is maximized at • qk is large ,then we have
在sign方面 花費 2n(s)scalar multiplication<3n(s)(using PKL) • 在verify方面 花費n+3次(pairing operation) • 可否減少cost?