A New Provably Secure Certificateless Signature Scheme
Date: 2010.3.16
Reporter: Chien-Wen Huang
Source: 2008 IEEE International Conference on Communications (ICC 2008), vol. 4
Outline
• INTRODUCTION
• PRELIMINARIES
• OUR CERTIFICATELESS SIGNATURE SCHEME
• SECURITY PROOF
• CONCLUSIONS
INTRODUCTION
• Identity-based public key cryptography (ID-PKC)
  • First introduced by Shamir in 1984.
  • Has the key escrow problem.
• Certificateless public key cryptography (CL-PKC)
  • Al-Riyami et al. "Certificateless public key cryptography." Asiacrypt 2003, LNCS.
  • Huang et al. [9] "Certificateless signature revisited." ACISP 2007, LNCS.
    X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu. Certificateless signature revisited. ACISP 2007, LNCS, vol. 4586, pages 308-322, Springer-Verlag, 2007.
  • Zhang et al. [17] "Certificateless public-key signature: security model and efficient construction." ACNS 2006, LNCS.
INTRODUCTION
• Related Works
• Type I/II adversaries are classified by the public key under which the forged signature must verify:
  • Normal: under the original public key of the target signer.
  • Strong: under a replaced public key (the adversary must supply the secret value corresponding to the replaced public key).
  • Super: under a public key chosen by the adversary himself, without supplying the secret value corresponding to that public key.
• Only a few CLS schemes [9], [17] are secure against a super Type I/II adversary.
INTRODUCTION
• Our Contribution:
  • The CLS (certificateless signature) scheme requires only two pairing operations.
  • The signature length of the new scheme is 2/3 of that of Huang et al.'s scheme.
  • The scheme is proved secure against a super Type I/II adversary, i.e. in the strongest security model of CLS.
PRELIMINARIES
• A. Bilinear Maps
  • Let G1 be an additive group of prime order q.
  • Let G2 be a multiplicative group of the same order.
  • Bilinear:
  • Non-degeneracy:
  • Computable: there exists an efficient algorithm to compute the map.
PRELIMINARIES
• B. Framework of Certificateless Signature Schemes
  • Setup. Input: a security parameter l. Output: a master-key and the system parameters params.
  • Partial-Private-Key-Extract. Input: ID, params, master-key. Output: the user's partial private key.
  • Set-Secret-Value. Input: ID, params. Output: the user's secret value.
PRELIMINARIES
  • Set-Public-Key. Input: ID, params, . Output: the user's public key.
  • Sign. Accepts (params, , ID, , , ) and produces a signature on the message.
  • Verify. Takes ( , , params, ID, ) and outputs whether the signature is valid or not.
PRELIMINARIES
• C. Adversarial Model of Certificateless Signature Schemes
  • Security is defined by the following two games between a challenger C and an adversary A_I or A_II.
Game 1 (for Type I Adversary)
Setup: C runs the Setup algorithm.
  • Input: a security parameter l
  • Obtain: a master-key and the system parameters params
Attack:
  • Partial-Private-Key Queries PPK( ): A_I requests the partial private key of any user's identity; C outputs the partial private key.
  • Public-Key Queries PK( ): A_I requests the public key of a user's identity; C outputs the public key.
  • Secret-Value Queries SV( ): A_I requests the secret value of a user's identity; C outputs the secret value (if the public key has been replaced, C outputs ⊥).
  • Public-Key-Replacement Queries PKR( , ): A_I can choose a new public key as the public key of this user. C records this replacement.
  • Sign Queries S( ): on receiving a query S( ), C generates a signature (A_I need not supply the secret value).
Forgery: A_I outputs a forgery and wins if
  • it is a valid signature on the message under the identity and public key,
  • A_I has never requested the Partial-Private-Key of the user's identity, and
  • S( ) has never been submitted.
PRELIMINARIES
Game 2 (for Type II Adversary)
Setup: C runs the Setup algorithm.
  • Input: a security parameter l
  • Obtain: a master-key and the system parameters params
Attack:
  • Public-Key Queries PK( ): A_II requests the public key of a user's identity; C outputs the public key.
  • Secret-Value Queries SV( ): A_II chooses a user and requests the secret value; C outputs the secret value (if the public key has been replaced, C outputs ⊥).
  • Public-Key-Replacement Queries PKR( , ): A_II can choose a new public key as the public key of this user.
  • Sign Queries S( ): on receiving a query S( ), C replies with a signature (A_II need not supply the secret value).
Forgery: A_II outputs a forgery and wins if
  • it is a valid signature on the message under the identity and public key,
  • A_II has never requested the Secret-Value of the user's identity,
  • A_II has not made a PKR query on that identity, and
  • S( ) has never been queried.
OUR CERTIFICATELESS SIGNATURE SCHEME
• A. An Efficient Construction
  • Setup: given a security parameter l, choose a master-key and set , , ; params = ( , ).
  • Partial-Private-Key-Extract: input params, master-key, ; compute ; output the user's partial private key.
OUR CERTIFICATELESS SIGNATURE SCHEME
  • Set-Secret-Value: input params, ; output as the user's secret value.
  • Set-Public-Key: input params, , ; output the user's public key.
  • Sign: input
    1. Choose a random , compute .
    2. Compute .
    3. Compute .
    4. Output the signature on the message.
OUR CERTIFICATELESS SIGNATURE SCHEME
  • Verify: to verify a signature on a message for an identity and public key:
    1. Compute , .
    2. Verify .
OUR CERTIFICATELESS SIGNATURE SCHEME
• B. Comparison (notation used in the comparison)
  P: pairing operation. S: scalar multiplication in G1. H: MapToPoint hash operation. E: exponentiation in G2. SL: signature length. PKL: public key length. P1: the length of a point in G1. Z1: the length of a point in
SECURITY PROOF
• Theorem: the scheme is unforgeable against a super Type I/II adversary in the random oracle model, assuming the CDH problem is intractable.
• Type I proof: let C be a CDH attacker who receives a random instance (P, aP, bP) and wants to compute abP. C uses A_I to solve the CDH problem.
  • C sets PT = aP, selects params = (G1, G2, e, P, PT, H1, H2, H3) and gives params to A_I.
  • H1 Queries: A_I makes at most qH1 queries to H1. C chooses J ∈ [1, qH1] and maintains an initially empty list H1 of tuples (IDj, αj, Qj). On receiving a new query H1(IDi || P):
    • If i = J, set Qi = bP, add (IDi, ⊥, Qi) to H1 and return Qi as the answer.
    • Otherwise, pick αi at random, set Qi, add (IDi, αi, Qi) to H1 and return Qi as the answer.
  • H2 Queries: C keeps an initially empty list H2 of tuples ( ). When A_I issues a query ( ) to H2 and the query is new, C selects a random , adds ( ) to H2 and returns it as the answer.
  • H3 Queries: A_I issues a query ( ) to H3. For a new query, C selects a random , adds ( ) to H3 and returns it as the answer.
  • Partial-Private-Key Queries: C keeps an initially empty list K of tuples ( ). Whenever A_I issues a query PPK( ), if the query is new, C does the following:
    • If , abort.
    • Else if there is a tuple ( ) on K:
      • If ( ) is on H1, set and return as the answer.
      • Otherwise, first make an H1 query on (IDi || P) to generate ( ), then set and return as the answer.
    • Otherwise, do the following:
      • If a tuple ( ) is on H1, compute , set , return as the answer and add ( ) to K.
      • Else, generate the tuple ( ) to simulate the random oracle H1 in the same way as above.
  • Public-Key Queries: on receiving a query PK(IDi), if the current public key is recorded in K it is returned. Otherwise, C does as follows:
    • If a tuple ( ) is on K, choose , compute , return as the answer and update the tuple to ( ).
    • Otherwise, choose , set , and add the tuple to K.
  • Secret-Value Queries: on receiving a query SV( ), if the public key has been replaced, C returns ⊥. Otherwise, if a tuple ( ) is on K, C returns as the answer; else, C first makes PK( ) and then returns as the answer.
  • Public-Key-Replacement Queries: A_I chooses a new public key for the user's identity ( ). On receiving a query PKR( , ), C first finds the tuple ( ) on K, then updates it to .
  • Sign Queries: on receiving a Sign query S( ), where denotes the public key chosen by A_I, C generates the signature as follows:
    • Choose , set .
    • Set , .
    • Compute and output .
  • Forgery: finally, A_I returns a successful forgery. If , C aborts.
• Type II proof: let C be a CDH attacker who receives a random instance (P, aP, bP) and wants to compute abP. C uses A_II to solve the CDH problem.
  • C sets PT = aP, selects params = (G1, G2, e, P, PT, H1, H2, H3) and gives params to A_II.
  • Public-Key Queries: C keeps an initially empty list K of tuples (IDj, xj, Pj). For a new query, if , C returns as the answer and adds to K; else, C picks , computes , adds to K and returns .
  • Secret-Value Queries: on receiving a query SV( ), if the public key of has been replaced, C returns ⊥; otherwise, if , C aborts; else if a tuple is on K, C returns as the answer; else, C first makes PK( ), then recovers the tuple from K and returns .
  • Public-Key-Replacement Queries: A_II can choose a new public key for the user's identity . On receiving a query PKR( ), if , C aborts; otherwise, C finds the tuple on K and updates it to .
CONCLUSIONS
• Only two pairing operations are required in signing and verification.
• The scheme is more efficient than the other CLS schemes achieving the same security level.