1 / 14

Certificateless signature: a new security model and an improved generic construction

Certificateless signature: a new security model and an improved generic construction. B.C. Hu, D.S. Wang, X.Deng, Z. Zhang Des Codes Crypt (2007) 42 (IF:0.745 58/86) Presenter: Yu-Chi Chen. Outline. Introduction Hu et al.’s construction Girault level-3 security Conclusion. Introduction.

nascha
Download Presentation

Certificateless signature: a new security model and an improved generic construction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Certificateless signature: a new security model and an improved generic construction B.C. Hu, D.S. Wang, X.Deng, Z. Zhang Des Codes Crypt (2007) 42 (IF:0.745 58/86) Presenter: Yu-Chi Chen

  2. Outline. • Introduction • Hu et al.’s construction • Girault level-3 security • Conclusion

  3. Introduction. • Traditional PKC • ID-based PKC: 1984 • CertificatelessPKC: 2003

  4. ID-PKC User (signer) ID1 Private Key Generation master-key = s mpk=sP Secure channel Require priv-key Sign: σ=sH(ID1)+H(M,…) Return priv-key=sH(ID1) User (verifier) Use ID1 and PKG’s mpk=sP to check e(σ,P)=? e(mpk, H(ID1))e(H(M,…),P)

  5. CL-PKC Decide his secret value r And public key pk=rP User (signer) ID1 Key Generation Center master-key = s mpk=sP Secure channel Require part-priv-key Sign: σ=sH(ID1)+rH(M,…) Return part-priv-key=sH(ID1) bulletin board User (verifier) Use ID1 and PKG’s mpk=sP to check e(σ,P)=? e(mpk, H(ID1))e(H(M,…),pk)

  6. Outline. • Introduction • Hu et al.’s construction • Girault level-3 security • Conclusion

  7. Hu et al.’s construction • In this paper, Hu et al. proposed • The public key replacement for some schemes. • A new security model (a little modification for the previous model) • An improved generic construction (with IDB, more algorithms) • good or not good? • An extended construction

  8. CL-PKC Decide his secret value r And public key pk=rP User (signer) ID1 Key Generation Center master-key = s mpk=sP Secure channel Require part-priv-key Sign: σ=sH(ID1)+rH(M,…) Return part-priv-key=sH(ID1) bulletin board User (verifier) Use ID1 and PKG’s mpk=sP to check e(σ,P)=? e(mpk, H(ID1))e(H(M,…),pk)

  9. A malicious KGC impersonates a user as a signer to generate a valid signature which can be accepted by the verifier. Decide his secret value r’ And public key pk’=r’P KGC (signer) ID1 User (signer) ID1 Key Generation Center master-key = s mpk=sP Secure channel Require part-priv-key Sign: σ=sH(ID1)+r’H(M,…) Return part-priv-key=sH(ID1) This signature is not mine. I want to deny. bulletin board User (verifier) Sorry, there is no way to prove the claim of this user is right. Use ID1 and PKG’s mpk=sP to check e(σ,P)=? e(mpk, H(ID1))e(H(M,…),pk’)

  10. Hu et al.’s construction • Hu et al.’s remedy: • The public key is inserted into the partial-private-key.

  11. Hu et al.’s remedy: • The user’s public key is replaced by the KGC with another key. • He can take his partial-private-key to argue that the public key is not his, since the partial-private-key contains his actual public key.

  12. Outline. • Introduction • Hu et al.’s construction • Girault level-3 security • Conclusion

  13. Girault level-3 security • Level 3. KGC does not know any user's secret value and cannot act as any user by generating a false partial private key without being detected.

  14. Outline. • Introduction • Hu et al.’s construction • Girault level-3 security • Conclusion

More Related