
A New Provably Secure Certificateless Signature Scheme

A New Provably Secure Certificateless Signature Scheme. Date: 2010.3.16. Reporter: Chien-Wen Huang. Source: 2008 IEEE International Conference on Communications (ICC 2008), vol. 4.


Presentation Transcript


  1. A New Provably Secure Certificateless Signature Scheme Date: 2010.3.16 Reporter: Chien-Wen Huang Source: 2008 IEEE International Conference on Communications (ICC 2008), vol. 4

  2. Outline • INTRODUCTION • PRELIMINARIES • OUR CERTIFICATELESS SIGNATURE SCHEME • SECURITY PROOF • CONCLUSIONS

  3. INTRODUCTION • Identity-based public key cryptography (ID-PKC) • was first introduced by Shamir in 1984. • Has the key escrow problem. • Certificateless public key cryptography (CL-PKC) • Al-Riyami et al., “Certificateless public key cryptography.” Asiacrypt 2003, LNCS. • Huang et al. [9], “Certificateless signature revisited.” ACISP 2007, LNCS. • X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu. Certificateless signature revisited. ACISP 2007, LNCS, vol. 4586, pages 308-322, Springer-Verlag, 2007. • Zhang et al. [17], “Certificateless public-key signature: security model and efficient construction.” ACNS 2006, LNCS.

  4. INTRODUCTION • Related Works • Type I/II Adversary - Normal: under the original public key of the target signer. Strong: under the replaced public key (the adversary supplies the secret value corresponding to the replaced public key).

  5. INTRODUCTION Super: under a public key chosen by the adversary himself, without supplying the secret value corresponding to that public key. • Only a few CLS schemes [9], [17] are secure against a super Type I/II adversary.

  6. INTRODUCTION • Our Contribution: • The CLS (certificateless signature) scheme requires only two pairing operations. • The signature length of the new scheme is 2/3 of that of Huang et al.'s scheme. • Super Type I/II adversary: proved secure in the strongest security model of CLS.

  7. PRELIMINARIES • A. Bilinear Maps • Let G1 be an additive group of prime order q. • Let G2 be a multiplicative group of the same order. • Bilinear: • Non-degeneracy: • Computable: There exists an efficient algorithm to compute

  8. PRELIMINARIES • B. Framework of Certificateless Signature Schemes • Setup input: a security parameter l output: a master-key, system parameters params. • Partial-Private-Key-Extract input: ID, params, master-key output: user's partial private key . • Set-Secret-Value input: ID, params output: user's secret value

  9. PRELIMINARIES • Set-Public-Key input: ID, params, output: public key • Sign accepts (params, , ID, , , ) to produce a signature on message. • Verify ( , , params, ID, ) decides whether the signature is valid or not.

  10. PRELIMINARIES • C. Adversarial Model of Certificateless Signature Schemes • The model consists of the following two games between a challenger C and an adversary AI or AII. Game 1 (for Type I Adversary) Setup: C runs the Setup algorithm • Input: a security parameter l • obtain: a master-key, system parameters params

  11. PRELIMINARIES Attack: Partial-Private-Key Queries PPK( ) AI request: the partial private key of any user's identity C output: the partial private key Public-Key Queries PK( ) AI request: the public key of a user's identity C output: the public key Secret-Value Queries SV( ) AI request: the secret value of a user's identity C output: the secret value (if PK replaced, output ⊥)

  12. PRELIMINARIES Public-Key-Replacement Queries PKR( , ) AI can choose a new public key as the public key of this user. C will record this replacement. Sign Queries S( ) On receiving a query S( ), C generates a signature (AI need not supply the secret value) Forgery: AI outputs • is a valid signature on under and • AI has never requested the Partial-Private-Key (of user's ) • S( ) has never been submitted WIN!!

  13. PRELIMINARIES Game 2 (for Type II Adversary) Setup: C runs the Setup algorithm • Input: a security parameter l • obtain: a master-key, system parameters params Attack: Public-Key Queries PK( ) AII request: the public key of a user's identity C output: the public key Secret-Value Queries SV( ) AII chooses a user and requests the secret value C output: the secret value (if PK replaced, output ⊥)

  14. PRELIMINARIES Public-Key-Replacement Queries PKR( , ) AII can choose a new public key as the public key of this user. Sign Queries S( ) On receiving a query S( ), C replies with a signature (AII need not supply the secret value) Forgery: AII outputs • is a valid signature on under and • AII has never requested the Secret-Value (of user's ) • AII has not requested a PKR query on • S( ) has never been queried WIN!!
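The bookkeeping behind Game 1 and Game 2 above, as an added Python example that is not part of the original slides: the challenger records oracle queries and decides whether a forgery counts as a win. The query arguments (an identity, and an identity/message pair for S), the placeholder secret value and the `valid` flag standing in for the result of Verify are assumptions made for illustration.

```python
class Challenger:
    """Query bookkeeping for Game 1 (Type I) or Game 2 (Type II)."""

    def __init__(self, game):
        if game not in (1, 2):
            raise ValueError("game must be 1 or 2")
        self.game = game
        self.ppk_asked = set()   # identities submitted to PPK
        self.sv_asked = set()    # identities submitted to SV
        self.replaced = {}       # identity -> public key set through PKR
        self.signed = set()      # (identity, message) pairs submitted to S

    def ppk(self, ident):
        if self.game == 2:
            raise ValueError("the slides list no PPK oracle for Game 2")
        self.ppk_asked.add(ident)

    def sv(self, ident):
        self.sv_asked.add(ident)           # the request itself is recorded
        if ident in self.replaced:
            return None                    # the ⊥ answer: PK was replaced
        return "secret-value-placeholder"  # constructed stand-in value

    def pkr(self, ident, new_pk):
        self.replaced[ident] = new_pk      # C records the replacement

    def sign(self, ident, msg):
        # Super adversary: answered even after PKR, with no secret value
        # supplied by the adversary.
        self.signed.add((ident, msg))

    def forgery_wins(self, ident, msg, valid):
        """Apply the win conditions listed under 'Forgery' for each game."""
        if not valid or (ident, msg) in self.signed:
            return False
        if self.game == 1:
            return ident not in self.ppk_asked
        return ident not in self.sv_asked and ident not in self.replaced
```

Note the asymmetry the slides describe: a Type I adversary may replace the target's public key and still win, while a Type II adversary loses the moment it issues PKR or SV on the target identity.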

  15. OUR CERTIFICATELESS SIGNATURE SCHEME • A. An Efficient Construction • Setup • Given a security parameter l, • chooses a master-key and set • , , • params= , • Partial-Private-Key-Extract • input: params, master-key , Computes • Outputs: user's partial private key

  16. OUR CERTIFICATELESS SIGNATURE SCHEME • Set-Secret-Value input: params, output: as the user's secret value. • Set-Public-Key input: params, , output: the user's public key • Sign input: • Choose a random , compute • Compute • Compute • Output on .

  17. OUR CERTIFICATELESS SIGNATURE SCHEME • Verify To verify a signature on a message for an identity and public key . • Compute , 2. Verify

  18. OUR CERTIFICATELESS SIGNATURE SCHEME • B. Comparison P: pairing operation. S: a scalar multiplication in G1. H: a MapToPoint hash operation. E: an exponentiation in G2. SL: signature length. PKL: public key length. P1: the length of a point in G1. Z1: the length of a point in

  19. SECURITY PROOF • Theorem: unforgeable against a super Type I/II adversary in the random oracle model (assuming the CDH problem is intractable). • Type I proof: Let C be a CDH attacker who receives a random instance (P, aP, bP) and has to compute the value of abP. (C can use AI to solve the CDH problem.) • C sets PT = aP and gives params = (G1, G2, e, P, PT, H1, H2, H3) to AI. • H1 Queries: AI can make at most qH1 H1 queries; C chooses J ∈ [1, qH1]. C maintains an initially empty list H1 of tuples (IDj, αj, Qj). On receiving a new query H1(IDi||P), • If i = J, set Qi = bP, add (IDi, ⊥, Qi) to H1 and return Qi as answer. • Otherwise, pick at random, set , add (IDi, αi, Qi) to H1 and return Qi as answer.

  20. H2 Queries: C keeps an initially empty list H2 of tuples ( ). AI issues a query ( ) to H2. If the query is new, C selects a random adds ( ) to H2 and returns as answer. • H3 Queries: AI issues a query ( ) to H3; for a new query, C selects a random adds ( ) to H2 and returns as answer. • Partial-Private-Key Queries: C keeps an initially empty list K of tuples ( ). Whenever AI issues a query PPK( ), if the query is new, C does the following. • If , abort. • Else if there's a tuple ( ) on K • If ( ) on H1, set and return as answer. • Otherwise, first make an H1 query on (IDi||P) to generate ( ), then set and return as answer.

  21. Otherwise, do the following. • If a tuple ( ) on H1, compute , set , return as answer and add ( ) to K. • Else, generate the tuple ( ) to simulate the random oracle H1, in the same way as a). • Public-Key Queries: On receiving a query PK(IDi), the current public key from K will be given. Otherwise, C does as follows. • If a tuple ( ) on K, choose , compute , return as answer and update to ( ). • Otherwise, choose , set , and add the tuple to K.

  22. Secret-Value Queries: On receiving a query SV( ), if the public key has been replaced, C returns . Otherwise, if a tuple ( ) on K, C returns as answer; else, C first makes PK( ) then returns as answer. • Public-Key-Replacement Queries: AI chooses a new public key for the user's identity ( ). On receiving a query PKR( , ), C first finds the tuple ( ) on K, then C updates to . • Sign Queries: On receiving a Sign query S( ), where denotes the public key chosen by AI, C generates the signature as follows. • Choose , set • Set , • Compute and output

  23. Forgery: Finally, AI returns a successful forgery. If , C aborts. • Type II proof: Let C be a CDH attacker who receives a random instance (P, aP, bP) and has to compute the value of abP. (C can use AI to solve the CDH problem.) • C sets PT = aP and gives params = (G1, G2, e, P, PT, H1, H2, H3) to AI. • Public-Key Queries: C keeps an initially empty list K of tuples (IDj, xj, Pj). For a new query, if , C returns as answer and adds to K; else, C picks , computes , adds to K and returns .

  24. Secret-Value Queries: On receiving a query SV( ), if the public key of has been replaced, C returns ⊥; otherwise, if , C aborts; else if a tuple on K, C returns as answer; else, C first makes PK( ), then recovers the tuple from K, returns . • Public-Key-Replacement Queries: AII can choose a new public key for the user's identity . On receiving a query PKR( ), if , C aborts; otherwise, C finds the tuple on K and updates to .

  25. CONCLUSIONS • Only two pairing operations are required in signing and verification. • It is more efficient than the other CLS schemes achieving the same security level.
