A new provably secure certificateless short signature scheme
Authors: K.Y. Choi, J.H. Park, D.H. Lee
Source: Comput. Math. Appl. (IF: 1.472), Vol. 61, 2011, pp. 1760-1768
Presenter: Yu-Chi Chen
Outline
• Introduction
• Certificateless signatures
• Shim’s attack
• The improved scheme
• Conclusions
Introduction
• Identity-based cryptography
– Without a CA to manage certificates of public keys.
– The private key generator (PKG) knows everyone’s full private key, which is known as the key escrow problem.
• Certificateless cryptography
– Solves the key escrow problem.
– The key generation center (KGC) cannot have everyone’s full private key.
Certificateless signatures
• A CLS scheme usually consists of the following algorithms.
– Setup
– Partial private key extract
– Set public key
– Set secret value
– Sign
– Verify
Security model
• Two types of adversaries - Existential Unforgeability
– Type 1 adversary: An outsider
  • Can replace public key
  • Cannot access the system master key
– Type 2 adversary: The KGC
  • Cannot replace public key
  • Can access the system master key
Type 1 adversary
• Setup.
• Attack.
– Partial-private-key queries
– Public key queries
– Secret value queries
– Public key replacement
– Sign queries
• Forgery. A forged signature of $(ID^*, pk_{ID^*}, M^*)$
• Win the game if the conditions hold.
– The forged signature is valid.
– The partial-private-key and the forged signature have never been queried.
– The public key has never been replaced.
Type 2 adversary
• Setup.
• Attack.
– Partial-private-key queries
– Public key queries
– Secret value queries
– Public key replacement
– Sign queries
• Forgery. A forged signature of $(ID^*, pk_{ID^*}, M^*)$
• Win the game if the conditions hold.
– The forged signature is valid.
– The secret value and the forged signature have never been queried.
Remark on security models
• Several different security models have been presented.
• In particular, Huang et al. classify different levels of adversaries according to their abilities.
– Normal Type 1 adversary
– Strong Type 1 adversary
– Super Type 1 adversary
–…
Shim’s attack
1. An adversary (Type 1), A, first sets a secret value of ID, r*, and then he computes the corresponding public key pk*.
2. He replaces the public key of ID with pk*.
3. He queries a signature of (M, ID, pk*).
4. Finally, he can recover the partial-private-key by the signature of (M, ID, pk*) and the secret value r*.
The proposed scheme
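• Setup
– Bilinear map: $e: G_1 \times G_1 \to G_2$ with order q, and P is the generator of G1.
– Master key: $s \in Z_q^*$
– Master public key: $P_{pub} = sP$
– Hash functions: $H_0, H_0', H_1: \{0,1\}^* \to G_1^*$ and $H_2, H_2': \{0,1\}^* \to Z_q^*$
– $params = \langle e, G_1, G_2, q, P, P_{pub}, H_0, H_0', H_1, H_2, H_2' \rangle$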
The proposed scheme
• Partial-private-key-extract.
– User A with $ID_A$ can obtain the partial-private-key $SK_{ID_A} = (D_{ID_A}, D'_{ID_A})$, where $D_{ID_A} = sH_0(ID_A)$ and $D'_{ID_A} = sH_0'(ID_A)$.
• Set secret value.
– User A with $ID_A$ chooses $r_{ID_A}$ as his secret value.
• Set public key.
– His public key $PK_{ID_A} = r_{ID_A}P$
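• Sign. Input: $ID_A, r_{ID_A}, SK_{ID_A}, m$
1. Set $T = H_1(m, PK_{ID_A}, ID_A)$, $h = H_2(m, PK_{ID_A}, ID_A)$, $h' = H_2'(m, PK_{ID_A}, ID_A)$
2. Compute $\sigma = hD_{ID_A} + h'D'_{ID_A} + x_{ID_A}T$
3. Return σ as the signature of m.
• Verify.
1. Compute $Q_{ID_A} = H_0(ID_A)$, $Q'_{ID_A} = H_0'(ID_A)$, $T = H_1(m, PK_{ID_A}, ID_A)$, $h = H_2(m, PK_{ID_A}, ID_A)$, $h' = H_2'(m, PK_{ID_A}, ID_A)$
2. Check $e(\sigma, P) \stackrel{?}{=} e(T, PK_{ID_A}) \, e(hQ_{ID_A} + h'Q'_{ID_A}, P_{pub})$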
Security analysis
• Our short certificateless signature scheme is existentially unforgeable against a super Type I adversary in the random oracle model under the CDH assumption.
• Our short certificateless signature scheme is existentially unforgeable against a super Type II adversary in the random oracle model under the CDH assumption.
Conclusions
• Choi et al. introduce an improved scheme that withstands Shim’s attack.
• The major inspiration is the two components of the partial-private-key.
• This scheme is existentially unforgeable under the CDH assumption against both super Type I and super Type II adversaries.