A new provably secure certificateless short signature scheme Authors: K.Y. Choi, J.H. Park, D.H. Lee Source: Comput. Math. Appl. (IF:1.472) Vol. 61, 2011, pp. 1760-1768 Presenter: Yu-Chi Chen


Outline

• Introduction
• Certificateless signatures
• Shim’s attack
• The improved scheme
• Conclusions


Introduction

• Identity-based cryptography
– Without CA to manage certificates of public keys.
– Private key generator (PKG) knows everyone’s full private key, also known as the key escrow problem.

• Certificateless cryptography
– Solving the key escrow problem
– Key generation center (KGC) cannot have everyone’s full private key


Certificateless signatures

• A CLS scheme usually consists of the following algorithms.
– Setup
– Partial private key extract
– Set public key
– Set secret value
– Sign
– Verify


Security model

• Two types of adversaries - Existential Unforgeability
– Type 1 adversary: An outsider
  • Can replace public key
  • Cannot access the system master key
– Type 2 adversary: The KGC
  • Cannot replace public key
  • Can access the system master key


Type 1 adversary

• Setup.
• Attack.
– Partial-private-key queries
– Public key queries
– Secret value queries
– Public key replacement
– Sign queries

• Forgery. A forged signature of $(ID^*, pk_{ID}^*, M^*)$

• Win the game if the conditions hold.
– The forged signature is valid.
– The partial-private-key and the forged signature have never been queried.
– The public key has never been replaced.


Type 2 adversary

• Setup.
• Attack.
– Partial-private-key queries
– Public key queries
– Secret value queries
– Public key replacement
– Sign queries

• Forgery. A forged signature of $(ID^*, pk_{ID}^*, M^*)$

• Win the game if the conditions hold.
– The forged signature is valid.
– The secret value and the forged signature have never been queried.


Remark on security models

• Several different security models have been presented.

• In particular, Huang et al. classify different levels of adversaries according to their abilities.
– Normal Type 1 adversary
– Strong Type 1 adversary
– Super Type 1 adversary
– …


Shim’s attack

1. An adversary (Type 1), A, first sets a secret value of ID, r*, and then he computes the corresponding public key pk*.

2. He replaces the public key of ID with pk*.

3. He queries a signature of (M, ID, pk*).

4. Finally, he can recover the partial-private-key by the signature of (M, ID, pk*) and the secret value r*.


The proposed scheme

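• Setup
– Bilinear map: $e: G_1 \times G_1 \to G_2$ with order q, and P is the generator of $G_1$.
– Master key: $s \in Z_q^*$
– Master public key: $P_{pub} = sP$
– Hash functions: $H_0, H_0', H_1: \{0,1\}^* \to G_1^*$ and $H_2, H_2': \{0,1\}^* \to Z_q^*$
– $params = \langle e, G_1, G_2, q, P, P_{pub}, H_0, H_0', H_1, H_2, H_2' \rangle$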


The proposed scheme

• Partial-private-key-extract.
– User A with $ID_A$ can obtain the partial-private-key $SK_{ID_A} = (D_{ID_A}, D'_{ID_A})$, where $D_{ID_A} = sH_0(ID_A)$ and $D'_{ID_A} = sH_0'(ID_A)$.

• Set secret value.
– User A with $ID_A$ chooses $r_{ID_A}$ as his secret value.

• Set public key.
– His public key $PK_{ID_A} = r_{ID_A}P$


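• Sign. Input: $(ID_A, r_{ID_A}, SK_{ID_A}, m)$
1. Set $T = H_1(m, PK_{ID_A}, ID_A)$, $h = H_2(m, PK_{ID_A}, ID_A)$, $h' = H_2'(m, PK_{ID_A}, ID_A)$
2. Compute $\sigma = x_{ID_A}T + hD_{ID_A} + h'D'_{ID_A}$, where $x_{ID_A}$ is the secret value (written $r_{ID_A}$ above)
3. Return σ as the signature of m.

• Verify.
1. Compute $Q_{ID_A} = H_0(ID_A)$, $Q'_{ID_A} = H_0'(ID_A)$, $T = H_1(m, PK_{ID_A}, ID_A)$, $h = H_2(m, PK_{ID_A}, ID_A)$, $h' = H_2'(m, PK_{ID_A}, ID_A)$
2. Check $e(\sigma, P) \stackrel{?}{=} e(T, PK_{ID_A})\, e(hQ_{ID_A} + h'Q'_{ID_A}, P_{pub})$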
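Added example, not part of the slides or the paper: a toy Python model that checks the algebra of Sign and Verify above, including what happens when the message, public key or identity does not match. It assumes a representation in which a G1 element aP is stored as the scalar a and e(aP, bP) as a·b mod q, so it offers no security at all; the prime q, the SHA-256-based hashes and all function names are assumptions made for illustration.

```python
# Toy model of the scheme's algebra (added example, NOT secure):
# a G1 element aP is stored as the scalar a mod q, and e(aP, bP) is stored
# as a*b mod q (the exponent in G2), so a product in G2 is a sum here.
import hashlib
import secrets

q = 2**127 - 1   # constructed prime group order (assumption)
P = 1            # generator of G1 in the toy representation

def _hash(tag, *parts):
    # Domain-separated hash into [1, q-1]; stands in for H0, H0', H1, H2, H2'.
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1

def pairing(a, b):
    # Bilinear by construction: e(aP, bP) -> a*b mod q.
    return a * b % q

def setup():
    s = secrets.randbelow(q - 1) + 1          # master key s
    return s, s * P % q                       # (s, P_pub = sP)

def extract(s, ID):
    # Partial private key (D, D') = (s*H0(ID), s*H0'(ID)).
    return s * _hash("H0", ID) % q, s * _hash("H0'", ID) % q

def set_keys():
    r = secrets.randbelow(q - 1) + 1          # secret value r
    return r, r * P % q                       # (r, PK = rP)

def _challenge(m, PK, ID):
    return _hash("H1", m, PK, ID), _hash("H2", m, PK, ID), _hash("H2'", m, PK, ID)

def sign(ID, r, SK, m):
    D, Dp = SK
    T, h, hp = _challenge(m, r * P % q, ID)
    return (r * T + h * D + hp * Dp) % q      # sigma = rT + hD + h'D'

def verify(P_pub, ID, PK, m, sigma):
    Q, Qp = _hash("H0", ID), _hash("H0'", ID)
    T, h, hp = _challenge(m, PK, ID)
    # e(sigma, P) ?= e(T, PK) * e(hQ + h'Q', P_pub)
    rhs = (pairing(T, PK) + pairing((h * Q + hp * Qp) % q, P_pub)) % q
    return pairing(sigma, P) == rhs
```

Because the hashes bind m, the public key and the identity, a signature checked against a replaced public key or a different identity fails the pairing equation.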


Security analysis

• Our short certificateless signature scheme is existentially unforgeable against a super Type I adversary in the random oracle model under the CDH assumption.

• Our short certificateless signature scheme is existentially unforgeable against a super Type II adversary in the random oracle model under the CDH assumption.


Conclusions

• Choi et al. introduce an improved scheme that withstands Shim’s attack.

• The major inspiration is the two components of the partial-private-key.

• This scheme is existentially unforgeable under the CDH assumption against both super Type I and super Type II adversaries.