A New Provably Secure A New Provably Secure Certificateless Signature Certificateless Signature SchemeScheme
Date : 2010.3.16Reporter:Chien-Wen Huang出處 :2008 IEEE International Conference on Communications (ICC 2008),vol.4
1
OutlineOutline1. INTRODUCTION
2. PERLIMINARIES
3. OUR CERTIFICATELESS SIGNATURE SCHEME
4. SECURITY PROOF
5. CONCLUSIONS2
INTRODUCTIONINTRODUCTION Identity-based public key cryptography(ID-PKC)
◦ was first introduced by Shamir in 1984.◦ Have the key escrow problem.
Certificateless public key cryptography(CL-PKC)◦ Al-Riyami et al.“Certificateless public key
cryptography. ”Asiacrypt2003,LNCS.◦ Huang et al.[9]“Certificateless signature revisited.
”ACISP 2007, LNCS. X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu.
Certificateless signature revisited. ACISP 2007, LNCS, vol. 4586,
pages 308-322, Springer-Verlag, 2007.
◦ Zhang et al.[17]“Certificateless public-key signature: security model and efficient construction.”ACNS 2006, LNCS.
3
INTRODUCTIONINTRODUCTIONRelated Works
◦Type I/II Adversary- Normal: under the original public key
from the target signer.
Strong: under the replaced public key.(supply the secret value corresponding to the replaced public key)
4
INTRODUCTIONINTRODUCTIONSuper:under the public key chosen by himself without supplying the secret value corresponding to the public key.
◦there are only a few CLS schemes secure[9],[17] against a super type I/II adversary.
5
INTRODUCTIONINTRODUCTIONOur Contribution:
◦the CLS(certificateless signature) scheme requires only two pairing operations.
◦The signature length of new scheme is 2/3 of Huang et al’s scheme.
◦super Type I/II adversary-proved secure in the strongest security model of CLS. 6
PERLIMINARIESPERLIMINARIESA. Bilinear Maps
◦Let G1 be an additive group of prime order q.
◦Let G2 be a multiplicative group of the same order.
◦ 1.Bilinear:2.Non-degeneracy: 3.Computable: There exists an efficient
algorithm to compute
211: GGGe
.Z, a,bGP,Qe(P,Q)e(aP, bQ) *q
ab 1
.e(P,Q) GP,Q 1 s.t. 1
1,any for GQPe(P,Q) 7
PERLIMINARIESPERLIMINARIESB. Framework of Certificateless Signature
Schemes◦Setup
input: a security parameter output: a master-key,system parameters params.
◦Partial-Private-Key-Extractinput: ID,params,master-keyoutput: user’s partial private key .
◦Set-Secret-Valueinput: ID,params output: user’s secret value
IDx
IDD
8
PERLIMINARIESPERLIMINARIES◦Set-Public-Key
input: ID,params,output: public key
◦Signaccepts(params, ,ID, , , )to produce a
signature on message .
◦Verify ( , ,params,ID, ) if the signature is valid or not.
IDx
IDP
M IDP IDDIDx
M IDP
M
9
PERLIMINARIESPERLIMINARIESC.Adversarial Model of Certificateless
Signature Schemes◦the following two games between a challenger
C and an adversary AI or AII .
Game 1 (for Type I Adversary)Setup:C runs the Setup algorithm
1. Input: a security parameter 2. obtain:a master-key,system parameters params
10
PERLIMINARIESPERLIMINARIESAttack:
Partial-Private-Key Queries PPK( )AI request: the partial private key of any user’s
identityC output: the partial private key
Public-Key Queries PK( )AI request: the public key of a user’s identity
C output: the public key
Secret-Value Queries SV( )AI request:the secret value of a user’s identity
C output:the secret value (if PK replaced,output )
iID
iID
iIDiD
iID
iID
iID
ix ⊥
11
PERLIMINARIESPERLIMINARIESPublic-Key-Replacement Queries PKR( , )AI can choose a new public key as the public key of
this user.C will record this replacement.
Sign Queries S( )On receiving a query S( ),C generates a signature (AI need not supply the secret value)
Forgery:AI outputs1. is a valid signature on under and 2. AI has never requested the Partial-Private-Key(of user’s
)3. S( )has never been submitted
12
iID 'iP
'iP
iii PIDM ,,
iii PIDM ,, i
)( *ID
*** , P, ID, σM* *ID *ID
P
*ID*,, **
IDPIDM
WIN!!
*M
PERLIMINARIESPERLIMINARIESGame 2 (for Type II Adversary )Setup:C runs the Setup algorithm
1. Input: a security parameter 2. obtain:a master-key,system parameters params
Attack:Public-Key Queries PK( )
AII request: the public key of a user’s identity
C output: the public key
Secret-Value Queries SV( )AII choose a user and request the secret value
C output:the secret value (if PK replaced,output ) 13
iID
iID
iID
iID
ix ⊥
iP
PERLIMINARIESPERLIMINARIESPublic-Key-Replacement Queries PKR( , )
AII can choose a new public key as the public key of this user.
Sign Queries S( ) On receiving a query S( ),C replies a
signature (AII need not supply the secret value)
Forgery: AII outputs1. is a valid signature on under and2. AII has never requested the Secret-Value (of user’s )
3. AII has not requested PKR query on
4. S( )has never been queried
14
iID 'iP
'iP
iii PIDM ,,
iii PIDM ,,
i)( *ID
*** , P, ID, σM**M *ID
*IDP *ID
*ID
WIN!!
*,, **
IDPIDM
OUR CERTIFICATELESS OUR CERTIFICATELESS SIGNATURE SCHEMESIGNATURE SCHEME
A. An Efficient Construction◦Setup1.Given a security parameter ,2.chooses a master-key and set3. , ,4.params= ,
◦Partial-Private-Key-Extract1.input: params,master-key ,
Computes 2.Outputs:users partial private key
211: GGGe *qZ PPT
1*
1 }1,0{: GH **2 }1,0{: qZH **
3 }1,0{: qZH ),,,,,,,( 32121 HHHPPeGG T
*}1,0{M
*}1,0{iID
31 )||( PIDHQ ii
ii QD
15
OUR CERTIFICATELESS OUR CERTIFICATELESS SIGNATURE SCHEMESIGNATURE SCHEME
◦Set-Secret-Value input: params, output: as the users secret value.
◦Set-Public-Key input: params, , output: the user’s public key
◦Sign input:
1.Choose a random ,compute 2.Compute3.Compute 4.Output on .
iID*qi Zx
iID*qi Zx
PxP ii
iiii PIDxDM ,, uesecert val,key private partial,*qZr rPR
||M)(R||PH||M),(R||PHu ii 32
iii DQruxV )(),( VR M
16
OUR CERTIFICATELESS OUR CERTIFICATELESS SIGNATURE SCHEMESIGNATURE SCHEME
◦VerifyTo verify a signature on a message for an
identity and public key .
1.Compute , 2. Verify
M iID
iP
)||(1 PIDHQ ii ||M)(R||PHu i2 ||M)(R||PH i3,
),(),(?
iTi QRPuPePVe
17
OUR CERTIFICATELESS OUR CERTIFICATELESS SIGNATURE SCHEMESIGNATURE SCHEME
B. Comparison
P: pairing operation.
S: a scalar multiplication in G1.
H: a MapToPoint hash operation.E: an exponentiation in G2.
SL:signature length.PKL:signature length.P1:the length of a point in G1.
Z1:the length of a point in*qZ 18
SECURITY PROOFSECURITY PROOFTheorem :unforgeable against a super typeI/II adversary
in the random oracle model(CDH problem is intractable.)TypeI proof:
Let C be a CDH attacker who receives a random instance (P,aP,bP) and to compute the value of abP.( C can use AI to solve the CDH problem.)
C sets PT = aP,selects params=(G1,G2, e, P, PT,H1,H2,H3) to AI.
H1 Queries:AI can make at most qH1 times H1 queries,C chooses J∈[1,qH1].C maintains an initially empty list H1 of tuples(IDj,αj,Qj).On receiving a new query H1(IDi||P),
1) If i = J, set Qi = bP ,add(IDi,⊥,Qi)to H1 and return Qi as answer.
2)Otherwise ,pick at random,set ,add (IDi,αi,Qi)to H1 and return Qi as answer. 19
*qi Z PQ ii
H2 Queries: C keeps an initially empty list H2 of tuples( ).AI issues a query( )to H2,If the query is new,C selects a random adds( )to H2 and returns as answer.
H3 Queries: AI issues a query( )to H3,for a new query,C selects a random adds( )to H2 and returns as answer.
Partial-Private-Key Queries: C keeps an initially empty list K of tuples( ).Whenever AI issues a query PPK( ).If the query is new,C does the following.
1) If ,abort.2)Else if there’s a tuple( ) on K
a) If( )on H1,set and return as answer.
b) Otherwise,first make an H1 query on(IDi||P), to
generate( ),then set and return as answer. 20
jjjj uMPR ,,, iii MPR ||||*qi Zu
iiii uMPR ,,,
iu
iii MPR ||||
iiii uMPR ,,,
*qi Zv
iv
jjjj PDxID ,,, iID
Ji IDID
iiii PDxID ,,,
iii QID ,, Tii PD iD
iii QID ,, Tii PD iD
3) Otherwise,do the following.a) If a tuple( ) on H1,compute ,set
,return as answer and add ( )to K.
b) Else,generate the tuple( )to simulates the random oracle H1,after the same way as a).
Public-Key Queries: receiving a query PK(IDi),the
current public key from K will be given.Otherwise,C does as follows.
1) If a tuple ( )on K,choose ,compute,return as answer and update to ( ).2) Otherwise,choose ,set , and add
the tuple to K.
21
iii QID ,,
Tii PD ii Px iD
iiii PDxID ,,,
iii QID ,,
iiii PDxID ,,,*'qi Zx PxP ii
'' 'iP
'' ,,, iiii PDxID*qi Zx PxP ii iD
Secret-Value Queries:receiving a query SV( ),if the public key has been replaced,C returns .Otherwise,if a tuple( )on K,C returns as answer;else,C first makes PK( ) then returns as answer.
Public-Key-Replacement Queries: AI choose a new public key for the user’s identity( ).On receiving a query PKR( , ),C first finds the tuple( ) on K,then C updates to .
Sign Queries: On receive a Sign query S( ), denotes the public key chosen by AI ,C generates the signature as follows.
1)Choose ,set2)Set , 3)Compute and output 22
iID
iiii PDxID ,,, ixix
iIDiID '
iP iiii PDxID ,,,'
iP iP
iii PIDM ,, iP
*,, qiii Zrvu )( Tiiiii PvPuPrR
iiii u) ||M||P(RH 2 iiii v)||M||P(RH 3
)||(1 PIDHrV iii .,VRσ iii )(
iID
Forgery: Finally, AI returns a successful forgery
If ,C aborts.
Type II proof:Let C be a CDH attacker who receives a random instance (P,aP,bP) and to compute the value of abP.( C can use AI to solve the CDH problem.)
C sets PT = aP,selects params=(G1,G2, e, P, PT,H1,H2,H3) to AI.
Public-Key Queries:C keeps an initially empty list K of tuples(IDj,xj,Pj)
For a new query,if ,C return as answer and adds
to K;else,C picks ,compute add to K
and return . 23
),),,(,( ******
IDPIDVRM
JIDID *
Ji IDID PxP ii
*qi Zx PxP ii ),,( iii PxID
iP
),,( ii PID
Secret-Value Queries: On receiving a query SV( ), if the public key of
has been replaced, C returns ⊥;otherwise, if , C aborts; else if a tuple on K, C returns as answer; else, C first makes PK( ), then recovers the tuple from K, returns .
Public-Key-Replacement Queries: AII can choose a new public key for the user’s identity .On receiving a query PKR( )if , C aborts; otherwise, C finds the tuple on K and updates to .
24
iIDiID
Ji IDID ),,( iii PxID
ix iID),,( iii PxID
ix
iID', ii PID
Ji IDID ),,( iii PxID
iP
'iP
CONCLUSIONSCONCLUSIONSOnly two pairing operations are
required in signing and verification.
It is more efficient than the other CLS schemes achieving the same security level.
25