
A New Provably Secure Certificateless Signature Scheme
Date: 2010.3.16
Reporter: Chien-Wen Huang
Source: 2008 IEEE International Conference on Communications (ICC 2008), vol. 4
Outline
1. INTRODUCTION
2. PRELIMINARIES
3. OUR CERTIFICATELESS SIGNATURE SCHEME
4. SECURITY PROOF
5. CONCLUSIONS
INTRODUCTION

• Identity-based public key cryptography (ID-PKC)
◦ was first introduced by Shamir in 1984.
◦ has the key escrow problem.

• Certificateless public key cryptography (CL-PKC)
◦ Al-Riyami et al. "Certificateless public key cryptography." Asiacrypt 2003, LNCS.
◦ Huang et al. [9] "Certificateless signature revisited." ACISP 2007, LNCS.
  X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu. Certificateless signature revisited. ACISP 2007, LNCS, vol. 4586, pages 308-322, Springer-Verlag, 2007.
◦ Zhang et al. [17] "Certificateless public-key signature: security model and efficient construction." ACNS 2006, LNCS.
INTRODUCTION

• Related Works
◦ Type I/II adversary:
  Normal: under the original public key from the target signer.
  Strong: under the replaced public key (supplies the secret value corresponding to the replaced public key).
  Super: under a public key chosen by himself, without supplying the secret value corresponding to that public key.
◦ There are only a few CLS schemes secure [9], [17] against a super Type I/II adversary.
INTRODUCTION

• Our Contribution:
◦ The CLS (certificateless signature) scheme requires only two pairing operations.
◦ The signature length of the new scheme is 2/3 of Huang et al.'s scheme.
◦ Proved secure against a super Type I/II adversary, the strongest security model of CLS.
PRELIMINARIES

• A. Bilinear Maps
◦ Let $G_1$ be an additive group of prime order $q$.
◦ Let $G_2$ be a multiplicative group of the same order.
◦ $e : G_1 \times G_1 \to G_2$
1. Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$.
2. Non-degeneracy: there exist $P, Q \in G_1$ s.t. $e(P, Q) \neq 1$.
3. Computable: there exists an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.
PRELIMINARIES

• B. Framework of Certificateless Signature Schemes
◦ Setup
  input: a security parameter $l$
  output: a master-key, system parameters params.
◦ Partial-Private-Key-Extract
  input: $ID$, params, master-key
  output: user's partial private key $D_{ID}$.
◦ Set-Secret-Value
  input: $ID$, params
  output: user's secret value $x_{ID}$.
◦ Set-Public-Key
  input: $ID$, params, $x_{ID}$
  output: public key $P_{ID}$.
◦ Sign
  accepts (params, $ID$, $P_{ID}$, $x_{ID}$, $D_{ID}$) to produce a signature $\sigma$ on message $M$.
◦ Verify
  input: ($M$, $\sigma$, params, $ID$, $P_{ID}$)
  output: whether the signature is valid or not.
PRELIMINARIES

• C. Adversarial Model of Certificateless Signature Schemes
◦ The following two games are played between a challenger $C$ and an adversary $A_I$ or $A_{II}$.
Game 1 (for Type I Adversary)
Setup: $C$ runs the Setup algorithm
1. Input: a security parameter $l$
2. Obtain: a master-key, system parameters params
Attack:
Partial-Private-Key Queries PPK($ID_i$)
  $A_I$ request: the partial private key of any user's identity $ID_i$
  $C$ output: the partial private key $D_i$
Public-Key Queries PK($ID_i$)
  $A_I$ request: the public key of a user's identity $ID_i$
  $C$ output: the public key $P_i$
Secret-Value Queries SV($ID_i$)
  $A_I$ request: the secret value of a user's identity $ID_i$
  $C$ output: the secret value $x_i$ (if the public key has been replaced, output $\bot$)
Public-Key-Replacement Queries PKR($ID_i$, $P_i'$)
  $A_I$ can choose a new public key $P_i'$ as the public key of this user. $C$ will record this replacement.
Sign Queries S($M_i$, $ID_i$, $P_i$)
  On receiving a query S($M_i$, $ID_i$, $P_i$), $C$ generates a signature $\sigma_i$ ($A_I$ need not supply the secret value).
Forgery: $A_I$ outputs $(M^*, \sigma^*, ID^*, P_{ID^*})$
1. $\sigma^*$ is a valid signature on $M^*$ under $ID^*$ and $P_{ID^*}$
2. $A_I$ has never requested the Partial-Private-Key of user $ID^*$
3. S($M^*$, $ID^*$, $P_{ID^*}$) has never been submitted
WIN!!
PRELIMINARIES
Game 2 (for Type II Adversary)
Setup: $C$ runs the Setup algorithm
1. Input: a security parameter $l$
2. Obtain: a master-key, system parameters params
Attack:
Public-Key Queries PK($ID_i$)
  $A_{II}$ request: the public key of a user's identity $ID_i$
  $C$ output: the public key $P_i$
Secret-Value Queries SV($ID_i$)
  $A_{II}$ chooses a user $ID_i$ and requests the secret value $x_i$
  $C$ output: the secret value $x_i$ (if the public key has been replaced, output $\bot$)
Public-Key-Replacement Queries PKR($ID_i$, $P_i'$)
  $A_{II}$ can choose a new public key $P_i'$ as the public key of this user.
Sign Queries S($M_i$, $ID_i$, $P_i$)
  On receiving a query S($M_i$, $ID_i$, $P_i$), $C$ replies with a signature $\sigma_i$ ($A_{II}$ need not supply the secret value).
Forgery: $A_{II}$ outputs $(M^*, \sigma^*, ID^*, P_{ID^*})$
1. $\sigma^*$ is a valid signature on $M^*$ under $ID^*$ and $P_{ID^*}$
2. $A_{II}$ has never requested the Secret-Value of user $ID^*$
3. $A_{II}$ has not requested a PKR query on $ID^*$
4. S($M^*$, $ID^*$, $P_{ID^*}$) has never been queried
WIN!!
OUR CERTIFICATELESS SIGNATURE SCHEME

• A. An Efficient Construction
◦ Setup
1. Given a security parameter $l$, $e : G_1 \times G_1 \to G_2$
2. Chooses a master-key $s \in \mathbb{Z}_q^*$ and sets $P_T = sP$
3. $H_1 : \{0,1\}^* \to G_1$, $H_2 : \{0,1\}^* \to \mathbb{Z}_q^*$, $H_3 : \{0,1\}^* \to \mathbb{Z}_q^*$
4. params $= (G_1, G_2, e, P, P_T, H_1, H_2, H_3)$, $M \in \{0,1\}^*$
◦ Partial-Private-Key-Extract
1. input: params, master-key $s$, $ID_i \in \{0,1\}^*$. Computes $Q_i = H_1(ID_i \| P)$
2. Outputs: user's partial private key $D_i = sQ_i$
OUR CERTIFICATELESS SIGNATURE SCHEME
◦ Set-Secret-Value
  input: params, $ID_i$
  output: $x_i \in \mathbb{Z}_q^*$ as the user's secret value.
◦ Set-Public-Key
  input: params, $ID_i$, $x_i \in \mathbb{Z}_q^*$
  output: the user's public key $P_i = x_iP$
◦ Sign
  input: $M$, partial private key $D_i$, secret value $x_i$, $ID_i$, $P_i$
1. Choose a random $r \in \mathbb{Z}_q^*$, compute $R = rP$
2. Compute $u = H_2(R \| P_i \| M)$, $v = H_3(R \| P_i \| M)$
3. Compute $V = (ux_i + r)Q_i + vD_i$
4. Output $\sigma = (R, V)$ on $M$.
OUR CERTIFICATELESS SIGNATURE SCHEME
◦ Verify
  To verify a signature $\sigma = (R, V)$ on a message $M$ for an identity $ID_i$ and public key $P_i$:
1. Compute $Q_i = H_1(ID_i \| P)$, $u = H_2(R \| P_i \| M)$, $v = H_3(R \| P_i \| M)$
2. Verify $e(V, P) \stackrel{?}{=} e(uP_i + vP_T + R, Q_i)$
OUR CERTIFICATELESS SIGNATURE SCHEME

• B. Comparison
P: pairing operation.
S: a scalar multiplication in $G_1$.
H: a MapToPoint hash operation.
E: an exponentiation in $G_2$.
SL: signature length.
PKL: public key length.
P1: the length of a point in $G_1$.
Z1: the length of an element of $\mathbb{Z}_q^*$.
SECURITY PROOF
Theorem: unforgeable against a super Type I/II adversary in the random oracle model (assuming the CDH problem is intractable).
• Type I proof:
  Let $C$ be a CDH attacker who receives a random instance $(P, aP, bP)$ and has to compute the value of $abP$. ($C$ can use $A_I$ to solve the CDH problem.)
• $C$ sets $P_T = aP$ and gives params $= (G_1, G_2, e, P, P_T, H_1, H_2, H_3)$ to $A_I$.
• $H_1$ Queries: $A_I$ can make at most $q_{H_1}$ $H_1$ queries; $C$ chooses $J \in [1, q_{H_1}]$. $C$ maintains an initially empty list $H_1$ of tuples $(ID_j, \alpha_j, Q_j)$. On receiving a new query $H_1(ID_i \| P)$:
1) If $i = J$, set $Q_i = bP$, add $(ID_i, \bot, Q_i)$ to $H_1$ and return $Q_i$ as answer.
2) Otherwise, pick $\alpha_i \in \mathbb{Z}_q^*$ at random, set $Q_i = \alpha_i P$, add $(ID_i, \alpha_i, Q_i)$ to $H_1$ and return $Q_i$ as answer.

• $H_2$ Queries: $C$ keeps an initially empty list $H_2$ of tuples $(R_j, P_j, M_j, u_j)$. $A_I$ issues a query $(R_i \| P_i \| M_i)$ to $H_2$. If the query is new, $C$ selects a random $u_i \in \mathbb{Z}_q^*$, adds $(R_i, P_i, M_i, u_i)$ to $H_2$ and returns $u_i$ as answer.
• $H_3$ Queries: $A_I$ issues a query $(R_i \| P_i \| M_i)$ to $H_3$. For a new query, $C$ selects a random $v_i \in \mathbb{Z}_q^*$, adds $(R_i, P_i, M_i, v_i)$ to $H_3$ and returns $v_i$ as answer.
• Partial-Private-Key Queries: $C$ keeps an initially empty list $K$ of tuples $(ID_j, x_j, D_j, P_j)$. Whenever $A_I$ issues a query PPK($ID_i$), if the query is new, $C$ does the following.
1) If $ID_i = ID_J$, abort.
2) Else if there is a tuple $(ID_i, x_i, D_i, P_i)$ on $K$:
  a) If $(ID_i, \alpha_i, Q_i)$ is on $H_1$, set $D_i = \alpha_i P_T$ and return $D_i$ as answer.
  b) Otherwise, first make an $H_1$ query on $(ID_i \| P)$ to generate $(ID_i, \alpha_i, Q_i)$, then set $D_i = \alpha_i P_T$ and return $D_i$ as answer.
3) Otherwise, do the following.
  a) If a tuple $(ID_i, \alpha_i, Q_i)$ is on $H_1$, compute $D_i = \alpha_i P_T$, set $x_i = P_i = \bot$, return $D_i$ as answer and add $(ID_i, x_i, D_i, P_i)$ to $K$.
  b) Else, generate the tuple $(ID_i, \alpha_i, Q_i)$ by simulating the random oracle $H_1$, then proceed in the same way as a).
• Public-Key Queries: On receiving a query PK($ID_i$), if the public key of $ID_i$ is already defined in $K$, the current public key from $K$ will be given. Otherwise, $C$ does as follows.
1) If a tuple $(ID_i, x_i, D_i, P_i)$ is on $K$, choose $x_i' \in \mathbb{Z}_q^*$, compute $P_i' = x_i'P$, update $(ID_i, x_i, D_i, P_i)$ to $(ID_i, x_i', D_i, P_i')$ and return $P_i'$ as answer.
2) Otherwise, choose $x_i \in \mathbb{Z}_q^*$, set $P_i = x_iP$, $D_i = \bot$, add the tuple $(ID_i, x_i, D_i, P_i)$ to $K$ and return $P_i$.
• Secret-Value Queries: On receiving a query SV($ID_i$), if the public key of $ID_i$ has been replaced, $C$ returns $\bot$. Otherwise, if a tuple $(ID_i, x_i, D_i, P_i)$ is on $K$, $C$ returns $x_i$ as answer; else, $C$ first makes PK($ID_i$) and then returns $x_i$ as answer.
• Public-Key-Replacement Queries: $A_I$ chooses a new public key $P_i'$ for the user's identity $ID_i$. On receiving a query PKR($ID_i$, $P_i'$), $C$ first finds the tuple $(ID_i, x_i, D_i, P_i)$ on $K$, then updates $P_i$ to $P_i'$.
• Sign Queries: On receiving a Sign query S($M_i$, $ID_i$, $P_i$), where $P_i$ denotes the public key chosen by $A_I$, $C$ generates the signature as follows.
1) Choose $u_i, v_i, r_i \in \mathbb{Z}_q^*$, set $R_i = r_iP - (u_iP_i + v_iP_T)$
2) Set $H_2(R_i \| P_i \| M_i) = u_i$, $H_3(R_i \| P_i \| M_i) = v_i$
3) Compute $V_i = r_i H_1(ID_i \| P)$ and output $\sigma_i = (R_i, V_i)$.
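The construction of slides 15-17 and the simulator's Sign-query answers just above, as one added worked example in Python (my own toy model, not code from the paper or these slides): $G_1$ points are stored as their discrete logs, so the "pairing" is a multiplication mod $q$ and the random oracles $H_1, H_2, H_3$ are dictionaries that the simulator can program. The function names, the oracle tag strings and the toy group order $q = 2^{127}-1$ are my assumptions.

```python
"""Toy model of the CLS scheme: G1 points are stored as their discrete logs base P
(so P = 1), and the pairing is modelled as e(aP, bP) = ab mod q.  Every log is
exposed, so this has no security value; it only checks that the equations balance."""
import hashlib
import secrets

q = 2**127 - 1                 # constructed toy group order (a Mersenne prime)
P = 1                          # generator of G1, represented by its log
_oracle = {}                   # programmable random-oracle tables for H1/H2/H3

def hash_to_zq(tag, *parts):   # {0,1}* -> Z_q^*
    data = tag.encode() + b"".join(str(x).encode() + b"|" for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1

def oracle(tag, *parts):       # random oracle: answer once, then stay consistent
    return _oracle.setdefault((tag,) + parts, hash_to_zq(tag, *parts))

def pairing(A, B):             # e(aP, bP) = ab in the toy G2 (written additively)
    return A * B % q

def setup():                   # master-key s and P_T = sP
    s = secrets.randbelow(q - 1) + 1
    return s, s * P % q

def extract(s, ID):            # partial private key D_i = s * H1(ID_i || P)
    return s * oracle("H1", ID, P) % q

def keygen():                  # secret value x_i and public key P_i = x_i P
    x = secrets.randbelow(q - 1) + 1
    return x, x * P % q

def sign(M, D, x, ID, Pi):
    Q, r = oracle("H1", ID, P), secrets.randbelow(q - 1) + 1
    R = r * P % q
    u, v = oracle("H2", R, Pi, M), oracle("H3", R, Pi, M)
    return R, ((u * x + r) * Q + v * D) % q      # V = (u x_i + r) Q_i + v D_i

def verify(M, sig, ID, Pi, PT):
    (R, V), Q = sig, oracle("H1", ID, P)
    u, v = oracle("H2", R, Pi, M), oracle("H3", R, Pi, M)
    return pairing(V, P) == pairing((u * Pi + v * PT + R) % q, Q)

def simulated_sign(M, ID, Pi, PT):
    # The Type I simulator answers S(M_i, ID_i, P_i) without knowing D_i or x_i
    u, v, r = (secrets.randbelow(q - 1) + 1 for _ in range(3))
    R = (r * P - (u * Pi + v * PT)) % q          # R_i = r_i P - (u_i P_i + v_i P_T)
    keys = (("H2", R, Pi, M), ("H3", R, Pi, M))
    if any(k in _oracle for k in keys):          # point already queried: retry
        return simulated_sign(M, ID, Pi, PT)
    _oracle[keys[0]], _oracle[keys[1]] = u, v    # program H2 and H3 at this point
    return R, r * oracle("H1", ID, P) % q        # V_i = r_i H1(ID_i || P)
```

Because simulated_sign only needs $P_i$, $P_T$ and the $H_1$ answer, it also works for a public key the adversary replaced, which is what lets $C$ serve the super Type I adversary's Sign queries.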

• Forgery: Finally, $A_I$ returns a successful forgery $(M^*, \sigma^* = (R^*, V^*), ID^*, P_{ID^*})$. If $ID^* \neq ID_J$, $C$ aborts.
• Type II proof:
  Let $C$ be a CDH attacker who receives a random instance $(P, aP, bP)$ and has to compute the value of $abP$. ($C$ can use $A_{II}$ to solve the CDH problem.)
• $C$ sets $P_T = aP$ and gives params $= (G_1, G_2, e, P, P_T, H_1, H_2, H_3)$ to $A_{II}$.
• Public-Key Queries: $C$ keeps an initially empty list $K$ of tuples $(ID_j, x_j, P_j)$. For a new query, if $ID_i = ID_J$, $C$ returns $P_i$ as answer and adds $(ID_i, \bot, P_i)$ to $K$; else, $C$ picks $x_i \in \mathbb{Z}_q^*$, computes $P_i = x_iP$, adds $(ID_i, x_i, P_i)$ to $K$ and returns $P_i$.
• Secret-Value Queries: On receiving a query SV($ID_i$), if the public key of $ID_i$ has been replaced, $C$ returns $\bot$; otherwise, if $ID_i = ID_J$, $C$ aborts; else if a tuple $(ID_i, x_i, P_i)$ is on $K$, $C$ returns $x_i$ as answer; else, $C$ first makes PK($ID_i$), then recovers the tuple $(ID_i, x_i, P_i)$ from $K$ and returns $x_i$.
• Public-Key-Replacement Queries: $A_{II}$ can choose a new public key $P_i'$ for the user's identity $ID_i$. On receiving a query PKR($ID_i$, $P_i'$), if $ID_i = ID_J$, $C$ aborts; otherwise, $C$ finds the tuple $(ID_i, x_i, P_i)$ on $K$ and updates $P_i$ to $P_i'$.
CONCLUSIONS

• Only two pairing operations are required in signing and verification.
• It is more efficient than the other CLS schemes achieving the same security level.