Multimedia Network Security Laboratory
Anonymous ID Signature Scheme with Provable Identity
Date: 2010.04.02
Reporter: Chien-Wen Huang
Source: 2008 Second International Conference on Future Generation Communication and Networking
Outline
1 Introduction
2 Bilinear Maps and Some Concepts
3 Anonymous ID Signature Scheme with Provable Identity
4 Analysis on the Scheme
5 Conclusion
Introduction
ID-based Public Key Cryptography (ID-PKC)
was first proposed by Shamir in 1984.
Users can communicate securely without
- exchanging public key certificates,
- keeping a public key directory, or using the online service of a third party.
Blind signature scheme
was first proposed by Chaum in 1982.
It protects the privacy of the user effectively.
Identity-based blind signature (IBBS)
Introduction
Blind signature scheme involves
a) blind message signature scheme
The message m is blinded to m'.
Verification of the signature on m would be valid, with no leak of m to the signer.
b) blind parameter signature scheme
sign(m), the signature of message m, could be blinded to sign'(m).
The verification on (m, sign'(m)) would be valid.
Bilinear Maps and Some Concepts
Concepts of Bilinear Maps
Let $G_1$ and $G_2$ be two cyclic groups of prime order $q$.
$G_1$ is an additive group, $G_2$ is a multiplicative group.
1) Bilinear
$e : G_1 \times G_1 \to G_2$ is bilinear if $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in Z_q^*$.
2) Non-degenerate
The map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3) Computable
There is an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.
Bilinear Maps and Some Concepts
Some Difficult Problems
1. Discrete Logarithm Problem
For any $P, Q \in G_1$, finding $n \in Z_q^*$ which satisfies $Q = nP$ is difficult.
2. Decision Diffie-Hellman Problem (DDHP)
For $P, aP, bP, cP \in G_1$ with $a, b, c \in_R Z_q^*$, deciding whether $c \equiv ab \pmod{q}$ is difficult.
3. Computational Diffie-Hellman Problem (CDHP)
For $a, b \in_R Z_q^*$ and $P \in G_1$, given $(P, aP, bP)$, computing $abP$ is difficult.
4. Gap Diffie-Hellman Problem (GDH)
It is easy to decide whether $c \equiv ab \pmod{q}$ and hard to compute $abP$. (Easy to resolve DDHP and hard to resolve CDHP -> $G_1$ is a GDH group)
Anonymous ID Signature Scheme with
Provable Identity
Based on the ID-based blind parameter signature scheme and the BLS short signature scheme.
1) System Parameters Setup
$G_1$ is a GDH group, $G_2$ is a multiplicative cyclic group, $G_1 = \langle P \rangle$, $q = |G_1| = |G_2|$ is a prime, $e : G_1 \times G_1 \to G_2$.
2) System Initialize
Choose $P \in G_1$, $s \in Z_q^*$, and compute $P_{pub} = sP$. Choose
$h : \{0,1\}^* \to Z_q^*$, $h_1 : \{0,1\}^* \to G_1$, $h_2 : G_1 \to Z_q^*$ and $h_3 : G_1 \to \{0,1\}^*$.
The public system parameter is
$(G_1, G_2, e, q, P, P_{pub}, h, h_1, h_2, h_3)$
Anonymous ID Signature Scheme with
Provable Identity
3) Generate Key Pair for Verifying Identity of User
The real identity of the user is $ID$. Compute $Q_{ID} = h_1(ID)$; the corresponding private key is $S_{ID} = sQ_{ID}$.
4) Generate Key Pair for Signing
Use $a \in_R Z_q^*$ as the private key. The corresponding public key is $U = aP$.
5) Generate Anonymous Identity of User
a) User sends $(ID, U)$ to KGC.
b) KGC chooses $k \in_R Z_q^*$, computes $U' = kU$ and
$S' = k^{-1}(h_2(U') S_{ID} + h(ID) P_{ID})$, then sends $(U', S')$ to the user.
c) User computes $S = a^{-1} S'$, and $(U', S)$ is the blind parameter signature.
$ID' = h_3(S)$
Anonymous ID Signature Scheme with
Provable Identity
6) Verify Anonymous Identity of User
When doubt appears, the user submits the evidence information $(ID, U', S, ID')$ to KGC.
KGC computes $Q_{ID} = h_1(ID)$ and checks whether the following formula holds:
$e(U', S) = e(P_{pub}, Q_{ID})^{h_2(U')} \, e(P, P_{pub})^{h(ID)}$
If it holds, then compute $ID_1' = h_3(S)$.
7) Message Sign
a) Maps $m$ to $G_1$: $h_1(m) \in G_1$.
b) Computes $T = a h_1(m)$, so the signature is $(m, T, ID)$.
8) Signature Verification
Receives the signature $(m, T, ID)$ and obtains the user's public key $U$, then checks whether the following formula holds: $e(T, P) = e(h_1(m), U)$
Analysis on the Scheme
Theorem 1 Verification for anonymous identity satisfies correctness.
Proof:
$e(U', S) = e(kU, a^{-1} S') = \dots = e(P_{pub}, Q_{ID})^{h_2(U')} \, e(P, P_{pub})^{h(ID)}$
Theorem 2 Signature Verification satisfies correctness.
Proof: $e(T, P) = e(a h_1(m), P) = e(h_1(m), aP) = e(h_1(m), U)$
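A toy run of steps 2 to 8 that checks the two correctness equations of Theorems 1 and 2, added here as an example and not taken from the slides or the paper. It stores each G1 element as a scalar modulo a small constructed prime (insecure, algebra only), uses SHA-256 stand-ins for h, h1, h2 and h3, and assumes the term written P_ID in step 5b is P_pub, the value that makes the step 6 equation balance; all function names are hypothetical.

```python
import hashlib, secrets

# Toy model, NOT secure: the G1 element xP is stored as the scalar x mod q, so
# discrete logs in G1 are trivial. It only lets the algebra of steps 2-8 run.
q = 1019                 # constructed toy prime, order of G1 and G2
p = 2 * q + 1            # 2039 is prime, so Z_p^* has a subgroup of order q
g = 4                    # generates that subgroup; G2 = <g>
P = 1                    # generator of G1 in scalar form

def e(X, Y):             # e(xP, yP) = g^(xy), bilinear and non-degenerate
    return pow(g, X * Y % q, p)

def H(tag, data):        # hash into Z_q^*; stands in for h, h1 and h2
    d = hashlib.sha256(tag + b"|" + data).digest()
    return int.from_bytes(d, "big") % (q - 1) + 1

def h2(X):               # h2 takes a G1 element
    return H(b"h2", str(X).encode())

def h3(X):               # h3: G1 -> {0,1}*
    return hashlib.sha256(str(X).encode()).hexdigest()

def rand():              # uniform element of Z_q^*
    return secrets.randbelow(q - 1) + 1

def kgc_issue(s, ID, U):                       # step 5b, run by the KGC
    k, P_pub = rand(), s * P % q
    U1 = k * U % q                             # U' = kU
    S_ID = s * H(b"h1", ID) % q                # S_ID = s * Q_ID
    # Assumption: the term after h(ID) is P_pub, which makes step 6 balance.
    S1 = pow(k, -1, q) * (h2(U1) * S_ID + H(b"h", ID) * P_pub) % q
    return U1, S1                              # (U', S')

def unblind(a, S1):                            # step 5c, run by the user
    S = pow(a, -1, q) * S1 % q                 # S = a^-1 S'
    return S, h3(S)                            # (S, ID')

def verify_identity(P_pub, ID, U1, S):         # step 6 equation
    rhs = pow(e(P_pub, H(b"h1", ID)), h2(U1), p) * pow(e(P, P_pub), H(b"h", ID), p) % p
    return e(U1, S) == rhs

def sign(a, m):                                # step 7: T = a * h1(m)
    return a * H(b"h1", m) % q

def verify(m, T, U):                           # step 8: e(T, P) == e(h1(m), U)
    return e(T, P) == e(H(b"h1", m), U)
```

With any other choice for that second term the step 6 check fails for an honestly issued (U', S), which is a quick way to test a reading of step 5b.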
Analysis on the Scheme
Theorem 3 This scheme satisfies blindness.
Proof:
1. The user's anonymous $ID'$ comes from the blinded signature generated by KGC.
2. When doubt appears, KGC cannot get the private key $a$ from $(ID, U', S, ID')$, even if it has $U = aP$.
Theorem 4 This scheme satisfies anonymity of identity.
Proof:
Because $S = a^{-1} S'$, KGC cannot get $S$, so it can't compute the anonymous $ID' = h_3(S)$.
Conclusion
Shortcoming: when doubt appears (the anonymous identity would be leaked to KGC), the user can't use it any longer. Applying for another anonymous identity would increase the user's costs in some aspects.
Future work: resolve the invalidation problem of the anonymous identity after identity verification.