Multimedia Network Security Laboratory
Anonymous ID Signature Scheme with Provable Identity
Date: 2010.04.02
Reporter: Chien-Wen Huang
Source: 2008 Second International Conference on Future Generation Communication and Networking
Outline
1. Introduction
2. Bilinear Maps and Some Concepts
3. Anonymous ID Signature Scheme with Provable Identity
4. Analysis on the Scheme
5. Conclusion
Introduction
ID-based Public Key Cryptography (ID-PKC)
- was first proposed by Shamir in 1984.
- users can communicate securely without
  - exchanging public key certificates,
  - keeping a public key directory, or using an online service of a third party.
Blind signature scheme
- was first proposed by Chaum in 1982.
- protects the privacy of the user effectively.
Identity-based blind signature (IBBS)

Blind signature schemes involve
a) blind message signature scheme
- message m is blinded to m'.
- verification: the signature on m would be valid with no leak of m to the signer.
b) blind parameter signature scheme
- sign(m), the signature of message m, could be blinded to sign'(m).
- the verification on (m, sign'(m)) would be valid.
Bilinear Maps and Some Concepts
Concepts of Bilinear Maps
- Let $G_1$ and $G_2$ be two cyclic groups of prime order $q$.
- $G_1$ is an additive group, $G_2$ is a multiplicative group.
1) Bilinear
$e : G_1 \times G_1 \to G_2$ is bilinear if $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in Z_q^*$.
2) Non-degenerate
The map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3) Computable
There is an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.

Some Difficult Problems
1. Discrete Logarithm Problem
For any $P, Q \in G_1$, finding $n \in Z_q^*$ which satisfies $Q = nP$ is difficult.
2. Decision Diffie-Hellman Problem (DDHP)
For $P, aP, bP, cP \in G_1$ with $a, b, c \in_R Z_q^*$, deciding whether $c \equiv ab \pmod{q}$ is difficult.
3. Computational Diffie-Hellman Problem (CDHP)
For $a, b \in_R Z_q^*$ and $P \in G_1$, given $(P, aP, bP)$, computing $abP$ is difficult.
4. Gap Diffie-Hellman Problem (GDH)
It is easy to decide whether $c \equiv ab \pmod{q}$ and hard to compute $abP$. (Easy to resolve DDHP and hard to resolve CDHP -> $G_1$ is a GDH group.)
Anonymous ID Signature Scheme with Provable Identity
The scheme is based on the ID-based blind parameter signature scheme and the BLS short signature scheme.
1) System Parameters Setup
$G_1$ is a GDH group, $G_2$ is a multiplicative cyclic group, $G_1 = \langle P \rangle$, $q = |G_1| = |G_2|$ is a prime, and $e : G_1 \times G_1 \to G_2$.
2) System Initialize
Choose $P \in G_1$ and $s \in Z_q^*$, and compute $P_{pub} = sP$. Choose $h : \{0,1\}^* \to Z_q$, $h_1 : \{0,1\}^* \to G_1$, $h_2 : G_1 \to Z_q$ and $h_3 : G_1 \to \{0,1\}^*$.
The public system parameter is $(G_1, G_2, e, q, P, P_{pub}, h, h_1, h_2, h_3)$.
3) Generate Key Pair for Verifying Identity of User
The real identity of the user is $ID$. Compute $Q_{ID} = h_1(ID)$ and the corresponding private key $S_{ID} = sQ_{ID}$.
4) Generate Key Pair for Signing
The user takes $a \in_R Z_q^*$ as the private key. The corresponding public key is $U = aP$.
5) Generate Anonymous Identity of User
a) The user sends $(ID, U)$ to the KGC.
b) The KGC chooses $k \in_R Z_q^*$, computes $U' = kU$ and $S' = k^{-1}(h_2(U') S_{ID} + h(ID) P_{ID})$, then sends $(U', S')$ to the user.
c) The user computes $S = a^{-1} S'$, and $(U', S)$ is the blind parameter signature. The anonymous identity is $ID' = h_3(S)$.
6) Verify Anonymous Identity of User
When doubt appears, the user submits the evidence information $(ID, U', S, ID')$ to the KGC.
The KGC computes $Q_{ID} = h_1(ID)$ and checks whether the following formula holds:
$e(U', S) = e(P_{pub}, Q_{ID})^{h_2(U')} \, e(P, P_{pub})^{h(ID)}$
If it holds, then compute $ID'_1 = h_3(S)$.
7) Message Sign
a) Map $m$ to $G_1$: $h_1(m) \in G_1$.
b) Compute $T = a h_1(m)$, so the signature is $(m, T, ID)$.
8) Signature Verification
The verifier receives the signature $(m, T, ID)$, obtains the user's public key $U$, and checks whether the following formula holds: $e(T, P) = e(h_1(m), U)$
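The following toy run of steps 2 to 8 is an added example, not code from the paper or the slides. It models $G_1$ as $(Z_q, +)$ with a constructed, insecure pairing $e(x, y) = g^{xy} \bmod p$, reads the term written $P_{ID}$ in step 5b as $P_{pub}$ (the reading under which the step 6 equation balances), and assumes the KGC compares $h_3(S)$ with the submitted $ID'$; all function names and parameters are hypothetical.

```python
# Toy model for checking the scheme's algebra only: G1 is (Z_q, +) with P = 1
# and e(x, y) = g^(x*y) mod p. Discrete logs here are trivial: NOT secure.
import hashlib
import secrets

q, p, g = 1019, 2039, 4   # constructed: p = 2q + 1, g has order q mod p
P = 1                     # generator of the toy G1

def e(x, y):              # toy bilinear map: e(aP, bQ) = e(P, Q)^(ab)
    return pow(g, (x * y) % q, p)

def _zq(tag, data):       # hash into Z_q^*; models h, h2 and (as a multiple of P) h1
    d = hashlib.sha256(tag + b"|" + str(data).encode()).digest()
    return int.from_bytes(d, "big") % (q - 1) + 1

def h(ID): return _zq(b"h", ID)
def h1(x): return _zq(b"h1", x)
def h2(U): return _zq(b"h2", U)
def h3(S): return hashlib.sha256(b"h3|" + str(S).encode()).hexdigest()
def rand(): return secrets.randbelow(q - 1) + 1   # uniform in Z_q^*

def setup():                              # step 2: master key s, P_pub = sP
    s = rand()
    return s, s * P % q

def kgc_issue(s, P_pub, ID, U):           # step 5b
    k = rand()
    U1 = k * U % q                        # U' = kU
    S_ID = s * h1(ID) % q                 # S_ID = s * Q_ID
    # Assumption: the slide's "P_ID" term is read as P_pub.
    S1 = pow(k, -1, q) * (h2(U1) * S_ID + h(ID) * P_pub) % q
    return U1, S1

def user_unblind(a, S1):                  # step 5c: S = a^-1 S', ID' = h3(S)
    S = pow(a, -1, q) * S1 % q
    return S, h3(S)

def kgc_verify_identity(P_pub, ID, U1, S, ID_anon):   # step 6
    rhs = pow(e(P_pub, h1(ID)), h2(U1), p) * pow(e(P, P_pub), h(ID), p) % p
    # Assumption: the KGC also compares h3(S) with the submitted ID'.
    return e(U1, S) == rhs and h3(S) == ID_anon

def sign(a, m):                           # step 7: T = a * h1(m)
    return a * h1(m) % q

def verify(U, m, T):                      # step 8: e(T, P) == e(h1(m), U)
    return e(T, P) == e(h1(m), U)
```

Because the blinding factors $k$ and $a$ cancel inside the pairing, the identity check passes for any random choice of them, while shifting $S$ or $T$ by one group element always fails.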
Analysis on the Scheme
Theorem 1: Verification for anonymous identity satisfies correctness.
Proof:
$e(U', S) = e(kU, a^{-1}S') = \ldots = e(P_{pub}, Q_{ID})^{h_2(U')} \, e(P, P_{pub})^{h(ID)}$
Theorem 2: Signature verification satisfies correctness.
Proof: $e(T, P) = e(a h_1(m), P) = e(h_1(m), aP) = e(h_1(m), U)$
Theorem 3: This scheme satisfies blindness.
Proof:
1. The user's anonymous $ID'$ comes from the blinded signature that is generated by the KGC.
2. When doubt appears, the KGC cannot get the private key $a$ from $(ID, U', S, ID')$, even if it has $U = aP$.
Theorem 4: This scheme satisfies anonymity of identity.
Proof:
Because $S = a^{-1}S'$, the KGC cannot get $S$, so it cannot compute the anonymous $ID' = h_3(S)$.
Conclusion
Shortcoming: when doubt appears (the anonymous identity would be leaked to the KGC), the user can't use it any longer. Applying for another anonymous identity would increase the user's costs in some respects.
Future work: resolve the invalidation problem of the anonymous identity after identity verification.