多媒體網路安全實驗室 (Multimedia Network Security Laboratory)
Certificateless Signature Revisited
Date: 2010.6.20
Reporter: Chien-Wen Huang
Authors: Xinyi Huang, Yi Mu, Willy Susilo, Duncan S. Wong, and Wei Wu
Source: ACISP 2007, LNCS 4586, pp. 308–322, 2007
Outline
1. Introduction
2. Certificateless signature
3. Security Models
4. Our Proposed Schemes
5. Comparison
6. Conclusion
Introduction
In a secret-key system:
- a secure channel is needed to transmit the secret key.
In a public-key system:
- each user has a public key and a private key.
ID-PKC (Identity-based public key cryptography)
Parties: Signer (ID), KGC, Verifier.
KGC: holds the "master" public key and the master private key.
Signer (ID) -> KGC: requests a private key.
KGC -> Signer (ID): returns the private key for ID, derived from the master private key.
Sign: σ = PH(ID) + H(M, …)
Verifier: uses ID and the PKG's public key to check the signature.
Assumption: the KGC is completely trusted!!
CL-PKC (Certificateless public key cryptography)
Parties: Signer (ID), KGC, Verifier.
KGC: holds the master public key mpk and issues partial private keys.
Signer (ID) -> KGC: requests a partial private key.
KGC -> Signer (ID): returns the partial private key for ID.
Signer (ID): decides a secret value x_ID and a public key PK (derived using x_ID).
Sign: σ = PH(ID) + x_ID H(M, …)
Verifier: uses ID, the corresponding PK and the PKG's mpk to verify.
The key escrow problem is resolved!!
Certificateless signature
Outline of the Certificateless Signature Schemes
Setup
  input: a security parameter 1^k
  output: a master-secret key msk, a master-public key mpk, system parameters param.
Partial-Private-Key-Extract
  input: ID, param, master-secret key msk, master-public key mpk
  output: partial private key D_ID.
Set-Secret-Value
  input: master-public key mpk, param.
  output: secret value x_ID
Set-Public-Key
  input: master-public key mpk, param, ID and x_ID
  output: public key PK_ID
Sign
  input: mpk, param, ID, x_ID, D_ID and a message M.
  output: a certificateless signature σ
Verify
  input: mpk, param, ID, PK_ID and a message/signature pair (M, σ)
  output: true or false
Adversaries and Oracles
A_I (Type I adversary): can replace the user's public key PK_ID, but is not given this user's partial private key D_ID.
A_II (Type II adversary): knows the master secret key, but cannot replace the target user's public key.
1. Create-User: input a query ID ∈ {0,1}*; the oracle obtains D_ID, PK_ID, x_ID and adds (ID, D_ID, x_ID, PK_ID) to the list L.
2. Public-Key-Replace: input a query (ID, PK'_ID); the oracle replaces user ID's public key PK_ID with PK'_ID and updates the list L. (The adversary is not required to provide the secret value x'_ID used to generate PK'_ID.)
3. Secret-Value-Extract: input a query ID; the oracle browses the list L and returns x_ID (the secret value used to generate ID's original public key PK_ID). It cannot output the secret value associated with a replaced public key PK'_ID.
Security Models
Security Against a Normal Type I Adversary
The attack scenario is as follows:
1. A obtains some pairs (m_i, σ_i) generated using the target user's D_ID and x_ID.
2. The target user keeps x_ID and D_ID secret.
3. A replaces the target user's PK_ID with PK'_ID and dupes any other third party into verifying the user's signatures using PK'_ID.
The game for a signature scheme against a Normal Type I adversary:
Phase 1: the challenger runs Setup and returns mpk, param to A.
Phase 2: A can adaptively access all the oracles, including:
• Partial-Private-Key-Extract: input a query ID; it browses the list L and returns D_ID.
• Normal-Sign: input a query (ID, m); output σ s.t. true ← Verify(m, σ, params, ID, PK_ID).
Phase 3: After all the queries, A outputs a forgery (m*, σ*, ID*). A wins if the forgery satisfies the following requirements:
1. A has never submitted (ID*, m*) to the oracle Normal-Sign.
2. A has never submitted ID* to Partial-Private-Key-Extract or Secret-Value-Extract.
3. true ← Verify(m*, σ*, params, ID*, PK_{ID*}).
• The success probability that A wins the game is denoted Succ^{cma,cida}_{A,normal}.
• Definition 1. The scheme is secure against a (t, q_CU, q_PPK, q_PKR, q_SV, q_NS) Normal Type I adversary A if Succ^{cma,cida}_{A,normal} is negligible.
Security Against a Strong Type I Adversary
A sees some pairs (m_i, σ_i) that are generated by Sign using sv and D_ID.
The only difference from the Normal Type I game is the Strong-Sign oracle.
Phase 1: the challenger runs Setup and returns mpk, param to A.
Phase 2: A can access all the oracles, including:
Strong-Sign: input a query (ID, m, sv).
- If sv = nil, it uses the original secret value x_ID and D_ID to output σ.
- Otherwise, it uses sv and D_ID to generate σ.
Phase 3: After all the queries, A outputs a forgery (m*, σ*, ID*). Let PK_{ID*} be the current public key in the list L. A wins if the forgery satisfies the following requirements:
1. A has never submitted (ID*, m*, sv) to Strong-Sign.
2. A has never submitted ID* to Partial-Private-Key-Extract.
3. true ← Verify(m*, σ*, params, ID*, PK_{ID*}).
The success probability that A wins the game is denoted Succ^{cma,cida}_{A,strong}.
Definition 2. The scheme is secure against a (t, q_CU, q_PPK, q_PKR, q_SV, q_SS) Strong Type I adversary A if Succ^{cma,cida}_{A,strong} is negligible.
Security Against a Super Type I Adversary
A obtains some pairs (m_i, σ_i) with true ← Verify(m_i, σ_i, params, ID, PK_ID) even under a public key of its own choosing; this implies the existence of a black box that can extract x_ID from the public key chosen by A (using x_ID and D_ID to sign).
Phase 1: the challenger runs Setup and returns mpk, param to A.
Phase 2: A can access all the oracles and the Super-Sign oracle:
Super-Sign: input a query (ID, m); output σ s.t. true ← Verify(m, σ, params, ID, PK'_ID), where PK'_ID = PK_ID (the key returned from Create-User) if the public key has not been replaced; otherwise PK'_ID is the key submitted to Public-Key-Replace.
Phase 3: After all the queries, A outputs a forgery (m*, σ*, ID*). Let PK_{ID*} be the current public key in the list L. A wins if the forgery satisfies the following requirements:
1. A has never submitted (ID*, m*) to Super-Sign.
2. A has never submitted ID* to Partial-Private-Key-Extract.
3. true ← Verify(m*, σ*, params, ID*, PK_{ID*}).
• The success probability that A wins the game is denoted Succ^{cma,cida}_{A,super}.
• Definition 3. The scheme is secure against a (t, q_CU, q_PPK, q_PKR, q_SV, q_SS) Super Type I adversary A if Succ^{cma,cida}_{A,super} is negligible.
Type II Adversaries
Divided into: Normal (Normal-Sign), Strong (Strong-Sign) and Super (Super-Sign).
Phase 1: the challenger runs Setup and returns mpk, param to A.
Phase 2: A can access all the oracles (Normal-Sign, …).
Phase 3: After all the queries, A outputs a forgery (m*, σ*, ID*). A wins if the forgery satisfies the following requirements:
1. A has never submitted (ID*, m*) to the sign oracle.
2. A has never submitted ID* to the oracle Secret-Value-Extract.
3. true ← Verify(m*, σ*, params, ID*, PK_{ID*}).
• The success probability that A wins the game is denoted Succ^{cma,cida}_{A}.
• Definition 4. The scheme is secure against a (t, q_CU, q_PKR, q_SV, q_S) Type II adversary A if Succ^{cma,cida}_{A} is negligible.
Malicious-but-Passive KGC Attack
The KGC, which holds the master secret key, is assumed to be malicious from the very beginning (at Setup): the KGC generates its master public/secret key pair maliciously.
Our Proposed Schemes
Bilinear Groups and Security Assumptions
G_1: an additive group of prime order p.
G_T: a multiplicative group of the same order.
P: a generator of G_1.
Discrete Logarithm Problem: given (P, aP) ∈ G_1, find a.
Computational Diffie-Hellman Problem: given elements (P, aP, bP) in G_1, find abP.
Scheme I
Secure against a Normal Type I adversary and a Super Type II adversary.
Setup (security parameter k, with p ≥ 2^k):
1) Let (G_1, G_T) be bilinear groups with |G_1| = |G_T| = p.
2) e : G_1 × G_1 → G_T is a bilinear map.
3) H_0, H_1 : {0,1}* → G_1 are hash functions.
The KGC sets the system's master public key P_pub = sP, keeps the master secret key s, and publishes {G_1, G_T, p, e, P, H_0, H_1, P_pub}.
Partial-Private-Key-Extract: given the user's ID, the KGC computes Q_ID = H_0(ID) and sets D_ID = sQ_ID.
Set-Secret-Value: the user chooses a random number x_ID ∈ Z_p^*.
Set-Public-Key: given x_ID, the user computes PK_ID = x_ID P.
Sign: the user computes σ = D_ID + x_ID H_1(m || ID || PK_ID).
Verify: check e(σ, P) =? e(Q_ID, P_pub) · e(PK_ID, H_1(m || ID || PK_ID)).
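Why the Verify equation holds for an honestly generated signature, as an added derivation (not on the original slides) using only the bilinearity of e and the definitions D_ID = sQ_ID, P_pub = sP, PK_ID = x_ID P; write H for H_1(m || ID || PK_ID):

$$e(\sigma, P) = e(D_{ID} + x_{ID} H,\; P) = e(sQ_{ID}, P)\, e(x_{ID} H, P) = e(Q_{ID}, sP)\, e(x_{ID} P, H) = e(Q_{ID}, P_{pub})\, e(PK_{ID}, H)$$

The verifier needs neither s nor x_ID: the first factor is anchored to the KGC's P_pub (so the KGC-issued D_ID must have been used), the second to the user's PK_ID (so the user's x_ID must have been used), which is exactly why a Type I adversary that replaces PK_ID but lacks D_ID cannot satisfy the equation.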
Security Analysis of Scheme I
Theorem 1.
$$\mathrm{Succ}^{\mathrm{CDH}}_{B,G_1} \;\ge\; \left(1-\frac{1}{q_{CU}}\right)^{q_{PPK}+q_{SV}} \left(1-\frac{1}{q_{NS}+1}\right)^{q_{NS}} \frac{1}{q_{CU}\,(q_{NS}+1)}\; \mathrm{Succ}^{cma,cida}_{A,normal}$$
Theorem 2.
$$\mathrm{Succ}^{\mathrm{CDH}}_{B,G_1} \;\ge\; \left(1-\frac{1}{q_{CU}}\right)^{q_{SV}} \left(1-\frac{1}{q_{SS}+1}\right)^{q_{SS}} \frac{1}{q_{CU}\,(q_{SS}+1)}\; \mathrm{Succ}^{cma,cida}_{A,super}$$
Scheme II
Secure against a Super Type I and Type II adversary.
H_1 : {0,1}* → Z_p^*
Sign: for a message m, the user computes (u, v, W) from random r_1, r_2:
- u = H_1(m || ID || PK_ID || r_1 P || e(P, P)^{r_2})
- v = r_1 + u x_ID (mod p), W = r_2 P + u D_ID
Verify: given a pair (m, (u, v, W)) and PK_ID, anyone can check
u =? H_1(m || ID || PK_ID || vP − u PK_ID || e(W, P) · e(Q_ID, P_pub)^{−u})
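How the verifier of Scheme II recovers the two commitments that went into the hash, as an added derivation (not on the original slides); it also explains the two subtractions in the Verify line, which are easy to lose when reading the formula:

$$vP - u\,PK_{ID} = (r_1 + u x_{ID})P - u\,x_{ID}P = r_1 P$$
$$e(W, P)\, e(Q_{ID}, P_{pub})^{-u} = e(r_2 P + u D_{ID}, P)\, e(Q_{ID}, sP)^{-u} = e(P,P)^{r_2}\, e(Q_{ID}, P)^{us}\, e(Q_{ID}, P)^{-us} = e(P,P)^{r_2}$$

So the verifier rebuilds exactly the string (m || ID || PK_ID || r_1 P || e(P,P)^{r_2}) that the signer hashed, and u matches. Because v binds x_ID through PK_ID and W binds D_ID through P_pub, a signature that used the wrong secret value or the wrong partial private key yields a different string and a mismatching u.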
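An added worked example implementing both Scheme I and Scheme II end to end (Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Public-Key, Sign, Verify). This is not code from the paper or from the presenter. It assumes a constructed toy model of the bilinear groups: an element aP of G_1 is stored as the scalar a mod p, an element of G_T as the exponent of e(P,P), and e(aP, bP) = e(P,P)^{ab}. That model reproduces the group algebra exactly, so it lets a reader check that both verification equations hold and that they fail when the wrong D_ID or a replaced public key is used, but it provides no security at all (discrete logarithms are trivial in it); the hash functions, identities and messages are likewise constructed for the example.

```python
"""Toy algebraic model of Scheme I and Scheme II (constructed example).

ASSUMPTION: G1 is modelled by Z_p (the element aP is stored as the scalar a),
GT by exponents of e(P,P) in Z_p, and e(aP, bP) = e(P,P)^{ab}. This reproduces
the bilinear-group algebra exactly, so it checks that both verification
equations hold, but it gives NO security: discrete logs are trivial here.
A real deployment needs a pairing library over a suitable curve."""
import hashlib
import secrets

p = 2**127 - 1          # prime group order (a Mersenne prime), so p >= 2^k for k = 127


def _h(tag: bytes, *parts: bytes) -> int:
    """Hash a tagged, length-prefixed concatenation of parts onto Z_p."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % p


class G1:
    """Element aP of the additive group G1, stored as a mod p."""
    def __init__(self, a): self.a = a % p
    def __add__(self, o): return G1(self.a + o.a)
    def __sub__(self, o): return G1(self.a - o.a)
    def __rmul__(self, k): return G1(k * self.a)        # scalar multiple kQ
    def __eq__(self, o): return self.a == o.a
    def to_bytes(self): return self.a.to_bytes(16, "big")


class GT:
    """Element e(P,P)^t of the multiplicative group GT, stored as t mod p."""
    def __init__(self, t): self.t = t % p
    def __mul__(self, o): return GT(self.t + o.t)       # group multiplication
    def __pow__(self, k): return GT(self.t * k)         # exponentiation, k may be negative
    def __eq__(self, o): return self.t == o.t
    def to_bytes(self): return self.t.to_bytes(16, "big")


P = G1(1)                                               # generator of G1


def e(Q, R):
    """Bilinear map: e(aP, bP) = e(P,P)^{ab}."""
    return GT(Q.a * R.a)


def H0(ID): return G1(_h(b"H0", ID))                    # H0 : {0,1}* -> G1
def H1_G1(*parts): return G1(_h(b"H1", *parts))         # Scheme I  H1 : {0,1}* -> G1
def H1_Zp(*parts): return _h(b"H1", *parts) or 1        # Scheme II H1 : {0,1}* -> Z_p^*


# Algorithms shared by both schemes (KGC side and user side)
def setup():
    s = secrets.randbelow(p - 1) + 1
    return s, s * P                                     # msk = s, Ppub = sP

def partial_private_key_extract(s, ID):
    return s * H0(ID)                                   # D_ID = s * Q_ID

def set_secret_value():
    return secrets.randbelow(p - 1) + 1                 # x_ID in Z_p^*

def set_public_key(x):
    return x * P                                        # PK_ID = x_ID * P


# Scheme I: sigma = D_ID + x_ID * H1(m || ID || PK_ID)
def sign1(m, ID, x, D, PK):
    return D + x * H1_G1(m, ID, PK.to_bytes())

def verify1(m, sigma, ID, PK, Ppub):
    return e(sigma, P) == e(H0(ID), Ppub) * e(PK, H1_G1(m, ID, PK.to_bytes()))


# Scheme II: (u, v, W) with u = H1(m || ID || PK || r1 P || e(P,P)^r2)
def sign2(m, ID, x, D, PK):
    r1, r2 = secrets.randbelow(p), secrets.randbelow(p)
    u = H1_Zp(m, ID, PK.to_bytes(), (r1 * P).to_bytes(), (e(P, P) ** r2).to_bytes())
    v = (r1 + u * x) % p
    W = r2 * P + u * D
    return u, v, W

def verify2(m, sig, ID, PK, Ppub):
    u, v, W = sig
    R1 = v * P - u * PK                                 # recovers r1 P
    T = e(W, P) * e(H0(ID), Ppub) ** (-u)               # recovers e(P,P)^r2
    return u == H1_Zp(m, ID, PK.to_bytes(), R1.to_bytes(), T.to_bytes())


def demo():
    """Honest signatures verify; signatures under the wrong key material do not."""
    s, Ppub = setup()
    ID, m = b"alice@example.org", b"constructed sample message"      # constructed inputs
    D = partial_private_key_extract(s, ID)
    x = set_secret_value(); PK = set_public_key(x)
    ok1 = verify1(m, sign1(m, ID, x, D, PK), ID, PK, Ppub)
    ok2 = verify2(m, sign2(m, ID, x, D, PK), ID, PK, Ppub)
    # Both secrets are needed: a signature made with another user's D_ID fails,
    # and a signature under PK does not verify under a replaced key PK'.
    D_other = partial_private_key_extract(s, b"bob@example.org")
    wrong_D = verify1(m, sign1(m, ID, x, D_other, PK), ID, PK, Ppub)
    PK2 = set_public_key(set_secret_value())
    wrong_PK = verify2(m, sign2(m, ID, x, D, PK), ID, PK2, Ppub)
    return ok1, ok2, wrong_D, wrong_PK


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

The two negative results in `demo()` are the defender's view of the security models above: the second failure is the Normal Type I setting (public key replaced, partial private key unknown), the first is the Type II setting (KGC material known, user secret value unknown). Swapping the toy `G1`/`GT` classes for a real pairing library is the only change needed to turn the scheme code into a genuine implementation.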
Security Analysis of Scheme II
Theorem 1.
$$\mathrm{Succ}^{\mathrm{CDH}}_{B,G_1} \;\ge\; \frac{1}{q_{CU}} \left(1-\frac{1}{q_{CU}}\right)^{q_{PPK}} \mathrm{Succ}^{cma,cida}_{A,super}$$
Theorem 2.
$$\mathrm{Succ}^{\mathrm{DL}}_{B,G_1} \;\ge\; \frac{1}{q_{CU}} \left(1-\frac{1}{q_{CU}}\right)^{q_{SV}} \mathrm{Succ}^{cma,cida}_{A,super}$$
Comparison
Conclusion
The first scheme has the shortest signature length compared to any existing CLS scheme in the literature.
The second scheme has lower operation cost but a slightly longer signature length, compared with another concrete scheme at a similar security level.