
多媒體網路安全實驗室 (Multimedia Network Security Laboratory)

Certificateless signature revisited

Date: 2010.6.20
Reporter: Chien-Wen Huang
Authors: Xinyi Huang, Yi Mu, Willy Susilo, Duncan S. Wong, and Wei Wu
Source: ACISP 2007, LNCS 4586, pp. 308–322, 2007
Outline

1. Introduction
2. Certificateless signature
3. Security Models
4. Our Proposed Schemes
5. Comparison
6. Conclusion
Introduction

In a secret-key system:
- a secure channel is needed to transmit the secret key.

In a public-key system:
- each user has a public key and a private key.
ID-PKC (Identity-based public key cryptography)

Parties: Signer (ID), KGC, Verifier.
- The KGC holds the "master" public key and the master private key.
- The signer (ID) requests its private key; the KGC returns the private key derived from the master private key and ID.
- Sign: σ = PH(ID) + H(M, …)
- The verifier uses ID and the PKG's public key to check the signature.
- Assume the KGC is completely trusted!!
CL-PKC (Certificateless public key cryptography)

Parties: Signer (ID), KGC, Verifier.
- The KGC holds the master public key mpk and issues partial private keys.
- The signer (ID) decides its own secret value $x_{ID}$ and its public key PK (computed from $x_{ID}$).
- The signer requests its partial private key; the KGC returns the partial private key for ID.
- Sign: σ = PH(ID) + $x_{ID}$ H(M, …)
- The verifier uses ID, the corresponding PK and the PKG's mpk to verify.
- The key escrow problem is resolved!!
Certificateless signature

Outline of the Certificateless Signature Schemes

- Setup
  input: a security parameter $1^k$
  output: a master-secret key msk, a master-public key mpk, system parameters param.
- Partial-Private-Key-Extract
  input: ID, param, master-secret key msk, master-public key mpk
  output: partial private key $D_{ID}$.
- Set-Secret-Value
  input: master-public key mpk, param.
  output: secret value $x_{ID}$
- Set-Public-Key
  input: master-public key mpk, param, ID and $x_{ID}$
  output: public key $PK_{ID}$
- Sign
  input: mpk, param, ID, $x_{ID}$, $D_{ID}$ and a message M.
  output: a certificateless signature $\sigma$
- Verify
  input: mpk, param, ID, $PK_{ID}$ and a message/signature pair $(M/\sigma)$
  output: true or false
Adversaries and Oracles

- Type I adversary $A_I$: can replace the user's public key $PK_{ID}$, but is not given this user's partial private key $D_{ID}$.
- Type II adversary $A_{II}$: knows the master secret key but cannot replace the target user's public key.
1. Create-User:
   input a query $ID \in \{0,1\}^*$ to obtain $D_{ID}$, $PK_{ID}$, $x_{ID}$; adds $(ID, D_{ID}, x_{ID}, PK_{ID})$ to the list L.
2. Public-Key-Replace:
   input a query $(ID, PK'_{ID})$; replaces user ID's $PK_{ID}$ with $PK'_{ID}$ and updates the list L. (The adversary is not required to provide the secret value $x'_{ID}$ used to generate $PK'_{ID}$.)
3. Secret-Value-Extract:
   input a query ID; the oracle browses the list L and returns $x_{ID}$, the secret value used to generate ID's original public key $PK_{ID}$. It cannot output the secret value associated with a replaced key $PK'_{ID}$.
Security Models

Security Against a Normal Type I Adversary

The attack scenario is as follows:
1. A obtains some pairs $(m_i, \sigma_i)$ generated using the target user's $D_{ID}$ and $x_{ID}$.
2. The target user keeps $x_{ID}$ and $D_{ID}$ secret.
3. A replaces the target user's $PK_{ID}$ and dupes any other third party into verifying the user's signatures using $PK'_{ID}$.
Game for a signature scheme against a Normal Type I adversary:

Phase 1: the challenger runs Setup and returns mpk, param to A.
Phase 2: A can adaptively access all the oracles, including:
- Partial-Private-Key-Extract: input a query ID; the oracle browses the list L and returns $D_{ID}$.
- Normal-Sign: input a query (ID, m); output $\sigma$ such that $\text{true} \leftarrow \text{Verify}(m, \sigma, \text{params}, ID, PK_{ID})$.
Phase 3: after all the queries, A outputs a forgery $(m^*, \sigma^*, ID^*)$. A wins if the forgery satisfies the following requirements:
1. A has never submitted $(ID^*, m^*)$ to the oracle Normal-Sign.
2. A has never submitted $ID^*$ to Partial-Private-Key-Extract or Secret-Value-Extract.
3. $\text{true} \leftarrow \text{Verify}(m^*, \sigma^*, \text{params}, ID^*, PK_{ID^*})$.

- The success probability that A wins the game: $Succ^{cma,cida}_{A,normal}$.
- Definition 1. A scheme is secure against a $(t, q_{CU}, q_{PPK}, q_{PKR}, q_{SV}, q_{NS})$ Normal Type I adversary A if $Succ^{cma,cida}_{A,normal}$ is negligible.
Security Against a Strong Type I Adversary

- A sees some pairs $(m_i, \sigma_i)$ generated by Sign using a secret value sv supplied by A and $D_{ID}$.
- The only difference from the Normal game is the Strong-Sign oracle.
Phase 1: the challenger runs Setup and returns mpk, param to A.
Phase 2: A accesses all the oracles. Strong-Sign: input a query (ID, m, sv):
- if sv = nil, the oracle uses the original secret value $x_{ID}$ and $D_{ID}$ to output $\sigma$;
- otherwise, it uses sv and $D_{ID}$ to generate $\sigma$.
Phase 3: after all the queries, A outputs a forgery $(m^*, \sigma^*, ID^*)$. Let $PK_{ID^*}$ be the current public key in the list L. A wins if the forgery satisfies the following requirements:
1. A has never submitted $(ID^*, m^*, sv)$ to Strong-Sign.
2. A has never submitted $ID^*$ to Partial-Private-Key-Extract.
3. $\text{true} \leftarrow \text{Verify}(m^*, \sigma^*, \text{params}, ID^*, PK_{ID^*})$.

- The success probability that A wins the game: $Succ^{cma,cida}_{A,strong}$.
- Definition 2. A scheme is secure against a $(t, q_{CU}, q_{PPK}, q_{PKR}, q_{SV}, q_{SS})$ Strong Type I adversary A if $Succ^{cma,cida}_{A,strong}$ is negligible.
Security Against a Super Type I Adversary

- A obtains some $(m_i, \sigma_i)$ with $\text{true} \leftarrow \text{Verify}(m_i, \sigma_i, \text{params}, ID, PK_{ID})$.
- This implies there exists a black box that can extract $x_{ID}$ from the public key chosen by A (and uses $x_{ID}$ and $D_{ID}$ to sign).
Phase 1: the challenger runs Setup and returns mpk, param to A.
Phase 2: A accesses all the oracles and the Super-Sign oracle. Super-Sign: input a query (ID, m); output $\sigma$ such that $\text{true} \leftarrow \text{Verify}(m, \sigma, \text{params}, ID, PK_{ID})$, where $PK_{ID}$ is the key returned from Create-User if it has not been replaced; otherwise $PK_{ID} = PK'_{ID}$, the key submitted to Public-Key-Replace.
Phase 3: after all the queries, A outputs a forgery $(m^*, \sigma^*, ID^*)$. Let $PK_{ID^*}$ be the current public key in the list L. A wins if the forgery satisfies the following requirements:
1. A has never submitted $(ID^*, m^*)$ to Super-Sign.
2. A has never submitted $ID^*$ to Partial-Private-Key-Extract.
3. $\text{true} \leftarrow \text{Verify}(m^*, \sigma^*, \text{params}, ID^*, PK_{ID^*})$.

- The success probability that A wins the game: $Succ^{cma,cida}_{A,super}$.
- Definition 3. A scheme is secure against a $(t, q_{CU}, q_{PPK}, q_{PKR}, q_{SV}, q_{SS})$ Super Type I adversary A if $Succ^{cma,cida}_{A,super}$ is negligible.
Type II Adversaries

- Divided, according to the sign oracle available, into Normal (Normal-Sign), Strong (Strong-Sign) and Super (Super-Sign).
Phase 1: the challenger runs Setup and returns mpk, param to A.
Phase 2: A accesses all the oracles (Normal-Sign, …).
Phase 3: after all the queries, A outputs a forgery $(m^*, \sigma^*, ID^*)$. A wins if the forgery satisfies the following requirements:
1. A has never submitted $(ID^*, m^*)$ to the sign oracle.
2. A has never submitted $ID^*$ to the oracle Secret-Value-Extract.
3. $\text{true} \leftarrow \text{Verify}(m^*, \sigma^*, \text{params}, ID^*, PK_{ID^*})$.

- The success probability that A wins the game: $Succ^{cma,cida}_{A}$.
- Definition 4. A scheme is secure against a $(t, q_{CU}, q_{PKR}, q_{SV}, q_{S})$ Type II adversary A if $Succ^{cma,cida}_{A}$ is negligible.

Malicious but Passive KGC Attack
- The KGC, which holds the master secret key, is assumed malicious from the very beginning (at Setup).
- The KGC generates its master public/secret key pair maliciously.
Our Proposed Schemes

Bilinear Groups and Security Assumptions
- $G_1$: an additive group of prime order p.
- $G_T$: a multiplicative group of the same order.
- P is a generator of $G_1$.
- Discrete Logarithm Problem: given $(P, aP) \in G_1$, find a.
- Computational Diffie-Hellman Problem: given elements $(P, aP, bP)$ in $G_1$, find $abP$.
Scheme I
- Secure against a Normal Type I adversary and a Super Type II adversary.

Setup (with $p \ge 2^k$):
1) Let $(G_1, G_T)$ be bilinear groups with $|G_1| = |G_T| = p$.
2) $e: G_1 \times G_1 \to G_T$.
3) $H_0, H_1: \{0,1\}^* \to G_1$.
The KGC sets the system's master public key $P_{pub} = sP$, keeps the master secret key s, and publishes $\{G_1, G_T, p, e, P, H_0, H_1, P_{pub}\}$.

- Partial-Private-Key-Extract: given the user's ID, the KGC computes $Q_{ID} = H_0(ID)$ and sets $D_{ID} = sQ_{ID}$.
- Set-Secret-Value: the user chooses a random number $x_{ID} \in \mathbb{Z}_p^*$.
- Set-Public-Key: given $x_{ID}$, the user computes $PK_{ID} = x_{ID}P$.
- Sign: the user computes $\sigma = D_{ID} + x_{ID} H_1(m \,\|\, ID \,\|\, PK_{ID})$.
- Verify: check $e(\sigma, P) \stackrel{?}{=} e(Q_{ID}, P_{pub})\, e(PK_{ID}, H_1(m \,\|\, ID \,\|\, PK_{ID}))$.
Security Analysis of Scheme I

- Theorem 1.
$$Succ^{CDH}_{B,G_1} \ge \left(1 - \frac{q_{PPK} + q_{SV}}{q_{CU}}\right)\left(1 - \frac{1}{q_{NS}+1}\right)^{q_{NS}} \frac{1}{q_{CU}(q_{NS}+1)}\; Succ^{cma,cida}_{A,normal}$$
- Theorem 2.
$$Succ^{CDH}_{B,G_1} \ge \left(1 - \frac{q_{SV}}{q_{CU}}\right)\left(1 - \frac{1}{q_{SS}+1}\right)^{q_{SS}} \frac{1}{q_{CU}(q_{SS}+1)}\; Succ^{cma,cida}_{A,super}$$
Scheme II
- Secure against a Super Type I and Type II adversary.
- $H_1: \{0,1\}^* \to \mathbb{Z}_p^*$.
- Sign: for a message m, the user picks random $r_1, r_2 \in \mathbb{Z}_p^*$ and computes $\sigma = (u, v, W)$:
  - $u = H_1(m \,\|\, ID \,\|\, PK_{ID} \,\|\, r_1P \,\|\, e(P,P)^{r_2})$
  - $v = r_1 + u\,x_{ID} \pmod p$, $W = r_2P + u\,D_{ID}$
- Verify: given a pair $(m, \sigma = (u, v, W))$ and $PK_{ID}$, anyone checks
  $u \stackrel{?}{=} H_1(m \,\|\, ID \,\|\, PK_{ID} \,\|\, vP - u\,PK_{ID} \,\|\, e(W, P)\, e(Q_{ID}, P_{pub})^{-u})$
  (since $vP - u\,PK_{ID} = r_1P$ and $e(W,P)\,e(Q_{ID},P_{pub})^{-u} = e(P,P)^{r_2}$).
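The Python program below is an added worked example, not code from the paper or from this presentation. It runs the generic certificateless outline (Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Public-Key, Sign, Verify) end to end for both Scheme I and Scheme II. No pairing library is assumed; instead the bilinear groups are a constructed toy: $G_1$ is $(\mathbb{Z}_p, +)$ with $P = 1$, $G_T$ is the order-$p$ subgroup of $\mathbb{Z}_q^*$ with $q = 2p+1$ prime, and $e(aP, bP) = g^{ab}$. That map is genuinely bilinear, so every equation of both schemes can be checked exactly, but discrete logarithms in it are trivial, so it illustrates the algebra only and is not a secure instantiation. The SHA-256-based hashes, the byte encoding of $m \,\|\, ID \,\|\, PK_{ID}$, the sample identity and message, and all function names are assumptions of this example. The `demo` function also exercises the Normal Type I setting from the security model: a party that replaces $PK_{ID}$ with $x'P$ but does not hold $D_{ID}$ cannot produce a verifying Scheme I signature.

```python
import hashlib
import secrets

# Toy bilinear groups, constructed for this example (not the paper's groups, and NOT
# secure: discrete logs in this G1 are trivial).  G1 = (Z_p, +) with generator P = 1,
# so the point aP is represented by the integer a mod p.  GT is the order-p subgroup
# of Z_q^* with q = 2p + 1 prime, generated by g = 4 (a quadratic residue), and
# e(aP, bP) = g^(ab) mod q is a genuine symmetric bilinear map.

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# smallest ~20-bit Sophie Germain prime: p and 2p + 1 both prime
p = next(c for c in range(1 << 20, 1 << 21) if _is_prime(c) and _is_prime(2 * c + 1))
q = 2 * p + 1
g = 4
P = 1

def e(a, b):
    """Pairing e(aP, bP) = g^(ab) in GT."""
    return pow(g, (a * b) % p, q)

def _hash_to_zp(tag, data):
    """Hash to Z_p^*; used for H0 (into G1, as a multiple of P) and H1 (G1 or Z_p^*)."""
    return 1 + int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % (p - 1)

def H0(data):
    return _hash_to_zp(b"H0|", data)

def H1(data):
    return _hash_to_zp(b"H1|", data)

def enc(*parts):
    """Unambiguous byte encoding of m || ID || PK_ID || ... (assumption of this example)."""
    return b"|".join(x if isinstance(x, bytes) else str(x).encode() for x in parts)

# Algorithms shared by both schemes (the generic CLS outline)
def setup():
    s = secrets.randbelow(p - 1) + 1
    return s, (s * P) % p                 # msk = s, Ppub = sP

def partial_private_key_extract(s, ID):
    return (s * H0(ID)) % p               # D_ID = s * Q_ID, needs the master secret

def set_secret_value():
    return secrets.randbelow(p - 1) + 1   # x_ID, chosen by the user, never sent to the KGC

def set_public_key(x):
    return (x * P) % p                    # PK_ID = x_ID * P, no certificate involved

# Scheme I: sigma = D_ID + x_ID * H1(m || ID || PK_ID), a single G1 element
def sign1(D, x, ID, PK, m):
    return (D + x * H1(enc(m, ID, PK))) % p

def verify1(Ppub, ID, PK, m, sigma):
    rhs = e(H0(ID), Ppub) * e(PK, H1(enc(m, ID, PK))) % q
    return e(sigma, P) == rhs

# Scheme II: sigma = (u, v, W); the pairing is needed only by the verifier
def sign2(D, x, ID, PK, m):
    r1 = secrets.randbelow(p - 1) + 1
    r2 = secrets.randbelow(p - 1) + 1
    u = H1(enc(m, ID, PK, (r1 * P) % p, pow(e(P, P), r2, q)))
    v = (r1 + u * x) % p
    W = (r2 * P + u * D) % p
    return u, v, W

def verify2(Ppub, ID, PK, m, sigma):
    u, v, W = sigma
    R = (v * P - u * PK) % p                                  # recovers r1 * P
    T = e(W, P) * pow(e(H0(ID), Ppub), (-u) % p, q) % q       # recovers e(P, P)^r2
    return u == H1(enc(m, ID, PK, R, T))

def demo():
    """Full life cycle for one user; returns the verification outcomes."""
    s, Ppub = setup()
    ID, m = b"alice@example.test", b"constructed message"   # constructed sample input
    D = partial_private_key_extract(s, ID)
    x = set_secret_value()
    PK = set_public_key(x)
    sig1, sig2 = sign1(D, x, ID, PK, m), sign2(D, x, ID, PK, m)
    # Normal Type I setting: the public key is replaced by x'P while D_ID stays secret,
    # so the best one can do with x' alone is x' * H1(...), which does not verify.
    x2 = set_secret_value()
    PK2 = set_public_key(x2)
    no_partial_key = (x2 * H1(enc(m, ID, PK2))) % p
    return {
        "scheme1_ok": verify1(Ppub, ID, PK, m, sig1),
        "scheme1_tampered": verify1(Ppub, ID, PK, m + b"!", sig1),
        "scheme1_replaced_pk": verify1(Ppub, ID, PK2, m, no_partial_key),
        "scheme2_ok": verify2(Ppub, ID, PK, m, sig2),
        "scheme2_tampered": verify2(Ppub, ID, PK, m + b"!", sig2),
    }

if __name__ == "__main__":
    print(demo())
```

Running the file prints the dictionary of outcomes: `scheme1_ok` and `scheme2_ok` are True, the tampered-message and replaced-key checks are False. The exponent $-u$ in Scheme II's verification is taken as $(-u) \bmod p$ because $e(Q_{ID}, P_{pub})$ lies in a group of order $p$; the replaced-key check fails deterministically because the missing term $e(Q_{ID}, P_{pub}) = e(D_{ID}, P)$ is never the identity.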
Security Analysis of Scheme II

- Theorem 1.
$$Succ^{CDH}_{B,G_1} \ge \frac{1}{q_{CU}}\left(1 - \frac{q_{PPK}}{q_{CU}}\right) Succ^{cma,cida}_{A,super}$$
- Theorem 2.
$$Succ^{DL}_{B,G_1} \ge \frac{1}{q_{CU}}\left(1 - \frac{q_{SV}}{q_{CU}}\right) Succ^{cma,cida}_{A,super}$$
Comparison
Conclusion

- The first scheme has the shortest signature length compared to any existing CLS scheme in the literature.
- The second scheme has a lower operation cost but a slightly longer signature length, compared with another concrete scheme of similar security level.