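A Concrete Certificateless Signature Scheme without Pairings
2009 International Conference on Multimedia Information Networking and Security
Authors: Aijun Ge, Shaozhen Chen, Anna Lauks
Advisers: Professors 鄭錦楸, 郭文中
Reporter: 林彥宏
Most certificateless signature schemes are built on bilinear pairings over elliptic curves and are therefore relatively costly. This paper proposes a new certificateless signature scheme that does not use pairings and is computationally more efficient. It also gives a security proof in the random oracle model.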
INTRODUCTION
Certificateless Public Key Cryptography - Al-Riyami, S.S., Paterson, K.G., ASIACRYPT 2003. LNCS, vol. 2894
Goal: find a public key system that does not use certificates and does not have the key escrow problem
Key Generating Center (KGC), who holds a master key
Most certificateless cryptography schemes are based on bilinear mappings on elliptic curves
Heavy computational cost
INTRODUCTION
Certificateless Public Key Encryption without Pairing - Baek, J., Safavi-Naini, R., Susilo, ISC 2005. LNCS, vol. 3650, pp. 134-148.
First scheme without bilinear mappings
Strongly Secure Certificateless Public Key Encryption Without Pairing - Sun, Y.X., Zhang, F.T., Baek, CANS 2007, LNCS, vol. 4856, pp. 194-208.
More computationally efficient
In this paper, we present the first concrete efficient certificateless signature scheme without pairings, and prove its security in the random oracle model.
PRELIMINARIES
Setup(k).
Input: security parameter k
Output: master secret key msk; master public key mpk; list of public system parameters params.
Partial-Key-Extract(params, ID, msk).
Input: user's identity ID
Output: partial private key $D_{ID}$; partial public key $P_{ID}$.
Set-Secret-Value(params, mpk).
Output: secret value $s_{ID}$.
PRELIMINARIES
Set-Public-Key(params, mpk, ID, $P_{ID}$, $s_{ID}$).
Output: public key $PK_{ID}$.
Set-Private-Key(params, $D_{ID}$, $s_{ID}$).
Output: private key $SK_{ID}$.
Sign(params, mpk, ID, $SK_{ID}$, m).
Output: certificateless signature $\sigma$.
Verify(params, mpk, ID, $PK_{ID}$, m, $\sigma$).
Correctness: Verify(params, mpk, ID, $PK_{ID}$, m, Sign(params, mpk, ID, $SK_{ID}$, m)) = valid.
PRELIMINARIES
Because the scheme is certificateless, a user's public key cannot be authenticated, so two types of adversary must be considered.
Type I: adversary $A_I$ can replace any user's public key but does not have the partial private key. It can obtain some message/signature pairs that are valid under the public key chosen by itself.
Type II: adversary $A_{II}$ simulates a dishonest KGC who has knowledge of the master secret key but is not allowed to replace the target user's public key.
Definition: The security of our certificateless signature scheme can be reduced to the hardness of the discrete logarithm problem.
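THE PROPOSED SCHEME
Setup:
security parameter k
primes p, q, where $p, q > 2^{k}$ and $q \mid (p-1)$
secret key x, public key $y = g^{x} \pmod p$
$H_1: \{0,1\}^* \times \mathbb{Z}_p^* \to \mathbb{Z}_q^*$
$H_2: \{0,1\}^* \times \mathbb{Z}_p^* \times \mathbb{Z}_p^* \to \mathbb{Z}_q^*$
$H_3: \{0,1\}^* \times \{0,1\}^* \times (\mathbb{Z}_p^*)^4 \times \mathbb{Z}_q^* \times \mathbb{Z}_p^* \to \mathbb{Z}_q^*$
system parameters params = $(p, q, g, G, y, H_1, H_2, H_3)$.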
THE PROPOSED SCHEME
Partial-Key-Extract:
user's identity ID
picks $s_0, s_1$ and computes $p_0 = g^{s_0} \pmod p$ and $p_1 = g^{s_1} \pmod p$
$d_0 = s_0 + x \cdot H_1(ID, p_0) \pmod q$
$d_1 = s_1 + x \cdot H_2(ID, p_0, p_1) \pmod q$
partial private key $D_{ID} = d_0$, partial public key $P_{ID} = (p_0, p_1, d_1)$.
Algorithms Setup and Partial-Key-Extract are executed by the KGC.
The user checks $g^{d_0} = p_0 \cdot y^{H_1(ID, p_0)} \pmod p$ and $g^{d_1} = p_1 \cdot y^{H_2(ID, p_0, p_1)} \pmod p$.
THE PROPOSED SCHEME
Set-Secret-Value:
pick z at random
set $s_{ID} = z$ as the user's secret value
Set-Private-Key:
user's full private key $SK_{ID} = (D_{ID}, s_{ID}) = (d_0, z)$.
Set-Public-Key:
$\mu = g^{z} \pmod p$
user's full public key $PK_{ID} = (P_{ID}, \mu) = (p_0, p_1, d_1, \mu)$.
THE PROPOSED SCHEME
Sign:
randomly selects $r, r'$ and calculates $c = g^{r} \pmod p$, $c' = g^{r'} \pmod p$
$u = H_3(m, ID, c, c', PK_{ID})$
calculates $v = r - uz \pmod q$ and $w = r' - u d_0 \pmod q$
the signature on the message m is $\sigma = (u, v, w)$.
Verify:
$g^{d_1} = p_1 \cdot y^{H_2(ID, p_0, p_1)} \pmod p$
$u = H_3(m, ID, g^{v}\mu^{u}, g^{w}(p_0 \cdot y^{H_1(ID, p_0)})^{u}, PK_{ID})$