A New Provably Secure Certificateless Signature Scheme
Date: 2010.3.16
Reporter: Chien-Wen Huang
Source: 2008 IEEE International Conference on Communications (ICC 2008), vol. 4
Outline: INTRODUCTION, PRELIMINARIES, OUR CERTIFICATELESS SIGNATURE SCHEME, SECURITY PROOF, CONCLUSIONS
INTRODUCTION
Identity-based public key cryptography (ID-PKC) was first introduced by Shamir in 1984. It has the key escrow problem.
Certificateless public key cryptography (CL-PKC):
Al-Riyami et al., “Certificateless public key cryptography.” Asiacrypt 2003, LNCS.
Huang et al. [9], “Certificateless signature revisited.” ACISP 2007, LNCS.
Zhang et al. [17], “Certificateless public-key signature: security model and efficient construction.” ACNS 2006, LNCS.
INTRODUCTION
Related Works: Type I/II Adversary
Normal: under the original public key from the target signer.
Strong: under the replaced public key (the adversary supplies the secret value corresponding to the replaced public key).
Super: under the public key chosen by himself, without supplying the secret value corresponding to the public key.
There are only a few CLS schemes [9], [17] secure against a super Type I/II adversary.
INTRODUCTION
Our Contribution:
The CLS (certificateless signature) scheme requires only two pairing operations.
The signature length of the new scheme is 2/3 of that of Huang et al.’s scheme.
Super Type I/II adversary: proved secure in the strongest security model of CLS.
PRELIMINARIES
A. Bilinear Maps
Let G1 be an additive group of prime order q. Let G2 be a multiplicative group of the same order.
Bilinear:
Non-degeneracy:
Computable: There exists an efficient algorithm to compute
PRELIMINARIES
B. Framework of Certificateless Signature Schemes
Setup. Input: a security parameter l. Output: a master-key and system parameters params.
Partial-Private-Key-Extract. Input: ID, params, master-key. Output: user’s partial private key .
Set-Secret-Value. Input: ID, params. Output: user’s secret value
Set-Public-Key. Input: ID, params, . Output: public key
Sign accepts (params, , ID, , , ) to produce a signature on message .
Verify ( , , params, ID, ) checks whether the signature is valid or not.
PRELIMINARIES
C. Adversarial Model of Certificateless Signature Schemes
Defined by the following two games between a challenger C and an adversary AI or AII.
Game 1 (for Type I Adversary)
Setup: C runs the Setup algorithm. Input: a security parameter l. Obtains: a master-key and system parameters params.
PRELIMINARIES
Attack:
Partial-Private-Key Queries PPK( ). AI requests: the partial private key of any user’s identity . C outputs: the partial private key
Public-Key Queries PK( ). AI requests: the public key of a user’s identity . C outputs: the public key
Secret-Value Queries SV( ). AI requests: the secret value of a user’s identity . C outputs: the secret value (if PK replaced, output ⊥)
Public-Key-Replacement Queries PKR( , ). AI can choose a new public key as the public key of this user. C will record this replacement.
Sign Queries S( ). On receiving a query S( ), C generates a signature (AI need not supply the secret value).
Forgery: AI outputs is a valid signature on under and
AI has never requested the Partial-Private-Key (of user’s )
S( ) has never been submitted
Then AI wins.
PRELIMINARIES
Game 2 (for Type II Adversary)
Setup: C runs the Setup algorithm. Input: a security parameter l. Obtains: a master-key and system parameters params.
Attack:
Public-Key Queries PK( ). AII requests: the public key of a user’s identity . C outputs: the public key
Secret-Value Queries SV( ). AII chooses a user and requests the secret value. C outputs: the secret value (if PK replaced, output ⊥)
Public-Key-Replacement Queries PKR( , ). AII can choose a new public key as the public key of this user.
Sign Queries S( ). On receiving a query S( ), C replies with a signature (AII need not supply the secret value).
Forgery: AII outputs is a valid signature on under and
AII has never requested the Secret-Value (of user’s )
AII has not requested a PKR query on
S( ) has never been queried
Then AII wins.
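The bookkeeping a challenger needs for the two games above, as an added example that is not taken from the slides or the paper: it records the PPK, SV, PKR and S queries and decides whether a valid forgery would count as a win for a Type I or Type II adversary. Assumptions: keys and signatures are constructed string labels (no pairing arithmetic is done), a Sign query is recorded as (identity, message, current public key), and the class and method names are hypothetical.

```python
BOTTOM = None  # stands for the ⊥ answer of the SV oracle

class Challenger:
    """Query bookkeeping for C in Game 1 / Game 2 (values are constructed labels)."""

    def __init__(self):
        self.ppk_asked = set()    # identities queried to PPK
        self.sv_asked = set()     # identities queried to SV
        self.replaced = set()     # identities whose key was replaced via PKR
        self.signed = set()       # (identity, message, public key) sent to S
        self.public = {}          # identity -> current public key label

    def pk(self, ident):
        return self.public.setdefault(ident, "P_" + ident)

    def ppk(self, ident):
        self.ppk_asked.add(ident)
        return "D_" + ident

    def sv(self, ident):
        self.sv_asked.add(ident)
        # Once the key is replaced, C no longer knows a matching secret value.
        return BOTTOM if ident in self.replaced else "x_" + ident

    def pkr(self, ident, new_pk):
        self.public[ident] = new_pk   # C records the replacement
        self.replaced.add(ident)

    def sign(self, ident, message):
        # Super adversary: C signs under the current (possibly replaced) key
        # without being given the corresponding secret value.
        key = self.pk(ident)
        self.signed.add((ident, message, key))
        return ("sig", ident, message, key)

    def admissible(self, adv_type, ident, message):
        """Would a valid forgery on (ident, message) count as a win?"""
        if (ident, message, self.pk(ident)) in self.signed:
            return False          # S(...) was already submitted
        if adv_type == "I":
            return ident not in self.ppk_asked
        if adv_type == "II":
            return ident not in self.sv_asked and ident not in self.replaced
        raise ValueError("adv_type must be 'I' or 'II'")
```
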
OUR CERTIFICATELESS SIGNATURE SCHEME
A. An Efficient Construction
Setup: Given a security parameter l, chooses a master-key and sets , , params= ,
Partial-Private-Key-Extract. Input: params, master-key , . Computes . Outputs: user’s partial private key
Set-Secret-Value. Input: params, . Output: as the user’s secret value.
Set-Public-Key. Input: params, , . Output: the user’s public key
Sign. Input: . Choose a random , compute . Compute . Output on .
Verify: To verify a signature on a message for an identity and public key :
1. Compute ,
2. Verify
OUR CERTIFICATELESS SIGNATURE SCHEME
B. Comparison
P: a pairing operation.
S: a scalar multiplication in G1.
H: a MapToPoint hash operation.
E: an exponentiation in G2.
SL: signature length.
PKL: public key length.
P1: the length of a point in G1.
Z1: the length of a point in
SECURITY PROOF
Theorem: The scheme is unforgeable against a super Type I/II adversary in the random oracle model (assuming the CDH problem is intractable).
Type I proof: Let C be a CDH attacker who receives a random instance (P, aP, bP) and has to compute the value of abP. (C can use AI to solve the CDH problem.)
C sets PT = aP and gives params = (G1, G2, e, P, PT, H1, H2, H3) to AI.
H1 Queries: AI can make at most qH1 H1 queries; C chooses J ∈ [1, qH1]. C maintains an initially empty list H1 of tuples (IDj, αj, Qj). On receiving a new query H1(IDi||P):
If i = J, set Qi = bP, add (IDi, ⊥, Qi) to H1 and return Qi as answer.
Otherwise, pick at random, set , add (IDi, αi, Qi) to H1 and return Qi as answer.
H2 Queries: C keeps an initially empty list H2 of tuples ( ). AI issues a query ( ) to H2. If the query is new, C selects a random , adds ( ) to H2 and returns as answer.
H3 Queries: AI issues a query ( ) to H3. For a new query, C selects a random , adds ( ) to H2 and returns as answer.
Partial-Private-Key Queries: C keeps an initially empty list K of tuples ( ). Whenever AI issues a query PPK( ), if the query is new, C does the following.
If , abort.
Else if there’s a tuple ( ) on K:
If ( ) is on H1, set and return as answer.
Otherwise, first make an H1 query on (IDi||P) to generate ( ), then set and return as answer.
Otherwise, do the following.
If a tuple ( ) is on H1, compute , set , return as answer and add ( ) to K.
Else, generate the tuple ( ) to simulate the random oracle H1, in the same way as in a).
Public-Key Queries: On receiving a query PK(IDi), the current public key from K will be given. Otherwise, C does as follows.
If a tuple ( ) is on K, choose , compute , return as answer and update to ( ).
Otherwise, choose , set , and add the tuple to K.
Secret-Value Queries: On receiving a query SV( ), if the public key has been replaced, C returns . Otherwise, if a tuple ( ) is on K, C returns as answer; else, C first makes PK( ), then returns as answer.
Public-Key-Replacement Queries: AI chooses a new public key for the user’s identity ( ). On receiving a query PKR( , ), C first finds the tuple ( ) on K, then C updates to .
Sign Queries: On receiving a Sign query S( ), where denotes the public key chosen by AI, C generates the signature as follows.
Choose , set
Set ,
Compute and output
Forgery: Finally, AI returns a successful forgery . If , C aborts.
Type II proof: Let C be a CDH attacker who receives a random instance (P, aP, bP) and has to compute the value of abP. (C can use AI to solve the CDH problem.)
C sets PT = aP and gives params = (G1, G2, e, P, PT, H1, H2, H3) to AI.
Public-Key Queries: C keeps an initially empty list K of tuples (IDj, xj, Pj). For a new query, if , C returns as answer and adds to K; else, C picks , computes , adds to K and returns .
Secret-Value Queries: On receiving a query SV( ), if the public key of has been replaced, C returns ⊥; otherwise, if , C aborts; else if a tuple is on K, C returns as answer; else, C first makes PK( ), then recovers the tuple from K and returns .
Public-Key-Replacement Queries: AII can choose a new public key for the user’s identity . On receiving a query PKR( ), if , C aborts; otherwise, C finds the tuple on K and updates to .
CONCLUSIONS
Only two pairing operations are required in signing and verification.
It is more efficient than the other CLS schemes achieving the same security level.