1 A new identity based proxy signature scheme Source: E print Author: Bin Wang Presenter: 林志鴻

2 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

3 Introduction 1.Full delegation 2.Partial delegation 3.Delegation by warrant Alice Bob 1.SK of Alice 2.PPK 3.delegation

4 Introduction(cont.)  Verifiability  Unforgeability  Strong identifiability  Undeniability  Prevention of misuse

5 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

6 Preliminaries  Bilinear Pairing  Compurarional Diffie-Hellman  Proxy key exposure attack

7 Bilinear Pairing  e : G 1 × G 1 → G 2  Bilinearity  Non-degeneracy  Computability

8 Compurarional Diffie-Hellman  CDH problem on G 1 ︰ given P, aP, bP ∈ G 1 compute abP  (t,ε)-CDH solver ︰ 擁有不可忽視的 ε 在執行演算法 t 次內解開問 題

9 Proxy key exposure attack  由於代簽常用於有潛在威脅的環境故不應假 設傳送代簽金鑰的管道是安全的  Xu et al.’s scheme 中  可由下式算出代理者私鑰

10 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

11 Proposed Scheme  MasterKeyGen  UserKeyGen  Sign  Verf  ProxyKeyGen  Proxy_Sign  Proxy_Verf  IDP

12 Proposed Scheme (cont.)  MasterKeyGen : 設定 k 為安全參數 G 1 and G 2 ( 由 P 產生 prime order q ) e : G 1 × G 1 → G 2 隨機選取 master key s ∈ Z ∗ q 並設定 key pair = 選擇三個 hash functions H 1 : {0, 1} ∗ → G 1 H 2 : {0, 1} ∗ × G 1 → G 1 H 3 : {0, 1} ∗ × G 1 → G 1 Params =

13 Proposed Scheme (cont.)  UserKeyGen : 給一使用者 ID i, 計算 Q i =H 1 (ID i ) 及 sk i = msk ． Q i  Sign : 對訊息 m 簽章 1. 隨機選取 k i ∈ Z ∗ q K i =k i ． P 2. 計算 V i =H 2 (ID i,m,K i ), U i =k i ． V i +Sk i 3. σ=  Verf : 取 mpk,ID i,m 來確認 σ 之正確性 計算 V i =H 2 (ID i,m,K i ) 驗證等式 e(U i, P) = e(V i, K i ) ． e(Q i, mpk) where Q i =H 1 (ID i )

14 Proposed Scheme (cont.)  ProxyKeyGen : m w = warrant σ’ = Sign(ID i,Sk i,m w ) = ID j 取得 驗證 Verf(mpk,ID i,m w,σ’)=1 驗證失敗則重新要求 m w 合法簽章 代簽金鑰 psk [i→j] =

15 Proposed Scheme (cont.)  Proxy_Sign : 隨機選取 k j ∈ Z ∗ q K j =k j ． P 計算 V j =H 3 (ID i,ID j,m w,m,(K j +K i ’)) U j =U i ’+Sk j +k j ． V j pσ=

16 Proposed Scheme (cont.)  Proxy_Ver : 取得 m,m w,pσ  驗證 m w 是否有效 2. 計算 V j =H 3 (ID i,ID j,m w,m,(K j +K i ’)) 3.e(U j,P)=e(V i ’,K i ’ ) ． e(V i,K i ) ． e(Q i +Q j,mpk) 驗證成功回傳 1  IDP : 驗證正確性後 回傳 ID j

17 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

18 Efficiency Analysis SchemeProxy Signature Length Proxy signing costProxy signature verification cost Secure against Proxy key exposure (a)Xu et al.’s scheme 3|G1|2Mu+1Ad+1H5P+ExpNo (b)Wu et al.’s scheme 3|G1|4Mu+3Ad+2H5PYes (c)this paper’s scheme 3|G1|2Mu+3Ad+1H4PYes (a) (b) (c) e(U j,P)=e(V i ’,K i ’) ． e(V i,K i ) ． e(Q i +Q j,mpk) Mu: 乘法 Ad: 加法 H :hash

19 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

20 Conclusion  本篇簡化了 ID-Based 代簽的安全模組藉以簡 化了方法與解 CDH 問題難度相關的證明  本篇所提出的方法效能較其他方法高且能 抵抗 proxy key exposure attack