Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Concrete Certificateless Signature Scheme without Pairings

Similar presentations

Presentation on theme: "A Concrete Certificateless Signature Scheme without Pairings"— Presentation transcript:

1 A Concrete Certificateless Signature Scheme without Pairings
2009 International Conference on Multimedia Information Networking and Security Author: Aijun Ge, Shaozhen Chen, Anna Lauks Adviser: 鄭錦楸 ,郭文中 教授 Reporter: 林彥宏 大部份的免憑證簽章法都架構在ECC的雙線性映射環境下,因此也比較耗成本 本論文提出一新的免憑證簽章法不需利用pairing, 計算上會更有效率,此外本論文最後也提出random oracle model 的安全性證明

2 Outline 1 Click to add Title 2 Click to add Title 3 Click to add Title

3 Key Generating Center (KGC), who holds a master key
INTRODUCTION Certificateless Public Key Cryptography -Al-Riyami, S.S., Paterson, K.G., ASIACRYPT LNCS, vol. 2894 find a public key system that does not use certificates does not have the key escrow problem Key Generating Center (KGC), who holds a master key most certificateless cryptography schemes are based on bilinear mappings on elliptic curves Heavy computational cost key escrow 金鑰託管

4 INTRODUCTION Certificateless Public Key Encryption without Pairing. -Baek, J., Safavi-Naini, R., Susilo, ISC LNCS,vol. 3650, pp first without bilinear mappings scheme Strongly Secure Certificateless Public Key Encryption Without Pairing-Sun, Y.X., Zhang, F.T., Baek, CANS 2007, LNCS, vol. 4856, pp more computationally efficient In this paper, we present the first concrete efficient certificateless signature scheme without pairings, and prove its security in the random oracle model.

5 Partial-Key-Extract(params, ID, msk).
PRELIMINARIES Setup(k): Input: secret parameter k Output: master secret key msk ; master public key mpk ; list of public system parameters params. Partial-Key-Extract(params, ID, msk). Input: user’s identity ID Output: partial private key DID ; partial public key PID Set-Secret-Value(params,mpk). Output: secret value sID.

6 Set-Public-Key( params, mpk, ID, PID, sID).
PRELIMINARIES Set-Public-Key( params, mpk, ID, PID, sID). Output: public key PKID . Set-Private-Key(params, DID , sID). Output: private key SKID . Sign(params, mpk, ID, SKID, m). Output: certificateless signature σ. Verify(params, mpk, ID, PKID, m, σ). Verify( params, mpk, ID, PKID, m, Sign(params, mpk, ID, SKID ,m )) = valid.

7 PRELIMINARIES Type I: adversary AI can replace any user’s public key but does not have the partial private key obtain some message/signature pairs which are valid under the public key chosen by itself Type II: adversary AII simulates a dishonest KGC who has the knowledge of the master secret key but is not allowed to replace the target user’s public key. Definition: The security of our certificateless signature scheme can be reduced to the hardness of discrete logarithm problem. 由於是免憑證,因此無法去確認使用者的公鑰,所以要考慮兩種攻擊者

8 THE PROPOSED SCHEME Setup: security parameter k
primes p, q, where p, q > 2k , and q|(p-1) secret key x, public key y=gx (mod p) H1: {0, 1}* ×Zp* → Zq* H2: {0, 1}* ×Zp* ×Zp* → Zq* H3: {0, 1}* ×{0, 1}* (Zp* )4×Zq* ×Zp* → Zq* system parameters params=(p, q, g, G, y, H1, H2, H3).

9 Partial-Key-Extract:
THE PROPOSED SCHEME Partial-Key-Extract: user’s identity ID Picks s0, s1 , p0=gs0 (mod p) and p1=gs1 (mod p) d0=s0+x·H1(ID, p0) (mod q) d1=s1+x·H2(ID, p0, p1) (mod q) partial private key DID = d0, partial public key PID = (p0, p1, d1). Algorithms Setup and Partial-Key-Extract are executed by KGC. user checks gd0=p0·y H1(ID, p0) (mod p) and gd1=p1·y H2(ID, p0, p1) (mod p)

10 THE PROPOSED SCHEME Set-Secret-Value: Set-Private-Key: Set-Public-Key:
pick z at random set sID = z as the user’s secret value Set-Private-Key: user’s full private key SKID = (DID, sID) = (d0, z). Set-Public-Key: μ = gz (mod p). user’s full public key PKID = (PID, μ) = (p0, p1, d1, μ).

randomly selects r, r’ , calculates c = gr (mod p) , c’ = gr’(mod p)) u = H3(m, ID, c, c’, PKID) calculates v = r−uz (mod q) and w = r’ −ud0 (mod q) the signature on the message m is σ = (u, v, w). Verify: gd1 = p1yH2(ID, p0, p1) (mod p) u = H2(m, ID, gvμu, gw(p0y H1(ID, p0) )u, PKID)

12 Thank You !

Download ppt "A Concrete Certificateless Signature Scheme without Pairings"

Similar presentations

Ads by Google