Presentation is loading. Please wait.

Presentation is loading. Please wait.

Certificateless signature revisited

Similar presentations


Presentation on theme: "Certificateless signature revisited"— Presentation transcript:

1 Certificateless signature revisited
Date: Reporter:Chien-Wen Huang Auther:Xinyi Huang,Yi Mu,Willy Susilo,Duncan S. Wong, and Wei Wu 出處:ACISP 2007, LNCS 4586, pp. 308–322, 2007

2 Outline Introduction Certificateless signature Security Models
1 Certificateless signature 2 Security Models 3 Our Proposed Schemes 4 Comparison 3 5 Conclusion 4 6

3 Introduction In secret-key system -use a secure channel to transmit secret key. In public-key system -anyone has public key and private key.

4 ID-PKC(Identity-based public key cryptography)
Signer(ID) KGC “master”public key master-private key Require private-key Sign: σ=PH(ID)+H(M,…) Return master private-key(ID) Assume the KGC completely trusted!! Use ID and PKG’s public key to check Verifier

5 CL-PKC(Certificateless public key cryptography)
Signer(ID) Decide secret value and PK(use ) KGC master public key=mpk partial-private-key Require partial-private-key Sign: σ=PH(ID) H(M,…) Return partial-private-key(ID) the key escrow is resolved!! Use ID,correspounding PK and PKG’s mpk to verify Verifier

6 Certificateless signature
Outline of the Certificateless Signature Schemes Setup input: a security parameter output: a master-secret key msk, master- public key mpk,system parameters param. Partial-Private-Key-Extract input: ID,param,master-secret key msk,master-public key mpk output: partial private key Set-Secret-Value input: master-public key mpk,param. output: secret value

7 Set-Public-Key Sign Verify input: master-public key mpk, param,ID and
output: public key Sign input:mpk, param,ID, , and a message M. output: a certificateless signature Verify input:mpk, param,ID, and a message/signature(M/ ) output: true or false

8 Adversaries and Oracles
:replaces the user’s public key But not given this user’s partial private key :knows the master secret key but cannot replace the target user’s public key.

9 Create-User: Public-Key-Replace: input a query
to obtain , , adds to list L. Public-Key-Replace: input a query replaces user ‘s and updates the list L.(not required to provide to generate )

10 Secret-Value-Extract:
input a query ID,browses the list L and returns (to generate ID’s original public key But it can’t output the secret value associated with the )

11 Security Against a Normal Type I Adversary
Security Models Security Against a Normal Type I Adversary the attack scenarios as follows: obtain some pairs (using target user’s and ) The target user will keep and as secret. replace the target user’s and dupe any other third party to verify user’s signatures(using )

12 a signature scheme against a Normal Type I:
Phase1: challenger runs Setup and returns mpk,param to Phase2: can adaptively access all the oracles Partial-Private-Key-Extract:input a query ID, It browses the list L and returns Normal-Sign: input a query (ID,m). Output

13 Phase3: After all the queries, outputs a forgery
if the forgery satisfies the following requirements: has never submitted to the oracle Normal-Sign. has never submitted to Partial-Private-Key-Extract or Secret-Value-Extract. The success probability wins the games: Definition 1. secure against a Normal Type I adversary and is negligible.

14 Security Against a Strong Type I Adversary
see some pairs are generated by Sign using and the only difference:Strong-Sign. Phase1: challenger runs Setup and returns mpk,param to Phase2: access all the oracles Strong-Sign: input a query -if ,uses original secret value and output -Otherwise,use and to generate

15 Phase3: After all the queries, outputs a forgery .
Let be the current public key in the list L. if the forgery satisfies the following requirements: has never submitted to Strong-Sign. has never submitted to Partial-Private-Key-Extract. The success probability wins the games: Definition 2. secure against a StrongType I adversary and is negligible.

16 Security Against a Super Type I Adversary
obtain some , implies exists a black-box can extract from the public key chosen by (using and to sign). Phsae1: challenger runs Setup and returns mpk,param to Phase2: access all the oracles and Super-Sign oracle. Sign:input a query ,output if PKID=PKID,returned from Create-User ;otherwise,PKID=PK’ID submitted to Public-Key-Replace

17 Phase3:After all the queries, outputs a forgery
Let be the current public key in the list L. if the forgery satisfies the following requirements: has never submitted to Super-Sign. has never submitted to Partial-Private-Key-Extract. The success probability wins the games: Definition 3. secure against a SuperType I adversary and is negligible.

18 Type II Adversaries divided into: Normal(Normal-Sign), Strong(Strong-Sign) and Super(Super-Sign). Phase1:challenger runs Setup and returns mpk,param to Phase2: access all the oracles(Normal-Sign,…) Phase3: After all the queries, outputs a forgery if the forgery satisfies the following requirements: has never submitted to the sign oracle. has never submitted to the oracle Secret-Value-Extract.

19 Malicious but Passive KGC Attack
The success probability wins the games: Definition 4. secure against a Type II adversary and is negligible. Malicious but Passive KGC Attack the KGC holds the master secret key is assumed malicious(at the very beginning of the Setup.) KGC generate his master public/secret key pair maliciously.

20 Bilinear Groups and Security Assumptions
Our Proposed Schemes Bilinear Groups and Security Assumptions :an additive group of prime order :a multiplicative group of the same order. is a generator in Discrete Logarithm Problem: Given ,find Computational Diffie-Hellman Problem: Given elements in ,find

21 Scheme I against a Normal Type I adversary and Super Type II adversary. Setup: Let be be bilinear groups.( ) KGC sets system’s master public key , master secret key and publishes p ≥ 2k

22 Partial-Private-Key-Extract:Given user’s ID, KGC computes . .then set
Set-Secret-Value:user chooses a random number Set-Public-Key:Given user compute Sign: the user computes Verify:

23 Security Analysis of Scheme I
Theorem 1. Theorem 2.

24 Scheme II against a Super Type I and Type II adversary.
Sign:For a message ,the user computes - Verify: Given a pair and ,anyone check

25 Security Analysis of Scheme II
Theorem 1. Theorem 2.

26 Comparison

27

28 Conclusion The first scheme has the shortest signature length compared to any existing CLS schemes in the literature. The second scheme has lower operation cost but a little longer signature length, compared with another concrete scheme which has the similar security level.

29 Thank You !


Download ppt "Certificateless signature revisited"

Similar presentations


Ads by Google