Presentation is loading. Please wait.

Presentation is loading. Please wait.

A New Provably Secure Certificateless Signature Scheme

Similar presentations


Presentation on theme: "A New Provably Secure Certificateless Signature Scheme"— Presentation transcript:

1 A New Provably Secure Certificateless Signature Scheme
Date: Reporter:Chien-Wen Huang 出處:2008 IEEE International Conference on Communications (ICC 2008),vol.4

2 Outline INTRODUCTION PERLIMINARIES
OUR CERTIFICATELESS SIGNATURE SCHEME SECURITY PROOF CONCLUSIONS

3 INTRODUCTION Identity-based public key cryptography(ID- PKC)
was first introduced by Shamir in 1984. Have the key escrow problem. Certificateless public key cryptography(CL- PKC) Al-Riyami et al.“Certificateless public key cryptography. ”Asiacrypt2003,LNCS. Huang et al.[9]“Certificateless signature revisited. ”ACISP 2007, LNCS. Zhang et al.[17]“Certificateless public-key signature: security model and efficient construction.”ACNS 2006, LNCS.

4 INTRODUCTION Related Works Type I/II Adversary-
Normal: under the original public key from the target signer. Strong: under the replaced public key.(supply the secret value corresponding to the replaced public key)

5 INTRODUCTION Super:under the public key chosen by himself without supplying the secret value corresponding to the public key. there are only a few CLS schemes secure[9],[17] against a super type I/II adversary.

6 INTRODUCTION Our Contribution:
the CLS(certificateless signature) scheme requires only two pairing operations. The signature length of new scheme is 2/3 of Huang et al’s scheme. super Type I/II adversary- proved secure in the strongest security model of CLS.

7 PERLIMINARIES A. Bilinear Maps
Let G1 be an additive group of prime order q. Let G2 be a multiplicative group of the same order. Bilinear: Non-degeneracy: Computable: There exists an efficient algorithm to compute

8 PERLIMINARIES B. Framework of Certificateless Signature Schemes Setup
input: a security parameter l output: a master-key,system parameters params. Partial-Private-Key-Extract input: ID,params,master-key output: user’s partial private key Set-Secret-Value input: ID,params output: user’s secret value

9 PERLIMINARIES Set-Public-Key Sign Verify ( , ,params,ID, )
input: ID,params, output: public key Sign accepts(params, ,ID, , , )to produce a signature on message Verify ( , ,params,ID, ) if the signature is valid or not.

10 PERLIMINARIES C.Adversarial Model of Certificateless Signature Schemes
the following two games between a challenger C and an adversary AI or AII . Game 1 (for Type I Adversary) Setup:C runs the Setup algorithm Input: a security parameter l obtain:a master-key,system parameters params

11 PERLIMINARIES Attack: Partial-Private-Key Queries PPK( )
AI request: the partial private key of any user’s identity C output: the partial private key Public-Key Queries PK( ) AI request: the public key of a user’s identity C output: the public key Secret-Value Queries SV( ) AI request:the secret value of a user’s identity C output:the secret value (if PK replaced,output )

12 PERLIMINARIES Public-Key-Replacement Queries PKR( , )
AI can choose a new public key as the public key of this user.C will record this replacement. Sign Queries S( ) On receiving a query S( ),C generates a signature (AI need not supply the secret value) Forgery:AI outputs is a valid signature on under and AI has never requested the Partial-Private-Key(of user’s ) S( )has never been submitted WIN!!

13 PERLIMINARIES Game 2 (for Type II Adversary )
Setup:C runs the Setup algorithm Input: a security parameter l obtain:a master-key,system parameters params Attack: Public-Key Queries PK( ) AII request: the public key of a user’s identity C output: the public key Secret-Value Queries SV( ) AII choose a user and request the secret value C output:the secret value (if PK replaced,output )

14 PERLIMINARIES Public-Key-Replacement Queries PKR( , )
AII can choose a new public key as the public key of this user. Sign Queries S( ) On receiving a query S( ),C replies a signature (AII need not supply the secret value) Forgery: AII outputs is a valid signature on under and AII has never requested the Secret-Value (of user’s ) AII has not requested PKR query on S( )has never been queried WIN!!

15 OUR CERTIFICATELESS SIGNATURE SCHEME
A. An Efficient Construction Setup Given a security parameter l, chooses a master-key and set , , params= , Partial-Private-Key-Extract input: params,master-key , Computes Outputs:users partial private key

16 OUR CERTIFICATELESS SIGNATURE SCHEME
Set-Secret-Value input: params, output: as the users secret value. Set-Public-Key input: params, , output: the user’s public key Sign input: Choose a random ,compute Compute Output on

17 OUR CERTIFICATELESS SIGNATURE SCHEME
Verify To verify a signature on a message for an identity and public key Compute , 2. Verify

18 OUR CERTIFICATELESS SIGNATURE SCHEME
B. Comparison P: pairing operation. S: a scalar multiplication in G1. H: a MapToPoint hash operation. E: an exponentiation in G2. SL:signature length. PKL:signature length. P1:the length of a point in G1. Z1:the length of a point in

19 SECURITY PROOF Theorem :unforgeable against a super typeI/II adversary in the random oracle model(CDH problem is intractable.) TypeI proof: Let C be a CDH attacker who receives a random instance (P,aP,bP) and to compute the value of abP.( C can use AI to solve the CDH problem.) C sets PT = aP,selects params=(G1,G2, e, P, PT,H1,H2,H3) to AI. H1 Queries:AI can make at most qH1 times H1 queries,C chooses J∈[1,qH1].C maintains an initially empty list H1 of tuples(IDj,αj,Qj).On receiving a new query H1(IDi||P), If i = J, set Qi = bP ,add(IDi,⊥,Qi)to H1 and return Qi as answer. Otherwise ,pick at random,set ,add (IDi,αi,Qi)to H1 and return Qi as answer.

20 H2 Queries: C keeps an initially empty list H2 of tuples( )
H2 Queries: C keeps an initially empty list H2 of tuples( ).AI issues a query( )to H2,If the query is new,C selects a random adds( )to H2 and returns as answer. H3 Queries: AI issues a query( )to H3,for a new query,C selects a random adds( )to H2 and returns as answer. Partial-Private-Key Queries: C keeps an initially empty list K of tuples( ).Whenever AI issues a query PPK( ).If the query is new,C does the following. If ,abort. Else if there’s a tuple( ) on K If( )on H1,set and return as answer. Otherwise,first make an H1 query on(IDi||P), to generate( ),then set and return as answer.

21 Otherwise,do the following.
If a tuple( ) on H1,compute ,set ,return as answer and add ( )to K. Else,generate the tuple( )to simulates the random oracle H1,after the same way as a). Public-Key Queries: receiving a query PK(IDi),the current public key from K will be given.Otherwise,C does as follows. If a tuple ( )on K,choose ,compute ,return as answer and update to ( ). Otherwise,choose ,set , and add the tuple to K.

22 Secret-Value Queries:receiving a query SV( ),if the public key has been replaced,C returns .Otherwise,if a tuple( )on K,C returns as answer;else,C first makes PK( ) then returns as answer. Public-Key-Replacement Queries: AI choose a new public key for the user’s identity( ).On receiving a query PKR( , ),C first finds the tuple( ) on K,then C updates to Sign Queries: On receive a Sign query S( ), denotes the public key chosen by AI ,C generates the signature as follows. Choose ,set Set , Compute and output

23 Forgery: Finally, AI returns a successful forgery
If ,C aborts. Type II proof: Let C be a CDH attacker who receives a random instance (P,aP,bP) and to compute the value of abP.( C can use AI to solve the CDH problem.) C sets PT = aP,selects params=(G1,G2, e, P, PT,H1,H2,H3) to AI. Public-Key Queries:C keeps an initially empty list K of tuples(IDj,xj,Pj) For a new query,if ,C return as answer and adds to K ;else,C picks ,compute add to K and return .

24 Secret-Value Queries: On receiving a query SV( ), if the public key of
has been replaced, C returns ⊥; otherwise, if , C aborts; else if a tuple on K, C returns as answer; else, C first makes PK( ), then recovers the tuple from K, returns Public-Key-Replacement Queries: AII can choose a new public key for the user’s identity On receiving a query PKR( ) if , C aborts; otherwise, C finds the tuple on K and updates to

25 CONCLUSIONS Only two pairing operations are required in signing and verification. It is more efficient than the other CLS schemes achieving the same security level.


Download ppt "A New Provably Secure Certificateless Signature Scheme"

Similar presentations


Ads by Google