Slide 1: A new certificateless aggregate signature scheme. Computer Communications 32 (2009) 1079-1085. Authors: Lei Zhang, Futai Zhang. Presenter: 紀汶承
Slide 2: Outline
- Introduction
- Preliminaries
- A CLAS scheme
- Two types of adversaries
- An efficient certificateless aggregate signature scheme
- Security proof
Slide 3: Introduction
Purpose: combine many signatures into a single signature so as to reduce the total signature length. Compared with many separate individual signatures, this also reduces the computational cost of verification.
Slide 4: Preliminaries
- Bilinear pairing
- Table (notations and meanings)
- CDH problem
Slide 5: Bilinear pairing
G_1: a cyclic additive group generated by P whose order is a prime q.
G_2: a cyclic multiplicative group of the same order q.
A bilinear pairing is a computable map e: G_1 × G_1 → G_2 with the following properties:
Slide 6: Bilinear pairing (cont.)
1. Bilinear: for any a, b and
2. Non-degenerate: there exists such that
Slide 7: Table (notations and meanings)
- CLAS: certificateless aggregate signature
- KGC: key generation center
- A_1 / A_2: a type I / type II adversary
- ID_i, P_i: the identity and public key of a user, respectively
- x_i, D_i: the secret value and partial private key of the user with identity ID_i
- l: a security parameter
- e: a bilinear map
- Z_q: an additive group whose elements are 0, …, q-1
- M_i: a message
- M: the message space
- σ_i: a single signature on a message
- σ: an aggregate signature
- Δ: a state information
- H_i: a hash function
- ⊥: denotes an empty value
Slide 8: Computational Diffie-Hellman group
Define the system parameters as Params = {G_1, G_2, e, q, P, H}.
Hash function: H :
CDH problem: given P, aP, bP ∈ G_1 for all a, b ∈ compute abP.
Slide 9: A CLAS scheme
Setup: performed by the KGC; takes a security parameter l and generates a master key and a list of system parameters params.
Partial-Private-Key-Extract: performed by the KGC; uses the user's ID_i, params and the master key to produce the user's partial private key.
UserKeyGen: run by the user; produces the private/public key pair x_i / P_i.
Slide 10: A CLAS scheme (cont.)
Sign: run by the user; input params, state information Δ, message M_i, ID_i, P_i and the signing key (x_i, D_i); output σ_i as the signature.
Aggregate: run by the aggregate signature generator; outputs σ as the aggregate signature on messages M_1, …, M_n.
Aggregate Verify: outputs true if the aggregate signature is valid, otherwise false.
Slide 11: Two types of adversaries
Type I: A_1 does not have the master key, but can replace public keys with values of its choice.
Type II: A_2 has the master key, but cannot perform public key replacement.
Slide 12: Two types of adversaries (cont.)
Game 1:
Setup: C runs the setup algorithm with security parameter l as input, generates the master key and the system params, then sends params to A_1.
Attack: A_1 may issue a polynomially bounded number of the following queries.
Slide 13:
1. Partial-Private-Key queries (ID_i): A_1 may request the partial private key of any user; C outputs it to A_1.
2. Public-Key queries (ID_i): C outputs the user's public key to A_1.
3. Secret-Value queries (ID_i): C outputs the user's secret value x_i to A_1.
4. Public-Key-Replacement queries (ID_i, P_i'): A_1 may choose a new public key P_i' to replace the public key P_i of user i; C records the replacement.
5. Sign queries (Δ_i, M_i, ID_i, P_i): A_1 may request a signature of user i; C computes a valid signature of i on state information Δ_i.
Slide 14:
Forgery: A_1 outputs a set of n users U* = {U_1*, …, U_n*}, a state information Δ* and an aggregate signature σ*. A_1 wins Game 1 iff σ* is a valid aggregate signature, at least one ID_i has never been submitted to a ppk(ID_i) query, and S(Δ_i, M_i, ID_i, P_i) has never been queried.
Slide 15:
Game 2:
Setup: C runs the setup algorithm with security parameter l as input, generates the master key and the system params, then sends the master key and params to A_2.
Attack: A_2 may issue a polynomially bounded number of the following queries.
Slide 16:
1. Public-Key queries (ID_i): C outputs the user's public key to A_2.
2. Secret-Value queries (ID_i): C outputs the user's secret value x_i to A_2.
3. Sign queries (Δ_i, M_i, ID_i, P_i): A_2 may request a signature of user i; C computes a valid signature of i on state information Δ_i.
Slide 17:
Forgery: A_2 outputs a set of n users U* = {U_1*, …, U_n*}, a state information Δ* and an aggregate signature σ*. A_2 wins Game 2 iff σ* is a valid aggregate signature, at least one ID_i has never been submitted to an sv(ID_i) query, and S(Δ_i, M_i, ID_i, P_i) has never been queried.
Slide 18: An efficient certificateless aggregate signature scheme
Setup: on input a security parameter l, the KGC chooses cyclic groups G_1, G_2 and a bilinear map e: G_1 × G_1 → G_2, chooses a random λ ∈ Z_q* as the master key and sets P_T = λP, and chooses hash functions H_1: {0,1}* → G_1, H_2: {0,1}* → G_1, H_3: {0,1}* → G_1. The system parameters are {G_1, G_2, e, P, P_T, H_1, H_2, H_3} and the message space is M = {0,1}*.
Slide 19:
Partial-private-key-extract: compute Q_i = H_1(ID_i) and output the partial private key D_i = λQ_i.
UserKeyGen: select a random and set the secret value / public key as x_i / P_i = x_i P.
Slide 20:
Sign: to sign a message M_i using the signing key (x_i, D_i), choose a state information Δ and perform the following steps:
- Choose a random and compute R_i = r_i P.
- Compute W = H_2(Δ) and S_i = H_3(Δ || M_i || ID_i || P_i || R_i).
- Compute V_i = D_i + x_i W + r_i S_i.
- Output σ_i = (R_i, V_i) as the signature on M_i.
Slide 21:
Aggregate: given σ_i = (R_i, V_i) for i = 1, …, n, aggregate them into σ = (R_1, …, R_n, V) with V = Σ V_i.
Aggregate verify: compute W = H_2(Δ), Q_i = H_1(ID_i), S_i = H_3(Δ || M_i || ID_i || P_i || R_i), and verify
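As an added example (not code from the paper or from these slides), the following Python runs the Setup, Partial-Private-Key-Extract, UserKeyGen, Sign, Aggregate and Aggregate-Verify algorithms of slides 18 to 21 over a constructed toy bilinear group: G_1 is modelled as Z_q under addition with P = 1, G_2 as the order-q subgroup of Z_p^* (q | p-1), and e(aP, bP) = g^(ab) mod p. That map is bilinear and non-degenerate, but it gives no security because discrete logarithms in Z_q are trivial; a real instantiation needs a pairing-friendly curve from a pairing library. The verification equation e(V, P) = e(P_T, ΣQ_i) · e(W, ΣP_i) · Π e(S_i, R_i) is derived here from V_i = D_i + x_i W + r_i S_i by bilinearity, since the slide's own equation did not survive extraction; it uses n + 3 pairings, matching the count on slide 36. H_1, H_2, H_3 are modelled as SHA-256 reduced mod q, and the names KGC, user_keygen, aggregate_verify and demo are this example's own.

```python
"""Toy instantiation of the Zhang-Zhang CLAS scheme (added example, INSECURE toy pairing)."""
import hashlib
import secrets

# --- constructed toy bilinear group: G1 = (Z_q, +), G2 = order-q subgroup of Z_p^* ---
def _is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def _next_prime(n):
    while not _is_prime(n):
        n += 1
    return n

q = _next_prime(10 ** 6)                                   # prime order of G1 and G2
p = next(k * q + 1 for k in range(2, 10 ** 6) if _is_prime(k * q + 1))   # q | p-1
g = next(pow(h, (p - 1) // q, p) for h in range(2, p) if pow(h, (p - 1) // q, p) != 1)
P = 1                                                      # generator of G1; "aP" is just a mod q

def add(*xs):                      # group operation in G1
    return sum(xs) % q

def mul(k, X):                     # scalar multiplication kX in G1
    return (k * X) % q

def e(A, B):                       # toy pairing e(aP, bP) = g^(ab) mod p (bilinear, non-degenerate)
    return pow(g, (A * B) % q, p)

def rand_scalar():                 # random element of Z_q^*
    return secrets.randbelow(q - 1) + 1

def _hash_to_g1(tag, *parts):      # H_i: {0,1}* -> G1, modelled as SHA-256 mod q
    h = hashlib.sha256(tag)
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)   # length-prefix each field of the "||" input
    return int.from_bytes(h.digest(), "big") % q

def H1(ID):
    return _hash_to_g1(b"H1", ID)

def H2(delta):
    return _hash_to_g1(b"H2", delta)

def H3(delta, M, ID, Pi, Ri):      # H_3(Delta || M_i || ID_i || P_i || R_i)
    return _hash_to_g1(b"H3", delta, M, ID, Pi, Ri)

def pairing_checks():
    """Bilinearity and non-degeneracy, as required on slide 6."""
    a, b, c = 3, 5, 7
    return (e(add(a, b), c) == e(a, c) * e(b, c) % p
            and e(mul(a, P), mul(b, P)) == pow(e(P, P), a * b, p)
            and e(P, P) != 1)

class KGC:
    """Setup (master key lambda, P_T = lambda P) and Partial-Private-Key-Extract."""
    def __init__(self):
        self.lam = rand_scalar()
        self.P_T = mul(self.lam, P)

    def partial_private_key(self, ID):
        return mul(self.lam, H1(ID))         # D_i = lambda * Q_i

def user_keygen():
    x = rand_scalar()
    return x, mul(x, P)                      # secret value x_i, public key P_i = x_i P

def sign(delta, M, ID, Pi, x, D):
    r = rand_scalar()
    R = mul(r, P)
    W = H2(delta)
    S = H3(delta, M, ID, Pi, R)
    V = add(D, mul(x, W), mul(r, S))         # V_i = D_i + x_i W + r_i S_i
    return R, V

def aggregate(sigs):                         # sigma = (R_1, ..., R_n, V) with V = sum V_i
    return [R for R, _ in sigs], add(*(V for _, V in sigs))

def aggregate_verify(P_T, delta, msgs, IDs, pubs, Rs, V):
    """e(V, P) == e(P_T, sum Q_i) * e(W, sum P_i) * prod e(S_i, R_i): n + 3 pairings."""
    W = H2(delta)
    rhs = e(P_T, add(*(H1(ID) for ID in IDs))) * e(W, add(*pubs)) % p
    for M, ID, Pi, Ri in zip(msgs, IDs, pubs, Rs):
        rhs = rhs * e(H3(delta, M, ID, Pi, Ri), Ri) % p
    return e(V, P) == rhs

def demo(n=3):
    """Returns (valid aggregate verifies, tampered message verifies, tampered V verifies)."""
    kgc = KGC()
    delta = b"round-42"                                      # constructed state information
    IDs = [f"user{i}".encode() for i in range(n)]            # constructed identities
    msgs = [f"message {i}".encode() for i in range(n)]       # constructed messages
    keys = [user_keygen() for _ in IDs]
    pubs = [Pi for _, Pi in keys]
    sigs = [sign(delta, M, ID, Pi, x, kgc.partial_private_key(ID))
            for M, ID, (x, Pi) in zip(msgs, IDs, keys)]
    Rs, V = aggregate(sigs)
    ok = aggregate_verify(kgc.P_T, delta, msgs, IDs, pubs, Rs, V)
    bad_msg = aggregate_verify(kgc.P_T, delta, [b"forged"] + msgs[1:], IDs, pubs, Rs, V)
    bad_v = aggregate_verify(kgc.P_T, delta, msgs, IDs, pubs, Rs, add(V, 1))
    return ok, bad_msg, bad_v

if __name__ == "__main__":
    print("pairing checks:", pairing_checks())
    print("(valid, tampered message, tampered V) ->", demo())
```

The single-signature check is the n = 1 case of the same equation, so the aggregate verifier also serves to verify one σ_i. Changing any message, identity, public key or R_i alters the corresponding S_i and breaks the product of pairings, which is what the example's tampering cases exercise.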
Slide 22: Security proof
Assume the CDH problem is hard.
Theorem 1: In the random oracle model, suppose there exists a type I adversary A_1 with advantage ε in forging a signature. Then the CDH problem can be solved with probability
Slide 23:
Proof: let C be a CDH attacker that receives a random instance (P, aP, bP) of the CDH problem in G_1, and let A_1 be a type I adversary that interacts with C.
Setup: C sets P_T = aP and params = (G_1, G_2, e, P, P_T, H_1, H_2, H_3), then sends params to A_1.
Attack: A_1 may issue the following types of queries in an adaptive manner.
Slide 24:
H_1 queries: C maintains a list of tuples (ID_j, α_j, Q_j, c_j), initially empty. On receiving an H_1 query on ID_i, C returns the same answer from the list if the request has been asked before. Otherwise, C first picks a random α_i, then flips a coin c_i ∈ {0,1} that yields 0 with probability δ and 1 with probability 1-δ. If c_i = 0, C sets Q_i = α_i bP, adds (ID_i, ⊥, Q_i, c_i) to the list and returns Q_i as the answer; otherwise, C sets Q_i = α_i P, adds (ID_i, α_i, Q_i, c_i) to the list and returns Q_i as the answer.
Slide 25:
H_2 queries: C keeps a list of tuples (Δ_j, W_j, β_j), initially empty. Whenever A_1 issues a query H_2(Δ_i), C returns the same answer from the list if the request has been asked before. Otherwise, C selects a random β_i, computes W_i = β_i P, adds (Δ_i, W_i, β_i) to the list and returns W_i as the answer.
Slide 26:
H_3 queries: C keeps a list of tuples (Δ_j, M_j, ID_j, P_j, R_j, S_j, γ_j), initially empty. Whenever A_1 issues a query (Δ_i || M_i || ID_i || P_i || R_i) to H_3, C returns the same answer from the list if the request has been asked before. Otherwise, C selects a random γ_i, computes S_i = γ_i P, adds (Δ_i, M_i, ID_i, P_i, R_i, S_i, γ_i) to the list and returns S_i as the answer.
Slide 27:
Partial-Private-Key queries: C keeps a list of tuples (ID_j, x_j, D_j, P_j), initially empty. When A_1 issues a Partial-Private-Key query PPK(ID_i), C returns the same answer from the list if the request has been asked before. Otherwise, C first makes an H_1 query on ID_i, finds the tuple (ID_i, α_i, Q_i, c_i) on the H_1 list, and then proceeds as follows:
(1) If c_i = 0, abort.
(2) Else, if there is a tuple (ID_i, x_i, D_i, P_i) on the list, set D_i = α_i P_T and return D_i as the answer.
(3) Otherwise, compute D_i = α_i P_T, set x_i = P_i = ⊥, return D_i as the answer and add (ID_i, x_i, D_i, P_i) to the list.
Slide 28:
Public-Key queries: on receiving a Public-Key query PK(ID_i), if the request has been asked before, the current public key from the list is returned. Otherwise, C proceeds as follows:
(1) If there is a tuple (ID_i, x_i, D_i, P_i) on the list (in this case the public key P_i of ID_i is ⊥), choose x_i, compute P_i = x_i P, return P_i as the answer and update (ID_i, x_i, D_i, P_i) on the list.
(2) Otherwise, choose x_i, compute P_i = x_i P, return P_i as the answer, set D_i = ⊥ and add (ID_i, x_i, D_i, P_i) to the list.
Slide 29:
Secret-Value queries: on receiving a Secret-Value query SV(ID_i), C first makes a PK(ID_i) query, then finds the tuple (ID_i, x_i, D_i, P_i) on the list and returns x_i as the answer (note that the value of x_i may be ⊥).
Public-Key-Replacement queries: A_1 can choose a new public key for the user whose identity is ID_i. On receiving a Public-Key-Replacement query PKR(ID_i, P_i'), C first finds the tuple (ID_i, x_i, D_i, P_i) on the list (if no such tuple exists or P_i = ⊥, C first makes a PK(ID_i) query), then C updates P_i to P_i'.
Slide 30:
Sign queries: on receiving a Sign query S(Δ_i, M_i, ID_i, P_i), where P_i denotes the public key chosen by A_1, C first makes the queries H_1(ID_i) and H_2(Δ_i), recovers (ID_i, α_i, Q_i, c_i) from the H_1 list and (Δ_i, W_i, β_i) from the H_2 list, and then generates the signature as follows:
(1) If c_i = 0: choose, set, set S_i = γ_i P_T, add (Δ_i, M_i, ID_i, P_i, R_i, S_i, γ_i) to the H_3 list (if a tuple (Δ_i, M_i, ID_i, P_i, R_i, S_i, γ_i) is already on the list, redo this step), compute V_i = β_i P_i + r_i γ_i P_T, and output σ_i = (R_i, V_i).
(2) Else (c_i = 1): randomly choose, set V_i = α_i P_T + β_i P_i + γ_i R_i, and output σ_i = (R_i, V_i).
Slide 31:
Forgery: A_1 returns a forged aggregate signature σ* = (R_1*, …, R_n*, V*). It is required that there exists I ∈ {1, …, n} such that A_1 has not asked for the partial private key of ID_I and has not made an S(Δ_I, M_I, ID_I, P_I) query. Without loss of generality, let I = 1. The forged aggregate signature must satisfy
Slide 32:
C now proceeds only if c_1* = 0 and c_i* = 1 for all 2 ≤ i ≤ n; otherwise C aborts. Then
In our setting: for all i, 2 ≤ i ≤ n, ; then
Slide 33: Analysis
The following three events must all occur:
E_1: C does not abort as a result of any of A_1's Partial-Private-Key queries.
E_2: A_1 generates a valid and nontrivial aggregate signature forgery.
E_3: Event E_2 occurs, c_1* = 0 and c_i* = 1 for all i, 2 ≤ i ≤ n.
Slide 34:
Pr[E_1 ∧ E_2 ∧ E_3] = Pr[E_1] · Pr[E_2 | E_1] · Pr[E_3 | E_1 ∧ E_2].
The probability that C does not abort as a result of A_1's key extraction queries is at least ; then Pr[E_1] ≥
Suppose algorithm C does not abort as a result of A_1's signature queries and key extraction queries; then A_1's view is identical to its view in the real attack, so Pr[E_2 | E_1] ≥ ε.
The probability that C does not abort after A_1 outputs a valid and nontrivial forgery is at least ; then Pr[E_3 | E_1 ∧ E_2] ≥
Slide 35:
So we have . When , is maximized at . When q_k is large, we have
Slide 36:
Signing costs 2n scalar multiplications, fewer than the 3n (using PKL).
Verification costs n + 3 pairing operations.
Can the cost be reduced further?