1. 1 ID-Based Proxy Signature Using Bilinear Pairings Author: Jing Xu, Zhenfeng Zhang, and Dengguo Feng Presenter: 林志鴻

2. 2 Outline Introduction Preliminaries The Proposed Scheme Conclusion

3. 3 Introduction An entity to delegate signing capabilities to other participants so that they can sign on behalf of the entity within a given context Alice Bob context

4. 4 Outline Introduction Preliminaries The Proposed Scheme Conclusion

5. 5 Preliminaries Bilinear Pairing Gap Diffie-Hellman (GDH) Group ID-Based

6. 6 Bilinear Pairing e : G × G → V Bilinearity Non-degeneracy Computability

7. 7 Gap Diffie-Hellman (GDH) Group (t, ε)-gap Diffie-Hellman group CDH problem ︰ given P, aP, bP ∈ G compute abP

8. 8 ID-Based The user’s public key can be calculated directly from his/her identity rather than being extracted from a certificate issued by a certificate authority (CA)

9. 9 Outline Introduction Preliminaries The Proposed Scheme Conclusion

10. 10 Proposed Scheme PS=(G,K, S, V, (D,P),PS,PV,ID) – G: 設定 k 為安全參數. G 是由 P 產生 prime order q > 2 k 的 GDH group, 而 e : G × G → V 是一個 bilinear map. 隨機選取 master key s ∈ Z ∗ q 並設定 P pub = sP 使用 hash functions H1,H2,H3 : {0, 1} ∗ → G, H4 : {0, 1} ∗ → Z ∗ q

11. 11 Proposed Scheme (cont.) – K: 給一使用者 ID, 計算 Q ID = H1(ID) ∈ G 及對應的私鑰 d ID = sQ ID ∈ G – S: 為了對訊息 m ω 簽章給指定者 ID i 的私鑰 d i 1. 隨機選取 r ω ∈ Z ∗ q 計算 U ω = r ω P ∈ G 並令 H ω = H2(ID i,m ω, U ω ) ∈ G 2. 計算 V ω = d i + r ω H ω ∈ G m ω 上的簽章是 warrant ω = U ω, V ω

12. 12 Proposed Scheme (cont.) – V: 驗證 ID i 對 m ω 做的簽章 ω = U ω, V ω 驗證者取 Q i = H1(ID i ) ∈ G 和 H ω = H2(ID i,m ω, U ω ) ∈ G e(P, V ω ) = e(P pub,Q i )e(U ω,H ω ) – (D,P): 為了指定 ID j 為代理者 proxy signing key skp = H4(ID i, ID j,m ω, U ω )d j + V ω ID i ID j mω +Warrant ω

13. 13 Proposed Scheme (cont.) – PS: ID j 為代表 ID i 對 m 做簽章時給予一個 skp 1. 隨機選取 r p ∈ Z ∗ q 計算 U p = r p P ∈ G 令 H p = H3(ID j,m,U p ) ∈ G 2. 計算 V p = skp + r p H p ∈ G 此時 psig =(m ω,ID j,U ω,U p,V p )

14. 14 Proposed Scheme (cont.) – PV: 使用指定者 ID i 驗證對 m 做出的代理簽章 psig, 取出 Q i = H1(ID i ) ∈ G, Q j = H1(ID j ) ∈ G, H ω = H2(ID i,m ω,U ω ) ∈ G 和 H p = H3(ID j,m,U p ) ∈ G – ID: 給一用於 m 得代理簽章 psig 則 ID(psig)= ID j 表示代理認證演算法

15. 15 Proposed Scheme (cont.) 正確性

16. 16 Outline Introduction Preliminaries The Proposed Scheme Conclusion

17. 17 Conclusion 本篇所提出的方法之安全性與在 Random Oracle model 中解 CDH 問題有緊密的關聯 並達到 ID-based 代理簽章中安全縮減最佳化