Certificateless signature revisited
Date: 2010.6.20
Reporter: Chien-Wen Huang
Authors: Xinyi Huang, Yi Mu, Willy Susilo, Duncan S. Wong, and Wei Wu
Source: ACISP 2007, LNCS 4586, pp. 308–322, 2007
Outline
1 Introduction
2 Certificateless signature
3 Security Models
4 Our Proposed Schemes
5 Comparison
6 Conclusion
Introduction
In a secret-key system
- use a secure channel to transmit the secret key.
In a public-key system
- anyone has a public key and a private key.
ID-PKC (Identity-based public key cryptography)
Signer(ID):
- Require private-key
- Sign: σ=PH(ID)+H(M,…)
KGC (“master” public key, master-private key):
- Return master private-key(ID)
Verifier:
- Use ID and PKG’s public key to check
Assume the KGC is completely trusted!!
CL-PKC (Certificateless public key cryptography)
Signer(ID):
- Decide secret value and PK(use )
- Require partial-private-key
- Sign: σ=PH(ID)+ H(M,…)
KGC (master public key=mpk, partial-private-key):
- Return partial-private-key(ID)
Verifier:
- Use ID, the corresponding PK and PKG’s mpk to verify
The key escrow is resolved!!
Certificateless signature
Outline of the Certificateless Signature Schemes
Setup
- input: a security parameter
- output: a master-secret key msk, master-public key mpk, system parameters param.
Partial-Private-Key-Extract
- input: ID, param, master-secret key msk, master-public key mpk
- output: partial private key .
Set-Secret-Value
- input: master-public key mpk, param.
- output: secret value
Set-Public-Key
- input: master-public key mpk, param, ID and
- output: public key
Sign
- input: mpk, param, ID, , and a message M.
- output: a certificateless signature
Verify
- input: mpk, param, ID, and a message/signature (M/ )
- output: true or false
Adversaries and Oracles
- : replaces the user’s public key , but is not given this user’s partial private key .
- : knows the master secret key but cannot replace the target user’s public key.
Create-User: input a query to obtain , , . adds to list L.
Public-Key-Replace: input a query . replaces user’s and updates the list L. (not required to provide to generate )
Secret-Value-Extract: input a query ID, browses the list L and returns . (to generate ID’s original public key . But it can’t output the secret value associated with the )
Security Models
Security Against a Normal Type I Adversary
The attack scenarios are as follows:
- obtain some pairs (using target user’s and )
- The target user will keep and as secret.
- replace the target user’s and dupe any other third party to verify user’s signatures (using )
A signature scheme against a Normal Type I:
Phase 1: challenger runs Setup and returns mpk, param to
Phase 2: can adaptively access all the oracles
- Partial-Private-Key-Extract: input a query ID. It browses the list L and returns
- Normal-Sign: input a query (ID,m). Output
Phase 3: After all the queries, outputs a forgery if the forgery satisfies the following requirements:
- has never submitted to the oracle Normal-Sign.
- has never submitted to Partial-Private-Key-Extract or Secret-Value-Extract.
The success probability wins the games:
Definition 1. secure against a Normal Type I adversary and is negligible.
Security Against a Strong Type I Adversary
- see some pairs are generated by Sign using and .
- the only difference: Strong-Sign.
Phase 1: challenger runs Setup and returns mpk, param to
Phase 2: access all the oracles
Strong-Sign: input a query
- if , uses original secret value and . output
- Otherwise, use and to generate
Phase 3: After all the queries, outputs a forgery . Let be the current public key in the list L. if the forgery satisfies the following requirements:
- has never submitted to Strong-Sign.
- has never submitted to Partial-Private-Key-Extract.
The success probability wins the games:
Definition 2. secure against a Strong Type I adversary and is negligible.
Security Against a Super Type I Adversary
- obtain some , implies exists a black-box can extract from the public key chosen by (using and to sign).
Phase 1: challenger runs Setup and returns mpk, param to
Phase 2: access all the oracles and Super-Sign oracle.
Sign: input a query , output
- if PKID=PKID, returned from Create-User;
- otherwise, PKID=PK’ID submitted to Public-Key-Replace
Phase 3: After all the queries, outputs a forgery . Let be the current public key in the list L. if the forgery satisfies the following requirements:
- has never submitted to Super-Sign.
- has never submitted to Partial-Private-Key-Extract.
The success probability wins the games:
Definition 3. secure against a Super Type I adversary and is negligible.
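Added example (not from the slides or from the paper's authors): the bookkeeping a challenger needs in order to decide in Phase 3 whether a Type I forgery counts, for the Normal, Strong and Super games described above. The class name, the opaque placeholder keys, and the assumption that the restricted queries are the target identity and the pair (identity, message) are illustrative; no signature scheme is implemented.

```python
# Added illustration (not from the slides): oracle bookkeeping for the Type I games.
# Keys are opaque placeholders; no signature scheme is implemented here.
import secrets

class TypeIGame:
    def __init__(self, level):
        assert level in ("normal", "strong", "super")
        self.level = level
        self.L = {}                  # list L: ID -> user record
        self.ppk_asked = set()       # IDs sent to Partial-Private-Key-Extract
        self.sv_asked = set()        # IDs sent to Secret-Value-Extract
        self.sign_asked = set()      # (ID, m) pairs sent to the sign oracle

    def create_user(self, ID):
        if ID not in self.L:
            x = secrets.token_hex(16)            # placeholder secret value
            self.L[ID] = {"x": x, "orig_pk": "pk:" + ID, "cur_pk": "pk:" + ID}
        return self.L[ID]["cur_pk"]

    def public_key_replace(self, ID, new_pk):
        # The adversary need not supply the secret value behind new_pk.
        self.create_user(ID)
        self.L[ID]["cur_pk"] = new_pk

    def partial_private_key_extract(self, ID):
        self.create_user(ID)
        self.ppk_asked.add(ID)       # only the query is recorded in this sketch

    def secret_value_extract(self, ID):
        # Returns the secret value behind the ORIGINAL public key only.
        self.create_user(ID)
        self.sv_asked.add(ID)
        return self.L[ID]["x"]

    def sign_query(self, ID, m):
        self.create_user(ID)
        self.sign_asked.add((ID, m))

    def current_pk(self, ID):
        # Strong/Super games refer to the current public key in list L.
        return self.L[ID]["cur_pk"]

    def forgery_admissible(self, ID, m):
        # Phase 3: no sign query on (ID, m), no partial private key for ID.
        if (ID, m) in self.sign_asked or ID in self.ppk_asked:
            return False
        # Only the Normal game also forbids Secret-Value-Extract on the target.
        if self.level == "normal" and ID in self.sv_asked:
            return False
        return True
```

The same query history can therefore be a losing run in the Normal game and an admissible one in the Strong or Super game, which is the sense in which the later adversaries are stronger.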
Type II Adversaries
Divided into: Normal (Normal-Sign), Strong (Strong-Sign) and Super (Super-Sign).
Phase 1: challenger runs Setup and returns mpk, param to
Phase 2: access all the oracles (Normal-Sign,…)
Phase 3: After all the queries, outputs a forgery if the forgery satisfies the following requirements:
- has never submitted to the sign oracle.
- has never submitted to the oracle Secret-Value-Extract.
The success probability wins the games:
Definition 4. secure against a Type II adversary and is negligible.
Malicious but Passive KGC Attack
- the KGC that holds the master secret key is assumed malicious (at the very beginning of the Setup).
- KGC generates his master public/secret key pair maliciously.
Our Proposed Schemes
Bilinear Groups and Security Assumptions
- : an additive group of prime order
- : a multiplicative group of the same order.
- is a generator in
Discrete Logarithm Problem: Given , find
Computational Diffie-Hellman Problem: Given elements in , find
Scheme I
Secure against a Normal Type I adversary and a Super Type II adversary.
Setup: Let be bilinear groups. ( ) KGC sets system’s master public key , master secret key and publishes p ≥ 2k
Partial-Private-Key-Extract: Given user’s ID, KGC computes . . then set
Set-Secret-Value: user chooses a random number
Set-Public-Key: Given . user computes
Sign: the user computes
Verify:
Security Analysis of Scheme I Theorem 1. Theorem 2.
Scheme II
Secure against a Super Type I and Type II adversary.
Sign: For a message , the user computes -
Verify: Given a pair and , anyone checks
Security Analysis of Scheme II Theorem 1. Theorem 2.
Comparison
Conclusion
- The first scheme has the shortest signature length compared to any existing CLS schemes in the literature.
- The second scheme has lower operation cost but a slightly longer signature length, compared with another concrete scheme that has a similar security level.