1 A new identity based proxy signature scheme Source: Lecture Notes In Computer Science Author: Chunxiang Gu and Yuefei Zhu Presenter: 林志鴻

2 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

3 Introduction 1.Full delegation 2.Partial delegation 3.Delegation by warrant 4.Partial delegation with warrant Alice Bob 1.SK of Alice 2.PPK 3.delegation

4 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

5 Preliminaries  Bilinear Pairing  k-BDHI problem

6 Bilinear Pairing  e : G 1 × G 1 → G 2  Bilinearity  Non-degeneracy  Computability

7 k-BDHI problem  BDHI ︰ Bilinear Di ffi e-Hellman Inverse  k-BDHI problem ︰ 給定 (P,aP,a 2 P,...a k P) ∈ ( G 1 * ) k+1 ，輸出 令一演算法 A 解此問題的機率為 ε

8 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

9 Proposed Scheme  Steup  Extract  Delegate  Dverify  PKgen  PSign  PVerify  ID

10 Proposed Scheme (cont.)  Steup : 設定 k 為安全參數 Ω = G 1 and G 2 ( 由 P 產生 prime order q ) e : G 1 × G 1 → G 2 P s = sP, P ss = s 2 P, g = e(P,P) g s =e(P s,P) 選擇二個 hash functions H 1 : {0, 1} ∗ → Z q * H 2 : {0, 1} ∗ × G 1 → Z q

11 Proposed Scheme (cont.)  Extract : 給一使用者 ID X ∈ Z ∗ q, 計算 D X =(H 1 (ID X )+s) -1 P  Delegate : A 授權給 B 1. 隨機選取 x ∈ Z ∗ q 2. 計算 q B =H 1 (ID B ), r A =g s x ． g qBx, h A =H 2 (m ω, r A ), V A =(x+h A )D A 3. W A→B =(m ω, r A, V A )  DVerify : B 驗證 計算 h A =H 2 (m ω, r A ), q A =H 1 (ID A ), q B =H 1 (ID B ) 驗證等式 e((q A +q B )P s +q A q B P+P ss,V A )=r A ． g s hA ． g qBhA g = e(P,P) g S =e(P s,P) P S =sP P SS =s 2 P

12 Proposed Scheme (cont.)  PKGen : B 接受了 W A→B =(m ω, r A, V A ) 計算代簽金鑰 D P =h A ． D B － V A  PSign : 代簽者預先計算 ζ= g hA(qA-qB) /r A, q A =H 1 (ID A ), q B =H 1 (ID B ),r A 從 W A→B 取得 隨機選取 y ∈ Z ∗ q 計算 r P =ζ y, h P =H 2 (m, r p ), V P =(y+h P )D P (m, τ)=(m, r P, V P, m ω, r A ) 為完成之簽章 r A =g s x ． g qBx h A =H 2 (m ω, r A ) V A =(x+h A )D A D X =(H 1 (ID X )+s) -1 P

13 Proposed Scheme (cont.)  PVerify: 對簽章 (m, r P, V P, m ω, r A ) 接收者先驗證授權 計算 h P =H 2 (m, r P ), q A =H 1 (ID A ), q B =H 1 (ID B ) 驗證等式  ID: 從 m ω 中可獲得代簽者 ID B 的身份 h P =H 2 (m, r p ), P S =sP V P =(y+h P )D P, P SS =s 2 P r A =g s x ． g qBx h A =H 2 (m ω, r A )

14 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

15 Efficiency Analysis SchemeDelgateDVerifyPKgenPSignPVerify (a) Zhang-Kim’s scheme 2M +1E2e +1E +1H1M2M +1E2e +2E +2H (b)this paper’s scheme 1M +2E1e +2M +2E1M1M +1E1e +2M +2E M: 乘法 E: 指數運算 H :hash e:pairing

16 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

17 Conclusion  雖然 pairing 的計算效率已加強但仍為一個效 能的重擔而本篇的方法在驗證時只需要一個 pairing 故較為有效率  本篇所提出的方法之安全建立於在 random oracle model 中的 k-BDHI problem 困難假設