A New Provably Secure Certificateless Signature Scheme
Date:
Reporter: Chien-Wen Huang
Source: 2008 IEEE International Conference on Communications (ICC 2008), vol. 4
Outline
1. INTRODUCTION
2. PRELIMINARIES
3. OUR CERTIFICATELESS SIGNATURE SCHEME
4. SECURITY PROOF
5. CONCLUSIONS
INTRODUCTION
Identity-based public key cryptography (ID-PKC)
◦ was first introduced by Shamir.
◦ Has the key escrow problem: the key generation center (KGC) that issues private keys knows every user's private key and can sign on any user's behalf.
Certificateless public key cryptography (CL-PKC)
◦ Al-Riyami et al., "Certificateless public key cryptography." Asiacrypt 2003, LNCS.
◦ Huang et al. [9]: X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu, "Certificateless signature revisited." ACISP 2007, LNCS, vol. 4586, Springer-Verlag.
◦ Zhang et al. [17], "Certificateless public-key signature: security model and efficient construction." ACNS 2006, LNCS.
INTRODUCTION
Related Works
◦ Two kinds of adversary are considered: a Type I adversary is an outsider who does not know the master-key but may replace users' public keys; a Type II adversary is a malicious key generation center that knows the master-key but may not replace the target user's public key.
◦ Each type is further classified by how a replaced public key is treated in sign queries and in the forgery:
  Normal: signatures are obtained and forged only under the target signer's original public key.
  Strong: the adversary may work under a replaced public key, but must supply the secret value corresponding to the replaced public key when it asks for signatures.
  Super: the adversary may work under a public key chosen by itself without supplying the secret value corresponding to that public key.
◦ Only a few CLS schemes [9], [17] are secure against a super Type I/II adversary.
INTRODUCTION
Our Contribution:
◦ The new CLS (certificateless signature) scheme requires only two pairing operations.
◦ The signature length of the new scheme is 2/3 of that of Huang et al.'s scheme [9].
◦ It is proved secure against super Type I/II adversaries, i.e. in the strongest security model for CLS.
PRELIMINARIES
A. Bilinear Maps
◦ Let G1 be an additive group of prime order q and G2 a multiplicative group of the same order. A bilinear map e from G1 × G1 to G2 satisfies:
1. Bilinearity: e is linear in each of its two arguments.
2. Non-degeneracy: e does not map every pair of points to the identity of G2.
3. Computability: there exists an efficient algorithm to compute e.
PRELIMINARIES
B. Framework of Certificateless Signature Schemes
◦ Setup
  input: a security parameter
  output: a master-key and the system parameters params.
◦ Partial-Private-Key-Extract (run by the holder of the master-key)
  input: ID, params, master-key
  output: the user's partial private key.
◦ Set-Secret-Value (run by the user)
  input: ID, params
  output: the user's secret value.
◦ Set-Public-Key
  input: ID, params, the user's secret value
  output: the user's public key.
◦ Sign
  input: params, a message, ID, the user's public key, partial private key and secret value
  output: a signature on the message.
◦ Verify
  input: a message, a signature, params, ID and the user's public key
  output: whether the signature is valid or not.
PRELIMINARIES
C. Adversarial Model of Certificateless Signature Schemes
◦ Security is defined by the following two games between a challenger C and an adversary A_I or A_II.
Game 1 (for a Type I Adversary)
Setup: C runs the Setup algorithm
1. Input: a security parameter
2. Obtain: a master-key and system parameters params. params are given to A_I; the master-key is kept by C.
Attack: A_I may adaptively issue the following queries.
Partial-Private-Key Queries PPK(ID)
  A_I requests the partial private key of any user's identity; C outputs the partial private key.
Public-Key Queries PK(ID)
  A_I requests the public key of a user's identity; C outputs the public key.
Secret-Value Queries SV(ID)
  A_I requests the secret value of a user's identity; C outputs the secret value (if the public key has been replaced, C outputs ⊥).
Public-Key-Replacement Queries PKR(ID, new public key)
  A_I chooses a new public key as the public key of this user; C records this replacement.
Sign Queries S(ID, m)
  On receiving a query S(ID, m) for an identity ID and message m, C generates a signature under the user's current (possibly replaced) public key; A_I need not supply the secret value corresponding to a replaced key.
Forgery: A_I outputs an identity, a message, a signature and a public key, and wins if
1. the signature is valid on the message under that identity and public key,
2. A_I has never requested the partial private key of that identity, and
3. S(ID, m) on that identity and message has never been submitted.
PRELIMINARIES
Game 2 (for a Type II Adversary)
Setup: C runs the Setup algorithm
1. Input: a security parameter
2. Obtain: a master-key and system parameters params. Both are given to A_II, which models a malicious key generation center; this is why the game has no partial-private-key queries.
Attack: A_II may adaptively issue the following queries.
Public-Key Queries PK(ID)
  A_II requests the public key of a user's identity; C outputs the public key.
Secret-Value Queries SV(ID)
  A_II chooses a user and requests its secret value; C outputs the secret value (if the public key has been replaced, C outputs ⊥).
Public-Key-Replacement Queries PKR(ID, new public key)
  A_II chooses a new public key as the public key of this user.
Sign Queries S(ID, m)
  On receiving a query S(ID, m), C replies with a signature (A_II need not supply the secret value).
Forgery: A_II outputs an identity, a message, a signature and a public key, and wins if
1. the signature is valid on the message under that identity and public key,
2. A_II has never requested the secret value of that identity,
3. A_II has not made a PKR query on that identity, and
4. S(ID, m) on that identity and message has never been queried.
OUR CERTIFICATELESS SIGNATURE SCHEME
A. An Efficient Construction
◦ Setup
1. Given a security parameter,
2. choose a master-key and set P_T (the master public key derived from the master-key and the generator P),
3. choose hash functions H1, H2, H3,
4. params = (G1, G2, e, P, P_T, H1, H2, H3).
◦ Partial-Private-Key-Extract
1. input: params, master-key, ID. Compute the user's H1 hash value and multiply it by the master-key.
2. Output: the user's partial private key.
◦ Set-Secret-Value
input: params
output: a random value chosen by the user as the user's secret value.
◦ Set-Public-Key
input: params, the secret value
output: the user's public key.
◦ Sign
input: params, ID, the public key, the partial private key, the secret value and a message
1. Choose a random value and compute
2. Compute
3. Compute
4. Output the signature on the message.
◦ Verify
To verify a signature on a message for an identity and public key:
1. Compute the hash values,
2. Check the verification equation.
OUR CERTIFICATELESS SIGNATURE SCHEME
B. Comparison (legend of the comparison table)
P: pairing operation. S: a scalar multiplication in G1. H: a MapToPoint hash operation. E: an exponentiation in G2. SL: signature length. PKL: public key length. P1: the length of a point in G1. Z1: the length of an element of Z_q.
SECURITY PROOF
Theorem: the scheme is unforgeable against a super Type I/II adversary in the random oracle model, assuming the CDH problem is intractable.
Type I proof: Let C be a CDH attacker who receives a random instance (P, aP, bP) and must compute abP. C uses A_I as a subroutine to solve the CDH problem. C sets P_T = aP (so the unknown a plays the role of the master-key) and gives params = (G1, G2, e, P, P_T, H1, H2, H3) to A_I.
H1 Queries: A_I makes at most q_H1 queries to H1. C chooses J ∈ [1, q_H1] at random and maintains an initially empty list H1 of tuples (ID_j, α_j, Q_j). On receiving a new query H1(ID_i||P):
1) If i = J, set Q_i = bP, add (ID_i, ⊥, Q_i) to H1 and return Q_i as the answer.
2) Otherwise, pick α_i at random, set Q_i = α_i P, add (ID_i, α_i, Q_i) to H1 and return Q_i as the answer.
H2 Queries: C keeps an initially empty list H2 of tuples. When A_I issues a new query to H2, C selects a random value, adds the query together with the value to H2 and returns the value as the answer.
H3 Queries: handled in the same way with an initially empty list H3: for a new query, C selects a random value, adds the tuple to H3 and returns the value as the answer.
Partial-Private-Key Queries: C keeps an initially empty list K of tuples. Whenever A_I issues a new query PPK(ID_i), C does the following.
1) If ID_i = ID_J, abort (the partial private key of ID_J would be a·bP, the CDH solution C is looking for).
2) Else if there is a tuple for ID_i on K:
  a) if (ID_i, α_i, Q_i) is on H1, set the partial private key to α_i P_T (= a·Q_i, the correct partial private key under master-key a) and return it;
  b) otherwise, first make an H1 query on (ID_i||P) to generate (ID_i, α_i, Q_i), then set the partial private key to α_i P_T and return it.
3) Otherwise (no tuple for ID_i on K yet), do the following.
  a) If a tuple (ID_i, α_i, Q_i) is on H1, compute the partial private key α_i P_T together with the user's key material, return the partial private key as the answer and add the user's tuple to K.
  b) Else, first generate the tuple (ID_i, α_i, Q_i) by simulating the random oracle H1, then proceed as in a).
Public-Key Queries: On receiving a query PK(ID_i), if K already holds a public key for ID_i, the current public key from K is returned. Otherwise C does as follows.
1) If a tuple for ID_i is on K (without a public key yet), choose a secret value, compute the corresponding public key, return it as the answer and update the tuple.
2) Otherwise, choose a secret value, set the corresponding public key, add the new tuple to K and return the public key.
Secret-Value Queries: On receiving a query SV(ID_i), if the public key of ID_i has been replaced, C returns ⊥. Otherwise, if a tuple for ID_i is on K, C returns its secret value as the answer; else C first makes PK(ID_i) and then returns the secret value.
Public-Key-Replacement Queries: A_I chooses a new public key for the user's identity ID_i. On receiving a query PKR(ID_i, new public key), C finds the tuple for ID_i on K and updates its public key to the new one.
Sign Queries: On receiving a sign query S(ID_i, m_i), where the public key is the one currently chosen by A_I (possibly replaced), C generates the signature as follows.
1) Choose random values and set
2) Set
3) Compute and output the signature.
Forgery: Finally, A_I returns a successful forgery. If the identity in the forgery is not ID_J, C aborts; otherwise C uses the forgery to compute abP.
Type II proof: Let C be a CDH attacker who receives a random instance (P, aP, bP) and must compute abP; C uses A_II to solve the CDH problem. C chooses the master-key and params = (G1, G2, e, P, P_T, H1, H2, H3) and gives both to A_II. (A Type II adversary knows the master-key, so C cannot set P_T = aP as in the Type I proof; the CDH instance is instead embedded in the target user's public key, which is why C aborts on secret-value and replacement queries for the target below.)
Public-Key Queries: C keeps an initially empty list K of tuples (ID_j, x_j, P_j). For a new query, if it concerns the target identity, C returns the special public key derived from the CDH instance as the answer and adds it to K; else C picks x_j at random, computes P_j = x_j P, adds (ID_j, x_j, P_j) to K and returns P_j.
Secret-Value Queries: On receiving a query SV(ID_i), if the public key of ID_i has been replaced, C returns ⊥; otherwise, if ID_i is the target identity, C aborts (it does not know the corresponding secret value); else if a tuple for ID_i is on K, C returns x_i as the answer; else C first makes PK(ID_i), recovers the tuple from K and returns x_i.
Public-Key-Replacement Queries: A_II can choose a new public key for a user's identity. On receiving a query PKR(ID_i, new public key), if ID_i is the target identity, C aborts; otherwise C finds the tuple for ID_i on K and updates its public key to the new one.
CONCLUSIONS
Only two pairing operations are required in signing and verification.
The scheme is more efficient than the other CLS schemes achieving the same security level (security against super Type I/II adversaries).