1. A Concrete Certificateless Signature Scheme without Pairings
2009 International Conference on Multimedia Information Networking and Security
Author: Aijun Ge, Shaozhen Chen, Anna Lauks
Adviser: 鄭錦楸 ,郭文中 教授
Reporter: 林彥宏
大部份的免憑證簽章法都架構在ECC的雙線性映射環境下,因此也比較耗成本
本論文提出一新的免憑證簽章法不需利用pairing, 計算上會更有效率,此外本論文最後也提出random oracle model 的安全性證明

2. Outline 1 Click to add Title 2 Click to add Title 3 Click to add Title4

3. Key Generating Center (KGC), who holds a master key
INTRODUCTION
Certificateless Public Key Cryptography －Al-Riyami, S.S., Paterson, K.G., ASIACRYPT LNCS, vol. 2894
find a public key system that does not use certificates
does not have the key escrow problem
Key Generating Center (KGC), who holds a master key
most certificateless cryptography schemes are based on bilinear mappings on elliptic curves
Heavy computational cost
key escrow 金鑰託管

4. INTRODUCTION
Certificateless Public Key Encryption without Pairing. －Baek, J., Safavi-Naini, R., Susilo, ISC LNCS,vol. 3650, pp
first without bilinear mappings scheme
Strongly Secure Certificateless Public Key Encryption Without Pairing－Sun, Y.X., Zhang, F.T., Baek, CANS 2007, LNCS, vol. 4856, pp
more computationally efficient
In this paper, we present the first concrete efficient certificateless signature scheme without pairings, and prove its security in the random oracle model.

5. Partial-Key-Extract(params, ID, msk).
PRELIMINARIES
Setup(k):
Input: secret parameter k
Output: master secret key msk ; master public key mpk ;
list of public system parameters params.
Partial-Key-Extract(params, ID, msk).
Input: user’s identity ID
Output: partial private key DID ; partial public key PID
Set-Secret-Value(params,mpk).
Output: secret value sID.

6. Set-Public-Key( params, mpk, ID, PID, sID).
PRELIMINARIES
Set-Public-Key( params, mpk, ID, PID, sID).
Output: public key PKID .
Set-Private-Key(params, DID , sID).
Output: private key SKID .
Sign(params, mpk, ID, SKID, m).
Output: certificateless signature σ.
Verify(params, mpk, ID, PKID, m, σ).
Verify( params, mpk, ID, PKID, m, Sign(params, mpk, ID, SKID ,m )) = valid.

7. PRELIMINARIES
Type I: adversary AI can replace any user’s public key but does not have the partial private key
obtain some message/signature pairs which are valid under the public key chosen by itself
Type II: adversary AII simulates a dishonest KGC who has the knowledge of the master secret key but is not allowed to replace the target user’s public key.
Definition:
The security of our certificateless signature scheme can be reduced to the hardness of discrete logarithm problem.
由於是免憑證,因此無法去確認使用者的公鑰,所以要考慮兩種攻擊者

8. THE PROPOSED SCHEME Setup: security parameter k
primes p, q, where p, q > 2k , and q|(p-1)
secret key x, public key y=gx (mod p)
H1: {0, 1}* ×Zp* → Zq*
H2: {0, 1}* ×Zp* ×Zp* → Zq*
H3: {0, 1}* ×{0, 1}* (Zp* )4×Zq* ×Zp* → Zq*
system parameters params=(p, q, g, G, y, H1, H2, H3).

9. Partial-Key-Extract:
THE PROPOSED SCHEME
Partial-Key-Extract:
user’s identity ID
Picks s0, s1 , p0=gs0 (mod p) and p1=gs1 (mod p)
d0=s0+x·H1(ID, p0) (mod q)
d1=s1+x·H2(ID, p0, p1) (mod q)
partial private key DID = d0, partial public key PID = (p0, p1, d1).
Algorithms Setup and Partial-Key-Extract are executed by KGC.
user checks gd0=p0·y H1(ID, p0) (mod p) and gd1=p1·y H2(ID, p0, p1) (mod p)

10. THE PROPOSED SCHEME Set-Secret-Value: Set-Private-Key: Set-Public-Key:
pick z at random
set sID = z as the user’s secret value
Set-Private-Key:
user’s full private key SKID = (DID, sID) = (d0, z).
Set-Public-Key:
μ = gz (mod p).
user’s full public key PKID = (PID, μ) = (p0, p1, d1, μ).

11. THE PROPOSED SCHEME Sign: Verify:
randomly selects r, r’ , calculates c = gr (mod p) , c’ = gr’(mod p))
u = H3(m, ID, c, c’, PKID)
calculates v = r−uz (mod q) and w = r’ −ud0 (mod q)
the signature on the message m is σ = (u, v, w).
Verify:
gd1 = p1yH2(ID, p0, p1) (mod p)
u = H2(m, ID, gvμu, gw(p0y H1(ID, p0) )u, PKID)

12. Thank You !