Presentation is loading. Please wait.

Presentation is loading. Please wait.

Certificateless signature revisited

Published byBenjamin Houston Modified over 5 years ago

Similar presentations

Presentation on theme: "Certificateless signature revisited"— Presentation transcript:

1 Certificateless signature revisited
Date: Reporter:Chien-Wen Huang Auther:Xinyi Huang,Yi Mu,Willy Susilo,Duncan S. Wong, and Wei Wu 出處:ACISP 2007, LNCS 4586, pp. 308–322, 2007

2 Outline Introduction Certificateless signature Security Models
1 Certificateless signature 2 Security Models 3 Our Proposed Schemes 4 Comparison 3 5 Conclusion 4 6

3 Introduction In secret-key system -use a secure channel to transmit secret key. In public-key system -anyone has public key and private key.

4 ID-PKC(Identity-based public key cryptography)
Signer(ID) KGC “master”public key master-private key Require private-key Sign: σ=PH(ID)+H(M,…) Return master private-key(ID) Assume the KGC completely trusted!! Use ID and PKG’s public key to check Verifier

5 CL-PKC(Certificateless public key cryptography)
Signer(ID) Decide secret value and PK(use ) KGC master public key=mpk partial-private-key Require partial-private-key Sign: σ=PH(ID) H(M,…) Return partial-private-key(ID) the key escrow is resolved!! Use ID,correspounding PK and PKG’s mpk to verify Verifier

6 Certificateless signature
Outline of the Certificateless Signature Schemes Setup input: a security parameter output: a master-secret key msk, master- public key mpk,system parameters param. Partial-Private-Key-Extract input: ID,param,master-secret key msk,master-public key mpk output: partial private key Set-Secret-Value input: master-public key mpk,param. output: secret value

7 Set-Public-Key Sign Verify input: master-public key mpk, param,ID and
output: public key Sign input:mpk, param,ID, , and a message M. output: a certificateless signature Verify input:mpk, param,ID, and a message/signature(M/ ) output: true or false

8 Adversaries and Oracles
:replaces the user’s public key But not given this user’s partial private key :knows the master secret key but cannot replace the target user’s public key.

9 Create-User: Public-Key-Replace: input a query
to obtain , , adds to list L. Public-Key-Replace: input a query replaces user ‘s and updates the list L.(not required to provide to generate )

10 Secret-Value-Extract:
input a query ID,browses the list L and returns (to generate ID’s original public key But it can’t output the secret value associated with the )

11 Security Against a Normal Type I Adversary
Security Models Security Against a Normal Type I Adversary the attack scenarios as follows: obtain some pairs (using target user’s and ) The target user will keep and as secret. replace the target user’s and dupe any other third party to verify user’s signatures(using )

12 a signature scheme against a Normal Type I:
Phase1: challenger runs Setup and returns mpk,param to Phase2: can adaptively access all the oracles Partial-Private-Key-Extract:input a query ID, It browses the list L and returns Normal-Sign: input a query (ID,m). Output

13 Phase3: After all the queries, outputs a forgery
if the forgery satisfies the following requirements: has never submitted to the oracle Normal-Sign. has never submitted to Partial-Private-Key-Extract or Secret-Value-Extract. The success probability wins the games: Definition 1. secure against a Normal Type I adversary and is negligible.

14 Security Against a Strong Type I Adversary
see some pairs are generated by Sign using and the only difference:Strong-Sign. Phase1: challenger runs Setup and returns mpk,param to Phase2: access all the oracles Strong-Sign: input a query -if ,uses original secret value and output -Otherwise,use and to generate

15 Phase3: After all the queries, outputs a forgery .
Let be the current public key in the list L. if the forgery satisfies the following requirements: has never submitted to Strong-Sign. has never submitted to Partial-Private-Key-Extract. The success probability wins the games: Definition 2. secure against a StrongType I adversary and is negligible.

16 Security Against a Super Type I Adversary
obtain some , implies exists a black-box can extract from the public key chosen by (using and to sign). Phsae1: challenger runs Setup and returns mpk,param to Phase2: access all the oracles and Super-Sign oracle. Sign:input a query ,output if PKID=PKID,returned from Create-User ;otherwise,PKID=PK’ID submitted to Public-Key-Replace

17 Phase3:After all the queries, outputs a forgery
Let be the current public key in the list L. if the forgery satisfies the following requirements: has never submitted to Super-Sign. has never submitted to Partial-Private-Key-Extract. The success probability wins the games: Definition 3. secure against a SuperType I adversary and is negligible.

18 Type II Adversaries divided into: Normal(Normal-Sign), Strong(Strong-Sign) and Super(Super-Sign). Phase1:challenger runs Setup and returns mpk,param to Phase2: access all the oracles(Normal-Sign,…) Phase3: After all the queries, outputs a forgery if the forgery satisfies the following requirements: has never submitted to the sign oracle. has never submitted to the oracle Secret-Value-Extract.

19 Malicious but Passive KGC Attack
The success probability wins the games: Definition 4. secure against a Type II adversary and is negligible. Malicious but Passive KGC Attack the KGC holds the master secret key is assumed malicious(at the very beginning of the Setup.) KGC generate his master public/secret key pair maliciously.

20 Bilinear Groups and Security Assumptions
Our Proposed Schemes Bilinear Groups and Security Assumptions :an additive group of prime order :a multiplicative group of the same order. is a generator in Discrete Logarithm Problem: Given ,find Computational Diffie-Hellman Problem: Given elements in ,find

21 Scheme I against a Normal Type I adversary and Super Type II adversary. Setup: Let be be bilinear groups.( ) KGC sets system’s master public key , master secret key and publishes p ≥ 2k

22 Partial-Private-Key-Extract:Given user’s ID, KGC computes . .then set
Set-Secret-Value:user chooses a random number Set-Public-Key:Given user compute Sign: the user computes Verify:

23 Security Analysis of Scheme I
Theorem 1. Theorem 2.

24 Scheme II against a Super Type I and Type II adversary.
Sign:For a message ,the user computes - Verify: Given a pair and ,anyone check

25 Security Analysis of Scheme II
Theorem 1. Theorem 2.

26 Comparison

27

28 Conclusion The first scheme has the shortest signature length compared to any existing CLS schemes in the literature. The second scheme has lower operation cost but a little longer signature length, compared with another concrete scheme which has the similar security level.

29 Thank You !

Download ppt "Certificateless signature revisited"

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
11 Efficient and Secure Certificateless Authentication and Key Agreement Protocol for Hybrid P2P Network Authors: Z. B. Xu and Z. W. Li Source: The 2nd.

11 Efficient and Secure Certificateless Authentication and Key Agreement Protocol for Hybrid P2P Network Authors: Z. B. Xu and Z. W. Li Source: The 2nd.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.

1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Identity Based Encryption

Identity Based Encryption
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.

1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
Certificateless Authenticated Two-Party Key Agreement Protocols

Certificateless Authenticated Two-Party Key Agreement Protocols
Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group
Certificateless Threshold Ring Signature Source: Information Sciences 179(2009) 3685-3696 Author: Shuang Chang, Duncan S. Wong, Yi Mu, Zhenfeng Zhang Presenter:

Certificateless Threshold Ring Signature Source: Information Sciences 179(2009) Author: Shuang Chang, Duncan S. Wong, Yi Mu, Zhenfeng Zhang Presenter:
Improved Searchable Public Key Encryption with Designated Tester Author : Hyun Sook Rhee, Jong Hwan Park, Willy Susilo, Dong Hoon Lee Presenter: Li-Tzu.

Improved Searchable Public Key Encryption with Designated Tester Author : Hyun Sook Rhee, Jong Hwan Park, Willy Susilo, Dong Hoon Lee Presenter: Li-Tzu.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Similar presentations

Ads by Google