1. 1 Identity-Based Proxy Signature from Pairings Source: Autonomic and Trusted Computing Author: Wei Wu, Yi Mu, Willy Susilo, Jennifer Seberry, and Xinyi Huang Presenter : 林志鴻

2. 2 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

3. 3 Introduction  There are three type of proxy signatures: full delegation, partial delegation, and delegation by warrant.

4. 4 Introduction (cont.) 1.Full delegation 2.Partial delegation 3.Delegation by warrant  Proxy-unprotected scheme  Proxy-protected scheme Alice Bob 1.SK of Alice 2.PPK 3.delegation

5. 5 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

6. 6 Preliminaries  Bilinear Pairing  Compurarional Diffie-Hellman

7. 7 Bilinear Pairing  e : G × G → V  Bilinearity  Non-degeneracy  Computability

8. 8 Compurarional Diffie-Hellman  CDH problem on G ︰ given P, aP, bP ∈ G compute abP

9. 9 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

10. 10 Proposed Scheme  ParaGen  KeyEtract  StandardSign  StandardVer  DelegationGen  PorxySign  PorxyVer

11. 11 Proposed Scheme (cont.)  ParaGen: 設定 L 為安全參數 G 1 and G T ( 由 P 產生 prime order q > 2 L ) CDH is hard in G 1 e : G 1 × G 1 → G T 隨機選取 master key s ∈ Z ∗ q 並設定 P pub = sP 使用 hash functions H 0,H 1,H 2 : {0, 1} ∗ → G 1 Para ={L, G 1, G T, q,e,P, P pub, H 0,H 1,H 2 }

12. 12 Proposed Scheme (cont.)  KeyEtract: 給一使用者 ID, 計算 H 0 (ID) ∈ G 1 及 sk ID = sH 0 (ID)  StandardSign: 對訊息 M 簽章 1. 隨機選取 r ∈ Z ∗ q 2. 計算 σ s =( sk ID + rH 1 (M), rP)  StandardVer: 驗證等式 e(σ s, P) = e(H 0 (ID), P pub )e(H 1 (M), rP)

13. 13 Proposed Scheme (cont.)  DelegationGen: W= warrant signed by Alice to delegate signing rights to Bob ID A, ID B = ID of Alice and Bob 隨機選取 r A ∈ Z ∗ q σ W = (sk ID A + r A H 1 (W,ID A,ID B ),r A P) ID A ID B σ W +Warrant W

14. 14 Proposed Scheme (cont.)  PorxySign: B 對訊息 M 用 A 的授權簽章 隨機選取 r B ∈ Z ∗ q 計算 σ = (σ 1, σ 2, σ 3 ) σ 1 = sk ID A + r A H 1 (W,ID A,ID B ) + sk ID B + r B H 2 (M,W,ID A,ID B ) σ 2 = r A P σ 3 = r B P

15. 15 Proposed Scheme (cont.)  PorxyVer : 取 (ID A, ID B ), W, M, σ 代入下式 e(σ 1, P)=e(H 0 (ID A ), P pub )e(H 0 (ID B ), P pub ) e(H 1 (W,ID A,ID B ), σ 2 )e(H 2 (M,W,ID A,ID B ), σ 3 )

16. 16 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

17. 17 Efficiency Analysis  Compare with Xu et al. ’ s scheme SchemeSignature Length Pairings in Verification exp. in G2 (a)Xu et al. ’ s scheme 3|G1|4(2 can be precomputed) 1 (b)this paper ’ s scheme 3|G1|4(2 can be precomputed) 0 (a) (b)

18. 18 Outline  Introduction  Preliminaries  The Proposed Scheme  Efficiency Analysis  Conclusion

19. 19 Conclusion  本篇改善了 Xu 等人所提出的 ID-based 代 理簽章的安全模組讓攻擊者在 oracle accessing 時表現的更有適應性  本篇所提出的方法減少運算成本因此能力 比現存的其他方法好