Published by Alexia Black. Modified over 9 years ago.
1
A new provably secure certificateless short signature scheme
Authors: K.Y. Choi, J.H. Park, D.H. Lee
Source: Comput. Math. Appl. (IF: 1.472), Vol. 61, 2011, pp. 1760-1768
Presenter: Yu-Chi Chen
2
Outline
– Introduction
– Certificateless signatures
– Shim’s attack
– The improved scheme
– Conclusions
3
Introduction
Identity-based cryptography
– No CA is needed to manage certificates of public keys.
– The private key generator (PKG) knows everyone’s full private key; this is known as the key escrow problem.
Certificateless cryptography
– Solves the key escrow problem.
– The key generation center (KGC) cannot have everyone’s full private key.
4
Certificateless signatures
A CLS scheme usually consists of the following algorithms.
– Setup
– Partial private key extract
– Set public key
– Set secret value
– Sign
– Verify
5
Security model
Two types of adversaries - Existential Unforgeability
– Type 1 adversary: An outsider
  – Can replace public key
  – Cannot access the system master key
– Type 2 adversary: The KGC
  – Cannot replace public key
  – Can access the system master key
6
Type 1 adversary
Setup.
Attack.
– Partial-private-key queries
– Public key queries
– Secret value queries
– Public key replacement
– Sign queries
Forgery. A forged signature of
Win the game if the conditions hold.
– The forged signature is valid.
– The partial-private-key and the forged signature have never been queried.
– The public key has never been replaced.
7
Type 2 adversary
Setup.
Attack.
– Partial-private-key queries
– Public key queries
– Secret value queries
– Public key replacement
– Sign queries
Forgery. A forged signature of
Win the game if the conditions hold.
– The forged signature is valid.
– The secret value and the forged signature have never been queried.
8
Remark on security models
Several different security models have been presented. In particular, Huang et al. classify different levels of adversaries according to their abilities.
– Normal Type 1 adversary
– Strong Type 1 adversary
– Super Type 1 adversary
– …
9
Outline
– Introduction
– Certificateless signatures
– Shim’s attack
– The improved scheme
– Conclusions
10
Shim’s attack
1. An adversary (Type 1), A, first sets a secret value of ID, r*, and then he computes the corresponding public key pk*.
2. He replaces the public key of ID with pk*.
3. He queries a signature of (M, ID, pk*).
4. Finally, he can recover the partial-private-key by the signature of (M, ID, pk*) and the secret value r*.
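The algebra behind step 4, as an added example that is not taken from the slides or the paper. It assumes a signature of the form σ = (r + h)⁻¹·D, which the slides do not state, and replaces the pairing group G_1 with integers modulo a prime, so every function name here is hypothetical and the toy has no security of its own.

```python
# Added illustration: toy algebra only, not the scheme from the paper.
import hashlib
import secrets

Q = 2**127 - 1  # prime "group order" (constructed); Z_Q under addition stands in for G_1
P = 1           # stand-in generator; discrete logs are trivial here by design


def h(tag, *parts):
    """Hash arbitrary fields into Z_Q (stand-in for the scheme's hash functions)."""
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def partial_private_key(s, ident):
    """KGC side: D = s * H1(ID), a single-component partial private key."""
    return s * h("H1", ident) % Q


def sign(D, r, msg, ident, pk):
    """Assumed signature form: sigma = (r + H2(m, ID, pk))^-1 * D."""
    k = (r + h("H2", msg, ident, pk)) % Q
    if k == 0:
        raise ValueError("r + h is not invertible; choose another secret value")
    return pow(k, -1, Q) * D % Q


def recover_partial_key(sigma, r_star, msg, ident, pk_star):
    """Step 4: whoever knows r* can undo the inverse, since D = (r* + h) * sigma."""
    k = (r_star + h("H2", msg, ident, pk_star)) % Q
    return k * sigma % Q


def run_game(ident="alice", msg="M"):
    s = secrets.randbelow(Q - 1) + 1           # master key, never shown to the adversary
    D = partial_private_key(s, ident)          # held by the KGC and the user only
    r_star = secrets.randbelow(Q - 1) + 1      # step 1: adversary picks the secret value
    pk_star = r_star * P % Q                   # ... and the matching public key
    # Step 2: pk* replaces the user's public key.
    # Step 3: the sign oracle answers with a signature valid under pk*.
    sigma = sign(D, r_star, msg, ident, pk_star)
    return recover_partial_key(sigma, r_star, msg, ident, pk_star) == D


if __name__ == "__main__":
    print("partial private key recovered:", run_game())
```

The only secret masking D in the returned signature is the value the requester chose, which is why a sign oracle that answers under replaced public keys must be covered by the security model.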
11
Outline
– Introduction
– Certificateless signatures
– Shim’s attack
– The improved scheme
– Conclusions
12
The proposed scheme
Setup
– Bilinear map: with order q, and P is the generator of G_1.
– Master key:
– Master public key:
– Hash functions:
13
The proposed scheme
Partial-private-key-extract.
– User A with ID_A can obtain the partial-private-key
Set secret value.
– User A with ID_A chooses as his secret value.
Set public key.
– His public key
14
Sign. input:
1. Set
2. Compute
3. Return σ as the signature of m.
Verify.
1. Compute
2. Check
15
Security analysis
– Our short certificateless signature scheme is existentially unforgeable against a super Type I adversary in the random oracle model under the CDH assumption.
– Our short certificateless signature scheme is existentially unforgeable against a super Type II adversary in the random oracle model under the CDH assumption.
16
Outline
– Introduction
– Certificateless signatures
– Shim’s attack
– The improved scheme
– Conclusions
17
Choi et al. introduce an improved scheme that withstands Shim’s attack. The major inspiration is the two components of the partial-private-key. This scheme is existentially unforgeable under the CDH assumption against super Type I and super Type II adversaries, respectively.