Presentation is loading. Please wait.

Presentation is loading. Please wait.

A New Provably Secure Certificateless Signature Scheme Date:2010.3.16 Reporter:Chien-Wen Huang 出處 :2008 IEEE International Conference on Communications.

Published bySuzanna Poole Modified over 8 years ago

Similar presentations

Presentation on theme: "A New Provably Secure Certificateless Signature Scheme Date:2010.3.16 Reporter:Chien-Wen Huang 出處 :2008 IEEE International Conference on Communications."— Presentation transcript:

1 A New Provably Secure Certificateless Signature Scheme Date:2010.3.16 Reporter:Chien-Wen Huang 出處 :2008 IEEE International Conference on Communications (ICC 2008),vol.4 1

2 Outline 1. INTRODUCTION 2. PERLIMINARIES 3. OUR CERTIFICATELESS SIGNATURE SCHEME 4. SECURITY PROOF 5. CONCLUSIONS 2

3 INTRODUCTION Identity-based public key cryptography(ID-PKC) ◦ was first introduced by Shamir in 1984. ◦ Have the key escrow problem. Certificateless public key cryptography(CL-PKC) ◦ Al-Riyami et al.“Certificateless public key cryptography. ”Asiacrypt2003,LNCS. ◦ Huang et al.[9]“Certificateless signature revisited. ”ACISP 2007, LNCS. X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu. Certificateless signature revisited. ACISP 2007, LNCS, vol. 4586, pages 308-322, Springer-Verlag, 2007. ◦ Zhang et al.[17]“Certificateless public-key signature: security model and efficient construction.”ACNS 2006, LNCS. 3

4 INTRODUCTION Related Works ◦ Type I/II Adversary- Normal: under the original public key from the target signer. Strong: under the replaced public key.(supply the secret value corresponding to the replaced public key) 4

5 INTRODUCTION Super:under the public key chosen by himself without supplying the secret value corresponding to the public key. ◦ there are only a few CLS schemes secure[9],[17] against a super type I/II adversary. 5

6 INTRODUCTION Our Contribution: ◦ the CLS(certificateless signature) scheme requires only two pairing operations. ◦ The signature length of new scheme is 2/3 of Huang et al’s scheme. ◦ super Type I/II adversary- proved secure in the strongest security model of CLS. 6

7 PERLIMINARIES A. Bilinear Maps ◦ Let G 1 be an additive group of prime order q. ◦ Let G 2 be a multiplicative group of the same order. ◦ 1.Bilinear: 2.Non-degeneracy: 3.Computable: There exists an efficient algorithm to compute 7

8 PERLIMINARIES B. Framework of Certificateless Signature Schemes ◦ Setup input: a security parameter output: a master-key,system parameters params. ◦ Partial-Private-Key-Extract input: ID,params,master-key output: user’s partial private key. ◦ Set-Secret-Value input: ID,params output: user’s secret value 8

9 PERLIMINARIES ◦ Set-Public-Key input: ID,params, output: public key ◦ Sign accepts(params,,ID,,, )to produce a signature on message. ◦ Verify (,,params,ID, ) if the signature is valid or not. 9

10 PERLIMINARIES C.Adversarial Model of Certificateless Signature Schemes ◦ the following two games between a challenger C and an adversary A I or A II. Game 1 (for Type I Adversary) Setup:C runs the Setup algorithm 1.Input: a security parameter 2.obtain:a master-key,system parameters params 10

11 PERLIMINARIES Attack: Partial-Private-Key Queries PPK( ) A I request: the partial private key of any user’s identity C output: the partial private key Public-Key Queries PK( ) A I request: the public key of a user’s identity C output: the public key Secret-Value Queries SV( ) A I request:the secret value of a user’s identity C output:the secret value (if PK replaced,output ) ⊥ 11

12 PERLIMINARIES Public-Key-Replacement Queries PKR(, ) A I can choose a new public key as the public key of this user.C will record this replacement. Sign Queries S( ) On receiving a query S( ),C generates a signature (A I need not supply the secret value) Forgery: A I outputs 1. is a valid signature on under and 2. A I has never requested the Partial-Private-Key(of user’s ) 3. S( )has never been submitted 12 WIN!!

13 PERLIMINARIES Game 2 (for Type II Adversary ) Setup:C runs the Setup algorithm 1.Input: a security parameter 2.obtain:a master-key,system parameters params Attack: Public-Key Queries PK( ) A II request: the public key of a user’s identity C output: the public key Secret-Value Queries SV( ) A II choose a user and request the secret value C output:the secret value (if PK replaced,output ) 13 ⊥

14 PERLIMINARIES Public-Key-Replacement Queries PKR(, ) A II can choose a new public key as the public key of this user. Sign Queries S( ) On receiving a query S( ),C replies a signature (A II need not supply the secret value) Forgery: A II outputs 1. is a valid signature on under and 2. A II has never requested the Secret-Value (of user’s ) 3. A II has not requested PKR query on 4. S( )has never been queried 14 WIN!!

15 OUR CERTIFICATELESS SIGNATURE SCHEME A. An Efficient Construction ◦ Setup 1.Given a security parameter, 2.chooses a master-key and set 3.,, 4.params=, ◦ Partial-Private-Key-Extract 1.input: params,master-key, Computes 2.Outputs:users partial private key 15

16 OUR CERTIFICATELESS SIGNATURE SCHEME ◦ Set-Secret-Value input: params, output: as the users secret value. ◦ Set-Public-Key input: params,, output: the user’s public key ◦ Sign input: 1.Choose a random,compute 2.Compute 3.Compute 4.Output on. 16

17 OUR CERTIFICATELESS SIGNATURE SCHEME ◦ Verify To verify a signature on a message for an identity and public key. 1.Compute, 2. Verify 17

18 OUR CERTIFICATELESS SIGNATURE SCHEME B. Comparison P: pairing operation. S: a scalar multiplication in G 1. H: a MapToPoint hash operation. E: an exponentiation in G 2. SL:signature length. PKL:signature length. P 1 :the length of a point in G 1. Z 1 :the length of a point in 18

19 SECURITY PROOF Theorem :unforgeable against a super typeI/II adversary in the random oracle model(CDH problem is intractable.) TypeI proof: Let C be a CDH attacker who receives a random instance (P,aP,bP) and to compute the value of abP.( C can use A I to solve the CDH problem.) C sets P T = aP,selects params=(G 1,G 2, e, P, P T,H 1,H 2,H 3 ) to A I. H 1 Queries:A I can make at most qH1 times H 1 queries,C chooses J ∈ [1,q H1 ].C maintains an initially empty list H 1 of tuples(ID j, α j,Q j ).On receiving a new query H 1 (ID i ||P), 1) If i = J, set Q i = bP,add(ID i, ⊥,Q i )to H 1 and return Q i as answer. 2) Otherwise,pick at random,set,add (ID i, α i,Q i )to H 1 and return Q i as answer. 19

20 H 2 Queries: C keeps an initially empty list H 2 of tuples( ).A I issues a query( )to H 2,If the query is new,C selects a random adds( )to H 2 and returns as answer. H 3 Queries: A I issues a query( )to H 3,for a new query,C selects a random adds( )to H 2 and returns as answer. Partial-Private-Key Queries: C keeps an initially empty list K of tuples( ).Whenever A I issues a query PPK( ).If the query is new,C does the following. 1) If,abort. 2) Else if there’s a tuple( ) on K a)If( )on H 1,set and return as answer. b)Otherwise,first make an H 1 query on(ID i ||P), to generate( ), then set and return as answer. 20

21 3) Otherwise,do the following. a)If a tuple( ) on H 1,compute,set,return as answer and add ( )to K. b)Else,generate the tuple( )to simulates the random oracle H 1,after the same way as a). Public-Key Queries: receiving a query PK(ID i ),the current public key from K will be given.Otherwise,C does as follows. 1) If a tuple ( )on K,choose,compute,return as answer and update to ( ). 2) Otherwise,choose,set, and add the tuple to K. 21

22 Secret-Value Queries:receiving a query SV( ),if the public key has been replaced,C returns.Otherwise,if a tuple( )on K,C returns as answer;else,C first makes PK( ) then returns as answer. Public-Key-Replacement Queries: A I choose a new public key for the user’s identity( ).On receiving a query PKR(, ),C first finds the tuple( ) on K,then C updates to. Sign Queries: On receive a Sign query S( ), denotes the public key chosen by A I,C generates the signature as follows. 1) Choose,set 2) Set, 3) Compute and output 22

23 Forgery: Finally, AI returns a successful forgery If,C aborts. Type II proof: Let C be a CDH attacker who receives a random instance (P,aP,bP) and to compute the value of abP.( C can use A I to solve the CDH problem.) C sets P T = aP,selects params=(G 1,G 2, e, P, P T,H 1,H 2,H 3 ) to A I. Public-Key Queries:C keeps an initially empty list K of tuples(ID j,x j,P j ) For a new query,if,C return as answer and adds to K ;else,C picks,compute add to K and return. 23

24 Secret-Value Queries: On receiving a query SV( ), if the public key of has been replaced, C returns ⊥ ; otherwise, if, C aborts; else if a tuple on K, C returns as answer; else, C first makes PK( ), then recovers the tuple from K, returns. Public-Key-Replacement Queries: A II can choose a new public key for the user’s identity.On receiving a query PKR( ) if, C aborts; otherwise, C finds the tuple on K and updates to. 24

25 CONCLUSIONS Only two pairing operations are required in signing and verification. It is more efficient than the other CLS schemes achieving the same security level. 25

Download ppt "A New Provably Secure Certificateless Signature Scheme Date:2010.3.16 Reporter:Chien-Wen Huang 出處 :2008 IEEE International Conference on Communications."

Similar presentations

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Hybrid Signcryption with Insider Security Alexander W. Dent.

Hybrid Signcryption with Insider Security Alexander W. Dent.
Server-Aided Verification : Theory and Practice Source: ASIACRYPT 2005, LNCS 3788, pp. 605-623 Author: Marc Girault and David Lefranc Presenter: Chun-Yen.

Server-Aided Verification : Theory and Practice Source: ASIACRYPT 2005, LNCS 3788, pp Author: Marc Girault and David Lefranc Presenter: Chun-Yen.
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.

1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.
Identity Based Encryption

Identity Based Encryption
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
Certificateless Authenticated Two-Party Key Agreement Protocols

Certificateless Authenticated Two-Party Key Agreement Protocols
Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group
1 Secure Indexes Author : Eu-Jin Goh Presented by Yi Cheng Lin.

1 Secure Indexes Author : Eu-Jin Goh Presented by Yi Cheng Lin.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Certificateless Threshold Ring Signature Source: Information Sciences 179(2009) 3685-3696 Author: Shuang Chang, Duncan S. Wong, Yi Mu, Zhenfeng Zhang Presenter:

Certificateless Threshold Ring Signature Source: Information Sciences 179(2009) Author: Shuang Chang, Duncan S. Wong, Yi Mu, Zhenfeng Zhang Presenter:
Identity Base Threshold Proxy Signature Jing Xu, Zhenfeng Zhang, and Dengguo Feng Form eprint Presented by 魏聲尊.

Identity Base Threshold Proxy Signature Jing Xu, Zhenfeng Zhang, and Dengguo Feng Form eprint Presented by 魏聲尊.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Hybrid Signcryption with Outsider Security

Hybrid Signcryption with Outsider Security
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
1 A new certificateless aggregate signature scheme Computer communications 32(2009) 1079- 1085 Author: Lei Zhang, Futai Zhang Presenter: 紀汶承.

1 A new certificateless aggregate signature scheme Computer communications 32(2009) Author: Lei Zhang, Futai Zhang Presenter: 紀汶承.

Similar presentations

Ads by Google