A Concrete Certificateless Signature Scheme without Pairings 2009

  • Slides: 12

Multimedia Network Security Laboratory (多媒體網路安全實驗室)
A Concrete Certificateless Signature Scheme without Pairings
2009 International Conference on Multimedia Information Networking and Security
Authors: Aijun Ge, Shaozhen Chen, Anna Lauks
Advisers: Prof. 鄭錦楸, Prof. 郭文中
Reporter: 林彥宏


Outline


INTRODUCTION
- Certificateless Public Key Cryptography. Al-Riyami, S. S., Paterson, K. G., ASIACRYPT 2003, LNCS vol. 2894.
  - goal: a public key system that does not use certificates
  - does not have the key escrow problem
  - a Key Generating Center (KGC) holds a master key
- Most certificateless cryptography schemes are based on bilinear mappings on elliptic curves
  - heavy computational cost


INTRODUCTION
- Certificateless Public Key Encryption without Pairing. Baek, J., Safavi-Naini, R., Susilo, ISC 2005, LNCS vol. 3650, pp. 134-148.
  - first scheme without bilinear mappings
- Strongly Secure Certificateless Public Key Encryption Without Pairing. Sun, Y. X., Zhang, F. T., Baek, CANS 2007, LNCS vol. 4856, pp. 194-208.
  - more computationally efficient
- In this paper, we present the first concrete efficient certificateless signature scheme without pairings, and prove its security in the random oracle model.


PRELIMINARIES
- Setup(k)
  - Input: security parameter k
  - Output: master secret key msk; master public key mpk; list of public system parameters params
- Partial-Key-Extract(params, ID, msk)
  - Input: user's identity ID
  - Output: partial private key D_ID; partial public key P_ID
- Set-Secret-Value(params, mpk)
  - Output: secret value s_ID


PRELIMINARIES
- Set-Public-Key(params, mpk, ID, P_ID, s_ID)
  - Output: public key PK_ID
- Set-Private-Key(params, D_ID, s_ID)
  - Output: private key SK_ID
- Sign(params, mpk, ID, SK_ID, m)
  - Output: certificateless signature σ
- Verify(params, mpk, ID, PK_ID, m, σ)
  - Correctness requirement: Verify(params, mpk, ID, PK_ID, m, Sign(params, mpk, ID, SK_ID, m)) = valid


PRELIMINARIES
- Type I: adversary A_I can replace any user's public key but does not have the partial private key
  - may obtain message/signature pairs that are valid under a public key chosen by itself
- Type II: adversary A_II simulates a dishonest KGC who knows the master secret key but is not allowed to replace the target user's public key
- Definition:
- The security of our certificateless signature scheme can be reduced to the hardness of the discrete logarithm problem.


THE PROPOSED SCHEME
- Setup
  - security parameter k
  - primes p, q, where p, q > 2^k and q | (p-1)
  - g: a generator of the subgroup G of Z_p* of order q
  - secret key x, public key y = g^x (mod p)
  - H1: {0,1}* × Z_p* → Z_q*
  - H2: {0,1}* × Z_p* → Z_q*
  - H3: {0,1}* × {0,1}* × (Z_p*)^4 × Z_q* × Z_p* → Z_q*
  - system parameters params = (p, q, g, G, y, H1, H2, H3)


THE PROPOSED SCHEME
- Partial-Key-Extract
  - user's identity ID
  - picks s0, s1 and computes p0 = g^{s0} (mod p) and p1 = g^{s1} (mod p)
  - d0 = s0 + x·H1(ID, p0) (mod q)
  - d1 = s1 + x·H2(ID, p0, p1) (mod q)
  - partial private key D_ID = d0, partial public key P_ID = (p0, p1, d1)
- Algorithms Setup and Partial-Key-Extract are executed by the KGC.
- The user checks g^{d0} = p0·y^{H1(ID, p0)} (mod p) and g^{d1} = p1·y^{H2(ID, p0, p1)} (mod p).


THE PROPOSED SCHEME
- Set-Secret-Value
  - pick z at random
  - set s_ID = z as the user's secret value
- Set-Private-Key
  - user's full private key SK_ID = (D_ID, s_ID) = (d0, z)
- Set-Public-Key
  - μ = g^z (mod p)
  - user's full public key PK_ID = (P_ID, μ) = (p0, p1, d1, μ)


THE PROPOSED SCHEME
- Sign
  - randomly selects r, r' and calculates c = g^r (mod p), c' = g^{r'} (mod p)
  - u = H3(m, ID, c, c', PK_ID)
  - calculates v = r − u·z (mod q) and w = r' − u·d0 (mod q)
  - the signature on the message m is σ = (u, v, w)
- Verify
  - check g^{d1} = p1·y^{H2(ID, p0, p1)} (mod p)
  - check u = H3(m, ID, g^v·μ^u, g^w·(p0·y^{H1(ID, p0)})^u, PK_ID)
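The whole scheme from Setup through Verify, as an added worked example written for this page; it is not the paper's or the presenters' code. It assumes constructed toy parameters (the safe prime p = 10007 with q = 5003, g chosen as a generator of the order-q subgroup), models H1, H2 and H3 as domain-separated SHA-256 reduced into Z_q* (the paper fixes only their domains and ranges), and uses constructed identity and message strings; all function names are this example's own. Besides a valid signature it shows the two checks a verifier relies on: the hash check rejecting a tampered message or a wrong identity, and the user-side partial-key check rejecting a partial public key the KGC did not issue.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption, not from the paper): safe prime p = 2q + 1,
# so q | (p - 1). A real deployment needs p, q > 2^k for a security parameter k
# of at least 128 bits; these small values only keep the arithmetic readable.
P = 10007
Q = 5003
# g generates the order-q subgroup G of Z_p*: any non-trivial (p-1)/q-th power does.
G = pow(2, (P - 1) // Q, P)
assert G != 1 and pow(G, Q, P) == 1


def _hash_to_zq(tag: bytes, *items) -> int:
    """Model H1/H2/H3 as domain-separated SHA-256 reduced into Z_q* (assumption:
    the tag and length-prefixed encoding are this example's choice so that
    different argument tuples never collide byte-for-byte)."""
    h = hashlib.sha256(tag)
    for item in items:
        data = item if isinstance(item, bytes) else str(item).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1  # value in [1, q-1]


def H1(ID, p0): return _hash_to_zq(b"H1", ID, p0)
def H2(ID, p0, p1): return _hash_to_zq(b"H2", ID, p0, p1)
def H3(m, ID, c, c2, pk): return _hash_to_zq(b"H3", m, ID, c, c2, *pk)


def rand_zq():
    """Uniform element of Z_q*."""
    return secrets.randbelow(Q - 1) + 1


def setup():
    """KGC: master secret key x and master public key y = g^x mod p."""
    x = rand_zq()
    return x, pow(G, x, P)


def partial_key_extract(ID, x):
    """KGC: partial private key D_ID = d0 and partial public key P_ID = (p0, p1, d1)."""
    s0, s1 = rand_zq(), rand_zq()
    p0, p1 = pow(G, s0, P), pow(G, s1, P)
    d0 = (s0 + x * H1(ID, p0)) % Q
    d1 = (s1 + x * H2(ID, p0, p1)) % Q
    return d0, (p0, p1, d1)


def check_partial_key(ID, y, d0, pid):
    """User-side check that the KGC's partial key is consistent with y."""
    p0, p1, d1 = pid
    ok0 = pow(G, d0, P) == p0 * pow(y, H1(ID, p0), P) % P
    ok1 = pow(G, d1, P) == p1 * pow(y, H2(ID, p0, p1), P) % P
    return ok0 and ok1


def set_keys(d0, pid):
    """Set-Secret-Value, Set-Private-Key and Set-Public-Key in one step."""
    z = rand_zq()                          # s_ID
    return (d0, z), (*pid, pow(G, z, P))   # SK_ID, PK_ID = (p0, p1, d1, mu)


def sign(m, ID, sk, pk):
    d0, z = sk
    r, r2 = rand_zq(), rand_zq()
    c, c2 = pow(G, r, P), pow(G, r2, P)
    u = H3(m, ID, c, c2, pk)
    v = (r - u * z) % Q
    w = (r2 - u * d0) % Q
    return u, v, w


def verify(m, ID, y, pk, sig):
    p0, p1, d1, mu = pk
    u, v, w = sig
    # First check: the KGC's d1 binds (p0, p1) to ID under the master public key y.
    if pow(G, d1, P) != p1 * pow(y, H2(ID, p0, p1), P) % P:
        return False
    # Recover c and c' from the signature; this works only if the signer knew z and d0.
    c = pow(G, v, P) * pow(mu, u, P) % P
    gd0 = p0 * pow(y, H1(ID, p0), P) % P   # equals g^{d0} by the Partial-Key-Extract check
    c2 = pow(G, w, P) * pow(gd0, u, P) % P
    return u == H3(m, ID, c, c2, pk)


def demo():
    """Run the whole flow once and return the verification outcomes."""
    x, y = setup()
    ID = b"alice@example.org"              # constructed identity
    d0, pid = partial_key_extract(ID, x)
    if not check_partial_key(ID, y, d0, pid):
        raise ValueError("KGC returned an inconsistent partial key")
    sk, pk = set_keys(d0, pid)
    m = b"transfer 10 units"               # constructed message
    sig = sign(m, ID, sk, pk)
    p0, p1, d1 = pid
    forged_pid = (p0, p1 * G % P, d1)      # p1 altered without the KGC's involvement
    return {
        "valid": verify(m, ID, y, pk, sig),
        "tampered_message": verify(b"transfer 100 units", ID, y, pk, sig),
        "wrong_identity": verify(m, b"bob@example.org", y, pk, sig),
        "forged_partial_key": check_partial_key(ID, y, d0, forged_pid),
    }


if __name__ == "__main__":
    print(demo())
```

Why the second Verify check recovers exactly the signer's commitments: g^v·μ^u = g^{r − u·z}·g^{z·u} = g^r = c, and g^w·(p0·y^{H1(ID, p0)})^u = g^{r' − u·d0}·(g^{d0})^u = g^{r'} = c', using g^{d0} = p0·y^{H1(ID, p0)} from Partial-Key-Extract. So a verifier that recomputes H3 over the recovered c, c' obtains u again only when the (v, w) pair was formed with the real z and d0. Each rejection in `demo` is a hash or group equation that a forger can only satisfy by chance (about 1/q, which is why q must be large in practice).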