Multimedia Network Security Laboratory
Certificateless multi-proxy signature
Date: 2011/04/08  Presenter: 向峻霈
Source: Zhengping Jin, Qiaoyan Wen: Computer Communications, pp. 344-352, 2011

Outline
1. Introduction
2. Definition of certificateless multi-proxy signature schemes
3. Security model
4. A certificateless multi-proxy signature scheme
5. Conclusion

Introduction
The concept of proxy signature was first introduced by Mambo.
[Diagram: Original signer, Proxy signer, Signature]

Introduction
Hwang and Shi
[Diagram: Original signer; Proxy signer A, Proxy signer B, Proxy signer C; Signature]

Introduction
The concept of identity-based cryptography was first introduced by Shamir in 1984.
[Diagram: User, identity, Public key, Private key; identities with a master key]

Introduction
IBC internal problem: key management problem
[Diagram: Master key, PKGs, identities]

Introduction
Certificateless public key cryptography (CLPKC)
One component is the partial private key generated by the PKG with the master key.
Another component is the secret value chosen by the user himself.
The public key derived from the user's secret value should also be published.

Formal model of certificateless multi-proxy signature schemes
Definition of certificateless multi-proxy signature schemes
Security model

Definition of certificateless multi-proxy signature schemes
Setup: input k; output master key s and system parameters params
Partial-Private-Key-Extract: input IDi (public) and s (secret), with identity verification; output Di
User-Key-Generate: input IDi and xi (random); output for the user: full private key ski and public key Pi

Definition of certificateless multi-proxy signature schemes
Sign: m, IDi, Pi (user)
Verify
Proxy-Key-Generate: IDos, IDps1, IDps2, ..., IDpsn, skpsi, ..., skpsn; output PSKi (each proxy signer)

Definition of certificateless multi-proxy signature schemes
Multi-Proxy-Sign: m (must satisfy w), with the multi-proxy signature secret keys PSKi; output mps on behalf of the original signer
Multi-Proxy-Verify: mps, OS; Reject

Security model
For certificateless cryptosystems, the widely accepted notion of security was defined by Al-Riyami and Paterson.
Type I Adversary
Type II Adversary

Security model
[Diagram: Public key, Master key; replace]

Security model
[Diagram: Public key, Master key; cannot perform; has permission to access]

Security model-game1
Setup. Taking a security parameter k as input, C runs the Setup algorithm to obtain a master key s and the system parameters params. Then C sends params to A1, but keeps s secret.
Queries. A1 makes a polynomially bounded number of the following queries in an adaptive manner.
[Diagram: A1, C]

Security model-game1
Public-Key-Inquiry: A1 submits a public key request with a user's identity IDi to C; C returns the public key Pi.
Public-Key-Replacement: A1 sends C a public key Pi' for the public key Pi; C records it.

Security model-game1
Partial-Private-Key-Extraction: A1 submits a partial private key request with a user's identity IDi; C returns the partial private key Di.
Secret-Value-Extraction: A1 submits IDi; C checks whether the public key has been replaced (yes / no); secret value xi.

Security model-game1
Delegation: This query can be divided into two cases.

Security model-game1
Case 1: when A1 chooses the original signer (C is regarded as the proxy signers).
A1 sends C a delegator's request with a warrant w.
[Diagram: C, Proxy-Key-Generate (run, access), (w, PSKi), Warrp]

Security model-game1
Case 2: when A1 chooses the proxy signers (C is regarded as the original signer).
[Diagram: A1, C, IDPSi, Proxy-Key-Generate (run, send), w, PSKi, Warro]

Security model-game1
Multi-Proxy-Signing-Query: A1 submits to C a warrant w and a message m of his choice. C checks:
1. whether PSKi exists
2. whether m satisfies w
3. whether the public keys of all proxy users and the original signer have been replaced (yes / no)
Output: MPS

Security model-game1
Forgery. Eventually, A1 outputs a forgery and wins the game if any of the following events occurs:

Security model-game1
E1: [Diagram: A1 forged * on m*; * and Signing-Query; where for ID*: Partial-Private-Key-Extract; Secret-Value-Extraction query or Public-Key-Replacement query; has not been submitted]

Security model-game1
E2: To work against one of the proxy signers
[Diagram: A1 forged MPS* on m*; proxy signers under the warrant w*; MPS* and Multi-Proxy-Signing-Query]

Security model-game1
E3: To work against the original signer
[Diagram: A1 forged MPS* on m*; multi-proxy signature under the warrant w*; Warro, w*]
The advantage Adv of A1 is defined to be the probability that A1 succeeds in the above Game 1.

Security model-game2
Setup. Taking a security parameter k as input, AII runs the Setup algorithm to obtain a master key s and the system parameters params. Then AII sends both params and s to C. It is noted that the system parameters are chosen by AII.
[Diagram: AII, C; s, params]

Security model-game2
Forgery. Eventually, AII outputs a forgery and wins the game if any of the following events occurs:

Security model-game2
E1: [Diagram: AII forged * on m*; * and Signing-Query; where for ID* the Secret-Value-Extraction query has not been submitted]

Security model-game2
E2: To work against one of the proxy signers
[Diagram: AII forged MPS* on m*; proxy signers under the warrant w*; MPS* and Multi-Proxy-Signing-Query]

Security model-game2
E3: To work against the original signer
[Diagram: AII forged MPS* on m*; multi-proxy signature under the warrant w*; Warro, w*]
The advantage Adv of AII is defined to be the probability that AII succeeds in the above Game 2.

Security model
Definition 1.
An adversary A is said to be an -forger of a CLMPS scheme if A has advantage or in the above games running in time t.
A CLMPS scheme is said to be existentially unforgeable or -secure against adaptively chosen warrant attacks and chosen message and identity attacks if no such -forger exists, where is non-negligible and t is a polynomially bounded number.
[Formula residue: ( , t) and the advantage terms Adv for AI and AII]

A certificateless multi-proxy signature scheme
The CLMPS scheme is based upon Zhang and Zhang's certificateless aggregate signature scheme.
Setup
Partial-Private-Key-Extract
User-Key-Generate
Sign
Verify
Proxy-Key-Generate
Multi-Proxy-Sign
Multi-Proxy-Verify

A certificateless multi-proxy signature scheme
Setup: Given a security parameter k, the PKG does as follows:
Choose groups G and GT of prime order q such that an admissible bilinear pairing e: G × G → GT can be constructed, and pick an arbitrary generator P of G.
Choose a random number s ∈ Zp* as the master key msk and set Q = sP as the master public key.
Choose six different cryptographic hash functions H1~H3: {0,1}* → G and H4~H6: {0,1}* → Zp*.
Publish the system parameters params = (G, GT, e, P, Q, H1~6) while keeping the master key msk = s secret.

A certificateless multi-proxy signature scheme
Partial-Private-Key-Extract: for the identity IDi, the PKG computes Di = sH1(IDi) and sends it to the corresponding user through a safe channel.
User-Key-Generate: the user with identity IDi selects a random number xi ∈ Zp*, sets Pi = xiP as his public key, and takes (xi, Di) as his secret key ski.

A certificateless multi-proxy signature scheme
Sign: To sign a message m ∈ {0,1}* with ski = (xi, Di), the signer, whose identity is IDi and public key is Pi, performs the following steps:
1. Choose a random number r ∈ Zp* and compute R = rP.
2. Compute W = H2(params), T = H3(Q), h = H4(params||m||IDi||Pi||R).
3. Compute V = hDi + xiW + rT.
4. Output (R, V) as the signature on m.

A certificateless multi-proxy signature scheme
Verify: To verify a signature (R, V) signed on m by the user whose identity and public key are IDi and Pi respectively, the verifier checks whether
e(V, P) = e(hH1(IDi), Q)e(W, Pi)e(T, R)
where W = H2(params), T = H3(Q), h = H4(params||m||IDi||Pi||R).

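Why an honestly generated signature passes this check, written out as an added derivation that is not on the original slides. It uses only the definitions above ($D_i = sH_1(ID_i)$, $P_i = x_iP$, $R = rP$, $Q = sP$) and the bilinearity of $e$:

$$
\begin{aligned}
e(V, P) &= e(hD_i + x_iW + rT,\; P) \\
        &= e(h\,sH_1(ID_i),\, P)\; e(x_iW,\, P)\; e(rT,\, P) \\
        &= e(hH_1(ID_i),\, sP)\; e(W,\, x_iP)\; e(T,\, rP) \\
        &= e(hH_1(ID_i),\, Q)\; e(W,\, P_i)\; e(T,\, R).
\end{aligned}
$$

Each factor binds one secret: the first needs the partial private key issued by the PKG, the second the user's secret value $x_i$, and the third the per-signature randomness $r$.
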
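A certificateless multi-proxy signature scheme
Proxy-Key-Generate (1/2): Delegation generation
The original signer OS (IDOS, POS) makes a warrant w for the proxy signers. The warrant must be complied with and states:
1. the proxy signers
2. the original signer
3. the type of messages delegated
4. when the delegation is granted
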
A certificateless multi-proxy signature scheme
Proxy-Key-Generate (2/2): Delegation generation
1. Choose a random number r0 and compute R0 = r0P.
2. Compute h0 = H5(params||w||IDOS||POS||R0), W = H2(params), T = H3(Q) and V0 = h0DOS + xOSW + r0T.
Send (w, R0, V0) to each proxy signer PSi, i = 1, 2, ..., n.

A certificateless multi-proxy signature scheme
Proxy-Key-Generate: Delegation verification
Each proxy signer verifies (w, R0, V0) by checking e(V0, P) = e(h0H1(IDOS), Q)e(W, POS)e(T, R0), where h0 = H5(params||w||IDOS||POS||R0), W = H2(params), T = H3(Q).
[Diagram: original signer sends (w, R0, V0) to the proxy signer; 1. requests a valid one from OS, 2. terminates the protocol, 3. success]

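The Sign/Verify equations and the delegation check above, exercised in an added toy model that is not code from the paper or the slides: a point aP is stored as the scalar a and e(aP, bP) as ab mod q, so the algebra can be run but nothing here is secure. The modulus, the SHA-256 stand-ins for H1 to H5, the use of Q in place of params, and the warrant string are assumptions.

```python
import hashlib
import secrets

# Toy "exponent" model (assumption, insecure): the point aP is stored as the
# scalar a, and the pairing value e(aP, bP) as a*b mod q, so products in GT
# become sums. Discrete logs are in the clear; this only checks the algebra.
ORDER = 2**127 - 1      # prime group order, constructed for the example
P = 1                   # generator P

def pair(a, b):
    return a * b % ORDER

def H(tag, *parts):     # H1..H5 stand-ins: domain-separated SHA-256 to a scalar
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

def rand():
    return secrets.randbelow(ORDER - 1) + 1

def setup():            # master key s, master public key Q = sP
    s = rand()
    return s, s * P % ORDER

def keygen(s, ident):   # PKG gives D = s*H1(ID); the user picks x, publishes xP
    x = rand()
    return (x, s * H("H1", ident) % ORDER), x * P % ORDER

def sign(Q, sk, ident, pk, msg, tag="H4"):   # tag="H5" signs a warrant
    x, D = sk
    r = rand()
    R = r * P % ORDER
    W, T, h = H("H2", Q), H("H3", Q), H(tag, Q, msg, ident, pk, R)
    return R, (h * D + x * W + r * T) % ORDER

def verify(Q, ident, pk, msg, sig, tag="H4"):
    R, V = sig
    W, T, h = H("H2", Q), H("H3", Q), H(tag, Q, msg, ident, pk, R)
    rhs = pair(h * H("H1", ident) % ORDER, Q) + pair(W, pk) + pair(T, R)
    return pair(V, P) == rhs % ORDER

def delegation_demo():
    s, Q = setup()
    sk_os, pk_os = keygen(s, "OS")
    w = "OS delegates PS1,PS2; type=invoices; from=2011-04-08"  # constructed
    d = sign(Q, sk_os, "OS", pk_os, w, "H5")              # (R0, V0)
    return (verify(Q, "OS", pk_os, w, d, "H5"),           # honest delegation
            verify(Q, "OS", pk_os, w + ",PS3", d, "H5"),  # warrant edited
            verify(Q, "OS", rand(), w, d, "H5"),          # public key swapped
            verify(Q, "OS", pk_os, w, d, "H4"))           # reused as message sig
```

Because h0 is computed with H5 over the warrant, the identity, the public key and R0, a proxy signer rejects (w, R0, V0) if any of those is changed, and a delegation cannot be replayed as an ordinary H4 signature.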
A certificateless multi-proxy signature scheme
Proxy-Key-Generate: Proxy secret key generation
If all proxy signers PSi confirm the delegation, each PSi sets PSKi = (skpsi, R0, V0) as his multi-proxy signature secret key.

A certificateless multi-proxy signature scheme
Multi-Proxy-Sign

A certificateless multi-proxy signature scheme
Multi-Proxy-Sign

A certificateless multi-proxy signature scheme
Multi-Proxy-Verify

Conclusions
We have defined the generic construction and the formal security model for CLMPS.
A concrete CLMPS scheme which is proven to be secure under the computational Diffie–Hellman assumption in the random oracle model.
Our proposal outperforms most of the existing multi-proxy signature schemes that are constructed in the public key infrastructure or identity-based setting.