Multimedia Network Security Laboratory (多媒體網路安全實驗室)

Page 1: Certificateless multi-proxy signature

Date: 2011/04/08

Presenter: 向峻霈

Source: Zhengping Jin, Qiaoyan Wen: Computer Communications, pp. 344-352, 2011

Page 2: Outline

1. Introduction
2. Definition of certificateless multi-proxy signature schemes
3. Security model
4. A certificateless multi-proxy signature scheme
5. Conclusion

Page 3: Introduction

The concept of proxy signature was first introduced by Mambo.

[Figure: the original signer delegates signing to a proxy signer, who produces the signature]

Page 4: Introduction

Multi-proxy signature: Hwang and Shi.

[Figure: the original signer delegates to proxy signers A, B and C, who produce the signature]

Page 5: Introduction

The concept of identity-based cryptography was first introduced by Shamir in 1984.

[Figure: a user's identity serves as the public key; the private key is derived from the identity with a master key]

Page 6: Introduction

A problem inherent in IBC: key management.

[Figure: the PKG holds the master key and generates the private keys of all identities]

Page 7: Introduction

Certificateless public key cryptography (CLPKC): a user's private key has two components:

- one component is the partial private key generated by the PKG with the master key;

- another component is the secret value chosen by the user himself.

The public key derived from the user's secret value should also be published.

Page 8: Definition of certificateless multi-proxy signature schemes / Security model

Formal model of certificateless multi-proxy signature schemes

Page 9: Definition of certificateless multi-proxy signature schemes

Setup: on input a security parameter k, outputs the master key s and the system parameters params.

Partial-Private-Key-Extract: on input a user's identity ID_i (public), the PKG verifies the identity and uses s to produce the partial private key D_i (secret).

User-Key-Generate: on input ID_i, the user picks a random secret value x_i; together with D_i this gives the user's full private key sk_i and the public key P_i.

Page 10: Definition of certificateless multi-proxy signature schemes

Sign: the user with identity ID_i and public key P_i signs a message m.

Verify: checks a signature on m against ID_i and P_i.

Proxy-Key-Generate: run between the original signer ID_OS and the proxy signers ID_PS1, ..., ID_PSn holding secret keys sk_PS1, ..., sk_PSn; each proxy signer obtains a multi-proxy signature secret key PSK_i.

Page 11: Definition of certificateless multi-proxy signature schemes

Multi-Proxy-Sign: on a message m, which must satisfy the warrant w, the proxy signers use their multi-proxy signature secret keys PSK_i to produce the multi-proxy signature mps on behalf of the original signer.

Multi-Proxy-Verify: on input mps and the original signer OS, outputs accept or reject.

Page 12: Security model

For certificateless cryptosystems, the widely accepted notion of security was defined by Al-Riyami and Paterson: a Type I adversary and a Type II adversary.

Page 13: Security model

Type I adversary. [Figure: public key, master key; this adversary can replace a user's public key but does not hold the master key]

Page 14: Security model

Type II adversary. [Figure: public key, master key; this adversary has permission to access the master key but cannot perform public key replacement]

Page 15: Security model - Game 1

Setup. Taking a security parameter k as input, C runs the Setup algorithm to obtain a master key s and the system parameters params. Then C sends params to A_I, but keeps s secret.

Queries. A_I makes a polynomially bounded number of the following queries in an adaptive manner.

Page 16: Security model - Game 1

Public-Key-Inquiry: A_I submits a public key request with a user's identity ID_i; C returns the public key P_i.

Public-Key-Replacement: A_I chooses a new public key P_i' for ID_i and submits it to C; C records P_i' as the current public key of ID_i.

Page 17: Security model - Game 1

Partial-Private-Key-Extraction: A_I submits a partial private key request with a user's identity ID_i; C returns the partial private key D_i.

Secret-Value-Extraction: A_I submits a user's identity ID_i; C checks whether the public key of ID_i has been replaced. If it has not, C returns the secret value x_i; if it has, no secret value is returned.

Page 18: Security model - Game 1

Delegation: This query can be divided into two cases.

Page 19: Security model - Game 1

Case 1: A_I chooses to act as the original signer and sends C a delegator's request with a warrant w. C, regarded as the proxy signers, runs Proxy-Key-Generate; the resulting (w, PSK_i) is recorded in the list Warr_p, which A_I can access.

Page 20: Security model - Game 1

Case 2: A_I chooses to act as the proxy signers ID_PSi. C, regarded as the original signer, runs Proxy-Key-Generate with the warrant w, records w in the list Warr_o, and sends the delegation to ID_PSi, so that A_I obtains PSK_i.

Page 21: Security model - Game 1

Multi-Proxy-Signing-Query: A_I submits a warrant w and a message m of his choice to C. C checks 1. whether the corresponding PSK_i exists, 2. whether m satisfies w, and 3. whether the public keys of all proxy users and of the original signer have been replaced. Depending on the outcome, C answers with the multi-proxy signature MPS or with nothing.

Page 22: Security model - Game 1

Forgery. Eventually, A_I outputs a forgery and wins the game if any of the following events occurs:

Page 23: Security model - Game 1

E1: A_I outputs a forged signature σ* on a message m* for an identity ID*, where (m*, ID*) has not been submitted to the Signing-Query, and ID* has not been submitted to the Partial-Private-Key-Extract query, the Secret-Value-Extraction query or the Public-Key-Replacement query.

Page 24: Security model - Game 1

E2 (to work against one of the proxy signers): A_I outputs a forged multi-proxy signature MPS* on a message m* by the proxy signers under the warrant w*, where MPS* was not obtained from a Multi-Proxy-Signing-Query.

Page 25: Security model - Game 1

E3 (to work against the original signer): A_I outputs a forged multi-proxy signature MPS* on a message m* under the warrant w*, where w* does not appear in Warr_o.

Adv_{A_I} is defined to be the probability that A_I succeeds in the above Game 1.

Page 26: Security model - Game 2

Setup. Taking a security parameter k as input, A_II runs the Setup algorithm to obtain a master key s and the system parameters params. Then A_II sends both params and s to C. It is noted that the system parameters are chosen by A_II.

Page 27: Security model - Game 2

Forgery. Eventually, A_II outputs a forgery and wins the game if any of the following events occurs:

Page 28: Security model - Game 2

E1: A_II outputs a forged signature σ* on a message m* for an identity ID*, where (m*, ID*) has not been submitted to the Signing-Query, and ID* has not been submitted to the Secret-Value-Extraction query.

Page 29: Security model - Game 2

E2 (to work against one of the proxy signers): A_II outputs a forged multi-proxy signature MPS* on a message m* by the proxy signers under the warrant w*, where MPS* was not obtained from a Multi-Proxy-Signing-Query.

Page 30: Security model - Game 2

E3 (to work against the original signer): A_II outputs a forged multi-proxy signature MPS* on a message m* under the warrant w*, where w* does not appear in Warr_o.

Adv_{A_II} is defined to be the probability that A_II succeeds in the above Game 2.

Page 31: Security model

Definition 1.

An adversary A is said to be an (ε, t)-forger of a CLMPS scheme if A has advantage ε (as Adv_{A_I} or Adv_{A_II}) in the above games, running in time t.

A CLMPS scheme is said to be existentially unforgeable, or (ε, t)-secure, against adaptively chosen warrant attacks and chosen message and identity attacks if no such (ε, t)-forger exists, where ε is non-negligible and t is a polynomially bounded number.

Page 32: A certificateless multi-proxy signature scheme

The CLMPS scheme is based upon Zhang and Zhang's certificateless aggregate signature scheme.

Algorithms: Setup, Partial-Private-Key-Extract, User-Key-Generate, Sign, Verify, Proxy-Key-Generate, Multi-Proxy-Sign, Multi-Proxy-Verify.

Page 33: A certificateless multi-proxy signature scheme

Setup: Given a security parameter k, the PKG does as follows:

- Choose groups G and G_T of prime order q such that an admissible bilinear pairing e: G × G → G_T can be constructed, and pick an arbitrary generator P of G.

- Choose a random number s ∈ Z_p* as the master key msk and set Q = sP as the master public key.

- Choose six different cryptographic hash functions H1~H3: {0,1}* → G and H4~H6: {0,1}* → Z_p*.

- Publish the system parameters params = (G, G_T, e, P, Q, H1~H6) while keeping the master key msk = s secret.

Page 34: A certificateless multi-proxy signature scheme

Partial-Private-Key-Extract: given an identity ID_i, the PKG computes the partial private key D_i = sH1(ID_i) and sends it to the corresponding user through a safe channel.

User-Key-Generate: the user with identity ID_i selects a random number x_i ∈ Z_p*, computes P_i = x_iP as his public key, and keeps x_i (together with D_i) as his secret key sk_i.

Page 35: A certificateless multi-proxy signature scheme

Sign: To sign a message m ∈ {0,1}* with sk_i = (x_i, D_i), the signer, whose identity is ID_i and public key is P_i, performs the following steps:

1. Choose a random number r ∈ Z_p* and compute R = rP.

2. Compute W = H2(params), T = H3(Q), h = H4(params||m||ID_i||P_i||R).

3. Compute V = hD_i + x_iW + rT.

4. Output σ = (R, V) as the signature on m.

Page 36: A certificateless multi-proxy signature scheme

Verify: To verify a signature σ = (R, V) signed on m by the user whose identity and public key are ID_i and P_i respectively, the verifier checks whether

e(V, P) = e(hH1(ID_i), Q) e(W, P_i) e(T, R)

where W = H2(params), T = H3(Q), h = H4(params||m||ID_i||P_i||R).

Page 37: A certificateless multi-proxy signature scheme

Proxy-Key-Generate (1/2): delegation generation

The original signer OS, with identity ID_OS and public key P_OS, makes a warrant w that the proxy signers must comply with. The warrant specifies: 1. the proxy signers; 2. the original signer; 3. the type of messages delegated; 4. when the delegation is authorized.

Page 38: A certificateless multi-proxy signature scheme

Proxy-Key-Generate (2/2): delegation generation

1. Choose a random number r0 and compute R0 = r0P.

2. Compute h0 = H5(params||w||ID_OS||P_OS||R0), W = H2(params), T = H3(Q) and V0 = h0D_OS + x_OSW + r0T.

3. Send (w, R0, V0) to each proxy signer PS_i, i = 1, 2, ..., n.

Page 39: A certificateless multi-proxy signature scheme

Proxy-Key-Generate: delegation verification

On receiving (w, R0, V0) from the original signer, each proxy signer checks e(V0, P) = e(h0H1(ID_OS), Q) e(W, P_OS) e(T, R0), where h0 = H5(params||w||ID_OS||P_OS||R0), W = H2(params) and T = H3(Q). If the check fails, the proxy signer either 1. requests a valid one from OS, or 2. terminates the protocol; 3. if it succeeds, the delegation is accepted.

Page 40: A certificateless multi-proxy signature scheme

Proxy-Key-Generate: proxy secret key generation

If all proxy signers PS_i confirm the delegation, each of them sets PSK_i = (sk_PSi, r0, v0) as his multi-proxy signature secret key respectively.
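The Sign/Verify equations and the delegation generation and verification steps of Proxy-Key-Generate, worked through in Python as an added example (not code from the paper or this presentation). The pairing is a toy stand-in: G is modelled as Z_q with P = 1, G_T is written additively and e(aP, bP) = a·b mod q, which is bilinear but has trivial discrete logs, so the block only checks the algebra of the scheme. H1..H6 are modelled by one domain-separated SHA-256 into Z_q, and the master key, secret values and random r are fixed constructed numbers.

```python
import hashlib

Q = 2**127 - 1          # toy prime group order; G is modelled as Z_Q, so the point aP is just a
P = 1                   # generator of G
PARAMS = "toy-params"   # stands in for the published system parameters

def H(tag, *parts):     # H1..H6 of the scheme, modelled as one domain-separated hash into Z_Q
    data = tag.encode() + b"||".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def pairing(a, b):      # toy e(aP, bP) = a*b mod Q: bilinear, G_T written additively, insecure
    return (a * b) % Q

def partial_private_key(s, ident):   # PKG side of Partial-Private-Key-Extract: D_i = s*H1(ID_i)
    return (s * H("H1", ident)) % Q

def user_key(x):                     # User-Key-Generate: secret value x_i, public key P_i = x_i*P
    return x % Q, (x * P) % Q

def sign(payload, ident, sk, pk, r, mpk, tag="H4"):
    """Sign; with tag="H5" and a warrant as payload it is delegation generation."""
    x, D = sk
    R = (r * P) % Q
    W, T = H("H2", PARAMS), H("H3", mpk)
    h = H(tag, PARAMS, payload, ident, pk, R)
    return R, (h * D + x * W + r * T) % Q       # V = h*D_i + x_i*W + r*T

def verify(payload, ident, pk, sig, mpk, tag="H4"):
    """Check e(V,P) = e(h*H1(ID_i), Q) e(W, P_i) e(T, R); tag="H5" is delegation verification."""
    R, V = sig
    W, T = H("H2", PARAMS), H("H3", mpk)
    h = H(tag, PARAMS, payload, ident, pk, R)
    rhs = pairing(h * H("H1", ident) % Q, mpk) + pairing(W, pk) + pairing(T, R)
    return pairing(V, P) == rhs % Q

# Constructed toy values standing in for the random choices of s, x_i and r.
S = 1234567891011                                          # master key msk
MPK = (S * P) % Q                                          # master public key Q = s*P
OS_SK, OS_PK = (99, partial_private_key(S, "OS")), user_key(99)[1]       # original signer
PS_SK, PS_PK = (4242, partial_private_key(S, "PS1")), user_key(4242)[1]  # proxy signer PS1
WARRANT = "OS delegates PS1 to sign purchase orders during 2011"

def demo():
    """Delegation from OS to PS1, a signature by PS1, and two checks that must fail."""
    deleg = sign(WARRANT, "OS", OS_SK, OS_PK, r=777, mpk=MPK, tag="H5")   # (w, R0, V0)
    ok_deleg = verify(WARRANT, "OS", OS_PK, deleg, MPK, tag="H5")          # PS1's check
    sig = sign("order #17", "PS1", PS_SK, PS_PK, r=31337, mpk=MPK)          # PS1 signs with sk_PS1
    ok_sig = verify("order #17", "PS1", PS_PK, sig, MPK)
    bad_pk = verify("order #17", "PS1", user_key(5)[1], sig, MPK)   # replaced P_i (Type I) fails
    bad_msg = verify("order #18", "PS1", PS_PK, sig, MPK)           # altered message fails
    return ok_deleg, ok_sig, bad_pk, bad_msg
```

The last two checks show why the scheme hashes P_i and R into h and pairs W with P_i: a Type I adversary that swaps in a public key it chose, or a verifier handed a different message, sees the verification equation fail.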

Page 41: A certificateless multi-proxy signature scheme

Multi-Proxy-Sign

Page 42: A certificateless multi-proxy signature scheme

Multi-Proxy-Sign (continued)

Page 43: A certificateless multi-proxy signature scheme

Multi-Proxy-Verify

Page 44: Conclusions

- We have defined the generic construction and the formal security model for CLMPS.

- A concrete CLMPS scheme is given, which is proven to be secure under the computational Diffie-Hellman assumption in the random oracle model.

- Our proposal outperforms most of the existing multi-proxy signature schemes constructed in the public key infrastructure or identity-based setting.
