An Efficient Certificateless Signature Scheme

1
An Efficient Certificateless Signature Scheme
  • Wun-She Yap, Swee-Huay Heng and Bok-Min Goi
  • Centre of Cryptography and Information Security
    (CCIS)
  • Multimedia University, Malaysia

SECUBIQ 2006 in Conjunction with EUC 2006 Seoul,
Korea, August 1-4, 2006
2
Outline
  • Introduction
  • Contributions
  • Generic Construction
  • Security Model
  • Concrete Scheme
  • Analysis
  • Conclusion

3
What is Certificateless Public Key Cryptography?
  • Introduced by Al-Riyami and Paterson in 2003 at
    Asiacrypt
  • Public keys used consist of 2 components: ID and
    self-generated public key
  • Private key: partial private key and secret value
  • Existing certificateless schemes:
    • Encryption
    • Signature

4
  • Advantages
  • Implicit certification
  • No certificate is needed in signing and
    decrypting
  • No certificate management issues
  • Free from key escrow
  • The Key Generation Center (KGC) cannot sign or
    decrypt without knowing the user's secret value,
    and hence the user's private key

5
Our Contributions
  • We propose a certificateless signature (CLS)
    scheme which is
  • Provably secure against existential forgery under
    adaptive chosen message and ID attacks (EUF-CMIA)
    in the random oracle model, based on the
    intractability of the computational Diffie-Hellman
    problem (CDHP)
  • More efficient (fewer bilinear pairing
    computations and shorter public key length)
  • Able to achieve trust level 3

6
General Construction of CLS
  • CLS is specified by seven algorithms

Remark: These 2 steps are run by the KGC
7
Remark: These 3 steps are run by the user himself
8
(No Transcript)
9
Security Model of CLS
  • Type I Adversary ($A_I$): can replace public keys
    • $A_I$ cannot extract the private key for $ID_{ch}$
    • $A_I$ cannot request the private key for any ID if
      the corresponding public key has been replaced
    • $A_I$ cannot both replace the public key for $ID_{ch}$
      and extract the partial private key for $ID_{ch}$
    • $A_I$ cannot make a sign query on the forged message
      for $ID_{ch}$
  • Type II Adversary ($A_{II}$): has access to the master key
    • $A_{II}$ cannot replace the public key at any point
    • $A_{II}$ cannot extract the private key for $ID_{ch}$
    • $A_{II}$ cannot make a sign query on the forged
      message for $ID_{ch}$

10
Adaptive Chosen Message Attack Game
  • Setup
    • The challenger generates params and gives it to
      the adversary A. If A is of Type II, the
      master-key is given to her too.
  • Attack
    • A is allowed to make a sequence of requests
      adaptively, each of which is either a Partial
      Private Key Extraction, a Private Key Extraction,
      a Request for Public Key, a Replace Public Key or
      a Sign Query, subject to the rules on
      adversary behaviors.
  • Forgery
    • A outputs a certificateless signature on
      message $m$ signed by the user who holds $ID_A$ and
      public key $P_A$. The only restriction is that
      $(m, ID_A)$ does not appear in the set of previous
      sign queries.

11
Proposed CLS Scheme
  • Setup
    • $G_1$, $G_2$: generators of group $G$ with prime order $q$
    • $e: G_1 \times G_1 \to G_2$
    • $P \in G_1$
    • $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \times G_1 \to Z_q^*$
    • $P_0 = sP$, $s \in Z_q^*$
    • params $= (G_1, G_2, e, q, P, P_0, H_1, H_2)$
    • master-key $= s$
  • Set-Partial-Private-Key
    • $Q_A = H_1(ID_A) \in G_1$
    • $D_A = sQ_A \in G_1$
  • Set-Secret-Value
    • $x_A \in Z_q^*$
  • Set-Private-Key
    • $S_A = x_A Q_A + D_A$
  • Set-Public-Key
    • $P_A = x_A P$

Difference: the public key no longer consists of 2
elements, compared to other existing CLS schemes
12
  • Sign
    • $U = rQ_A$
    • $h = H_2(m, U)$
    • $V = (r + h)S_A$
    • Signature of $m$: $(U, V)$
  • Verify
    • $h = H_2(m, U)$
    • Check $e(P, V) = e(P_0 + P_A, U + hQ_A)$

13
Analysis
  • i. Correctness
    • $e(P, V) = e(P, (r + h)S_A)$
    • $= e(P, (r + h)(x_A Q_A + sQ_A))$
    • $= e(P, (r + h)(x_A + s)Q_A)$
    • $= e((x_A + s)P, (r + h)Q_A)$
    • $= e(x_A P + sP, rQ_A + hQ_A)$
    • $= e(P_0 + P_A, U + hQ_A)$
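
The key-generation, Sign and Verify steps and the correctness equation above, as an added Python example that is not the authors' code. It assumes a toy stand-in for the pairing (group elements stored as public discrete logs, so it is not secure and only checks the algebra); all function names are hypothetical.

```python
import hashlib
import secrets

# Toy "exponent model", constructed for this example and NOT secure: the G1
# point aP is stored as the integer a mod Q and e(aP, bP) as a*b mod Q, so
# discrete logs are public. It checks the scheme's algebra, nothing more.
Q = 2**255 - 19   # a prime standing in for the group order q
P = 1             # the generator P in this representation

def _h(tag, *parts):
    data = tag + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def H1(identity): return _h(b"H1", identity)   # H1(ID), a G1 element
def H2(m, U): return _h(b"H2", m, U)           # H2(m, U), a scalar mod q
def e(a, b): return a * b % Q                  # bilinear map G1 x G1 -> G2
def rand(): return secrets.randbelow(Q - 1) + 1

def setup():
    s = rand()                           # master-key s
    return s, s * P % Q                  # P0 = sP

def partial_private_key(s, identity):
    return s * H1(identity) % Q          # DA = s QA, run by the KGC

def user_keys(DA, identity):
    x = rand()                           # secret value xA
    SA = (x * H1(identity) + DA) % Q     # SA = xA QA + DA
    return SA, x * P % Q                 # private key SA, public key PA = xA P

def sign(SA, identity, m):
    r = rand()
    U = r * H1(identity) % Q             # U = r QA
    return U, (r + H2(m, U)) * SA % Q    # V = (r + h) SA

def verify(P0, PA, identity, m, sig):
    U, V = sig
    rhs = e((P0 + PA) % Q, (U + H2(m, U) * H1(identity)) % Q)
    return e(P, V) == rhs                # e(P, V) = e(P0 + PA, U + h QA)

def demo():
    s, P0 = setup()
    DA = partial_private_key(s, "alice")
    SA, PA = user_keys(DA, "alice")
    sig = sign(SA, "alice", "msg")
    kgc_only = sign(DA, "alice", "msg")  # KGC holds DA but not xA
    return (verify(P0, PA, "alice", "msg", sig),
            verify(P0, PA, "alice", "other", sig),
            verify(P0, PA, "alice", "msg", kgc_only))
```

`demo()` returns one result each for a valid signature, the same signature checked against a different message, and a signature produced with the partial private key alone.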

14
ii. Performance
Table 1: Comparison of CLS Schemes
(p: bilinear pairing, s: scalar multiplication, e: exponentiation)
iii. Security: The proposed CLS scheme is
existentially unforgeable against the Type I
adversary and Type II adversary in the random
oracle model under the CDH assumption in $G_1$.
15
Extended Construction
  • 3 trust levels: Level 1, Level 2 and Level 3
    • Level 1: The authority knows the private keys and
      is capable of impersonating any user without
      being detected
    • Level 2: The authority does not know the private
      keys, but it can still impersonate any user by
      generating false certificates that may be used
      without being detected
    • Level 3: The authority does not know the private
      keys and if it generates false certificates for
      users, it can be proven
  • Increase trust level 2 to 3
    • How: binding technique which ensures that users
      can only create one public key
    • Authenticate with KGC to fix $P_A = x_A P$
    • $D_A = sQ_A$ where $Q_A = H_1(ID_A \| P_A)$
    • Disadvantage: the user can no longer regenerate
      the public key

16
Conclusion and Future Work
  • Proposed a more efficient CLS scheme, provably
    secure against EUF-CMIA in the random oracle
    model based on the intractability of CDHP
  • The scheme can achieve trust level 3, the same as
    a traditional signature scheme
  • Efficiency of CLS can be further increased by
    using the key construction of the Sakai-Kasahara IBE
    scheme and Baek et al.'s CLPKE scheme.
  • Future direction: proposing a provably
    secure CLS scheme in the standard model.

17
THANK YOU !