cryptanalysis on du-wen certificateless short signature scheme
Post on 13-Jan-2016
Cryptanalysis on Du-Wen Certificateless Short Signature Scheme
C.I. Fan, R.H. Hsu, and P.H. Ho
Joint Workshop on Information Security
Presenter: Yu-Chi Chen
Outline.
• Review of Hu et al.’s paper
• Review of Du and Wen’s CLS scheme
• Fan et al.’s improved CLS scheme
• Conclusion
Review of Hu et al.’s paper
• Hu et al.’s remedy:
– The public key is inserted into the partial-private-key.
• Hu et al.’s remedy:
– Achieving level-3 security.
– KGC does not know any user's secret value and cannot act as any user by generating a false partial private key without being detected.
Review of DW CLS scheme
• This scheme was presented by Chun-Yen Lee on 2009/12/29.
– Title: Efficient and provably-secure certificateless short signature scheme from bilinear pairings
– From: Computer Standards & Interfaces (IF:1.074 42/86)
– Authors: Hongzhen Du, Qiaoyan Wen
112/04/21 7
An efficient CLS scheme (1/9)
• This scheme
– Setup:
– Partial-Private-Key-Extract:
– Set-Secret-Value:
– Set-Private-Key:
– Set-Public-Key:
– CL-Sign:
– CL-Verify:
An efficient CLS scheme (2/9)
• Setup: KGC
– security parameter l
– G1 and G2 (same prime order q > 2^l)
– P is a generator of group G1
– g = e(P,P)
– H1: {0, 1}* → Z*q, H2: {0, 1}* × G1 → Z*q
An efficient CLS scheme (3/9)
– s ∈ Z*q (system master key)
– Computes public key Ppub=sP ∈ G1
– KGC publishes the system list params:
{l, G1, G2 , e, q, P, g, Ppub , H1, H2}
An efficient CLS scheme (4/9)
• Partial-Private-Key-Extract:
– KGC: $Q_{ID} = H_1(ID)$, $d_{ID} = \frac{1}{s + Q_{ID}} P$
– KGC → user: $d_{ID}$ (Secure channel?)
– user: $e(d_{ID}, P_{pub} + Q_{ID} P) = g$, $T = P_{pub} + Q_{ID} P$
An efficient CLS scheme (5/9)
• Set-Secret-Value:
– r ∈ Z*q (secret value)
• Set-Private-Key:
– (dID, r) (private key)
• Set-Public-Key:
– pkID = r(Ppub+QIDP) = rT
An efficient CLS scheme (6/9)
• CL-Sign:
– m ∈ {0, 1}*
– Sets h = H2(m, pkID)
– Computes $S = \frac{1}{r + h} d_{ID} = \frac{1}{(r + h)(s + Q_{ID})} P$
An efficient CLS scheme(7/9)
• CL-Verify:
– Computes h = H2(m, pkID)
– $Ver(params, m, ID, pk_{ID}, S) = 1 \iff e(S, pk_{ID} + hT) = g$
An efficient CLS scheme(9/9)
Fan et al.’s improved CLS scheme
• Fan et al. propose an improved CLS scheme based on the DW scheme.
• This scheme requires no more computation than the DW scheme, but its public key needs two components [pk, pk’].
FHH scheme (1/9)
• This scheme, like the DW scheme:
– Setup:
– Partial-Private-Key-Extract:
– Set-Secret-Value:
– Set-Private-Key:
– Set-Public-Key:
– CL-Sign:
– CL-Verify:
FHH scheme (2/9)
• Setup: KGC
– security parameter l
– G1 and G2 (same prime order q > 2^l)
– P is a generator of group G1
– g = e(P,P)
– H1: {0, 1}* → Z*q, H2: {0, 1}* × G1 → Z*q
FHH scheme(3/9)
– s ∈ Z*q (system master key)
– Computes public key Ppub=sP ∈ G1
– KGC publishes the system list params:
{l, G1, G2 , e, q, P, g, Ppub , H1, H2}
FHH scheme (4/9)
• Partial-Private-Key-Extract:
– KGC: $Q_{ID} = H_1(ID)$, $d_{ID} = \frac{1}{s + H_1(pk'_{ID}) + Q_{ID}} P$
– KGC → user: $d_{ID}$ (Secure channel)
FHH scheme (5/9)
• Set-Secret-Value:
– r ∈ Z*q (secret value)
• Set-Private-Key:
– (dID, r) (private key)
• Set-Public-Key:
– pkID = r(Ppub+QIDP) = rT, pk’ID = rP
FHH scheme (6/9)
• CL-Sign:
– m ∈ {0, 1}*
– Sets h = H2(m, pkID)
– Computes $S = \frac{1}{r + h} d_{ID} = \frac{1}{(r + h)(s + H_1(pk'_{ID}) + Q_{ID})} P$
FHH scheme (7/9)
• CL-Verify:
– Computes h = H2(m, pkID)
– $Ver(params, m, ID, pk_{ID}, S) = 1 \iff e(S, pk_{ID} + H_1(pk'_{ID}) pk'_{ID} + h(T + H_1(pk'_{ID}) P)) = g$