non-repudiation. In an ordinary digital signature scheme, anyone can verify the validity of a signature using the signer's public key. However, in some scenarios ...
An Efficient Certificateless Designated Verifier Signature Scheme
IA
Debiao He, Jianhua Chen School of Mathematics and Statistics, Wuhan University, China
T JI
Abstract: To solve the key escrow problem in identity-based (ID-based) cryptosystem, Al-Riyami et al. introduced the certificateless public key cryptography. As an important cryptographic primitive, certificateless designated verifier signature scheme was studied widely. Following Al-Riyami et al.’s work, many certificateless designated verifier signature schemes using bilinear pairings have been proposed. But the relative computation cost of the pairing is approximately twenty times higher than that of the scalar multiplication over elliptic curve group. In order to improve the performance we propose a certificateless designated verifier signature scheme without bilinear pairings. With the running time of the signature being saved greatly, our scheme is more practical than the previous related schemes for practical application.
Fi
Keywords: Certificateless public key cryptography, designated verifier signature, bilinear pairings, elliptic curve, Random oracle model.
rs
Received December 28, 2010; accepted May 10, 2011
tO
1. Introduction
n
io
at
lic ub
eP
in nl
Public key cryptography is an important technique to realize network and information security. Traditional public key infrastructure requires a trusted certification authority to issue a certificate binding the identity and the public key of an entity. Hence, the problem of certificate management arises. To solve the problem, Shamir defined a new public key paradigm called identity-based public key cryptography [1]. However, identity-based public key cryptography needs a trusted KGC to generate a private key for an entity according to his identity. So we are confronted with the key escrow problem. Fortunately, the two problems in traditional public key infrastructure and identity-based public key cryptography can be prohibited by introducing Certificateless Public Key Cryptography (CL-PKC) [2], which can be conceived as an intermediate between traditional public key infrastructure and identity-based cryptography. Digital signatures, one of the general primitives of cryptography, have many applications in information security to provide authentication, data integrity, and non-repudiation. In an ordinary digital signature scheme, anyone can verify the validity of a signature using the signer’s public key. However, in some scenarios, this public verification is not desired, if the signer does not want the recipient of a digital signature to show this signature to a third party at will. To address this problem above, Jakobsson et al. [3] proposed the concept of Designated Verifier Signature (DVS) schemes. A DVS scheme is special type of digital signature which provides message authentication without non-repudiation. These signatures have several
applications such as in E-voting, call for tenders and software licensing. Suppose Alice has sent a DVS to Bob. Unlike the conventional digital signatures, Bob cannot prove to a third party that Alice has created the signature. This is accomplished by the Bob’s capability of creating another signature designated to himself which is indistinguishable from Alice’s signature. Following the pioneering work due to Jakobsson et al. [3], many PKC-based DVS [4, 5, 6] and IDbased DVS [7, 8, 9, 10, 11] have been proposed. In 2006, Huang et al. [12] presented the first Certificateless Designated Verifier Signature (CLDVS) scheme. Unfortunately, their scheme is insecure against a malicious but passive KGC attack. In order to improve the security, several CLDVS schemes [13, 14, 15, 16] have been proposed. All the above CLS schemes may be practical, but they are from bilinear pairings and the pairing is regarded as the most expensive cryptography primitive. The relative computation cost of a pairing is approximately twenty times higher than that of the scalar multiplication over elliptic curve group [17]. Therefore, CLDVS schemes without bilinear pairings would be more appealing in terms of efficiency. In this paper, we present a CLDVS scheme without pairings. The scheme rests on the Elliptic Curve Computational Diffie-Hellman Problem (ECDHP).With the pairing-free realization, the scheme’s overhead is lower than that of previous schemes [12, 13, 14, 15, 16] in computation. The rest of the paper is organized as follows: in section 2, we recall the model for CLDVS and the security properties of CLDVS; we propose our scheme in
section 4; Security analysis and performance analysis of the proposed scheme are given in section 5. Finally, we conclude this paper.
2. Preliminaries 2.1. Background of Elliptic Curve Group
user's partial private key d ID and his secret value sID as inputs, and outputs the full private key sk ID {d ID , sID } . Set-Public-Key: Taking as inputs params and a user's secret value sID and d ID , and generates a public key
Let the symbol E / Fp denote an elliptic curve E over
pk ID for the user.
IA
Sign: It takes as inputs params , a message m , the
a prime finite field Fp , defined by an equation: y 2 x 3 ax b , a, b F p
Set-Private-Key: This algorithm mtakes params , a
(1)
signer A ’s identity IDA , and A ’s private key sk IDA , the designated verifier’s B ’s identity IDB public key
T JI
And with the discriminant :
4a 3 27b 2 0
(2)
The points on E / Fp together with an extra point O called the point at infinity form a group:
Fi
G {( x, y ) : x, y Fp , E ( x, y ) 0} {O}
(3)
tO
rs
Let the order of G be n . G is a cyclic additive group under the point addition “+” defined as follows: Let P, Q G , l be the line containing P and Q (tangent line to E / Fp if P = Q ), and R , the third point of intersection of l with E / Fp . Let l be the line
Verify: It takes as inputs params , a public key pk ID , a message m , the signer A ’s public key pk IDA , the designated verifier’s B ’s identity IDB , B ’s private key sk IDB and a signature S , and returns 1 means that the signature is accepted. Otherwise, 0 means rejected. Transcript-Simulation: An algorithm that is run by the designated verifier B to produce identically distributed transcripts that are indistinguishable from the original signer A .
2.3. Security Properties of Certificateless Designated Verifier Signatures
in nl
connecting R and O . Then P “+” Q is the point such
pk IDB and outputs a signature S .
that l intersects E / Fp at R and O and P “+” Q. Scalar multiplication over E / Fp can be computed as follows:
(4)
and Q2 b P compute Q ab P .
io
2.4. Security Model For Certificateless Designated Verifier Signatures
n
A CLDVS scheme consists of eight algorithms [2]: Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key, Sign, Verify and Transcript-Simulation. Setup: Taking security parameter k as input and returns the system parameters params and master key. Partial-Private-Key-Extract: It takes params , master key and a user's identity ID as inputs. It returns a partial private key d ID . Set-Secret-Value: Taking as inputs params and a user's identity ID ,this algorithm generates a secret value sID .
at
2.2. Certificateless Designated Verifier Signatures
lic ub
The following problems defined over G are assumed to be intractable within polynomial time. Computational Eliptic curve Diffie-Hellman problem: For P the generator of G , given Q1 a P
Correctness: If the signer properly produces a CLDVS by the CLDVS -Sign algorithm, then the verifying algorithm must accept the produced signature. Unforgeability: It is computationally infeasible to construct a valid CLDVS without the knowledge of the private key of either the signer or the designated verifier. Source Hiding: Given a message m and a CLDVS on m, it is infeasible to determine who created this signature either the original signer or the designated verifier, even if one knows all the private keys. Non-Delegatability: Given any indirect form of the private key of the signer, it is infeasible to construct a valid CLDVS to any designated verifier.
eP
tP P P … P (t times )
The CLDVS scheme must satisfy the following properties.
In CLDVS, as defined in [2], there are two types of adversaries with different capabilities, we assume Type 1 Adversary, A 1 acts as a dishonest user while Type 2 Adversary, A 2 acts as a malicious KGC: CLDVS Type 1 Adversary: such an adversary A 1 represents a third party attacks against the CLDVS scheme. A 1 does not have access to the master key
algorithms: Setup, Partial-Private-Key-Extract, SetSecret-Value, Set-Private-Key, Set-Public-Key, Sign, Verify and Transcript-Simulation. Setup: Takes a security parameter k , returns system parameters and a master key. Given k , KGC does as follows:
designated verifier’s identity ID*j and corresponding
compute the master public key Ppub x P .
T JI
IA
nor the user partial private key, but A 1 can compromise users’ secret values or replace users’ public keys at will, because of the uncertified nature of the public keys generated by the users. On input system parameters, an adaptively chosenmessage and identity attacker A 1 can make hash queries, partial private key extraction queries, public key extraction queries, secret value extraction queries, public key replacement queries, Sign queries, Verify queries. Finally, A 1 outputs a message-signature pair ( m* , * ) with the signer’s identity IDi* and the *
public keys pk ID* and pk ID* . A 1 is successful if m i
j
with the signer’s identity IDi* and the designated verifier’s identity ID*j and corresponding public keys
Fi
pk ID* and pk ID* have not been submitted to Sign i
j
* i
rs
oracle and the message-signature pair is valid. Also ID
and ID*j have not been submitted to partial private key
tuple {Fp , E / Fp , G, P} as defined in Section 2.1. 2. Choose the master private key x Z n* and 3. Choose two cryptographic secure hash functions H1 :{0,1}* Z n* and H 2 :{0,1}* Z n* . 4. Publish params {Fp , E / Fp , G, P, Ppub , H1 , H 2 } as system parameters and keep the master key x secretly. Set-Secret-Value: The user with identity ID picks randomly sID Z n* , computes PID sID P and sets
sID as his secret value. Partial-Private-Key-Extract: This algorithm takes system parameters, master key, a user’s identifier and PID sID P as input and returns the user’s ID-based private key. With this algorithm, KGC works as follows for each user with identifier IDU :
in nl
tO
extraction oracle. CLDVS Type 2 Adversary: such an Adversary A 2 represents a malicious-but-passive KGC who is assumed malicious at the very beginning of the Setup stage of the system. A 2 can access to the master key, but cannot obtain the user secret value nor replace the user public key. On input system parameters, an adaptively chosenmessage and identity attacker A 2 can make hash queries, public key extraction queries, Sign queries, Verify queries. Finally, A 2 outputs a messagesignature pair ( m* , * ) with the signer’s identity IDi*
1. Choose a k -bit prime p and determine the
i
j
*
successful if m with the signer’s identity IDi* and the designated verifier’s identity ID*j and corresponding i
j
3. Our scheme 3.1. Scheme Description In this section, we present an ID-based signature scheme without pairing. Our scheme consists of eight
private key d ID and his secret value sID , and output a pair sk ID {d ID , sID } as the user's private key. Set-Public-Key: This algorithm takes params , the user's secret value sID as inputs and as inputs,
computes PID sID P and generates the user's public
n
private key extraction oracle. Definition 1: A CDVS scheme is existential unforgeable against adaptively chosen message and identity attacks if and only if it is secure against both types of adversaries.
valid if the equation holds and vice versa. Set-Private-Key: Given params , the user's partial
io
to Sign oracle and the message-signature pair is valid. Also IDi* and ID*j have not been submitted to partial
The user’s s partial private key is the tuple {d ID , RID } and he can validate her private key by checking whether the equation d ID P RID hID Ppub holds. The private key is
at
public keys pk ID* and pk ID* have not been submitted
random
lic ub
corresponding public keys pk ID* and pk ID* . A 1 is
at
eP
ID*j and
and the designated verifier’s identity
rID Z n* , compute RID rID P and hID H1 ( ID, RID , PID ) . 2. Compute d ID rID hID x mod n . 1. Choose
key pk ID {RID , PID } Sign: This algorithm takes system parameters, the signer A ’s identity IDA , and A ’s private key sk IDA , the designated verifier’s B ’s identity IDB public key
pk IDB and a message m as input and returns a signature of the message m . The user does as the follows:
1. Compute hIDB H1 ( IDB , RIDB , PIDB ) . 2. Choose
at
random
compute c l ( PIDB RIDB hIDB
l Z n* Ppub ) .
to
3. Compute r H 2 (m, c) . 4. Choose
at
compute s lt
t Z n*
random
and
1
r (d IDA sIDA ) mod n . 5. The resulting signature is ( r , s, t ).
IA
T JI
key sk IDB
verifier’s B ’s
IDB private , a message m and a signature ( r , s, t ) as
identity
Fi
inputs. Then return 1 means that the signature is accepted. Otherwise, 0 means rejected. The user does as the follows. 1. Compute hIDA H1 ( IDA , RIDA , PIDA ) .
rs
2. Compute
1. Correctness: The correctness of proposed scheme can be verified by the following equations. Since (d IDA sIDA ) P PIDA RIDA hIDA Ppub and (d IDB sIDA ) P PIDB RIDB hIDB Ppub , we have
Verify: This algorithm takes system parameters, the signer A ’s identity IDA , and A ’s public key pk IDA , the
designated
proposed scheme is secure under the difficulty of solving the ECCDH problem.
c t ( d IDB sIDB )( s P r ( PIDA RIDA hIDA Ppub )) .
tO
3. Check whether r H 2 (m, c) holds. Return 1 if it is equal. Otherwise return 0.
t (d IDB sIDB )((lt 1 r (d IDA sIDA )) P r ( PIDA RIDA hIDA Ppub ))
(6)
1
t (d IDB sIDB )lt P l (d IDB sIDB ) P l ( PIDB RIDB hIDB Ppub ) c
Then the correctness of our scheme is proved. 2. Unforgeability: We will prove our scheme can provide the unforgeability property by the following two theorems. The proof of the two theorems are given in the appendixes: Theorem 1: If there is a type 1 adversary A 1 that breaks our proposed CLDVS scheme, then there exists an algorithm F which solves the ECDHP problem with non-negligible probability. Theorem 2: If there is a type 2 adversary A 2 that breaks our proposed CLDVS scheme, then there exists an algorithm F which solves the EDCDH problem with non-negligible probability. 3. Source Hiding: Given a DVS ( r , s, t ) on a message m , even if a third party knows the signer A ’s private key pair ( d IDA , sIDA ) and the verifier
key pk IDA , the designated verifier’s B ’s identity IDB
private key sk IDB and a message m as inputs. Then generate a signature ( r , s, t ).The user does as the follows. 1. Compute hIDA H1 ( IDA , RIDA , PIDA ) . at
random
compute c s P r ( PIDA
s, r Z n* , RIDA hIDA Ppub ) ,
r H 2 (m, c) , l r l 1 mod n , s sl 1 mod n and t l (d IDB sIDB ) 1 mod n . 3. The resulting signature is ( r , s, t ).
identify whether ( d IDA , sIDA ) or ( d IDB , sIDB ) has
been used in the construction of the term s because he does not have the knowledge of the random numbers l used during the signing process. Hence, it is infeasible to determine whether the original signer or the designated verifier creates the signature. 4. Non-Delegatability: The problem of delegatability does not exist in our scheme. Because the construction of the term s requires the signer’s private key pair ( d IDA , sIDA ), and it is impossible
c t (d IDB sIDB )( s P r ( PIDA RIDA hIDA Ppub ))
(5)
s P r ( PIDA RIDA hIDA Ppub )) c
Then the designated verifier can generate the same transcripts in an indistinguishable way.
n
sl P rl ( PIDA RIDA hIDA Ppub ))
io
at
Since l ( s P r ( PIDA RIDA hIDA Ppub ))
B ’s private key pair ( d IDB , sIDB ), he cannot
lic ub
2. Choose
eP
in nl
Transcript-Simulation: This algorithm takes system parameters, the signer A ’s identity IDA , and A ’s public
c t (d IDB sIDB )( s P r ( PIDA RIDA hIDA Ppub ))
for the signer to delegate his signing capability to any third party without disclosing his private keys, a third party can not generate a valid signature ( r , s, t ) on a message m .
3.2. Security Analysis
4. Comparison with Previous Scheme
In the section, we give security analysis of our proposed scheme and show that the security of our
In this section, we will compare the efficiency of our new scheme with the latest CLDVS schemes, i.e.,
Huang et al.’s scheme [12], Yang et al.’s scheme [13], Chen et al.’s scheme[14], Yang et al.’s scheme [15] and Xiao et al.’s scheme [16]. For the convenience of evaluating the computational cost, we define some notations as follows:
TGexp : The time of executing a modular exponentiation
IA
operation. TG pair : The time of executing a pairing operation.
TG pbsm : The time of executing a pairing-based scalar
T JI
multiplication operation of point. TGebsm : The time of executing an ECC-based scalar multiplication operation of point. TG padd : The time of executing an addition operation of points
Fi
TGinv : The time of executing a modular inversion
tO
rs
operation. TGmul : The time of executing a general multiplication operation. TGadd : The time of executing a general addition operation. TGmtph : The time of executing a map-to-point hash
Xiao et al.’s scheme [16]
1 TG pair +4 TG pbsm +
1 TG pair +2 TG pbsm +
TGmtph + TGh +
TGmtph + TGh +
1 TG padd
1 TG padd
3 TG pbsm + TGinv +
1 TGexp +2 TG pair +
TGmtph + TGh
1 TG pbsm + TGmtph + TGh
Our scheme
2 TGebsm +1 TGinv +
2 TGebsm +3 TG padd +
3 TG padd +2 TGh +
2 TGh +1 TGmul +
2 TGmul +2 TGadd
1 TGadd
As the main computational overheads, we only consider the bilinear pairing operation, the modular exponentiation, the scale multiplication and the pairing-based scale multiplication. From the theoretical analysis [17] and the experimental result [18-21], we know the relative computation cost of the bilinear pairing operation, the modular exponentiation and the pairing-based scale multiplication are at least 19, 3 and 3 times that of the scalar multiplication separately. The running time of the sign algorithm of our scheme is 9.09% of Huang et al.’s scheme [12], 7.14% of Yang et al.’s scheme [13], 9.09% of Chen et al.’s scheme[14], 6.45% of Yang et al.’s scheme [15] and 22.22% of Xiao et al.’s scheme [16], the running time of the verify algorithm of our scheme is 3.33% of Huang et al.’s scheme [12], 3.18% of Yang et al.’s scheme [13], 9.09% of Chen et al.’s scheme[14], 8.00% of Yang et al.’s scheme [15] and 4.54% of Xiao et al.’s scheme [16]. Thus our scheme is more useful and efficient than the previous schemes[12-16].
In Table 1, we summarize the performance results of different CLDVS schemes. From the Table 1, we know that the client side requires only 3 TG pair +1 TG pbsm + TGmtph + TGh +1 TG padd .
[18]. For the ECC-based schemes, to achieve the same security level, we employ some secure elliptic curve on a finite field Fp or F2m , where the length of p is 160
In this paper, we have proposed an efficient certificateless DVS scheme without bilinear pairings. We also prove the security of the scheme under random oracle. Compared with previous scheme, the new scheme reduces both the running time. Therefore, our scheme is more practical than the previous related schemes for practical application.
Table 1. Performance evaluation of our protocol. Verify 3 TG pair +1 TG pbsm +
1 TGinv +1 TGmtph +
TGmtph + TGh +
1 TGh +1 TG padd
1 TG padd
1 TG pair +3 TG pbsm +
3 TG pair +2 TG pbsm +
TGmtph + TGh
1 TG padd + TGh
References
1 TG pair +1 TG pbsm +
1 TG pair +1 TG pbsm +
[1]
TGmtph + TGh
TGmtph + TGh
The authors thank the anonymous reviewers and the editors for their valuable comments. This research was supported by the Fundamental Research Funds for the Central Universities under Grants 201275786.
n
Yang et al.’s scheme [13] Chen et al.’s scheme [14]
6. Acknowledgements
Sign 1 TG pair +1 TG pbsm +
io
Huang et al.’s scheme [12]
at
bits at least [18]. Table 1 shows the results of the performance comparison.
5. Conclusions
lic ub
For the pairing-based scheme, to achieve the 1024bit RSA level security, we have to use the Tate pairing defined over some supersingular elliptic curve on a finite field Fq , where the length of q is 512 bits at least
eP
in nl
function. TGh : The time of executing a one-way hash function.
Yang et al.’s scheme [15]
A. Shamir, “Identity-based cryptosystems and signature schemes”, Proc. CRYPTO1984, pp.47– 53, 1984.
[2] [3]
[4]
IA
S. Al-Riyami, K.G. Paterson, “Certificateless public key cryptography”, Proceedings of ASIACRYPT 2003, pp. 452–473, 2003. Jakobsson, M., Sako, K., Impagliazzo, R. “Designated verifier proofs and their applications”, Advances in Eurocrypt 1996, pp. 143-154, 1996. S. Saeednia, S. Kremer, O. Markowitch, “An Efficient Strong Designated Verifier Signature Scheme”, ICISC 2003, pp. 40–54, 2004. H. Lipmaa, G. Wang, F. Bao, “Designated Verifier Signature Schemes:Attacks, New Security Notions and a New Construction”, ICALP 2005, LNCS 3580, pp. 459–471, 2005. R. Tso, T. Okamoto, E. Okamoto, “Practical Strong Designated Verifier Signature Schemes Based on Double Discrete Logarithms”, CISC 2005, pp. 113–127, 2005. Saeednia, S., Kramer, S., Markovitch, O. “An efficient strong designated verifier signature scheme”. ICISC 2003, pp. 40–54, 2003. Susilo, W., Zhang, F., Mu, Y. “Identity-based strong designated verifier signature schemes”, ACISP 2004, pp. 313–324, 2004. Kumar, K., Shailaja, G., Saxena, A.”Identity based strong designated verifier signature scheme”, . Zhang, J., Mao, J. “A novel ID-based designated verifier signature scheme”. Information Science, vol. 178, no. 3, pp. 766-773, 2008. B.Kang, C. Boyd, E. Dawson, “A novel identitybased strong designated verifier signature scheme”, The Journal of Systems and Software, no. 82, pp. 270–273, 2009. X. Huang, Willy Susilo, Yi Mu, F. Zhang, “Certificateless designated verifier signature schemes”, Proc. AINA’06, pp.15-19, 2006. MING Yang, SHEN Xiao-qin, WANG Yu-min, “Certificateless universal designated verifier signature Schemes”, Journal of China Universitles Posts and Telecommunications, Vol.14, no. 3,pp. 85-91, 2007. Chen, H, Song, RS, Zhang, FT, Song, FG, “An Efficient Certificateless Short Designated Verifier Signature Scheme”, 4th international Conference on Wireless Networking and Mobile Computing, pp. 4627-4632, 2008. Yang B., Hu Z., Xiao Z., “Efficient Certificateless Strong Designated Verifier Signature Scheme”, International Conference on Computational Intelligence and Security 2009, pp.432-436, 2009 Xiao Z., Yang B., Li S., “Certificateless Strong Designated Verifier Signature Scheme”, 2nd International Conference on e-Business and Information System Security, pp. 1 – 5, 2010.
[5]
T JI
[6]
[11]
n
[16]
io
[15]
at
[14]
Jianhua Chen received the B.Sc. degrees in computer science from Harbin Institute of Technology, Harbin, China, in 1983, and received the M.Sc and the Ph.D. degree in applied mathematics from Wuhan University, Wuhan, China, in 1989 and 1994, respectively. Currently, he is a professor of Wuhan University. His current research interests include number theory, information security and network security.
lic ub
[13]
eP
[12]
Debiao He received the B.Sc. degrees in computer science from the Shandong Teacher’s University, Jinan, China, in 2003, and received the M.Sc and the Ph.D. degree in applied mathematics from Wuhan University, Wuhan, China, in 2006 and 2009, respectively. His current research interests include cryptography, information security and network security.
in nl
[10]
tO
[9]
rs
[8]
Fi
[7]
[17] Chen L., Cheng Z., Smart N., “Identity-based key agreement protocols from pairings”, Int. J. Inf. Secur, no.6, pp.213–241, 2007. [18] Cao X., Kou W. “A Pairing-free Identity-based Authenticated Key Agreement Scheme with Minimal Message Exchanges”, Information Sciences, DOI: 10.1016/j.ins.2010.04.002. [19] He D., Chen J., Hu J. “An ID-based proxy signature schemes without bilinear pairings, Annals of Telecommunications. DOI: 10.1007/s12243-011-0244-0. [20] He D., Chen J., Hu J. ”A pairing-free certificateless authenticated key agreement protocol”, International Journal of Communication Systems, DOI: 10.1002/dac.1265. [21] He D., Chen J., Zhang R., “An efficient identitybased blind signature scheme without bilinear pairings”, Computers & Electrical Engineering , DOI:10.1016/j.compeleceng.2011.05.009
pk IDi {PIDi , RIDi } and adds ( IDi , sIDi , pk IDi ) to
Appendixes Proof for Theorem1: Suppose F is challenged with a ECCDH instance ( P, Q1 aP, Q2 bP ) and is tasked to compute Q3 ab P . To do so, F picks two
IA
identity IDI and IDJ at random as the challenged ID in this game, and gives {Fp , E / Fp , G, P, Ppub Q1 , H1 , H 2 } to A 1 as the
T JI
public parameters. Then F answers A 1’s queries as follows. H1-Queries: F maintains a hash list LH1 of tuple ( IDi , RIDi , PIDi , d IDi , hIDi ) as explained below. The list
the Lpk . Private Key Extraction Queries: For query on input IDi , If IDi IDI or IDi IDJ , F stops and outputs “failure”. Otherwise, F performs as follows: If the LH1 and the Lpk contain the corresponding tuple (
IDi , RIDi , sIDi , hIDi
(
IDi , sIDi , pk IDi
)
)
and
respectively,
the
tuple
F
sets
sk IDi {d IDi , sIDi } and sends it to A 1. Otherwise, F makes a partial private key extraction query and a public key extraction query on IDi , then simulates as the above process and sends sk IDi {d IDi , sIDi } to A
then the previously defined value is returned. Otherwise, F acts as described in the partial private key extraction queries. H2-Queries: F maintains a hash list LH 2 of tuple
Public Key Replacement:When A 1 queries on
rs
Fi
is initially empty. When A 1 makes a hash oracle query on IDi , if the query IDi has already appeared on LH1 ,
1.
pk IDi ),F checks whether the tuple input ( IDi , ( IDi , sIDi , pk IDi ) is contained in the Lpk . If it does, F
pk IDi and adds the tuple ( IDi , , pk IDi ) sets pk IDi
IDi on the message m j , F chooses a random value
to the Lpk .
hj Z
* n,
tO
( m j , c j , h j ). When A 1 makes H2 queries for identity sets h j H 2 (m j , c j ) and adds ( m j , c j , h j ) to
in nl
LH 2 , and sends h j to A 1.
Partial Private Key Extraction Queries: A 1 is allowed to query the extraction oracle for an identity IDi . F query H1 oracle IDi is on LH1 , then F response with ( IDi , RIDi , PIDi , d IDi , hIDi ). Otherwise, if
IDi , RIDi , PIDi , d IDi , hIDi
( IDi , RIDi , PIDi , d IDi , hIDi )
),
and
into LH1 .
inserts Note
that
( RIDi , d IDi , hIDi ) generated in this way satisfies the
contains a tuple for this input. If it does, the previously defined value is returned. Otherwise, if IDi IDJ , F picks a random value sID Z n* , computes PIDi sIDi P . If IDi IDJ , F sets PIDi b P and sIDi . F queries Partial Private Key Extraction Queries with IDi and
PIDi and get response RIDi . At last F returns
consistency. If IDA or IDB has not been queried to the partial private extraction oracle and the private extraction oracle, F executes the simulation of the partial private extraction oracle and the private extraction oracle, then uses the corresponding secret key to sign the message. Finally, A 1 stops and outputs a signature S {r , s, t} on the message m with the signer A ’s identity IDA , and A ’s private key sk IDA , the
n
When A 1 queries on input IDi , F checks whether Lpk
message m and stores the value H 2 (m, c) in LH 2 for
io
key extraction algorithm. It is a valid secret key. Public Key Extraction Queries: F maintains a list Lpk of tuple ( IDi , sIDi , pk IDi ) which is initially empty.
tables and uses these values to sign for the message according to the signing algorithm described in the scheme. It outputs the signature ( r , s, t ) for the
at
equation d ID P RID hID Ppub in the partial private
yes, it just retrieves ( d IDA , sIDA , PIDB , RIDB ) from the
lic ub
hIDi H1 ( IDi , RIDi ) ai mod n , response with
( IDi , sIDi , pk IDi ) are in LH1 and Lpk separately. If
eP
simulates the oracle as follows. It chooses ai , bi Z n* at random, sets RIDi ai Ppub bi P , d IDi bi , (
Signing Queries: When a message m , the signer A ’s identity IDA , the designated verifier’s B ’s identity IDB is coming, F acts as follows: F first checks that whether tuple ( IDi , RIDi , d IDi , hIDi ) and
designated verifier’s B ’s identity IDB public key
pk IDB , which satisfies the following equation Verify ( params,, m, IDA , sk IDB , pk IDA , S ) 1 .
If IDA IDI or IDB IDJ , F outputs “failure” and aborts. Otherwise, F recovers the tuple ( IDI , RIDI , d IDI , hIDI ) and ( IDJ , RIDJ , d IDJ , hIDJ ) from LH1 ,
the tuple
( IDI , sIDI , pk IDI ) and
( IDJ , sIDJ , pk IDJ ) from Lpk and the tuple ( m, c, h )
IDI and IDJ at random as the challenged ID in this
from LH 2 .
game,
Then, we have c t (d IDJ sIDJ )( s P r ( PIDI
(7)
RIDI hIDI Ppub ))
Since PIDI sIDI P , RIDJ b P and Ppub a P , we could have
and
gives
public
parameters Q, H1 , H 2 } and the master
{Fp , E / Fp , G, P, Ppub key s to A 2. Then F answers A 2’s queries as
follows. H1-Queries: F maintains a hash list LH1 of tuple ( IDi , RIDi , PIDi , d IDi , hIDi ) indexed by IDi . The list is
IA
initially empty. When A 2 makes a hash oracle query on IDi , if the query IDi has already appeared on LH1 ,
c t (d IDJ sIDJ )( s P r ( PIDI RIDI hIDI Ppub ))
T JI
t s Q2 t s sIDJ P t r sIDI Q2
(8)
t r d IDI Q2 t r hIDI Q3
then the previously defined value is returned. Otherwise, F makes the partial private key extraction query with IDi , and sends hIDi to A 2. H2-Queries: F maintains a hash list LH 2 of tuple
t sIDJ r ( PIDI RIDI hIDI Ppub )
( m j , c j , h j ). When A 2 makes H2 queries for identity
Fi
Then we have
IDi on the message m j , F chooses a random value
t r hIDI Q3 c t s Q2 t s sIDJ P
rs
t r sIDI Q2 t r d IDI Q2
h j Z n* , sets h j H 2 (m j , c j ) and adds ( m j , c j , h j ) (9)
Partial Private Key Extraction Queries: A 2 is allowed to query the extraction oracle for an identity IDi . F query H1 oracle IDi is on LH1 , then F response with ( IDi , RIDi , PIDi , d IDi , hIDi ). Otherwise, if
t s sIDJ P t r sIDI Q2 t r d IDI Q2 (10)
simulates the oracle as follows. It chooses rIDi at
And
Q3 (t r hIDI ) 1 (c t s Q2
t sIDJ r ( PIDI RIDI hIDI Ppub ))
in nl
tO
t sIDJ r ( PIDI RIDI hIDI Ppub )
to LH 2 , and sends h j to A 2.
or
ECCDH probability
problem
with
non-negligible
),
and
with inserts
Private Key Extraction Queries: F maintains a list
Lsk of tuple ( IDi , d IDi , sIDi ) which is initially empty.
For query on input IDi , F performs as follows: 1) If the query IDi has already appeared on Lsk , then the previously defined value is returned. 2) Else if IDi IDI , F sets sIDi , PIDi Q1 . 3) Else if IDi IDJ , F sets sIDi , PIDi Q2 . 4) Else if IDi IDI and IDI IDJ , F generates
io
a random number sIDi Z n* , compute PIDi sIDi P . Then F looks up (
IDi , RIDi , d IDi , hIDi
),
(
IDi , d IDi , sIDi , PIDi
)
LH1 to get the tuple and to
Lsk
add ,
n
signing queries and qh hashing queries respectively. Then, we will show how to use the ability of A 2 to construct an algorithm F solving the ECCDH. Suppose F is challenged with a ECCDH instance ( P, Q1 aP, Q2 bP ) and is tasked to
IDi , RIDi , PIDi , d IDi , hIDi
response
( IDi , RIDi , PIDi , d IDi , hIDi ) into LH1 .
the ECCDH assumption. Proof for Theorem2: Suppose that there is a type 2 Adversar A 2 who can breaks our scheme with probability , when making qe extraction queries, qs
,
at
2 , which is in contradiction with qs (qs 1)
(
d IDi rIDi x hIDi
lic ub
1 IDB IDJ is . Thus, we can obtain qs (qs 1) 2 Q3 ab P with the probability . In other qs (qs 1) words, given ( P, Q1 aP, Q2 bP ), F can solve the
and
eP
Obviously, the probability of IDA IDI
random, sets RIDi rIDi P , hIDi H1 ( IDi , RIDi , PIDi )
the
tuple
and
sends
sk IDi {d IDi , sIDi } to A 2. Public Key Extraction Queries: F maintains a list
compute Q3 ab P . To do so, F chooses a
Lpk of tuple ( IDi , pk IDi ) which is initially empty.
random x Z n* , computes Q xP , picks two identity
When A 2 queries on input IDi , F checks whether L pk
c t (d IDJ sIDJ )( s P r ( PIDI
contains a tuple for this input. If it does, the previously defined value is returned. Otherwise, F looks up the and Lsk and gets the tuple tables LH1 ( IDi , RIDi , d IDi , hIDi )
and
RIDI hIDI Ppub )) t s RIDJ t d IDJ r ( PIDI
( IDi , d IDi , sIDi , PIDi )
RIDI hIDI Ppub ) t s PIDJ
separately. At last F returns pk IDi {PIDi , RIDi } and
t r Q3 t d IDI r Q2 t r hIDI x Q2
adds ( IDi , pk IDi ) to the L pk .
IA
Signing Queries: When a message m , the signer A ’s identity IDA , the designated verifier’s B ’s
(12) Then we have
t r Q3 c t s RIDJ
IDA IDI or IDA IDJ , F terminates the simulation.
t d IDJ r ( PIDI RIDI hIDI Ppub )
T JI
identity IDB is coming, F acts as follows: If Otherwise, F first checks that whether tuple ( IDi , RIDi , d IDi , hIDi ) and ( IDi , pk IDi ) are in LH1 and
Lpk
separately.
If
yes,
it
just
retrieves
t s PIDJ t d IDI r Q2 t r hIDI x Q2 And
Q3 (t r ) 1 (c t s RIDJ
values to sign for the message according to the signing algorithm described in the scheme. It outputs the signature ( r , s, t ) for the message m and stores the
t d IDJ r ( PIDI RIDI hIDI Ppub )
rs
Fi
( d IDA , sIDA , PIDB , RIDB ) from the tables and uses these
(14)
t s PIDJ t d IDI r Q2 t r hIDI x Q2 ) Obviously, the probability of IDA IDI or
has not been queried to the partial private extraction oracle and the private extraction oracle, F executes the simulation of the partial private extraction oracle and the private extraction oracle, then uses the corresponding secret key to sign the message. Finally, A 2 stops and outputs a signature S {r , s, t} on the message m with the signer A ’s
1 . Thus, we can obtain qs (qs 1) 2 Q3 ab P with the probability . In other qs (qs 1) words, given ( P, Q1 aP, Q2 bP ), F can solve the
identity IDA , and A ’s private key sk IDA , the
ECCDH
designated verifier’s B ’s identity IDB public key
eP
tO
value H 2 (m, c) in LH 2 for consistency. If IDA or IDB
(13)
IDB IDJ is
in nl
pk IDB , which satisfies the following equation If IDA IDI or IDB IDJ , F outputs “failure” and aborts. Otherwise, F recovers the tuple ( IDI , RIDI , d IDI , hIDI ) and ( IDJ , RIDJ , d IDJ , hIDJ ) from LH1 ,
the
tuple
( IDI , sIDI , pk IDI )
and
from LH 2 .
c t (d IDJ sIDJ )( s P r ( PIDI RIDI hIDI Ppub )) Since PIDI Q1 a P , RIDJ Q2 b P and
Ppub x P , we could have
the ECCDH assumption.
n
(11)
2 , which is in contradiction with qs (qs 1)
io
Then, we have
non-negligible
at
( IDJ , sIDJ , pk IDJ ) from L pk and the tuple ( m, c, h )
with
lic ub
Verify ( params,, m, IDA , sk IDB , pk IDA , S ) 1 .
probability
problem