An Efficient Certificateless Designated Verifier Signature Scheme

4 downloads 395090 Views 528KB Size Report
non-repudiation. In an ordinary digital signature scheme, anyone can verify the validity of a signature using the signer's public key. However, in some scenarios ...
An Efficient Certificateless Designated Verifier Signature Scheme

IA

Debiao He, Jianhua Chen School of Mathematics and Statistics, Wuhan University, China

T JI

Abstract: To solve the key escrow problem in identity-based (ID-based) cryptosystem, Al-Riyami et al. introduced the certificateless public key cryptography. As an important cryptographic primitive, certificateless designated verifier signature scheme was studied widely. Following Al-Riyami et al.’s work, many certificateless designated verifier signature schemes using bilinear pairings have been proposed. But the relative computation cost of the pairing is approximately twenty times higher than that of the scalar multiplication over elliptic curve group. In order to improve the performance we propose a certificateless designated verifier signature scheme without bilinear pairings. With the running time of the signature being saved greatly, our scheme is more practical than the previous related schemes for practical application.

Fi

Keywords: Certificateless public key cryptography, designated verifier signature, bilinear pairings, elliptic curve, Random oracle model.

rs

Received December 28, 2010; accepted May 10, 2011

tO

1. Introduction

n

io

at

lic ub

eP

in nl

Public key cryptography is an important technique to realize network and information security. Traditional public key infrastructure requires a trusted certification authority to issue a certificate binding the identity and the public key of an entity. Hence, the problem of certificate management arises. To solve the problem, Shamir defined a new public key paradigm called identity-based public key cryptography [1]. However, identity-based public key cryptography needs a trusted KGC to generate a private key for an entity according to his identity. So we are confronted with the key escrow problem. Fortunately, the two problems in traditional public key infrastructure and identity-based public key cryptography can be prohibited by introducing Certificateless Public Key Cryptography (CL-PKC) [2], which can be conceived as an intermediate between traditional public key infrastructure and identity-based cryptography. Digital signatures, one of the general primitives of cryptography, have many applications in information security to provide authentication, data integrity, and non-repudiation. In an ordinary digital signature scheme, anyone can verify the validity of a signature using the signer’s public key. However, in some scenarios, this public verification is not desired, if the signer does not want the recipient of a digital signature to show this signature to a third party at will. To address this problem above, Jakobsson et al. [3] proposed the concept of Designated Verifier Signature (DVS) schemes. A DVS scheme is special type of digital signature which provides message authentication without non-repudiation. These signatures have several

applications such as in E-voting, call for tenders and software licensing. Suppose Alice has sent a DVS to Bob. Unlike the conventional digital signatures, Bob cannot prove to a third party that Alice has created the signature. This is accomplished by the Bob’s capability of creating another signature designated to himself which is indistinguishable from Alice’s signature. Following the pioneering work due to Jakobsson et al. [3], many PKC-based DVS [4, 5, 6] and IDbased DVS [7, 8, 9, 10, 11] have been proposed. In 2006, Huang et al. [12] presented the first Certificateless Designated Verifier Signature (CLDVS) scheme. Unfortunately, their scheme is insecure against a malicious but passive KGC attack. In order to improve the security, several CLDVS schemes [13, 14, 15, 16] have been proposed. All the above CLS schemes may be practical, but they are from bilinear pairings and the pairing is regarded as the most expensive cryptography primitive. The relative computation cost of a pairing is approximately twenty times higher than that of the scalar multiplication over elliptic curve group [17]. Therefore, CLDVS schemes without bilinear pairings would be more appealing in terms of efficiency. In this paper, we present a CLDVS scheme without pairings. The scheme rests on the Elliptic Curve Computational Diffie-Hellman Problem (ECDHP).With the pairing-free realization, the scheme’s overhead is lower than that of previous schemes [12, 13, 14, 15, 16] in computation. The rest of the paper is organized as follows: in section 2, we recall the model for CLDVS and the security properties of CLDVS; we propose our scheme in

section 4; Security analysis and performance analysis of the proposed scheme are given in section 5. Finally, we conclude this paper.

2. Preliminaries 2.1. Background of Elliptic Curve Group

user's partial private key d ID and his secret value sID as inputs, and outputs the full private key sk ID  {d ID , sID } . Set-Public-Key: Taking as inputs params and a user's secret value sID and d ID , and generates a public key

Let the symbol E / Fp denote an elliptic curve E over

pk ID for the user.

IA

Sign: It takes as inputs params , a message m , the

a prime finite field Fp , defined by an equation: y 2  x 3  ax  b , a, b  F p

Set-Private-Key: This algorithm mtakes params , a

(1)

signer A ’s identity IDA , and A ’s private key sk IDA , the designated verifier’s B ’s identity IDB public key

T JI

And with the discriminant :

  4a 3  27b 2  0

(2)

The points on E / Fp together with an extra point O called the point at infinity form a group:

Fi

G  {( x, y ) : x, y  Fp , E ( x, y )  0}  {O}

(3)

tO

rs

Let the order of G be n . G is a cyclic additive group under the point addition “+” defined as follows: Let P, Q  G , l be the line containing P and Q (tangent line to E / Fp if P = Q ), and R , the third point of intersection of l with E / Fp . Let l  be the line

Verify: It takes as inputs params , a public key pk ID , a message m , the signer A ’s public key pk IDA , the designated verifier’s B ’s identity IDB , B ’s private key sk IDB and a signature S , and returns 1 means that the signature is accepted. Otherwise, 0 means rejected. Transcript-Simulation: An algorithm that is run by the designated verifier B to produce identically distributed transcripts that are indistinguishable from the original signer A .

2.3. Security Properties of Certificateless Designated Verifier Signatures

in nl

connecting R and O . Then P “+” Q is the point such

pk IDB and outputs a signature S .

that l  intersects E / Fp at R and O and P “+” Q. Scalar multiplication over E / Fp can be computed as follows:

(4)

and Q2  b  P compute Q  ab  P .

io

2.4. Security Model For Certificateless Designated Verifier Signatures

n

A CLDVS scheme consists of eight algorithms [2]: Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key, Sign, Verify and Transcript-Simulation. Setup: Taking security parameter k as input and returns the system parameters params and master key. Partial-Private-Key-Extract: It takes params , master key and a user's identity ID as inputs. It returns a partial private key d ID . Set-Secret-Value: Taking as inputs params and a user's identity ID ,this algorithm generates a secret value sID .

at

2.2. Certificateless Designated Verifier Signatures

lic ub

The following problems defined over G are assumed to be intractable within polynomial time. Computational Eliptic curve Diffie-Hellman problem: For P the generator of G , given Q1  a  P

Correctness: If the signer properly produces a CLDVS by the CLDVS -Sign algorithm, then the verifying algorithm must accept the produced signature. Unforgeability: It is computationally infeasible to construct a valid CLDVS without the knowledge of the private key of either the signer or the designated verifier. Source Hiding: Given a message m and a CLDVS on m, it is infeasible to determine who created this signature either the original signer or the designated verifier, even if one knows all the private keys. Non-Delegatability: Given any indirect form of the private key of the signer, it is infeasible to construct a valid CLDVS to any designated verifier.

eP

tP  P  P  …  P (t times )

The CLDVS scheme must satisfy the following properties.

In CLDVS, as defined in [2], there are two types of adversaries with different capabilities, we assume Type 1 Adversary, A 1 acts as a dishonest user while Type 2 Adversary, A 2 acts as a malicious KGC: CLDVS Type 1 Adversary: such an adversary A 1 represents a third party attacks against the CLDVS scheme. A 1 does not have access to the master key

algorithms: Setup, Partial-Private-Key-Extract, SetSecret-Value, Set-Private-Key, Set-Public-Key, Sign, Verify and Transcript-Simulation. Setup: Takes a security parameter k , returns system parameters and a master key. Given k , KGC does as follows:

designated verifier’s identity ID*j and corresponding

compute the master public key Ppub  x  P .

T JI

IA

nor the user partial private key, but A 1 can compromise users’ secret values or replace users’ public keys at will, because of the uncertified nature of the public keys generated by the users. On input system parameters, an adaptively chosenmessage and identity attacker A 1 can make hash queries, partial private key extraction queries, public key extraction queries, secret value extraction queries, public key replacement queries, Sign queries, Verify queries. Finally, A 1 outputs a message-signature pair ( m* ,  * ) with the signer’s identity IDi* and the *

public keys pk ID* and pk ID* . A 1 is successful if m i

j

with the signer’s identity IDi* and the designated verifier’s identity ID*j and corresponding public keys

Fi

pk ID* and pk ID* have not been submitted to Sign i

j

* i

rs

oracle and the message-signature pair is valid. Also ID

and ID*j have not been submitted to partial private key

tuple {Fp , E / Fp , G, P} as defined in Section 2.1. 2. Choose the master private key x  Z n* and 3. Choose two cryptographic secure hash functions H1 :{0,1}*  Z n* and H 2 :{0,1}*  Z n* . 4. Publish params  {Fp , E / Fp , G, P, Ppub , H1 , H 2 } as system parameters and keep the master key x secretly. Set-Secret-Value: The user with identity ID picks randomly sID  Z n* , computes PID  sID  P and sets

sID as his secret value. Partial-Private-Key-Extract: This algorithm takes system parameters, master key, a user’s identifier and PID  sID  P as input and returns the user’s ID-based private key. With this algorithm, KGC works as follows for each user with identifier IDU :

in nl

tO

extraction oracle. CLDVS Type 2 Adversary: such an Adversary A 2 represents a malicious-but-passive KGC who is assumed malicious at the very beginning of the Setup stage of the system. A 2 can access to the master key, but cannot obtain the user secret value nor replace the user public key. On input system parameters, an adaptively chosenmessage and identity attacker A 2 can make hash queries, public key extraction queries, Sign queries, Verify queries. Finally, A 2 outputs a messagesignature pair ( m* ,  * ) with the signer’s identity IDi*

1. Choose a k -bit prime p and determine the

i

j

*

successful if m with the signer’s identity IDi* and the designated verifier’s identity ID*j and corresponding i

j

3. Our scheme 3.1. Scheme Description In this section, we present an ID-based signature scheme without pairing. Our scheme consists of eight

private key d ID and his secret value sID , and output a pair sk ID  {d ID , sID } as the user's private key. Set-Public-Key: This algorithm takes params , the user's secret value sID as inputs and as inputs,

computes PID  sID  P and generates the user's public

n

private key extraction oracle. Definition 1: A CDVS scheme is existential unforgeable against adaptively chosen message and identity attacks if and only if it is secure against both types of adversaries.

valid if the equation holds and vice versa. Set-Private-Key: Given params , the user's partial

io

to Sign oracle and the message-signature pair is valid. Also IDi* and ID*j have not been submitted to partial

The user’s s partial private key is the tuple {d ID , RID } and he can validate her private key by checking whether the equation d ID  P  RID  hID  Ppub holds. The private key is

at

public keys pk ID* and pk ID* have not been submitted

random

lic ub

corresponding public keys pk ID* and pk ID* . A 1 is

at

eP

ID*j and

and the designated verifier’s identity

rID  Z n* , compute RID  rID  P and hID  H1 ( ID, RID , PID ) . 2. Compute d ID  rID  hID x mod n . 1. Choose

key pk ID  {RID , PID } Sign: This algorithm takes system parameters, the signer A ’s identity IDA , and A ’s private key sk IDA , the designated verifier’s B ’s identity IDB public key

pk IDB and a message m as input and returns a signature of the message m . The user does as the follows:

1. Compute hIDB  H1 ( IDB , RIDB , PIDB ) . 2. Choose

at

random

compute c  l  ( PIDB  RIDB  hIDB

l  Z n*  Ppub ) .

to

3. Compute r  H 2 (m, c) . 4. Choose

at

compute s  lt

t  Z n*

random

and

1

 r (d IDA  sIDA ) mod n . 5. The resulting signature is ( r , s, t ).

IA

T JI

key sk IDB

verifier’s B ’s

IDB private , a message m and a signature ( r , s, t ) as

identity

Fi

inputs. Then return 1 means that the signature is accepted. Otherwise, 0 means rejected. The user does as the follows. 1. Compute hIDA  H1 ( IDA , RIDA , PIDA ) .

rs

2. Compute

1. Correctness: The correctness of proposed scheme can be verified by the following equations. Since (d IDA  sIDA )  P  PIDA  RIDA  hIDA  Ppub and (d IDB  sIDA )  P  PIDB  RIDB  hIDB  Ppub , we have

Verify: This algorithm takes system parameters, the signer A ’s identity IDA , and A ’s public key pk IDA , the

designated

proposed scheme is secure under the difficulty of solving the ECCDH problem.

c  t ( d IDB  sIDB )( s  P  r  ( PIDA  RIDA  hIDA  Ppub )) .

tO

3. Check whether r  H 2 (m, c) holds. Return 1 if it is equal. Otherwise return 0.

 t (d IDB  sIDB )((lt 1  r (d IDA  sIDA ))  P  r  ( PIDA  RIDA  hIDA  Ppub ))

(6)

1

 t (d IDB  sIDB )lt  P  l (d IDB  sIDB )  P  l ( PIDB  RIDB  hIDB  Ppub )  c

Then the correctness of our scheme is proved. 2. Unforgeability: We will prove our scheme can provide the unforgeability property by the following two theorems. The proof of the two theorems are given in the appendixes: Theorem 1: If there is a type 1 adversary A 1 that breaks our proposed CLDVS scheme, then there exists an algorithm F which solves the ECDHP problem with non-negligible probability. Theorem 2: If there is a type 2 adversary A 2 that breaks our proposed CLDVS scheme, then there exists an algorithm F which solves the EDCDH problem with non-negligible probability. 3. Source Hiding: Given a DVS ( r , s, t ) on a message m , even if a third party knows the signer A ’s private key pair ( d IDA , sIDA ) and the verifier

key pk IDA , the designated verifier’s B ’s identity IDB

private key sk IDB and a message m as inputs. Then generate a signature ( r , s, t ).The user does as the follows. 1. Compute hIDA  H1 ( IDA , RIDA , PIDA ) . at

random

compute c  s  P  r   ( PIDA

s, r   Z n* ,  RIDA  hIDA  Ppub ) ,

r  H 2 (m, c) , l  r l 1 mod n , s  sl 1 mod n and t  l (d IDB  sIDB ) 1 mod n . 3. The resulting signature is ( r , s, t ).

identify whether ( d IDA , sIDA ) or ( d IDB , sIDB ) has

been used in the construction of the term s because he does not have the knowledge of the random numbers l used during the signing process. Hence, it is infeasible to determine whether the original signer or the designated verifier creates the signature. 4. Non-Delegatability: The problem of delegatability does not exist in our scheme. Because the construction of the term s requires the signer’s private key pair ( d IDA , sIDA ), and it is impossible

c  t (d IDB  sIDB )( s  P  r  ( PIDA  RIDA  hIDA  Ppub ))

(5)

 s  P  r   ( PIDA  RIDA  hIDA  Ppub ))  c

Then the designated verifier can generate the same transcripts in an indistinguishable way.

n

 sl  P  rl  ( PIDA  RIDA  hIDA  Ppub ))

io

at

Since  l ( s  P  r  ( PIDA  RIDA  hIDA  Ppub ))

B ’s private key pair ( d IDB , sIDB ), he cannot

lic ub

2. Choose

eP

in nl

Transcript-Simulation: This algorithm takes system parameters, the signer A ’s identity IDA , and A ’s public

c  t (d IDB  sIDB )( s  P  r  ( PIDA  RIDA  hIDA  Ppub ))

for the signer to delegate his signing capability to any third party without disclosing his private keys, a third party can not generate a valid signature ( r , s, t ) on a message m .

3.2. Security Analysis

4. Comparison with Previous Scheme

In the section, we give security analysis of our proposed scheme and show that the security of our

In this section, we will compare the efficiency of our new scheme with the latest CLDVS schemes, i.e.,

Huang et al.’s scheme [12], Yang et al.’s scheme [13], Chen et al.’s scheme[14], Yang et al.’s scheme [15] and Xiao et al.’s scheme [16]. For the convenience of evaluating the computational cost, we define some notations as follows:

TGexp : The time of executing a modular exponentiation

IA

operation. TG pair : The time of executing a pairing operation.

TG pbsm : The time of executing a pairing-based scalar

T JI

multiplication operation of point. TGebsm : The time of executing an ECC-based scalar multiplication operation of point. TG padd : The time of executing an addition operation of points

Fi

TGinv : The time of executing a modular inversion

tO

rs

operation. TGmul : The time of executing a general multiplication operation. TGadd : The time of executing a general addition operation. TGmtph : The time of executing a map-to-point hash

Xiao et al.’s scheme [16]

1 TG pair +4 TG pbsm +

1 TG pair +2 TG pbsm +

TGmtph + TGh +

TGmtph + TGh +

1 TG padd

1 TG padd

3 TG pbsm + TGinv +

1 TGexp +2 TG pair +

TGmtph + TGh

1 TG pbsm + TGmtph + TGh

Our scheme

2 TGebsm +1 TGinv +

2 TGebsm +3 TG padd +

3 TG padd +2 TGh +

2 TGh +1 TGmul +

2 TGmul +2 TGadd

1 TGadd

As the main computational overheads, we only consider the bilinear pairing operation, the modular exponentiation, the scale multiplication and the pairing-based scale multiplication. From the theoretical analysis [17] and the experimental result [18-21], we know the relative computation cost of the bilinear pairing operation, the modular exponentiation and the pairing-based scale multiplication are at least 19, 3 and 3 times that of the scalar multiplication separately. The running time of the sign algorithm of our scheme is 9.09% of Huang et al.’s scheme [12], 7.14% of Yang et al.’s scheme [13], 9.09% of Chen et al.’s scheme[14], 6.45% of Yang et al.’s scheme [15] and 22.22% of Xiao et al.’s scheme [16], the running time of the verify algorithm of our scheme is 3.33% of Huang et al.’s scheme [12], 3.18% of Yang et al.’s scheme [13], 9.09% of Chen et al.’s scheme[14], 8.00% of Yang et al.’s scheme [15] and 4.54% of Xiao et al.’s scheme [16]. Thus our scheme is more useful and efficient than the previous schemes[12-16].

In Table 1, we summarize the performance results of different CLDVS schemes. From the Table 1, we know that the client side requires only 3 TG pair +1 TG pbsm + TGmtph + TGh +1 TG padd .

[18]. For the ECC-based schemes, to achieve the same security level, we employ some secure elliptic curve on a finite field Fp or F2m , where the length of p is 160

In this paper, we have proposed an efficient certificateless DVS scheme without bilinear pairings. We also prove the security of the scheme under random oracle. Compared with previous scheme, the new scheme reduces both the running time. Therefore, our scheme is more practical than the previous related schemes for practical application.

Table 1. Performance evaluation of our protocol. Verify 3 TG pair +1 TG pbsm +

1 TGinv +1 TGmtph +

TGmtph + TGh +

1 TGh +1 TG padd

1 TG padd

1 TG pair +3 TG pbsm +

3 TG pair +2 TG pbsm +

TGmtph + TGh

1 TG padd + TGh

References

1 TG pair +1 TG pbsm +

1 TG pair +1 TG pbsm +

[1]

TGmtph + TGh

TGmtph + TGh

The authors thank the anonymous reviewers and the editors for their valuable comments. This research was supported by the Fundamental Research Funds for the Central Universities under Grants 201275786.

n

Yang et al.’s scheme [13] Chen et al.’s scheme [14]

6. Acknowledgements

Sign 1 TG pair +1 TG pbsm +

io

Huang et al.’s scheme [12]

at

bits at least [18]. Table 1 shows the results of the performance comparison.

5. Conclusions

lic ub

For the pairing-based scheme, to achieve the 1024bit RSA level security, we have to use the Tate pairing defined over some supersingular elliptic curve on a finite field Fq , where the length of q is 512 bits at least

eP

in nl

function. TGh : The time of executing a one-way hash function.

Yang et al.’s scheme [15]

A. Shamir, “Identity-based cryptosystems and signature schemes”, Proc. CRYPTO1984, pp.47– 53, 1984.

[2] [3]

[4]

IA

S. Al-Riyami, K.G. Paterson, “Certificateless public key cryptography”, Proceedings of ASIACRYPT 2003, pp. 452–473, 2003. Jakobsson, M., Sako, K., Impagliazzo, R. “Designated verifier proofs and their applications”, Advances in Eurocrypt 1996, pp. 143-154, 1996. S. Saeednia, S. Kremer, O. Markowitch, “An Efficient Strong Designated Verifier Signature Scheme”, ICISC 2003, pp. 40–54, 2004. H. Lipmaa, G. Wang, F. Bao, “Designated Verifier Signature Schemes:Attacks, New Security Notions and a New Construction”, ICALP 2005, LNCS 3580, pp. 459–471, 2005. R. Tso, T. Okamoto, E. Okamoto, “Practical Strong Designated Verifier Signature Schemes Based on Double Discrete Logarithms”, CISC 2005, pp. 113–127, 2005. Saeednia, S., Kramer, S., Markovitch, O. “An efficient strong designated verifier signature scheme”. ICISC 2003, pp. 40–54, 2003. Susilo, W., Zhang, F., Mu, Y. “Identity-based strong designated verifier signature schemes”, ACISP 2004, pp. 313–324, 2004. Kumar, K., Shailaja, G., Saxena, A.”Identity based strong designated verifier signature scheme”, . Zhang, J., Mao, J. “A novel ID-based designated verifier signature scheme”. Information Science, vol. 178, no. 3, pp. 766-773, 2008. B.Kang, C. Boyd, E. Dawson, “A novel identitybased strong designated verifier signature scheme”, The Journal of Systems and Software, no. 82, pp. 270–273, 2009. X. Huang, Willy Susilo, Yi Mu, F. Zhang, “Certificateless designated verifier signature schemes”, Proc. AINA’06, pp.15-19, 2006. MING Yang, SHEN Xiao-qin, WANG Yu-min, “Certificateless universal designated verifier signature Schemes”, Journal of China Universitles Posts and Telecommunications, Vol.14, no. 3,pp. 85-91, 2007. Chen, H, Song, RS, Zhang, FT, Song, FG, “An Efficient Certificateless Short Designated Verifier Signature Scheme”, 4th international Conference on Wireless Networking and Mobile Computing, pp. 4627-4632, 2008. Yang B., Hu Z., Xiao Z., “Efficient Certificateless Strong Designated Verifier Signature Scheme”, International Conference on Computational Intelligence and Security 2009, pp.432-436, 2009 Xiao Z., Yang B., Li S., “Certificateless Strong Designated Verifier Signature Scheme”, 2nd International Conference on e-Business and Information System Security, pp. 1 – 5, 2010.

[5]

T JI

[6]

[11]

n

[16]

io

[15]

at

[14]

Jianhua Chen received the B.Sc. degrees in computer science from Harbin Institute of Technology, Harbin, China, in 1983, and received the M.Sc and the Ph.D. degree in applied mathematics from Wuhan University, Wuhan, China, in 1989 and 1994, respectively. Currently, he is a professor of Wuhan University. His current research interests include number theory, information security and network security.

lic ub

[13]

eP

[12]

Debiao He received the B.Sc. degrees in computer science from the Shandong Teacher’s University, Jinan, China, in 2003, and received the M.Sc and the Ph.D. degree in applied mathematics from Wuhan University, Wuhan, China, in 2006 and 2009, respectively. His current research interests include cryptography, information security and network security.

in nl

[10]

tO

[9]

rs

[8]

Fi

[7]

[17] Chen L., Cheng Z., Smart N., “Identity-based key agreement protocols from pairings”, Int. J. Inf. Secur, no.6, pp.213–241, 2007. [18] Cao X., Kou W. “A Pairing-free Identity-based Authenticated Key Agreement Scheme with Minimal Message Exchanges”, Information Sciences, DOI: 10.1016/j.ins.2010.04.002. [19] He D., Chen J., Hu J. “An ID-based proxy signature schemes without bilinear pairings, Annals of Telecommunications. DOI: 10.1007/s12243-011-0244-0. [20] He D., Chen J., Hu J. ”A pairing-free certificateless authenticated key agreement protocol”, International Journal of Communication Systems, DOI: 10.1002/dac.1265. [21] He D., Chen J., Zhang R., “An efficient identitybased blind signature scheme without bilinear pairings”, Computers & Electrical Engineering , DOI:10.1016/j.compeleceng.2011.05.009

pk IDi  {PIDi , RIDi } and adds ( IDi , sIDi , pk IDi ) to

Appendixes Proof for Theorem1: Suppose F is challenged with a ECCDH instance ( P, Q1  aP, Q2  bP ) and is tasked to compute Q3  ab  P . To do so, F picks two

IA

identity IDI and IDJ at random as the challenged ID in this game, and gives {Fp , E / Fp , G, P, Ppub  Q1 , H1 , H 2 } to A 1 as the

T JI

public parameters. Then F answers A 1’s queries as follows. H1-Queries: F maintains a hash list LH1 of tuple ( IDi , RIDi , PIDi , d IDi , hIDi ) as explained below. The list

the Lpk . Private Key Extraction Queries: For query on input IDi , If IDi  IDI or IDi  IDJ , F stops and outputs “failure”. Otherwise, F performs as follows: If the LH1 and the Lpk contain the corresponding tuple (

IDi , RIDi , sIDi , hIDi

(

IDi , sIDi , pk IDi

)

)

and

respectively,

the

tuple

F

sets

sk IDi  {d IDi , sIDi } and sends it to A 1. Otherwise, F makes a partial private key extraction query and a public key extraction query on IDi , then simulates as the above process and sends sk IDi  {d IDi , sIDi } to A

then the previously defined value is returned. Otherwise, F acts as described in the partial private key extraction queries. H2-Queries: F maintains a hash list LH 2 of tuple

Public Key Replacement:When A 1 queries on

rs

Fi

is initially empty. When A 1 makes a hash oracle query on IDi , if the query IDi has already appeared on LH1 ,

1.

pk IDi ),F checks whether the tuple input ( IDi , ( IDi , sIDi , pk IDi ) is contained in the Lpk . If it does, F

pk IDi and adds the tuple ( IDi , , pk IDi ) sets pk IDi 

IDi on the message m j , F chooses a random value

to the Lpk .

hj  Z

* n,

tO

( m j , c j , h j ). When A 1 makes H2 queries for identity sets h j  H 2 (m j , c j ) and adds ( m j , c j , h j ) to

in nl

LH 2 , and sends h j to A 1.

Partial Private Key Extraction Queries: A 1 is allowed to query the extraction oracle for an identity IDi . F query H1 oracle IDi is on LH1 , then F response with ( IDi , RIDi , PIDi , d IDi , hIDi ). Otherwise, if

IDi , RIDi , PIDi , d IDi , hIDi

( IDi , RIDi , PIDi , d IDi , hIDi )

),

and

into LH1 .

inserts Note

that

( RIDi , d IDi , hIDi ) generated in this way satisfies the

contains a tuple for this input. If it does, the previously defined value is returned. Otherwise, if IDi  IDJ , F picks a random value sID  Z n* , computes PIDi  sIDi  P . If IDi  IDJ , F sets PIDi  b  P and sIDi  . F queries Partial Private Key Extraction Queries with IDi and

PIDi and get response RIDi . At last F returns

consistency. If IDA or IDB has not been queried to the partial private extraction oracle and the private extraction oracle, F executes the simulation of the partial private extraction oracle and the private extraction oracle, then uses the corresponding secret key to sign the message. Finally, A 1 stops and outputs a signature S  {r , s, t} on the message m with the signer A ’s identity IDA , and A ’s private key sk IDA , the

n

When A 1 queries on input IDi , F checks whether Lpk

message m and stores the value H 2 (m, c) in LH 2 for

io

key extraction algorithm. It is a valid secret key. Public Key Extraction Queries: F maintains a list Lpk of tuple ( IDi , sIDi , pk IDi ) which is initially empty.

tables and uses these values to sign for the message according to the signing algorithm described in the scheme. It outputs the signature ( r , s, t ) for the

at

equation d ID  P  RID  hID  Ppub in the partial private

yes, it just retrieves ( d IDA , sIDA , PIDB , RIDB ) from the

lic ub

hIDi  H1 ( IDi , RIDi )  ai mod n , response with

( IDi , sIDi , pk IDi ) are in LH1 and Lpk separately. If

eP

simulates the oracle as follows. It chooses ai , bi  Z n* at random, sets RIDi  ai  Ppub  bi  P , d IDi  bi , (

Signing Queries: When a message m , the signer A ’s identity IDA , the designated verifier’s B ’s identity IDB is coming, F acts as follows: F first checks that whether tuple ( IDi , RIDi , d IDi , hIDi ) and

designated verifier’s B ’s identity IDB public key

pk IDB , which satisfies the following equation Verify ( params,, m, IDA , sk IDB , pk IDA , S )  1 .

If IDA  IDI or IDB  IDJ , F outputs “failure” and aborts. Otherwise, F recovers the tuple ( IDI , RIDI , d IDI , hIDI ) and ( IDJ , RIDJ , d IDJ , hIDJ ) from LH1 ,

the tuple

( IDI , sIDI , pk IDI ) and

( IDJ , sIDJ , pk IDJ ) from Lpk and the tuple ( m, c, h )

IDI and IDJ at random as the challenged ID in this

from LH 2 .

game,

Then, we have c  t (d IDJ  sIDJ )( s  P  r  ( PIDI

(7)

 RIDI  hIDI  Ppub ))

Since PIDI  sIDI  P , RIDJ  b  P and Ppub  a  P , we could have

and

gives

public

parameters  Q, H1 , H 2 } and the master

{Fp , E / Fp , G, P, Ppub key s to A 2. Then F answers A 2’s queries as

follows. H1-Queries: F maintains a hash list LH1 of tuple ( IDi , RIDi , PIDi , d IDi , hIDi ) indexed by IDi . The list is

IA

initially empty. When A 2 makes a hash oracle query on IDi , if the query IDi has already appeared on LH1 ,

c  t (d IDJ  sIDJ )( s  P  r  ( PIDI  RIDI  hIDI  Ppub ))

T JI

 t  s  Q2  t  s  sIDJ  P  t  r  sIDI  Q2

(8)

t  r  d IDI  Q2  t  r  hIDI  Q3

then the previously defined value is returned. Otherwise, F makes the partial private key extraction query with IDi , and sends hIDi to A 2. H2-Queries: F maintains a hash list LH 2 of tuple

t  sIDJ  r  ( PIDI  RIDI  hIDI  Ppub )

( m j , c j , h j ). When A 2 makes H2 queries for identity

Fi

Then we have

IDi on the message m j , F chooses a random value

t  r  hIDI  Q3  c  t  s  Q2  t  s  sIDJ  P 

rs

t  r  sIDI  Q2  t  r  d IDI  Q2

h j  Z n* , sets h j  H 2 (m j , c j ) and adds ( m j , c j , h j ) (9)

Partial Private Key Extraction Queries: A 2 is allowed to query the extraction oracle for an identity IDi . F query H1 oracle IDi is on LH1 , then F response with ( IDi , RIDi , PIDi , d IDi , hIDi ). Otherwise, if

t  s  sIDJ  P  t  r  sIDI  Q2  t  r  d IDI  Q2  (10)

simulates the oracle as follows. It chooses rIDi at

And

Q3  (t  r  hIDI ) 1 (c  t  s  Q2 

t  sIDJ  r  ( PIDI  RIDI  hIDI  Ppub ))

in nl

tO

t  sIDJ  r  ( PIDI  RIDI  hIDI  Ppub )

to LH 2 , and sends h j to A 2.

or

ECCDH probability

problem

with

non-negligible

),

and

with inserts

Private Key Extraction Queries: F maintains a list

Lsk of tuple ( IDi , d IDi , sIDi ) which is initially empty.

For query on input IDi , F performs as follows: 1) If the query IDi has already appeared on Lsk , then the previously defined value is returned. 2) Else if IDi  IDI , F sets sIDi  , PIDi  Q1 . 3) Else if IDi  IDJ , F sets sIDi  , PIDi  Q2 . 4) Else if IDi  IDI and IDI  IDJ , F generates

io

a random number sIDi  Z n* , compute PIDi  sIDi  P . Then F looks up (

IDi , RIDi , d IDi , hIDi

),

(

IDi , d IDi , sIDi , PIDi

)

LH1 to get the tuple and to

Lsk

add ,

n

signing queries and qh hashing queries respectively. Then, we will show how to use the ability of A 2 to construct an algorithm F solving the ECCDH. Suppose F is challenged with a ECCDH instance ( P, Q1  aP, Q2  bP ) and is tasked to

IDi , RIDi , PIDi , d IDi , hIDi

response

( IDi , RIDi , PIDi , d IDi , hIDi ) into LH1 .

the ECCDH assumption. Proof for Theorem2: Suppose that there is a type 2 Adversar A 2 who can breaks our scheme with probability  , when making qe extraction queries, qs

,

at

2 , which is in contradiction with qs (qs  1)

(

d IDi  rIDi  x  hIDi

lic ub

1 IDB  IDJ is . Thus, we can obtain qs (qs  1) 2 Q3  ab  P with the probability . In other qs (qs  1) words, given ( P, Q1  aP, Q2  bP ), F can solve the

and

eP

Obviously, the probability of IDA  IDI

random, sets RIDi  rIDi  P , hIDi  H1 ( IDi , RIDi , PIDi )

the

tuple

and

sends

sk IDi  {d IDi , sIDi } to A 2. Public Key Extraction Queries: F maintains a list

compute Q3  ab  P . To do so, F chooses a

Lpk of tuple ( IDi , pk IDi ) which is initially empty.

random x  Z n* , computes Q  xP , picks two identity

When A 2 queries on input IDi , F checks whether L pk

c  t (d IDJ  sIDJ )( s  P  r  ( PIDI 

contains a tuple for this input. If it does, the previously defined value is returned. Otherwise, F looks up the and Lsk and gets the tuple tables LH1 ( IDi , RIDi , d IDi , hIDi )

and

RIDI  hIDI  Ppub ))  t  s  RIDJ  t  d IDJ  r  ( PIDI 

( IDi , d IDi , sIDi , PIDi )

RIDI  hIDI  Ppub )  t  s  PIDJ

separately. At last F returns pk IDi  {PIDi , RIDi } and

t  r  Q3  t  d IDI  r  Q2  t  r  hIDI  x  Q2

adds ( IDi , pk IDi ) to the L pk .

IA

Signing Queries: When a message m , the signer A ’s identity IDA , the designated verifier’s B ’s

(12) Then we have

t  r  Q3  c  t  s  RIDJ 

IDA  IDI or IDA  IDJ , F terminates the simulation.

t  d IDJ  r  ( PIDI  RIDI  hIDI  Ppub ) 

T JI

identity IDB is coming, F acts as follows: If Otherwise, F first checks that whether tuple ( IDi , RIDi , d IDi , hIDi ) and ( IDi , pk IDi ) are in LH1 and

Lpk

separately.

If

yes,

it

just

retrieves

t  s  PIDJ  t  d IDI  r  Q2  t  r  hIDI  x  Q2 And

Q3  (t  r ) 1 (c  t  s  RIDJ 

values to sign for the message according to the signing algorithm described in the scheme. It outputs the signature ( r , s, t ) for the message m and stores the

t  d IDJ  r  ( PIDI  RIDI  hIDI  Ppub ) 

rs

Fi

( d IDA , sIDA , PIDB , RIDB ) from the tables and uses these

(14)

t  s  PIDJ  t  d IDI  r  Q2  t  r  hIDI  x  Q2 ) Obviously, the probability of IDA  IDI or

has not been queried to the partial private extraction oracle and the private extraction oracle, F executes the simulation of the partial private extraction oracle and the private extraction oracle, then uses the corresponding secret key to sign the message. Finally, A 2 stops and outputs a signature S  {r , s, t} on the message m with the signer A ’s

1 . Thus, we can obtain qs (qs  1) 2 Q3  ab  P with the probability . In other qs (qs  1) words, given ( P, Q1  aP, Q2  bP ), F can solve the

identity IDA , and A ’s private key sk IDA , the

ECCDH

designated verifier’s B ’s identity IDB public key

eP

tO

value H 2 (m, c) in LH 2 for consistency. If IDA or IDB

(13)

IDB  IDJ is

in nl

pk IDB , which satisfies the following equation If IDA  IDI or IDB  IDJ , F outputs “failure” and aborts. Otherwise, F recovers the tuple ( IDI , RIDI , d IDI , hIDI ) and ( IDJ , RIDJ , d IDJ , hIDJ ) from LH1 ,

the

tuple

( IDI , sIDI , pk IDI )

and

from LH 2 .

c  t (d IDJ  sIDJ )( s  P  r  ( PIDI  RIDI  hIDI  Ppub )) Since PIDI  Q1  a  P , RIDJ  Q2  b  P and

Ppub  x  P , we could have

the ECCDH assumption.

n

(11)

2 , which is in contradiction with qs (qs  1)

io

Then, we have

non-negligible

at

( IDJ , sIDJ , pk IDJ ) from L pk and the tuple ( m, c, h )

with

lic ub

Verify ( params,, m, IDA , sk IDB , pk IDA , S )  1 .

probability

problem