
A new certificateless aggregate signature scheme

Computer Communications 32 (2009) 1079-1085
Authors: Lei Zhang, Futai Zhang
Presenter: 紀汶承

Outline

Introduction
Preliminaries
A CLAS scheme
Two types of adversaries
An efficient certificateless aggregate signature scheme
Security proof

Introduction

Purpose: combine many signatures into a single signature, reducing the total signature length. Compared with verifying many separate individual signatures, this also reduces the computational cost of verification.

Preliminaries

Bilinear pairing
Table (notations and meanings)
CDH problem

Bilinear Pairing

G1: cyclic additive group generated by P, whose order is a prime q.
G2: cyclic multiplicative group of the same order q.
A bilinear pairing is a computable map e: G1 × G1 → G2 with the following properties:

Bilinear Pairing (cont.)

1. Bilinear: for any a, b ∈ Zq and R1, R2 ∈ G1, e(aR1, bR2) = e(R1, R2)^(ab).
2. Non-degenerate: there exist R1, R2 ∈ G1 such that e(R1, R2) ≠ 1.

Table (notations and meanings)

CLAS: Certificateless Aggregate Signature
KGC: Key Generation Center
A1/A2: A type I/II adversary
IDi, Pi: The identity and the public key of a user, respectively
xi, Di: The secret value and the partial private key of a user with identity IDi
l: A security parameter
e: A bilinear map
Zq: An additive group whose elements are 0, …, q-1
Mi: A message
M: Message space
σi: A single signature on a message
σ: An aggregate signature
Δ: A state information
Hi: A hash function
⊥: The value is empty

Computational Diffie-Hellman Group

Define the system parameters as Params = {G1, G2, e, q, P, H}.
Hash function: H: {0,1}* → Zq*.
CDH problem: given P, aP, bP ∈ G1 for all a, b ∈ Zq*, compute abP.

A CLAS scheme

Setup: performed by the KGC; uses a security parameter l to generate a master key and a list of system parameters params.
Partial-Private-Key-Extract: performed by the KGC; uses the user's IDi, params and the master key to produce the user's partial private key Di.
UserKeyGen: run by the user; produces the secret value/public key pair xi/Pi with xi ∈ Zq*.

A CLAS scheme (cont.)

Sign: run by the user; on input params, state information Δ, message Mi, IDi, Pi and the signing key (xi, Di), outputs σi as the signature.
Aggregate: run by the aggregate signature generator; outputs σ as the aggregate signature on messages M1, …, Mn.
Aggregate Verify: outputs true if the aggregate signature is valid, else false.

Two types of adversaries

Type I: A1 does not have the master key, but can replace public keys with values of its choice.
Type II: A2 has the master key but cannot perform public key replacement.

Two types of adversaries (cont.)

Game 1:
Setup: C runs the Setup algorithm with security parameter l as input, generating the master key and the system params. Then C sends params to A1.
Attack: A1 may perform a polynomially bounded number of the following queries.

1. Partial-Private-Key queries (IDi): A1 can request the partial private key of any user; C outputs it to A1.
2. Public-Key queries (IDi): C outputs the user's public key to A1.
3. Secret-Value queries (IDi): C outputs the user's secret value xi to A1.
4. Public-Key-Replacement queries (IDi, Pi'): A1 chooses a new public key Pi' to replace the public key Pi of user i; C records the replacement.
5. Sign queries (Δi, Mi, IDi, Pi): A1 can request a signature of user i; C computes a valid signature of user i on Mi under state information Δi.

Forgery: A1 outputs a set of n users U* = {U1*, …, Un*}, a state information Δ* and an aggregate signature σ*.
A1 wins Game 1 iff σ* is a valid aggregate signature, at least one IDi in U* has never been submitted to a ppk(IDi) query, and the corresponding S(Δi, Mi, IDi, Pi) has never been queried.

Game 2:
Setup: C runs the Setup algorithm with security parameter l as input, generating the master key and the system params. Then C sends the master key and params to A2.
Attack: A2 may perform a polynomially bounded number of the following queries.

1. Public-Key queries (IDi): C outputs the user's public key to A2.
2. Secret-Value queries (IDi): C outputs the user's secret value xi to A2.
3. Sign queries (Δi, Mi, IDi, Pi): A2 can request a signature of user i; C computes a valid signature of user i on Mi under state information Δi.

Forgery: A2 outputs a set of n users U* = {U1*, …, Un*}, a state information Δ* and an aggregate signature σ*.
A2 wins Game 2 iff σ* is a valid aggregate signature, at least one IDi in U* has never been submitted to an sv(IDi) query, and the corresponding S(Δi, Mi, IDi, Pi) has never been queried.

An efficient certificateless aggregate signature scheme

Setup: on input a security parameter l, the KGC chooses a cyclic additive group G1 and a cyclic multiplicative group G2 with a bilinear map e: G1 × G1 → G2, chooses a random λ ∈ Zq* as the master key and sets PT = λP, and chooses hash functions H1: {0,1}* → G1, H2: {0,1}* → G1, H3: {0,1}* → G1. The system parameters are {G1, G2, e, P, PT, H1, H2, H3}; the message space is M = {0,1}*.

Partial-Private-Key-Extract: compute Qi = H1(IDi) and output the partial private key Di = λQi.
UserKeyGen: select a random xi ∈ Zq* and set the secret value/public key as xi/Pi = xiP.

Sign: to sign a message Mi using the signing key (xi, Di), the signer chooses a state information Δ and performs the following steps: choose a random ri ∈ Zq*, compute Ri = riP, W = H2(Δ), Si = H3(Δ||Mi||IDi||Pi||Ri) and Vi = Di + xiW + riSi. Output σi = (Ri, Vi) as the signature on Mi.

Aggregate: given σi = (Ri, Vi) for i = 1, …, n, aggregate them into σ = (R1, …, Rn, V) with V = Σ_{i=1}^n Vi.
Aggregate Verify: compute W = H2(Δ), Qi = H1(IDi) and Si = H3(Δ||Mi||IDi||Pi||Ri) for i = 1, …, n, and verify
  e(V, P) ?= e(PT, Σ_{i=1}^n Qi) · e(W, Σ_{i=1}^n Pi) · Π_{i=1}^n e(Si, Ri).

Security proof

Assume the CDH problem is hard.
Theorem 1: In the random oracle model, suppose there exists a type I adversary A1 who has an advantage ε in forging a signature after at most qk Partial-Private-Key queries. Then the CDH problem can be solved with probability
  ε' ≥ ε / (e(qk + n)),
where e here denotes the base of the natural logarithm.

Proof: let C be a CDH attacker who receives a random instance (P, aP, bP) of the CDH problem in G1, and let A1 be a type I adversary who interacts with C.
Setup: C sets PT = aP and params = (G1, G2, e, P, PT, H1, H2, H3), then sends params to A1.
Attack: A1 can perform the following types of queries in an adaptive manner.

H1 queries: C maintains a list listH1 of tuples (IDj, αj, Qj, cj), initially empty. Whenever an H1 query on IDi is received, the same answer from the list is returned if the request has been asked before. Otherwise, C first picks a random αi ∈ Zq*, then flips a coin ci ∈ {0,1} that yields 0 with probability δ and 1 with probability 1-δ. If ci = 0, C sets Qi = αi·bP, adds (IDi, ⊥, Qi, ci) to listH1 and returns Qi as the answer; otherwise, C sets Qi = αiP, adds (IDi, αi, Qi, ci) to listH1 and returns Qi as the answer.

H2 queries: C keeps a list listH2 of tuples (Δj, Wj, βj), initially empty. Whenever A1 issues a query H2(Δi), the same answer from the list is returned if the request has been asked before. Otherwise, C selects a random βi ∈ Zq*, computes Wi = βiP, adds (Δi, Wi, βi) to listH2 and returns Wi as the answer.

H3 queries: C keeps a list listH3 of tuples (Δj, Mj, IDj, Pj, Rj, Sj, γj), initially empty. Whenever A1 issues a query (Δi||Mi||IDi||Pi||Ri) to H3, the same answer from the list is returned if the request has been asked before. Otherwise, C selects a random γi ∈ Zq*, computes Si = γiP, adds (Δi, Mi, IDi, Pi, Ri, Si, γi) to listH3 and returns Si as the answer.

Partial-Private-Key queries: C keeps a list listK of tuples (IDj, xj, Dj, Pj), initially empty. When A1 issues a Partial-Private-Key query PPK(IDi), the same answer from the list is returned if the request has been asked before. Otherwise, C first makes an H1 query on IDi and finds the tuple (IDi, αi, Qi, ci) on listH1, then does as follows:
(1) If ci = 0, abort.
(2) Else, if there is a tuple (IDi, xi, Di, Pi) on listK, set Di = αiPT and return Di as the answer.
(3) Otherwise, compute Di = αiPT, set xi = Pi = ⊥, then return Di as the answer and add (IDi, xi, Di, Pi) to listK.

Public-Key queries: on receiving a Public-Key query PK(IDi), if the request has been asked before, the current public key from the list is returned. Otherwise, C does as follows:
(1) If there is a tuple (IDi, xi, Di, Pi) on listK (in this case the public key Pi of IDi is ⊥), choose xi' ∈ Zq*, compute Pi' = xi'P, return Pi' as the answer and update (IDi, xi, Di, Pi) to (IDi, xi', Di, Pi').
(2) Otherwise, choose xi ∈ Zq*, compute Pi = xiP, return Pi as the answer, set Di = ⊥ and add (IDi, xi, Di, Pi) to listK.

Secret-Value queries: on receiving a Secret-Value query SV(IDi), C first makes PK(IDi), then finds the tuple (IDi, xi, Di, Pi) on listK and returns xi as the answer (note that the value of xi may be ⊥).
Public-Key-Replacement queries: A1 can choose a new public key for the user whose identity is IDi. On receiving a Public-Key-Replacement query PKR(IDi, Pi'), C first finds the tuple (IDi, xi, Di, Pi) on listK (if no such tuple exists on listK, or Pi = ⊥, C first makes PK(IDi)), then C updates Pi to Pi'.

Sign queries: on receiving a Sign query S(Δi, Mi, IDi, Pi), where Pi denotes the public key chosen by A1, C first makes the H1(IDi) and H2(Δi) queries, recovers (IDi, αi, Qi, ci) from listH1 and (Δi, Wi, βi) from listH2, and then generates the signature as follows:
(1) If ci = 0, choose ri, γi ∈ Zq*, set Ri = riP − γi^(-1)Qi and Si = γiPT, add (Δi, Mi, IDi, Pi, Ri, Si, γi) to listH3 (if there is already a tuple (Δi, Mi, IDi, Pi, Ri, Si, γi) on listH3, redo this step), compute Vi = βiPi + riγiPT and output σi = (Ri, Vi).
(2) Else (ci = 1), randomly choose Ri ∈ G1, obtain Si = γiP from the H3 query on (Δi||Mi||IDi||Pi||Ri), set Vi = αiPT + βiPi + γiRi and output σi = (Ri, Vi).
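As an added example (not code from the paper or from these slides), the following Python script models both the scheme of the earlier slides and C's answer to a Sign query with ci = 0 from this slide. It is a toy exponent model: G1 is Zq with generator P = 1, so kP is stored as k mod q and e(X, Y) returns the G2 exponent xy mod q, which makes a product in G2 an addition of exponents. Discrete logarithms are trivial in this model, so it reproduces only the algebra (the verification equation, the n+3 pairing count, a tampered message failing, and why the simulator's (Ri, Si, Vi) pass verification without λ = a or Di), not the security of the scheme. The group order q = 2^31 − 1, the SHA-256-based H1/H2/H3, and the identities and messages are constructed values; the verifier takes its hash functions as parameters so that the simulator can substitute the programmed random oracles, and the simulator keeps αi even when ci = 0, since the later extraction of abP uses α1*.

```python
# Toy exponent model of the Zhang-Zhang CLAS scheme (added example, not the paper's code).
# G1 = Z_q with P = 1 (kP is stored as k mod q); e(X, Y) = xy mod q is the G2 exponent.
# Discrete logs are trivial here: the model checks the algebra only, never the security.
import hashlib
import secrets

q = 2147483647   # prime group order 2^31 - 1 (constructed toy parameter)
P = 1            # generator of G1 in the exponent model


def hash_to_G1(tag, *parts):
    """H1/H2/H3 (constructed): hash a labelled byte string to a nonzero element of G1."""
    h = hashlib.sha256(tag + b"|" + b"|".join(parts)).digest()
    return 1 + int.from_bytes(h, "big") % (q - 1)

def H1(ID): return hash_to_G1(b"H1", ID)
def H2(delta): return hash_to_G1(b"H2", delta)
def H3(delta, M, ID, Pi, Ri):
    return hash_to_G1(b"H3", delta, M, ID, str(Pi).encode(), str(Ri).encode())

def mul(k, X): return (k * X) % q                     # scalar multiplication kX in G1
def e(X, Y): return (X * Y) % q                       # pairing e(X, Y) as a G2 exponent
def rand_Zq_star(): return secrets.randbelow(q - 1) + 1

def setup():
    lam = rand_Zq_star()                              # master key λ
    return lam, mul(lam, P)                           # (λ, P_T = λP)

def partial_private_key_extract(lam, ID):
    return mul(lam, H1(ID))                           # D_i = λ Q_i

def user_keygen():
    x = rand_Zq_star()
    return x, mul(x, P)                               # (x_i, P_i = x_i P)

def sign(delta, M, ID, Pi, xi, Di):
    r = rand_Zq_star()
    Ri = mul(r, P)
    Si = H3(delta, M, ID, Pi, Ri)
    Vi = (Di + mul(xi, H2(delta)) + mul(r, Si)) % q   # V_i = D_i + x_i W + r_i S_i
    return Ri, Vi

def aggregate(sigs):
    return [R for R, _ in sigs], sum(V for _, V in sigs) % q   # (R_1..R_n, V = ΣV_i)

def aggregate_verify(PT, delta, Ms, IDs, Ps, sigma, h1=H1, h2=H2, h3=H3):
    """Check e(V,P) = e(P_T, ΣQ_i) · e(W, ΣP_i) · Π e(S_i, R_i); G2 products are
    exponent sums. Returns (valid, number_of_pairings). h1/h2/h3 are swappable
    so the proof's simulator can plug in its programmed random oracles."""
    Rs, V = sigma
    rhs = (e(PT, sum(h1(ID) for ID in IDs)) + e(h2(delta), sum(Ps))) % q
    for M, ID, Pi, Ri in zip(Ms, IDs, Ps, Rs):
        rhs = (rhs + e(h3(delta, M, ID, Pi, Ri), Ri)) % q
    return e(V, P) == rhs, 3 + len(Rs)

def run_scheme(n=3):
    """Honest run with n users: returns (valid, pairings, valid_after_tampering)."""
    lam, PT = setup()
    delta = b"state-2009"                             # constructed state information
    IDs = [b"user-%d" % i for i in range(n)]          # constructed identities
    Ms = [b"message-%d" % i for i in range(n)]        # constructed messages
    keys = [user_keygen() for _ in range(n)]
    Ps = [Pi for _, Pi in keys]
    sigs = [sign(delta, Ms[i], IDs[i], Ps[i], keys[i][0],
                 partial_private_key_extract(lam, IDs[i])) for i in range(n)]
    sigma = aggregate(sigs)
    valid, pairings = aggregate_verify(PT, delta, Ms, IDs, Ps, sigma)
    tampered, _ = aggregate_verify(PT, delta, [b"forged"] + Ms[1:], IDs, Ps, sigma)
    return valid, pairings, tampered

def simulated_sign_query(PT, bP, Pi, delta, M, ID):
    """C's answer to S(Δ_i, M_i, ID_i, P_i) when c_i = 0 (Q_i = α_i bP), using only
    P_T = aP, bP and P_i: R_i = r_i P − γ_i^(-1) Q_i, S_i = γ_i P_T,
    V_i = β_i P_i + r_i γ_i P_T. Returns the signature and the programmed oracles."""
    alpha, beta, r, gamma = (rand_Zq_star() for _ in range(4))
    Qi, Wi = mul(alpha, bP), mul(beta, P)
    Ri = (mul(r, P) - mul(pow(gamma, -1, q), Qi)) % q
    Si = mul(gamma, PT)
    Vi = (mul(beta, Pi) + mul(r * gamma % q, PT)) % q
    return (Ri, Vi), (lambda _id: Qi, lambda _d: Wi, lambda *_: Si)

def run_simulation():
    """True iff C's simulated signature verifies although C never used a or D_i."""
    _a, PT = setup()                                  # C only ever touches P_T = aP
    bP = mul(rand_Zq_star(), P)                       # the bP half of the CDH instance
    _x, Pi = user_keygen()
    sig, (h1, h2, h3) = simulated_sign_query(PT, bP, Pi, b"state", b"msg", b"user-1")
    valid, _ = aggregate_verify(PT, b"state", [b"msg"], [b"user-1"], [Pi],
                                aggregate([sig]), h1, h2, h3)
    return valid

if __name__ == "__main__":
    print(run_scheme(), run_simulation())             # expected: (True, 6, False) True
```

Running the script shows the aggregate of three honest signatures verifying with 3 + n = 6 pairings, the same aggregate failing once one message is altered, and the simulator's ci = 0 signature passing the unchanged verifier under the programmed oracles, which is exactly the property that lets C answer Sign queries on identities whose partial private key it cannot compute.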

Forgery: A1 returns a forged aggregate signature σ* = (R1*, …, Rn*, V*). It is required that there exists I ∈ {1, …, n} such that A1 has not asked the partial private key for ID_I and has not made an S(Δ_I, M_I, ID_I, P_I) query. Without loss of generality, let I = 1.
The forged aggregate signature must satisfy
  e(V*, P) = e(PT, Σ_{i=1}^n Qi*) · e(W*, Σ_{i=1}^n Pi*) · Π_{i=1}^n e(Si*, Ri*).

C now proceeds only if c1* = 0 and ci* = 1 for all 2 ≤ i ≤ n; otherwise, C aborts.
In our setting, Q1* = α1*·bP, W* = β*P and S1* = γ1*P, and for all i with 2 ≤ i ≤ n, Qi* = αi*P and Si* = γi*P. From the verification equation
  e(V*, P) = e(PT, Σ_{i=1}^n Qi*) · e(W*, Σ_{i=1}^n Pi*) · Π_{i=1}^n e(Si*, Ri*)
we get
  e(PT, Q1*) = e(V*, P) · e(PT, Σ_{i=2}^n Qi*)^(-1) · e(W*, Σ_{i=1}^n Pi*)^(-1) · Π_{i=1}^n e(Si*, Ri*)^(-1).
Since e(PT, Q1*) = e(aP, α1*·bP) = e(α1*·abP, P), e(PT, Qi*) = e(αi*PT, P) for 2 ≤ i ≤ n, e(W*, Pi*) = e(β*Pi*, P) and e(Si*, Ri*) = e(γi*Ri*, P), this gives
  e(α1*·abP, P) = e(V* − Σ_{i=2}^n αi*PT − β* Σ_{i=1}^n Pi* − Σ_{i=1}^n γi*Ri*, P),
so C outputs
  abP = (α1*)^(-1) · (V* − Σ_{i=2}^n αi*PT − β* Σ_{i=1}^n Pi* − Σ_{i=1}^n γi*Ri*)
as the solution of the CDH instance.

Analysis: the following three events must all occur.
E1: C does not abort as a result of any of A1's Partial-Private-Key queries.
E2: A1 generates a valid and nontrivial aggregate signature forgery.
E3: Event E2 occurs, c1* = 0 and ci* = 1 for all i, 2 ≤ i ≤ n.

Pr[E1 ∧ E2 ∧ E3] = Pr[E1] · Pr[E2 | E1] · Pr[E3 | E1 ∧ E2].
The probability that C does not abort as a result of A1's key extraction queries is at least (1-δ)^qk, so Pr[E1] ≥ (1-δ)^qk.
Suppose algorithm C does not abort as a result of A1's signature queries and key extraction queries; then A1's view is identical to its view in the real attack, so Pr[E2 | E1] ≥ ε.
The probability that C does not abort after A1 outputs a valid and nontrivial forgery is at least δ(1-δ)^(n-1), so Pr[E3 | E1 ∧ E2] ≥ δ(1-δ)^(n-1).

So we have
  ε' = Pr[E1 ∧ E2 ∧ E3] ≥ (1-δ)^qk · δ(1-δ)^(n-1) · ε = δ(1-δ)^(qk+n-1) · ε.
When δ = 1/(qk+n), δ(1-δ)^(qk+n-1) is maximized, giving
  ε' ≥ (1/(qk+n)) · (1 − 1/(qk+n))^(qk+n-1) · ε.
When qk is large, (1 − 1/(qk+n))^(qk+n-1) approaches 1/e, so we have
  ε' ≥ ε / (e(qk+n)).

Signing cost: 2n scalar multiplications, versus 3n (using PKL).
Verification cost: n+3 pairing operations. Can this cost be reduced?