Certificateless signature revisited X. Huang, Yi Mu, W. Susilo, D.S. Wong, W. Wu ACISP’07...

Post on 19-Jan-2016


Certificateless signature revisited

X. Huang, Yi Mu, W. Susilo, D.S. Wong, W. Wu

ACISP’07

Presenter: Yu-Chi Chen

Outline.

• Introduction

• Huang et al.’s scheme

• Conclusion


Introduction.

• Traditional PKC

• ID-based PKC: 1984

• Certificateless PKC: 2003


ID-PKC

• Private Key Generation: master-key = s, mpk = sP

• User (signer) ID1: Require priv-key

• Return priv-key = sH(ID1) (secure channel)

• Sign: σ = sH(ID1) + H(M,…)

• User (verifier): Use ID1 and PKG’s mpk = sP to check e(σ,P) =? e(mpk, H(ID1)) e(H(M,…),P)


CL-PKC

• Key Generation Center: master-key = s, mpk = sP

• User (signer) ID1: Require part-priv-key

• Return part-priv-key = sH(ID1) (secure channel)

• User (signer): Decide his secret value r and public key pk = rP

• Bulletin board: ID, pk

• Sign: σ = sH(ID1) + rH(M,…)

• User (verifier): Use ID1 and PKG’s mpk = sP to check e(σ,P) =? e(mpk, H(ID1)) e(H(M,…),pk)
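The two checks above can be exercised in a toy algebraic model. This is an added example, not code from the slides or the paper: every point aP is stored as the scalar a, so discrete logs are exposed and the model checks the algebra only, with no security. The modulus Q, the function names, and hashing M alone (the slide elides the other inputs as "…") are assumptions.

```python
import hashlib
import secrets

Q = 2**127 - 1   # prime group order (toy parameter, assumption)
P = 1            # generator of G1; the point aP is stored as the scalar a

def H(*parts):
    """Hash to a G1 element (stored as its scalar)."""
    data = b"|".join(p.encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def e(a, b):
    """Toy symmetric pairing: e(aP, bP) is stored as the exponent a*b."""
    return a * b % Q

def gt_mul(x, y):
    """Multiplying two pairing values adds their exponents."""
    return (x + y) % Q

def kgc_setup():
    s = secrets.randbelow(Q - 1) + 1
    return s, s * P % Q                  # master-key s, mpk = sP

def extract(s, identity):
    return s * H("id", identity) % Q     # priv-key / part-priv-key sH(ID)

def id_sign(d, msg):
    return (d + H("msg", msg)) % Q       # ID-PKC: sigma = sH(ID) + H(M)

def id_verify(mpk, identity, msg, sigma):
    return e(sigma, P) == gt_mul(e(mpk, H("id", identity)), e(H("msg", msg), P))

def cl_keygen():
    r = secrets.randbelow(Q - 1) + 1
    return r, r * P % Q                  # secret value r, pk = rP

def cl_sign(d, r, msg):
    return (d + r * H("msg", msg)) % Q   # CL-PKC: sigma = sH(ID) + rH(M)

def cl_verify(mpk, identity, pk, msg, sigma):
    return e(sigma, P) == gt_mul(e(mpk, H("id", identity)), e(H("msg", msg), pk))

if __name__ == "__main__":
    s, mpk = kgc_setup()
    d = extract(s, "ID1")
    r, pk = cl_keygen()
    sig = cl_sign(d, r, "M")             # constructed sample identity and message
    print(cl_verify(mpk, "ID1", pk, "M", sig), cl_verify(mpk, "ID1", (pk + 1) % Q, "M", sig))
```

The second call verifies against a public key that does not match the signer's r, which is why the check fails when the bulletin-board entry and the signing key disagree.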


Huang et al.’s scheme

• In this paper, Huang et al. proposed a short certificateless signature scheme

– Short: 160 bit (elliptic curve)

– Conventional security model

Conventional security model

• Game I (An adversary can replace any user’s public key, but it cannot access master-key)

– Setup.

– Attack: public-key queries, partial-private-key queries, sign queries, public-key-replacement.

– Forgery.

• A wins the game iff it can forge a valid signature which has never been queried.

Short CLS

• Setup. (omitted.)

• Secret-Value: The user sets a value

• Partial-private-key: KGC sets the partial-private-key to the user

Short CLS

• Public-key: the user sets his public key

• Private-key: the user sets his private key

• Sign:

• Ver:


Conclusion

• Hu et al.’s CLS scheme is short, but Du and Wen’s scheme is more efficient.

• Shim in 2009 presented a cryptanalysis of short CLS schemes. (next page.)