Outline
Contribution
Preliminaries
BIBSC Scheme
Security Analysis
Comparison
References
Fast and Proven Secure Blind Identity-Based Signcryption from Pairing Tsz Hon Yuen and Victor K. Wei Presented by: Xiaohui Liang
March 31, 2007
Outline
1. Contribution
2. Preliminaries
3. Blind Identity-Based Signcryption Scheme
4. Security analysis
5. Comparison with others
Contribution
- This paper presents the first blind identity-based signcryption (BIBSC).
- This paper formulates the first BIBSC security models to define security notions including blindness and parallel one-more unforgeability (plm-uf).
- This paper constructs the first BIBSC scheme from pairings, and proves its security. The blindness of BIBSC from pairings is statistical ZK, and the plm-uf is reduced to Schnorr's ROS Problem in the random oracle model plus the generic group and pairing model (GGPM).
Contribution
- This paper introduces the generic group and pairing model (GGPM), which is an extension of the generic group model that includes support for pairings.
- This paper also introduces a strengthening of Boyen's security model for (non-blind) identity-based signcryption (IBSC) to add support for authenticated encryption.
- This paper constructs the first proven secure IBSC in the strengthened model. It is also the fastest (resp. shortest) IBSC in this model as well as in Boyen's.
- The shortcomings of several existing IBSC schemes in the strengthened model are shown.
Preliminaries
- Blind signature
- Signcryption
Blind Signature
1982: D. Chaum. Blind signatures for untraceable payments. [1]
Blind signature systems might be thought of as including the features of true two key digital signature systems combined in a special way with commutative style public key systems. The following three functions make up the blind signature cryptosystem:
1. A signing function $s'$ known only to the signer, and the corresponding publicly known inverse $s$, such that $s(s'(x)) = x$ and $s$ gives no clue about $s'$.
2. A commuting function $c$ and its inverse $c'$, both known only to the provider, such that $c'(s'(c(x))) = s'(x)$, and $c(x)$ and $s'$ give no clue about $x$.
3. A redundancy checking predicate $r$, that checks for sufficient redundancy to make search for valid signatures impractical.
Blind Signature Protocol:
1. Provider: chooses $x$ at random such that $r(x)$ holds; sends $c(x)$ to the Signer.
2. Signer: signs $c(x)$; sends $s'(c(x))$ to the Provider.
3. Provider: strips the signed matter, $c'(s'(c(x))) = s'(x)$; sends $s'(x)$.
4. Anyone: checks that $r(s(s'(x)))$ holds.
Most blind signature schemes generate blinding factors $(\alpha, \beta)$ that take the place of the functions $c$ and $c'$. Most blind signature schemes are modified from classic signature schemes.
Signcryption
Signcryption [2, 3] is a scheme that combines the function of a digital signature scheme with a symmetric encryption algorithm. A digital signature scheme is used for the authentication of messages and an encryption scheme is used for the confidentiality of messages. Signcryption offers these two properties at the same time, at a lower computational cost than the traditional signature-then-encryption.
IBSC Primitives
An IBSC scheme consists of four algorithms: (Setup, Extract, Signcrypt, Unsigncrypt). The algorithms are specified as follows:
- Setup: On input of a security parameter $k$, the TA generates $\langle \zeta, \pi \rangle$, where $\zeta$ is the randomly generated master key and $\pi$ is the corresponding public parameter.
- Extract: On input $ID$, the TA computes its corresponding private key $S_{ID}$ (corresponding to $\langle \zeta, \pi \rangle$) and sends it back to its owner over a secure channel.
IBSC Primitives
- Signcrypt: On input of the private key of sender A, $S_A$, the recipient identity $ID_B$ and a message $m$, outputs a ciphertext $\sigma$ corresponding to $\pi$.
- Unsigncrypt: On input of the private key of recipient B, $S_B$, and the ciphertext $\sigma$, decrypts to get the sender identity $ID_A$, the message $m$ and the signature $s$ corresponding to $\pi$. Verifies $s$ and verifies that encryptor = signer. Outputs $\top$ for "true" or $\bot$ for "false".
We make the consistency constraint that if $\sigma \leftarrow \mathrm{Signcrypt}(S_A, ID_B, m)$, then $m \leftarrow \mathrm{Unsigncrypt}(S_B, \sigma)$.
IBSC Setup and Extract
Setup: On input of a security parameter $n \in \mathbb{N}$, a generator $\mathcal{G}[1^n]$ generates $G_1, G_2, G_3, q$ and $e$. The TA chooses a generator $P \in G_1$ and picks a random $s \in \mathbb{Z}_q$ as the master key. Then the TA sets $P_{TA} = P^s \in G_1$. After that, the TA chooses cryptographic hash functions $H_0: \{0,1\}^* \to G_2$, $H_1: \{0,1\}^* \times G_2 \times \{0,1\}^* \to \mathbb{Z}_q$, $H_2: G_3 \to \{0,1\}^*$, $H_3: G_3 \times \{0,1\}^* \to G_2$. The system parameters are $\langle q, G_1, G_2, G_3, e, P, P_{TA}, H_0, H_1, H_2, H_3 \rangle$.
Extract: Given a user identity string $ID \in \{0,1\}^*$, his public key is $Q_{ID} = H_0(ID) \in G_2$. His private key $S_{ID} = (Q_{ID})^s \in G_2$ is calculated by the TA.
IBSC Signcrypt
Signcrypt: Suppose Alice wants to signcrypt a message $m$ to Bob.
- Sign: Assume Alice's identity is $ID_A$ and Bob's identity is $ID_B$. The public key and private key of Alice are $Q_A$ and $S_A$ respectively. Alice chooses a random $r \in \mathbb{Z}_q$ and computes:
  $X = P^r \in G_1$ (1)
  $h = H_1(m, X, ID_B) \in \mathbb{Z}_q$ (2)
  $W = S_A^{h} Q_A^{r} \in G_2$ (3)
- Encrypt: Alice computes $Q_B = H_0(ID_B) \in G_2$ and:
  $V = e(P_{TA}^{r}, Q_B) \in G_3$ (4)
  $Y = H_3(V, ID_A) \oplus W \in G_2$ (5)
  $Z = H_2(V) \oplus \langle ID_A, m \rangle \in \{0,1\}^*$ (6)
Alice outputs the ciphertext $\sigma = \langle X, Y, Z \rangle$ after encryption and sends it to Bob.
IBSC Unsigncrypt
Unsigncrypt: Bob receives the ciphertext $\sigma = \langle X, Y, Z \rangle$.
- Decrypt: Assume the private key of Bob is $S_B$. Bob decrypts $\sigma$ by computing:
  $V' = e(X, S_B)$ (7)
  $\langle ID_A, m \rangle = H_2(V') \oplus Z$ (8)
  Output $\langle ID_A, m \rangle$ together with $\langle X, Y, V' \rangle$ to verify.
- Verify: Bob computes $W' = H_3(V', ID_A) \oplus Y$ and checks whether:
  $e(P, W') = e(X P_{TA}^{h}, Q_A)$ (9)
  where $h = H_1(m, X, ID_B)$. Output $\top$ if the above verification is true, or output $\bot$ if false.
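BIBSC Scheme
1. Bank: randomly chooses $r$; sends $X = P^r \in G_1$ to the Warden.
2. Warden: randomly chooses $\alpha, \beta$; computes $\hat{X} = X^{\alpha} P^{\beta} \in G_1$ and $\hat{h} = H_1(m, \hat{X}, ID_B) \in \mathbb{Z}_q$; sends $h = \alpha^{-1} \hat{h} \in \mathbb{Z}_q$ to the Bank.
3. Bank: sends $W = S_A^{h} Q_A^{r} \in G_2$ and $V = e(P_{TA}^{r}, Q_B) \in G_3$ to the Warden.
4. Warden: computes
   $\hat{W} = W^{\alpha} Q_A^{\beta}$
   $\hat{V} = V^{\alpha} e(P_{TA}^{\beta}, Q_B) \in G_3$
   $\hat{Y} = H_3(\hat{V}, ID_A) \oplus \hat{W} \in G_2$
   $\hat{Z} = H_2(\hat{V}) \oplus \langle ID_A, m \rangle \in \{0,1\}^*$
   and outputs $\sigma = \langle \hat{X}, \hat{Y}, \hat{Z} \rangle$.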
BIBSC Unsigncrypt
Unsigncrypt: Bob receives the ciphertext $\sigma = \langle \hat{X}, \hat{Y}, \hat{Z} \rangle$. Consistency is verified as:
$\hat{V} = V^{\alpha} e(P_{TA}^{\beta}, Q_B) = e(P, Q_B)^{s(r\alpha+\beta)} = e(X^{\alpha} P^{\beta}, S_B) = e(\hat{X}, S_B)$
$e(P, \hat{W}) = e(P, W^{\alpha} Q_A^{\beta}) = e(P, Q_A)^{s\hat{h} + \alpha r + \beta} = e(P_{TA}^{\hat{h}} X^{\alpha} P^{\beta}, Q_A) = e(\hat{X} P_{TA}^{\hat{h}}, Q_A)$
Security Analysis
1. Chosen Ciphertext Attack (CCA2)
2. Chosen Message Attack (CMA)
3. Blindness
4. Parallel one-more unforgeability
Chosen Ciphertext Attack (CCA2)
Theorem 1: Our IBSC scheme is IND-IBSC-CCA2 secure provided the co-BDH Problem is hard in the random oracle model.
- Key extraction oracle KEO: Upon input of an identity, the key extraction oracle outputs the private key corresponding to this identity.
- Signcryption oracle SO: Upon input of $m, ID_A, ID_B$, produces a valid signcryption $\sigma$ for the input triple.
- Unsigncryption oracle UO: Upon input of a ciphertext $\sigma$ and a receiver ID, the unsigncryption oracle outputs the decryption result, the verification outcome of the signature and the verification outcome of encryptor = signer.
Chosen Ciphertext Attack (CCA2)
Dealer D: $(P, P^{\alpha}, P^{\beta}, Q) \to e(P, Q)^{\alpha\beta}$.
Simulator S: receives $(P, P^{\alpha}, P^{\beta}, Q)$ from D and helps D to compute $e(P, Q)^{\alpha\beta}$.
Attacker F: CCA2.
Assumption:
1. F queries hash functions from S.
2. S makes some modifications of the scheme.
3. F believes that S's SO and UO are correct.
Proof of CCA2
1. S selects $P_{TA} = P^{\beta}$ and sends it to F.
2. S gives the public key $P^{\lambda}$ with random $\lambda$, except for $ID_Q$, which gets public key $Q$, then records $\langle ID, \text{pub-key} \rangle$ on tape $L_0$.
3. KEO: Input $ID$. If $ID = ID_Q$, terminate with F; otherwise, return the private key $S = (P^{\beta})^{\lambda}$.
4. SO: Input $m, ID_A, ID_B$. If $ID_A = ID_Q$, S does not have A's private key, so S randomly chooses $r, h$, sets $X = P^{r} (P^{\beta})^{-h}$, $W = Q^{r}$, and adds $\langle m, X, h \oplus ID_B \rangle$ to $L_1$ for $H_1$; otherwise, S finds A's private key and generates $\sigma = \langle X, Y, Z \rangle$.
5. UO: Input $ID_B$, $\sigma = \langle X, Y, Z \rangle$. If $ID_B = ID_Q$, S searches its $L_1, L_2, L_3$. S decrypts $\langle ID_A, m \rangle$ and verifies the signature with all the possible parameters; otherwise, S finds B's private key and runs Unsigncrypt using $S_B$ to get $\langle ID_A, m \rangle$ or $\bot$.
6. F challenges with $m_1, ID_{A1}, ID_{B1}$. If $ID_{A1} = ID_Q$, S returns $\langle X = P^{\alpha}, Y, Z \rangle$. If F wants to guess $m_1$ correctly, F should query $H_2$ to get $V = e(X, S_Q) = e(P^{\alpha}, S_Q) = e(P, Q)^{\alpha\beta}$.
Chosen Message Attack (CMA)
Theorem 2: Our IBSC scheme is EU-IBSC-CMA secure provided the co-CDH Problem is hard, in the random oracle model.
Dealer D: $(P, P^{\beta}, Q) \to Q^{\beta}$.
Simulator S: receives $(P, P^{\beta}, Q)$ from D and helps D to compute $Q^{\beta}$.
Attacker F: CMA.
1. Oracle Simulation is the same as in the CCA2 proof.
2. Witness Extraction: Assume F is a PPT forger. Rewind F to the random oracle query whose output appears in the verification in unsigncryption. Then we obtain $W = S_A^{h} Q_A^{r}$ and $W' = S_A^{h'} Q_A^{r}$ in the respective forks. Combining, we can compute the co-CDH Problem if $Q_A = Q$. Then $Q^{\beta} = S_A = (W'/W)^{(h'-h)^{-1}}$.
Blindness
Theorem 3: Our BIBSC scheme has blindness.
To prove the blindness of BIBSC, we show that, given a valid ciphertext $\langle \hat{X}, \hat{Y}, \hat{Z} \rangle$ and any transcript, there exist blinding factors $\alpha, \beta \in \mathbb{Z}_q^*$ relating them. Since the blinding factors are randomly chosen, the blindness of BIBSC is achieved.
Given a valid ciphertext $\langle \hat{X}, \hat{Y}, \hat{Z} \rangle$, there exists a unique $(\hat{X}, \hat{Y}, \hat{Z}, m)$ for this ciphertext. Then for any transcript of blind signcryption $(X, h, W, V)$, the following equations must hold for $\alpha, \beta \in \mathbb{Z}_q^*$:
$\hat{X} = X^{\alpha} P^{\beta}$ (10)
$h = \alpha^{-1} H_1(m, \hat{X})$ (11)
$\hat{W} = W^{\alpha} Q_A^{\beta}$ (12)
$\hat{V} = V^{\alpha} e(P_{TA}^{\beta}, Q_B)$ (13)
We see that there exist blinding factors $\alpha = H_1(m, \hat{X})/h$, $\beta = \log_P(\hat{X} X^{-\alpha})$ which are computed from (10), (11) and satisfy (12), (13).
Blindness
Notice that there exists an $S_B$ which is the private key for $Q_B$. Then:
$\hat{V} = e(\hat{X}, S_B) = e(X^{\alpha} P^{\beta}, S_B) = e(X, S_B)^{\alpha} e(P^{\beta}, S_B) = V^{\alpha} e(P_{TA}^{\beta}, Q_B)$
$e(P, \hat{W}) = e(\hat{X}, Q_A)\, e(P_{TA}, Q_A)^{H_1(m, \hat{X}, ID_B)} = e(X^{\alpha} P^{\beta}, Q_A)\, e(P_{TA}, Q_A)^{\alpha h} = e(X P_{TA}^{h}, Q_A)^{\alpha} e(P^{\beta}, Q_A) = e(P, W)^{\alpha} e(P, Q_A^{\beta}) = e(P, W^{\alpha} Q_A^{\beta})$
Prob(σ by Warden) = Prob(σ by Warden | T)
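The blindness argument can be checked mechanically. This is an added example, not part of the original slides: it tracks every group element by its exponent, so it verifies the algebra of (10) to (13) only. It assumes $X = P^{r}$, $P_{TA} = P^{s}$, $S_A = Q_A^{s}$ and $S_B = Q_B^{s}$ (consistent with the verification equation above), and `H1` is a constructed stand-in for the hash.

```python
# Added illustration. "Exponent" bookkeeping model: a G1 element P^a is stored as
# a mod q and a pairing value e(P^a, P^b) as a*b mod q. This exposes discrete logs,
# so it checks the algebra only; it is not an implementation of the scheme.
q = 1019                                    # constructed toy prime group order

def H1(m, X_hat):
    """Stand-in for the hash H_1 (assumption: any fixed map into Z_q works here)."""
    return (31 * m + 17 * X_hat + 5) % q

def signer_transcript(s, a, b, r, h):
    """Signer's view (X, h, W, V): X = P^r, W = S_A^h Q_A^r, V = e(X, S_B)."""
    return r, h, a * (s * h + r) % q, r * b * s % q

def valid_output(s, a, b, m, x_hat):
    """Any (X^, W^, V^) with e(P, W^) = e(X^ P_TA^H1, Q_A) and V^ = e(X^, S_B)."""
    return x_hat, a * (x_hat + s * H1(m, x_hat)) % q, x_hat * b * s % q

def linking_factors(m, X, h, X_hat):
    """alpha = H1(m, X^)/h and beta = log_P(X^ X^-alpha), solved from (10), (11)."""
    alpha = H1(m, X_hat) * pow(h, -1, q) % q
    return alpha, (X_hat - alpha * X) % q

def consistent(s, a, b, m, transcript, output):
    """True if the factors from (10), (11) also satisfy (12) and (13)."""
    X, h, W, V = transcript
    X_hat, W_hat, V_hat = output
    if h == 0 or H1(m, X_hat) == 0:         # alpha would fall outside Z_q^*
        return False
    alpha, beta = linking_factors(m, X, h, X_hat)
    eq12 = W_hat == (alpha * W + beta * a) % q        # W^ = W^alpha Q_A^beta
    eq13 = V_hat == (alpha * V + beta * s * b) % q    # V^ = V^alpha e(P_TA^beta, Q_B)
    return eq12 and eq13

def every_pair_links(s, a, b, m, sessions, x_hats):
    """Blindness check: every signer session explains every valid output."""
    ts = [signer_transcript(s, a, b, r, h) for r, h in sessions]
    outs = [valid_output(s, a, b, m, x) for x in x_hats]
    return all(consistent(s, a, b, m, t, o) for t in ts for o in outs)
```

Because every signer session is consistent with every valid output, the signer's transcript carries no information about which output it produced.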
Parallel one-more unforgeability
Theorem 4: Our BIBSC scheme is plm-uf secure provided Schnorr's ROS Problem is hard in the ROM+GGPM.
Plm-uf: A parallel one-more forgery against a blind signature is one in which an attacker interacts $l$ times with a signer and produces $l + 1$ signatures from these interactions.
ROS-problem: Find an overdetermined, solvable system of linear equations modulo $q$ with random inhomogeneities. Specifically, given an oracle random function $F : \mathbb{Z}_q^{l} \to \mathbb{Z}_q$, find coefficients $a_{k,i} \in \mathbb{Z}_q$ and a solvable system of $l + 1$ distinct equations in the unknowns $c_1, \ldots, c_l$ over $\mathbb{Z}_q$:
$a_{k,1} c_1 + \cdots + a_{k,l} c_l = F(a_{k,1}, \ldots, a_{k,l})$ for $k = 1, \ldots, t$
We evaluate the expected number of solvable subsystems consisting of $l + 1$ out of $t$ equations.
Comparison
1. IND-A implies anonymity of sender. (Sender's identity)
2. IND-B implies anonymity of recipient. (CCA2's subgame)
3. IND-C implies message confidentiality. (CCA2's subgame)
4. EU implies ciphertext non-repudiation. (CMA)
Assume that a message $m$ of length $||m||$ has to be cut into $k$ pieces for signcryption, usually with 160 bits for each piece. $||G_1||$ denotes the size of a $G_1$ element, which is about 160 bits in most representative elliptic curve implementations and signcryption applications.
Comparison
Additional functionalities of this scheme:
1. TA Compatibility. In reality, sender and recipient may use different TAs. Assume all TAs use the same pairing $e$, hash functions and $P \in G_1$. Now let Alice use $TA_1$ with master key $s_1$ and Bob use $TA_2$ with master key $s_2$. In Encrypt, change $V = e(Q_B^{r}, P_{TA_2})$. In Verify, $e(P, Y) = e(P_{TA_1}^{h}, Q_A)$. Others remain unchanged.
2. Forward secrecy. This scheme can achieve forward secrecy. It is implied by IND-CCA2. If sender and recipient use different TAs, then it can even achieve partial TA forward secrecy. If the master key of $TA_1$ is compromised, then past communications with users using different TAs will not be compromised, since the adversary still cannot compute $V$.
Reference
D. Chaum. Blind signatures for untraceable payments. In Proc. CRYPTO 82, pages 199–203. NY, 1983. Plenum.
J.H. An, Y. Dodis, and T. Rabin. On the security of joint signature and encryption. In Proc. CRYPTO 2002, pages 83–107. Springer-Verlag, 2002. Lecture Notes in Computer Science No. 2332.
K.C. Reddy D. Nalla. Signcryption scheme for identity-based cryptosystems. Cryptology ePrint Archive, Report 2003/066, 2003. http://eprint.iacr.org/.
C. P. Schnorr. Practical security in public-key cryptography. In Proc. ICISC. Springer, 2001. Lecture Notes in Computer Science.
C. P. Schnorr. Security of blind discrete log signatures against interactive attacks. In Proc. ICISC, pages 1–12. Springer-Verlag, 2001. Lecture Notes in Computer Science No. 2229.
V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. EUROCRYPT 97, pages 256–266. Springer-Verlag, 1997. Lecture Notes in Computer Science No. 1233.
Thank you! Q&A