CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction


 Randell James
 2 years ago
 Views:
Transcription
1 International Journal of Network Security, Vol.16, No.3, PP , May CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction Min Zhou 1, Mingwu Zhang 2, Chunzhi Wang 2, and Bo Yang 3 (Corresponding author: Min Zhou) College of Information, South China Agricultural University 1 College of Computer Science and Engineering, Hubei University of Technology 2 School of Computer Sciences, Shaanxi Normal University 3 (Received June 29, 2012; revised and accepted Jan. 12 & Feb. 21, 2013) Abstract Aggregate signatures are useful compact cryptographic schemes for reducing the size multiple individual signatures, which can be used in message size compactness and certificate chains reduction. Certificateless signature is a paradigm in overcoming the key escrow problem of identitybased cryptography schemes. In this paper, we construct a compact aggregate signature in the certificateless public key settings, which performs a full aggregation needs that the aggregate signature length is the same as that of any individual signature. Furthermore, the proposed scheme can aggregate and extract an individual signature expansively, and it also keeps the integrity of the remained aggregate signature. The security models, under two adversary models such as malicious KGC and malicious user, are also analyzed in the random oracle model. The proposed scheme is existentially unforgeable under adaptive chosenmessage attacks and chosenidentity attacks assuming the computational DiffieHellman problem is hard. Keywords: Aggregate signature, certificateless cryptographic, unforgeability 1 Introduction 1.1 Aggregate Signature and Related Works An aggregate signature scheme [2, 7, 8, 9] is a digital signature that supports multiple individual signatures aggregate into one single signature. It allows a collection of signatures to be compressed into one short signature, where this single signature along with a given original message m i (i [1, n]) and the list of signer identities will convince the verifier that user ID i indeed has signed message m i. The concept of aggregation can be considered almost everywhere in cryptographic protocols where a large or moderate group is involved, which is a useful technique in cryptography for reducing the communication and computation complexity. The first aggregate signature scheme was proposed by Boneh et al. [2] that is based on BLS short signature scheme in the groups with efficiently computable bilinear maps. Their scheme is called general aggregation scheme since aggregation can be done by anyone and without the cooperation of the signers, but it rejects if the messages m 1,..., m n are not distinct. Subsequently, Lysyanskaya et al. [9] proposed a RSAbased sequential aggregate signature scheme. In a sequential aggregation scheme, signature aggregation can only be done during the signing process. Each signer sequentially modifies the aggregate signature in turn by adding his signature to the current aggregate. Recently, Lu et al. [8] proposed a sequential aggregate signature scheme without random oracle. The security of their scheme relies on the hardness of the Computational DiffieHellman (CDH) problem in bilinear groups. The total information needed to verify the aggregate signature must include individual signers public keys, whose lengths depend on the security parameters of the scheme. Since the verifier cannot be expected to know all n signers public keys, practically, the length of an aggregate signature is not significantly shorter than the length of n traditional signatures. Hence, for large value of n, it is preferable to specify the signers by their identities. To solve the public key certificate issues, the identitybased cryptography was first introduced by Shamir in [13], which simplifies key management and avoid the use of digital certificates. A Private Key Generator (PKG) computes keys from a master key and distributes these to the users participating in the scheme, which eliminates the need for certificates as used in a traditional public key infrastructure. In [3], Gentry and Ramzan introduced an identitybased aggregate signature which is secure in the random oracle model. They use of an identitybased scheme that the signer does not need to send an individual public key and certificate with its signature. Moreover, the scheme
2 International Journal of Network Security, Vol.16, No.3, PP , May of Gentry and Ramzan produces short signatures and is efficiently computational. Verification requires only three pairings computations, regardless of the number of signers. Wang et al. [14] proposed a novel identitybased aggregate signature scheme with efficient computing time, but Selvi et al. [12] pointed that the Wang et al. s scheme is not secure against universal forgery. Certificateless public key cryptography (CLPKC), was first proposed by AlRiyami and Paterson [1], is a new paradigm to overcome the key escrow problem of identitybased cryptography schemes. Certificateless cryptography involves a Key Generator Center (KGC), which issues a partial key to a user and the user also independently generates an additional public/secret key pair in such a way that the KGC only knows the partial key but he does the additional secret key is unable to do any cryptographic operation on behalf of the user, and a third party who replaces the public/secret pair but does not know the partial key and cannot do any cryptographic operation as the user either [22]. Huang et al. [6] formatted the security model of certificateless signature scheme. Gong et al. [4] defined the security model of certificateless aggregate signature schemes for the first time, however, Zhang et al. [21] pointed out some drawbacks of the security model of Gong et al. s model. In [5], Huang et al. presented a generic way to construct certificateless signature (CLS) schemes. There is little attention has been paid to aggregate signatures in certificateless public key settings. Zhang et al. [19] described security models for certificateless aggregate signature schemes. Wen et al. [15] constructed an aggregate signature scheme that required constant pairing operations in the verification algorithm and the size of aggregate signature is independent of the number of signers, but Selvi et al. [12] pointed that Wen et al. s scheme is not secure in individual signature forgery. An aggregate signature supporting manytoone authentication deploying in the certificateless signature environment is proposed in [18]. Recently, Zhang et al. [20] proposed a certificateless aggregate signature scheme, but their scheme only support partial aggregation. Wen et al. [16] proposed an aggregate signature with specified designated verifier. In order to improve the computing efficiency and reduce the signature size, Yu et al. [17] presented an aggregate signature without any bilinear pairing operation, and Mu et al. [11] constructed a compact sequential aggregate signature, respectively. Recently, Marc et al. [10] constructed a sequential aggregate scheme that supports historyfree property. Aggregating signatures of different messages can be very helpful in many situations, in order to save both memory space and cost of verification. Informally, the length of the aggregate signature should be constant, independent of the number of signed messages. The length of the aggregate signature σ = (R 1,..., R n, T ) is half the length of n initial signatures, but it s linear with respect to the number of signatures for that R cannot be compacted even if all the signatures come from the same signers. 1.2 Our Contribution and Roadmap In this paper, we propose a compact certificateless aggregate signature scheme (CCLAS) that supports full aggregate model. With the aggregation of multiple signatures, the length of aggregate signature will not be increased. The CCLAS scheme is provably secure in the random oracle model. It adapts the notion of security of two adversary models to describe the malicious forger and maliciousbutpassive KGC for certificateless aggregate signature scheme. The result of this aggregation is an aggregate signature whose length is the same as that of any of an individual signatures. This scheme has the property that a verifier given along with the identities of the parties involved and their respective messages is convinced that each user signed his respective message. The rest of the paper is organized as follows: Section 2 gives some preliminaries including bilinear pairing and security assumption; The formal model of compact certificateless aggregate signature scheme and its security notions are described in Section 3 and the detail algorithms are proposed in Section 4; The security analysis of the CCLAS scheme is demonstrated in Section 5 and the conclusion is drawn in Section 6. 2 Preliminaries 2.1 Pairings The CCLAS scheme uses a bilinear map, which is often called a pairing. Typically, the pairing used is a modified Weil or Tate pairing on a supersingular elliptic curve or abelian variety. Throughout the paper we use the following notation to provide the bilinear map requirements: 1) (G 1, +) and (G 2, ) be cyclic groups of the same large prime order q; 2) P be a generator of G 1, and e(p, P ) be a generator of G 2 ; 3) e is a computable bilinear map: e : G 1 G 1 G Security Assumption In this paper, we base our security reductions on the Computational DiffieHellman assumption (CDH problem) that is widely regarded as a hard problem and is often used as the basis of cryptographic schemes listed as defined below: Definition 1. CDH assumption: Consider a cyclic group G of order q, the CDH assumption states that given tuples (P, ap, bp ) for a randomly chosen generator P and random integer a, b Z/qZ, it s computational intractable to compute the value of abp. More precisely, the CDH problem is said to be secure if the advantage function AdvA CDH (λ) is a negligible function in λ for all polynomial time adversaries A CDH, where AdvA CDH (λ) = P r[a(p, ap, bp ) abp ].
3 International Journal of Network Security, Vol.16, No.3, PP , May Models and Security Notations 3.1 The CCLAS Model The CCLAS scheme is an efficient certificateless signature scheme defined by eight probabilisticpolynomial time algorithms: Setup, PartialKeyGen, UserKeyGen, IndiSign, IndiVeri, SignAggr, SignVeri and ExtAggr. Setup: This algorithm is performed by KGC that accepts a security parameter λ to generate a masterkey s and a list of system parameters params. PartialKeyGen: This algorithm is performed by KGC that accepts a users identity ID i, a parameter list params and a masterkey s to produce the user s partial secret key D i. UserKeyGen: This algorithm is run by a user that takes the users identity ID i as input, and outputs the users secret value x i and public key P i. IndiSign: This algorithm accepts a message m M, the signer s identity ID i together with corresponding public key P i, a parameter list params and the signing key (D i, x i ) to generate a individual signature σ i on message m. IndiVeri: This algorithm accepts a message m, a signature σ i, public list params, the signer s identity ID i and corresponding public key P i to output true if the signature is valid, or otherwise. SignAggr: This algorithm is run by the aggregate signature generator such as any user or a third party that takes as inputs a state information ω, an aggregating users set U i U(i = 1,..., n) whose identity is ID i and the corresponding public key P i, and signatures σ i on a message m i with state information ω under identity ID i and public key P i for each user U i U. It outputs an aggregate signature σ on messages m 1,..., m n. SignVeri: This algorithm takes as input state information string ω, a set U of n users U 1,..., U n, each with identity ID i and public key P i, an aggregate signature σ on messages m 1,..., m n. It outputs true if the aggregate signature is valid, or otherwise. ExtAggr: This algorithm can extract and decomposite an individual signature σ from aggregate signature σ. After extracted a valid signature σ from aggregate signature σ, the new aggregate signature σ (σ = σ σ ) is also a valid aggregate signature. Remark 1. For the first time, our CCLAS scheme introduces a ExtAggr algorithm to extract a valid individual signature. It is also a valid aggregate signature if an individual signature is be extracted from the aggregate signature. 3.2 Security Notations The CCLAS scheme should be secure against existential forgery under adaptivechosenmessage attacks and adaptivechosenidentity attacks. Informally, existential forgery means that the adversary attempts to forge an identitybased individual signature or aggregate signature on identities and messages of his choice. There are two types of security in a certificateless aggregate signature scheme, TypeI security and TypeII security [1], along with two types of adversaries, A I and A II, respectively. TypeI adversary. TypeI adversary A I models a malicious adversary that he can compromise the user private key or replace the user public key. However, he can not compromise the masterkey nor access the user partial key. TypeII adversary. TypeII adversary A II models the maliciousbutpassive KGC that he knows the masterkey but cannot perform public key replacement of the user being attacked. TypeI game. The typei game is performed between a challenger C and the TypeI forger A I for a CCLAS signature scheme as follows: Initialization. C runs Setup algorithm to generate the master key and public parameters to forger A I. Note that A I does not know the master key. Queries. Forger A I may require the following queries to C by an adaptive manner. PartialKeyGen queries: When A I requests the partial private key for a user with identity ID, C responds the user s private key D ID by running PartialKeyGen algorithm. UserKeyGen queries: When A I requests the secret key for a user with identity ID, C responds the user s full secret key x ID by running UserKeyGen algorithm. UserPublicKey queries: When A I requests the public key of a user with identity ID, C answers the corresponding public key P ID. PublicKeyReplacement queries (ID, P ID ): This query is to replace the public key P ID for an identity ID with a new value P ID. On receiving such a query, C updates the public key to the new value P ID. IndiSign queries: When A I requests a signature on a message m for a user with identity ID, C responds a valid signature σ for m by running IndiSign algorithm. SignAggr queries: When A I requests a serial of signature aggregate queries for multiple signatures, C returns an aggregate signature σ by SignAggr algorithm. ExtAggr queries: When A I performs a signature extract query, C returns a new signature that extracts the subset signature σ by ExtAggr algorithm. Forgery. Finally, A I outputs an aggregate signature σ = (R, S ) and wins the game if
4 International Journal of Network Security, Vol.16, No.3, PP , May σ can pass the SignVeri algorithm and return result is not ; A I has never asked all the partial private keys or private keys of the user ID 1,...ID n who participates the aggregate signature σ ; σ has never been queried by the IndiSign and SignAggr oracles. Definition 2. TypeI unforgeability. The CCLAS scheme is existentially unforgeable against TypeI adversary under adaptively chosenidentity and chosenmessage attacks if the success probability of any polynomially bounded TypeI adversary in the TypeI game is negligible. TypeII game. Initialization. C runs the Setup algorithm and sends params and masterkey to the adversary A II. Note that adversary A II knows the master key and can obtain anyone s partial private key, so he need not perform PartialKeyGen oracles. Queries. Forger A II may perform the following queries by an adaptive manner. UserKeyGen queries. When A II requests the private key of a user with identity ID, C outputs the secret key x ID by running UserKeyGen algorithm. UserPublicKey queries. When A II requests the public key of a user with identity ID, C outputs the corresponding public key P ID. IndiSign queries. When A II requests an identity ID s signature on a message m together with a public key P ID, C answers with a signature σ on message m for the user ID. SignAggr queries: When A II requests a serial of signatures aggregate queries for multiple signatures, C returns an aggregate signature σ by running SignAggr algorithm. ExtAggr queries: When A II performs a individual signature extract query, C returns a new signature that extracts the subset signature. F orgery. Adversary A II outputs a tuple σ = (R, S, m 1, ID1,..., m n, IDn). A II will win the game if: σ can pass the SignVeri algorithm and return result is not ; A II has never asked all the private keys of the users ID 1,...ID n ; σ has never been queried by the IndiSign and SignAggr oracles. Definition 3. TypeII unforgeability. The CCLAS scheme is existentially unforgeable against TypeII adversary under adaptively chosenidentity and chosenmessage attacks if the success probability of any polynomially bounded TypeII adversary in the TypeII game is negligible. Remark 2. The CCLAS scheme is existentially unforgeable under adaptively chosenidentity and chosenmessage attacks if it is existentially unforgeable against TypeI adversaries in TypeI game, and TypeII adversaries in TypeII game, respectively. 4 The CCLAS Scheme In this section, we describe the proposed CCLAS scheme which consists of eight probability polynomial time algorithms. Setup: On input a security parameter λ, the KGC generates parameters by this algorithm as follows:  Generates groups G 1 and G 2 of prime order q and an admissible pairing e : G 1 G 1 G 2 ;  Chooses an arbitrary generator P G 1 ;  Picks s Z/qZ randomly, and sets P pub = sp ;  Chooses two cryptographic hash functions, H 1, H 2 : {0, 1} G 1, H 3 : {0, 1} l {0, 1} G 1 ;  KGC publishes the params=< G 1, G 2, e,q, P, P pub, H 1, H 2, H 3 >, and keeps the master key s. The message space is M {0, 1} l. PartialKeyGen: KGC generates the partial private key for the user U i with identity ID i as follows:  Computes Q i = H 1 (ID i ) G 1 ;  Outputs the partial private key D i = sq i. UserKeyGen: On input the params and a user s identity ID i {0, 1}, it generates the partial secret key for the user as follows:  Picks a random x i Z/qZ and outputs x i as the user s secret value. Note that the user s full secret key SK i =< x i, D i >;  Computes and sets user s public key P i = x i P ; IndiSign: The first signer picks a random string ω {0, 1} that it has never used before. Each subsequent signer checks that it has not used the string ω chosen by the first signer. To sign a message m i M using the signing key < x i, D i >, the signer ID i with corresponding public key P i does as following steps:  Computes P ω = H 2 (ω) G 1 ;  Picks r i Z/qZ randomly, computes R i = r i P G 1 ;
5 International Journal of Network Security, Vol.16, No.3, PP , May Computes h i = H 3 (m i, ID i, ω) G 1 ;  Computes S i = r i P ω + D i + x i h i ;  Outputs σ =< R i, S i > as the signature on m i by the user ID i. IndiVeri: On received the signature σ =< R i, S i > on the state string ω and message m i, anyone can verify the origin of the sender:  Computes P ω = H 2 (ω);  Computes h i = H 3 (m i, ID i, ω);  Accepts the message m i iff e(p, S i ) = e(r i, P ω )e(p pub, Q i )e(p i, h i ). SignAggr: Anyone can aggregate a collection of individual signatures σ 1 =< R 1, S 1 >,..., σ n =< R n, S n > by n different users ID 1,..., ID n respectively, which uses the same state string ω. It does as follows  Computes S = n i=1 S i, R = n i=1 R i;  Outputs the aggregate signature σ =< R, S > under the state string ω on messages m 1,..., m n. Remark 3. The CCLAS scheme is a full aggregate signature scheme that supports the compact of R i and S i (1 i n). In many aggregate signature schemes such as [20, 21], they only provides partial aggregation that compacts the S i by S = n i=1 S i. Remark 4. The purpose of the onetimeuse state string ω in CCLAS scheme is to disturb this linearity, which provides a manner where all the signers can reach a common randomness. The CCLAS scheme does not provide the aggregation of individual signatures that use different ω s. If an individual signature will be extracted from an aggregate signature, it also needs the same state string. SignVeri: To verify an aggregate signature σ =< R, S > with the same state string ω on message m 1,..., m n for identity ID 1,..., ID n under public key P 1,..., P n, respectively, the verifier performs the following steps:  Computes P ω = H 2 (ω);  For i = 1 to n, computes Q i = H 1 (ID i ), and h i = H 3 (m i, ID i, ω);  Checks whether the following equation holds e(p, S) = e(r, P ω )e(p pub, n i=1 Q i)( n i=1 e(p i, h i ));  If above equation holds, outputs true as success, otherwise outputs. Remark 5. In [2], to ensure the security of the aggregate signature scheme, it is required that the messages m 1,..., m n to be signed are distinct. However, in our proposed scheme this restriction can be removed for that all individual signature can be aggregated by a same state string. ExtAggr: To extract an individual signature σ = (R, S ) that aggregated in a signature σ, it does  Computes R = R R, S = S S ;  Outputs σ = (R, S ). Remark 6. It easy sees that σ = (R, S ) is a valid aggregate signature if σ = (R, S ) is be extracted from σ. The check equation is: e(p, S ) = e(r, P ω)e(p pub, n i=1,i Qi)( n i=1,i e(pi, hi)); In CCLAS scheme, it is possible to aggregate individual identitybased signatures even if the signers have different KGCs, and the security proof goes through. However, to verify such a multiplekgc aggregate signature, the verifier only needs the public key of every KGC. 5 Security Analysis We show that the CCLAS scheme is existentially unforgeable under adaptively chosenidentity and chosenmessage attacks if it is existentially unforgeable against TypeI adversaries in TypeI game, and TypeII adversaries in TypeII game, respectively. Theorem 1. In the random oracle model, if there exists a typei adversary A I who has an advantage to break the GameI with nonnegligible probability ɛ for a security parameter λ, after asking at most q K times partial private key queries, q P times public key queries, q Hi times H i (i=1,2,3) queries, q S times IndiSign queries, q A times SignAggr queries and q E extract signature queries, then the CDH problem in G 1 can be solved with nonnegligible the advantage ɛ ɛ (q K +n)e. Proof. Algorithm B is given an instance (P, ap, bp ) of CDH problem, and will interact with algorithm A I as follows in an attempt to compute abp. First, B sets P pub = ap, and chooses the system parameters params = (G 1, G 2, e, P, P pub, H 1, H 2, H 3 ). Here the H i s are random oracles controlled by B. A I can perform the following types of queries in an adaptive manner. B maintains lists relating to its previous hash query responses for consistency that the responding lists are initially empty.  H 1 queries: B keeps a list of tuples (ID j, coin j, Q j, b j ). If ID i was in a previous H 1 query, B answers with Q i in H 1 list; otherwise, B generates a random coin i {0, 1} so that P r[coin i = 1] = δ. It picks b i R Z/qZ randomly, if coin i = 1, B sets Q i = b j bp ; else, Q j = b j P, and stores (ID i, coin i, Q i, b i ) to H 1 list and answers with Q i.  H 2 queries: B keeps a list of tuples (ω j, P ωj, c j ). Whenever A I issues a query H 2 (ω i ) to H 2 oracle, the same answer P ωi from the H 2 list will be given if the request has been asked before. Otherwise, B selects a random c i Z/qZ, computes P ωi = c i P, adds (ω i, P ωi, c i ) to H 2 list and answers with P i.
6 International Journal of Network Security, Vol.16, No.3, PP , May H 3 queries: B keeps a list H 3 list of tuples (ω j, m j, ID j, h j, d j ). Whenever A I issues a query H 3 (m i, ID i, ω i ) to H 3 oracle, the same answer h i from the H 3 list will be given if the request has been asked before. Otherwise, B selects a random d i Z/qZ, computes h i = d i P, adds (ω i, m i, ID i, h i, d i ) to H 3 list and answers with h i.  PartialKeyGen queries: When A requests the partial private key corresponding to ID i, B finds in H 1  list, if H 1 coin i =0, answers with Q i = b i P, else B abort.  Public key queries: B keeps a list PKlist of tuples (ID j, x j, P j, e j ). On receiving a Public Key query, the same answer from the list PKlist will be given if the request has been asked before. Otherwise, B aborts and returns as answer.  Secret value queries: On receiving a secret value query, B first makes P K(ID i ) and recovers the tuple (ID i, x i, P i, e i ) from PKlist and answers with x i. If it cannot find in the list, it returns as answer.  Sign queries: On receive an individual sign query IndiSign(ω i, m i, ID i, P i ), where P i denotes the public key chosen by A I, B first makes H 2 (ω) and P K(ID i ) queries, then finds the tuple ω i, P ωi, c i ) on H 2 list, the tuple (ID i, x i, P i, e i ) on PKlist and generates the signature σ as following steps: 1) If H 1.coin i = 0, B randomly chooses R i G 1, computes S i = c i R i +b i P pub +d i P i, and outputs (R i, S i ) as answer. 2) If H 1.coin i = 1, B randomly picks r i, d i Z/qZ, computes R i = r i P d 1 i Q i, and then stores (ω i, m i, ID i, h i, d i ) to H 3 list. B computes S i = c i P i + r i d i P pub, and outputs σ i = (R i, S i ) as answer. Forgery. Finally, A I returns a set U of n users, whose identities is ID1,..., IDn and corresponding public keys is P1,..., Pn, a state string ω and a forged aggregate signature σ = (R, S ). It requires that there exists π [1, n] such that A I has neither asked the partial private for ID π nor queried IndiSign for ID π and message m π. In addition, the aggregate signature σ satisfies the following equation n n e(p, S ) = e(r, P ω )e(p pub, Q i )( e(pi, h i )) (1) i=1 i=1 where h i = H 3 (m i, ID i, ω ), P ω = H 2 (ω ). The above equation holds if b π = 0 and b i = 1 for all i [1,..., π 1, π + 1,...n]; otherwise, B aborts. By our setting, Q π = b π bp, P ω = c π P, h π = d π P. For all i = 1,..., π 1, π + 1,..., n, Q i = b ip, h i = d ip. It has abp = (S n i=1,i π (d i P i +b j P pub +c i R i ) c π R π d π P π ) (2) Now we determine the probability ɛ for B to solve the given instance of CDH problem. We analyze the following events needed for B to succeed: E1: B does not abort as a result of any of A I s secret value queries. For a key extract query, the probability does not abort is δ. Under the q K times key extract queries, the probability that B does not failure is at least δ q K. E2: A I generates a valid and nontrivial aggregate signature forgery. It easy sees that Pr[E2E1] ɛ. E3: Event E2 occurs, c π = 0 and c i = 1 for all i = 1,..., π 1, π + 1,..., n. The probability that B does not abort is at least (1 δ)δ n 1. B succeeds if all of these events happen. The probability P r[e1 E2 E3] can be decomposed as P r[e1 E2 E3] = P r[e1][e2 E1][E3 E1 E2] = (1 δ)δ (qk+n 1) ɛ ɛ (q K +n)e Theorem 2. In the random oracle model, if there exists a typeii adversary A II who has an advantage ɛ in forging an aggregate signature of the proposed CCLAS scheme in an attack modeled by GameII running for a security parameter λ and asking at most q P times public key queries, q K times secret key queries, q H2 times H 2 queries, q H3 times H 3 queries, q S times Sign queries, q A times SignAggr queries and q E extract signature queries, then the CDH problem in G 1 can be solved with probability advantage ɛ 1 (q P +n)e ɛ. Proof. Let C receives a random instance (P, ap, bp ) of the CDH problem and has to compute the value of abp. A II is a typeii adversary who interacts with C as defined in GameII. We show that it can use A II to compute abp. At first, C selects a random s Z/qZ as the masterkey, computes P pub = sp, and selects the system parameters params = (G 1, G 2, e, P, P pub, H 1, H 2, H 3 ). A II has the ability to access to the masterkey s, and obtain the anyone s secret key by PartialKeyGen oracle. A II can perform the following queries in an adaptive manner. The responding lists are initially empty.  H 2 queries: Whenever A II requests query H 2 (ω i ) to H 2 oracle, the same answer P ωi from the H 2 list will be given if the request has been asked before. Otherwise, C selects a random c i Z/qZ, computes P ωi = c i ap, adds (ω i, P ωi, c i ) to H 2 list and answers with P ωi.  H 3 queries: Whenever A II issues a query H 3 (m i, ID i, ω i ) to H 3 oracle, the same answer h i from the H 3 list will be given if the request has been asked before. Otherwise, C selects a random d i Z/qZ, computes h i = d i P, adds (ω i, m i, ID i, h i, d i ) to H 3 list and returns h i as answer.
7 International Journal of Network Security, Vol.16, No.3, PP , May Public key queries(pkqueries): On receiving a public key query, the same answer from the list PKlist will be given if the request has been asked before. Otherwise, C first selects x j Z/qZ, and flips a coin coin i {0, 1} that yields 1 with probability δ and 0 with probability 1δ. If coin i = 1 returns P i = x i bp and adds (ID i, x i, P i, coin i ) to PKlist; otherwise, C computes P i = x i P, returns P i as answer and adds (ID i, x i, P i, coin i ) to PKlist.  Secret value queries: On receiving a secret value query, C first makes P K(ID i ) and searches the tuple (ID i, x i, P i, coin i ) from PKlist. If coin i = 1 then C aborts; otherwise, C returns x i as answer.  Sign queries: On receive a sign query IndiSign(ω i, m i, ID i, P i ), where P i denotes the public key chosen by A II, C first makes H 2 (ω i ) and P K(ID i ) queries, then searches the tuple (ω i, P ωi, c i ) on H 2 list, the tuple (ID i, x i, P i, coin i ) on PKlist. C generates the signature σ as following steps: 1) If coin i = 0, C generate individual signature σ i = (R i, S i ) by IndiSign oracle because he knows the anyone s full signing key, and outputs σ i = (R i, S i ) as answer. 2) If coin i = 1, C randomly picks r i Z/qZ, computes R i = r i P (c i x i /d i )bp, and h i = d i ap, computes S i = r i P ωi + sh 1 (ID i ), outputs the signature σ i = (R i, S i ) as answer. Forgery. Finally, A II returns a set U of n users, whose identities is ID1,..., IDn and corresponding public keys is P1,..., Pn, a state string ω and a forged aggregate signature σ = (R, S ). It requires that there exists π [1, n] such that A II has not asked the partial private for ID π. In addition, the aggregate signature σ should satisfies the verification equation: e(p, S ) = e(r, P ω )e(p pub, n n Q i )( e(pi, h i )) (3) i=1 i=1 where h i = H 3 (m i, ID i, ω ), P ω = H 2 (ω ). C sets Pπ = x πbp, P ω = c i ap, for all i [1,..., n], i π, sets h i = d i P. Hence, C can computes abp = S i=1,i π (dipω + sq i + x ir i ) sq π x πr π d πc i (4) Now we determine the probability ɛ for C to solve the given instance of CDH problem. We analyze the following events needed for C to succeed: E1: C does not abort as a result of any of A II secret value queries. E2: A II generates a valid and nontrivial aggregate signature forgery. E3: Event E2 occurs, c π = 1 and c i = 0 for all i = 1,..., π 1, π + 1,..., n. C succeeds if all of these events happen. The probability of C will succeed is P r[e1 E2 E3] P r[e1 E2 E3] = P r[e1][e2 E1][E3 E1 E2] = (1 δ)δ (q P +n 1) ɛ 1 (q P +n)e ɛ 6 Conclusion We proposed a certificateless aggregate signature scheme that supports compacted full aggregation, whose signature size is the same as that of any of an individual signature. We have presented the security model about unforgeability under two adversaries model. The proposed scheme has been proven to be existentially unforgeable under adaptive chosenmessage attack in the random oracle model. It s an interesting issue to implement fixed size and constant pairing operator in certificateless aggregate signature scheme. Acknowledgments This work was supported by the National Natural Science Foundation of China under Grant , and , and Guangdong Natural Science Foundation under Grant S References [1] S. AlRiyami and K. Paterson, Certificateless public key cryptography, in ASIACRYPT 03, LNCS 2894, pp , SpringerVerlag, [2] D. Boneh, D. Gentry, B. Lynn, and H. Shacham, Aggregate and verifiably encrypted signatures from bilinear maps, in Eurocrypt 03, LNCS 2656, pp , SpringerVerlag, [3] C. Gentry and Z. Ramzan, Identitybased aggregate signatures, in PKC 06, LNCS 3958, pp , SpringerVerlag, [4] Z. Gong, Y. Long, X. Hong, and K. Chen, Two certificateless aggregate signatures from bilinear maps, in SNPD 07, pp , [5] X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu, Certificateless signature revisited, in ACISP 07, LNCS 4586, pp , SpringerVerlag, [6] X. Huang, W. Susilo, Y. Mu, and F. Zhang, On the security of a certificateless signature scheme, in CANS 05, LNCS 3810, pp , SpringerVerlag, [7] J. Y. Hwang, D. H. Lee, and H. Yung, Universial forgery of the identitybased sequential aggregate signature scheme, in ASIACCS 09, 2009.
8 International Journal of Network Security, Vol.16, No.3, PP , May [8] D. Lu, R. Ostrovsky, A. Sahai, H. Shacham, and B. Waters, Sequential aggregate signatures and multisignatures without random oracles, in Advances in Cryptology  Eurocrypt 06, pp , [9] A. Lysyanskaya, S. Micali, L. Reyzin, and H. Shacham, Sequential aggregate signatures from trapdoor permutations, in Advances in Cryptology  Eurocrypt 04, LNCS 3027, pp , Springer Verlag, [10] F. Marc, L. Anja, and S. Dominique, Historyfree sequential aggregate signatures, in SCN 12, LNCS 7845, pp , SpringerVerlag, [11] Y. Mu, W. Susilo, and H. Zhu, Compact sequential aggregate signatures, in SAC 07, pp , ACM, [12] S. S. D. Selvi, S. S. Vivek, J. Shriram, S. Kalaivani, and C. P. Rangan, Security analysis of aggregate signature and batch verification signature schemes, [13] A. Shamir, Identitybased cryptosystems and signature schemes, in Advances in Cryptology  Crypto 84, LNCS 196, pp , SpringerVerlag, [14] Z. Wang, H. Chen, D. Ye, and Q. Wu, Practical identitybased aggregate signature scheme from bilinear maps, Journal of Shanghai Jiaotong University, vol. 13, no. 6, pp , [15] Y. Wen and J. Ma, An aggregate signature scheme with constant pairing operations, in CSSE 08, pp , [16] Y. Wen, J. Ma, and H. Huang, An aggregate signature scheme with specified verifier, Chinese Journal of Electrnics, vol. 20, no. 2, pp , [17] Y. Yu, X. Zheng, and H. Sun, An identity based aggregate signature scheme with pairing, Journal of Networks, vol. 6, no. 4, pp , [18] L. Zhang, B. Qin, Q. Wu, and F. Zhang, Efficient manytoone authentication with certificateless aggregate signature, Computer Network, vol. 54, no. 14, pp , [19] L. Zhang and F. Zhang, Security model for certificateless aggregate signature schemes, in CIS 08, pp , [20] L. Zhang and F. Zhang, A new certificateless aggregate signature scheme, Computer Communications, vol. 32, no. 1, pp , [21] L. Zhang, F. Zhang, and F. Zhang, New efficient certificateless signature scheme, in EUC 07, LNCS 4809, pp , SpringerVerlag, [22] M. Zhang, J. Yao, C. Wang, and T. Takagi, Public key replacement and universal forgery of a scls scheme, International Journal of Network Security, vol. 15, no. 1, pp , Min Zhou is an associate professor at College of Information, South China Agriculutral University. Her research interests focus on Security Multiparty Computation and Network Security. Mingwu Zhang is now working at Hubei University of Technology. He is a senior member of Chinese Computer Federation, a senior member of Chinese Association for Cryptologic Research(CACR), and a member of IEEE Computer Society. His research interests include Network and Information Security. Chunzhi Wang, Ph.D, professor, and is currently working at School of Computer Science and Engineering, Hubei University of Technology. Her research interests focus on Network Protocol and System Security. Bo Yang received his B. S. degree from Peking University in 1986, and the M. S. and Ph. D. degrees from Xidian University in 1993 and 1999, respectively. He is currently a professor and supervisor of Ph.D. at School of Computer Science, Shaanxi Normal University. He is a senior member of Chinese Institute of Electronics (CIE), a member of specialist group on information security in Ministry of Information Industry of China and a member of specialist group on computer network and information security in Shanxi Province. His research interests include Information Theory and Cryptography.
New Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationA Certificateless Signature Scheme for Mobile Wireless CyberPhysical Systems
The 28th International Conference on Distributed Computing Systems Workshops A Certificateless Signature Scheme for Mobile Wireless CyberPhysical Systems Zhong Xu Xue Liu School of Computer Science McGill
More informationMESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC
MESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial
More informationA New and Efficient Signature on Commitment Values
International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding
More informationThe Journal of Systems and Software
The Journal of Systems and Software 82 (2009) 789 793 Contents lists available at ScienceDirect The Journal of Systems and Software journal homepage: www.elsevier.com/locate/jss Design of DLbased certificateless
More informationNew Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings
New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings Fangguo Zhang 1, Reihaneh SafaviNaini 1 and ChihYin Lin 2 1 School of Information Technology and Computer
More informationIdentity Based Undeniable Signatures
Identity Based Undeniable Signatures Benoît Libert JeanJacques Quisquater UCL Crypto Group Place du Levant, 3. B1348 LouvainLaNeuve. Belgium {libert,jjq}@dice.ucl.ac.be http://www.uclcrypto.org/ Abstract.
More informationSecure Key Issuing in IDbased Cryptography
Secure Key Issuing in IDbased Cryptography Byoungcheon Lee 1,2 Colin Boyd 1 Ed Dawson 1 Kwangjo Kim 3 Jeongmo Yang 2 Seungjae Yoo 2 1 Information Security Research Centre, Queensland University of Technology,
More informationCertificate Based Signature Schemes without Pairings or Random Oracles
Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying
More informationEfficient Unlinkable Secret Handshakes for Anonymous Communications
보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications EunKyung Ryu 1), KeeYoung Yoo 2), KeumSook Ha 3) Abstract The technique
More informationIdentityBased Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationA Strong RSAbased and Certificatelessbased Signature Scheme
International Journal of Network Security, Vol.18, No.2, PP.201208, Mar. 2016 201 A Strong RSAbased and Certificatelessbased Signature Scheme ChinChen Chang 1,2, ChinYu Sun 3, and ShihChang Chang
More informationSimple Certificateless Signature with Smart Cards
JAIST Reposi https://dspace.j Title Simple Certificateless Signature wit Author(s)Omote, Kazumasa; Miyaji, Atsuko; Kat Citation IEEE/IFIP International Conference o and Ubiquitous Computing, 2008. EUC
More informationSECURE AND EFFICIENT PRIVACYPRESERVING PUBLIC AUDITING SCHEME FOR CLOUD STORAGE
International Journal of Computer Network and Security(IJCNS) Vol 7. No.1 2015 Pp. 18 gopalax Journals, Singapore available at : www.ijcns.com ISSN: 09758283 
More informationSimplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings
Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March
More informationSome Identity Based Strong BiDesignated Verifier Signature Schemes
Some Identity Based Strong BiDesignated Verifier Signature Schemes Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra282002 (UP), India. Email sunder_lal2@rediffmail.com,
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationSecure and Efficient Identitybased Proxy Multisignature Using Cubic Residues
International Journal of Network Security, Vol.18, No.1, PP.9098, Jan. 2016 90 Secure and Efficient Identitybased Proxy Multisignature Using Cubic Residues Feng Wang 1,2, ChinChen Chang 2,3, Changlu
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationAn Introduction to Identitybased Cryptography CSEP 590TU March 2005 Carl Youngblood
An Introduction to Identitybased Cryptography CSEP 590TU March 2005 Carl Youngblood One significant impediment to the widespread adoption of publickey cryptography is its dependence on a publickey infrastructure
More informationThreshold Identity Based Encryption Scheme without Random Oracles
WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yatsen University Guangzhou, P.R. China Yanming Wang Lingnan College
More informationMetered Signatures  How to restrict the Signing Capability 
JOURNAL OF COMMUNICATIONS AND NETWORKS, VOL.?, NO.?, 1 Metered Signatures  How to restrict the Signing Capability  WooHwan Kim, HyoJin Yoon, and Jung Hee Cheon Abstract: We propose a new notion of metered
More informationSecure Single Signon Schemes Constructed from Nominative Signatures
Secure Single Signon Schemes Constructed from Nominative Signatures Jingquan Wang, Guilin Wang, and Willy Susilo Center for Computer and Information Security Research School of Computer Science and Software
More informationLecture 25: PairingBased Cryptography
6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: PairingBased Cryptography Scribe: Ben Adida 1 Introduction The field of PairingBased Cryptography
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationKey Privacy for Identity Based Encryption
Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 20062 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March
More informationA Performance Analysis of IdentityBased Encryption Schemes
A Performance Analysis of IdentityBased Encryption Schemes Pengqi Cheng, Yan Gu, Zihong Lv, Jianfei Wang, Wenlei Zhu, Zhen Chen, Jiwei Huang Tsinghua University, Beijing, 084, China Abstract We implemented
More informationEfficient CertificateBased Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 0, 55568 (04) Efficient CertificateBased Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model * College of Computer and Information
More informationIdentity based cryptography
Identity based cryptography The case of encryption schemes David Galindo d.galindo@cs.ru.nl Security of Systems Department of Computer Science Radboud Universiteit Nijmegen Identity based cryptography
More informationBreaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring
Breaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The DiffieHellman keyexchange protocol may naturally be extended to k > 2
More informationCiphertextAuditable Identitybased Encryption
International Journal of Network Security, Vol.17, No.1, PP.23 28, Jan. 2015 23 CiphertextAuditable Identitybased Encryption Changlu Lin 1, Yong Li 2, Kewei Lv 3, and ChinChen Chang 4,5 (Corresponding
More informationModular Security Proofs for Key Agreement Protocols
Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.
More informationIEEE Draft P1363.3. Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. 14. Dezember 2009
Identity Based Public Key Cryptography Based On Pairings 14. Dezember 2009 Gliederung Introduction Identity Based Encryption The Protocol Security Of The Protocol Discussion About The Headline Identity
More informationComments on "public integrity auditing for dynamic data sharing with multiuser modification"
University of Wollongong Research Online Faculty of Engineering and Information Sciences  Papers Faculty of Engineering and Information Sciences 2016 Comments on "public integrity auditing for dynamic
More informationAn Efficient and Provablysecure Digital signature Scheme based on Elliptic Curve Bilinear Pairings
Theoretical and Applied Informatics ISSN 896 5334 Vol.24 (202), no. 2 pp. 09 8 DOI: 0.2478/v0790200090 An Efficient and Provablysecure Digital signature Scheme based on Elliptic Curve Bilinear Pairings
More informationLecture 9  Message Authentication Codes
Lecture 9  Message Authentication Codes Boaz Barak March 1, 2010 Reading: BonehShoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationDEVELOPMENT OF CERTIFICATE LESS DIGITAL SIGNATURE SCHEME & ITS APPLICATION IN ECASH SYSTEM
DEVELOPMENT OF CERTIFICATE LESS DIGITAL SIGNATURE SCHEME & ITS APPLICATION IN ECASH SYSTEM A Thesis is submitted in partial fulfilment of the requirements for the degree of Bachelor of Technology In Computer
More informationHybrid Signcryption Schemes with Insider Security (Extended Abstract)
Hybrid Signcryption Schemes with Insider Security (Extended Abstract) Alexander W. Dent Royal Holloway, University of London Egham Hill, Egham, Surrey, TW20 0EX, U.K. a.dent@rhul.ac.uk http://www.isg.rhul.ac.uk/~alex/
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationEfficient Online/Offline IdentityBased Signature for Wireless Sensor Network
Efficient Online/Offline IdentityBased Signature for Wireless Sensor Network Joseph K. Liu Joonsang Baek Jianying Zhou Yanjiang Yang Jun Wen Wong Institute for Infocomm Research Singapore {ksliu, jsbaek,
More informationSignature Amortization Technique for Authenticating Delay Sensitive Stream
Signature Amortization Technique for Authenticating Delay Sensitive Stream M Bruntha 1, Dr J. Premalatha Ph.D. 2 1 M.E., 2 Professor, Department of Information Technology, Kongu Engineering College, Perundurai,
More informationA Survey on Optimistic Fair Digital Signature Exchange Protocols
A Survey on Optimistic Fair Digital Signature Exchange s Alfin Abraham Vinodh Ewards Harlay Maria Mathew Abstract Security services become crucial to many applications such as ecommerce payment protocols,
More informationSecure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment
Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment Chih Hung Wang Computer Science and Information Engineering National Chiayi University Chiayi City 60004,
More informationInternational Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013
FACTORING CRYPTOSYSTEM MODULI WHEN THE COFACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II MohammediaCasablanca,
More information1 Signatures vs. MACs
CS 120/ E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. KatzLindell 10 1 Signatures vs. MACs Digital signatures
More informationImprovement of digital signature with message recovery using selfcertified public keys and its variants
Applied Mathematics and Computation 159 (2004) 391 399 www.elsevier.com/locate/amc Improvement of digital signature with message recovery using selfcertified public keys and its variants Zuhua Shao Department
More informationPerformance Evaluation Panda for Data Storage and Sharing Services in Cloud Computing
Performance Evaluation Panda for Data Storage and Sharing Services in Cloud Computing Gunnala Ajay Kumar M.Tech Student Department of CSE Global Group Of Institutions Batasingaram, Ranga Reddy (Dist),
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationA novel deniable authentication protocol using generalized ElGamal signature scheme
Information Sciences 177 (2007) 1376 1381 www.elsevier.com/locate/ins A novel deniable authentication protocol using generalized ElGamal signature scheme WeiBin Lee a, ChiaChun Wu a, WoeiJiunn Tsaur
More informationBreaking An IdentityBased Encryption Scheme based on DHIES
Breaking An IdentityBased Encryption Scheme based on DHIES Martin R. Albrecht 1 Kenneth G. Paterson 2 1 SALSA Project  INRIA, UPMC, Univ Paris 06 2 Information Security Group, Royal Holloway, University
More informationCryptography. Identitybased Encryption. JeanSébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg
Identitybased Encryption Université du Luxembourg May 15, 2014 Summary IdentityBased Encryption (IBE) What is IdentityBased Encryption? Difference with conventional PK cryptography. Applications of
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationAn Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography
ROMANIAN JOURNAL OF INFORMATION SCIENCE AND TECHNOLOGY Volume 16, Number 4, 2013, 324 335 An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography
More informationNonBlackBox Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak
NonBlackBox Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a
More informationOblivious SignatureBased Envelope
Oblivious SignatureBased Envelope Ninghui Li Department of Computer Science Stanford University Gates 4B Stanford, CA 943059045 ninghui.li@cs.stanford.edu Wenliang Du Department of Electrical Engineering
More informationLecture 2: Complexity Theory Review and Interactive Proofs
600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography
More informationOn the Security of Three Public Auditing Schemes in Cloud Computing
International Journal of Network Security, Vol.17, No.6, PP.795802, Nov. 2015 795 On the Security of Three Public Auditing Schemes in Cloud Computing Yang Ming 1 and Yumin Wang 2 (Corresponding author:
More informationA Factoring and Discrete Logarithm based Cryptosystem
Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511517 HIKARI Ltd, www.mhikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques
More informationDigital Signatures. Prof. Zeph Grunschlag
Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each
More informationAN EFFECTIVE STUDY ON IMPROVED DATA AUTHENTICATION IN CLOUD SYSTEM
INTERNATIONAL JOURNAL OF ADVANCED RESEARCH IN ENGINEERING AND SCIENCE AN EFFECTIVE STUDY ON IMPROVED DATA AUTHENTICATION IN CLOUD SYSTEM Bairu Ravi 1, B.Ramya 2 1 M.Tech Student, Dept of CSE, Arjun College
More informationEnhancing Data Security in Cloud Storage Auditing With Key Abstraction
Enhancing Data Security in Cloud Storage Auditing With Key Abstraction 1 Priyadharshni.A, 2 Geo Jenefer.G 1 Master of engineering in computer science, Ponjesly College of Engineering 2 Assistant Professor,
More informationKey Refreshing in Identitybased Cryptography and its Application in MANETS
Key Refreshing in Identitybased Cryptography and its Application in MANETS Shane Balfe, Kent D. Boklan, Zev Klagsbrun and Kenneth G. Paterson Royal Holloway, University of London, Egham, Surrey, TW20
More informationHierarchical IDBased Cryptography
Hierarchical IDBased Cryptography Craig Gentry 1 and Alice Silverberg 2 1 DoCoMo USA Labs San Jose, CA, USA cgentry@docomolabsusa.com 2 Department of Mathematics Ohio State University Columbus, OH, USA
More informationProvably Secure Cryptography: State of the Art and Industrial Applications
Provably Secure Cryptography: State of the Art and Industrial Applications Pascal Paillier Gemplus/R&D/ARSC/STD/Advanced Cryptographic Services FrenchJapanese Joint Symposium on Computer Security Outline
More informationKeyword Search over Shared Cloud Data without Secure Channel or Authority
Keyword Search over Shared Cloud Data without Secure Channel or Authority Yilun Wu, Jinshu Su, and Baochun Li College of Computer, National University of Defense Technology, Changsha, Hunan, China Department
More informationDIGITAL SIGNATURES 1/1
DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob $100 scan
More informationStrengthen Cloud Computing Security with Federal Identity Management Using Hierarchical IdentityBased Cryptography
Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical IdentityBased Cryptography Liang Yan, Chunming Rong, and Gansen Zhao University of Stavanger, Norway {liang.yan,chunming.rong}@uis.no
More informationSecure Computation Without Authentication
Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. Email: {canetti,talr}@watson.ibm.com
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCAsecure publickey encryption schemes (i.e., schemes
More informationBlinding SelfCertified Key Issuing Protocols Using Elliptic Curves
Blinding SelfCertified Key Issuing Protocols Using Elliptic Curves Billy Bob Brumley Helsinki University of Technology Laboratory for Theoretical Computer Science billy.brumley@hut.fi Abstract SelfCertified
More informationA Survey of IdentityBased Cryptography
A Survey of IdentityBased Cryptography Joonsang Baek 1 Jan Newmarch 2, Reihaneh SafaviNaini 1, and Willy Susilo 1 1 School of Information Technology and Computer Science, University of Wollongong {baek,
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More information1523943696 RIGOROUS PUBLIC AUDITING SUPPORT ON SHARED DATA STORED IN THE CLOUD BY PRIVACYPRESERVING MECHANISM
RIGOROUS PUBLIC AUDITING SUPPORT ON SHARED DATA STORED IN THE CLOUD BY PRIVACYPRESERVING MECHANISM Dhanashri Bamane Vinayak Pottigar Subhash Pingale Department of Computer Science and Engineering SKN
More informationNEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES
NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,
More informationForwardSecure Sequential Aggregate Authentication (Short Paper)
ForwardSecure Sequential Aggregate Authentication (Short Paper) Di Ma, Gene Tsudik University of California, Irvine {dma1, gts}@ics.uci.edu Abstract Wireless sensors are employed in a wide range of applications.
More informationAnonymous Network Information Acquirement Protocol for Mobile Users in Heterogeneous Wireless Networks
International Journal of Network Security, Vol.18, No.1, PP.193200, Jan. 2016 193 Anonymous Network Information Acquirement Protocol for Mobile Users in Heterogeneous Wireless Networks Guangsong Li 1,
More informationTwin Signatures: an Alternative to the HashandSign Paradigm
Proceedings of the 8th ACM Conference on Computer and Communications Security. Pages 20 27. (november 5 8, 2001, Philadelphia, Pennsylvania, USA) Twin Signatures: an Alternative to the HashandSign Paradigm
More informationKeywords:  Ring Signature, Homomorphic Authenticable Ring Signature (HARS), Privacy Preserving, Public Auditing, Cloud Computing.
Survey on Privacy Preserving Public Auditing Techniques for Shared Data in the Cloud Kedar Jayesh Rasal 1, Dr. S.V.Gumaste 2, Sandip A. Kahate 3 Computer Engineering, Pune University, SPCOE, Otur, Pune,
More informationA More Robust Authentication Scheme for Roaming Service in Global Mobility Networks Using ECC
International Journal of Network Security, Vol.18, No.2, PP.217223, Mar. 2016 217 A More Robust Authentication Scheme for Roaming Service in Global Mobility Networks Using ECC Dianli Guo and Fengtong
More informationA New ForwardSecure Digital Signature Scheme
The extended abstract of this work appears Advances in Cryptology Asiacrypt 2000, Tatsuaki Okamoto, editor, Lecture Notes in Computer Science vol. 1976, SpringerVerlag, 2000. c IACR A New ForwardSecure
More informationFuzzy IdentityBased Encryption
Fuzzy IdentityBased Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) IdentityBased Encryption Formal definition Security Idea Ingredients Construction Security Extensions
More informationSecurity of Blind Digital Signatures
Security of Blind Digital Signatures (Revised Extended Abstract) Ari Juels 1 Michael Luby 2 Rafail Ostrovsky 3 1 RSA Laboratories. Email: ari@rsa.com. 2 Digital Fountain 3 UCLA, Email: rafail@cs.ucla.edu.
More informationSecure LargeScale Bingo
Secure LargeScale Bingo Antoni MartínezBallesté, Francesc Sebé and Josep DomingoFerrer Universitat Rovira i Virgili, Dept. of Computer Engineering and Maths, Av. Països Catalans 26, E43007 Tarragona,
More informationIntroduction to Security Proof of Cryptosystems
Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to
More informationSignature Schemes. CSG 252 Fall 2006. Riccardo Pucella
Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by
More informationDigital Signatures. What are Signature Schemes?
Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counterparts of the message authentication schemes in the public
More informationUnified Public Key Infrastructure Supporting Both Certificatebased and IDbased Cryptography
2010 International Conference on Availability, Reliability and Security Unified Public Key Infrastructure Supporting Both Certificatebased and IDbased Cryptography Byoungcheon Lee Dept. of Information
More informationBatch Decryption of Encrypted Short Messages and Its Application on Concurrent SSL Handshakes
Batch Decryption of ncrypted Short Messages and Its Application on Concurrent SSL Handshakes Yongdong Wu and Feng Bao System and Security Department Institute for Infocomm Research 21, Heng Mui Keng Terrace,
More informationGroup Blind Digital Signatures: Theory and Applications by Zulækar Amin Ramzan Submitted to the Department of Electrical Engineering and Computer Science in partial fulællment of the requirements for the
More informationLecture 15  Digital Signatures
Lecture 15  Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations  easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
More informationConstructing PairingFriendly Elliptic Curves with Embedding Degree 10
with Embedding Degree 10 University of California, Berkeley, USA ANTSVII, 2006 Outline 1 Introduction 2 The CM Method: The Basic Construction The CM Method: Generating Families of Curves 3 Outline 1 Introduction
More informationGroup Security Model in Wireless Sensor Network using Identity Based Cryptographic Scheme
Group Security Model in Wireless Sensor Network using Identity Based Cryptographic Scheme Asha A 1, Hussana Johar 2, Dr B R Sujatha 3 1 M.Tech Student, Department of ECE, GSSSIETW, Mysuru, Karnataka, India
More informationEfficient online electronic checks
Applied Mathematics and Computation 162 (2005) 1259 1263 www.elsevier.com/locate/amc Efficient online electronic checks WeiKuei Chen Department of Computer Science and Information Engineering, ChingYun
More informationCIS 5371 Cryptography. 8. Encryption 
CIS 5371 Cryptography p y 8. Encryption  Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: Allornothing secrecy.
More informationA Secure and Efficient Conference Key Distribution System
********************** COVER PAGE ********************** A Secure and Efficient Conference Key Distribution System (Extended Abstract) Mike Burmester Department of Mathematics Royal Holloway University
More informationEfficient Hierarchical Identity Based Encryption Scheme in the Standard Model
Informatica 3 (008) 07 11 07 Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model Yanli Ren and Dawu Gu Dept. of Computer Science and Engineering Shanghai Jiao Tong University
More informationImplementation and Comparison of Various Digital Signature Algorithms. Nazia Sarang Boise State University
Implementation and Comparison of Various Digital Signature Algorithms Nazia Sarang Boise State University What is a Digital Signature? A digital signature is used as a tool to authenticate the information
More informationThe Exact Security of Digital Signatures How to Sign with RSA and Rabin
Appears in Advances in Cryptology Eurocrypt 96 Proceedings, Lecture Notes in Computer Science Vol. 1070, U. Maurer ed., SpringerVerlag, 1996. The Exact Security of Digital Signatures How to Sign with
More informationMessage Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBCMAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More information