CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction


International Journal of Network Security, Vol. 16, No. 3, May

Min Zhou 1, Mingwu Zhang 2, Chunzhi Wang 2, and Bo Yang 3 (Corresponding author: Min Zhou)
1 College of Information, South China Agricultural University
2 College of Computer Science and Engineering, Hubei University of Technology
3 School of Computer Sciences, Shaanxi Normal University
(Received June 29, 2012; revised and accepted Jan. 12 & Feb. 21, 2013)

Abstract

Aggregate signatures are compact cryptographic schemes that reduce the combined size of multiple individual signatures; they are used to shrink message sizes and to shorten certificate chains. Certificateless signatures are a paradigm for overcoming the key escrow problem of identity-based cryptographic schemes. In this paper we construct a compact aggregate signature in the certificateless public key setting that performs full aggregation: the aggregate signature has the same length as any single individual signature. Furthermore, the proposed scheme can aggregate further signatures into an existing aggregate and extract an individual signature from it, while keeping the remaining aggregate signature valid. Security is analyzed in the random oracle model under two adversary models, a malicious KGC and a malicious user. The proposed scheme is existentially unforgeable under adaptive chosen-message and chosen-identity attacks assuming the computational Diffie-Hellman problem is hard.

Keywords: Aggregate signature, certificateless cryptography, unforgeability

1 Introduction

1.1 Aggregate Signature and Related Works

An aggregate signature scheme [2, 7, 8, 9] is a digital signature scheme that allows multiple individual signatures to be aggregated into one single signature.
It allows a collection of signatures to be compressed into one short signature; this single signature, together with the original messages $m_i$ ($i \in [1, n]$) and the list of signer identities, convinces the verifier that user $ID_i$ indeed signed message $m_i$. Aggregation is applicable almost everywhere in cryptographic protocols where a large or moderately sized group is involved, and it is a useful technique for reducing communication and computation complexity. The first aggregate signature scheme was proposed by Boneh et al. [2]; it is based on the BLS short signature scheme in groups with efficiently computable bilinear maps. Their scheme is called a general aggregation scheme since aggregation can be done by anyone and without the cooperation of the signers, but it rejects if the messages $m_1, \ldots, m_n$ are not distinct. Subsequently, Lysyanskaya et al. [9] proposed an RSA-based sequential aggregate signature scheme. In a sequential aggregation scheme, signature aggregation can only be done during the signing process: each signer in turn modifies the aggregate signature by adding his signature to the current aggregate. Recently, Lu et al. [8] proposed a sequential aggregate signature scheme without random oracles; the security of their scheme relies on the hardness of the Computational Diffie-Hellman (CDH) problem in bilinear groups. The total information needed to verify an aggregate signature must include the individual signers' public keys, whose lengths depend on the security parameters of the scheme. Since the verifier cannot be expected to know all $n$ signers' public keys, in practice the length of an aggregate signature is not significantly shorter than that of $n$ traditional signatures. Hence, for large values of $n$, it is preferable to specify the signers by their identities.
To solve the public key certificate issue, identity-based cryptography was first introduced by Shamir in [13]; it simplifies key management and avoids the use of digital certificates. A Private Key Generator (PKG) computes keys from a master key and distributes them to the users participating in the scheme, which eliminates the need for the certificates used in a traditional public key infrastructure. In [3], Gentry and Ramzan introduced an identity-based aggregate signature that is secure in the random oracle model. Because they use an identity-based scheme, the signer does not need to send an individual public key and certificate with its signature. Moreover, the scheme of Gentry and Ramzan produces short signatures and is computationally efficient: verification requires only three pairing computations, regardless of the number of signers. Wang et al. [14] proposed a novel identity-based aggregate signature scheme with efficient computing time, but Selvi et al. [12] pointed out that Wang et al.'s scheme is not secure against universal forgery.

Certificateless public key cryptography (CL-PKC), first proposed by Al-Riyami and Paterson [1], is a paradigm for overcoming the key escrow problem of identity-based cryptographic schemes. Certificateless cryptography involves a Key Generation Center (KGC), which issues a partial key to a user; the user also independently generates an additional public/secret key pair. This is arranged so that the KGC, which knows the partial key but not the additional secret key, cannot perform any cryptographic operation on behalf of the user, and a third party who replaces the public/secret key pair but does not know the partial key cannot act as the user either [22]. Huang et al. [6] formalized the security model of certificateless signature schemes. Gong et al. [4] defined the security model of certificateless aggregate signature schemes for the first time; however, Zhang et al. [21] pointed out some drawbacks of Gong et al.'s model. In [5], Huang et al. presented a generic way to construct certificateless signature (CLS) schemes. Little attention has been paid to aggregate signatures in the certificateless public key setting. Zhang et al. [19] described security models for certificateless aggregate signature schemes. Wen et al. [15] constructed an aggregate signature scheme that requires a constant number of pairing operations in the verification algorithm and whose aggregate signature size is independent of the number of signers, but Selvi et al. [12] pointed out that Wen et al.'s scheme is not secure against individual signature forgery. An aggregate signature supporting many-to-one authentication, deployed in the certificateless signature environment, is proposed in [18]. Recently, Zhang et al. [20] proposed a certificateless aggregate signature scheme, but their scheme only supports partial aggregation. Wen et al. [16] proposed an aggregate signature with a specified designated verifier. In order to improve computing efficiency and reduce the signature size, Yu et al. [17] presented an aggregate signature without any bilinear pairing operation, and Mu et al. [11] constructed a compact sequential aggregate signature. Recently, Marc et al. [10] constructed a sequential aggregate scheme that supports the history-free property.

Aggregating signatures on different messages can be very helpful in many situations, in order to save both memory space and verification cost. Informally, the length of the aggregate signature should be constant, independent of the number of signed messages. An aggregate signature of the form $\sigma = (R_1, \ldots, R_n, T)$ is half the length of the $n$ initial signatures, but it is still linear in the number of signatures, because the $R_i$ cannot be compacted even if all the signatures come from the same signers.

1.2 Our Contribution and Roadmap

In this paper, we propose a compact certificateless aggregate signature scheme (CCLAS) that supports the full aggregation model: aggregating additional signatures does not increase the length of the aggregate signature. The CCLAS scheme is provably secure in the random oracle model. It adapts the security notions of two adversary models, describing a malicious forger and a malicious-but-passive KGC, to certificateless aggregate signature schemes. The result of aggregation is an aggregate signature whose length is the same as that of any individual signature.
This scheme has the property that a verifier, given the aggregate signature along with the identities of the parties involved and their respective messages, is convinced that each user signed his respective message. The rest of the paper is organized as follows: Section 2 gives some preliminaries, including bilinear pairings and the security assumption; the formal model of the compact certificateless aggregate signature scheme and its security notions are described in Section 3, and the detailed algorithms are proposed in Section 4; the security analysis of the CCLAS scheme is given in Section 5, and the conclusion is drawn in Section 6.

2 Preliminaries

2.1 Pairings

The CCLAS scheme uses a bilinear map, which is often called a pairing. Typically, the pairing used is a modified Weil or Tate pairing on a supersingular elliptic curve or abelian variety. Throughout the paper we use the following notation for the bilinear map requirements:

1) $(G_1, +)$ and $(G_2, \cdot)$ are cyclic groups of the same large prime order $q$;
2) $P$ is a generator of $G_1$, and $e(P, P)$ is a generator of $G_2$;
3) $e$ is a computable bilinear map $e : G_1 \times G_1 \to G_2$.

2.2 Security Assumption

In this paper, we base our security reductions on the Computational Diffie-Hellman (CDH) assumption, which is widely regarded as a hard problem and is often used as the basis of cryptographic schemes. It is defined as follows:

Definition 1. CDH assumption: Consider a cyclic group $G$ of order $q$. The CDH assumption states that, given a tuple $(P, aP, bP)$ for a randomly chosen generator $P$ and random integers $a, b \in \mathbb{Z}/q\mathbb{Z}$, it is computationally intractable to compute the value $abP$. More precisely, the CDH assumption holds if the advantage function $Adv_{A_{CDH}}(\lambda)$ is a negligible function in $\lambda$ for all polynomial-time adversaries $A_{CDH}$, where $Adv_{A_{CDH}}(\lambda) = \Pr[A(P, aP, bP) = abP]$.

3 Models and Security Notions

3.1 The CCLAS Model

The CCLAS scheme is an efficient certificateless signature scheme defined by eight probabilistic polynomial-time algorithms: Setup, PartialKeyGen, UserKeyGen, IndiSign, IndiVeri, SignAggr, SignVeri and ExtAggr.

Setup: This algorithm is performed by the KGC. It accepts a security parameter $\lambda$ and generates a master key $s$ and a list of system parameters params.

PartialKeyGen: This algorithm is performed by the KGC. It accepts a user's identity $ID_i$, the parameter list params and the master key $s$, and produces the user's partial secret key $D_i$.

UserKeyGen: This algorithm is run by a user. It takes the user's identity $ID_i$ as input and outputs the user's secret value $x_i$ and public key $P_i$.

IndiSign: This algorithm accepts a message $m \in M$, the signer's identity $ID_i$ together with the corresponding public key $P_i$, the parameter list params and the signing key $(D_i, x_i)$, and generates an individual signature $\sigma_i$ on message $m$.

IndiVeri: This algorithm accepts a message $m$, a signature $\sigma_i$, the public parameter list params, the signer's identity $ID_i$ and the corresponding public key $P_i$. It outputs true if the signature is valid and rejects otherwise.

SignAggr: This algorithm is run by the aggregate signature generator, which may be any user or a third party. It takes as input state information $\omega$, an aggregating user set $U$ of users $U_i \in U$ ($i = 1, \ldots, n$) with identities $ID_i$ and corresponding public keys $P_i$, and signatures $\sigma_i$ on messages $m_i$ with state information $\omega$ under identity $ID_i$ and public key $P_i$ for each user $U_i \in U$. It outputs an aggregate signature $\sigma$ on messages $m_1, \ldots, m_n$.

SignVeri: This algorithm takes as input the state information string $\omega$, a set $U$ of $n$ users $U_1, \ldots, U_n$, each with identity $ID_i$ and public key $P_i$, and an aggregate signature $\sigma$ on messages $m_1, \ldots, m_n$. It outputs true if the aggregate signature is valid and rejects otherwise.
ExtAggr: This algorithm extracts an individual signature $\sigma'$ from an aggregate signature $\sigma$. After a valid signature $\sigma'$ has been extracted from $\sigma$, the new aggregate signature $\sigma'' = \sigma - \sigma'$ is also a valid aggregate signature.

Remark 1. For the first time, our CCLAS scheme introduces an ExtAggr algorithm to extract a valid individual signature. What remains after an individual signature is extracted from the aggregate signature is still a valid aggregate signature.

3.2 Security Notions

The CCLAS scheme should be secure against existential forgery under adaptive chosen-message attacks and adaptive chosen-identity attacks. Informally, existential forgery means that the adversary attempts to forge an identity-based individual signature or aggregate signature on identities and messages of his choice. There are two types of security in a certificateless aggregate signature scheme, Type-I security and Type-II security [1], with two corresponding types of adversary, $A_I$ and $A_{II}$.

Type-I adversary. The Type-I adversary $A_I$ models a malicious adversary who can compromise the user's private key or replace the user's public key. However, he can neither compromise the master key nor access the user's partial key.

Type-II adversary. The Type-II adversary $A_{II}$ models the malicious-but-passive KGC, who knows the master key but cannot replace the public key of the user being attacked.

Type-I game. The Type-I game is played between a challenger $C$ and the Type-I forger $A_I$ for a CCLAS signature scheme as follows:

Initialization. $C$ runs the Setup algorithm to generate the master key and public parameters, and gives the public parameters to the forger $A_I$. Note that $A_I$ does not know the master key.

Queries. The forger $A_I$ may issue the following queries to $C$ in an adaptive manner.

PartialKeyGen queries: When $A_I$ requests the partial private key of a user with identity $ID$, $C$ responds with the user's partial private key $D_{ID}$ by running the PartialKeyGen algorithm.
UserKeyGen queries: When $A_I$ requests the secret key of a user with identity $ID$, $C$ responds with the user's secret key $x_{ID}$ by running the UserKeyGen algorithm.

UserPublicKey queries: When $A_I$ requests the public key of a user with identity $ID$, $C$ answers with the corresponding public key $P_{ID}$.

PublicKeyReplacement queries $(ID, P'_{ID})$: This query replaces the public key $P_{ID}$ of identity $ID$ with a new value $P'_{ID}$. On receiving such a query, $C$ updates the public key to the new value $P'_{ID}$.

IndiSign queries: When $A_I$ requests a signature on a message $m$ for a user with identity $ID$, $C$ responds with a valid signature $\sigma$ on $m$ by running the IndiSign algorithm.

SignAggr queries: When $A_I$ requests aggregation of a series of signatures, $C$ returns an aggregate signature $\sigma$ by running the SignAggr algorithm.

ExtAggr queries: When $A_I$ issues a signature extraction query, $C$ returns a new signature from which the requested subset signature $\sigma'$ has been extracted, by running the ExtAggr algorithm.

Forgery. Finally, $A_I$ outputs an aggregate signature $\sigma^* = (R^*, S^*)$ and wins the game if:

- $\sigma^*$ passes the SignVeri algorithm, i.e. the returned result is not a rejection;
- $A_I$ has never asked for all the partial private keys or private keys of the users $ID_1, \ldots, ID_n$ who participate in the aggregate signature $\sigma^*$;
- $\sigma^*$ has never been obtained from the IndiSign and SignAggr oracles.

Definition 2. Type-I unforgeability. The CCLAS scheme is existentially unforgeable against Type-I adversaries under adaptively chosen-identity and chosen-message attacks if the success probability of any polynomially bounded Type-I adversary in the Type-I game is negligible.

Type-II game.

Initialization. $C$ runs the Setup algorithm and sends params and the master key to the adversary $A_{II}$. Note that $A_{II}$ knows the master key and can obtain anyone's partial private key, so he need not issue PartialKeyGen queries.

Queries. The forger $A_{II}$ may issue the following queries in an adaptive manner.

UserKeyGen queries. When $A_{II}$ requests the private key of a user with identity $ID$, $C$ outputs the secret key $x_{ID}$ by running the UserKeyGen algorithm.

UserPublicKey queries. When $A_{II}$ requests the public key of a user with identity $ID$, $C$ outputs the corresponding public key $P_{ID}$.

IndiSign queries. When $A_{II}$ requests identity $ID$'s signature on a message $m$ together with a public key $P_{ID}$, $C$ answers with a signature $\sigma$ on message $m$ for the user $ID$.

SignAggr queries: When $A_{II}$ requests aggregation of a series of signatures, $C$ returns an aggregate signature $\sigma$ by running the SignAggr algorithm.

ExtAggr queries: When $A_{II}$ issues an individual signature extraction query, $C$ returns a new signature from which the subset signature has been extracted.

Forgery. The adversary $A_{II}$ outputs a tuple $\sigma^* = (R^*, S^*, m_1, ID_1, \ldots, m_n, ID_n)$. $A_{II}$ wins the game if:

- $\sigma^*$ passes the SignVeri algorithm, i.e. the returned result is not a rejection;
- $A_{II}$ has never asked for all the private keys of the users $ID_1, \ldots, ID_n$;
- $\sigma^*$ has never been obtained from the IndiSign and SignAggr oracles.

Definition 3.
Type-II unforgeability. The CCLAS scheme is existentially unforgeable against Type-II adversaries under adaptively chosen-identity and chosen-message attacks if the success probability of any polynomially bounded Type-II adversary in the Type-II game is negligible.

Remark 2. The CCLAS scheme is existentially unforgeable under adaptively chosen-identity and chosen-message attacks if it is existentially unforgeable against Type-I adversaries in the Type-I game and against Type-II adversaries in the Type-II game, respectively.

4 The CCLAS Scheme

In this section, we describe the proposed CCLAS scheme, which consists of eight probabilistic polynomial-time algorithms.

Setup: On input a security parameter $\lambda$, the KGC generates the parameters as follows:
- Generates groups $G_1$ and $G_2$ of prime order $q$ and an admissible pairing $e : G_1 \times G_1 \to G_2$;
- Chooses an arbitrary generator $P \in G_1$;
- Picks $s \in \mathbb{Z}/q\mathbb{Z}$ at random and sets $P_{pub} = sP$;
- Chooses cryptographic hash functions $H_1, H_2 : \{0,1\}^* \to G_1$ and $H_3 : \{0,1\}^l \times \{0,1\}^* \to G_1$;
- The KGC publishes params $= \langle G_1, G_2, e, q, P, P_{pub}, H_1, H_2, H_3 \rangle$ and keeps the master key $s$ secret. The message space is $M = \{0,1\}^l$.

PartialKeyGen: The KGC generates the partial private key for the user $U_i$ with identity $ID_i$ as follows:
- Computes $Q_i = H_1(ID_i) \in G_1$;
- Outputs the partial private key $D_i = sQ_i$.

UserKeyGen: On input params and a user's identity $ID_i \in \{0,1\}^*$, this algorithm generates the user's secret value and public key as follows:
- Picks a random $x_i \in \mathbb{Z}/q\mathbb{Z}$ and outputs $x_i$ as the user's secret value. Note that the user's full secret key is $SK_i = \langle x_i, D_i \rangle$;
- Computes and sets the user's public key $P_i = x_i P$.

IndiSign: The first signer picks a random string $\omega \in \{0,1\}^*$ that it has never used before. Each subsequent signer checks that it has not previously used the string $\omega$ chosen by the first signer.
To sign a message $m_i \in M$ using the signing key $\langle x_i, D_i \rangle$, the signer $ID_i$ with corresponding public key $P_i$ performs the following steps:
- Computes $P_\omega = H_2(\omega) \in G_1$;
- Picks $r_i \in \mathbb{Z}/q\mathbb{Z}$ at random and computes $R_i = r_i P \in G_1$;
- Computes $h_i = H_3(m_i, ID_i, \omega) \in G_1$;
- Computes $S_i = r_i P_\omega + D_i + x_i h_i$;
- Outputs $\sigma_i = \langle R_i, S_i \rangle$ as the signature on $m_i$ by the user $ID_i$.

IndiVeri: On receiving the signature $\sigma_i = \langle R_i, S_i \rangle$ on the state string $\omega$ and message $m_i$, anyone can verify its origin:
- Computes $P_\omega = H_2(\omega)$;
- Computes $h_i = H_3(m_i, ID_i, \omega)$;
- Accepts the message $m_i$ iff $e(P, S_i) = e(R_i, P_\omega)\, e(P_{pub}, Q_i)\, e(P_i, h_i)$, where $Q_i = H_1(ID_i)$.

SignAggr: Anyone can aggregate a collection of individual signatures $\sigma_1 = \langle R_1, S_1 \rangle, \ldots, \sigma_n = \langle R_n, S_n \rangle$ by $n$ different users $ID_1, \ldots, ID_n$, respectively, that use the same state string $\omega$, as follows:
- Computes $S = \sum_{i=1}^{n} S_i$ and $R = \sum_{i=1}^{n} R_i$;
- Outputs the aggregate signature $\sigma = \langle R, S \rangle$ under the state string $\omega$ on messages $m_1, \ldots, m_n$.

Remark 3. The CCLAS scheme is a full aggregate signature scheme that compacts both $R_i$ and $S_i$ ($1 \le i \le n$). Many aggregate signature schemes, such as [20, 21], only provide partial aggregation, which compacts the $S_i$ by $S = \sum_{i=1}^{n} S_i$.

Remark 4. The purpose of the one-time-use state string $\omega$ in the CCLAS scheme is to disturb the linearity of the signatures; it provides a way for all the signers to reach a common randomness. The CCLAS scheme does not support aggregation of individual signatures that use different $\omega$'s. If an individual signature is to be extracted from an aggregate signature, it also needs the same state string.

SignVeri: To verify an aggregate signature $\sigma = \langle R, S \rangle$ with the common state string $\omega$ on messages $m_1, \ldots, m_n$ for identities $ID_1, \ldots, ID_n$ under public keys $P_1, \ldots, P_n$, respectively, the verifier performs the following steps:
- Computes $P_\omega = H_2(\omega)$;
- For $i = 1$ to $n$, computes $Q_i = H_1(ID_i)$ and $h_i = H_3(m_i, ID_i, \omega)$;
- Checks whether the following equation holds:
$$e(P, S) = e(R, P_\omega)\, e\Big(P_{pub}, \sum_{i=1}^{n} Q_i\Big) \prod_{i=1}^{n} e(P_i, h_i);$$
- If the above equation holds, outputs true as success; otherwise rejects.
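The eight algorithms are simple enough to run end to end, so what follows is an added worked example (not the paper's code, and not a real pairing library) that implements Setup, PartialKeyGen, UserKeyGen, IndiSign, IndiVeri, SignAggr, SignVeri and the subtraction-based ExtAggr over a constructed toy bilinear group: $G_1$ is the additive group $\mathbb{Z}_q$ with the integer $a$ standing for $aP$, $G_2$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a prime $p = kq + 1$ found at start-up, and $e(aP, bP) = g^{ab} \bmod p$. That map is bilinear, which is all the correctness of the verification equations needs, but discrete logarithms in this $G_1$ are trivial, so the code only illustrates the algebra. The hash functions are SHA-256 reduced modulo $q$, and the function names, identities, messages and the state string are assumptions made for the example. `demo()` checks that individual and aggregate signatures verify (two of the signers sign the same message, as Remark 5 allows), that the remaining aggregate still verifies after ExtAggr (Remark 6), that a changed message or a signature made under a different state string $\omega$ fails to verify (Remark 4), and that the aggregate stays two group elements however many signatures it holds (Remark 3).

```python
# CCLAS over a toy bilinear group (added example, not the paper's code; see lead-in).
import hashlib
import secrets

def is_prime(n):
    """Miller-Rabin with the first 12 prime bases; deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 41:
        return n in bases
    if any(n % b == 0 for b in bases):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Toy group (constructed, insecure): G1 = (Z_q, +) with the integer a standing for aP,
# G2 = the order-q subgroup of Z_p^*, and e(aP, bP) = g^(ab) mod p.
q = 2**61 - 1                              # prime order of G1 and G2 (a Mersenne prime)
k = 2
while not is_prime(k * q + 1):             # smallest even k with p = kq + 1 prime
    k += 2
p = k * q + 1
g = next(y for y in (pow(h, k, p) for h in range(2, 64)) if y != 1)   # order-q generator
P = 1                                      # generator of G1 ("1 * P")

def e(a, b):
    """Bilinear map: e(aP, bP) = g^(ab); e(xA, B) = e(A, B)^x holds for any x."""
    return pow(g, a * b % q, p)

def hash_to_g1(*parts):
    """Domain-separated SHA-256 reduced mod q, standing in for H1, H2, H3 : {0,1}* -> G1."""
    return int.from_bytes(hashlib.sha256(b"\x00".join(s.encode() for s in parts)).digest(), "big") % q

def H1(ID): return hash_to_g1("H1", ID)
def H2(omega): return hash_to_g1("H2", omega)
def H3(m, ID, omega): return hash_to_g1("H3", m, ID, omega)

def setup():                      # KGC: master key s, P_pub = sP
    s = secrets.randbelow(q - 1) + 1
    return s, s * P % q

def partial_key_gen(s, ID):       # KGC: D_i = s * Q_i with Q_i = H1(ID_i)
    return s * H1(ID) % q

def user_key_gen():               # user: secret value x_i, public key P_i = x_i P
    x = secrets.randbelow(q - 1) + 1
    return x, x * P % q

def indi_sign(D, x, ID, m, omega):
    r = secrets.randbelow(q)
    R = r * P % q                                            # R_i = r_i P
    S = (r * H2(omega) + D + x * H3(m, ID, omega)) % q      # S_i = r_i P_w + D_i + x_i h_i
    return R, S

def indi_veri(Ppub, Pi, ID, m, omega, sig):
    R, S = sig
    return e(P, S) == e(R, H2(omega)) * e(Ppub, H1(ID)) * e(Pi, H3(m, ID, omega)) % p

def sign_aggr(sigs):              # full aggregation: both components are summed
    return sum(R for R, _ in sigs) % q, sum(S for _, S in sigs) % q

def sign_veri(Ppub, users, omega, agg):
    """users: list of (ID_i, P_i, m_i); every signature must use the same state string omega."""
    R, S = agg
    rhs = e(R, H2(omega)) * e(Ppub, sum(H1(ID) for ID, _, _ in users) % q) % p
    for ID, Pi, m in users:
        rhs = rhs * e(Pi, H3(m, ID, omega)) % p
    return e(P, S) == rhs

def ext_aggr(agg, sig):           # sigma'' = sigma - sigma'
    return (agg[0] - sig[0]) % q, (agg[1] - sig[1]) % q

def demo():
    s, Ppub = setup()
    omega = "session-0001"        # one-time state string shared by the signers (constructed value)
    users, sigs = [], []
    for ID, m in (("alice", "pay 10"), ("bob", "pay 10"), ("carol", "approve")):
        x, Pi = user_key_gen()
        users.append((ID, Pi, m))
        sigs.append(indi_sign(partial_key_gen(s, ID), x, ID, m, omega))
    agg = sign_aggr(sigs)
    rest = ext_aggr(agg, sigs[1])                    # take bob's signature back out
    xd, Pd = user_key_gen()                          # dave signs under another state string
    mixed = sign_aggr(sigs + [indi_sign(partial_key_gen(s, "dave"), xd, "dave", "hi", "other")])
    return {
        "individual_valid": all(indi_veri(Ppub, Pi, ID, m, omega, sg) for (ID, Pi, m), sg in zip(users, sigs)),
        "aggregate_valid": sign_veri(Ppub, users, omega, agg),
        "after_extraction_valid": sign_veri(Ppub, [users[0], users[2]], omega, rest),
        "tampered_message_valid": indi_veri(Ppub, users[0][1], "alice", "pay 99", omega, sigs[0]),
        "mixed_omega_valid": sign_veri(Ppub, users + [("dave", Pd, "hi")], omega, mixed),
        "aggregate_elements": len(agg),
    }
```

Calling `demo()` returns the six checks as a dictionary: the two expected failures (`tampered_message_valid` and `mixed_omega_valid`) come out `False`, the verifications come out `True`, and `aggregate_elements` is 2 regardless of how many signatures were folded in, which is exactly the full-aggregation property Remark 3 contrasts with the partial aggregation of [20, 21]. The mixed-$\omega$ failure is the algebraic reason for Remark 4: the $r_i P_\omega$ terms only cancel against the single $e(R, P_\omega)$ factor when every signer hashed the same $\omega$.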
Remark 5. In [2], to ensure the security of the aggregate signature scheme, it is required that the messages $m_1, \ldots, m_n$ to be signed are distinct. In our proposed scheme this restriction can be removed, because all individual signatures to be aggregated share the same state string.

ExtAggr: To extract an individual signature $\sigma' = (R', S')$ that was aggregated into a signature $\sigma = (R, S)$, it does:
- Computes $R'' = R - R'$ and $S'' = S - S'$;
- Outputs $\sigma'' = (R'', S'')$.

Remark 6. It is easy to see that $\sigma'' = (R'', S'')$ is a valid aggregate signature if $\sigma' = (R', S')$ has been extracted from $\sigma$. Writing $k$ for the index of the extracted signer, the check equation is:
$$e(P, S'') = e(R'', P_\omega)\, e\Big(P_{pub}, \sum_{i=1, i \ne k}^{n} Q_i\Big) \prod_{i=1, i \ne k}^{n} e(P_i, h_i).$$

In the CCLAS scheme it is possible to aggregate individual signatures even if the signers have different KGCs, and the security proof goes through. However, to verify such a multiple-KGC aggregate signature, the verifier only needs the public key of every KGC.

5 Security Analysis

We show that the CCLAS scheme is existentially unforgeable under adaptively chosen-identity and chosen-message attacks by showing that it is existentially unforgeable against Type-I adversaries in the Type-I game and against Type-II adversaries in the Type-II game, respectively.

Theorem 1. In the random oracle model, if there exists a Type-I adversary $A_I$ who breaks Game-I with non-negligible probability $\epsilon$ for a security parameter $\lambda$, after asking at most $q_K$ partial private key queries, $q_P$ public key queries, $q_{H_i}$ queries to $H_i$ ($i = 1, 2, 3$), $q_S$ IndiSign queries, $q_A$ SignAggr queries and $q_E$ extract signature queries, then the CDH problem in $G_1$ can be solved with non-negligible advantage
$$\epsilon' \ge \frac{\epsilon}{(q_K + n)e}.$$

Proof. Algorithm $B$ is given an instance $(P, aP, bP)$ of the CDH problem and interacts with algorithm $A_I$ as follows in an attempt to compute $abP$. First, $B$ sets $P_{pub} = aP$ and chooses the system parameters params $= (G_1, G_2, e, P, P_{pub}, H_1, H_2, H_3)$. Here the $H_i$ are random oracles controlled by $B$.
$A_I$ can perform the following types of queries in an adaptive manner. $B$ maintains lists of its previous hash query responses for consistency; the lists are initially empty.

- $H_1$ queries: $B$ keeps a list of tuples $(ID_j, coin_j, Q_j, b_j)$. If $ID_i$ was in a previous $H_1$ query, $B$ answers with $Q_i$ from the $H_1$-list; otherwise, $B$ generates a random $coin_i \in \{0,1\}$ such that $\Pr[coin_i = 1] = \delta$. It picks $b_i \in_R \mathbb{Z}/q\mathbb{Z}$; if $coin_i = 1$, $B$ sets $Q_i = b_i bP$, else $Q_i = b_i P$. It stores $(ID_i, coin_i, Q_i, b_i)$ in the $H_1$-list and answers with $Q_i$.
- $H_2$ queries: $B$ keeps a list of tuples $(\omega_j, P_{\omega_j}, c_j)$. Whenever $A_I$ issues a query $H_2(\omega_i)$ to the $H_2$ oracle, the same answer $P_{\omega_i}$ from the $H_2$-list is given if the request has been asked before. Otherwise, $B$ selects a random $c_i \in \mathbb{Z}/q\mathbb{Z}$, computes $P_{\omega_i} = c_i P$, adds $(\omega_i, P_{\omega_i}, c_i)$ to the $H_2$-list and answers with $P_{\omega_i}$.

- $H_3$ queries: $B$ keeps a list $H_3$-list of tuples $(\omega_j, m_j, ID_j, h_j, d_j)$. Whenever $A_I$ issues a query $H_3(m_i, ID_i, \omega_i)$ to the $H_3$ oracle, the same answer $h_i$ from the $H_3$-list is given if the request has been asked before. Otherwise, $B$ selects a random $d_i \in \mathbb{Z}/q\mathbb{Z}$, computes $h_i = d_i P$, adds $(\omega_i, m_i, ID_i, h_i, d_i)$ to the $H_3$-list and answers with $h_i$.
- PartialKeyGen queries: When $A_I$ requests the partial private key corresponding to $ID_i$, $B$ looks $ID_i$ up in the $H_1$-list; if $coin_i = 0$, it answers with $Q_i = b_i P$, else $B$ aborts.
- Public key queries: $B$ keeps a list PK-list of tuples $(ID_j, x_j, P_j, e_j)$. On receiving a public key query, the same answer from the PK-list is given if the request has been asked before. Otherwise, $B$ aborts and returns failure as the answer.
- Secret value queries: On receiving a secret value query, $B$ first makes a $PK(ID_i)$ query, recovers the tuple $(ID_i, x_i, P_i, e_i)$ from the PK-list and answers with $x_i$. If it cannot find the tuple in the list, it returns failure.
- Sign queries: On receiving an individual sign query IndiSign$(\omega_i, m_i, ID_i, P_i)$, where $P_i$ denotes the public key chosen by $A_I$, $B$ first makes $H_2(\omega_i)$ and $PK(ID_i)$ queries, then finds the tuple $(\omega_i, P_{\omega_i}, c_i)$ in the $H_2$-list and the tuple $(ID_i, x_i, P_i, e_i)$ in the PK-list, and generates the signature $\sigma$ as follows:
  1) If $coin_i = 0$ in the $H_1$-list, $B$ randomly chooses $R_i \in G_1$, computes $S_i = c_i R_i + b_i P_{pub} + d_i P_i$, and outputs $(R_i, S_i)$ as the answer.
  2) If $coin_i = 1$ in the $H_1$-list, $B$ randomly picks $r_i, d_i \in \mathbb{Z}/q\mathbb{Z}$, computes $R_i = r_i P - d_i^{-1} Q_i$, and stores $(\omega_i, m_i, ID_i, h_i, d_i)$ in the $H_3$-list. $B$ computes $S_i = c_i P_i + r_i d_i P_{pub}$ and outputs $\sigma_i = (R_i, S_i)$ as the answer.

Forgery. Finally, $A_I$ returns a set $U$ of $n$ users with identities $ID_1, \ldots, ID_n$ and corresponding public keys $P_1, \ldots, P_n$, a state string $\omega^*$ and a forged aggregate signature $\sigma^* = (R^*, S^*)$.
It is required that there exists $\pi \in [1, n]$ such that $A_I$ has neither asked for the partial private key of $ID_\pi$ nor queried IndiSign for $ID_\pi$ and message $m_\pi$. In addition, the aggregate signature $\sigma^*$ satisfies the following equation:
$$e(P, S^*) = e(R^*, P_{\omega^*})\, e\Big(P_{pub}, \sum_{i=1}^{n} Q_i\Big) \prod_{i=1}^{n} e(P_i, h_i) \qquad (1)$$
where $h_i = H_3(m_i, ID_i, \omega^*)$ and $P_{\omega^*} = H_2(\omega^*)$. The above equation holds if $coin_\pi = 0$ and $coin_i = 1$ for all $i \in [1, \ldots, \pi - 1, \pi + 1, \ldots, n]$; otherwise, $B$ aborts. By our setting, $Q_\pi = b_\pi bP$, $P_{\omega^*} = c_\pi P$ and $h_\pi = d_\pi P$. For all $i = 1, \ldots, \pi - 1, \pi + 1, \ldots, n$, $Q_i = b_i P$ and $h_i = d_i P$. It follows that
$$abP = S^* - \sum_{i=1, i \ne \pi}^{n} (d_i P_i + b_i P_{pub} + c_i R_i) - c_\pi R_\pi - d_\pi P_\pi. \qquad (2)$$

Now we determine the probability $\epsilon'$ that $B$ solves the given instance of the CDH problem. We analyze the following events needed for $B$ to succeed:

E1: $B$ does not abort as a result of any of $A_I$'s secret value queries. For a key extraction query, the probability that $B$ does not abort is $\delta$. Under $q_K$ key extraction queries, the probability that $B$ does not fail is at least $\delta^{q_K}$.
E2: $A_I$ generates a valid and nontrivial aggregate signature forgery. It is easy to see that $\Pr[E2 \mid E1] \ge \epsilon$.
E3: Event E2 occurs, $coin_\pi = 0$ and $coin_i = 1$ for all $i = 1, \ldots, \pi - 1, \pi + 1, \ldots, n$. The probability that $B$ does not abort is at least $(1 - \delta)\delta^{n-1}$.

$B$ succeeds if all of these events happen. The probability $\Pr[E1 \wedge E2 \wedge E3]$ can be decomposed as
$$\Pr[E1 \wedge E2 \wedge E3] = \Pr[E1]\,\Pr[E2 \mid E1]\,\Pr[E3 \mid E1 \wedge E2] = (1 - \delta)\delta^{q_K + n - 1}\epsilon \ge \frac{\epsilon}{(q_K + n)e}.$$

Theorem 2. In the random oracle model, if there exists a Type-II adversary $A_{II}$ who has advantage $\epsilon$ in forging an aggregate signature of the proposed CCLAS scheme in an attack modeled by Game-II, running for a security parameter $\lambda$ and asking at most $q_P$ public key queries, $q_K$ secret key queries, $q_{H_2}$ queries to $H_2$, $q_{H_3}$ queries to $H_3$, $q_S$ Sign queries, $q_A$ SignAggr queries and $q_E$ extract signature queries, then the CDH problem in $G_1$ can be solved with advantage
$$\epsilon' \ge \frac{1}{(q_P + n)e}\,\epsilon.$$

Proof. Let $C$ receive a random instance $(P, aP, bP)$ of the CDH problem; it has to compute the value $abP$. $A_{II}$ is a Type-II adversary who interacts with $C$ as defined in Game-II. We show that $C$ can use $A_{II}$ to compute $abP$. First, $C$ selects a random $s \in \mathbb{Z}/q\mathbb{Z}$ as the master key, computes $P_{pub} = sP$, and selects the system parameters params $= (G_1, G_2, e, P, P_{pub}, H_1, H_2, H_3)$. $A_{II}$ has access to the master key $s$ and can obtain anyone's partial private key through the PartialKeyGen oracle. $A_{II}$ can perform the following queries in an adaptive manner. The response lists are initially empty.

- $H_2$ queries: Whenever $A_{II}$ queries $H_2(\omega_i)$, the same answer $P_{\omega_i}$ from the $H_2$-list is given if the request has been asked before. Otherwise, $C$ selects a random $c_i \in \mathbb{Z}/q\mathbb{Z}$, computes $P_{\omega_i} = c_i aP$, adds $(\omega_i, P_{\omega_i}, c_i)$ to the $H_2$-list and answers with $P_{\omega_i}$.
- $H_3$ queries: Whenever $A_{II}$ issues a query $H_3(m_i, ID_i, \omega_i)$, the same answer $h_i$ from the $H_3$-list is given if the request has been asked before. Otherwise, $C$ selects a random $d_i \in \mathbb{Z}/q\mathbb{Z}$, computes $h_i = d_i P$, adds $(\omega_i, m_i, ID_i, h_i, d_i)$ to the $H_3$-list and returns $h_i$ as the answer.

- Public key queries (PK-queries): On receiving a public key query, the same answer from the PK-list is given if the request has been asked before. Otherwise, $C$ first selects $x_i \in \mathbb{Z}/q\mathbb{Z}$ and flips a coin $coin_i \in \{0,1\}$ that yields 1 with probability $\delta$ and 0 with probability $1 - \delta$. If $coin_i = 1$, $C$ returns $P_i = x_i bP$ and adds $(ID_i, x_i, P_i, coin_i)$ to the PK-list; otherwise, $C$ computes $P_i = x_i P$, returns $P_i$ as the answer and adds $(ID_i, x_i, P_i, coin_i)$ to the PK-list.
- Secret value queries: On receiving a secret value query, $C$ first makes a $PK(ID_i)$ query and searches for the tuple $(ID_i, x_i, P_i, coin_i)$ in the PK-list. If $coin_i = 1$ then $C$ aborts; otherwise, $C$ returns $x_i$ as the answer.
- Sign queries: On receiving a sign query IndiSign$(\omega_i, m_i, ID_i, P_i)$, where $P_i$ denotes the public key chosen by $A_{II}$, $C$ first makes $H_2(\omega_i)$ and $PK(ID_i)$ queries, then searches for the tuple $(\omega_i, P_{\omega_i}, c_i)$ in the $H_2$-list and the tuple $(ID_i, x_i, P_i, coin_i)$ in the PK-list. $C$ generates the signature $\sigma$ as follows:
  1) If $coin_i = 0$, $C$ generates the individual signature $\sigma_i = (R_i, S_i)$ with the IndiSign algorithm, since it knows the user's full signing key, and outputs $\sigma_i = (R_i, S_i)$ as the answer.
  2) If $coin_i = 1$, $C$ randomly picks $r_i \in \mathbb{Z}/q\mathbb{Z}$, computes $R_i = r_i P - (c_i x_i / d_i)\, bP$ and $h_i = d_i aP$, computes $S_i = r_i P_{\omega_i} + sH_1(ID_i)$, and outputs the signature $\sigma_i = (R_i, S_i)$ as the answer.

Forgery. Finally, $A_{II}$ returns a set $U$ of $n$ users with identities $ID_1, \ldots, ID_n$ and corresponding public keys $P_1, \ldots, P_n$, a state string $\omega^*$ and a forged aggregate signature $\sigma^* = (R^*, S^*)$. It is required that there exists $\pi \in [1, n]$ such that $A_{II}$ has not asked for the partial private key of $ID_\pi$. In addition, the aggregate signature $\sigma^*$ should satisfy the verification equation:
$$e(P, S^*) = e(R^*, P_{\omega^*})\, e\Big(P_{pub}, \sum_{i=1}^{n} Q_i\Big) \prod_{i=1}^{n} e(P_i, h_i) \qquad (3)$$
where $h_i = H_3(m_i, ID_i, \omega^*)$ and $P_{\omega^*} = H_2(\omega^*)$.
$C$ sets $P_\pi = x_\pi bP$ and $P_{\omega^*} = c_i aP$, and for all $i \in [1, \ldots, n]$, $i \ne \pi$, sets $h_i = d_i P$. Hence, $C$ can compute
$$abP = \frac{S^* - \sum_{i=1, i \ne \pi}^{n} (d_i P_\omega + sQ_i + x_i R_i) - sQ_\pi - x_\pi R_\pi}{d_\pi c_i}. \qquad (4)$$

Now we determine the probability $\epsilon'$ that $C$ solves the given instance of the CDH problem. We analyze the following events needed for $C$ to succeed:

E1: $C$ does not abort as a result of any of $A_{II}$'s secret value queries.
E2: $A_{II}$ generates a valid and nontrivial aggregate signature forgery.
E3: Event E2 occurs, $coin_\pi = 1$ and $coin_i = 0$ for all $i = 1, \ldots, \pi - 1, \pi + 1, \ldots, n$.

$C$ succeeds if all of these events happen. The probability that $C$ succeeds is $\Pr[E1 \wedge E2 \wedge E3]$:
$$\Pr[E1 \wedge E2 \wedge E3] = \Pr[E1]\,\Pr[E2 \mid E1]\,\Pr[E3 \mid E1 \wedge E2] = (1 - \delta)\delta^{q_P + n - 1}\epsilon \ge \frac{1}{(q_P + n)e}\,\epsilon.$$

6 Conclusion

We proposed a certificateless aggregate signature scheme that supports compact full aggregation, whose signature size is the same as that of any individual signature. We presented the security model for unforgeability under two adversary models. The proposed scheme has been proven existentially unforgeable under adaptive chosen-message attacks in the random oracle model. It is an interesting open issue to achieve both a fixed signature size and a constant number of pairing operations in certificateless aggregate signature schemes.

Acknowledgments

This work was supported by the National Natural Science Foundation of China under Grant , and , and by the Guangdong Natural Science Foundation under Grant S.

References

[1] S. Al-Riyami and K. Paterson, "Certificateless public key cryptography," in ASIACRYPT '03, LNCS 2894, Springer-Verlag.
[2] D. Boneh, D. Gentry, B. Lynn, and H. Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps," in Eurocrypt '03, LNCS 2656, Springer-Verlag.
[3] C. Gentry and Z. Ramzan, "Identity-based aggregate signatures," in PKC '06, LNCS 3958, Springer-Verlag.
[4] Z. Gong, Y. Long, X. Hong, and K. Chen, "Two certificateless aggregate signatures from bilinear maps," in SNPD '07.
[5] X. Huang, Y. Mu, W. Susilo, D. Wong, and W. Wu, "Certificateless signature revisited," in ACISP '07, LNCS 4586, Springer-Verlag.
[6] X. Huang, W. Susilo, Y. Mu, and F. Zhang, "On the security of a certificateless signature scheme," in CANS '05, LNCS 3810, Springer-Verlag.
[7] J. Y. Hwang, D. H. Lee, and H. Yung, "Universal forgery of the identity-based sequential aggregate signature scheme," in ASIACCS '09, 2009.

8 International Journal of Network Security, Vol.16, No.3, PP , May [8] D. Lu, R. Ostrovsky, A. Sahai, H. Shacham, and B. Waters, Sequential aggregate signatures and multisignatures without random oracles, in Advances in Cryptology - Eurocrypt 06, pp , [9] A. Lysyanskaya, S. Micali, L. Reyzin, and H. Shacham, Sequential aggregate signatures from trapdoor permutations, in Advances in Cryptology - Eurocrypt 04, LNCS 3027, pp , Springer- Verlag, [10] F. Marc, L. Anja, and S. Dominique, History-free sequential aggregate signatures, in SCN 12, LNCS 7845, pp , Springer-Verlag, [11] Y. Mu, W. Susilo, and H. Zhu, Compact sequential aggregate signatures, in SAC 07, pp , ACM, [12] S. S. D. Selvi, S. S. Vivek, J. Shriram, S. Kalaivani, and C. P. Rangan, Security analysis of aggregate signature and batch verification signature schemes, [13] A. Shamir, Identity-based cryptosystems and signature schemes, in Advances in Cryptology - Crypto 84, LNCS 196, pp , Springer-Verlag, [14] Z. Wang, H. Chen, D. Ye, and Q. Wu, Practical identity-based aggregate signature scheme from bilinear maps, Journal of Shanghai Jiaotong University, vol. 13, no. 6, pp , [15] Y. Wen and J. Ma, An aggregate signature scheme with constant pairing operations, in CSSE 08, pp , [16] Y. Wen, J. Ma, and H. Huang, An aggregate signature scheme with specified verifier, Chinese Journal of Electrnics, vol. 20, no. 2, pp , [17] Y. Yu, X. Zheng, and H. Sun, An identity based aggregate signature scheme with pairing, Journal of Networks, vol. 6, no. 4, pp , [18] L. Zhang, B. Qin, Q. Wu, and F. Zhang, Efficient many-to-one authentication with certificateless aggregate signature, Computer Network, vol. 54, no. 14, pp , [19] L. Zhang and F. Zhang, Security model for certificateless aggregate signature schemes, in CIS 08, pp , [20] L. Zhang and F. Zhang, A new certificateless aggregate signature scheme, Computer Communications, vol. 32, no. 1, pp , [21] L. Zhang, F. Zhang, and F. 
Zhang, New efficient certificateless signature scheme, in EUC 07, LNCS 4809, pp , Springer-Verlag, [22] M. Zhang, J. Yao, C. Wang, and T. Takagi, Public key replacement and universal forgery of a scls scheme, International Journal of Network Security, vol. 15, no. 1, pp , Min Zhou is an associate professor at College of Information, South China Agriculutral University. Her research interests focus on Security Multiparty Computation and Network Security. Mingwu Zhang is now working at Hubei University of Technology. He is a senior member of Chinese Computer Federation, a senior member of Chinese Association for Cryptologic Research(CACR), and a member of IEEE Computer Society. His research interests include Network and Information Security. Chunzhi Wang, Ph.D, professor, and is currently working at School of Computer Science and Engineering, Hubei University of Technology. Her research interests focus on Network Protocol and System Security. Bo Yang received his B. S. degree from Peking University in 1986, and the M. S. and Ph. D. degrees from Xidian University in 1993 and 1999, respectively. He is currently a professor and supervisor of Ph.D. at School of Computer Science, Shaanxi Normal University. He is a senior member of Chinese Institute of Electronics (CIE), a member of specialist group on information security in Ministry of Information Industry of China and a member of specialist group on computer network and information security in Shanxi Province. His research interests include Information Theory and Cryptography.

More information

Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

More information

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

More information

Digital Signatures. What are Signature Schemes?

Digital Signatures. What are Signature Schemes? Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

More information

Unified Public Key Infrastructure Supporting Both Certificate-based and ID-based Cryptography

Unified Public Key Infrastructure Supporting Both Certificate-based and ID-based Cryptography 2010 International Conference on Availability, Reliability and Security Unified Public Key Infrastructure Supporting Both Certificate-based and ID-based Cryptography Byoungcheon Lee Dept. of Information

More information

Batch Decryption of Encrypted Short Messages and Its Application on Concurrent SSL Handshakes

Batch Decryption of Encrypted Short Messages and Its Application on Concurrent SSL Handshakes Batch Decryption of ncrypted Short Messages and Its Application on Concurrent SSL Handshakes Yongdong Wu and Feng Bao System and Security Department Institute for Infocomm Research 21, Heng Mui Keng Terrace,

More information

Group Blind Digital Signatures: Theory and Applications by Zulækar Amin Ramzan Submitted to the Department of Electrical Engineering and Computer Science in partial fulællment of the requirements for the

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10

Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10 with Embedding Degree 10 University of California, Berkeley, USA ANTS-VII, 2006 Outline 1 Introduction 2 The CM Method: The Basic Construction The CM Method: Generating Families of Curves 3 Outline 1 Introduction

More information

Group Security Model in Wireless Sensor Network using Identity Based Cryptographic Scheme

Group Security Model in Wireless Sensor Network using Identity Based Cryptographic Scheme Group Security Model in Wireless Sensor Network using Identity Based Cryptographic Scheme Asha A 1, Hussana Johar 2, Dr B R Sujatha 3 1 M.Tech Student, Department of ECE, GSSSIETW, Mysuru, Karnataka, India

More information

Efficient on-line electronic checks

Efficient on-line electronic checks Applied Mathematics and Computation 162 (2005) 1259 1263 www.elsevier.com/locate/amc Efficient on-line electronic checks Wei-Kuei Chen Department of Computer Science and Information Engineering, Ching-Yun

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

A Secure and Efficient Conference Key Distribution System

A Secure and Efficient Conference Key Distribution System ********************** COVER PAGE ********************** A Secure and Efficient Conference Key Distribution System (Extended Abstract) Mike Burmester Department of Mathematics Royal Holloway University

More information

Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model

Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model Informatica 3 (008) 07 11 07 Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model Yanli Ren and Dawu Gu Dept. of Computer Science and Engineering Shanghai Jiao Tong University

More information

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University Implementation and Comparison of Various Digital Signature Algorithms -Nazia Sarang Boise State University What is a Digital Signature? A digital signature is used as a tool to authenticate the information

More information

The Exact Security of Digital Signatures How to Sign with RSA and Rabin

The Exact Security of Digital Signatures How to Sign with RSA and Rabin Appears in Advances in Cryptology Eurocrypt 96 Proceedings, Lecture Notes in Computer Science Vol. 1070, U. Maurer ed., Springer-Verlag, 1996. The Exact Security of Digital Signatures How to Sign with

More information

Message Authentication Code

Message Authentication Code Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

More information