A New Identity-based Proxy Blind Signature Scheme

A New Identity-based Proxy Blind Signature Scheme

Junjie He, Chuanda Qi, and Fang Sun2012 IEEE International Conference on

Information Science and Technology

Presenter:陳昱安Date:2013/12/09

Outline

• Introduction• Preliminaries• ID-based proxy blind signature scheme• Analysis of the proposed scheme• Conclusion

2

Outline


3

Introduction(1/2)

4

Proxy blind signature

Identity-based cryptography

ID-based proxy blind signature

Introduction(2/2)

5

• The new scheme satisfies strong unforgeability, nonrepudiation, blindness and unlinkability, etc..

• Moreover, compared with other identity-based proxy blind signature schemes, the scheme has better computational efficiency and less traffic.

Outline


6

Preliminaries

• Bilinear pairings • Computational problems• Discrete Logarithm Problem (DLP)• Diffie-Hellman Problem (DHP)

• Security requirements of proxy blind signature• Distinguishability• Verifiability• Undeniability• Identifiability• Unforgeability• Unmisusability• Blindness• Unlinkability

7

Outline


8

ID-based proxy blind signature scheme (1/7)

Setup Extract Proxy Delegation

Proxy Blind Signature

Issuing ProtocolVerification

9


10

We assume there is a trusted key generation center (KGC) that establishes the identity-based cryptosystem and generates private keys for users.


11

• Setup KGC selects a prime q, two groups G1 and G2 , generator P of G1, and a bilinear pairing e:G1 ×G1 →G2. It also specifies two hash functions H1:→G1 and H2 :→ . KGC picks a master private key s at random andsets his public key Ppub = sP .

That is to say, the system parameters are {G1, G2, q, P, Ppub, H1, H2}.


12

• ExtractFor a given public identity information of user u.

KGC computes , , and sends to user u.

After received , User u checks .


13

• Proxy Delegation(1) First, the original signer A generates proxy warrant .(2) The original signer A selects randomly, computes , , .(3) A send to the proxy signer B.(4) After received , B computes and checks . If it is correct, B accepts the delegation, and computes the proxy secret key . Responding proxy public key is .


14

• Proxy Blind Signature Issuing ProtocolFor given message m :(1) The proxy signer B selects randomly, computes , and

send to the message owner C.(2) After received , C selects randomly, computes , ,

, and send to the proxy signer B.(3) After received, B computes , and send to the message

owner C.(4) After received , C computes . Finally, the proxy blind signature of message m is .


15

• Verification(1) Given a proxy blind signature , the receiver gets the

original signer A and proxy signer B's identity IDi, i=A,B from the proxy warrant .

(2) Computes their public key ,i=A,B ,and generates the proxy public key , where .

(3) Then computes , and checks .

Outline


16

Analysis of the proposed scheme(1/9)

17

• Correctness


18

• Security(1) Distinguishability On the one hand, the proxy warrant is included in proxy blind signature .

On the other hand, the proxy public key includes the original signer A’s public key and the proxy signer B’s public key .


19

(2) VerifiabilityThe proxy blind signature includes the proxy warrant .

(3) UndeniabilityThe proxy secret key .The original signer A does not know the proxy signer B’s private key, so only B knows the proxy secret key .


20

(4) Identifiability The proxy blind signature contains the proxy warrant , which includes the identity information of the original signer A and proxy signer B.

(5) UnforgeabilityWe analyze the unforgeability of the proposed scheme through the following four aspects.


21

• First, the attacker can not get the master secret key. Ppub = sP (DLP on G1 )

• Second, the attacker can‘t get user’s private key. (CDHP on G1)

• Third, the attacker can’t get the proxy secret key. = s .


22

• Fourth, the scheme can resist against the universal forgery attack.

Attacker forge the proxy blind signature proxy public key the attacker selects G1 randomly. (CDHP on G1)


23

the attacker select G1 randomly.compute via (DLP and inverse of hash function)

(6) Unmisusability The proxy warrant includes the valid period of delegation, and possible other restrictions on the signing capability delegated to the proxy signer.

With the proxy private/public key pair, the proxy signer cannot sign messages which have not been authorized by the original signer.


24

(7) Blindness The proxy signer B signs which is the result of transformation with hash function and blind factorsby the message owner C.

(8) UnlinkabilityThe proxy blind signature of message m is .The proxy signer B selects a intermediate result randomly.B can compute , but can’t compute by or . (DLP on G1)


25

• Efficiencypairing operation(Pa)point scalar multiplication on G1 (Pm)exponentiation in G2 (Pe)division in (Div)

Outline


26

Conclusion

• We proved its correctness and analyzed the security and computational performance.

• Analysis shows that the proposed scheme not only satisfies strong unforgeability, non-repudiation, blindness and unlinkability and other security requirements, but also has better computational efficiency and less traffic.

27

A New Identity-based Proxy Blind Signature Scheme

Documents

Transcript of A New Identity-based Proxy Blind Signature Scheme