Cryptanalysis on Du-Wen Certificateless Short Signature Scheme

Cryptanalysis on Du-Wen Certificateless Short Signature Scheme C.I. Fan, R.H. Hsu, and P.H. Ho Joint Workshop on Information Security Presenter: Yu-Chi Chen



Outline.

• Review of Hu et al.’s paper

• Review of Du and Wen’s CLS scheme

• Fan et al.’s improved CLS scheme

• Conclusion


Review of Hu et al.’s paper

• Hu et al.’s remedy:

– The public key is inserted into the partial-private-key.


• Hu et al.’s remedy:

– Achieving level-3 security.

– KGC does not know any user's secret value and cannot act as any user by generating a false partial private key without being detected.


Review of DW CLS scheme

• This scheme was presented by Chun-Yen Lee on 2009/12/29.

– Title: Efficient and provably-secure certificateless short signature scheme from bilinear pairings

– From: Computer Standards & Interfaces (IF:1.074 42/86)

– Author: Hongzhen Du, Qiaoyan Wen


112/04/21 7

An efficient CLS scheme (1/9)

• This scheme

– Setup:

– Partial-Private-Key-Extract:

– Set-Secret-Value:

– Set-Private-Key:

– Set-Public-Key:

– CL-Sign:

– CL-Verify:


An efficient CLS scheme (2/9)

• Setup: KGC

– security parameter $l$

– $G_1$ and $G_2$ (same prime order $q > 2^l$)

– $P$ is a generator of group $G_1$

– $g = e(P, P)$

– $H_1: \{0,1\}^* \to Z_q^*$, $H_2: \{0,1\}^* \times G_1 \to Z_q^*$


An efficient CLS scheme (3/9)

– $s \in Z_q^*$ (system master key)

– Computes public key $P_{pub} = sP \in G_1$

– KGC publishes the system list params:

$\{l, G_1, G_2, e, q, P, g, P_{pub}, H_1, H_2\}$


An efficient CLS scheme (4/9)

• Partial-Private-Key-Extract:

– KGC: $Q_{ID} = H_1(ID)$, $d_{ID} = \frac{1}{s + Q_{ID}} P$

– KGC → user (Secure channel?): $d_{ID}$

– user: $e(d_{ID}, P_{pub} + Q_{ID} P) = g$

– $T = P_{pub} + Q_{ID} P$


An efficient CLS scheme (5/9)

• Set-Secret-Value:

– $r \in Z_q^*$ (secret value)

• Set-Private-Key:

– $(d_{ID}, r)$ (private key)

• Set-Public-Key:

– $pk_{ID} = r(P_{pub} + Q_{ID} P) = rT$


An efficient CLS scheme (6/9)

• CL-Sign:

– $m \in \{0,1\}^*$

– Sets $h = H_2(m, pk_{ID})$

– Computes $S = \frac{1}{r + h} d_{ID} = \frac{1}{(r + h)(s + Q_{ID})} P$


An efficient CLS scheme (7/9)

• CL-Verify:

– Computes $h = H_2(m, pk_{ID})$

– $Ver(params, m, ID, pk_{ID}, S) = 1 \iff e(S, pk_{ID} + hT) = g$


An efficient CLS scheme(9/9)


Fan et al.’s improved CLS scheme

• Fan et al. propose an improved CLS scheme based on the DW scheme.

• This scheme requires no more computation than the DW scheme, but its public key needs two components [pk, pk’].


FHH scheme (1/9)

• This scheme, as in the DW scheme

– Setup:

– Partial-Private-Key-Extract:

– Set-Secret-Value:

– Set-Private-Key:

– Set-Public-Key:

– CL-Sign:

– CL-Verify:


FHH scheme (2/9)

• Setup: KGC

– security parameter $l$

– $G_1$ and $G_2$ (same prime order $q > 2^l$)

– $P$ is a generator of group $G_1$

– $g = e(P, P)$

– $H_1: \{0,1\}^* \to Z_q^*$, $H_2: \{0,1\}^* \times G_1 \to Z_q^*$


FHH scheme (3/9)

– $s \in Z_q^*$ (system master key)

– Computes public key $P_{pub} = sP \in G_1$

– KGC publishes the system list params:

$\{l, G_1, G_2, e, q, P, g, P_{pub}, H_1, H_2\}$


FHH scheme (4/9)

• Partial-Private-Key-Extract:

– KGC: $Q_{ID} = H_1(ID)$, $d_{ID} = \frac{1}{s + H_1(pk'_{ID}) + Q_{ID}} P$

– KGC → user (Secure channel): $d_{ID}$


FHH scheme (5/9)

• Set-Secret-Value:

– $r \in Z_q^*$ (secret value)

• Set-Private-Key:

– $(d_{ID}, r)$ (private key)

• Set-Public-Key:

– $pk_{ID} = r(P_{pub} + Q_{ID} P) = rT$, $pk'_{ID} = rP$


FHH scheme (6/9)

• CL-Sign:

– $m \in \{0,1\}^*$

– Sets $h = H_2(m, pk_{ID})$

– Computes $S = \frac{1}{r + h} d_{ID} = \frac{1}{(r + h)(s + H_1(pk'_{ID}) + Q_{ID})} P$


FHH scheme (7/9)

• CL-Verify:

– Computes $h = H_2(m, pk_{ID})$

– $Ver(params, m, ID, pk, S) = 1 \iff e(S, pk_{ID} + H_1(pk'_{ID}) pk'_{ID} + h(T + H_1(pk'_{ID}) P)) = g$
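An added example, not part of the original slides: a toy algebra check of the FHH verification equation, with the DW scheme as the case where the H1(pk'ID) term is absent. It assumes a scalar model in which the G1 element aP is stored as a mod q and the pairing as multiplication of exponents, so it checks the equations only and is not a pairing implementation; the function names, the SHA-256 stand-in for H1/H2 and the value of q are assumptions made for the demo.

```python
import hashlib
import secrets

# Toy algebra model (assumption, not a real pairing): the G1 element aP is stored
# as the scalar a mod q, and e(aP, bP) = g^(ab) as the exponent ab mod q.
Q = 2**127 - 1        # prime group order q, constructed for the demo
P = G = 1             # generator P and g = e(P, P) in the toy model

def H(tag, *parts):
    """Stand-in for H1/H2, mapped into Z_q^*."""
    digest = hashlib.sha256(repr((tag, parts)).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def bind(pk2, fhh):
    """FHH inserts H1(pk'_ID) into the partial private key; DW has no such term."""
    return H("H1", pk2) if fhh else 0

def extract(s, ident, pk2, fhh):
    # d_ID = 1/(s + H1(pk'_ID) + Q_ID) P
    return pow((s + bind(pk2, fhh) + H("H1", ident)) % Q, -1, Q)

def keygen(ppub, ident, r):
    T = (ppub + H("H1", ident) * P) % Q        # T = P_pub + Q_ID P
    return r * T % Q, r * P % Q                # (pk_ID, pk'_ID) = (rT, rP)

def sign(d, r, m, pk):
    h = H("H2", m, pk)
    return pow((r + h) % Q, -1, Q) * d % Q     # S = 1/(r+h) d_ID

def verify(ppub, ident, m, pk, pk2, S, fhh):
    h, b = H("H2", m, pk), bind(pk2, fhh)
    T = (ppub + H("H1", ident) * P) % Q
    # e(S, pk + H1(pk')pk' + h(T + H1(pk')P)) == g; with b = 0 this is DW's check
    return S * (pk + b * pk2 + h * (T + b * P)) % Q == G

def demo(fhh):
    s, r, r2 = (secrets.randbelow(Q - 1) + 1 for _ in range(3))
    ppub = s * P % Q
    pk, pk2 = keygen(ppub, "alice", r)
    d = extract(s, "alice", pk2, fhh)           # issued for this pk'_ID
    ok = verify(ppub, "alice", b"m", pk, pk2, sign(d, r, b"m", pk), fhh)
    # Same d_ID paired with a different secret value, hence a different public key
    pk_b, pk2_b = keygen(ppub, "alice", r2)
    other = verify(ppub, "alice", b"m", pk_b, pk2_b, sign(d, r2, b"m", pk_b), fhh)
    return ok, other
```

`demo(True)` and `demo(False)` each return a pair: whether an honest signature verifies, and whether the same dID still verifies under a public key built from a different secret value. The second entry differs between the two schemes because only the FHH partial private key contains H1(pk'ID).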
