A pairing-free key-insulated certificate-based signature scheme with provable security

  • Xiong, Hu (School of Computer Science and Engineering, University of Electronic Science and Technology of China) ;
  • Wu, Shikun (School of Computer Science and Engineering, University of Electronic Science and Technology of China) ;
  • Geng, Ji (School of Computer Science and Engineering, University of Electronic Science and Technology of China) ;
  • Ahene, Emmanuel (School of Computer Science and Engineering, University of Electronic Science and Technology of China) ;
  • Wu, Songyang (Third Research Institute, Ministry of Public Security) ;
  • Qin, Zhiguang (School of Computer Science and Engineering, University of Electronic Science and Technology of China)
  • Received : 2014.10.02
  • Accepted : 2015.01.21
  • Published : 2015.03.31

Abstract

Certificate-based signature (CBS) combines the advantages of both public key-based signature (PKS) and identity-based signature (IBS) while avoiding the drawbacks of each. When CBS is deployed insecurely in a hostile environment, exposure of the signing key is usually unavoidable. To resist the threat of key leakage, we present a pairing-free key-insulated CBS scheme that incorporates the key-insulation mechanism into CBS. Our scheme eliminates the costly pairing operations and therefore outperforms the existing key-insulated CBS schemes, which makes it more suitable for low-power devices. Furthermore, the unforgeability of our scheme has been formally proven to rest on the discrete logarithm assumption in the random oracle model.

1. Introduction

The digital signature, the counterpart of the ink signature in the electronic world, can be used to authenticate a digital message or document. A valid signature provides sufficient evidence for a receiver to believe that the message or document was indeed issued by the claimed signer [1]. The digital signature was originally introduced in traditional asymmetric cryptography. In this setting, a certificate generated by a trusted certificate authority (CA) is needed to bind the public key (usually an unreadable random string) to the identity of the signer [2-4]. The extremely expensive overhead of certificate generation, distribution and revocation impedes the wide adoption of digital signatures in government affairs, financial transactions and software distribution. To lower the cost of certificate maintenance in traditional public key cryptography (PKC), Shamir [5] creatively put forward the notion of the identity-based (ID-based) cryptosystem. In an ID-based cryptosystem, the certificates of traditional PKC are no longer needed, because the public key of the signer can be derived effortlessly from the signer's known identity information (phone number, email address and so on). For this reason, digital signatures have been studied extensively in ID-based cryptosystems [6-8]. However, the merits of the ID-based cryptosystem come with the notorious key escrow problem: the private key of the signer is generated by a fully trusted private key generator (PKG) from his/her identity, so the PKG can impersonate every signer in the system without being detected or punished.

By incorporating the basic ideas of both the ID-based cryptosystem and conventional PKC, certificate-based cryptography (CBC) [9] has been suggested as a way to avoid the disadvantages of each. In CBC, the public and private key pair of the user is generated by the user himself/herself, and a certificate for the public key is requested from the CA. On one hand, the certificate guarantees the binding between the user and his/her public key, as in traditional PKC. On the other hand, the certificate in CBC also acts as part of the user's private key, so that a cryptographic operation such as signing or decrypting can only be performed with the user's private key and certificate together. Featuring implicit certification, CBC removes the need for the third-party queries of traditional PKC and thus simplifies the complex certificate management. Also, CBC does not inherit the key escrow problem of the ID-based cryptosystem, because the private key is generated and kept by the user himself/herself. Certificate-based signature (CBS) [10-14], the combination of digital signature and CBC, has naturally been investigated.

Exposure of the private key can be disastrous when CBS is deployed insecurely in a hostile environment. In light of this, key-insulated CBS [15-16] has been proposed. In the key-insulated mechanism, the life cycle of the user's private key is partitioned into time periods. The private key of the user evolves from one time period to the next with the aid of a physically secure device (the helper), while the public key of the user stays fixed for the whole lifetime. As a result, the compromise of the private key in some time periods does not affect the security of the private key in the other time periods. The first concrete key-insulated CBS scheme [17] was proposed recently and relies on the costly bilinear pairing operation [18,19]. Hence, the construction of a pairing-free key-insulated CBS with a formal security proof is still an interesting and challenging problem.

In this paper, a pairing-free key-insulated CBS scheme is presented. Our scheme eliminates the costly pairing operations and therefore outperforms the existing key-insulated CBS schemes, which makes it more suitable for low-power devices. Furthermore, the unforgeability of our scheme is formally proven under the discrete logarithm assumption in the random oracle model [20].

2. Preliminaries

In this section, we review the formal definition of CBS scheme and the building blocks of our scheme.

2.1 Mathematical Assumption

Definition 1. (Discrete Logarithm (DL) Assumption) Given a group of prime order p with a generator P, the DL problem is to compute x ∈ given a random element Q ∈ such that Q = xP. The DL assumption states that no adversary can solve the DL problem in with non-negligible probability.

2.2 Modeling key-insulated CBS

According to [17], a key-insulated CBS scheme involves a CA and a signer equipped with a helper, and consists of the following eight algorithms: Setup, UserKeyGen, CertGen, SetInitialKey, UpdH, UpdS, Sign, and Verify.

2.3 Security definitions

Motivated by the security models for key-insulated signature in traditional PKI [15,16], ID-based cryptosystems [21,22], and certificate-based signature [12-14], Li et al. [17] formalized the security model for key-insulated CBS schemes as follows. Two types of adversaries, the type I adversary 1 and the type II adversary 2, together with two security games, are considered to capture the attacks launched by an outside attacker and by a malicious CA respectively. 1 is an outsider who wants to forge a valid signature and is able to replace public keys. The restriction on 1 is that it cannot access the master secret key and cannot obtain the certificate of a replaced public key. 2 models the malicious CA as an adversary who wants to forge a valid signature using the master secret key. The restriction on 2 is that it cannot replace the public key of the target user. The security games against 1 and 2 are described as follows.

Game I (for the adversary 1):

Setup: In this phase, the Setup algorithm is run by the challenger C. After that, params will be sent to 1 and msk will be kept by C itself secretly.

Queries: C will answer the adaptive queries issued by 1 as follows.

Forgery: 1 outputs a signature σ* on message m* in time period t* under the identity ID* and public key . We say that 1 wins the game if: (a) Verify(params, (t*, σ*), m*, ID*, ) = 1; (b) {ID*, } has never been submitted to the Certification query; (c) {ID*, t*} has never been submitted to the Temporary secret key query; (d) {ID*, , m*, t*} has never been submitted to the Sign query.

Game II: (for the adversary 2)

Setup: In this phase, the Setup algorithm is run by the challenger C. After that, params and msk will be sent to 2.

Queries: As in Game I, the UserKeyGen, Corruption, Temporary secret key and Sign oracles can be queried adaptively by 2 in this phase. Unlike Game I, the Certification oracle no longer needs to be queried, because 2 holds the master secret key itself. In addition, the ReplacePK oracle cannot be accessed by 2.

Forgery: 2 outputs a signature σ* on message m* in time period t* under the identity ID* and public key . We say that 2 wins the game if: (a) Verify(params, (t*, σ*), m*, ID*, ) = 1; (b) ID* has never been submitted to the Corruption query; (c) {ID*, t*} has never been submitted to the Temporary secret key query; (d) {ID*, , m*, t*} has never been submitted to the Sign query.

Definition 2. We say that a key-insulated CBS scheme achieves existential unforgeability against adaptively chosen-message attacks iff no adversary can win either Game I or Game II with non-negligible probability.

3. Our Proposed Scheme

In this section, the concrete construction of our key insulated CBS scheme is presented based on the idea in [14,21].

If it holds, accept the signature; else reject it.

4. Analysis of our scheme

4.1 Security analysis

In this section we show that the unforgeability of our key-insulated CBS scheme against chosen-message attacks rests on the discrete logarithm assumption.

Theorem 1. (Unforgeability against adversary 1) If a Type I adversary 1 succeeds in forging a valid key-insulated CBS in Game I defined in Section 2.3, then the DL problem can be solved. More precisely, if a Type I adversary 1 has advantage ε in forging a certificate-based signature in Game I defined in Section 2.3 while making qHi (i = 0, 1, 2, 3) queries to the Hi oracles, qu queries to the UserKeyGen oracle, qcert queries to the Certification oracle, qr queries to the ReplacePK oracle, qcor queries to the Corruption oracle, qt queries to the Temporary secret key oracle, and qs queries to the Sign oracle, then the discrete logarithm problem can be solved with probability .

Proof. The basic idea of our security proof, borrowed from [14,17], is that the simulator C uses the type I adversary 1 as a subroutine to solve the DL problem. C is given a tuple {p, E/p, , P} according to the definition in [23]. The task of C is to find α ∈R given Y = αP.

Setup: C chooses four hash functions H0 : {0,1}* → , H1 : {0,1}* → , H2 : {0,1}* → and H3 : {0,1}* → , and sends the system parameters params = {p, E/p, , P, Y, H0, H1, H2, H3} to 1. C simulates these four hash functions as random oracles and keeps α secret.

Queries: Seven initially empty lists and L are maintained by C to keep the simulation consistent. C also chooses a random index j with 1 ≤ j ≤ qH0, where qH0 is the maximum number of times 1 may query the oracle H0. C then sets IDj = ID*, where IDj is the identity in the j-th query to the oracle H0. Finally, C answers the adaptive queries issued by 1 as follows.

H0 oracle: Given a tuple (IDi, upkIDi, WIDi) as the query, C first searches the list H0 to check whether H0 has already been defined on this tuple. If not, C chooses hi0 ∈ at random as the hash value of (IDi, upkIDi, WIDi) and inserts the item (IDi, upkIDi, WIDi, hi0) into the list H0; otherwise C does nothing. In both cases, hi0 is returned as the answer.

H1 oracle: Given a tuple (TIDi, IDi, upkIDi, WIDi) as the query, C first searches the list H1 to check whether H1 has already been defined on this tuple. If not, C chooses hi1 ∈ at random as the hash value of (TIDi, IDi, upkIDi, WIDi) and inserts the item (TIDi, IDi, upkIDi, WIDi, hi1) into the list H1; otherwise C does nothing. In both cases, hi1 is returned as the answer.

H2 oracle: Given a tuple (TIDi, IDi, upkIDi, WIDi, t) as the query, C first searches the list H2 to check whether H2 has already been defined on this tuple. If not, C chooses hi2 ∈ at random as the hash value of (TIDi, IDi, upkIDi, WIDi, t) and inserts the item (TIDi, IDi, upkIDi, WIDi, t, hi2) into the list H2; otherwise C does nothing. In both cases, hi2 is returned as the answer.

H3 oracle: Given a tuple (m, t, TIDi, IDi, upkIDi, WIDi, U) as the query, C first searches the list H3 to check whether H3 has already been defined on this tuple. If not, C chooses hi3 ∈ at random as the hash value of (m, t, TIDi, IDi, upkIDi, WIDi, U) and inserts the item (m, t, TIDi, IDi, upkIDi, WIDi, U, hi3) into the list H3; otherwise C does nothing. In both cases, hi3 is returned as the answer.

1. If i ≠ j, C scans the list M to check whether the certificate associated with (IDi, upkIDi) has already been created. If not, C chooses hi0, dIDi ∈ at random and computes WIDi = dIDiP - hi0Y. C then searches the list H0 to check whether the item (IDi, upkIDi, WIDi) already exists. If so, C re-chooses hi0, dIDi ∈ to avoid a collision; otherwise C inserts (IDi, upkIDi, WIDi, hi0) into the list H0 and (IDi, upkIDi, WIDi, dIDi) into the list M. In both cases, C then returns (WIDi, dIDi) as the answer.

2. If i = j, the simulation is aborted.

Forgery: Finally, 1 outputs a valid signature (z*, U*, WID*, TID*) on message m* on behalf of the identity ID* and the corresponding public key in time period t*. If ID* ≠ IDj, C aborts. Otherwise, by the forking lemma [24], C replays 1 with the same random tape and the same simulation of H1, H2 and H3 but a different choice of the hash function H0. After that, C obtains another valid signature (z', U*, WID*, TID*). From these two valid signatures, C obtains

and

According to the above two equations we observe that . It is obvious that the DL problem can be solved by C successfully.

This completes the description of the simulation, and it remains to analyze C's advantage. Define the event E1 as "C does not abort when answering oracle queries", the event E2 as "1 outputs a valid signature successfully", and the event E3 as "the identity of the forged signature output by 1 in the forgery phase is IDj". From the simulation we observe that , Pr[E2] = ε and . Thus, the success probability of C in solving the DL problem is .
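To make the two key steps of the simulation concrete, here is an added example (our own illustration, not code from the paper): answering a Certification query without α by setting W = dP - h0·Y and programming H0 on the resulting tuple, and extracting α from two forks that share the same randomness but receive different H0 outputs. It assumes a Schnorr-style certificate (W, d) that verifies as dP = W + H0(ID, upk, W)·Y, which the page does not spell out, and uses the secp256k1 curve in place of the paper's curve.

```python
# Added example, not code from the paper: how the simulator C in the proof of
# Theorem 1 answers a Certification query without the master secret alpha
# (W = dP - h0*Y, then program H0) and how two forks that differ only in the
# H0 output leak alpha.  Assumed (not on the page): a Schnorr-style certificate
# (W, d) valid iff d*P == W + H0(ID, upk, W)*Y.  Curve: secp256k1.
import hashlib
import secrets
P_MOD = 2**256 - 2**32 - 977                       # field prime of secp256k1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over F_p; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P_MOD) % P_MOD
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P_MOD) % P_MOD
    x = (lam * lam - A[0] - B[0]) % P_MOD
    return (x, (lam * (A[0] - x) - A[1]) % P_MOD)

def ec_mul(k, A):
    """Double-and-add scalar multiplication; k is reduced modulo the group order."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def h0(ID, upk, W, table=None):
    """H0(ID, upk, W) in Z_N; a programmed table entry (random-oracle simulation) wins."""
    key = (ID, upk, W)
    if table is not None and key in table:
        return table[key]
    data = ID.encode() + repr(upk).encode() + repr(W).encode()
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
    if table is not None:
        table[key] = h
    return h

def certgen_real(alpha, ID, upk):
    """The real CA (assumed form): W = wP, d = w + H0(ID, upk, W)*alpha mod N."""
    w = secrets.randbelow(N - 1) + 1
    W = ec_mul(w, G)
    return W, (w + h0(ID, upk, W) * alpha) % N

def certgen_simulated(Y, ID, upk, table):
    """Simulator without alpha (proof step 1): pick h, d at random, set
    W = dP - hY and program H0(ID, upk, W) := h, re-choosing on a collision."""
    while True:
        h, d = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
        W = ec_add(ec_mul(d, G), ec_mul(N - h, Y))          # dP + (-h)Y
        if (ID, upk, W) not in table:
            table[(ID, upk, W)] = h
            return W, d

def verify_cert(Y, ID, upk, W, d, table=None):
    """Certificate check: d*P == W + H0(ID, upk, W)*Y."""
    return ec_mul(d, G) == ec_add(W, ec_mul(h0(ID, upk, W, table), Y))

def extract_alpha(d1, h1, d2, h2):
    """Forking-lemma step: same W (same w) but H0 outputs h1 != h2 give
    d1 - d2 = (h1 - h2)*alpha, so alpha = (d1 - d2) / (h1 - h2) mod N."""
    return (d1 - d2) * pow(h1 - h2, -1, N) % N
```

The simulated certificate passes the same check as a real one only because the simulator controls the H0 table, which is exactly why the simulation must abort when the query concerns the target identity IDj.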

Theorem 2. (Unforgeability against adversary 2) If a Type II adversary 2 has advantage ε in forging a certificate-based signature in Game II defined in Section 2.3 while making qHi (i = 0, 1, 2, 3) queries to the Hi oracles, qu queries to the UserKeyGen oracle, qcert queries to the Certification oracle, qr queries to the ReplacePK oracle, qcor queries to the Corruption oracle, qt queries to the Temporary secret key oracle, and qs queries to the Sign oracle, then the discrete logarithm problem can be solved with probability .

The proof is similar to that of Theorem 1 and is omitted here.

Theorem 3. Our key insulated CBS scheme can offer secure key-updates.

This theorem follows from the fact that for any target identity IDi, public key upkIDi and time indices t and t', the update key UKID,t,t' can be derived from the temporary secret keys SIDi,t and SIDi,t'.

4.2 Performance evaluation

We compare our approach with Li et al.'s key-insulated CBS scheme [17] in terms of communication overhead and computation cost. To offer a security level equivalent to 1024-bit RSA in Li et al.'s pairing-based scheme, a Tate pairing defined on the supersingular elliptic curve E/p : y^2 = x^3 + x is adopted. Here, the embedding degree of the curve E/p is 2, q = 2^159 + 2^17 + 1 is a 160-bit Solinas prime, and p = 12qr - 1 is a 512-bit prime. To achieve a similar level of security for our pairing-free approach, the Koblitz elliptic curve y^2 = x^3 + ax^2 + b defined over the binary field of 2^163 elements can be used. Here, a = 11 and b is a randomly chosen 163-bit prime. The running times of the cryptographic operations listed in Table 1 were obtained with the standard cryptographic library MIRACL [25] on a PIV 3 GHz processor with 512 MB of memory running the Windows XP operating system [26].

Table 1. Cryptographic operation time in milliseconds

The computation and communication efficiency are evaluated using the method proposed in [27]. For example, the Verify algorithm of Li et al.'s scheme [17] needs five pairing operations, so its computation time is 5 × 20.01 = 100.05 ms. The signature of Li et al.'s scheme [17] consists of three points in the pairing-based group, so its bandwidth is 512 × 3/8 = 192 bytes. The comparison results listed in Table 2 show that our scheme outperforms the existing key-insulated CBS scheme and is more suitable for low-power devices.

Table 2. Performance comparisons with existing work

5. Conclusion

In this paper, a pairing-free key-insulated CBS scheme has been proposed. The proposal achieves unforgeability in the random oracle model provided that the discrete logarithm problem is hard. Our approach can facilitate the deployment of CBS in hostile and resource-limited scenarios.

References

  1. W. Diffie, M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644-654, 1976. https://doi.org/10.1109/TIT.1976.1055638
  2. R. L. Rivest, A. Shamir, L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, vol. 21, no. 2, pp. 120-126, 1978. https://doi.org/10.1145/359340.359342
  3. T. ElGamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," Advances in Cryptology-CRYPTO 1984, Springer-Verlag, LNCS 196, pp. 10-18, 1984.
  4. D. Boneh, B. Lynn, and H. Shacham, "Short signatures from the weil pairing," Advances in Cryptology- ASIACRYPT 2001, Springer-Verlag, LNCS 2248, pp. 514-532, 2001.
  5. A. Shamir, "Identity-based cryptosystems and signature schemes," Advances in Cryptology-CRYPTO 1984, Springer-Verlag, LNCS 196, pp. 47-53, 1984.
  6. F. Hess, "Efficient identity based signature schemes based on pairings," Selected Areas in Cryptography-SAC 2002, Springer-Verlag, LNCS 2595, pp. 310-324, 2003.
  7. K. G. Paterson, "ID-based signatures from pairings on elliptic curves," Electronics Letters, vol. 38, no. 18, pp. 1025-1026, 2002. https://doi.org/10.1049/el:20020682
  8. M. Bellare, C. Namprempre, G. Neven, "Security Proofs for Identity-Based Identification and Signature Schemes," Journal of Cryptology, vol. 22, no. 1, pp. 1-61, 2009. https://doi.org/10.1007/s00145-008-9028-8
  9. C. Gentry, "Certificate-based encryption and the certificate revocation problem," Advances in Cryptology- EUROCRYPT 2003, Springer-Verlag, LNCS 2656, pp. 272-293, 2003.
  10. B. G. Kang, J. H. Park, S. G. Hahn, "A certificate-based signature scheme," in Proc. of Topics in Cryptology-CT-RSA 2004, The Cryptographers' Track at the RSA Conference 2004, Springer-Verlag, LNCS 2964, pp. 99-111, 2004.
  11. K. Joseph, J. B. Liu, S. Willy, J. Zhou, "Certificate-Based Signature Schemes without Pairings or Random Oracles," in Proc. of 11th International Conference on Information Security (ISC 2008), Springer-Verlag, LNCS 5222, pp. 285-297, 2008.
  12. J. Li, X. Huang, Y. Mu, W. Susilo, and Q. Wu, "Certificate-based signature: Security model and efficient construction," in Proc. of 4th European PKI Workshop: Theory and Practice (EuroPKI '07), Springer-Verlag, LNCS 4582, pp. 110-125, 2007.
  13. J. Li, X. Huang, X. Zhang, L. Xu, "An efficient short certificate-based signature scheme," Journal of Systems and Software, vol. 85, no. 2, pp. 314-322, 2012. https://doi.org/10.1016/j.jss.2011.08.014
  14. J. Li, Z. Wang, Y. Zhang, "Provably secure certificate-based signature scheme without pairings," Information Sciences, vol. 233, no. 1, pp. 313-320, 2013. https://doi.org/10.1016/j.ins.2013.01.013
  15. Y. Dodis, J. Katz, S. Xu, and M. Yung, "Key-insulated public key cryptosystems," in Advances in Cryptology-EUROCRYPT 2002, Springer-Verlag, LNCS 2332, pp. 65-82, 2002.
  16. Y. Dodis, J. Katz, S. Xu, and M. Yung, "Strong key-insulated signature scheme," in Proc. of 6th International Workshop on Practice and Theory in Public Key Cryptography (PKC 2003), Springer-Verlag, LNCS 2567, pp. 130-144, 2003.
  17. J. Li, H. Du, Y. Zhang, T. Li, Y. Zhang, "Provably Secure Certificate-based Key-Insulated Signature Scheme," Concurrency and Computation Practice and Experience, vol. 26, no. 8, pp. 1546-1560, 2014. https://doi.org/10.1002/cpe.3019
  18. D. Hofheinz, T. Jager, E. Kiltz, "Short signatures from weaker assumptions," Advances in Cryptology-ASIACRYPT 2011, LNCS 7073, Berlin: Springer-Verlag, pp. 647-666, 2011.
  19. L. Chen, Z. Cheng, N. P. Smart, "Identity-based key agreement protocols from pairings", International Journal of Information Security, vol. 6, no. 4, pp. 213-241, 2007. https://doi.org/10.1007/s10207-006-0011-9
  20. M. Bellare, P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," in Proc. of 1st ACM Conf. on Computer and Communications Security (CCS 1993), pp. 62-72, 1993.
  21. J. Weng, S. Liu, K. Chen, X. Li., "Identity-Based Key-Insulated Signature with Secure Key-Updates," in Proc. of 2nd SKLOIS Conference on Information Security and Cryptology-Inscrypt 2006, Springer-Verlag, LNCS 4318, pp. 13-26, 2006.
  22. Y. Zhou, Z. Cao, and Z. Chai, "Identity based key insulated signature," in Proc. of 2nd International Conference on Information Security Practice and Experience (ISPEC 2006), Springer-Verlag, LNCS 3903, pp. 226-234, 2006.
  23. A. Cilardo, L. Coppolino, N. Mazzocca, L. Romano, "Elliptic curve cryptography engineering," Proceedings of the IEEE, vol. 94, no. 2, pp. 395-406, 2006. https://doi.org/10.1109/JPROC.2005.862438
  24. D. Pointcheval, J. Stern, "Security arguments for digital signatures and blind signatures," Journal of Cryptology, vol. 13, no. 3, pp. 361-369, 2000. https://doi.org/10.1007/s001450010003
  25. Shamus Software Ltd., "Multiprecision Integer and Rational Arithmetic Cryptographic Library (Miracl)", http://www.certivox.com/miracl/
  26. X. Cao, W. Kou, X. Du, "A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges," Information Sciences, vol. 180, no. 15, pp. 2895-2903, 2010. https://doi.org/10.1016/j.ins.2010.04.002
  27. K. Ren, W. Lou, K. Zeng, P. J. Moran, "On broadcast authentication in wireless sensor networks," IEEE Trans. Wireless Commun., vol. 6, no. 11, pp. 4136-4144, 2007. https://doi.org/10.1109/TWC.2007.060255
