An ID-Based Server-Aided Verification Short Signature Scheme Avoid Key Escrow *


JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 29, 459-473 (2013)

JIANHONG ZHANG 1,2 AND ZHIBIN SUN 1
1 College of Sciences, North China University of Technology, Beijing, 100144 P.R. China
2 The State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an, 710071 P.R. China

In a server-aided verification signature, some of the complex computation needed to verify a signature is carried out by a server, which makes it very suitable for low-power computing devices. In this paper, by combining ID-based cryptography with server-aided verification signatures, we propose an ID-based server-aided verification signature scheme and give two SA-Verifying protocols that realize server-aided verification. The scheme has the following advantages: (1) short signature length; (2) it avoids the key escrow problem of ID-based cryptography; (3) less computational cost for the verifier. After formally defining the existential unforgeability security model of ID-based server-aided verification signatures, which captures the attacks of a dishonest signer and of a dishonest KGC, a detailed instance is given, and we show that our scheme is secure in the random oracle model. To the best of our knowledge, it is the first ID-based server-aided signature scheme. By comparison with SAV-BLS, we show that our schemes have the same signature length (160 bits) and approximately the same computational cost. In particular, the verifier does not need a pairing operation in the second SA-Verifying protocol.

Keywords: ID-based server-aided verification, the BDH assumption, key escrow, security proof, short signature length

1. INTRODUCTION

With the development of the Internet, many power-constrained devices such as smart cards and mobile terminals are widely used in real-life scenarios. To provide authentication and encryption, we may rely on cryptographic techniques to satisfy the requirements of those devices. However, designing efficient signature and identification (or authentication) schemes is one of the main challenges of public key cryptography.
Indeed, with the spread of smart cards and RFID tags, the low time-delay requirements of vehicular ad hoc networks and, more generally, low-cost chips with small computation capabilities, it becomes crucial to propose schemes suited to such devices. We can therefore consider including a powerful server that helps execute complex computation for the low-power devices, because cell phones and sensors always interact with their base stations in practice. To realize efficient authentication, a server-aided verification signature scheme is very suitable for this scenario, since the computational requirement of signature verification still remains heavy for low-power devices. A promising solution is server-aided verification, where a verifier can check a signature with the help of a powerful server.

In traditional public-key cryptography (PKC), a pair of public/private keys is computed by each user. Since the public key is a string of random bits, a digital certificate of the public key is required to provide public-key authentication. Anyone who wants to send messages to others must obtain their authorized certificates that contain the public key. However, this results in complex certificate management problems. In order to simplify public-key certificate management, Shamir [13] introduced the concept of identity-based (ID-based) cryptosystems in 1984. In ID-based cryptography, the certificate of a random public key is no longer needed, since publicly known information such as an e-mail address is used as the user's public key. However, an inherent problem of ID-PKC is that a Key Generation Center (KGC) generates every user's private key using the master key of the KGC. Obviously a malicious KGC is able to forge the signature of any signer. This is called the key escrow problem. It means that all users must unconditionally trust the KGC. To solve the key escrow problem, many new cryptosystems were proposed, such as certificateless cryptography (CLC) [20] and self-certified cryptography (SCC) [19]. In CLC, the CA generates a partial secret key from the user's identity using the master secret key, while the user generates his own private and public key, which is independent of the partial secret key. In SCC, each user's public key is derived from the signature of the user's secret key together with his identity, signed by the system authority using the system's secret key. The public key of each user need not be accompanied by a separate certificate to be authenticated by the verifier.

To improve the efficiency of executing cryptographic algorithms, several techniques (e.g., pre-computation and off-line computation) have been adopted.

* Received March 3, 2011; revised September 7 & October 4, 2011; accepted December 29, 2011. Communicated by Wen-Guey Tzeng. This work was supported by the Beijing Municipal Natural Science Foundation, the New Star Plan Project of Beijing Science and Technology, and the High-Caliber Talents development project of Beijing Municipal Institutions (CIT&TCD).
Even though these techniques can reduce the computational load, the computational requirement of many cryptographic systems still remains too heavy for many low-power devices. For example, the pairing operation on elliptic curves is an expensive computation. Due to its elegant properties, pairing has been widely employed as a building block to construct identity-based encryption and ID-based short signatures. However, performing a pairing on an elliptic curve requires much more computational cost than executing an exponentiation. It remains a challenging task to reduce the computational cost in pairing-based cryptography. The simplest way is to appeal to a server to help a user execute the complex computation. In 1989, Quisquater and De Soete introduced server-aided verification of signatures [12] for speeding up RSA verification with a small exponent. In a server-aided verification signature scheme $\mathrm{SAV}$-$\Sigma$, the verification of signatures can be executed by a server-aided verification protocol with the server, where the verifier executes less computation than in the original verification algorithm. In 1995, Lim and Lee extended this idea to discrete-logarithm based schemes [11], to speed up the verification of discrete-logarithm-based identity proofs and signatures. In 2005, Girault and Lefranc [7] proposed a more generalized model of server-aided verification without the assumption in [11]. A generic server-aided verification protocol for digital signatures from bilinear maps was also proposed in [7]. Their protocol can be applied to signature schemes with similar constructions, such as the ZSS signature scheme [17]. Recently, Wu et al. gave two server-aided verification signature schemes [16] based on the BLS signature scheme [4] and the Waters signature [14].

To the best of our knowledge, there does not exist an ID-based server-aided verification signature scheme. To fill the gap, we propose an ID-based server-aided verification signature scheme that avoids key escrow. We first give the formal definition of an ID-based server-aided verification signature scheme avoiding key escrow, and then give the corresponding security model. Finally, we construct a new scheme in our security model and show that the scheme is secure in the random oracle model. To overcome the key escrow problem of ID-PKC, the user randomly produces a value $Y$ and submits $ID\|Y$ to the KGC as the user's identity. The KGC then produces the user's secret key from $ID\|Y$. The differences between CLC and our ID-PKC are twofold: (1) the user can randomly change his public/private key in CLC, while $Y$ is fixed and cannot be changed in our scheme; (2) in the security model of CLC, the user can replace his public key, while the security model of our scheme does not include a replace-public-key oracle.

2. PRELIMINARIES

In this section, we briefly review the basic definition and properties of bilinear pairings. Let $G_1$ be a cyclic additive group generated by a generator $P$, whose order is a prime $q$, and $G_2$ be a cyclic multiplicative group of the same prime order $q$. We assume that the discrete logarithm problem (DLP) in both $G_1$ and $G_2$ is hard. An admissible pairing is a map $e: G_1 \times G_1 \to G_2$ which satisfies the following three properties:

Bilinear: If $P, Q \in G_1$ and $a, b \in Z_q$, then $e(aP, bQ) = e(P, Q)^{ab}$;
Non-degenerate: There exists a $P \in G_1$ such that $e(P, P) \neq 1$;
Computable: If $P, Q \in G_1$, one can compute $e(P, Q) \in G_2$ in polynomial time.

We note that the modified Weil and Tate pairings associated with supersingular elliptic curves are examples of such admissible pairings. The security of the ID-based signature scheme discussed in this paper is based on the following security assumptions.
Definition 1 Given two groups $G_1$ and $G_2$ of the same prime order $q$, a bilinear map $e: G_1 \times G_1 \to G_2$ and a generator $P$ of $G_1$, the Decisional Bilinear Diffie-Hellman problem (DBDH) in $(G_1, G_2, e)$ is to decide whether $h = e(P, P)^{abc}$ given $(P, aP, bP, cP)$ and an element $h \in G_2$. We define the advantage of a distinguisher $D$ against the DBDH problem as follows:
$$\mathrm{Adv}_D = \Big|\Pr_{a,b,c \in_R Z_q,\ h \in_R G_2}\big[1 \leftarrow D(aP, bP, cP, h)\big] - \Pr_{a,b,c \in_R Z_q}\big[1 \leftarrow D(aP, bP, cP, e(P,P)^{abc})\big]\Big|.$$

Definition 2 (Computational Diffie-Hellman (CDH) Assumption) Let $Gen$ be a CDH parameter generator. We say an algorithm $A$ has advantage $\varepsilon(k)$ in solving the CDH problem for $Gen$ if, for a sufficiently large $k$,
$$\mathrm{Adv}_{Gen,A}(t) = \Pr\big[A(q, G_1, xP, yP) = xyP : (q, G_1) \leftarrow Gen(1^k),\ P \in G_1,\ x, y \in Z_q\big].$$
We say that $G_1$ satisfies the CDH assumption if for any randomized algorithm $A$ running in polynomial time $t$, $\mathrm{Adv}_{Gen,A}(t)$ is a negligible function.

Definition 3 (Bilinear Diffie-Hellman Problem (BDH)) Given $(P, aP, bP, cP)$ for some $a, b, c \in Z_q$, compute $e(P, P)^{abc} \in G_2$. An algorithm $A$ has advantage $\varepsilon$ in solving the BDH problem on groups $(G_1, G_2)$ if
$$\Pr\big[A(P, aP, bP, cP) = e(P, P)^{abc} : a, b, c \in Z_q\big] \geq \varepsilon.$$

3. FORMAL DEFINITION AND SECURITY MODEL OF ID-BASED SAV SIGNATURE AVOIDING KEY ESCROW

In this section, we provide the definitions of an ID-based signature avoiding key escrow and of an ID-based server-aided verification signature avoiding key escrow.

3.1 The Syntax of an ID-based Signature Avoiding Key Escrow

A secure ID-based signature scheme avoiding key escrow consists of the following five algorithms: <System Setup, Private Key Generation, Key Extract, Sign, Verify>. The detailed description is as follows:

System Setup: This algorithm, executed by the KGC, takes a (random) parameter $k$ as input and generates from it $params$ (the system parameters) and the master key $s$. $params$ is publicly known, while the master key is known only to the KGC.

Key Extract: This algorithm, executed by the KGC, takes as input $params$, the master key and an arbitrary $ID \in \{0,1\}^*$ provided by a user, and returns a private key $d$. Note that $ID$ is an arbitrary string that is used as a public key and $d$ is the corresponding private key.

Sign: An algorithm that takes as input $params$, $d$, $x$ and a message $m$ to be signed, and returns a signature $Sig$ defined as $Sig = \mathrm{ID\text{-}SIGN}(params, d, m)$.

Verify: An algorithm that takes as input a message $m$, its signature $Sig$, the system parameters $params$, a public value $Y$ and the user's identity $ID$, and computes $valid = \mathrm{ID\text{-}VERIFY}(Sig; ID; Y; params; m)$. $valid$ is a binary value that is set to 0 if the signature is invalid and to 1 if the signature is valid.

An ID-based server-aided verification signature scheme avoiding key escrow, $\mathrm{SAV}$-$\Sigma$, is composed of seven algorithms: System Setup, Private Key Generation, Key Extract, Sign, Verify, SAV-Setup and SAV-Verify. The first five algorithms are the same as in the signature scheme above. The remaining algorithms are described as follows:

SAV-Setup: This algorithm takes as input the system parameters $params$ and returns a bit string $VString$, which contains the information that can be pre-computed by the verifier. Note that $VString$ may be the same as $params$ if no pre-computation is done.

SAV-Verify: This protocol is executed interactively between the server and the verifier. The verifier has only limited computational capability and cannot carry out the verification alone. Given the message/signature pair $(m, \sigma)$, the public key $Y$, $ID$ and

$VString$, the verifier checks the validity of the signature with the help of a powerful server by running the SAV-Verify protocol. Even if the server is untrustworthy, if SAV-Verify returns $valid$ then $\sigma$ is valid; otherwise $\sigma$ is invalid.

3.2 Computation-Saving in an ID-based $\mathrm{SAV}$-$\Sigma$

The main goal of a SAV signature scheme is to save computation for the verifier. Thus, computation-saving is probably the most important property that distinguishes a server-aided verification signature scheme $\mathrm{SAV}$-$\Sigma$ from an ordinary signature scheme $\Sigma$. This property enables the verifier in $\mathrm{SAV}$-$\Sigma$ to check the validity of a signature in a more computationally efficient way than in $\Sigma$. It is formally defined as follows.

Definition 4 (Computation-Saving) Let $\mathcal{C}_{\text{ID-Verify}}$ and $\mathcal{C}_{\text{ID-SA-Verify}}$ denote the verifier's computational cost in the original ID-based signature scheme and in the ID-based SAV signature scheme, respectively. An ID-based server-aided verification signature scheme $\mathrm{ID\text{-}SAV}$-$\Sigma$ is said to be Computation-Saving if $\mathcal{C}_{\text{ID-SA-Verify}}$ is strictly less than $\mathcal{C}_{\text{ID-Verify}}$, i.e., $\mathcal{C}_{\text{ID-SA-Verify}} < \mathcal{C}_{\text{ID-Verify}}$.

3.3 The Existential Unforgeability of $\mathrm{ID\text{-}SAV}$-$\Sigma$

Unforgeability is the primitive property of a digital signature scheme. In the following security model, we follow the assumption in [7]: the server does not have a valid signature of the message when it tries to use SA-Verify to convince the verifier that an invalid signature of that message is valid. Existential unforgeability of an ID-SAV signature requires that the adversary should not be (computationally) able to produce a new message-signature pair which is accepted as $valid$ by ID-SA-Verify after making a series of queries, even if the adversary acts as the Server. A formal game-based definition is described as follows.

System Setup: The challenger $C$ runs the algorithms System Setup and ID-SA-Verifier-Setup to obtain the system parameters $param$ and $\mathrm{ID}$-$VString$. The adversary $A$ is given $param$ and the public key of the KGC.

Queries: The adversary $A$ can make the following queries:

Key Extraction Queries: Proceeding adaptively, when the adversary $A$ requests the secret key of the user with identity $ID_i$ and public key $Y_i$, the challenger $C$ returns $D_i = \mathrm{KeyExtract}(ID_i, Y_i, s)$ as the user's secret key.

Signature Queries: Proceeding adaptively, the adversary $A$ can request signatures on at most $q_s$ messages. For each signature query $(m_j, ID_i, Y_{ID_i}) \in \{(m_1, ID_i, Y_{ID_i}), \ldots, (m_n, ID_k, Y_{ID_k})\}$, the challenger $C$ returns $\sigma_i = \mathrm{Sig}(param, (m_j, ID_i, Y_{ID_i}), x, ID_i)$ as the response.

Server-Aided Verification Queries: Proceeding adaptively, the adversary $A$ can make at most $q_v$ server-aided verification queries. For each query $(m, \sigma)$ under the user's identity $ID$ and public key $Y$, the challenger $C$ responds by executing ID-SA-Verify with the adversary $A$, where $A$ acts as the Server and $C$ acts as the Verifier. At the end of each execution, the challenger returns the output of ID-SA-Verify to the adversary $A$.

Eventually, the adversary $A$ outputs a message-signature pair $(m, \sigma)$ under the user with identity $ID$ and public key $Y$, and wins the game if:
1. $(m, ID, Y)$ has never been submitted as a signature query. Note that $m$ may have been submitted in signature queries (under other identities or public keys), and $Y$ can be an arbitrary public key chosen by the adversary $A$. Thus, our security model is very strong.
2. $ID$ has never been submitted as a key extraction query.
3. $\mathrm{ID\text{-}SA\text{-}Verify}\big(A(param, ID, Y),\ C(m, \sigma, VString)\big) = valid$.

We define $\mathrm{Adv}_A^{\mathrm{ID\text{-}SAV\text{-}}\Sigma}$ to be the probability that the adversary $A$ wins the above game, taken over the coin tosses made by $A$ and the challenger $C$.

Definition 5 An adversary $A$ is said to $(t, q_k, q_s, q_v, \varepsilon)$-break an $\mathrm{ID\text{-}SAV}$-$\Sigma$ if $A$ runs in time at most $t$, makes at most $q_k$ key extraction queries, $q_s$ signature queries and $q_v$ server-aided verification queries, and $\mathrm{Adv}_A^{\mathrm{ID\text{-}SAV\text{-}}\Sigma}$ is at least $\varepsilon$. An $\mathrm{ID\text{-}SAV}$-$\Sigma$ is $(t, q_k, q_s, q_v, \varepsilon)$-existentially unforgeable under adaptive chosen message attacks if there exists no forger that $(t, q_k, q_s, q_v, \varepsilon)$-breaks it.

4. OUR ID-SAV SIGNATURE SCHEME AVOIDING KEY ESCROW

In this section, we give a short server-aided ID-based signature scheme which omits the key escrow problem of ID-based cryptography. The details of our scheme are described as follows.

4.1 Setup

Given $k$, select two bilinear map groups $(G_1, G_2)$ of prime order $q > 2^k$, let $e: G_1 \times G_1 \to G_2$ be a bilinear map and $P \in_R G_1$ be a generator of $G_1$. Define four hash functions $H_0: \{0,1\}^* \to G_1$, $H_1: G_1 \times \{0,1\}^* \to G_1$ and $H_2: G_1 \times \{0,1\}^* \to Z_q$; $H_3: \{0,1\}^* \times G_2 \to Z_q$ is a one-way cryptographic function. Randomly choose $s \in Z_q$ as the master key of the KGC and compute the corresponding public key $P_{pub} = sP$. Publish the system parameters $Param = (G_1, G_2, q, e, P, P_{pub}, H_1, H_2, H_0, H_3)$; the KGC secretly keeps $s$ as its master key.

4.2 Key Extraction

When a user registers his identity $ID$ with the KGC, the following steps are executed:
1. First, the user chooses a random number $x_{ID} \in Z_q$ as his partial secret key and computes $Y_{ID} = x_{ID}P$.
2. Then, the user sends his identity $ID$ and $Y_{ID}$ to the KGC.
3. The KGC computes $D_{ID0} = sH_0(ID\|Y_{ID}\|0)$ and $D_{ID1} = sH_0(ID\|Y_{ID}\|1)$, and sends them to the user via a secure channel.
4. The user accepts the private key $(D_{ID0}, D_{ID1}, x_{ID})$ if and only if $e(H_0(ID\|Y_{ID}\|0), P_{pub}) = e(D_{ID0}, P)$ and $e(H_0(ID\|Y_{ID}\|1), P_{pub}) = e(D_{ID1}, P)$.

4.3 Signing

Let $m$ be the message to be signed. To produce a signature, the user with identity $ID$ executes the following steps:
1. Compute $T = H_1(m, P_{pub}, Y_{ID})$, $\alpha = H_2(m\|Y_{ID}\|0)$, $\beta = H_2(m\|Y_{ID}\|1)$ and $k = H_3(m, Q_1, Q_0, P_{pub})$, where $Q_0 = H_0(ID\|Y_{ID}\|0)$ and $Q_1 = H_0(ID\|Y_{ID}\|1)$.
2. Compute $\sigma = x_{ID}\,k\,T + \alpha D_{ID0} + \beta D_{ID1}$.
3. Return $(\sigma, m, Y_{ID})$ as the message-signature pair.

4.4 Verifying Phase

Upon receiving a signature, the verifier does as follows:
1. First, the verifier computes $Q_0 = H_0(ID\|Y_{ID}\|0)$ and $Q_1 = H_0(ID\|Y_{ID}\|1)$.
2. Then, it computes $T = H_1(m, P_{pub}, Y_{ID})$.
3. The signature is accepted if and only if the following equation holds:
$$e(\sigma, P) = e(T, Y_{ID})^{k} \cdot e(\alpha Q_0 + \beta Q_1, P_{pub}),$$
where $k = H_3(m, Q_1, Q_0, P_{pub})$, $\alpha = H_2(m\|Y_{ID}\|0)$ and $\beta = H_2(m\|Y_{ID}\|1)$. If so, output $valid$; if not, output $invalid$.

Note that the signature $\sigma$ is a single element of $G_1$, so its size is only 160 bits.

4.5 SA-Verifying Setup Phase

Given the system parameters $Params$, the verifier randomly chooses $r \in Z_q$ and computes $\lambda_1 = rP$. Then $VString$ is $(r, \lambda_1)$.
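The whole construction run end to end, as an added example that is not code from the paper: it exercises Setup, Key Extraction (including the user's acceptance check in step 4), Signing and Verifying above, and also the two SA-Verifying protocols of Sections 4.6 and 4.7 below. The bilinear map is a toy: $G_1$ is $Z_q$ with $P = 1$, $G_2$ is the order-$q$ subgroup of $Z_p^*$ and $e(xP, yP) = g^{xy}$; this is bilinear, but discrete logarithms in this $G_1$ are trivial, so the instance is insecure and only checks that the equations agree. Assumptions of the example, not of the paper: $q = 77158673929$ and $p = 2^{127} - 1$ (q is the largest prime factor of $2^{63} + 1$, so $q \mid p - 1$), one SHA-256 hash with domain tags stands in for $H_0$ to $H_3$, $H_3$ is fed $(m, Q_1, Q_0, P_{pub})$ as listed in the signing step, and the second protocol blinds $\lambda_1$ with the fresh $t$ as $t\lambda_1$.

```python
import hashlib
import secrets

# Toy bilinear group (example assumption): G1 = Z_q with P = 1, G2 = the
# order-q subgroup of Z_p^*, e(xP, yP) = g^(xy).  DL in this G1 is trivial,
# so the instance is INSECURE; it only checks that the scheme's equations agree.
P_MOD = (1 << 127) - 1       # Mersenne prime p; p - 1 = 2 * (2^63 - 1) * (2^63 + 1)
Q = 77158673929              # largest prime factor of 2^63 + 1, hence q | p - 1
G = next(g for g in (pow(h, (P_MOD - 1) // Q, P_MOD) for h in range(2, 64)) if g != 1)


def pair(x, y):
    """Toy pairing e(xP, yP) = g^(xy mod q); bilinear by construction."""
    return pow(G, x * y % Q, P_MOD)


def H(tag, *parts):
    """One domain-separated SHA-256 hash to Z_q stands in for H_0 .. H_3."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(repr(part).encode())
    return int.from_bytes(h.digest(), "big") % Q


def derive(ppub, ident, Y, msg):
    """Values every party recomputes from public data: Q0, Q1, T, alpha, beta, k."""
    Q0, Q1 = H(b"H0", ident, Y, 0), H(b"H0", ident, Y, 1)   # H_0(ID||Y_ID||b)
    T = H(b"H1", msg, ppub, Y)                              # T = H_1(m, P_pub, Y_ID)
    alpha, beta = H(b"H2", msg, Y, 0), H(b"H2", msg, Y, 1)  # H_2(m||Y_ID||b)
    k = H(b"H3", msg, Q1, Q0, ppub)                         # inputs as listed in 4.3
    return Q0, Q1, T, alpha, beta, k


def kgc_extract(s, ident, Y):
    """Key-extraction step 3: D_ID0 = s*H_0(ID||Y||0), D_ID1 = s*H_0(ID||Y||1)."""
    return s * H(b"H0", ident, Y, 0) % Q, s * H(b"H0", ident, Y, 1) % Q


def user_accepts(ppub, ident, Y, D0, D1):
    """Key-extraction step 4: e(H_0(ID||Y||b), P_pub) == e(D_b, P) for b = 0, 1."""
    return all(pair(H(b"H0", ident, Y, b), ppub) == pair(D, 1)
               for b, D in ((0, D0), (1, D1)))


def sign(ppub, ident, Y, x, D0, D1, msg):
    """sigma = x_ID*k*T + alpha*D_ID0 + beta*D_ID1, a single G1 element."""
    _, _, T, alpha, beta, k = derive(ppub, ident, Y, msg)
    return (x * k * T + alpha * D0 + beta * D1) % Q


def verify(ppub, ident, Y, msg, sigma):
    """Section 4.4: e(sigma, P) == e(T, Y_ID)^k * e(alpha*Q0 + beta*Q1, P_pub)."""
    Q0, Q1, T, alpha, beta, k = derive(ppub, ident, Y, msg)
    rhs = pow(pair(T, Y), k, P_MOD) * pair((alpha * Q0 + beta * Q1) % Q, ppub)
    return pair(sigma, 1) == rhs % P_MOD


def server(ppub, ident, Y, msg, lam1, sigma):
    """Honest server: the outsourced pairings (lambda_2 is used only by 4.7)."""
    lam2 = pair(H(b"H1", msg, ppub, Y), Y)                  # e(T, Y_ID)
    lam3 = pair(lam1, sigma)                                # e(lambda_1, sigma)
    lam4 = pair(H(b"H0", ident, Y, 0), ppub)                # e(H_0(ID||Y||0), P_pub)
    lam5 = pair(H(b"H0", ident, Y, 1), ppub)                # e(H_0(ID||Y||1), P_pub)
    return lam2, lam3, lam4, lam5


def sa_verify1(ppub, ident, Y, msg, sigma, vstring, srv=server):
    """Section 4.6: the verifier computes lambda_2 = e(T, Y_ID) itself (one pairing)."""
    r, lam1 = vstring
    _, lam3, lam4, lam5 = srv(ppub, ident, Y, msg, lam1, sigma)
    _, _, T, alpha, beta, k = derive(ppub, ident, Y, msg)
    rhs = pow(pair(T, Y), k, P_MOD) * pow(lam4, alpha, P_MOD) * pow(lam5, beta, P_MOD)
    return lam3 == pow(rhs % P_MOD, r, P_MOD)               # lambda_3 == (...)^r


def sa_verify2(ppub, ident, Y, msg, sigma, vstring, srv=server):
    """Section 4.7: no verifier pairing; a fresh t blinds lambda_1 as t*lambda_1."""
    r, lam1 = vstring
    t = secrets.randbelow(Q - 1) + 1
    lam2, lam3, lam4, lam5 = srv(ppub, ident, Y, msg, t * lam1 % Q, sigma)
    _, _, _, alpha, beta, k = derive(ppub, ident, Y, msg)
    rhs = pow(lam2, k, P_MOD) * pow(lam4, alpha, P_MOD) * pow(lam5, beta, P_MOD)
    return lam3 == pow(rhs % P_MOD, r * t % Q, P_MOD)       # lambda_3 == (...)^(rt)


def demo(msg=b"constructed sample message"):
    """Run every phase on constructed keys; returns (key_ok, honest, tampered, lazy)."""
    s, x, r = (secrets.randbelow(Q - 1) + 1 for _ in range(3))  # master key, x_ID, r
    ident, vstring = "alice@example.org", (r, r)                  # VString = (r, rP)
    D0, D1 = kgc_extract(s, ident, x)                             # Y_ID = x_ID*P = x
    sigma = sign(s, ident, x, x, D0, D1, msg)

    def checks(sg, srv=server):
        return (verify(s, ident, x, msg, sg),
                sa_verify1(s, ident, x, msg, sg, vstring, srv),
                sa_verify2(s, ident, x, msg, sg, vstring, srv))

    lazy = lambda *args: (1, 1, 1, 1)   # a server that answers every lambda with 1
    return (user_accepts(s, ident, x, D0, D1), checks(sigma),
            checks((sigma + 1) % Q), checks(sigma, lazy))
```

demo() returns the key-acceptance result and the (Verify, SA-Verify 1, SA-Verify 2) outcomes for the honest signature, for the signature with one added to $\sigma$, and for the honest signature checked through a server that answers every $\lambda$ with the identity element. The last case is the check worth running before outsourcing every pairing: in the first protocol the all-identity answers are rejected because $\lambda_2 = e(T, Y_{ID})$ is computed locally, whereas in the second protocol every factor of the check is supplied by the server, so all-identity answers satisfy $\lambda_3 = (\lambda_2^k \lambda_4^\alpha \lambda_5^\beta)^{rt}$ for any $\sigma$.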

4.6 SA-Verifying Phase

The verifier and the server interact with each other using the following protocol:
1. The verifier sends $(\lambda_1, \sigma)$ to the server.
2. The server computes $\lambda_3 = e(\lambda_1, \sigma)$, $\lambda_4 = e(H_0(ID\|Y_{ID}\|0), P_{pub})$ and $\lambda_5 = e(H_0(ID\|Y_{ID}\|1), P_{pub})$, and sends $(\lambda_3, \lambda_4, \lambda_5)$ to the verifier.
3. Then, the verifier computes $\lambda_2 = e(T, Y_{ID})$, where $T = H_1(m, P_{pub}, Y_{ID})$ is also computed by the verifier.
4. Finally, the verifier checks whether
$$\lambda_3 = \big(\lambda_2^{k} \cdot \lambda_4^{\alpha} \cdot \lambda_5^{\beta}\big)^{r},$$
where $\alpha = H_2(m\|Y_{ID}\|0)$, $\beta = H_2(m\|Y_{ID}\|1)$ and $k = H_3(m, Q_1, Q_0, P_{pub})$.

From the above verification we see that the verifier needs to execute only one pairing to verify the signature. To improve the efficiency of the verifier further, we can adopt the following protocol; $VString$ is again $(r, \lambda_1)$.

4.7 The Second SA-Verifying Phase

In the following, we propose the most efficient scheme. In this scheme, the verifier and the server interact with each other using the following protocol:
1. The verifier randomly chooses $t \in Z_q$, computes $\lambda_1' = t\lambda_1$ and sends $(\lambda_1', \sigma, Y_{ID})$ to the server.
2. The server computes $\lambda_3 = e(\lambda_1', \sigma)$, $\lambda_4 = e(H_0(ID\|Y_{ID}\|0), P_{pub})$, $\lambda_5 = e(H_0(ID\|Y_{ID}\|1), P_{pub})$ and $\lambda_2 = e(T, Y_{ID})$, where $T = H_1(m, P_{pub}, Y_{ID})$, then sends $(\lambda_2, \lambda_3, \lambda_4, \lambda_5)$ to the verifier.
3. Finally, the verifier checks whether
$$\lambda_3^{1/t} = \big(\lambda_2^{k} \cdot \lambda_4^{\alpha} \cdot \lambda_5^{\beta}\big)^{r} \quad\text{or, equivalently,}\quad \lambda_3 = \big(\lambda_2^{k} \cdot \lambda_4^{\alpha} \cdot \lambda_5^{\beta}\big)^{rt},$$
where $\alpha = H_2(m\|Y_{ID}\|0)$ and $\beta = H_2(m\|Y_{ID}\|1)$.

Table 1. Comparison of the verifier's cost.
                          Pairing   Exponentiation on G_2   Map-to-point
Our scheme (Verify)          3                1                  3
Our SAV-Scheme 1             1                3                  1
Our SAV-Scheme 2             0                3                  1

Computation-Saving: From Table 1, the verifier in our ID-SAV-Scheme 1 described above needs to compute one pairing, three exponentiations on $G_2$ and one map-to-point hash. The verifier in our ID-SAV-Scheme 2 only needs to compute three exponentiations on $G_2$ and one map-to-point hash; no pairing operation is required in the second scheme. It is obvious that both schemes satisfy $\mathcal{C}_{\text{SA-Verify}} < \mathcal{C}_{\text{Verify}}$. In the following security analysis, we only analyze the security of the first scheme; a similar security analysis can be carried out for the second scheme.

5. SECURITY ANALYSIS

Theorem 1 (Unforgeability) The SAV scheme above is $(t, q_s, q_v, \varepsilon)$-existentially unforgeable against chosen message attacks if the $(t', \varepsilon')$-BDH assumption holds on $(G_1, G_2)$.

Proof: In the following, we show that if there exists a $(t, q_s, q_v)$-adversary $A$ that breaks our scheme with probability $\varepsilon$, then there exists another algorithm $B$ which can solve a random instance of the bilinear Diffie-Hellman problem in time $t'$ with success probability $\varepsilon' \geq \varepsilon/(q_s + 1)$. In the whole game, we regard the hash functions $H_0$, $H_1$ as random oracles. The adversary $A$ can adaptively make $H_0$ queries, $H_1$ queries, Signature queries and Server-Aided Verification queries. Let $G_1, G_2$ be bilinear groups of prime order $q$. Algorithm $B$ is given $(P, aP, bP, cP) \in G_1$, a random instance of the BDH problem. Its goal is to compute $e(P, P)^{abc}$. Algorithm $B$ simulates the challenger and interacts with the adversary $A$ in the game as follows.

Setup: $B$ sets the public key of the KGC to $P_{pub} = aP$ and $\lambda_1 = cP$, where $aP$ and $cP$ are inputs of the BDH instance, and returns $(G_1, G_2, P, q, P_{pub}, e)$ to the adversary $A$. Let $ID_j$, $j \in \{1, \ldots, q_H\}$, be the challenged user's identity.

$H_0$-Queries: When the adversary $A$ makes a query $(ID_i, Y_{ID_i})$, $B$ responds as follows. If $i \neq j$, $B$ randomly chooses $t_{i0}, t_{i1} \in Z_q$ and sets $H_0(ID_i, Y_{ID_i}, 0) = t_{i0}P = Q_{i0}$ and $H_0(ID_i, Y_{ID_i}, 1) = t_{i1}P = Q_{i1}$. Otherwise, $B$ randomly chooses $t_0, t_1 \in Z_q$ and sets $H_0(ID_j, Y_{ID_j}, 0) = t_0 bP = Q_{j0}$ and $H_0(ID_j, Y_{ID_j}, 1) = t_1 bP = Q_{j1}$. $B$ adds $(ID_i, Y_{ID_i}, Q_{i0}, Q_{i1}, t_{i0}, t_{i1})$ to the $H_0$-list.

$H_1$-Queries: When the adversary $A$ makes a query $(ID_i, Y_{ID_i}, m_j)$, $B$ randomly chooses $\gamma_{ij} \in Z_q$, sets $H_1(m_j, P_{pub}, Y_{ID_i}) = \gamma_{ij}P = T_{ij}$, and adds $(m_j, P_{pub}, Y_{ID_i}, \gamma_{ij}, T_{ij})$ to the $H_1$-list.
Key Extraction Queries: When the adversary $A$ makes a key extraction query $(ID_i, Y_{ID_i})$, $B$ responds as follows:
1. If $i \neq j$, $B$ finds $(ID_i, Y_{ID_i}, Q_{i0}, Q_{i1}, t_{i0}, t_{i1})$ in the $H_0$-list and returns $D_{i0} = t_{i0}\,aP$, $D_{i1} = t_{i1}\,aP$.
2. Otherwise, $B$ outputs $fail$ and aborts.

Signing Queries: When the adversary $A$ makes a signing query $(m_j, ID_i, Y_{ID_i})$, $B$ responds as below.

First, $B$ checks whether $(ID_i, Y_{ID_i})$ exists in the $H_0$-list. If it exists, $B$ retrieves $(ID_i, Y_{ID_i}, Q_{i0}, Q_{i1}, t_{i0}, t_{i1})$ from the $H_0$-list; otherwise $B$ makes an $H_0$ query with $(ID_i, Y_{ID_i})$.
1. Then $B$ checks whether $(m_j, P_{pub}, Y_{ID_i})$ exists in the $H_1$-list. If it exists, $B$ retrieves $(m_j, P_{pub}, Y_{ID_i}, \gamma_{ij}, T_{ij})$ from the $H_1$-list; otherwise $B$ makes an $H_1$ query with $(m_j, P_{pub}, Y_{ID_i})$.
2. Next, $B$ computes the signature $\sigma_{ij} = \gamma_{ij}\,k\,Y_{ID_i} + (\alpha t_{i0} + \beta t_{i1})\,aP$ and adds $(m_j, Y_{ID_i}, \sigma_{ij})$ to the S-list, where $\alpha = H_2(m_j\|Y_{ID_i}\|0)$, $\beta = H_2(m_j\|Y_{ID_i}\|1)$ and $k = H_3(m_j, Q_{i1}, Q_{i0}, P_{pub})$.
3. Finally, $B$ sends $(m_j, Y_{ID_i}, \sigma_{ij})$ to the adversary $A$.

Server-Aided Verification Queries: At any time, the adversary $A$ can make a server-aided verification query $(m_j, \sigma_{ij}, ID_i, Y_{ID_i})$; $B$ responds as follows:
1. If $(m_j, \sigma_{ij}, ID_i, Y_{ID_i})$ has never appeared as one of the signature queries before this query, then $B$ executes the server-aided verification protocol with the adversary $A$ and outputs $invalid$ at the end of the protocol.
2. Otherwise, $A$ has made a signature query $(m_j, ID_i, Y_{ID_i})$ and the corresponding response from $B$ was $(m_j, \sigma'_{ij})$. In this case, $B$ executes the interactive protocol with $A$. First, $B$ sends $(\sigma_{ij}, \lambda_1)$ to the adversary $A$. Then $A$ responds with $(\lambda_3, \lambda_4, \lambda_5)$. Finally, $B$ outputs $valid$ if $\lambda_3 = e(\sigma'_{ij}, \lambda_1)$, $\lambda_4 = e(H_0(ID_i\|Y_{ID_i}\|0), P_{pub})$ and $\lambda_5 = e(H_0(ID_i\|Y_{ID_i}\|1), P_{pub})$ hold.

Output: Eventually, $A$ outputs a message-signature pair $(m, \sigma)$ under the user's public key $(ID, Y_{ID})$ with non-negligible probability. The adversary $A$ wins the game if the following restrictions are satisfied:
1. $(m, ID, Y_{ID})$ has never been submitted as a signature query.
2. $ID = ID_j$.
3. The adversary $A$ convinces $B$ by SA-Verify that $(m, \sigma)$ is valid.

Because $(m, \sigma)$ is accepted by SA-Verify with $\lambda_1 = cP$, and for the challenged identity $Q_{j0} = t_0 bP$ and $Q_{j1} = t_1 bP$, so that $D_{ID0} = a t_0 bP$ and $D_{ID1} = a t_1 bP$, we have the following relations:
$$\lambda_3 = e(\lambda_1, \sigma) = e\big(cP,\ x_{ID}\,k\,T + \alpha D_{ID0} + \beta D_{ID1}\big) = e(T, Y_{ID})^{kc} \cdot e(P, P)^{abc(\alpha t_0 + \beta t_1)},$$
$$\lambda_4 = e(t_0 bP, aP) = e(P, P)^{ab t_0}, \qquad \lambda_5 = e(t_1 bP, aP) = e(P, P)^{ab t_1},$$
where $\alpha = H_2(m\|Y_{ID}\|0)$ and $\beta = H_2(m\|Y_{ID}\|1)$.

Thus, we obtain the following relation:
$$e(P, P)^{abc} = \left(\frac{\lambda_3}{e(T, Y_{ID})^{kc}}\right)^{1/(\alpha t_0 + \beta t_1)},$$
where $B$ can evaluate the denominator as $e(k\gamma\,\lambda_1, Y_{ID})$, since $T = \gamma P$ with $\gamma$ taken from the $H_1$-list and $\lambda_1 = cP$. It means that algorithm $B$ can solve the bilinear Diffie-Hellman problem with non-negligible probability. $\square$

According to the above security proof, the adversary can randomly choose the public key $Y$ of the challenged user with identity $ID$. It means that the signer may be malicious: it may attempt to produce a forgery without the secret key produced by the KGC. In other words, the above security model only captures the attack of a malicious signer. In ID-based cryptography the KGC is in charge of issuing the users' secret keys, so in real life the KGC itself may attempt to forge a signature. Thus, we must also consider the KGC's attack. In the following, we give the security model for the KGC's attack. The model is defined as follows:

System Setup: The challenger $C$ runs the algorithms System Setup and ID-SA-Verifier-Setup to obtain the system parameters $param$ and $\mathrm{ID}$-$VString$. Let $Y$ be the challenged user's public key. The KGC randomly chooses $s \in Z_q$ as the master secret key and computes $P_{pub} = sP$. Finally, the adversary $A$ is given $params$, the public-private key pair $(P_{pub}, s)$ of the KGC and the user's public key $Y$.

Queries: The adversary $A$ can adaptively make Signature Queries and Server-Aided Verification Queries.

Eventually, the adversary $A$ outputs a message-signature pair $(m, \sigma)$ under the public key $Y$ and wins the game if:
(1) $(m, \sigma, Y)$ has never been submitted as a signature query;
(2) $\mathrm{ID\text{-}SA\text{-}Verify}\big(A(param, ID, Y_{ID}),\ C(m, \sigma, VString, x)\big) = valid$.

We define $\mathrm{Adv}_A^{\mathrm{ID\text{-}SAV\text{-}}\Sigma}$ to be the probability that the adversary $A$ wins the above game, taken over the coin tosses made by $A$ and the challenger $C$.

Theorem 2 Assume that a dishonest KGC makes $q_i$ queries to the random oracles $H_i$ ($i = 0, 1, 2$), $q_s$ queries to the signature oracle and $q_v$ queries to the server-aided verification oracle. If the KGC can produce a signature forgery with non-negligible probability, then there exists an algorithm $B$ that is able to solve the Bilinear Diffie-Hellman problem.

Proof: Suppose that the dishonest KGC is an adversary $A$ which is able to break our ID-based SAV signature scheme. Given a BDH instance $(P, aP, bP, cP)$ with $a, b, c \in_R Z_q$, we construct an algorithm $B$ that computes the BDH solution $e(P, P)^{abc} \in G_2$ using the adversary $A$ as a subroutine. To do so, algorithm $B$ performs the following simulation by interacting with the adversary $A$.

Setup: Algorithm $B$ randomly chooses $s \in Z_q$, computes $P_{pub} = sP$ and sets $VString$ with $\lambda_1 = cP$. Then $B$ sets $Y = bP$ as the challenged public key. Finally, $B$ sends $(s, P_{pub}, \lambda_1, Y)$ and the system parameters $params$ to the adversary $A$.

$H_0$-Queries: When the adversary $A$ makes a query $(ID_i, Y_{ID_i})$, $B$ randomly chooses $t_{i0}, t_{i1} \in Z_q$, sets $H_0(ID_i, Y_{ID_i}, 0) = t_{i0}P = Q_{i0}$ and $H_0(ID_i, Y_{ID_i}, 1) = t_{i1}P = Q_{i1}$, and adds $(ID_i, Y_{ID_i}, Q_{i0}, Q_{i1}, t_{i0}, t_{i1})$ to the $H_0$-list.

$H_1$-Queries: When the adversary $A$ makes a query $(ID_i, Y_{ID_i}, m_j)$, $B$ randomly chooses $coin_i \in \{0, 1\}$ such that $\Pr[coin_i = 1] = 1/(q_s + 1)$.
1. If $coin_i = 0$, $B$ randomly chooses $\gamma_{ij} \in Z_q$ and sets $H_1(m_j, P_{pub}, Y_{ID_i}) = \gamma_{ij}P = T_{ij}$.
2. If $coin_i = 1$, $B$ randomly chooses $\gamma_{ij} \in Z_q$ and sets $H_1(m_j, P_{pub}, Y_{ID_i}) = \gamma_{ij}\,aP = T_{ij}$.
Finally, $B$ adds $(coin_i, m_j, P_{pub}, Y_{ID_i}, \gamma_{ij}, T_{ij})$ to the $H_1$-list and returns $T_{ij}$.

Signing Queries: When the adversary $A$ makes a signing query $(m_j, ID_i, Y_{ID_i})$, $B$ responds as below.
1. First, $B$ checks whether $(ID_i, Y_{ID_i}, m_j)$ exists in the $H_1$-list. If it exists and the corresponding $coin_i = 0$, then $B$ computes $\sigma_{ij} = k\,\gamma_{ij}\,Y_{ID_i} + s(\alpha Q_{i0} + \beta Q_{i1})$, where $k = H_3(m_j, Q_{i1}, Q_{i0}, P_{pub})$, $\alpha = H_2(m_j\|Y_{ID_i}\|0)$ and $\beta = H_2(m_j\|Y_{ID_i}\|1)$. If it exists and the corresponding $coin_i = 1$, then $B$ aborts.
2. Otherwise, $B$ makes an $H_1$ query with $(ID_i, Y_{ID_i}, m_j)$ and follows the simulation steps according to the coin value.
3. Finally, $B$ sends $(m_j, Y_{ID_i}, \sigma_{ij})$ to $A$.

Server-Aided Verification Queries: At any time, the adversary $A$ can make a server-aided verification query $(m_j, \sigma_{ij}, ID_i, Y_{ID_i})$; $B$ responds as follows:
1. If $(m_j, \sigma_{ij}, ID_i, Y_{ID_i})$ has never appeared as one of the signature queries before this query, then $B$ executes the server-aided verification protocol with the adversary $A$ and outputs $invalid$ at the end of the protocol.
2. Otherwise, $A$ has made a signature query $(m_j, ID_i, Y_{ID_i})$ and the corresponding response from $B$ was $(m_j, \sigma_{ij})$. In this case, $B$ executes the interactive protocol with $A$. First, $B$ sends $(\sigma_{ij}, \lambda_1)$ to the adversary $A$. Then $A$ responds with $(\lambda_3, \lambda_4, \lambda_5)$. Finally, $B$ outputs $valid$ if $\lambda_3 = e(\sigma_{ij}, \lambda_1)$, $\lambda_4 = e(H_0(ID_i\|Y_{ID_i}\|0), P_{pub})$ and $\lambda_5 = e(H_0(ID_i\|Y_{ID_i}\|1), P_{pub})$ hold.

Output: Eventually, $A$ outputs a forged signature $(\sigma, m)$ on a message $m$ under the user with identity $ID$ and public key $Y$. If the following conditions hold, then $B$ wins the game:
1. For the query $(m, P_{pub}, Y)$ in the $H_1$-list, the corresponding $coin = 1$.
2. $(m, \sigma, Y)$ has never been submitted as a signature query.
3. $\mathrm{ID\text{-}SA\text{-}Verify}(m, Y, \sigma, ID, P_{pub}) = valid$.

Since $coin = 1$ for $(m, P_{pub}, Y)$, we have $T = \gamma\,aP$, and $Y = bP$ means that the signer's partial secret is $x_{ID} = b$. With $Q_0 = H_0(ID\|Y\|0)$, $Q_1 = H_0(ID\|Y\|1)$, $\alpha = H_2(m\|Y\|0)$ and $\beta = H_2(m\|Y\|1)$, the forged signature $(\sigma, m)$ should satisfy
$$\sigma = x_{ID}\,k\,T + \alpha D_{ID0} + \beta D_{ID1} = k\gamma\,abP + s(\alpha Q_0 + \beta Q_1),$$
$$\lambda_3 = e(\lambda_1, \sigma) = e(cP, k\gamma\,abP) \cdot e\big(cP, s(\alpha Q_0 + \beta Q_1)\big) = e(P, P)^{abc\,k\gamma} \cdot e(\lambda_1, \alpha Q_0 + \beta Q_1)^{s}.$$
Thus, we obtain the following relation:
$$e(P, P)^{abc} = \left(\frac{\lambda_3}{e(\lambda_1, \alpha Q_0 + \beta Q_1)^{s}}\right)^{1/(k\gamma)},$$
in which $s$, $\gamma$, $k$, $\alpha$, $\beta$, $Q_0$, $Q_1$ and $\lambda_1$ are all known to $B$. It means that algorithm $B$ can solve the Bilinear Diffie-Hellman problem with non-negligible probability. $\square$

5.1 Efficiency Analysis

In the following, we give the corresponding efficiency analysis in terms of signature length and the verifier's computational cost. We show that our two schemes are very efficient by comparison with the efficient SAV-BLS scheme [16] in Table 2. Even though our scheme needs three more exponentiations than SAV-BLS [16], our scheme is an ID-based signature scheme and omits the key escrow problem of ID-based cryptography.

Table 2. Comparison with SAV-BLS (verifier's cost).
                Length     Pairing   Exponentiation on G_2   Map-to-point   ID-based
SAV-BLS [16]    160 bits                      0                                No
Our SAV-1       160 bits      1               3                    1           Yes
Our SAV-2       160 bits      0               3                    1           Yes

6. CONCLUSION

ID-based cryptography has an inherent problem: key escrow. To overcome the problem, we give an ID-based server-aided signature scheme that avoids key escrow. After formally defining the existential unforgeability security model of ID-based server-aided verification signatures, a detailed instance is given, and in the above security model we show that our schemes are secure in the random oracle model. Efficiency is the important advantage of our scheme. To the best of our knowledge, it is the first ID-based server-aided signature scheme. By comparison with SAV-BLS [16], we show that our schemes have the same signature length of 160 bits and approximately the same computational cost.

REFERENCES

1. J. Baek, R. Steinfeld, and Y. Zheng, "Formal proofs for the security of signcryption," in Proceedings of Public Key Cryptography, 2002.
2. P. S. L. M. Barreto, B. Libert, N. McCullagh, and J. Quisquater, "Efficient and provably-secure identity-based signatures and signcryption from bilinear maps," in Proceedings of ASIACRYPT, 2005.
3. M. Bellare and G. Neven, "Identity-based multi-signatures from RSA," in Proceedings of CT-RSA, 2007.
4. D. Boneh, B. Lynn, and H. Shacham, "Short signatures from the Weil pairing," in Proceedings of ASIACRYPT, 2001.
5. X. Boyen, "Multipurpose identity-based signcryption: A Swiss army knife for identity-based cryptography," in Advances in Cryptology, CRYPTO, 2003.
6. R. Cramer and V. Shoup, "A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack," in Proceedings of CRYPTO, 1998.
7. M. Girault and D. Lefranc, "Server-aided verification: theory and practice," in Proceedings of ASIACRYPT, 2005.
8. S. Goldwasser, S. Micali, and R. Rivest, "A digital signature scheme secure against adaptive chosen-message attacks," SIAM Journal on Computing, Vol. 17, 1988.
9. S. Kawamura and A. Shimbo, "Fast server-aided secret computation protocols for modular exponentiation," IEEE Journal on Selected Areas in Communications, Vol. 11, 1993.
10. B. Libert and J. Quisquater, "A new identity based signcryption scheme from pairings," in Proceedings of the IEEE Information Theory Workshop, 2003.
11. C. H. Lim and P. J. Lee, "Security and performance of server-aided RSA computation protocols," in Advances in Cryptology, CRYPTO, 1995.
12. J. J. Quisquater and M. de Soete, "Speeding up smart card RSA computation with insecure coprocessors," in Proceedings of Smart Cards 2000.
13. A. Shamir, "Identity-based cryptosystems and signature schemes," in Proceedings of CRYPTO, 1984.
14. B. Waters, "Efficient identity-based encryption without random oracles," in Proceedings of EUROCRYPT, 2005.
15. Z. Wang, L. Wang, Y. Yang, and Z. Hu, "Comment on Wu et al.'s server-aided verification signature schemes," International Journal of Network Security, Vol. 10, 2010.
16. W. Wu, Y. Mu, W. Susilo, and X. Huang, "Provably secure server-aided verification signatures," Computers and Mathematics with Applications, Vol. 61, 2011.
17. F. Zhang, R. Safavi-Naini, and W. Susilo, "An efficient signature scheme from bilinear pairing and its applications," in Proceedings of Public Key Cryptography, 2004.
18. M. Zhang, B. Yang, S. Zhu, and W. Zhang, "Assertions signcryption scheme in decentralized autonomous trust environments," in Proceedings of the 5th International Conference on Autonomic and Trusted Computing, 2008.
19. M. Girault, "Self-certified public keys," in Advances in Cryptology, EUROCRYPT, 1991.
20. S. Al-Riyami, K. G. Paterson, and A. Hollway, "Certificateless public key cryptography," in Proceedings of Advances in Cryptology, 2003.
21. J. Zhang and J. Mao, "Another efficient proxy signature scheme in the standard model," Journal of Information Science and Engineering, Vol. 27, 2011.

Jianhong Zhang (张键红) received his Ph.D. degree in Cryptography from Xidian University, Xi'an, Shaanxi, in 2004 and his M.S. degree in Computer Software from Guizhou University, Guiyang, Guizhou, in 2001. He was engaged in postdoctoral research at Peking University from October 2005 to December 2007. He has been an Assistant Professor of the College of Sciences, North China University of Technology, Beijing, China, since 2010. His research interests include computer networks, cryptography, electronic commerce security and computer software.

Zhibin Sun (孙 宾) received the M.E. in Computer Science from Renmin University of China in 2004. He is now an Associate Professor in the College of Science, North China University of Technology, Beijing, China. He has published more than 30 papers in international conferences and journals. His research interests include applied mathematics, economic mathematics, computer software and multimedia processing.


More information

Digital Signatures. Adam O Neill based on

Digital Signatures. Adam O Neill based on Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE

More information

(Convertible) Undeniable Signatures without Random Oracles

(Convertible) Undeniable Signatures without Random Oracles Convertible) Undeniable Signatures without Random Oracles Tsz Hon Yuen 1, Man Ho Au 1, Joseph K. Liu 2, and Willy Susilo 1 1 Centre for Computer and Information Security Research School of Computer Science

More information

Numerical Experiments Using MATLAB: Superconvergence of Nonconforming Finite Element Approximation for Second-Order Elliptic Problems

Numerical Experiments Using MATLAB: Superconvergence of Nonconforming Finite Element Approximation for Second-Order Elliptic Problems Applied Matematics, 06, 7, 74-8 ttp://wwwscirporg/journal/am ISSN Online: 5-7393 ISSN Print: 5-7385 Numerical Experiments Using MATLAB: Superconvergence of Nonconforming Finite Element Approximation for

More information