1. Introduction. 2. Background of elliptic curve group. Identity-based Digital Signature Scheme Without Bilinear Pairings

Transcription

1 Identity-based Digital Signature Scheme Without Bilinear Pairings He Debiao, Chen Jianhua, Hu Jin School of Mathematics Statistics, Wuhan niversity, Wuhan, Hubei, China, Abstract: Many identity-based digital signature schemes using bilinear airings have been roosed. But the relative comutation cost of the airing is aroximately twenty times higher than that of the scalar multilication over ellitic curve grou. In order to save the running time the size of the signature, we roose an identity based signature scheme without bilinear airings. With both the running time the size of the signature being saved greatly, our scheme is more ractical than the revious related schemes for ractical alication. Key words: Digital signature, Identity-based crytograhy, Bilinear airings, Ellitic curve 1. Introduction The concet of identity-based (ID-based) crytograhy was first formulated by Shamir [1]. In ID-based crytograhy, a user s unique identifier acts as the user s ublic key, the corresonding rivate key generated by a trusted Key Generation Center (KGC) acts as the user s imlicit certificate, thereby removing the requirement of ublic key certificate. In the first ID-based signature scheme, roosed by Shamir [1], the signature has 048 bits when one uses a 104-bit RSA modulus. In 1988, Guillou et al.[] imroved Shamir s scheme shortened the signature size to 1184 bits when one uses a 104-b RSA modulus a 160-b hash function, e.g., Secure Hash Stard. However, the comutation of modular exonentiation required by the above schemes make unavailable the alication of the schemes in some environment, such as mobile devices, where the comutation ability battery caacity of mobile devices are limited. Fortunately, Ellitic curve crytosystem (ECC) [3,4] has significant advantages like smaller key sizes, faster comutations comared with other ublic-key crytograhy. Many IBS schemes using the ellitic curve airings have been roosed [5-7]. In site of the significant imrovements in the comutation seed, the airing is still regarded as the most exensive crytograhy rimitive. The relative comutation cost of a airing is aroximately twenty times higher than that of the scalar multilication over ellitic curve grou [8]. Therefore, IBS schemes without bilinear airings would be more aealing in terms of efficiency. In this aer, we resent an IBS scheme without airings. The scheme rests on the ellitic curve discrete logarithm roblem (ECDLP).With the airing-free realization, the scheme s overhead is lower than that of revious schemes [5-7] in both comutation the size of signature.. Background of ellitic curve grou We will just give a simle introduction of ellitic curve defined on rime field F in this art, Corresonding author. hedebiao@163.com, Tel:

2 while the knowledge of ellitic curve defined on binary field can be found in [3,4]. Let the symbol E / F denote an ellitic curve E over a rime finite field by an equation with the discriminant y = x 3 + ax + b, a, b F (1) 3 Δ= 4a + 7b 0. () F, defined grou The oints on E / F together with an extra oint O called the oint at infinity form a G = {( x, y): x, y F, E( x, y) = 0} { O}. (3) Let the order of G be n. G is a cyclic additive grou under the oint addition + defined as follows: Let PQ, G, l be the line containing P Q (tangent line to E / F if P = Q ), R, the third oint of intersection of l with E / F. Let l be the line connecting R O. Then P + Q is the oint such that l intersects E / F at R O P + Q. Scalar multilication over E / F can be comuted as follows: tp = P + P + + P( t times) (4). The following roblems defined over G are assumed to be intractable within olynomial time. Elitic curve discrete logarithm roblem: For x Z P the generator of G, R n given Q = x P comute x. 3. Our scheme 3.1.Scheme descrition In this section, we resent an ID-based signature scheme without airing. Our scheme consists of four algorithms: Setu, Extract, Sign, Verify. Setu: This algorithm takes a security arameter k as inut, returns system arameters a master key. Given k, KGC does as follows. 1) Choose a k-bit rime determine the tule { F, E/ F, G, P } as defined in Secttion.

3 ) Choose the master rivate key x Z n comute the master ublic key Pub = x P. 3) Choose two crytograhic secure hash functions H :{0,1} 1 Zn H :{0,1} G Z. 4) Publish { F, E/ F, G, P, P, H1, H } as system arameters kee the master ub key x secretly. Extract: This algorithm takes system arameters, master key a user s identifier as inuts, returns the user s ID-based rivate key. With this algorithm, KGC works as follows for each user with identifier ID. 1) Choose a rom number r Z, comute R = r P h (, ) = H1 ID R. n ) Comute s = r + hx. s rivate key is the tule ( s, R ) is transmitted to via a secure out-of-b channel. can validate her rivate key by checking whether the equation s P= R + h Pub holds. The rivate key is valid if the equation holds vice versa. Sign: This algorithm takes system arameters, user s rivate key ( s, R ) a message m as inuts, returns a signature of the message m. The user does as the follows. 1) Choose a rom number l Z n to comute R = l P. ) Comute h= H ( m, R). 3) Verify whether the equation gcd( l+ h, n) = 1 holds. If the equation does not holds, return to ste 1). 4) Comute s= l+ h s n. mod 5) Outut the signature ( ID, R, R, s). Verify: To verify the signature ( ID, R, R, s) for message m, the verifier first comutes h (, ) = H1 ID R, h = H ( m, R) then checks whether s ( R+ h P) = R + h Pub

4 Accet if it is equal. Otherwise reject. Since R = l P s= l+ h s n, we have mod s R+ h P = l+ h s l P+ h P = l+ h s l+ h P= s P = R + h P ub Then the correctness of our scheme is roved. (5) 3..Security analysis We rove the security of our schemeσin the rom oracle model which treats H 1 H as two rom oracles [9] using the signature security model defined in [10]. As for the security of Σ, the following theorem is rovided. Theorem 1: Consider an adatively chosen message attack in the rom oracle model against Σ. If there is an attacker A that can break Σwith at most q H H -queries q S signature queries within time bound t robability ε 10( q + 1)( q + q ) / k, then the H H S ECDLP can be solved within running time t 3 q t/ ε with robability ε 1/9. H Proof: Suose that there is an attacker A for an adatively chosen message attack against Σ. Then, we show how to use the ability of A to construct an algorithm S solving the ECDLP. Suose S is challenged with a ECDLP instance ( PQ), is tasked to comute x Z n satisfying Q= x P. To do so, S sets { F, E/ F, G, P, Pub = Q, H1, H} as the system arameter answers A s queries as follows. Extract-query: A is allowed to query the extraction oracle for an identity ID. S simulates the oracle as follows. It chooses a, b Z at rom sets n R = a Pub + b P, s = b, h (, ) mod = H1 ID R a n (6) Note that ( s, R ) generated in this way satisfies the equation s P= R + h Pub in the extract algorithm. It is a valid secret key. S oututs ( s, R ) as the secret key of ID stores the value of ( s, R, H1( ID, R), ID ) in the H1 -table.

5 Signature-query: To answer A s signature query on m i (1 i qs ) an identity ID, S chooses at rom a, b Z. Then, it gets h (, ) = H1 ID R from H1 -table, i i n comutes Ri = ai R bi P+ ai h Pub, s = ai sets h (, ) i = H1 mi Ri bi adds ( mi, Ri, b i) to the H -list. If the air ( mi, R i) has been defined in the H -table. S oututs fail exits. Since b i is chosen at rom, the robability of fail is no more than 1/n is negligible. It is straightforward to verify that ( R, R, s ) is a erfect simulation. A will i i not be able to tell the difference between the simulation the reality if S does not abort. If A can forge a valid signature on message m with the robability ε 10( q + 1)( q + q ) / k, where m has not been queried to the signature oracle, then a H H S relay of S with the same rom tae but different choice of H will outut two valid signatures ( mr,, Ri, hi, s) i ( mr,, Ri, h i, s i ). Then we have s ( R+ h P) = R + h P, (7) i i ub s ( R+ h P) = R + h P. (8) i i ub Let R = r P, R = a Pub + b P, Pub = Q= x P, then we have then we have Hence, we have s ( r P+ h P) = a x P+ a P+ h x P, (9) i i s ( r P+ h P) = a x P+ a P+ h x P. (10) i i s s ( r P+ h P) = s a x P+ s a P+ s h x P, (11) i i i i i i s s ( r P+ h P) = s a x P+ s a P+ s h x P. (1) i i i i i i ( s a + s h s a s h ) x P= ( s s h s a s s h + s a ) P. (13) i i i i i i i i i i i i Let u = s a + s h s a s h n ( i i i i ) mod v= ( s s h s a s s h + s a )modn, then, we get x = uv mod n. i i i i i i i i

6 According to [10, Lemma 4], the ECDLP can be solved with robabilityε 1/9 time t 3 q t/ ε. H 4. Comarison with revious scheme In this section, we will comare the efficiency of our new scheme with Cha et al. s scheme [5], Yi s scheme [6] Hess s scheme [7]. In the comutation efficiency comarison, we obtain the running time for crytograhic oerations using MIRACAL [11], a stard crytograhic library. The hardware latform is a PIV 3-GHZ rocessor with 51-MB memory a Windows XP oeration system. For the airing-based scheme, to achieve the 104-bit RSA level security, we use the Tate airing defined over the suersingular ellitic curve 3 E F y x x / : = + with embedding degree, where q is a 160-bit Solinas rime q = a 51-bit rime satisfying + 1= 1qr. For the ECC-based schemes, to achieve the same security level, we emloyed the arameter sec160r1[1], recommended by the Certicom Cororation, where = 1. The running times are listed in Table 1 where sca.mul. sts for scalar multilication. Table 1. Crytograhic Oeration Time(in milliseconds) Pairing Pairing-based ECC-based Ma-to-oint sca.mul sca.mul. hash To evaluate the comutation efficiency of different schemes, we use the simle method from [13]. For examle, the sign algorithm of our scheme requires one ECC-based scale multilication; thus, the comutation time of the sign algorithm is.1 1 =.1 ms; the verify algorithm has to carry out three ECC-based scalar multilications, the resulting running time is.1 3 = 6.63 ms. As another examle, in Cha et al. s scheme[5], the sign algorithm should carry out two airing-based scalar multilications a ma-to-oint hash comutation; thus, the comutation time for a client is = 15.8 ms; the verify algorithm has to carry out one airing, the resulting running time is = 0.04 ms. The size of signature is evaluated by the overall size of the messages generated by the sign algorithm in a scheme. For examle, in our scheme, the generated message comrises an identity, two oints of ellitic curve a number in Z n. Assuming that the size of identity is 4B, the resulting signaling traffic is = 104 B. As another examle, in Cha et al. s scheme, the generated message comrises an identity two oints of ellitic curve, then the resulting signaling traffic is = 60 B. Table shows the results of the erformance comarison.

7 Table. Performance comarison of different schemes Running time Size of signature Sign Verify Cha et al. s 15.8 ms 0.04 ms 60 B scheme [5] Yi s scheme [6] ms ms 60B Hess s scheme 6.4 ms ms 13B [7] Our scheme.1 ms 6.63 ms 104 B According to Table, the running time of the sign algorithm of our scheme is 13.98% of Cha et al. s schemes, 11.54% of Yi s et al. s scheme 8.36% of Hess s scheme, the running time of the verify algorithm of our scheme is 33.08% of Cha et al. s schemes, 14.7% of Yi s et al. s scheme 16.54% of Hess s scheme, the size of signature of our scheme is 40% of Cha et al. s schemes, 40% of Yi s et al. s scheme 78.79% of Hess s scheme. Thus our scheme is more useful efficient than the revious schemes[5-7]. 5. Conclusion In this aer, we have roosed an efficient identity-based digital signature scheme. We also rove the security of the scheme under rom oracle. Comared with revious scheme, the new scheme reduces both the running time the size of signature. Therefore, our scheme is more ractical than the revious related schemes for ractical alication. 6. References [1]. A. Shamir, Identity-based crytosystems signature schemes, Proc. CRYPTO1984, LNCS, vol.196,.47 53, []. L. C. Guillou J. J. Quisquater, A aradoxical identity-based signature scheme resulting from zero-knowledge, in Proc. Cryto 88, Santa Barbara, CA, Aug. 1988, [3]. V.S. Miller, se of ellitic curves in crytograhy. In: Advances in crytology, roceedings of CRYPTO 85, vol. 18. LNCS, Sringer-Verlag; 1986: [4]. Koblitz N. Ellitic curve crytosystem. Mathematics of Comutation 1987, 48: [5]. J. C. Cha J. H. Cheon, An Identity-Based Signature from Ga Diffie-Hellman Grous, PKC 003, LNCS 567, , 003. [6]. X. Yi, An Identity-Based Signature Scheme From the Weil Pairing, IEEE COMMNICATIONS LETTERS, VOL. 7, NO., FEBRARY 003, [7]. Hess, F.: Efficient identity based signature schemes based on airings. In: Nyberg, K., Heys, H.M. (eds.) SAC 00. LNCS, vol. 595, Sringer, Heidelberg(003). [8]. L. Chen, Z. Cheng, N.P. Smart, Identity-based key agreement rotocols from airings, Int. J. Inf. Secur, no.6,.13 41, 007. [9]. M. Bellare P. Rogaway, Rom oracles are ractical: A aradigm for designing efficient schemes, in Proc. 1st ACM Conf. Comut. Commun. Security, 1993, [10]. P. David, S. Jacque,Security Arguments for Digital Signatures Blind Signatures, Journal

8 of Crytology, Vol. 13, No , 000. [11]. Shamus Software Ltd., Miracl library, htt:// ie/index.h?age=home. [1]. The Certicom Cororation, SEC : Recommended Ellitic Curve Domain Parameters, [13]. X. Cao, X. Zeng, W. Kou, L. Hu, Identity-based anonymous remote authentication for value-added services in mobile networks, IEEE Transactions on Vehicular Technology, vol.58, no.7, , 009.