Provably secure revocable ID-based signature in the standard model - Wiley Online Library

SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2013; 6:1250–1260 Published online 18 January 2013 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.696

RESEARCH ARTICLE

Provably secure revocable ID-based signature in the standard model

Tung-Tso Tsai^1, Yuh-Min Tseng^1* and Tsu-Yang Wu^2

1 Department of Mathematics, National Changhua University of Education, Jin-De Campus, Chang-Hua City 500, Taiwan
2 School of Computer Science and Technology, Shenzhen Graduate School, Harbin Institute of Technology, Shenzhen 518055, China

ABSTRACT

A signature scheme is one of the important primitives in modern cryptography; it may offer user identification, non-repudiation, and message authentication. With the advent of identity (ID)-based public key systems built on bilinear pairings over elliptic curves, many ID-based signature schemes have been proposed. Like certificate-based public key systems, any ID-based public key system must provide a revocation method for misbehaving users. There has been little work on the revocation problem of ID-based public key systems, and no ID-based signature scheme deals with how to revoke the signing ability of misbehaving users. Recently, Tseng and Tsai presented a practical revocation mechanism for ID-based public key systems that uses only a public channel. In this paper, we adopt Tseng and Tsai's revocation concept to define a new framework and security notions for revocable ID-based signature (RIBS) schemes and propose the first RIBS scheme in the standard model. Under the computational Diffie–Hellman assumption, we show that the proposed RIBS scheme is provably secure while remaining efficient for signing and verification compared with previously proposed ID-based signature schemes. Copyright © 2013 John Wiley & Sons, Ltd.

KEYWORDS
revocation; identity-based signature; standard model; provable security; bilinear pairing

*Correspondence
Yuh-Min Tseng, Department of Mathematics, National Changhua University of Education, Jin-De Campus, Chang-Hua City 500, Taiwan. E-mail: [email protected]

1. INTRODUCTION

In 1984, Shamir [1] proposed the idea of a public key system in which a user's identity (ID), such as a social security number, e-mail address, or telephone number, serves as the user's public key. Such a system is called an ID-based public key system, in contrast to a certificate-based public key system, where users require certificates to make the mapping between identities and public keys publicly available. In 2001, Boneh and Franklin [2] followed Shamir's idea to propose the first practical ID-based encryption (IBE) scheme, building on progress in elliptic curves with bilinear pairings such as the Weil, Tate, and Ate pairings. Their IBE has two roles: a trusted private key generator (PKG) and users. Users authenticate themselves to the PKG, and the PKG then generates the corresponding private keys for them. Afterwards, a large body of literature followed, including ID-based authentication protocols [3,4], ID-based key agreement protocols [5–7], ID-based signature (IBS) schemes [8–12], IBE schemes [13–16], and ID-based group key agreement schemes [17–19].

A signature scheme is one of the important primitives in modern cryptography; it may offer user identification, non-repudiation, and message authentication. In 2002, on the basis of Boneh and Franklin's ID-based public key system [2], Paterson [8] proposed an IBS scheme making use of bilinear pairings on elliptic curves in the random oracle model [20]. To improve computational efficiency and signature size, Cha and Cheon [9] proposed an efficient IBS scheme based on the gap Diffie–Hellman assumption. In 2009, Tseng et al. [11] further proposed an efficient and provably secure IBS scheme supporting several kinds of batch verification, which greatly improves verification performance for many cooperative and distributed applications. Most existing ID-based cryptographic schemes have been proven secure in the random oracle model [20]. However, such schemes may be insecure when the random oracles are instantiated with concrete hash

T.-T. Tsai, Y.-M. Tseng and T.-Y. Wu

functions [21–23]. To address this problem, ID-based cryptographic mechanisms in the standard model (without random oracles) have received much attention [10,13,23–25]. In 2006, Paterson and Schuldt [10] proposed an efficient IBS scheme without random oracles based on Waters's IBE scheme. Their IBS scheme is computationally efficient, and the signature size is short. However, a critical issue, the revocation problem in the key management of ID-based public key systems, was not discussed in their IBS. Any ID-based or certificate-based public key system must provide a revocation mechanism to remove misbehaving or compromised users from the system, so a practical IBS scheme must provide one as well. In 2001, for the revocation problem in ID-based public key systems, Boneh and Franklin [2] suggested that the PKG generate new private keys for all non-revoked users in each period, so that users periodically receive new private keys from the PKG. In 2008, Boldyreva et al. [26] used a binary tree structure to construct a revocable IBE that reduces the key update size to logarithmic in the number of users. In 2009, Libert and Vergnaud [27] improved the scheme of Boldyreva et al. to obtain an adaptive-ID secure revocable IBE scheme. However, these revocation methods need a secure channel to transmit the users' new private keys in each period, so the PKG and the non-revoked users incur a large computational workload for encryption and decryption in every period. To eliminate the secure channel between the PKG and each user, together with its cost, Tseng and Tsai [28] recently presented a new ID-based public key setting and an associated revocation mechanism that uses a public channel.

In their setting, a user's private (decryption) key is partitioned into two components: an initial secret key and a time update key. The initial secret key is fixed, whereas the time update key changes with each period. The PKG periodically generates new time update keys for the non-revoked users and sends them over a public channel. Each non-revoked user obtains the new time update key from the public channel and combines it with his or her initial secret key to derive the decryption key. To revoke a misbehaving user, the PKG simply stops issuing new time update keys for that user, so a revoked user cannot obtain a time update key from the public channel. Because the time update key travels in the clear, it must be useless on its own: only its combination with the initial secret key yields a usable key, which is exactly what the two adversary types below are meant to capture. In this paper, we adopt the revocation mechanism of Tseng and Tsai [28] to propose the first revocable IBS (RIBS) scheme in the standard model (without random oracles). We first present the new framework of RIBS with public revocation and define its security notions. Following the framework, we propose the first RIBS scheme in the standard model. For the security notions of RIBS with a public channel, we consider two kinds of attackers: an inside adversary (a revoked user) and an outside adversary.

Revocable ID-based signature in the standard model

We will give the formal security analysis of the proposed RIBS scheme for the inside and outside adversaries, respectively. Under the computational Diffie–Hellman (CDH) assumption, we demonstrate that the proposed RIBS scheme is provably secure while remaining efficient for signing and verification as compared with the well-known IBS scheme proposed by Paterson and Schuldt [10]. The remainder of the paper is organized as follows. Preliminaries are given in Section 2. In Section 3, we present the definitions and security notions of RIBS. Section 4 gives the concrete RIBS scheme. In Section 5, we analyze the security of the proposed RIBS scheme. Comparisons are presented in Section 6. Conclusions are given in Section 7.

2. PRELIMINARIES

In this section, we briefly introduce bilinear pairings and the related mathematical assumption.

2.1. Bilinear pairings

Let $G_1$ and $G_2$ be two multiplicative cyclic groups of large prime order $p$, and let $g$ be a generator of $G_1$. A map $\hat{e}: G_1 \times G_1 \to G_2$ is an admissible bilinear map if it satisfies the following properties:
(1) Bilinearity: $\hat{e}(g^a, g^b) = \hat{e}(g, g)^{ab}$ for all $g \in G_1$ and $a, b \in Z_p^*$.
(2) Non-degeneracy: $\hat{e}(g, g) \neq 1$ for the generator $g$ of $G_1$; that is, $\hat{e}$ does not map every pair of elements to the identity of $G_2$.
(3) Computability: there is an efficient algorithm to compute $\hat{e}(g_1, g_2)$ for all $g_1, g_2 \in G_1$.
We refer the reader to [2,5,13] for full descriptions of the groups, maps, and other parameters.

2.2. Related mathematical assumption

Here, we present the mathematical problem and the security assumption on which our scheme is based.
• Computational Diffie–Hellman (CDH) problem: Given a group $G_1$ of large prime order $p$ with generator $g$ and elements $g, g^a, g^b \in G_1$ for unknown $a, b \in Z_p^*$, the CDH problem in $G_1$ is to compute $g^{ab}$.

Definition 1 (CDH assumption). Given $g, g^a, g^b \in G_1$ for unknown $a, b \in Z_p^*$, no probabilistic polynomial-time adversary $A$ can compute $g^{ab}$ with non-negligible probability. The success probability (advantage) of $A$ is
$$\mathrm{Adv}_A = \Pr\left[A(g, g^a, g^b) = g^{ab} \;:\; g \in G_1,\ a, b \in Z_p^*\right],$$
where the probability is taken over the random choice of $a$ and $b$ and the random coins of $A$.

Security Comm. Networks 2013; 6:1250–1260 © 2013 John Wiley & Sons, Ltd. DOI: 10.1002/sec


2.3. Notations

We use the following notations throughout this paper:
• $\hat{e}$: an admissible bilinear map, $\hat{e}: G_1 \times G_1 \to G_2$.
• $g$: a generator of the group $G_1$.
• $s$: the system secret key.
• $ID$: the identity of a user.
• $D_{ID}$: the user's initial secret key.
• $t$: a period, where $1 \le t \le z$ and $z$ denotes the total number of periods.
• $T_{ID,t}$: user $ID$'s time update key for period $t$.
• $S_{ID,t}$: user $ID$'s signing key for period $t$. Note that the signing key $S_{ID,t}$ is derived from the user's initial secret key $D_{ID}$ and time update key $T_{ID,t}$.

3. FRAMEWORK AND SECURITY NOTIONS OF RIBS

In this section, we formally define the framework and security notions of RIBS with a public channel. Following the framework and security notions of IBS presented by Cha and Cheon [9] and Paterson and Schuldt [10], we redefine the framework of RIBS by adding a time key update algorithm for private key update. The key point of the new framework is that a user's private (signing) key is divided into two components: a fixed initial secret key and a time update key that changes with each period. Consequently, a time key update query for the adversary must be added to the security notions of RIBS. We define the new framework and security notions of RIBS with a public channel as follows.

Definition 2. A RIBS scheme with a public channel is a five-tuple of polynomial-time algorithms (G, IKE, TKU, S, V):
• System setup algorithm G: a probabilistic algorithm that takes as input a security parameter $l$ and the total number $z$ of periods; it returns a system secret key $s$ and the public parameters $Parms$. $Parms$ is made public and is an implicit input to all the following algorithms.
• Initial key extract algorithm IKE: an algorithm (probabilistic in our construction) that takes as input the system secret key $s$ and a user's $ID$; it returns the user's initial secret key $D_{ID}$.
• Time key update algorithm TKU: for a period $t$, takes as input the system secret key $s$ and a user's $ID$; it returns the user's time update key $T_{ID,t}$. The user combines the initial secret key $D_{ID}$ and the time update key $T_{ID,t}$ to obtain the signing key $S_{ID,t}$.
• Signing algorithm S: takes as input a period index $t$, a user's signing key $S_{ID,t}$, and a message $M$; it generates a signature $\sigma$.
• Verification algorithm V: takes as input a signature pair $(t, \sigma)$, a message $M$, and the user's $ID$; it outputs "accept" if $(t, \sigma)$ is a valid signature on $M$ and "reject" otherwise.

Definition 3. We say that a RIBS scheme offers existential unforgeability against adaptive chosen-message attacks (RID-UF-ACMA) if no probabilistic polynomial-time adversary $A$ has a non-negligible advantage in the following game (the RID-UF-ACMA game) played with a challenger $B$.
• Setup. The challenger $B$ runs the system setup algorithm G to produce a system secret key $s$ and the public parameters $Parms$. $B$ gives $Parms$ to $A$ and keeps $s$ to itself.
• Queries. The adversary $A$ may adaptively issue the following queries to $B$:
(1) Initial key extract query ($ID$). $B$ runs IKE and returns the user's initial secret key $D_{ID}$ to $A$.
(2) Time key update query ($ID, t$). $B$ runs TKU and returns the user's time update key $T_{ID,t}$ to $A$.
(3) Signing query ($ID, t, M$). $B$ runs S with the user's signing key $S_{ID,t}$ to obtain a signature $\sigma$ on $M$ and returns $\sigma$ to $A$.
• Forgery. The adversary $A$ outputs a tuple $(M^*, ID^*, t^*, \sigma^*)$. $A$ wins the RID-UF-ACMA game if the following conditions hold:
(1) The verification algorithm V accepts $(M^*, ID^*, t^*, \sigma^*)$.
(2) $\sigma^*$ was not returned by a signing query on $(ID^*, t^*, M^*)$.
(3) Either $ID^*$ did not appear in an initial key extract query or $(ID^*, t^*)$ did not appear in a time key update query. In other words, $A$ may obtain one of the two components of the target's signing key, but not both.
The advantage of $A$ is defined as the probability that $A$ wins.

4. THE RIBS SCHEME IN THE STANDARD MODEL

Here, we present the concrete RIBS scheme, which consists of five algorithms: system setup, initial key extract, time key update, signing, and verification. Throughout, we write $\mathcal{U}$, $\mathcal{T}$, and $\mathcal{W}$ for the index sets derived from the hash values, to distinguish them from the public vectors $U$, $T$, and $W$.

• System setup: A trusted PKG takes a security parameter $l$ and the total number $z$ of periods as input. The PKG generates two groups $G_1$ and $G_2$ of large prime order $p > 2^l$, an admissible bilinear map $\hat{e}: G_1 \times G_1 \to G_2$, and a generator $g$ of $G_1$, and then performs the following tasks.
(1) Set three collision-resistant hash functions $H_1: \{0,1\}^* \to \{0,1\}^h$, $H_2: \{0,1\}^* \to \{0,1\}^m$, and $H_3: \{0,1\}^* \to \{0,1\}^n$, where $h$, $m$, and $n$ are fixed lengths.
(2) Choose two secret random values $a, b \in Z_p^*$ and compute $g_1 = g^{a+b} \in G_1$.
(3) Randomly choose $g_2 \in G_1$ and three values $u', t', w' \in G_1$, as well as three vectors $U = (u_i)$ of length $h$, $T = (t_j)$ of length $m$, and $W = (w_k)$ of length $n$, where $u_i, t_j, w_k \in G_1$ for $i \in [1, h]$, $j \in [1, m]$, and $k \in [1, n]$.
(4) Return the system secret key $s = (g_2^a, g_2^b)$ and the public parameters $Parms = (G_1, G_2, \hat{e}, g, g_1, g_2, H_1, H_2, H_3, u', U, t', T, w', W)$.

• Initial key extract: Given a user's $ID \in \{0,1\}^*$, the PKG computes $v = H_1(ID)$. Here, $v$ is a bit string of length $h$ representing the $ID$, in which $v_i$ denotes the $i$th bit of $v$. Let $\mathcal{U} \subseteq \{1, 2, \ldots, h\}$ be the set of indices $i$ such that $v_i = 1$. The PKG chooses a random $r_v \in Z_p^*$ and computes the initial secret key
$$D_{ID} = (D_1, D_2) = \left( g_2^{a} \Big( u' \prod_{i \in \mathcal{U}} u_i \Big)^{r_v},\ g^{r_v} \right).$$
Finally, the PKG transmits $D_{ID}$ to the user via a secure channel.

• Time key update: For a period $t$, let $vt = H_2(ID, t)$ be a bit string of length $m$ representing the $ID$ and the period $t$, in which $vt_j$ denotes the $j$th bit of $vt$. Let $\mathcal{T} \subseteq \{1, 2, \ldots, m\}$ be the set of indices $j$ such that $vt_j = 1$. The PKG chooses a random $r_t \in Z_p^*$ and computes the time update key
$$T_{ID,t} = (T_1, T_2) = \left( g_2^{b} \Big( t' \prod_{j \in \mathcal{T}} t_j \Big)^{r_t},\ g^{r_t} \right).$$
The PKG sends $T_{ID,t}$ to the user via a public channel. The non-revoked user then uses $D_{ID}$ and $T_{ID,t}$ to compute his or her signing key for period $t$ as
$$S_{ID,t} = (S_1, S_2, S_3) = (D_1 T_1,\ D_2,\ T_2) = \left( g_2^{a+b} \Big( u' \prod_{i \in \mathcal{U}} u_i \Big)^{r_v} \Big( t' \prod_{j \in \mathcal{T}} t_j \Big)^{r_t},\ g^{r_v},\ g^{r_t} \right).$$

• Signing: For a period $t$, given a message $M \in \{0,1\}^*$, let $vm = H_3(M)$ be a bit string of length $n$ representing the message, in which $vm_k$ denotes the $k$th bit of $vm$. Let $\mathcal{W} \subseteq \{1, 2, \ldots, n\}$ be the set of indices $k$ such that $vm_k = 1$. A non-revoked signer with identity $ID$ chooses a random $r_m \in Z_p^*$ and uses the signing key $S_{ID,t} = (S_1, S_2, S_3)$ to compute the signature on $M$ as
$$\sigma = (\sigma_1, \sigma_2, \sigma_3, \sigma_4) = \left( S_1 \Big( w' \prod_{k \in \mathcal{W}} w_k \Big)^{r_m},\ S_2,\ S_3,\ g^{r_m} \right) = \left( g_2^{a+b} \Big( u' \prod_{i \in \mathcal{U}} u_i \Big)^{r_v} \Big( t' \prod_{j \in \mathcal{T}} t_j \Big)^{r_t} \Big( w' \prod_{k \in \mathcal{W}} w_k \Big)^{r_m},\ g^{r_v},\ g^{r_t},\ g^{r_m} \right).$$

• Verification: Given a signature $\sigma = (\sigma_1, \sigma_2, \sigma_3, \sigma_4)$ of a non-revoked signer $ID$ on a message $M$ in period $t$, any verifier recomputes $\mathcal{U}$, $\mathcal{T}$, and $\mathcal{W}$ from $H_1(ID)$, $H_2(ID, t)$, and $H_3(M)$ and checks
$$\hat{e}(\sigma_1, g) = \hat{e}(g_1, g_2)\; \hat{e}\Big(\sigma_2,\ u' \prod_{i \in \mathcal{U}} u_i\Big)\; \hat{e}\Big(\sigma_3,\ t' \prod_{j \in \mathcal{T}} t_j\Big)\; \hat{e}\Big(\sigma_4,\ w' \prod_{k \in \mathcal{W}} w_k\Big).$$
It outputs "accept" if the checking equation holds and "reject" otherwise. Note that the period $t$ enters the verification only through $H_2(ID, t)$, so a signature produced with a signing key of a different period (for instance, a revoked user reusing an old $T_{ID,t}$) fails the check. The correctness of the checking equation follows from bilinearity:
$$\hat{e}(\sigma_1, g) = \hat{e}\Big( g_2^{a+b} \Big( u' \prod_{i \in \mathcal{U}} u_i \Big)^{r_v} \Big( t' \prod_{j \in \mathcal{T}} t_j \Big)^{r_t} \Big( w' \prod_{k \in \mathcal{W}} w_k \Big)^{r_m},\ g \Big)$$
$$= \hat{e}\big(g_2^{a+b}, g\big)\; \hat{e}\Big( \Big( u' \prod_{i \in \mathcal{U}} u_i \Big)^{r_v}, g \Big)\; \hat{e}\Big( \Big( t' \prod_{j \in \mathcal{T}} t_j \Big)^{r_t}, g \Big)\; \hat{e}\Big( \Big( w' \prod_{k \in \mathcal{W}} w_k \Big)^{r_m}, g \Big)$$
$$= \hat{e}\big(g_2, g^{a+b}\big)\; \hat{e}\Big( u' \prod_{i \in \mathcal{U}} u_i,\ g^{r_v} \Big)\; \hat{e}\Big( t' \prod_{j \in \mathcal{T}} t_j,\ g^{r_t} \Big)\; \hat{e}\Big( w' \prod_{k \in \mathcal{W}} w_k,\ g^{r_m} \Big)$$
$$= \hat{e}(g_1, g_2)\; \hat{e}\Big(\sigma_2,\ u' \prod_{i \in \mathcal{U}} u_i\Big)\; \hat{e}\Big(\sigma_3,\ t' \prod_{j \in \mathcal{T}} t_j\Big)\; \hat{e}\Big(\sigma_4,\ w' \prod_{k \in \mathcal{W}} w_k\Big).$$

5. SECURITY ANALYSIS
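Before turning to the security analysis, the five algorithms of Section 4 are worked through below in a toy model. This is an added example, not code from the paper or its authors. Instead of a pairing-friendly elliptic curve, it writes every element $g^x$ of $G_1$ as its exponent $x$ modulo an assumed toy modulus $P$, so multiplication in $G_1$ becomes addition, exponentiation becomes multiplication by a scalar, and $\hat{e}(g^x, g^y) = \hat{e}(g, g)^{xy}$ becomes the product $xy$. Exponents are therefore in the open and the model offers no security at all; what it checks is the algebra: an honestly derived $S_{ID,t}$ passes the verification equation, while a signer whose time update key for period 3 was never issued cannot pass the period-3 check with the period-2 key, and a changed message is rejected. SHA-256 with a domain label stands in for $H_1$, $H_2$, $H_3$; the identity, the message, and the lengths $h = m = n = 64$ are constructed assumptions.

```python
"""Toy model of the Section 4 RIBS scheme with G1 elements stored as exponents.

ASSUMPTION (added example, not the paper's code): g^x is stored as the integer
x mod P, so  multiply in G1 = add exponents,  exponentiate = multiply by a scalar,
and  e(g^x, g^y) = e(g,g)^{xy}  becomes  x*y mod P.  Exponents are visible, so
this is NOT a secure instantiation; it only exercises the algebra of the scheme.
"""
import hashlib
import secrets

P = 2**127 - 1                      # assumed toy group order (a Mersenne prime)


def rnd() -> int:
    """Random element of Z_p^*."""
    return secrets.randbelow(P - 1) + 1


def pair(x: int, y: int) -> int:
    """e(g^x, g^y) = e(g,g)^{xy}: in the exponent model, x*y mod P."""
    return x * y % P


def bit_indices(label: bytes, data: bytes, length: int) -> list:
    """0-based indices k with bit k of SHA-256(label||data) = 1 (stands in for H1/H2/H3)."""
    bits = ''.join(f'{byte:08b}' for byte in hashlib.sha256(label + data).digest())[:length]
    return [k for k, bit in enumerate(bits) if bit == '1']


def waters(base: int, vec: list, idx: list) -> int:
    """Exponent of base' * prod_{k in idx} vec[k], e.g. u' prod_{i in U} u_i."""
    return (base + sum(vec[k] for k in idx)) % P


def setup(h: int = 64, m: int = 64, n: int = 64):
    """System setup: returns (Parms, s) with s = (g2^a, g2^b) as exponents."""
    a, b, g2 = rnd(), rnd(), rnd()
    parms = dict(h=h, m=m, n=n, g1=(a + b) % P, g2=g2,
                 u0=rnd(), U=[rnd() for _ in range(h)],
                 t0=rnd(), T=[rnd() for _ in range(m)],
                 w0=rnd(), W=[rnd() for _ in range(n)])
    return parms, (a * g2 % P, b * g2 % P)


def initial_key_extract(parms, s, ID: bytes):
    """D_ID = (g2^a (u' prod u_i)^{r_v}, g^{r_v}); sent once over a secure channel."""
    hu = waters(parms['u0'], parms['U'], bit_indices(b'H1', ID, parms['h']))
    r_v = rnd()
    return ((s[0] + r_v * hu) % P, r_v)


def time_key_update(parms, s, ID: bytes, t: int):
    """T_{ID,t} = (g2^b (t' prod t_j)^{r_t}, g^{r_t}); published over a public channel."""
    ht = waters(parms['t0'], parms['T'], bit_indices(b'H2', ID + t.to_bytes(4, 'big'), parms['m']))
    r_t = rnd()
    return ((s[1] + r_t * ht) % P, r_t)


def signing_key(D, T):
    """S_{ID,t} = (D1 * T1, D2, T2)."""
    return ((D[0] + T[0]) % P, D[1], T[1])


def sign(parms, S, M: bytes):
    """sigma = (S1 (w' prod w_k)^{r_m}, S2, S3, g^{r_m})."""
    hw = waters(parms['w0'], parms['W'], bit_indices(b'H3', M, parms['n']))
    r_m = rnd()
    return ((S[0] + r_m * hw) % P, S[1], S[2], r_m)


def verify(parms, ID: bytes, t: int, M: bytes, sigma) -> bool:
    """e(s1, g) == e(g1, g2) e(s2, u'prod u_i) e(s3, t'prod t_j) e(s4, w'prod w_k)."""
    s1, s2, s3, s4 = sigma
    hu = waters(parms['u0'], parms['U'], bit_indices(b'H1', ID, parms['h']))
    ht = waters(parms['t0'], parms['T'], bit_indices(b'H2', ID + t.to_bytes(4, 'big'), parms['m']))
    hw = waters(parms['w0'], parms['W'], bit_indices(b'H3', M, parms['n']))
    lhs = pair(s1, 1)                                    # the generator g has exponent 1
    rhs = (pair(parms['g1'], parms['g2']) + pair(s2, hu) + pair(s3, ht) + pair(s4, hw)) % P
    return lhs == rhs


def demo():
    """Honest signature accepted; reuse of the period-2 key for period 3 (no T_{ID,3}
    was issued, i.e. the user is revoked) and a tampered message both rejected."""
    parms, s = setup()
    ID, M = b'alice@example.com', b'approve transfer #42'     # constructed sample input
    D = initial_key_extract(parms, s, ID)
    S = signing_key(D, time_key_update(parms, s, ID, 2))
    sigma = sign(parms, S, M)
    accepted = verify(parms, ID, 2, M, sigma)
    stale_period = verify(parms, ID, 3, M, sigma)            # revoked: only S_{ID,2} exists
    tampered = verify(parms, ID, 2, b'approve transfer #43', sigma)
    return accepted, stale_period, tampered


if __name__ == '__main__':
    print(demo())                                             # (True, False, False)
```

`demo()` returns `(True, False, False)`. In a real deployment the exponent arithmetic is replaced by a symmetric pairing library over a curve whose group order takes the place of $P$; $D_{ID}$ is delivered once over an authenticated, confidential channel, while $T_{ID,t}$ can be published, exactly as the scheme prescribes.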

Here, we give the security analysis of the proposed RIBS scheme. As in the RID-UF-ACMA game, assume without loss of generality that the adversary wants to forge a valid signature $\sigma^*$. In the game, the adversary may obtain either the initial secret key or the time update key of the target identity, but not both. To simplify the security proof, we consider two types of adversaries: the outside adversary and the inside adversary (a revoked user). In the first case, the outside adversary may issue all queries in the RID-UF-ACMA game except the initial key extract query on $ID^*$. In the second case, the inside adversary may issue all queries except the time key update query on $(ID^*, t^*)$. In the following, we use techniques similar to those of [10,11,13] to present two theorems showing that the proposed RIBS scheme with a public channel is provably secure against the outside and the inside adversary, respectively.

Theorem 1. In the standard model, the proposed RIBS scheme offers existential unforgeability against adaptive chosen-message attacks (RID-UF-ACMA) under the CDH assumption. Concretely, assume that an outside adversary $A$ has advantage $\epsilon$ against the proposed RIBS scheme within running time $\tau$, making at most $q_E > 0$ initial key extract queries, $q_U > 0$ time key update queries, and $q_S > 0$ signing queries. Then the proposed RIBS scheme is $(\tau, q_E, q_U, q_S, \epsilon)$-RID-UF-ACMA secure assuming that the CDH problem is $(\tau', \epsilon')$-intractable, where
$$\tau' = \tau + O\big( (h q_E + m q_U + (h + m + n) q_S)\, \tau_1 + (q_E + q_U + q_S)\, \tau_2 \big) \quad\text{and}\quad \epsilon' = \frac{\epsilon}{16\, (q_E + q_S)\, q_S\, (h + 1)(n + 1)},$$
in which $\tau_1$ and $\tau_2$ denote the execution time of a multiplication and of an exponentiation in $G_1$, respectively. (We write running times with $\tau$ to keep them apart from the period index $t$ and the vector $T = (t_j)$.)

Proof. Assume that an adversary $A$ can break the proposed RIBS scheme. Using $A$, we construct a challenger $B$ in the RID-UF-ACMA game that solves the CDH problem. $B$ is given $\langle G_1, G_2, \hat{e}, g, g^a, g^b \rangle$ as an instance of the CDH problem, where $a, b \in Z_p^*$ are unknown, and wants to compute $g^{ab}$. $B$ simulates the challenger in the RID-UF-ACMA game for $A$ as follows.

• Setup. The challenger $B$ sets $l_v = 2(q_E + q_S)$ and $l_m = 2 q_S$, and randomly chooses two integers $k_v$ and $k_m$ with $0 \le k_v \le h$ and $0 \le k_m \le n$. We assume that $l_v (h + 1) < p$ and $l_m (n + 1) < p$ for the given values of $q_E$, $q_S$, $h$, and $n$. $B$ randomly chooses an integer $x' \in Z_{l_v}$ and a vector $X = (x_i)$ of length $h$ with $x_i \in Z_{l_v}$; an integer $y' \in Z_p$ and a vector $Y = (y_i)$ of length $h$ with $y_i \in Z_p$; an integer $z' \in Z_p$ and a vector $Z = (z_j)$ of length $m$ with $z_j \in Z_p$; an integer $c' \in Z_{l_m}$ and a vector $C = (c_k)$ of length $n$ with $c_k \in Z_{l_m}$; and an integer $d' \in Z_p$ and a vector $D = (d_k)$ of length $n$ with $d_k \in Z_p$. For $v = H_1(ID)$, $vt = H_2(ID, t)$, and $vm = H_3(M)$ with index sets $\mathcal{U}$, $\mathcal{T}$, and $\mathcal{W}$ as in Section 4, we define two functions for $v$, one for $vt$, and two for $vm$:
$$F(v) = x' + \sum_{i \in \mathcal{U}} x_i - l_v k_v, \qquad J(v) = y' + \sum_{i \in \mathcal{U}} y_i,$$
$$E(vt) = z' + \sum_{j \in \mathcal{T}} z_j,$$
$$K(vm) = c' + \sum_{k \in \mathcal{W}} c_k - l_m k_m, \qquad L(vm) = d' + \sum_{k \in \mathcal{W}} d_k.$$
The challenger $B$ chooses a random value $\beta \in Z_p$ as the secret value for the time update keys and assigns
$$g_1 = g^{a} g^{\beta},\quad g_2 = g^{b},\quad u' = g_2^{-l_v k_v + x'} g^{y'},\quad u_i = g_2^{x_i} g^{y_i},\quad t' = g^{z'},\quad t_j = g^{z_j},\quad w' = g_2^{-l_m k_m + c'} g^{d'},\quad w_k = g_2^{c_k} g^{d_k}$$
for $1 \le i \le h$, $1 \le j \le m$, and $1 \le k \le n$. Thus the scheme's exponent $a + b$ is played by $a + \beta$: $B$ knows $g_2^{\beta}$, which takes the role of $g_2^b$, but not $g_2^a = g^{ab}$, which is the CDH answer. With these choices,
$$u' \prod_{i \in \mathcal{U}} u_i = g_2^{F(v)} g^{J(v)}, \qquad t' \prod_{j \in \mathcal{T}} t_j = g^{E(vt)}, \qquad w' \prod_{k \in \mathcal{W}} w_k = g_2^{K(vm)} g^{L(vm)}.$$

• Queries. $B$ responds to the initial key extract query on $ID$, the time key update query on $(ID, t)$, and the signing query on $(ID, t, M)$ as follows.

• Initial key extract query ($ID$): Upon receiving the query, $B$ computes $v = H_1(ID)$ and then $F(v)$ and $J(v)$. If $F(v) = 0 \bmod p$, $B$ reports failure and terminates. Otherwise, $B$ chooses a random $r_v \in Z_p$ and computes
$$D_{ID} = (D_1, D_2) = \left( \Big( \frac{g_1}{g^{\beta}} \Big)^{-J(v)/F(v)} \Big( u' \prod_{i \in \mathcal{U}} u_i \Big)^{r_v},\ \Big( \frac{g_1}{g^{\beta}} \Big)^{-1/F(v)} g^{r_v} \right).$$
We now show that $D_{ID} = (D_1, D_2)$ is a valid initial secret key:
$$D_1 = \Big( \frac{g^{a+\beta}}{g^{\beta}} \Big)^{-J(v)/F(v)} \Big( g_2^{-l_v k_v + x'} g^{y'} \prod_{i \in \mathcal{U}} g_2^{x_i} g^{y_i} \Big)^{r_v} = (g^{a})^{-J(v)/F(v)} \big( g_2^{F(v)} g^{J(v)} \big)^{r_v}$$
$$= g_2^{a}\, g_2^{-a}\, g^{-aJ(v)/F(v)} \big( g_2^{F(v)} g^{J(v)} \big)^{r_v} = g_2^{a} \big( g_2^{F(v)} g^{J(v)} \big)^{-a/F(v)} \big( g_2^{F(v)} g^{J(v)} \big)^{r_v} = g_2^{a} \big( g_2^{F(v)} g^{J(v)} \big)^{r_v - a/F(v)} = g_2^{a} \Big( u' \prod_{i \in \mathcal{U}} u_i \Big)^{r_v'}$$
and
$$D_2 = \Big( \frac{g^{a+\beta}}{g^{\beta}} \Big)^{-1/F(v)} g^{r_v} = (g^{a})^{-1/F(v)} g^{r_v} = g^{r_v - a/F(v)} = g^{r_v'},$$
where $r_v' = r_v - a/F(v)$. Since $r_v$ is uniform in $Z_p$, so is $r_v'$, and $D_{ID}$ is distributed exactly as in the real scheme; the negative exponents are what make the implicit randomness come out as $r_v - a/F(v)$, as in the Waters-style simulation of [10].


• Time key update query ($ID, t$): Upon receiving the query, $B$ chooses a random $r_t \in Z_p$ and uses the secret value $\beta$ to compute the time update key
$$T_{ID,t} = (T_1, T_2) = \left( g_2^{\beta} \Big( t' \prod_{j \in \mathcal{T}} t_j \Big)^{r_t},\ g^{r_t} \right),$$
which is correctly distributed because $g_2^{\beta}$ plays the role of $g_2^{b}$ in the simulated system.

• Signing query ($ID, t, M$): Upon receiving the query, $B$ computes $v = H_1(ID)$ and then $F(v)$ and $J(v)$. If $F(v) \neq 0 \bmod l_v$ (which, by $l_v(h+1) < p$, implies $F(v) \neq 0 \bmod p$), $B$ constructs the initial secret key for $v = H_1(ID)$ and the time update key for $vt = H_2(ID, t)$ as in the two queries above and then runs the signing algorithm to create a signature on $M$. If $F(v) = 0 \bmod l_v$, $B$ instead builds the signature in the same way as an initial secret key is built above, but using the message hash: $B$ computes $vm = H_3(M)$ and then $K(vm)$ and $L(vm)$. If $K(vm) = 0 \bmod l_m$, $B$ reports failure and terminates. If $K(vm) \neq 0 \bmod l_m$ (so $K(vm)$ is invertible modulo $p$), $B$ chooses random $r_v, r_t, r_m \in Z_p$ and constructs
$$\sigma = (\sigma_1, \sigma_2, \sigma_3, \sigma_4) = \left( g_2^{\beta} \Big( u' \prod_{i \in \mathcal{U}} u_i \Big)^{r_v} \Big( t' \prod_{j \in \mathcal{T}} t_j \Big)^{r_t} \Big( \frac{g_1}{g^{\beta}} \Big)^{-L(vm)/K(vm)} \Big( w' \prod_{k \in \mathcal{W}} w_k \Big)^{r_m},\ g^{r_v},\ g^{r_t},\ \Big( \frac{g_1}{g^{\beta}} \Big)^{-1/K(vm)} g^{r_m} \right).$$
This is a valid signature, since
$$\sigma_1 = g_2^{\beta} \Big( u' \prod_{i \in \mathcal{U}} u_i \Big)^{r_v} \Big( t' \prod_{j \in \mathcal{T}} t_j \Big)^{r_t} (g^{a})^{-L(vm)/K(vm)} \big( g_2^{K(vm)} g^{L(vm)} \big)^{r_m}$$
$$= g_2^{\beta} \Big( u' \prod_{i \in \mathcal{U}} u_i \Big)^{r_v} \Big( t' \prod_{j \in \mathcal{T}} t_j \Big)^{r_t} g_2^{a}\, g_2^{-a}\, g^{-aL(vm)/K(vm)} \big( g_2^{K(vm)} g^{L(vm)} \big)^{r_m}$$
$$= g_2^{a+\beta} \Big( u' \prod_{i \in \mathcal{U}} u_i \Big)^{r_v} \Big( t' \prod_{j \in \mathcal{T}} t_j \Big)^{r_t} \big( g_2^{K(vm)} g^{L(vm)} \big)^{r_m - a/K(vm)} = g_2^{a+\beta} \Big( u' \prod_{i \in \mathcal{U}} u_i \Big)^{r_v} \Big( t' \prod_{j \in \mathcal{T}} t_j \Big)^{r_t} \Big( w' \prod_{k \in \mathcal{W}} w_k \Big)^{r_m'}$$
and
$$\sigma_4 = \Big( \frac{g^{a+\beta}}{g^{\beta}} \Big)^{-1/K(vm)} g^{r_m} = (g^{a})^{-1/K(vm)} g^{r_m} = g^{r_m - a/K(vm)} = g^{r_m'},$$
where $r_m' = r_m - a/K(vm)$ is uniform in $Z_p$ because $r_m$ is.

• Forgery. If $B$ has not aborted and has answered all the queries above, the adversary $A$ outputs a forgery $(M^*, ID^*, t^*, \sigma^*)$ with $\sigma^* = (\sigma_1^*, \sigma_2^*, \sigma_3^*, \sigma_4^*)$; let $v^* = H_1(ID^*)$, $vt^* = H_2(ID^*, t^*)$, and $vm^* = H_3(M^*)$ with index sets $\mathcal{U}^*$, $\mathcal{T}^*$, and $\mathcal{W}^*$. If $F(v^*) \neq 0 \bmod p$ or $K(vm^*) \neq 0 \bmod p$, $B$ reports failure and terminates. If $F(v^*) = 0 \bmod p$ and $K(vm^*) = 0 \bmod p$, then
$$u' \prod_{i \in \mathcal{U}^*} u_i = g^{J(v^*)}, \qquad t' \prod_{j \in \mathcal{T}^*} t_j = g^{E(vt^*)}, \qquad w' \prod_{k \in \mathcal{W}^*} w_k = g^{L(vm^*)},$$
so the verification equation $\hat{e}(\sigma_1^*, g) = \hat{e}(g_1, g_2)\, \hat{e}(\sigma_2^*, g^{J(v^*)})\, \hat{e}(\sigma_3^*, g^{E(vt^*)})\, \hat{e}(\sigma_4^*, g^{L(vm^*)})$ forces
$$\sigma_1^* = g_2^{a+\beta}\, (\sigma_2^*)^{J(v^*)}\, (\sigma_3^*)^{E(vt^*)}\, (\sigma_4^*)^{L(vm^*)},$$
that is, writing $\sigma_2^* = g^{r_v}$, $\sigma_3^* = g^{r_t}$, and $\sigma_4^* = g^{r_m}$ for some $r_v, r_t, r_m \in Z_p$, $\sigma^* = \big( g_2^{a+\beta} g^{r_v J(v^*)} g^{r_t E(vt^*)} g^{r_m L(vm^*)},\ g^{r_v},\ g^{r_t},\ g^{r_m} \big)$. The challenger $B$ therefore computes and outputs
$$\frac{\sigma_1^*}{(\sigma_2^*)^{J(v^*)}\, (\sigma_3^*)^{E(vt^*)}\, (\sigma_4^*)^{L(vm^*)}\, g_2^{\beta}} = \frac{g_2^{a+\beta}\, g^{r_v J(v^*)}\, g^{r_t E(vt^*)}\, g^{r_m L(vm^*)}}{g^{r_v J(v^*)}\, g^{r_t E(vt^*)}\, g^{r_m L(vm^*)}\, g_2^{\beta}} = g_2^{a} = g^{ab}.$$


In the Queries phase, the challenger $B$ perfectly simulates the initial key extract, time key update, and signing queries whenever it does not abort. We now analyse the probability that $B$ does not abort. In the Queries phase, $B$ aborts when $F(v) = 0 \bmod p$ in an initial key extract query, or when $F(v) = 0 \bmod l_v$ and $K(vm) = 0 \bmod l_m$ in a signing query. To make the analysis easier, we force $B$ to abort whenever $F(v) = 0 \bmod l_v$ in an initial key extract query or in a signing query on an identity other than the challenge identity, and whenever $K(vm) = 0 \bmod l_m$ in a signing query on the challenge identity. By the assumptions $l_v (h + 1) < p$ and $l_m (n + 1) < p$, we have $0 \le l_v k_v < p$, $0 \le x' + \sum_{i \in \mathcal{U}} x_i < p$, $0 \le l_m k_m < p$, and $0 \le c' + \sum_{k \in \mathcal{W}} c_k < p$. Hence $F(v) = 0 \bmod p$ implies $F(v) = 0 \bmod l_v$, and $K(vm) = 0 \bmod p$ implies $K(vm) = 0 \bmod l_m$, so the forced aborts only enlarge the abort event. In the Forgery phase, $B$ aborts if $F(v^*) \neq 0 \bmod p$ or $K(vm^*) \neq 0 \bmod p$.

Let $v_1, \ldots, v_{q_I}$ be the identities appearing in initial key extract queries or in signing queries not involving the challenge identity, let $vt_1, \ldots, vt_{q_T}$ be the identity/period pairs appearing in time key update queries, and let $vm_1, \ldots, vm_{q_M}$ be the messages in signing queries involving the challenge identity. Clearly, $q_I \le q_E + q_S$, $q_T \le q_U$, and $q_M \le q_S$. Time key update queries never cause $B$ to abort, so $q_T$ does not enter the bound. Define the events $A_i: F(v_i) \neq 0 \bmod l_v$, $A^*: F(v^*) = 0 \bmod p$, $B_k: K(vm_k) \neq 0 \bmod l_m$, and $B^*: K(vm^*) = 0 \bmod p$. From the above, the probability that $B$ does not abort satisfies
$$\Pr[\neg \mathrm{abort}] \ge \Pr\Big[ \bigwedge_{i=1}^{q_I} A_i \wedge A^* \wedge \bigwedge_{k=1}^{q_M} B_k \wedge B^* \Big] = \Pr[A^*]\; \Pr\Big[ \bigwedge_{i=1}^{q_I} A_i \,\Big|\, A^* \Big]\; \Pr[B^*]\; \Pr\Big[ \bigwedge_{k=1}^{q_M} B_k \,\Big|\, B^* \Big],$$
where the factorization uses that $(k_v, x', X)$ and $(k_m, c', C)$ are chosen independently.

By $l_v (h + 1) < p$ and $l_m (n + 1) < p$, if $F(v) = 0 \bmod l_v$ then there is a unique $k_v$ with $0 \le k_v \le h$ such that $F(v) = 0 \bmod p$, and likewise if $K(vm) = 0 \bmod l_m$ there is a unique $k_m$ with $0 \le k_m \le n$ such that $K(vm) = 0 \bmod p$. Because $k_v$, $x'$, $X$, $k_m$, $c'$, and $C$ are chosen uniformly at random, we have
$$\Pr[A^*] = \Pr\big[ F(v^*) = 0 \bmod p \wedge F(v^*) = 0 \bmod l_v \big] = \Pr\big[ F(v^*) = 0 \bmod l_v \big] \Pr\big[ F(v^*) = 0 \bmod p \mid F(v^*) = 0 \bmod l_v \big] = \frac{1}{l_v} \cdot \frac{1}{h + 1},$$
$$\Pr[B^*] = \Pr\big[ K(vm^*) = 0 \bmod p \wedge K(vm^*) = 0 \bmod l_m \big] = \Pr\big[ K(vm^*) = 0 \bmod l_m \big] \Pr\big[ K(vm^*) = 0 \bmod p \mid K(vm^*) = 0 \bmod l_m \big] = \frac{1}{l_m} \cdot \frac{1}{n + 1}.$$
We also have
$$\Pr\Big[ \bigwedge_{i=1}^{q_I} A_i \,\Big|\, A^* \Big] = 1 - \Pr\Big[ \bigvee_{i=1}^{q_I} \neg A_i \,\Big|\, A^* \Big] \ge 1 - \sum_{i=1}^{q_I} \Pr[\neg A_i \mid A^*] = 1 - \frac{q_I}{l_v} \ge 1 - \frac{q_E + q_S}{l_v}$$
and
$$\Pr\Big[ \bigwedge_{k=1}^{q_M} B_k \,\Big|\, B^* \Big] = 1 - \Pr\Big[ \bigvee_{k=1}^{q_M} \neg B_k \,\Big|\, B^* \Big] \ge 1 - \sum_{k=1}^{q_M} \Pr[\neg B_k \mid B^*] = 1 - \frac{q_M}{l_m} \ge 1 - \frac{q_S}{l_m},$$
where $\Pr[\neg A_i \mid A^*] = 1/l_v$ and $\Pr[\neg B_k \mid B^*] = 1/l_m$ as in [10], since $v_i \neq v^*$ (respectively $vm_k \neq vm^*$) differ in at least one position whose coefficient is uniform in $Z_{l_v}$ (respectively $Z_{l_m}$). Hence
$$\Pr\Big[ \bigwedge_{i=1}^{q_I} A_i \wedge A^* \Big] \ge \frac{1}{l_v} \cdot \frac{1}{h + 1} \Big( 1 - \frac{q_E + q_S}{l_v} \Big) \quad\text{and}\quad \Pr\Big[ \bigwedge_{k=1}^{q_M} B_k \wedge B^* \Big] \ge \frac{1}{l_m} \cdot \frac{1}{n + 1} \Big( 1 - \frac{q_S}{l_m} \Big).$$
With $l_v = 2(q_E + q_S)$ and $l_m = 2 q_S$, each bracket equals $1/2$, and the resulting probability that $B$ does not abort is
$$\Pr[\neg \mathrm{abort}] \ge \frac{1}{4 (q_E + q_S)(h + 1)} \cdot \frac{1}{4 q_S (n + 1)} = \frac{1}{16\, (q_E + q_S)\, q_S\, (h + 1)(n + 1)},$$
so $B$ solves the CDH problem with advantage $\epsilon' \ge \epsilon / \big( 16\, (q_E + q_S)\, q_S\, (h + 1)(n + 1) \big)$.

For the running time, it is clear from the description of $B$ that an initial key extract query requires $O(h)$ multiplications and $O(1)$ exponentiations in $G_1$, a time key update query requires $O(m)$ multiplications and $O(1)$ exponentiations, and a signing query requires $O(h + m + n)$ multiplications and $O(1)$ exponentiations. Therefore $\tau' = \tau + O\big( (h q_E + m q_U + (h + m + n) q_S)\, \tau_1 + (q_E + q_U + q_S)\, \tau_2 \big)$, where $\tau_1$ and $\tau_2$ denote the execution time of a multiplication and of an exponentiation in $G_1$, respectively. □
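To make the reduction above concrete, the following added example (not from the paper or its authors) replays the Setup, the initial key extract query, and the Forgery step of Theorem 1 in the same exponent-model toy used for Section 4: an element $g^x$ of $G_1$ is stored as the exponent $x$ modulo an assumed modulus $P$, so the model is insecure and only checks algebra. The simulator object is handed the CDH instance as the two exponents standing for $g^a$ and $g^b$ and only ever adds them to other exponents or multiplies them by scalars it knows, which mirrors what it could do with real group elements; it never multiplies them together. The demo forces the events $F(v^*) = 0$ and $K(vm^*) = 0$ for a constructed target $(ID^*, M^*)$ by choosing $k_v, x', k_m, c'$ exactly as the uniqueness argument in the probability analysis describes, checks that a simulated initial secret key for another identity satisfies the key equation $\hat{e}(D_1, g) = \hat{e}(g_2, g^a)\, \hat{e}(D_2, u' \prod_{i \in \mathcal{U}} u_i)$ without the simulator ever having $g_2^a$, and then recovers $g^{ab}$ from a valid forgery with the extraction formula. SHA-256 with a domain label stands in for $H_1$, $H_2$, $H_3$; $h = m = n = 64$, $q_E = q_S = 10$, and the identities and message are assumptions.

```python
"""Toy replay of the Theorem 1 reduction with G1 elements stored as exponents mod P.

ASSUMPTION (added example, not the paper's code): g^x is the integer x mod P, so
multiplication in G1 = addition and exponentiation = scalar multiplication; the CDH
answer g^{ab} is a*b mod P.  Simulator gets the instance as exponents `ga`, `gb` and
only adds them to other exponents or scales them by known scalars; never ga*gb.
"""
import hashlib
import secrets

P = 2**127 - 1                       # assumed toy group order


def rnd() -> int:
    return secrets.randbelow(P - 1) + 1


def bit_indices(label: bytes, data: bytes, length: int) -> list:
    """0-based indices k with bit k of SHA-256(label||data) = 1 (stands in for H1/H2/H3)."""
    bits = ''.join(f'{x:08b}' for x in hashlib.sha256(label + data).digest())[:length]
    return [k for k, bit in enumerate(bits) if bit == '1']


class Simulator:
    """Setup of Theorem 1: g1 = g^a g^beta, g2 = g^b, u' = g2^{x'-lv kv} g^{y'}, u_i = g2^{x_i} g^{y_i},
    t' = g^{z'}, t_j = g^{z_j}, w' = g2^{c'-lm km} g^{d'}, w_k = g2^{c_k} g^{d_k}."""

    def __init__(self, ga: int, gb: int, h=64, m=64, n=64, qE=10, qS=10):
        self.ga, self.gb, self.h, self.m, self.n = ga, gb, h, m, n
        self.lv, self.lm = 2 * (qE + qS), 2 * qS
        self.beta = rnd()                                        # simulator's own share of g1
        self.kv, self.km = secrets.randbelow(h + 1), secrets.randbelow(n + 1)
        self.x0, self.x = secrets.randbelow(self.lv), [secrets.randbelow(self.lv) for _ in range(h)]
        self.y0, self.y = rnd(), [rnd() for _ in range(h)]
        self.z0, self.z = rnd(), [rnd() for _ in range(m)]
        self.c0, self.c = secrets.randbelow(self.lm), [secrets.randbelow(self.lm) for _ in range(n)]
        self.d0, self.d = rnd(), [rnd() for _ in range(n)]

    # The bookkeeping functions of the proof, as plain integers (F and K may be negative).
    def F(self, U): return self.x0 + sum(self.x[i] for i in U) - self.lv * self.kv
    def J(self, U): return self.y0 + sum(self.y[i] for i in U)
    def E(self, T): return self.z0 + sum(self.z[j] for j in T)
    def K(self, W): return self.c0 + sum(self.c[k] for k in W) - self.lm * self.km
    def L(self, W): return self.d0 + sum(self.d[k] for k in W)

    def hash_u(self, U):   # exponent of u' prod_{i in U} u_i = g2^{F(v)} g^{J(v)}
        return (self.gb * self.F(U) + self.J(U)) % P

    def hash_w(self, W):   # exponent of w' prod_{k in W} w_k = g2^{K(vm)} g^{L(vm)}
        return (self.gb * self.K(W) + self.L(W)) % P

    def initial_key_extract(self, ID: bytes):
        """Initial key extract query: answer without g2^a, or abort (None) if F(v) = 0 mod p."""
        U = bit_indices(b'H1', ID, self.h)
        F, J = self.F(U) % P, self.J(U) % P
        if F == 0:
            return None
        inv_F, r_v = pow(F, -1, P), rnd()
        D1 = (-self.ga * J * inv_F + r_v * self.hash_u(U)) % P   # (g1/g^beta)^{-J/F} (u' prod u_i)^{r_v}
        D2 = (r_v - self.ga * inv_F) % P                          # (g1/g^beta)^{-1/F} g^{r_v}
        return D1, D2

    def extract_cdh(self, ID: bytes, t: int, M: bytes, sigma):
        """Forgery step: if F(v*) = K(vm*) = 0 mod p, g^{ab} = s1 / (s2^J s3^E s4^L g2^beta)."""
        U, W = bit_indices(b'H1', ID, self.h), bit_indices(b'H3', M, self.n)
        T = bit_indices(b'H2', ID + t.to_bytes(4, 'big'), self.m)
        if self.F(U) % P or self.K(W) % P:
            return None                                           # abort
        s1, s2, s3, s4 = sigma
        return (s1 - s2 * self.J(U) - s3 * self.E(T) - s4 * self.L(W) - self.gb * self.beta) % P


def valid_initial_key(sim: Simulator, ID: bytes, D) -> bool:
    """Verifier-side check e(D1, g) = e(g2, g^a) e(D2, u' prod u_i), using the real exponents."""
    return D[0] == (sim.gb * sim.ga + D[1] * sim.hash_u(bit_indices(b'H1', ID, sim.h))) % P


def force_good_events(sim: Simulator, ID: bytes, M: bytes) -> None:
    """Pick (kv, x') and (km, c') so that F(v*) = 0 and K(vm*) = 0 hold as integers: the
    unique choice the probability analysis refers to (constructed here, random in the proof)."""
    sx = sum(sim.x[i] for i in bit_indices(b'H1', ID, sim.h))
    sc = sum(sim.c[k] for k in bit_indices(b'H3', M, sim.n))
    sim.kv, sim.km = -(-sx // sim.lv), -(-sc // sim.lm)            # ceil division: kv <= h, km <= n
    sim.x0, sim.c0 = sim.kv * sim.lv - sx, sim.km * sim.lm - sc     # lands in [0, lv) and [0, lm)


def demo():
    a, b = rnd(), rnd()                                            # the CDH secrets
    sim = Simulator(a, b)
    ID_star, t_star, M_star = b'bob@example.com', 7, b'forged message'   # constructed target
    force_good_events(sim, ID_star, M_star)
    for other in (b'carol@example.com', b'dave@example.com', b'erin@example.com'):
        D = sim.initial_key_extract(other)        # None only in the rare abort case F(v) = 0 mod p
        if D is not None:
            break
    key_ok = D is not None and valid_initial_key(sim, other, D)
    # A valid forgery on (ID*, t*, M*), written with the real exponents the adversary never sees.
    U, W = bit_indices(b'H1', ID_star, sim.h), bit_indices(b'H3', M_star, sim.n)
    T = bit_indices(b'H2', ID_star + t_star.to_bytes(4, 'big'), sim.m)
    r_v, r_t, r_m = rnd(), rnd(), rnd()
    s1 = ((a + sim.beta) * b + r_v * sim.hash_u(U) + r_t * sim.E(T) + r_m * sim.hash_w(W)) % P
    return key_ok, sim.extract_cdh(ID_star, t_star, M_star, (s1, r_v, r_t, r_m)) == a * b % P


if __name__ == '__main__':
    print(demo())                                                  # (True, True)
```

`demo()` returns `(True, True)`: the simulated key passes the key equation although `Simulator` never touched $g_2^a$, and the extraction formula returns the exponent $ab$. The `force_good_events` step is the only place the toy departs from the proof: there, $k_v$ and $x'$ are random and the target identity hits $F(v^*) = 0$ only with the probability bounded in the analysis.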

Theorem 2. In the standard model, the proposed RIBS scheme offers existential unforgeability against adaptive chosen-message attacks (RID-UF-ACMA) under the CDH assumption. Concretely, assume that there is an inside adversary A that has an advantage e against the proposed RIBS scheme within a running time t and A can Security Comm. Networks 2013; 6:1250–1260 © 2013 John Wiley & Sons, Ltd. DOI: 10.1002/sec

T.-T. Tsai, Y.-M. Tseng and T.-Y. Wu

Revocable ID-based signature in the standard model

make at most qE > 0 initial key extract queries, qU > 0 time key update queries, and qS > 0 signing queries. Then, the proposed RIBS scheme is (t, qE, qU, qS, e)- RID-UFACMA secure assuming that the CDH problem is (t0 , e0 )intractable, where t0 = t + O((h  qE + m  qU + (h + m + n)  qS)  t1 + (qE + qU + qS)  t2) and e0 = 16ðqU þqS ÞqSeðmþ1Þðnþ1Þ , in which t1 and t2 denote the executing time of a multiplication in G1 and an exponentiation in G1, respectively. Proof. Assume that an adversary A can break the proposed RIBS scheme. Using the adversary A, we can construct a challenger B in the RID-UF-ACMA game to solve the CDH problem. We assume that the challenger B is given hG1, G2, ê, g, ga, gbi as an instance of the CDH problem, where a, b 2 Z*p. The challenger B would like to compute gab. B simulates the challenger in the RID-UF-ACMA game for A as follows.

• Setup. The challenger B sets l_vt = 2(qU + qS) and l_m = 2qS, and randomly chooses two integers k_vt and k_m with 0 ≤ k_vt ≤ m and 0 ≤ k_m ≤ n. We assume that l_vt(m + 1) < p and l_m(n + 1) < p for the given values of qU, qS, m, and n. The challenger B randomly chooses an integer z0 ∈ Zp and a vector Z = (zi) of length h, where zi ∈ Zp for i = 1, 2, ..., h. Then, the challenger B randomly chooses an integer x0 ∈ Z_{l_vt} and a vector X = (xj) of length m, where xj ∈ Z_{l_vt} for j = 1, 2, ..., m. The challenger B randomly chooses an integer y0 ∈ Zp and a vector Y = (yj) of length m, where yj ∈ Zp for j = 1, 2, ..., m. Finally, the challenger B randomly chooses an integer c0 ∈ Z_{l_m} and a vector C = (ck) of length n, where ck ∈ Z_{l_m} for k = 1, 2, ..., n. Meanwhile, the challenger B randomly chooses an integer d0 ∈ Zp and a vector D = (dk) of length n, where dk ∈ Zp for k = 1, 2, ..., n. We define one function for v = H1(ID), two functions for vt = H2(ID, t), and two functions for vm = H3(M) as follows:

$$E(v) = z_0 + \sum_{i\in U} z_i,\qquad F(v_t) = x_0 + \sum_{j\in T} x_j - l_{vt}\,k_{vt},\qquad J(v_t) = y_0 + \sum_{j\in T} y_j,$$

$$K(v_m) = c_0 + \sum_{k\in W} c_k - l_m\,k_m \qquad\text{and}\qquad L(v_m) = d_0 + \sum_{k\in W} d_k.$$

The challenger B chooses a random value α ∈ Zp as the secret value of the time update key, then assigns

$$g_1 = g^{a}g^{\alpha},\quad g_2 = g^{b},\quad u_0 = g^{z_0},\quad u_i = g^{z_i},\quad t_0 = g_2^{-l_{vt}k_{vt}+x_0}\,g^{y_0},\quad t_j = g_2^{x_j}\,g^{y_j},\quad w_0 = g_2^{-l_m k_m + c_0}\,g^{d_0},\quad w_k = g_2^{c_k}\,g^{d_k},$$

for 1 ≤ i ≤ h, 1 ≤ j ≤ m, and 1 ≤ k ≤ n.

• Queries. B responds to the initial key extract query with ID, the time key update query with (ID, t), and the signing query with (ID, t, M) as follows.

• Initial key extract query (ID): Upon receiving this query with ID, the challenger B chooses a random rv ∈ Zp and uses the secret value α ∈ Zp to compute the time update key as follows.

$$D_{ID} = (D_1, D_2) = \Big(g_2^{\alpha}\big(u_0\prod_{i\in U} u_i\big)^{r_v},\; g^{r_v}\Big).$$

• Time key update query (ID, t): Upon receiving this query with (ID, t), the challenger B computes vt = H2(ID, t) and then computes F(vt) and J(vt). If F(vt) = 0 mod p, the challenger B reports failure and terminates. If F(vt) ≠ 0 mod p, the challenger B chooses a random rt ∈ Zp and computes the initial secret key T_{ID,t} as follows.

$$T_{ID,t} = (T_1, T_2) = \Big(\big(g_1/g^{\alpha}\big)^{-J(v_t)/F(v_t)}\big(t_0\prod_{j\in T} t_j\big)^{r_t},\; \big(g_1/g^{\alpha}\big)^{-1/F(v_t)}\,g^{r_t}\Big).$$

Now, we show that T_{ID,t} = (T1, T2) is a valid initial secret key as follows.

$$\begin{aligned}
T_1 &= \big(g_1/g^{\alpha}\big)^{-J(v_t)/F(v_t)}\big(t_0\prod_{j\in T} t_j\big)^{r_t} \\
&= \big(g^{a+\alpha}/g^{\alpha}\big)^{-J(v_t)/F(v_t)}\Big(g_2^{-l_{vt}k_{vt}+x_0}\,g^{y_0}\prod_{j\in T} g_2^{x_j}\,g^{y_j}\Big)^{r_t} \\
&= (g^{a})^{-J(v_t)/F(v_t)}\Big(g_2^{-l_{vt}k_{vt}+x_0+\sum_{j\in T}x_j}\;g^{y_0+\sum_{j\in T}y_j}\Big)^{r_t} \\
&= g_2^{a}\,g_2^{-a}\,g^{-aJ(v_t)/F(v_t)}\big(g_2^{F(v_t)}\,g^{J(v_t)}\big)^{r_t} \\
&= g_2^{a}\big(g_2^{F(v_t)}\,g^{J(v_t)}\big)^{-a/F(v_t)}\big(g_2^{F(v_t)}\,g^{J(v_t)}\big)^{r_t} \\
&= g_2^{a}\big(g_2^{F(v_t)}\,g^{J(v_t)}\big)^{r_t - a/F(v_t)} \\
&= g_2^{a}\big(t_0\prod_{j\in T} t_j\big)^{r_t'}
\end{aligned}$$

and

$$T_2 = \big(g_1/g^{\alpha}\big)^{-1/F(v_t)}\,g^{r_t} = \big(g^{a+\alpha}/g^{\alpha}\big)^{-1/F(v_t)}\,g^{r_t} = (g^{a})^{-1/F(v_t)}\,g^{r_t} = g^{r_t - a/F(v_t)} = g^{r_t'},$$

where r_t' = r_t − a/F(v_t).

• Signing query (ID, t, M): Upon receiving this query with (ID, t, M), the challenger B computes vt = H2(ID, t) and then computes F(vt) and J(vt). If F(vt) ≠ 0 mod l_vt, the challenger B can simply construct the initial secret key for v = H1(ID) and the time update key for vt = H2(ID, t) as in the initial key extract query and the time key update query, respectively, and then use the signing algorithm to create a signature on M. If F(vt) = 0 mod l_vt, the challenger B will try to construct a signature in the same way as a time update key is constructed in the time key update query. The challenger B computes vm = H3(M) and then uses vm to compute K(vm). If K(vm) = 0 mod l_m, the challenger B reports failure and terminates. If K(vm) ≠ 0 mod p, the challenger B chooses random values rv, rt, rm ∈ Zp and constructs the signature similar to that in Theorem 1:

$$\begin{aligned}
\sigma &= (\sigma_1, \sigma_2, \sigma_3, \sigma_4) \\
&= \Big(g_2^{\alpha}\big(u_0\prod_{i\in U}u_i\big)^{r_v}\big(t_0\prod_{j\in T}t_j\big)^{r_t}\big(g_1/g^{\alpha}\big)^{-L(v_m)/K(v_m)}\big(w_0\prod_{k\in W}w_k\big)^{r_m},\; g^{r_v},\; g^{r_t},\; \big(g_1/g^{\alpha}\big)^{-1/K(v_m)}\,g^{r_m}\Big) \\
&= \Big(g_2^{a+\alpha}\big(u_0\prod_{i\in U}u_i\big)^{r_v}\big(t_0\prod_{j\in T}t_j\big)^{r_t}\big(w_0\prod_{k\in W}w_k\big)^{r_m'},\; g^{r_v},\; g^{r_t},\; g^{r_m'}\Big),
\end{aligned}$$

where r_m' = r_m − a/K(v_m).

• Forgery. If the challenger B does not abort and has responded to all the queries above, the adversary A generates v* = H1(ID*), vt* = H2(ID*, t*), vm* = H3(M*), and σ* = (σ1, σ2, σ3, σ4). If F(vt*) ≠ 0 mod p or K(vm*) ≠ 0 mod p, the challenger B reports failure and terminates. If F(vt*) = 0 mod p and K(vm*) = 0 mod p, the challenger B computes and outputs g^{ab} as follows.

$$\begin{aligned}
\frac{\sigma_1}{g_2^{\alpha}\,\sigma_2^{E(v^*)}\,\sigma_3^{J(v_t^*)}\,\sigma_4^{L(v_m^*)}}
&= \frac{g_2^{a+\alpha}\big(u_0\prod_{i\in U}u_i\big)^{r_v}\big(t_0\prod_{j\in T}t_j\big)^{r_t}\big(w_0\prod_{k\in W}w_k\big)^{r_m}}{g_2^{\alpha}\,g^{r_vE(v^*)}\,g^{r_tJ(v_t^*)}\,g^{r_mL(v_m^*)}} \\
&= \frac{g_2^{a+\alpha}\big(g^{E(v^*)}\big)^{r_v}\big(g_2^{F(v_t^*)}\,g^{J(v_t^*)}\big)^{r_t}\big(g_2^{K(v_m^*)}\,g^{L(v_m^*)}\big)^{r_m}}{g_2^{\alpha}\,g^{r_vE(v^*)}\,g^{r_tJ(v_t^*)}\,g^{r_mL(v_m^*)}} \\
&= \frac{g_2^{a+\alpha}\big(g^{E(v^*)}\big)^{r_v}\big(g_2^{0}\,g^{J(v_t^*)}\big)^{r_t}\big(g_2^{0}\,g^{L(v_m^*)}\big)^{r_m}}{g_2^{\alpha}\,g^{r_vE(v^*)}\,g^{r_tJ(v_t^*)}\,g^{r_mL(v_m^*)}} \\
&= g_2^{a} = g^{ab}.
\end{aligned}$$

The analysis is similar to that of Theorem 1. The probability of the challenger B not aborting is Pr[¬abort] ≥ 1/(16(qU + qS) qS (m + 1)(n + 1)). Then, the success probability (advantage) of the challenger B in solving the CDH problem is at least ε/(16(qU + qS) qS (m + 1)(n + 1)). The executing time is t + O((h·qE + m·qU + (h + m + n)·qS)·t1 + (qE + qU + qS)·t2), where t1 and t2 denote the executing time of a multiplication in G1 and an exponentiation in G1, respectively.

6. COMPARISONS
Here, we compare our proposed RIBS scheme with the well-known IBS scheme without random oracles proposed by Paterson and Schuldt [10]. Table I lists the comparisons between the proposed RIBS scheme and Paterson and Schuldt's IBS scheme [10] in terms of computational cost and revocable functionality. For the signing procedures of both Paterson and Schuldt's IBS scheme and the proposed RIBS scheme, no pairing operation is required to sign a message. The verification of Paterson and Schuldt's IBS scheme requires four pairing operations, whereas the verification of the proposed RIBS scheme requires five. Although our proposed RIBS scheme requires one more pairing operation than Paterson and Schuldt's IBS scheme in the verification procedure, the point is that our proposed RIBS scheme provides a flexible revocation mechanism with a public channel. Certainly, Paterson and Schuldt's IBS scheme may be combined with the revocation mechanism presented by Boneh and Franklin [2], but that mechanism requires a secure channel to transmit the users' new private keys for each period. Thus, the PKG and the non-revoked users must bear an enormous computational workload of encryption and decryption procedures, respectively, for each period.

Table I. Comparisons between our RIBS scheme and the previously proposed IBS scheme.

                                                   Paterson and Schuldt's IBS scheme [10]   Our proposed RIBS scheme
Pairing operation for signature                    0                                        0
Pairing operation for verification                 4                                        5
Revocable solution                                 Boneh and Franklin [2] approach          Tseng and Tsai [28] approach
Required channel for revocation                    Secure channel                           Public channel
Periodical encryption/decryption for revocation    Required                                 Not required

7. CONCLUSIONS
In this paper, we have proposed a provably secure RIBS scheme based on Paterson and Schuldt's IBS scheme in the standard model (without random oracles). As compared with the original IBS scheme, the proposed RIBS scheme provides an efficient and flexible revocation mechanism. In addition, we appropriately combined the initial secret key and the time update key to obtain the signing key, so that the performance of the signing and verifying procedures is retained. For the security analysis, we demonstrated that the proposed RIBS scheme is provably secure under the CDH assumption. To enhance the practicality of ID-based public key systems, we think that an efficient revocation mechanism must be involved in the design of various ID-based cryptographic schemes and protocols in the future.

ACKNOWLEDGEMENT
This research was partially supported by National Science Council, Taiwan, under contract no. NSC101-2221-E018-027.

REFERENCES
1. Shamir A. Identity-based cryptosystems and signature schemes. Proc. Crypto'84, LNCS 196, Springer-Verlag, 1984; 47–53.
2. Boneh D, Franklin M. Identity-based encryption from the Weil pairing. Proc. Crypto'01, LNCS 2139, Springer-Verlag, 2001; 213–229.
3. Bellare M, Namprempre C, Neven G. Security proofs for identity-based identification and signature schemes. Journal of Cryptology 2004; 22(1):1–61.
4. Tseng Y-M, Wu T-Y, Wu J-D. A pairing-based user authentication scheme for wireless clients with smart cards. Informatica 2008; 19(2):285–302.
5. Chen L, Cheng Z, Smart NP. Identity-based key agreement protocols from pairings. International Journal of Information Security 2007; 6(4):213–241.
6. Wu T-Y, Tseng Y-M. An ID-based mutual authentication and key exchange protocol for low-power mobile devices. The Computer Journal 2010; 53(7):1062–1070.
7. Wu T-Y, Tseng Y-M. An efficient user authentication and key exchange protocol for mobile client–server environment. Computer Networks 2010; 54(9):1520–1530.
8. Paterson KG. Identity-based signatures from pairings on elliptic curves. Electronics Letters 2002; 38(18):1025–1026.
9. Cha J-C, Cheon J-H. An identity-based signature from gap Diffie–Hellman groups. Proc. PKC'03, LNCS 2567, Springer-Verlag, 2003; 18–30.
10. Paterson KG, Schuldt JCN. Efficient identity-based signatures secure in the standard model. Proc. ACISP'06, LNCS 4058, Springer-Verlag, 2006; 207–222.
11. Lu S, Ostrovsky R, Sahai A, Shacham H, Waters B. Sequential aggregate signatures and multisignatures without random oracles. Proc. EUROCRYPT'06, LNCS 4004, Springer-Verlag, 2006; 465–485.
12. Chang T-Y. An ID-based multi-signer universal designated multi-verifier signature scheme. Information and Computation 2011; 209(7):1007–1015.
13. Waters B. Efficient identity-based encryption without random oracles. Proc. Eurocrypt'05, LNCS 3494, Springer-Verlag, 2005; 1–33.
14. Gentry C. Practical identity-based encryption without random oracles. Proc. Eurocrypt'06, LNCS 4004, Springer-Verlag, 2006; 445–464.
15. Boneh D, Hamburg M. Generalized identity based and broadcast encryption schemes. Proc. Asiacrypt'08, LNCS 5350, Springer-Verlag, 2008; 455–470.
16. Fan C-I, Huang L-Y, Ho P-H. Anonymous multireceiver identity-based encryption. IEEE Transactions on Computers 2010; 59(9):1239–1249.
17. Choi K-Y, Hwang J-Y, Lee D-H. ID-based authenticated group key agreement secure against insider attacks. IEICE Trans. Fundamentals 2008; E91-A(7):1828–1830.
18. Wu T-Y, Tseng Y-M. Towards ID-based authenticated group key exchange protocol with identifying malicious participants. Informatica 2012; 23(2):315–334.
19. Wu T-Y, Tseng Y-M, Yu C-W. A secure ID-based authenticated group key exchange protocol resistant to insider attacks. Journal of Information Science and Engineering 2011; 27(3):915–932.
20. Bellare M, Rogaway P. Random oracles are practical: a paradigm for designing efficient protocols. Proc. CCS'93, ACM, 1993; 62–73.
21. Canetti R, Goldreich O, Halevi S. The random oracle methodology, revisited (preliminary version). Proc. STOC'98, 1998; 209–218.
22. Bellare M, Boldyreva A, Palacio A. An uninstantiable random oracle model scheme for a hybrid encryption problem. Proc. Cachin and Camenisch'04, LNCS 3027, Springer-Verlag, 2004; 171–188.
23. Boneh D, Boyen X. Efficient selective-ID identity based encryption without random oracles. Proc. Eurocrypt'04, LNCS 3027, Springer-Verlag, 2004; 223–238.
24. Canetti R, Halevi S, Katz J. A forward-secure public-key encryption scheme. Proc. Eurocrypt'03, LNCS 2656, Springer-Verlag, 2003; 255–271.
25. Boneh D, Boyen X. Secure identity based encryption without random oracles. Proc. Crypto'04, LNCS 3152, Springer-Verlag, 2004; 443–459.
26. Boldyreva A, Goyal V, Kumar V. Identity-based encryption with efficient revocation. Proc. CCS'08, ACM, 2008; 417–426.
27. Libert B, Vergnaud D. Adaptive-ID secure revocable identity-based encryption. Proc. CT-RSA'09, LNCS 5473, Springer-Verlag, 2009; 1–15.
28. Tseng Y-M, Tsai T-T. Efficient revocable ID-based encryption with a public channel. The Computer Journal 2012; 55(4):475–486.