10.1 Signature Schemes
10.1.2 A Hierarchical Identity-Based Signature
As in the case of PKE schemes, for a signature scheme to be properly functional, the verifier Bob needs to trust the verification key of the signer Alice, i.e., Bob needs to be sure that the public key indeed belongs to Alice. As otherwise, an adversary Eve may use her signing key to sign a message and then pose as Alice to Bob, i.e., present her verification key as that of Alice. This will lead to Bob accepting that the message has been signed by Alice when it has actually been signed by Eve. So, Bob needs some way to verify that Alice’s verification key indeed belongs to her. This brings in the issue of digital certificates and certifying authorities as in the case of PKE schemes.
Identity-based signature (IBS) can avoid the associated machinery required for a usual signature scheme to work. This notion was proposed by Shamir himself in his pioneering work on identity-based encryption [155]. As in the case of IBE schemes, there is a PKG which publishes public parameters (PP) and possesses a master secret key. It issues signing keys associated with an identity. A signer uses his/her identity, the signing key and the PP to sign a message. The verifier uses the identity of the signer and the PP to verify a message-signature pair. Similar to encryption, this has a straightforward extension to a hierarchical identity-based signature scheme (HIBS).
It should be noted that constructing an IBS scheme is significantly easier compared to that of an IBE scheme. Shamir’s original paper on identity-based cryptosystems [155] had itself provided an IBS scheme even though it took significantly more time to come up with an IBE scheme.
An HIBS scheme can be seen as an extension of a signature scheme to the identity-based setting. We provide the definition of such a scheme.
Definition. A HIBS scheme consists of four algorithms (which are probabilistic and polynomial time in the security parameter): Set-Up, KeyGen, Sign and Verify.
For a HIBS of height $h$ (henceforth denoted as $h$-HIBS) any identity $id$ is a tuple $(id_1, \ldots, id_j)$ where $1 \le j \le h$.
• HIBS.SetUp and HIBS.KeyGen$(id, d_{id|_{j-1}}, PP)$ are exactly the same as those of an HIBE scheme.
• HIBS.Sign$(id, d_{id}, M, PP)$. Takes as input $id$, a private key $d_{id}$ for $id$, the message $M$ and the public parameters $PP$ of the PKG, and returns $sig$, the signature on $M$ under the identity $id$.
• HIBS.Verify$(id, M, sig, PP)$. Takes as input $id$, the message $M$, the signature $sig$ and the public parameters $PP$, and outputs yes if $sig$ is a valid signature on $M$ under $id$; if this does not hold, it outputs no.
Note that for $h = 1$, the above definition reduces to that of an IBS scheme. The security model for existential unforgeability under chosen message attacks consists of a game between an adversary and a simulator that goes through the following phases.
Set-Up. The simulator sets up the HIBS scheme, i.e., generates the public parameters $PP$ and the master secret key for the scheme and provides the adversary with $PP$.
Queries. The adversary makes two types of queries in an interleaved and adaptive manner.
• Extract queries. The adversary can ask for the private key of any identity. The simulator provides a private key for this identity, and the distribution of the private key should be the same as that generated by HIBS.KeyGen.
• Signature queries. In this type of query, the adversary provides an identity and a message. The simulator has to provide a proper signature on the message under the given identity.
Forgery. At the end of the interaction, the adversary outputs a message $M^*$, an identity $id^*$ and a signature $sig^*$. The adversary is successful if the following hold.
• HIBS.Verify$(id^*, M^*, sig^*, PP)$ returns yes.
• The adversary has not made any previous key extraction query on $id^*$ or any of its prefixes.
• The adversary has not made any previous signature query on $(M^*, id^*)$.
The advantage of an adversary is defined to be the probability that the adversary succeeds in the above game. As usual, the HIBS scheme is said to be $(t, q_{id}, q_S, \varepsilon)$-secure if the advantage of any adversary which runs in time $t$, makes $q_{id}$ key extraction queries and $q_S$ signature queries is at most $\varepsilon$.
In the above definition, one requirement on a forgery is that the pair $(M^*, id^*)$ has to be “new”. This condition can be changed by only insisting that the signature $sig^*$ is “new”. For this changed condition, an adversary can be successful by producing a new signature on an earlier message. A signature scheme satisfying this new requirement is said to satisfy strong unforgeability against chosen message attacks (as opposed to existential unforgeability against chosen message attacks). But the signature scheme obtained below does not satisfy this condition, as it is possible to convert an already known signature on a message into a new signature on the same message.
Construction. The method of converting an IBE to a signature scheme extends to convert an HIBE scheme into a hierarchical identity-based signature (HIBS) scheme. This has been noted in [94].
An entity with identity $id = (id_1, \ldots, id_j)$ has a corresponding decryption key $d_{id}$. A signature on a message $M$ is then simply the decryption key for the identity tuple $(id_1, \ldots, id_j, M)$, which can be generated using $d_{id}$, which now acts as a signing key.
So an $(h+1)$-level HIBE scheme gives rise to an $h$-level HIBS scheme. Though conceptually simple, there is a problematic issue. For such a scheme, the message space and the identity space should be disjoint. As otherwise, someone possessing the signature on $M$ for the identity $(id_1, \ldots, id_j)$ can now use this signature as a signing key to produce a forgery for a message $M'$ under the identity $(id_1, \ldots, id_j, M)$.
Paterson and Schuldt [144] had described an identity-based signature (IBS) scheme based on the 2-level Waters HIBE in [169]. The scheme has been proved to be secure. Now, consider the situation where the individual entities and the PKG both sign messages. The PKG signs messages using the master secret key and an individual entity signs messages using the signing key obtained from the PKG. For such a scenario, the scheme in [144] is no longer secure. Basically, the above situation applies. An adversary may obtain the PKG’s signature on a “message” $M$ and then use this signature as the signing key to sign messages under the “identity” $M$. This happens due to the fact that the scheme in [144] does not ensure that the message and identity spaces are disjoint.
As mentioned above, an HIBS scheme can be obtained from the Gentry-Silverberg HIBE [94]. The security of this scheme holds in the random oracle model. The technical details are essentially an extension of the way in which the BLS signature scheme is obtained from the BF-IBE. Below we describe the construction of a HIBS scheme which is based upon [63]. A signature scheme and an IBS scheme can be obtained as particular cases. The IBS improves upon [144] by reducing the size of the public parameters by almost half. This improvement is a result of the reduction in public parameters of the HIBE in Section 7.4 of Chapter 7 over the HIBE in [169].
Let $H : \{0,1\}^* \to \{0,1\}^n$ be a collision resistant hash function. The output of $H$ is assumed to consist of $l$ blocks, where each block is an $n/l$-bit string considered to be an element of the set $\{0, \ldots, 2^{n/l} - 1\}$. Messages are assumed to be arbitrary binary strings and identities are assumed to be of the type $(str_1, \ldots, str_j)$, $1 \le j \le h$, where $str_k$, $1 \le k \le j$, is an arbitrary binary string. These are hashed into $n$-bit strings in the following manner. If $msg$ is a message, then compute $H(0||msg)$, while if $str_k$ is a component of an identity tuple then compute $H(1||str_k)$. This ensures that $n$-bit strings obtained from messages will not be equal to $n$-bit strings obtained from identity components (assuming that $H$ is collision resistant). Following the notation of HIBE schemes, we will write $id_k = H(1||str_k)$.
With the above modifications, one can easily convert an $(h+1)$-level HIBE to an $h$-level HIBS. For an identity at the $j$-th level, the signature will be the decryption key of a $(j+1)$-level identity, with the message to be signed constituting the last level “identity” in the hierarchy.
The HIBS scheme can be described using both symmetric as well as asymmetric pairings. Since we have described the Boneh-Lynn-Shacham scheme using asymmetric pairings, we do the same for the HIBS scheme.
Set-Up. As in the HIBE scheme in Section 7.4, identities consist of $l$ blocks of $n/l$-bit strings, where $n$ is the security parameter and $l$ is an integer which divides $n$.
The scheme is built from an asymmetric pairing $(G_1 = \langle P_1 \rangle, G_2 = \langle P_2 \rangle, G_T, e)$.
Suppose the maximum number of levels in the HIBS is $h$. The PKG chooses random $x_i, y_j \in \mathbb{Z}_p^*$, where $1 \le i \le h+1$ and $1 \le j \le l$, and computes $U_i' = x_i P_1$, $W_i' = x_i P_2$, $U_j = y_j P_1$, $W_j = y_j P_2$. The PKG also chooses a random $R_1 \in G_1$ and a random integer $x \in \mathbb{Z}_p$ and computes $Q_2 = x P_2$ and $e(R_1, Q_2)$. The public parameters are the following elements: $P_2$, $e(R_1, Q_2)$, $U_1', \ldots, U_{h+1}'$, $U_1, \ldots, U_l$, $W_1', \ldots, W_{h+1}'$, $W_1, \ldots, W_l$. The master secret is $x R_1$. The hash function $H$ is also specified as part of the set-up.
KeyGen. Let $(str_1, \ldots, str_j)$ be the identity for which a key has to be generated and let $id_k = H(1||str_k)$ for $1 \le k \le j$. A key corresponding to this identity is generated by essentially applying the key generation algorithm of the HIBE scheme in Section 7.4 to $(id_1, \ldots, id_j)$. For example, for a first level identity $str_1$, $id_1 = H(1||str_1)$ and the PKG computes the corresponding private key as $d_0 = x R_1 + r_1 V_{1,1}(id_1)$ and $d_1 = r_1 P_1$, where $V_{1,k}(id_k) = U_k' + \sum_{i=1}^{l} id_{k,i} U_i$ for $1 \le k \le h+1$ and $r_1 \in_R \mathbb{Z}_p^*$. Similarly, the entity with a signing key for $(id_1, \ldots, id_{j-1})$ (i.e., for $(str_1, \ldots, str_{j-1})$) can generate a signing key for $(id_1, \ldots, id_j)$ (i.e., for $(str_1, \ldots, str_j)$). Note that the signing key thus generated contains elements of $G_1$ only.
Sign. Suppose a message $msg$ is to be signed under an identity $(str_1, \ldots, str_j)$. Let $id_i = H(1||str_i)$ for $1 \le i \le j$ and $id_{j+1} = H(0||msg)$, and let $id = (id_1, \ldots, id_j)$. Suppose that $d_{id}$ is a signing key for $id$ (i.e., for $(str_1, \ldots, str_j)$). Then a signature on $msg$ under the identity $(str_1, \ldots, str_j)$ is obtained by applying the key generation algorithm described above in the following manner. Using the key $d_{id}$ for $id$, a key for the “identity” $(id_1, \ldots, id_j, id_{j+1})$ is created and this key is returned as the signature $sig$.
Verify. The input is a tuple $(msg, (str_1, \ldots, str_j), sig)$ where $sig = (d_0, d_1, \ldots, d_{j+1}) \in G_1^{j+2}$.
Let $id_k = H(1||str_k)$ for $1 \le k \le j$ and $id_{j+1} = H(0||msg)$, and let $V_{2,k} = V_{2,k}(id_k) = W_k' + \sum_{i=1}^{l} id_{k,i} W_i$ for $1 \le k \le h+1$. The input is accepted if the following equality holds:
$$e(d_0, P_2) = e(R_1, Q_2) \times \prod_{k=1}^{j+1} e(d_k, V_{2,k}).$$
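As an added illustration (not the book's code), here is a toy Python run of the Set-Up, KeyGen, Sign and Verify algorithms just described. It replaces the pairing groups by $\mathbb{Z}_p$ with $P_1 = P_2 = 1$ and $e(a, b) = ab \bmod p$, takes $H$ to be SHA-256 truncated to $n = 64$ bits with $l = 8$ and $h = 3$, and omits the re-randomisation of earlier levels in KeyGen; all of these are constructed assumptions, and since the toy pairing has trivial discrete logs it checks only the algebra and the $H(0||msg)$ versus $H(1||str_k)$ separation, not security.

```python
# Toy instantiation of the HIBS above: G1 = G2 = GT = Z_p written additively,
# P1 = P2 = 1, e(a, b) = a*b mod p (bilinear, but discrete logs are trivial).
import hashlib
import secrets

P = (1 << 61) - 1  # constructed group order p
N, L = 64, 8       # n-bit hash output split into l blocks of n/l = 8 bits
H_LEVELS = 3       # maximum number of identity levels h

def hash_blocks(prefix: bytes, s: bytes) -> list:
    """H(prefix||s) viewed as l integers in {0, ..., 2^(n/l) - 1}."""
    val = int.from_bytes(hashlib.sha256(prefix + s).digest()[:N // 8], "big")
    return [(val >> (N // L * i)) & ((1 << N // L) - 1) for i in range(L)]

def setup():
    """Set-Up: public parameters and the master secret xR1 (here r1*x mod p)."""
    x_lv = [secrets.randbelow(P) for _ in range(H_LEVELS + 1)]  # U'_i = W'_i = x_i
    y_bl = [secrets.randbelow(P) for _ in range(L)]             # U_j = W_j = y_j
    r1, x = secrets.randbelow(P), secrets.randbelow(P)          # R1 = r1, Q2 = x
    return {"Up": x_lv, "U": y_bl, "eRQ": r1 * x % P}, r1 * x % P

def v_k(pp, k, idk):
    """V_{1,k}(id_k) = U'_k + sum_i id_{k,i} U_i (V_{2,k} is the same number)."""
    return (pp["Up"][k - 1] + sum(b * u for b, u in zip(idk, pp["U"]))) % P

def extend_key(pp, key, level, idk):
    """HIBE KeyGen step: key for (id_1..id_{level-1}) -> key for (id_1..id_level)."""
    d0, ds = key
    r = secrets.randbelow(P)
    return ((d0 + r * v_k(pp, level, idk)) % P, ds + [r])

def keygen(pp, msk, strs):
    """Signing key for identity (str_1, ..., str_j) with id_k = H(1||str_k)."""
    key = (msk, [])
    for k, s in enumerate(strs, start=1):
        key = extend_key(pp, key, k, hash_blocks(b"\x01", s))
    return key

def sign(pp, key, strs, msg):
    """Sign: the key for the (j+1)-level 'identity' (id_1..id_j, H(0||msg))."""
    return extend_key(pp, key, len(strs) + 1, hash_blocks(b"\x00", msg))

def verify(pp, strs, msg, sig):
    """Verify: e(d0,P2) = e(R1,Q2) * prod_k e(d_k,V_{2,k}); products are sums here."""
    d0, ds = sig
    ids = [hash_blocks(b"\x01", s) for s in strs] + [hash_blocks(b"\x00", msg)]
    if len(ds) != len(ids) or len(ids) > H_LEVELS + 1:
        return False
    rhs = sum(d * v_k(pp, k, idk) for k, (d, idk) in enumerate(zip(ds, ids), 1))
    return d0 == (pp["eRQ"] + rhs) % P
```

Feeding a signature on $msg$ back into sign as if it were the key for the identity $(str_1, msg)$ yields a value that verify rejects, because that level of the signature was derived from $H(0||msg)$ while verify recomputes $H(1||msg)$ for an identity component.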
Note.
1. The security of this signature scheme can be shown to be based on the co-CDH problem in $G_1$ and $G_2$ for asymmetric pairing settings. This problem is the analogue of the CDH problem in $G$ for symmetric pairing settings. See [45] for the definition of the co-CDH problem.
2. If $h = 1$, then the above scheme yields an identity-based signature (IBS).
3. The scheme can also be seen as providing a usual signature scheme. For this, the PKG is no longer required since there are no identities. Neither is the hash function $H$ required, and the messages are taken to be bit strings of length $n$. Further, for $l = n$, the symmetric pairing based variant of this signature scheme is exactly the signature scheme described by Waters [169].