Revocable ID-based signature scheme with batch verifications

Tsu-Yang Wu*
School of Computer Science and Technology, Shenzhen Graduate School, Harbin Institute of Technology, Shenzhen 518055, P.R. China
* E-mail: wutsuyang@gmail.com

Tung-Tso Tsai and Yuh-Min Tseng
Department of Mathematics, National Changhua University of Education, Jin-De Campus, Chang-Hua City 500, Taiwan, R.O.C.
E-mail: ymtseng@cc.ncue.edu.tw

Abstract—Signature schemes are among the important primitives of modern cryptography; they can provide user identification, non-repudiation, and message authentication. With the advent of the identity (ID)-based public key system (IDPKS) built on bilinear pairings, many cryptographic schemes and protocols based on the IDPKS system have been proposed. Although the IDPKS system has the advantage of eliminating certificate management, revoking misbehaving or compromised users in this system is a critical issue. Quite recently, Tseng and Tsai presented a practical revocation mechanism for the IDPKS system that uses only a public channel. In this paper, we adopt Tseng and Tsai's revocation concept to propose the first revocable ID-based signature scheme with batch verifications (RID-SBV). We also discuss several cases of batch verification. Under the computational Diffie-Hellman assumption, we demonstrate that the proposed RID-SBV scheme is a provably secure signature scheme.

Keywords-Revocation; ID-based; Signature; Batch verifications; Security

I. INTRODUCTION

In 1984, Shamir [1] first proposed the concept of the ID-based public key system (IDPKS). In this system, each user's identity (e.g. an e-mail address or name) serves as the public key, and the user's private key is computed by a trusted private key generation center (PKG). This eliminates the need for certificates and thus simplifies the certificate management required by certificate-based public key systems.
In 2001, Boneh and Franklin [2] followed Shamir's concept and proposed a practical ID-based encryption (IBE) scheme from the Weil pairing. Since then, the design of ID-based cryptographic mechanisms using bilinear pairings has received much attention from researchers, and numerous schemes have been presented, such as signature schemes [3-5], IBE schemes [6-9], key agreement protocols [10-12], group key agreement protocols [13-15], and user authentication schemes [16, 17].

Although the IDPKS system has the advantage of eliminating certificate management, revoking misbehaving or compromised users in this system is a critical issue. For example, in an ID-based encryption/signature scheme, only the system's public parameters and the user's identity are involved in the encryption/verification procedure [2, 3], so it is difficult to notify senders/verifiers that a particular identity has been revoked. Thus, any ID-based cryptographic scheme or protocol must provide a method for revoking misbehaving or compromised users from the public key system. However, there has been little work on revocation mechanisms for the IDPKS system.

For the revocation problem of the IDPKS system, Boneh and Franklin [2] suggested a solution: the PKG periodically generates new private keys for non-revoked users, and when the PKG wants to revoke a specific user, it simply stops issuing new private keys to that user. However, this method has two disadvantages: (1) the periodic workload of computing new private keys is too heavy for the PKG; (2) secure channels must be established between the PKG and every non-revoked user to transmit the new private keys in each time period. In 2008, Boldyreva et al. [18] proposed a revocable IBE (RIBE) scheme to reduce the PKG's periodic workload required in Boneh and Franklin's IBE [2]. In their RIBE scheme, a binary tree is used to reduce the total size of the key update.
However, their scheme is proven secure only under a weak security model. In 2009, Libert and Vergnaud [19] presented an adaptive-ID secure RIBE scheme building on the work of Boldyreva et al. [18]. Although both schemes [18, 19] provide the revocation functionality, several drawbacks remain: (1) each user must hold 3 log n private keys; (2) a secure channel is still required to transmit the new private keys; (3) the PKG must maintain a binary tree with n leaf nodes, where n denotes the total number of users.

Very recently, Tseng and Tsai [9] proposed an efficient RIBE scheme together with an associated revocation mechanism, called the revocable ID-based public key system (R-IDPKS), to solve the revocation problem efficiently. In the R-IDPKS system, each user's private key consists of a fixed initial secret key and a time update key, where the time update key changes with the time period. For non-revoked users, the PKG periodically generates new time update keys and sends them to those users via a public channel. Upon receiving a new time update key, a non-revoked user can update his or her own private key without further interaction. To revoke a misbehaving or compromised user, the PKG simply stops issuing new time update keys to that user, who is then unable to update the private key. In terms of security and efficiency, the Tseng-Tsai RIBE scheme is semantically secure against adaptive chosen ciphertext attacks and is more efficient than the previously proposed schemes [18, 19].

2012 Eighth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, 978-0-7695-4712-1/12 © 2012 IEEE, DOI 10.1109/IIH-MSP.2012.18