provably secure identity-based identification schemes and transitive signatures

Post on 12-Jan-2016


DESCRIPTION

Katholieke Universiteit Leuven, Faculteit Toegepaste Wetenschappen, Departement Computerwetenschappen. Provably Secure Identity-Based Identification Schemes and Transitive Signatures. ir. Gregory Neven. Advisors: Prof. Dr. ir. Frank Piessens, Prof. Dr. ir. Bart De Decker. Overview. - PowerPoint PPT Presentation

TRANSCRIPT

Provably Secure Identity-Based Identification Schemes and Transitive Signatures

ir. Gregory Neven

Advisors: Prof. Dr. ir. Frank Piessens, Prof. Dr. ir. Bart De Decker

Katholieke Universiteit Leuven, Faculteit Toegepaste Wetenschappen, Departement Computerwetenschappen

Overview

Introduction: Provable security
Identity-based identification schemes (joint work with Mihir Bellare and Chanathip Namprempre)
  Concept
  Framework of transforms
  Summary of results
Transitive signatures (joint work with Mihir Bellare)
  Concept
  Node certification technique
  Summary of results
Conclusion

Standard digital signatures (SS)

Cryptography = study of mathematical techniques for information security

Diffie-Hellman, 1976

[Diagram: Kg(1^k) → (pk,sk). The signer holds sk and runs Sign(sk,M) → σ, sending (M,σ); each verifier holds a copy of pk and runs Vf(pk,M,σ) → acc/rej.]

Standard identification (SI) schemes

Cryptography = study of mathematical techniques for information security

[Diagram: Kg(1^k) → (pk,sk). The prover P holds sk and interacts with the verifier V, who holds pk and outputs acc/rej.]

Provable security

Until 1980s: ad-hoc design, “secure until proven insecure”

More recently: provable security [GMR88]
  Step 1: security notion = the meaning of “security” for the scheme
  Step 2: security proof = the only way to break the scheme is by solving a supposedly hard mathematical problem or breaking the underlying cryptographic building block

From theoreticians’ toy to industry-relevant property

Step 1: Security notion

Desirable properties of a signature scheme:
  infeasible to compute sk from pk
  unforgeability, even after seeing many valid signatures on messages chosen by the adversary

[Diagram: the adversary is given pk, obtains signatures σ_i on messages M_i of its choice, (M_1,σ_1) … (M_n,σ_n), and tries to output (M,σ) such that Vf(pk,M,σ) = acc.]

Step 1: Security notion

Desirable properties: infeasible to compute sk from pk; unforgeability even after seeing valid signatures on messages chosen by the adversary

Security (uf-cma) = no “reasonable” algorithm has non-negligible probability of winning the game

[Diagram: the forger F receives pk and oracle access to Sign(sk,·); it queries M_i and receives σ_i, then outputs (M,σ) such that Vf(pk,M,σ) = acc.]

Step 2: Security proof

By contradiction: suppose such an algorithm F exists

then a “reasonable” algorithm A exists that solves a supposedly hard mathematical problem or breaks the underlying cryptographic building block

[Diagram: A receives an instance of the hard problem, plays the role of F’s environment (hands F a pk and answers its signing queries M_i with σ_i), and turns F’s forgery (M,σ) into a solution.]

Mathematically hard problems

Factoring
  Given N = pq where p, q large primes
  Find p, q

RSA
  Given N = pq where p, q large primes; e where gcd(e,φ(N)) = 1 and φ(N) = (p-1)(q-1); y ∈ Z_N^*
  Find x : x^e = y mod N

Discrete logarithms
  Given p large prime; g generator of Z_p^*; y ∈ Z_p^*
  Find x : g^x = y mod p
  (Also subgroups of Z_p^*, elliptic curves)

Random oracle model

Cryptographic hash function H: {0,1}^* → {0,1}^k
  one-wayness: given y, finding x s.t. H(x) = y is hard
  collision-resistance: finding x1, x2 s.t. H(x1) = H(x2) is hard

Random oracle model [BR93b]: H behaves as an unpredictable, truly random function
  – unsatisfiable assumption
  – no longer a proof, only a (good) heuristic
  – counterexamples known [CGH98, Nie02, GK03, BBP04]
  + “provable” security for practical schemes
  + counterexamples mostly contrived
  + proof in RO model preferable over ad-hoc design


Identity-based signatures (IBS)

Shamir, 1984

[Diagram: the signer “Alice” runs Sign(sk,M) → σ and the verifier runs Vf(pk,M,σ) → acc/rej; question marks mark the open question of how the verifier knows that pk is Alice’s key (pk_Alice?).]

Identity-based signatures (IBS)

Shamir, 1984

[Diagram: MKg(1^k) → (mpk,msk). The holder of msk runs UKg(msk,“Alice”) → usk_A. Alice signs with Sign(usk_A,M) → σ; the verifier needs only mpk and the identity string: Vf(mpk,“Alice”,M,σ) → acc/rej.]

Identity-based identification (IBI)

Shamir, 1984

[Diagram: MKg(1^k) → (mpk,msk). UKg(msk,“Alice”) → usk_A. The prover P holds usk_A; the verifier V holds mpk and the identity “Alice” and outputs acc/rej.]

State of the area prior to this work

IBI schemes
  many proposed [FS86, Bet88, GQ89, Gir90, Oka93]
  no appropriate security notion
  proofs under non-ID-based notion or entirely lacking

IBS schemes
  many proposed [Sha84, FS86, GQ89, SOK00, Pat02, CC03, Hes03, Yi03]
  good security definition [CC03]
  general transform “trapdoor” SS to IBS [DKXY03]
  some gaps remain

Our contributions

Security definitions for IBI schemes

Framework of security-preserving transforms

Security proofs for 12 scheme “families”
  by implication through transforms
  by surfacing and proving unanalyzed SI schemes
  by proving as IBI schemes directly (exceptions)

Attack on 1 scheme family

[Diagram: the four scheme types SI, IBI, SS, IBS arranged in a square, to be connected by transforms.]

Security of IBS and IBI schemes

IBS schemes: uf-cma security [CC03]

IBI schemes: imp-pa, imp-aa, imp-ca security
  1. Learning phase: Initialize and Corrupt oracles; see conversation transcripts (pa), interact with provers sequentially (aa) or in parallel (ca)
  2. Attack phase: impersonate an uncorrupted identity ID_break of the adversary’s choice; oracles are blocked for ID = ID_break

[Diagram: the adversary F receives mpk and has oracles Initialize(ID), Corrupt(ID) → usk_ID and, for IBS, Sign(usk_ID,·) answering (M,ID) with σ; an IBS forgery is a triple (ID,M,σ).]

The framework

[Diagram: SI, IBI, SS, IBS in a square; fs-I-2-S maps SI → SS and IBI → IBS, cSI-2-IBI maps SI → IBI, cSS-2-IBS maps SS → IBS, efs-IBI-2-IBS maps IBI → IBS.]

SI to SS: fs-I-2-S, “canonical” SI → SS [FS86]
  Theorem [AABN02]: SI is imp-pa secure ⇒ SS = fs-I-2-S(SI) is uf-cma secure in the random oracle model

SI to IBI: cSI-2-IBI, “convertible” SI → IBI
  Theorem: SI is imp-xx secure ⇒ IBI = cSI-2-IBI(SI) is imp-xx secure in the random oracle model

SS to IBS: cSS-2-IBS, “convertible” SS → IBS, generalization of [DKXY03]
  Theorem: SS is uf-cma secure ⇒ IBS = cSS-2-IBS(SS) is uf-cma secure in the random oracle model

IBI to IBS: fs-I-2-S, “canonical converted” IBI → IBS
  cSS-2-IBS(fs-I-2-S(SI)) = fs-I-2-S(cSI-2-IBI(SI))
  not security-preserving for all IBI

IBI to IBS: efs-IBI-2-IBS, “canonical” IBI → IBS
  Theorem: IBI is imp-pa secure ⇒ IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the random oracle model
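As an added example (this is not code from the thesis or its authors), the following Python sketch makes the framework concrete for one family from the results table, GQ: a canonical three-move GQ identification scheme; the fs-I-2-S transform, which turns it into a signature scheme by replacing the verifier’s challenge with a hash of the public key, the commitment and the message; and the cSI-2-IBI transform, which turns it into an IBI scheme by setting the identity’s GQ public key to H(ID) and letting UKg extract the user key with the trapdoor (the factorization of N). Composing the two gives the IBS fs-I-2-S(cSI-2-IBI(GQ)). The toy modulus (two five-digit primes, not a secure size), the exponent 65537, SHA-256 as the random-oracle stand-in and the exact encoding of hash inputs are my constructed choices.

```python
import hashlib
import secrets

# Constructed toy parameters: a tiny RSA modulus (NOT a secure size), a prime
# public exponent and the trapdoor D.  In the IBI setting (N, E) plays mpk and
# the factorization (equivalently D) plays msk.  pow(a, -1, m) needs Python 3.8+.
P, Q = 10007, 10009
N = P * Q
E = 65537                      # GQ challenges are drawn from [0, E)
D = pow(E, -1, (P - 1) * (Q - 1))

def h_int(*parts, modulus):
    """Random-oracle stand-in: SHA-256 over the '|'-joined parts, reduced mod modulus."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

# --- GQ as a canonical (3-move) standard identification scheme ---------------
# pk = X = x^E mod N, sk = x.  Moves: commitment Y, challenge c, response z.
def gq_keygen():
    x = secrets.randbelow(N - 2) + 2
    return pow(x, E, N), x

def gq_commit():
    """Prover's first move: Y = r^E mod N; r is kept for the response."""
    r = secrets.randbelow(N - 2) + 2
    return pow(r, E, N), r

def gq_respond(x, r, c):
    """Prover's third move: z = r * x^c mod N."""
    return (r * pow(x, c, N)) % N

def gq_check(X, Y, c, z):
    """Verifier's decision: accept iff z^E == Y * X^c (mod N)."""
    return pow(z, E, N) == (Y * pow(X, c, N)) % N

def gq_identify(X, x):
    """Honest run of the interactive protocol; returns the verifier's decision."""
    Y, r = gq_commit()
    c = secrets.randbelow(E)           # the verifier's random challenge
    return gq_check(X, Y, c, gq_respond(x, r, c))

# --- fs-I-2-S: canonical SI -> SS.  The verifier's challenge is replaced by
# c = H(pk, commitment, message), so the transcript (Y, z) becomes a signature.
def fs_sign(X, x, msg):
    Y, r = gq_commit()
    c = h_int(X, Y, msg, modulus=E)
    return Y, gq_respond(x, r, c)

def fs_verify(X, msg, sig):
    Y, z = sig
    return gq_check(X, Y, h_int(X, Y, msg, modulus=E), z)

# --- cSI-2-IBI: convertible SI -> IBI.  GQ is "convertible" because pk = X is
# the image of sk under the trapdoor permutation x -> x^E mod N: the identity's
# public key is set to X_ID = H(ID) and UKg uses the trapdoor to invert it.
def ibi_pk(identity):
    """Anyone can derive the identity's GQ public key from mpk and the name alone."""
    return h_int("id", identity, modulus=N)

def ibi_ukg(identity):
    """UKg(msk, ID): usk_ID = H(ID)^D mod N, so that usk_ID^E == H(ID) (mod N)."""
    return pow(ibi_pk(identity), D, N)

def ibi_identify(identity, usk):
    return gq_identify(ibi_pk(identity), usk)

# --- IBS = fs-I-2-S(cSI-2-IBI(GQ)); by the commuting diagram on the slide this
# is the same scheme as cSS-2-IBS(fs-I-2-S(GQ)).
def ibs_sign(identity, usk, msg):
    return fs_sign(ibi_pk(identity), usk, msg)

def ibs_verify(identity, msg, sig):
    return fs_verify(ibi_pk(identity), msg, sig)
```

The verifier in the IBI and IBS cases never sees anything but (N, E) and the identity string, which is the point of the transform; and because the message enters the hash in fs_sign, a signature produced for one message is rejected for any other.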

Results for concrete schemes

For SI and IBI the three entries give the status under imp-pa / imp-aa / imp-ca; for SS and IBS the entry gives the status under uf-cma.

Name        | Origin       | SI (pa aa ca) | IBI (pa aa ca) | SS | IBS
Beth        | IBI          | P  ?  ?       | I  ?  ?        | I  | I
OkDL        | IBI          | I  I  I       | P  P  P        | I  | I
SOK         | IBS          | P  A  A       | I  A  A        | I  | I
Hess        | IBS          | P  P  P       | I  I  I        | P  | I
Cha-Cheon   | IBS          | P  P  P       | I  I  I        | I  | P
BNNDL       | SI, IBI      | I  I  I       | P  P  P        | I  | I
Girault     | SI, IBI      | A  A  A       | A  A  A        | A  | A
FF          | SI, SS       | P  P  P       | I  I  I        | I  | I
It. Root    | SI, SS       | P  P  ?       | I  I  ?        | I  | I
Fiat-Shamir | IBI, IBS     | P  P  P       | I  I  I        | I  | I
GQ          | IBI, IBS     | P  P  P       | I  I  I        | I  | I
OkRSA       | SI, IBI, SS  | P  P  P       | I  I  I        | I  | I
Shamir*     | SI           | P  P  P       | I  I  I        | I  | I
Shamir      | IBS          | P  A  A       | I  A  A        | I  | I

P = proved, I = implied, A = attacked, ? = open problem; new contributions were highlighted on the original slide.


Transitive signatures

Micali-Rivest, 2002

Message is a pair of nodes i,j

Signing i,j = creating and authenticating edge {i,j}

An authenticated graph grows with time

[Diagram: TKg(1^k) → (tpk,tsk). The signer runs TSign(tsk,i,j) → σ_{i,j}; the verifier runs TVf(tpk,i,j,σ’_{i,j}) → acc/rej. Example graph: edges {1,2} with σ_{1,2}, {2,3} with σ_{2,3}, {4,5} with σ_{4,5}.]

Transitive signatures

Additional composition algorithm Comp(tpk,i,j,k,σ_{i,j},σ_{j,k}) → σ_{i,k}

Authenticated graph is the transitive closure of the directly signed edges

[Diagram: the same graph, plus σ_{1,3} derived from σ_{1,2} and σ_{2,3} by anyone holding tpk.]

Security of transitive signatures

Standard uf-cma security definition doesn’t apply: composition allows some extent of forgery

New security goal [MR02b]: computationally infeasible to forge signatures not in the transitive closure of the edges signed directly by the signer, even under “chosen-edge” attack

[Diagram: the forger F receives tpk and oracle access to TSign(tsk,·,·); it requests σ_{1,2}, σ_{2,3}, σ_{4,5} for the edges 1,2; 2,3; 4,5, may compose σ_{1,3} itself, and wins only with a signature on an edge outside the closure, e.g. ({1,4}, σ_{1,4}).]

Node certification technique

For each node i, the signer:
  chooses secret label x_i
  computes public label y_i = f(x_i)
  creates node certificate ⟨i,y_i⟩

Signature σ_{1,2} = (⟨1,y_1⟩, ⟨2,y_2⟩, δ_{1,2}) where δ_{1,2} = g(x_1,x_2)

Verification of σ_{1,2} = (⟨1,y_1⟩, ⟨2,y_2⟩, δ_{1,2}):
  check validity of node certificates
  compare δ_{1,2} to y_1, y_2

Composition of σ_{1,2} and σ_{2,3}: σ_{1,3} = (⟨1,y_1⟩, ⟨3,y_3⟩, δ_{1,3}) where δ_{1,3} = h(δ_{1,2},δ_{2,3})

[Diagram: nodes 1, 2, 3 with secret labels x_1, x_2, x_3 and public labels y_1, y_2, y_3; edges σ_{1,2}, σ_{2,3} and the composed σ_{1,3}.]

Eliminating node certificates

For each node i, the signer:
  computes public label y_i = H(i)
  computes secret label x_i = f^{-1}(y_i) (using trapdoor information)

Signature σ_{1,2} = δ_{1,2} = g(x_1,x_2)

Verification of σ_{1,2} = δ_{1,2}: compare δ_{1,2} to H(1), H(2)

Composition of σ_{1,2} and σ_{2,3}: σ_{1,3} = δ_{1,3} = h(δ_{1,2},δ_{2,3})

[Diagram: nodes 1, 2, 3 with labels (x_1,y_1), (x_2,y_2), (x_3,y_3); edges σ_{1,2}, σ_{2,3} and the composed σ_{1,3}.]
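As an added example (not code from the thesis), here is the certificate-free construction above instantiated with the RSA function: f(x) = x^E mod N, so the secret label x_i = H(i)^{1/E} mod N needs the factorization as trapdoor; g(x_i,x_j) = x_i/x_j mod N; and h is multiplication, which cancels the shared node’s label. As far as I know this is the shape of the RSAH-TS scheme listed in the contributions table, but treat that identification as my assumption. The block also walks through the chosen-edge scenario of the security slide: from σ_{1,2}, σ_{2,3}, σ_{4,5} anyone holding tpk can compose σ_{1,3}, while the obvious attempts at an edge {1,4} outside the closure fail verification. The toy primes (not a secure size), the exponent 65537, SHA-256 as the random oracle, the orientation convention (label ratio from the smaller node number to the larger) and the helper `close` are my constructed choices, not thesis algorithms.

```python
import hashlib

# Constructed toy RSA parameters (NOT a secure size).  tpk = (N, E) is public,
# tsk = D, the trapdoor for f(x) = x^E mod N, stays with the signer.
# pow(a, -1, m) for modular inverses needs Python 3.8+.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def H(i):
    """Public label y_i = H(i): a hash of the node name into Z_N, computable by anyone."""
    return int.from_bytes(hashlib.sha256(b"node|%d" % i).digest(), "big") % N

def secret_label(i):
    """x_i = f^{-1}(y_i): the E-th root of H(i) mod N; only the trapdoor holder can do this."""
    return pow(H(i), D, N)

def orient(i, j, delta):
    """A stored delta for edge {i,j} equals x_min / x_max; return the ratio for
    the direction i -> j (the inverse when i is the larger node)."""
    return delta if i < j else pow(delta, -1, N)

def tsign(i, j):
    """TSign(tsk, i, j): delta_{i,j} = g(x_i, x_j) = x_i / x_j mod N, with i < j."""
    i, j = sorted((i, j))
    return (secret_label(i) * pow(secret_label(j), -1, N)) % N

def tvf(i, j, delta):
    """TVf(tpk, i, j, delta): accept iff delta^E == H(i) / H(j) mod N (i < j).
    Only public labels are involved, so no node certificate travels with the signature."""
    i, j = sorted((i, j))
    return pow(delta, E, N) == (H(i) * pow(H(j), -1, N)) % N

def comp(i, j, k, d_ij, d_jk):
    """Comp(tpk, i, j, k, delta_{i,j}, delta_{j,k}) = h(delta_{i,j}, delta_{j,k}):
    (x_i / x_j) * (x_j / x_k) = x_i / x_k, stored again in canonical orientation."""
    d_ik = (orient(i, j, d_ij) * orient(j, k, d_jk)) % N
    return orient(i, k, d_ik)

def close(signed):
    """Added helper: everything a holder of tpk can derive from the directly signed
    edges, i.e. signatures for the whole transitive closure, using comp only."""
    sigs = {tuple(sorted(e)): d for e, d in signed.items()}
    changed = True
    while changed:
        changed = False
        for (a, b), d_ab in list(sigs.items()):
            for (c, e), d_ce in list(sigs.items()):
                shared = {a, b} & {c, e}
                if len(shared) != 1:          # disjoint edges, or the same edge
                    continue
                j = shared.pop()
                i = a if b == j else b
                k = c if e == j else e
                key = tuple(sorted((i, k)))
                if key not in sigs:
                    sigs[key] = comp(i, j, k, d_ab, d_ce)
                    changed = True
    return sigs
```

Because verification compares δ^E with the ratio of two hashes, reusing δ_{1,2} for another edge, or multiplying signatures of edges that do not share a node, yields a value whose E-th power is the wrong ratio; only paths through the signed graph compose into valid signatures, which is exactly the [MR02b] goal.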

Scheme contributions

Scheme   | Security assumptions                                | Random oracle? | Signature length
GapH-TS  | One-more Gap-DH                                     | Yes            | 170 bits
FactH-TS | Factoring                                           | Yes            | 1024 bits
RSAH-TS  | One-more RSA                                        | Yes            | 1024 bits
Gap-TS   | One-more Gap-DH, security of SS scheme              | No             | 2558 bits
DL1m-TS  | One-more discrete logarithms, security of SS scheme | No             | 4256 bits (SDL), 2548 bits (EC)
Fact-TS  | Factoring, security of SS scheme                    | No             | 5120 bits
RSA-TS   | One-more RSA, security of SS scheme                 | No             | 5120 bits
DL-TS    | Discrete logarithms, security of SS scheme          | No             | 4416 bits (SDL), 2708 bits (EC)
Trivial  | Security of SS scheme                               | No             | O(|path|)

SDL = subgroup discrete log, EC = elliptic curve; new contributions were highlighted on the original slide.


Summary of contributions

Identity-based identification and signature schemes
  Security notion for IBI schemes
  Framework of security-preserving transforms
  Proofs for 12 scheme families, attack for 1 family
  Direct proofs as IBI schemes for 2 families

Transitive signature schemes
  Security proof for RSA-TS scheme
  New provably secure schemes based on factoring, discrete logarithms and Gap-DH groups
  Hash-based technique to eliminate node certificates

Open problems

Open problems in proofs for IBI/IBS schemes

Tighter bounds for IBI/IBS schemes through direct proofs

Provably secure identity-based cryptography without random oracles

Directed transitive signatures

Signature scheme such that Sign(sk1,pk2), Sign(sk2,M) → Sign(sk1,M), to compress certificate chains [BB04]
