Post on 12-Jan-2016
Provably Secure Identity-Based Identification Schemes and Transitive Signatures
ir. Gregory Neven
Advisors: Prof. Dr. ir. Frank Piessens, Prof. Dr. ir. Bart De Decker
Katholieke Universiteit Leuven, Faculteit Toegepaste Wetenschappen, Departement Computerwetenschappen
Slide 2: Overview
- Introduction: provable security
- Identity-based identification schemes (joint work with Mihir Bellare and Chanathip Namprempre)
  - Concept
  - Framework of transforms
  - Summary of results
- Transitive signatures (joint work with Mihir Bellare)
  - Concept
  - Node certification technique
  - Summary of results
- Conclusion
Slide 3: Standard digital signatures (SS)
Cryptography = study of mathematical techniques for information security.
Diagram: Kg(1^k) → (pk, sk); the signer holds sk and runs Sign(sk, M) → σ; the verifier holds pk and runs Vf(pk, M, σ) → acc/rej. [Diffie-Hellman, 1976]
Slide 4: Standard identification (SI) schemes
Cryptography = study of mathematical techniques for information security.
Diagram: Kg(1^k) → (pk, sk); the prover P holds sk, the verifier V holds pk; after the interactive protocol V outputs acc/rej.
Slide 5: Provable security
- Until the 1980s: ad-hoc design, "secure until proven insecure"
- More recently: provable security [GMR88]
  - Step 1: security notion, i.e. the meaning of "security" of the scheme
  - Step 2: security proof: the only way to break the scheme is by solving a supposedly hard mathematical problem or breaking the underlying cryptographic building block
- From theoreticians' toy to industry-relevant property
Slide 6: Step 1: Security notion
Desirable properties of a signature scheme:
- infeasible to compute sk from pk
- unforgeability, even after seeing many valid signatures on messages chosen by the adversary
Diagram: the adversary receives pk, submits messages M_i and receives signatures σ_i, collecting (M_1, σ_1), ..., (M_n, σ_n); it wins by outputting (M, σ) such that Vf(pk, M, σ) = acc.

Slide 7: Step 1: Security notion
Desirable properties: infeasible to compute sk from pk; unforgeability even after seeing valid signatures on messages chosen by the adversary.
Security (uf-cma) = no "reasonable" algorithm has non-negligible probability of winning the game.
Diagram: the forger F receives pk and oracle access to Sign(sk, ·), querying M_i and receiving σ_i; F wins by outputting (M, σ) such that Vf(pk, M, σ) = acc, where M was not among the queried messages.
Slide 8: Step 2: Security proof
By contradiction: suppose such an algorithm F exists; then a "reasonable" algorithm A exists that solves the supposedly hard mathematical problem or breaks the underlying cryptographic building block.
Diagram: A receives an instance of the hard problem, hands F a public key pk, answers F's signing queries M_i with signatures σ_i, and turns F's forgery (M, σ) into a solution of the hard problem.
9
FactoringGiven N = pq where p,q large primesFind p,q
RSAGiven N = pq where p,q large primes
e where gcd(e,φ(N)) = 1 and φ(N) = (p-1)(q-1)
y ∈ ZN
Find x : xe = y mod N Discrete logarithms
Given p large prime
g generator of Zp
y ∈ Zp
Find x : gx = y mod p
(Also subgroups of Zp, elliptic curves)
Mathematically hard problems
*
**
*
Slide 10: Random oracle model
Cryptographic hash function H: {0,1}* → {0,1}^k
- one-wayness: given y, finding x such that H(x) = y is hard
- collision-resistance: finding x1, x2 such that H(x1) = H(x2) is hard
Random oracle model [BR93b]: H behaves as an unpredictable, truly random function.
- unsatisfiable assumption
- no longer a proof, only a (good) heuristic
- counterexamples known [CGH98, Nie02, GK03, BBP04]
+ "provable" security for practical schemes
+ counterexamples mostly contrived
+ a proof in the RO model is preferable over ad-hoc design
Slide 11: Overview (repeated; next section: identity-based identification schemes)
Slide 12: Identity-based signatures (IBS)
Shamir, 1984
Diagram: as for SS, the signer runs Sign(sk, M) → σ and the verifier outputs acc/rej, but the verifier is given the identity "Alice" in place of pk_Alice; the question marks mark the open issue of how sk and pk are derived from the identity.
Slide 13: Identity-based signatures (IBS)
Shamir, 1984
Diagram: MKg(1^k) → (mpk, msk); UKg(msk, "Alice") → usk_A; Alice signs with Sign(usk_A, M) → σ; the verifier runs Vf(mpk, "Alice", M, σ) → acc/rej.
Slide 14: Identity-based identification (IBI)
Shamir, 1984
Diagram: MKg(1^k) → (mpk, msk); UKg(msk, "Alice") → usk_A; the prover P holds usk_A, the verifier V holds (mpk, "Alice"); after the interactive protocol V outputs acc/rej.
Slide 15: State of the area prior to this work
IBI schemes:
- many proposed [FS86, Bet88, GQ89, Gir90, Oka93]
- no appropriate security notion
- proofs under a non-ID-based notion or entirely lacking
IBS schemes:
- many proposed [Sha84, FS86, GQ89, SOK00, Pat02, CC03, Hes03, Yi03]
- good security definition [CC03]
- general transform from "trapdoor" SS to IBS [DKXY03]
- some gaps remain
Slide 16: Our contributions
- Security definitions for IBI schemes
- Framework of security-preserving transforms (diagram: the square SI → IBI, SS → IBS)
- Security proofs for 12 scheme "families":
  - by implication through the transforms
  - by surfacing and proving unanalyzed SI schemes
  - by proving as IBI schemes directly (exceptions)
- Attack on 1 scheme family
Slide 17: Security of IBS and IBI schemes
IBS schemes: uf-cma security [CC03]
IBI schemes: imp-pa, imp-aa, imp-ca security
1. Learning phase: Initialize and Corrupt oracles; see conversation transcripts (pa), interact with provers sequentially (aa) or in parallel (ca)
2. Attack phase: impersonate an uncorrupted identity ID_break of the adversary's choice; oracles are blocked for ID = ID_break
Diagram (IBS game): F receives mpk; Initialize(ID) registers an identity; Corrupt(ID) returns usk_ID; the signing oracle Sign(usk_ID, ·) answers (M, ID) with σ; F outputs a forgery (ID, M, σ).
Slides 18-22: The framework
Diagram: the square SI → SS (fs-I-2-S), SI → IBI (cSI-2-IBI), SS → IBS (cSS-2-IBS), IBI → IBS (fs-I-2-S, efs-IBI-2-IBS), built up one transform at a time over five slides.
SI to SS: fs-I-2-S, "canonical" SI → SS [FS86]
  Theorem [AABN02]: SI is imp-pa secure ⇓ SS = fs-I-2-S(SI) is uf-cma secure in the random oracle model
SI to IBI: cSI-2-IBI, "convertible" SI → IBI
  Theorem: SI is imp-xx secure ⇓ IBI = cSI-2-IBI(SI) is imp-xx secure in the random oracle model
SS to IBS: cSS-2-IBS, "convertible" SS → IBS, generalization of [DKXY03]
  Theorem: SS is uf-cma secure ⇓ IBS = cSS-2-IBS(SS) is uf-cma secure in the random oracle model
IBI to IBS: fs-I-2-S, "canonical converted" IBI → IBS
  cSS-2-IBS(fs-I-2-S(SI)) = fs-I-2-S(cSI-2-IBI(SI)), but not security-preserving for all IBI
IBI to IBS: efs-IBI-2-IBS, "canonical" IBI → IBS
  Theorem: IBI is imp-pa secure ⇓ IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the random oracle model
Slide 23: Results for concrete schemes
Columns: SI (imp-pa, imp-aa, imp-ca), IBI (imp-pa, imp-aa, imp-ca), SS (uf-cma), IBS (uf-cma).
P = proved, I = implied, A = attacked, ? = open problem (new contributions are marked in bold on the slide, which the transcript does not preserve)

Name        | Origin      | SI pa aa ca | IBI pa aa ca | SS | IBS
GQ          | IBI, IBS    | P  P  P     | I   I  I     | I  | I
OkRSA       | SI, IBI, SS | P  P  P     | I   I  I     | I  | I
Beth        | IBI         | P  ?  ?     | I   ?  ?     | I  | I
OkDL        | IBI         | I  I  I     | P   P  P     | I  | I
SOK         | IBS         | P  A  A     | I   A  A     | I  | I
Hess        | IBS         | P  P  P     | I   I  I     | P  | I
Cha-Cheon   | IBS         | P  P  P     | I   I  I     | I  | P
Shamir*     | SI          | P  P  P     | I   I  I     | I  | I
Shamir      | IBS         | P  A  A     | I   A  A     | I  | I
BNNDL       | SI, IBI     | I  I  I     | P   P  P     | I  | I
Girault     | SI, IBI     | A  A  A     | A   A  A     | A  | A
FF          | SI, SS      | P  P  P     | I   I  I     | I  | I
It. Root    | SI, SS      | P  P  ?     | I   I  ?     | I  | I
Fiat-Shamir | IBI, IBS    | P  P  P     | I   I  I     | I  | I
Slide 24: Overview (repeated; next section: transitive signatures)
Slide 25: Transitive signatures
Micali-Rivest, 2002
- Message is a pair of nodes i, j
- Signing i, j = creating and authenticating the edge {i, j}
- An authenticated graph grows with time
Diagram: TKg(1^k) → (tpk, tsk); the signer runs TSign(tsk, i, j) → σ_{i,j}; the verifier runs TVf(tpk, i, j, σ'_{i,j}) → acc/rej. Example graph: nodes 1 to 5 with signed edges σ_{1,2}, σ_{2,3}, σ_{4,5}.

Slide 26: Transitive signatures
Same diagram plus an additional composition algorithm Comp(tpk, i, j, k, σ_{i,j}, σ_{j,k}) → σ_{i,k}; in the example, σ_{1,2} and σ_{2,3} compose into σ_{1,3}.
- Authenticated graph is the transitive closure of the directly signed edges
Slide 27: Security of transitive signatures
Standard uf-cma security definition doesn't apply: composition allows some extent of forgery.
New security goal [MR02b]: computationally infeasible to forge signatures not in the transitive closure of the edges signed directly by the signer, even under "chosen-edge" attack.
Diagram: the forger F receives tpk and oracle access to TSign(tsk, ·, ·); it queries the edges {1,2}, {2,3}, {4,5} and receives σ_{1,2}, σ_{2,3}, σ_{4,5}; composing σ_{1,2} and σ_{2,3} into σ_{1,3} is allowed, whereas outputting ({1,4}, σ_{1,4}) counts as a forgery, since {1,4} lies outside the transitive closure.
Slide 28: Node certification technique
For each node i, the signer:
- chooses a secret label x_i
- computes the public label y_i = f(x_i)
- creates a node certificate ⟨i, y_i⟩
Signature σ_{1,2} = (⟨1, y_1⟩, ⟨2, y_2⟩, δ_{1,2}) where δ_{1,2} = g(x_1, x_2)
Verification of σ_{1,2} = (⟨1, y_1⟩, ⟨2, y_2⟩, δ_{1,2}):
- check validity of the node certificates
- compare δ_{1,2} to y_1, y_2
Composition of σ_{1,2} and σ_{2,3}: σ_{1,3} = (⟨1, y_1⟩, ⟨3, y_3⟩, δ_{1,3}) where δ_{1,3} = h(δ_{1,2}, δ_{2,3})

Slide 29: Eliminating node certificates
For each node i, the signer:
- computes the public label y_i = H(i)
- computes the secret label x_i = f^{-1}(y_i) (using trapdoor information)
Signature σ_{1,2} = δ_{1,2} = g(x_1, x_2)
Verification of σ_{1,2} = δ_{1,2}: compare δ_{1,2} to H(1), H(2)
Composition of σ_{1,2} and σ_{2,3}: σ_{1,3} = δ_{1,3} = h(δ_{1,2}, δ_{2,3})
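The label-based construction of slides 28 and 29 instantiated with RSA, as an added example that is not code from the thesis or these slides: f(x) = x^e mod N, g(x_i, x_j) = x_i / x_j mod N, h = multiplication mod N, and H = SHA-256 reduced into Z_N, so no node certificates are needed. The toy modulus, the node-name encoding and the gcd guard are my own assumptions.

```python
import hashlib
import math

# Constructed toy RSA parameters (primes just below and above 10^6) so the
# example runs instantly; a real instantiation uses a 1024-bit or larger modulus.
P, Q = 999983, 1000003
E = 65537

def tkg():
    """TKg: returns (tpk, tsk) = ((N, e), d); d is the trapdoor for f(x) = x^e mod N."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), d

def public_label(tpk, node):
    """y_i = H(i): hash the node name straight into Z_N (random-oracle style)."""
    n, _ = tpk
    y = int.from_bytes(hashlib.sha256(f"node:{node}".encode()).digest(), "big") % n
    while y < 2 or math.gcd(y, n) != 1:   # toy guard so that y_i is invertible mod N
        y += 1
    return y

def secret_label(tpk, tsk, node):
    """x_i = f^{-1}(y_i): only the trapdoor holder can take the e-th root of H(i)."""
    n, _ = tpk
    return pow(public_label(tpk, node), tsk, n)

def tsign(tpk, tsk, i, j):
    """TSign: edge signature delta_{i,j} = g(x_i, x_j) = x_i / x_j mod N."""
    n, _ = tpk
    return secret_label(tpk, tsk, i) * pow(secret_label(tpk, tsk, j), -1, n) % n

def comp(tpk, delta_ij, delta_jk):
    """Comp: delta_{i,k} = h(delta_{i,j}, delta_{j,k}) = delta_{i,j} * delta_{j,k} mod N.
    Anyone can do this from two signatures sharing node j; no secret is involved."""
    n, _ = tpk
    return delta_ij * delta_jk % n

def tvf(tpk, i, j, delta):
    """TVf: accept iff f(delta) = delta^e equals y_i / y_j = H(i) / H(j) mod N.
    The verifier recomputes the public labels, so no certificates are transmitted."""
    n, e = tpk
    expected = public_label(tpk, i) * pow(public_label(tpk, j), -1, n) % n
    return pow(delta, e, n) == expected
```

Because δ_{j,i} = δ_{i,j}^{-1} mod N, a verifier for undirected edges can check either orientation; the code above checks the ordered pair it is given.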
Slide 30: Scheme contributions
SDL = subgroup discrete log, EC = elliptic curve (new contributions are marked in bold on the slide, which the transcript does not preserve)

Scheme   | Security assumptions                                | Random oracle? | Signature length
GapH-TS  | One-more Gap-DH                                     | Yes            | 170 bits
FactH-TS | Factoring                                           | Yes            | 1024 bits
RSAH-TS  | One-more RSA                                        | Yes            | 1024 bits
Gap-TS   | One-more Gap-DH, security of SS scheme              | No             | 2558 bits
DL1m-TS  | One-more discrete logarithms, security of SS scheme | No             | 4256 bits (SDL), 2548 bits (EC)
Fact-TS  | Factoring, security of SS scheme                    | No             | 5120 bits
RSA-TS   | One-more RSA, security of SS scheme                 | No             | 5120 bits
DL-TS    | Discrete logarithms, security of SS scheme          | No             | 4416 bits (SDL), 2708 bits (EC)
Trivial  | Security of SS scheme                               | No             | O(|path|)
Slide 31: Overview (repeated; next section: conclusion)
Slide 32: Summary of contributions
Identity-based identification and signature schemes:
- Security notion for IBI schemes
- Framework of security-preserving transforms
- Proofs for 12 scheme families, attack for 1 family
- Direct proofs as IBI schemes for 2 families
Transitive signature schemes:
- Security proof for the RSA-TS scheme
- New provably secure schemes based on factoring, discrete logarithms and Gap-DH groups
- Hash-based technique to eliminate node certificates
Slide 33: Open problems
- Open problems in proofs for IBI/IBS schemes
- Tighter bounds for IBI/IBS schemes through direct proofs
- Provably secure identity-based cryptography without random oracles
- Directed transitive signatures: a signature scheme such that Sign(sk1, pk2), Sign(sk2, M) → Sign(sk1, M), to compress certificate chains [BB04]