
### Security Proofs for Identity-Based Identification and Signature Schemes

- Mihir Bellare, University of California at San Diego, USA
- Chanathip Namprempre, Thammasat University, Thailand
- Gregory Neven, Katholieke Universiteit Leuven, Belgium

Identity-based encryption

- Proposed by Shamir (1984)
- Efficiently implemented by Boneh-Franklin (2001)

Diagram: the KDC runs MKg($1^k$) → (mpk, msk) and UKg(msk, “Bob”) → $usk_B$; mpk is public and $usk_B$ goes to Bob. Alice runs E(mpk, “Bob”, M) → C and sends C to Bob; Bob runs D($usk_B$, C) → M.

Identity-based signatures (IBS)

- Proposed and implemented by Shamir (1984)
- Alternative implementations followed [FS86, GQ89]
- Renewed interest using pairings [SOK00, P02, CC03, H03, Yi03]

Diagram: the KDC runs MKg($1^k$) → (mpk, msk) and UKg(msk, “Alice”) → $usk_A$; mpk is public and $usk_A$ goes to Alice. Alice runs Sign($usk_A$, M) → σ and sends (M, σ) to Bob; Bob runs Vf(mpk, “Alice”, M, σ) → acc/rej.

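Identity-based identification (IBI)

- Proposed by Shamir (1984)
- Numerous implementations followed [FS86, B88, GQ89, G90, O93]

Diagram: the KDC runs MKg($1^k$) → (mpk, msk) and UKg(msk, “Alice”) → $usk_A$; mpk is public and $usk_A$ goes to Alice. Alice runs the prover P($usk_A$) in an interactive protocol with Bob, who runs the verifier V(mpk, “Alice”) → acc/rej.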

Provable security of IBI/IBS schemes

- IBI schemes
  - no appropriate security definitions
  - proofs in weak model (fixed identity) or entirely lacking
- IBS schemes
  - good security definition [CC03]
  - security proofs for some schemes directly [CC03] or through “trapdoor SS” to IBS transform [DKXY03]
  - some gaps remain

Existing security proofs

Existing security proofs for

- identification schemes underlying IBI schemes, e.g. [FFS88] prove [FS86], [BP02] prove [GQ89]
- signature schemes underlying IBS schemes, e.g. analyses of Fiat-Shamir transform [PS96, OO98, AABN02]

refer to standard identification (SI) and signature (SS) schemes.

Build on these proofs, rather than from scratch.

Diagram: the four scheme types SI, IBI, SS and IBS.

Our contributions

- Security definitions for IBI schemes
- Security proofs for “trivial” certificate-based IBI/IBS schemes
- Framework of security-preserving transforms
- Security proofs for 12 scheme “families”
  - by implication through transforms
  - by surfacing and proving unanalyzed SI schemes
  - by proving as IBI schemes directly (exceptions)
- Attack on 1 scheme family

Independent work

Kurosawa, Heng (PKC 2004):

- security definitions for IBI schemes
- transform from SS to IBI schemes

Security of IBS and IBI schemes

- IBS schemes: uf-cma security [CC03]
- IBI schemes: imp-pa, imp-aa, imp-ca security
  - Learning phase: Initialize and corrupt oracles, see conversation transcripts (pa), interact with provers sequentially (aa) or in parallel (ca)
  - Attack phase: impersonate an uncorrupted identity $ID_{break}$ of the adversary’s choice; oracles are blocked off for ID = $ID_{break}$

Diagram: the adversary F receives mpk and has access to the oracles Initialize (input ID), Sign($usk_{ID}$, ·) (input M, ID; output σ) and Corrupt (input ID; output $usk_{ID}$). F outputs (ID, M, σ).

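The Shamir-SI scheme

Kg($1^k$):

- $(N,e,d) \leftarrow K_{rsa}(1^k)$
- $X \xleftarrow{R} \mathbb{Z}_N^*$
- $x \leftarrow X^d \bmod N$
- $pk \leftarrow (N,e,X)$
- $sk \leftarrow (N,e,x)$
- Return $(pk,sk)$

Protocol between P(sk) and V(pk):

- P: $(N,e,x) \leftarrow sk$; $y \xleftarrow{R} \mathbb{Z}_N^*$; $Y \leftarrow y^e \bmod N$; send $Y$ to V
- V: $(N,e,X) \leftarrow pk$; $c \xleftarrow{R} \{0,1\}^{\ell(k)}$; send $c$ to P
- P: $z \leftarrow x y^c \bmod N$; send $z$ to V
- V: if $z^e = X Y^c \bmod N$ then accept else reject

Notes on the slide:

- “surfaced” from Shamir-IBS [S84]
- (statistical) HVZK + POK ⇒ imp-pa secure
- not imp-aa secure (attack: choose c=0)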
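The Shamir-SI protocol as runnable code, added here as an example and not taken from the presentation. It runs the three moves over constructed toy RSA parameters and shows what the slide's "choose c=0" remark means: with challenge 0 the response z equals the secret x. The function names and the fixed modulus are assumptions of this example.

```python
import secrets
from math import gcd

# Constructed toy parameters (two Mersenne primes); far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # RSA private exponent d

def rand_unit():
    """Sample uniformly from Z_N^* by rejection."""
    while True:
        a = secrets.randbelow(N)
        if gcd(a, N) == 1:
            return a

def kg():
    """Kg: X <-R Z_N^*, x = X^d mod N; returns (pk, sk)."""
    X = rand_unit()
    return (N, E, X), (N, E, pow(X, D, N))

def commit(sk):
    """Prover, move 1: pick y, send Y = y^e mod N."""
    n, e, _ = sk
    y = rand_unit()
    return y, pow(y, e, n)

def respond(sk, y, c):
    """Prover, move 3: z = x * y^c mod N."""
    n, _, x = sk
    return x * pow(y, c, n) % n

def decide(pk, Y, c, z):
    """Verifier: accept iff z^e = X * Y^c mod N."""
    n, e, X = pk
    return pow(z, e, n) == X * pow(Y, c, n) % n

def run(pk, sk, c):
    """One protocol run with challenge c; returns (accepted, Y, z)."""
    y, Y = commit(sk)
    z = respond(sk, y, c)
    return decide(pk, Y, c, z), Y, z

if __name__ == "__main__":
    pk, sk = kg()
    print("honest run accepted:", run(pk, sk, secrets.randbits(32))[0])
    ok, _, z = run(pk, sk, 0)  # challenge c = 0 from a cheating verifier
    print("c=0 accepted:", ok, "| response equals secret x:", z == sk[2])
```

A passive observer only sees transcripts with honestly sampled challenges, which is why the imp-pa result still holds while the active (imp-aa) setting fails.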

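The Shamir-SS scheme

Kg($1^k$):

- $(N,e,d) \leftarrow K_{rsa}(1^k)$
- $X \xleftarrow{R} \mathbb{Z}_N^*$
- $x \leftarrow X^d \bmod N$
- $pk \leftarrow (N,e,X)$
- $sk \leftarrow (N,e,x)$
- Return $(pk,sk)$

Sign(sk, M):

- $(N,e,x) \leftarrow sk$
- $y \xleftarrow{R} \mathbb{Z}_N^*$
- $Y \leftarrow y^e \bmod N$
- $c \leftarrow H(Y,M)$
- $z \leftarrow x y^c \bmod N$
- $\sigma \leftarrow (Y,z)$

Vf(pk, M, σ):

- $(N,e,X) \leftarrow pk$
- $(Y,z) \leftarrow \sigma$
- $c \leftarrow H(Y,M)$
- If $z^e = X Y^c \bmod N$ then accept else reject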

The framework: SI to SS [FS86]

“canonical” SI scheme: P(sk) sends Cmt, V(pk) sends Ch, P sends Rsp, and V decides with Dec(pk,Cmt,Ch,Rsp).

Transform fs-I-2-S:

- Sign(sk,M): Ch ← H(Cmt,M); σ ← (Cmt,Rsp)
- Vf(pk,M,σ): Dec(pk, Cmt, H(Cmt,M), Rsp)

Diagram: fs-I-2-S maps SI to SS and IBI to IBS.

Theorem: SI is imp-pa secure ⇒ SS = fs-I-2-S(SI) is uf-cma secure in the RO model [AABN02]


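The Shamir-IBI scheme

MKg($1^k$):

- $(N,e,d) \leftarrow K_{rsa}(1^k)$
- $mpk \leftarrow (N,e)$
- $msk \leftarrow (N,e,d)$
- Return $(mpk,msk)$

UKg(msk, ID):

- $(N,e,d) \leftarrow msk$
- $X \leftarrow H(ID)$
- $x \leftarrow X^d \bmod N$
- $usk \leftarrow (N,e,x)$
- Return $usk$

Protocol between P(usk) and V(mpk, ID):

- P: $(N,e,x) \leftarrow usk$; $y \xleftarrow{R} \mathbb{Z}_N^*$; $Y \leftarrow y^e \bmod N$; send $Y$ to V
- V: $(N,e) \leftarrow mpk$; $c \xleftarrow{R} \{0,1\}^{\ell(k)}$; send $c$ to P
- P: $z \leftarrow x y^c \bmod N$; send $z$ to V
- V: if $z^e = H(ID) \cdot Y^c \bmod N$ then accept else reject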

The framework: SI to IBI

“convertible” SI scheme:

- Kg($1^k$): “trapdoor samplable relation” R; sk ← (R,x) ; pk ← (R,y) such that (x,y) ∈ R

Transform cSI-2-IBI:

- MKg($1^k$): generate relation R with trapdoor t; mpk ← R ; msk ← (R,t)
- UKg(msk, ID): y ← H(ID); use t to compute x s.t. (x,y) ∈ R; usk ← (R,x)

Diagram: SI → IBI via cSI-2-IBI, alongside fs-I-2-S, SS and IBS.

Theorem: SI is imp-xx secure ⇒ IBI = cSI-2-IBI(SI) is imp-xx secure in the RO model


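The Shamir-IBS scheme

MKg($1^k$):

- $(N,e,d) \leftarrow K_{rsa}(1^k)$
- $mpk \leftarrow (N,e)$
- $msk \leftarrow (N,e,d)$
- Return $(mpk,msk)$

UKg(msk, ID):

- $(N,e,d) \leftarrow msk$
- $X \leftarrow H(ID)$
- $x \leftarrow X^d \bmod N$
- $usk \leftarrow (N,e,x)$
- Return $usk$

Sign(usk, M):

- $(N,e,x) \leftarrow usk$
- $y \xleftarrow{R} \mathbb{Z}_N^*$
- $Y \leftarrow y^e \bmod N$
- $c \leftarrow H(Y,M)$
- $z \leftarrow x y^c \bmod N$
- $\sigma \leftarrow (Y,z)$

Vf(mpk, ID, M, σ):

- $(N,e) \leftarrow mpk$
- $(Y,z) \leftarrow \sigma$
- $c \leftarrow H(Y,M)$
- If $z^e = H(ID) \cdot Y^c \bmod N$ then accept else reject

= Shamir-IBS as proposed in [S84]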
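Shamir-IBS end to end, as an added example that is not code from the presentation: UKg derives the user key from H(ID) as in cSI-2-IBI, and Sign takes its challenge from H(Y, M) as in fs-I-2-S. The toy RSA parameters, the SHA-256 instantiation of H with separate domain tags for H(ID) and H(Y, M), the 32-bit challenge length and the function names are assumptions of this example.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (two Mersenne primes); far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
ELL = 32  # challenge length l(k) in bits (assumed)

def _h(tag, *parts):
    """SHA-256 over a domain tag and length-prefixed parts, as an integer."""
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")

def h_id(identity):
    """H(ID): identity string -> element of Z_N (assumed instantiation)."""
    return _h(b"id", identity.encode()) % N

def h_ch(Y, msg):
    """H(Y, M): commitment and message -> ELL-bit challenge."""
    return _h(b"ch", Y.to_bytes(16, "big"), msg) % (1 << ELL)

def mkg():
    """MKg: mpk = (N, e), msk = (N, e, d)."""
    return (N, E), (N, E, D)

def ukg(msk, identity):
    """UKg: x = H(ID)^d mod N, usk = (N, e, x)."""
    n, e, d = msk
    return (n, e, pow(h_id(identity), d, n))

def sign(usk, msg):
    """Sign: Y = y^e, c = H(Y, M), z = x * y^c; sigma = (Y, z)."""
    n, e, x = usk
    y = 0
    while gcd(y, n) != 1:  # y <-R Z_N^*
        y = secrets.randbelow(n)
    Y = pow(y, e, n)
    return Y, x * pow(y, h_ch(Y, msg), n) % n

def vf(mpk, identity, msg, sig):
    """Vf: accept iff z^e = H(ID) * Y^c mod N with c recomputed from (Y, M)."""
    (n, e), (Y, z) = mpk, sig
    if not (0 < Y < n and 0 < z < n):
        return False
    return pow(z, e, n) == h_id(identity) * pow(Y, h_ch(Y, msg), n) % n
```

The verifier needs only mpk and the signer's identity string; a signature checked against a different identity or message fails because H(ID) or the recomputed challenge changes.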

- IBI to IBS
  - “canonical” IBI → IBS
  - For canonical convertible SI X: cSS-2-IBS(fs-I-2-S(X)) = fs-I-2-S(cSI-2-IBI(X))
  - fs-I-2-S not security-preserving for canonical IBI schemes in general
  - modified efs-IBI-2-IBS transform: Ch ← H(Cmt,M,ID)

- SS to IBS: cSS-2-IBS
  - analogous to cSI-2-IBI
  - “convertible” SS → IBS
  - generalization of [DKXY03]

Diagram: SI → IBI via cSI-2-IBI; SI → SS via fs-I-2-S; SS → IBS via cSS-2-IBS; IBI → IBS via fs-I-2-S (efs-IBI-2-IBS).

Theorem: IBI is imp-pa secure ⇒ IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the RO model

Theorem: SI is imp-pa secure ⇒ IBS = fs-I-2-S(cSI-2-IBI(SS)) is uf-cma secure in the RO model

Theorem: SS is uf-cma secure ⇒ IBS = cSS-2-IBS(SS) is uf-cma secure in the RO model

Results for concrete schemes

| Name | Origin | Name-SI pa | Name-SI aa | Name-SI ca | Name-IBI pa | Name-IBI aa | Name-IBI ca | Name-SS uf-cma | Name-IBS uf-cma |
|---|---|---|---|---|---|---|---|---|---|
| Fiat-Shamir | IBI, IBS | P | P | P | I | I | I | I | I |
| It. Root | SI, SS | P | P | | I | I | | I | I |
| FF | SI, SS | P | P | P | I | I | I | I | I |
| GQ | IBI, IBS | P | P | P | I | I | I | I | I |
| Shamir | IBS | P | A | A | I | A | A | I | I |
| Shamir* | SI | P | P | P | I | I | I | I | I |
| OkRSA | SI, IBI, SS | P | P | P | I | I | I | I | I |
| Girault | SI, IBI | A | A | A | A | A | A | A | A |
| SOK | IBS | P | A | A | I | A | A | I | I |
| Hess | IBS | P | P | P | I | I | I | P | I |
| Cha-Cheon | IBS | P | P | P | I | I | I | I | P |
| Beth | IBI | P | | | I | | | I | I |
| OkDL | IBI | I | I | I | P | P | P | I | I |
| BNNDL | SI, IBI | I | I | I | P | P | P | I | I |

P = proven, I = implied, A = attacked. On the slide, colour distinguished known results from new contributions.
