Security Proofs for Identity-Based Identification and Signature Schemes

Mihir Bellare, University of California at San Diego, USA
Chanathip Namprempre, Thammasat University, Thailand
Gregory Neven, Katholieke Universiteit Leuven, Belgium


Identity-based encryption

Proposed by Shamir (1984)

Efficiently implemented by Boneh-Franklin (2001)

[Diagram: the KDC runs MKg(1^k) → (mpk,msk) and UKg(msk,"Bob") → usk_B, and hands usk_B to Bob; mpk is public. Alice computes C ← E(mpk,"Bob",M) and sends C to Bob, who recovers M ← D(usk_B,C).]


Identity-based signatures (IBS)

Proposed and implemented by Shamir (1984)

Alternative implementations followed [FS86, GQ89]

Renewed interest using pairings [SOK00, P02, CC03, H03, Yi03]

[Diagram: the KDC runs MKg(1^k) → (mpk,msk) and UKg(msk,"Alice") → usk_A, and hands usk_A to Alice; mpk is public. Alice computes σ ← Sign(usk_A,M) and sends (M,σ) to Bob, who outputs Vf(mpk,"Alice",M,σ) ∈ {acc, rej}.]


Identity-based identification (IBI)

Proposed by Shamir (1984)

Numerous implementations followed [FS86, B88, GQ89, G90, O93]

[Diagram: the KDC runs MKg(1^k) → (mpk,msk) and UKg(msk,"Alice") → usk_A, and hands usk_A to Alice; mpk is public. Alice runs the prover P(usk_A) and Bob runs the verifier V(mpk,"Alice"); Bob outputs acc or rej.]


Provable security of IBI/IBS schemes

  • IBI schemes

    • no appropriate security definitions

    • proofs in weak model (fixed identity) or entirely lacking

  • IBS schemes

    • good security definition [CC03]

    • security proofs for some schemes directly [CC03] or through “trapdoor SS” to IBS transform [DKXY03]

    • some gaps remain


Existing security proofs

Existing security proofs for

  • identification schemes underlying IBI schemes, e.g. [FFS88] proves [FS86], [BP02] proves [GQ89]

  • signature schemes underlying IBS schemes, e.g. analyses of the Fiat-Shamir transform [PS96, OO98, AABN02]

refer to standard identification (SI) and signature (SS) schemes.

Build on these proofs, rather than from scratch.


Our contributions

[Diagram: the four scheme types SI, IBI, SS and IBS, with the transforms between them.]

  • Security definitions for IBI schemes

  • Security proofs for “trivial” certificate-based IBI/IBS schemes

  • Framework of security-preserving transforms

  • Security proofs for 12 scheme “families”

    • by implication through transforms

    • by surfacing and proving unanalyzed SI schemes

    • by proving as IBI schemes directly (exceptions)

  • Attack on 1 scheme family


Independent work

Kurosawa, Heng (PKC 2004):

  • security definitions for IBI schemes

  • transform from SS to IBI schemes


Security of IBS and IBI schemes

  • IBS schemes: uf-cma security [CC03]

  • IBI schemes: imp-pa, imp-aa, imp-ca security

    • Learning phase: Initialize and Corrupt oracles; the adversary sees conversation transcripts (pa), interacts with provers sequentially (aa) or in parallel (ca)

    • Attack phase: impersonate an uncorrupted identity ID_break of the adversary's choice; the oracles are blocked for ID = ID_break

[Diagram: the uf-cma experiment for IBS. The forger F receives mpk and has oracles Initialize(ID), Corrupt(ID) → usk_ID and Sign(usk_ID,·), queried on (M,ID) and returning σ; F outputs a forgery (ID,M,σ).]


The Shamir-SI scheme

"surfaced" from Shamir-IBS [S84]

Kg(1^k):
  (N,e,d) ← K_rsa(1^k)
  X ←R Z_N^*
  x ← X^d mod N
  pk ← (N,e,X) ; sk ← (N,e,x)
  Return (pk,sk)

P(sk):                                   V(pk):
  (N,e,x) ← sk                           (N,e,X) ← pk
  y ←R Z_N^* ; Y ← y^e mod N     -- Y -->
                                 <-- c --  c ←R {0,1}^ℓ(k)
  z ← x·y^c mod N                -- z -->  If z^e = X·Y^c mod N then accept else reject

(statistical) HVZK + POK ⇒ imp-pa secure

not imp-aa secure (attack: a cheating verifier chooses c = 0, and the response z = x·y^0 = x is the secret key)


The Shamir-SS scheme

Kg(1^k):
  (N,e,d) ← K_rsa(1^k)
  X ←R Z_N^*
  x ← X^d mod N
  pk ← (N,e,X) ; sk ← (N,e,x)
  Return (pk,sk)

Sign(sk,M):
  (N,e,x) ← sk
  y ←R Z_N^*
  Y ← y^e mod N
  c ← H(Y,M)
  z ← x·y^c mod N
  σ ← (Y,z)

Vf(pk,M,σ):
  (N,e,X) ← pk
  (Y,z) ← σ
  c ← H(Y,M)
  If z^e = X·Y^c mod N then accept else reject
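The Shamir-SI protocol above, the c = 0 attack on it, and the Shamir-SS scheme obtained from it by the fs-I-2-S transform, as an added Python example that is not part of the slides or the paper. The RSA parameters (two fixed six-digit primes and e = 65537), the challenge length ELL = 32 and the use of SHA-256 as the hash H are constructed for this demonstration; the modulus is far too small to be secure.

```python
# Added example: Shamir-SI as a canonical three-move SI scheme, the cheating-
# verifier attack (challenge c = 0), and Shamir-SS = fs-I-2-S(Shamir-SI).
# Parameters below are constructed for the demo and are NOT secure.
import hashlib
import secrets
from math import gcd

P, Q, E = 1000003, 1000033, 65537      # toy RSA primes and exponent (demo only)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # RSA trapdoor d
ELL = 32                               # challenge length l(k) in bits
NBYTES = (N.bit_length() + 7) // 8


def rand_zn_star():
    """Uniform element of Z_N^* (rejection sampling)."""
    while True:
        v = secrets.randbelow(N)
        if v > 1 and gcd(v, N) == 1:
            return v


def kg():
    """Kg(1^k): X <-R Z_N^*, x <- X^d mod N; pk = (N,e,X), sk = (N,e,x)."""
    X = rand_zn_star()
    return (N, E, X), (N, E, pow(X, D, N))


# Canonical SI: Cmt = Y = y^e, Ch = c, Rsp = z = x*y^c, Dec checks z^e = X*Y^c.
def commit(sk):
    y = rand_zn_star()
    return pow(y, sk[1], N), y          # (Cmt, prover state)


def respond(sk, y, c):
    return sk[2] * pow(y, c, N) % N


def decide(pk, Y, c, z):
    _, e, X = pk
    return pow(z, e, N) == X * pow(Y, c, N) % N


def honest_run(pk, sk):
    """One honest P(sk) <-> V(pk) execution with a uniformly random challenge."""
    Y, y = commit(sk)
    c = secrets.randbits(ELL)
    return decide(pk, Y, c, respond(sk, y, c))


def cheating_verifier_attack(pk, sk):
    """imp-aa attack: the verifier picks c = 0, so z = x*y^0 = x leaks sk.
    The prover runs honestly; the attacker only controls the challenge."""
    Y, y = commit(sk)
    z = respond(sk, y, 0)
    return (pk[0], pk[1], z)            # attacker's reconstruction of sk


# fs-I-2-S: Ch <- H(Cmt, M); sigma = (Cmt, Rsp). H is SHA-256 truncated to ELL bits.
def H(Y, M):
    digest = hashlib.sha256(Y.to_bytes(NBYTES, "big") + M).digest()
    return int.from_bytes(digest, "big") >> (256 - ELL)


def sign(sk, M):
    Y, y = commit(sk)
    return Y, respond(sk, y, H(Y, M))


def verify(pk, M, sig):
    Y, z = sig
    return decide(pk, Y, H(Y, M), z)


if __name__ == "__main__":
    pk, sk = kg()
    print("honest run accepts:", honest_run(pk, sk))
    print("c = 0 recovers sk:", cheating_verifier_attack(pk, sk) == sk)
    sig = sign(sk, b"transfer 10")
    print("signature verifies:", verify(pk, b"transfer 10", sig))
    print("tampered message verifies:", verify(pk, b"transfer 99", sig))
```

The attack is exactly why Shamir-SI is imp-pa but not imp-aa or imp-ca secure: a passive adversary only sees transcripts of honest verifiers, whose challenge is uniform over 2^ℓ values, whereas an active one chooses c itself. Under fs-I-2-S the challenge is a hash output, so a forger can only obtain c = 0 with probability 2^-ℓ per random-oracle query; that is why imp-pa security of the SI scheme suffices for the theorem on the next slide, and why Shamir-SS is uf-cma secure even though Shamir-SI falls to an active verifier.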


The framework: SI to SS [FS86]

"canonical" SI scheme: P(sk) sends Cmt; V(pk) replies with Ch; P sends Rsp; V outputs Dec(pk,Cmt,Ch,Rsp).

[Diagram: SI → SS and IBI → IBS, both via fs-I-2-S.]

  • Sign(sk,M):

    run P(sk) to obtain Cmt; Ch ← H(Cmt,M); obtain Rsp from P

    σ ← (Cmt,Rsp)

  • Vf(pk,M,σ):

    Dec(pk, Cmt, H(Cmt,M), Rsp)

Theorem: SI is imp-pa secure ⇒ SS = fs-I-2-S(SI) is uf-cma secure in the RO model [AABN02]


The Shamir-SI scheme (repeated; see above)


The Shamir-IBI scheme

MKg(1^k):
  (N,e,d) ← K_rsa(1^k)
  mpk ← (N,e) ; msk ← (N,e,d)
  Return (mpk,msk)

UKg(msk,ID):
  (N,e,d) ← msk
  X ← H(ID)
  x ← X^d mod N
  usk ← (N,e,x)
  Return usk

P(usk):                                  V(mpk,ID):
  (N,e,x) ← usk                          (N,e) ← mpk
  y ←R Z_N^* ; Y ← y^e mod N     -- Y -->
                                 <-- c --  c ←R {0,1}^ℓ(k)
  z ← x·y^c mod N                -- z -->  If z^e = H(ID)·Y^c mod N then accept else reject


The framework: SI to IBI

"convertible" SI scheme:

  • Kg(1^k):

    "trapdoor samplable relation" R

    sk ← (R,x) ; pk ← (R,y)

    such that (x,y) ∈ R

[Diagram: SI → IBI via cSI-2-IBI; SI → SS and IBI → IBS via fs-I-2-S.]

cSI-2-IBI:

  • MKg(1^k):

    generate relation R with trapdoor t

    mpk ← R ; msk ← (R,t)

  • UKg(msk, ID):

    y ← H(ID)

    use t to compute x s.t. (x,y) ∈ R

    usk ← (R,x)

Theorem: SI is imp-xx secure ⇒ IBI = cSI-2-IBI(SI) is imp-xx secure in the RO model (xx ∈ {pa, aa, ca})


The Shamir-SS scheme (repeated; see above)


The Shamir-IBS scheme

MKg(1^k):
  (N,e,d) ← K_rsa(1^k)
  mpk ← (N,e) ; msk ← (N,e,d)
  Return (mpk,msk)

UKg(msk,ID):
  (N,e,d) ← msk
  X ← H(ID)
  x ← X^d mod N
  usk ← (N,e,x)
  Return usk

Sign(usk,M):
  (N,e,x) ← usk
  y ←R Z_N^*
  Y ← y^e mod N
  c ← H(Y,M)
  z ← x·y^c mod N
  σ ← (Y,z)

Vf(mpk,ID,M,σ):
  (N,e) ← mpk
  (Y,z) ← σ
  c ← H(Y,M)
  If z^e = H(ID)·Y^c mod N then accept else reject

= Shamir-IBS as proposed in [S84]
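The cSI-2-IBI transform instantiated on the RSA relation of Shamir-SI (the SI-to-IBI framework slide above), the resulting Shamir-IBI and Shamir-IBS schemes, and the uf-cma experiment from the security-definitions slide with its Initialize, Corrupt and Sign oracles, as an added Python example that is not part of the slides or the paper. The toy RSA primes, the SHA-256-based hashes h_id (a stand-in for H(ID) into Z_N^*) and h_ch (the challenge hash), the challenge length ELL = 32 and the class UfCmaExperiment are all constructed for this demonstration and are not secure parameters.

```python
# Added example: Shamir-IBI = cSI-2-IBI(Shamir-SI), Shamir-IBS = fs-I-2-S(Shamir-IBI),
# and the uf-cma experiment with Initialize/Corrupt/Sign oracles.
# RSA parameters and hash choices are constructed for the demo and are NOT secure.
import hashlib
import secrets
from math import gcd

P, Q, E = 1000003, 1000033, 65537      # toy RSA primes and exponent (demo only)
ELL = 32                               # challenge length l(k) in bits


def rand_zn_star(N):
    while True:
        v = secrets.randbelow(N)
        if v > 1 and gcd(v, N) == 1:
            return v


def h_id(N, ID):
    """H: {0,1}* -> Z_N^*, a random-oracle stand-in: SHA-256 over (ID, counter)."""
    ctr = 0
    while True:
        d = hashlib.sha256(b"id|" + ID.encode() + b"|" + ctr.to_bytes(4, "big")).digest()
        v = int.from_bytes(d, "big") % N
        if v > 1 and gcd(v, N) == 1:
            return v
        ctr += 1


def h_ch(N, Y, M):
    """Challenge hash H(Y, M) -> {0,1}^ELL used by fs-I-2-S."""
    nbytes = (N.bit_length() + 7) // 8
    d = hashlib.sha256(b"ch|" + Y.to_bytes(nbytes, "big") + b"|" + M).digest()
    return int.from_bytes(d, "big") >> (256 - ELL)


# cSI-2-IBI for the RSA relation R = {(x, y): x^e = y mod N}; the trapdoor t is d.
def mkg():
    """MKg(1^k): mpk = (N,e), msk = (N,e,d)."""
    N = P * Q
    return (N, E), (N, E, pow(E, -1, (P - 1) * (Q - 1)))


def ukg(msk, ID):
    """UKg(msk, ID): y <- H(ID); x <- y^d so that (x, y) in R; usk = (N,e,x)."""
    N, e, d = msk
    return (N, e, pow(h_id(N, ID), d, N))


# Shamir-IBI: P(usk) sends Y = y^e, receives c, sends z = x*y^c;
# V(mpk, ID) accepts iff z^e = H(ID)*Y^c mod N.
def ibi_commit(usk):
    N, e, _ = usk
    y = rand_zn_star(N)
    return pow(y, e, N), y


def ibi_respond(usk, y, c):
    N, _, x = usk
    return x * pow(y, c, N) % N


def ibi_decide(mpk, ID, Y, c, z):
    N, e = mpk
    return pow(z, e, N) == h_id(N, ID) * pow(Y, c, N) % N


# Shamir-IBS = fs-I-2-S(Shamir-IBI): c <- H(Y, M), sigma = (Y, z).
def ibs_sign(usk, M):
    Y, y = ibi_commit(usk)
    return Y, ibi_respond(usk, y, h_ch(usk[0], Y, M))


def ibs_verify(mpk, ID, M, sig):
    Y, z = sig
    return ibi_decide(mpk, ID, Y, h_ch(mpk[0], Y, M), z)


class UfCmaExperiment:
    """The uf-cma experiment: the forger gets mpk and the three oracles;
    finalize() applies the winning condition to its output (ID, M, sigma)."""

    def __init__(self):
        self.mpk, self.msk = mkg()
        self.usk = {}              # Initialize(ID) stores usk_ID here
        self.corrupted = set()
        self.signed = set()        # (ID, M) pairs answered by Sign

    def initialize(self, ID):
        if ID in self.usk:
            raise ValueError("identity already initialized")
        self.usk[ID] = ukg(self.msk, ID)

    def corrupt(self, ID):
        self.corrupted.add(ID)
        return self.usk[ID]

    def sign(self, ID, M):
        self.signed.add((ID, M))
        return ibs_sign(self.usk[ID], M)

    def finalize(self, ID, M, sig):
        """Forger wins iff sigma verifies, ID was not corrupted, and (ID, M) was never signed."""
        return (ibs_verify(self.mpk, ID, M, sig)
                and ID not in self.corrupted
                and (ID, M) not in self.signed)
```

Because Shamir-SI is convertible, cSS-2-IBS(fs-I-2-S(Shamir-SI)) and fs-I-2-S(cSI-2-IBI(Shamir-SI)) are the same scheme, which is why hashing H(Y,M) without the identity is enough here: the identity is already bound through H(ID) in the verification equation, so a signature by one user's usk does not verify under another ID. For a canonical IBI scheme not obtained this way, the deck's efs-IBI-2-IBS variant hashes H(Cmt,M,ID) instead. The three checks in finalize() are the concrete form of the winning condition from the definitions slide: a replayed Sign answer, or a signature under a corrupted identity, is not a forgery.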


The framework: SS and IBI to IBS

  • IBI to IBS

    • "canonical" IBI → IBS

    • For canonical convertible SI X:

      cSS-2-IBS(fs-I-2-S(X)) = fs-I-2-S(cSI-2-IBI(X))

    • fs-I-2-S is not security-preserving for canonical IBI schemes in general

    • modified efs-IBI-2-IBS transform: Ch ← H(Cmt,M,ID)

Theorem: IBI is imp-pa secure ⇒ IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the RO model

  • SS to IBS: cSS-2-IBS

    • analogous to cSI-2-IBI

    • "convertible" SS → IBS

    • generalization of [DKXY03]

[Diagram: SI → IBI via cSI-2-IBI; SI → SS via fs-I-2-S; SS → IBS via cSS-2-IBS; IBI → IBS via fs-I-2-S (efs-IBI-2-IBS).]

Theorem: SI is imp-pa secure ⇒ IBS = fs-I-2-S(cSI-2-IBI(SI)) is uf-cma secure in the RO model

Theorem: SS is uf-cma secure ⇒ IBS = cSS-2-IBS(SS) is uf-cma secure in the RO model



Results for concrete schemes

Name         Origin         Name-SI      Name-IBI     Name-SS  Name-IBS
                            pa  aa  ca   pa  aa  ca   uf-cma   uf-cma
Fiat-Shamir  IBI, IBS       P   P   P    I   I   I    I        I
It. Root     SI, SS         P   P   -    I   I   -    I        I
FF           SI, SS         P   P   P    I   I   I    I        I
GQ           IBI, IBS       P   P   P    I   I   I    I        I
Shamir       IBS            P   A   A    I   A   A    I        I
Shamir*      SI             P   P   P    I   I   I    I        I
OkRSA        SI, IBI, SS    P   P   P    I   I   I    I        I
Girault      SI, IBI        A   A   A    A   A   A    A        A
SOK          IBS            P   A   A    I   A   A    I        I
Hess         IBS            P   P   P    I   I   I    P        I
Cha-Cheon    IBS            P   P   P    I   I   I    I        P
Beth         IBI            P   -   -    I   -   -    I        I
OkDL         IBI            I   I   I    P   P   P    I        I
BNNDL        SI, IBI        I   I   I    P   P   P    I        I

P = proven, I = implied, A = attacked, - = no entry on the slide. The slide also distinguishes known results from new contributions by colour, which is not preserved in this transcript. For It. Root and Beth only six and four cells respectively survive; they are placed in the columns consistent with the "P for SI implies I for IBI" pattern of the other rows.

