
A new construction of the server-aided verification signature scheme

This paper presents a new construction of a server-aided verification signature scheme (SAV-Σ) that is both secure and efficient. The scheme is based on the Paillier signature scheme and provides existential unforgeability against collusion and adaptive chosen message attacks.


Presentation Transcript


  1. A new construction of the server-aided verification signature scheme. Zhiwei Wang, Mathematical and Computer Modelling, 2011

  2. Outline • Introduction • Model • Proposed scheme • Security analysis • Conclusion

  3. Introduction • The notion of server-aided verification signature (SAV-Σ) • First introduced by Quisquater and De Soete, 1989. • Speeding up smart card RSA computation with insecure coprocessors. • Girault et al. • The malicious server could collude with others. • Wei et al. • The server could collude with a valid signer. • If the server is untrusted, it is meaningless for it to collude with a valid signer. • It is more likely to conspire with a signature forger to convince the verifier that an invalid signature is valid.

  4. Introduction • Motivation • To design a secure and efficient SAV-Σ scheme for LP devices. • Provide a new definition of the existential unforgeability of SAV-Σ against collusion and adaptive chosen message attacks. • SAV-Σ scheme based on the Paillier signature scheme. • The scheme is secure in this security model.

  5. Outline • Introduction • Model • Proposed scheme • Security analysis • Conclusion

  6. Definition of SAV-Σ • ParamGen(k) = param • KeyGen(param) = (sk, pk) • Sign(param, m, sk, pk) = σ

  7. Definition of SAV-Σ • Verify(param, m, σ, pk) = Valid / Invalid • SAV-Setup(param, pk) = VString • Contains the information that can be precomputed by the verifier. • SAV-Verify • Run interactively by the server and the verifier. • Even if the server is untrustworthy, if SAV-Verify returns Valid, then σ is valid. Otherwise, σ is invalid.

  8. Security model of SAV-Σ • An untrusted server is very likely to collude with a signature forger. • The untrusted server can convince the verifier that the forger’s signature is correct under the valid signer’s key pair. • Define a new definition of the security of SAV-Σ against collusion and adaptive chosen message attacks. • The adversary A acts as the server. • The challenger C acts as the verifier.

  9. Security model of SAV-Σ • Setup. • C obtains param, two key pairs (sk, pk) and (skf, pkf), and VString. A is given param and (skf, pkf). • Queries. • A only needs to make server-aided verification queries. • Proceeding adaptively, A can make at most qv queries. • For each (m, σ), C responds by executing SAV-Verify with A.

  10. Security model of SAV-Σ • Output. • A outputs a pair (m*, σ*), where σ* is chosen by A according to the key pair (skf, pkf). • A wins the game if SAV-Verify(A, C(m*, σ*, pk, VString)) = Valid. • ADV_A = the probability that A wins the game. • The SAV protocol is sound if ADV_A is negligible.

  11. Outline • Introduction • Model • Proposed scheme • Security analysis • Conclusion

  12. Paillier signature scheme • ParamGen() • N = pq, where p and q are two k-bit primes. • λ(N) = lcm(p - 1, q - 1) • L(x) = (x - 1) / N, for all x ∈ S_N = {x | x < N² and x ≡ 1 mod N}

  13. Paillier signature scheme • KeyGen(1^k) • Randomly choose two k-bit primes p and q. • N = pq • λ = λ(N) • g ∈ Z*_{N²} which has order N. • Hash function h(): {0, 1}* → Z*_{N²} • Public key pk = (N, h(), g) • Secret key sk = (p, q, λ)

  14. Paillier signature scheme • Sign(m) • The signature is (s1, s2)

  15. Paillier signature scheme • Verify(m, s1, s2) • If the equation holds, output Valid; otherwise, output Invalid.

  16. The new server-aided verification signature scheme • ParamGen / KeyGen / Sign / Verify are the same as in the Paillier signature scheme. • SAV-Setup(param, pk) • pk = (N, h(), g) • The verifier randomly chooses r ∈ Z_N, t ∈ Z_N* • Computes φ = g^r · t^N mod N². • VString = {r, t, φ}

  17. The new server-aided verification signature scheme • SAV-Verify(m, s1, s2, pk) • The verifier • Randomly chooses an l-bit number a • Computes x = a·s1 + r mod N • Computes y = t·s2^a mod N • Sends (x, y, m) to the server • The server • Computes ω = g^x · y^N mod N², then sends it to the verifier • The verifier • Checks whether h(m)^a · φ = ω mod N² holds. • If the equation holds, outputs Valid; otherwise, outputs Invalid.

  18. The new server-aided verification signature scheme • Completeness of SAV-Verify • Computational saving • |N| ≥ 1024, l ≥ 160 • The verifier: 2 small modular exponentiations (160-bit exponents) • The original verification algorithm: 1 large modular exponentiation (1024-bit exponent)
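The Paillier signature scheme and the SAV-Setup / SAV-Verify protocol of slides 12 to 18, as an added runnable example that is not the paper's code. It assumes g = 1 + N (which has order N in Z*_{N²}), h() built from SHA-256 with a counter so that h(m) lands in Z*_{N²}, constructed toy Mersenne primes in place of 1024-bit ones, and l = 160; the verifier's `sav_verify` takes the server as a callable so an honest server and a misbehaving one can be compared.

```python
"""Paillier signatures + server-aided verification (SAV). Added example, not the
paper's code; assumes g = 1 + N, SHA-256-based h() into Z*_{N^2}, toy primes, l = 160."""
import hashlib, math, secrets

P, Q = 2**61 - 1, 2**89 - 1          # constructed toy primes; p does not divide q-1 and vice versa
N, N2 = P * Q, (P * Q) ** 2
LAM = math.lcm(P - 1, Q - 1)         # lambda(N) = lcm(p-1, q-1); gcd(N, LAM) == 1 for these primes
G = 1 + N                            # element of Z*_{N^2} of order exactly N (assumption)
D = pow(N, -1, LAM)                  # 1/N mod lambda: the N-th-root exponent used in Sign
L = 160                              # bit length of the verifier's challenge a

def L_func(x):                       # L(x) = (x - 1) / N for x in S_N = {x < N^2 : x = 1 mod N}
    return (x - 1) // N

def h(m):                            # hash into Z*_{N^2}; the counter re-hashes the (rare) non-units
    ctr = 0
    while True:
        v = int.from_bytes(hashlib.sha256(m + ctr.to_bytes(4, "big")).digest(), "big") % N2
        if math.gcd(v, N) == 1:
            return v
        ctr += 1

def sign(m):                         # s1 = L(h^lam)/L(g^lam) mod N, s2 = (h * g^-s1)^(1/N) mod N
    hm = h(m)
    s1 = L_func(pow(hm, LAM, N2)) * pow(L_func(pow(G, LAM, N2)), -1, N) % N
    s2 = pow(hm * pow(G, -s1, N2) % N, D, N)
    return s1, s2

def verify(m, s1, s2):               # original check: h(m) = g^s1 * s2^N mod N^2 (one large exponentiation)
    return pow(G, s1, N2) * pow(s2, N, N2) % N2 == h(m)

def sav_setup():                     # VString = {r, t, phi}, phi = g^r * t^N mod N^2, precomputed once
    r = secrets.randbelow(N)
    while True:
        t = secrets.randbelow(N)
        if math.gcd(t, N) == 1:      # t must lie in Z_N*
            break
    return r, t, pow(G, r, N2) * pow(t, N, N2) % N2

def honest_server(x, y, m):          # server side of SAV-Verify: omega = g^x * y^N mod N^2
    return pow(G, x, N2) * pow(y, N, N2) % N2

def sav_verify(m, s1, s2, vstring, server):
    r, t, phi = vstring
    a = secrets.randbits(L - 1) | (1 << (L - 1))   # fresh l-bit a; a = 0 would make the check vacuous
    x = (a * s1 + r) % N                            # blinded s1
    y = t * pow(s2, a, N) % N                       # blinded s2 (small exponentiation mod N)
    omega = server(x, y, m)                         # the untrusted party does the heavy exponentiation
    return pow(h(m), a, N2) * phi % N2 == omega     # h(m)^a * phi == omega mod N^2
```

Completeness follows from the homomorphism g^x · y^N = (g^{s1} · s2^N)^a · g^r · t^N = h(m)^a · φ mod N²; a server that returns anything else, or a signature on a different message, fails the check.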

  19. Outline • Introduction • Model • Proposed scheme • Security analysis • Conclusion

  20. Security analysis • If the Paillier signature scheme is secure under adaptive chosen message attacks, then the SAV protocol is sound. • A: an adversary against the SAV protocol. • C: a challenger for the Paillier signature scheme. • B: its task is to attack the Paillier signature scheme by calling A. • If the SAV protocol can be broken, the Paillier signature scheme can also be broken.

  21. Security analysis • C • Obtains param, (skf = (pf, qf), pkf = (Nf, gf, h())), VString = {r, t, φ} • Randomly chooses a public key pk = (N, g, h()) • Sends {param, (skf, pkf), VString, pk} to B. • B • B’s task is to forge a signature for pk. • C answers B’s hash queries and signature queries. • B is constructed as in the proposed scheme. • Sends {param, (skf, pkf)} to A.

  22. Security analysis • A • Makes several SAV queries to B. • For each query (h(m), s1, s2), B uses the target public key pk to respond by executing SAV-Verify with A. • Finally, A outputs a forged signature (h(m*), s1*, s2*) satisfying SAV-Verify(A, C(h(m*), s1*, s2*, pk, r, t, φ)) = Valid.

  23. Security analysis • Case 1 • (h(m*), s1*, s2*) is a valid signature under the target public key pk. • B sends (h(m*), s1*, s2*) to C as the forged signature. • Case 2 • (h(m*), s1*, s2*) is not a valid signature under the target public key pk, but h(m*)^a · φ = g^{x*} · (y*)^N mod N² holds. • B computes s1** = x* - r mod N and s2** = y* / t mod N, and sends (h(m*)^a, s1**, s2**) to C as the forged signature.

  24. Outline • Introduction • Model • Proposed scheme • Security analysis • Conclusion

  25. Conclusion • A new security model of SAV signature scheme. • Based on Paillier signature scheme. • Homomorphic property in Paillier signature scheme.
