An Efficient Strong Key-Insulated Signature Scheme and Its Application
An Efficient Strong Key-Insulated Signature Scheme and Its Application. 5th European PKI Workshop, June 16-17, 2008, NTNU, Trondheim, Norway. Go Ohtake¹, Goichiro Hanaoka², and Kazuto Ogawa¹. ¹Japan Broadcasting Corporation


5th European PKI Workshop

June 16-17, 2008

NTNU, Trondheim, Norway

Go Ohtake¹, Goichiro Hanaoka², and Kazuto Ogawa¹

¹ Japan Broadcasting Corporation

² National Institute of Advanced Industrial Science and Technology



Motivation


Background

  • “Key exposure” is a critical problem !!

    • Even if a “secure” signature scheme is used, key leakage results in impersonation of the user.

More critical for bidirectional broadcasting services!!


Bidirectional broadcasting service

  • e.g. TV shopping, Quiz program, etc.

[Diagram labels: User, Smart card, Signing key, Signed Request, Personal information, network, Broadcaster, Verification key]

Service property: Real-time service


Problem for signing key leakage

[Diagram labels: User, Smart card, Signing key, Key update, key leakage, Adversary, Signed Request, Personal information, network, Broadcaster, Verification key]

Critical damage !!


Problem for key update in bidirectional broadcasting service

  • PKI cannot be applied directly.

[Diagram labels: CA, CRL, Broadcaster, network, User 1, User 2, User 3, ..., User n, Smart card, Signing key, Verification key, update]

Heavy load !!

Real-time service cannot be offered !!


Solution

  • Strong key-insulated signature (KIS) scheme

[Diagram labels: Broadcaster, network, User 1, User 2, User 3, ..., User n, Smart card, Signing key, update, Verification key]

Verification key does NOT have to be updated.

No redistribution of verification key !!

No CRL!!


Motivation

  • In bidirectional broadcasting service, …

    • Signature size is required to be as short as possible

      • Multiple copies of signed message are individually transmitted to users.

    • Conventional strong KIS schemes are not efficient !!

Our target

Design an efficient strong KIS scheme with a significantly short signature size



Related works


Key-insulated signature (KIS) scheme

  • Proposed by Dodis, Katz, Xu, Yung in 2003 [DKXY03]

Secure against signing key leakage

[Diagram labels: secure device, master key, partial key, Signer, old signing key, update signing key, message + signature with time stamp, time stamp, Verifier, verification key, verify signature, Adversary, reject]

[DKXY03] Y. Dodis, J. Katz, S. Xu, and M. Yung: “Strong Key-Insulated Signature Schemes,” Proc. of PKC’03 (2003)


Strong KIS scheme

  • Proposed by Dodis, Katz, Xu, Yung in 2003 [DKXY03]

Secure against signing key leakage or master key leakage

[Diagram labels: secure device, master key, partial key, Signer, old signing key, update signing key, message + signature with time stamp, time stamp, Verifier, verification key, verify signature, Adversary, reject, reject]



Our contribution


Performance

CB scheme: Certificate-based strong KIS scheme using the Schnorr signatures

GQ scheme: strong KIS scheme based on the Guillou-Quisquater signature


Security

  • Our strong KIS scheme is secure

    • We achieved the same level of security as conventional strong KIS schemes.

[Diagram labels: Adversary, master key leakage or signing key leakage, Signer, valid]



Our construction


Basic concept of our KIS scheme

  • Efficient strong KIS scheme

    • By extending Abe-Okamoto proxy signature scheme [AO02]

      • Efficient proxy signature scheme in terms of verification cost and communication cost

Constructing an efficient strong KIS scheme from the Abe-Okamoto scheme is not a trivial exercise.

[AO02] M. Abe and T. Okamoto: “Delegation Chains Secure up to Constant Length,” IEICE Trans. (2002)


Why is it not a trivial exercise? (1)

  • Extend the KIS scheme to a strong KIS scheme without increasing the signature size.

    • Conversion of proxy signature scheme to KIS scheme

      • Proposed by Malkin, Obana, Yung in 2004. [MOY04]

      • The resulting KIS scheme is not a strong KIS scheme.

    • Conversion of (standard) KIS scheme to strong KIS scheme

      • Proposed by Dodis, Katz, Xu, Yung in 2003. [DKXY03]

      • Employs double signing: a signature with the master key and a signature with the signer’s secret key, so it is not efficient

We must construct a scheme without the above conversions.

[MOY04] T. Malkin, S. Obana, and M. Yung: “The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures,” Proc. of Eurocrypt’04 (2004)


Why is it not a trivial exercise? (2)

  • Extend the Abe-Okamoto scheme to a KIS scheme that provides adaptive security

    • Not taken into consideration in the security definition of [AO02]

We must address adaptive security with a formal security proof from scratch.


Our proposed KIS scheme (1)

  • Gen: key generation algorithm

[Diagram labels: Signer, essential secret info., Secure device]

master key:

verification key:


Our proposed KIS scheme (2)

  • Upd*: partial key generation algorithm

  • Upd: key-update algorithm

[Diagram labels: Secure device, master key, time stamp, Upd*, partial key, Signer, Verifying, ?, Upd, signing key for a time period T]


Our proposed KIS scheme (3)

  • Sign: signing algorithm

  • Vrfy: verifying algorithm

[Diagram labels: Signer, signing key, time stamp, Sign, signature, Verifier, verification key, Vrfy, Verifying, ?]
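The five-algorithm interface on the slides above (Gen, Upd*, Upd, Sign, Vrfy), exercised with a generic certificate-style construction over toy Schnorr signatures. This is an added example, not the authors' scheme, whose equations are not in this transcript: it is key-insulated against signing-key exposure only (not strong) and its signatures are longer than 480 bits. The group parameters, function names and sample messages are assumptions made for illustration.

```python
import hashlib, secrets

# Toy parameters (assumption, NOT secure): Z_p^* with p = 2^127 - 1, exponents mod p - 1.
P, N, G = 2**127 - 1, 2**127 - 2, 3

def H(*parts):
    # repr() of the tuple is an unambiguous encoding of the ints and strings hashed here
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

def schnorr_sign(x, *msg):
    k = secrets.randbelow(N - 1) + 1
    e = H(pow(G, k, P), *msg)
    return e, (k + x * e) % N

def schnorr_verify(y, sig, *msg):
    e, s = sig
    if not 0 < y < P:               # reject keys that are not group elements
        return False
    return H(pow(G, s, P) * pow(y, -e, P) % P, *msg) == e

def gen():                          # Gen: the master key stays in the secure device
    return keygen()                 # -> (master_key, verification_key)

def upd_star(master_key, period):   # Upd*: secure device issues a partial key
    sk, pk = keygen()
    cert = schnorr_sign(master_key, "period", period, pk)
    return sk, pk, cert

def upd(vk, period, partial):       # Upd: signer checks the partial key, then installs it
    sk, pk, cert = partial
    if pow(G, sk, P) != pk or not schnorr_verify(vk, cert, "period", period, pk):
        raise ValueError("invalid partial key")
    return partial                  # signing key for this time period

def sign(signing_key, period, msg): # Sign: the signature carries the time period
    sk, pk, cert = signing_key
    return period, pk, cert, schnorr_sign(sk, "msg", period, msg)

def vrfy(vk, msg, signature):       # Vrfy: vk is the same in every period
    period, pk, cert, sig = signature
    return (schnorr_verify(vk, cert, "period", period, pk)
            and schnorr_verify(pk, sig, "msg", period, msg))
```

A signing key exposed in one period still signs for that period, but a signature that claims any other period fails the certificate check under the unchanged verification key.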


Remarkable properties of our scheme

  • A signer can update their signing key without updating the verification key.

  • The signature size of our scheme is significantly short: 480 bits


Another feature of our scheme

  • Partial key verification

    • The signer can verify whether the partial key transmitted from the secure device is valid.

  • If the secure device storing the master key is completely reliable, …

    • Partial key verification is unnecessary during the signing key update.

    • One of the verification keys can be , instead of and .

Verification key size can be reduced by half.



Security Analysis


Basic concept of security definition (1)

  • KIS scheme

[Diagram labels: Adversary, signing key, valid, Broadcaster]


Basic concept of security definition (2)

  • Strong KIS scheme

[Diagram labels: Adversary, master key, valid, Broadcaster]


Security definition of KIS scheme

k: security parameter

N: total number of time periods

A is allowed to submit a query to the key exposure oracle up to t times.

If is negligible, is (t,N)-key-insulated.

If is (N-1,N)-key-insulated, is perfectly key-insulated.

[Diagram labels: Adversary A, Key exposure oracle, Signing oracle, Random oracle, Forged signature, Success probability of signature forgery]


Security definition of strong KIS scheme

k: security parameter

N: total number of time periods

If is negligible, is strong (t,N)-key-insulated.

If is strong (N-1,N)-key-insulated, is perfectly strong key-insulated.

[Diagram labels: Adversary B, master key, Signing oracle, Random oracle, Forged signature, Success probability of signature forgery]


Overview of security proof

  • Step1: modified Schnorr signature scheme

    EUF-ACMA secure under DL assumption

  • Step2: our scheme

    key-insulated if the modified Schnorr signature scheme is EUF-ACMA secure.

  • Step3: our scheme

    strong key-insulated if our scheme is key-insulated.

Our scheme is strong key-insulated under DL assumption



Application


Bidirectional content distribution system (proposed by Ohtake, Hanaoka, Ogawa in 2006)

[Diagram labels: Broadcaster, Content server, Personal information management server, Key management server, Network, User, Terminal, Smart card, master key, Generate master key / verification key / initial signing key, Create signature, Verify signature, Update signing key, Generate partial key]

Our KIS scheme is applicable.


Improved system based on our scheme

[Diagram labels: Broadcaster, Content server, Key management server, Personal information management server, network, User, Terminal, Smart card, PK, master key x0, x’]

Efficient signing

- Signature size: 480 bits

- Reduce the network cost for transmitting signed messages

Reduced damage due to master key leakage

- Even if the master key x0 is leaked, the signing key cannot be updated without x’.

Efficient verification

- Verification key size: 160 bits

- Suitable for a smart card



Summary


Summary

  • Efficient strong KIS scheme

    • Significantly short signature size: 480 bits

    • Provably secure under DL assumption

The most suitable signature scheme for bidirectional broadcasting services



Thank you for your attention !!

