1 / 19

Security Proofs for Identity-Based Identification and Signature Schemes

Security Proofs for Identity-Based Identification and Signature Schemes. Mihir Bellare University of California at San Diego, USA Chanathip Namprempre Thammasat University, Thailand Gregory Neven Katholieke Universiteit Leuven, Belgium. Proposed by Shamir (1984)

Download Presentation

Security Proofs for Identity-Based Identification and Signature Schemes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Proofs for Identity-Based Identification and Signature Schemes Mihir Bellare University of California at San Diego, USAChanathip NamprempreThammasat University, ThailandGregory Neven Katholieke Universiteit Leuven, Belgium

  2. Proposed by Shamir (1984) Efficiently implemented by Boneh-Franklin (2001) Identity-based encryption KDC MKg 1k (mpk,msk) UKg msk,“Bob” uskB mpk uskB Alice Bob mpk,“Bob” uskB C E D M M

  3. Proposed and implemented by Shamir (1984) Alternative implementations followed [FS86, GQ89] Renewed interest using pairings [SOK00, P02, CC03, H03, Yi03] Identity-based signatures (IBS) KDC MKg 1k (mpk,msk) UKg msk,“Alice” uskA uskA mpk Alice Bob uskA mpk, “Alice” M,σ Sign Vf M acc/rej

  4. Proposed by Shamir (1984) Numerous implementations followed [FS86, B88, GQ89, G90, O93] Identity-based identification (IBI) KDC MKg 1k (mpk,msk) UKg msk,“Alice” uskA uskA mpk Alice Bob uskA mpk, “Alice” P V acc/rej

  5. Provable security of IBI/IBS schemes • IBI schemes • no appropriate security definitions • proofs in weak model (fixed identity) or entirely lacking • IBS schemes • good security definition [CC03] • security proofs for some schemes directly [CC03] or through “trapdoor SS” to IBS transform [DKXY03] • some gaps remain

  6. Existing security proofs Existing security proofs for • identification schemes underlying IBI schemes e.g. [FFS88] prove [FS86] [BP02] prove [GQ89] • signature schemes underlying IBS schemes e.g. analyses of Fiat-Shamir transform [PS96, OO98, AABN02] refer to standard identification (SI) and signature (SS) schemes. Build on these proofs, rather than from scratch.

  7. SI IBI SS IBS Our contributions • Security definitions for IBI schemes • Security proofs for “trivial” certificate-based IBI/IBS schemes • Framework of security-preserving transforms • Security proofs for 12 scheme “families” • by implication through transforms • by surfacing and proving unanalyzed SI schemes • by proving as IBI schemes directly (exceptions) • Attack on 1 scheme family

  8. Independent work Kurosawa, Heng (PKC 2004): • security definitions for IBI schemes • transform from SS to IBI schemes

  9. Security of IBS and IBI schemes • IBS schemes: uf-cma security [CC03] • IBI schemes: imp-pa, imp-aa, imp-ca security • Learning phase:Initialize and corrupt oracles, see conversation transcripts (pa), interact with provers sequentially (aa) or in parallel (ca) • Attack phase:Impersonate uncorrupted identity IDbreak of adversary’s choiceOracles blocked of for ID = IDbreak mpk Initialize ID M,ID F Sign(uskID,·) ID σ Corrupt uskID ID,M,σ

  10. (N,e,d) ← Krsa(1k) X ← ZN x ← Xd mod N pk ← (N,e,X) sk ← (N,e,x) Return (pk,sk) “surfaced” from Shamir-IBS [S84] (statistical) HVZK + POK ⇒ imp-pa secure not imp-aa secure (attack: choose c=0) The Shamir-SI scheme Kg(1k) P(sk) V(pk) (N,e,x) ← sk y ← ZN Y ← ye mod N z ← xyc mod N (N,e,X) ← pk c ← {0,1}ℓ(k) If ze = XYc mod Nthen accept else reject * * R R Y c R z

  11. (N,e,d) ← Krsa(1k) X ← ZN x ← Xd mod N pk ← (N,e,X) sk ← (N,e,x) Return (pk,sk) The Shamir-SS scheme Kg(1k) Sign(sk,M) Vf(pk,M,σ) (N,e,x) ← sk y ← ZN Y ← ye mod N c ← H(Y,M) z ← xyc mod N σ ← (Y,z) (N,e,X) ← pk (Y,z) ← σ c ← H(Y,M) If ze = XYc mod Nthen accept else reject * * R R

  12. The framework: SI to SS [FS86] “canonical” SI scheme: sk pk Cmt P V Ch SI IBI Rsp Dec(pk,Cmt,Ch,Rsp) fs-I-2-S fs-I-2-S IBS SS • Sign(sk,M): Ch ← H(Cmt,M) σ ← (Cmt,Rsp) • Vf(pk,M,σ): Dec(pk, Cmt, H(Cmt,M), Rsp) Theorem: SI is imp-pa secure⇓SS = fs-I-2-S(SI) is uf-cma secure in the RO model [AABN02]

  13. (N,e,d) ← Krsa(1k) X ← ZN x ← Xd mod N pk ← (N,e,X) sk ← (N,e,x) Return (pk,sk) The Shamir-SI scheme Kg(1k) P(sk) V(pk) (N,e,x) ← sk y ← ZN Y ← ye mod N z ← xyc mod N (N,e,X) ← pk c ← {0,1}ℓ(k) If ze = XYc mod Nthen accept else reject * * R R Y c z

  14. (N,e,d) ← Krsa(1k) mpk ← (N,e) msk ← (N,e,d) Return (mpk,msk) The Shamir-IBI scheme MKg(1k) P(usk) V(mpk,ID) (N,e,x) ← usk y ← ZN Y ← ye mod N z ← xyc mod N (N,e) ← mpk c ← {0,1}ℓ(k) If ze = H(ID)∙Yc mod Nthen accept else reject * * R Y c z UKg(msk,ID) (N,e,d) ← msk X ← H(ID) x ← Xd mod N usk ← (N,e,x) Return usk

  15. The framework: SI to IBI “convertible” SI scheme: • Kg(1k): “trapdoor samplable relation” R sk ← (R,x) ; pk ← (R,y) such that (x,y) ∈R cSI-2-IBI SI IBI fs-I-2-S cSI-2-IBI • MKg(1k): generate relation R with trapdoor t mpk ← R ; msk ← (R,t) • UKg(msk, ID): y ← H(ID) use t to compute x s.t. (x,y) ∈R usk ← (R,x) IBS SS Theorem: SI is imp-xx secure⇓IBI = cSI-2-IBI(SI) is imp-xx secure in the RO model

  16. (N,e,d) ← Krsa(1k) X ← ZN x ← Xd mod N pk ← (N,e,X) sk ← (N,e,x) Return (pk,sk) The Shamir-SS scheme Kg(1k) Sign(sk,M) Vf(pk,M,σ) (N,e,x) ← sk y ← ZN Y ← ye mod N c ← H(Y,M) z ← xyc mod N σ ← (Y,z) (N,e,X) ← pk (Y,z) ← σ c ← H(Y,M) If ze = XYc mod Nthen accept else reject * * R R

  17. (N,e,d) ← Krsa(1k) mpk ← (N,e) msk ← (N,e,d) Return (mpk,msk) The Shamir-IBS scheme MKg(1k) Sign(usk,M) Vf(mpk,ID,M,σ) (N,e,x) ← usk y ← ZN Y ← ye mod N c ← H(Y,M) z ← xyc mod N σ ← (Y,z) (N,e) ← mpk (Y,z) ← σ c ← H(Y,M) If ze = H(ID)∙Yc mod Nthen accept else reject * * R UKg(msk,ID) (N,e,d) ← msk X ← H(ID) x ← Xd mod N usk ← (N,e,x) Return usk = Shamir-IBS as proposed in [S84]

  18. IBI to IBS • “canonical” IBI → IBS • For canonical convertible SI X: cSS-2-IBS(fs-I-2-S(X)) = fs-I-2-S(cSI-2-IBI(X)) • fs-I-2-Snot security-preserving for canonical IBI schemes in general fs-I-2-S (efs-IBI-2-IBS) Theorem: IBI is imp-pa secure⇓IBS = efs-IBI-2-IB(IBI) is uf-cma secure in the RO model • modified efs-IBI-2-IBS transform: Ch ← H(Cmt,M,ID) The framework: SS and IBI to IBS • SS to IBS: cSS-2-IBS • analogous to cSI-2-IBI • “convertible” SS → IBS • generalization of [DKXY03] cSI-2-IBI SI IBI fs-I-2-S cSS-2-IBS IBS SS Theorem: SI is imp-pa secure⇓IBS = fs-I-2-S(cSI-2-IBI(SS)) is uf-cma secure in the RO model Theorem: SS is uf-cma secure⇓IBS = cSS-2-IBS(SS) is uf-cma secure in the RO model

  19. Fiat-Shamir IBI, IBS P P P I I I I I It. Root SI, SS P P I I I I FF SI, SS P P P I I I I I GQ IBI, IBS P P P I I I I I Shamir IBS P A A I A A I I Shamir* SI P P P I I I I I OkRSA SI, IBI, SS P P P I I I I I Girault SI, IBI A A A A A A A A SOK IBS P A A I A A I I Hess IBS P P P I I I P I Cha-Cheon IBS P P P I I I I P Beth IBI P I I I OkDL IBI I I I P P P I I BNNDL SI, IBI I I I P P P I I Results for concrete schemes Name Origin Name-SI Name-IBI Name-SS Name-IBS pa aa ca pa aa ca uf-cma uf-cma Fiat-Shamir IBI, IBS P P P I I I I I It. Root SI, SS P P I I I I FF SI, SS P P P I I I I I GQ IBI, IBS P P P I I I I I Shamir IBS P A A I A A I I Shamir* SI P P P I I I I I OkRSA SI, IBI, SS P P P I I I I I Girault SI, IBI A A A A A A A A SOK IBS P A A I A A I I Hess IBS P P P I I I P I Cha-Cheon IBS P P P I I I I P Beth IBI P I I I OkDL IBI I I I P P P I I BNNDL SI, IBI I I I P P P I I P = proven I = implied A = attacked = known result = new contribution

More Related