
Provably Secure Identity-Based Identification Schemes and Transitive Signatures

Katholieke Universiteit Leuven, Faculteit Toegepaste Wetenschappen, Departement Computerwetenschappen (Faculty of Engineering, Department of Computer Science). Provably Secure Identity-Based Identification Schemes and Transitive Signatures. ir. Gregory Neven. Advisors: Prof. Dr. ir. Frank Piessens, Prof. Dr. ir. Bart De Decker.


Presentation Transcript


  1. Katholieke Universiteit Leuven, Faculteit Toegepaste Wetenschappen, Departement Computerwetenschappen
  Provably Secure Identity-Based Identification Schemes and Transitive Signatures
  ir. Gregory Neven
  Advisors: Prof. Dr. ir. Frank Piessens, Prof. Dr. ir. Bart De Decker

  2. Overview
  • Introduction: Provable security
  • Identity-based identification schemes (joint work with Mihir Bellare and Chanathip Namprempre)
    • Concept
    • Framework of transforms
    • Summary of results
  • Transitive signatures (joint work with Mihir Bellare)
    • Concept
    • Node certification technique
    • Summary of results
  • Conclusion

  3. Standard digital signatures (SS) [Diffie-Hellman, 1976]
  • Kg(1^k) → (pk, sk): the signer keeps sk and publishes pk
  • Sign(sk, M) → σ
  • Vf(pk, M, σ) → acc/rej
  Cryptography = study of mathematical techniques for information security

  4. Standard identification (SI) schemes
  • Kg(1^k) → (pk, sk)
  • Prover P holds sk, verifier V holds pk; P and V interact, and V outputs acc/rej

  5. Provable security
  • Until the 1980s: ad-hoc design, "secure until proven insecure"
  • More recently: provable security [GMR88]
    • Step 1: security notion: define the meaning of "security" of the scheme
    • Step 2: security proof: show that the only way to break the scheme is by
      • solving a supposedly hard mathematical problem, or
      • breaking an underlying cryptographic building block
  • From theoreticians' toy to industry-relevant property

  6. Step 1: Security notion
  • Desirable properties of a signature scheme:
    • infeasible to compute sk from pk
    • unforgeability, on messages chosen by the adversary, even after seeing many valid signatures
  [Figure: the forger receives pk and valid pairs (M_1, σ_1) … (M_n, σ_n); it wins by outputting (M, σ) such that Vf(pk, M, σ) = acc]

  7. Step 1: Security notion
  • Same game, with the signatures obtained adaptively from a signing oracle Sign(sk, ·): the forger F submits M_i and receives σ_i, then must output (M, σ) with Vf(pk, M, σ) = acc for a message M it never queried
  • Security (uf-cma) = no "reasonable" (polynomial-time) algorithm F has a non-negligible probability of winning this game

  8. Step 2: Security proof
  By contradiction: suppose such a forger F exists; then a "reasonable" algorithm A exists that
  • solves a supposedly hard mathematical problem, or
  • breaks an underlying cryptographic building block
  [Figure: A receives an instance of the hard problem, runs F on a public key pk while answering its signing queries M_i with σ_i, and turns F's forgery (M, σ) into a solution of the instance]

  9. Mathematically hard problems
  • Factoring: given N = pq with p, q large primes, find p, q
  • RSA: given N = pq with p, q large primes, e with gcd(e, φ(N)) = 1 where φ(N) = (p-1)(q-1), and y ∈ Z_N^*, find x such that x^e = y mod N
  • Discrete logarithm: given a large prime p, a generator g of Z_p^*, and y ∈ Z_p^*, find x such that g^x = y mod p (also in subgroups of Z_p^* and on elliptic curves)

  10. Random oracle model
  • Cryptographic hash function H: {0,1}^* → {0,1}^k
    • one-wayness: given y, finding x such that H(x) = y is hard
    • collision resistance: finding x1 ≠ x2 such that H(x1) = H(x2) is hard
  • Random oracle model [BR93b]: H behaves as an unpredictable, truly random function
    − an assumption no real hash function satisfies
    − no longer a proof, only a (good) heuristic
    − counterexamples known [CGH98, Nie02, GK03, BBP04]
    + "provable" security for practical schemes
    + counterexamples mostly contrived
    + a proof in the RO model is preferable to ad-hoc design

  11. Overview (section divider, same outline as slide 2; next: Identity-based identification schemes)

  12. Identity-based signatures (IBS) [Shamir, 1984]
  [Figure: the identity string "Alice" takes the place of pk in Sign(sk, M) → σ and Vf(pk, M, σ) → acc/rej; the open question marked on the slide is where the sk matching an identity comes from]

  13. Identity-based signatures (IBS) [Shamir, 1984]
  • MKg(1^k) → (mpk, msk): master key pair of the trusted authority
  • UKg(msk, "Alice") → usk_A: user secret key issued by the authority
  • Sign(usk_A, M) → σ
  • Vf(mpk, "Alice", M, σ) → acc/rej: the verifier needs only mpk and the identity string

  14. Identity-based identification (IBI) [Shamir, 1984]
  • MKg(1^k) → (mpk, msk)
  • UKg(msk, "Alice") → usk_A
  • Prover P holds usk_A, verifier V holds mpk and "Alice"; P and V interact, and V outputs acc/rej

  15. State of the area prior to this work
  • IBI schemes
    • many proposed [FS86, Bet88, GQ89, Gir90, Oka93]
    • no appropriate security notion
    • proofs under a non-ID-based notion, or entirely lacking
  • IBS schemes
    • many proposed [Sha84, FS86, GQ89, SOK00, Pat02, CC03, Hes03, Yi03]
    • good security definition [CC03]
    • general transform from "trapdoor" SS to IBS [DKXY03]
    • some gaps remain

  16. Our contributions
  [Figure: the four scheme types SI, IBI, SS, IBS connected by transforms]
  • Security definitions for IBI schemes
  • Framework of security-preserving transforms
  • Security proofs for 12 scheme "families"
    • by implication through the transforms
    • by surfacing and proving previously unanalyzed SI schemes
    • by proving them as IBI schemes directly (exceptions)
  • Attack on 1 scheme family

  17. Security of IBS and IBI schemes
  • IBS schemes: uf-cma security [CC03]
  • IBI schemes: imp-pa, imp-aa, imp-ca security
    • Learning phase: Initialize and Corrupt oracles; the adversary sees conversation transcripts (pa), interacts with provers sequentially (aa) or in parallel (ca)
    • Attack phase: impersonate an uncorrupted identity ID_break of the adversary's choice; the oracles are blocked for ID = ID_break
  [Figure: the IBS forger F receives mpk and has oracles Initialize(ID), Sign(usk_ID, ·) taking (ID, M) and returning σ, and Corrupt(ID) returning usk_ID; it must output (ID, M, σ) for an uncorrupted ID and a pair (ID, M) it never queried]

  18. The framework
  [Figure: SI, IBI, SS, IBS with the transforms drawn as arrows between them]
  • SI to SS: fs-I-2-S, "canonical" SI → SS [FS86]
    Theorem [AABN02]: SI is imp-pa secure ⇒ SS = fs-I-2-S(SI) is uf-cma secure in the random oracle model

  19. The framework
  • SI to IBI: cSI-2-IBI, "convertible" SI → IBI
    Theorem: SI is imp-xx secure ⇒ IBI = cSI-2-IBI(SI) is imp-xx secure in the random oracle model, for xx ∈ {pa, aa, ca}

  20. The framework
  • SS to IBS: cSS-2-IBS, "convertible" SS → IBS, a generalization of [DKXY03]
    Theorem: SS is uf-cma secure ⇒ IBS = cSS-2-IBS(SS) is uf-cma secure in the random oracle model

  21. The framework
  • IBI to IBS: fs-I-2-S applied to a "canonical converted" IBI → IBS
    cSS-2-IBS(fs-I-2-S(SI)) = fs-I-2-S(cSI-2-IBI(SI)), i.e. the diagram commutes
    but fs-I-2-S is not security-preserving for all IBI schemes

  22. The framework
  • IBI to IBS: efs-IBI-2-IBS, "canonical" IBI → IBS
    Theorem: IBI is imp-pa secure ⇒ IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the random oracle model
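The two transforms at the heart of this framework are easiest to see on one concrete scheme. The block below is an added example written for this page, not code from the thesis: it takes GQ identification (the GQ row of the results table) as a canonical three-move SI scheme, applies fs-I-2-S (the verifier's random challenge becomes a hash of commitment and message) to get a signature scheme, and applies cSI-2-IBI (the authority's master secret is the RSA trapdoor d, a user's public value is H(ID), and the user secret is H(ID)^d) to get an IBI scheme; fs-I-2-S on that IBI then gives the GQ IBS, as slide 21's commutation states. The toy RSA modulus, the prime e, and the SHA-256-based hash-to-integer are assumptions made for the illustration; the theorems model the hashes as random oracles.

```python
import hashlib
import secrets

# Toy RSA trapdoor, FOR ILLUSTRATION ONLY (assumed parameters; use a 2048-bit+
# modulus in practice). (N, E) is public, D is the trapdoor. The trapdoor is what
# makes GQ "convertible": any X in Z_N^* has a computable matching secret x = X^D.
# E is a prime larger than the challenge space we need (GQ challenges live in [1, E-1]).
P, Q = 1000000007, 1000000009
N = P * Q
E = 2**61 - 1
D = pow(E, -1, (P - 1) * (Q - 1))


def ib(n: int) -> bytes:
    """Big-endian byte encoding of a non-negative integer (for hashing)."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def h_int(*parts: bytes, mod: int) -> int:
    """Hash byte strings to [1, mod-1]; modelled as a random oracle in the proofs."""
    digest = hashlib.sha256(b"\x00".join(parts)).digest()
    return 1 + int.from_bytes(digest, "big") % (mod - 1)


# --- GQ as a canonical (three-move) standard identification scheme (SI) ---
def gq_keygen():
    """Kg: secret x in Z_N^*, public X = x^E mod N. Returns (pk, sk)."""
    x = 2 + secrets.randbelow(N - 3)
    return pow(x, E, N), x


def gq_commit():
    """Move 1: prover picks r and sends the commitment Y = r^E mod N."""
    r = 2 + secrets.randbelow(N - 3)
    return r, pow(r, E, N)


def gq_respond(x: int, r: int, c: int) -> int:
    """Move 3: response z = r * x^c mod N to challenge c in [1, E-1]."""
    return (r * pow(x, c, N)) % N


def gq_verify(X: int, Y: int, c: int, z: int) -> bool:
    """Verifier's check: z^E == Y * X^c mod N."""
    return pow(z, E, N) == (Y * pow(X, c, N)) % N


def identify(X: int, x: int) -> bool:
    """Full SI run: commit, random challenge (move 2), respond, verify."""
    r, Y = gq_commit()
    c = 1 + secrets.randbelow(E - 1)
    return gq_verify(X, Y, c, gq_respond(x, r, c))


# --- fs-I-2-S: SI -> SS. The random challenge is replaced by H(X, Y, M) ---
def fs_sign(X: int, x: int, msg: bytes):
    """Signature sigma = (Y, z): a transcript whose challenge the signer cannot choose."""
    r, Y = gq_commit()
    c = h_int(ib(X), ib(Y), msg, mod=E)
    return Y, gq_respond(x, r, c)


def fs_verify(X: int, msg: bytes, sig) -> bool:
    Y, z = sig
    return gq_verify(X, Y, h_int(ib(X), ib(Y), msg, mod=E), z)


# --- cSI-2-IBI: SI -> IBI. mpk = (N, E), msk = D. The user's public value is
# X_ID = H(ID); the authority extracts usk_ID = H(ID)^D with the trapdoor ---
def ibi_public(identity: str) -> int:
    """Anyone can derive the prover's public value from the identity string alone."""
    return h_int(identity.encode(), mod=N)


def ibi_user_keygen(identity: str) -> int:
    """UKg(msk, ID): only the authority, holder of D, can compute this."""
    return pow(ibi_public(identity), D, N)


def ibi_identify(identity: str, usk: int) -> bool:
    """The verifier needs only mpk and the identity, no certificate."""
    return identify(ibi_public(identity), usk)


# --- fs-I-2-S applied to the converted IBI gives the GQ IBS scheme ---
def ibs_sign(identity: str, usk: int, msg: bytes):
    return fs_sign(ibi_public(identity), usk, msg)


def ibs_verify(identity: str, msg: bytes, sig) -> bool:
    return fs_verify(ibi_public(identity), msg, sig)
```

The check `usk^E = H(ID)^(D*E) = H(ID) mod N` is exactly what makes the converted scheme work: the verifier treats H(ID) as a GQ public key, and the authority's trapdoor is the only way to obtain the matching secret, which is why the imp-xx security of GQ carries over to the IBI scheme under the theorem on slide 19.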

  23. Results for concrete schemes
  Legend: P = proved, I = implied (through a transform), A = attacked, ? = open problem. New contributions are marked in colour on the original slide.

  Name         Origin         SI (pa aa ca)   IBI (pa aa ca)   SS uf-cma   IBS uf-cma
  Fiat-Shamir  IBI, IBS       P  P  P         I  I  I          I           I
  It. Root     SI, SS         P  P  ?         I  I  ?          I           I
  FF           SI, SS         P  P  P         I  I  I          I           I
  GQ           IBI, IBS       P  P  P         I  I  I          I           I
  OkRSA        SI, IBI, SS    P  P  P         I  I  I          I           I
  Shamir       IBS            P  A  A         I  A  A          I           I
  Shamir*      SI             P  P  P         I  I  I          I           I
  Girault      SI, IBI        A  A  A         A  A  A          A           A
  SOK          IBS            P  A  A         I  A  A          I           I
  Hess         IBS            P  P  P         I  I  I          P           I
  Cha-Cheon    IBS            P  P  P         I  I  I          I           P
  Beth         IBI            P  ?  ?         I  ?  ?          I           I
  OkDL         IBI            I  I  I         P  P  P          I           I
  BNNDL        SI, IBI        I  I  I         P  P  P          I           I

  24. Overview (section divider, same outline as slide 2; next: Transitive signatures)

  25. Transitive signatures [Micali-Rivest, 2002]
  • TKg(1^k) → (tpk, tsk)
  • A message is a pair of nodes i, j; signing i, j = creating and authenticating the edge {i, j}: TSign(tsk, i, j) → σ_{i,j}
  • TVf(tpk, i, j, σ'_{i,j}) → acc/rej
  • An authenticated graph grows with time
  [Figure: nodes 1 … 5 with directly signed edges σ_{1,2}, σ_{2,3}, σ_{4,5}]

  26. Transitive signatures
  • Additional composition algorithm: Comp(tpk, i, j, k, σ_{i,j}, σ_{j,k}) → σ_{i,k}, computable by anyone holding tpk
  • The authenticated graph is the transitive closure of the directly signed edges
  [Figure: from σ_{1,2} and σ_{2,3} anyone derives σ_{1,3}; nodes 4 and 5, joined by σ_{4,5}, remain a separate component]

  27. Security of transitive signatures
  • The standard uf-cma definition doesn't apply: composition allows some extent of "forgery" by design
  • New security goal [MR02b]: computationally infeasible to forge signatures on edges not in the transitive closure of the edges signed directly by the signer, even under a "chosen-edge" attack
  [Figure: F receives tpk, queries TSign(tsk, ·, ·) on (1,2), (2,3), (4,5) and obtains σ_{1,2}, σ_{2,3}, σ_{4,5}; a valid σ_{1,3} is not a forgery, but a valid {1,4}, σ_{1,4} is, because 4 is not reachable from 1 in the signed graph]

  28. Node certification technique
  For each node i, the signer:
  • chooses a secret label x_i
  • computes the public label y_i = f(x_i)
  • creates a node certificate cert_i on (i, y_i) with its standard signature scheme
  Signature on edge {1,2}: σ_{1,2} = (cert_1, cert_2, δ_{1,2}) where δ_{1,2} = g(x_1, x_2)
  Verification of σ_{1,2} = (cert_1, cert_2, δ_{1,2}):
  • check the validity of the node certificates
  • compare δ_{1,2} to y_1, y_2
  Composition of σ_{1,2} and σ_{2,3}: σ_{1,3} = (cert_1, cert_3, δ_{1,3}) where δ_{1,3} = h(δ_{1,2}, δ_{2,3})
  [Figure: nodes 1, 2, 3 carrying labels (x_i, y_i), edge values δ_{1,2}, δ_{2,3}, and the composed δ_{1,3}]

  29. Eliminating node certificates
  For each node i, the signer:
  • computes the public label y_i = H(i), which anyone can recompute, so no certificate is needed
  • computes the secret label x_i = f^{-1}(y_i) using trapdoor information
  Signature σ_{1,2} = δ_{1,2} = g(x_1, x_2)
  Verification of σ_{1,2} = δ_{1,2}: compare δ_{1,2} to H(1), H(2)
  Composition of σ_{1,2} and σ_{2,3}: σ_{1,3} = δ_{1,3} = h(δ_{1,2}, δ_{2,3})
  [Figure: nodes 1, 2, 3 with public labels y_i = H(i); only the signer knows x_1, x_2, x_3]
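To make the f, g, h structure of slides 28 and 29 concrete, here is an added example written for this page (not the thesis's code) that instantiates the certificate-free variant of slide 29 with RSA: f(x) = x^e mod N, so the signer inverts a public label with the trapdoor as x_i = H(i)^d; g(x_i, x_j) = x_i · x_j^{-1} mod N; and h is multiplication mod N, which is why anyone holding tpk can compose. The certificate variant of slide 28 differs only in letting the signer choose y_i and ship it in a standard-signature certificate instead of deriving it as H(i). This is a simple RSA instantiation of that structure, not necessarily identical to the RSAH-TS scheme in the next table; the toy modulus and the SHA-256 hash-to-Z_N^* are assumptions for the illustration.

```python
import hashlib

# Toy RSA trapdoor, FOR ILLUSTRATION ONLY (assumed parameters). tpk = (N, E),
# tsk = D. Here f(x) = x^E mod N, so the signer inverts labels as f^-1(y) = y^D.
P, Q = 1000000007, 1000000009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def public_label(i: int) -> int:
    """y_i = H(i): anyone can compute a node's public label, so no certificate is needed."""
    digest = hashlib.sha256(b"node:" + str(i).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (N - 1)


def secret_label(i: int) -> int:
    """x_i = f^-1(y_i) = y_i^D mod N; requires the trapdoor D (signer only)."""
    return pow(public_label(i), D, N)


def tsign(i: int, j: int) -> int:
    """TSign on edge {i,j}: delta = g(x_i, x_j) = x_i * x_j^-1 mod N.
    Edges are undirected, so the value is stored oriented from the lower to the higher node."""
    a, b = sorted((i, j))
    return (secret_label(a) * pow(secret_label(b), -1, N)) % N


def tverify(i: int, j: int, delta: int) -> bool:
    """TVf: compare f(delta) = delta^E with the public labels H(i), H(j); needs only tpk."""
    a, b = sorted((i, j))
    return pow(delta, E, N) == (public_label(a) * pow(public_label(b), -1, N)) % N


def _oriented(i: int, j: int, delta: int) -> int:
    """Turn a stored {i,j} value into the directed value x_i / x_j."""
    return delta if i < j else pow(delta, -1, N)


def compose(i: int, j: int, k: int, delta_ij: int, delta_jk: int) -> int:
    """Comp(tpk, i, j, k, ...): delta_{i,k} = h(delta_{i,j}, delta_{j,k}) = product mod N,
    since (x_i / x_j) * (x_j / x_k) = x_i / x_k. Uses no secret."""
    directed = (_oriented(i, j, delta_ij) * _oriented(j, k, delta_jk)) % N
    return directed if i < k else pow(directed, -1, N)


def demo() -> dict:
    """Signer signs {1,2}, {2,3}, {4,5} (the graph of slides 25-27); a verifier composes
    {1,3} and sees that nothing it holds yields a valid {1,4}, which lies outside the
    transitive closure of the signed edges."""
    s12, s23, s45 = tsign(1, 2), tsign(2, 3), tsign(4, 5)
    s13 = compose(1, 2, 3, s12, s23)
    return {
        "signed_edges_verify": all([tverify(1, 2, s12), tverify(2, 3, s23), tverify(4, 5, s45)]),
        "composed_13_verifies": tverify(1, 3, s13),
        "composed_equals_direct": s13 == tsign(1, 3),
        "tampered_rejected": not tverify(1, 3, (s13 * 2) % N),
        "cross_component_rejected": not tverify(1, 4, (s13 * s45) % N),
    }
```

Two properties worth noticing when running it: the composed σ_{1,3} is bit-for-bit equal to a directly signed σ_{1,3}, because in this instantiation the edge value x_1/x_3 is determined by the labels alone; and multiplying values from two different components (σ_{1,3} · σ_{4,5}) does not produce anything that verifies for {1,4}, matching the security goal of slide 27.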

  30. Scheme contributions
  (SDL = subgroup discrete log, EC = elliptic curve; new contributions are marked in colour on the original slide)

  Scheme     Security assumptions                              Random oracle?   Signature length
  Trivial    Security of SS scheme                             No               O(|path|)
  DL-TS      Security of SS scheme, discrete logarithms        No               4416 bits (SDL), 2708 bits (EC)
  RSA-TS     Security of SS scheme, one-more RSA               No               5120 bits
  Fact-TS    Security of SS scheme, factoring                  No               5120 bits
  DL1m-TS    Security of SS scheme, one-more discrete logs     No               4256 bits (SDL), 2548 bits (EC)
  Gap-TS     Security of SS scheme, one-more Gap-DH            No               2558 bits
  RSAH-TS    One-more RSA                                      Yes              1024 bits
  FactH-TS   Factoring                                         Yes              1024 bits
  GapH-TS    One-more Gap-DH                                   Yes              170 bits

  31. Overview (section divider, same outline as slide 2; next: Conclusion)

  32. Summary of contributions
  • Identity-based identification and signature schemes
    • Security notion for IBI schemes
    • Framework of security-preserving transforms
    • Proofs for 12 scheme families, attack for 1 family
    • Direct proofs as IBI schemes for 2 families
  • Transitive signature schemes
    • Security proof for the RSA-TS scheme
    • New provably secure schemes based on factoring, discrete logarithms and Gap-DH groups
    • Hash-based technique to eliminate node certificates

  33. Open problems
  • Open problems in proofs for IBI/IBS schemes (the "?" entries in the results table)
  • Tighter bounds for IBI/IBS schemes through direct proofs
  • Provably secure identity-based cryptography without random oracles [BB04]
  • Directed transitive signatures
  • A signature scheme in which Sign(sk1, pk2) and Sign(sk2, M) can be combined into Sign(sk1, M), to compress certificate chains
