Security Proofs for Identity-Based Identification and Signature Schemes
Mihir Bellare, University of California at San Diego, USA
Chanathip Namprempre, Thammasat University, Thailand
Gregory Neven, Katholieke Universiteit Leuven, Belgium
Identity-based encryption
• Proposed by Shamir (1984)
• Efficiently implemented by Boneh-Franklin (2001)
(Diagram.) The KDC runs MKg(1^k) to obtain (mpk, msk) and runs UKg(msk, “Bob”) to derive Bob's user secret key usk_B, which it delivers to Bob. Alice encrypts M under (mpk, “Bob”), C ← E(mpk, “Bob”, M); Bob decrypts with usk_B, M ← D(usk_B, C).
Identity-based signatures (IBS)
• Proposed and implemented by Shamir (1984)
• Alternative implementations followed [FS86, GQ89]
• Renewed interest using pairings [SOK00, P02, CC03, H03, Yi03]
(Diagram.) The KDC runs MKg(1^k) to obtain (mpk, msk) and UKg(msk, “Alice”) to derive usk_A, which it delivers to Alice. Alice computes σ ← Sign(usk_A, M) and sends (M, σ) to Bob; Bob runs Vf(mpk, “Alice”, M, σ) and outputs acc/rej.
Identity-based identification (IBI)
• Proposed by Shamir (1984)
• Numerous implementations followed [FS86, B88, GQ89, G90, O93]
(Diagram.) The KDC runs MKg(1^k) to obtain (mpk, msk) and UKg(msk, “Alice”) to derive usk_A, which it delivers to Alice. Alice runs the prover P on usk_A and interacts with Bob, who runs the verifier V on (mpk, “Alice”) and outputs acc/rej.
Provable security of IBI/IBS schemes
• IBI schemes
  • no appropriate security definitions
  • proofs in weak model (fixed identity) or entirely lacking
• IBS schemes
  • good security definition [CC03]
  • security proofs for some schemes directly [CC03] or through the “trapdoor SS” to IBS transform [DKXY03]
  • some gaps remain
Existing security proofs
Existing security proofs for
• identification schemes underlying IBI schemes, e.g. [FFS88] prove [FS86], [BP02] prove [GQ89]
• signature schemes underlying IBS schemes, e.g. analyses of the Fiat-Shamir transform [PS96, OO98, AABN02]
refer to standard identification (SI) and signature (SS) schemes. Build on these proofs, rather than from scratch.
Our contributions
(Diagram: SI, IBI, SS and IBS linked by transforms.)
• Security definitions for IBI schemes
• Security proofs for “trivial” certificate-based IBI/IBS schemes
• Framework of security-preserving transforms
• Security proofs for 12 scheme “families”
  • by implication through transforms
  • by surfacing and proving unanalyzed SI schemes
  • by proving as IBI schemes directly (exceptions)
• Attack on 1 scheme family
Independent work
Kurosawa, Heng (PKC 2004):
• security definitions for IBI schemes
• transform from SS to IBI schemes
Security of IBS and IBI schemes
• IBS schemes: uf-cma security [CC03]
• IBI schemes: imp-pa, imp-aa, imp-ca security
• Learning phase: Initialize and Corrupt oracles; see conversation transcripts (pa), interact with provers sequentially (aa) or in parallel (ca)
• Attack phase: impersonate an uncorrupted identity ID_break of the adversary's choice; oracles are blocked for ID = ID_break
(Diagram of the uf-cma game: the forger F receives mpk; it may query Initialize(ID), query Sign(usk_ID, ·) on (M, ID) to receive σ, and query Corrupt(ID) to receive usk_ID; it outputs a forgery (ID, M, σ).)
The Shamir-SI scheme (“surfaced” from Shamir-IBS [S84])
Kg(1^k):
  (N,e,d) ← K_rsa(1^k) ; X ←R Z_N^* ; x ← X^d mod N
  pk ← (N,e,X) ; sk ← (N,e,x) ; Return (pk,sk)
P(sk), with (N,e,x) ← sk:
  y ←R Z_N^* ; Y ← y^e mod N ; send Y to V
  receive c ; z ← x·y^c mod N ; send z to V
V(pk), with (N,e,X) ← pk:
  receive Y ; c ←R {0,1}^ℓ(k) ; send c to P
  receive z ; If z^e = X·Y^c mod N then accept else reject
(statistical) HVZK + POK ⇒ imp-pa secure
not imp-aa secure (attack: choose c=0)
The Shamir-SS scheme
Kg(1^k):
  (N,e,d) ← K_rsa(1^k) ; X ←R Z_N^* ; x ← X^d mod N
  pk ← (N,e,X) ; sk ← (N,e,x) ; Return (pk,sk)
Sign(sk,M), with (N,e,x) ← sk:
  y ←R Z_N^* ; Y ← y^e mod N ; c ← H(Y,M) ; z ← x·y^c mod N ; σ ← (Y,z)
Vf(pk,M,σ), with (N,e,X) ← pk:
  (Y,z) ← σ ; c ← H(Y,M) ; If z^e = X·Y^c mod N then accept else reject
The framework: SI to SS [FS86]
“canonical” SI scheme: P(sk) sends Cmt, V(pk) replies with Ch, P sends Rsp, and V decides by Dec(pk,Cmt,Ch,Rsp).
(Diagram: fs-I-2-S maps SI to SS and IBI to IBS.)
fs-I-2-S:
• Sign(sk,M): Ch ← H(Cmt,M) ; σ ← (Cmt,Rsp)
• Vf(pk,M,σ): Dec(pk, Cmt, H(Cmt,M), Rsp)
Theorem [AABN02]: SI is imp-pa secure ⇒ SS = fs-I-2-S(SI) is uf-cma secure in the RO model
The Shamir-IBI scheme (shown on the slide beside the Shamir-SI scheme above)
MKg(1^k):
  (N,e,d) ← K_rsa(1^k) ; mpk ← (N,e) ; msk ← (N,e,d) ; Return (mpk,msk)
UKg(msk,ID), with (N,e,d) ← msk:
  X ← H(ID) ; x ← X^d mod N ; usk ← (N,e,x) ; Return usk
P(usk), with (N,e,x) ← usk:
  y ←R Z_N^* ; Y ← y^e mod N ; send Y to V
  receive c ; z ← x·y^c mod N ; send z to V
V(mpk,ID), with (N,e) ← mpk:
  receive Y ; c ←R {0,1}^ℓ(k) ; send c to P
  receive z ; If z^e = H(ID)·Y^c mod N then accept else reject
The framework: SI to IBI
“convertible” SI scheme:
• Kg(1^k): “trapdoor samplable relation” R ; sk ← (R,x) ; pk ← (R,y) such that (x,y) ∈ R
(Diagram: cSI-2-IBI maps SI to IBI; fs-I-2-S maps SI to SS and IBI to IBS.)
cSI-2-IBI:
• MKg(1^k): generate relation R with trapdoor t ; mpk ← R ; msk ← (R,t)
• UKg(msk, ID): y ← H(ID) ; use t to compute x s.t. (x,y) ∈ R ; usk ← (R,x)
Theorem: SI is imp-xx secure ⇒ IBI = cSI-2-IBI(SI) is imp-xx secure in the RO model
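A worked version of the preceding slides (Shamir-SI as a canonical scheme, the fs-I-2-S transform and the cSI-2-IBI transform), added here as a Python example; it is not code from the paper or its authors. The RSA modulus is a constructed toy value, SHA-256 reduced mod N stands in for the random oracle H, and challenges use ℓ(k) = 64 bits; all three are assumptions made for the demo.

```python
import hashlib
from secrets import randbelow

# Constructed toy RSA parameters, demo only (real schemes use ~3072-bit N).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor d for the relation below
ELL = 64                             # challenge length l(k) in bits (assumed)

def H(*parts):
    """Random-oracle stand-in: hash the parts into Z_N."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

# Shamir-SI as a canonical scheme over the trapdoor-samplable relation
# R = {(x, X) : x^e = X mod N}; the trapdoor d samples x for any X.
def si_kg():
    X = randbelow(N - 1) + 1
    return (N, E, X), (N, E, pow(X, D, N))       # (pk, sk)

def cmt(sk):                  # P's first move: Cmt = Y = y^e, keep state y
    y = randbelow(N - 1) + 1
    return pow(y, E, N), y

def rsp(sk, y, c):            # P's reply to challenge c: Rsp = z = x * y^c
    return sk[2] * pow(y, c, N) % N

def dec(pk, Y, c, z):         # V's decision Dec(pk, Cmt, Ch, Rsp): z^e == X * Y^c
    return pow(z, E, N) == pk[2] * pow(Y, c, N) % N

def run_si(pk, sk):           # one honest interactive run of the SI protocol
    Y, y = cmt(sk)
    c = randbelow(1 << ELL)   # c <-R {0,1}^l(k)
    return dec(pk, Y, c, rsp(sk, y, c))

# cSI-2-IBI: mpk = (N, e), msk holds d, and the user key for ID is H(ID)^d.
# The IBI prover/verifier are the SI ones with X replaced by H(ID).
def ibi_ukg(ID):
    return (N, E, pow(H(ID), D, N))

def ibi_pk(ID):               # what V(mpk, ID) uses in place of an SI pk
    return (N, E, H(ID))

# fs-I-2-S: replace the live challenge by Ch = H(Cmt, M). Applied to
# Shamir-SI it yields Shamir-SS; applied to Shamir-IBI it yields Shamir-IBS.
def fs_sign(sk, M):
    Y, y = cmt(sk)
    return Y, rsp(sk, y, H(Y, M))                 # sigma = (Cmt, Rsp)

def fs_verify(pk, M, sig):
    Y, z = sig
    return dec(pk, Y, H(Y, M), z)
```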
The Shamir-IBS scheme (shown on the slide beside the Shamir-SS scheme above)
MKg(1^k):
  (N,e,d) ← K_rsa(1^k) ; mpk ← (N,e) ; msk ← (N,e,d) ; Return (mpk,msk)
UKg(msk,ID), with (N,e,d) ← msk:
  X ← H(ID) ; x ← X^d mod N ; usk ← (N,e,x) ; Return usk
Sign(usk,M), with (N,e,x) ← usk:
  y ←R Z_N^* ; Y ← y^e mod N ; c ← H(Y,M) ; z ← x·y^c mod N ; σ ← (Y,z)
Vf(mpk,ID,M,σ), with (N,e) ← mpk:
  (Y,z) ← σ ; c ← H(Y,M) ; If z^e = H(ID)·Y^c mod N then accept else reject
= Shamir-IBS as proposed in [S84]
The framework: SS and IBI to IBS
(Diagram: cSI-2-IBI maps SI to IBI; fs-I-2-S maps SI to SS and IBI to IBS; cSS-2-IBS maps SS to IBS.)
• SS to IBS: cSS-2-IBS
  • analogous to cSI-2-IBI
  • “convertible” SS → IBS
  • generalization of [DKXY03]
Theorem: SS is uf-cma secure ⇒ IBS = cSS-2-IBS(SS) is uf-cma secure in the RO model
Theorem: SI is imp-pa secure ⇒ IBS = fs-I-2-S(cSI-2-IBI(SI)) is uf-cma secure in the RO model
• IBI to IBS: “canonical” IBI → IBS
  • For canonical convertible SI X: cSS-2-IBS(fs-I-2-S(X)) = fs-I-2-S(cSI-2-IBI(X))
  • fs-I-2-S is not security-preserving for canonical IBI schemes in general
  • modified efs-IBI-2-IBS transform: Ch ← H(Cmt,M,ID)
Theorem: IBI is imp-pa secure ⇒ IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the RO model
Results for concrete schemes

Name         Origin         Name-SI (pa aa ca)   Name-IBI (pa aa ca)   Name-SS uf-cma   Name-IBS uf-cma
Fiat-Shamir  IBI, IBS       P  P  P              I  I  I               I                I
It. Root     SI, SS         P  P  –              I  I  –               I                I
FF           SI, SS         P  P  P              I  I  I               I                I
GQ           IBI, IBS       P  P  P              I  I  I               I                I
Shamir       IBS            P  A  A              I  A  A               I                I
Shamir*      SI             P  P  P              I  I  I               I                I
OkRSA        SI, IBI, SS    P  P  P              I  I  I               I                I
Girault      SI, IBI        A  A  A              A  A  A               A                A
SOK          IBS            P  A  A              I  A  A               I                I
Hess         IBS            P  P  P              I  I  I               P                I
Cha-Cheon    IBS            P  P  P              I  I  I               I                P
Beth         IBI            –  –  –              P  I  I               –                I
OkDL         IBI            I  I  I              P  P  P               I                I
BNNDL        SI, IBI        I  I  I              P  P  P               I                I

P = proven, I = implied, A = attacked; – marks a cell with no entry on the slide (the It. Root and Beth rows carry fewer entries than columns, and their placement here follows the column order). The slide also colour-codes each entry as a known result or a new contribution; that colouring is not recoverable from the text.