1 / 35

An Efficient Strong Key-Insulated Signature Scheme and Its Application

An Efficient Strong Key-Insulated Signature Scheme and Its Application. 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake 1 , Goichiro Hanaoka 2 , and Kazuto Ogawa 1 1 Japan Broadcasting Corporation

kiora
Download Presentation

An Efficient Strong Key-Insulated Signature Scheme and Its Application

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An Efficient Strong Key-Insulated Signature Scheme and Its Application 5th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake1, Goichiro Hanaoka2, and Kazuto Ogawa1 1Japan Broadcasting Corporation 2National Institute of Advanced Industrial Science and Technology

  2. Motivation

  3. Background • “Key exposure” is a critical problem !! • Even if a “secure” signature scheme is used, key leakage results in impersonation of the user. more critical for bidirectional broadcasting services!!

  4. Smart card Signed Request Personal information Bidirectional broadcasting service • e.g. TV shopping, Quiz program, etc. Broadcaster User network Signing key Verification key Service property: Real-time service

  5. Smart card Key update Signed Request Signed Request Personal information Personal information key leakage Critical damage !! Adversary Problem for signing key leakage Broadcaster User network Signing key Verification key Broadcaster =

  6. CA CRL CRL CRL CRL Smart card Smart card Smart card Smart card Broadcaster Heavy load !! Real-time service cannot be offered !! Problem for key update in bidirectional broadcasting service • PKI cannot be applied directly. User 1 Verification key User 2 Verification key network User 3 Signing key Verification key Verification key ・・・ update User n Verification key

  7. No redistribution of verification key !! Smart card Smart card Smart card Smart card No CRL!! Broadcaster Solution • Strong key-insulated signature (KIS) scheme User 1 Verification key User 2 update network Verification key User 3 Signing key Verification key ・・・ Verification key does NOT have to be updated. User n Verification key

  8. Our target Design an efficientstrong KIS scheme with a significantly short signature size Motivation • In bidirectional broadcasting service, … • Signature size is required as short as possible • Multiple copies of signed message are individually transmitted to users. • Conventional strong KIS scheme not efficient !!

  9. Related works

  10. secure against signing key leakage Adversary + signature with time stamp message Key-insulated signature (KIS) scheme • Proposed by Dodis, Katz, Xu, Yung in 2003 [DKXY03] master key time stamp reject secure device verify signature partial key Signer Verifier old signing key verification key update signing key [DKXY03] Y. Dodis, J. Katz, S. Xu, and M. Yung : “Strong Key-Insulated Signature Schemes,'‘ Proc. of PKC’03. (2003)

  11. secure against signing key leakage or master key leakage Adversary + signature with time stamp message Strong KIS scheme • Proposed by Dodis, Katz, Xu, Yung in 2003 [DKXY03] master key reject time stamp secure device reject verify signature partial key Signer Verifier old signing key update signing key verification key [DKXY03] Y. Dodis, J. Katz, S. Xu, and M. Yung : “Strong Key-Insulated Signature Schemes,'‘ Proc. of PKC’03. (2003)

  12. Our contribution

  13. Performance CB scheme: Certificate-based strong KIS scheme using the Schnorr signatures GQ scheme: strong KIS scheme based on the Guillou-Quisquater signature

  14. Security • Our strong KIS scheme is secure • We achieved the same level of security as conventional strong KIS schemes. master key leakage Adversary valid or Signer signing key leakage

  15. Our construction

  16. Constructing an efficient strong KIS scheme from the Abe-Okamoto scheme is not a trivial exercise. Basic concept of our KIS scheme • Efficientstrong KIS scheme • By extending Abe-Okamoto proxy signature scheme [AO02] • Efficient proxy signature scheme in terms of verification cost and communication cost [AO02] M.Abe and T.Okamoto : “Delegation Chains Secure up to Constant Length,'‘ IEICE Trans. (2002)

  17. We must construct a scheme without the above conversions. Why is it not a trivial exercise? (1) • Extend the KIS scheme to a strongKIS scheme without increasing the signature size. • Conversion of proxy signature scheme to KIS scheme • Proposed by Malkin, Obana, Yung in 2004. [MOY04] • The resulting KIS scheme is not a strongKIS scheme. • Conversion of (standard) KIS scheme to strong KIS scheme • Proposed by Dodis, Katz, Xu, Yung in 2003. [DKXY03] • Employs double signing: a signature with the master key and a signature with the signer’s secret key not efficient [MOY04] T. Malkin, S. Obana, and M. Yung : “The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures,'‘ Proc. of Eurocrypt’04,. (2004)

  18. We must address adaptive security with a formal security proof from scratch. Why is it not a trivial exercise? (2) • Extend the Abe-Okamoto scheme to a KIS scheme that provides adaptive security • Not taken into consideration in the security definition of [AO02]

  19. Our proposed KIS scheme (1) • Gen: key generation algorithm essential secret info. Signer Secure device master key: verification key:

  20. time stamp Verifying partial key partial key master key ? Our proposed KIS scheme (2) • Upd*: partial key generation algorithm • Upd: key-update algorithm Signer Secure device Upd* Upd signing key for a time period T

  21. time stamp ? signing key Verifying signature verification key Our proposed KIS scheme (3) • Sign: signing algorithm • Vrfy: verifying algorithm Verifier Signer Sign Vrfy

  22. Remarkable properties of our scheme • A signer can update their signing key without updating verification key. • The signature size of our scheme is significantly short : 480 bits

  23. Another feature of our scheme • Partial key verification • The signercan verify whether the partial keytransmitted from the secure device is valid. • If the secure device storing the master key is completely reliable, … • Partial key verification is unnecessary during the signing key update. • One of the verification keys can be , instead of and . Verification key size can be reduced by half.

  24. Security Analysis

  25. Basic concept of Security definition (1) • KIS scheme Broadcaster Adversary signing key valid

  26. Basic concept of Security definition (2) • Strong KIS scheme Broadcaster Adversary master key valid

  27. Security definition of KIS scheme Success probability of signature forgery Key exposure oracle k: security parameter N: total number of time periods Adversary A Random oracle Security definition of KIS scheme A is allowed to submit a query to the key exposure oracle up to ttimes. If is negligible, is (t,N)-key-insulated. If is (N-1,N)-key-insulated, is perfectly key-insulated. Forged signature Signing oracle

  28. Security definition of strong KIS scheme Success probability of signature forgery master key k: security parameter N: total number of time periods Adversary B Random oracle Security definition of strong KIS scheme If is negligible, is strong (t,N)-key-insulated. If is strong (N-1,N)-key-insulated, is perfectly strong key-insulated. Forged signature Signing oracle

  29. Our scheme is strong key-insulated under DL assumption Overview of security proof • Step1: modified Schnorr signature scheme EUF-ACMAsecure underDL assumption • Step2: our scheme key-insulated if the modified Schnorr signature scheme isEUF-ACMA secure. • Step3: our scheme strong key-insulated if our scheme is key-insulated.

  30. Application

  31. Broadcaster User Bidirectional content distribution system(proposed by Ohtake, Hanaoka, Ogawa in 2006) Content server Generate master key verification key initial signing key Terminal Create signature Network Personal information management server Key management server Smart card master key Verify signature Update signing key Generate partial key Our KIS scheme can be applicable.

  32. Broadcaster User Efficient signing - Signature size: 480 bits - Reduce the network cost for transmitting signed messages x’ master key x0 Reduced damage due to master key leakage - Even if the master key x0 is leaked, the signing key cannot be updated without x’. Improved system based on our scheme Content server Terminal Key management server Personal information management server network Smart card PK Efficient verification - Verification key size: 160 bits - Suitable for a smart card

  33. Summary

  34. The most suitable signature scheme for bidirectional broadcasting services Summary • Efficient strong KIS scheme • Significantly short signature size: 480 bits • Provably secure under DL assumption

  35. Thank you for your attention !!

More Related