320 likes | 505 Views
The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures. Tal Malkin (Columbia Univ.) Satoshi Obana (NEC and Columbia Univ.) Moti Yung (Columbia Univ.). Outline of the Talk. Brief Overview of Key Evolving Signatures Forward-Secure Signatures (FS)
E N D
The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures Tal Malkin (Columbia Univ.) Satoshi Obana (NEC and Columbia Univ.) Moti Yung (Columbia Univ.)
Outline of the Talk • Brief Overview of Key Evolving Signatures • Forward-Secure Signatures (FS) • Key-Insulated Signatures (KI) • Intrusion-Resilient Signatures (IR) • Security Hierarchy of Key Evolving Sigs. IR KI FS • Formal Definition of Proxy Signatures • Characterization of Proxy Signatures Proxy KI
Key Evolving Signatures • Localize damage of secret key exposure • Splitting time into periods: 0,1,…,T • Updating secret (signing) key for each period without changing public (verification) key • Several models exist (for different settings and different security goals) • Forward-Secure Signatures (FS) [And97,BM99] • Key-Insulated Signatures (KI) [DKXY02] • Intrusion-Resilient Signatures (IR) [IR02]
Forward-Secure Signatures 1k,T SK0 SKj PK M SKj SKj-1 Accept Reject <j,sig> Gen Signer SKj-1 Upd Sign Vrfy
Security of FS Signature • The adversary has access to • The signing oracleOsig(M,i) outputs the valid signature for the message M in the time period i • The key exposure oracleOsec(“s”, j) outputs the secret key SKj of the time period j • The adversary successfully breaks the scheme if it outputs (M,<i,s>) s.t. • (M,i) is never queried to the signing oracle • (“s”,i’) is never queried to the key exposure oracle such that i’< i
Key-Insulated Signatures 1k,T SK* SKj SK0 PK i, j SKj M SKi <j,sig> SK’i,j Gen KI possesses random access key capability Securely protected Base Signer SKi Vrfy Upd* Upd Sign
Security of KI Signature • The adversary has access to • The signing oracleOsig(M,i) outputs the valid signature for the message M in the time period i • The key exposure oracleOsec(“s”, j) outputs the secret key SKj of the time period j • The adversary successfully breaks the scheme if it outputs (M,<i,s>) s.t. • (M,i) is never queried to the signing oracle • (“s”,i) is never queried to the key exposure oracle
Intrusion-Resilient Signatures 1k,T PK SKB(j-1).r SKBj.r SKBj.r SKBj.0 SKB0.0 SKBj.(r+1) SKS(j-1).r SKSj.r SKSj.(r+1) SKSj.r SKSj.0 SKS0.0 M SKSj.(r+1) SKBj.0 SKBj.(r+1) SKSj.r <j,sig> SKBj.r SKRj.r SKS(j-1).r SKSj.0 SKB(j-1).r SKUj-1 NOT protected Gen Base Signer Vrfy Sign Refr* Refr Upd* Upd
Security of IR Signature • The adversary has access to • The signing oracleOsig(M,i.r) outputs Sign(SKSi,r, M) • The key exposure oracleOsec(query) outputs • SKSj,rif query=(“s”, j.r) • SKBj.rif query=(“b”, j.r) • SKUj and SKRj+1.0 if query=(“u”, j) • SKRj.rif query=(“r”, j.r) • The adversary successfully breaks the scheme if it outputs (M,<i,s>) s.t. • (M,i) is never queried to the signing oracle • SKSi,r is not exposed by the oracle calls • No SKSi’.r’and SKBi’.r’ are exposed by the oracle calls for any i’<i
Question: Security hierarchy exists among these models! IR KI FS Further, all the security reductions are tight (via concrete security analysis) Are there any relations among these “similar” models? Answer: Yes!
Theorem (IR KI) We can construct KI from IR in such a way that if there exists adversary which breaks KI (constructed from IR) then we can construct adversary which breaks IR where • : running time of the adversary • : success probability of the adversary • : number of queries to signing oracle • : number of queries to key exposure oracle
Constructing KI from IR (Gen) 1k SKB0.0 SKS0.0 PK SK*=<SKB0.1,SKS0.1> SK0=SKS0.1 PK=PK(IR) Gen Gen(IR) 1k Refr*(IR) Refr(IR) Base Signer Vrfy Upd* Upd Sign
Constructing KI from IR (Upd*) i, j SKB0.1 SKB1.0 SKB1.1 SKS0.1 SKS1.0 SKS1.1 SK’i,j =SKSj.1 Random access to the key can be achieved Base SK*=<SKB0.1,SKS0.1> Signer Upd* SKi Upd*(IR) Upd(IR) SKBj.1 SKBj.0 SKB3.1 SKB3.0 SKB2.1 SKB2.0 SKSj.1 SKSj.0 SKS3.1 SKS2.1 SKS2.0 SKS3.0 Upd Sign Refr*(IR) Refr(IR)
Constructing KI from IR (cont’d) SKj=SKSj.1 M SK’i,j =SKSj.1 Accept Reject Signer SKi=SKSi.1 PK=PK(IR) Base SK* Upd Sign Vrfy Upd Vrfy(IR) Sign(IR)
Constructing Oracles Oracles for KI can be also constructed from oracles for IR as follows • Osig(M, j) = Osig(M, j.1) • Osec(“s”, j) = Osec(“s”, j.1) It is easy to see if the adversary successfully breaks KI then the adversary also breaks IR with the same output.
Other relations • KI IR: IR can be constructed from KI by sharing signer keys of KI between the signer and the base of IR • IR FS: Straightforward (All the algorithms of the signer and the base are put into the signer of FS) • Both reductions are tight (in the sense of no security loss in the reductions)
Proxy Signatures • Method of giving (partial) signing right of an entity (delegator) to the others (proxy signer) • A lot of schemes have been proposed so far but a few of them are proven to be secure • No formal model exists (except [BPW03] which gives a formal model for one-level delegation)
Our Results on Proxy Signatures • Formal model for “fully hierarchical” proxy signature (based on [BPW03]) • Characterization of proxy signatures via key evolving signature: Proxy KI
Model of Proxy Signatures 1k w W SKD PKD SKP PKP SKPD>P M M sig ps accept reject accept reject Gen Delegator Proxy Signer DlgP PSig DlgD Sign Vrfy PVrf
Multi-Level Delegation SKPI>D>P WI>D>P wD>P WI>D SKPI>D PK If the delegator wants to delegate the signing right which she is delegated from others Delegator Proxy Signer SKP PKP DlgP PSig DlgD
Self Delegation If the delegator wants to delegate the signing right to herself (possibly to an insecure device) Secret key of the delegator is not inputted in the case of self delegation Delegator Proxy Signer wD>P SKD PKD SKD PKD DlgP DlgD
Security def. of Proxy Signatures The adversary has access to • Signing OracleOsig • Key exposure OracleOsec • Delegation OracleODlg interacts with the adversary on behalf of DlgD or DlgP Proxy signature is secure if the adversary cannot forge a proxy signature(non-proxy signature) when the adversary cannot compute the proxy signing key and the warrant(signing key) through the queries to the oracles
Proxy Sigs. and Key Evolving Sigs. Some similarities exist • Localize the damage of key exposure • Prevent non-delegated users (who knows its signing key) from forging the proxy signature • Key is evolved for “each time period” • Proxy signing key is generated for “each delegation” Characterization of Proxy Signatures via Key Evolving Signatures (Equivalence between KI and Proxy)
Theorem (Proxy KI) We can construct KI from Proxy in such a way that if there exists adversary which breaks KI (constructed from Proxy) then we can construct adversary which breaks Proxy s.t. where • : running time of the adversary • : success probability of the adversary • : number of queries to oracle A
Theorem (KI Proxy) We can construct Proxy (with n delegator and the number of self delegation is limited to c) from KI in such a way that if there exists adversary which breaks Proxy (constructed from KI) then we can construct adversary which breaks KI s.t.
Conclusion • Security Hierarchy of Key Evolving Signatures. IR KI FS • Formal Definition of Fully Hierarchical Proxy Signatures • Characterization of Proxy Signatures Proxy KI