270 likes | 409 Views
An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model. (Multimedia University) Ji-Jian Chin Swee-Huay Heng Bok-Min Goi. Contents. 1. Introduction.
E N D
An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model (Multimedia University) Ji-Jian Chin Swee-Huay Heng Bok-Min Goi
1. Introduction An identification scheme enables one party to identify itself securely to another party authentically and without repudiation. ID-based cryptography – user generates own public key using an identity string. ID-based cryptography does away with certificates binding the public key to the private key, as opposed to traditional public key infrastructure systems.
1. Introduction Why Passwords Aren’t Enough? If I can guess/know your password, I can impersonate you. (Easy to guess: keyloggers, peek into your password database, sticky notes with passwords in your office, steal from your hand phone etc) Why IBI and SI can overcome this? Challenge-response identification. Zero-knowledge of secret key involved.
1. Introduction IBI fundamental paper proposed by Fiat and Shamir in 1984. Rigorous definition and security proofs only formalized in 2004 - Kurosawa and Heng - Bellare, Namprempre and Neven Schemes’ mostly have provable security based on the random oracle model Schemes’ with provable security in the standard model are not very efficient and few in number History of IBI
1. Introduction first introduced by Bellare and Rogaway in 1993. The Random Oracle The Random Oracle I answer anybody’s queries with totally random and uniformly distributed answers I’ve seen this New query before query Give new random answer, and save query for next time query Existing answer
1. Introduction Disadvantages of RO: - heuristic in nature - Canetti et al. showed certain schemes secure in the random oracle model is insecure once implemented - idealistic: doesn’t exist in real world Conclusion - scheme secure in ROM better than no proof at all - best to prove in standard model The Random Oracle
1. Introduction Kurosawa and Heng proposed the first 2 IBI schemes in the standard model in 2005. Kurosawa and Heng used a trapdoor commitment scheme and a digital signature scheme to construct another IBI scheme in the standard model in 2006. Yang et al. proposed a general framework to construct IBI schemes in the random oracle model in 2007. Recent Developments
2. Preliminaries a) Bilinearity. e(ga,gb)=e(g,g)ab b) Non-degeneracy. e(g,g) ≠1 c) Efficiently computable. Bilinear Pairings
a) Security against Passive Attacks: Computational Diffie-Hellman problem (CDHP) - Find gab given g and ga ,gb b) Security against Active/Concurrent Attacks: One-More Computational Diffie-Hellman Problem (OMCDHP) - Adversary is given a challenge oracle and a CDH oracle. Adversary queries random challenge point from challenge oracle and obtains solution by querying the CDH oracle. Adversary wins the game if at the end the number of queries to the solution oracle is strictly less than the queries to the challenge oracle. 2. Preliminaries Security Assumptions
3. Formal Definitions For IBI IBI=(S,E,P,V) - 4 probabilistic, polynomial-time algorithms Definition of IBI The Canonical Three Move Protocol input param mpk, usk, ID mpk, ID Setup(S) Prover(P) (Prove that I know usk) Verifier(V) Accept only if you Know usk mpk, msk CMT ID Extract(E) CHA RSP usk
3. Formal Definition of IBI Goal of adversary towards IBI - impersonation. Considered successful if: - Interact with verifier as prover with public ID - Accepted by verifier with non-negligible probability Stronger assumptions of IBI vs SI: 1. The adversary can choose a target identity ID to impersonate as opposed to a random public key. 2. IBI has access to extract oracle -> the adversary can possess private keys of some users which she has chosen. Security Model for IBI
3. Formal Definition for IBI Passive attacks (imp-pa) Eavesdrop Active attacks (imp-aa) Interacts with provers as a cheating verifier Concurrent attacks (imp-ca) Interacts with provers as a cheating verifier concurrently. Security Model for IBI
3. Formal Definition for IBI The impersonation attack between the impersonator I, and challenger C is described in a two phase game. Phase 1: I either extracts transcript queries for imp-pa or acts as a cheating verifier in imp-aa and imp-ca. Phase 2: I plays the cheating prover it picks to convince the verifier. Security Model for IBI
3. Formal Definition for IBI Security Model for IBI An IBI scheme is (t,qI,ε)- secure against imp-pa/imp-aa/imp-ca if for any I who runs in time t, Pr(I can impersonate)<ε, where I can make at most qI queries.
4. Construction Construction of IBI scheme based on the Waters Signature Scheme Let and be finite cyclic groups or order and let be a generator of . Let be an efficiently computed bilinear map. Use a collision-resistant hash function to hash identities to an arbitrary length to a bit string of length .
4. Construction Setup Select an n-length vector
4. Construction Extract ID:hashed user identity string of length n Let:ith-bit of ID Let be the set of all i where di=1
4. Construction Prove and Verify
4. Construction Correctness
5. Security Analysis Security against Passive Attacks Theorem 1: The proposed IBI scheme is (t,qI,ε)-secure against impersonation under passive attacks in the standard model if the CDHP is (t’,ε’)-hard where : time for multiplication in : time for exponentiation in : extract queries made : transcript queries made and
5. Security Analysis Security against Active/Concurrent Attacks Theorem 2: The proposed IBI scheme is (t,qI,ε)-secure against impersonation under active/concurrent attacks in the standard model if the OMCDHP is (t”,qCDH,ε”)-hard where : time for multiplication in : time for exponentiation in : extract queries made : transcript queries made and
5. Security Analysis Efficiency Table 1: Complexity Cost
5. Security Analysis Efficiency Table 2: Comparisons with other IBI
6. Conclusion Merits of Proposed IBI • Direct proof • Provable security against both imp-pa and imp-aa/ca in the standard model. • More efficient than other IBI schemes in standard model.
7. Open Problems More IBI schemes that are efficient and provably secure in the standard model. More IBI Schemes with direct proof to a hard-mathematical problem as opposed to reductions from transformations. An IBI scheme with provable security against imp-aa/ca using a weaker assumption like DLOG or CDH.