Katholieke Universiteit Leuven, Faculteit Toegepaste Wetenschappen, Departement Computerwetenschappen
Provably Secure Identity-Based Identification Schemes and Transitive Signatures
ir. Gregory Neven
Advisors: Prof. Dr. ir. Frank Piessens, Prof. Dr. ir. Bart De Decker
Overview
• Introduction: Provable security
• Identity-based identification schemes (joint work with Mihir Bellare and Chanathip Namprempre)
  • Concept
  • Framework of transforms
  • Summary of results
• Transitive signatures (joint work with Mihir Bellare)
  • Concept
  • Node certification technique
  • Summary of results
• Conclusion
Standard digital signatures (SS) (Diffie-Hellman, 1976)
Cryptography = study of mathematical techniques for information security
• Kg(1^k) → (pk, sk): the signer keeps sk, the verifier gets pk
• Sign(sk, M) → σ
• Vf(pk, M, σ) → acc/rej
Standard identification (SI) schemes
• Kg(1^k) → (pk, sk): the prover P holds sk, the verifier V holds pk
• P and V run an interactive protocol, after which V outputs acc/rej
Provable security
• Until the 1980s: ad-hoc design, “secure until proven insecure”
• More recently: provable security [GMR88]
  • Step 1: security notion: the meaning of “security” of the scheme
  • Step 2: security proof: the only way to break the scheme is by
    • solving a supposedly hard mathematical problem, or
    • breaking the underlying cryptographic building block
• From theoreticians’ toy to industry-relevant property
Step 1: Security notion
• Desirable properties of a signature scheme:
  • infeasible to compute sk from pk
  • unforgeability
    • on messages chosen by the adversary
    • even after seeing many valid signatures
• Game: the forger F gets pk and a signing oracle Sign(sk,·); F submits messages M_i and receives signatures σ_i; F wins by outputting (M, σ) such that Vf(pk, M, σ) = acc, for a message M it did not query
• Security (uf-cma) = no “reasonable” algorithm has a non-negligible probability of winning the game
Step 2: Security proof
By contradiction: suppose such an algorithm F exists. Then a “reasonable” algorithm A exists that runs F as a subroutine (A supplies pk and answers F's signing queries M_i with σ_i) and
• solves a supposedly hard mathematical problem (A receives an instance of the hard problem and outputs a solution), or
• breaks the underlying cryptographic building block
Mathematically hard problems
• Factoring: given N = pq where p, q are large primes, find p, q
• RSA: given N = pq where p, q are large primes, e with gcd(e, φ(N)) = 1 where φ(N) = (p-1)(q-1), and y ∈ Z_N^*, find x such that x^e = y mod N
• Discrete logarithms: given a large prime p, a generator g of Z_p^*, and y ∈ Z_p^*, find x such that g^x = y mod p (also in subgroups of Z_p^* and on elliptic curves)
Random oracle model
• Cryptographic hash function H: {0,1}^* → {0,1}^k
  • one-wayness: given y, finding x such that H(x) = y is hard
  • collision-resistance: finding x1 ≠ x2 such that H(x1) = H(x2) is hard
• Random oracle model [BR93b]: H behaves as an unpredictable, truly random function
  – unsatisfiable assumption
  – no longer a proof, only a (good) heuristic
  – counterexamples known [CGH98, Nie02, GK03, BBP04]
  + “provable” security for practical schemes
  + counterexamples mostly contrived
  + a proof in the RO model is preferable over ad-hoc design
Identity-based signatures (IBS) (Shamir, 1984)
Idea: the public key is the identity string itself (“Alice”); the question is where the matching secret key comes from. It is derived from a master secret key:
• MKg(1^k) → (mpk, msk)
• UKg(msk, “Alice”) → usk_A (the user key for identity “Alice”)
• Sign(usk_A, M) → σ
• Vf(mpk, “Alice”, M, σ) → acc/rej
Identity-based identification (IBI) (Shamir, 1984)
• MKg(1^k) → (mpk, msk)
• UKg(msk, “Alice”) → usk_A
• The prover P holds usk_A; the verifier V holds mpk and “Alice”; they interact and V outputs acc/rej
State of the area prior to this work
• IBI schemes
  • many proposed [FS86, Bet88, GQ89, Gir90, Oka93]
  • no appropriate security notion
  • proofs under a non-ID-based notion or entirely lacking
• IBS schemes
  • many proposed [Sha84, FS86, GQ89, SOK00, Pat02, CC03, Hes03, Yi03]
  • good security definition [CC03]
  • general transform from “trapdoor” SS to IBS [DKXY03]
  • some gaps remain
Our contributions
• Security definitions for IBI schemes
• Framework of security-preserving transforms between SI, IBI, SS and IBS
• Security proofs for 12 scheme “families”
  • by implication through the transforms
  • by surfacing and proving previously unanalyzed SI schemes
  • by proving as IBI schemes directly (exceptions)
• Attack on 1 scheme family
Security of IBS and IBI schemes
• IBS schemes: uf-cma security [CC03]
• IBI schemes: imp-pa, imp-aa, imp-ca security
  • Learning phase: Initialize and Corrupt oracles; the adversary sees conversation transcripts (pa), or interacts with provers sequentially (aa) or in parallel (ca)
  • Attack phase: impersonate an uncorrupted identity ID_break of the adversary’s choice; the oracles are blocked for ID = ID_break
• IBS game: the forger F gets mpk and the oracles Initialize(ID), Corrupt(ID) → usk_ID and Sign(usk_ID,·), which on (M, ID) returns σ; F wins by outputting a forgery (ID, M, σ)
The framework
• SI to SS: fs-I-2-S, “canonical” SI → SS [FS86]
  Theorem: SI is imp-pa secure ⇒ SS = fs-I-2-S(SI) is uf-cma secure in the random oracle model [AABN02]
• SI to IBI: cSI-2-IBI, “convertible” SI → IBI
  Theorem: SI is imp-xx secure ⇒ IBI = cSI-2-IBI(SI) is imp-xx secure in the random oracle model
• SS to IBS: cSS-2-IBS, “convertible” SS → IBS, a generalization of [DKXY03]
  Theorem: SS is uf-cma secure ⇒ IBS = cSS-2-IBS(SS) is uf-cma secure in the random oracle model
• IBI to IBS: fs-I-2-S, “canonical converted” IBI → IBS
  cSS-2-IBS(fs-I-2-S(SI)) = fs-I-2-S(cSI-2-IBI(SI)), but this is not security-preserving for all IBI
• IBI to IBS: efs-IBI-2-IBS, “canonical” IBI → IBS
  Theorem: IBI is imp-pa secure ⇒ IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the random oracle model
Diagram: SI → SS via fs-I-2-S; SI → IBI via cSI-2-IBI; SS → IBS via cSS-2-IBS; IBI → IBS via fs-I-2-S or efs-IBI-2-IBS
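As an added example (not the thesis's own code), the GQ scheme written as a canonical SI scheme and the fs-I-2-S transform applied to it: the signature is the prover's transcript with the challenge computed as a hash of the commitment and the message. The RSA modulus below is constructed from two small known primes for illustration only; the function names are mine.

```python
# Added example, not the thesis's own code: GQ as a canonical SI scheme
# (commitment R, challenge c, response s) and the fs-I-2-S transform, which
# replaces the verifier's random challenge by H(R, M) to obtain a signature.
import hashlib
import secrets

N = 999983 * 1000003   # constructed toy modulus from two known primes; real use >= 2048 bits
E = 65537              # public exponent; gcd(E, phi(N)) = 1 for these primes;
                       # challenges are taken in Z_E (c < E), as in GQ

def kg():
    """Kg(1^k): secret x in Z_N^*, public X = x^E mod N (N and E are shared parameters)."""
    x = secrets.randbelow(N - 2) + 2
    return pow(x, E, N), x

def commit():
    """Prover, move 1: choose r at random and send the commitment R = r^E mod N."""
    r = secrets.randbelow(N - 2) + 2
    return pow(r, E, N), r

def respond(x, r, c):
    """Prover, move 3: s = r * x^c mod N."""
    return r * pow(x, c, N) % N

def check(X, R, c, s):
    """Verifier: accept iff s^E == R * X^c mod N (since (r x^c)^E = r^E (x^E)^c)."""
    return pow(s, E, N) == R * pow(X, c, N) % N

def run_si(X, x):
    """One run of the interactive SI protocol; the verifier picks c at random."""
    R, r = commit()
    c = secrets.randbelow(E)
    return check(X, R, c, respond(x, r, c))

def fs_challenge(R, msg):
    """fs-I-2-S: derive the challenge from commitment and message (H modelled as a random oracle)."""
    h = hashlib.sha256(R.to_bytes(8, "big") + msg).digest()
    return int.from_bytes(h, "big") % E

def sign(x, msg):
    """Sign(sk, M): the signer plays the prover against the hashed challenge."""
    R, r = commit()
    return R, respond(x, r, fs_challenge(R, msg))

def verify(X, msg, sig):
    """Vf(pk, M, sigma): recompute the challenge and apply the SI verifier's check."""
    R, s = sig
    return check(X, R, fs_challenge(R, msg), s)
```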
Results for concrete schemes
Name         Origin        SI           IBI          SS       IBS
                           pa  aa  ca   pa  aa  ca   uf-cma   uf-cma
Fiat-Shamir  IBI, IBS      P   P   P    I   I   I    I        I
It. Root     SI, SS        P   P   ?    I   I   ?    I        I
FF           SI, SS        P   P   P    I   I   I    I        I
GQ           IBI, IBS      P   P   P    I   I   I    I        I
OkRSA        SI, IBI, SS   P   P   P    I   I   I    I        I
Shamir       IBS           P   A   A    I   A   A    I        I
Shamir*      SI            P   P   P    I   I   I    I        I
Girault      SI, IBI       A   A   A    A   A   A    A        A
SOK          IBS           P   A   A    I   A   A    I        I
Hess         IBS           P   P   P    I   I   I    P        I
Cha-Cheon    IBS           P   P   P    I   I   I    I        P
Beth         IBI           P   ?   ?    I   ?   ?    I        I
OkDL         IBI           I   I   I    P   P   P    I        I
BNNDL        SI, IBI       I   I   I    P   P   P    I        I
P = proved, I = implied, A = attacked, ? = open problem (the original slide also highlights which entries are new contributions)
Transitive signatures (Micali-Rivest, 2002)
• TKg(1^k) → (tpk, tsk)
• The message is a pair of nodes i, j; signing i, j = creating and authenticating the edge {i, j}: TSign(tsk, i, j) → σ_{i,j}
• TVf(tpk, i, j, σ'_{i,j}) → acc/rej
• An authenticated graph grows with time (example: nodes 1 to 5 with signed edges σ_{1,2}, σ_{2,3}, σ_{4,5})
Transitive signatures: composition
• Additional composition algorithm: Comp(tpk, i, j, k, σ_{i,j}, σ_{j,k}) → σ_{i,k}
• The authenticated graph is the transitive closure of the directly signed edges (example: σ_{1,3} is composed from σ_{1,2} and σ_{2,3}, while edge {4,5} stays separate)
Security of transitive signatures
• The standard uf-cma security definition doesn’t apply: composition allows some extent of forgery
• New security goal [MR02b]:
  • computationally infeasible to forge signatures on edges not in the transitive closure of the edges signed directly by the signer
  • even under a “chosen-edge” attack
• Game: the forger F gets tpk and the oracle TSign(tsk,·,·); queries (1,2), (2,3), (4,5) return σ_{1,2}, σ_{2,3}, σ_{4,5}; F wins by outputting a signature on an edge outside the closure, e.g. ({1,4}, σ_{1,4})
Node certification technique
For each node i, the signer:
• chooses a secret label x_i
• computes a public label y_i = f(x_i)
• creates a node certificate on (i, y_i)
Signature on edge {1,2}: σ_{1,2} = (cert(1, y_1), cert(2, y_2), δ_{1,2}) where δ_{1,2} = g(x_1, x_2)
Verification of σ_{1,2} = (cert(1, y_1), cert(2, y_2), δ_{1,2}):
• check the validity of the node certificates
• compare δ_{1,2} to y_1, y_2
Composition of σ_{1,2} and σ_{2,3}: σ_{1,3} = (cert(1, y_1), cert(3, y_3), δ_{1,3}) where δ_{1,3} = h(δ_{1,2}, δ_{2,3})
Eliminating node certificates
For each node i, the signer:
• computes the public label y_i = H(i)
• computes the secret label x_i = f^{-1}(y_i) (using trapdoor information)
Signature: σ_{1,2} = δ_{1,2} = g(x_1, x_2)
Verification of σ_{1,2} = δ_{1,2}: compare δ_{1,2} to H(1), H(2)
Composition of σ_{1,2} and σ_{2,3}: σ_{1,3} = δ_{1,3} = h(δ_{1,2}, δ_{2,3})
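As an added example (not the thesis's own code) covering both the node certification technique and its certificate-free variant above, here is a toy instantiation in the RSA setting with f(x) = x^e mod N, g(x_i, x_j) = x_i · x_j^{-1} mod N and h(δ, δ') = δ · δ' mod N; the choice of f, g, h is mine and is assumed to mirror the RSA-based RSAH-TS scheme, and the modulus is built from two small known primes. The same g and h would serve the certificate-based version, with (i, y_i) signed under an SS key instead of y_i = H(i).

```python
# Added example, not the thesis's own code: the certificate-free transitive
# signature, instantiated in the RSA setting with f(x) = x^E mod N,
# g(x_i, x_j) = x_i * x_j^-1 mod N and h(d, d') = d * d' mod N (my choice of
# f, g, h, assumed to mirror RSAH-TS). Toy modulus from two known small primes.
import hashlib
from math import gcd

P_TOY, Q_TOY = 999983, 1000003               # constructed toy primes; real use >= 1024 bits each
N = P_TOY * Q_TOY                            # tpk = (N, E); tsk = D
E = 65537                                    # gcd(E, phi(N)) = 1 for these primes
D = pow(E, -1, (P_TOY - 1) * (Q_TOY - 1))    # trapdoor: computes E-th roots mod N

def public_label(node: int) -> int:
    """y_i = H(i): hash the node id into Z_N^* (retry on a non-unit); no certificate needed."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{node}|{ctr}".encode()).digest()
        y = int.from_bytes(digest, "big") % N
        if y != 0 and gcd(y, N) == 1:
            return y
        ctr += 1

def tsign(i: int, j: int) -> int:
    """TSign(tsk, i, j): x_i = f^-1(H(i)) via the trapdoor; delta_{i,j} = g(x_i, x_j)."""
    x_i = pow(public_label(i), D, N)
    x_j = pow(public_label(j), D, N)
    return x_i * pow(x_j, -1, N) % N

def tvf(i: int, j: int, delta: int) -> bool:
    """TVf(tpk, i, j, delta): f(delta) must equal H(i) / H(j); uses only the public (N, E)."""
    return pow(delta, E, N) == public_label(i) * pow(public_label(j), -1, N) % N

def comp(delta_ij: int, delta_jk: int) -> int:
    """Comp: h(delta_{i,j}, delta_{j,k}) = delta_{i,k}, computable by anyone from tpk."""
    return delta_ij * delta_jk % N

def reverse(delta_ij: int) -> int:
    """Edges are undirected: delta_{j,i} = delta_{i,j}^-1."""
    return pow(delta_ij, -1, N)

if __name__ == "__main__":
    s12, s23, s45 = tsign(1, 2), tsign(2, 3), tsign(4, 5)   # the signer's chosen edges
    s13 = comp(s12, s23)                                     # {1,3} lies in the closure
    print(tvf(1, 3, s13), tvf(1, 4, comp(s13, s45)))         # True False: no path 1 -> 4
```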
Scheme contributions
Scheme    Security assumptions                                 Random oracle?  Signature length
Trivial   Security of SS scheme                                No              O(|path|)
DL-TS     Security of SS scheme, discrete logarithms           No              4416 bits (SDL), 2708 bits (EC)
RSA-TS    Security of SS scheme, one-more RSA                  No              5120 bits
Fact-TS   Security of SS scheme, factoring                     No              5120 bits
DL1m-TS   Security of SS scheme, one-more discrete logarithms  No              4256 bits (SDL), 2548 bits (EC)
Gap-TS    Security of SS scheme, one-more Gap-DH               No              2558 bits
RSAH-TS   One-more RSA                                         Yes             1024 bits
FactH-TS  Factoring                                            Yes             1024 bits
GapH-TS   One-more Gap-DH                                      Yes             170 bits
SDL = subgroup discrete log, EC = elliptic curve (the original slide also highlights which schemes are new contributions)
Summary of contributions
• Identity-based identification and signature schemes
  • Security notion for IBI schemes
  • Framework of security-preserving transforms
  • Proofs for 12 scheme families, attack for 1 family
  • Direct proofs as IBI schemes for 2 families
• Transitive signature schemes
  • Security proof for the RSA-TS scheme
  • New provably secure schemes based on factoring, discrete logarithms and Gap-DH groups
  • Hash-based technique to eliminate node certificates
Open problems
• Open problems in the proofs for IBI/IBS schemes
• Tighter bounds for IBI/IBS schemes through direct proofs
• Provably secure identity-based cryptography without random oracles [BB04]
• Directed transitive signatures
• Signature scheme such that Sign(sk1, pk2), Sign(sk2, M) → Sign(sk1, M), to compress certificate chains