Post on 20-Dec-2015

Proactive Secure Mobile Digital Signatures

Work in progress.

Ivan Damgård and Gert Læssøe Mikkelsen, University of Aarhus.

Outline

• Motivation

• Revised Definition of Security

• Protocol Securely Realizing our definition

• Proof of Security

• Proactive Security

Motivation for better security

[Diagram: the message “Hi Bob” sent on its own, and the same message sent together with a signature]

Motivation for mobility

• We want Alice to be able to use any computer.

• No or low trust in the computer used.

• No key material on the computer used.

Definition of Security

• Using the Universal Composability framework

• Ideal world: Definition of the security

• Real world: Our protocol

• Prove, by simulation, an equivalence between the two worlds.

Ideal Functionality for digital signatures

• Ran Canetti [C05]

Intuition behind F_SIG

• The simulator generates the keys.

– This makes F_SIG general and not tied to specific algorithms.

• F_SIG acts like a storage:

– Signing: messages get recorded.

– Verification: if the message has been recorded, then it is accepted.

• If the signer (Alice's computer) is corrupted, everything can be verified.

F_M-SIG: Revised Edition of F_SIG

• We want the human user “U” to decide whether a message should be signed, and thereby whether it can be verified.

Idea behind our protocol

1st approach

• Assume that the adversary controls at most one of {MD, T, S}.

• Use RSA signatures.

• Additively secret-share the user's private exponent: d = d1 + d2.

• Assume that keys are set up beforehand.

2nd approach

• Why a 2nd approach:

– We implemented the first one.

– It was a bit slow.

• Assume that the mobile device has limited computational power (no exponentiation).

• We want to give privacy back to the user.

– This one is easy: RSA signatures already use hashing, so just send the hash to the server.

[Protocol diagram] Parties: the user U, the mobile device MD (holds d_MD and the PRF key K), the computer T, and the server S (holds d_S and the PRF key K).

• U enters the message m and the password pwd on T; MD displays m and U confirms with “ok”.

• MD computes the masked share δ_MD = d_MD + F_K(H(m)); the exponentiation σ_MD = H(m)^{δ_MD} mod N is done on T (so MD does no exponentiation).

• S receives σ_MD, H(m) and pwd, and computes σ_S = H(m)^{d_S − F_K(H(m))} mod N.

• σ = σ_MD × σ_S mod N = H(m)^{d_MD + F_K(H(m)) + d_S − F_K(H(m))} mod N = H(m)^{d} mod N
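The two-party signing flow above, written out as an added example in Python. It is not the authors' implementation: it uses a toy RSA key from two Mersenne primes, SHA-256 as H, HMAC-SHA256 keyed with K as F_K, additive sharing of d over the integers, and it places the exponentiation on T while MD only computes the masked share δ_MD (my reading of the “no exponentiation on MD” bullet). The password check at S and all transport are left out. `run_signing` returns checks showing that the combined σ is exactly the plain RSA signature under d, while neither partial signature verifies on its own.

```python
import hashlib
import hmac
import secrets
from math import gcd

# Toy RSA modulus from two Mersenne primes (constructed for this example; far
# too small for real use, but large enough that a SHA-256 value fits mod N).
P_RSA, Q_RSA, E = 2**127 - 1, 2**61 - 1, 65537


def keygen():
    """Return (N, e, d): the user's RSA key, generated before it is split."""
    n, phi = P_RSA * Q_RSA, (P_RSA - 1) * (Q_RSA - 1)
    return n, E, pow(E, -1, phi)        # modular inverse needs Python >= 3.8


def split_key(d, n, rng=None):
    """Additive sharing d = d_MD + d_S over the integers; d_S may be negative."""
    rng = rng or secrets.SystemRandom()
    d_md = rng.randrange(n)
    return d_md, d - d_md


def hash_to_int(m, n):
    """H(m): SHA-256 of the message as an element of Z_N (checked to be a unit)."""
    h = int.from_bytes(hashlib.sha256(m).digest(), "big") % n
    if h == 0 or gcd(h, n) != 1:
        raise ValueError("H(m) is not invertible mod N")
    return h


def prf(k, h):
    """F_K(H(m)): HMAC-SHA256 keyed with the MD/S shared key K, read as an int.
    Its 256-bit output is longer than the 188-bit share d_MD it masks."""
    return int.from_bytes(hmac.new(k, h.to_bytes(32, "big"), "sha256").digest(), "big")


def modpow_signed(base, exp, n):
    """base^exp mod n for a possibly negative exponent (base must be a unit)."""
    return pow(pow(base, -1, n), -exp, n) if exp < 0 else pow(base, exp, n)


def md_mask(d_md, k, h):
    """Mobile device (no exponentiation): delta_MD = d_MD + F_K(H(m))."""
    return d_md + prf(k, h)


def t_exponentiate(h, delta_md, n):
    """Untrusted computer T: sigma_MD = H(m)^delta_MD mod N. T only ever sees
    the masked share, never d_MD itself (assumed placement of this step)."""
    return pow(h, delta_md, n)


def server_sign(d_s, k, h, n):
    """Server S: sigma_S = H(m)^(d_S - F_K(H(m))) mod N, from H(m) only, never m."""
    return modpow_signed(h, d_s - prf(k, h), n)


def combine(sigma_md, sigma_s, n):
    """sigma = sigma_MD * sigma_S mod N; the two F_K(H(m)) terms cancel."""
    return (sigma_md * sigma_s) % n


def verify(sigma, m, n, e):
    """Standard RSA check on the hashed message: sigma^e == H(m) mod N."""
    return pow(sigma, e, n) == hash_to_int(m, n)


def run_signing(m=b"Hi Bob", k=b"constructed MD/S shared key K", rng=None):
    """One full run; returns checks that the combined signature is the plain RSA
    signature under d while neither partial signature verifies on its own."""
    n, e, d = keygen()
    d_md, d_s = split_key(d, n, rng)
    h = hash_to_int(m, n)
    sigma_md = t_exponentiate(h, md_mask(d_md, k, h), n)
    sigma_s = server_sign(d_s, k, h, n)
    sigma = combine(sigma_md, sigma_s, n)
    return {
        "full_ok": verify(sigma, m, n, e),
        "equals_plain_rsa": sigma == pow(h, d, n),
        "md_part_ok": pow(sigma_md, e, n) == h,
        "server_part_ok": pow(sigma_s, e, n) == h,
    }


if __name__ == "__main__":
    print(run_signing())
```

The point to notice is in `md_mask` and `server_sign`: because S subtracts the same F_K(H(m)) that MD added, the mask cancels only when both ends hold K, so T learns nothing usable from δ_MD and S cannot sign without MD's contribution.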

Sketch of security proof

• Reduction R: If an adversary A can break our protocol, then R can use A to break standard RSA signatures.

• Given:

– an RSA oracle O, which provides a public key and will sign messages.

– an adversary A that can break the security of our protocol.

• R produces a signature on a message that was never sent to O.

Sketch of reduction

• Flip a coin c:

– c = 0: Guess that A will corrupt S.

• d_S = random number mod n

• Simulate σ_MD from σ, m and d_S:

– Calculate σ_S

– σ_MD = σ × σ_S^{-1} mod n

– c = 1: Guess that A will corrupt MD or T.

• d_MD = random number mod n

• Simulate σ_S from σ, m and d_MD:

– Calculate δ_MD and σ_MD

– σ_S = σ × σ_MD^{-1} mod n

• If the guess was wrong: “Bad luck”, but only polynomial “bad luck”.

Proactive security

• Corrupted parties can recover.

• Nice property in our protocol.

• Changes to the protocol:

– Assume deletion is possible on MD and S.

– Assume all parties are honest during recovery.

– User U has a Paillier secret key.

– The server S has d encrypted under the Paillier public key.

Proactive security (Sketch)

• Recover the computer T:

– Make a new password pwd.

• Recover MD or S:

– MD and S delete d_MD and d_S.

– S selects a random d_S and uses the homomorphic property of Paillier to make an encryption of a new d_MD.

– Send the encryption of d_MD to MD.
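The share refresh in the recovery step, as an added Python example (not the authors' code). It assumes a toy Paillier key for U built from two Mersenne primes, the same constructed RSA exponent d as the signing example, that S picks the new d_S as a random 188-bit integer, and a signed decoding of Paillier plaintexts (values at or above n/2 are read as negative) so that d − d_S can be recovered exactly even when it is negative; that decoding convention is this example's choice, not something the slides state. The server only ever touches Enc(d), and the new shares still sum to d over the integers.

```python
import secrets
from math import gcd

# Toy Paillier key for the user U from two Mersenne primes (constructed).
# n_P is about 2^196, so signed values of up to 188 bits decrypt unambiguously.
P_PAI, Q_PAI = 2**89 - 1, 2**107 - 1
SHARE_BITS = 188       # bit length of the RSA exponent shares being refreshed

# Constructed RSA private exponent d (toy key N = (2^127-1)(2^61-1), e = 65537),
# so that d < 2^188 and fits the signed Paillier plaintext range.
D_RSA = pow(65537, -1, (2**127 - 2) * (2**61 - 2))


def paillier_keygen():
    """Return ((n, g), (n, lam, mu)) with g = n + 1 and lam = lcm(p-1, q-1)."""
    n = P_PAI * Q_PAI
    lam = (P_PAI - 1) * (Q_PAI - 1) // gcd(P_PAI - 1, Q_PAI - 1)
    return (n, n + 1), (n, lam, pow(lam, -1, n))


def enc(pk, x, rng=None):
    """Paillier encryption of an integer x (a negative x is taken mod n)."""
    n, g = pk
    n2 = n * n
    r = (rng or secrets.SystemRandom()).randrange(1, n)
    return (pow(g, x % n, n2) * pow(r, n, n2)) % n2


def dec(sk, c):
    """Paillier decryption with signed decoding: plaintexts >= n/2 are negative
    (this convention is the example's assumption, not taken from the slides)."""
    n, lam, mu = sk
    x = ((pow(c, lam, n * n) - 1) // n * mu) % n
    return x - n if x >= n // 2 else x


def sub_enc(pk, c_a, c_b):
    """Homomorphic subtraction: Enc(a) * Enc(b)^(-1) mod n^2 = Enc(a - b)."""
    n2 = pk[0] ** 2
    return (c_a * pow(c_b, -1, n2)) % n2


def server_refresh(pk, enc_d, rng=None):
    """S: choose a fresh d_S and form Enc(d - d_S) without ever learning d."""
    d_s_new = (rng or secrets.SystemRandom()).randrange(1 << SHARE_BITS)
    return d_s_new, sub_enc(pk, enc_d, enc(pk, d_s_new, rng))


def run_refresh(d=D_RSA, rng=None):
    """Setup, then one recovery round for MD/S; returns correctness checks."""
    rng = rng or secrets.SystemRandom()
    pk, sk = paillier_keygen()
    enc_d = enc(pk, d, rng)                        # stored at S at setup time
    old_md = rng.randrange(1 << SHARE_BITS)        # old shares, now deleted
    old_s = d - old_md
    d_s_new, enc_d_md = server_refresh(pk, enc_d, rng)
    d_md_new = dec(sk, enc_d_md)                   # U decrypts on MD with sk
    return {
        "sum_is_d": d_md_new + d_s_new == d,
        "shares_changed": (d_md_new, d_s_new) != (old_md, old_s),
    }


if __name__ == "__main__":
    print(run_refresh())
```

The honest-during-recovery assumption from the slide is visible here: whoever holds the Paillier secret key learns d_MD_new, and a server that kept its old d_S instead of deleting it would still hold a share of the old sharing, so deletion on both MD and S is what makes the old shares worthless to an adversary who corrupted one of them earlier.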

Sketch of security proof

• We cannot just make a guess, like in the non-proactive case.

– That would not give a polynomial reduction.

• Solution: rewind A.

– But: a message m that A can sign by itself may have been sent to O before rewinding.

• Solution: A is polynomial, so m would be sent to O at a polynomial time after a rewind, and A would be rewound in this particular run. Try to guess and rewind before m would have been sent to O.

• Similar to the proof by [ADN06].

• A tighter reduction is possible, but requires a more complex protocol.

Conclusion etc.

• We proposed a revised definition of security for digital signatures

• We proposed a proactive protocol that securely realizes this revised security definition.

• Part of the ITSCI project.

• Prototype.