Date posted: 26-Dec-2015
An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model
Ji-Jian Chin, Swee-Huay Heng, Bok-Min Goi
(Multimedia University)

Contents
1 Introduction
2 Preliminaries
3 Formal Definition of IBI
4 Construction
5 Security Analysis
6 Conclusion
7 Open Problems

1. Introduction
An identification scheme enables one party to identify itself securely to another party authentically and without repudiation.
ID-based cryptography – user generates own public key using an identity string.
ID-based cryptography does away with certificates binding the public key to the private key, as opposed to traditional public key infrastructure systems.

Why Passwords Aren't Enough?
If I can guess/know your password, I can impersonate you. (Easy to guess: keyloggers, peek into your password database, sticky notes with passwords in your office, steal from your hand phone, etc.)
Why can IBI and SI overcome this?
- Challenge-response identification.
- Zero-knowledge of secret key involved.

History of IBI
- IBI fundamental paper proposed by Fiat and Shamir in 1984.
- Rigorous definition and security proofs only formalized in 2004:
  - Kurosawa and Heng
  - Bellare, Namprempre and Neven
- Schemes mostly have provable security based on the random oracle model.
- Schemes with provable security in the standard model are not very efficient and few in number.

The Random Oracle
First introduced by Bellare and Rogaway in 1993.
"I answer anybody's queries with totally random and uniformly distributed answers."
- I've seen this query before: existing answer
- New query: give new random answer, and save query for next time

Disadvantages of RO:
- heuristic in nature
- Canetti et al. showed certain schemes secure in the random oracle model are insecure once implemented
- idealistic: doesn't exist in real world
Conclusion:
- scheme secure in ROM better than no proof at all
- best to prove in standard model

Recent Developments
1. Kurosawa and Heng proposed the first 2 IBI schemes in the standard model in 2005.
2. Kurosawa and Heng used a trapdoor commitment scheme and a digital signature scheme to construct another IBI scheme in the standard model in 2006.
3. Yang et al. proposed a general framework to construct IBI schemes in the random oracle model in 2007.

2. Preliminaries

Bilinear Pairings
a) Bilinearity. $e(g^a, g^b) = e(g, g)^{ab}$
b) Non-degeneracy. $e(g, g) \neq 1$
c) Efficiently computable.

Security Assumptions
a) Security against Passive Attacks: Computational Diffie-Hellman problem (CDHP)
- Find $g^{ab}$ given $g$ and $g^a$, $g^b$
b) Security against Active/Concurrent Attacks: One-More Computational Diffie-Hellman Problem (OMCDHP)
- Adversary is given a challenge oracle and a CDH oracle.
- Adversary queries random challenge point from challenge oracle and obtains solution by querying the CDH oracle.
- Adversary wins the game if at the end the number of queries to the solution oracle is strictly less than the queries to the challenge oracle.

3. Formal Definitions For IBI

Definition of IBI
IBI = (S, E, P, V) - 4 probabilistic, polynomial-time algorithms
- Setup (S): input param -> mpk, msk
- Extract (E): mpk, msk, ID -> usk
- Prover (P): input mpk, usk, ID ("Prove that I know usk")
- Verifier (V): input mpk, ID ("Accept only if you know usk")
- The Canonical Three Move Protocol: CMT, CHA, RSP

Security Model for IBI
Goal of adversary towards IBI - impersonation.
Considered successful if:
- Interact with verifier as prover with public ID
- Accepted by verifier with non-negligible probability
Stronger assumptions of IBI vs SI:
1. The adversary can choose a target identity ID to impersonate as opposed to a random public key.
2. IBI has access to extract oracle -> the adversary can possess private keys of some users which she has chosen.

- Passive attacks (imp-pa): Eavesdrop
- Active attacks (imp-aa): Interacts with provers as a cheating verifier
- Concurrent attacks (imp-ca): Interacts with provers as a cheating verifier concurrently.

The impersonation attack between the impersonator I and challenger C is described in a two-phase game.
Phase 1: I either extracts transcript queries for imp-pa or acts as a cheating verifier in imp-aa and imp-ca.
Phase 2: I plays the cheating prover it picks to convince the verifier.

An IBI scheme is $(t, q_I, \varepsilon)$-secure against imp-pa/imp-aa/imp-ca if for any I who runs in time $t$, $\Pr(\text{I can impersonate}) < \varepsilon$, where I can make at most $q_I$ queries.

4. Construction

Construction of IBI scheme based on the Waters Signature Scheme
Let $G$ and $G_T$ be finite cyclic groups of order $p$ and let $g$ be a generator of $G$. Let $e: G \times G \to G_T$ be an efficiently computable bilinear map. Use a collision-resistant hash function $H: \{0,1\}^* \to \{0,1\}^n$ to hash identities of arbitrary length to a bit string of length $n$.

Setup
$a \in_R \mathbb{Z}_p$, $g_1 = g^a$, $g_2, u' \in_R G$
Select an n-length vector $U = \{u_1, \ldots, u_n\} \in_R G$
$mpk := (G, G_T, e, g_1, g_2, u', U, H)$
$msk := (g_2^a)$

Extract
ID: hashed user identity string of length n
Let $d_i$: ith bit of ID
Let $ID \subseteq \{1, \ldots, n\}$ be the set of all $i$ where $d_i = 1$
$r \in_R \mathbb{Z}_p$
$S = g_2^a (u' \prod_{i \in ID} u_i)^r$, $R = g^r$
$usk := (S, R)$
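
Prove and Verify
Prover: $z \in_R \mathbb{Z}_p$, $X = (u' \prod_{i \in ID} u_i)^z$, $Y = g_2^z$; send $X, Y, R$
Verifier: $c \in_R \mathbb{Z}_p$; send $c$
Prover: $Z = S^{z+c}$; send $Z$
Verifier: accept if
$$e(Z, g) = e(g_2^c Y, g_1) \, e(X (u' \prod_{i \in ID} u_i)^c, R)$$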
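
Correctness
$$\begin{aligned}
e(Z, g) &= e((g_2^a (u' \prod_{i \in ID} u_i)^r)^{z+c}, g) \\
&= e(g_2^{a(z+c)}, g) \, e((u' \prod_{i \in ID} u_i)^z (u' \prod_{i \in ID} u_i)^c, g^r) \\
&= e(g_2^c Y, g_1) \, e(X (u' \prod_{i \in ID} u_i)^c, R)
\end{aligned}$$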
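
The Setup, Extract, Prove and Verify steps of the construction, run end to end as an added example (not code from the slides or the authors). It assumes a toy bilinear group in which every element is stored as its exponent, which exposes discrete logs and is only good for checking the algebra; SHA-256 truncated to n = 32 bits stands in for H, and all function names are hypothetical.

```python
import hashlib, secrets
# Toy bilinear group (assumption, NOT secure): g^x in G and e(g,g)^x in G_T are
# stored as the exponent x mod P. Multiplying elements adds exponents, raising
# to a power multiplies them, and e(g^x, g^y) = e(g,g)^(xy) becomes x*y mod P.
P = 2**127 - 1   # prime group order p (constructed for the example)
N = 32           # identity hash length n

def rand(): return secrets.randbelow(P - 1) + 1
def mul(*xs): return sum(xs) % P          # product of group elements
def exp(x, k): return x * k % P           # x^k
def pair(x, y): return x * y % P          # e(x, y)

def id_bits(identity):
    """H: {0,1}* -> {0,1}^n, returned as the index set {i : d_i = 1}."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return [i for i in range(N) if (h >> i) & 1]

def setup():
    a = rand()
    mpk = {"g": 1, "g1": exp(1, a), "g2": rand(), "u0": rand(),
           "U": [rand() for _ in range(N)]}
    return mpk, exp(mpk["g2"], a)         # msk = g2^a

def waters(mpk, identity):
    return mul(mpk["u0"], *(mpk["U"][i] for i in id_bits(identity)))  # u' * prod u_i

def extract(mpk, msk, identity):
    r = rand()
    return mul(msk, exp(waters(mpk, identity), r)), exp(mpk["g"], r)  # usk = (S, R)

def commit(mpk, usk, identity):
    z, w = rand(), waters(mpk, identity)
    return z, (exp(w, z), exp(mpk["g2"], z), usk[1])   # CMT = (X, Y, R)

def respond(usk, z, c):
    return exp(usk[0], (z + c) % P)       # RSP: Z = S^(z+c)

def verify(mpk, identity, cmt, c, Z):
    X, Y, R = cmt
    rhs = mul(pair(mul(exp(mpk["g2"], c), Y), mpk["g1"]),
              pair(mul(X, exp(waters(mpk, identity), c)), R))
    return pair(Z, mpk["g"]) == rhs       # e(Z,g) = e(g2^c Y, g1) e(X(u' prod u_i)^c, R)

def run(prover_id, claimed_id):
    mpk, msk = setup()
    usk = extract(mpk, msk, prover_id)
    z, cmt = commit(mpk, usk, claimed_id)
    c = rand()                            # CHA from the verifier
    return verify(mpk, claimed_id, cmt, c, respond(usk, z, c))
```

`run("alice", "alice")` accepts, while a key extracted for one identity is rejected when presented for another, because the identity-dependent product in the verification equation no longer matches the one bound into S.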

5. Security Analysis

Security against Passive Attacks

Theorem 1: The proposed IBI scheme is $(t, q_I, \varepsilon)$-secure against impersonation under passive attacks in the standard model if the CDHP is $(t', \varepsilon')$-hard, where
2
114
pnq ue ')( ))())(((' II qqnOtt 2
: time for multiplication in
: time for exponentiation in
$q_e$: extract queries made
$q_i$: transcript queries made, and $q_I = q_e + q_i$

Security against Active/Concurrent Attacks

Theorem 2: The proposed IBI scheme is $(t, q_I, \varepsilon)$-secure against impersonation under active/concurrent attacks in the standard model if the OMCDHP is $(t'', q_{CDH}, \varepsilon'')$-hard, where
2
114
pnq ue ")( ))())(((" II qqnOtt 2
: time for multiplication in
: time for exponentiation in
$q_e$: extract queries made
$q_i$: transcript queries made, and $q_I = q_e + q_i$

Efficiency

Table 1: Complexity Cost
Operation | Multiplication | Exponentiation | Pairing
Setup | 0 | 2 | 0
Extract | Max: n+2, Avg: (n/2)+2 | 2 | 0
Prove | Max: n+1, Avg: (n/2)+1 | 3 | 0
Verify | Max: n+3, Avg: (n/2)+3 | 2 | 3

Table 2: Comparisons with other IBI
Scheme | Efficiency of P and V | Imp-pa assumption | Imp-aa/ca assumption
HKIBI05a | 6G, 6E, 4P | q-SDH | Unknown
HKIBI05b | 12G, 12E, 6P | q-SDH | q-SDH
HKIBI06 | 9G, 11E, 3P, 1 SOTSS | q-SDH | q-SDH
Proposed IBI | (n+4)G, 5E, 3P | CDH | OMCDHP

6. Conclusion
Merits of Proposed IBI
- Direct proof
- Provable security against both imp-pa and imp-aa/ca in the standard model.
- More efficient than other IBI schemes in standard model.

7. Open Problems
1. More IBI schemes that are efficient and provably secure in the standard model.
2. More IBI schemes with direct proof to a hard mathematical problem as opposed to reductions from transformations.
3. An IBI scheme with provable security against imp-aa/ca using a weaker assumption like DLOG or CDH.