
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe...

Date post: 20-Dec-2015
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures

Work in progress.

Ivan Damgård and Gert Læssøe Mikkelsen, University of Aarhus.

Outline

• Motivation

• Revised Definition of Security

• Protocol Securely Realizing our definition

• Proof of Security

• Proactive Security

Motivation for better security

[Figure: the message “Hi Bob”, shown alone and with the label “Signature”]

Motivation for mobility

• We want Alice to be able to use any computer.

• No or low trust in the computer used.

• No key material on the computer used.

Outline

• Motivation

• Revised Definition of Security

• Protocol Securely Realizing our definition

• Proof of Security

• Proactive Security

Definition of Security

• Using the Universal Composability framework

• Ideal world: Definition of the security

• Real world: Our protocol

• Prove by simulation some equivalence between the two worlds

Ideal Functionality for digital signatures

• Ran Canetti [C05]

Intuition behind FSIG

• The simulator generates keys
  – This makes FSIG general and not related to the specific algorithms.

• FSIG is acting like a storage:
  – Signing: Messages get recorded.
  – Verification: If the message has been recorded then it is accepted.

• If the signer (Alice's computer) is corrupted, everything can be verified.

FM-SIG: Revised Edition of FSIG

• We want the human user “U” to decide if a message should be signed and thereby verified.

Outline

• Motivation

• Revised Definition of Security

• Protocol Securely Realizing FM-SIG

• Proof of Security

• Proactive Security

Idea behind our protocol

1st approach

• Assume that the adversary controls at most one of {MD,T,S}

• Use RSA signatures

• Additively secret-share the user's private exponent: $d = d_1 + d_2$

• Assume that keys are set up beforehand.

2nd approach

Why a 2nd approach:
  – We implemented the first one.
  – It was a bit slow.

• Assume that the mobile device has limited computational power (no exponentiation)

• We want to give privacy back to the user.
  – This one is easy: RSA signatures already use hashing, so just send the hash to the server.

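[Protocol diagram. Labels: U, m; key material $d_{MD}$, $d_S$ and K (shown twice). Messages shown: m; m, pwd; m; m, ok; $\delta_{MD}$; $\sigma_{MD}$, H(m), pwd; $\sigma_S$.]

$\delta_{MD} = d_{MD} + F_K(H(m))$

$\sigma_{MD} = H(m)^{\delta_{MD}} \bmod N$

$\sigma_S = H(m)^{d_S - F_K(H(m))} \bmod N$

$\sigma = \sigma_{MD} \times \sigma_S \bmod N = H(m)^{d_{MD} + F_K(H(m)) + d_S - F_K(H(m))} \bmod N$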
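The blinded share arithmetic of the 2nd approach, as an added Python example that is not the authors' prototype. Assumptions: a constructed toy RSA key, unpadded SHA-256 as H, HMAC-SHA256 as F_K (the slides do not name F), T performing the exponentiation that MD cannot, and the pwd check and the user's "ok" left out.

```python
import hashlib, hmac, secrets

# Constructed toy RSA key (two Mersenne primes, far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent d

def H(m: bytes) -> int:
    """Hash to an integer mod N (unpadded; real RSA signing uses a padding scheme)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def F(k: bytes, h: int) -> int:
    """PRF F_K. HMAC-SHA256 is an assumption of this example."""
    mac = hmac.new(k, h.to_bytes(32, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")

def setup():
    """Additively share d = d_MD + d_S and give MD and S the same PRF key K."""
    d_md = secrets.randbelow(N)
    return d_md, D - d_md, secrets.token_bytes(32)

def md_blind(d_md: int, k: bytes, h: int) -> int:
    """Mobile device: delta_MD = d_MD + F_K(H(m)); one PRF call, no exponentiation."""
    return d_md + F(k, h)

def t_partial(delta_md: int, h: int) -> int:
    """Computer T (assumed role): sigma_MD = H(m)^delta_MD mod N."""
    return pow(h, delta_md, N)

def s_partial(d_s: int, k: bytes, h: int) -> int:
    """Server S: sigma_S = H(m)^(d_S - F_K(H(m))) mod N. S sees H(m), not m."""
    # The exponent may be negative; Python 3.8+ resolves it via a modular inverse.
    return pow(h, d_s - F(k, h), N)

def sign(m: bytes, d_md: int, d_s: int, k: bytes) -> int:
    """Combine both partial signatures: sigma = sigma_MD * sigma_S mod N."""
    h = H(m)
    delta_md = md_blind(d_md, k, h)
    return (t_partial(delta_md, h) * s_partial(d_s, k, h)) % N

def verify(m: bytes, sigma: int) -> bool:
    """Ordinary RSA verification with the public key (N, E)."""
    return pow(sigma, E, N) == H(m)
```

The F_K(H(m)) terms cancel in the combined exponent, so the result equals the ordinary RSA signature under d, while the value MD releases is a fresh blinding of d_MD for each message.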

Outline

• Motivation

• Revised Definition of Security

• Protocol Securely Realizing our definition

• Proof of Security

• Proactive Security

Sketch of security proof

• Reduction R: If an adversary A can break our protocol, then R can use A to break standard RSA signatures.

• Given:
  – an RSA oracle O, which provides a public key and will sign messages.
  – an adversary that can break the security of our protocol.

• R produces a signature on a message never sent to O.

Sketch of reduction

• Flip coin c:
  – 0: Guess A will corrupt S
    • $d_S$ = random number mod n
    • Simulate: $\sigma_{MD}$ from $\sigma$, m and $d_S$
      – Calculate $\sigma_S$
      – $\sigma_{MD} = \sigma \times \sigma_S^{-1} \bmod n$
  – 1: Guess A will corrupt MD or T
    • $d_{MD}$ = random number mod n
    • Simulate: $\sigma_S$ from $\sigma$, m and $d_{MD}$
      – Calculate $\delta_{MD}$ and $\sigma_{MD}$
      – $\sigma_S = \sigma \times \sigma_{MD}^{-1} \bmod n$

• If the guess was wrong: “Bad luck”, but only polynomial “bad luck”

Outline

• Motivation

• Revised Definition of Security

• Protocol Securely Realizing our definition

• Proof of Security

• Proactive Security

Proactive security

• Corrupted parties can recover

• Nice property in our protocol.

• Changes to the protocol:
  – Assume deletion is possible on MD and S.
  – Assume all parties are honest during recovery.
  – User U has a Paillier secret key.
  – The server S has d encrypted under the Paillier public key.

Proactive security (Sketch)

• Recover the computer T:
  – Make a new password pwd

• Recover MD or S:
  – MD and S delete $d_{MD}$ and $d_S$
  – S selects a random $d_S$ and uses the homomorphic property of Paillier to make an encryption of a new $d_{MD}$
  – Send the encryption of $d_{MD}$ to MD.

Sketch of security proof

• We cannot just make a guess, like in the non-proactive case.
  – Not a polynomial reduction

• Solution: Rewind A
  – But: m, that A can sign by itself, may have been sent to O before rewinding.
  – Solution: A is polynomial => m would be sent to O at polynomial time after a rewind, and A would be rewound in this particular run. Try to guess and rewind before m would have been sent to O.

• Similar to proof by [ADN06]

• Tighter reduction is possible, requires more complex protocol.

Conclusion etc.

• We proposed a revised definition of security for digital signatures

• We proposed a proactive protocol in this revised security definition.

• Part of the ITSCI project.

• Prototype.

