Security Proofs for Identity-Based Identification and Signature Schemes

Date post: 31-Dec-2015
Security Proofs for Identity-Based Identification and Signature Schemes. Mihir Bellare, University of California at San Diego, USA; Chanathip Namprempre, Thammasat University, Thailand; Gregory Neven, Katholieke Universiteit Leuven, Belgium. Proposed by Shamir (1984) - PowerPoint PPT Presentation
Transcript

Security Proofs for Identity-Based Identification and Signature Schemes

Mihir Bellare, University of California at San Diego, USA

Chanathip Namprempre, Thammasat University, Thailand

Gregory Neven, Katholieke Universiteit Leuven, Belgium

2

Identity-based encryption

Figure: the KDC runs MKg(1^k) → (mpk, msk) and UKg(msk, "Bob") → usk_B, and hands usk_B to Bob. Alice encrypts M under (mpk, "Bob") to obtain C; Bob decrypts C with usk_B to recover M.

Proposed by Shamir (1984)

Efficiently implemented by Boneh-Franklin (2001)

3

Identity-based signatures (IBS)

Figure: the KDC runs MKg(1^k) → (mpk, msk) and UKg(msk, "Alice") → usk_A, and hands usk_A to Alice. Alice computes σ ← Sign(usk_A, M); Bob runs Vf(mpk, "Alice", M, σ) and outputs acc/rej.

Proposed and implemented by Shamir (1984)

Alternative implementations followed [FS86, GQ89]

Renewed interest using pairings [SOK00, P02, CC03, H03, Yi03]

4

Identity-based identification (IBI)

Figure: the KDC runs MKg(1^k) → (mpk, msk) and UKg(msk, "Alice") → usk_A, and hands usk_A to Alice. Alice, as prover P(usk_A), interacts with Bob, as verifier V(mpk, "Alice"), who outputs acc/rej.

Proposed by Shamir (1984)

Numerous implementations followed [FS86, B88, GQ89, G90, O93]

5

Provable security of IBI/IBS schemes

IBI schemes: no appropriate security definitions; proofs in a weak model (fixed identity) or entirely lacking

IBS schemes: good security definition [CC03]; security proofs for some schemes directly [CC03] or through the "trapdoor SS" to IBS transform [DKXY03]; some gaps remain

6

Existing security proofs

Existing security proofs for identification schemes underlying IBI schemes (e.g. [FFS88] proves [FS86], [BP02] proves [GQ89]) and for signature schemes underlying IBS schemes (e.g. analyses of the Fiat-Shamir transform [PS96, OO98, AABN02]) refer to standard identification (SI) and signature (SS) schemes.

Build on these proofs, rather than from scratch.

7

Our contributions

Security definitions for IBI schemes

Security proofs for “trivial” certificate-based IBI/IBS schemes

Framework of security-preserving transforms

Security proofs for 12 scheme “families” by implication through transforms

by surfacing and proving unanalyzed SI schemes

by proving as IBI schemes directly (exceptions)

Attack on 1 scheme family

Transform diagram: SI → IBI (top row), SS → IBS (bottom row)

8

Independent work

Kurosawa, Heng (PKC 2004): security definitions for IBI schemes; transform from SS to IBI schemes

9

Security of IBS and IBI schemes

IBS schemes: uf-cma security [CC03]

IBI schemes: imp-pa, imp-aa, imp-ca security

1. Learning phase: Initialize and Corrupt oracles; see conversation transcripts (pa), interact with provers sequentially (aa) or in parallel (ca)

2. Attack phase: impersonate an uncorrupted identity ID_break of the adversary's choice; oracles are blocked for ID = ID_break

Figure: the uf-cma game for IBS. The forger F receives mpk and may query Initialize(ID), Corrupt(ID), which returns usk_ID, and a signing oracle Sign(usk_ID, ·) on (M, ID), which returns σ; F finally outputs a forgery (ID, M, σ).

10

The Shamir-SI scheme

Kg(1^k):
(N,e,d) ← Krsa(1^k)
X ← Z_N^* at random
x ← X^d mod N
pk ← (N,e,X)
sk ← (N,e,x)
Return (pk,sk)

P(sk):
(N,e,x) ← sk
y ← Z_N^* at random
Y ← y^e mod N
(send Y, receive c)
z ← x·y^c mod N
(send z)

V(pk):
(N,e,X) ← pk
c ← {0,1}^ℓ(k) at random
If z^e = X·Y^c mod N then accept else reject

Protocol flow: P → V: Y; V → P: c; P → V: z

"surfaced" from Shamir-IBS [S84]

(statistical) HVZK + POK ⇒ imp-pa secure

not imp-aa secure (attack: choose c=0)

11

The Shamir-SS scheme

Kg(1^k):
(N,e,d) ← Krsa(1^k)
X ← Z_N^* at random
x ← X^d mod N
pk ← (N,e,X)
sk ← (N,e,x)
Return (pk,sk)

Sign(sk,M):
(N,e,x) ← sk
y ← Z_N^* at random
Y ← y^e mod N
c ← H(Y,M)
z ← x·y^c mod N
σ ← (Y,z)

Vf(pk,M,σ):
(N,e,X) ← pk
(Y,z) ← σ
c ← H(Y,M)
If z^e = X·Y^c mod N then accept else reject

12

The framework: SI to SS [FS86]

"canonical" SI scheme: P(sk) and V(pk) exchange three moves, Cmt (P → V), Ch (V → P) and Rsp (P → V); V decides with Dec(pk,Cmt,Ch,Rsp)

fs-I-2-S:
Sign(sk,M): Ch ← H(Cmt,M); σ ← (Cmt,Rsp)
Vf(pk,M,σ): Dec(pk, Cmt, H(Cmt,M), Rsp)

Theorem: SI is imp-pa secure
⇓
SS = fs-I-2-S(SI) is uf-cma secure in the RO model [AABN02]

Transform diagram: SI → SS via fs-I-2-S (IBI and IBS shown as the other corners of the framework)
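The Shamir-SI protocol of slide 10, the fs-I-2-S transform of slide 12 and the Shamir-SS scheme of slide 11 that the transform produces, as an added Python example (not code from the slides or from the authors). It assumes toy RSA parameters constructed inline, a 32-bit challenge length ℓ(k), and SHA-256 standing in for the random oracle H; all function names are the example's own. It also exercises the point the slide makes about the scheme being only imp-pa secure: with a zero challenge the response equals the secret x.

```python
# Added example, not from the slides: the Shamir-SI identification scheme (slide 10)
# and the fs-I-2-S transform (slide 12), which yields the Shamir-SS scheme (slide 11).
# The RSA parameters are constructed toy values (two ~20-bit primes) so the block runs
# instantly; they give no security and exist only to show the arithmetic.
import hashlib
import secrets

P_TOY, Q_TOY, E_TOY = 999983, 1000003, 65537           # constructed; NOT secure
N_TOY = P_TOY * Q_TOY
D_TOY = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))      # RSA trapdoor d = e^-1 mod phi(N)
ELL = 32                                                # challenge length l(k), assumed


def krsa():
    """Krsa(1^k): returns (N, e, d); here the fixed toy key instead of fresh primes."""
    return N_TOY, E_TOY, D_TOY


def kg():
    """Kg(1^k): X random in Z_N^*, x = X^d mod N; pk = (N,e,X), sk = (N,e,x)."""
    N, e, d = krsa()
    X = secrets.randbelow(N - 2) + 2
    return (N, e, X), (N, e, pow(X, d, N))


# Canonical three-move protocol: Cmt = Y, Ch = c, Rsp = z, decision Dec(pk, Y, c, z).
def prover_commit(sk):
    """P(sk), first move: y random in Z_N^*, Cmt = Y = y^e mod N. Returns (y, Y)."""
    N, e, _ = sk
    y = secrets.randbelow(N - 2) + 2
    return y, pow(y, e, N)


def prover_respond(sk, y, c):
    """P(sk), third move: Rsp = z = x * y^c mod N."""
    N, _, x = sk
    return x * pow(y, c, N) % N


def verifier_challenge():
    """V(pk), second move: Ch = c random in {0,1}^l(k)."""
    return secrets.randbits(ELL)


def dec(pk, Y, c, z):
    """Dec(pk, Cmt, Ch, Rsp): accept iff z^e = X * Y^c mod N."""
    N, e, X = pk
    return pow(z, e, N) == X * pow(Y, c, N) % N


def identify(pk, sk):
    """One honest run of Shamir-SI; returns V's decision."""
    y, Y = prover_commit(sk)
    c = verifier_challenge()
    return dec(pk, Y, c, prover_respond(sk, y, c))


def impostor_run(pk):
    """A party without sk can only guess the response; V should reject."""
    N, e, _ = pk
    Y = pow(secrets.randbelow(N - 2) + 2, e, N)
    return dec(pk, Y, verifier_challenge(), secrets.randbelow(N))


def zero_challenge_leaks_x(sk):
    """The imp-aa limit noted on slide 10: for c = 0 the response z = x * y^0 is the
    secret x itself, which is why the scheme is proven only against passive attacks."""
    y, _ = prover_commit(sk)
    return prover_respond(sk, y, 0) == sk[2]


def h_chal(*parts):
    """Random oracle H(Cmt, M), modelled by SHA-256 truncated to an l(k)-bit challenge."""
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << ELL)


def sign(sk, M):
    """fs-I-2-S Sign(sk, M): run P, but derive Ch = H(Cmt, M) instead of asking V.
    sigma = (Cmt, Rsp) = (Y, z), exactly the Shamir-SS signature."""
    y, Y = prover_commit(sk)
    return Y, prover_respond(sk, y, h_chal(Y, M))


def verify(pk, M, sigma):
    """fs-I-2-S Vf(pk, M, sigma) = Dec(pk, Cmt, H(Cmt, M), Rsp)."""
    Y, z = sigma
    return dec(pk, Y, h_chal(Y, M), z)


if __name__ == "__main__":
    pk, sk = kg()
    print("honest identification accepted:", identify(pk, sk))
    print("impostor rejected:", not impostor_run(pk))
    print("c = 0 reveals x:", zero_challenge_leaks_x(sk))
    sigma = sign(sk, b"pay 5 EUR")
    print("signature verifies:", verify(pk, b"pay 5 EUR", sigma))
    print("altered message rejected:", not verify(pk, b"pay 9 EUR", sigma))
```

The signing routine is literally the prover with the verifier's random challenge replaced by a hash of the commitment and the message, which is all fs-I-2-S does; the verifier recomputes that hash and applies the same decision predicate Dec.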

13

The Shamir-SI scheme (repeated from slide 10, shown again for comparison with the Shamir-IBI scheme on slide 14)

14

The Shamir-IBI scheme

MKg(1^k):
(N,e,d) ← Krsa(1^k)
mpk ← (N,e)
msk ← (N,e,d)
Return (mpk,msk)

UKg(msk,ID):
(N,e,d) ← msk
X ← H(ID)
x ← X^d mod N
usk ← (N,e,x)
Return usk

P(usk):
(N,e,x) ← usk
y ← Z_N^* at random
Y ← y^e mod N
(send Y, receive c)
z ← x·y^c mod N
(send z)

V(mpk,ID):
(N,e) ← mpk
c ← {0,1}^ℓ(k) at random
If z^e = H(ID)·Y^c mod N then accept else reject

Protocol flow: P → V: Y; V → P: c; P → V: z

15

The framework: SI to IBI

Transform diagram: SI → IBI via cSI-2-IBI; SI → SS via fs-I-2-S; IBS as the remaining corner

Theorem: SI is imp-xx secure
⇓
IBI = cSI-2-IBI(SI) is imp-xx secure in the RO model

"convertible" SI scheme:
Kg(1^k): "trapdoor samplable relation" R; sk ← (R,x); pk ← (R,y) such that (x,y) ∈ R

cSI-2-IBI:
MKg(1^k): generate relation R with trapdoor t; mpk ← R; msk ← (R,t)
UKg(msk, ID): y ← H(ID); use t to compute x s.t. (x,y) ∈ R; usk ← (R,x)

16

The Shamir-SS scheme (repeated from slide 11, shown again for comparison with the Shamir-IBS scheme on slide 17)

17

The Shamir-IBS scheme

MKg(1^k):
(N,e,d) ← Krsa(1^k)
mpk ← (N,e)
msk ← (N,e,d)
Return (mpk,msk)

UKg(msk,ID):
(N,e,d) ← msk
X ← H(ID)
x ← X^d mod N
usk ← (N,e,x)
Return usk

Sign(usk,M):
(N,e,x) ← usk
y ← Z_N^* at random
Y ← y^e mod N
c ← H(Y,M)
z ← x·y^c mod N
σ ← (Y,z)

Vf(mpk,ID,M,σ):
(N,e) ← mpk
(Y,z) ← σ
c ← H(Y,M)
If z^e = H(ID)·Y^c mod N then accept else reject

= Shamir-IBS as proposed in [S84]

18

The framework: SS and IBI to IBS

Transform diagram: SI → IBI via cSI-2-IBI; SI → SS via fs-I-2-S; SS → IBS via cSS-2-IBS; IBI → IBS via fs-I-2-S (efs-IBI-2-IBS)

Theorem: SI is imp-pa secure
⇓
IBS = fs-I-2-S(cSI-2-IBI(SI)) is uf-cma secure in the RO model

SS to IBS: cSS-2-IBS, analogous to cSI-2-IBI; "convertible" SS → IBS; generalization of [DKXY03]

Theorem: SS is uf-cma secure
⇓
IBS = cSS-2-IBS(SS) is uf-cma secure in the RO model

IBI to IBS: "canonical" IBI → IBS. For a canonical convertible SI scheme X:
cSS-2-IBS(fs-I-2-S(X)) = fs-I-2-S(cSI-2-IBI(X))

fs-I-2-S is not security-preserving for canonical IBI schemes in general

Modified transform efs-IBI-2-IBS: Ch ← H(Cmt,M,ID)

Theorem: IBI is imp-pa secure
⇓
IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the RO model
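The identity-based side of the framework, as an added Python example (not code from the slides or from the authors): the cSI-2-IBI transform of slide 15 applied to Shamir-SI, which gives the Shamir-IBI scheme of slide 14; fs-I-2-S on top of it, which gives the Shamir-IBS scheme of slide 17; and the modified efs-IBI-2-IBS transform of slide 18 that also hashes ID into the challenge. It assumes toy RSA parameters constructed inline, a 32-bit challenge length ℓ(k), and SHA-256 standing in for the random oracle H both as a hash onto Z_N^* and as the challenge hash; all function names are the example's own.

```python
# Added example, not from the slides: cSI-2-IBI applied to Shamir-SI (= Shamir-IBI),
# fs-I-2-S on the result (= Shamir-IBS, Ch = H(Cmt, M)) and efs-IBI-2-IBS (Ch = H(Cmt, M, ID)).
# RSA parameters are constructed toy values; SHA-256 stands in for the random oracle H.
import hashlib
import secrets

P_TOY, Q_TOY, E_TOY = 999983, 1000003, 65537           # constructed; NOT secure
N_TOY = P_TOY * Q_TOY
D_TOY = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))      # trapdoor t = d of the relation
ELL = 32                                                # challenge length l(k), assumed


def _sha(*parts):
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def h_id(ID, N):
    """H(ID) as an element of Z_N^*: the public 'y' of the trapdoor samplable relation."""
    return _sha(b"id", ID) % (N - 2) + 2


def h_chal(*parts):
    """Challenge hash H(Cmt, M) or H(Cmt, M, ID), reduced to l(k) bits."""
    return _sha(b"ch", *parts) % (1 << ELL)


# Relation R = (N, e) with (x, y) in R iff x^e = y mod N; the trapdoor is d.
def mkg():
    """MKg(1^k): mpk = R = (N, e); msk = (R, t) = (N, e, d)."""
    return (N_TOY, E_TOY), (N_TOY, E_TOY, D_TOY)


def ukg(msk, ID):
    """UKg(msk, ID): y = H(ID); use the trapdoor to find x with (x, y) in R; usk = (R, x)."""
    N, e, d = msk
    return (N, e, pow(h_id(ID, N), d, N))


# The canonical protocol of the convertible SI scheme is unchanged by cSI-2-IBI;
# only the verifier's public value X is replaced by H(ID).
def commit(usk):
    N, e, _ = usk
    y = secrets.randbelow(N - 2) + 2
    return y, pow(y, e, N)


def respond(usk, y, c):
    N, _, x = usk
    return x * pow(y, c, N) % N


def dec(mpk, ID, Y, c, z):
    """Shamir-IBI decision: z^e = H(ID) * Y^c mod N."""
    N, e = mpk
    return pow(z, e, N) == h_id(ID, N) * pow(Y, c, N) % N


def identify(mpk, ID, usk):
    """One honest run of Shamir-IBI under identity ID."""
    y, Y = commit(usk)
    c = secrets.randbits(ELL)
    return dec(mpk, ID, Y, c, respond(usk, y, c))


# fs-I-2-S(cSI-2-IBI(Shamir-SI)) = Shamir-IBS [S84]: Ch = H(Cmt, M); ID enters only via Dec.
def sign_ibs(usk, M):
    y, Y = commit(usk)
    return Y, respond(usk, y, h_chal(Y, M))


def verify_ibs(mpk, ID, M, sigma):
    Y, z = sigma
    return dec(mpk, ID, Y, h_chal(Y, M), z)


# efs-IBI-2-IBS: the challenge also binds the identity, Ch = H(Cmt, M, ID).
def sign_efs(usk, ID, M):
    y, Y = commit(usk)
    return Y, respond(usk, y, h_chal(Y, M, ID))


def verify_efs(mpk, ID, M, sigma):
    Y, z = sigma
    return dec(mpk, ID, Y, h_chal(Y, M, ID), z)


if __name__ == "__main__":
    mpk, msk = mkg()
    usk_alice = ukg(msk, b"Alice")
    print("Alice identifies as Alice:", identify(mpk, b"Alice", usk_alice))
    print("Alice's key does not work as Bob:", not identify(mpk, b"Bob", usk_alice))
    sigma = sign_ibs(usk_alice, b"hello")
    print("Shamir-IBS verifies under Alice:", verify_ibs(mpk, b"Alice", b"hello", sigma))
    print("... and not under Bob:", not verify_ibs(mpk, b"Bob", b"hello", sigma))
    sigma2 = sign_efs(usk_alice, b"Alice", b"hello")
    print("efs-IBI-2-IBS verifies:", verify_efs(mpk, b"Alice", b"hello", sigma2))
```

Note that `sign_ibs`/`verify_ibs` is also what cSS-2-IBS gives when applied to Shamir-SS, since both paths of the commuting identity on this slide only replace the public X by H(ID) and leave the prover's arithmetic and the challenge hash untouched; `sign_efs`/`verify_efs` differs from it only in the extra ID argument to the challenge hash.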

19

Results for concrete schemes

Columns: Name | Origin | Name-SI (imp-pa, imp-aa, imp-ca) | Name-IBI (imp-pa, imp-aa, imp-ca) | Name-SS (uf-cma) | Name-IBS (uf-cma)

Legend: P = proven, I = implied, A = attacked. The slide also distinguishes known results from new contributions by colour, which did not survive extraction.

Cell codes per scheme, as extracted, in the slide's column order read from right to left (IBS; SS; IBI ca, aa, pa; SI ca, aa, pa). Schemes that do not have every variant have fewer codes.

Beth (IBI): IIIP
OkDL (IBI): IIPPPIII
SOK (IBS): IIAAIAAP
Hess (IBS): IPIIIPPP
Cha-Cheon (IBS): PIIIIPPP
Shamir* (SI): IIIIIPPP
OkRSA (SI, IBI, SS): IIIIIPPP
BNNDL (SI, IBI): IIPPPIII
Girault (SI, IBI): AAAAAAAA
Shamir (IBS): IIAAIAAP
GQ (IBI, IBS): IIIIIPPP
FF (SI, SS): IIIIIPPP
It. Root (SI, SS): IIIIPP
Fiat-Shamir (IBI, IBS): IIIIIPPP

