Security Proofs for Identity-Based Identification and Signature Schemes
Mihir Bellare, University of California at San Diego, USA
Chanathip Namprempre, Thammasat University, Thailand
Gregory Neven, Katholieke Universiteit Leuven, Belgium
Identity-based encryption
[Figure: the KDC runs (mpk,msk) ← MKg(1^k); Bob obtains usk_B ← UKg(msk,"Bob"); Alice computes C ← E(mpk,"Bob",M); Bob recovers M ← D(usk_B,C).]
Proposed by Shamir (1984)
Efficiently implemented by Boneh-Franklin (2001)
Identity-based signatures (IBS)
[Figure: the KDC runs (mpk,msk) ← MKg(1^k); Alice obtains usk_A ← UKg(msk,"Alice") and computes σ ← Sign(usk_A,M); Bob outputs acc/rej ← Vf(mpk,"Alice",M,σ).]
Proposed and implemented by Shamir (1984)
Alternative implementations followed [FS86, GQ89]
Renewed interest using pairings [SOK00, P02, CC03, H03, Yi03]
Identity-based identification (IBI)
[Figure: the KDC runs (mpk,msk) ← MKg(1^k); Alice obtains usk_A ← UKg(msk,"Alice") and runs the prover P(usk_A) against Bob's verifier V(mpk,"Alice"), which outputs acc/rej.]
Proposed by Shamir (1984)
Numerous implementations followed [FS86, B88, GQ89, G90, O93]
Provable security of IBI/IBS schemes
IBI schemes: no appropriate security definitions; proofs in a weak model (fixed identity) or entirely lacking
IBS schemes: good security definition [CC03]; security proofs for some schemes directly [CC03] or through the "trapdoor SS" to IBS transform [DKXY03]; some gaps remain
Existing security proofs
Existing security proofs for
  identification schemes underlying IBI schemes (e.g. [FFS88] prove [FS86], [BP02] prove [GQ89])
  signature schemes underlying IBS schemes (e.g. analyses of the Fiat-Shamir transform [PS96, OO98, AABN02])
refer to standard identification (SI) and signature (SS) schemes.
Build on these proofs, rather than from scratch.
Our contributions
Security definitions for IBI schemes
Security proofs for "trivial" certificate-based IBI/IBS schemes
Framework of security-preserving transforms (diagram: SI → IBI, SS → IBS)
Security proofs for 12 scheme "families"
  by implication through transforms
  by surfacing and proving unanalyzed SI schemes
  by proving as IBI schemes directly (exceptions)
Attack on 1 scheme family
Independent work
Kurosawa, Heng (PKC 2004): security definitions for IBI schemes; transform from SS to IBI schemes
Security of IBS and IBI schemes
IBS schemes: uf-cma security [CC03]
IBI schemes: imp-pa, imp-aa, imp-ca security
  1. Learning phase: Initialize and Corrupt oracles; see conversation transcripts (pa), interact with provers sequentially (aa) or in parallel (ca)
  2. Attack phase: impersonate an uncorrupted identity ID_break of the adversary's choice; oracles blocked for ID = ID_break
[Figure: the uf-cma forger F against an IBS scheme receives mpk and has oracles Initialize(ID), Corrupt(ID) → usk_ID, and Sign(usk_ID,·) queried as (M,ID) → σ; it outputs a forgery (ID,M,σ).]
The Shamir-SI scheme
Kg(1^k):
  (N,e,d) ← Krsa(1^k)
  X ←$ Z_N^*
  x ← X^d mod N
  pk ← (N,e,X) ; sk ← (N,e,x)
  Return (pk,sk)
P(sk):
  (N,e,x) ← sk
  y ←$ Z_N^*
  Y ← y^e mod N
  z ← x·y^c mod N
V(pk):
  (N,e,X) ← pk
  c ←$ {0,1}^ℓ(k)
  If z^e = X·Y^c mod N then accept else reject
Protocol messages: P → V: Y ; V → P: c ; P → V: z
"surfaced" from Shamir-IBS [S84]
(statistical) HVZK + POK ⇒ imp-pa secure
not imp-aa secure (attack: choose c=0)
The Shamir-SS scheme
Kg(1^k):
  (N,e,d) ← Krsa(1^k)
  X ←$ Z_N^*
  x ← X^d mod N
  pk ← (N,e,X) ; sk ← (N,e,x)
  Return (pk,sk)
Sign(sk,M):
  (N,e,x) ← sk
  y ←$ Z_N^*
  Y ← y^e mod N
  c ← H(Y,M)
  z ← x·y^c mod N
  σ ← (Y,z)
Vf(pk,M,σ):
  (N,e,X) ← pk
  (Y,z) ← σ
  c ← H(Y,M)
  If z^e = X·Y^c mod N then accept else reject
The framework: SI to SS [FS86]
"canonical" SI scheme: three moves, P(sk) sends commitment Cmt, V(pk) sends challenge Ch, P sends response Rsp; V accepts iff Dec(pk,Cmt,Ch,Rsp)
fs-I-2-S:
  Sign(sk,M): Ch ← H(Cmt,M) ; σ ← (Cmt,Rsp)
  Vf(pk,M,σ): Dec(pk, Cmt, H(Cmt,M), Rsp)
Theorem: SI is imp-pa secure ⇒ SS = fs-I-2-S(SI) is uf-cma secure in the RO model [AABN02]
[Figure: transform diagram SI → SS (fs-I-2-S), with IBI and IBS alongside.]
The Shamir-IBI scheme
MKg(1^k):
  (N,e,d) ← Krsa(1^k)
  mpk ← (N,e) ; msk ← (N,e,d)
  Return (mpk,msk)
UKg(msk,ID):
  (N,e,d) ← msk
  X ← H(ID)
  x ← X^d mod N
  usk ← (N,e,x)
  Return usk
P(usk):
  (N,e,x) ← usk
  y ←$ Z_N^*
  Y ← y^e mod N
  z ← x·y^c mod N
V(mpk,ID):
  (N,e) ← mpk
  c ←$ {0,1}^ℓ(k)
  If z^e = H(ID)·Y^c mod N then accept else reject
Protocol messages: P → V: Y ; V → P: c ; P → V: z
The framework: SI to IBI
"convertible" SI scheme: Kg(1^k) uses a "trapdoor samplable relation" R and outputs sk ← (R,x), pk ← (R,y) such that (x,y) ∈ R
cSI-2-IBI:
  MKg(1^k): generate relation R with trapdoor t ; mpk ← R ; msk ← (R,t)
  UKg(msk, ID): y ← H(ID) ; use t to compute x s.t. (x,y) ∈ R ; usk ← (R,x)
Theorem: SI is imp-xx secure ⇒ IBI = cSI-2-IBI(SI) is imp-xx secure in the RO model
[Figure: transform diagram SI → SS (fs-I-2-S) and SI → IBI (cSI-2-IBI), with IBS alongside.]
The Shamir-IBS scheme
MKg(1^k):
  (N,e,d) ← Krsa(1^k)
  mpk ← (N,e) ; msk ← (N,e,d)
  Return (mpk,msk)
UKg(msk,ID):
  (N,e,d) ← msk
  X ← H(ID)
  x ← X^d mod N
  usk ← (N,e,x)
  Return usk
Sign(usk,M):
  (N,e,x) ← usk
  y ←$ Z_N^*
  Y ← y^e mod N
  c ← H(Y,M)
  z ← x·y^c mod N
  σ ← (Y,z)
Vf(mpk,ID,M,σ):
  (N,e) ← mpk
  (Y,z) ← σ
  c ← H(Y,M)
  If z^e = H(ID)·Y^c mod N then accept else reject
= Shamir-IBS as proposed in [S84]
The framework: SS and IBI to IBS
SS to IBS: cSS-2-IBS, analogous to cSI-2-IBI ("convertible" SS → IBS); generalization of [DKXY03]
Theorem: SS is uf-cma secure ⇒ IBS = cSS-2-IBS(SS) is uf-cma secure in the RO model
IBI to IBS ("canonical" IBI → IBS):
  For a canonical convertible SI scheme X: cSS-2-IBS(fs-I-2-S(X)) = fs-I-2-S(cSI-2-IBI(X))
  Theorem: SI is imp-pa secure ⇒ IBS = fs-I-2-S(cSI-2-IBI(SI)) is uf-cma secure in the RO model
  fs-I-2-S is not security-preserving for canonical IBI schemes in general
  modified transform efs-IBI-2-IBS: Ch ← H(Cmt,M,ID)
  Theorem: IBI is imp-pa secure ⇒ IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the RO model
[Figure: transform diagram SI → SS (fs-I-2-S), SI → IBI (cSI-2-IBI), SS → IBS (cSS-2-IBS), IBI → IBS (fs-I-2-S).]
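The Shamir-IBI and Shamir-IBS schemes above, written out as an added Python example (not code from the paper): cSI-2-IBI derives usk from H(ID) and the RSA trapdoor, the three-move protocol is Shamir-SI run on that usk, and Shamir-IBS is fs-I-2-S applied to it with c ← H(Y,M). The toy primes, exponent and SHA-256 standing in for H are constructed stand-ins with no security; letting the verifier choose c reproduces the earlier observation that c=0 makes the response equal the user secret x, which is why Shamir-SI is not imp-aa secure.

```python
import hashlib
import secrets

P_TOY, Q_TOY, E_TOY = 104723, 104729, 65537  # constructed toy RSA primes and exponent e
ELL = 16  # challenge length l(k) in bits; SHA-256 below stands in for the random oracle H

def H(*parts):
    """Random-oracle stand-in (constructed): SHA-256 of the parts, read as an integer."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def mkg():
    """MKg(1^k): mpk = (N, e), msk = (N, e, d); the RSA trapdoor is d."""
    N, d = P_TOY * Q_TOY, pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))
    return (N, E_TOY), (N, E_TOY, d)

def ukg(msk, ID):
    """UKg(msk, ID) via cSI-2-IBI: X = H(ID), usk holds x = X^d mod N."""
    N, e, d = msk
    return (N, e, pow(H(ID) % N, d, N))

def prover_commit(usk):
    N, e, x = usk
    y = secrets.randbelow(N - 2) + 2  # y <-$ Z_N^* (toy: avoid 0 and 1)
    return y, pow(y, e, N)            # state y, commitment Cmt = Y = y^e mod N

def prover_respond(usk, y, c):
    N, e, x = usk
    return x * pow(y, c, N) % N       # Rsp = z = x * y^c mod N

def decide(mpk, ID, Y, c, z):
    N, e = mpk
    return pow(z, e, N) == (H(ID) % N) * pow(Y, c, N) % N  # z^e = H(ID) * Y^c mod N

def ibi_run(mpk, usk, ID, c=None):
    """One IBI run with a verifier-chosen c (None: honest random challenge); returns (accepted, z)."""
    y, Y = prover_commit(usk)
    c = secrets.randbits(ELL) if c is None else c
    z = prover_respond(usk, y, c)     # with c = 0 the response z is the secret x itself
    return decide(mpk, ID, Y, c, z), z

def ibs_sign(usk, M):
    """Shamir-IBS Sign(usk, M): c = H(Y, M) cut to l bits, sigma = (Y, z)."""
    y, Y = prover_commit(usk)
    return Y, prover_respond(usk, y, H(Y, M) % (1 << ELL))

def ibs_verify(mpk, ID, M, sigma):
    """Vf(mpk, ID, M, sigma): recompute c = H(Y, M), then apply V's decision."""
    Y, z = sigma
    return decide(mpk, ID, Y, H(Y, M) % (1 << ELL), z)
```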
Results for concrete schemes
[Table: columns Name | Origin | Name-SI (imp-pa, imp-aa, imp-ca) | Name-IBI (imp-pa, imp-aa, imp-ca) | Name-SS (uf-cma) | Name-IBS (uf-cma); entries P = proven, I = implied, A = attacked, marked as known results or new contributions.]
Scheme families (Name: Origin): Beth: IBI; OkDL: IBI; SOK: IBS; Hess: IBS; Cha-Cheon: IBS; Shamir*: SI; OkRSA: SI, IBI, SS; BNNDL: SI, IBI; Girault: SI, IBI (every entry A, the attacked family); Shamir: IBS; GQ: IBI, IBS; FF: SI, SS; It. Root: SI, SS; Fiat-Shamir: IBI, IBS