Design and Security Analysis of Marked Blind Signature Attività formativa Design and Security Analysis of Marked Blind Signature Studente Claudia Snels Professore Giuseppe Bianchi

Presentation outline Introduction Security analysis Blind signatures New Marked Blind Signature (MBS) Security analysis General methods Security Analysis of MBS Ongoing work on MBS Applications Conclusions

Chaum’s Blind RSA Signature Be P mod n Server Client (Be P)d = B Pd mod n B Blinding Term P Message to be signed (d,n) Server’s private key (e,n) Server’s public key User unblinds the received message and obtains a valid signature for P Server doesn’t know what he has signed BLIND SIGNATURE Introduction: Blind signatures

Marked Blind Signature Goal: add random “mark” R inside signature R unknown/unforgeable by both server/client Application “stamp” the act of signing Anticipated certificate verification Wrap proof of possession of a certificate private key inside the signature! SPARTA pseudonym/authorization approach from Netlab (more later) Introduction: New Marked Blind Signatures

Marked Blind Signature Simpler (but flawed) version  easier to understand R=XY inserted by client (full-domain hashed with P) Blinding with same factor B Approach: use homomorphic property of RSA encryption X = client random; B = blinding factor Homomorphic computation of R=XY (blindly) Signed credential Server side blind insertion of R=XY Additive insertion to avoid forgery and easy attacks Flaw: traceability! Server associate to real user the following value

Marked Blind Signature Actual (correct) version Discrete Logarithm modulus n (server RSA) DL-strong base g (Double) Homomorphic computation of R=XY+Z - X,Z: client random - Y: server random - under the condition XY+Z<n Elimination of B now harmless Introduction: New Marked Blind Signatures

Signature verification Authorization Credential: Signed pseudonym After server signature, client computes R as Verification: Client verifies certificate P usual challenge handshake Client presents P, R, cred Server checks: Introduction: New Marked Blind Signatures

How to develop a security analysis Security protocol Message Exchange Message exchange Cryptographic primitives Logic correctness Explicitness of information exchanged Automatic Theorem Provers (Isabelle) Semantic Analysis Black Box Cryptography is supposed to work well Security analysis: General methods

How to develop a security analysis Cryptographic primitives Simple signatures scheme like RSA, Diffie-Hellmann More complicated schemes like Chaum’s Blind Signature, elliptic curve signature Massive usage of basic number theory theorems A jungle of papers about: zero knowledge proof, Random Oracles WHY? Security analysis: General methods

Security analysis: our choice Problem: Simple Ideas but with “uncommon” requirements (e.g. untraceability) are VERY difficult to proof Two strategies Design very complicated protocol which can satisfy a large number of hypothesis. Under such strict hypotheses a rigorous mathetical proof is possible Maintain a simple idea! Try an attack based security analysis, and build a rigorous proof when possible Problem: unapplicability of such protocols in software tools OUR CHOICE Security analysis: General methods

Main features of a blind signature scheme Unforgeability of R: R should be a random created by both peers but not forgeable in order to prevent traceability or reusage of the same marker Unforgeability of mbs: client should not be able to generate (forge) a valid signature Untraceability: Server should not be able to trace Client Security analysis of mbs

Security analysis of mbs Unforgeability of R We remind that the strategy of the attack is to choose a suitable x (for Client) or y (for Server) such that mod n or mod n. In the first case we have R=s, so its value is decided by Client. Values having this property are the Euler totient function and the Carmichael function, but this values are known only to Bob who possesses the factorization of n=pq. So we can conclude: Server can choose a suitable y but this is not an advantage for him Client can’t choose a suitable x, or in another way this is as difficult as factorising RSA modulo n R is UNFORGEABLE Security analysis of mbs

Security analysis of mbs Unforgeability of mbs How Alice can try to forge mbs? We refer to the one more forgery, in the sense that if Client owns a signing oracle she can’t obtain one more mbs than the number of queries she makes to the oracle. HOMOMORPHIC PROPERTY OF RSA With Marked Blind Signature is this possible? Security analysis of mbs

Security analysis of mbs Unforgeability of mbs Try to find a R and a message m such that Hard computation due to multiple hash terms presence of R inside and outside the Hash Under Random Oracle Hypothesis, our signature is as unforgeable as Chaum’s blind signature Security analysis of mbs

Security analysis of mbs Untraceability We focus on the possibility for the server to build a marker univocally linkable to one client (remember the flaw of the first scheme presented). In our case we can eliminate the blinding term B and produce the following ratios While good candidates for markers are Always blinded Not directly obtainable by Server Security analysis of mbs

Security analysis of mbs Untraceability In order to obtain we must have We have demonstrated that is not obtainable as long as Server doesn’t know B So next question is: how to obtain B? During handshake Blindness during handshake 2 equations 3 variables Security analysis of mbs

Formal proof of validity and blindness Definition. A signature scheme is called blind if Server’s view V and the triple (mbs,R,m) are statistically indipendent, that is during verification phase Server cannot recognise Client. Theorem. The triple (mbs,R,m) is a valid signature for message m and the mbs protocol is a blind scheme. Proof. Validity if the hash is collision free Security analysis of mbs

Formal proof of validity and blindness Blindness. we show that given any view V and any valid triple (mbs,R,m) there exist a unique pair of blinding factors B and R. Because Client chooses both blinding terms at random (in fact we have previously underlined the unforgeability of R), the blindness of the signature scheme follows. If the signature (mbs,R) has been generated during an execution of the protocol with view V consisting of y, x1, x2, (x1y + x2), then the following equations must hold One parameter solution x,s random R unforgeable Unique solution Security analysis of mbs

Security analysis of mbs Harn’s attack Harn’s attack is a Server attack based on: Blind signature Collection of signatures and handshake terms Let m be a generic message to be blindly signed, the attack is developed in two steps Server collects for each client the received term Bem and Bmd When Server receives the signature md he divides every Bmd term and tries if the B obtained gives a correct match for Bem. With a positive match he can trace user Security analysis of mbs

Resistance of mbs against Harn’s attack Let and the signature received by Server during verification and suppose that we have two registered users 1) If Server operates the strategy previously described and he succeds to identificate Client 1 2) If Server operates the strategy previously described but he first tries to identificate Client 2 as Client 1 We write Server uncorrectly identify Client 2 as Client 1 Security analysis of mbs

Open problems: distribution of R If we want the signature to be valid we must have R<n But x y and s are random It is necessary to choose suitable distributions and ranges such that R looks like a uniformly distributed random variable Problem: BAD distribution Naive approach Try x and y uniform in S uniform in Ongoing work on mbs

Attack on distribution of R The distribution of R has a very different concentration for high or low values of y. So if Server gives a Client a low y he knows that with very high probability R will assume a certain range of values and viceversa. Server can classify and consequently trace classes of users y=1 Ongoing work on MBS

Guidelines for distribution choices Y protects server from client’s attack on R so its distribution range should not be small Client is already protected by s so x can be small S can smooth the distribution of R (convolution) so it should have a large range Ongoing work on MBS

Some insights about distributions If x and y are uniform in the same range Logarithm like distribution If x and y uniform in Almost uniform And s uniform in Ongoing work on MBS

Sample MBS application: pseudonym’s blind authorization PKI-like Pseudonym assignement Infrastructure Blind signature P Alice Server auth Applications

Pseudonym assignement Infrastructure Pseudonym Hijacking Pseudonym assignement Infrastructure Evil Server P P auth Alice Evil is authorised as Alice, because he has stolen her pseudonym MBS as a tool to show possession of the pseudonym private key Applications

MBS for pseudonym authorization Inclusion of pseudonym private key to permit verification at registration time Applications

Conclusions Proven security of Marked Blind Signature Design of a simple scheme that can be easily integrated in an AAA with pseudoyms New insights about distributions of random numbers introduced in signatures and related server attacks Conclusions