1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake 1, Goichiro Hanaoka 2, and Kazuto Ogawa 1 1 Japan Broadcasting Corporation 2 National Institute of Advanced Industrial Science and Technology
2 Motivation
3 Background “Key exposure” is a critical problem !! Even if a “secure” signature scheme is used, key leakage results in impersonation of the user. more critical for bidirectional broadcasting services !!
4 Bidirectional broadcasting service Signed Request Personal information Broadcaster network Smart card User Verification key Signing key e.g. TV shopping, Quiz program, etc. Service property: Real-time service
5 Problem for signing key leakage Signed Request Personal information Broadcaster network Smart card User Verification key Signing key key leakage Adversary Signed Request Personal information Key update Critical damage !! Broadcaster =
6 Problem for key update in bidirectional broadcasting service PKI cannot be applied directly. Smart card network User 1 User 2 User 3 User n Broadcaster Signing key Verification key CRL Verification key update CA Heavy load !! Real-time service cannot be offered !!
7 Solution Strong key-insulated signature (KIS) scheme Smart card network User 1 User 2 User 3 User n Broadcaster Verification key Signing key update Verification key does NOT have to be updated. No CRL!! No redistribution of verification key !!
8 Motivation In bidirectional broadcasting service, … Signature size is required as short as possible Multiple copies of signed message are individually transmitted to users. Conventional strong KIS scheme not efficient !! Our target Design an efficient strong KIS scheme with a significantly short signature size
9 Related works
10 Adversary Key-insulated signature (KIS) scheme Proposed by Dodis, Katz, Xu, Yung in 2003 [DKXY03] master key [DKXY03] Y. Dodis, J. Katz, S. Xu, and M. Yung : “Strong Key-Insulated Signature Schemes,'‘ Proc. of PKC’03. (2003) Signer Verifier message + signature with time stamp old signing key update signing key time stamp partial key verification key verify signature reject secure against signing key leakage secure device
11 Adversary Strong KIS scheme Proposed by Dodis, Katz, Xu, Yung in 2003 [DKXY03] master key [DKXY03] Y. Dodis, J. Katz, S. Xu, and M. Yung : “Strong Key-Insulated Signature Schemes,'‘ Proc. of PKC’03. (2003) message + signature with time stamp old signing key update signing key time stamp partial key verification key verify signature secure device reject secure against signing key leakage or master key leakage Signer Verifier
12 Our contribution
13 Performance CB schemeGQ schemeOur scheme Verification key size (bits) Signature size (bits) Computational cost (signing) Computational cost (verification) Security assumptionDLRSADL CB scheme: Certificate-based strong KIS scheme using the Schnorr signatures GQ scheme: strong KIS scheme based on the Guillou-Quisquater signature
14 Security Our strong KIS scheme is secure We achieved the same level of security as conventional strong KIS schemes. Adversary master key leakage valid signing key leakage or Signer
15 Our construction
16 Basic concept of our KIS scheme Efficient strong KIS scheme By extending Abe-Okamoto proxy signature scheme [AO02] Efficient proxy signature scheme in terms of verification cost and communication cost [AO02] M.Abe and T.Okamoto : “Delegation Chains Secure up to Constant Length,'‘ IEICE Trans. (2002) Constructing an efficient strong KIS scheme from the Abe-Okamoto scheme is not a trivial exercise.
17 Why is it not a trivial exercise? (1) Extend the KIS scheme to a strong KIS scheme without increasing the signature size. Conversion of proxy signature scheme to KIS scheme Proposed by Malkin, Obana, Yung in [MOY04] The resulting KIS scheme is not a strong KIS scheme. Conversion of (standard) KIS scheme to strong KIS scheme Proposed by Dodis, Katz, Xu, Yung in [DKXY03] Employs double signing: a signature with the master key and a signature with the signer’s secret key not efficient We must construct a scheme without the above conversions. [MOY04] T. Malkin, S. Obana, and M. Yung : “The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures,'‘ Proc. of Eurocrypt’04,. (2004)
18 Why is it not a trivial exercise? (2) Extend the Abe-Okamoto scheme to a KIS scheme that provides adaptive security Not taken into consideration in the security definition of [AO02] We must address adaptive security with a formal security proof from scratch.
19 Our proposed KIS scheme (1) Secure device Signer master key: verification key: Gen: key generation algorithm essential secret info.
20 Our proposed KIS scheme (2) Upd * : partial key generation algorithm Upd: key-update algorithm ? Secure device Signer time stamp signing key for a time period T master keypartial key Verifying partial key Upd* Upd
21 Our proposed KIS scheme (3) Sign: signing algorithm Vrfy: verifying algorithm ? Signer Verifier signing key Verifying signature verification key Sign Vrfy time stamp
22 Remarkable properties of our scheme A signer can update their signing key without updating verification key. The signature size of our scheme is significantly short : 480 bits
23 Another feature of our scheme Partial key verification The signer can verify whether the partial key transmitted from the secure device is valid. If the secure device storing the master key is completely reliable, … Partial key verification is unnecessary during the signing key update. One of the verification keys can be, instead of and. Verification key size can be reduced by half.
24 Security Analysis
25 Basic concept of Security definition (1) KIS scheme Adversary valid signing key Broadcaster
26 Basic concept of Security definition (2) Strong KIS scheme Adversary valid master key Broadcaster
27 Security definition of KIS scheme Adversary A Signing oracle Forged signature Random oracle Key exposure oracle Success probability of signature forgery Security definition of KIS scheme k : security parameter N : total number of time periods A is allowed to submit a query to the key exposure oracle up to t times. If is negligible, is (t,N)- key-insulated. If is (N-1,N)-key-insulated, is perfectly key-insulated.
28 Security definition of strong KIS scheme Adversary B Signing oracle Forged signature Random oracle Success probability of signature forgery Security definition of strong KIS scheme k : security parameter N : total number of time periods If is negligible, is strong (t,N)-key-insulated. If is strong (N-1,N)-key-insulated, is perfectly strong key-insulated. master key
29 Overview of security proof Step1: modified Schnorr signature scheme EUF-ACMA secure under DL assumption Step2: our scheme key-insulated if the modified Schnorr signature scheme is EUF-ACMA secure. Step3: our scheme strong key-insulated if our scheme is key- insulated. Our scheme is strong key-insulated under DL assumption
30 Application
31 Bidirectional content distribution system (proposed by Ohtake, Hanaoka, Ogawa in 2006) Network Broadcaster User Content server Personal information management server Key management server master key Smart card Terminal Generate master key verification key initial signing key Update signing key Generate partial key Verify signature Create signature Our KIS scheme can be applicable.
32 Improved system based on our scheme network Content server Personal information management server Key management server Smart card PK Terminal master key x 0 x’x’ Reduced damage due to master key leakage - Even if the master key x 0 is leaked, the signing key cannot be updated without x’. Efficient verification - Verification key size: 160 bits - Suitable for a smart card Efficient signing - Signature size: 480 bits - Reduce the network cost for transmitting signed messages Broadcaster User
33 Summary
34 Summary Efficient strong KIS scheme Significantly short signature size: 480 bits Provably secure under DL assumption The most suitable signature scheme for bidirectional broadcasting services
35 Thank you for your attention !!