Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.
Outline Motivation Revised Definition of Security Protocol Securely Realizing our definition Proof of Security Proactive Security
Motivation for better security Hi Bob SignatureHi Bob
Motivation for mobility We want Alice to be able to use any computer. No or low trust in the computer used. No key material on the computer used.
Outline Motivation Revised Definition of Security Protocol Securely Realizing our definition Proof of Security Proactive Security
Definition of Security Using the Universal Composability framework Ideal world: Definition of the security Real world: Our protocol Prove by simulation some equavalense between the two worlds
Ideal Functionality for digital signatures Ran Canetti [C05]
Intuition behind F SIG The simulator generates keys –This makes F SIG general and not related to the specific algorithms. F SIG is acting like a storage: –Signing: Messages get recorded. –Verification: If the message has been recorded then it is accepted. If the signer (Alices computer) is corrupted everything can be verified.
F M-SIG : Revised Edition of F SIG We want the human user “U” to decide if a message should be signed and thereby verified.
Outline Motivation Revised Definition of Security Protocol Securely Realizing F M-SIG Proof of Security Proactive Security
Idear behind our protocol
1’st approach Assume that the adversary at most controls one of {MD,T,S} Use RSA signatures Additive secret share the users private exponent: d = d 1 + d 2 Assume that keys are set up beforehand.
2’nd approach Why 2’nd: –We implemented it. –It was a bit slow. Assume that the mobile device has limited computational power (No exponentiation) We want to give privacy back to the user. –This one is easy: RSA signatures already use hashing, so just send the has to the server.
mUmU m d MD dSdS K K m pwd m m ok δ MD δ MD = d MD + F K (H(m)) σ MD, H(m), pwd σSσS σ MD = H(m) mod N δ MD σ S = H(m) mod N d S -F K (H(m)) σ = σ MD × σ S mod N = H(m) mod N d MD + F K (H(m)) + d S - F K (H(m))
Outline Motivation Revised Definition of Security Protocol Securely Realizing our definition Proof of Security Proactive Security
Sketch of security proof Reduction R: If an adversary A can break our protocol, then R can use A to break standard RSA signatures. Given: –a RSA-oracle O, which provide a public key, and will sign message. –an Adversary, that can break the security of our protocol. R produces a signature on a message, never sent to O.
Sketch of reduction Flip coin c: –0: Guess A will corrupt S d S = random number mod n Simulate: σ MD from σ, m and d S –Calculate σ S –σ MD = σ × σ S -1 mod n –1: Guess A will corrupt MD or T d MD = random number mod n Simulate: σ S from σ, m and d MD –Calculate δ MD and σ MD –σ S = σ × σ MD -1 mod n If the guess was wrong: “Bad luck”, but only polynomial “bad luck”
Outline Motivation Revised Definition of Security Protocol Securely Realizing our definition Proof of Security Proactive Security
Proactive security Corrupted parties, can recover Nice property in our protocol. Changes to the protocol: –Assume deletion is possible on MD and S. –Assume all parties are honest during recovery –User U has a Paillier secret key. –The server S has d encrypted under the Paillier public key.
Proactive security (Sketch) Recover the computer T: –Make a new password pwd Recover MD or S: –MD and S, deletes d MD and d S –S selects random d S and uses the homomorphic property of Paillier to make an encryption of a new d MD –Send the encryption of d MD to MD.
Sketch of security proof We cannot just make a guess, like in the non-proactive case. –Not a polynomial reduction Solution: Rewind A –But: m, that A can sign by itself may have been send to O before rewinding. Solution: A is polynomial => m would be send to O at polynomial time after a rewind, and A would be rewinded in this particular run. Try to guess and rewind before m would have been send to O Similar to proof by [ADN06] Tighter reduction is possible, requires more complex protocol.
Conclusion etc. We proposed a revised definition of security for digital signatures We proposed a proactive protocol in this revised security definition. Part of the ITSCI project. Prototype.