Security Proofs for Identity-Based Identification and Signature Schemes Mihir Bellare University of California at San Diego, USA Chanathip Namprempre Thammasat.


Slide 1: Security Proofs for Identity-Based Identification and Signature Schemes
Mihir Bellare (University of California at San Diego, USA), Chanathip Namprempre (Thammasat University, Thailand), Gregory Neven (Katholieke Universiteit Leuven, Belgium)

Slide 2: Identity-based encryption
Diagram: the KDC runs MKg(1^k) → (mpk, msk) and issues usk_B ← UKg(msk, "Bob") to Bob. Alice encrypts C ← E(mpk, "Bob", M); Bob decrypts M ← D(usk_B, C).
- Proposed by Shamir (1984)
- Efficiently implemented by Boneh-Franklin (2001)

Slide 3: Identity-based signatures (IBS)
Diagram: the KDC runs MKg(1^k) → (mpk, msk) and gives Alice usk_A ← UKg(msk, "Alice"). Alice produces σ ← Sign(usk_A, M); Bob outputs acc/rej ← Vf(mpk, "Alice", M, σ).
- Proposed and implemented by Shamir (1984)
- Alternative implementations followed [FS86, GQ89]
- Renewed interest using pairings [SOK00, P02, CC03, H03, Yi03]

Slide 4: Identity-based identification (IBI)
Diagram: the KDC runs MKg(1^k) → (mpk, msk) and gives Alice usk_A ← UKg(msk, "Alice"). Alice, as prover P(usk_A), runs an interactive protocol with Bob, the verifier V(mpk, "Alice"), who outputs acc/rej.
- Proposed by Shamir (1984)
- Numerous implementations followed [FS86, B88, GQ89, G90, O93]

Slide 5: Provable security of IBI/IBS schemes
- IBI schemes
  - no appropriate security definitions
  - proofs in weak model (fixed identity) or entirely lacking
- IBS schemes
  - good security definition [CC03]
  - security proofs for some schemes directly [CC03] or through the "trapdoor SS" to IBS transform [DKXY03]
  - some gaps remain

Slide 6: Existing security proofs
Existing security proofs for
- identification schemes underlying IBI schemes, e.g. [FFS88] prove [FS86], [BP02] prove [GQ89]
- signature schemes underlying IBS schemes, e.g. analyses of the Fiat-Shamir transform [PS96, OO98, AABN02]
refer to standard identification (SI) and signature (SS) schemes. Build on these proofs, rather than from scratch.

Slide 7: Our contributions
- Security definitions for IBI schemes
- Security proofs for "trivial" certificate-based IBI/IBS schemes
- Framework of security-preserving transforms (diagram: SI → IBI, SS → IBS)
- Security proofs for 12 scheme "families"
  - by implication through transforms
  - by surfacing and proving unanalyzed SI schemes
  - by proving as IBI schemes directly (exceptions)
- Attack on 1 scheme family

Slide 8: Independent work
Kurosawa, Heng (PKC 2004):
- security definitions for IBI schemes
- transform from SS to IBI schemes

Slide 9: Security of IBS and IBI schemes
- IBS schemes: uf-cma security [CC03]
- IBI schemes: imp-pa, imp-aa, imp-ca security
  1. Learning phase: Initialize and Corrupt oracles; see conversation transcripts (pa), interact with provers sequentially (aa) or in parallel (ca)
  2. Attack phase: impersonate an uncorrupted identity ID_break of the adversary's choice
Oracles are blocked for ID = ID_break.
Diagram: the adversary F, given mpk, queries Initialize(ID), Corrupt(ID) → usk_ID and (for IBS) Sign(usk_ID, ·) on (M, ID) → σ, and outputs (ID, M, σ).

Slide 10: The Shamir-SI scheme
Kg(1^k): (N,e,d) ← K_rsa(1^k); X ←R Z_N^*; x ← X^d mod N; pk ← (N,e,X); sk ← (N,e,x); Return (pk,sk)
P(sk): (N,e,x) ← sk; y ←R Z_N^*; Y ← y^e mod N; send Y; receive c; z ← x·y^c mod N; send z
V(pk): (N,e,X) ← pk; receive Y; c ←R {0,1}^ℓ(k); send c; receive z; If z^e = X·Y^c mod N then accept else reject
Protocol flow: P → V: Y; V → P: c; P → V: z
- "surfaced" from Shamir-IBS [S84]
- (statistical) HVZK + POK ⇒ imp-pa secure
- not imp-aa secure (attack: choose c=0)

Slide 11: The Shamir-SS scheme
Kg(1^k): (N,e,d) ← K_rsa(1^k); X ←R Z_N^*; x ← X^d mod N; pk ← (N,e,X); sk ← (N,e,x); Return (pk,sk)
Sign(sk,M): (N,e,x) ← sk; y ←R Z_N^*; Y ← y^e mod N; c ← H(Y,M); z ← x·y^c mod N; σ ← (Y,z)
Vf(pk,M,σ): (N,e,X) ← pk; (Y,z) ← σ; c ← H(Y,M); If z^e = X·Y^c mod N then accept else reject

Slide 12: The framework: SI to SS [FS86]
"canonical" SI scheme: a three-move protocol between P(sk) and V(pk): P sends Cmt, V sends Ch, P sends Rsp, and V decides with Dec(pk, Cmt, Ch, Rsp).
fs-I-2-S:
- Sign(sk,M): Ch ← H(Cmt,M); σ ← (Cmt,Rsp)
- Vf(pk,M,σ): Dec(pk, Cmt, H(Cmt,M), Rsp)
Theorem [AABN02]: SI is imp-pa secure ⇒ SS = fs-I-2-S(SI) is uf-cma secure in the RO model
Diagram: SI → SS via fs-I-2-S (IBI and IBS are the remaining nodes of the framework)

Slide 13: The Shamir-SI scheme
Kg(1^k): (N,e,d) ← K_rsa(1^k); X ←R Z_N^*; x ← X^d mod N; pk ← (N,e,X); sk ← (N,e,x); Return (pk,sk)
P(sk): (N,e,x) ← sk; y ←R Z_N^*; Y ← y^e mod N; send Y; receive c; z ← x·y^c mod N; send z
V(pk): (N,e,X) ← pk; receive Y; c ←R {0,1}^ℓ(k); send c; receive z; If z^e = X·Y^c mod N then accept else reject

Slide 14: The Shamir-IBI scheme
MKg(1^k): (N,e,d) ← K_rsa(1^k); mpk ← (N,e); msk ← (N,e,d); Return (mpk,msk)
UKg(msk,ID): (N,e,d) ← msk; X ← H(ID); x ← X^d mod N; usk ← (N,e,x); Return usk
P(usk): (N,e,x) ← usk; y ←R Z_N^*; Y ← y^e mod N; send Y; receive c; z ← x·y^c mod N; send z
V(mpk,ID): (N,e) ← mpk; receive Y; c ←R {0,1}^ℓ(k); send c; receive z; If z^e = H(ID)·Y^c mod N then accept else reject

Slide 15: The framework: SI to IBI
Theorem: SI is imp-xx secure ⇒ IBI = cSI-2-IBI(SI) is imp-xx secure in the RO model
"convertible" SI scheme and the cSI-2-IBI transform:
- Kg(1^k): "trapdoor samplable relation" R; sk ← (R,x); pk ← (R,y) such that (x,y) ∈ R
- MKg(1^k): generate relation R with trapdoor t; mpk ← R; msk ← (R,t)
- UKg(msk,ID): y ← H(ID); use t to compute x s.t. (x,y) ∈ R; usk ← (R,x)
Diagram: SI → IBI via cSI-2-IBI, SI → SS via fs-I-2-S (IBS is the remaining node)

Slide 16: The Shamir-SS scheme
Kg(1^k): (N,e,d) ← K_rsa(1^k); X ←R Z_N^*; x ← X^d mod N; pk ← (N,e,X); sk ← (N,e,x); Return (pk,sk)
Sign(sk,M): (N,e,x) ← sk; y ←R Z_N^*; Y ← y^e mod N; c ← H(Y,M); z ← x·y^c mod N; σ ← (Y,z)
Vf(pk,M,σ): (N,e,X) ← pk; (Y,z) ← σ; c ← H(Y,M); If z^e = X·Y^c mod N then accept else reject

Slide 17: The Shamir-IBS scheme
MKg(1^k): (N,e,d) ← K_rsa(1^k); mpk ← (N,e); msk ← (N,e,d); Return (mpk,msk)
UKg(msk,ID): (N,e,d) ← msk; X ← H(ID); x ← X^d mod N; usk ← (N,e,x); Return usk
Sign(usk,M): (N,e,x) ← usk; y ←R Z_N^*; Y ← y^e mod N; c ← H(Y,M); z ← x·y^c mod N; σ ← (Y,z)
Vf(mpk,ID,M,σ): (N,e) ← mpk; (Y,z) ← σ; c ← H(Y,M); If z^e = H(ID)·Y^c mod N then accept else reject
= Shamir-IBS as proposed in [S84]
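As an added example (not code from the slides or from the authors), the Shamir-IBI protocol of slide 14 and the Shamir-IBS scheme above written out in Python: the signature scheme is obtained from the interactive protocol exactly as fs-I-2-S prescribes, by replacing the verifier's random challenge with c = H(Y, M). The RSA primes, the SHA-256 stand-ins for the random oracles H(ID) and H(Y, M), and the 64-bit challenge length are constructed toy parameters. The comment on ibi_respond records the c = 0 observation from slide 10: a zero challenge makes the response equal the user secret key, which is why imp-pa security does not extend to imp-aa.

```python
import hashlib
from random import SystemRandom

rng = SystemRandom()
ELL = 64  # challenge length ell(k); a constructed toy parameter

def _h(*parts):
    """SHA-256 of the joined parts as an integer (constructed random-oracle stand-in)."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def H_id(N, ID):
    """H(ID) in Z_N^*: the hashed identity reduced mod N (a zero result is mapped to 1)."""
    return _h("id", ID) % N or 1

def H_ch(Y, M):
    """Fiat-Shamir challenge c = H(Y, M) as an ell-bit integer."""
    return _h("ch", Y, M) % (1 << ELL)

def mkg(p, q, e=65537):
    """MKg: RSA setup from two primes; mpk = (N, e), msk = (N, e, d)."""
    N = p * q
    return (N, e), (N, e, pow(e, -1, (p - 1) * (q - 1)))

def ukg(msk, ID):
    """UKg: usk = (N, e, x) with x = H(ID)^d mod N, an e-th root of the hashed identity."""
    N, e, d = msk
    return (N, e, pow(H_id(N, ID), d, N))

# Shamir-IBI: the three-move protocol P(usk) <-> V(mpk, ID)
def ibi_commit(usk):
    """Prover move 1: pick y in Z_N^*, send Y = y^e mod N; keep y as state."""
    N, e, _ = usk
    y = rng.randrange(1, N)
    return y, pow(y, e, N)

def ibi_respond(usk, y, c):
    """Prover move 2: z = x * y^c mod N. With c = 0 this is x itself, the user secret key."""
    N, _, x = usk
    return x * pow(y, c, N) % N

def ibi_decide(mpk, ID, Y, c, z):
    """Verifier: accept iff z^e = H(ID) * Y^c mod N."""
    N, e = mpk
    return pow(z, e, N) == H_id(N, ID) * pow(Y, c, N) % N

# Shamir-IBS = fs-I-2-S(Shamir-IBI): the challenge becomes c = H(Y, M)
def sign(usk, M):
    y, Y = ibi_commit(usk)
    return Y, ibi_respond(usk, y, H_ch(Y, M))

def verify(mpk, ID, M, sig):
    Y, z = sig
    return ibi_decide(mpk, ID, Y, H_ch(Y, M), z)
```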

Slide 18: The framework: SS and IBI to IBS
Diagram: SI → IBI (cSI-2-IBI), SI → SS (fs-I-2-S), SS → IBS (cSS-2-IBS), IBI → IBS (fs-I-2-S)
- SS to IBS: cSS-2-IBS
  - analogous to cSI-2-IBI: "convertible" SS → IBS
  - generalization of [DKXY03]
  - Theorem: SS is uf-cma secure ⇒ IBS = cSS-2-IBS(SS) is uf-cma secure in the RO model
- IBI to IBS: "canonical" IBI → IBS
  - For canonical convertible SI X: cSS-2-IBS(fs-I-2-S(X)) = fs-I-2-S(cSI-2-IBI(X))
  - Theorem: SI is imp-pa secure ⇒ IBS = fs-I-2-S(cSI-2-IBI(SI)) is uf-cma secure in the RO model
  - fs-I-2-S is not security-preserving for canonical IBI schemes in general
  - modified efs-IBI-2-IBS transform: Ch ← H(Cmt,M,ID)
  - Theorem: IBI is imp-pa secure ⇒ IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the RO model

Slides 19-20: Results for concrete schemes
P = proven, I = implied, A = attacked (the slides distinguish known results from new contributions by colour, which is not preserved in the transcript)

Name         Origin         Name-SI (pa aa ca)   Name-IBI (pa aa ca)   Name-SS uf-cma   Name-IBS uf-cma
Fiat-Shamir  IBI, IBS       P  P  P              I  I  I               I                I
FF           SI, SS         P  P  P              I  I  I               I                I
GQ           IBI, IBS       P  P  P              I  I  I               I                I
Shamir       IBS            P  A  A              I  A  A               I                I
Shamir*      SI             P  P  P              I  I  I               I                I
OkRSA        SI, IBI, SS    P  P  P              I  I  I               I                I
Girault      SI, IBI        A  A  A              A  A  A               A                A
SOK          IBS            P  A  A              I  A  A               I                I
Hess         IBS            P  P  P              I  I  I               P                I
Cha-Cheon    IBS            P  P  P              I  I  I               I                P
OkDL         IBI            I  I  I              P  P  P               I                I
BNNDL        SI, IBI        I  I  I              P  P  P               I                I

Two rows have blank cells on the slide, and the transcript does not preserve which columns they fall in; their entries in reading order are: It. Root (SI, SS): P P I I I I; Beth (IBI): P I I I.

Slide 21: Provable security of IBI/IBS schemes
- IBI schemes
  - no appropriate security definitions
  - proofs in weak model (fixed identity) or entirely lacking
- IBS schemes
  - good security definition [CC03]
  - security proofs for some schemes directly [CC03] or through the "trapdoor SS" to IBS transform [DKXY03]
  - some gaps remain
- Existing security proofs
  - many SI schemes proven, e.g. [FS86, GQ89] in [FFS88, BP02]
  - SS schemes through the Fiat-Shamir transform [PS96, OO98, AABN02]
  refer to SI/SS schemes, not IBI/IBS schemes; build on these results, rather than from scratch