(Multimedia University) Ji-Jian Chin Swee-Huay Heng Bok-Min Goi


1 An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model (Multimedia University) Ji-Jian Chin, Swee-Huay Heng, Bok-Min Goi

2 Contents
1 Introduction 3
2 Preliminaries 9
3 Formal Definition of IBI 11
4 Construction 16
5 Security Analysis 21
6 Conclusion 25
7 Open Problems 26

3 1. Introduction An identification scheme enables one party to identify itself securely to another party authentically and without repudiation. ID-based cryptography – user generates own public key using an identity string. ID-based cryptography does away with certificates binding the public key to the private key, as opposed to traditional public key infrastructure systems.

4 1. Introduction Why Passwords Aren’t Enough? If I can guess/know your password, I can impersonate you. (Easy to guess: keyloggers, peek into your password database, sticky notes with passwords in your office, steal from your hand phone etc) Why IBI and SI can overcome this? Challenge-response identification. Zero-knowledge of secret key involved.

5 1. Introduction History of IBI: IBI fundamental paper proposed by Fiat and Shamir in 1984. Rigorous definition and security proofs only formalized in 2004 by Kurosawa and Heng, and by Bellare, Namprempre and Neven. Schemes mostly have provable security based on the random oracle model. Schemes with provable security in the standard model are not very efficient and few in number.

6 1. Introduction The Random Oracle: first introduced by Bellare and Rogaway in 1993.
The Random Oracle: "I answer anybody's queries with totally random and uniformly distributed answers." New query: give new random answer, and save query for next time. Query I've seen before: existing answer.

7 1. Introduction The Random Oracle
Disadvantages of RO: - heuristic in nature - Canetti et al. showed that certain schemes secure in the random oracle model are insecure once implemented - idealistic: doesn't exist in real world. Conclusion: - scheme secure in ROM better than no proof at all - best to prove in standard model

8 1. Introduction Recent Developments
Kurosawa and Heng proposed the first 2 IBI schemes in the standard model in 2005. Kurosawa and Heng used a trapdoor commitment scheme and a digital signature scheme to construct another IBI scheme in the standard model in 2006. Yang et al. proposed a general framework to construct IBI schemes in the random oracle model in 2007.

9 2. Preliminaries
Bilinear Pairings a) Bilinearity. $e(g^a, g^b) = e(g, g)^{ab}$ b) Non-degeneracy. $e(g, g) \neq 1$ c) Efficiently computable.

10 2. Preliminaries Security Assumptions
a) Security against Passive Attacks: Computational Diffie-Hellman problem (CDHP) - Find $g^{ab}$ given $g$, $g^a$ and $g^b$. b) Security against Active/Concurrent Attacks: One-More Computational Diffie-Hellman Problem (OMCDHP) - Adversary is given a challenge oracle and a CDH oracle. Adversary queries random challenge point from challenge oracle and obtains solution by querying the CDH oracle. Adversary wins the game if at the end the number of queries to the solution oracle is strictly less than the queries to the challenge oracle.
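The OMCDHP game above written out as a small challenger, as an added example that is not from the presentation. It makes explicit the standard requirement that the adversary must also solve every challenge point it requested; the toy group and all names (OMCDHGame, relay_adversary, dlog_adversary, play) are assumptions chosen for illustration.

```python
import secrets

# Toy group (constructed, insecure by design): p = 2q + 1, g of order q.
P, Q, G = 2039, 1019, 4

class OMCDHGame:
    """Challenger for the one-more CDH game with hidden exponent a."""
    def __init__(self):
        self._a = secrets.randbelow(Q - 1) + 1
        self.g_a = pow(G, self._a, P)          # given to the adversary
        self.points = []                       # challenge points handed out
        self.cdh_queries = 0

    def challenge(self) -> int:
        w = pow(G, secrets.randbelow(Q - 1) + 1, P)
        self.points.append(w)
        return w

    def cdh(self, h: int) -> int:
        self.cdh_queries += 1
        return pow(h, self._a, P)              # h^a for any group element h

    def wins(self, answers) -> bool:
        solved = len(answers) == len(self.points) and all(
            ans == pow(w, self._a, P) for w, ans in zip(self.points, answers))
        # Every point solved AND strictly fewer CDH queries than challenges.
        return solved and self.cdh_queries < len(self.points)

def relay_adversary(game, n=3):
    """Forwards each challenge to the CDH oracle: correct, but never 'one more'."""
    return [game.cdh(game.challenge()) for _ in range(n)]

def dlog_adversary(game, n=3):
    """Recovers a by exhaustive search, feasible only in this toy group."""
    a = next(x for x in range(1, Q) if pow(G, x, P) == game.g_a)
    return [pow(game.challenge(), a, P) for _ in range(n)]

def play(adversary) -> bool:
    game = OMCDHGame()
    return game.wins(adversary(game))
```

The relay adversary answers correctly but uses as many CDH queries as challenges, so it loses; the exhaustive-search adversary wins only because the group has 1019 elements.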

11 3. Formal Definitions For IBI
Definition of IBI: IBI = (S, E, P, V), 4 probabilistic polynomial-time algorithms. The Canonical Three Move Protocol (diagram): Setup (S) takes input param and outputs mpk, msk. Extract (E) takes ID and outputs usk. Prover (P) holds mpk, usk, ID ("Prove that I know usk"); Verifier (V) holds mpk, ID ("Accept only if you know usk"). Messages exchanged between P and V: CMT, CHA, RSP.
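The (S, E, P, V) interface and the CMT/CHA/RSP flow above, as an added example that is not from the presentation. It instantiates them with a Schnorr-signature-based IBI over a toy group, not the pairing-based scheme of Section 4, and its hash stands in for a random oracle; the group parameters and all function and class names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def h(r_pub: int, identity: str) -> int:
    """Hash (R, ID) into Z_q; stands in for a random oracle."""
    data = f"{r_pub}|{identity}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def setup():
    """S: returns (mpk, msk)."""
    msk = secrets.randbelow(Q - 1) + 1
    return pow(G, msk, P), msk

def extract(msk: int, identity: str):
    """E: usk is a Schnorr signature (R, s) on ID under msk."""
    r = secrets.randbelow(Q - 1) + 1
    r_pub = pow(G, r, P)
    return r_pub, (r + msk * h(r_pub, identity)) % Q

class Prover:
    def __init__(self, usk):
        self.r_pub, self.s = usk
    def commit(self):
        self.y = secrets.randbelow(Q - 1) + 1
        return self.r_pub, pow(G, self.y, P)       # CMT = (R, Y)
    def respond(self, cha: int) -> int:
        return (self.y + cha * self.s) % Q         # RSP = y + c*s mod q

class Verifier:
    def __init__(self, mpk: int, identity: str):
        self.mpk, self.identity = mpk, identity
    def challenge(self, cmt) -> int:
        self.cmt = cmt
        self.cha = secrets.randbelow(Q - 1) + 1    # CHA, nonzero
        return self.cha
    def verify(self, rsp: int) -> bool:
        r_pub, y_pub = self.cmt
        # g^s is recomputed from mpk and ID alone: R * mpk^h(R, ID).
        s_pub = r_pub * pow(self.mpk, h(r_pub, self.identity), P) % P
        return pow(G, rsp, P) == y_pub * pow(s_pub, self.cha, P) % P

def run_protocol(mpk, usk, identity) -> bool:
    prover, verifier = Prover(usk), Verifier(mpk, identity)
    cha = verifier.challenge(prover.commit())
    return verifier.verify(prover.respond(cha))
```

The verifier never sees usk: it checks the response against a value derived only from mpk, ID and the commitment, which is the "accept only if you know usk" condition of the diagram.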

12 3. Formal Definition of IBI
Security Model for IBI. Goal of adversary towards IBI: impersonation. Considered successful if: - Interact with verifier as prover with public ID - Accepted by verifier with non-negligible probability. Stronger assumptions of IBI vs SI: 1. The adversary can choose a target identity ID to impersonate as opposed to a random public key. 2. In IBI the adversary has access to an extract oracle, so she can possess private keys of some users which she has chosen.

13 3. Formal Definition for IBI
Security Model for IBI
Passive attacks (imp-pa): Eavesdrop.
Active attacks (imp-aa): Interacts with provers as a cheating verifier.
Concurrent attacks (imp-ca): Interacts with provers as a cheating verifier concurrently.

14 3. Formal Definition for IBI
Security Model for IBI. The impersonation attack between the impersonator I and the challenger C is described as a two-phase game. Phase 1: I either extracts transcript queries for imp-pa or acts as a cheating verifier in imp-aa and imp-ca. Phase 2: I plays the cheating prover on the identity it picks and tries to convince the verifier.

15 3. Formal Definition for IBI
Security Model for IBI. An IBI scheme is $(t, q_I, \varepsilon)$-secure against imp-pa/imp-aa/imp-ca if for any I who runs in time $t$, $\Pr(I \text{ can impersonate}) < \varepsilon$, where I can make at most $q_I$ queries.

16 4. Construction Construction of IBI scheme based on the Waters Signature Scheme. Let and be finite cyclic groups of order and let be a generator of . Let be an efficiently computed bilinear map. Use a collision-resistant hash function to hash identities of arbitrary length to a bit string of length .

17 4. Construction Setup Select an n-length vector

18 4. Construction
Extract ID: hashed user identity string of length n. Let $d_i$: ith bit of ID. Let be the set of all $i$ where $d_i = 1$

19 4. Construction Prove and Verify Prove Verify Accept if

20 4. Construction Correctness

21 5. Security Analysis
Security against Passive Attacks. Theorem 1: The proposed IBI scheme is $(t, q_I, \varepsilon)$-secure against impersonation under passive attacks in the standard model if the CDHP is $(t', \varepsilon')$-hard where : time for multiplication in : time for exponentiation in : extract queries made : transcript queries made and

22 5. Security Analysis
Security against Active/Concurrent Attacks. Theorem 2: The proposed IBI scheme is $(t, q_I, \varepsilon)$-secure against impersonation under active/concurrent attacks in the standard model if the OMCDHP is $(t'', q_{CDH}, \varepsilon'')$-hard where : time for multiplication in : time for exponentiation in : extract queries made : transcript queries made and

23 5. Security Analysis Efficiency
Table 1: Complexity Cost
Columns: Multiplication, Exponentiation, Pairing
Setup: 2
Extract: Max: n+2, Avg: (n/2)+2
Prove: Max: n+1, Avg: (n/2)+1; 3
Verify: Max: n+3, Avg: (n/2)+3

24 5. Security Analysis Efficiency
Table 2: Comparisons with other IBI
Scheme | Efficiency of P and V | Imp-pa assumption | Imp-aa/ca assumption
HKIBI05a | 6G,6E,4P | q-SDH | Unknown
HKIBI05b | 12G,12E,6P | |
HKIBI06 | 9G,11E,3P,1 SOTSS | |
Proposed IBI | (n+4)G,5E,3P | CDH | OMCDHP

25 6. Conclusion Merits of Proposed IBI: Direct proof. Provable security against both imp-pa and imp-aa/ca in the standard model. More efficient than other IBI schemes in standard model.

26 7. Open Problems More IBI schemes that are efficient and provably secure in the standard model. More IBI schemes with direct proof to a hard mathematical problem as opposed to reductions from transformations. An IBI scheme with provable security against imp-aa/ca using a weaker assumption like DLOG or CDH.

27 Thank You Q&A

