Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Proofs for Identity-Based Identification and Signature Schemes Mihir Bellare University of California at San Diego, USA Chanathip Namprempre Thammasat.

Published byRebecca Holland Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Proofs for Identity-Based Identification and Signature Schemes Mihir Bellare University of California at San Diego, USA Chanathip Namprempre Thammasat."— Presentation transcript:

1 Security Proofs for Identity-Based Identification and Signature Schemes Mihir Bellare University of California at San Diego, USA Chanathip Namprempre Thammasat University, Thailand Gregory Neven Katholieke Universiteit Leuven, Belgium

2 2 Bob KDC Alice usk B msk,“Bob” Identity-based encryption (mpk,msk)1k1k MKg usk B M mpk mpk,“Bob” UKg E M usk B D C  Proposed by Shamir (1984)  Efficiently implemented by Boneh-Franklin (2001)

3 3 KDC Alice usk A msk,“Alice” Identity-based signatures (IBS) (mpk,msk)1k1k MKg mpk M usk A UKg Sign Bob acc/rej mpk, “Alice” Vf M,σ  Proposed and implemented by Shamir (1984)  Alternative implementations followed [FS86, GQ89]  Renewed interest using pairings [SOK00, P02, CC03, H03, Yi03]

4 4 Bob KDC Alice usk A msk,“Alice” Identity-based identification (IBI) (mpk,msk)1k1k MKg mpk usk A UKg acc/rej mpk, “Alice”  Proposed by Shamir (1984)  Numerous implementations followed [FS86, B88, GQ89, G90, O93] PV

5 5 Provable security of IBI/IBS schemes  IBI schemes  no appropriate security definitions  proofs in weak model (fixed identity) or entirely lacking  IBS schemes  good security definition [CC03]  security proofs for some schemes directly [CC03] or through “trapdoor SS” to IBS transform [DKXY03]  some gaps remain

6 6 Existing security proofs Existing security proofs for  identification schemes underlying IBI schemes e.g.[FFS88] prove [FS86] [BP02] prove [GQ89]  signature schemes underlying IBS schemes e.g. analyses of Fiat-Shamir transform [PS96, OO98, AABN02] refer to standard identification (SI) and signature (SS) schemes. Build on these proofs, rather than from scratch.

7 7 Our contributions  Security definitions for IBI schemes  Security proofs for “trivial” certificate-based IBI/IBS schemes  Framework of security-preserving transforms  Security proofs for 12 scheme “families”  by implication through transforms  by surfacing and proving unanalyzed SI schemes  by proving as IBI schemes directly (exceptions)  Attack on 1 scheme family SIIBI SSIBS

8 8 Independent work Kurosawa, Heng (PKC 2004):  security definitions for IBI schemes  transform from SS to IBI schemes

9 9 Security of IBS and IBI schemes  IBS schemes: uf-cma security [CC03]  IBI schemes: imp-pa, imp-aa, imp-ca security 1.Learning phase: Initialize and corrupt oracles, see conversation transcripts (pa), interact with provers sequentially (aa) or in parallel (ca) 2.Attack phase: Impersonate uncorrupted identity ID break of adversary’s choice Oracles blocked of for ID = ID break F mpk Initializ e ID Corrupt ID usk ID M,ID σ ID,M,σ Sign(usk ID,·)

10 10 The Shamir-SI scheme (N,e,d) ← K rsa (1 k ) X ← Z N x ← X d mod N pk ← (N,e,X) sk ← (N,e,x) Return (pk,sk) * (N,e,x) ← sk y ← Z N Y ← y e mod N z ← xy c mod N Kg(1 k )P(sk) (N,e,X) ← pk c ← {0,1} ℓ(k) If z e = XY c mod N then accept else reject V(pk) Y c z * R R R  “surfaced” from Shamir-IBS [S84]  (statistical) HVZK + POK ⇒ imp-pa secure  not imp-aa secure (attack: choose c=0)

11 11 The Shamir-SS scheme (N,e,d) ← K rsa (1 k ) X ← Z N x ← X d mod N pk ← (N,e,X) sk ← (N,e,x) Return (pk,sk) (N,e,x) ← sk y ← Z N Y ← y e mod N c ← H(Y,M) z ← xy c mod N σ ← (Y,z) Kg(1 k )Sign(sk,M) (N,e,X) ← pk (Y,z) ← σ c ← H(Y,M) If z e = XY c mod N then accept else reject Vf(pk,M,σ) * * R R

12 12 The framework: SI to SS [FS86] “canonical” SI scheme: SI SS fs-I-2-S pk Dec(pk,Cmt,Ch,Rsp) sk Cmt Ch Rsp  Sign(sk,M): Ch ← H(Cmt,M) σ ← (Cmt,Rsp)  Vf(pk,M, σ): Dec(pk, Cmt, H(Cmt,M), Rsp) fs-I-2-S Theorem: SI is imp-pa secure ⇓ SS = fs-I-2-S(SI) is uf-cma secure in the RO model [AABN02] PV IBI IBS

13 13 The Shamir-SI scheme (N,e,d) ← K rsa (1 k ) X ← Z N x ← X d mod N pk ← (N,e,X) sk ← (N,e,x) Return (pk,sk) (N,e,x) ← sk y ← Z N Y ← y e mod N z ← xy c mod N Kg(1 k )P(sk) (N,e,X) ← pk c ← {0,1} ℓ(k) If z e = XY c mod N then accept else reject V(pk) Y c z * * R R

14 14 The Shamir-IBI scheme (N,e,d) ← K rsa (1 k ) mpk ← (N,e) msk ← (N,e,d) Return (mpk,msk) (N,e,x) ← usk y ← Z N Y ← y e mod N z ← xy c mod N MKg(1 k )P(usk) (N,e) ← mpk c ← {0,1} ℓ(k) If z e = H(ID)∙Y c mod N then accept else reject V(mpk,ID) Y c z * (N,e,d) ← msk X ← H(ID) x ← X d mod N usk ← (N,e,x) Return usk UKg(msk,ID) * R

15 15 The framework: SI to IBI SI IBI SS fs-I-2-S cSI-2-IBI Theorem: SI is imp-xx secure ⇓ IBI = cSI-2-IBI(SI) is imp-xx secure in the RO model “convertible” SI scheme:  Kg(1 k ): “trapdoor samplable relation” R sk ← (R,x) ; pk ← (R,y) such that (x,y) ∈ R  MKg(1 k ): generate relation R with trapdoor t mpk ← R ; msk ← (R,t)  UKg(msk, ID): y ← H(ID) use t to compute x s.t. (x,y) ∈ R usk ← (R,x) IBS

16 16 The Shamir-SS scheme (N,e,d) ← K rsa (1 k ) X ← Z N x ← X d mod N pk ← (N,e,X) sk ← (N,e,x) Return (pk,sk) (N,e,x) ← sk y ← Z N Y ← y e mod N c ← H(Y,M) z ← xy c mod N σ ← (Y,z) Kg(1 k )Sign(sk,M) (N,e,X) ← pk (Y,z) ← σ c ← H(Y,M) If z e = XY c mod N then accept else reject Vf(pk,M,σ) * * R R

17 17 The Shamir-IBS scheme (N,e,d) ← K rsa (1 k ) mpk ← (N,e) msk ← (N,e,d) Return (mpk,msk) MKg(1 k ) (N,e,d) ← msk X ← H(ID) x ← X d mod N usk ← (N,e,x) Return usk UKg(msk,ID) (N,e,x) ← usk y ← Z N Y ← y e mod N c ← H(Y,M) z ← xy c mod N σ ← (Y,z) Sign(usk,M) (N,e) ← mpk (Y,z) ← σ c ← H(Y,M) If z e = H(ID)∙Y c mod N then accept else reject Vf(mpk,ID,M,σ) ** R = Shamir-IBS as proposed in [S84]

18 18 Theorem: SI is imp-pa secure ⇓ IBS = fs-I-2-S(cSI-2-IBI(SS)) is uf-cma secure in the RO model (efs-IBI-2-IBS)  modified efs-IBI-2-IBS transform: Ch ← H(Cmt,M,ID) Theorem: IBI is imp-pa secure ⇓ IBS = efs-IBI-2-IB(IBI) is uf-cma secure in the RO model The framework: SS and IBI to IBS SI IBI SS IBS fs-I-2-S cSI-2-IBI cSS-2-IBS  SS to IBS: cSS-2-IBS  analogous to cSI-2-IBI  “convertible” SS → IBS  generalization of [DKXY03] Theorem: SS is uf-cma secure ⇓ IBS = cSS-2-IBS(SS) is uf-cma secure in the RO model  IBI to IBS  “canonical” IBI → IBS  For canonical convertible SI X: cSS-2-IBS(fs-I-2-S(X)) = fs-I-2-S(cSI-2-IBI(X))  fs-I-2-S not security-preserving for canonical IBI schemes in general fs-I-2-S

19 19 I I I P I I I I A I I I I I uf-cma I I Results for concrete schemes IIPIBIBeth IPPPIIIIBIOkDL IAAIAAPIBSSOK IIIIPPPIBSHess PIIIPPPIBSCha-Cheon IIIIPPPSIShamir* IIIPPPSI, IBI, SSOkRSA IPPPIIISI, IBIBNNDL AAAAAAASI, IBIGirault IAAIAAPIBSShamir IIIIPPPIBI, IBSGQ IIIIPPPSI, SSFF IIIPPSI, SSIt. Root IIIPPPIBI, IBSFiat-Shamir uf-cmacaaapacaaapa Name-IBSName-SSName-IBIName-SIOriginName P = proven I = implied A = attacked = known result = new contribution IIIPIBIBeth IIPPPIIIIBIOkDL IIAAIAAPIBSSOK IPIIIPPPIBSHess PIIIIPPPIBSCha-Cheon IIIIIPPPSIShamir* IIPPPIIISI, IBIBNNDL AAAAAAAASI, IBIGirault IIAAIAAPIBSShamir IIIIIPPPIBI, IBSGQ IIIIIPPPSI, SSFF IIIIPPSI, SSIt. Root IIIIIPPPIBI, IBSFiat-Shamir IIIIIPPPSI, IBI, SSOkRSA

20 20 Results for concrete schemes NameOriginName-SIName-IBIName-SSName-IBS paaacapaaacauf-cma Fiat-ShamirIBI, IBSPPPIIIII It. RootSI, SSPPIIII FFSI, SSPPPIIIII GQIBI, IBSPPPIIIII ShamirIBSPAAIAAII Shamir*SIPPPIIIII OkRSASI, IBI, SSPPPIIIII GiraultSI, IBIAAAAAAAA SOKIBSPAAIAAII HessIBSPPPIIIPI Cha-CheonIBSPPPIIIIP BethIBIPIII OkDLIBIIIIPPPII BNNDLSI, IBIIIIPPPII P = proven I = implied A = attacked = known result = new contribution

21 21 Provable security of IBI/IBS schemes  IBI schemes  no appropriate security definitions  proofs in weak model (fixed identity) or entirely lacking  IBS schemes  good security definition [CC03]  security proofs for some schemes directly [CC03] or through “trapdoor SS” to IBS transform [DKXY03]  some gaps remain  Existing security proofs  many SI schemes proven, e.g. [FS86, GQ89] in [FFS88, BP02]  SS schemes through Fiat-Shamir transform [PS96, OO98, AABN02] refer to SI/SS schemes, not IBI/IBS schemes build on these results, rather than from scratch

Download ppt "Security Proofs for Identity-Based Identification and Signature Schemes Mihir Bellare University of California at San Diego, USA Chanathip Namprempre Thammasat."

Similar presentations

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Hybrid Signcryption with Insider Security Alexander W. Dent.

Hybrid Signcryption with Insider Security Alexander W. Dent.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.

Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.
1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.

1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.
Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.

1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary.

Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Key Distribution CS 470 Introduction to Applied Cryptography

Key Distribution CS 470 Introduction to Applied Cryptography

Similar presentations

Ads by Google