Security Proofs for Identity-Based Identification and Signature Schemes
Mihir Bellare
University of California at San Diego, USA
Chanathip Namprempre
Thammasat University, Thailand
Gregory Neven
Katholieke Universiteit Leuven, Belgium
Identity-based encryption
 Proposed by Shamir (1984)
 Efficiently implemented by Boneh-Franklin (2001)
[Figure: the KDC runs MKg(1^k) → (mpk,msk) and UKg(msk,"Bob") → uskB, which is handed to Bob. Alice computes C ← E(mpk,"Bob",M); Bob recovers M ← D(uskB,C).]
2
Identity-based signatures (IBS)
 Proposed and implemented by Shamir (1984)
 Alternative implementations followed [FS86, GQ89]
 Renewed interest using pairings [SOK00, P02, CC03, H03, Yi03]
[Figure: the KDC runs MKg(1^k) → (mpk,msk) and UKg(msk,"Alice") → uskA, which is handed to Alice. Alice computes σ ← Sign(uskA,M) and sends (M,σ); Bob runs Vf(mpk,"Alice",M,σ) → acc/rej.]
3
Identity-based identification (IBI)
 Proposed by Shamir (1984)
 Numerous implementations followed [FS86, B88, GQ89, G90, O93]
[Figure: the KDC runs MKg(1^k) → (mpk,msk) and UKg(msk,"Alice") → uskA, which is handed to Alice. Alice runs the prover P(uskA) against Bob's verifier V(mpk,"Alice"), which outputs acc/rej.]
4
Provable security of IBI/IBS schemes
 IBI schemes
   no appropriate security definitions
   proofs in a weak model (fixed identity) or entirely lacking
 IBS schemes
   good security definition [CC03]
   security proofs for some schemes directly [CC03] or through the "trapdoor SS" to IBS transform [DKXY03]
   some gaps remain
5
Existing security proofs
Existing security proofs for
 identification schemes underlying IBI schemes, e.g. [FFS88] prove [FS86], [BP02] prove [GQ89]
 signature schemes underlying IBS schemes, e.g. analyses of the Fiat-Shamir transform [PS96, OO98, AABN02]
refer to standard identification (SI) and signature (SS) schemes.
Build on these proofs, rather than from scratch.
6
Our contributions
 Security definitions for IBI schemes
 Security proofs for "trivial" certificate-based IBI/IBS schemes
 Framework of security-preserving transforms
[Diagram: SI → IBI ; SS → IBS]
 Security proofs for 12 scheme "families"
   by implication through transforms
   by surfacing and proving unanalyzed SI schemes
   by proving as IBI schemes directly (exceptions)
 Attack on 1 scheme family
7
Independent work
Kurosawa, Heng (PKC 2004):
 security definitions for IBI schemes
 transform from SS to IBI schemes
8
Security of IBS and IBI schemes
 IBS schemes: uf-cma security [CC03]
[Figure: the forger F receives mpk and has access to the oracles Initialize(ID), Corrupt(ID) → uskID, and Sign(uskID,·), queried as (M,ID) → σ; F outputs a forgery (ID,M,σ).]
 IBI schemes: imp-pa, imp-aa, imp-ca security
1. Learning phase: Initialize and Corrupt oracles; see conversation transcripts (pa), interact with provers sequentially (aa) or in parallel (ca)
2. Attack phase: impersonate an uncorrupted identity IDbreak of the adversary's choice; oracles are blocked for ID = IDbreak
9
The Shamir-SI scheme
Kg(1^k): (N,e,d) ← Krsa(1^k) ; X ←$ Z*_N ; x ← X^d mod N ; pk ← (N,e,X) ; sk ← (N,e,x) ; Return (pk,sk)
P(sk): (N,e,x) ← sk ; y ←$ Z*_N ; Y ← y^e mod N ; send Y
V(pk): (N,e,X) ← pk ; c ←$ {0,1}^ℓ(k) ; send c
P: z ← x·y^c mod N ; send z
V: If z^e = X·Y^c mod N then accept else reject
 "surfaced" from Shamir-IBS [S84]
 (statistical) HVZK + POK ⇒ imp-pa secure
 not imp-aa secure (attack: choose c=0)
10
The Shamir-SS scheme
Kg(1^k): (N,e,d) ← Krsa(1^k) ; X ←$ Z*_N ; x ← X^d mod N ; pk ← (N,e,X) ; sk ← (N,e,x) ; Return (pk,sk)
Sign(sk,M): (N,e,x) ← sk ; y ←$ Z*_N ; Y ← y^e mod N ; c ← H(Y,M) ; z ← x·y^c mod N ; σ ← (Y,z)
Vf(pk,M,σ): (N,e,X) ← pk ; (Y,z) ← σ ; c ← H(Y,M) ; If z^e = X·Y^c mod N then accept else reject
11
The framework: SI to SS [FS86]
"canonical" SI scheme: three moves between P(sk) and V(pk): commitment Cmt, challenge Ch, response Rsp; V decides with Dec(pk,Cmt,Ch,Rsp)
fs-I-2-S transform:
 Sign(sk,M): Cmt from P ; Ch ← H(Cmt,M) ; Rsp from P ; σ ← (Cmt,Rsp)
 Vf(pk,M,σ): (Cmt,Rsp) ← σ ; Dec(pk,Cmt,H(Cmt,M),Rsp)
[Diagram: SI → IBI ; SI → SS via fs-I-2-S ; IBI → IBS via fs-I-2-S]
Theorem: SI is imp-pa secure ⇓ SS = fs-I-2-S(SI) is uf-cma secure in the RO model [AABN02]
12
The Shamir-SI scheme (slide 10 repeated, for comparison with the Shamir-IBI scheme)
13
The Shamir-IBI scheme
MKg(1^k): (N,e,d) ← Krsa(1^k) ; mpk ← (N,e) ; msk ← (N,e,d) ; Return (mpk,msk)
UKg(msk,ID): (N,e,d) ← msk ; X ← H(ID) ; x ← X^d mod N ; usk ← (N,e,x) ; Return usk
P(usk): (N,e,x) ← usk ; y ←$ Z*_N ; Y ← y^e mod N ; send Y
V(mpk,ID): (N,e) ← mpk ; c ←$ {0,1}^ℓ(k) ; send c
P: z ← x·y^c mod N ; send z
V: If z^e = H(ID)·Y^c mod N then accept else reject
14
The framework: SI to IBI
"convertible" SI scheme:
 Kg(1^k): generates a "trapdoor samplable relation" R ; sk ← (R,x) ; pk ← (R,y) such that (x,y) ∈ R
cSI-2-IBI transform:
 MKg(1^k): generate relation R with trapdoor t ; mpk ← R ; msk ← (R,t)
 UKg(msk,ID): y ← H(ID) ; use t to compute x s.t. (x,y) ∈ R ; usk ← (R,x)
[Diagram: SI → IBI via cSI-2-IBI ; SI → SS via fs-I-2-S ; SS → IBS]
Theorem: SI is imp-xx secure ⇓ IBI = cSI-2-IBI(SI) is imp-xx secure in the RO model
15
The Shamir-SS scheme (slide 11 repeated, for comparison with the Shamir-IBS scheme)
16
The Shamir-IBS scheme
MKg(1^k): (N,e,d) ← Krsa(1^k) ; mpk ← (N,e) ; msk ← (N,e,d) ; Return (mpk,msk)
UKg(msk,ID): (N,e,d) ← msk ; X ← H(ID) ; x ← X^d mod N ; usk ← (N,e,x) ; Return usk
Sign(usk,M): (N,e,x) ← usk ; y ←$ Z*_N ; Y ← y^e mod N ; c ← H(Y,M) ; z ← x·y^c mod N ; σ ← (Y,z)
Vf(mpk,ID,M,σ): (N,e) ← mpk ; (Y,z) ← σ ; c ← H(Y,M) ; If z^e = H(ID)·Y^c mod N then accept else reject
= Shamir-IBS as proposed in [S84]
17
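As an added worked example (not code from the slides or the authors), here is a toy Python implementation of the Shamir-IBI key generation (MKg, UKg) and the Shamir-IBS Sign/Vf from the two Shamir slides above. It assumes textbook RSA with small constructed primes in place of Krsa(1^k), and SHA-256 reduced into Z*_N standing in for the random oracle H:

```python
# Toy Shamir-IBI key generation plus Shamir-IBS Sign/Vf (added example, not the
# authors' code). Assumptions: textbook RSA with small constructed primes, and
# SHA-256 reduced into Z_N^* standing in for the random oracle H.
import hashlib
import secrets
from math import gcd

# Constructed toy primes; a real Krsa(1^k) would produce a full-size modulus.
P_TOY, Q_TOY, E_TOY = 1000003, 999983, 65537

def mkg():
    """MKg(1^k): mpk = (N,e), msk = (N,e,d)."""
    N = P_TOY * Q_TOY
    phi = (P_TOY - 1) * (Q_TOY - 1)
    d = pow(E_TOY, -1, phi)            # e*d = 1 mod phi(N)
    return (N, E_TOY), (N, E_TOY, d)

def H(*parts, N):
    """Random-oracle stand-in: hash the inputs into Z_N^* (retry until coprime to N)."""
    data = "|".join(str(p) for p in parts).encode()
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(data + ctr.to_bytes(4, "big")).digest(), "big") % N
        if h != 0 and gcd(h, N) == 1:
            return h
        ctr += 1

def ukg(msk, ID):
    """UKg(msk,ID): X = H(ID), x = X^d mod N, usk = (N,e,x)."""
    N, e, d = msk
    return (N, e, pow(H("id", ID, N=N), d, N))

def sign(usk, M):
    """Sign(usk,M): Y = y^e, c = H(Y,M), z = x*y^c (mod N); sigma = (Y,z)."""
    N, e, x = usk
    y = 1 + secrets.randbelow(N - 1)   # y <-$ Z_N (coprime to N except with negligible probability)
    Y = pow(y, e, N)
    c = H("msg", Y, M, N=N)            # Fiat-Shamir: hash replaces the verifier's random challenge
    return (Y, (x * pow(y, c, N)) % N)

def vf(mpk, ID, M, sigma):
    """Vf(mpk,ID,M,sigma): accept iff z^e = H(ID) * Y^c (mod N) with c = H(Y,M)."""
    N, e = mpk
    Y, z = sigma
    c = H("msg", Y, M, N=N)
    # z^e = x^e * y^(ce) = X * Y^c because x = X^d and e*d = 1 mod phi(N)
    return pow(z, e, N) == (H("id", ID, N=N) * pow(Y, c, N)) % N
```

The identity enters only through H(ID) on the verifier's side, so no per-user public key is needed; a signature made under Alice's usk does not verify under any other identity or message.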
The framework: SS and IBI to IBS
 SS to IBS: cSS-2-IBS
   analogous to cSI-2-IBI
   "convertible" SS → IBS
   generalization of [DKXY03]
 IBI to IBS: efs-IBI-2-IBS
   "canonical" IBI → IBS
   fs-I-2-S is not security-preserving for canonical IBI schemes in general
   modified efs-IBI-2-IBS transform: Ch ← H(Cmt,M,ID)
 For canonical convertible SI X: cSS-2-IBS(fs-I-2-S(X)) = fs-I-2-S(cSI-2-IBI(X))
[Diagram: SI → IBI via cSI-2-IBI ; SI → SS via fs-I-2-S ; IBI → IBS via fs-I-2-S (efs-IBI-2-IBS) ; SS → IBS via cSS-2-IBS]
Theorem: SS is uf-cma secure ⇓ IBS = cSS-2-IBS(SS) is uf-cma secure in the RO model
Theorem: IBI is imp-pa secure ⇓ IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the RO model
Theorem: SI is imp-pa secure ⇓ IBS = fs-I-2-S(cSI-2-IBI(SI)) is uf-cma secure in the RO model
18
Results for concrete schemes
Name          Origin
Fiat-Shamir   IBI, IBS
It. Root      SI, SS
FF            SI, SS
GQ            IBI, IBS
Shamir        IBS
Shamir*       SI
OkRSA         SI, IBI, SS
Girault       SI, IBI
SOK           IBS
Hess          IBS
Cha-Cheon     IBS
Beth          IBI
OkDL          IBI
BNNDL         SI, IBI
Result columns: Name-SI (pa, aa, ca), Name-IBI (pa, aa, ca), Name-SS (uf-cma), Name-IBS (uf-cma)
Legend: P = proven, I = implied, A = attacked; colour marks known results versus new contributions
[Table: the per-scheme P/I/A entries of the result columns are not recoverable from the extracted slide.]
19