Security Proofs for Identity-Based Identification and Signature Schemes
Mihir Bellare
University of California at San Diego, USA
Chanathip Namprempre
Thammasat University, Thailand
Gregory Neven
Katholieke Universiteit Leuven, Belgium
Identity-based encryption

Proposed by Shamir (1984); efficiently implemented by Boneh-Franklin (2001).

[Figure: the KDC runs MKg(1^k) → (mpk,msk) and UKg(msk,"Bob") → uskB, which it hands to Bob.
Alice computes C ← E(mpk,"Bob",M) and sends C; Bob recovers M ← D(uskB,C).]
Identity-based signatures (IBS)

Proposed and implemented by Shamir (1984). Alternative implementations followed [FS86, GQ89].
Renewed interest using pairings [SOK00, P02, CC03, H03, Yi03].

[Figure: the KDC runs MKg(1^k) → (mpk,msk) and UKg(msk,"Alice") → uskA, which it hands to Alice.
Alice computes σ ← Sign(uskA,M) and sends (M,σ); Bob runs Vf(mpk,"Alice",M,σ) → acc/rej.]
Identity-based identification (IBI)

Proposed by Shamir (1984). Numerous implementations followed [FS86, B88, GQ89, G90, O93].

[Figure: the KDC runs MKg(1^k) → (mpk,msk) and UKg(msk,"Alice") → uskA, which it hands to Alice.
Alice runs the prover P(uskA) against Bob's verifier V(mpk,"Alice"), which outputs acc/rej.]
Provable security of IBI/IBS schemes

IBI schemes
  no appropriate security definitions
  proofs in a weak model (fixed identity) or entirely lacking
IBS schemes
  good security definition [CC03]
  security proofs for some schemes directly [CC03] or through the "trapdoor SS" to IBS transform [DKXY03]
  some gaps remain
Existing security proofs

Existing security proofs for
  identification schemes underlying IBI schemes, e.g. [FFS88] prove [FS86], [BP02] prove [GQ89]
  signature schemes underlying IBS schemes, e.g. analyses of the Fiat-Shamir transform [PS96, OO98, AABN02]
refer to standard identification (SI) and signature (SS) schemes.

Build on these proofs, rather than from scratch.
Our contributions

Security definitions for IBI schemes
Security proofs for "trivial" certificate-based IBI/IBS schemes
Framework of security-preserving transforms:
  SI → IBI
  SS → IBS
Security proofs for 12 scheme "families"
  by implication through transforms
  by surfacing and proving unanalyzed SI schemes
  by proving as IBI schemes directly (exceptions)
Attack on 1 scheme family
Independent work
Kurosawa, Heng (PKC 2004):
security definitions for IBI schemes
transform from SS to IBI schemes
Security of IBS and IBI schemes

IBS schemes: uf-cma security [CC03]
  [Figure: the forger F receives mpk and has oracles Initialize(ID), Corrupt(ID) → uskID, and Sign(uskID,·) answering queries (M,ID) with σ; F outputs a forgery (ID,M,σ).]
  F wins if the forgery verifies for an uncorrupted ID on a pair (ID,M) it never queried to Sign.

IBI schemes: imp-pa, imp-aa, imp-ca security
  1. Learning phase: Initialize and Corrupt oracles; the adversary sees conversation transcripts (pa), or interacts with provers sequentially (aa) or in parallel (ca)
  2. Attack phase: impersonate an uncorrupted identity ID_break of the adversary's choice; the oracles are blocked for ID = ID_break
The Shamir-SI scheme

Kg(1^k):
  (N,e,d) ← Krsa(1^k)
  X ←R Z_N^*
  x ← X^d mod N
  pk ← (N,e,X) ; sk ← (N,e,x)
  Return (pk,sk)

P(sk):                                         V(pk):
  (N,e,x) ← sk                                   (N,e,X) ← pk
  y ←R Z_N^* ; Y ← y^e mod N
                        ---- Y ---->
                                                 c ←R {0,1}^ℓ(k)
                        <---- c ----
  z ← x·y^c mod N
                        ---- z ---->
                                                 If z^e = X·Y^c mod N then accept else reject

"surfaced" from Shamir-IBS [S84]
(statistical) HVZK + POK ⇒ imp-pa secure
not imp-aa secure (attack: a cheating verifier chooses c = 0, so the honest prover answers z = x·y^0 = x, i.e. hands over the secret key; the adversary then impersonates the prover at will)
The Shamir-SS scheme

Kg(1^k):
  (N,e,d) ← Krsa(1^k)
  X ←R Z_N^*
  x ← X^d mod N
  pk ← (N,e,X) ; sk ← (N,e,x)
  Return (pk,sk)

Sign(sk,M):                              Vf(pk,M,σ):
  (N,e,x) ← sk                             (N,e,X) ← pk
  y ←R Z_N^* ; Y ← y^e mod N               (Y,z) ← σ
  c ← H(Y,M)                               c ← H(Y,M)
  z ← x·y^c mod N                          If z^e = X·Y^c mod N then accept else reject
  σ ← (Y,z)
The framework: SI to SS [FS86]

[Diagram: SI --fs-I-2-S--> SS, with the same transform drawn IBI --fs-I-2-S--> IBS.]

"canonical" SI scheme: a three-move protocol between P(sk) and V(pk):
  P → V: Cmt
  V → P: Ch (a random challenge)
  P → V: Rsp
  V accepts iff Dec(pk,Cmt,Ch,Rsp) = 1

Transform fs-I-2-S:
  Sign(sk,M): run P to obtain Cmt ; Ch ← H(Cmt,M) ; obtain Rsp from P ; σ ← (Cmt,Rsp)
  Vf(pk,M,σ): (Cmt,Rsp) ← σ ; return Dec(pk, Cmt, H(Cmt,M), Rsp)

Theorem: SI is imp-pa secure ⇒ SS = fs-I-2-S(SI) is uf-cma secure in the RO model [AABN02]
The Shamir-SI scheme (repeated in the deck for side-by-side comparison with Shamir-IBI; see the scheme as given above)
The Shamir-IBI scheme

MKg(1^k):                            UKg(msk,ID):
  (N,e,d) ← Krsa(1^k)                  (N,e,d) ← msk
  mpk ← (N,e)                          X ← H(ID)
  msk ← (N,e,d)                        x ← X^d mod N
  Return (mpk,msk)                     usk ← (N,e,x)
                                       Return usk

P(usk):                                        V(mpk,ID):
  (N,e,x) ← usk                                  (N,e) ← mpk
  y ←R Z_N^* ; Y ← y^e mod N
                        ---- Y ---->
                                                 c ←R {0,1}^ℓ(k)
                        <---- c ----
  z ← x·y^c mod N
                        ---- z ---->
                                                 If z^e = H(ID)·Y^c mod N then accept else reject
The framework: SI to IBI

[Diagram: SI --cSI-2-IBI--> IBI ; SI --fs-I-2-S--> SS ; SS --> IBS.]

"convertible" SI scheme: Kg(1^k) generates a "trapdoor samplable relation" R and sets
  sk ← (R,x) ; pk ← (R,y) such that (x,y) ∈ R
(For Shamir-SI the relation is R = {(x,X) : x^e = X mod N} and the trapdoor is d.)

Transform cSI-2-IBI:
  MKg(1^k): generate relation R with trapdoor t ; mpk ← R ; msk ← (R,t)
  UKg(msk,ID): y ← H(ID) ; use t to compute x such that (x,y) ∈ R ; usk ← (R,x)
  P and V then run the SI protocol with sk = (R,x) and pk = (R,H(ID))

Theorem: SI is imp-xx secure ⇒ IBI = cSI-2-IBI(SI) is imp-xx secure in the RO model (xx ∈ {pa, aa, ca})
The Shamir-SS scheme (repeated in the deck for side-by-side comparison with Shamir-IBS; see the scheme as given above)
The Shamir-IBS scheme

MKg(1^k):                            UKg(msk,ID):
  (N,e,d) ← Krsa(1^k)                  (N,e,d) ← msk
  mpk ← (N,e)                          X ← H(ID)
  msk ← (N,e,d)                        x ← X^d mod N
  Return (mpk,msk)                     usk ← (N,e,x)
                                       Return usk

Sign(usk,M):                             Vf(mpk,ID,M,σ):
  (N,e,x) ← usk                            (N,e) ← mpk
  y ←R Z_N^* ; Y ← y^e mod N               (Y,z) ← σ
  c ← H(Y,M)                               c ← H(Y,M)
  z ← x·y^c mod N                          If z^e = H(ID)·Y^c mod N then accept else reject
  σ ← (Y,z)

= Shamir-IBS as proposed in [S84]
The framework: SS and IBI to IBS

[Diagram: SI --cSI-2-IBI--> IBI ; SI --fs-I-2-S--> SS ; SS --cSS-2-IBS--> IBS ; IBI --fs-I-2-S (efs-IBI-2-IBS)--> IBS.]

SS to IBS: cSS-2-IBS
  analogous to cSI-2-IBI: "convertible" SS → IBS
  generalization of [DKXY03]
  Theorem: SS is uf-cma secure ⇒ IBS = cSS-2-IBS(SS) is uf-cma secure in the RO model

IBI to IBS: fs-I-2-S applied to a "canonical" IBI scheme
  Theorem: SI is imp-pa secure ⇒ fs-I-2-S(cSI-2-IBI(SI)) is uf-cma secure in the RO model
  For a canonical convertible SI scheme X the two routes coincide:
    cSS-2-IBS(fs-I-2-S(X)) = fs-I-2-S(cSI-2-IBI(X))
  fs-I-2-S is not security-preserving for canonical IBI schemes in general;
  modified transform efs-IBI-2-IBS: Ch ← H(Cmt,M,ID)
  Theorem: IBI is imp-pa secure ⇒ IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the RO model
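The Shamir schemes and transforms of the preceding slides, worked through as code. This is an added example and is not code from the slides or their authors. It assumes fixed toy Mersenne primes in place of Krsa, SHA-256 in place of the random oracle H, a 60-bit challenge, and hypothetical helper names (krsa, cmt, rsp, dec, ro_chal, mkg, ukg, ...). It covers Shamir-SI as a canonical (Cmt, Ch, Rsp, Dec) protocol together with the c = 0 imp-aa attack and the extractor behind the POK claim, then fs-I-2-S (Shamir-SS), cSI-2-IBI (Shamir-IBI) and Shamir-IBS with the challenge computed as H(Y,M) or, as in efs-IBI-2-IBS, as H(Y,M,ID).

```python
# Added worked example, not code from the slides or their authors: toy Shamir-SI, the
# c = 0 active attack and the POK extractor, then Shamir-SS = fs-I-2-S(Shamir-SI),
# Shamir-IBI = cSI-2-IBI(Shamir-SI) and Shamir-IBS (with and without ID in the hash).
# Assumptions: fixed Mersenne primes in Krsa, SHA-256 as the random oracle H, 60-bit
# challenges.  Demo parameters only, not secure sizes.
import hashlib
import secrets

P, Q = 2**31 - 1, 2**89 - 1   # assumed toy primes; N = P*Q is about 120 bits
E = 2**61 - 1                  # prime e with 2^ELL < e, so gcd(e, c - c') = 1 in extract()
ELL = 60                       # challenge length l(k): Ch in {0,1}^ELL

def krsa():
    """Krsa(1^k) with fixed primes: (N, e, d), d = e^-1 mod phi(N)."""
    n = P * Q
    return n, E, pow(E, -1, (P - 1) * (Q - 1))

def rand_zn(n):                # uniform in Z_N, hence in Z_N^* with overwhelming probability
    return secrets.randbelow(n - 2) + 2

def _digest(parts):            # length-prefix each part so H(Y, M, ID) is unambiguous
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def ro_group(n, ident):        # random oracle H(ID) -> Z_N^* used by UKg and V in Shamir-IBI
    return int.from_bytes(_digest([ident]), "big") % n or 1

def ro_chal(*parts):           # random oracle H(Cmt, M[, ID]) -> {0,1}^ELL (fs-I-2-S / efs-IBI-2-IBS)
    return int.from_bytes(_digest(parts), "big") % (1 << ELL)

# ---- Shamir-SI as a canonical three-move protocol: Cmt, Ch, Rsp, Dec ----
def si_keygen():
    n, e, d = krsa()
    X = rand_zn(n)
    return (n, e, X), (n, e, pow(X, d, n))          # pk = (N,e,X), sk = (N,e,x), x = X^d mod N

def cmt(sk):
    n, e, _ = sk
    y = rand_zn(n)
    return y, pow(y, e, n)                          # prover state y, commitment Y = y^e mod N

def rsp(sk, y, c):
    n, _, x = sk
    return x * pow(y, c, n) % n                     # z = x * y^c mod N

def dec(pk, Y, c, z):
    n, e, X = pk
    return pow(z, e, n) == X * pow(Y, c, n) % n     # accept iff z^e = X * Y^c mod N

def si_run(pk, sk):            # one honest execution; V picks c uniformly in {0,1}^ELL
    y, Y = cmt(sk)
    c = secrets.randbits(ELL)
    return dec(pk, Y, c, rsp(sk, y, c))

def imp_aa_attack(pk, prover_sk):
    """imp-aa break: a cheating verifier sends Ch = 0, so Rsp = x * y^0 = x, the secret key.
    prover_sk is used only to run the honest prover; the attacker sees just Y and z."""
    y, Y = cmt(prover_sk)
    x = rsp(prover_sk, y, 0)
    n, e, _ = pk
    return si_run(pk, (n, e, x))                    # attacker now impersonates at will

def extract(pk, Y, c1, z1, c2, z2):
    """POK extractor behind 'HVZK + POK => imp-pa secure'.  From z1^e = X Y^c1 and
    z2^e = X Y^c2: (z1/z2)^e = Y^(c1-c2).  With a e + b (c1-c2) = 1, y* = Y^a (z1/z2)^b
    is an e-th root of Y and x = z1 y*^(-c1) is an e-th root of X, i.e. the secret key."""
    n, e, _ = pk
    b = pow((c1 - c2) % e, -1, e)                   # exists because e is prime and |c1-c2| < e
    a = (1 - b * (c1 - c2)) // e
    ystar = pow(Y, a, n) * pow(z1 * pow(z2, -1, n), b, n) % n
    return z1 * pow(ystar, -c1, n) % n

# ---- fs-I-2-S: Shamir-SS from Shamir-SI ----
def ss_sign(sk, m):
    y, Y = cmt(sk)
    return Y, rsp(sk, y, ro_chal(Y, m))             # Ch <- H(Cmt, M); sigma = (Cmt, Rsp)

def ss_verify(pk, m, sig):
    Y, z = sig
    return dec(pk, Y, ro_chal(Y, m), z)

# ---- cSI-2-IBI: Shamir-IBI from Shamir-SI; relation R = {(x, X): x^e = X mod N}, trapdoor d ----
def mkg():
    n, e, d = krsa()
    return (n, e), (n, e, d)                        # mpk = (N,e), msk = (N,e,d)

def ukg(msk, ident):
    n, e, d = msk
    return n, e, pow(ro_group(n, ident), d, n)      # usk = (N, e, H(ID)^d mod N)

def ibi_pk(mpk, ident):
    n, e = mpk
    return n, e, ro_group(n, ident)                 # V(mpk, ID) is V of Shamir-SI with X = H(ID)

def ibi_run(mpk, ident, usk):
    return si_run(ibi_pk(mpk, ident), usk)

# ---- IBS: bind_id=False is Shamir-IBS, Ch = H(Y,M); bind_id=True is efs-IBI-2-IBS, Ch = H(Y,M,ID) ----
def ibs_sign(usk, ident, m, bind_id=False):
    y, Y = cmt(usk)
    c = ro_chal(Y, m, ident) if bind_id else ro_chal(Y, m)
    return Y, rsp(usk, y, c)

def ibs_verify(mpk, ident, m, sig, bind_id=False):
    Y, z = sig
    c = ro_chal(Y, m, ident) if bind_id else ro_chal(Y, m)
    return dec(ibi_pk(mpk, ident), Y, c, z)
```

Two points the code makes concrete: imp_aa_attack recovers x from a single interaction because nothing stops the verifier from choosing Ch = 0, which is why Shamir-SI is imp-pa but not imp-aa secure; and extract() is the special-soundness extractor, which needs gcd(e, c1 - c2) = 1 and therefore a prime e larger than the challenge space, a parameter condition the slide leaves implicit. The IBS signature verifies only under the identity whose H(ID) was used at key derivation, so a signature made for "Alice" does not verify for "Bob".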
Results for concrete schemes

Columns: Name-SI (imp-pa, imp-aa, imp-ca), Name-IBI (imp-pa, imp-aa, imp-ca), Name-SS (uf-cma), Name-IBS (uf-cma).
Legend: P = proven, I = implied (through the transforms), A = attacked; the deck additionally marks each cell as a known result or a new contribution.

Name          Origin
Fiat-Shamir   IBI, IBS
It. Root      SI, SS
FF            SI, SS
GQ            IBI, IBS
Shamir        IBS
Shamir*       SI
OkRSA         SI, IBI, SS
Girault       SI, IBI
SOK           IBS
Hess          IBS
Cha-Cheon     IBS
Beth          IBI
OkDL          IBI
BNNDL         SI, IBI

Result cells as they appear in the deck, per column group (the row alignment is not recoverable from this transcript):
Name-SI (pa aa ca):          P P P P P P P P P P P P A A P P P P P P A A A P A A P P P P P P P I I I I I I
Name-IBI (pa aa ca):         I I I I I I I I I I I I A A I I I I I I A A A I A A I I I I I I I P P P P P P
Name-SS / Name-IBS (uf-cma): I I I I I I I I I I I I I I A A I I P I I P I I I I I I