An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model

1

An Efficient and Provable Secure Identity-Based Identification

Scheme in the Standard Model

(Multimedia University) Ji-Jian Chin

Swee-Huay HengBok-Min Goi

2

Contents1 Introduction 3

2 Preliminaries 9

3 Formal Definition of IBI 11

4 Construction 16

5 Security Analysis 21

6 Conclusion 25

7 Open Problems 26

3

1. Introduction

An identification scheme enables one party to identify itself securely to another party authentically and without repudiation.

ID-based cryptography – user generates own public key using an identity string.

ID-based cryptography does away with certificates binding the public key to the private key, as opposed to traditional public key infrastructure systems.

4

1. Introduction

If I can guess/know your password, I can impersonate you.(Easy to guess: keyloggers, peek into your password database, sticky notes with passwords in your office, steal from your hand phone etc)

Why IBI and SI can overcome this?Challenge-response identification.Zero-knowledge of secret key involved.

Why Passwords Aren’t Enough?

5

1. Introduction

IBI fundamental paper proposed by Fiat and Shamir in 1984.

Rigorous definition and security proofs only formalized in 2004- Kurosawa and Heng- Bellare, Namprempre and Neven

Schemes’ mostly have provable security based on the random oracle model

Schemes’ with provable security in the standard model are not very efficient and few in number

History of IBI

6

1. Introduction

first introduced by Bellare and Rogaway in 1993.The Random Oracle

I answer anybody’s queries with totally random and uniformly distributed

answers

I’ve seen this Newquery before query

query

Existing answer

Give new random answer, and save query for next time

The Random Oracle

7

1. Introduction

Disadvantages of RO:

- heuristic in nature

- Canetti et al. showed certain schemes secure in the random oracle model is insecure once implemented

- idealistic: doesn’t exist in real world Conclusion

- scheme secure in ROM better than no proof at all

- best to prove in standard model

The Random Oracle

8

1. Introduction

1. Kurosawa and Heng proposed the first 2 IBI schemes in the standard model in 2005.

2. Kurosawa and Heng used a trapdoor commitment scheme and a digital signature scheme to construct another IBI scheme in the standard model in 2006.

3. Yang et al. proposed a general framework to construct IBI schemes in the random oracle model in 2007.

Recent Developments

9

2. Preliminaries

a) Bilinearity. e(ga,gb)=e(g,g)ab

b) Non-degeneracy. e(g,g) ≠1

c) Efficiently computable.

Bilinear Pairings

10

a) Security against Passive Attacks:Computational Diffie-Hellman problem (CDHP)

- Find gab given g and ga ,gb

b) Security against Active/Concurrent Attacks:One-More Computational Diffie-Hellman Problem (OMCDHP)

- Adversary is given a challenge oracle and a CDH oracle.- Adversary queries random challenge point from challenge

oracle and obtains solution by querying the CDH oracle.- Adversary wins the game if at the end the number of queries to

the solution oracle is strictly less than the queries to the challenge oracle.

2. PreliminariesSecurity Assumptions

11

3. Formal Definitions For IBI

IBI=(S,E,P,V) - 4 probabilistic, polynomial-time algorithms

Setup(S)Setup(S)

Extract(E)Extract(E)

input paraminput param

mpk, mpk, mskmsk

ID

Prover(P)Prover(P)(Prove (Prove that that I know I know usk)usk)

Verifier(V)Verifier(V)Accept onlyAccept only

if you if you Know uskKnow usk

usk

mpk, usk, mpk, usk, IDID

mpk, IDmpk, ID

CMCMTT

CHCHAA

RSPRSP

The Canonical Three Move ProtocolThe Canonical Three Move Protocol

Definition of IBI

12

3. Formal Definition of IBI

Goal of adversary towards IBI - impersonation.

Considered successful if:- Interact with verifier as prover with public ID- Accepted by verifier with non-negligible probability

Stronger assumptions of IBI vs SI:1. The adversary can choose a target identity ID to impersonate

as opposed to a random public key. 2. IBI has access to extract oracle -> the adversary can possess

private keys of some users which she has chosen.

Security Model for IBI

13

3. Formal Definition for IBI

Passive attacks (imp-pa)Eavesdrop

Active attacks (imp-aa)Interacts with provers as a cheating verifier

Concurrent attacks (imp-ca)Interacts with provers as a cheating verifier concurrently.

Security Model for IBI

14

3. Formal Definition for IBI

The impersonation attack between the impersonator I, and challenger C is described in a two phase game.

Phase 1:

I either extracts transcript queries for imp-pa or acts as a cheating verifier in imp-aa and imp-ca.

Phase 2:

I plays the cheating prover it picks to convince the verifier.

Security Model for IBI

15

3. Formal Definition for IBI

An IBI scheme is (t,qI,ε)- secure against imp-pa/imp-aa/imp-ca if for any I who runs in

time t, Pr(I can impersonate)<ε, where I can make at most qI queries.

Security Model for IBI

16

Let and be finite cyclic groups or order and let be a generator of . Let be an efficiently computed bilinear map. Use a collision-resistant hash function to hash identities to an arbitrary length to a bit string of length .

4. Construction

G TG p gG TGGGe :

nH },{},{: * 1010 n

Construction of IBI scheme based on the Waters Signature Scheme

17

4. Construction

Gug

gg

Za

R

a

pR

',2

1

Select an n-length vector GuuU Rn },...,{ 1

)(:

),,',,,,,(:a

T

gmsk

HUuggeGGmpk

2

1

Setup

18

4. Construction

pR Zr

ID:hashed user identity string of length n

Let :ith-bit of ID

r

r

IDii

a

gR

uugS

)'(2

),(: RSusk

},...,{ nID 1 be the set of all i where di=1Let

id

Extract

19

4. Construction

Prove Verify

Accept if

z

z

IDii

gY

uuX

2

)'( RYX ,,

Z

cp

R Zc

czSZ

),)'((),(),( RuuXegYgegZe c

IDii

c

12

Prove and Verify

20

4. Construction

),)'((),(

),)'()'((),(

),))'(((

),(

)(

RuuXegYge

guuuuegge

guuge

gZe

c

IDii

c

rc

IDii

z

IDii

cza

czr

IDii

a

12

2

2

Correctness

21

5. Security Analysis

Theorem 1:

The proposed IBI scheme is (t,qI,ε)-secure

against impersonation under passive attacks in

the standard model if the CDHP is (t’,ε’)-hard

where

Security against Passive Attacks

2

114

pnq ue ')( ))())(((' II qqnOtt 2

: time for multiplication in

: time for exponentiation in

: extract queries made

: transcript queries made and

iqeq

ieI qqq

22

5. Security Analysis

Theorem 2:

The proposed IBI scheme is (t,qI,ε)-secure

against impersonation under active/concurrent

attacks in the standard model if the OMCDHP is

(t”,qCDH,ε”)-hard where

Security against Active/Concurrent Attacks

2

114

pnq ue ")( ))())(((" II qqnOtt 2

: time for multiplication in

: time for exponentiation in

: extract queries made

: transcript queries made and

iqeq

ieI qqq

23

5. Security AnalysisEfficiency

Multiplication Exponentiation Pairing

Setup 0 2 0

Extract Max:n+2, Avg:(n/2)+2 2 0

Prove Max:n+1, Avg:(n/2)+1 3 0

Verify Max:n+3, Avg:(n/2)+3 2 3

Table 1: Complexity Cost

24

5. Security AnalysisEfficiency

Efficiency of P and V

Imp-pa assumption

Imp-aa/ca assumption

HKIBI05a 6G,6E,4P q-SDH Unknown

HKIBI05b 12G,12E,6P

q-SDH q-SDH

HKIBI06 9G,11E,3P,1 SOTSS

q-SDH q-SDH

Proposed IBI (n+4)G,5E,3P

CDH OMCDHP

Table 2: Comparisons with other IBI

25

6. Conclusion

Merits of Proposed IBI Direct proof Provable security against both imp-pa and

imp-aa/ca in the standard model. More efficient than other IBI schemes in

standard model.

26

7. Open Problems

1. More IBI schemes that are efficient and provably secure in the standard model.

2. More IBI Schemes with direct proof to a hard-mathematical problem as opposed to reductions from transformations.

3. An IBI scheme with provable security against imp-aa/ca using a weaker assumption like DLOG or CDH.

27

Thank YouQ&A