Security Proofs for Identity-Based Identification and Signature Schemes

Mihir Bellare, University of California at San Diego, USA
Chanathip Namprempre, Thammasat University, Thailand
Gregory Neven, Katholieke Universiteit Leuven, Belgium

Feb 01, 2016

Identity-based encryption

  KDC:   (mpk, msk) ← MKg(1^k); usk_B ← UKg(msk, "Bob"), delivered to Bob
  Alice: C ← E(mpk, "Bob", M), using only mpk and Bob's identity string
  Bob:   M ← D(usk_B, C)

  - Proposed by Shamir (1984)
  - Efficiently implemented by Boneh-Franklin (2001)

Identity-based signatures (IBS)

  KDC:   (mpk, msk) ← MKg(1^k); usk_A ← UKg(msk, "Alice"), delivered to Alice
  Alice: σ ← Sign(usk_A, M)
  Bob:   acc/rej ← Vf(mpk, "Alice", M, σ)

  - Proposed and implemented by Shamir (1984)
  - Alternative implementations followed [FS86, GQ89]
  - Renewed interest using pairings [SOK00, P02, CC03, H03, Yi03]

Identity-based identification (IBI)

  KDC:   (mpk, msk) ← MKg(1^k); usk_A ← UKg(msk, "Alice"), delivered to Alice
  Alice: runs the prover P(usk_A)
  Bob:   runs the verifier V(mpk, "Alice") interactively with Alice and outputs acc/rej

  - Proposed by Shamir (1984)
  - Numerous implementations followed [FS86, B88, GQ89, G90, O93]

Provable security of IBI/IBS schemes

  IBI schemes:
  - no appropriate security definitions
  - proofs in a weak model (fixed identity) or entirely lacking

  IBS schemes:
  - good security definition [CC03]
  - security proofs for some schemes, directly [CC03] or through the "trapdoor SS" to IBS transform [DKXY03]
  - some gaps remain

Existing security proofs

  Existing security proofs refer to standard identification (SI) and signature (SS) schemes:
  - for the identification schemes underlying IBI schemes, e.g. [FFS88] prove [FS86], [BP02] prove [GQ89]
  - for the signature schemes underlying IBS schemes, e.g. analyses of the Fiat-Shamir transform [PS96, OO98, AABN02]

  Build on these proofs, rather than starting from scratch.

Our contributions

  - Security definitions for IBI schemes
  - Security proofs for "trivial" certificate-based IBI/IBS schemes
  - Framework of security-preserving transforms (SI → IBI, SS → IBS)
  - Security proofs for 12 scheme "families":
    - by implication through the transforms
    - by surfacing and proving unanalyzed SI schemes
    - by proving as IBI schemes directly (exceptions)
  - Attack on 1 scheme family

Independent work

  Kurosawa, Heng (PKC 2004):
  - security definitions for IBI schemes
  - transform from SS to IBI schemes

Security of IBS and IBI schemes

  IBS schemes: uf-cma security [CC03]
    Forger F receives mpk and has oracles Initialize(ID), Corrupt(ID) → usk_ID,
    and Sign(usk_ID, ·) answering a query (M, ID) with σ; F outputs a forgery (ID, M, σ).

  IBI schemes: imp-pa, imp-aa, imp-ca security
    1. Learning phase: Initialize and Corrupt oracles; see conversation transcripts (pa),
       interact with provers sequentially (aa) or in parallel (ca)
    2. Attack phase: impersonate an uncorrupted identity ID_break of the adversary's choice;
       the oracles are blocked for ID = ID_break

The Shamir-SI scheme

  Kg(1^k):
    (N, e, d) ← Krsa(1^k)
    X ←$ Z_N^*
    x ← X^d mod N
    pk ← (N, e, X); sk ← (N, e, x)
    Return (pk, sk)

  P(sk):                               V(pk):
    (N, e, x) ← sk                       (N, e, X) ← pk
    y ←$ Z_N^*; Y ← y^e mod N
    send Y  ----------------------->
            <-----------------------     c ←$ {0,1}^ℓ(k); send c
    z ← x·y^c mod N
    send z  ----------------------->     If z^e = X·Y^c mod N then accept else reject

  - "surfaced" from Shamir-IBS [S84]
  - (statistical) HVZK + POK ⇒ imp-pa secure
  - not imp-aa secure (attack: choose c = 0)

The Shamir-SS scheme

  Kg(1^k):
    (N, e, d) ← Krsa(1^k)
    X ←$ Z_N^*
    x ← X^d mod N
    pk ← (N, e, X); sk ← (N, e, x)
    Return (pk, sk)

  Sign(sk, M):
    (N, e, x) ← sk
    y ←$ Z_N^*
    Y ← y^e mod N
    c ← H(Y, M)
    z ← x·y^c mod N
    σ ← (Y, z)

  Vf(pk, M, σ):
    (N, e, X) ← pk
    (Y, z) ← σ
    c ← H(Y, M)
    If z^e = X·Y^c mod N then accept else reject

The framework: SI to SS [FS86]

  Diagram: SI, IBI, SS, IBS, with the arrow fs-I-2-S from SI to SS

  "canonical" SI scheme (three moves between P(sk) and V(pk)):
    P → V: Cmt
    V → P: Ch
    P → V: Rsp
    V outputs Dec(pk, Cmt, Ch, Rsp)

  fs-I-2-S:
    Sign(sk, M): Ch ← H(Cmt, M); σ ← (Cmt, Rsp)
    Vf(pk, M, σ): Dec(pk, Cmt, H(Cmt, M), Rsp)

  Theorem [AABN02]: SI is imp-pa secure ⇒ SS = fs-I-2-S(SI) is uf-cma secure in the RO model

(The Shamir-SI scheme, shown again unchanged for side-by-side comparison with Shamir-IBI.)

The Shamir-IBI scheme

  MKg(1^k):
    (N, e, d) ← Krsa(1^k)
    mpk ← (N, e); msk ← (N, e, d)
    Return (mpk, msk)

  UKg(msk, ID):
    (N, e, d) ← msk
    X ← H(ID)
    x ← X^d mod N
    usk ← (N, e, x)
    Return usk

  P(usk):                              V(mpk, ID):
    (N, e, x) ← usk                      (N, e) ← mpk
    y ←$ Z_N^*; Y ← y^e mod N
    send Y  ----------------------->
            <-----------------------     c ←$ {0,1}^ℓ(k); send c
    z ← x·y^c mod N
    send z  ----------------------->     If z^e = H(ID)·Y^c mod N then accept else reject

The framework: SI to IBI

  Diagram: SI --fs-I-2-S--> SS; SI --cSI-2-IBI--> IBI; IBS

  Theorem: SI is imp-xx secure ⇒ IBI = cSI-2-IBI(SI) is imp-xx secure in the RO model
  (for each of xx ∈ {pa, aa, ca})

  "convertible" SI scheme:
    Kg(1^k): sample a "trapdoor samplable relation" R;
             sk ← (R, x); pk ← (R, y) such that (x, y) ∈ R

  cSI-2-IBI:
    MKg(1^k): generate relation R with trapdoor t; mpk ← R; msk ← (R, t)
    UKg(msk, ID): y ← H(ID); use t to compute x s.t. (x, y) ∈ R; usk ← (R, x)

(The Shamir-SS scheme, shown again unchanged for side-by-side comparison with Shamir-IBS.)

The Shamir-IBS scheme

  MKg(1^k):
    (N, e, d) ← Krsa(1^k)
    mpk ← (N, e); msk ← (N, e, d)
    Return (mpk, msk)

  UKg(msk, ID):
    (N, e, d) ← msk
    X ← H(ID)
    x ← X^d mod N
    usk ← (N, e, x)
    Return usk

  Sign(usk, M):
    (N, e, x) ← usk
    y ←$ Z_N^*
    Y ← y^e mod N
    c ← H(Y, M)
    z ← x·y^c mod N
    σ ← (Y, z)

  Vf(mpk, ID, M, σ):
    (N, e) ← mpk
    (Y, z) ← σ
    c ← H(Y, M)
    If z^e = H(ID)·Y^c mod N then accept else reject

  = Shamir-IBS as proposed in [S84]

The framework: SS and IBI to IBS

  Diagram: SI --fs-I-2-S--> SS; SI --cSI-2-IBI--> IBI; SS --cSS-2-IBS--> IBS; IBI --fs-I-2-S--> IBS

  SS to IBS: cSS-2-IBS, analogous to cSI-2-IBI ("convertible" SS → IBS); a generalization of [DKXY03]
  Theorem: SS is uf-cma secure ⇒ IBS = cSS-2-IBS(SS) is uf-cma secure in the RO model

  IBI to IBS: "canonical" IBI → IBS
  For a canonical convertible SI scheme X: cSS-2-IBS(fs-I-2-S(X)) = fs-I-2-S(cSI-2-IBI(X))
  Theorem: SI is imp-pa secure ⇒ IBS = fs-I-2-S(cSI-2-IBI(SI)) is uf-cma secure in the RO model
  fs-I-2-S is not security-preserving for canonical IBI schemes in general
  Modified transform efs-IBI-2-IBS: Ch ← H(Cmt, M, ID)
  Theorem: IBI is imp-pa secure ⇒ IBS = efs-IBI-2-IBS(IBI) is uf-cma secure in the RO model
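As an added, runnable illustration of the four Shamir schemes and the transforms around them (Shamir-SI; fs-I-2-S giving Shamir-SS; cSI-2-IBI giving Shamir-IBI, where the trapdoor samplable relation is RSA inversion; and efs-IBI-2-IBS with Ch ← H(Cmt, M, ID)), the following Python is example code written for this page, not code from the paper or its authors. It assumes toy RSA parameters built from two Mersenne primes, SHA-256 standing in for the random oracles H, a 128-bit challenge length ℓ(k), and function names of my own choosing; it also exercises the imp-aa failure mode noted for Shamir-SI: with challenge c = 0 the response z equals the secret x.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA parameters (an assumption of this example, not from the paper):
# a ~216-bit modulus, enough that random Z_N elements are in Z_N^*, far too small for real use.
P_PRIME = (1 << 127) - 1
Q_PRIME = (1 << 89) - 1
E = 65537
ELL = 128  # challenge length l(k) in bits (assumed)

def krsa():
    """Krsa(1^k): RSA key (N, e, d) built from the fixed toy primes above."""
    n = P_PRIME * Q_PRIME
    return n, E, pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))

def rand_zn_star(n):
    """Sample from Z_N^* by rejection (with this N a retry is ~never needed)."""
    while True:
        v = secrets.randbelow(n)
        if v > 1 and gcd(v, n) == 1:
            return v

def h_id(n, ident):
    """Random oracle H(ID) -> Z_N, instantiated with SHA-256 reduced mod N."""
    return int.from_bytes(hashlib.sha256(b"id|" + ident.encode()).digest(), "big") % n

def h_chal(*parts):
    """Random oracle giving an l(k)-bit challenge from (Cmt, M) or (Cmt, M, ID)."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(b"ch|" + data).digest()[:ELL // 8], "big")

# Canonical three-move core shared by Shamir-SI and Shamir-IBI: Cmt, Ch, Rsp, Dec.
def commit(n, e):
    y = rand_zn_star(n)
    return y, pow(y, e, n)                   # prover state y, Cmt = Y = y^e mod N

def respond(n, x, y, c):
    return (x * pow(y, c, n)) % n            # Rsp = z = x * y^c mod N

def decide(n, e, big_x, big_y, c, z):
    return pow(z, e, n) == (big_x * pow(big_y, c, n)) % n   # z^e == X * Y^c mod N ?

def identify(n, e, big_x, x, c=None):
    """One honest run; the verifier draws c at random unless a fixed c is given."""
    y, big_y = commit(n, e)
    if c is None:
        c = secrets.randbits(ELL)
    return decide(n, e, big_x, big_y, c, respond(n, x, y, c))

# fs-I-2-S core: Ch = H(Cmt, tail), sigma = (Cmt, Rsp); tail is (M) or (M, ID).
def fs_sign(n, e, x, *tail):
    y, big_y = commit(n, e)
    return big_y, respond(n, x, y, h_chal(big_y, *tail))

def fs_verify(n, e, big_x, sig, *tail):
    big_y, z = sig
    return decide(n, e, big_x, big_y, h_chal(big_y, *tail), z)

# Shamir-SI: pk = (N, e, X), sk = (N, e, x) with x = X^d mod N.
def si_keygen():
    n, e, d = krsa()
    big_x = rand_zn_star(n)
    return (n, e, big_x), (n, e, pow(big_x, d, n))

def si_run(pk, sk, c=None):
    return identify(pk[0], pk[1], pk[2], sk[2], c)

def si_zero_challenge_reveals_sk(pk, sk):
    """The imp-aa failure noted on the slide: for c = 0 the response is z = x * y^0 = x."""
    y, _ = commit(pk[0], pk[1])
    return respond(pk[0], sk[2], y, 0) == sk[2]

# Shamir-SS = fs-I-2-S(Shamir-SI).
def ss_sign(sk, msg):
    return fs_sign(sk[0], sk[1], sk[2], msg)

def ss_verify(pk, msg, sig):
    return fs_verify(pk[0], pk[1], pk[2], sig, msg)

# Shamir-IBI = cSI-2-IBI(Shamir-SI): relation R = {(x, X): x^e = X mod N}, trapdoor d, y = H(ID).
def ibi_master_keygen():
    n, e, d = krsa()
    return (n, e), (n, e, d)

def ibi_user_keygen(msk, ident):
    n, e, d = msk
    return (n, e, pow(h_id(n, ident), d, n))

def ibi_run(mpk, ident, usk, c=None):
    return identify(mpk[0], mpk[1], h_id(mpk[0], ident), usk[2], c)

# Shamir-IBS = efs-IBI-2-IBS(Shamir-IBI): the identity is bound into the challenge, Ch = H(Cmt, M, ID).
def ibs_sign(usk, ident, msg):
    return fs_sign(usk[0], usk[1], usk[2], msg, ident)

def ibs_verify(mpk, ident, msg, sig):
    return fs_verify(mpk[0], mpk[1], h_id(mpk[0], ident), sig, msg, ident)
```

Correctness of every verifier check rests on the one identity z^e = (x·y^c)^e = X·Y^c mod N, since x^e = X; the IBI and IBS variants differ from the SI and SS ones only in taking X = H(ID) instead of a per-user public value, which is exactly the cSI-2-IBI substitution. Binding ID into the challenge in `ibs_sign` means a signature issued for "Alice" fails verification under "Bob" even though both reduce to the same canonical decision procedure.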

Results for concrete schemes

  Columns: Name | Origin | Name-SI (imp-pa, imp-aa, imp-ca) | Name-IBI (imp-pa, imp-aa, imp-ca) | Name-SS (uf-cma) | Name-IBS (uf-cma)
  Legend: P = proven, I = implied, A = attacked, - = no entry on the slide; the slide colour-codes each entry as either a known result or a new contribution.

  Name         Origin         SI: pa aa ca   IBI: pa aa ca   SS   IBS
  Beth         IBI               -  -  -        P  I  I       -    I
  OkDL         IBI               I  I  I        P  P  P       I    I
  SOK          IBS               P  A  A        I  A  A       I    I
  Hess         IBS               P  P  P        I  I  I       P    I
  Cha-Cheon    IBS               P  P  P        I  I  I       I    P
  Shamir*      SI                P  P  P        I  I  I       I    I
  BNNDL        SI, IBI           I  I  I        P  P  P       I    I
  Girault      SI, IBI           A  A  A        A  A  A       A    A
  Shamir       IBS               P  A  A        I  A  A       I    I
  GQ           IBI, IBS          P  P  P        I  I  I       I    I
  FF           SI, SS            P  P  P        I  I  I       I    I
  It. Root     SI, SS            P  P  -        I  I  -       I    I
  Fiat-Shamir  IBI, IBS          P  P  P        I  I  I       I    I
  OkRSA        SI, IBI, SS       P  P  P        I  I  I       I    I