The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures
Tal Malkin (Columbia Univ.)
Satoshi Obana (NEC and Columbia Univ.)
Moti Yung (Columbia Univ.)
Outline of the Talk
• Brief Overview of Key Evolving Signatures
  – Forward-Secure Signatures (FS)
  – Key-Insulated Signatures (KI)
  – Intrusion-Resilient Signatures (IR)
• Security Hierarchy of Key Evolving Sigs.
  IR KI FS
• Formal Definition of Proxy Signatures
• Characterization of Proxy Signatures
  Proxy KI
The Hierarchy of Key Evolving Signatures
Key Evolving Signatures
• Localize damage of secret key exposure
  – Splitting time into periods: 0,1,…,T
  – Updating secret (signing) key for each period without changing public (verification) key
• Several models exist (for different settings and different security goals)
  – Forward-Secure Signatures (FS) [And97,BM99]
  – Key-Insulated Signatures (KI) [DKXY02]
  – Intrusion-Resilient Signatures (IR) [IR02]
Forward-Secure Signatures
[Diagram of the FS algorithms Gen, Upd, Sign and Vrfy. Labels: Signer; 1^k, T; PK; SK0; SKj-1; SKj; M; <j,sig>; Accept; Reject.]
Security of FS Signature
• The adversary has access to
  – The signing oracle Osig(M,i) outputs the valid signature for the message M in the time period i
  – The key exposure oracle Osec(“s”, j) outputs the secret key SKj of the time period j
• The adversary successfully breaks the scheme if it outputs (M,<i,s>) s.t.
  – (M,i) is never queried to the signing oracle
  – (“s”, i’) is never queried to the key exposure oracle such that i’< i
Key-Insulated Signatures
[Diagram of the KI algorithms Gen, Upd*, Upd, Sign and Vrfy. Labels: Signer; Base, annotated "Securely protected"; 1^k, T; PK; SK*; SK0; SKi; SKj; SK’i,j; i, j; M; <j,sig>.]
KI possesses random access key capability
Security of KI Signature
• The adversary has access to
  – The signing oracle Osig(M,i) outputs the valid signature for the message M in the time period i
  – The key exposure oracle Osec(“s”, j) outputs the secret key SKj of the time period j
• The adversary successfully breaks the scheme if it outputs (M,<i,s>) s.t.
  – (M,i) is never queried to the signing oracle
  – (“s”,i) is never queried to the key exposure oracle
Intrusion-Resilient Signatures
[Diagram of the IR algorithms Gen, Upd*, Upd, Refr*, Refr, Sign and Vrfy. Labels: Signer; Base, annotated "NOT protected"; 1^k, T; PK; SKS0.0; SKB0.0; SKS(j-1).r; SKB(j-1).r; SKUj-1; SKSj.0; SKBj.0; SKRj.r; SKSj.r; SKBj.r; SKSj.(r+1); SKBj.(r+1); M; <j,sig>.]
Security of IR Signature
• The adversary has access to
  – The signing oracle Osig(M,i.r) outputs Sign(SKSi,r, M)
  – The key exposure oracle Osec(query) outputs
    • SKSj,r if query=(“s”, j.r)
    • SKBj.r if query=(“b”, j.r)
    • SKUj and SKRj+1.0 if query=(“u”, j)
    • SKRj.r if query=(“r”, j.r)
• The adversary successfully breaks the scheme if it outputs (M,<i,s>) s.t.
  – (M,i) is never queried to the signing oracle
  – SKSi,r is not exposed by the oracle calls
  – No SKSi’.r’ and SKBi’.r’ are exposed by the oracle calls for any i’<i
Question: Are there any relations among these “similar” models?
Answer: Yes!
Security hierarchy exists among these models!
IR KI FS
Further, all the security reductions are tight (via concrete security analysis)
Theorem (IR KI)
We can construct KI from IR in such a way that if there exists an adversary which breaks KI (constructed from IR), then we can construct an adversary which breaks IR
),,,( secsig qq
),,,( secsig qq
where
• : running time of the adversary
• : success probability of the adversary
• qsig: number of queries to signing oracle
• qsec: number of queries to key exposure oracle
Constructing KI from IR (Gen)
[Diagram of KI Gen built from IR algorithms. Labels: Signer; Base; Gen; Upd; Upd*; Sign; Vrfy; 1^k; Gen(IR); Refr(IR); Refr*(IR); SKB0.0; SKS0.0; SKB0.1; SKS0.1; SKB1.0; SKS1.0; SKS1.1; PK.]
SK*=<SKB0.1,SKS0.1>
SK0=SKS0.1
PK=PK(IR)
Constructing KI from IR (Upd*)
[Diagram of KI Upd* built from IR algorithms. Labels: Signer; Base; Upd; Upd*; Sign; SKi; i, j; Upd(IR); Upd*(IR); Refr(IR); Refr*(IR); SKS2.0; SKS2.1; SKS3.0; SKS3.1; SKSj.0; SKSj.1; SKB1.1; SKB2.0; SKB2.1; SKB3.0; SKB3.1; SKBj.0; SKBj.1.]
SK*=<SKB0.1,SKS0.1>
SK’i,j=SKSj.1
Random access to the key can be achieved
Constructing KI from IR (cont’d)
[Diagram of KI Upd, Sign and Vrfy. Labels: Signer; Base; SK*; Upd; Sign; Vrfy; Sign(IR); Vrfy(IR); M; Accept; Reject.]
SKi=SKSi.1
SK’i,j=SKSj.1
SKj=SKSj.1
PK=PK(IR)
Constructing Oracles
Oracles for KI can also be constructed from oracles for IR as follows:
  – Osig(M, j) = Osig(M, j.1)
  – Osec(“s”, j) = Osec(“s”, j.1)
It is easy to see that if the adversary successfully breaks KI then the adversary also breaks IR with the same output.
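The key schedule and oracle mapping of the KI-from-IR construction above, as an added example that is not code from the talk. Keys are symbolic labels only (no cryptography, and Sign/Vrfy are not modelled); the names SymbolicIR, KIFromIR, label and to_ir_query are hypothetical, and the order in which the base replays the IR update and refresh steps is an assumption read off the slide labels.

```python
class SymbolicIR:
    """Symbolic stand-in for an IR scheme: keys are (name, period, refresh) labels."""
    def gen(self):
        return ("SKB", 0, 0), ("SKS", 0, 0), "PK(IR)"
    def upd_star(self, skb):                 # base: SKBj.r -> SKB(j+1).0 and SKUj
        return ("SKB", skb[1] + 1, 0), ("SKU", skb[1])
    def upd(self, sks, sku):                 # signer: SKSj.r, SKUj -> SKS(j+1).0
        assert sku == ("SKU", sks[1]), "update message is for another period"
        return ("SKS", sks[1] + 1, 0)
    def refr_star(self, skb):                # base: SKBj.r -> SKBj.(r+1) and SKRj.r
        return ("SKB", skb[1], skb[2] + 1), ("SKR", skb[1], skb[2])
    def refr(self, sks, skr):                # signer: SKSj.r, SKRj.r -> SKSj.(r+1)
        assert skr == ("SKR", sks[1], sks[2]), "refresh message does not match key"
        return ("SKS", sks[1], sks[2] + 1)

class KIFromIR:
    """KI algorithms built from IR ones, following the labels on the slides."""
    def __init__(self, ir):
        self.ir = ir
    def _refresh(self, skb, sks):
        skb, skr = self.ir.refr_star(skb)
        return skb, self.ir.refr(sks, skr)
    def gen(self):
        skb, sks, pk = self.ir.gen()
        skb, sks = self._refresh(skb, sks)   # 0.0 -> 0.1
        return (skb, sks), sks, pk           # SK*=<SKB0.1,SKS0.1>, SK0=SKS0.1, PK=PK(IR)
    def upd_star(self, sk_star, i, j):
        skb, sks = sk_star                   # the base holds both IR keys for 0.1 and
        for _ in range(j):                   # replays the chain, so j may be before or after i
            skb, sku = self.ir.upd_star(skb)
            skb, sks = self._refresh(skb, self.ir.upd(sks, sku))
        return sks                           # SK'i,j = SKSj.1
    def upd(self, sk_i, partial_key):
        return partial_key                   # SKj = SK'i,j = SKSj.1

def label(key):
    """Render a symbolic key in the slide notation, e.g. SKS3.1."""
    return f"{key[0]}{key[1]}.{key[2]}"

def to_ir_query(oracle, j, message=None):
    """Map a KI oracle query for period j to the IR query for period j.1."""
    if oracle == "sig":
        return ("Osig", message, f"{j}.1")
    if oracle == "sec":
        return ("Osec", "s", f"{j}.1")
    raise ValueError(f"unknown KI oracle: {oracle}")
```

Because only signer-key queries at refresh index 1 are ever issued, the translated transcript contains no base-key exposure, which is why a KI forgery satisfies the IR winning conditions unchanged.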
Other relations
• KI IR: IR can be constructed from KI by sharing signer keys of KI between the signer and the base of IR
• IR FS: Straightforward (All the algorithms of the signer and the base are put into the signer of FS)
• Both reductions are tight (in the sense of no security loss in the reductions)
A Characterization of Proxy Signatures
Proxy Signatures
• Method of giving (partial) signing right of an entity (delegator) to others (proxy signers)
• Many schemes have been proposed so far, but only a few of them are proven to be secure
• No formal model exists (except [BPW03], which gives a formal model for one-level delegation)
Our Results on Proxy Signatures
• Formal model for “fully hierarchical” proxy signature (based on [BPW03])
• Characterization of proxy signatures via key evolving signature:
Proxy KI
Model of Proxy Signatures
[Diagram of the proxy signature algorithms Gen, Sign, Vrfy, DlgD, DlgP, PSig and PVrf. Labels: Delegator; Proxy Signer; 1^k; SKD; PKD; SKP; PKP; w; SKPD>P; W; M; sig; ps; accept; reject.]
Multi-Level Delegation
If the delegator wants to delegate the signing right which she is delegated from others
[Diagram. Labels: Delegator; Proxy Signer; DlgD; DlgP; PSig; SKP; PKP; PK; wD>P; SKPI>D; WI>D; SKPI>D>P; WI>D>P.]
Self Delegation
If the delegator wants to delegate the signing right to herself (possibly to an insecure device)
[Diagram. Labels: Delegator; Proxy Signer; DlgD; DlgP; SKD; PKD; wD>P.]
Secret key of the delegator is not inputted in the case of self delegation
Security def. of Proxy Signatures
The adversary has access to
  – Signing Oracle Osig
  – Key exposure Oracle Osec
  – Delegation Oracle ODlg interacts with the adversary on behalf of DlgD or DlgP
Proxy signature is secure if the adversary cannot forge a proxy signature (non-proxy signature) when the adversary cannot compute the proxy signing key and the warrant (signing key) through the queries to the oracles
Proxy Sigs. and Key Evolving Sigs.
Some similarities exist
  – Localize the damage of key exposure
  – Prevent non-delegated users (who knows its signing key) from forging the proxy signature
  – Key is evolved for “each time period”
  – Proxy signing key is generated for “each delegation”
Characterization of Proxy Signatures via Key Evolving Signatures (Equivalence between KI and Proxy)
Theorem (Proxy KI)
We can construct KI from Proxy in such a way that if there exists an adversary which breaks KI (constructed from Proxy), then we can construct an adversary which breaks Proxy s.t.
),,,,( DlgPS
secPS
sigPSPSPS qqq
),,,( secKI
sigKIKIKI qq
where
• : running time of the adversary
• : success probability of the adversary
• qA: number of queries to oracle A
secKI
DlgPS
secKI
secPS
sigKI
sigPSKIPSKIPS ,,,, qqqqqq
Theorem (KI Proxy)
We can construct Proxy (with n delegators and the number of self delegations limited to c) from KI in such a way that if there exists an adversary which breaks Proxy (constructed from KI), then we can construct an adversary which breaks KI s.t.
),,,,( DlgPS
secPS
sigPSPSPS qqq
),,,( secKI
sigKIKIKI qq
DlgPS
secPS
secKI
DlgPS
sigPS
sigKI
PSKIPSKI
,
,,
qcqqqqq
Conclusion
• Security Hierarchy of Key Evolving Signatures.
IR KI FS• Formal Definition of Fully
Hierarchical Proxy Signatures
• Characterization of Proxy Signatures
Proxy KI
Thank you!
Difference among the models
Model | Base | Key Evolution | Security
FS | | sequential | Past signatures are protected
KI | Secure | Random access is possible | Signatures of all the uncorrupted time periods are protected
IR | Insecure | sequential | Signatures of all the uncorrupted time periods are protected. Forward Security can be assured even if signer key and base key are corrupted simultaneously