Provably Secure Identity-Based Identification Schemes and Transitive Signatures

Title: Security Proofs for Identity-Based Identification and Signature Schemes
Author: Gregory Neven

Slides: 34
Learn more at: http://www.neven.org
1
Provably Secure Identity-Based Identification Schemes and Transitive Signatures
Katholieke Universiteit Leuven
Faculteit Toegepaste Wetenschappen
Departement Computerwetenschappen
  • ir. Gregory Neven
  • Advisors: Prof. Dr. ir. Frank Piessens, Prof. Dr. ir. Bart De Decker

2
Overview
  • Introduction: Provable security
  • Identity-based identification schemes (joint work with Mihir Bellare and Chanathip Namprempre)
      • Concept
      • Framework of transforms
      • Summary of results
  • Transitive signatures (joint work with Mihir Bellare)
      • Concept
      • Node certification technique
      • Summary of results
  • Conclusion

3
Standard digital signatures (SS)
Diffie-Hellman, 1976
[Diagram: Kg takes 1^k and outputs (pk, sk); Sign uses sk to produce (M, σ); Vf uses pk on (M, σ) and outputs acc/rej]
Cryptography: study of mathematical techniques for information security
4
Standard identification (SI) schemes
[Diagram: Kg takes 1^k and outputs (pk, sk); prover P holds sk and pk, verifier V holds pk; after interacting with P, V outputs acc/rej]
Cryptography: study of mathematical techniques for information security
5
Provable security
  • Until 1980s: ad-hoc design
      • secure until proven insecure
  • More recently: provable security [GMR88]
      • Step 1: security notion
          • meaning of security of the scheme
      • Step 2: security proof
          • only way to break scheme is by
              • solving supposedly hard mathematical problem
              • breaking underlying cryptographic building block
  • From theoreticians' toy to industry-relevant property

6
Step 1: Security notion
  • Desirable properties of signature scheme
      • infeasible to compute sk from pk

[Diagram labels: pk; (M1,σ1) … (Mn,σn); sk]
7
Step 1: Security notion
  • Desirable properties
      • infeasible to compute sk from pk
      • unforgeability
          • even after seeing valid signatures
          • on messages chosen by adversary
  • Security (uf-cma)
      • no reasonable algorithm has non-negligible probability of winning game

[Diagram (uf-cma game): forger F receives pk, sends messages Mi to the oracle Sign(sk,·) and receives σi, then outputs (M,σ) such that Vf(pk,M,σ) = acc]
8
Step 2: Security proof
  • By contradiction
      • suppose such algorithm F exists
      • then reasonable algorithm A exists that
          • solves supposedly hard mathematical problem
          • breaks underlying cryptographic building block

[Diagram: A takes a hard problem instance as input and outputs a solution]
9
Mathematically hard problems
  • Factoring
      • Given N = pq where p, q large primes
      • Find p, q
  • RSA
      • Given N = pq where p, q large primes; e where gcd(e, φ(N)) = 1 and φ(N) = (p-1)(q-1); y ∈ Z_N*
      • Find x such that x^e = y mod N
  • Discrete logarithms
      • Given p large prime; g generator of Z_p*; y ∈ Z_p*
      • Find x such that g^x = y mod p
      • (Also subgroups of Z_p*, elliptic curves)





10
Random oracle model
  • Cryptographic hash function H
      • one-wayness: given y, finding x s.t. H(x) = y is hard
      • collision-resistance: finding x1, x2 s.t. H(x1) = H(x2) is hard
  • Random oracle model [BR93b]
      • H behaves as an unpredictable, truly random function
      • unsatisfiable assumption
          • no longer proof, only (good) heuristic
          • counterexamples known [CGH98, Nie02, GK03, BBP04]
      • provable security for practical schemes
          • counterexamples mostly contrived
          • proof in RO model preferable over ad-hoc design

[Diagram: H maps x ∈ {0,1}* to y ∈ {0,1}^k]
11
Overview
  • Introduction: Provable security
  • Identity-based identification schemes (joint work with Mihir Bellare and Chanathip Namprempre)
      • Concept
      • Framework of transforms
      • Summary of results
  • Transitive signatures (joint work with Mihir Bellare)
      • Concept
      • Node certification technique
      • Summary of results
  • Conclusion

12
Identity-based signatures (IBS)
[Diagram: Sign produces (M, σ); Vf, given pk, takes (M, σ) and outputs acc/rej]
13
Identity-based signatures (IBS)
Shamir, 1984
[Diagram: MKg takes 1^k and outputs (mpk, msk); UKg takes msk and the identity "Alice" and outputs usk_A; Sign uses usk_A to produce (M, σ); Vf uses mpk and "Alice" on (M, σ) and outputs acc/rej]
14
Identity-based identification (IBI)
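Shamir, 1984
[Diagram: MKg takes 1^k and outputs (mpk, msk); UKg takes msk and the identity "Alice" and outputs usk_A; prover P holds usk_A and mpk, verifier V holds mpk and "Alice"; after interacting with P, V outputs acc/rej]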
15
State of the area prior to this work
  • IBI schemes
      • many proposed [FS86, Bet88, GQ89, Gir90, Oka93]
      • no appropriate security notion
      • proofs under non-ID-based notion or entirely lacking
  • IBS schemes
      • many proposed [Sha84, FS86, GQ89, SOK00, Pat02, CC03, Hes03, Yi03]
      • good security definition [CC03]
      • general transform: trapdoor SS to IBS [DKXY03]
      • some gaps remain

16
Our contributions
  • Security definitions for IBI schemes
  • Framework of security-preserving transforms
  • Security proofs for 12 scheme families
  • by implication through transforms
  • by surfacing and proving unanalyzed SI schemes
  • by proving as IBI schemes directly (exceptions)
  • Attack on 1 scheme family

17
Security of IBS and IBI schemes
  • IBS schemes: uf-cma security [CC03]
  • IBI schemes: imp-pa, imp-aa, imp-ca security
      • Learning phase: Initialize and Corrupt oracles; see conversation transcripts (pa), interact with provers sequentially (aa) or in parallel (ca)
      • Attack phase: impersonate uncorrupted identity ID_break of adversary's choice. Oracles blocked off for ID = ID_break

[Diagram (IBS uf-cma game): forger F receives mpk and has access to the oracles Initialize (input ID), Sign(usk_ID,·) (input M, ID; output σ) and Corrupt (input ID; output usk_ID); F outputs (ID, M, σ)]
18
The framework
  • SI to SS: fs-I-2-S
      • canonical SI → SS [FS86]

[Diagram: SI, IBI, SS, IBS; arrow SI → SS labelled fs-I-2-S]
Theorem: SI is imp-pa secure ⇒ SS = fs-I-2-S(SI) is uf-cma secure in the random oracle model [AABN02]
19
The framework
  • SI to SS: fs-I-2-S
      • canonical SI → SS [FS86]
  • SI to IBI: cSI-2-IBI
      • convertible SI → IBI

[Diagram: SI, IBI, SS, IBS; arrows SI → SS labelled fs-I-2-S and SI → IBI labelled cSI-2-IBI]
Theorem: SI is imp-xx secure ⇒ IBI = cSI-2-IBI(SI) is imp-xx secure in the random oracle model
20
The framework
  • SI to SS: fs-I-2-S
      • canonical SI → SS [FS86]
  • SI to IBI: cSI-2-IBI
      • convertible SI → IBI
  • SS to IBS: cSS-2-IBS
      • convertible SS → IBS
      • generalization of [DKXY03]

[Diagram: SI, IBI, SS, IBS; arrows SI → SS labelled fs-I-2-S, SI → IBI labelled cSI-2-IBI and SS → IBS labelled cSS-2-IBS]
Theorem: SS is uf-cma secure ⇒ IBS = cSS-2-IBS(SS) is uf-cma secure in the random oracle model
21
The framework
  • SI to SS: fs-I-2-S
      • canonical SI → SS [FS86]
  • SI to IBI: cSI-2-IBI
      • convertible SI → IBI
  • SS to IBS: cSS-2-IBS
      • convertible SS → IBS
      • generalization of [DKXY03]
  • IBI to IBS: fs-I-2-S
      • canonical converted IBI → IBS
      • cSS-2-IBS(fs-I-2-S(SI)) = fs-I-2-S(cSI-2-IBI(SI))
      • not security-preserving for all IBI

[Diagram: SI, IBI, SS, IBS; arrows SI → SS and IBI → IBS labelled fs-I-2-S, SI → IBI labelled cSI-2-IBI, SS → IBS labelled cSS-2-IBS]
22
The framework
  • SI to SS: fs-I-2-S
      • canonical SI → SS [FS86]
  • SI to IBI: cSI-2-IBI
      • convertible SI → IBI
  • SS to IBS: cSS-2-IBS
      • convertible SS → IBS
      • generalization of [DKXY03]
  • IBI to IBS: fs-I-2-S
      • canonical converted IBI → IBS
      • cSS-2-IBS(fs-I-2-S(SI)) = fs-I-2-S(cSI-2-IBI(SI))
      • not security-preserving for all IBI
  • IBI to IBS: efs-IBI-2-IBS
      • canonical IBI → IBS

[Diagram: SI, IBI, SS, IBS; arrows SI → SS and IBI → IBS labelled fs-I-2-S, a second arrow IBI → IBS labelled efs-IBI-2-IBS, SI → IBI labelled cSI-2-IBI, SS → IBS labelled cSS-2-IBS]
Theorem: IBI is imp-pa secure ⇒ IBS = efs-IBI-2-IBS(SS) is uf-cma secure in the random oracle model
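
An added illustration, not part of the presentation: the two transforms cSI-2-IBI and fs-I-2-S applied to GQ, one of the scheme families in the results table. The GQ protocol equations are the standard ones and are not spelled out on the slides; the toy modulus, SHA-256 as the random oracle and all function names are assumptions made for this example.

```python
import hashlib, secrets

# Toy RSA master key (two Mersenne primes); far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # mpk = (N, E), E prime
MSK = pow(E, -1, (P - 1) * (Q - 1))      # msk = d
CHL_SPACE = 2**16                        # challenges are smaller than E

def H(tag, *parts, mod):
    """Random-oracle stand-in: SHA-256 reduced into the requested range."""
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod

def ukg(msk, identity):
    """cSI-2-IBI: the GQ public value becomes H(ID); usk is its e-th root."""
    return pow(H("id", identity, mod=N), msk, N)

def commit():
    """Prover, move 1: pick random y, send Y = y^e."""
    y = secrets.randbelow(N - 2) + 2
    return y, pow(y, E, N)

def respond(usk, y, chl):
    """Prover, move 3: z = y * usk^chl."""
    return y * pow(usk, chl, N) % N

def accepts(identity, Y, chl, z):
    """Verifier: z^e == Y * H(ID)^chl, using only mpk and the identity."""
    return pow(z, E, N) == Y * pow(H("id", identity, mod=N), chl, N) % N

def ibs_sign(usk, message):
    """fs-I-2-S: replace the verifier's challenge by a hash of (Y, M)."""
    y, Y = commit()
    return Y, respond(usk, y, H("chl", Y, message, mod=CHL_SPACE))

def ibs_verify(identity, message, sig):
    """Recompute the hashed challenge and run the IBI verifier's check."""
    Y, z = sig
    return accepts(identity, Y, H("chl", Y, message, mod=CHL_SPACE), z)

if __name__ == "__main__":
    usk = ukg(MSK, "alice")
    y, Y = commit()
    chl = secrets.randbelow(CHL_SPACE)   # verifier's move 2
    print("IBI run accepted:", accepts("alice", Y, chl, respond(usk, y, chl)))
    print("IBS verifies:", ibs_verify("alice", "hello", ibs_sign(usk, "hello")))
```

The 16-bit challenge space gives a cheating prover a 2^-16 chance per run in the interactive protocol, which is why the hashed variant needs a much larger challenge space in practice.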
23
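Results for concrete schemes

| Name | Origin | SI pa | SI aa | SI ca | IBI pa | IBI aa | IBI ca | SS uf-cma | IBS uf-cma |
|---|---|---|---|---|---|---|---|---|---|
| Fiat-Shamir | IBI, IBS | P | P | P | I | I | I | I | I |
| It. Root | SI, SS | P | P | ? | I | I | ? | I | I |
| FF | SI, SS | P | P | P | I | I | I | I | I |
| GQ | IBI, IBS | P | P | P | I | I | I | I | I |
| OkRSA | SI, IBI, SS | P | P | P | I | I | I | I | I |
| Shamir | IBS | P | A | A | I | A | A | I | I |
| Shamir | SI | P | P | P | I | I | I | I | I |
| Girault | SI, IBI | A | A | A | A | A | A | A | A |
| SOK | IBS | P | A | A | I | A | A | I | I |
| Hess | IBS | P | P | P | I | I | I | P | I |
| Cha-Cheon | IBS | P | P | P | I | I | I | I | P |
| Beth | IBI | P | ? | ? | I | ? | ? | I | I |
| OkDL | IBI | I | I | I | P | P | P | I | I |
| BNNDL | SI, IBI | I | I | I | P | P | P | I | I |

Legend: P = proved; I = implied; A = attacked; ? = open problem. New contributions are marked on the slide.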
24
Overview
  • Introduction: Provable security
  • Identity-based identification schemes (joint work with Mihir Bellare and Chanathip Namprempre)
      • Concept
      • Framework of transforms
      • Summary of results
  • Transitive signatures (joint work with Mihir Bellare)
      • Concept
      • Node certification technique
      • Summary of results
  • Conclusion

25
Transitive signatures
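  • Micali-Rivest, 2002
  • Message is pair of nodes i,j
  • Signing i,j = creating and authenticating edge i,j
  • An authenticated graph grows with time

[Diagram: TKg takes 1^k and outputs (tpk, tsk); TSign uses tsk on i,j and outputs σi,j; TVf uses tpk on i,j and σi,j and outputs acc/rej. Example graph on nodes 1 to 5 with signed edges σ1,2, σ2,3 and σ4,5]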
26
Transitive signatures
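  • Additional composition algorithm
  • Authenticated graph is transitive closure of directly signed edges

[Diagram: TKg takes 1^k and outputs (tpk, tsk); TSign uses tsk on i,j and outputs σi,j; TVf uses tpk on i,j and σi,j and outputs acc/rej; Comp uses tpk to combine σ1,2 and σ2,3 into σ1,3. Example graph on nodes 1 to 5 with signed edges σ1,2, σ2,3 and σ4,5 and composed edge σ1,3]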
27
Security of transitive signatures
  • Standard uf-cma security definition doesn't apply
      • composition allows some extent of forgery
  • New security goal [MR02b]
      • computationally infeasible to forge signatures not in transitive closure of the edges signed directly by the signer
      • even under chosen-edge attack

[Diagram: forger F receives tpk, queries the oracle TSign(tsk,·,·) on edges 1,2; 2,3; 4,5 and receives σ1,2, σ2,3, σ4,5; F outputs 1,4 and σ1,4]
28
Node certification technique
  • For each node i, the signer

[Diagram: graph on nodes 1, 2, 3]
29
Eliminating node certificates
  • For each node i, the signer
      • computes public label y_i = H(i)

[Diagram: graph on nodes 1, 2, 3 with public labels y1, y2, y3]
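
An added illustration, not part of the presentation: a toy version of the hash-based RSA construction (RSAH-TS in the scheme table) showing TSign, TVf and Comp with public labels y_i = H(i), so no node certificates are needed. The algebra (secret label x_i = y_i^d, edge signature x_i/x_j) is the standard description of that scheme and is not spelled out on the slides; the small modulus, SHA-256 as H and all function names are assumptions made for this example.

```python
import hashlib

# Toy RSA parameters (two Mersenne primes); far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # tpk = (N, E)
TSK = pow(E, -1, (P - 1) * (Q - 1))      # tsk = d

def label(i):
    """Public node label y_i = H(i), computable by anyone."""
    digest = hashlib.sha256(b"node:%d" % i).digest()
    return int.from_bytes(digest, "big") % N

def tsign(tsk, i, j):
    """Signer: secret labels x = y^d, edge signature sigma_ij = x_i / x_j mod N."""
    x_i, x_j = pow(label(i), tsk, N), pow(label(j), tsk, N)
    return x_i * pow(x_j, -1, N) % N

def tvf(i, j, sigma):
    """Verifier: accept iff sigma^e * y_j == y_i (mod N)."""
    return pow(sigma, E, N) * label(j) % N == label(i)

def comp(sigma_ij, sigma_jk):
    """Anyone: compose edges i-j and j-k into i-k without tsk."""
    return sigma_ij * sigma_jk % N

def flip(sigma_ij):
    """The graph is undirected: the signature for (j, i) is the inverse."""
    return pow(sigma_ij, -1, N)

def demo():
    # Edges signed directly, as in the slides: 1-2, 2-3 and 4-5.
    s12, s23, s45 = tsign(TSK, 1, 2), tsign(TSK, 2, 3), tsign(TSK, 4, 5)
    s13 = comp(s12, s23)
    return {
        "direct edge verifies": tvf(1, 2, s12),
        "composed 1-3 verifies": tvf(1, 3, s13),
        "composed equals signer's own": s13 == tsign(TSK, 1, 3),
        "reverse 3-1 verifies": tvf(3, 1, flip(s13)),
        "naive 1-4 combination rejected": not tvf(1, 4, comp(s12, s45)),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last check only shows that multiplying signatures from different components does not yield a valid edge; the security claim itself rests on the one-more RSA assumption in the random oracle model, as listed in the table.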
30
Scheme contributions

| Scheme | Security assumptions | Random oracle? | Signature length |
|---|---|---|---|
| Trivial | Security of SS scheme | No | O(path) |
| DL-TS | Security of SS scheme; Discrete logarithms | No | 4416 bits (SDL), 2708 bits (EC) |
| RSA-TS | Security of SS scheme; One-more RSA | No | 5120 bits |
| Fact-TS | Security of SS scheme; Factoring | No | 5120 bits |
| DL1m-TS | Security of SS scheme; One-more discrete logarithms | No | 4256 bits (SDL), 2548 bits (EC) |
| Gap-TS | Security of SS scheme; One-more Gap-DH | No | 2558 bits |
| RSAH-TS | One-more RSA | Yes | 1024 bits |
| FactH-TS | Factoring | Yes | 1024 bits |
| GapH-TS | One-more Gap-DH | Yes | 170 bits |

Legend: SDL = subgroup discrete log; EC = elliptic curve. New contributions are marked on the slide.
31
Overview
  • Introduction: Provable security
  • Identity-based identification schemes (joint work with Mihir Bellare and Chanathip Namprempre)
      • Concept
      • Framework of transforms
      • Summary of results
  • Transitive signatures (joint work with Mihir Bellare)
      • Concept
      • Node certification technique
      • Summary of results
  • Conclusion

32
Summary of contributions
  • Identity-based identification and signature
    schemes
  • Security notion for IBI schemes
  • Framework of security-preserving transforms
  • Proofs for 12 scheme families, attack for 1
    family
  • Direct proofs as IBI schemes for 2 families
  • Transitive signature schemes
  • Security proof for RSA-TS scheme
  • New provably secure schemes based on factoring,
    discrete logarithms and Gap-DH groups
  • Hash-based technique to eliminate node
    certificates

33
Open problems
  • Open problems in proofs for IBI/IBS schemes
  • Tighter bounds for IBI/IBS schemes through direct proofs
  • Provably secure identity-based cryptography without random oracles
  • Directed transitive signatures
  • Signature scheme such that
      • Sign(sk1,pk2), Sign(sk2,M) → Sign(sk1,M)
      • to compress certificate chains

34
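Results for concrete schemes
[Empty table template with columns: Name; Origin; Name-SI (pa, aa, ca); Name-IBI (pa, aa, ca); Name-SS (uf-cma); Name-IBS (uf-cma)]
Legend: P = proved; I = implied; A = attacked; ? = open problem. New contributions are marked on the slide.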
35
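Results for concrete schemes

| Name | Origin | Name-SI pa | Name-SI aa | Name-SI ca | Name-IBI pa | Name-IBI aa | Name-IBI ca | Name-SS uf-cma | Name-IBS uf-cma |
|---|---|---|---|---|---|---|---|---|---|
| Fiat-Shamir | IBI, IBS | P | P | P | I | I | I | I | I |
| It. Root | SI, SS | P | P | ? | I | I | ? | I | I |
| FF | SI, SS | P | P | P | I | I | I | I | I |
| GQ | IBI, IBS | P | P | P | I | I | I | I | I |
| OkRSA | SI, IBI, SS | P | P | P | I | I | I | I | I |
| Shamir | IBS | P | A | A | I | A | A | I | I |
| Shamir | SI | P | P | P | I | I | I | I | I |
| Girault | SI, IBI | A | A | A | A | A | A | A | A |
| SOK | IBS | P | A | A | I | A | A | I | I |
| Hess | IBS | P | P | P | I | I | I | P | I |
| Cha-Cheon | IBS | P | P | P | I | I | I | I | P |
| Beth | IBI | P | ? | ? | I | ? | ? | I | I |
| OkDL | IBI | I | I | I | P | P | P | I | I |
| BNNDL | SI, IBI | I | I | I | P | P | P | I | I |

Legend: P = proved; I = implied; A = attacked; ? = open problem. New contributions are marked on the slide.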
36
Scheme contributions

| Scheme | Security assumptions | Random oracle? | Signature length |
|---|---|---|---|
| Trivial | Security of SS scheme | No | O(path) |
| DL-TS | Security of SS scheme; Discrete logarithms | No | 4416 bits (SDL), 2708 bits (EC) |
| RSA-TS | Security of SS scheme; One-more RSA | No | 5120 bits |
| Fact-TS | Security of SS scheme; Factoring | No | 5120 bits |
| DL1m-TS | Security of SS scheme; One-more discrete logarithms | No | 4256 bits (SDL), 2548 bits (EC) |
| Gap-TS | Security of SS scheme; One-more Gap-DH | No | 2558 bits |
| RSAH-TS | One-more RSA | Yes | 1024 bits |
| FactH-TS | Factoring | Yes | 1024 bits |
| GapH-TS | One-more Gap-DH | Yes | 170 bits |

Legend: SDL = subgroup discrete log; EC = elliptic curve. New contributions are marked on the slide.
37
Scheme contributions
[Empty table template with columns: Scheme; Security assumptions; Random oracle?; Signature length]
Legend: SDL = subgroup discrete log; EC = elliptic curve. New contributions are marked on the slide.