GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks

Transcription

1 GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks [Mihir Bellare, Adriana Palacio] Iliopoulos Fotis School of Electrical and Computer Engineering National Technical University of Athens January 28, 2013 F. Iliopoulos (NTUA) Crypto Project January 28, / 12

2 Introduction What is an Identfication Scheme? Prover - holds Secret Key Verifer - verifies the identity of the prover Zero Knowledge Fiat-Shamir Identification Scheme F. Iliopoulos (NTUA) Crypto Project January 28, / 12

3 Security under different kinds of attacks Passive Attack - The adversary obtains transcript of interractions between the prover and verifier. Active Attack - The adversary as a cheating verifier - interacts with the prover before impersonation attempt Concurrent Attack - The adversary as cheating verifierinteracts with many differnt prover-clones concurrently F. Iliopoulos (NTUA) Crypto Project January 28, / 12

4 Impersonation under Concurrent Attack A game with two phases 1 Impersonator acts as a cheating verifier, interracts with multiple prover clones (all the same pk) 2 Impersonator acts as a cheating prover interactig with the verifier While concurrent attacks, phase 1 is completed before phase 2 stars Model for ATMs, smart cards - not for Internet! F. Iliopoulos (NTUA) Crypto Project January 28, / 12

5 GQ Identification Scheme - Initialisation AlgorithmK(k) (N, e, d) K rsa (k) x R Z N X x e mod N pk N, e, X sk (N, x) Return(pk, sk) F. Iliopoulos (NTUA) Crypto Project January 28, / 12

6 GQ Identification Scheme - Interaction Prover P Verifier V y R Z N Y y e mod N z yx c mod N Y c z c R {0, 1} l(k) If z e YX c mod N then d 1 else d 0 F. Iliopoulos (NTUA) Crypto Project January 28, / 12

7 Schnorr - Initialisation AlgorithmK(k) (q, g) K dl (k) x R Z q X g x pk (q, g, X ) sk (q, x) Return(pk, sk) F. Iliopoulos (NTUA) Crypto Project January 28, / 12

8 Schnorr Identification Scheme - Interaction Prover P Verifier V y R Z q Y g y z y + cx mod q Y c z c R {0, 1} l(k) If g z YX c then d 1 else d 0 F. Iliopoulos (NTUA) Crypto Project January 28, / 12

9 Main Results GQ ID is secure against impersonation under concurrent attacks if RSA is secure under one or more inversions Schnorr ID is secure against impersonation under concurrent attacks if DL is secure under one or more inversions in the underlying group First proofs for security of this kind Turns the problem of security into a number theoretic problem F. Iliopoulos (NTUA) Crypto Project January 28, / 12

10 RSA security under one or more inversions assumption An rsa-omi adversary is a randomized polynomial-time algorithm I, inputs N,e and access to two oracles RSA-inversion Oracle: given Y Z N returns Y d mod N Challenge Oracle: Returns a random challenge point W Z N Adversary wins if outputs the RSA inverse of every chalenge -output of Challenge Oracle - and also the number of queries to RSA-inversion oracle is stricly less than to Challenge oracle F. Iliopoulos (NTUA) Crypto Project January 28, / 12

11 Main Theorem Theorem Let ID = (K, P, V) be the GQ identification scheme associated to prime-exponent RSA key generator K RSA and challenge length l. Let A = ( ˆV, ˆP) be an imp-ca adversary of time complexity t( ) attacking ID. Then there exists an rsa-omi adversary I attacking K rsa such that for every k Adv imp ca ID,A (k) 2 l(k) + Adv rsa omi K rsa,i (k) (1) Furthermore, the time complexity of I is 2t(k) + O(k 4 + (n(k) + 1) l(k) k 2 ), where n(k) is the number of prover clones with which ˆV interacts. F. Iliopoulos (NTUA) Crypto Project January 28, / 12

12 Proof Sketch 1 Reset lemma: Upper bounds the probability that a cheating prover can convince the verifier to accept as a function of the probability that a certain experiment based on resetting the prover yields two accepting conversation transcripts. 2 I can simulate the envivorment of adversary A (via oracles) 3 The probability that I wins is equal to the probability that the cheating prover manages two accepting conversation transcripts given that the verifier s challanges are different. F. Iliopoulos (NTUA) Crypto Project January 28, / 12