Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Similar documents
Accumulators from Bilinear Pairings and Applications to ID-based Ring Signatures and Group Membership Revocation

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Security Analysis of Some Batch Verifying Signatures from Pairings

An Enhanced ID-based Deniable Authentication Protocol on Pairings

Applied cryptography

A Strong Identity Based Key-Insulated Cryptosystem

ID-Based Blind Signature and Ring Signature from Pairings

Accumulators and U-Prove Revocation

Short Signature Scheme From Bilinear Pairings

Identity-Based Chameleon Hash Scheme Without Key Exposure

Improved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider

Secure Certificateless Public Key Encryption without Redundancy

An Introduction to Pairings in Cryptography

An Anonymous Authentication Scheme for Trusted Computing Platform

An Efficient Signature Scheme from Bilinear Pairings and Its Applications

An Efficient Signature Scheme from Bilinear Pairings and Its Applications

REMARKS ON IBE SCHEME OF WANG AND CAO

Boneh-Franklin Identity Based Encryption Revisited

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Identity Based Undeniable Signatures

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security

A NEW ID-BASED SIGNATURE WITH BATCH VERIFICATION

Generic construction of (identity-based) perfect concurrent signatures

Key-Exposure Free Chameleon Hashing and Signatures Based on Discrete Logarithm Systems

A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System

Pairing-Based Cryptographic Protocols : A Survey

An Efficient ID-based Digital Signature with Message Recovery Based on Pairing

Secure and Practical Identity-Based Encryption

New Identity-based Key-exposure Free Chameleon Hash from Bilinear Pairings

One-Round ID-Based Blind Signature Scheme without ROS Assumption

Multi-key Hierarchical Identity-Based Signatures

Identity-Based Delegated Signatures

Constructing Verifiable Random Number in Finite Field

The Cramer-Shoup Strong-RSA Signature Scheme Revisited

Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings

A Note on the Cramer-Damgård Identification Scheme

Sharing DSS by the Chinese Remainder Theorem

Cryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

PAPER An Identification Scheme with Tight Reduction

Simple SK-ID-KEM 1. 1 Introduction

Public-Key Cryptosystems CHAPTER 4

Public-Key Cryptography. Public-Key Certificates. Public-Key Certificates: Use

A Fair and Efficient Solution to the Socialist Millionaires Problem

Public Key Encryption with Conjunctive Field Keyword Search

A new signature scheme without random oracles from bilinear pairings

Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings

A Direct Anonymous Attestation Scheme for Embedded Devices

Zero-Knowledge Proofs with Witness Elimination

Remove Key Escrow from The Identity-Based Encryption System

[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex

Type-based Proxy Re-encryption and its Construction

Recent Advances in Identity-based Encryption Pairing-based Constructions

PAIRING-BASED IDENTIFICATION SCHEMES

Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95

Cryptography from Pairings

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

Identity Based Proxy Signature from RSA without Pairings

An Improved Online/Offline Identity-based Signature Scheme for WSNs

Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)

An ID-based Server-aided Verification Short Signature Scheme Avoid Key Escrow

Public-key Cryptography and elliptic curves

Ring Signatures without Random Oracles

On the Key-collisions in the Signature Schemes

Pairing-Based Cryptography An Introduction

A New Key Exchange Protocol Based on DLP and FP in Centralizer Near-Ring

Efficient Identity-Based Encryption Without Random Oracles

An Identity-Based Signature from Gap Diffie-Hellman Groups

INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING

Masao KASAHARA. Graduate School of Osaka Gakuin University

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

New Variant of ElGamal Signature Scheme

Pairing-Based Identification Schemes

Efficient Identity-based Encryption Without Random Oracles

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

A Fully-Functional group signature scheme over only known-order group

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Non-interactive Designated Verifier Proofs and Undeniable Signatures

Secure Bilinear Diffie-Hellman Bits

G Advanced Cryptography April 10th, Lecture 11

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Efficient Tate Pairing Computation Using Double-Base Chains

A Pairing-Based DAA Scheme Further Reducing TPM Resources

ABHELSINKI UNIVERSITY OF TECHNOLOGY

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

Introduction to Elliptic Curve Cryptography. Anupam Datta

Lecture 1: Introduction to Public key cryptography

A SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM TO NON-ABELIAN GROUPS

An Identification Scheme Based on KEA1 Assumption

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Sharing a Secret in Plain Sight. Gregory Quenell

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Anonymous Authentication Protocol for Dynamic Groups with Power-Limited Devices

Threshold Undeniable RSA Signature Scheme

The Computational Square-Root Exponent Problem- Revisited

Transcription:

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen University, Guangzhou 510275, P.R.China isdzhfg@zsu.edu.cn 2 Department of Computer Science, Sun Yat-sen University, Guangzhou 510275, P.R.China isschxf@zsu.edu.cn Abstract. An ad-hoc anonymous identification scheme is a new multiuser cryptographic primitive that allows participants from a user population to form ad hoc groups, and then prove membership anonymously in such groups. Recently, Nguyen [11] proposed an ID-based ad-hoc anonymous identification scheme from bilinear pairings. However, in this paper, we propose an attack on Nguyen s ID-based ad-hoc anonymous identification scheme. We show that any one can impersonate a valid group member to perform the anonymous identification protocol successfully. Furthermore, we propose a solution to improve this scheme against our attack. Keywords: Bilinear pairings, Ad-hoc anonymous identification, Attack 1 Introduction Identification schemes allow a prover (say Alice) to securely identify herself to a verifier (say Bob). Secure identification schemes were introduced by Feige, Fiat and Shamir [9,7, 8]. In an anonymous group identification scheme, a member A of a group G can convince B that she is a member of G without revealing any information about her identity. This is a very useful primitive which enables A to control her privacy while enjoying privileges of the groups. For example, being able to enter an office building by proving that she is an employee while ensuring that her entrance to the building will not be logged. Secure group identification systems have been be designed in [2, 10,12,13] using public key cryptography. Ad-hoc anonymous identification was introduced by Dodos et al. at EURO- CRYPT 2004 [6]. An ad-hoc anonymous identification scheme is a new multi-user This work is supported by the National Natural Science Foundation of China (No. 60403007) and Natural Science Foundation of Guangdong Province, China (No. 04205407).

2 cryptographic primitive that allows participants from a user population to form ad hoc groups, and then prove membership anonymously in such groups. An accumulator with one-way domain is the main tool in construction of ad-hoc anonymous identification scheme. Dodos et al. demonstrated the relationship between the accumulator with one-way domain and ad-hoc anonymous identification scheme by presenting a generic construction based on any accumulator with one-way domain. Recently, Nguyen [11] proposed a dynamic accumulator scheme from bilinear pairings and used it to construct an ID-based ad-hoc anonymous identification scheme and identity escrow scheme with membership revocation. However, in this paper, we propose an attack on Nguyen s ID-based ad-hoc anonymous identification scheme. We show that any one can impersonate a valid group member to perform the anonymous identification protocol successfully. Furthermore, we propose a proposal to repair this scheme. The rest of this paper is organized as follows. After introducing bilinear pairings in next section, we review Nguyen s ID-based ad-hoc anonymous identification scheme in brief in Section 3. We propose our attack in Section 4. In section 5, we propose a solution to improve this scheme against our attack. Section 6 concludes the paper. 2 Bilinear Pairings The bilinear pairings, namely the Weil pairing and the Tate pairing of algebraic curves, are important tools for researching on algebraic geometry. In the last couple of years, the bilinear pairings have been found various applications in cryptography. They can be used to realize some cryptographic primitives that were previously unknown or impractical [1]. More precisely, they are basic tools for construction of ID-based cryptographic schemes [3]. Let G 1 be a cyclic additive group generated by P, whose order is a prime p, and G M be a cyclic multiplicative group with the same order p. Let e : G 1 G 1 G M be a bilinear pairing with the following properties: 1. Bilinearity: e(ap, bq) = e(p, Q) ab for all P, Q G 1, a, b Z p ; 2. Non-degeneracy: There exists P, Q G 1 such that e(p, Q) 1, in other words, the map does not send all pairs in G 1 G 1 to the identity in G M ; 3. Computability: There is an efficient algorithm to compute e(p, Q) for all P, Q G 1. We consider the following problems in the additive group (G 1 ; +). Discrete Logarithm Problem (DLP): Given two group elements P and Q, find an integer n Z p, such that Q = np whenever such an integer exists. Computational Diffie-Hellman Problem (CDHP): For a, b Z p, given P, ap, bp, compute abp.

3 3 Review of Nguyen s ID-based ad-hoc anonymous identification scheme We first review Nguyen s ID-based ad-hoc anonymous identification scheme in brief using the same notation as [11]. Nguyen s identity-based ad-hoc anonymous identification scheme is defined as a tuple IA =(Setup, KeyGen, Make-GPK, Make-GSK, IAID P, IAID V ) of PT (polynomial-time) algorithms, which are described as follows. Setup, on a security parameter l, generates the public parameters params = (l, t, t, f, g, Q, Q pub, u, H), here t = (p, G 1, G M, e, P), e : G 1 G 1 G M is a bilinear pairing and P is a generator of G 1. t = (P, P pub = sp,..., s q P), where s R Z p and q is the upper bound on the number of identities to be aggregated. The auxiliary information s can be safely deleted, as it will never be used later. f and g are two functions defined as: f : Z p Z p Z p f(u, x) (x + s)u g : Z p G 1 g(u) up Q R G 1, u, s m R Z p and Q pub = s m Q. H is a collision-free function H : {0, 1} Z p. The master key is mk = s m. KeyGen extracts a private key s id = R id for an identity id as R id = 1 H(id)+s m Q. The user can verifies the private key by checking e(h(id)q + Q pub, R id ) = e(q, Q). Make-GPK, given a set of identities {id i } k i=1, computes the set X= {H(id i)} k i=1 and generates the group public key for the set gpk = V = g(f(u, X)). Make-GSK generates the group secret key gsk for a user id and a set of identities {id i } k i=1 by computing the set X = {H(id i )} k i=1, h id = H(id i ) and the witness W = g(f(u,x )). The group secret key is gsk = (h id, s id, W). (IAID P,IAID V ). This protocol IAID has the common input params and gpk and the prover (user id) also has gsk. It is a combination of the proof that an identity is accumulated and a proof of knowledge of the user private key corresponding to that identity. The protocol proves the knowledge of (h id, R id, W) satisfying equations e(h id Q + Q pub, R id ) = e(q, Q) and e(h id P + P pub, W) = e(p, V ). The details of the identification protocol are shown in Fig. 1. About the correctness and the security analysis of the scheme, please refer to [11]. 4 Cryptanalysis of Nguyen s ID-based ad-hoc anonymous identification scheme In this section, we propose an attack on Nguyen s ID-based ad-hoc anonymous identification scheme. We show that any one can impersonate a valid group member to perform the anonymous identification protocol successfully. This means that the scheme is totally broken.

4 IAID P IAID V r 1, r 2, r 3, r 4, k 1, k 2, k 3, k 4 R Z p U 1 = r 1(h id Q + Q pub ), U 2 = r 1 1 R id U 3 = r 2U 1 + r 3H, S 1 = r 1r 2(h id P + P pub ); S 2 = (r 1r 2) 1 W;T 1 = k 1Q + k 2Q pub + k 3H; T 2 = k 4U 1 + k 3H, T 3 = k 1P + k 2P pub U 1, U 2, U 3, S 1, S 2 T 1, T 2, T 3 e(u 1, U 2) =? e(q, Q) s 1 = k 1 + cr 1r 2h id mod p s 2 = k 2 + cr 1r 2 mod p c e(s 1, S 2)? = e(p, V ) c R Z p s 3 = k 3 + cr 3 mod p s 4 = k 4 + cr 2 mod p s 1, s 2, s 3, s 4 T? 1 = s 1Q + s 2Q pub + s 3H cu 3 T 2? = s 4U 1 + s 3H cu 3 T 3? = s 1P + s 2P pub cs 1 Fig.1. The anonymous identification protocol Assume that A is an adversary, who does not have any valid group member s secret key. However, we show that he can impersonate a valid group member to perform the anonymous identification protocol. The details of the attack are described as follows: The (Setup, KeyGen, Make-GPK, and Make-GSK are same as above description. For the anonymous identification protocol, A can impersonate a valid group member to perform it with IAID V successfully without any secret key as show in Fig. 2. IAID V will accept A, this is because: s 1 Q + s 2 Q pub + s 3 H cu 3 = (k 1 + crr )Q + k 2 Q pub + (k 3 + cr )H c(r U 1 + r H) = k 1 Q + k 2 Q pub + k 3 H + crr Q + cr H c(r rq + r H) = k 1 Q + k 2 Q pub + k 3 H = T 1

5 A IAID V r, r, r, k 1, k 2, k 3, k 4 R Z p U 1 = rq, U 2 = r 1 Q U 3 = r U 1 + r H, S 1 = rr P; S 2 = (rr ) 1 V ; T 1 = k 1Q + k 2Q pub + k 3H; T 2 = k 4U 1 + k 3H, T 3 = k 1P + k 2P pub U 1, U 2, U 3, S 1, S 2 T 1, T 2, T 3 e(u 1, U 2) =? e(q, Q) s 1 = k 1 + crr s 2 = k 2 mod p mod p c e(s 1, S 2)? = e(p, V ) c R Z p s 3 = k 3 + cr mod p s 4 = k 4 + cr mod p s 1, s 2, s 3, s 4 T? 1 = s 1Q + s 2Q pub + s 3H cu 3 T 2? = s 4U 1 + s 3H cu 3 T 3? = s 1P + s 2P pub cs 1 Fig. 2. The impersonation attack s 4 U 1 + s 3 H cu 3 = (k 4 + cr )U 1 + (k 3 + cr )H c(r U 1 + r H) = k 4 U 1 + k 3 H + cr U 1 + cr H cr U 1 cr H = k 4 U 1 + k 3 H = T 2 s 1 P + s 2 P pub cs 1 = (k 1 + crr )P + k 2 P pub crr P = k 1 P + k 2 P pub + crr P crr P = k 1 P + k 2 P pub = T 3

6 From the above impersonation attack, A can convince IAID V that he is a valid group member without any secret key. This means that the scheme is totally broken. In [11], the author also designs an ID-based ring signature scheme and an identity escrow scheme with membership revocation using his ID-based adhoc anonymous identification scheme. Because of the above attack on the IDbased ad-hoc anonymous identification scheme, both the ID-based ring signature scheme and the identity escrow scheme with membership revocation are insecure. 5 Improvements At the anonymous identification phase, the prover will convince a verifier that she has a valid group certificate without revealing any information about her certificate. The identification protocol proves the knowledge of (h id, R id, W) satisfying the equations e(h id Q + Q pub, R id ) = e(q, Q) and e(h id P + P pub, W) = e(p, V ). In Nguyen s ID-based ad-hoc anonymous identification scheme, IAID P provides U 1, U 2, U 3, S 1, S 2 to IAID V which satisfy e(u 1, U 2 ) = e(q, Q) and e(s 1, S 2 ) = e(p, V ). Meanwhile, IAID P provides IAID V a proof that he knows the representations of U 3 about Q, Q pub and H, U 3 about U 1 and H, S 1 about P and P pub. Our attack on Nguyen s ID-based ad-hoc anonymous identification scheme is based on follow facts: The commitments U 1, U 2, U 3, S 1, S 2, T 1, T 2, T 3 in the anonymous identification phase are not fixed, they can be different and random at each performance. Even the representation of U 3 about Q pub is zero, we still can give a proof that we know the representations of U 3 about Q, Q pub and H. Our attack is due to these facts. To avoid such an attack, a simple solution is to employ a proof that the representation of U 3 about Q pub (and/or S 1 about P pub ) is not zero, or it lies in an interval [1, q 1], i.e., ZKP {(α, β, γ) U 3 = αq + βq pub + γh β [1, p 1]}. Such protocols can be found at [4, 5]. 6 Conclusion Ad-hoc anonymous identification scheme is a new and very useful cryptographic primitive. In this paper, we propose an attack on Nguyen s ID-based ad-hoc anonymous identification scheme. We show that any one can impersonate a valid group member to perform the anonymous identification protocol successfully. This means that the scheme is broken. Meanwhile, we propose a solution to improve the scheme against our attack.

7 References 1. P. S. L. M. Barreto, The Pairing-Based Crypto Lounge. Available at http://planeta.terra.com.br/informatica/paulobarreto/pblounge.html. 2. D. Boneh and M. Franklin, Anonymous authentication with subset queries, In Proceedings of 6th ACM-CCS, pp.73-82. ACM press, 1999. 3. D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, Advances in Cryptology-Crypto 2001, LNCS 2139, pp.213-229, Springer-Verlag, 2001. 4. F. Boudot, Efficient proofs that a committed number lies in an interval, Advances in Cryptology-Eurocrypt 2000, LNCS 1807, pp.431-444, Springer-Verlag, 2000. 5. A. Chan, Y. Frankel, and Y. Tsiounis, Easy come easy go divisible cash, Advances in Cryptology-Eurocrypt 1998, LNCS 1403, pp. 561-575, Springer-Verlag, 1998. 6. Y. Dodis, A. Kiayias, A. Nicolosi, and V. Shoup, Anonymous identification in Ad Hoc groups, Advances in Cryptology-Eurocrypt 2004, LNCS 3027, pp. 609-626, Springer-Verlag, 2004. 7. U. Feige, A. Fiat, and A. Shamir, Zero knowledge proofs of identity, In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing (STOC 87), pp. 210-217, New York City, 1987. 8. U. Feige, A. Fiat, and A. Shamir, Zero knowledge proofs of identity, Journal of Cryptology. 1: 77-94. 1988. 9. A. Fiat and A. Shamir, How to prove yourself: practical solutions to identification and signature problems, Advances in Cryptology-Crypto 1986, LNCS 263, pp. 186-194, Springer-Verlag, 1987. 10. C. H. Lee, X. Deng, and H. Zhu, Design and security analysis of anonymous group identification protocols, PKC 2002, LNCS 2274, pp. 188-198, Springer-Verlag, 2002. 11. L. Nguyen, Accumulators from bilinear pairings and applications, CT-RSA 2005, LNCS 3376, pp. 275-292, Springer-Verlag, 2005. 12. A. D. Santis, G. D. Crescenzo and G. Persiano, Communication-efficient anonymous group identification, In Proceedings of 5th Conference on Computer and Communications Security, 1998, pp.73-82. ACM press, 1998. 13. A. D. Santis, G. D. Crescenzo, G. Persiano and M. Yung, On monotone formula closure of SZK, in Proceedings of 35th IEEE Symposium on Foundations of Computer Science (FOCS 94), pp.454-465, 1994.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback