Constructing Provably-Secure Identity-Based Signature Schemes

Similar documents
Schnorr Signature. Schnorr Signature. October 31, 2012

Constructing Provably Secure Identity-Based Signature Schemes.

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Katz, Lindell Introduction to Modern Cryptrography

Digital Signatures. Adam O Neill based on

Digital Signatures from Challenge-Divided Σ-Protocols

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

Short Signatures Without Random Oracles

Design Validations for Discrete Logarithm Based Signature Schemes

A Security Proof of KCDSA using an extended Random Oracle Model

Some Security Comparisons of GOST R and ECDSA Signature Schemes

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

An Identification Scheme Based on KEA1 Assumption

Multi-key Hierarchical Identity-Based Signatures

Lecture 18: Message Authentication Codes & Digital Signa

Simple Schnorr Multi-Signatures with Applications to Bitcoin

A short identity-based proxy ring signature scheme from RSA

Transitive Signatures Based on Non-adaptive Standard Signatures

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

A Lightweight Identity Based Signature Scheme

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

II. Digital signatures

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

An Efficient ID-based Digital Signature with Message Recovery Based on Pairing

One-Round ID-Based Blind Signature Scheme without ROS Assumption

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Foundations of Cryptography

Provable Security Proofs and their Interpretation in the Real World

Certificate-Based Signature Schemes without Pairings or Random Oracles

VI. The Fiat-Shamir Heuristic

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

A DL Based Short Strong Designated Verifier Signature Scheme with Low Computation

Tightly-Secure Signatures From Lossy Identification Schemes

Efficient Identity-Based Encryption Without Random Oracles

March 19: Zero-Knowledge (cont.) and Signatures

Security Arguments for Digital Signatures and Blind Signatures

Identity-based encryption

On the Big Gap Between p and q in DSA

PAPER An Identification Scheme with Tight Reduction

Boneh-Franklin Identity Based Encryption Revisited

2 Message authentication codes (MACs)

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Authentication. Chapter Message Authentication

Identity Based Deterministic Signature Scheme Without Forking-Lemma

Evaluation Report on the ECDSA signature scheme

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

Identity Based Undeniable Signatures

Improved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider

Provably Secure Partially Blind Signatures

A NEW ID-BASED SIGNATURE WITH BATCH VERIFICATION

Applied cryptography

Efficient Identity-based Encryption Without Random Oracles

Digital Signatures. p1.

Anonymous Proxy Signature with Restricted Traceability

Digital signature schemes

G Advanced Cryptography April 10th, Lecture 11

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures

Identity-Based Identification Schemes

[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Q B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h

The Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes

Introduction to Elliptic Curve Cryptography

Ring Signatures without Random Oracles

Efficient Certificateless Online/Offline Signature with tight security

Identity Based Proxy Signature from RSA without Pairings

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Round-Optimal ID-Based Blind Signature Schemes without ROS Assumption

Security Analysis of Some Batch Verifying Signatures from Pairings

SIS-based Signatures

PROPERTY PRESERVING SYMMETRIC ENCRYPTION REVISITED

Certificateless Signcryption without Pairing

Cryptographical Security in the Quantum Random Oracle Model

Proxy Re-Signature Schemes without Random Oracles

Anonymous Signatures Made Easy

A Strong Identity Based Key-Insulated Cryptosystem

From 5-pass MQ-based identification to MQ-based signatures

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

Ring Group Signatures

RSA and Rabin Signatures Signcryption

Concurrent Non-malleable Commitments from any One-way Function

John Hancock enters the 21th century Digital signature schemes. Table of contents

Uninstantiability of Full-Domain Hash

A New Certificateless Blind Signature Scheme

Gentry IBE Paper Reading

Cryptography and Security Final Exam

On the Impossibility of Tight Cryptographic Reductions

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Lecture 1: Introduction to Public key cryptography

REMARKS ON IBE SCHEME OF WANG AND CAO

Introduction to Cryptography

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Notes on Zero Knowledge

Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model)

ID-based tripartite key agreement with signatures

Searchable encryption & Anonymous encryption

New Approach for Selectively Convertible Undeniable Signature Schemes

Transcription:

Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013

Overview Table of contents Background Formal Definitions Schnorr Signature and Oracle Replay Attack General Forking Galindo-Garcia IBS Galindo-Garcia IBS Multiple-Forking Lemma Security Argument GG-IBS, Improved Intuition (In)Dependence for Random Oracles Transformation Conclusion

Overview Contents Background Formal Definitions Schnorr Signature and Oracle Replay Attack General Forking Galindo-Garcia IBS Galindo-Garcia IBS Multiple-Forking Lemma Security Argument GG-IBS, Improved Intuition (In)Dependence for Random Oracles Transformation Conclusion

Identity-Based Cryptography Introduced by Shamir in 1984. Any arbitrary string can be used as public key. Certificate management can be avoided. A trusted private key generator (PKG) generates secret keys. PKG mpk msk Alice Bob

Identity-Based Cryptography Introduced by Shamir in 1984. Any arbitrary string can be used as public key. Certificate management can be avoided. A trusted private key generator (PKG) generates secret keys. PKG mpk msk Alice usk A Bob

Identity-Based Cryptography Introduced by Shamir in 1984. Any arbitrary string can be used as public key. Certificate management can be avoided. A trusted private key generator (PKG) generates secret keys. PKG mpk msk Alice usk A Alice Bob

Identity-Based Cryptography Introduced by Shamir in 1984. Any arbitrary string can be used as public key. Certificate management can be avoided. A trusted private key generator (PKG) generates secret keys. PKG mpk msk Alice usk A Alice Bob Bob usk B

Identity-Based Signatures IBS: digital signatures extended to identity-based setting PKG usk id mpk Signer (σ; (id, m)) Verifier

Identity-Based Signatures IBS: digital signatures extended to identity-based setting PKG usk id mpk Signer (σ; (id, m)) Verifier Focus of the work: construction of IBS schemes 1. Concrete IBS based on Schnorr signature 2. Generic construction from a weaker model

Overview Contents Background Formal Definitions Schnorr Signature and Oracle Replay Attack General Forking Galindo-Garcia IBS Galindo-Garcia IBS Multiple-Forking Lemma Security Argument GG-IBS, Improved Intuition (In)Dependence for Random Oracles Transformation Conclusion

Public-Key Signature Consists of three PPT algorithms {K, S, V }: Key Generation, K(κ) Used by the signer to generate the key-pair (pk,sk) pk is published and the sk kept secret Signing, S sk (m) Used by the signer to generate signature on some message m The secret key sk used for signing Verification, V pk (σ, m) Used by the verifier to validate a signature Outputs 1 if σ is a valid signature on m; else, outputs 0

Identity-Based Signature Consists of four PPT algorithms {G, E, S, V }: Set-up, G(κ) Used by PKG to generate the master key-pair (mpk,msk) mpk is published and the msk kept secret Key Extraction, E msk (id) Used by PKG to generate the user secret key (usk) usk is then distributed through a secure channel Signing, S usk (id, m) Used by the signer (with identity id) to generate signature on some message m The user secret key usk used for signing Verification, V mpk (σ, id, m) Used by the verifier to validate a signature Outputs 1 if σ is a valid signature on m by the user with identity id; otherwise, outputs 0

STANDARD SECURITY MODELS

Security Model for PKS: EU-CMA C O s pk (ˆσ; ˆm) A Existential unforgeability under chosen-message attack 1. C generates key-pair (pk, sk) and passes pk to A 2. A allowed: Signature Queries through an oracle O s 3. Forgery: A wins if (ˆσ; ˆm) is valid and non-trivial Adversary s advantage in the game: [ ] Pr 1 V pk (ˆσ; ˆm) : (sk, pk) $ K(κ); (ˆσ; ˆm) $ A O s (pk)

Security Model for IBS: EU-ID-CMA mpk A CO {s,ε} (ˆσ; ( id, ˆ ˆm)) Existential unforgeability with adaptive identity under chosen-message attack 1. C generates key-pair (mpk, msk) and passes mpk to A 2. A allowed: Signature Queries, Extract Queries 3. Forgery: A wins if (ˆσ; ( id, ˆ ˆm)) is valid and non-trivial Adversary s advantage in the game: [ ] Pr 1 V mpk (ˆσ; ( id, ˆ ˆm)) : (msk, mpk) $ G(κ); (ˆσ; ( id, ˆ ˆm)) $ A O {s,ε}(mpk)

SCHNORR SIGNATURE AND ORACLE REPLAY ATTACK

Schnorr Signature: Features Derived from Schnorr identification (FS Transform) Uses one hash function Security: Based on discrete-log assumption Hash function modelled as a random oracle (RO) Argued using (random) oracle replay attacks

Schnorr Signature: Construction The Setting: 1. We work in group G = g of prime order p. 2. A hash function H : {0, 1} Z p is used. Key Generation: 1. Select z U Z p as the sk 2. Set Z := g z as the pk Signing: U 1. Select r Z p, set R := g r and c := H(m, R). 2. The signature on m is σ := (y, R) where y := r + zc Verification: 1. Let σ := (y, R) and c := H(m, R). 2. σ is valid if g y = RZ c

Oracle Replay Attack Random oracle H i th RO query Q i replied with s i Π H C Π H Q i s i Π A Adversary re-wound to Q I Simulation in round 1 from Q I using a different random function s I s γ Q I +1 Q γ round 0 s 1 Q 1 Q 2 Q I s I Q I +1 Q γ round 1 s γ

Oracle Replay Attack Random oracle H i th RO query Q i replied with s i. Π H C Π H Q i s i Π A 1. Adversary re-wound to Q I Simulation in round 1 from Q I using a different random function s I s γ Q I +1 Q γ round 0 s 1 Q 1 Q 2 Q I s I Q I +1 Q γ round 1 s γ

Oracle Replay Attack Random oracle H i th RO query Q i replied with s i. Π H C Π H Q i s i Π A 1. Adversary re-wound to Q I 2. Simulation in round 1 from Q I using a different random function s I s γ Q I +1 Q γ round 0 s 1 Q 1 Q 2 Q I s I Q I +1 Q γ round 1 s γ

Security of Schnorr Signature, In Brief C DLP = (G, g, p, g α ) DLP B SS pk := EU-NMA SS A α H ˆσ = ((y, R); ˆm) c Q I +1 Q γ ˆσ 0 = ((y = r + αc, R); ˆm) round 0 Q 1 Q 2 Q I : H( ˆm, R) α = y y c c c Q I +1 Q γ ˆσ 1 = ((y = r + αc, R); ˆm) round 1

Cost of Oracle Replay Attack Forking Lemma [PS00]: bounds success probability of the oracle replay attack (frk) in terms of 1. success probability of the adversary (ɛ) 2. bound on RO queries (q) DLP O(q/ɛ 2 ) Schnorr Signature Analysis done using the Splitting Lemma [PS00] Pointcheval and Stern. Security arguments for digital signatures and blind signatures. JoC, 13 [Seu12] Seurin. On the exact security of Schnorr-type signatures in the random oracle model. Eurocrypt 12

Cost of Oracle Replay Attack Forking Lemma [PS00]: bounds success probability of the oracle replay attack (frk) in terms of 1. success probability of the adversary (ɛ) 2. bound on RO queries (q) DLP O(q/ɛ 2 ) Schnorr Signature Analysis done using the Splitting Lemma The cost: security degrades by O (q) More or less optimal [Seu12] [PS00] Pointcheval and Stern. Security arguments for digital signatures and blind signatures. JoC, 13 [Seu12] Seurin. On the exact security of Schnorr-type signatures in the random oracle model. Eurocrypt 12

General-Forking Lemma Forking Lemma is something purely probabilistic, not about signatures [BN06] Abstract version of the Forking Lemma Separates out details of simulation (of adversary) from analysis A wrapper algorithm used as intermediary 1. Simulate protocol environment to A 2. Simulate RO as specified by S [BN06] Bellare and Neven. Multi-signatures in plain public-key model and a general forking lemma. CCS 06

General-Forking Lemma Forking Lemma is something purely probabilistic, not about signatures [BN06] Abstract version of the Forking Lemma Separates out details of simulation (of adversary) from analysis A wrapper algorithm used as intermediary 1. Simulate protocol environment to A 2. Simulate RO as specified by S S A Structure of a wrapper call: (I, σ) W (x, s 1,..., s q ; ρ)

General-Forking Lemma Forking Lemma is something purely probabilistic, not about signatures [BN06] Abstract version of the Forking Lemma Separates out details of simulation (of adversary) from analysis A wrapper algorithm used as intermediary 1. Simulate protocol environment to A 2. Simulate RO as specified by S S S A W A Structure of a wrapper call: (I, σ) W (x, s 1,..., s q ; ρ) [BN06] Bellare and Neven. Multi-signatures in plain public-key model and a general forking lemma. CCS 06

...General-Forking Lemma... General-Forking Algorithm F W (x) Pick coins ρ for W at random {s 1,..., s q } U S; (I, σ) W (x, s 1,..., s q ; ρ) /round 0 if (I = 0) then return (0,, ) {s I 0,..., s q } U S; (I, σ ) W (x, s 1,..., s I 1, s I,..., s q ; ρ) /round 1 if (I = I s I s I ) then return (1, σ, σ ) else return (0,, )

...General-Forking Lemma... General-Forking Algorithm F W (x) Pick coins ρ for W at random {s 1,..., s q } U S; (I, σ) W (x, s 1,..., s q ; ρ) /round 0 if (I = 0) then return (0,, ) {s I 0,..., s q } U S; (I, σ ) W (x, s 1,..., s I 1, s I,..., s q ; ρ) /round 1 if (I = I s I s I ) then return (1, σ, σ ) else return (0,, ) General-Forking Lemma: bounds success probability of the oracle replay attack (frk) in terms of 1. success probability of W (acc) 2. bound on RO queries (q) frk acc 2 /q

Overview Contents Background Formal Definitions Schnorr Signature and Oracle Replay Attack General Forking Galindo-Garcia IBS Galindo-Garcia IBS Multiple-Forking Lemma Security Argument GG-IBS, Improved Intuition (In)Dependence for Random Oracles Transformation Conclusion

Galindo-Garcia IBS: Features Derived from Schnorr signature scheme nesting [GG09] Based on the discrete-log (DL) assumption Efficient, simple and does not use pairing Uses two hash functions Security argued using nested replay attacks [GG09] Galindo and Garcia. A Schnorr-like lightweight identity-based signature scheme. Africacrypt 09

Galindo-Garcia IBS: Construction Setting: 1. We work in a group G = g of prime order p. 2. Two hash functions H, G : {0, 1} Z p are used. Set-up: 1. Select z U Z p as the msk; set Z := g z as the mpk Key Extraction: U 1. Select r Z p and set R := g r. 2. Return usk := (y, R) as the usk, where y := r + zc and c := H(id, R). Signing: 1. Select a U Z p and set A := g a. 2. Return σ := (b, R, A) as the signature, where b := a + yd and d := G(id, m, A).

MULTIPLE FORKING

Multiple Forking: Overview Introduced by Boldyreva et al. [BPW12] Motivation: General Forking: elementary replay attack restricted to one RO and single replay attack Multiple Forking: nested replay attack two ROs and multiple (n) replay attacks [BPW12] Boldyreva et al.. Secure proxy signature schemes for delegation of signing rights. JoC, 25. [CMW12] Chow et al.. Zero-knowledge argument for simultaneous discrete logarithms. Algorithmica, 64(2)

Multiple Forking: Overview Introduced by Boldyreva et al. [BPW12] Motivation: General Forking: elementary replay attack restricted to one RO and single replay attack Multiple Forking: nested replay attack two ROs and multiple (n) replay attacks Used in [BPW12] to argue security of a DL-based proxy SS Used further in 1. Galindo-Garcia IBS 2. Chow et al. Zero-Knowledge Argument [CMW12] [BPW12] Boldyreva et al.. Secure proxy signature schemes for delegation of signing rights. JoC, 25. [CMW12] Chow et al.. Zero-knowledge argument for simultaneous discrete logarithms. Algorithmica, 64(2)

Multiple-Forking Algorithm Multiple-Forking Algorithm M W,3 Pick coins ρ for W at random {s 0 1,..., s0 q } U S; (I 0, J 0, σ 0) W (x, s 0 1,..., s0 q ; ρ) /round 0 if ((I 0 = 0) (J 0 = 0)) then return (0, ) {s 1 I 0,..., s 1 q } U S; (I 1, J 1, σ 1) W (x, s 0 1,..., s 0 I0 1, s1 I,..., s 1 0 q ; ρ) /round 1 ( ) if (I 1, J 1) (I 0, J 0) (s 1 I = s 0 0 I ) then return (0, ) 0 {s 2 J 0,..., s 2 q } U S; (I 2, J 2, σ 2) W (x, s 0 1,..., s 0 J0 1, s2 J,..., s 2 0 q ; ρ) /round 2 ( ) if (I 2, J 2) (I 0, J 0) (s 2 J = s 1 0 J ) then return (0, ) 0 {s 3 I 2,..., s 3 q} U S; (I 3, J 3, σ 3) W (x, s 0 1,..., s 0 J0 1, s2 J,..., s 2 0 I 2 1, s 3 I2,..., s 3q; ρ) /round 3 if ((I 3, J 3) (I 0, J 0) (s 3 I 0 = s 2 I 0)) then return (0, ) return (1, {σ 0,..., σ 3})

...Multiple-Forking Algorithm... d 0 Q 0 I 0 +1 Q 0 q ˆσ 0 /round 0 Q 0 J 0 +1 Q 0 I 0 c 0 d 1 Q 1 I 0 +1 Q 1 q ˆσ 1 /round 1 Q 0 1 Q 0 2 Q 0 J 0 c 1 d 2 Q I 1 +1 2 Q 2 q ˆσ 2 /round 2 Q 2 J 0 +1 Q 2 I 0 d 3 Q 3 I 1 +1 Q 3 q ˆσ 3 /round 3

Multiple-Forking Lemma Multiple-Forking Lemma: bounds success probability of nested replay attack (mfrk) in terms of 1. success probability of W (acc) 2. bound on RO queries (q) 3. number of rounds of forking (n) mfrk acc n+1 /q 2n

Multiple-Forking Lemma Multiple-Forking Lemma: bounds success probability of nested replay attack (mfrk) in terms of 1. success probability of W (acc) 2. bound on RO queries (q) 3. number of rounds of forking (n) mfrk acc n+1 /q 2n Follows from condition F : (I n, J n ) = (I n 1, J n 1 ) =... = (I 0, J 0 ) Degradation: O ( q 2n) Cost per forking (involving two ROs): O ( q 2)

SECURITY ARGUMENT

Original Security Argument Two reductions: B 1 and B 2 depending on the type of adversary (event E and Ē) DLP GG-IBS U E Ē B 1 B 2

Original Security Argument Two reductions: B 1 and B 2 depending on the type of adversary (event E and Ē) DLP GG-IBS U E Ē B 1 B 2 Reduction Success Prob. ( ) Forking Algorithm B 1 ɛ 2 /q 3 G General Forking (F W ) B 2 ɛ 4 /(q H q G ) 6 Multiple Forking (M W,3 )

Original Security Argument: Flaws We found several problems with B 1 and B 2 1. B 1 : Fails in the standard security model for IBS 2. B 2 : All the adversarial strategies were not covered Simulation is distinguishable from real execution! [CKK12] Chatterjee et al.. Galindo-Garcia identity-based signature, revisited. ICISC 12

Original Security Argument: Flaws We found several problems with B 1 and B 2 1. B 1 : Fails in the standard security model for IBS 2. B 2 : All the adversarial strategies were not covered Simulation is distinguishable from real execution! Contribution: fixed the security argument Slightly tighter reduction [CKK12] [CKK12] Chatterjee et al.. Galindo-Garcia identity-based signature, revisited. ICISC 12

Fixed Security Argument Type Ē further split: type F and F F: A makes target G(,, ) before target H(, ) (G < H) U E Ē R 1 F F R 2 R 3 1. R 1 addresses problems with B 1 + Coron s Technique 2. R 2 covers unaddressed adversarial strategy in B 2 (i.e., H < G) 3. R 3 same as the original reduction B 2

Fixed Security Argument Reduction Success Prob. ( ) Forking Used R 1 ɛ 2 q G q ε F W R 2 ɛ 2 (q H +q G ) 2 M W,1 R 3 ɛ 4 (q H +q G ) 6 M W,3

Reduction R 3 C DLP = (G, g, p, g α ) DLP R 3 GG mpk := EU-ID-CMA GG A α H,G ˆσ = ((ˆb, ˆR, Â); ( ˆ id, ˆm)) d 0 Q 0 I 0 +1 Q 0 q ˆσ 0 = (ˆb 0, ˆR, Â0) round 0 Q 0 J 0 +1 Q 0 I 0 : G(îd, ˆm 0, Â0) Q 0 1 Q 0 2 Q 0 J 0 : H(îd, ˆR) c 0 d 1 Q 1 I 0 +1 Q 1 q ˆσ 1 = (ˆb 1, ˆR, Â 0 ) round 1 c 1 d 2 Q I 1 +1 2 Q 2 q ˆσ 2 = (ˆb 2, ˆR, Â2) round 2 Q 2 J 0 +1 Q 2 I 0 : G( ˆ id, ˆm 2, Â 2 ) d 3 Q 3 I 1 +1 Q 3 q ˆσ 3 = (ˆb 3, ˆR, Â 2 ) round 3

Degradation Degradation: O ( q 6) Reason: cost per forking is O ( q 2)

Degradation Degradation: O ( q 6) Reason: cost per forking is O ( q 2) Can we improve?

Overview Contents Background Formal Definitions Schnorr Signature and Oracle Replay Attack General Forking Galindo-Garcia IBS Galindo-Garcia IBS Multiple-Forking Lemma Security Argument GG-IBS, Improved Intuition (In)Dependence for Random Oracles Transformation Conclusion

The Intuition Recall, condition F : (I 3, J 3 ) = (I 2, J 2 ) = (I 1, J 1 ) = (I 0, J 0 ) Q 0 I 0 +1 Q 0 q round 0 Q 0 J 0 +1 Q 0 I 0 : G( ˆ id, ˆm 0, Â 0 ) Q 1 I 0 +1 Q 1 q round 1 Q 0 1 Q 0 2 Q 0 J 0 : H(îd, ˆR) Q I 1 +1 2 Q 2 q round 2 Q 2 J 0 +1 Q 2 I 0 : G( ˆ id, ˆm 2, Â2) Q 3 I 1 +1 Q 3 q round 3

The Intuition Recall, condition F : (I 3, J 3 ) = (I 2, J 2 ) = (I 1, J 1 ) = (I 0, J 0 ) Q 0 I 0 +1 Q 0 q round 0 Q 0 J 0 +1 Q 0 I 0 : G( ˆ id, ˆm 0, Â 0 ) Q 1 I 0 +1 Q 1 q round 1 Q 0 1 Q 0 2 Q 0 J 0 : H(îd, ˆR) Q I 1 +1 2 Q 2 q round 2 Q 2 J 0 +1 Q 2 I 0 : G( ˆ id, ˆm 2, Â2) Observations: 1. Independence condition O 1 : I 2 need not equal I 0 Q 3 I 1 +1 Q 3 q round 3

The Intuition Recall, condition F : (I 3, J 3 ) = (I 2, J 2 ) = (I 1, J 1 ) = (I 0, J 0 ) Q 0 I 0 +1 Q 0 q round 0 Q 0 J 0 +1 Q 0 I 0 : G( ˆ id, ˆm 0, Â 0 ) Q 1 I 0 +1 Q 1 q round 1 Q 0 1 Q 0 2 Q 0 J 0 : H(îd, ˆR) Q I 1 +1 2 Q 2 q round 2 Q 2 J 0 +1 Q 2 I 0 : G( ˆ id, ˆm 2, Â2) Q 3 I 1 +1 Q 3 q round 3 Observations: 1. Independence condition O 1 : I 2 need not equal I 0 2. Dependence condition O 2 : (I 1 = I 0 ) can imply (J 1 = J 0 )

The Intuition Recall, condition F : (I 3, J 3 ) = (I 2, J 2 ) = (I 1, J 1 ) = (I 0, J 0 ) Q 0 I 0 +1 Q 0 q round 0 Q 0 J 0 +1 Q 0 I 0 : G( ˆ id, ˆm 0, Â 0 ) Q 1 I 0 +1 Q 1 q round 1 Q 0 1 Q 0 2 Q 0 J 0 : H(îd, ˆR) Q I 1 +1 2 Q 2 q round 2 Q 2 J 0 +1 Q 2 I 0 : G( ˆ id, ˆm 2, Â2) Q 3 I 1 +1 Q 3 q round 3 Observations: 1. Independence condition O 1 : I 2 need not equal I 0 2. Dependence condition O 2 : (I 1 = I 0 ) can imply (J 1 = J 0 ) (similarly (I 3 = I 2 ) can imply (J 3 = J 2 ))

...The Intuition... Effect of O 1 and O 2 on F : (I 3, J 3 ) = (I 2, J 2 ) = (I 1, J 1 ) = (I 0, J 0 ) O 1 : I 2 need not equal I 0 (I 3, J 3 ) = (I 2, J 2 ) (J 2 = J 0 ) (I 1, J 1 ) = (I 0, J 0 ) O 2 : (I 1 = I 0 ) = (J 1 = J 0 ) and (I 3 = I 2 ) = (J 3 = J 2 ) (I 3 = I 2 = I 1 = I 0 ) (J 2 = J 0 )

...The Intuition... Effect of O 1 and O 2 on F : (I 3, J 3 ) = (I 2, J 2 ) = (I 1, J 1 ) = (I 0, J 0 ) O 1 : I 2 need not equal I 0 (I 3, J 3 ) = (I 2, J 2 ) (J 2 = J 0 ) (I 1, J 1 ) = (I 0, J 0 ) O 2 : (I 1 = I 0 ) = (J 1 = J 0 ) and (I 3 = I 2 ) = (J 3 = J 2 ) (I 3 = I 2 = I 1 = I 0 ) (J 2 = J 0 ) Together, O 1 & O 2 : (I 3 = I 2 ) (I 1 = I 0 ) (J 2 = J 0 )

...The Intuition... Effect of O 1 and O 2 on F : (I 3, J 3 ) = (I 2, J 2 ) = (I 1, J 1 ) = (I 0, J 0 ) O 1 : I 2 need not equal I 0 (I 3, J 3 ) = (I 2, J 2 ) (J 2 = J 0 ) (I 1, J 1 ) = (I 0, J 0 ) O 2 : (I 1 = I 0 ) = (J 1 = J 0 ) and (I 3 = I 2 ) = (J 3 = J 2 ) (I 3 = I 2 = I 1 = I 0 ) (J 2 = J 0 ) Together, O 1 & O 2 : (I 3 = I 2 ) (I 1 = I 0 ) (J 2 = J 0 ) Intuitively, degradation reduced to O ( q 3) In general, degradation reduced to O (q n )

MORE ON (IN)DEPENDENCE

Inducing RO Dependence Consider round 0 and round 1 of simulation for GG-IBS Q 0 J 0 : H( ˆ id, ˆR) d 0 c 0 Q 0 I 0 : G( id, ˆ ˆm 0, Â 0 ) Q 0 I 0 +1 round 0 d 1 Q 1 I 0 +1 round 1

Inducing RO Dependence Consider round 0 and round 1 of simulation for GG-IBS Q 0 J 0 : H( ˆ id, ˆR) d 0 c 0 Q 0 I 0 : G( id, ˆ ˆm 0, Â 0 ) Q 0 I 0 +1 round 0 d 1 Q 1 I 0 +1 round 1 Need to explicitly ensure that (J 1 = J 0 )

Inducing RO Dependence Consider round 0 and round 1 of simulation for GG-IBS Q 0 J 0 : H( ˆ id, ˆR) d 0 c 0 Q 0 I 0 : G( id, ˆ ˆm 0, Â 0 ) Q 0 I 0 +1 round 0 d 1 Q 1 I 0 +1 round 1 Need to explicitly ensure that (J 1 = J 0 ) Q 0 J 0 : H( ˆ id, ˆR) d 0 c 0 Q 0 I 0 : G( id, ˆ ˆm 0, Â 0, c 0 ) Q 0 I 0 +1 round 0 d 1 Q 1 I 0 +1 round 1

Inducing RO Dependence Consider round 0 and round 1 of simulation for GG-IBS Q 0 J 0 : H( ˆ id, ˆR) d 0 c 0 Q 0 I 0 : G( id, ˆ ˆm 0, Â 0 ) Q 0 I 0 +1 round 0 d 1 Q 1 I 0 +1 round 1 Need to explicitly ensure that (J 1 = J 0 ) Q 0 J 0 : H( ˆ id, ˆR) d 0 c 0 Q 0 I 0 : G( id, ˆ ˆm 0, Â 0, c 0 ) Q 0 I 0 +1 round 0 Hence, (I 1 = I 0 ) = (J 1 = J 0 )! d 1 Q 1 I 0 +1 round 1

...Inducing RO Dependence... Definition (RO Dependence) An RO H 2 is η-dependent on RO H 1 (H 1 H 2 ) if: 1. (1 J < I q) and 2. Pr[(J J) (I = I )] η

...Inducing RO Dependence... Definition (RO Dependence) An RO H 2 is η-dependent on RO H 1 (H 1 H 2 ) if: 1. (1 J < I q) and 2. Pr[(J J) (I = I )] η Claim (Binding induces dependence) Binding H 2 to H 1 induces a RO dependence H 1 H 2 with η b := q 1 (q 1 1)/ R 1. q 1 : upper bound on queries to H 1 R 1 : range of H 1

Galindo-Garcia IBS with Binding Setting: 1. We work in a group G = g of prime order p. 2. Two hash functions H, G : {0, 1} Z p are used. Set-up: 1. Select z U Z p as the msk; set Z := g z as the mpk Key Extraction: U 1. Select r Z p and set R := g r. 2. Return usk := (y, R) as the usk, where y := r + zc and c := H(id, R). Signing: 1. Select a U Z p and set A := g a. 2. Return σ := (b, R, A) as the signature, where b := a + yd and d := G(m, A, c).

Effects of (In)Dependence Enables better (but involved) analysis Imparts a structure to underlying set of random tapes Analysis using the Splitting Lemma (twice) in place of an Extended Splitting Lemma

Effects of (In)Dependence Enables better (but involved) analysis Imparts a structure to underlying set of random tapes Analysis using the Splitting Lemma (twice) in place of an Extended Splitting Lemma Effective degradation for GG-IBS: O ( q 3) Cost per forking (involving two ROs): O (q)

The Conceptual Wrapper Observations better formulated using a conceptual wrapper Clubs two (consecutive) executions of the original wrapper Denoted by Z (I k, J k, σ k ), (I k+1, J k+1, σ k+1 )) Z ( x, S k, S k+1 ; ρ ) Q 0 I 0 +1 Q 0 q round 0 Q 0 J 0 +1 Q 0 I 0 Q 1 I 0 +1 Q 1 q round 1 Q 0 1 Q 0 2 Q 0 J 0 Q I 1 +1 2 Q 2 q round 2 Q 2 J 0 +1 Q 2 I 0 Q 3 I 1 +1 Q 3 q round 3

The Conceptual Wrapper Observations better formulated using a conceptual wrapper Clubs two (consecutive) executions of the original wrapper Denoted by Z (I k, J k, σ k ), (I k+1, J k+1, σ k+1 )) Z ( x, S k, S k+1 ; ρ ) Q 0 I 0 +1 Q 0 q round 0 Q 0 J 0 +1 Q 0 I 0 Q 1 I 0 +1 Q 1 q round 1 Q 0 1 Q 0 2 Q 0 J 0 Q I 1 +1 2 Q 2 q round 2 Q 2 J 0 +1 Q 2 I 0 Q 3 I 1 +1 Q 3 q round 3

Abstracting (In)Dependence Index Dependence: It is possible to design protocols such that, for the k th invocation of Z, (I k+1 = I k ) = (J k+1 = J k ). Index Independence: It is not necessary for the I indices across Z to be the same I k need not be equal to I k 2, I k 4,..., I 0 for k = 2, 4,..., n 1 [CK13a] Chatterjee and Kamath. A Closer Look at Multiple Forking: Leveraging (In)dependence for a Tighter Bound IACR eprint archive, 2013/651

Abstracting (In)Dependence Index Dependence: It is possible to design protocols such that, for the k th invocation of Z, (I k+1 = I k ) = (J k+1 = J k ). Index Independence: It is not necessary for the I indices across Z to be the same I k need not be equal to I k 2, I k 4,..., I 0 for k = 2, 4,..., n 1 We formulated a unified model for multiple forking [CK13a] Four different cases depending on applicability of O 1 & O 2 [CK13a] Chatterjee and Kamath. A Closer Look at Multiple Forking: Leveraging (In)dependence for a Tighter Bound IACR eprint archive, 2013/651

Overview Contents Background Formal Definitions Schnorr Signature and Oracle Replay Attack General Forking Galindo-Garcia IBS Galindo-Garcia IBS Multiple-Forking Lemma Security Argument GG-IBS, Improved Intuition (In)Dependence for Random Oracles Transformation Conclusion

Construction of IBS from sid-ibs sid Model: a weaker model Adversary has to, beforehand, commit to the target identity Goal: construct ID-secure IBS from sid-secure IBS 1. without random oracles 2. with sub-exponential degradation Tools used: 1. Chameleon Hash Function (CHF) 2. GCMA-secure PKS [CK13b] Chatterjee and Kamath. From selective-id to full-id IBS without random oracles. SPACE 13

Construction of IBS from sid-ibs sid Model: a weaker model Adversary has to, beforehand, commit to the target identity Goal: construct ID-secure IBS from sid-secure IBS 1. without random oracles 2. with sub-exponential degradation Tools used: 1. Chameleon Hash Function (CHF) 2. GCMA-secure PKS Main result: EU-ID-CMA-IBS (EU-sID-CMA-IBS)+(EU-GCMA-PKS)+(CR-CHF) Further: EU-ID-CMA-IBS (EU-wID-CMA-IBS)+(EU-GCMA-PKS)+(CR-CHF) [CK13b] Chatterjee and Kamath. From selective-id to full-id IBS without random oracles. SPACE 13

Overview Contents Background Formal Definitions Schnorr Signature and Oracle Replay Attack General Forking Galindo-Garcia IBS Galindo-Garcia IBS Multiple-Forking Lemma Security Argument GG-IBS, Improved Intuition (In)Dependence for Random Oracles Transformation Conclusion

Conclusions: Conclusion and Future Work Identified flaws in security argument of GG-IBS Came up with a tighter security bound for GG-IBS Constructed IBS from weaker IBS Future directions: Is the bound optimal? Other applications for RO dependence? Γ-protocols [YZ13] Extended Forking Lemma [YADV+12] Other techniques to induce RO dependence [YZ13] Yao and Zhao. Online/offline signatures for low-power devices. IEEE IFS, 8(2) [YADV+12] Yousfi-Alaoui et al.. Extended Security Arguments for Signature Schemes. Africacrypt 12

THANK YOU!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback