Enforcing honesty of certification authorities: Tagged one-time signature schemes

Similar documents
Authentication. Chapter Message Authentication

Lattice-based DAPS and Generalizations

Digital signature schemes

Lecture 18: Message Authentication Codes & Digital Signa

1 Number Theory Basics

Katz, Lindell Introduction to Modern Cryptrography

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Lecture 1. Crypto Background

II. Digital signatures

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Protean Signature Schemes

Hash-based signatures & Hash-and-sign without collision-resistance

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Uninstantiability of Full-Domain Hash

2 Message authentication codes (MACs)

ASYMMETRIC ENCRYPTION

CPSC 467: Cryptography and Computer Security

Lecture 1: Introduction to Public key cryptography

Ring Group Signatures

Entity Authentication

DATA PRIVACY AND SECURITY

Computing on Authenticated Data for Adjustable Predicates

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

CPSC 467: Cryptography and Computer Security

Digital Signatures. Adam O Neill based on

Sampling Lattice Trapdoors

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Cryptographic Security of Macaroon Authorization Credentials

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Lecture 17: Constructions of Public-Key Encryption

Post-quantum security models for authenticated encryption

Multi-Key Homomorphic Authenticators

CPSC 467: Cryptography and Computer Security

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Threshold RSA for Dynamic and Ad-Hoc Groups

An update on Hash-based Signatures. Andreas Hülsing

Mitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song

Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption

Cryptographical Security in the Quantum Random Oracle Model

Privacy Preserving Verifiable Key Directories

CPSC 467: Cryptography and Computer Security

Constant-round Non-Malleable Commitments from Any One-Way Function

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Security of Blind Signatures Revisited

Foundations of Network and Computer Security

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

A survey on quantum-secure cryptographic systems

CPSC 467b: Cryptography and Computer Security

Notes on BAN Logic CSG 399. March 7, 2006

CPSC 467: Cryptography and Computer Security

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

1 Cryptographic hash functions

Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model)

Transitive Signatures Based on Non-adaptive Standard Signatures

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Hash-based Signatures. Andreas Hülsing

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Notes on Zero Knowledge

Verification of the TLS Handshake protocol

XMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions

Delegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs

CPSC 467: Cryptography and Computer Security

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Cryptographic Hardness Assumptions

Week 12: Hash Functions and MAC

A Composition Theorem for Universal One-Way Hash Functions

Constant-Round Non-Malleable Commitments from Any One-Way Function

Block Ciphers/Pseudorandom Permutations

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Interactive Zero-Knowledge with Restricted Random Oracles

ECS 189A Final Cryptography Spring 2011

Asymmetric Encryption

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

2: Iterated Cryptographic Hash Functions

On the (In)security of SNARKs in the Presence of Oracles

Multi-key Hierarchical Identity-Based Signatures

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption

Foundations of Cryptography

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions

From Secure MPC to Efficient Zero-Knowledge

Q B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h

Cryptography in the Multi-string Model

Essam Ghadafi CT-RSA 2016

On the Security Notions for Homomorphic Signatures

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant

ECash and Anonymous Credentials

1 Cryptographic hash functions

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Random Oracles in a Quantum World

Privacy-enhanced Designated Confirmer Signature without Random Oracles

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Introduction to Cryptography Lecture 13

Transcription:

Enforcing honesty of certification authorities: Tagged one-time signature schemes Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013

PKIs and CAs: Current situation CA id, PK Cert = Sign(sk, id PK) Client... Client Client Signature-based PKIs full concentration of trust into CA CA has to be absolutely trustworthy

PKIs and CAs: Current threats CA Cert = Sign(sk, id PK ) id, PK Cert = Sign(sk, id PK) Client... Client Client Malicious CA could falsely bind identities in use to auxiliary PKs run man-in-the-middle attacks against web sessions ALL SECURITY IS LOST

PKIs and CAs: Should we really trust CAs? Reasons not to trust CAs poor management practices we will see examples... security breaches we will see examples... criminal intention coercion by crime organizations legal coercion by law enforcement legal(?) coercion by intelligence services

CA incidents: A brief history Recent security incidents DigiNotar in July 2011 security breach, malicious certificates for many domains issued TURKTRUST in August 2011 issued intermediate CA with wildcard signing capabilities later used for man-in-the-middle proxy filtering/scanning no evidence for use in attack detected only in Jan 2013 Digicert Malaysia in November 2011 22 certificates with weak private keys or missing revocation details issued KPN/Getronics in November 2011 suspended CA business after detecting infection on its web server no evidence of certificate malfeasance

CA incidents: Technical countermesures So far, what helps against malicious CAs? Pinning (in HTTP) hosts ask clients to remember PKs that appear in certificate chain identified DigiNotar and TURKTRUST breaches IETF Web Security Internet draft Tacking (in TLS) hosts announce that their PK is not going to change for a specified amount of time IETF TLS-WG Internet draft DANE (in DNS/TLS) DNS-Based Authentication of Named Entities DNS records announce PKs used within TLS RFC 6698

Focus of this presentation In this talk, we want to cryptographically enforce a unique binding of ids to PKs no such guarantees in (signature-based) PKIs so far remain in non-interactive setting no (trusted?) third parties no out-of-band communication preserves robustness of PKIs

Focus of this presentation In this talk, we want to cryptographically enforce a unique binding of ids to PKs no such guarantees in (signature-based) PKIs so far remain in non-interactive setting no (trusted?) third parties no out-of-band communication preserves robustness of PKIs We propose a modified signature scheme for use in certification

Focus of this presentation In this talk, we want to cryptographically enforce a unique binding of ids to PKs no such guarantees in (signature-based) PKIs so far remain in non-interactive setting no (trusted?) third parties no out-of-band communication preserves robustness of PKIs We propose a modified signature scheme for use in certification Our scheme makes misbehaving (cryptographically) fatal gives strong incentive to do well with management practices puts CAs into strong position against legal coercion

TOSS: Tagged One-time Signature Scheme New primitive: tagged one-time signatures (TOSS) similar to standard signature schemes authentication of tag/message pairs adversary cannot forge signatures (akin to EUF-CMA) distinguishing property: double-signature forgeability intended security loss if signer misbehaves Syntax of TOSS (sk, vk) KGen(1 λ ) outputs signing key and verification key σ Sign(sk, tag, msg) signs tag, msg {0, 1} {0, 1} Ver(vk, tag, msg, σ) verifies signatures Correctness of TOSS as usual, with universal quantification over tag, msg {0, 1}

Security of TOSS: Unforgeability Security goal: unforgeability (EUF) similar to unforgeability of standard signature schemes main difference: adversary not allowed to request signatures on different messages for the same tag Exp EUF (1 λ ) (sk, vk) KGen(1 λ ) (tag, msg, σ ) A O Sign(vk) If A queries O Sign (tag, msg): Append (tag, msg) to SigList σ Sign(sk, tag, msg) Return σ to A Return 1 iff all the following hold: Ver(vk, tag, msg, σ ) = 1 (tag, msg ) SigList tag, msg 0, msg 1 : (tag, msg 0 ), (tag, msg 1 ) SigList msg 0 = msg 1

Security of TOSS: Compromising pair of signatures Intuition: A TOSS shall be forgeable once signer issued signatures on different messages but the same tag. We make the condition precise: Definition (Compromising pair of signatures) Fix verification key vk and tag/message/signature triples such that S 1 = (tag 1, msg 1, σ 1 ) and S 2 = (tag 2, msg 2, σ 2 ) Ver(vk, tag 1, msg 1, σ 1 ) = 1 with Ver(vk, tag 2, msg 2, σ 2 ) = 1. Pair (S 1, S 2 ) is compromising if tag 1 = tag 2 and msg 1 msg 2. Note: exactly this condition is excluded in Exp EUF

Security of TOSS: Double-signature forgeability Security goal: double-signature forgeability (DSF) Intuition: given a compromising pair (S 1, S 2 ) issued by a malicious signer, it should be trivial to craft valid signatures defined in respect to auxiliary algorithm σ Forge(vk, (S 1, S 2 ), tag, msg ) that computes signatures for arbitrary tags/messages two variants: DSF and DSF (the latter with trusted setup ) Exp DSF (1 λ ) (vk, (S 1, S 2 ), tag, msg ) A(1 λ ) σ Forge(vk, (S 1, S 2 ), tag, msg ) Return 1 iff all the following hold: (S 1, S 2 ) is compromising Ver(vk, tag, msg, σ ) 1 Exp DSF (1 λ ) (sk, vk) KGen(1 λ ) ((S 1, S 2 ), tag, msg ) A(sk, vk) σ Forge(vk, (S 1, S 2 ), tag, msg ) Return 1 iff all the following hold: (S 1, S 2 ) is compromising Ver(vk, tag, msg, σ ) 1

Security of TOSS: Double-signature extractability Security goal: double-signature extractability (DSE) Intuition: given a compromising pair (S 1, S 2 ) issued by a malicious signer, it should be trivial to compute the signing key defined in respect to auxiliary algorithm that outputs a signing key sk Extract(vk, (S 1, S 2 )) two variants: DSE and DSE (the latter with trusted setup ) Exp DSE (1 λ ) (vk, (S 1, S 2 )) A(1 λ ) sk Extract(vk, (S 1, S 2 )) Return 1 iff all the following hold: (S 1, S 2 ) is compromising sk is not the signing key corresponding to vk Exp DSE (1 λ ) (sk, vk) KGen(1 λ ) (S 1, S 2 ) A(sk, vk) sk Extract(vk, (S 1, S 2 )) Return 1 iff all the following hold: (S 1, S 2 ) is compromising sk sk

Double-signature extractability stronger than forgeability Comparing DSF and DSE DSF tag, msg DSE tag, msg A S 1, S 2 Forge σ A S 1, S 2 Extract sk Sign σ DSE strictly stronger than DSF by Forge := Sign Extract construction DSE natural from engineer s perspective our construction offers DSE our construction can be extended to DSE DSE = DSE = = DSF = DSF

Double-signature extractability stronger than forgeability Comparing DSF and DSE DSF tag, msg DSE tag, msg A S 1, S 2 Forge σ A S 1, S 2 Extract sk Sign σ DSE strictly stronger than DSF by Forge := Sign Extract construction DSE natural from engineer s perspective our construction offers DSE our construction can be extended to DSE DSE = DSE = = DSF = DSF Further advantage of DSE forged signatures look identical to honest ones relevant feature in practice could be formalized: double-signature indistinguishability counterexamples for DSF exist

Application of TOSS: Enforcing honesty of CAs in PKIs Current PKI certificates { } id, PK, Sign STD (sk, id PK) where id is domain name, email address,... PK is certified public key Sign STD is standard signature scheme id = bank.com, PK = 69 6e 2c 20... id = bank.com, PK = 72 20 64 61...

Application of TOSS: Enforcing honesty of CAs in PKIs Current PKI certificates { } id, PK, Sign STD (sk, id PK) TOSS-based PKI certificates { } id, PK, Sign TOSS (sk, id, PK) where id is domain name, email address,... PK is certified public key Sign STD is standard signature scheme Sign TOSS is a tagged one-time signature id = bank.com, PK = 69 6e 2c 20... id = bank.com, PK = 72 20 64 61... id = bank.com, PK = 69 6e 2c 20... id = bank.com, PK = 72 20 64 61... New property: CA looses sk when certifying different PKs for same id

Application of TOSS: Internet timestamping Internet timestamping service use current time epoch as tag use digest of current documents as msg publish Sign TOSS (sk, tag, msg) DSF guarantees: timestamping service cannot rewind history Time: 8234098324 - Document: This patent covers a beer umbrella Time: 8234098324 - Document: This patent covers a life expectancy watch

Application of TOSS: Digital notaries Digital notary service use subject of contract as tag use affected bodies as msg publish Sign TOSS (sk, tag, msg) DSF guarantees: contract can be signed only once Subject: Real property #94794 is sold to.... - Body: Alice Subject: Real property #94794 is sold to.... - Body: Bob

2:1-TDF: Two-to-one trapdoor functions New primitive: two-to-one trapdoor function (2:1-TDF) finite sets A, B such that A = 2 B A B

2:1-TDF: Two-to-one trapdoor functions New primitive: two-to-one trapdoor function (2:1-TDF) finite sets A, B such that A = 2 B surjective 2:1 function f : A B A B

2:1-TDF: Two-to-one trapdoor functions New primitive: two-to-one trapdoor function (2:1-TDF) finite sets A, B such that A = 2 B surjective 2:1 function f : A B if f 1 (b, 0) and f 1 (b, 1) denote the two preimages of b B, define A 0 = f 1 (B, 0) and A 1 = f 1 (B, 1) A A 0 B A 1

2:1-TDF: Two-to-one trapdoor functions New primitive: two-to-one trapdoor function (2:1-TDF) finite sets A, B such that A = 2 B surjective 2:1 function f : A B if f 1 (b, 0) and f 1 (b, 1) denote the two preimages of b B, define A 0 = f 1 (B, 0) and A 1 = f 1 (B, 1) f efficient, but f 1 hard without trapdoor x define relation a 0 a 1 a 0 a 1 f (a 0 ) = f (a 1 ) A A 0 B A 1

2:1-TDF: One-wayness Technical requirement A 0, A 1, B shall be efficiently publicly samplable and decidable

2:1-TDF: One-wayness Technical requirement A 0, A 1, B shall be efficiently publicly samplable and decidable One-wayness preimage resistance (INV-1) second preimage resistance (INV-2) Exp INV-1 A (1 λ ) (td, par) 2:1-Gen(1 λ ) b R B(par) a A(par, b) Return 1 iff f (a) = b Exp INV-2 B (1 λ ) (td, par) 2:1-Gen(1 λ ) a R A(par) a B(par, a) Return 1 iff a x a

2:1-TDF: Extractability Extractability (optional) defined in respect to auxiliary algorithm td Extract(par, a, a ) that computes td = td from all a, a A with a x a

2:1-TDF: Extractability Extractability (optional) defined in respect to auxiliary algorithm td Extract(par, a, a ) that computes td = td from all a, a A with a x a INV-1 vs. INV-2 INV-2 INV-1 (as expected) if extractable: INV-1 INV-2

2:1-TDF: Extractability Extractability (optional) defined in respect to auxiliary algorithm td Extract(par, a, a ) that computes td = td from all a, a A with a x a INV-1 vs. INV-2 INV-2 INV-1 (as expected) if extractable: INV-1 INV-2 2:1-TDF vs. CFP (claw-free permutation) CFPs imply 2:1-TDFs, other direction unclear CFPs have no (formalized) extraction capability

2:1-TDF: Factoring-based construction I Let n = pq be Blum integer. QR n Z n Z n / ±1 J n J n QR n Known facts QR n not decidable, not directly samplable

2:1-TDF: Factoring-based construction I Let n = pq be Blum integer. QR n Z n Z n / ±1 J n J n QR n Known facts QR n not decidable, not directly samplable squaring operation Z n (J n, QR n ) QR n is 4:1 (2:1, 1:1) computing square roots as hard as factoring n can be factored from x 0 J n, x 1 J n with x 2 0 = x 2 1

2:1-TDF: Factoring-based construction II Let n = pq be Blum integer. The following bases on [GMR88,HK09]. QR n Z n Z n / ±1 J n QR n J n QR n / ±1 = J n / ±1 QR n / ±1 Some number theory {±1} normal in Z n, induces homomorphism ψ : Z n Z n / ±1 define groups QR n / ±1 = ψ(qr n ) and J n / ±1 = ψ(j n ) computing square roots as hard as factoring n can be factored from x 0 QR n / ±1, x 1 QR n / ±1 with x 2 0 = x 2 1

2:1-TDF: Factoring-based construction III Let n = pq be Blum integer. The following bases on [GMR88,HK09]. QR n Z n A 0 = B A 1 Z n / ±1 J n QR n J n QR n / ±1 = J n / ±1 QR n / ±1 Constructing a 2:1-TDF set A 0 = B = QR n / ±1 and A 1 = QR n / ±1 A 0 and A 1 and B are efficiently samplable squaring operation A B is 2:1-TDF any a, a A with a x a leak factorization

Our TOSS construction (simplified) TOSS construction KGen 2:1-Gen Sign(sk, tag, msg) i : b i = H(tag, i) H : {0, 1} B random oracle d 1,..., d λ H # (tag, msg) H # : {0, 1} {0, 1} λ CRHF i : a i = f 1 (b i, d i ) f extractable 2:1-TDF σ = (a 1,..., a λ ) Ver(vk, tag, msg) clear (requires decidability A 0 A 1 ) tag b 1 b 2 b λ 1 b λ H(tag, i) d 1 = 0 f 1 (b i, d i ) d 1 = 1 σ = ( a 1 a 1, a 2 a 2,..., a λ 1 a λ 1, a λ a λ )

Our TOSS construction (full) The scheme is simple and elegant.

Our TOSS construction (full) The scheme is simple and elegant. But it is unclear how to do the security reduction...

Our TOSS construction (full) The scheme is simple and elegant. But it is unclear how to do the security reduction... Repaired TOSS construction KGen 2:1-Gen Sign(sk, tag, msg) s f 1 (H(tag), 0) i : b i = H(s, tag, i) d 1,..., d λ H # (s, tag, msg) i : a i = f 1 (b i, d i ) σ = (a 1,..., a λ ) H : {0, 1} B random oracle H # : {0, 1} {0, 1} λ CRHF f extractable 2:1-TDF Ver(vk, tag, msg) clear (requires decidability A 0 A 1 )

Our TOSS construction (full) The scheme is simple and elegant. But it is unclear how to do the security reduction... Repaired TOSS construction KGen 2:1-Gen Sign(sk, tag, msg) s f 1 (H(tag), 0) i : b i = H(s, tag, i) d 1,..., d λ H # (s, tag, msg) i : a i = f 1 (b i, d i ) σ = (a 1,..., a λ ) H : {0, 1} B random oracle H # : {0, 1} {0, 1} λ CRHF f extractable 2:1-TDF Ver(vk, tag, msg) clear (requires decidability A 0 A 1 ) Theorem (Unforgeability of TOSS) If H is RO, H # is CRHF, and f is 2:1-TDF, then TOSS provides EUF. Note: TOSS even strongly unforgeable (and unique)

Our TOSS construction: DSE tag b 1 b 2 b λ 1 b λ H(s, tag, i) d 2 = 0 d 2 = 1 f 1 (b i, d i ) a 1 a 1 a 2 x a 2 a λ 1 a λ 1 a λ a λ Theorem (Double-signature extractability of TOSS) If H # is CRHF and f is extractable 2:1-TDF, then TOSS provides DSE. Note: Can be strengthened to DSE. Really relevant?

Our TOSS construction: Practical aspects Security requirements tolerated forging probability 2 80 2 25 signature queries allowed ECRYPT recommendations Derived key/signature sizes moduli of 2432 bits TOSS signature size: 48 kb Efficiency of signature verification λ + 1 squarings λ Jacobi symbol evaluations (A 0 A 1 ) λ Jacobi symbol evaluations (sampling of b i in RO H)

Conclusion Tagged one-time signature schemes (TOSS) violation of rules always catastrophic (for signers) enforcement of honesty of signers? Security of TOSS notions of DSF, DSF, DSE, DSE and their relations Extractable 2:1 trapdoor functions (2:1-TDF) 2:1 version of TDPs, more general than CFPs extractability: colliding preimages reveal trapdoor construction based on factorization 2:1-TDF-based TOSS achieves EUF, DSE and DSF (DSE and DSF feasible) efficient verification signature size not prohibitively large

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback