Based on P. Yang et al. 2008
Kittipat Virochsiri

Introduction
• What is it?
• Applications

What is it?
• An identity based signature scheme with some error tolerance
• A signature issued by a user with identity $\omega$ can be verified by another user with identity $\omega'$ if $\omega$ and $\omega'$ are within a certain distance, judged by some metric

Applications
• Attribute-based signature
• Biometric identity based signature

Preliminaries
• Bilinear pairing
• Computational Diffie-Hellman
• Threshold secret sharing schemes

Bilinear pairing
Let $G$ and $G_T$ be multiplicative groups of the same prime order $p$. A bilinear pairing is a map $e: G \times G \to G_T$ with the following properties:
• Bilinear: $e(u^a, v^b) = e(u, v)^{ab}$, where $u, v \in G$ and $a, b \in \mathbb{Z}_p$
• Non-degeneracy: $\exists\, u, v \in G$ such that $e(u, v) \neq 1$
• Computability: it is efficient to compute $e(u, v)$ for all $u, v \in G$

Computational Diffie-Hellman (CDH)
The challenger $\mathcal{C}$ sends $g$, $A = g^a$, $B = g^b$ to the adversary $\mathcal{B}$; the adversary must answer with $g^{ab} \in \mathbb{G}$.

CDH assumption
An adversary $\mathcal{B}$ has at least $\epsilon$ advantage if $\Pr[\mathcal{B}(g, g^a, g^b) = g^{ab}] \geq \epsilon$. The computational $(t, \epsilon)$-DH assumption holds if no polynomial-time adversary has at least $\epsilon$ advantage in solving the game.

Threshold secret sharing scheme
Let:
• $GF(q)$ be a finite field with $q \geq n$ elements
• $s \in GF(q)$ be the secret
• $f(x) = s + \sum_{j=1}^{t-1} a_j x^j$
Assign every player $R_i$ a unique field element $\alpha_i$ and the share $s_i = f(\alpha_i)$. A set of players $S$ with $|S| \geq d$ can recover the secret using
$$f(x) = \sum_{R_i \in S} \Delta_{\alpha_i, S}(x)\, f(\alpha_i) = \sum_{R_i \in S} \Delta_{\alpha_i, S}(x)\, s_i, \qquad \Delta_{\alpha_i, S}(x) = \prod_{R_l \in S,\; l \neq i} \frac{x - \alpha_l}{\alpha_i - \alpha_l}$$

Fuzzy Identity Based Signature (FIBS) scheme
Consists of 4 steps:
• Setup
• Extract
• Sign
• Verify
Setup takes $1^k$ and outputs $params$ and $mk$; Extract takes an identity $ID$ and $mk$ and outputs $D_{ID}$; Sign takes a message $M$ and $D_{ID}$ and outputs $\sigma$; Verify takes $ID'$, $M$ and $\sigma$ and outputs 0/1.

Security Model
Unforgeable Fuzzy Identity Based Signature against Chosen-Message Attack (UF-FIBS-CMA)
• Setup
• The adversary $\mathcal{A}$ queries the Private Key Oracle and receives private keys $K_{\gamma_i}$
• $\mathcal{A}$ queries the Signing Oracle on $(M_i, \alpha)$ and receives signatures $\sigma_i$
• $\mathcal{A}$ outputs $\sigma^*$ for $(M^*, \alpha)$

Definition
$\mathcal{A}$'s success probability is $Succ^{UF\text{-}FIBS\text{-}CMA}_{FIBS, \mathcal{A}}(k) = \Pr[Verify(\alpha, M, \sigma) = 1]$. The fuzzy identity based signature scheme FIBS is said to be UF-FIBS-CMA secure if $Succ^{UF\text{-}FIBS\text{-}CMA}_{FIBS, \mathcal{A}}(k)$ is negligible in the security parameter $k$.

The Scheme
The same four steps, with the scheme's own names: Setup($n$, $1^k$, $d$) outputs $PP$ (params) and $MK$ (mk); Extract on identity $\omega$ ($ID$) outputs $K_\omega$ ($D_{ID}$); Sign on $M$ outputs $S$ ($\sigma$); Verify with identity $\omega'$ ($ID'$) outputs valid/invalid (1/0).

Building Blocks
• $\mathbb{G}$ and $\mathbb{G}_T$ are groups of the prime order $p$
• Bilinear pairing $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$
• $g$ is a generator of $\mathbb{G}$
• Identities are sets of $n$ elements of $\mathbb{Z}_p^*$
• $\Delta_{i,S}(x) = \prod_{l \in S,\; l \neq i} \frac{x - l}{i - l}$

Setup($n$, $d$)
• Choose $g_1 = g^y$, $g_2 \in \mathbb{G}$
• Choose $t_1, \ldots, t_{n+1}$ uniformly at random from $\mathbb{G}$
• Let $N$ be the set $\{1, \ldots, n+1\}$ and define $T(x) = g_2^{x^n} \prod_{i=1}^{n+1} t_i^{\Delta_{i,N}(x)}$
• Select a random integer $z' \in \mathbb{Z}_p$ and a random vector $z = (z_1, \ldots, z_m) \in \mathbb{Z}_p^m$
• Public parameters $PP = (g_1, g_2, t_1, \ldots, t_{n+1}, v' = g^{z'}, v_1 = g^{z_1}, \ldots, v_m = g^{z_m})$

Extract($PP$, $MK$, $\omega$)
• Choose a random $d-1$ degree polynomial $q$ such that $q(0) = y$
• Return $K_\omega = (\{D_i\}_{i \in \omega}, \{d_i\}_{i \in \omega}) \in \mathbb{G}^{2n}$ with $D_i = g_2^{q(i)}\, T(i)^{r_i}$ and $d_i = g^{-r_i}$, where $r_i$ is a random number from $\mathbb{Z}_p$ defined for all $i \in \omega$

Sign($PP$, $K_\omega$, $M$)
• $M = \mu_1 \cdots \mu_m \in \{0,1\}^m$ is a bit string
• Select a random $s_i \in \mathbb{Z}_p$ for each $i \in \omega$
• Output $S = \left( \left\{ D_i \cdot \left( v' \prod_{j=1}^m v_j^{\mu_j} \right)^{s_i} \right\}_{i \in \omega},\; \{d_i\}_{i \in \omega},\; \{g^{-s_i}\}_{i \in \omega} \right) \in \mathbb{G}^{3n}$

Verify($PP$, $\omega'$, $M$, $\sigma$)
• $S = (\{S_1^{(i)}\}_{i \in \omega}, \{S_2^{(i)}\}_{i \in \omega}, \{S_3^{(i)}\}_{i \in \omega})$, where $|\omega' \cap \omega| \geq d$
• Choose an arbitrary $d$-element subset $S$ of $\omega' \cap \omega$
• Verify
$$\prod_{i \in S} \left( e(S_1^{(i)}, g) \cdot e(S_2^{(i)}, T(i)) \cdot e\Big(S_3^{(i)},\; v' \prod_{j=1}^m v_j^{\mu_j}\Big) \right)^{\Delta_{i,S}(0)} = e(g_1, g_2)$$

Correctness check
$$\begin{aligned}
&\prod_{i \in S} \left( e(S_1^{(i)}, g) \cdot e(S_2^{(i)}, T(i)) \cdot e\Big(S_3^{(i)},\; v' \prod_{j=1}^m v_j^{\mu_j}\Big) \right)^{\Delta_{i,S}(0)} \\
&= \prod_{i \in S} \left( e\Big(g_2^{q(i)} \cdot T(i)^{r_i} \cdot \Big(v' \prod_{j=1}^m v_j^{\mu_j}\Big)^{s_i},\; g\Big) \cdot e(g^{-r_i}, T(i)) \cdot e\Big(g^{-s_i},\; v' \prod_{j=1}^m v_j^{\mu_j}\Big) \right)^{\Delta_{i,S}(0)} \\
&= \prod_{i \in S} \left( e(g_2^{q(i)}, g) \cdot e(T(i)^{r_i}, g) \cdot e\Big(\Big(v' \prod_{j=1}^m v_j^{\mu_j}\Big)^{s_i}, g\Big) \cdot e(g^{-r_i}, T(i)) \cdot e\Big(g^{-s_i},\; v' \prod_{j=1}^m v_j^{\mu_j}\Big) \right)^{\Delta_{i,S}(0)} \\
&= \prod_{i \in S} e(g_2^{q(i)}, g)^{\Delta_{i,S}(0)} = e(g_2, g)^{\sum_{i \in S} q(i)\, \Delta_{i,S}(0)} = e(g_2, g^{q(0)}) = e(g_2, g^y) = e(g_2, g_1) = e(g_1, g_2)
\end{aligned}$$

Security Proof
Security Game
The simulator $\mathcal{B}$ receives the CDH instance $(g, g^a, g^b)$ and runs Setup for $\mathcal{A}$. It answers $\mathcal{A}$'s Private Key Oracle queries (identity $\gamma$, answered with $K_\gamma$) and Signing Oracle queries ($(M, \alpha^*)$, answered with $\sigma$), receives the forgery $\sigma^*$ for $(M^*, \alpha)$, and outputs $g^{ab}$.

Theorem
Let $\mathcal{A}$ be an adversary that makes at most $l \ll p$ signature queries and produces a successful forgery against the scheme with probability $\epsilon$ in time $t$. Then there exists an algorithm $\mathcal{B}$ that solves the CDH problem in $\mathbb{Z}_p$ with probability $\epsilon' \geq \frac{\epsilon}{4 p^n n l}$ in time $t' \approx t$.

Setup
• Select a random identity $\alpha^*$
• Choose a random number $k \in \{0, \ldots, m\}$
• Choose random numbers $x', x_1, \ldots, x_m$ in the interval $\{0, \ldots, 2l - 1\}$
• Choose random exponents $z', z_1, \ldots, z_m \in \mathbb{Z}_p$
• Let $g_1 = g^a$ and $g_2 = g^b$
• Choose a random $n$ degree polynomial $f(x)$, and an $n$ degree polynomial $u(x)$ such that for all $x$, $u(x) = -x^n$ if and only if $x \in \alpha^*$
• Set $t_i = g_2^{u(i)} g^{f(i)}$ for $i$ from 1 to $n+1$, so that
$$T(i) = g_2^{i^n} \prod_{j=1}^{n+1} \left( g_2^{u(j)} g^{f(j)} \right)^{\Delta_{j,N}(i)} = g_2^{i^n + u(i)}\, g^{f(i)}$$
• $PP = \left( g, g_1, g_2, t_1, \ldots, t_{n+1},\; v' = g_2^{x' - 2kl} g^{z'},\; \{ v_j = g_2^{x_j} g^{z_j} \}_{j = 1, \ldots, m} \right)$, $A =$

Private Key Oracle
Answer a private key query on identity $\gamma$ with $|\gamma \cap \alpha^*| < d$.
• Define $\Gamma$, $\Gamma'$, $S$: $\Gamma = \gamma \cap \alpha^*$; $\Gamma \subseteq \Gamma' \subseteq \gamma$ with $|\Gamma'| = d - 1$; $S = \Gamma' \cup \{0\}$
• Define the private key $K_\gamma$ for $i \in \gamma$:
  For $i \in \Gamma'$: $D_i = g_2^{\lambda_i}\, T(i)^{r_i}$ and $d_i = g^{-r_i}$, where $\lambda_i$ and $r_i$ are chosen randomly in $\mathbb{Z}_p$
  For $i \in \gamma - \Gamma'$:
$$D_i = \prod_{j \in \Gamma'} g_2^{\lambda_j \Delta_{j,S}(i)} \cdot \left( g_1^{\frac{-f(i)}{i^n + u(i)}} \left( g_2^{i^n + u(i)} g^{f(i)} \right)^{r_i'} \right)^{\Delta_{0,S}(i)}, \qquad d_i = \left( g_1^{\frac{1}{i^n + u(i)}}\, g^{-r_i'} \right)^{\Delta_{0,S}(i)}$$
• Define the $d-1$ degree polynomial $q(x)$ by $q(i) = \lambda_i$ for $i \in \Gamma'$ and $q(0) = a$. Let $r_i = \left( r_i' - \frac{a}{i^n + u(i)} \right) \Delta_{0,S}(i)$. For $i \in \gamma - \Gamma'$ it can be shown that $D_i = g_2^{q(i)}\, T(i)^{r_i}$ and $d_i = g^{-r_i}$.

Signing Oracle
Answer a signature query on identity $\alpha^*$ for some $M = \mu_1 \cdots \mu_m$.
• $F = -2kl + x' + \sum_{j=1}^m x_j \mu_j$ and $J = z' + \sum_{j=1}^m z_j \mu_j$
• If $F \equiv 0 \pmod p$, then the simulator aborts
• Select a random set $\Lambda \subset \alpha^*$ with $|\Lambda| = d - 1$
• For $i \in \Lambda$: $g^{q'(i)} = g^{\lambda_i'}$, where $\lambda_i'$ is chosen randomly in $\mathbb{Z}_p$
• For $i \in \alpha^* - \Lambda$: $g^{q'(i)} = \prod_{j=1}^{d-1} g^{\lambda_j' \Delta_{j,\alpha^*}(i)} \cdot g^{a \Delta_{0,\alpha^*}(i)}$
• Pick random $r_i, s_i$ for $i \in \alpha^*$ and compute
$$S_1^{(i)} = \left( g^{q'(i)} \right)^{-J/F} g^{f(i) r_i} \left( g_2^F g^J \right)^{s_i}, \qquad S_2^{(i)} = g^{-r_i}, \qquad S_3^{(i)} = \left( g^{q'(i)} \right)^{1/F} g^{-s_i}$$
• For $\tilde{s}_i = s_i - \frac{q'(i)}{F}$ it can be shown that $S_1^{(i)} = g_2^{q'(i)}\, T(i)^{r_i} \left( v' \prod_{j=1}^m v_j^{\mu_j} \right)^{\tilde{s}_i}$ and $S_3^{(i)} = g^{-\tilde{s}_i}$

Producing Forgery
• $\mathcal{A}$ outputs a valid forgery $S^* = (\{S_1^{*(i)}\}_{i \in \alpha}, \{S_2^{*(i)}\}_{i \in \alpha}, \{S_3^{*(i)}\}_{i \in \alpha})$ on $M^* = \mu_1^* \cdots \mu_m^* \in \{0,1\}^m$ for identity $\alpha$
• $F^* = -2kl + x' + \sum_{j=1}^m x_j \mu_j^*$ and $J^* = z' + \sum_{j=1}^m z_j \mu_j^*$
• If $\alpha \neq \alpha^*$ or $F^* \not\equiv 0 \pmod p$, then $\mathcal{B}$ aborts.
• For some $r_i^*, s_i^* \in \mathbb{Z}_p$:
$$S_1^{*(i)} = g_2^{q^*(i)}\, T(i)^{r_i^*} \left( v' \prod_{j=1}^m v_j^{\mu_j^*} \right)^{s_i^*} = g_2^{q^*(i)}\, g^{f(i) r_i^*}\, g^{J^* s_i^*}, \qquad S_2^{*(i)} = g^{-r_i^*}, \qquad S_3^{*(i)} = g^{-s_i^*}$$
• Select a random set $\Lambda' \subset \alpha$ with $|\Lambda'| = d$ and compute
$$\begin{aligned}
S_1^* &= \prod_{i \in \Lambda'} \left( S_1^{*(i)} \right)^{\Delta_{i,\Lambda'}(0)} = g^{ab} \prod_{i \in \Lambda'} g^{\Delta_{i,\Lambda'}(0)\, f(i)\, r_i^*}\; g^{\Delta_{i,\Lambda'}(0)\, J^*\, s_i^*} \\
S_2^* &= \prod_{i \in \Lambda'} \left( S_2^{*(i)} \right)^{\Delta_{i,\Lambda'}(0)\, f(i)} = \prod_{i \in \Lambda'} g^{-\Delta_{i,\Lambda'}(0)\, f(i)\, r_i^*} \\
S_3^* &= \prod_{i \in \Lambda'} \left( S_3^{*(i)} \right)^{\Delta_{i,\Lambda'}(0)} = \prod_{i \in \Lambda'} g^{-\Delta_{i,\Lambda'}(0)\, s_i^*}
\end{aligned}$$

Solving CDH
$\mathcal{B}$ can solve the CDH instance by outputting $S_1^* \cdot S_2^* \cdot (S_3^*)^{J^*} = g^{ab}$.
The probability is
$$\Pr[\text{the simulation not aborting}] = \Pr[\alpha = \alpha^*] \cdot \Pr[F \not\equiv 0 \pmod p] \cdot \Pr[F^* \equiv 0 \pmod p] = \frac{1}{p^n} \cdot \left( 1 - \frac{1}{2l} \right) \cdot \frac{1}{2nl} \geq \frac{1}{4 p^n n l}$$
$$\epsilon' \geq \epsilon \cdot \Pr[\text{the simulation not aborting}] \geq \epsilon \cdot \frac{1}{4 p^n n l}$$

Issues
• Privacy
• Capture and replay

Privacy
• No anonymity for the signer

Capture and replay
• Only secure when forgery of identity can be detected

Conclusion
• Allows identity $\omega$ to issue a signature that identity $\omega'$ can verify, provided that $\omega$ and $\omega'$ are within some distance
• Unforgeable against adaptively chosen message attack

Thank you. Questions?

References
1. Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. In CRYPTO '01: Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, pages 213-229, London, UK, 2001. Springer-Verlag.
2. Jin Li and Kwangjo Kim. Attribute-based ring signature. Cryptology ePrint Archive, Report 2008/394, 2008.
3. Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In Advances in Cryptology - EUROCRYPT 2005, pages 457-473. 2005.
4. Siamak F. Shahandashti and Reihaneh Safavi-Naini. Threshold attribute-based signatures and their application to anonymous credential systems. Cryptology ePrint Archive, Report 2009/126, 2009.
5. Brent Waters. Efficient identity-based encryption without random oracles. In Advances in Cryptology - EUROCRYPT 2005, pages 114-127. 2005.
6. Piyi Yang, Zhenfu Cao, and Xiaolei Dong. Fuzzy identity based signature. Cryptology ePrint Archive, Report 2008/002, 2008.
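Worked example (added here; it is not part of the slides or of the Yang, Cao and Dong paper): the threshold secret sharing from the preliminaries, and the way Extract and Verify reuse it. In the scheme the master secret $y = q(0)$ is shared across the attributes of $\omega$ inside the exponent of $g_2$, and Verify recombines any $d$ attributes of $\omega \cap \omega'$ with the coefficients $\Delta_{i,S}(0)$. The code below performs the same sharing and recombination in the clear over $GF(P)$, so the threshold logic can be checked without a pairing library. The prime $P$, the identities and the master secret are constructed for the example, and `fuzzy_recover` is a name chosen here, not a function of the scheme.

```python
# Added example: Shamir threshold sharing over GF(P) and the "fuzzy" overlap
# recovery that Extract/Verify rely on, worked in the clear rather than in the
# exponent of g_2. Prime, polynomial and identities below are constructed.
import secrets

P = 2**127 - 1  # constructed prime; the field is GF(P)


def lagrange_coeff(i, S, x):
    """Delta_{i,S}(x) = prod_{l in S, l != i} (x - l) / (i - l), computed in GF(P)."""
    num, den = 1, 1
    for l in S:
        if l != i:
            num = num * (x - l) % P
            den = den * (i - l) % P
    return num * pow(den, P - 2, P) % P  # Fermat inverse of the denominator


def share(secret, d, points):
    """Evaluate a random degree-(d-1) polynomial q with q(0) = secret at each
    point (Extract's q(i) for i in omega). Returns {point: q(point)}."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(d - 1)]
    shares = {}
    for x in points:
        if x % P == 0:
            raise ValueError("a share at x = 0 would leak the secret directly")
        y = 0
        for c in reversed(coeffs):  # Horner's rule: q(x) = c0 + c1 x + ... + c_{d-1} x^{d-1}
            y = (y * x + c) % P
        shares[x] = y
    return shares


def recover(shares, x=0):
    """q(x) = sum_{i in S} Delta_{i,S}(x) * q(i). Correct only when |S| >= d."""
    S = list(shares)
    return sum(lagrange_coeff(i, S, x) * shares[i] for i in S) % P


def fuzzy_recover(key_shares, omega_prime, d):
    """Mirror of Verify's subset choice: a holder of identity omega_prime may use
    any d attributes of the overlap with the signer's omega; below d, no recovery."""
    overlap = sorted(set(key_shares) & set(omega_prime))
    if len(overlap) < d:
        return None
    subset = overlap[:d]  # any d-element subset of the overlap works
    return recover({i: key_shares[i] for i in subset})


def demo():
    """Constructed scenario: one key, a close identity, a far identity, too few shares."""
    y = secrets.randbelow(P)          # constructed master secret (the y of Setup)
    d = 3
    omega = {11, 22, 33, 44, 55}      # constructed signer identity
    key = share(y, d, omega)          # K_omega in the clear: q(i) per attribute i
    close = {22, 33, 44, 66, 77}      # overlap with omega is {22,33,44}: 3 >= d
    far = {11, 66, 77, 88, 99}        # overlap with omega is {11}: 1 < d
    too_few = recover({i: key[i] for i in (11, 22)})  # only d-1 shares
    return (
        fuzzy_recover(key, close, d) == y,   # True: d overlapping attributes suffice
        fuzzy_recover(key, far, d) is None,  # True: below threshold, nothing to recombine
        too_few != y,                        # True: d-1 shares interpolate to an unrelated value
    )


if __name__ == "__main__":
    print(demo())
```

With fewer than $d$ shares the interpolation at 0 returns a field element unrelated to $y$ (it coincides with $y$ only with probability $1/P$), which is the property the private key oracle in the proof relies on when it answers queries with $|\gamma \cap \alpha^*| < d$ while fixing $q(0) = a$ without knowing $a$.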