An Efficient and Provable Secure Identity

advertisement
An Efficient and Provable Secure
Identity-Based Identification
Scheme in the Standard Model
(Multimedia University)
Ji-Jian Chin
Swee-Huay Heng
Bok-Min Goi
1
Contents
1
Introduction
3
2
Preliminaries
9
3
Formal Definition of IBI
11
4
Construction
16
5
Security Analysis
21
6
Conclusion
25
7
Open Problems
26
2
1. Introduction



An identification scheme enables one party to
identify itself securely to another party
authentically and without repudiation.
ID-based cryptography – user generates own
public key using an identity string.
ID-based cryptography does away with
certificates binding the public key to the
private key, as opposed to traditional public
key infrastructure systems.
3
1. Introduction
Why Passwords Aren’t Enough?
If I can guess/know your password, I can
impersonate you.
(Easy to guess: keyloggers, peek into your
password database, sticky notes with
passwords in your office, steal from your
hand phone etc)
Why IBI and SI can overcome this?
Challenge-response identification.
Zero-knowledge of secret key involved.
4
1. Introduction
History of IBI




IBI fundamental paper proposed by Fiat and
Shamir in 1984.
Rigorous definition and security proofs only
formalized in 2004
- Kurosawa and Heng
- Bellare, Namprempre and Neven
Schemes’ mostly have provable security based on
the random oracle model
Schemes’ with provable security in the standard
model are not very efficient and few in number
5
1. Introduction
The Random Oracle
first introduced by Bellare and Rogaway in
The Random Oracle
1993.
I answer anybody’s queries with totally
random and uniformly distributed
answers
query
I’ve seen this
query before
New
query
Give new random
answer, and save query
for next time
Existing
answer
6
1. Introduction
The Random Oracle


Disadvantages of RO:
- heuristic in nature
- Canetti et al. showed certain schemes secure
in the random oracle model is insecure once
implemented
- idealistic: doesn’t exist in real world
Conclusion
- scheme secure in ROM better than no proof at all
- best to prove in standard model
7
1. Introduction
Recent Developments
1.
2.
3.
Kurosawa and Heng proposed the first 2 IBI
schemes in the standard model in 2005.
Kurosawa and Heng used a trapdoor commitment
scheme and a digital signature scheme to
construct another IBI scheme in the standard
model in 2006.
Yang et al. proposed a general framework to
construct IBI schemes in the random oracle model
in 2007.
8
2. Preliminaries
Bilinear Pairings
a) Bilinearity. e(ga,gb)=e(g,g)ab
b) Non-degeneracy. e(g,g) ≠1
c) Efficiently computable.
9
2. Preliminaries
Security Assumptions
a)
b)
-
Security against Passive Attacks:
Computational Diffie-Hellman problem (CDHP)
Find gab given g and ga ,gb
Security against Active/Concurrent Attacks:
One-More Computational Diffie-Hellman Problem (OMCDHP)
Adversary is given a challenge oracle and a CDH oracle.
Adversary queries random challenge point from challenge
oracle and obtains solution by querying the CDH oracle.
Adversary wins the game if at the end the number of queries to
the solution oracle is strictly less than the queries to the
challenge oracle.
10
3. Formal Definitions For IBI
Definition of IBI
IBI=(S,E,P,V) - 4 probabilistic, polynomial-time algorithms
The Canonical Three Move Protocol
input param
Setup(S)
mpk, usk, ID
mpk, msk
ID
Extract(E)
usk
Prover(P)
(Prove
that
I know
usk)
mpk, ID
CMT
CHA
Verifier(V)
Accept only
if you
Know usk
RSP
11
3. Formal Definition of IBI
Security Model for IBI

Goal of adversary towards IBI - impersonation.

Considered successful if:
- Interact with verifier as prover with public ID
- Accepted by verifier with non-negligible probability
Stronger assumptions of IBI vs SI:
1. The adversary can choose a target identity ID to impersonate
as opposed to a random public key.
2. IBI has access to extract oracle -> the adversary can possess
private keys of some users which she has chosen.
12
3. Formal Definition for IBI
Security Model for IBI
Passive attacks (imp-pa)
Eavesdrop
Active attacks (imp-aa)
Interacts with provers as a cheating verifier
Concurrent attacks (imp-ca)
Interacts with provers as a cheating verifier
concurrently.
13
3. Formal Definition for IBI
Security Model for IBI
The impersonation attack between the impersonator
I, and challenger C is described in a two phase
game.
Phase 1:
I either extracts transcript queries for imp-pa or
acts as a cheating verifier in imp-aa and imp-ca.
Phase 2:
I plays the cheating prover it picks to convince the
verifier.
14
3. Formal Definition for IBI
Security Model for IBI
An IBI scheme is (t,qI,ε)- secure against imppa/imp-aa/imp-ca if for any I who runs in
time t, Pr(I can impersonate)<ε, where I can
make at most qI queries.
15
4. Construction
Construction of IBI scheme based on the Waters
Signature Scheme
Let G and GT be finite cyclic groups or order p and let g
be a generator of G. Let e : G  G  GT be an efficiently
computed bilinear map. Use a collision-resistant hash
function H : {0,1} *  {0,1} n to hash identities to an
arbitrary length to a bit string of length n.
16
4. Construction
Setup
R
a 
Zp
g1  g a
R
g 2 , u ' 
G
Select an n-length vector  U  {u1 ,...,un } R G
mpk : (G ,GT , e , g , g1 , u ' ,  U  , H )
msk : (g 2a )
17
4. Construction
Extract
ID:hashed user identity string of length n
Let d i :ith-bit of ID
Let ID  {1,..., n} be the set of all i where di=1
R
r 
Zp
S  g 2a (u '  ui )r
iID
R  gr
usk : (S, R )
18
4. Construction
Prove and Verify
Prove
X  (u '  u i ) z
X ,Y ,R


 Verify
iID
Y  g 2z
c

Z  S z c
R
c 
Zp
Accept if
Z

e(Z , g )  e (Yg 2c , g1 )e( X (u '  ui )c , R )
iID
19
4. Construction
Correctness
e (Z , g )
 e (g 2a ((u '  ui )r )z c , g )
iID
 e (g 2a ( z c ) , g )e ((u '  ui )z (u '  ui )c , g r )
iID
iID
 e (Yg 2c , g1 )e ( X (u '  ui )c , R )
iID
20
5. Security Analysis
Security against Passive Attacks
Theorem 1:
The proposed IBI scheme is (t,qI,ε)-secure
against impersonation under passive attacks in
the standard model if the CDHP is (t’,ε’)-hard
where
1
  4qe (nu  1) '  2
p
t '  t  O(  (2n(qI ))   (qI ))
 : time for multiplication in
 : time for exponentiation in
qe : extract queries made
qi : transcript queries made and qI  qe  qi
21
5. Security Analysis
Security against Active/Concurrent Attacks
Theorem 2:
The proposed IBI scheme is (t,qI,ε)-secure
against impersonation under active/concurrent
attacks in the standard model if the OMCDHP is
(t”,qCDH,ε”)-hard where
1
  4qe (nu  1) "  2
p
t "  t  O(  (2n(qI ))   (qI ))
 : time for multiplication in
 : time for exponentiation in
qe : extract queries made
qi : transcript queries made and qI  qe  qi
22
5. Security Analysis
Efficiency
Multiplication
Exponentiation
Pairing
0
2
0
Extract Max:n+2, Avg:(n/2)+2 2
0
Prove
Max:n+1, Avg:(n/2)+1 3
0
Verify
Max:n+3, Avg:(n/2)+3 2
3
Setup
Table 1: Complexity Cost
23
5. Security Analysis
Efficiency
HKIBI05a
HKIBI05b
Efficiency Imp-pa
of P and V assumption
Imp-aa/ca
assumption
6G,6E,4P
Unknown
q-SDH
12G,12E,6 q-SDH
P
HKIBI06
9G,11E,3P, q-SDH
1 SOTSS
Proposed IBI (n+4)G,5E, CDH
3P
q-SDH
q-SDH
OMCDHP
Table 2: Comparisons with other IBI
24
6. Conclusion
Merits of Proposed IBI

Direct proof

Provable security against both imp-pa and
imp-aa/ca in the standard model.

More efficient than other IBI schemes in
standard model.
25
7. Open Problems
1.
2.
3.
More IBI schemes that are efficient and
provably secure in the standard model.
More IBI Schemes with direct proof to a
hard-mathematical problem as opposed to
reductions from transformations.
An IBI scheme with provable security
against imp-aa/ca using a weaker
assumption like DLOG or CDH.
26
Thank You
Q&A
27
Download