An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model (Multimedia University) Ji-Jian Chin Swee-Huay Heng Bok-Min Goi 1 Contents 1 Introduction 3 2 Preliminaries 9 3 Formal Definition of IBI 11 4 Construction 16 5 Security Analysis 21 6 Conclusion 25 7 Open Problems 26 2 1. Introduction An identification scheme enables one party to identify itself securely to another party authentically and without repudiation. ID-based cryptography – user generates own public key using an identity string. ID-based cryptography does away with certificates binding the public key to the private key, as opposed to traditional public key infrastructure systems. 3 1. Introduction Why Passwords Aren’t Enough? If I can guess/know your password, I can impersonate you. (Easy to guess: keyloggers, peek into your password database, sticky notes with passwords in your office, steal from your hand phone etc) Why IBI and SI can overcome this? Challenge-response identification. Zero-knowledge of secret key involved. 4 1. Introduction History of IBI IBI fundamental paper proposed by Fiat and Shamir in 1984. Rigorous definition and security proofs only formalized in 2004 - Kurosawa and Heng - Bellare, Namprempre and Neven Schemes’ mostly have provable security based on the random oracle model Schemes’ with provable security in the standard model are not very efficient and few in number 5 1. Introduction The Random Oracle first introduced by Bellare and Rogaway in The Random Oracle 1993. I answer anybody’s queries with totally random and uniformly distributed answers query I’ve seen this query before New query Give new random answer, and save query for next time Existing answer 6 1. Introduction The Random Oracle Disadvantages of RO: - heuristic in nature - Canetti et al. showed certain schemes secure in the random oracle model is insecure once implemented - idealistic: doesn’t exist in real world Conclusion - scheme secure in ROM better than no proof at all - best to prove in standard model 7 1. Introduction Recent Developments 1. 2. 3. Kurosawa and Heng proposed the first 2 IBI schemes in the standard model in 2005. Kurosawa and Heng used a trapdoor commitment scheme and a digital signature scheme to construct another IBI scheme in the standard model in 2006. Yang et al. proposed a general framework to construct IBI schemes in the random oracle model in 2007. 8 2. Preliminaries Bilinear Pairings a) Bilinearity. e(ga,gb)=e(g,g)ab b) Non-degeneracy. e(g,g) ≠1 c) Efficiently computable. 9 2. Preliminaries Security Assumptions a) b) - Security against Passive Attacks: Computational Diffie-Hellman problem (CDHP) Find gab given g and ga ,gb Security against Active/Concurrent Attacks: One-More Computational Diffie-Hellman Problem (OMCDHP) Adversary is given a challenge oracle and a CDH oracle. Adversary queries random challenge point from challenge oracle and obtains solution by querying the CDH oracle. Adversary wins the game if at the end the number of queries to the solution oracle is strictly less than the queries to the challenge oracle. 10 3. Formal Definitions For IBI Definition of IBI IBI=(S,E,P,V) - 4 probabilistic, polynomial-time algorithms The Canonical Three Move Protocol input param Setup(S) mpk, usk, ID mpk, msk ID Extract(E) usk Prover(P) (Prove that I know usk) mpk, ID CMT CHA Verifier(V) Accept only if you Know usk RSP 11 3. Formal Definition of IBI Security Model for IBI Goal of adversary towards IBI - impersonation. Considered successful if: - Interact with verifier as prover with public ID - Accepted by verifier with non-negligible probability Stronger assumptions of IBI vs SI: 1. The adversary can choose a target identity ID to impersonate as opposed to a random public key. 2. IBI has access to extract oracle -> the adversary can possess private keys of some users which she has chosen. 12 3. Formal Definition for IBI Security Model for IBI Passive attacks (imp-pa) Eavesdrop Active attacks (imp-aa) Interacts with provers as a cheating verifier Concurrent attacks (imp-ca) Interacts with provers as a cheating verifier concurrently. 13 3. Formal Definition for IBI Security Model for IBI The impersonation attack between the impersonator I, and challenger C is described in a two phase game. Phase 1: I either extracts transcript queries for imp-pa or acts as a cheating verifier in imp-aa and imp-ca. Phase 2: I plays the cheating prover it picks to convince the verifier. 14 3. Formal Definition for IBI Security Model for IBI An IBI scheme is (t,qI,ε)- secure against imppa/imp-aa/imp-ca if for any I who runs in time t, Pr(I can impersonate)<ε, where I can make at most qI queries. 15 4. Construction Construction of IBI scheme based on the Waters Signature Scheme Let G and GT be finite cyclic groups or order p and let g be a generator of G. Let e : G G GT be an efficiently computed bilinear map. Use a collision-resistant hash function H : {0,1} * {0,1} n to hash identities to an arbitrary length to a bit string of length n. 16 4. Construction Setup R a Zp g1 g a R g 2 , u ' G Select an n-length vector U {u1 ,...,un } R G mpk : (G ,GT , e , g , g1 , u ' , U , H ) msk : (g 2a ) 17 4. Construction Extract ID:hashed user identity string of length n Let d i :ith-bit of ID Let ID {1,..., n} be the set of all i where di=1 R r Zp S g 2a (u ' ui )r iID R gr usk : (S, R ) 18 4. Construction Prove and Verify Prove X (u ' u i ) z X ,Y ,R Verify iID Y g 2z c Z S z c R c Zp Accept if Z e(Z , g ) e (Yg 2c , g1 )e( X (u ' ui )c , R ) iID 19 4. Construction Correctness e (Z , g ) e (g 2a ((u ' ui )r )z c , g ) iID e (g 2a ( z c ) , g )e ((u ' ui )z (u ' ui )c , g r ) iID iID e (Yg 2c , g1 )e ( X (u ' ui )c , R ) iID 20 5. Security Analysis Security against Passive Attacks Theorem 1: The proposed IBI scheme is (t,qI,ε)-secure against impersonation under passive attacks in the standard model if the CDHP is (t’,ε’)-hard where 1 4qe (nu 1) ' 2 p t ' t O( (2n(qI )) (qI )) : time for multiplication in : time for exponentiation in qe : extract queries made qi : transcript queries made and qI qe qi 21 5. Security Analysis Security against Active/Concurrent Attacks Theorem 2: The proposed IBI scheme is (t,qI,ε)-secure against impersonation under active/concurrent attacks in the standard model if the OMCDHP is (t”,qCDH,ε”)-hard where 1 4qe (nu 1) " 2 p t " t O( (2n(qI )) (qI )) : time for multiplication in : time for exponentiation in qe : extract queries made qi : transcript queries made and qI qe qi 22 5. Security Analysis Efficiency Multiplication Exponentiation Pairing 0 2 0 Extract Max:n+2, Avg:(n/2)+2 2 0 Prove Max:n+1, Avg:(n/2)+1 3 0 Verify Max:n+3, Avg:(n/2)+3 2 3 Setup Table 1: Complexity Cost 23 5. Security Analysis Efficiency HKIBI05a HKIBI05b Efficiency Imp-pa of P and V assumption Imp-aa/ca assumption 6G,6E,4P Unknown q-SDH 12G,12E,6 q-SDH P HKIBI06 9G,11E,3P, q-SDH 1 SOTSS Proposed IBI (n+4)G,5E, CDH 3P q-SDH q-SDH OMCDHP Table 2: Comparisons with other IBI 24 6. Conclusion Merits of Proposed IBI Direct proof Provable security against both imp-pa and imp-aa/ca in the standard model. More efficient than other IBI schemes in standard model. 25 7. Open Problems 1. 2. 3. More IBI schemes that are efficient and provably secure in the standard model. More IBI Schemes with direct proof to a hard-mathematical problem as opposed to reductions from transformations. An IBI scheme with provable security against imp-aa/ca using a weaker assumption like DLOG or CDH. 26 Thank You Q&A 27