constructing provably secure identity based signature
play

Constructing Provably-Secure Identity-Based Signature Schemes - PowerPoint PPT Presentation

Jan 28, 2023 •963 likes •1.76k views

Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Background

  1. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013

  2. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Table of contents Overview Background Formal Definitions Schnorr Signature and Oracle Replay Attack General Forking Galindo-Garcia IBS Galindo-Garcia IBS Multiple-Forking Lemma Security Argument GG-IBS, Improved Intuition (In)Dependence for Random Oracles Transformation Conclusion

  3. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Contents Overview Background Formal Definitions Schnorr Signature and Oracle Replay Attack General Forking Galindo-Garcia IBS Galindo-Garcia IBS Multiple-Forking Lemma Security Argument GG-IBS, Improved Intuition (In)Dependence for Random Oracles Transformation Conclusion

  4. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Identity-Based Cryptography • Introduced by Shamir in 1984. • Any arbitrary string can be used as public key. • Certificate management can be avoided. • A trusted private key generator (PKG) generates secret keys. mpk msk PKG Alice Bob

  5. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Identity-Based Cryptography • Introduced by Shamir in 1984. • Any arbitrary string can be used as public key. • Certificate management can be avoided. • A trusted private key generator (PKG) generates secret keys. mpk msk PKG Alice usk A Bob

  6. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Identity-Based Cryptography • Introduced by Shamir in 1984. • Any arbitrary string can be used as public key. • Certificate management can be avoided. • A trusted private key generator (PKG) generates secret keys. mpk msk PKG Alice Alice Bob usk A Alice

  7. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Identity-Based Cryptography • Introduced by Shamir in 1984. • Any arbitrary string can be used as public key. • Certificate management can be avoided. • A trusted private key generator (PKG) generates secret keys. mpk msk PKG Alice Alice Bob Bob usk A usk B Alice Bob

  8. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Identity-Based Signatures • IBS: digital signatures extended to identity-based setting PKG usk m p id k Signer ( σ ; ( id , m )) Verifier

  9. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Identity-Based Signatures • IBS: digital signatures extended to identity-based setting PKG usk m p id k Signer ( σ ; ( id , m )) Verifier • Focus of the work: construction of IBS schemes 1. Concrete IBS based on Schnorr signature 2. Generic construction from a weaker model

  10. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Contents Overview Background Formal Definitions Schnorr Signature and Oracle Replay Attack General Forking Galindo-Garcia IBS Galindo-Garcia IBS Multiple-Forking Lemma Security Argument GG-IBS, Improved Intuition (In)Dependence for Random Oracles Transformation Conclusion

  11. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Public-Key Signature Consists of three PPT algorithms {K , S , V} : • Key Generation , K ( κ ) • Used by the signer to generate the key-pair ( pk , sk ) • pk is published and the sk kept secret • Signing , S sk ( m ) • Used by the signer to generate signature on some message m • The secret key sk used for signing • Verification , V pk ( σ, m ) • Used by the verifier to validate a signature • Outputs 1 if σ is a valid signature on m ; else, outputs 0

  12. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Identity-Based Signature Consists of four PPT algorithms {G , E , S , V} : • Set-up , G ( κ ) • Used by PKG to generate the master key-pair ( mpk , msk ) • mpk is published and the msk kept secret • Key Extraction , E msk ( id ) • Used by PKG to generate the user secret key ( usk ) • usk is then distributed through a secure channel • Signing , S usk ( id , m ) • Used by the signer (with identity id ) to generate signature on some message m • The user secret key usk used for signing • Verification , V mpk ( σ, id , m ) • Used by the verifier to validate a signature • Outputs 1 if σ is a valid signature on m by the user with identity id ; otherwise, outputs 0

  13. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion STANDARD SECURITY MODELS

  14. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Security Model for PKS: EU-CMA pk C A (ˆ σ ; ˆ m ) O s • Existential unforgeability under chosen-message attack 1. C generates key-pair ( pk , sk ) and passes pk to A 2. A allowed: Signature Queries through an oracle O s 3. Forgery: A wins if (ˆ σ ; ˆ m ) is valid and non-trivial • Adversary’s advantage in the game: � � $ − A O s ( pk ) $ Pr 1 ← V pk (ˆ σ ; ˆ m ) : ( sk , pk ) ← − K ( κ ); (ˆ σ ; ˆ m ) ←

  15. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Security Model for IBS: EU-ID-CMA mpk C A σ ; ( ˆ (ˆ id , ˆ m )) O { s ,ε } • Existential unforgeability with adaptive identity under chosen-message attack 1. C generates key-pair ( mpk , msk ) and passes mpk to A 2. A allowed: Signature Queries, Extract Queries σ ; ( ˆ 3. Forgery: A wins if (ˆ id , ˆ m )) is valid and non-trivial • Adversary’s advantage in the game: � � $ $ σ ; ( ˆ σ ; ( ˆ − A O { s ,ε } ( mpk ) Pr 1 ← V mpk (ˆ id , ˆ m )) : ( msk , mpk ) ← − G ( κ ); (ˆ id , ˆ m )) ←

  16. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion SCHNORR SIGNATURE AND ORACLE REPLAY ATTACK

  17. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Schnorr Signature: Features • Derived from Schnorr identification (FS Transform) • Uses one hash function • Security: • Based on discrete-log assumption • Hash function modelled as a random oracle (RO) • Argued using (random) oracle replay attacks

  18. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Schnorr Signature: Construction The Setting: 1. We work in group G = � g � of prime order p . 2. A hash function H : { 0 , 1 } ∗ �→ Z p is used. Key Generation: U 1. Select z ← − Z p as the sk 2. Set Z := g z as the pk Signing: − Z p , set R := g r and c := H( m , R ). U 1. Select r ← 2. The signature on m is σ := ( y , R ) where y := r + zc Verification: 1. Let σ := ( y , R ) and c := H( m , R ). 2. σ is valid if g y = RZ c

  19. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Oracle Replay Attack • Random oracle H – i th RO query Q i replied with s i Π Π Q i C A Π s i H H Adversary re-wound to Q I Simulation in round 1 from Q I using a different random function s γ Q I +1 Q γ round 0 s I s 1 Q 1 Q 2 Q I s ′ I Q ′ Q ′ round 1 I +1 γ s ′ γ

  20. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Oracle Replay Attack • Random oracle H – i th RO query Q i replied with s i . Π Π Q i C A Π s i H H 1. Adversary re-wound to Q I Simulation in round 1 from Q I using a different random function s γ Q I +1 Q γ round 0 s I s 1 Q 1 Q 2 Q I s ′ I Q ′ Q ′ round 1 I +1 γ s ′ γ

  21. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Oracle Replay Attack • Random oracle H – i th RO query Q i replied with s i . Π Π Q i C A Π s i H H 1. Adversary re-wound to Q I 2. Simulation in round 1 from Q I using a different random function s γ Q I +1 Q γ round 0 s I s 1 Q 1 Q 2 Q I s ′ I Q ′ Q ′ round 1 I +1 γ s ′ γ

  22. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Security of Schnorr Signature, In Brief DLP DLP SS SS ∆ = ( G , g , p , g α ) pk := ∆ C B A EU-NMA α ˆ σ = (( y , R ); ˆ m ) H σ 0 = (( y = r + α c , R ); ˆ ˆ m ) Q I +1 Q γ round 0 c Q I : H( ˆ m , R ) Q 1 Q 2 c ′ σ 1 = (( y ′ = r + α c ′ , R ); ˆ Q ′ Q ′ ˆ m ) α = y − y ′ I +1 γ round 1 c − c ′

  23. Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Cost of Oracle Replay Attack • Forking Lemma [PS00]: bounds success probability of the oracle replay attack ( frk ) in terms of 1. success probability of the adversary ( ǫ ) 2. bound on RO queries ( q ) DLP ≤ O( q /ǫ 2 ) Schnorr Signature • Analysis done using the Splitting Lemma [PS00] Pointcheval and Stern. Security arguments for digital signatures and blind signatures. JoC , 13 [Seu12] Seurin. On the exact security of Schnorr-type signatures in the random oracle model. Eurocrypt’12

Recommend

Key Escrow free Identity-based Identity-based Cryptosystem Cryptosystem Identity-based

Key Escrow free Identity-based Identity-based Cryptosystem Cryptosystem Identity-based

Contents Background Key Escrow free Identity-based Identity-based Cryptosystem Cryptosystem Identity-based Signature Conclusion Manik Lal Das DA-IICT, Gandhinagar, India About DA-IICT and Our Group DA-IICT is a private university,

563 views • 35 slides
Galindo-Garcia Identity-Based Signature Revisited. Sanjit Chatterjee, Chethan Kamath and Vikas

Galindo-Garcia Identity-Based Signature Revisited. Sanjit Chatterjee, Chethan Kamath and Vikas

Galindo-Garcia Identity-Based Signature Revisited. Galindo-Garcia Identity-Based Signature Revisited. Sanjit Chatterjee, Chethan Kamath and Vikas Kumar Indian Institute of Science, Bangalore November 2, 2013 Galindo-Garcia Identity-Based

584 views • 57 slides
Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Computational Complexity Provably-secure constructions Problems with provably-secure constructions Attempts at practical constructions Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark Quo Vadis

874 views • 20 slides
Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic constant-time Gilles Barthe Benjamin Grgoire Vincent Laporte CSF18, 2018-07-12 Vincent Laporte et alii Provably secure compilation of

501 views • 25 slides
Identity Based Ring Signature Why, How, and What Next Sherman S.M. Chow Richard W.C. Lui Lucas

Identity Based Ring Signature Why, How, and What Next Sherman S.M. Chow Richard W.C. Lui Lucas

Identity Based Ring Signature Why, How, and What Next Sherman S.M. Chow Richard W.C. Lui Lucas C.K. Hui S.M. Yiu The University of Hong Kong Outline Introduction PKI vs ID-based Ring Signatures Technical Preliminaries

1.81k views • 29 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual property

S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual property

S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual property unencumbered, easily explained, provably secure, pseudonymous, 2-party, web domain based, authenticated identity solution, including complete identity

840 views • 38 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Leuven, September 10th, 2012 I NTRODUCTION 1 K NOWN TABLE - BASED METHODS 2 C ORON -T CHULKINE METHOD N EISSE -P ULKUS METHOD 3 C

413 views • 28 slides
Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Introduction Contributions Conclusion Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J. Rangasamy * D. Stebila * C. Boyd * J.M. Gonzlez Nieto * * Information Security Institute Queensland

943 views • 22 slides
Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]

Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]

Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89] Long-term secure Only needs secure hash function Post-quantum Possibility of hash combiners IoT compatible? Only needs secure hash

285 views • 13 slides
Distributed Identity Based Short Linkable Ring Signature Kasra EdalatNejad Prof. Bryan Ford

Distributed Identity Based Short Linkable Ring Signature Kasra EdalatNejad Prof. Bryan Ford

Distributed Identity Based Short Linkable Ring Signature Kasra EdalatNejad Prof. Bryan Ford DEcentralized and DIstributed Systems Goal Anonymity Accountability Usability 2 Ring Signature Anonymous Spontaneous 3 Linkable Ring

372 views • 24 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
Robust Pseudonymous Identity for the Internet (A Practical Username & Password Replacement) S

Robust Pseudonymous Identity for the Internet (A Practical Username & Password Replacement) S

Robust Pseudonymous Identity for the Internet (A Practical Username & Password Replacement) S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual property unencumbered, easily explained, provably secure,

898 views • 41 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Securing WSNs and the IoT: Performance Analysis of Identity-based Signatures Tobias Markmann

Securing WSNs and the IoT: Performance Analysis of Identity-based Signatures Tobias Markmann

Securing WSNs and the IoT: Performance Analysis of Identity-based Signatures Tobias Markmann tobias.markmann@haw-hamburg.de 23.04.2014 Outline 1. Introduction 2. Background 3. Identity-based Signature Schemes 4. Evaluation 5. Results 6.

1.06k views • 35 slides
Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute of Technology Thanks to Roberto Guanciale, Musard Balliu, Christoph Baumann, Hamed Nemati, Oliver Schwarz, Victor Do, Christian Gehrmann, Jonas

1.41k views • 114 slides
Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G.

Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G.

Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G. Paterson Information Security Group Royal Holloway, University of London Outline of the Talk Hierarchical Key Assignment Schemes Definition of

802 views • 48 slides
Practical Implementation of Ring-SIS/LWE based Signature and IBE Pauline Bert, Pierre-Alain

Practical Implementation of Ring-SIS/LWE based Signature and IBE Pauline Bert, Pierre-Alain

Practical Implementation of Ring-SIS/LWE based Signature and IBE Pauline Bert, Pierre-Alain Fouque, Adeline Roux-Langlois, and Mohamed Sabt PQCrypto 2018, April 11 Univ Rennes, CNRS, IRISA 1 Identity Based Encryption Private Key Generator E

754 views • 23 slides
ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12]

ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12]

ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12] Michael Backes 1 , 2 Aniket Kate 1 Matteo Maffei 2 Kim Pecina 2 1 MPI-SWS, Germany 2 Saarland University, Germany Tracking in the Advertising World Today

744 views • 35 slides
Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur

Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur

PETS 2017 The 17th Privacy Enhancing T echnologies Symposium July 1821, 2017 Minneapolis, MN, USA Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur Rahaman 1 , Long Cheng 1 , Danfeng (Daphne)

650 views • 18 slides
Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop September 14, 2017 Why Prove Things? Attackers often have more motivation/resources than defenders Heuristic defenses: arms race between attack and

738 views • 52 slides

More recommend