Chameleon Hashes in the Forward-Secure ID-Based Setting
Madeline González Muñiz* and Peeter Laud
Theory Days, Tõrve, Estonia
October 8, 2011
MOTIVATION FOR CHAMELEON HASHING
Sanitizable Signature Schemes
» Allow modification to the original message
  • Pre-determined deletion
  • Pre-determined modification
  • Chameleon hashes
» Sender → Sanitizer → Receiver
Chameleon Hashes
» Introduced by Krawczyk and Rabin in 2000
» Collision-resistant with a trapdoor for finding collisions
» Key exposure problem
» Non-transferable
Key Exposure Problem [KR2000]
» For public key $y = g^x \bmod p$
» Hash defined as $h(m, r) = g^m y^r \bmod p$
» One can solve for $x$ given $(m, r)$ and $(m', r')$ such that $g^m y^r = g^{m'} y^{r'}$
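The key exposure problem above, worked through as an added example (not code from the talk or from [KR2000]). The parameters p, q, g and the function names are assumptions chosen for illustration: a toy subgroup of prime order q, far too small for real use.

```python
# Toy parameters (constructed): p = 2q + 1 with q prime, and g = 4
# generates the order-q subgroup of Z_p*. Messages and r live in Z_q.
P_MOD, Q_ORD, GEN = 2039, 1019, 4

def keygen(x):
    """Public key y = g^x mod p for trapdoor x."""
    return pow(GEN, x, P_MOD)

def chameleon_hash(y, m, r):
    """h(m, r) = g^m * y^r mod p."""
    return (pow(GEN, m, P_MOD) * pow(y, r, P_MOD)) % P_MOD

def find_collision(x, m, r, m_new):
    """Trapdoor holder: solve m + x*r = m_new + x*r_new (mod q) for r_new."""
    return (r + (m - m_new) * pow(x, -1, Q_ORD)) % Q_ORD

def recover_trapdoor(m, r, m2, r2):
    """Anyone holding both openings solves the same equation for x.

    g^m y^r = g^m2 y^r2  =>  m + x*r = m2 + x*r2 (mod q)
                         =>  x = (m - m2) / (r2 - r) (mod q)
    """
    if (r2 - r) % Q_ORD == 0:
        raise ValueError("openings are identical, no information about x")
    return ((m - m2) * pow((r2 - r) % Q_ORD, -1, Q_ORD)) % Q_ORD

def demo():
    x = 777                      # constructed trapdoor
    y = keygen(x)
    m, r, m_new = 123, 456, 321  # constructed message, randomness, new message
    r_new = find_collision(x, m, r, m_new)
    same = chameleon_hash(y, m, r) == chameleon_hash(y, m_new, r_new)
    return same, recover_trapdoor(m, r, m_new, r_new)

if __name__ == "__main__":
    print(demo())
```

Publishing a single collision therefore gives away the long-term trapdoor, which is the problem the per-transaction label L in the ID-based schemes below is meant to avoid.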
PRELIMINARIES
Identity-Based Cryptography
» Key Generator has a master public/private key for the system
» Authenticate to Key Generator
» Key Generator gives ID a private key
» Public key computed from ID
Bilinear Map (Pairing)
» Let $G_1$ (+) and $G_2$ (·) be two groups of prime order $q$
» $e: G_1 \times G_1 \to G_2$ a bilinear map:
  1. Bilinear: $e(\alpha P, \beta Q) = e(P, Q)^{\alpha\beta}$
  2. Non-degenerate
  3. Efficiently computable
Bilinear Computational Diffie-Hellman Problem
» Given $P, \alpha P, \beta P, \gamma P$, compute: $e(P, P)^{\alpha\beta\gamma}$
» We will refer to this as BCDH
Bilinear Decisional Diffie-Hellman Problem
» Given $P, \alpha P, \beta P, \gamma P$, decide: random element in $G_2$ or $e(P, P)^{\alpha\beta\gamma}$
» We will refer to this as BDDH
Pseudorandom Bit Generator
» Bellare and Yee 2003
» $G = (G_k, G_n, k, T)$
  • $G_k$ takes no input, outputs $Seed_0$
  • $G_n$ deterministically takes input $Seed_{t-1}$, outputs $(Out_t, Seed_t)$, where $Out_t$ is a $k$-bit block, and runs a maximum of $T$ times
» Indistinguishable from a function that outputs $k$-bit blocks uniformly at random
CHAMELEON HASHES IN ID-BASED SETTING W/O KEY EXPOSURE
Chen et al. 2010 Proposed Scheme
» Setup
  • $e: G_1 \times G_1 \to G_2$
  • Master secret key $s$
  • Master public key $sP$
  • $H(ID)$
Key Extraction
» Key Generator: $s$, $sP$
» Authenticate as ID
» $sH(ID)$
Chameleon Hash
» Sender (public: $H(ID)$)
  • Select $a$ uniformly at random
  • $r = (aP, e(a(sP), H(ID)))$
  • $h = aP + mH_1(L)$
» $L$ is a transaction label
Collision (Forgery) by ID
» Private: $sH(ID)$
  • Select message $m'$
  • $a'P = aP + (m - m')H_1(L)$
  • $r' = (a'P, e(a'P, sH(ID)))$
» The proof relies on the difficulty of computing the second component of $r'$
The Problem
» Who can verify the correctness of the second component of $r$ and $r'$?
  • Sender knows discrete log $a$
  • Forger using private key
  • BDDH easy
» Solution
  • Include a NIZK proof
SECURITY MODEL W/ FORWARD SECURITY
Properties
» Forward-secure collision resistance
» Indistinguishability
Forward-Secure Collision Resistance
» Users in the system are honest
» params, $P_0$, $P_1$, $P_t$
» $SK_{ID}$ for break-in time $t$
Collision Forgery
» For $t' < t$
  • $P_{t'}, ID', L, m, r$
  • $P_{t'}, ID', L, m', r'$
» Same hash output
Indistinguishability
» params
» Extraction Oracle
» $P_t, ID, L, m$
» $h(P_t, ID, L, m, r)$
» $h(P_t, ID, L, m^*, r)$
PROPOSED CONSTRUCTION
Proposed Forward-Secure KGC Model
» $e: G_1 \times G_1 \to G_2$
» $G = (G_k, G_n, k, T)$
» At time $t = 0$
  • Master secret key $S_0 = (s_0, Seed_0)$
  • Master public key $P_0 = s_0 P$
» Master Key Update
  • Given $S_{t-1} = (s_{t-1}, Seed_{t-1})$
  • $G_n(Seed_{t-1}) = (Out_t, Seed_t)$
  • Compute $s_t = H(Out_t)\, s_{t-1}$
  • Master secret key $S_t = (s_t, Seed_t)$
  • Master public key $P_t = s_t P$
Key Extraction and Identity Update
» Authenticate as ID
» $s_t H(ID)$, $P_t$
» User Key Update
  • Given $S_{t-1} = (s_{t-1} H(ID), Seed_{t-1})$, $P_{t-1}$
  • $G_n(Seed_{t-1}) = (Out_t, Seed_t)$
  • User secret key $S_t = (H(Out_t)\, s_{t-1} H(ID), Seed_t) = (s_t H(ID), Seed_t)$
  • Master public key $P_t = H(Out_t)\, P_{t-1}$
Hashing Algorithm
» Sender
  • Select $a$ uniformly at random
  • $r = (aP, e(aP_t, H(ID)))$
  • $h = aP + mH_1(L)$ and NIZK $\pi$ that $r$ was correctly formed
Collision (Forging) Algorithm
» Receiver
  • Select message $m'$
  • $a'P = aP + (m - m')H_1(L)$
  • $r' = (a'P, e(a'P, s_t H(ID)))$
  • NIZK $\pi'$ that $r'$ was correctly formed
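The master key update, user key update, hashing and collision algorithms above, checked end to end in an added example (not code from the talk). It assumes a toy, insecure bilinear group, SHA-256 stand-ins for H, H_1 and the generator step G_n, and it omits the NIZK proofs; all function names are hypothetical.

```python
import hashlib

# Toy bilinear group (constructed, insecure): G1 = (Z_q, +) with P = 1,
# G2 = order-q subgroup of Z_p*, e(X, Y) = g^(X*Y). Discrete logs in this
# G1 are trivial, so it only checks the algebra on the slides.
p, q, g, P = 2039, 1019, 4, 1

def e(X, Y):
    return pow(g, (X * Y) % q, p)

def to_zq(tag, data):
    # Assumed stand-in for H, H_1 and H(Out_t): hash into Z_q \ {0}
    d = hashlib.sha256(tag + b"|" + data).digest()
    return int.from_bytes(d, "big") % (q - 1) + 1

def G_n(seed):
    # Assumed stand-in generator step: Seed_{t-1} -> (Out_t, Seed_t)
    return (hashlib.sha256(b"out" + seed).digest(),
            hashlib.sha256(b"seed" + seed).digest())

def update(key, seed, P_prev):
    # One period step; the KGC passes s_{t-1}, a user passes s_{t-1} H(ID)
    out, seed_t = G_n(seed)
    f = to_zq(b"H", out)
    return (f * key) % q, seed_t, (f * P_prev) % q

def chash(P_t, ident, label, m, a):
    # h = aP + m H_1(L), r = (aP, e(a P_t, H(ID))); NIZK proof omitted
    aP = (a * P) % q
    r = (aP, e((a * P_t) % q, to_zq(b"ID", ident)))
    return (aP + m * to_zq(b"L", label)) % q, r

def collide(sk_id, label, m, r, m_new):
    # a'P = aP + (m - m') H_1(L), r' = (a'P, e(a'P, s_t H(ID)))
    aP2 = (r[0] + (m - m_new) * to_zq(b"L", label)) % q
    return (aP2, e(aP2, sk_id))

def run_periods(s0, seed0, ident, periods):
    # Evolve KGC and user independently; returns (s_t, user key, KGC P_t, user P_t)
    s, seed, Pk = s0, seed0, (s0 * P) % q
    sk, useed, Pu = (s0 * to_zq(b"ID", ident)) % q, seed0, Pk
    for _ in range(periods):
        s, seed, Pk = update(s, seed, Pk)
        sk, useed, Pu = update(sk, useed, Pu)
    return s, sk, Pk, Pu
```

After any number of periods the user's locally updated key equals $s_t H(ID)$ and both sides agree on $P_t$, and the forged $r'$ is the same pair an honest sender would have produced for $m'$.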
SECURITY OF PROPOSED CONSTRUCTION
BCDH Reduction
» Challenger: $P, \alpha P, \beta P, \gamma P$
» A can create a collision in the hash
» B interacts with A to solve BCDH
» $e(P, P)^{\alpha\beta\gamma}$
Collision Resistance
» Assumption that BCDH is hard
» Using the second component of $r$ and $r'$ we have the following:
  $e(a'P, s_t H(ID)) = e(aP + (m - m')H_1(L), s_t H(ID)) = e(aP, s_t H(ID)) \cdot e(H_1(L), s_t H(ID))^{m - m'}$
  $e(a'P, s_t H(ID)) / e(aP, s_t H(ID)) = e(s_t H(ID), H_1(L))^{m - m'}$
» $e(s_t H(ID), H_1(L))$ used in simulation to introduce challenge
BCDH Challenge
» Given
  • $P$
  • $\alpha P = P_t = s_t P$
  • $\beta P = H(ID)$
  • $\gamma P = H_1(L)$
» compute: $e(s_t H(ID), H_1(L)) = e(P, P)^{\alpha\beta\gamma}$
Open Problem
» Attribute-based setting
  • User with threshold number of attributes can compute collision
  • Sahai and Waters
  • Public parameter for each attribute
  • Chameleon hash with the following condition:
  • Hash depends on message, attributes, and attribute authority's public key
  • User and attribute authority interact once
THANKS