A Closer Look at Multiple Forking: Leveraging (In)dependence for a - PowerPoint PPT Presentation

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work A Closer Look at Multiple Forking: Leveraging (In)dependence for a Tighter Bound Sanjit Chatterjee and Chethan Kamath Indian Institute of Science, Bangalore November 3, 2013

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work Table of contents Background Schnorr Signature and Oracle Replay Attack General Forking Multiple Forking Galindo-Garcia IBS and Nested Replay Attack Multiple-Forking Lemma Improving on Multiple Forking Intuition: The GG-IBS Perspective Notion of (In)Dependency A Unified Treatment Conclusion and Future Work

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work BACKGROUND

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work Schnorr Signature: Features • Derived from Schnorr identification through FS Transform • Uses one hash function • Security: • Based on the discrete-log assumption • Hash function modelled as a random oracle (RO) • Security argued using (random) oracle replay attacks

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work Schnorr Signature: Construction The Setting: 1. We work in group G = � g � of prime order p . 2. A hash function H : { 0 , 1 } ∗ → Z p is used. Key Generation: 1. Select z ∈ R Z p as the sk 2. Set Z := g z as the pk Signing: 1. Select r ∈ R Z p , set R := g r and c := H( m , R ). 2. The signature on m is σ := ( y , R ) where y := r + zc Verification: 1. Let σ = ( y , R ) and c = H( m , R ). 2. σ is valid if g y = RZ c

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work The Oracle Replay Attack • Random oracle H – i th RO query Q i replied with s i . Q i Π Π C A Π s i H H Adversary re-wound to Q I Simulation in round 1 from Q I using a different random function s γ Q I +1 Q γ round 0 s I s 1 Q 1 Q 2 Q I s ′ I Q ′ Q ′ round 1 γ I +1 s ′ γ

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work The Oracle Replay Attack • Random oracle H – i th RO query Q i replied with s i . Q i Π Π C A Π s i H H 1. Adversary re-wound to Q I Simulation in round 1 from Q I using a different random function s γ Q I +1 Q γ round 0 s I s 1 Q 1 Q 2 Q I s ′ I Q ′ Q ′ round 1 γ I +1 s ′ γ

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work The Oracle Replay Attack • Random oracle H – i th RO query Q i replied with s i . Q i Π Π C A Π s i H H 1. Adversary re-wound to Q I 2. Simulation in round 1 from Q I using a different random function s γ Q I +1 Q γ round 0 s I s 1 Q 1 Q 2 Q I s ′ I Q ′ Q ′ round 1 γ I +1 s ′ γ

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work Security of Schnorr Signature, In Brief ∆ = ( G , g , p , g α ) pk := ∆ DLP DLP SS SS B C A EU-NMA α H σ = (( y , R ); ˆ ˆ m ) ˆ σ 0 = (( y = r + α c , R ); ˆ m ) Q I +1 Q γ round 0 c Q I : H( ˆ m , R ) Q 1 Q 2 c ′ σ 1 = (( y ′ = r + α c ′ , R ); ˆ Q ′ Q ′ ˆ m ) α = y − y ′ γ I +1 round 1 c − c ′

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work Cost of Oracle Replay Attack The Forking Lemma [PS00] gives a bound on the success probability of the oracle replay attack in terms of 1. success probability of the adversary ( ǫ ) 2. bound on RO queries ( q ) DLP ≤ O( q /ǫ 2 ) Schnorr Signature

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work Cost of Oracle Replay Attack The Forking Lemma [PS00] gives a bound on the success probability of the oracle replay attack in terms of 1. success probability of the adversary ( ǫ ) 2. bound on RO queries ( q ) DLP ≤ O( q /ǫ 2 ) Schnorr Signature The cost: security degrades by O ( q ) • More or less optimal [Seu12]

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work General Forking Lemma “Forking Lemma is something purely probabilistic, not about signatures” [BN06] • Abstract version of the Forking Lemma • Separates out details of simulation (of adversary) from analysis • A wrapper algorithm used as intermediary • Simulate the protocol environment to A • Simulate the RO as specified by S

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work General Forking Lemma “Forking Lemma is something purely probabilistic, not about signatures” [BN06] • Abstract version of the Forking Lemma • Separates out details of simulation (of adversary) from analysis • A wrapper algorithm used as intermediary • Simulate the protocol environment to A • Simulate the RO as specified by S S A

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work General Forking Lemma “Forking Lemma is something purely probabilistic, not about signatures” [BN06] • Abstract version of the Forking Lemma • Separates out details of simulation (of adversary) from analysis • A wrapper algorithm used as intermediary • Simulate the protocol environment to A • Simulate the RO as specified by S S S W A A • Structure of a wrapper call: ( I , σ ) ← W ( x , s 1 , . . . , s q ; ρ )

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work ...General Forking Lemma... General-Forking Algorithm F W ( x ) Pick coins ρ for W at random { s 1 , . . . , s q } ∈ R S ; ( I , σ ) ← W ( x , s 1 , . . . , s q ; ρ ) / / round 0 if ( I = 0) then return (0 , ⊥ , ⊥ ) { s ′ I 0 , . . . , s ′ q } ∈ R S ; ( I ′ , σ ′ ) ← W ( x , s 1 , . . . , s I − 1 , s ′ I , . . . , s ′ q ; ρ ) / / round 1 if ( I ′ = I ∧ s ′ I � = s I ) then return (1 , σ, σ ′ ) else return (0 , ⊥ , ⊥ )

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work ...General Forking Lemma... General-Forking Algorithm F W ( x ) Pick coins ρ for W at random { s 1 , . . . , s q } ∈ R S ; ( I , σ ) ← W ( x , s 1 , . . . , s q ; ρ ) / / round 0 if ( I = 0) then return (0 , ⊥ , ⊥ ) { s ′ I 0 , . . . , s ′ q } ∈ R S ; ( I ′ , σ ′ ) ← W ( x , s 1 , . . . , s I − 1 , s ′ I , . . . , s ′ q ; ρ ) / / round 1 if ( I ′ = I ∧ s ′ I � = s I ) then return (1 , σ, σ ′ ) else return (0 , ⊥ , ⊥ ) The General Forking Lemma gives a bound on the success probability of the oracle replay attack ( frk ) in terms of 1. success probability of W ( acc ) 2. bound on RO queries ( q ) frk ≥ acc 2 / q

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work MULTIPLE FORKING

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work Overview • Introduced by Boldyreva et al. [BPW12] • Motivation: • General Forking restricted to one RO and single replay attack • Multiple Forking considers two ROs and multiple replay attacks

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work Overview • Introduced by Boldyreva et al. [BPW12] • Motivation: • General Forking restricted to one RO and single replay attack • Multiple Forking considers two ROs and multiple replay attacks • Used originally to argue security of a DL-based proxy signature scheme • Used further in 1. Galindo-Garcia IBS [GG09] 2. Chow et al. Zero-Knowledge Argument [CMW12]

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work GALINDO-GARCIA IBS

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work Galindo-Garcia IBS: Features • Derived from Schnorr signature scheme – nesting • Based on the discrete-log (DL) assumption • Efficient, simple and does not use pairing • Uses two hash functions • Security argued using nested replay attacks

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work Galindo-Garcia IBS: Construction Setting: 1. We work in a group G = � g � of prime order p . 2. Two hash functions H , G : { 0 , 1 } ∗ → Z p are used. Set-up: 1. Select z ∈ R Z p as the msk ; set Z := g z as the mpk Key Extraction: 1. Select r ∈ R Z p and set R := g r . 2. Return usk := ( y , R ) as the usk , where y := r + zc and c := H( id , R ). Signing: 1. Select a ∈ R Z p and set A := g a . 2. Return σ := ( b , R , A ) as the signature, where b := a + yd and d := G( id , m , A ).

Background Multiple Forking Improving on Multiple Forking Conclusion and Future Work Security, In Brief/The Nested Replay Attack ∆ = ( G , g , p , g α ) mpk := ∆ DLP DLP GG GG B C A EU-ID-CMA H , G α σ = ((ˆ b , ˆ R , ˆ A ); ( ˆ ˆ id , ˆ m )) Q 0 Q 0 σ 0 = (ˆ b 0 , ˆ R , ˆ ˆ A 0 ) I 0+1 q d 0 round 0 Q 0 Q 0 m 0 , ˆ I 0 : G( ˆ id , ˆ A 0 ) J 0+1 c 0 d 1 Q 1 Q 1 σ 1 = (ˆ b 1 , ˆ R , ˆ ˆ A 0 ) I 0+1 q round 1 Q 0 Q 0 Q 0 id , ˆ J 0 : H( ˆ R ) 1 2 Q I 1+1 Q 2 σ 2 = (ˆ b 2 , ˆ R , ˆ ˆ A 2 ) c 1 d 2 2 q round 2 Q 2 Q 2 I 0 : G( ˆ m 2 , ˆ id , ˆ A 2 ) J 0+1 d 3 Q 3 Q 3 σ 3 = (ˆ b 3 , ˆ R , ˆ α = (ˆ b 0 − ˆ b 1 )( d 2 − d 3 ) − (ˆ b 2 − ˆ ˆ A 2 ) b 3 )( d 0 − d 1 ) I 1+1 q round 3 ( c 0 − c 1 )( d 0 − d 1 )( d 2 − d 3 )