Constructing Provably-Secure Identity-Based Signature Schemes - PowerPoint PPT Presentation

  1. Constructing Provably-Secure Identity-Based Signature Schemes
     Chethan Kamath
     Indian Institute of Science, Bangalore
     November 23, 2013
     Sections: Overview; Background; Galindo-Garcia IBS; GG-IBS, Improved; Transformation; Conclusion

  2. Table of contents
     • Overview
     • Background
       • Formal Definitions
       • Schnorr Signature and Oracle Replay Attack
       • General Forking
     • Galindo-Garcia IBS
       • Galindo-Garcia IBS
       • Multiple-Forking Lemma
       • Security Argument
     • GG-IBS, Improved
       • Intuition
       • (In)Dependence for Random Oracles
     • Transformation
     • Conclusion

  7. Identity-Based Cryptography
     • Introduced by Shamir in 1984.
     • Any arbitrary string can be used as public key.
     • Certificate management can be avoided.
     • A trusted private key generator (PKG) generates secret keys.
     [Diagram: PKG with $mpk$ and $msk$; Alice and Bob with user secret keys $usk_A$ and $usk_B$]

  9. Identity-Based Signatures
     • IBS: digital signatures extended to identity-based setting
     [Diagram: PKG, Signer and Verifier, with labels $usk_{id}$, $mpk$ and $(\sigma; (id, m))$]
     • Focus of the work: construction of IBS schemes
       1. Concrete IBS based on Schnorr signature
       2. Generic construction from a weaker model

  11. Public-Key Signature
      Consists of three PPT algorithms $\{\mathcal{K}, \mathcal{S}, \mathcal{V}\}$:
      • Key Generation, $\mathcal{K}(\kappa)$
        • Used by the signer to generate the key-pair $(pk, sk)$
        • $pk$ is published and the $sk$ kept secret
      • Signing, $\mathcal{S}_{sk}(m)$
        • Used by the signer to generate signature on some message $m$
        • The secret key $sk$ used for signing
      • Verification, $\mathcal{V}_{pk}(\sigma, m)$
        • Used by the verifier to validate a signature
        • Outputs 1 if $\sigma$ is a valid signature on $m$; else, outputs 0

  12. Identity-Based Signature
      Consists of four PPT algorithms $\{\mathcal{G}, \mathcal{E}, \mathcal{S}, \mathcal{V}\}$:
      • Set-up, $\mathcal{G}(\kappa)$
        • Used by PKG to generate the master key-pair $(mpk, msk)$
        • $mpk$ is published and the $msk$ kept secret
      • Key Extraction, $\mathcal{E}_{msk}(id)$
        • Used by PKG to generate the user secret key ($usk$)
        • $usk$ is then distributed through a secure channel
      • Signing, $\mathcal{S}_{usk}(id, m)$
        • Used by the signer (with identity $id$) to generate signature on some message $m$
        • The user secret key $usk$ used for signing
      • Verification, $\mathcal{V}_{mpk}(\sigma, id, m)$
        • Used by the verifier to validate a signature
        • Outputs 1 if $\sigma$ is a valid signature on $m$ by the user with identity $id$; otherwise, outputs 0

  13. STANDARD SECURITY MODELS

  14. Security Model for PKS: EU-CMA
      [Diagram: challenger $\mathcal{C}$, adversary $\mathcal{A}$ and signing oracle $\mathcal{O}_s$, with labels $pk$ and $(\hat{\sigma}; \hat{m})$]
      • Existential unforgeability under chosen-message attack
        1. $\mathcal{C}$ generates key-pair $(pk, sk)$ and passes $pk$ to $\mathcal{A}$
        2. $\mathcal{A}$ allowed: Signature Queries through an oracle $\mathcal{O}_s$
        3. Forgery: $\mathcal{A}$ wins if $(\hat{\sigma}; \hat{m})$ is valid and non-trivial
      • Adversary's advantage in the game:
        $$\Pr\left[\, 1 \leftarrow \mathcal{V}_{pk}(\hat{\sigma}; \hat{m}) \;:\; (sk, pk) \xleftarrow{\$} \mathcal{K}(\kappa);\ (\hat{\sigma}; \hat{m}) \xleftarrow{\$} \mathcal{A}^{\mathcal{O}_s}(pk) \,\right]$$

  15. Security Model for IBS: EU-ID-CMA
      [Diagram: challenger $\mathcal{C}$, adversary $\mathcal{A}$ and oracles $\mathcal{O}_{\{s,\varepsilon\}}$, with labels $mpk$ and $(\hat{\sigma}; (\hat{id}, \hat{m}))$]
      • Existential unforgeability with adaptive identity under chosen-message attack
        1. $\mathcal{C}$ generates key-pair $(mpk, msk)$ and passes $mpk$ to $\mathcal{A}$
        2. $\mathcal{A}$ allowed: Signature Queries, Extract Queries
        3. Forgery: $\mathcal{A}$ wins if $(\hat{\sigma}; (\hat{id}, \hat{m}))$ is valid and non-trivial
      • Adversary's advantage in the game:
        $$\Pr\left[\, 1 \leftarrow \mathcal{V}_{mpk}(\hat{\sigma}; (\hat{id}, \hat{m})) \;:\; (msk, mpk) \xleftarrow{\$} \mathcal{G}(\kappa);\ (\hat{\sigma}; (\hat{id}, \hat{m})) \xleftarrow{\$} \mathcal{A}^{\mathcal{O}_{\{s,\varepsilon\}}}(mpk) \,\right]$$

  16. SCHNORR SIGNATURE AND ORACLE REPLAY ATTACK

  17. Schnorr Signature: Features
      • Derived from Schnorr identification (FS Transform)
      • Uses one hash function
      • Security:
        • Based on discrete-log assumption
        • Hash function modelled as a random oracle (RO)
        • Argued using (random) oracle replay attacks

  18. Schnorr Signature: Construction
      The Setting:
        1. We work in group $\mathbb{G} = \langle g \rangle$ of prime order $p$.
        2. A hash function $\mathrm{H} : \{0,1\}^* \to \mathbb{Z}_p$ is used.
      Key Generation:
        1. Select $z \xleftarrow{U} \mathbb{Z}_p$ as the $sk$
        2. Set $Z := g^z$ as the $pk$
      Signing:
        1. Select $r \xleftarrow{U} \mathbb{Z}_p$, set $R := g^r$ and $c := \mathrm{H}(m, R)$.
        2. The signature on $m$ is $\sigma := (y, R)$ where $y := r + zc$
      Verification:
        1. Let $\sigma := (y, R)$ and $c := \mathrm{H}(m, R)$.
        2. $\sigma$ is valid if $g^y = R Z^c$

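  21. Oracle Replay Attack
      • Random oracle H: the $i$th RO query $Q_i$ is replied with $s_i$.
      [Diagram: challenger $\mathcal{C}$ and adversary $\mathcal{A}$ for protocol $\Pi$, with the random oracle H answering query $Q_i$ with $s_i$]
      1. Adversary re-wound to $Q_I$
      2. Simulation in round 1 from $Q_I$ using a different random function
      [Diagram: round 0 runs the queries $Q_1, Q_2, \ldots, Q_I, Q_{I+1}, \ldots, Q_\gamma$ with replies $s_1, \ldots, s_I, \ldots, s_\gamma$; round 1 branches at $Q_I$ with reply $s'_I$ and continues with $Q'_{I+1}, \ldots, Q'_\gamma$ and reply $s'_\gamma$]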

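  22. Security of Schnorr Signature, In Brief
      [Diagram: reduction $\mathcal{B}$ between the DLP challenger $\mathcal{C}$ and the EU-NMA adversary $\mathcal{A}$ against the Schnorr signature (SS), with random oracle H]
      • DLP instance: $\Delta = (\mathbb{G}, g, p, g^{\alpha})$; $\mathcal{B}$ sets $pk := \Delta$ and returns $\alpha$
      • $\mathcal{A}$ outputs $\hat{\sigma} = ((y, R); \hat{m})$
      • Round 0: queries $Q_1, Q_2, \ldots, Q_I, Q_{I+1}, \ldots, Q_\gamma$, where $Q_I : \mathrm{H}(\hat{m}, R)$ is replied with $c$; output $\hat{\sigma}_0 = ((y = r + \alpha c, R); \hat{m})$
      • Round 1: $Q_I$ is replied with $c'$, followed by $Q'_{I+1}, \ldots, Q'_\gamma$; output $\hat{\sigma}_1 = ((y' = r + \alpha c', R); \hat{m})$
      • Extraction: $$\alpha = \frac{y - y'}{c - c'}$$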
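The Schnorr construction from slide 18 and the replay-and-extract step from slides 21 and 22, as an added Python example (not code from the presentation). The toy group parameters, the `RandomOracle` class and the use of a key-holding signer with a fixed random tape as a stand-in for the adversary $\mathcal{A}$ are assumptions made for illustration.

```python
import secrets

# Constructed toy group (assumption; far too small for real use): g = 4 generates
# the subgroup of prime order p = 1019 in Z_2039^*, playing the role of G = <g>.
MODULUS, p, g = 2039, 1019, 4

class RandomOracle:
    """H : {0,1}* -> Z_p, sampled lazily; a repeated query gets the same reply."""
    def __init__(self):
        self.table = {}
    def __call__(self, m, R):
        if (m, R) not in self.table:
            self.table[(m, R)] = secrets.randbelow(p)
        return self.table[(m, R)]

def keygen():
    z = secrets.randbelow(p - 1) + 1           # sk: z from Z_p (nonzero)
    return z, pow(g, z, MODULUS)               # pk: Z = g^z

def sign(z, m, H, r=None):
    r = secrets.randbelow(p) if r is None else r   # r: the signer's random tape
    R = pow(g, r, MODULUS)
    return (r + z * H(m, R)) % p, R            # sigma = (y, R) with y = r + z*c

def verify(Z, m, sigma, H):
    y, R = sigma                               # valid iff g^y = R * Z^c
    return pow(g, y, MODULUS) == R * pow(Z, H(m, R), MODULUS) % MODULUS

def fork_and_extract(signer, m):
    """Oracle replay: run `signer` twice on the same random tape, answer the
    query H(m, R) differently in round 1, then solve the two equations."""
    r = secrets.randbelow(p)
    H0, H1 = RandomOracle(), RandomOracle()
    y0, R = signer(m, H0, r)                   # round 0: y  = r + alpha*c
    c0 = c1 = H0(m, R)
    while c1 == c0:                            # round 1 reply must differ
        c1 = secrets.randbelow(p)
    H1.table[(m, R)] = c1                      # program the forked oracle
    y1, R1 = signer(m, H1, r)                  # round 1: y' = r + alpha*c'
    assert R1 == R                             # both rounds share R
    return (y0 - y1) * pow((c0 - c1) % p, -1, p) % p   # (y - y') / (c - c')

def demo():
    z, Z = keygen()
    H = RandomOracle()
    valid = verify(Z, "msg", sign(z, "msg", H), H)
    # Stand-in for A: a signer holding z; the extractor only sees (y, R) and c.
    alpha = fork_and_extract(lambda m, H, r: sign(z, m, H, r), "msg")
    return valid, alpha == z
```

The same algebra is why a Schnorr signer must draw a fresh $r$ for every signature: two signatures sharing $R$ under different challenges determine the secret key.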

  23. Cost of Oracle Replay Attack
      • Forking Lemma [PS00]: bounds success probability of the oracle replay attack ($frk$) in terms of
        1. success probability of the adversary ($\epsilon$)
        2. bound on RO queries ($q$)
      DLP $\le O(q/\epsilon^2)$ Schnorr Signature
      • Analysis done using the Splitting Lemma
      [PS00] Pointcheval and Stern. Security arguments for digital signatures and blind signatures. JoC, 13
      [Seu12] Seurin. On the exact security of Schnorr-type signatures in the random oracle model. Eurocrypt'12
