Forward-Secure ID-Based Setting Madeline Gonz lez Mu iz* and Peeter - - PowerPoint PPT Presentation

forward secure id based setting
SMART_READER_LITE
LIVE PREVIEW

Forward-Secure ID-Based Setting Madeline Gonz lez Mu iz* and Peeter - - PowerPoint PPT Presentation

Apr 03, 2024 20 likes •351 views

Chameleon Hashes in the Forward-Secure ID-Based Setting Madeline Gonz lez Mu iz* and Peeter Laud Theory Days Trve , Estonia October 8, 2011 MOTIVATION FOR CHAMELEON HASHING 2 of 33 Sanitizable Signature Schemes Allow modification

slide-1
SLIDE 1

Chameleon Hashes in the Forward-Secure ID-Based Setting

Madeline González Muñiz* and Peeter Laud

Theory Days Tõrve, Estonia

October 8, 2011

slide-2
SLIDE 2

MOTIVATION FOR CHAMELEON HASHING

2 of 33

slide-3
SLIDE 3

Sanitizable Signature Schemes

3

» Allow modification to the original message

  • Pre-determined deletion
  • Pre-determined modification

Chameleon hashes

» Sender→Sanitizer→Receiver

slide-4
SLIDE 4

Chameleon Hashes

4

» Introduced by Krawczyk and Rabin in 2000 » Collision-resistant with a trapdoor for finding collisions » Key exposure problem » Non-transferable

slide-5
SLIDE 5

Key Exposure Problem [KR2000]

5

» For public key y=gx mod p » Hash defined as h(m, r)=gmyr mod p » One can solve for x given (m, r) and (m', r') such that gmyr =gm'yr'

slide-6
SLIDE 6

PRELIMINARIES

6 of 33

slide-7
SLIDE 7

Identity-Based Cryptography

Authenticate to Key Generator Key Generator gives ID a private key for the system Has a master public/private key

Public key computed from ID 7

slide-8
SLIDE 8

Bilinear Map (Pairing)

Let G1 (+) and G2 (·) be two groups of prime order q e: G1Χ G1→ G2 a bilinear map:

  • 1. Bilinear:

e(αP, βQ)= e(P, Q)αβ

  • 2. Non-degenerate
  • 3. Efficiently computable

8

slide-9
SLIDE 9

Bilinear Computational Diffie- Hellman Problem

Given P, αP, βP, γP, compute: e(P, P)αβγ We will refer to this as BCDH

9

slide-10
SLIDE 10

Bilinear Decisional Diffie- Hellman Problem

Given P, αP, βP, γP, decide: random element in G2 or e(P, P)αβγ We will refer to this as BDDH

10

slide-11
SLIDE 11

Pseudorandom Bit Generator

» Bellare and Yee 2003

» G=(Gk, Gn, k, T)

  • Gk takes no input, outputs Seed0
  • Gn deterministically takes input Seedt-1,
  • utputs (Outt, Seedt) where Outt is a k-bit

block and runs a max of T times » Indistinguishable from a function that

  • utputs k-bit blocks unif at random

11

slide-12
SLIDE 12

CHAMELEON HASHES IN ID-BASED SETTING W/O KEY EXPOSURE

12 of 33

slide-13
SLIDE 13

Chen et al. 2010 Proposed Scheme

13

» Setup

e: G1Χ G1→ G2 Master Secret key s Master Public key sP

H(ID)

slide-14
SLIDE 14

Key Extraction

Authenticate as

ID

sH(ID) s sP

14

slide-15
SLIDE 15

Chameleon Hash

15

public H(ID)

Sender

  • Select a uniformly at

random

  • r=(aP, e(a(sP), H(ID))
  • h=aP+mH1(L)

L is a transaction label

slide-16
SLIDE 16

Collision (Forgery) by ID

16

private sH(ID)

  • Select message m'
  • a'P=aP+(m-m') H1(L)
  • r'=(a'P, e(a'P, sH(ID))

The proof relies on the difficulty of computing the second component of r'

slide-17
SLIDE 17

The Problem

» Who can verify the correctness of the second component of r and r' ?

  • Sender knows discrete log a
  • Forger using private key
  • BDDH easy

» Solution

  • Include a NIZK proof

17

slide-18
SLIDE 18

SECURITY MODEL W/ FORWARD SECURITY

18 of 33

slide-19
SLIDE 19

Properties

» Forward-secure collision resistance » Indistinguishability

19

slide-20
SLIDE 20

Forward-Secure Collision Resistance

» Users in the system are honest

20

params

P0 P1 Pt

SKID for break-in time t

slide-21
SLIDE 21

Collision Forgery

» For t'< t

21

Pt', ID', L, m, r Pt', ID', L, m', r'

Same hash output

slide-22
SLIDE 22

Indistinguishability

22

params

Pt, ID, L, m

Extraction Oracle h(Pt, ID, L, m, r) h(Pt, ID, L, m*, r)

slide-23
SLIDE 23

PROPOSED CONSTRUCTION

23 of 33

slide-24
SLIDE 24

Proposed Forward-Secure KGC Model

24

e: G1Χ G1→ G2 G=(Gk, Gn, k, T) At time t=0 Master secret key S0=(s0, Seed0) Master public key P0= s0P Given St-1=(st-1, Seedt-1) Gn (Seedt-1)=(Outt, Seedt) Compute st= H(Outt)st-1 Master secret key St=(st, Seedt) Master public key Pt=stP Master Key Update

slide-25
SLIDE 25

Key Extraction and Identity Update

25 Authenticate as

ID

stH(ID), Pt

Given St-1=(st-1H(ID), Seedt-1), Pt-1 Gn (Seedt-1)=(Outt, Seedt) User secret key St=(H(Outt)st-1H(ID), Seedt) =(stH(ID), Seedt) Master public key Pt= H(Outt)Pt-1 User Key Update

slide-26
SLIDE 26

Hashing Algorithm

26

Sender

  • Select a uniformly at

random

  • r=(aP, e(aPt, H(ID)))
  • h=aP+mH1(L) and

NIZK π that r was correctly formed

slide-27
SLIDE 27

Collision (Forging) Algorithm

27

Receiver

  • Select message m'
  • a'P=aP+(m-m') H1(L)
  • r'=(a'P, e(a'P, st H(ID)))
  • NIZK π' that r' was

correctly formed

slide-28
SLIDE 28

SECURITY OF PROPOSED CONSTRUCTION

28 of 33

slide-29
SLIDE 29

BCDH Reduction

B interacts with A to solve BCDH

e(P, P)αβγ

P, αP, βP, γP

B A Challenger

A can create a collision in the hash

29

slide-30
SLIDE 30

Collision Resistance

» Assumption that BCDH is hard » Using the second component of r and r' we have the following:

  • e(a'P, st H(ID))

= e(aP +(m-m') H1(L), st H(ID)) = e(aP, st H(ID)) e(H1(L), st H(ID))m-m'

  • e(a'P, st H(ID)) / e(aP, st H(ID))

= e(st H(ID), H1(L))m-m'

  • e(st H(ID), H1(L)) used in simulation to

introduce challenge

30

slide-31
SLIDE 31

BCDH Challenge

Given P αP=Pt=stP βP=H(ID) γP=H1(L) compute: e(st H(ID), H1(L))=e(P, P)αβγ

31

slide-32
SLIDE 32

Open Problem

» Attribute-based setting

  • User with threshold number of attributes

can compute collision

  • Sahai and Waters

Public parameter for each attribute

  • Chameleon hash with the following

condition:

Hash depends on message, attributes, and attribute authority’s public key User and attribute authority interact once

32

slide-33
SLIDE 33

THANKS

33