SLIDE 1

Overview Background The Transformation Conclusion and Future Work

From Selective-ID to Full-ID IBS without Random Oracles

Sanjit Chatterjee and Chethan Kamath

Indian Institute of Science, Bangalore

November 3, 2013

SLIDE 2

Table of contents

  • Overview
  • Background
      • Formal Definitions
      • The Selective-Identity Model
      • Construction of IBS
  • The Transformation
      • Objects Used
      • The Transformation
      • Security
  • Conclusion and Future Work

SLIDE 6

Identity-Based Cryptography

  • Introduced by Shamir in 1984.
  • Any arbitrary string, say e-mail address, can be used as public key.
  • Certificate management can be avoided.
  • A trusted private key generator (PKG) generates secret keys.

[Figure: PKG (msk, mpk) with users Alice and Bob, who obtain the user secret keys $usk_A$ and $usk_B$ for the identities "Alice" and "Bob".]

SLIDE 8

Identity-Based Signatures

  • IBS is the concept of digital signatures extended to the identity-based setting.

[Figure: Signer, Verifier and PKG; labels: $(\sigma; (id, m))$, usk, id, mpk.]

  • Focus of the talk: construction of IBS schemes

SLIDE 9

FORMAL DEFINITIONS

SLIDE 10

Public-Key Signature

Consists of three PPT algorithms {K, S, V}:

  • Key Generation, $K(\kappa)$
      • Used by the signer to generate the key-pair (pk, sk)
      • pk is published and the sk kept secret
  • Signing, $S_{sk}(m)$
      • Used by the signer to generate signature on some message m
      • The secret key sk used for signing
  • Verification, $V_{pk}(\sigma, m)$
      • Used by the verifier to validate a signature
      • Outputs 1 if σ is a valid signature on m; else, outputs 0

SLIDE 11

Identity-Based Signature

Consists of four PPT algorithms {G, E, S, V}:

  • Set-up, $G(\kappa)$
      • Used by PKG to generate the master key-pair (mpk, msk)
      • mpk is published and the msk kept secret
  • Key Extraction, $E_{msk}(id)$
      • Used by PKG to generate the user secret key (usk)
      • usk is then distributed through a secure channel
  • Signing, $S_{usk}(id, m)$
      • Used by the signer (with identity id) to generate signature on some message m
      • The user secret key usk used for signing
  • Verification, $V_{mpk}(\sigma, id, m)$
      • Used by the verifier to validate a signature
      • Outputs 1 if σ is a valid signature on m by the user with identity id; otherwise, outputs 0

SLIDE 12

STANDARD SECURITY MODELS

SLIDE 13

Security Model for PKS: EU-CMA

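[Figure: challenger C, signing oracle $O_s$ and adversary A; labels: pk, $(\hat{\sigma}; \hat{m})$.]

  • Existential unforgeability under chosen-message attack
  • C generates key-pair (pk, sk) and passes pk to A.
  • Signature Queries: Access to a signing oracle $O_s$
  • Forgery: A wins if $(\hat{\sigma}; \hat{m})$ is valid and non-trivial
  • Adversary’s advantage in the game, $\mathsf{Adv}^{\text{EU-CMA}}_{A}(\kappa)$:

$$\Pr\left[\, 1 \leftarrow V_{pk}(\hat{\sigma}; \hat{m}) \;\middle|\; (sk, pk) \xleftarrow{\$} K(\kappa);\ (\hat{\sigma}; \hat{m}) \xleftarrow{\$} A^{O_s}(pk) \,\right]$$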

SLIDE 14

Security Model for IBS: EU-ID-CMA

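[Figure: challenger C, oracles $O_{\{s,\varepsilon\}}$ and adversary A; labels: mpk, $(\hat{\sigma}; (\hat{id}, \hat{m}))$.]

  • Existential unforgeability with adaptive identity under chosen-message attack
  • C generates key-pair (mpk, msk) and passes mpk to A.
  • Extract Queries, Signature Queries
  • Forgery: A wins if $(\hat{\sigma}; (\hat{id}, \hat{m}))$ is valid and non-trivial
  • Adversary’s advantage in the game, $\mathsf{Adv}^{\text{EU-ID-CMA}}_{A}(\kappa)$:

$$\Pr\left[\, 1 \leftarrow V_{mpk}(\hat{\sigma}; (\hat{id}, \hat{m})) \;\middle|\; (msk, mpk) \xleftarrow{\$} G(\kappa);\ (\hat{\sigma}; (\hat{id}, \hat{m})) \xleftarrow{\$} A^{O_{\{s,\varepsilon\}}}(mpk) \,\right]$$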

SLIDE 15

THE SELECTIVE-IDENTITY MODEL

SLIDE 16

sID Model: Salient Features

  • Introduced by Canetti et al.
  • Weaker than the full model (EU-ID-CMA)
  • However, easier to design sID-secure protocols
  • Adversary has to, beforehand, commit to the target identity
  • Target identity: the identity on which the adversary forges
  • Adversary cannot extract query on the target identity

[Figure: challenger C, oracles $O_{\{s,\varepsilon\}}$ and adversary A; labels: $\hat{id}$, mpk, $(\hat{\sigma}; (\hat{id}, \hat{m}))$.]

SLIDE 17

CONSTRUCTION OF IBS

SLIDE 19

Construction of IBS

  • Considered easier task than IBE
  • Folklore method: EU-ID-CMA-IBS ≡ 2(EU-CMA-PKS)
  • (EU-CMA-PKS) ≡ (EU-GCMA-PKS)+(CR-CHF)
  • Implies EU-ID-CMA-IBS ≡ 2((EU-GCMA-PKS)+(CR-CHF))
  • From sID Model:
      • Random Oracle Model: guess the index of the target identity: polynomial degradation
      • Standard Model: guess the target identity itself: exponential degradation

SLIDE 21

...Construction of IBS...

  • Goal: construct ID-secure IBS from sID-secure IBS
      1. without random oracles
      2. with sub-exponential degradation (preferably, polynomial)
  • Main result: EU-ID-CMA-IBS ≡ (EU-sID-CMA-IBS)+(EU-GCMA-PKS)+(CR-CHF)
  • Further: EU-ID-CMA-IBS ≡ (EU-wID-CMA-IBS)+(EU-GCMA-PKS)+(CR-CHF)

SLIDE 22

THE TRANSFORMATION

SLIDE 23

Objects used

  1. Chameleon Hash Function
  2. GCMA-secure PKS

SLIDE 24

Chameleon Hash Function

  • A family of randomised trapdoor hash functions
  • Collision Resistant (CR)
  • “Chameleon” property: anyone with trapdoor information can efficiently generate collisions

SLIDE 25

...Chameleon Hash Function...

Consists of three PPT algorithms $\{G, h, h^{-1}\}$:

Key Generation, $G(\kappa)$:

  • Generates evaluation key ek and trapdoor key td

Hash Evaluation, $h_{ek}(m, r)$:

  • A randomiser r used to evaluate the hash

Collision Generation, $h^{-1}_{td}(m, r, m')$:

  • Outputs randomiser $r'$ such that $(m, r)$ and $(m', r')$ is a collision: $h_{ek}(m, r) = h_{ek}(m', r')$

SLIDE 26

GCMA-secure PKS

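  • Adversary has to, beforehand, commit to a set of messages $\tilde{M}$
  • The adversary can query with $O_s$ on any message from $\tilde{M}$
  • Adversary has to forge on a message not in $\tilde{M}$

[Figure: challenger C, signing oracle $O_s$ and adversary A; labels: $\tilde{M}$; $pk, \sigma_i$; $(\hat{\sigma}; \hat{m})$.]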

SLIDE 28

The Transformation

In a nutshell

  • Takes as input:
      1. an EU-sID-CMA-secure IBS $I_s := \{G_s, E_s, S_s, V_s\}$
      2. a collision-resistant CHF $H := \{G_h, h, h^{-1}\}$
      3. a GCMA-secure PKS $P := \{K, S_p, V_p\}$
  • Outputs an EU-ID-CMA-secure IBS $I := \{G, E, S, V\}$

The idea:

  • CHF used to map identities between $I$ and $I_s$
  • PKS used to bind these identities

SLIDE 29

...The Transformation...

Set-up, $G(\kappa)$:

  • Invoke $G_s$, $K$ and $G_h$ to obtain $(msk_s, mpk_s)$, $(sk, pk)$ and $(ek, td)$
  • Return $msk := (msk_s, sk)$ and $mpk := (mpk_s, pk, ek)$

Key Extraction, $E_{msk}(id)$:

  • Select a random $r$ and compute $id_s \leftarrow h_{ek}(id, r)$
  • Compute $usk_s \xleftarrow{\$} E_{s,msk_s}(id_s)$ and $\sigma_p \xleftarrow{\$} S_{p,sk}(id_s)$
  • Return $usk := (usk_s, r, \sigma_p)$

Signing, $S_{usk}(id, m)$:

  • Compute $\sigma_s \xleftarrow{\$} S_{s,usk_s}(id_s, m)$
  • Return $\sigma := (\sigma_s, r, \sigma_p)$ as the signature

Verification, $V_{mpk}(\sigma, id, m)$:

  • Return 1 only if $\sigma_p$ and $\sigma_s$ are valid signatures

SLIDE 30

SECURITY

SLIDE 31

Security Argument

Strategy:

  • Adversaries classified into three: type 1, type 2 and type 3
  • type 1: break sID-security; type 2 or type 3: break the binding

| Adversary | Reduction | From  | Degradation |
|-----------|-----------|-------|-------------|
| type 1    | $B_s$     | $I_s$ | $O(q_s)$    |
| type 2    | $B_p$     | $P$   | $O(1)$      |
| type 3    | $B_h$     | $H$   | $O(1)$      |

Table: $q_s$ denotes the number of signature queries

SLIDE 32

Reduction Bs

In a nutshell:

  • Break sID-security – plug in challenge $msk_s$ in the IBS $I$
  • type 1 adversary: target identity was queried to $O_s$
  • Strategy: guess the index of this target identity
  • Hence the $O(q_s)$ degradation

SLIDE 35

...Reduction Bs...

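[Figure: reduction $B_s$ placed between the challenger $C_s$ (scheme $I_s$, oracles $O_{\{s,\varepsilon\}}$) and the adversary A (scheme $I$, oracles $O_{\{s,\varepsilon\}}$); labels: $\tilde{id}_s$, $mpk_s$, mpk.]

  • Invoke $K$ and $G_h$ to obtain $(sk, pk)$ and $(ek, td)$
  • Choose random id, r and commit $\tilde{id} := h_{ek}(id, r)$ to $C_s$ as the target identity; make a guess $\tilde{\ell}$
  • $C_s$ releases $mpk_s$; $B_s$ passes $mpk := (mpk_s, pk, ek)$ to A
  • Extract Queries on id:
      1. If query on the ℓth identity then abort (abort1); else map id to a random $id_s$
      2. Query oracle $O_\varepsilon$ of $C_s$ with $\tilde{id}$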

SLIDE 37

...Reduction Bs...

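[Figure: reduction $B_s$ placed between the challenger $C_s$ (scheme $I_s$, oracles $O_{\{s,\varepsilon\}}$) and the adversary A (scheme $I$, oracles $O_{\{s,\varepsilon\}}$); labels: $\tilde{id}_s$, $mpk_s$, $\hat{\sigma}_s$, mpk, $\hat{\sigma}$.]

  • Signature Queries on (id, m):
      1. If query on the $\tilde{\ell}$th identity then map id to $\tilde{id}_s$ (using knowledge of trapdoor td); else map to a random $id_s$
      2. Query oracle $O_s$ of $C_s$ with $(\tilde{id}, m)$
  • Forgery $(\sigma, r, \sigma_p)$: If the forgery is on the ℓth identity, pass σ to $C_s$; else abort (abort2)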
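The chameleon hash from the "Objects used" part and the way the reduction $B_s$ above uses its trapdoor, as an added example that is not from the talk. It assumes a discrete-log (Krawczyk–Rabin style) chameleon hash over a toy group, which the slides do not specify, and leaves out the sID-secure IBS and the PKS; the names `to_zq`, `chf_*` and `simulate_mapping` are hypothetical.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real
# use: P = 2Q + 1 with P, Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def to_zq(identity: str) -> int:
    """Encode an identity string as an exponent in Z_Q."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % Q

def chf_keygen():
    """G_h: trapdoor td = x, evaluation key ek = G^x mod P."""
    td = secrets.randbelow(Q - 1) + 1
    return pow(G, td, P), td

def chf_hash(ek: int, identity: str, r: int) -> int:
    """h_ek(id, r) = G^enc(id) * ek^r mod P."""
    return pow(G, to_zq(identity), P) * pow(ek, r, P) % P

def chf_collide(td: int, identity: str, r: int, new_identity: str) -> int:
    """h^-1_td(id, r, id'): the r' with h_ek(id', r') = h_ek(id, r)."""
    delta = to_zq(identity) - to_zq(new_identity)
    return (r + delta * pow(td, -1, Q)) % Q

def simulate_mapping(queries, guess):
    """B_s's identity mapping: commit to a target before any query arrives,
    then steer the guess-th queried identity onto it with the trapdoor."""
    ek, td = chf_keygen()
    dummy, r0 = "placeholder-id", secrets.randbelow(Q)
    target = chf_hash(ek, dummy, r0)        # committed to C_s up front
    mapped = []
    for index, identity in enumerate(queries, start=1):
        if index == guess:                  # equivocate: needs td
            r = chf_collide(td, dummy, r0, identity)
        else:                               # honest path, as in Key Extraction
            r = secrets.randbelow(Q)
        mapped.append((identity, r, chf_hash(ek, identity, r)))
    return ek, target, mapped

if __name__ == "__main__":
    ids = ["alice@example.com", "bob@example.com", "carol@example.com"]
    ek, target, mapped = simulate_mapping(ids, guess=2)
    for identity, r, id_s in mapped:
        print(f"{identity:20} r={r:4} id_s={id_s:4} target={id_s == target}")
```

Only the holder of td can make the guessed identity land on the pre-committed target; every other identity is hashed with a fresh randomiser exactly as in Key Extraction.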

SLIDE 39

Analysis of Bs

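  • Success probability governed by abort1 and abort2:

$$\mathsf{Adv}^{\text{EU-sID-CMA}}_{B}(\kappa) = \Pr[\neg\mathsf{abort}_1 \wedge \neg\mathsf{abort}_2] \times \mathsf{Adv}^{\text{EU-ID-CMA}}_{A}(\kappa)$$

  • $\Pr[\neg\mathsf{abort}_2]$ is the same as that of guessing $\tilde{\ell}$: $\Pr[\neg\mathsf{abort}_2] = 1/q_s$
  • $\Pr[\neg\mathsf{abort}_1 \mid \neg\mathsf{abort}_2] = 1$
  • Hence

$$\mathsf{Adv}^{\text{EU-sID-CMA}}_{B}(\kappa) = \mathsf{Adv}^{\text{EU-ID-CMA}}_{A}(\kappa)/q_s$$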

SLIDE 40

TRANSFORMING FROM THE wID MODEL

SLIDE 42

Transforming from the wID Model

  • wID : the weak selective-identity model
  • Adversary has to, beforehand, commit to the target identity and a set of query identities
  • Target identity: the identity on which the adversary forges
  • Query identities: the identities which it can query with $O_{\{s,\varepsilon\}}$
  • Adversary cannot extract query on the target identity

[Figure: challenger C, oracles $O_{\{s,\varepsilon\}}$ and adversary A; labels: $\hat{id}, \hat{I}$; mpk; $(\hat{\sigma}; (\hat{id}, \hat{m}))$.]

  • A similar transformation holds for wID as well
  • EU-ID-CMA-IBS ≡ (EU-wID-CMA-IBS)+(EU-GCMA-PKS)+(CR-CHF)

SLIDE 43

Conclusion and Future Work

  • We discussed a generic transformation from sID/wID IBS to ID IBS

  • Alternative paradigm for construction of IBS
  • Linear degradation

Future Work

  • Further simplification of the assumptions
  • Transformation using fewer objects

SLIDE 44

THANK YOU!