Download - An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model
![Page 1: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/1.jpg)
1
An Efficient and Provable Secure Identity-Based Identification
Scheme in the Standard Model
(Multimedia University) Ji-Jian Chin
Swee-Huay HengBok-Min Goi
![Page 2: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/2.jpg)
2
Contents1 Introduction 3
2 Preliminaries 9
3 Formal Definition of IBI 11
4 Construction 16
5 Security Analysis 21
6 Conclusion 25
7 Open Problems 26
![Page 3: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/3.jpg)
3
1. Introduction
An identification scheme enables one party to identify itself securely to another party authentically and without repudiation.
ID-based cryptography – user generates own public key using an identity string.
ID-based cryptography does away with certificates binding the public key to the private key, as opposed to traditional public key infrastructure systems.
![Page 4: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/4.jpg)
4
1. Introduction
If I can guess/know your password, I can impersonate you.(Easy to guess: keyloggers, peek into your password database, sticky notes with passwords in your office, steal from your hand phone etc)
Why IBI and SI can overcome this?Challenge-response identification.Zero-knowledge of secret key involved.
Why Passwords Aren’t Enough?
![Page 5: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/5.jpg)
5
1. Introduction
IBI fundamental paper proposed by Fiat and Shamir in 1984.
Rigorous definition and security proofs only formalized in 2004- Kurosawa and Heng- Bellare, Namprempre and Neven
Schemes’ mostly have provable security based on the random oracle model
Schemes’ with provable security in the standard model are not very efficient and few in number
History of IBI
![Page 6: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/6.jpg)
6
1. Introduction
first introduced by Bellare and Rogaway in 1993.The Random Oracle
I answer anybody’s queries with totally random and uniformly distributed
answers
I’ve seen this Newquery before query
query
Existing answer
Give new random answer, and save query for next time
The Random Oracle
![Page 7: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/7.jpg)
7
1. Introduction
Disadvantages of RO:
- heuristic in nature
- Canetti et al. showed certain schemes secure in the random oracle model is insecure once implemented
- idealistic: doesn’t exist in real world Conclusion
- scheme secure in ROM better than no proof at all
- best to prove in standard model
The Random Oracle
![Page 8: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/8.jpg)
8
1. Introduction
1. Kurosawa and Heng proposed the first 2 IBI schemes in the standard model in 2005.
2. Kurosawa and Heng used a trapdoor commitment scheme and a digital signature scheme to construct another IBI scheme in the standard model in 2006.
3. Yang et al. proposed a general framework to construct IBI schemes in the random oracle model in 2007.
Recent Developments
![Page 9: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/9.jpg)
9
2. Preliminaries
a) Bilinearity. e(ga,gb)=e(g,g)ab
b) Non-degeneracy. e(g,g) ≠1
c) Efficiently computable.
Bilinear Pairings
![Page 10: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/10.jpg)
10
a) Security against Passive Attacks:Computational Diffie-Hellman problem (CDHP)
- Find gab given g and ga ,gb
b) Security against Active/Concurrent Attacks:One-More Computational Diffie-Hellman Problem (OMCDHP)
- Adversary is given a challenge oracle and a CDH oracle.- Adversary queries random challenge point from challenge
oracle and obtains solution by querying the CDH oracle.- Adversary wins the game if at the end the number of queries to
the solution oracle is strictly less than the queries to the challenge oracle.
2. PreliminariesSecurity Assumptions
![Page 11: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/11.jpg)
11
3. Formal Definitions For IBI
IBI=(S,E,P,V) - 4 probabilistic, polynomial-time algorithms
Setup(S)Setup(S)
Extract(E)Extract(E)
input paraminput param
mpk, mpk, mskmsk
ID
Prover(P)Prover(P)(Prove (Prove that that I know I know usk)usk)
Verifier(V)Verifier(V)Accept onlyAccept only
if you if you Know uskKnow usk
usk
mpk, usk, mpk, usk, IDID
mpk, IDmpk, ID
CMCMTT
CHCHAA
RSPRSP
The Canonical Three Move ProtocolThe Canonical Three Move Protocol
Definition of IBI
![Page 12: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/12.jpg)
12
3. Formal Definition of IBI
Goal of adversary towards IBI - impersonation.
Considered successful if:- Interact with verifier as prover with public ID- Accepted by verifier with non-negligible probability
Stronger assumptions of IBI vs SI:1. The adversary can choose a target identity ID to impersonate
as opposed to a random public key. 2. IBI has access to extract oracle -> the adversary can possess
private keys of some users which she has chosen.
Security Model for IBI
![Page 13: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/13.jpg)
13
3. Formal Definition for IBI
Passive attacks (imp-pa)Eavesdrop
Active attacks (imp-aa)Interacts with provers as a cheating verifier
Concurrent attacks (imp-ca)Interacts with provers as a cheating verifier concurrently.
Security Model for IBI
![Page 14: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/14.jpg)
14
3. Formal Definition for IBI
The impersonation attack between the impersonator I, and challenger C is described in a two phase game.
Phase 1:
I either extracts transcript queries for imp-pa or acts as a cheating verifier in imp-aa and imp-ca.
Phase 2:
I plays the cheating prover it picks to convince the verifier.
Security Model for IBI
![Page 15: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/15.jpg)
15
3. Formal Definition for IBI
An IBI scheme is (t,qI,ε)- secure against imp-pa/imp-aa/imp-ca if for any I who runs in
time t, Pr(I can impersonate)<ε, where I can make at most qI queries.
Security Model for IBI
![Page 16: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/16.jpg)
16
Let and be finite cyclic groups or order and let be a generator of . Let be an efficiently computed bilinear map. Use a collision-resistant hash function to hash identities to an arbitrary length to a bit string of length .
4. Construction
G TG p gG TGGGe :
nH },{},{: * 1010 n
Construction of IBI scheme based on the Waters Signature Scheme
![Page 17: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/17.jpg)
17
4. Construction
Gug
gg
Za
R
a
pR
',2
1
Select an n-length vector GuuU Rn },...,{ 1
)(:
),,',,,,,(:a
T
gmsk
HUuggeGGmpk
2
1
Setup
![Page 18: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/18.jpg)
18
4. Construction
pR Zr
ID:hashed user identity string of length n
Let :ith-bit of ID
r
r
IDii
a
gR
uugS
)'(2
),(: RSusk
},...,{ nID 1 be the set of all i where di=1Let
id
Extract
![Page 19: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/19.jpg)
19
4. Construction
Prove Verify
Accept if
z
z
IDii
gY
uuX
2
)'( RYX ,,
Z
cp
R Zc
czSZ
),)'((),(),( RuuXegYgegZe c
IDii
c
12
Prove and Verify
![Page 20: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/20.jpg)
20
4. Construction
),)'((),(
),)'()'((),(
),))'(((
),(
)(
RuuXegYge
guuuuegge
guuge
gZe
c
IDii
c
rc
IDii
z
IDii
cza
czr
IDii
a
12
2
2
Correctness
![Page 21: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/21.jpg)
21
5. Security Analysis
Theorem 1:
The proposed IBI scheme is (t,qI,ε)-secure
against impersonation under passive attacks in
the standard model if the CDHP is (t’,ε’)-hard
where
Security against Passive Attacks
2
114
pnq ue ')( ))())(((' II qqnOtt 2
: time for multiplication in
: time for exponentiation in
: extract queries made
: transcript queries made and
iqeq
ieI qqq
![Page 22: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/22.jpg)
22
5. Security Analysis
Theorem 2:
The proposed IBI scheme is (t,qI,ε)-secure
against impersonation under active/concurrent
attacks in the standard model if the OMCDHP is
(t”,qCDH,ε”)-hard where
Security against Active/Concurrent Attacks
2
114
pnq ue ")( ))())(((" II qqnOtt 2
: time for multiplication in
: time for exponentiation in
: extract queries made
: transcript queries made and
iqeq
ieI qqq
![Page 23: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/23.jpg)
23
5. Security AnalysisEfficiency
Multiplication Exponentiation Pairing
Setup 0 2 0
Extract Max:n+2, Avg:(n/2)+2 2 0
Prove Max:n+1, Avg:(n/2)+1 3 0
Verify Max:n+3, Avg:(n/2)+3 2 3
Table 1: Complexity Cost
![Page 24: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/24.jpg)
24
5. Security AnalysisEfficiency
Efficiency of P and V
Imp-pa assumption
Imp-aa/ca assumption
HKIBI05a 6G,6E,4P q-SDH Unknown
HKIBI05b 12G,12E,6P
q-SDH q-SDH
HKIBI06 9G,11E,3P,1 SOTSS
q-SDH q-SDH
Proposed IBI (n+4)G,5E,3P
CDH OMCDHP
Table 2: Comparisons with other IBI
![Page 25: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/25.jpg)
25
6. Conclusion
Merits of Proposed IBI Direct proof Provable security against both imp-pa and
imp-aa/ca in the standard model. More efficient than other IBI schemes in
standard model.
![Page 26: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/26.jpg)
26
7. Open Problems
1. More IBI schemes that are efficient and provably secure in the standard model.
2. More IBI Schemes with direct proof to a hard-mathematical problem as opposed to reductions from transformations.
3. An IBI scheme with provable security against imp-aa/ca using a weaker assumption like DLOG or CDH.
![Page 27: An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model](https://reader035.vdocuments.us/reader035/viewer/2022062305/56815989550346895dc6cc1a/html5/thumbnails/27.jpg)
27
Thank YouQ&A