galindo-garcia identity-based signature revisited. filegalindo-garcia identity-based signature...
TRANSCRIPT
![Page 1: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/1.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia Identity-Based SignatureRevisited.
Sanjit Chatterjee, Chethan Kamath and Vikas Kumar
Indian Institute of Science, Bangalore
November 2, 2013
![Page 2: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/2.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Table of contents
Formal DefinitionsPublic-Key Signature and Identity-Based SignatureSecurity Models for PKS and IBS
Galindo-Garcia IBSSalient FeaturesSchnorr Signature and the Oracle Replay AttackConstruction and Original Security ArgumentNew Security Argument
Conclusion and Future Work
![Page 3: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/3.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
FORMAL DEFINITIONS
![Page 4: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/4.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Public-Key Signature and Identity-Based Signature
Definition–Public-Key SignatureAn PKS scheme consists of three PPT algorithms {K,S ,V}
I Key Generation, KI Used by the user to generate the public-private key pair
(pk, sk)I pk is published and the sk kept secretI Run on a security parameter κ
(pk, sk)$←− K(κ)
I Signing, SI Used by the user to generate signature on some message mI The secret key sk used for signing
σ$←− S (sk,m)
I Verification, VI Outputs 1 if σ is a valid signature on m; else, outputs 0
b← V (σ,m, pk)
![Page 5: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/5.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Public-Key Signature and Identity-Based Signature
Definition–Identity-Based Signature
An IBS scheme consists of four PPT algorithms {G , E ,S ,V}I Set-up, G
I Used by the PKG to generate the public parameters (mpk) andmaster secret (msk)
I mpk is published and the msk kept secretI Run on a security parameter κ
(mpk, msk)$←− G(κ)
I Key Extraction, EI Used by the PKG to generate the user secret key (usk)I usk is then distributed through a secure channel
usk$←− E (id, msk)
![Page 6: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/6.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Public-Key Signature and Identity-Based Signature
Definition–Identity-Based Signature...
An IBS scheme consists of four PPT algorithms {G , E ,S ,V}I Signing, S
I Used by a user with identity id to generate signature on somemessage m
I The user secret key usk used for signing
σ$←− S (usk, id,m, mpk)
I Verification, VI Outputs 1 if σ is a valid signature on m by the user with
identity idI Otherwise, outputs 0
b← V (σ, id,m, mpk)
![Page 7: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/7.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Security Models for PKS and IBS
SECURITY MODELS FOR PKS AND IBS
![Page 8: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/8.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Security Models for PKS and IBS
Security Model for PKS–EU-CMA
COs
EU-CMA Apk
(σ, m)
I Existential unforgeability under chosen-message attack
I C generates key-pair (pk, sk) and passes pk to A.I Signature Queries: Access to a signing oracle OsI Forgery: A wins if
I σ is a valid signature on m.I A has not made a signature query on m.
I Adversary’s advantage in the game:
Pr[1← V (σ, m, pk) | (sk, pk)
$←− K(κ); (σ, m)$←− AOs (pk)
]
![Page 9: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/9.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Security Models for PKS and IBS
Security Model for PKS–EU-CMA
COs
EU-CMA Apk
(σ, m)
I Existential unforgeability under chosen-message attackI C generates key-pair (pk, sk) and passes pk to A.
I Signature Queries: Access to a signing oracle OsI Forgery: A wins if
I σ is a valid signature on m.I A has not made a signature query on m.
I Adversary’s advantage in the game:
Pr[1← V (σ, m, pk) | (sk, pk)
$←− K(κ); (σ, m)$←− AOs (pk)
]
![Page 10: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/10.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Security Models for PKS and IBS
Security Model for PKS–EU-CMA
COs
EU-CMA Apk
(σ, m)
I Existential unforgeability under chosen-message attackI C generates key-pair (pk, sk) and passes pk to A.I Signature Queries: Access to a signing oracle Os
I Forgery: A wins ifI σ is a valid signature on m.I A has not made a signature query on m.
I Adversary’s advantage in the game:
Pr[1← V (σ, m, pk) | (sk, pk)
$←− K(κ); (σ, m)$←− AOs (pk)
]
![Page 11: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/11.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Security Models for PKS and IBS
Security Model for PKS–EU-CMA
COs
EU-CMA Apk
(σ, m)
I Existential unforgeability under chosen-message attackI C generates key-pair (pk, sk) and passes pk to A.I Signature Queries: Access to a signing oracle OsI Forgery: A wins if
I σ is a valid signature on m.I A has not made a signature query on m.
I Adversary’s advantage in the game:
Pr[1← V (σ, m, pk) | (sk, pk)
$←− K(κ); (σ, m)$←− AOs (pk)
]
![Page 12: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/12.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Security Models for PKS and IBS
Security Model for PKS–EU-NMA
COs
EU-NMA Apk
(σ, m)
I Existential unforgeability under no-message attackI C generates key-pair (pk, sk) and passes pk to A.I Signature Queries: Access to a signing oracle OsI Forgery: A wins if
I σ is a valid signature on m.I A has not made a signature query on m.
I Adversary’s advantage in the game:
Pr[1← V (σ, m, pk) | (sk, pk)
$←− K(κ); (σ, m)$←− A(pk)
]
![Page 13: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/13.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Security Models for PKS and IBS
Security Model for IBS: EU-ID-CMA
COsOε
EU-ID-CMA Ampk
(σ, id, m)
I Existential unforgeability with adaptive identity underno-message attack
I C generates key-pair (mpk, msk) and passes mpk to A.I Extract Queries, Signature QueriesI Forgery: A wins if
I σ is a valid signature on m by id.I A has not made an extract query on id.I A has not made a signature query on (id, m).
I Adversary’s advantage in the game:Pr
[1← V (σ, id, m, mpk) | (msk, mpk)
$←− G(κ); (σ, id, m)$←− AO{s,ε} (mpk)
]
![Page 14: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/14.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Security Models for PKS and IBS
Security Model for IBS: EU-ID-CMA
COsOε
EU-ID-CMA Ampk
(σ, id, m)
I Existential unforgeability with adaptive identity underno-message attack
I C generates key-pair (mpk, msk) and passes mpk to A.
I Extract Queries, Signature QueriesI Forgery: A wins if
I σ is a valid signature on m by id.I A has not made an extract query on id.I A has not made a signature query on (id, m).
I Adversary’s advantage in the game:Pr
[1← V (σ, id, m, mpk) | (msk, mpk)
$←− G(κ); (σ, id, m)$←− AO{s,ε} (mpk)
]
![Page 15: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/15.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Security Models for PKS and IBS
Security Model for IBS: EU-ID-CMA
COsOε
EU-ID-CMA Ampk
(σ, id, m)
I Existential unforgeability with adaptive identity underno-message attack
I C generates key-pair (mpk, msk) and passes mpk to A.I Extract Queries, Signature Queries
I Forgery: A wins ifI σ is a valid signature on m by id.I A has not made an extract query on id.I A has not made a signature query on (id, m).
I Adversary’s advantage in the game:Pr
[1← V (σ, id, m, mpk) | (msk, mpk)
$←− G(κ); (σ, id, m)$←− AO{s,ε} (mpk)
]
![Page 16: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/16.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Security Models for PKS and IBS
Security Model for IBS: EU-ID-CMA
COsOε
EU-ID-CMA Ampk
(σ, id, m)
I Existential unforgeability with adaptive identity underno-message attack
I C generates key-pair (mpk, msk) and passes mpk to A.I Extract Queries, Signature QueriesI Forgery: A wins if
I σ is a valid signature on m by id.I A has not made an extract query on id.I A has not made a signature query on (id, m).
I Adversary’s advantage in the game:Pr
[1← V (σ, id, m, mpk) | (msk, mpk)
$←− G(κ); (σ, id, m)$←− AO{s,ε} (mpk)
]
![Page 17: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/17.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Security Models for PKS and IBS
Hardness Assumption: Discrete-log Assumption
Discrete-log problem for a group G = 〈g〉 and |G| = p
CDLP
ADLP
(G, g, p, gα)
α
Definition. The DLP in G is to find α given gα, where α ∈R Zp.An adversary A has advantage ε in solving the DLP if
Pr[α′ = α | α ∈R Zp;α′ ← A(G, p, g , gα)
]≥ ε.
The (ε, t)-discrete-log assumption holds in G if no adversary hasadvantage at least ε in solving the DLP in time at most t.
![Page 18: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/18.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Formal Definitions
Security Models for PKS and IBS
Hardness Assumption: Discrete-log Assumption
Discrete-log problem for a group G = 〈g〉 and |G| = p
CDLP
ADLP
(G, g, p, gα)
α
Definition. The DLP in G is to find α given gα, where α ∈R Zp.An adversary A has advantage ε in solving the DLP if
Pr[α′ = α | α ∈R Zp;α′ ← A(G, p, g , gα)
]≥ ε.
The (ε, t)-discrete-log assumption holds in G if no adversary hasadvantage at least ε in solving the DLP in time at most t.
![Page 19: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/19.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
GALINDO-GARCIA IBS
![Page 20: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/20.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Salient Features
Galindo-Garcia IBS - Salient Features
I Derived from Schnorr signature scheme
I Based on the discrete-log assumption
I Efficient, simple and does not use pairing
I Security argued using oracle replay attacks
I Uses the random oracle heuristic
![Page 21: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/21.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Schnorr Signature and the Oracle Replay Attack
SCHNORR SIGNATURE AND
THE ORACLE REPLAY ATTACK
![Page 22: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/22.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Schnorr Signature and the Oracle Replay Attack
Schnorr SignatureThe Setting.
1. We work in group G = 〈g〉 of prime order p.2. A hash function H : {0, 1}∗ → Zp is used.
Key Generation. K(κ):1. Select z ∈R Zp as the secret key sk
2. Set Z := g z as the public key pk
Signing. S (m, sk):1. Let sk = z . Select r ∈R Zp, set R := g r and c := H(m,R).2. The signature on m is σ := (y ,R) where
y := r + zc
Verification. V (σ,m):1. Let σ = (y ,R) and c = H(m,R).2. σ is valid if
g y = RZ c
![Page 23: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/23.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Schnorr Signature and the Oracle Replay Attack
Security of Schnorr Signature–An Intuition
I Consider an adversary A with ability to launchchosen-message attack on the Schnorr signature scheme.
I Let {σ0, . . . , σn−1} with σi = (yi = ri + zci ,Ri ) on mi be thesignatures that A receives.
1 0 · · · 0 c0
0 1 · · · 0 c1
......
. . ....
...
0 0 · · · 1 cn−1
×
r0
r1
...
rn−1
z
=
y0
y1
...
rn−1
![Page 24: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/24.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Schnorr Signature and the Oracle Replay Attack
Security of Schnorr Signature–An Intuition...
I However, A can solve for x if it gets two equations containingthe same r but different c , i.e.
y = r + zc and y = r + zc
implies
z =y − y
c − cΠ
![Page 25: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/25.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Schnorr Signature and the Oracle Replay Attack
The Oracle Replay AttackI Random oracle H–i th random oracle query Q0
i replied with s0i .
CH
ΠA
ΠQ0i
s0i
ΠH
Tape re-wound to Q0I
Simulation in round 1 from Q0I using a different random
function
Q0I+1 Q0
γ round 0
Q01 Q0
2 Q0I
Q1I+1 Q1
γ round 1
s01
s0I
s1I
s0γ
s1γ
![Page 26: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/26.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Schnorr Signature and the Oracle Replay Attack
The Oracle Replay AttackI Random oracle H–i th random oracle query Q0
i replied with s0i .
CH
ΠA
ΠQ0i
s0i
ΠH
1. Tape re-wound to Q0I
Simulation in round 1 from Q0I using a different random
function
Q0I+1 Q0
γ round 0
Q01 Q0
2 Q0I
Q1I+1 Q1
γ round 1
s01
s0I
s1I
s0γ
s1γ
![Page 27: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/27.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Schnorr Signature and the Oracle Replay Attack
The Oracle Replay AttackI Random oracle H–i th random oracle query Q0
i replied with s0i .
CH
ΠA
ΠQ0i
s0i
ΠH
1. Tape re-wound to Q0I
2. Simulation in round 1 from Q0I using a different random
function
Q0I+1 Q0
γ round 0
Q01 Q0
2 Q0I
Q1I+1 Q1
γ round 1
s01
s0I
s1I
s0γ
s1γ
![Page 28: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/28.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Schnorr Signature and the Oracle Replay Attack
Proving Security of Schnorr Signature using ORA
BDLP
CDLP SS
H
ASS
∆ = (G, g , p, gα)
α
pk := ∆
EU-NMA
σ = (y ,R, m)
Q0I+1 Q0
γ σ0 = (y = r + αc,R)
Q01 Q0
2 Q0I : H(m,R)
Q1I+1 Q1
γ σ1 = (y = r + αc,R)
c
c
α =y0 − y1
c − c
![Page 29: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/29.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Schnorr Signature and the Oracle Replay Attack
Forking Lemma
I The oracle replay attack formalised through the forkingalgorithm
I The forking lemma gives a lower bound on the successprobability of the oracle replay attack (frk ) in terms of thesuccess probability of the adversary during a particular run(acc )
I Types of forking algorithms
Forking Algorithm #Oracles #Replay Attacks Success Prob. (≈)
GF–General Forking - FW 1 1 (i.e. 2 runs)acc2
γ
MF–Multiple-Forking(n) - MW ,n 2 2n-1 (i.e. 2n runs)accn
γ2n
γ–Upper bound on the number of oracle queries
![Page 30: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/30.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Schnorr Signature and the Oracle Replay Attack
Forking Lemma
I The oracle replay attack formalised through the forkingalgorithm
I The forking lemma gives a lower bound on the successprobability of the oracle replay attack (frk ) in terms of thesuccess probability of the adversary during a particular run(acc )
I Types of forking algorithms
Forking Algorithm #Oracles #Replay Attacks Success Prob. (≈)
GF–General Forking - FW 1 1 (i.e. 2 runs)acc2
γ
MF–Multiple-Forking(n) - MW ,n 2 2n-1 (i.e. 2n runs)accn
γ2n
γ–Upper bound on the number of oracle queries
![Page 31: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/31.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Schnorr Signature and the Oracle Replay Attack
Forking Lemma...
E.g. Multiple-forking algorithm for n = 3.
Q0I0+1 Q0
γ σ [round 0]
Q0J0+1 Q0
I0
Q1I0+1 Q1
γ σ1 [round 1]
Q01 Q0
2 Q0J0
Q2I0+1 Q2
γ σ2 [round 2]
Q2J0+1 Q2
I0
Q3I0+1 Q3
γ σ3 [round 3]
s0J0
s2J0
s0I0
s1I0
s2I0
s3I0
![Page 32: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/32.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Construction and Original Security Argument
GALINDO-GARCIA IBS–CONSTRUCTION
![Page 33: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/33.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Construction and Original Security Argument
The ConstructionSet-up. G(κ):
1. Let G = 〈g〉 be a group of prime order p.2. Return z ∈R Zp as msk and (G, p, g , g z ,H,G) as mpk, where
H and G are hash functions
H : {0, 1}∗ → Zp and G : {0, 1}∗ → Zp.
Key Extraction. E (id, msk, mpk):1. Select r ∈R Zp and set R := g r .2. Return usk := (y ,R) as usk, where
y := r + zc and c := H(R, id).
Signing. S (id,m, usk, mpk):1. Let usk = (y ,R). Select a ∈R Zp and set A := g a.2. Return σ := (A, b,R) as the signature, where
b := a + yd and d := G(id,A,m).
![Page 34: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/34.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Construction and Original Security Argument
The ConstructionSet-up. G(κ):
1. Let G = 〈g〉 be a group of prime order p.2. Return z ∈R Zp as msk and (G, p, g , g z ,H,G) as mpk, where
H and G are hash functions
H : {0, 1}∗ → Zp and G : {0, 1}∗ → Zp.
Key Extraction. E (id, msk, mpk):1. Select r ∈R Zp and set R := g r .2. Return usk := (y ,R) as usk, where
y := r + zc and c := H(R, id).
Signing. S (id,m, usk, mpk):1. Let usk = (y ,R). Select a ∈R Zp and set A := g a.2. Return σ := (A, b,R) as the signature, where
b := a + yd and d := G(id,A,m).
![Page 35: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/35.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Construction and Original Security Argument
The ConstructionSet-up. G(κ):
1. Let G = 〈g〉 be a group of prime order p.2. Return z ∈R Zp as msk and (G, p, g , g z ,H,G) as mpk, where
H and G are hash functions
H : {0, 1}∗ → Zp and G : {0, 1}∗ → Zp.
Key Extraction. E (id, msk, mpk):1. Select r ∈R Zp and set R := g r .2. Return usk := (y ,R) as usk, where
y := r + zc and c := H(R, id).
Signing. S (id,m, usk, mpk):1. Let usk = (y ,R). Select a ∈R Zp and set A := g a.2. Return σ := (A, b,R) as the signature, where
b := a + yd and d := G(id,A,m).
![Page 36: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/36.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Construction and Original Security Argument
The Construction
Verification. V (σ, id,m, mpk):
1. Let σ = (A, b,R), c := H(R, id) and d := G(id,A,m).2. The signature is valid if
gb = A(R · (g z)c)d .
![Page 37: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/37.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Construction and Original Security Argument
ORIGINAL SECURITY ARGUMENT
![Page 38: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/38.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Construction and Original Security Argument
Original Security Argument
I Let σ = (b,A,R) be the forgery produced by A on (id, m).
U
E E
B1 B2
E: Event that A forges using the same randomiser R as givenby C as part of signature query on id.
I In both B1 and B2, solving DLP is reduced to breaking theIBS.
![Page 39: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/39.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Construction and Original Security Argument
Original Security Argument
I Let σ = (b,A,R) be the forgery produced by A on (id, m).
U
E E
B1 B2
E: Event that A forges using the same randomiser R as givenby C as part of signature query on id.
I In both B1 and B2, solving DLP is reduced to breaking theIBS.
![Page 40: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/40.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
Construction and Original Security Argument
In a Nutshell
Reduction Success Prob. (≈) Forking Used
B1ε2
q3G
General Forking–FW
B2ε4
(qHqG)6 Multiple-Forking–MW ,3
![Page 41: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/41.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
Our Contribution
I We found several problems with B1 and B2
1. B1: Fails in the standard security model for IBS2. B2: All the adversarial strategies were not covered
I The adversary is able to distinguish a simulation from the realexecution of the protocol.
I Positive contribution:
1. We give a detailed new security argument2. Tighter than the original security argument
![Page 42: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/42.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
Our Contribution
I We found several problems with B1 and B2
1. B1: Fails in the standard security model for IBS2. B2: All the adversarial strategies were not covered
I The adversary is able to distinguish a simulation from the realexecution of the protocol.
I Positive contribution:
1. We give a detailed new security argument2. Tighter than the original security argument
![Page 43: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/43.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
Our Contribution
I We found several problems with B1 and B2
1. B1: Fails in the standard security model for IBS2. B2: All the adversarial strategies were not covered
I The adversary is able to distinguish a simulation from the realexecution of the protocol.
I Positive contribution:
1. We give a detailed new security argument2. Tighter than the original security argument
![Page 44: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/44.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
NEW SECURITY ARGUMENT
![Page 45: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/45.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
New Security ArgumentI Let σ = (b,A,R) be the forgery produced by A on (id, m).
U
E E
R1 F F
R2 R3
F: Event that A calls G(id,A, m) before H(R, id).
1. Problems with B1 addressed in R1
2. R2 covers the unaddressed adversarial strategy in B2
3. R3 same as the original reduction B2
![Page 46: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/46.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
New Security ArgumentI Let σ = (b,A,R) be the forgery produced by A on (id, m).
U
E E
R1 F F
R2 R3
F: Event that A calls G(id,A, m) before H(R, id).
1. Problems with B1 addressed in R1
2. R2 covers the unaddressed adversarial strategy in B2
3. R3 same as the original reduction B2
![Page 47: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/47.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
New Security ArgumentI Let σ = (b,A,R) be the forgery produced by A on (id, m).
U
E E
R1 F F
R2 R3
F: Event that A calls G(id,A, m) before H(R, id).
1. Problems with B1 addressed in R1
2. R2 covers the unaddressed adversarial strategy in B2
3. R3 same as the original reduction B2
![Page 48: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/48.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
Reduction R1
CDLP
R1
DLP GG
OsOεHG
AGG
∆ = (G, g , p, gα)
α
mpk := (G, g , p, g z)
EU-CMA
σ = (g a, b, g r )
Q0I+1 Q0
γ σ0 = (g a, b = a + (α + c0z)d , gα)
Q01 Q0
2 G(id, g a, m)
Q1I+1 Q1
γ σ1 = (g a, b = a + (α + c1z)d , gα)
d
d
I Problem instance plugged in the randomiser R (as in B1)
I Coron’s technique used to assign target identities (instead ofguessing) – security degradation reduced to O (qε)
I Signature Query. Os(id,m) –I Toss a biased coin β
1. If β = 0, signature given with randomiser R containing gα
2. Else, R1 uses knowledge of msk to generate user private keyfor id and then computes signature using S
I General forking algorithm (FW ) used to solve DLP (as in B1)
![Page 49: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/49.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
Reduction R1
CDLP
R1
DLP GG
OsOεHG
AGG
∆ = (G, g , p, gα)
α
mpk := (G, g , p, g z)
EU-CMA
σ = (g a, b, g r )
Q0I+1 Q0
γ σ0 = (g a, b = a + (α + c0z)d , gα)
Q01 Q0
2 G(id, g a, m)
Q1I+1 Q1
γ σ1 = (g a, b = a + (α + c1z)d , gα)
d
d
I Problem instance plugged in the randomiser R (as in B1)
I Coron’s technique used to assign target identities (instead ofguessing) – security degradation reduced to O (qε)
I Signature Query. Os(id,m) –I Toss a biased coin β
1. If β = 0, signature given with randomiser R containing gα
2. Else, R1 uses knowledge of msk to generate user private keyfor id and then computes signature using S
I General forking algorithm (FW ) used to solve DLP (as in B1)
![Page 50: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/50.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
Reduction R1
CDLP
R1
DLP GG
OsOεHG
AGG
∆ = (G, g , p, gα)
α
mpk := (G, g , p, g z)
EU-CMA
σ = (g a, b, g r )
Q0I+1 Q0
γ σ0 = (g a, b = a + (α + c0z)d , gα)
Q01 Q0
2 G(id, g a, m)
Q1I+1 Q1
γ σ1 = (g a, b = a + (α + c1z)d , gα)
d
d
I Problem instance plugged in the randomiser R (as in B1)
I Coron’s technique used to assign target identities (instead ofguessing) – security degradation reduced to O (qε)
I Signature Query. Os(id,m) –I Toss a biased coin β
1. If β = 0, signature given with randomiser R containing gα
2. Else, R1 uses knowledge of msk to generate user private keyfor id and then computes signature using S
I General forking algorithm (FW ) used to solve DLP (as in B1)
![Page 51: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/51.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
Reduction R1
CDLP
R1
DLP GG
OsOεHG
AGG
∆ = (G, g , p, gα)
α
mpk := (G, g , p, g z)
EU-CMA
σ = (g a, b, g r )
Q0I+1 Q0
γ σ0 = (g a, b = a + (α + c0z)d , gα)
Q01 Q0
2 G(id, g a, m)
Q1I+1 Q1
γ σ1 = (g a, b = a + (α + c1z)d , gα)
d
d
I Problem instance plugged in the randomiser R (as in B1)
I Coron’s technique used to assign target identities (instead ofguessing) – security degradation reduced to O (qε)
I Signature Query. Os(id,m) –I Toss a biased coin β
1. If β = 0, signature given with randomiser R containing gα
2. Else, R1 uses knowledge of msk to generate user private keyfor id and then computes signature using S
I General forking algorithm (FW ) used to solve DLP (as in B1)
![Page 52: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/52.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
Reduction R1
CDLP
R1
DLP GG
OsOεHG
AGG
∆ = (G, g , p, gα)
α
mpk := (G, g , p, g z)
EU-CMA
σ = (g a, b, g r )
Problem instance plugged in the randomiser R (as in B1)
Coron’s technique used to assign target identities (instead ofguessing) – security degradation reduced to O (qε)
Signature Query. Os(id,m) –Toss a biased coin β
If β = 0, signature given with randomiser R containing gα
Else, R1 uses knowledge of msk to generate user private keyfor id and then computes signature using S
General forking algorithm (FW ) used to solve DLP (as in B1)
Q0I+1 Q0
γ σ0 = (g a, b = a + (α + c0z)d , gα)
Q01 Q0
2 G(id, g a, m)
Q1I+1 Q1
γ σ1 = (g a, b = a + (α + c1z)d , gα)
d
d
![Page 53: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/53.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
Reduction R2
CDLP
R2
DLP GG
OsOεHG
AGG
∆ = (G, g , p, gα)
α
mpk := (G, g , p, g z)
EU-CMA
σ = (g a, b, g r )
I Problem instance plugged in the public key pk (as in B2)
I Signature queries are handled as in B2
I However, Multiple-forking with n = 1 (MW ,1) used to solvethe DLP
I Hence, tighter than B2
![Page 54: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/54.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
Reduction R2
CDLP
R2
DLP GG
OsOεHG
AGG
∆ = (G, g , p, gα)
α
mpk := (G, g , p, g z)
EU-CMA
σ = (g a, b, g r )
Problem instance plugged in the public key pk (as in B2)
Signature queries are handled as in B2
However, Multiple-forking with n = 1 (MW ,1) used to solvethe DLP
Hence,tighter than B2
Q0I0+1 Q0
γ σ0 = (ga, b = a + (r + αc)d, g r )
Q01 Q0
2 G(id, ga, m) Q0J0+1 H(id, g r )
Q1I0+1 Q1
γ σ1 = (ga, b = a + (r + αc)d, g r )
d
c
c
![Page 55: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/55.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Galindo-Garcia IBS
New Security Argument
In a Nutshell
Reduction Success Prob. (≈) Forking Used
R1ε2
qGqεFW
R2ε2
(qH+qG)2 MW ,1
R3ε4
(qH+qG)6 MW ,3
![Page 56: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/56.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Conclusion and Future Work
Conclusion and Future Work
We revisited the Galindo-Garcia IBS security argument
I Analysed the original security proof; fixed ambiguities
I Provided an improved security proof
Future Work
I Replacing the ‘costly’ multiple-forking for even tighterreductions–dependent random oracles.
![Page 57: Galindo-Garcia Identity-Based Signature Revisited. fileGalindo-Garcia Identity-Based Signature Revisited. Table of contents Formal De nitions Public-Key Signature and Identity-Based](https://reader034.vdocuments.us/reader034/viewer/2022050715/5e0f1b765168353d67064aa9/html5/thumbnails/57.jpg)
Galindo-Garcia Identity-Based Signature Revisited.
Conclusion and Future Work
THANK YOU!