Upload
kiora
View
59
Download
1
Tags:
Embed Size (px)
DESCRIPTION
An Efficient Strong Key-Insulated Signature Scheme and Its Application. 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake 1 , Goichiro Hanaoka 2 , and Kazuto Ogawa 1 1 Japan Broadcasting Corporation - PowerPoint PPT Presentation
Citation preview
1
An Efficient Strong Key-Insulated Signature Scheme and Its Application
5th European PKI WorkshopJune 16-17, 2008
NTNU, Trondheim, Norway
Go Ohtake1, Goichiro Hanaoka2, and Kazuto Ogawa1
1Japan Broadcasting Corporation2National Institute of Advanced Industrial Science and Technology
2
Motivation
3
Background
“Key exposure” is a critical problem !! Even if a “secure” signature scheme is used,
key leakage results in impersonation of the user.
more critical for
bidirectional broadcasting services !!
4
Bidirectional broadcasting service
Signed Request
Personal information
Broadcaster
network Smart card
User
Verification keySigning key
e.g. TV shopping, Quiz program, etc.
Service property:
Real-time service
5
Problem for signing key leakage
Signed Request
Personal information
Broadcaster
network Smart card
User
Verification keySigning key
key leakage
Adversary
Signed Request
Personal information
Key update
Critical damage !!Broadcaster =
6
Problem for key update in bidirectional broadcasting service PKI cannot be applied directly.
Smart card
Smart card
Smart card
Smart card
network
User 1
User 2
User 3
User n
Broadcaster
・・・Signing key Verification key
CRLCRLCRL
CRL
Verification key
Verification key
Verification key
Verification key
update
CA
Heavy load !!
Real-time servicecannot be offered !!
7
Solution
Strong key-insulated signature (KIS) scheme
Smart card
Smart card
Smart card
Smart card
network
User 1
User 2
User 3
User n
Broadcaster
・・・
Verification key
Verification key
Verification key
Verification key
Signing key
update
Verification keydoes NOT have to be updated.
No CRL!!
No redistributionof verification key !!
8
Motivation
In bidirectional broadcasting service, … Signature size is required as short as possible
Multiple copies of signed message are individually transmitted to users.
Conventional strong KIS scheme not efficient !!
Our targetDesign an efficient strong KIS schemewith a significantly short signature size
9
Related works
10
Adversary
Key-insulated signature (KIS) scheme
Proposed by Dodis, Katz, Xu, Yung in 2003 [DKXY03]
master key
[DKXY03] Y. Dodis, J. Katz, S. Xu, and M. Yung : “Strong Key-Insulated Signature Schemes,'‘Proc. of PKC’03. (2003)
Signer Verifier
message+ signature with time stamp
old signing key
update signing key
time stamp
partial key
verification key
verify signature
reject
secure againstsigning key leakage
secure device
11
Adversary
Strong KIS scheme
Proposed by Dodis, Katz, Xu, Yung in 2003 [DKXY03]
master key
[DKXY03] Y. Dodis, J. Katz, S. Xu, and M. Yung : “Strong Key-Insulated Signature Schemes,'‘Proc. of PKC’03. (2003)
message+ signature with time stamp
old signing key
update signing key
time stamp
partial key
verification key
verify signature
secure device
reject
reject
secure againstsigning key leakage
ormaster key leakage
Signer Verifier
12
Our contribution
13
Performance
CB scheme GQ scheme Our scheme
Verification key size (bits) 320 1024 160Signature size (bits) 1120 1184 480
Computational cost (signing) 720 1776 240Computational cost (verification) 1440 1776 720
Security assumption DL RSA DL
CB scheme: Certificate-based strong KIS scheme using the Schnorr signaturesGQ scheme: strong KIS scheme based on the Guillou-Quisquater signature
14
Security
Our strong KIS scheme is secure We achieved the same level of security as
conventional strong KIS schemes.
Adversarymaster key leakage
valid
signing key leakage
or
Signer
15
Our construction
16
Basic concept of our KIS scheme
Efficient strong KIS scheme By extending Abe-Okamoto proxy signature
scheme [AO02] Efficient proxy signature scheme in terms of
verification cost and communication cost
[AO02] M.Abe and T.Okamoto : “Delegation Chains Secure up to Constant Length,'‘IEICE Trans. (2002)
Constructing an efficient strong KIS scheme from the Abe-Okamoto scheme is not a trivial exercise.
17
Why is it not a trivial exercise? (1)
Extend the KIS scheme to a strong KIS scheme without increasing the signature size. Conversion of proxy signature scheme to KIS scheme
Proposed by Malkin, Obana, Yung in 2004. [MOY04] The resulting KIS scheme is not a strong KIS scheme.
Conversion of (standard) KIS scheme to strong KIS scheme Proposed by Dodis, Katz, Xu, Yung in 2003. [DKXY03] Employs double signing: a signature with the master key and
a signature with the signer’s secret key not efficient
We must construct a scheme without the above conversions.[MOY04] T. Malkin, S. Obana, and M. Yung : “The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures,'‘ Proc. of Eurocrypt’04,. (2004)
18
Why is it not a trivial exercise? (2)
Extend the Abe-Okamoto scheme to a KIS scheme that provides adaptive security Not taken into consideration in the security
definition of [AO02]
We must address adaptive securitywith a formal security proof from scratch.
19
Our proposed KIS scheme (1)
'x
00
xy g
0 'x x x
'' xy g
Secure device Signer
, ' U qx x Z
0, , , , , , , , ,'PK q g Gy y H
master key: 0xverification key:
Gen: key generation algorithm
*
* *
PrimeGenerator
Hash function
: {0,1}
: {0,1} {0,1}
q
q q
q q q
qg
G Z
H Z
G
GG G
essential secret info.
20
Our proposed KIS scheme (2)
11
1
1
11
1
1 0
( , )mod
U q
r
T
r Z
gc Gx xc r
vv
q
0',x y0x
Upd*: partial key generation algorithm Upd: key-update algorithm
11, ,x v T
11
11
1 0
( , )cx
c G
g v y
Tv
?
Secure device Signer
time stamp
signing key for a time period T
1 'modTS x qK x
master keypartial key
Verifying partial key
Upd* Upd
21
Our proposed KIS scheme (3)
1( , , , )mod
ss
s
s U q
r
s
s s s T
r Z
gc H mv
v vc Kr q
TS
1, ,TSK v T
Sign: signing algorithm Vrfy: verifying algorithm
0 ',y y
1, , , ,s sm vc T
1
1
1/1
1
1 1 0
( , )
( , ( ( ') ) , , )s sccs
v
v
c G
y yvc m
T
H g T
?
Signer Verifier
signing keyVerifying signature
verification key
Sign Vrfy
time stamp
22
Remarkable properties of our scheme
A signer can update their signing key without updating verification key.
The signature size of our scheme is significantly short : 480 bits
23
Another feature of our scheme
Partial key verification The signer can verify whether the partial key
transmitted from the secure device is valid. If the secure device storing the master key is
completely reliable, … Partial key verification is unnecessary during the sig
ning key update. One of the verification keys can be , instead o
f and . 0y0: 'y y y
'y
Verification key size can be reduced by half.
0x
24
Security Analysis
25
Basic concept of Security definition (1)
KIS scheme
Adversary
valid
signing key
Broadcaster
26
Basic concept of Security definition (2)
Strong KIS scheme
Adversary
valid
master key
Broadcaster
27
Security definition of KIS scheme
*0,( )
SK SKExp
* *
* *, ,0 0* *
* *, ,
*0
( , ), ( )* *,
( ) : Pr[ ( , , ) 1|
( , , ) (1 , ),
( , , ) ( )]SK SK SK SK
A PK i m
k
i m
k m i
SK PK SK N
m i A PK
Sign Exp
Succ Vrfy
Gen
,i m
Adversary A
Signing oracle
PK
* ** *
,( , , )
i mm i
Forged signature
i
iSK
Random oracle
Key exposure oracle
m
( )H m
*0,( , )
SK SKSign
Success probability of signature forgery
*( , , , , ) : KIS scheme Gen Upd Upd Sign Vrfy
Security definition of KIS scheme
k: security parameterN: total number of time periods
A is allowed to submit a query to the key exposure oracle up to t times.If is negligible, is (t,N)-key-insulated.If is (N-1,N)-key-insulated, is perfectly key-insulated.
, ( )A kSucc
28
Security definition of strong KIS scheme
* *
* , 0* *
* *, ,
*0
( , )* * *,
( ) : Pr[ ( , , ) 1|
( , , ) (1 , ),
( , , ) ( , )]SK SK
B PK i m
k
i m
k m i
SK PK SK N
m i B PK SK
Sign
Succ Vrfy
Gen
,i m
Adversary B
Signing oracle
*,PK SK
* ** *
,( , , )
i mm i
Forged signature
Random oracle
m
( )H m
*0,( , )
SK SKSign
Success probability of signature forgery
*( , , , , ) : KIS( , ) sche- - met N key insulated Gen Upd Upd Sign Vrfy
Security definition of strong KIS scheme
k: security parameterN: total number of time periods
If is negligible, is strong (t,N)-key-insulated.If is strong (N-1,N)-key-insulated, is perfectly strong key-insulated.
, ( )B kSucc
master key
29
Overview of security proof
Step1: modified Schnorr signature scheme EUF-ACMA secure under DL assumption
Step2: our scheme key-insulated if the modified Schnorr signature sche
me is EUF-ACMA secure. Step3: our scheme
strong key-insulated if our scheme is key-insulated.
Our scheme is strong key-insulated
under DL assumption
30
Application
31
Bidirectional content distribution system(proposed by Ohtake, Hanaoka, Ogawa in 2006)
Network
Broadcaster User
Content server
Personalinformation management server
Key management server
master keySmart card
Terminal
Generatemaster keyverification keyinitial signing key
Update signing key
Generate partial key
Verify signature
Create signature
Our KIS scheme can be applicable.
32
Improved system based on our scheme
network
Content server
Personal information
management server
Key management server
Smart cardPK
Terminalmaster key x0 x’
Reduced damage due to master key leakage- Even if the master key x0 is leaked, the signing keycannot be updated without x’.
Efficient verification- Verification key size: 160 bits- Suitable for a smart card
Efficient signing- Signature size: 480 bits- Reduce the network cost for transmitting signed messages
Broadcaster User
33
Summary
34
Summary
Efficient strong KIS scheme Significantly short signature size: 480 bits Provably secure under DL assumption
The most suitable signature schemefor bidirectional broadcasting services
35
Thank you for your attention !!