Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen University of Dortmund, Germany Madhu Sudan Microsoft Research, Cambridge, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany
5848
Josef Pieprzyk Fangguo Zhang (Eds.)
Provable Security Third International Conference, ProvSec 2009 Guangzhou, China, November 11-13, 2009 Proceedings
13
Volume Editors Josef Pieprzyk Macquarie University Department of Computing Sydney, NSW 2109, Australia E-mail:
[email protected] Fangguo Zhang Sun Yat-Sen University School of Information Science and Technology Guangzhou, 510275, P.R.China E-mail:
[email protected]
Library of Congress Control Number: 2009934940 CR Subject Classification (1998): E.3, H.2.7, K.6.5, D.4.6, D.2.4, F.2.2, F.4.1 LNCS Sublibrary: SL 4 – Security and Cryptology ISSN ISBN-10 ISBN-13
0302-9743 3-642-04641-X Springer Berlin Heidelberg New York 978-3-642-04641-4 Springer Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © Springer-Verlag Berlin Heidelberg 2009 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 12764488 06/3180 543210
Preface
The third International Conference on Provable Security (ProvSec 2009) was held in Guangzhou, China, November 11-13, 2009. It continued the theme of Provable Security initiated by the ProvSec 2007 conference in Wollongong, Australia. The second ProvSec conference was organized in Shanghai, China. The conference was sponsored by the Center for Advanced Computing – Cryptography and Algorithms (ACAC), Macquarie University, Australia; Guangdong Key Laboratory of Information Security Technology, Sun Yat-sen University, China; and the National Natural Science Foundation of China (NSFC). Jiwu Huang was the General Chair and we, Josef Pieprzyk and Fangguo Zhang, were Program Co-chairs. The conference proceedings have been published by Springer in this volume of Lecture Notes in Computer Science. The Program Committee invited two distinguished researchers to deliver their keynote talks. The first speaker was Alex Dent from Royal Holloway, University of London. His talk was entitled “A Brief History of Security Models for Confidentiality”. The second speaker was Bogdan Warinschi from the University of Bristol, UK, who presented a talk on “Symbolic Methods for Provable Security”. We received 64 papers. Each paper was assigned to three referees. Papers submitted by the members of the Program Committee were assigned to five referees. In the first stage of the review process, the submitted papers were read and evaluated by the PC members and then in the second stage, the papers were scrutinized during an extensive discussion. Finally, the Program Committee chose 19 papers to be included in the conference program. The authors of the accepted papers had three weeks for revision and preparation of final versions. The revised papers were not subject to editorial review and the authors bear full responsibility for their contents. The submission and review process was supported by the Springer Online Conference Service. Many people contributed to the success of ProvSec 2009. First we would like to thank the authors of all papers (both accepted and rejected) for submitting their papers to the conference. Special thanks go to the members of the Program Committee and the external referees who gave their time, expertise and enthusiasm in order to ensure that each paper received a thorough and fair review. We are thankful to Vijayakrishnan Pasupathinathan for taking care of the OCS server. We extend our gratitude to all the people involved in organizing ProvSec 2009 from Guangdong Key Laboratory of Information Security Technology, in particular to Bo Zhang, Dong Wei, Lingling Xu, and Yamin Wen for their great efforts in making the conference run smoothly. November 2009
Josef Pieprzyk Fangguo Zhang
Third International Conference on Provable Security ProvSec 2009 November 11-13, Guangzhou, China Sponsored by Center for Advanced Computing – Cryptography and Algorithms Macquarie University, Australia Guangdong Key Laboratory of Information Security Technology Sun Yat-sen University, China The National Natural Science Foundation of China (NSFC)
General Chair Jiwu Huang
Sun Yat-sen University, China
Program Co-chairs Josef Pieprzyk Fangguo Zhang
Macquarie University, Australia Sun Yat-sen University, China
Program Committee Joonsang Baek Feng Bao Colin Boyd Xavier Boyen Lily Chen Kefei Chen Liqun Chen Serge Fehr Dengguo Feng Aggelos Kiayias Kwangjo Kim Marc Fischlin Fabien Laguillaumie Helger Lipmaa Yi Mu David Naccache Tatsuaki Okamoto Jacques Patarin Kenny Paterson Olivier Pereira
Institute for Infocomm Research, Singapore Institute for Infocomm Research, Singapore QUT, Australia Stanford University, USA NIST, USA Shanghai Jiaotong University, China Hewlett-Packard Laboratories, UK CWI, Netherlands Chinese Academy of Sciences, China University of Connecticut, USA KAIST, Korea Darmstadt University of Technology, Germany University of Caen, France University College London, UK University of Wollongong, Australia ENS, France NTT Labs, Japan Universit´e de Versailles, France Royal Holloway, UK UCL, Belgium
VIII
Organization
Dingyi Pei Raphael C.W. Phan Krzysztof Pietrzak Kouichi Sakurai Palash Sarkar Berry Schoenmakers Alice Silverberg Ron Steinfeld Willy Susilo Tsuyoshi Takagi Damien Vergnaud Jorge Villar Huaxiong Wang Duncan Wong Tzong-Chen Wu Shouhuai Xu Bo Yang Yunlei Zhao Yuliang Zheng
Guangzhou University, China Loughborough University, UK CWI, Netherlands Kyushu University, Japan Indian Statistical Institute, India TU Eindhoven, Netherlands University of California, Irvine, USA Macquarie University, Australia University of Wollongong, Australia Future University, Hakodate, Japan ENS, France Universitat Polit`ecnica de Catalunya, Spain Nanyang Technological University, Singapore City University of Hong Kong, China NTUST, Taiwan University of Texas at San Antonio, USA South China Agricultural University, China Fudan University, China University of North Carolina at Charlotte, USA
Publicity Chair Xiaofeng Chen
Xidian University, China
Organizing Committee Baodian Wei Haibo Tian Bo Zhang Lingling Xu Yamin Wen
Sun Sun Sun Sun Sun
Yat-sen Yat-sen Yat-sen Yat-sen Yat-sen
University, University, University, University, University,
China China China China China
Steering Committee Feng Bao Xavier Boyen Yi Mu Josef Pieprzyk Willy Susilo
Institute for Infocomm Research, Singapore Stanford University, USA University of Wollongong, Australia Macquarie University, Australia University of Wollongong, Australia
External Reviewers Au, Man Ho Bauer, Aurelie Canard, S´ebastien
Chen, Jianhong Dent, Alex Ding, Jintai
Galbraith, Steven Gorantla, Choudary Guo, Fuchun
Organization
Guo, Hua Groth, Jens Hohenberger, Susan Huang, Xinyi Jiang, Zhengtao Junod, Pascal Kiltz, Eike Li, Shengli
Liu, Joseph Long, Yu Minier, Marine Perlner, Ray R`afols, Carla Quaglia, Elizabeth Schr¨ oder, Dominique Stebila, Douglas
IX
Steinberger, John Turan, Meltem S¨ onmez Wang, Yongtao Weng, Jian Wu, Wei Yang, Guomin Zhang, Bin
Table of Contents
Invited Talks A Brief History of Security Models for Confidentiality . . . . . . . . . . . . . . . . Alexander W. Dent
1
Symbolic Methods for Provable Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bogdan Warinschi
2
Encryption Efficient Non-interactive Universally Composable String-Commitment Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ryo Nishimaki, Eiichiro Fujisaki, and Keisuke Tanaka
3
Spatial Encryption under Simpler Assumption . . . . . . . . . . . . . . . . . . . . . . . Muxin Zhou and Zhenfu Cao
19
Chosen-Ciphertext Secure RSA-Type Cryptosystems . . . . . . . . . . . . . . . . . Benoˆıt Chevallier-Mames and Marc Joye
32
Anonymous Conditional Proxy Re-encryption without Random Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Liming Fang, Willy Susilo, and Jiandong Wang Breaking and Fixing of an Identity Based Multi-signcryption Scheme . . . S. Sharmila Deva Selvi, S. Sree Vivek, and C. Pandu Rangan
47 61
Digital Signatures Identity-Based Verifiably Encrypted Signatures without Random Oracles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Lei Zhang, Qianhong Wu, and Bo Qin
76
How to Prove Security of a Signature with a Tighter Security Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Fuchun Guo, Yi Mu, and Willy Susilo
90
Twin Signature Schemes, Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sven Sch¨ age On the Insecurity of the Fiat-Shamir Signatures with Iterative Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Eiichiro Fujisaki, Ryo Nishimaki, and Keisuke Tanaka
104
118
XII
Table of Contents
Is the Notion of Divisible On-Line/Off-Line Signatures Stronger than On-Line/Off-Line Signatures? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Man Ho Au, Willy Susilo, and Yi Mu Anonymous Signatures Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Vishal Saraswat and Aaram Yun
129 140
Cryptographic Protocols An eCK-Secure Authenticated Key Exchange Protocol without Random Oracles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Daisuke Moriyama and Tatsuaki Okamoto
154
Password Authenticated Key Exchange Based on RSA in the Three-Party Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E. Dongna, Qingfeng Cheng, and Chuangui Ma
168
Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Berkant Ustaoglu
183
Zero-Knowledge Protocols for NTRU: Application to Identification and Proof of Plaintext Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Keita Xagawa and Keisuke Tanaka
198
Server-Controlled Identity-Based Authenticated Key Exchange . . . . . . . . Hua Guo, Yi Mu, Xiyong Zhang, and Zhoujun Li
214
Reductions and Privacy Oracle Separation in the Non-uniform Model . . . . . . . . . . . . . . . . . . . . . . . . Ahto Buldas, Sven Laur, and Margus Niitsoo
230
GUC-Secure Set-Intersection Computation . . . . . . . . . . . . . . . . . . . . . . . . . . Yuan Tian and Hao Zhang
245
Self-enforcing Private Inference Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Yanjiang Yang, Yingjiu Li, Jian Weng, Jianying Zhou, and Feng Bao
260
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
275
A Brief History of Security Models for Confidentiality Alexander W. Dent Information Security Group, Royal Holloway, University of London, U.K.
[email protected] Abstract. Despite the fact that industry continues to rate confidentiality protection as the least important security goal for a commercial organisation, the cryptographic community has a fascination with developing new encryption technologies. It often seems that the majority of advances in general cryptologic theory are a result of research designed to improve our ability to transmit messages confidentially. The development of security models are a good example of this phenomenon. The earliest attempts to produce cryptographic schemes with some provable security guarantees centred on encryption technologies (Shannon 1949; Rabin 1979). The modern security model for confidentiality dates back to the early eighties (Goldwasser–Micali 1982; Goldwasser– Micali 1984) when the notion of indistinguishability under chosen plaintext attacks (IND-CPA) was proposed. This was followed by the more advanced notions of IND-CCA1 security (Naor–Yung 1990) and IND-CCA2 security (Rackoff–Simon 1991) which are now so ubiquitous that they are often applied to new cryptographic primitives without thought. Many people have forgotten that the elegant notion of IND-CCA2 security is a simplification of the much more complex notion of semantic security. In this invited talk, we’ll consider the bedrock of cryptographic confidentiality: the notion of IND-CCA2 security. We’ll show by a series of examples that the simplifications that can be obtained in deriving the indistinguishability security notion from the semantic security notion for public key encryption can’t always be derived for other types of publickey cryptography. For example, – The IND-CCA2 model for public-key encryption only considers a single user (public key), whereas the security model for a signcryption scheme must consider multiple users. – The IND-CCA2 model for public-key encryption only considers attacks against a single (challenge) ciphertext, whereas the security model for deterministic encryption must consider attacks against multiple (challenge) ciphertexts. – The IND-CCA2 model for public-key encryption only considers an attacker that is trying to determine some information about a message of some known length, whereas some results in plaintext awareness require the attacker be unable to determine any information about a message of an unknown length. Our ultimate aim will be to define a general model and set of rules for deriving a security notion for confidentiality for an arbitrary public-key primitive. J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, p. 1, 2009. c Springer-Verlag Berlin Heidelberg 2009
Symbolic Methods for Provable Security Bogdan Warinschi Department of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol BS8 1UB, United Kingdom
[email protected]
Abstract. Rigorous proofs are notoriously difficult to produce and verify even for seemingly simple cryptographic tasks. As a result, many published papers contain proofs that are most of the time incomplete and ocasionally flawed. Arguably, this indicates that the provable security paradigm is heading towards an undesirable crisis of rigor. Significant research efforts are under way in order to correct this state of affairs. Examples, from the inside of the crypto community, include the works of Shoup, Bellare, and Rogaway on game playing techniques and Shai Halevi manifesto for machine assisted cryptographic proofs. Further inspiration comes from the outside of the crypto community. Symbolic methods and techniques commonly used in the areas of programming languages, language-based security, and logics have recently been employed to create general frameworks for computational security analysis. The goal of this talk is to highlight the important role that symbolic methods could/should play within the general direction of provable security. I will present some of the existent results, exciting opportunities, and future challenges that stem from bringing together two research directions that for more than twenty years have developed largely indpendently.
J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, p. 2, 2009.
Efficient Non-interactive Universally Composable String-Commitment Schemes Ryo Nishimaki1,2 , Eiichiro Fujisaki1 , and Keisuke Tanaka2 1
2
NTT, 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585 Japan {nishimaki.ryo,fujisaki.eiichiro}@lab.ntt.co.jp Department of Mathematical and Computing Sciences, Tokyo Institute of Technology, W8-55, 2-12-1 Ookayama, Meguro-ku, Tokyo, 152-8552, Japan
[email protected]
Abstract. The universal composability (UC) for commitment is a very strong security notion. It guarantees that commitment schemes remain secure even if they are composed with arbitrary protocols and polynomially many copies of the schemes are run concurrently. Several UC commitment schemes in the common reference string (CRS) model have been proposed, but, they are either interactive commitment or bit-commitment (not string-commitment) schemes. We propose new non-interactive string-commitment schemes that achieve UC security in the CRS model assuming the difficulty of the decisional Diffie-Hellman problem or the decisional composite residuosity problem, but our schemes are not reusable. The main building blocks of our constructions are all-but-one trapdoor functions (ABO-TDFs) introduced by Peikert and Waters in STOC 2008 to construct secure public-key encryption schemes. Our main idea is to use the homomorphic properties of the function indices of the all-but-one trapdoor functions and to extend the functions to probabilistic ones by using re-randomization of ciphertexts. This is a new application of ABO-TDFs. Keywords: universal composability, non-interactive string commitment, all-but-one trapdoor functions, homomorphism.
1 Introduction Commitment schemes are the digital analogues of envelopes. A sender provides a receiver with a sealed envelope that contains a message and later sends information for opening the sealed envelope. The notion of commitment is one of the most fundamental cryptographic primitives, such as public-key encryption (PKE) since it is an essential building block in many cryptographic protocols, such as zero-knowledge protocols [15]. 1.1 Background There are several security requirements for secure commitment schemes. If any unbounded (resp. computationally bounded) sender cannot change the message inside an envelope after sending the envelope, a commitment scheme is called statistically (resp. computationally) binding. If any computationally bounded (resp. unbounded) receiver J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 3–18, 2009. c Springer-Verlag Berlin Heidelberg 2009
4
R. Nishimaki, E. Fujisaki, and K. Tanaka
cannot learn about message m as long as the sender does not give the auxiliary information for opening the envelope, a commitment scheme is called computationally (resp. statistically) hiding. These two properties are basic security requirements [18] for secure commitment schemes in the stand-alone setting. These basic security notions were in the past thought to be sufficient. Dolev, Dwork, and Naor proposed a stronger security notion, non-malleability [14]. When an adversary sees a commitment to message m, it may be able to make a mauled commitment to another message m such that m and m have some relation, such as m = m + 1, without knowing m. Informally speaking, a commitment scheme is nonmalleable if any adversary cannot make such a mauled commitment in the man-in-themiddle setting, where an adversary is allowed to tap into the communication between a sender and a receiver and may change the content of the communication. However, even non-malleable commitment schemes are not sufficient when commitment schemes are run on today’s large network systems. In such a setting, a commitment scheme may be composed with arbitrary protocols and run concurrently. Universally composable (UC) commitment schemes [3, 5] remain secure even if polynomially many copies of the protocol are executed concurrently in an adversarially controlled manner. Universal composability is a very strong security requirement and implies non-malleability. We cannot construct UC commitment schemes in the plain model [5, 6], so we need set-up assumptions. We use a standard set-up assumption, the common reference string (CRS) model, where all parties have access to random strings that are guaranteed to be selected with a prescribed distribution by a trusted third party. Many existing UC commitment schemes are constructed in the CRS model [5, 7, 11, 12]. Constructing UC commitment schemes is very important since we can realize any UC-secure two- or multi-party computation if we obtain a UC commitment scheme [7]. 1.2 Our Contributions and Constructions We propose non-interactive universally composable commitment schemes that enable a committer to commit to a multi-bit string efficiently. Our constructions are based on all-but-one trapdoor functions (ABO-TDFs) (or equivalently lossy trapdoor functions) from the decisional Diffie-Hellman (DDH) problem [20] and the decisional composite residuosity (DCR) problem [22]. This is a new application of ABO-TDFs. ABO-TDFs were introduced by Peikert and Waters to construct PKE schemes secure against a chosen ciphertext attack (CCA PKE) [20]. Our scheme based on the DCR problem can enjoy the best redundancy ratio of a commitment to a message in the sense of communication complexity, among all the previously proposed schemes, regardless of interactive or non-interactive. Our Techniques. Here is an outline of our techniques. Loosely speaking, if a commitment scheme has two properties, called extractability and equivocality, it achieves UC security [7]. If we can extract contents of valid commitments by using trapdoors, a commitment scheme is extractable and, if we can make a fake commitment that opens to an arbitrary value later by using trapdoors, a commitment scheme is equivocal. In order to achieve these properties at the same time, we use ABO-TDFs. Each ABO-TDF is a
Efficient Non-interactive Universally Composable String-Commitment Schemes
5
trapdoor function with an extra input, called its branch. An ABO-TDF is an injective trapdoor function except for one special type of branch, called a lossy branch. If we use a lossy branch as a branch when we run an evaluation algorithm of an ABO-TDF, the output statistically loses information about the input. In this case, there are multiple input candidates for the output. That is, a simulator in the UC framework may be able to make an equivocal commitment by using trapdoors of ABO-TDFs and the lossy branch. On the other hand, if we do not use the lossy branch, the function is injective (statistically binding). That is, a simulator in the UC framework can extract the content of a valid commitment by using the trapdoors of ABO-TDFs. If we set the branches of an ABO-TDF as the verification keys of strong one-time signature schemes, any adversary in the UC framework cannot copy the verification key used by the simulator. If the simulator uses the verification key that was set as the lossy branch, a commitment generated by the simulator is equivocal and a commitment generated by the adversary is extractable. Therefore, we can achieve equivocality and extractability at the same time. However, we cannot use the original ABO-TDFs by Peikert and Waters directly since they are deterministic functions, meaning we cannot achieve equivocality. We convert them into probabilistic ones by using the homomorphic property of function indices. Function indices of ABO-TDFs consist of ciphertexts that are generated by a homomorphic encryption algorithm. Therefore, we can re-randomize ciphertexts by using their homomorphic properties and achieve equivocality. This conversion is reminiscent of the UC commitment scheme by Damgård and Nielsen [12] and is essential for our construction of UC commitment. 1.3 Related Works and Comparisons Several UC commitment schemes in the CRS model have been proposed, but none of them are both non-interactive and string commitment schemes. Canetti and Fischlin, and Canetti, Lindell, Ostrovsky, and Sahai constructed non-interactive UC commitment schemes in the CRS model, but they are bit-commitment schemes and inefficient since they are constructed from general primitives such as enhanced trapdoor permutations (eTDPs) or claw-free trapdoor function (CF-TDF) pairs [5, 7]. Both of their constructions use Ω(λ) bits to commit to one bit, where λ is the security parameter. Damgård and Nielsen, Damgård and Groth, and Camenish and Shoup constructed Table 1. Previous and our results in the CRS model
[5] [5] [7] [12] [11] [2] Ours
Bit/string bit bit bit string string string string
Interaction Reusability Assumptions non-interactive No eTDP non-interactive Yes CF-TDF pairs, CCA PKE non-interactive Yes eTDP, CCA PKE, PRC interactive Yes DCR (or p-subgroup) interactive Yes strong-RSA, DCR (or p-subgroup) interactive Yes DCR non-interactive No DCR (or DDH)
6
R. Nishimaki, E. Fujisaki, and K. Tanaka Table 2. Efficiency Comparison Communication [12] (DCR) (4s + 5)λ [11] (DCR) nmcom + 3(s + 1)λ sHVZK [2] P-com + v-enc + Πv-enc Ours (DCR) (s + 1)λ + + sig + |vk|
CRS length ≈ 17λ λ + (s + 1)λ · nparty ≈ 15λ |pknmcom | + λ ≈ 21λ |pkP-com | + |pkv-enc | ≈ 7λ (s + 1)λ + |h|
≈ (4nparty + 1)λ ≈ 5λ ≈ 9λ + |CRHF| ≈ 6λ
Round 3 3 3 1
efficient UC string-commitment schemes from number-theoretic problems, but they are interactive [2, 11, 12]. A comparison of our results and previous results is shown in Table 1. Reusability indicates whether a CRS can be reused polynomially many times or not. PRC means PKE with pseudorandom ciphertext. We propose the first efficient non-interactive UC string-commitment schemes from number-theoretic problems in the CRS model, but our schemes do not have reusability. An efficiency comparison of string-commitment schemes based on the DCR problem is shown in Table 2 (Let λ denote the security parameter). “Round” in the table means round-complexity, which is the number of interactions in the commit phase. The open phase is non-interactive in all protocols in the table. Our scheme is the most efficient since it is non-interactive. Parameters are as follows. Let s be an integer (public parameter of the Damgård-Jurik PKE [10]), nparty be the number of parties, nmcom (resp. |pknmcom |) be the length of the non-malleable commitment (resp. its public-key) based on strong-RSA [11], P-com (resp. |pkP-com |) be the length of Pedersen commitment (resp. its public-key) [19, 2], v-enc (resp. |pkv-enc |) be the ciphertext (resp. the sHVZK public-key) length of the verifiable encryption by Camenish and Shoup [2], Πv-enc be the transcript length of the proof (special honest-verifier zero-knowledge protocol) for the verifiable encryption, |CRHF| be a length of a collision resistant hash function, be a length of the committed string, sig be a signature length of a strong one-time signature, and |vk| be a verification key length of a strong one-time signature. We can set s = 3, = λ. In a work that was independent of ours, Zhu proposed a new UC commitment scheme based on the DDH problem over a squared composite modulus of the form N = pq at ISPEC’09 [23]. There are UC commitment schemes with other set-up assumptions or models [1,4,8, 16,17,21] (such as the key registration set-up [1], the generalized UC [4], and the angel model [21]), but we focus on regular UC commitment only in the CRS model and do not mention UC commitment schemes with other set-up assumptions or models.
2 Preliminaries 2.1 Notations and Conventions For any n ∈ N, let [n] be the set {1, . . . , n}. We write 0n for bit string 00 · · · 0 (n times). Let U denote the -bits uniform distribution and E[X] denote the expectation of random variable X.
Efficient Non-interactive Universally Composable String-Commitment Schemes
7
We describe probabilistic algorithms using standard notations and conventions. For probabilistic polynomial-time (PPT) algorithm A, A(x1 , x2 , ...; r) denotes the random R variable of A’s output on inputs x1 , x2 , ... and random coins r. We let y ← A(x1 , x2 , ...) denote that y is randomly selected from A(x1 , x2 , ...; r) according to its distribution. If S U is a finite set, then x ← S denotes that x is uniformly selected from S . If α is neither an algorithm nor a set, x ← α indicates that α is assigned to x. We say that function f : N → R is negligible in security parameter λ ∈ N if for every constant c ∈ N there exists kc ∈ N such that f (λ) < λ−c for any λ > kc . Hereafter, we use f < negl(λ) (or f < negl) to mean that f is negligible in λ. 2.2 Indistinguishability The statistical distance between two random variables X and Y over a countable set S is def defined as Δ(X, Y) = 12 α∈S | Pr[X = α] − Pr[X = α]|. Let X = {Xλ }λ∈I and Y = {Yλ }λ∈I denote two ensembles of random variables indexed by λ (where I is a countable set). Definition 1. We say that X and Y are statistically indistinguishable if Δ(Xλ , Yλ ) < negl. Definition 2. We say that X and Y are computationally indistinguishable if for every non-uniform PPT algorithm D, there exists negligible function negl such that for every λ ∈ I, |Pr[D(Xλ ) = 1] − Pr[D(Yλ ) = 1]| < negl. We write X ≈s Y (resp. X ≈c Y) to denote that X and Y are statistically (resp. computationally) indistinguishable. 2.3 Strongly Unforgeable Signature Schemes A signature scheme (Gen, Sign , Vrfy ) is said to be strongly unforgeable under a chosen message attack (sEUF-CMA) if the advantage of the following game is negligible. The R challenger first generates verification/signing key pair (vk, sk) ← Gen(1λ ) and gives vk to adversary A. Then, A chooses messages m ∈ M (where M is a fixed message R space) and queries them to its signing oracle, and it answers σ ← Signsk (m) to A. Then, A outputs (m , σ ) and wins the game if Vrfyvk (m , σ ) = 1 and (m , σ ) (m, σ). If A is allowed to query only one message (one-time chosen message attack), then it is said to be strongly unforgeable one-time signature (sEUF-OT). We often call it (strong) one-time signature in this paper. 2.4 Extracting Randomness Definition 3 (Pairwise Independent Hash Functions). A family of hash functions H = {hi : D → R} from domain D to range R is called pairwise independent if for every distinct x, x ∈ D and every y, y ∈ R, Pr U [h(x) = y ∧ h(x ) = y ] = 1/ |R|2 . h←H
The min-entropy of random variable X over domain S is defined as def H∞ (X) = − lg (maxs∈S Pr[X = s]). Peikert and Waters [20] used the notion of the average min-entropy as defined by Dodis, Ostrovsky, Reyzin, and Smith [13] to prove
8
R. Nishimaki, E. Fujisaki, and K. Tanaka
that their PKE scheme is secure since random variable X may be correlated with another variable Y whose value is known to adversaries in cryptographic settings. The average min-entropy is interpreted as the remaining unpredictability of X conditioned on the value of Y: def H∞ (X|Y) = − lg ( E [2−H∞ (X|Y=y) ]) = − lg ( E [max Pr[X = s]]). R
R
y←Y
y←Y
s∈S
Dodis, Ostrovsky, Reyzin, and Smith proved the following lemmas: Lemma 1 ( [13]). If Y takes at most 2r possible values and Z is any random variable, then H∞ (X|(Y, Z)) ≥ H∞ (X|Z) − r. Lemma 2 ( [13]). Let X and Y be random variables such that X ∈ {0, 1}n and H∞ (X|Y) ≥ k. Let H be a family of pairwise independent hash functions from {0, 1}n to {0, 1} . Then U for h ← H , we have Δ((Y, h, h(X)), (Y, h, U)) ≤ as long as ≤ k − 2 lg (1/ ). 2.5 Universal Composability We use the standard universal composability framework by Canetti [3] (with static or adaptive corruption of the parties). We consider the real world, the ideal world, and PPT environment Z, which tries to distinguish these two worlds. The Real World. In this world, there is adversary A and protocol π realizes functionality among some parties. Let REALπ,A,Z denote the ensemble of random variables when environment Z interacts with adversary A and parties P1 , ..., Pn running protocol π. The Ideal World. In this world, there are simulator (ideal adversary) S that simulates the real world, ideal functionality F , and dummy parties. Let IDEALF ,S,Z denote the ensemble of random variables when environment Z interacts with simulator S and ideal functionality F . Definition 4. Let F be an ideal functionality. We say that protocol π securely realizes F if for any adversary A there exists simulator S, such that for any environment Z, we have IDEALF ,S,Z ≈c REALπ,A,Z where A, S and Z are PPT interactive Turing machines. That is, ∀A, ∃S, ∀Z, Pr[Z(IDEAL ) = 1] − Pr[Z(REAL ) = 1] < negl. F ,S,Z
π,A,Z
We use the standard ideal functionalities proposed by Canetti [3]. We present the commitment functionality, FCOM in Fig. 1. In the UC framework, we consider the CRS model as an FCRS -hybrid model. See the paper of Canetti [3] for details of the UC framework, FCRS , and F -hybrid models. Intuitively, in order to achieve UC commitment (in the CRS model with adaptive corruption), a commitment scheme must satisfy the following two properties. Polynomial Equivocality. Simulator S must be able to make polynomially many fake commitments using the same CRS. That is, S can open to any string and give consistent randomness to adversary A. If S can make only one fake commitment, we call this property one-time equivocality.
Efficient Non-interactive Universally Composable String-Commitment Schemes
9
Functionality FCOM FCOM interacts with sender S and receiver R. 1. Upon receiving input (Commit, sid, m) from S, verify that sid = (S, R, sid ) for R, else ignore the input. Next, record m and generate public delayed output (Receipt, sid) to R. Once m is recorded, ignore any subsequent Commit inputs. 2. Upon receiving input (Open, sid) from S, proceed as follows: if there is recorded value m then generate public delayed output (Open, sid, m) to R. Otherwise, do nothing. 3. Upon receiving message (Corrupt-sender, sid) from the adversary, send m to the adversary. Furthermore, if the adversary now provides value m and the Receipt output was not yet written on R’s tape, change the recorded value to m . Fig. 1. Commitment functionality FCOM
Simulation Extractability. Simulator S must be able to extract the contents of any valid commitment generated by adversary A, even after A obtains polynomially many fake (equivocal) commitments generated by S. If A obtains only one fake commitment and S can do an extraction, we call this property one-time extractability. Of course, real honest parties cannot do such things. If multiple commitment (or open) operations use the same CRS in a protocol, we use an extension of FCOM that handles multiple commitment (or open) requests. This is called multi-session extension functionality FCOM [9] (or FMCOM [5]). For efficiency, we want to reuse the same CRS when multiple commitment requests occur. If we construct a protocol which realizes multi-session extension functionality FCOM , we achieve reusability [9]. A commitment scheme is said to be reusable if multiple commitment operations can use the same CRS. If a commitment scheme satisfies one-time equivocality and one-time extractability, it securely realizes single session functionality FCOM (cannot reuse the same CRS). We consider FCOM only since our schemes are not reusable. 2.6 All-But-One Trapdoor Functions Peikert and Waters proposed very useful and elegant cryptographic primitives: all-butone trapdoor functions (and lossy trapdoor functions) [20]. Definition 5 (All-But-One Trapdoor Functions [20]). Let λ be a security parameter. Let n(λ) denote the input length of the function and k(λ) the lossiness of the collection def (we omit λ hereafter). Let r = n − k be the residual leakage. In a collection of allbut-one trapdoor functions (ABO-TDFs), each function has several branches. Let B = {Bλ }λ∈N be a collection of sets whose elements are branches. A collection of (n, k)-allbut-one trapdoor functions with branch collection B consists of three polynomial-time algorithms (S abo , Gabo , G−1 abo ) having the following properties.
10
R. Nishimaki, E. Fujisaki, and K. Tanaka
Sampling a Trapdoor Function with given Lossy Branch. For any b∗ ∈ Bλ , algorithm S abo (1λ , b∗ ) outputs (ι, τ) where ι is a function index and τ is its trapdoor, that is, R (ι, τ) ← S abo (1λ , b∗ ). Injective Branch and Lossy Branch. For any b ∈ Bλ where b b∗ , algorithm Gabo (ι, b, ·) computes an injective function gι,b (·) over the domain {0, 1}n −1 ∗ ∗ and G−1 abo (τ, b, ·) computes gι,b (·). Algorithm G abo (ι, b , ·) computes function gι,b (·) over the domain {0, 1}n whose image size is at most 2r = 2n−k . Hidden Lossy Branch. For any b∗0 , b∗1 ∈ Bλ , it holds that ι0 ≈c ι1 (even if the adversary gets branches b∗0 and b∗1 ), where (ιi , τi ) ← S abo (1λ , b∗i ) for i = 0, 1. R
A few constructions of ABO-TDFs are known, but we review only the construction based on the Damgård-Jurik PKE due to the limitation of space (and its simplicity). See [20] for other constructions. An ABO-TDF based on the Damgård-Jurik PKE (i.e., from DCR) was constructed by Rosen and Segev [22]. Let N = pq be an (λ-bits) RSA modulus, where p and q are odd primes and gcd(N, φ(N)) = 1. Let φ denote Euler’s φ function and s ≥ 1 be an integer. For such N, group Z∗N s+1 as a multiplicative group is direct product G × H, where G is cyclic of order N s and H is isomorphic to Z∗N . In the Damgård-Jurik PKE, let publickey pk = (N, s), secret-key sk = lcm(p − 1, q − 1), and ciphertext c = Enc pk (m; r) = (1 + N)m r N mod N s+1 for m ∈ ZN s and r ← Z∗N . The decryption can be done by using the secret key. See [10, 22] for more details. It is confirmed that Enc pk (m1 ; r1 ) · Enc pk (m2 , r2 ) = Enc pk (m1 + m2 ; r1 · r2 ) by simple calculation. The algorithms of ABO-TDF from DCR are as follows. s
U
Sampling an ABO Function. Algorithm S abo (1λ , b∗ ) selects λ-bits RSA modulus N = pq and integer s ≥ 1. We need s ≥ 3 for meaningful lossiness (lossiness k = λs/2 − (λ + 1)). Function index ι consists of (pk, γ), where pk = (N, s) and U ∗ s γ = (1 + N)−b r N mod N s+1 = Enc pk (−b∗ ; r) for r ← Z∗N . Trapdoor τ consists of lossy branch b∗ , secret key lcm(p − 1, q − 1) and randomness r. x Evaluation. For input (ι, b, x), the output is y = Gabo (ι, b, x) = γ · (1 + N)b = x Enc pk (−b∗ ; r) · Enc pk (b; 1) . That is, y = Enc pk ((b − b∗ )x; r x ). Inversion. For input (τ, y), the output is x ← Dec sk (y)/(b − b∗ ) when b − b∗ 0.
3 Adding Randomness to ABO-TDFs for Equivocality In this section, we introduce a randomization procedure to achieve equivocality. We need equivocality to achieve UC commitment as explained in Section 2.5. Original ABO-TDFs (constructed from homomorphic encryption schemes) are deterministic functions [20]. However, if the function indices of ABO-TDFs consist of ciphertexts that have homomorphic properties, we can convert them to probabilistic functions even without knowing the trapdoors (we need only ciphertexts of 0). We need probabilistic ones to achieve equivocality (and UC commitment). The randomization technique introduced below is reminiscent of mixed commitment schemes introduced by Damgård and Nielsen [12]. In the Damgård-Jurik PKE, ciphertext re-randomization s is as follows: For r ∈ Z∗N , c · r N = Enc pk (m; r) · Encpk (0; r ) = Enc pk (m; r · r ). We can randomize output y of the evaluation algorithm.
Efficient Non-interactive Universally Composable String-Commitment Schemes
11
Randomization. For output y = Gabo (ι, b, x) and randomness r ← Z∗N , the randomU
def
ized output is Rand (y, r ) = y · Enc pk (0; r ) = Enc pk ((b − b∗ )x; r x · r ). Note that −1 Dec sk (Rand (y, r )) = Dec sk (y), that is, G−1 abo (τ, b, Rand (y, r )) = G abo (τ, b, y). For input x and randomness r , the evaluation and x randomization of ABO-TDFs are expressed as follows: Enc pk (−b∗ ; r) · Enc pk (b; 1) · Enc pk (0; r ). We can consider abstract expression below by using homomorphic encryption. Definition 6. A public-key encryption scheme (Gen, Enc , Dec ) is homomorphic if for R all λ and (pk, sk) ← Gen(1λ ), it is possible to define groups M pk , C pk , and R pk such that 1. Message space M pk is an abelian group written additively. Let 0M pk and 1M pk denote additive and multiplicative identities in M pk respectively. 2. Randomness space R pk is a group with group operator . Let 0R pk and 1R pk denote additive and multiplicative identities in R pk respectively. 3. Ciphertext space C pk is a group with group operator . 4. For every m1 , m2 ∈ M pk and r1 , r2 ∈ R pk , we have Enc pk (m1 , r1 ) Enc pk (m2 ; r2 ) = Enc pk (m1 + m2 ; r1 r2 ). We consider only additively homomorphic PKE schemes (but randomness space may be multiplicatively homomorphic as the Damgård-Jurik PKE [10]). x x def def For element c ∈ C pk (resp. r ∈ R pk ), c x = c · · · c (resp. r x = r · · · r). Let IR pk be additive or multiplicative identity in R pk , that is, 0R pk or 1R pk . Then, evaluation and randomization algorithms of ABO-TDFs constructed from additive homomorphic PKE schemes are expressed as follows: x The evaluation is ∗ Gabo (ι, b, x) = Enc pk (−b · 1M pk ; r) Enc pk (b · 1M pk ; IR pk ) and the randomization is Rand (Gabo (ι, b, x), r ) = Gabo (ι, b, x) Enc pk (0M pk ; r ) where index ι = pk, Enc pk (−b∗ · 1M pk ; r) . That is, Rand (Gabo (ι, b, x), r ) x = Enc pk (−b∗ · 1M pk ; r) Enc pk (b · 1M pk ; IR pk ) Enc pk (0M pk ; r ) x = Enc pk (b − b∗ ) · 1M pk ; r Enc pk (0M pk ; r ) = Enc pk ((b − b∗ ) · x; r x ) Enc pk (0M pk ; r ) =
Enc pk ((b − b∗ ) · x; r x r )
For ABO-TDFs based on (a variant of) ElGamal PKE, we can consider the same kind of abstract structure by using homomorphism, though we need to treat matrix encryption. See [20] for matrix encryption. We omit the details in the proceedings version due to the limitation of space. We think that the abstraction above is the essence of our UC commitment schemes. If b = b∗ (lossy branch), then Rand (Gabo (ι, b, x), r ) = Enc pk (0M ; r x r ). If we know x and r, we can choose input x and randomness r such that Enc pk (0M ; r x r ) = x x− x Enc pk (0M ; r r) by setting r = r r . This is used for the equivocation algorithm described in the next section.
12
R. Nishimaki, E. Fujisaki, and K. Tanaka
Remark 1. Adding randomness to ABO-TDFs does not kill the lossiness property of ABO-TDFs based on the Damgård-Jurik (and ElGamal) PKE, because the randomization does not change the randomness space Z∗N in the DCR-based construction (and Z p in the DDH-based construction) and the number of possible outputs is same as that of original DCR-based (and DDH-based) ABO-TDFs.
4 Construction and Security Proof We present our UC commitment schemes in this section. A function index of an ABOTDF and a pairwise independent hash function are used as CRSs. In the ideal world, simulator S knows a trapdoor of an ABO-TDF, randomness used in the sampling algorithm and a lossy branch since S can generate CRSs. Simulator S can set verification as a lossy branch ((vk, sk) is a verification/signing key pair). Therefore, if S uses key vk vk as a branch in a commit stage, the function statistically loses information about its input, i.e., every output of the function has many pre-images. Thus, S can make an equivocal commitment in this case. as a branch, the function does not However, if a party uses verification key vk vk lose any information about its input. Therefore, S can extract the input from the output of the function by using its trapdoor. In this section, (Gen, Sign, Vrfy ) denotes a strong one-time signature scheme. 4.1 Description of Our Commitment Scheme We describe our UC commitment scheme named UCC. CRS Generation. A function index of ABO-TDFs and a pairwise independent hash R function are the CRSs. Let crs ← (ι, h) be the CRSs, where (ι, τ) ← S abo (1λ , b∗ = vk
0 ), h ← H (H is a pairwise independent hash function family). In the ideal R R where (vk, sk) ← world, the simulator makes a fake CRS, (ι, τ) ← S abo (1λ , vk), λ is the lossy branch. Gen(1 ). That is, verification key vk R Commit. In order to commit m, generate (vk, sk) ← Gen(1λ ) and choose uniformly random u and v. The randomness space is according to an underlying cryptosystem. R Then, compute c1 = Rand (Gabo (ι, vk, u), v), c2 = h(u) ⊕ m, and σ ← Signsk (c1 , c2 ). Send com = (c1 , c2 , vk, σ) to the receiver. The receiver verifies that Vrfyvk ((c1 , c2 ), σ) = 1. If it is not valid, the receiver outputs ⊥. Open. Send (u, v, m) to the receiver. He verifies that c1 = Rand (Gabo (ι, vk, u), v) and c2 = h(u) ⊕ m. Extraction. Simulator S verifies that Vrfyvk ((c1 , c2 ), σ) = 1. If so, then S computes u ← G−1 abo (τ, vk, c1 ) and m ← h(u) ⊕ c2 by using τ. Else, output ⊥. Equivocation. In order to make a fake commitment, simulator S computes c 1 = U u), v (that is, uses the lossy branch), c 2 ← Rand Gabo (ι, vk, {0, 1} ( is the length U
R
of m), and σ ← Signsk c1 , c 2 ). In this case, c 1 consists of ciphertexts of 0 and ( the image size is very small, so a fake commitment is statistically indistinguishable from a real commitment (this will be proven formally in Section 4.2). Let
Efficient Non-interactive Universally Composable String-Commitment Schemes
13
com = ( c1 , c 2 , vk, σ) be the fake commitment. In order to open it to arbitrary m , first, S computes u such that c 2 = h( u) ⊕ m , i.e., u = h−1 ( c2 ⊕ m ). This computation can be done easily since h is a pairwise independent hash function. Value u is random since c 2 is uniformly distributed. Second, S computes v such that c 1 = EncN,s (0; ru · v) = EncN,s (0; r u · v), that is, v = ru− u · v (this is the DamgårdJurik PKE case). In this way, S can open com to arbitrary m by sending ( u, v, m ). Randomness r was used to generate the function index, so S knows this information. Note that u is one of the pre-images of c 1 , because no matter what input is given, c 1 consists of ciphertexts of 0 at the lossy branch (i.e., b = b∗ . See Section 2.6). Of course, honest parties and adversary A cannot execute the extraction and equivocation algorithms. In this scheme, simulator S can make a fake commitment only once and the verification key can be because the simulator needs to set the lossy branch vk the equivocation algorithm used only once. If the simulator sets the branch vki vk, does not work. 4.2 Security Proof of Our Scheme In this section, we show that UCC is a UC commitment scheme. Theorem 1. If the signature scheme is strongly unforgeable under a one-time chosen message attack, hash function family H is pairwise independent and the DCR (or DDH) problem is hard, then UCC securely realizes functionality FCOM (i.e., the single session version) in the FCRS -hybrid model. Proof. For any adversary A, we construct simulator S interacting with FCOM such that no environment Z can distinguish the ideal world with S and FCOM from the real world of scheme UCC with A. S starts by invoking a copy of A and simulates the interaction of A with Z and parties running the scheme. S proceeds as follows. Note that S and R mean a sender and a receiver respectively. Simulating the CRS. S prepares CRSs crs by sampling a function index of ABOTDFs, generating a key pair of a signature scheme, and choosing a pairwise indeR R U where (vk, sk) ← pendent hash function; (ι, τ) ← S abo (1λ , vk), Gen(1λ ), h ← H. Then, let crs ← (ι, h). When a party queries FCRS , return (CRS, sid, crs) to it. S knows trapdoor τ and randomness r used for S abo . Simulating the communication with Z. S writes every input value that it receives from Z into adversary A’s input tape. S copies every output value written by A on its output tape to S’s output tape. Simulating commit when S is uncorrupted (R may be corrupted). In the ideal world, if uncorrupted sender S is activated with (Commit, sid = (S, R, sid ), m) by Z and S passes the message to FCOM , S (who cannot know m but is informed about the commitment by receiving (Receipt, sid = (S, R, sid ))) simulates real sender σ u), v , S. That is, S sends com = ( c1 , c 2 , vk, ) to A, where c 1 = Rand Gabo (ι, vk, c 2 = υ where υ ← {0, 1} , σ = Signsk ( c1 , c 2 ). S also sends (Receipt, sid) from FCOM to R. If A corrupts S before delivering com to R and then modifies com U
14
R. Nishimaki, E. Fujisaki, and K. Tanaka
before delivering it, then S follows the instructions for a corrupted sender. If A corrupts S but does not modify the commitment, then S continues the simulation as above. Simulating open when S is uncorrupted (R may be corrupted). If uncorrupted sender S is activated with (Open, sid = (S, R, sid )) by Z and S has correctly committed to m, then S must have sent com on behalf of S in the black-box simulation of A at the commit stage. S now learns m from R via FCOM (S can obtain (Open, sid, m) from FCOM ) and opens com to m in the simulation of A by using the equivocal algorithm. Simulating corruption of parties. If A corrupts party P in the simulated interaction, S corrupts corresponding dummy party P in the ideal world and obtains all its unopened commitment values. S makes the internal state of P consistent with the values in the same way as above. Simulating commit when only S is corrupted. S sends (Corrupt-sender, sid) to FCOM . If simulated A (or Z) makes corrupted S send com∗ = (c∗1 , c∗2 , vk∗ , σ∗ ) to honest R in the simulated interaction, S must extract the committed value by A. S verifies the validity of signature σ∗ . If it is not valid, S ignores the messages. Otherwise, S runs the extraction algorithm by using τ, extracts m∗ and sends it to FCOM and Receipt response of FCOM to R. Simulating open when only S is corrupted. If A (a corrupted sender) sends open message (u∗ , v∗ , m∗ ) to uncorrupted receiver R in the simulated interaction, S verifies that (u∗ , v∗ , m∗ ) is a valid opening. If it is, S sends (Open, sid) to FCOM and sends the Open message from FCOM to R. Otherwise, S ignores the message. Simulating remaining cases. When both parties are corrupted, S simply runs A internally. In order to show that REALπ,A,Z ≈c IDEALF ,S,Z (here, π means UCC), we consider COM the following hybrid experiments with hybrid adversaries Hi (i = 1, 2, 3, 4) and their ensemble of random variables HYBiHi ,Z when environment Z interacts with Hi . HYB1H1 ,Z : The first hybrid experiment is the same as the real world experiment except
that hybrid adversary H1 aborts if adversary A sends valid commitment = vk∗ (not exact copy of a commitment generated (c∗1 , c∗2 , vk∗ , σ∗ ) such that vk by an honest sender). HYB2H2 ,Z : The second hybrid experiment is the same as the first one except that R R where (vk, sk) ← (ι, τ) ← S abo (1λ , vk) Gen(1λ ) in the CRS generation. HYB3H3 .Z : The third hybrid experiment is the same as the second one except that c 2 = υ U
where υ ← U . HYB4H4 .Z : The fourth hybrid experiment is the same as the ideal world experiment except that S does not extract m∗ . Instead, S sends 0 to dummy FCOM (in hybrid experiments, there is no FCOM ) if later A opens this commitment to m, then S patches dummy FCOM by inserting m in place of 0 . This can be done since this is a hybrid experiment and dummy FCOM is used. (Modifying FCOM in this way is illegal in the ideal world.)
Efficient Non-interactive Universally Composable String-Commitment Schemes
15
sk) is generated by Note that in these experiments, one-time signature key pair (vk, hybrid simulators and they use it as a branch when an honest party is required to make a commitment. Informal lemmas are as follows. It holds that REALπ,A,Z ≈c HYB1H1 ,Z ≈c HYB2H2 ,Z ≈s HYB3H3 ,Z ≈s HYB4H4 ,Z ≈s IDEALF ,S,Z by the following reasons. COM
REALπ,A,Z ≈c HYB1H1 ,Z holds by the strong unforgeability of the one-time signature
scheme.
HYB1H1 ,Z ≈c HYB2H2 ,Z holds by the computational indistinguishability of hidden lossy
branches.
HYB2H2 ,Z ≈s HYB3H3 ,Z holds by the statistical indistinguishability from the uniform
distribution. This follows from the generalized leftover hash lemma [13, 20].
HYB3H3 ,Z ≈s HYB4H4 ,Z holds since these are the same experiments expressed in two
different ways.
HYB4H4 ,Z ≈s IDEALF
,S,Z holds since these are the same experiments as long as adCOM versary A cannot validly open m even after A commits to m ( m ), that is, A cannot break the statistical binding property of (the ElGamal or the Damgård-Jurik) vk∗ holds, so the PKE. In these experiments, the ABO-TDF is injective since vk lemma follows.
From the sequences of indistinguishability above, the theorem follows. Formal lemmas and their proofs are as follows. Lemma 3. The environment’s views in REALπ,A,Z and HYB1H1 ,Z are computationally indistinguishable if the signature scheme is strongly unforgeable under a one-time chosen message attack. Proof. Let com = ( c1 , c 2 , vk, σ) be a commitment generated by an honest sender (or hybrid simulators in the name of the honest sender). We define event F as adversary A making valid commitment com∗ = (c∗1 , c∗2 , vk∗ , σ∗ ), such that com com∗ , We show that event F happens with negligible Vrfyvk∗ (c∗1 , c∗2 , σ∗ ) = 1, and vk∗ = vk. probability. The two views are identical as long as event F does not happen. Consider simulator H1 that attacks the signature scheme with a one-time chosen generated by Gen and simulates CRS generation message attack. H1 is given input vk vk
by setting crs ← (ι, h), where (ι, τ) ← S abo (1λ , 0 ) and h ← H. When Z asks an honest sender to make a commitment of message m, H 1 selects uniformly random u, v, u), v and c 2 = h(u) ⊕ m, queries its generates ( c1 , c 2 ), where c 1 = Rand Gabo (ι, vk, signing oracle on the message ( c1 , c 2 ), and obtains signature σ . Then, H1 lets com = ( c1 , c 2 , vk, σ) and sends it to A. Note that in these hybrid experiments, hybrid simulator H1 knows content m (unlike the ideal world). Upon receiving any commitment where σ∗ ) such that com com∗ = (c∗1 , c∗2 , vk∗ = vk, com∗ and Vrfyvk∗ (c∗1 , c∗2 , σ∗ ) = 1 from ∗ ∗ ∗ A, H1 outputs (c1 , c2 , σ ) as a forgery in the attack game of the signature scheme and sends error messages to the adversary. H1 simulates HYB1H1 ,Z perfectly to A (and environment Z). We show that event F happens if and only if H1 outputs a valid forgery. If F happens before Z asks an honest R
U
16
R. Nishimaki, E. Fujisaki, and K. Tanaka
party to make a commitment of m, then H1 makes a valid signature without queries to its signing oracle. This is a forgery. If F happens after Z asks an honest party to make a commitment of m, then we must have either ( c1 , c2 ) (c∗1 , c∗2 ) or σ σ∗ since ∗ ∗ ∗ ∗ com com . In either case, (c1 , c2 , σ ) is different from its single query ( c1 , c2 , σ) to the signing oracle. That is, it is a forgery. Since the signature scheme is strong one-time secure, event F happens with negligible probability. Thus, the lemma follows. Lemma 4. The environment’s views in HYB1H1 ,Z and HYB2H2 ,Z are computationally indistinguishable, assuming the hidden lossy branch property of the ABO-TDF collection. We show that Z’s views in HYB1H1 ,Z and HYB2H2 ,Z are computationally inR sk) ← distinguishable when signature key pair (vk, Gen is fixed. The lemma follows sk) since the distribution of (vk, sk) is identical by averaging over the choice of (vk, sk). We in these two experiments. Hereafter, in this proof of the lemma, fix any (vk, consider simulator H1/2 . H1/2 is given input (vk, sk) and ABO-TDF index ι which was R R vk vk generated as either (ι, τ) ← S abo (0 ) or (ι, τ) ← S abo (vk). That is, H1/2 sends (0 , vk) to the challenger as challenge lossy branches, then the challenger sends ι to H1/2 as the target function index. The output of H1/2 in the two experiments is computationally Proof.
vk
indistinguishable since the two inputs (index with branch 0 and index with branch are computationally indistinguishable. vk) The action of simulator H1/2 is as follows. H1/2 simulates CRS generation by set vk
ting crs ← (ι, h), where ι is the given input (ι where (ι, τ) ← S abo (0 ) or ι where R U and h ← (ι, τ) ← S abo (vk)) H . When Z asks an honest sender to make a commitment of u), v , c 2 = h(u)⊕m, message m, H1/2 generates ( c1 , c 2 , σ), where c 1 = Rand Gabo (ι, vk, and σ = Signsk ( c1 , c 2 ) (as in the first hybrid experiment, H1/2 knows content m). Then, H1/2 lets com = ( c1 , c 2 , vk, σ) and sends it to adversary A. If A makes valid commit∗ ∗ ∗ ∗ σ∗ ) such that com ment com = (c1 , c2 , vk = vk, com∗ and Vrfyvk∗ (c∗1 , c∗2 , σ∗ ) = 1, H2 aborts. vk R If H1/2 is given (ι, τ) ← S abo (0 ), its action is identical to H1 . If H1/2 is given R its action is identical to H2 . Therefore, the view generated by H1/2 (ι, τ) ← S abo (vk), R
vk
is identical to HYB1H1 ,Z when ι is generated by S abo (0 ) and is identical to HYB2H2 ,Z thus the lemma follows. when ι is generated by S abo (vk), Lemma 5. The environment’s views in HYB2H2 ,Z and HYB3H3 ,Z are statistically indistinguishable.
Proof. In this proof, we only consider the choice of hash function h and randomness u used by algorithm Gabo when generating commitment com because the focal point of this proof is the distribution of h(u). All other random coins are fixed. Note that randomness v does not affect the image size since it is used only for re-randomization. We show that the views in HYB2H2 ,Z and HYB3H3 ,Z are statistically indistinguishable when the coins are fixed. The lemma follows by averaging over the choice of the random coins.
Efficient Non-interactive Universally Composable String-Commitment Schemes
17
The only difference between the two experiments is whether c 2 = h(u) ⊕ m or c 2 = υ, U where υ ← U and com = ( c1 , c 2 , vk, σ) are generated by the hybrid simulator (in the ·), v is name of an honest sender). Randomized evaluation algorithm Rand Gabo (ι, vk, n−k is the lossy branch. Therefore, a lossy function with image size of at most 2 since vk random variable c1 = Rand Gabo (ι, vk, u), v can take at most 2n−k values. ∞ (u| We have H c1 , ι) ≥ H∞ (u|ι) − (n − k) = k by using Lemma 1,because randomness u is independent of index ι. Therefore, by Lemma 2 (X = u, Y = c1 , Z = ι), the hypothesis that ≤ k − 2 lg 1/ , and the definition of HYB2H2 ,Z and HYB3H3 ,Z , we have Δ(( c1 , h, h(u)), ( c1 , h, υ)) ≤ (λ), where υ ← U . That is, U
Δ(HYB2H2 ,Z , HYB3H3 ,Z ) ≤ (λ) = negl(λ). In HYB2H2 ,Z , we have c 2 = h(u) ⊕ m, while in HYB3H3 ,Z we have c 2 = υ, where υ ← U . It is easy to see that c 2 = υ is identically distributed to υ ⊕ m. The lemma follows. U
Lemma 6. The environment’s views in HYB3H3 ,Z and HYB4H4 ,Z are perfectly indistinguishable. Proof. This is trivial since these are the same two hybrid experiments expressed in two different ways. Lemma 7. The environment’s views in HYB4H4 ,Z and IDEALF ,S,Z are statistically COM indistinguishable. Proof. When adversary A (or environment Z) makes corrupted S send valid commitment com∗ = (c∗1 , c∗2 , vk∗ , σ∗ ) such that Vrfyvk∗ (c∗1 , c∗2 , σ∗ ) = 1, simulator S in the ideal world runs the extraction algorithm. Let m∗ be a message extracted from com∗ . In hybrid experiment HYB4H4 ,Z , A later may open commitment com∗ to m, that is, it sends (m, u, v). These two hybrid experiments are the same as long as A cannot validly open m such that m m∗ even after A commits to m∗ . When (m, u, v) is the valid opening of com∗ , c∗1 = Rand (Gabo (ι, vk∗ , u), v), c∗2 = vk∗ holds so h(u) ⊕ m, and Vrfyvk∗ (c∗1 , c∗2 , σ∗ ) = 1 holds. In these experiments, vk ∗ Rand (Gabo (ι, vk , u), v) is injective, that is, statistically binding. This means that com∗ uniquely determines value m. If a mismatch event m m∗ happens, then these two experiment are distinguishable, but this happens with negligible probability since the commitment is statistically binding as described above. The lemma follows.
References 1. Barak, B., Canetti, R., Nielsen, J.B., Pass, R.: Universally Composable Protocols with Relaxed Set-up Assumptions. In: FOCS 2004, pp. 186–195 (2004) 2. Camenisch, J., Shoup, V.: Practical Verifiable Encryption and Decryption of Discrete Logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003)
18
R. Nishimaki, E. Fujisaki, and K. Tanaka
3. Canetti, R.: Universally Composable Security: A New Paradigm for Cryptograpic Protocols. In: Cryptology ePrint Archive, Report 2000/067, Preliminary version appeared in FOCS 2001 (2005) 4. Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally Composable Security with Global Setup. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 61–85. Springer, Heidelberg (2007) 5. Canetti, R., Fischlin, M.: Universally Composable Commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001) 6. Canetti, R., Kushilevitz, E., Lindell, Y.: On the Limitations of Universally Composable TwoParty Computation Without Set-Up Assumptions. J. Cryptology 19(2), 135–167 (2006) 7. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally Composable Two-Party and Multi-Party Secure Computation. In: STOC 2002, pp. 494–503 (2002) 8. Canetti, R., Pass, R., Shelat, A.: Cryptography from Sunspots: How to Use an Imperfect Reference String. In: FOCS 2007, pp. 249–259 (2007) 9. Canetti, R., Rabin, T.: Universal Composition with Joint State. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 265–281. Springer, Heidelberg (2003) 10. Damgård, I., Jurik, M.: A Generalisation, a Simplification and Some Applications of Paillier’s Probabilistic Public-Key System. In: Kim, K.-c. (ed.) PKC 2001. LNCS, vol. 1992, pp. 125–140. Springer, Heidelberg (2001) 11. Damgård, I., Groth, J.: Non-interactive and Reusable Non-Malleable Commitment Schemes. In: STOC 2003, pp. 426–437 (2003) 12. Damgård, I., Nielsen, J.B.: Perfect Hiding and Perfect Binding Universally Composable Commitment Schemes with Constant Expansion Factor. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 581–596. Springer, Heidelberg (2002) 13. Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. SIAM J. Computing 38(1), 97–139 (2008) 14. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM J. Computing 30, 391–437 (2000) 15. Goldreich, O., Micali, S., Wigderson, A.: Proofs that Yield Nothing but their Validity, or All Languages in NP have Zero-Knowledge Proof Systems. Journal of the ACM 38(3), 691–729 (1991); Preliminary version appeared in FOCS 1986 16. Hofheinz, D., M¨uller-Quade, J.: Universally Composable Commitments Using Random Oracles. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 58–76. Springer, Heidelberg (2004) 17. Katz, J.: Universally Composable Multi-party Computation Using Tamper-Proof Hardware. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 115–128. Springer, Heidelberg (2007) 18. Naor, M.: Bit Commitment Using Pseudorandomness. J. Cryptology 4(2), 151–158 (1991) 19. Pedersen, T.P.: Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992) 20. Peikert, C., Waters, B.: Lossy Trapdoor Functions and Their Applications. In: STOC 2008, pp. 187–196 (2008) 21. Prabhakaran, M., Sahai, A.: New Notions of Security: Achieving Universal Composability without Trusted Setup. In: STOC 2004, pp. 242–251 (2004) 22. Rosen, A., Segev, G.: Efficient Lossy Trapdoor Functions based on the Composite Residuosity Assumption. In: Cryptology ePrint Archive, Report 2008/134 (2008) 23. Zhu, H.: New Constructions for Reusable, Non-erasure and Universally Composable Commitments. In: Bao, F., Li, H., Wang, G. (eds.) ISPEC 2009. LNCS, vol. 5451, pp. 102–111. Springer, Heidelberg (2009)
Spatial Encryption under Simpler Assumption Muxin Zhou and Zhenfu Cao Department of Computer Science and Engineering Shanghai Jiao Tong University
[email protected],
[email protected]
Abstract. Spatial encryption was first proposed by Boneh and Hamburg. They showed that many useful encryption systems can be derived from it. In this paper, we describe two variants of spatial encryption. First we present a scheme that can be proved to be secure under the decisional bilinear Diffie-Hellman assumption, which is much simpler than the BDHE assumption used by Boneh and Hamburg. However, as a compromise, our ciphertext size and private key size are larger. We also discuss some techniques to shrink the private key of this scheme in a real application. Finally, we provide a hybrid construction which allows an optimal tradeoff between efficiency and security.
1
Introduction
Identity-based encryption [15,5], or IBE for short, is a cryptographic primitive proposed by Shamir. In such a system, a message is encrypted under the recipient’s identity and only the user with the matching identity can successfully open the message. Recently, a new vision for identity based encryption [15,5] has appeared called Predicate Encryption [13]. In these settings, secret keys correspond to predicates and ciphertexts are associated with attributes; the secret key SKf , corresponding to a predicate f , can be used to decrypt a ciphertext associated with attribute I if and only if f (I) = 1. First in 2005, Sahai and Waters [14] proposed fuzzy IBE, in which they defined a measurement of similarity between two IDs. Decryption works if and only if the receiver’s identity is close enough to the targeted identity in the ciphertext. Their scheme can be easily extended to a new application called Attribute-Based Encryption (ABE) [11,16], in which the predicates are boolean functions. Boneh and Waters [8] proposed Hidden Vector Encryption (HVE), and Katz, Sahai and Waters [13] also constructed such a scheme for predicates corresponding to the evaluation of inner products. Both schemes have strong emphasis on anonymity. In 2008, Boneh and Hamburg developed a new general framework called generalized IBE (GIBE) [7], for constructing IBE systems with different properties. This framework is very close to Predicate Encryption [13], except that it incorporates delegation, an important property from hierarchical IBE [12,10]. A GIBE system allows a sender to encrypt a message under a certain policy, in some set P of all allowable policies. Users hold secret keys corresponding to J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 19–31, 2009. c Springer-Verlag Berlin Heidelberg 2009
20
M. Zhou and Z. Cao
roles. Roles are organized in a partially ordered set R, i.e., a set endowed with a reflexive, transitive, antisymmetric relation . Given the key Kρ1 , there is a delegation algorithm that can generate the key Kρ2 , as long as ρ1 ρ2 . For a role ρ ∈ R and a policy π ∈ P, we write open(ρ, π) if a user with a secret key for ρ is allowed to decrypt a message encrypted under π. We require this relation to be monotone, that is, if ρ ρ and open(ρ , π) then open(ρ, π). Also for simplicity, we require that R contains a top element , such that ρ for all ρ ∈ R, and open(, π) for all π ∈ P. Spacial encryption (SE) is proposed by Boneh and Hamburg [7] as an important instance of the GIBE framework. In a spatial encryption scheme, the policy set P are the points p of an n-dimensional space Znp , the role set R are all subspaces W of Znp ordered by inclusion and open(W, p) ⇔ p ∈ W . The construction proposed in their work is very efficient. The ciphertext size is always constant and the private key size grows with the complexity of the system. They reduce its security to decisional n-BDHE assumption, where n is the space dimension. Boneh et al show that many instances of GIBE can be derived from spatial encryption. Most important examples are hierarchical IBE, broadcast IBE, forward security schemes, etc. Our Contributions. We present two alternative constructions of spatial encryption. The first one can be proved to be secure under the decisional bilinear Diffie-Hellman assumption, which is much simpler than the underlying BDHE assumption used in Boneh and Hamburg’s construction. As a tradeoff, the size of a ciphertext in our scheme is no longer constant; instead, it is linearly dependent on the space dimension. One might notice that our scheme becomes very analogous to Boneh and Boyen’s HIBE [3] and its variants [1,2]. We also discuss two techniques for reducing the private key size. Unfortunately, the ciphertext size remains large. To shrink ciphertexts, we need a compromise with a strong assumption. We then construct a hybrid scheme that allows tradeoffs between efficiency and security. It is inspired by Boneh, Boyen and Goh’s construction of hybrid HIBE [4]. This scheme allows an additional parameter ω during setup. It’s a real number between 0 and 1. A smaller ω leads to efficiency, while a bigger one improves security. More precisely, the n-dimension hybrid scheme provides O(nω ) ciphertext, O(nω ) private key (plus rank of subspace), and is secure under the decisional (n1−ω )-BDHE assumption.
2
Preliminaries
Below, we recall the definition of spatial encryption and its security model. We also review the definition of bilinear maps and discuss the complexity assumptions on which the security of our systems rely. 2.1
Spatial Encryption
A spatial encryption system fits into the GIBE framework. Such a scheme consists of four randomized algorithms that run in polynomial time:
Spatial Encryption under Simpler Assumption
21
– Setup(λ, n) takes as input a security parameter λ and a space dimension n. It returns public parameters P P and a master secret key K . – Delegate(P P, W, KW , W ) takes the secret key KW for vector space W and outputs the secret key KW for W , where W ⊆ W . We require that the distribution of the private keys produced by Delegate() should be independent of the path taken. That is, if W1 ⊇ W2 ⊇ W3 , then Delegate(P P, W1 , KW1 , W3 ) should produce the same distribution as Delegate(P P, W2 , Delegate(P P, W1 , KW1 , W2 ), W3 ). – Encrypt(P P, v, m) encrypts a message m under a vector v. – Decrypt(P P, W, KW , v, c) uses a secret key KW to decrypt the ciphertext c under v. Decryption succeeds if and only if v ∈ W , so that Decrypt(P P, W, KW , v, Encrypt(P P, v, m)) = m holds true for all P P generated by Setup, for all vectors v and spaces W , and for all keys KW for W delegated directly or indirectly from K . 2.2
Security
We define chosen ciphertext security for spatial encryption system under a chosen vector attack by the following game between an adversary and a challenger. Setup: The challenger runs Setup(λ, n) and sends P P to the adversary. Phase I: The adversary makes delegation queries Wi to the challenger, which runs Delegate(P P, , K, Wi ) and returns KWi . The adversary may also make decryption queries (Wi , v i , ci ) to the challenger, where v i ∈ Wi . The challenger runs KWi ← Delegate(P P, , K, Wi ), then runs Decrypt(P P, Wi , KWi , v i , ci ) and returns the resulting mi (or ⊥ for failure). Challenge: The adversary outputs two messages m0 , m1 and a target vector v ∗ . We require that the adversary has not been given a decryption key for the target vector, that is, v ∗ ∈ Wi for all delegation queries Wi in phase I. The challenger chooses a random b ∈ {0, 1}, runs Encrypt(P P, v ∗ , mb ), and returns the resulting challenge ciphertext c∗ to the adversary. Phase II: The second query phase is exactly like the first one, except that the adversary may not issue decryption queries for c∗ or delegation queries for subspace that contains v ∗ . Guess: The adversary outputs a guess b ∈ {0, 1} and wins if b = b. We call an adversary A in the above game a IND-Vec-CCA adversary. We define the advantage of the adversary A in attacking a scheme E as 1 AdvE,A = Pr[b = b ] − 2 Definition 1. A spatial encryption system is (t, qd , qc , ) IND-Vec-CCA secure if all t-time IND-Vec-CCA adversaries making at most qd delegation queries and at most qc decryption queries have an advantage at most in winning the above game.
22
M. Zhou and Z. Cao
Canetti, Halevi and Katz [9] introduced a weaker notion of security in which the adversary chooses in advance v ∗ and sends it to the challenger before receiving the public parameters. Such an adversary is called a selective (IND-sVec-CCA) adversary. We can define IND-sVec-CCA security for spatial encryption analogically. We also define chosen plaintext security (CPA Security). In a CPA game, the adversary may not issue decryption queries at all. Definition 2. A spatial encryption system is (t, qd , ) IND-sVec-CPA secure if it is (t, qd , 0, ) IND-sVec-CCA secure. 2.3
Bilinear Maps
We review a few facts related to groups and bilinear maps. Let G and GT be two (multiplicative) cyclic groups of prime order p. Let g be a generator of G and e be a map, e : G × G → GT . e is a bilinear map when following properties hold. 1. Bilinearity: for all u, v ∈ G and a, b ∈ Zp , we have e(ua , v b ) = e(u, v)ab . 2. Non-degeneracy: e(g, g) = 1. We say that G is a bilinear group if the group action in G can be computed efficiently and there exists a group GT and an efficiently computable bilinear map e : G×G → GT as above. Note that the map e is symmetric since e(g a , g b ) = e(g, g)ab = e(g b , g a ). 2.4
Complexity Assumption
Let G be a bilinear group of prime order p. The Decisional BDH problem in G is defined as follows. Given g, g a , g b , g s ∈ G and Z ∈ GT , where a, b, s are randomly picked from Zp , one is asked to determine whether Z is equal to e(g, g)abs . An algorithm A has advantage in solving DBDH problem in G if Pr A(g, g a , g b , g s , e(g, g)abs ) = 0 − Pr[A(g, g a , g b , g s , R) = 0] ≥ where R is a random element in GT . We refer to the distribution on the left as PDBDH and the distribution on the right as RDBDH . Definition 3. The (t, )-DBDH assumption holds in G if no t-time algorithm has advantage at least in solving the DBDH problem in G. The decisional q-BDHE problem in G is defined as follows. Randomly pick i a, s ∈ Zp and g ∈ G. Denote g a as gi . Given a tuple t = (g, g1 , . . . , gq , gq+2 , . . . , g2q , g s ) ∈ G2q+1 and Z ∈ GT , one is asked to determine whether q+1 Z is equal to e(g, g)a s . An algorithm A has advantage in solving decisional q-BDHE problem in G if q+1 Pr A(t, e(g, g)a s ) = 0 − Pr[A(t, R) = 0] ≥ where R is a random element in GT . We refer to the distribution on the left as PBDHE and the distribution on the right as RBDHE .
Spatial Encryption under Simpler Assumption
23
Definition 4. The decisional (t, , q)-BDHE assumption holds in G if no t-time algorithm has advantage at least in solving the decisional q-BDHE problem in G.
3
Spatial Encryption with Security under DBDH
Now we present an n-dimension spatial encryption system that is IND-sVecCPA secure without random oracles under the decisional bilinear Diffie-Hellman assumption. This scheme can be viewed as a modified version of the Boneh et al’s origin scheme [7], under a simpler assumption (the origin scheme relies on decisional n-BDHE assumption [6]) but expanding ciphertexts. 3.1
Notation
For convenience, we will adopt some notations described below. – All vectors in this paper are always column vectors. For a matrix M ∈ Zn× , p we use Mi to denote the i-th column vector, and Mi,j to be the value in the j-th coordinate of the i-th column vector. – For a vector v = (v1 , v2 , . . . , vn ) ∈ Znp , we use g v to denote corresponding vector in G g v := (g v1 , g v2 , . . . , g vn ) ∈ Gn . – For vectors u, v ∈ Znp , we denote u, v as the dot product. – Given a matrix M ∈ Zn× and a vector v ∈ Znp , we write Sp(M, v) ⊆ Znp for p the subspace {M x + v : x ∈ Zp }. 3.2
Construction
Let G and GT be two groups of order p. Let e : G × G → GT be a bilinear map. Our spatial encryption system works as follows. Setup(λ, n): The algorithm generates p, G, GT , e according to the security parameter λ. It picks a random generator g ∈ G, random elements α, a ∈ Zp , b ∈ Znp , and publishes public parameters as P P = p, G, GT , e, g, g a , g b , e(g, g)α The master secret key is given by K = g α . Delegate(P P, W, W , KW ): A private key for a subspace W = Sp(M, v) where M ∈ Zn× has the form p
g α+av+b,r , g r , g aM r where r is randomly picked from Znp . It easily follows that any one can rerandomize his own secret key (k0 , kr , kM ) by choosing random vector r ∈ Znp and generating a new key
24
M. Zhou and Z. Cao
k0 · g av+b,r , kr · g r , kM · g aM r The algorithm takes W = Sp(M, v) and W = Sp(M , v ). Since W is a subspace of W , there exists T ∈ Z× and y ∈ Zp , such that M = M T and p v = v + M y. It computes the derived key as
ˆ W = g α+av+b,r · g ay M r , g r , g aT M r K
= g α+av +b,r , g r , g aM r and uses a random vector r ∈ Znp to re-randomize it. Encrypt(P P, v, m): To encrypt a message m ∈ GT under vector v, the sender chooses a random s ∈ Zp and computes the ciphertext as
m · e(g, g)αs , g s , g (av+b)s Decrypt(P P, KW , v, c): The receiver parses the ciphertext c which is encrypted under v as (c0 , c , c1 , . . . , cn ). It delegates KW to obtain the key Kv = (g α+av+b,r , g r ) as (k0 , k1 , . . . , kn ), then recovers plaintext by computing n n s(avi +bi )ri sα i=1 e(ci , ki ) i=1 e(g, g) c0 · = m · e(g, g) · = m. e(c , k0 ) e(g, g)sα+sav+b,r 3.3
Security Proof
Now we prove the security of our spatial encryption scheme under the standard decisional BDH assumption in G. Theorem 1. Suppose the (t, )-Decisional BDH assumption holds in G. Then the previously defined n-SE system is (t , qd , ) IND-sVec-CPA secure for arbitrary n, qd , and any t < t − O(nqd τ ) where τ is the time for an exponentiation in G. Proof. Suppose A is an adversary that breaks our system. We construct an algorithm B, that solves DBDH problem. The simulator B takes as input a DBDH challenge (g, g a , g b , g s , Z) where Z is either e(g, g)abs or a random element in GT . B proceeds as follow. Init: The adversary gives the simulator a vector v ∗ on which it intends to attack. Setup: The simulator B randomly picks α ∈ Zp , b ∈ Znp , and sets α = ab + α , b = −av ∗ + b . Obviously, B can efficiently compute all these public parameters, and they have a distribution identical to that in the actual construction. Then it sends the public parameters to A. Phase I: To respond to the delegation query for a subspace W = Sp(M, v), B randomly chooses r ∈ Znp and finds a vector u such that u M = 0 but v − v ∗ , u = 0. Since v ∗ ∈ W , i.e., v − v ∗ ∈ Span(M ), B can efficiently calculate the vector u mentioned above. Then it sets r=
bu + r v ∗ − v, u
Spatial Encryption under Simpler Assumption
25
Obviously, B can easily calculate g r . Now we observe that, for any vector w, we have aw, r =
abw, u + aw, r abw, u = ∗ + R(w) v ∗ − v, u v − v, u
The second term (without ab) can be easily calculated, and we denote it by R(w). Note that according to the choice of b, we can write av + b, r as av − v∗ , r + b , r. The simulator computes the first element of the private key as g α+av+b,r = g α+av−v
∗
,r+b ,r
∗
= g ab+α · g abv−v ,u/v ∗ = g α · g R(v−v ) · g b ,r
∗
−v,u+R(v−v ∗ )
· g b ,r
Moreover, since M u = 0, thus g aM r in the private key can be given as ∗ g aM r /v −v,u . As we can see here, the simulator can answer any delegation query as long as v ∗ ∈ W. Challenge: The adversary A sends two plaintexts m0 , m1 . B chooses a random bit μ ∈ {0, 1} and constructs challenge ciphertext c∗ as
mμ · Z · e(g α , g s ), g s , g sb . Obviously, if Z = e(g, g)abs then c∗ is a valid encryption of mμ under the vector v ∗ . Phase II: The simulator B continues to answer A’s delegation queries as above. Guess: The adversary finally outputs a guess μ of μ. If μ = μ, the simulator output 0 indicating Z = e(g, g)abs . Otherwise it outputs 1 meaning that Z = e(g, g)abs . When the input 5-tuple is sampled from PDBDH (where Z = e(g, g)abs ), then A’s view is identical to that in a real attack. Therefore A must satisfy |Pr[μ = μ ]− 12 | > . On the other hand, when the input 5-tuple is sampled from RDBDH (where Z is uniform in GT ), the challenge ciphertext c∗ is independent from the choice of μ in adversary’s view. Thus no adversary could have advantage in wining the game, that is, Pr[μ = μ ] = 12 . Therefore, we have Pr B(g, g a, g b , g s , e(g, g)abs ) = 0 − Pr B(g, g a , g b , g s , R) = 0 ≥ as required. This completes the proof. 3.4
Extensions
This construction suffers from large private keys and ciphertexts. In this section, we present two techniques to shrink the private keys. To reduce the size of ciphertexts we need a stronger security assumption. We will present such a hybrid scheme in Section 4.
26
M. Zhou and Z. Cao
Wildcards Support. When a user can choose an arbitrary value in some coordinate independently, we say that this user has full control of the coordinate. For example, in a 5-level hierarchical IBE system, a user Alice with identity (ID1 , ID2 ) can generate private keys for identities with her id as prefix. That is, she has the power to choose arbitrary values in the third, the fourth and the fifth coordinates. In the BH’s origin scheme, we have to associate her private key with (M, v) = ((e3 , e4 , e5 ), (ID1 , ID2 , 0, 0, 0)). In the new DBDH construction, we can simply omit M . Now the private key is associated with vector v like (ID1 , ID2 , ∗, ∗, ∗). Note that in our scheme, a user can simply neglect a coordinate when the corresponding item g r is absent. This provides a property we call “wildcards support”. The wildcards are denoted by a special symbol “∗”, just like the ones in the private key given above. One can notice that this scheme is very analogous to Boneh and Boyen’s HIBE [3]. The private key size grows with the depth of the user. The encryptor can also set wildcards in the target vector, indicating that the decryptor must have full control on the corresponding coordinate. Delegation and decryption still works as the basic construction. Merging g r . Again take the 5-level HIBE as example. The two items g r1 and g r2 in Alice’s private key can be merged. In other words, we can use a common g r{1,2} to replace them. Now suppose Alice wants to produce a private key for Bob whose identity is (ID1 , ID2 , ID3 , ID4 ). She chooses a new random element r{3,4} ∈ Zp and proceeds as before. The derived private key has only three group elements, rather than five in the basic scheme. The security proof still holds. But this technique somewhat conflicts with the definition of spatial encryption: private keys from different delegation paths may have different distributions. However, we can split it again by re-randomizing. In a practical system, this technique will raise some issues related to privacy, but never lead to weakness in security.
4
A Hybrid Scheme
In some practical scenarios, we may need a compromise between security and efficiency. For those requirements, we propose a hybrid spatial encryption scheme. It combines our spatial encryption scheme in the above section and BH’s origin scheme [7]. This hybrid scheme is inspired by Boneh, Boyen and Goh’s construction of hybrid HIBE [4]. The main idea is to partition all coordinates into small groups, and each fitted into a BDHE problem. To set up such a scheme, one must specify a real number w ∈ [0, 1]. Let n be the space dimension. The hybrid scheme can achieve O(nω ) ciphertexts, while is secure when the (n1−ω )-BDHE assumption holds. At one extreme, when ω = 0, the setting corresponds to the original efficient scheme proposed by Boneh et al; at another extreme, when we set ω to 1, the setting becomes the secure one we present in Section 3.2. First we introduce a new notation to partition vectors in Znp . Given a real number w ∈ [0, 1], let n1 = nω and n2 = n1−ω . We partition an n-dimension
Spatial Encryption under Simpler Assumption
27
vector into n1 vectors so that each is n2 -dimension as follows. Let v (1) denote the sub-vector (v1 , v2 , . . . , vn2 ) , v (2) denote the sub-vector (vn2 +1 , vn2 +2 , . . . , v2n2 ) , etc. That is, in a row vector form, v = ( v1 , . . . , vn2 , vn2 +1 , . . . , v2n2 , . . . , v(n1 −1)n2 +1 , . . . , vn1 n2 ) =( v(1) , v(2) , ..., v(n ) 1) Also, we denote the element v(i−1)n2 +j as v(i,j) . Since n ≤ n1 n2 , we may need to pad v(n1 ) with some zeros. We also apply this notation to matrixes. For example, M(1) denotes first n2 rows of M . Let G and GT be two groups of order p, where log p is approximately the security parameter λ. Let e : G × G → GT be a bilinear map. The hybrid scheme is described as follows. Setup(λ, n): The algorithm generates p, G, GT , e according to the security parameter λ. Pick a random generator g ∈ G, random elements α ∈ Zp , a ∈ Znp 2 , b ∈ Znp 1 , and publish public parameters as P P = p, G, GT , e, g, g a , g b , e(g, g)α The master secret key is given by K = (g α ). Delegate(P P, W, W , KW ): A private key for the subspace W = Sp(M, v) where M ∈ Zn× has the form p
n1 n1 g α+ i=1 ri (a,v(i) +bi ) , g r , g i=1 ri M(i) a where r is randomly picked from Znp 1 . The algorithm takes W = Sp(M, v) and W = Sp(M , v ). Since W is a subspace of W , there exists T ∈ Z× and y ∈ Zp , such that M = M T and p v = v + M y. Let
n1 n1 n1 ri (a,v (i) +bi ) ˆ W = g α+ i=1 K · g i=1 ri y M(i) a , g r , g i=1 ri T M(i) a
n1 n1 = g α+ i=1 ri (a,v(i) +(My)(i) +bi ) · g r , g i=1 ri (MT )(i) a
n1 n1 = g α+ i=1 ri (a,v(i) +bi ) , g r , g i=1 ri (M )(i) a and then a random r ∈ Znp 1 could be used to re-randomize it. Encrypt(P P, v, m): To encrypt a message m ∈ GT under vector v, the sender chooses a random s ∈ Zp and computes the ciphertext as
n1
m · e(g, g)αs , g s , g (a,v(i) +bi )s i=1
1 Decrypt(P P, KW , v, c): The receiver parses the ciphertext c as (c0 , c , {ci }ni=1 ). n1 α+ i=1 ri (a,v (i) +bi ) It first delegates KW to obtain the key K{v} = (g , gr ) 1 as (k0 , {ki }ni=1 ), then recovers plaintext by computing n1 e(ci , ki ) c0 · i=1 = m. e(c , k0 )
28
M. Zhou and Z. Cao
Remarks: To prove the security of the spatial encryption scheme under the DBDH assumption in Section 3, we split up the ciphertexts and the private keys into every coordinate. Instead of that, the hybrid scheme uses a more flexible strategy. A parameter ω which controls how fine those should be split is given in the setup algorithm. When we partition a vector into n1 groups of size n2 , a hybrid scheme achieves O(n1 +n2 ) public parameters, O(n1 + ) private keys and O(n1 ) ciphertexts, while its security can be reduced to the n2 -BDHE assumption. This enables users to adjust the proposed construction according to a concrete requirement in a practical environment. We also note that the sizes of groups may differ. In Boneh and Hamburg’s work [7], they present Product Scheme, which combines several GIBEs in one SE system. For example, email encryption in their work, combines a broadcast encryption system Eb (for PKGs) and a hierarchical IBE Eh (for users). Assume that each system takes up nb and nh dimensions to work. Then we can partition all coordinates into two groups, exactly of size nb and nh . In this way, we can shrink the PKG’s private keys to O(nb ) by utilizing wildcards (in Section 3.4) and slightly improve the security (from (nb + nh )-BDHE assumption to (max{nb , nh })-BDHE assumption). That is, by carefully investigating a real application, a hybrid scheme can achieve the optimal tradeoff between security and efficiency. Theorem 2. Let G be a bilinear group of prime order p. Consider a hybrid nSE system with compromise parameter ω. Suppose the decisional (t, , n1−ω )BDHE assumption holds in G, then the hybrid SE scheme is (t , qd , ) IND-sVecCPA secure for arbitrary qd and any t < t − O(τ nqd ) where τ is the maximum time for an exponentiation in G. The proof of this theorem is similar to that for the DBDH construction and is shown in Appendix A.
5
Conclusions
We present two variants of spatial encryption system. The first construction is a DBDH version of Boneh and Hamburg’s origin scheme. The security relies on the standard DBDH assumption, which is a simpler one than that used in origin construction. However, our private keys and ciphertexts are linearly dependent on the space dimension. The second one is a hybrid scheme, which finds a tradeoff between our basic construction and BH’s construction. It gives users the ability to adjust the proposed scheme according to the requirements of practical applications.
References 1. Abdalla, M., Catalano, D., Dent, A.W., Malone-Lee, J., Neven, G., Smart, N.P.: Identity-based encryption gone wild. In: Cryptology ePrint Archive, Report 2006/304 (2006), http://eprint.iacr.org/
Spatial Encryption under Simpler Assumption
29
2. Abdalla, M., Kiltz, E., Neven, G.: Generalized key delegation for hierarchical identity-based encryption. In: Biskup, J., L´ opez, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 139–154. Springer, Heidelberg (2007) 3. Boneh, D., Boyen, X.: Efficient selective-id secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004) 4. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005) 5. Boneh, D., Franklin, M.K.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001) 6. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005) 7. Boneh, D., Hamburg, M.: Generalized identity based and broadcast encryption schemes. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 455–470. Springer, Heidelberg (2008) 8. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007) 9. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: EUROCRYPT, pp. 255–271 (2003) 10. Gentry, C., Silverberg, A.: Hierarchical id-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002) 11. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for finegrained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006) 12. Horwitz, J., Lynn, B.: Toward hierarchical identity-based encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 466–481. Springer, Heidelberg (2002) 13. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008) 14. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005) 15. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) 16. Waters, B.: Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. Cryptology ePrint Archive, Report 2008/290 (2008), http://eprint.iacr.org/
A
Proof of Hybrid Construnction
We prove that the security of hybrid construction in Section 4 can be reduced to the decisional BDHE assumption. For convinience, we re-state the theorem.
30
M. Zhou and Z. Cao
Theorem 3. Let G be a bilinear group of prime order p. Consider a hybrid nSE system with all coordinates partitioned into n1 groups of size n2 . Suppose the decisional (t, , n2 )-BDHE assumption holds in G, then the hybrid SE scheme is (t , qd , ) IND-sVec-CPA secure for arbitrary qd and any t < t − O(τ nqd ) where τ is the maximum time for an exponentiation in G. Proof. Suppose A is an adversary that breaks our system. We construct an algorithm B, that solves the decisional n2 -BDHE problem. The simulator B takes as input a n2 -BDHE challenge t = (g, g1 , . . . , gn2 , gn2 +2 , . . . , g2n2 , g s ) and n2 +1 s Z where Z is either e(g, g)a or a random element in GT . B proceeds as follow. Init: The adversary gives the simulator a vector v ∗ on which it intends to attack. Setup: The simulator B randomly picks α ∈ Zp , a ∈ Znp 2 , b ∈ Znp 1 , and sets
n1 n2 ∗ α = an2 +1 + α , aj = aj + aj j=1 , bi = −a, v(i) + bi . i=1
We claim that B can efficiently compute all the public parameters, and they have a distribution identical to that in the actual construction, since each item has a “private chosen” variable. Phase I: To respond to a delegation query for a subspace W = Sp(M, v), B finds a vector u such that u M = 0 but v − v ∗ , u = 0. Since v ∗ ∈ W, ∗ i.e., v − v ∈ Span(M ), B can efficiently calculate the vector u mentioned above. Then it sets n1 n2 n2 −j+1 + ri j=1 u(i,j) a ri = v ∗ − v, u i=1
Znp 1 .
where r is randomly chosen from Obviously, g r can be efficiently calculated. Now we observe that, for any vector w ∈ Znp , we have ri a, w =
an2 +1 u(i) , w(i) + Ri (w) v ∗ − v, u
The items without an2 +1 in ri a, w are denoted as Ri (w). They can be easily calculated from (g, g1 , . . . , gn2 , gn2 +2 , . . . , g2n2 ). Note that according to the choice of b, we can write ri a, v (i) + ri bi as ri a, v (i) − v ∗(i) + ri bi . n1
Thus g i=1 ri (a,v(i) +bi ) contains a term of gn−1 , which will cancels out 2 +1 with the unknown term in g α . The simulator calculates as g α+
n1
= gα · g
i=1
ri (a,v(i) +bi )
n1
i=1
ri a,v(i) −v∗ (i)
= (gn2 +1 g α ) · g
n1
· g r,b
n2 +1 ∗ ∗ u(i) ,v (i) −v ∗ (i) /v −v,u+Ri (v−v )) i=1 (a
u,v−v ∗ /v∗ −v,u
= (gn2 +1 g α ) · (gn2 +1
= gα · g
n1
i=1
Ri (v−v ∗ )
· g r,b
g
n1
i=1
Ri (v−v ∗ )
) · g r,b
· g r,b
Spatial Encryption under Simpler Assumption n1
31
Moreover, since for k = 1, . . . , we have u, Mk = 0, g i=1 ri M(i) a can n1 be computed as {g i=1 Ri (Mk(i) ) }k=1 without knowing gn2 +1 directly. As we can see here, all three terms of the private key can be efficiently provided by the simulator as long as v ∗ ∈ W . Therefore, the simulator can answer any delegation query. Challenge: The adversary A sends two plaintexts m0 , m1 . B chooses a random bit μ ∈ {0, 1} and constructs challenge ciphertext c∗ as
mμ · Z · e(g α , g s ), g s , g sb . n2 +1
s Obviously, if Z = e(g, g)a then c∗ is a valid encryption of mμ under the ∗ vector v . Phase II: The simulator B continues to answer A’s delegation queries as Phase I. Guess: The adversary finally outputs a guess μ of μ. If μ = μ, the simulator n2 +1 s outputs 0 indicating Z = e(g, g)a . Otherwise it outputs 1 meaning that n2 +1 a s Z = e(g, g) .
When the input tuple is sampled from PBDHE , then A’s view is identical to that in a real attack. Therefore A must satisfy |Pr[μ = μ ] − 12 | > . On the other hand, when the input tuple is sampled from RBDHE , the challenge ciphertext c∗ is independent from the choice of μ in the adversary’s view. Thus no adversary could have an advantage in wining the game. That is, Pr[μ = μ ] = 12 . Therefore, we have Pr B(t, e(g, g)abs ) = 0 − Pr [B(t, R) = 0] ≥ as required. This completes the proof.
Chosen-Ciphertext Secure RSA-Type Cryptosystems Benoˆıt Chevallier-Mames1 and Marc Joye2 1
DCSSI, Laboratoire Crypto 51 Boulevard de la Tour Maubourg, 75700 Paris, France
[email protected] 2 Thomson R&D, Security Competence Center 1 avenue de Belle Fontaine, 35576 Cesson-S´evign´e Cedex, France
[email protected] http://joye.site88.net/
Abstract. This paper explains how to design fully secure RSA-type cryptosystems from schemes only secure against passive attacks, in the standard model. We rely on instance-independence assumptions, which, roughly speaking, conjecture that for certain problems, an interactive access to a solver for another problem does not help the challenger. Previously, instance-independence assumptions were used in a “negative” way, to prove that certain schemes proven in the random oracle model were not provable in the standard model. Our paradigm applies virtually to all (weakly secure) RSA-type encryption schemes for which public-key RSA exponent can be arbitrarily chosen. As an illustration, we present a chosen-ciphertext secure variant of the Naccache-Stern encryption scheme. Keywords: Chosen-ciphertext security, public-key encryption, standard model, RSA-based encryption schemes, instance-independence assumptions, one-time mappable chameleon hashing.
1 1.1
Introduction Chosen-Ciphertext Security
Building on the seminal work of Goldwasser and Micali [24], the commonly accepted security notion for public-key encryption is that of indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2, or IND-CCA for short) [39] (see also [32] for a weaker notion considering non-adaptive adversaries). To reach this security notion, there has been an extensive body of work on public-key encryption, a recent survey of which can be can be found in [17]. 1.2
Instance-Independence Assumptions
In [34,33], Paillier and Villar considered several assumptions in order to show that several RSA-based schemes were unprovable (under a black-box reduction) J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 32–46, 2009. c Springer-Verlag Berlin Heidelberg 2009
Chosen-Ciphertext Secure RSA-Type Cryptosystems
33
in the standard model while provably secure in the random oracle model. They refer to these assumptions as non-malleability assumptions, but to avoid any confusion with the classical notion of non-malleability of an encryption scheme (as proposed by Dolev, Dwork, and Naor [18]), we use the term of instanceindependence assumptions throughout this paper. Let P be a cryptographic problem. An access (possibly with certain restrictions on entries) to an oracle solving a problem Q may be a way to find more easily a solution to problem P. More precisely, the oracle solving Q is an interactive resource that is given to the adversary. For a pair (P, Q), the problem consisting in solving P with an access to a Q-solver oracle is called the (P, Q) assisted problem. Even if the problem Q is expected to be computationally hard (and thus, even if the Q-solver oracle gives a lot of extra power to the attacker), the (P, Q) assisted problem may remain hard. These are the cases that are considered in [34,33] (see also [23,28] for non-adaptive versions) and in this paper: The assumption that solving the (P, Q) assisted problem is only negligibly easier than solving the P problem is called the (P, Q) instance-independence assumption. The first example given in [34,33] is the assisted factorization: with an oracle solving factorization of n = n0 (with the restriction that n = 0 mod n0 for obvious reasons), it should remain hard to factor modulus n0 . Another example is the assisted e-th root computation: with an oracle returning e-th roots modulo n (for (e, n) = (e0 , n0 )) — where (e, n) is a possible output of some RSA key generator1 ), it should remain hard to compute an e0 -th root modulo n0 . Remark 1. We stress that instance-independence assumptions should not be confused with one-more assumptions. In a one-more-P problem, one is given access to two oracles, OGen and OSolve , and needs to solve (n + 1) independent instances of the P challenge (these challenges being given by OGen ), using at most n accesses to OSolve , which is an oracle that solves any chosen instance of problem P. Examples of one-more problems include the one-more RSA, the one-more DL and the one-more CDH [2]. The assisted (P, Q)-problems, which are supposedly as hard as their primitive problem P under instance-independence assumptions, are of different nature. Indeed, they consist in solving only one instance of the P-problem, using a possibly very large number of queries to an oracle solving the Q-problem. What makes these assisted problems non-trivial is the fact that, in contrast with onemore problems, the entries of the Q-problem solver are supposed to be “not too related” to the P-challenge (hence the name of instance-independence). As a consequence, assisted problems and one-more problems can hardly been linked or compared together. 1
For example, it should be supposed that n is not a multiple of n0 , or that e does not share common factors with e0 . Therefore, to hope to achieve the assumption, one may assume that e is prime, and that n has a certain fixed-length n .
34
B. Chevallier-Mames and M. Joye
1.3
Our Contributions
Instance-independence assumptions were used in [34,33] to prove that security proofs of several classical cryptosystems proven in the random oracle were impossible to achieve in the standard model, under a black-box reduction. On the contrary, this paper considers positive applications of instance-independence assumptions. Namely, we consider some simple and known IND-CPA primitives with certain properties (we refer to these primitives as public-key encryptions with ephemeral key), and show how to transform them into fully secure encryption schemes. We provide a proof that, under clearly defined instance-independence assumptions, the so-obtained schemes are as secure as their underlying primitives, in the standard model. Interestingly, RSA primitives we consider in this paper corresponds — under some instance-independence assumptions — to cryptographic objects named as adaptive one-way functions in [35]. Our primitives are more efficient than the general constructions given in [35] but, being specific, they rely on stronger assumptions. For the sake of illustration, we will present an application of our paradigm from the knapsack encryption scheme of Naccache and Stern [31]. Further applications of our paradigm can be found in the full version of this paper [11]. 1.4
Relation to IBE Technique
Our technique shares many common features with the identity-based construction in [5]. Very roughly, the idea behind the identity-based encryption (IBE) paradigm can be sum up as follows. For each new encryption, the user generates a fresh key pair (pk, sk) for a certain signature scheme, and encrypts a message by using an IND-ID-CPA secure IBE scheme (the result being noted c), using the public key pk as the identity in the IBE scheme. The resulting ciphertext is then made of pk, c, appended with a signature of c under private key sk. The IND-CCA security of the so-obtained encryption scheme is achieved since access to the decryption oracle is useless for an attacker: indeed, there is no way for this latter to gain information about the challenge from the oracle since it does not know the secret key sk∗ , and thus, cannot create ciphertexts corresponding to identity pk∗ of the challenge. The IND-ID-CPA security of the underlying IBE scheme suffices to conclude the proof2 . Our scheme uses in a way the same kind of strategy. Imagine one starts from an IND-CPA RSA-type encryption primitive, where additionally the user can decide the value of the public exponent e for each ciphertext (the public exponent being thus ephemeral ). If the user proves that it has generated e by himself (by exhibiting a proof of knowledge on something closely related to e), such an exponent would not be anymore reusable by an attacker, i.e., an attacker would not be able to submit to a decryption oracle a valid ciphertext with the ephemeral public exponent e∗ appearing in the challenge. In this way, we forbid the attacker to learn information from the decryption oracle in a way similar 2
We refer the reader to [9] for a more precise security proof.
Chosen-Ciphertext Secure RSA-Type Cryptosystems
35
to the IBE setting: the signature corresponding to public key pk makes that no valid ciphertext with same identity pk∗ as in the challenge can be queried. Unfortunately, there is an additional important issue to address in our setting: we have to provide the attacker with the decryption queries.. In the IBE setting, decryption queries are answered using the IND-ID-CPA security of the underlying identity-based encryption. In our context, the underlying IND-CPA RSA-type encryption primitive is insufficient. This is where instance-independence assumptions come into play in order to assume that our reduction has an access to an oracle answering decryption queries. One may finally remark that the [5] transformation has been modified by Kiltz in [25], who proposed an efficient conversion from a tag-based encryption to form a chosen-ciphertext secure encryption scheme. This transformation is more general than the IBE based one since any identity-based encryption scheme can be turned into a tag-encryption scheme. 1.5
Outline of the Paper
The rest of this paper is organized as follows. Section 2 reviews standard definitions and security notions for public-key encryption, as well as the paradigm of chameleon hashing. Section 3 introduces new cryptographic problems, and defines instance-independence assumptions. Section 4 describes our main construction, including a complete chosen-ciphertext secure scheme. Finally, Section 5 concludes the paper.
2
Preliminaries
In this section, we introduce some background on public-key encryption. We also review some ingredients that will be used in our constructions. 2.1
Public-Key Encryption
A public-key encryption scheme, E = (Gen, Enc, Dec), can be described as a tuple of probabilistic polynomial-time algorithms. By default, the message space is {0, 1}∗. Key Generation. Given a security parameter κ, Gen(1κ ) produces a pair (pk, sk) of matching public and private keys. Encryption. Given a message m in message space M and public key pk, Encpk (m) produces a ciphertext c ← Encpk (m). If x denotes the random coins used by Enc, we equivalently write c = Encpk (m, x). Decryption. Given a ciphertext c and private key sk, Decsk (c) returns a plaintext m or a special symbol ⊥ denoting that the ciphertext is invalid. We require that if c ← Encpk (m), then Decsk (c) returns m for all (pk, sk) ← Gen(1κ ) and messages drawn in the message space.
36
2.2
B. Chevallier-Mames and M. Joye
Security Notions for Encryption Schemes
Semantic security. The notion of semantic security (IND) [24], also known as indistinguishability of encryptions, captures a strong notion of privacy: The attacker should not learn any information whatsoever about a plaintext given its encryption. The adversary A = (A1 , A2 ) is said to (κ, ε, τ )-break IND when (pk, sk) ← Gen(1κ ), (m0 , m1 , s) ← A1 (pk), IND AdvE (A) = 2 × Pr − 1 ≥ ε , (1) b,x c ← Encpk (mb ) : A2 (m0 , m1 , s, c) = b where the probability is taken over the random coins of the experiment according to the distribution induced by Gen(1κ ) as well as the ones the adversary, where b ∈ {0, 1} and m0 , m1 ∈ M. A must run in at most τ steps and it is imposed that |m0 | = |m1 |. An encryption scheme is said to be semantically secure (or IND secure) if no probabilistic algorithm can (κ, ε, τ )-break IND for τ ≤ poly (κ) and ε ≥ 1/poly (κ). As we are in the public-key setting, it is worth noting that adversary A = (A1 , A2 ) is given the public-key pk and so can encrypt any message of its choice. In other words, the adversary can mount chosen-plaintext attacks (CPA). Hence, we write IND-CPA the security level offered by an IND-secure encryption scheme, emphasizing the fact that A has access to an encryption oracle (for free). Chosen-ciphertext attacks. IND-CPA security offers an adequate security level in the presence of a passive adversary. In a number of situations however (e.g., see [40]), this may reveal insufficient in the presence of a more powerful adversary that can do more than merely eavesdropping the exchanged messages. The “right” security level against active attacks is that of IND-CCA security, or security against chosen-ciphertext attacks [39,18] (see also [32]). The definition of the adversary’s advantage as given by Eq. (1) readily extends to the IND-CCA model but the adversary A = (A1 , A2 ) now is given an adaptive access to a decryption oracle to which it can submit any ciphertext of its choice with the exception that A2 may not query the decryption oracle on challenge ciphertext c. 2.3
Chameleon Hashing
Chameleon hash functions [26] (see also [7]) are hash functions associated with a pair (hk, tk) of hashing/trapdoor keys. The name chameleon refers to the ability of the owner of the trapdoor key to modify the input without changing the output. A chameleon hash function is defined by a triple of probabilistic polynomialtime algorithms (ChamGen, ChamHash, ChamColl). ChamGen, on input 1κ , produces a pair of hashing/trapdoor keys: (hk, tk) ← ChamGen(1κ ). Given a message m and a random string r, chameleon hash algorithm with hashing key hk ChamHashhk : {0, 1}∗ × {0, 1}∗ → {0, 1}∗, (m, r) → h = ChamHashhk (m, r)
Chosen-Ciphertext Secure RSA-Type Cryptosystems
37
generates a hash value ChamHashhk (m, r). Moreover, a chameleon hash function should satisfy the properties that (i) there exists no probabilistic polynomial-time algorithm that, on input random hashing key hk, can find two pairs of message/random string, (m1 , r1 ) and (m2 , r2 ) with m1 = m2 , such that the relation ChamHashhk (m1 , r1 ) = ChamHashhk (m2 , r2 ) is satisfied, except with negligible probability; (ii) on input trapdoor key tk, given (m1 , r1 , m2 ), algorithm ChamColl can find a string r2 = ChamColltk (m1 , r1 , m2 ) such that ChamHashhk (m1 , r1 ) = ChamHashhk (m2 , r2 ). (iii) all messages m induce (computationally) indistinguishable probability distributions on chameleon hash function ChamHashhk (m, r) for r chosen uniformly at random. Example 1. Consider the group G = g generated by an element g ∈ Z∗n , where n is an RSA modulus. Suppose that H : G → {0, 1}h is a second-preimage resistant hash function. It is easy to see that function Fv given by Fv : Z|G| × Z|G| → {0, 1}h , (m, r) → Fv (m, r) := H(g r v m mod n) is a chameleon hash function where hashing key is hk = {n, g, v} while trapdoor key is tk = {y}, with g y ≡ v (mod n). Given a triple (m1 , r1 , m2 ), a colliding value can be found using trapdoor key y as r2 = r1 + y(m1 − m2 ) mod |G|. Example 2. Suppose now that the order of G is unknown but that its order of magnitude is known: |G| ≈ 2g . We then restrict the range of messages in Fv to {0, 1}c and allow for larger random strings r ∈ {0, 1}g +c +2κ (where κ is some security parameter); trapdoor key y is chosen in {0, 1}g +κ3 . Since |G| is unknown, trapdoor key y cannot be recovered as y = (r2 − r1 )/(m1 − m2 ), as in Example 1. Two different colliding pairs (m1 , r1 ) and (m2 , r2 ) will only yield a multiple of |G|: L := (r1 − r2 ) + y(m1 − m2 ) ∝ |G| . For random strings r1 ← {0, 1}g +c +2κ , the statistical zero-knowledge property guarantees that L is non-zero with overwhelming probability (see e.g. [38]). Suppose further that n is a strong RSA modulus (i.e., n = (2p + 1)(2q + 1) for some primes p and q ) and that G is the set of quadratic residues modulo n. In this case, the value of 4L is a multiple of φ(n), which, using Miller’s algorithm [30], leads to the factorization of n.
3
Complexity Assumptions
3.1
Decision RSA Short Encrypted-Prime Problem
We start with the definition. 3
Such a setting is sufficient to ensure that the discrete logarithm of v in base g (i.e., y mod |G|) is statistically indistinguishable from a random integer modulo |G|.
38
B. Chevallier-Mames and M. Joye
Definition 1 (Decision RSA Short Encrypted-Prime Problem (D-RSASEP)). Let (e , n , k ) be security parameters. The challenger is given a triple (e0 , n0 , z0 ), where n0 is an n -bit RSA modulus, e0 is an e -bit random prime, and z0 ← Z∗n0 . Its goal is to decide whether or not z0 is of the form k e0 mod n0 , for some k ∈ Primes({2k −1 , 2k }). We have no proof that D-RSA-SEP problem is hard. Yet, we try to list some key points which are needed to assess its difficulty. We also relate it to other classical and close problems that appeared in the literature. First, parameter k is important, as it codes for the number of possible primes: there are around 2k /k primes of k bits. Thus, we want this latter quantity to be larger than the expected security limit of 2κ , where κ is the security parameter. For example, for a 112-bit security level, one needs k ≥ 119. Second, exponent e cannot be too small. Indeed, if e is too small, i.e., if e·k < n , the value k e mod n is actually equal to k e over the integers. Therefore, it is easy for the challenger to solve the D-RSA-SEP problem by computing e-th roots over the integers. The same holds true when e · k ≈ n as the challenger e can then first guess the quotient kn . Hence, typically, k = 119 and e = 3 is a bad setting. All in all, it is necessary for the problem to be hard that e · k n . Note that this is also imposed by Coppersmith’s algorithm [13]. It is very simple to see that D-RSA-SEP ⇐ RSA ⇐ FACT, where ⇐ denotes polynomial reductions. Apart from these easy reductions, we do not see any way to prove the relative security of the new problem we present. This may therefore be the subject of future research. RSA-type problems. We review below in this section some problems that were proposed in the literature, that are more or less related to D-RSA-SEP. Relationship with dependent-RSA problem. The dependent-RSA problem (DRSA) was introduced by Pointcheval in [37]: it was one of the first decisional RSAtype problems proposed in the literature. The idea consists in trying to mount an RSA equivalent of the ElGamal pair (g r , y r ). Notably, one of the proposed mode is the pair (re mod n, (r + 1)e mod n). The Dependent-RSA problem, in its computational version, is defined as computing (r +1)e mod n from (e, n, re mod n), while its decisional version consists in distinguishing (r + 1)e mod n from a random element in Z∗n , being given (e, n, re mod n). Essentially, Dependent-RSA and D-RSA-SEP problems feature in common that their hardness requires e to be large enough. Relationship with decisional small e-th residues problem. In [10], Catalano, Gennaro, Howgrave-Graham and Nguyen proposed the (computational/decisional) small e-th roots problem (DSeR being the notation of the decisional version). It arises from a variant of Paillier scheme they proposed. The decisional small e-roots problem is by definition to decide whether an input is of the form re mod n2 (with r ∈ Z∗n ) or not, being given (e, n).
Chosen-Ciphertext Secure RSA-Type Cryptosystems
39
This problem is close to D-RSA-SEP in the sense that it basically requires to distinguish small values raised to a power e (a small prime in D-RSA-SEP, an half-size integer in DSeR) from random values. Relationship with Micali-Schnorr pseudo-random bit generator. The pseudorandom bit generator designed by Micali and Schnorr [29] is based on the hypothesis that the distribution of k e mod n for random k -bit integers is indistinguishable from the distribution of elements of Z∗n . This is clearly an assumption that is very close to ours: in our case, we only added that the k that are considered are primes. 3.2
Instance-Independence Assumption
In [34,33], Paillier and Villar conjectured that the RSA(e0 , n0 ) problem (that is, the computation of e0 -th roots modulo n0 ) is not significantly simpler when one was given an interactive oracle returning e-th roots modulo n, for any pair (e, n) = (e0 , n0 ) of adversary’s choice. They refer to this kind of hypothesis as non-malleability assumptions, in the sense that an RSA challenge should not be transformed into another challenge, so that the oracle would help. To avoid confusion with the classical security notion of non-malleability [18], we rename in this paper the [34,33]-style assumptions as instance-independence assumptions. Intuitively, in this paper, we consider an instance-independence variant about the D-RSA-SEP problem, conjecturing that D-RSA-SEP(e0 , n0 ) is not significantly simpler when given an RSA(e, n) oracle, where we restrict even more the control of the adversary than in [34,33]: this latter can only have access to an oracle returning e-th roots modulo n0 , with e prime and where modulus is fixed to n0 . More formally, this gives the following definition. Definition 2 (Assisted Decision RSA Short Encrypted-Prime Problem (A-D-RSA-SEP)). Let (e , n , k ) be some security parameters. The challenger is given (e0 , n0 , z0 ), where n0 is an RSA n -bit modulus, e0 is a e -bit random prime, and z0 ∈ Z∗n0 . The challenger has qD adaptive accesses to an oracle On0 , which returns an e-th root of a chosen element β modulo n0 , for a chosen e -bit prime e = e0 : α ← On0 (e, β) such that αe = β mod n0 . The challenger’s goal is to decide whether or not z0 is of the form k e0 mod n0 , for some k ∈ Primes([2k −1 , 2k [). We conjecture that the assisted decision RSA short encrypted-prime problem is at most negligibly easier than the (standard) decision RSA short encryptedprime problem. Indeed, we suppose that the RSA(e, n0 ) problems are sufficiently independent for different prime exponents e, so that the access to the (limited) RSA oracle does not “dramatically” simplify the task of the challenger. In other words, because of this supposed independence, we believe that the A-D-RSA-SEP problem, which is interactive by nature, is almost as hard as its plain version
40
B. Chevallier-Mames and M. Joye
(see Definition 1). This assumption is what we call the (D-RSA-SEP, RSA) instance-independence assumption. We remark that this latter assumption is stronger than the ones used in [34,33], because the problems to solve in our constructions are decisional.
4 4.1
New RSA-Type Schemes An IND-CPA Encryption Scheme
We describe a semantically secure RSA-type encryption scheme derived from the multiplicative knapsack cryptosystem Naccache-Stern [31]. Key Generation. Some parameters are defined, namely a bit-length n , a bitlength k and a maximum index I so that Π :=
I
pi ≤ 2n −k −1
and pI < 2k −1 ,
i=1
where pi ’s denote the first primes sorted in increasing order. The message space is {0, 1}I . Let n = pq be an n -bit RSA modulus, made of two equallength primes p and q. Define λ = lcm(p − 1, q − 1) and for an integer e > 1 with gcd(e, λ) = 1, compute d = e−1 mod λ. The public key is pk = {n, e} while the private key is sk = {d}. Encryption. To encrypt a message m = {mi }i ∈ {0, 1}I , one picks a ran dom k -bit prime k, computes w = Ii=1 pi mi and c = (w · k)e mod n. The ciphertext is c. Decryption. To decrypt a ciphertext c, the legitimate receiver calculates t = cd mod n and decomposes it into the base of primes allowing a maximal valuation of 1 for each prime pi , i.e., t=
I
p i mi · k
with mi ∈ {0, 1} .
i=1
Message m is then recovered bit-by-bit as mi =
1 0
if t mod pi = 0, otherwise .
It is easy to show that the above scheme achieves IND-CPA security under the assumption that the D-RSA-SEP problem is hard (see Definition 1). 4.2
Making It Chosen-Ciphertext Secure
As for most RSA-type schemes, public exponent e can be “freely” chosen in the key generation of the previous scheme, subject to the condition that gcd(e, λ) = 1. In other words, this scheme can be modified into a public-key encryption
Chosen-Ciphertext Secure RSA-Type Cryptosystems
41
scheme with ephemeral key. Namely, the public key pk can be split into two parts: a fixed part n and a variable (ephemeral) part e. If the private key is defined as λ, the private exponent corresponding to e can be computed from λ as d = e−1 mod λ. Suppose for a moment that the ciphertexts are formed by pairs (c, e) obtained from the previous IND-CPA encryption scheme from a random ephemeral key e. Now, in the security proof, when adversary A = (A1 , A2 ) requests the decryption of (c, e), we simply call the RSA-oracle and get back corresponding plaintext m (or ⊥). This however supposes that e = e∗ , where (c∗ , e∗ ) denotes the challenge ciphertext, because of the restriction on the oracle in the A-D-RSA-SEP problem. First, we note that the probability that A1 queries on a ciphertext (c, e) with e = e∗ is negligible as A1 has no a priori knowledge on the value of e∗ . For this, we assume that the set from which the ephemeral key e is drawn from is sufficiently large. For A2 , things are more complicated: A2 knows e∗ from the challenge ciphertext (c∗ , e∗ ). The limitation on the oracle in the A-D-RSA-SEP problem prevents to obtain the corresponding plaintext from the RSA oracle (remember that only primes e = e∗ can be submitted). Therefore we adopt another strategy: in some sense we “forbid” A2 to submit ciphertexts of the form (c, e∗ ) by making “infeasible” for anyone to reuse a prior ephemeral key picked by someone else. To this end, we append a “proof”, say π, to the ciphertexts and modify the generation of e accordingly. The ciphertexts of are now represented by tuples (c, e, π). There are several possible realizations of this idea ([5]). One-time mappable chameleon hash function. Our proof π relies on a special kind of chameleon hash functions. As will become apparent, chameleon hash functions will be used so that the value of e can be recovered from (c, π). Their salient feature is that it is infeasible to find a second pair (c , π ) = (c, π) that will yield the same e, unless some trapdoor information on the generation of e is given. Since A2 has no such information about e∗ , the probability that A2 requests the decryption of a ciphertext (c, e∗ , π) with (c, π) = (c∗ , π∗ ) is negligible. The attentive reader will observe there is a last technical complication: e∗ , the ephemeral key used in the ciphertext challenge, is an input to the reduction algorithm and so it is unclear how to get a pair (c∗ , π∗ ) that will lead to the value of e∗ 4 . This problem is alleviated through the use of one-time mappable chameleon hashing. Basically, a one-time mappable hash function is a keyed hash function that can be controlled for one given pair of input/output. Definition 3 (One-time mappable hash function). Given a family of hash functions {H(i) }j , a one-time mappable hash function H(a) is a hash function such that on input (x∗ , h∗ ), it is easy to find an index a such that H(a) (x∗ ) = h∗ . It turns out that it is straightforward to construct a one-time mappable hash function from a regular hash function. Let H be a function mapping strings 4
This technical complication appears clearly in the security analysis; see [11, § 4.3].
42
B. Chevallier-Mames and M. Joye
of arbitrary length to strings of h bits. From H, we define the family of hash functions {H(i) }i , 0 ≤ i < 2h , given by H(i) : {0, 1}∗ → {0, 1}h , x → H(i) (x) := (H(x) + i) mod 2h .
(2)
Now given a pair (x∗ , h∗ ), if we set a := (h∗ − H(x∗ )) mod 2h , we obviously have H(a) (x∗ ) = h∗ . The above construction can be composed with chameleon hash functions so as to obtain one-time mappable chameleon hash functions. Moreover, it is easy to see that doing so, Properties (i)–(iii) for chameleon hash functions (cf. § 2.3) are still satisfied, provided that function H in Eq. (2) is second pre-image collision resistant. In order to satisfy the instance-independence assumption, ephemeral keys e are required to be e -bit primes. Hence, we need to modify the output of the hash function to accommodate this additional requirement5 . We give below an example of such a function that maps integers (of length at most h bits) to e -bit primes: Je : {0, 1}h → Primes([2e −1 , 2e [), x → Je (x) := NextPrimee [T (x)] with T (x) := x · 2e −h −1 + 2e −1 . For an integer t, function NextPrimee (t) returns the first prime larger than t, provided that this prime is smaller than 2e ; if no such prime exists, it returns the first prime larger than 2e −1 . For any x1 , x2 ∈ {0, 1}h , T (x1 ) = T (x2 ) implies x1 = x2 and thus function T is injective. In our construction, e and h satisfy e h so that there always6 exists an e -bit prime in a range of 2e −h −1 consecutive e -bit integers, which in turn implies that function Je is injective too. Putting all together, the one-time mappable chameleon hash to be used, obtained from chameleon hash function of Example 2, is given by7 : c n +c +2κ ChamHash(a) → Primes([2e −1 , 2e [), v : {0, 1} × {0, 1} (a) r m (m, r) → ChamHash(a) (g v mod n, v) . (3) v (m, r) := Je H
Our scheme. We are now ready to present our IND-CCA-secure RSA-type scheme. The security analysis is presented in the next section. Key Generation. On input security parameter κ, bit-lengths n , k , and index I are defined as in the basic scheme (see § 4.1). The message space is {0, 1}I . Let n = (2p + 1)(2q + 1) be a strong RSA modulus and let QR(n) denote 5
6 7
Actually, so-called division-intractable hash functions [21] would suffice for our purposes; but as pointed out in [14], the easiest way to meet the requirement of divisionintractability is to construct hash functions mapping strings to prime numbers. Unless a breaking, surprising fact on the distribution of prime numbers. (a) The pair (g r v m mod n, v) is viewed as a bit-string in the definition of ChamHashv .
Chosen-Ciphertext Secure RSA-Type Cryptosystems
43
the set of quadratic residues modulo n. Let also H : QR(n) → {0, 1}h be a second pre-image resistant hash function, for some bit-length h ≥ κ. Select a parameter a ← {0, 1}h and define H(a) (x) := (H(x) + a) mod 2h . For some bit-length c ≥ κ, let G : Zn → {0, 1}c be a second pre-image resistant hash function. Finally, let the one-time mappable chameleon hash function given by Eq. (3) for some g ← QR(n) and bit-length e satisfying (κ + log κ) ≤ e < n /2 and h e 8 . The public key is pk = {n, g, a} while the private key is sk = {λ} with λ = 2p q . Encryption. To encrypt a message m = {mi } ∈ {0, 1}I , do the following: 1. choose a random integer y ← {0, 1}n+κ and compute v = g y mod n; 2. choose a random pair (c, r) ← {0, 1}c × {0, 1}n+c +2κ and obtain prime e = ChamHash(a) v (c, r); 3. pick a random k -bit prime k and compute c = (w · k)e mod n with I w = i=1 pi mi ; 4. compute ρ = r + y(c − G(c )). The ciphertext is C = (c , v, ρ). Decryption. To decrypt a ciphertext C = (c , v, ρ), the legitimate user does the following: 1. recover e = ChamHash(a) v (G(c ), ρ); −1 2. compute d = e mod λ; 3. compute t = cd mod n and derive bit-by-bit corresponding message m as in the basic scheme. Observe that there is no validity test in the decryption: any ciphertext is considered as valid. This is not the first time that an encryption scheme which always decrypts is adaptively secure (e.g., [36]). 4.3
Security Analysis
We prove that the scheme is IND-CCA under the (D-RSA-SEP, RSA) assumption (see § 3.2). We have the following theorem: Theorem 1. Let A be an adversary which can break the IND-CCA security with success probability ε under a chosen-ciphertext attack within time τ . Assume that H and G are second pre-image resistant hash functions. Then the (D-RSASEP, RSA) problem can be solved with success probability 2ε and within time τ + qD · TOn + poly(κ), where TOn is the time of an RSA-oracle execution and qD is the number of decryption queries. In other words, assuming the RSA(e, n0 ) instances are independent for different prime exponents e, our scheme is as secure as the regular (i.e., non-interactive) version of the decision RSA short encrypted-prime problem. Due to lack of space, the proof is omitted. We refer the reader to [11] for the proof of Theorem 1. 8
Typical values for the different parameters are n = 2048, k = 160, I = 216, h = c = 128, and e = 256.
44
4.4
B. Chevallier-Mames and M. Joye
Further Schemes
Typically, for a 2048-bit modulus, the previous scheme allows one to encrypt 216bit messages. The message bandwidth can however be significantly increased by deriving an RSA-type scheme from the recent scheme presented in [12] (rather than the basic Naccache-Stern scheme). The above conversion applies in the same way. There exist other IND-CPA-secure RSA-type schemes allowing to freely exponent e, under various assumptions. These include by Pointcheval scheme [37] (based on dependent-RSA problem) or CGHN scheme [10] by Catalano, Gennaro, Howgrave-Graham and Nguyen (based on decisional small e-th residues problem). Again, the above conversion applies in the same way to get corresponding IND-CCA-secure RSA-type encryption schemes. Moreover, there are several possible constructions of one-time mappable chameleon hash functions. We refer the reader to [11, Appendix A] for a description of the so-obtained schemes.
5
Conclusion
In the context of RSA-based cryptography, instance-independence assumptions were used in the literature as a way to provide evidence that some schemes provably attaining a certain level of security in the random oracle would never be proved to achieve the same level in the standard model (in the black-box setting). In contrast, in this paper, we have shown positive applications of instance-independence assumptions in order to construct (simple) new encryption schemes with security reductions to some decisional problems. Among the possible instances of our technique, we pointed out a chosen-ciphertext secure encryption scheme of the Naccache-Stern knapsack, as well as schemes based on the dependent-RSA problem and decisional small e-th residues problem.
References 1. Abe, M., Cui, Y., Imai, H., Kiltz, E.: Efficient hybrid encryption from ID-based encryption. In: Designs, Codes and Cryptography (to appear) 2. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSAinversion problems and the security of Chaum’s blind signature scheme. Journal of Cryptology 16(3), 185–215 (2003) 3. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: CCS 1993, pp. 62–73. ACM Press, New York (1993) 4. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995) 5. Boneh, D., Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. SIAM Journal on Computing 36(5), 915–942 (2006) 6. Boneh, D., Katz, J.: Improved efficiency for CCA-secure cryptosystems built using identity- based encryption. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 87–103. Springer, Heidelberg (2005) 7. Brassard, G., Chaum, D., Cr´epeau, C.: Minimum disclosure proofs of knowledge. Journal of Computer and System Sciences 37(2), 156–189 (1988)
Chosen-Ciphertext Secure RSA-Type Cryptosystems
45
8. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups (extended abstract). In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997) 9. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004) 10. Catalano, D., Gennaro, R., Howgrave-Graham, N., Nguyen, P.Q.: Paillier’s cryptosystem revisited. In: CCS 2001, pp. 206–214. ACM Press, New York (2001) 11. Chevallier-Mames, B., Joye, M.: Chosen-ciphertext secure RSA-type cryptosystems. In: Full version of this paper, available from Cryptology ePrint Archive, http://eprint.iacr.org/2009/377 12. Chevallier-Mames, B., Naccache, D., Stern, J.: Linear bandwidth Naccache-Stern encryption. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 327–339. Springer, Heidelberg (2008) 13. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997) 14. Coron, J.-S., Naccache, D.: Security analysis of the Gennaro-Halevi-Rabin signature scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 91–101. Springer, Heidelberg (2000) 15. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998) 16. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002) 17. Dent, A.W.: A brief history of provably secure public-key encryption. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 357–370. Springer, Heidelberg (2008) 18. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM Journal on Computing 30(2), 391–437 (2000) 19. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987) 20. Fujisaki, E., Okamoto, T.: How to enhance the security of public-key encryption at minimum cost. IEICE Transaction of Fundamentals of Electronic Communications and Computer Science E83-A(1), 24–32 (2000) 21. Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999) 22. Girault, M.: An identity-based identification scheme based on discrete logarithms modulo a composite number. In: Damg˚ ard, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 481–486. Springer, Heidelberg (1991) 23. Gjøsteen, K.: A new security proof for Damg˚ ard’s ElGamal. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 150–158. Springer, Heidelberg (2006) 24. Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of Computer and System Sciences 28(2), 270–299 (1984) 25. Kiltz, E.: Chosen-ciphertext security from tag-based encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 581–600. Springer, Heidelberg (2006) 26. Krawczyk, H., Rabin, T.: Chameleon signatures. In: Network and Distributed System Security Symposium (NDSS 2000), pp. 143–154. Internet Society (2000)
46
B. Chevallier-Mames and M. Joye
27. Kurosawa, K., Desmedt, Y.: A new paradigm of hybrid encryption scheme. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, Heidelberg (2004) 28. Lipmaa, H.: On CCA1-security of ElGamal and Damg˚ ard’s ElGamal. Cryptology ePrint Archive. In: Report 2008/234 (2008) 29. Micali, S., Schnorr, C.-P.: Efficient, perfect polynomial random number generators. Journal of Cryptology 3(3), 157–172 (1991) 30. Miller, G.L.: Riemann’s hypothesis and tests for primality. Journal of Computer and System Sciences 13(3), 300–317 (1976) 31. Naccache, D., Stern, J.: A new public-key cryptosystem. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 27–36. Springer, Heidelberg (1997) 32. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: 22nd ACM STOC, pp. 427–437. ACM Press, New York (1990) 33. Paillier, P.: Impossibility proofs for RSA signatures in the standard model. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 31–48. Springer, Heidelberg (2007) 34. Paillier, P., Villar, J.L.: Trading one-wayness against chosen-ciphertext security in factoring-based encryption. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 252–266. Springer, Heidelberg (2006) 35. Pandey, O., Pass, R., Vaikuntanathan, V.: Adaptive one-way functions and applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 57–74. Springer, Heidelberg (2008) 36. Phan, D.H., Pointcheval, D.: Chosen-ciphertext security without redundancy. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 1–18. Springer, Heidelberg (2003) 37. Pointcheval, D.: New public key cryptosystems based on the dependent-RSA problems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 239–254. Springer, Heidelberg (1999) 38. Poupard, G., Stern, J.: Security analysis of a practical “on the fly” authentication and signature generation. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 422–436. Springer, Heidelberg (1998) 39. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992) 40. Shoup, V.: Why chosen ciphertext security matters. Technical Report RZ 3076, IBM Research (November 1998)
Anonymous Conditional Proxy Re-encryption without Random Oracle Liming Fang1 , Willy Susilo2 , and Jiandong Wang1 1
College of Information Science and Technology Nanjing University of Aeronautics and Astronautics, Nanjing, China
[email protected] 2 Centre for Computer and Information Security Research School of Computer Science and Software Engineering University of Wollongong, Australia
[email protected]
Abstract. A proxy re-encryption scheme enables a proxy to re-encrypt a ciphertext under a delegator’s public-key and designate it to a delegatee. Weng et al. introduced the notion of conditional proxy re-encryption (or C-PRE, for short), whereby only the ciphertext satisfying one condition set by the delegator can be transformed by the proxy and then decrypted by delegatee. Nonetheless, they left an open problem on how to construct CCA-secure C-PRE schemes with anonymity. In this paper, we first formalize the notion of anonymous condition CCA-secure PRE and present a respective security model. Then, we answer the question posed by Weng et al. affirmatively by presenting a new and efficient construction of anonymous conditional proxy re-encryption (C-PRE) scheme without requiring random oracle.
1 Introduction A proxy re-encryption (PRE) scheme allows a proxy to transform a ciphertext under a delegator’s public-key into a delegatee’s ciphertext on the same message by using some additional information. Blaze et al. [3] proposed the first PRE scheme, where plaintexts and secret keys remain hidden from the proxy. The limitation of their scheme relies on the fact that the proxy key can be used to translate ciphertexts from delegatee to delegator(i.e. bidirectional), and furthermore the proxy and the delegatee can collude to expose the delegator’s private key. In 2005, Ateniese et al. [1] showed how to construct unidirectional schemes using bilinear maps and simultaneously prevent proxies from colluding with delegatees in order to expose the delegator’s secret key. Their scheme [1] is proven secure in the random oracle model. In 2006, Green and Ateniese [15] extended the above notion to identitybased proxy re-encryption (IB-PRE), and proposed new CCA security models. Canetti and Hohenberger [9] also proposed new CCA secure PRE scheme that the proxy can verify the validity of the ciphertext prior to the transformation. In 2007, Chu and Tzeng [11] proposed a multi-use, unidirectional ID-based PRE scheme, and claimed that it was CCA secure in the standard model. On the contrary, Shao et al.[20] showed that this claim is indeed false. Till then, there was no known unidirectional PRE systems J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 47–60, 2009. c Springer-Verlag Berlin Heidelberg 2009
48
L. Fang, W. Susilo, and J. Wang
with chosen-ciphertext security that rely on the standard model. In PKC 08, Libert and Vergnaud [17] presented the first construction of unidirectional proxy re-encryption scheme with replayable chosen-ciphertext security [10] in the standard model. These constructions are based on bilinear pairings. In spite of the recent advances in implementation techniques, the pairing computation is still considered as a very expensive operation. To fill the gap, Deng et al. [12] proposed a CCA secure bidirectional PRE scheme without pairings in the random oracle model. After Deng et al.’s work, Shao and Cao [19] proposed a proxy re-encryption scheme without pairings, in which the proxy can only transform the ciphertext in one direction. Their scheme is CCA secure and collusion attack free in the random oracle model based on Decisional Diffie-Hellman (DDH) assumption and integer factorization assumption. The existing notion of PRE does not facilitate flexible delegation. We will motivate the flexible delegation by the following example. Suppose that Alice who is a manager of a bank, is having a holiday and away from work. She allows Bob to check her important emails, in case there is an urgent email. In this scenario, Alice should allow Bob to select her important emails to be read during her holiday, but not all of them. This can be done by using a proxy to transform a ciphertext under Alice’s public-key into Bob’s ciphertext when its subject contains the keyword ‘urgent’. The lack of flexible delegation has been considered as a drawback of PRE schemes [21]. To overcome the limitation of PRE, very recently, Weng et al. [21] presented a notion of conditional proxy re-encryption (C-PRE), whereby only ciphertexts satisfying one condition set by Alice can be transformed by the proxy and then decrypted by Bob. They formalized its security model and proposed an efficient C-PRE scheme, whose chosenciphertext security is proven in random oracle. Furthermore, they left an interesting open problem on how to construct CCA-secure C-PRE schemes with anonymity. Our Contributions. In this paper, we first formalize the anonymous condition of PRE security model. Then, we proceed with answering the question posed by Weng et al. [21] affirmatively by presenting a new and efficient construction of anonymous conditional proxy re-encryption (C-PRE) scheme. Based on the 3-QDBDH assumption and truncated q-ABDHE assumption, we prove its CCA security without random oracle. Compared with Weng et al.’s C-PRE [21], our scheme outperforms Weng et al.’s scheme[21] in the following aspects: (i) In contrast to Weng et al.’s scheme, our scheme provides anonymous condition; (ii) Our scheme does not rely on the random oracle model, i.e. in an idealized world where all parties get black-box accesses to a truly random function. It is well known that unfortunately a proof in the random oracle model can only serve as a heuristic argument and admittedly using quite contrived constructions, has been shown to possibly lead to insecure schemes when the random oracles are implemented in the standard model [7]. Paper Organization. The rest of this paper is organized as follows. In Section 2, we will provide the definitions and complexity assumption that will be used throughout this paper, together with the security model of anonymous C-PRE schemes. In Section 3, we present our anonymous C-PRE in the standard model. Finally, Section 4 concludes the paper.
Anonymous Conditional Proxy Re-encryption without Random Oracle
49
2 Definitions In this section, we first review the complexity assumption required in our schemes, and then provide the definition and security of a conditional proxy re-encryption scheme. 2.1 Negligible Function A function (n) : N → R is negligible in n if 1/(n) is a non-polynomially-bounded quantity in n. 2.2 Bilinear Maps Let G1 and G2 be multiplicative cyclic groups of prime order p, and g be a generator of G1 . We say e : G1 × G1 → G2 is a bilinear map [4,6], if the following conditions hold. 1. e(g 1 a , g 2 b ) = e(g 1 , g 2 )ab for all a, b ∈ Z p and g 1 , g 2 ∈ G1 . 2. e(g, g) = 1. 3. There is an efficient algorithm to compute e(g 1 , g 2 ) for all g 1 , g 2 ∈ G1 . 2.3 The 3-QDBDH Assumption Let e : G1 × G1 → G2 be a bilinear map. We define the advantage function Adv G 1 ,B 3 −QDBDH (λ) of an adversary B as 2
3
2
3
|P r[B(g, g x , g x , g x , g z , e(g, g)z /x ) = 1] − P r[B(g, g x , g x , g x , g z , e(g, g)r ) = 1]| where x, z, r ∈ Z p are randomly chosen. We say that the 3-QDBDH assumption [17] relative to generator G1 holds if Adv G 1 ,B 3 −QDBDH (λ) is negligible for all B. Dodis and Yampolskiy showed that this problem was indeed hard in generic groups [13]. Their result thus implies the hardness of 3-QDBDH in generic groups. 2.4 The Truncated q-ABDHE Assumption Let e : G1 × G1 → G2 be a bilinear map. We define the advantage function Adv G 1 ,B q−ABDHE (λ) of an adversary B as q
|P r[B(g, g x , · · · , g x , g z , g zx x
xq
z
P r[B (g, g , · · · , g , g , g
q +2
, e(g, g)zx
zx q +2
q +1
) = 1]−
r
, e(g, g) ) = 1]|
where x, z, r ∈ Z p are randomly chosen. We say that the truncated q-ABDHE assumption [14,16] relative to generator G1 holds if Adv G 1 ,B q−ABDHE (λ) is negligible for all B.
50
L. Fang, W. Susilo, and J. Wang
2.5 One-Time Signatures A one-time signature [8] consists of a triple of algorithms Sig = (G, S, V) such that, on input of a security parameter λ, G generates a one-time key pair (ssk, svk) while, for any message M , V(svk, σ, M ) outputs 1 whenever σ = S(ssk, M ) and 0 otherwise. As in [17] , we need strongly unforgeable one-time signatures, which means that no PPT adversary can create a new signature for a previously signed message. Sig = (G, S, V) is a strong one-time signature if the probability Adv OTS = P r[(ssk, svk) ← G(λ); (M, St) ← F (svk); σ ← S(ssk, M ); (M , σ ) ← F (M, σ, svk, St) : V(svk, σ , M ) = 1 ∧ (M , σ ) = (M, σ)], where St denotes the state information maintained by F between stages, is negligible for any PPT forger F . 2.6 Conditional Proxy Re-encryption In the following, we will provide the definition of a conditional proxy re-encryption scheme and the game-based security definition. Similar as [21], a C-PRE scheme involves three principals: a delegator (say user U i ), a proxy, and a delegatee (say user U j ). A message sent to U i with condition w is encrypted by the sender using both U i ’s public key and w. To authorize U j to decrypt such an encryption associated with w, U i gives the proxy a partial re-encryption key rk i,j and a condition key rk i,w corresponding to the condition w. These two keys are used by the proxy to perform ciphertext translation. One problem is when the condition w is not included in ciphertext, then how can the proxy know which conditional key should be applied? To solve the problem, we need to include a test into re-encryption algorithm, if the test result is “1” which means the condition w for ciphertext is match to the conditional key. Definition 1 (Conditional Proxy Re-encryption) A (single hop) conditional proxy re-encryption scheme [21] comprises the following algorithms: GlobalSetup(λ): The GlobalSetup algorithm is run by a trusted party that, takes as input a security parameter λ. It generates the global parameters P P . KeyGen(i): The key generation algorithm generates the public key pk i and the secret key sk i for user i. RKeyGen(sk i , pk j ): The partial re-encryption key generation algorithm, run by user i, takes as input a secret key sk i and another public key pk j . It outputs a partial re-encryption key rk i,j . CKeyGen(sk i , w): The condition key generation algorithm, run by user i, takes as input a secret key sk i and a condition w. It outputs a condition key ck i,w . Enc(pk, m, w): The encryption algorithm takes as input a public key pk, a plaintext m ∈ M and a condition w. It outputs a original conditional ciphertext CT associated with w under public key pk. Here M denotes the message space. ReEnc(CT i , rk i,j , ck i,w ): The re-encryption algorithm, run by the proxy, takes as input a conditional ciphertext CTi associated with w under public key pk i , a partial re-encryption key rk i,j and a condition key ck i,w . It first run T est(CT i , ck i,w ), if the test result is ”1”, then it outputs a re-encrypted ciphertext CTj under public key pk j , if the test result is ”0”, then it output the error symbol ⊥.
Anonymous Conditional Proxy Re-encryption without Random Oracle
51
Dec1(CT i , sk i ): The level 1 decryption algorithm takes as input a secret key sk i and a cipertext CTi . It outputs a message m ∈ M or the error symbol ⊥. Dec2(CT j , sk j ): The level 2 decryption algorithm takes as input a secret key sk j and a re-encrypted ciphertext CTj under public key pk j . It outputs a message m ∈ M or the error symbol ⊥. Note that we omit the global parameters P P as the other algorithms’ input for simplicity. The correctness of C-PRE means that, for any condition w, any message m, any (pk i , sk i ) ← KeyGen(i), (pk j , sk j ) ← KeyGen(j), and CT i = Enc(pk, m, w), P r[Dec1(CT i , sk i ) = m] = 1 and P r[Dec2(ReEnc(CT i , RKeyGen(sk i , pk j ), CKeyGen(sk i , w)), sk j ) = m] = 1. For any other condition w and user j with w = w and j = j, let be negligible, we have P r[Dec2(ReEnc(CT i , RKeyGen(ski , pkj ), CKeyGen(ski , w )), skj ) =⊥] = 1 −
and P r[Dec2(ReEnc(CT i , RKeyGen(ski , pkj ), CKeyGen(ski , w)), skj ) =⊥] = 1 − .
In the following, we provide the game-based security definition of C-PRE. Our definition considers a challenger that produces a number of public keys. As [17], we let the target public key, corrupted users and the honest users be determined at the beginning of the game. Additionally, we allow the adversary to adaptively query a re-encryption oracle and decryption oracles. We allow the challenger to reveal re-encryption keys rk ij when j is corrupt for honest users i that differ from the target receiver. Definition 2 (CPRE-IND-ANON-RCCA game) Let λ be the security parameter and A be the adversary. We consider the following two games. Let i∗ be the target user. Game 1: (IND-RCCA) 1. Setup: The challenger C perform GlobalSetup(λ) to get the public parameter P P . Give the public parameter P P to A. 2. Query phase 1. A makes the following queries: – Uncorrupted key generation query i : C first runs algorithm KeyGen(i) to obtain a public/secret key pair (pk i , sk i ), and then sends pk i to A. – Corrupted key generation query j : C first runs algorithm KeyGen(j) to obtain a public/secret key pair (pk j , sk j ), and then sends (pk j , sk j ) to A. – Partial re-encryption key query pk i , pk j : C runs algorithm RKeyGen(sk i , pk j ) to generate a partial re-encryption key rk i,j and returns it to A. Here, sk i is the secret key with respect to pk i . It is required that pk i and pk j have been generated beforehand by algorithm KeyGen.
52
L. Fang, W. Susilo, and J. Wang
– Condition key query pk i , w : C runs algorithm CKeyGen(sk i , w) to generate a condition key ck i,w and returns it to A. It is required that pk i has been generated beforehand by algorithm KeyGen. – Re-encryption query pk i , pk j , (w, CT i ) : C runs algorithm CT j = ReEnc(CT i , RKeyGen(sk i , pk j ), CKeyGen(sk i , w)) and returns the resulting ciphertext CT j to A. It is required that pk i and pk j have been generated beforehand by algorithm KeyGen. – Decryption query pk i , (w, CT i ) : Here pk i , (w, CT i ) denotes the queries on original conditional ciphertext. Challenger C returns the result of Dec1(CT i , sk i ) to A. It is required that pk i has been generated beforehand by algorithm KeyGen. – Decryption query pk j , CT j : Here pk j , CT j denotes the queries on reencrypted ciphertext. Challenger C returns the result of Dec2(CT j , sk j ) to A. It is required that pk i has been generated beforehand by algorithm KeyGen. 3. Challenge. Once A decides that Phase 1 is over, it outputs a target condition w∗ and two equal length plaintexts (m0 , m1 ). Challenger C chooses a bit b ∈ {0, 1} and sets the challenge ciphertext to be CT ∗ = Enc(pk i ∗ , mb , w∗ ), which is sent to A. 4. Query phase 2. A continues making queries as in the query phase 1. 5. Guess. A outputs the guess b . The adversary wins if b = b. During the above game, adversary A is subject to the following restrictions: – (i). A can not issue corrupted key generation queries on i∗ to obtain the target secret key sk i ∗ . – (ii). A can not issue decryption queries on neither pk i ∗ , (w∗ , CT ∗ ) nor pk j , CT j where pk j , CT j is a derivative of the challenge pair pk i ∗ , (w∗ , CT ∗ ) . Derivatives of pk i ∗ , (w∗ , CT ∗ ) are defined as Dec1(CT j , sk j ) ∈ {m0 , m1 } or Dec2 (CT j , sk j ) ∈ {m0 , m1 } (Replayable CCA-security rule, see more discussion in [17]). – (iii). A can not issue re-encryption queries on pk i ∗ , pk j , (w∗ , CT ∗ ) if pk j appears in a previous corrupted key generation query. – (iv). A can not obtain the partial re-encryption key rk i ∗ ,j if pk j appears in a previous corrupted key generation query. We refer to the above adversary A as an IND-RCCA adversary. His advantage is defined as SuccA Game 1 (λ) = |P r[b = b] − 1/2| Game 2: (IND-ANON-RCCA) – Query phase 1. Same as Game 1. – Challenge. Once A decides that Phase 1 is over, it outputs a condition pair (w0 , w1 ) and two equal length plaintexts (m0 , m1 ). Challenger C chooses a bit b ∈ {0, 1} and sets the challenge ciphertext to be CT ∗ = Enc(pk i ∗ , mb , wb ), which is sent to A.
Anonymous Conditional Proxy Re-encryption without Random Oracle
53
– Query phase 2. A continues making queries as in the query phase 1. – Guess. A outputs the guess b . The adversary wins if b = b . The restrictions in game 2 is similar to the game 1 : – (i). A can not issue corrupted key generation queries on i∗ to obtain the target secret key sk i . – (ii). A can not issue decryption queries on neither pk i ∗ , (w∗ , CT ∗ ) where w∗ ∈ {w0 , w1 } nor pk j , CT j where pk j , CT j is a derivative of the challenge pair pk i ∗ , (w∗ , CT ∗ ) . – (iii). A can not issue re-encryption queries on pk i ∗ , pk j , (w∗ , CT ∗ ) where w∗ ∈ {w0 , w1 } if pk j appears in a previous corrupted key generation query. – (iv). A can not obtain the condition key ck i ∗ ,w ∗ where w∗ ∈ {w0 , w1 }. We refer to the above adversary A as an IND-ANON-CCA adversary. His advantage is defined as SuccA Game 2 (λ) = |P r[b = b] − 1/2| The C-PRE scheme is said to be CPRE-IND-ANON-RCCA secure if both SuccA Game 1 (λ) and SuccA Game 2 (λ) are negligible.
3 Anonymous Conditional Proxy Re-encryption In this section, inspired by the original scheme by Weng et al. [21], we present our anonymous conditional proxy re-encryption scheme. We employ the technique used in Boneh et al. called public key encryption with keyword search [2,5,18]. Our main idea is to ask the sender to encrypt the message and later, by using a “trapdoor” (i.e. condition key), the proxy can then re-encrypt it. Then, the proxy will not know the contents of the message itself. 3.1 Our Construction The description of our conditional proxy re-encryption scheme is as follows. – GlobalSetup(λ): Let λ be the security parameter and (p, g, G1 , G2 , e) be the bilinear map parameters, generators u, v ∈ G1 and a strongly unforgeable one-time signature scheme sig = (G, S, V). Let message space be G2 and condition space be Z p ∗ . The global system parameters are (p, g, G1 , G2 , e, u, v, sig). – KeyGen(i): user i selects random xi , y i , a0 , a1 , a2 ∈ Z p ∗ , computes X i = g x i , Y i = g y i , hk = g a k , sets his public key as pk i = (X i , Y i , {hk }k ∈{0 ,1 ,2 }) and the secret key sk i = (pk i , xi , y i , a0 , a1 , a2 ). – RKeyGen(sk i , pk j ) : given user i’s private key sk i = (pk i , xi , y i ) and user j’s public key pk j , generates the unidirectional partial re-encryption key rk i,j = X j 1 /x i . – CKeyGen(sk i , w): given user i’s private key xi in sk i and a condition w ∈ Z p ∗ , selects three random sk ∈ Z p ∗ , computes dk = (hk g −s k )1 /(y i −w) , sets the condition key ck i,w = (dk , sk )k ∈{0 ,1 ,2 }.
54
L. Fang, W. Susilo, and J. Wang
– Enc(pk i , m, w): To encrypt a message m ∈ G2 under the public key pk i and condition w ∈ Z p ∗ , the sender proceeds as follows. 1. Selects a one-time signature key pair (ssk, svk) ← G(λ) and sets C 1 = svk. 2. Picks r ∈ Z p ∗ and computes C 2 = X i r , C 3 = e(g, g)r m, C 4 = (usvk v)r . 3. Generates a one-time signature σ = S(ssk, (C 3 , C 4 )) on the pair (C 3 , C 4 ). The regular ciphertext is CRi = (C 1 , C 2 , C 3 , C 4 , σ). 4. Pick r ∈ Z p ∗ and computes
K = e(g, h0 )r , C 3 = C 3 · K
C 5 = (Y i g −w )r , C 6 = e(g, g)r
t = H(C 3 , C 5 , C 6 ), C 7 = e(g, h1 )r t e(g, h2 )r
5. Generates another one-time signature σ = S(ssk, (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 )) on (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 ). 6. The condition ciphertext (i.e. original ciphertext) is CT i = (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 , σ ). – ReEnc(CT i , ck i,w , rk i,j ): on input of a (partial) re-encryption key rk i,j = X j 1 /x i , a condition key ck i,w = (dk , sk )k ={0 ,1 ,2 } and a condition ciphertext CT i = (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 , σ ). It first run T est(CT i , ck i,w ), computes t = H(C 3 , C 5 , C 6 ), testing whether V(C 1 , σ , (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 )) = 1 ?
C 7 = e(C 5 , d1 t d2 )C 6 s 1 t+s 2 . If the check fails, outputs “0”, otherwise it outputs “1”, if the test result outputs “1”, then computes K = e(C 5 , d0 )C 6 s 0 , C 3 = C 3 /K. Hence, the regular ciphertext is CRi = (C 1 , C 2 , C 3 , C 4 , σ), check the validity of the latter by testing the following conditions ?
e(C 2 , uC 1 v) = e(X i , C 4 ) ?
V(C 1 , σ, (C 3 , C 4 )) = 1
(1) (2)
If well-formed, CT i , is re-encrypted by choosing t ∈ Z p ∗ and computing C 2 = X i t , C 2 = rk ij 1 /t = g (x j /x i )t
−1
, C 2 = C 2 t = X i rt
The re-encrypted ciphertext is CT j = (C 1 , C 2 , C 2 , C 2 , C 3 , C 4 , σ). If illformed, output ⊥.
Anonymous Conditional Proxy Re-encryption without Random Oracle
55
– Dec1(CT i , sk i ): On input a secret key sk i and any condition ciphertext CT i . Parse the condition ciphertext CT i = (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 , σ ). If V(C 1 , σ , (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 )) = 1, computes t = H(C 3 , C 5 , ?
C 6 ) and tests whether C 7 = (C 6 )a 1 t+a 2 . If the check fails, outputs ⊥. Otherwise, compute C 3 = C 3 /(C 6 )a 0 . Hence, the regular ciphertext is CRi = (C 1 , C 2 , C 3 , C 4 , σ), if the regular ciphertext satisfies relations (1) and (2), the receiver i can obtain m = C 3 /e(C 2 , g)1 /x i . The algorithm outputs ⊥ otherwise. – Dec2(CT j , sk j ): On input a secret key sk j and any re-encrypted ciphertext CT j = (C 1 , C 2 , C 2 , C 2 , C 3 , C 4 , σ). The validity of a re-encrypted ciphertext CT j is checked by testing if ?
e(C 2 , C 2 ) = e(X j , g) ?
e(C 2 , uC 1 v) = e(C 2 , C 4 ) ?
V(C 1 , σ, (C 3 , C 4 )) = 1
(3) (4) (5)
If relations (3)-(5) hold, the plaintext m = C 3 /e(C 2 , C 2 )1 /x j is returned. Otherwise, the algorithm outputs ⊥. Correctness. It is straightforward to verify that all the correctly generated original/reencrypted ciphertexts can be correctly decrypted. Here, we explain a re-encrypted ciphertext which has been generated by a proxy who does not have both the right partial re-encryption key and the right condition key can not be correctly decrypted by the delegatee with non-negligible probability. Given an original condition ciphertext CT i = (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 , σ ) associated with condition w under public key pk i = (X i , Y i , {hk }k ∈{0 ,1 ,2 }), there are two cases as follows. Case 1 (an error condition key.) Suppose a proxy, who has a partial re-encryption key rk i,j = X j 1 /x i and a condition key ck i,w = (dk , sk )k ={0 ,1 ,2 } where dk = (hk g −s k )1 /(y i −w ) and w = w, runs ReEnc(CT i , ck i,w , rk i,j ) to translate ciphertext CT i into a ciphertext intended for user j. Obviously, CT i can not pass the va lidity check. Let C 5 = (Y i g −w )r , C 6 = e(g, g)r , and let t = H(C 3 , C 5 , C 6 ), C 7 = e(g, h1 )r t e(g, h2 )r . We have e(C 5 , (d1 )t (d2 ))C 6 s 1 t+s 2 = e(g, h1 )r t e(g, h2 )r = C 7 ⇔ e(g (y i −w)r , (g (a 1 −s 1 )/(y i −w ) )t e(g (y i −w)r , (g (a 2 −s 2 )/(y i −w ) ) e(g, g)r (s 1 t+s 2 ) = C7 ⇔ e(g, g)r (y i −w)/(y i −w )((a 1 −s 1 )t+(a 2 −s 2 )) e(g, g)r (s 1 t+s 2 ) = e(g, g)(a 1 t+a 2 )r ⇔ (a1 t+a2 )r ((y i −w)/(y i −w )−1)−(s1 t+s2 )r ((y i −w)/(y i −w )−1) =0 ⇔ (a1 t + a2 − s1 t − s2 )r ((w − w)/(y i − w )) =0 since s1 , s2 are randomly chosen and a1 , a2 , y i are the secret key, so (a1 t + a2 − s1 t − s2 ) = 0, w − w = 0 and y i − w = 0. Even though it passes the verification test, we can see K = e(C 5 , d0 )C 6 s 0 = e(g, h0 )r = K, since
56
L. Fang, W. Susilo, and J. Wang
⇔ K = e(g (y i −w)r , (g (a 0 −s 0 )/(y i −w ) )e(g, g)r s 0 = e(g, g)a 0 r r (y i −w)/(y i −w )(a 0 −s 0 ) r s o ⇔ e(g, g) e(g, g) = e(g, g)a 0 r ⇔ (a0 − s0 )r ((y i − w)/(y i − w ) − 1) =0 ⇔ (a0 − s0 )r (w − w)/(y i − w ) =0
Case 2 (an error partial re-encryption key). Suppose a proxy, who has a partial reencryption key rk i,j = X j 1 /x i and a condition key ck i,w = (dk , sk )k ={0 ,1 ,2 } where dk = (hk g −s k )1 /(y i −w) and j = j, runs ReEnc(CT i , ck i,w , rk i,j ) to translate ciphertext CT i into a ciphertext CT j intended for user j. Parse CT j as (C 1 , C 2 , C 2 , −1 C 2 , C 3 , C 4 , σ), let C 2 = X i t , C 2 = rk ij 1 /t = g (x j /x i )t , C 2 = C 2 t = X i rt . Obviously, CT j can not pass the validity check when facing the decryption algorithm since e(C 2 , C 2 ) = e(X j , g). Intuitions of the security. The regular ciphertext is CRi = (C 1 , C 2 , C 3 , C 4 , σ) and the re-encrypted ciphertext CT j = (C 1 , C 2 , C 2 , C 2 , C 3 , C 4 , σ), which is the same as Libert and Vergnaud’s scheme [17]. The only difference is (C 3 , C 5 , C 6 , C 7 ) in the condition ciphertext (i.e. the original ciphertext) CT i = (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 , σ ). However, (C 3 , C 5 , C 6 , C 7 ) is the Gentry’s CCA secure IBE [14] under identity w, which is IND-ANON-CCA secure. 3.2 Security of Our PRE In this subsection, we prove the CPRE-IND-ANON-RCCA security for our scheme without requiring random oracle. The analysis of Game 1 and Game 2 are as follows. Theorem 1. If the 3-QDBDH and q-ABDHE assumption holds, then the first scheme is CPRE-IND-ANON-RCCA secure in the standard model. Lemma 1. If there exists an IND-RCCA adversary A against our scheme, then there exists an algorithm B which can solve the 3-QDBDH problem. Proof. Since the prove is similar to [17], we omit it here. You can find it in the full paper. Lemma 2. If there exists a IND-ANON-RCCA adversary A against our scheme, then there exists an algorithm B which can solve the q-ABDHE problem for q ≥ q k + 1, where q k is the number of condition key queries on target user. Proof. Our approach to proving lemma 2 closely follow the proof of security for Gentry’s IBE scheme [14]. Suppose there exists a polynomial-time adversary, A, that can attack our scheme in the standard model. Let q k is the number of condition key queries on target user. We build a simulator B that can play a q-ABDHE game for q ≥ q k + 1. In the following, we call HU the set of honest parties, including user i∗ that is assigned the target public key pk i ∗ , and CU the set of corrupt parties. The simulation proceeds as follows: We first let the challenger set the groups G1 and G2 with an efficient bilinear map e 2 q and a generator g of G1 . Simulator B inputs a q-ABDHE instance (g, g x , g x , · · · , g x , q +2 q +1 g z , g zx , T ), and has to distinguish T = e(g, g)zx from a random element in G2 . 1. Setup: Let λ be the security parameter and (p, g, G1 , G2 , e) be the bilinear map parameters, generators u, v ∈ G1 and a strongly unforgeable one-time signature
Anonymous Conditional Proxy Re-encryption without Random Oracle
57
scheme sig = (G, S, V). The global system parameters are (p, g, G1 , G2 , e, u, v, sig) 2. Query phase 1. A makes the following queries: – Uncorrupted key generation query i : public keys of target user’s i = i∗ are defined as following: B picks three random degree q polynomials f k (X) where k ∈ {0, 1, 2}, defines {hk ∗ = g f k (x ) }k ∈{0 ,1 ,2 }, Y i ∗ = g x . This implicitly defines the partail system secret key value as {ak ∗ = f k (x)}k ∈{0 ,1 ,2 } . B selects random xi ∗ ∈ Z p ∗ , computes X i ∗ = g x i ∗ , and sets target user’s public key as pk i ∗ = (X i ∗ , Y i ∗ , {hk ∗ }k ∈{0 ,1 ,2 }), and sends public key to A. Public keys of honest user i ∈ HU \{i∗} are the same as the key generation algorithm, this means the simulator B can know both the public key and secret key of user i ∈ HU \{i∗}, and sends public key to A. – Corrupted key generation query i : Public keys of corrupt user i ∈ CU are the same as the key generation algorithm, this means the simulator B can know the both the public key and secret key of user i ∈ CU , and then sends (pk i , sk i ) to A. – Partial re-encryption key query pk i , pk j : B generates the unidirectional reencryption key rk i,j = X j 1 /x i . B can computes it correct, since B known the secret key part xi for all user. – Condition key query pk i , w : For a target user’s i = i∗ , then B computes {sw ,k = f k (w)}k ∈{0 ,1 ,2 }, dw ,k = g (f k (x )−f k (w))/(x −w) sends the condition key ck i ∗ ,w = {dw ,k , sw ,k }k ∈{0 ,1 ,2 } to A. When q ≥ q k + 1, {sw ,k = f k (w)}k ∈{0 ,1 ,2 } are random values from A’s view, since f k (X) where k ∈ {0, 1, 2} are random degree q polynomials. For a user i = i∗ , B selects three random sk ∈ Z p ∗ , computes dk = (hk g −s k )1 /(y i −w) sets the condition key ck i,w = (dk , sk )k ={0 ,1 ,2 } . – Re-encryption query pk i , pk j , w, CT i : Since B can computes unidirectional re-encryption key rk i,j and the condition key ck i,w = (dk , sk )k ={0 ,1 ,2 } for all user i and j, so B can compute it correctly. – Decryption query pk j , CT j : If pk j , CT j denote the queries on re-encrypted ciphertext, C j = (C 1 , C 2 , C 2 , C 2 , C 3 , C 4 , σ). The validity of a re-encrypted ciphertext C j is checked by testing if ?
e(C 2 , C 2 ) = e(X j , g)
(6)
?
e(C 2 , uC 1 v) = e(C 2 , C 4 )
(7)
?
V(C 1 , σ, (C 3 , C 4 )) = 1
(8)
1 /x j
If relations (6)-(8) hold, the plaintext m = C 3 /e(C 2 , C 2 ) is returned. Otherwise, outputs ⊥. In the phase 2 stage, B must check that m differs from messages m0 , m1 involved in the challenge query. If m ∈ {m0 , m1 }, B returns ⊥ according to the replayable CCA-security rules.
58
L. Fang, W. Susilo, and J. Wang
– Decryption query pk i , w, CT i : If pk i , CT i denote the queries on original condition ciphertext CT i . B makes a re-encryption query on pk i , pk j , w, CT i to get the re-encrypted ciphertext CT j , then makes a decryption query on pk j , CT j , and sends the result to A 3. Challenge. Once A decides that Phase 1 is over, it outputs a target public key pk i ∗ , a condition pair (w0 , w1 ) and two equal length plaintexts (m0 , m1 ). B responds by choosing a random b ∈ {0, 1}, sets {sw b ,k = f k (wb )}k ∈{0 ,1 ,2 } Then B computes dw b ,k = g (f k (x )−f k (w b ))/(x −w b ) . (a) Selects a one-time signature key pair (ssk ∗ , svk ∗ ) ← G(λ) and set C 1 ∗ = svk ∗ . (b) Picks r ∈ Z p ∗ and computes ∗
C 2 ∗ = X i ∗ r , C 3 ∗ = e(g, g)r mb , C 4 ∗ = (usvk v)r . (c) Generates a one-time signature σ ∗ = S(ssk ∗ , (C 3 ∗ , C 4 ∗ )) on the pair (C 3 ∗ , C 4 ∗ ). The regular target ciphertext is CRi ∗ = (C 1 ∗ , C 2 ∗ , C 3 ∗ , C 4 ∗ , σ ∗ ). (d) Defines the degree q + 1 polynomial q+1 F ∗ (X) = (X q+2 − (wb )q+2 )/(X − wb ) = (F i ∗ X i ). i=0 Computes C 5 ∗ = g zx C6 ∗
q +2
q +2
(g z )−(w b ) ∗ q xi Fi ∗ = T F q +1 e(g z , ) i=0 (g )
C 3 ∗ = C 3 ∗ · e(C 5 ∗ , dw b ,0 )(C 6 ∗ )s w b ,0 t∗ = H(C 3 ∗ , C 5 ∗ , C 6 ∗ ) ∗
C 7 ∗ = e(C 5 ∗ , (dw b ,1 )t dw b ,2 ) · (C 6 ∗ )s w b ,1 t
∗
+s w b ,2
q +1
Let r∗ = zF ∗ (x), if T = e(g, g)zx , then ∗ ∗ ∗ C 5 ∗ = g (x −w b )r = (Y i ∗ g −w b )r C 6 ∗ = e(g, g)r , ∗ ∗ ∗ ∗ C 3 ∗ = C 3 ∗ · e(g, h0 ∗ )r and C 7 ∗ = e(g, h1 ∗ )t r e(g, h2 ∗ )r . (e) Generates another one-time signature σ ∗ = S(ssk, (C 1 ∗ , C 2 ∗ , C 3 ∗ , C 4 ∗ , σ ∗ , C 5 ∗ , C 6 ∗ , C 7 ∗ )) (f) The condition ciphertext is CT ∗ = (C 1 ∗ , C 2 ∗ , C 3 ∗ , C 4 ∗ , σ ∗ , C 5 ∗ , C 6 ∗ , C 7 ∗ , σ ∗ ). Then sends CT ∗ to A. 4. Query phase 2. A continues making queries as in the query phase 1. q +1 5. Guess. A outputs the guess b , if b = b, then output 1 meaning T = e(g, g)zx ; else output 0 meaning T = e(g, g)r .
Anonymous Conditional Proxy Re-encryption without Random Oracle
59
q +1
Probability Analysis: If T = e(g, g)zx , then the simulation is perfect, and A will guess the bit b correctly with probability 1/2 + . Else, T is uniformly random, and thus (C 5 ∗ , C 6 ∗ ) is a uniformly random and independent element. In this case, the inequality C 6 ∗ = e(C 5 ∗ , g)1 /(x −w b ) holds with probability 1 − 1/p. When these inequality hold, the value of K ∗ = e(C 5 ∗ , dw b ,0 )(C 6 ∗ )s w b ,0 = e(C 5 ∗ , (h0 )1 /(x −w b ) )((C 6 ∗ )/ (e(C 5 ∗ , g)1 /(x −w b ) ))s w b ,0 is uniformly random and independent from A’s view (except for the value C 3 ∗ ), since sw b ,0 (when q ≥ q k + 1, {sw b ,k = f k (wb )}k ∈{0 ,1 ,2 } are random values from A’s view) is uniformly random and independent from A’s view (except for the value C 3 ∗ ). Thus, C 3 ∗ is uniformly random and independent, and (C 5 ∗ , C 6 ∗ , C 3 ∗ ) can reveal no information regarding the bit b. This completes the proof of lemma 2.
4 Conclusion In this paper, we presented the first anonymous conditional proxy re-encryption (C-PRE) scheme without random oracle, which is an affirmative answer to the open question posed in [21]. Our system is efficient and only requires a well-known bilinear complexity assumption.
References 1. Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. In: Proc. of the 12th Annual Network and Distributed System Security Symposium, pp. 29–44 (2005) 2. Baek, J., Safavi-Naini, R., Susilo, W.: Public key encryption with keyword search revisited. In: Gervasi, O., Murgante, B., Lagan`a, A., Taniar, D., Mun, Y., Gavrilova, M.L. (eds.) ICCSA 2008, Part I. LNCS, vol. 5072, pp. 1249–1259. Springer, Heidelberg (2008) 3. Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998) 4. Boneh, D., Boyen, X.: Efficient selective-ID based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004) 5. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004) 6. Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 229–231. Springer, Heidelberg (2001) 7. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: Proc. of 30th ACM STOC, pp. 209–218. ACM Press, New York (1998) 8. Canetti, R., Halevi, S., Katz, J.: Chosen-Ciphertext Security from Identity-Based Encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004) 9. Canetti, R., Hohenberger, S.: Chosen-ciphertext secure proxy re-encryption. In: Proc. of the 14th ACM conference on Computer and communications security, pp. 185–194. ACM, New York (2007)
60
L. Fang, W. Susilo, and J. Wang
10. Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003) 11. Chu, C., Tzeng, W.: Identity-based proxy re-encryption without random oracles. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 189–202. Springer, Heidelberg (2007) 12. Deng, R.H., Weng, J., Liu, S., Chen, K.: Chosen-cipertext secure proxy re-encryption without pairings. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 1–17. Springer, Heidelberg (2008) 13. Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005) 14. Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006) 15. Green, M., Ateniese, G.: Identity-based proxy re-encryption. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 288–306. Springer, Heidelberg (2007) 16. Kiltz, E., Vahlis, Y.: CCA2 secure IBE: standard model efficiency through authenticated symmetric encryption. In: Malkin, T.G. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 221–238. Springer, Heidelberg (2008) 17. Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy re-encryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360–379. Springer, Heidelberg (2008) 18. Rhee, H.S., Susilo, W., Kim, H.-J.: Secure searchable public key encryption scheme against keyword guessing attacks. IEICE Electron. Express 6(5), 237–243 (2009) 19. Shao, J., Cao, Z.: CCA-secure proxy re-encryption without pairings. In: Proc. of PKC 2009. LNCS, vol. 5443, pp. 357–376. Springer, Heidelberg (2009) 20. Shao, J., Xing, D., Cao, Z.: Analysis of CCA secure unidirectional ID-based PRE scheme. Technical Report of TDT, Shanghai Jiao Tong University (2008) 21. Weng, J., Deng, R.H., Chu, C., Ding, X., Lai, J.: Conditional proxy re-encryption secure against chosen-ciphertext attack. In: Proc. of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security (ASIACCS 2009), pp. 322–332 (2009)
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme S. Sharmila Deva Selvi, S. Sree Vivek , and C. Pandu Rangan Theoretical Computer Science Lab, Department of Computer Science and Engineering, Indian Institute of Technology Madras, India {sharmila,svivek,prangan}@cse.iitm.ac.in
Abstract. Signcryption is a cryptographic primitive that provides authentication and confidentiality simultaneously in a single logical step. It is often required that multiple senders have to signcrypt a single message to a certain receiver. Obviously, it is inefficient to signcrypt the messages separately. An efficient alternative is to go for multi-signcryption. The concept of multi-signcryption is similar to that of multi-signatures with the added property - confidentiality. Recently, Jianhong et al. proposed an identity based multi-signcryption scheme. They claimed that their scheme is secure against adaptive chosen ciphertext attack and it is existentially unforgeable. In this paper, we show that their scheme is not secure against chosen plaintext attack and is existentially forgeable, we also provide a fix for the scheme and prove formally that the improved scheme is secure against both adaptive chosen ciphertext attack and existential forgery. Keywords: Identity Based Cryptography, Signcryption, Cryptanalysis, Multi-Signcryption, Bilinear Pairing, Provable Security , Random Oracle Model.
1
Introduction
Secure message transmission over an insecure channel like internet requires both confidentiality and authenticity. An encryption scheme is used to achieve confidentiality and digital signature is used to achieve unforgeability. Digital signcryption scheme is a cryptographic primitive that achieves both these properties together in an efficient way. In 1997, Zheng [13] proposed the first digital signcryption scheme with the aforementioned properties, lower computational cost and communication overhead than signing then encrypting (StE ) or encrypting then signing (EtS ) the message (i.e, signing and encrypting the same message independently). Since then, many signcryption schemes were proposed. Baek et
Work supported by Project No. CSE/05-06/076/DITX/CPAN on Protocols for Secure Communication and Computation sponsored by Department of Information Technology, Government of India.
J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 61–75, 2009. c Springer-Verlag Berlin Heidelberg 2009
62
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
al. [2] gave the formal security model for digital signcryption schemes and provided the security proof for Zheng’s [13] scheme in the random oracle model. In 1984, Shamir [11] introduced the concept of identity based cryptography and proposed the first identity based signature scheme. The idea of identity based cryptography is to enable an user to use any arbitrary string that uniquely identifies him as his public key. Identity based cryptography serves as an efficient alternative to Public Key Infrastructure (PKI) based systems. Multi-signcryption schemes can be employed when multiple senders want to signcrypt a single message to a single receiver. Informally, a multi-signcryption scheme can be considered as a multi-signature scheme with message confidentiality. Jianhong et al. [12] were the first to propose an identity based multisigncryption scheme. There are a few multi-signcryption schemes available in the literature [9,8,10] but to the best of our knowledge Jianhong et al.’s [12] scheme is the only identity based multi-signcryption scheme available to date. Multi-signcryption schemes can be directly used in many applications, such as E-Business - for a joint signing of confidential contracts between two or more organizations, or E-Government - to signcrypt an electronic legal document by a number of higher authorities, or in membership - for access right authentication of confidential resources. In all these applications if the signcryptions are performed individually by the group of senders, the cost involved in unsigncryption is high. Multi-signcryption enables to perform unsigncryption with the cost equal to a single unsigncryption irrespective of the number of senders. Our Contribution. In this paper, we point out that Jianhong et al.’s [12] scheme is insecure with respect to chosen plaintext attack and is existentially forgeable. We also propose an improvement to Jianhong et al.’s [12] identity based multi-signcryption scheme and formally prove the confidentiality of the scheme against adaptive chosen ciphertext and identity attack. We give a new security model for unforgeability, which is adapted from Bellare et al.’s security model for identity based multi-signature schemes. Thus our scheme turns out to be the first provably secure identity based multi-signcryption scheme. We also give the complexity figure of the improved scheme.
2
Preliminaries
Dutta et al. [6] gives a brief review of Biliner Pairing, Computational Diffie Hellman Problem (CDHP) and Computational Bilinear Diffie Hellman Problem (CBDHP). We refer the Bilinear Diffie Hellman Problem (BDHP) in [6] as Computational Bilinear Diffie Hellman Problem (CBDHP) in this paper. 2.1
Identity-Based Multi-Signcryption
A generic Identity-Based Multi-Signcryption scheme for signcrypting a single message from n senders to a single recipient consists of the following probabilistic polynomial time algorithms:
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
63
– Setup(κ). Given a security parameter κ, the Private Key Generator (PKG) generates the public parameters params and master secret key msk of the system. – Key Extract(IDi ). Given an identity IDi of an user, the PKG computes the corresponding private key Si and transmits it to owner in a secure way. – Signcryption(m, L = {ID1 , . . . , IDn }, IDX , S1 , . . . , Sn ). To signcrypt a message m to the receiver IDX , the set of senders L with identity ID1 , . . . , IDn and private key S1 , . . . , Sn run this algorithm to obtain the signcryption σ. – Unsigncryption(σ, L = {ID1 , . . . , IDn }, IDX , SX ). When the receiver X with identity IDX and private key SX receives the signcrypted ciphertext σ from a set of senders L with identities L = {ID1 , . . . , IDn }, X executes this algorithm to obtain either the plain text m or a message invalid with respect to the validity of σ. 2.2
Security Model for Identity-Based Multi-Signcryption
The notion of semantic security of public key encryption was extended to identity-based signcryption scheme by Malone-Lee in [7]. This was later modified by Sherman et al. in [5] which incorporates indistinguishability against adaptive chosen ciphertext and identity attacks and existential unforgeability against adaptive chosen message and identity attacks. We describe below the security models for confidentiality of an identity-based multi-signcryption scheme against adaptively chosen ciphertext and identity attack, and provide a new model for unforgeability based on unforgeability model of Bellare et al.’s [3] for identity based multi-signature scheme. These are the strongest security notions for this problem. It is to be noted that Jianhong et al. [12] have proved confidentiality in the chosen identity model where as we prove our scheme in the adaptive chosen identity model which is considered to be stronger than chosen identity model [4]. Confidentiality: An identity based multi-signcryption scheme is indistinguishable against adaptive chosen ciphertext attacks (IND-CCA2), if no polynomially bounded adversary A has a non-negligible advantage in the following game between the challenger C and A: Setup: The challenger C runs this algorithm to generate the master public and private keys, params and msk respectively. C gives params to A and keeps the master private key msk secret from A. Phase 1: A performs a series of queries in an adaptive fashion in this phase. The queries allowed are given below: Key Extract queries: A chooses an identity IDi and gives it to C. C computes the corresponding private key Si and sends it to A. Signcryption queries: A produces a list of senders L = {ID1 , . . . , IDn }, the recipient identity IDX and a message m to C. C computes the signcryption σ of the message m with L as the group of senders, IDX as the receiver and sends σ to A.
64
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
Unsigncryption queries: Given a ciphertext σ = Signcryption(m, L = {ID1 , . . . , IDn }, IDX , S1 , . . . , Sn ), C unsigncrypts σ with the receiver private key SX , the list of sender identities L and returns the corresponding message to A if σ is a valid signcryption from the list if senders L to the receiver IDX , else, C returns “invalid”. Challenge: At the end of Phase 1, A sends to C, plaintexts m0 and m1 of equal length, a receiver identity IDX and a sender list L = {ID1 , . . . , IDn }. Here, A should have created the public key corresponding to the user in the sender list L and the receiver IDX . However, A should not have queried the private key of IDX to the key extract oracle. Now, C chooses b ∈R {0, 1} and computes the challenge signcryption σ ∗ on the message mb with L as the group of senders, IDX as the receiver and returns σ ∗ to A. Phase 2: A can perform polynomially bounded number of queries adaptively again as in Phase 1 but A cannot ask the key extraction query on the receiver identity IDX or cannot ask the unsigncryption query on the challenge signcryption (σ ∗ , IDX ). Guess: A outputs a bit b and wins the game if b = b. The advantage of A is defined as AdvA = |2P r[b = b] − 1|, where P r[b = b] denotes the probability that b = b. Existential Unforgeability: Jianhong et al. [12] did not provide the formal security model for unforgeability of identity based multi-signcryption scheme but they claim that, a slightly altered security model of Malone-Lee et al. [7] has been adapted for their scheme. Bellare et al., in [3] have given two security notions for unforgeability of identity based multi-signature schemes, namely, single-signer security and multi-signer security, and have proved that single-signer security implies multi-signer security [3]. We extend the notion of single-signer security of Bellare et al. to prove the unforgeability of our improved identity based multi-signcryption scheme. An identity based multi-signcryption scheme is claimed to be existentially unforgeable under chosen message attack (EUF-CMA), if any polynomially bounded forger F has a negligible advantage in the following game: Setup: The challenger C runs the Setup algorithm to generate the master public and private keys, params and msk respectively. C gives params to F and keeps the master private key msk secret from F . Training Phase: F asks polynomial number of queries to the various oracles provided by C, without any restrictions. Forgery: At the end of the Training Phase, F chooses a message m and produces a signcryption σ ∗ on m with L = {ID1 , . . . , IDn } as the list of sender identities and IDX as the receiver identity. F wins the game if the private keys of at least one of the user in the list of senders L was not queried during Training Phase, σ ∗ is a valid signcryption and σ ∗ is not the output of any previous queries to the Signcryption Oracle with m as the message, L as the sender list and IDX as the receiver. (note that the private key SX of the receiver IDX can be queried by F during the Training Phase.)
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
3
65
Review and Attack of Jianhong et al.’s Identity Based Multi-Signcryption Scheme (JJ-IBMSC)
In this section we review the identity based multi-signcryption scheme of Jianhong et al.’s (JJ-IBMSC) presented in [12]. We also show that [12] does not provide both confidentiality and unforgeability. 3.1
Review of the Scheme
This scheme has the following four algorithms. 1. Setup: Given κ the security parameter and l the length of the message, the PKG chooses two groups G1 and G2 of prime order q > 2κ , a bilinear map eˆ : G1 × G1 → G2 and a random generator P of G1 . It then chooses a master private key s ∈R Z∗q , a system-wide public key Ppub = sP and three cryptographic hash functions H1 : {0, 1}∗ → G1 , H2 : G2 → {0, 1}l and H3 : {0, 1}∗ → Z∗q . The public parameters P arams= G1 , G2 , P, eˆ, H1 , H2 , H3 , Ppub , κ. 2. Key Extract: Given an identity IDi ∈ {0, 1}∗, the PKG does the following to extract the private key corresponding to IDi : – Computes Qi = H1 (IDi ) ∈ G1 and – Computes the private key Si = sQi . 3. Signcryption: Given a message m, a receiver identity IDX and a list of n sender identities L = {ID1 , . . . , IDn } Each sender i executes the following steps: – Chooses xi ∈R Zq ∗ and computes Ri = xi P . – Computes ωi = eˆ(Ppub , QX )xi . – Sends Ri , ωi to the other senders through a secure channel. – After receiving all other senders Ri , ωi values, each sender computes n n ω = j=1 ωj , c = H2 (ω) ⊕ m, R = j=1 Rj and Ti = xi H1 (m) + H3 (R)Si . The resultant signcryption is σ = c, T, R, L, where T = nj=1 Tj . 4. Unsigncryption: Given σ = c, T, R, L, the receiver with identity IDX does the following: – Computes ω = eˆ(R, SX ). – Retrieves the message m = H2 (ω ) ⊕ c. n ? – Accepts the message if eˆ(T, P ) = eˆ(R, H1 (m))ˆ e(Ppub , j=1 Qj )H3 (R) 3.2
Attacks on Jianhong et al.’s Identity Based Multi-Signcryption Scheme (JJ-IBMSC)
We launch two different attacks on the scheme to show both the weakness in confidentiality as well as unforgeability.
66
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
Attack on Confidentiality: During the confidentiality game the adversary A interacts with the challenger C in Phase 1 by performing various queries on Hash, Key Extraction, Signcryption and Unsigncryption oracles. At the end of Phase 1, A choose two messages m0 and m1 , a list of sender identities L = {ID1 , . . . , IDn } and a targeted receiver identity IDX on which A wants to be challenged and sends them to C (note that, A should not have queried the private key for the targeted receiver identity IDX throughout the game but is allowed to query the private keys corresponding to all the senders in L). Now, C chooses a bit b ∈R {0, 1} and generates a challenge signcryption σ ∗ = c∗ , T ∗ , R∗ , L and sends σ ∗ to A. We now show that up on receiving the challenge signcryption σ ∗ , A can perform the following to check whether σ ∗ is a valid signcryption of message m0 or m1 . – Computes H0 = H1 (m0 ). ?
n – Checks whether eˆ(T, P ) = eˆ(R, H0 )ˆ e(Ppub , Σj=1 Qj )H3 (R) . ∗ – If the above check passes then σ is the signcryption of m0 , otherwise σ ∗ is the signcryption of the message m1 .
This shows that the scheme is not even secure against chosen plaintext attack because on receiving the challenge signcryption σ ∗ , A is capable of distinguishing whether σ ∗ is a signcryption of m0 or m1 , without any further interaction with C. Remark 1. This attack is possible because A knows the messages m0 and m1 during the confidentiality game and during unsigncryption, the message is di? n rectly used for the verification test eˆ(T, P ) = eˆ(R, H1 (m))ˆ e(Ppub , Σj=1 Qj )H3 (R) . ∗ Therefore, A can check the validity of σ with respect to both the messages and find out for which message the equation holds. Attack on Unforgeability: The forger F aims to generate the signcryption of a message m on a list of senders L∗ to a receiver IDY . Here the forger does not know the private key of any of the identities in L∗ . In order to achieve this, F first selects a set of identities L = {ID1 , . . . , IDk }, where F knows the private key corresponding to all the identities in L . F then sets L = L∗ ∪L . Now, F sends a message m, the list L and an identity IDX (where IDX = IDY ) to the challenger C and obtains a signcryption σ = c, T, R, L from C (Note that it is legal for F to ask this signcryption from C). F constructs σ ∗ = Signcryption(m, L = {ID1 , . . . , IDk }, IDY , S1 , . . . , Sk ) as follows: – As mentioned earlier let σ = c, T, R, L be the signcryption on m from L to IDX . – F queries the private key SY , corresponding to IDY (Since the receivers private key is available in the unforgeability game). – F takes the value R from σ and computes ω ∗ = eˆ(R, SY ) and computes a new value c∗ = m ⊕ H2 (ω ∗ ). – Computes T ∗ = T − H3 (R) (ΣIDi ∈L Si ) and sets R∗ = R
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
67
– Now, F produces σ ∗ = c∗ , T ∗ , R∗ , L∗ as a valid signcryption on the same message m as σ with L∗ as the list of senders and IDY as the receiver to the challenger. We show that the new signcryption σ ∗ = c∗ , T ∗ , R∗ , L∗ is valid because it passes the verification with respect to the private key of the receiver IDY . – Compute ω = eˆ(R∗ , SY )=ˆ e(R, SY ). – Retrieve the message m = H2 (ω ) ⊕ c∗ . – The message m obtained during unsigncryption is a valid message because ∗ n eˆ(T ∗ , P ) = eˆ(R∗ , H1 (m )) eˆ(Ppub , j=1 Qj )H3 (R ) . We show the correctness of the above check with respect to the forged signcryption. n eˆ(T ∗ , P )= eˆ(i=1 Ti , P ) n ∗ = eˆ(i=1 {xi H1 (m ) + H3 (R n)Si }, P ) ∗ n = eˆ( i=1 {xi }H1 (m ), P )ˆ e( i=1 {H 3 (R )sQi }, P ) n n = eˆ(H1 (m ), i=1 {xi P })ˆ e(H3 (R∗ ) i=1 {Qi }, sP ) ∗ n = eˆ(H1 (m ), R)ˆ e( i=1 {Qi }, Ppub )H3 (R ) Remark 2. Informally, this forgery is possible because there is no binding between the signature component Ti and the receiver identity IDX and the other senders in list L involved in the generation of signcryption σ. The component Ti acts as a signature because it is computed with the sender’s private keys. So, the forger F can alter the receiver and generate the new signcryption σ by changing the component c, the senders list and the receiver. The component c can be computed using the private key of the new receiver, which is known to F . (Note: It is well known that during unforgeability game for signcryption, F has access to the receiver’s private key in order to ensure insider security.)
4
Improved Identity Based Multi-Signcryption Scheme (I-IBMSC)
The scheme by Jianhong et al. [12] can be fixed by modifying it suitably so that it satisfies the necessary conditions outlined by An, Dodis and Rabin [1]. In this section, we present a possible fix for [12]. We also prove the indistinguishability against adaptive chosen ciphertext attack (IND-CCA2) for confidentiality and existential unforgeablity against chosen message attack (EUF-CMA) for unforgeability of I-IBMSC in the random oracle model. These are the strongest security notions for any identity based multi-signcryption scheme. Our modifications are simple and subtle and the formal proofs are non-trivial. 4.1
The Scheme (I-IBMSC)
The improved scheme has the following four algorithms as in JJ-IBMSC [12].
68
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
1. Setup: This algorithm is similar to that of the Setup algorithm in JJIBMSC with a new definition for the hash function H2 . We define H2 : {0, 1}∗ → {0, 1}l in I-IBMSC. We also add one more hash function H4 , which is defined as H4 : {0, 1}∗ → G1 . 2. Key Extract: This algorithm is identical to that of the Key Extract algorithm in JJ-IBMSC. 3. Signcryption: Given a message m, a receiver identity IDX and a list of n sender identities L = {ID1 , . . . , IDn }, each sender indexed i, for i = 1 to n executes the following steps: – Chooses xi ∈ Zq ∗ at random and computes Ri = xi P . – Computes ωi = eˆ(Ppub , QX )xi . – Sends Ri , ωi to all other senders in the list L, through a secure channel. After receiving all other senders Ri , ωi values, each sender continues to do the following; n – Computes ω = j=1 ωj and h2 = H2 (ω, L, IDX ). n – Sets c = h2 ⊕ m, computes R = j=1 Rj , M = H4 (m, ω, R, L, IDX ) and h3 = H3 (R, L, IDX ). – Computes Ti = xi M + h3 Si . Now, each sender IDi sends their corresponding Ti , c and R values to a clerk (Note that one of the senders in the list L may act as clerk), who checks whether c and R values sent by all senders are identical; if so, the clerk computes T = nj=1 Tj and outputs the resultant signcryption as σ = c, T, R, L. 4. Unsigncryption: Given σ = c, T, R, L, the receiver with identity IDX does the following to unsigncrypt it: – Computes ω = eˆ(R, SX ). – Computes h2 = H2 (ω , L, IDX ) and retrieves the message m = h2 ⊕ c. – Computes M = H4 (m , ω , R, L, IDX ) and h3 = H3 (R, L, IDX ). n ? – Accepts the message m if eˆ(T, P ) = eˆ(R, M )ˆ e(Ppub , j=1 {Qj })h3 . Note that the acceptance test is same as that of Jianhong et al.’s [12] but the change in the definition of the hash functions H2 , H3 and the introduction of the new hash function H4 provide the needed security for our system. 4.2
Security of the Scheme (I-IBMSC)
We prove the security of I-IBMSC with respect to confidentiality (IND-I-IBMSCCCA2) and unforgeability (EUF-I-IBMSC-CMA) in this section. Confidentiality Theorem 1. If an IND-I-IBMSC-CCA2 adversary A has an advantage against I-IBMSC scheme, asking qHi (i = 1, 2, 3, 4) hash queries to random oracles OHi (i = 1, 2, 3, 4), qe extract queries (qe = qe1 + qe2 , where qe1 and qe2 are the number of extract queries in the first phase and second phase respectively), qsc signcryption queries and qus unsigncryption queries, then there exist 1 an algorithm C that solves the CBDH problem with advantage qH qH . 1
2
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
69
Proof. Let C be a challenger, who is challenged with an instance of CBDHP say, (P, aP, bP, cP ) ∈ G41 for unknown a, b, c ∈ Z∗q . The aim of C is to compute α = eˆ(P, P )abc . Consider an adversary A who is capable of breaking the IND-IIBMSC-CCA2 security of I-IBMSC. C can make use of A to solve the CBDHP instance with non-negligible advantage in polynomial time as described below. It is assumed that in the IND-I-IBMSC-CCA2 game A queries OH1 oracle with ID before using ID as input for any oracle query. Setup: C starts the confidentiality game by setting up the system with P arams = κ, G1 , G2 , P, eˆ, Ppub , where Ppub = aP and models the hash functions Hi ’s as random oracles OHi , for i = 1 to 4 and sends the public parameters to A. Phase 1: A performs a series of queries to the oracles provided by C. In-order to maintain the consistency of the responses given by the oracles OHi , C maintain lists Li , for i = 1 to 4. The oracles provided by C and the responses given to the corresponding queries by C are described below: Oracle OH1 (IDi ): We will make a simplifying assumption that A queries the OH1 oracle with distinct identities in each query. There is no loss of generality due to this assumption, because, if the same identity is repeated, by definition the oracle consults the list L1 and gives the same response. Thus, we assume that A asks qH1 distinct queries for qH1 distinct identities. Among this qH1 identities, a random identity has to be selected as target identity and it is done as follows. C selects a random index γ, where 1 ≤ γ ≤ qH1 . C does not reveal γ to A. When A generates the γ th query on IDγ , C fixes IDγ as target identity for the challenge phase and C responds to A as follows: – If i = γ, C sets Qγ = bP , returns Qγ as the response to the query and stores IDγ , Qγ , ∗ in the list L1 . Here, C does not know b since C uses the bP value given in the instance of the CBDHP. – For all other queries, C chooses yi ∈R Zq∗ and sets Qi = yi P and stores IDi , Qi , yi in the list L1 . C returns Qi to A. (Note that as the identities are assumed to be distinct, for each query, we create distinct entry and add in the list L1 ). Oracle OH2 (ω, L, IDX ): When A makes this query, C checks for the tuple ω, L, IDX , h2 in the list L2 . If an entry was found then returns the corresponding h2 as the response else chooses h2 ∈R {0, 1}l and adds the tuple ω, L, IDX , h2 to the list L2 and returns h2 as the response to A. Oracle OH3 (R, L, IDX ): When A makes this query, C checks for the tuple R, L, IDX , h3 in the list L3 . If an entry was found then returns the corresponding h3 as the response else chooses h3 ∈R Z∗q and adds the tuple R, L, IDX , h3 to the list L3 and returns h3 as the response to A. Oracle OH4 (m, ω, R, L, IDX ): When A makes this query, C checks for the tuple m, ω, R, L, IDX , z, M in the list L4 . If an entry was found then returns the corresponding M as the response else chooses z ∈ Z∗q randomly and computes M = zPpub . C now adds the tuple m, ω, R, L, IDX , z, M to the list L4 and returns M as the response to A.
70
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
Oracle OKeyExtract (IDi ): A chooses an identity IDi and queries the corresponding private key Si to this oracle (Note that A should have performed the OH1 (IDi ) query before performing this query). C responds to this query as follows: – If IDi = IDγ , then C aborts. – Else, C retrieves yi corresponding to IDi from L1 , computes Si = yi (aP ) = a(yi P ) = aQi and returns Si to A. Oracle OSigncryption (m, L, IDX ): Here, m is the message to be signcrypted, L is the list of identities of n senders and IDX is the identity of the receiver. If IDγ ∈ / L, then C can generate the signcryption on the message m because C knows the private key of all senders belonging to L. – If IDγ ∈ L then C performs the following: • Chooses z, r, h3 ∈R Z∗q . 1 • Computes M = z(Ppub ), R = (rP − h3 IDi ∈L Qi ). z • Stores the tuple R, L, IDX , h3 to the list L3 . • Computes T = rPpub . • Stores m, ω, R, L, IDX , z, M in list L4 . (Note: If this tuple is already available in list L4 then C repeats the above steps with different values of r and z.) • Compute ω = eˆ(R, SX ) and c = m ⊕ OH2 (ω, L, IDX ). Now, C returns the signcryption on message m as σ = c, T, R, L to A. It can be easily verified that σ is a valid signcryption on message m with L as the sender list, IDγ ∈ L and IDX as the receiver. Oracle OUnsigncryption (σ, L, IDX ): Here, σ is the signcryption, L is the list of identities of n senders and IDX is the receiver identity. To respond to this ? query, C checks whether IDX = IDγ . – If IDX = IDγ , C proceeds as per the normal unsigncryption algorithm, since C knows the private key of the receiver IDX . – If IDX = IDγ then C computes h3 = OH3 (R, L, IDX ) and performs the following to unsigncrypt σ: 1. Let Δ be the set of pairs (ω, h2 ) from the list L2 corresponding to (L, IDX ) ∈ σ. (The tuples in L2 will be of the form ω, L, IDX , h2 .) 2. For each (ω, h2 ) ∈ Δ, C performs the following, (a) Computes m = c ⊕ h2 . (b) Computes M = OH4 (m , ω, L, IDX ). ?
?
(c) Checks whether eˆ(M, R)1/z = ω and eˆ(T, P ) = eˆ(M, R)ˆ e(Ppub , h3 Q ) . (Note that z is retrieved from the tuples in the IDi ∈L i list L4 corresponding to (m , ω, L, IDX ), which is of the form m , ω, L, IDX , z, M ∈ L4 .) (d) If true, return m . 3. If the test in step 2(c) fails for all (ω, h2 ) ∈ Δ, C returns “invalid”. Challenge: At the end of Phase 1, A generates and sends to C, two plaintexts m0 and m1 of equal length, a sender list L = {ID1 , . . . , IDn } and
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
71
the receiver identity IDX . Note that A should not have queried the private key corresponding to IDX in Phase 1. C checks whether IDX = IDγ . If not, C aborts, else, C chooses a bit b ∈R {0, 1} and computes the challenge signcryption σ ∗ on the message mb with L as the group of senders and IDX as the receiver by performing the following: – C sets R = cP , chooses randomly T ∈ G1 and c ∈ {0, 1}l Now, C outputs the signcryption on the message mb as σ = c, T, R, L. Phase 2: A can perform polynomially bounded number of queries adaptively again as in Phase 1 with the restriction that A cannot query – The key extract oracle for the private key of IDX . – The unsigncryption oracle with the challenge signcryption σ ∗ , IDX . Guess: At the end of Phase 2, A outputs a guess b to C. Similar to the argument in [4], C ignores the response by A, picks a random ω from the list L2 and returns it as the solution to the CBDHP instance. Since the challenge ciphertext σ ∗ given to A is randomly distributed in the ciphertext space, A cannot gain any advantage in the IND-I-IBMSC-CCA2 game. Thus, any adversary that has advantage in the real IND-I-IBMSC-CCA2 game must necessarily recognize with probability at least that the challenge ciphertext provided by C is incorrect. For A to find that σ ∗ is not a valid ciphertext, A should have queried the OH2 oracle with ω = eˆ(R, Sγ ) (Since the receiver in σ ∗ is IDX = IDγ ). Here Sγ is the private key of the target identity and it is a(Qγ ) = abP . Also, C has set R = cP . Hence ω = eˆ(R, Sγ ) = eˆ(cP, abP ) = eˆ(P, P )abc . Therefore, one of the entries in the list L2 should be the value eˆ(P, P )abc . With probability qH1 , the value of ω chosen by C from list L2 2 will be the solution to CBDHP instance. Now, we analyze the probability of success of C. The events in which C aborts the IND-I-IBMSC-CCA2 game are, 1. E1 - when A queries the private key of the target identity IDγ and qe P r[E1 ] = 1 . qH1 2. E2 - when A does not choose the target identity IDγ as the receiver 1 during the challenge and P r[E2 ] = 1 − . qH1 − qe1 The probability that, C does not abort the IND-I-IBMSC-CCA2 game is given by qe 1 1 (P r[¬E1 ∧ ¬E2 ]) = 1 − 1 = qH1 qH1 − qe1 qH1 The probability that, the ω chosen randomly from L2 by C, being the solution 1 to CBDHP is qH . Therefore, the probability of C solving CBDHP is given 2 by, P r[C(P, aP, bP, cP |a, b, c ∈R Z∗q ) = eˆ(P, P )abc ] = qH 1qH 1
2
Since is non-negligible, the probability of C solving CBDHP is also nonnegligible.
72
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
Unforgeability Theorem 2. If an EUF-I-IBMSC-CMA forger F exists against I-IBMSC scheme, asking qHi (i = 1, 2, 3, 4) hash queries to random oracles Hi (i = 1, 2, 3, 4), qe extract secret key queries, qsc signcryption queries and qus unsigncryption queries, then there exist an algorithm C that solves the CDHP with advantage. Proof. Let C be a challenger who is challenged with an instance of CDH problem say, (P, aP, bP ) ∈ G31 for unknown a, b ∈ Z∗q . The aim of C is to compute the value abP . Consider a forger F who is capable of breaking the EUF-I-IBMSCCMA security of I-IBMSC. C can make use of F to solve the CDH problem instance with non-negligible advantage in polynomial time as described below. Setup: C starts the unforgeability game by setting up the system with Ppub = aP , models the hash functions Hi ’s as random oracles OHi , for i = 1 to 4 and sends the public parameters P arams = κ, G1 , G2 , P, eˆ, Ppub to F . The elements of P arams are set identical to that of the CDH instance, C has received. It is assumed in the EUF-I-IBMSC-CMA game that A queries OH1 oracle with ID before using ID as input for any other query. Training Phase: F performs a series of queries to the oracles provided by C. In-order to maintain the consistency of the responses given by the oracles OHi , C maintain lists Li , for i = 1 to 4. The oracles OHi , i = 1, 2, 3 and OKeyExtract provided by C and the responses given to the corresponding queries by C are identical to that of the IND-I-IBMSC-CCA2 game. The description of the other oracles are given below, Oracle OH4 (m, ω, R, L, IDX ):When A makes this query, C checks for the tuple m, ω, R, L, IDX , z, M in the list L4 . If an entry was found then returns the corresponding M as the response else chooses z ∈ Z∗q randomly and if IDX = IDγ , C computes M = zP else computes M = zPpub . C now adds the tuple m, ω, R, L, IDX , z, M to the list L4 and returns M as the response to A. Oracle OSigncryption (m, L, IDX ): Here, m is the message to be signcrypted, L is the list of identities of n senders and IDX is the receiver identity (Note that the receiver identity can also be the target identity IDX ). Even in the case of IDX = IDγ , C can generate the signcryption on the message m because C knows the private key of all senders belonging to L. In order to respond to this query, C checks for each IDi ∈ L, whether IDi = IDγ . If IDγ ∈ / L, F follows the signcrypt protocol as C knows the private key of all senders in L. If IDγ ∈ L then C performs the following: – Chooses z, h3 randomly from Z∗q −h3 – Computes M = zQγ and R = Ppub . z – Computes ω = eˆ(R,SX ) and c = m ⊕ OH2 (ω, L, IDX ). – Computes T = h3 ( IDi ∈L∧IDi =IDγ Si ). – Stores m, ω, R, L, IDX , z, M in list L4 . (Note: If this tuple is already available in list L4 then C repeats the above steps with different values.)
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
73
Now, C stores m, σ = c, T, R, L, IDX in list L5 returns the signcryption on message m as σ to F . It can be easily verified that σ is a valid signcryption on message m with L as the sender list, IDγ ∈ L and IDX as the receiver. Oracle OUnsigncryption (σ, L, IDX ): Here, σ is the signcryption, L is the list of identities of n senders and IDX is the receiver identity. To respond to this query, C does the following. – If IDX = IDγ then C knows the private key of IDX and can perform the unsigncryption as per the protocol. – If IDX = IDγ , then C performs the following to unsigncrypt σ – If σ ∈ L5 , then C returns m to F , – Otherwise, C does the following: 1. Computes h3 = OH3 (R, L, IDX ). 2. Let Δ be the set of pairs (ω, h2 ) from the list L2 corresponding to (L, IDX ) ∈ σ. (The tuples in L2 will be of the form ω, L, IDX , h2 .) 3. For each (ω, h2 ) ∈ Δ, C performs the following, (a) Computes m = c ⊕ h2 . (b) Computes M = OH4 (m , ω, L, IDX ). ?
?
(c) Checks whether eˆ(M, R)1/z = ω and eˆ(T, P ) = eˆ(M, R)ˆ e(Ppub , h3 Q ) . (Note that z is retrieved from the tuples in the i IDi ∈L list L4 corresponding to (m , ω, L, IDX ), which is of the form m , ω, L, IDX , z, M ∈ L4 ). (d) If true, return m . 4. If the test in step 3(c) fails for all (ω, h2 ) ∈ Δ, C returns “invalid”. Forgery: Eventually, F outputs a forged signcryption σ ∗ = c∗ , T ∗ , R∗ , L on some message m∗ with L as the list of senders and an arbitrary receiver, say IDX . The restriction in generating σ ∗ is, F should not have generated σ ∗ by querying the signcryption oracle OSigncryption in any previous queries on the message m∗ with L as the list of senders and IDX as the receiver. C can very well unsigncrypt and verify the validity of the forged signcryption σ ∗ because C knows the secret key of the receiver during the unforgeability game. If the forged signcryption σ ∗ passes the verification and at least one of the identities in L say IDA was not the output of any previous key extract queries, then C can obtain the solution for the CDH problem instance by performing the following steps: – – – – –
C obtains ω ∗ and the message m∗ during unsigncryption. ∗ ∗ ∗ It then checks tuple of the form nthe list L4 for the n m , ω , R , L, IDX , z, M . n Computes i=1 {xi M }n= i=1 xi (zP )n = z i=1 (xi )P = zR. Computes X = T− i=1 {xi M } = i=1 h3 Si . Computes Y = ni=1 {h3 Si } − ni=1,i=A h3 Si = h3 SA . This is possible because C can retrieve the value h3 from the list L3 which corresponds to the tuple R, L, IDX , h3 and C knows the private key corresponding to all the identities of the sender list L except IDA . Therefore, C can compute: (h3 )−1 Y = (h3 )−1 h3 SA = (h3 )−1 h3 abP = abP
74
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
Thus, C is capable of finding abP value which is the solution for the CDH problem instance. So, if there exists a forger who can forge a valid signcryption with non-negligible advantage, then there exists an algorithm to solve the CDH problem with non-negligible advantage. Since this is not possible, no forger can forge a valid signcryption with non-negligible advantage. Hence, I-IBMSC is secure against any EUF-I-IBMSC-CMA attack. Now we analyse the probability of success of C in solving the CDHP. P r[C(aP, bP ) = abP |a, b ∈ Z∗q ] = P r[F (σ ∗ , IDX ) = V alid].P r[¬Abort] The events in which C aborts are: – E1 - F queries the private key of the target identity to the key extract oracle qe and P r[E1 ] = . qH1 – E2 - F doesnot choose ID γ as sender in Lwhich is used for forgery and qH1 − qe − n n P r[E2 ] = = 1− . qH1 − qe qH1 − qe Therefore, the probability that C does not abort the game is given by P r[¬Abort]= P r[¬E1 ∧¬E 2 ] qe n = 1− 1− 1− qH1 qH1 − qe qH1 − qe n n = = qH1 qH1 − qe qH1 Thus, the probability of success of C is given by P r[C(aP, bP ) = abP |a, b ∈ Z∗q ] = n qH1
5
Conclusion
As the only existing identity based multi-signcryption scheme is cryptanalized for its confidentiality and unforgeability, we do not compare the efficiency of our scheme with any other scheme but we present the complexity figure of I-IBMSC scheme below: Table 1. Complexity figure for I-IBMSC
Scheme
Signcrypt Designcrypt PA SM GE M G P A SM GE M G I-IBMSC 1/sender 3/sender 1/sender 1/sender 4 1 1 P A - Pairing, SM - Scalar Multiplication, GE - Exponentiation in G2 , GM - Mapping to G1 .
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
75
We have provided an improved identity based multi-signcryption scheme, which is an extension of Jianhong et al.’s scheme with the proper binding, that provides adequate security to the scheme. We have also proved the security of the improved scheme formally under the random oracle model.
References 1. An, J.H., Dodis, Y., Rabin, T.: On the security of joint signature and encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 83–107. Springer, Heidelberg (2002) 2. Baek, J., Steinfeld, R., Zheng, Y.: Formal proofs for the security of signcryption. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 80–98. Springer, Heidelberg (2002) 3. Bellare, M., Neven, G.: Identity-based multi-signatures from rsa. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 145–162. Springer, Heidelberg (2007) 4. Boyen, X.: Multipurpose identity-based signcryption (a swiss army knife for identity-based cryptography). In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 383–399. Springer, Heidelberg (2003) 5. Chow, S.S.M., Yiu, S.-M., Hui, L.C.K., Chow, K.P.: Efficient forward and provably secure id-based signcryption scheme with public verifiability and public ciphertext authenticity. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 352–369. Springer, Heidelberg (2003) 6. Dutta, R., Barua, R., Sarkar, P.: Pairing-based cryptographic protocols: A survey. In: Cryptology ePrint Archive, Report 2004/064 (2004), http://eprint.iacr.org/ 7. Malone-Lee, J.: Identity-based signcryption. In: Cryptology ePrint Archive, Report 2002/098 (2002) 8. Mitomi, S., Miyaji, A.: A multisignature scheme with message flexibility, order flexibility and order verifiability. In: Clark, A., Boyd, C., Dawson, E.P. (eds.) ACISP 2000. LNCS, vol. 1841, pp. 298–312. Springer, Heidelberg (2000) 9. Pang, X., Catania, B., Tan, K.-L.: Securing your data in agent-based p2p systems. In: Eighth International Conference on Database Systems for Advanced Applications - DASFAA 2003, pp. 55–64. IEEE Computer Society, Los Alamitos (2003) 10. Seo, S.-H., Lee, S.-H.: A secure and flexible multi-signcryption scheme. In: Lagan´ a, A., Gavrilova, M.L., Kumar, V., Mun, Y., Tan, C.J.K., Gervasi, O. (eds.) ICCSA 2004. LNCS, vol. 3046, pp. 689–697. Springer, Heidelberg (2004) 11. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) 12. Zhang, J., Mao, J.: A novel identity-based multi-signcryption scheme. Computer Communications 32(1), 14–18 (2009) 13. Zheng, Y.: Digital signcryption or how to achieve cost(signature & encryption) < < cost(signature) + cost(encryption). In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 165–179. Springer, Heidelberg (1997)
Identity-Based Verifiably Encrypted Signatures without Random Oracles Lei Zhang1 , Qianhong Wu1,2 , and Bo Qin1,3 1
3
UNESCO Chair in Data Privacy Department of Computer Engineering and Mathematics Universitat Rovira i Virgili Av. Pa¨ısos Catalans 26, E-43007 Tarragona, Catalonia 2 Key Lab. of Aerospace Information Security and Trusted Computing Ministry of Education, School of Computer, Wuhan University, China Dept. of Maths, School of Science, Xi’an University of Technology, China {lei.zhang,qianhong.wu,bo.qin}@urv.cat
Abstract. Fair exchange protocol plays an important role in electronic commerce in the case of exchanging digital contracts. Verifiably encrypted signatures provide an optimistic solution to these scenarios with an off-line trusted third party. In this paper, we propose an identity-based verifiably encrypted signature scheme. The scheme is non-interactive to generate verifiably encrypted signatures and the resulting encrypted signature consists of only four group elements. Based on the computational Diffie-Hellman assumption, our scheme is proven secure without using random oracles. To the best of our knowledge, this is the first identity-based verifiably encrypted signature scheme provably secure in the standard model. Keywords: Identity-Based Cryptography, Fair Exchange, Verifiably Encrypted Signature, Provable Security.
1
Introduction
Suppose that two entities Alice and Bob wish to sign some contract. However, neither is willing to produce a signature without being sure that the other will. This kind of applications is referred to as fair exchange. Fair exchange protocols play a critical role in electronic payment systems, contract signing, electronic commerce and certified e-mail. Informally, a fair exchange protocol aims at enabling two entities, who do not fully trust each other, to exchange their items (digital signatures or e-merchandise) in a fair way, so that at the end of the protocol either both entities get the other’s item, or neither does, even if the protocol is halted by any reason. In the last years, a number of fair exchange protocols have been proposed [1,3,9,10,11,15,18,21,23]. Among them, Asokan et al. [1] were the first to formally study the problem of optimistic fair exchanges. They introduced a fair exchange protocol relying on a trusted third party (TTP) in an optimistic way, in the J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 76–89, 2009. c Springer-Verlag Berlin Heidelberg 2009
Identity-Based Verifiably Encrypted Signatures without Random Oracles
77
sense that the TTP does not participate in the actual exchange protocol unless one player crashes or attempts to cheat. In this proposal, the TTP is called offline TTP. However, the protocol by Asokan et al. relies on inefficient interactive zero-knowledge proofs. A verifiably encrypted signature scheme is designed for a fair exchange environment. In this notion, a verifier is able to verify that the encrypted signature hides the user’s signature on a publicly agreed message, but the verifier cannot extract the hidden signature. In 2003, Boneh et al. [3] proposed the first noninteractive verifiably encrypted signature scheme in traditional certificate-based public key cryptography. They implement their construction by aggregating the BLS short signatures [4]. To realize a fair exchange, Alice sends Bob a verifiably encrypted signature on the contract. Then Bob can send his signature to Alice. If Alice does not respond with her signature, Bob can send to the adjudicator (i.e., the off-line TTP) Alice’s verifiably encrypted signature and the transcript of his interaction with Alice. After validating the verifiably encrypted signature and the transcript, the adjudicator will extract Alice’s signature and send it to Bob. Following the work of Boneh et al., several research papers presented other non-interactive verifiably encrypted signature schemes [9,13,15,21,20]. They are all based on traditional public key cryptography, in which a certificate issued by the certificate authority (CA) must be used to provide the binding between an entity and its public key. Such certificate can be verified by anyone and it guarantees the authenticity of an entity’s public key. In practice, the management of public key certificates is costly in terms of computation, storage and communication. To simplify certificate management in traditional public key cryptography, Shamir introduced the concept of ID-based public key cryptography (ID-PKC) [17]. In ID-PKC systems, an entity’s public key is directly derived from its public information such as telephone number, e-mail address and IP address. Therefore, there is no need to obtain the certificate to verify the authenticity of the public key, unlike in traditional public key cryptography. Recently, the investigation of ID-based verifiably encrypted signatures (ID-VES) has attracted much attention [6,8,10,11,22,23]. In [8], a generic construction of ID-VES is presented. One may notice that there is a subtlety. In their generic construction, the public key of a user is no longer his identity only, which is different from the traditional definition of ID-PKC. Based on Hess’s identity-based signature scheme [12], Kwon and Lee [14] presented an efficient and concise ID-VES scheme of smaller size than previous ID-VES schemes in ID-PKC systems. 1.1
Our Contribution
Most verifiably encrypted signature schemes only provide provable security in the random oracle model [2]. However, security proofs in this model can only be considered as a heuristic argument. Canetti et al. [5] demonstrate that behaving like a “random oracle” is not a property that can be realized in general, and that security proofs in the random oracle model do not always imply the security of
78
L. Zhang, Q. Wu, and B. Qin
the actual scheme in the real world. Therefore, verifiably encrypted signature schemes provably secure without random oracles are of great interest. However, only few verifiably encrypted signature schemes [9,15,21] have been shown secure without using random oracles. These schemes are all presented in the setting of traditional public key cryptography. In this paper, we propose an identity-based verifiably encrypted signature scheme. The proposed scheme is non-interactive and does not rely on inefficient zero-knowledge proofs. The resulting encrypted signature consists of only four group elements and the scheme is efficient. For security, the proposal is proven secure without relying on random oracles. Furthermore, we use the computational Diffie-Hellman (CDH) assumption. We also exploit the aggregate extraction assumption which is shown equivalent to the CDH assumption [7]. Hence, our scheme enjoys both desirable performance and security, and is practical for fair exchange applications. We organize the rest of the paper as follows. Section 2 gives some preliminaries, including bilinear maps, computational problems and the notion of ID-VES schemes. Section 3 defines the security of ID-VES schemes. In Section 4 we present the construction of our ID-VES scheme. We prove the security of our scheme in Section 5. Finally, we conclude in Section 6.
2
Preliminaries
In this section, we will review some fundamental background, including the involved computational assumptions and the syntax of identity based verifiably encrypted signatures. 2.1
Bilinear Maps and Computational Problems
Let G1 be an additive group of prime order q and G2 be a multiplicative group of the same order. A mapping e : G1 × G1 −→ G2 is called a bilinear mapping if it satisfies the following properties: 1. Bilinearity: e(g a , g b ) = e(g, g)ab for all a, b ∈ Zq . 2. Non-degeneracy: There exists u, v ∈ G1 such that e(u, v) = 1. 3. Computability: There exists an efficient algorithm to compute e(u, v) for any u, v ∈ G1 . Discrete Logarithm (DL) Problem in G1 : Given h ∈ G1 , find an integer a ∈ Zq such that h = g a . Computational Diffie-Hellman (CDH) Problem in G1 : Given (g α , g β ) for unknown α, β ∈ Zq , compute g αβ . Aggregate Extraction Problem in G1 : Given (g α , g β , g γ , g δ , g αγ+βδ ) for unknown α, β, γ, δ ∈ Zq , compute g αγ . The aggregate extraction problem was introduced by Boneh et al. [3]. Coron and Naccache [7] showed that it is equivalent to the standard CDH problem.
Identity-Based Verifiably Encrypted Signatures without Random Oracles
2.2
79
Syntax of Identity-Based Verifiably Encrypted Signature Schemes
An ID-VES scheme is defined by eight algorithms: Setup, AKeyGen, UKeyGen, Sign, Verify, VESign, VEVerify and Adjudication. The description of each algorithm is as follows. – Setup: This algorithm is performed by the PKG who takes as input a security parameter k to produce a master-key and a list of system parameters params. – AKeyGen: This algorithm is performed by the adjudicator who takes as input the parameter list params to produce the adjudicator’s private and public key pair (x, y). – UKeyGen: This algorithm takes as input a user’s identity ID, the parameter list params and the master-key to produce the user’s private key dID . – Sign: This algorithm takes as input a message m, an identity ID, the parameter list params and a signer’s private key dID to produce an ordinary signature σ. – Verify: This algorithm takes as input a message m, a signature σ, the parameter list params, an identity ID to output True if the signature is correct, or False otherwise. – VESign: The inputs of this algorithm are the parameter list params, a private key dID of a signer whose identity is ID, a message m, and the adjudicator’s public key y. The output of this algorithm is a verifiably encrypted signature σ on m. – VEVerify: This algorithm takes as input a message m, a verifiably encrypted signature σ, the parameter list params, an identity ID and the adjudicator’s public key y to output True if the signature is correct, or False otherwise. – Adjudication: This algorithm takes as input a message m, a verifiably encrypted signature σ, the parameter list params, an identity ID and the adjudicator’s private key x to output the ordinary signature σ on m.
3
Security Definitions of Identity-Based Verifiably Encrypted Signature Schemes
Boneh et al. [3] specify two properties (besides correctness) that a verifiably encrypted signature scheme must satisfy: unforgeability and opacity. Unforgeability requires that it be difficult to forge a valid verifiably encrypted signature. Opacity requires that it be difficult, given a verifiably encrypted signature, to extract an ordinary signature on the same message. The security of ID-VES schemes is defined by following two games which are used to capture unforgeability and opacity properties respectively. Definition 1. An ID-VES scheme is said to be existentially unforgeable secure under adaptively chosen message and ID attacks, if no polynomial time adversary has a non-negligible success probability in the following Game 1:
80
L. Zhang, Q. Wu, and B. Qin
Game 1 (for unforgeability) This game is played between a challenger C and an adversary A. It has following three stages. 1. C runs the Setup algorithm, takes as input a security parameter k to obtain the master-key and the system parameter list params. C also runs AKeyGen to generate the adjudicator’s private and public key pair (x, y). Finally, params and y are sent to the adversary A. 2. A can adaptively query the following oracles: – UKeyGen-Oracle: The input of this oracle is an identity IDi . The output of this oracle is the private key di for IDi . – Sign-Oracle: The input of this oracle is an identity IDi , a message mi . The output of this oracle is an ordinary signature σi . It is required that σi be a valid signature on message mi under identity IDi . – VESign-Oracle: The input of this oracle is an identity IDi , a message mi . The output of this oracle is a verifiably encrypted signature σ ¯i . It is required that σ ¯i be a valid verifiably encrypted signature on message mi under identity IDi and adjudicator’s public key. – Adjudication-Oracle: The input of this oracle is an identity IDi , a message mi and a verifiably encrypted signature σ i . The output of this oracle is an ordinary signature σi . It is required that σi be a valid signature on message mi under identity IDi . 3. Eventually, A outputs a tuple (ID∗ , m∗ , σ ¯ ∗ ). We say that A wins Game 1 if and only if the output (ID∗ , m∗ , σ ¯ ∗ ) satisfies the following requirements: – σ ¯ ∗ is a valid verifiably encrypted signature on message m∗ under identity ID∗ and adjudicator’s public key y. – ID∗ has never been submitted to the UKeyGen-Oracle. – (ID∗ , m∗ ) has never been submitted to the VESign-Oracle. – (ID∗ , m∗ ) has never been submitted to the Sign-Oracle. Definition 2. An ID-VES scheme is said to be opaque under adaptively chosen message and ID attacks, if no polynomial time adversary has a non-negligible success probability in the following Game 2: Game 2 (for opacity) This game is played between a challenger C and an adversary A which also comprises three stages. 1. C runs the Setup algorithm, takes as input a security parameter k to obtain master-key and the system parameter list params. C also runs AKeyGen to generate the adjudicator’s private and public key pair (x, y). Finally, C sends params and y to the adversary A. 2. A can adaptively query the following oracles as defined in Game 1: UKeyGen-Oracle, Sign-Oracle, VESign-Oracle, Adjudication-Oracle.
Identity-Based Verifiably Encrypted Signatures without Random Oracles
81
3. At the end of A’s attack, A outputs a tuple (ID∗ , m∗ , σ ∗ ). We say that A wins Game 2 if and only if the output (ID∗ , m∗ , σ ∗ ) satisfies the following requirements: – – – –
4
σ ∗ is a valid signature on message m∗ under identity ID∗ . ID∗ has not been submitted to the UKeyGen-Oracle. (ID∗ , m∗ ) has never been submitted to the Sign-Oracle. (ID∗ , m∗ , λ) has never been submitted to the Adjudication-Oracle, where λ is any valid verifiably encrypted signature on m∗ under identity ID∗ and adjudicator’s public key y.
A Concrete Identity-Based Verifiably Encrypted Signature Scheme
In this section, we present the concrete construction of an ID-VES signature. Our scheme is motivated from the Paterson-Schuldt identity-based signature [16] and the Waters’s scheme [19]. The construction is as follows: – Setup: Given a security parameter k, the PKG does the following: 1. Select a cyclic additive group G1 which is generated by g with a prime order q, such that there exist a cyclic multiplicative group G2 of the same order, and a bilinear map e : G1 × G1 −→ G2 . 2. Randomly choose s ∈ Zq and compute g1 = g s . 3. Choose cryptographic hash functions H1 : {0, 1}∗ −→ {0, 1}l and H2 : {0, 1}∗ −→ {0, 1}n. 4. Randomly select the following elements: g2 , u , m ∈R G1 ; u ˆi ∈R G1 for ˆ = {ˆ ˆ = {m i = 1, ..., l; m ˆ i ∈R G1 for i = 1, ..., n. Let U ui}, M ˆ i }. ˆ , m , M ˆ ) and The public parameters are params = (e, G1 , G2 , g, g1 , g2 , u , U s the master-key is g2 . – AKeyGen: The adjudicator accepts params, randomly chooses x ∈ Zq , computes y = g x , and sets (x, y) as the adjudicator’s private and public key pair. – UKeyGen: This algorithm accepts params, master-key g2s , an identity ID ∈ {0, 1}∗ and constructs the private key for the user as follows: 1. Compute u = H1 (ID), parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l . 2. Select a random ru ∈ Zq . 3. Output a private key du = (d0 , d1 ) where d0 = g2s (u
l i=1
u ˆui i )ru , d1 = g ru .
– Sign: On input a signer’s (whose identity is ID) private key du and a message m, the signer performs the following steps: 1. Compute u = H1 (ID), w = H2 (m) and parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, and w as a bit string (w1 , ..., wn ) ∈ {0, 1}n .
82
L. Zhang, Q. Wu, and B. Qin
2. Compute π = u li=1 u ˆui i (note that this value can be pre-computed by the signer). 3. Select rm , rv ∈ Zq at random and compute σ1 = d0 π rv (m
n i=1
i rm m ˆw , σ2 = g rm , σ3 = d1 g rv . i )
4. Output σ = (σ1 , σ2 , σ3 ) as the signer’s signature on message m. – Verify: To verify a signature σ = (σ1 , σ2 , σ3 ) on a message m signed by a signer with an identity ID, the verifier performs the following steps: 1. Compute u = H1 (ID), w = H2 (m) and parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, and w as a bit string (w1 , ..., wn ) ∈ {0, 1}n . 2. Verify e(σ1 , g) = e(g1 , g2 )e(u ?
l i=1
u ˆui i , σ3 )e(m
n i=1
i m ˆw i , σ2 ).
If the above equation holds, output True. Otherwise, output False. – VESign: On input a signer’s (whose identity is ID) private key du and a message m, the signer performs the following steps: 1. Compute u = H1 (ID), w = H2 (m) and represent u as a bit string l n (u1 , ..., ul ) ∈ {0, 1} l, anduiw as a bit string w = (w1 , ..., wn ) ∈ {0, 1} . 2. Compute π = u i=1 u ˆi . 3. Select r¯u , r¯m , r¯v ∈ Zq and compute σ ¯1 = d0 π r¯u (m
n i=1
¯m r¯v i r m ˆw y ,σ ¯2 = g r¯m , σ ¯3 = d1 g r¯u , σ ¯4 = g r¯v . i )
4. Output σ ¯ = (¯ σ1 , σ ¯2 , σ ¯3 , σ ¯4 ) as the verifiably encrypted signature on message m. – VEVerify: To verify a verifiably encrypted signature σ ¯ = (¯ σ1 , σ ¯2 , σ ¯3 , σ ¯4 ) on a message m of an identity ID, a verifier performs the following steps: 1. Compute u = H1 (ID), w = H2 (m) and parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, and w as a bit string (w1 , ..., wn ) ∈ {0, 1}n . 2. Verify e(¯ σ1 , g) = e(g1 , g2 )e(y, σ ¯4 )e(u ?
l i=1
u ˆui i , σ ¯3 )e(m
n i=1
i m ˆw ¯2 ). i ,σ
If the above equation holds, output True. Otherwise, output False. – Adjudication: On input a verifiably encrypted signature σ ¯ = (¯ σ1 , σ ¯2 , σ ¯3 , σ ¯4 ) on a message m of an identity ID, the adjudicator performs the following steps: 1. Compute u = H1 (ID), w = H2 (m) and parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, w as a bit string (w1 , ..., wn ) ∈ {0, 1}n. 2. Select a, b ∈ Zq at random and compute σ1 = (u
3. Output σ =
l
uˆui i )a (m
i=1 (σ1 , σ2 , σ3 ).
n i=1
i b m ˆw ¯1 σ ¯4−x , σ2 = σ ¯2 g b , σ3 = σ ¯3 g a . i ) σ
Identity-Based Verifiably Encrypted Signatures without Random Oracles
5
83
Security Analysis
Theorem 1. If there exists an adversary A who has an advantage in forging a verifiably encrypted signature of our ID-VES scheme in an attack modeled by Game 1, within a time span t and querying at most qe , qs , qv and qa times UKeyGen-Oracle, Sign-Oracle, VESign-Oracle, and Adjudication-Oracle, respectively; then the CDH problem in G1 can be solved within time t + O(qe l + (qs + qv + qa )(l + n))τm + O(qe + qs + qv + qa )τe with probability 1 16(qe + qs )qs (l + 1)(n + 1) where τm is the time to compute a multiplication in G1 , τe is the time to compute a exponentiation in G1 . Proof. C is given a CDH problem instance as follows. Given a group G1 , a generator g ∈ G1 , two elements g α , g β ∈ G1 , C is asked to output an element g αβ ∈ G1 . In order to use A to solve the CDH problem, C needs to simulate all the oracles in Game 1 for A. C does it in the following way. Stage 1. Let lu = 2(qe + qs ) and lm = 2qs . C randomly selects two integers ku and km such that 0 ≤ ku ≤ l and 0 ≤ km ≤ n. We assume that lu (l + 1) < q and lm (n + 1) < q for the given values of qe , qs , l and n. It also randomly selects the following integers: x ∈ Zlu ; z ∈ Zlm ; y , w ∈ Zq ; x ˆ1 , ..., x ˆl ∈ Zlu ; yˆ1 , ..., yˆl ∈ Zq ; zˆ1 , ..., zˆn ∈ Zlm ; w ˆ1 , ...w ˆ n ∈ Zq . Let u = H1 (ID) for an identity ID and w = H2 (m) for a message m; parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, and w as a bit string (w1 , ..., wn ) ∈ {0, 1}n. We further define the following functions for u and w as follows: F (u) = x +
l
x ˆi ui − lu ku , J(u) = y +
i=1
K(w) = z +
n
l
zˆi wi − lm km , L(w) = w +
i=1
yˆi ui ,
i=1 n
w ˆi wi .
i=1
C constructs a set of public parameters as follows: g1 = g α g2 = g β −l k +x u = g2 u u g y m = g2−lm km +z g w for 1 ≤ i ≤ l, u ˆi = g2xˆi g yˆi m ˆ i = g2zˆi g wˆi for 1 ≤ i ≤ n All the above public parameters are passed to A. C also picks x ∈ Zq as adjudicator’s private key, sets y = g x as adjudicator’s public key. y is passed to the adversary A as well. Note that the master-key will be g αβ and we have the following equations:
84
L. Zhang, Q. Wu, and B. Qin
u
l
i=1
F (u) J(u)
uˆui i = g2
g
and m
n
i=1
K(m) L(m)
i m ˆw i = g2
g
.
Stage 2. C simulates all the oracles as follows: UKeyGen-Oracle: Upon receiving a query for a private key of an identity ID, C computes u = H1 (ID) and parses u as a bit string (u1 , ..., ul ) ∈ {0, 1}l . Although C does not know the master-key, it still can construct the private key by assuming F (u) = 0 mod q. It randomly chooses r ∈ Zq and computes the private key as (d0 , d1 ) =
−J(u)/F (u) g1 (u
l i=1
−1/F (u) r u ˆui i )r , g1 g
.
By letting rˆ = r − α/F (u), it can be verified that (d0 , d1 ) is a valid private key, shown as follows: −J(u)/F (u)
d0 = g1 = = = = d1 =
(u
l
uˆui i )r
i=1 −J(u)/F (u) F (u) J(u) r F (u) g1 (g2 g ) = g −αJ(u)/F (u) (g2 g J(u) )r F (u) F (u) F (u) g −αJ(u) F (u) (g2 g J(u) )α/F (u) (g2 g J(u) )−α/F (u) (g2 g J(u) )r F (u) g −αJ(u)/F (u) g αβ g αJ(u)/F (u) (g2 g J(u) )rˆ l F (u) F (u) g αβ (g2 g J(u) )rˆ = g2α (g2 g J(u) )rˆ = g2α (u u ˆui i )rˆ i=1 −1/F (u) r r−α/F (u) rˆ g1 g =g =g
If F (u) = 0 mod q, since the above computation cannot be performed (division by 0), C aborts. To make it simple, C will abort if F (u) = 0 mod lu . The equivalency can be observed as follows. l The assumption lu (l+1) < q implies 0 ≤ lu ku < q and 0 ≤ x + i=1 x ˆi ui < q. We have −q < F (u) < q which implies if F (u) = 0 mod q then F (u) = 0 mod lu . Hence, F (u) = 0 mod lu implies F (u) = 0 mod q. Thus the former condition will be sufficient to ensure that a private key can be computed without abort. Sign-Oracle: For a given query of a signature on an identity ID and a message m, C computes u = H1 (ID), w = H2 (m), parses u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, and w as a bit string (w1 , ..., wn ) ∈ {0, 1}n. If F (u) = 0 mod lu , C can just construct a private key for ID as in a UKeyGen-Oracle query, and then use the Sign algorithm to create a signature on m. If F (u) = 0 mod lu , C will try to construct a signature in a similar way to the construction of a private key in a UKeyGen-Oracle query. Assume K(w) = 0 mod lm . Using the argument mentioned above, this implies K(w) = 0 mod q, given the assumption lm (n + 1) < q. The signature can be constructed by first randomly selecting ru , rm ∈ Zq
Identity-Based Verifiably Encrypted Signatures without Random Oracles
85
and then computing σ = (σ1 , σ2 , σ3 ) l n −1/K(m) rm ru ui ru −L(m)/K(m) wi rm = (u u ˆ i ) g1 (m m ˆ i ) , g1 g ,g =
i=1
g2α (u
i=1
l i=1
uˆui i )ru (m
n i=1
ˆm i r m ˆw , g rˆm , g ru i )
where rˆm = rm − α/K(m). If K(m) = 0 mod lm , C aborts. VESign-Oracle: On input an identity ID and a message m, let u = H1 (ID) and w = H2 (m), parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, and w as a bit string (w1 , ..., wn ) ∈ {0, 1}n. C performs the following steps: 1. Submit (ID, m) to the Sign-Oracle; if the Sign-Oracle does not abort, an ordinary signature σ = (σ1 , σ2 , σ3 ) on m will be returned. 2. Select r¯v ∈ Zq , compute σ ¯1 = σ1 y r¯v , σ ¯2 = σ2 , σ ¯3 = σ3 , σ ¯4 = g r¯v . 3. Output σ ¯ = (¯ σ1 , σ ¯2 , σ ¯3 , σ ¯4 ). Adjudication-Oracle: On input an identity ID, a message m and a verifiably encrypted signature σ on m under identity ID, C can use the Adjudication algorithm of our scheme to produce the ordinary signature, since C knows the adjudicator’s private key. Stage 3. Finally, A outputs a verifiably encrypted signature σ ¯ ∗ = (¯ σ1∗ , σ ¯2∗ , σ ¯3∗ , σ ¯4∗ ) ∗ ∗ ∗ ∗ ∗ ∗ on a message m under identity ID . Let u = H1 (ID ), w = H2 (m ), represent u∗ as (u∗1 , ..., u∗l ) ∈ {0, 1}l , w∗ as (w1∗ , ..., wn∗ ) ∈ {0, 1}n; if F (u∗ ) = 0 mod q or K(w∗ ) = 0 mod q, C aborts. Otherwise, since C knows the adjudicator’s private key, he can extract the ordinary signature σ ∗ = (σ1∗ , σ2∗ , σ3∗ ) on m from σ ¯∗. By our setting, we have u
l i=1
uˆui i
=g
J(u∗ )
,m
n i=1
∗
K(w ) i m ˆw . i =g
∗
Since σ must satisfy e(σ1∗ , g) = e(g1 , g2 )e(u
l i=1
we have g αβ =
u∗
uˆi i , σ3∗ )e(m σ1∗
σ3∗
J(u∗ )
σ2∗ K(w
∗)
n i=1
w∗
m ˆ i i , σ2∗ ),
.
This is the solution of the CDH Problem. Let u ¨1 , ..., u¨qH be the output of the hash function H1 appearing in either UKeyGen-Oracle or in Sign-Oracle queries not involving the challenge identity
86
L. Zhang, Q. Wu, and B. Qin
ID∗ , and let m ¨ 1 , ..., m ¨ qM be the output of the hash function H2 in the SignOracle. We have qH ≤ qe + qs and qM ≤ qs . We also define the events Ai , A∗ , Bi , B ∗ as follows: Ai A∗ Bi B∗
: F (¨ ui ) = 0 mod lu where i = 1, ..., qH : F (u∗ ) = 0 mod q : K(m ¨ j) = 0 mod lm where j = 1, ..., qM : K(m∗ ) = 0 mod q
The probability of C not aborting is: Pr[¬abort] ≥ Pr[
qH
qM
Ai ∧ A∗ ∧
i=1
Bj ∧ B ∗ ].
j=1
H M Note that the events qi=1 Ai ∧ A∗ and qj=1 Bj ∧ B ∗ are independent. The assumption lu (l+1) < q implies that if F (u) = 0 mod q then F (u) = 0 mod lu . In addition, it also implies that if F (u) = 0 mod lu , there will be a unique choice of ku with 0 ≤ ku ≤ l such that F (u) = 0 mod q. Since ku , x and x ˆ1 , ..., x ˆl are randomly chosen, we have Pr[A∗ ] = Pr[F (u∗ ) = 0 mod q ∧ F (u∗ ) = 0
mod lu ]
= Pr[F (u∗ ) = 0 mod lu ] Pr[F (u∗ ) = 0 1 1 = lu l + 1
mod q|F (u∗ ) = 0
mod lu ]
On the other hand, we have: Pr[
qH
Ai |A∗ ] = 1 − Pr[
i=1
qH
¬Ai |A∗ ]
i=1
≥1−
qH
Pr[¬Ai |A∗ ]
i=1
Note F (¨ ui ) = 0 mod lu and F (¨ uj ) = 0 mod lu are independent, where i = j, since the outputs of F (¨ ui ) and F (¨ uj ) will differ in at least one randomly chosen value. Also since the events Ai and A∗ are independent for any i, we have Pr[¬Ai |A∗ ] = 1/lu . Hence we have Pr[
qH
Ai ∧ A∗ ] = Pr[A∗ ] Pr[
i=1
qH
Ai |A∗ ]
i=1
1 qe + qs ≥ (1 − ) lu (l + 1) lu and setting lu = 2(qe + qs ) as in the simulation gives Pr[
qH
i=1
Ai ∧ A∗ ] ≥
1 . 4(qe + qs )(l + 1)
Identity-Based Verifiably Encrypted Signatures without Random Oracles
87
A similar analysis for the Sign-Oracle queries gives the result Pr[
q M
Bj ∧ B ∗ ] ≥
i=1
1 . 4qs (n + 1)
And we get that Pr[¬abort] ≥ Pr[
qH
i=1
Ai ∧ A∗ ] Pr[
qM
Bj ∧ B ∗ ]
j=1
1 ≥ . 16(qe + qs )qs (l + 1)(n + 1) If the simulation does not abort, A will create a valid forgery with probability at least . Algorithm C can then compute g αβ from the forgery as shown above. The time complexity of algorithm C is dominated by the exponentiations and, for larger values of l and n, by the multiplications performed in the UKeyGen-Oracle, Sign-Oracle, VESign-Oracle, and Adjudication-Oracle queries. For UKeyGen-Oracle, Sign-Oracle, VESign-Oracle, and Adjudication-Oracle, there are O(l), O(l + n), O(l + n) and O(l + n) multiplications in G1 and O(1), O(1), O(1) and O(1) exponentiations in G1 . Hence, the time complexity of C is t + O(qe l + (qs + qv + qa )(l + n))τm + O(qe + qs + qv + qa )τe . Thus, the theorem follows. Theorem 2. If there exists an adversary A who has an advantage in an attack modeled by Game 2, within a time span t and querying at most qe , qs , qv and qa times UKeyGen-Oracle, Sign-Oracle, VESign-Oracle, and Adjudication-Oracle, respectively; then the aggregate extraction problem in G1 can be solved within time t + O(qe l + (qs + qv + qa )(l + n))τm + O(qe + qs + qv + qa )τe and with probability 1 . 16(qe + qs )qs (l + 1)(n + 1) Due to page limitation, the proof will be presented in the full version of this paper.
6
Conclusion
We presented an identity-based verifiably encrypted signature. The proposal is proven existentially unforgeable and opaque against adaptively chosen-message attack assuming that the CDH problem (and its equivalent variant of the aggregate extraction problem) is hard. Unlike existing schemes, our construction does not rely on the existence of random oracles. Our ID-VES scheme is also efficient and can be efficiently applied to fair exchange protocols.
88
L. Zhang, Q. Wu, and B. Qin
Acknowledgments and Disclaimer Thanks go to Josep Domingo-Ferrer for his comments on a draft of this paper. The authors are partly supported by the Spanish Government through projects TSI2007-65406-C03-01 “E-AEGIS” and CONSOLIDER INGENIO 2010 CSD2007-00004 “ARES”, and by the Government of Catalonia under grant 2009 SGR 1135. They are with the UNESCO Chair in Data Privacy, but their views do not necessarily reflect the position of UNESCO nor commit that organization.
References 1. Asokan, N., Shoup, V., Waidner, M.: Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communications 18(4), 593–610 (2000) 2. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM CCCS 1993, pp. 62–73. ACM Press, New York (1993) 3. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003) 4. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001) 5. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004) 6. Cheng, X., Liu, J., Wang, X.: Identity-based aggregate and verifiably encrypted signatures from bilinear pairing. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Lagan´ a, A., Lee, H.P., Mun, Y., Taniar, D., Tan, C.J.K. (eds.) ICCSA 2005. LNCS, vol. 3483, pp. 1046–1054. Springer, Heidelberg (2005) 7. Coron, J.-S., Naccache, D.: Boneh et al.’s k-element aggregate extraction assumption is equivalent to the diffie-hellman assumption. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 392–397. Springer, Heidelberg (2003) 8. Galindo, D., Herranz, J., Kiltz, E.: On the generic construction of identity-based signatures with additional properties. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 178–193. Springer, Heidelberg (2006) 9. Gorantla, M., Saxena, A.: Verifiably encrypted signature without random oracles. In: Chakraborty, G. (ed.) ICDCIT 2005. LNCS, vol. 3816, pp. 357–363. Springer, Heidelberg (2005) 10. Gu, C., Zhu, Y.: An ID-based verifiably encrypted signature scheme based on Hess’s scheme. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 42–52. Springer, Heidelberg (2005) 11. Gu, C., Zhu, Y., Zhang, Y.: An ID-based optimistic fair signature exchange protocol from pairings. In: Hao, Y., Liu, J., Wang, Y.-P., Cheung, Y.-m., Yin, H., Jiao, L., Ma, J., Jiao, Y.-C. (eds.) CIS 2005. LNCS, vol. 3802, pp. 9–16. Springer, Heidelberg (2005) 12. Hess, F.: Efficient identity based signature schemes based on pairings. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 310–324. Springer, Heidelberg (2003) 13. Hess, F.: On the security of the verifiably-encrypted signature scheme of Boneh, Gentry, Lynn and Shacham. Information Processing Letters 89(3), 111–114 (2004)
Identity-Based Verifiably Encrypted Signatures without Random Oracles
89
14. Kwon, S., Lee, S.H.: An efficient ID-based verifiably encrypted signature scheme based on Hess’s scheme. In: Dawson, E., Wong, D.S. (eds.) ISPEC 2007. LNCS, vol. 4464, pp. 93–104. Springer, Heidelberg (2007) 15. Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 465–485. Springer, Heidelberg (2006) 16. Paterson, K., Schuldt, J.: Efficient identity-based signatures secure in the standard model. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 207–222. Springer, Heidelberg (2006) 17. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) 18. Shao, Z.: Certificate-based verifiably encrypted signatures from pairings. Information Sciences 178(10), 2360–2373 (2008) 19. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005) 20. Zhang, F., Safavi-Naini, R., Susilo, W.: Efficient verifiably encrypted signature and partially blind signature from bilinear pairings. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 191–204. Springer, Heidelberg (2003) 21. Zhang, J., Mao, J.: A novel verifiably encrypted signature scheme without random oracle. In: Dawson, E., Wong, D.S. (eds.) ISPEC 2007. LNCS, vol. 4464, pp. 65–78. Springer, Heidelberg (2007) 22. Zhang, J., Zou, W.: A robust verifiably encrypted signature scheme. In: Zhou, X., Sokolsky, O., Yan, L., Jung, E.-S., Shao, Z., Mu, Y., Lee, D.C., Kim, D.Y., Jeong, Y.-S., Xu, C.-Z. (eds.) EUC Workshops 2006. LNCS, vol. 4097, pp. 731–740. Springer, Heidelberg (2006) 23. Zhang, Z., Feng, D., Xu, J., Zhou, Y.: Efficient ID-based optimistic fair exchange with provable security. In: Qing, S., Mao, W., L´ opez, J., Wang, G. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 14–26. Springer, Heidelberg (2005)
How to Prove Security of a Signature with a Tighter Security Reduction Fuchun Guo, Yi Mu, and Willy Susilo Centre for Computer and Information Security Research School of Computer Science and Software Engineering University of Wollongong, Wollongong NSW2522, Australia {fg278,ymu,wsusilo}@uow.edu.au
Abstract. It is a challenging task to construct a signature that it can be tightly reduced to a weak security assumption in the standard model. In this paper, we introduce a simple chameleon-hash-based transformation and show that it can tighten a security reduction of a signature scheme that suffers from a loose security reduction. Taking the Waters’ signature from Eurocrypt 2005 as an example, we demonstrate an improvement of the security reduction that the probability of success in the security reduction can be made as a constant and independent of the signature queries from an adversary. Our reduction methodology has never been considered in the literature and is applicable to many signature schemes such as identity-based signature schemes, online/offline signatures, and signatures with strong unforeability. Keywords: Signature, Security Proof, Chameleon Hash.
1
Introduction
A digital signature scheme is said secure, if forging a valid signature is not easier than solving a hard mathematical problem. In a security proof of signatures, if an adversary can successfully forge a valid signature with probability , one can take advantage of its ability to solve the underlying hard mathematical problem successfully with probability . This process is called security reduction. The relation for these two probabilities is therefore written as = λ for some parameter λ (≥ 1). The hardness of forging a signature and solving the underlying problem is normally not at the same level unless the security reduction is tight, i.e., λ is close to 1. Unfortunately, how to achieve a secure signature whose security can be tightly reduced to a standard mathematical problem (so-called weak assumption), such as the Computational Diffie-Hellman (CDH) problem, in the standard model, is often a challenging task. A desirable security proof should capture three properties: tightness, weak assumption, and standard model. The well-known signature schemes such as [11,7,2,12,17,1,20,18,15] are unable to capture all these properties. To date, several signature schemes (e.g., [12,17]), whose security is tightly reduced to a weak assumption, rely on random oracles. The signature schemes J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 90–103, 2009. c Springer-Verlag Berlin Heidelberg 2009
How to Prove Security of a Signature with a Tighter Security Reduction
91
[11,7,1,6] where the security can be tightly reduced to a hard assumption without random oracles must rely on a strong assumption, such as the strong RSA assumption or q-Strong Diffie-Hellman assumption or LRSW. In 2005, Waters [20] presented an efficient identity-based encryption that can be modified into a signature whose security proof is based on the CDH assumption in the standard model. However, the reduction probability varies in the sense that it depends on the number of signature queries from the adversary. If the adversary can forge a valid signature by querying only a few signatures, the security reduction is then tighter; otherwise, if the adversary has to query a large number of signatures before outputting a valid one, then the reduction is loose. In this paper, we introduce a very interesting solution to this problem, by making use of a chameleon hash and construct a new signature scheme, which is close to all the properties outlined above. The key contribution in this paper is that we demonstrate how to transfer a loose reduction to a tighter reduction with a constant probability from Waters scheme [20], where the reduction is independent of the number of signature queries. 1.1
Related Works
The notion of chameleon hash, or trapdoor hash function, was first introduced by Krawczyk and Rabin [16], who utilized it to construct chameleon signatures where the signed message is blind to the third parties. The chameleon hash is associated with a public hash key and a private hash key (trapdoor key). Loosely speaking, given the chameleon hash and the public hash key only, collisions are difficult to find, but it is easy when the private hash key is also known. Formally, let Hch be the chameleon hash and (m, s) be the input, it is hard/easy to find a new pair (m , s ) such that Hch (m, s) = Hch (m , s ) without/with the private hash key. One of most notable applications of chameleon hashing is the online/offline signature [9] due to Shamir and Tauman [19]. Another well-known application of chameleon hash is due to Boneh and Boyen [1] who applied it to a short signature construction without random oracles. Their first scheme was proved secure against weak chosen message attacks, where the adversary must output all messages to be queried before receiving the public key. Using the chameleon hash, the signature security then is transformed into strong existential unforgeability against chosen message attacks, which is slightly stronger than the standard notion. In 2005, Waters [20] introduced an efficient Identity-Based Encryption (IBE) scheme which is secure in the standard model under the CDH assumption and he also showed how to construct a signature from IBE with the same security result. However, the reduction is not tight with long public key size. Recently, Hohenberger and Waters [15] showed how the public key size can be shortened but the security still has the problem of loose reduction. Let us revisit some key points of Waters signature scheme, which we will tighten. Let the message space in his scheme be a n-bit length string and M [i] be the ith bit of message m. Define M ⊂ {1, 2, · · · , n} as the set of indices for i such
92
F. Guo, Y. Mu, and W. Susilo
that M [i] = 1. Let u0 , u1 , u2 , · · · , un be n + 1 elements randomly chosen from G of bilinear map e : G × G → GT . The format of message m in the scheme is defined as u0 i∈M ui . In the proof, each ui for all i = 0, 1, · · · , n in the setup phase of simulation contains the element g xi b , where xi is a small exponent and g b is one of the elements in the CDH problem. To be able to reduce the forgery to the CDH assumption (or to be able to solve the CDH problem), the requirements in signature query phase and the forgery phase are as follows. (1) Each signature query on message mi must satisfy that u0 i∈Mi ui includes the element g b for all signature queries; otherwise, the simulator will fail in a simulation. (2) The forged signature on message m∗ requires excluding g b from u0 i∈M∗ ui ; otherwise, the simulator cannot output the answer of the CDH problem. That is, some messages make g b ∈ u0 i∈M ui hold, but others do not. For simplicity, suppose the probability of u0 i∈M ui containing g b for a random message can be denoted by 1 − 1l (l > 1. Actually, the probability of the jth query on message mj such that g b ∈ u0 i∈Mj ui holds is less than the ith message when i ≤ j), then the simulation will succeed with probability 1 1 Pr[¬ abort] = (1 − )qs · , l l where qs is the maximum number of signature queries that the forger asks. Thus, the reduction result depends on the number of signature querying, because qs makes the reduction vary. Unfortunately, if the forger, for example, has to query qs ≈ 230 signatures to be able to forge a valid signature, then the reduction has to be regarded as loose for any l in setting. 1.2
Our Contribution
As analyzed above, a loose reduction stems from the failure of signature simulation in the query phase and then decreases the successful probability of solving the assumption in forgery phase. This observation inspires us to explore a better approach for tightening Waters signature, i.e., to make every signature generation in the simulation successful. We find that the chameleon hash is the ideal candidate for us to achieve this goal. Intuitively, in our approach, after generating all public key parameters, the simulator first generates signatures on qs random messages and then translates them into what the adversary will query by using the chameleon hash. Our contributions in this paper are twofold: 1. We apply a chameleon hash function to the Waters signature scheme and show that λ can be made less than 2n + 1 in our reduction, compared to 8qs (n + 1) of the Waters’ result; therefore, our reduction is much tighter and independent of the adversary’s requirement of signature query. 2. We apply our method to other interesting aspects. (1) We construct a tighter reduction of identity-based signature scheme. (2) We achieve an online/offline signature scheme. (3) We prove that our signature possesses strong existential unforgeability against chosen message attacks.
How to Prove Security of a Signature with a Tighter Security Reduction
93
The rest of the paper is organized as follows. Some preliminaries including the detailed construction of chameleon hash are provided in Section 2. The signature scheme and its security proof are presented in Section 3. The extensions to our scheme are described in Section 4. The conclusion is given in Section 5.
2
Definitions
In this section, we provide the definitions of our signature scheme. 2.1
Signature and Security
A signature scheme consists of the three algorithms (KeyGen, Sign, Verify), for key generation, message signing, and signature verification, respectively. The security of a signature scheme in a standard notion is modeled with existential unforgeability under a chosen message attack and strong existential unforgeability under a chosen message attack, where the games between a challenger C and an adversary (or known as a forger) A are described respectively as follows : Existential Unforgeability – Setup: The challenger C runs algorithm KeyGen to obtain a pair of private key (signing) key and public (verification) key (SK, P K). P K is given to the adversary A. – Query: A makes a signature query on message mi of his choice under P K. C responds to each query with a valid signature σmi . A can ask qs message queries at most. – Forgery: A outputs a signature pair (m∗ , σm∗ ) and wins the game if 1. A did not make a signature query on m∗ ; 2. σm∗ is a valid signature on m∗ signed by P K. We define AdvA1 as the probability that A wins in the above game. Strong Existential Unforgeability – Setup: The challenger C runs algorithm KeyGen to obtain a pair of private key (signing) key and public (verification) key (SK, P K). P K is given to the adversary A. – Query: A makes a signature query on message mi of his choice under P K. C responds to each query with a valid signature σmi . A can ask qs message queries at most. – Forgery: A outputs a signature pair (m∗ , σm∗ ) and wins the game if 1. (m∗ , σm∗ ) is not any of (m1 , σm1 ), (m2 , σm2 ), · · · , (mqs , σmqs ); 2. σm∗ is a valid signature on m∗ signed by P K. We define AdvA2 as the probability that A wins in the above game. Definition 1. A signature scheme is (t, qs , )-(strong) existential unforgeability against chosen message attack if no forger (t, qs , )-breaks it, where the forger A runs in time at most t and makes at most qs signature queries. AdvA1 (AdvA2 ) is at least .
94
2.2
F. Guo, Y. Mu, and W. Susilo
Bilinear Map
Let G and GT be two cyclic groups of prime order p. Let g be a generator of G. A map e : G × G → GT is called a bilinear map, if it satisfies the following properties: – Bilinearity: for all u, v ∈ G and a, b ∈ Zp , we have e(ua , v b ) = e(u, v)ab . – Non-degeneracy: e(g, g) = 1. I.e., e(g, g) is a generator of GT . – Computability: It is efficient to compute e(u, v) for all u, v ∈ G. 2.3
Complexity
The security of our signature scheme will be reduced to the hardness of the Discrete Log (DL) problem and the Computational Diffie-Hellman (CDH) problem in the group in which the signature is constructed. We briefly review the definition of the DL problem and the CDH problem here: Definition 2. Let G be the group defined as above with a generator g and element g a ∈ G where a is selected uniformly at random from Zp , the DL problem in G is to compute a. Definition 3. Let G be the group defined as above with a generator g and elements g a , g b ∈ G where a, b are selected uniformly at random from Zp , the CDH problem in G is to compute g ab . Definition 4. We say that the (t, )-CDH(DL) assumption holds in the group of G if there is no algorithm running in time t at most can solve the CDH(DL) problem in G with the probability at least . 2.4
Chameleon Hash
Let g ∈ G be the element from the paring e : G × G → GT and β be a random value from Zp . Set the element g3 = g β . The public chameleon hash key is (g, g3 ) and the private chameleon hash key is β. The input elements of chameleon hash is a pair (m, s) both from Zp and the output is an element of G, where the chameleon hash is defined as Hch (m, s) = g3m g s . Given a new m = m and β, it is easy to compute s = (m − m )β + s such that Hch (m , s ) = Hch (m, s). However, when the chameleon hash is secure and given the tuple (m, s, Hch (m, s)) only, any adversary cannot find a new pair (m , s ) in polynomial time such that both m = m and Hch (m , s ) = Hch (m, s) hold [19].
3
The Scheme
In this section, we show how to tighten the security reduction in the Waters signature scheme, where the reduction is independent of signature query.
How to Prove Security of a Signature with a Tighter Security Reduction
3.1
95
Signature Scheme
In our signature scheme, all messages and random values are assumed to be in Zp . Let e : G × G → GT be the bilinear map, G, GT be two cyclic groups of order p and g be the corresponding generator in G. KeyGen: Choose a secret α ∈ Zp at random and g2 , g3 , u0 randomly from G. Set the value g1 = g α . Choose a n-length vector u = (u1 , u2 , · · · , un ), where all ui ∈ G and a secure collision-resistant hash function H : {0, 1}∗ → {0, 1}n, defined in Waters signature scheme [20]. The public key P K and the private key SK are respectively P K = (g, g1 , g2 , g3 , u0 , u, H), SK = g2α . Sign: To generate a signature on m ∈ Zp : – Pick a random s ∈ Zp and set M = H(g3m g s ) ∈ {0, 1}n; – Let M [i] be the ith bit of hashing value M . Define M ⊂ {1, 2, · · · , n} to be the set of indices for i such that M [i] = 1. Pick a random r ∈ Zp and set the signature to be σm = σ1 , σ2 , σ3 = g2α (u0 ui )r , g r , s . i∈M
Verify: Given a signature σm = (σ1 , σ2 , σ3 ), a message m and the public key P K, the verifier first computes M = H(g3m g σ3 ) and then accepts the signature (σ1 , σ2 , σ3 ) on m signed by P K if the following equation holds e(σ1 , g) = e(g2 , g1 )e(u0 ui , σ2 ). i∈M
Correctness
e(σ1 , g) = e g2α (u0 ui )r , g i∈M
=
e(g2α , g)
· e (u0 ui )r , g i∈M
= e(g2 , g1 )e u0
ui , g r
i∈M
= e(g2 , g1 )e(u0
ui , σ2 ).
i∈M
Efficiency: Adding the random value s in signing, we actually do not sign message m directly but the output of hashing g3m g s . Thus, compared to Waters signature scheme, we add one 2-multi-exponent computation in signing and verification, and a 160 bit value s to the signature length when |p| = 160.
96
3.2
F. Guo, Y. Mu, and W. Susilo
Security Proof
In our construction, we sign M = H(g3m g s ) instead of message m. According to the security model definition, the forger will get signature queries from the simulator and those queries can be seen as the signatures on M1 , M2 , · · · , Mqs of pairs (m1 , s1 ), (m2 , s2 ), · · · , (mqs , sqs ), where s1 , s2 , · · · , sqs are set by the simulator. There are two kinds of adversary in forging a valid signature: Adversary I: the forger outputs an new pair of (m∗ , s∗ ), such that ∗
∗
m
g3m g s = g3 j g sj , m∗ = mj ∈ {m1 , m2 , · · · , mqs }. Then, suppose the signature on mi is (σ1 , σ2 , σ3 ), and the forger can output (σ1 , σ2 , s∗ ) as a valid forged signature on m∗ . Adversary II: the forger outputs a new pair of (m∗ , s∗ ), such that ∗
∗
g3m g s = g3mi g si , where the valid forged signature on m∗ is (σ1∗ , σ2∗ , σ3∗ ). Theorem 1. The signature scheme is (t, qs , )-existential unforgeability against the adversary I, assuming that the (t , )-DL assumption holds in G: t = t + O(qs (ntm + te )), = , where tm , te are the time for a multiplication and an exponentiation in G, respectively. Proof. The proof is similar to that of chameleon hash. Supposing there exists a (t, qs , )-adversary A against our scheme, we construct an algorithm B that solves the DL problem. Algorithm B is given as input a random pair (g, g a ) and is to output a as its goal. The interaction between algorithm B and A is as follows: To generate the signature system except the element g3 ∈ P K, B simulates all other public keys and private key as the original KeyGen algorithm by using g as the basic generator, and sets g3 = g a . Then, knowing the private key, B can respond any signature query from the adversary A. Suppose the adversary queried the signatures on m1 , m2 , · · · , mqs and B responded on each signature using random values s1 , s2 , · · · , sqs . Once the adversary finally outputs a valid forged signature (σ1 , σ2 , s∗ ) on m∗ = mj and the signature satisfies our definition above, we obtain: ∗ ∗ m g3m g s = g3 j g sj , s −s∗
and extract a = mj∗ −m3 j (mod p), which is the solution to DL problem. Absolutely, we can use it to solve the CDH assumption. The time complexity of the algorithm B is dominated by the signature generations. Since there are O(n) multiplications and O(1) exponentiations for each signature query, the time complexity of B is t = t + O(qs (ntm + te )), where tm is the time for multiplication and te is the time for exponentiation. 2
How to Prove Security of a Signature with a Tighter Security Reduction
97
Theorem 2. When the collision-resistant hash function is secure, the signature scheme is (t, qs , )-existential unforgeability against the adversary II, assuming that the (t , )-CDH assumption holds in G: t = t + O(qs (ntm + te )), = , 2n + 1 where tm , te are the time for a multiplication and an exponentiation in G, respectively. Proof. Suppose there exists a (t, qs , )-adversary A against our scheme, we construct an algorithm B that solves the CDH problem. Our approach is an extension to the proof of [20]. Algorithm B is given as input a random tuple (g, g a , g b ) and the goal is to output g ab . B works by interacting with A as follows: Setup: To generate the public key parameters P K = (g, g1 , g2 , g3 , u0 , u, H), B randomly chooses four integers k0 , k1 (k0 = k1 ), y0 and β, such that k0 , k1 ∈ [0, 2n], y0 ∈ Zp and sets g3 = g β ∈ G. B then randomly chooses a n-length vector x = (xi ) with all xi randomly from {1, 2} and another n-length vectors y = (yi ) with all yi randomly from Zp . After choosing a secure collision-resistant hash function H, B defines the parameters as: g1 = g a , g2 = g b , g3 = g β , u00 = g2−k0 g y0 , u01 = g2−k1 g y0 , ui = g2xi g yi . The following process is to choose a proper parameter from {u00 , u01 } as u0 ∈ P K. B randomly chooses γ1 , γ2 , · · · , γ2qs ∈ Zp and computes Mi = H(g γi ) ∈ {0, 1}n for all i = 1, 2, · · · , 2qs . Let F0 (M ) = xi − k0 , F1 (M ) = xi − k1 , J(M ) = y0 + yi . i∈M
i∈M
i∈M
If there are more than qs number of γi such that Fj (Mi ) = 0 for Mi ∈ {M1 , M2 , · · · , M2qs }, then there must be more than qs number of γi satisfying F1−j (Mi ) = 0, for Mi ∈ {M1 , M2 , · · · , M2qs }. Suppose j = 1 and F0 (Mi ) = 0 holds for γ1 , γ2 , · · · , γqs , then B sets u0 = u00 and the public key P K to be P K = (g, g1 , g2 , g3 , u0 , ui , H). We have the following equation holds F (M) J(M) u0 u i = g2 0 g . i∈M
Then, B sends the P K to the adversary A, stores γ1 , γ2 , · · · , γqs and responds signature queries in the following phase. Query: A makes signature queries. To respond a signature query on mi , B firstly chooses γi from the Setup phase, picks a random r ∈ Zp and sets the signature on mi to be: − J(Mi ) 1 − F (M F (M )r F (M ) ) σmi = (σ1 , σ2 , σ3 ) = g1 0 i · g2 0 i · g J(Mi )r , g r · g1 0 i , γi − mi β .
98
F. Guo, Y. Mu, and W. Susilo
Let r = r −
a F0 (Mi ) ,
we have
Mi = g3mi g σ3 = g mi β+σ3 = g γi , σ1 = g2α (u0 ui )r i∈Mi
= =
F (M ) g2a (g2 0 i g J(Mi ) )r a F (M ) r− g2a (g2 0 i g J(Mi ) ) F0 (Mi )
J(Mi ) 0 (Mi )
−F
= g1
g
) · g2−a · g1
F (Mi )r
· g2 0
J(Mi ) 0 (Mi )
−F
F (Mi ) J(Mi ) r
= g2a (g2 0
· g J(Mi )r ,
1 − F (M 0 i)
σ2 = g r = g r · g1
σ3 = si = γi − mi β Therefore, σmi is a valid signature on mi . B gives it to the adversary. Forgery: The adversary outputs a valid forged signature σm∗ = (σ1∗ , σ2∗ , σ3∗ ) on m∗ , such that ∗ ∗ g3m g σ3 = g3mi g si . ∗
∗
If H(g3m g σ3 ) = H(g3mi g si ), it is contrary to the security of hash function; otherwise, we have ∗ ∗ H(g3m g σ3 ) = H(g3mi g si ). ∗
∗
Let M ∗ = H(g3m g σ3 ), if F0 (M ∗ ) = 0, abort; otherwise, set the forged signature as σm∗ = (σ1∗ , σ2∗ , σ3∗ ) = g2α (u0 ui )r , g r , s . i∈M∗
B computes and outputs g2α (u0 i∈M∗ ui )r σ1∗ = (σ2∗ )J(M ∗ ) g rJ(M ∗ ) F (M ∗ )
∗
g a (g 0 g J(M ) )r = 2 2 rJ(M ∗ ) g = g2α = g ab , which is the solution to the given CDH problem. This completes the description of the simulation. It remains to analyze the probability of B for not aborting. From the simulation, we know that B will only abort in the forgery phase and we have
Pr[¬ abort] = Pr F0 (M ∗ ) = 0 .
How to Prove Security of a Signature with a Tighter Security Reduction
99
According to our definition, all xi ∈ {1, 2}, so we have the following range for any M ∈ {0, 1}n xi ∈ [0, 2n]. i∈M
The value k1 is universal random and according to the definition of F0 (M ) = i∈M xi − k1 , we have
1 Pr[¬ abort] = Pr F0 (M ∗ ) = 0 = . 2n + 1 That is, if the forger can output a valid forged signature with probability , the algorithm B will solve the CDH problem with probability /(2n + 1). The time complexity of the algorithm B is dominated by the exponentiations and multiplications for a large value of n. Since there are O(n) multiplications and O(1) exponentiations in the queries, the time complexity of B is t = t + O(qs (ntm + te )), where tm is the time for multiplication and te is the time for exponentiation. 2
4
Extension
Using the chameleon hash in signature construction, we can extend our methodology to the following three aspects. (1) Our method can be naturally applied to identity-based signatures. (2) It can be applied to the online/offline signing. (3) If the chameleon hash is secure, we can obtain the property of strong existential unforgeable security in our signature scheme, which can be also applied to a generic construction. 4.1
Identity-Based Signature
Paterson and Schuldt [18] proposed an identity-based signature directly utilizing a 2-level Hierarchical IBE [14,13] based on Waters’ IBE scheme but the reduction to the CDH problem is loose since it depends on the adversary’s regarding of both private key numbers and signature numbers. Using our signature construction, the reduction can be tighter where it depends on private key numbers only because the simulator is able to generate any signature query in query phase. The new IBS is not hard in construction by using Waters’ IBE as the first hierarchical level and our signature scheme as the second hierarchical level, where the proof is similar to Paterson-Schuldt’s proof. Thus, we omit the detailed scheme and proof here. 4.2
Online/Offline Signing
In our signing phase, the final signature on m is σm = σ1 , σ2 , σ3 = g2α (u0 ui )r , g r , s , i∈M
100
F. Guo, Y. Mu, and W. Susilo
where the input of hashing computation is g3m g s . Let g3 = g β for a random β ∈ Zp and the online/offline signing can be describes as follows: KeyGen: The final public key is THE P K same as in Section 3 and the private key is SK = (g2α , β). Sign: The signing is divided into the offline phase for pre-computation and the online phase for signature extraction. – Offline Phase • Randomly choose r, m, s ∈ Zp and compute σ1 , σ2 = g2α (u0 ui )r , g r , where M = H(g3m g s ). i∈M
• Store σ1 , σ2 , m, s for online computation and signature generation. – Online Phase: Given the message m ∈ Zp , compute s = (m − m )β + s and output σm = (σ1 , σ2 , s ) as the final signature on m . The signature is correct because
g3m g s = g m β g (m−m )β+s = g mβ+s = g3m g s . The signature format is not changed in online/offline construction and then the verification will be the same. In the above online/offline signing phase, the cost in online phase is only one modular multiplication, which is much faster than the exponentiations. 4.3
Strong Unforgeable Security
To achieve the strong unforgeable security, we need another collision-resistant hash function H1 : {0, 1}∗ → Zp with the other P K parameters and the construction based on the online/offline signing can be described as follows: Sign: The signing is divided into the offline phase for pre-computation and the online phase for signature extraction. – Offline Phase: Same as above. – Online Phase: Given the message m ∈ {0, 1}∗, (1) first compute m = H1 (σ1 , σ2 , m ) ∈ Zp and (2) then output s = (m − m )β + s . The final signature on m is σm = (σ1 , σ2 , s ). Verify: Given a signature σm = (σ1 , σ2 , σ3 ), a message m ∈ {0, 1}∗ and the public key P K. The verifier does as follows:
– Compute m = H1 (σ1 , σ2 , m ) and then M = H(g3m g σ3 ); – Accept the signature (σ1 , σ2 , σ3 ) on m signed by P K if the following equation holds e(σ1 , g) = e(g2 , g1 )e(u0 ui , σ2 ). i∈M
How to Prove Security of a Signature with a Tighter Security Reduction
101
Theorem 3. Assuming the security of chameleon hash and the hardness of CDH assumption, the above signature scheme possesses strong unforgeable security. Suppose the adversary queries messages mi and the signatures are σmi = σmi ,1 , σmi ,2 , σmi ,3 , for all i = 1, 2, · · · , qs . Once the adversary outputs a valid signature (σ1∗ , σ2∗ , σ3∗ ) on m∗ , the cases are as follows: – m∗ = mi for any i ∈ {m1 , m2 , · · · , mqs }: It means that the adversary can forge a signature on a new message m∗ . When the security of hash function H1 holds, we have H1 (σ1∗ , σ2∗ , m∗ ) = H1 (σmi ,1 , σmi ,2 , mi ), for all i = 1, 2, · · · , qs . H (σ∗ ,σ∗ ,m∗ )
∗
H1 (σm
,1 ,σm ,2 ,mi )
i i If g3 1 1 2 g σ3 = g3 g σmi ,3 holds for any i ∈ {1, 2, · · · , qs }, it will be contrary to the security of chameleon hash; H1 (σmi ,1 ,σmi ,2 ,mi ) σm ,3 H (σ∗ ,σ∗ ,m∗ ) σ∗ otherwise, g3 1 1 2 g 3 = g3 g i for all i = 1, 2, · · · , qs , then it is contrary to the hardness of CDH assumption since we can use the attack to break the CDH problem as in Theorem 2.
– m∗ = mj where j ∈ {m1 , m2 , · · · , mqs }: There will be two cases according to the forged signature (σ1∗ , σ2∗ , σ3∗ ) = (σmj ,1 , σmj ,2 , σmj ,3 ): • (σ1∗ , σ2∗ ) = (σmj ,1 , σmj ,2 ): This case will have the same result as above due to the inequality of output from hashing computation; • (σ1∗ , σ2∗ ) = (σmj ,1 , σmj ,2 ): This case has the same output of H1 hashH (σ1∗ ,σ2∗ ,m∗ ) σ∗ 3
ing computation but σ3∗ = σmj ,3 , which means that g3 1 H1 (σmi ,1 ,σmi ,2 ,mi ) σm ,3 g3 g i
g
=
for all i = 1, 2, · · · , qs , then the attack is also contrary to the CDH assumption. From the above, it is obvious that the strong unforgeable security is independent of our signature construction. Thus, the strong unforgeable security can be achieved in a generic way. Let a signature scheme (G, S, V), which denotes public key generation, signing and verification, respectively, be any existential unforgeability under a chosen message attack. Then, using the parameters from our above scheme, the generic way to extend to strong existential unforgeability under a chosen message attack can be described as follows: SysGen: The system parameters are SP = {G, S, V, H1 , g}. KeyGen: Let (pk, sk) be a pair of public/private key from G, randomly choose β ∈ Zp and set g3 = g β , the final public/private key of (P K, SK) is P K = (pk, g3 ), SK = (sk, β). Sign: Let σγ be a signature on g γ output from S using sk where γ ∈ Zp is secretly chosen at random. (1) First compute m = H1 (σγ , m) ∈ Zp and (2) then output s = γ − m β. The final signature on m is σm = (σγ , s ). Verify: Given the signature (σγ , s ), public key P K and system parameters SP , compute h = H1 (σγ , m). Accept the signature if σγ is a valid signature on g3h g s .
102
5
F. Guo, Y. Mu, and W. Susilo
Conclusion
A desirable signature scheme must capture all the keywords: “tightness”, “weak assumption” and “standard model” in the security proof. We showed how to transform a signature with a loose security reduction to a better scheme with a tighter security reduction. As an example, we provided an analysis to show why the Waters signature is not tight and then tighten the security reduction by applying a chameleon hash function. The security proof in our scheme demonstrated a constant probability that is independent from signature query. We also showed how to tighten an identity-based signature scheme, transform our scheme into online/offline signature and construct a signature scheme with strong unforgeable security.
References 1. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004) 2. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001) 3. Boneh, D., Shen, E., Waters, B.: Strongly unforgeable signatures based on computational diffie-hellman. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 229–240. Springer, Heidelberg (2006) 4. Cheon, J.H.: Security analysis of the strong diffie-hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006) 5. Camenisch, J.L., Hohenberger, S., Pedersen, M.: Batch verification of short signatures. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 246–263. Springer, Heidelberg (2007) 6. Camenisch, J.L., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004) 7. Cramer, R., Shoup, V.: Signature schemes based on the strong RSA assumption. ACM Trans. on Information and System Security 3(3), 161–185 (2000) 8. Chen, X., Zhang, F., Susilo, W., Mu, Y.: Efficient generic online/offline signatures without key exposure. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 18–30. Springer, Heidelberg (2007) 9. Even, S., Goldreich, O., Micali, S.: Online/offline digital signatures. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 263–275. Springer, Heidelberg (1990) 10. Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006) 11. Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999) 12. Goh, E.J., Jarecki, S.: A signature scheme as secure as the Diffie- Hellman problem. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 401–415. Springer, Heidelberg (2003)
How to Prove Security of a Signature with a Tighter Security Reduction
103
13. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002) 14. Horwitz, J., Lynn, B.: Toward hierarchical identity-based encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 466–481. Springer, Heidelberg (2002) 15. Hohenberger, S., Waters, B.: Realizing hash-and-sign signatures under Standard Assumptions. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 333–350. Springer, Heidelberg (2009) 16. Krawczyk, H., Rabin, T.: Chameleon signatures. In: Symposium on Network and Distributed Systems Security (NDSS 2000), February 2000, pp. 143–154. Internet Society (2000) 17. Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: 10th ACM Conf. on Computer and Communications Security, pp. 155–164 (2003) 18. Paterson, K., Schuldt, J.: Efficient identity-based signatures secure in the standard model. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 207–222. Springer, Heidelberg (2006) 19. Shamir, A., Tauman, Y.: Improved online/offline signature schemes. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 355–367. Springer, Heidelberg (2001) 20. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
Twin Signature Schemes, Revisited Sven Sch¨ age Horst G¨ ortz Institute for IT-Security, University of Bochum, Germany
[email protected]
Abstract. In this paper, we revisit the twin signature scheme by Naccache, Pointcheval and Stern from CCS 2001 that is secure under the Strong RSA (SRSA) assumption and improve its efficiency in several ways. First, we present a new twin signature scheme that is based on the Strong Diffie-Hellman (SDH) assumption in bilinear groups and allows for very short signatures and key material. A big advantage of this scheme is that, in contrast to the original scheme, it does not require a computationally expensive function for mapping messages to primes. We prove this new scheme secure under adaptive chosen message attacks. Second, we present a modification that allows to significantly increase efficiency when signing long messages. This construction uses collision-resistant hash functions as its basis. As a result, our improvements make the signature length independent of the message size. Our construction deviates from the standard hash-and-sign approach in which the hash value of the message is signed in place of the message itself. We show that in the case of twin signatures, one can exploit the properties of the hash function as an integral part of the signature scheme. This improvement can be applied to both the SRSA based and SDH based twin signature scheme.
1
Introduction
Digital signature schemes need little introduction. Besides encryption systems, they are the most fundamental public-key primitives. They are used in a variety of cryptographic protocols and by now, the literature knows many variants (e.g. ring signatures, group signatures, blind signatures). The Random Oracle Model. Most of the existing signature schemes are provably secure in the random oracle model [2] which assumes the existence of publicly available functions with truly random outputs. In practical realizations, these functions are then replaced by cryptographic hash functions. However, this model represents a very strong idealization of the real world and in 1998, Canetti, Goldreich and Halevi [7] showed that there exist signature schemes which have a security proof in the random oracle model but are insecure when instantiated with any hash function. Since then, research on signature schemes which are provably secure in the standard model has gained much attention. J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 104–117, 2009. c Springer-Verlag Berlin Heidelberg 2009
Twin Signature Schemes, Revisited
105
Motivation – Twin Signatures. Practical signature schemes that are secure in the standard model seem to be much harder to construct than signature schemes in the random oracle model, where we can apply, for example, the FiatShamir heuristic [12] that provides a general method to obtain secure signature schemes from three-move zero-knowledge protocols. In the standard model, we know only few secure signature schemes and even less design principles to construct them. In 2001, Naccache, Stern and Pointcheval presented a signature scheme that is proven secure without random oracles in the standard model. The scheme is secure solely under the Strong RSA (SRSA) assumption. The basic idea is to securely combine two distinct RSA groups such that an attacker must break the SRSA assumption in at least one of them. Though essentially relying on the properties of the underlying complexity assumption, this idea comes very close to a more general design principle. However, the original scheme was defined in SRSA groups where each group element has a 1024 bit representation. It is therefore not competitive with state-of-the-art signature schemes which have signature sizes of 340 bits [3] or below [17]. In this work, we generalize the Naccache et al. scheme and improve its efficiency in several ways. Contribution. First, we present a new twin signature scheme that is based on the SDH assumption in bilinear groups. Since the representation of group elements can be much shorter in bilinear groups (≈ 170 bits) than in RSA groups (≈ 1024 bits), the new signature scheme allows for much shorter signatures. Another part of our contribution deals with a formalization and generalization of techniques to properly combine the two RSA groups to yield an adaptively secure signature scheme. In this process, we extract the notion of chaining functions. Roughly speaking, chaining functions are binary functions that fulfill a certain form of collision-resistance and one-wayness. We show that the SRSA based twin signature scheme is secure for any secure chaining function. Likewise, we are able to prove our SDH based signature scheme secure for any secure chaining function. Next, we analyze the efficiency of twin signature schemes while concentrating on the two main issues signature size and computational complexity of the signing and verification procedure. We reveal a severe efficiency bottleneck in the Naccache et al. scheme when signing long messages as in the presented form, the signature size is proportional to the length of the input message. Finally, we give a solution to this problem by designing a new provably secure chaining function. Related Work. In 1984, Goldwasser, Micali and Rivest [16] published the first provable secure, but inefficient signature scheme. More than a decade later, in 1999, Gennaro, Halevi, and Rabin [15] and independently Cramer and Shoup [10] proposed the first secure hash-and-sign signature schemes which are secure in the standard model under the Strong RSA assumption (SRSA). Since then, several signature schemes have been proposed under the SRSA assumption [5,13,17,24]. Among them, we can find several schemes that rely on functions which map messages (or message-dependent intermediate values) to prime numbers
106
S. Sch¨ age
[8,15,21]1 . Existing examples of such functions are computationally expensive, since they include several, i.e. O(lm ) – where lm is the maximal bit size of the input length, costly primality tests [8,21]. Today, there are only few other complexity assumptions that have been utilized for the construction of signature schemes without random oracles. Three assumptions have been defined in bilinear groups with an efficient bilinear pairing: the LRSW [6], the SDH assumption [3,17] and the CDH [23] assumption. Only recently, Hohenberger and Waters presented the first signature scheme that is secure under the (plain) RSA assumption [18]. Bilinear groups have the advantage that the group representation for groups elements can be much shorter than in RSA groups. So far, the schemes secure under the SDH assumption seem to provide the best overall efficiency.
2
Preliminaries
Before presenting our results, we briefly review the necessary formal and mathematical definitions. 2.1
Notation $
If B is a set we write |B| to denote its size. For a set B, we use x ← B to denote that x is drawn from B uniformly at random. If s is a string, we write |s| to denote its bit-length. If s is a string, we use s||s to denote the result when concatening s with itself. For an algorithm A we write A(i1 , i2 , . . .) to denote that A has input parameters i1 , i2 , . . . . Similarly, we denote with y ← A(i1 , i2 , . . .) that A outputs y when running on inputs i1 , i2 , . . .. We write PPT (probabilistic polynomial time) to refer to randomized algorithms that run in polynomial time. The security parameter is denoted as κ ∈ N. Finally, we use 1κ to describe the string that consist of κ ones. 2.2
Signature Scheme
A digital signature scheme S consists of three algorithms. The probabilistic polynomial time (PPT) algorithm KeyGen generates a secret and public key pair (SK, P K). The PPT algorithm Sign takes as input a secret key SK and the message m and outputs a signature σ. Finally, the deterministic polynomial time algorithm Verify processes a public key P K, a message m and a signature σ to check whether σ is a legitimate signature on m signed by the holder of the secret key corresponding to P K. On successful verification the algorithm outputs 1, otherwise 0. 1
We note that [15] also consider division-intractable functions. However, it was shown in 2000 by Coron and Naccache [9] that contrarily to the results of numerical experiments performed by Gennaro, Halevi and Rabin [15] the security of divisionintractable functions only rises subexponentially with the input length. We therefore concentrate on prime mapping functions.
Twin Signature Schemes, Revisited
2.3
107
Existential Unforgeability
The strongest notion of security for signature schemes was defined by Goldwasser, Micali and Rivest in 1988 [16]. It has been formalized in the following attack game in which the attacker is granted oracle access to a signing oracle OSK (·). Setup. In the setup phase, (SK, P K) ← KeyGen(1κ ) is run and the public key P K is given to the adversary. Signature queries. The adversary adaptively queries OSK (·) with q = q(κ) messages m1 , . . . , mq of his choice and obtains q signatures σ1 , . . . , σq with σi = Sign(SK, m) for i ∈ {1, . . . , q}. Output. The attacker outputs (m∗ , ρ∗ ) with m∗ ∈ / {m1 , . . . , mq } and Verify(P K, m∗ , σ ∗ ) = 1. We denote the success probability of an adversary A (taken over the random coins of the challenger and the adversary) to win the above game as AdvS,A . Definition 1 (Existential Unforgeability). An adversary A is said to (q, t, )-break the existential unforgeability of the signature scheme S if A has success probability AdvS,A = after generating at most q queries and running in time t. A signature scheme S is said to be (q, t, )-secure if there exists no PPT adversary that (q, t, )-breaks the existential unforgeability of S. 2.4
Complexity Assumptions
In the following we introduce the complexity assumptions on which the security of the presented signature schemes relies on. Definition 2 (Strong RSA Assumption (SRSA) [1]). Given an RSA modulus n = pq (where p, q are sufficiently large primes), and an element u ∈ Z∗n , we say that the (SRSA , tSRSA )-assumption holds if for all tSRSA -time adversaries A Pr (u1/t mod n, t) ← A(n, u), t > 1, ≤ SRSA , where the probability is over the random choices of u, n and the random coins of A. Definition 3 (Bilinear groups). Let G1 =< g1 >, G2 =< g2 > and GT be groups of prime order p. The function e : G1 × G2 → GT is a bilinear pairing if it holds that 1.) ∀a ∈ G1 , b ∈ G2 , x, y ∈ Zp : e(ax , by ) = e(a, b)xy (bilinearity), 2.) e(g1 , g2 ) = 1GT is a generator of GT (non-degeneracy), and 3.) e is efficiently computable (efficiency). We call (G1 , g1 , G2 , g2 , GT , p, e) a bilinear group. Definition 4 (Strong Diffie-Hellman assumption (SDH) [3]). Given a bilinear group (G1 , g1 , G2 , g2 , GT , p, e), we say that the (qSDH , SDH , tSDH )SDH assumption holds if for all tSDH -time attackers A that are given T = (x2 ) (xq ) g1 , g1x , g1 , . . . , g1 , g2 , g2x ∈ Gq+1 × G22 with (q = qSDH ) it holds that 1 1/(x+c) Pr (g1 , c) ← A(T ), c ∈ Zp ≤ SDH ,
108
S. Sch¨ age
where the probability is over the random choices for g1 ∈ G1 , g2 ∈ G2 , x ∈ Zp and the random bits of A. 2.5
Collision-Resistant Hashing
Our constructions make use of collision-resistant cryptographic hash functions. Definition 5 (Collision-resistant hash function). Let H = {Hk }k∈N be a family and each Hk a collection of functions of the form h : {0, 1}∗ → {0, 1}k . H is called (th , h )-collision-resistant if for all th -time adversaries A there exists a negligible function h = h (k) with
$ h ← H , (m, m ) ← A(h), m = m , k Pr ≤ h , m, m ∈ {0, 1}∗, h(m) = h(m ) where the probability is over the random bits of A. 2.6
Chaining Functions
In our signature schemes, we will combine the input message m with a random value r using a function w : R × M → R. However, we must impose some requirements on w. Definition 6 (Chaining Functions). Let W = {Wk }k∈N be a family and each Wk a collection of functions of the form w : R × M → R with |R| ≤ 2k . We say that W is (tchain , chain )-chaining if for all attackers A there exists a negligible $
function chain = chain (k) and the following properties hold for w ← Wk : 1. For all m ∈ M it holds that w(R, m) = R. 2. Given z ∈ R, m ∈ M, it is easy to find r ∈ R such that w(r, m) = z. 3. For all r¯ ∈ R, it holds for all tchain -time attackers A that (m, m ) ← A(¯ r , w), m, m ∈ M, Pr ≤ chain , m = m , w(¯ r , m) = w(¯ r , m ) where the probability is over the random coins of A.2 4. For all m ∈ M and given random r, r ∈ R, it holds for all tchain -time attackers A that
Pr m ← A(r, r , m, w), m ∈ M, w(r, m) = w(r , m ) ≤ chain , where the probability is computed over the random coins of A and the random choices for r and r . 2
If w is also a permutation or just injective in the second input parameter, this requirement is trivially fulfilled.
Twin Signature Schemes, Revisited
109
If used in signature schemes, w is fixed at random during the key generation phase. In [21], Naccache et al. implicitly show that W = {W2k }k∈N is chaining for M = {0, 1}k and R = {0, 1}2k with k ∈ N if W2k = {w(r, m) = r ⊕ (m||m)}. The advantage of this function is its statistical security. The drawback is its inefficiency when signing long messages. Lemma 1. The above function W is (·, 2−k )-chaining according to Definition 6. Proof. Properties 1 and 2 are obvious. Property 3 follows from the fact that for any two m, m ∈ {0, 1}k with m = m it also holds that m||m = m ||m and hence r ⊕ m||m = r ⊕ m ||m for all r ∈ R. To show Property 4, suppose we are given a random m ∈ {0, 1}k and random r, r ∈ {0, 1}2k . Assume that there exists m ∈ {0, 1}k such that r ⊕ m||m = r ⊕ m ||m . We then must have that r ⊕ r can be represented as r¯||¯ r for some r¯ ∈ {0, 1}k . For a given random pair r and r this only happens with probability 2−k .
3
Twin Signatures
In this section, we present a generic variant SSRSA of the SRSA based twin signature scheme. l Let R = {0, 1} r , M = {0, 1}lm , and W be a (tchain , chain )-chaining function. Additionally, let p : {0, 1}lr → N be an efficient function that injectively maps strings to prime numbers. KeyGen(1κ ). Choose two RSA moduli n1 = p1 q1 and n2 = p2 q2 . Then randomly choose u1 ∈ Z∗n1 and u2 ∈ Z∗n2 . The public key is P K = (n1 , n2 , u1 , u2 ) and the secret key consists of the factorization of n1 and n2 : SK = (p1 , q1 , p2 , q2 ). We require 2lr − 1 ≤ min{φ(n1 ), φ(n2 )}. $
Sign(SK, m). Given a secret key SK and a message m ∈ M, pick r ← R and compute the signature σ = (s1 , s2 , r)3 as 1
1
s1 = u1p(w(r,m)) mod n1 , s2 = u2p(r) mod n2 . Verify(P K, m, σ). Given a public key P K, a message m, and a signature σ = (s1 , s2 , r), verify if the following equations hold: p(w(r,m)) ?
s1 3
p(r) ?
= u1 mod n1 , s2
= u2 mod n2 .
We made a small simplification here. In the original paper, not r is part of the signature but the randomness ω that is used to generate r. We stress that since r is drawn uniformly at random from R we must have that |ω| ≥ lr = 2lm and therefore ω is also dependent on the message size.
110
S. Sch¨ age
Theorem 1. Suppose the (tSRSA , SRSA )-SRSA assumption holds and W is a (tchain , chain )-chaining function. Then, SSRSA is (q, t, )-secure against adaptive chosen message attacks provided that t ≈ tSRSA + tchain , ≤ 2SRSA + 2q 2 chain . The proof of Theorem 1 closely follows [21].
4
An SDH Based Twin Signature Scheme
In this section, we present our SDH based twin signature scheme SSDH . Let a bilinear group (G1 , g1 , G2 , g2 , GT , p, e) and a (tchain , chain )-chaining function W with R = {0, . . . , tr } and tr ≤ p be given. Let gT = e(g1 , g2 ). $
KeyGen(1κ ). Choose two elements x1 , x2 ← Zp . The public key is P K = (P K1 , P K2 ) with P K1 = g2x1 and P K2 = g2x2 . The secret key is SK = (x1 , x2 ). $
Sign(SK, m). Given a secret key SK and a message m ∈ M , pick r ← R with r = −x2 and w(r, m) = −x1 and compute σ = (s1 , s2 , r) as 1
1
s1 = g1(x1 +w(r,m)) , s2 = g1(x2 +r) . Verify(P K, m, σ). Given a public key P K a message m and a signature σ = (s1 , s2 , r), verify whether the following equations hold: ? ? w(r,m) e s1 , P K 1 · g 2 = gT , e (s2 , P K2 · g2r ) = gT .
5
Security
Theorem 2. Suppose that the (qSDH , tSDH , SDH )-SDH assumption holds and that w is a (tchain , chain )-chaining function. Then, SSDH is (q, t, )-secure against adaptive chosen message attacks with q = qSDH , t ≈ tSDH + tchain , ≤ 2SDH + 2q 2 chain . Proof. By contradiction. Assume algorithm A is a forger that (q, t, )-breaks the existential unforgeability of SSDH . Then, we can construct a simulator B, that interacts with A and after q signature queries either breaks the SDH problem or the security of the chaining function in time t with advantage . We consider four types of forgeries m∗ , (s∗1 , s∗2 , r∗ ) A can output after making q signature queries m1 , . . . , mq and receiving q responses (s1,1 , s2,1 , r1 ), . . . , (s1,q , s2,q , rq ): Type I: r∗ ∈ / {r1 , . . . , rq }. Type II: r∗ = ri , i ∈ {1, . . . , q}, w(r∗ , m∗ ) ∈ / {w(r1 , m1 ), . . . , w(rq , mq )}. Type III: r∗ = ri , w(r∗ , m∗ ) = w(rj , mj ), i, j ∈ {1, . . . , q}, i = j. Type IV: r∗ = ri , w(r∗ , m∗ ) = w(ri , mi ), i ∈ {1, . . . , q}.
Twin Signature Schemes, Revisited
111
We subsequently assume that B at the beginning of the communication guesses which type of forgery A is going to output (with probability 14 ). According to this guess, B proceeds differently. If B’s guess turns out to be wrong, he simply aborts and restarts. Theorem 2 then follows by a standard hybrid argument. (x2 ) (xq ) Let gˆ1 , gˆ1x , gˆ1 , . . . , gˆ1 , gˆ2 , gˆ2x be the SDH challenge and (m, ˆ rˆ, rˆ ) the challenge for Property 4 of the chaining function. Let Pr[Si ] denote the success probability for an attacker to successfully forge signatures in Game i. Type I Forger Game0 . This is the original attack game. By assumption, A (q, t, )-breaks S when interacting with the signing oracle OSK (·). We have Pr[S0 ] = .
(1)
Game1 . This game is like the previous one except that B constructs the values $ g1 , P K1 and P K2 using the SDH challenge. First, B chooses x1 ← Zp and $
r(x)
r1 , . . . , rq ← R. Then, it computes g1 = gˆ1 , g2 = gˆ2 , P K1 = g2x1 , P K2 = g2x , q where r(x) := i=1 (x + ri ). Note that B can easily generate g1 by computing
q r(x) the coefficients βi ∈ Z for i ∈ {0, . . . , q} of r(x) = 0 βi xi and evaluating gˆ1 = βi q (xi ) ˆ1 . Since x1 and the ri ’s are chosen at random, the distribution of i=0 g the constructed values is equal to the previous game. Thus, Pr[S1 ] = Pr[S0 ] .
(2)
Game2 . Now, B simulates OSK (·) by answering A’s signature queries. For each received message mj ∈ M, B outputs σj = (s1,j , s2,j , rj ) with 1/(x1 +w(rj ,mj ))
s1,j = g1
q
, s2,j = gˆ1
i=1,i=j
(x+ri )
.
The simulator can easily compute s1,j since it knows x1 . The value s2,j can be computed like g1 using the SDH challenge. Since the rj ’s have been chosen randomly, the changes are purely conceptual. Pr[S2 ] = Pr[S1 ] . Let us now consider the forgery (m w(r ∗ ,m∗ )
e(s∗1 , P K1 g2
∗
, s∗1 , s∗2 , r∗ )
(3)
output by A. It must hold that ∗
) = e(s∗2 , P K2 g2r ) = e(g1 , g2 ) .
By assumption, we have that r∗ ∈ / {r1 , . . . , rq }. Using long division, the simulator can now compute d ∈ Z and a polynomial r (x) of degree q − 1 with coefficients in Z such that r(x) = (x + r∗ )r (x) + d. Since (x + r∗ ) does not divide r(x) we must have that d = 0. From the second verification equation we get that 1/(x+r ∗ ) r (x)+d/(x+r ∗ ) ∗ s2 = g1 = gˆ1 . Therefore, B can compute a solution to the SDH problem as 1/d 1/(x+r ∗ ) ∗ ∗ −r (x) s2 gˆ1 = gˆ1 ,r .
112
S. Sch¨ age
We finally have that Pr[S2 ] = SDH .
(4)
Type II Forger Now suppose B rightly expects A to be a Type II Forger. The proof proceeds analogously to the proof for Type I Forgers. $
$
Game1 . In this game, B chooses random x2 ← Zp and w1 , . . . , wq ← R. Now define v(x) := qi=0 (x + wi ). Then, B computes v(x)
g1 = gˆ1
, g2 = gˆ2 , P K1 = g2x , P K2 = g2x2 .
As before, the distribution of the values is equal to the previous game. Pr[S1 ] = Pr[S0 ] .
(5)
Game2 . In this game, B simulates the signing oracle. When receiving a query mj ∈ M, it first computes rj ∈ R such that wj = w(rj , mj ). It then outputs the signature σj = (s1,j , s2,j , rj ) with q
s1,j = gˆ1
i=1,i=j
(x+wi )
1/(x2 +rj )
, s2,j = g1
.
Since the wi ’s are chosen uniformly at random from R, so are the ri ’s because w is a permutation in the first input parameter. Pr[S2 ] = Pr[S1 ] .
(6)
Similar to the previous case, B can compute a polynomial v (x) and d ∈ Z with d = 0 such that v(x) = (x + w(r∗ , m∗ ))v (x) + d because w(r∗ , m∗ ) ∈ / {w(r1 , m1 ), . . . , w(rq , mq )} and thus (x + w(r∗ , m∗ )) does not divide v(x). The simulator then outputs a solution to the SDH problem as 1/d −v (x) s∗2 gˆ1 , w(r∗ , m∗ ) . We have that Pr[S2 ] = SDH .
(7)
Type III Forger $ Game1 . In this game, we let the simulator choose both secret keys x1 , x2 ← Zp . x1 x2 It sets g1 = gˆ1 , g2 = gˆ2 , P K1 = g2 , and P K2 = g2 . Pr[S1 ] = Pr[S0 ] .
(8) $
Game2 . Next, B makes two random guesses for distinct indices j, k ← {1, . . . , q}. For all i ∈ {1, . . . , q} \ {j, k}, the simulator proceeds according to Sign to simulate OSK (·) using the secret keys x1 and x2 . In particular, this means that the ri are chosen uniformly at random from R. For the j’th signature, B computes
Twin Signature Schemes, Revisited
113
rj such that w(ˆ r , m) ˆ = w(rj , mj ) using the challenge for the chaining function. For the k’th signature, B sets rk = rˆ . Since rˆ and rˆ originate from a random challenge for the chaining function and the remaining ri are chosen randomly we still have that Pr[S2 ] = Pr[S1 ] . (9) Game3 . By assumption, we have that A outputs a forgery m∗ , (s∗1 , s∗2 , r∗ ) with r∗ = ra for some a ∈ {1, . . . , q} and w(r∗ , m∗ ) = w(rb , mb ) for some b ∈ {1, . . . , q}. We have that a = b. Now, B aborts if b = j or a = k. Since rj and rk are perfectly indistinguishable from the remaining ri we have that Pr[S3 ] = 1/q 2 · Pr[S2 ] .
(10)
Otherwise, B has found a solution to the challenge for Property 4 w(ˆ r , m∗ ) = w(rk , m∗ ) = w(ra , m∗ ) = w(r∗ , m∗ ) = w(rb , mb ) = w(ˆ r , m). ˆ Pr[S3 ] = chain .
(11)
Type IV Forger $ Game1 . As before, we let the simulator choose both secret keys x1 , x2 ← Zp . It x1 x2 sets g1 = gˆ1 , g2 = gˆ2 , P K1 = g2 , and P K2 = g2 . Clearly, Pr[S1 ] = Pr[S0 ] .
(12)
Game2 . To simulate the signing oracle, B simply uses x1 and x2 as specified by Sign. Hence, Pr[S2 ] = Pr[S1 ] . (13) By assumption we have that B w(r∗ , m∗ ) = w(rj , m∗ ) = w(rj , mj ) for some j ∈ {1, . . . , q}. From the definition of the attack game we also know that m∗ = mj . So, B has found a collision for the chaining function (Property 3) and Pr[S2 ] = chain .
(14)
Putting together Equations (1)-(14), we get that = SDH for Type I and Type II forgeries, = q 2 chain for Type III forgers, and = chain for Type IV forgers. Clearly, ≤ SDH + q 2 chain for each type of forger. Finally, considering B’s initial guess we have that ≤ 2SDH + 2q 2 chain what proofs Theorem 2.
6
Improved Chaining Function
In this section, we analyze the efficiency of twin signature schemes when signing long messages. We concentrate on two issues. The first issue concerns the computational efficiency of the scheme. Recall the chaining function from Section 2.6. Since in the SRSA based scheme the input of p and hence the computational
114
S. Sch¨ age
efficiency depends on the message size lm , Naccache et al. recommend to apply a hash function h ∈ Hk prior to the prime mapping function p [21, §B.2]: w (r, m) = h(r ⊕ (m||m)). Now, p must only map values of maximal length k to prime numbers. One can easily see, that this improvement does not address the signature size, since r, by condition lr = 2lm , still depends on lm . This is our second issue. A further improvement is to first apply the collision-resistant hash function to the input message and then to sign the resulting hash value: w (r, m) = r ⊕ (h(m)||h(m)). Now, we have that lr = 2k and, as a result, r and the signature size are independent of lm . For both improvements (w and w ) we must assume that the underlying hash function is collision-resistant and so rely on additional complexity assumptions to maintain provable security (as long as the hash function does not solely rely on complexity assumptions that are provably weaker than SRSA, SDH respectively). We stress that we use hash functions solely for the purpose of (message) domain extension, not as instantiations of random oracles. For practical parameters, say k = 160, we now have that lr = 320. The final question is if this situation can further be improved. Ideally, we would have that lr = 160. This has several benefits. First, prime mapping can be twice as fast. Second, the signature size could be reduced by 160 bits. Suprisingly, we can show that when using hash functions with the additional property that random input strings are mapped to uniformly distributed output strings, we can do without the string concatenation: w ˜ : {0, 1}k × {0, 1}∗ → {0, 1}k w(r, ˜ m) = r ⊕ h(m) . Lemma 2. Let H = {Hk } be a (th , h )-collision-resistant hash function. Furthermore, assume that for every h ∈ Hk with k ∈ N h(m) is uniformly distributed in {0, 1}k for random m ∈ {0, 1}∗. Then, W = {Wk } with Wk = {w(r, ˜ m) = r ⊕ h(m)| h ∈ Hk } is (th , h )-chaining. Proof. The first two properties can be verified by inspection. Property 3 holds because r˜⊕h(m) = r˜⊕h(m ) implies h(m) = h(m ). So, any attacker that breaks Property 3 also breaks the collision-resistance of the hash function. To show that w ˜ fulfills Property 4 observe that r˜ ⊕ h(m) = r˜ ⊕ h(m ) implies r˜ ⊕ r˜ ⊕ h(m) = h(m ) for given random r, r ∈ {0, 1}k and m ∈ {0, 1}∗. Now, for contradiction, assume there exists an attacker A that can find m with probability ≥ h in time th . Then we can construct algorithm B that uses A to find collisions in the hash function. At first B chooses uniformly at random m ¯ ∈ {0, 1}∗ and computes y = h(m). ¯ Next, B chooses a random m ∈ {0, 1}∗ and a random k r ∈ {0, 1} , computes h(m), r = y ⊕ h(m) ⊕ r and runs A on (m, r, r ). As h(m) is random in {0, 1}k , so is r . Finally, A outputs m and since we have that r ⊕ r ⊕ h(m) = h(m ) = y = h(m) ¯ and because m ¯ = m with overwhelming probability, B has found a hash collision. This contradicts the fact that H is (th , h )-collision-resistant.
Twin Signature Schemes, Revisited
115
Table 1. Efficiency Comparison of Chaining Functions. Elements in G1 have around 170 bits [4,20], while RSA moduli have at least 1024 bits. Let lmax = max{4lm , 2048}. scheme chaining function signature size in bits #prim. tests #pairings SSDH r ⊕ h(m) k + 340 – 2 SSRSA r ⊕ h(m) k + 2048 O(k) – SSRSA r ⊕ (h(m)||h(m)) 2k + 2048 O(k) – [21, §B.2] h(r ⊕ (m||m)) 2lm + 2048 O(k) – [21] r ⊕ (m||m) 2lm + lmax O(lm ) –
7
Online/Offline Signature Schemes
In this section, we present a modification that further improves the efficiency of SSRSA and SSDH by turning them into online/offline signature schemes [11]. The key idea is to precompute s1 using a random z ∈ R in the offline phase as 1/(p(z)) 1/(x +z) s1 = u1 mod n1 , s1 = g1 1 respectively. In the online phase, when the signer wants to sign message m, she only has to find r such that z = w(r, m) 1/(p(r)) 1/(x +r) and compute s2 = u2 mod n2 , s2 = g1 2 respectively. In this way, we can save costly inversion and exponentiation operations in the online phase. However, the efficiency gain seems rather small when compared with what can be achieved in online/offline signature schemes that are based on signature schemes which utilize chameleon hash functions [19], like for example [22].
8
Summary
We have generalized and improved the twin signature scheme by Naccache et al. by 1.) presenting a generic twin signature scheme that is based on the SDH assumption and provides much shorter signatures than the original scheme and 2.) designing a new chaining function which allows to very efficiently sign and verify long messages. As a result, the signature size is not dependent on the input message anymore. For a hash function with 160 bit output values, the resulting signature scheme outputs signatures with only about 500 bits (as compared to >2048 bits in the original scheme). However, the state-of-the-art scheme by Boneh-Boyen is only 340 bits and significantly smaller. This indicates that although twin signature schemes provide a very general approach for constructing secure signature schemes in the standard model, they are inferior, in terms of efficiency, to schemes that utilize for example chameleon hash functions.
References 1. Bari´c, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997)
116
S. Sch¨ age
2. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993) 3. Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptology 21(2), 149–177 (2008) 4. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin [14], pp. 41–55 5. Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003) 6. Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin [14], pp. 56–72 7. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: STOC, pp. 209–218 (1998) 8. Chevallier-Mames, B., Joye, M.: A practical and tightly secure signature scheme without hash function. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 339–356. Springer, Heidelberg (2007) 9. Coron, J.-S., Naccache, D.: Security analysis of the Gennaro-Halevi-Rabin signature scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 91–101. Springer, Heidelberg (2000) 10. Cramer, R., Shoup, V.: Signature schemes based on the Strong RSA assumption. In: ACM Conference on Computer and Communications Security, pp. 46–51 (1999) 11. Even, S., Goldreich, O., Micali, S.: On-line/off-line digital signatures. J. Cryptology 9(1), 35–67 (1996) 12. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1986) 13. Fischlin, M.: The Cramer-Shoup Strong-RSA signature scheme revisited. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 116–129. Springer, Heidelberg (2003) 14. Franklin, M. (ed.): CRYPTO 2004. LNCS, vol. 3152. Springer, Heidelberg (2004) 15. Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999) 16. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988) 17. Hofheinz, D., Kiltz, E.: Programmable hash functions and their applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 21–38. Springer, Heidelberg (2008) 18. Hohenberger, S., Waters, B.: Realizing hash-and-sign signatures under standard assumptions. In: Joux, A. (ed.) EUROCRYPT. LNCS, vol. 5479, pp. 333–350. Springer, Heidelberg (2009) 19. Krawczyk, H., Rabin, T.: Chameleon signatures. In: NDSS, The Internet Society (2000) 20. Miyaji, A., Nakabayashi, M., Takano, S.: Characterization of elliptic curve traces under FR-reduction. In: Won, D. (ed.) ICISC 2000. LNCS, vol. 2015, pp. 90–108. Springer, Heidelberg (2000)
Twin Signature Schemes, Revisited
117
21. Naccache, D., Pointcheval, D., Stern, J.: Twin signatures: an alternative to the hash-and-sign paradigm. In: ACM Conference on Computer and Communications Security, pp. 20–27 (2001) 22. Shamir, A., Tauman, Y.: Improved online/offline signature schemes. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 355–367. Springer, Heidelberg (2001) 23. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005) 24. Zhu, H.: New digital signature scheme attaining immunity to adaptive-chosen message attack. Chinese Journal of Electronics 10(4), 484–486 (2001)
On the Insecurity of the Fiat-Shamir Signatures with Iterative Hash Functions Eiichiro Fujisaki1 , Ryo Nishimaki1 , and Keisuke Tanaka2 1
NTT, 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585 Japan {fujisaki.eiichiro,nishimaki.ryo}@lab.ntt.co.jp 2 Department of Mathematical and Computing Sciences, Tokyo Institute of Technology, W8-55, 2-12-1 Ookayama, Meguro-ku, Tokyo, 152-8552, Japan
[email protected]
Abstract. At FOCS 2003, Goldwasser and Kalai showed the insecurity of the digital signature schemes obtained by the Fiat-Shamir transformation in the standard model. However, the proof of this negative result is complicated. This paper shows a much simpler counter example in the restricted (but realistic) case that the hash functions are designed by iterating an underlying hash function with an a-priori bounded input length, although we slightly extend the Fiat-Shamir paradigm. The result in [19] ruled out the case that the underlying identification schemes are interactive proofs, whereas this result can apply to the case.
1 1.1
Introduction The Fiat-Shamir Signatures
The Fiat-Shamir paradigm [17] is a general method that produces a digital signature scheme from a three-round public-coin interactive protocol by “collapsing” the interaction using a cryptographic hash function. Let (α, β, γ) be a transcript of a three-round public-coin identification protocol, such that α is the first message from the prover, β is a random query sent by the verifier, and γ is an answer to β from the prover. To remove the interaction and convert it to a digital signature scheme, the Fiat-Shamir paradigm takes the following approach: Let H be a function ensemble. The signer draws a hash function h from H and publish vk = (vk , h) as his public-key, where vk is a verification key of the underlying identification protocol. The signer, i.e., the prover in the starting identification protocol, produces α, computes β = h(α, m) by himself and finally yields γ such that (α, β, γ) is an acceptance transcript in the underlying identification protocol. Since the legitimate signer knows the secret key corresponding to vk , he can produce γ for any β such that (α, β, γ) is an acceptance transcript. The signer outputs (α, β, γ) as the signature for message m of the digital signature scheme obtained from the Fiat-Shamir paradigm on the underlying interactive protocol and hash function h. Fiat and Shamir [17] suggested that the resulting Fiat-Shamir signature schemes are secure in an “ideal” model (where the hash function is an ideal J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 118–128, 2009. c Springer-Verlag Berlin Heidelberg 2009
On the Insecurity of the Fiat-Shamir Signatures
119
function), if the underlying interactive protocols are sound. Later, this was formally validated by Pointcheval and Stern [29, 30], followed by [28, 1], in the so-called random oracle model [5]. Pointcheval and Stern [29] proved that for every three-round public-coin identification protocol that is a honest-verifier zero-knowledge proof of knowledge, the digital signature scheme transformed by the FS paradigm is existentially unforgeable against the chosen-message attacks (EUF-CMA) in the random oracle model. Later, Abdalla et. al. [1] showed necessary and sufficient conditions on three-round public-coin identifications for which the corresponding FS signature is EUF-CMA secure in the random oracle model. The condition is that the identification protocol is secure against impersonation under the passive attacks and the first message sent by the prover is randomly chosen from a large space. On the other hand, when it is implemented in the “real” world (where the random oracle is replaced with a real cryptographic function ensemble), a negative result was known. Goldwasser and Kalai [19] proved that there is a three-round public-coin protocol such that it is sound as identification, but the resulting FS signature scheme is vulnerable against key only attacks for any real cryptographic hash function (ensemble). The proof to show the insecurity of the FS paradigm is complicated: First, they proposed an identification protocol, denoted ID1 , which is not known whether it is sound or not, but the corresponding FS signature, denoted F S ID1 , is just insecure (for any cryptographic hash function ensemble). ID1 includes a heuristic 2-round CS-Proof or universal argument [25, 3], whose soundness is unknown. If the 2-round universal argument is really sound, ID1 is sound, Period. If not, there are two identification schemes, ID2 and ID3 , for which the following is satisfied: If there is a strong impersonator (against the above universal argument), it can be used to break ID3 , F S ID2 and F S ID3 , but it doesn’t work on ID2 . If there is a weak impersonator, it cannot be used to break ID3 but F S ID3 . In a nutshell, at least one (IDi , F S IDi ), for i = 1, 2, 3, results in a pair of a secure identification scheme and an insecure signature scheme, regardless of how sound the heuristic 2-round universal argument is. Since the FS signature scheme is EUF-CMA secure in the random oracle model if the underlying identification scheme is sound, this result illustrates a separation between the random oracle model and the standard model, as does the work of Canetti, et. al. [9], followed by e.g. [27, 22, 10, 8, 7, 15]. The result [19] applies only to the case that the underlying identification scheme is argument. It is still not known whether or not the resulting FS signature scheme is secure if the identification scheme is interactive proof. 1.2
Our Result
We provide a very simple example to show the failure of the (slightly extended) Fiat-Shamir paradigm in the restricted case that the hash functions (from {0, 1}∗ to {0, 1}k ) are designed by iterating an underlying hash function with an a-priori bounded input length (from {0, 1}n(k) to {0, 1}k ), which is the most common way to construct a hash function of an a-priori unbounded length input, such as Merkle-Damg˚ ard [24, 14] and [13, 4, 23, 6, 12].
120
E. Fujisaki, R. Nishimaki, and K. Tanaka
The original Fiat-Shamir paradigm is a method that converts a three-move public coin identification scheme into a digital signature scheme using a hash function ensemble. In this paper, we define an interactive Fiat-Shamir signature scheme, which is a digital signature scheme with oracle access. By starting with an (interactive) signature scheme, not an identification scheme, we can slightly relax the problem, because the complexity of a digital signature scheme can depend not only on security parameter k but on the size of message, whereas that of an identification scheme depends only on security parameter k. This paper version of the Fiat-Shamir transformation converts an interactive FS digital signature scheme into a non-interactive FS digital signature scheme by replacing an oracle with a hash function (drawn uniformly from a hash function ensemble) and providing the description of the hash function to the digital signature scheme. Soundness of this FS paradigm is now to ask if, for every interactive FS digital signature scheme, there is an efficient hash function ensemble such that the (non-interactive) FS digital signature scheme is secure in the real world, no matter when it is secure in the random oracle model. Of course, the answer to this question is negative, because of [19], but we provide a much simpler counter example in the case that a hash function is an iterative hash function. In addition, our negative result can apply to the class of the interactive Fiat-Shamir signature schemes transformed from interactive proofs, that [19] ruled out. Precisely, let H be a design for iteration, modeled as a deterministic Turing machine, which takes an arbitrary finite string and outputs a k-bit string, after having oracle access to a function mapping {0, 1}n(k) → {0, 1}k , repeatedly. We show that, for any design for iteration H, there is a Fiat-Shamir digital signature scheme, denoted F S, such that there is no function ensemble F that makes F S(H(F )) secure against universal forgery (for any sufficiently large message) G against key-only attacks, whereas F S H is EUF-CMA if H is carefully designed and G is a random oracle mapping {0, 1}n(k) to {0, 1}k . 1.3
Related Work
Canetti, Goldreich and Halevi [9] gave the first example that there are cryptographic protocols that are secure in the random oracle model, but cannot be securely instantiated in the real world. Since then, many works, e.g. [27, 19, 22, 10, 8, 7, 15], appeared that illustrate some gap between the random oracle model and the standard model. These counter examples seem to be classified to three categories: In the first category, they are constructed by attaching an artificial test algorithm to a secure cryptographic protocol, such that the test algorithm can distinguish efficiently any real cryptographic function from a random oracle and reveals the secret key if a real hash function is implemented. [9, 19, 22, 10] belong to this category. This result is also classified here. The test algorithm used in this paper is similar to that of [22]. In the second category, the target cryptographic schemes are demanded too much or constructed in too a restricted way to be realized in the real world, but in the random oracle model. In the third category, the targets are actual cryptographic protocols that are secure in the
On the Insecurity of the Fiat-Shamir Signatures
121
random oracle model. However, some separation results found in this category seem to be restrictive, so far. The result in [19] leave open the case that the underlying identification scheme is not argument, but interactive proof. Recently, Halevi, Myers and Rackoff [21] proposed a new cryptographic primitive, called a seed-incompressible (correlation intractable) function. Although they haven not yet found the existence of such functions in [21], their existence cannot be ruled out thus far. The open problem in [19] is related to the existence of this function. Our result is also related to theirs, but not directly, because seed-incompressible correlation intractable functions are, if they exist, bounded-input-length functions (whereas we essentially utilize that the hash functions have a-priori unbounded input length).
2
Definitions
Let , τ : N → R+ ∪ {0} be non-negative-valued functions. We say that (k) is negligible in k if, for any constant c > 0, there exists a constant, k0 ∈ N, such that (k) < (1/k)c for any k > k0 . We let (k) = negl(k) denote that (·) is a negligible function. We say that τ (k) is non-negligible in k if it is not negligible in k, namely, we say that τ (k) is non-negligible in k if there is constant c > 0 such that for infinitely many k’s, it holds τ (k) ≥ (1/k)c . We let τ (k) = non-negl(k) denote that τ (·) is a non-negligible function. We say that τ (k) is overwhelming in k if 1 − τ (k) = negl(k). A hash-function ensemble is a sequence of polynomial-size circuit family H = {Hk }k∈N such that for every k ∈ N, every h ∈ Hk is a function mapping {0, 1}∗ to {0, 1}k . We say that F = {Fk }k∈N is a hash-function ensemble with bounded input length n if for every k ∈ N, every f ∈ Fk is a function mapping {0, 1}n(k) to {0, 1}k . A random oracle is an ideal hash function that provides a random output for each new query. Identical input queries are given the same answer. In this paper, a random oracle maps either {0, 1}∗ to {0, 1}k , or {0, 1}n(k) to {0, 1}k . 2.1
Cryptographic Schemes
A cryptographic scheme consists of a set of probabilistic polynomial-time Turing machines, organized for one specific application, such as encryption and digital signature. We say that a cryptographic scheme has oracle access to O if algorithms in the cryptographic scheme may have oracle access to a random oracle if O is a random oracle, otherwise to a function, drawn uniformly from a function ensemble O once and for all in a “system set-up” phase. In this paper, a function to which an algorithm may have oracle access is either a function mapping {0, 1}n(k) to {0, 1}k or a function mapping {0, 1}∗ to {0, 1}k . Let Σ be a cryptographic scheme. We say that Σ is t-bounded if every algorithm in Σ runs within time t(|initial inputs|), where the initial inputs to Σ are all the inputs to all algorithms in Σ, minus all the inputs that can be created by algorithms in Σ. For example, the initial inputs to a digital signature scheme
122
E. Fujisaki, R. Nishimaki, and K. Tanaka
consist of 1k (for security parameter k) and message m. Σ is called efficient if t is a polynomial, plus every algorithm in Σ runs in a polynomial in its inputs. Let Σ be a cryptographic scheme with oracle access to a hash function ensemble H, denoted Σ H . We write Σ(H) to denote a new cryptographic scheme, constructed as follows: Every algorithm P in Σ is converted to P˜ . The algorithm firstly activated in Σ(H) draws a hash function h from H once and for all. P˜ takes as input the inputs to P and h (if necessary) and emulates P H . The main difference from Σ H is that the description of hash function h is given P˜ in Σ(H), but not P in Σ H . If H has oracle access to O, Σ(H) has oracle access to O, denoted Σ(H)O . Let G be a random oracle to which Σ may have oracle access. We define an implementation of Σ G using a function ensemble H to transform Σ G to Σ(H) by replacing G with H and converting Σ H into Σ(H). The security requirements of a cryptographic scheme are defined as specified games between a cryptographic scheme and an adversary, where an adversary is modeled as a polynomial-size circuit family. If a function is connected directly or indirectly to a cryptographic scheme, it depends on a security game, whether an adversary may have oracle access to it. A function is called public if an adversary can access it. 2.2
The Random Oracle Model
A random oracle is always public in the security games. Namely, if a cryptographic scheme has oracle access to a random oracle, an adversary may also have oracle access to the same random oracle. In addition, if a function to which the cryptographic scheme has oracle access may have oracle access to a random oracle, the adversary may have oracle access to the random oracle, too. 2.3
Indifferentiability
We use the notion of indifferentiability [22]. Let G : {0, 1}n(k) → {0, 1}k and R : {0, 1}∗ → {0, 1}k be random oracles. A Turing machine H with oracle access to G is said to be indifferentiable from R if there is a polynomial-time simulator S such that for any polynomial-size circuit family D it holds that | Pr[DH,G (1k ) = 1] − Pr[DR,S (1k ) = 1]| = negl(k), where S has oracle access to R and D has two oracle access. The simulator does not see the interaction between D and R. There exist several constructions of H with oracle access to G indifferential from R [13, 4, 23, 6, 12]. 2.4
Digital Signature Schemes
We use the standard definition of a digital signature scheme [20, 18]. A digital signature scheme is given by a triple, Σ = (KGen, Sign, Vrfy), of probabilistic polynomial-time Turing machines, where for every (sufficiently large) k ∈ N,
On the Insecurity of the Fiat-Shamir Signatures
123
– KGen, the key-generation algorithm, takes as input security parameter 1k and outputs a pair comprising the verification and signing keys, (vk, sk). – Sign, the signing algorithm, takes as input (vk, sk) and message m and produces signature σ. – Vrfy, the verification algorithm, takes as input (vk, m, σ) and outputs 0 or 1. For completeness, it is required that for any pair (vk, sk) in the range of KGen(1k ) and for any message m ∈ {0, 1}∗, it holds Vrfy(vk, m, Sign(vk, sk, m)) = 1. We stress that the running time of every algorithm in Σ is polynomially bounded in security parameter k and the size of m, only. We say that a digital signature scheme is existentially unforgeable against adaptively chosen message attacks (EUF-CMA) [20, 18], if for any adversary A of a probabilistic polynomial-time non-uniform Turing machine, the probability of the following game is negligible in k: KGen takes 1k and outputs (vk, sk). A takes vk and outputs (m, σ) after having access to Sign(vk, sk, ·) a polynomial (in k) times, where Vrfy(vk, m, σ) = 1 and m was not queried to Sig(vk, sk, ·). The probability is taken over KGen, Sign, and A. If the second condition is replaced with the case that (m, σ) was not in the query-answer history between A and Sign(vk, sk, ·) and if the probability is negligible, the signature scheme is called strongly existentially unforgeable against adaptively chosen message attacks (sEUF-CMA). We say that a digital signature scheme is vulnerable against key only attacks if there is an adversary A of a probabilistic polynomial-time non-uniform Turing machine, that takes vk drawn uniformly from KGen(1k ) and outputs the signature of an arbitrary m with a non-negligible (in k) probability, where A has no access to the signing oracle.
3
Interactive Fiat-Shamir Signature Schemes
As mentioned earlier, we start with a digital signature scheme with oracle access, and convert it to a (non-interactive) digital signature scheme by applying the Fiat-Shamir paradigm. Definition 1. Let O be an arbitrary function from {0, 1}∗ to {0, 1}k . An interactive Fiat-Shamir signature scheme F S O is a digital signature scheme with oracle access to O, such that F S = (KGen, Sign, Vrfy = (V1 , V2 )) consists of probabilistic polynomial-time Turing machines, with the following specification: For every (sufficiently large) k ∈ N, – KGen, the key-generation algorithm, takes 1k and outputs (vk, sk). – Sign, the signing algorithm, takes (vk, sk) and message m ∈ {0, 1}∗ as input. It then computes α and submits (α, m) to O to get back β = O(α, m). It then computes γ and outputs σ = (α, β, γ) as the signature of m with respects to vk.
124
E. Fujisaki, R. Nishimaki, and K. Tanaka
– Vrfy = (V1 , V2 ), the verification algorithm. V1 takes (vk, m, σ) as input. It parses σ to (α, β, γ) and submits (α, m) to O to get back β . If β = β, it outputs 0 and halts the verification procedure, otherwise feeds (vk, α, β, γ) to V2 , V2 takes (vk, α, β, γ) as input and outputs 1 or 0. The completeness is required as well: For any m ∈ {0, 1}∗, Pr[(vk, sk) ← KGen(1k ); σ ← SignO (vk, sk, m) : V1O (vk, m, σ) = 0 ∧ V2 (vk, σ) = 1] = 1. We stress that the running time of every algorithm in F S is bounded by a fixed polynomial in the security parameter k and the length of message m, which is O(poly(k + |m|)). Definition 2. We say that an interactive FS signature scheme is proof for ˜ the key generation algorithm if for any k ∈ N, for any vk ∈ KGen(1k ), it holds that maxα∈{0,1}p(k) pvk,α = negl(k), where pvk,α = Pr[β ← {0, 1}k : ˜ ˜ ˜ (α, β, γ)) = 1]. ∃γ such that V2 (vk, We define the Fiat-Shamir transformation using hash function ensemble H as the conversion of an interactive Fiat-Shamir signature scheme F S G with oracle access to O to the (non-interactive) Fiat-Shamir digital signature scheme F S(H), as follows (or as described in Sec. 2.1). Definition 3. Let O be an arbitrary function from {0, 1}∗ to {0, 1}k . Let H = {Hk }k∈N be a hash function ensemble, such that h : {0, 1}∗ → {0, 1}k for k ∈ N, and h ∈ Hk . Let F S = (KGen, Sign, Vrfy = (V1 , V2 )) be an interactive FiatShamir signature scheme with oracle access to O. The Fiat-Shamir paradigm transforms F S O into F S(H) using H. The resulting implementation, F S(H) = (KGen , Sign , Vrfy = (V1 , V2 )), is specified as follows. – KGen , the key-generation algorithm, takes as input 1k and invoke KGen with 1k to get (vk, sk). It picks up h ← Hk randomly and outputs (vk , sk ), where vk := (vk, h) and sk := sk. – Sign , the signing algorithm, takes (vk , sk , m) as input and parses vk to (vk, h). It then feeds (vk, sk, m) to Sign, where sk := sk , to let Sign submit (α, m). Sign computes β = h(α, m) to reply Sign with. Sign outputs σ as the signature of m with respects to vk , where σ is the output of Sign(vk, sk, m). – Vrfy = (V1 , V2 ), the verification algorithm. V1 takes (vk , m, σ) as input, parses vk to (vk, h) and feeds (vk, m, σ) to V1 to get (α, m), where σ = (α, β, γ). V1 computes β = h(α, m) and feeds it to V1 . If V1 outputs 0, then V1 outputs 0 and halts the verification procedure, otherwise feeds (vk , α, β, γ) to V2 . V2 takes (vk , α, β, γ) as input, parses vk to (vk, h) and feeds (vk, α, β, γ) to V2 . V2 outputs 1 if and only if V2 (vk, α, β, γ) = 1.
4
Proposed Digital Signature Scheme
A design for iteration H is a deterministic polynomial-time Turing machine. Let F S = (KGen, Sign, Vrfy = (V1 , V2 )) be an arbitrary interactive Fiat-Shamir
On the Insecurity of the Fiat-Shamir Signatures
125
signature scheme (as defined in Sec. 3). For simplicity, we assume that the first and the third messages, α , γ, sent by Sign in F S are chosen from {0, 1}p(k) for some polynomial p. We propose an interactive Fiat-Shamir signature scheme F S = (KGen , Sign , Vrfy ), as follows: – The key-generation algorithm KGen takes 1k , runs KGen with 1k , and outputs (vk, sk), generated by KGen(1k ). – The signing algorithm Sign takes as input (vk, sk) and message m and produces signature (α, β, γ) as follows. It first runs Sign on input (vk, sk) and m to get the first message (α , m). Then, Sign produces a description of an arbitrary hash function : {0, 1}n(k) → {0, 1}k , denoted π, such that |π| ≤ |m| and the maximum running steps taken by π evaluating an element in {0, 1}n(k) is less than or equal to |m|. Then, it chooses m ∈ {0, 1}|m| at random to set α = (α , π, m ). Sign submits (α, m) to hash oracle O and gets β. It then feeds β to Sign and gets γ. Finally Sign outputs (α, β, γ) as the signature of m. – The verification algorithm Vrfy = (V1 , V2 ). V1 takes as input (vk, m, σ). First, it parses σ to (α, β, γ) such that α = (α , π, m ). V1 feeds (vk, m, (α , β, γ)) to V1 . When V1 makes oracle query (α , m), V1 instead submits (α, m) to oracle O and feeds β = O(α, m) to V1 . If V1 outputs 0, V1 outputs 0 and halts, otherwise run V2 on input (vk, (α, β, γ)). V2 feeds (vk, (α , β, γ)) to V2 . If V2 outputs 1, then V2 outputs 1. Otherwise, V2 evaluates H(π)(α, m ). If it can be evaluated within an a-priori bounded number of steps, a polynomial in (k + |m|), and H(π)(α, m ) = β, V2 outputs 1, otherwise 0. Theorem 1. The proposed signature scheme F S is proof for KGen if the underlying signature scheme F S is proof for KGen. ˜ ˜ α , β, γ) with only a Since F S is proof for KGen, if vk ∈ KGen, V2 accepts (vk, negligible probability for any α . To exceed a negligible acceptance probability, it must hold H(π)(α, m ) = β with a non-negligible probability. However, the probability of holding H(π)(α, m ) = β is simply 2−k for any α, because π and m must be determined before β is chosen, where α = (α , π, m ).
5
Separation Results with Iterative Functions
The proposed signature scheme is secure in the random oracle model if H is carefully designed but for any H, cannot be securely implemented in the real world, when the implemented hash function is a iterative hash function using design for iteration H. Theorem 2. Let G : {0, 1}n(k) → {0, 1}k and R : {0, 1}∗ → {0, 1}k be random oracles. Let H be a design for iteration such that HG be computationally indifferentiable from R, such as [13, 23, 6, 12]. Let F S R be an interactive FS G signature scheme that is EUF-CMA in the random oracle model. Then, F S H is EUF-CMA in the random oracle model.
126
E. Fujisaki, R. Nishimaki, and K. Tanaka
We only give the sketch of the proof, because it is somewhat straight-forward. G Let A0 be an adversary that attacks our proposed scheme F S H in the sense of existentially forgeability under adaptively chosen message attacks in the random oracle model. We call this attack game game G0 . Let E0 be the event that A wins in game G0 . In game G1 , we construct adversary A1 (using A0 as oracle) that attacks F S R in the sense of EUF-CMA in the random oracle model. Since HG is computationally indifferentiable from random oracle R : {0, 1}∗ → {0, 1}k , for any oracle query of A0 to G, A1 can make the consistent answer, having access to R, with an overwhelming probability. Hence, Pr[E1 ] ≈ Pr[E0 ], where E1 is the event that A1 wins in game G1 . In game G2 , we modify verification algorithm Vrfy such that it accepts if and only if β = R(α, m) and V2 (vk , (α , β, γ)) = 1. Let E2 be the event that adversary A2 (= A1 ) wins in game G2 . The probability of holding H(π)(α, m ) = R(α, m) is simply 2−k for any (α, m), because π must be determined before α = (α , π, m ) is queried to R. Therefore, Pr[E2 ] ≈ Pr[E1 ]. In game G3 , we construct adversary A3 (using A2 as oracle) that attacks F S R in the sense of EUF-CMA in the random oracle model. Let E3 be the event that A3 wins in game G3 . For oracle query (α, m) of A2 to R, A3 converts it to a query (α , (π, m , m)) to R. By construction, it holds that Pr[E3 ] = Pr[E2 ]. By assumption, F S R is EUF-CMA in the random oracle model, which means Pr[E3 ] = negl(k). Hence, Pr[E0 ] = negl(k), since Pr[E0 ] ≈ Pr[E3 ]. Theorem 3. For any polynomial-time Turing machine H, F S (H(F )) is vulnerable against key only attacks for any polynomial-size hash function ensemble F = {Fk }k∈N , where F is a hash function ensemble with a bounded input length n, where for every k ∈ N, and every f ∈ Fk , f : {0, 1}n(k) → {0, 1}k . To prove the statement above, we construct an adversary that forges a signature, only given vk = (vk, f ). The adversary makes a program fˆ that efficiently computes f : {0, 1}n(k) → {0, 1}k . Let t := max(t , |fˆ|), where t is the maximum running steps of fˆ to compute f (x) for x ∈ {0, 1}n(k), and |fˆ| is the length of the binary representation of program fˆ. Note that, since f is part of vk , it is easy to construct such a program and computes the maximum running steps over {0, 1}n(k) . Then, let the adversary choose an arbitrary message m such that t ≤ |m|, arbitrary α , γ ∈ {0, 1}p(k) . Then it sets α = (α , fˆ, m) and computes β = H(fˆ)(α, m). Finally the adversary outputs (m, (α, β, γ)) as a forged signature for m, where α = (α , fˆ, m). The remain to be shown is that V2 in Vrfy can compute H(fˆ)(α, m) within an a-priori bounded polynomial number of steps in |m| + k, regardless of any (a-priori unbounded) polynomial-size function ensemble F . Let q be the number of queries of H to fˆ, which is bounded by some fixed polynomial (depending on fixed H) in the length of (α, m). So, the number of the running steps to compute H(fˆ)(α, m) is at most q · t + O(poly(k)) (Remember that t is the maximum running steps of fˆ to compute f (x) for x ∈ {0, 1}n(k)). Since the binary length of
On the Insecurity of the Fiat-Shamir Signatures
127
(α, m) is |α | + |fˆ| + 2|m|, which is O(poly(|m| + k)), the number of the running steps of computing H(fˆ)(α, m) is O(poly(|m| + k)).
6
Conclusion
If a hash function used in the Fiat-Shamir paradigm is chosen from an iterative hash function (ensemble), we can show a very simple example that the FiatShamir signature scheme cannot be securely implemented even against key only attacks. Our negative result can apply to the class that [19] ruled out. We slightly extended the Fiat-Shamir paradigm to show the above results.
References 1. Abdalla, M., An, J., Bellare, M., Namprempre, C.: From identification to signatures via the fiat-shamir transform: Minimizing assumptions for security and forwardsecurity. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 418. Springer, Heidelberg (2002) 2. Barak, B.: How to go beyond the black-box simulation barrier. In: Proceedings of the 42th IEEE Annual Symposium on Foundations of Computer Science (FOCS 2001) (October 2001), http://www.math.ias.edu/~ boaz 3. Barak, B., Goldreich, O.: Universal arguments and their applications. In: Conference on Computational Complexity 2002 (2002) 4. Bellare, M., Ristenpart, T.: Multi-property-preserving hash domain extension and the emd transform. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 299–314. Springer, Heidelberg (2006) 5. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: First ACM Conference on Computer and Communication Security, pp. 62–73. Association for Computing Machinery (1993) 6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: Ecrypt Hash Workshop 2007 (May 2007) 7. Boldyreva, A., Fischlin, M.: Analysis of random oracle instantiation scenarios for oaep and other practical schemes. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 412–429. Springer, Heidelberg (2005) 8. Bellare, M., Boldyreva, A., Palacio, A.: An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 171–188. Springer, Heidelberg (2004) 9. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: Proceedings of the 30th annual ACM Symposium on Theory of Computing (STOC 1998), New York, pp. 209–218 (1998) 10. Canetti, R., Goldreich, O., Halevi, S.: On the random oracle methodology as applied to length-restricted signature schemes. In: Naor [26], pp. 40–57 11. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004) 12. Chang, D., Nandi, M.: Improved indifferentiability security analysis of chopMD hash function. In: Preproceedings of FSE 2008 (2008)
128
E. Fujisaki, R. Nishimaki, and K. Tanaka
13. Coron, J.S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damg˚ ard revisited: How to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005) 14. Damg˚ ard, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990) 15. Dodis, Y., Oliveria, R., Pietrzak, K.: On the generic insecurity of the full domain hash. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 449–466. Springer, Heidelberg (2005) 16. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM. J. Computing 30(2), 391–437 (2000); Presented in STOC 1991 17. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1986) 18. Goldreich, O.: Foundations of Cryptography, 1st edn., vol. 2 (Basic Applications). Cambridge University Press, Cambridge (2004) 19. Goldwasser, S., Kalai, Y.T.: On the (In)security of the Fiat-Shamir Paradigm. In: Proceedings of the 44th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2003 (2003) 20. Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing 17(2), 281–308 (1988) 21. Halevi, S., Myers, S., Rackoff, C.: On seed-incompressible functions. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 19–36. Springer, Heidelberg (2008) 22. Maurer, U.M., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor [26], pp. 21–39 23. Maurer, U.M., Tessaro, S.: Domain extension of public random functions: Beyond the birthday barrier. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 187–204. Springer, Heidelberg (2007) 24. Merkle, R.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990) 25. Micali, C.: CS proofs. In: Proceedings of the 35th IEEE Annual Symposium on Foundations of Computer Science (FOCS 1994), pp. 436–453 (1997) 26. Naor, M. (ed.): TCC 2004. LNCS, vol. 2951. Springer, Heidelberg (2004) 27. Nielsen, J.B.: Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-commiting Encryption Case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 111. Springer, Heidelberg (2002) 28. Ohta, K., Okamoto, T.: On concrete security treatment of signatures derived from identification. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 354–369. Springer, Heidelberg (1998) 29. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996) 30. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. Journal of Cryptology 13(4), 361–396 (2000) 31. Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosenciphertext security. In: Proceedings of the 40th IEEE Annual Symposium on Foundations of Computer Science (FOCS 1999), pp. 543–553 (1999) 32. De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust noninteractive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 566. Springer, Heidelberg (2001)
Is the Notion of Divisible On-Line/Off-Line Signatures Stronger than On-Line/Off-Line Signatures? Man Ho Au, Willy Susilo, and Yi Mu Center for Computer and Information Security Research School of Computer Science and Software Engineering University of Wollongong, Australia {aau,wsusilo,ymu}@uow.edu.au
Abstract. On-line/Off-line signatures are useful in many applications where the signer has a very limited response time once the message is presented. The idea is to perform the signing process in two phases. The first phase is performed off-line before the message to be signed is available and the second phase is performed on-line after the message to be signed is provided. Recently, in CT-RSA 2009, Gao et al. made a very interesting observation that most of the existing schemes possess the following structure. In the off-line phase, a partial signature, called the off-line token is computed first. Upon completion of the on-line phase, the off-line token constitutes part of the full signature. They considered the “off-line token exposure problem” in which the off-line token is exposed in the off-line phase and introduced a new model to capture this scenario. While intuitively the new requirement appears to be a stronger notion, Gao et al. cannot discover a concrete attack on any of the existing schemes under the new model. They regard clarifying the relationship between the models as an open problem. In this paper, we provide an affirmative answer to this open problem. We construct an On-line/Offline signature scheme, which is secure under the ordinary security model whilst it is insecure in the new model. Specifically, we present a security proof under the old model and a concrete attack of the scheme under the new model. This illustrates that the new model is indeed stronger. Keywords: on-line/off-line signatures, divisible on-line/off-line signatures, OS-EU-CMA, DOS-EU-CMA.
1
Introduction
The notion on-line/off-line signatures (OS) was put forth by Even, Goldreich and Micali in 1990 [11]. Their main idea is to split the signature generation algorithm into two phases, namely, off-line phase and on-line phase. To achieve efficient signing when a message is presented, they utilized an off-line phase to handle the most costly computations. When a message is available, the on-line
This work is supported by ARC Discovery Grant DP0877123.
J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 129–139, 2009. c Springer-Verlag Berlin Heidelberg 2009
130
M.H. Au, W. Susilo, and Y. Mu
phase can then be performed efficiently in order to generate the required signature. Some of the signature schemes naturally fit into the framework of an on-line/off-line signature. The list includes the schemes from Fiat-Shamir (or any signature scheme obtained from Σ-Protocol using the Fiat-Shamir heuristics) [12], Schnorr [19], El-Gamal [13] and Boneh-Boyen [4]. Based on the work from Even, Goldreich and Micali, Shamir and Tauman [20] proposed an improved online/offline signature scheme utilizing the hash-signswitch paradigm . The online signing phase of their scheme maintains the efficiency of Even et al., while key size and signature size are largely reduced. Since then, many subsequent works have been done [15,24,16,22,23,7,9,6]. 1.1
Divisible of OS Schemes
Recently, in CT-RSA 2009, Gao et al. [26] made an interesting observation that most of the existing on-line/off-line signature schemes [13,22,23,7,16,9,6] share the following divisibility structure. A partial signature, called an off-line token, is first computed in the off-line phase. The remaining part of the signature is generated in the on-line phase when the message is known. OS schemes satisfying this framework is said to be divisible. Although the signature generation process is split into two stages, the transmission of the signature is a one-time process. The complete signature is sent to the recipient at the end of the on-line phase. Gao et al. studied an interesting problem: can the off-line token be transmitted to the recipient prior to the on-line phase while maintaining the security of the OS scheme? The significance of the question is that, the signer could send the signature in stages (during the off-line phase), possibly when the channel is less busy. This can make better utilization of the bandwidth. Another scenario is when the off-line tokens are unavoidably exposed to others (they referred this case as the “token exposure problem”), in case of on-line/off-line threshold signatures [9,6]. Gao et al. studied this off-line token exposure problem and proposed a new security model to capture it. In this paper, we referred the new model as DOSEU-CMA1 to distinguish it from the traditional (or ‘regular’) model of OS-EUCMA [11]. The standard notion of security for a signature scheme is existential unforgeability under chosen message attack (EU-CMA) [14]. Informally speaking, an attacker in this notion can request signatures on messages of its choice, possibly adaptively, before outputting a forged signature on any message, provided that it has not been given a signature on that message. Definition of DOSEU-CMA and OS-EU-CMA shall be reviewed in Section 2.5. Looking ahead, it is fair to say the notion OS-EU-CMA closely follows the requirement of EU-CMA in which the OS is treated as an ordinary signature. Additionally, an attacker in DOS-EU-CMA is allowed to separate his query of signature into two phases. Specifically, the attacker is allowed to decide the querying message after receiving the off-line token. 1
The abbreviation DOS refers to divisible on-line/off-line signatures.
Is the Notion of DOS Stronger than OS?
131
Gao et al. presented a new scheme secure under their new model. They also analyzed several existing schemes and observed that some of them are secure under the new model as well. Furthermore, the security of the remaining schemes under their examination is less clear. While they are not able to derive security proof under the new model, they also cannot discover any concrete attack on these schemes. Hence, they left the problem of finding the potential gap between the model of DOS-EU-CMA and OS-EU-CMA as an open problem. Specifically, they questioned whether a scheme that is secure in OS-EU-CMA but it is not secure in DOS-EU-CMA can be constructed at all, as an open problem. 1.2
Our Contribution
In this paper, we provide an affirmative answer to the aforementioned open problem. Specifically, we construct an on-line/off-line signature scheme2 and prove its security under the model of OS-EU-CMA. Then, we present a concrete attack on our scheme under the model of DOS-EU-CMA. Consequently, our construction illustrates the gap between to two models. In summary, we provide an affirmative answer to the open problem raised by Gao et al. in [26] and show that the new model is indeed stronger than the traditional model. We would like to stress that the sole purpose of our construction is to demonstrate the theoretical gap between the models. Thus, efficiency is not of our concern and indeed our scheme is by no means practical compared with existing On-line/Offline signatures. Table 1. Summary of the separation between the traditional model and the new model
[12,13,4,20,22,7] [19,9,6,26] Our scheme
1.3
Secure under the traditional model? Secure under the new model [26]? ? ×
Organization of the Paper
The rest of this paper is organized as follows. In Section 2, we review preliminaries including the models of OS-EU-CMA and DOS-EU-CMA. Next, we present our OS scheme, its security analysis under the model of OS-EU-CMA and an attack in the model of DOS-EU-CMA in Section 3. Finally, we conclude the paper in Section 4.
2
We note that we are not concentrating on developing a practical or efficient scheme. Rather, we are interested to show a scheme that is secure under OS-EU-CMA but it is not secure under DOS-EU-CMA, and hence, it provides an answer to the open problem raised by Gao et al. [26].
132
2
M.H. Au, W. Susilo, and Y. Mu
Preliminaries
2.1
Miscellaneous Notations
If S is a set, |S| represents its cardinality. If S is a non-empty set and a ∈R S, then a is an element in S drawn uniformly at random from S. We denote by Z the set of integers {. . . , −2, −1, 0, 1, 2, . . .} and by Zp we denote the set {0, . . . , p−1}. We say that a function negl(k) is a negligible function [1], if for all polynomials f (k), for all sufficiently large k, negl(k) < 1/f (k). 2.2
Bilinear Map
A pairing is a bilinear mapping from a pair of group elements to a group element. Specifically, let G1 , GT be cyclic groups of order p. Let g be a generator of G1 . A function eˆ : G1 × G1 → GT is said to be a pairing if it satisfies the following properties: – (Bilinearity.) eˆ(ux , v y ) = eˆ(u, v)xy for all u, v ∈ G1 and x, y ∈ Zp . – (Non-Degeneracy.) eˆ(g, g) = 1GT , where 1GT is the identity element of GT . – (Efficient Computability.) eˆ(u, v) can be computed efficiently (that is, in polynomial time) for all u, v ∈ G1 . – (Unique Representation.) All elements in G1 and GT have unique binary representation. 2.3
Number-Theoretic Assumptions
Security of our proposed signature scheme is related to the hardness of the following problems. The Discrete Logarithm Assumption. The discrete logarithm problem (DLP) [5] forms the basis in the security of many cryptosystems. Definition 1. The Discrete Logarithm Problem in G = g is defined as follows: On input a tuple (g, Y ) ∈ G2 , output x such that Y = g x . Shoup [21] derived a lower bound on any algorithms that solve DLP without exploiting any special properties of the encoding of the group element. Such algorithms are known as generic algorithms. Specifically, the lower bound is √ Ω d , where d is the largest prime dividing the order of the group. Indeed, such bound is met by the well-known Pollard’s rho algorithm [18] that works in arbitrary groups. The discrete logarithm assumption stated that there is no PPT algorithm solves DLP with non-negligible probability. Computational Diffie-Hellman Assumption. If we can solve DLP in G, we can also solve the computational Diffie-Hellman (CDH) [10] problem although whether the converse is true or not is still an open problem. Definition 2. The Computational Diffie-Hellman Problem in G = g such that |G| = p is defined as follows: On input a tuple (g, g x , g y ) ∈ G3 , output g xy . The CDH assumption states that no PPT solves CDHP with non-negligible probability.
Is the Notion of DOS Stronger than OS?
133
The Pairing Pre-image Assumption Definition 3. The Pairing Pre-Image Problem (PPIP) in G1 , GT such that G = g, |G1 | = |GT | = p with pairing eˆ : G1 × G1 → GT is defined as follows: On input a tuple (g, Z) ∈ G1 × GT , output X ∈ G1 such that eˆ(X, g) = Z. This problem is often implicitly assumed to be hard in many cryptosystems employing bilinear maps. Indeed , it is straightforward to show PPIP is no harder than DLP in GT and no easier than CDHP in G1 . Specifically, suppose DLP in GT is easy. Given a PPIP instance (g, Z), compute x such that Z = eˆ(g, g)x by solving DLP in GT of Z to base eˆ(g, g). Output g x as the solution to PPIP instance. On the other hand, assume PPIP is easy. Given a CDHP instance (g, g a , gb ) in G1 , compute X such that eˆ(X, g) = eˆ(g a , g b ) by solving PPIP with input g, eˆ(g a , g b ) . Output X as the solution of the CDHP instance. Thus, we have the following relationship between CDHP in G1 , PPIP and DLP in GT . CDHP in G1 <= PPIP <= DLP in GT The PPI assumption states that no PPT solves PPIP with non-negligible probability. 2.4
On-Line/Off-Line Signatures
In the following, we review the syntax of an OS scheme. Definition 4. An OS scheme consists of four algorithms, namely, KeyGen, OffSign, OnSign and Verify for generating keys, signing in the online and offline phase, and verifying signatures, respectively. (pk, sk) ← KeyGen(1λ ). On input security parameter 1λ , the key generation algorithm outputs a public/private key pair. (Σ off , St) ← OffSign(sk). On input the secret key, the off-line signing algorithm outputs an off-line token Σ off and some state information St. (Σ on ) ← OnSign(sk, St, m). On input the secret key, a state information St and a message, the on-line signing algorithm outputs an on-line token (Σ off , Σ on ). The signature of m is defined as σ = (Σ off , Σ on )). 0/1 ← Verify(pk, m, σ). On input a public key, a message and a signature, the verification algorithms output 1 if the signature is valid and 0 otherwise. As mentioned by Gao et al., every OS scheme is trivially divisible under their definition by setting Σ off as null 3 . Those schemes are called trivially divisible. Throughout this paper, we are interested in OS scheme that is non-trivially divisible, that is, Σ off is not null. 3
Or more generally, any dummy offline token.
134
2.5
M.H. Au, W. Susilo, and Y. Mu
Security Requirements
The standard notion of security for an OS scheme is existential unforgeability under chosen message attack (OS-EU-CMA) [14], which can be defined formally by the following game between a challenger C and a PPT adversary A. Definition 5 (Game OS-EU-CMA) Setup: A challenger C runs algorithm KeyGen to obtain a public key pk and a private key sk. C gives pk to A. Queries: For the i-th query, A requests a signature on message mi . C responses by computing (Σioff , St i ) ← OffSign(sk) followed by Σion ← OnSign(sk, St i , mi ). σi = (Σioff , Σion ) is returned to A. Output: A outputs a pair (m∗ , σ ∗ ). A wins the game if m∗ ∈ / {m1 , . . . , mq } and 1 ← Verify(pk, m∗ , σ ∗ ). An OS scheme is OS-EU-CMA secure if no PPT adversary can win in Game OS-EU-CMA with non-negligible probability. In the following, we will review the new model proposed by Gao et al.. Looking ahead, the major difference between the two notions is that attacker in the new model is allowed to adaptively choose the query messages based on the off-line token. This is to capture the off-line token exposure problem. Specifically, the following game between a challenger C and a PPT adversary A formally defines the security requirement for a divisible on-line/off-line (DOS) scheme, as defined by Gao et al. Definition 6 (Game DOS-EU-CMA) Setup: A challenger C runs algorithm KeyGen to obtain a public key pk and a private key sk. C gives pk to A. Off-Sign Queries: For the i-th query, A requests an off-line token. C responses by computing (Σioff , St i ) ← OffSign(sk). Σioff is given to A while (Σioff , St i ) is stored in set U. On-Sign Queries: A submits a message mi and an off-line token Σioff such that there exists an entry (Σioff , St i ) ∈ U. C computes Σion ← OnSign(sk, St i , mi ). Σion is returned to A and (Σioff , St i ) is removed from U. Output: A outputs a pair (m∗ , σ ∗ ). A wins the game if m∗ ∈ / {m1 , . . . , mq } and 1 ← Verify(pk, m∗ , σ ∗ ). An OS scheme is DOS-EU-CMA secure if no PPT adversary can win in Game DOS-EU-CMA with non-negligible probability. 2.6
Relationship of OS-EU-CMA and DOS-EU-CMA
DOS-EU-CMA is at least no weaker than OS-EU-CMA as a security notion. However, it is unclear whether there is a separation between the two.
Is the Notion of DOS Stronger than OS?
135
Gao et al. [26] analyzed a number of existing schemes and proved that several of which are in fact DOS-EU-CMA, as shown in Table 2. Of the remaining schemes that cannot be proven secure in the new model, they are not able to devise any concrete attack. The following table is obtained from their results in [26]. The symbol “?” indicates that it cannot be proven secure under the security notion while no explicit attack can be found either. The word “Sig” in the assumption represents the security also depends on the security of the underlying standard signature scheme. For the introduction to the q-SDH assumption and the one-more discrete log assumption, we refer the readers to [3,8] and [2], respectively. Table 2. Summary of existing OS schemes
Fiat-Shamir [12] El-Gamal [13] DSS [17] Boneh-Boyen [4] Shamir-Tauman (generic) [20] Xu et al. [22] Chen et al. (generic) [7] Schnorr-OS [19] Crutchfield et al. (generic) [9] Bresson et al. (generic) [6] Gao et al. [26]
3 3.1
OS-EU-CMA? DOS-EU-CMA? Assumption ? ? ? ? ? ? ? one-more-discrete log Sig + one-more-discrete log Sig + discrete log q-SDH
Our Result An On-Line/Off-Line Signature
In this section, we present our OS construction. We note that the goal of our construction is to demonstrate the gap between the security notions of OS-EUCMA and DOS-EU-CMA and thus efficiency is not of prime concern. KeyGen. Let eˆ : G1 × G1 → GT be a bilinear map. Note that |G1 | = |GT | = p for some prime p. Let g be a generator of G1 . Let H : {0, 1}∗ → Zp be a collision-resistant hash function. Let X ∈R G1 and Z = eˆ(X, g). The secret key sk is (X) while the public key pk is (ˆ e, G1 , GT , p, g, Z, H). The message space M is G1 . OffSign. Randomly generate R ∈ G1 , s ∈R Z∗p , output (Σ off , St) as (R, s). OnSign. On input M ∈ G1 , (Σ off , St) = (R, s), compute ς = X(R/M )s . FurR ther, generate r ∈R Zp , compute T = eˆ( M , g)r , c = H(T ||R||ς||M ) and on z = r − cs. Output Σ as (ς, c, z).
136
M.H. Au, W. Susilo, and Y. Mu
Verify. Given a public key (ˆ e, G1 , GT , p, g, Z, H), a message M ∈ G1 , a signature σ = (Σ off , Σ on ) = R, (ς, c, z) , verify that c = R H (ˆ e(ς, g)Z −1 )c eˆ( M , g)z ||R||ς||M . If the equality holds, output 1. Otherwise, output 0. Correctness of the scheme is straightforward. Note that c R c R R eˆ(ς, g)Z −1 eˆ( , g)z = eˆ(X( )s , g)ˆ e(X, g)−1 eˆ( , g)z M M M R s c R −1 = eˆ(X, g)ˆ e(X, g) eˆ(( ) , g) eˆ( , g)z M M R R cs z = eˆ( , g) eˆ( , g) M M R r = eˆ( , g) M =T 3.2
Security Analysis
We prove that our construction is a secure OS scheme by reduction. Suppose there is a forger A that wins in Game OS-EU-CMA with probability , we construct a simulator S, having black-box access to A, that solves the pairing pre-image problem in the random oracle model with success probability q2 , H assuming A makes qH queries to the hash oracle. Proof. S is given a problem instance (ˆ e, G1 , GT , p, g, Z) where g is a generator of G1 with prime order p, its task is to compute X such that eˆ(X, g) = Z. Setting up the public key. S sets the public key pk of the signer as (ˆ e, G1 , GT , p, g, Z). In the random oracle model, S also gets control over Hash function H. pk is given to the adversary A. Simulating the Oracles. For the i-th query, A requests a signature on message mi ∈ G1 . S responses by randomly generates R, ς ∈R G1 , c, z ∈R Zp , computes T = (ˆ e(ς, g)Z −1 )c eˆ( mRi , g)z and backpatch the output of the random oracle H(T ||R||ς||mi ) as c. Returns σi = (R, ς, c, z) to A. Hash Queries. S randomly chooses one of the qH hash queries with input T ∗ ||R∗ ||ς ∗ ||M ∗ and fork the adversary. The two copies of the adversary receives the hash output as c∗ and c such that c∗ = c respectively. The Forgery and Reduction. Finally, the two copies of A output two forged signatures. With probability at least q12 the two forged signatures are (R∗ , ς ∗ , c∗ , z ∗ ) H ∗ R∗ z∗ on message M ∗ such that c∗ = H (ˆ e(ς, g)Z −1 )c eˆ( M || R∗ || ς ∗ || M ∗ and ∗ , g)
Is the Notion of DOS Stronger than OS?
137
c∗ R∗ z∗ (R∗ , ς ∗ , c , z ) on the same message M ∗ such that eˆ(ς ∗ , g)Z −1 eˆ( M = ∗ , g) ∗ R∗ −1 c z eˆ(ς , g)Z eˆ( M ∗ , g) . ∗
z −z ∗
R c −c∗ . Indeed, S computes X as ς( M ∗)
∗ c∗ R∗ c R∗ ∗ eˆ(ς , g)Z −1 eˆ( ∗ , g)z = eˆ(ς ∗ , g)Z −1 eˆ( ∗ , g)z M M ∗ c∗ −c ∗ R∗ eˆ(ς , g)Z −1 = eˆ( ∗ , g)z −z M ∗ ∗ R∗ c −c∗ Z = eˆ( ∗ , g)z −z eˆ(ς ∗ , g)c −c M R∗ ∗ ∗ c −c∗ eˆ(X, g) = eˆ(( ∗ )z −z ς c −c , g) M R∗ z −z∗∗ eˆ(X, g) = eˆ ( ∗ ) c −c ς, g M −z ∗ R∗ zc −c ∗ X = ς( ∗ ) M Consequently, the success probability of S is at least 3.3
2 qH
.
An Attack of Our OS under Definition 6 (DOS-EU-CMA)
While our scheme is OS-EU-CMA secure, there is an attack under Definition 6 (DOS-EU-CMA), i.e. the new model proposed by Gao et al. Specifically, the attacker first obtains an off-line token R. Upon receiving R, the attacker chooses the message to query as M = R. ς in the corresponding signature R, (ς, c, z) R r will have the form of X since ς = X( M ) . Thus, the scheme is totally broken with the secret key revealed when the attacker can choose the message after knowing the off-line token. The weakness of the scheme under Definition 6 is obvious: it is insecure when the off-line token R is equal to the message M to be signed. This, however, will happen with negligible probability when R is hidden from the attacker before message M to be signed is presented and thus the scheme is still secure under Definition 5. This clearly illustrates that DOS-EU-CMA is a stronger security notion compared with OS-EU-CMA.
4
Conclusion
We presented a new OS scheme and proved that it is secure under the traditional model of on-line/off-line signatures (OS-EU-CMA). Next, we presented a concrete attack of our scheme under the newly-proposed model by Gao et al. [26], DOS-EU-CMA. This scheme exemplifies a case that the model in [26] is indeed stronger than the traditional one. Hence, it provides an affirmative answer to to the open problem in [26].
138
M.H. Au, W. Susilo, and Y. Mu
References 1. Bellare, M.: A Note on Negligible Functions. Journal of Cryptology 15(4), 271–284 (2002) 2. Bellare, M., Palacio, A.: Gq and schnorr identification schemes: Proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 162–177. Springer, Heidelberg (2002) 3. Boneh, D., Boyen, X.: Short Signatures without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004) 4. Boneh, D., Boyen, X.: Short signatures without random oracles and the sdh assumption in bilinear groups. Journal of Cryptology 21(2), 149–177 (2008) 5. Boneh, D., Lipton, R.J.: Algorithms for Black-Box Fields and their Application to Cryptography (Extended Abstract). In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 283–297. Springer, Heidelberg (1996) 6. Bresson, E., Catalano, D., Gennaro, R.: Improved on-line/off-line threshold signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 217–232. Springer, Heidelberg (2007) 7. Chen, X., Zhang, F., Susilo, W., Mu, Y.: Efficient generic on-line/off-line signatures without key exposure. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 18–30. Springer, Heidelberg (2007) 8. Cheon, J.H.: Security Analysis of the Strong Diffie-Hellman Problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006) 9. Crutchfield, C., Molnar, D., Turner, D., Wagner, D.: Generic on-line/off-line threshold signatures. In: Yung, et al. (eds.) [15], pp. 58–74 10. Diffie, W., Hellman, M.E.: New Directions in Cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976) 11. Even, S., Goldreich, O., Micali, S.: On-line/off-line digital schemes. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 263–275. Springer, Heidelberg (1990) 12. Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1986) 13. Gamal, T.E.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31(4), 469–472 (1985) 14. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988) 15. Guo, F., Mu, Y.: Optimal online/offline signature: How to sign a message without online computation. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 98–111. Springer, Heidelberg (2008) 16. Kurosawa, K., Schmidt-Samoa, K.: New online/offline signature schemes without random oracles. In: Yung, et al. (eds.) [25], pp. 330–346 17. N. I. of Standards and T (NIST). The digital signature standard, 186. In: Federal Information Processing Standards Publication, FIPS PUB (1994) 18. Pollard, J.M.: Monte Carlo Methods for Index Computation (mod p). Mathematics of Computation 32(143), 918–924 (1978) 19. Schnorr, C.-P.: Efficient Signature Generation by Smart Cards. Journal of Cryptology 4(3), 161–174 (1991) 20. Shamir, A., Tauman, Y.: Improved online/offline signature schemes. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 355–367. Springer, Heidelberg (2001)
Is the Notion of DOS Stronger than OS?
139
21. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997) 22. Xu, S., Mu, Y., Susilo, W.: Online/offline signatures and multisignatures for aodv and dsr routing security. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 99–110. Springer, Heidelberg (2006) 23. Yu, P., Tate, S.R.: An online/offline signature scheme based on the strong rsa assumption. In: AINAW 2007: Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops, pp. 601–606. IEEE Computer Society, Washington (2007) 24. Yu, P., Tate, S.R.: Online/offline signature schemes for devices with limited computing capabilities. In: Malkin, T.G. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 301–317. Springer, Heidelberg (2008) 25. Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.): PKC 2006. LNCS, vol. 3958. Springer, Heidelberg (2006) 26. zhi Gao, C., Wei, B., Xie, D., Tang, C.: Divisible on-line/off-line signatures. In: Fischlin, M. (ed.) Topics in Cryptology - CT-RSA 2009, The Cryptographers’ Track at the RSA Conference 2009, San Francisco, CA, USA, Proceedings, April 20-24. LNCS, vol. 5473, pp. 148–163. Springer, Heidelberg (2009)
Anonymous Signatures Revisited Vishal Saraswat and Aaram Yun University of Minnesota — Twin Cities {vishal,aaram}@cs.umn.edu
Abstract. We revisit the notion of the anonymous signature, first formalized by Yang, Wong, Deng and Wang [10], and then further developed by Fischlin [4] and Zhang and Imai [11]. We present a new formalism of anonymous signature, where instead of the message, a part of the signature is withheld to maintain anonymity. We introduce the notion unpretendability to guarantee infeasibility for someone other than the correct signer to pretend authorship of the message and signature. Our definition retains applicability for all previous applications of the anonymous signature, provides stronger security, and is conceptually simpler. We give a generic construction from any ordinary signature scheme, and also show that the short signature scheme by Boneh and Boyen [2] can be naturally regarded as such a secure anonymous signature scheme according to our formalism. Keywords: anonymous signature, signature, anonymity, unpretendability.
1
Introduction
An anonymous signature is a signature scheme where the signature σ of a message m does not reveal the identity of the signer. Yang et al. [10] discussed the usefulness of anonymous signatures in many applications where anonymity is needed, including key exchange protocols, auction systems, and anonymous paper reviewing. The notion of the anonymous signature was formalized much later than that of the anonymous encryption. Bellare et al. [1] had already defined in Asiacrypt 2001 key-privacy, or anonymity of an encryption scheme, as indistinguishability of ciphertexts encrypted by different public keys, that is, an eavesdropper cannot obtain any information about the recipient (corresponding to the public key) from the ciphertext. However, one problem for introducing the idea of anonymity to digital signatures is that a signature is publicly verifiable; if there are only a few candidate signers, the adversary of anonymity can simply try verification of the message-signature pair with respect to all candidate public keys to break anonymity. Therefore, as long as the adversary obtains both the message and the signature, it seems that anonymity is impossible.
The second author is supported by the US National Science Foundation (grant no. CCF 0621462).
J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 140–153, 2009. c Springer-Verlag Berlin Heidelberg 2009
Anonymous Signatures Revisited
141
Yang et al. resolved the paradox by guaranteeing the anonymity only when the adversary obtains the signature and not the message, or when there is some randomness in the message not revealed to the adversary. In fact, there are many applications where not revealing the complete message is justifiable; for example, in the key transport example given by Yang et al., Bob already knows what Alice’s message should be from previous communication, so Alice may send only the anonymous signature without the message, and this authenticates Alice while protecting Alice’s anonymity from eavesdroppers. In the case of an auction, a bidder may append some random string r to a message m, which is his bid, and sign it. After the auction ends, only the winner may reveal the randomness r and thus his identity, and the other participants remain anonymous. This idea of hidden randomness in the message is used by Fischlin [4] to propose an elegant generic transformation for anonymous signatures out of ordinary signatures, by applying the idea of randomness extractor to extract the hidden randomness and use it for anonymizing the signature. Fischlin’s formulation of anonymous signatures is slightly different, but essentially captures the same idea as that of Yang et al. Also in [11], Zhang and Imai suggested the notion of ‘strong anonymous signatures’, where they considered the case when there is not much uncertainty in the message. 1.1
Limits of the Previous Formalism
We revisit the formal definition of anonymous signature and show that previous formalisms of anonymous signature are not completely satisfactory in that, they fail to capture the intuition fully, and actually are inconsistent with some of the suggested applications. Also, we claim that a slightly different formalism captures the intuition better, retains the applicability, more consistently models the application scenarios, enables simpler constructions, and gives better security guarantee. As explained, in the current formalism, the signer anonymity is based on hidden residual randomness of the message. As long as there is enough such randomness, the signer maintains anonymity, but of course the signature cannot be verified. Eventually the randomness in message is revealed explicitly or implicitly, and whoever has the complete message-signature pair can verify the signature. In order to model this, Yang et al. and Fischlin formalize that each signer, having public key pk , has certain message distribution M(pk ). Then, two key pairs (pk 0 , sk 0 ), (pk 1 , sk 1 ) are chosen and pk 0 and pk 1 are given to the adversary. Also, a message m is chosen from M(pk b ) with respect to a random bit b ∈ {0, 1}, and the signature σ = Sig(sk b , m) is computed and given to the adversary. If the adversary cannot guess the random bit b with probability not much greater than 1/2, then the signature scheme is considered anonymous. But this formalism is not satisfactory in some aspects. First, this is in fact inconsistent to the suggested application of anonymous auction, or anonymous
142
V. Saraswat and A. Yun
paper review. In these cases, if m is the original intended message, then the signer adds some random string r to form appended message mr, and releases the message m, together with the signature σ of the appended message mr. From the point of view of an eavesdropper, different original message m gives different message distribution of the whole appended message mr; the message distribution cannot be a function of only the public key pk , and in fact also depends on the partially revealed portion (m) of the message. Second, this definition does not formally give a guarantee of infeasibility for someone other than the correct signer to come later and pretend that the signature is his. We call this property unpretendability. For an ordinary signature for which complete message-signature pair is released at once, this problem may be less crucial; the pair is publicly verifiable and the authorship can be attributed to the signer. But for an anonymous signature, where only a part of the messagesignature pair is released initially, there is theoretical possibility that someone other than the signer may come and claim the authorship of the message and signature. For example, in the anonymous paper review example, the author A of a paper paperA picks a random string r, computes σ ← Sig(sk A , paperA r), and releases (paperA , σ) initially, and only later reveals r when the paper is accepted. Now, if the anonymous signature is not unpretendable, then another author, B, may be able to compute r satisfying Vf(pk B , paperA r , σ) = true and use such an r to claim authorship of paperA . Hence, we argue that this unpretendability should be an essential feature of an anonymous signature; otherwise anonymous signature is in fact not applicable for quite a few of originally proposed applications. Note that we are not claiming that any of the actual schemes proposed in previous papers fails to satisfy unpretendability. But, still this notion should be formally defined and guaranteed for each anonymous scheme. In fact, later we will give an example of an unforgeable signature scheme which provides complete anonymity but is not at all unpretendable. This means that, unpretendability does not follow directly from unforgeability and/or anonymity, and warrants separate definition. Third, we feel that the idea of a signature of an unknown message is somewhat counter-intuitive. Intuitively, a signature is a proof of authorship for a given document. If we do not know the document in question, or if we are not sure whether the document ends with ‘Therefore you should . . . ,’ or ‘Therefore you should not . . . ,’ then the meaning of a signature for such uncertain document is at least debatable. 1.2
Our Formalism
Discarding hidden randomness in the message. For these reasons, we propose a new definition of anonymous signatures as follows: first, instead of relying on the hidden residual randomness of the message, we introduce hidden randomness to the signature. Second, we formalize not only the notion of anonymity, but also give explicit formalization of unpretendability.
Anonymous Signatures Revisited
143
In traditional digital signatures, signature generation is considered as a randomized algorithm in general, therefore this strategy of explicit randomness is applicable no matter how much entropy (or lack thereof) the distribution of the message has. This enables us to disregard the randomness in the message altogether, and use the provided randomness directly to anonymize the public key. In fact, even when there is enough entropy in the message distribution, often the randomness is not diffused in the whole message but well-separated from the rest of the message and controllable by the signer. For example, in the bidding example where the bidder appends some random string r to the message m and then sign the appended message mr, certainly the distribution of this appended message has enough entropy which can be extracted back, but we feel this is artificial; the original message was m, and intuitively, the signer is not really interested in protecting the integrity of r, which is not part of his message m which he really wanted to sign. Hence, it is more natural to regard this r as a part of the signature, instead of regarding this as a part of the message which needs to be signed and protected. Surfacing the verification token. Therefore, in our formalism, we split a digital signature σ ˜ into two parts, σ ˜ = (σ, τ ). We call τ a verification token, or a token in short. Then σ, the rest of σ ˜ , is now just called a signature. The signature σ and the token τ are computed by the signature generation algorithm which takes the signer’s secret key and the message m as inputs, and when m, σ, and τ are presented, then anyone can verify the validity of the signature using the public key of the signer. But as long as τ is hidden, the adversary cannot break the anonymity of the signer just from the message m and the signature σ. Meanwhile, anyone to whom the token τ (along with the identity of the signer) is revealed may verify the signature. Note that our formalism is just a specialization of the traditional formalism of digital signature, and not something incompatible; (σ, τ ) together serves as a signature which is publicly verifiable, and unforgeable according to the usual definition. We only enforce our signature to have this special format, and to have anonymity and unpretendability in addition to the unforgeability. In short, we surfaced the hidden randomness of the anonymous signature explicit as the verification token, and moved it from the message to the signature itself. Also we identified and formalized the unpretendability as another property an anonymous signature should have. Enhanced notion of security. Not only separating the randomness extraction from the anonymous signature results in a conceptually cleaner formalism, but also it enables us to guarantee better notion of security. Because in previous formalisms the verification token was ‘diffused’ in the message itself, the adversary of anonymity could not choose the challenge message by himself, and a random challenge message had to be chosen out of some message distribution. But in our formalism, there is no problem for the adversary to adaptively choose the challenge message by himself, and indeed we give this stronger notion of anonymity, which all of our schemes meet.
144
V. Saraswat and A. Yun
Our contribution. In this paper, we give a new formalism for an anonymous signature following the outline given in the introduction. Also, we present some examples of efficient anonymous signature schemes. We first give a generic construction out of any ordinary unforgeable signature scheme and a commitment scheme. Also, we show that the short signature scheme by Boneh and Boyen [2] can be naturally regarded as such a secure anonymous signature scheme according to our formalism with essentially no modification.
2
Related Work
The notion of anonymous signature was first formalized by Yang et al. in [10], and explored further by Fischlin in [4]. Our work revisits this notion, and provides an alternative formalism. Zhang and Imai [11] proposed a very similar approach as ours. Their idea is to define ‘strong anonymous signature’, which maintains anonymity even when there is not much uncertainty in the message distribution. Though their definition of strong anonymity is essentially the same as our anonymity, they do not discuss unpretendability, which we argue as central to the notion of anonymous signatures. There are pre-existing security notions closely related to unpretendability; Menezes and Smart [7] studied security against the key substitution attack for signature schemes, where an adversary produces a public key (and the corresponding secret key, in their formulation) to claim the ownership of a messagesignature pair generated by someone else. Also Hu et al. [6] introduced key replacement attack, which is the similar notion in context of certificateless signatures. Galbraith and Mao [5] introduced the notion of anonymity to undeniable and confirmer signatures. Our definition of anonymity of an anonymous signature is similar to theirs, and also the fact that the signer has to provide the verification token later to let others verify the signature looks similar to the case of undeniable signatures. But an anonymous signature is not an undeniable signature; anyone who obtained the token of the signature can in fact let others verify the signature, without involvement of the signer. In general, an anonymous signature is much simpler than an anonymous undeniable signature. Also, there are notions of anonymity in group and ring signatures, but these are anonymity within the group or ring in question, on the other hand the anonymous signature in our formalism or in previous formalism is essentially a conventional signature scheme with some additional properties.
3 3.1
Definitions Notations and Conventions
We denote by v ← A(x, y, z, . . .) the operation of running a randomized or deterministic algorithm A(x, y, z, . . .) and storing the output to the variable v.
Anonymous Signatures Revisited
145
If X is a set, then v ← X denotes the operation of choosing an element v of X according to the uniform random distribution on X. Unless stated otherwise, all algorithms in this paper are probabilistic polynomial-time algorithms. R
3.2
Anonymous Signature
We define an anonymous signature Σ as a quadruple of algorithms Σ = (Par, Gen, Sig, Vf), where the parameter generation algorithm Par() outputs a common parameter P ← Par(1k ) using security parameter k, the key generation algorithm Gen() outputs a key pair (pk , sk ) ← Gen(P ) given the common parameter P as input, signature generation algorithm Sig() outputs a pair of a signature and a verification token σ ˜ = (σ, τ ) ← Sig(sk , m) with respect to the secret key sk and a message m ∈ {0, 1}∗, and the deterministic, signature verification algorithm Vf(pk , m, σ, τ ) outputs true or false. The common parameter P contains the security parameter k itself, and additionally contain other public information common to all users of the system, for example description of cryptographic groups used in the signature scheme. For consistency, we require the following: Vf(pk , m, Sig(sk , m)) = true, for P ← Par(1k ), (pk , sk ) ← Gen(P ), and for any m ∈ {0, 1}∗. 3.3
Unforgeability
We say that Σ = (Par, Gen, Sig, Vf) is unforgeable, if for any adversary A, the advantage def uf-cma Advuf-cma (k) = Pr Expr (k) = true Σ,A Σ,A is negligible in the following experiment: Experiment Expruf-cma Σ,A (k) P ← Par(1k ) (pk , sk ) ← Gen(P ) (m∗ , σ ∗ , τ ∗ ) ← ASig(sk ,·) (pk ) return Vf(pk , m∗ , σ ∗ , τ ∗ ) where the adversary A has access to the signing oracle Sig(sk , ·) with respect to the secret key sk with the requirement that A is not allowed to query the signing oracle with m∗ . Similarly, we say that Σ is strongly unforgeable, if for any adversary A, the advantage def suf-cma Advsuf-cma Σ,A (k) = Pr ExprΣ,A (k) = true uf-cma is negligible in the experiment Exprsuf-cma Σ,A , which is identical to ExprΣ,A , ∗ ∗ except that we require A not to have received (σ , τ ) as an answer to any query of form m∗ to the signing oracle.
146
3.4
V. Saraswat and A. Yun
Anonymity
Consider an adversary which is a pair of algorithms A = (A1 , A2 ). Let st be the state information which A1 passes to A2 . We say that Σ = (Par, Gen, Sig, Vf) is anonymous, if for any such A, the advantage def anon-1 anon-0 Advanon Σ,A (k) = Pr[ExprΣ,A (k) = 1] − Pr[ExprΣ,A (k) = 1] is negligible, where experiments Expranon-b Σ,A (b = 0, 1) are defined as follows: Experiment Expranon-b Σ,A (k) k P ← Par(1 ) (pk 0 , sk 0 ) ← Gen(P ); (pk 1 , sk 1 ) ← Gen(P ) Sig(sk 0 ,·),Sig(sk 1 ,·) (m∗ , st) ← A1 (pk 0 , pk 1 ) ∗ ∗ (σ , τ ) ← Sig(sk b , m∗ ) Sig(sk 0 ,·),Sig(sk 1 ,·) ∗ b ← A2 (σ , st) return b We call Σ anonymous with respect to full key exposure, when the advantage of any adversary is still negligible even if the adversary also gets the secret keys sk 0 , sk 1 as additional input. We denote by Advanon-fke (k) the advantage of an Σ,A adversary in the anonymity experiment with full key exposure. 3.5
Unpretendability
We say that Σ = (Par, Gen, Sig, Vf) is unpretendable, if for any adversary A = (A1 , A2 ), the advantage def up Advup Σ,A (k) = Pr ExprΣ,A (k) = true is negligible in the experiment Exprup Σ,A in Figure 1. Intuitively, the adversary is trying to claim the authorship of (m∗ , σ ∗ ), which is signed by the target secret key sk ∗ . The adversary tries to produce an appropriate τ so that the signature is verified with his own public key pk , which could be freshly chosen, and the definition guarantees that the success probability for this attempt is negligible. Also, we define a weaker version of unpretendability: we say that Σ = (Par, Gen, Sig, Vf) is weakly unpretendable, if for any adversary A = (A1 , A2 , A3 ), the advantage def wup Advwup Σ,A (k) = Pr ExprΣ,A (k) = true is negligible in the experiment Exprwup Σ,A in Figure 1. The difference between the unpretendability and the weak unpretendability is that, in the unpretendability, the adversary is allowed to choose his public key adaptively, but that is not allowed in the case of weak unpretendability. The notion of weak unpretendability is applicable for example in situations where
Anonymous Signatures Revisited
147
there is trustable PKI under which every party registers his public key to his identity, possibly timestamped and with proof of secret key possession; in such cases the adversary cannot adaptively choose his public key after seeing the signature, and claim the ownership under the fresh key/identity. Many applications like anonymous paper review or anonymous auction could fall into this category, but this depends on how the public keys are managed. The unpretendability is stronger in that the adversary cannot claim the ownership of the signature even when he is allowed to freshly create a new public key. Like the case of anonymity, we say that Σ is (weakly) unpretendable with respect to full key exposure, when the advantage of any adversary is still negligible even if the adversary also gets the target secret key sk ∗ as additional input. We denote the advantage of an adversary in the (weak) unpretendability experiment up-fke with full key exposure by (Advwup-fke Σ,A (k)) AdvΣ,A (k). Experiment Exprup Σ,A (k) P ← Par(1k ) (pk ∗ , sk ∗ ) ← Gen(P ) Sig(sk ∗ ,·) (m∗ , st ) ← A1 (pk ∗ ) (σ ∗ , τ ∗ ) ← Sig(sk ∗ , m∗ ) Sig(sk ∗ ,·) (τ, pk ) ← A2 (σ ∗ , τ ∗ , st ) return Vf(pk , m∗ , σ ∗ , τ ) ∧ (pk = pk ∗ )
Experiment Exprwup Σ,A (k) P ← Par(1k ) (pk , st ) ← A1 (P ) (pk ∗ , sk ∗ ) ← Gen(P ) Sig(sk ∗ ,·) (m∗ , st ) ← A2 (pk ∗ , st) ∗ ∗ ∗ ∗ (σ , τ ) ← Sig(sk , m ) Sig(sk ∗ ,·) τ ← A3 (σ ∗ , τ ∗ , st ) return Vf(pk , m∗ , σ ∗ , τ )
wup Fig. 1. Experiments Exprup Σ,A and ExprΣ,A
3.6
Security of an Anonymous Signature
Suppose that Σ = (Par, Gen, Sig, Vf) is an anonymous signature scheme. We say that Σ is a secure anonymous signature, if Σ is unforgeable, anonymous, and at least weakly unpretendable. We emphasize that the unpretendability is a crucial property that an anonymous signature should have. Already we showed that if an anonymous signature is not unpretendable, then it cannot be used for some of the suggested applications like anonymous paper review. Here, we show an example of an anonymous signature which is unforgeable, anonymous, but not weakly unpretendable. Suppose Σ = (Par, Gen, Sig, Vf) is an ordinary unforgeable signature scheme. We then construct an anonymous signature scheme Σ = (Par , Gen , Sig , Vf ) as follows: Par (1k ) is the same as Par(1k ), Gen (P ) is the same as Gen(P ). Sig (sk , m) is defined as Sig (sk , m) = (σ, τ ) = (Sig(sk , m) ⊕ τ, τ ) def
where the verification token τ is a bitstring of the same bit-length as the signature Sig(sk , m) and is chosen uniform randomly. Finally, Vf (sk , m, σ, τ ) is defined as Vf (pk , m, σ, τ ) = Vf(pk , m, σ ⊕ τ ). def
148
V. Saraswat and A. Yun
It is clear that the anonymous signature Σ is both unforgeable and anonymous; because the signature Sig(sk , m) is masked with random bitstring τ in Sig (sk , m), essentially the adversary has no information about the signature. Only later when τ is revealed, the signature σ is revealed and signature can be verified. Thus, this is equivalent to deferring the signing to the last minute when the token τ has to be revealed. Hence the scheme is unforgeable, and unless τ is revealed, the signer anonymity is guaranteed. But, it is trivial to break unpretendability of this scheme; if (m∗ , σ ∗ = Sig(sk ∗ , ∗ m ) ⊕ τ ∗ ) is given, then the adversary may compute Sig(sk , m∗ ) using his own secret key sk , and compute τ as τ = Sig(sk , m∗ ) ⊕ σ ∗ . def
Then, Vf (pk , m∗ , σ ∗ , τ ) = Vf(pk , m∗ , σ ∗ ⊕ τ ) = Vf(pk , m∗ , Sig(sk , m∗ )) = true. 3.7
Commitment Schemes
A commitment scheme Γ consists of a pair of algorithms (Com, CVf) satisfying the following: Correctness: For any bitstring s ∈ {0, 1}∗, Pr[(com, dec) ← Com(s) : CVf(com, dec, s) = true] = 1 . Hiding: For any adversary A which is a pair of algorithms (A1 , A2 ), the advantage def hide-1 hide-0 Advhide Γ,A (k) = Pr[ExprΓ,A (k) = 1] − Pr[ExprΓ,A (k) = 1] where experiments Exprhide-b Γ,A (b = 0, 1) are defined in Figure 2. Also, we require the adversary A to output s0 , s1 of the same bitlength: |s0 | = |s1 |. Binding: For any adversary A, the advantage def bind Advbind (k) = Pr Expr (k) = true Γ,A Γ,A is negligible in the experiment Exprbind Γ,A in Figure 2. Experiment Exprhide-b Γ,A (k) (s0 , s1 , st ) ← A1 (1k ) (com, dec) ← Com(sb ) b ← A2 (com, st ) return b
Experiment Exprbind Γ,A (k) (com, dec, s, dec , s ) ← A(1k ) p ← CVf(com, dec, s) p ← CVf(com, dec , s ) return p ∧ p ∧ (s = s )
bind Fig. 2. Experiments Exprhide-b Γ,A and ExprΓ,A
Anonymous Signatures Revisited
4
149
Secure Anonymous Signature Schemes
In this section, first we show how to construct an anonymous signature scheme generically from any ordinary unforgeable signature scheme. Then, we show that the short signature scheme of Boneh and Boyen [2] can be naturally considered as a secure anonymous signature according to our formalism, with essentially no modification. To be precise, it is a weakly unpretendable anonymous signature. 4.1
Generic Construction
Here we present a generic construction of an anonymous signature scheme using an ordinary signature scheme and a commitment scheme. It is required that for any security parameter k, the signature scheme is unforgeable, and the public key size and the signature size are constant for all users. Let Σ = (Par, Gen, Sig, Vf) be a signature scheme. When k is the security parameter, let lp (k) and ls (k) be the bit length of a public key pk and the bit length of a signature, respectively. Let (Com, CVf) be a commitment scheme. We construct an anonymous signature Σ = (Par , Gen , Sig , Vf ) using these as follows:
k
function Par (1 ) P ← Par(1k ) return P function Gen (P ) (pk , sk ) ← Gen(P ) pk ← pk sk ← sk pk return (pk , sk )
4.2
function Sig (sk , m) Parse sk as sk pk σ ← Sig(sk , m) (com, dec) ← Com(pk σ ) σ ← com; τ ← decσ return (σ, τ ) function Vf (pk , m, σ, τ ) Parse τ as τ1 τ2 return CVf(σ, τ1 , pk τ2 ) ∧ Vf(pk , m, τ2 )
Security of the Generic Construction
Theorem 1. Given an ordinary signature scheme Σ, consider the scheme Σ defined in the previous subsection. If Σ is unforgeable, then Σ is a secure unforgeable anonymous signature. Moreover, Σ is both anonymous and unpretendable with respect to full key exposure. Proof. First, we prove the unforgeability of Σ . Suppose that A is an adversary attacking the unforgeability of Σ . Then using A, we construct an adversary B which attacks the unforgeability of Σ, and satisfying uf-cma Advuf-cma Σ ,A (k) ≤ AdvΣ,B (k) .
The adversary B is given a public key pk of Σ, and the corresponding signing oracle Sig(sk , ·). B sets pk = pk , and gives it to A and answers the signing query of A as follows: for signing query of m, B calls its own signing oracle
150
V. Saraswat and A. Yun
with query m to obtain σ , computes (com, dec) ← Com(pk , σ ) and returns (σ = com, τ = decσ ) to A. Note that this simulation of the unforgeability experiment for A by B is perfectly done according to the description of Σ . Suppose that A halts with output (m∗ , σ ∗ , τ ∗ ). Then B parses τ ∗ as τ1 τ2 , and halts with output (m∗ , τ2 ). Whenever the output (m∗ , σ ∗ , τ ∗ ) of A is a successful forgery for Σ , then B outputs a successful forgery (m∗ , τ2 ) for Σ since from the definition of Vf , Vf (pk , m∗ , σ ∗ , τ ∗ ) = true holds only if Vf(pk , m∗ , τ2 ) = true holds. This proves the claimed inequality. Next, we show that Σ satisfies anonymity with respect to full key exposure. Suppose that A = (A1 , A2 ) is an adversary attacking anonymity of Σ . Using A, we construct B attacking the hiding property of the commitment scheme Γ , satisfying hide Advanon-fke Σ ,A (k) ≤ AdvΓ,B (k) . Consider the experiment Exprhide-b with respect to this adversary B. Given Γ,B the security parameter k, B generates common parameters of Σ and two key pairs (pk 0 , sk 0 ) and (pk 1 , sk 1 ). B then runs A1 (pk 0 , pk 1 , sk 0 , sk 1 ) to obtain an output (m∗ , st) and gives s0 = pk0 Sig(sk0 , m∗ ) and s1 = pk1 Sig(sk1 , m∗ ) to the challenger. The challenger computes (com, dec) ← Com(sb ), and gives σ ∗ = com to B. B now runs A2 (σ ∗ , st) to obtain an output b and then halts with output b . Note that this simulation of the full-key exposure anonymity experiment for A by B is perfect, and the output of B is the same as the output of A. Hence, anon-fke-b Pr[Exprhide-b (k)], for b = 0, 1. Therefore, Γ,B (k)] = Pr[ExprΣ ,A anon-fke-1 Advanon-fke (k) = 1] − Pr[Expranon-fke-0 (k) = 1] Σ ,A (k) = Pr[ExprΣ ,A Σ ,A hide-0 = Pr[Exprhide-1 Γ,B (k) = 1] − Pr[ExprΓ,B (k) = 1] = Advhide Γ,B (k). Finally, we show that Σ satisfies unpretendability with respect to full key exposure. Suppose that A = (A1 , A2 ) is an adversary attacking unpretendability of Σ . Using A, we construct an adversary B attacking the binding property of the commitment scheme Γ , satisfying bind Advup-fke Σ ,A (k) ≤ AdvΓ,B (k) .
Given the security parameter k, B generates common parameters and a key pair (pk ∗ , sk ∗ ), and runs A1 (pk ∗ , sk ∗ ) to obtain an output (m∗ , st). B then computes (σ ∗ , τ ∗ ) ← Sig (sk ∗ , m∗ ), and runs A2 (σ ∗ , τ ∗ , st ) to obtain an output (τ, pk ). Then B parses τ as τ1 τ2 and τ ∗ as τ1∗ τ2∗ and halts with output (σ ∗ , τ1∗ , pk ∗ τ2∗ , τ1 , pk τ2 ). This simulation of the full-key exposure unpretendability experiment for A by B is perfect. We claim that, in the above simulation, whenever A succeeds at breaking the unpretendability of Σ , that is, Vf (pk , m∗ , σ ∗ , τ ) = true and pk = pk ∗ , then B
Anonymous Signatures Revisited
151
also succeeds in breaking the binding property of Γ . From the definition of Vf , in order that Vf (pk , m∗ , σ ∗ , τ ) = true, it is necessary that CVf(σ ∗ , τ1 , pk τ2 ) is also true. Moreover, since (σ ∗ , τ ∗ ) = Sig (sk ∗ , m∗ ), also Vf (pk ∗ , m∗ , σ ∗ , τ ∗ ) = true holds, and from this it follows that CVf(σ ∗ , τ1∗ , pk ∗ τ2∗ ) = true. Now, pk ∗ = pk so that pk ∗ τ2∗ = pk τ2 and hence B has successfully violated the binding property of Γ .
4.3
Boneh-Boyen Short Signature
Here we give a brief description of the Boneh-Boyen signature scheme [2] for completeness. Parameter generation. A bilinear group (G1 , G2 ) with a pairing e : G1 × G2 → GT , where |G1 | = |G2 | = |GT | = p for some prime p, is chosen. The message space is Zp , which gives no essential problem since the domain can be extended by using a (target) collision resistant hash function. Key generation. Key generation algorithm chooses random generators g1 and R g2 of G1 and G2 , respectively, and chooses x, y ← Z∗p , computes u ← g2x ∈ G2 , def def v ← g2y ∈ G2 . Then, pk = (g1 , g2 , u, v), and sk = (g1 , x, y). Signing. For a secret key (g1 , x, y) and a message m ∈ Zp , the signing algorithm R 1/(x+m+yτ ) chooses τ ← Zp \ {− x+m ∈ G1 . Then the y }, and computes σ ← g1 signature is the pair (σ, τ ). Verification. For a public key (g1 , g2 , u, v), a message m, and a signature (σ, τ ), the verification can be done by checking whether e(σ, u · g2m · v τ ) = e(g1 , g2 ). 4.4
Security of Boneh-Boyen as an Anonymous Signature
The Boneh-Boyen short signature can be naturally considered as an anonymous 1/(x+m+yτ ) signature, by regarding τ in (σ = g1 , τ ) as the verification token. To be precise, because τ should not be equal to −(x + m)/y modulo p, we need to make slight modifications both to the signature scheme and to the formalism itself; for example, instead of choosing τ uniformly from Zp \ {−(x + m)/y}, τ may be chosen uniformly from Zp , and instead the signing algorithm may be allowed to fail in the negligible possibility that τ = −(x + m)/y. Then, the Boneh-Boyen short signature scheme becomes a secure anonymous signature scheme; we show that it is strongly unforgeable, anonymous with full key exposure, and weakly unpretendable with full key exposure. Strong unforgeability. Because our definition of strong unforgeability for anonymous signatures is identical to the ordinary definition of strong unforgeability, the proof of Boneh and Boyen for the strong unforgeability of the short signature scheme is directly applicable. Their proof is based on the SDH assumption on bilinear groups (G1 , G2 ).
152
V. Saraswat and A. Yun
Anonymity with full key exposure. For a message m ∈ Zp chosen by the 1/(x+m+yτ ) adversary, consider the distribution of the signature σ, where σ = g1 , R for uniformly chosen token τ ← Zp , when the secret key (g1 , x, y) is given to the adversary. Then, even conditioned on g1 , x, m, and y, still 1/(x + m + yτ ) has uniform distribution on Z∗p ∪ {⊥}, and σ has uniform distribution on (G1 \ {1}) ∪ {⊥}. Because this is true for any secret key (g1 , x, y), we conclude that the Boneh-Boyen short signature scheme is anonymous with full key exposure. Weak unpretendability with full key exposure. We will prove weak unpretendability of Boneh-Boyen signature with full key exposure, under the following assumption on the bilinear groups (G1 , G2 , GT ) which we call ‘adversarial pairing inversion assumption’: With respect to any adversarially chosen h ∈ GT \ {1}, it is infeasible R to find X ∈ G2 satisfying e(g, X) = h, for g ← G1 \ {1}. It is a nonstandard variant of pairing inversion problem; it is known that some versions of pairing inversion problem is as hard as the computational DiffieHellman problem [3,9], but here h is allowed to be chosen by the adversary, and it is not known whether this assumption can be derived from more traditional assumptions. Note also that this is an interactive assumption. But, the adversarial choice of h does not seem to allow any obvious attacks, and as a partial justification of the assumption, it can be shown that this assumption holds in generic bilinear groups. Let A be an adversary of weak unpretendability of the Boneh-Boyen signature, with key exposure. Using A, we construct the adversary B of the adversarial pairing inversion problem. The challenger of the adversarial pairing inversion problem selects the description of the bilinear groups, and passes it to B. B then runs A with the same input. After obtaining the public key output (g1 , g2 , u, v) ∈ G1 × G2 × G2 × G2 of A, B outputs h ← e(g1 , g2 ) as his chosen instance for the adversarial pairing inversion to the challenger. R def Then, the challenger sends B a random g ← G1 \ {1}. B defines g1∗ = g, and R R randomly chooses g2∗ ← G2 \ {1}, x∗ , y ∗ ← Zp , and sends g1∗ , g2∗ , x∗ , y ∗ to A. R A will then output the challenge message m∗ . B randomly chooses τ ∗ ← Zp , ∗ ∗ 1/(x∗ +m∗ +y ∗ τ ∗ ) ∗ ∗ computes σ ← (g1 ) , and sends (σ , τ ) to A. A will eventually halt with some τ . Using τ , B outputs X, where X is defined as ∗
X = (ug2m v τ )1/(x def
∗
+m∗ +y ∗ τ ∗ )
.
In the above, B provides perfect simulation for A. Suppose that the attack of A is successful: then ∗ e(g1 , g2 ) = e(σ ∗ , ug2m v τ ) ∗
∗
∗ ∗
∗
∗
∗ ∗
holds. Since σ ∗ = (g1∗ )1/(x +m +y τ ) = g 1/(x +m +y τ ) , the above equation is equivalent to e(g, X) = e(g1 , g2 ) = h, which shows that B solves the pairing inversion, whenever the weak unpretendability attack of A is successful.
Anonymous Signatures Revisited
153
On unpretendability of Boneh-Boyen. The Boneh-Boyen signature scheme satisfies weak unpretendability with full key exposure, but it is not unpretendable; it is easy to break unpretendability when the adversary is allowed to choose his public key adaptively.
Acknowledgements We thank anonymous reviewers for many constructive and helpful comments. Especially, we revised notions of the unpretendability, following criticisms on our previous definition. Also, a reviewer suggested possibility of commitmentbased generic construction of anonymous signatures. In our previous manuscript on ePrint archive [8], we had presented a pseudorandom generator based construction which was a special case of commitment based construction, but we generalized it based on any commitment scheme, following the reviewer’s suggestion.
References 1. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001) 2. Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. Journal of Cryptology 21(2), 149–177 (2008) 3. Cheon, J.H., Lee, D.H.: Diffie-Hellman problems and bilinear maps. Cryptology ePrint Archive, Report 2002/117 (2002) 4. Fischlin, M.: Anonymous signatures made easy. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 31–42. Springer, Heidelberg (2007) 5. Galbraith, S.D., Mao, W.: Invisibility and anonymity of undeniable and confirmer signatures. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 80–97. Springer, Heidelberg (2003) 6. Hu, B.C., Wong, D.S., Zhang, Z., Deng, X.: Certificateless signature: a new security model and an improved generic construction. Designs, Codes and Cryptography 42(2), 109–126 (2007) 7. Menezes, A., Smart, N.P.: Security of signature schemes in a multi-user setting. Designs, Codes and Cryptography 33(3), 261–274 (2004) 8. Saraswat, V., Yun, A.: Anonymous signatures revisited. Cryptology ePrint Archive, Report 2009/307 (2009) 9. Satoh, T.: On pairing inversion problems. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 317–328. Springer, Heidelberg (2007) 10. Yang, G., Wong, D.S., Deng, X., Wang, H.: Anonymous signature schemes. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 347–363. Springer, Heidelberg (2006) 11. Zhang, R., Imai, H.: Strong anonymous signatures. In: Yung, M., Liu, P., Lin, D. (eds.) Inscrypt, vol. 5487, pp. 60–71. Springer, Heidelberg (2008)
An eCK-Secure Authenticated Key Exchange Protocol without Random Oracles Daisuke Moriyama1 and Tatsuaki Okamoto2 1
Institute of Information Security, 2-14-1, Tsuruya-cho, Kanagawa-ku, Yokohama-shi, Kanagawa, 221-0835 Japan
[email protected] 2 NTT, 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585 Japan
[email protected]
Abstract. This paper presents a (PKI-based) two-pass authenticated key exchange (AKE) protocol that is secure in the extended CanettiKrawczyk (eCK) security model. The security of the proposed protocol is proven without random oracles (under three assumptions), and relies on no implementation techniques such as a trick by LaMacchia, Lauter and Mityagin (so-called the NAXOS trick). Since an AKE protocol that is eCK-secure under a NAXOS-like implementation trick will be no more eCK-secure if some realistic information leakage occurs through sidechannel attacks, it has been an important open problem how to realize an eCK-secure AKE protocol without using the NAXOS tricks (and without random oracles).
1
Introduction
A two-party key exchange protocol is a mechanism in which two parties communicate with each other and share a common secret key. The most famous key exchange protocol is the Diffie-Hellman key exchange, but it is vulnerable to man-in-the-middle attacks, i.e., the existence of an active adversary. A protocol proven secure against an active adversary is called an authenticated key exchange (AKE) protocol. Here we focus on two-party AKE protocols. The security definition for twoparty key exchange was developed by many researchers [1–3,7]. Recently, LaMacchia, Lauter and Mityagin [7] presented a strong security definition for two-pass key exchange protocol, which we call the eCK security model. Since the eCK security model allows an active adversary to obtain various private information regarding a target session, it captures many known desirable security properties for AKE including resistance to key-compromise impersonation (KCI) attacks, weak perfect forward secrecy (wPFS), and resilience to the leakage of ephemeral private keys (RLE). There are some protocols proven in the eCK security model [7, 9, 10, 12, 13]. NAXOS was presented by LaMacchia, Lauter, and Mityagin [7] and proven to be secure in the random oracle model under the Gap Diffie-Hellman (GDH) assumption. In their paper, they used an implementation technique that we J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 154–167, 2009. c Springer-Verlag Berlin Heidelberg 2009
An eCK-Secure Authenticated Key Exchange Protocol
155
call the “NAXOS trick.” CMQV was proposed by Ustaoglu [13] as a combined version of the NAXOS trick and HMQV [6]. HMQV is secure in a slight variant of the CK (we call CK’) security model and satisfies the KCI-security, wPFS and RLE, but has not been proven to be eCK-secure. CMQV is eCK-secure in the random oracle model under the GDH assumption and the NAXOS trick. The other eCK secure protocols proven in the random oracle model [9, 10] also uses the NAXOS trick. Okamoto [12] presented an eCK-secure key exchange protocol without random oracles and under the NAXOS trick. Therefore, many of the eCK-secure AKE protocols rely on the NAXOS trick. The NAXOS trick is an implementation technique that hides the exponent of an ephemeral public key from an adversary even if the adversary obtains the ephemeral private key. In a key exchange protocol that utilizes the NAXOS trick, a party generates the exponent of the ephemeral public key by hashing of the ephemeral private key (randomness for each session) and the static private key of the party. We consider whether or not the NAXOS trick is essential to archive the eCK security. The exponent of the ephemeral public key may be revealed via sidechannel attacks or power analysis in a realistic setting. Therefore, even though the NAXOS trick hides the exponent of the ephemeral public key, it may be leaked via such side-channel attacks and then the eCK security is no longer ensured. We present a new eCK secure AKE protocol without using the NAXOS trick. So, even if the exponent (i.e., the ephemeral private key) of an ephemeral public key is leaked via side-channel attacks, the eCK security is still preserved in our AKE protocol. The proposed protocol is an extended version of the Okamoto protocol [12] and secure without random oracles under the Decision Diffie-Hellman (DDH) assumption, pair-wise independent pseudo-random function family and collision resistant hash function family.
2 2.1
Preliminaries Notations
When A is a probabilistic machine or algorithm, A(x) denotes the random variR able of the output of A on input x. y ← A(x) denotes that y is randomly selected from A(x) according to its distribution. Then, A(x) → a indicates the event that U A outputs a on input x if a is a value. When A is a set, y ← A means that y is uniformly selected from A. When A is a value, y := A denotes that A is set as y. 2.2
The DDH Assumption
Let G be a group of prime order q with security parameter k. Let {G}k be the set of group G with security parameter k. For all k ∈ N, we define sets D(k) := {(G, g1 , g2 , g1x , g2x ) | G ∈ {G}k , (g1 , g2 ) ∈ G2 , x ∈ Zq } and R(k) :=
156
D. Moriyama and T. Okamoto
{(G, g1 , g2 , y1 , y2 ) | G ∈ {G}k , (g1 , g2 , y1 , y2 ) ∈ G4 }. The DDH advantage of an algorithm A is defined as U U AdvDDH (k) := Pr[A(1k , ρ) → 1 | ρ ← D(k)] − Pr[A(1k , ρ) → 1 | ρ ← R(k)] A for all k ∈ N. We say that the DDH assumption holds in {G}k∈N if for any probabilistic polynomial-time adversary A, AdvDDH (k) is negligible in k. A 2.3
Pseudo-Random Function (PRF)
Let k ∈ N be a security parameter. A pseudo-random function (PRF) family F associated with {Seedk }k∈N , {Domk }k∈N and {Rngk }k∈N is indexed by k. When R σ is randomly chosen from random seeds Σ ← Seedk , Fk,Σ,D,R maps an element σ R R of D to an element of R where D ← Domk and R ← Rngk . Let AO be a probabilistic polynomial-time machine with oracle access to O. The advantage of an algorithm AO breaking the PRF function is defined by F k RF AdvPRF (1k , D, R) → 1]|, F,A (k) := | Pr[A (1 , D, R) → 1] − Pr[A R
U
R
R
where Σ ← Seedk , σ ← Σ, D ← Domk , R ← Rngk , F := Fk,Σ,D,R , and RF : σ D → R is a truly random function. F is a PRF family if for any probabilistic polynomial-time adversary A, AdvPRF F,A (k) is negligible in k. 2.4
Pseudo-Random Function with Pairwise-Independent Random Sources (πPRF)
Okamoto [12] introduced a specific class of PRF, πPRF. Suppose that fΣ : IΣ → XΣ is a deterministic polynomial-time algorithm, where XΣ is a set of random variables and IΣ is a set of indices regarding Σ. This algorithm outputs σi ∈ XΣ from i ∈ IΣ . Let (σi0 , σi1 , . . . , σit(k) ) (ij ∈ IΣ ) be pairwisely independent random variables indexed by (IΣ , fΣ ), and each variable be uniformly distributed over Σ. That is, for any pair of (σi0 , σij ) (j = 1, . . . , t(k)), for any (x, y) ∈ Σ 2 , we have Pr[σi0 → x ∧ σij → y] = 1/|Σ|2 . Consider a probabilistic polynomial-time machine AF,IΣ that can issue oracle queries. When A inputs qj ∈ D and ij ∈ IΣ , the oracle replies with Fk,Σ,D,R (qj ) σj R
for each j = 0, 1, . . . , t(k), where (σ 0 , . . . , σ t(k) ) ← (σi0 , . . . , σit(k) ) in oracle (F, IΣ ). ARF,IΣ is same as AF,IΣ except Fk,Σ,D,R (q0 ) is replaced by a truly σ0 random function RF (q0 ). The advantage of an algorithm A breaking the πPRF function is defined by F,IΣ k AdvπPRF (1 , D, R) → 1] − Pr[ARF,IΣ (1k , D, R) → 1]|. F,IG ,A (k) := | Pr[A
We say that F is a πPRF family if for any probabilistic polynomial-time adversary A, AdvπPRF F,IG ,A (k) is negligible in k.
An eCK-Secure Authenticated Key Exchange Protocol
157
Okamoto presented an example of index (IΣ , fΣ ) for the πPRF function. For group G of prime order q, IG := {(V, W, d) ∈ G2 × Zq : (V, W, d)}, U
XG := {(V, W, d) ∈ G2 ×Zq , (r1 , r2 ) ← Z2p , σ(V,W,d) := V r1 +dr2 W : σ(V,W,d) }, fG : IG → XG is a pair-wise independent pseudo-random function (See [12]). 2.5
Collision Resistant (CR) Hash Function
Let k ∈ N be a security parameter. A collision resistant (CR) hash function family H associated with {Domk }k∈N and {Rngk }k∈N specifies two items: – A family of key spaces indexed by k. Each such key space is a probability space on bit strings denoted by KHk . There must exist a probabilistic polynomial-time algorithm whose output distribution on input 1k is equal to KHk . R R R – A family of hash functions indexed by k, h ← KHk , D ← Domk , and R ← k,D,R Rngk , where each such function Hh maps an element of D to an element of R. There must exist a deterministic polynomial-time algorithm that on input 1k , h and ρ ∈ D, outputs Hk,D,R (ρ). h We define the advantage of an algorithm A breaking the CR hash function by (ρ1 , ρ2 ) ∈ D2 ∧ ρ1 = ρ2 ∧ CR k AdvH,A (k) := Pr | A(1 , h, D, R) → (ρ1 , ρ2 ) , Hk,D,R (ρ1 ) = Hk,D,R (ρ2 ) h h R
R
R
where D ← Domk , R ← Rngk , and h ← KHk . H is a CR hash function family if for any probabilistic polynomial-time adversary A, AdvCR H,A (k) is negligible in k. 2.6
The Extended Canetti-Krawczyk (eCK) Security Model
This section introduces the eCK security definition originally introduced by LaMacchia, Lauter and Mityagin [7], and revised by Ustaoglu [13]. This paper defines this eCK security model only for two-pass protocols. Suppose that there are n parties that are modeled as probabilistic polynomialtime Turing machines. Let A and B be the party’s identity, the static public key ˆ of A is denoted by A and B has an static public key B. We consider that Aˆ (B) denotes static public key together with a certificate of the public key A (B) and identity A (B). To get a certificate of the public key, a party is required to prove the knowledge of a part of the corresponding static private key by some way (e.g., by a zero-knowledge proof of knowledge or by an administrative manner) if the key exchange protocol explicitly specifies it.1 Otherwise, the certification 1
In the eCK definition [13], such a proof of knowledge is not required.
158
D. Moriyama and T. Okamoto
authority does not require parties to prove the knowledge of static private keys, but verifies that each static public key belongs to the public key space. Here we only assume two conditions for the proof of knowledge (we do not assume any specific way to prove): 1. There exists an efficient (or polynomial-time) measure using the corresponding party as a black-box to extract the private key (with overwhelming probability). 2. Any adversary obtains (information theoretically) no additional information via the process of the proof of knowledge if the corresponding party is honest (see the definition of ‘honest’ later). When a key exchange protocol between A and B is executed, a party A can be activated to execute an instance of the protocol called a session. The party executing the session is called the owner of the session and the other party ˆ B) ˆ or (A, ˆ B, ˆ Y) is called the peer. A party is activated with the message: (A, where Y denotes the ephemeral public key of B. If the incoming message is ˆ B), ˆ A generates ephemeral public-private key pair (X, x) in the form of (A, ˆ ˆ and sends (A, B, X) to the other party B. In this case, we refer to A as the ˆ A, ˆ X), B generates pair (Y, y) and initiator of the session. When B receives (B, ˆ ˆ responds with (A, B, X, Y ) to A. B is called the responder of the session that B owns. If a party outputs the session key of a session, the session is said to be ˆ B, ˆ X, Y ), completed. We define the session identifier (sid) of the form (role, A, ˆ where role ∈ {initiator, responder}, A specified by A is the owner, B is the peer, X is the first message (outgoing or incoming) and Y is the second. We say ˆ B, ˆ X, Y ) and (role , B, ˆ A, ˆ X, Y ) are called to be matching that sessions (role, A, if role = role . The adversary, M, is modeled as probabilistic polynomial-time Turing machine and controls all communications. The adversary activates parties with incoming messages via Send(message), thereby controlling the activation of sessions. Furthermore, M can issue the following queries. – EphemeralKeyReveal(sid). The adversary obtains the ephemeral private key for the session sid. – SessionKeyReveal(sid). The adversary obtains the session key for the completed session sid. – StaticKeyReveal(pid). The adversary obtains the static private key of party pid. – EstablishParty(pid, Z). The adversary registers a static public key Z on behalf of party pid. The party is controlled by the adversary. If a party pid is established by EstablishParty(pid, Z) then we call the party dishonest. If a party is not dishonest, we call the party honest. U When adversary M issues a test query Test(sid∗ ), a bit b ← {0, 1} is chosen. If b = 1, M receives the actual session key SK ∗ of the test session sid∗ . Otherwise, ∗ U M is given a random key R∗ where R∗ ← {0, 1}|SK | . Finally, M outputs a bit b ∈ {0, 1} for the test query. To define the advantage of M, we need the notation of fresh session as follows:
An eCK-Secure Authenticated Key Exchange Protocol
159
ˆ B, ˆ X ∗, Definition 1. (fresh session of eCK security) Let sid := (role, A, ∗ Y ) be the session identifier executed by honest parties A and B. We define the matching session of sid as sid, if it exists. We define session sid to be fresh if the following conditions hold. – M issues neither • SessionKeyReveal(sid) query, nor • SessionKeyReveal(sid) query (if sid exists). – If sid exists, then M issues neither • StaticKeyReveal(A) and EphemeralKeyReveal(sid), nor • StaticKeyReveal(B) and EphemeralKeyReveal(sid). – If sid does not exist, then M issues neither • StaticKeyReveal(A) and EphemeralKeyReveal(sid), nor • StaticKeyReveal(B). Definition 2. (eCK security) Let the test session sid∗ , where adversary M issues Test(sid∗ ), be fresh. Then, we define the advantage of M by AdveCK M (k) := | Pr[b = b] − 1/2|.
A key exchange protocol is eCK-secure if the following conditions hold. – If two honest parties complete matching sessions, they compute the same session key. – For any probabilistic polynomial-time adversary M, AdveCK M (k) is negligible in k.
3
The NAXOS Trick
The NAXOS trick is one of the implementation techniques proposed by LaMacchia, Lauter, and Mityagin [7] to construct an eCK-secure key exchange protocol. In a typical key exchange protocol, ephemeral public key X is computed by X := g x and x is the ephemeral private key. If adversary M issues an ephemeral key reveal query to the session, M can directly obtain x, the exponent of X. On the other hand, the NAXOS trick specifies that ephemeral public key X is computed by X := g x˜ , where x ˜ is the hashing of ephemeral private key x and static private key a, i.e., x˜ := H(x, a). The hashed value, x˜, is not stored as ephemeral private key but is computed each time when required. So, adversary M cannot directly obtain the exponent of X, even if M issues an ephemeral key reveal query. This trick is adopted by many of the existing eCK-secure key exchange protocols [7, 9, 10, 12, 13] (except [14]), but this technique does not work in some realistic setting like side-channel attacks. For example, x˜ with X = g x˜ may be revealed to an adversary by up-to-date power-analysis. Therefore, an eCK-secure protocol based on the NAXOS trick may be vulnerable (in the sense of the eCK security) by some realistic side-channel attacks.
160
4
D. Moriyama and T. Okamoto
The Proposed Protocol
We propose an eCK-secure key exchange protocol that does not use the “NAXOS trick.” U Let k ∈ N be a security parameter and G ← {G}k be a group that has prime U order q with |q| = k. Set (g1 , g2 ) ← G2 . Let Hk be a CR hash function family R H ,RH and h1 , h2 , h3 ← Hk be an index of CR hash function Hi := Hk,D (for hi 2 18 i = {1, 2, 3}), where DH := (Πk ) × G , RH := Zq and Πk denotes the space of certified static public keys. Let F be a πPRF family and F := Fk,ΣF ,DF ,RF where ΣF := G, DF := (Πk )2 × G12 and RF := {0, 1}k . The system parameter of the proposed AKE protocol is (G, g1 , g2 , H1 , H2 , H3 , F ). U The static private key of party A is (a1 , . . . , a8 , a) ← (Zq )9 and the static public key of A is (A1 , A2 , A3 , A4 , A5 , A6 ) := (g1a1 g2a2 , g1a3 g2a4 , g1a5 g2a6 , U
g1a7 g2a8 , g1a , g2a ). Similarly, the static private key of party B is (b1 , . . . , b8 , b) ← (Zq )9 and the static public key of B is (B1 , B2 , B3 , B4 , B5 , B6 ) := (g1b1 g2b2 , g1b3 g2b4 , g1b5 g2b6 , g1b7 g2b8 , g1b , g2b ). In this protocol, a party is required to prove the knowledge of a part of the static private key, from the fifth component to the eighth component (e.g., (a5 , a6 , a7 , a8 )) (see Section 2.6 for the proof of knowledge). When the proposed key exchange protocol between initiator A and responder B is executed, A performs the following procedure to establish a session key with party B. U
1. Select ephemeral private key (x, x3 ) ← (Zq )2 . 2. Compute ephemeral public key (X1 , X2 , X3 ) := (g1x , g2x , g1x3 ). ˆ A, ˆ X1 , X2 , X3 ) to B. 3. Send (B, ˆ A, ˆ X1 , X2 , X3 ), B checks that (X1 , X2 , X3 ) ∈ G3 . If (X1 , X2 , Upon receiving (B, 3 X3 ) ∈ G , B executes the following procedure. U
1. Select ephemeral private key (y, y3 ) ← (Zq )2 . 2. Compute ephemeral public key (Y1 , Y2 , Y3 ) := (g1y , g2y , g1y3 ). ˆ B, ˆ X1 , X2 , X3 , Y1 , Y2 , Y3 ) to A. 3. Send (A, ˆ B, ˆ X1 , X2 , X3 , Y1 , Y2 , Y3 ), A checks if he sent (B, ˆ A, ˆ X1 , Upon receiving (A, 3 X2 , X3 ) to B. If the condition holds, A verifies that (Y1 , Y2 , Y3 ) ∈ G . A computes KA := Y1a1 +ca3 Y2a2 +ca4 Y3x3 B1x B2dx B3a B4ea B5a5 +ea7 B6a6 +ea8 , and B b eb b5 +eb7 b6 +eb8 computes KB := X1b1 +db3 X2b2 +db4 X3y3 Ay1 Acy A6 , where c := 2 A3 A4 A5 ˆ ˆ X1 , X2 , X3 , Y1 , Y2 , Y3 ). Here, H1 (s), d := H2 (s), e := H3 (s) and s := (A, B, s is specified as the remaining part of the initiator’s sid except the role part (‘initiator’). Finally, A outputs session key SKA := FKA (s) and B outputs SKB := FKB (s). This construction is based on the Okamoto protocol [12], but the proposed protocol does not require the NAXOS trick. Instead, we add (A3 , A4 , A5 , A6 , B3 , B4 , B5 , B6 ) to the static public key and use them in the computation for the session key to satisfy the eCK security model.
An eCK-Secure Authenticated Key Exchange Protocol
4.1
161
Security
Theorem 1. Suppose that the DDH assumption holds for {G}k∈N , F is πPRF family with index {(IG , fG )}G∈{G}k ,k∈N where IG := {(V, W, d) ∈ G2 × Zq : U
(V, W, d)} and fG : (V, W, d) → V r1 +dr2 W with (r1 , r2 ) ← Z2q , and H is CR hash function family. Then the proposed AKE protocol is eCK-secure (in the sense of Definition 2). It is clear that the first condition of Definition 2 holds. We will prove that the second condition of Definition 2 holds under the assumptions. ˆ B, ˆ X ∗ , X ∗ , X ∗ , Y ∗ , Y ∗ , Y ∗ ) be the test session chosen by M. Let sid∗ = (·, A, 1 2 3 1 2 3 Suppose that the owner A executes the protocol with the peer B at the session. A a∗ a∗ a∗ a∗ a∗ a∗ a∗ has the static public key (A∗1 , A∗2 , A∗3 , A∗4 , A∗5 , A∗6 ) := (g1 1 g2 2 , g1 3 g2 4 , g1 5 g2 6 , g1 7 ∗ ∗ ∗ ∗ a b b∗ g2 8 , g1a , g2a ), and B has the static public key (B1∗ , B2∗ , B3∗ , B4∗ , B5∗ , B6∗ ) := (g11 g22 , ∗ ∗ b∗ b∗ b∗ b∗ b∗ b∗ x∗ g13 g24 , g15 g26 , g17 g28 , g1b , g2b ). Furthermore, let (X1∗ , X2∗ , X3∗ ) := (g1x , g2x , g1 3 ) ∗ ∗ ∗ y and (Y1∗ , Y2∗ , Y3∗ ) := (g1y , g2y , g1 3 ). Without loss of generality, we assume Aˆ is the ˆ B, ˆ X ∗ , X ∗ , X ∗ , Y ∗ , Y ∗ , Y ∗ ). The session initiator of the test session and s∗ := (A, 1 2 3 1 2∗ 3 ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ key of test session sid is SK := FK ∗ (s ) where K ∗ := (Y1∗ )a1 +c a3 (Y2∗ )a2 +c a4 ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ (Y3∗ )x3 (B1∗ )x (B2∗ )d x (B3∗ )a (B4∗ )e a (B5∗ )a5 +e a7 (B6∗ )a6 +e a8 , c∗ := H1 (s∗ ), d∗ := H2 (s∗ ) and e∗ := H3 (s∗ ). We consider the following cases to estimate the advantage of adversary M. – There exists a matching session sid∗ of test session sid∗ . We consider the following disjoint cases: • Case 1a: The adversary issues both EphemeralKeyReveal(sid∗ ) and EphemeralKeyReveal(sid∗ ). • Case 1b: The adversary issues either EphemeralKeyReveal(sid∗ ) or EphemeralKeyReveal(sid∗ ). • Case 1c: The adversary issues neither EphemeralKeyReveal(sid∗ ) nor EphemeralKeyReveal(sid∗ ). – There exists no matching session of test session sid∗ . We consider the following disjoint cases: • Case 2a: The adversary issues EphemeralKeyReveal(sid∗ ). • Case 2b: The adversary does not issue EphemeralKeyReveal(sid∗ ). The above cases are disjoint and cover the whole. Here, Case 1a (1b) is covered by Case 2a (2b). This is because: If there exists an adversary that breaks the proposed protocol in Case 1a (1b), we can construct another adversary that breaks it in Case 2a (2b). Therefore, we consider the following three Lemmas to evaluate the advantage. Lemma 1. The advantage of M is negligible in k when Case 1c occurs. Lemma 2. The advantage of M is negligible in k when Case 2a occurs. Lemma 3. The advantage of M is negligible in k when Case 2b occurs.
162
D. Moriyama and T. Okamoto
We prove Lemmas 1 and 2, and omit the proof of Lemma 3, since one can easily obtain the security proof of Lemma 3 if (A∗5 , A∗6 ) in the proof of Lemma 2 is replaced by (X1∗ , X2∗ ) in that of Lemma 3, where (X1∗ , X2∗ , B1∗ , B2∗ ) corresponds to (A∗5 , A∗6 , B3∗ , B4∗ ) in our proof technique, but the proofs of knowledge used in that of Lemma 2 are not necessary in that of Lemma 3 (i.e., a game corresponding to Game 2-3 can be omitted in that of Lemma 3). The reduction efficiency of Lemma 3 is almost equivalent to that of Lemma 2. Case 1c: Proof (Proof of Lemma 1). We proceed in games, starting with Game 1-0 which is the original eCK game between a challenger and adversary M1 , the challenger simulates all honest parties and the answer of the test query. In each Game i, we define Advi as the advantage that the adversary wins the game. Game 1-0. This is the original eCK game with adversary M1 in Case 1c. Hence Adv1-0 = AdveCK M1 (k). Game 1-1. The challenger proceeds as Game 1-0 but abort the game if it does not correctly guess the test session. Suppose that M1 activates at most qa (k) sessions for each n(k) party. The ˆ in n(k) challenger uniformly selects the owner of test session Aˆ and peer B ˆ i-th session will be chosen as the test session in parties, and guesses that A’s advance. Then the probability that the challenger correctly guesses the test session is at least 1/(n(k)2 qa (k)). We have Adv1-0 ≤ n(k)2 qa (k) · Adv1-1 . ∗
Game 1-2. We modify Game 1-1 by changing the value of (Y3∗ )x3 to a random U
element δ ← G. If the adversary distinguishes Game 1-2 from Game 1-1 with non-negligible probability, we can construct an algorithm S1 that solves the DDH problem. U U For a given DDH instance ρ := (G, u, v, w, z), where ρ ← D(k) or ρ ← R(k), ∗ S1 sets g1 := u and chooses all parameters as Game 1-1 except X3 and Y3∗ . S1 sets X3∗ := v and Y3∗ := w as the ephemeral public key at the test session and the matching session. If M1 issues the test session, the challenger responds the ses∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ sion key using K ∗ := (Y1∗ )a1 +c a3 (Y2∗ )a2 +c a4 · z · (B1∗ )x (B2∗ )d x (B3∗ )a (B4∗ )e a ∗ ∗ ∗ ∗ ∗ ∗ a∗ +e a ∗ a +e a 7 (B ) 6 8 . When M (B5 ) 5 1 outputs a guess b , S1 outputs 1 iff b = b 6 holds. U If ρ ← D(k), the advantage of S1 in this simulation is equivalent to that ∗ ∗ x∗ y∗ in Game 1-1, since z = (Y3∗ )x3 (= (X3∗ )y3 ) where X3∗ = g1 3 and Y3∗ = g1 3 . U
Otherwise, the advantage of S1 is the same as that in Game 1-2 because ρ ← R(k) U and g3 ← G hold. Therefore, we obtain |Adv1-1 − Adv1-2 | = AdvDDH S1 (k).
An eCK-Secure Authenticated Key Exchange Protocol
163
Game 1-3. We change Game 1-2 to Game 1-3 by changing PRF F to a random function RF for test query Test(sid∗ ). If the adversary distinguishes Game 1-3 from Game 1-2 with non-negligible probability, we can construct an algorithm S2 that breaks the PRF function (in this case, πPRF property is not needed). Given oracle access to F or truly random function RF , S2 selects all parameters as Game 1-2 and proceeds with the game except for the computation of test query Test(sid∗ ). When M1 issues a test query to sid∗ , S2 issues sid∗ to the oracle and responds with the value to the adversary. When M1 outputs a guess b , S2 outputs 1 iff b = b holds. If the oracle is F , the advantage of S2 in this simulation is equivalent to that in Game 1-2 because K ∗ is uniformly random and the returned value, F , during the test session is indistinguishable from that of FK ∗ (sid∗ ). Otherwise, the advantage of S2 is the same as that in Game 1-3 because RF is random function. Therefore, we obtain |Adv1-2 − Adv1-3 | = AdvPRF F,S2 (k). It is obvious that Adv1-3 = 0, and we obtain DDH PRF 2 AdveCK M1 (k) ≤ n(k) qa (k) · (AdvS1 (k) + AdvF,S2 (k)).
Case 2a: Proof (Proof of Lemma 2). Now, we proceed in games with adversary M2 as follows. ˆ D ˆ (i) , X (i) , X (i) , X (i) , W (i) , W (i) , W (i) ), (res- ponder, Let sidi ∈ {(initiator, A, 1 2 3 1 2 3 ˆ D ˆ (i) , W (i) , W (i) , W (i) , X (i) , X (i) , X (i) )} be the identity of a session bitween A A, 1 2 3 1 2 3 and D(i) (i = 1, . . . , qa (k)), for which M2 issues session key queries. Suppose that (i) (i) (i) (i) (i) (i) public key of D(i) is denoted by (D1 , D2 , D3 , D4 , D5 , D6 ). Let SKi := (i) ∗ ∗ ∗ ∗ (i) (i) (i) (i) (i) (i) (i) FKi (si ) where Ki := (W1 )a1 +di a3 (W2 )a2 +di a4 (W3 )x3 (D1 )x (D2 )ci x (i)
∗
(i)
(j)
∗
∗
∗
(i)
(j)
∗
∗
∗
∗
∗
(D3 )a (D4 )ei a (D5 )a5 +ei a7 (D6 )a6 +ei a8 , ci := H1 (si ), di := H2 (si ), ei := ˆ D ˆ (i) , X (i) , X (i) , X (i) , W (i) , W (i) , W (i) ) (if Aˆ is initiator) or H3 (si ) and si := (A, 1 2 3 1 2 3 ˆ (i) , A, ˆ W (i) , W (i) , W (i) , X (i) , X (i) , X (i) ) (if Aˆ is responder). si := (D 1 2 3 1 2 3 Similarly, we consider a session bitween B and C (j) . Let sidj ∈ {(initiaˆ Cˆ (j) , Y (j) , Y (j) , Y (j) , Z (j) , Z (j) , Z (j) ), (responder, B, ˆ Cˆ (j) , Z (j) , Z (j) , Z (j) , tor, B, 1 2 3 1 2 3 1 2 3 (j) (j) (j) Y1 , Y2 , Y3 )} (j = 1, . . . , qa (k)) be sessions for which M2 issues session key (j) (j) (j) (j) (j) (j) queries. The public key of C (j) is denoted by (C1 , C2 , C3 , C4 , C5 , C6 ). Then, the session key of sidj is computed by SKj := FKj (sj ) where Kj := ∗
(i)
(j)
(j)
(j)
(j)
(j)
(j)
(j)
(j)
(Z1 )b1 +dj b3 (Z2 )b2 +dj b4 (Z3 )y3 (C1 )y (C2 )cj y (C3 )b (C4 )ej b ∗ ∗ ∗ ∗ (j) (j) (C5 )b5 +ej b7 (C6 )b6 +ej b8 , cj := H1 (sj ), dj := H2 (sj ), ej := H3 (sj ) and sj := (j) (j) ˆ Cˆ (j) , Y , Y , Y (j) , Z (j) , Z (j) , Z (j) ) or sj := (Cˆ (j) , B, ˆ Z (j) , Z (j) , Z (j) , Y (j) , (B, 1
(j)
(j)
Y2 , Y3 ).
2
3
1
2
3
1
2
3
1
164
D. Moriyama and T. Okamoto
Game 2-0. This is the original eCK game with adversary M2 in Case 2a. Hence Adv2-0 = AdveCK M2 (k). Game 2-1. The challenger proceeds as Game 2-0 but aborts the game if it does not correctly guess the test session in Game 2-1. This transformation is same as Game 1-1 in the security proof of Lemma 1. Then we have Adv2-0 ≤ n(k)2 qa (k) · Adv2-1 . Game 2-2. We modify Game 2-1 to Game 2-2 by changing the value of ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ B3a B4e a to (A∗5 )b5 +e b7 (A∗6 )b6 +e b8 (in the computation process of KA ). This change is purely conceptual, hence Adv2-1 = Adv2-2 . Game 2-3. We modify Game 2-2 to Game 2-3 by changing the value of (i) (i) (i) (i) (i) ∗ (i) ∗ (D3 )a (D4 )ei a to (A∗5 )d5 +ei d7 (A∗6 )d6 +ei d8 in the computation process of (i) (i) (i) (i) (i) (i) Ki , where (d5 , d6 , d7 , d8 ) is the static private key of (D3 , D4 ). (i) When M2 establishes a party D , M2 is required to prove the knowledge of (i) (i) (i) (i) (d5 , d6 , d7 , d8 ) in the public key certification process. Due to the conditions of the proof of knowledge (Section 2.6), the simulator (challenger) can obtain (i) (i) (i) (i) (d5 , d6 , d7 , d8 ) with overwhelming probability. Since this change is purely conceptual, we obtain Adv2-2 ≤ Adv2-3 + ε(k) where ε(k) is negligible in k. Game 2-4. We modify Game 2-3 to Game 2-4 by changing DH tuple (G, g1 , g2 , U U A∗5 , A∗6 ) ← D(k) to random tuple (G, g1 , g2 , A∗5 , A∗6 ) ← R(k). If the adversary distinguishes Game 2-4 from Game 2-3 with non-negligible probability, we can construct an algorithm S1 that solves the DDH problem. U U For a given DDH instance ρ := (G, u, v, w, z), where ρ ← D(k) or ρ ← R(k), S1 sets g1 := u, g2 := v and chooses all parameters as Game 2-2 except A∗5 and A∗6 . S1 sets A∗5 := w and A∗6 := z. S1 proceeds with the game and outputs 1 iff M2 correctly guesses b . U If ρ ← D(k), the advantage of S1 in this simulation is equivalent to that in U Game 2-3. If ρ ← R(k), the advantage of S1 in this simulation is equivalent to that in Game 2-4. Therefore, we have |Adv2-3 − Adv2-4 | ≤ AdvDDH S1 (k). Game 2-5. We proceed as Game 2-4 but abort the game if M2 establishes session sidj such that H3 (s∗ ) = H3 (sj ).
An eCK-Secure Authenticated Key Exchange Protocol
165
Here we assume that the matching session of test session sid∗ does not exists. Hence, s∗ = sj . Then, if the collision event does not occur, Game 2-5 is equivalent to Game 2-4. When the event does occur, we can easily construct an algorithm S2 that breaks the CR hash function by outputting (s∗ , sj ). Hence |Adv2-4 − Adv2-5 | ≤ AdvCR S2 (k). Game 2-6. We modify Game 2-5 to Game 2-6 by changing the πPRF function F to a random function RF for test query Test(sid∗ ). There are two cases for each session sidj . (j)
(j)
Case (i): (G, g1 , g2 , C5 , C6 ) ∈ D(k). That is, there exists c(j) ∈ Zq such that (j) (j) (j) (j) C5 = g1c , C6 = g2c . (j) (j) Case (ii): (G, g1 , g2 , C5 , C6 ) ∈ D(k). The probability that (G, g1 , g2 , A∗5 , A∗6 ) ∈ D(k) and g1 = 1, g2 = 1, g1 = g2 is at least (1 − 4/q) because these are uniformly selected from R(k). Then, (B3∗ , B4∗ , K ∗ , Kj ) are denoted by the following equations: logg1 B3∗ ≡ b∗5 + ηb∗6
(mod q)
logg1 B4∗ ≡ b∗7 + ηb∗8 (mod q) logg1 K ∗ ≡ a∗ (b∗5 + e∗ b∗7 ) + ηa∗0 (b∗6 logg1 Kj ≡ c
(j)
(b∗5
+
ej b∗7 )
+
+ e∗ b∗8 ) + δ
(j) ηc0 (b∗6
+
ej b∗8 )
a∗
∗
(mod q)
+γ ∗
where g2 = g1η , A∗5 = g1a , A∗6 = g2 0 , g1δ = (Y1∗ )a1 +c ∗
∗ ∗
∗
∗ ∗
∗
∗ ∗
(j)
∗ ∗ a3
(mod q). ∗
(Y2∗ )a2 +c (j) c0
∗ ∗ a4
∗
(Y3∗ )x3
(B1∗ )x (B2∗ )d x (B5∗ )a5 +e a7 (B6∗ )a6 +e a8 , C5 = g1c , C6 = g2 and g1γ = ∗ ∗ ∗ (j) ∗ (j) ∗ (j) (j) (j) (j) (j) (j) (j) ∗ (j) (Z1 )b1 +dj b3 (Z2 )b2 +dj b4 (Z3 )y3 (C1 )y (C2 )y (C3 )b (C4 )ej b . If Case (i) occurs, Kj is independent from K ∗ for any j = 1, . . . , qa (k), since (j)
(j)
logg1 Kj − γ ≡ c(j) (b∗5 + ηb∗6 ) + c(j) ej (b∗7 + ηb∗8 ) (mod q) is linearly dependent on logg1 B3∗ and logg1 B4∗ , while logg1 K ∗ is linearly independent from logg1 B3∗ and logg1 B4∗ . On the other hand, if Case (ii) occurs, we have ⎛ ⎞ ⎛ ⎞ ⎛ ∗⎞ 1 η 0 0 logg1 B3∗ b5 ⎜ logg B4∗ ⎟ ⎜ 0 ⎟ ⎜b∗6 ⎟ 0 1 η 1 ⎜ ⎟ ⎜ ⎟⎜ ⎟ ⎝logg K ∗ − δ ⎠ = ⎝ a∗ ηa∗0 e∗ a∗ ηe∗ a∗0 ⎠ ⎝b∗7 ⎠ 1 (j) (j) b∗8 . logg1 Kj − γ c(j) ηc0 ej c(j) ηej c0 This 4 × 4 matrix is regular if η 2 (a∗0 − a∗ )(c0 − c(j) )(e∗ − ej ) ≡ 0 (mod q), (j)
so K ∗ is independent from Kj since a∗0 = a ∗ , c0 probability at least 1 − 4/q.
(j)
= c(j) and e∗ = ej with
166
D. Moriyama and T. Okamoto
Now, we construct the algorithm S3 that breaks πPRF function F with index {(IG , fG )}G∈{G}k ,k∈N , where IG := {(V, W, d) ∈ G2 × Zq : (V, W, d)} and fG : U
(V, W, d) → V r1 +dr2 W with (r1 , r2 ) ← Z2q if the adversary distinguishes Games 2-5 and 2-6 with non-negligible probability. S3 selects all parameters including U η ← Zq such that g2 := g1η , and sets β1 := b∗5 + ηb∗6 , β2 := b∗7 + ηb∗8 , V ∗ := A∗6 /(A∗5 )η , Vj := C6 /(C5 )η , (j)
x∗ 1
W ∗ := (B1∗ ) (B2∗ )d ∗
∗
(B5∗ )a5 +e (j)
a∗ 7
∗ b∗ 1 +dj b3
Wj := (Z1 ) (j)
∗
∗
x∗ 2
(j)
x∗ 3
∗
(Y3∗ ) (Y1∗ )a1 +c ∗
∗ ∗ a8
(B6∗ )a6 +e (j)
∗
(Y2∗ )a2 +c
∗ ∗ a4
∗
(A∗5 )β1 +e
β2
,
∗ b∗ 2 +dj b4
(Z2 )
∗ ∗ a3
(j)
(j)
(j)
(j)
(j)
(j)
(j)
∗
(Z3 )y3 (C1 )y (C2 )cj y (C3 )b
(j)
(C4 )ej b (C5 )β1 +ej β2 . Algorithm S3 sets (r1 , r2 ) := (b∗6 , b∗8 ), and applies the index, IG := {(V, W, d) | (V, W, d) ∈ G2 × Zq } and fG : (V, W, d) → V r1 +dr2 W . Then, σ(V ∗ ,W ∗ ,e∗ ) = ∗ K and σ(Vj ,Wj ,ej ) = Kj for j = 1, . . . , t(k). Then S3 sends (V ∗ , W ∗ , e∗ ) and (Vj , Wj , ej ) (j = 1, . . . , qa (k)) to the oracle (F, IG ) or RF . When M2 outputs a guess b , S3 output 1 iff b = b holds. If the oracle is (F, IG ), the simulated game is equivalent to Game 2-5. If the oracle is RF , the simulated game is equivalent to Game 2-6. Therefore, we obtain |Adv2-5 − Adv2-6 | ≤ AdvπPRF F,IG ,S3 (k) + 4/q. Summing up the probabilities, we obtain CR πPRF 2 AdveCK (k) ≤ n (k)q (k) AdvDDH a M2 S1 (k) + AdvS2 (k) + AdvF,IG ,S3 (k)+ 4/q + ε(k) .
Acknowledgement We would like to thank Berkant Ustaoglu for useful comments on the preliminary version of this paper.
References 1. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000) 2. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
An eCK-Secure Authenticated Key Exchange Protocol
167
3. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001) 4. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal of Computing 33(1), 167–226 (2002) 5. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. Journal of ACM 33(4), 792–807 (1986) 6. Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005) 7. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007) 8. Law, L., Menezes, A., Qu, M., Solinas, J.A., Vanstone, S.A.: An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography 28(2), 119–134 (2003) 9. Lee, J., Park, C.S.: An efficient authenticated key exchange protocol with a tight security reduction. Cryptology ePrint Archive, Report 2008/345 (2008) 10. Lee, J., Park, J.H.: Authenticated key exchange secure under the computational diffie-hellman assumption. Cryptology ePrint Archive, Report 2008/344 (2008) 11. Menezes, A.: Another look at HMQV. Journal of Mathematical Cryptology 1(1), 148–175 (2007) 12. Okamoto, T.: Authenticated key exchange and key encapsulation without random oracles. Cryptology ePrint Archive, Report 2007/473 (2007) 13. Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Designs, Codes and Cryptography 46(3), 329–342 (2008), Cryptology ePrint Archive, Report 2007/123 14. Wu, J., Ustaoglu, B.: Efficient key exchange with tight security reduction. Cryptology ePrint Archive, Report 2009/288 (2009)
Password Authenticated Key Exchange Based on RSA in the Three-Party Settings E. Dongna1 , Qingfeng Cheng2 , and Chuangui Ma3 Zhengzhou Information Science and Technology Institute, Zhengzhou, Henan Province, 450002, China
[email protected]
Abstract. A great deal of password authenticated key exchange (PAKE) protocols have been proposed in recent years. Most of them were based on Diffie-Hellman key exchange. While the approach of designing PAKE protocols with RSA is far from maturity and perfection. In fact, the existing PAKE protocols using RSA or other public-key cryptographic techniques provide an authenticated key exchange only between a client and a server. This paper presents a new efficient PAKE protocol using RSA in the three-party settings (3PAKE-RSA). The novel protocol can be resistant to e-residue attack and provably secure under the RSA assumption in the random oracle model. Keywords: Password Authenticated Key Exchange, RSA, e-Residue Attack.
1
Introduction
When two or more parties want to communicate with each other securely, it is essential that the session key is securely established between the parties. Authenticated key exchange (AKE) protocols allow the communicating parties to share a common secure session key over an insecure channel in a mutually authenticated manner. Password has been used for AKE protocols widely because of its short and easily memorable characteristic. However, since people like to choose simply-guessed strings as their passwords, many password-based systems are vulnerable to replay attack or dictionary attack. In 1992, Bellovin and Merritt first presented a family of protocols known as encrypted key exchange protocols [1] using the password which can resist the dictionary attack. From then on, lots of password authenticated key exchange (PAKE) protocols have been proposed [2,3,4,5,6]. In recent years, PAKE protocols based on RSA have been investigated. Nevertheless, some of them have been pointed out insecure against a special type of dictionary attack, called eresidue attack [7,8]. In 1999, SNAPI protocol [10] which is based on RSA was presented. But SNAPI protocol requires the RSA public key e is an odd prime which is greater than RSA modular n so that it can be resistant to e-residue attack. Later, Zhang proposed PEKEP and CEKEP protocols [9] which avoid a public key e of a large prime in SNAPI protocol. To resist the e-residue attack, J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 168–182, 2009. c Springer-Verlag Berlin Heidelberg 2009
Password Authenticated Key Exchange Based on RSA
169
PEKEP protocol needs multiple RSA encryptions, so it’s inefficient. Because of low efficiency of PEKEP protocol, Sangjoon Park et al. presented another RSA-PAKE protocol [11] in 2007. It can resist the e-residue attack based on number-theoretic techniques and is more efficient than PEKEP protocol. But all above protocols aim at the two-party settings. Due to the practical aspects, PAKE protocols in the three-party model have been become the subject of extensive work in recent years. In a three-party PAKE protocol two clients A, B and a server S participate. A, B can authenticate each other and establish a session key which is known to nobody but both of them with the help of the trusted server S. There have been a great deal of the threeparty PAKE protocols based on Diffie-Hellman key exchange [16,17,18] to be presented. In this paper, we design a RSA-based PAKE protocol based on RSA-EPAKE protocol [11] that was proposed by Sangjoon Park et al. in 2007. Sangjoon’s protocol is applied only in two party settings, and it can’t work when two clients hold different passwords. Our new protocol works in the three-party settings, called 3PAKE-RSA protocol. In 3PAKE-RSA protocol, all RSA public/private keys are selected by clients but not distributed by a certificate authentication center so that both its security and efficiency are advanced. Like RSA-EPAKE, 3PAKE-RSA protocol uses the public key e, where e = 2H(n, s) + 1 for some s. By the Prime Number Theorem [19], it is not difficult to find such an s. But the probability of gcd (e, φ (n)) = 1 is negligible. That is, 3PAKE-RSA protocol can resist the e-residue attack. Like many previous three-party protocols, we also assume that the server is honest but curious. Under this assumption the new protocol can guarantee that the session key is private to the server. Moreover, we provide the formal security proof of 3PAKE-RSA protocol in the random oracle model. In fact, in [12] Sangjoon Park et al. proposed a generic construction which can extend any two-party protocol into a three-party one conveniently. However, it is easy to see the three-party protocol we designed is more efficient than the one got by using the generic construction. The rest of the paper is organized as follows. In Section 2, we review the formal secure model for password authenticated key exchange protocols. In Section 3, we present 3PAKE-RSA protocol and investigate its security against e-residue attacks. In Section 4, we show that the new protocol is provably secure under the RSA assumption in the random oracle model. We conclude in Section 5.
2
Security Model
This section briefly reviews the formal security model for three-party PAKE protocols introduced in [12]. We will prove security of our protocol in this model. The adversary’s capabilities are modeled through queries. We refer the reader to [12] for more details. Protocol Players. The distributed system we consider is made up of two disjoint sets : S, the set of trusted servers; U, the set of clients. As in [12], we also
170
E. Dongna, Q. Cheng, and C. Ma
assume S to contain only a single trusted server S. Let ΠUi denote the instance i of a participant U . Password. Each participant U ∈ U holds a password wU drawn from a small password space D. The server S holds a vector wS = wU U ∈U with an entry for each client. Queries. The interaction between an adversary A and the protocol players occurs only via oracle queries, which model the adversary capabilities in a real attack. i1 i2 – Execute(ΠA , S j , ΠB ): This query carries out an honest execution between i1 i2 two instances ΠA and ΠB and models passive attacks, where A, B ∈ U are two honest clients. At the end of the execution, a transcript is given to the adversary, which logs everything an adversary could see during the execution. – SendClient(U, i, M ): This query models an active attack against a client. Instance ΠUi executes as specified by the protocol and sends back its response to the adversary. – SendServer(S, j, M ): This query models an active attack against a server. It outputs the message that server instance S j would generate upon receipt of message M. i – Reveal(ΠUi ): The session key skU of ΠUi is given to the adversary. i i – T est(ΠU ): The instance ΠU generates a random bit b and outputs its session i key skU to the adversary if b = 1, or else a random session key if b = 0. This query is allowed only once, at any time during the adversary’s execution. – Oracle(M ): This gives the adversary oracle access to a function h, which is selected at random from some probability space.
We give the main definitions in the following. The definition approach of partnering uses the notion of session identifications (sid), which in our case is the concatenation of all the messages of the conversation between the clients and the server before the acceptance. j i Definition 1. Two instances ΠA and ΠB are said to be partners if the following conditions are met:
-
j i Both ΠA and ΠB accept; j i Both ΠA and ΠB share the same sid; j i The partner identification for ΠA is ΠB and vice versa; j i No instance other than ΠA (ΠB ) accepts with a partner identification equal j i to ΠB (ΠA ).
The instance which will be called T est query must be fresh so that the adversary’s capabilities for guessing the session keys in the secure model are the same with in the real attack.
Password Authenticated Key Exchange Based on RSA
171
i Definition 2. We say that ΠA is fresh if:
- It has accepted; i - A Reveal query has not been called either on ΠA or on its partner. Let Succ denote the event that A asks a single Test query on a fresh instance, outputs a bit b , and b = b, where b is the bit selected during the Test query. Definition 3. The advantage of the adversary A is defined as Adv P AKE (A) = 2 Pr (Succ) − 1 The advantage function of the protocol P is defined as AdvPP AKE (t, R) = max Adv P AKE (A) where maximum is over all A with time-complexity at most t and using resources at most R (such as the number of oracle queries). We have the following definition of secure PAKE protocol, which is the same as in [14]. Definition 4. A protocol P is called a secure 3-party PAKE protocol if for every polynomial-time adversary A that makes at most Qsend , Qsend ≤ |D|, queries of Send type to different instances, the following inequality holds, AdvPP AKE (t, R) ≤ Qsend /|D| + ε, where |D| denotes the size of the password space and ε is a negligible function of security parameters.
3
The 3PAKE-RSA Protocol
In this section, we present an efficient three-party PAKE protocol based on RSA, which is simply called 3PAKE-RSA protocol. Let D be a password space. Clients Alice and Bob share the passwords wA , wB with the server S respectively. During the initialization phase, clients generate ∗ k −1 the RSA pair (n, e). Define hash functions, H : {0, 1} → {0, 1} 1 , H0 : ∗ ∗ k {0, 1} → Zn , H1 , H2 , H3 : {0, 1} → {0, 1} 2 where k1 , k2 and l are security parameters and n is an RSA modulus of bit l. We assume that H, H1 , H2 , H3 , H0 are independent random functions. The protocol proceeds as follows (see Fig. 1 in Appendix C): 1. Client A generates the RSA public key n = pq ∈ 2l−1 , 2l , finds s such that e = 2H (n, s) + 1 is a k1 -bit prime, and gcd (e, φ (n)) = 1. Then A sends (n, s) to the server S. 2. Client B generates the RSA public key n = p q ∈ 2l−1 , 2l , finds s such that e = 2H (n , s ) + 1 is a k1 -bit prime, and gcd (e , φ (n )) = 1. Then B sends (n , s ) to the server S. 3. The server S chooses two random numbers r1 , r2 ∈R Zn∗ and computes αA = H0 (wA , A, B, s, n, s , n ), αB = H0 (wB , A, B, s, n, s , n ), e = 2H (n, s) + 1, e = 2H (n , s ) + 1, r1∗ = αA · r1e mod n and r2∗ = αB · r2e mod n . Then S sends (r1∗ , n , s ) to A, and sends (r2∗ , n, s) to B.
172
E. Dongna, Q. Cheng, and C. Ma
4. A chooses two random numbers a1 , a2 ∈R Zn∗ and obtains r1 by decrypting r1∗ . Then A computes e = 2H (n , s ) + 1, αA = H0 (wA , A, B, s, n, s , n ), AuthA = H1 (r1 , A, B, s, n, s , n , c1 , c1 ), c1 = ae1 mod n and c1 = αA · a2 . At last, A sends (AuthA , c1 , c1 ) to S. 5. B chooses two random numbers b1 , b2 ∈R Zn∗ and obtains r2 by decrypting r2∗ . Then B computes e = 2H (n, s) + 1, αB = H0 (wB , A, B, s, n, s , n ), AuthB = H1 (r2 , B, A, s , n , s, n, c2 , c2 ), c2 = be1 mod n and c2 = αB · b2 . At last, B sends (AuthB , c2 , c2 ) to S. 6. The server S verifies AuthA , AuthB . If either of them doesn’t hold, S rejects. Otherwise, S obtains a2 , b2 by decrypting c1 , c2 . Then S computes AuthA = H2 (r1 , a2 , A, B, s, n, s , n , c2 ), AuthB = H2 (r2 , b2 , B, A, s , n , s, n, c1 ) and sends (AuthA , c2 ), (AuthB , c1 ) to A and B respectively. 7. After receiving (AuthA , c2 ), A checks the value of AuthA , if incorrect, A rejects. Otherwise, A accepts and computes sk = H3 (a1 , b1 , A, B, s, n, s , n ). 8. After receiving (AuthB , c1 ), B checks the value of AuthB , if incorrect, B rejects. Otherwise, B accepts and computes sk = H3 (a1 , b1 , A, B, s, n, s , n ). In RSA-based PAKE protocols, security against the e-th residue attack [8] has to be considered. In the e-th residue attack, we assume that an adversary can prepensely choose (n, e) with e |φ (n) , i.e., (n, e) is not a valid RSA public key. Next, the adversary selects a candidate password wi drawn from D and computes r1 = α−1 · r1∗ mod n, where r1∗ was received from the server and α = H0 (wi , A, B, s, n, s , n ). If wi is the correct password, then r1 always has an e-th residue on modulo n. Otherwise, there is some possibility that r1 has no e-th residue on modulo n. If r1 has no e-th residue, then wi is not the valid password. Since the adversary A generates n and knows φ (n), A can determine whether r1 has an e-th residue or not. Thus, the adversary A can filter out invalid passwords from the password space D. Throughout several protocols; he can reduce the number of candidate passwords and, finally, can be able to determine only one real password wA . On the contrary, if gcd (e, φ (n)) = 1, then r1 always has an e-th residue regardless of the correctness of the guessed password wi . In this case, the adversary is unable to distinguish between the correct password wA and an invalid password wi . To avoid such an e-th residue attack, we adopt the approach of [11] and use an RSA public key (n, e), where e = 2H (n, s) + 1 is a k1 -bit prime for some s. Since the probability of gcd (e, φ (n)) = 1 is negligible, our protocol is secure against e-th residue attacks. The concrete proof is described in [11].
4
Security Proof
In this section, we prove the security of 3PAKE-RSA protocol within the formal model of security given in Section 2. In this model, a hash function outputs a random number for each new query. If the same query is asked twice, identical answers are returned by the oracle. In our analysis, we also assume the intractability of the RSA Problem.
Password Authenticated Key Exchange Based on RSA
173
RSA Assumption [11]. Let l be the security parameter of RSA. Let key generator GE define a family of RSA functions, i.e., (e, d, n) ← GE 1l , where n is the product of two primes of the same size, gcd (e, φ (n)) = 1, and ed ≡ 1 mod φ (n). For any probabilistic polynomial-time algorithm C in running time t, the following probability e x = e mod n : (e, d, n) ← GE 1l , rsa AdvC (t) = Pr c ∈R {0, 1}l , x ← C 1l , c, e, n rsa is negligible. In the following, we use Adv rsa (t) to denote maxC {AdvC (t)}, where the maximum is taken over all polynomial-time algorithms of running time t. Under the above assumptions, we have the following Theorem 1.
Theorem 1. Let A be an adversary which runs in time t and makes Qsend , Qsend ≤ |D|, queries of type Send to different instances. Then the adversary’s advantage in attacking the protocol 3PAKE-RSA is bounded by Adv (A, P0 ) ≤
3Qsend |D|
+ 2Qexecute (Adv rsa (O (t)) + Qoh /φ (n))
1 +2Qsend max |D| , Adv rsa (t) + 5Q2send k2
where Qexecute denotes the number of queries of type Execute, Qoh denotes the number of random oracle calls. Proof. We prove Theorem 1 using similar techniques as described in [14,15]. We define a series of hybrid experiments. In each experiment, we modify the way session keys chosen for instances involved in protocol execution. We start by choosing random session keys for instances for which the Execute oracle is called. Then we continue to choose random session keys for instances for which the Send oracle is called. These instances are gradually changed over five hybrid experiments and in the last experiment, all the session keys are selected uniformly at random. Thus, the adversary A can not distinguish them from random numbers. We denote these hybrid experiments by P0 , P1 , ..., P4 and by Adv (A, Pi ) the advantage of A when participating in experiment Pi . Experiment P0 . This describes the real adversary attack. During the attack, the adversary A makes a number of oracle calls (Send, Execute, Reveal, and T est) as specified in section 2. In addition, the adversary A has access to five independent random oracles ∗
k1 −1
H : {0, 1} → {0, 1}
∗
∗
, H0 : {0, 1} → Zn , H1 , H2 , H3 : {0, 1} → {0, 1}
k2
.
Each random oracle Hi (or H) maintains a list of input-output pairs (x0 , y0 ), (x1 , y1 ) · · · . On a new input x, Hi (or H) checks if x was queried before. If there exists xi in the list such that x = xi , then the random oracle returns the corresponding yi as its reply. If x is not in the list, the random oracle chooses a
174
E. Dongna, Q. Cheng, and C. Ma
random number y, returns y as its reply and adds the pair (x, y) to its list. It is clear that Adv (A) = Adv (A, P0 ). Experiment P1 . In this experiment, the Execute oracle is modified so that the session keys of instances for which Execute is called are selected uniformly at i1 i2 random, that is, if the oracle Execute(ΠA , S j , ΠB ) is called, then the session k j i keys skA , skB are set equal to a random number selected from {0, 1} , rather than the output of the random oracle H3 . The following lemma shows that modifying the Execute oracle in this way affects the advantage of A by a negligible value. Lemma 1. For every polynomial-time adversary A making Qexecute oracle calls of type Execute, |Adv (A, P1 ) − Adv (A, P0 )| ≤ 2Qexecute (Adv rsa (O (t)) + Qoh /φ (n)) where Qoh denotes the number of random oracle calls and t is the running time of A. The detailed proof of Lemma 1 is given in Appendix A. At this point, the Execute oracle queries are not of too much help to the adversary A. We now go on showing that the Send oracle calls only provide negligible advantage to A. There are five kinds of Send oracles in the protocol 3PAKE-RSA: i – SendA,0 : the instance ΠA selects a pair of RSA public/private key e, d, n, where e = 2H (n, s) + 1, ed = 1 mod φ (n) and returns s, n, A, S, B to the adversary A. j – SendB,0 : the instance ΠB selects a pair of RSA public/private key e , d , n , where e = 2H (n , s ) + 1, e d = 1 mod φ (n ) and returns s , n , B, S, A to the adversary A. – SendS,1 : The server S queries the random oracle H0 on (wA , A, B, s, n, s , n ) and (wB , A, B, s, n, s , n ) and receives the reply αA and αB . Then S selects two random numbers r1 , r2 ∈R Zn∗ and computes e = 2H (n, s) + 1, e = 2H (n , s ) + 1, r1∗ = αA · r1e mod n, r2∗ = αB · r2e mod n . S returns (r1∗ , n , s ) and (r2∗ , n, s) to the adversary A. i – SendA,2 (r1∗ , n , s ): ΠA computes e = 2H (n , s ) + 1, queries the random i oracle H0 on (wA , A, B, s, n, s , n ) and receives the reply αA . ΠA sets r1 −1 ∗ d i equal to αA · r1 mod n, where ed ≡ 1 mod φ (n). Then ΠA selects two random numbers a1 , a2 ∈R Zn∗ and computes c1 = ae1 mod n , c1 = αA · a2 . i Next ΠA queries the random oracle H1 on input (r1 , A, B, s, n, s , n , c1 , c1 ) and returns the reply (denoted AuthA ) of H1 and c1 , c1 to the adversary A. j – SendB,2 (r2∗ , n, s): ΠB computes e = 2H (n, s) + 1, queries the random oracle j H0 on (wB , A, B, s, n, s , n ) and receives the reply αB . ΠB sets r2 equal −1 ∗ d j to αB · r2 mod n , where e d ≡ 1 mod φ (n ). Then ΠB selects two random numbers b1 , b2 ∈R Zn∗ and computes c2 = be1 mod n, c2 = αB · b2 . j Next ΠB queries the random oracle H1 on input (r2 , B, A, s , n , s, n, c2 , c2 ) and returns the reply (denoted AuthB ) of H1 and c2 , c2 to the adversary A.
Password Authenticated Key Exchange Based on RSA
175
– SendS,3 (AuthA , c1 , c1 , AuthB , c2 , c2 ): S retrieves n, e, n , e , r1 , r2 from its internal state, and checks AuthA and AuthB . If both of them are correct, S gets a2 , b2 by decrypting c1 , c2 . Next, S queries the random oracle H2 on (r1 , a2 , A, B, s, n, s , n , c2 )((r2 , b2 , A, B, s , n , s, n, c1 )) and receives the reply AuthB (AuthA ). Last, S returns (AuthA , c2 ) and (AuthB , c1 ) to the adversary. i – SendA,4 (AuthA , c2 ): ΠA retrieves n, e, r1 , a1 , a2 from its internal state, and i verifies AuthA . If it is not correct, then ΠA returns a Reject notice to the i adversary A. Otherwise, ΠA accepts and no message is returned to the adveri sary. In the case of acceptance, ΠA obtains b1 by decrypting c2 and computes the session key sk = H3 (a1 , b1 , A, B, s, n, s , n ). j – SendB,4 (AuthB , c1 ): ΠB retrieves n , e , r2 , b1 , b2 from its internal state, and j verifies AuthB . If it is not correct, then ΠB returns a Reject notice to the j adversary A. Otherwise, ΠB accepts and no message is returned to the adj versary. In the case of acceptance, ΠB obtains a1 by decrypting c1 and computes the session key sk = H3 (a1 , b1 , A, B, s, n, s , n ). Due to the symmetry of 3PAKE-RSA protocol, we only consider the interaction between client A and the server S. A message is said to have been oracle-generated if it was output by an instance; otherwise, it is said to have been adversarially-generated. A message generated i i by ΠA is said to have been ΠA -oracle- generated. i Experiment P2 . In this experiment, we consider an instance ΠA that receives a i,j ∗ ΠS -oracle-generated message (r1 , n , s ) in a SendA,2 oracle call. If this occurs, i i then we modify the experiment as follows: If ΠA accepts, then ΠA receives a random session key. We now show that the advantage of A in P2 is close to its advantage in P1 .
Lemma 2. For every polynomial-time adversary A making Qsend oracle calls of type Send to different instances, 1 1 |Adv (A, P2 ) − Adv (A, P1 )| ≤ + Qsend |D| 2k2 where |D| is the size of the password space. i Proof. Assume that ΠA returns (AuthA , c1 , c1 ) to the adversary after receivi,j ing a ΠS -oracle-generated message (r1∗ , n , s ) in a SendA,2 oracle call, where ∗ d r1 = α−1 mod n, a1 , a2 ∈R Zn∗ , c1 = ae1 mod n , c1 = αA · a2 , AuthA = A · r1 H1 (r1 , A, B, s, n, s , n , c1 , c1 ). i Since the RSA public key (n, e) was generated by ΠA , not by A, the private key d is not known to A as well as the password of client A. So, except 1 i for a probability as small as |D| + 2k12 , when πA accepts, the message (AuthA , c2 )
176
E. Dongna, Q. Cheng, and C. Ma
i that ΠA has received in a SendA,4 oracle is ΠSi,j -oracle-generated. In the case of i acceptance, ΠA computes the session key sk = H3 (a1 , b1 , A, B, s, n, s , n ). Since A makes Qsend oracle calls of type Send to different instances, the advantage of the adversary A in distinguishing between P2 and P1 is upper
1 bounded by |D| + 2k12 Qsend .
Experiment P3 . In this experiment, we consider an instance ΠSi,j receives a i ΠA -oracle-generated message (AuthA , c1 , c1 ) in a SendS,3 oracle call, while the i instance ΠA has received a ΠSi,j -oracle-generated message in a SendA,2 oracle call. i In this case, if the instance ΠA accepts and its session key was not replaced by a random session key in experiment P2 , it is given the random session key k sk ∈R {0, 1} . It is clear that the advantage of A in P3 is the same as its advantage in P2 . Lemma 3. For every polynomial-time adversary A making Qsend oracle calls of type Send to different instances, Adv (A, P3 ) = Adv (A, P2 ) i If an instance ΠSi,j receives a ΠA -oracle-generated message (AuthA , c1 , c1 ) in i a SendS,3 oracle call but the message (r1∗ , n , s ) received by ΠA in a SendA,2 i,j oracle call was not generated by ΠS , we treat the message (AuthA , c1 , c1 ) as adversarially-generated. i Experiment P4 . In this experiment, we consider an instance ΠSi,j (or ΠA ) that receives an adversarially-generated message in a SendS,3 (or SendA,2 ) oracle call. j i In this case, if ΠB (or ΠA ) accepts, then the experiment is halted and we say the adversary have succeeded.
Lemma 4. For every polynomial-time adversary A making Qsend oracle calls of type Send to different instances, Adv (A, P3 ) ≤ Adv (A, P4 ) At this point, all accepted instances that receive Execute or Send oracle calls are given random session keys. We next proceed to bound the adversary’s success probability in P4 . Lemma 5. For every polynomial-time adversary A making Qsend oracle calls of type Send to different instances, Qsend ≤ |D|,
Password Authenticated Key Exchange Based on RSA
Qsend Adv (A, P4 ) = 2 Pr [Succ]−1 ≤ 4 k2 +2Qsend max 2
177
1 Qsend rsa , Adv (t) +2 |D| |D|
The detailed proof of Lemma 5 is given in Appendix B. By combining Lemmas 1 to 5, we have the following bound for A’s advantage in the real attack, Adv (A, P0 ) ≤
3Qsend |D|
+ 2Qexecute (Adv rsa (O (t)) + Qoh /φ (n))
1 +2Qsend max |D| , Adv rsa (t) + 5Q2send k2
This completes the proof of Theorem 1. Key Privacy with Respect to the Server. We consider the key privacy for the server, the idea that the session key shared between two instances should only be known to these two instances and nobody else, including the trusted server. The goal is to limit the amount of trust put into the server. That is, although we rely on the server to help clients establish session keys between themselves, we still want to guarantee the server can’t compute these session keys. In fact, this is the main difference between a key distribution protocol (in which the session key is known to the server) and a 3-party key exchange protocol (for which the session key remains unknown to the server). We have in mind a server which knows the passwords for all users, but that behaves in an honest but curious manner. In our protocol, the server can’t de crypt the ae1 and be1 since the server doesn’t know the private keys of two clients Alice and Bob. In other words, the server can’t compute the session key unless it can break the RSA assumption.
5
Conclusion
In this paper, we present a new three-party PAKE protocol based on RSA with the assistance of the trusted server, called 3PAKE-RSA protocol. To the best of our knowledge, it is the first try to give a concrete PAKE protocol based on RSA in the three-party settings. Our 3PAKE-RSA protocol is secure and efficient because it applies the public-key cryptographic techniques without the help of certificate authentication center. We show that the 3PAKERSA protocol is secure against e-residue attacks, which many previous PAKE protocols based on RSA can’t resist. We also provide a formal security proof of 3PAKE-RSA protocol under the RSA assumption and the random oracle model.
Acknowledgment This work was supported in part by the National High Technology Research and Development Program of China (No. 2007AA01Z431), the China Postdoctoral
178
E. Dongna, Q. Cheng, and C. Ma
Science Foundation Project (No. 20080441323) and the Key Scientific and Technological Project of Henan Province (No. 092101210500). The authors would like to thank the anonymous referees for their helpful comments.
References 1. Bellovin, M., Merritt, M.: Encrypted key exchange: Password-based protocols secure against dictionary attacks. In: IEEE Symposium on Security and Privacy Oakland, California, USA, pp. 72–84 (1992) 2. Bellovin, M., Merritt, M.: Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise. In: Proc. of the 1st ACM Conference on Computer and Communications Security, pp. 244–250. ACM, New York (1993) 3. Jablon, D.: Extended password key exchange protocols immune to dictionary attacks. In: Proc.of WET-ICE 1997, pp. 248–255 (1997) 4. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994) 5. Halevi, S., Krawczyk, H.: Public-key cryptography and password protocols. ACM Transactions on Information and System Security 2(3), 230–268 (1999) 6. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attack. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000) 7. MacKenzie, P., Patel, S., Swaminathan, R.: Password-authenticated key exchange based on RSA. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 599–613. Springer, Heidelberg (2000) 8. Patel, S.: Number theoretic attacks on secure password schemes. In: Proc. IEEE Symposium on Security and Privacy, Oakland, California, May 5–7 (1997) 9. MuXiang, Z.: New approaches to password authenticated key exchange based on RSA. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 230–244. Springer, Heidelberg (2004) 10. MacKenzie, P., Swaminathany, R.: Secure network authentication with password identification. Submission to IEEE P1363a (1999) 11. Sangjoon, P., Junghyun, N., Seungjoo, K., Dongho, W.: Efficient passwordauthenticated key exchange based on RSA. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 309–323. Springer, Heidelberg (2006) 12. Abdalla, M., Fouque, P., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. IEE Proc.-Inf. Secur. 153(1), 27–39 (2006) 13. Bellare, M., Rogaway, P.: Provably secure session key distribution in the three party case. In: 28th Annual ACM Symposium on Theory of Computing, pp. 57–66 (1996) 14. Gennaro, R., Lindell, Y.: A framework for password-based authenticated key exchange. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 524–542. Springer, Heidelberg (2003) 15. Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001)
Password Authenticated Key Exchange Based on RSA
179
16. ShuHua, W., YueFei, Z.: Three-party password-based authenticated key exchange with forward-security. Chinese Journal of Computers 30(10), 1833–1841 (2007) 17. Byun, J.W., Jeong, I.R., Lee, D.H., Park, C.S.: Password-authenticated key exchange between clients with different passwords. In: Deng, R.H., Qing, S., Bao, F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 134–146. Springer, Heidelberg (2002) 18. Lin, C.L., Sun, H.M., Hwang, T.: Three-party encrypted key exchange: attacks and a solution. ACM SIGOPS Operating Systems Review 34(4), 12–20 (2000) 19. Shoup, V.: A computational introduction to number theory and algebra. Cambridge University Press, Cambridge (2005)
A
Proof of Lemma 1
Proof. We prove this lemma by showing how any advantage that A has in distinguishing P1 from P0 can be used to break RSA. In experiment P0 , the session j j i i key skA (skB ) of ΠA (ΠB ) is the output of the random oracle H3 on the input (a1 , b1 , A, B, s, n, s , n ). If the adversary doesn’t know a1 , b1 , she can’t distink guish the output of H3 from a random number uniformly selected from {0, 1} . Hence, the adversary A can distinguish P1 and P0 if and only if A can recover the integer a1 , b1 . Let pa denote the probability that A recovers the integer a1 . Let pb denote the probability that A recovers the integer b1 . Because of the symmetry of our protocol, We only consider the interaction i between the server S and the instance skA . Through the following two games, we compute pa . Game G1 . The adversary A carries out an honest execution between the inj i stances ΠA , ΠB and S as the protocol description. The game ends and the adversary A outputs her guess of the integer a1 . j i Game G2 . This game is similar to game G1 except that ΠA and ΠB do not query random oracles H1 and H2 . We modify Step 3,3 ,4,5,5 as follows: i (iii) ΠA selects two random numbers a1 , a2 ∈R Zn∗ and obtains r1 by de∗ i crypting r1 = αA · r1e mod n. Then ΠA computes e = 2H (n , s ) + 1, αA = e i H0 (wA , A, B, s, n, s , n ), c1 = a1 mod n , c1 = αA · a2 . Finally, ΠA selects a k random number μA ∈R {0, 1} and sends μA , c1 , c1 to S. j (iii ) ΠB chooses two random numbers b1 , b2 ∈R Zn∗ and obtains r2 by de j ∗ crypting r2 = αB · r2e mod n. Then ΠB computes e = 2H (n, s) + 1, αB = j e H0 (wB , A, B, s, n, s , n ), c2 = b1 mod n, c2 = αB · b2 . Finally, ΠB selects a k random number μB ∈R {0, 1} and sends μB , c2 , c2 to S. (iv) After receiving μA , c1 , c1 , μB , c1 , c1 , S selects two random numbers ηA , ηB j i ∈R {0, 1}k and sends out ηA , c2 to ΠA , sends out ηB , c1 to ΠB .
180
E. Dongna, Q. Cheng, and C. Ma
j i (v,v )After receiving ηA , ηB , both ΠA and ΠB accept. The game ends here and the adversary outputs her guess of the integer a1 .
Let pa (G1 ) denote the probability that A makes a correct guess of a1 in game G1 . Likewise, let pa (G2 ) denote the probability that A makes a correct guess of a1 in game G2 . It is clear that pa = pa (G1 ). In game G1 , A selects a random number x ∈R Zn∗ as her guess on a1 . She can verify whether x is correct or not by comparing AuthA (or AuthB ) with the reply of the random oracle H1 on ( r1 , A, B, s, n, s , n , xe , c1 )(or H2 on ( r2 , b2 , B, A, s , n , s, n, xe )). Let AskH1,2 denote the event that A queries random oracle H1 on (r1 , A, B, s, n, s , n , xe , c1 ) or H2 on (r2 , b2 , B, A, s , n , s, n, xe ). Then, we have pa (G1 ) = pa (G1 |AskH1,2 ) Pr (AskH1,2 ) + pa (G1 |¬AskH1,2 ) Pr (¬AskH1,2 ) ≤ Pr (AskH1,2 ) + pa (G1 |¬AskH1,2 ) If the event AskH1,2 didn’t occur, then AuthA and AuthB are indistinguishable k from random numbers selected from {0, 1} . Thus, pa (G1 |¬AskH1,2 ) = pa (G2 ) Let Qoh denote the number of random oracle calls to H1 and H2 by A. Then, Pr (AskH1,2 ) = Qoh /φ (n) pa = pa (G1 ) ≤ pa (G2 ) + Qoh /φ (n) In the following, we show that pa ≤ Adv rsa (O (t)). Given RSA public key (n, e) and integer c1 ∈R Zn , we construct an efficient algorithm C to decrypt c1 as follows: algorithm C runs the adversary A exactly i as in game G2 except that, in step (iii)(iv), ΠA selects the random number c1 . Algorithm C returns the output of A in game G2 . If A’output (denoted by x) in game G2 is correct, then x is the decryption of c1 . Hence, rsa
pa (G2 ) = AdvC (O (t)) ≤ Adv rsa (O (t)) , pa = Adv rsa (O (t)) + Qoh /φ (n) Similarly, we have pb = Adv rsa (O (t)) + Qoh /φ (n)
Password Authenticated Key Exchange Based on RSA
181
Assume that A makes Qexecute oracle calls of type Execute in the hybrid experiment P1 , then |Adv (A, P1 ) − Adv (A, P0 )| ≤ 2Qexecute (Adv rsa (O (t)) + Qoh /φ (n))
B
Proof of Lemma 5
Proof. Let QsendA,2 and QsendS,3 denote the number of SendA,2 and SendS,3 oracle calls made by the adversary in experiment P4 , respectively. We consider the following four cases: Case 1: Consider an instance ΠSi,j receives an adversarially-generated message (AuthA , c1 , c1 ) in a SendS,3 oracle. Assume that ΠSi,j returns (r1∗ , n , s ) in a SendS,1 oracle. To succeed in this case, the adversary A must generate a number AuthA which is equal to the output of the random oracle H1 on (r1 , A, B, s, n, s , n , c1 , c1 ) and a number AuthB which is equal to the output of the random oracle H2 on (r2 , b2 , B, A, s , n , s, n, c1 ). The probability for the adversary A to obtain r1 is 1 1 just max |D| , Adv rsa (t) ; while the probability for A to obtain b2 is |D| . The adversary’s success probability in this case is bounded by QsendS,3 1 Pr (Succ in Case1) ≤ QsendS,3 · max , Adv rsa (t) + |D| 2k2
i Case 2: Consider an instance ΠA receives an adversarially-generated message ∗ (r1 , n , s ) in a SendA,2 oracle. i The instance ΠA computes AuthA , c1 , c1 and returns them to the adversary. To succeed in this case, A must send back a number AuthA which is equal to the output of the random oracle H2 on (r1 , a2 , A, B, s, n, s , n , c2 ). Without knowledge of a2 , the probability for A to generate AuthA is just 2−k2 . The 1 probability that A recovers the integer a2 is just |D| . Hence, the adversary’s success probability in Case 2 is bounded by
Pr (Succ in Case2) ≤ Since Qsend ≤ |D|, we have
Qsend |D|
QsendA,2 QsendA,2 + |D| 2k2
≤ 1. Therefore,
Adv (A, P4 ) = 2 Pr [Succ] − 1 ≤ ≤
4Qsend 2k2 Qsend 4 2k2
send (t) + 2 Q|D| −1 Qsend 1 rsa + 2Qsend max |D| , Adv (t) + 2 |D|
+ 2Qsend max
This completes the proof of Lemma 5.
1 , Adv rsa
|D|
182
E. Dongna, Q. Cheng, and C. Ma
C
The 3PAKE-RSA Protocol
Alice (A)
Server (S) Bob (B) : wA password : wB password Generate n = pq ∈ 2l−1 , 2l Generate n = p q ∈ 2l−1 , 2l F ind s such that F ind s such that k1 -bit prime k1 -bit prime e = 2H (n, s) + 1 e = 2H (n , s ) + 1 and gcd (e, φ (n)) = 1 and gcd (e , φ (n )) = 1 n, s, A, S, B n , s , B, S, A −−−−−−−−−−−−→ ←−−−−−−− −−−−− αA = H0 (wA , A, B, s, n, s , n ) αB = H0 (wB , A, B, s, n, s , n ) r1 , r2 ∈R Zn∗ ∗ r1 = αA · r1e mod n r2∗ = αB · r2e mod n r1∗ , n , s , A, S, B r2∗ , n, s, B, S, A ←−−−−−−−−−−−−−− −−−−−−−−−− −−−→ d = e mod φ (n) d = e−1 mod φ (n ) e = 2H (n, s) + 1 e = 2H (n , s ) + 1 αA = H0 (wA , A, B, s, n, s , n ) αB = H0 (wB , A, B, s, n, s , n ) AuthA = AuthB = H1 (r1 , A, B, s, n, s , n , c1 , c1 ) H1 (r2 , B, A, s , n , s, n, c2 , c2 ) ∗ a1 , a2 ∈R Zn b1 , b2 ∈R Zn∗ e c1 = a1 mod n c2 = be1 mod n c1 = αA · a2 c2 = αB · b2 c1 , c1 AuthA , A, B c2 , c2 , AuthB , B, A −−−−−−−−−−−−→ ←−−−−−−−−−−−−− Check AuthA , AuthB , if f ailed, return reject, else AuthA = H2 (r1 , a2 , A, B, s, n, s , n , c2 ) AuthB = H2 (r2 , b2 , B, A, s , n , s, n, c1 ) −1
B, AuthA , c2 A, AuthB , c1 ←−−−− −−−−−−−−− −−−−−−−−−−−−−→ Check the value of AuthA Check the value of AuthB f f ailed then reject, else f f ailed then reject, else sk = H3 (a1 , b1 , A, B, s, n, s , n ) sk = H3 (a1 , b1 , A, B, s, n, s , n )
Fig. 1. Our 3PAKE-RSA protocol
Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman Protocols Berkant Ustaoglu NTT Information Sharing Platform Laboratories
[email protected]
Abstract. Both the “eCK” model, by LaMacchia, Lauter and Mityagin, and the “CK01” model, by Canetti and Krawczyk, address the effect of leaking session specific ephemeral data on the security of key establishment schemes. The CK01-adversary is given a SessionStateReveal query to learn session-specific private data defined by the protocol specification, whereas the eCK-adversary is equipped with an EphemeralKeyReveal query to access all ephemeral private input required to carry session computations. SessionStateReveal cannot be issued against the test session; by contrast EphemeralKeyReveal can be used against the test session under certain conditions. On the other hand, it is not obvious how EphemeralKeyReveal compares to SessionStateReveal. Thus it is natural to ask which model is more useful and practically relevant. While formally the models are not comparable, we show that recent analyses utilizing SessionStateReveal and EphemeralKeyReveal have a similar approach to ephemeral data leakage. First we pinpoint the features that determine the approach. Then by examining common motives for ephemeral data leakage we conclude that the approach is meaningful, but does not take into account timing, which turns out to be critical for security. Lastly, for Diffie-Hellman protocols we argue that it is important to consider security when discrete logarithm values of the outgoing ephemeral public keys are leaked and offer a method to achieve security even if these values are exposed. Keywords: Key agreement protocols, leaking ephemeral secrets, postponed ephemeral key derivation, pseudo-static keys.
1
Introduction
Motivation. The extensive literature dedicated to analysis of key establishment security affirms its importance. The early approach where a designer argues that a specific protocol meets an ad-hoc list of security goals is rarely used today. Instead, analysis is carried out in models which aim to simulate the environment where the protocol is deployed. The security models evolved since they were first proposed by Bellare and Rogaway [3] and Blake-Wilson, Johnson and Menezes [6]. Faced with different J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 183–197, 2009. c Springer-Verlag Berlin Heidelberg 2009
184
B. Ustaoglu
models it is important to select the right model for strongest results. However, deciding which is the strongest model is in itself a non-trivial task. The Canetti and Krawczyk model [8], henceforth called “CK01”, and the model by LaMacchia, Lauter and Mityagin [13,14], henceforth referred to as “eCK”, are considered among the most advanced models. It is claimed that eCK captures a wider range of security attributes than CK01, without leaving out any CK01 implied properties. The claim has been under scrutiny and even argued against. Both eCK and CK01 security definitions are indistinguishability based. An adversary controlling all communications interacts with parties and has to identify if the response to a test session challenge is the test session key or a randomly chosen key. During the interaction the adversary is allowed to learn secret data held by parties. Subject to the condition that the test session key is not obtained via “trivial” means, a protocol is deemed secure if the adversary cannot decide significantly better than a random guess whether the challenge response is the test session key. Both eCK and CK01 address leakage of session specific ephemeral data in relation to protocol security. Their respective treatments of leakage is one of the major differences between the two models. On one hand the CK01-adversary is given a SessionStateReveal query to learn session specific private information which is defined in the protocol specifications. On the other hand the eCK-adversary is equipped with EphemeralKeyReveal query to access all ephemeral private input required to carry the session computations. The SessionStateReveal query cannot be issued against the test session; by contrast the EphemeralKeyReveal query can be used against the test session under certain conditions, suggesting that eCK is stronger than CK01. But the relative strengths of the queries are also important and may render any comparison inconclusive. There are vastly different views on the subject: [28,25] claim that EphemeralKeyReveal is no weaker than SessionStateReveal, whereas [10] argues that SessionStateReveal is stronger; §3.1 of the full version of [7] suggests that the queries are incomparable. Contributions. In this paper we focus on Diffie-Hellman protocols. We show that even though EphemeralKeyReveal as used by the NAXOS security argument in [14] and SessionStateReveal as used by the HMQV security argument in [12] return different values, their functions in terms of underlying treatment of ephemeral secret leakage are essentially the same. We clarify the sense in which they have the same approach and how they differ. By looking at common reasons for ephemeral secret leakage we argue that the approach is well motivated, but that both arguments fail to account for timing. The importance of timing is prompted by two attack examples which fit into the leakage reasons. By themselves the reasons are not convincing to choose the HMQV’s SessionStateReveal over the NAXOS’ EphemeralKeyReveal but we give a separate motivation to consider security when the value of discrete logarithm of the ephemeral public key is exposed. We propose a method to show security for Diffie-Hellman protocols even if these values are revealed to the adversary. Consequently, our use of EphemeralKeyReveal is no weaker than SessionStateReveal as used in Krawzcyk [12] and Canetti and Krawzcyk [8]. We exhibit a new protocol utiliz-
Comparing SessionStateReveal and EphemeralKeyReveal
185
ing the method, argue its security, and show it to be among the most efficient and practical Diffie-Hellman protocols. Outline. In §2 we put side by side CK01 and eCK to motivate our comparison. In §3 we identify how HMQV and NAXOS share the same approach to security. Common sources of leakage of ephemeral secret data, described in §4, are used to compare HMQV’s and NAXOS’ definitions, and highlight the importance of timing; the section also reasons why the HMQV approach is advantageous. The new protocol, its design principles, and its comparison with other related protocols are presented in §5. The discussion wrap-ups in §6. Notation. In the paper G is a multiplicative group of prime order q generated by g; G ∗ denotes the set of non-identity elements in G. Parties engaging in key ˆ B,. ˆ . . with static public keys A,B,. . . , respectively; agreement are denoted by A, ˆ A includes the party identifier as well as the static public key. Usually X and Y ˆ respectively. Uppercase letters are denote the ephemeral public keys of Aˆ and B, public, whereas lowercase letters are private or secret data; g is an exception. Furthermore the lowercase letter will typically refer to the discrete logarithm base g of the corresponding uppercase letter. For example A = g a , in which case ˆ a is the static private key of A.
2
CK01 and eCK Models
CK01 Outline. In the CK01 model [8] there are n probabilistic polynomial time Turing machines, each called a party, that run interactive procedures. A party Aˆ possesses a certificate that binds its static public keys to the party and ˆ B, ˆ Ψ, role) to create a separate can be activated via an action request Create(A, ˆ is another subroutine within the same party called a session. In the request B ˆ role party; Ψ is a string that is unique within Aˆ and identifies the session at A; ˆ B, ˆ Ψ, role), Aˆ verifies is either initiator or responder. Upon receiving Create(A, ˆ B, ˆ Ψ, role ) for some role not that no session was previously created with (A, ˆ B, ˆ Ψ, role), Aˆ is the owner and necessarily equal to role. For a session s = (A, ˆ is the peer of s; together Aˆ and B ˆ are partners or peers of s. Parties can be B activated via an incoming message to update an existing session s. The response to an activation is an outgoing message or an action request. Within its owner every session s has an associated session state that contains only protocol-defined session-specific information related to s, portions of which ˆ B, ˆ Ψ, κ), where are labeled secret. A session produces local output of the form (A, a null value κ indicates that an error occurred and the session is aborted ; non-null κ is labeled secret and called the session key. The session state of a session that produced local output is erased from the memory of the session owner. Let s be a session that is owned by Aˆ and that produced a session key κ; given action request Expire(s), Aˆ deletes κ from its memory and labels s expired. Sessions ˆ B, ˆ Ψu , role) and sv = (B, ˆ A, ˆ Ψv , role ) are matching if Ψu = Ψv . su = (A,
186
B. Ustaoglu
The CK01 adversary controls all communications. Parties submit outgoing responses to the adversary, who makes decisions about their delivery. The adversary presents parties with incoming messages and action requests, thereby controlling session creation.1 The adversary does not have immediate access to information labeled secret, however to capture information leakage the adversary is allowed the queries: – SessionStateReveal(s): The adversary obtains the information labeled secret in the state associated with s. A special note is appended to s and it produces no further output. – SessionKeyReveal(s): The adversary obtains the session key for a session s, provided that the session holds a session key. – Corrupt(party): The adversary takes complete control over the party identified via this query and learns all information that is currently in the party’s memory. Such party cannot be activated any more and is called corrupt. If not corrupt a party is named honest or uncorrupted. ˆ B, ˆ Ψ, ∗) if the adversary issues SessionStateReveal(s) For a session s = (A, ˆ before Expire(s), including the case in or SessionKeyReveal(s), or Corrupt(A) ˆ which A is corrupted before s is even created, then s is said to be locally exposed. If neither s nor its matching session are locally exposed, then s is fresh. The adversary’s goal is to distinguish a fresh session key from a random key: at any stage during its execution the adversary is allowed to make one special query Test(s), where s is a session that produced a session key, is unexpired and is fresh. With equal probability the response is either the session key held by s or a random key. Provided that s remains fresh throughout the adversary’s execution, a protocol is CK01-secure (see [8, Definition 4]) if: (i) when two uncorrupted parties complete matching sessions, they both output the same key; and (ii) the probability that the adversary’s guess is correct is no larger that 12 plus a negligible in the security parameter function. CK01 implications. In the remainder of the paper we only consider Diffieˆ exchange static public keys Hellman protocols, where two parties Aˆ and B ∗ A, B ∈ G , and ephemeral public keys X, Y ∈ G ∗ , and thereafter compute a session key; the key derivation may also include public information like the idenˆ be partners of a session st , and let sm be the tities of session peers. Let Aˆ and B t ∗ session matching to s . If s is different from st and sm , then SessionStateReveal captures the security implications on st when s∗ is exposed. Exposing s∗ could reveal s∗ ’s ephemeral private key to the adversary. But there are protocols that are secure even if the adversary obtains x and y used in st itself. Ideally, any subset of (x, a, y, b) that contains neither (x, a) nor (y, b) should not be sufficient to compute the session key. In the CK01 model the adversary is allowed to obtain at most the pair (a, b) after st and sm are expired. Krawczyk [12] considered a model, henceforth called CK01’, that addressed many CK01 shortcomings. LaMacchia, Lauter and Mityagin [14] via eCK, which we outline next, provided another alternative. 1
Note that the adversary selects Ψ .
Comparing SessionStateReveal and EphemeralKeyReveal
187
eCK Outline. As described in [14], in eCK there are n parties each having a static public-private key pair together with a certificate that binds the public key to that party. The certifying authority does not require parties to prove possession of static private keys, but verifies that each static public key belongs to G ∗ . The adversary M is a probabilistic Turing machine and can select identifiers for the parties, as well as register static public keys on behalf of adversary controlled parties. Parties that are not adversary controlled are called honest. An honest party Aˆ can be activated to execute an instance of the protocol called a session. Depending on the activation Aˆ is either a session initiator I or a responder R. Sessions are identified via the exchanged messages, the identities of the session peers, and the role of the session owner. For Diffie-Hellman protocols ˆ B, ˆ X, Y ). If it exists the matching an initiator Aˆ identifies a session via (I, A, ˆ ˆ ˆ session is identified via (R, B, A, X, Y ) and owned by a responder B. The eCK adversary M controls all communications. Parties submit outgoing messages to M, who makes decisions about their delivery and presents parties with incoming messages via Send(message), thereby controlling session activations. Leakage of private information is captured via the following queries: – EphemeralKeyReveal(s): M learns the ephemeral private input to the session s. – SessionKeyReveal(s): M learns the session key of the completed session s. – StaticKeyReveal(party): M learns the party’s static private key. A fresh session in eCK for two-pass Diffie-Hellman is given by: Definition 1 (fresh session). Let s be the session identifier of a completed ˆ who is also honest. Let s∗ be session, owned by an honest party Aˆ with peer B, the session identifier of the matching session of s, if it exists. Define s to be fresh if none of the following conditions hold: (i) M issues a SessionKeyReveal(s) query or a SessionKeyReveal(s∗) query (if s∗ exists); (ii) s∗ exists and M makes either of the following queries: ˆ and EphemeralKeyReveal(s), or • both StaticKeyReveal(A) ˆ • both StaticKeyReveal(B) and EphemeralKeyReveal(s∗); (iii) s∗ does not exist and M makes either of the following queries: ˆ and EphemeralKeyReveal(s), or • both StaticKeyReveal(A) ˆ • StaticKeyReveal(B). As in CK01, M is allowed one Test(st ) query and has to identify if the response is the session key of st or a random session key; st must remain fresh throughout the experiment. A key agreement protocol is eCK-secure if: (i) when two honest parties complete matching sessions, then, except with negligible probability, they both compute the same session key (or both output indication of protocol failure); and (ii) no polynomially bounded adversary M can distinguish the session key of a fresh session from a randomly chosen session key, with probability greater than 12 plus a negligible in the security parameter function.
188
B. Ustaoglu
The eCK notion of freshness appears to give more power to the adversary, however, a thorough comparison should take into account the relative strengths of EphemeralKeyReveal and SessionStateReveal. Notes on Comparison. Due to different session identifiers eCK and CK01 are formally incomparable in the sense that neither model can imply the other: in CK01 the identifier is set when the session is created, by contrast in eCK the session identifier is available only after the last message is delivered, see also [13, §2.2]. The CK01 approach has a drawback: how to implement Ψ in practice. Using concatenation of messages as CK01 session identifier requires caution – an exposed session cannot be activated so the effect of SessionStateReveal on the session identifier and consequently on the matching condition is not immediately clear; in that sense [12,7] lack details. Similar issues are present in eCK [14], in case the adversary does not deliver all messages. In CK01 SessionStateReveal must not reveal the static private keys; only ephemeral information can be exposed. But [13] argued that in some cases leaking ephemeral randomness also reveals the static key via weaknesses in the cryptographic primitives used by the protocol – in some signature schemes (such as DSA) learning randomness is equivalent to learning the signing key. Hence, in the signed Diffie-Hellman protocol, SessionStateReveal should not treat signatures as a black box. This motivates the statement [13, p.8]: We require that an ephemeral secret key of an AKE session should contain all session-specific information used by a party in the AKE session. That is, all computations done by a party must deterministically depend on that party’s ephemeral key, long-term secret key, and communication received from the other party. Note the following about the CK01 model [8, p.6]: An important point here is what information is included in the local state of a session; this is to be specified by each ke protocol. Empty states leak no information, so at the expense of weakening the model by specifying empty session states, as was done in [7], SessionStateReveal does not leak the static private keys via used primitives. The weakness of the signed Diffie-Hellman example given in [13] shows that it is important to comprehend the many facets of leaking ephemeral information if stronger assurances are desired. Protocols that first perform Diffie-Hellman computations with the static private keys are better placed to guard them in the event of leakage of sessionspecific ephemeral data. But even for such protocols and even if we distance from other aspects of the underlying models, it is crucial to fully understand the meaning, strength and use of SessionStateReveal and EphemeralKeyReveal queries. Before delving into the motivations for ephemeral leakage in order to compare the queries, we look at previous use and comparison of EphemeralKeyReveal and SessionStateReveal.
Comparing SessionStateReveal and EphemeralKeyReveal
3
189
Two Protocols
HMQV. Figure 1 presents HMQV [12], which is a hashed MQV [16] variant designed to achieve both MQV efficiency and have a formal security argument. Including the identities in the key derivation function H(·) is optional for HMQV. As discussed in [12, §7.4 Lemma 30] such a modification can improve HMQV’s security attributes but not violate them. Since the variant with the identities highlights details relevant to our discussion, we focus on it. ˆ a, A = g a A, s : x, X = g x σ = (Y B e )
x+da
X→ ←Y
ˆ b, B = g b B, s : y, Y = g y σ = (XAd )
y+eb
ˆ e = He (Y, A) ˆ d = He (X, B), ˆ ˆ κ = H(σ, A, B) Fig. 1. The HMQV key agreement protocol
ˆ B, ˆ X, Y ) is matching to s∗ = Following [12, §2] a session with identifier s = (A, ˆ ˆ ˆ may (B, A, Y, X). These identifiers do not carry role information so both Aˆ and B ˆ ˆ ˆ ˆ view themselves as initiators, in which case A computes κA = H(σ, A, B) and B ˆ ˆ computes κB = H(σ, B, A). As a result matching sessions may not compute the same session key2 . For consistency with eCK we use eCK-like identifiers, which indicate the role of session owner and matching sessions must have different roles; for security no sessions with the same owner and peer are allowed. The session state of HMQV contains the discrete logarithm of the outgoing ephemeral public key. That is the session state is the doubly underlined data in Figure 1 and can be obtained via a SessionStateReveal query. NAXOS. Depicted in Figure 2, NAXOS [14] is a Diffie-Hellman variant that, unlike its counterparts, computes the ephemeral public keys using the so called NAXOS trick. With the NAXOS trick Aˆ selects an ephemeral private key x ˜ and sets the ephemeral public key X = g He (˜x,a) . This is in contrast with the more common scenario where Aˆ selects a random x and sets X = g x . NAXOS satisfies the eCK security definition with fewer assumptions and simpler analysis than HMQV. However, the NAXOS trick plays a vital role in the security argument. The ephemeral private key is the private session input x ˜ used with the static private key a to compute the outgoing ephemeral public key X. As in HMQV, the doubly underlined values are the ephemeral private data that the adversary can access via an EphemeralKeyReveal query. 2
We emphasize that this observation does not represent an attack on the core HMQV protocol. The core protocol without identities in the key derivation function is symmetric and the session identifier and the matching conditions in [12, §2] suffice to ensure that matching sessions output the same session key.
190
B. Ustaoglu ˆ a, A = g a A, s:x ˜, X = g
ˆ b, B = g b B,
He (˜ x,a)
s : y˜, Y = g He (y˜,b) X→
σA = Y a σB = B He (˜x,a) σe = Y He (˜x,a)
←Y
σA = AHe (y˜,b) σB = X b σe = X He (y˜,b)
ˆ B) ˆ κ = H(σA , σB , σe , A, Fig. 2. The NAXOS key agreement protocol
Another Interpretation. Cremers [10] suggests that SessionStateReveal could leak the shared secrets – these are σA , σB and σe for NAXOS; and σ for HMQV. By substituting EphemeralKeyReveal with SessionStateReveal and devising a NAXOS attack, [10] concludes that SessionStateReveal is the stronger query. We recall the attack and extend it to HMQV3 ; [1] presents a closely related HMQV attack. In the following, boxed and dashed-boxed values are for NAXOS and HMQV, respectively. The initiator attack [10, §3.2] proceeds as follows: ˆ B) ˆ to A, ˆ who computes an outgoing ephemeral public key 1. M issues Send(A, X and creates a session s with initiator role. ˆ A) ˆ to B, ˆ who computes an outgoing ephemeral public key 2. M issues Send(B, Y and creates a session s∗ with initiator role. ˆ upon B’s ˆ activation 3. M issues Send(s∗ ,X) to B; ˆ (a) B computes ˆ e = He (Y, A), ˆ d = He (X, B), σ = X b , σ = AHe (˜y,b) , B
A
y+eb
σ = (XAd )
σe = X He (˜y,b) (b) M issues SessionStateReveal(s∗) and obtains σA ,σB ,σe
σ
∗
ˆ completes s = (I, B, ˆ A, ˆ Y, X) with the session key (c) B ˆ A) ˆ ˆ A) ˆ κ∗ = H(σB , σA , σe , B, κ∗ = H(σ, B, 4. M issues Send(s,Y ) to Aˆ who computes σA = Y a , σB = B He (˜x,a) , σe = Y He (˜x,a)
ˆ e = He (Y, A), ˆ d = He (X, B), e x+da σ = (Y B )
ˆ B, ˆ X, Y ) with the session key and completes s = (I, A, ˆ B) ˆ κ = H(σA , σB , σe , A,
ˆ B) ˆ κ = H(σ, A,
5. M issues Test(s) and can compute κ via the information obtained at Step 3b. 3
The attack mechanisms can also be applied to MQV.
Comparing SessionStateReveal and EphemeralKeyReveal
191
In [10] it is argued that the attack mechanism is applicable to other protocols and other models provided that SessionStateReveal query is allowed; see also [1]. Naturally one can ask if there is a contradiction given that HMQV was shown secure utilizing SessionStateReveal. In relation to reflection attacks, [12, §6.3] proposes modifying d and e to identify roles, incidentally preventing the HMQV attack, but the security argument remains invalid as it is crucial for the simulation to keep σ secret from the adversary. In [10] SessionStateReveal is supposed to return “the full internal state of the Turing machine executing the protocol”. Condition 3 in [10, Definition 3] appears to imply that the adversary can learn the shared secret computed in the test session, but the paragraph following the definition clarifies that SessionStateReveal cannot be issued against fresh4 sessions in case the response trivially reveals the session key. However, if SessionStateReveal is not allowed against the test session, then the resulting model is weaker in the sense that the adversary cannot obtain any test session specific secrets. HMQV could potentially address leakage of σ but without revealing x. However [12] puts emphasis on revealing x. Since the NAXOS attack extends to HMQV, it shows that HMQV treats the session state in the same way as NAXOS treats ephemeral input – it allows leakage of protocol-defined ephemeral values associated with test session and is not concerned with exposing the full state of Turing machines. As such SessionStateReveal and EphemeralKeyReveal are functionally equivalent and the attack does not contradict the HMQV security claim in [12]. Similarly, SP800-56A [24], which standardizes MQV, considers leakage of x in its rationale [24, §6.1.1.5] but not the leakage of shared secrets. We next look at reasons for ephemeral data leakage and argue that exposing data used to compute ephemeral public keys is important, but revealing shared secrets is less relevant to practice.
4
Session Specific Ephemeral Data
Leaking Private Data. Secure random number generation is notoriously hard to achieve in practice. Poor random number generators are the most significant source of leaking ephemeral secrets. A whole subfield of cryptography is devoted to designing good generators of pseudo-randomness, and yet even with the best algorithms not only is randomness hard to achieve on a deterministic device but also implementations are error prone. Recall the work of Goldberg and Wagner [11] who exposed a major weakness in the Netscape web browser. More recently Bello [5] announced a flaw in the Debian Linux OpenSSL implementation. In both cases weak randomness breaches security and in the latter the random number could be guessed before being used. Other important sources of ephemeral secret data leakage include side channel analysis that detects if a square-and-multiply iteration performs a multiplication, thus revealing x while g x is computed. Another source is smart cards that pre-compute values X for on-line use, and store them in a less secure medium 4
The term for fresh in [10] is clean.
192
B. Ustaoglu
accessible to malicious entities. Yet another source is devices that provide good randomness but require constant external power to keep their latest state: a malicious entity gaining temporary access to the hardware can record its evolution path, reset it to the initial stage and subsequently anticipate its actions in the protocol, or alternatively can recover past states. The list is not exhaustive but for key agreement protocols it covers a wide range of practical concerns. Comparing Approaches. Leakage of x and x ˜ both take into account compromised sources of randomness. The EphemeralKeyReveal query was motivated by protocols using signature schemes that access the same random source as the protocol and is stronger than SessionStateReveal, which does not account for subroutines where leaking ephemeral and static keys are equivalent. Key agreement protocols should take into account this aspect; though in theory for Diffie-Hellman protocols such as HMQV and NAXOS that do not utilize signature schemes leaking x and x˜ are on par. The security argument for NAXOS does not account for adversaries who learn x via side channel or other means. If an adversary obtains x but not sA = x+ da, then the HMQV argument is not affected; if sA is leaked, which is possible by the side channel mechanism outlined above, then HMQV becomes insecure. Formally neither SessionStateReveal nor EphemeralKeyReveal captures precomputations: both queries are issued against activated but not yet completed sessions, whereas an adversary can access the pre-computed list before sessions begin. Krawczyk [12, §7.3] describes an HMQV attack where the adversary needs only X before the session is initiated. Another example5 is the following: with key confirmation the UM protocol [20] has forward secrecy but is not resilient key compromise impersonation (KCI). Substitute UM with KEA+ [15] and the protocol appears secure if the adversary learns x after the session completes, but if x is ˆ to A. ˆ Both leaked before the session starts the adversary can easily impersonate B examples illustrate the importance of timing. One can argue that since EphemeralKeyReveal concerns the input to the session, it is issued right before the session is activated. But in the context of pre-computations there is little if any difference between the HMQV and NAXOS treatment – they formally consider scenarios where the adversary accesses the storage medium at the same time as the party. Resettable state can be used in cases where two sessions share the same public key due to a reset. Such a scenario is covered by neither HMQV nor NAXOS, which explicitly require that an ephemeral key pair is used only once. Alternatively, if ephemeral key pairs are not reused, reset introduces a new timing venue for the adversary: not only can the adversary record in advance future output of the device, but can also recover past states. In general we can conclude that timing is not covered by EphemeralKeyReveal and SessionStateReveal. The approach in [10] mainly considers leaking shared secrets at a very specific stage, which does not necessarily take into account bad source of randomness, pre-computations and resets. Side channel attacks are better addressed – while obtaining σ (for HMQV) is weaker than obtaining sA at the very least computation involving sA is revealed. 5
We are not aware if this KEA+ attack was previously published.
Comparing SessionStateReveal and EphemeralKeyReveal
193
Diffie-Hellman Protocols. We presented important rationale that require security arguments for protocols to take into account leaking ephemeral session specific data. An essential consequence of these motivations is that “ephemeral” does not necessarily imply “short-lived” and “irrecoverable”. The attacks based on timing show that models should give the adversary flexibility on when it can ask for ephemeral information. Moreover, some attacks require only the release of ephemeral public information before a session is created. So ephemeral keys should be treated similar to static keys – the adversary should have access to the ephemeral public key before the session using it is created and should be able to learn the ephemeral private key before, during, or after the session runs. A natural choice of the definition for ephemeral session secret input is the data used to compute X. A wide range of protocols including [14,28,18,17] use the NAXOS trick and all have simpler security arguments and weaker assumptions than HMQV, but does it justify dropping x in favor of x ˜? While the random oracle guarantees security when X = g He (˜x,a) , any implementation has to approximate He by a deterministic function. For example, one can apply AES with secret key a to x ˜, thus simulating He (a, x ˜). In that case a is used for two different cryptographic algorithms: AES encryption and DH computation. Such practice is not sound and certainly not modeled. Alternatively, a could consists of two parts: one used in the computation of X and the other used for deriving the shared secrets. This only says that parties should choose ephemeral secrets as securely as static ones, but there is no guarantee that parties could follow that. The goal of revealing the ephemeral secrets is to portray scenarios where ephemeral secrets happen to leak to malicious entities. To conclude it is desirable to have secure protocols where discrete logarithm of the outgoing ephemeral public key can be exposed before, during or after a session run. Furthermore, the ephemeral public key should also be accessible to the adversary before the session becomes alive. Such model and queries will reveal no less information than SessionStateReveal as used in [12] and cover the additional scenarios that were considered in the HMQV analysis.
5
UP – Unified Protocol
The UP-protocol in Figure 3, uses “pseudo” static keys, namely XA and Y B, and offers an alternative to x ˜, namely the “postponed” ephemeral key derivation. Setting X = g He (˜x,a) implies that without both a and x ˜, an entity cannot query and learn x, which leads to simple security arguments. Postponed ephemeral key derivation achieves the same by changing the effective ephemeral public key to XAd ; d should be computable by both peers. As before, computing the corresponding discrete logarithm x + ad requires both x and a. Our derivation of d conforms to the MQV protocol, which can be viewed as the ephemeral Diffie-Hellman protocol with postponed ephemeral keys, but other alternatives are also possible, say in order to prevent Cremers’ type attacks. Furthermore an honest party has some assurances that the peer’s effective ephemeral secret key is guarded by the peer’s static private key.
194
B. Ustaoglu ˆ a, A = g a A,
ˆ b, B = g b B,
ˆ I, x, X = g x s : B, σA = (Y B e ) σB = (Y B)
x+a
X→ ←Y
x+da
d = He (X)
ˆ R, y, Y = g y s : A, σ = (XA)y+eb A
σB = (XAd )
y+b
e = He (Y )
ˆ B, ˆ X, Y, UP) κ = H(σA , σB , A, Fig. 3. UP protocol
A similar idea is applicable to static keys. The KEA+[15] session key with ˆ B). ˆ It postponed ephemeral keys is κ = H(CDH(A, Y B e ), CDH(XAd , B), A, inherits a KEA+ weakness and does not provide forward secrecy. With the “pseudo” static key XA the value a is insufficient to recover the private pseudo static key x + a. The result is UP’s shared secrets. Note that with pseudo static keys the UM protocol appears to resist KCI attacks. The above informal arguments suggest that UP is secure. A formal protocol description and argument is given in the extended version [29] using the Menezes-Ustaoglu model [19], which we denoted by eCK+. The model allows the adversary to learn ephemeral public keys before the session is initiated; similarly ephemeral private keys can be obtained before, during, and after a session completes. Last but not least the adversary can adaptively register parties after learning session specific information. Thus eCK+ takes into account our observation about the importance of timing. Comparison. In Table 1, which compares UP with Diffie-Hellman type protocols, KEA1 abbreviates “knowledge of exponent assumption” [2]; CDH is the computational Diffie-Hellman problem; gap CDH [26] is the gap variant of CDH. All analysis are done in the random oracle model [4]. For each protocol the adversary can obtain either x ˜ as in NAXOS or x as in HMQV. All protocols are assumed to perform public key validation, so it is omitted from the efficiency6 estimate, which take into account improvements such as Shamir’s trick [21, Algorithm 14.88] and Exponent Combination Method [22]; the bracketed values are the naive counts. The column “FL” indicates whether the Forking lemma [27] is used in the security argument. To compute its shared secrets, UP needs one more exponentiation than HMQV. But UP’s security argument is tighter in the sense that the forking lemma is not used. So for the same security levels the efficiency gap between (C,H)MQV and UP is smaller than one exponentiation, because of a smaller group size. Besides tightness-efficiency trade-off, UP performs no worse than HMQV and CMQV, and for each protocol improves at least one column in the table comparison. NAXOS+ [18] utilizes the twin Diffie-Hellman trapdoor test [9] and hence does not need the gap assumption. The minor reduction gap introduced by the 6
Efficiency is in terms of group exponentiations.
Comparing SessionStateReveal and EphemeralKeyReveal
195
Table 1. Protocols comparison Protocol Security Assumptions HMQV CK01’ gap CDH, KEA1 CMQV eCK gap CDH NAXOS+ eCK CDH NAXOS eCK gap CDH NETS eCK gap CDH UM CK01+ gap CDH KEA+ CK01* gap CDH UP eCK+ gap CDH
FL yes yes no no no no no no
Efficiency 2.17 (2.5) 2.17 (3) 3.34 (5) 3.17 (4) 3 3 3 3.17 (3.5)
x ˜,x x x ˜ x ˜ x ˜ x ˜ x x x
test can be ignored, but while theoretically interesting NAXOS+ is less practical than UP. It is an interesting problem to devise an efficient eCK+ secure protocol using the CDH assumption and postponed ephemeral keys. NETS [17], which effectively uses pseudo static keys, improves over NAXOS and is an important UP competitor. It is slightly more efficient, relies on the same assumptions, and very likely is eCK+ secure. Assuming NETS is eCK+ secure the main advantage of UP over NETS is the ephemeral secret data revealed to the adversary. As argued, in practice using x instead of x ˜ is more sound and therefore worth the small efficiency cost. Note that NETS can be viewed as the UM protocol with NAXOS trick and pseudo static keys. If the NAXOS trick is substituted with postponed ephemeral keys, the resulting protocol will have similar attributes to UP. Neither UM7 nor KEA+8 is eCK secure. When security is paramount the efficiency cost of UP is justified.
6
Conclusion
We have argued that for Diffie-Hellman protocols from practical perspective it is relevant to allow an adversary access to the discrete logarithm of the ephemeral public key and that the timing of leakage is important. Via UP we proposed a method to achieve strong security that takes into account these points. Comparing protocols with different set of security assumptions cannot be conclusive but it is of theoretical interest to see if the proposed approach can be adapted to the standard model or in conjunction with the trapdoor test to remove the “gap” assumption. Acknowledgements. I thank Cas Cremers, Atsushi Fujioka and Alfred Menezes for helpful discussions and comments on earlier drafts of this paper. 7 8
The UM protocol in Table 1 refers to the three pass variant analyzed in [20]. The model where KEA+ is analyzed is derived from CK01 and uses eCK-like session identifiers.
196
B. Ustaoglu
References 1. Basin, D., Cremers, C.J.F.: From Dolev-Yao to strong adaptive corruption: Analyzing security in the presence of compromising adversaries. Cryptology ePrint Archive, Report 2009/079 (2009), http://eprint.iacr.org/2009/079 2. Bellare, M., Palacio, A.: The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 273–289. Springer, Heidelberg (2004) 3. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994) 4. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS 1993: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM, New York (1993) 5. Bello, L.: Debian open ssl predictable random number generator. Technical report, Debian.org. (2008) (retreived on February 10, 2008), http://lists.debian.org/debian-security-announce/2008/msg00152.html 6. Blake-Wilson, S., Johnson, D., Menezes, A.: Key agreement protocols and their security analysis. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 30–45. Springer, Heidelberg (1997) 7. Boyd, C., Cliff, Y., Gonz´ alez Nieto, J.M., Paterson, K.: Efficient one-round key exchange in the standard model. In: Mu, et al. (eds.) [23], pp. 69–83, http://eprint.iacr.org/2008/007/ 8. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001) 9. Cash, D.M., Kiltz, E., Shoup, V.: The Twin Diffie-Hellman Problem and Applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008), http://eprint.iacr.org/2008/067 10. Cremers, C.J.F.: Session-state reveal is stronger than ephemeral key reveal: Attacking the NAXOS key exchange protocol. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) Applied Cryptography and Network Security, 7th International Conference, ACNS 2009. LNCS, vol. 5536, pp. 20–33. Springer, Heidelberg (2009) 11. Goldberg, I., Wagner, D.: Netscape ssl implementation cracked! Technical report, UC Berkeley (September 1995) (retreived on February 10, 2008), http://www.cs.berkeley.edu/~ daw/my-posts/netscape-cracked-0 12. Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005) 13. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. Cryptology ePrint Archive, Report 2006/073 (2006), http://eprint.iacr.org/2006/073 14. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007) 15. Lauter, K., Mityagin, A.: Security analysis of KEA authenticated key exchange protocol. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 378–394. Springer, Heidelberg (2006)
Comparing SessionStateReveal and EphemeralKeyReveal
197
16. Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography 28(2), 119–134 (2003) 17. Lee, J., Park, C.S.: An efficient authenticated key exchange protocol with a tight security reduction. Cryptology ePrint Archive, Report 2008/345 (2008), http://eprint.iacr.org/2008/345 18. Lee, J., Park, J.H.: Authenticated key exchange secure under the computational Diffie-Hellman assumption. Cryptology ePrint Archive, Report 2008/344 (2008), http://eprint.iacr.org/2008/344 19. Menezes, A., Ustaoglu, B.: Comparing the pre- and post-specified peer models for key agreement. In: Mu, et al. (eds.) [23], pp. 53–68 20. Menezes, A., Ustaoglu, B.: Security arguments for the UM key agreement protocol in the NIST SP800-56A standard. In: Abe, M., Gligor, V. (eds.) ASIACCS 2008: Proceedings of the 2008 ACM symposium on Information, computer and communications security, pp. 261–270. ACM, New York (2008) 21. Menezes, A., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997) 22. M’Ra¨ıhi, D., Naccache, D.: Batch exponentiation: a fast dlp-based signature generation strategy. In: Gong, L., Stern, J. (eds.) CCS 1996: Proceedings of the 3rd ACM conference on Computer and communications security, pp. 58–61. ACM, New York (1996) 23. Mu, Y., Susilo, W., Seberry, J. (eds.): ACISP 2008. LNCS, vol. 5107. Springer, Heidelberg (2008) 24. NIST National Institute of Standards and Technology. Special Publication 80056A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (March 2007), http://csrc.nist.gov/publications/PubsSPs.html (last accessed July 2009) 25. Okamoto, T.: Authenticated key exchange and key encapsulation in the standard model. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 474–484. Springer, Heidelberg (2007) 26. Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001) 27. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. Journal of Cryptology 13(3), 361–396 (2000) 28. Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Designs, Codes and Cryptography 46(3), 329–342 (2008) 29. Ustaoglu, B.: Comparing SessionStateReveal and EphemeralKeyReveal for DiffieHellman protocols (extended version). Cryptology ePrint Archive, Report 2009/353 (2009), http://eprint.iacr.org/2009/353
Zero-Knowledge Protocols for NTRU: Application to Identification and Proof of Plaintext Knowledge Keita Xagawa and Keisuke Tanaka Department of Mathematical and Computing Sciences, Tokyo Institute of Technology W8-55, 2-12-1 Ookayama, Meguro-ku, Tokyo 152-8552, Japan {xagawa5,keisuke}@is.titech.ac.jp
Abstract. We propose zero-knowledge and proof-of-knowledge protocols for NTRU. One is for the relation on secret-key knowledge and the other for that on plaintext knowledge. They are the first non-trivial constructions of these protocols for NTRU. Additionally, the former directly yields an identification scheme based on NTRU. Keyword: NTRU, zero knowledge, proof of knowledge, identification, proof of plaintext knowledge, lattice-based cryptography, code.
1 Introduction Background: In 1996, Hoffstein, Pipher, and Silverman proposed a public-key encryption system, NTRU [12]. The main attractions of this encryption scheme are fast keygeneration, encryption, and decryption, and compact sizes of keys. Other lattice-based encryption schemes do not have all of these attractions. Additionally, it seems bearable against threat of quantum computers. After proposing the scheme, they founded a company named NTRU Cryptosystems. The proposers of NTRU have modified the parameters of the system. As instantiations of NTRU, there are NTRU-1998 [12], NTRU-2001 [13], NTRU-2005 [14], NTRU-2007 [11], and NTRU-2008 [27,9], where the last instantiation is in IEEE P1363.1/D12. There are several attacks after the Coppersmith–Shamir attack [3]. For the summary of the attacks, see, e.g., Mol and Yung [21]. While approximately forty papers have dealt with NTRU, surprisingly, there are no protocols except these for encryption or signature. For example, there are no secure identification schemes based on the NTRU problems and proofs of plaintext knowledge for NTRU. This contrasts with the situation that the number-theoretical assumptions allow us to construct concurrent-secure identification schemes and non-malleable proofs of plaintext knowledge for the RSA, Rabin, Paillier, and ElGamal encryption schemes [15]. Our contributions: We propose statistical-zero-knowledge and proof-of-knowledge arguments for two relations by using a statistically-hiding and computationally-binding commitment scheme. The first relation is that between a public key and a secret key, J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 198–213, 2009. c Springer-Verlag Berlin Heidelberg 2009
Zero-Knowledge Protocols for NTRU
199
which we call the relation on secret-key knowledge. This directly supplies a first identification scheme based on NTRU which is passively secure under a certain assumption. The second relation is that between a ciphertext and a pair of a message and a randomness, which we call the relation on plaintext knowledge. They will be useful tools for constructing various cryptographic primitives and protocols based on NTRU. Techniques: We plug the structure of NTRU into a variant of Stern’s protocol [26,16] and obtain statistical-zero-knowledge and proof-of-knowledge arguments for two relations on NTRU. Kawachi, Tanaka, and Xagawa [16] observed that Stern’s protocol can be used for the relations on q-ary lattices. The relation is the set of (( A, y), x) ∈ (Zn×m × Znq ) × {0, 1}m q such that Ax ≡ y (mod q) and the Hamming weight of x is d. We first observe that the well-known NTRU lattice can be considered as q-ary lattices. However, there is some difficulty to connect NTRU with the Stern’s protocol directly. In order to connect NTRU with the variant of Stern’s protocol, we modify the structure of ad hoc anonymous identification schemes by Kawachi et al. [16], which introduced the permutation splitting technique in Stern’s protocol. By this modification, we pattern a statisticalzero-knowledge and proof-of-knowledge argument for the generalized relations, say, the set of polynomials ((a, b, z), (x, y)) such that a ⊗ x + b ⊗ y ≡ z (mod αN − 1, q) and each Hamming weight of x and y is d. Then, we modify the protocols in order to employ the relations on secret-key knowledge and plaintext knowledge tailored for each instantiation of NTRU. Related works: It is well-known that the existence of one-way functions implies computational-zero-knowledge proof systems for any NP-relation. However, this general proof system is less efficient than our arguments. In general, one has a simple challenge-and-response protocol for the relation on secret-key knowledge: The verifier sends a random ciphertext to the prover, and the prover answers the plaintext of the ciphertext. This simple protocol is honest-verifier perfect zero knowledge for the relation on secret-key knowledge. However, a malicious verifier can use this protocol as the decryption oracle. In some instantiations of NTRU, this yields the universal break [21]. One can consider a protocol by combining the observations by Coppersmith and Shamir mentioned above with statistical-zero-knowledge proof systems for GapSVP and GapCVP by Micciancio and Vadhan [20]. This combination might fit for our purpose, however, we cannot provide reasonable analysis of it. Recent studies on lattice-based cryptography gave several protocols for lattice problems and cryptographic primitives based on the worst-case hardness of lattice problems. There are statistical zero-knowledge proof systems for coGapSVP and coGapCVP by Goldreich and Goldwasser [6], and ones with efficient prover for GapSVP and GapCVP by Micciancio and Vadhan [20]. Recently, Peikert and Vaikuntanathan gave non-interactive statistical-zero-knowledge proof systems with efficient prover for several lattice problems [22]. Lyubashevsky [17] and Kawachi et al. [16] proposed concurrently-secure lattice-based identification schemes. It will be an interesting task to construct non-interactive zero-knowledge protocols for NTRU.
200
K. Xagawa and K. Tanaka
We next discuss the plaintext knowledge. Our proof-of-knowledge arguments for the relations on plaintext knowledge are related to proof of plaintext knowledge (PPK). Explicit formalization of PPK is due to Aumann and Rabin (cited in Katz [15]). According to Katz [15, Section 1.2], they gave a generic solution for any public-key encryption scheme and their protocol is honest-verifier zero knowledge, while ours are (cheatingverifier) statistical zero knowledge. There are many identification schemes based on the combinatorial problems; Shamir’s scheme [25] based on the permuted kernel problem, Stern’s scheme [26] based on the syndrome decoding problem, and the scheme by Pointcheval and Poupard [23] based on the permuted perceptron problem, and etc. Section 7 compares ours and the identification schemes mentioned above. Finally, we should report that we found an independent work by Gaborit and Girault [5]. They proposed light-weight variants of Stern’s identification scheme by using NTRU-like codes, double circulant linear codes. They assumed the hardness of the syndrome decoding problem of their NTRU-like codes. We note that their paper lacks the proof of security and does not show zero-knowledge property of the protocol. We also note that their protocol cannot be used as a proof-of-knowledge argument for the relation on secret-key knowledge since they did not split the permutation.
2 Preliminaries We say a function (n) is negligible in n if (n) = 2−ω(log n) . We denote by v1 ◦ v2 the concatenation of two vectors v1 and v2 . We use the standard definitions for zero-knowledge protocols, arguments, and identification schemes. See, e.g., [1] for the formal definition for identification schemes. String-commitment schemes: In this paper, we use a string-commitment scheme in the trusted setup model. Formally, we use a statistically-hiding and computationallybinding string-commitment scheme such as the ones by Damgård, Pedersen, and Pfitzmann [4] or by Halevi and Micali [8] which are based on collision-resistant hash functions. The schemes run in two phases, called the committing and the revealing phases. In their schemes, a sender and a receiver have a common function Com. In the committing phase, the sender commits a message m to a commitment string c = Com(m; ρ) with a random string ρ, and sends c to the receiver. In the revealing phase, the sender gives the receiver the message m and the random string ρ. The receiver verifies the validity of c by some algorithm. We say that the scheme is statistically hiding, for any two messages m1 and m2 , Com(m1 ) and Com(m2 ) are statistically close. We say that the scheme is computationally binding if any polynomial-time adversarial sender cannot change the committed string after sending the commitment. See, e.g., [4] for the formal definitions. We often use the notation for Com in a different way. For example, Com(a, b; ρ) means Com((a, b); ρ). The Halevi-Micali commitment scheme: Halevi and Micali proposed a simple string commitment scheme based on the collision-resistance hash function [8], which is very
Zero-Knowledge Protocols for NTRU
201
similar to one in [4]. Let k denote the security parameter and let L be a positive integer at least 6k + 4. For simplicity, we assume that L = 7k. Let H : {0, 1}∗ → {0, 1}k be a collision-free hash function. Let H = {h : {0, 1}L → {0, 1}k } be a family of universal hash functions. For example, we can use {ha1 ,...,a6 : GF(2k )7 → GF(2k ) : ai ∈ GF(2k )}, where ha1 ,...,a6 (s0 , . . . , s6 ) = s0 + a1 s1 + · · · + a6 s6 and each k-bit string si is interpreted as an element in GF(2k ). To commit a message m ∈ {0, 1}∗ , the sender first computes s = H(m), picks a random r ∈ {0, 1}L , computes y = H(r), and picks a random function h ∈ H for which h(r) = s. It sends (h, y) as the commitment of m. To pick a random function ha1 ,...,a6 such that r0 + a1 r1 + · · · + a6 r6 = s, it computes as follows: Choose random elements a1 , . . . , a5 and compute a6 = r6−1 (s − (r0 + a1 r1 + · · · + a5 r5 )) if r6 0. If r6 = 0, choose a6 at random. To open a commitment he/she sends (m, r). The receiver verifies the validity by checking that y = H(r) and h(r) = H(m) Halevi and Micali showed that the scheme is computationally binding if H is collision resistant and 2−k -hiding. Note that the length of commitment is |y|+|h| = k+6k = 7k and the length of decommitment is |m| + |r| = |m| + 7k.
3 Brief Sketch of NTRU We briefly review NTRU. For details, see the original paper [12] and the proposals of the parameters [13,14,11,27,9]. For a positive integer n, NTRU is defined on a quotient ring R = Z[α]/(αn − 1). For a positive integer q, we denote Z[α]/(q, αn − 1) by Rq . We identify R with Zn by i n identifying f = n−1 i=0 fi α ∈ R with f = ( f0 , . . . , fn−1 ) ∈ Z . We also identify Rq with n Zq . Intuitively, the security is based on the hardness to factor a product of two short polynomials in Rq . Let n denote the dimension of Rq . The subsets of Rq , L f , Lg , Lm , Lr , and LF are defined later. They are used for key generation, encryption, and decryption. While we do not consider the decryption in this paper, we note the decryption procedure. Key Generation (KG(1k )): 1. Choose f ∈ L f and g ∈ Lg uniformly at random. f must be invertible in Rq and R p . 2. Set Fq = f −1 in Rq . 3. Compute h = p ⊗ g ⊗ Fq . 4. The public key is h and the secret key is f . Encryption (Enc(h, m; r)): The plaintext is m ∈ Lm . 1. Select r ∈ Lr uniformly at random. 2. Compute c = h ⊗ r + m. 3. The ciphertext is c. Decryption (Dec( f , c)): The ciphertext is c ∈ Rq . 1. Compute a = f ⊗ c in Rq . 2. Compute a = p ⊗ g ⊗ r + f ⊗ m in R from a by using a centering algorithm.
202
K. Xagawa and K. Tanaka
3. Compute F p = f −1 in R p . 4. Compute m = F p ⊗ a in R p . 5. The obtained plaintext is m . The decryption correctly works since the parameters are chosen carefully to ensure that a = p ⊗ g ⊗ r + f ⊗ m in R with high probability. We omit the details of the parameter setting; see the original paper or the papers on instantiations [12,27,9]. Let T denote {−1, 0, +1}n. T (d1 , d2 ) denotes the subset of T such that each polynomial in T (d1 , d2 ) has exactly d1 coefficients set to 1 and d2 coefficients set to −1. For an integer a and a subset S ⊆ Rq , we define aS as {a f : f ∈ S}. For a subset S ⊆ Rq , S∗ denotes the set of the polynomials in S which have the inverses in Rq , i.e., S∗ = { f ∈ S : ∃ f −1 ∈ Rq }. There are five instantiations of NTRU, NTRU-1998 [12], NTRU-2001 [13], NTRU2005 [14], NTRU-2007 [11], and NTRU-2008 [27,9]. For simplicity, we only consider NTRU-1998 and NTRU-2008 in this paper. The following table summarizes the parameter sets of these instantiations. Parameter Sets q p Lf Lg Lm Lr LF NTRU-1998 2k 3 T (d f , d f − 1)∗ T (dg , dg ) T T (dr , dr ) NTRU-2008 2k 3 {1 + p ⊗ F : F ∈ LF }∗ T (dg , dg ) T T (dr , dr ) T (dF )
4 Lattices, q-ary Lattices, and NTRU Lattices Since we connect NTRU and the lattice-based protocol, we briefly review lattices, q-ary lattices, and NTRU lattices. Preliminaries: For an n-dimensional integral vector f = ( f0 , . . . , fn−1 ), we define rot( f ) = ( fn−1 , f0 , . . . , fn−2 ). From the view of polynomials, this relation can be written as rot( f ) = f ⊗ α. We also define Rot( f ) = [ f rot( f ) . . . rotn−1 ( f )], that is a circulant matrix corresponding to the polynomial f . We denote by M the ring consisting of n by n integral circulant matrices. It is easy to verify that the following equations: Rot( f ) + Rot( g) = Rot( f + g), Rot( f ) · Rot( g) = Rot( f ⊗ g). Thus, Rot is a ring isomorphism from (R, +, ⊗) to (M, +, ·). It is also a ring isomorphism from (Rq , +, ⊗) to (Mq , +, ·), where Mq is M modulo q. Later, we will use the relation Rot( f ) g = f ⊗ g. Lattices: In this paper, we use the basic notations of lattices. A lattice is an additive discrete subgroup of Rm . A lattice L ⊆ Rm of rank n has a basis B ∈ Rm×n such that L(B) = {Bx : x ∈ Zn }, where the rank of B is n. For details on lattices and cryptography based on lattice problems, see, e.g., the textbook by Micciancio and Goldwasser [19].
Zero-Knowledge Protocols for NTRU
4.1
203
q-ary Lattices
Lattice-based cryptography often employs q-ary lattices L; qZm ⊆ L ⊆ Zm . For a matrix A ∈ Zn×m q , we define two m-dimensional q-ary lattices: Λq ( A) = y ∈ Zm : ∃ s ∈ Zn such that y ≡ t As (mod q) , Λ⊥q ( A) = {e ∈ Zm : Ae ≡ 0 (mod q)} . Stern’s protocol [26] and its variant [16] are based directly on the latter lattices, and we will also employ the NTRU lattices as the latter lattices. 4.2 NTRU Lattices We consider the following matrix C which is generated by a secret key: C = t Rot( f ) t Rot(p ⊗ g) . An NTRU lattice [3] is generated by a basis Rot(1) Rot(0) H= . Rot(h) Rot(q) It is easy to verify that L(H) = Λq (C) by the equation h ≡ f −1 ⊗ (p ⊗ g) (mod q). Since Stern’s protocol and its variant used Λ⊥q (A) for some A rather than Λq (C), we have to find A ∈ Zn×2n such that L(H) = Λ⊥q (A). As noted in the paper proposing q NTRUSign [10], we can verify that L(H) = Λ⊥q ([− Rot(h) Rot(1)]). Thus, we define A = [− Rot(h) Rot(1)]. In the following, we mainly consider NTRU lattices in this form.
5 Variants of Stern’s Protocol 5.1 Relations of Stern’s Protocol and Its Variant In 1993, Stern proposed an identification scheme based on a coding problem [26]. Let Bm (d) denote the set of m-dimensional binary vectors whose Hamming weights are d, i.e., the numbers of 1’s are exactly d. His protocol is for the following relation: {(( A, y), x) ∈ (Zn×m × Znq ) × {0, 1}m : (Ax ≡ y q
(mod q)) ∧ (x ∈ Bm (d))}.
Kawachi et al. proposed the variants of Stern’s protocol [16]. In an ad hoc anonymous identification scheme based on their variant, the protocol is for the relation m+l {(( A, y1 , . . . , yl ), x) ∈ (Zn×m × Zn×l q q ) × {−1, 0, +1}
: (x = xh ◦xt )∧(xh ∈ Bm (m/2))∧(xt ∈ −Bl (1))∧(Axh +[y1 . . . yl ]xl ≡ 0
(mod q))}.
In order to design the protocol, they split a permutation in Stern’s protocol [16, Section 5]; they put two permutations in their protocol, while Stern put one permutation.
204
K. Xagawa and K. Tanaka
5.2 Our Protocol Our protocol has a similar structure of the ad hoc anonymous identification schemes by Kawachi et al. [16], which are obtained by splitting a permutation in Stern’s protocol [26]. We replace the two set, Bm (m/2) and −Bl (1), with the following enumeration sets. Enumeration sets: For a positive integer n, we denote by [n] the set {0, . . . , n − 1}. S n denotes the n-dimensional permutation group, i.e., the group consisting of all of the permutations over [n]. The operator ∗ means the composition of permutations, that is, (π ∗ φ)(x) = π(φ(x)). We define a property of a subset of Rq . Let π be a permutation over [n]. For an ndimensional vector f = ( f0 , . . . , fn−1 ) ∈ Znq , we define π( f ) = ( fπ(0) , . . . , fπ(n−1) ). We note that, for a permutation π over [n] and two polynomials a and b in Rq , π(a + b) = π(a) + π(b). For a polynomial x ∈ Rq , S x denotes {π(x) : π ∈ S n } ⊂ Rq . We call these sets enumeration sets. We note that T (d1 , d2 ) is an enumeration set, while T is not. Our protocol: For two enumeration sets Sh and St , consider the following relation: R = {((Rot(ah ), Rot(at ), y), (xh, xt )) ∈ (Mq × Mq × Znq ) × (Znq × Znq ) : (Rot(ah ) · xh + Rot(at ) · xt = y) ∧ (xh ∈ Sh ) ∧ (xt ∈ St )}. This relation is interpreted as follows: R = {((ah , at , y), (xh, xt )) ∈ R3q × R2q : (ah ⊗ xh + at ⊗ xt = y) ∧ (xh ∈ Sh ) ∧ (xt ∈ St )}. If ah = −h and at = 1, the relation R is directly for the NTRU lattice. Let Com be a statistically-hiding and computationally-binding string-commitment scheme. Now, we describe our protocol, which is statistical zero knowledge and proof of knowledge for the relation R. For ease of notation, we do not write the randomness of the function Com. The common input is a tuple (ah , at , y) ∈ R3q . Prover’s auxiliary inputs are xh and xt such that ah ⊗ xh + at ⊗ xt = y, xh ∈ Sh , and xt ∈ St . The prover P and the verifier V interact as follows: Step P1: Choose random permutations πh and πt over [n]. Choose random vectors rh and rt ∈ Rq and send commitments c1 , c2 , and c3 computed as follows: – c1 = Com(πh , πt , ah ⊗ rh + at ⊗ rt ), – c2 = Com(πh (rh ), πt (rt )), – c3 = Com(πh (xh + rh ), πt (xt + rt )). Step V1: Send a random challenge Ch ∈ {1, 2, 3} to P. Step P2: – If Ch = 1, reveal c2 and c3 . So, send sh = πh (xh ), st = πt (xt ), t h = πh (rh ), t t = πt (rt ). – If Ch = 2, reveal c1 and c3 . Send φh = πh , φt = πt , uh = xh + rh , and ut = xt + rt . – If Ch = 3, reveal c1 and c2 . Send ψh = πh , ψt = πt , vh = rh , and vt = rt .
Zero-Knowledge Protocols for NTRU
205
Step V2: – If Ch = 1, check that c2 = Com(t h , t t ), c3 = Com(sh + t h , st + t t ), sh ∈ Sh , and st ∈ St . – If Ch = 2, check that c1 = Com(φh , φt , ah ⊗ uh + at ⊗ ut − y), c3 = Com(φh (uh ), φt (ut )). – If Ch = 3, check that c1 = Com(ψh , ψt , ah ⊗ vh + at ⊗ vt ) and c2 = Com(ψh (vh ), ψt (vt )). Output Dec = 1 if all of the above checks are passed, otherwise output Dec = 0. Theorem 5.1. If Com is a statistically-hiding and computationally-binding stringcommitment scheme, the above protocol is a statistical-zero-knowledge and proof-ofknowledge argument for a relation R with soundness 2/3. Proof. The correctness of the above protocol can easily be shown. The existence of a knowledge extractor implies the soundness of the protocol. Thus, in the proof, we show the existence of a simulator and a knowledge extractor. However, since these proofs are very similar to the ones in [26,16], we omit the details and give the sketch of the proof. Statistical zero knowledge: The construction of the simulator is similar to the ones in [26] and [16]. We construct a simulator S which, on input (ah , at , y) and given oracle access to a cheating verifier V∗ , outputs a simulated transcript. S chooses a random value Ch from {1, 2, 3}, a prediction of the value V∗ will not choose. Next, the simulator chooses a random tape r of V∗ . We only show how the simulator works in the case Ch = 1. The remaining cases will appear in the full paper. Case Ch = 1: S computes x h and x t such that ah ⊗ x h + at ⊗ x t = y by using linear algebra. Next, it chooses random permutations π h and π t over [n], random polynomials r h and r t from Rq , and random strings ρ i for i = 1, 2, 3. It computes commitments as – c 1 = Com(π h , π t , ah ⊗ r h + at ⊗ r t ; ρ 1 ), – c 2 = Com(π h (r h ), π t (r t ); ρ 2 ), – c 3 = Com(π h (x h + r h ), π t (x t + r t ); ρ 3 ). It sends the commitments to V∗ and receives a challenge Ch from V∗ . The simulator S computes a transcript as follows: – If Ch = 1, it outputs ⊥ and halts. – If Ch = 2, it outputs (r ; (c 1 , c 2 , c 3 ), 2, (π h, π t , x h + r h , x t + r t , ρ 1 , ρ 3 )). – If Ch = 3, it outputs (r ; (c 1 , c 2 , c 3 ), 3, (π h, π t , r h , r t , ρ 1 , ρ 2 )). We start the analysis of the case Ch = 2. In this case, we have that ViewPV∗ (z) (ah , at , y) = (r; (c1 , c2 , c3 ), 2, (πh, πt , xh + rh , xt + rt , ρ1 , ρ3 )), S(ah , at , y) = (r ; (c 1 , c 2 , c 3 ), 2, (π h, π t , x h + r h , x t + r t , ρ 1 , ρ 3 )).
Consider a one-to-one mapping (π h , π t , r h , r t , ρ 1 , ρ 3 ) = (πh , πt , rh + xh − x h , rt + xt − x t , ρ1 , ρ3 ). By this equation, we have that c 1 = c1 and c 3 = c3 , and the responses from the simulator equal to the ones from the prover. From the statistically-hiding property of Com, the statistical distance between the distributions of c2 and c 2 is negligible. Thus, the distributions of ViewPV∗ (z) (ah , at , y) and S(ah , at , y) are statistically close.
206
K. Xagawa and K. Tanaka
In the case Ch = 3, it is easy to verify the statistical distance by setting (π h , π t , r h , r t , ρ 1 , ρ 2 ) = (πh , πt , rh , rt , ρ1 , ρ2 ). Proof of knowledge: We construct the extractor following [26] and [16]. Assume that there exists P∗ that convincing V with probability 2/3 + . The knowledge extractor K works as follows: 1. Choose a random tape of P∗ . 2. Obtain three transcripts by acting as the verifier and by setting Ch = 1, 2, 3. Each ρ(i j) denotes the random string in the commitment ci in the case (1) that Ch = j. The three transcripts are ((c1 , c2 , c3 ), 1, (sh, st , t h , t t , ρ(1) 2 , ρ3 )), (2) (2) (3) (3) ((c1 , c2 , c3 ), 2, (φh, φt , uh , ut , ρ1 , ρ3 )), and ((c1 , c2 , c3 ), 3, (ψh, ψt , vh , vt , ρ1 , ρ2 )). −1 3. Output (φ−1 h (sh ), φt (st )) as a witness. We analyze the probability that the output is the witness corresponding to (ah , at , y). Since the probability that P∗ convincing V is 2/3 + , for fraction of random tapes three transcripts are valid. Hence, we have the following equations: (3) Com(φh , φt , ah ⊗ uh + at ⊗ ut − y; ρ(2) 1 ) = Com(ψh , ψt , ah ⊗ vh + at ⊗ vt ; ρ1 ),
Com(t h , t t ; ρ(1) 2 ) Com(sh + t h , st + t t ; ρ(1) 3 )
= =
Com(ψh (vh ), ψt (vt ); ρ(3) 2 ), Com(φh (uh ), φt (ut ); ρ(2) 3 ).
(1) (2) (3)
By the assumption that Com is computationally binding, there exists no distinct pair of arguments of Com in the equations (1), (2), and (3). From the equation (3), we have −1 −1 −1 −1 that uh = φ−1 h (sh + t h ) = φh (sh ) + φh (t h ) and ut = φt (st ) + φt (t t ). Combining the −1 equations φh = ψh , φt = ψt , and (2), we obtain that vh = φh (t h ) and vt = φ−1 t (t t ). By substitution in the equation (1), we have that −1 −1 −1 −1 −1 ah ⊗ (φ−1 h (sh ) + φh (t h )) + at ⊗ (φt (st ) + φt (t t )) − y = ah ⊗ (φh (t h )) + at ⊗ (φt (t t )).
Simplifying the above we obtain that −1 ah ⊗ (φ−1 h (sh )) + at ⊗ (φt (st )) = y. −1 Recall that Sh and St are enumeration sets. Therefore, φ−1 h (sh ) ∈ Sh and φt (st ) ∈ St . This completes the proof.
5.3 Relations for NTRU In this section, we tailor the relations for instantiations of NTRU. Relations on Secret-Key Knowledge For NTRU-1998: The secret keys f and g are chosen from T (d f , d f −1)∗ and T (dg , dg ), respectively. Additionally, f must be invertible in R3 = Z[α]/(3, αn − 1). The public key is computed as h = 3 g ⊗ f −1 . We define the following relation: 3 2 R1998 KEY = {((−h, 1, 0), ( f , 3 g)) ∈ Rq × Rq
: (−h ⊗ f + 3 g = 0) ∧ ( f ∈ T (d f , d f − 1)) ∧ (3 g ∈ 3T (dg , dg ))}.
Zero-Knowledge Protocols for NTRU
207
For NTRU-2008: The secret key f is chosen from {1 + 3F : F ∈ T (dF , dF )}∗ . The polynomial g is randomly chosen from T (dg , dg ). The public key is computed as h = 3 g ⊗ (1 + 3F)−1 . We define the following relation: 3 2 R2008 KEY = {((−h, 1, h), (3F, 3 g)) ∈ Rq × Rq
: (−h ⊗ 3F + 3 g = h) ∧ (3F ∈ 3T (dF , dF )) ∧ (3 g ∈ 3T (dg , dg ))}. Remark 5.1. We note that our relations do not imply that f and g are invertible in Rq . Moreover, our relation for NTRU-1998 does not assure that f is invertible in R p . They guarantee that the ∞ norm of f and g is relatively short and one can decrypt ciphertexts by using the polynomials f and g in the instantiations except NTRU-1998. In NTRU1998, the keys satisfying our relation would imply the partial decryption. Relations on Plaintext Knowledge Recall the encryption procedure of NTRU. Let m and r be a plaintext and a randomness, respectively. The ciphertext c is m + h ⊗ r. Instead of T , we use T (dm , dm ) for some dm . By changing the message spaces, each Lm is treated as an enumeration set. For NTRU-1998 and NTRU-2008: Lr is set as T (dr , dr ). We define the following relation: 2008 3 2 R1998 ENC = RENC = {((h, 1, c), (r, m)) ∈ Rq × Rq
: (h ⊗ r + m = c) ∧ (r ∈ T (dr , dr )) ∧ (m ∈ Lm )}. Remark 5.2. In order to prevent information leakage on m, NTRU-2008 recommended that the numbers of 1s, −1s, and 0s in a plaintext are at least some parameter. (See [27,9, Section 9.2.2]). Additionally, we note that certain encryption schemes used the enumeration set B(d) as the plaintext spaces. For example, the Chor–Rivest cryptosystem and the Okamoto– Tanaka–Uchiyama cryptosystem did so.
6 Identification Schemes We can simply develop identification schemes based on NTRU from our protocol; A key-generation algorithm is same as the one in NTRU. A prover and a verifier runs the protocol for secret-key knowledge t times in the sequential or the parallel way. Let us discuss the security of this identification scheme. In the following, the security parameter k specifies the parameters N, p, and q, and the spaces L f , Lg , Lm , and Lr . Assumptions: In the literature of padding schemes for NTRU, their securities are build on the one-way or the partial one-way assumption; the standard one-way assumption is stated as follows:
208
K. Xagawa and K. Tanaka
Definition 6.1 (The NTRU (one-way) assumption). It is asymptotically hard to solve the NTRU inversion problem; For any polynomial-time adversary A, the success probability Advow NTRU,A (k) is negligible in k; where Advow NTRU,A (k) = Pr
A(h, c) = m : . (h, f ) ← KG(1k ); m ← Lm ; r ← Lr ; c = h ⊗ r + m
The problem on recovering the secret key is not easier than the problem on inverting the NTRU function, since, if one can get the secret key, then one can decrypt the ciphertexts. Definition 6.2 (The NTRU factoring assumption). This assumption states that it is asymptotically hard to solve the NTRU factoring problem; For any polynomial-time adversary A, the success probability Advfac NTRU,A (k) is negligible in k; where
Advfac NTRU,A (k)
(h = p ⊗ f −1 ⊗ g ) ∧ ( f ∈ L f ) ∧ ( g ∈ Lg ) : = Pr . (h, f ) ← KG(1k ); ( f , g ) ← A(h)
Note that in the NTRU factoring assumption, the adversary has to output f which has an inverse in Rq . As stated in Remark 5.1, our protocol does not ensure that the prover has f which is invertible in Rq . Thus, we need another assumption which may be stronger then the NTRU factoring assumption. Definition 6.3 (The NTRU decomposotion assumption). This assumption states that it is asymptotically hard to solve the NTRU decomposition problem; For any polynomial-time adversary A, the success probability Advdec NTRU,A (k) is negligible in k; where ( f ⊗ h = p ⊗ g ) ∧ ( f ∈ L f ) ∧ ( g ∈ Lg ) : dec AdvNTRU,A (k) = Pr . (h, f ) ← KG(1k ); ( f , g ) ← A(h) The adversary violating this assumption still can be used to invert the NTRU function: Invoking the adversary, we obtain f and g such that f ∈ L f , g ∈ Lg , and f ⊗ h = p ⊗ g . Assume that the ciphertext is in the form c = h ⊗ r + m. Multiplying f to the ciphertext, We have that f ⊗ c = p ⊗ g ⊗ r + f ⊗ m in Rq . Since the parameters are set to decrypt correctly with overwhelming probability, we can compute a = p⊗ g⊗ r+ f ⊗ m over Z. Hence, we obtain f ⊗ m in R p . In the case of NTRU-2008, L f is {1 + pF}. Hence, we can correctly compute m. In the case of NTRU-1998, L f is T (d f , d f − 1). Even if f is not invertible in R p , we can partially decrypt m as stated in Remark 5.1. Consequently, the NTRU decomposition assumption is not stronger than the NTRU one-way assumption. Identification: As stated in the first paragraph of this section, we can develop a passivesecure identification scheme based on NTRU from our protocol for secret-key knowledge, since the protocol composed sequentially is a proof of knowledge and statistical zero knowledge.
Zero-Knowledge Protocols for NTRU
209
Theorem 6.1. Let ID denote our identification scheme which obtained by the sequential composition t times. Assume that there exists an adversary A that impersonates the valid prover with probability at least AdvIMP−PA ID,A (k). Then, there exists an adversary B which solves the NTRU decomposition problem with probability at least Advdec NTRU,B (k) or breaks the binding property of the commitment scheme with probability at least AdvCOM,B (k). We have that t √ 2 AdvIMP−PA (k) ≤ + 5 Advdec ID,A NTRU,B (k) + AdvCOM,B (k) + QtΔ, 3 where Q is the number of the queries by A and Δ denotes the statistical distance of the hiding property of the commitment scheme. Proof. This reduction is obtained in a similar way to Pointcheval and Poupard [23]. The proof will appear in the full paper. Remark 6.1. Since the protocol is (cheating-verifier) zero knowledge, the reduction algorithm can simulate the valid prover even if the adversary accesses the prover oracle in an active way. This reduction requires as many steps as Qtk times of the original reduction. For simplicity, we only consider the reduction for the passive adversary. Parameters and communication costs: In order to achieve the 80-bit security, we can set (2/3)t ≤ 2−81 ,
−166 Advdec . NTRU,B (k), AdvCOM,B (k), QtΔ ≤ 2
By solving (2/3)t ≤ 2−81 , we have that t ≥ 138.47... and set t = 150 (with reasonable margin). We use NTRU and the hash function which is suitable for use at the 192-bit security level. By setting Q = 260 , we have Δ ≤ 2−234.8137... and set Δ = 2−256 . In NTRU-2008 [27,9], three parameter sets, ees677ep1, ees887ep1, and ees1087ep1, are recommended for the 192-bit security level. We adopt ees677ep1: the public-key length is 677 · log 2048 = 7447 bits and the secret-key length is 677 · 2 = 1354 bits. We next adopt the Halevi-Micali commitment scheme [8]. In this case, we need a 192-bit secure cryptographic hash function which outputs the digest of length at least 384 bits. Then, we have the commitment scheme where the length of the commitment is 7·384 = 2688 bits and the length of the decommitment is |m|+2688 bits (m is a message to be committed). We have to compute |m|. The prover will sends two permutations and two vectors, or four vectors in Step P2. In the former, the length of the message is 2 · log 677! + 2 · 667 · log 2048 ∼ 25686 bits. In the latter, the length of the message is 2 · 677 · log 3 + 2 · 677 · log 2048 ∼ 17041 bits. Thus, the total communication cost is 150·(3·2688+2+(25686+2·2688)) = 5869200 bits (approximately 716.5kB). Discussions: By parallel composition, we can obtain almost the same identification scheme. However, this scheme has a drawback in the sense of tightness of the reduction. In this case, the tightness is cubic as in Kawachi et al. [16], rather than quadratic as in the above.
210
K. Xagawa and K. Tanaka
It seems that concurrently secure identification schemes need stronger assumptions, such as the one-more NTRU one-way assumption or the assumption that the small integer solution problem over NTRU lattices is hard on the average. The small integer so⊥ lution problem, SISβ , is, given a matrix A ∈ Zn×m q , to find a non-zero vector z ∈ Λq ( A) such that z ≤ β in some norm. Using this assumptions, Lyubashevsky [17] and Kawachi et al. [16] succeeded to construct concurrently secure identification schemes based on lattice problems.
7 Comparisons There are several identification schemes based on combinatorial problems. We compare the schemes such as Stern’s SD-based [26], Shamir’s PKP-based [25], PPP-based by Pointcheval and Poupard [23], Lyubashevsky’s C/IL-based [17,18], and C/IL-based by Kawachi et al. [16] identification schemes. For the comparison with standard identification schemes, we put GQ [7] and Schnorr [24] in Table 1. Table 1. Comparisons on reduction and security. Note: Ours, SD, PKP, PPP, and KTX-C/IL run the basic protocol in t times sequentially. In L2, t is the number for parallel. Each (k) denotes the advantage of the polynomial-time adversary against the underlying problem. Each (k) denotes Advbd COM (k), the advantage of the polynomial-time adversary against the commitment scheme. In KTX-C/IL, Δ denotes the regularity of the lattice-based hash functions. In GQ and Schnorr, l(k) denotes the length of the challenge message. In the column of security, P, A, and C denotes passive, active, and concurrent, respectively. Name NTRU
Reduction √ √ 5 (k) + (k) + QtΔ √ √ SD (2/3)t + 5 (k) + (k) + QtΔ t √ √ 126 PKP + 5.758... (k) + (k) + QtΔ 251 √ √ PPP (3/4)t + 14/3 (k) + (k) + 2QtΔ L2 2(k) + 4 · 2−kt/5 + 2−3k log k/4 √ √ t KTX-C/IL (2/3) + 10 2(k) + QtΔ + 2−Ω(k) √ (cf:) GQ (1/2)l(k) + (k) √ (cf:) Schnorr (1/2)l(k) + (k) (2/3)t +
Security |pk| (kB) Cost (kB) Ref. P (A) 0.91 716.5 Ours P (A)
0.204 (+680.9)
935.1
[26]
P (A) P (A) C C P P
≥ 2.313
≥ 90.0 ≥ 637.0 ? ? 1.885 0.967
[25] [23] [18] [16] [7] [24]
≥0.196 (+≥5.324)
? ? 0.938 (+1.875) 0.938 (+0.957 f )
In the papers [26,25], the authors ignored the commitment scheme and directly used the hash value. Thus, the proofs are not correct in the standard model (this requires stronger assumptions on the hash function). We, hence, replace the hash function with the commitment scheme. The main difficulty of comparison is that the parameter settings for other schemes were not explicit. They did not propose the parameter-generating method in order to attain the security level. Here, we briefly discuss the parameters and costs if we set 80-bit security for the identification schemes.
Zero-Knowledge Protocols for NTRU
211
Storage costs: Notice that, in all reduction, the advantages of the adversary against identification schemes are upperbounded by the square roots of the advantage of the adversary against the assumption that the underlying problem is hard. Thus, the best work factor for solving the underlying problem must be at least 2160 . We here require 196-bit security for the underlying problem. Recall that in the case of our NTRU-based identification scheme, we have a 7447-bit public key. In the GQ and Schnorr schemes, the RSA modulus N or the parameter for the group p is often of length 2048 bits. However, to achieve 196-bit security, they should be 7680-bit numbers. Interestingly, in the GQ scheme, the public key consists of N and two elements e, X in Z∗N , so, the length of public key is longer than ours. Even if (N, e) in the GQ scheme and p in the Schnorr scheme is public parameter, there is a little difference between the length of the public key. In Stern’s SD scheme [26], in order to achieve 196-bit security, it requires a random matrix in Zn×m as a public parameter, where (q, n, m) = (2, 1670, 3340) (see the estimaq tion by Canteaut and Chabaud [2, Approximation 1]). Hence it requires approximately 680kB for the public parameter. Each public key is a vector in Znq , whose length is 1670 bits. In the PKP scheme, Shamir proposed the parameter set (q, n, m) = (251, 16, 32) and (q, n, m) = (251, 37, 64), which may achieve 76-bit and 184-bit security. We adopt the latter parameter set. In the case, the public key A is a matrix in Zn×m and the length of q it is 18944 bits (approximately 2.31kB). In the PPP scheme by Poupard and Pointcheval [23], they proposed several parameters (n, m) = (121, 137) and (n, m) = (201, 217), which are estimated 264 -security and more. Hence, we adopt the latter. Note that their public parameters are of length at least 201·217 = 43617 bits. Each public key is a vector in Znm , whose length is approximately 1560 bits. Communication Costs: The communication costs mainly depend on the domain size of the permutations in the protocol. In PKP and PPP, they used a permutation over [64] or over [217], respectively. Thus, their communication costs are relatively low. On the other hand, SD uses a permutation over [3340] and ours employs two permutations over [677]. Hence, the communication costs are very large.
Acknowledgement This work is supported in part by KAKENHI No.19-55201 and NTT Information Sharing Platform Laboratories.
References 1. Bellare, M., Palacio, A.: GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 162–177. Springer, Heidelberg (2002)
212
K. Xagawa and K. Tanaka
2. Canteaut, A., Chabaud, F.: A new algorithm for finding minimum-weight words in a linear code: Application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Transactions on Information Theory 44(1), 367–378 (1998) 3. Coppersmith, D., Shamir, A.: Lattice attacks on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997) 4. Damgård, I.B., Pedersen, T.P., Pfitzmann, B.: Statistical secrecy and multibit commitments. IEEE Transactions on Information Theory 44(3), 1143–1151 (1998) 5. Gaborit, P., Girault, M.: Lightweight code-based identification and signature. In: ISIT 2007, pp. 191–195 (2007) 6. Goldreich, O., Goldwasser, S.: On the limits of nonapproximability of lattice problems. Journal of Computer and System Sciences 60(3), 540–563 (2000) 7. Guillou, L.C., Quisquater, J.-J.: A “paradoxical” identity-based signature scheme resulting from zero-knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 216–231. Springer, Heidelberg (1990) 8. Halevi, S., Micali, S.: Practical and provably-secure commitment scheme from collisionfree hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 201–215. Springer, Heidelberg (1996) 9. Hirschhorn, P.S., Hoffstein, J., Howgrave-Graham, N., Whyte, W.: Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 437–455. Springer, Heidelberg (2009) 10. Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: Digital signature using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003) 11. Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: Hybrid lattice reduction and meet in the middle resistant parameter selection for NTRUEncrypt (2007) 12. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998) 13. Hoffstein, J., Silverman, J.: Optimizations for NTRU (2000) 14. Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing parameter sets for NTRUEncrypt with NAEP and SVES-3 (2005) 15. Katz, J.: Efficient and non-malleable proofs of plaintext knowledge and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 211–228. Springer, Heidelberg (2003) 16. Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008) 17. Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008) 18. Lyubashevsky, V.: Towards Practical Lattice-Based Cryptography. PhD thesis, University of California, San Diego (2008) 19. Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems: a cryptographic perspective. Kluwer Academic Publishers, Dordrecht (2002) 20. Micciancio, D., Vadhan, S.: Statistical zero-knowledge proofs with efficient provers: Lattice problems and more. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003) 21. Mol, P., Yung, M.: Recovering NTRU secret key from inversion oracles. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 18–36. Springer, Heidelberg (2008) 22. Peikert, C., Vaikuntanathan, V.: Non-interactive statistical zero-knowledge for lattice problems. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 536–553. Springer, Heidelberg (2008)
Zero-Knowledge Protocols for NTRU
213
23. Pointcheval, D., Poupard, G.: A new NP-complete problem and public-key identification. Designs, Codes and Cryptography 28(1), 5–31 (2003) 24. Schnorr, C.-P.: Efficient signature generation by smart cards. Journal of Cryptology 4(3), 161–174 (1991) 25. Shamir, A.: An efficient identification scheme based on permuted kernels (extended abstract). In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 606–609. Springer, Heidelberg (1990) 26. Stern, J.: A new paradigm for public key identification. IEEE Transactions on Information Theory 42(6), 749–765 (1996) 27. Whyte, W., Howgrave-Graham, N., Hoffstein, J., Pipher, J., Silverman, J.H., Hirschhorn, P.: IEEE P1363.1/D12 draft standard for public-key cryptographic techniques based on hard problems over lattices (October 2008)
Server-Controlled Identity-Based Authenticated Key Exchange Hua Guo1 , Yi Mu2 , Xiyong Zhang3 , and Zhoujun Li1 1
2
3
School of Computer Science & Engineering, Beihang University, Beijing 100083, PRC Centre for Computer and Information Security Research, School of Computer Science Software Engineering, University of Wollongong, NSW 2522, Australia Zhengzhou Information Science and Technology Institute, Zhengzhou, 450002, PRC {hg999,ymu}@uow.edu.au,
[email protected]
Abstract. We present a threshold identity-based authenticated key exchange protocol that can be applied to an authenticated server-controlled gateway-user key exchange. The objective is to allow a user and a gateway to establish a shared session key with the permission of the back-end servers, while the back-end servers cannot obtain any information about the established session key. Our protocol has potential applications in strong access control of confidential resources. In particular, our protocol possesses the semantic security and demonstrates several highly-desirable security properties such as key privacy and transparency. We prove the security of the protocol based on the Bilinear Diffie-Hellman assumption in the random oracle model. Keywords: Identity-based Cryptography, Key Exchange, Provable Security.
1
Introduction
Consider a networked system that consists of users, a gateway, a back-end server, and services. To access a service via the gateway, a user is authenticated by the back-end server. This is a common situation in practice. With a slight modification to allow the server to control the authenticated key exchange between user and gateway, we found a potential application to a server-controlled access to a classified database or service, which requires a strong protection. Intuitively, when a user wants to access to a classified service, he communicates with the gateway for a permission. The gateway forwards the request to the server that in turn checks the user’s information stored in the server. If the result is positive, the server allows the session key establishment between the user and the gateway. The future communication between user and gateway is then protected with the session key, which is unknown to the server. To further enhance the security of the system, we divide the power of the server into several pieces that J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 214–229, 2009. c Springer-Verlag Berlin Heidelberg 2009
Server-Controlled Identity-Based Authenticated Key Exchange
215
can be shared amongst multiple servers. This situation cannot be handled with a traditional access control matrix along with an authenticated key exchange between user and gateway. Our idea is to construct a cryptographic algorithm allowing the user to securely exchange a session key with the gateway, but the back-end servers do not gain any information about the session key. The gateway cannot establish a valid session key with a user without the help from the pre-defined number of back-end servers. As bonuses, our method offers the instantaneous revocation of a corrupted gateway and the strong security that even allows the collusion amongst the gateway and back-end servers whose number is less than a predefined threshold. We notice that a password-based solution seems to be an attractive solution to this kind of problems [1,2,3], where the session key between the user and gateway is established with the aid of a user password stored in the back-end server. In fact, it is not hard to establish a session key between a user and a gateway based on some existing two-party password-based key agreement protocols [4,5,6]. Unfortunately, those schemes are unable to offer a strong security, since the low entropy of passwords leads to the dictionary attack [7,8], and cannot withstand a stronger attack such as an attack from a corrupted gateway [1]. Mediated cryptography [9,10] seem to another alternative. The main idea behind mediated cryptography is to split a user’s private key into two parts and give one piece to the on-line security mediator and the other to the user. Unfortunately, it does not fit well to our scenario for a number of reasons. For example, if both of the user and the on-line security mediator are compromised, the communication in the system will be broken. To present a better and practical solution, we adopt the notion of identitybased cryptography [11,12,13,14]. Intuitively, we split the private key of the gateway to several parts, one is distributed to the gateway, and the rest are transferred to the back-end servers by means of a duel-threshold mechanism. The power is shared amongst the back-end servers that provide a private environment allowing the gateway and user to establish a shared session key. Our method has the follows merits. (1) Semantic security of the session key: any malicious adversary cannot compute the session key of the user and gateway. (2) Session key privacy: Colluded servers cannot compute the session key of the user and gateway. Even if the gateway colludes with k servers (k < t, where t is the threshold), they are still not able to find the session key. (3) Sever-controlled: The gateway cannot establish a valid session key with a user without the help from the pre-defined number of back-end servers. (4) Transparency to users: Users do not need to know how the server side protocol is implemented. The rest of this paper is organized as follows. In Section 2, we describe the preliminaries including bilinear map and the security model. In Section 3, we present our main protocol. In Section 4, we prove that our scheme is semantically secure and possesses the key privacy. In Section 5, we conclude the paper.
216
2
H. Guo et al.
Preliminaries
In this section, we introduce the background knowledge that will be used for our scheme. 2.1
Bilinear Map and Security Assumption
We first revisit the “admissible bilinear map” [15] and the Bilinear Diffie-Hellman problem, which plays a central roles in our scheme. The admissible bilinear map eˆ is defined over two groups of the same prime-order q denoted by G and GT in which the Computational Diffie-Hellman problem is hard. More formally, we have the following definition: Definition 1. (Bilinear Map) Let G is an additive group of prime order q and GT a multiplicative group of the same order. Let P denote a generator of G. An admissible pairing is a bilinear map eˆ : G × G → GT which has the following properties: – Bilinear: given Q, R ∈ G and a, b ∈ Zq∗ , we have eˆ(aQ, bR) = eˆ(Q, R)ab . – Non-degenerate: eˆ(P, P ) = 1GT . – Computable: eˆ is efficiently computable. Throughout this paper, we will simply use the term “bilinear map” to denote the admissible bilinear map. Bilinear map captures an important cryptographic problem, i.e., the Bilinear Diffie-Hellman (BDH) problem, which was introduced by Boneh and Franklin [15]. Definition 2. (BDH) Let ABDH be an attacker modeled as a probabilistic Turing machine taking the security parameter k as input. Suppose that a, b and c are uniformly chosen at random from Z∗q and aP , bP and cP are computed. ABDH is to solve the following problem: Given (G, GT , q, eˆ, P, aP, bP, cP ), compute eˆ(P, P )abc . We define ABDH ’s success probability as BDH SuccBDH outputs eˆ(P, P )abc ]. G,ABDH (k) = Pr[A
We denote by SuccBDH (tBDH ) the maximal success probability SuccBDH G G,ABDH (k) over all attackers having running time bounded by tBDH which is polynomial in the security parameter k. The BDH problem is said to be computationally intractable if SuccBDH (tBDH ) is negligible in k. G 2.2
Threshold Secret Sharing and Lagrange Interpolation
Let us revisit Shamir’s (t, n)-secret-sharing scheme over Zq [16]. Given a secret s ∈ Zq , pick f1 , f2 , · · · , ft−1 ∈ Z∗q . Let f (x) = s+f1 x+· · ·+ft−1 xt−1 . si = f (i) is the i-th share of the secret s for 1 ≤ i ≤ n. In order to share a private key (a point in G) of the gateway, in the following, we extend Shamir’s (t, n)-secret-sharing scheme over Zq to a group G of order q.
Server-Controlled Identity-Based Authenticated Key Exchange
217
Let q be a prime order of a multiplicative group G. Let g be a generator of G and S ∈ G be a point to share. We pick F1 , F2 , · · · , Ft−1 ∈R G. Let F (x) = S·F1x · xt−1 · · · · Ft−1 . We then compute Si = F (i) as the i-th share of the secret S for 1 ≤ t−1 i ≤ n. If S = g s , F1 = g f1 , · · · , Ft−1 = g ft−1 , then F (x) = g s+f1 x+···+ft−1 x , and Si = F (i) = g f (i) . Given any subset of t − 1 shares, there is no information about s (resp. S) leaked. When the number of shares reaches the threshold t, the secret can be easily recovered with Lagrange interpolation polynomial. Let (s1 , s2 , · · · , sn ) ∈ Znq , and (S1 , S2 , · · · , Sn ) ∈ Gn satisfy that sl = f (l) and Sl = F (l), for l = 1, 2, · · · , n. With any t distinct shares, (i1 , si1 ), (i2 , si2 ), · · · , (it , sit ), the polynomial f (x) is recovered with f (x) =
t
t
j=1 l=1,l=j
x − il si . ij − il j
With any t distinct shares, (i1 , Si1 ), (i2 , Si2 ), · · · , (it , Sit ), we can recover F (x) with t t x−il l=1,l=j ij −il F (x) = Sij . j=1
Notice that the above scheme does not tolerate a malicious adversary, i.e., a bad dealer could give shares that do not lie on a polynomial of degree t and/or bad servers may prevent reconstruction by giving out bad shares. 2.3
Security Model
We revisit the security model proposed by Bellare and Rogaway [17] and extended by Chen et al. [18] and then explain how to extend it to the case of distributed servers. The model includes a set of parties and each party is involved in a session s modeled by an oracle. An oracle Πi,j denotes an instance of a party i being involved with a partner j in a session s where the instance of the party j is t Πj,i for some t. These parties cannot communicate directly; instead they only communicate with each other via an adversary. An adversary can access the oracle by issuing some specified queries as follows. s s Send(Πi,j , m): This query models an active attack. Πi,j executes the protocol and responds with an outgoing message x or a decision to indicate accepting s or rejecting the session. If the oracle Πi,j does not exist, it will be created. s s Reveal(Πi,j ): Πi,j returns the session key as its response if the oracle accepts. Otherwise, it returns ⊥. Such an oracle is called opened. Corrupt(i): The party i responds with its private key. s Test(Πi,j ): At some point, the adversary can make a Test query to a fresh s s oracle Πi,j . Πi,j , as a challenger, randomly chooses b ∈ {0, 1} and responds with the real agreed session key, if b = 0; otherwise it returns a random sample generated according to the distribution of the session key.
218
H. Guo et al.
The security of a protocol is defined using the two-phase game G played between a malicious adversary A and a collection of oracles. In the first stage, A is able to send the first three oracle queries (as defined above) at will. Then, at some s point, A will choose a fresh session Πi,j on which to be tested and send a Test query to the fresh oracle associated with the test session. After this point, the adversary can continue querying the oracles but can not reveal the test oracle or its partner, and cannot corrupt the entity j. Eventually, A terminates the game simulation and outputs a bit b for b. We say A wins if the adversary guesses the correct b. Define the advantage of A as: AdvA (k) = | 2 Pr[b = b] − 1 |, where k is a security parameter. The fresh oracle in the game is defined as follows. s s Definition 3. (Fresh oracle [19]) An oracle Πi,j is called fresh if (1) Πi,j has s accepted; (2) Πi,j is unopened; (3) j has not been corrupted; (4) there is no t s opened oracle Πj,i , which has had a matching conversation to Πi,j .
In this work, we use the concatenation of the messages in a session to define the s session ID, thus to define the matching conversation, i.e., two oracles Πi,j and t Πj,i have a matching conversation to each other if both of them have the same session ID. Now we are ready to give the definition of a secure authenticated key agreement protocol. Definition 4. [18] Protocol Π is a secure authenticated key agreement protocol, if: 1. In the presence of the benign adversary (who faithfully relays messages bes t tween parties), on Πi,j and Πj,i , both oracles always accept holding the same session key and this key is distributed uniformly at random on session key space. If for every probability polynomial time adversary A, it leads to two cases: s t 2. If two oracles Πi,j and Πj,i have matching conversations and both i and j are uncorrupted, then both accept and hold the same session key. 3. AdvA (k) is negligible. If a protocol is proved to be secure with respect to the above definition 4, then it achieves implicit mutual key authentication and the basic security properties, i.e., known session key security, key-compromise impersonation resilience and unknown key-share resilience. [18] 2.4
Threshold Security Model
Each server in the set of n authentication servers is assumed to hold a share of the private key with the gateway. Each server can authenticate the user independently. To compute the final session secret key, the gateway needs the help
Server-Controlled Identity-Based Authenticated Key Exchange
219
from at least t (t is the threshold value) servers. In addition, even all of the authentication servers collude, they are still unable to compute the final session key shared between the user and the gateway. The communication channel connecting the user and the gateway may be insecure and perhaps under the control of an adversary, so that messages can be tapped and modified by an adversary. On the other hand, the communication between the gateway and the back-end servers is carried on a authenticated and private channel. Although the server’s side is implemented via a set of n servers S1 , · · · , Sn , we do not care the communication channels between these servers, since they communicate with the gateway directly. The adversary has the control on the user and the gateway. It can do anything against the messages between the user and the gateway. However, since the threshold scheme is used among the authentication back-end servers, we assume that the adversary is passive against the back-end servers and can only overhear the communications from the back-end servers. This assumption is reasonable, because we assume that the physical security of the back-end servers are strong and cannot be taken over by the adversary and the communication channel between a back-end server and a gateway is private and authenticated. Assume that the participants in the protocol are the user U ∈ U, the gateway G ∈ G, the set of authentication servers {S1 , · · · , Sn } with Si ∈ S, and a trusted dealer (which is acted by Private Key Generator in our model). The definition of semantic security of threshold protocol follows the one given in Section 2.3. At the beginning of the semantic security experiment, Private Key Generator (PKG) generates the private key corresponding to the identity. Then, it performs the secret sharing process and sends n shares to Si . After this phase, the adversary is given access to the same set of oracles used in the standard security model defined earlier. The exception is the queries related to the servers. We need to add an additional note to the “Send” query, originated from the back-end servers, to the gateway. According to the ability of the adversary against our scheme, messages from the servers cannot be tampered, thus must be generated by the servers. We also need to add an addition explanation to the “Corrupt” query on the authentication servers. The servers should return the partial secrets they own, related to the private key of the gateway when being given CorruptS (IDi ) query, where IDi must be the identifier of the gateway. Note that the adversary can corrupt any server(s) at will. For the key privacy, the only difference from the semantic security we defined above is that the adversary has more power; namely, the adversary can access all the secret information stored in the servers. Such adversary is still unable to distinguish actual session keys from random ones.
3
The Protocol
The protocol consists of the following algorithms. Setup. Given a security parameter k, this algorithm executes the following operations:
220
H. Guo et al.
– Generate two groups G and GT of the same prime order q ≥ 2k and choose a generator P of G and specify the bilinear map eˆ : G × G → GT – Choose the master key s of Private Key Generator (PKG) at random from Z∗q and compute the PKG’s public key as Ppub = sP . – Pick three hash functions H1 , H2 and H3 as follows: H1 : {0, 1}∗ → G∗ , H2 : G∗ → G∗ , H3 : {0, 1}∗ → {0, 1}n , for some integer n > 0. – Return a set of common parameters: cp = (G, GT , q, P, eˆ, H1 , H2 , H3 , sP ). PKG keeps the master key s secret. Extract. For a user (say, A) with an identity IDA ∈ {0, 1}l, given the master secret key s and the system public parameters, this algorithm computes QA = H1 (IDA ) and DA = sQA . PKG sends DA as his private key to A via a secure channel. For a gateway (say, B), instead of sending the private key directly, PKG splits DB using the duel-threhold secret sharing captured by a 2-out-of-2 secret sharing scheme and a k-out-n secret sharing scheme as follows. – PKG chooses p random values ai−1 (i = 1, · · · , p), and then computes h(x) = ap−1 xp−1 + ap−2 xp−2 + · · · + a1 x + a0 , and f (x) = x · h(x)H1 (IDB ) + DB . – PKG chooses n + 1 random values t0 , t1 , · · · , tn and computes f (t0 ) and h(ti ) (1 ≤ i ≤ n). PKG sends (t0 , f (t0 )) to the gateway and sends (ti , h(ti )) to the back-end server by the secure channel. – The gateway publishes t0 and keeps f (t0 ) secretly. The back-end servers publish ti and keep h(ti ). Key Agreement. To establish a shared session key for the gateway and the user, the back-end servers, the gateway, and the user conduct the following tasks. – The user chooses x1 and x2 from Z∗q randomly as his ephemeral keys and then computes the corresponding ephemeral public keys T11 = x1 QA , T12 = x1 H2 (x1 QA ), T13 = x2 Ppub and T14 = x1 x2 DA . A sends T1 = T11 T12 T 13 T 14 to the gateway, where denotes a bitwise concatenation. – After receiving T1 , the gateway forwards the message to the back-end servers Si (i ∈ {1, 2, · · · n}). eˆ(T11 , H2 (T11 )) = eˆ(QA , T12 ) and eˆ(P, T14 ) = eˆ(T13 , T11 ) hold or not. If they hold, Si firstly computes g˜1 = eˆ(QA , H1 (IDB )) and g˜2 = eˆ(T11 , H1 (IDB )), and then computes (y1 )i = g˜1 h(ti ) and (y2 )i = g˜2 h(ti ) . Si sends (y1 )i and (y2 )i to the gateway. – Upon receiving at least p pairs ({(y1 )i }, {(y2 )i })(1 ≤ i ≤ n), the gateway conducts the following tasks: The gateway chooses y from Z∗q randomly as his ephemeral key and computes the corresponding ephemeral public keys T21 = yQB and T22 = yH2 (yQB ), and then sends T2 = T21 T22 to the user. The gateway computes g˜1 h(x) = g˜1
p
s=1
h(tis )
p
x−tj j=1,j=s ti −ti s j
=
p
p
((y1 )is )
s=1
x−tj j=1,j=s ti −ti s j
.
Server-Controlled Identity-Based Authenticated Key Exchange
g˜2 h(x) = g˜2
p
s=1
h(tis )
p
x−tj j=1,j=s ti −ti s j
=
p s=1
221
p
((y2 )is )
x−tj j=1,j=s ti −ti s j
.
g˜1 h(t0 ) = eˆ(QA , H1 (IDB ))h(t0 ) . g˜2 h(t0 ) = eˆ(T11 , H1 (IDB ))h(t0 ) . The gateway computes eˆ(QA , f (t0 )) (g˜1 h(t0 ) )t0
=
eˆ(QA , t0 h(t0 )H1 (IDB ) + DB ) = eˆ(QA , DB ) eˆ(QA , H1 (IDB ))t0 h(t0 )
=
eˆ(T11 , t0 h(t0 )H1 (IDB ) + DB ) = eˆ(T11 , DB ). eˆ(T11 , H1 (IDB ))t0 h(t0 )
and eˆ(T11 , f (t0 )) (g˜2
h(t0 ) t0 )
Finally, the gateway computes the session secret kBA = eˆ(QA , DB )y ·ˆ e(T11 , DB ). – Upon receiving T2 , the user checks if the equation eˆ(T21 , H2 (T21 )) = eˆ(QB , T22 ) holds using the identity of the gateway. If it holds, the user computes the shared session key as KAB = eˆ(DA , QB )x1 · eˆ(DA , T21 ). Protocol Correctness: We can easily verify the correctness: KAB = eˆ(DA , T21 ) · eˆ(DA , QB )x1 = eˆ(T11 , DB ) · eˆ(QA , DB )y = KBA . Notice that the shared secret has been established as K = KAB = KBA after running an instance of the protocol. The final shared session key is then constructed as sk = H3 (ABT1 T2 K), where H3 : {0, 1}∗ → {0, 1}n.
4
Security Analysis
Theorem 1. If H1 , H2 and H3 are random oracles and the BDH assumption holds, then our scheme is a secure key agreement protocol. In particular, suppose B is an adversary that attacks the scheme in the random oracle model with non-negligible probability n(k) and makes at most q1 , q3 queries to H1 and H3 , respectively, and creates at most qo oracles. Then there exists an algorithm A to BDH solve the BDH problem with advantage AdvA (k) ≥ q1 ·q13 ·qo n(k). Proof: Provided in the appendix A. Remark 1. This proof also implies the key privacy, since the extra ability of the servers is due to the shares of the partial key, however this can be obtained by the ordinary adversary by requiring the “CorruptS (IDi )” oracles.
222
5
H. Guo et al.
Conclusion
In this paper, we presented a server-controlled identity-based protocol which can be used to establish a session key between a user and a gateway for a controlled access. One of the most important features in our protocol is that the gateway cannot compute the final session key without the help of the pre-defined number of servers and the servers cannot extract the final session key. This protocol has potential applications in the access control of classified databases or other services. We prove the security of this protocol based on the BDH assumption in random oracle model.
References 1. Abdalla, M., Chevassut, O., Fouque, P., Pointcheval, D.: A simple threshold authenticated key exchange from short secrets. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 566–584. Springer, Heidelberg (2005) 2. Raimondo, M.D., Gennaro, R.: Provably secure threshold password-authenticated key exchange. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 507–523. Springer, Heidelberg (2003) 3. MacKenzie, P.D., Shrimpton, T., Jakobsson, M.: Threshold passwordauthenticated key exchange. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 385. Springer, Heidelberg (2002) 4. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000) 5. Bresson, E., Chevassut, O., Pointcheval, D.: New security results on Encrypted Key Exchange. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 145–158. Springer, Heidelberg (2004) 6. Abdalla, M., Pointcheval, D.: Simple password-based encrypted key exchange protocols. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 191–208. Springer, Heidelberg (2005) 7. Byun, J.W., Lee, D.H., Lim, J.I.: Security analysis and improvement of a gatewayoriented password-based authenticated key exchange protocol. IEEE Communication Letters 10(9), 683–685 (2006) 8. Shim, K.: Cryptanalysis and enhancement of modified gateway-oriented passwordbased authenticated key exchange protocol. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E91-A(12), 3837–3839 (2008) 9. Boneh, D., Ding, X., Tsudik, G., Wong, C.: A method for fast revocation of public key certificates and security capabilities. In: Proceedings of the 10th USENIX security symposium, USENIX (2001) 10. Baek, J., Zheng, Y.: Identity-based threshold decryption. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 262–276. Springer, Heidelberg (2004) 11. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)
Server-Controlled Identity-Based Authenticated Key Exchange
223
12. Smart, N.P.: An identity based authenticated key agreement protocol based on the Weil pairing. In: Electronics Letters, vol. 38, pp. 630–632. Springer, Heidelberg (2002) 13. Chen, L., Kudla, C.: Identity based authenticated key agreement from pairings. In: Proceedings of the 16th IEEE Computer Security Foundations Workshop, pp. 219–233 (2003) 14. McCullagh, N., Barreto, P.S.L.M.: A new two-party identitybased authenticated key agreement. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 262–274. Springer, Heidelberg (2005) 15. Boneh, D., Franklin, M.: Identity based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001) 16. Shamir, A.: How to share a secret. Communications of the ACM 22, 612–613 (1979) 17. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994) 18. Chen, L., Cheng, Z., Smart, N.P.: Identity-based key agreement protocols from pairings. International Journal of Information Security 6, 213–241 (2007) 19. Cheng, Z., Nistazakis, M., Comley, R., Vasiu, L.: On the indistinguishability-based security model of key agreement protocols-simple cases. In: Proceedings of ACNS 2004, technical track (2004)
Appendix A Proof of Theorem 1: For notational convenience, we assume that the same group parameters (G, GT , q, eˆ, P ) and security parameter k are given to attackers for our scheme and the BDH problem. Session ID is defined as a concatenation of T1 T2 . Let A be an attacker against the BDH problem and let B be an attacker against our scheme. Suppose there exists a simulator that gives the instance (G, GT , q, eˆ, P, aP, bP, cP ) to A. Also, suppose that the same security parameter k is given to B. Algorithm A’s task is computing eˆ(P, P )abc using the adversary B against the protocol. A simulates the Setup algorithm to adversary B as follows. The system public parameters are defined to be the pairing parameters of the input problem. The master public key is set to be Ppub = aP , hence A doesn’t know the master secret key. The function H1 , H2 and H3 are instantiated as random oracles under the control of A. Algorithm A randomly chooses I ∈R {1, · · · q1 } and J ∈R {1, · · · , qo } and s begins its simulation. Here we should note that the notation Πi,j is the s-th oracle among all the created oracles. Algorithm A answers the queries which are asked by adversary B in arbitrary order as follows. H1 (IDi ) queries: Algorithm A maintains an initially empty list H1list with entries of the form (IDi , Qi , ∗) where ∗ ∈ {⊥, li }. When B queries the oracle H1 at a point IDi , A responds to the query in the following way: – If IDi already appears on the H1list in a tuple (IDi , Qi , ∗) where ∗ ∈ {⊥, li }, then A responds with H1 (IDi ) = Qi .
224
H. Guo et al.
– Else, if IDi is the I-th unique identifier query, then A stores (IDi , bP, ⊥) into the tuple list and responds with H1 (IDi ) = bP . – Otherwise, A checks the identifier of i. • If IDi is the identifier of a user, then A randomly selects li (i > 0) and inserts (IDi , li P, li ) into the tuple list. • If IDi is the identifier of a gateway, then A sends this query to the simulator. The simulator randomly selects li ∈ Z∗q , and sends Qi = li P to A. A inserts (IDi , Qi , ⊥) into H1list . • A responds H1 (IDi ) = Qi to B. H2 (Si ) queries: Algorithm A maintains an initially empty list H2list with entries of the form (Su , mu , Ru , wu ). A responds to the query in the follows way. – If a tuple (Si , mi , Ri , wi ) has already appeared on the H2list , then A responds with Ri . – Otherwise, A randomly selects mi (i > 0) ∈R Z∗q . If mi aP = P , then responds to the BDH challenge with eˆ(bP, cP )1/mi . Otherwise A inserts (Si , mi , mi aP, ⊥) into the tuple list. A responds with mi aP . H3 (IDit , IDjt , Tit , Tjt , K t ) queries: A maintains an initially empty list H3list with entries of the form (IDit , IDjt , Tit , Tjt , K t , ζ t ) which is indexed by (IDit , IDjt , Tit , Tjt , K t ). A responds to the query in the following way. – If a tuple indexed by (IDit , IDjt , Tit , Tjt , K t ) is on the list, then A responds with ζ t . – Otherwise, A chooses a random string ζ t ∈ {0, 1}n and inserts a new tuple (IDit , IDjt , Tit , Tjt , K t , ζ t ) into the list H3list and returns ζ t . CorruptS (IDi ): A keeps a list Δ of (IDi , h(x1 ), h(x2 ), · · · , h(xn )) where IDi is the identifier of the gateway. A checks the list Δ . – If there is a tuple indexed by IDi , A returns h(xj ) ( j ∈ {1, · · · n} ) to B. – Otherwise, A gives the query to the simulator. The simulator proceeds in the following way: • Choose p random values aj−1 (j = 1, · · · , p) and construct h(x) = ap−1 xp−1 + ap−2 xp−2 + · · · + a1 x + a0 ; • Choose n random values x1 , · · · , xn and compute h(xj ) (1 ≤ j ≤ n). • Return h(xj ) to A, then A inserts ( IDi , h(x1 ), h(x2 ), · · · , h(xn ) ) into the list Δ . • Query Qi = H1 (IDi ). If Qi = bP , then ∗ Construct f (x) = xh(x) · Qi + aQi ; ∗ Choose a random value x0 and compute f (x0 ). ∗ Return f (x0 ) to A, then A inserts (IDi , f (x0 )) to Δ.
Server-Controlled Identity-Based Authenticated Key Exchange
225
Otherwise, A inserts (IDi , ⊥) to Δ. – A returns h(xj ) to B. CorruptA (IDi ): A goes through list H1list . If IDi is not on the list, A queries H1 (IDi ). A checks the value of li : if li =⊥, then A responds with li aP ; otherwise, A aborts the game (Event 1). CorruptB (IDi ): A keeps a list Δ of (IDi , f (x0 )) and a list Δ of (IDi , h(x1 ), h(x2 ), · · · , h(xn )). – If the tuple indexed by IDi is on the list, A returns f (x0 ) to B. – Otherwise, A gives the query to the simulator. The simulator proceeds in the following way: • Choose p random values aj−1 (j = 1, · · · , p) and construct h(x) = ap−1 xp−1 + ap−2 xp−2 + · · · + a1 x + a0 ; • Choose n random values x1 , · · · , xn and compute h(xj ) (1 ≤ j ≤ n). • Return h(xj ) to A, and then A inserts (IDi , h(x1 ), h(x2 ), · · · , h(xn )) into the list Δ . • Query Qi = H1 (IDi ). If Qi = bP , the simulator does the following: ∗ Construct f (x) = xh(x) · Qi + aQi ; ∗ Choose a random value x0 and compute f (x0 ). ∗ Return f (x0 ) to A, and then A inserts (IDi , f (x0 )) to Δ. ∗ Return f (x0 ) to B. Otherwise, A inserts (IDi , ⊥) to Δ and aborts the game (Event 2). t t SendA (Πi,j , M ): A maintains a list Ω1 for each oracle of the form (Πi,j , tranti,j , t t (r1 )ti,j , (r2 )ti,j , Ki,j ,SKi,j ) where tranti,j is the transcript of the oracle so far; t t (r1 )i,j , (r2 )i,j are the random integers used by the oracle to generate the mest t sages, and Ki,j and SKi,j are set ⊥ initially. This list is updated in other queries as well. A proceeds in the following way:
– Split M as M = (M1 , M2 ), and query Qi = H1 (IDi ) = li P , Qj = H1 (IDj ) and R = H2 (M1 ). – If M = ⊥, proceed as follows: • If t = J, ∗ If Qj = bP , abort the game (Event 3). ∗ Otherwise, randomly choose ξ ∈ Z∗q and ξ such that Φ = ξli cP is not shown on H2list , then randomly sample wt ∈ Z∗q and insert (ξli cP, ⊥, wt P, wt ) into H2list . Respond with (ξli cP , wt ξcP , ξ P and ξξ li cP ). Set (r1 )ti,j = ξc = ⊥ and (r2 )ti,j = ξa = ⊥. It is easy to verify that the response can pass the message check eˆ(wt P, ξli cP ) = eˆ(wt ξcP, li P ) and eˆ(P, ξξ li cP ) = eˆ(ξli cP, ξ P ).
226
H. Guo et al.
• Otherwise, randomly choose (r1 )ti,j ∈ Z∗q and (r2 )ti,j ∈ Z∗q such that (r1 )ti,j bP has not been shown on H3list as some Xu . Respond with ((r1 )ti,j Qi , (r1 )ti,j H2 ((r1 )ti,j Qi ), (r2 )ti,j aP , (r1 )ti,j (r2 )ti,j li aP ) where li aP can be found in the tuple index by IDi from H1list . – If M is the last message on the transcript, check if the equation eˆ(M1 , R) = eˆ(Qj , M2 ) holds or not. If not, reject the session. Otherwise, do nothing but accept the session. t t t SendB (Πi,j , M ): A maintains a list Ω2 for each oracle of the form (Πi,j , tranti,j ,ri,j , t t t t Ki,j ,SKi,j ) where trani,j is the transcript of the oracle so far; ri,j is the random t t integer used by the oracle to generate the messages, and Ki,j and SKi,j are set ⊥ initially. This list is updated in other queries as well. A proceeds in the following way:
– If M is the first message on the transcript, respond with M . – If M is the third message on the transcript, do the following: • If t = J, ∗ If Qj = bP , abort the game (Event 4). ∗ Otherwise, forward the query to the simulator. The simulator randomly samples ξ ∈ Z∗q such that Φ = ξli cP is not shown on H2list , and chooses wt ∈ Z∗q , then computes ξli cP and wt ξcP and returns them to A. A inserts (ξli cP, ⊥, wt ξcP, wt ) into the list H2list , and t responds with (ξli cP , wt ξcP ) and sets ri,j = ⊥. t t • Otherwise, randomly choose ri,j ∈ Z∗q such that ri,j bP has not been list t t t shown on H3 as some Xu . Respond with (ri,j Qi , ri,j H2 (ri,j Qi )). t SendS (Πi,j , M ): A keeps an initially empty list Γ with the entries of the form t (Πi,j , ((y1 )1 , (y2 )1 ), ((y1 )2 , (y2 )2 ), · · · , ((y1 )n , (y2 )n )). A firstly spits the message M as (M1 , M2 , M3 , M4 ), then queries Qi = H1 (IDi ) and R = H2 (M1 ). A checks the equations eˆ(M1 , R) = eˆ(Qi , M2 ) and eˆ(P, M4 ) = eˆ(M3 , M1 ). If the equations do not hold, reject the section. Otherwise, do the following:
– – – – –
Query CorruptS (IDi ) and Qj = H1 (IDj ). Compute g˜1 = eˆ(Qi , Qj ) and g˜2 = eˆ(M1 , Qj ). Compute (y1 )k = g˜1 h(xk ) and (y2 )k = g˜2 h(xk ) (k ∈ {1, 2, · · · , n}). t Insert a new tuple indexed by Πi,j into the list Γ . Respond at least p pairs ((y1 )k , (y2 )k ) (1 ≤ k ≤ n) to B.
t t RevealA (Πi,j ): A maintains a list L with tuples of the form (IDi , IDj , Ti , Tj , Πi,j ) where Ti is the message generated by IDi , and Tj = (M1 , M2 ) is the message received by IDi . A answers the queries as follows: t – Get the tuple of oracle Πi,j from Ω1 . t – If oracle Πi,j has not accepted, respond with ⊥. J – If t = J or if the J-th oracle has been generated as Πa,b and IDa = IDj , IDb = IDi and two oracles have the same session ID, abort the game (Event 5).
Server-Controlled Identity-Based Authenticated Key Exchange
227
t t – If SKi,j = ⊥, return SKi,j . – Otherwise, query Qi = H1 (IDi ). • If li = ⊥ (so di = li aP ), compute t
t Ki,j = eˆ(li aP, Qj )(r1 )i,j · eˆ(li aP, M1 )
where Qj is found from H1list for identifier IDj and M1 is the first tuple of the received message Tj . By making an H3 query, set t t SKi,j = H3 (IDi , IDj , Ti , Tj , Ki,j ). t t Update Ω1 by putting SKi,j , and then return SKi,j as the response. • Otherwise, it should have di = abP . A does not know this value and t t should not be able to compute Ki,j = eˆ(abP, Qj )ri,j · eˆ(abP, M1 ). A proceeds as follows: ∗ Query R = H2 (M1 ) and Qj = H1 (IDj ). ∗ Go through the list H2list to find a tuple (M1 , mt , mt aP, ⊥) indexed by M1 . If such a tuple exists, since Tj = (M1 , M2 ) satisfied the equation
eˆ(R, M1 ) = eˆ(M2 , lj P ), i.e., eˆ(mt aP, M1 ) = eˆ(M2 , lj P ), A forwards this query to the simulator. The simulator computes t
t Ki,j = eˆ(abP, Qj )ri,j · eˆ(abP, M1 ) lj t = eˆ(ri,j aP, lj bP ) · eˆ(bP, M2 ) mt
and returns it to A. A sets t t SKi,j = H3 (IDi , IDj , Ti , Tj , Ki,j ) t ∗ Otherwise, randomly sample SKi,j ∈ {0, 1}n, put (IDi , IDj , Ti , Tj , t Ki,j ) into the list L. t ∗ Return SKi,j as the response. t RevealB (Πi,j ): A maintains a list L with tuples of the form (IDi , IDj , Ti , Tj , t Πi,j ) where Ti is the message generated by IDi , and Tj = (M1 , M2 , M3 , M4 ) is the message received by IDi . A answers the queries as follows: t – Get the tuple of oracle Πi,j from Ω2 . t – If oracle Πi,j has not accepted, respond with ⊥. J – If t = J or if the J-th oracle has been generated as Πa,b and IDa = IDj , IDb = IDi and two oracles have the same session ID, abort the game (Event 6).
228
H. Guo et al.
t t – If SKi,j = ⊥, return SKi,j . – Otherwise, • Query Qi = H1 (IDi ) and Qj = H1 (IDj ). • If Qi = bP , compute
g˜1 h(x) = g˜1
p
s=1
h(xis )
p
x−xj j=1,j=s xi −xi s j
=
p s=1
g˜2 h(x) = g˜2
p
s=1
h(xis )
p
x−xj j=1,j=s xi −xi s j
=
p s=1
p
(yis )
x−xj j=1,j=s xi −xi s j
.
p
(yis )
x−xj j=1,j=s xi −xi s j
.
g˜1 h(x0 ) = eˆ(Qj , H1 (IDi )))h(x0 ) . g˜2 h(x0 ) = eˆ(M1 , H1 (IDi ))h(x0 ) . eˆ(Qj , f (x0 )) (g˜1 h(x0 ) )x0 eˆ(M1 , f (x0 )) (g˜2
h(x0 ) x0 )
=
eˆ(Qj , x0 h(x0 )H1 (IDi ) + Di ) = eˆ(Qj , Di ). eˆ(Qj , H1 (IDi ))x0 h(x0 )
=
eˆ(M1 , x0 h(x0 )H1 (IDi ) + Di ) = eˆ(M1 , Di ). eˆ(M1 , H1 (IDi ))x0 h(x0 ) t
skij = eˆ(Qj , Di )ri,j · eˆ(M1 , Di ). Here, Qj is found from H1list and M1 is the first tuple of the received mest t sage Tj . By making an H3 query, set SKi,j = H3 (IDj , IDi , Tj , Ti , Ki,j ). t t Update Ω2 by putting SKi,j and return SKi,j as the response. • Otherwise, it should have di = abP . A does not know f (x0 ) and should not be able to compute eˆ(abP, M1 ), thus should not be able to compute t t Ki,j = eˆ(Qj , abP )ri,j · eˆ(abP, M1 ) A proceeds as follows: ∗ Query R = H2 (M1 ) where M1 is found from Ω2 . ∗ Go through the list H2list to find a tuple (M1 , mt , mt aP, ⊥) indexed by M1 . Since (M1 , M2 ) satisfied the equation eˆ(M1 , R) = eˆ(Qj , M2 ), i.e, eˆ(M1 , mt aP ) = eˆ(lj P, M2 ), we can compute t
t t skij = eˆ(Qj , abP )ri,j · eˆ(abP, M1 ) = eˆ(ri,j lj bP, aP ) · eˆ(bP,
li M2 ), mt
where Qj is found from H1list for identifier IDj and (M1 , M2 ) are the two first tuples of the received message Tj . Set t t SKi,j = H3 (IDj , IDi , Tj , Ti , Ki,j ) t ∗ Otherwise, randomly sample SKi,j ∈ {0, 1}n, put (IDi , IDj , Ti , Tj , t Ki,j ) into list L. t ∗ return SKi,j as the response.
Server-Controlled Identity-Based Authenticated Key Exchange
229
t s Test(Πi,j ): If t = J or t = J but there is an oracle Πj,i which has the same session t ID as Πi,j that has been revealed, B aborts the game (Event 7). Otherwise, B responds to A a random number ζ ∈ {0, 1}n. After B finishes the queries, it returns its guess. Then A proceeds with the following steps: J – If M1 is the first tuple of the received message of Πi,j where IDi is the identifier of the user, then compute D = eˆ(li aP, M1 ). Note that here we have di = li aP where li = ⊥ found from H1list corresponding to identifier IDi , and J Ki,j = eˆ(li aP, bP )ξc · eˆ(li aP, M1 ) = (ˆ e(P, P )abc )ξli · eˆ(li aP, M1 ). J – If M1 is the first tuple of the received message of Πi,j where IDi is the identifier of the gateway, A asks for li from the simulator. This is allowed since the simulation is already finished. A then proceeds as follows: • Compute
g˜2
h(x)
p
= g˜2
s=1
h(xis )
p
x−xj j=1,j=s xi −xi s j
=
p s=1
p j=1,j=s (yis )
x−xj xi −xi s j
,
where at least p h(xi ) can be found from the list Δ which is indexed by IDi . Then, compute g˜2 h(x0 ) = eˆ(M1 , H1 (IDi ))h(x0 ) . • Compute eˆ(M1 , f (x0 )) D= = eˆ(M1 , Di ) (g˜2 h(x0 ) )x0 where f (x0 ) is found from Δ for identifier IDi . J Note that Ki,j = eˆ(bP, li aP )ξc · eˆ(M1 , Di ) = (ˆ e(P, P )abc )li ξ · eˆ(M1 , Di ). 1
– A randomly samples Kl from the H3list , and responds (Kl /D) ξli to the BDH challenge. J Let Event 8 be that, in the attack, adversary B indeed chose the oracle Πi,j as the challenger oracle where Idj was queried on H1 as the I-th distinct identifier query. Then according to the rules of the game, we have
Pr[Event 8] = Pr[∨7i=1 Event i] ≥
1 1 · . q1 qo
Claim. Let Event 9 be the event that B noticed the inconsistence between the simulation and the real world when A did not abort the simulation. Then Event 9 implies that the probability A solves the BDH problem is non-negligible. Due to to the page limitation, the proof is omitted. Claim. Let Event 10 be the event that K = eˆ(li aP, ξbcP ) · eˆ(li aP, M1 ) was not queried on H3 conditioned on Event 8, then Pr[Event 8] ≥ n(k). Due to to the page limitation, the proof is omitted.
Oracle Separation in the Non-uniform Model Ahto Buldas1,2,3, , Sven Laur3 , and Margus Niitsoo1,3 2
1 Cybernetica, Akadeemia tee 21, 12618 Tallinn, Estonia Tallinn University of Technology, Raja 15, 12618 Tallinn, Estonia 3 University of Tartu, Liivi 2, 50409 Tartu, Estonia {Ahto.Buldas,Sven.Laur,Margus.Niitsoo}@ut.ee
Abstract. Oracle separation methods are used in cryptography to rule out blackbox reductions between cryptographic primitives. It is sufficient to find an oracle relative to which the base primitive exists but there are no secure instances of the constructed primitive. In practice, it is beyond our current reach to construct a fixed oracle with such properties for most of the reductions because it is difficult to guarantee the existence of secure base primitives. For example, to show that there exist no black-box reductions from collision-free functions to one-way permutations we have to show that secure one-way permutations exist relative to the oracle. However, no deterministic constructions for unconditionally secure one-way permutations are known yet. To overcome this gap, randomized oracles are used to create random base primitives that are secure on average. After that, a fixed oracle with the desired properties is extracted from the probability distribution by using non-constructive combinatorial arguments such as the first Borel-Cantelli lemma. This oracle extraction argument only applies to uniform reductions because it uses the countability of the set of all uniform Turing machines. In this work, we show how to adapt oracle separation results to the non-uniform security model. We consider the known separation techniques that are capable of ruling out the so-called fully black-box reductions and show that they can be extended to the non-uniform model with only minor modifications. As almost all separation results known to date fit into our separation framework, we conclude that they imply non-existence of fully black-box reductions in the non-uniform model. We also generalize our approach to a certain strong form of semi-black-box reductions. However, it stays an open question whether it is possible to adapt our technique to the weaker notions of black-box reductions in the non-uniform model.
1 Introduction Complex cryptographic protocols are often built from simpler building blocks called primitives. Usually, the security of such protocols is proved based solely on the security guarantees of the original primitives independent of their actual implementation details. Such constructions are called black-box reductions. To date, almost all security proofs for efficient cryptographic constructions utilize black-box reductions.
This research was supported by the European Regional Development Fund through the Estonian Center of Excellence in Computer Science (EXCS), by Estonian SF grant no. 6944, and by EU FP6-15964: “AEOLUS”.
J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 230–244, 2009. c Springer-Verlag Berlin Heidelberg 2009
Oracle Separation in the Non-uniform Model
231
Although back-box reductions are extremely useful cryptographic tools, there exist limits on where they can be applied. There are many known cases for which it is proved that such a reduction cannot exist. This usually means that a very clever proof construction is necessary if the reduction can be achieved at all. As very few of these clever constructions are known, the power and limits of black-box reductions are of a rather special interest to many people working in the field. The first separation result involving black-box reductions was given in 1989 by Impagliazzo and Rudich [5]. They showed that there are no such reductions from key agreement protocols to one-way functions. Their seminal paper was followed by a long line of similar types of results [3,4,8]. The approach was even generalized by Kim, Simon and Tetali [6] to give bounds on reduction efficiency. Though all these results leave open the existence of more specific security proofs they are still valuable hardness indicators as they rule out the most obvious approaches. Non-existence of black-box reductions is commonly shown by oracle separation techniques. In complexity theory, oracle separation has been widely applied to prove limits of the proving techniques capable of establishing set-theoretical inclusions between complexity classes. For example, with oracle separation one can easily show that diagonal arguments are insufficient to solve the famous P vs NP question. This is done by showing two oracles—one relative to which the conjecture holds and another for which it does not. In cryptography, oracle separation is used to argue that it is impossible to securely implement a primitive or a protocol P given only black-box access to a secure low-level primitive f as an instance of a class of primitives Q. This is done by defining an oracle such that the primitive f remains secure even if the adversary can access the oracle but any instance Pf of the protocol P being considered is insecure relative to the oracle. In classical separation results of complexity theory, oracles are defined as fixed functions that always behave the same way. In cryptographic separations, it is often hard to explicitly define a fixed separation oracle. For example, if one wishes that one way functions exist relative to the oracle, an explicit functional description of such function should then be given (as a part of the oracle). This is however still unreachable for the state of the art computer science—the existence of one way functions is conjectured but not yet proved. So, in cryptographic separations we often assume that oracles are chosen randomly from certain probability distributions. We then prove that the separation statements hold on average and then argue that there exists a particular choice of the oracle for which the statements hold. For example, one-way functions indeed exist in the random oracle model because random functions are one-way on average [5]. For modeling (simulating) a random oracle, it is often fruitful to assume that oracles are stateful— their output on a given input depends not only on the random choices but also on the previous queries made to the primitive. Such extensions can still be modeled via deterministic functions by just giving them random coins and their state as an extra input parameter. However, as the oracle separation results usually construct an oracle that gives an idealized implementation of the primitive, it makes sense to allow this oracle to also be either randomized or stateful. This is often modeled by constructing a large family of suitable deterministic oracles and then analyzing what happens on average if we pick one of them randomly. The same situation can also be formalized
232
A. Buldas, S. Laur, and M. Niitsoo
by having a large oracle that models the whole family and then giving it access to a randomness source so it could internally fix which constituent oracle it would use. This means that the reductions essentially use a randomized oracle. It would then seem natural that the oracle separation results would also be stated with respect to the random oracles. However, as the classical separation theorems are adopted from the classical model, the authors still try to make their oracle choice deterministic. Such an oracle extraction approach, though, has a big limitation—it usually requires the use of Borel-Cantelli lemma which only works when there are only countably many potential adversaries. In brief, non-existence of reductions can only be shown in the uniform model via this approach, as the set of non-uniform Turing machines is not countable. In this paper, we show that in many cases the oracle extraction step is actually unnecessary and propose a new oracle separation approach that is also applicable for non-uniform and precise reductions. For that, we show that there is a hierarchy of separation results depending on whether we treat cryptographic primitives as deterministic functions or randomized algorithms. As the main result, we prove that a separation result for randomized stateless primitives also implies the non-existence of black-box reductions for deterministic primitives. This means that one can freely use randomized oracle constructions to establish classical separation results. In particular, all classical separations [5,8,4] that were proved in the uniform setting can be shown to hold in the non-uniform and precise settings with just minor restrictions.
2 Preliminaries By x ← D we mean that x is chosen randomly according to a distribution D. If A is a probabilistic function or a Turing machine, then x ← A(y) means that x is chosen according to the output distribution of A on an input y. If D1 , . . . , Dm are distributions and F (x1 , . . . , xm ) is a predicate, then Pr [x1 ← D1 , . . . , xm ← Dm : F (x1 , . . . , xm )] denotes the probability that F (x1 , . . . , xm ) is true. We use the Big Oh notation for describing asymptotic properties of functions. In particular, f (k) = O(1) means that f is bounded and f (k) = k −ω(1) means that f (k) decreases faster than any polynomial, i.e., f is negligible. A Turing machine M is polytime if it runs in time k O(1) , where k denotes the input size that is mostly referred to as the security parameter. By an oracle Turing machine we mean an incompletely specified Turing machine S that comprises calls to oracles. The description can be completed by defining the oracle ∗ ∗ as a function O : {0, 1} → {0, 1} . In this case, the machine is denoted by SO . The function y ← O(x) does not have to be computable but has a conditional running time t(x), which does not necessarily reflect the actual amount of computations needed to produce y from x. The running time of SO comprises the conditional running time of oracle calls—each call O(x) takes t(x) steps. We assume that all the oracles O are polyO(1) time, that is t(x) = |x| , where |x| denotes the bit-length of x. Note that though the classical complexity-theoretic oracles only require a single step, this more general notion is appropriate in cryptography where oracles often model abstract adversaries with running time t. We say that S is a poly-time oracle machine if SO runs in polytime, whenever O is poly-time. By a non-uniform poly-time oracle machine we mean an
Oracle Separation in the Non-uniform Model
233
ordinary poly-time oracle machine S together with a family A = {ak }k∈N of (advice) bit-strings ak with length k O(1) . For any oracle O and any input x, it is assumed that SO (x) has access to the advice string a|x| . Usually, the advice strings are omitted for simplicity, but their presence must always be assumed when S is non-uniform. One of the most important facts about non-uniform poly-time Turing machines is that there is an uncountable number of them, whereas there are only countably many ordinary Turing machines.
3 Primitives Complex cryptographic constructions can often be decomposed into a few fundamental building blocks that are called primitives. One is usually interested in proving the security of constructions based solely on the properties of the underlying primitives. Reingold et al. [7] give a formal definition by considering primitives as families of functions of type f : {0, 1}∗ → {0, 1}∗ along with a matching between these functions and Turing machines implementing them. Indeed, for many common primitives such as one-way permutations or collision-resistant hash functions this formalization coincides with our intuition—an instance of a primitive is indeed just one function. In some more complicated cases that actually have more than one type of functionality, it may make more sense to define a primitive as a tuple of functions. However, we can usually concatenate these functions into one single function—we just use the first few input bits to tell the function which subfunction we want to use. This means that we can still formalize the primitive as one single function, although it may be a little counter-intuitive. A primitive is usually defined in terms of functional requirements that the instances of the primitive must satisfy before it makes sense to talk about their security. These requirements, though, are just syntactic and have nothing to do with security. For example, every permutation is an instance of the one-way permutation primitive, however, it does not have to be a secure instance. However, in the context of cryptography we also need to talk about security. Reingold et al. [7] define security in terms of a relation between primitives and Turing machines possibly breaking them. That is, a given machine either breaks the given primitive or it doesn’t. However, many common cryptographic primitives (such as one-way functions) already have randomness in their security games and thus breakages actually occur with certain probability. Hence, it makes sense to define the advantage as a function even for deterministic primitives and Turing machines. The advantage is usually defined in terms of the security parameter k which is usually tied to the actual input (or output) lengths used in the function1. All this leads to the following general definition. Definition 1 (Deterministic primitive). A deterministic primitive P is a set of functions of type f : {0, 1}∗ → {0, 1}∗. Primitives have an advantage function A DVP k (·, ·), which given as input the security parameter k ∈ N, an instance f of P, and an oraO cle Turing machine AO (an adversary) returns a real number A DVP k (f, A ) ∈ [0, 1] 1
By definition, the functions are required to work for all input lengths. This could be relaxed by defining some restrictions in the functional requirements part.
234
A. Buldas, S. Laur, and M. Niitsoo
(the advantage of AO ). The function A DVP k (f, ·) is extended to probabilistic Turing machines by taking the average over their randomness strings, assuming that each fixed randomness string gives a deterministic poly-time Turing machine for which A DV P () is O already defined. We say that AO breaks an instance f of P if A DV P = k −ω(1) . k (f, A ) O If for a fixed oracle O no probabilistic poly-time oracle Turing machine A breaks f then f is said to be secure relative to O. We emphasize that our definition says nothing about the efficiency of f . The function may even be non-computable, as long as the advantage that can be gained by any adversary is negligible. Of course, in practice one needs an instantiation of a primitive that is both efficient and secure. Commonly, it is required that we can compute the function f with a (uniform) poly-time Turing machine for f to be called efficient. This definition of a deterministic primitive can naturally be extended to the randomized case in the following way. Definition 2 (Randomized primitive). Let P be a deterministic primitive. Then the corresponding randomized primitive Pr is the set Pr = {f : R × {0, 1}∗ → {0, 1}∗|∀r ∈ R : f (r, ·) ∈ P} r r and A DV P A DV P k (f, ·) = E k (f (r, ·), ·) , where R is a randomness space. r∈R
In order to define stateful primitives, we must extend the advantage function A DV () consistently to state machines. As it is technically cumbersome and yields no additional insight, we leave it to Appendix A. It is also straightforward to define randomized stateful primitives by combining the two modifications made to the deterministic case. Since neither of the extensions actually forces us to introduce extra parameters (we can always take S = {∅} and R = ∅), it is clear that these four classes form a hierarchy in terms of set inclusions.
4 Reductions Reductions capture the relations between different security notions. A primitive P can be reduced to a primitive Q if there exists a construction that given a secure instance of the primitive Q yields a secure instance of P. Most common cryptographic reductions are black-box reductions, where an instance f of a primitive Q is treated as an atomic object in the construction and in the security proof. Despite of the ubiquity, the exact definition of black-box reductions is somewhat vague in the cryptographic literature. Impagliazzo and Rudich [5] were the first to informally define the notion of black-box reductions. A more formal definition was later given by Gertner et al. [3]. In this work, we consider four sub-notions of black-box reductions. The first step towards classification of black-box reductions was made by Reingold, Trevisan and Vadhan [7]. They showed a complex hierarchy of 7 types of different reductions. Our classification is based on their work but leaves out some of the more general reductions and introduces one that actually arises quite often in practice. Also,
Oracle Separation in the Non-uniform Model
235
we assume that the reduction construction is deterministic whereas the original hierarchy uses probabilistic Turing machines everywhere. This is necessary for reductions between deterministic primitives as the reduction cannot be allowed any randomization in that case. If we consider randomized primitives, P can usually be made deterministic even when it is randomized in essence— the key idea is to use the oracle as a source of randomness. This approach was already used by Impagliazzo and Rudich [5] in the first paper about oracle separations in cryptology. In the first three definitions, the construction of a derived primitive is independent of the actual implementation of P, whereas the construction itself may depend on the implementation in the last definition. The reduction in question is uniform if all oracle machines in the corresponding definition are uniform, otherwise the reduction is nonuniform. We assume that the construction P is always deterministic but the adversaries are allowed to be randomized. f
Definition 3. A fully black-box reduction P =⇒ Q is determined by two poly-time oracle machines P and S, satisfying the following two conditions: (C) If f implements Q then Pf implements P. (S) For every instance f ∈ Q, if A breaks Pf (as P) then SA,f breaks f (as Q). In brief, we must to provide a universal oracle algorithm S that can handle all successful adversaries to establish a fully black-box reduction. So-called semi-black-box reductions weaken this restriction by allowing for some specialization in the security proofs. The degree to which the specialization can go is different for different authors. We give two possible definitions, one just slightly stronger than the other. ss
Definition 4. Strong semi-black-box reduction P =⇒ Q is determined by a poly-time oracle machine P, satisfying the following two conditions: (C) If f correctly implements Q then Pf correctly implements P. (S) For all poly-time oracle machines A there exists a poly-time oracle machine B such that for every instance f ∈ Q if Af breaks Pf then Bf breaks f . ws
Definition 5. Weak semi-black-box reduction P =⇒ Q is determined by a poly-time oracle machine P, satisfying the following two conditions:2 (C) If f correctly implements Q then Pf correctly implements P. (S) For every instance f ∈ Q and a poly-time oracle machine A, there exists a polytime oracle machine B such that if Af breaks Pf then Bf breaks f . The difference between the two reduction types is very subtle. In the strong case, the construction of B may non-constructively depend on A and P but it has to be universal for all f ∈ Q. In the weak case, such a universal B might not exist—the construction of B may depend on f as well as on A and P. This subtle difference is however extremely important, as it seems to create a theoretical boundary for at least one general separation method we show later. In both semi-black-box reductions P must be universal for all valid instances f ∈ Q and as such, specific properties of an instance f cannot be used in the construction. 2
This was the reduction given by Reingold et al. [7] as the semi-black-box reduction.
236
A. Buldas, S. Laur, and M. Niitsoo
Variable semi-black-box reductions3 weaken even this restriction so that the constructions of both P and B may depend on the instance f . However, such constructions must exist for all instances of Q regardless of the actual efficiency of f . If we restrict f in the following definition to efficiently implementable instances of Q, then we get the definition of white-box reductions, which is the most general type of reductions. v
Definition 6. We say that there is a variable semi-black-box reduction P =⇒ Q iff for any correct implementation f of Q: (C) there exists a poly-time oracle machine Pf that correctly implements P; (S) for every instance f ∈ Q and for any poly-time oracle machine A, there exists a poly-time oracle machine B such that if Af breaks Pf , then Bf breaks f . These reduction types form a linear hierarchy with fully black-box reductions being the strongest and white-box reductions being the weakest. Existence of a reduction of one type also trivially implies the existence of reductions of all weaker types. This is important as it means that non-existence of a weaker reduction also implies nonexistence of all stronger reductions. We note that the preceding reduction types are all well-defined for all four primitive types. Moreover, it is worth noting that the definitions of randomized and stateful primitives are constructed in such a way that once the corresponding deterministic primitive is fixed and the advantage function for it given, we obtain consistent security definitions for all types of primitives and thus also the definitions for all types of reductions. Note that a primitive as an instance of more complex primitive (e.g. deterministic primitive as a randomized primitive) has exactly the same advantage as in the base case. Since both randomized and stateful constructions also contain all the deterministic primitives and the advantages stay the same when switching contexts, it is easy to show that if no reduction is possible between deterministic primitives then also none can exist for randomized or stateful cases—a reduction in one of these cases would have to hold for the deterministic cases as well as they are a subset of both extensions. Analogously if no reduction between two randomized or two stateful primitives can exist then clearly no reduction can exist between randomized stateful primitives as any one for them would imply the existence of one for both sub-classes (Fig. 1).
5 Classical Oracle Separations Non-existence of black-box reductions does not rule out the existence of generic whitew box reductions P =⇒ Q. However, the corresponding security proofs must utilize additional properties that cannot be deduced from an abstract description of the primitive. Hence, non-existence of black-box reductions is a hardness indicator showing that it is probably not possible to construct a primitive Q form a primitive P without using additional assumptions about the structure of a primitive P. The first such non-existence result in cryptography was proved by Impagliazzo and Rudich [5]. They built an oracle relative to which key agreement does not exist but one-way permutations do, thus showing the impossibility of black-box reductions of 3
They were called ∀∃-semi-black-box by Reingold et al.
Oracle Separation in the Non-uniform Model
237
key agreement to one-way permutations. There are many other such results known in cryptography [8,4,3]. Many of these separation results actually proved non-existence of variable semi-black-box reductions. To establish non-existence of black-box reductions, one usually constructs an oracle Of that securely implements the functionality of Q but contradicts the existence of the desired reduction. To prove this, more than one type of functionality if often required from the oracle. The functions can still be merged into a single oracle Of and we use the shorthand Of = (f, g) do emphasize that this has been done. Now, simple negations of the definitions of black-box reductions give the sufficient conditions for oracle separations. We give two theorems that are used the most often—the weakest and (practically) the strongest. Weak Separation (Hsiao-Reyzin [4]). Let Of = (f, g) be an oracle such that f securely implements a primitive Q. Now if for every poly-time oracle machine P that implements P when given oracle access to an implementation of Q, there is a poly-time oracle machine Af,g that breaks Pf as an instance of P, then there are no fully black-box f reductions P =⇒ Q. Strong Separation (Reingold et al. [7]). Let Of = (f ) be an oracle such that f securely implements a primitive Q. Now if for every poly-time oracle machine Pf that implements P there is a poly-time oracle machine Af that breaks Pf as an instance of v P, then there exist no variable semi-black-box reductions P =⇒ Q. For the weak separation, we can actually supply some extra functionality g along with the f that can be used by S to help break Pf but to which P construction has no access. This extra functionality is usually formalized as a separate oracle, but may actually be thought of as a part of the primitive that is not covered by any functional or security constraints and may thus be completely useless. As P has to be a general construction that works for all possible f , it gains nothing by using that part of the primitive and we may just as easily assume it doesn’t use it. However, the adversary construction might try to use it, and as we are interested in helping the adversary along, we provide information useful to him through that part. Since P has no access to it we do not have to analyze how g might help us in constructing a secure instance of P. This is actually the main difference between the two separation results. For the strong separation result, we can still give this extra functionality g in theory. However, it must be embedded into the calls of f , that is, there must exist a poly-time oracle machine Wf that implements g. As Reingold et al. [7] demonstrate, this can usually be done and is not really a strong limiting factor. However, the extra functionality g could possibly be used to increase the security of P and whether this extra help can still be bounded is what usually determines whether a variable semi-black-box reduction can be ruled out or not. The same reduction theorems hold equally well for all the four primitive classes. As an oracle is used in the place of the original primitive, this also means that using a deterministic oracle rules out the reduction in the deterministic case and using a randomized oracle rules it out for the randomized case. The corresponding hierarchy of non-existence results is depicted in Figure 1. Note that non-existence of black-box reductions for deterministic primitives naturally implies the non-existence of such a
238
A. Buldas, S. Laur, and M. Niitsoo
Randomized stateful primitives Randomized primitives
T1
–T
3
Stateful primitives Deterministic primitives
.A
p Ap
Fig. 1. Hierarchy of primitive types with respect to non-existence of reductions
reduction for all other primitive types and thus deterministic oracle constructions provide the strongest negative results. This is probably the reason why all the preceding work in this field has concentrated on finding a fixed deterministic oracle for the separation theorems. However, in the following we prove that non-existence results for deterministic and randomized primitives are actually equivalent in many cases and thus oracle separations using randomized oracles (or a family of oracles) are often just as powerful as the ones that fix one deterministic oracle.
6 Oracle Extraction Techniques In practice it is generally difficult to construct deterministic separation oracles. Hence, most separation results are based on randomized instances Of , which are later converted to deterministic instances by a clever choice of random coins. In this section, we show the limitation of such an oracle extraction methodology. Recall that for a randomized primitive f the advantage is always defined as an average over the randomness space R. Now, given a randomized oracle construction Of that refutes the existence of some type of black-box reduction, we need to fix the coins r so that the resulting oracle ∗ O∗f would still provide a secure instance f ∗ ∈ Q but on the construction Pf would be rendered insecure. This is always possible for fully black-box and semi-black-box reductions provided that we consider uniform adversaries. The corresponding proof uses the countability of uniform algorithms and the fundamental Borel-Cantelli lemma from probability theory. Lemma 1 (Borel,Cantelli). Let E1 , E2 , E3 , E4 , . . . be a countably infinite sequence of events. Let E∞ denote the event that infinitely many of these events take place. If n Pr [En ] < ∞ then Pr [E∞ ] = 0. Theorem 1. If we consider security against uniform adversaries, the existence of fully black-box and (both) semi-black-box reductions for randomized primitives implies the corresponding existence results for deterministic primitives and vice versa. Proof. For brevity, we prove the statement of the theorem only for weak semi-blackws box reductions P =⇒ Q, since the analysis of the other cases is analogous. The simple
Oracle Separation in the Non-uniform Model
239
ws
negation of the definition of P =⇒ Q gives us that either we cannot construct P from Q at all, or there exists a secure primitive f such that some poly-time adversary A breaks Pf . The non-constructibility for randomized primitives trivially implies the existence of deterministic implementations f (r, ·) that cannot be converted to P. Hence, we have to analyze only the case when f is secure but A can break Pf . This means that for a subsequence (kn ) ⊂ N the corresponding advantage is A DVP kn (f, A) ≥ knα . For clarity, assume that each security parameter k, the primitive f uses a different randomness space Rk . Then for each kn , we can consider a restricted set of random coins P f f (r,·) R◦kn = r ∈ Rkn : A DVP (P , A) ≤ 2 · A DV (P , A) . kn kn Let Of be a modified primitive that uses the original randomness space Rk for instances k∈ / {kn } and corresponding randomness space R◦kn otherwise. Then A DVQ kn (Of , B) ≤
A DVQ 2 · A DVQ nn (f, B) kn (f, B) ≤ , ◦ knα Pr r ← Rkn : r ∈ Rkn
◦ α as A DVQ nk (·) is a non-negative function and Pr r ← Rkn : r ∈ Rkn ≥ kn /2 . Thus, the modified primitive Of is still secure as an instance of the primitive Q. Next, we will fix the randomness r ∈ R◦1 × R◦2 × · · · =: R∗ so that the resulting deterministic primitive Orf (·) = Of (r, ·) remains secure. For that, it is sufficient to show that there exist r ∈ R∗ and a constant k0 such that A DVk (Orf , B) ≤ k 2 · A DV k (Of , B) r 2 for all k > k0 . Let Ek denote the event that A DV Q k (Of , B) > k · A DV k (Of , B). Then Q the event E∞ means that we cannot find k0 such that A DVk (Orf , B) ≤ k 2 ·A DVk (Of , B) for k > k0 . From the Markov inequality it then follows that k
1 Q r 2 Pr [Ek ] = Pr r ← R∗ : A DV Q (O , B) > k ·A DV (O , B) ≤ <∞ . f k f k k2 k
k
Consequently, Lemma 1 implies Pr [E∞ ] = 0. In other words, for each oracle machine B the set of bad coins RB := {r ∈ R : E∞ holds} has measure zero. As there are only countably many uniform machines B, the set of all bad coins ∪B RB also has measure zero. Hence, the set R0 = R\(∪B RB ) is non-empty and thus there exists Orf such that for every uniform poly-time oracle machine B and for sufficiently large k we have A DVk (Orf , B) ≤ k 2 · A DV k (Of , B) = k −ω(1) . On the other hand, for any r ∈ R∗ the r construction POf is still insecure against A due to the amplification step and we thus have a contradiction for deterministic primitives. Note that the proof does not generalize to variable semi-black-box reductions, since then P is allowed to depend on f and in general it is impossible to find a non-empty subspace Rnk (where the adversary is guaranteed to be roughly as successful as on average) for all possible constructions P and thus the amplification step can fail. On the other hand, the oracle extraction step is always applicable. Consequently, we can still use Or f , A) randomized oracle constructions Of as long as we can guarantee that A DV P = k (P k −ω(1) for every r ∈ R.
240
A. Buldas, S. Laur, and M. Niitsoo
Non-equivalence in the Non-uniform Security Model. Note that the proof of Theorem 1 holds only if the set of potential adversaries is countable. In the non-uniform model this no longer holds. As it turns out, there are cases where separation on average holds in the non-uniform model but it will vanish just as the oracle becomes fixed. As an illustrative example, consider a “password” protected self-defeating implementation of a primitive. In principle we are able to define an auxiliary function breakf for almost any useful primitive Q relative to which f is totally insecure. Moreover, we may add the functionality breakf to the primitive so that it is protected with “passwords”. Namely, let Of = (f, g) be a randomized oracle for which f is a secure instance of Q. For g k part, we use the randomness to generate an advice string ak ← {0, 1} and then define g(ak , x) = breakf (x) and g(y, x) = 0 for every y = ak . Then on average f remains secure, since the probability of correctly guessing the ak is negligible. On the other hand, if we fix random coins ak , then the non-uniform adversary A with advice ak can trivially break f .
7 Oracle Separation for Poly-preserving Reductions One more crucial obstacle for generalizing the separation results to non-uniform reductions is the guarantee condition of the reduction. In the definitions of the reductions the guarantee condition is too weak—much weaker than what is usually expected when constructing practical reductions. We will now strengthen the definitions which allows us to prove the equivalence of non-existence results in the non-uniform model. Definition 7 (Poly-preserving reductions). We say that a reduction P =⇒ Q is polypreserving if the corresponding mapping A → B in the security guarantee (S) decreases the advantage by at most a polynomial amount, i.e., there exists c ≥ 1 (the same for all f and A) such that c P f A DV Q . k (f, B) ≥ A DV k (P , A) The definition is not too restrictive—for most common reductions, the coefficient c is between 1 and 2. In fact, the authors are not aware of any reductions that are not polypreserving. Moreover, one is usually concerned with the tightness of the reduction and thus tries to minimize c. Actually, we do not have to use the power function (·)c —any convex-cup function that leaves negligible functions negligible will do. Theorem 2. For poly-preserving reductions, the existence of fully black-box or strong semi-black-box reductions for randomized primitives implies the corresponding existence results for deterministic primitives and vice versa. Proof. Obviously any reduction for randomized primitives must also work for the deterministic primitives. Hence, we must consider only the opposite implication. We do the proof for strong semi-black-box reductions, as the proof for the fully black-box case is analogous. Assume that there exists a reduction from P to Q for deterministic primitives. Then this reduction can be generalized to randomized primitives. Obviously, Pf is still a correct implementation of P as Pf (r,·) ∈ P for each r ∈ R. For each adversary
Oracle Separation in the Non-uniform Model
241
A, we can still use the adversary B offered by the deterministic reduction. However, since the primitive is randomized, we have to re-estimate the advantage
c Q P f r A DV Q (f, B) = E A DV (f (r, ·), B) ≥ E A DV (P (r, ·), A) k k k r∈Rf r∈Rf c c Pr f f ≥ E A DVP (P (r, ·), A) = A DV (P , A) , k k r∈Rf
where the first inequality follows form the deterministic security guarantee and the second follows from Jensen inequality. The claim follows, as reductions for deterministic and randomized primitives exist simultaneously. Sadly, this proof method already fails for weak semi-black-box reductions as it is essential that B is the same for all f (r, ·) and this is not guaranteed by any of the weaker reductions. However, it still allows us to generalize many of the known non-existence results to the non-uniform setting. We note that this approach cannot directly be generalized to stateful oracle constructions. There exists an explicit counterexample (see appendix A), where separation for stateful primitives does not imply a separation for deterministic functions. At first glance, the stateful case seems harder to analyze, but it would be interesting to know if anything at all similar could be shown for it. Inherently Random Primitives. There are some primitives that are inherently random, like encryption, message authentication and key exchange. We can still view them as deterministic constructions f (r, x) by treating randomness r ∈ R◦ as an auxiliary argument. However, the corresponding security game that defines the advantage A DV P (·) must then initialize this randomness within the game. Again, the advantage is first defined for the game with fixed r and then generalized as an average over the distribution R◦ . As a result, the construction of any algorithm A is independent of the fixed r ∈ R◦ in the particular case. For such primitives, there is no difference whether we consider randomized or deterministic primitives as we can pack the extra randomness into R◦ . In that case, the corresponding randomized primitive can be viewed as a deterministic one where the randomness required is given to it within the security game. If the game has many different calls to the primitive, we have to make sure that randomness is used only in the parts where it is actually supplied. However, if we account for that, we again have an equivalence result. Theorem 3. For inherently random primitives, the existence of any type of reductions for randomized primitives implies the corresponding existence results for deterministic primitives and vice versa provided that the use of randomness is consistent with the security game.
8 Practical Separations As a direct corollary of theorems 1 and 2 we get:
242
A. Buldas, S. Laur, and M. Niitsoo
Theorem 4. If for every deterministic poly-time oracle machine P and every probabilistic poly-time oracle-machine A there is a distribution R of oracle pairs Of = (f, g) such that for infinitely many k (1) f implements Q, for all Of ∈ R; (2) if Pf ∈ P for all Of ∈ R then EOf ←R A DVk (g, Pf ) = k −ω(1) . (3) EOf ←R A DV k (Ag,f , f ) = k −ω(1) ; then there exist no uniform fully-black-box reductions and no (potentially non-uniform) poly-preserving reductions of P to Q. Furthermore, if g can be embedded into f (so that Of = (f ) and g can be efficiently computed from f and the algorithm for doing so does not depend on Of or A), then there are no strong semi-black-box reductions between them, neither uniform nor non-uniform poly-preserving. Proof. Just note that the conditions together imply the non-existence of a reduction (either fully black-box or strongly semi-black-box) from Pr to Qr . Then theorems 1 and 2 imply that such reductions also cannot exist in the deterministic case, that is from P to Q. As the deterministic case is the strongest, this also rules out the reductions in the other classes. These results allow us to generalize many known non-existence results into the nonuniform model. The generalization itself is usually rather straightforward, as the proofs generally study the average case behavior sufficiently before extracting the oracle.
9 Generalizing the Known Constructions The non-existence theorems in cryptology can roughly be divided into three different categories. Classical. These are the classical non-existence results such as the one given by Impagliazzo and Rudich [5] and the one by Gertner et al. [3]. Reductions are made just by constructing one oracle or oracle family and then showing that in the relativized world that it creates, Q exists but P does not. As the concept of the reduction is simple and generally only rules out fully black-box reductions, they can nearly trivially be generalized to the non-uniform model. Specific. These are the results starting with the work of Simon [8] and continued by Hsiao and Reyzin [4] and Reingold et al. [7]. They noticed that stronger results can be obtained by using more involved reduction techniques like embedding or using different oracles for the construction and the adversary. In these cases the generalization may not be as trivial as it was for the first type, but it can still usually be done. However, as our theorems are limited to strong semi-black-box reductions, we cannot prove anything below that bar in the non-uniform model except in the cases that are inherently randomized. Efficiency Bounds. These are the results [1,2] starting with Kim, Simon and Tetali [6] that do not rule out reductions but rather say something about their efficiency. They
Oracle Separation in the Non-uniform Model
243
usually still fit within the model first proposed by Impagliazzo and Rudich, but focus more on exact bounds on security and runtime. As our theorems work in the asymptotic model, the results would also first need to be translated into this framework before the theorems could be applied. However, the authors of this paper see no inherent reasons why this could not be done. In most cases, some modifications need to be made before our theorems can be applied. First of all, not all the results listed above use Borel-Cantelli lemma or even oracles explicitly. If this is the case, they are usually implicitly somewhere in the proofs. For instance, Kim et al. [6] get a contradiction by showing that a construction for a one-way function exists that uses no oracles, unless their claim holds. This proof can be made unconditional by adding a PSPACE oracle to get a world where P = NP and the existence of a one-way function would actually be a contradiction [5]. Also, the oracle constructions are usually made in such a way that the oracle does not implement the primitive Q directly but rather a secure instance can be implemented efficiently with its help. This is usually done to simplify the proof that no secure P can be constructed with these oracles. However, if this is the case, no secure instance of P could be obtained from the resulting instance of Q either. Therefore, we can always assume that the oracle implements the primitive functionality directly, with the other functions either being embedded or used as a separate oracle g.
10 Conclusions We showed that oracle separation can be used in the non-uniform model with minor restrictions that should hold for almost all practical separations anyway. Still, it seems that with our proof techniques we cannot go below strong semi-black-box reductions in the non-uniform model. This boundary occurs in a curious place—in between two semi-black-box reductions, which have not even been clearly differentiated in previous works. To overcome this barrier is an open problem. To mention some implications of our work, it follows from [8] that there exist no (non-uniform) strong semi-black-box reductions from collision-free functions to oneway permutations and from [5,7] that there are no strong semi-black-box reductions from key agreement to one-way permutations. It would be interesting to know if something similar (to our results) can be proven for stateful constructions. The initial results in this direction are not quite promising but there may still be some clever transformations that might work.
References 1. Gennaro, R., Gertner, Y., Katz, J.: Lower bounds on the efficiency of encryption and digital signature schemes. In: Proceedings of the thirty-fifth annual ACM symposium on Theory of computing, pp. 417–425 (2003) 2. Gennaro, R., Gertner, Y., Katz, J., Trevisan, L.: Bounds on the efficiency of generic cryptographic constructions. SIAM journal on Computing 35, 217–246 (2006) 3. Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between public key encryption and oblivious transfer. In: 41st Annual Symposium on Foundations of Computer Science, Redondo Beach, California, November 2000, pp. 325–335 (2000)
244
A. Buldas, S. Laur, and M. Niitsoo
4. Hsiao, C.Y., Reyzin, L.: Finding Collisions on a Public Road, or Do Secure Hash Functions Need Secret Coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 92–105. Springer, Heidelberg (2004) 5. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Proc. of the Twenty First Annual ACM Symp. on Theory of Comp., pp. 44–61 (1989) 6. Kim, J.H., Simon, D.R., Tetali, P.: Limits on the efficiency of one-way permutation-based hash functions. In: Proc. of the 40th Annual Symposium on Foundations of Computer Science, pp. 535–542 (1999) 7. Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004) 8. Simon, D.: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998)
A Stateful Primitives A stateful function f : S × {0, 1}∗ → S × {0, 1}∗ where S is the state space and f (s, x) = (t, y) is accessed as a function fˆs : {0, 1}∗ → {0, 1}∗ where fˆs (x) = y. Then s and t are the state of the function before and after that access, respectively. We assume, that in the beginning the state is the empty string and after each call the state is altered to whatever the stateful function says in the output. As a next step, we must generalize the advantage function A DV P (·) consistently for stateful instances f ∈ P. Usually, this step is trivial, as the security game that defines the advantage can also handle stateful primitives. Otherwise, we have to extend A DV P (·) so that for all stateful functions f so that for all stateless functions it coincides with the definition for deterministic functions. Secondly, we must generalize the notion of functional requirements. For that, we need a concept of trace trx (f ), which is just a deterministic function g that behaves identically on calls x = (x1 , . . . , xk ). Definition 8 (Stateful primitive). Let P be a deterministic primitive. Then the corresponding stateful primitive Ps is the set Ps = {f : S × {0, 1}∗ → S × {0, 1}∗|∀x ∈ s {0, 1}∗∗ : trx (f ) ∈ P}. The advantage A DVP k (f, A) is defined analogously to the deterministic primitives. Non-Equivalence Results for Stateful Primitives. It is straightforward to see that non-existence of a certain black-box reduction does not imply the corresponding nonexistence result for deterministic primitives. As an example, recall that collision resistance implies one-wayness for compressing functions. The latter is not true for the stateful primitives, since we can define the following oracle Of . Let g be the corresponding extra functionality that is embedded into f . Then the oracle answers only two calls of g. As the first query, the adversary A can send the construction of P to Of . Since it is finite it can be encoded as an argument of g. As a second call the adversary A can query (POf )−1 (x). The oracle replies only if no queries to f are made. Now for obvious reasons no Pf can possibly be a secure one-way function if the adversary is allowed access to g, yet f still remains collision resistant. Note that embedding g into f is trivial as we can use two fixed input values x0 and x1 to transfer information to Of .
GUC-Secure Set-Intersection Computation Yuan Tian and Hao Zhang School of Software, Dalian University of Technology, Dalian, Liaoning, 116620, China
[email protected],
[email protected]
Abstract. Secure set-intersection computation is one of the important problems in secure multiparty computation. We propose a general protocol construction for secure 2-party set-intersection computation based-on the anonymous IBE scheme and its user private-keys blind generation techniques. Compared with related works, this construction is provably GUC (generalized universally composable) secure in standard model with acceptable efficiency. In addition, an efficient instantiation based-on the Boyen-Waters IBE scheme is also presented. Keywords: Secure Multiparty Computation, Secure Set-Intersection Computation, Anonymous Identity-based Encryption, Generalized Universally Composable Security.
1
Introduction
Secure set-intersection computation is one of the important problems in the field of secure multiparty computation, where participants with their own private dataset get the intersection of all their private sets and nothing more (except for each private set’s cardinality). In this paper, like most recent works, we focus on the 2-party case and make an efficient GUC-secure solution in standard model. Much work has been done in designing solutions to secure computation for different cryptographic functions, but only few are about this special problem among which [8,11,12] are most relevant to this paper. They are different techniques and security concepts and (except [12]) are focused on the 2-party case. However, none reaches Canetti’s UC/GUC security [4,6]. In [8] Freedman et al present provably-secure and efficient protocols for this problem against semihonest and malicious adversaries respectively based-on polynomial interpolation and homomorphic encryption schemes. The solution against malicious adversaries assumes the random oracle model. Kissner and Song [12] solve this problem via smartly exploiting mathematical properties of polynomials and get fullysimulatable security [10] so that their solution is securely composable (but the concept of fully-simulatable security is strictly weaker than Canetti’s UC/GUC security proposed in [4,5]). As indicated by [11], [12] executes lots of zeroknowledge proofs of knowledge most of which are known how to efficiently realize but not all. Most recently [11] proposes solutions to this problem via oblivious pseudorandom function evaluation techniques. They work in two relaxed adversary models to achieve security of “half-simulatability” and “full-simulatability J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 245–259, 2009. c Springer-Verlag Berlin Heidelberg 2009
246
Y. Tian and H. Zhang
against covert adversaries” [1]. At the price of relaxation in security, the protocols in [11] are highly efficient, so these solutions can be considered as practical and reasonable compromise between security and efficiency. In this paper we construct a protocol for secure set-intersection computation in standard model which is efficient and GUC-secure. Like most previous works, we focus on the 2-party case, however, there are substantial differences between our solution and the others. Technically, our construction is based-on the anonymous IBE scheme and it’s user private-key’s blind generation techniques (i.e., to generate the correct user private-key usk(a) for a user without leaking the user-identity a to the key-generator). The high-level idea is simple: let Π = (Setup, U KG, E, D) be an IBE scheme (formally defined in section 2.2), M0 be a publicly-known plaintext, P1 own (for example) X1 = {x1 , x2 , x3 , x4 } and P2 own X2 = {x1 , x2 , x5 , x6 }. Let P1 generate IBE’s master public/secret key-pair (mpk, msk), send mpk and all yi = E(mpk, xi , M0 )(i = 1, 2, 3, 4) to P2 . When P2 tries to decipher each yi by private-keys usk(x1 ), usk(x2 ), usk(x5 ) and usk(x6 ) (obtained via Π’s user private-keys blind generation protocol), only usk(x1 ) and usk(x2 ) can succeed in obtaining M0 . As a result, X1 ∩ X2 = {x1 , x2 }. In addition, Π’s anonymity prevents P2 from knowing anything about X1 \ X2 = {x3 , x4 } through y3 , y4 . (Interestingly, this approach doesn’t require IBE’s data-privacy so its efficiency may be further improved if we can get some “anonymous (key-private) but not data-private” IBE scheme). To be GUC-secure, the formal construction is more involved (section 3). It is constant-round in communications and linear-size in message-complexity (close to [8,11]). In computation-complexity, one party is O(N1 + N2 ) (close to [8,11]) and the other is O(N1 N2 ) (close to [12]) where N1 , N2 are each party’s private set’s cardinality. It is well-modularized, only executing few zero-knowledge proofs of knowledge which can be efficiently instantiated. Most importantly and distinctively, our construction reaches Canetti’s GUC-security: it is GUC-secure against malicious adversaries assuming static corruptions in the ACRS (augmented common reference string) model [5]. For this goal we introduce a notion of identity-augmented non-malleable zero-knowledge proofs of knowledge which may be of independent values.
2
Notations, Definitions and Tools
P.P.T. means “probabilistic polynomial-time”, xy means string x and y in concatenation, |x| means string x’s size (in bits) and |X| (X is a set) means X’s cardinality, x ←$ X means randomly selecting x from the domain X. k denotes the complexity parameter. ≈P P T stands for computational indistinguishability and ≈ for perfect indistinguishability. 2.1
Secure Set-Intersection Computation and Its GUC Security
Briefly speaking, GUC-security means that any adversary attacking the realworld protocol can be efficiently simulated by an adversary attacking the idealworld functionality, both have the outputs indistinguishable by the (malicious)
GUC-Secure Set-Intersection Computation
247
environment. For space limitations, we assume the reader’s familiarity with the whole theory in [4-6] and only provide necessary descriptions with respect to the secure set-intersection computation problem here. Similar to most previous works, we only focus on the unidirectional 2-party scenario. The ideal cryptographic functionality for such set-intersection computation is defined as FIN T : (X1 , X2 ) → (|X2 |, |X1 |(X1 ∩ X2 )) The bi-directional functionality is defined as ∗ FIN T : (X1 , X2 ) → (|X2 |(X1 ∩ X2 ), |X1 |(X1 ∩ X2 )) ∗ It’s not hard to implement FIN T as a FIN T -hybrid protocol. However, unidirectional set-intersection computation per se is independently useful in practice. Let P1∗ , P2∗ be parties in ideal model with private sets X1 and X2 respectively, N1 = |X1 |, N2 = |X2 |, S be the adversary in ideal model. The ideal model works as follows:
On receiving message (sid,“input”,P1∗ , X1 ) from P1∗ , FIN T records X1 and sends message (sid,“input”,N1 ) to P2∗ and S; On receiving message (sid,“input”,P2∗ , X2 ) from P2∗ , FIN T records X2 and sends (sid,“input”,N2 ) to P1∗ and S. On receiving message (sid,“intersection”, P2∗ ) from P2∗ , FIN T responses ∗ P2 with message (sid,“intersection”, X1 ∩ X2 ). At last P1∗ outputs N2 , P2∗ outputs N1 (X1 ∩ X2 ). Let ψ be the real-world protocol, each party Pi of ψ corresponds to an idealworld party Pi∗ . A is the real-world adversary attacking ψ, Z is the environment in which the real protocol/ideal functionality executes. According to [4-5], Z is a P.P.T. machine modeling all malicious behaviors against the protocol’s execution. Z is empowered to provide inputs to parties and interacts with A and S, e.g., Z gives special inputs or instructions to A/S, collects outputs from A/S to make some analysis, etc. In UC theory [4], Z cannot access parties’ shared functionality (such shared functionality is specified in specific protocol) while in the improved GUC theory [5] Z is enhanced to do this, i.e., to provide inputs to and get outputs from the shared functionality. As a result, in GUC theory Z is strictly stronger and more realistic than in UC theory. Let outputZ (ψ, A) denote the output (as a joint stochastic variable) from ψ’s parties P1 , P2 under Z and A, outputZ (FIN T , S) denote the similar thing under Z and S. During the real/ideal protocol’s execution, Z (as an active distinguisher) interacts with A/S and raises its final output, w.l.o.g., 0 or 1. Such output is denoted as Z(outputZ (ψ, A), u) and Z(outputZ (FIN T , S), u) respectively, where u is the auxiliary information. Definition 2.1 (GUC security [5]). If for any P.P.T. adversary A in realworld, there exists a P.P.T. adversary S (called A’s simulator) in ideal-world, both corrupt the same set of parties, such that for any environment Z the function
248
Y. Tian and H. Zhang
|P r[Z(outputZ (ψ, A), u) = 1] − P r[Z(outputZ (FIN T , S), u) = 1]| is negligible in complexity parameter k (hereafter denote this fact as outputZ (ψ, A) ≈P P T outputZ (FIN T , S)), then we define that ψ GUC-emulates FIN T or say ψ is GUCsecure, denoted as ψ →GUC FIN T . The most significant property of GUC-security is the universal composition theorem. Briefly speaking, given protocols ϕ2 , ϕ1 and ψ(ϕ1 ) where ψ(ϕ1 ) is the so-called ϕ1 -hybrid protocol, if ϕ2 →GUC ϕ1 then (under some technical conditions, e.g., subroutine-respecting) ψ(ϕ2 /ϕ1 ) →GUC ψ(ϕ1 ) where ψ(ϕ2 /ϕ1 ) is a protocol in which every call to the subprotocol ϕ1 is replaced with a call to ϕ2 . This guarantees that a GUC-secure protocol can be composed in any execution context while still preserving its proved security. A similar consequence is also true in UC theory but with some serious constraints [4,5]. 2.2
IBE Scheme, Its Anonymity and Blind User-Private Key Generation Protocol
In addition to data-privacy, anonymity (key-privacy) is another valuable property for public-key encryption schemes [2]. An IBE scheme Π = (Setup, U KG, E, D) is a group of P.P.T. algorithms, where Setup takes the complexity parameter k as input to generate master public/secret-key pair (mpk, msk), U KG takes msk and user id a as input to generate user private-key usk(a); E takes (mpk, a, M ) as input where M is the message plaintext to generate ciphertext y, D takes (mpk, usk(a), y) as input to do decryption. Altogether these algorithms satisfy the consistency property: for any k, a and M P r[(mpk, msk) ← Setup(k); usk(a) ← U KG(msk, a); y ← E(mpk, a, M ) : D(mpk, usk(a), y) = M ] = 1 Definition 2.2 (IBE Scheme’s chosen plaintext anonymity [2]). Given an IBE scheme Π = (Setup, U KG, E, D), for any P.P.T. attacker A = (A1 , A2 ) O CP A consider the following experiment ExpAN (k): Π,A (mpk, msk) ← Setup(k); UKG(msk,.) (M ∗ , a∗0 , a∗1 , St) ← A1 (mpk), a∗0 = a∗1 ; $ b ← {0, 1}; y ∗ ← E(mpk, a∗b , M ∗ ); UKG(msk,.) d ← A2 (St, y ∗ ); output(d ⊕ b); A is constrained not to query its oracle U KG(msk, .) with a∗0 and a∗1 . Define AN O CP A O CP A AN O CP A AdvΠ,A as |2P [ExpAN (k) = 1] − 1|. If AdvΠ,A is negligible in Π,A k for any P.P.T. attacker A then Π is called anonymous against chosen plaintext attack (AN O CP A for short). In the above, if M ∗ , a∗0 , a∗1 are generated independent of mpk then Π is called selective AN O CP A. AN O CP A AN O CP A AN O CP A Denote maxA∈P.P.T. AdvΠ,A (k) as AdvΠ (k) or AdvΠ (t, q) where t is the adversary’s maximum time-complexity and q is the maximum number of queries for the UKG-oracle.
GUC-Secure Set-Intersection Computation
249
Π Now we present the ideal functionality FBlind−UKG for an IBE scheme Π’s user private-key blind generation (even IBE scheme is not anonymous this functionality still makes sense, however, in this paper only anonymous IBE’s such protocol is needed). In the ideal model, one party generates (just one time) Π Π’s master public/secret-key pair (mpk, msk) and submits it to FBlind−UKG ; Π FBlind−UKG generates usk(a) = U KG(msk, a) for another party who submits its private input a (this computation can take place any times and each time for a new a), revealing nothing about a to the party who provides (mpk, msk) except how many private-keys are generated. Formally, let S be the ideal adversary, P1∗ , P2∗ the ideal party, sid and ssid the session-id and subsession-id respectively, the ideal model works as follows:
P1∗ selects randomness ρ and computes (mpk, msk) ← Setup(ρ), sends Π Π the message (sid, mpkmskρ) to FBlind−UKG ; FBlind−UKG sends message ∗ (sid, mpk) to P2 and S; On receiving a message (sidssid, a) from P2∗ (ssid and a are fresh everyΠ time), in response FBlind−UKG computes usk(a) ← U KG(msk, a), sends the message (sidssid, usk(a)) to P2∗ and the message (sidssid, n) to P1∗ and S, where n is initialized to be 0 and increased by 1 everytime the computation takes place. At last, P1∗ outputs its last n, P2∗ outputs all its obtained usk(a)’s. 2.3
(Identity-Augmented) Non-malleable Zero-Knowledge Proofs of Knowledge
This subsection presents the concept of zero-knowledge proofs of knowledge following [9,13] with slight symbolic modifications. Let L be a NP language, R is its associated P-class binary relation. i.e., x ∈ L if f there exists w such that R(x, w) = 1. Let A, B be two machines, then A(x; B)[σ] represents A’s output due to its interactions with B under a public common input x and common reference string (c.r.s.) σ, trA,B (x)[σ] represents the transcripts due to interactions between A and B under a common input x and c.r.s. σ. When we emphasize A’s private input, (say) y, we also use the expression Ay (x; B)[σ] and trA(y),B (x)[σ] respectively. Let A = (A1 , A2 ), B and C be machines where A1 can coordinate with A2 by transferring status information to it, then ( B, A1 , A2 , C) represents the interaction between A1 and B, (maybe concurrently) A2 and C. Due to such interactions, let tr be the transcripts between A2 and C, u be the final output from A2 and v be the final output form C, then ( B, A1 , A2 , C)’s output is denoted as (u, tr, v). We say two transcripts tr1 and tr2 are matched each other, if tr1 and tr2 are the same message sequence (consisted of the same messages in the same order) and the only difference is that any corresponding messages are in the opposite directions. Let A be a machine, the symbol A represents such a machine that accepts two kinds of instructions: the first one is in the form of (“start”, i,x,w) and A in response starts a new instance of A, associates it with a unique name i and
250
Y. Tian and H. Zhang
provides it with public input x and private input w; the second is in form of (“message”,i,m) and A in response sends message m to instance Ai and then returns Ai ’s response to m. Definition 2.3 (Zero-Knowledge Proof and Non-Malleable ZeroKnowledge Proof Protocol [9,13]). ZP oKR = (Dcrs , P, V, Sim = (Sim1 , im2 )) is a group of P.P.T. algorithms where Dcrs takes k (complexity parameter) as input to generate c.r.s. σ; P (called prover ) takes (σ, x, w) as input where R(x, w) = 1 and generates a proof π; V (called verifier ) takes (σ, x) as input and generates 0 or 1; Sim1 (k) generates (σ, s), Sim2 takes x ∈ L and (σ, s) as input and generates the simulation. All algorithms except Dcrs and Sim1 take the c.r.s. σ as one of their inputs (so σ is no longer explicitly included in all the following expressions unless for emphasis). Now ZP oKR is defined as a zero-knowledge proof protocol for relation R, if all the following properties are satisfied: (1) For any x ∈ L and σ ← Dcrs , it’s always true that P r[V (x; P )[σ] = 1] = 1; (2) For any P.P.T. algorithm A, x ∈ / L and σ ← Dcrs , it’s always true that P r[V (x; A)[σ] = 1] = 01 ; (3) For any P.P.T. algorithm A which outputs 0 or 1, let ε be empty string, the function |P r[σ ← Dcrs ; b ← A(ε; P )[σ] : b = 1] − P r[(σ, s) ← Sim1 (k); b ← A(ε; Sim2 (s) )[σ] : b = 1]| is always negligible in k, where we emphasize the fact by symbol Sim2 (s) that all Sim2 instances have the same s as one of their inputs. The non-malleable zero-knowledge proof protocol for relation R is defined as NMZPoKR = (Dcrs , P, V, Sim = (Sim1 , Sim2 ), Ext = (Ext1 , Ext2 )) where (Dcrs , P, V, Sim) is a zero-knowledge proof protocol for relation R as above, P.P.T. algorithm Ext1 (k) generates (σ, s, τ ) and the interactive P.P.T. machine Ext2 (called witness extractor) takes (σ, τ ) and protocol’s transcripts as input and extracts w, and all the following properties hold: (4) The distribution of the first output of Sim1 is identical to that of Ext1 ; (5) For any τ , the distribution of the output of V is identical to that of Ext2 ’s restricted output which does not include the extracted value (i.e., the extracted witness w); (6) There exists a negligible function η(k) (called knowledge-error function) such that for any P.P.T. algorithm A = (A1 , A2 ) it’s true that P r[(σ, s, τ ) ← Ext1 (k); (x, tr, (b, w)) ← ( Sim2 (s) , A1 , A2 , Ext2 (τ ))[σ] : b = 1 ∧ R(x, w) = 1 ∧ tr doesn’t match any transcript generated by Sim2 (s) ] > P r[(σ, s) ← Sim1 (k); (x, tr, b) ← ( Sim2 (s) , A1 , A2 , V )[σ] : b = 1 ∧ tr doesn’t match any transcript generated by Sim2 (s) ] − η(k). 1
More precisely this protocol should be called “zero-knowledge argument”, however, such difference is not essential in this paper so we harmlessly abuse the terminology.
GUC-Secure Set-Intersection Computation
251
It’s easy to see that NMZPoKR is a zero-knowledge proof of knowledge. [9,13] developed an efficient method to derive non-malleable zero-knowledge proof protocols based-on simulation-sound tag-based commitment schemes and the so-called Ω-protocols (proposed in [13]). In order to achieve GUC-security in our construction, we need to further enhance NMZPoK to the concept of identity-augmented non-malleable zero-knowledge proof protocol (IA-NMZPoK) as follows. Definition 2.4 (IA-NMZPoK Protocol for Relation R). The IA-NMZPoK Protocol for relation R, IA-NMZPoKR =(D, Setup, U KG, P, V, Sim = (Sim1 , Sim2 ), Ext = (Ext1 , Ext2 )) is a group of P.P.T. algorithms where Setup(k) generates master public/secret key-pair (mpk, msk), U KG(msk, id) generates id’s private-key usk(id) where id ∈ {P, V } (the prover’s and verifier’s identity). Sim1 takes usk(V ) as input, Ext1 takes usk(P ) as input. All algorithms except Setup take (mpk, σ) as one of its input (so it no longer explicitly appears). The protocol has the same properties as R’s NMZPoK protocol in definition 2.3. Note that by this definition an IA-NMZPoK protocol works in ACRS model [5] which ACRS is its mpk. In particular, only the corruptted verifier can run Sim (Sim1 taking usk(V ) as input) and only the corruptted prover can run Ext (Ext1 taking usk(P ) as input). This is exactly what is required in the ACRS model. Given a relation R, a general and efficient construction of IA-NMZPoK protocol for R is presented in the full version paper available at eprint.iacr.org/2008/392. 2.4
Commitment Scheme
We need the non-interactive identity-based trapdoor commitment scheme [5] (IBTC for short) as another important tool in our construction. Definition 2.5 (IBTC scheme [5]). The non-interactive identity-based trapdoor commitment scheme IBT C = (D, Setup, U KG, Cmt, V f, F akeCmt, F akeDmt) is a group of P.P.T. algorithms, where D(k) generates id, Setup(k) generates master public/secret key-pair (mpk, msk), U KG(msk, id) generates id’s user private-key usk(id), Cmt(mpk, id, M ) generates message M ’s commitment/decommitment pair (cmt, dmt), V f (mpk, id, M, cmt, dmt) outputs 0 or 1, by verifying whether cmt is M ’s commitment with respect to id. These algorithms are consistant, i.e., for any M : P r[(mpk, msk) ← Setup(k); (cmt, dmt) ← Cmt(mpk, id, M ) : V f (mpk, id, M, cmt, dmt) = 1] = 1 F akeCmt(mpk, id, usk(id)) generates (cmt, λ), F akeDmt(mpk, M, λ, cmt) gen¯ erates d(w.l.o.g. λ contains idusk(id) as one of its components so F akeDmt doesn’t explicitly take id and usk(id) as its input). A secure IBTC scheme has the following properties: (1) Hiding: for any id and M0 , M1 , (cmti , dmti ) ← Cmt(mpk, id, Mi ), i = 0, 1, then cmt0 ≈P.P.T. cmt1 ; binding (2) Binding: for any P.P.T. algorithm A, the function AdvIBT C,A (k) ≡ P r[(mpk, ∗ ∗ ∗ ∗ ∗ ∗ UKG(msk,.) msk) ← Setup(k); (id , cmt , M0 , d0 , M1 , d1 ) ← A (mpk) : A doesn’t
252
Y. Tian and H. Zhang
query oracle-U(msk,.) with id∗ ∧ M0∗ = M1∗ ∧ V f (mpk, id∗ , M0∗ , cmt∗ , d∗0 ) = ∗ ∗ ∗ ∗ V f (mpk, id , M1 , cmt , d1 ) = 1] is always negligible in k. (3) Equivocability: For any P.P.T. algorithm A = (A1 , A2 ) the following experiment always has |P r[b∗ = b] − 1/2| upper-bounded by a negligible function in k: (mpk, msk) ← Setup(k); (St, id∗ , M ∗ ) ← A1 (mpk, msk); usk(id∗ ) ← U KG(msk, id∗ ); (cmt, λ) ← F akeCmt(mpk, id∗ , usk(id∗ )); d1 ← F akeDmt(mpk, M ∗ , λ, cmt); d0 ←$ {0, 1}|d1| ; b ←$ {0, 1}; b∗ ← A2 (St, db ); Note that equivocability implies P r[V f (mpk, id∗ , M ∗ , cmt, d∗1 ) = 1] > 1 − γ(k) where γ(k) is a negligible function in k. [5] presents an efficient IBTC construction and proved its security.
3
General Construction
Now we present the formal construction of the real-world private set-intersection computation protocol Ψ . P1 and P2 denote two real-world parties with private set X1 = {x1 , . . . , xN 1 } and X2 = {y1 , . . . , yN 2 } respectively. Π = (ESetup, U KG, E, D) is a selective AN O CP A anonymous IBE scheme, ΔΠ Blind−UKG is the real-world protocol for Π’s user private-keys blind generation. IA-NMZPoK(w : R(x, w) = 1) denotes an IA-NMZPoK protocol for relation R where w is x’s witness. T C = (D, T Setup, U KG, Cmt, V f, F akeCmt, F akeDmt) is an IBTC scheme. M0 is a (fixed) public common plaintext. Ψ ’s ACRS is mpkT C mpkΔ mpkZK M0 where mpkT C , mpkΔ , mpkZK are respectively TC’s, ΔΠ Blind−UKG ’s and an IA-NMZPoK protocol (see below)’s master public key. Ψ works as follows: (1) P1 computes Π’s master public/secret-key (mpk, msk) ← ESetup(k), for each xi ∈ X1 (i = 1, . . . , N1 ) computes ciphertext ξi ← E(mpk, xi , M0 ; ri ) where ri is the independent randomness in each encryption, then computes (cmt, dmt) ← Cmt(mpkT C , P2 , ξ1 . . . ξN 1 ) and sends mpkcmt to P2 . (2) P1 and P2 run the protocol ΔΠ Blind−UKG where P1 (as the key-generater) inputs (mpk, msk) and P2 (as the key-receiver) inputs y1 , . . . , yN 2 to ΔΠ Blind−UKG . On ΔΠ ’s completion, P obtains N and P obtains usk(y 1 2 2 1 ), . . . , Blind−UKG usk(yN 2 ) as the output. (3) P1 sends ξ1 . . . ξN 1 dmt to P2 . (4) P2 verifies V f (mpkT C , P2 , ξ1 . . . ξN 1 , cmt, dmt) = 1. (5) P1 runs the protocol IA-NMZPoK((xi , ri ) : ξi = E(mpk, xi , M0 ; ri ), i = 1, , N1 ) as a prover with P2 as a verifier. On this IA-NMZPoK’s completion, P2 tries to decrypt each ξi by usk(yj )’s it obtained in step 2 and generates the set X0 ← {yj ∈ X2 : there exists ξi s.t. D(mpk, usk(yj ), ξi ) = M0 }. (6) P1 outputs N2 and P2 outputs X0 .
GUC-Secure Set-Intersection Computation
253
This general construction of Ψ is a ΔΠ Blind−UKG -hybrid protocol and we reGUC Π quire ΔΠ → F Blind−UKG Blind−UKG (definition 2.1). Since for each ξi = E(mpk, xi , M0 ; ri ), D(mpk, usk(yj ), ξi ) = M0 if and only if xi = yj so X0 = X1 ∩ X2 , i.e., P2 outputs the correct intersection. Regarding security, because the IBE scheme Π is (selective) anonymous, i.e., ciphertext ξi hides xi unless P2 has the correct user private-key usk(xi ), P2 knows nothing about X1 beyond X1 ∩ X2 . On the other hand, ΔΠ Blind−UKG ’s (GUC) security prevents P1 from knowing anything about P2 ’s private set X2 . GUC Π However, merely requiring ΔΠ FBlind−UKG cannot guarantee Blind−UKG → Ψ ’s GUC-security but only “half GUC-security” instead (i.e., the real adversary A corrupting P1 can be completely simulated by an ideal adversary S but this is not true when A corrupts P2 . Only data-privacy can be proved in the latter case). In order to make the real adversary always completely simulatable in ideal-world, some additional property is required for ΔΠ Blind−UKG . This leads to definition 3.1 and it is not hard to verify that our concrete construction of ΔΠ Blind−UKG in section 4 really satisfies this definition. Definition 3.1 (IBE’s User Private-keys Blind Generation Protocol with Extractor). Given IBE scheme Π=(ESetup, U KG, E, D) and GUC Π ΔΠ FBlind−UKG , let P1 , P2 be ΔΠ Blind−UKG → Blind−UKG ’s parties where P2 provides user-id a and obtains usk(a), P1 owns msk and (blindly) generates usk(a) for P2 . This ΔΠ Blind−UKG is defined as extractable, if there exists P.P.T. algorithm SetupΔ, U KGΔ , ExtΔ = (Ext1 , Ext2 ) and a negligible function δ(k), called the error function, such that (1) SetupΔ (k) generates the master public/secret-key pair (mpkΔ , mskΔ ). (2) U KGΔ (mskΔ , id) outputs a trapdoor uskΔ (P2 ) when id = P2 (key-receiver’s identity) and outputs nothing otherwise. (3) for any user-id a, honest P1 and any P.P.T. algorithm A, it is true that (via notations in subsection 2.3) Ext1 (usk(P2 )) outputs (σ, τ ) such that P r[Ext2 (mpkτ ; A(a))[σ] =a]>P r[Aa (mpk; P1 (mpk, msk))[σ] =U KG(msk, a)]−δ(k) where (mpk, msk) is Π’s master public/secret-key owned by P1 (mpk is published). We stress that all extractors in definition 2.3 and definition 3.1 are non-rewinding. Combining all the instantiations of subprotocols in this general construction (some presented in next section 4), it’s easy to see that we can get a O(1) and O(N1 + N2 ) message-complexity solution. Furthermore P1 , P2 has computationcomplexity of O(N1 + N2 ) and O(N1 N2 ) encryptions/decryptions respectively. The exact efficiency analysis can be only done for specific instantiation (e.g., that presented in next section) which is provided in the full version paper. The formal security consequence is the following theorem. Theorem 3.1. Suppose that Π=(ESetup, U KG, E, D) is a selective AN O CP A GUC Π anonymous IBE scheme, ΔΠ FBlind−UKG with extractor Blind−UKG →
254
Y. Tian and H. Zhang
ExtΠ = (ExtΠ,1 , ExtΠ,2 ) and error function δ as in def.3.1, IA-NMZPoK((xi , ri ) : ξi = E(mpk, xi , M0 ; ri ), i = 1, . . . , N1 ) is an IA-NMZPoK protocol, T C = (D, T Setup, U KG, Cmt, V f, F akeCmt, F akeDmt) is an IBTC scheme, then Ψ →GUC FIN T assuming static corruptions. Proof. At first it’s easy to verify that Ψ produces the correct intersection X1 ∩X2 at P2 . Now we prove its GUC-security in two cases that the real-world adversary A corrupts P1 or P2 respectively. Below P1∗ and P2∗ stand for P1 and P2 ’s respective counterparts in ideal-world. All parties are assumed to be initialized with a copy of the common reference string ACRS, i.e., the concatenation of TC’s master public-key mpkT C , ΔΠ Blind−UKG ’s mpkΔ , the IA-NMZPoK protocol’s mpkZK and M0 , generated by the pre-setup GACRS . For this ACRS, its msk is mskT C mskΔ mskZK and U KG(msk, id) outputs usk(id) = uskT C (id)uskΔ (id)uskZK (id) where uskT C (id), uskΔ (id) and uskZK (id) are respectively T C’s, ΔΠ Blind−UKG ’s and the IA-NMZPoK protocol’s user private-keys corresponding to id ∈ {P1 , P2 }. Π (1) A corrupts P1 : for simplicity we first make the proof in FBlind−UKG -hybrid model and then complete the proof by generalized universal composition the∗ orem. Let X1 = {x∗1 , . . . , x∗N 1 } be A’s (i.e., P1 ’s) own set, X2 = {y1∗ , . . . , yN 2} ∗ be P2 ’s own set. We need to construct an ideal adversary S1 who corrupts P1∗ , runs A as a black-box and simulates the real-world honest party P2 to interact with A: On receiving the message (sid, “input”, N2 ) from FIN T , S1 gets usk(P1 ) by querying the shared functionality GACRS with (“retrieve”, sid, P1 ) where usk(P1 )=uskT C (P1 )uskΔ (P1 )uskZK (P1 ), computes (σ, s, τ ) ←IA-NMZPoK:: Ext1 (uskZK (P1 )) (to avoid ambiguity, we use Γ :: f to represent a protocol Γ ’s algorithm f ), generates N2 data-items y1 , . . . , yN 2 at random and then starts A; After A sends the first message (mpkcmt), S1 interacts with A as an honest Π key-receiver in model of FBlind−UKG and obtains usk(y1 ), . . . , usk(yN 2 ); S1 intercepts the message ξ1 . . . ξN 1 dmt sent from A, verifies whether V f (mpkT C , P2 , ξ1 . . . ξN 1 , cmt, dmt) = 1 and then participates in protocol IANMZPoK((x∗i , ri ) : ξi = E(mpk, x∗i , M0 ; ri ), i = 1, . . . , N1 as a verifier calling the knowledge extractor IA-NMZPoK::Ext2 (τ ) to extract the witness (x∗i , ri ), i = 1, . . . , N1 (in fact only x∗i ’s are needed in this proof); S1 sends the message (sid,“input”, {x∗1 , . . . , x∗N 1 }) to FIN T , then outputs whatever A outputs to the environment. Let tr(A, S1 ) denote the transcripts due to the interaction between S1 and A, trψ (A, P2 (X2 )) denote the transcripts due to the interaction between A and P2 (X2 ) in the real-world protocol Ψ (P2 (X2 ) means the real-world party possessing the same private set X2 as P2∗ ). From A’s perspective, the difference beΠ tween tr(A, S1 ) and trψ (A, P2 (X2 )) is that the former provides FBlind−UKG with Π ∗ ∗ {y1 , . . . , yN 2 } as the input, the latter provides FBlind−UKG with {y1 , . . . , yN 2 }, Π but according to FBlind−UKG ’s specification A knows nothing about what dataΠ items are provided to FBlind−UKG by the other party except the number N2 , as a result, tr(A, S1 ) ≈ trψ (A, P2 (X2 )) (perfectly indistinguishable) from A’s
GUC-Secure Set-Intersection Computation
255
perspective. In particular, the distribution of A’s output due to interactions with S1 is the same as that (in real-world protocol Ψ ) due to interactions with P2 (X2 ). Let η be IA-NMZPoK protocol’s error function, AdvTbinding be attacker’s advanC tage against TC’s binding property, all are negligible functions in k. It’s not hard to show (by contradiction) that the probability with which S1 correctly extracts all A’s data-items x∗1 , . . . , x∗N 1 is greater than P r[P2 (mpkξ1 . . . ξN 1 ; A) = 1] − N1 (η + AdvTbinding ) ≥ P r[X0 = X1 ∩ X2 ] − N1 (η + AdvTbinding ), thereC C fore, the difference between the probability with which P2∗ (X2 ) outputs X1 ∩ X2 under the ideal-world adversary S1 ’s attacks and the probability with which P2 (X2 ) outputs X1 ∩ X2 under the real-world adversary A’s attacks against Ψ is upper-bounded by N1 (η +AdvTbinding ), also a negligible function in k. Combining C all the above facts, for any P.P.T. environment Z we have outputZ (Ψ, A) ≈P P T Π outputZ (FIN T , S1 ), i.e., Ψ →GUC FIN T in FBlind−UKG -hybrid model. Π Now replace the ideal functionality FBlind−UKG with ΔΠ Blind−UKG in Ψ . By GUC Π what is just proved, the assumption ΔΠ → F Blind−UKG Blind−UKG and the GUC-theorem, we still have the GUC-emulation consequence. In addition, it’s not hard to estimate S1 ’s time complexity TS1 = TA + O(N2 + N1 Te ) where TA and Te are A’s and the knowledge extractor’s computation time. ∗ ∗ (2) A corrupts P2 : Denote A’s (i.e.,P2 ’s) own set as X2 = {y1∗ , . . . , yN 2 }, P1 ’s ∗ ∗ own set as X1 = {x1 , . . . , xN 1 }, we need to construct an ideal adversary S2 . S2 corrupts P2∗ , gets usk(P2 ) by querying the pre-setup GACRS with (“retrieve”, sid, P2 ) where usk(P2 ) = uskT C (P2 )uskΔ (P2 )uskZK (P2 ), generates (σ, s) ←IANMZPoK::Sim1(uskZK (P2 )), runs A as a black-box and simulates the real-world honest party P1 to interact with A: On receiving message (sid, “input”, N1 ) from FIN T , S2 generates x1 , . . . , xN 1 at random, computes (mpk, msk) ← Setup(k) and ξi ← E(mpk, xi , M0 ; ri ) for each xi where ri is the independent randomness in each encryption, computes (cmt0 , λ) ← F akeCmt(mpkT C , P2 , uskT C (P2 )), starts A and sends the message mpkcmt0 to A; S2 interacts with A as the user private-key generator in ΔΠ Blind−UKG and calls ∗ ∗ the extractor ΔΠ :: Ext (usk (P )) to extract y Δ Δ 2 1 , . . . , yN 2 , sends the Blind−UKG ∗ ∗ ∗ message (sid, “input”, P2 , {y1 , . . . , yN 2 }) to FIN T ; S2 sends the message (sid, “intersection”, P2∗ ) to FIN T and gets the response ∗ ∗ {yj1 , . . . , yjt } (i.e., the set-intersection). To simplify the symbol, denote this response set as {y1∗ , . . . , yt∗ }. S2 computes ξi∗ ← E(mpk, yi∗ , M0 ; ri∗ ) (ri∗ ’s are selected at random) for i = 1, . . . , t, replaces arbitrary t ξi ’s with ξi∗ ’s and keeps other N1 -t ξi ’s unchanged, 0 making a new sequence denoted as ξ1 . . . ξN ← 1 , computes dmt 0 F akeDmt(mpkT C , ξ1 . . . ξN 1 , λ, cmt ). S2 sends the message ξ1 . . . ξN 1 dmt0 to A, interacts with A by calling IA-NMZPoK::Sim2(ξ 1 . . . ξN , s) where 1 ξi = E(mpk, x0i , M0 ; ri ), i = 1, . . . , N1 , x0i = yi∗ for t of N1 i’s and x0i = xi for other i’s. Finally S2 outputs whatever A outputs to the environment. Let tr(S2 , A) denote the transcripts due to the interaction between A and S2 , trΨ (P1 (X1 ), A) denote the transcripts due to the interaction between A and
256
Y. Tian and H. Zhang
the real-world party P1 (X1 ) (possessing the same set X1 = {x∗1 , . . . , x∗N 1 } as the ideal-world party P1∗ ). From A’s perspective, the differences between these two transcripts are: a) cmt in these two transcripts are respectively cmt0 output by F akeCmt and cmt output by Cmt(mpkT C , P2 , E(mpk, x∗1 , M0 ; r1 ) . . . E(mpk, x∗N 1 , M0 ; rN 1 )); b) dmt in these two transcripts are dmt0 output by F akeDmt and dmt output by Cmt(mpkT C , P2 , E(mpk, x∗1 , M0 ; r1 ) . . . E(mpk, x∗N 1 , M0 ; rN 1 )) respectively; c) Among the ciphertext sequence ξ1 . . . ξN 1 in these two transcripts, there are t ciphertexts ξi having the same identity public-key (i.e., x∗i ) but the remaining N1 -t ciphertexts having different identity public-keys; d) there are t IA-NMZPoK-witness’ with the same x0i . By TC’s equivocation property, (cmt, dmt)’s are P.P.T.-indistinguishable in both cases; because of IBE scheme’s selective AN O CP A anonymity, ξ1 . . . ξN 1 dmt in both cases are P.P.T.-indistinguishable (otherwise suppose they are P.P.T.-distinguishable with the difference δ ≥ 1/poly(k), it’s easy to construct a selective AN O CP A attacker against Π with an advantage at least δ/N1 , contradicting with Π’s selective AN O CP A anonymity). Now (1) (1) denote the ciphertext sequence ξ1 . . . ξN 1 in two cases as ξ1 . . . ξN 1 (2) (2) and ξ1 . . . ξN 1 respectively, denote the transcripts in session of IA(1) (1) NMZPoK as IA-NMZPoK(1)(= trS2(x1,,xN 1),A (mpkM0 ξ1 . . . ξN 1 )) and IA(2)
(2)
NMZPoK(2)(=trP 1(x∗ 1,...,x∗ N 1),A (mpkM0 ξ1 . . . ξN 1 )) respectively, by the (1) above analysis we have ξ1 . . . (1) (2) (2) ξN 1 ≈P P T ξ1 . . . ξN 1 ; furthermore,
by IA-NMZPoK’s zero-knowledge prop-
erty we have (2)
(2)
IA-NMZPoK(2) ≈P P T IA-NMZPoK::Sim2(ξ1 . . . ξN 1 , s) and by S2 ’s construction we also have (1)
(1)
IA-NMZPoK(1) =IA-NMZPoK::Sim2(ξ1 . . . ξN 1 , s) so IA-NMZPoK(1) ≈P P T IA-NMZPoK(2). As a result, the transcripts received by A in both cases are P.P.T.-indistinguishable. Let δ be ΔΠ Blind−UKG ’s extractor’s error function (negligible in k), then the probability with which S2 correctly extracts A’s one data-item yi∗ is at least P r[A(mpk; P1 (mpk, msk)) = U KG(msk, yi∗ )] − δ, so the probability with which ∗ S2 correctly extracts A’s all data-items y1∗ , . . . , yN 2 is at least P r[A(mpk; ∗ P1 (mpk, msk)) = U KG(msk, yi ) : i = 1, . . . , N2 ] − N2 δ ≥ P r[X0 = X1 ∩ X2 ] − N2 δ. As a result, S2 ’s output is P.P.T.- indistinguishable from A’s output in Ψ with respect to the GUC-environment Z with an error upper-bounded by AN O CP A N1 (k)AdvΠ (k) + N2 δ, which is also negligible in k. Note that in both cases the other party P1∗ (X1 ) and P1 (X1 ) always output the same N2 , so we have the consequence that outputZ (ψ, A) ≈P P T outputZ (FIN T , S2 ) and it’s easy to estimate S2 ’s time-complexity TS2 = TA + O(N1 + N2 Text ) where TA and Text are A’s and the extractor’s computation-time. By all the facts, we have Ψ →GUC FIN T .
GUC-Secure Set-Intersection Computation
4
257
An Instantiation via Boyen-Waters IBE Scheme
Theorem 3.1 presents security conditions for the general construction Ψ , among which some are available in existing works, e.g., the commitment scheme can be directly borrowed from [5]. The subprotocols which require new efficient constructions are only IBE scheme’s user private-keys generation protocol and the protocol IA-NMZPoK((a, r) : ξ = E(mpk, a, M0 ; r)). In this section we present an efficient instantiation of Ψ via Boyen-Waters IBE scheme. 4.1
Boyen-Waters IBE [3]
Given an bilinear group pairing ensemble J = {(p, G1 , G2 , e)}k where |G1 | = |G2 | = p, p is k-bit prime number, e : G1 × G1 → G2 is a non-degenerate pairing, Boyen-Waters IBE consists of ESetup(k) : g, g0 , g1 ←$ G1 ; ω, t1 , t2 , t3 , t4 ←$ Zp ; Ω ← e(g, g)t1 t2 ω ; v1 ← g t1 ; v2 ← g t2 ; v3 ← g t3 ; v4 ← g t4 ; mpk ← (G1 , G2 , p, e, Ω, g, g0 , g1 , v1 , v2 , v3 , v4 ); msk ← (ω, t1 , t2 , t3 , t4 ); return(mpk, msk); U KG(msk, a), a ∈ Zp : r1 , r2 ←$ Zp ; usk(a) ← (g r1 t1 t2 +r2 t3 t4 , g −t2 (g0 g1a )−r1 t2 , g −t1 (g0 g1a )−r1 t1 , (g0 g1a )−r2 t4 , (g0 g1a )−r2 t3 ); return(usk(a)); E(mpk, a, M ), M ∈ G2 : s, s1 , s2 ←$ Zp ; ξ ← (Ω s M, (g0 g1a )s , v1s−s1 , v2s1 , v3s−s2 , v4s2 ); return(ξ); D(mpk, usk(a), (ξ00 , ξ0 , ξ1 , ξ2 , ξ3 , ξ4 )) where usk(a) ≡ (d0 , d1 , d2 , d3 , d4 ) : T ← e(d0 , ξ0 )e(d1 , ξ1 )e(d2 , ξ2 )e(d3 , ξ3 )e(d4 , ξ4 ); return(ξ00 T ). [3] has proven that assuming the decisional bilinear Diffie-Hellman problem (DBDHP)’s hardness on J, this scheme is IN D CP A secure (data-private); assuming the decisional linear problem (D-LP)’s hardness, this scheme is selective AN O CP A anonymous. Notice that D-BDHP hardness implies D-LP’s hardness, all the above consequences can be also obtained only under D-BDHP’s hardness. 4.2
aters User Private-Keys Blind Generation Protocol ΔBoyen−W Blind−U KG and Its GUC-Security
For simplicity we only present how to blindly generate usk(a) for a single userid a. The generalization to blindly generating usk(a1 ) . . . usk(aN ) for multiple user-id’s a1 . . . aN is trival and still constant-round, though the total messagecomplexity is linearly increased. The two parties are P1 (with private input msk) and P2 (with private input a). Both parties have the common input mpk where (mpk, msk) are generated
258
Y. Tian and H. Zhang
by IBE scheme’s ESetup(k) (usually msk per se is the randomness in ESetup aters so we use a simplified notation mpk ← ESetup(msk) hereafter). ΔBoyen−W Blind−UKG has two IA-NMZPoK subprotocols (see below) which ACRS’s are denoted as aters mpkZK,II and mpkZK,III . ΔBoyen−W is in ACRS model which ACRS is Blind−UKG Boyen−W aters mpkZK,II mpkZK,III . ΔBlind−UKG works as follows: (1) P1 runs a protocol IA-NMZPoK(msk : mpk = ESetup(msk)) as a prover with P2 as a verifier, where the meaning of the notation IA-NMZPoK(msk : mpk = ESetup(msk)) follows section 3. Denote this protocol as IA-NMZPoKII . (2) P2 selects r1 , r2 , y1 , y2 , y3 , y4 at random, computes Ui ← g ri , Vi ← (g0 g1a )−ri for i = 1, 2 and hj ← g yj g1a for j = 1, 2, 3, 4, sends U1 U2 V1 V2 h1 h2 h3 h4 to P1 . Then P2 runs the protocol IA-NMZPoK((a, r1 , r2 , y1 , y2 , y3 , y4 ) : ∧i=1,2 Ui = g ri ∧i=1,2 Vi = (g0 g1a )−ri ∧j=1,2,3,4 hj = g yj g1a ) as a prover with P1 as a verifier. Denote this protocol as IA-NMZPoKIII . (3) P1 selects σ, r1 , r2 at random, computes d0 ← (g r1 U1σ )t1 t2 (g r2 U2σ )t3 t4 ; d1 ← −t2 −r1 t2 σt2 r1 t2 −t1 −r1 t1 σt1 g (h1 g0 ) V1 ; d1 ← g ; d2 ← g (h2 g0 ) V1 ; d2 ← g r1 t1 ; d3 ← σt σt (h3 g0 )−r2 t4 V2 4 ; d3 ← g r2 t4 ; d4 ← (h4 g0 )−r2 t3 V2 3 ; d4 ← g r2 t3 and sends d0 d1 d1 d2 d2 d3 d3 d4 d4 to P2 . y (4) P2 computes dj ← dj dj j , j = 1, 2, 3, 4 and outputs (d0 , d1 , d2 , d3 , d4 ). It’s easy to show by direct calculation that P2 outputs the cor rect usk(a) = (d0 , d1 , d2 , d3 , d4 ) where d0 =g (r1 +r1 σ)t1 t2 +(r2 +r2 σ)t3 t4 , d1 =g −t2 (g0 g1a )−(r1 +r1 σ)t2 , d2 = g −t1 (g0 g1a )−(r1 +r1 σ)t1 , d3 = (g0 g1a )−(r2 +r2 σ)t4 , d4 = (g0 g1a )−(r2 +r2 σ)t3 . Theorem 4.1. Suppose the bilinear group pairing J has D-BDHP hardness, both IA-NMZPoKII and IA-NMZPoKIII are identity-augmented non-malleable zero-knowledge proof protocols for specific relations described in the above, aters Boyen−W aters then ΔBoyen−W →GUC FBlind−UKG assuming static corruptions and Blind−UKG aters ΔBoyen−W satisfies def. 3.1. Blind−UKG The full version paper (eprint.iacr.org/2008/392) has detailed proof and all related IA-NMZPoK protocols’ constructions.
References 1. Aumann, Y., Lindell, Y.: Security against Covert Adversaries: Efficient Protocols for Realistic Adversaries. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 137–156. Springer, Heidelberg (2007) 2. Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T., Lange, T., Malonelee, J., Neven, G., Paillier, P., Shi, H.: Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE and Extensions. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 205–222. Springer, Heidelberg (2005) 3. Boyen, X., Waters, B.: Anonymous Hierarchical Identity-based Encryption without Random Oracles. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290–307. Springer, Heidelberg (2006)
GUC-Secure Set-Intersection Computation
259
4. Canetti, R.: Universally Composable Security: A New Paradigm for Cryptographic Protocols. In: 42nd Annual Symposium on foundations of computer Science. IEEE Computer Society, pp. 136–145. IEEE Press, New York (2001) (Updated in 2005, http://eprint.iacr.org/2000/067http://eprint.iacr.org/2000/067) 5. Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally Composable Security with Global-Setup. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 61–85. Springer, Heidelberg (2007) 6. Dodis, Y., Shoup, V., Walfish, S.: Efficient Constructions of Composable Commitments and Zero-Knowledge Proofs. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 515–535. Springer, Heidelberg (2008) 7. Freedman, M., Ishai, Y., Pinkas, B., Reingold, O.: Keyword Search and Oblivious Pseudorandom Functions. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 303–324. Springer, Heidelberg (2005) 8. Freedman, M., Nissim, K., Pinkas, B.: Efficient Private Matching and Set Intersection. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 1–19. Springer, Heidelberg (2004) 9. Garay, J., MacKenzie, P., Yang, K.: Strengthening Zero-Knowledge Protocols Using Signatures. Journal of Cryptology 19(2), 169–209 (2006) 10. Goldreich, O.: Foundations of Cryptography, vol. 1-2. Cambridge University Press, Cambridge (2004) 11. Hazay, C., Lindell, Y.: Efficient Protocols for Set Intersection and Pattern Matching with Security Against Malicious and Covert Adversaries. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 155–175. Springer, Heidelberg (2008) 12. Kissner, L., Song, D.: Privacy-Preserving Set Operations. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 241–257. Springer, Heidelberg (2005) 13. MacKenzie, P., Yang, K.: On Simulation-Sound Trapdoor Commitments. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 382–400. Springer, Heidelberg (2004)
Appendix A: ACRS Model Recently [5] improves and generalizes the early UC-theory proposed in [4] to make a more general, realistic and strictly stronger security notion. The universal composition theorem is still true in this paradigm, however, the pre-setup needs to be strictly enhanced. In GUC paradigm the CRS model is insufficient to implement general cryptographic functionalities, instead we need a new pre-setup model called ACRS (augmented common reference string) model. This pre-setup Setup,UKG can be performed via a shared functionality Gacrs with two parameter functions Setup and U KG similar to IBE scheme’s master public/secret-key Setup,UKG generator and its user private-key generator. Gacrs ’s program is [5]: Initialization Phase: compute (mpk, msk) ← Setup(k) and store (mpk, msk); Running Phase: on receiving message (“CRS request”,Pi ) from any party Pi , response (“ACRS”, mpk) to Pi and the adversary S; On receiving message (“Retrieve”,sid,Pi ) from a corrupt party Pi , compute usk(Pi ) ← U KG(msk, Pi ) and return the message (“Private-key”, sid, usk(Pi )) to Pi ; if Pi is not a corrupt party, response nothing.
Self-enforcing Private Inference Control Yanjiang Yang1 , Yingjiu Li2 , Jian Weng3 , Jianying Zhou1 , and Feng Bao1
2
1 Institute for Infocomm Research, Singapore {yyang,jyzhou,baofeng}@i2r.a-star.edu.sg School of Information Systems, Singapore Management University
[email protected] 3 Dept. of Computer Science, Jinan University, China
[email protected]
Abstract. Private inference control enables simultaneous enforcement of inference control and protection of users’ query privacy. Private inference control is a useful tool for database applications, especially when users are increasingly concerned about individual privacy nowadays. However, protection of query privacy on top of inference control is a double-edged sword: without letting the database server know the content of user queries, users can easily launch DoS attacks. To assuage DoS attacks in private inference control, we propose the concept of selfenforcing private inference control, whose intuition is to force users to only make inference-free queries by enforcing inference control themselves; otherwise, penalty will inflict upon the violating users. Towards instantiating the concept, we formalize a model on selfenforcing private inference control, and propose a concrete provably secure scheme, based on Woodruff and Staddon’s work. In our construction, “penalty” is instantiated to be a deprivation of users’ access privilege: so long as a user makes an inference-enabling query, his access privilege is forfeited and he is rejected to query the database any further. We also discuss several important issues that complement and enhance the basic scheme. Keywords: Inference control, self-enforcing, database.
1
Introduction
The inference problem, first studied in statistical databases [2,11] and then extended to multilevel databases and general-purpose databases [14], has been a long standing issue in database security. Inference refers to the fact that sensitive information beyond one’s privileges (with respect to the access control policy) can be inferred from the unsensitive data to which one is granted access. Access control (e.g., mandatory access control mechanism) cannot solve the inference problem, since inference results from the combination of a series of legitimate queries that are authorized by access control. The set of queries whose responses lead to inference is said to form an inference channel. The aim of inference control is to prevent the formation of inference channels. Many of the J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 260–274, 2009. c Springer-Verlag Berlin Heidelberg 2009
Self-enforcing Private Inference Control
261
inference control methods audit queries in order to ensure that a user’s current query, together with his past queries, cannot form any inference channel (see e.g., [12,26,13,8,10,16,21,22,29]). By complementing access control, inference control works as an extra line of defence to database secrecy. What forms an inference channel depends closely on the data to be protected and the protection objective. For example, in statistical databases, the objective is to answer queries on statistics of records (e.g., sum, mean, etc) without releasing individual records [4]; so an inference channel is created if an individual value can be deduced from a set of queries, each of which returns a statistic value of multiple records. In a multilevel database, a set of queries involving data classified at lower levels forms an inference channel if data classified at a high level can be derived from them, by means of database integrity constrains such as functional, multivalued, and join dependencies [3,27]. Our concern in this work is the inference channels that result in identifying the subjects contained in the database. As an example, let us consider a database of medical records for individuals: the explicit identifying information such as patient name or social security number is clearly sensitive; in contrast, individual attributes such as age, sex, ZIP code, date of birth, profession, and marital status are not personally identifiable, as each of them alone usually does not contain sufficient information to uniquely identify any individuals, thereby should not be classified as sensitive. However, a combination of all or some of these non-sensitive attributes may be uniquely identifiable, thus forming an inference channel. Inference control in this context works by blocking users who access the database from obtaining responses of the queries that cover all the attributes necessary to complete an inference channel. In the setting of database access, equally important is that users who query the database also have privacy concern. Exposure of what data a user is accessing to the database server may lead to the compromise of user privacy [6,7,18,19,23], and possibly subject the user to targeted marketing, financial losses, etc. It is thus desirable that inference control is enforced by the server in a way that query privacy is also preserved (i.e., the server does not learn the content of the query). Note that to that end, a solution necessarily implements private information retrieval (PIR) (cf., [18,23]) so as to satisfy the query privacy requirement, but goes beyond that to also fulfil the inference control requirement. Woodruff and Staddon [28] are believed to be the first to systematically study this problem, and proposed private inference control (PIC) to attain both requirements. Private inference control works in a way that if the current query of a user, together with his prior queries, form an inference channel, then the user obtains a random value instead of the desired data as the query response from the server; while the server learns nothing on the query during the process. Subsequently, Jagannathan and Wright [17] extended private inference control to the case of aggregate database queries: specifically, a user query is a set of indices of the data in the database; the response of a query computes an aggregate function (e.g., sum, average) of the data items indexed by the query. Another related work are the priced oblivious transfer techniques studied by Aiello et al. [1], which can also be used
262
Y. Yang et al.
to attain private inference control for some specific scenarios, but not for the general setting addressed by [28,17]. Private inference control turns out to be a useful tool for database applications, especially at the time when user privacy is increasingly a concern nowadays. Unfortunately, practical deployment of private inference control may encounter an enormous obstacle, due to the fact that since the database server knows nothing about user queries, database systems enforcing private inference control can be easily exploited by users launching DoS attacks, i.e., some users deliberately query the database server to waste the precious resources of the server. It is a well known fact that inference control (even without privacy protection) is extremely computation intensive [2], hence DoS attacks are expected to be particularly effective in private inference control. Directly incorporating access control into inference control cannot entirely solve the problem if inference control does not provide any extra information (e.g., whether a query leads to inference or not) to the enforcement of access control. Without the assistance from inference control, rigid access control rules such as mandating the frequency of user queries or the number of continuous user queries will make the system extremely inconvenient. 1.1
Our Contribution
In this work, we are motivated to propose the concept of self-enforcing private inference control, in an attempt to resolve the above problem in private inference control. The intuition behind self-enforcing private inference control is to force users not to make queries that form inference channels; otherwise, penalty will incur on the querying users. In other words, users are obliged to enforce costly inference control by themselves before making queries and to only make inference-free queries that do not complete inference channels. Further, we manage to instantiate the self-enforcing intuition. Specifically, we formalize a model on self-enforcing private inference control, and propose a concrete scheme which is proven secure under the model. The proposed model and scheme are largely based on Woodruff and Staddon’s work [28]. In our scheme, “penalty” is instantiated to be a deprivation of the access privileges of the violating users. More precisely, if a user makes an inference-enabling query (which completes an inference channel together with his past queries), then the user’s access right is forfeited and he is rejected to make queries any further. We achieve this by incorporating access control into inference control, and basing access control on one-time access keys: a user is able to get the access key for next query only if his current query is inference-free. We point out that this approach lets the server learn in retrospection that a user’s last query is inference-free or not, which relaxes the stringent definition on query privacy set out in [28,17]; but we believe that it can still provide sufficient privacy protection for many practical applications, since the actual content of user queries is not revealed to the server (of course, a discussion on how to achieve the same level of query privacy as in [28,17] is also provided). Furthermore, we also discuss several important issues that complement and enhance our basic scheme.
Self-enforcing Private Inference Control
1.2
263
Organization
We review the building blocks that underly our scheme in Section 2. We then present our model and scheme for self-enforcing private inference control in Section 3, together with the security proof for the scheme. A variety of practical issues that complement and enhance the basic scheme are discussed in Section 4, before we conclude the paper in Section 5.
2
Preliminaries
For ease of understanding, we give a brief introduction to the cryptographic primitives that will be used in our scheme. Homomorphic Encryption. We need an additively homomorphic encryption scheme. Additively homomorphic encryption, E : (G1 , .) → (G2 , +), is a publickey encryption scheme satisfying E(a).E(b) = E(a + b), where a, b ∈ G2 . The Paillier homomorphic encryption [24], introduced below, is a typical additively homomorphic encryption scheme with semantic security. – KeyGen(1κ): Given a security parameter 1κ , this algorithm selects two large primes p, q and sets N = p.q; chooses g whose order of g (mod N 2 ) is a multiple of N . The public key is then set to be pk = (g, N ) and the corresponding secret key is sk = λ(N ) = lcm(p − 1, q − 1). – Hom Enc(M, pk): The encryption of a message M ∈ ZN using pk is the fol∗ lowing: choose a random r ∈ ZN , and compute C = g M rN (mod N 2 ). For notation brevity, we do not explicitly indicate pk in the input list. – Hom Dec(C, sk): The decryption of a ciphertext C using secret key sk is λ (mod N 2 )) M = L(C (mod N ), where L is defined to L(x) = x−1 N . L(gλ (mod N 2 )) The scheme is homomorphic: Hom Enc(M1 ).Hom Enc(M2 ) = (g M1 r1N ).(g M2 r2N ) = g M1 +M2 (r1 r2 )N = Hom Enc(M1 + M2 )
(mod N 2 )
It has been shown by Laur and Lipmaa [20] that the use of the Paillier homomorphic encryption in the setting of Conditional Disclosure of Secrets (ours belongs to this setting) is not secure, when G1 has a composite order. They further proposed a generic encoding mechanism to address this problem. In the rest of the paper, by using Hom Enc and Hom Dec, we assume that Laur and Lipmaa’s technique has already been incorporated in the Paillier homomorphic encryption scheme. Symmetric Private Information Retrieval. The notion of Private Information Retrieval (PIR) was first formalized by Chor et al. [7]. In their formalization, a database is modelled as an n-bit string and held by one or multiple servers; suppose a user wants to retrieve the i-th bit, an execution of PIR between the
264
Y. Yang et al.
user and the server(s) enables the former to get that bit from the latter while without revealing to the latter any information on the index i. In its original form, PIR is not concerned protecting the interest of the database, in the sense that the querying user can end up learning more bits than the requested bit. Symmetric PIR (SPIR) [18] adds to PIR the functionality of also protecting the secrecy of the database, so that the user can get nothing but the requested bit. Our scheme needs to leverage on single-server SPIR protocols, which usually achieve user query privacy relative to the computationally-bounded server. Naor and Pinkas showed how to transform any PIR protocol into such a SPIR protocol [23]. In addition, we also require SPIR protocols to operate on a database of records instead of bits. In fact, it is easy to transfer a bit-oriented SPIR protocol into a record-oriented protocol by treating a record as bits, and running the former as many times as the bit size of the records. Optimizations upon this straightforward method was given in [5]. For the purposes of proof, the SPIR protocol used in our scheme should be secure in the real/ideal model, in the sense that there is a simulator that can extract the index of the requested bit learned by any user U ∗ interacting with the honest server. Applying the transformation techniques of [23] to the PIR protocols in [9,19] yields such SPIR protocols.
3 3.1
Self-enforcing Private Inference Control Model
We consider a single-server scenario: the server houses a database consisting of a set of records, and allows users to retrieve records from the database. On the one hand, the server enforces inference control such that in a query, a user gets the requested record only if it does not complete an inference channel, together with his previous retrieved records. On the other hand, users want their query privacy to be protected, such that the server does not learn what records they are retrieving. The database is a string d ∈ ({0, 1}m)n of n records, each record has m attributes (note that for formalization simplicity, we here consider 1-bit attributes, but extending our formalization and scheme to attributes of larger size is straightforward). Let di denote the ith record and di,j denote the jth attribute value of the ith record. The inference channels we are considering are IC, a set of S ⊆ [1..m], each of which is a set of attribute indices. By IC, it means that for all i ∈ [1..n] and S ∈ IC, a user should not learn di,j for all j ∈ S. As an example, let IC = {{1, 2, 4}, {5, 6}}, then inference control is to prevent a user from getting all 1st , 2nd , 4th attributes and all 5th , 6th attributes of any record. Given a database, IC can be determined by the technique in [25]. Once IC is decided, it is input to both the server and users. Throughout the system’s lifetime, an honest user U generates a sequence of |Q| tuples, Q = ((i1 , j1 ), (i2 , j2 ), · · · , (i|Q| , j|Q| )), in order to retrieve di1 ,j1 , di2 ,j2 , . . ., di|Q| ,j|Q| . Users are allowed to query the database adaptively, so (it , jt ) can be generated depending on all the user’s previous interactions with the server. In our scheme, all pairs in Q are distinct (i.e., no repeated queries are allowed),
Self-enforcing Private Inference Control
265
and as such |Q| (m − 1)n. As we show shortly in Section 4, this is not a weakness, but instead facilitates assuaging DoS attacks. We further discuss how to allow repeated queries if needed. A sequence Q is said to be permissible if it does not compose any inference channel defined in IC, that is, for all S ∈ IC and all i ∈ [1..n], there exists a j ∈ S such that (i, j) ∈ / Q. The sequence Q is non-permissible if it is not permissible. Formally, we can treat Q = Q(U, d) as a random variable over U and d, which are in turn governed, respectively, by two uniform distribution μ and ς, where μ, ς are random bits consumed by the user and the server, respectively. Self-enforcing Private Inference Control (SePIC) is an interactive protocol between a user and the server. Let n, m, IC, 1κ be common input to both parties and d be an extra input to the server, where κ is a security parameter. Another common input is the initial access key K0 shared between the user and the server. The user registers to the server in advance, and gets K0 . Each execution of SePIC processes a query. Let m be the message computed and sent to the server by the user in the th execution of the protocol, and a be the response the server sends back to the user, 1 |Q|, we define M = {mi |1 i }, and A = {ai |1 i }. Let ΩU (A ) be state of the user and ΩS (M ) be state of the server, at the end of the th execution. The states may include the entire query history and the one-time access keys. Definition 1 (Self-enforcing Private Inference Control). Let QG be the query generation algorithm, AC the the access control algorithm, QP the query processing algorithm, and AR the answer reconstruction algorithm. a database access protocol runs the following process between a user and the server: For 1 |Q| 1. The user generates Q = (i , j ) such that Q1 , Q2 , · · · , Q are permissible. 2. The user computes m = QG(i , j , ΩU (A−1 ), μ) and sends m to the server. (1) (1) 3. The server computes (a , ΩS (M )) = AC(m , d, ΩS (M−1 ), ς) and (2) (2) (1) (2) (a , ΩS (M )) = QP(m , d, ΩS (M−1 ), ς), where a = a ∪ a (1) (2) and ΩS (M ) = ΩS (M ) ∪ ΩS (M ). The server then sends a to the user. 4. The user computes (outV , ΩU (A )) = AR(a , i , j , ΩU (A−1 ), μ), where outV is the requested record. We define the view of an arbitrary user U ∗ with respect to an honest but curious server to be V iewU ∗ (d, μ, ς) = (A|Q| , μ, 1κ , m, n, K0 ), and the view of an arbitrary server S ∗ with respect to an arbitrary user U ∗ to be V iewS ∗ (d, μ, ς) = (M|Q| , d, ς, 1κ , m, n, K0 ). A database access protocol consisting of algorithms QG, AC, QP, and AR is a SePIC protocol if it satisfies correctness and security:
266
Y. Yang et al.
Correctness. For all d ∈ ({0, 1}m)n and all honest users U , Pr[∀(iα , jα ) ∈ Q(U, d), outVα = diα ,jα ] = 1
μ,ς
(1)
Security. Security includes the following three aspects. 1. Query Privacy: For all d ∈ ({0, 1}m )n , for any honest user U and any two permissible query sequences Q1 and Q2 with equal length, for all honest but curious servers S ∗ , the probability that S ∗ can distinguish between Q1 and Q2 is negligible. That is, for all polynomial algorithm A, | Pr[A(V iewS ∗ (d, μ, ς)) = 1 | Q(U, d) = Q1 ] − μ
Pr[A(V iewS ∗ (d, μ, ς)) = 1 | Q(U, d) = Q2 ]| (κ) μ
(2)
where (κ) is a negligible function with respect to κ, and the probability is also taken over the random bits consumed by the adversary A. REMARK 1. By this definition, we relax the query privacy definition in [28], in that our definition relates to distinguishing two permissible sequences, while their definition distinguishes any two sequences. However, our definition well suits the setting we are considering, where an inference-enabling query immediately terminates the protocol. 2. Access Control: For any user U and any non-permissible query sequence Q(U, d), the last pair (i|Q| , j|Q| ) ∈ Q(U, d) must be inference-enabling, that is, Pr[(i|Q| , j|Q| ) ∈ Q(U, d) is inference-free | Q(U, d) is non-permissible] (κ). The intuition is that once an inference-enabling query is issued, the user cannot make any further query. Thus the last pair must be the inferenceenabling one. 3. Inference Control: The protocol runs in the real world, and we compare it with the ideal model, where a trusted third party, TTP, when given d ∈ ({0, 1}m)n , and a permissable Q, gives the user di,j for all (i, j) ∈ Q. More precisely, we require that for every U ∗ in the real world and every μ, there exists an efficient U in the ideal model, given the code of U ∗ and μ, that plays U ∗ ’s role, such that for every d ∈ ({0, 1}m)n , U can find a permissable Q such that the output of U ∗ interacting with the honest server and the output of U interacting with TTP are computationally indistinguishable (both the honest server in the real world and TTP in the ideal model are given d). Note that the Q found by U is a random variable induced by the uniform distribution on ς. 3.2
Our Scheme
We next propose a concrete SePIC protocol, assuming IC to be a particular form IC = {{1..m}}. The inference control rule is thus that for any record, the user cannot get all its attributes. The basic idea for our protocol is the following. Prior to query processing, the server enforces access control such that query
Self-enforcing Private Inference Control
267
processing goes on only if the user passes access control step; otherwise, the server rejects the user. Access control is based on a one-time access key shared between the server and the user. When processing a query, the server selects a random one-time key for the user’s next access, and the user will get the key only if his current query is inference free. In other words, if the user issues an inference-enabling query, he will lose his privilege for further queries. This forces the user to be cautious in making queries, and thus enforce inference control by himself to make sure that the query to be issued is inference free. Suppose by an initialization phase, IC is established. The input to the user is (1κ , n, m, K0 ) and to the server is (1κ , d, n, m, K0 ). We show the protocol for executing the user’s th query in Figure 1. For ease of understanding, we next outline the basic idea on how the protocol works. In the Access Control algorithm, as long as there are m − 1 or more i’s among i1 , i2 , · · · , ii−1 being equal to i , in which case the queries thus far are a non-permissible sequence1 , then the total number of e’s satisfying Hom Enc(.) = Hom Enc(0) is at most ( − 1) − (m − 1) = − m. This means that at most − m shares can be recovered, which are not sufficient to recover K+1 in a (− m+ 1)out-of-( − 1) secret sharing scheme (see Figure 1). So the user’s access privilege for next query is ”lost.” Without K+1 , the user is clearly unable to compute di ,j in the Answer Reconstruction algorithm. In this way, inference control is enforced. On the contrary, if the queries are a permissible sequence, K+1 clearly can be correctly recovered, so can the user recover di ,j . Query privacy is enforced due to the use of homomorphic encryption with semantic security and the use of the SPIR protocol: first, from Hom Enc(i ) and Hom Enc(j ) the server learns nothing on (i , j ). Second, through the SPIR protocol the server learns nothing on the entry retrieved by the user in the Query Processing algorithm. Performance. The communication cost for the th query is O()+ |SPIR|, where |SPIR| denotes the communication cost of the SPIR protocol. The computation overhead on the user side is O() plus that of the execution of the SPIR protocol. The computation overhead for the server is O( + nm) plus the execution of the SPIR protocol. 3.3
Security Analysis
We next analyze the security of the above protocol. We have the following theorem. Theorem 1. The protocol given in Figure 1 is a SePIC protocol with respect to Definition 1. Proof. It is not difficult to check that the protocol satisfies the correctness definition, considering our earlier explanation on how the protocol works. In the following, we focus on the security analysis and give the proof sketches. 1
This is because we do not allow repeated queries, so each of such queries must retrieve a different attribute of di .
268
Y. Yang et al.
Let the th pair in query be Q = (i , j ), where 1 |Q|, 1 i n and 1 j m Query Generation QG: If = 1, the user generates a public/private key pair for the homomorphic encryption scheme and passes the public key to the server. The user computes and sends Hom Enc(i ) and Hom Enc(j ) to the server. Access Control AC: 1. If < m, the server sets K+1 = 0, and skips access control, directly going to the Query Processing algorithma . For ≥ m, the server and the user perform an interactive authentication protocol, both using K (for = m, the two use K0 for authentication). If the authentication fails, the server aborts. Otherwise, the server selects a random K+1 , and in turn generates − 1 shares, s1 , s2 , · · · , s−1 , forming a ( − m + 1)out-of-( − 1) sharing of K+1 using a secret sharing scheme. 2. The server computes e1 = Hom Enc((i1 − i )s1 ), e2 = Hom Enc((i2 − i )s2 ), · · · , e−1 = Hom Enc((i−1 − i )s−1 ) using the user’s previous queries. The server then returns e1 , e2 , · · · , e−1 to the user, and also adds (Hom Enc(i ), Hom Enc(j )) to the user’s query history. 3. The user decrypts e1 , e2 , · · · , e−1 ; if the user’s query sequence thus far is permissible, the user can recover at least − m + 1 s s, thus reconstruct K+1 . Query Processing QP: (1) (2) 1. The server selects random numbers ri,j and ri,j , for every 1 i n, 1 (1) j m. The server then forms a table with n× m entries di,j = Hom Enc(r (i − i,j
(2) i ) + ri,j (j − j ) + K+1 + di,j ). Clearly, di ,j = Hom Enc(K+1 + di,j ), and each of the other entries is an encryption of a random number with respect to the user. 2. The user and the server performs a SPIR protocol upon d to get the (i , j )th entry di ,j .
Answer Reconstruction AR: The user decrypts di ,j to obtain K+1 + di ,j . If and only if the user has successfully recovered K+1 in AC, can he then recover di ,j . a
For the first m − 1 queries, access control is not necessary, because even all the m − 1 queries access the same record, they still cannot form an inference channel. From the m-th query onward, the server begins to enforce access control. K0 is then used for authentication in the m-th query, i.e., Km = K0 .
Fig. 1. Our Protocol
Self-enforcing Private Inference Control
269
1. Query Privacy. We prove by contradiction. Let us consider the actual view V iewS ∗ of an arbitrary server S ∗ with respect to an arbitrary honest user U ∗ in the protocol. After omitting the non-essential elements (with respect to query privacy) and common parameters, V iewS ∗ can be written as V iewS ∗ = (Hom Enc(i , j ), {SPIR(i , j )}, 0 )∈|Q| , where Hom Enc(i , j ) is shorthand for Hom Enc(i ) and Hom Enc(j ), {SPIR(i , j )} denotes the interaction transcript produced by an execution of the SPIR protocol, and 0 denotes the fact that the server knows that the query is inference-free. In V iewS ∗ , 0 can be omitted because every query generates the same element to the server. Therefore, we need to consider V iewS ∗ = (Hom Enc(i , j ), {SPIR(i , j )})∈|Q| . The intuition for the proof is then apparent, because it involves distinguishing homomorphic encryption and SPIR protocol transcript. The actual proof is a series of hybrid arguments on distinguishing V iewS ∗ [Q] = (Hom Enc(i , j ), {SPIR(i , j )})∈|Q| and V iewS ∗ [Q ] = (Hom Enc(i , j ), {SPIR(i , j )})∈|Q | , where Q = ((i1 , j1 ), (i2 , j2 ), · · ·), Q = ((i1 , j1 ), (i2 , j2 ), · · ·) are two permissible sequences with equal length. Suppose, to the contrary, that there is a PPT distinguisher D that can distinguish V iewS ∗ [Q] and V iewS ∗ [Q ] with non-negligible advantage Adv, we can show that a PPT D can be constructed to either break the semantic security of homomorphic encryption or break the privacy property of SPIR with advantage Adv/|Q|, by invoking D. The details are straightforward, following the hybrid arguments technique, which can be found in [15]. 2. Access Control. It suffices for us to consider the scenario that the th query is inference-enabling, but the user passes access control in the (+1)th query. We show that the probability for it to occur is negligible. There are two cases to consider. First, the th query is inference-enabling, but the user still manages to recover K+1 . The probability for this apparently is 1/|K|, where K is the space of one-time keys. Second, the user passes the access control in the ( + 1)th query without K+1 . The probability for this entirely relates to the strength of the authentication protocol. We denote this probability as Pr[auth-protocol failure], which is supposed to be negligible. To summarize, we have Pr[(i|Q| , j|Q| ) ∈ Q(U, d) is inference-free | Q(U, d) is non-permissible] 1/|K| + Pr[auth-protocol failure]. 3. Inference Control. We consider an arbitrary user U ∗ with random tape μ. Using a SPIR protocol with security in the real/ideal model, a simulator S, when given U ∗ ’s code and μ in the Access Control algorithm, can be formulated to extract the indices (i , j ) queried by U ∗ . Let U interact with TTP in the ideal model. U runs the code of U ∗ and uses the knowledge extractor of S to obtain (i , j ) and Hom Enc(i , j ) for some i and j . If the extracted indices (i , j ) = (i , j ) or if (i , j ) together with the past pairs queried from TTP form an inference channel, in the second step of Access Control, U will provide Hom Enc(r) for a random number r; otherwise, U will ask TTP for di ,j and follow the protocol as the honest server. U also honestly carries out query generation, asks for one-time keys from TTP, and executes authentication. Thus far, it is not hard to see that U can
270
Y. Yang et al.
generate a computationally indistinguishable view to U ∗ ’s, and in turn a computationally indistinguishable output.
4
Discussions
In this section, we discuss several issues pertaining to the self-enforcing private inference control system presented above. 4.1
Penalty Lifting and an Alternative
In our protocol, once a user issues an inference-enabling query, the user’s access privilege is forfeited for ever. One may argue that this violating-once-thenrejected penalty is too harsh. It is actually not hard to solve this problem in practical applications. For example, one may allow the user to regain his access privilege through some out-of-band channel: the server issues a new one-time access key to the user after the user accepted certain penalty, e.g., credit or financial penalty, and the server resets the user’s access account with this new key. Alternatively, it is possible to implement violating-multitimes-then-rejected penalty. To be specific, we allow a user to make a threshold number of inferenceenabling queries; however, if he makes one more inference-enabling query, then he forfeits his access right. The idea is the following (suppose the threshold is t). The one-time access keys {K } are no longer used for authentication in the Access Control algorithm. Instead, they are used to help a user obtain the onetime authentication keys {AK } , which are actually used in authentication. Of course, the generation and sharing of {K } between the server and the user remain the same as in the original protocol. Without loss of generality, in the th query, the server needs to pass AK+1 , selected randomly by the server, to the user for next access. Note that at this point of time (i.e., the beginning of the query), the user has been given Km (= K0 ), Km+1 , · · · , K , as per the original protocol. We should guarantee that the user gets AK+1 , only if he has made no more than t inference-enabling queries in the past − 1 queries, in which case the user should have obtained at least ( − m+ 1)− t keys among Km , Km+1 , · · · , K . Under this rationale, the server generates − m + 1 shares of AK+1 using a ( − m + 1 − t)-out-of-( − m + 1) secret sharing scheme, and then encrypts (e.g., using a block cipher) each share with a key from Km , Km+1 , · · · , K , and passes the encrypted shares to the user. Clearly, only if the user has made t or less inference-enabling queries, can he decrypt enough shares to reconstruct AK+1 . This method softens the violating-once-then-rejected penalty, thereby more acceptable, but it has the disadvantage that users have to keep their onetime access keys {K } . 4.2
Repeat Queries
Our protocol does not allow for repeat queries. This property is in fact an advantage with respect to our objective of curbing DoS attacks. Imagine that if
Self-enforcing Private Inference Control
271
repeat queries are allowed, a user can simply repeatedly issue an inference-free query to the server for the purpose of DoS attacks. While prohibiting repeat queries is good in combating DoS attacks, some systems may still need to enable repeat queries in catering to commom access custom. We can manage to extend our protocol to provide this property, but with relaxed query privacy. More precisely, it is revealed to the server the information that a query is a repeat one. We believe that such information disclosure is absolutely necessary in an anti-DoS private inference control system, since without distinguishing repeat queries, one cannot expect the server to know when to take actions. We next present an approach in handling repeat queries. The server treats repeat queries separately from the non-repeating queries: the server still uses the original protocol in Figure 1 to answer non-repeating queries, but replies to repeat queries in the following way. A repeat query is in the form of (“repeat query”, (Hom Enc(i), Hom Enc(j))). Suppose the user makes this repeat query after the th non-repeating query, then the user is supposed to have K+1 in his (1) (2) possession. First, the server selects random values ra and ra , for every 1 a (1) (2) , and then generates ea = Hom Enc(ra (i − ia ) + ra (j − ja ) + K+1 + R), where R is a random number, and each of the non-repeating query is Hom Enc(ia ) and Hom Enc(ja ). Note that the involvement of K+1 guarantee that the th non-repeating query must be inference-free. The server then sends (ea )1a to the user, who then decrypts the correct one to get R. It is easy to see that the user gets R only if the repeat query indeed repeats one of the non-repeating queries. (1) (2) Next, the server selects random values ra,b and ra,b , for every 1 a n, 1 b m, and then generates da,b = (Hom Enc(ra,b (i − a) + ra,b (j − b) + R + da,b ). The user then engages in a SPIR protocol with the server to get di,j , and in turn decrypts it to recover di,j with R. We should point out that the access control step is no longer needed in processing repeat queries. However, this does not necessarily weaken the ability to counter DoS attacks, since the server can anyway cap the number of continuous repeat queries. Capping in this case should not be deemed rigid, because the server is dealing with the unusual scenario of repeat queries. (1)
4.3
(2)
Stateful User
The countermeasure to DoS attacks in our protocol is essentially deterrence: if a user makes an inference-enabling query, he is rejected to access the database further. This is expected to force users to be cautious in making queries, and enforce inference control themselves in determining whether or not a query results in inference before querying. Since inference control bases upon a user’s past queries, users in our system have to be stateful, i.e., a user needs to keep his query history. This is not a serious problem if a user always uses a single machine for database access. However, a more general scenario is that a user has multiple machines. It is usually not convenient to freely transfer the up-to-
272
Y. Yang et al.
date query history among multiple machines. Fortunately, the database server in our system maintains (encrypted) query history for all users. As such, a user, at the point of access, can download his past queries from the server’s central repository, rather than keeping his query history on all machines. 4.4
Stricter Query Privacy
As mentioned earlier, our protocol achieves a relaxed level of query privacy, compared to the private inference control protocols in [17,28]. More precisely, by authenticating the user in current query, the database server learns in retrospection that whether the user’s last query is inference free or not (but without knowing the query content). Such information actually is exploited to entitle the server to timely stop the user from possible DoS attacks in our protocol. It is possible to modify our protocol to attain the same level of query privacy as in [17,28], but the resulting protocol is not as effective in curbing DoS attacks as our original protocol. The modification still follows the “self-enforcing” rationale, but the explicit authentication step is disabled or removed: the user will not be able to get the desired records for any further query, once he makes an inferenceenabling query; the server learns nothing about the query. We notice that the same rationale has already been used in [1], and the scheme for the static queries in [28] achieved the same objective as well. Under such a strategy, the server is not aware of inference-enabling queries, thus by default it has to allow any query to proceed. This is the reason why the (modified) protocol is not much effective in preventing DoS attacks. On the other hand, the protocol is still better than those in [17,28] (except for the one for static queries in [28]) in terms of antiDoS-attacks, because the user has to bear the consequences of DoS attacks, i.e., he can never retrieve useful data from the server again. In contrast, the users in the schemes in [17,28] have no worries in issuing inference-enabling queries, since they can still get the correct results as long as their further queries are inference free. The basic idea for the modification is the following. We remove the authentication step in the original protocol, and alter the way the one-time access keys are generated. In the original protocol, one-time access keys are independent of each other, and are selected as random numbers. In the modified protocol, an one-time access key is calculated from a random number together with the last one-time access key. For example, in the th query, K+1 is generated as K+1 = h(K , r), where K is the one-time access key generated in the ( − 1)th query and r is a random number. In the Access Control algorithm, r is secretshared instead of K+1 ; the Query Processing algorithm still uses K+1 . As such, suppose the ( − 1)th query causes inference and the user thus cannot obtain K , then the user in the th query is not able to compute K+1 , even the th query is inference free and the user recovers r; in turn the user cannot recover the requested record in the Answer Reconstruction algorithm. Likewise, without K+1 the user cannot compute K+2 , and so forth.
Self-enforcing Private Inference Control
5
273
Conclusions
DoS attacks are particularly effective in private inference control systems, as the database server learns nothing on user queries. We were thus motivated to propose self-enforcing private inference control. The idea is to force users to be cautious in making queries, as penalty will be inflicted upon the users making inference-enabling queries. To avoid punishment, the users are expected to enforce inference control themselves to determine whether or not a query will result in inference before issuing the query. In this way, the users are deterred from launching DoS attacks. We managed to instantiate the self-enforcing private inference control concept by presenting a formal model and a concrete scheme, which is provably secure under the model. Several important issues pertaining to the practicality of the proposed scheme were also discussed.
Acknowledgments We are grateful to the anonymous reviewers for their helpful comments, and for pointing out to us the work [20] that studied the use of the Paillier homomorphic encryption in Conditional Disclosure of Secrets.
References 1. Aiello, W., Ishai, Y., Reingold, O.: Priced Oblivious Transfer: How to Sell Digital Goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 119–135. Springer, Heidelberg (2001) 2. Adam, N.R., Wortmann, J.C.: Security-Control Methods for Statistical Databases: A Comparative Study. ACM Computing Surveys 21(4), 516–556 (1989) 3. Brodsky, A., Farkas, C., Jajodia, S.: Secure Databases: Constraints, Inference Channels, and Monitoring Disclosures. IEEE Trans. Knowledge and Data Engineering 12(6), 1–20 (2000) 4. Chin, F.Y.: Security Problems on Inference Control for SUM, MAX, and MIN queries. J. ACM (33), 451–464 (1986) 5. Chor, B., Giboa, N., Naor, M.: Private Information Retrieval by Keywords. Technical Report CS0917, Israel Institute of Technology (1997) 6. Chor, B., Gilboa, N.: Computationally private information retrivial. In: Proc. 29th STOC, pp. 304–313 (1997) 7. Chor, B., Kushilevitz, E., Goldreich, O., Sudan, M.: Private information retrieval. Journal of the ACM (1995) 8. Chin, F.Y., Kossowski, P., Loh, S.C.: Efficient Inference Control for Range Sum Queries. Theor. Comput. Sci. 32, 77–86 (1984) 9. Cachin, C., Micali, S., Stadler, M.: Computationally Private Information Retrieval with Polylogarithmic Communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 402. Springer, Heidelberg (1999) ¨ 10. Chin, F.Y., Ozsoyoglu, G.: Auditing and Inference Control in Statistical Database. IEEE Trans. Softw. Eng. 6, 574–582 (1982) 11. Denning, D.E.: Cryptography and Data Security. Addison-Wesley, Reading (1982)
274
Y. Yang et al.
12. Denning, D.E., Denning, P.J., Schwartz, M.D.: The Tracker: A threat to Statistical Database Security. ACM Trans. Database Systems 4(1), 76–96 (1979) 13. Dobkin, D., Jones, A.K., Lipton, R.J.: Secure Databases: Protection Against User Influence. ACM Trans. Database Systems 4(1), 97–106 (1979) 14. Farkas, C., Jajodia, S.: The Inference Problem: A Survey. SIGKDD Explorations 4(2), 6–11 (2002) 15. Goldreich, O.: Foundations of Cryptography: Basic Tools. The Proess of the Univeristy of Cambridge, Cambridge (2001) 16. Hoffman, L.J.: Modern Methods for Computer Security and Privacy. Prentice-Hall, Englewood Cliffs (1977) 17. Jagannathan, G., Wright, R.N.: Private Inference Control for Aggregate Database Queries. In: Proc. 7th IEEE International Conference on Data Mining Workshops, ICDMW 2007, pp. 711–716 (2007) 18. Kushilevitz, E., Ostrovsky, R.: Replication is not needed: single database, computationally private information retrieval. In: Proc. 38th IEEE Symp. on Foundation of Computer Science, pp. 364–373 (1997) 19. Lipmaa, H.: An oblivious transfer protocol with log-squared communication. In: Zhou, J., L´ opez, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 314–328. Springer, Heidelberg (2005) 20. Laur, S., Lipmaa, H.: A New Protocol for Conditional Disclosure of Secrets and Its Applications. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 207–225. Springer, Heidelberg (2007) 21. Li, Y., Lu, H., Deng, R.H.: Practical Inference Control for Data Cubes (extended abstract). In: Proc. IEEE Symposium on Security and Privacy, pp. 115–120 (2006) 22. Malvestuto, F.M., Mezzini, M.: Auditing Sum-Queries. In: Calvanese, D., Lenzerini, M., Motwani, R. (eds.) ICDT 2003. LNCS, vol. 2572, pp. 126–142. Springer, Heidelberg (2002) 23. Naor, M., Pinkas, B.: Oblivious transfer and polynomial evaluation. In: Proc. 31th ACM STOC, pp. 245–254 (1999) 24. Paillier, P.: Public-key Cryptosystems based on Composite Degree Residuosity Classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999) 25. Qian, X., Stickel, M., Karp, P., Lunt, T., Garvey, T.: Detection and Elimination of Inference Channels in Multilevel Relational Database Systems. In: Proc. IEEE Symposium on Research in Security and Privacy, S&P 1993, pp. 196–205 (1993) 26. Schl¨ orer, J.: Disclosure from Statistical Databases: Quantitative Aspects of Trackers. ACM Trans. Database Systems 5(4), 467–492 (1980) 27. Su, T., Ozsoyoglu, G.: Inference in MLS Database Systems. IEEE Trans. Knowledge and Data Engineering 3(4), 474–485 (1991) 28. Woodruff, D., Staddon, J.: Private Inference Control. In: Proc. ACM CCS 2004, pp. 188–197 (2004) 29. Wang, L., Wijesekera, D., Jajodia, S.: Cardinality-based Inference Control in Sumonly Data Cubes. In: Gollmann, D., Karjoth, G., Waidner, M. (eds.) ESORICS 2002. LNCS, vol. 2502, pp. 55–71. Springer, Heidelberg (2002)
Author Index
Au, Man Ho
129
Qin, Bo
76
Bao, Feng 260 Buldas, Ahto 230
Rangan, C. Pandu
Cao, Zhenfu 19 Cheng, Qingfeng 168 Chevallier-Mames, Benoˆıt
Saraswat, Vishal 140 Sch¨ age, Sven 104 Selvi, S. Sharmila Deva 61 Susilo, Willy 47, 90, 129
Dent, Alexander W. Dongna, E. 168
1
Fang, Liming 47 Fujisaki, Eiichiro 3, 118
32
Laur, Sven Li, Yingjiu Li, Zhoujun
230 260 214
Ustaoglu, Berkant
183
61
Wang, Jiandong 47 Warinschi, Bogdan 2 Weng, Jian 260 Wu, Qianhong 76 Xagawa, Keita
Ma, Chuangui 168 Moriyama, Daisuke 154 Mu, Yi 90, 129, 214 Niitsoo, Margus Nishimaki, Ryo
Tanaka, Keisuke 3, 118, 198 Tian, Yuan 245
Vivek, S. Sree
Guo, Fuchun 90 Guo, Hua 214 Joye, Marc
32
61
230 3, 118
Okamoto, Tatsuaki
154
198
Yang, Yanjiang 260 Yun, Aaram 140 Zhang, Hao 245 Zhang, Lei 76 Zhang, Xiyong 214 Zhou, Jianying 260 Zhou, Muxin 19