A Robust Identity-Based Signature Scheme that ... - Semantic Scholar

3 downloads 13381 Views 391KB Size Report
Jan 20, 2011 - like certificate-based signatures (CBS), certificate-less signatures (CLS) ..... US Patent: “Public key encryption with digital signature scheme”.
A Robust Identity-Based Signature Scheme that Avoids Key Escrow Problem Jaydip Sen Senior Scientist Innovation Labs, Tata Consultancy Services, Kolkata, India Email: [email protected] 6th ETSI Security Workshop 19 – 20 January 2011- ETSI, Sophia Antipolis, France

Agenda •

Overview of the work



Identity-Based Cryptography



The Contribution of the Proposed Scheme



Security model of the escrow-free identity-based signature scheme



User public key anonymity



Conclusion

6th ETSI Security Workshop

Jan 19 - 20, 2011, France

Overview of the Work •

The proposed scheme is based on an identity-based cryptosystem that can authenticate a user by merely using an identity string as the public key of the user.



Each signer has his own public key and secret key. The private key generator generates the identity-based secret key for the signer with respect to the user public key. The signer uses both secret keys to sign a message.



Unlike the current scheme, the verification protocols of the existing schemes like certificate-based signatures (CBS), certificate-less signatures (CLS) and self-certificated signatures (SCS) require signer’s pubic key to be verified.



The proposed scheme also achieves highest level of trust as per Girault model of trust.



In addition to solving the key escrow problem, the proposed scheme also achieves anonymity of the user public key.

6th ETSI Security Workshop

Jan 19 - 20, 2011, France

Identity-Based Cryptography (1) •

Identity-based cryptography  introduced by Shamir – Authentication of a public key by merely using an identity string as the public key – No necessity to ensure the validity of the public key



A series of identity-based schemes (IBS) current exist: – Identity-based signatures – Identity-based encryption – Hierarchical identity-based cryptography



In IBSs, there is a trusted party called private key generator (PKG) which generates the secret key for all users. – Full trust must be placed on the PKG – A malicious PKG can sell users’ keys, sign messages or decrypt ciphertexts on behalf of users without being confronted in a court of law  Key Escrow Problem.

6th ETSI Security Workshop

Jan 19 - 20, 2011, France

Identity-Based Cryptography (2) •

Girault has defined three levels of trust to the PKG: – Level 1  PKG computes users’ secret keys and, therefore, can impersonate any user without being detected. Example: Identity-based signature schemes. – Level 2  PKG cannot compute users’ secret keys. However, PKG can still impersonate any user without being detected. Example: Certificate-less schemes. – Level 3  PKG cannot compute users’ secret keys and PKG cannot impersonate any user without being detected. Example: Certificate-based signature schemes and self-certificated schemes.



The existing schemes that achieve level 2 or level 3 of trust are not identity-based. It is an open problem to construct an identity-based signatures with level 2 or level 3 of trust without publishing the user public key.

6th ETSI Security Workshop

Jan 19 - 20, 2011, France

The Contribution •

The concept of escrow-free identity-based signature is introduced to reduce the trust in the PKG.



Each signer has his own public key and secret key.



PKG generates the identity-based secret key for the signer with respect to the user public key.



The signer uses both the secret keys to sign a message. Hence, the signer is protected against a malicious PKG.



To verify the signature, it only requires the signer’s identity and the message. In the other schemes (CBS, CLS, SCS), the verification protocols require the signer’s public key to verify.



The scheme achieves level 3 of trust, which is the highest level of trust that can be achieved.

6th ETSI Security Workshop

Jan 19 - 20, 2011, France

Security Model for the Identity-Based Signature Scheme (1) •

An escrow-free identity-based signature scheme has six polynomial-time algorithms:



Setup: On input a security parameter 1k, it generates the system parameter param, the master secret key msk and the master public key mpk.



UserKeyGen: On input the system parameter param, the user generates the user secret key usk and the user public key upk.



Extract: This is an interactive algorithm between the PKG and the user. The common input are param, upk, and an identity ID. The PKG’s algorithm Extractp private input is msk. The user’s algorithm Extractu private input is usk. The interaction includes the user giving the PKG a joining proof Pf which shows the user’s participation with respect to upk. The user obtains the identity-based secret key skID, upk with respect to the identity ID and the user public key upk.



Sign: On input param, usk, skID, upk and a message m, the user with identity ID generates a signature σ.



Verify: On input param, mpk, ID, m and σ, it returns 1 or 0 for accept or reject respectively.



Blame: This is an interactive algorithm between the PKG, the user and the judge. The common inputs are param, mpk, ID, upk, m and σ. The user’s algorithm Blameu with private input usk sends a blame request φ to a judge. The judge’s algorithm Blamej output “PKG” if: – Φ shows that σ is related to upk and the PKG’s algorithm Blamep, with private input msk, fails to provide a public key upk’, a joining proof Pf and a transcript ρ, such that (i) upk’ is related to σ, (ii) Pf shows the user’s participation with respect to upk’, and ρ is the transcript of the extract algorithm witb upk’. – Otherwise, the judge outputs “upk”.

6th ETSI Security Workshop

Jan 19 - 20, 2011, France

Security Model for the Identity-Based Signature Scheme (2) •

Four entities are involved in the scheme: – Users – The PKG – The judge – Trusted Third Party (TTP) who certifies the joining proof Pf



It is assumed that the PKG and the TTP do not collude. Otherwise, the malicious PKG can sign a message with respect to upk and the TTP can provide a fake joining proof Pf and the malicious PKG is not caught by the Blame algorithm.



Also, it is assumed that the user and the TTP cannot collude. Otherwise, a malicious user can sign a message using his identity-based secret key and the TTP can intentionally disapprove the joining proof Pf. As a result, a malicious user cannot be caught by the Blame algorithm.



Although the signature is signed using usk and an identity-based secret key bound with upk, the verification of may not need upk. Similar to the standard identity-based signatures, the verification of only requires the identity ID.

6th ETSI Security Workshop

Jan 19 - 20, 2011, France

User Public Key Anonymity (1) •

In the escrow-free IBS scheme, the user public key is included in the signature.



In some applications, it may not be desirable to let the verifier know the user public key: – Example: A student has a long-term user public key. He may apply for an identitybased secret key for his student ID from the university. He may also apply for an identity-based secret key for his email address from the Internet service provider. When a user uses escrow-free IBS he may not want the signatures from two different identities to be linked to the same public key.



In order to construct an escrow-free IBS scheme which is fully identity-based, a signature is required that contains any information about the user public key. This additional property is called user public key anonymity.

6th ETSI Security Workshop

Jan 19 - 20, 2011, France

User Public Key Anonymity (2) •

The security model for user public key anonymity captures the attack that wants to distinguish if a signature is signed by an honest user with a user public key upk.



The attacker is given the master secret key, but cannot query any join oracle. In other words, the attacker can retrieve the master secret key from the real PKG, but not the join transcript from the real PKG.



The users joining the real PKG will have anonymity even if the master secret key is stolen.



The following game is designed for anonymity: – – –

– – – •

The simulator S gives param, a master public key mpk, a master secret key msk, two user public keys upk0, upk1 to the adversary A. A is allowed to query the oracle adaptively: Signing Oracle SO(m, ID, b): it returns a valid signature σ for the message m and the identity ID with respect to upkb. A sends a message m* and an identity ID* to S. S picks a random bit and computes σ*  Sign(param, usk, skID*, m), where skID* is the identity-based secret key computed using (msk, upk, ID*) and usk is the user secret key for upk. B sends σ* to A. A is allowed to query the above oracles adaptively. A returns a bit b*. A wins the game if = b*. We must require that there is no query of the form SO(m*, ID*, .).

An identity-based signature scheme is (ε, t, qs) –secure against anonymity if there is no t time adversary winning the game with probability at least with queries to SO.

6th ETSI Security Workshop

Jan 19 - 20, 2011, France

Conclusion •

An identity-based signature scheme is presented that has two novelties: – It introduces the concept of identity-based cryptosystem fro generation of the secret key of a user from its public key, and overcomes the well-known key escrow problem in the traditional identity-based systems. – It also achieves public key anonymity since its uses identity to verify a signature, and it is possible for the signature to be anonymous with respect to the user public key.



The proposed IBS achieves level 3 of trust to the PKG, which is the highest level of trust of the model proposed by Girault. It is more secure than CBS, CLS, and SCS since the user public key is not involved and its not sent to the verifier.



While overcoming the problem of key escrow in the traditional identity-based schemes, the scheme does not need multiple PKGs to be deployed so that no extra infrastructure and communication cost is introduced between the users and different PKGs.



It is the only identity-based signature scheme that achieves user public key anonymity. Certificateless signature, certificate-based signatures and self-certificated signatures schemes resolve the key escrow problem but they are not identity-based scheme and user public key is used as public information.



The scheme is applicable in any real world client-server or peer-to-peer systems including lightweight power-constrained mobile and hand-held devices where secure authentication and message confidentiality are two prime requirements.

6th ETSI Security Workshop

Jan 19 - 20, 2011, France

References 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20.

A. Shamir, “Identity-based cryptosystems and signature schemes”. In CRYPTO’84, Vol. 196, LNCS, pp. 47 – 53, Springer, 1984. D. Boneh and M.K. Franklin, “identity-based encryption from the weil pairing”. In ASIACRYPT 2001, Vol., 2139, LNCS, pp. 213 – 229, Springer, 2004. C. Gentry and A. Silverberg, “Hierarchical ID-based cryptography”. In ASIACRYPT 2002, Vol. 2501, LNCS, pp. 548 – 566, Springer, 2002. M. Bellare, C. Nameprempre, and G. Neven, “Security proofs for identity-based identification and signature schemes”. In EUROCRYPT 2004, Vol. 3027, LNCS, pp. 268 – 286, Springer 2004. D. Galindo, J. Herranz, and E. Kiltz, “On the generic construction of identity-based signatures with additional properties”. In ASIACRYPT 2006, Vol. 4284, LNCS, pp. 178 – 193, Springer 2006. S. S. Al-Riyami and K.G. Paterson, “Certificate-less public key cryptography”. In ASIACRYPT 2003, Vol. 2894, LNCS, pp. 452-473, Springer 2003. C. Gentry. “Certificate-based encryption and certificate revocation problem”. In EUROCRYPT 2003, Vol. 2656, LNCS, pp. 272 – 293, Springer, 2003. M. Girault. “Self-certified public keys”. In EUROCRYPT ’91, Vol. 547, LNCS, pp. 490 – 497, Springer, 1991. V. Goyal. “Reducing trust in the PKG in Identity based Cryptosystems”. In CRYPTO 2007, Vol. 4622, LNCS, pp. 430 – 447, Springer, 2007 M.H. Au, Q. Huang, J. K. Liu, W. Susilo, D.S. Wong, and G. Yang. “Traceable and retrievable identity-based encryption’. In ACNS 2008, Vol. 5037, LNCS, pp. 94 – 110, 2008. V. Goyal, S. Lu, A. Sahai, and B. Waters. “Black-box accountable authority identity-based encryption.” In CCS 2008, pp. 427 – 436, ACM, 2008. A.P. Sui, S.S.M. Chow, L.C.K. Hui, S.;M. Yiu, K.P. Chow, W.W. Tsang, C.F. Chong, K.K.H. Pun, and H.W. Chan. “Separable and anonymous identity-based key issuing”. In ICPADS 2005, pp. 275 – 279, IEEE Computer Society, 2005. M. Bellare, A. Boldyreva, A. Desai, and D. Pointcheval. “Key-privacy in public-key encryption. In ASICRYPT 2001, Vol. 2248, LNCS, pp. 566 – 582, Springer, 2001. B.G. Kang, J.H. Park, and S.G. Hahn. “A certifcate-based signature scheme”. In CT-RSA 2004, Vol. 2964, LNCS, pp. 99 – 111, Springer, 2004. US Patent: “Identity and signature verification system”. Application No. 11/148,710, Publication No. US 2006/0291699 A1, Filing date: Jun 8, 2005. US Patent: “ID-based signature, encryption system and encryption method.” Application No: 11/048, 863, Patent No. 7711113, Filing date: Feb 3, 2005, Issue date: May 4, 2010. US Patent: “Efficient hybrid public key signature scheme”. Application no. 9/307,493, Filing date: May 7, 1999, Issue date: mar 2, 2004, Patent no. 6701434. US Patent: “Apparatus and method for demonstrating and confirming the status of digital certificates and other data.” Application No. 10/106,869, Publication no. US 2002/0188843 A1, Filing date: Mar 25, 2002. US Patent: “Public key encryption with digital signature scheme”. Patent No. 7707420, Filing Date: Jun 15, 2000, Issue Date: Apr 27, 2010, Application No. 9/594,368. US Patent: “Generating digital signatures using ephemeral cryptographic key”. Patent No. 7693277, Filing Date: Aug 8, 2005, Issue Date: Apr 6, 2010, Application No. 11/161,564

6th ETSI Security Workshop

Jan 19 - 20, 2011, France

6th ETSI Security Workshop

Jan 19 - 20, 2011, France