
Probable Security Proof of A Blind Signature Scheme over Braid Groups

Girraj Kumar Verma
Department of Mathematics, Hindustan College of Science and Technology, Farah, Mathura, India (Email: [email protected])

Abstract

In this paper, we have reinvestigated the security analysis of the blind signature scheme over braid groups proposed by G. K. Verma in 2008. A blind signature scheme is a cryptographic primitive used in e-commerce for getting a signature from the signer without revealing any information about the contents of the message. These schemes are especially used in e-transactions, e-voting, DRM systems etc. The security of a blind signature is basically defined by two properties, blindness and unforgeability. Here we prove a special form of unforgeability called one more forgery, defined by Pointcheval et al. Although Verma has defined the same and discussed the security analysis using a stronger assumption called the chosen target conjugator search problem, in this paper we discuss the analysis using a simpler problem, which is much closer to the conjugacy search problem.

Keywords: Blind Signature, Unforgeability, Braid Groups, Conjugacy Problem, Probable Security

1 Introduction

The concept of blind signatures was introduced by D. Chaum [9]. A blind signature scheme is a cryptographic primitive in which two entities, a user and a signer, are involved. It allows a user to obtain a signature from the signer without revealing any information about the message or the message signature pair after signature generation. The security arguments given by Pointcheval et al [19] are quite concrete for analyzing the security of a blind signature scheme.

The braid groups were first introduced to construct a key agreement protocol and a public key encryption scheme [16] in CRYPTO-2000 by Ko et al, and in 2002 a digital signature scheme [17] was introduced by Ko et al. Later some other signature schemes [20,21,22] were proposed using the conjugacy problem over braid groups. In this paper, we are analysing the security of the blind signature scheme over braid groups proposed in 2008 [20] in the random oracle model. Although Verma has defined the same and discussed the security analysis using a stronger assumption called the chosen target conjugator search problem, in this paper we discuss the analysis using a simpler problem, which is much closer to the conjugacy search problem considered in [17] by Ko et al. In braid groups, the decision version of the conjugacy problem is easy and the search for a conjugator is hard. This gap between the two versions has been used for proving the security. The rest of the paper is organized as follows: In section 2, we define the security properties of a blind signature scheme as given in [19] and some problems over braid groups. In section 3 we discuss the scheme by G. K. Verma [20] and then provide the security analysis. In section 4 we conclude our discussion.

2 Preliminaries

2.1 Security Properties of Blind Signature

A blind signature scheme is a cryptographic primitive involving two entities, a user and a signer. So, we consider the user as an adversary for providing the security proof. In this subsection we describe the required security properties of a blind signature scheme [19].

1. Unforgeability: The standard notion of unforgeability under chosen message attack of digital signatures cannot be used as a notion of unforgeability for blind signatures, since by their construction a user has to be able to produce a valid signature of a previously signed message. Here we consider a special form of unforgeability, namely, the user that has been engaged in $l$ runs of the blind signing protocol should not be able to obtain more than $l$ signatures. This formalization of security for blind signatures is called security against one more forgery [19].

2. Unlinkability: When the signature is verified, the signer knows nothing about the message or its signature.

2.2 Braid groups and Conjugacy problem

In this section, we give a brief description of the braid groups and discuss some hard problems related to the conjugacy search problem. For more information on braid groups, the word problem and the conjugacy problem please refer to [2,4,16,17].

Definition: For each integer $n$, the $n$-braid group $B_n$ is defined to be the group generated by $\sigma_1, \sigma_2, \ldots, \sigma_{n-1}$ with the relations:

(i) $\sigma_i \sigma_j = \sigma_j \sigma_i$, where $|i - j| \ge 2$;
(ii) $\sigma_i \sigma_j \sigma_i = \sigma_j \sigma_i \sigma_j$, otherwise.

The integer $n$ is called the braid index and each element of $B_n$ is called an $n$-braid.

Some Hard Problems: In this section we describe some mathematically hard problems over braid groups. We say that two braids $x$ and $y$ are conjugate (written as $x \approx y$) if there exists a braid $a$ such that $y = axa^{-1}$. For $m < n$, $B_m$ can be considered as the subgroup of $B_n$ generated by $\sigma_1, \sigma_2, \ldots, \sigma_{m-1}$.

Conjugacy Decision Problem (CDP). Instance: $(x, y) \in B_n \times B_n$ such that $y = axa^{-1}$ for some $a \in B_n$. Objective: Determine whether $x$ and $y$ are conjugate or not.

Conjugacy Search Problem (CSP). Instance: $(x, y) \in B_n \times B_n$ such that $y = axa^{-1}$ for some $a \in B_n$. Objective: Find $b \in B_n$ such that $y = bxb^{-1}$.

Matching Triplet Search Problem (MTSP). Instance: A CSP-hard pair $(x, x') \in B_n \times B_n$ and $y \in B_n$. Objective: Find a triplet $(\alpha, \beta, \gamma) \in B_n \times B_n \times B_n$ such that $\alpha \approx x$, $\beta \approx \gamma \approx y$, $\alpha\beta \approx xy$ and $\alpha\gamma \approx x'y$.

In [17], Ko et al have considered that CSP and MTSP have approximately the same complexity. Since the braid group $B_n$ is an infinite group, it is impractical to use $B_n$ for cryptographic purposes. As in [17,20], for a positive integer $l$ we take $B_n(l)$ as the set of all braids from $B_n$ having canonical length at most $l$. So each braid $b$ in $B_n(l)$ can be written as $b = \Delta^u \pi_1 \pi_2 \cdots \pi_l$, where $\Delta$ is called the fundamental braid and the $\pi$'s are permutations from $\mathbb{Z}_n$ to $\mathbb{Z}_n$. Hence $|B_n(l)| \le (n!)^l$. Now there is an efficient polynomial time algorithm in [17] for solving CDP in $B_n(l)$, but CSP still takes exponential time to solve. So this gap between the two problems has been used by cryptographers to develop cryptographic protocols [16,17,20,21,22].

3 Proposed Security Analysis

3.1 Signature Scheme by Verma [20]

In this section we give the blind signature scheme by G. K. Verma. The parameters $n, l, d$ are fixed as in [17,20], and the concatenation of two strings in $\{0,1\}^*$ is represented by $\|$. Let $m \in \{0,1\}^*$ be the message to be signed, and let $H : \{0,1\}^* \to B_n(l)$ and $H_1 : B_n(l) \to \{0,1\}^*$ be two one way hash functions.

1. Key Generation: Each user does the following steps:
(a) Selects a braid $x \in B_n(l)$ such that $x \in SSS(x)$;
(b) Chooses $(x' = axa^{-1}, a) \in_R RSSBG(x, d)$;
(c) Returns $pk = (x' = axa^{-1}, x)$ and $sk = a$.

2. Blind Signing:
• The signer chooses $(\alpha = bxb^{-1}, b) \in RSSBG(x, d)$ and sends $\alpha$ as a commitment to the user.
• Blinding: The user chooses $\delta \in_R B_n(l)$, computes $\alpha' = \delta\alpha\delta^{-1}$ and $h = H(m \| H_1(\alpha'))$, and then sends $h$ to the signer.
• The signer computes $\beta = bhb^{-1}$, $\gamma = ba^{-1}hab^{-1}$ and sends $(\beta, \gamma)$ to the user.
• Unblinding: The user computes $\beta' = \delta\beta\delta^{-1}$, $\gamma' = \delta\gamma\delta^{-1}$ and displays $(\alpha', \beta', \gamma')$ as a blind signature on the message $m$.

3. Verification: The verifier computes $h = H(m \| H_1(\alpha'))$ and accepts the signature if and only if $\alpha' \approx x$, $\beta' \approx h$, $\gamma' \approx h$, $\alpha'\beta' \approx xh$, and $\alpha'\gamma' \approx x'h$.

3.2 Analysis of Scheme

In this section, we analyze the security of the above scheme in the random oracle model under chosen message attack.

Definition: Let $S = (K, S, V)$ be a signature scheme and let $BS = (BK, BS, BV)$ be the corresponding blind signature scheme. An adversary $A$ learns the public key $pk$ randomly generated by $BK$. $A$ is allowed to play the role of a user in the runs of the blind signing protocol. After interaction with the signer, $A$ outputs some number of message signature pairs. The advantage $Adv^{blind}_{B_n}(A)$ is defined as the probability of the adversary $A$ to output a set $L$ of valid message signature pairs such that the number of invoked blind signing protocols with the signer is strictly less than the size of $L$. We say that the blind signature scheme $BS$ is secure against one more forgery under chosen message attack, or just a secure blind signature scheme, if there does not exist a probabilistic polynomial time (PPT) adversary $A$ with non-negligible advantage $Adv^{blind}_{B_n}(A)$.

Theorem: If MTSP is infeasible in the braid group $B_n$, then the blind signature scheme in 3.1 is unforgeable under one more forgery as defined above.

Proof: Let the conjugacy decision problem (CDP) be easy and the conjugacy search problem (CSP) be hard in the braid group $B_n$. Let $A$ be any polynomial time adversary attacking the blind signature scheme over the braid group against one more forgery under chosen message attack. Now we will use $A$ to construct another probabilistic polynomial time (PPT) adversary $B$ that will solve the MTSP with advantage

$$Adv^{MTSP}_{B_n}(B) = \frac{Adv^{blind}_{B_n}(A)}{q_h}.$$

Suppose the adversary $B$ is given $(x, axa^{-1} = x') \in B_n \times B_n$ and $y \in B_n$ as challenge, and $B$ has to simulate the random hash oracle $H : \{0,1\}^* \to B_n$ and the blind signing oracle $BS$ for the adversary $A$. Let the number of hash oracle queries made by $A$ be $q_h$ and let $q_s$ be the number of queries to the blind signing oracle. Each time $A$ makes a new hash oracle query $m_i \| H_1(\alpha_i')$, $1 \le i \le q_h$, that is distinct from the previous hash oracle queries, $B$ answers as follows. If $A$ makes a hash oracle query that it already made before, $B$ searches in $H_{list}$ and replies with the old answer. Otherwise, if $i = i_0$ (for some $1 \le i_0 \le q_h$), then $B$ returns $H(m_i \| H_1(\alpha_i')) = y$; else $B$ chooses a random braid $k_i \in_R B_n$, returns $H(m_i \| H_1(\alpha_i')) = k_i$ and adds the answer to its $H_{list}$.

When $A$ makes a blind signing oracle query on $h$, $B$ resends it to the signing oracle $a(\ast)a^{-1}$ and forwards the answers to $A$. Eventually $A$ halts and outputs a list of message signature pairs $(m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_{q_s+1}, \sigma_{q_s+1})$, where each $\sigma_i = (\alpha_i', \beta_i', \gamma_i')$ for $1 \le i \le q_s + 1$. Now $A$ selects a message signature pair $(m, (\alpha', \beta', \gamma'))$ and outputs it as a forgery on the message $m$. If $m = m_{i_0}$, then $\alpha' \approx x$, $\beta' \approx y$, $\gamma' \approx y$, $\alpha'\beta' \approx xy$ and $\alpha'\gamma' \approx x'y$, where $H(m \| H_1(\alpha')) = y$. Therefore $(\alpha', \beta', \gamma')$ is a solution of the MTSP instance $(x, axa^{-1} = x') \in B_n \times B_n$ and $y \in B_n$, and $Adv^{MTSP}_{B_n}(B) = Adv^{blind}_{B_n}(A)/q_h$. Otherwise, $B$ reports failure and halts. Hence the theorem follows.

4 Conclusion

In this paper, we have analysed a blind signature scheme over braid groups given in [20]. Our security analysis is defined for a new hard problem considered in [17], which has approximately the same complexity as CSP.

5 Acknowledgement

The author would like to thank the review committee of the journal and all the persons whose references have made this work possible.

References

[1] I. Anshel, M. Anshel, and D. Goldfeld, An algebraic method for public key cryptography, Math. Research Letters 6, pp. 287-291, 1999.
[2] E. Artin, Theory of braids, Annals of Math. 48, pp. 101-126, 1947.
[3] M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, in Proc. 1st CCS, ACM Press, New York, pp. 62-73, 1993.
[4] J. S. Birman, Braids, links, and mapping class groups, Annals of Math. Studies 82, Princeton University Press, 1974.
[5] J. S. Birman, K. H. Ko and S. J. Lee, A new approach to the word and conjugacy problem in the braid groups, Advances in Cryptology 139, pp. 322-353, 1998.
[6] A. Boldyreva, Efficient threshold signature, multisignature and blind signature schemes based on the Gap-Diffie-Hellman groups, Cryptology ePrint Archive Report, available at http://eprint.iacr.org/2002/118.pdf
[7] S. Brands, Untraceable cash in wallets with observers, Advances in Cryptology, Crypto-93, LNCS 773, pp. 302-318, Springer Verlag, 1994.
[8] J. C. Cha, K. H. Ko, S. J. Lee, J. W. Han and J. H. Cheon, An efficient implementation of braid groups, Asiacrypt-2001, LNCS 2248, pp. 144-156, Springer Verlag, 2001.
[9] D. Chaum, Blind signature systems, Proceedings of Crypto '83, pp. 153-158, Springer Verlag, 1984.
[10] D. Chaum, A. Fiat and M. Naor, Untraceable electronic cash, Proceedings of Crypto-88, LNCS 403, pp. 319-327, Springer Verlag, 1988.
[11] W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, 22(6), pp. 74-84, June 1977.
[12] N. Duff et al, Digital Right Management and consumer acceptability, Technical report of the INDICARE project, Dec. 04.
[13] E. A. Elrifai and H. R. Morton, Algorithms for positive braids, Quart. J. of Math. Oxford 45, pp. 479-497, 1994.
[14] F. A. Garside, The braid groups and other groups, Quart. J. of Math. Oxford 20(78), pp. 235-254, 1969.
[15] D. Hofheinz and R. Steinwandt, A practical attack on some braid group based cryptographic primitives, in Public Key Cryptography, PKC 2003 Proc., LNCS 2567, pp. 187-198, Springer Verlag, 2002.
[16] K. H. Ko, S. J. Lee, J. H. Cheon, J. W. Han, J. S. Kang and C. S. Park, New public key cryptosystem using braid groups, Proc. Crypto-2000, LNCS 1880, pp. 166-183, Springer Verlag, 2000.
[17] K. H. Ko, D. H. Choi, M. S. Cho and J. W. Han, New signature scheme using conjugacy problem, Cryptology ePrint Archive Report, 2002, available at http://eprint.iacr.org/2002/168.
[18] E. Lee, S. J. Lee and S. G. Hahn, Pseudorandomness from braid groups, Advances in Cryptology, Crypto 2001, LNCS 2139, pp. 486-502, Springer Verlag, 2001.
[19] D. Pointcheval and J. Stern, Provably secure blind signature schemes, Proc. Asiacrypt-96, LNCS 1163, pp. 252-265, Springer Verlag, 1996.
[20] G. K. Verma, Blind signature schemes over braid groups, Cryptology ePrint Archive Report, 2008, available at http://www.eprint.iacr.org/2008/027.
[21] G. K. Verma, A proxy signature scheme over braid groups, Cryptology ePrint Archive Report, 2008, available at http://www.eprint.iacr.org/2008/160.
[22] G. K. Verma, A proxy blind signature scheme over braid groups, IJNS, vol. 9(3), pp. 214-217, 2009.
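The protocol of section 3.1 worked end to end, as an added example that is not part of the paper: key generation, blind signing, unblinding and the five verification checks, with the symmetric group $S_8$ (permutations) standing in for $B_n(l)$ so that $\approx$ can be decided by comparing cycle types. That stand-in, the SHA-256 based models of $H$ and $H_1$, and the omission of the $SSS$/$RSSBG$ sampling are assumptions for illustration only; in $S_8$ the conjugator search is as easy as the decision, so the example shows the algebra, not the hardness.

```python
import hashlib
import random
N = 8  # assumption: S_8 (permutations of 8 points) stands in for the braid group B_n(l)

def compose(p, q):            # group law: (p*q)(i) = p(q(i))
    return tuple(p[q[i]] for i in range(N))
def inverse(p):               # p^{-1}
    return tuple(sorted(range(N), key=lambda i: p[i]))
def conj(a, x):               # a x a^{-1}
    return compose(compose(a, x), inverse(a))

def cycle_type(p):            # conjugacy invariant of S_N: sorted cycle lengths
    seen, lens = set(), []
    for i in range(N):
        length = 0
        while i not in seen:
            seen.add(i); i = p[i]; length += 1
        if length: lens.append(length)
    return tuple(sorted(lens))
def conjugate(x, y):          # x ≈ y, the CDP check the verifier relies on
    return cycle_type(x) == cycle_type(y)

def rand_perm(rng):
    p = list(range(N)); rng.shuffle(p); return tuple(p)
def H(data):                  # H : {0,1}* -> group, modelled as a SHA-256-seeded shuffle (assumption)
    return rand_perm(random.Random(int.from_bytes(hashlib.sha256(data).digest(), "big")))
def H1(p):                    # H1 : group -> {0,1}*, modelled as the raw permutation bytes (assumption)
    return bytes(p)

def keygen(rng):              # pk = (x' = a x a^{-1}, x), sk = a
    x, a = rand_perm(rng), rand_perm(rng)
    return (conj(a, x), x), a

def blind_sign(pk, sk, m, rng):
    x, a, b, delta = pk[1], sk, rand_perm(rng), rand_perm(rng)  # b: signer's braid, delta: user's blinding braid
    alpha_p = conj(delta, conj(b, x))                       # commitment alpha = b x b^{-1}; alpha' = delta alpha delta^{-1}
    h = H(m + b"||" + H1(alpha_p))                          # h = H(m || H1(alpha')) goes to the signer
    beta, gamma = conj(b, h), conj(b, conj(inverse(a), h))  # beta = b h b^{-1}, gamma = b a^{-1} h a b^{-1}
    return alpha_p, conj(delta, beta), conj(delta, gamma)   # unblinded signature (alpha', beta', gamma')

def verify(pk, m, sig):       # the five conjugacy checks of the verification step
    x_p, x = pk; alpha_p, beta_p, gamma_p = sig
    h = H(m + b"||" + H1(alpha_p))
    return (conjugate(alpha_p, x) and conjugate(beta_p, h) and conjugate(gamma_p, h)
            and conjugate(compose(alpha_p, beta_p), compose(x, h))
            and conjugate(compose(alpha_p, gamma_p), compose(x_p, h)))

def demo(seed=7):             # end-to-end run on a constructed sample message
    rng = random.Random(seed); pk, sk = keygen(rng)
    m = b"constructed sample message"
    return pk, m, blind_sign(pk, sk, m, rng)
```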
