The Security Model of Unidirectional Proxy Re-Signature with Private ...

Outline Proxy Re-signature Our Contribution Open Problems

The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key Jun Shao1,2 , Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu 1 College

of Computer and Information Engineering, Zhejiang Gongshang University 2 College of Information Sciences and Technology, Pennsylvania State University

2010-07-06 ACISP 2010, Sydney

Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu

The Security Model of Unidirectional Proxy Re-Signature with


Proxy Re-signature Our Contribution Observation on the AH Model The Artificially Designed Scheme The Improved Security Model Open Problems




Proxy Re-signature

Informally speaking, proxy re-signature (PRS) is such a kind of signature where a semi-trusted proxy with some additional information (a.k.a, re-signature key) can transform a signature of Alice (delegatee) to another signature of Bob (delegator) on the same message. However, the proxy cannot produce an arbitrary signature on behalf of either the delegatee or the delegator.




Desired Properties

I

Unidirectional

I

Multi-use

I

Private re-signature key

I

Transparent

I

Key-optimal

I

Non-interactive

I

Non-transitive

I

Temporary




Observation on the AH Model The Artificially Designed Scheme The Improved Security Model

Definition for Unidirectional Proxy Re-signature with Private Re-signature Key (UPRS-prk)

KeyGen: (pk, sk) ← KeyGen(1k ). ReKey: rkA→B ← ReKey(pkA , pkB , skB ). Sign: σ ← Sign(sk, m, `). ` = 1, owner-type signature; ` > 1, non-owner-type signature. ReSign: σB ← ReSign(rkA→B , pkA , m, σA , `). Verify: (1 or 0) ← Verify(pk, m, σ, `).





The AH Model: External Security

No inside attacker Pr[{(pki , ski ) ← KeyGen(1k )}i∈[1,n] , (t, m∗ , σ ∗ , `∗ ) ← AOs (·),Ors (·) ({pki }i∈[1,n] ) : Verify(pkt , m∗ , σ ∗ , `∗ ) = 1 ∧ (t, m∗ ) 6∈ Q],





The AH Model: Limited Proxy

The proxy is the possible inside attacker Pr[{(pki , ski ) ← KeyGen(1k )}i∈[1,n] , (t, m∗ , σ ∗ , `∗ ) ← AOs (·),Ork (·) ({pki }i∈[1,n] ) : Verify(pkt , m∗ , σ ∗ , `∗ ) = 1 ∧ (t, m∗ ) 6∈ Q],





The AH Model: Delegatee Security

The proxy and delegator are the possible inside attacker Pr[{(pki , ski ) ← KeyGen(1k )}i∈[0,n] , (m∗ , σ ∗ , `∗ ) ← AOs (·) (pk0 , {pki , ski }i∈[1,n] ) : Verify(pk0 , m∗ , σ ∗ , `∗ ) = 1 ∧ (0, m∗ ) 6∈ Q],





The AH Model: Delegator Security

The proxy and delegatee are the possible inside attacker Pr[{(pki , ski ) ← KeyGen(1k )}i∈[0,n] , (m∗ , σ ∗ , 1) ← AOs (·),Ork (·) (pk0 , {pki , ski }i∈[1,n] ) : Verify(pk0 , m∗ , σ ∗ , 1) = 1 ∧ (0, m∗ ) 6∈ Q],





Scheme Sus (Based on BLS short signature) KeyGen: pk = g a and sk = a. ReKey: (1)

(2)

(3)

0

0

rkA→B = (rkA→B , rkA→B , rkA→B ) = (r 0 , (pkA )r , H(g a·r ||2)1/b ).

Sign: I I

σ = (A, B, C ) = (H(m||0)r , g r , H(g r ||1)a ). σ = (A, B, C , D, E ) = (H(m||0)r1 , g r1 , H(g r1 ||1)r2 , g r2 , H(g r2 ||2)1/a ).





Scheme Sus (Based on BLS short signature)

ReSign: σ0

= (A0 , = (A, = (H(m||0)r , = (H(m||0)r1 ,

B 0, B, gr, g r1 ,

C 0, (1) C rkA→B , 0 H(g r ||1)ar , H(g r1 ||1)r2 ,


D 0, (2) rkA→B , 0 (pkA )r , g r2 ,

E 0) (3) rkA→B ) 0 H((pkA )r ||2)1/b ) H(g r2 ||2)1/b )




Scheme Sus (Based on BLS short signature) Verify: I

σ = (A, B, C ): ?

e(pk, H(B||1)) = e(g , C ), ?

e(B, H(m||0)) = e(g , A). I

σ = (A, B, C , D, E ): ?

e(g , H(D||2)) = e(pk, E ), ?

e(D, H(B||1)) = e(g , C ), ?

e(B, H(m||0)) = e(g , A).





Security of Scheme Sus

Theorem Scheme Sus is secure in the AH model if the eCDH problem is hard, and hash function H is treated as a random oracle.

Definition (eCDH Problem) Pr[A(g , g u , g v , g 1/v ) = g uv or g u/v ] ≥ ε,





An Attack on Scheme Sus

Alice → Proxy → Bob: Bob delegates his signing rights to Alice via Proxy. I

Alice: σa = (H(m||0)r , g r , H(g r ||1)a ).

I

Proxy: σb = (H(m||0)r , g r , (H(g r ||1)a )rka→b , rka→b , rka→b ).

I

Alice: replace m with what she wants.

(1)


(2)

(3)




An Attack on Scheme Sus

Alice → Proxy → Bob: Bob delegates his signing rights to Alice via Proxy. I

Alice: σa = (H(m||0)r , g r , H(g r ||1)a ).

I

Proxy: σb = (H(m||0)r , g r , (H(g r ||1)a )rka→b , rka→b , rka→b ).

I

Alice: replace m with what she wants.

(1)

(2)

(3)

This is against private re-signature key property.





The Improved Security Model

Static mode: Before the game starts, the adversary should decide which users and proxies are corrupted, and all the verification keys in the security model are generated by the challenger.





The Improved Security Model

Pr[{(pki , ski ) ← KeyGen(1k )}i∈[0,n] , (pk ∗ , m∗ , σ ∗ , `∗ ) ← AOs (·),Ork (·),Ors (·),Osk (·) : (pk ∗ , m∗ , σ ∗ , `∗ ) satifying the following requirements],





The Improved Security Model 1. Verify(pk ∗ , m∗ , σ ∗ , `∗ ) = 1. 2. The adversary has not made a secret key query on pk ∗ 3. The adversary has not made a signature query on (pk ∗ , m∗ ). 4. The adversary has not made a signature query on (pk 0 , m∗ ), which the adversary can transform it to the forgery by itself. 5. The adversary has not made a re-signature key query on (pki , pkj ), which can be used to transform a signature/re-signature query result to the forgery by the adversary. 6. The adversary has not made a re-signature query on (pki , pkj , m∗ , σi , ∗), which the adversary can transform it to the forgery by itself. Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu




Discussion on the Improved Security Model

I

Previous UPRS-prk schemes are still proven secure in the improved security model.

I

The improved security model can be extended to the chosen-key model by following the spirit mentioned by Libert and Vergnaud.




Open Problems

I

Pursue the security proofs of the existing UPRS-prk schemes in our security definition with the chosen-key model.

I

Design UPRS-prk schemes which can be proven secure in our security definition with the chosen-key model.




Thank You!

