Jul 6, 2010 - Proxy Re-signature. Informally speaking, proxy re-signature (PRS) is such a kind of ... Pr[{(pki ,ski ) â KeyGen(1k)}iâ[1,n],. (t,mâ,Ïâ,lâ) â AOs ...
Outline Proxy Re-signature Our Contribution Open Problems
The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key Jun Shao1,2 , Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu 1 College
of Computer and Information Engineering, Zhejiang Gongshang University 2 College of Information Sciences and Technology, Pennsylvania State University
2010-07-06 ACISP 2010, Sydney
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Proxy Re-signature Our Contribution Observation on the AH Model The Artificially Designed Scheme The Improved Security Model Open Problems
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Proxy Re-signature
Informally speaking, proxy re-signature (PRS) is such a kind of signature where a semi-trusted proxy with some additional information (a.k.a, re-signature key) can transform a signature of Alice (delegatee) to another signature of Bob (delegator) on the same message. However, the proxy cannot produce an arbitrary signature on behalf of either the delegatee or the delegator.
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Desired Properties
I
Unidirectional
I
Multi-use
I
Private re-signature key
I
Transparent
I
Key-optimal
I
Non-interactive
I
Non-transitive
I
Temporary
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
Definition for Unidirectional Proxy Re-signature with Private Re-signature Key (UPRS-prk)
KeyGen: (pk, sk) ← KeyGen(1k ). ReKey: rkA→B ← ReKey(pkA , pkB , skB ). Sign: σ ← Sign(sk, m, `). ` = 1, owner-type signature; ` > 1, non-owner-type signature. ReSign: σB ← ReSign(rkA→B , pkA , m, σA , `). Verify: (1 or 0) ← Verify(pk, m, σ, `).
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
The AH Model: External Security
No inside attacker Pr[{(pki , ski ) ← KeyGen(1k )}i∈[1,n] , (t, m∗ , σ ∗ , `∗ ) ← AOs (·),Ors (·) ({pki }i∈[1,n] ) : Verify(pkt , m∗ , σ ∗ , `∗ ) = 1 ∧ (t, m∗ ) 6∈ Q],
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
The AH Model: Limited Proxy
The proxy is the possible inside attacker Pr[{(pki , ski ) ← KeyGen(1k )}i∈[1,n] , (t, m∗ , σ ∗ , `∗ ) ← AOs (·),Ork (·) ({pki }i∈[1,n] ) : Verify(pkt , m∗ , σ ∗ , `∗ ) = 1 ∧ (t, m∗ ) 6∈ Q],
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
The AH Model: Delegatee Security
The proxy and delegator are the possible inside attacker Pr[{(pki , ski ) ← KeyGen(1k )}i∈[0,n] , (m∗ , σ ∗ , `∗ ) ← AOs (·) (pk0 , {pki , ski }i∈[1,n] ) : Verify(pk0 , m∗ , σ ∗ , `∗ ) = 1 ∧ (0, m∗ ) 6∈ Q],
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
The AH Model: Delegator Security
The proxy and delegatee are the possible inside attacker Pr[{(pki , ski ) ← KeyGen(1k )}i∈[0,n] , (m∗ , σ ∗ , 1) ← AOs (·),Ork (·) (pk0 , {pki , ski }i∈[1,n] ) : Verify(pk0 , m∗ , σ ∗ , 1) = 1 ∧ (0, m∗ ) 6∈ Q],
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
Scheme Sus (Based on BLS short signature) KeyGen: pk = g a and sk = a. ReKey: (1)
(2)
(3)
0
0
rkA→B = (rkA→B , rkA→B , rkA→B ) = (r 0 , (pkA )r , H(g a·r ||2)1/b ).
Sign: I I
σ = (A, B, C ) = (H(m||0)r , g r , H(g r ||1)a ). σ = (A, B, C , D, E ) = (H(m||0)r1 , g r1 , H(g r1 ||1)r2 , g r2 , H(g r2 ||2)1/a ).
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
Scheme Sus (Based on BLS short signature)
ReSign: σ0
= (A0 , = (A, = (H(m||0)r , = (H(m||0)r1 ,
B 0, B, gr, g r1 ,
C 0, (1) C rkA→B , 0 H(g r ||1)ar , H(g r1 ||1)r2 ,
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
D 0, (2) rkA→B , 0 (pkA )r , g r2 ,
E 0) (3) rkA→B ) 0 H((pkA )r ||2)1/b ) H(g r2 ||2)1/b )
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
Scheme Sus (Based on BLS short signature) Verify: I
σ = (A, B, C ): ?
e(pk, H(B||1)) = e(g , C ), ?
e(B, H(m||0)) = e(g , A). I
σ = (A, B, C , D, E ): ?
e(g , H(D||2)) = e(pk, E ), ?
e(D, H(B||1)) = e(g , C ), ?
e(B, H(m||0)) = e(g , A).
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
Security of Scheme Sus
Theorem Scheme Sus is secure in the AH model if the eCDH problem is hard, and hash function H is treated as a random oracle.
Definition (eCDH Problem) Pr[A(g , g u , g v , g 1/v ) = g uv or g u/v ] ≥ ε,
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
An Attack on Scheme Sus
Alice → Proxy → Bob: Bob delegates his signing rights to Alice via Proxy. I
Alice: σa = (H(m||0)r , g r , H(g r ||1)a ).
I
Proxy: σb = (H(m||0)r , g r , (H(g r ||1)a )rka→b , rka→b , rka→b ).
I
Alice: replace m with what she wants.
(1)
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
(2)
(3)
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
An Attack on Scheme Sus
Alice → Proxy → Bob: Bob delegates his signing rights to Alice via Proxy. I
Alice: σa = (H(m||0)r , g r , H(g r ||1)a ).
I
Proxy: σb = (H(m||0)r , g r , (H(g r ||1)a )rka→b , rka→b , rka→b ).
I
Alice: replace m with what she wants.
(1)
(2)
(3)
This is against private re-signature key property.
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
The Improved Security Model
Static mode: Before the game starts, the adversary should decide which users and proxies are corrupted, and all the verification keys in the security model are generated by the challenger.
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
The Improved Security Model
Pr[{(pki , ski ) ← KeyGen(1k )}i∈[0,n] , (pk ∗ , m∗ , σ ∗ , `∗ ) ← AOs (·),Ork (·),Ors (·),Osk (·) : (pk ∗ , m∗ , σ ∗ , `∗ ) satifying the following requirements],
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
The Improved Security Model 1. Verify(pk ∗ , m∗ , σ ∗ , `∗ ) = 1. 2. The adversary has not made a secret key query on pk ∗ 3. The adversary has not made a signature query on (pk ∗ , m∗ ). 4. The adversary has not made a signature query on (pk 0 , m∗ ), which the adversary can transform it to the forgery by itself. 5. The adversary has not made a re-signature key query on (pki , pkj ), which can be used to transform a signature/re-signature query result to the forgery by the adversary. 6. The adversary has not made a re-signature query on (pki , pkj , m∗ , σi , ∗), which the adversary can transform it to the forgery by itself. Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Observation on the AH Model The Artificially Designed Scheme The Improved Security Model
Discussion on the Improved Security Model
I
Previous UPRS-prk schemes are still proven secure in the improved security model.
I
The improved security model can be extended to the chosen-key model by following the spirit mentioned by Libert and Vergnaud.
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Open Problems
I
Pursue the security proofs of the existing UPRS-prk schemes in our security definition with the chosen-key model.
I
Design UPRS-prk schemes which can be proven secure in our security definition with the chosen-key model.
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with
Outline Proxy Re-signature Our Contribution Open Problems
Thank You!
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
The Security Model of Unidirectional Proxy Re-Signature with