Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen University of Dortmund, Germany Madhu Sudan Microsoft Research, Cambridge, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany
5848
Josef Pieprzyk Fangguo Zhang (Eds.)
Provable Security Third International Conference, ProvSec 2009 Guangzhou, China, November 11-13, 2009 Proceedings
13
Volume Editors Josef Pieprzyk Macquarie University Department of Computing Sydney, NSW 2109, Australia E-mail:
[email protected] Fangguo Zhang Sun Yat-Sen University School of Information Science and Technology Guangzhou, 510275, P.R.China E-mail:
[email protected] Library of Congress Control Number: 2009934940 CR Subject Classification (1998): E.3, H.2.7, K.6.5, D.4.6, D.2.4, F.2.2, F.4.1 LNCS Sublibrary: SL 4 – Security and Cryptology ISSN ISBN-10 ISBN-13
0302-9743 3-642-04641-X Springer Berlin Heidelberg New York 978-3-642-04641-4 Springer Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © Springer-Verlag Berlin Heidelberg 2009 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 12764488 06/3180 543210
Preface
The third International Conference on Provable Security (ProvSec 2009) was held in Guangzhou, China, November 11-13, 2009. It continued the theme of Provable Security initiated by the ProvSec 2007 conference in Wollongong, Australia. The second ProvSec conference was organized in Shanghai, China. The conference was sponsored by the Center for Advanced Computing – Cryptography and Algorithms (ACAC), Macquarie University, Australia; Guangdong Key Laboratory of Information Security Technology, Sun Yat-sen University, China; and the National Natural Science Foundation of China (NSFC). Jiwu Huang was the General Chair and we, Josef Pieprzyk and Fangguo Zhang, were Program Co-chairs. The conference proceedings have been published by Springer in this volume of Lecture Notes in Computer Science. The Program Committee invited two distinguished researchers to deliver their keynote talks. The first speaker was Alex Dent from Royal Holloway, University of London. His talk was entitled “A Brief History of Security Models for Confidentiality”. The second speaker was Bogdan Warinschi from the University of Bristol, UK, who presented a talk on “Symbolic Methods for Provable Security”. We received 64 papers. Each paper was assigned to three referees. Papers submitted by the members of the Program Committee were assigned to five referees. In the first stage of the review process, the submitted papers were read and evaluated by the PC members and then in the second stage, the papers were scrutinized during an extensive discussion. Finally, the Program Committee chose 19 papers to be included in the conference program. The authors of the accepted papers had three weeks for revision and preparation of final versions. The revised papers were not subject to editorial review and the authors bear full responsibility for their contents. The submission and review process was supported by the Springer Online Conference Service. Many people contributed to the success of ProvSec 2009. First we would like to thank the authors of all papers (both accepted and rejected) for submitting their papers to the conference. Special thanks go to the members of the Program Committee and the external referees who gave their time, expertise and enthusiasm in order to ensure that each paper received a thorough and fair review. We are thankful to Vijayakrishnan Pasupathinathan for taking care of the OCS server. We extend our gratitude to all the people involved in organizing ProvSec 2009 from Guangdong Key Laboratory of Information Security Technology, in particular to Bo Zhang, Dong Wei, Lingling Xu, and Yamin Wen for their great efforts in making the conference run smoothly. November 2009
Josef Pieprzyk Fangguo Zhang
Third International Conference on Provable Security ProvSec 2009 November 11-13, Guangzhou, China Sponsored by Center for Advanced Computing – Cryptography and Algorithms Macquarie University, Australia Guangdong Key Laboratory of Information Security Technology Sun Yat-sen University, China The National Natural Science Foundation of China (NSFC)
General Chair Jiwu Huang
Sun Yat-sen University, China
Program Co-chairs Josef Pieprzyk Fangguo Zhang
Macquarie University, Australia Sun Yat-sen University, China
Program Committee Joonsang Baek Feng Bao Colin Boyd Xavier Boyen Lily Chen Kefei Chen Liqun Chen Serge Fehr Dengguo Feng Aggelos Kiayias Kwangjo Kim Marc Fischlin Fabien Laguillaumie Helger Lipmaa Yi Mu David Naccache Tatsuaki Okamoto Jacques Patarin Kenny Paterson Olivier Pereira
Institute for Infocomm Research, Singapore Institute for Infocomm Research, Singapore QUT, Australia Stanford University, USA NIST, USA Shanghai Jiaotong University, China Hewlett-Packard Laboratories, UK CWI, Netherlands Chinese Academy of Sciences, China University of Connecticut, USA KAIST, Korea Darmstadt University of Technology, Germany University of Caen, France University College London, UK University of Wollongong, Australia ENS, France NTT Labs, Japan Universit´e de Versailles, France Royal Holloway, UK UCL, Belgium
VIII
Organization
Dingyi Pei Raphael C.W. Phan Krzysztof Pietrzak Kouichi Sakurai Palash Sarkar Berry Schoenmakers Alice Silverberg Ron Steinfeld Willy Susilo Tsuyoshi Takagi Damien Vergnaud Jorge Villar Huaxiong Wang Duncan Wong Tzong-Chen Wu Shouhuai Xu Bo Yang Yunlei Zhao Yuliang Zheng
Guangzhou University, China Loughborough University, UK CWI, Netherlands Kyushu University, Japan Indian Statistical Institute, India TU Eindhoven, Netherlands University of California, Irvine, USA Macquarie University, Australia University of Wollongong, Australia Future University, Hakodate, Japan ENS, France Universitat Polit`ecnica de Catalunya, Spain Nanyang Technological University, Singapore City University of Hong Kong, China NTUST, Taiwan University of Texas at San Antonio, USA South China Agricultural University, China Fudan University, China University of North Carolina at Charlotte, USA
Publicity Chair Xiaofeng Chen
Xidian University, China
Organizing Committee Baodian Wei Haibo Tian Bo Zhang Lingling Xu Yamin Wen
Sun Sun Sun Sun Sun
Yat-sen Yat-sen Yat-sen Yat-sen Yat-sen
University, University, University, University, University,
China China China China China
Steering Committee Feng Bao Xavier Boyen Yi Mu Josef Pieprzyk Willy Susilo
Institute for Infocomm Research, Singapore Stanford University, USA University of Wollongong, Australia Macquarie University, Australia University of Wollongong, Australia
External Reviewers Au, Man Ho Bauer, Aurelie Canard, S´ebastien
Chen, Jianhong Dent, Alex Ding, Jintai
Galbraith, Steven Gorantla, Choudary Guo, Fuchun
Organization
Guo, Hua Groth, Jens Hohenberger, Susan Huang, Xinyi Jiang, Zhengtao Junod, Pascal Kiltz, Eike Li, Shengli
Liu, Joseph Long, Yu Minier, Marine Perlner, Ray R`afols, Carla Quaglia, Elizabeth Schr¨ oder, Dominique Stebila, Douglas
IX
Steinberger, John Turan, Meltem S¨ onmez Wang, Yongtao Weng, Jian Wu, Wei Yang, Guomin Zhang, Bin
Table of Contents
Invited Talks A Brief History of Security Models for Confidentiality . . . . . . . . . . . . . . . . Alexander W. Dent
1
Symbolic Methods for Provable Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bogdan Warinschi
2
Encryption Efficient Non-interactive Universally Composable String-Commitment Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ryo Nishimaki, Eiichiro Fujisaki, and Keisuke Tanaka
3
Spatial Encryption under Simpler Assumption . . . . . . . . . . . . . . . . . . . . . . . Muxin Zhou and Zhenfu Cao
19
Chosen-Ciphertext Secure RSA-Type Cryptosystems . . . . . . . . . . . . . . . . . Benoˆıt Chevallier-Mames and Marc Joye
32
Anonymous Conditional Proxy Re-encryption without Random Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Liming Fang, Willy Susilo, and Jiandong Wang Breaking and Fixing of an Identity Based Multi-signcryption Scheme . . . S. Sharmila Deva Selvi, S. Sree Vivek, and C. Pandu Rangan
47 61
Digital Signatures Identity-Based Verifiably Encrypted Signatures without Random Oracles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Lei Zhang, Qianhong Wu, and Bo Qin
76
How to Prove Security of a Signature with a Tighter Security Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Fuchun Guo, Yi Mu, and Willy Susilo
90
Twin Signature Schemes, Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sven Sch¨ age On the Insecurity of the Fiat-Shamir Signatures with Iterative Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Eiichiro Fujisaki, Ryo Nishimaki, and Keisuke Tanaka
104
118
XII
Table of Contents
Is the Notion of Divisible On-Line/Off-Line Signatures Stronger than On-Line/Off-Line Signatures? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Man Ho Au, Willy Susilo, and Yi Mu Anonymous Signatures Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Vishal Saraswat and Aaram Yun
129 140
Cryptographic Protocols An eCK-Secure Authenticated Key Exchange Protocol without Random Oracles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Daisuke Moriyama and Tatsuaki Okamoto
154
Password Authenticated Key Exchange Based on RSA in the Three-Party Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E. Dongna, Qingfeng Cheng, and Chuangui Ma
168
Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Berkant Ustaoglu
183
Zero-Knowledge Protocols for NTRU: Application to Identification and Proof of Plaintext Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Keita Xagawa and Keisuke Tanaka
198
Server-Controlled Identity-Based Authenticated Key Exchange . . . . . . . . Hua Guo, Yi Mu, Xiyong Zhang, and Zhoujun Li
214
Reductions and Privacy Oracle Separation in the Non-uniform Model . . . . . . . . . . . . . . . . . . . . . . . . Ahto Buldas, Sven Laur, and Margus Niitsoo
230
GUC-Secure Set-Intersection Computation . . . . . . . . . . . . . . . . . . . . . . . . . . Yuan Tian and Hao Zhang
245
Self-enforcing Private Inference Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Yanjiang Yang, Yingjiu Li, Jian Weng, Jianying Zhou, and Feng Bao
260
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
275
A Brief History of Security Models for Confidentiality Alexander W. Dent Information Security Group, Royal Holloway, University of London, U.K.
[email protected] Abstract. Despite the fact that industry continues to rate confidentiality protection as the least important security goal for a commercial organisation, the cryptographic community has a fascination with developing new encryption technologies. It often seems that the majority of advances in general cryptologic theory are a result of research designed to improve our ability to transmit messages confidentially. The development of security models are a good example of this phenomenon. The earliest attempts to produce cryptographic schemes with some provable security guarantees centred on encryption technologies (Shannon 1949; Rabin 1979). The modern security model for confidentiality dates back to the early eighties (Goldwasser–Micali 1982; Goldwasser– Micali 1984) when the notion of indistinguishability under chosen plaintext attacks (IND-CPA) was proposed. This was followed by the more advanced notions of IND-CCA1 security (Naor–Yung 1990) and IND-CCA2 security (Rackoff–Simon 1991) which are now so ubiquitous that they are often applied to new cryptographic primitives without thought. Many people have forgotten that the elegant notion of IND-CCA2 security is a simplification of the much more complex notion of semantic security. In this invited talk, we’ll consider the bedrock of cryptographic confidentiality: the notion of IND-CCA2 security. We’ll show by a series of examples that the simplifications that can be obtained in deriving the indistinguishability security notion from the semantic security notion for public key encryption can’t always be derived for other types of publickey cryptography. For example, – The IND-CCA2 model for public-key encryption only considers a single user (public key), whereas the security model for a signcryption scheme must consider multiple users. – The IND-CCA2 model for public-key encryption only considers attacks against a single (challenge) ciphertext, whereas the security model for deterministic encryption must consider attacks against multiple (challenge) ciphertexts. – The IND-CCA2 model for public-key encryption only considers an attacker that is trying to determine some information about a message of some known length, whereas some results in plaintext awareness require the attacker be unable to determine any information about a message of an unknown length. Our ultimate aim will be to define a general model and set of rules for deriving a security notion for confidentiality for an arbitrary public-key primitive. J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, p. 1, 2009. c Springer-Verlag Berlin Heidelberg 2009
Symbolic Methods for Provable Security Bogdan Warinschi Department of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol BS8 1UB, United Kingdom
[email protected] Abstract. Rigorous proofs are notoriously difficult to produce and verify even for seemingly simple cryptographic tasks. As a result, many published papers contain proofs that are most of the time incomplete and ocasionally flawed. Arguably, this indicates that the provable security paradigm is heading towards an undesirable crisis of rigor. Significant research efforts are under way in order to correct this state of affairs. Examples, from the inside of the crypto community, include the works of Shoup, Bellare, and Rogaway on game playing techniques and Shai Halevi manifesto for machine assisted cryptographic proofs. Further inspiration comes from the outside of the crypto community. Symbolic methods and techniques commonly used in the areas of programming languages, language-based security, and logics have recently been employed to create general frameworks for computational security analysis. The goal of this talk is to highlight the important role that symbolic methods could/should play within the general direction of provable security. I will present some of the existent results, exciting opportunities, and future challenges that stem from bringing together two research directions that for more than twenty years have developed largely indpendently.
J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, p. 2, 2009.
Efficient Non-interactive Universally Composable String-Commitment Schemes Ryo Nishimaki1,2 , Eiichiro Fujisaki1 , and Keisuke Tanaka2 1
2
NTT, 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585 Japan {nishimaki.ryo,fujisaki.eiichiro}@lab.ntt.co.jp Department of Mathematical and Computing Sciences, Tokyo Institute of Technology, W8-55, 2-12-1 Ookayama, Meguro-ku, Tokyo, 152-8552, Japan
[email protected] Abstract. The universal composability (UC) for commitment is a very strong security notion. It guarantees that commitment schemes remain secure even if they are composed with arbitrary protocols and polynomially many copies of the schemes are run concurrently. Several UC commitment schemes in the common reference string (CRS) model have been proposed, but, they are either interactive commitment or bit-commitment (not string-commitment) schemes. We propose new non-interactive string-commitment schemes that achieve UC security in the CRS model assuming the difficulty of the decisional Diffie-Hellman problem or the decisional composite residuosity problem, but our schemes are not reusable. The main building blocks of our constructions are all-but-one trapdoor functions (ABO-TDFs) introduced by Peikert and Waters in STOC 2008 to construct secure public-key encryption schemes. Our main idea is to use the homomorphic properties of the function indices of the all-but-one trapdoor functions and to extend the functions to probabilistic ones by using re-randomization of ciphertexts. This is a new application of ABO-TDFs. Keywords: universal composability, non-interactive string commitment, all-but-one trapdoor functions, homomorphism.
1 Introduction Commitment schemes are the digital analogues of envelopes. A sender provides a receiver with a sealed envelope that contains a message and later sends information for opening the sealed envelope. The notion of commitment is one of the most fundamental cryptographic primitives, such as public-key encryption (PKE) since it is an essential building block in many cryptographic protocols, such as zero-knowledge protocols [15]. 1.1 Background There are several security requirements for secure commitment schemes. If any unbounded (resp. computationally bounded) sender cannot change the message inside an envelope after sending the envelope, a commitment scheme is called statistically (resp. computationally) binding. If any computationally bounded (resp. unbounded) receiver J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 3–18, 2009. c Springer-Verlag Berlin Heidelberg 2009
4
R. Nishimaki, E. Fujisaki, and K. Tanaka
cannot learn about message m as long as the sender does not give the auxiliary information for opening the envelope, a commitment scheme is called computationally (resp. statistically) hiding. These two properties are basic security requirements [18] for secure commitment schemes in the stand-alone setting. These basic security notions were in the past thought to be sufficient. Dolev, Dwork, and Naor proposed a stronger security notion, non-malleability [14]. When an adversary sees a commitment to message m, it may be able to make a mauled commitment to another message m such that m and m have some relation, such as m = m + 1, without knowing m. Informally speaking, a commitment scheme is nonmalleable if any adversary cannot make such a mauled commitment in the man-in-themiddle setting, where an adversary is allowed to tap into the communication between a sender and a receiver and may change the content of the communication. However, even non-malleable commitment schemes are not sufficient when commitment schemes are run on today’s large network systems. In such a setting, a commitment scheme may be composed with arbitrary protocols and run concurrently. Universally composable (UC) commitment schemes [3, 5] remain secure even if polynomially many copies of the protocol are executed concurrently in an adversarially controlled manner. Universal composability is a very strong security requirement and implies non-malleability. We cannot construct UC commitment schemes in the plain model [5, 6], so we need set-up assumptions. We use a standard set-up assumption, the common reference string (CRS) model, where all parties have access to random strings that are guaranteed to be selected with a prescribed distribution by a trusted third party. Many existing UC commitment schemes are constructed in the CRS model [5, 7, 11, 12]. Constructing UC commitment schemes is very important since we can realize any UC-secure two- or multi-party computation if we obtain a UC commitment scheme [7]. 1.2 Our Contributions and Constructions We propose non-interactive universally composable commitment schemes that enable a committer to commit to a multi-bit string efficiently. Our constructions are based on all-but-one trapdoor functions (ABO-TDFs) (or equivalently lossy trapdoor functions) from the decisional Diffie-Hellman (DDH) problem [20] and the decisional composite residuosity (DCR) problem [22]. This is a new application of ABO-TDFs. ABO-TDFs were introduced by Peikert and Waters to construct PKE schemes secure against a chosen ciphertext attack (CCA PKE) [20]. Our scheme based on the DCR problem can enjoy the best redundancy ratio of a commitment to a message in the sense of communication complexity, among all the previously proposed schemes, regardless of interactive or non-interactive. Our Techniques. Here is an outline of our techniques. Loosely speaking, if a commitment scheme has two properties, called extractability and equivocality, it achieves UC security [7]. If we can extract contents of valid commitments by using trapdoors, a commitment scheme is extractable and, if we can make a fake commitment that opens to an arbitrary value later by using trapdoors, a commitment scheme is equivocal. In order to achieve these properties at the same time, we use ABO-TDFs. Each ABO-TDF is a
Efficient Non-interactive Universally Composable String-Commitment Schemes
5
trapdoor function with an extra input, called its branch. An ABO-TDF is an injective trapdoor function except for one special type of branch, called a lossy branch. If we use a lossy branch as a branch when we run an evaluation algorithm of an ABO-TDF, the output statistically loses information about the input. In this case, there are multiple input candidates for the output. That is, a simulator in the UC framework may be able to make an equivocal commitment by using trapdoors of ABO-TDFs and the lossy branch. On the other hand, if we do not use the lossy branch, the function is injective (statistically binding). That is, a simulator in the UC framework can extract the content of a valid commitment by using the trapdoors of ABO-TDFs. If we set the branches of an ABO-TDF as the verification keys of strong one-time signature schemes, any adversary in the UC framework cannot copy the verification key used by the simulator. If the simulator uses the verification key that was set as the lossy branch, a commitment generated by the simulator is equivocal and a commitment generated by the adversary is extractable. Therefore, we can achieve equivocality and extractability at the same time. However, we cannot use the original ABO-TDFs by Peikert and Waters directly since they are deterministic functions, meaning we cannot achieve equivocality. We convert them into probabilistic ones by using the homomorphic property of function indices. Function indices of ABO-TDFs consist of ciphertexts that are generated by a homomorphic encryption algorithm. Therefore, we can re-randomize ciphertexts by using their homomorphic properties and achieve equivocality. This conversion is reminiscent of the UC commitment scheme by Damgård and Nielsen [12] and is essential for our construction of UC commitment. 1.3 Related Works and Comparisons Several UC commitment schemes in the CRS model have been proposed, but none of them are both non-interactive and string commitment schemes. Canetti and Fischlin, and Canetti, Lindell, Ostrovsky, and Sahai constructed non-interactive UC commitment schemes in the CRS model, but they are bit-commitment schemes and inefficient since they are constructed from general primitives such as enhanced trapdoor permutations (eTDPs) or claw-free trapdoor function (CF-TDF) pairs [5, 7]. Both of their constructions use Ω(λ) bits to commit to one bit, where λ is the security parameter. Damgård and Nielsen, Damgård and Groth, and Camenish and Shoup constructed Table 1. Previous and our results in the CRS model
[5] [5] [7] [12] [11] [2] Ours
Bit/string bit bit bit string string string string
Interaction Reusability Assumptions non-interactive No eTDP non-interactive Yes CF-TDF pairs, CCA PKE non-interactive Yes eTDP, CCA PKE, PRC interactive Yes DCR (or p-subgroup) interactive Yes strong-RSA, DCR (or p-subgroup) interactive Yes DCR non-interactive No DCR (or DDH)
6
R. Nishimaki, E. Fujisaki, and K. Tanaka Table 2. Efficiency Comparison Communication [12] (DCR) (4s + 5)λ [11] (DCR) nmcom + 3(s + 1)λ sHVZK [2] P-com + v-enc + Πv-enc Ours (DCR) (s + 1)λ + + sig + |vk|
CRS length ≈ 17λ λ + (s + 1)λ · nparty ≈ 15λ |pknmcom | + λ ≈ 21λ |pkP-com | + |pkv-enc | ≈ 7λ (s + 1)λ + |h|
≈ (4nparty + 1)λ ≈ 5λ ≈ 9λ + |CRHF| ≈ 6λ
Round 3 3 3 1
efficient UC string-commitment schemes from number-theoretic problems, but they are interactive [2, 11, 12]. A comparison of our results and previous results is shown in Table 1. Reusability indicates whether a CRS can be reused polynomially many times or not. PRC means PKE with pseudorandom ciphertext. We propose the first efficient non-interactive UC string-commitment schemes from number-theoretic problems in the CRS model, but our schemes do not have reusability. An efficiency comparison of string-commitment schemes based on the DCR problem is shown in Table 2 (Let λ denote the security parameter). “Round” in the table means round-complexity, which is the number of interactions in the commit phase. The open phase is non-interactive in all protocols in the table. Our scheme is the most efficient since it is non-interactive. Parameters are as follows. Let s be an integer (public parameter of the Damgård-Jurik PKE [10]), nparty be the number of parties, nmcom (resp. |pknmcom |) be the length of the non-malleable commitment (resp. its public-key) based on strong-RSA [11], P-com (resp. |pkP-com |) be the length of Pedersen commitment (resp. its public-key) [19, 2], v-enc (resp. |pkv-enc |) be the ciphertext (resp. the sHVZK public-key) length of the verifiable encryption by Camenish and Shoup [2], Πv-enc be the transcript length of the proof (special honest-verifier zero-knowledge protocol) for the verifiable encryption, |CRHF| be a length of a collision resistant hash function, be a length of the committed string, sig be a signature length of a strong one-time signature, and |vk| be a verification key length of a strong one-time signature. We can set s = 3, = λ. In a work that was independent of ours, Zhu proposed a new UC commitment scheme based on the DDH problem over a squared composite modulus of the form N = pq at ISPEC’09 [23]. There are UC commitment schemes with other set-up assumptions or models [1,4,8, 16,17,21] (such as the key registration set-up [1], the generalized UC [4], and the angel model [21]), but we focus on regular UC commitment only in the CRS model and do not mention UC commitment schemes with other set-up assumptions or models.
2 Preliminaries 2.1 Notations and Conventions For any n ∈ N, let [n] be the set {1, . . . , n}. We write 0n for bit string 00 · · · 0 (n times). Let U denote the -bits uniform distribution and E[X] denote the expectation of random variable X.
Efficient Non-interactive Universally Composable String-Commitment Schemes
7
We describe probabilistic algorithms using standard notations and conventions. For probabilistic polynomial-time (PPT) algorithm A, A(x1 , x2 , ...; r) denotes the random R variable of A’s output on inputs x1 , x2 , ... and random coins r. We let y ← A(x1 , x2 , ...) denote that y is randomly selected from A(x1 , x2 , ...; r) according to its distribution. If S U is a finite set, then x ← S denotes that x is uniformly selected from S . If α is neither an algorithm nor a set, x ← α indicates that α is assigned to x. We say that function f : N → R is negligible in security parameter λ ∈ N if for every constant c ∈ N there exists kc ∈ N such that f (λ) < λ−c for any λ > kc . Hereafter, we use f < negl(λ) (or f < negl) to mean that f is negligible in λ. 2.2 Indistinguishability The statistical distance between two random variables X and Y over a countable set S is def defined as Δ(X, Y) = 12 α∈S | Pr[X = α] − Pr[X = α]|. Let X = {Xλ }λ∈I and Y = {Yλ }λ∈I denote two ensembles of random variables indexed by λ (where I is a countable set). Definition 1. We say that X and Y are statistically indistinguishable if Δ(Xλ , Yλ ) < negl. Definition 2. We say that X and Y are computationally indistinguishable if for every non-uniform PPT algorithm D, there exists negligible function negl such that for every λ ∈ I, |Pr[D(Xλ ) = 1] − Pr[D(Yλ ) = 1]| < negl. We write X ≈s Y (resp. X ≈c Y) to denote that X and Y are statistically (resp. computationally) indistinguishable. 2.3 Strongly Unforgeable Signature Schemes A signature scheme (Gen, Sign , Vrfy ) is said to be strongly unforgeable under a chosen message attack (sEUF-CMA) if the advantage of the following game is negligible. The R challenger first generates verification/signing key pair (vk, sk) ← Gen(1λ ) and gives vk to adversary A. Then, A chooses messages m ∈ M (where M is a fixed message R space) and queries them to its signing oracle, and it answers σ ← Signsk (m) to A. Then, A outputs (m , σ ) and wins the game if Vrfyvk (m , σ ) = 1 and (m , σ ) (m, σ). If A is allowed to query only one message (one-time chosen message attack), then it is said to be strongly unforgeable one-time signature (sEUF-OT). We often call it (strong) one-time signature in this paper. 2.4 Extracting Randomness Definition 3 (Pairwise Independent Hash Functions). A family of hash functions H = {hi : D → R} from domain D to range R is called pairwise independent if for every distinct x, x ∈ D and every y, y ∈ R, Pr U [h(x) = y ∧ h(x ) = y ] = 1/ |R|2 . h←H
The min-entropy of random variable X over domain S is defined as def H∞ (X) = − lg (maxs∈S Pr[X = s]). Peikert and Waters [20] used the notion of the average min-entropy as defined by Dodis, Ostrovsky, Reyzin, and Smith [13] to prove
8
R. Nishimaki, E. Fujisaki, and K. Tanaka
that their PKE scheme is secure since random variable X may be correlated with another variable Y whose value is known to adversaries in cryptographic settings. The average min-entropy is interpreted as the remaining unpredictability of X conditioned on the value of Y: def H∞ (X|Y) = − lg ( E [2−H∞ (X|Y=y) ]) = − lg ( E [max Pr[X = s]]). R
R
y←Y
y←Y
s∈S
Dodis, Ostrovsky, Reyzin, and Smith proved the following lemmas: Lemma 1 ( [13]). If Y takes at most 2r possible values and Z is any random variable, then H∞ (X|(Y, Z)) ≥ H∞ (X|Z) − r. Lemma 2 ( [13]). Let X and Y be random variables such that X ∈ {0, 1}n and H∞ (X|Y) ≥ k. Let H be a family of pairwise independent hash functions from {0, 1}n to {0, 1} . Then U for h ← H , we have Δ((Y, h, h(X)), (Y, h, U)) ≤ as long as ≤ k − 2 lg (1/ ). 2.5 Universal Composability We use the standard universal composability framework by Canetti [3] (with static or adaptive corruption of the parties). We consider the real world, the ideal world, and PPT environment Z, which tries to distinguish these two worlds. The Real World. In this world, there is adversary A and protocol π realizes functionality among some parties. Let REALπ,A,Z denote the ensemble of random variables when environment Z interacts with adversary A and parties P1 , ..., Pn running protocol π. The Ideal World. In this world, there are simulator (ideal adversary) S that simulates the real world, ideal functionality F , and dummy parties. Let IDEALF ,S,Z denote the ensemble of random variables when environment Z interacts with simulator S and ideal functionality F . Definition 4. Let F be an ideal functionality. We say that protocol π securely realizes F if for any adversary A there exists simulator S, such that for any environment Z, we have IDEALF ,S,Z ≈c REALπ,A,Z where A, S and Z are PPT interactive Turing machines. That is, ∀A, ∃S, ∀Z, Pr[Z(IDEAL ) = 1] − Pr[Z(REAL ) = 1] < negl. F ,S,Z
π,A,Z
We use the standard ideal functionalities proposed by Canetti [3]. We present the commitment functionality, FCOM in Fig. 1. In the UC framework, we consider the CRS model as an FCRS -hybrid model. See the paper of Canetti [3] for details of the UC framework, FCRS , and F -hybrid models. Intuitively, in order to achieve UC commitment (in the CRS model with adaptive corruption), a commitment scheme must satisfy the following two properties. Polynomial Equivocality. Simulator S must be able to make polynomially many fake commitments using the same CRS. That is, S can open to any string and give consistent randomness to adversary A. If S can make only one fake commitment, we call this property one-time equivocality.
Efficient Non-interactive Universally Composable String-Commitment Schemes
9
Functionality FCOM FCOM interacts with sender S and receiver R. 1. Upon receiving input (Commit, sid, m) from S, verify that sid = (S, R, sid ) for R, else ignore the input. Next, record m and generate public delayed output (Receipt, sid) to R. Once m is recorded, ignore any subsequent Commit inputs. 2. Upon receiving input (Open, sid) from S, proceed as follows: if there is recorded value m then generate public delayed output (Open, sid, m) to R. Otherwise, do nothing. 3. Upon receiving message (Corrupt-sender, sid) from the adversary, send m to the adversary. Furthermore, if the adversary now provides value m and the Receipt output was not yet written on R’s tape, change the recorded value to m . Fig. 1. Commitment functionality FCOM
Simulation Extractability. Simulator S must be able to extract the contents of any valid commitment generated by adversary A, even after A obtains polynomially many fake (equivocal) commitments generated by S. If A obtains only one fake commitment and S can do an extraction, we call this property one-time extractability. Of course, real honest parties cannot do such things. If multiple commitment (or open) operations use the same CRS in a protocol, we use an extension of FCOM that handles multiple commitment (or open) requests. This is called multi-session extension functionality FCOM [9] (or FMCOM [5]). For efficiency, we want to reuse the same CRS when multiple commitment requests occur. If we construct a protocol which realizes multi-session extension functionality FCOM , we achieve reusability [9]. A commitment scheme is said to be reusable if multiple commitment operations can use the same CRS. If a commitment scheme satisfies one-time equivocality and one-time extractability, it securely realizes single session functionality FCOM (cannot reuse the same CRS). We consider FCOM only since our schemes are not reusable. 2.6 All-But-One Trapdoor Functions Peikert and Waters proposed very useful and elegant cryptographic primitives: all-butone trapdoor functions (and lossy trapdoor functions) [20]. Definition 5 (All-But-One Trapdoor Functions [20]). Let λ be a security parameter. Let n(λ) denote the input length of the function and k(λ) the lossiness of the collection def (we omit λ hereafter). Let r = n − k be the residual leakage. In a collection of allbut-one trapdoor functions (ABO-TDFs), each function has several branches. Let B = {Bλ }λ∈N be a collection of sets whose elements are branches. A collection of (n, k)-allbut-one trapdoor functions with branch collection B consists of three polynomial-time algorithms (S abo , Gabo , G−1 abo ) having the following properties.
10
R. Nishimaki, E. Fujisaki, and K. Tanaka
Sampling a Trapdoor Function with given Lossy Branch. For any b∗ ∈ Bλ , algorithm S abo (1λ , b∗ ) outputs (ι, τ) where ι is a function index and τ is its trapdoor, that is, R (ι, τ) ← S abo (1λ , b∗ ). Injective Branch and Lossy Branch. For any b ∈ Bλ where b b∗ , algorithm Gabo (ι, b, ·) computes an injective function gι,b (·) over the domain {0, 1}n −1 ∗ ∗ and G−1 abo (τ, b, ·) computes gι,b (·). Algorithm G abo (ι, b , ·) computes function gι,b (·) over the domain {0, 1}n whose image size is at most 2r = 2n−k . Hidden Lossy Branch. For any b∗0 , b∗1 ∈ Bλ , it holds that ι0 ≈c ι1 (even if the adversary gets branches b∗0 and b∗1 ), where (ιi , τi ) ← S abo (1λ , b∗i ) for i = 0, 1. R
A few constructions of ABO-TDFs are known, but we review only the construction based on the Damgård-Jurik PKE due to the limitation of space (and its simplicity). See [20] for other constructions. An ABO-TDF based on the Damgård-Jurik PKE (i.e., from DCR) was constructed by Rosen and Segev [22]. Let N = pq be an (λ-bits) RSA modulus, where p and q are odd primes and gcd(N, φ(N)) = 1. Let φ denote Euler’s φ function and s ≥ 1 be an integer. For such N, group Z∗N s+1 as a multiplicative group is direct product G × H, where G is cyclic of order N s and H is isomorphic to Z∗N . In the Damgård-Jurik PKE, let publickey pk = (N, s), secret-key sk = lcm(p − 1, q − 1), and ciphertext c = Enc pk (m; r) = (1 + N)m r N mod N s+1 for m ∈ ZN s and r ← Z∗N . The decryption can be done by using the secret key. See [10, 22] for more details. It is confirmed that Enc pk (m1 ; r1 ) · Enc pk (m2 , r2 ) = Enc pk (m1 + m2 ; r1 · r2 ) by simple calculation. The algorithms of ABO-TDF from DCR are as follows. s
U
Sampling an ABO Function. Algorithm S abo (1λ , b∗ ) selects λ-bits RSA modulus N = pq and integer s ≥ 1. We need s ≥ 3 for meaningful lossiness (lossiness k = λs/2 − (λ + 1)). Function index ι consists of (pk, γ), where pk = (N, s) and U ∗ s γ = (1 + N)−b r N mod N s+1 = Enc pk (−b∗ ; r) for r ← Z∗N . Trapdoor τ consists of lossy branch b∗ , secret key lcm(p − 1, q − 1) and randomness r. x Evaluation. For input (ι, b, x), the output is y = Gabo (ι, b, x) = γ · (1 + N)b = x Enc pk (−b∗ ; r) · Enc pk (b; 1) . That is, y = Enc pk ((b − b∗ )x; r x ). Inversion. For input (τ, y), the output is x ← Dec sk (y)/(b − b∗ ) when b − b∗ 0.
3 Adding Randomness to ABO-TDFs for Equivocality In this section, we introduce a randomization procedure to achieve equivocality. We need equivocality to achieve UC commitment as explained in Section 2.5. Original ABO-TDFs (constructed from homomorphic encryption schemes) are deterministic functions [20]. However, if the function indices of ABO-TDFs consist of ciphertexts that have homomorphic properties, we can convert them to probabilistic functions even without knowing the trapdoors (we need only ciphertexts of 0). We need probabilistic ones to achieve equivocality (and UC commitment). The randomization technique introduced below is reminiscent of mixed commitment schemes introduced by Damgård and Nielsen [12]. In the Damgård-Jurik PKE, ciphertext re-randomization s is as follows: For r ∈ Z∗N , c · r N = Enc pk (m; r) · Encpk (0; r ) = Enc pk (m; r · r ). We can randomize output y of the evaluation algorithm.
Efficient Non-interactive Universally Composable String-Commitment Schemes
11
Randomization. For output y = Gabo (ι, b, x) and randomness r ← Z∗N , the randomU
def
ized output is Rand (y, r ) = y · Enc pk (0; r ) = Enc pk ((b − b∗ )x; r x · r ). Note that −1 Dec sk (Rand (y, r )) = Dec sk (y), that is, G−1 abo (τ, b, Rand (y, r )) = G abo (τ, b, y). For input x and randomness r , the evaluation and x randomization of ABO-TDFs are expressed as follows: Enc pk (−b∗ ; r) · Enc pk (b; 1) · Enc pk (0; r ). We can consider abstract expression below by using homomorphic encryption. Definition 6. A public-key encryption scheme (Gen, Enc , Dec ) is homomorphic if for R all λ and (pk, sk) ← Gen(1λ ), it is possible to define groups M pk , C pk , and R pk such that 1. Message space M pk is an abelian group written additively. Let 0M pk and 1M pk denote additive and multiplicative identities in M pk respectively. 2. Randomness space R pk is a group with group operator . Let 0R pk and 1R pk denote additive and multiplicative identities in R pk respectively. 3. Ciphertext space C pk is a group with group operator . 4. For every m1 , m2 ∈ M pk and r1 , r2 ∈ R pk , we have Enc pk (m1 , r1 ) Enc pk (m2 ; r2 ) = Enc pk (m1 + m2 ; r1 r2 ). We consider only additively homomorphic PKE schemes (but randomness space may be multiplicatively homomorphic as the Damgård-Jurik PKE [10]). x x def def For element c ∈ C pk (resp. r ∈ R pk ), c x = c · · · c (resp. r x = r · · · r). Let IR pk be additive or multiplicative identity in R pk , that is, 0R pk or 1R pk . Then, evaluation and randomization algorithms of ABO-TDFs constructed from additive homomorphic PKE schemes are expressed as follows: x The evaluation is ∗ Gabo (ι, b, x) = Enc pk (−b · 1M pk ; r) Enc pk (b · 1M pk ; IR pk ) and the randomization is Rand (Gabo (ι, b, x), r ) = Gabo (ι, b, x) Enc pk (0M pk ; r ) where index ι = pk, Enc pk (−b∗ · 1M pk ; r) . That is, Rand (Gabo (ι, b, x), r ) x = Enc pk (−b∗ · 1M pk ; r) Enc pk (b · 1M pk ; IR pk ) Enc pk (0M pk ; r ) x = Enc pk (b − b∗ ) · 1M pk ; r Enc pk (0M pk ; r ) = Enc pk ((b − b∗ ) · x; r x ) Enc pk (0M pk ; r ) =
Enc pk ((b − b∗ ) · x; r x r )
For ABO-TDFs based on (a variant of) ElGamal PKE, we can consider the same kind of abstract structure by using homomorphism, though we need to treat matrix encryption. See [20] for matrix encryption. We omit the details in the proceedings version due to the limitation of space. We think that the abstraction above is the essence of our UC commitment schemes. If b = b∗ (lossy branch), then Rand (Gabo (ι, b, x), r ) = Enc pk (0M ; r x r ). If we know x and r, we can choose input x and randomness r such that Enc pk (0M ; r x r ) = x x− x Enc pk (0M ; r r) by setting r = r r . This is used for the equivocation algorithm described in the next section.
12
R. Nishimaki, E. Fujisaki, and K. Tanaka
Remark 1. Adding randomness to ABO-TDFs does not kill the lossiness property of ABO-TDFs based on the Damgård-Jurik (and ElGamal) PKE, because the randomization does not change the randomness space Z∗N in the DCR-based construction (and Z p in the DDH-based construction) and the number of possible outputs is same as that of original DCR-based (and DDH-based) ABO-TDFs.
4 Construction and Security Proof We present our UC commitment schemes in this section. A function index of an ABOTDF and a pairwise independent hash function are used as CRSs. In the ideal world, simulator S knows a trapdoor of an ABO-TDF, randomness used in the sampling algorithm and a lossy branch since S can generate CRSs. Simulator S can set verification as a lossy branch ((vk, sk) is a verification/signing key pair). Therefore, if S uses key vk vk as a branch in a commit stage, the function statistically loses information about its input, i.e., every output of the function has many pre-images. Thus, S can make an equivocal commitment in this case. as a branch, the function does not However, if a party uses verification key vk vk lose any information about its input. Therefore, S can extract the input from the output of the function by using its trapdoor. In this section, (Gen, Sign, Vrfy ) denotes a strong one-time signature scheme. 4.1 Description of Our Commitment Scheme We describe our UC commitment scheme named UCC. CRS Generation. A function index of ABO-TDFs and a pairwise independent hash R function are the CRSs. Let crs ← (ι, h) be the CRSs, where (ι, τ) ← S abo (1λ , b∗ = vk
0 ), h ← H (H is a pairwise independent hash function family). In the ideal R R where (vk, sk) ← world, the simulator makes a fake CRS, (ι, τ) ← S abo (1λ , vk), λ is the lossy branch. Gen(1 ). That is, verification key vk R Commit. In order to commit m, generate (vk, sk) ← Gen(1λ ) and choose uniformly random u and v. The randomness space is according to an underlying cryptosystem. R Then, compute c1 = Rand (Gabo (ι, vk, u), v), c2 = h(u) ⊕ m, and σ ← Signsk (c1 , c2 ). Send com = (c1 , c2 , vk, σ) to the receiver. The receiver verifies that Vrfyvk ((c1 , c2 ), σ) = 1. If it is not valid, the receiver outputs ⊥. Open. Send (u, v, m) to the receiver. He verifies that c1 = Rand (Gabo (ι, vk, u), v) and c2 = h(u) ⊕ m. Extraction. Simulator S verifies that Vrfyvk ((c1 , c2 ), σ) = 1. If so, then S computes u ← G−1 abo (τ, vk, c1 ) and m ← h(u) ⊕ c2 by using τ. Else, output ⊥. Equivocation. In order to make a fake commitment, simulator S computes c 1 = U u), v (that is, uses the lossy branch), c 2 ← Rand Gabo (ι, vk, {0, 1} ( is the length U
R
of m), and σ ← Signsk c1 , c 2 ). In this case, c 1 consists of ciphertexts of 0 and ( the image size is very small, so a fake commitment is statistically indistinguishable from a real commitment (this will be proven formally in Section 4.2). Let
Efficient Non-interactive Universally Composable String-Commitment Schemes
13
com = ( c1 , c 2 , vk, σ) be the fake commitment. In order to open it to arbitrary m , first, S computes u such that c 2 = h( u) ⊕ m , i.e., u = h−1 ( c2 ⊕ m ). This computation can be done easily since h is a pairwise independent hash function. Value u is random since c 2 is uniformly distributed. Second, S computes v such that c 1 = EncN,s (0; ru · v) = EncN,s (0; r u · v), that is, v = ru− u · v (this is the DamgårdJurik PKE case). In this way, S can open com to arbitrary m by sending ( u, v, m ). Randomness r was used to generate the function index, so S knows this information. Note that u is one of the pre-images of c 1 , because no matter what input is given, c 1 consists of ciphertexts of 0 at the lossy branch (i.e., b = b∗ . See Section 2.6). Of course, honest parties and adversary A cannot execute the extraction and equivocation algorithms. In this scheme, simulator S can make a fake commitment only once and the verification key can be because the simulator needs to set the lossy branch vk the equivocation algorithm used only once. If the simulator sets the branch vki vk, does not work. 4.2 Security Proof of Our Scheme In this section, we show that UCC is a UC commitment scheme. Theorem 1. If the signature scheme is strongly unforgeable under a one-time chosen message attack, hash function family H is pairwise independent and the DCR (or DDH) problem is hard, then UCC securely realizes functionality FCOM (i.e., the single session version) in the FCRS -hybrid model. Proof. For any adversary A, we construct simulator S interacting with FCOM such that no environment Z can distinguish the ideal world with S and FCOM from the real world of scheme UCC with A. S starts by invoking a copy of A and simulates the interaction of A with Z and parties running the scheme. S proceeds as follows. Note that S and R mean a sender and a receiver respectively. Simulating the CRS. S prepares CRSs crs by sampling a function index of ABOTDFs, generating a key pair of a signature scheme, and choosing a pairwise indeR R U where (vk, sk) ← pendent hash function; (ι, τ) ← S abo (1λ , vk), Gen(1λ ), h ← H. Then, let crs ← (ι, h). When a party queries FCRS , return (CRS, sid, crs) to it. S knows trapdoor τ and randomness r used for S abo . Simulating the communication with Z. S writes every input value that it receives from Z into adversary A’s input tape. S copies every output value written by A on its output tape to S’s output tape. Simulating commit when S is uncorrupted (R may be corrupted). In the ideal world, if uncorrupted sender S is activated with (Commit, sid = (S, R, sid ), m) by Z and S passes the message to FCOM , S (who cannot know m but is informed about the commitment by receiving (Receipt, sid = (S, R, sid ))) simulates real sender σ u), v , S. That is, S sends com = ( c1 , c 2 , vk, ) to A, where c 1 = Rand Gabo (ι, vk, c 2 = υ where υ ← {0, 1} , σ = Signsk ( c1 , c 2 ). S also sends (Receipt, sid) from FCOM to R. If A corrupts S before delivering com to R and then modifies com U
14
R. Nishimaki, E. Fujisaki, and K. Tanaka
before delivering it, then S follows the instructions for a corrupted sender. If A corrupts S but does not modify the commitment, then S continues the simulation as above. Simulating open when S is uncorrupted (R may be corrupted). If uncorrupted sender S is activated with (Open, sid = (S, R, sid )) by Z and S has correctly committed to m, then S must have sent com on behalf of S in the black-box simulation of A at the commit stage. S now learns m from R via FCOM (S can obtain (Open, sid, m) from FCOM ) and opens com to m in the simulation of A by using the equivocal algorithm. Simulating corruption of parties. If A corrupts party P in the simulated interaction, S corrupts corresponding dummy party P in the ideal world and obtains all its unopened commitment values. S makes the internal state of P consistent with the values in the same way as above. Simulating commit when only S is corrupted. S sends (Corrupt-sender, sid) to FCOM . If simulated A (or Z) makes corrupted S send com∗ = (c∗1 , c∗2 , vk∗ , σ∗ ) to honest R in the simulated interaction, S must extract the committed value by A. S verifies the validity of signature σ∗ . If it is not valid, S ignores the messages. Otherwise, S runs the extraction algorithm by using τ, extracts m∗ and sends it to FCOM and Receipt response of FCOM to R. Simulating open when only S is corrupted. If A (a corrupted sender) sends open message (u∗ , v∗ , m∗ ) to uncorrupted receiver R in the simulated interaction, S verifies that (u∗ , v∗ , m∗ ) is a valid opening. If it is, S sends (Open, sid) to FCOM and sends the Open message from FCOM to R. Otherwise, S ignores the message. Simulating remaining cases. When both parties are corrupted, S simply runs A internally. In order to show that REALπ,A,Z ≈c IDEALF ,S,Z (here, π means UCC), we consider COM the following hybrid experiments with hybrid adversaries Hi (i = 1, 2, 3, 4) and their ensemble of random variables HYBiHi ,Z when environment Z interacts with Hi . HYB1H1 ,Z : The first hybrid experiment is the same as the real world experiment except
that hybrid adversary H1 aborts if adversary A sends valid commitment = vk∗ (not exact copy of a commitment generated (c∗1 , c∗2 , vk∗ , σ∗ ) such that vk by an honest sender). HYB2H2 ,Z : The second hybrid experiment is the same as the first one except that R R where (vk, sk) ← (ι, τ) ← S abo (1λ , vk) Gen(1λ ) in the CRS generation. HYB3H3 .Z : The third hybrid experiment is the same as the second one except that c 2 = υ U
where υ ← U . HYB4H4 .Z : The fourth hybrid experiment is the same as the ideal world experiment except that S does not extract m∗ . Instead, S sends 0 to dummy FCOM (in hybrid experiments, there is no FCOM ) if later A opens this commitment to m, then S patches dummy FCOM by inserting m in place of 0 . This can be done since this is a hybrid experiment and dummy FCOM is used. (Modifying FCOM in this way is illegal in the ideal world.)
Efficient Non-interactive Universally Composable String-Commitment Schemes
15
sk) is generated by Note that in these experiments, one-time signature key pair (vk, hybrid simulators and they use it as a branch when an honest party is required to make a commitment. Informal lemmas are as follows. It holds that REALπ,A,Z ≈c HYB1H1 ,Z ≈c HYB2H2 ,Z ≈s HYB3H3 ,Z ≈s HYB4H4 ,Z ≈s IDEALF ,S,Z by the following reasons. COM
REALπ,A,Z ≈c HYB1H1 ,Z holds by the strong unforgeability of the one-time signature
scheme.
HYB1H1 ,Z ≈c HYB2H2 ,Z holds by the computational indistinguishability of hidden lossy
branches.
HYB2H2 ,Z ≈s HYB3H3 ,Z holds by the statistical indistinguishability from the uniform
distribution. This follows from the generalized leftover hash lemma [13, 20].
HYB3H3 ,Z ≈s HYB4H4 ,Z holds since these are the same experiments expressed in two
different ways.
HYB4H4 ,Z ≈s IDEALF
,S,Z holds since these are the same experiments as long as adCOM versary A cannot validly open m even after A commits to m ( m ), that is, A cannot break the statistical binding property of (the ElGamal or the Damgård-Jurik) vk∗ holds, so the PKE. In these experiments, the ABO-TDF is injective since vk lemma follows.
From the sequences of indistinguishability above, the theorem follows. Formal lemmas and their proofs are as follows. Lemma 3. The environment’s views in REALπ,A,Z and HYB1H1 ,Z are computationally indistinguishable if the signature scheme is strongly unforgeable under a one-time chosen message attack. Proof. Let com = ( c1 , c 2 , vk, σ) be a commitment generated by an honest sender (or hybrid simulators in the name of the honest sender). We define event F as adversary A making valid commitment com∗ = (c∗1 , c∗2 , vk∗ , σ∗ ), such that com com∗ , We show that event F happens with negligible Vrfyvk∗ (c∗1 , c∗2 , σ∗ ) = 1, and vk∗ = vk. probability. The two views are identical as long as event F does not happen. Consider simulator H1 that attacks the signature scheme with a one-time chosen generated by Gen and simulates CRS generation message attack. H1 is given input vk vk
by setting crs ← (ι, h), where (ι, τ) ← S abo (1λ , 0 ) and h ← H. When Z asks an honest sender to make a commitment of message m, H 1 selects uniformly random u, v, u), v and c 2 = h(u) ⊕ m, queries its generates ( c1 , c 2 ), where c 1 = Rand Gabo (ι, vk, signing oracle on the message ( c1 , c 2 ), and obtains signature σ . Then, H1 lets com = ( c1 , c 2 , vk, σ) and sends it to A. Note that in these hybrid experiments, hybrid simulator H1 knows content m (unlike the ideal world). Upon receiving any commitment where σ∗ ) such that com com∗ = (c∗1 , c∗2 , vk∗ = vk, com∗ and Vrfyvk∗ (c∗1 , c∗2 , σ∗ ) = 1 from ∗ ∗ ∗ A, H1 outputs (c1 , c2 , σ ) as a forgery in the attack game of the signature scheme and sends error messages to the adversary. H1 simulates HYB1H1 ,Z perfectly to A (and environment Z). We show that event F happens if and only if H1 outputs a valid forgery. If F happens before Z asks an honest R
U
16
R. Nishimaki, E. Fujisaki, and K. Tanaka
party to make a commitment of m, then H1 makes a valid signature without queries to its signing oracle. This is a forgery. If F happens after Z asks an honest party to make a commitment of m, then we must have either ( c1 , c2 ) (c∗1 , c∗2 ) or σ σ∗ since ∗ ∗ ∗ ∗ com com . In either case, (c1 , c2 , σ ) is different from its single query ( c1 , c2 , σ) to the signing oracle. That is, it is a forgery. Since the signature scheme is strong one-time secure, event F happens with negligible probability. Thus, the lemma follows. Lemma 4. The environment’s views in HYB1H1 ,Z and HYB2H2 ,Z are computationally indistinguishable, assuming the hidden lossy branch property of the ABO-TDF collection. We show that Z’s views in HYB1H1 ,Z and HYB2H2 ,Z are computationally inR sk) ← distinguishable when signature key pair (vk, Gen is fixed. The lemma follows sk) since the distribution of (vk, sk) is identical by averaging over the choice of (vk, sk). We in these two experiments. Hereafter, in this proof of the lemma, fix any (vk, consider simulator H1/2 . H1/2 is given input (vk, sk) and ABO-TDF index ι which was R R vk vk generated as either (ι, τ) ← S abo (0 ) or (ι, τ) ← S abo (vk). That is, H1/2 sends (0 , vk) to the challenger as challenge lossy branches, then the challenger sends ι to H1/2 as the target function index. The output of H1/2 in the two experiments is computationally Proof.
vk
indistinguishable since the two inputs (index with branch 0 and index with branch are computationally indistinguishable. vk) The action of simulator H1/2 is as follows. H1/2 simulates CRS generation by set vk
ting crs ← (ι, h), where ι is the given input (ι where (ι, τ) ← S abo (0 ) or ι where R U and h ← (ι, τ) ← S abo (vk)) H . When Z asks an honest sender to make a commitment of u), v , c 2 = h(u)⊕m, message m, H1/2 generates ( c1 , c 2 , σ), where c 1 = Rand Gabo (ι, vk, and σ = Signsk ( c1 , c 2 ) (as in the first hybrid experiment, H1/2 knows content m). Then, H1/2 lets com = ( c1 , c 2 , vk, σ) and sends it to adversary A. If A makes valid commit∗ ∗ ∗ ∗ σ∗ ) such that com ment com = (c1 , c2 , vk = vk, com∗ and Vrfyvk∗ (c∗1 , c∗2 , σ∗ ) = 1, H2 aborts. vk R If H1/2 is given (ι, τ) ← S abo (0 ), its action is identical to H1 . If H1/2 is given R its action is identical to H2 . Therefore, the view generated by H1/2 (ι, τ) ← S abo (vk), R
vk
is identical to HYB1H1 ,Z when ι is generated by S abo (0 ) and is identical to HYB2H2 ,Z thus the lemma follows. when ι is generated by S abo (vk), Lemma 5. The environment’s views in HYB2H2 ,Z and HYB3H3 ,Z are statistically indistinguishable.
Proof. In this proof, we only consider the choice of hash function h and randomness u used by algorithm Gabo when generating commitment com because the focal point of this proof is the distribution of h(u). All other random coins are fixed. Note that randomness v does not affect the image size since it is used only for re-randomization. We show that the views in HYB2H2 ,Z and HYB3H3 ,Z are statistically indistinguishable when the coins are fixed. The lemma follows by averaging over the choice of the random coins.
Efficient Non-interactive Universally Composable String-Commitment Schemes
17
The only difference between the two experiments is whether c 2 = h(u) ⊕ m or c 2 = υ, U where υ ← U and com = ( c1 , c 2 , vk, σ) are generated by the hybrid simulator (in the ·), v is name of an honest sender). Randomized evaluation algorithm Rand Gabo (ι, vk, n−k is the lossy branch. Therefore, a lossy function with image size of at most 2 since vk random variable c1 = Rand Gabo (ι, vk, u), v can take at most 2n−k values. ∞ (u| We have H c1 , ι) ≥ H∞ (u|ι) − (n − k) = k by using Lemma 1,because randomness u is independent of index ι. Therefore, by Lemma 2 (X = u, Y = c1 , Z = ι), the hypothesis that ≤ k − 2 lg 1/ , and the definition of HYB2H2 ,Z and HYB3H3 ,Z , we have Δ(( c1 , h, h(u)), ( c1 , h, υ)) ≤ (λ), where υ ← U . That is, U
Δ(HYB2H2 ,Z , HYB3H3 ,Z ) ≤ (λ) = negl(λ). In HYB2H2 ,Z , we have c 2 = h(u) ⊕ m, while in HYB3H3 ,Z we have c 2 = υ, where υ ← U . It is easy to see that c 2 = υ is identically distributed to υ ⊕ m. The lemma follows. U
Lemma 6. The environment’s views in HYB3H3 ,Z and HYB4H4 ,Z are perfectly indistinguishable. Proof. This is trivial since these are the same two hybrid experiments expressed in two different ways. Lemma 7. The environment’s views in HYB4H4 ,Z and IDEALF ,S,Z are statistically COM indistinguishable. Proof. When adversary A (or environment Z) makes corrupted S send valid commitment com∗ = (c∗1 , c∗2 , vk∗ , σ∗ ) such that Vrfyvk∗ (c∗1 , c∗2 , σ∗ ) = 1, simulator S in the ideal world runs the extraction algorithm. Let m∗ be a message extracted from com∗ . In hybrid experiment HYB4H4 ,Z , A later may open commitment com∗ to m, that is, it sends (m, u, v). These two hybrid experiments are the same as long as A cannot validly open m such that m m∗ even after A commits to m∗ . When (m, u, v) is the valid opening of com∗ , c∗1 = Rand (Gabo (ι, vk∗ , u), v), c∗2 = vk∗ holds so h(u) ⊕ m, and Vrfyvk∗ (c∗1 , c∗2 , σ∗ ) = 1 holds. In these experiments, vk ∗ Rand (Gabo (ι, vk , u), v) is injective, that is, statistically binding. This means that com∗ uniquely determines value m. If a mismatch event m m∗ happens, then these two experiment are distinguishable, but this happens with negligible probability since the commitment is statistically binding as described above. The lemma follows.
References 1. Barak, B., Canetti, R., Nielsen, J.B., Pass, R.: Universally Composable Protocols with Relaxed Set-up Assumptions. In: FOCS 2004, pp. 186–195 (2004) 2. Camenisch, J., Shoup, V.: Practical Verifiable Encryption and Decryption of Discrete Logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003)
18
R. Nishimaki, E. Fujisaki, and K. Tanaka
3. Canetti, R.: Universally Composable Security: A New Paradigm for Cryptograpic Protocols. In: Cryptology ePrint Archive, Report 2000/067, Preliminary version appeared in FOCS 2001 (2005) 4. Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally Composable Security with Global Setup. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 61–85. Springer, Heidelberg (2007) 5. Canetti, R., Fischlin, M.: Universally Composable Commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001) 6. Canetti, R., Kushilevitz, E., Lindell, Y.: On the Limitations of Universally Composable TwoParty Computation Without Set-Up Assumptions. J. Cryptology 19(2), 135–167 (2006) 7. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally Composable Two-Party and Multi-Party Secure Computation. In: STOC 2002, pp. 494–503 (2002) 8. Canetti, R., Pass, R., Shelat, A.: Cryptography from Sunspots: How to Use an Imperfect Reference String. In: FOCS 2007, pp. 249–259 (2007) 9. Canetti, R., Rabin, T.: Universal Composition with Joint State. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 265–281. Springer, Heidelberg (2003) 10. Damgård, I., Jurik, M.: A Generalisation, a Simplification and Some Applications of Paillier’s Probabilistic Public-Key System. In: Kim, K.-c. (ed.) PKC 2001. LNCS, vol. 1992, pp. 125–140. Springer, Heidelberg (2001) 11. Damgård, I., Groth, J.: Non-interactive and Reusable Non-Malleable Commitment Schemes. In: STOC 2003, pp. 426–437 (2003) 12. Damgård, I., Nielsen, J.B.: Perfect Hiding and Perfect Binding Universally Composable Commitment Schemes with Constant Expansion Factor. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 581–596. Springer, Heidelberg (2002) 13. Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. SIAM J. Computing 38(1), 97–139 (2008) 14. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM J. Computing 30, 391–437 (2000) 15. Goldreich, O., Micali, S., Wigderson, A.: Proofs that Yield Nothing but their Validity, or All Languages in NP have Zero-Knowledge Proof Systems. Journal of the ACM 38(3), 691–729 (1991); Preliminary version appeared in FOCS 1986 16. Hofheinz, D., M¨uller-Quade, J.: Universally Composable Commitments Using Random Oracles. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 58–76. Springer, Heidelberg (2004) 17. Katz, J.: Universally Composable Multi-party Computation Using Tamper-Proof Hardware. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 115–128. Springer, Heidelberg (2007) 18. Naor, M.: Bit Commitment Using Pseudorandomness. J. Cryptology 4(2), 151–158 (1991) 19. Pedersen, T.P.: Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992) 20. Peikert, C., Waters, B.: Lossy Trapdoor Functions and Their Applications. In: STOC 2008, pp. 187–196 (2008) 21. Prabhakaran, M., Sahai, A.: New Notions of Security: Achieving Universal Composability without Trusted Setup. In: STOC 2004, pp. 242–251 (2004) 22. Rosen, A., Segev, G.: Efficient Lossy Trapdoor Functions based on the Composite Residuosity Assumption. In: Cryptology ePrint Archive, Report 2008/134 (2008) 23. Zhu, H.: New Constructions for Reusable, Non-erasure and Universally Composable Commitments. In: Bao, F., Li, H., Wang, G. (eds.) ISPEC 2009. LNCS, vol. 5451, pp. 102–111. Springer, Heidelberg (2009)
Spatial Encryption under Simpler Assumption Muxin Zhou and Zhenfu Cao Department of Computer Science and Engineering Shanghai Jiao Tong University
[email protected],
[email protected] Abstract. Spatial encryption was first proposed by Boneh and Hamburg. They showed that many useful encryption systems can be derived from it. In this paper, we describe two variants of spatial encryption. First we present a scheme that can be proved to be secure under the decisional bilinear Diffie-Hellman assumption, which is much simpler than the BDHE assumption used by Boneh and Hamburg. However, as a compromise, our ciphertext size and private key size are larger. We also discuss some techniques to shrink the private key of this scheme in a real application. Finally, we provide a hybrid construction which allows an optimal tradeoff between efficiency and security.
1
Introduction
Identity-based encryption [15,5], or IBE for short, is a cryptographic primitive proposed by Shamir. In such a system, a message is encrypted under the recipient’s identity and only the user with the matching identity can successfully open the message. Recently, a new vision for identity based encryption [15,5] has appeared called Predicate Encryption [13]. In these settings, secret keys correspond to predicates and ciphertexts are associated with attributes; the secret key SKf , corresponding to a predicate f , can be used to decrypt a ciphertext associated with attribute I if and only if f (I) = 1. First in 2005, Sahai and Waters [14] proposed fuzzy IBE, in which they defined a measurement of similarity between two IDs. Decryption works if and only if the receiver’s identity is close enough to the targeted identity in the ciphertext. Their scheme can be easily extended to a new application called Attribute-Based Encryption (ABE) [11,16], in which the predicates are boolean functions. Boneh and Waters [8] proposed Hidden Vector Encryption (HVE), and Katz, Sahai and Waters [13] also constructed such a scheme for predicates corresponding to the evaluation of inner products. Both schemes have strong emphasis on anonymity. In 2008, Boneh and Hamburg developed a new general framework called generalized IBE (GIBE) [7], for constructing IBE systems with different properties. This framework is very close to Predicate Encryption [13], except that it incorporates delegation, an important property from hierarchical IBE [12,10]. A GIBE system allows a sender to encrypt a message under a certain policy, in some set P of all allowable policies. Users hold secret keys corresponding to J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 19–31, 2009. c Springer-Verlag Berlin Heidelberg 2009
20
M. Zhou and Z. Cao
roles. Roles are organized in a partially ordered set R, i.e., a set endowed with a reflexive, transitive, antisymmetric relation . Given the key Kρ1 , there is a delegation algorithm that can generate the key Kρ2 , as long as ρ1 ρ2 . For a role ρ ∈ R and a policy π ∈ P, we write open(ρ, π) if a user with a secret key for ρ is allowed to decrypt a message encrypted under π. We require this relation to be monotone, that is, if ρ ρ and open(ρ , π) then open(ρ, π). Also for simplicity, we require that R contains a top element , such that ρ for all ρ ∈ R, and open(, π) for all π ∈ P. Spacial encryption (SE) is proposed by Boneh and Hamburg [7] as an important instance of the GIBE framework. In a spatial encryption scheme, the policy set P are the points p of an n-dimensional space Znp , the role set R are all subspaces W of Znp ordered by inclusion and open(W, p) ⇔ p ∈ W . The construction proposed in their work is very efficient. The ciphertext size is always constant and the private key size grows with the complexity of the system. They reduce its security to decisional n-BDHE assumption, where n is the space dimension. Boneh et al show that many instances of GIBE can be derived from spatial encryption. Most important examples are hierarchical IBE, broadcast IBE, forward security schemes, etc. Our Contributions. We present two alternative constructions of spatial encryption. The first one can be proved to be secure under the decisional bilinear Diffie-Hellman assumption, which is much simpler than the underlying BDHE assumption used in Boneh and Hamburg’s construction. As a tradeoff, the size of a ciphertext in our scheme is no longer constant; instead, it is linearly dependent on the space dimension. One might notice that our scheme becomes very analogous to Boneh and Boyen’s HIBE [3] and its variants [1,2]. We also discuss two techniques for reducing the private key size. Unfortunately, the ciphertext size remains large. To shrink ciphertexts, we need a compromise with a strong assumption. We then construct a hybrid scheme that allows tradeoffs between efficiency and security. It is inspired by Boneh, Boyen and Goh’s construction of hybrid HIBE [4]. This scheme allows an additional parameter ω during setup. It’s a real number between 0 and 1. A smaller ω leads to efficiency, while a bigger one improves security. More precisely, the n-dimension hybrid scheme provides O(nω ) ciphertext, O(nω ) private key (plus rank of subspace), and is secure under the decisional (n1−ω )-BDHE assumption.
2
Preliminaries
Below, we recall the definition of spatial encryption and its security model. We also review the definition of bilinear maps and discuss the complexity assumptions on which the security of our systems rely. 2.1
Spatial Encryption
A spatial encryption system fits into the GIBE framework. Such a scheme consists of four randomized algorithms that run in polynomial time:
Spatial Encryption under Simpler Assumption
21
– Setup(λ, n) takes as input a security parameter λ and a space dimension n. It returns public parameters P P and a master secret key K . – Delegate(P P, W, KW , W ) takes the secret key KW for vector space W and outputs the secret key KW for W , where W ⊆ W . We require that the distribution of the private keys produced by Delegate() should be independent of the path taken. That is, if W1 ⊇ W2 ⊇ W3 , then Delegate(P P, W1 , KW1 , W3 ) should produce the same distribution as Delegate(P P, W2 , Delegate(P P, W1 , KW1 , W2 ), W3 ). – Encrypt(P P, v, m) encrypts a message m under a vector v. – Decrypt(P P, W, KW , v, c) uses a secret key KW to decrypt the ciphertext c under v. Decryption succeeds if and only if v ∈ W , so that Decrypt(P P, W, KW , v, Encrypt(P P, v, m)) = m holds true for all P P generated by Setup, for all vectors v and spaces W , and for all keys KW for W delegated directly or indirectly from K . 2.2
Security
We define chosen ciphertext security for spatial encryption system under a chosen vector attack by the following game between an adversary and a challenger. Setup: The challenger runs Setup(λ, n) and sends P P to the adversary. Phase I: The adversary makes delegation queries Wi to the challenger, which runs Delegate(P P, , K, Wi ) and returns KWi . The adversary may also make decryption queries (Wi , v i , ci ) to the challenger, where v i ∈ Wi . The challenger runs KWi ← Delegate(P P, , K, Wi ), then runs Decrypt(P P, Wi , KWi , v i , ci ) and returns the resulting mi (or ⊥ for failure). Challenge: The adversary outputs two messages m0 , m1 and a target vector v ∗ . We require that the adversary has not been given a decryption key for the target vector, that is, v ∗ ∈ Wi for all delegation queries Wi in phase I. The challenger chooses a random b ∈ {0, 1}, runs Encrypt(P P, v ∗ , mb ), and returns the resulting challenge ciphertext c∗ to the adversary. Phase II: The second query phase is exactly like the first one, except that the adversary may not issue decryption queries for c∗ or delegation queries for subspace that contains v ∗ . Guess: The adversary outputs a guess b ∈ {0, 1} and wins if b = b. We call an adversary A in the above game a IND-Vec-CCA adversary. We define the advantage of the adversary A in attacking a scheme E as 1 AdvE,A = Pr[b = b ] − 2 Definition 1. A spatial encryption system is (t, qd , qc , ) IND-Vec-CCA secure if all t-time IND-Vec-CCA adversaries making at most qd delegation queries and at most qc decryption queries have an advantage at most in winning the above game.
22
M. Zhou and Z. Cao
Canetti, Halevi and Katz [9] introduced a weaker notion of security in which the adversary chooses in advance v ∗ and sends it to the challenger before receiving the public parameters. Such an adversary is called a selective (IND-sVec-CCA) adversary. We can define IND-sVec-CCA security for spatial encryption analogically. We also define chosen plaintext security (CPA Security). In a CPA game, the adversary may not issue decryption queries at all. Definition 2. A spatial encryption system is (t, qd , ) IND-sVec-CPA secure if it is (t, qd , 0, ) IND-sVec-CCA secure. 2.3
Bilinear Maps
We review a few facts related to groups and bilinear maps. Let G and GT be two (multiplicative) cyclic groups of prime order p. Let g be a generator of G and e be a map, e : G × G → GT . e is a bilinear map when following properties hold. 1. Bilinearity: for all u, v ∈ G and a, b ∈ Zp , we have e(ua , v b ) = e(u, v)ab . 2. Non-degeneracy: e(g, g) = 1. We say that G is a bilinear group if the group action in G can be computed efficiently and there exists a group GT and an efficiently computable bilinear map e : G×G → GT as above. Note that the map e is symmetric since e(g a , g b ) = e(g, g)ab = e(g b , g a ). 2.4
Complexity Assumption
Let G be a bilinear group of prime order p. The Decisional BDH problem in G is defined as follows. Given g, g a , g b , g s ∈ G and Z ∈ GT , where a, b, s are randomly picked from Zp , one is asked to determine whether Z is equal to e(g, g)abs . An algorithm A has advantage in solving DBDH problem in G if Pr A(g, g a , g b , g s , e(g, g)abs ) = 0 − Pr[A(g, g a , g b , g s , R) = 0] ≥ where R is a random element in GT . We refer to the distribution on the left as PDBDH and the distribution on the right as RDBDH . Definition 3. The (t, )-DBDH assumption holds in G if no t-time algorithm has advantage at least in solving the DBDH problem in G. The decisional q-BDHE problem in G is defined as follows. Randomly pick i a, s ∈ Zp and g ∈ G. Denote g a as gi . Given a tuple t = (g, g1 , . . . , gq , gq+2 , . . . , g2q , g s ) ∈ G2q+1 and Z ∈ GT , one is asked to determine whether q+1 Z is equal to e(g, g)a s . An algorithm A has advantage in solving decisional q-BDHE problem in G if q+1 Pr A(t, e(g, g)a s ) = 0 − Pr[A(t, R) = 0] ≥ where R is a random element in GT . We refer to the distribution on the left as PBDHE and the distribution on the right as RBDHE .
Spatial Encryption under Simpler Assumption
23
Definition 4. The decisional (t, , q)-BDHE assumption holds in G if no t-time algorithm has advantage at least in solving the decisional q-BDHE problem in G.
3
Spatial Encryption with Security under DBDH
Now we present an n-dimension spatial encryption system that is IND-sVecCPA secure without random oracles under the decisional bilinear Diffie-Hellman assumption. This scheme can be viewed as a modified version of the Boneh et al’s origin scheme [7], under a simpler assumption (the origin scheme relies on decisional n-BDHE assumption [6]) but expanding ciphertexts. 3.1
Notation
For convenience, we will adopt some notations described below. – All vectors in this paper are always column vectors. For a matrix M ∈ Zn× , p we use Mi to denote the i-th column vector, and Mi,j to be the value in the j-th coordinate of the i-th column vector. – For a vector v = (v1 , v2 , . . . , vn ) ∈ Znp , we use g v to denote corresponding vector in G g v := (g v1 , g v2 , . . . , g vn ) ∈ Gn . – For vectors u, v ∈ Znp , we denote u, v as the dot product. – Given a matrix M ∈ Zn× and a vector v ∈ Znp , we write Sp(M, v) ⊆ Znp for p the subspace {M x + v : x ∈ Zp }. 3.2
Construction
Let G and GT be two groups of order p. Let e : G × G → GT be a bilinear map. Our spatial encryption system works as follows. Setup(λ, n): The algorithm generates p, G, GT , e according to the security parameter λ. It picks a random generator g ∈ G, random elements α, a ∈ Zp , b ∈ Znp , and publishes public parameters as P P = p, G, GT , e, g, g a , g b , e(g, g)α The master secret key is given by K = g α . Delegate(P P, W, W , KW ): A private key for a subspace W = Sp(M, v) where M ∈ Zn× has the form p
g α+av+b,r , g r , g aM r where r is randomly picked from Znp . It easily follows that any one can rerandomize his own secret key (k0 , kr , kM ) by choosing random vector r ∈ Znp and generating a new key
24
M. Zhou and Z. Cao
k0 · g av+b,r , kr · g r , kM · g aM r The algorithm takes W = Sp(M, v) and W = Sp(M , v ). Since W is a subspace of W , there exists T ∈ Z× and y ∈ Zp , such that M = M T and p v = v + M y. It computes the derived key as
ˆ W = g α+av+b,r · g ay M r , g r , g aT M r K
= g α+av +b,r , g r , g aM r and uses a random vector r ∈ Znp to re-randomize it. Encrypt(P P, v, m): To encrypt a message m ∈ GT under vector v, the sender chooses a random s ∈ Zp and computes the ciphertext as
m · e(g, g)αs , g s , g (av+b)s Decrypt(P P, KW , v, c): The receiver parses the ciphertext c which is encrypted under v as (c0 , c , c1 , . . . , cn ). It delegates KW to obtain the key Kv = (g α+av+b,r , g r ) as (k0 , k1 , . . . , kn ), then recovers plaintext by computing n n s(avi +bi )ri sα i=1 e(ci , ki ) i=1 e(g, g) c0 · = m · e(g, g) · = m. e(c , k0 ) e(g, g)sα+sav+b,r 3.3
Security Proof
Now we prove the security of our spatial encryption scheme under the standard decisional BDH assumption in G. Theorem 1. Suppose the (t, )-Decisional BDH assumption holds in G. Then the previously defined n-SE system is (t , qd , ) IND-sVec-CPA secure for arbitrary n, qd , and any t < t − O(nqd τ ) where τ is the time for an exponentiation in G. Proof. Suppose A is an adversary that breaks our system. We construct an algorithm B, that solves DBDH problem. The simulator B takes as input a DBDH challenge (g, g a , g b , g s , Z) where Z is either e(g, g)abs or a random element in GT . B proceeds as follow. Init: The adversary gives the simulator a vector v ∗ on which it intends to attack. Setup: The simulator B randomly picks α ∈ Zp , b ∈ Znp , and sets α = ab + α , b = −av ∗ + b . Obviously, B can efficiently compute all these public parameters, and they have a distribution identical to that in the actual construction. Then it sends the public parameters to A. Phase I: To respond to the delegation query for a subspace W = Sp(M, v), B randomly chooses r ∈ Znp and finds a vector u such that u M = 0 but v − v ∗ , u = 0. Since v ∗ ∈ W , i.e., v − v ∗ ∈ Span(M ), B can efficiently calculate the vector u mentioned above. Then it sets r=
bu + r v ∗ − v, u
Spatial Encryption under Simpler Assumption
25
Obviously, B can easily calculate g r . Now we observe that, for any vector w, we have aw, r =
abw, u + aw, r abw, u = ∗ + R(w) v ∗ − v, u v − v, u
The second term (without ab) can be easily calculated, and we denote it by R(w). Note that according to the choice of b, we can write av + b, r as av − v∗ , r + b , r. The simulator computes the first element of the private key as g α+av+b,r = g α+av−v
∗
,r+b ,r
∗
= g ab+α · g abv−v ,u/v ∗ = g α · g R(v−v ) · g b ,r
∗
−v,u+R(v−v ∗ )
· g b ,r
Moreover, since M u = 0, thus g aM r in the private key can be given as ∗ g aM r /v −v,u . As we can see here, the simulator can answer any delegation query as long as v ∗ ∈ W. Challenge: The adversary A sends two plaintexts m0 , m1 . B chooses a random bit μ ∈ {0, 1} and constructs challenge ciphertext c∗ as
mμ · Z · e(g α , g s ), g s , g sb . Obviously, if Z = e(g, g)abs then c∗ is a valid encryption of mμ under the vector v ∗ . Phase II: The simulator B continues to answer A’s delegation queries as above. Guess: The adversary finally outputs a guess μ of μ. If μ = μ, the simulator output 0 indicating Z = e(g, g)abs . Otherwise it outputs 1 meaning that Z = e(g, g)abs . When the input 5-tuple is sampled from PDBDH (where Z = e(g, g)abs ), then A’s view is identical to that in a real attack. Therefore A must satisfy |Pr[μ = μ ]− 12 | > . On the other hand, when the input 5-tuple is sampled from RDBDH (where Z is uniform in GT ), the challenge ciphertext c∗ is independent from the choice of μ in adversary’s view. Thus no adversary could have advantage in wining the game, that is, Pr[μ = μ ] = 12 . Therefore, we have Pr B(g, g a, g b , g s , e(g, g)abs ) = 0 − Pr B(g, g a , g b , g s , R) = 0 ≥ as required. This completes the proof. 3.4
Extensions
This construction suffers from large private keys and ciphertexts. In this section, we present two techniques to shrink the private keys. To reduce the size of ciphertexts we need a stronger security assumption. We will present such a hybrid scheme in Section 4.
26
M. Zhou and Z. Cao
Wildcards Support. When a user can choose an arbitrary value in some coordinate independently, we say that this user has full control of the coordinate. For example, in a 5-level hierarchical IBE system, a user Alice with identity (ID1 , ID2 ) can generate private keys for identities with her id as prefix. That is, she has the power to choose arbitrary values in the third, the fourth and the fifth coordinates. In the BH’s origin scheme, we have to associate her private key with (M, v) = ((e3 , e4 , e5 ), (ID1 , ID2 , 0, 0, 0)). In the new DBDH construction, we can simply omit M . Now the private key is associated with vector v like (ID1 , ID2 , ∗, ∗, ∗). Note that in our scheme, a user can simply neglect a coordinate when the corresponding item g r is absent. This provides a property we call “wildcards support”. The wildcards are denoted by a special symbol “∗”, just like the ones in the private key given above. One can notice that this scheme is very analogous to Boneh and Boyen’s HIBE [3]. The private key size grows with the depth of the user. The encryptor can also set wildcards in the target vector, indicating that the decryptor must have full control on the corresponding coordinate. Delegation and decryption still works as the basic construction. Merging g r . Again take the 5-level HIBE as example. The two items g r1 and g r2 in Alice’s private key can be merged. In other words, we can use a common g r{1,2} to replace them. Now suppose Alice wants to produce a private key for Bob whose identity is (ID1 , ID2 , ID3 , ID4 ). She chooses a new random element r{3,4} ∈ Zp and proceeds as before. The derived private key has only three group elements, rather than five in the basic scheme. The security proof still holds. But this technique somewhat conflicts with the definition of spatial encryption: private keys from different delegation paths may have different distributions. However, we can split it again by re-randomizing. In a practical system, this technique will raise some issues related to privacy, but never lead to weakness in security.
4
A Hybrid Scheme
In some practical scenarios, we may need a compromise between security and efficiency. For those requirements, we propose a hybrid spatial encryption scheme. It combines our spatial encryption scheme in the above section and BH’s origin scheme [7]. This hybrid scheme is inspired by Boneh, Boyen and Goh’s construction of hybrid HIBE [4]. The main idea is to partition all coordinates into small groups, and each fitted into a BDHE problem. To set up such a scheme, one must specify a real number w ∈ [0, 1]. Let n be the space dimension. The hybrid scheme can achieve O(nω ) ciphertexts, while is secure when the (n1−ω )-BDHE assumption holds. At one extreme, when ω = 0, the setting corresponds to the original efficient scheme proposed by Boneh et al; at another extreme, when we set ω to 1, the setting becomes the secure one we present in Section 3.2. First we introduce a new notation to partition vectors in Znp . Given a real number w ∈ [0, 1], let n1 = nω and n2 = n1−ω . We partition an n-dimension
Spatial Encryption under Simpler Assumption
27
vector into n1 vectors so that each is n2 -dimension as follows. Let v (1) denote the sub-vector (v1 , v2 , . . . , vn2 ) , v (2) denote the sub-vector (vn2 +1 , vn2 +2 , . . . , v2n2 ) , etc. That is, in a row vector form, v = ( v1 , . . . , vn2 , vn2 +1 , . . . , v2n2 , . . . , v(n1 −1)n2 +1 , . . . , vn1 n2 ) =( v(1) , v(2) , ..., v(n ) 1) Also, we denote the element v(i−1)n2 +j as v(i,j) . Since n ≤ n1 n2 , we may need to pad v(n1 ) with some zeros. We also apply this notation to matrixes. For example, M(1) denotes first n2 rows of M . Let G and GT be two groups of order p, where log p is approximately the security parameter λ. Let e : G × G → GT be a bilinear map. The hybrid scheme is described as follows. Setup(λ, n): The algorithm generates p, G, GT , e according to the security parameter λ. Pick a random generator g ∈ G, random elements α ∈ Zp , a ∈ Znp 2 , b ∈ Znp 1 , and publish public parameters as P P = p, G, GT , e, g, g a , g b , e(g, g)α The master secret key is given by K = (g α ). Delegate(P P, W, W , KW ): A private key for the subspace W = Sp(M, v) where M ∈ Zn× has the form p
n1 n1 g α+ i=1 ri (a,v(i) +bi ) , g r , g i=1 ri M(i) a where r is randomly picked from Znp 1 . The algorithm takes W = Sp(M, v) and W = Sp(M , v ). Since W is a subspace of W , there exists T ∈ Z× and y ∈ Zp , such that M = M T and p v = v + M y. Let
n1 n1 n1 ri (a,v (i) +bi ) ˆ W = g α+ i=1 K · g i=1 ri y M(i) a , g r , g i=1 ri T M(i) a
n1 n1 = g α+ i=1 ri (a,v(i) +(My)(i) +bi ) · g r , g i=1 ri (MT )(i) a
n1 n1 = g α+ i=1 ri (a,v(i) +bi ) , g r , g i=1 ri (M )(i) a and then a random r ∈ Znp 1 could be used to re-randomize it. Encrypt(P P, v, m): To encrypt a message m ∈ GT under vector v, the sender chooses a random s ∈ Zp and computes the ciphertext as
n1
m · e(g, g)αs , g s , g (a,v(i) +bi )s i=1
1 Decrypt(P P, KW , v, c): The receiver parses the ciphertext c as (c0 , c , {ci }ni=1 ). n1 α+ i=1 ri (a,v (i) +bi ) It first delegates KW to obtain the key K{v} = (g , gr ) 1 as (k0 , {ki }ni=1 ), then recovers plaintext by computing n1 e(ci , ki ) c0 · i=1 = m. e(c , k0 )
28
M. Zhou and Z. Cao
Remarks: To prove the security of the spatial encryption scheme under the DBDH assumption in Section 3, we split up the ciphertexts and the private keys into every coordinate. Instead of that, the hybrid scheme uses a more flexible strategy. A parameter ω which controls how fine those should be split is given in the setup algorithm. When we partition a vector into n1 groups of size n2 , a hybrid scheme achieves O(n1 +n2 ) public parameters, O(n1 + ) private keys and O(n1 ) ciphertexts, while its security can be reduced to the n2 -BDHE assumption. This enables users to adjust the proposed construction according to a concrete requirement in a practical environment. We also note that the sizes of groups may differ. In Boneh and Hamburg’s work [7], they present Product Scheme, which combines several GIBEs in one SE system. For example, email encryption in their work, combines a broadcast encryption system Eb (for PKGs) and a hierarchical IBE Eh (for users). Assume that each system takes up nb and nh dimensions to work. Then we can partition all coordinates into two groups, exactly of size nb and nh . In this way, we can shrink the PKG’s private keys to O(nb ) by utilizing wildcards (in Section 3.4) and slightly improve the security (from (nb + nh )-BDHE assumption to (max{nb , nh })-BDHE assumption). That is, by carefully investigating a real application, a hybrid scheme can achieve the optimal tradeoff between security and efficiency. Theorem 2. Let G be a bilinear group of prime order p. Consider a hybrid nSE system with compromise parameter ω. Suppose the decisional (t, , n1−ω )BDHE assumption holds in G, then the hybrid SE scheme is (t , qd , ) IND-sVecCPA secure for arbitrary qd and any t < t − O(τ nqd ) where τ is the maximum time for an exponentiation in G. The proof of this theorem is similar to that for the DBDH construction and is shown in Appendix A.
5
Conclusions
We present two variants of spatial encryption system. The first construction is a DBDH version of Boneh and Hamburg’s origin scheme. The security relies on the standard DBDH assumption, which is a simpler one than that used in origin construction. However, our private keys and ciphertexts are linearly dependent on the space dimension. The second one is a hybrid scheme, which finds a tradeoff between our basic construction and BH’s construction. It gives users the ability to adjust the proposed scheme according to the requirements of practical applications.
References 1. Abdalla, M., Catalano, D., Dent, A.W., Malone-Lee, J., Neven, G., Smart, N.P.: Identity-based encryption gone wild. In: Cryptology ePrint Archive, Report 2006/304 (2006), http://eprint.iacr.org/
Spatial Encryption under Simpler Assumption
29
2. Abdalla, M., Kiltz, E., Neven, G.: Generalized key delegation for hierarchical identity-based encryption. In: Biskup, J., L´ opez, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 139–154. Springer, Heidelberg (2007) 3. Boneh, D., Boyen, X.: Efficient selective-id secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004) 4. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005) 5. Boneh, D., Franklin, M.K.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001) 6. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005) 7. Boneh, D., Hamburg, M.: Generalized identity based and broadcast encryption schemes. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 455–470. Springer, Heidelberg (2008) 8. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007) 9. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: EUROCRYPT, pp. 255–271 (2003) 10. Gentry, C., Silverberg, A.: Hierarchical id-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002) 11. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for finegrained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006) 12. Horwitz, J., Lynn, B.: Toward hierarchical identity-based encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 466–481. Springer, Heidelberg (2002) 13. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008) 14. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005) 15. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) 16. Waters, B.: Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. Cryptology ePrint Archive, Report 2008/290 (2008), http://eprint.iacr.org/
A
Proof of Hybrid Construnction
We prove that the security of hybrid construction in Section 4 can be reduced to the decisional BDHE assumption. For convinience, we re-state the theorem.
30
M. Zhou and Z. Cao
Theorem 3. Let G be a bilinear group of prime order p. Consider a hybrid nSE system with all coordinates partitioned into n1 groups of size n2 . Suppose the decisional (t, , n2 )-BDHE assumption holds in G, then the hybrid SE scheme is (t , qd , ) IND-sVec-CPA secure for arbitrary qd and any t < t − O(τ nqd ) where τ is the maximum time for an exponentiation in G. Proof. Suppose A is an adversary that breaks our system. We construct an algorithm B, that solves the decisional n2 -BDHE problem. The simulator B takes as input a n2 -BDHE challenge t = (g, g1 , . . . , gn2 , gn2 +2 , . . . , g2n2 , g s ) and n2 +1 s Z where Z is either e(g, g)a or a random element in GT . B proceeds as follow. Init: The adversary gives the simulator a vector v ∗ on which it intends to attack. Setup: The simulator B randomly picks α ∈ Zp , a ∈ Znp 2 , b ∈ Znp 1 , and sets
n1 n2 ∗ α = an2 +1 + α , aj = aj + aj j=1 , bi = −a, v(i) + bi . i=1
We claim that B can efficiently compute all the public parameters, and they have a distribution identical to that in the actual construction, since each item has a “private chosen” variable. Phase I: To respond to a delegation query for a subspace W = Sp(M, v), B finds a vector u such that u M = 0 but v − v ∗ , u = 0. Since v ∗ ∈ W, ∗ i.e., v − v ∈ Span(M ), B can efficiently calculate the vector u mentioned above. Then it sets n1 n2 n2 −j+1 + ri j=1 u(i,j) a ri = v ∗ − v, u i=1
Znp 1 .
where r is randomly chosen from Obviously, g r can be efficiently calculated. Now we observe that, for any vector w ∈ Znp , we have ri a, w =
an2 +1 u(i) , w(i) + Ri (w) v ∗ − v, u
The items without an2 +1 in ri a, w are denoted as Ri (w). They can be easily calculated from (g, g1 , . . . , gn2 , gn2 +2 , . . . , g2n2 ). Note that according to the choice of b, we can write ri a, v (i) + ri bi as ri a, v (i) − v ∗(i) + ri bi . n1
Thus g i=1 ri (a,v(i) +bi ) contains a term of gn−1 , which will cancels out 2 +1 with the unknown term in g α . The simulator calculates as g α+
n1
= gα · g
i=1
ri (a,v(i) +bi )
n1
i=1
ri a,v(i) −v∗ (i)
= (gn2 +1 g α ) · g
n1
· g r,b
n2 +1 ∗ ∗ u(i) ,v (i) −v ∗ (i) /v −v,u+Ri (v−v )) i=1 (a
u,v−v ∗ /v∗ −v,u
= (gn2 +1 g α ) · (gn2 +1
= gα · g
n1
i=1
Ri (v−v ∗ )
· g r,b
g
n1
i=1
Ri (v−v ∗ )
) · g r,b
· g r,b
Spatial Encryption under Simpler Assumption n1
31
Moreover, since for k = 1, . . . , we have u, Mk = 0, g i=1 ri M(i) a can n1 be computed as {g i=1 Ri (Mk(i) ) }k=1 without knowing gn2 +1 directly. As we can see here, all three terms of the private key can be efficiently provided by the simulator as long as v ∗ ∈ W . Therefore, the simulator can answer any delegation query. Challenge: The adversary A sends two plaintexts m0 , m1 . B chooses a random bit μ ∈ {0, 1} and constructs challenge ciphertext c∗ as
mμ · Z · e(g α , g s ), g s , g sb . n2 +1
s Obviously, if Z = e(g, g)a then c∗ is a valid encryption of mμ under the ∗ vector v . Phase II: The simulator B continues to answer A’s delegation queries as Phase I. Guess: The adversary finally outputs a guess μ of μ. If μ = μ, the simulator n2 +1 s outputs 0 indicating Z = e(g, g)a . Otherwise it outputs 1 meaning that n2 +1 a s Z = e(g, g) .
When the input tuple is sampled from PBDHE , then A’s view is identical to that in a real attack. Therefore A must satisfy |Pr[μ = μ ] − 12 | > . On the other hand, when the input tuple is sampled from RBDHE , the challenge ciphertext c∗ is independent from the choice of μ in the adversary’s view. Thus no adversary could have an advantage in wining the game. That is, Pr[μ = μ ] = 12 . Therefore, we have Pr B(t, e(g, g)abs ) = 0 − Pr [B(t, R) = 0] ≥ as required. This completes the proof.
Chosen-Ciphertext Secure RSA-Type Cryptosystems Benoˆıt Chevallier-Mames1 and Marc Joye2 1
DCSSI, Laboratoire Crypto 51 Boulevard de la Tour Maubourg, 75700 Paris, France
[email protected] 2 Thomson R&D, Security Competence Center 1 avenue de Belle Fontaine, 35576 Cesson-S´evign´e Cedex, France
[email protected] http://joye.site88.net/
Abstract. This paper explains how to design fully secure RSA-type cryptosystems from schemes only secure against passive attacks, in the standard model. We rely on instance-independence assumptions, which, roughly speaking, conjecture that for certain problems, an interactive access to a solver for another problem does not help the challenger. Previously, instance-independence assumptions were used in a “negative” way, to prove that certain schemes proven in the random oracle model were not provable in the standard model. Our paradigm applies virtually to all (weakly secure) RSA-type encryption schemes for which public-key RSA exponent can be arbitrarily chosen. As an illustration, we present a chosen-ciphertext secure variant of the Naccache-Stern encryption scheme. Keywords: Chosen-ciphertext security, public-key encryption, standard model, RSA-based encryption schemes, instance-independence assumptions, one-time mappable chameleon hashing.
1 1.1
Introduction Chosen-Ciphertext Security
Building on the seminal work of Goldwasser and Micali [24], the commonly accepted security notion for public-key encryption is that of indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2, or IND-CCA for short) [39] (see also [32] for a weaker notion considering non-adaptive adversaries). To reach this security notion, there has been an extensive body of work on public-key encryption, a recent survey of which can be can be found in [17]. 1.2
Instance-Independence Assumptions
In [34,33], Paillier and Villar considered several assumptions in order to show that several RSA-based schemes were unprovable (under a black-box reduction) J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 32–46, 2009. c Springer-Verlag Berlin Heidelberg 2009
Chosen-Ciphertext Secure RSA-Type Cryptosystems
33
in the standard model while provably secure in the random oracle model. They refer to these assumptions as non-malleability assumptions, but to avoid any confusion with the classical notion of non-malleability of an encryption scheme (as proposed by Dolev, Dwork, and Naor [18]), we use the term of instanceindependence assumptions throughout this paper. Let P be a cryptographic problem. An access (possibly with certain restrictions on entries) to an oracle solving a problem Q may be a way to find more easily a solution to problem P. More precisely, the oracle solving Q is an interactive resource that is given to the adversary. For a pair (P, Q), the problem consisting in solving P with an access to a Q-solver oracle is called the (P, Q) assisted problem. Even if the problem Q is expected to be computationally hard (and thus, even if the Q-solver oracle gives a lot of extra power to the attacker), the (P, Q) assisted problem may remain hard. These are the cases that are considered in [34,33] (see also [23,28] for non-adaptive versions) and in this paper: The assumption that solving the (P, Q) assisted problem is only negligibly easier than solving the P problem is called the (P, Q) instance-independence assumption. The first example given in [34,33] is the assisted factorization: with an oracle solving factorization of n = n0 (with the restriction that n = 0 mod n0 for obvious reasons), it should remain hard to factor modulus n0 . Another example is the assisted e-th root computation: with an oracle returning e-th roots modulo n (for (e, n) = (e0 , n0 )) — where (e, n) is a possible output of some RSA key generator1 ), it should remain hard to compute an e0 -th root modulo n0 . Remark 1. We stress that instance-independence assumptions should not be confused with one-more assumptions. In a one-more-P problem, one is given access to two oracles, OGen and OSolve , and needs to solve (n + 1) independent instances of the P challenge (these challenges being given by OGen ), using at most n accesses to OSolve , which is an oracle that solves any chosen instance of problem P. Examples of one-more problems include the one-more RSA, the one-more DL and the one-more CDH [2]. The assisted (P, Q)-problems, which are supposedly as hard as their primitive problem P under instance-independence assumptions, are of different nature. Indeed, they consist in solving only one instance of the P-problem, using a possibly very large number of queries to an oracle solving the Q-problem. What makes these assisted problems non-trivial is the fact that, in contrast with onemore problems, the entries of the Q-problem solver are supposed to be “not too related” to the P-challenge (hence the name of instance-independence). As a consequence, assisted problems and one-more problems can hardly been linked or compared together. 1
For example, it should be supposed that n is not a multiple of n0 , or that e does not share common factors with e0 . Therefore, to hope to achieve the assumption, one may assume that e is prime, and that n has a certain fixed-length n .
34
B. Chevallier-Mames and M. Joye
1.3
Our Contributions
Instance-independence assumptions were used in [34,33] to prove that security proofs of several classical cryptosystems proven in the random oracle were impossible to achieve in the standard model, under a black-box reduction. On the contrary, this paper considers positive applications of instance-independence assumptions. Namely, we consider some simple and known IND-CPA primitives with certain properties (we refer to these primitives as public-key encryptions with ephemeral key), and show how to transform them into fully secure encryption schemes. We provide a proof that, under clearly defined instance-independence assumptions, the so-obtained schemes are as secure as their underlying primitives, in the standard model. Interestingly, RSA primitives we consider in this paper corresponds — under some instance-independence assumptions — to cryptographic objects named as adaptive one-way functions in [35]. Our primitives are more efficient than the general constructions given in [35] but, being specific, they rely on stronger assumptions. For the sake of illustration, we will present an application of our paradigm from the knapsack encryption scheme of Naccache and Stern [31]. Further applications of our paradigm can be found in the full version of this paper [11]. 1.4
Relation to IBE Technique
Our technique shares many common features with the identity-based construction in [5]. Very roughly, the idea behind the identity-based encryption (IBE) paradigm can be sum up as follows. For each new encryption, the user generates a fresh key pair (pk, sk) for a certain signature scheme, and encrypts a message by using an IND-ID-CPA secure IBE scheme (the result being noted c), using the public key pk as the identity in the IBE scheme. The resulting ciphertext is then made of pk, c, appended with a signature of c under private key sk. The IND-CCA security of the so-obtained encryption scheme is achieved since access to the decryption oracle is useless for an attacker: indeed, there is no way for this latter to gain information about the challenge from the oracle since it does not know the secret key sk∗ , and thus, cannot create ciphertexts corresponding to identity pk∗ of the challenge. The IND-ID-CPA security of the underlying IBE scheme suffices to conclude the proof2 . Our scheme uses in a way the same kind of strategy. Imagine one starts from an IND-CPA RSA-type encryption primitive, where additionally the user can decide the value of the public exponent e for each ciphertext (the public exponent being thus ephemeral ). If the user proves that it has generated e by himself (by exhibiting a proof of knowledge on something closely related to e), such an exponent would not be anymore reusable by an attacker, i.e., an attacker would not be able to submit to a decryption oracle a valid ciphertext with the ephemeral public exponent e∗ appearing in the challenge. In this way, we forbid the attacker to learn information from the decryption oracle in a way similar 2
We refer the reader to [9] for a more precise security proof.
Chosen-Ciphertext Secure RSA-Type Cryptosystems
35
to the IBE setting: the signature corresponding to public key pk makes that no valid ciphertext with same identity pk∗ as in the challenge can be queried. Unfortunately, there is an additional important issue to address in our setting: we have to provide the attacker with the decryption queries.. In the IBE setting, decryption queries are answered using the IND-ID-CPA security of the underlying identity-based encryption. In our context, the underlying IND-CPA RSA-type encryption primitive is insufficient. This is where instance-independence assumptions come into play in order to assume that our reduction has an access to an oracle answering decryption queries. One may finally remark that the [5] transformation has been modified by Kiltz in [25], who proposed an efficient conversion from a tag-based encryption to form a chosen-ciphertext secure encryption scheme. This transformation is more general than the IBE based one since any identity-based encryption scheme can be turned into a tag-encryption scheme. 1.5
Outline of the Paper
The rest of this paper is organized as follows. Section 2 reviews standard definitions and security notions for public-key encryption, as well as the paradigm of chameleon hashing. Section 3 introduces new cryptographic problems, and defines instance-independence assumptions. Section 4 describes our main construction, including a complete chosen-ciphertext secure scheme. Finally, Section 5 concludes the paper.
2
Preliminaries
In this section, we introduce some background on public-key encryption. We also review some ingredients that will be used in our constructions. 2.1
Public-Key Encryption
A public-key encryption scheme, E = (Gen, Enc, Dec), can be described as a tuple of probabilistic polynomial-time algorithms. By default, the message space is {0, 1}∗. Key Generation. Given a security parameter κ, Gen(1κ ) produces a pair (pk, sk) of matching public and private keys. Encryption. Given a message m in message space M and public key pk, Encpk (m) produces a ciphertext c ← Encpk (m). If x denotes the random coins used by Enc, we equivalently write c = Encpk (m, x). Decryption. Given a ciphertext c and private key sk, Decsk (c) returns a plaintext m or a special symbol ⊥ denoting that the ciphertext is invalid. We require that if c ← Encpk (m), then Decsk (c) returns m for all (pk, sk) ← Gen(1κ ) and messages drawn in the message space.
36
2.2
B. Chevallier-Mames and M. Joye
Security Notions for Encryption Schemes
Semantic security. The notion of semantic security (IND) [24], also known as indistinguishability of encryptions, captures a strong notion of privacy: The attacker should not learn any information whatsoever about a plaintext given its encryption. The adversary A = (A1 , A2 ) is said to (κ, ε, τ )-break IND when (pk, sk) ← Gen(1κ ), (m0 , m1 , s) ← A1 (pk), IND AdvE (A) = 2 × Pr − 1 ≥ ε , (1) b,x c ← Encpk (mb ) : A2 (m0 , m1 , s, c) = b where the probability is taken over the random coins of the experiment according to the distribution induced by Gen(1κ ) as well as the ones the adversary, where b ∈ {0, 1} and m0 , m1 ∈ M. A must run in at most τ steps and it is imposed that |m0 | = |m1 |. An encryption scheme is said to be semantically secure (or IND secure) if no probabilistic algorithm can (κ, ε, τ )-break IND for τ ≤ poly (κ) and ε ≥ 1/poly (κ). As we are in the public-key setting, it is worth noting that adversary A = (A1 , A2 ) is given the public-key pk and so can encrypt any message of its choice. In other words, the adversary can mount chosen-plaintext attacks (CPA). Hence, we write IND-CPA the security level offered by an IND-secure encryption scheme, emphasizing the fact that A has access to an encryption oracle (for free). Chosen-ciphertext attacks. IND-CPA security offers an adequate security level in the presence of a passive adversary. In a number of situations however (e.g., see [40]), this may reveal insufficient in the presence of a more powerful adversary that can do more than merely eavesdropping the exchanged messages. The “right” security level against active attacks is that of IND-CCA security, or security against chosen-ciphertext attacks [39,18] (see also [32]). The definition of the adversary’s advantage as given by Eq. (1) readily extends to the IND-CCA model but the adversary A = (A1 , A2 ) now is given an adaptive access to a decryption oracle to which it can submit any ciphertext of its choice with the exception that A2 may not query the decryption oracle on challenge ciphertext c. 2.3
Chameleon Hashing
Chameleon hash functions [26] (see also [7]) are hash functions associated with a pair (hk, tk) of hashing/trapdoor keys. The name chameleon refers to the ability of the owner of the trapdoor key to modify the input without changing the output. A chameleon hash function is defined by a triple of probabilistic polynomialtime algorithms (ChamGen, ChamHash, ChamColl). ChamGen, on input 1κ , produces a pair of hashing/trapdoor keys: (hk, tk) ← ChamGen(1κ ). Given a message m and a random string r, chameleon hash algorithm with hashing key hk ChamHashhk : {0, 1}∗ × {0, 1}∗ → {0, 1}∗, (m, r) → h = ChamHashhk (m, r)
Chosen-Ciphertext Secure RSA-Type Cryptosystems
37
generates a hash value ChamHashhk (m, r). Moreover, a chameleon hash function should satisfy the properties that (i) there exists no probabilistic polynomial-time algorithm that, on input random hashing key hk, can find two pairs of message/random string, (m1 , r1 ) and (m2 , r2 ) with m1 = m2 , such that the relation ChamHashhk (m1 , r1 ) = ChamHashhk (m2 , r2 ) is satisfied, except with negligible probability; (ii) on input trapdoor key tk, given (m1 , r1 , m2 ), algorithm ChamColl can find a string r2 = ChamColltk (m1 , r1 , m2 ) such that ChamHashhk (m1 , r1 ) = ChamHashhk (m2 , r2 ). (iii) all messages m induce (computationally) indistinguishable probability distributions on chameleon hash function ChamHashhk (m, r) for r chosen uniformly at random. Example 1. Consider the group G = g generated by an element g ∈ Z∗n , where n is an RSA modulus. Suppose that H : G → {0, 1}h is a second-preimage resistant hash function. It is easy to see that function Fv given by Fv : Z|G| × Z|G| → {0, 1}h , (m, r) → Fv (m, r) := H(g r v m mod n) is a chameleon hash function where hashing key is hk = {n, g, v} while trapdoor key is tk = {y}, with g y ≡ v (mod n). Given a triple (m1 , r1 , m2 ), a colliding value can be found using trapdoor key y as r2 = r1 + y(m1 − m2 ) mod |G|. Example 2. Suppose now that the order of G is unknown but that its order of magnitude is known: |G| ≈ 2g . We then restrict the range of messages in Fv to {0, 1}c and allow for larger random strings r ∈ {0, 1}g +c +2κ (where κ is some security parameter); trapdoor key y is chosen in {0, 1}g +κ3 . Since |G| is unknown, trapdoor key y cannot be recovered as y = (r2 − r1 )/(m1 − m2 ), as in Example 1. Two different colliding pairs (m1 , r1 ) and (m2 , r2 ) will only yield a multiple of |G|: L := (r1 − r2 ) + y(m1 − m2 ) ∝ |G| . For random strings r1 ← {0, 1}g +c +2κ , the statistical zero-knowledge property guarantees that L is non-zero with overwhelming probability (see e.g. [38]). Suppose further that n is a strong RSA modulus (i.e., n = (2p + 1)(2q + 1) for some primes p and q ) and that G is the set of quadratic residues modulo n. In this case, the value of 4L is a multiple of φ(n), which, using Miller’s algorithm [30], leads to the factorization of n.
3
Complexity Assumptions
3.1
Decision RSA Short Encrypted-Prime Problem
We start with the definition. 3
Such a setting is sufficient to ensure that the discrete logarithm of v in base g (i.e., y mod |G|) is statistically indistinguishable from a random integer modulo |G|.
38
B. Chevallier-Mames and M. Joye
Definition 1 (Decision RSA Short Encrypted-Prime Problem (D-RSASEP)). Let (e , n , k ) be security parameters. The challenger is given a triple (e0 , n0 , z0 ), where n0 is an n -bit RSA modulus, e0 is an e -bit random prime, and z0 ← Z∗n0 . Its goal is to decide whether or not z0 is of the form k e0 mod n0 , for some k ∈ Primes({2k −1 , 2k }). We have no proof that D-RSA-SEP problem is hard. Yet, we try to list some key points which are needed to assess its difficulty. We also relate it to other classical and close problems that appeared in the literature. First, parameter k is important, as it codes for the number of possible primes: there are around 2k /k primes of k bits. Thus, we want this latter quantity to be larger than the expected security limit of 2κ , where κ is the security parameter. For example, for a 112-bit security level, one needs k ≥ 119. Second, exponent e cannot be too small. Indeed, if e is too small, i.e., if e·k < n , the value k e mod n is actually equal to k e over the integers. Therefore, it is easy for the challenger to solve the D-RSA-SEP problem by computing e-th roots over the integers. The same holds true when e · k ≈ n as the challenger e can then first guess the quotient kn . Hence, typically, k = 119 and e = 3 is a bad setting. All in all, it is necessary for the problem to be hard that e · k n . Note that this is also imposed by Coppersmith’s algorithm [13]. It is very simple to see that D-RSA-SEP ⇐ RSA ⇐ FACT, where ⇐ denotes polynomial reductions. Apart from these easy reductions, we do not see any way to prove the relative security of the new problem we present. This may therefore be the subject of future research. RSA-type problems. We review below in this section some problems that were proposed in the literature, that are more or less related to D-RSA-SEP. Relationship with dependent-RSA problem. The dependent-RSA problem (DRSA) was introduced by Pointcheval in [37]: it was one of the first decisional RSAtype problems proposed in the literature. The idea consists in trying to mount an RSA equivalent of the ElGamal pair (g r , y r ). Notably, one of the proposed mode is the pair (re mod n, (r + 1)e mod n). The Dependent-RSA problem, in its computational version, is defined as computing (r +1)e mod n from (e, n, re mod n), while its decisional version consists in distinguishing (r + 1)e mod n from a random element in Z∗n , being given (e, n, re mod n). Essentially, Dependent-RSA and D-RSA-SEP problems feature in common that their hardness requires e to be large enough. Relationship with decisional small e-th residues problem. In [10], Catalano, Gennaro, Howgrave-Graham and Nguyen proposed the (computational/decisional) small e-th roots problem (DSeR being the notation of the decisional version). It arises from a variant of Paillier scheme they proposed. The decisional small e-roots problem is by definition to decide whether an input is of the form re mod n2 (with r ∈ Z∗n ) or not, being given (e, n).
Chosen-Ciphertext Secure RSA-Type Cryptosystems
39
This problem is close to D-RSA-SEP in the sense that it basically requires to distinguish small values raised to a power e (a small prime in D-RSA-SEP, an half-size integer in DSeR) from random values. Relationship with Micali-Schnorr pseudo-random bit generator. The pseudorandom bit generator designed by Micali and Schnorr [29] is based on the hypothesis that the distribution of k e mod n for random k -bit integers is indistinguishable from the distribution of elements of Z∗n . This is clearly an assumption that is very close to ours: in our case, we only added that the k that are considered are primes. 3.2
Instance-Independence Assumption
In [34,33], Paillier and Villar conjectured that the RSA(e0 , n0 ) problem (that is, the computation of e0 -th roots modulo n0 ) is not significantly simpler when one was given an interactive oracle returning e-th roots modulo n, for any pair (e, n) = (e0 , n0 ) of adversary’s choice. They refer to this kind of hypothesis as non-malleability assumptions, in the sense that an RSA challenge should not be transformed into another challenge, so that the oracle would help. To avoid confusion with the classical security notion of non-malleability [18], we rename in this paper the [34,33]-style assumptions as instance-independence assumptions. Intuitively, in this paper, we consider an instance-independence variant about the D-RSA-SEP problem, conjecturing that D-RSA-SEP(e0 , n0 ) is not significantly simpler when given an RSA(e, n) oracle, where we restrict even more the control of the adversary than in [34,33]: this latter can only have access to an oracle returning e-th roots modulo n0 , with e prime and where modulus is fixed to n0 . More formally, this gives the following definition. Definition 2 (Assisted Decision RSA Short Encrypted-Prime Problem (A-D-RSA-SEP)). Let (e , n , k ) be some security parameters. The challenger is given (e0 , n0 , z0 ), where n0 is an RSA n -bit modulus, e0 is a e -bit random prime, and z0 ∈ Z∗n0 . The challenger has qD adaptive accesses to an oracle On0 , which returns an e-th root of a chosen element β modulo n0 , for a chosen e -bit prime e = e0 : α ← On0 (e, β) such that αe = β mod n0 . The challenger’s goal is to decide whether or not z0 is of the form k e0 mod n0 , for some k ∈ Primes([2k −1 , 2k [). We conjecture that the assisted decision RSA short encrypted-prime problem is at most negligibly easier than the (standard) decision RSA short encryptedprime problem. Indeed, we suppose that the RSA(e, n0 ) problems are sufficiently independent for different prime exponents e, so that the access to the (limited) RSA oracle does not “dramatically” simplify the task of the challenger. In other words, because of this supposed independence, we believe that the A-D-RSA-SEP problem, which is interactive by nature, is almost as hard as its plain version
40
B. Chevallier-Mames and M. Joye
(see Definition 1). This assumption is what we call the (D-RSA-SEP, RSA) instance-independence assumption. We remark that this latter assumption is stronger than the ones used in [34,33], because the problems to solve in our constructions are decisional.
4 4.1
New RSA-Type Schemes An IND-CPA Encryption Scheme
We describe a semantically secure RSA-type encryption scheme derived from the multiplicative knapsack cryptosystem Naccache-Stern [31]. Key Generation. Some parameters are defined, namely a bit-length n , a bitlength k and a maximum index I so that Π :=
I
pi ≤ 2n −k −1
and pI < 2k −1 ,
i=1
where pi ’s denote the first primes sorted in increasing order. The message space is {0, 1}I . Let n = pq be an n -bit RSA modulus, made of two equallength primes p and q. Define λ = lcm(p − 1, q − 1) and for an integer e > 1 with gcd(e, λ) = 1, compute d = e−1 mod λ. The public key is pk = {n, e} while the private key is sk = {d}. Encryption. To encrypt a message m = {mi }i ∈ {0, 1}I , one picks a ran dom k -bit prime k, computes w = Ii=1 pi mi and c = (w · k)e mod n. The ciphertext is c. Decryption. To decrypt a ciphertext c, the legitimate receiver calculates t = cd mod n and decomposes it into the base of primes allowing a maximal valuation of 1 for each prime pi , i.e., t=
I
p i mi · k
with mi ∈ {0, 1} .
i=1
Message m is then recovered bit-by-bit as mi =
1 0
if t mod pi = 0, otherwise .
It is easy to show that the above scheme achieves IND-CPA security under the assumption that the D-RSA-SEP problem is hard (see Definition 1). 4.2
Making It Chosen-Ciphertext Secure
As for most RSA-type schemes, public exponent e can be “freely” chosen in the key generation of the previous scheme, subject to the condition that gcd(e, λ) = 1. In other words, this scheme can be modified into a public-key encryption
Chosen-Ciphertext Secure RSA-Type Cryptosystems
41
scheme with ephemeral key. Namely, the public key pk can be split into two parts: a fixed part n and a variable (ephemeral) part e. If the private key is defined as λ, the private exponent corresponding to e can be computed from λ as d = e−1 mod λ. Suppose for a moment that the ciphertexts are formed by pairs (c, e) obtained from the previous IND-CPA encryption scheme from a random ephemeral key e. Now, in the security proof, when adversary A = (A1 , A2 ) requests the decryption of (c, e), we simply call the RSA-oracle and get back corresponding plaintext m (or ⊥). This however supposes that e = e∗ , where (c∗ , e∗ ) denotes the challenge ciphertext, because of the restriction on the oracle in the A-D-RSA-SEP problem. First, we note that the probability that A1 queries on a ciphertext (c, e) with e = e∗ is negligible as A1 has no a priori knowledge on the value of e∗ . For this, we assume that the set from which the ephemeral key e is drawn from is sufficiently large. For A2 , things are more complicated: A2 knows e∗ from the challenge ciphertext (c∗ , e∗ ). The limitation on the oracle in the A-D-RSA-SEP problem prevents to obtain the corresponding plaintext from the RSA oracle (remember that only primes e = e∗ can be submitted). Therefore we adopt another strategy: in some sense we “forbid” A2 to submit ciphertexts of the form (c, e∗ ) by making “infeasible” for anyone to reuse a prior ephemeral key picked by someone else. To this end, we append a “proof”, say π, to the ciphertexts and modify the generation of e accordingly. The ciphertexts of are now represented by tuples (c, e, π). There are several possible realizations of this idea ([5]). One-time mappable chameleon hash function. Our proof π relies on a special kind of chameleon hash functions. As will become apparent, chameleon hash functions will be used so that the value of e can be recovered from (c, π). Their salient feature is that it is infeasible to find a second pair (c , π ) = (c, π) that will yield the same e, unless some trapdoor information on the generation of e is given. Since A2 has no such information about e∗ , the probability that A2 requests the decryption of a ciphertext (c, e∗ , π) with (c, π) = (c∗ , π∗ ) is negligible. The attentive reader will observe there is a last technical complication: e∗ , the ephemeral key used in the ciphertext challenge, is an input to the reduction algorithm and so it is unclear how to get a pair (c∗ , π∗ ) that will lead to the value of e∗ 4 . This problem is alleviated through the use of one-time mappable chameleon hashing. Basically, a one-time mappable hash function is a keyed hash function that can be controlled for one given pair of input/output. Definition 3 (One-time mappable hash function). Given a family of hash functions {H(i) }j , a one-time mappable hash function H(a) is a hash function such that on input (x∗ , h∗ ), it is easy to find an index a such that H(a) (x∗ ) = h∗ . It turns out that it is straightforward to construct a one-time mappable hash function from a regular hash function. Let H be a function mapping strings 4
This technical complication appears clearly in the security analysis; see [11, § 4.3].
42
B. Chevallier-Mames and M. Joye
of arbitrary length to strings of h bits. From H, we define the family of hash functions {H(i) }i , 0 ≤ i < 2h , given by H(i) : {0, 1}∗ → {0, 1}h , x → H(i) (x) := (H(x) + i) mod 2h .
(2)
Now given a pair (x∗ , h∗ ), if we set a := (h∗ − H(x∗ )) mod 2h , we obviously have H(a) (x∗ ) = h∗ . The above construction can be composed with chameleon hash functions so as to obtain one-time mappable chameleon hash functions. Moreover, it is easy to see that doing so, Properties (i)–(iii) for chameleon hash functions (cf. § 2.3) are still satisfied, provided that function H in Eq. (2) is second pre-image collision resistant. In order to satisfy the instance-independence assumption, ephemeral keys e are required to be e -bit primes. Hence, we need to modify the output of the hash function to accommodate this additional requirement5 . We give below an example of such a function that maps integers (of length at most h bits) to e -bit primes: Je : {0, 1}h → Primes([2e −1 , 2e [), x → Je (x) := NextPrimee [T (x)] with T (x) := x · 2e −h −1 + 2e −1 . For an integer t, function NextPrimee (t) returns the first prime larger than t, provided that this prime is smaller than 2e ; if no such prime exists, it returns the first prime larger than 2e −1 . For any x1 , x2 ∈ {0, 1}h , T (x1 ) = T (x2 ) implies x1 = x2 and thus function T is injective. In our construction, e and h satisfy e h so that there always6 exists an e -bit prime in a range of 2e −h −1 consecutive e -bit integers, which in turn implies that function Je is injective too. Putting all together, the one-time mappable chameleon hash to be used, obtained from chameleon hash function of Example 2, is given by7 : c n +c +2κ ChamHash(a) → Primes([2e −1 , 2e [), v : {0, 1} × {0, 1} (a) r m (m, r) → ChamHash(a) (g v mod n, v) . (3) v (m, r) := Je H
Our scheme. We are now ready to present our IND-CCA-secure RSA-type scheme. The security analysis is presented in the next section. Key Generation. On input security parameter κ, bit-lengths n , k , and index I are defined as in the basic scheme (see § 4.1). The message space is {0, 1}I . Let n = (2p + 1)(2q + 1) be a strong RSA modulus and let QR(n) denote 5
6 7
Actually, so-called division-intractable hash functions [21] would suffice for our purposes; but as pointed out in [14], the easiest way to meet the requirement of divisionintractability is to construct hash functions mapping strings to prime numbers. Unless a breaking, surprising fact on the distribution of prime numbers. (a) The pair (g r v m mod n, v) is viewed as a bit-string in the definition of ChamHashv .
Chosen-Ciphertext Secure RSA-Type Cryptosystems
43
the set of quadratic residues modulo n. Let also H : QR(n) → {0, 1}h be a second pre-image resistant hash function, for some bit-length h ≥ κ. Select a parameter a ← {0, 1}h and define H(a) (x) := (H(x) + a) mod 2h . For some bit-length c ≥ κ, let G : Zn → {0, 1}c be a second pre-image resistant hash function. Finally, let the one-time mappable chameleon hash function given by Eq. (3) for some g ← QR(n) and bit-length e satisfying (κ + log κ) ≤ e < n /2 and h e 8 . The public key is pk = {n, g, a} while the private key is sk = {λ} with λ = 2p q . Encryption. To encrypt a message m = {mi } ∈ {0, 1}I , do the following: 1. choose a random integer y ← {0, 1}n+κ and compute v = g y mod n; 2. choose a random pair (c, r) ← {0, 1}c × {0, 1}n+c +2κ and obtain prime e = ChamHash(a) v (c, r); 3. pick a random k -bit prime k and compute c = (w · k)e mod n with I w = i=1 pi mi ; 4. compute ρ = r + y(c − G(c )). The ciphertext is C = (c , v, ρ). Decryption. To decrypt a ciphertext C = (c , v, ρ), the legitimate user does the following: 1. recover e = ChamHash(a) v (G(c ), ρ); −1 2. compute d = e mod λ; 3. compute t = cd mod n and derive bit-by-bit corresponding message m as in the basic scheme. Observe that there is no validity test in the decryption: any ciphertext is considered as valid. This is not the first time that an encryption scheme which always decrypts is adaptively secure (e.g., [36]). 4.3
Security Analysis
We prove that the scheme is IND-CCA under the (D-RSA-SEP, RSA) assumption (see § 3.2). We have the following theorem: Theorem 1. Let A be an adversary which can break the IND-CCA security with success probability ε under a chosen-ciphertext attack within time τ . Assume that H and G are second pre-image resistant hash functions. Then the (D-RSASEP, RSA) problem can be solved with success probability 2ε and within time τ + qD · TOn + poly(κ), where TOn is the time of an RSA-oracle execution and qD is the number of decryption queries. In other words, assuming the RSA(e, n0 ) instances are independent for different prime exponents e, our scheme is as secure as the regular (i.e., non-interactive) version of the decision RSA short encrypted-prime problem. Due to lack of space, the proof is omitted. We refer the reader to [11] for the proof of Theorem 1. 8
Typical values for the different parameters are n = 2048, k = 160, I = 216, h = c = 128, and e = 256.
44
4.4
B. Chevallier-Mames and M. Joye
Further Schemes
Typically, for a 2048-bit modulus, the previous scheme allows one to encrypt 216bit messages. The message bandwidth can however be significantly increased by deriving an RSA-type scheme from the recent scheme presented in [12] (rather than the basic Naccache-Stern scheme). The above conversion applies in the same way. There exist other IND-CPA-secure RSA-type schemes allowing to freely exponent e, under various assumptions. These include by Pointcheval scheme [37] (based on dependent-RSA problem) or CGHN scheme [10] by Catalano, Gennaro, Howgrave-Graham and Nguyen (based on decisional small e-th residues problem). Again, the above conversion applies in the same way to get corresponding IND-CCA-secure RSA-type encryption schemes. Moreover, there are several possible constructions of one-time mappable chameleon hash functions. We refer the reader to [11, Appendix A] for a description of the so-obtained schemes.
5
Conclusion
In the context of RSA-based cryptography, instance-independence assumptions were used in the literature as a way to provide evidence that some schemes provably attaining a certain level of security in the random oracle would never be proved to achieve the same level in the standard model (in the black-box setting). In contrast, in this paper, we have shown positive applications of instance-independence assumptions in order to construct (simple) new encryption schemes with security reductions to some decisional problems. Among the possible instances of our technique, we pointed out a chosen-ciphertext secure encryption scheme of the Naccache-Stern knapsack, as well as schemes based on the dependent-RSA problem and decisional small e-th residues problem.
References 1. Abe, M., Cui, Y., Imai, H., Kiltz, E.: Efficient hybrid encryption from ID-based encryption. In: Designs, Codes and Cryptography (to appear) 2. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSAinversion problems and the security of Chaum’s blind signature scheme. Journal of Cryptology 16(3), 185–215 (2003) 3. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: CCS 1993, pp. 62–73. ACM Press, New York (1993) 4. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995) 5. Boneh, D., Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. SIAM Journal on Computing 36(5), 915–942 (2006) 6. Boneh, D., Katz, J.: Improved efficiency for CCA-secure cryptosystems built using identity- based encryption. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 87–103. Springer, Heidelberg (2005) 7. Brassard, G., Chaum, D., Cr´epeau, C.: Minimum disclosure proofs of knowledge. Journal of Computer and System Sciences 37(2), 156–189 (1988)
Chosen-Ciphertext Secure RSA-Type Cryptosystems
45
8. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups (extended abstract). In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997) 9. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004) 10. Catalano, D., Gennaro, R., Howgrave-Graham, N., Nguyen, P.Q.: Paillier’s cryptosystem revisited. In: CCS 2001, pp. 206–214. ACM Press, New York (2001) 11. Chevallier-Mames, B., Joye, M.: Chosen-ciphertext secure RSA-type cryptosystems. In: Full version of this paper, available from Cryptology ePrint Archive, http://eprint.iacr.org/2009/377 12. Chevallier-Mames, B., Naccache, D., Stern, J.: Linear bandwidth Naccache-Stern encryption. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 327–339. Springer, Heidelberg (2008) 13. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997) 14. Coron, J.-S., Naccache, D.: Security analysis of the Gennaro-Halevi-Rabin signature scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 91–101. Springer, Heidelberg (2000) 15. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998) 16. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002) 17. Dent, A.W.: A brief history of provably secure public-key encryption. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 357–370. Springer, Heidelberg (2008) 18. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM Journal on Computing 30(2), 391–437 (2000) 19. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987) 20. Fujisaki, E., Okamoto, T.: How to enhance the security of public-key encryption at minimum cost. IEICE Transaction of Fundamentals of Electronic Communications and Computer Science E83-A(1), 24–32 (2000) 21. Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999) 22. Girault, M.: An identity-based identification scheme based on discrete logarithms modulo a composite number. In: Damg˚ ard, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 481–486. Springer, Heidelberg (1991) 23. Gjøsteen, K.: A new security proof for Damg˚ ard’s ElGamal. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 150–158. Springer, Heidelberg (2006) 24. Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of Computer and System Sciences 28(2), 270–299 (1984) 25. Kiltz, E.: Chosen-ciphertext security from tag-based encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 581–600. Springer, Heidelberg (2006) 26. Krawczyk, H., Rabin, T.: Chameleon signatures. In: Network and Distributed System Security Symposium (NDSS 2000), pp. 143–154. Internet Society (2000)
46
B. Chevallier-Mames and M. Joye
27. Kurosawa, K., Desmedt, Y.: A new paradigm of hybrid encryption scheme. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, Heidelberg (2004) 28. Lipmaa, H.: On CCA1-security of ElGamal and Damg˚ ard’s ElGamal. Cryptology ePrint Archive. In: Report 2008/234 (2008) 29. Micali, S., Schnorr, C.-P.: Efficient, perfect polynomial random number generators. Journal of Cryptology 3(3), 157–172 (1991) 30. Miller, G.L.: Riemann’s hypothesis and tests for primality. Journal of Computer and System Sciences 13(3), 300–317 (1976) 31. Naccache, D., Stern, J.: A new public-key cryptosystem. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 27–36. Springer, Heidelberg (1997) 32. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: 22nd ACM STOC, pp. 427–437. ACM Press, New York (1990) 33. Paillier, P.: Impossibility proofs for RSA signatures in the standard model. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 31–48. Springer, Heidelberg (2007) 34. Paillier, P., Villar, J.L.: Trading one-wayness against chosen-ciphertext security in factoring-based encryption. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 252–266. Springer, Heidelberg (2006) 35. Pandey, O., Pass, R., Vaikuntanathan, V.: Adaptive one-way functions and applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 57–74. Springer, Heidelberg (2008) 36. Phan, D.H., Pointcheval, D.: Chosen-ciphertext security without redundancy. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 1–18. Springer, Heidelberg (2003) 37. Pointcheval, D.: New public key cryptosystems based on the dependent-RSA problems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 239–254. Springer, Heidelberg (1999) 38. Poupard, G., Stern, J.: Security analysis of a practical “on the fly” authentication and signature generation. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 422–436. Springer, Heidelberg (1998) 39. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992) 40. Shoup, V.: Why chosen ciphertext security matters. Technical Report RZ 3076, IBM Research (November 1998)
Anonymous Conditional Proxy Re-encryption without Random Oracle Liming Fang1 , Willy Susilo2 , and Jiandong Wang1 1
College of Information Science and Technology Nanjing University of Aeronautics and Astronautics, Nanjing, China
[email protected] 2 Centre for Computer and Information Security Research School of Computer Science and Software Engineering University of Wollongong, Australia
[email protected] Abstract. A proxy re-encryption scheme enables a proxy to re-encrypt a ciphertext under a delegator’s public-key and designate it to a delegatee. Weng et al. introduced the notion of conditional proxy re-encryption (or C-PRE, for short), whereby only the ciphertext satisfying one condition set by the delegator can be transformed by the proxy and then decrypted by delegatee. Nonetheless, they left an open problem on how to construct CCA-secure C-PRE schemes with anonymity. In this paper, we first formalize the notion of anonymous condition CCA-secure PRE and present a respective security model. Then, we answer the question posed by Weng et al. affirmatively by presenting a new and efficient construction of anonymous conditional proxy re-encryption (C-PRE) scheme without requiring random oracle.
1 Introduction A proxy re-encryption (PRE) scheme allows a proxy to transform a ciphertext under a delegator’s public-key into a delegatee’s ciphertext on the same message by using some additional information. Blaze et al. [3] proposed the first PRE scheme, where plaintexts and secret keys remain hidden from the proxy. The limitation of their scheme relies on the fact that the proxy key can be used to translate ciphertexts from delegatee to delegator(i.e. bidirectional), and furthermore the proxy and the delegatee can collude to expose the delegator’s private key. In 2005, Ateniese et al. [1] showed how to construct unidirectional schemes using bilinear maps and simultaneously prevent proxies from colluding with delegatees in order to expose the delegator’s secret key. Their scheme [1] is proven secure in the random oracle model. In 2006, Green and Ateniese [15] extended the above notion to identitybased proxy re-encryption (IB-PRE), and proposed new CCA security models. Canetti and Hohenberger [9] also proposed new CCA secure PRE scheme that the proxy can verify the validity of the ciphertext prior to the transformation. In 2007, Chu and Tzeng [11] proposed a multi-use, unidirectional ID-based PRE scheme, and claimed that it was CCA secure in the standard model. On the contrary, Shao et al.[20] showed that this claim is indeed false. Till then, there was no known unidirectional PRE systems J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 47–60, 2009. c Springer-Verlag Berlin Heidelberg 2009
48
L. Fang, W. Susilo, and J. Wang
with chosen-ciphertext security that rely on the standard model. In PKC 08, Libert and Vergnaud [17] presented the first construction of unidirectional proxy re-encryption scheme with replayable chosen-ciphertext security [10] in the standard model. These constructions are based on bilinear pairings. In spite of the recent advances in implementation techniques, the pairing computation is still considered as a very expensive operation. To fill the gap, Deng et al. [12] proposed a CCA secure bidirectional PRE scheme without pairings in the random oracle model. After Deng et al.’s work, Shao and Cao [19] proposed a proxy re-encryption scheme without pairings, in which the proxy can only transform the ciphertext in one direction. Their scheme is CCA secure and collusion attack free in the random oracle model based on Decisional Diffie-Hellman (DDH) assumption and integer factorization assumption. The existing notion of PRE does not facilitate flexible delegation. We will motivate the flexible delegation by the following example. Suppose that Alice who is a manager of a bank, is having a holiday and away from work. She allows Bob to check her important emails, in case there is an urgent email. In this scenario, Alice should allow Bob to select her important emails to be read during her holiday, but not all of them. This can be done by using a proxy to transform a ciphertext under Alice’s public-key into Bob’s ciphertext when its subject contains the keyword ‘urgent’. The lack of flexible delegation has been considered as a drawback of PRE schemes [21]. To overcome the limitation of PRE, very recently, Weng et al. [21] presented a notion of conditional proxy re-encryption (C-PRE), whereby only ciphertexts satisfying one condition set by Alice can be transformed by the proxy and then decrypted by Bob. They formalized its security model and proposed an efficient C-PRE scheme, whose chosenciphertext security is proven in random oracle. Furthermore, they left an interesting open problem on how to construct CCA-secure C-PRE schemes with anonymity. Our Contributions. In this paper, we first formalize the anonymous condition of PRE security model. Then, we proceed with answering the question posed by Weng et al. [21] affirmatively by presenting a new and efficient construction of anonymous conditional proxy re-encryption (C-PRE) scheme. Based on the 3-QDBDH assumption and truncated q-ABDHE assumption, we prove its CCA security without random oracle. Compared with Weng et al.’s C-PRE [21], our scheme outperforms Weng et al.’s scheme[21] in the following aspects: (i) In contrast to Weng et al.’s scheme, our scheme provides anonymous condition; (ii) Our scheme does not rely on the random oracle model, i.e. in an idealized world where all parties get black-box accesses to a truly random function. It is well known that unfortunately a proof in the random oracle model can only serve as a heuristic argument and admittedly using quite contrived constructions, has been shown to possibly lead to insecure schemes when the random oracles are implemented in the standard model [7]. Paper Organization. The rest of this paper is organized as follows. In Section 2, we will provide the definitions and complexity assumption that will be used throughout this paper, together with the security model of anonymous C-PRE schemes. In Section 3, we present our anonymous C-PRE in the standard model. Finally, Section 4 concludes the paper.
Anonymous Conditional Proxy Re-encryption without Random Oracle
49
2 Definitions In this section, we first review the complexity assumption required in our schemes, and then provide the definition and security of a conditional proxy re-encryption scheme. 2.1 Negligible Function A function (n) : N → R is negligible in n if 1/(n) is a non-polynomially-bounded quantity in n. 2.2 Bilinear Maps Let G1 and G2 be multiplicative cyclic groups of prime order p, and g be a generator of G1 . We say e : G1 × G1 → G2 is a bilinear map [4,6], if the following conditions hold. 1. e(g 1 a , g 2 b ) = e(g 1 , g 2 )ab for all a, b ∈ Z p and g 1 , g 2 ∈ G1 . 2. e(g, g) = 1. 3. There is an efficient algorithm to compute e(g 1 , g 2 ) for all g 1 , g 2 ∈ G1 . 2.3 The 3-QDBDH Assumption Let e : G1 × G1 → G2 be a bilinear map. We define the advantage function Adv G 1 ,B 3 −QDBDH (λ) of an adversary B as 2
3
2
3
|P r[B(g, g x , g x , g x , g z , e(g, g)z /x ) = 1] − P r[B(g, g x , g x , g x , g z , e(g, g)r ) = 1]| where x, z, r ∈ Z p are randomly chosen. We say that the 3-QDBDH assumption [17] relative to generator G1 holds if Adv G 1 ,B 3 −QDBDH (λ) is negligible for all B. Dodis and Yampolskiy showed that this problem was indeed hard in generic groups [13]. Their result thus implies the hardness of 3-QDBDH in generic groups. 2.4 The Truncated q-ABDHE Assumption Let e : G1 × G1 → G2 be a bilinear map. We define the advantage function Adv G 1 ,B q−ABDHE (λ) of an adversary B as q
|P r[B(g, g x , · · · , g x , g z , g zx x
xq
z
P r[B (g, g , · · · , g , g , g
q +2
, e(g, g)zx
zx q +2
q +1
) = 1]−
r
, e(g, g) ) = 1]|
where x, z, r ∈ Z p are randomly chosen. We say that the truncated q-ABDHE assumption [14,16] relative to generator G1 holds if Adv G 1 ,B q−ABDHE (λ) is negligible for all B.
50
L. Fang, W. Susilo, and J. Wang
2.5 One-Time Signatures A one-time signature [8] consists of a triple of algorithms Sig = (G, S, V) such that, on input of a security parameter λ, G generates a one-time key pair (ssk, svk) while, for any message M , V(svk, σ, M ) outputs 1 whenever σ = S(ssk, M ) and 0 otherwise. As in [17] , we need strongly unforgeable one-time signatures, which means that no PPT adversary can create a new signature for a previously signed message. Sig = (G, S, V) is a strong one-time signature if the probability Adv OTS = P r[(ssk, svk) ← G(λ); (M, St) ← F (svk); σ ← S(ssk, M ); (M , σ ) ← F (M, σ, svk, St) : V(svk, σ , M ) = 1 ∧ (M , σ ) = (M, σ)], where St denotes the state information maintained by F between stages, is negligible for any PPT forger F . 2.6 Conditional Proxy Re-encryption In the following, we will provide the definition of a conditional proxy re-encryption scheme and the game-based security definition. Similar as [21], a C-PRE scheme involves three principals: a delegator (say user U i ), a proxy, and a delegatee (say user U j ). A message sent to U i with condition w is encrypted by the sender using both U i ’s public key and w. To authorize U j to decrypt such an encryption associated with w, U i gives the proxy a partial re-encryption key rk i,j and a condition key rk i,w corresponding to the condition w. These two keys are used by the proxy to perform ciphertext translation. One problem is when the condition w is not included in ciphertext, then how can the proxy know which conditional key should be applied? To solve the problem, we need to include a test into re-encryption algorithm, if the test result is “1” which means the condition w for ciphertext is match to the conditional key. Definition 1 (Conditional Proxy Re-encryption) A (single hop) conditional proxy re-encryption scheme [21] comprises the following algorithms: GlobalSetup(λ): The GlobalSetup algorithm is run by a trusted party that, takes as input a security parameter λ. It generates the global parameters P P . KeyGen(i): The key generation algorithm generates the public key pk i and the secret key sk i for user i. RKeyGen(sk i , pk j ): The partial re-encryption key generation algorithm, run by user i, takes as input a secret key sk i and another public key pk j . It outputs a partial re-encryption key rk i,j . CKeyGen(sk i , w): The condition key generation algorithm, run by user i, takes as input a secret key sk i and a condition w. It outputs a condition key ck i,w . Enc(pk, m, w): The encryption algorithm takes as input a public key pk, a plaintext m ∈ M and a condition w. It outputs a original conditional ciphertext CT associated with w under public key pk. Here M denotes the message space. ReEnc(CT i , rk i,j , ck i,w ): The re-encryption algorithm, run by the proxy, takes as input a conditional ciphertext CTi associated with w under public key pk i , a partial re-encryption key rk i,j and a condition key ck i,w . It first run T est(CT i , ck i,w ), if the test result is ”1”, then it outputs a re-encrypted ciphertext CTj under public key pk j , if the test result is ”0”, then it output the error symbol ⊥.
Anonymous Conditional Proxy Re-encryption without Random Oracle
51
Dec1(CT i , sk i ): The level 1 decryption algorithm takes as input a secret key sk i and a cipertext CTi . It outputs a message m ∈ M or the error symbol ⊥. Dec2(CT j , sk j ): The level 2 decryption algorithm takes as input a secret key sk j and a re-encrypted ciphertext CTj under public key pk j . It outputs a message m ∈ M or the error symbol ⊥. Note that we omit the global parameters P P as the other algorithms’ input for simplicity. The correctness of C-PRE means that, for any condition w, any message m, any (pk i , sk i ) ← KeyGen(i), (pk j , sk j ) ← KeyGen(j), and CT i = Enc(pk, m, w), P r[Dec1(CT i , sk i ) = m] = 1 and P r[Dec2(ReEnc(CT i , RKeyGen(sk i , pk j ), CKeyGen(sk i , w)), sk j ) = m] = 1. For any other condition w and user j with w = w and j = j, let be negligible, we have P r[Dec2(ReEnc(CT i , RKeyGen(ski , pkj ), CKeyGen(ski , w )), skj ) =⊥] = 1 −
and P r[Dec2(ReEnc(CT i , RKeyGen(ski , pkj ), CKeyGen(ski , w)), skj ) =⊥] = 1 − .
In the following, we provide the game-based security definition of C-PRE. Our definition considers a challenger that produces a number of public keys. As [17], we let the target public key, corrupted users and the honest users be determined at the beginning of the game. Additionally, we allow the adversary to adaptively query a re-encryption oracle and decryption oracles. We allow the challenger to reveal re-encryption keys rk ij when j is corrupt for honest users i that differ from the target receiver. Definition 2 (CPRE-IND-ANON-RCCA game) Let λ be the security parameter and A be the adversary. We consider the following two games. Let i∗ be the target user. Game 1: (IND-RCCA) 1. Setup: The challenger C perform GlobalSetup(λ) to get the public parameter P P . Give the public parameter P P to A. 2. Query phase 1. A makes the following queries: – Uncorrupted key generation query i : C first runs algorithm KeyGen(i) to obtain a public/secret key pair (pk i , sk i ), and then sends pk i to A. – Corrupted key generation query j : C first runs algorithm KeyGen(j) to obtain a public/secret key pair (pk j , sk j ), and then sends (pk j , sk j ) to A. – Partial re-encryption key query pk i , pk j : C runs algorithm RKeyGen(sk i , pk j ) to generate a partial re-encryption key rk i,j and returns it to A. Here, sk i is the secret key with respect to pk i . It is required that pk i and pk j have been generated beforehand by algorithm KeyGen.
52
L. Fang, W. Susilo, and J. Wang
– Condition key query pk i , w : C runs algorithm CKeyGen(sk i , w) to generate a condition key ck i,w and returns it to A. It is required that pk i has been generated beforehand by algorithm KeyGen. – Re-encryption query pk i , pk j , (w, CT i ) : C runs algorithm CT j = ReEnc(CT i , RKeyGen(sk i , pk j ), CKeyGen(sk i , w)) and returns the resulting ciphertext CT j to A. It is required that pk i and pk j have been generated beforehand by algorithm KeyGen. – Decryption query pk i , (w, CT i ) : Here pk i , (w, CT i ) denotes the queries on original conditional ciphertext. Challenger C returns the result of Dec1(CT i , sk i ) to A. It is required that pk i has been generated beforehand by algorithm KeyGen. – Decryption query pk j , CT j : Here pk j , CT j denotes the queries on reencrypted ciphertext. Challenger C returns the result of Dec2(CT j , sk j ) to A. It is required that pk i has been generated beforehand by algorithm KeyGen. 3. Challenge. Once A decides that Phase 1 is over, it outputs a target condition w∗ and two equal length plaintexts (m0 , m1 ). Challenger C chooses a bit b ∈ {0, 1} and sets the challenge ciphertext to be CT ∗ = Enc(pk i ∗ , mb , w∗ ), which is sent to A. 4. Query phase 2. A continues making queries as in the query phase 1. 5. Guess. A outputs the guess b . The adversary wins if b = b. During the above game, adversary A is subject to the following restrictions: – (i). A can not issue corrupted key generation queries on i∗ to obtain the target secret key sk i ∗ . – (ii). A can not issue decryption queries on neither pk i ∗ , (w∗ , CT ∗ ) nor pk j , CT j where pk j , CT j is a derivative of the challenge pair pk i ∗ , (w∗ , CT ∗ ) . Derivatives of pk i ∗ , (w∗ , CT ∗ ) are defined as Dec1(CT j , sk j ) ∈ {m0 , m1 } or Dec2 (CT j , sk j ) ∈ {m0 , m1 } (Replayable CCA-security rule, see more discussion in [17]). – (iii). A can not issue re-encryption queries on pk i ∗ , pk j , (w∗ , CT ∗ ) if pk j appears in a previous corrupted key generation query. – (iv). A can not obtain the partial re-encryption key rk i ∗ ,j if pk j appears in a previous corrupted key generation query. We refer to the above adversary A as an IND-RCCA adversary. His advantage is defined as SuccA Game 1 (λ) = |P r[b = b] − 1/2| Game 2: (IND-ANON-RCCA) – Query phase 1. Same as Game 1. – Challenge. Once A decides that Phase 1 is over, it outputs a condition pair (w0 , w1 ) and two equal length plaintexts (m0 , m1 ). Challenger C chooses a bit b ∈ {0, 1} and sets the challenge ciphertext to be CT ∗ = Enc(pk i ∗ , mb , wb ), which is sent to A.
Anonymous Conditional Proxy Re-encryption without Random Oracle
53
– Query phase 2. A continues making queries as in the query phase 1. – Guess. A outputs the guess b . The adversary wins if b = b . The restrictions in game 2 is similar to the game 1 : – (i). A can not issue corrupted key generation queries on i∗ to obtain the target secret key sk i . – (ii). A can not issue decryption queries on neither pk i ∗ , (w∗ , CT ∗ ) where w∗ ∈ {w0 , w1 } nor pk j , CT j where pk j , CT j is a derivative of the challenge pair pk i ∗ , (w∗ , CT ∗ ) . – (iii). A can not issue re-encryption queries on pk i ∗ , pk j , (w∗ , CT ∗ ) where w∗ ∈ {w0 , w1 } if pk j appears in a previous corrupted key generation query. – (iv). A can not obtain the condition key ck i ∗ ,w ∗ where w∗ ∈ {w0 , w1 }. We refer to the above adversary A as an IND-ANON-CCA adversary. His advantage is defined as SuccA Game 2 (λ) = |P r[b = b] − 1/2| The C-PRE scheme is said to be CPRE-IND-ANON-RCCA secure if both SuccA Game 1 (λ) and SuccA Game 2 (λ) are negligible.
3 Anonymous Conditional Proxy Re-encryption In this section, inspired by the original scheme by Weng et al. [21], we present our anonymous conditional proxy re-encryption scheme. We employ the technique used in Boneh et al. called public key encryption with keyword search [2,5,18]. Our main idea is to ask the sender to encrypt the message and later, by using a “trapdoor” (i.e. condition key), the proxy can then re-encrypt it. Then, the proxy will not know the contents of the message itself. 3.1 Our Construction The description of our conditional proxy re-encryption scheme is as follows. – GlobalSetup(λ): Let λ be the security parameter and (p, g, G1 , G2 , e) be the bilinear map parameters, generators u, v ∈ G1 and a strongly unforgeable one-time signature scheme sig = (G, S, V). Let message space be G2 and condition space be Z p ∗ . The global system parameters are (p, g, G1 , G2 , e, u, v, sig). – KeyGen(i): user i selects random xi , y i , a0 , a1 , a2 ∈ Z p ∗ , computes X i = g x i , Y i = g y i , hk = g a k , sets his public key as pk i = (X i , Y i , {hk }k ∈{0 ,1 ,2 }) and the secret key sk i = (pk i , xi , y i , a0 , a1 , a2 ). – RKeyGen(sk i , pk j ) : given user i’s private key sk i = (pk i , xi , y i ) and user j’s public key pk j , generates the unidirectional partial re-encryption key rk i,j = X j 1 /x i . – CKeyGen(sk i , w): given user i’s private key xi in sk i and a condition w ∈ Z p ∗ , selects three random sk ∈ Z p ∗ , computes dk = (hk g −s k )1 /(y i −w) , sets the condition key ck i,w = (dk , sk )k ∈{0 ,1 ,2 }.
54
L. Fang, W. Susilo, and J. Wang
– Enc(pk i , m, w): To encrypt a message m ∈ G2 under the public key pk i and condition w ∈ Z p ∗ , the sender proceeds as follows. 1. Selects a one-time signature key pair (ssk, svk) ← G(λ) and sets C 1 = svk. 2. Picks r ∈ Z p ∗ and computes C 2 = X i r , C 3 = e(g, g)r m, C 4 = (usvk v)r . 3. Generates a one-time signature σ = S(ssk, (C 3 , C 4 )) on the pair (C 3 , C 4 ). The regular ciphertext is CRi = (C 1 , C 2 , C 3 , C 4 , σ). 4. Pick r ∈ Z p ∗ and computes
K = e(g, h0 )r , C 3 = C 3 · K
C 5 = (Y i g −w )r , C 6 = e(g, g)r
t = H(C 3 , C 5 , C 6 ), C 7 = e(g, h1 )r t e(g, h2 )r
5. Generates another one-time signature σ = S(ssk, (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 )) on (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 ). 6. The condition ciphertext (i.e. original ciphertext) is CT i = (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 , σ ). – ReEnc(CT i , ck i,w , rk i,j ): on input of a (partial) re-encryption key rk i,j = X j 1 /x i , a condition key ck i,w = (dk , sk )k ={0 ,1 ,2 } and a condition ciphertext CT i = (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 , σ ). It first run T est(CT i , ck i,w ), computes t = H(C 3 , C 5 , C 6 ), testing whether V(C 1 , σ , (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 )) = 1 ?
C 7 = e(C 5 , d1 t d2 )C 6 s 1 t+s 2 . If the check fails, outputs “0”, otherwise it outputs “1”, if the test result outputs “1”, then computes K = e(C 5 , d0 )C 6 s 0 , C 3 = C 3 /K. Hence, the regular ciphertext is CRi = (C 1 , C 2 , C 3 , C 4 , σ), check the validity of the latter by testing the following conditions ?
e(C 2 , uC 1 v) = e(X i , C 4 ) ?
V(C 1 , σ, (C 3 , C 4 )) = 1
(1) (2)
If well-formed, CT i , is re-encrypted by choosing t ∈ Z p ∗ and computing C 2 = X i t , C 2 = rk ij 1 /t = g (x j /x i )t
−1
, C 2 = C 2 t = X i rt
The re-encrypted ciphertext is CT j = (C 1 , C 2 , C 2 , C 2 , C 3 , C 4 , σ). If illformed, output ⊥.
Anonymous Conditional Proxy Re-encryption without Random Oracle
55
– Dec1(CT i , sk i ): On input a secret key sk i and any condition ciphertext CT i . Parse the condition ciphertext CT i = (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 , σ ). If V(C 1 , σ , (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 )) = 1, computes t = H(C 3 , C 5 , ?
C 6 ) and tests whether C 7 = (C 6 )a 1 t+a 2 . If the check fails, outputs ⊥. Otherwise, compute C 3 = C 3 /(C 6 )a 0 . Hence, the regular ciphertext is CRi = (C 1 , C 2 , C 3 , C 4 , σ), if the regular ciphertext satisfies relations (1) and (2), the receiver i can obtain m = C 3 /e(C 2 , g)1 /x i . The algorithm outputs ⊥ otherwise. – Dec2(CT j , sk j ): On input a secret key sk j and any re-encrypted ciphertext CT j = (C 1 , C 2 , C 2 , C 2 , C 3 , C 4 , σ). The validity of a re-encrypted ciphertext CT j is checked by testing if ?
e(C 2 , C 2 ) = e(X j , g) ?
e(C 2 , uC 1 v) = e(C 2 , C 4 ) ?
V(C 1 , σ, (C 3 , C 4 )) = 1
(3) (4) (5)
If relations (3)-(5) hold, the plaintext m = C 3 /e(C 2 , C 2 )1 /x j is returned. Otherwise, the algorithm outputs ⊥. Correctness. It is straightforward to verify that all the correctly generated original/reencrypted ciphertexts can be correctly decrypted. Here, we explain a re-encrypted ciphertext which has been generated by a proxy who does not have both the right partial re-encryption key and the right condition key can not be correctly decrypted by the delegatee with non-negligible probability. Given an original condition ciphertext CT i = (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 , σ ) associated with condition w under public key pk i = (X i , Y i , {hk }k ∈{0 ,1 ,2 }), there are two cases as follows. Case 1 (an error condition key.) Suppose a proxy, who has a partial re-encryption key rk i,j = X j 1 /x i and a condition key ck i,w = (dk , sk )k ={0 ,1 ,2 } where dk = (hk g −s k )1 /(y i −w ) and w = w, runs ReEnc(CT i , ck i,w , rk i,j ) to translate ciphertext CT i into a ciphertext intended for user j. Obviously, CT i can not pass the va lidity check. Let C 5 = (Y i g −w )r , C 6 = e(g, g)r , and let t = H(C 3 , C 5 , C 6 ), C 7 = e(g, h1 )r t e(g, h2 )r . We have e(C 5 , (d1 )t (d2 ))C 6 s 1 t+s 2 = e(g, h1 )r t e(g, h2 )r = C 7 ⇔ e(g (y i −w)r , (g (a 1 −s 1 )/(y i −w ) )t e(g (y i −w)r , (g (a 2 −s 2 )/(y i −w ) ) e(g, g)r (s 1 t+s 2 ) = C7 ⇔ e(g, g)r (y i −w)/(y i −w )((a 1 −s 1 )t+(a 2 −s 2 )) e(g, g)r (s 1 t+s 2 ) = e(g, g)(a 1 t+a 2 )r ⇔ (a1 t+a2 )r ((y i −w)/(y i −w )−1)−(s1 t+s2 )r ((y i −w)/(y i −w )−1) =0 ⇔ (a1 t + a2 − s1 t − s2 )r ((w − w)/(y i − w )) =0 since s1 , s2 are randomly chosen and a1 , a2 , y i are the secret key, so (a1 t + a2 − s1 t − s2 ) = 0, w − w = 0 and y i − w = 0. Even though it passes the verification test, we can see K = e(C 5 , d0 )C 6 s 0 = e(g, h0 )r = K, since
56
L. Fang, W. Susilo, and J. Wang
⇔ K = e(g (y i −w)r , (g (a 0 −s 0 )/(y i −w ) )e(g, g)r s 0 = e(g, g)a 0 r r (y i −w)/(y i −w )(a 0 −s 0 ) r s o ⇔ e(g, g) e(g, g) = e(g, g)a 0 r ⇔ (a0 − s0 )r ((y i − w)/(y i − w ) − 1) =0 ⇔ (a0 − s0 )r (w − w)/(y i − w ) =0
Case 2 (an error partial re-encryption key). Suppose a proxy, who has a partial reencryption key rk i,j = X j 1 /x i and a condition key ck i,w = (dk , sk )k ={0 ,1 ,2 } where dk = (hk g −s k )1 /(y i −w) and j = j, runs ReEnc(CT i , ck i,w , rk i,j ) to translate ciphertext CT i into a ciphertext CT j intended for user j. Parse CT j as (C 1 , C 2 , C 2 , −1 C 2 , C 3 , C 4 , σ), let C 2 = X i t , C 2 = rk ij 1 /t = g (x j /x i )t , C 2 = C 2 t = X i rt . Obviously, CT j can not pass the validity check when facing the decryption algorithm since e(C 2 , C 2 ) = e(X j , g). Intuitions of the security. The regular ciphertext is CRi = (C 1 , C 2 , C 3 , C 4 , σ) and the re-encrypted ciphertext CT j = (C 1 , C 2 , C 2 , C 2 , C 3 , C 4 , σ), which is the same as Libert and Vergnaud’s scheme [17]. The only difference is (C 3 , C 5 , C 6 , C 7 ) in the condition ciphertext (i.e. the original ciphertext) CT i = (C 1 , C 2 , C 3 , C 4 , σ, C 5 , C 6 , C 7 , σ ). However, (C 3 , C 5 , C 6 , C 7 ) is the Gentry’s CCA secure IBE [14] under identity w, which is IND-ANON-CCA secure. 3.2 Security of Our PRE In this subsection, we prove the CPRE-IND-ANON-RCCA security for our scheme without requiring random oracle. The analysis of Game 1 and Game 2 are as follows. Theorem 1. If the 3-QDBDH and q-ABDHE assumption holds, then the first scheme is CPRE-IND-ANON-RCCA secure in the standard model. Lemma 1. If there exists an IND-RCCA adversary A against our scheme, then there exists an algorithm B which can solve the 3-QDBDH problem. Proof. Since the prove is similar to [17], we omit it here. You can find it in the full paper. Lemma 2. If there exists a IND-ANON-RCCA adversary A against our scheme, then there exists an algorithm B which can solve the q-ABDHE problem for q ≥ q k + 1, where q k is the number of condition key queries on target user. Proof. Our approach to proving lemma 2 closely follow the proof of security for Gentry’s IBE scheme [14]. Suppose there exists a polynomial-time adversary, A, that can attack our scheme in the standard model. Let q k is the number of condition key queries on target user. We build a simulator B that can play a q-ABDHE game for q ≥ q k + 1. In the following, we call HU the set of honest parties, including user i∗ that is assigned the target public key pk i ∗ , and CU the set of corrupt parties. The simulation proceeds as follows: We first let the challenger set the groups G1 and G2 with an efficient bilinear map e 2 q and a generator g of G1 . Simulator B inputs a q-ABDHE instance (g, g x , g x , · · · , g x , q +2 q +1 g z , g zx , T ), and has to distinguish T = e(g, g)zx from a random element in G2 . 1. Setup: Let λ be the security parameter and (p, g, G1 , G2 , e) be the bilinear map parameters, generators u, v ∈ G1 and a strongly unforgeable one-time signature
Anonymous Conditional Proxy Re-encryption without Random Oracle
57
scheme sig = (G, S, V). The global system parameters are (p, g, G1 , G2 , e, u, v, sig) 2. Query phase 1. A makes the following queries: – Uncorrupted key generation query i : public keys of target user’s i = i∗ are defined as following: B picks three random degree q polynomials f k (X) where k ∈ {0, 1, 2}, defines {hk ∗ = g f k (x ) }k ∈{0 ,1 ,2 }, Y i ∗ = g x . This implicitly defines the partail system secret key value as {ak ∗ = f k (x)}k ∈{0 ,1 ,2 } . B selects random xi ∗ ∈ Z p ∗ , computes X i ∗ = g x i ∗ , and sets target user’s public key as pk i ∗ = (X i ∗ , Y i ∗ , {hk ∗ }k ∈{0 ,1 ,2 }), and sends public key to A. Public keys of honest user i ∈ HU \{i∗} are the same as the key generation algorithm, this means the simulator B can know both the public key and secret key of user i ∈ HU \{i∗}, and sends public key to A. – Corrupted key generation query i : Public keys of corrupt user i ∈ CU are the same as the key generation algorithm, this means the simulator B can know the both the public key and secret key of user i ∈ CU , and then sends (pk i , sk i ) to A. – Partial re-encryption key query pk i , pk j : B generates the unidirectional reencryption key rk i,j = X j 1 /x i . B can computes it correct, since B known the secret key part xi for all user. – Condition key query pk i , w : For a target user’s i = i∗ , then B computes {sw ,k = f k (w)}k ∈{0 ,1 ,2 }, dw ,k = g (f k (x )−f k (w))/(x −w) sends the condition key ck i ∗ ,w = {dw ,k , sw ,k }k ∈{0 ,1 ,2 } to A. When q ≥ q k + 1, {sw ,k = f k (w)}k ∈{0 ,1 ,2 } are random values from A’s view, since f k (X) where k ∈ {0, 1, 2} are random degree q polynomials. For a user i = i∗ , B selects three random sk ∈ Z p ∗ , computes dk = (hk g −s k )1 /(y i −w) sets the condition key ck i,w = (dk , sk )k ={0 ,1 ,2 } . – Re-encryption query pk i , pk j , w, CT i : Since B can computes unidirectional re-encryption key rk i,j and the condition key ck i,w = (dk , sk )k ={0 ,1 ,2 } for all user i and j, so B can compute it correctly. – Decryption query pk j , CT j : If pk j , CT j denote the queries on re-encrypted ciphertext, C j = (C 1 , C 2 , C 2 , C 2 , C 3 , C 4 , σ). The validity of a re-encrypted ciphertext C j is checked by testing if ?
e(C 2 , C 2 ) = e(X j , g)
(6)
?
e(C 2 , uC 1 v) = e(C 2 , C 4 )
(7)
?
V(C 1 , σ, (C 3 , C 4 )) = 1
(8)
1 /x j
If relations (6)-(8) hold, the plaintext m = C 3 /e(C 2 , C 2 ) is returned. Otherwise, outputs ⊥. In the phase 2 stage, B must check that m differs from messages m0 , m1 involved in the challenge query. If m ∈ {m0 , m1 }, B returns ⊥ according to the replayable CCA-security rules.
58
L. Fang, W. Susilo, and J. Wang
– Decryption query pk i , w, CT i : If pk i , CT i denote the queries on original condition ciphertext CT i . B makes a re-encryption query on pk i , pk j , w, CT i to get the re-encrypted ciphertext CT j , then makes a decryption query on pk j , CT j , and sends the result to A 3. Challenge. Once A decides that Phase 1 is over, it outputs a target public key pk i ∗ , a condition pair (w0 , w1 ) and two equal length plaintexts (m0 , m1 ). B responds by choosing a random b ∈ {0, 1}, sets {sw b ,k = f k (wb )}k ∈{0 ,1 ,2 } Then B computes dw b ,k = g (f k (x )−f k (w b ))/(x −w b ) . (a) Selects a one-time signature key pair (ssk ∗ , svk ∗ ) ← G(λ) and set C 1 ∗ = svk ∗ . (b) Picks r ∈ Z p ∗ and computes ∗
C 2 ∗ = X i ∗ r , C 3 ∗ = e(g, g)r mb , C 4 ∗ = (usvk v)r . (c) Generates a one-time signature σ ∗ = S(ssk ∗ , (C 3 ∗ , C 4 ∗ )) on the pair (C 3 ∗ , C 4 ∗ ). The regular target ciphertext is CRi ∗ = (C 1 ∗ , C 2 ∗ , C 3 ∗ , C 4 ∗ , σ ∗ ). (d) Defines the degree q + 1 polynomial q+1 F ∗ (X) = (X q+2 − (wb )q+2 )/(X − wb ) = (F i ∗ X i ). i=0 Computes C 5 ∗ = g zx C6 ∗
q +2
q +2
(g z )−(w b ) ∗ q xi Fi ∗ = T F q +1 e(g z , ) i=0 (g )
C 3 ∗ = C 3 ∗ · e(C 5 ∗ , dw b ,0 )(C 6 ∗ )s w b ,0 t∗ = H(C 3 ∗ , C 5 ∗ , C 6 ∗ ) ∗
C 7 ∗ = e(C 5 ∗ , (dw b ,1 )t dw b ,2 ) · (C 6 ∗ )s w b ,1 t
∗
+s w b ,2
q +1
Let r∗ = zF ∗ (x), if T = e(g, g)zx , then ∗ ∗ ∗ C 5 ∗ = g (x −w b )r = (Y i ∗ g −w b )r C 6 ∗ = e(g, g)r , ∗ ∗ ∗ ∗ C 3 ∗ = C 3 ∗ · e(g, h0 ∗ )r and C 7 ∗ = e(g, h1 ∗ )t r e(g, h2 ∗ )r . (e) Generates another one-time signature σ ∗ = S(ssk, (C 1 ∗ , C 2 ∗ , C 3 ∗ , C 4 ∗ , σ ∗ , C 5 ∗ , C 6 ∗ , C 7 ∗ )) (f) The condition ciphertext is CT ∗ = (C 1 ∗ , C 2 ∗ , C 3 ∗ , C 4 ∗ , σ ∗ , C 5 ∗ , C 6 ∗ , C 7 ∗ , σ ∗ ). Then sends CT ∗ to A. 4. Query phase 2. A continues making queries as in the query phase 1. q +1 5. Guess. A outputs the guess b , if b = b, then output 1 meaning T = e(g, g)zx ; else output 0 meaning T = e(g, g)r .
Anonymous Conditional Proxy Re-encryption without Random Oracle
59
q +1
Probability Analysis: If T = e(g, g)zx , then the simulation is perfect, and A will guess the bit b correctly with probability 1/2 + . Else, T is uniformly random, and thus (C 5 ∗ , C 6 ∗ ) is a uniformly random and independent element. In this case, the inequality C 6 ∗ = e(C 5 ∗ , g)1 /(x −w b ) holds with probability 1 − 1/p. When these inequality hold, the value of K ∗ = e(C 5 ∗ , dw b ,0 )(C 6 ∗ )s w b ,0 = e(C 5 ∗ , (h0 )1 /(x −w b ) )((C 6 ∗ )/ (e(C 5 ∗ , g)1 /(x −w b ) ))s w b ,0 is uniformly random and independent from A’s view (except for the value C 3 ∗ ), since sw b ,0 (when q ≥ q k + 1, {sw b ,k = f k (wb )}k ∈{0 ,1 ,2 } are random values from A’s view) is uniformly random and independent from A’s view (except for the value C 3 ∗ ). Thus, C 3 ∗ is uniformly random and independent, and (C 5 ∗ , C 6 ∗ , C 3 ∗ ) can reveal no information regarding the bit b. This completes the proof of lemma 2.
4 Conclusion In this paper, we presented the first anonymous conditional proxy re-encryption (C-PRE) scheme without random oracle, which is an affirmative answer to the open question posed in [21]. Our system is efficient and only requires a well-known bilinear complexity assumption.
References 1. Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. In: Proc. of the 12th Annual Network and Distributed System Security Symposium, pp. 29–44 (2005) 2. Baek, J., Safavi-Naini, R., Susilo, W.: Public key encryption with keyword search revisited. In: Gervasi, O., Murgante, B., Lagan`a, A., Taniar, D., Mun, Y., Gavrilova, M.L. (eds.) ICCSA 2008, Part I. LNCS, vol. 5072, pp. 1249–1259. Springer, Heidelberg (2008) 3. Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998) 4. Boneh, D., Boyen, X.: Efficient selective-ID based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004) 5. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004) 6. Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 229–231. Springer, Heidelberg (2001) 7. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: Proc. of 30th ACM STOC, pp. 209–218. ACM Press, New York (1998) 8. Canetti, R., Halevi, S., Katz, J.: Chosen-Ciphertext Security from Identity-Based Encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004) 9. Canetti, R., Hohenberger, S.: Chosen-ciphertext secure proxy re-encryption. In: Proc. of the 14th ACM conference on Computer and communications security, pp. 185–194. ACM, New York (2007)
60
L. Fang, W. Susilo, and J. Wang
10. Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003) 11. Chu, C., Tzeng, W.: Identity-based proxy re-encryption without random oracles. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 189–202. Springer, Heidelberg (2007) 12. Deng, R.H., Weng, J., Liu, S., Chen, K.: Chosen-cipertext secure proxy re-encryption without pairings. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 1–17. Springer, Heidelberg (2008) 13. Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005) 14. Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006) 15. Green, M., Ateniese, G.: Identity-based proxy re-encryption. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 288–306. Springer, Heidelberg (2007) 16. Kiltz, E., Vahlis, Y.: CCA2 secure IBE: standard model efficiency through authenticated symmetric encryption. In: Malkin, T.G. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 221–238. Springer, Heidelberg (2008) 17. Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy re-encryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360–379. Springer, Heidelberg (2008) 18. Rhee, H.S., Susilo, W., Kim, H.-J.: Secure searchable public key encryption scheme against keyword guessing attacks. IEICE Electron. Express 6(5), 237–243 (2009) 19. Shao, J., Cao, Z.: CCA-secure proxy re-encryption without pairings. In: Proc. of PKC 2009. LNCS, vol. 5443, pp. 357–376. Springer, Heidelberg (2009) 20. Shao, J., Xing, D., Cao, Z.: Analysis of CCA secure unidirectional ID-based PRE scheme. Technical Report of TDT, Shanghai Jiao Tong University (2008) 21. Weng, J., Deng, R.H., Chu, C., Ding, X., Lai, J.: Conditional proxy re-encryption secure against chosen-ciphertext attack. In: Proc. of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security (ASIACCS 2009), pp. 322–332 (2009)
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme S. Sharmila Deva Selvi, S. Sree Vivek , and C. Pandu Rangan Theoretical Computer Science Lab, Department of Computer Science and Engineering, Indian Institute of Technology Madras, India {sharmila,svivek,prangan}@cse.iitm.ac.in
Abstract. Signcryption is a cryptographic primitive that provides authentication and confidentiality simultaneously in a single logical step. It is often required that multiple senders have to signcrypt a single message to a certain receiver. Obviously, it is inefficient to signcrypt the messages separately. An efficient alternative is to go for multi-signcryption. The concept of multi-signcryption is similar to that of multi-signatures with the added property - confidentiality. Recently, Jianhong et al. proposed an identity based multi-signcryption scheme. They claimed that their scheme is secure against adaptive chosen ciphertext attack and it is existentially unforgeable. In this paper, we show that their scheme is not secure against chosen plaintext attack and is existentially forgeable, we also provide a fix for the scheme and prove formally that the improved scheme is secure against both adaptive chosen ciphertext attack and existential forgery. Keywords: Identity Based Cryptography, Signcryption, Cryptanalysis, Multi-Signcryption, Bilinear Pairing, Provable Security , Random Oracle Model.
1
Introduction
Secure message transmission over an insecure channel like internet requires both confidentiality and authenticity. An encryption scheme is used to achieve confidentiality and digital signature is used to achieve unforgeability. Digital signcryption scheme is a cryptographic primitive that achieves both these properties together in an efficient way. In 1997, Zheng [13] proposed the first digital signcryption scheme with the aforementioned properties, lower computational cost and communication overhead than signing then encrypting (StE ) or encrypting then signing (EtS ) the message (i.e, signing and encrypting the same message independently). Since then, many signcryption schemes were proposed. Baek et
Work supported by Project No. CSE/05-06/076/DITX/CPAN on Protocols for Secure Communication and Computation sponsored by Department of Information Technology, Government of India.
J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 61–75, 2009. c Springer-Verlag Berlin Heidelberg 2009
62
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
al. [2] gave the formal security model for digital signcryption schemes and provided the security proof for Zheng’s [13] scheme in the random oracle model. In 1984, Shamir [11] introduced the concept of identity based cryptography and proposed the first identity based signature scheme. The idea of identity based cryptography is to enable an user to use any arbitrary string that uniquely identifies him as his public key. Identity based cryptography serves as an efficient alternative to Public Key Infrastructure (PKI) based systems. Multi-signcryption schemes can be employed when multiple senders want to signcrypt a single message to a single receiver. Informally, a multi-signcryption scheme can be considered as a multi-signature scheme with message confidentiality. Jianhong et al. [12] were the first to propose an identity based multisigncryption scheme. There are a few multi-signcryption schemes available in the literature [9,8,10] but to the best of our knowledge Jianhong et al.’s [12] scheme is the only identity based multi-signcryption scheme available to date. Multi-signcryption schemes can be directly used in many applications, such as E-Business - for a joint signing of confidential contracts between two or more organizations, or E-Government - to signcrypt an electronic legal document by a number of higher authorities, or in membership - for access right authentication of confidential resources. In all these applications if the signcryptions are performed individually by the group of senders, the cost involved in unsigncryption is high. Multi-signcryption enables to perform unsigncryption with the cost equal to a single unsigncryption irrespective of the number of senders. Our Contribution. In this paper, we point out that Jianhong et al.’s [12] scheme is insecure with respect to chosen plaintext attack and is existentially forgeable. We also propose an improvement to Jianhong et al.’s [12] identity based multi-signcryption scheme and formally prove the confidentiality of the scheme against adaptive chosen ciphertext and identity attack. We give a new security model for unforgeability, which is adapted from Bellare et al.’s security model for identity based multi-signature schemes. Thus our scheme turns out to be the first provably secure identity based multi-signcryption scheme. We also give the complexity figure of the improved scheme.
2
Preliminaries
Dutta et al. [6] gives a brief review of Biliner Pairing, Computational Diffie Hellman Problem (CDHP) and Computational Bilinear Diffie Hellman Problem (CBDHP). We refer the Bilinear Diffie Hellman Problem (BDHP) in [6] as Computational Bilinear Diffie Hellman Problem (CBDHP) in this paper. 2.1
Identity-Based Multi-Signcryption
A generic Identity-Based Multi-Signcryption scheme for signcrypting a single message from n senders to a single recipient consists of the following probabilistic polynomial time algorithms:
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
63
– Setup(κ). Given a security parameter κ, the Private Key Generator (PKG) generates the public parameters params and master secret key msk of the system. – Key Extract(IDi ). Given an identity IDi of an user, the PKG computes the corresponding private key Si and transmits it to owner in a secure way. – Signcryption(m, L = {ID1 , . . . , IDn }, IDX , S1 , . . . , Sn ). To signcrypt a message m to the receiver IDX , the set of senders L with identity ID1 , . . . , IDn and private key S1 , . . . , Sn run this algorithm to obtain the signcryption σ. – Unsigncryption(σ, L = {ID1 , . . . , IDn }, IDX , SX ). When the receiver X with identity IDX and private key SX receives the signcrypted ciphertext σ from a set of senders L with identities L = {ID1 , . . . , IDn }, X executes this algorithm to obtain either the plain text m or a message invalid with respect to the validity of σ. 2.2
Security Model for Identity-Based Multi-Signcryption
The notion of semantic security of public key encryption was extended to identity-based signcryption scheme by Malone-Lee in [7]. This was later modified by Sherman et al. in [5] which incorporates indistinguishability against adaptive chosen ciphertext and identity attacks and existential unforgeability against adaptive chosen message and identity attacks. We describe below the security models for confidentiality of an identity-based multi-signcryption scheme against adaptively chosen ciphertext and identity attack, and provide a new model for unforgeability based on unforgeability model of Bellare et al.’s [3] for identity based multi-signature scheme. These are the strongest security notions for this problem. It is to be noted that Jianhong et al. [12] have proved confidentiality in the chosen identity model where as we prove our scheme in the adaptive chosen identity model which is considered to be stronger than chosen identity model [4]. Confidentiality: An identity based multi-signcryption scheme is indistinguishable against adaptive chosen ciphertext attacks (IND-CCA2), if no polynomially bounded adversary A has a non-negligible advantage in the following game between the challenger C and A: Setup: The challenger C runs this algorithm to generate the master public and private keys, params and msk respectively. C gives params to A and keeps the master private key msk secret from A. Phase 1: A performs a series of queries in an adaptive fashion in this phase. The queries allowed are given below: Key Extract queries: A chooses an identity IDi and gives it to C. C computes the corresponding private key Si and sends it to A. Signcryption queries: A produces a list of senders L = {ID1 , . . . , IDn }, the recipient identity IDX and a message m to C. C computes the signcryption σ of the message m with L as the group of senders, IDX as the receiver and sends σ to A.
64
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
Unsigncryption queries: Given a ciphertext σ = Signcryption(m, L = {ID1 , . . . , IDn }, IDX , S1 , . . . , Sn ), C unsigncrypts σ with the receiver private key SX , the list of sender identities L and returns the corresponding message to A if σ is a valid signcryption from the list if senders L to the receiver IDX , else, C returns “invalid”. Challenge: At the end of Phase 1, A sends to C, plaintexts m0 and m1 of equal length, a receiver identity IDX and a sender list L = {ID1 , . . . , IDn }. Here, A should have created the public key corresponding to the user in the sender list L and the receiver IDX . However, A should not have queried the private key of IDX to the key extract oracle. Now, C chooses b ∈R {0, 1} and computes the challenge signcryption σ ∗ on the message mb with L as the group of senders, IDX as the receiver and returns σ ∗ to A. Phase 2: A can perform polynomially bounded number of queries adaptively again as in Phase 1 but A cannot ask the key extraction query on the receiver identity IDX or cannot ask the unsigncryption query on the challenge signcryption (σ ∗ , IDX ). Guess: A outputs a bit b and wins the game if b = b. The advantage of A is defined as AdvA = |2P r[b = b] − 1|, where P r[b = b] denotes the probability that b = b. Existential Unforgeability: Jianhong et al. [12] did not provide the formal security model for unforgeability of identity based multi-signcryption scheme but they claim that, a slightly altered security model of Malone-Lee et al. [7] has been adapted for their scheme. Bellare et al., in [3] have given two security notions for unforgeability of identity based multi-signature schemes, namely, single-signer security and multi-signer security, and have proved that single-signer security implies multi-signer security [3]. We extend the notion of single-signer security of Bellare et al. to prove the unforgeability of our improved identity based multi-signcryption scheme. An identity based multi-signcryption scheme is claimed to be existentially unforgeable under chosen message attack (EUF-CMA), if any polynomially bounded forger F has a negligible advantage in the following game: Setup: The challenger C runs the Setup algorithm to generate the master public and private keys, params and msk respectively. C gives params to F and keeps the master private key msk secret from F . Training Phase: F asks polynomial number of queries to the various oracles provided by C, without any restrictions. Forgery: At the end of the Training Phase, F chooses a message m and produces a signcryption σ ∗ on m with L = {ID1 , . . . , IDn } as the list of sender identities and IDX as the receiver identity. F wins the game if the private keys of at least one of the user in the list of senders L was not queried during Training Phase, σ ∗ is a valid signcryption and σ ∗ is not the output of any previous queries to the Signcryption Oracle with m as the message, L as the sender list and IDX as the receiver. (note that the private key SX of the receiver IDX can be queried by F during the Training Phase.)
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
3
65
Review and Attack of Jianhong et al.’s Identity Based Multi-Signcryption Scheme (JJ-IBMSC)
In this section we review the identity based multi-signcryption scheme of Jianhong et al.’s (JJ-IBMSC) presented in [12]. We also show that [12] does not provide both confidentiality and unforgeability. 3.1
Review of the Scheme
This scheme has the following four algorithms. 1. Setup: Given κ the security parameter and l the length of the message, the PKG chooses two groups G1 and G2 of prime order q > 2κ , a bilinear map eˆ : G1 × G1 → G2 and a random generator P of G1 . It then chooses a master private key s ∈R Z∗q , a system-wide public key Ppub = sP and three cryptographic hash functions H1 : {0, 1}∗ → G1 , H2 : G2 → {0, 1}l and H3 : {0, 1}∗ → Z∗q . The public parameters P arams= G1 , G2 , P, eˆ, H1 , H2 , H3 , Ppub , κ. 2. Key Extract: Given an identity IDi ∈ {0, 1}∗, the PKG does the following to extract the private key corresponding to IDi : – Computes Qi = H1 (IDi ) ∈ G1 and – Computes the private key Si = sQi . 3. Signcryption: Given a message m, a receiver identity IDX and a list of n sender identities L = {ID1 , . . . , IDn } Each sender i executes the following steps: – Chooses xi ∈R Zq ∗ and computes Ri = xi P . – Computes ωi = eˆ(Ppub , QX )xi . – Sends Ri , ωi to the other senders through a secure channel. – After receiving all other senders Ri , ωi values, each sender computes n n ω = j=1 ωj , c = H2 (ω) ⊕ m, R = j=1 Rj and Ti = xi H1 (m) + H3 (R)Si . The resultant signcryption is σ = c, T, R, L, where T = nj=1 Tj . 4. Unsigncryption: Given σ = c, T, R, L, the receiver with identity IDX does the following: – Computes ω = eˆ(R, SX ). – Retrieves the message m = H2 (ω ) ⊕ c. n ? – Accepts the message if eˆ(T, P ) = eˆ(R, H1 (m))ˆ e(Ppub , j=1 Qj )H3 (R) 3.2
Attacks on Jianhong et al.’s Identity Based Multi-Signcryption Scheme (JJ-IBMSC)
We launch two different attacks on the scheme to show both the weakness in confidentiality as well as unforgeability.
66
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
Attack on Confidentiality: During the confidentiality game the adversary A interacts with the challenger C in Phase 1 by performing various queries on Hash, Key Extraction, Signcryption and Unsigncryption oracles. At the end of Phase 1, A choose two messages m0 and m1 , a list of sender identities L = {ID1 , . . . , IDn } and a targeted receiver identity IDX on which A wants to be challenged and sends them to C (note that, A should not have queried the private key for the targeted receiver identity IDX throughout the game but is allowed to query the private keys corresponding to all the senders in L). Now, C chooses a bit b ∈R {0, 1} and generates a challenge signcryption σ ∗ = c∗ , T ∗ , R∗ , L and sends σ ∗ to A. We now show that up on receiving the challenge signcryption σ ∗ , A can perform the following to check whether σ ∗ is a valid signcryption of message m0 or m1 . – Computes H0 = H1 (m0 ). ?
n – Checks whether eˆ(T, P ) = eˆ(R, H0 )ˆ e(Ppub , Σj=1 Qj )H3 (R) . ∗ – If the above check passes then σ is the signcryption of m0 , otherwise σ ∗ is the signcryption of the message m1 .
This shows that the scheme is not even secure against chosen plaintext attack because on receiving the challenge signcryption σ ∗ , A is capable of distinguishing whether σ ∗ is a signcryption of m0 or m1 , without any further interaction with C. Remark 1. This attack is possible because A knows the messages m0 and m1 during the confidentiality game and during unsigncryption, the message is di? n rectly used for the verification test eˆ(T, P ) = eˆ(R, H1 (m))ˆ e(Ppub , Σj=1 Qj )H3 (R) . ∗ Therefore, A can check the validity of σ with respect to both the messages and find out for which message the equation holds. Attack on Unforgeability: The forger F aims to generate the signcryption of a message m on a list of senders L∗ to a receiver IDY . Here the forger does not know the private key of any of the identities in L∗ . In order to achieve this, F first selects a set of identities L = {ID1 , . . . , IDk }, where F knows the private key corresponding to all the identities in L . F then sets L = L∗ ∪L . Now, F sends a message m, the list L and an identity IDX (where IDX = IDY ) to the challenger C and obtains a signcryption σ = c, T, R, L from C (Note that it is legal for F to ask this signcryption from C). F constructs σ ∗ = Signcryption(m, L = {ID1 , . . . , IDk }, IDY , S1 , . . . , Sk ) as follows: – As mentioned earlier let σ = c, T, R, L be the signcryption on m from L to IDX . – F queries the private key SY , corresponding to IDY (Since the receivers private key is available in the unforgeability game). – F takes the value R from σ and computes ω ∗ = eˆ(R, SY ) and computes a new value c∗ = m ⊕ H2 (ω ∗ ). – Computes T ∗ = T − H3 (R) (ΣIDi ∈L Si ) and sets R∗ = R
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
67
– Now, F produces σ ∗ = c∗ , T ∗ , R∗ , L∗ as a valid signcryption on the same message m as σ with L∗ as the list of senders and IDY as the receiver to the challenger. We show that the new signcryption σ ∗ = c∗ , T ∗ , R∗ , L∗ is valid because it passes the verification with respect to the private key of the receiver IDY . – Compute ω = eˆ(R∗ , SY )=ˆ e(R, SY ). – Retrieve the message m = H2 (ω ) ⊕ c∗ . – The message m obtained during unsigncryption is a valid message because ∗ n eˆ(T ∗ , P ) = eˆ(R∗ , H1 (m )) eˆ(Ppub , j=1 Qj )H3 (R ) . We show the correctness of the above check with respect to the forged signcryption. n eˆ(T ∗ , P )= eˆ(i=1 Ti , P ) n ∗ = eˆ(i=1 {xi H1 (m ) + H3 (R n)Si }, P ) ∗ n = eˆ( i=1 {xi }H1 (m ), P )ˆ e( i=1 {H 3 (R )sQi }, P ) n n = eˆ(H1 (m ), i=1 {xi P })ˆ e(H3 (R∗ ) i=1 {Qi }, sP ) ∗ n = eˆ(H1 (m ), R)ˆ e( i=1 {Qi }, Ppub )H3 (R ) Remark 2. Informally, this forgery is possible because there is no binding between the signature component Ti and the receiver identity IDX and the other senders in list L involved in the generation of signcryption σ. The component Ti acts as a signature because it is computed with the sender’s private keys. So, the forger F can alter the receiver and generate the new signcryption σ by changing the component c, the senders list and the receiver. The component c can be computed using the private key of the new receiver, which is known to F . (Note: It is well known that during unforgeability game for signcryption, F has access to the receiver’s private key in order to ensure insider security.)
4
Improved Identity Based Multi-Signcryption Scheme (I-IBMSC)
The scheme by Jianhong et al. [12] can be fixed by modifying it suitably so that it satisfies the necessary conditions outlined by An, Dodis and Rabin [1]. In this section, we present a possible fix for [12]. We also prove the indistinguishability against adaptive chosen ciphertext attack (IND-CCA2) for confidentiality and existential unforgeablity against chosen message attack (EUF-CMA) for unforgeability of I-IBMSC in the random oracle model. These are the strongest security notions for any identity based multi-signcryption scheme. Our modifications are simple and subtle and the formal proofs are non-trivial. 4.1
The Scheme (I-IBMSC)
The improved scheme has the following four algorithms as in JJ-IBMSC [12].
68
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
1. Setup: This algorithm is similar to that of the Setup algorithm in JJIBMSC with a new definition for the hash function H2 . We define H2 : {0, 1}∗ → {0, 1}l in I-IBMSC. We also add one more hash function H4 , which is defined as H4 : {0, 1}∗ → G1 . 2. Key Extract: This algorithm is identical to that of the Key Extract algorithm in JJ-IBMSC. 3. Signcryption: Given a message m, a receiver identity IDX and a list of n sender identities L = {ID1 , . . . , IDn }, each sender indexed i, for i = 1 to n executes the following steps: – Chooses xi ∈ Zq ∗ at random and computes Ri = xi P . – Computes ωi = eˆ(Ppub , QX )xi . – Sends Ri , ωi to all other senders in the list L, through a secure channel. After receiving all other senders Ri , ωi values, each sender continues to do the following; n – Computes ω = j=1 ωj and h2 = H2 (ω, L, IDX ). n – Sets c = h2 ⊕ m, computes R = j=1 Rj , M = H4 (m, ω, R, L, IDX ) and h3 = H3 (R, L, IDX ). – Computes Ti = xi M + h3 Si . Now, each sender IDi sends their corresponding Ti , c and R values to a clerk (Note that one of the senders in the list L may act as clerk), who checks whether c and R values sent by all senders are identical; if so, the clerk computes T = nj=1 Tj and outputs the resultant signcryption as σ = c, T, R, L. 4. Unsigncryption: Given σ = c, T, R, L, the receiver with identity IDX does the following to unsigncrypt it: – Computes ω = eˆ(R, SX ). – Computes h2 = H2 (ω , L, IDX ) and retrieves the message m = h2 ⊕ c. – Computes M = H4 (m , ω , R, L, IDX ) and h3 = H3 (R, L, IDX ). n ? – Accepts the message m if eˆ(T, P ) = eˆ(R, M )ˆ e(Ppub , j=1 {Qj })h3 . Note that the acceptance test is same as that of Jianhong et al.’s [12] but the change in the definition of the hash functions H2 , H3 and the introduction of the new hash function H4 provide the needed security for our system. 4.2
Security of the Scheme (I-IBMSC)
We prove the security of I-IBMSC with respect to confidentiality (IND-I-IBMSCCCA2) and unforgeability (EUF-I-IBMSC-CMA) in this section. Confidentiality Theorem 1. If an IND-I-IBMSC-CCA2 adversary A has an advantage against I-IBMSC scheme, asking qHi (i = 1, 2, 3, 4) hash queries to random oracles OHi (i = 1, 2, 3, 4), qe extract queries (qe = qe1 + qe2 , where qe1 and qe2 are the number of extract queries in the first phase and second phase respectively), qsc signcryption queries and qus unsigncryption queries, then there exist 1 an algorithm C that solves the CBDH problem with advantage qH qH . 1
2
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
69
Proof. Let C be a challenger, who is challenged with an instance of CBDHP say, (P, aP, bP, cP ) ∈ G41 for unknown a, b, c ∈ Z∗q . The aim of C is to compute α = eˆ(P, P )abc . Consider an adversary A who is capable of breaking the IND-IIBMSC-CCA2 security of I-IBMSC. C can make use of A to solve the CBDHP instance with non-negligible advantage in polynomial time as described below. It is assumed that in the IND-I-IBMSC-CCA2 game A queries OH1 oracle with ID before using ID as input for any oracle query. Setup: C starts the confidentiality game by setting up the system with P arams = κ, G1 , G2 , P, eˆ, Ppub , where Ppub = aP and models the hash functions Hi ’s as random oracles OHi , for i = 1 to 4 and sends the public parameters to A. Phase 1: A performs a series of queries to the oracles provided by C. In-order to maintain the consistency of the responses given by the oracles OHi , C maintain lists Li , for i = 1 to 4. The oracles provided by C and the responses given to the corresponding queries by C are described below: Oracle OH1 (IDi ): We will make a simplifying assumption that A queries the OH1 oracle with distinct identities in each query. There is no loss of generality due to this assumption, because, if the same identity is repeated, by definition the oracle consults the list L1 and gives the same response. Thus, we assume that A asks qH1 distinct queries for qH1 distinct identities. Among this qH1 identities, a random identity has to be selected as target identity and it is done as follows. C selects a random index γ, where 1 ≤ γ ≤ qH1 . C does not reveal γ to A. When A generates the γ th query on IDγ , C fixes IDγ as target identity for the challenge phase and C responds to A as follows: – If i = γ, C sets Qγ = bP , returns Qγ as the response to the query and stores IDγ , Qγ , ∗ in the list L1 . Here, C does not know b since C uses the bP value given in the instance of the CBDHP. – For all other queries, C chooses yi ∈R Zq∗ and sets Qi = yi P and stores IDi , Qi , yi in the list L1 . C returns Qi to A. (Note that as the identities are assumed to be distinct, for each query, we create distinct entry and add in the list L1 ). Oracle OH2 (ω, L, IDX ): When A makes this query, C checks for the tuple ω, L, IDX , h2 in the list L2 . If an entry was found then returns the corresponding h2 as the response else chooses h2 ∈R {0, 1}l and adds the tuple ω, L, IDX , h2 to the list L2 and returns h2 as the response to A. Oracle OH3 (R, L, IDX ): When A makes this query, C checks for the tuple R, L, IDX , h3 in the list L3 . If an entry was found then returns the corresponding h3 as the response else chooses h3 ∈R Z∗q and adds the tuple R, L, IDX , h3 to the list L3 and returns h3 as the response to A. Oracle OH4 (m, ω, R, L, IDX ): When A makes this query, C checks for the tuple m, ω, R, L, IDX , z, M in the list L4 . If an entry was found then returns the corresponding M as the response else chooses z ∈ Z∗q randomly and computes M = zPpub . C now adds the tuple m, ω, R, L, IDX , z, M to the list L4 and returns M as the response to A.
70
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
Oracle OKeyExtract (IDi ): A chooses an identity IDi and queries the corresponding private key Si to this oracle (Note that A should have performed the OH1 (IDi ) query before performing this query). C responds to this query as follows: – If IDi = IDγ , then C aborts. – Else, C retrieves yi corresponding to IDi from L1 , computes Si = yi (aP ) = a(yi P ) = aQi and returns Si to A. Oracle OSigncryption (m, L, IDX ): Here, m is the message to be signcrypted, L is the list of identities of n senders and IDX is the identity of the receiver. If IDγ ∈ / L, then C can generate the signcryption on the message m because C knows the private key of all senders belonging to L. – If IDγ ∈ L then C performs the following: • Chooses z, r, h3 ∈R Z∗q . 1 • Computes M = z(Ppub ), R = (rP − h3 IDi ∈L Qi ). z • Stores the tuple R, L, IDX , h3 to the list L3 . • Computes T = rPpub . • Stores m, ω, R, L, IDX , z, M in list L4 . (Note: If this tuple is already available in list L4 then C repeats the above steps with different values of r and z.) • Compute ω = eˆ(R, SX ) and c = m ⊕ OH2 (ω, L, IDX ). Now, C returns the signcryption on message m as σ = c, T, R, L to A. It can be easily verified that σ is a valid signcryption on message m with L as the sender list, IDγ ∈ L and IDX as the receiver. Oracle OUnsigncryption (σ, L, IDX ): Here, σ is the signcryption, L is the list of identities of n senders and IDX is the receiver identity. To respond to this ? query, C checks whether IDX = IDγ . – If IDX = IDγ , C proceeds as per the normal unsigncryption algorithm, since C knows the private key of the receiver IDX . – If IDX = IDγ then C computes h3 = OH3 (R, L, IDX ) and performs the following to unsigncrypt σ: 1. Let Δ be the set of pairs (ω, h2 ) from the list L2 corresponding to (L, IDX ) ∈ σ. (The tuples in L2 will be of the form ω, L, IDX , h2 .) 2. For each (ω, h2 ) ∈ Δ, C performs the following, (a) Computes m = c ⊕ h2 . (b) Computes M = OH4 (m , ω, L, IDX ). ?
?
(c) Checks whether eˆ(M, R)1/z = ω and eˆ(T, P ) = eˆ(M, R)ˆ e(Ppub , h3 Q ) . (Note that z is retrieved from the tuples in the IDi ∈L i list L4 corresponding to (m , ω, L, IDX ), which is of the form m , ω, L, IDX , z, M ∈ L4 .) (d) If true, return m . 3. If the test in step 2(c) fails for all (ω, h2 ) ∈ Δ, C returns “invalid”. Challenge: At the end of Phase 1, A generates and sends to C, two plaintexts m0 and m1 of equal length, a sender list L = {ID1 , . . . , IDn } and
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
71
the receiver identity IDX . Note that A should not have queried the private key corresponding to IDX in Phase 1. C checks whether IDX = IDγ . If not, C aborts, else, C chooses a bit b ∈R {0, 1} and computes the challenge signcryption σ ∗ on the message mb with L as the group of senders and IDX as the receiver by performing the following: – C sets R = cP , chooses randomly T ∈ G1 and c ∈ {0, 1}l Now, C outputs the signcryption on the message mb as σ = c, T, R, L. Phase 2: A can perform polynomially bounded number of queries adaptively again as in Phase 1 with the restriction that A cannot query – The key extract oracle for the private key of IDX . – The unsigncryption oracle with the challenge signcryption σ ∗ , IDX . Guess: At the end of Phase 2, A outputs a guess b to C. Similar to the argument in [4], C ignores the response by A, picks a random ω from the list L2 and returns it as the solution to the CBDHP instance. Since the challenge ciphertext σ ∗ given to A is randomly distributed in the ciphertext space, A cannot gain any advantage in the IND-I-IBMSC-CCA2 game. Thus, any adversary that has advantage in the real IND-I-IBMSC-CCA2 game must necessarily recognize with probability at least that the challenge ciphertext provided by C is incorrect. For A to find that σ ∗ is not a valid ciphertext, A should have queried the OH2 oracle with ω = eˆ(R, Sγ ) (Since the receiver in σ ∗ is IDX = IDγ ). Here Sγ is the private key of the target identity and it is a(Qγ ) = abP . Also, C has set R = cP . Hence ω = eˆ(R, Sγ ) = eˆ(cP, abP ) = eˆ(P, P )abc . Therefore, one of the entries in the list L2 should be the value eˆ(P, P )abc . With probability qH1 , the value of ω chosen by C from list L2 2 will be the solution to CBDHP instance. Now, we analyze the probability of success of C. The events in which C aborts the IND-I-IBMSC-CCA2 game are, 1. E1 - when A queries the private key of the target identity IDγ and qe P r[E1 ] = 1 . qH1 2. E2 - when A does not choose the target identity IDγ as the receiver 1 during the challenge and P r[E2 ] = 1 − . qH1 − qe1 The probability that, C does not abort the IND-I-IBMSC-CCA2 game is given by qe 1 1 (P r[¬E1 ∧ ¬E2 ]) = 1 − 1 = qH1 qH1 − qe1 qH1 The probability that, the ω chosen randomly from L2 by C, being the solution 1 to CBDHP is qH . Therefore, the probability of C solving CBDHP is given 2 by, P r[C(P, aP, bP, cP |a, b, c ∈R Z∗q ) = eˆ(P, P )abc ] = qH 1qH 1
2
Since is non-negligible, the probability of C solving CBDHP is also nonnegligible.
72
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
Unforgeability Theorem 2. If an EUF-I-IBMSC-CMA forger F exists against I-IBMSC scheme, asking qHi (i = 1, 2, 3, 4) hash queries to random oracles Hi (i = 1, 2, 3, 4), qe extract secret key queries, qsc signcryption queries and qus unsigncryption queries, then there exist an algorithm C that solves the CDHP with advantage. Proof. Let C be a challenger who is challenged with an instance of CDH problem say, (P, aP, bP ) ∈ G31 for unknown a, b ∈ Z∗q . The aim of C is to compute the value abP . Consider a forger F who is capable of breaking the EUF-I-IBMSCCMA security of I-IBMSC. C can make use of F to solve the CDH problem instance with non-negligible advantage in polynomial time as described below. Setup: C starts the unforgeability game by setting up the system with Ppub = aP , models the hash functions Hi ’s as random oracles OHi , for i = 1 to 4 and sends the public parameters P arams = κ, G1 , G2 , P, eˆ, Ppub to F . The elements of P arams are set identical to that of the CDH instance, C has received. It is assumed in the EUF-I-IBMSC-CMA game that A queries OH1 oracle with ID before using ID as input for any other query. Training Phase: F performs a series of queries to the oracles provided by C. In-order to maintain the consistency of the responses given by the oracles OHi , C maintain lists Li , for i = 1 to 4. The oracles OHi , i = 1, 2, 3 and OKeyExtract provided by C and the responses given to the corresponding queries by C are identical to that of the IND-I-IBMSC-CCA2 game. The description of the other oracles are given below, Oracle OH4 (m, ω, R, L, IDX ):When A makes this query, C checks for the tuple m, ω, R, L, IDX , z, M in the list L4 . If an entry was found then returns the corresponding M as the response else chooses z ∈ Z∗q randomly and if IDX = IDγ , C computes M = zP else computes M = zPpub . C now adds the tuple m, ω, R, L, IDX , z, M to the list L4 and returns M as the response to A. Oracle OSigncryption (m, L, IDX ): Here, m is the message to be signcrypted, L is the list of identities of n senders and IDX is the receiver identity (Note that the receiver identity can also be the target identity IDX ). Even in the case of IDX = IDγ , C can generate the signcryption on the message m because C knows the private key of all senders belonging to L. In order to respond to this query, C checks for each IDi ∈ L, whether IDi = IDγ . If IDγ ∈ / L, F follows the signcrypt protocol as C knows the private key of all senders in L. If IDγ ∈ L then C performs the following: – Chooses z, h3 randomly from Z∗q −h3 – Computes M = zQγ and R = Ppub . z – Computes ω = eˆ(R,SX ) and c = m ⊕ OH2 (ω, L, IDX ). – Computes T = h3 ( IDi ∈L∧IDi =IDγ Si ). – Stores m, ω, R, L, IDX , z, M in list L4 . (Note: If this tuple is already available in list L4 then C repeats the above steps with different values.)
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
73
Now, C stores m, σ = c, T, R, L, IDX in list L5 returns the signcryption on message m as σ to F . It can be easily verified that σ is a valid signcryption on message m with L as the sender list, IDγ ∈ L and IDX as the receiver. Oracle OUnsigncryption (σ, L, IDX ): Here, σ is the signcryption, L is the list of identities of n senders and IDX is the receiver identity. To respond to this query, C does the following. – If IDX = IDγ then C knows the private key of IDX and can perform the unsigncryption as per the protocol. – If IDX = IDγ , then C performs the following to unsigncrypt σ – If σ ∈ L5 , then C returns m to F , – Otherwise, C does the following: 1. Computes h3 = OH3 (R, L, IDX ). 2. Let Δ be the set of pairs (ω, h2 ) from the list L2 corresponding to (L, IDX ) ∈ σ. (The tuples in L2 will be of the form ω, L, IDX , h2 .) 3. For each (ω, h2 ) ∈ Δ, C performs the following, (a) Computes m = c ⊕ h2 . (b) Computes M = OH4 (m , ω, L, IDX ). ?
?
(c) Checks whether eˆ(M, R)1/z = ω and eˆ(T, P ) = eˆ(M, R)ˆ e(Ppub , h3 Q ) . (Note that z is retrieved from the tuples in the i IDi ∈L list L4 corresponding to (m , ω, L, IDX ), which is of the form m , ω, L, IDX , z, M ∈ L4 ). (d) If true, return m . 4. If the test in step 3(c) fails for all (ω, h2 ) ∈ Δ, C returns “invalid”. Forgery: Eventually, F outputs a forged signcryption σ ∗ = c∗ , T ∗ , R∗ , L on some message m∗ with L as the list of senders and an arbitrary receiver, say IDX . The restriction in generating σ ∗ is, F should not have generated σ ∗ by querying the signcryption oracle OSigncryption in any previous queries on the message m∗ with L as the list of senders and IDX as the receiver. C can very well unsigncrypt and verify the validity of the forged signcryption σ ∗ because C knows the secret key of the receiver during the unforgeability game. If the forged signcryption σ ∗ passes the verification and at least one of the identities in L say IDA was not the output of any previous key extract queries, then C can obtain the solution for the CDH problem instance by performing the following steps: – – – – –
C obtains ω ∗ and the message m∗ during unsigncryption. ∗ ∗ ∗ It then checks tuple of the form nthe list L4 for the n m , ω , R , L, IDX , z, M . n Computes i=1 {xi M }n= i=1 xi (zP )n = z i=1 (xi )P = zR. Computes X = T− i=1 {xi M } = i=1 h3 Si . Computes Y = ni=1 {h3 Si } − ni=1,i=A h3 Si = h3 SA . This is possible because C can retrieve the value h3 from the list L3 which corresponds to the tuple R, L, IDX , h3 and C knows the private key corresponding to all the identities of the sender list L except IDA . Therefore, C can compute: (h3 )−1 Y = (h3 )−1 h3 SA = (h3 )−1 h3 abP = abP
74
S.S.D. Selvi, S.S. Vivek, and C.P. Rangan
Thus, C is capable of finding abP value which is the solution for the CDH problem instance. So, if there exists a forger who can forge a valid signcryption with non-negligible advantage, then there exists an algorithm to solve the CDH problem with non-negligible advantage. Since this is not possible, no forger can forge a valid signcryption with non-negligible advantage. Hence, I-IBMSC is secure against any EUF-I-IBMSC-CMA attack. Now we analyse the probability of success of C in solving the CDHP. P r[C(aP, bP ) = abP |a, b ∈ Z∗q ] = P r[F (σ ∗ , IDX ) = V alid].P r[¬Abort] The events in which C aborts are: – E1 - F queries the private key of the target identity to the key extract oracle qe and P r[E1 ] = . qH1 – E2 - F doesnot choose ID γ as sender in Lwhich is used for forgery and qH1 − qe − n n P r[E2 ] = = 1− . qH1 − qe qH1 − qe Therefore, the probability that C does not abort the game is given by P r[¬Abort]= P r[¬E1 ∧¬E 2 ] qe n = 1− 1− 1− qH1 qH1 − qe qH1 − qe n n = = qH1 qH1 − qe qH1 Thus, the probability of success of C is given by P r[C(aP, bP ) = abP |a, b ∈ Z∗q ] = n qH1
5
Conclusion
As the only existing identity based multi-signcryption scheme is cryptanalized for its confidentiality and unforgeability, we do not compare the efficiency of our scheme with any other scheme but we present the complexity figure of I-IBMSC scheme below: Table 1. Complexity figure for I-IBMSC
Scheme
Signcrypt Designcrypt PA SM GE M G P A SM GE M G I-IBMSC 1/sender 3/sender 1/sender 1/sender 4 1 1 P A - Pairing, SM - Scalar Multiplication, GE - Exponentiation in G2 , GM - Mapping to G1 .
Breaking and Fixing of an Identity Based Multi-Signcryption Scheme
75
We have provided an improved identity based multi-signcryption scheme, which is an extension of Jianhong et al.’s scheme with the proper binding, that provides adequate security to the scheme. We have also proved the security of the improved scheme formally under the random oracle model.
References 1. An, J.H., Dodis, Y., Rabin, T.: On the security of joint signature and encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 83–107. Springer, Heidelberg (2002) 2. Baek, J., Steinfeld, R., Zheng, Y.: Formal proofs for the security of signcryption. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 80–98. Springer, Heidelberg (2002) 3. Bellare, M., Neven, G.: Identity-based multi-signatures from rsa. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 145–162. Springer, Heidelberg (2007) 4. Boyen, X.: Multipurpose identity-based signcryption (a swiss army knife for identity-based cryptography). In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 383–399. Springer, Heidelberg (2003) 5. Chow, S.S.M., Yiu, S.-M., Hui, L.C.K., Chow, K.P.: Efficient forward and provably secure id-based signcryption scheme with public verifiability and public ciphertext authenticity. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 352–369. Springer, Heidelberg (2003) 6. Dutta, R., Barua, R., Sarkar, P.: Pairing-based cryptographic protocols: A survey. In: Cryptology ePrint Archive, Report 2004/064 (2004), http://eprint.iacr.org/ 7. Malone-Lee, J.: Identity-based signcryption. In: Cryptology ePrint Archive, Report 2002/098 (2002) 8. Mitomi, S., Miyaji, A.: A multisignature scheme with message flexibility, order flexibility and order verifiability. In: Clark, A., Boyd, C., Dawson, E.P. (eds.) ACISP 2000. LNCS, vol. 1841, pp. 298–312. Springer, Heidelberg (2000) 9. Pang, X., Catania, B., Tan, K.-L.: Securing your data in agent-based p2p systems. In: Eighth International Conference on Database Systems for Advanced Applications - DASFAA 2003, pp. 55–64. IEEE Computer Society, Los Alamitos (2003) 10. Seo, S.-H., Lee, S.-H.: A secure and flexible multi-signcryption scheme. In: Lagan´ a, A., Gavrilova, M.L., Kumar, V., Mun, Y., Tan, C.J.K., Gervasi, O. (eds.) ICCSA 2004. LNCS, vol. 3046, pp. 689–697. Springer, Heidelberg (2004) 11. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) 12. Zhang, J., Mao, J.: A novel identity-based multi-signcryption scheme. Computer Communications 32(1), 14–18 (2009) 13. Zheng, Y.: Digital signcryption or how to achieve cost(signature & encryption) < < cost(signature) + cost(encryption). In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 165–179. Springer, Heidelberg (1997)
Identity-Based Verifiably Encrypted Signatures without Random Oracles Lei Zhang1 , Qianhong Wu1,2 , and Bo Qin1,3 1
3
UNESCO Chair in Data Privacy Department of Computer Engineering and Mathematics Universitat Rovira i Virgili Av. Pa¨ısos Catalans 26, E-43007 Tarragona, Catalonia 2 Key Lab. of Aerospace Information Security and Trusted Computing Ministry of Education, School of Computer, Wuhan University, China Dept. of Maths, School of Science, Xi’an University of Technology, China {lei.zhang,qianhong.wu,bo.qin}@urv.cat
Abstract. Fair exchange protocol plays an important role in electronic commerce in the case of exchanging digital contracts. Verifiably encrypted signatures provide an optimistic solution to these scenarios with an off-line trusted third party. In this paper, we propose an identity-based verifiably encrypted signature scheme. The scheme is non-interactive to generate verifiably encrypted signatures and the resulting encrypted signature consists of only four group elements. Based on the computational Diffie-Hellman assumption, our scheme is proven secure without using random oracles. To the best of our knowledge, this is the first identity-based verifiably encrypted signature scheme provably secure in the standard model. Keywords: Identity-Based Cryptography, Fair Exchange, Verifiably Encrypted Signature, Provable Security.
1
Introduction
Suppose that two entities Alice and Bob wish to sign some contract. However, neither is willing to produce a signature without being sure that the other will. This kind of applications is referred to as fair exchange. Fair exchange protocols play a critical role in electronic payment systems, contract signing, electronic commerce and certified e-mail. Informally, a fair exchange protocol aims at enabling two entities, who do not fully trust each other, to exchange their items (digital signatures or e-merchandise) in a fair way, so that at the end of the protocol either both entities get the other’s item, or neither does, even if the protocol is halted by any reason. In the last years, a number of fair exchange protocols have been proposed [1,3,9,10,11,15,18,21,23]. Among them, Asokan et al. [1] were the first to formally study the problem of optimistic fair exchanges. They introduced a fair exchange protocol relying on a trusted third party (TTP) in an optimistic way, in the J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 76–89, 2009. c Springer-Verlag Berlin Heidelberg 2009
Identity-Based Verifiably Encrypted Signatures without Random Oracles
77
sense that the TTP does not participate in the actual exchange protocol unless one player crashes or attempts to cheat. In this proposal, the TTP is called offline TTP. However, the protocol by Asokan et al. relies on inefficient interactive zero-knowledge proofs. A verifiably encrypted signature scheme is designed for a fair exchange environment. In this notion, a verifier is able to verify that the encrypted signature hides the user’s signature on a publicly agreed message, but the verifier cannot extract the hidden signature. In 2003, Boneh et al. [3] proposed the first noninteractive verifiably encrypted signature scheme in traditional certificate-based public key cryptography. They implement their construction by aggregating the BLS short signatures [4]. To realize a fair exchange, Alice sends Bob a verifiably encrypted signature on the contract. Then Bob can send his signature to Alice. If Alice does not respond with her signature, Bob can send to the adjudicator (i.e., the off-line TTP) Alice’s verifiably encrypted signature and the transcript of his interaction with Alice. After validating the verifiably encrypted signature and the transcript, the adjudicator will extract Alice’s signature and send it to Bob. Following the work of Boneh et al., several research papers presented other non-interactive verifiably encrypted signature schemes [9,13,15,21,20]. They are all based on traditional public key cryptography, in which a certificate issued by the certificate authority (CA) must be used to provide the binding between an entity and its public key. Such certificate can be verified by anyone and it guarantees the authenticity of an entity’s public key. In practice, the management of public key certificates is costly in terms of computation, storage and communication. To simplify certificate management in traditional public key cryptography, Shamir introduced the concept of ID-based public key cryptography (ID-PKC) [17]. In ID-PKC systems, an entity’s public key is directly derived from its public information such as telephone number, e-mail address and IP address. Therefore, there is no need to obtain the certificate to verify the authenticity of the public key, unlike in traditional public key cryptography. Recently, the investigation of ID-based verifiably encrypted signatures (ID-VES) has attracted much attention [6,8,10,11,22,23]. In [8], a generic construction of ID-VES is presented. One may notice that there is a subtlety. In their generic construction, the public key of a user is no longer his identity only, which is different from the traditional definition of ID-PKC. Based on Hess’s identity-based signature scheme [12], Kwon and Lee [14] presented an efficient and concise ID-VES scheme of smaller size than previous ID-VES schemes in ID-PKC systems. 1.1
Our Contribution
Most verifiably encrypted signature schemes only provide provable security in the random oracle model [2]. However, security proofs in this model can only be considered as a heuristic argument. Canetti et al. [5] demonstrate that behaving like a “random oracle” is not a property that can be realized in general, and that security proofs in the random oracle model do not always imply the security of
78
L. Zhang, Q. Wu, and B. Qin
the actual scheme in the real world. Therefore, verifiably encrypted signature schemes provably secure without random oracles are of great interest. However, only few verifiably encrypted signature schemes [9,15,21] have been shown secure without using random oracles. These schemes are all presented in the setting of traditional public key cryptography. In this paper, we propose an identity-based verifiably encrypted signature scheme. The proposed scheme is non-interactive and does not rely on inefficient zero-knowledge proofs. The resulting encrypted signature consists of only four group elements and the scheme is efficient. For security, the proposal is proven secure without relying on random oracles. Furthermore, we use the computational Diffie-Hellman (CDH) assumption. We also exploit the aggregate extraction assumption which is shown equivalent to the CDH assumption [7]. Hence, our scheme enjoys both desirable performance and security, and is practical for fair exchange applications. We organize the rest of the paper as follows. Section 2 gives some preliminaries, including bilinear maps, computational problems and the notion of ID-VES schemes. Section 3 defines the security of ID-VES schemes. In Section 4 we present the construction of our ID-VES scheme. We prove the security of our scheme in Section 5. Finally, we conclude in Section 6.
2
Preliminaries
In this section, we will review some fundamental background, including the involved computational assumptions and the syntax of identity based verifiably encrypted signatures. 2.1
Bilinear Maps and Computational Problems
Let G1 be an additive group of prime order q and G2 be a multiplicative group of the same order. A mapping e : G1 × G1 −→ G2 is called a bilinear mapping if it satisfies the following properties: 1. Bilinearity: e(g a , g b ) = e(g, g)ab for all a, b ∈ Zq . 2. Non-degeneracy: There exists u, v ∈ G1 such that e(u, v) = 1. 3. Computability: There exists an efficient algorithm to compute e(u, v) for any u, v ∈ G1 . Discrete Logarithm (DL) Problem in G1 : Given h ∈ G1 , find an integer a ∈ Zq such that h = g a . Computational Diffie-Hellman (CDH) Problem in G1 : Given (g α , g β ) for unknown α, β ∈ Zq , compute g αβ . Aggregate Extraction Problem in G1 : Given (g α , g β , g γ , g δ , g αγ+βδ ) for unknown α, β, γ, δ ∈ Zq , compute g αγ . The aggregate extraction problem was introduced by Boneh et al. [3]. Coron and Naccache [7] showed that it is equivalent to the standard CDH problem.
Identity-Based Verifiably Encrypted Signatures without Random Oracles
2.2
79
Syntax of Identity-Based Verifiably Encrypted Signature Schemes
An ID-VES scheme is defined by eight algorithms: Setup, AKeyGen, UKeyGen, Sign, Verify, VESign, VEVerify and Adjudication. The description of each algorithm is as follows. – Setup: This algorithm is performed by the PKG who takes as input a security parameter k to produce a master-key and a list of system parameters params. – AKeyGen: This algorithm is performed by the adjudicator who takes as input the parameter list params to produce the adjudicator’s private and public key pair (x, y). – UKeyGen: This algorithm takes as input a user’s identity ID, the parameter list params and the master-key to produce the user’s private key dID . – Sign: This algorithm takes as input a message m, an identity ID, the parameter list params and a signer’s private key dID to produce an ordinary signature σ. – Verify: This algorithm takes as input a message m, a signature σ, the parameter list params, an identity ID to output True if the signature is correct, or False otherwise. – VESign: The inputs of this algorithm are the parameter list params, a private key dID of a signer whose identity is ID, a message m, and the adjudicator’s public key y. The output of this algorithm is a verifiably encrypted signature σ on m. – VEVerify: This algorithm takes as input a message m, a verifiably encrypted signature σ, the parameter list params, an identity ID and the adjudicator’s public key y to output True if the signature is correct, or False otherwise. – Adjudication: This algorithm takes as input a message m, a verifiably encrypted signature σ, the parameter list params, an identity ID and the adjudicator’s private key x to output the ordinary signature σ on m.
3
Security Definitions of Identity-Based Verifiably Encrypted Signature Schemes
Boneh et al. [3] specify two properties (besides correctness) that a verifiably encrypted signature scheme must satisfy: unforgeability and opacity. Unforgeability requires that it be difficult to forge a valid verifiably encrypted signature. Opacity requires that it be difficult, given a verifiably encrypted signature, to extract an ordinary signature on the same message. The security of ID-VES schemes is defined by following two games which are used to capture unforgeability and opacity properties respectively. Definition 1. An ID-VES scheme is said to be existentially unforgeable secure under adaptively chosen message and ID attacks, if no polynomial time adversary has a non-negligible success probability in the following Game 1:
80
L. Zhang, Q. Wu, and B. Qin
Game 1 (for unforgeability) This game is played between a challenger C and an adversary A. It has following three stages. 1. C runs the Setup algorithm, takes as input a security parameter k to obtain the master-key and the system parameter list params. C also runs AKeyGen to generate the adjudicator’s private and public key pair (x, y). Finally, params and y are sent to the adversary A. 2. A can adaptively query the following oracles: – UKeyGen-Oracle: The input of this oracle is an identity IDi . The output of this oracle is the private key di for IDi . – Sign-Oracle: The input of this oracle is an identity IDi , a message mi . The output of this oracle is an ordinary signature σi . It is required that σi be a valid signature on message mi under identity IDi . – VESign-Oracle: The input of this oracle is an identity IDi , a message mi . The output of this oracle is a verifiably encrypted signature σ ¯i . It is required that σ ¯i be a valid verifiably encrypted signature on message mi under identity IDi and adjudicator’s public key. – Adjudication-Oracle: The input of this oracle is an identity IDi , a message mi and a verifiably encrypted signature σ i . The output of this oracle is an ordinary signature σi . It is required that σi be a valid signature on message mi under identity IDi . 3. Eventually, A outputs a tuple (ID∗ , m∗ , σ ¯ ∗ ). We say that A wins Game 1 if and only if the output (ID∗ , m∗ , σ ¯ ∗ ) satisfies the following requirements: – σ ¯ ∗ is a valid verifiably encrypted signature on message m∗ under identity ID∗ and adjudicator’s public key y. – ID∗ has never been submitted to the UKeyGen-Oracle. – (ID∗ , m∗ ) has never been submitted to the VESign-Oracle. – (ID∗ , m∗ ) has never been submitted to the Sign-Oracle. Definition 2. An ID-VES scheme is said to be opaque under adaptively chosen message and ID attacks, if no polynomial time adversary has a non-negligible success probability in the following Game 2: Game 2 (for opacity) This game is played between a challenger C and an adversary A which also comprises three stages. 1. C runs the Setup algorithm, takes as input a security parameter k to obtain master-key and the system parameter list params. C also runs AKeyGen to generate the adjudicator’s private and public key pair (x, y). Finally, C sends params and y to the adversary A. 2. A can adaptively query the following oracles as defined in Game 1: UKeyGen-Oracle, Sign-Oracle, VESign-Oracle, Adjudication-Oracle.
Identity-Based Verifiably Encrypted Signatures without Random Oracles
81
3. At the end of A’s attack, A outputs a tuple (ID∗ , m∗ , σ ∗ ). We say that A wins Game 2 if and only if the output (ID∗ , m∗ , σ ∗ ) satisfies the following requirements: – – – –
4
σ ∗ is a valid signature on message m∗ under identity ID∗ . ID∗ has not been submitted to the UKeyGen-Oracle. (ID∗ , m∗ ) has never been submitted to the Sign-Oracle. (ID∗ , m∗ , λ) has never been submitted to the Adjudication-Oracle, where λ is any valid verifiably encrypted signature on m∗ under identity ID∗ and adjudicator’s public key y.
A Concrete Identity-Based Verifiably Encrypted Signature Scheme
In this section, we present the concrete construction of an ID-VES signature. Our scheme is motivated from the Paterson-Schuldt identity-based signature [16] and the Waters’s scheme [19]. The construction is as follows: – Setup: Given a security parameter k, the PKG does the following: 1. Select a cyclic additive group G1 which is generated by g with a prime order q, such that there exist a cyclic multiplicative group G2 of the same order, and a bilinear map e : G1 × G1 −→ G2 . 2. Randomly choose s ∈ Zq and compute g1 = g s . 3. Choose cryptographic hash functions H1 : {0, 1}∗ −→ {0, 1}l and H2 : {0, 1}∗ −→ {0, 1}n. 4. Randomly select the following elements: g2 , u , m ∈R G1 ; u ˆi ∈R G1 for ˆ = {ˆ ˆ = {m i = 1, ..., l; m ˆ i ∈R G1 for i = 1, ..., n. Let U ui}, M ˆ i }. ˆ , m , M ˆ ) and The public parameters are params = (e, G1 , G2 , g, g1 , g2 , u , U s the master-key is g2 . – AKeyGen: The adjudicator accepts params, randomly chooses x ∈ Zq , computes y = g x , and sets (x, y) as the adjudicator’s private and public key pair. – UKeyGen: This algorithm accepts params, master-key g2s , an identity ID ∈ {0, 1}∗ and constructs the private key for the user as follows: 1. Compute u = H1 (ID), parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l . 2. Select a random ru ∈ Zq . 3. Output a private key du = (d0 , d1 ) where d0 = g2s (u
l i=1
u ˆui i )ru , d1 = g ru .
– Sign: On input a signer’s (whose identity is ID) private key du and a message m, the signer performs the following steps: 1. Compute u = H1 (ID), w = H2 (m) and parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, and w as a bit string (w1 , ..., wn ) ∈ {0, 1}n .
82
L. Zhang, Q. Wu, and B. Qin
2. Compute π = u li=1 u ˆui i (note that this value can be pre-computed by the signer). 3. Select rm , rv ∈ Zq at random and compute σ1 = d0 π rv (m
n i=1
i rm m ˆw , σ2 = g rm , σ3 = d1 g rv . i )
4. Output σ = (σ1 , σ2 , σ3 ) as the signer’s signature on message m. – Verify: To verify a signature σ = (σ1 , σ2 , σ3 ) on a message m signed by a signer with an identity ID, the verifier performs the following steps: 1. Compute u = H1 (ID), w = H2 (m) and parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, and w as a bit string (w1 , ..., wn ) ∈ {0, 1}n . 2. Verify e(σ1 , g) = e(g1 , g2 )e(u ?
l i=1
u ˆui i , σ3 )e(m
n i=1
i m ˆw i , σ2 ).
If the above equation holds, output True. Otherwise, output False. – VESign: On input a signer’s (whose identity is ID) private key du and a message m, the signer performs the following steps: 1. Compute u = H1 (ID), w = H2 (m) and represent u as a bit string l n (u1 , ..., ul ) ∈ {0, 1} l, anduiw as a bit string w = (w1 , ..., wn ) ∈ {0, 1} . 2. Compute π = u i=1 u ˆi . 3. Select r¯u , r¯m , r¯v ∈ Zq and compute σ ¯1 = d0 π r¯u (m
n i=1
¯m r¯v i r m ˆw y ,σ ¯2 = g r¯m , σ ¯3 = d1 g r¯u , σ ¯4 = g r¯v . i )
4. Output σ ¯ = (¯ σ1 , σ ¯2 , σ ¯3 , σ ¯4 ) as the verifiably encrypted signature on message m. – VEVerify: To verify a verifiably encrypted signature σ ¯ = (¯ σ1 , σ ¯2 , σ ¯3 , σ ¯4 ) on a message m of an identity ID, a verifier performs the following steps: 1. Compute u = H1 (ID), w = H2 (m) and parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, and w as a bit string (w1 , ..., wn ) ∈ {0, 1}n . 2. Verify e(¯ σ1 , g) = e(g1 , g2 )e(y, σ ¯4 )e(u ?
l i=1
u ˆui i , σ ¯3 )e(m
n i=1
i m ˆw ¯2 ). i ,σ
If the above equation holds, output True. Otherwise, output False. – Adjudication: On input a verifiably encrypted signature σ ¯ = (¯ σ1 , σ ¯2 , σ ¯3 , σ ¯4 ) on a message m of an identity ID, the adjudicator performs the following steps: 1. Compute u = H1 (ID), w = H2 (m) and parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, w as a bit string (w1 , ..., wn ) ∈ {0, 1}n. 2. Select a, b ∈ Zq at random and compute σ1 = (u
3. Output σ =
l
uˆui i )a (m
i=1 (σ1 , σ2 , σ3 ).
n i=1
i b m ˆw ¯1 σ ¯4−x , σ2 = σ ¯2 g b , σ3 = σ ¯3 g a . i ) σ
Identity-Based Verifiably Encrypted Signatures without Random Oracles
5
83
Security Analysis
Theorem 1. If there exists an adversary A who has an advantage in forging a verifiably encrypted signature of our ID-VES scheme in an attack modeled by Game 1, within a time span t and querying at most qe , qs , qv and qa times UKeyGen-Oracle, Sign-Oracle, VESign-Oracle, and Adjudication-Oracle, respectively; then the CDH problem in G1 can be solved within time t + O(qe l + (qs + qv + qa )(l + n))τm + O(qe + qs + qv + qa )τe with probability 1 16(qe + qs )qs (l + 1)(n + 1) where τm is the time to compute a multiplication in G1 , τe is the time to compute a exponentiation in G1 . Proof. C is given a CDH problem instance as follows. Given a group G1 , a generator g ∈ G1 , two elements g α , g β ∈ G1 , C is asked to output an element g αβ ∈ G1 . In order to use A to solve the CDH problem, C needs to simulate all the oracles in Game 1 for A. C does it in the following way. Stage 1. Let lu = 2(qe + qs ) and lm = 2qs . C randomly selects two integers ku and km such that 0 ≤ ku ≤ l and 0 ≤ km ≤ n. We assume that lu (l + 1) < q and lm (n + 1) < q for the given values of qe , qs , l and n. It also randomly selects the following integers: x ∈ Zlu ; z ∈ Zlm ; y , w ∈ Zq ; x ˆ1 , ..., x ˆl ∈ Zlu ; yˆ1 , ..., yˆl ∈ Zq ; zˆ1 , ..., zˆn ∈ Zlm ; w ˆ1 , ...w ˆ n ∈ Zq . Let u = H1 (ID) for an identity ID and w = H2 (m) for a message m; parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, and w as a bit string (w1 , ..., wn ) ∈ {0, 1}n. We further define the following functions for u and w as follows: F (u) = x +
l
x ˆi ui − lu ku , J(u) = y +
i=1
K(w) = z +
n
l
zˆi wi − lm km , L(w) = w +
i=1
yˆi ui ,
i=1 n
w ˆi wi .
i=1
C constructs a set of public parameters as follows: g1 = g α g2 = g β −l k +x u = g2 u u g y m = g2−lm km +z g w for 1 ≤ i ≤ l, u ˆi = g2xˆi g yˆi m ˆ i = g2zˆi g wˆi for 1 ≤ i ≤ n All the above public parameters are passed to A. C also picks x ∈ Zq as adjudicator’s private key, sets y = g x as adjudicator’s public key. y is passed to the adversary A as well. Note that the master-key will be g αβ and we have the following equations:
84
L. Zhang, Q. Wu, and B. Qin
u
l
i=1
F (u) J(u)
uˆui i = g2
g
and m
n
i=1
K(m) L(m)
i m ˆw i = g2
g
.
Stage 2. C simulates all the oracles as follows: UKeyGen-Oracle: Upon receiving a query for a private key of an identity ID, C computes u = H1 (ID) and parses u as a bit string (u1 , ..., ul ) ∈ {0, 1}l . Although C does not know the master-key, it still can construct the private key by assuming F (u) = 0 mod q. It randomly chooses r ∈ Zq and computes the private key as (d0 , d1 ) =
−J(u)/F (u) g1 (u
l i=1
−1/F (u) r u ˆui i )r , g1 g
.
By letting rˆ = r − α/F (u), it can be verified that (d0 , d1 ) is a valid private key, shown as follows: −J(u)/F (u)
d0 = g1 = = = = d1 =
(u
l
uˆui i )r
i=1 −J(u)/F (u) F (u) J(u) r F (u) g1 (g2 g ) = g −αJ(u)/F (u) (g2 g J(u) )r F (u) F (u) F (u) g −αJ(u) F (u) (g2 g J(u) )α/F (u) (g2 g J(u) )−α/F (u) (g2 g J(u) )r F (u) g −αJ(u)/F (u) g αβ g αJ(u)/F (u) (g2 g J(u) )rˆ l F (u) F (u) g αβ (g2 g J(u) )rˆ = g2α (g2 g J(u) )rˆ = g2α (u u ˆui i )rˆ i=1 −1/F (u) r r−α/F (u) rˆ g1 g =g =g
If F (u) = 0 mod q, since the above computation cannot be performed (division by 0), C aborts. To make it simple, C will abort if F (u) = 0 mod lu . The equivalency can be observed as follows. l The assumption lu (l+1) < q implies 0 ≤ lu ku < q and 0 ≤ x + i=1 x ˆi ui < q. We have −q < F (u) < q which implies if F (u) = 0 mod q then F (u) = 0 mod lu . Hence, F (u) = 0 mod lu implies F (u) = 0 mod q. Thus the former condition will be sufficient to ensure that a private key can be computed without abort. Sign-Oracle: For a given query of a signature on an identity ID and a message m, C computes u = H1 (ID), w = H2 (m), parses u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, and w as a bit string (w1 , ..., wn ) ∈ {0, 1}n. If F (u) = 0 mod lu , C can just construct a private key for ID as in a UKeyGen-Oracle query, and then use the Sign algorithm to create a signature on m. If F (u) = 0 mod lu , C will try to construct a signature in a similar way to the construction of a private key in a UKeyGen-Oracle query. Assume K(w) = 0 mod lm . Using the argument mentioned above, this implies K(w) = 0 mod q, given the assumption lm (n + 1) < q. The signature can be constructed by first randomly selecting ru , rm ∈ Zq
Identity-Based Verifiably Encrypted Signatures without Random Oracles
85
and then computing σ = (σ1 , σ2 , σ3 ) l n −1/K(m) rm ru ui ru −L(m)/K(m) wi rm = (u u ˆ i ) g1 (m m ˆ i ) , g1 g ,g =
i=1
g2α (u
i=1
l i=1
uˆui i )ru (m
n i=1
ˆm i r m ˆw , g rˆm , g ru i )
where rˆm = rm − α/K(m). If K(m) = 0 mod lm , C aborts. VESign-Oracle: On input an identity ID and a message m, let u = H1 (ID) and w = H2 (m), parse u as a bit string (u1 , ..., ul ) ∈ {0, 1}l, and w as a bit string (w1 , ..., wn ) ∈ {0, 1}n. C performs the following steps: 1. Submit (ID, m) to the Sign-Oracle; if the Sign-Oracle does not abort, an ordinary signature σ = (σ1 , σ2 , σ3 ) on m will be returned. 2. Select r¯v ∈ Zq , compute σ ¯1 = σ1 y r¯v , σ ¯2 = σ2 , σ ¯3 = σ3 , σ ¯4 = g r¯v . 3. Output σ ¯ = (¯ σ1 , σ ¯2 , σ ¯3 , σ ¯4 ). Adjudication-Oracle: On input an identity ID, a message m and a verifiably encrypted signature σ on m under identity ID, C can use the Adjudication algorithm of our scheme to produce the ordinary signature, since C knows the adjudicator’s private key. Stage 3. Finally, A outputs a verifiably encrypted signature σ ¯ ∗ = (¯ σ1∗ , σ ¯2∗ , σ ¯3∗ , σ ¯4∗ ) ∗ ∗ ∗ ∗ ∗ ∗ on a message m under identity ID . Let u = H1 (ID ), w = H2 (m ), represent u∗ as (u∗1 , ..., u∗l ) ∈ {0, 1}l , w∗ as (w1∗ , ..., wn∗ ) ∈ {0, 1}n; if F (u∗ ) = 0 mod q or K(w∗ ) = 0 mod q, C aborts. Otherwise, since C knows the adjudicator’s private key, he can extract the ordinary signature σ ∗ = (σ1∗ , σ2∗ , σ3∗ ) on m from σ ¯∗. By our setting, we have u
l i=1
uˆui i
=g
J(u∗ )
,m
n i=1
∗
K(w ) i m ˆw . i =g
∗
Since σ must satisfy e(σ1∗ , g) = e(g1 , g2 )e(u
l i=1
we have g αβ =
u∗
uˆi i , σ3∗ )e(m σ1∗
σ3∗
J(u∗ )
σ2∗ K(w
∗)
n i=1
w∗
m ˆ i i , σ2∗ ),
.
This is the solution of the CDH Problem. Let u ¨1 , ..., u¨qH be the output of the hash function H1 appearing in either UKeyGen-Oracle or in Sign-Oracle queries not involving the challenge identity
86
L. Zhang, Q. Wu, and B. Qin
ID∗ , and let m ¨ 1 , ..., m ¨ qM be the output of the hash function H2 in the SignOracle. We have qH ≤ qe + qs and qM ≤ qs . We also define the events Ai , A∗ , Bi , B ∗ as follows: Ai A∗ Bi B∗
: F (¨ ui ) = 0 mod lu where i = 1, ..., qH : F (u∗ ) = 0 mod q : K(m ¨ j) = 0 mod lm where j = 1, ..., qM : K(m∗ ) = 0 mod q
The probability of C not aborting is: Pr[¬abort] ≥ Pr[
qH
qM
Ai ∧ A∗ ∧
i=1
Bj ∧ B ∗ ].
j=1
H M Note that the events qi=1 Ai ∧ A∗ and qj=1 Bj ∧ B ∗ are independent. The assumption lu (l+1) < q implies that if F (u) = 0 mod q then F (u) = 0 mod lu . In addition, it also implies that if F (u) = 0 mod lu , there will be a unique choice of ku with 0 ≤ ku ≤ l such that F (u) = 0 mod q. Since ku , x and x ˆ1 , ..., x ˆl are randomly chosen, we have Pr[A∗ ] = Pr[F (u∗ ) = 0 mod q ∧ F (u∗ ) = 0
mod lu ]
= Pr[F (u∗ ) = 0 mod lu ] Pr[F (u∗ ) = 0 1 1 = lu l + 1
mod q|F (u∗ ) = 0
mod lu ]
On the other hand, we have: Pr[
qH
Ai |A∗ ] = 1 − Pr[
i=1
qH
¬Ai |A∗ ]
i=1
≥1−
qH
Pr[¬Ai |A∗ ]
i=1
Note F (¨ ui ) = 0 mod lu and F (¨ uj ) = 0 mod lu are independent, where i = j, since the outputs of F (¨ ui ) and F (¨ uj ) will differ in at least one randomly chosen value. Also since the events Ai and A∗ are independent for any i, we have Pr[¬Ai |A∗ ] = 1/lu . Hence we have Pr[
qH
Ai ∧ A∗ ] = Pr[A∗ ] Pr[
i=1
qH
Ai |A∗ ]
i=1
1 qe + qs ≥ (1 − ) lu (l + 1) lu and setting lu = 2(qe + qs ) as in the simulation gives Pr[
qH
i=1
Ai ∧ A∗ ] ≥
1 . 4(qe + qs )(l + 1)
Identity-Based Verifiably Encrypted Signatures without Random Oracles
87
A similar analysis for the Sign-Oracle queries gives the result Pr[
q M
Bj ∧ B ∗ ] ≥
i=1
1 . 4qs (n + 1)
And we get that Pr[¬abort] ≥ Pr[
qH
i=1
Ai ∧ A∗ ] Pr[
qM
Bj ∧ B ∗ ]
j=1
1 ≥ . 16(qe + qs )qs (l + 1)(n + 1) If the simulation does not abort, A will create a valid forgery with probability at least . Algorithm C can then compute g αβ from the forgery as shown above. The time complexity of algorithm C is dominated by the exponentiations and, for larger values of l and n, by the multiplications performed in the UKeyGen-Oracle, Sign-Oracle, VESign-Oracle, and Adjudication-Oracle queries. For UKeyGen-Oracle, Sign-Oracle, VESign-Oracle, and Adjudication-Oracle, there are O(l), O(l + n), O(l + n) and O(l + n) multiplications in G1 and O(1), O(1), O(1) and O(1) exponentiations in G1 . Hence, the time complexity of C is t + O(qe l + (qs + qv + qa )(l + n))τm + O(qe + qs + qv + qa )τe . Thus, the theorem follows. Theorem 2. If there exists an adversary A who has an advantage in an attack modeled by Game 2, within a time span t and querying at most qe , qs , qv and qa times UKeyGen-Oracle, Sign-Oracle, VESign-Oracle, and Adjudication-Oracle, respectively; then the aggregate extraction problem in G1 can be solved within time t + O(qe l + (qs + qv + qa )(l + n))τm + O(qe + qs + qv + qa )τe and with probability 1 . 16(qe + qs )qs (l + 1)(n + 1) Due to page limitation, the proof will be presented in the full version of this paper.
6
Conclusion
We presented an identity-based verifiably encrypted signature. The proposal is proven existentially unforgeable and opaque against adaptively chosen-message attack assuming that the CDH problem (and its equivalent variant of the aggregate extraction problem) is hard. Unlike existing schemes, our construction does not rely on the existence of random oracles. Our ID-VES scheme is also efficient and can be efficiently applied to fair exchange protocols.
88
L. Zhang, Q. Wu, and B. Qin
Acknowledgments and Disclaimer Thanks go to Josep Domingo-Ferrer for his comments on a draft of this paper. The authors are partly supported by the Spanish Government through projects TSI2007-65406-C03-01 “E-AEGIS” and CONSOLIDER INGENIO 2010 CSD2007-00004 “ARES”, and by the Government of Catalonia under grant 2009 SGR 1135. They are with the UNESCO Chair in Data Privacy, but their views do not necessarily reflect the position of UNESCO nor commit that organization.
References 1. Asokan, N., Shoup, V., Waidner, M.: Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communications 18(4), 593–610 (2000) 2. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM CCCS 1993, pp. 62–73. ACM Press, New York (1993) 3. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003) 4. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001) 5. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004) 6. Cheng, X., Liu, J., Wang, X.: Identity-based aggregate and verifiably encrypted signatures from bilinear pairing. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Lagan´ a, A., Lee, H.P., Mun, Y., Taniar, D., Tan, C.J.K. (eds.) ICCSA 2005. LNCS, vol. 3483, pp. 1046–1054. Springer, Heidelberg (2005) 7. Coron, J.-S., Naccache, D.: Boneh et al.’s k-element aggregate extraction assumption is equivalent to the diffie-hellman assumption. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 392–397. Springer, Heidelberg (2003) 8. Galindo, D., Herranz, J., Kiltz, E.: On the generic construction of identity-based signatures with additional properties. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 178–193. Springer, Heidelberg (2006) 9. Gorantla, M., Saxena, A.: Verifiably encrypted signature without random oracles. In: Chakraborty, G. (ed.) ICDCIT 2005. LNCS, vol. 3816, pp. 357–363. Springer, Heidelberg (2005) 10. Gu, C., Zhu, Y.: An ID-based verifiably encrypted signature scheme based on Hess’s scheme. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 42–52. Springer, Heidelberg (2005) 11. Gu, C., Zhu, Y., Zhang, Y.: An ID-based optimistic fair signature exchange protocol from pairings. In: Hao, Y., Liu, J., Wang, Y.-P., Cheung, Y.-m., Yin, H., Jiao, L., Ma, J., Jiao, Y.-C. (eds.) CIS 2005. LNCS, vol. 3802, pp. 9–16. Springer, Heidelberg (2005) 12. Hess, F.: Efficient identity based signature schemes based on pairings. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 310–324. Springer, Heidelberg (2003) 13. Hess, F.: On the security of the verifiably-encrypted signature scheme of Boneh, Gentry, Lynn and Shacham. Information Processing Letters 89(3), 111–114 (2004)
Identity-Based Verifiably Encrypted Signatures without Random Oracles
89
14. Kwon, S., Lee, S.H.: An efficient ID-based verifiably encrypted signature scheme based on Hess’s scheme. In: Dawson, E., Wong, D.S. (eds.) ISPEC 2007. LNCS, vol. 4464, pp. 93–104. Springer, Heidelberg (2007) 15. Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 465–485. Springer, Heidelberg (2006) 16. Paterson, K., Schuldt, J.: Efficient identity-based signatures secure in the standard model. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 207–222. Springer, Heidelberg (2006) 17. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) 18. Shao, Z.: Certificate-based verifiably encrypted signatures from pairings. Information Sciences 178(10), 2360–2373 (2008) 19. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005) 20. Zhang, F., Safavi-Naini, R., Susilo, W.: Efficient verifiably encrypted signature and partially blind signature from bilinear pairings. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 191–204. Springer, Heidelberg (2003) 21. Zhang, J., Mao, J.: A novel verifiably encrypted signature scheme without random oracle. In: Dawson, E., Wong, D.S. (eds.) ISPEC 2007. LNCS, vol. 4464, pp. 65–78. Springer, Heidelberg (2007) 22. Zhang, J., Zou, W.: A robust verifiably encrypted signature scheme. In: Zhou, X., Sokolsky, O., Yan, L., Jung, E.-S., Shao, Z., Mu, Y., Lee, D.C., Kim, D.Y., Jeong, Y.-S., Xu, C.-Z. (eds.) EUC Workshops 2006. LNCS, vol. 4097, pp. 731–740. Springer, Heidelberg (2006) 23. Zhang, Z., Feng, D., Xu, J., Zhou, Y.: Efficient ID-based optimistic fair exchange with provable security. In: Qing, S., Mao, W., L´ opez, J., Wang, G. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 14–26. Springer, Heidelberg (2005)
How to Prove Security of a Signature with a Tighter Security Reduction Fuchun Guo, Yi Mu, and Willy Susilo Centre for Computer and Information Security Research School of Computer Science and Software Engineering University of Wollongong, Wollongong NSW2522, Australia {fg278,ymu,wsusilo}@uow.edu.au
Abstract. It is a challenging task to construct a signature that it can be tightly reduced to a weak security assumption in the standard model. In this paper, we introduce a simple chameleon-hash-based transformation and show that it can tighten a security reduction of a signature scheme that suffers from a loose security reduction. Taking the Waters’ signature from Eurocrypt 2005 as an example, we demonstrate an improvement of the security reduction that the probability of success in the security reduction can be made as a constant and independent of the signature queries from an adversary. Our reduction methodology has never been considered in the literature and is applicable to many signature schemes such as identity-based signature schemes, online/offline signatures, and signatures with strong unforeability. Keywords: Signature, Security Proof, Chameleon Hash.
1
Introduction
A digital signature scheme is said secure, if forging a valid signature is not easier than solving a hard mathematical problem. In a security proof of signatures, if an adversary can successfully forge a valid signature with probability , one can take advantage of its ability to solve the underlying hard mathematical problem successfully with probability . This process is called security reduction. The relation for these two probabilities is therefore written as = λ for some parameter λ (≥ 1). The hardness of forging a signature and solving the underlying problem is normally not at the same level unless the security reduction is tight, i.e., λ is close to 1. Unfortunately, how to achieve a secure signature whose security can be tightly reduced to a standard mathematical problem (so-called weak assumption), such as the Computational Diffie-Hellman (CDH) problem, in the standard model, is often a challenging task. A desirable security proof should capture three properties: tightness, weak assumption, and standard model. The well-known signature schemes such as [11,7,2,12,17,1,20,18,15] are unable to capture all these properties. To date, several signature schemes (e.g., [12,17]), whose security is tightly reduced to a weak assumption, rely on random oracles. The signature schemes J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 90–103, 2009. c Springer-Verlag Berlin Heidelberg 2009
How to Prove Security of a Signature with a Tighter Security Reduction
91
[11,7,1,6] where the security can be tightly reduced to a hard assumption without random oracles must rely on a strong assumption, such as the strong RSA assumption or q-Strong Diffie-Hellman assumption or LRSW. In 2005, Waters [20] presented an efficient identity-based encryption that can be modified into a signature whose security proof is based on the CDH assumption in the standard model. However, the reduction probability varies in the sense that it depends on the number of signature queries from the adversary. If the adversary can forge a valid signature by querying only a few signatures, the security reduction is then tighter; otherwise, if the adversary has to query a large number of signatures before outputting a valid one, then the reduction is loose. In this paper, we introduce a very interesting solution to this problem, by making use of a chameleon hash and construct a new signature scheme, which is close to all the properties outlined above. The key contribution in this paper is that we demonstrate how to transfer a loose reduction to a tighter reduction with a constant probability from Waters scheme [20], where the reduction is independent of the number of signature queries. 1.1
Related Works
The notion of chameleon hash, or trapdoor hash function, was first introduced by Krawczyk and Rabin [16], who utilized it to construct chameleon signatures where the signed message is blind to the third parties. The chameleon hash is associated with a public hash key and a private hash key (trapdoor key). Loosely speaking, given the chameleon hash and the public hash key only, collisions are difficult to find, but it is easy when the private hash key is also known. Formally, let Hch be the chameleon hash and (m, s) be the input, it is hard/easy to find a new pair (m , s ) such that Hch (m, s) = Hch (m , s ) without/with the private hash key. One of most notable applications of chameleon hashing is the online/offline signature [9] due to Shamir and Tauman [19]. Another well-known application of chameleon hash is due to Boneh and Boyen [1] who applied it to a short signature construction without random oracles. Their first scheme was proved secure against weak chosen message attacks, where the adversary must output all messages to be queried before receiving the public key. Using the chameleon hash, the signature security then is transformed into strong existential unforgeability against chosen message attacks, which is slightly stronger than the standard notion. In 2005, Waters [20] introduced an efficient Identity-Based Encryption (IBE) scheme which is secure in the standard model under the CDH assumption and he also showed how to construct a signature from IBE with the same security result. However, the reduction is not tight with long public key size. Recently, Hohenberger and Waters [15] showed how the public key size can be shortened but the security still has the problem of loose reduction. Let us revisit some key points of Waters signature scheme, which we will tighten. Let the message space in his scheme be a n-bit length string and M [i] be the ith bit of message m. Define M ⊂ {1, 2, · · · , n} as the set of indices for i such
92
F. Guo, Y. Mu, and W. Susilo
that M [i] = 1. Let u0 , u1 , u2 , · · · , un be n + 1 elements randomly chosen from G of bilinear map e : G × G → GT . The format of message m in the scheme is defined as u0 i∈M ui . In the proof, each ui for all i = 0, 1, · · · , n in the setup phase of simulation contains the element g xi b , where xi is a small exponent and g b is one of the elements in the CDH problem. To be able to reduce the forgery to the CDH assumption (or to be able to solve the CDH problem), the requirements in signature query phase and the forgery phase are as follows. (1) Each signature query on message mi must satisfy that u0 i∈Mi ui includes the element g b for all signature queries; otherwise, the simulator will fail in a simulation. (2) The forged signature on message m∗ requires excluding g b from u0 i∈M∗ ui ; otherwise, the simulator cannot output the answer of the CDH problem. That is, some messages make g b ∈ u0 i∈M ui hold, but others do not. For simplicity, suppose the probability of u0 i∈M ui containing g b for a random message can be denoted by 1 − 1l (l > 1. Actually, the probability of the jth query on message mj such that g b ∈ u0 i∈Mj ui holds is less than the ith message when i ≤ j), then the simulation will succeed with probability 1 1 Pr[¬ abort] = (1 − )qs · , l l where qs is the maximum number of signature queries that the forger asks. Thus, the reduction result depends on the number of signature querying, because qs makes the reduction vary. Unfortunately, if the forger, for example, has to query qs ≈ 230 signatures to be able to forge a valid signature, then the reduction has to be regarded as loose for any l in setting. 1.2
Our Contribution
As analyzed above, a loose reduction stems from the failure of signature simulation in the query phase and then decreases the successful probability of solving the assumption in forgery phase. This observation inspires us to explore a better approach for tightening Waters signature, i.e., to make every signature generation in the simulation successful. We find that the chameleon hash is the ideal candidate for us to achieve this goal. Intuitively, in our approach, after generating all public key parameters, the simulator first generates signatures on qs random messages and then translates them into what the adversary will query by using the chameleon hash. Our contributions in this paper are twofold: 1. We apply a chameleon hash function to the Waters signature scheme and show that λ can be made less than 2n + 1 in our reduction, compared to 8qs (n + 1) of the Waters’ result; therefore, our reduction is much tighter and independent of the adversary’s requirement of signature query. 2. We apply our method to other interesting aspects. (1) We construct a tighter reduction of identity-based signature scheme. (2) We achieve an online/offline signature scheme. (3) We prove that our signature possesses strong existential unforgeability against chosen message attacks.
How to Prove Security of a Signature with a Tighter Security Reduction
93
The rest of the paper is organized as follows. Some preliminaries including the detailed construction of chameleon hash are provided in Section 2. The signature scheme and its security proof are presented in Section 3. The extensions to our scheme are described in Section 4. The conclusion is given in Section 5.
2
Definitions
In this section, we provide the definitions of our signature scheme. 2.1
Signature and Security
A signature scheme consists of the three algorithms (KeyGen, Sign, Verify), for key generation, message signing, and signature verification, respectively. The security of a signature scheme in a standard notion is modeled with existential unforgeability under a chosen message attack and strong existential unforgeability under a chosen message attack, where the games between a challenger C and an adversary (or known as a forger) A are described respectively as follows : Existential Unforgeability – Setup: The challenger C runs algorithm KeyGen to obtain a pair of private key (signing) key and public (verification) key (SK, P K). P K is given to the adversary A. – Query: A makes a signature query on message mi of his choice under P K. C responds to each query with a valid signature σmi . A can ask qs message queries at most. – Forgery: A outputs a signature pair (m∗ , σm∗ ) and wins the game if 1. A did not make a signature query on m∗ ; 2. σm∗ is a valid signature on m∗ signed by P K. We define AdvA1 as the probability that A wins in the above game. Strong Existential Unforgeability – Setup: The challenger C runs algorithm KeyGen to obtain a pair of private key (signing) key and public (verification) key (SK, P K). P K is given to the adversary A. – Query: A makes a signature query on message mi of his choice under P K. C responds to each query with a valid signature σmi . A can ask qs message queries at most. – Forgery: A outputs a signature pair (m∗ , σm∗ ) and wins the game if 1. (m∗ , σm∗ ) is not any of (m1 , σm1 ), (m2 , σm2 ), · · · , (mqs , σmqs ); 2. σm∗ is a valid signature on m∗ signed by P K. We define AdvA2 as the probability that A wins in the above game. Definition 1. A signature scheme is (t, qs , )-(strong) existential unforgeability against chosen message attack if no forger (t, qs , )-breaks it, where the forger A runs in time at most t and makes at most qs signature queries. AdvA1 (AdvA2 ) is at least .
94
2.2
F. Guo, Y. Mu, and W. Susilo
Bilinear Map
Let G and GT be two cyclic groups of prime order p. Let g be a generator of G. A map e : G × G → GT is called a bilinear map, if it satisfies the following properties: – Bilinearity: for all u, v ∈ G and a, b ∈ Zp , we have e(ua , v b ) = e(u, v)ab . – Non-degeneracy: e(g, g) = 1. I.e., e(g, g) is a generator of GT . – Computability: It is efficient to compute e(u, v) for all u, v ∈ G. 2.3
Complexity
The security of our signature scheme will be reduced to the hardness of the Discrete Log (DL) problem and the Computational Diffie-Hellman (CDH) problem in the group in which the signature is constructed. We briefly review the definition of the DL problem and the CDH problem here: Definition 2. Let G be the group defined as above with a generator g and element g a ∈ G where a is selected uniformly at random from Zp , the DL problem in G is to compute a. Definition 3. Let G be the group defined as above with a generator g and elements g a , g b ∈ G where a, b are selected uniformly at random from Zp , the CDH problem in G is to compute g ab . Definition 4. We say that the (t, )-CDH(DL) assumption holds in the group of G if there is no algorithm running in time t at most can solve the CDH(DL) problem in G with the probability at least . 2.4
Chameleon Hash
Let g ∈ G be the element from the paring e : G × G → GT and β be a random value from Zp . Set the element g3 = g β . The public chameleon hash key is (g, g3 ) and the private chameleon hash key is β. The input elements of chameleon hash is a pair (m, s) both from Zp and the output is an element of G, where the chameleon hash is defined as Hch (m, s) = g3m g s . Given a new m = m and β, it is easy to compute s = (m − m )β + s such that Hch (m , s ) = Hch (m, s). However, when the chameleon hash is secure and given the tuple (m, s, Hch (m, s)) only, any adversary cannot find a new pair (m , s ) in polynomial time such that both m = m and Hch (m , s ) = Hch (m, s) hold [19].
3
The Scheme
In this section, we show how to tighten the security reduction in the Waters signature scheme, where the reduction is independent of signature query.
How to Prove Security of a Signature with a Tighter Security Reduction
3.1
95
Signature Scheme
In our signature scheme, all messages and random values are assumed to be in Zp . Let e : G × G → GT be the bilinear map, G, GT be two cyclic groups of order p and g be the corresponding generator in G. KeyGen: Choose a secret α ∈ Zp at random and g2 , g3 , u0 randomly from G. Set the value g1 = g α . Choose a n-length vector u = (u1 , u2 , · · · , un ), where all ui ∈ G and a secure collision-resistant hash function H : {0, 1}∗ → {0, 1}n, defined in Waters signature scheme [20]. The public key P K and the private key SK are respectively P K = (g, g1 , g2 , g3 , u0 , u, H), SK = g2α . Sign: To generate a signature on m ∈ Zp : – Pick a random s ∈ Zp and set M = H(g3m g s ) ∈ {0, 1}n; – Let M [i] be the ith bit of hashing value M . Define M ⊂ {1, 2, · · · , n} to be the set of indices for i such that M [i] = 1. Pick a random r ∈ Zp and set the signature to be σm = σ1 , σ2 , σ3 = g2α (u0 ui )r , g r , s . i∈M
Verify: Given a signature σm = (σ1 , σ2 , σ3 ), a message m and the public key P K, the verifier first computes M = H(g3m g σ3 ) and then accepts the signature (σ1 , σ2 , σ3 ) on m signed by P K if the following equation holds e(σ1 , g) = e(g2 , g1 )e(u0 ui , σ2 ). i∈M
Correctness
e(σ1 , g) = e g2α (u0 ui )r , g i∈M
=
e(g2α , g)
· e (u0 ui )r , g i∈M
= e(g2 , g1 )e u0
ui , g r
i∈M
= e(g2 , g1 )e(u0
ui , σ2 ).
i∈M
Efficiency: Adding the random value s in signing, we actually do not sign message m directly but the output of hashing g3m g s . Thus, compared to Waters signature scheme, we add one 2-multi-exponent computation in signing and verification, and a 160 bit value s to the signature length when |p| = 160.
96
3.2
F. Guo, Y. Mu, and W. Susilo
Security Proof
In our construction, we sign M = H(g3m g s ) instead of message m. According to the security model definition, the forger will get signature queries from the simulator and those queries can be seen as the signatures on M1 , M2 , · · · , Mqs of pairs (m1 , s1 ), (m2 , s2 ), · · · , (mqs , sqs ), where s1 , s2 , · · · , sqs are set by the simulator. There are two kinds of adversary in forging a valid signature: Adversary I: the forger outputs an new pair of (m∗ , s∗ ), such that ∗
∗
m
g3m g s = g3 j g sj , m∗ = mj ∈ {m1 , m2 , · · · , mqs }. Then, suppose the signature on mi is (σ1 , σ2 , σ3 ), and the forger can output (σ1 , σ2 , s∗ ) as a valid forged signature on m∗ . Adversary II: the forger outputs a new pair of (m∗ , s∗ ), such that ∗
∗
g3m g s = g3mi g si , where the valid forged signature on m∗ is (σ1∗ , σ2∗ , σ3∗ ). Theorem 1. The signature scheme is (t, qs , )-existential unforgeability against the adversary I, assuming that the (t , )-DL assumption holds in G: t = t + O(qs (ntm + te )), = , where tm , te are the time for a multiplication and an exponentiation in G, respectively. Proof. The proof is similar to that of chameleon hash. Supposing there exists a (t, qs , )-adversary A against our scheme, we construct an algorithm B that solves the DL problem. Algorithm B is given as input a random pair (g, g a ) and is to output a as its goal. The interaction between algorithm B and A is as follows: To generate the signature system except the element g3 ∈ P K, B simulates all other public keys and private key as the original KeyGen algorithm by using g as the basic generator, and sets g3 = g a . Then, knowing the private key, B can respond any signature query from the adversary A. Suppose the adversary queried the signatures on m1 , m2 , · · · , mqs and B responded on each signature using random values s1 , s2 , · · · , sqs . Once the adversary finally outputs a valid forged signature (σ1 , σ2 , s∗ ) on m∗ = mj and the signature satisfies our definition above, we obtain: ∗ ∗ m g3m g s = g3 j g sj , s −s∗
and extract a = mj∗ −m3 j (mod p), which is the solution to DL problem. Absolutely, we can use it to solve the CDH assumption. The time complexity of the algorithm B is dominated by the signature generations. Since there are O(n) multiplications and O(1) exponentiations for each signature query, the time complexity of B is t = t + O(qs (ntm + te )), where tm is the time for multiplication and te is the time for exponentiation. 2
How to Prove Security of a Signature with a Tighter Security Reduction
97
Theorem 2. When the collision-resistant hash function is secure, the signature scheme is (t, qs , )-existential unforgeability against the adversary II, assuming that the (t , )-CDH assumption holds in G: t = t + O(qs (ntm + te )), = , 2n + 1 where tm , te are the time for a multiplication and an exponentiation in G, respectively. Proof. Suppose there exists a (t, qs , )-adversary A against our scheme, we construct an algorithm B that solves the CDH problem. Our approach is an extension to the proof of [20]. Algorithm B is given as input a random tuple (g, g a , g b ) and the goal is to output g ab . B works by interacting with A as follows: Setup: To generate the public key parameters P K = (g, g1 , g2 , g3 , u0 , u, H), B randomly chooses four integers k0 , k1 (k0 = k1 ), y0 and β, such that k0 , k1 ∈ [0, 2n], y0 ∈ Zp and sets g3 = g β ∈ G. B then randomly chooses a n-length vector x = (xi ) with all xi randomly from {1, 2} and another n-length vectors y = (yi ) with all yi randomly from Zp . After choosing a secure collision-resistant hash function H, B defines the parameters as: g1 = g a , g2 = g b , g3 = g β , u00 = g2−k0 g y0 , u01 = g2−k1 g y0 , ui = g2xi g yi . The following process is to choose a proper parameter from {u00 , u01 } as u0 ∈ P K. B randomly chooses γ1 , γ2 , · · · , γ2qs ∈ Zp and computes Mi = H(g γi ) ∈ {0, 1}n for all i = 1, 2, · · · , 2qs . Let F0 (M ) = xi − k0 , F1 (M ) = xi − k1 , J(M ) = y0 + yi . i∈M
i∈M
i∈M
If there are more than qs number of γi such that Fj (Mi ) = 0 for Mi ∈ {M1 , M2 , · · · , M2qs }, then there must be more than qs number of γi satisfying F1−j (Mi ) = 0, for Mi ∈ {M1 , M2 , · · · , M2qs }. Suppose j = 1 and F0 (Mi ) = 0 holds for γ1 , γ2 , · · · , γqs , then B sets u0 = u00 and the public key P K to be P K = (g, g1 , g2 , g3 , u0 , ui , H). We have the following equation holds F (M) J(M) u0 u i = g2 0 g . i∈M
Then, B sends the P K to the adversary A, stores γ1 , γ2 , · · · , γqs and responds signature queries in the following phase. Query: A makes signature queries. To respond a signature query on mi , B firstly chooses γi from the Setup phase, picks a random r ∈ Zp and sets the signature on mi to be: − J(Mi ) 1 − F (M F (M )r F (M ) ) σmi = (σ1 , σ2 , σ3 ) = g1 0 i · g2 0 i · g J(Mi )r , g r · g1 0 i , γi − mi β .
98
F. Guo, Y. Mu, and W. Susilo
Let r = r −
a F0 (Mi ) ,
we have
Mi = g3mi g σ3 = g mi β+σ3 = g γi , σ1 = g2α (u0 ui )r i∈Mi
= =
F (M ) g2a (g2 0 i g J(Mi ) )r a F (M ) r− g2a (g2 0 i g J(Mi ) ) F0 (Mi )
J(Mi ) 0 (Mi )
−F
= g1
g
) · g2−a · g1
F (Mi )r
· g2 0
J(Mi ) 0 (Mi )
−F
F (Mi ) J(Mi ) r
= g2a (g2 0
· g J(Mi )r ,
1 − F (M 0 i)
σ2 = g r = g r · g1
σ3 = si = γi − mi β Therefore, σmi is a valid signature on mi . B gives it to the adversary. Forgery: The adversary outputs a valid forged signature σm∗ = (σ1∗ , σ2∗ , σ3∗ ) on m∗ , such that ∗ ∗ g3m g σ3 = g3mi g si . ∗
∗
If H(g3m g σ3 ) = H(g3mi g si ), it is contrary to the security of hash function; otherwise, we have ∗ ∗ H(g3m g σ3 ) = H(g3mi g si ). ∗
∗
Let M ∗ = H(g3m g σ3 ), if F0 (M ∗ ) = 0, abort; otherwise, set the forged signature as σm∗ = (σ1∗ , σ2∗ , σ3∗ ) = g2α (u0 ui )r , g r , s . i∈M∗
B computes and outputs g2α (u0 i∈M∗ ui )r σ1∗ = (σ2∗ )J(M ∗ ) g rJ(M ∗ ) F (M ∗ )
∗
g a (g 0 g J(M ) )r = 2 2 rJ(M ∗ ) g = g2α = g ab , which is the solution to the given CDH problem. This completes the description of the simulation. It remains to analyze the probability of B for not aborting. From the simulation, we know that B will only abort in the forgery phase and we have
Pr[¬ abort] = Pr F0 (M ∗ ) = 0 .
How to Prove Security of a Signature with a Tighter Security Reduction
99
According to our definition, all xi ∈ {1, 2}, so we have the following range for any M ∈ {0, 1}n xi ∈ [0, 2n]. i∈M
The value k1 is universal random and according to the definition of F0 (M ) = i∈M xi − k1 , we have
1 Pr[¬ abort] = Pr F0 (M ∗ ) = 0 = . 2n + 1 That is, if the forger can output a valid forged signature with probability , the algorithm B will solve the CDH problem with probability /(2n + 1). The time complexity of the algorithm B is dominated by the exponentiations and multiplications for a large value of n. Since there are O(n) multiplications and O(1) exponentiations in the queries, the time complexity of B is t = t + O(qs (ntm + te )), where tm is the time for multiplication and te is the time for exponentiation. 2
4
Extension
Using the chameleon hash in signature construction, we can extend our methodology to the following three aspects. (1) Our method can be naturally applied to identity-based signatures. (2) It can be applied to the online/offline signing. (3) If the chameleon hash is secure, we can obtain the property of strong existential unforgeable security in our signature scheme, which can be also applied to a generic construction. 4.1
Identity-Based Signature
Paterson and Schuldt [18] proposed an identity-based signature directly utilizing a 2-level Hierarchical IBE [14,13] based on Waters’ IBE scheme but the reduction to the CDH problem is loose since it depends on the adversary’s regarding of both private key numbers and signature numbers. Using our signature construction, the reduction can be tighter where it depends on private key numbers only because the simulator is able to generate any signature query in query phase. The new IBS is not hard in construction by using Waters’ IBE as the first hierarchical level and our signature scheme as the second hierarchical level, where the proof is similar to Paterson-Schuldt’s proof. Thus, we omit the detailed scheme and proof here. 4.2
Online/Offline Signing
In our signing phase, the final signature on m is σm = σ1 , σ2 , σ3 = g2α (u0 ui )r , g r , s , i∈M
100
F. Guo, Y. Mu, and W. Susilo
where the input of hashing computation is g3m g s . Let g3 = g β for a random β ∈ Zp and the online/offline signing can be describes as follows: KeyGen: The final public key is THE P K same as in Section 3 and the private key is SK = (g2α , β). Sign: The signing is divided into the offline phase for pre-computation and the online phase for signature extraction. – Offline Phase • Randomly choose r, m, s ∈ Zp and compute σ1 , σ2 = g2α (u0 ui )r , g r , where M = H(g3m g s ). i∈M
• Store σ1 , σ2 , m, s for online computation and signature generation. – Online Phase: Given the message m ∈ Zp , compute s = (m − m )β + s and output σm = (σ1 , σ2 , s ) as the final signature on m . The signature is correct because
g3m g s = g m β g (m−m )β+s = g mβ+s = g3m g s . The signature format is not changed in online/offline construction and then the verification will be the same. In the above online/offline signing phase, the cost in online phase is only one modular multiplication, which is much faster than the exponentiations. 4.3
Strong Unforgeable Security
To achieve the strong unforgeable security, we need another collision-resistant hash function H1 : {0, 1}∗ → Zp with the other P K parameters and the construction based on the online/offline signing can be described as follows: Sign: The signing is divided into the offline phase for pre-computation and the online phase for signature extraction. – Offline Phase: Same as above. – Online Phase: Given the message m ∈ {0, 1}∗, (1) first compute m = H1 (σ1 , σ2 , m ) ∈ Zp and (2) then output s = (m − m )β + s . The final signature on m is σm = (σ1 , σ2 , s ). Verify: Given a signature σm = (σ1 , σ2 , σ3 ), a message m ∈ {0, 1}∗ and the public key P K. The verifier does as follows:
– Compute m = H1 (σ1 , σ2 , m ) and then M = H(g3m g σ3 ); – Accept the signature (σ1 , σ2 , σ3 ) on m signed by P K if the following equation holds e(σ1 , g) = e(g2 , g1 )e(u0 ui , σ2 ). i∈M
How to Prove Security of a Signature with a Tighter Security Reduction
101
Theorem 3. Assuming the security of chameleon hash and the hardness of CDH assumption, the above signature scheme possesses strong unforgeable security. Suppose the adversary queries messages mi and the signatures are σmi = σmi ,1 , σmi ,2 , σmi ,3 , for all i = 1, 2, · · · , qs . Once the adversary outputs a valid signature (σ1∗ , σ2∗ , σ3∗ ) on m∗ , the cases are as follows: – m∗ = mi for any i ∈ {m1 , m2 , · · · , mqs }: It means that the adversary can forge a signature on a new message m∗ . When the security of hash function H1 holds, we have H1 (σ1∗ , σ2∗ , m∗ ) = H1 (σmi ,1 , σmi ,2 , mi ), for all i = 1, 2, · · · , qs . H (σ∗ ,σ∗ ,m∗ )
∗
H1 (σm
,1 ,σm ,2 ,mi )
i i If g3 1 1 2 g σ3 = g3 g σmi ,3 holds for any i ∈ {1, 2, · · · , qs }, it will be contrary to the security of chameleon hash; H1 (σmi ,1 ,σmi ,2 ,mi ) σm ,3 H (σ∗ ,σ∗ ,m∗ ) σ∗ otherwise, g3 1 1 2 g 3 = g3 g i for all i = 1, 2, · · · , qs , then it is contrary to the hardness of CDH assumption since we can use the attack to break the CDH problem as in Theorem 2.
– m∗ = mj where j ∈ {m1 , m2 , · · · , mqs }: There will be two cases according to the forged signature (σ1∗ , σ2∗ , σ3∗ ) = (σmj ,1 , σmj ,2 , σmj ,3 ): • (σ1∗ , σ2∗ ) = (σmj ,1 , σmj ,2 ): This case will have the same result as above due to the inequality of output from hashing computation; • (σ1∗ , σ2∗ ) = (σmj ,1 , σmj ,2 ): This case has the same output of H1 hashH (σ1∗ ,σ2∗ ,m∗ ) σ∗ 3
ing computation but σ3∗ = σmj ,3 , which means that g3 1 H1 (σmi ,1 ,σmi ,2 ,mi ) σm ,3 g3 g i
g
=
for all i = 1, 2, · · · , qs , then the attack is also contrary to the CDH assumption. From the above, it is obvious that the strong unforgeable security is independent of our signature construction. Thus, the strong unforgeable security can be achieved in a generic way. Let a signature scheme (G, S, V), which denotes public key generation, signing and verification, respectively, be any existential unforgeability under a chosen message attack. Then, using the parameters from our above scheme, the generic way to extend to strong existential unforgeability under a chosen message attack can be described as follows: SysGen: The system parameters are SP = {G, S, V, H1 , g}. KeyGen: Let (pk, sk) be a pair of public/private key from G, randomly choose β ∈ Zp and set g3 = g β , the final public/private key of (P K, SK) is P K = (pk, g3 ), SK = (sk, β). Sign: Let σγ be a signature on g γ output from S using sk where γ ∈ Zp is secretly chosen at random. (1) First compute m = H1 (σγ , m) ∈ Zp and (2) then output s = γ − m β. The final signature on m is σm = (σγ , s ). Verify: Given the signature (σγ , s ), public key P K and system parameters SP , compute h = H1 (σγ , m). Accept the signature if σγ is a valid signature on g3h g s .
102
5
F. Guo, Y. Mu, and W. Susilo
Conclusion
A desirable signature scheme must capture all the keywords: “tightness”, “weak assumption” and “standard model” in the security proof. We showed how to transform a signature with a loose security reduction to a better scheme with a tighter security reduction. As an example, we provided an analysis to show why the Waters signature is not tight and then tighten the security reduction by applying a chameleon hash function. The security proof in our scheme demonstrated a constant probability that is independent from signature query. We also showed how to tighten an identity-based signature scheme, transform our scheme into online/offline signature and construct a signature scheme with strong unforgeable security.
References 1. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004) 2. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001) 3. Boneh, D., Shen, E., Waters, B.: Strongly unforgeable signatures based on computational diffie-hellman. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 229–240. Springer, Heidelberg (2006) 4. Cheon, J.H.: Security analysis of the strong diffie-hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006) 5. Camenisch, J.L., Hohenberger, S., Pedersen, M.: Batch verification of short signatures. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 246–263. Springer, Heidelberg (2007) 6. Camenisch, J.L., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004) 7. Cramer, R., Shoup, V.: Signature schemes based on the strong RSA assumption. ACM Trans. on Information and System Security 3(3), 161–185 (2000) 8. Chen, X., Zhang, F., Susilo, W., Mu, Y.: Efficient generic online/offline signatures without key exposure. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 18–30. Springer, Heidelberg (2007) 9. Even, S., Goldreich, O., Micali, S.: Online/offline digital signatures. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 263–275. Springer, Heidelberg (1990) 10. Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006) 11. Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999) 12. Goh, E.J., Jarecki, S.: A signature scheme as secure as the Diffie- Hellman problem. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 401–415. Springer, Heidelberg (2003)
How to Prove Security of a Signature with a Tighter Security Reduction
103
13. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002) 14. Horwitz, J., Lynn, B.: Toward hierarchical identity-based encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 466–481. Springer, Heidelberg (2002) 15. Hohenberger, S., Waters, B.: Realizing hash-and-sign signatures under Standard Assumptions. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 333–350. Springer, Heidelberg (2009) 16. Krawczyk, H., Rabin, T.: Chameleon signatures. In: Symposium on Network and Distributed Systems Security (NDSS 2000), February 2000, pp. 143–154. Internet Society (2000) 17. Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: 10th ACM Conf. on Computer and Communications Security, pp. 155–164 (2003) 18. Paterson, K., Schuldt, J.: Efficient identity-based signatures secure in the standard model. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 207–222. Springer, Heidelberg (2006) 19. Shamir, A., Tauman, Y.: Improved online/offline signature schemes. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 355–367. Springer, Heidelberg (2001) 20. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
Twin Signature Schemes, Revisited Sven Sch¨ age Horst G¨ ortz Institute for IT-Security, University of Bochum, Germany
[email protected] Abstract. In this paper, we revisit the twin signature scheme by Naccache, Pointcheval and Stern from CCS 2001 that is secure under the Strong RSA (SRSA) assumption and improve its efficiency in several ways. First, we present a new twin signature scheme that is based on the Strong Diffie-Hellman (SDH) assumption in bilinear groups and allows for very short signatures and key material. A big advantage of this scheme is that, in contrast to the original scheme, it does not require a computationally expensive function for mapping messages to primes. We prove this new scheme secure under adaptive chosen message attacks. Second, we present a modification that allows to significantly increase efficiency when signing long messages. This construction uses collision-resistant hash functions as its basis. As a result, our improvements make the signature length independent of the message size. Our construction deviates from the standard hash-and-sign approach in which the hash value of the message is signed in place of the message itself. We show that in the case of twin signatures, one can exploit the properties of the hash function as an integral part of the signature scheme. This improvement can be applied to both the SRSA based and SDH based twin signature scheme.
1
Introduction
Digital signature schemes need little introduction. Besides encryption systems, they are the most fundamental public-key primitives. They are used in a variety of cryptographic protocols and by now, the literature knows many variants (e.g. ring signatures, group signatures, blind signatures). The Random Oracle Model. Most of the existing signature schemes are provably secure in the random oracle model [2] which assumes the existence of publicly available functions with truly random outputs. In practical realizations, these functions are then replaced by cryptographic hash functions. However, this model represents a very strong idealization of the real world and in 1998, Canetti, Goldreich and Halevi [7] showed that there exist signature schemes which have a security proof in the random oracle model but are insecure when instantiated with any hash function. Since then, research on signature schemes which are provably secure in the standard model has gained much attention. J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 104–117, 2009. c Springer-Verlag Berlin Heidelberg 2009
Twin Signature Schemes, Revisited
105
Motivation – Twin Signatures. Practical signature schemes that are secure in the standard model seem to be much harder to construct than signature schemes in the random oracle model, where we can apply, for example, the FiatShamir heuristic [12] that provides a general method to obtain secure signature schemes from three-move zero-knowledge protocols. In the standard model, we know only few secure signature schemes and even less design principles to construct them. In 2001, Naccache, Stern and Pointcheval presented a signature scheme that is proven secure without random oracles in the standard model. The scheme is secure solely under the Strong RSA (SRSA) assumption. The basic idea is to securely combine two distinct RSA groups such that an attacker must break the SRSA assumption in at least one of them. Though essentially relying on the properties of the underlying complexity assumption, this idea comes very close to a more general design principle. However, the original scheme was defined in SRSA groups where each group element has a 1024 bit representation. It is therefore not competitive with state-of-the-art signature schemes which have signature sizes of 340 bits [3] or below [17]. In this work, we generalize the Naccache et al. scheme and improve its efficiency in several ways. Contribution. First, we present a new twin signature scheme that is based on the SDH assumption in bilinear groups. Since the representation of group elements can be much shorter in bilinear groups (≈ 170 bits) than in RSA groups (≈ 1024 bits), the new signature scheme allows for much shorter signatures. Another part of our contribution deals with a formalization and generalization of techniques to properly combine the two RSA groups to yield an adaptively secure signature scheme. In this process, we extract the notion of chaining functions. Roughly speaking, chaining functions are binary functions that fulfill a certain form of collision-resistance and one-wayness. We show that the SRSA based twin signature scheme is secure for any secure chaining function. Likewise, we are able to prove our SDH based signature scheme secure for any secure chaining function. Next, we analyze the efficiency of twin signature schemes while concentrating on the two main issues signature size and computational complexity of the signing and verification procedure. We reveal a severe efficiency bottleneck in the Naccache et al. scheme when signing long messages as in the presented form, the signature size is proportional to the length of the input message. Finally, we give a solution to this problem by designing a new provably secure chaining function. Related Work. In 1984, Goldwasser, Micali and Rivest [16] published the first provable secure, but inefficient signature scheme. More than a decade later, in 1999, Gennaro, Halevi, and Rabin [15] and independently Cramer and Shoup [10] proposed the first secure hash-and-sign signature schemes which are secure in the standard model under the Strong RSA assumption (SRSA). Since then, several signature schemes have been proposed under the SRSA assumption [5,13,17,24]. Among them, we can find several schemes that rely on functions which map messages (or message-dependent intermediate values) to prime numbers
106
S. Sch¨ age
[8,15,21]1 . Existing examples of such functions are computationally expensive, since they include several, i.e. O(lm ) – where lm is the maximal bit size of the input length, costly primality tests [8,21]. Today, there are only few other complexity assumptions that have been utilized for the construction of signature schemes without random oracles. Three assumptions have been defined in bilinear groups with an efficient bilinear pairing: the LRSW [6], the SDH assumption [3,17] and the CDH [23] assumption. Only recently, Hohenberger and Waters presented the first signature scheme that is secure under the (plain) RSA assumption [18]. Bilinear groups have the advantage that the group representation for groups elements can be much shorter than in RSA groups. So far, the schemes secure under the SDH assumption seem to provide the best overall efficiency.
2
Preliminaries
Before presenting our results, we briefly review the necessary formal and mathematical definitions. 2.1
Notation $
If B is a set we write |B| to denote its size. For a set B, we use x ← B to denote that x is drawn from B uniformly at random. If s is a string, we write |s| to denote its bit-length. If s is a string, we use s||s to denote the result when concatening s with itself. For an algorithm A we write A(i1 , i2 , . . .) to denote that A has input parameters i1 , i2 , . . . . Similarly, we denote with y ← A(i1 , i2 , . . .) that A outputs y when running on inputs i1 , i2 , . . .. We write PPT (probabilistic polynomial time) to refer to randomized algorithms that run in polynomial time. The security parameter is denoted as κ ∈ N. Finally, we use 1κ to describe the string that consist of κ ones. 2.2
Signature Scheme
A digital signature scheme S consists of three algorithms. The probabilistic polynomial time (PPT) algorithm KeyGen generates a secret and public key pair (SK, P K). The PPT algorithm Sign takes as input a secret key SK and the message m and outputs a signature σ. Finally, the deterministic polynomial time algorithm Verify processes a public key P K, a message m and a signature σ to check whether σ is a legitimate signature on m signed by the holder of the secret key corresponding to P K. On successful verification the algorithm outputs 1, otherwise 0. 1
We note that [15] also consider division-intractable functions. However, it was shown in 2000 by Coron and Naccache [9] that contrarily to the results of numerical experiments performed by Gennaro, Halevi and Rabin [15] the security of divisionintractable functions only rises subexponentially with the input length. We therefore concentrate on prime mapping functions.
Twin Signature Schemes, Revisited
2.3
107
Existential Unforgeability
The strongest notion of security for signature schemes was defined by Goldwasser, Micali and Rivest in 1988 [16]. It has been formalized in the following attack game in which the attacker is granted oracle access to a signing oracle OSK (·). Setup. In the setup phase, (SK, P K) ← KeyGen(1κ ) is run and the public key P K is given to the adversary. Signature queries. The adversary adaptively queries OSK (·) with q = q(κ) messages m1 , . . . , mq of his choice and obtains q signatures σ1 , . . . , σq with σi = Sign(SK, m) for i ∈ {1, . . . , q}. Output. The attacker outputs (m∗ , ρ∗ ) with m∗ ∈ / {m1 , . . . , mq } and Verify(P K, m∗ , σ ∗ ) = 1. We denote the success probability of an adversary A (taken over the random coins of the challenger and the adversary) to win the above game as AdvS,A . Definition 1 (Existential Unforgeability). An adversary A is said to (q, t, )-break the existential unforgeability of the signature scheme S if A has success probability AdvS,A = after generating at most q queries and running in time t. A signature scheme S is said to be (q, t, )-secure if there exists no PPT adversary that (q, t, )-breaks the existential unforgeability of S. 2.4
Complexity Assumptions
In the following we introduce the complexity assumptions on which the security of the presented signature schemes relies on. Definition 2 (Strong RSA Assumption (SRSA) [1]). Given an RSA modulus n = pq (where p, q are sufficiently large primes), and an element u ∈ Z∗n , we say that the (SRSA , tSRSA )-assumption holds if for all tSRSA -time adversaries A Pr (u1/t mod n, t) ← A(n, u), t > 1, ≤ SRSA , where the probability is over the random choices of u, n and the random coins of A. Definition 3 (Bilinear groups). Let G1 =< g1 >, G2 =< g2 > and GT be groups of prime order p. The function e : G1 × G2 → GT is a bilinear pairing if it holds that 1.) ∀a ∈ G1 , b ∈ G2 , x, y ∈ Zp : e(ax , by ) = e(a, b)xy (bilinearity), 2.) e(g1 , g2 ) = 1GT is a generator of GT (non-degeneracy), and 3.) e is efficiently computable (efficiency). We call (G1 , g1 , G2 , g2 , GT , p, e) a bilinear group. Definition 4 (Strong Diffie-Hellman assumption (SDH) [3]). Given a bilinear group (G1 , g1 , G2 , g2 , GT , p, e), we say that the (qSDH , SDH , tSDH )SDH assumption holds if for all tSDH -time attackers A that are given T = (x2 ) (xq ) g1 , g1x , g1 , . . . , g1 , g2 , g2x ∈ Gq+1 × G22 with (q = qSDH ) it holds that 1 1/(x+c) Pr (g1 , c) ← A(T ), c ∈ Zp ≤ SDH ,
108
S. Sch¨ age
where the probability is over the random choices for g1 ∈ G1 , g2 ∈ G2 , x ∈ Zp and the random bits of A. 2.5
Collision-Resistant Hashing
Our constructions make use of collision-resistant cryptographic hash functions. Definition 5 (Collision-resistant hash function). Let H = {Hk }k∈N be a family and each Hk a collection of functions of the form h : {0, 1}∗ → {0, 1}k . H is called (th , h )-collision-resistant if for all th -time adversaries A there exists a negligible function h = h (k) with
$ h ← H , (m, m ) ← A(h), m = m , k Pr ≤ h , m, m ∈ {0, 1}∗, h(m) = h(m ) where the probability is over the random bits of A. 2.6
Chaining Functions
In our signature schemes, we will combine the input message m with a random value r using a function w : R × M → R. However, we must impose some requirements on w. Definition 6 (Chaining Functions). Let W = {Wk }k∈N be a family and each Wk a collection of functions of the form w : R × M → R with |R| ≤ 2k . We say that W is (tchain , chain )-chaining if for all attackers A there exists a negligible $
function chain = chain (k) and the following properties hold for w ← Wk : 1. For all m ∈ M it holds that w(R, m) = R. 2. Given z ∈ R, m ∈ M, it is easy to find r ∈ R such that w(r, m) = z. 3. For all r¯ ∈ R, it holds for all tchain -time attackers A that (m, m ) ← A(¯ r , w), m, m ∈ M, Pr ≤ chain , m = m , w(¯ r , m) = w(¯ r , m ) where the probability is over the random coins of A.2 4. For all m ∈ M and given random r, r ∈ R, it holds for all tchain -time attackers A that
Pr m ← A(r, r , m, w), m ∈ M, w(r, m) = w(r , m ) ≤ chain , where the probability is computed over the random coins of A and the random choices for r and r . 2
If w is also a permutation or just injective in the second input parameter, this requirement is trivially fulfilled.
Twin Signature Schemes, Revisited
109
If used in signature schemes, w is fixed at random during the key generation phase. In [21], Naccache et al. implicitly show that W = {W2k }k∈N is chaining for M = {0, 1}k and R = {0, 1}2k with k ∈ N if W2k = {w(r, m) = r ⊕ (m||m)}. The advantage of this function is its statistical security. The drawback is its inefficiency when signing long messages. Lemma 1. The above function W is (·, 2−k )-chaining according to Definition 6. Proof. Properties 1 and 2 are obvious. Property 3 follows from the fact that for any two m, m ∈ {0, 1}k with m = m it also holds that m||m = m ||m and hence r ⊕ m||m = r ⊕ m ||m for all r ∈ R. To show Property 4, suppose we are given a random m ∈ {0, 1}k and random r, r ∈ {0, 1}2k . Assume that there exists m ∈ {0, 1}k such that r ⊕ m||m = r ⊕ m ||m . We then must have that r ⊕ r can be represented as r¯||¯ r for some r¯ ∈ {0, 1}k . For a given random pair r and r this only happens with probability 2−k .
3
Twin Signatures
In this section, we present a generic variant SSRSA of the SRSA based twin signature scheme. l Let R = {0, 1} r , M = {0, 1}lm , and W be a (tchain , chain )-chaining function. Additionally, let p : {0, 1}lr → N be an efficient function that injectively maps strings to prime numbers. KeyGen(1κ ). Choose two RSA moduli n1 = p1 q1 and n2 = p2 q2 . Then randomly choose u1 ∈ Z∗n1 and u2 ∈ Z∗n2 . The public key is P K = (n1 , n2 , u1 , u2 ) and the secret key consists of the factorization of n1 and n2 : SK = (p1 , q1 , p2 , q2 ). We require 2lr − 1 ≤ min{φ(n1 ), φ(n2 )}. $
Sign(SK, m). Given a secret key SK and a message m ∈ M, pick r ← R and compute the signature σ = (s1 , s2 , r)3 as 1
1
s1 = u1p(w(r,m)) mod n1 , s2 = u2p(r) mod n2 . Verify(P K, m, σ). Given a public key P K, a message m, and a signature σ = (s1 , s2 , r), verify if the following equations hold: p(w(r,m)) ?
s1 3
p(r) ?
= u1 mod n1 , s2
= u2 mod n2 .
We made a small simplification here. In the original paper, not r is part of the signature but the randomness ω that is used to generate r. We stress that since r is drawn uniformly at random from R we must have that |ω| ≥ lr = 2lm and therefore ω is also dependent on the message size.
110
S. Sch¨ age
Theorem 1. Suppose the (tSRSA , SRSA )-SRSA assumption holds and W is a (tchain , chain )-chaining function. Then, SSRSA is (q, t, )-secure against adaptive chosen message attacks provided that t ≈ tSRSA + tchain , ≤ 2SRSA + 2q 2 chain . The proof of Theorem 1 closely follows [21].
4
An SDH Based Twin Signature Scheme
In this section, we present our SDH based twin signature scheme SSDH . Let a bilinear group (G1 , g1 , G2 , g2 , GT , p, e) and a (tchain , chain )-chaining function W with R = {0, . . . , tr } and tr ≤ p be given. Let gT = e(g1 , g2 ). $
KeyGen(1κ ). Choose two elements x1 , x2 ← Zp . The public key is P K = (P K1 , P K2 ) with P K1 = g2x1 and P K2 = g2x2 . The secret key is SK = (x1 , x2 ). $
Sign(SK, m). Given a secret key SK and a message m ∈ M , pick r ← R with r = −x2 and w(r, m) = −x1 and compute σ = (s1 , s2 , r) as 1
1
s1 = g1(x1 +w(r,m)) , s2 = g1(x2 +r) . Verify(P K, m, σ). Given a public key P K a message m and a signature σ = (s1 , s2 , r), verify whether the following equations hold: ? ? w(r,m) e s1 , P K 1 · g 2 = gT , e (s2 , P K2 · g2r ) = gT .
5
Security
Theorem 2. Suppose that the (qSDH , tSDH , SDH )-SDH assumption holds and that w is a (tchain , chain )-chaining function. Then, SSDH is (q, t, )-secure against adaptive chosen message attacks with q = qSDH , t ≈ tSDH + tchain , ≤ 2SDH + 2q 2 chain . Proof. By contradiction. Assume algorithm A is a forger that (q, t, )-breaks the existential unforgeability of SSDH . Then, we can construct a simulator B, that interacts with A and after q signature queries either breaks the SDH problem or the security of the chaining function in time t with advantage . We consider four types of forgeries m∗ , (s∗1 , s∗2 , r∗ ) A can output after making q signature queries m1 , . . . , mq and receiving q responses (s1,1 , s2,1 , r1 ), . . . , (s1,q , s2,q , rq ): Type I: r∗ ∈ / {r1 , . . . , rq }. Type II: r∗ = ri , i ∈ {1, . . . , q}, w(r∗ , m∗ ) ∈ / {w(r1 , m1 ), . . . , w(rq , mq )}. Type III: r∗ = ri , w(r∗ , m∗ ) = w(rj , mj ), i, j ∈ {1, . . . , q}, i = j. Type IV: r∗ = ri , w(r∗ , m∗ ) = w(ri , mi ), i ∈ {1, . . . , q}.
Twin Signature Schemes, Revisited
111
We subsequently assume that B at the beginning of the communication guesses which type of forgery A is going to output (with probability 14 ). According to this guess, B proceeds differently. If B’s guess turns out to be wrong, he simply aborts and restarts. Theorem 2 then follows by a standard hybrid argument. (x2 ) (xq ) Let gˆ1 , gˆ1x , gˆ1 , . . . , gˆ1 , gˆ2 , gˆ2x be the SDH challenge and (m, ˆ rˆ, rˆ ) the challenge for Property 4 of the chaining function. Let Pr[Si ] denote the success probability for an attacker to successfully forge signatures in Game i. Type I Forger Game0 . This is the original attack game. By assumption, A (q, t, )-breaks S when interacting with the signing oracle OSK (·). We have Pr[S0 ] = .
(1)
Game1 . This game is like the previous one except that B constructs the values $ g1 , P K1 and P K2 using the SDH challenge. First, B chooses x1 ← Zp and $
r(x)
r1 , . . . , rq ← R. Then, it computes g1 = gˆ1 , g2 = gˆ2 , P K1 = g2x1 , P K2 = g2x , q where r(x) := i=1 (x + ri ). Note that B can easily generate g1 by computing
q r(x) the coefficients βi ∈ Z for i ∈ {0, . . . , q} of r(x) = 0 βi xi and evaluating gˆ1 = βi q (xi ) ˆ1 . Since x1 and the ri ’s are chosen at random, the distribution of i=0 g the constructed values is equal to the previous game. Thus, Pr[S1 ] = Pr[S0 ] .
(2)
Game2 . Now, B simulates OSK (·) by answering A’s signature queries. For each received message mj ∈ M, B outputs σj = (s1,j , s2,j , rj ) with 1/(x1 +w(rj ,mj ))
s1,j = g1
q
, s2,j = gˆ1
i=1,i=j
(x+ri )
.
The simulator can easily compute s1,j since it knows x1 . The value s2,j can be computed like g1 using the SDH challenge. Since the rj ’s have been chosen randomly, the changes are purely conceptual. Pr[S2 ] = Pr[S1 ] . Let us now consider the forgery (m w(r ∗ ,m∗ )
e(s∗1 , P K1 g2
∗
, s∗1 , s∗2 , r∗ )
(3)
output by A. It must hold that ∗
) = e(s∗2 , P K2 g2r ) = e(g1 , g2 ) .
By assumption, we have that r∗ ∈ / {r1 , . . . , rq }. Using long division, the simulator can now compute d ∈ Z and a polynomial r (x) of degree q − 1 with coefficients in Z such that r(x) = (x + r∗ )r (x) + d. Since (x + r∗ ) does not divide r(x) we must have that d = 0. From the second verification equation we get that 1/(x+r ∗ ) r (x)+d/(x+r ∗ ) ∗ s2 = g1 = gˆ1 . Therefore, B can compute a solution to the SDH problem as 1/d 1/(x+r ∗ ) ∗ ∗ −r (x) s2 gˆ1 = gˆ1 ,r .
112
S. Sch¨ age
We finally have that Pr[S2 ] = SDH .
(4)
Type II Forger Now suppose B rightly expects A to be a Type II Forger. The proof proceeds analogously to the proof for Type I Forgers. $
$
Game1 . In this game, B chooses random x2 ← Zp and w1 , . . . , wq ← R. Now define v(x) := qi=0 (x + wi ). Then, B computes v(x)
g1 = gˆ1
, g2 = gˆ2 , P K1 = g2x , P K2 = g2x2 .
As before, the distribution of the values is equal to the previous game. Pr[S1 ] = Pr[S0 ] .
(5)
Game2 . In this game, B simulates the signing oracle. When receiving a query mj ∈ M, it first computes rj ∈ R such that wj = w(rj , mj ). It then outputs the signature σj = (s1,j , s2,j , rj ) with q
s1,j = gˆ1
i=1,i=j
(x+wi )
1/(x2 +rj )
, s2,j = g1
.
Since the wi ’s are chosen uniformly at random from R, so are the ri ’s because w is a permutation in the first input parameter. Pr[S2 ] = Pr[S1 ] .
(6)
Similar to the previous case, B can compute a polynomial v (x) and d ∈ Z with d = 0 such that v(x) = (x + w(r∗ , m∗ ))v (x) + d because w(r∗ , m∗ ) ∈ / {w(r1 , m1 ), . . . , w(rq , mq )} and thus (x + w(r∗ , m∗ )) does not divide v(x). The simulator then outputs a solution to the SDH problem as 1/d −v (x) s∗2 gˆ1 , w(r∗ , m∗ ) . We have that Pr[S2 ] = SDH .
(7)
Type III Forger $ Game1 . In this game, we let the simulator choose both secret keys x1 , x2 ← Zp . x1 x2 It sets g1 = gˆ1 , g2 = gˆ2 , P K1 = g2 , and P K2 = g2 . Pr[S1 ] = Pr[S0 ] .
(8) $
Game2 . Next, B makes two random guesses for distinct indices j, k ← {1, . . . , q}. For all i ∈ {1, . . . , q} \ {j, k}, the simulator proceeds according to Sign to simulate OSK (·) using the secret keys x1 and x2 . In particular, this means that the ri are chosen uniformly at random from R. For the j’th signature, B computes
Twin Signature Schemes, Revisited
113
rj such that w(ˆ r , m) ˆ = w(rj , mj ) using the challenge for the chaining function. For the k’th signature, B sets rk = rˆ . Since rˆ and rˆ originate from a random challenge for the chaining function and the remaining ri are chosen randomly we still have that Pr[S2 ] = Pr[S1 ] . (9) Game3 . By assumption, we have that A outputs a forgery m∗ , (s∗1 , s∗2 , r∗ ) with r∗ = ra for some a ∈ {1, . . . , q} and w(r∗ , m∗ ) = w(rb , mb ) for some b ∈ {1, . . . , q}. We have that a = b. Now, B aborts if b = j or a = k. Since rj and rk are perfectly indistinguishable from the remaining ri we have that Pr[S3 ] = 1/q 2 · Pr[S2 ] .
(10)
Otherwise, B has found a solution to the challenge for Property 4 w(ˆ r , m∗ ) = w(rk , m∗ ) = w(ra , m∗ ) = w(r∗ , m∗ ) = w(rb , mb ) = w(ˆ r , m). ˆ Pr[S3 ] = chain .
(11)
Type IV Forger $ Game1 . As before, we let the simulator choose both secret keys x1 , x2 ← Zp . It x1 x2 sets g1 = gˆ1 , g2 = gˆ2 , P K1 = g2 , and P K2 = g2 . Clearly, Pr[S1 ] = Pr[S0 ] .
(12)
Game2 . To simulate the signing oracle, B simply uses x1 and x2 as specified by Sign. Hence, Pr[S2 ] = Pr[S1 ] . (13) By assumption we have that B w(r∗ , m∗ ) = w(rj , m∗ ) = w(rj , mj ) for some j ∈ {1, . . . , q}. From the definition of the attack game we also know that m∗ = mj . So, B has found a collision for the chaining function (Property 3) and Pr[S2 ] = chain .
(14)
Putting together Equations (1)-(14), we get that = SDH for Type I and Type II forgeries, = q 2 chain for Type III forgers, and = chain for Type IV forgers. Clearly, ≤ SDH + q 2 chain for each type of forger. Finally, considering B’s initial guess we have that ≤ 2SDH + 2q 2 chain what proofs Theorem 2.
6
Improved Chaining Function
In this section, we analyze the efficiency of twin signature schemes when signing long messages. We concentrate on two issues. The first issue concerns the computational efficiency of the scheme. Recall the chaining function from Section 2.6. Since in the SRSA based scheme the input of p and hence the computational
114
S. Sch¨ age
efficiency depends on the message size lm , Naccache et al. recommend to apply a hash function h ∈ Hk prior to the prime mapping function p [21, §B.2]: w (r, m) = h(r ⊕ (m||m)). Now, p must only map values of maximal length k to prime numbers. One can easily see, that this improvement does not address the signature size, since r, by condition lr = 2lm , still depends on lm . This is our second issue. A further improvement is to first apply the collision-resistant hash function to the input message and then to sign the resulting hash value: w (r, m) = r ⊕ (h(m)||h(m)). Now, we have that lr = 2k and, as a result, r and the signature size are independent of lm . For both improvements (w and w ) we must assume that the underlying hash function is collision-resistant and so rely on additional complexity assumptions to maintain provable security (as long as the hash function does not solely rely on complexity assumptions that are provably weaker than SRSA, SDH respectively). We stress that we use hash functions solely for the purpose of (message) domain extension, not as instantiations of random oracles. For practical parameters, say k = 160, we now have that lr = 320. The final question is if this situation can further be improved. Ideally, we would have that lr = 160. This has several benefits. First, prime mapping can be twice as fast. Second, the signature size could be reduced by 160 bits. Suprisingly, we can show that when using hash functions with the additional property that random input strings are mapped to uniformly distributed output strings, we can do without the string concatenation: w ˜ : {0, 1}k × {0, 1}∗ → {0, 1}k w(r, ˜ m) = r ⊕ h(m) . Lemma 2. Let H = {Hk } be a (th , h )-collision-resistant hash function. Furthermore, assume that for every h ∈ Hk with k ∈ N h(m) is uniformly distributed in {0, 1}k for random m ∈ {0, 1}∗. Then, W = {Wk } with Wk = {w(r, ˜ m) = r ⊕ h(m)| h ∈ Hk } is (th , h )-chaining. Proof. The first two properties can be verified by inspection. Property 3 holds because r˜⊕h(m) = r˜⊕h(m ) implies h(m) = h(m ). So, any attacker that breaks Property 3 also breaks the collision-resistance of the hash function. To show that w ˜ fulfills Property 4 observe that r˜ ⊕ h(m) = r˜ ⊕ h(m ) implies r˜ ⊕ r˜ ⊕ h(m) = h(m ) for given random r, r ∈ {0, 1}k and m ∈ {0, 1}∗. Now, for contradiction, assume there exists an attacker A that can find m with probability ≥ h in time th . Then we can construct algorithm B that uses A to find collisions in the hash function. At first B chooses uniformly at random m ¯ ∈ {0, 1}∗ and computes y = h(m). ¯ Next, B chooses a random m ∈ {0, 1}∗ and a random k r ∈ {0, 1} , computes h(m), r = y ⊕ h(m) ⊕ r and runs A on (m, r, r ). As h(m) is random in {0, 1}k , so is r . Finally, A outputs m and since we have that r ⊕ r ⊕ h(m) = h(m ) = y = h(m) ¯ and because m ¯ = m with overwhelming probability, B has found a hash collision. This contradicts the fact that H is (th , h )-collision-resistant.
Twin Signature Schemes, Revisited
115
Table 1. Efficiency Comparison of Chaining Functions. Elements in G1 have around 170 bits [4,20], while RSA moduli have at least 1024 bits. Let lmax = max{4lm , 2048}. scheme chaining function signature size in bits #prim. tests #pairings SSDH r ⊕ h(m) k + 340 – 2 SSRSA r ⊕ h(m) k + 2048 O(k) – SSRSA r ⊕ (h(m)||h(m)) 2k + 2048 O(k) – [21, §B.2] h(r ⊕ (m||m)) 2lm + 2048 O(k) – [21] r ⊕ (m||m) 2lm + lmax O(lm ) –
7
Online/Offline Signature Schemes
In this section, we present a modification that further improves the efficiency of SSRSA and SSDH by turning them into online/offline signature schemes [11]. The key idea is to precompute s1 using a random z ∈ R in the offline phase as 1/(p(z)) 1/(x +z) s1 = u1 mod n1 , s1 = g1 1 respectively. In the online phase, when the signer wants to sign message m, she only has to find r such that z = w(r, m) 1/(p(r)) 1/(x +r) and compute s2 = u2 mod n2 , s2 = g1 2 respectively. In this way, we can save costly inversion and exponentiation operations in the online phase. However, the efficiency gain seems rather small when compared with what can be achieved in online/offline signature schemes that are based on signature schemes which utilize chameleon hash functions [19], like for example [22].
8
Summary
We have generalized and improved the twin signature scheme by Naccache et al. by 1.) presenting a generic twin signature scheme that is based on the SDH assumption and provides much shorter signatures than the original scheme and 2.) designing a new chaining function which allows to very efficiently sign and verify long messages. As a result, the signature size is not dependent on the input message anymore. For a hash function with 160 bit output values, the resulting signature scheme outputs signatures with only about 500 bits (as compared to >2048 bits in the original scheme). However, the state-of-the-art scheme by Boneh-Boyen is only 340 bits and significantly smaller. This indicates that although twin signature schemes provide a very general approach for constructing secure signature schemes in the standard model, they are inferior, in terms of efficiency, to schemes that utilize for example chameleon hash functions.
References 1. Bari´c, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997)
116
S. Sch¨ age
2. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993) 3. Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptology 21(2), 149–177 (2008) 4. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin [14], pp. 41–55 5. Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003) 6. Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin [14], pp. 56–72 7. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: STOC, pp. 209–218 (1998) 8. Chevallier-Mames, B., Joye, M.: A practical and tightly secure signature scheme without hash function. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 339–356. Springer, Heidelberg (2007) 9. Coron, J.-S., Naccache, D.: Security analysis of the Gennaro-Halevi-Rabin signature scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 91–101. Springer, Heidelberg (2000) 10. Cramer, R., Shoup, V.: Signature schemes based on the Strong RSA assumption. In: ACM Conference on Computer and Communications Security, pp. 46–51 (1999) 11. Even, S., Goldreich, O., Micali, S.: On-line/off-line digital signatures. J. Cryptology 9(1), 35–67 (1996) 12. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1986) 13. Fischlin, M.: The Cramer-Shoup Strong-RSA signature scheme revisited. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 116–129. Springer, Heidelberg (2003) 14. Franklin, M. (ed.): CRYPTO 2004. LNCS, vol. 3152. Springer, Heidelberg (2004) 15. Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999) 16. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988) 17. Hofheinz, D., Kiltz, E.: Programmable hash functions and their applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 21–38. Springer, Heidelberg (2008) 18. Hohenberger, S., Waters, B.: Realizing hash-and-sign signatures under standard assumptions. In: Joux, A. (ed.) EUROCRYPT. LNCS, vol. 5479, pp. 333–350. Springer, Heidelberg (2009) 19. Krawczyk, H., Rabin, T.: Chameleon signatures. In: NDSS, The Internet Society (2000) 20. Miyaji, A., Nakabayashi, M., Takano, S.: Characterization of elliptic curve traces under FR-reduction. In: Won, D. (ed.) ICISC 2000. LNCS, vol. 2015, pp. 90–108. Springer, Heidelberg (2000)
Twin Signature Schemes, Revisited
117
21. Naccache, D., Pointcheval, D., Stern, J.: Twin signatures: an alternative to the hash-and-sign paradigm. In: ACM Conference on Computer and Communications Security, pp. 20–27 (2001) 22. Shamir, A., Tauman, Y.: Improved online/offline signature schemes. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 355–367. Springer, Heidelberg (2001) 23. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005) 24. Zhu, H.: New digital signature scheme attaining immunity to adaptive-chosen message attack. Chinese Journal of Electronics 10(4), 484–486 (2001)
On the Insecurity of the Fiat-Shamir Signatures with Iterative Hash Functions Eiichiro Fujisaki1 , Ryo Nishimaki1 , and Keisuke Tanaka2 1
NTT, 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585 Japan {fujisaki.eiichiro,nishimaki.ryo}@lab.ntt.co.jp 2 Department of Mathematical and Computing Sciences, Tokyo Institute of Technology, W8-55, 2-12-1 Ookayama, Meguro-ku, Tokyo, 152-8552, Japan
[email protected] Abstract. At FOCS 2003, Goldwasser and Kalai showed the insecurity of the digital signature schemes obtained by the Fiat-Shamir transformation in the standard model. However, the proof of this negative result is complicated. This paper shows a much simpler counter example in the restricted (but realistic) case that the hash functions are designed by iterating an underlying hash function with an a-priori bounded input length, although we slightly extend the Fiat-Shamir paradigm. The result in [19] ruled out the case that the underlying identification schemes are interactive proofs, whereas this result can apply to the case.
1 1.1
Introduction The Fiat-Shamir Signatures
The Fiat-Shamir paradigm [17] is a general method that produces a digital signature scheme from a three-round public-coin interactive protocol by “collapsing” the interaction using a cryptographic hash function. Let (α, β, γ) be a transcript of a three-round public-coin identification protocol, such that α is the first message from the prover, β is a random query sent by the verifier, and γ is an answer to β from the prover. To remove the interaction and convert it to a digital signature scheme, the Fiat-Shamir paradigm takes the following approach: Let H be a function ensemble. The signer draws a hash function h from H and publish vk = (vk , h) as his public-key, where vk is a verification key of the underlying identification protocol. The signer, i.e., the prover in the starting identification protocol, produces α, computes β = h(α, m) by himself and finally yields γ such that (α, β, γ) is an acceptance transcript in the underlying identification protocol. Since the legitimate signer knows the secret key corresponding to vk , he can produce γ for any β such that (α, β, γ) is an acceptance transcript. The signer outputs (α, β, γ) as the signature for message m of the digital signature scheme obtained from the Fiat-Shamir paradigm on the underlying interactive protocol and hash function h. Fiat and Shamir [17] suggested that the resulting Fiat-Shamir signature schemes are secure in an “ideal” model (where the hash function is an ideal J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 118–128, 2009. c Springer-Verlag Berlin Heidelberg 2009
On the Insecurity of the Fiat-Shamir Signatures
119
function), if the underlying interactive protocols are sound. Later, this was formally validated by Pointcheval and Stern [29, 30], followed by [28, 1], in the so-called random oracle model [5]. Pointcheval and Stern [29] proved that for every three-round public-coin identification protocol that is a honest-verifier zero-knowledge proof of knowledge, the digital signature scheme transformed by the FS paradigm is existentially unforgeable against the chosen-message attacks (EUF-CMA) in the random oracle model. Later, Abdalla et. al. [1] showed necessary and sufficient conditions on three-round public-coin identifications for which the corresponding FS signature is EUF-CMA secure in the random oracle model. The condition is that the identification protocol is secure against impersonation under the passive attacks and the first message sent by the prover is randomly chosen from a large space. On the other hand, when it is implemented in the “real” world (where the random oracle is replaced with a real cryptographic function ensemble), a negative result was known. Goldwasser and Kalai [19] proved that there is a three-round public-coin protocol such that it is sound as identification, but the resulting FS signature scheme is vulnerable against key only attacks for any real cryptographic hash function (ensemble). The proof to show the insecurity of the FS paradigm is complicated: First, they proposed an identification protocol, denoted ID1 , which is not known whether it is sound or not, but the corresponding FS signature, denoted F S ID1 , is just insecure (for any cryptographic hash function ensemble). ID1 includes a heuristic 2-round CS-Proof or universal argument [25, 3], whose soundness is unknown. If the 2-round universal argument is really sound, ID1 is sound, Period. If not, there are two identification schemes, ID2 and ID3 , for which the following is satisfied: If there is a strong impersonator (against the above universal argument), it can be used to break ID3 , F S ID2 and F S ID3 , but it doesn’t work on ID2 . If there is a weak impersonator, it cannot be used to break ID3 but F S ID3 . In a nutshell, at least one (IDi , F S IDi ), for i = 1, 2, 3, results in a pair of a secure identification scheme and an insecure signature scheme, regardless of how sound the heuristic 2-round universal argument is. Since the FS signature scheme is EUF-CMA secure in the random oracle model if the underlying identification scheme is sound, this result illustrates a separation between the random oracle model and the standard model, as does the work of Canetti, et. al. [9], followed by e.g. [27, 22, 10, 8, 7, 15]. The result [19] applies only to the case that the underlying identification scheme is argument. It is still not known whether or not the resulting FS signature scheme is secure if the identification scheme is interactive proof. 1.2
Our Result
We provide a very simple example to show the failure of the (slightly extended) Fiat-Shamir paradigm in the restricted case that the hash functions (from {0, 1}∗ to {0, 1}k ) are designed by iterating an underlying hash function with an a-priori bounded input length (from {0, 1}n(k) to {0, 1}k ), which is the most common way to construct a hash function of an a-priori unbounded length input, such as Merkle-Damg˚ ard [24, 14] and [13, 4, 23, 6, 12].
120
E. Fujisaki, R. Nishimaki, and K. Tanaka
The original Fiat-Shamir paradigm is a method that converts a three-move public coin identification scheme into a digital signature scheme using a hash function ensemble. In this paper, we define an interactive Fiat-Shamir signature scheme, which is a digital signature scheme with oracle access. By starting with an (interactive) signature scheme, not an identification scheme, we can slightly relax the problem, because the complexity of a digital signature scheme can depend not only on security parameter k but on the size of message, whereas that of an identification scheme depends only on security parameter k. This paper version of the Fiat-Shamir transformation converts an interactive FS digital signature scheme into a non-interactive FS digital signature scheme by replacing an oracle with a hash function (drawn uniformly from a hash function ensemble) and providing the description of the hash function to the digital signature scheme. Soundness of this FS paradigm is now to ask if, for every interactive FS digital signature scheme, there is an efficient hash function ensemble such that the (non-interactive) FS digital signature scheme is secure in the real world, no matter when it is secure in the random oracle model. Of course, the answer to this question is negative, because of [19], but we provide a much simpler counter example in the case that a hash function is an iterative hash function. In addition, our negative result can apply to the class of the interactive Fiat-Shamir signature schemes transformed from interactive proofs, that [19] ruled out. Precisely, let H be a design for iteration, modeled as a deterministic Turing machine, which takes an arbitrary finite string and outputs a k-bit string, after having oracle access to a function mapping {0, 1}n(k) → {0, 1}k , repeatedly. We show that, for any design for iteration H, there is a Fiat-Shamir digital signature scheme, denoted F S, such that there is no function ensemble F that makes F S(H(F )) secure against universal forgery (for any sufficiently large message) G against key-only attacks, whereas F S H is EUF-CMA if H is carefully designed and G is a random oracle mapping {0, 1}n(k) to {0, 1}k . 1.3
Related Work
Canetti, Goldreich and Halevi [9] gave the first example that there are cryptographic protocols that are secure in the random oracle model, but cannot be securely instantiated in the real world. Since then, many works, e.g. [27, 19, 22, 10, 8, 7, 15], appeared that illustrate some gap between the random oracle model and the standard model. These counter examples seem to be classified to three categories: In the first category, they are constructed by attaching an artificial test algorithm to a secure cryptographic protocol, such that the test algorithm can distinguish efficiently any real cryptographic function from a random oracle and reveals the secret key if a real hash function is implemented. [9, 19, 22, 10] belong to this category. This result is also classified here. The test algorithm used in this paper is similar to that of [22]. In the second category, the target cryptographic schemes are demanded too much or constructed in too a restricted way to be realized in the real world, but in the random oracle model. In the third category, the targets are actual cryptographic protocols that are secure in the
On the Insecurity of the Fiat-Shamir Signatures
121
random oracle model. However, some separation results found in this category seem to be restrictive, so far. The result in [19] leave open the case that the underlying identification scheme is not argument, but interactive proof. Recently, Halevi, Myers and Rackoff [21] proposed a new cryptographic primitive, called a seed-incompressible (correlation intractable) function. Although they haven not yet found the existence of such functions in [21], their existence cannot be ruled out thus far. The open problem in [19] is related to the existence of this function. Our result is also related to theirs, but not directly, because seed-incompressible correlation intractable functions are, if they exist, bounded-input-length functions (whereas we essentially utilize that the hash functions have a-priori unbounded input length).
2
Definitions
Let , τ : N → R+ ∪ {0} be non-negative-valued functions. We say that (k) is negligible in k if, for any constant c > 0, there exists a constant, k0 ∈ N, such that (k) < (1/k)c for any k > k0 . We let (k) = negl(k) denote that (·) is a negligible function. We say that τ (k) is non-negligible in k if it is not negligible in k, namely, we say that τ (k) is non-negligible in k if there is constant c > 0 such that for infinitely many k’s, it holds τ (k) ≥ (1/k)c . We let τ (k) = non-negl(k) denote that τ (·) is a non-negligible function. We say that τ (k) is overwhelming in k if 1 − τ (k) = negl(k). A hash-function ensemble is a sequence of polynomial-size circuit family H = {Hk }k∈N such that for every k ∈ N, every h ∈ Hk is a function mapping {0, 1}∗ to {0, 1}k . We say that F = {Fk }k∈N is a hash-function ensemble with bounded input length n if for every k ∈ N, every f ∈ Fk is a function mapping {0, 1}n(k) to {0, 1}k . A random oracle is an ideal hash function that provides a random output for each new query. Identical input queries are given the same answer. In this paper, a random oracle maps either {0, 1}∗ to {0, 1}k , or {0, 1}n(k) to {0, 1}k . 2.1
Cryptographic Schemes
A cryptographic scheme consists of a set of probabilistic polynomial-time Turing machines, organized for one specific application, such as encryption and digital signature. We say that a cryptographic scheme has oracle access to O if algorithms in the cryptographic scheme may have oracle access to a random oracle if O is a random oracle, otherwise to a function, drawn uniformly from a function ensemble O once and for all in a “system set-up” phase. In this paper, a function to which an algorithm may have oracle access is either a function mapping {0, 1}n(k) to {0, 1}k or a function mapping {0, 1}∗ to {0, 1}k . Let Σ be a cryptographic scheme. We say that Σ is t-bounded if every algorithm in Σ runs within time t(|initial inputs|), where the initial inputs to Σ are all the inputs to all algorithms in Σ, minus all the inputs that can be created by algorithms in Σ. For example, the initial inputs to a digital signature scheme
122
E. Fujisaki, R. Nishimaki, and K. Tanaka
consist of 1k (for security parameter k) and message m. Σ is called efficient if t is a polynomial, plus every algorithm in Σ runs in a polynomial in its inputs. Let Σ be a cryptographic scheme with oracle access to a hash function ensemble H, denoted Σ H . We write Σ(H) to denote a new cryptographic scheme, constructed as follows: Every algorithm P in Σ is converted to P˜ . The algorithm firstly activated in Σ(H) draws a hash function h from H once and for all. P˜ takes as input the inputs to P and h (if necessary) and emulates P H . The main difference from Σ H is that the description of hash function h is given P˜ in Σ(H), but not P in Σ H . If H has oracle access to O, Σ(H) has oracle access to O, denoted Σ(H)O . Let G be a random oracle to which Σ may have oracle access. We define an implementation of Σ G using a function ensemble H to transform Σ G to Σ(H) by replacing G with H and converting Σ H into Σ(H). The security requirements of a cryptographic scheme are defined as specified games between a cryptographic scheme and an adversary, where an adversary is modeled as a polynomial-size circuit family. If a function is connected directly or indirectly to a cryptographic scheme, it depends on a security game, whether an adversary may have oracle access to it. A function is called public if an adversary can access it. 2.2
The Random Oracle Model
A random oracle is always public in the security games. Namely, if a cryptographic scheme has oracle access to a random oracle, an adversary may also have oracle access to the same random oracle. In addition, if a function to which the cryptographic scheme has oracle access may have oracle access to a random oracle, the adversary may have oracle access to the random oracle, too. 2.3
Indifferentiability
We use the notion of indifferentiability [22]. Let G : {0, 1}n(k) → {0, 1}k and R : {0, 1}∗ → {0, 1}k be random oracles. A Turing machine H with oracle access to G is said to be indifferentiable from R if there is a polynomial-time simulator S such that for any polynomial-size circuit family D it holds that | Pr[DH,G (1k ) = 1] − Pr[DR,S (1k ) = 1]| = negl(k), where S has oracle access to R and D has two oracle access. The simulator does not see the interaction between D and R. There exist several constructions of H with oracle access to G indifferential from R [13, 4, 23, 6, 12]. 2.4
Digital Signature Schemes
We use the standard definition of a digital signature scheme [20, 18]. A digital signature scheme is given by a triple, Σ = (KGen, Sign, Vrfy), of probabilistic polynomial-time Turing machines, where for every (sufficiently large) k ∈ N,
On the Insecurity of the Fiat-Shamir Signatures
123
– KGen, the key-generation algorithm, takes as input security parameter 1k and outputs a pair comprising the verification and signing keys, (vk, sk). – Sign, the signing algorithm, takes as input (vk, sk) and message m and produces signature σ. – Vrfy, the verification algorithm, takes as input (vk, m, σ) and outputs 0 or 1. For completeness, it is required that for any pair (vk, sk) in the range of KGen(1k ) and for any message m ∈ {0, 1}∗, it holds Vrfy(vk, m, Sign(vk, sk, m)) = 1. We stress that the running time of every algorithm in Σ is polynomially bounded in security parameter k and the size of m, only. We say that a digital signature scheme is existentially unforgeable against adaptively chosen message attacks (EUF-CMA) [20, 18], if for any adversary A of a probabilistic polynomial-time non-uniform Turing machine, the probability of the following game is negligible in k: KGen takes 1k and outputs (vk, sk). A takes vk and outputs (m, σ) after having access to Sign(vk, sk, ·) a polynomial (in k) times, where Vrfy(vk, m, σ) = 1 and m was not queried to Sig(vk, sk, ·). The probability is taken over KGen, Sign, and A. If the second condition is replaced with the case that (m, σ) was not in the query-answer history between A and Sign(vk, sk, ·) and if the probability is negligible, the signature scheme is called strongly existentially unforgeable against adaptively chosen message attacks (sEUF-CMA). We say that a digital signature scheme is vulnerable against key only attacks if there is an adversary A of a probabilistic polynomial-time non-uniform Turing machine, that takes vk drawn uniformly from KGen(1k ) and outputs the signature of an arbitrary m with a non-negligible (in k) probability, where A has no access to the signing oracle.
3
Interactive Fiat-Shamir Signature Schemes
As mentioned earlier, we start with a digital signature scheme with oracle access, and convert it to a (non-interactive) digital signature scheme by applying the Fiat-Shamir paradigm. Definition 1. Let O be an arbitrary function from {0, 1}∗ to {0, 1}k . An interactive Fiat-Shamir signature scheme F S O is a digital signature scheme with oracle access to O, such that F S = (KGen, Sign, Vrfy = (V1 , V2 )) consists of probabilistic polynomial-time Turing machines, with the following specification: For every (sufficiently large) k ∈ N, – KGen, the key-generation algorithm, takes 1k and outputs (vk, sk). – Sign, the signing algorithm, takes (vk, sk) and message m ∈ {0, 1}∗ as input. It then computes α and submits (α, m) to O to get back β = O(α, m). It then computes γ and outputs σ = (α, β, γ) as the signature of m with respects to vk.
124
E. Fujisaki, R. Nishimaki, and K. Tanaka
– Vrfy = (V1 , V2 ), the verification algorithm. V1 takes (vk, m, σ) as input. It parses σ to (α, β, γ) and submits (α, m) to O to get back β . If β = β, it outputs 0 and halts the verification procedure, otherwise feeds (vk, α, β, γ) to V2 , V2 takes (vk, α, β, γ) as input and outputs 1 or 0. The completeness is required as well: For any m ∈ {0, 1}∗, Pr[(vk, sk) ← KGen(1k ); σ ← SignO (vk, sk, m) : V1O (vk, m, σ) = 0 ∧ V2 (vk, σ) = 1] = 1. We stress that the running time of every algorithm in F S is bounded by a fixed polynomial in the security parameter k and the length of message m, which is O(poly(k + |m|)). Definition 2. We say that an interactive FS signature scheme is proof for ˜ the key generation algorithm if for any k ∈ N, for any vk ∈ KGen(1k ), it holds that maxα∈{0,1}p(k) pvk,α = negl(k), where pvk,α = Pr[β ← {0, 1}k : ˜ ˜ ˜ (α, β, γ)) = 1]. ∃γ such that V2 (vk, We define the Fiat-Shamir transformation using hash function ensemble H as the conversion of an interactive Fiat-Shamir signature scheme F S G with oracle access to O to the (non-interactive) Fiat-Shamir digital signature scheme F S(H), as follows (or as described in Sec. 2.1). Definition 3. Let O be an arbitrary function from {0, 1}∗ to {0, 1}k . Let H = {Hk }k∈N be a hash function ensemble, such that h : {0, 1}∗ → {0, 1}k for k ∈ N, and h ∈ Hk . Let F S = (KGen, Sign, Vrfy = (V1 , V2 )) be an interactive FiatShamir signature scheme with oracle access to O. The Fiat-Shamir paradigm transforms F S O into F S(H) using H. The resulting implementation, F S(H) = (KGen , Sign , Vrfy = (V1 , V2 )), is specified as follows. – KGen , the key-generation algorithm, takes as input 1k and invoke KGen with 1k to get (vk, sk). It picks up h ← Hk randomly and outputs (vk , sk ), where vk := (vk, h) and sk := sk. – Sign , the signing algorithm, takes (vk , sk , m) as input and parses vk to (vk, h). It then feeds (vk, sk, m) to Sign, where sk := sk , to let Sign submit (α, m). Sign computes β = h(α, m) to reply Sign with. Sign outputs σ as the signature of m with respects to vk , where σ is the output of Sign(vk, sk, m). – Vrfy = (V1 , V2 ), the verification algorithm. V1 takes (vk , m, σ) as input, parses vk to (vk, h) and feeds (vk, m, σ) to V1 to get (α, m), where σ = (α, β, γ). V1 computes β = h(α, m) and feeds it to V1 . If V1 outputs 0, then V1 outputs 0 and halts the verification procedure, otherwise feeds (vk , α, β, γ) to V2 . V2 takes (vk , α, β, γ) as input, parses vk to (vk, h) and feeds (vk, α, β, γ) to V2 . V2 outputs 1 if and only if V2 (vk, α, β, γ) = 1.
4
Proposed Digital Signature Scheme
A design for iteration H is a deterministic polynomial-time Turing machine. Let F S = (KGen, Sign, Vrfy = (V1 , V2 )) be an arbitrary interactive Fiat-Shamir
On the Insecurity of the Fiat-Shamir Signatures
125
signature scheme (as defined in Sec. 3). For simplicity, we assume that the first and the third messages, α , γ, sent by Sign in F S are chosen from {0, 1}p(k) for some polynomial p. We propose an interactive Fiat-Shamir signature scheme F S = (KGen , Sign , Vrfy ), as follows: – The key-generation algorithm KGen takes 1k , runs KGen with 1k , and outputs (vk, sk), generated by KGen(1k ). – The signing algorithm Sign takes as input (vk, sk) and message m and produces signature (α, β, γ) as follows. It first runs Sign on input (vk, sk) and m to get the first message (α , m). Then, Sign produces a description of an arbitrary hash function : {0, 1}n(k) → {0, 1}k , denoted π, such that |π| ≤ |m| and the maximum running steps taken by π evaluating an element in {0, 1}n(k) is less than or equal to |m|. Then, it chooses m ∈ {0, 1}|m| at random to set α = (α , π, m ). Sign submits (α, m) to hash oracle O and gets β. It then feeds β to Sign and gets γ. Finally Sign outputs (α, β, γ) as the signature of m. – The verification algorithm Vrfy = (V1 , V2 ). V1 takes as input (vk, m, σ). First, it parses σ to (α, β, γ) such that α = (α , π, m ). V1 feeds (vk, m, (α , β, γ)) to V1 . When V1 makes oracle query (α , m), V1 instead submits (α, m) to oracle O and feeds β = O(α, m) to V1 . If V1 outputs 0, V1 outputs 0 and halts, otherwise run V2 on input (vk, (α, β, γ)). V2 feeds (vk, (α , β, γ)) to V2 . If V2 outputs 1, then V2 outputs 1. Otherwise, V2 evaluates H(π)(α, m ). If it can be evaluated within an a-priori bounded number of steps, a polynomial in (k + |m|), and H(π)(α, m ) = β, V2 outputs 1, otherwise 0. Theorem 1. The proposed signature scheme F S is proof for KGen if the underlying signature scheme F S is proof for KGen. ˜ ˜ α , β, γ) with only a Since F S is proof for KGen, if vk ∈ KGen, V2 accepts (vk, negligible probability for any α . To exceed a negligible acceptance probability, it must hold H(π)(α, m ) = β with a non-negligible probability. However, the probability of holding H(π)(α, m ) = β is simply 2−k for any α, because π and m must be determined before β is chosen, where α = (α , π, m ).
5
Separation Results with Iterative Functions
The proposed signature scheme is secure in the random oracle model if H is carefully designed but for any H, cannot be securely implemented in the real world, when the implemented hash function is a iterative hash function using design for iteration H. Theorem 2. Let G : {0, 1}n(k) → {0, 1}k and R : {0, 1}∗ → {0, 1}k be random oracles. Let H be a design for iteration such that HG be computationally indifferentiable from R, such as [13, 23, 6, 12]. Let F S R be an interactive FS G signature scheme that is EUF-CMA in the random oracle model. Then, F S H is EUF-CMA in the random oracle model.
126
E. Fujisaki, R. Nishimaki, and K. Tanaka
We only give the sketch of the proof, because it is somewhat straight-forward. G Let A0 be an adversary that attacks our proposed scheme F S H in the sense of existentially forgeability under adaptively chosen message attacks in the random oracle model. We call this attack game game G0 . Let E0 be the event that A wins in game G0 . In game G1 , we construct adversary A1 (using A0 as oracle) that attacks F S R in the sense of EUF-CMA in the random oracle model. Since HG is computationally indifferentiable from random oracle R : {0, 1}∗ → {0, 1}k , for any oracle query of A0 to G, A1 can make the consistent answer, having access to R, with an overwhelming probability. Hence, Pr[E1 ] ≈ Pr[E0 ], where E1 is the event that A1 wins in game G1 . In game G2 , we modify verification algorithm Vrfy such that it accepts if and only if β = R(α, m) and V2 (vk , (α , β, γ)) = 1. Let E2 be the event that adversary A2 (= A1 ) wins in game G2 . The probability of holding H(π)(α, m ) = R(α, m) is simply 2−k for any (α, m), because π must be determined before α = (α , π, m ) is queried to R. Therefore, Pr[E2 ] ≈ Pr[E1 ]. In game G3 , we construct adversary A3 (using A2 as oracle) that attacks F S R in the sense of EUF-CMA in the random oracle model. Let E3 be the event that A3 wins in game G3 . For oracle query (α, m) of A2 to R, A3 converts it to a query (α , (π, m , m)) to R. By construction, it holds that Pr[E3 ] = Pr[E2 ]. By assumption, F S R is EUF-CMA in the random oracle model, which means Pr[E3 ] = negl(k). Hence, Pr[E0 ] = negl(k), since Pr[E0 ] ≈ Pr[E3 ]. Theorem 3. For any polynomial-time Turing machine H, F S (H(F )) is vulnerable against key only attacks for any polynomial-size hash function ensemble F = {Fk }k∈N , where F is a hash function ensemble with a bounded input length n, where for every k ∈ N, and every f ∈ Fk , f : {0, 1}n(k) → {0, 1}k . To prove the statement above, we construct an adversary that forges a signature, only given vk = (vk, f ). The adversary makes a program fˆ that efficiently computes f : {0, 1}n(k) → {0, 1}k . Let t := max(t , |fˆ|), where t is the maximum running steps of fˆ to compute f (x) for x ∈ {0, 1}n(k), and |fˆ| is the length of the binary representation of program fˆ. Note that, since f is part of vk , it is easy to construct such a program and computes the maximum running steps over {0, 1}n(k) . Then, let the adversary choose an arbitrary message m such that t ≤ |m|, arbitrary α , γ ∈ {0, 1}p(k) . Then it sets α = (α , fˆ, m) and computes β = H(fˆ)(α, m). Finally the adversary outputs (m, (α, β, γ)) as a forged signature for m, where α = (α , fˆ, m). The remain to be shown is that V2 in Vrfy can compute H(fˆ)(α, m) within an a-priori bounded polynomial number of steps in |m| + k, regardless of any (a-priori unbounded) polynomial-size function ensemble F . Let q be the number of queries of H to fˆ, which is bounded by some fixed polynomial (depending on fixed H) in the length of (α, m). So, the number of the running steps to compute H(fˆ)(α, m) is at most q · t + O(poly(k)) (Remember that t is the maximum running steps of fˆ to compute f (x) for x ∈ {0, 1}n(k)). Since the binary length of
On the Insecurity of the Fiat-Shamir Signatures
127
(α, m) is |α | + |fˆ| + 2|m|, which is O(poly(|m| + k)), the number of the running steps of computing H(fˆ)(α, m) is O(poly(|m| + k)).
6
Conclusion
If a hash function used in the Fiat-Shamir paradigm is chosen from an iterative hash function (ensemble), we can show a very simple example that the FiatShamir signature scheme cannot be securely implemented even against key only attacks. Our negative result can apply to the class that [19] ruled out. We slightly extended the Fiat-Shamir paradigm to show the above results.
References 1. Abdalla, M., An, J., Bellare, M., Namprempre, C.: From identification to signatures via the fiat-shamir transform: Minimizing assumptions for security and forwardsecurity. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 418. Springer, Heidelberg (2002) 2. Barak, B.: How to go beyond the black-box simulation barrier. In: Proceedings of the 42th IEEE Annual Symposium on Foundations of Computer Science (FOCS 2001) (October 2001), http://www.math.ias.edu/~ boaz 3. Barak, B., Goldreich, O.: Universal arguments and their applications. In: Conference on Computational Complexity 2002 (2002) 4. Bellare, M., Ristenpart, T.: Multi-property-preserving hash domain extension and the emd transform. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 299–314. Springer, Heidelberg (2006) 5. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: First ACM Conference on Computer and Communication Security, pp. 62–73. Association for Computing Machinery (1993) 6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: Ecrypt Hash Workshop 2007 (May 2007) 7. Boldyreva, A., Fischlin, M.: Analysis of random oracle instantiation scenarios for oaep and other practical schemes. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 412–429. Springer, Heidelberg (2005) 8. Bellare, M., Boldyreva, A., Palacio, A.: An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 171–188. Springer, Heidelberg (2004) 9. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: Proceedings of the 30th annual ACM Symposium on Theory of Computing (STOC 1998), New York, pp. 209–218 (1998) 10. Canetti, R., Goldreich, O., Halevi, S.: On the random oracle methodology as applied to length-restricted signature schemes. In: Naor [26], pp. 40–57 11. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004) 12. Chang, D., Nandi, M.: Improved indifferentiability security analysis of chopMD hash function. In: Preproceedings of FSE 2008 (2008)
128
E. Fujisaki, R. Nishimaki, and K. Tanaka
13. Coron, J.S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damg˚ ard revisited: How to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005) 14. Damg˚ ard, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990) 15. Dodis, Y., Oliveria, R., Pietrzak, K.: On the generic insecurity of the full domain hash. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 449–466. Springer, Heidelberg (2005) 16. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM. J. Computing 30(2), 391–437 (2000); Presented in STOC 1991 17. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1986) 18. Goldreich, O.: Foundations of Cryptography, 1st edn., vol. 2 (Basic Applications). Cambridge University Press, Cambridge (2004) 19. Goldwasser, S., Kalai, Y.T.: On the (In)security of the Fiat-Shamir Paradigm. In: Proceedings of the 44th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2003 (2003) 20. Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing 17(2), 281–308 (1988) 21. Halevi, S., Myers, S., Rackoff, C.: On seed-incompressible functions. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 19–36. Springer, Heidelberg (2008) 22. Maurer, U.M., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor [26], pp. 21–39 23. Maurer, U.M., Tessaro, S.: Domain extension of public random functions: Beyond the birthday barrier. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 187–204. Springer, Heidelberg (2007) 24. Merkle, R.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990) 25. Micali, C.: CS proofs. In: Proceedings of the 35th IEEE Annual Symposium on Foundations of Computer Science (FOCS 1994), pp. 436–453 (1997) 26. Naor, M. (ed.): TCC 2004. LNCS, vol. 2951. Springer, Heidelberg (2004) 27. Nielsen, J.B.: Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-commiting Encryption Case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 111. Springer, Heidelberg (2002) 28. Ohta, K., Okamoto, T.: On concrete security treatment of signatures derived from identification. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 354–369. Springer, Heidelberg (1998) 29. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996) 30. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. Journal of Cryptology 13(4), 361–396 (2000) 31. Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosenciphertext security. In: Proceedings of the 40th IEEE Annual Symposium on Foundations of Computer Science (FOCS 1999), pp. 543–553 (1999) 32. De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust noninteractive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 566. Springer, Heidelberg (2001)
Is the Notion of Divisible On-Line/Off-Line Signatures Stronger than On-Line/Off-Line Signatures? Man Ho Au, Willy Susilo, and Yi Mu Center for Computer and Information Security Research School of Computer Science and Software Engineering University of Wollongong, Australia {aau,wsusilo,ymu}@uow.edu.au
Abstract. On-line/Off-line signatures are useful in many applications where the signer has a very limited response time once the message is presented. The idea is to perform the signing process in two phases. The first phase is performed off-line before the message to be signed is available and the second phase is performed on-line after the message to be signed is provided. Recently, in CT-RSA 2009, Gao et al. made a very interesting observation that most of the existing schemes possess the following structure. In the off-line phase, a partial signature, called the off-line token is computed first. Upon completion of the on-line phase, the off-line token constitutes part of the full signature. They considered the “off-line token exposure problem” in which the off-line token is exposed in the off-line phase and introduced a new model to capture this scenario. While intuitively the new requirement appears to be a stronger notion, Gao et al. cannot discover a concrete attack on any of the existing schemes under the new model. They regard clarifying the relationship between the models as an open problem. In this paper, we provide an affirmative answer to this open problem. We construct an On-line/Offline signature scheme, which is secure under the ordinary security model whilst it is insecure in the new model. Specifically, we present a security proof under the old model and a concrete attack of the scheme under the new model. This illustrates that the new model is indeed stronger. Keywords: on-line/off-line signatures, divisible on-line/off-line signatures, OS-EU-CMA, DOS-EU-CMA.
1
Introduction
The notion on-line/off-line signatures (OS) was put forth by Even, Goldreich and Micali in 1990 [11]. Their main idea is to split the signature generation algorithm into two phases, namely, off-line phase and on-line phase. To achieve efficient signing when a message is presented, they utilized an off-line phase to handle the most costly computations. When a message is available, the on-line
This work is supported by ARC Discovery Grant DP0877123.
J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 129–139, 2009. c Springer-Verlag Berlin Heidelberg 2009
130
M.H. Au, W. Susilo, and Y. Mu
phase can then be performed efficiently in order to generate the required signature. Some of the signature schemes naturally fit into the framework of an on-line/off-line signature. The list includes the schemes from Fiat-Shamir (or any signature scheme obtained from Σ-Protocol using the Fiat-Shamir heuristics) [12], Schnorr [19], El-Gamal [13] and Boneh-Boyen [4]. Based on the work from Even, Goldreich and Micali, Shamir and Tauman [20] proposed an improved online/offline signature scheme utilizing the hash-signswitch paradigm . The online signing phase of their scheme maintains the efficiency of Even et al., while key size and signature size are largely reduced. Since then, many subsequent works have been done [15,24,16,22,23,7,9,6]. 1.1
Divisible of OS Schemes
Recently, in CT-RSA 2009, Gao et al. [26] made an interesting observation that most of the existing on-line/off-line signature schemes [13,22,23,7,16,9,6] share the following divisibility structure. A partial signature, called an off-line token, is first computed in the off-line phase. The remaining part of the signature is generated in the on-line phase when the message is known. OS schemes satisfying this framework is said to be divisible. Although the signature generation process is split into two stages, the transmission of the signature is a one-time process. The complete signature is sent to the recipient at the end of the on-line phase. Gao et al. studied an interesting problem: can the off-line token be transmitted to the recipient prior to the on-line phase while maintaining the security of the OS scheme? The significance of the question is that, the signer could send the signature in stages (during the off-line phase), possibly when the channel is less busy. This can make better utilization of the bandwidth. Another scenario is when the off-line tokens are unavoidably exposed to others (they referred this case as the “token exposure problem”), in case of on-line/off-line threshold signatures [9,6]. Gao et al. studied this off-line token exposure problem and proposed a new security model to capture it. In this paper, we referred the new model as DOSEU-CMA1 to distinguish it from the traditional (or ‘regular’) model of OS-EUCMA [11]. The standard notion of security for a signature scheme is existential unforgeability under chosen message attack (EU-CMA) [14]. Informally speaking, an attacker in this notion can request signatures on messages of its choice, possibly adaptively, before outputting a forged signature on any message, provided that it has not been given a signature on that message. Definition of DOSEU-CMA and OS-EU-CMA shall be reviewed in Section 2.5. Looking ahead, it is fair to say the notion OS-EU-CMA closely follows the requirement of EU-CMA in which the OS is treated as an ordinary signature. Additionally, an attacker in DOS-EU-CMA is allowed to separate his query of signature into two phases. Specifically, the attacker is allowed to decide the querying message after receiving the off-line token. 1
The abbreviation DOS refers to divisible on-line/off-line signatures.
Is the Notion of DOS Stronger than OS?
131
Gao et al. presented a new scheme secure under their new model. They also analyzed several existing schemes and observed that some of them are secure under the new model as well. Furthermore, the security of the remaining schemes under their examination is less clear. While they are not able to derive security proof under the new model, they also cannot discover any concrete attack on these schemes. Hence, they left the problem of finding the potential gap between the model of DOS-EU-CMA and OS-EU-CMA as an open problem. Specifically, they questioned whether a scheme that is secure in OS-EU-CMA but it is not secure in DOS-EU-CMA can be constructed at all, as an open problem. 1.2
Our Contribution
In this paper, we provide an affirmative answer to the aforementioned open problem. Specifically, we construct an on-line/off-line signature scheme2 and prove its security under the model of OS-EU-CMA. Then, we present a concrete attack on our scheme under the model of DOS-EU-CMA. Consequently, our construction illustrates the gap between to two models. In summary, we provide an affirmative answer to the open problem raised by Gao et al. in [26] and show that the new model is indeed stronger than the traditional model. We would like to stress that the sole purpose of our construction is to demonstrate the theoretical gap between the models. Thus, efficiency is not of our concern and indeed our scheme is by no means practical compared with existing On-line/Offline signatures. Table 1. Summary of the separation between the traditional model and the new model
[12,13,4,20,22,7] [19,9,6,26] Our scheme
1.3
Secure under the traditional model? Secure under the new model [26]? ? ×
Organization of the Paper
The rest of this paper is organized as follows. In Section 2, we review preliminaries including the models of OS-EU-CMA and DOS-EU-CMA. Next, we present our OS scheme, its security analysis under the model of OS-EU-CMA and an attack in the model of DOS-EU-CMA in Section 3. Finally, we conclude the paper in Section 4.
2
We note that we are not concentrating on developing a practical or efficient scheme. Rather, we are interested to show a scheme that is secure under OS-EU-CMA but it is not secure under DOS-EU-CMA, and hence, it provides an answer to the open problem raised by Gao et al. [26].
132
2
M.H. Au, W. Susilo, and Y. Mu
Preliminaries
2.1
Miscellaneous Notations
If S is a set, |S| represents its cardinality. If S is a non-empty set and a ∈R S, then a is an element in S drawn uniformly at random from S. We denote by Z the set of integers {. . . , −2, −1, 0, 1, 2, . . .} and by Zp we denote the set {0, . . . , p−1}. We say that a function negl(k) is a negligible function [1], if for all polynomials f (k), for all sufficiently large k, negl(k) < 1/f (k). 2.2
Bilinear Map
A pairing is a bilinear mapping from a pair of group elements to a group element. Specifically, let G1 , GT be cyclic groups of order p. Let g be a generator of G1 . A function eˆ : G1 × G1 → GT is said to be a pairing if it satisfies the following properties: – (Bilinearity.) eˆ(ux , v y ) = eˆ(u, v)xy for all u, v ∈ G1 and x, y ∈ Zp . – (Non-Degeneracy.) eˆ(g, g) = 1GT , where 1GT is the identity element of GT . – (Efficient Computability.) eˆ(u, v) can be computed efficiently (that is, in polynomial time) for all u, v ∈ G1 . – (Unique Representation.) All elements in G1 and GT have unique binary representation. 2.3
Number-Theoretic Assumptions
Security of our proposed signature scheme is related to the hardness of the following problems. The Discrete Logarithm Assumption. The discrete logarithm problem (DLP) [5] forms the basis in the security of many cryptosystems. Definition 1. The Discrete Logarithm Problem in G = g is defined as follows: On input a tuple (g, Y ) ∈ G2 , output x such that Y = g x . Shoup [21] derived a lower bound on any algorithms that solve DLP without exploiting any special properties of the encoding of the group element. Such algorithms are known as generic algorithms. Specifically, the lower bound is √ Ω d , where d is the largest prime dividing the order of the group. Indeed, such bound is met by the well-known Pollard’s rho algorithm [18] that works in arbitrary groups. The discrete logarithm assumption stated that there is no PPT algorithm solves DLP with non-negligible probability. Computational Diffie-Hellman Assumption. If we can solve DLP in G, we can also solve the computational Diffie-Hellman (CDH) [10] problem although whether the converse is true or not is still an open problem. Definition 2. The Computational Diffie-Hellman Problem in G = g such that |G| = p is defined as follows: On input a tuple (g, g x , g y ) ∈ G3 , output g xy . The CDH assumption states that no PPT solves CDHP with non-negligible probability.
Is the Notion of DOS Stronger than OS?
133
The Pairing Pre-image Assumption Definition 3. The Pairing Pre-Image Problem (PPIP) in G1 , GT such that G = g, |G1 | = |GT | = p with pairing eˆ : G1 × G1 → GT is defined as follows: On input a tuple (g, Z) ∈ G1 × GT , output X ∈ G1 such that eˆ(X, g) = Z. This problem is often implicitly assumed to be hard in many cryptosystems employing bilinear maps. Indeed , it is straightforward to show PPIP is no harder than DLP in GT and no easier than CDHP in G1 . Specifically, suppose DLP in GT is easy. Given a PPIP instance (g, Z), compute x such that Z = eˆ(g, g)x by solving DLP in GT of Z to base eˆ(g, g). Output g x as the solution to PPIP instance. On the other hand, assume PPIP is easy. Given a CDHP instance (g, g a , gb ) in G1 , compute X such that eˆ(X, g) = eˆ(g a , g b ) by solving PPIP with input g, eˆ(g a , g b ) . Output X as the solution of the CDHP instance. Thus, we have the following relationship between CDHP in G1 , PPIP and DLP in GT . CDHP in G1 0) and inserts (IDi , li P, li ) into the tuple list. • If IDi is the identifier of a gateway, then A sends this query to the simulator. The simulator randomly selects li ∈ Z∗q , and sends Qi = li P to A. A inserts (IDi , Qi , ⊥) into H1list . • A responds H1 (IDi ) = Qi to B. H2 (Si ) queries: Algorithm A maintains an initially empty list H2list with entries of the form (Su , mu , Ru , wu ). A responds to the query in the follows way. – If a tuple (Si , mi , Ri , wi ) has already appeared on the H2list , then A responds with Ri . – Otherwise, A randomly selects mi (i > 0) ∈R Z∗q . If mi aP = P , then responds to the BDH challenge with eˆ(bP, cP )1/mi . Otherwise A inserts (Si , mi , mi aP, ⊥) into the tuple list. A responds with mi aP . H3 (IDit , IDjt , Tit , Tjt , K t ) queries: A maintains an initially empty list H3list with entries of the form (IDit , IDjt , Tit , Tjt , K t , ζ t ) which is indexed by (IDit , IDjt , Tit , Tjt , K t ). A responds to the query in the following way. – If a tuple indexed by (IDit , IDjt , Tit , Tjt , K t ) is on the list, then A responds with ζ t . – Otherwise, A chooses a random string ζ t ∈ {0, 1}n and inserts a new tuple (IDit , IDjt , Tit , Tjt , K t , ζ t ) into the list H3list and returns ζ t . CorruptS (IDi ): A keeps a list Δ of (IDi , h(x1 ), h(x2 ), · · · , h(xn )) where IDi is the identifier of the gateway. A checks the list Δ . – If there is a tuple indexed by IDi , A returns h(xj ) ( j ∈ {1, · · · n} ) to B. – Otherwise, A gives the query to the simulator. The simulator proceeds in the following way: • Choose p random values aj−1 (j = 1, · · · , p) and construct h(x) = ap−1 xp−1 + ap−2 xp−2 + · · · + a1 x + a0 ; • Choose n random values x1 , · · · , xn and compute h(xj ) (1 ≤ j ≤ n). • Return h(xj ) to A, then A inserts ( IDi , h(x1 ), h(x2 ), · · · , h(xn ) ) into the list Δ . • Query Qi = H1 (IDi ). If Qi = bP , then ∗ Construct f (x) = xh(x) · Qi + aQi ; ∗ Choose a random value x0 and compute f (x0 ). ∗ Return f (x0 ) to A, then A inserts (IDi , f (x0 )) to Δ.
Server-Controlled Identity-Based Authenticated Key Exchange
225
Otherwise, A inserts (IDi , ⊥) to Δ. – A returns h(xj ) to B. CorruptA (IDi ): A goes through list H1list . If IDi is not on the list, A queries H1 (IDi ). A checks the value of li : if li =⊥, then A responds with li aP ; otherwise, A aborts the game (Event 1). CorruptB (IDi ): A keeps a list Δ of (IDi , f (x0 )) and a list Δ of (IDi , h(x1 ), h(x2 ), · · · , h(xn )). – If the tuple indexed by IDi is on the list, A returns f (x0 ) to B. – Otherwise, A gives the query to the simulator. The simulator proceeds in the following way: • Choose p random values aj−1 (j = 1, · · · , p) and construct h(x) = ap−1 xp−1 + ap−2 xp−2 + · · · + a1 x + a0 ; • Choose n random values x1 , · · · , xn and compute h(xj ) (1 ≤ j ≤ n). • Return h(xj ) to A, and then A inserts (IDi , h(x1 ), h(x2 ), · · · , h(xn )) into the list Δ . • Query Qi = H1 (IDi ). If Qi = bP , the simulator does the following: ∗ Construct f (x) = xh(x) · Qi + aQi ; ∗ Choose a random value x0 and compute f (x0 ). ∗ Return f (x0 ) to A, and then A inserts (IDi , f (x0 )) to Δ. ∗ Return f (x0 ) to B. Otherwise, A inserts (IDi , ⊥) to Δ and aborts the game (Event 2). t t SendA (Πi,j , M ): A maintains a list Ω1 for each oracle of the form (Πi,j , tranti,j , t t (r1 )ti,j , (r2 )ti,j , Ki,j ,SKi,j ) where tranti,j is the transcript of the oracle so far; t t (r1 )i,j , (r2 )i,j are the random integers used by the oracle to generate the mest t sages, and Ki,j and SKi,j are set ⊥ initially. This list is updated in other queries as well. A proceeds in the following way:
– Split M as M = (M1 , M2 ), and query Qi = H1 (IDi ) = li P , Qj = H1 (IDj ) and R = H2 (M1 ). – If M = ⊥, proceed as follows: • If t = J, ∗ If Qj = bP , abort the game (Event 3). ∗ Otherwise, randomly choose ξ ∈ Z∗q and ξ such that Φ = ξli cP is not shown on H2list , then randomly sample wt ∈ Z∗q and insert (ξli cP, ⊥, wt P, wt ) into H2list . Respond with (ξli cP , wt ξcP , ξ P and ξξ li cP ). Set (r1 )ti,j = ξc = ⊥ and (r2 )ti,j = ξa = ⊥. It is easy to verify that the response can pass the message check eˆ(wt P, ξli cP ) = eˆ(wt ξcP, li P ) and eˆ(P, ξξ li cP ) = eˆ(ξli cP, ξ P ).
226
H. Guo et al.
• Otherwise, randomly choose (r1 )ti,j ∈ Z∗q and (r2 )ti,j ∈ Z∗q such that (r1 )ti,j bP has not been shown on H3list as some Xu . Respond with ((r1 )ti,j Qi , (r1 )ti,j H2 ((r1 )ti,j Qi ), (r2 )ti,j aP , (r1 )ti,j (r2 )ti,j li aP ) where li aP can be found in the tuple index by IDi from H1list . – If M is the last message on the transcript, check if the equation eˆ(M1 , R) = eˆ(Qj , M2 ) holds or not. If not, reject the session. Otherwise, do nothing but accept the session. t t t SendB (Πi,j , M ): A maintains a list Ω2 for each oracle of the form (Πi,j , tranti,j ,ri,j , t t t t Ki,j ,SKi,j ) where trani,j is the transcript of the oracle so far; ri,j is the random t t integer used by the oracle to generate the messages, and Ki,j and SKi,j are set ⊥ initially. This list is updated in other queries as well. A proceeds in the following way:
– If M is the first message on the transcript, respond with M . – If M is the third message on the transcript, do the following: • If t = J, ∗ If Qj = bP , abort the game (Event 4). ∗ Otherwise, forward the query to the simulator. The simulator randomly samples ξ ∈ Z∗q such that Φ = ξli cP is not shown on H2list , and chooses wt ∈ Z∗q , then computes ξli cP and wt ξcP and returns them to A. A inserts (ξli cP, ⊥, wt ξcP, wt ) into the list H2list , and t responds with (ξli cP , wt ξcP ) and sets ri,j = ⊥. t t • Otherwise, randomly choose ri,j ∈ Z∗q such that ri,j bP has not been list t t t shown on H3 as some Xu . Respond with (ri,j Qi , ri,j H2 (ri,j Qi )). t SendS (Πi,j , M ): A keeps an initially empty list Γ with the entries of the form t (Πi,j , ((y1 )1 , (y2 )1 ), ((y1 )2 , (y2 )2 ), · · · , ((y1 )n , (y2 )n )). A firstly spits the message M as (M1 , M2 , M3 , M4 ), then queries Qi = H1 (IDi ) and R = H2 (M1 ). A checks the equations eˆ(M1 , R) = eˆ(Qi , M2 ) and eˆ(P, M4 ) = eˆ(M3 , M1 ). If the equations do not hold, reject the section. Otherwise, do the following:
– – – – –
Query CorruptS (IDi ) and Qj = H1 (IDj ). Compute g˜1 = eˆ(Qi , Qj ) and g˜2 = eˆ(M1 , Qj ). Compute (y1 )k = g˜1 h(xk ) and (y2 )k = g˜2 h(xk ) (k ∈ {1, 2, · · · , n}). t Insert a new tuple indexed by Πi,j into the list Γ . Respond at least p pairs ((y1 )k , (y2 )k ) (1 ≤ k ≤ n) to B.
t t RevealA (Πi,j ): A maintains a list L with tuples of the form (IDi , IDj , Ti , Tj , Πi,j ) where Ti is the message generated by IDi , and Tj = (M1 , M2 ) is the message received by IDi . A answers the queries as follows: t – Get the tuple of oracle Πi,j from Ω1 . t – If oracle Πi,j has not accepted, respond with ⊥. J – If t = J or if the J-th oracle has been generated as Πa,b and IDa = IDj , IDb = IDi and two oracles have the same session ID, abort the game (Event 5).
Server-Controlled Identity-Based Authenticated Key Exchange
227
t t – If SKi,j = ⊥, return SKi,j . – Otherwise, query Qi = H1 (IDi ). • If li = ⊥ (so di = li aP ), compute t
t Ki,j = eˆ(li aP, Qj )(r1 )i,j · eˆ(li aP, M1 )
where Qj is found from H1list for identifier IDj and M1 is the first tuple of the received message Tj . By making an H3 query, set t t SKi,j = H3 (IDi , IDj , Ti , Tj , Ki,j ). t t Update Ω1 by putting SKi,j , and then return SKi,j as the response. • Otherwise, it should have di = abP . A does not know this value and t t should not be able to compute Ki,j = eˆ(abP, Qj )ri,j · eˆ(abP, M1 ). A proceeds as follows: ∗ Query R = H2 (M1 ) and Qj = H1 (IDj ). ∗ Go through the list H2list to find a tuple (M1 , mt , mt aP, ⊥) indexed by M1 . If such a tuple exists, since Tj = (M1 , M2 ) satisfied the equation
eˆ(R, M1 ) = eˆ(M2 , lj P ), i.e., eˆ(mt aP, M1 ) = eˆ(M2 , lj P ), A forwards this query to the simulator. The simulator computes t
t Ki,j = eˆ(abP, Qj )ri,j · eˆ(abP, M1 ) lj t = eˆ(ri,j aP, lj bP ) · eˆ(bP, M2 ) mt
and returns it to A. A sets t t SKi,j = H3 (IDi , IDj , Ti , Tj , Ki,j ) t ∗ Otherwise, randomly sample SKi,j ∈ {0, 1}n, put (IDi , IDj , Ti , Tj , t Ki,j ) into the list L. t ∗ Return SKi,j as the response. t RevealB (Πi,j ): A maintains a list L with tuples of the form (IDi , IDj , Ti , Tj , t Πi,j ) where Ti is the message generated by IDi , and Tj = (M1 , M2 , M3 , M4 ) is the message received by IDi . A answers the queries as follows: t – Get the tuple of oracle Πi,j from Ω2 . t – If oracle Πi,j has not accepted, respond with ⊥. J – If t = J or if the J-th oracle has been generated as Πa,b and IDa = IDj , IDb = IDi and two oracles have the same session ID, abort the game (Event 6).
228
H. Guo et al.
t t – If SKi,j = ⊥, return SKi,j . – Otherwise, • Query Qi = H1 (IDi ) and Qj = H1 (IDj ). • If Qi = bP , compute
g˜1 h(x) = g˜1
p
s=1
h(xis )
p
x−xj j=1,j=s xi −xi s j
=
p s=1
g˜2 h(x) = g˜2
p
s=1
h(xis )
p
x−xj j=1,j=s xi −xi s j
=
p s=1
p
(yis )
x−xj j=1,j=s xi −xi s j
.
p
(yis )
x−xj j=1,j=s xi −xi s j
.
g˜1 h(x0 ) = eˆ(Qj , H1 (IDi )))h(x0 ) . g˜2 h(x0 ) = eˆ(M1 , H1 (IDi ))h(x0 ) . eˆ(Qj , f (x0 )) (g˜1 h(x0 ) )x0 eˆ(M1 , f (x0 )) (g˜2
h(x0 ) x0 )
=
eˆ(Qj , x0 h(x0 )H1 (IDi ) + Di ) = eˆ(Qj , Di ). eˆ(Qj , H1 (IDi ))x0 h(x0 )
=
eˆ(M1 , x0 h(x0 )H1 (IDi ) + Di ) = eˆ(M1 , Di ). eˆ(M1 , H1 (IDi ))x0 h(x0 ) t
skij = eˆ(Qj , Di )ri,j · eˆ(M1 , Di ). Here, Qj is found from H1list and M1 is the first tuple of the received mest t sage Tj . By making an H3 query, set SKi,j = H3 (IDj , IDi , Tj , Ti , Ki,j ). t t Update Ω2 by putting SKi,j and return SKi,j as the response. • Otherwise, it should have di = abP . A does not know f (x0 ) and should not be able to compute eˆ(abP, M1 ), thus should not be able to compute t t Ki,j = eˆ(Qj , abP )ri,j · eˆ(abP, M1 ) A proceeds as follows: ∗ Query R = H2 (M1 ) where M1 is found from Ω2 . ∗ Go through the list H2list to find a tuple (M1 , mt , mt aP, ⊥) indexed by M1 . Since (M1 , M2 ) satisfied the equation eˆ(M1 , R) = eˆ(Qj , M2 ), i.e, eˆ(M1 , mt aP ) = eˆ(lj P, M2 ), we can compute t
t t skij = eˆ(Qj , abP )ri,j · eˆ(abP, M1 ) = eˆ(ri,j lj bP, aP ) · eˆ(bP,
li M2 ), mt
where Qj is found from H1list for identifier IDj and (M1 , M2 ) are the two first tuples of the received message Tj . Set t t SKi,j = H3 (IDj , IDi , Tj , Ti , Ki,j ) t ∗ Otherwise, randomly sample SKi,j ∈ {0, 1}n, put (IDi , IDj , Ti , Tj , t Ki,j ) into list L. t ∗ return SKi,j as the response.
Server-Controlled Identity-Based Authenticated Key Exchange
229
t s Test(Πi,j ): If t = J or t = J but there is an oracle Πj,i which has the same session t ID as Πi,j that has been revealed, B aborts the game (Event 7). Otherwise, B responds to A a random number ζ ∈ {0, 1}n. After B finishes the queries, it returns its guess. Then A proceeds with the following steps: J – If M1 is the first tuple of the received message of Πi,j where IDi is the identifier of the user, then compute D = eˆ(li aP, M1 ). Note that here we have di = li aP where li = ⊥ found from H1list corresponding to identifier IDi , and J Ki,j = eˆ(li aP, bP )ξc · eˆ(li aP, M1 ) = (ˆ e(P, P )abc )ξli · eˆ(li aP, M1 ). J – If M1 is the first tuple of the received message of Πi,j where IDi is the identifier of the gateway, A asks for li from the simulator. This is allowed since the simulation is already finished. A then proceeds as follows: • Compute
g˜2
h(x)
p
= g˜2
s=1
h(xis )
p
x−xj j=1,j=s xi −xi s j
=
p s=1
p j=1,j=s (yis )
x−xj xi −xi s j
,
where at least p h(xi ) can be found from the list Δ which is indexed by IDi . Then, compute g˜2 h(x0 ) = eˆ(M1 , H1 (IDi ))h(x0 ) . • Compute eˆ(M1 , f (x0 )) D= = eˆ(M1 , Di ) (g˜2 h(x0 ) )x0 where f (x0 ) is found from Δ for identifier IDi . J Note that Ki,j = eˆ(bP, li aP )ξc · eˆ(M1 , Di ) = (ˆ e(P, P )abc )li ξ · eˆ(M1 , Di ). 1
– A randomly samples Kl from the H3list , and responds (Kl /D) ξli to the BDH challenge. J Let Event 8 be that, in the attack, adversary B indeed chose the oracle Πi,j as the challenger oracle where Idj was queried on H1 as the I-th distinct identifier query. Then according to the rules of the game, we have
Pr[Event 8] = Pr[∨7i=1 Event i] ≥
1 1 · . q1 qo
Claim. Let Event 9 be the event that B noticed the inconsistence between the simulation and the real world when A did not abort the simulation. Then Event 9 implies that the probability A solves the BDH problem is non-negligible. Due to to the page limitation, the proof is omitted. Claim. Let Event 10 be the event that K = eˆ(li aP, ξbcP ) · eˆ(li aP, M1 ) was not queried on H3 conditioned on Event 8, then Pr[Event 8] ≥ n(k). Due to to the page limitation, the proof is omitted.
Oracle Separation in the Non-uniform Model Ahto Buldas1,2,3, , Sven Laur3 , and Margus Niitsoo1,3 2
1 Cybernetica, Akadeemia tee 21, 12618 Tallinn, Estonia Tallinn University of Technology, Raja 15, 12618 Tallinn, Estonia 3 University of Tartu, Liivi 2, 50409 Tartu, Estonia {Ahto.Buldas,Sven.Laur,Margus.Niitsoo}@ut.ee
Abstract. Oracle separation methods are used in cryptography to rule out blackbox reductions between cryptographic primitives. It is sufficient to find an oracle relative to which the base primitive exists but there are no secure instances of the constructed primitive. In practice, it is beyond our current reach to construct a fixed oracle with such properties for most of the reductions because it is difficult to guarantee the existence of secure base primitives. For example, to show that there exist no black-box reductions from collision-free functions to one-way permutations we have to show that secure one-way permutations exist relative to the oracle. However, no deterministic constructions for unconditionally secure one-way permutations are known yet. To overcome this gap, randomized oracles are used to create random base primitives that are secure on average. After that, a fixed oracle with the desired properties is extracted from the probability distribution by using non-constructive combinatorial arguments such as the first Borel-Cantelli lemma. This oracle extraction argument only applies to uniform reductions because it uses the countability of the set of all uniform Turing machines. In this work, we show how to adapt oracle separation results to the non-uniform security model. We consider the known separation techniques that are capable of ruling out the so-called fully black-box reductions and show that they can be extended to the non-uniform model with only minor modifications. As almost all separation results known to date fit into our separation framework, we conclude that they imply non-existence of fully black-box reductions in the non-uniform model. We also generalize our approach to a certain strong form of semi-black-box reductions. However, it stays an open question whether it is possible to adapt our technique to the weaker notions of black-box reductions in the non-uniform model.
1 Introduction Complex cryptographic protocols are often built from simpler building blocks called primitives. Usually, the security of such protocols is proved based solely on the security guarantees of the original primitives independent of their actual implementation details. Such constructions are called black-box reductions. To date, almost all security proofs for efficient cryptographic constructions utilize black-box reductions.
This research was supported by the European Regional Development Fund through the Estonian Center of Excellence in Computer Science (EXCS), by Estonian SF grant no. 6944, and by EU FP6-15964: “AEOLUS”.
J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 230–244, 2009. c Springer-Verlag Berlin Heidelberg 2009
Oracle Separation in the Non-uniform Model
231
Although back-box reductions are extremely useful cryptographic tools, there exist limits on where they can be applied. There are many known cases for which it is proved that such a reduction cannot exist. This usually means that a very clever proof construction is necessary if the reduction can be achieved at all. As very few of these clever constructions are known, the power and limits of black-box reductions are of a rather special interest to many people working in the field. The first separation result involving black-box reductions was given in 1989 by Impagliazzo and Rudich [5]. They showed that there are no such reductions from key agreement protocols to one-way functions. Their seminal paper was followed by a long line of similar types of results [3,4,8]. The approach was even generalized by Kim, Simon and Tetali [6] to give bounds on reduction efficiency. Though all these results leave open the existence of more specific security proofs they are still valuable hardness indicators as they rule out the most obvious approaches. Non-existence of black-box reductions is commonly shown by oracle separation techniques. In complexity theory, oracle separation has been widely applied to prove limits of the proving techniques capable of establishing set-theoretical inclusions between complexity classes. For example, with oracle separation one can easily show that diagonal arguments are insufficient to solve the famous P vs NP question. This is done by showing two oracles—one relative to which the conjecture holds and another for which it does not. In cryptography, oracle separation is used to argue that it is impossible to securely implement a primitive or a protocol P given only black-box access to a secure low-level primitive f as an instance of a class of primitives Q. This is done by defining an oracle such that the primitive f remains secure even if the adversary can access the oracle but any instance Pf of the protocol P being considered is insecure relative to the oracle. In classical separation results of complexity theory, oracles are defined as fixed functions that always behave the same way. In cryptographic separations, it is often hard to explicitly define a fixed separation oracle. For example, if one wishes that one way functions exist relative to the oracle, an explicit functional description of such function should then be given (as a part of the oracle). This is however still unreachable for the state of the art computer science—the existence of one way functions is conjectured but not yet proved. So, in cryptographic separations we often assume that oracles are chosen randomly from certain probability distributions. We then prove that the separation statements hold on average and then argue that there exists a particular choice of the oracle for which the statements hold. For example, one-way functions indeed exist in the random oracle model because random functions are one-way on average [5]. For modeling (simulating) a random oracle, it is often fruitful to assume that oracles are stateful— their output on a given input depends not only on the random choices but also on the previous queries made to the primitive. Such extensions can still be modeled via deterministic functions by just giving them random coins and their state as an extra input parameter. However, as the oracle separation results usually construct an oracle that gives an idealized implementation of the primitive, it makes sense to allow this oracle to also be either randomized or stateful. This is often modeled by constructing a large family of suitable deterministic oracles and then analyzing what happens on average if we pick one of them randomly. The same situation can also be formalized
232
A. Buldas, S. Laur, and M. Niitsoo
by having a large oracle that models the whole family and then giving it access to a randomness source so it could internally fix which constituent oracle it would use. This means that the reductions essentially use a randomized oracle. It would then seem natural that the oracle separation results would also be stated with respect to the random oracles. However, as the classical separation theorems are adopted from the classical model, the authors still try to make their oracle choice deterministic. Such an oracle extraction approach, though, has a big limitation—it usually requires the use of Borel-Cantelli lemma which only works when there are only countably many potential adversaries. In brief, non-existence of reductions can only be shown in the uniform model via this approach, as the set of non-uniform Turing machines is not countable. In this paper, we show that in many cases the oracle extraction step is actually unnecessary and propose a new oracle separation approach that is also applicable for non-uniform and precise reductions. For that, we show that there is a hierarchy of separation results depending on whether we treat cryptographic primitives as deterministic functions or randomized algorithms. As the main result, we prove that a separation result for randomized stateless primitives also implies the non-existence of black-box reductions for deterministic primitives. This means that one can freely use randomized oracle constructions to establish classical separation results. In particular, all classical separations [5,8,4] that were proved in the uniform setting can be shown to hold in the non-uniform and precise settings with just minor restrictions.
2 Preliminaries By x ← D we mean that x is chosen randomly according to a distribution D. If A is a probabilistic function or a Turing machine, then x ← A(y) means that x is chosen according to the output distribution of A on an input y. If D1 , . . . , Dm are distributions and F (x1 , . . . , xm ) is a predicate, then Pr [x1 ← D1 , . . . , xm ← Dm : F (x1 , . . . , xm )] denotes the probability that F (x1 , . . . , xm ) is true. We use the Big Oh notation for describing asymptotic properties of functions. In particular, f (k) = O(1) means that f is bounded and f (k) = k −ω(1) means that f (k) decreases faster than any polynomial, i.e., f is negligible. A Turing machine M is polytime if it runs in time k O(1) , where k denotes the input size that is mostly referred to as the security parameter. By an oracle Turing machine we mean an incompletely specified Turing machine S that comprises calls to oracles. The description can be completed by defining the oracle ∗ ∗ as a function O : {0, 1} → {0, 1} . In this case, the machine is denoted by SO . The function y ← O(x) does not have to be computable but has a conditional running time t(x), which does not necessarily reflect the actual amount of computations needed to produce y from x. The running time of SO comprises the conditional running time of oracle calls—each call O(x) takes t(x) steps. We assume that all the oracles O are polyO(1) time, that is t(x) = |x| , where |x| denotes the bit-length of x. Note that though the classical complexity-theoretic oracles only require a single step, this more general notion is appropriate in cryptography where oracles often model abstract adversaries with running time t. We say that S is a poly-time oracle machine if SO runs in polytime, whenever O is poly-time. By a non-uniform poly-time oracle machine we mean an
Oracle Separation in the Non-uniform Model
233
ordinary poly-time oracle machine S together with a family A = {ak }k∈N of (advice) bit-strings ak with length k O(1) . For any oracle O and any input x, it is assumed that SO (x) has access to the advice string a|x| . Usually, the advice strings are omitted for simplicity, but their presence must always be assumed when S is non-uniform. One of the most important facts about non-uniform poly-time Turing machines is that there is an uncountable number of them, whereas there are only countably many ordinary Turing machines.
3 Primitives Complex cryptographic constructions can often be decomposed into a few fundamental building blocks that are called primitives. One is usually interested in proving the security of constructions based solely on the properties of the underlying primitives. Reingold et al. [7] give a formal definition by considering primitives as families of functions of type f : {0, 1}∗ → {0, 1}∗ along with a matching between these functions and Turing machines implementing them. Indeed, for many common primitives such as one-way permutations or collision-resistant hash functions this formalization coincides with our intuition—an instance of a primitive is indeed just one function. In some more complicated cases that actually have more than one type of functionality, it may make more sense to define a primitive as a tuple of functions. However, we can usually concatenate these functions into one single function—we just use the first few input bits to tell the function which subfunction we want to use. This means that we can still formalize the primitive as one single function, although it may be a little counter-intuitive. A primitive is usually defined in terms of functional requirements that the instances of the primitive must satisfy before it makes sense to talk about their security. These requirements, though, are just syntactic and have nothing to do with security. For example, every permutation is an instance of the one-way permutation primitive, however, it does not have to be a secure instance. However, in the context of cryptography we also need to talk about security. Reingold et al. [7] define security in terms of a relation between primitives and Turing machines possibly breaking them. That is, a given machine either breaks the given primitive or it doesn’t. However, many common cryptographic primitives (such as one-way functions) already have randomness in their security games and thus breakages actually occur with certain probability. Hence, it makes sense to define the advantage as a function even for deterministic primitives and Turing machines. The advantage is usually defined in terms of the security parameter k which is usually tied to the actual input (or output) lengths used in the function1. All this leads to the following general definition. Definition 1 (Deterministic primitive). A deterministic primitive P is a set of functions of type f : {0, 1}∗ → {0, 1}∗. Primitives have an advantage function A DVP k (·, ·), which given as input the security parameter k ∈ N, an instance f of P, and an oraO cle Turing machine AO (an adversary) returns a real number A DVP k (f, A ) ∈ [0, 1] 1
By definition, the functions are required to work for all input lengths. This could be relaxed by defining some restrictions in the functional requirements part.
234
A. Buldas, S. Laur, and M. Niitsoo
(the advantage of AO ). The function A DVP k (f, ·) is extended to probabilistic Turing machines by taking the average over their randomness strings, assuming that each fixed randomness string gives a deterministic poly-time Turing machine for which A DV P () is O already defined. We say that AO breaks an instance f of P if A DV P = k −ω(1) . k (f, A ) O If for a fixed oracle O no probabilistic poly-time oracle Turing machine A breaks f then f is said to be secure relative to O. We emphasize that our definition says nothing about the efficiency of f . The function may even be non-computable, as long as the advantage that can be gained by any adversary is negligible. Of course, in practice one needs an instantiation of a primitive that is both efficient and secure. Commonly, it is required that we can compute the function f with a (uniform) poly-time Turing machine for f to be called efficient. This definition of a deterministic primitive can naturally be extended to the randomized case in the following way. Definition 2 (Randomized primitive). Let P be a deterministic primitive. Then the corresponding randomized primitive Pr is the set Pr = {f : R × {0, 1}∗ → {0, 1}∗|∀r ∈ R : f (r, ·) ∈ P} r r and A DV P A DV P k (f, ·) = E k (f (r, ·), ·) , where R is a randomness space. r∈R
In order to define stateful primitives, we must extend the advantage function A DV () consistently to state machines. As it is technically cumbersome and yields no additional insight, we leave it to Appendix A. It is also straightforward to define randomized stateful primitives by combining the two modifications made to the deterministic case. Since neither of the extensions actually forces us to introduce extra parameters (we can always take S = {∅} and R = ∅), it is clear that these four classes form a hierarchy in terms of set inclusions.
4 Reductions Reductions capture the relations between different security notions. A primitive P can be reduced to a primitive Q if there exists a construction that given a secure instance of the primitive Q yields a secure instance of P. Most common cryptographic reductions are black-box reductions, where an instance f of a primitive Q is treated as an atomic object in the construction and in the security proof. Despite of the ubiquity, the exact definition of black-box reductions is somewhat vague in the cryptographic literature. Impagliazzo and Rudich [5] were the first to informally define the notion of black-box reductions. A more formal definition was later given by Gertner et al. [3]. In this work, we consider four sub-notions of black-box reductions. The first step towards classification of black-box reductions was made by Reingold, Trevisan and Vadhan [7]. They showed a complex hierarchy of 7 types of different reductions. Our classification is based on their work but leaves out some of the more general reductions and introduces one that actually arises quite often in practice. Also,
Oracle Separation in the Non-uniform Model
235
we assume that the reduction construction is deterministic whereas the original hierarchy uses probabilistic Turing machines everywhere. This is necessary for reductions between deterministic primitives as the reduction cannot be allowed any randomization in that case. If we consider randomized primitives, P can usually be made deterministic even when it is randomized in essence— the key idea is to use the oracle as a source of randomness. This approach was already used by Impagliazzo and Rudich [5] in the first paper about oracle separations in cryptology. In the first three definitions, the construction of a derived primitive is independent of the actual implementation of P, whereas the construction itself may depend on the implementation in the last definition. The reduction in question is uniform if all oracle machines in the corresponding definition are uniform, otherwise the reduction is nonuniform. We assume that the construction P is always deterministic but the adversaries are allowed to be randomized. f
Definition 3. A fully black-box reduction P =⇒ Q is determined by two poly-time oracle machines P and S, satisfying the following two conditions: (C) If f implements Q then Pf implements P. (S) For every instance f ∈ Q, if A breaks Pf (as P) then SA,f breaks f (as Q). In brief, we must to provide a universal oracle algorithm S that can handle all successful adversaries to establish a fully black-box reduction. So-called semi-black-box reductions weaken this restriction by allowing for some specialization in the security proofs. The degree to which the specialization can go is different for different authors. We give two possible definitions, one just slightly stronger than the other. ss
Definition 4. Strong semi-black-box reduction P =⇒ Q is determined by a poly-time oracle machine P, satisfying the following two conditions: (C) If f correctly implements Q then Pf correctly implements P. (S) For all poly-time oracle machines A there exists a poly-time oracle machine B such that for every instance f ∈ Q if Af breaks Pf then Bf breaks f . ws
Definition 5. Weak semi-black-box reduction P =⇒ Q is determined by a poly-time oracle machine P, satisfying the following two conditions:2 (C) If f correctly implements Q then Pf correctly implements P. (S) For every instance f ∈ Q and a poly-time oracle machine A, there exists a polytime oracle machine B such that if Af breaks Pf then Bf breaks f . The difference between the two reduction types is very subtle. In the strong case, the construction of B may non-constructively depend on A and P but it has to be universal for all f ∈ Q. In the weak case, such a universal B might not exist—the construction of B may depend on f as well as on A and P. This subtle difference is however extremely important, as it seems to create a theoretical boundary for at least one general separation method we show later. In both semi-black-box reductions P must be universal for all valid instances f ∈ Q and as such, specific properties of an instance f cannot be used in the construction. 2
This was the reduction given by Reingold et al. [7] as the semi-black-box reduction.
236
A. Buldas, S. Laur, and M. Niitsoo
Variable semi-black-box reductions3 weaken even this restriction so that the constructions of both P and B may depend on the instance f . However, such constructions must exist for all instances of Q regardless of the actual efficiency of f . If we restrict f in the following definition to efficiently implementable instances of Q, then we get the definition of white-box reductions, which is the most general type of reductions. v
Definition 6. We say that there is a variable semi-black-box reduction P =⇒ Q iff for any correct implementation f of Q: (C) there exists a poly-time oracle machine Pf that correctly implements P; (S) for every instance f ∈ Q and for any poly-time oracle machine A, there exists a poly-time oracle machine B such that if Af breaks Pf , then Bf breaks f . These reduction types form a linear hierarchy with fully black-box reductions being the strongest and white-box reductions being the weakest. Existence of a reduction of one type also trivially implies the existence of reductions of all weaker types. This is important as it means that non-existence of a weaker reduction also implies nonexistence of all stronger reductions. We note that the preceding reduction types are all well-defined for all four primitive types. Moreover, it is worth noting that the definitions of randomized and stateful primitives are constructed in such a way that once the corresponding deterministic primitive is fixed and the advantage function for it given, we obtain consistent security definitions for all types of primitives and thus also the definitions for all types of reductions. Note that a primitive as an instance of more complex primitive (e.g. deterministic primitive as a randomized primitive) has exactly the same advantage as in the base case. Since both randomized and stateful constructions also contain all the deterministic primitives and the advantages stay the same when switching contexts, it is easy to show that if no reduction is possible between deterministic primitives then also none can exist for randomized or stateful cases—a reduction in one of these cases would have to hold for the deterministic cases as well as they are a subset of both extensions. Analogously if no reduction between two randomized or two stateful primitives can exist then clearly no reduction can exist between randomized stateful primitives as any one for them would imply the existence of one for both sub-classes (Fig. 1).
5 Classical Oracle Separations Non-existence of black-box reductions does not rule out the existence of generic whitew box reductions P =⇒ Q. However, the corresponding security proofs must utilize additional properties that cannot be deduced from an abstract description of the primitive. Hence, non-existence of black-box reductions is a hardness indicator showing that it is probably not possible to construct a primitive Q form a primitive P without using additional assumptions about the structure of a primitive P. The first such non-existence result in cryptography was proved by Impagliazzo and Rudich [5]. They built an oracle relative to which key agreement does not exist but one-way permutations do, thus showing the impossibility of black-box reductions of 3
They were called ∀∃-semi-black-box by Reingold et al.
Oracle Separation in the Non-uniform Model
237
key agreement to one-way permutations. There are many other such results known in cryptography [8,4,3]. Many of these separation results actually proved non-existence of variable semi-black-box reductions. To establish non-existence of black-box reductions, one usually constructs an oracle Of that securely implements the functionality of Q but contradicts the existence of the desired reduction. To prove this, more than one type of functionality if often required from the oracle. The functions can still be merged into a single oracle Of and we use the shorthand Of = (f, g) do emphasize that this has been done. Now, simple negations of the definitions of black-box reductions give the sufficient conditions for oracle separations. We give two theorems that are used the most often—the weakest and (practically) the strongest. Weak Separation (Hsiao-Reyzin [4]). Let Of = (f, g) be an oracle such that f securely implements a primitive Q. Now if for every poly-time oracle machine P that implements P when given oracle access to an implementation of Q, there is a poly-time oracle machine Af,g that breaks Pf as an instance of P, then there are no fully black-box f reductions P =⇒ Q. Strong Separation (Reingold et al. [7]). Let Of = (f ) be an oracle such that f securely implements a primitive Q. Now if for every poly-time oracle machine Pf that implements P there is a poly-time oracle machine Af that breaks Pf as an instance of v P, then there exist no variable semi-black-box reductions P =⇒ Q. For the weak separation, we can actually supply some extra functionality g along with the f that can be used by S to help break Pf but to which P construction has no access. This extra functionality is usually formalized as a separate oracle, but may actually be thought of as a part of the primitive that is not covered by any functional or security constraints and may thus be completely useless. As P has to be a general construction that works for all possible f , it gains nothing by using that part of the primitive and we may just as easily assume it doesn’t use it. However, the adversary construction might try to use it, and as we are interested in helping the adversary along, we provide information useful to him through that part. Since P has no access to it we do not have to analyze how g might help us in constructing a secure instance of P. This is actually the main difference between the two separation results. For the strong separation result, we can still give this extra functionality g in theory. However, it must be embedded into the calls of f , that is, there must exist a poly-time oracle machine Wf that implements g. As Reingold et al. [7] demonstrate, this can usually be done and is not really a strong limiting factor. However, the extra functionality g could possibly be used to increase the security of P and whether this extra help can still be bounded is what usually determines whether a variable semi-black-box reduction can be ruled out or not. The same reduction theorems hold equally well for all the four primitive classes. As an oracle is used in the place of the original primitive, this also means that using a deterministic oracle rules out the reduction in the deterministic case and using a randomized oracle rules it out for the randomized case. The corresponding hierarchy of non-existence results is depicted in Figure 1. Note that non-existence of black-box reductions for deterministic primitives naturally implies the non-existence of such a
238
A. Buldas, S. Laur, and M. Niitsoo
Randomized stateful primitives Randomized primitives
T1
–T
3
Stateful primitives Deterministic primitives
.A
p Ap
Fig. 1. Hierarchy of primitive types with respect to non-existence of reductions
reduction for all other primitive types and thus deterministic oracle constructions provide the strongest negative results. This is probably the reason why all the preceding work in this field has concentrated on finding a fixed deterministic oracle for the separation theorems. However, in the following we prove that non-existence results for deterministic and randomized primitives are actually equivalent in many cases and thus oracle separations using randomized oracles (or a family of oracles) are often just as powerful as the ones that fix one deterministic oracle.
6 Oracle Extraction Techniques In practice it is generally difficult to construct deterministic separation oracles. Hence, most separation results are based on randomized instances Of , which are later converted to deterministic instances by a clever choice of random coins. In this section, we show the limitation of such an oracle extraction methodology. Recall that for a randomized primitive f the advantage is always defined as an average over the randomness space R. Now, given a randomized oracle construction Of that refutes the existence of some type of black-box reduction, we need to fix the coins r so that the resulting oracle ∗ O∗f would still provide a secure instance f ∗ ∈ Q but on the construction Pf would be rendered insecure. This is always possible for fully black-box and semi-black-box reductions provided that we consider uniform adversaries. The corresponding proof uses the countability of uniform algorithms and the fundamental Borel-Cantelli lemma from probability theory. Lemma 1 (Borel,Cantelli). Let E1 , E2 , E3 , E4 , . . . be a countably infinite sequence of events. Let E∞ denote the event that infinitely many of these events take place. If n Pr [En ] < ∞ then Pr [E∞ ] = 0. Theorem 1. If we consider security against uniform adversaries, the existence of fully black-box and (both) semi-black-box reductions for randomized primitives implies the corresponding existence results for deterministic primitives and vice versa. Proof. For brevity, we prove the statement of the theorem only for weak semi-blackws box reductions P =⇒ Q, since the analysis of the other cases is analogous. The simple
Oracle Separation in the Non-uniform Model
239
ws
negation of the definition of P =⇒ Q gives us that either we cannot construct P from Q at all, or there exists a secure primitive f such that some poly-time adversary A breaks Pf . The non-constructibility for randomized primitives trivially implies the existence of deterministic implementations f (r, ·) that cannot be converted to P. Hence, we have to analyze only the case when f is secure but A can break Pf . This means that for a subsequence (kn ) ⊂ N the corresponding advantage is A DVP kn (f, A) ≥ knα . For clarity, assume that each security parameter k, the primitive f uses a different randomness space Rk . Then for each kn , we can consider a restricted set of random coins P f f (r,·) R◦kn = r ∈ Rkn : A DVP (P , A) ≤ 2 · A DV (P , A) . kn kn Let Of be a modified primitive that uses the original randomness space Rk for instances k∈ / {kn } and corresponding randomness space R◦kn otherwise. Then A DVQ kn (Of , B) ≤
A DVQ 2 · A DVQ nn (f, B) kn (f, B) ≤ , ◦ knα Pr r ← Rkn : r ∈ Rkn
◦ α as A DVQ nk (·) is a non-negative function and Pr r ← Rkn : r ∈ Rkn ≥ kn /2 . Thus, the modified primitive Of is still secure as an instance of the primitive Q. Next, we will fix the randomness r ∈ R◦1 × R◦2 × · · · =: R∗ so that the resulting deterministic primitive Orf (·) = Of (r, ·) remains secure. For that, it is sufficient to show that there exist r ∈ R∗ and a constant k0 such that A DVk (Orf , B) ≤ k 2 · A DV k (Of , B) r 2 for all k > k0 . Let Ek denote the event that A DV Q k (Of , B) > k · A DV k (Of , B). Then Q the event E∞ means that we cannot find k0 such that A DVk (Orf , B) ≤ k 2 ·A DVk (Of , B) for k > k0 . From the Markov inequality it then follows that k
1 Q r 2 Pr [Ek ] = Pr r ← R∗ : A DV Q (O , B) > k ·A DV (O , B) ≤ P r[(σ, s) ← Sim1 (k); (x, tr, b) ← ( Sim2 (s) , A1 , A2 , V )[σ] : b = 1 ∧ tr doesn’t match any transcript generated by Sim2 (s) ] − η(k). 1
More precisely this protocol should be called “zero-knowledge argument”, however, such difference is not essential in this paper so we harmlessly abuse the terminology.
GUC-Secure Set-Intersection Computation
251
It’s easy to see that NMZPoKR is a zero-knowledge proof of knowledge. [9,13] developed an efficient method to derive non-malleable zero-knowledge proof protocols based-on simulation-sound tag-based commitment schemes and the so-called Ω-protocols (proposed in [13]). In order to achieve GUC-security in our construction, we need to further enhance NMZPoK to the concept of identity-augmented non-malleable zero-knowledge proof protocol (IA-NMZPoK) as follows. Definition 2.4 (IA-NMZPoK Protocol for Relation R). The IA-NMZPoK Protocol for relation R, IA-NMZPoKR =(D, Setup, U KG, P, V, Sim = (Sim1 , Sim2 ), Ext = (Ext1 , Ext2 )) is a group of P.P.T. algorithms where Setup(k) generates master public/secret key-pair (mpk, msk), U KG(msk, id) generates id’s private-key usk(id) where id ∈ {P, V } (the prover’s and verifier’s identity). Sim1 takes usk(V ) as input, Ext1 takes usk(P ) as input. All algorithms except Setup take (mpk, σ) as one of its input (so it no longer explicitly appears). The protocol has the same properties as R’s NMZPoK protocol in definition 2.3. Note that by this definition an IA-NMZPoK protocol works in ACRS model [5] which ACRS is its mpk. In particular, only the corruptted verifier can run Sim (Sim1 taking usk(V ) as input) and only the corruptted prover can run Ext (Ext1 taking usk(P ) as input). This is exactly what is required in the ACRS model. Given a relation R, a general and efficient construction of IA-NMZPoK protocol for R is presented in the full version paper available at eprint.iacr.org/2008/392. 2.4
Commitment Scheme
We need the non-interactive identity-based trapdoor commitment scheme [5] (IBTC for short) as another important tool in our construction. Definition 2.5 (IBTC scheme [5]). The non-interactive identity-based trapdoor commitment scheme IBT C = (D, Setup, U KG, Cmt, V f, F akeCmt, F akeDmt) is a group of P.P.T. algorithms, where D(k) generates id, Setup(k) generates master public/secret key-pair (mpk, msk), U KG(msk, id) generates id’s user private-key usk(id), Cmt(mpk, id, M ) generates message M ’s commitment/decommitment pair (cmt, dmt), V f (mpk, id, M, cmt, dmt) outputs 0 or 1, by verifying whether cmt is M ’s commitment with respect to id. These algorithms are consistant, i.e., for any M : P r[(mpk, msk) ← Setup(k); (cmt, dmt) ← Cmt(mpk, id, M ) : V f (mpk, id, M, cmt, dmt) = 1] = 1 F akeCmt(mpk, id, usk(id)) generates (cmt, λ), F akeDmt(mpk, M, λ, cmt) gen¯ erates d(w.l.o.g. λ contains idusk(id) as one of its components so F akeDmt doesn’t explicitly take id and usk(id) as its input). A secure IBTC scheme has the following properties: (1) Hiding: for any id and M0 , M1 , (cmti , dmti ) ← Cmt(mpk, id, Mi ), i = 0, 1, then cmt0 ≈P.P.T. cmt1 ; binding (2) Binding: for any P.P.T. algorithm A, the function AdvIBT C,A (k) ≡ P r[(mpk, ∗ ∗ ∗ ∗ ∗ ∗ UKG(msk,.) msk) ← Setup(k); (id , cmt , M0 , d0 , M1 , d1 ) ← A (mpk) : A doesn’t
252
Y. Tian and H. Zhang
query oracle-U(msk,.) with id∗ ∧ M0∗ = M1∗ ∧ V f (mpk, id∗ , M0∗ , cmt∗ , d∗0 ) = ∗ ∗ ∗ ∗ V f (mpk, id , M1 , cmt , d1 ) = 1] is always negligible in k. (3) Equivocability: For any P.P.T. algorithm A = (A1 , A2 ) the following experiment always has |P r[b∗ = b] − 1/2| upper-bounded by a negligible function in k: (mpk, msk) ← Setup(k); (St, id∗ , M ∗ ) ← A1 (mpk, msk); usk(id∗ ) ← U KG(msk, id∗ ); (cmt, λ) ← F akeCmt(mpk, id∗ , usk(id∗ )); d1 ← F akeDmt(mpk, M ∗ , λ, cmt); d0 ←$ {0, 1}|d1| ; b ←$ {0, 1}; b∗ ← A2 (St, db ); Note that equivocability implies P r[V f (mpk, id∗ , M ∗ , cmt, d∗1 ) = 1] > 1 − γ(k) where γ(k) is a negligible function in k. [5] presents an efficient IBTC construction and proved its security.
3
General Construction
Now we present the formal construction of the real-world private set-intersection computation protocol Ψ . P1 and P2 denote two real-world parties with private set X1 = {x1 , . . . , xN 1 } and X2 = {y1 , . . . , yN 2 } respectively. Π = (ESetup, U KG, E, D) is a selective AN O CP A anonymous IBE scheme, ΔΠ Blind−UKG is the real-world protocol for Π’s user private-keys blind generation. IA-NMZPoK(w : R(x, w) = 1) denotes an IA-NMZPoK protocol for relation R where w is x’s witness. T C = (D, T Setup, U KG, Cmt, V f, F akeCmt, F akeDmt) is an IBTC scheme. M0 is a (fixed) public common plaintext. Ψ ’s ACRS is mpkT C mpkΔ mpkZK M0 where mpkT C , mpkΔ , mpkZK are respectively TC’s, ΔΠ Blind−UKG ’s and an IA-NMZPoK protocol (see below)’s master public key. Ψ works as follows: (1) P1 computes Π’s master public/secret-key (mpk, msk) ← ESetup(k), for each xi ∈ X1 (i = 1, . . . , N1 ) computes ciphertext ξi ← E(mpk, xi , M0 ; ri ) where ri is the independent randomness in each encryption, then computes (cmt, dmt) ← Cmt(mpkT C , P2 , ξ1 . . . ξN 1 ) and sends mpkcmt to P2 . (2) P1 and P2 run the protocol ΔΠ Blind−UKG where P1 (as the key-generater) inputs (mpk, msk) and P2 (as the key-receiver) inputs y1 , . . . , yN 2 to ΔΠ Blind−UKG . On ΔΠ ’s completion, P obtains N and P obtains usk(y 1 2 2 1 ), . . . , Blind−UKG usk(yN 2 ) as the output. (3) P1 sends ξ1 . . . ξN 1 dmt to P2 . (4) P2 verifies V f (mpkT C , P2 , ξ1 . . . ξN 1 , cmt, dmt) = 1. (5) P1 runs the protocol IA-NMZPoK((xi , ri ) : ξi = E(mpk, xi , M0 ; ri ), i = 1, , N1 ) as a prover with P2 as a verifier. On this IA-NMZPoK’s completion, P2 tries to decrypt each ξi by usk(yj )’s it obtained in step 2 and generates the set X0 ← {yj ∈ X2 : there exists ξi s.t. D(mpk, usk(yj ), ξi ) = M0 }. (6) P1 outputs N2 and P2 outputs X0 .
GUC-Secure Set-Intersection Computation
253
This general construction of Ψ is a ΔΠ Blind−UKG -hybrid protocol and we reGUC Π quire ΔΠ → F Blind−UKG Blind−UKG (definition 2.1). Since for each ξi = E(mpk, xi , M0 ; ri ), D(mpk, usk(yj ), ξi ) = M0 if and only if xi = yj so X0 = X1 ∩ X2 , i.e., P2 outputs the correct intersection. Regarding security, because the IBE scheme Π is (selective) anonymous, i.e., ciphertext ξi hides xi unless P2 has the correct user private-key usk(xi ), P2 knows nothing about X1 beyond X1 ∩ X2 . On the other hand, ΔΠ Blind−UKG ’s (GUC) security prevents P1 from knowing anything about P2 ’s private set X2 . GUC Π However, merely requiring ΔΠ FBlind−UKG cannot guarantee Blind−UKG → Ψ ’s GUC-security but only “half GUC-security” instead (i.e., the real adversary A corrupting P1 can be completely simulated by an ideal adversary S but this is not true when A corrupts P2 . Only data-privacy can be proved in the latter case). In order to make the real adversary always completely simulatable in ideal-world, some additional property is required for ΔΠ Blind−UKG . This leads to definition 3.1 and it is not hard to verify that our concrete construction of ΔΠ Blind−UKG in section 4 really satisfies this definition. Definition 3.1 (IBE’s User Private-keys Blind Generation Protocol with Extractor). Given IBE scheme Π=(ESetup, U KG, E, D) and GUC Π ΔΠ FBlind−UKG , let P1 , P2 be ΔΠ Blind−UKG → Blind−UKG ’s parties where P2 provides user-id a and obtains usk(a), P1 owns msk and (blindly) generates usk(a) for P2 . This ΔΠ Blind−UKG is defined as extractable, if there exists P.P.T. algorithm SetupΔ, U KGΔ , ExtΔ = (Ext1 , Ext2 ) and a negligible function δ(k), called the error function, such that (1) SetupΔ (k) generates the master public/secret-key pair (mpkΔ , mskΔ ). (2) U KGΔ (mskΔ , id) outputs a trapdoor uskΔ (P2 ) when id = P2 (key-receiver’s identity) and outputs nothing otherwise. (3) for any user-id a, honest P1 and any P.P.T. algorithm A, it is true that (via notations in subsection 2.3) Ext1 (usk(P2 )) outputs (σ, τ ) such that P r[Ext2 (mpkτ ; A(a))[σ] =a]>P r[Aa (mpk; P1 (mpk, msk))[σ] =U KG(msk, a)]−δ(k) where (mpk, msk) is Π’s master public/secret-key owned by P1 (mpk is published). We stress that all extractors in definition 2.3 and definition 3.1 are non-rewinding. Combining all the instantiations of subprotocols in this general construction (some presented in next section 4), it’s easy to see that we can get a O(1) and O(N1 + N2 ) message-complexity solution. Furthermore P1 , P2 has computationcomplexity of O(N1 + N2 ) and O(N1 N2 ) encryptions/decryptions respectively. The exact efficiency analysis can be only done for specific instantiation (e.g., that presented in next section) which is provided in the full version paper. The formal security consequence is the following theorem. Theorem 3.1. Suppose that Π=(ESetup, U KG, E, D) is a selective AN O CP A GUC Π anonymous IBE scheme, ΔΠ FBlind−UKG with extractor Blind−UKG →
254
Y. Tian and H. Zhang
ExtΠ = (ExtΠ,1 , ExtΠ,2 ) and error function δ as in def.3.1, IA-NMZPoK((xi , ri ) : ξi = E(mpk, xi , M0 ; ri ), i = 1, . . . , N1 ) is an IA-NMZPoK protocol, T C = (D, T Setup, U KG, Cmt, V f, F akeCmt, F akeDmt) is an IBTC scheme, then Ψ →GUC FIN T assuming static corruptions. Proof. At first it’s easy to verify that Ψ produces the correct intersection X1 ∩X2 at P2 . Now we prove its GUC-security in two cases that the real-world adversary A corrupts P1 or P2 respectively. Below P1∗ and P2∗ stand for P1 and P2 ’s respective counterparts in ideal-world. All parties are assumed to be initialized with a copy of the common reference string ACRS, i.e., the concatenation of TC’s master public-key mpkT C , ΔΠ Blind−UKG ’s mpkΔ , the IA-NMZPoK protocol’s mpkZK and M0 , generated by the pre-setup GACRS . For this ACRS, its msk is mskT C mskΔ mskZK and U KG(msk, id) outputs usk(id) = uskT C (id)uskΔ (id)uskZK (id) where uskT C (id), uskΔ (id) and uskZK (id) are respectively T C’s, ΔΠ Blind−UKG ’s and the IA-NMZPoK protocol’s user private-keys corresponding to id ∈ {P1 , P2 }. Π (1) A corrupts P1 : for simplicity we first make the proof in FBlind−UKG -hybrid model and then complete the proof by generalized universal composition the∗ orem. Let X1 = {x∗1 , . . . , x∗N 1 } be A’s (i.e., P1 ’s) own set, X2 = {y1∗ , . . . , yN 2} ∗ be P2 ’s own set. We need to construct an ideal adversary S1 who corrupts P1∗ , runs A as a black-box and simulates the real-world honest party P2 to interact with A: On receiving the message (sid, “input”, N2 ) from FIN T , S1 gets usk(P1 ) by querying the shared functionality GACRS with (“retrieve”, sid, P1 ) where usk(P1 )=uskT C (P1 )uskΔ (P1 )uskZK (P1 ), computes (σ, s, τ ) ←IA-NMZPoK:: Ext1 (uskZK (P1 )) (to avoid ambiguity, we use Γ :: f to represent a protocol Γ ’s algorithm f ), generates N2 data-items y1 , . . . , yN 2 at random and then starts A; After A sends the first message (mpkcmt), S1 interacts with A as an honest Π key-receiver in model of FBlind−UKG and obtains usk(y1 ), . . . , usk(yN 2 ); S1 intercepts the message ξ1 . . . ξN 1 dmt sent from A, verifies whether V f (mpkT C , P2 , ξ1 . . . ξN 1 , cmt, dmt) = 1 and then participates in protocol IANMZPoK((x∗i , ri ) : ξi = E(mpk, x∗i , M0 ; ri ), i = 1, . . . , N1 as a verifier calling the knowledge extractor IA-NMZPoK::Ext2 (τ ) to extract the witness (x∗i , ri ), i = 1, . . . , N1 (in fact only x∗i ’s are needed in this proof); S1 sends the message (sid,“input”, {x∗1 , . . . , x∗N 1 }) to FIN T , then outputs whatever A outputs to the environment. Let tr(A, S1 ) denote the transcripts due to the interaction between S1 and A, trψ (A, P2 (X2 )) denote the transcripts due to the interaction between A and P2 (X2 ) in the real-world protocol Ψ (P2 (X2 ) means the real-world party possessing the same private set X2 as P2∗ ). From A’s perspective, the difference beΠ tween tr(A, S1 ) and trψ (A, P2 (X2 )) is that the former provides FBlind−UKG with Π ∗ ∗ {y1 , . . . , yN 2 } as the input, the latter provides FBlind−UKG with {y1 , . . . , yN 2 }, Π but according to FBlind−UKG ’s specification A knows nothing about what dataΠ items are provided to FBlind−UKG by the other party except the number N2 , as a result, tr(A, S1 ) ≈ trψ (A, P2 (X2 )) (perfectly indistinguishable) from A’s
GUC-Secure Set-Intersection Computation
255
perspective. In particular, the distribution of A’s output due to interactions with S1 is the same as that (in real-world protocol Ψ ) due to interactions with P2 (X2 ). Let η be IA-NMZPoK protocol’s error function, AdvTbinding be attacker’s advanC tage against TC’s binding property, all are negligible functions in k. It’s not hard to show (by contradiction) that the probability with which S1 correctly extracts all A’s data-items x∗1 , . . . , x∗N 1 is greater than P r[P2 (mpkξ1 . . . ξN 1 ; A) = 1] − N1 (η + AdvTbinding ) ≥ P r[X0 = X1 ∩ X2 ] − N1 (η + AdvTbinding ), thereC C fore, the difference between the probability with which P2∗ (X2 ) outputs X1 ∩ X2 under the ideal-world adversary S1 ’s attacks and the probability with which P2 (X2 ) outputs X1 ∩ X2 under the real-world adversary A’s attacks against Ψ is upper-bounded by N1 (η +AdvTbinding ), also a negligible function in k. Combining C all the above facts, for any P.P.T. environment Z we have outputZ (Ψ, A) ≈P P T Π outputZ (FIN T , S1 ), i.e., Ψ →GUC FIN T in FBlind−UKG -hybrid model. Π Now replace the ideal functionality FBlind−UKG with ΔΠ Blind−UKG in Ψ . By GUC Π what is just proved, the assumption ΔΠ → F Blind−UKG Blind−UKG and the GUC-theorem, we still have the GUC-emulation consequence. In addition, it’s not hard to estimate S1 ’s time complexity TS1 = TA + O(N2 + N1 Te ) where TA and Te are A’s and the knowledge extractor’s computation time. ∗ ∗ (2) A corrupts P2 : Denote A’s (i.e.,P2 ’s) own set as X2 = {y1∗ , . . . , yN 2 }, P1 ’s ∗ ∗ own set as X1 = {x1 , . . . , xN 1 }, we need to construct an ideal adversary S2 . S2 corrupts P2∗ , gets usk(P2 ) by querying the pre-setup GACRS with (“retrieve”, sid, P2 ) where usk(P2 ) = uskT C (P2 )uskΔ (P2 )uskZK (P2 ), generates (σ, s) ←IANMZPoK::Sim1(uskZK (P2 )), runs A as a black-box and simulates the real-world honest party P1 to interact with A: On receiving message (sid, “input”, N1 ) from FIN T , S2 generates x1 , . . . , xN 1 at random, computes (mpk, msk) ← Setup(k) and ξi ← E(mpk, xi , M0 ; ri ) for each xi where ri is the independent randomness in each encryption, computes (cmt0 , λ) ← F akeCmt(mpkT C , P2 , uskT C (P2 )), starts A and sends the message mpkcmt0 to A; S2 interacts with A as the user private-key generator in ΔΠ Blind−UKG and calls ∗ ∗ the extractor ΔΠ :: Ext (usk (P )) to extract y Δ Δ 2 1 , . . . , yN 2 , sends the Blind−UKG ∗ ∗ ∗ message (sid, “input”, P2 , {y1 , . . . , yN 2 }) to FIN T ; S2 sends the message (sid, “intersection”, P2∗ ) to FIN T and gets the response ∗ ∗ {yj1 , . . . , yjt } (i.e., the set-intersection). To simplify the symbol, denote this response set as {y1∗ , . . . , yt∗ }. S2 computes ξi∗ ← E(mpk, yi∗ , M0 ; ri∗ ) (ri∗ ’s are selected at random) for i = 1, . . . , t, replaces arbitrary t ξi ’s with ξi∗ ’s and keeps other N1 -t ξi ’s unchanged, 0 making a new sequence denoted as ξ1 . . . ξN ← 1 , computes dmt 0 F akeDmt(mpkT C , ξ1 . . . ξN 1 , λ, cmt ). S2 sends the message ξ1 . . . ξN 1 dmt0 to A, interacts with A by calling IA-NMZPoK::Sim2(ξ 1 . . . ξN , s) where 1 ξi = E(mpk, x0i , M0 ; ri ), i = 1, . . . , N1 , x0i = yi∗ for t of N1 i’s and x0i = xi for other i’s. Finally S2 outputs whatever A outputs to the environment. Let tr(S2 , A) denote the transcripts due to the interaction between A and S2 , trΨ (P1 (X1 ), A) denote the transcripts due to the interaction between A and
256
Y. Tian and H. Zhang
the real-world party P1 (X1 ) (possessing the same set X1 = {x∗1 , . . . , x∗N 1 } as the ideal-world party P1∗ ). From A’s perspective, the differences between these two transcripts are: a) cmt in these two transcripts are respectively cmt0 output by F akeCmt and cmt output by Cmt(mpkT C , P2 , E(mpk, x∗1 , M0 ; r1 ) . . . E(mpk, x∗N 1 , M0 ; rN 1 )); b) dmt in these two transcripts are dmt0 output by F akeDmt and dmt output by Cmt(mpkT C , P2 , E(mpk, x∗1 , M0 ; r1 ) . . . E(mpk, x∗N 1 , M0 ; rN 1 )) respectively; c) Among the ciphertext sequence ξ1 . . . ξN 1 in these two transcripts, there are t ciphertexts ξi having the same identity public-key (i.e., x∗i ) but the remaining N1 -t ciphertexts having different identity public-keys; d) there are t IA-NMZPoK-witness’ with the same x0i . By TC’s equivocation property, (cmt, dmt)’s are P.P.T.-indistinguishable in both cases; because of IBE scheme’s selective AN O CP A anonymity, ξ1 . . . ξN 1 dmt in both cases are P.P.T.-indistinguishable (otherwise suppose they are P.P.T.-distinguishable with the difference δ ≥ 1/poly(k), it’s easy to construct a selective AN O CP A attacker against Π with an advantage at least δ/N1 , contradicting with Π’s selective AN O CP A anonymity). Now (1) (1) denote the ciphertext sequence ξ1 . . . ξN 1 in two cases as ξ1 . . . ξN 1 (2) (2) and ξ1 . . . ξN 1 respectively, denote the transcripts in session of IA(1) (1) NMZPoK as IA-NMZPoK(1)(= trS2(x1,,xN 1),A (mpkM0 ξ1 . . . ξN 1 )) and IA(2)
(2)
NMZPoK(2)(=trP 1(x∗ 1,...,x∗ N 1),A (mpkM0 ξ1 . . . ξN 1 )) respectively, by the (1) above analysis we have ξ1 . . . (1) (2) (2) ξN 1 ≈P P T ξ1 . . . ξN 1 ; furthermore,
by IA-NMZPoK’s zero-knowledge prop-
erty we have (2)
(2)
IA-NMZPoK(2) ≈P P T IA-NMZPoK::Sim2(ξ1 . . . ξN 1 , s) and by S2 ’s construction we also have (1)
(1)
IA-NMZPoK(1) =IA-NMZPoK::Sim2(ξ1 . . . ξN 1 , s) so IA-NMZPoK(1) ≈P P T IA-NMZPoK(2). As a result, the transcripts received by A in both cases are P.P.T.-indistinguishable. Let δ be ΔΠ Blind−UKG ’s extractor’s error function (negligible in k), then the probability with which S2 correctly extracts A’s one data-item yi∗ is at least P r[A(mpk; P1 (mpk, msk)) = U KG(msk, yi∗ )] − δ, so the probability with which ∗ S2 correctly extracts A’s all data-items y1∗ , . . . , yN 2 is at least P r[A(mpk; ∗ P1 (mpk, msk)) = U KG(msk, yi ) : i = 1, . . . , N2 ] − N2 δ ≥ P r[X0 = X1 ∩ X2 ] − N2 δ. As a result, S2 ’s output is P.P.T.- indistinguishable from A’s output in Ψ with respect to the GUC-environment Z with an error upper-bounded by AN O CP A N1 (k)AdvΠ (k) + N2 δ, which is also negligible in k. Note that in both cases the other party P1∗ (X1 ) and P1 (X1 ) always output the same N2 , so we have the consequence that outputZ (ψ, A) ≈P P T outputZ (FIN T , S2 ) and it’s easy to estimate S2 ’s time-complexity TS2 = TA + O(N1 + N2 Text ) where TA and Text are A’s and the extractor’s computation-time. By all the facts, we have Ψ →GUC FIN T .
GUC-Secure Set-Intersection Computation
4
257
An Instantiation via Boyen-Waters IBE Scheme
Theorem 3.1 presents security conditions for the general construction Ψ , among which some are available in existing works, e.g., the commitment scheme can be directly borrowed from [5]. The subprotocols which require new efficient constructions are only IBE scheme’s user private-keys generation protocol and the protocol IA-NMZPoK((a, r) : ξ = E(mpk, a, M0 ; r)). In this section we present an efficient instantiation of Ψ via Boyen-Waters IBE scheme. 4.1
Boyen-Waters IBE [3]
Given an bilinear group pairing ensemble J = {(p, G1 , G2 , e)}k where |G1 | = |G2 | = p, p is k-bit prime number, e : G1 × G1 → G2 is a non-degenerate pairing, Boyen-Waters IBE consists of ESetup(k) : g, g0 , g1 ←$ G1 ; ω, t1 , t2 , t3 , t4 ←$ Zp ; Ω ← e(g, g)t1 t2 ω ; v1 ← g t1 ; v2 ← g t2 ; v3 ← g t3 ; v4 ← g t4 ; mpk ← (G1 , G2 , p, e, Ω, g, g0 , g1 , v1 , v2 , v3 , v4 ); msk ← (ω, t1 , t2 , t3 , t4 ); return(mpk, msk); U KG(msk, a), a ∈ Zp : r1 , r2 ←$ Zp ; usk(a) ← (g r1 t1 t2 +r2 t3 t4 , g −t2 (g0 g1a )−r1 t2 , g −t1 (g0 g1a )−r1 t1 , (g0 g1a )−r2 t4 , (g0 g1a )−r2 t3 ); return(usk(a)); E(mpk, a, M ), M ∈ G2 : s, s1 , s2 ←$ Zp ; ξ ← (Ω s M, (g0 g1a )s , v1s−s1 , v2s1 , v3s−s2 , v4s2 ); return(ξ); D(mpk, usk(a), (ξ00 , ξ0 , ξ1 , ξ2 , ξ3 , ξ4 )) where usk(a) ≡ (d0 , d1 , d2 , d3 , d4 ) : T ← e(d0 , ξ0 )e(d1 , ξ1 )e(d2 , ξ2 )e(d3 , ξ3 )e(d4 , ξ4 ); return(ξ00 T ). [3] has proven that assuming the decisional bilinear Diffie-Hellman problem (DBDHP)’s hardness on J, this scheme is IN D CP A secure (data-private); assuming the decisional linear problem (D-LP)’s hardness, this scheme is selective AN O CP A anonymous. Notice that D-BDHP hardness implies D-LP’s hardness, all the above consequences can be also obtained only under D-BDHP’s hardness. 4.2
aters User Private-Keys Blind Generation Protocol ΔBoyen−W Blind−U KG and Its GUC-Security
For simplicity we only present how to blindly generate usk(a) for a single userid a. The generalization to blindly generating usk(a1 ) . . . usk(aN ) for multiple user-id’s a1 . . . aN is trival and still constant-round, though the total messagecomplexity is linearly increased. The two parties are P1 (with private input msk) and P2 (with private input a). Both parties have the common input mpk where (mpk, msk) are generated
258
Y. Tian and H. Zhang
by IBE scheme’s ESetup(k) (usually msk per se is the randomness in ESetup aters so we use a simplified notation mpk ← ESetup(msk) hereafter). ΔBoyen−W Blind−UKG has two IA-NMZPoK subprotocols (see below) which ACRS’s are denoted as aters mpkZK,II and mpkZK,III . ΔBoyen−W is in ACRS model which ACRS is Blind−UKG Boyen−W aters mpkZK,II mpkZK,III . ΔBlind−UKG works as follows: (1) P1 runs a protocol IA-NMZPoK(msk : mpk = ESetup(msk)) as a prover with P2 as a verifier, where the meaning of the notation IA-NMZPoK(msk : mpk = ESetup(msk)) follows section 3. Denote this protocol as IA-NMZPoKII . (2) P2 selects r1 , r2 , y1 , y2 , y3 , y4 at random, computes Ui ← g ri , Vi ← (g0 g1a )−ri for i = 1, 2 and hj ← g yj g1a for j = 1, 2, 3, 4, sends U1 U2 V1 V2 h1 h2 h3 h4 to P1 . Then P2 runs the protocol IA-NMZPoK((a, r1 , r2 , y1 , y2 , y3 , y4 ) : ∧i=1,2 Ui = g ri ∧i=1,2 Vi = (g0 g1a )−ri ∧j=1,2,3,4 hj = g yj g1a ) as a prover with P1 as a verifier. Denote this protocol as IA-NMZPoKIII . (3) P1 selects σ, r1 , r2 at random, computes d0 ← (g r1 U1σ )t1 t2 (g r2 U2σ )t3 t4 ; d1 ← −t2 −r1 t2 σt2 r1 t2 −t1 −r1 t1 σt1 g (h1 g0 ) V1 ; d1 ← g ; d2 ← g (h2 g0 ) V1 ; d2 ← g r1 t1 ; d3 ← σt σt (h3 g0 )−r2 t4 V2 4 ; d3 ← g r2 t4 ; d4 ← (h4 g0 )−r2 t3 V2 3 ; d4 ← g r2 t3 and sends d0 d1 d1 d2 d2 d3 d3 d4 d4 to P2 . y (4) P2 computes dj ← dj dj j , j = 1, 2, 3, 4 and outputs (d0 , d1 , d2 , d3 , d4 ). It’s easy to show by direct calculation that P2 outputs the cor rect usk(a) = (d0 , d1 , d2 , d3 , d4 ) where d0 =g (r1 +r1 σ)t1 t2 +(r2 +r2 σ)t3 t4 , d1 =g −t2 (g0 g1a )−(r1 +r1 σ)t2 , d2 = g −t1 (g0 g1a )−(r1 +r1 σ)t1 , d3 = (g0 g1a )−(r2 +r2 σ)t4 , d4 = (g0 g1a )−(r2 +r2 σ)t3 . Theorem 4.1. Suppose the bilinear group pairing J has D-BDHP hardness, both IA-NMZPoKII and IA-NMZPoKIII are identity-augmented non-malleable zero-knowledge proof protocols for specific relations described in the above, aters Boyen−W aters then ΔBoyen−W →GUC FBlind−UKG assuming static corruptions and Blind−UKG aters ΔBoyen−W satisfies def. 3.1. Blind−UKG The full version paper (eprint.iacr.org/2008/392) has detailed proof and all related IA-NMZPoK protocols’ constructions.
References 1. Aumann, Y., Lindell, Y.: Security against Covert Adversaries: Efficient Protocols for Realistic Adversaries. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 137–156. Springer, Heidelberg (2007) 2. Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T., Lange, T., Malonelee, J., Neven, G., Paillier, P., Shi, H.: Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE and Extensions. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 205–222. Springer, Heidelberg (2005) 3. Boyen, X., Waters, B.: Anonymous Hierarchical Identity-based Encryption without Random Oracles. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290–307. Springer, Heidelberg (2006)
GUC-Secure Set-Intersection Computation
259
4. Canetti, R.: Universally Composable Security: A New Paradigm for Cryptographic Protocols. In: 42nd Annual Symposium on foundations of computer Science. IEEE Computer Society, pp. 136–145. IEEE Press, New York (2001) (Updated in 2005, http://eprint.iacr.org/2000/067http://eprint.iacr.org/2000/067) 5. Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally Composable Security with Global-Setup. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 61–85. Springer, Heidelberg (2007) 6. Dodis, Y., Shoup, V., Walfish, S.: Efficient Constructions of Composable Commitments and Zero-Knowledge Proofs. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 515–535. Springer, Heidelberg (2008) 7. Freedman, M., Ishai, Y., Pinkas, B., Reingold, O.: Keyword Search and Oblivious Pseudorandom Functions. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 303–324. Springer, Heidelberg (2005) 8. Freedman, M., Nissim, K., Pinkas, B.: Efficient Private Matching and Set Intersection. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 1–19. Springer, Heidelberg (2004) 9. Garay, J., MacKenzie, P., Yang, K.: Strengthening Zero-Knowledge Protocols Using Signatures. Journal of Cryptology 19(2), 169–209 (2006) 10. Goldreich, O.: Foundations of Cryptography, vol. 1-2. Cambridge University Press, Cambridge (2004) 11. Hazay, C., Lindell, Y.: Efficient Protocols for Set Intersection and Pattern Matching with Security Against Malicious and Covert Adversaries. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 155–175. Springer, Heidelberg (2008) 12. Kissner, L., Song, D.: Privacy-Preserving Set Operations. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 241–257. Springer, Heidelberg (2005) 13. MacKenzie, P., Yang, K.: On Simulation-Sound Trapdoor Commitments. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 382–400. Springer, Heidelberg (2004)
Appendix A: ACRS Model Recently [5] improves and generalizes the early UC-theory proposed in [4] to make a more general, realistic and strictly stronger security notion. The universal composition theorem is still true in this paradigm, however, the pre-setup needs to be strictly enhanced. In GUC paradigm the CRS model is insufficient to implement general cryptographic functionalities, instead we need a new pre-setup model called ACRS (augmented common reference string) model. This pre-setup Setup,UKG can be performed via a shared functionality Gacrs with two parameter functions Setup and U KG similar to IBE scheme’s master public/secret-key Setup,UKG generator and its user private-key generator. Gacrs ’s program is [5]: Initialization Phase: compute (mpk, msk) ← Setup(k) and store (mpk, msk); Running Phase: on receiving message (“CRS request”,Pi ) from any party Pi , response (“ACRS”, mpk) to Pi and the adversary S; On receiving message (“Retrieve”,sid,Pi ) from a corrupt party Pi , compute usk(Pi ) ← U KG(msk, Pi ) and return the message (“Private-key”, sid, usk(Pi )) to Pi ; if Pi is not a corrupt party, response nothing.
Self-enforcing Private Inference Control Yanjiang Yang1 , Yingjiu Li2 , Jian Weng3 , Jianying Zhou1 , and Feng Bao1
2
1 Institute for Infocomm Research, Singapore {yyang,jyzhou,baofeng}@i2r.a-star.edu.sg School of Information Systems, Singapore Management University
[email protected] 3 Dept. of Computer Science, Jinan University, China
[email protected] Abstract. Private inference control enables simultaneous enforcement of inference control and protection of users’ query privacy. Private inference control is a useful tool for database applications, especially when users are increasingly concerned about individual privacy nowadays. However, protection of query privacy on top of inference control is a double-edged sword: without letting the database server know the content of user queries, users can easily launch DoS attacks. To assuage DoS attacks in private inference control, we propose the concept of selfenforcing private inference control, whose intuition is to force users to only make inference-free queries by enforcing inference control themselves; otherwise, penalty will inflict upon the violating users. Towards instantiating the concept, we formalize a model on selfenforcing private inference control, and propose a concrete provably secure scheme, based on Woodruff and Staddon’s work. In our construction, “penalty” is instantiated to be a deprivation of users’ access privilege: so long as a user makes an inference-enabling query, his access privilege is forfeited and he is rejected to query the database any further. We also discuss several important issues that complement and enhance the basic scheme. Keywords: Inference control, self-enforcing, database.
1
Introduction
The inference problem, first studied in statistical databases [2,11] and then extended to multilevel databases and general-purpose databases [14], has been a long standing issue in database security. Inference refers to the fact that sensitive information beyond one’s privileges (with respect to the access control policy) can be inferred from the unsensitive data to which one is granted access. Access control (e.g., mandatory access control mechanism) cannot solve the inference problem, since inference results from the combination of a series of legitimate queries that are authorized by access control. The set of queries whose responses lead to inference is said to form an inference channel. The aim of inference control is to prevent the formation of inference channels. Many of the J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 260–274, 2009. c Springer-Verlag Berlin Heidelberg 2009
Self-enforcing Private Inference Control
261
inference control methods audit queries in order to ensure that a user’s current query, together with his past queries, cannot form any inference channel (see e.g., [12,26,13,8,10,16,21,22,29]). By complementing access control, inference control works as an extra line of defence to database secrecy. What forms an inference channel depends closely on the data to be protected and the protection objective. For example, in statistical databases, the objective is to answer queries on statistics of records (e.g., sum, mean, etc) without releasing individual records [4]; so an inference channel is created if an individual value can be deduced from a set of queries, each of which returns a statistic value of multiple records. In a multilevel database, a set of queries involving data classified at lower levels forms an inference channel if data classified at a high level can be derived from them, by means of database integrity constrains such as functional, multivalued, and join dependencies [3,27]. Our concern in this work is the inference channels that result in identifying the subjects contained in the database. As an example, let us consider a database of medical records for individuals: the explicit identifying information such as patient name or social security number is clearly sensitive; in contrast, individual attributes such as age, sex, ZIP code, date of birth, profession, and marital status are not personally identifiable, as each of them alone usually does not contain sufficient information to uniquely identify any individuals, thereby should not be classified as sensitive. However, a combination of all or some of these non-sensitive attributes may be uniquely identifiable, thus forming an inference channel. Inference control in this context works by blocking users who access the database from obtaining responses of the queries that cover all the attributes necessary to complete an inference channel. In the setting of database access, equally important is that users who query the database also have privacy concern. Exposure of what data a user is accessing to the database server may lead to the compromise of user privacy [6,7,18,19,23], and possibly subject the user to targeted marketing, financial losses, etc. It is thus desirable that inference control is enforced by the server in a way that query privacy is also preserved (i.e., the server does not learn the content of the query). Note that to that end, a solution necessarily implements private information retrieval (PIR) (cf., [18,23]) so as to satisfy the query privacy requirement, but goes beyond that to also fulfil the inference control requirement. Woodruff and Staddon [28] are believed to be the first to systematically study this problem, and proposed private inference control (PIC) to attain both requirements. Private inference control works in a way that if the current query of a user, together with his prior queries, form an inference channel, then the user obtains a random value instead of the desired data as the query response from the server; while the server learns nothing on the query during the process. Subsequently, Jagannathan and Wright [17] extended private inference control to the case of aggregate database queries: specifically, a user query is a set of indices of the data in the database; the response of a query computes an aggregate function (e.g., sum, average) of the data items indexed by the query. Another related work are the priced oblivious transfer techniques studied by Aiello et al. [1], which can also be used
262
Y. Yang et al.
to attain private inference control for some specific scenarios, but not for the general setting addressed by [28,17]. Private inference control turns out to be a useful tool for database applications, especially at the time when user privacy is increasingly a concern nowadays. Unfortunately, practical deployment of private inference control may encounter an enormous obstacle, due to the fact that since the database server knows nothing about user queries, database systems enforcing private inference control can be easily exploited by users launching DoS attacks, i.e., some users deliberately query the database server to waste the precious resources of the server. It is a well known fact that inference control (even without privacy protection) is extremely computation intensive [2], hence DoS attacks are expected to be particularly effective in private inference control. Directly incorporating access control into inference control cannot entirely solve the problem if inference control does not provide any extra information (e.g., whether a query leads to inference or not) to the enforcement of access control. Without the assistance from inference control, rigid access control rules such as mandating the frequency of user queries or the number of continuous user queries will make the system extremely inconvenient. 1.1
Our Contribution
In this work, we are motivated to propose the concept of self-enforcing private inference control, in an attempt to resolve the above problem in private inference control. The intuition behind self-enforcing private inference control is to force users not to make queries that form inference channels; otherwise, penalty will incur on the querying users. In other words, users are obliged to enforce costly inference control by themselves before making queries and to only make inference-free queries that do not complete inference channels. Further, we manage to instantiate the self-enforcing intuition. Specifically, we formalize a model on self-enforcing private inference control, and propose a concrete scheme which is proven secure under the model. The proposed model and scheme are largely based on Woodruff and Staddon’s work [28]. In our scheme, “penalty” is instantiated to be a deprivation of the access privileges of the violating users. More precisely, if a user makes an inference-enabling query (which completes an inference channel together with his past queries), then the user’s access right is forfeited and he is rejected to make queries any further. We achieve this by incorporating access control into inference control, and basing access control on one-time access keys: a user is able to get the access key for next query only if his current query is inference-free. We point out that this approach lets the server learn in retrospection that a user’s last query is inference-free or not, which relaxes the stringent definition on query privacy set out in [28,17]; but we believe that it can still provide sufficient privacy protection for many practical applications, since the actual content of user queries is not revealed to the server (of course, a discussion on how to achieve the same level of query privacy as in [28,17] is also provided). Furthermore, we also discuss several important issues that complement and enhance our basic scheme.
Self-enforcing Private Inference Control
1.2
263
Organization
We review the building blocks that underly our scheme in Section 2. We then present our model and scheme for self-enforcing private inference control in Section 3, together with the security proof for the scheme. A variety of practical issues that complement and enhance the basic scheme are discussed in Section 4, before we conclude the paper in Section 5.
2
Preliminaries
For ease of understanding, we give a brief introduction to the cryptographic primitives that will be used in our scheme. Homomorphic Encryption. We need an additively homomorphic encryption scheme. Additively homomorphic encryption, E : (G1 , .) → (G2 , +), is a publickey encryption scheme satisfying E(a).E(b) = E(a + b), where a, b ∈ G2 . The Paillier homomorphic encryption [24], introduced below, is a typical additively homomorphic encryption scheme with semantic security. – KeyGen(1κ): Given a security parameter 1κ , this algorithm selects two large primes p, q and sets N = p.q; chooses g whose order of g (mod N 2 ) is a multiple of N . The public key is then set to be pk = (g, N ) and the corresponding secret key is sk = λ(N ) = lcm(p − 1, q − 1). – Hom Enc(M, pk): The encryption of a message M ∈ ZN using pk is the fol∗ lowing: choose a random r ∈ ZN , and compute C = g M rN (mod N 2 ). For notation brevity, we do not explicitly indicate pk in the input list. – Hom Dec(C, sk): The decryption of a ciphertext C using secret key sk is λ (mod N 2 )) M = L(C (mod N ), where L is defined to L(x) = x−1 N . L(gλ (mod N 2 )) The scheme is homomorphic: Hom Enc(M1 ).Hom Enc(M2 ) = (g M1 r1N ).(g M2 r2N ) = g M1 +M2 (r1 r2 )N = Hom Enc(M1 + M2 )
(mod N 2 )
It has been shown by Laur and Lipmaa [20] that the use of the Paillier homomorphic encryption in the setting of Conditional Disclosure of Secrets (ours belongs to this setting) is not secure, when G1 has a composite order. They further proposed a generic encoding mechanism to address this problem. In the rest of the paper, by using Hom Enc and Hom Dec, we assume that Laur and Lipmaa’s technique has already been incorporated in the Paillier homomorphic encryption scheme. Symmetric Private Information Retrieval. The notion of Private Information Retrieval (PIR) was first formalized by Chor et al. [7]. In their formalization, a database is modelled as an n-bit string and held by one or multiple servers; suppose a user wants to retrieve the i-th bit, an execution of PIR between the
264
Y. Yang et al.
user and the server(s) enables the former to get that bit from the latter while without revealing to the latter any information on the index i. In its original form, PIR is not concerned protecting the interest of the database, in the sense that the querying user can end up learning more bits than the requested bit. Symmetric PIR (SPIR) [18] adds to PIR the functionality of also protecting the secrecy of the database, so that the user can get nothing but the requested bit. Our scheme needs to leverage on single-server SPIR protocols, which usually achieve user query privacy relative to the computationally-bounded server. Naor and Pinkas showed how to transform any PIR protocol into such a SPIR protocol [23]. In addition, we also require SPIR protocols to operate on a database of records instead of bits. In fact, it is easy to transfer a bit-oriented SPIR protocol into a record-oriented protocol by treating a record as bits, and running the former as many times as the bit size of the records. Optimizations upon this straightforward method was given in [5]. For the purposes of proof, the SPIR protocol used in our scheme should be secure in the real/ideal model, in the sense that there is a simulator that can extract the index of the requested bit learned by any user U ∗ interacting with the honest server. Applying the transformation techniques of [23] to the PIR protocols in [9,19] yields such SPIR protocols.
3 3.1
Self-enforcing Private Inference Control Model
We consider a single-server scenario: the server houses a database consisting of a set of records, and allows users to retrieve records from the database. On the one hand, the server enforces inference control such that in a query, a user gets the requested record only if it does not complete an inference channel, together with his previous retrieved records. On the other hand, users want their query privacy to be protected, such that the server does not learn what records they are retrieving. The database is a string d ∈ ({0, 1}m)n of n records, each record has m attributes (note that for formalization simplicity, we here consider 1-bit attributes, but extending our formalization and scheme to attributes of larger size is straightforward). Let di denote the ith record and di,j denote the jth attribute value of the ith record. The inference channels we are considering are IC, a set of S ⊆ [1..m], each of which is a set of attribute indices. By IC, it means that for all i ∈ [1..n] and S ∈ IC, a user should not learn di,j for all j ∈ S. As an example, let IC = {{1, 2, 4}, {5, 6}}, then inference control is to prevent a user from getting all 1st , 2nd , 4th attributes and all 5th , 6th attributes of any record. Given a database, IC can be determined by the technique in [25]. Once IC is decided, it is input to both the server and users. Throughout the system’s lifetime, an honest user U generates a sequence of |Q| tuples, Q = ((i1 , j1 ), (i2 , j2 ), · · · , (i|Q| , j|Q| )), in order to retrieve di1 ,j1 , di2 ,j2 , . . ., di|Q| ,j|Q| . Users are allowed to query the database adaptively, so (it , jt ) can be generated depending on all the user’s previous interactions with the server. In our scheme, all pairs in Q are distinct (i.e., no repeated queries are allowed),
Self-enforcing Private Inference Control
265
and as such |Q| (m − 1)n. As we show shortly in Section 4, this is not a weakness, but instead facilitates assuaging DoS attacks. We further discuss how to allow repeated queries if needed. A sequence Q is said to be permissible if it does not compose any inference channel defined in IC, that is, for all S ∈ IC and all i ∈ [1..n], there exists a j ∈ S such that (i, j) ∈ / Q. The sequence Q is non-permissible if it is not permissible. Formally, we can treat Q = Q(U, d) as a random variable over U and d, which are in turn governed, respectively, by two uniform distribution μ and ς, where μ, ς are random bits consumed by the user and the server, respectively. Self-enforcing Private Inference Control (SePIC) is an interactive protocol between a user and the server. Let n, m, IC, 1κ be common input to both parties and d be an extra input to the server, where κ is a security parameter. Another common input is the initial access key K0 shared between the user and the server. The user registers to the server in advance, and gets K0 . Each execution of SePIC processes a query. Let m be the message computed and sent to the server by the user in the th execution of the protocol, and a be the response the server sends back to the user, 1 |Q|, we define M = {mi |1 i }, and A = {ai |1 i }. Let ΩU (A ) be state of the user and ΩS (M ) be state of the server, at the end of the th execution. The states may include the entire query history and the one-time access keys. Definition 1 (Self-enforcing Private Inference Control). Let QG be the query generation algorithm, AC the the access control algorithm, QP the query processing algorithm, and AR the answer reconstruction algorithm. a database access protocol runs the following process between a user and the server: For 1 |Q| 1. The user generates Q = (i , j ) such that Q1 , Q2 , · · · , Q are permissible. 2. The user computes m = QG(i , j , ΩU (A−1 ), μ) and sends m to the server. (1) (1) 3. The server computes (a , ΩS (M )) = AC(m , d, ΩS (M−1 ), ς) and (2) (2) (1) (2) (a , ΩS (M )) = QP(m , d, ΩS (M−1 ), ς), where a = a ∪ a (1) (2) and ΩS (M ) = ΩS (M ) ∪ ΩS (M ). The server then sends a to the user. 4. The user computes (outV , ΩU (A )) = AR(a , i , j , ΩU (A−1 ), μ), where outV is the requested record. We define the view of an arbitrary user U ∗ with respect to an honest but curious server to be V iewU ∗ (d, μ, ς) = (A|Q| , μ, 1κ , m, n, K0 ), and the view of an arbitrary server S ∗ with respect to an arbitrary user U ∗ to be V iewS ∗ (d, μ, ς) = (M|Q| , d, ς, 1κ , m, n, K0 ). A database access protocol consisting of algorithms QG, AC, QP, and AR is a SePIC protocol if it satisfies correctness and security:
266
Y. Yang et al.
Correctness. For all d ∈ ({0, 1}m)n and all honest users U , Pr[∀(iα , jα ) ∈ Q(U, d), outVα = diα ,jα ] = 1
μ,ς
(1)
Security. Security includes the following three aspects. 1. Query Privacy: For all d ∈ ({0, 1}m )n , for any honest user U and any two permissible query sequences Q1 and Q2 with equal length, for all honest but curious servers S ∗ , the probability that S ∗ can distinguish between Q1 and Q2 is negligible. That is, for all polynomial algorithm A, | Pr[A(V iewS ∗ (d, μ, ς)) = 1 | Q(U, d) = Q1 ] − μ
Pr[A(V iewS ∗ (d, μ, ς)) = 1 | Q(U, d) = Q2 ]| (κ) μ
(2)
where (κ) is a negligible function with respect to κ, and the probability is also taken over the random bits consumed by the adversary A. REMARK 1. By this definition, we relax the query privacy definition in [28], in that our definition relates to distinguishing two permissible sequences, while their definition distinguishes any two sequences. However, our definition well suits the setting we are considering, where an inference-enabling query immediately terminates the protocol. 2. Access Control: For any user U and any non-permissible query sequence Q(U, d), the last pair (i|Q| , j|Q| ) ∈ Q(U, d) must be inference-enabling, that is, Pr[(i|Q| , j|Q| ) ∈ Q(U, d) is inference-free | Q(U, d) is non-permissible] (κ). The intuition is that once an inference-enabling query is issued, the user cannot make any further query. Thus the last pair must be the inferenceenabling one. 3. Inference Control: The protocol runs in the real world, and we compare it with the ideal model, where a trusted third party, TTP, when given d ∈ ({0, 1}m)n , and a permissable Q, gives the user di,j for all (i, j) ∈ Q. More precisely, we require that for every U ∗ in the real world and every μ, there exists an efficient U in the ideal model, given the code of U ∗ and μ, that plays U ∗ ’s role, such that for every d ∈ ({0, 1}m)n , U can find a permissable Q such that the output of U ∗ interacting with the honest server and the output of U interacting with TTP are computationally indistinguishable (both the honest server in the real world and TTP in the ideal model are given d). Note that the Q found by U is a random variable induced by the uniform distribution on ς. 3.2
Our Scheme
We next propose a concrete SePIC protocol, assuming IC to be a particular form IC = {{1..m}}. The inference control rule is thus that for any record, the user cannot get all its attributes. The basic idea for our protocol is the following. Prior to query processing, the server enforces access control such that query
Self-enforcing Private Inference Control
267
processing goes on only if the user passes access control step; otherwise, the server rejects the user. Access control is based on a one-time access key shared between the server and the user. When processing a query, the server selects a random one-time key for the user’s next access, and the user will get the key only if his current query is inference free. In other words, if the user issues an inference-enabling query, he will lose his privilege for further queries. This forces the user to be cautious in making queries, and thus enforce inference control by himself to make sure that the query to be issued is inference free. Suppose by an initialization phase, IC is established. The input to the user is (1κ , n, m, K0 ) and to the server is (1κ , d, n, m, K0 ). We show the protocol for executing the user’s th query in Figure 1. For ease of understanding, we next outline the basic idea on how the protocol works. In the Access Control algorithm, as long as there are m − 1 or more i’s among i1 , i2 , · · · , ii−1 being equal to i , in which case the queries thus far are a non-permissible sequence1 , then the total number of e’s satisfying Hom Enc(.) = Hom Enc(0) is at most ( − 1) − (m − 1) = − m. This means that at most − m shares can be recovered, which are not sufficient to recover K+1 in a (− m+ 1)out-of-( − 1) secret sharing scheme (see Figure 1). So the user’s access privilege for next query is ”lost.” Without K+1 , the user is clearly unable to compute di ,j in the Answer Reconstruction algorithm. In this way, inference control is enforced. On the contrary, if the queries are a permissible sequence, K+1 clearly can be correctly recovered, so can the user recover di ,j . Query privacy is enforced due to the use of homomorphic encryption with semantic security and the use of the SPIR protocol: first, from Hom Enc(i ) and Hom Enc(j ) the server learns nothing on (i , j ). Second, through the SPIR protocol the server learns nothing on the entry retrieved by the user in the Query Processing algorithm. Performance. The communication cost for the th query is O()+ |SPIR|, where |SPIR| denotes the communication cost of the SPIR protocol. The computation overhead on the user side is O() plus that of the execution of the SPIR protocol. The computation overhead for the server is O( + nm) plus the execution of the SPIR protocol. 3.3
Security Analysis
We next analyze the security of the above protocol. We have the following theorem. Theorem 1. The protocol given in Figure 1 is a SePIC protocol with respect to Definition 1. Proof. It is not difficult to check that the protocol satisfies the correctness definition, considering our earlier explanation on how the protocol works. In the following, we focus on the security analysis and give the proof sketches. 1
This is because we do not allow repeated queries, so each of such queries must retrieve a different attribute of di .
268
Y. Yang et al.
Let the th pair in query be Q = (i , j ), where 1 |Q|, 1 i n and 1 j m Query Generation QG: If = 1, the user generates a public/private key pair for the homomorphic encryption scheme and passes the public key to the server. The user computes and sends Hom Enc(i ) and Hom Enc(j ) to the server. Access Control AC: 1. If < m, the server sets K+1 = 0, and skips access control, directly going to the Query Processing algorithma . For ≥ m, the server and the user perform an interactive authentication protocol, both using K (for = m, the two use K0 for authentication). If the authentication fails, the server aborts. Otherwise, the server selects a random K+1 , and in turn generates − 1 shares, s1 , s2 , · · · , s−1 , forming a ( − m + 1)out-of-( − 1) sharing of K+1 using a secret sharing scheme. 2. The server computes e1 = Hom Enc((i1 − i )s1 ), e2 = Hom Enc((i2 − i )s2 ), · · · , e−1 = Hom Enc((i−1 − i )s−1 ) using the user’s previous queries. The server then returns e1 , e2 , · · · , e−1 to the user, and also adds (Hom Enc(i ), Hom Enc(j )) to the user’s query history. 3. The user decrypts e1 , e2 , · · · , e−1 ; if the user’s query sequence thus far is permissible, the user can recover at least − m + 1 s s, thus reconstruct K+1 . Query Processing QP: (1) (2) 1. The server selects random numbers ri,j and ri,j , for every 1 i n, 1 (1) j m. The server then forms a table with n× m entries di,j = Hom Enc(r (i − i,j
(2) i ) + ri,j (j − j ) + K+1 + di,j ). Clearly, di ,j = Hom Enc(K+1 + di,j ), and each of the other entries is an encryption of a random number with respect to the user. 2. The user and the server performs a SPIR protocol upon d to get the (i , j )th entry di ,j .
Answer Reconstruction AR: The user decrypts di ,j to obtain K+1 + di ,j . If and only if the user has successfully recovered K+1 in AC, can he then recover di ,j . a
For the first m − 1 queries, access control is not necessary, because even all the m − 1 queries access the same record, they still cannot form an inference channel. From the m-th query onward, the server begins to enforce access control. K0 is then used for authentication in the m-th query, i.e., Km = K0 .
Fig. 1. Our Protocol
Self-enforcing Private Inference Control
269
1. Query Privacy. We prove by contradiction. Let us consider the actual view V iewS ∗ of an arbitrary server S ∗ with respect to an arbitrary honest user U ∗ in the protocol. After omitting the non-essential elements (with respect to query privacy) and common parameters, V iewS ∗ can be written as V iewS ∗ = (Hom Enc(i , j ), {SPIR(i , j )}, 0 )∈|Q| , where Hom Enc(i , j ) is shorthand for Hom Enc(i ) and Hom Enc(j ), {SPIR(i , j )} denotes the interaction transcript produced by an execution of the SPIR protocol, and 0 denotes the fact that the server knows that the query is inference-free. In V iewS ∗ , 0 can be omitted because every query generates the same element to the server. Therefore, we need to consider V iewS ∗ = (Hom Enc(i , j ), {SPIR(i , j )})∈|Q| . The intuition for the proof is then apparent, because it involves distinguishing homomorphic encryption and SPIR protocol transcript. The actual proof is a series of hybrid arguments on distinguishing V iewS ∗ [Q] = (Hom Enc(i , j ), {SPIR(i , j )})∈|Q| and V iewS ∗ [Q ] = (Hom Enc(i , j ), {SPIR(i , j )})∈|Q | , where Q = ((i1 , j1 ), (i2 , j2 ), · · ·), Q = ((i1 , j1 ), (i2 , j2 ), · · ·) are two permissible sequences with equal length. Suppose, to the contrary, that there is a PPT distinguisher D that can distinguish V iewS ∗ [Q] and V iewS ∗ [Q ] with non-negligible advantage Adv, we can show that a PPT D can be constructed to either break the semantic security of homomorphic encryption or break the privacy property of SPIR with advantage Adv/|Q|, by invoking D. The details are straightforward, following the hybrid arguments technique, which can be found in [15]. 2. Access Control. It suffices for us to consider the scenario that the th query is inference-enabling, but the user passes access control in the (+1)th query. We show that the probability for it to occur is negligible. There are two cases to consider. First, the th query is inference-enabling, but the user still manages to recover K+1 . The probability for this apparently is 1/|K|, where K is the space of one-time keys. Second, the user passes the access control in the ( + 1)th query without K+1 . The probability for this entirely relates to the strength of the authentication protocol. We denote this probability as Pr[auth-protocol failure], which is supposed to be negligible. To summarize, we have Pr[(i|Q| , j|Q| ) ∈ Q(U, d) is inference-free | Q(U, d) is non-permissible] 1/|K| + Pr[auth-protocol failure]. 3. Inference Control. We consider an arbitrary user U ∗ with random tape μ. Using a SPIR protocol with security in the real/ideal model, a simulator S, when given U ∗ ’s code and μ in the Access Control algorithm, can be formulated to extract the indices (i , j ) queried by U ∗ . Let U interact with TTP in the ideal model. U runs the code of U ∗ and uses the knowledge extractor of S to obtain (i , j ) and Hom Enc(i , j ) for some i and j . If the extracted indices (i , j ) = (i , j ) or if (i , j ) together with the past pairs queried from TTP form an inference channel, in the second step of Access Control, U will provide Hom Enc(r) for a random number r; otherwise, U will ask TTP for di ,j and follow the protocol as the honest server. U also honestly carries out query generation, asks for one-time keys from TTP, and executes authentication. Thus far, it is not hard to see that U can
270
Y. Yang et al.
generate a computationally indistinguishable view to U ∗ ’s, and in turn a computationally indistinguishable output.
4
Discussions
In this section, we discuss several issues pertaining to the self-enforcing private inference control system presented above. 4.1
Penalty Lifting and an Alternative
In our protocol, once a user issues an inference-enabling query, the user’s access privilege is forfeited for ever. One may argue that this violating-once-thenrejected penalty is too harsh. It is actually not hard to solve this problem in practical applications. For example, one may allow the user to regain his access privilege through some out-of-band channel: the server issues a new one-time access key to the user after the user accepted certain penalty, e.g., credit or financial penalty, and the server resets the user’s access account with this new key. Alternatively, it is possible to implement violating-multitimes-then-rejected penalty. To be specific, we allow a user to make a threshold number of inferenceenabling queries; however, if he makes one more inference-enabling query, then he forfeits his access right. The idea is the following (suppose the threshold is t). The one-time access keys {K } are no longer used for authentication in the Access Control algorithm. Instead, they are used to help a user obtain the onetime authentication keys {AK } , which are actually used in authentication. Of course, the generation and sharing of {K } between the server and the user remain the same as in the original protocol. Without loss of generality, in the th query, the server needs to pass AK+1 , selected randomly by the server, to the user for next access. Note that at this point of time (i.e., the beginning of the query), the user has been given Km (= K0 ), Km+1 , · · · , K , as per the original protocol. We should guarantee that the user gets AK+1 , only if he has made no more than t inference-enabling queries in the past − 1 queries, in which case the user should have obtained at least ( − m+ 1)− t keys among Km , Km+1 , · · · , K . Under this rationale, the server generates − m + 1 shares of AK+1 using a ( − m + 1 − t)-out-of-( − m + 1) secret sharing scheme, and then encrypts (e.g., using a block cipher) each share with a key from Km , Km+1 , · · · , K , and passes the encrypted shares to the user. Clearly, only if the user has made t or less inference-enabling queries, can he decrypt enough shares to reconstruct AK+1 . This method softens the violating-once-then-rejected penalty, thereby more acceptable, but it has the disadvantage that users have to keep their onetime access keys {K } . 4.2
Repeat Queries
Our protocol does not allow for repeat queries. This property is in fact an advantage with respect to our objective of curbing DoS attacks. Imagine that if
Self-enforcing Private Inference Control
271
repeat queries are allowed, a user can simply repeatedly issue an inference-free query to the server for the purpose of DoS attacks. While prohibiting repeat queries is good in combating DoS attacks, some systems may still need to enable repeat queries in catering to commom access custom. We can manage to extend our protocol to provide this property, but with relaxed query privacy. More precisely, it is revealed to the server the information that a query is a repeat one. We believe that such information disclosure is absolutely necessary in an anti-DoS private inference control system, since without distinguishing repeat queries, one cannot expect the server to know when to take actions. We next present an approach in handling repeat queries. The server treats repeat queries separately from the non-repeating queries: the server still uses the original protocol in Figure 1 to answer non-repeating queries, but replies to repeat queries in the following way. A repeat query is in the form of (“repeat query”, (Hom Enc(i), Hom Enc(j))). Suppose the user makes this repeat query after the th non-repeating query, then the user is supposed to have K+1 in his (1) (2) possession. First, the server selects random values ra and ra , for every 1 a (1) (2) , and then generates ea = Hom Enc(ra (i − ia ) + ra (j − ja ) + K+1 + R), where R is a random number, and each of the non-repeating query is Hom Enc(ia ) and Hom Enc(ja ). Note that the involvement of K+1 guarantee that the th non-repeating query must be inference-free. The server then sends (ea )1a to the user, who then decrypts the correct one to get R. It is easy to see that the user gets R only if the repeat query indeed repeats one of the non-repeating queries. (1) (2) Next, the server selects random values ra,b and ra,b , for every 1 a n, 1 b m, and then generates da,b = (Hom Enc(ra,b (i − a) + ra,b (j − b) + R + da,b ). The user then engages in a SPIR protocol with the server to get di,j , and in turn decrypts it to recover di,j with R. We should point out that the access control step is no longer needed in processing repeat queries. However, this does not necessarily weaken the ability to counter DoS attacks, since the server can anyway cap the number of continuous repeat queries. Capping in this case should not be deemed rigid, because the server is dealing with the unusual scenario of repeat queries. (1)
4.3
(2)
Stateful User
The countermeasure to DoS attacks in our protocol is essentially deterrence: if a user makes an inference-enabling query, he is rejected to access the database further. This is expected to force users to be cautious in making queries, and enforce inference control themselves in determining whether or not a query results in inference before querying. Since inference control bases upon a user’s past queries, users in our system have to be stateful, i.e., a user needs to keep his query history. This is not a serious problem if a user always uses a single machine for database access. However, a more general scenario is that a user has multiple machines. It is usually not convenient to freely transfer the up-to-
272
Y. Yang et al.
date query history among multiple machines. Fortunately, the database server in our system maintains (encrypted) query history for all users. As such, a user, at the point of access, can download his past queries from the server’s central repository, rather than keeping his query history on all machines. 4.4
Stricter Query Privacy
As mentioned earlier, our protocol achieves a relaxed level of query privacy, compared to the private inference control protocols in [17,28]. More precisely, by authenticating the user in current query, the database server learns in retrospection that whether the user’s last query is inference free or not (but without knowing the query content). Such information actually is exploited to entitle the server to timely stop the user from possible DoS attacks in our protocol. It is possible to modify our protocol to attain the same level of query privacy as in [17,28], but the resulting protocol is not as effective in curbing DoS attacks as our original protocol. The modification still follows the “self-enforcing” rationale, but the explicit authentication step is disabled or removed: the user will not be able to get the desired records for any further query, once he makes an inferenceenabling query; the server learns nothing about the query. We notice that the same rationale has already been used in [1], and the scheme for the static queries in [28] achieved the same objective as well. Under such a strategy, the server is not aware of inference-enabling queries, thus by default it has to allow any query to proceed. This is the reason why the (modified) protocol is not much effective in preventing DoS attacks. On the other hand, the protocol is still better than those in [17,28] (except for the one for static queries in [28]) in terms of antiDoS-attacks, because the user has to bear the consequences of DoS attacks, i.e., he can never retrieve useful data from the server again. In contrast, the users in the schemes in [17,28] have no worries in issuing inference-enabling queries, since they can still get the correct results as long as their further queries are inference free. The basic idea for the modification is the following. We remove the authentication step in the original protocol, and alter the way the one-time access keys are generated. In the original protocol, one-time access keys are independent of each other, and are selected as random numbers. In the modified protocol, an one-time access key is calculated from a random number together with the last one-time access key. For example, in the th query, K+1 is generated as K+1 = h(K , r), where K is the one-time access key generated in the ( − 1)th query and r is a random number. In the Access Control algorithm, r is secretshared instead of K+1 ; the Query Processing algorithm still uses K+1 . As such, suppose the ( − 1)th query causes inference and the user thus cannot obtain K , then the user in the th query is not able to compute K+1 , even the th query is inference free and the user recovers r; in turn the user cannot recover the requested record in the Answer Reconstruction algorithm. Likewise, without K+1 the user cannot compute K+2 , and so forth.
Self-enforcing Private Inference Control
5
273
Conclusions
DoS attacks are particularly effective in private inference control systems, as the database server learns nothing on user queries. We were thus motivated to propose self-enforcing private inference control. The idea is to force users to be cautious in making queries, as penalty will be inflicted upon the users making inference-enabling queries. To avoid punishment, the users are expected to enforce inference control themselves to determine whether or not a query will result in inference before issuing the query. In this way, the users are deterred from launching DoS attacks. We managed to instantiate the self-enforcing private inference control concept by presenting a formal model and a concrete scheme, which is provably secure under the model. Several important issues pertaining to the practicality of the proposed scheme were also discussed.
Acknowledgments We are grateful to the anonymous reviewers for their helpful comments, and for pointing out to us the work [20] that studied the use of the Paillier homomorphic encryption in Conditional Disclosure of Secrets.
References 1. Aiello, W., Ishai, Y., Reingold, O.: Priced Oblivious Transfer: How to Sell Digital Goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 119–135. Springer, Heidelberg (2001) 2. Adam, N.R., Wortmann, J.C.: Security-Control Methods for Statistical Databases: A Comparative Study. ACM Computing Surveys 21(4), 516–556 (1989) 3. Brodsky, A., Farkas, C., Jajodia, S.: Secure Databases: Constraints, Inference Channels, and Monitoring Disclosures. IEEE Trans. Knowledge and Data Engineering 12(6), 1–20 (2000) 4. Chin, F.Y.: Security Problems on Inference Control for SUM, MAX, and MIN queries. J. ACM (33), 451–464 (1986) 5. Chor, B., Giboa, N., Naor, M.: Private Information Retrieval by Keywords. Technical Report CS0917, Israel Institute of Technology (1997) 6. Chor, B., Gilboa, N.: Computationally private information retrivial. In: Proc. 29th STOC, pp. 304–313 (1997) 7. Chor, B., Kushilevitz, E., Goldreich, O., Sudan, M.: Private information retrieval. Journal of the ACM (1995) 8. Chin, F.Y., Kossowski, P., Loh, S.C.: Efficient Inference Control for Range Sum Queries. Theor. Comput. Sci. 32, 77–86 (1984) 9. Cachin, C., Micali, S., Stadler, M.: Computationally Private Information Retrieval with Polylogarithmic Communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 402. Springer, Heidelberg (1999) ¨ 10. Chin, F.Y., Ozsoyoglu, G.: Auditing and Inference Control in Statistical Database. IEEE Trans. Softw. Eng. 6, 574–582 (1982) 11. Denning, D.E.: Cryptography and Data Security. Addison-Wesley, Reading (1982)
274
Y. Yang et al.
12. Denning, D.E., Denning, P.J., Schwartz, M.D.: The Tracker: A threat to Statistical Database Security. ACM Trans. Database Systems 4(1), 76–96 (1979) 13. Dobkin, D., Jones, A.K., Lipton, R.J.: Secure Databases: Protection Against User Influence. ACM Trans. Database Systems 4(1), 97–106 (1979) 14. Farkas, C., Jajodia, S.: The Inference Problem: A Survey. SIGKDD Explorations 4(2), 6–11 (2002) 15. Goldreich, O.: Foundations of Cryptography: Basic Tools. The Proess of the Univeristy of Cambridge, Cambridge (2001) 16. Hoffman, L.J.: Modern Methods for Computer Security and Privacy. Prentice-Hall, Englewood Cliffs (1977) 17. Jagannathan, G., Wright, R.N.: Private Inference Control for Aggregate Database Queries. In: Proc. 7th IEEE International Conference on Data Mining Workshops, ICDMW 2007, pp. 711–716 (2007) 18. Kushilevitz, E., Ostrovsky, R.: Replication is not needed: single database, computationally private information retrieval. In: Proc. 38th IEEE Symp. on Foundation of Computer Science, pp. 364–373 (1997) 19. Lipmaa, H.: An oblivious transfer protocol with log-squared communication. In: Zhou, J., L´ opez, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 314–328. Springer, Heidelberg (2005) 20. Laur, S., Lipmaa, H.: A New Protocol for Conditional Disclosure of Secrets and Its Applications. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 207–225. Springer, Heidelberg (2007) 21. Li, Y., Lu, H., Deng, R.H.: Practical Inference Control for Data Cubes (extended abstract). In: Proc. IEEE Symposium on Security and Privacy, pp. 115–120 (2006) 22. Malvestuto, F.M., Mezzini, M.: Auditing Sum-Queries. In: Calvanese, D., Lenzerini, M., Motwani, R. (eds.) ICDT 2003. LNCS, vol. 2572, pp. 126–142. Springer, Heidelberg (2002) 23. Naor, M., Pinkas, B.: Oblivious transfer and polynomial evaluation. In: Proc. 31th ACM STOC, pp. 245–254 (1999) 24. Paillier, P.: Public-key Cryptosystems based on Composite Degree Residuosity Classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999) 25. Qian, X., Stickel, M., Karp, P., Lunt, T., Garvey, T.: Detection and Elimination of Inference Channels in Multilevel Relational Database Systems. In: Proc. IEEE Symposium on Research in Security and Privacy, S&P 1993, pp. 196–205 (1993) 26. Schl¨ orer, J.: Disclosure from Statistical Databases: Quantitative Aspects of Trackers. ACM Trans. Database Systems 5(4), 467–492 (1980) 27. Su, T., Ozsoyoglu, G.: Inference in MLS Database Systems. IEEE Trans. Knowledge and Data Engineering 3(4), 474–485 (1991) 28. Woodruff, D., Staddon, J.: Private Inference Control. In: Proc. ACM CCS 2004, pp. 188–197 (2004) 29. Wang, L., Wijesekera, D., Jajodia, S.: Cardinality-based Inference Control in Sumonly Data Cubes. In: Gollmann, D., Karjoth, G., Waidner, M. (eds.) ESORICS 2002. LNCS, vol. 2502, pp. 55–71. Springer, Heidelberg (2002)
Author Index
Au, Man Ho
129
Qin, Bo
76
Bao, Feng 260 Buldas, Ahto 230
Rangan, C. Pandu
Cao, Zhenfu 19 Cheng, Qingfeng 168 Chevallier-Mames, Benoˆıt
Saraswat, Vishal 140 Sch¨ age, Sven 104 Selvi, S. Sharmila Deva 61 Susilo, Willy 47, 90, 129
Dent, Alexander W. Dongna, E. 168
1
Fang, Liming 47 Fujisaki, Eiichiro 3, 118
32
Laur, Sven Li, Yingjiu Li, Zhoujun
230 260 214
Ustaoglu, Berkant
183
61
Wang, Jiandong 47 Warinschi, Bogdan 2 Weng, Jian 260 Wu, Qianhong 76 Xagawa, Keita
Ma, Chuangui 168 Moriyama, Daisuke 154 Mu, Yi 90, 129, 214 Niitsoo, Margus Nishimaki, Ryo
Tanaka, Keisuke 3, 118, 198 Tian, Yuan 245
Vivek, S. Sree
Guo, Fuchun 90 Guo, Hua 214 Joye, Marc
32
61
230 3, 118
Okamoto, Tatsuaki
154
198
Yang, Yanjiang 260 Yun, Aaram 140 Zhang, Hao 245 Zhang, Lei 76 Zhang, Xiyong 214 Zhou, Jianying 260 Zhou, Muxin 19