Abstract
We propose an identity-based signature (IBS) scheme resilient to ephemeral leakage and ephemeral setup. The scheme is applicable to scenarios where signers cannot fully trust their signing devices, and where doubts about the fairness of the randomness generated by the hardware and the operating system are justified. Our construction is based on the lightweight IBS by Galindo and Garcia. We present a formal security model for IBS in which all values coming from the randomness source in the signing procedure are leaked to, or set by, the adversary. We argue that the original scheme is vulnerable to universal forgery in our security model. We give details of our modified construction and provide a formal security proof in the Random Oracle Model, claiming that even such a strong adversary cannot forge a signature in our scheme.
This research was partially supported by Wroclaw University of Science and Technology grant 049U/0044/19.
Notes
1. In the case of the Galindo-Garcia scheme, \({\mathtt {Data}}\) consists of two elements: \({\mathtt {Data}}({\mathtt {id}},1) = y\), \({\mathtt {Data}}({\mathtt {id}},2) = g^r\).
References
1. IEEE P1363.3/D9, May 2013: IEEE Standard for Identity-Based Cryptographic Techniques Using Pairings. IEEE (2013)
2. Akinyele, J.A., et al.: Charm: a framework for rapidly prototyping cryptosystems. J. Cryptogr. Eng. 3(2), 111–128 (2013)
3. Alwen, J., Dodis, Y., Wichs, D.: Leakage-resilient public-key cryptography in the bounded-retrieval model. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 36–54. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_3
4. Ateniese, G., Magri, B., Venturi, D.: Subversion-resilient signature schemes. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015, pp. 364–375 (2015)
5. Burnett, A., Byrne, F., Dowling, T., Duffy, A.: A biometric identity based signature scheme. Int. J. Netw. Secur. 5(3), 317–326 (2007)
6. Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zero-knowledge (extended abstract). In: Yao, F.F., Luks, E.M. (eds.) Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing, Portland, OR, USA, 21–23 May 2000, pp. 235–244. ACM (2000)
7. Chai, Z., Cao, Z., Dong, X.: Identity-based signature scheme based on quadratic residues. Sci. China Ser. F: Inf. Sci. 50(3), 373–380 (2007)
8. Deng, L., Zeng, J.: Two new identity-based threshold ring signature schemes. Theor. Comput. Sci. 535, 38–45 (2014)
9. Galindo, D., Garcia, F.D.: A Schnorr-like lightweight identity-based signature scheme. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 135–148. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_9
10. Han, S., Wang, J., Liu, W.: An efficient identity-based group signature scheme over elliptic curves. In: Freire, M.M., Chemouil, P., Lorenz, P., Gravey, A. (eds.) ECUMN 2004. LNCS, vol. 3262, pp. 417–429. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30197-4_42
11. Ki, J.H., Hwang, J.Y., Lee, D.H.: Identity-based ring signature schemes for multiple domains. TIIS 6(10), 2692–2707 (2012)
12. Kim, M., Fujioka, A., Ustaoglu, B.: Strongly secure authenticated key exchange without NAXOS’ approach under computational Diffie-Hellman assumption. IEICE Trans. 95-A(1), 29–39 (2012)
13. Krzywiecki, Ł.: Schnorr-like identification scheme resistant to malicious subliminal setting of ephemeral secret. In: Bica, I., Reyhanitabar, R. (eds.) SECITC 2016. LNCS, vol. 10006, pp. 137–148. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-47238-6_10
14. Krzywiecki, Ł., Kluczniak, K., Kozieł, P., Panwar, N.: Privacy-oriented dependency via deniable SIGMA protocol. Comput. Secur. 79, 53–67 (2018)
15. Krzywiecki, Ł., Kutyłowski, M.: Security of Okamoto identification scheme: a defense against ephemeral key leakage and setup. In: Proceedings of the Fifth ACM International Workshop on Security in Cloud Computing, SCC@AsiaCCS 2017, Abu Dhabi, United Arab Emirates, 2 April 2017, pp. 43–50 (2017)
16. Krzywiecki, Ł., Słowik, M.: Strongly deniable identification schemes immune to prover’s and verifier’s ephemeral leakage. In: Farshim, P., Simion, E. (eds.) SecITC 2017. LNCS, vol. 10543, pp. 115–128. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69284-5_9
17. Krzywiecki, Ł., Wlisłocki, T.: Deniable key establishment resistance against eKCI attacks. Secur. Commun. Netw. 2017, 7810352:1–7810352:13 (2017)
18. Krzywiecki, Ł., Wszoła, M., Kutyłowski, M.: Brief announcement: anonymous credentials secure to ephemeral leakage. In: Dolev, S., Lodha, S. (eds.) CSCML 2017. LNCS, vol. 10332, pp. 96–98. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60080-2_7
19. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75670-5_1
20. Lee, J., Park, J.H.: Authenticated key exchange secure under the computational Diffie-Hellman assumption. Cryptology ePrint Archive, Report 2008/344 (2008)
21. Lin, C.-Y., Wu, T.-C., Zhang, F., Hwang, J.-J.: New identity-based society oriented signature schemes from pairings on elliptic curves. Appl. Math. Comput. 160(1), 245–260 (2005)
22. Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Cliptography: clipping the power of kleptographic attacks. IACR Cryptology ePrint Archive, 2015/695 (2015)
23. Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
24. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5
25. Tseng, Y.-M., Tsai, T.-T., Huang, S.-S.: Leakage-free ID-based signature. Comput. J. 58(4), 750–757 (2015)
26. Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Cryptology ePrint Archive, Report 2007/123 (2007)
27. Wei, L., Zhang, L., Huang, D., Zhang, K.: Efficient and provably secure identity-based multi-signature schemes for data aggregation in marine wireless sensor networks. In: Fortino, G., et al. (eds.) 14th IEEE International Conference on Networking, Sensing and Control, ICNSC 2017, Calabria, Italy, 16–18 May 2017, pp. 593–598. IEEE (2017)
28. Wu, J.-D., Tseng, Y.-M., Huang, S.-S.: Leakage-resilient ID-based signature scheme in the generic bilinear group model. Secur. Commun. Netw. 9(17), 3987–4001 (2016)
29. Yang, Y., Hu, Y., Zhang, L.: An efficient biometric identity based signature scheme. TIIS 7(8), 2010–2026 (2013)
30. Zhang, Y., Yang, L., Wang, S.: An efficient identity-based signature scheme for vehicular communications. In: 11th International Conference on Computational Intelligence and Security, CIS 2015, Shenzhen, China, 19–20 December 2015, pp. 326–330. IEEE Computer Society (2015)
31. Zhang, Y., He, D., Huang, X., Wang, D., Choo, K.-K.R.: White-box implementation of the identity-based signature scheme in the IEEE P1363 standard for public key cryptography. IACR Cryptology ePrint Archive, 2018/814 (2018)
A Vulnerability of Leakage-Resilient IBS by Wu et al. in Our Model
We briefly present the protocols from [28]. The scheme is based on the idea that the secret keys are replaced with new values after each use, to prevent an adversary from using leaked data accumulated over multiple protocol runs to recreate the secret. However, we show that the scheme is vulnerable to universal forgery in our security model, where the random values used in the signing procedure are leaked in full. Only one genuine signature is needed for the forgery in our model.
- ParGen: Given a security parameter \(\lambda \), generate type-1 bilinear pairing parameters: \((G, G_T, g \in G, p = |\langle g \rangle |, {\hat{e}}: G \times G \rightarrow G_T)\). Then:
  1. Select \(x, \alpha \) at random from \({\mathbb {Z}}_p^*\) and \(g_2\) at random from G. Compute the system original key \(X=g_2^x\) and \(X_T = {\hat{e}}(g^x, g_2)\).
  2. The system current private key is \((S_{0,1}, S_{0,2}) = (g_2^\alpha , X \cdot g_2^{- \alpha })\).
  3. Select \(ui_0, ui_1, mi_0, mi_1\) at random from \({\mathbb {Z}}_p^*\), and compute \(U_0 = g^{ui_0}, U_1 = g^{ui_1}, M_0 = g^{mi_0}, M_1 = g^{mi_1}\).
  4. The public parameters are \(PP=(G, G_T, g, g_2, p, {\hat{e}}, X_T, U_0, U_1, M_0, M_1)\).
- KeyExtract(ID), where ID is the user’s identifier:
  1. Pick \(a, \gamma \) at random from \({\mathbb {Z}}_p^*\).
  2. \(S_{i,1} = S_{i-1, 1} \cdot g_2^a\).
  3. \(TI_E = S_{i, 1} \cdot (U_0 \cdot U_1 ^{ID}) ^\gamma \).
  4. \(QID_{ID} = g^\gamma \).
  5. \(S_{i,2} = S_{i-1, 2} \cdot g_2^{- a}\).
  6. \(SID_{ID} = S_{i,2} \cdot TI_E\).
  7. Output \(DID'=(SID_{ID}, QID_{ID})\).
  8. Upon receiving the secret keys, the user selects a random \(\beta \) and computes \(DID = (DID_{0,1} = g_2^{\beta }, DID_{0,2} = SID_{ID}\cdot g_2^{-\beta }, QID_{ID})\). From now on, DID is the user’s key.
- Sign\((m_j)\):
  1. Select \(b, \eta \) at random from \({\mathbb {Z}}_p^*\).
  2. \(DID_{j,1} = DID_{j-1,1} \cdot g_2^b\).
  3. \(TI_S = DID_{j,1} \cdot (M_0 \cdot M_1^{m_j})^\eta \).
  4. \(\sigma _2 = g^\eta \).
  5. \(DID_{j,2} = DID_{j-1,2} \cdot g_2^{-b}\).
  6. \(\sigma _1=DID_{j,2} \cdot TI_S\).
  7. Output the signature \((\sigma _1, \sigma _2, QID_{ID})\).
- Verify: Accept the signature iff
  $$\begin{aligned} {\hat{e}}(g,\sigma _1)=X_T \cdot {\hat{e}}(\sigma _2, M_0 \cdot M_1 ^m) \cdot {\hat{e}}(QID_{ID}, U_0 \cdot U_1^{ID}). \end{aligned}$$
Note that in the description above, the product \(DID_{j,1} \cdot DID_{j,2}\) is constant with respect to j, because \(g_2^b \cdot g_2^{-b} = 1\). Note also that \(\sigma _1 = DID_{j,2} \cdot DID_{j,1} \cdot (M_0 \cdot M_1^{m_j})^\eta \).
We can launch the following attack on the scheme:
1. Query for one signature on an arbitrary message m and obtain \((\sigma _1, \sigma _2, QID_{ID})\). From the leakage of ephemeral values, also obtain the random values used in Sign, i.e. \(b, \eta \).
2. Knowing the random value \(\eta \), the public values \(M_0, M_1\) and the signed message m, compute \(E = (M_0 \cdot M_1^m)^{\eta }\).
3. Compute \(F (= DID_{j,2} \cdot DID_{j,1}) = \sigma _1 \cdot E^{-1}\).
4. From now on, one can select any message \(m'\) and any random value \(\eta '\), and forge the signature of \(m'\):
   $$\begin{aligned} (\sigma _1 = F \cdot (M_0 \cdot M_1^{m'})^{\eta '}, \sigma _2 = g^{\eta '}, QID_{ID}). \end{aligned}$$
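To make the algebra behind this observation concrete, the following is an added illustration (not code from the paper or from [28]) in a toy prime-order group: it shows that the product \(DID_{j,1} \cdot DID_{j,2}\) survives every key refresh unchanged, that a single leaked \(\eta \) recovers it as F, and that the resulting forgery is bit-for-bit what the honest signer would output for the same ephemerals, which is exactly the "setup" case of the security model. The group (an order-Q subgroup of \({\mathbb {Z}}_P^*\), no pairing), the message hashing, and the names setup/sign/recover_f/forge are assumptions; the pairing-based Verify and the \(U_0, U_1\) identity binding are omitted because the attack never touches them.

```python
import hashlib
import secrets

# Toy stand-in for the scheme's group: the order-Q subgroup of Z_P^*, P = 2Q + 1.
# Constructed for illustration; the real scheme lives in a type-1 pairing group.
# Verify and the U_0, U_1 terms are omitted: the attack never uses them.
P, Q = 1019, 509

def gen():
    """Random non-identity element of the order-Q subgroup (a square mod P)."""
    while True:
        h = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if h != 1:
            return h

def rnd():
    return secrets.randbelow(Q - 1) + 1          # ephemeral exponent in Z_Q^*

def hm(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q   # message -> Z_Q

def setup():
    """Public parameters (g, g_2, M_0, M_1) and a user key [DID_{0,1}, DID_{0,2}]."""
    g, g2 = gen(), gen()
    M0, M1 = pow(g, rnd(), P), pow(g, rnd(), P)
    sid = gen()                      # stands in for SID_ID handed out by KeyExtract
    beta = rnd()                     # user's re-randomisation, step 8 of KeyExtract
    did = [pow(g2, beta, P), sid * pow(g2, -beta, P) % P]
    return (g, g2, M0, M1), did

def sign(pp, did, m, eph=None):
    """Sign m, refreshing DID in place. eph=(b, eta) models adversary-set ephemerals."""
    g, g2, M0, M1 = pp
    b, eta = eph if eph else (rnd(), rnd())
    did[0] = did[0] * pow(g2, b, P) % P            # DID_{j,1}
    did[1] = did[1] * pow(g2, -b, P) % P           # DID_{j,2}; the product is unchanged
    ti_s = did[0] * pow(M0 * pow(M1, hm(m), P), eta, P) % P
    return (did[1] * ti_s % P, pow(g, eta, P)), (b, eta)   # (sigma_1, sigma_2), leak

def recover_f(pp, m, sigma1, eta):
    """Steps 2-3 of the attack: E = (M_0 M_1^m)^eta, F = sigma_1 * E^{-1}."""
    _, _, M0, M1 = pp
    e = pow(M0 * pow(M1, hm(m), P), eta, P)
    return sigma1 * pow(e, -1, P) % P

def forge(pp, f, m_new, eta_new):
    """Step 4 of the attack: a signature on m_new from F alone, no key needed."""
    g, _, M0, M1 = pp
    return f * pow(M0 * pow(M1, hm(m_new), P), eta_new, P) % P, pow(g, eta_new, P)
```

The defender's takeaway is visible in `sign`: the refresh hides each half of DID but not their product, so the only secret that protects \(\sigma _1\) on a given message is \(\eta \), and a randomness source that leaks or can be set removes it entirely.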
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Krzywiecki, Ł., Słowik, M., Szala, M. (2019). Identity-Based Signature Scheme Secure in Ephemeral Setup and Leakage Scenarios. In: Heng, S.H., Lopez, J. (eds.) Information Security Practice and Experience. ISPEC 2019. Lecture Notes in Computer Science, vol. 11879. Springer, Cham. https://doi.org/10.1007/978-3-030-34339-2_17
DOI: https://doi.org/10.1007/978-3-030-34339-2_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34338-5
Online ISBN: 978-3-030-34339-2