Identity-Based Signature Scheme Secure in Ephemeral Setup and Leakage Scenarios

Abstract

We propose the identity-based signature (IBS) scheme resilient to ephemerals leakage and setup. The scheme is applicable to scenarios, where signers can not trust thoroughly the signing devices, and doubts about the fairness of randomness the hardware and the operating system generate are justified. Our construction is based on the lightweight IBS by Galindo and Garcia. We present a formal security model for IBS in which all values coming from randomness source in signing procedure are leaked or set by adversary. We argue that the original scheme is vulnerable to universal forgery in our security model. We give details on our modified construction and provide a formal security proof in Random Oracle Model, claiming that even such a strong adversary cannot forge a signature in our scheme.

This research was partially supported by Wroclaw University of Science and Technology grant 049U/0044/19.

A Vulnerability of Leakage-Resilient IBS by Wu et al. in Our Model

We briefly present the protocols from [28]. The scheme is based on the idea that the secret keys are replaced with new values after each usage to prevent adversary from using leaked data accumulated in multiple protocol runs to recreate the secret. However, we show that the scheme is vulnerable to universal forgery in our security model where random values in signing procedure are leaked in full. Only one genuine signature is needed for forgery in our model.

• ParGen: Given a security parameter \(\lambda \), generate type-1 bilinear pairing parameters: \((G, G_T, g \in G, p = |\langle g \rangle |, {\hat{e}}: G \times G \rightarrow G_T)\). Then:

  1. 1.

     Select \(x, \alpha \) at random from \({\mathbb {Z}}_p^*\) and \(g_2\) at random from G. Compute system original key \(X=g_2^x\) and \(X_T = {\hat{e}}(g^x, g_2).\)

  2. 2.

     The system current private key is \((S_{0,1}, S_{0,2}) = (g_2^\alpha , X \cdot g_2^{- \alpha })\).

  3. 3.

     Select \(ui_0, ui_1, mi_0, mi_1\) at random from \({\mathbb {Z}}_p^*\), compute \(U_0 = g^{ui_0}, U_1 = g^{ui_1}, M_0 = g^{mi_0}, M_1 = g^{mi_1}\).

  4. 4.

     Public parameters are \(PP=(G, G_T, g, g_2, p, {\hat{e}}, X_T, U_0, U_1, M_0, M_1)\).

• KeyExtract(ID), where ID is user’s identifier:

  1. 1.

     Pick \(a, \gamma \) at random from \({\mathbb {Z}}_p^*\).

  2. 2.

     \(S_{i,1} = S_{i-1, 1} \cdot g_2^a\).

  3. 3.

     \(TI_E = S_{i, 1} \cdot (U_0 \cdot U_1 ^{ID}) ^\gamma \).

  4. 4.

     \(QID_{ID} = g^\gamma \).

  5. 5.

     \(S_{i,2} = S_{i-1, 2} \cdot g_2^{- a}\).

  6. 6.

     \(SID_{ID} = S_{i,2} \cdot TI_E\).

  7. 7.

     Output \(DID'=(SID_{ID}, QID_{ID})\).

  8. 8.

     Upon receiving secret keys, a user selects random \(\beta \) and computes \(DID = (DID_{0,1} = g_2^{\beta }, DID_{0,2} = SID_{ID}\cdot g_2^{-\beta }, QID_{ID})\). DID is from now on the user’s key.

• Sign \((m_j)\)

  1. 1.

     Select \(b, \eta \) at random from \({\mathbb {Z}}_p^*\).

  2. 2.

     \(DID_{j,1} = DID_{j-1,1} \cdot g_2^b\).

  3. 3.

     \(TI_S = DID_{j,1} \cdot (M_0 \cdot M_1^{m_j})^\eta \).

  4. 4.

     \(\sigma _2 = g^\eta \).

  5. 5.

     \(DID_{j,2} = DID_{j-1,2} \cdot g_2^{-b}\).

  6. 6.

     \(\sigma _1=DID_{j,2} \cdot TI_S\).

  7. 7.

     Output signature: \((\sigma _1, \sigma _2, QID_{ID})\).

• Verify: Accept signature iff

  $$\begin{aligned} {\hat{e}}(g,\sigma _1)=X_T \cdot {\hat{e}}(\sigma _2, M_0 \cdot M_1 ^m) \cdot {\hat{e}}(QID_{ID}, U_0 \cdot U_1^{ID}). \end{aligned}$$

In the description above, we can notice that \(DID_{j,1} \cdot DID_{j,2}\) is constant in terms of j because \(g_2^b \cdot g_2^{-b} = 1\). Also note that \(\sigma _1 = DID_{j,2} \cdot DID_{j,1} \cdot (M_0 \cdot M_1^{m_j})^\eta \).

We can launch the following attack on the scheme:

1. 1.

   Query for one signature on arbitrary message m and obtain \((\sigma _1, \sigma _2, QID_{ID})\). From ephemeral values leakage, also obtain random values used in Sign, i.e. \(b, \eta \).

2. 2.

   Knowing random value \(\eta \), public values \(M_0, M_1\) and signed message m, compute \(E = (M_0 \cdot M_1^m)^{\eta }\).

3. 3.

   Compute \(F (= DID_{j,2} \cdot DID_{j,1}) = \sigma _1 \cdot E^{-1}\).

4. 4.

   From now on, you can select any message \(m'\) and any random value \(\eta '\), and forge the signature of \(m'\):

   $$\begin{aligned} (\sigma _1 = F \cdot (M_0 \cdot M_1^{m'})^{\eta '}, \sigma _2 = g^{\eta '}, QID_{ID}). \end{aligned}$$